onShore Security


onSecurity – Governance, Risk, and Compliance

November 4, 2022 By Josh Eklow

Episode 9: Governance, Risk, and Compliance


At the enterprise level, many discussions and decisions about cybersecurity and IT focus on the operational capability of the organization and bad actors that may interfere. As cyber operations become a larger part of business operations as a whole, organizations now must also consider regulatory compliance or risk losing the ability to operate and even face potentially damaging liability.

Chris Johnson, Sr. Director of Cybersecurity Programs at CompTIA ISAO, joins onSecurity to discuss the importance of GRC – governance, risk, and compliance. Though implementation of GRC in an organization may offer some hurdles, this work raises the cybersecurity posture of an organization, making them better able to prevent and resist cyberattacks, as well as comply with regulations, allowing them to continue the work they do and expand into new opportunities.

Filed Under: Compliance, Governance and Risk, onSecurity

Everyone is a target for a cybercriminal

April 7, 2022 By Josh Eklow

The following is an interview by the team at Cybernews. The original posting is available at Cybernews.

Stel Valavanis, onShore Security:
“everyone is a target for a cybercriminal”

Recent global events negatively affected the cyber landscape, urging companies to search for the best ways to shield themselves from various cyberthreats.

Many enterprises, especially small businesses, still believe that they won’t be affected by cyber attackers. After all, cybersecurity requires investment, making it easier to stay unprotected and save money instead. However, if a cyberattack hits, huge financial losses are one of the main consequences.

Implementing cybersecurity solutions, such as managed security services, is never a mistake and should be prioritized.

To better comprehend the importance of cybersecurity, its solutions, and potential threats for businesses, we invited Stel Valavanis, the CEO and Founder of onShore Security – a company that offers managed security services.

What was the journey like since your launch in 1991? How did the idea of onShore come to life? 

Since launching in 1991, and even before onShore existed as a proper company, I’ve been involved in almost every part of Internet service. At one point in the company’s history, we started an ISP business practically overnight to serve clients that would otherwise have experienced a loss in their Internet service. The biggest part of our journey has been our complete shift to security, which began in 2015 and has been what drives us ever since. It was becoming clear that it was the most important thing not only for our clients but for the well-being and freedom of the Internet at large.

Can you tell us a little bit about what you do? What industries do you mainly work with?

Our main service is called Panoptic Cyberdefense. Panoptic means “all-seeing” and that is what we strive to do. Our service monitors your entire network and we ingest data from as many of your systems as we can to develop a full-picture view of your network operations. This data is analyzed and correlated by our expert analysts and then used to further refine your security, detect any anomalies or bad actors, and discover vulnerabilities before they can be exploited. 

One of the industries that we’ve specialized in working with, and these clients were a big part of why we’re focused on security, is banking. It’s perhaps not surprising that they would have high-security standards as they retain valuable data and are considered a profitable target, but they are also subject to regulations that often act as a bellwether for future regulations in other industries.

Similarly, charged with retaining valuable data, providing uninterrupted service, and complying with regulation and oversight, our other main industries are healthcare organizations, educational institutions, and construction firms.

You state that it takes more than just technology to protect your network. Would you like to share more about your approach?

One of the founding principles at onShore Security has been the importance of the human element in technology. The human cannot be automated out of the loop if security is to be up to the highest standards. Augmenting the continuously evolving automation and machine learning, the core of our company is our security analysts, who use their experience, intuition, and creativity to correlate data from a network and see things that a computer cannot. This work by our analysts is often the difference between failure and success for bad actors.

How do you think the pandemic influenced the cybersecurity industry? Were there any new features added to your services as a result?

The pandemic sent many offices home and without much warning. Many companies likely had some remote work policies and supporting security measures in place, but not at the scale that the pandemic made remote work vital to business continuity. Short-term, crisis mitigating measures were put in place that are no longer sufficient, and will not be in the long-term future either. Our company shifted to remote-first at the outset of the pandemic, putting into place proper security to allow our company to be fully operational, with the safety of working out of our office. As we developed these systems, we’ve found that working remotely and setting policy to assume remote work as the standard has actually strengthened our security and increased adherence to security policy. 

As the networks that our clients work on pivot towards being distributed for remote work, our services continue to adapt. Things like multi-factor authentication and better VPN access were immediately in greater demand, but we’re finally seeing a significant shift towards a more advanced EDR offering, as well as more advanced vulnerability management offerings, and in general, something closer to a zero-trust approach over time. We’re finally seeing more organizations get serious about their security policies.

We love this because we’ve been arguing about this approach for a long time. It gives us far greater visibility into clients’ networks and at the same time, raises security posture.

Why do you think certain organizations push cybersecurity to the background, despite the growing rates of cybercrime?

Some organizations still believe that they are not the kind of organization that would be considered a target for cybercrime, but unfortunately, this is wishful thinking. Our experience shows that everyone is a target and bad actors expend so little effort in attacks that they don’t have to be choosy about targets.

Many companies see cybersecurity as a large investment and instead opt to remain in danger and hope for the best, though industry regulation is inspiring most companies to at least comply with basic security regulation.

I believe that many larger companies falsely assume that they are protected from harm because they have cybersecurity insurance policies. While cybersecurity insurance is certainly a helpful thing to have in case of a cyberattack, it does not begin to cover the cost of the disruption and impact of a cyberattack, nor will it fix the underlying problem of weak cybersecurity posture. There are growing implications outside of the organization that will not be addressed by insurance coverage, such as impact to clients, vendors, trade secrets, and other things that are susceptible.

Even though it may seem that large organizations aren’t being put out of business by cyberattacks, the damages are way more wide-reaching than is commonly understood. Of course, having proper protection in the first place is a good way to avoid much of this threat and to be ready for what new threats emerge.

We expect insurance companies to enforce much stricter requirements on their clients’ cybersecurity posture in the future and this will likely change the way things are done.

In your opinion, what are the worst cybersecurity habits that can do serious damage to one’s company?

At every level of the company, one of the biggest vulnerabilities to your cybersecurity is your employees. Employees often have bad habits when it comes to cyber hygiene, things like opening suspicious emails, ignoring password policy, and other little things that are the responsibility of all employees. These little things can be the cause of a large, damaging cyberattack. Management and remediation of bad security hygiene is a very quick, easy, and cost-effective process that your organization can undertake that will make a difference immediately. Having proper security policies in place, training for all employees, and a way to detect compliance reduces this threat to your office.

The other bad habit is when people assume that the Cloud is inherently secure or safer. Ever hear the saying that “the cloud is just someone else’s computer”? Well, it’s true and your lack of visibility into the security of your cloud provider may actually make you less secure. This assumption of security seems to extend to many vendors, and it’s a reason we’re always trying to highlight vendor risk management as a vital security tool.

As remote work becomes the new normal, what are some of the best practices organizations should follow to ensure secure operations?

Security is a process, not a product. The process should be dictated by, and to a good extent encoded in, policy. Developing and tuning your policies and procedures will give you the biggest bang for your buck.

One policy practice is to implement multi-factor authentication wherever you can on your network. This will ensure that your employees will only have access to the parts of your network they need and when they need it. Tools, such as authenticator apps and hardware keys, add this layer of security. Another important policy for remote workers is to maintain the same good security hygiene that they would at the office. A good data management policy for the office should be followed strictly at home as well. Clean desk, clean screen policies should still be in place and internal communication should be restricted to secure channels. Out-of-band communications should be deterred whenever and wherever possible.

In your opinion, what kind of threats can we expect to see more of in the next few years? What actions can individuals take to protect themselves?

Especially considering current events in the news, there is reason to believe that attacks deriving from foreign state-funded sources will continue and may grow in scope. It’s worth remembering that some of this visible growth was unintentional and actually caused the downfall of several hacking entities. I believe that world events, such as war, climate change, and future global pandemics, will be a big source of threat to nation-states, so expect increased espionage and even something like a cyber cold war which one could argue we’re already in.

Cybercrime will continue to grow and sophistication will increase. As the gap between proper defense and most companies’ security posture slowly closes, hackers still have a wide berth of vulnerability in which to attack. Expect attacks to increasingly occur in the form of carefully considered disruptions, such that backup practices are no longer adequate for recovery. Expect the criminal financial ecosystem to become more resilient to law enforcement investigations. Expect new forms of monetizing cyberattacks, such as blackmailing for disruption or attacking weaker parts of the supply chain.

Regulations will continue to grow and compliance will be a much larger part of your organization’s workload.

The role of cybersecurity insurance is going to change. We’ve already seen the cost of insurance policies grow by multiples. Insurance companies will become stricter about qualifications for insurance policies in the first place and for claims.

And finally, what’s next for onShore?

We continue to develop our product to meet the security demands of our clients and the business world. Our Panoptic Cyberdefense platform evolves as our clients’ networks change and we have bolstered our other offerings, such as our newly re-engineered Continuous Vulnerability Management service.

New regulations will mean new priorities for our clients, and we are planning and preparing to lead their organizations through the increasingly dense web of compliance.

We are also constantly considering new best practices and providing thought leadership in the security space. For example, we’ve been part of a growing call for zero-trust practices in cybersecurity, which is especially relevant in this new normal.

Filed Under: Cybercrime, Cyberwar, Governance and Risk, Guest Blog

onShore Security Launches New Vulnerability Management Offering

March 17, 2022 By Josh Eklow

onShore Security relaunches vulnerability management services, massively expanding the previously offered service. Vulnerability management is necessary for organizations today and required by all cybersecurity compliance frameworks. This newly launched service goes way beyond standard Common Vulnerabilities and Exposures (CVE) scanning, ingesting policies, configurations, and full cloud assets with an automated continuous scan, all incorporated into our Elastic cluster for correlation. Unlike its competitors, onShore Security’s service includes a monthly analyst briefing. The briefing helps organizations make sense of the findings and provides insights that other providers overlook. On top of that, these features are fully integrated with our Elasticsearch-powered Panoptic SIEM®.

Steve Kent, CTO of onShore Security, said, “By correlating found vulnerabilities with system and network activity, we can prioritize critical patches within specific environments, and help reduce our client’s risk exposure – both in the immediate and long term.”

“This is a complete revamp of our CVMaaS offering,” Stel Valavanis, CEO of onShore Security adds. “Because vulnerability management, beyond just regular scanning, has risen to the level of a required GRC [Governance, Risk, Compliance] process for enterprise, we’ve added continuous scanning and full analytics via our Elastic Stack big data platform. Add to this much deeper inspection of AD, GPOs, Azure configurations, etc., and you get a whole other level of offering that begs for a new name.”

To find out more about this new service, go to www.onshore.com/continuous-vulnerability-management/.

Filed Under: Chicago security monitoring, Compliance, Cyber Security, Governance and Risk, Vulnerability Management

Game-Changing FDIC regulations will make us safer

March 10, 2022 By Josh Eklow

– Stel Valavanis

Arlington FDIC office

In today’s dangerous world of omnipresent cyber risk, it’s difficult to believe that a banking organization could experience a cyber security incident with no requirement to disclose it. But that has been the case, until now.

The FDIC is enforcing new guidelines beginning this spring for how information is shared about cyber incidents. The new regulation, called the Final Rule, states that banking organizations need to notify their primary federal regulator of any significant computer-security incidents as soon as possible and no later than 36 hours after the banking organization has determined that a cyber incident has occurred.

These notifications will now be required when incidents have the following attributes:

  • An incident has materially affected, or is likely to materially affect, the viability of a banking organization’s operations
  • The banking organization cannot deliver its usual banking products and services to customers 
  • The incident has the ability to affect the stability of the financial sector

Additionally, the FDIC notes that when it has been determined that a computer security incident has materially affected, or is likely to affect, an organization’s customer base for four or more hours, customers must also be notified. This rule is set to go into effect on April 1, 2022, allowing banks to comply by May 1, 2022. Clearly this is not an easy task even for organizations with more mature cybersecurity, but it is necessary and here’s why.

Proper detection needs to be available in order to comply with these regulations. The notice of a cyber incident cannot be made if the breach is never detected in the first place. Organizations need to deploy necessary cybersecurity to be vigilant of these threats. Even with cybersecurity present, if a breach is made, accurate information needs to be reported to those who can fix it. This information can be used to better protect areas that have shown vulnerability. Data needs to be properly collected, analyzed, and modeled in order to fully understand what a possible attacker may want. Data allows analysts to do forensics and be better prepared for future incidents that may occur.

The faster that these incidents are reported, the less damage an organization, as well as those affiliated with that organization, will suffer. A swift and informed response indicates to customers and shareholders that they are in good hands. Taking control of a cyber incident as fast as possible is crucial. The FDIC implementing this policy is a great step in both highlighting and preventing cybercrime. The more visible these threats are, the more serious organizations will take them.  

Through the implementation of this new rule, increased visibility in the financial space will occur. The knowledge of what data might have been breached and how that affects individuals can lead to more informed decisions by both the consumer and the banks themselves. An emphasis on knowledge sharing can allow organizations to run more effectively. Additionally, this visibility provides information to vendors of these banking organizations. Banks have a variety of vendors that they need to disclose this information to. The faster a bank handles these issues, the faster associated vendors can minimize damage to themselves.

While this new rule appeals directly to customers and vendors, banks themselves may be hesitant about the 36-hour rule. For one, these organizations have reputations to uphold, and a cyber incident occurring could affect how the general public sees them. They have shareholders and large clients that they need to keep happy, and a cyber incident could lead to a loss of trust. Additionally, complying with such stringent policies could be a burden on the IT department of these institutions. If an organization’s cybersecurity team is not well structured, it could be an overwhelming task. Insurance rates could also dissuade banking organizations from disclosing their incidents. They have an incentive to keep insurance companies unaware of the possible attacks they have faced.

This regulation is coming a bit late; frankly, the fact that without this regulation a banking organization could have had a cyber incident without disclosing it is appalling. I truly believe this regulation will have an impact: these organizations will step up their policies and procedures, hold data longer and in a more usable way, and perform tabletop exercises to make sure their incident reports are done well. These organizations will provide an even playing field for customers, vendors, and shareholders for they have to make these decisions. Let’s hope we see more smart regulation like this in the future.

Photo Attribution: Coolcaesar at English Wikipedia

Filed Under: Compliance, Cybersecurity in Banking, Governance and Risk

Governance for SMB – MSP 1337 Podcast

February 2, 2022 By Josh Eklow

onShore Security Governance and Risk Specialist Sarah O’Kelley was a recent guest on the MSP 1337 Podcast, hosted by Chris Johnson.

Almost every time I do a security maturity assessment, I find that companies are the least mature in Governance. The areas that seem to need the most attention are Policy and Compliance, which is to be expected since that is the area we least like to focus on. In this episode, Sarah O’Kelley from onShore Security and I discuss the differences between governance and leadership and how cybersecurity plays into the leadership and health of an organization.

Filed Under: Governance and Risk

312-850-5200

216 W. Jackson Blvd.
Chicago, IL 60606

info@onShore.com
