Bring Your Own Device
Bring Your Own Device (BYOD) is the model in which, rather than the employer supplying computing devices, employees use their own devices for work. These typically include laptops, tablets and mobile phones, but can also cover desktops for home-office workers and similar equipment. Although it seems a straightforward proposition, the model carries significant risks, including:
- Ensuring adequate minimum standards are met
- Supporting BYOD devices in the corporate environment
- Securing BYOD devices
- Software license management
- Preventing data leakage, both from a leakage of corporate data outside the enterprise, as well as the potential leakage of personal employee data into corporate management systems.
- Acceptable use: define the assets employees have access to from their personal devices
- Minimum required security controls for devices
- Company-provided components, such as SSL certificates for device authentication
- Company rights for altering the device, such as remote wiping for lost or stolen devices
- Software licensing management
- Encryption for data at rest and in transit.
- Higher employee productivity
- Increased employee effectiveness and retention
- Remote access to work data and networks
- Hardware strain is reduced
The BYOD approach is usually implemented in companies with a large number of employees, giving them flexibility and added benefits in protecting and licensing their own devices. BYOD can also be adopted in industries where flexibility and mobility need to be leveraged, such as manufacturing, IoT and the public sector.
While BYOD practices can reduce hardware strain at enterprise level and give employees remote access to work files, they still present an elevated security risk: employees are more exposed to malware attacks, the devices are more likely to be targeted for theft, and employees may be using incompatible software.
Endpoint Detection and Response
The basic principle of EDR is to drastically improve visibility of IT events by turning endpoints into probes and gathering detailed status and activity information that can be correlated, analyzed and processed before, during and after an attack. All the collected data can be fed to local machine-learning models, or fetched and sent to a central location for further enrichment and processing, using the whole environment for intelligent detection and protection. This makes it possible to establish a baseline, assess and contain a situation, or recover from an attack.
- Malicious activity detection and containment: provides early detection of threats on endpoints, facilitates forensics and accelerates containment of attacks.
- Incident-driven security analytics for SOC analysts: reduces investigation time and alert volume by leveraging analytics capabilities for root-cause analysis on a compromised system, and groups related alerts into a single incident.
- Triage: can be used as a tool for data aggregation, system monitoring, event detection and alerting.
- Investigation and training: can be used as a repository of analyses and information about events. In combination with other technologies (e.g. threat intelligence) it adds value for alert investigation, response evaluation and training of security staff.
- Correlation to accurately assess an organization’s security posture and protect it from attacks: once centrally consolidated, all elements can be correlated with other “weather reports” such as threat intelligence feeds, situational data from other managed customers, etc.
- Response actions (such as process kill, containment, user lock-out, etc.) can then be triggered from this central location and pushed to all devices (even unaffected ones) to protect the environment.
- Complexity of integration
- EDR systems do not work on unmanaged devices, which will soon vastly outnumber managed devices in corporate environments
- EDR does not work on unconventional IT devices, such as those in industrial OT environments
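Root-cause grouping of the kind described above (several alerts from one process tree folded into a single incident), as an added illustration that is not code from the original page or any EDR product; the telemetry, process tree and alert names are constructed:

```go
package main

import (
	"fmt"
	"sort"
)

// Event is a simplified endpoint telemetry record as an EDR agent reports it; Alert is empty when no detection fired.
type Event struct {
	Host         string
	PID, PPID    int
	Image, Alert string
}

// Incident bundles every alert on one host that descends from the same root process.
type Incident struct {
	Host, RootImage string
	Alerts          []string
}

// rootOf follows parent links upward while the parent was itself observed; the seen-set guards against PID-reuse cycles.
func rootOf(pid int, procs map[int]Event) int {
	seen := map[int]bool{}
	for !seen[pid] {
		seen[pid] = true
		pp := procs[pid].PPID
		if _, known := procs[pp]; !known || pp == pid {
			break // parent never reported (started before the agent): pid is the root we can establish
		}
		pid = pp
	}
	return pid
}

// Correlate groups alert-bearing events into one incident per (host, root process): many alerts, one analyst case.
func Correlate(events []Event) []Incident {
	procs := map[string]map[int]Event{}
	for _, e := range events {
		if procs[e.Host] == nil {
			procs[e.Host] = map[int]Event{}
		}
		procs[e.Host][e.PID] = e
	}
	byKey := map[string]*Incident{}
	for _, e := range events {
		if e.Alert == "" {
			continue
		}
		root := rootOf(e.PID, procs[e.Host])
		key := fmt.Sprintf("%s|%d", e.Host, root)
		if byKey[key] == nil {
			byKey[key] = &Incident{Host: e.Host, RootImage: procs[e.Host][root].Image}
		}
		byKey[key].Alerts = append(byKey[key].Alerts, e.Alert)
	}
	out := make([]Incident, 0, len(byKey))
	for _, inc := range byKey {
		out = append(out, *inc)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Host+out[i].RootImage < out[j].Host+out[j].RootImage })
	return out
}

// SampleEvents is constructed telemetry: an Office-spawned shell chain on ws01, an unrelated installer alert on ws02, and benign noise.
var SampleEvents = []Event{
	{"ws01", 100, 1, "winword.exe", ""},
	{"ws01", 200, 100, "cmd.exe", "Office application spawned a shell"},
	{"ws01", 300, 200, "powershell.exe", "Encoded PowerShell command line"},
	{"ws01", 310, 300, "rundll32.exe", "rundll32 loading a DLL from user temp"},
	{"ws01", 400, 4, "svchost.exe", ""},
	{"ws02", 50, 1, "chrome.exe", ""},
	{"ws02", 60, 50, "msiexec.exe", "Unsigned installer launched by browser"},
}

func main() {
	for _, inc := range Correlate(SampleEvents) {
		fmt.Printf("%s: root %s, %d alert(s): %v\n", inc.Host, inc.RootImage, len(inc.Alerts), inc.Alerts)
	}
}
```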
Enterprise Digital Rights Management
Enterprise Digital Rights Management (EDRM) is a systematic approach to copyright protection for digital content. EDRM is a combination of identity and access management and encryption. EDRM protects content with the help of encryption by applying protection policies that specify permissions for different users and user groups, to view, edit, download, print, save or forward specified content or types of content.
EDRM restricts unauthorized redistribution of content and other ways in which consumers can copy the content they have access to. Some examples:
- Protection of video-on-demand content.
- Protection of live-streaming content.
- Secure distribution of application licenses.
- Secure exchange of product information (at design phase or during M&A processes).
In the near future, EDRM solutions will likely leverage blockchain and AI-based approaches, which are expected to prove more effective than existing ones.
With online streaming platforms gaining popularity in recent years, Enterprise Digital Rights Management is becoming important to publishers of digital media.
Beyond media content distributors, any industry embracing digital transformation is keen to adopt EDRM to avoid illegitimate use of its intellectual property.
- Conversion of usage policies into access rules
- Interoperability across multiple solutions
- Impact on user experience.
Malware Protection
Any software designed to infiltrate or damage a computer system without the owner’s informed consent can be termed malware. Trojans, viruses, worms, ransomware and other threats are common forms of malware. A malware protection solution should detect this malicious software, stop it and eliminate it. Cybercriminals use social engineering methods and malware implementation techniques to target users. Another technique employed by malware writers is to use various “protectors” or run-time packers to hide the malicious code from inspection, and therefore detection, by basic anti-virus scanners. This is also known as server-side polymorphism, and detection is very difficult in that case. Sandboxing, i.e. running suspicious software in a virtual environment, can restrict the damage to the system and user.
The combination of these techniques in recent attacks highlights the importance of multi-layered security, with solutions deployed at perimeter, application/OS and endpoint levels.
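A defender-side heuristic for the run-time packers mentioned above: packed or encrypted code has near-maximal byte entropy, so a scanner can flag such regions for deeper (e.g. sandbox) analysis. This is an added example, not code from the original page or any product; the sample file, the window size and the 7.0 threshold are constructed:

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"strings"
)

// Entropy returns the Shannon entropy of b in bits per byte (0..8).
// Packed or encrypted code approaches 8; native code and text sit well below.
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Region is a contiguous window of the file classified by its entropy.
type Region struct {
	Offset, Length int
	Entropy        float64
	Packed         bool
}

// ScanRegions splits data into fixed windows and flags those whose entropy reaches
// threshold. Compressed resources (images, archives) also score high, so a hit is a
// triage signal for sandboxing or deeper inspection, not a verdict on its own.
func ScanRegions(data []byte, window int, threshold float64) []Region {
	var out []Region
	for off := 0; off < len(data); off += window {
		end := off + window
		if end > len(data) {
			end = len(data)
		}
		h := Entropy(data[off:end])
		out = append(out, Region{off, end - off, h, h >= threshold})
	}
	return out
}

// SampleFile is a constructed stand-in for an executable: a readable code-like stub
// followed by a pseudo-random block imitating a packed section (fixed seed for reproducibility).
func SampleFile() []byte {
	stub := []byte(strings.Repeat("mov eax, ebx; call unpack_and_jump; ret\n", 100))
	r := rand.New(rand.NewSource(42))
	packed := make([]byte, 4096)
	r.Read(packed)
	return append(stub, packed...)
}

func main() {
	for _, reg := range ScanRegions(SampleFile(), 4096, 7.0) {
		fmt.Printf("offset %5d len %4d entropy %.2f packed=%v\n", reg.Offset, reg.Length, reg.Entropy, reg.Packed)
	}
}
```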
- Block known and unknown file-based malware, without relying on daily signature distribution.
- Detect suspicious and malicious activity based on the behavior of a process.
- Perform static, on-demand malware detection scans of folders, drives or devices such as USB drives.
- Suspicious event data can be stored in a centralized location for retrospective IOC and indicator of attack (IOA) searching and analysis.
- Detections and alerts include severity and confidence indicators, to aid in prioritization.
- Automatically quarantine malicious files.
- Identify changes made by malware and provide the recommended remediation steps.
- Include access to a cloud- or network-based sandbox that is VM-evasion-aware.
- Effectively block threats against the organization
- Minimize serious incidents
- Protect endpoints
- Prevent data loss and downtime
- Firewall protection from spyware and phishing attacks
- Protect secrets such as access codes, passwords, etc.
The main challenge is the plethora of malicious actors who are far ahead of the curve when it comes to engineering new types of malware, who are becoming craftier with their attacks and who constantly refine their attack blueprints. Another threat is poor digital hygiene and untrained staff, which create an elevated risk if proper procedures are not followed.
Application Shielding
Application shielding is a set of technologies that protect an application from the inside, without requiring any external components to be installed on the device. It is a form of protection better suited to high-value applications that run on untrusted devices or operating environments.
- Application Hardening: code obfuscation, white box cryptography, certificate pinning
- Anti-tampering: debugger detection, malware detection, integrity checks, fingerprinting
- Anti-bot technologies identify and block malicious bots based on behavior
- Risk Analysis: collects “attack telemetry” in a back-end system
- Multifactor/OOB Authentication defends against takeover, phishing, password spraying
- Reduce risk from both internal and third-party sources
- Keep customer data secure
- Protect sensitive data from leaks
- Improve trust
- Crucial for Mobile IoT security
Application shielding targets all verticals that need a secure layer of protection for their applications such as: IoT, Media, Business, Healthcare, etc.
Application shielding must be incorporated within the application, which involves the development team rather than the security team. Developers can in some cases be less sensitive to the security implications of software and more focused on application performance.
Browser Isolation
Browser isolation is a cybersecurity model designed to isolate the end user’s browsing activity from their devices and infrastructure. This is usually achieved by browsing in a remote browser, isolated from the user’s physical computer and network.
This approach elevates security for the end user, since many well-known threats such as ransomware and malware can be spread through browser exploits. The mechanism typically uses virtualization or containerization technologies to isolate web browsing activity from the endpoint, which reduces the attack surface for rogue links and files.
Users are provided with a disposable browser environment; when the browsing session is closed or times out, the entire browser is discarded together with all the code and data, malicious or not, that it has encountered, thus protecting the user from known and unknown threats, even zero-day threats.
- Browser isolation can be implemented into a zero-trust security model
- It enables safe access to risky web content
- Protects sensitive data
- Removes the threat of data exfiltration
- Allows more open internet policies
- It deletes any malicious cookies after the session has ended.
All verticals that require internet/web-based access.
Browser isolation can be an expensive endeavor for large organizations with many employees, which makes it difficult to scale up.
Mobile Threat Defense
Mobile threat defense (MTD) solutions protect organizations from threats on iOS and Android mobile devices. In particular, they protect against known vulnerabilities and avenues of attack such as:
- Signature-based malware
- Mobile application vetting
- Network-based risks (MITM, host certificate hijacking, SSLStrip, TLS downgrade)
- Vulnerability assessment of applications and OS versions
- OS level vulnerabilities caused by user actions such as rooting and jailbreaking
- Countering threats
- Content filtering
- Mobile phishing
- Mobile endpoint detection and response (EDR)
- App vetting
- Device vulnerability management
- Protection from malicious URLs without having to perform traffic redirection
- MTD solutions have reached a level of maturity that makes them suitable for wide enterprise adoption
- In addition to innovation to counter the evolving mobile malware, innovation also focuses on improving the MTD user experience on the device, for example, when providing phishing protection
- Certain MTD tools integrate with Microsoft Outlook, Microsoft Office 365 suite, as well as other popular enterprise suites and managed enterprise apps to provide ZTNA functionality on unmanaged devices
- MTD solutions can identify apps that conflict with an enterprise’s security and privacy policies, even when these applications are not malicious
Financial services, insurance, healthcare, government and energy, as well as enterprises with high-security requirements.
- After a period of intense innovation, MTD innovation has slowed down.
- MTD adoption has been slower than predictions, as the industry has waited for highly visible or publicized mobile breaches that did not occur. As mobile security issues have rarely led to spectacular breaches, enterprises adopting MTD sometimes have difficulty in identifying positive impact.
- MTD solutions are often rejected as standalone products.
Next-Generation Antivirus
A major drawback of the traditional antivirus approach is that it can only protect against already known threats, making frequent updates an important part of keeping these conventional defense tools applicable. Another drawback is that such tools are not built to handle all related attack activities once they occur.
For the past few years, antivirus has become, for many CISOs, a synonym for performance degradation, update problems, unexpected outages and deployment struggles.
Next-generation antivirus (NGAV) aims to ease these issues by leveraging the capabilities and in-depth access offered by endpoint solutions and approaches such as EDR, avoiding the pitfalls of traditional antivirus solutions. Updates are less frequent, and even malware unknown at the time of deployment can be detected.
- Identify malicious intent, behaviors, and activities – and once identified, the attackers can be blocked
- Port scan detection
- Virus definition updates
- Malware breakout identification across multiple machines on the same or different subnets
- Proactively detect and identify threats, including never-before-seen malware and exploits, enabling companies to focus on how attackers are approaching and interacting with their enterprise systems and prevent those attacks, instead of just dealing with security-related incidents after the fact.
- NGAV is cloud-based, which allows it to be deployed in hours instead of months and reduces the burden of maintaining software, managing infrastructure and updating signature databases, with automatic sandboxing performed.
- NGAV focuses on events – files, processes, applications, and network connections – to see how actions, or event streams, in each of these areas are related. Analysis of event streams can help identify malicious intent, behaviors, and activities – and once identified, attackers can be blocked.
- If your organization adheres to stringent data privacy policies that require retaining data ownership, NGAV is not an option, as some products are strictly cloud-based with no option to deploy an on-premise management server.
- NGAV attempts to identify never-seen-before malware, a harder, less definitive task that tends to generate a high volume of false positives.
- Testing NGAV: an effective NGAV employs advanced machine learning, data analysis and AI to identify new attack methodologies, classify them as malicious and protect against them. When possible, it is highly recommended to test the capabilities of the NGAV tool under consideration against a set of advanced threats, a task that can require additional resources and time.
Zero Trust Network Access
Zero trust implies that no user or device, whether inside or outside the network, is trusted. In the traditional security paradigm, everything inside the network is trusted.
Zero trust network access solutions require all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously (per request) validated for security configuration and posture before being granted or keeping access to applications and data.
Increasing an organisation’s security posture by:
- Validating users and their devices’ security posture
- Controlling access through granular policy enforcement
- Protecting and encrypting data transactions
- Normalizing the user experience for application access and authenticating users on personal devices.
- Carrying encryption all the way to the endpoints for scenarios where you don’t trust the carrier or cloud provider.
- Providing application-specific access for IT contractors and remote or mobile employees as an alternative to VPN-based access.
- Extending access to an acquired organization during M&A activities, without having to configure site-to-site VPN and firewall rules.
- Isolating high-value enterprise applications within the network or cloud to reduce insider threats.
- Creating secure enclaves of Internet of Things (IoT) devices or a virtual-appliance-based connector on the IoT network segment for connection.
- Cloaking systems on hostile networks, such as systems that would otherwise face the public internet, used for collaboration.
- Dynamic assessment of the access risk, including stepping the access and/or authentication up or down according to the evolution of the user’s and the device’s security risk and posture.
- High time and effort during initial setup.
- Understanding User Access: An organization must have a deep understanding of user access rights from the highest level possible to the bottom of the technology stack.
- Impact on Employee Productivity: A balance will be needed between security enhancement and availability of information to perform tasks.
- Traffic behind the gateway may not be encrypted by the product.
- No vendor currently covers both identity and access management and network segmentation.
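A per-request ZTNA access decision combining user authentication level, device posture and risk-based step-up, added here as an illustration that is not code from the original page or any vendor; the application policy table, posture signals and risk weights are constructed assumptions:

```go
package main

import "fmt"

// Request is what a ZTNA broker sees on each request: identity, authentication
// strength, device posture signals, and the application being asked for.
type Request struct {
	User          string
	AuthLevel     int  // 0 unauthenticated, 1 password only, 2 MFA
	DeviceManaged bool // enrolled in UEM/MDM
	DiskEncrypted bool
	OSPatched     bool
	MTDHealthy    bool // mobile threat defense agent reports no active threat
	App           string
}

// Decision is the broker's per-request answer; StepUp asks the client to complete MFA and resubmit.
type Decision struct {
	Allow  bool
	StepUp bool
	Risk   int
	Reason string
}

// appPolicy is a constructed per-application policy table (not from any product).
var appPolicy = map[string]struct {
	MinAuth     int
	ManagedOnly bool
}{
	"wiki":      {MinAuth: 1, ManagedOnly: false},
	"hr-portal": {MinAuth: 2, ManagedOnly: true},
}

// postureRisk scores the device: each missing control adds an illustrative weight, an active threat the most.
func postureRisk(r Request) int {
	checks := []struct {
		ok bool
		w  int
	}{{r.DeviceManaged, 2}, {r.DiskEncrypted, 3}, {r.OSPatched, 2}, {r.MTDHealthy, 10}}
	risk := 0
	for _, c := range checks {
		if !c.ok {
			risk += c.w
		}
	}
	return risk
}

// Evaluate runs on every request, not once per session, so a posture change
// mid-session (e.g. MTD flags a threat) revokes access on the very next call.
func Evaluate(r Request) Decision {
	risk := postureRisk(r)
	pol, ok := appPolicy[r.App]
	switch {
	case !ok:
		return Decision{Risk: risk, Reason: "unknown application: default deny"}
	case r.AuthLevel == 0:
		return Decision{Risk: risk, Reason: "unauthenticated"}
	case !r.MTDHealthy:
		return Decision{Risk: risk, Reason: "device reports an active threat"}
	case pol.ManagedOnly && !r.DeviceManaged:
		return Decision{Risk: risk, Reason: "application requires a managed device"}
	}
	need := pol.MinAuth
	if risk >= 3 { // weak posture: step authentication up regardless of the app
		need = 2
	}
	if r.AuthLevel < need {
		return Decision{StepUp: true, Risk: risk, Reason: "MFA required for this request"}
	}
	return Decision{Allow: true, Risk: risk, Reason: "granted"}
}

func main() {
	req := Request{User: "alice", AuthLevel: 1, DeviceManaged: true, DiskEncrypted: true, OSPatched: true, MTDHealthy: true, App: "wiki"}
	fmt.Printf("request 1: %+v\n", Evaluate(req))
	req.MTDHealthy = false // same session, posture changed: re-evaluated per request
	fmt.Printf("request 2: %+v\n", Evaluate(req))
}
```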
DLP for mobile
The mobile device offers many messaging and collaboration apps, cloud storage and content sharing, all of which give the mobile enterprise user just as many avenues to lose or exfiltrate data. Mobile DLP vendors have come up with solutions to address the issue, ranging from securely tunnelling mobile traffic to DLP appliances, to agent-based monitoring, monitoring of certain types of traffic, anti-phishing protection as part of an MTD solution, and so on. Capabilities vary from vendor to vendor and can include the number of supported file formats, file watermarking, tracking of data access, OCR support, the communication methods monitored, as well as operating modes that either warn the user that the intended action breaches the DLP policy, block it, or both. A more recent and efficient approach to the existing mobile DLP limitations is integration with a CASB solution, which combines enforcement of DLP policies with restricting access to vetted or sanctioned SaaS applications only. Given the ever-changing and innovative nature of mobile communication apps, mobile DLP will continue to evolve.
- Preventing data loss in motion
- Securing endpoints and protecting data in use
- Protecting data at rest
- Detecting data leaks
- Securing data transfers off the network
- Anti-phishing protection
- Data monitoring
- Data classification
- Prevent accidental data loss/leak
- Address multiple channels of data loss: email, endpoint, etc.
- Prevent phishing attacks
- Help keep track of data on mobile devices
- Compatible with MDM Software
- Can be implemented into a BYOD security Policy
All verticals that require data management: banking, business, healthcare, telecommunications, IT, media.
DLP for mobile requires a strict policy in order to be properly implemented; this policy can contradict business objectives and/or restrict employees’ productivity by slowing down or restricting the data they can work with.
IoT devices security
Estimates of the number of IoT devices in circulation in 2020 range from 20 billion (Gartner) to 33 billion (Harbor Research), and with IDC predicting $1.29 trillion spent on IoT technologies, this is a market that is not going away.
NIST has recommended a three-step approach to consumer IoT adoption (Katie Boeckl) which presumes a level of understanding of IoT, data protection and security far beyond what is reasonable to expect of most organizations, let alone consumers. This means that current standards are unlikely to offer any significant level of protection against the risks posed. IoT adoption requires a comprehensive review and adjustment of organizational policies relating to asset management, business environment, governance, risk assessment, risk management strategy and supply chain risk management, but this process is currently in an embryonic state in many organizations.
- Securing IoT ecosystems and their applications
- IoT Analytics
- Network Segmentation
- Device Authentication
- AI-based IDS systems
- Data protection
- End-to-end ecosystem security
- Local decision/AI
- New business models
- Regulatory compliance
- Data privacy
- New features
The biggest challenges in securing IoT systems and applications are related to the nature of IoT devices. For example, many IoT devices have limited amounts of storage, memory and processing power, making them unable to perform complex encryption or decryption fast enough. Other challenges relate to managing device updates, vulnerabilities, securing communication, and ensuring data protection and availability.
Hardware-based Security
Today there is a broad installed base of hardware-based security solutions in specific markets with high-security requirements. The most common ones are HSMs (Hardware Security Modules). HSMs are a de facto standard in financial institutions as an essential component for securing banking transactions. HSMs are also used in a few other verticals with a need to secure critical applications and data, such as PKI deployments.
- HSMs provide one of the highest levels of security against external threats and help protect against malicious hacks
- Continuous check of component authenticity as well as data and system integrity to prevent manipulation
- Verification of the authenticity of software updates
- Protection of remote access activities
- Robust protection against low-quality, counterfeit spare parts and repair tools
- Hardware-based security is more robust than its software-based counterpart.
- Establishing a “root of trust” starts with trusted software that stems from a hardware-based approach. The only way to guard against attacks that attempt to breach an electronic device’s hardware is to use a secure microcontroller that executes software from an internal, immutable memory. Stored in the microcontroller’s ROM, this software is inherently trusted because it cannot be modified (and is, therefore, the root of trust). This “non-modifiable” and trusted software can now be used to verify and authenticate the application software’s signature.
All verticals with a high-security requirement such as: finance, businesses that require a PKI system in critical areas, defense, etc.
HSMs and other hardware-based security solutions are considered niche solutions, restricted to high-tech/high-budget customers, mainly because they are more expensive than their software counterparts, less flexible, costly to scale and difficult to integrate and use. Those challenges are probably the main reasons preventing widespread adoption of hardware-based security technologies.
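The ROM root-of-trust check described above (immutable code verifying the application software’s signature before handing over control), as an added example that is not code from the original page or any vendor; the image layout, the fused-key-hash scheme and the firmware bytes are constructed assumptions, using Ed25519 from Go’s standard library:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed image layout for this example: [32-byte vendor public key][64-byte
// Ed25519 signature over the payload][payload]. Real secure-boot formats differ.
const hdrLen = ed25519.PublicKeySize + ed25519.SignatureSize

// Rom models the immutable boot code. At manufacture only the SHA-256 of the
// vendor's public key is fused in, so the image may carry the key itself and the
// ROM still cannot be talked into trusting a different one.
type Rom struct{ VendorKeyHash [32]byte }

func NewRom(vendorPub ed25519.PublicKey) Rom {
	return Rom{VendorKeyHash: sha256.Sum256(vendorPub)}
}

// Sign is the vendor build step: produce an image the ROM will accept.
func Sign(priv ed25519.PrivateKey, payload []byte) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, payload)
	img := make([]byte, 0, hdrLen+len(payload))
	return append(append(append(img, pub...), sig...), payload...)
}

// Verify is the ROM boot check: confirm the embedded key is the fused one, then
// that the signature covers the payload byte for byte. Only a verified payload is
// returned for execution; any failure halts the boot.
func (r Rom) Verify(image []byte) ([]byte, error) {
	if len(image) < hdrLen {
		return nil, errors.New("image too short for header")
	}
	pub := ed25519.PublicKey(image[:ed25519.PublicKeySize])
	if sha256.Sum256(pub) != r.VendorKeyHash {
		return nil, errors.New("embedded public key does not match fused hash")
	}
	sig := image[ed25519.PublicKeySize:hdrLen]
	payload := image[hdrLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature invalid: payload modified or not signed by vendor")
	}
	return payload, nil
}

// Scenarios boots three constructed images against one ROM: a genuine image, the
// same image with one payload bit flipped, and an image signed by a foreign key
// (rejected even though it carries a signature that is valid for that foreign key).
func Scenarios() (genuine, tampered, foreign bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	rom := NewRom(vendorPub)
	firmware := []byte("constructed firmware payload v1.0")

	good := Sign(vendorPriv, firmware)
	flipped := append([]byte{}, good...)
	flipped[len(flipped)-1] ^= 0x01
	foreignImg := Sign(attackerPriv, firmware)

	_, e1 := rom.Verify(good)
	_, e2 := rom.Verify(flipped)
	_, e3 := rom.Verify(foreignImg)
	return e1 == nil, e2 == nil, e3 == nil
}

func main() {
	g, t, f := Scenarios()
	fmt.Printf("genuine boots=%v tampered boots=%v foreign-key boots=%v\n", g, t, f)
}
```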
HPC Security by design
High Performance Computing (HPC) was limited to scientific environments in the past, but today its applications have expanded to governments, academia and business in general. As HPC becomes more widely used, the security challenges of HPC implementations will need to be addressed. How will organizations secure multiple HPC nodes working in parallel across multiple regions over fast networks? How will they handle data encryption consistently across multiple HPC nodes, and up to the same processing speeds, without becoming a bottleneck? How will organizations monitor all HPC activity in real time so as to be able to react properly to potential attacks, data breaches or other incidents?
HPC security is still in its infancy and deserves further focus, as well as an industry standard for an HPC security framework.
An obvious solution in any new “HPC Security by design” model will be to leverage HPC for cybersecurity: HPC is the best platform to boost artificial intelligence and machine learning security tools, enabling correlation of vast amounts of event logs at speeds never seen today, or threat simulation and analysis of the whole attack surface in real time.
- Integration with Hybrid Cloud and AI workloads
- Can be used to boost Machine learning and AI security tools capabilities
- Threat modeling & simulation
- Monitoring HPC systems behavior and analytics
- Conduct advanced threat hunting operations
- Develop HPC intrusion detection methods
- Collect and better audit data
- Improved IT infrastructure management and flexibility
- Improved app or infrastructure performance
- Lower compute and storage costs overall
- Greater agility to respond more quickly and capably to workload demands
- Synergizes with AI and ML
HPC systems are no longer limited to the traditional academic research setting and have gained ground in new verticals such as:
- Weather & Environment
- Openness: HPC systems are often used for research and other settings that require relative transparency of the system for collaboration purposes. This, however, can create vulnerabilities.
- Architecture: HPC architecture is typically clustered, which exposes it to risks and usually requires multiple management systems to function, which can halt or slow down the implementation of security policies.
- Monitoring: monitoring data in HPC systems cannot be done in the traditional way because of the volume of data flowing through these systems.
Unified Endpoint Management
Unified endpoint management (UEM) describes a platform that includes both equipment and application management. Tools such as Microsoft Intune and Endpoint Configuration Manager can be used to simplify modern workplace management. A productive environment, where users can work on the devices and apps they choose while the organization’s data is still protected, is now possible.
There is significant diversity in the equipment types being used, and applications are often delivered as apps via SaaS as well as through corporate portals, but these still require appropriate levels of support and security, delivered in a frictionless manner. As a result, it is critical that security and access management of third-party applications are coordinated in a unified manner.
- Mobile device management
- PC management
- Highly secure and/or regulated industries
- BYOD management
- User-centric device management