KARE for Security – S2
Cyber-attacks against organisations are becoming increasingly sophisticated. Because organisations rely more and more on their data and their reputation, they need more advanced protection. S2 is designed to address these more sophisticated risk environments.
1. Zero-day exploits
2. Constant flux
3. Shadow IT
4. Insurance compliance
Dark web actors now have access to significant funds and resources. Where security vulnerabilities were previously found by “white-hat” hackers and vendors, they are now being found by dark web actors, who exploit them and can do so for months or even years before the broader IT industry becomes aware that they exist.
Zero-day is a misleading name for an exploit. It used to mean that a vulnerability only became a risk on the first day it was found, limiting exposure to that day. Now a zero-day exploit is one discovered by dark web actors that may already have been actively exploited for some time. The “zero” is a measure of our ignorance of its use, not of the age of the exploit.
How do we defend against threats we do not know about?
We use Endpoint Detection and Response and Breach scanners within the KARE for Security S2 plan.
Nothing is static any more, and IT networks are no different: they have many dynamic components. Changes happen as staff go about their daily activities, and they happen because of external and internal influences.
- Security companies, printer providers, production equipment providers, telcos and others may add or remove components from your network.
- Staff install software, use new tools, save documents, emails and downloads, or plug in devices (e.g. the USB stick they got as a Secret Santa present).
- Software updates arrive from ‘Line of Business’ and other application providers, including Microsoft 365.
- IT rights, access and routes are often adjusted to meet current business needs. Staff leave and new ones arrive, leaving behind a legacy of redundant access rights.
- Projects are undertaken, planned and managed. Decisions made in good faith can have unforeseen consequences elsewhere.
- Systems that were once important are replaced or dropped from daily usage, leaving legacy components behind.
- Software patches are applied, either planned or unplanned.
- Software that was once up to date gets older and becomes unsupported.
All these components interact with each other, and today’s best practice can become tomorrow’s vulnerability. To combat this, we must regularly reconfirm what is happening on the network: look for new vulnerabilities, for old vulnerabilities that have been reintroduced, and for other changes to the network. Finally, there must be an active step to confirm that past decisions remain valid.
How do we contend with a dynamic environment?
Our KARE for Security S2 plan starts with a cyclical review of the network: we scan for new vulnerabilities, compare the results against the known baseline configuration, and review the outcomes. We can then either reassess previous configuration decisions or set up a separate project to change the system and mitigate the risk.
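To make the baseline comparison concrete, here is an added example (it is not Kinetics' own tooling) that sorts one cycle's scan findings into the buckets a review works through: new findings, findings that were fixed earlier and have been reintroduced, findings still open against a remediation decision, and accepted risks whose review date has lapsed and so need reconfirming. The hosts, check names, decisions and dates are constructed.

```python
"""Compare a fresh vulnerability scan against the reviewed baseline.

Added example: this is not Kinetics' own tooling. The hosts, check names,
decisions and review dates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    check: str                             # scanner check id: a CVE id or a configuration test name
    severity: str = field(compare=False)   # excluded from identity; a finding may be re-rated between scans


# Constructed baseline: every finding present at the last reviewed scan and the
# decision taken about it. Accepted risks carry the date by which the acceptance
# must be reconfirmed ("do past decisions remain valid?").
BASELINE = {
    Finding("fs01", "smbv1-enabled", "high"): ("accepted", date(2024, 3, 31)),
    Finding("print01", "default-snmp-community", "medium"): ("accepted", date(2025, 1, 31)),
    Finding("web01", "tls10-enabled", "medium"): ("remediate", None),
    Finding("app01", "outdated-web-server", "high"): ("remediate", None),
}

# Constructed: findings closed in earlier cycles. If one comes back, a change
# on the network has reintroduced it.
PREVIOUSLY_FIXED = {Finding("rtr01", "telnet-enabled", "high")}

# Constructed result of this cycle's scan.
CURRENT_SCAN = {
    Finding("fs01", "smbv1-enabled", "high"),
    Finding("print01", "default-snmp-community", "medium"),
    Finding("web01", "tls10-enabled", "medium"),
    Finding("rtr01", "telnet-enabled", "high"),
    Finding("sw02", "default-admin-password", "critical"),
}

TODAY = date(2024, 6, 3)   # review date assumed for the constructed data
BUCKETS = ("new", "reintroduced", "still_open", "accepted_expired", "accepted", "resolved")


def by_key(f):
    return (f.host, f.check)


def triage(current, baseline, previously_fixed, today):
    """Sort this cycle's findings into the buckets a review meeting works through."""
    out = {name: [] for name in BUCKETS}
    for f in sorted(current, key=by_key):
        if f in baseline:
            decision, review_by = baseline[f]
            if decision != "accepted":
                out["still_open"].append(f)            # planned fix has not happened yet
            elif review_by is not None and review_by < today:
                out["accepted_expired"].append(f)      # past decision must be re-confirmed or the finding fixed
            else:
                out["accepted"].append(f)
        elif f in previously_fixed:
            out["reintroduced"].append(f)
        else:
            out["new"].append(f)
    # Baseline entries absent from this scan have been resolved (or the device is gone: check which).
    out["resolved"] = sorted((f for f in baseline if f not in current), key=by_key)
    return out


if __name__ == "__main__":
    for name, findings in triage(CURRENT_SCAN, BASELINE, PREVIOUSLY_FIXED, TODAY).items():
        print(f"{name:17s} {[f'{f.host}:{f.check}' for f in findings]}")
```

Identity of a finding is host plus check, not severity, so a re-rated finding still matches its baseline entry; the `resolved` bucket deserves a second look because a device that has simply dropped off the network also "resolves" its findings.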
Shadow IT refers to the trend within organisations for users or departments to simply purchase specific solutions, typically web-based, to help them fulfil their responsibilities. These solutions tend to be obtained without the support, and often without the awareness, of the traditional IT support resource. Because the apps often need nothing more than internet access through a browser or mobile app, no deeper technical support is required, and so the app moves into production without any professional IT oversight. Normally these tools function satisfactorily, but without oversight there is no security assessment, data privacy concerns such as user access rights are not reviewed, and the tool may duplicate others used elsewhere, resulting in inefficiency.
For the purposes of security, we are concerned about the risk of data leakage. The first step to managing this is to identify the tools in use, and our experience is that organisations almost always have some surprise tools in use.
How do you know your security and privacy policies are being applied if you don’t know what you have, what is in use and where your data is?
We include cyclical scans to find Shadow IT.
There is a common question on cyber insurance risk assessments: “Do you undertake regular vulnerability scans?” It is there because insurers know that we live in a dynamic landscape and that new vulnerabilities can emerge in networks.
Unfortunately, vulnerability scans take a lot of time and are expensive. At best, most organisations do them once a year. That is akin to a CFO reviewing bank balances only once a year. The problem is that the information goes out of date very quickly: a system change the day after a scan could create a vulnerability that goes unnoticed until the next scan.
These scans can be expensive. Done well, they are quite intensive, with a series of different tests that have to be applied against every item on the network. Gathering the information can take days, and the data then needs experienced people to assess it.
Kinetics has overcome the issues of timeliness and cost by clever use of different resources and using a cadence of information gathering and review.
Regular targeted scans:
Our breach alert tool runs daily scans targeted at unusual login indicators.
Increasing complexity of scans:
Rather than run one large information-gathering exercise once a year, we run a cadence of increasingly deep and complex scans. This reduces the load on your network, and because the scans are spread over a period of time we get a better view of issues and devices that come and go, supplying timely and reliable information that improves decision making. Because there is a cadence, changes are identified quickly and questions can be answered before matters get out of control.
Because we produce information on a regular basis, we can use meaningful baselines, improving the efficiency of our team as they review the data.
We undertake a full scan three times a year. This series of deeper-penetrating actions can take several days to complete. Because we have spent the intervening time on targeted scans, the full scan turns up fewer actions, which better controls the cost of any remediation and the time needed to digest the information.
Always on duty
What is included in S2?
Endpoint Detection and Response (EDR)
EDR is effectively next-generation antivirus. Endpoint Detection and Response uses advanced analytics, machine learning and AI to help identify risks that may not yet have been identified.
Antivirus deals with the known, looking for threats it understands and blocking them. EDR solutions include traditional antivirus capabilities but add advanced analytics, making use of cloud computing to identify patterns and anomalies.
EDR solutions are generally considered to provide more comprehensive network security than traditional managed antivirus. They are more effective than antivirus tools at combating advanced threats to endpoints, which is increasingly important as modern workplaces grapple with more and more endpoints every day.
EDR brings a lot to the table, including capabilities that many managed antivirus programs don’t offer. For example, EDR doesn’t rely on traditional signatures. Instead, it collects data on numerous activities across an endpoint and analyses them to identify and remediate threats. EDR uses machine learning and artificial intelligence to track potential threats and act on your behalf to remediate them, even rolling devices back to their pre-attack state, with both speed and accuracy.
Weaponised documents are a good example of how an EDR solution works. If an individual makes the mistake of downloading an attachment from a phishing email, the malicious document will attempt to take control of the device by launching a script that downloads a ransomware payload. An EDR tool logs and monitors this behaviour and, if it has alerting functionality and is configured to do so, sends you an alert. An advanced EDR solution will even quarantine the ransomware and roll the endpoint back to a known safe state. Some, like KARE EDR, also allow you to disconnect* the infected device from the network, minimising the risk of other devices becoming infected.
Endpoint protection tools can better defend against internal attacks. Internal attacks are especially prevalent among corporate networks, where sharing between devices is common. When an EDR solution identifies suspicious activity, it will block its source and help prevent a potential attack from infiltrating your wider network. One of the great benefits of EDR is it can use AI to act autonomously, delivering a rapid and reasonable response to malicious activity before infection spreads.
The benefits of an EDR solution are recognised by many insurance companies: “Do you have an EDR solution deployed to all devices?” is a common question on cyber insurance risk assessments.
Kinetics KARE for Security S2 includes a powerful EDR solution.
The current KARE for Security Antivirus remains installed as it includes extra features such as DNS scrubbing. However, file scanning is disabled and replaced by the use of KARE EDR.
*Automatic disconnection is not configured by default in S2. It can be enabled on request but is recommended only for high-sensitivity networks.
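As an added illustration of the behavioural detection described above (this is example code, not KARE EDR's logic), the rule below ignores file signatures entirely and keys on the process chain: an Office application spawning a script host. It works out the ancestry and the descendants of the flagged process so the response can act on the whole tree, and it only adds the network-isolation action when a policy flag is set, matching the note that automatic disconnection is off by default. The telemetry records, the rule name and the `auto_isolate` flag are constructed assumptions.

```python
"""Behavioural detection of a weaponised document, in the style of an EDR rule.

Added example, not KARE EDR's logic. The process-creation telemetry, the rule
name and the auto_isolate policy flag are constructed assumptions. Nothing here
matches a file signature: the rule keys on behaviour (an Office application
spawning a script host) and then acts on the resulting process tree.
"""
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Constructed process-creation events (one per new process; pid/ppid link them).
EVENTS = [
    {"pid": 4101, "ppid": 900, "host": "WS-017", "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4388, "ppid": 4101, "host": "WS-017", "image": "WINWORD.EXE", "cmd": "WINWORD.EXE Invoice_0423.docm"},
    {"pid": 4402, "ppid": 4388, "host": "WS-017", "image": "powershell.exe", "cmd": "powershell.exe -w hidden -enc <omitted>"},
    {"pid": 4410, "ppid": 4402, "host": "WS-017", "image": "cryptor.exe", "cmd": "C:\\Users\\Public\\cryptor.exe"},
    {"pid": 5120, "ppid": 900, "host": "WS-021", "image": "WINWORD.EXE", "cmd": "WINWORD.EXE report.docx"},
    {"pid": 5133, "ppid": 5120, "host": "WS-021", "image": "splwow64.exe", "cmd": "splwow64.exe"},  # print helper, benign
]


def build_tree(events):
    return {e["pid"]: e for e in events}


def ancestry(tree, pid):
    """Image names from the root of the recorded tree down to pid."""
    chain = []
    while pid in tree:
        chain.append(tree[pid]["image"].lower())
        pid = tree[pid]["ppid"]
    return chain[::-1]


def descendants(tree, pid):
    """Every pid started, directly or indirectly, by pid."""
    out, frontier = [], [pid]
    while frontier:
        cur = frontier.pop()
        for e in tree.values():
            if e["ppid"] == cur:
                out.append(e["pid"])
                frontier.append(e["pid"])
    return sorted(out)


def detect(events, auto_isolate=False):
    """Flag script hosts launched by Office and propose the response actions."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        parent = tree.get(e["ppid"])
        if not parent or parent["image"].lower() not in OFFICE_APPS:
            continue
        if e["image"].lower() not in SCRIPT_HOSTS:
            continue
        actions = ["terminate-process-tree", "quarantine-dropped-files", "rollback-endpoint-to-last-snapshot"]
        if auto_isolate:   # off by default, mirroring the page's note on automatic disconnection
            actions.append("isolate-host-from-network")
        alerts.append({
            "host": e["host"],
            "rule": "office-spawns-script-host",
            "chain": " > ".join(ancestry(tree, e["pid"])),
            "process_tree": [e["pid"]] + descendants(tree, e["pid"]),
            "actions": actions,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["host"], a["rule"], a["chain"], a["process_tree"], a["actions"])
```

Note that the second Word instance, which spawns only a printing helper, produces no alert: the rule looks at what the parent launched, not at the document or its hash.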
Shadow IT Discovery
If you don’t know where data is stored, you can’t assess the risks to that data or even determine if your policies are being followed.
Shadow IT refers to the practice of users or departments subscribing to (free or paid) services over the internet without going through a formal IT process. These might be accessed via a web-browser, thus requiring no formal IT support. In using the service, the operator will often upload data as part of the normal operation of the tool.
The informal nature of acquisition means that the organisation will not be aware of all the (cloud) software in use. Shadow IT Discovery sets out to identify these occurrences. This is important because a key component of security is managing risk. Before you can manage risk, you need to know what risk you have.
“Dropbox” is a classic example of a Shadow IT application. Employees may be using Dropbox to share and store sensitive documents, often without the company’s knowledge. Quite often this is under a personal Dropbox account as well, so if the employee leaves the organisation they retain access to those files.
If a business does not know what applications are in use, they cannot be sure that security policies such as password and multifactor authentication are applied.
KARE for Security S2 includes a Shadow IT tracker
An agent installed on all Windows devices uses an advanced log-file analysis framework to identify the SaaS applications in use. That data is then compared against a SaaS application database of over 22,000 vendors and applications. Using an advanced application classification algorithm, discovery provides you with actionable data in the areas of finance, security and productivity.
KARE for Security S2 classifies Shadow IT applications and reports on which applications are in use.
This passes the power to manage them back into your hands. Data is collected and classified monthly and reported on quarterly in the KARE reports.
The use of Password Vaults has increased as users become aware of the need to have complex and unique passwords for all the sites they access, and therefore need a solution to manage these.
If you don’t supply a solution, then staff will find their own, normally choosing based on cost (free). Every company has some shared accounts, and to make this workable, often such passwords are simple and are never changed. The vault offers a secure method for sharing that information and improving the passwords on these sites.
Passwords are gold to hackers and, like gold, they should be stored securely. With the explosion of applications and passwords, users often choose password solutions based on price (free) and convenience ahead of security. They find solutions over which you have no control. It would not be uncommon for sensitive passwords to be cached into unsecured browsers or saved into free online password managers.
KARE Password Vault supplies everyone with their own personal and secure password vault, along with a manageable shared company vault. KARE Password Vault is private to your business and your staff. Kinetics cannot see into your company vault and you cannot see into employees’ personal vaults. Employees can export their personal vaults if they leave your organisation.
FEATURES AT A GLANCE
- No more remembering dozens of passwords
- Faster access to websites and applications
- Password generator
- Centralised system for both corporate and personal passwords
- Folders to organise and categorise credentials
- Generation of audits and reports to help with tracking and compliance
- Granularly grant employee access to systems and networks
- Manage access to shared passwords by department or role
- Native mobile apps on iOS and Android
- Browser support for Chrome, Firefox, Edge and Chromium-based browsers.
- Ability to share company vault passwords with Kinetics.
- Password roll over feature*
Because passwords are personal and secure, KARE Password Vault is a self-managed system. KARE for Security S2 does include training and assistance in setting up your company vault structure.
*Password roll over can be set up against an AD network or Office 365, but not both.
Data Leakage Policies (DLP)
Sometimes you need to stop the sharing of confidential information, or control it once it leaves your organisation.
The KARE for Security S2 plan includes the configuration of a set of Data Leakage Policies in Microsoft Office 365 for clients with compatible Office 365 plans.
Kinetics deploys a set of policies to Outlook and SharePoint. The policies let you define rules that you then apply to your content. For example, you can mark an email as ‘not to be forwarded’ and mark documents as ‘sensitive, not to be shared outside the organisation’.
Breach Activity Daily scan
There are some changes on your network that you would want to know about immediately, for example suspicious activity around logins and accounts, as this may indicate that a bad actor is looking around or preparing the way for others.
Breach Activity alerts on some signs of potential breach activity. The breach alerting is focused on Windows operating systems and accounts.
With our S2 plan, we introduce a cadence of daily, weekly, monthly and six-monthly checks, scans and reports. This starts with the daily and weekly search of the network for breach activity. Each site is set up with a virtual device which searches the network for changes and alerts Kinetics to suspicious activity that may indicate a breach, or to changes that could introduce vulnerabilities.
The daily scan looks for activity by reading events and logs:
- Changes to the Default Domain Policy
- Removal or addition of users from the domain
- New user profiles appearing on devices
- Local computer accounts elevated to administrator
- Users logging into multiple computers
- Accounts promoted to network administration
- Non-approved users accessing sensitive computers *
- Suspicious logons to computers **
- Suspicious logons by users **
- Devices added to restricted networks ***
- Automatic screen lock not enabled for sensitive computers or users
- Changes made to devices tagged as locked down (typically servers)
*Devices can be tagged as Business Owner, Accounts or Cardholder Data devices. Alerts are generated when non-approved accounts log on to these devices.
**Computers or users logging on outside of normal work patterns.
***Applies only to tightly locked-down networks.
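Added example, not the scanner's own code: the rules below run over a constructed day of Windows Security events and cover several of the indicators listed above (users added or removed, accounts elevated to local Administrators or Domain Admins, one user logging on to several computers, out-of-hours logons, and a non-approved account on a device tagged Accounts). The event records, device tags, approved-user list, working hours and threshold are assumptions; the event IDs are the standard Windows Security log ones.

```python
"""Daily breach-indicator rules run over exported Windows Security events.

Added example, not Kinetics' scanner. The event records, device tags, approved
user lists, working hours and thresholds are constructed assumptions. Event IDs
are the standard Windows Security log ones: 4720 user created, 4726 user
deleted, 4728/4732 member added to a global/local security group, 4624 logon.
"""
from collections import defaultdict
from datetime import datetime

WORK_HOURS = (7, 19)                    # assumed normal pattern: 07:00-19:00, Monday to Friday
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached; type 3 network logons (file shares) excluded
MULTI_HOST_THRESHOLD = 3

# Constructed device tags and the accounts approved to log on to them.
SENSITIVE_HOSTS = {"FIN-01": "Accounts"}
APPROVED_USERS = {"FIN-01": {"afinance"}}

# Constructed events from one day (Monday 2024-05-06), flattened from the log.
EVENTS = [
    {"ts": "2024-05-06T09:10:00", "id": 4720, "host": "DC01", "subject": "itadmin", "target": "svc-backup2"},
    {"ts": "2024-05-06T09:15:00", "id": 4728, "host": "DC01", "subject": "itadmin", "target": "tmiller", "group": "Domain Admins"},
    {"ts": "2024-05-06T10:00:00", "id": 4732, "host": "WS-017", "subject": "jsmith", "target": "localuser", "group": "Administrators"},
    {"ts": "2024-05-06T08:30:00", "id": 4624, "host": "WS-001", "user": "tmiller", "logon_type": 2},
    {"ts": "2024-05-06T11:05:00", "id": 4624, "host": "WS-002", "user": "tmiller", "logon_type": 10},
    {"ts": "2024-05-06T13:40:00", "id": 4624, "host": "WS-003", "user": "tmiller", "logon_type": 10},
    {"ts": "2024-05-06T12:00:00", "id": 4624, "host": "FS01", "user": "tmiller", "logon_type": 3},
    {"ts": "2024-05-06T02:13:00", "id": 4624, "host": "WS-017", "user": "jsmith", "logon_type": 2},
    {"ts": "2024-05-06T14:00:00", "id": 4624, "host": "FIN-01", "user": "jsmith", "logon_type": 10},
    {"ts": "2024-05-06T09:00:00", "id": 4624, "host": "FIN-01", "user": "afinance", "logon_type": 2},
]


def analyse(events, sensitive_hosts, approved_users):
    """Return (rule, subject, detail) alerts: one pass for per-event rules, one for aggregates."""
    alerts = []
    hosts_by_user = defaultdict(set)
    for e in events:
        eid = e["id"]
        if eid == 4720:
            alerts.append(("user-added", e["target"], f"created by {e['subject']} on {e['host']}"))
        elif eid == 4726:
            alerts.append(("user-removed", e["target"], f"deleted by {e['subject']} on {e['host']}"))
        elif eid == 4728 and e["group"] == "Domain Admins":
            alerts.append(("promoted-domain-admin", e["target"], f"added by {e['subject']}"))
        elif eid == 4732 and e["group"] == "Administrators":
            alerts.append(("local-admin-elevation", f"{e['target']}@{e['host']}", f"added by {e['subject']}"))
        elif eid == 4624 and e["logon_type"] in INTERACTIVE_LOGON_TYPES:
            user, host = e["user"], e["host"]
            ts = datetime.fromisoformat(e["ts"])
            hosts_by_user[user].add(host)
            if ts.weekday() >= 5 or not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]):
                alerts.append(("out-of-hours-logon", f"{user}@{host}", e["ts"]))
            if host in sensitive_hosts and user not in approved_users.get(host, set()):
                alerts.append(("non-approved-sensitive-access", f"{user}@{host}", f"device tagged {sensitive_hosts[host]}"))
    for user, hosts in sorted(hosts_by_user.items()):
        if len(hosts) >= MULTI_HOST_THRESHOLD:
            alerts.append(("multi-host-logon", user, f"{len(hosts)} computers: {', '.join(sorted(hosts))}"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in analyse(EVENTS, SENSITIVE_HOSTS, APPROVED_USERS):
        print(f"{rule:30s} {subject:20s} {detail}")
```

Restricting the multi-computer rule to interactive logon types matters in practice: a user who opens shares on three file servers generates type 3 network logons everywhere and would otherwise trip the rule every day.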
The breach activity scanner is a virtual appliance and requires a minimum of 12 GB RAM and 20 GB disk space, with a dedicated i5 or Xeon processor. It can run on Hyper-V (Windows 10+) or ESXi 5.5+. One appliance is required for each location/site. If a client is unable to provide space on their servers for this, we can rent them a scanner device for a small additional cost.
The daily scan runs once a day. Alerts are generated daily and reviewed every Kinetics business day. Management of the alerts and their triage/review is covered under the agreement.
Investigation and remediation of issues is outside the agreement.
Monthly Network Scan
Breach activity monitoring focuses on specific activities taking place now. But in IT nothing is static: all systems are complex and in constant flux. The monthly cycle focuses on your identity management and access control systems. We run software installed on an onsite server to gather information and pass it back to our systems. (Remote workers are asked to run a scan manually and return the results to us.)
- Domain Controllers: Identifies domain controllers, with FSMO role analysis.
- AD Organization Units and Security Groups: Lists the organizational units and security groups (with members).
- AD User Analysis: Lists the users in AD, status, and last login/use, which helps identify potential security risks.
- Local Mail and Time Servers: Detects mail and time servers on the network, identifying rogue devices and services.
- Discover and report on network shares by device.
- Applications: Detects all major apps / versions and counts the number of installations.
- Detailed Domain Controller Event Log Analysis: Lists the event log entries from the past 24 hours for the directory service, DNS server and file replication service event logs.
- SQL Server Analysis: Lists the SQL Servers and associated database(s).
- Internet Domain Analysis: Queries company domain(s) via a WHOIS lookup.
- Password Strength Analysis: Uses MBSA to identify computers with weak passwords that may pose a security risk.
- System Protocol Leakage: Detects outbound protocols that should not be allowed.
- Unrestricted Protocols: Detects system controls for protocols that should be allowed but restricted.
- Domain Security Policy: Documents domain computer and domain controller security policies.
- Local Security Policy: Documents and assesses consistency of local security policies.
- Network Share Permissions: Documents access to file system shares.
- Logon History: Documents login history by device and logon failures.
- Public IP Scan: Performs a detailed external vulnerability scan of your public IPs. Lists and categorises externally accessible security threats.
For the best result we arrange the date of the scan with you, and ask that as many devices as possible are onsite and active on that day. For teleworkers we have an easy-to-run tool which we ask them to use and then send us the results.
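The AD user analysis above (status and last logon, to surface the redundant access left behind when staff leave) can be illustrated with an added example that is not the scan tooling itself: it reads an export in the shape of a `Get-ADUser` CSV and flags enabled accounts that are stale, never used, exempt from password expiry, or privileged and unused. The export rows, the review date and the thresholds are constructed.

```python
"""Review an Active Directory user export for stale and over-privileged accounts.

Added example, not the scan tooling described on the page. The CSV below is
constructed in the shape of a Get-ADUser export; the thresholds, the review
date and the privileged-group list are assumptions.
"""
import csv
import io
from datetime import date

STALE_DAYS = 90            # assumed: an enabled account unused for 90 days needs a decision
NEVER_USED_GRACE = 30      # assumed: new accounts get 30 days before "never logged on" counts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
TODAY = date(2024, 6, 3)   # review date for the constructed data

# Constructed export: dates are YYYY-MM-DD, a blank LastLogonDate means never
# logged on, and MemberOf lists group names separated by ';'.
AD_EXPORT = """SamAccountName,Enabled,LastLogonDate,PasswordNeverExpires,WhenCreated,MemberOf
jsmith,True,2024-05-30,False,2019-02-11,Staff
pjones,True,2023-11-02,False,2018-06-01,Staff;Finance
svc-legacy,True,,True,2020-01-15,Domain Admins
contractor7,False,2023-01-10,False,2022-09-01,Staff
newhire,True,,False,2024-05-28,Staff
"""


def parse_date(text):
    return date.fromisoformat(text) if text else None


def review_accounts(export_text, today=TODAY):
    """Return {account: [issues]} for enabled accounts that need a decision."""
    issues = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Enabled"] != "True":
            continue  # disabled accounts are out of scope for these rules
        found = []
        last = parse_date(row["LastLogonDate"])
        created = parse_date(row["WhenCreated"])
        groups = set(row["MemberOf"].split(";")) if row["MemberOf"] else set()
        unused = last is None or (today - last).days > STALE_DAYS
        if last is None:
            if created is not None and (today - created).days > NEVER_USED_GRACE:
                found.append("never-logged-on")
        elif unused:
            found.append(f"stale ({(today - last).days} days since last logon)")
        if row["PasswordNeverExpires"] == "True":
            found.append("password-never-expires")
        if unused and groups & PRIVILEGED_GROUPS:
            found.append("privileged-and-unused")   # highest-risk combination: review first
        if found:
            issues[row["SamAccountName"]] = found
    return issues


if __name__ == "__main__":
    for account, found in review_accounts(AD_EXPORT).items():
        print(f"{account}: {', '.join(found)}")
```

The grace period keeps a freshly created account out of the report, while a service account that is a Domain Admin, has never logged on and has a non-expiring password collects three findings at once and belongs at the top of the list.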
Review, recommend, baseline
Once we have gathered all the information, our system combines it with data from the daily/weekly breach scans. The data is then reviewed and we develop a list of changes and recommended actions. This is reviewed by our experienced team and used to produce an easy-to-track assessment score.
We recommend that scans are run from within the local site. For each site we need access to a device (preferably a server) from which the scans can be run. As each site will also have our breach detection device, you will already have the infrastructure in place; alternatively we can supply a suitable device at a cost.
Deep Vulnerability Scan
Risk comes from more than just PCs and servers: it can come from any connected device (including phone systems, security cameras, and even baby monitors). The monthly scan does a ‘deep dive’ on the public IP addresses.
Normally it takes days to do that across the whole network. At least three times a year we run full layer 2/3 scans and vulnerability scans. Data is collected and reviewed, and recommendations are made.
For a deep scan, we bring a device onsite which, over several days, gathers data for deep analysis. The deep scan looks at all device types, including those you may not normally associate with networking, whereas the monthly scan focuses on your Microsoft network.
There is a reason that cyber insurance assessment forms ask if you undertake regular vulnerability scans. They know that today’s best practice can easily become tomorrow’s weakest link and they know how complex a modern network can be.
Vulnerability scans go beyond PCs, servers and patching. They are based around CVE (Common Vulnerabilities and Exposures) and CVSS (Common Vulnerability Scoring System), maintained by FIRST.org, a global forum for incident response and security teams. CVEs can describe vulnerabilities in software on any connected device, from baby monitors to virtual appliances; CVEs can be found everywhere and anywhere.
The deep vulnerability scan is intensive. In addition to scanning devices, it will attempt common logins and passwords to brute-force devices. To manage network traffic while the scan runs, we may need to run it overnight or at a weekend. It is not vital that all devices such as laptops are onsite: the two scans that make up a deep vulnerability scan target devices which offer services (like servers) and hardware devices (phone systems, printers, switches).
A vulnerability scan will help detect issues which may otherwise be missed.
1. You may be regularly applying updates to servers and deploying the latest version of your LoB software from your supplier. A vulnerability scan can identify that your LoB supplier is shipping a vulnerable version of the Apache web server in their deployment.
2. When a new application was deployed in 2018, the best practice and vendor recommendations of that time were followed. By 2020 the vendor recommendations have changed and certain TLS protocol versions should now be disabled. A vulnerability scan can identify that the application still accepts connections using those protocols.
3. When a new printer, copier or scanner was installed there was no free port, so the technician supplied a mini switch. The switch was left on its default admin password and is connected to the internet.
When the deep scan is completed, we produce a report for each site with recommendations of changes and explanations of the issues found.