Newsletter: 8 September 2020
Essential 8 compliance needed for government business
Hot areas: Application Control / Staff awareness training / Incident response
We have recently been working with many clients who gain mandates and work with Government departments and government enterprises. Increasingly they are being asked to demonstrate their compliance with the ASD Essential 8 framework. The following are some solutions we recommend:
Detection v Prevention – Airlock Digital
Here at Securite we are big fans of prevention and Application Whitelisting (one of the cornerstones of the ASD Essential 8). Airlock Digital is a solution we like very much. Airlock is the only company able to manage Application Control at scale that plays nicely with your EDR solution.
Application control and Application Whitelisting is the number 1 mitigation strategy as directed by the ACSC and the Australian Signals Directorate’s Essential Eight framework. Airlock Digital Application control and Whitelisting platform continues to mature and serve as a comprehensive solution for organisations to use it across their entire environment.
Airlock Digital is an Australian sovereign, purpose-built, application whitelisting and safelisting platform designed to perform application whitelisting at scale, making application whitelisting and blocklisting simple in complex and changing enterprise environments. The platforms allows for creating, deploying and managing application whitelists at a rapid pace, enabling organisations to become secure and compliant, quicker.
What’s new in v4.5 Airlock Digital
Application whitelisting for Linux: New Linux agent support now allows Airlock customers to implement application whitelisting and system hardening on Linux servers and workstations.
Roles and Group-based filtering and restriction: Assign users to only see and manage computers in certain policy groups, useful for managing different teams looking after different servers and workstations, making the management of large user groups significantly easier.
Parent Process Whitelisting & Blacklisting: Administrators can define trusted applications that can be used to execute code on a system, particularly useful for developers that may require the ability to compile and execute unsigned code from a particular application without restriction.
Offline Application Captures: Updates now allow for Application Captures to be performed offline without an Airlock server connection and can be initiated without requiring server access, helping improve the speed and flexibility of capturing applications.
David Cottingham, co-founder of Airlock Digital recently was interviewed on the Risky Biz podcast ( //risky.biz/RB595/ ). Some interesting points raised were:
- They have employed Airlock at scale. Have a 30,000 endpoint customer. Practitioners really like the Airlock solution especially over Microsoft App locker.
- Getting traction in the US in the enterprise space in big Pharma, Broadcasting, Military, Government, law firms and have 120 customers and growing
- EDR is less work with an effective Allow List like Airlock and provides Host hardening
- The NIST certification level 3 Cyber Security Model Maturity requires Application control and Allow listing
- Future releases will have features such as Linux agents and cornel updates and publisher style support for Linux. Configuration auditing on endpoints to spot where Group Policy gaps are.
- Airlock can now restrict categories of users for execution of files. E.g. Restrict Powershell by user or app.
Airlock’s great benefit is its stops execution and blocks executable files early on. Prevention is detection by its nature. Malicious code such as ransomware just won’t execute in the first place. The other aspect we like is Airlock is easy to get up and running at scale. For a demo and trial of Airlock contact Securite today.
Staff Awareness training – Knowbe4
Your employees are frequently exposed to sophisticated social engineering attacks. It is time for a comprehensive approach to effectively manage this problem, managed by people with a technical background. We like Knowbe4 for staff awareness training which provides:
Baseline Testing: Provides baseline testing to assess the Phish-prone percentage of your users through a simulated phishing, vishing or smishing attack.
Train Your Users: The world’s largest library of security awareness training content; including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
Phish Your Users: Best-in-class, fully automated simulated phishing, vishing and smishing attacks, thousands of templates with unlimited usage, and community phishing templates.
See The Results: Enterprise-strength reporting. Both high-level and granular stats and graphs ready for management reports. We even have a personal timeline for each user. ROI board reporting and risk analysis.
Automatic prioritisation for emails: PhishER™ helps your InfoSec and Security Operations team cut through the inbox noise and respond to the most dangerous threats more quickly.
Because phishing remains the most widely used cyberattack vector, most end users report a lot of email messages they “think” could be potentially malicious to your incident response team.
Whether or not you step employees through security awareness training doesn’t change the fact that your users are likely already reporting potentially dangerous emails in some fashion within your organisation.
With the firehose of spam and malicious email that attack your network, some 7-10% of these make it past your filters. With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you not only handle the high-risk phishing attacks and threats, but also effectively manage the other 90% of user-reported messages accurately and efficiently?
Privileged Account Management – Thycotic
We are seeing that many organisations do not know how many privileged accounts that there are on their network and that privileged accounts are often managed manually by keeping a spreadsheet up to date with credentials. This method has the obvious floor that if a hacker can access the spreadsheet then they have free access to everything.
Savvy organisations are deploying PAM tools that integrate with directory services and will manage the passwords for any privileged account or service account, the tool will rotate the passwords based on password policy and will be used by an administrator to log into privileged or service accounts without the admin ever knowing what the password is, this means that when they leave the organisation they can be removed from the directory service and they lose access to all accounts. We like Thycotic for PAM.
Incident Response solution – Sophos Managed Threat Response (MTR)
Few organisations have the right tools, people, and processes in-house to effectively manage their security program around-the-clock while proactively defending against new and emerging threats. Going beyond simply notifying you of attacks or suspicious behaviours, the Sophos MTR team takes targeted actions on your behalf to neutralize even the most sophisticated and complex threats.
With Sophos MTR, your organisation is armed with a 24/7 team of threat hunters and response experts who will:
Proactively hunt for and validate potential threats and incidents,
Use all available information to determine the scope and severity of threats
Apply the appropriate business context for valid threats
Initiate actions to remotely disrupt, contain, and neutralize threats
Provide actional advice for addressing the root cause of recurring incidents
Machine-Accelerated Human Response Built on the Intercept X Advanced with EDR technology, Sophos MTR fuses machine learning technology and expert analysis for improved threat hunting and detection, deeper investigation of alerts, and targeted actions to eliminate threats with speed and precision. This fusion of Sophos’ consistently top-rated endpoint protection and intelligent EDR, with a world-class team of security experts results in what we call “machine-accelerated human response.”
Contact Scott Thomas and Jack Drewe at Securite based in North Sydney for a no obligation discussion, demo and trial of these and more solutions on 02 9957 6666 or firstname.lastname@example.org. Refer www.securite.net.au