Security Operations – Operating Beyond IT Security

Monday, February 27, 2017

- Lars Wittmaack, QuoScient Security Operations Principal Consultant

Recently, three Chinese citizens were charged in the U.S. courts after it was found that they hacked U.S. law firms and then used the stolen information for insider trading that netted them $4 million. This is a prime example of "clever" hackers earning money on the financial market, but not by hacking a bank. It also illustrates the value of law firms to hackers.

Within the financial sector, due to the security requirements that are demanded by financial regulations in the various regional jurisdictions, one of the biggest challenges for organisations is how much to spend on security. Regulators such as the European Central Bank expect security to be an integral part of financial businesses – sometimes with a simple reference to confidentiality, integrity and availability; sometimes with detailed expectations. In any case, the trend is towards a cyber security framework that regulators perform audits against. An essential part of today’s cyber security is threat intelligence and sharing. Besides understanding when and where it would really hurt, and whether the threat is increasing, regulators want to be notified about security incidents and see sharing initiatives as the cornerstone to reducing exposure to financial markets. Compliance can be understood as ticking a box, but it is ultimately about establishing the right people, processes and technologies to minimise financial market manipulation.

These regulatory-driven security requirements feed into the policies and procedures of financial institutions and are a part of contracts and audits with third parties, including law firms. Banks expect partners, such as law firms, to adhere to their institution’s security policies and/or have adequate organisational policies and security of their own to reduce the threat exposure of their business. Typically, banks’ contracts with law firms contain clauses that allow the financial institution to audit their legal services providers.

Policies must, in the first place, meet internal and regulatory requirements. If there is no specific vendor policy or other policy defined by contracts, law firms obviously inherit the security expected from financial regulators. So, for the law firm, it can be tricky – what is the right level of security to have in order to meet the contractual and audit requirements of their bank? In any case, as for any audit, it is essential that law firms are able to factually demonstrate the execution of the policies and controls that were accepted as part of the contract.

From a contract perspective for law firms, it’s about where the liability is; from a compliance perspective, it’s about whether the agreed controls are in place; from a security perspective, it’s about identifying, preventing, detecting and responding to changing threats to ultimately reduce financial market manipulations. This is important as cyber criminals are continuously adopting different tactics to breach security and, today, they are shifting to indirect attacks, as in the Chinese example mentioned above.

Therefore, a Security Operations-led approach is needed, going beyond traditional IT security. In the words of analyst house Gartner: “Security operations centers must be architected for intelligence, embracing an adaptive security architecture to become context-aware and intelligence-driven. Security leaders should understand how intelligence-driven SOCs use tools, processes and strategies to protect against modern threats.”

Intelligence-driven Security Operations covers the full life-cycle of threats so that reactive and proactive threat management become par for the course. It delivers Adaptive Threat Processing encompassing everything from assessing new relevant threats, adaptive controls, detecting manifesting threats, mitigating the impact and monitoring threats and their evolution. A ‘big’ picture, as facilitated by Security Operations, is essential to mitigating threats.

Note: This is a summary of Lars Wittmaack’s presentation at the recent Ascertus Cyberthreat seminar in London.

About Lars Wittmaack

Lars Wittmaack heads up QuoScient's Security Operations Consultancy Services. He has 15 years of experience in the IT Security industry. Lars started his career as security consultant for a company with expertise in cryptography. For six years, he headed a large international financial institution's Security Operations Centre including Security Incident Management.

Thursday, February 16, 2017

What does the cyber threat landscape for law firms look like?

Guest Blog by Rob Dartnall, Cyber Intelligence Director, Security Alliance

Towards the end of last year, Security Alliance published a report entitled: The Cyber Threat Landscape for Law Firms. The overall assessment of the report is that the current cyber resilience of the legal sector does not match the severity of the threat, and further incidents of a magnitude similar to the Mossack Fonseca breach will continue to occur if proactive cyber-defence strategies are not implemented.

Looking at the lay of the land, this isn’t surprising, given the tenacity with which cyber criminals are targeting the legal sector. The report highlights the following:

  • The types of threat actors seeking to exploit law firms range from state-sponsored Advanced Persistent Threat (APT) groups to organised criminal gangs and cyber-criminals

  • APT groups are seeking to extract market-information such as strategic trading and M&A information and are choosing to target law firms as the best route to access this information

  • Cyber criminals are more commonly seeking to extort law firms, with the rising trend of ransomware attacks being of particular concern

  • Law firms frequently find themselves implicated in geopolitical conflicts between two or more countries trying to assert their power over a region

  • There is a lack of sharing of cyber threat intelligence between firms in the UK

I’m delivering the keynote address on this subject at the upcoming Ascertus Seminar, Cyber Threat Landscape for Law Firms on 23 February 2017. My presentation will:

  • Provide insight into the multitude of cyber threats faced by the legal sector, and how threat intelligence can be used to identify, understand and mitigate some of these threats

  • Outline the key tenets of threat intelligence, how it should be defined, and how it should be practically applied in an organisation

  • Clarify some broad categories of threat actors, from the nation states to insiders, and explain why each category may want to target a law firm

  • Highlight case studies where law firms have been targeted by cyber threat actors

  • Explain how future events and trends may impact the severity of the cyber threat to law firms

  • Offer next steps that explain how intelligence sharing, threat assessments and targeted security can help law firms mitigate the cyber threat

The seminar is free to attend; do come along. You’ll leave with a good understanding of the issues involved and actionable next steps for your law firm.

About Rob Dartnall

Rob is a CREST Certified Threat Intelligence Manager (CCTIM) and Cyber Intelligence Director of Security Alliance, a Bank of England certified Cyber Threat Intelligence provider under the CBEST framework. With specialist interest areas of Insider Threat and Nation State Fusion Warfare, Mr Dartnall has unique experience and insight into the threat landscape.

Wednesday, March 1, 2017

Key Takeaways for Law Firms from the Ascertus Cyber Security Seminar

- Roy Russell, CEO, Ascertus Limited

Six industry experts presented at our Cyber Threat Landscape for Law Firms seminar last week, with all broadly agreeing on the key cyber security issues facing law firms and the measures they must take to mitigate the impact on their organisations. The highlights are as follows:

  • Law firms are marked

Several threat actor categories are targeting law firms including Nation State, Organised Crime Gangs (OCGs), Hacktivists and Insiders – each motivated slightly differently. For example, Nation States want to gather intelligence on mergers and takeovers, pinch intellectual property or gain intelligence that offers them a favourable position in trade negotiations. OCGs see great scope in monetising data from law firms – be it by selling insider intelligence to rogue traders or stealing money. Furthermore, different threat actors operate differently in different sectors. As firms develop their cyber defences, it’s wise to incorporate future requirements, looking at the business and threat scenario three to five years ahead.

  • Hackers love email

Ransomware holds the number two spot for malware popularity among criminals. It’s easily delivered via email, the most ubiquitous application in business today, and isn’t too complex to put together. For the same reason, phishing attacks are increasing too. A friendly, legitimate-looking email from the boss explaining via an attached spreadsheet why the individual wasn’t given the desired salary raise is all it takes to infect the employee’s PC. Similarly, criminals are able to easily breach people’s PCs and wider organisational infrastructure such as network shares via attachments such as PDFs, which end-users perceive as ‘being safe’ to send and receive.

‘Herd alertness’ is critical organisation-wide to ensure security. It’s imperative that firms develop cyber-resilience via a combined approach to prevention, continuity and recovery.

  • People and culture are weak links

A vast number of hackers are social engineers, exploiting the vulnerabilities of people and the culture of organisations to breach them for financial gain. Social engineering isn’t rocket science; it requires little technical knowledge, a great deal of patience, people skills and good research. A disgruntled employee could easily be exploited (unbeknown to the individual) by a hacker to gain information that helps breach the organisation, physically or online.

A major blind spot that hackers often manipulate is people’s view that they aren’t important in the firm and hence not a hacker target. A hacker could potentially take advantage of a pre-occupied receptionist to gain important information on the physical security procedures of the organisation to then exploit. Firms must ‘know’ their employees, but also ‘grow’ their own social engineers, educating them in the ways and the mindset of hackers so that they can spot potential breaches.

  • Behavioural analytics is a must

Behavioural analytics can help firms ‘know’ their employees. Data is a law firm’s crown jewels; how and when it is accessed can serve as a strong indicator of security. With behavioural analytics, every employee has a ‘fingerprint’, which can be a tell-tale sign of a potential breach. For instance, a hacker using a litigation lawyer’s ID to access sensitive M&A files on a matter would be instantly flagged up to the IT department as an anomaly, for appropriate action to be taken.

  • Security, legal, privacy and compliance must work together

There are three principles of information security: confidentiality, integrity and availability. Based on these tenets, security, legal, privacy and compliance professionals in law firms must all work together to influence how data is accessed and managed, today and in the future. This approach will grow in importance with trends such as Big Data and regulations such as the upcoming EU General Data Protection Regulation (GDPR).

  • Intelligence-driven security operations are needed

Cyber criminals are continuously adopting new tactics to breach security. Law firms need to adopt a Security Operations-led approach that goes beyond traditional IT security. This approach delivers Adaptive Threat Processing that facilitates a big picture of the threat landscape encompassing everything from assessing new threats, adaptive controls, detecting manifesting threats, mitigating the impact as well as monitoring threats and their evolution.

Over 50 people attended the seminar and the feedback has been excellent with comments including “very interesting”, “very informative”, “excellent seminar” and “good range of presenters and materials”. Watch out for future Ascertus seminars being planned for locations across the UK and Europe.

This blog is based on the presentations by The Security Alliance, iManage, Mimecast, DocuSign, Jenny Radcliffe and QuoScient at the Ascertus Cyber Threat Landscape for Law Firms seminar on 23rd February 2017 at the Bird and Bird LLP auditorium.