Before & during targeted attacks – the 2016 Eskenzi IT Security Analyst & CISO Forum

A recent Quocirca report, The trouble at your door, sponsored by Trend Micro, looked at the scale of targeted attacks faced by UK and European businesses and the before, during and after measures in place to mitigate such attacks. Trend Micro has plenty of its own products on offer, not least its recently upgraded Hybrid Cloud Security offering. However, last week, Quocirca got a chance to review ideas from some smaller vendors at the annual Eskenzi PR IT Security Analyst and CISO Forum. The 10 vendors that sponsored the forum were focussed mainly on before and after measures.

Targeted attacks often rely on IT infrastructure vulnerabilities. The best way to protect against these is to find and fix them before the attackers do. White Hat Security discussed the latest developments in its static (before deployment) and dynamic (post deployment) software scanning services and how its focus has extended from web-enabled applications to a significant emerging attack vector – mobile apps. This is backed by White Hat’s global threat research capability, including a substantial security operations centre (SOC) in Belfast, UK.

Cigital is an IT services company also focussed on software code scanning, mainly using IBM’s AppScan. It helps its customers improve the way they develop and deploy software in the first place; as Cigital puts it, “we can do it for you, do it with you or teach you to do it yourself”. The company is based in Virginia but has an established UK presence and customer base.

Tripwire provides a broader vulnerability scanning capability looking for known problems across an organisation’s IT infrastructure. In 2015 Tripwire was acquired by Belden, the US-based manufacturer of networking, connectivity and cabling products. Belden sees much opportunity in the Internet of Things (IoT) and Tripwire extends vulnerability scanning to the multitude of devices involved.

The continual need to interact with third parties online introduces new risk for most organisations; how can the security of the IT systems and practices of third parties be better evaluated? RiskRecon offers a service for assessing the online presence of third parties, for example looking at how up to date their web site software and DNS infrastructure are; poor online practice may point to deeper internal problems. RiskRecon is considering extending its US-only operations to Europe.

UK-based MIRACL provides a commercial distribution of the new open source Milagro encryption project, of which it is one of the major backers. Milagro is an alternative to conventional public key infrastructure that relies on identity-based keys: the key for an identity is split across a distributed set of trust authorities, each of which issues only its own share, so that only the identity owner can reassemble the complete key and no single authority ever holds it. MIRACL believes IoT will be a key use case, as confidence in the identity of devices is one of the barriers that needs to be overcome.
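To make the distributed trust authority idea concrete, the following is an added illustration (not Milagro or MIRACL code). It models the scheme with modular exponentiation in a prime field rather than the pairing-friendly elliptic curves Milagro actually uses: each trust authority holds its own master secret share, derives a per-identity share from a hash of the identity, and the identity owner multiplies the shares together to obtain the full key. The prime, the identity string and the authority secrets are constructed for the example.

```python
import hashlib

# Constructed demo parameters: a Mersenne prime as the field modulus.
# Real Milagro arithmetic happens on pairing-friendly curves, not here.
P = (1 << 127) - 1


def hash_identity(identity: str) -> int:
    """Map an identity string to a non-trivial element of the group Z_P^*.

    This stands in for Milagro's hash-to-curve step.
    """
    digest = hashlib.sha256(identity.encode("utf-8")).digest()
    h = int.from_bytes(digest, "big") % P
    # Avoid the degenerate elements 0 and 1.
    return h if h > 1 else h + 2


def issue_share(master_share: int, identity: str) -> int:
    """One trust authority's contribution for `identity`.

    The authority raises the hashed identity to its own master secret
    share; it never sees the other authorities' secrets.
    """
    return pow(hash_identity(identity), master_share, P)


def combine_shares(shares) -> int:
    """The identity owner reassembles the full key by multiplying shares.

    Multiplying h^s1 * h^s2 * ... gives h^(s1 + s2 + ...), i.e. the key a
    single authority holding the combined secret would have issued.
    """
    key = 1
    for share in shares:
        key = (key * share) % P
    return key


def monolithic_key(master_secrets, identity: str) -> int:
    """Reference: what a single, all-knowing authority would issue.

    Used only to check the distributed result; no deployed party holds
    the combined secret.
    """
    combined_secret = sum(master_secrets) % (P - 1)
    return pow(hash_identity(identity), combined_secret, P)


def demo():
    """Issue a device key from three independent authorities."""
    # Constructed secrets for three independent trust authorities.
    authority_secrets = [
        0x1F3A9C2E8D7B6A5F4E3D2C1B0A998877,
        0x0BADF00DCAFEBABE0123456789ABCDEF,
        0x7E57AB1E5EC0DE5F00DBEEF0DDBA11AD,
    ]
    device_id = "device-001@example.test"
    shares = [issue_share(s, device_id) for s in authority_secrets]
    full_key = combine_shares(shares)
    return {
        "device_id": device_id,
        "shares": shares,
        "full_key": full_key,
        "matches_monolithic": full_key == monolithic_key(authority_secrets, device_id),
        "any_subset_suffices": any(
            combine_shares(shares[:k]) == full_key for k in range(1, len(shares))
        ),
    }


if __name__ == "__main__":
    result = demo()
    print("Full key reassembled:", result["matches_monolithic"])
    print("A proper subset of shares is enough:", result["any_subset_suffices"])
```

The property worth noting is in the last two fields of the result: the product of all shares equals the key a single authority with the summed secret would have produced, while any proper subset of the shares yields a different value, so compromising one authority does not expose the device key.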

Illumio provides a set of APIs for embedding security into workloads, thus ensuring security levels are maintained wherever the workload is deployed, for example when moved from in-house to public cloud infrastructure. This moves security away from the fractured IT perimeter into the application itself; for example, enabling deployments on the same virtualised infrastructure to be ring fenced from each other – in effect creating virtual internal firewalls.

FireEye was perhaps the best known brand at the forum and one of four vendors more focussed on during measures. Its success in recent years has come from mitigating threats at the network level using sandboxes that detonate files before they are opened in the user environment. That success has enabled it to expand to offer threat protection on a broad front, including user end-points, email and file stores.

Lastline also mitigates network threats by providing a series of probes that detect bad files and embedded links. Its main development centre is in Cambridge, UK. A key route to market for Lastline is a series of OEM agreements with other security vendors including WatchGuard, Hexis, SonicWall and Barracuda.

UK-based Mimecast was itself a sponsor at the forum. Its on-demand email management services have always had a strong security focus. It has been expanding fastest in the USA and this included a 2015 IPO on NASDAQ. Mimecast has also been focussing on new capabilities to detect highly targeted spear phishing and supporting the growing use amongst its customers of Microsoft Office 365 and Google Apps.

Last but not least, Corero is a specialist in DDoS mitigation. In a mirror image of Mimecast, it is US-based but listed on the UK’s Alternative Investment Market (AIM). Its appliances are mainly focussed on protecting large enterprises and service providers. Its latest technology initiative has been to move DDoS protection inline, so that attacks are detected and blocked as traffic passes through the appliance. This contrasts with sampling traffic out of line, which only recognises an attack once it is under way and then has to divert network traffic before it can block anything.

Quocirca’s research underlines how attackers are getting more sophisticated. The Eskenzi forum provides a snapshot of how the IT security industry is innovating too. There were no vendors present specifically focussed on responding to successful attacks, yet having such response plans in place for when an attack does succeed is paramount. That said, decreasing the likelihood of being breached with better before and during measures should reduce the need for clearing up after the event.