
From point solutions to all-in security

Blog, security. Published 7 March 2019, updated 8 December 2021.

2018: the year of one of the largest data breaches ever, at the Marriott hotel chain, in which the personal data of half a billion hotel guests were stolen [1]. The year in which the number of DDoS attacks on banks, government bodies, and businesses was larger than ever [2]. But it was also the year in which explicit attention was paid to making the Dutch manufacturing industry (OT) more resilient, for instance through the Cyber Security Centrum Maakindustrie in Twente [3].

Cyber-security incidents can have a considerable impact on the continuity of your business operations. It is therefore important to take preventive measures that reduce the risk of incidents, and the consequential damage they cause, to a minimum. At the same time, every business, without exception, will sooner or later have to deal with a cyber-security incident. It is therefore equally important to detect incidents as early as possible, so that the damage stays as limited as possible.

What point solutions are available? The cyber-security market is still strongly dominated by point solutions: solutions that cover one or a few specific aspects of cyber-security. In 2019, for instance, practically every business has set up endpoint security (e.g. a virus scanner) and has a firewall in place. Does this mean that 'BV Nederland', Dutch business as a whole, is properly prepared for an incident? To what degree do a virus scanner and a firewall overlap in functionality, and, more importantly, where are the gaps? In what (other) aspects of cyber-security should investments be made? To answer these questions, you need an integral picture of your security landscape, one that is monitored and kept up to date continuously.

What is regularly underestimated is the need for this kind of integral security policy within a business. Every point solution monitors within the boundaries set by its developer; the relationship across solutions is missing. That is strange at a time when organisations such as the National Cyber Security Centre (NCSC) [4] and the European police organisation Europol [5] warn of the rapid increase in targeted, multi-vector attacks: attacks that are hard to recognise when only one vector is detected by a point solution, and that really require a broad, integral approach. An example:

  1. Your login details are stolen in a large data breach at a social media provider and subsequently become publicly available.
  2. The breached login details are used to gain access to your organisation's webmail environment. It takes a number of attempts to discover the correct username, but your password turns out to be identical to the breached password (from step 1).
  3. With access to your mailbox, the cyber-criminal can quietly take stock of what is going on in the business: who your customers are, which orders come in and go out, and how your network is organised.
  4. The attacker sends an email in your name to the department that handles customer orders, asking for access to the cloud storage where all documents are kept. Because the email comes from your own mailbox, it does not arouse suspicion with your colleagues.
  5. Not long afterwards, a customer sends an order to your business by email, and the order is filed in the cloud storage.
  6. The cyber-criminal seizes the opportunity and sends, in your name, a fake invoice to that customer carrying the cyber-criminal's own bank account details, hoping it will go unnoticed. The result: the customer loses the money, and you miss out on the payment.

In the example above you can recognise several vectors: (a) threat intelligence, in the form of information about breached login details (step 1), (b) email (steps 2, 3, and 6), and (c) data storage in the cloud (steps 4 and 5). Each step on its own looks fairly innocent to the point solution that sees it; only enrichment and correlation across the vectors reveal the attack. This demonstrates the importance of monitoring beyond the boundaries of a single solution.

SIEM

Obtaining an integral picture of your business in the area of cyber-security is usually accomplished by setting up Security Information & Event Management (SIEM). In a SIEM, all sorts of data flows can be brought together, analysed, and correlated. Examples of such data flows:

  • Active data flows: scanning your own network, for instance for vulnerabilities.
  • Passive data flows: collecting information flows within and from your network by means of a sensor that receives log streams and analyses network traffic.
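
The correlation that the six-step scenario and the SIEM description above rely on, written out as an added example in Python (not code from the original post or from Tesorion). It runs over constructed sample data standing in for three data flows: a threat-intelligence feed of breached accounts, a webmail authentication log, and a cloud-storage audit log. The account names, IP addresses, timestamps, and the `SHARE`/`DOWNLOAD` action names are assumptions; real log formats differ. Seen through any single source, each event is unremarkable: two failed logins followed by a success, a colleague sharing a folder, an address in a public credential dump. Only when the three are enriched and correlated does an alert fire.

```python
from datetime import datetime, timedelta

# Constructed sample data for this example; not real logs, accounts or addresses.
# Timestamps are ISO 8601, UTC.

# (a) Threat-intelligence feed: addresses seen in a public credential dump (step 1).
BREACHED_ACCOUNTS = {"j.jansen@example.nl"}

# (b) Webmail authentication log: (timestamp, username tried, source IP, result).
WEBMAIL_LOG = [
    ("2019-02-11T07:58:10", "jansen@example.nl",    "203.0.113.7", "FAIL"),
    ("2019-02-11T07:58:31", "jjansen@example.nl",   "203.0.113.7", "FAIL"),
    ("2019-02-11T07:59:02", "j.jansen@example.nl",  "203.0.113.7", "OK"),
    ("2019-02-11T08:15:44", "p.devries@example.nl", "10.0.0.23",   "OK"),
]

# (c) Cloud-storage audit log: (timestamp, actor, action, target).
CLOUD_LOG = [
    ("2019-02-12T09:03:12", "orders@example.nl",   "SHARE",    "j.jansen@example.nl"),
    ("2019-02-12T14:20:00", "j.jansen@example.nl", "DOWNLOAD", "orders/2019/order-0231.pdf"),
]


def _ts(s):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(s)


def enumeration_logins(webmail, max_gap=timedelta(minutes=10)):
    """Find successful logins that were preceded, from the same IP and within
    max_gap, by failed attempts on *other* usernames: the pattern of step 2,
    where the attacker knows the password and is guessing the username."""
    hits = []
    for i, (t, user, ip, result) in enumerate(webmail):
        if result != "OK":
            continue
        t = _ts(t)
        tried = {u for (t2, u, ip2, r2) in webmail[:i]
                 if ip2 == ip and r2 == "FAIL" and u != user
                 and t - _ts(t2) <= max_gap}
        if tried:
            hits.append({"time": t, "user": user, "ip": ip,
                         "failed_usernames": sorted(tried)})
    return hits


def correlate(breached, webmail, cloud, window=timedelta(days=3)):
    """Cross-source correlation. One alert per account for which all three
    line up: (a) the account appears in the breach feed, (b) it was logged
    into after username guessing, and (c) it was granted cloud access within
    `window` after that login (step 4). Each condition alone stays silent."""
    alerts = []
    for login in enumeration_logins(webmail):
        user = login["user"]
        if user not in breached:
            continue                       # no threat-intelligence enrichment hit
        grants = [(_ts(t), actor, target)
                  for (t, actor, action, target) in cloud
                  if action == "SHARE" and target == user
                  and timedelta(0) <= _ts(t) - login["time"] <= window]
        if not grants:
            continue                       # no follow-up in the cloud audit log
        alerts.append({
            "user": user,
            "ip": login["ip"],
            "login_time": login["time"].isoformat(),
            "failed_usernames": login["failed_usernames"],
            "cloud_grants": [(g[0].isoformat(), g[1]) for g in grants],
            "reason": "breached credentials + username enumeration login "
                      "+ newly granted cloud access",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(BREACHED_ACCOUNTS, WEBMAIL_LOG, CLOUD_LOG):
        print(alert)
```

In the sample data the webmail log alone shows two typos before a successful login, the cloud log alone shows the orders department sharing a folder with a colleague, and the breach feed alone concerns a personal account; none of the three would be escalated by its own point solution. `correlate` produces exactly one alert, for `j.jansen@example.nl`, and produces none if any one of the three sources is taken away. The time windows are the tunable part: too tight and the two-day gap between login and share in the scenario is missed, too loose and every shared folder becomes an alert.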

It probably goes without saying that a system like this requires the necessary costs and investments. In general, ever more data are generated and collected to monitor security; think of office automation and other IT infrastructure, production systems (OT), and of course the cloud. Besides configuring and managing the SIEM itself, the follow-up of alerts and incidents must, obviously, also be organised. Specialists are required for all of these activities. The demand for (genuine) specialists is considerable, whilst the supply is small. It can therefore be difficult to attract specialists to your business, for instance because of the (limited) size of your business or the scarcity of specialists on the labour market. Outsourcing SIEM in the form of a 'managed (security) service' is consequently a logical step, for SMEs too.

Tesorion

Tesorion's services take the form of a 'managed (security) service', in which the organisation and management of your security landscape are taken out of your hands. Your 'trusted advisor' is familiar with your business operations and analyses your present and desired maturity in the area of cyber-security. Together with you, he or she draws up a plan for expanding your cyber-security landscape and, where possible, integrating your existing infrastructure and components.

2019: if it were up to us, this will be the year in which the Netherlands becomes a bit more resilient to cybercrime. The year in which you no longer need to browse the internet yourself for a point solution that fits precisely into the last bit of your IT budget, but can take advantage of Tesorion's all-in services. It is time to start thinking in an all-in manner: is my business really secure? Which risks do I accept, and which risks do I want to cover? We will be happy to assist you.

Sources

[1] https://www.computable.nl/artikel/achtergrond/security/6524811/1444691/datalek-bij-marriott-is-op-een-na-grootste-ooit.html

[2] https://www.agconnect.nl/artikel/nbip-ddos-aanvallen-blijven-evolueren

[3] https://novelt.com/

[4] https://www.nctv.nl/documenten/publicaties/2018/06/13/cybersecuritybeeld-nederland-2018

[5] https://www.europol.europa.eu/internet-organised-crime-threat-assessment-2018