How Spalding University Strengthened Security and Achieved GLBA Compliance

As privacy and compliance demands in higher education grew more complex, Ntirety’s customer sought a trusted partner to enhance its security posture and meet the requirements of the new Gramm-Leach-Bliley Act (GLBA).

The Challenge: Meeting GLBA Compliance

Spalding University’s small IT team had already prioritized security with a managed firewall service. However, the introduction of new GLBA requirements underscored the need for more robust and proactive security measures to achieve compliance by the looming deadline.

“We were always going to outsource this. An operation that’s 24/7 with a small team is not really possible. We need a good partner to provide around the clock service and help monitor because we can’t be in front of monitors all day, every day.” – Ezra Krumhansl, CIO, Spalding University.

After evaluating multiple managed service providers, Spalding chose Ntirety for its deep expertise and robust solutions across IT areas.

Proactive, Comprehensive Security

To strengthen Spalding’s security posture, Ntirety implemented Next-Generation Firewalls, Managed Detection and Response with Endpoint Protection, and log ingestion with 24x7x365 monitoring. Monthly cybersecurity training for employees, including Ntirety’s Email Security and Phishing Awareness Training, fulfilled a key requirement of the GLBA and empowered staff to recognize and prevent threats. 

These solutions delivered advanced threat detection and response, actionable alerts, granular reporting, and improved visibility. Spalding achieved GLBA compliance, reduced risk, and maximized the efficiency of their small IT team while focusing on mission-critical activities.

Discover the Full Story

Curious to learn more about how Ntirety transformed Spalding University’s security posture? Read the full case study here.

See How a Leading Airflow Product Company Modernized Its IT Infrastructure and Strengthened Security

A pattern common across Ntirety’s customer base is growth over time that outpaces infrastructure, opens security gaps and leaves data models outdated. This was true for a leading provider of industrial airflow solutions during its rapid global expansion. The company’s rapid growth exposed weaknesses in its IT infrastructure and created related challenges.

Barriers to Scale

The company’s technology infrastructure struggled under an increased workload, leading to high latency, database issues, production outages, and compliance challenges. Its IT leaders realized the company needed hosted infrastructure that would drastically improve performance for its enterprise resource planning (ERP) and database applications and accommodate its growth. Additionally, they wanted highly responsive application support, backed by proactive security threat identification and remediation. With an IT team of fewer than 10, the company’s in-house resources were stretched thin to tackle all facets of this project.

Partnering for Success

Bluewave, the company’s trusted technology advisor, stepped in to help. Bluewave’s experienced technologists assessed the company’s technology portfolio and recommended Ntirety. Ntirety’s comprehensive solutions across cloud infrastructure, security, compliance, and data were exactly what the company needed to modernize its infrastructure, strengthen security, and meet regulatory compliance.

Achieving High Performance and Availability

Ntirety worked closely with the company to provide a holistic solution across the IT stack. The company selected Ntirety’s Private Cloud and Managed Database Services as the solutions to modernize its infrastructure and databases. To keep its infrastructure secure, the company also opted for Managed Detection and Response Service (MDR) to gain proactive network monitoring 24x7x365.

The result? A highly available, secure, performant system with significantly improved uptime and no production outages. The company now enjoys a stable, resilient IT environment that supports its continued growth, while Ntirety’s Managed Services relieves the burden on its in-house team, freeing it up to focus on business growth.

Want to learn more about how Ntirety transformed this customer’s IT infrastructure and positioned them for future success?

Read the full case study here.

How to Align Your Cybersecurity Strategy with the NIST Framework

In today’s digital age, cybersecurity is more critical than ever. Cyber threats are constantly evolving, and organizations of all sizes must be proactive in protecting their data and systems. Implementing the NIST Cybersecurity Framework is one of the most effective ways to enhance your cybersecurity posture.

What Is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a set of guidelines and best practices designed to help organizations manage and reduce cybersecurity risks. Developed by the National Institute of Standards and Technology (NIST), this framework is widely recognized and used by organizations across various industries to improve their cybersecurity defenses.

Key Benefits of the NIST Framework

  1. Comprehensive Coverage: The NIST framework covers all aspects of cybersecurity, from identifying potential risks to responding to and recovering from incidents. This comprehensive approach ensures that no part of your cybersecurity strategy is overlooked.
  2. Customizable to Your Needs: One of the strengths of the NIST framework is its flexibility. It can be tailored to fit the specific needs and resources of your organization, regardless of size or industry.
  3. Alignment with Business Goals: The framework helps align cybersecurity efforts with your organization’s business objectives. This ensures that your cybersecurity strategy supports and enhances your business goals rather than hindering them.
  4. Improved Risk Management: By following the NIST framework, organizations can better identify, assess, and manage cybersecurity risks. This proactive approach helps in prioritizing and addressing the most critical threats.
  5. Enhanced Incident Response: The NIST framework includes guidelines for responding to and recovering from cybersecurity incidents. This ensures your organization is prepared to handle incidents effectively, minimizing damage and reducing recovery time.
  6. Compliance and Best Practices: Implementing the NIST framework can help organizations comply with regulatory requirements and industry standards. It also ensures that you are following cybersecurity best practices recognized globally.

How the NIST Framework Works

The NIST Cybersecurity Framework is organized into five core functions:

  1. Identify: Develop an understanding of your environment to manage cybersecurity risk to systems, assets, data, and capabilities.
  2. Protect: Implement appropriate safeguards to ensure the delivery of critical services.
  3. Detect: Develop and implement activities to identify the occurrence of a cybersecurity event.
  4. Respond: Be prepared to act regarding a detected cybersecurity event.
  5. Recover: Maintain plans for resilience and restore any capabilities or services impaired due to a cybersecurity event.

These functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.

Why Adopt the NIST Framework?

Adopting the NIST Cybersecurity Framework is a strategic move that can significantly strengthen your organization’s cybersecurity posture. It provides a structured approach to managing cybersecurity risks and ensures that your efforts are comprehensive, effective, and aligned with your business goals. By implementing the NIST framework, you can enhance your organization’s resilience against cyber threats and ensure that you are well-prepared to handle incidents that may arise.

How to Align Your Organization with the NIST Framework

Ntirety has developed a self-service, online security assessment to help organizations identify and address cybersecurity gaps and risks. The free assessment consists of 10 questions aligned with the NIST framework, covering the key areas: Identify, Protect, Detect, Respond, Recover. Upon completion, you’ll receive a comprehensive report with tailored recommendations for each area, prioritized to help you tackle the most critical gaps first. This report is an excellent first step in upgrading your organization’s cybersecurity posture.

Click here to take the assessment and get started.

Ntirety is the leader in comprehensive managed services, partnering with organizations to modernize and secure today’s complex IT environment. Ntirety’s solutions span cloud infrastructure, cybersecurity, data, and compliance, connecting mission-critical data across highly secure, available, and resilient environments.

If you’re looking to take the next steps in understanding and implementing the NIST CSF for your organization, the experts at Ntirety can help. Request a consultation to get started.

The CrowdStrike Impact and the Ntirety Response

By Steven Spence, SVP Customer Operations, Ntirety

Businesses around the globe experienced major disruptions to their IT stacks on July 19, 2024 due to a CrowdStrike update. Ntirety would like to take a moment to inform customers how we approached this challenge on their behalf.

The Cause of the Outage

According to CrowdStrike, the outage was caused by a defect found in a Falcon content update for Windows hosts. Ultimately, this was caused by a bug in their validation software and a process error with their Rapid Response Content release testing. CrowdStrike has pledged to improve in both of these areas.

While we’ve all experienced impact from issues around people, process, or hardware failures, for managed services providers like Ntirety, ensuring the security and stability of customers’ IT environments is the top priority. The cause of the recent global disruption highlights one of the challenges of protecting even the most secure IT systems.

The Ntirety Customer Experience

Fortunately, the CrowdStrike incident had no effect on the Ntirety Security Services technology stack and customers utilizing the full Ntirety Managed Security Services experienced no disruption in service.

The primary benefit to Ntirety customers during this event is that Ntirety is not just a Managed Security Service Provider (MSSP) but also an award-winning Managed Service Provider (MSP), managing not just security services, but also infrastructure. What this means is that customers are able to utilize their own tech stacks and, should that technology fail, Ntirety is there to provide support and recovery services. Some of our customers do utilize CrowdStrike applications within their environments. For these customers, Ntirety supported remediation efforts as they became available.

Ntirety Support Engineers worked with our customers to remediate the impact during this outage. For those customers who rely on Ntirety’s Monitoring Insights platform, Ntirety notified affected customers as applications became unresponsive, even as remediations were simultaneously occurring based on runbooks designed in conjunction with these customers. Conference bridges were available where necessary, and engineers worked around the clock until all customers impacted were back online and running fully.

As a customer, when an incident of this magnitude occurs, it’s understandable to ask yourself, “What could I have done differently to avoid being impacted?”

The CrowdStrike defect was not caused by a cyber incident or a product quality issue. It was related to a process issue that CrowdStrike is taking steps to remediate. Responsible technology suppliers take quality control issues very seriously, and issues like the recent outage are extremely rare.

The Ntirety Commitment to Customers

As a Services company entrusted with critical systems and data, we at Ntirety deeply value our customers and are invested in their continued success. We state our commitment via a Customer Pledge that we take very seriously:

  • Put Customers and Partners first. Always.
  • Deliver peace of mind continually and rapid resolution, if necessary.
  • Invest in world-class systems and people.
  • Innovate with performance and value in mind.
  • Be transparent.

Here is how we put these commitments into practice.

Comprehensive Security Services
Our comprehensive suite of managed security services is designed to ensure your systems always remain secure and operational.

Rapid Response
When disruptions occur, the Ntirety team addresses issues immediately, minimizing downtime and maintaining business continuity.

Proactive Management
Our 24x7x365 Security Operations Center (SOC) constantly monitors for potential threats, quickly identifying and resolving issues to prevent disruptions.

Unmatched Expertise
Our cybersecurity experts bring deep knowledge and experience, providing the highest levels of service.

In today’s interconnected world, having a trusted and responsive Managed Service Provider (MSP) is not just a competitive advantage—it’s a necessity. With Ntirety, you can rest assured that your system and security needs are in capable hands, empowering you to focus on what you do best: running your business.

To learn more about Ntirety Managed Services, schedule a consultation.

The Evolving Role Of Cybersecurity Operations In A Rapidly Changing World

Today’s evolving cyber threat landscape poses a significant challenge to organizations around the world. With the emergence of nefarious AI-powered threats and state-sponsored entities, the security industry finds itself at a crossroads. From sophisticated cyberattacks to internal vulnerabilities, threat complexity is escalating and creating pervasive and multifaceted risks. This environment requires innovative solutions, prompting a shift in traditional security paradigms towards a more integrated, data-driven approach.

Security Silos No More

The days of siloed security operations are behind us. Cybersecurity is now a critical conversation occurring at the highest levels of business and being intricately woven into every facet of operations. Amidst this paradigm shift, terminology has evolved, moving from ‘security’ to ‘risk and resilience.’ The emerging lexicon underscores the strategic role comprehensive security must play in safeguarding an organization’s bottom line.

As this transformation in business security gains momentum and efficacy, it indicates a positive evolution in security practices. It also emphasizes the necessity for security professionals to possess a keen understanding of business dynamics. Security strategies now demand a holistic view that spans the entire organization and IT infrastructure, not only to protect against threats but also to enhance business activities and demonstrate tangible value from investments in security technologies and solutions.

Navigating Internal and External Threats with Agility

The current security landscape is exceedingly complex. Organizations must contend with external hackers and internal employees who misuse resources (consciously or unconsciously) or engage in nefarious activities. The adoption of zero-trust models and emphasis on identity threat management in the face of these risks exemplifies a shift towards more sophisticated, data-driven security practices. These approaches not only defend against known threats, but also anticipate and mitigate potential vulnerabilities from within.

Security operations have pivoted as a result, and are embracing business intelligence tools and data to shape priorities, strategy, and decision-making. This shift away from traditional methods reflects the growing sophistication of enterprise security leaders, and their adeptness at translating data into actionable insights.

Beyond Traditional Defenses: Embracing Comprehensive Security

Modern security has evolved from a peripheral concern to a central element of strategic business planning. The harsh reality is that companies can now face closure due to a security breach, as demonstrated by numerous unfortunate instances. This shift signifies a transition from conventional security protocols to a comprehensive security model that integrates every facet of organizational operations. This model surpasses mere defense against attacks; it aims to establish an ecosystem where security is deeply ingrained in the fabric of business processes. Through such integration, organizations enhance their ability to effectively anticipate, respond to, and recover from cyber threats.

The Elusive Cybersecurity Nirvana

Technological advancements, such as artificial intelligence (AI) and machine learning (ML), have revolutionized security monitoring. These technologies enable organizations to detect and respond to threats more efficiently by analyzing vast amounts of data to identify patterns and predict potential security incidents. Comprehensive security encompasses a multifaceted approach that extends beyond these technological defenses to include policy, governance, and human factors. It blends business acumen with security expertise, integrating solutions into an interconnected system that supports business continuity and creates value.

Yet achieving this cybersecurity excellence, or “Nirvana,” can be challenging. Some organizations lack the staff or strategy needed for effective implementation. Partnering with external service providers can bridge these gaps, as partners can embed a cybersecurity culture across the entire IT stack, beyond just the outer defensive layers. While many vendors focus on point solutions, organizations should seek partners capable of managing the entire stack from data and infrastructure to embedding security and compliance throughout the organization.

Building a Resilient Future

In today’s cyber world, security operations are constantly in motion, and the need for a holistic, adaptive security strategy has never been more pressing. As organizations navigate the intricacies of the threat landscape, cybersecurity success will be defined by an emphasis on risk and resilience, alongside a proactive, data-driven approach. This integration of security monitoring services within a comprehensive security framework represents a pivotal shift in how organizations approach cyber defense. By seamlessly combining advanced monitoring capabilities, strategic planning, and a profound understanding of business operations, organizations can establish a resilient security posture. Such a posture not only safeguards against existing threats, but anticipates and mitigates future challenges.

To achieve success, organizations must also embrace humility in acknowledging their limitations and seek assistance from comprehensive security providers. Avoiding the temptation of siloed point products, organizations should prioritize partnering with providers capable of managing the entire stack. This collaborative approach ensures a cohesive and robust defense against the dynamic landscape of cyber threats.

Looking for support in combating all the internal and external cyber threats your organization faces? Contact us to get started.


This article was originally published in Forbes.

Election 2024: Championing Proactive Cybersecurity To Fortify National Security

The 2024 election presents a pivotal moment for national security, particularly through the lens of cybersecurity. Amid widespread discussion on the perceived shortcomings of United States presidential candidates, a policy domain with the potential for broad consensus emerges: cybersecurity. This issue transcends political divisions, posing a universal challenge to advocates of peace and democracy across the political spectrum. It offers a unique opportunity not only to unite with allies, but to extend olive branches to global adversaries through cooperative efforts.

As we explore our national priorities and hopes for the future, the forthcoming election brings the significance of cybersecurity policies to the forefront. It demands that candidates clarify their positions on adopting proactive cybersecurity measures. Cybersecurity is not only central to national security dialogues but increasingly affects our day-to-day activities, requiring that we delve into the specific policies, practices, and technological innovations that define an advanced cybersecurity strategy. This strategy is crucial not just for presidential hopefuls, but for gubernatorial, mayoral, and congressional candidates. Related discussions should underscore the critical need to employ technology and foster policy-led partnerships to develop a robust digital infrastructure that is proactive, resilient, and ready to tackle the cybersecurity challenges of tomorrow.

Advocating for Proactive Cybersecurity Measures

Advocating for proactive cybersecurity measures is pivotal, as is emphasizing prevention over reaction. This approach entails several critical policies and technologies, which candidates can champion in their platforms:

  • Comprehensive Risk Assessments: Regular, in-depth evaluations of government and critical infrastructure networks are essential to uncover vulnerabilities and anticipate threats.
  • Early Adoption of Emerging Technologies: Commitment to the latest advancements, such as Artificial Intelligence (AI) and Machine Learning (ML), is crucial for predictive threat analysis, anomaly detection, and orchestrating automated responses.
  • Strengthening Cyber Hygiene: Advocating for stringent cyber hygiene practices across both government entities and the private sector is vital. This means ensuring regular software updates, implementing strong password policies, and conducting thorough employee training programs.

The value of AI and ML in supporting the shift from reactive to proactive cybersecurity cannot be overstated. By integrating these technologies into national cybersecurity strategies, candidates can support key activities:

  • Automated Threat Intelligence: Leveraging AI to sift through global threat data enables the anticipation and neutralization of cyberattacks with real-time defense mechanisms.
  • Behavioral Analytics: Utilizing ML to scrutinize network behavior allows for the identification of anomalies that could signal potential threats, facilitating early intervention.
  • Enhanced Incident Response: AI enhances the development of rapid and more effective response strategies, significantly mitigating the repercussions of any breaches.

Safeguarding Porous Cyber Borders

Protecting against the permeability of cyber borders necessitates a multifaceted approach that combines technology with human insight. This approach is underpinned by a commitment to a robust security culture that acknowledges our collective responsibility in upholding high security standards through:

  • Education and Awareness Programs: Enhancing cybersecurity knowledge at all levels of education and providing continuous training for both government personnel and the general populace.
  • Encouraging Responsible Innovation: Promoting the integration of ethical considerations and security measures in the development of new technologies and digital services.

Despite the internet’s borderless nature, the definition and protection of cyber borders are imperative. Candidates should advocate for international collaboration and frameworks that extend cybersecurity efforts beyond national boundaries, including:

  • Global Cybersecurity Alliances: Strengthening alliances with global partners to facilitate the exchange of threat intelligence, share best practices, and orchestrate coordinated responses to cyber incidents. This initiative should also consider building cybersecurity partnerships with political adversaries, potentially as a cornerstone of future trade agreements.
  • Regulatory and Legal Frameworks: Developing comprehensive laws and international agreements aimed at bolstering cross-border cooperation in cybersecurity operations and the prosecution of cybercrime.
  • Public-Private Partnerships: Encouraging a synergistic relationship between government agencies and the technology sector, leveraging the latter’s innovative capabilities and responsiveness to effectively address cybersecurity challenges.

Prioritizing Cybersecurity to Secure our Digital Future: A Call to Action for Candidates

As we approach the 2024 election, the importance of cybersecurity cannot be overstated. The outlined strategies and policies represent a blueprint for national resilience in the face of digital threats to our banking sector, our health care sector, and even our emerging electric vehicle sector.

This is a call to action for the top presidential candidates to prioritize and articulate robust cybersecurity platforms. By choosing a proactive cybersecurity approach, emphasizing comprehensive risk assessments, leveraging AI and ML technologies, promoting global cooperation, and fostering a culture of security, candidates can demonstrate their commitment to safeguarding our nation’s digital infrastructure.

This commitment will not only enhance national security, but provide voters with a clear basis to assess which candidate is best equipped to navigate the complexities of our modern cyber landscape. It’s imperative for leading figures to embrace these principles, showing preparedness to lead and protect, as so many of our future innovations are at stake. As voters, we must demand dedication to cybersecurity from our future leaders, recognizing that the safety of our digital future hangs in the balance.

Need to better prioritize cybersecurity within your organization? Contact us to get started.


This article was originally published on Forbes. Please follow me on LinkedIn.

Balancing Transparency and Practicality Amidst CISA Call for Enhanced Cyber Incident Reporting

The Cybersecurity and Infrastructure Security Agency (CISA), led by Director Jen Easterly, made a compelling case for increased cyber incident reporting in late 2023. While the intent behind this initiative is commendable – and the need for improved cybersecurity measures evident – it’s crucial to critically assess the proposed approach and its potential implications, as it could become a double-edged sword for organizations.

The Urgency of Cyber Incident Reporting

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) due to the escalating scale, sophistication, and impact of cybersecurity threats. Organizations, critical infrastructure, and governments continue to face looming risks across the digital landscape, and timely detection and response are pivotal in mitigating the damage caused by cyber incidents.

Easterly’s push for mandatory incident reporting aims to address this challenge by fostering transparency and information sharing among organizations. The rationale is that by collecting and analyzing data on cyber incidents, CISA can offer better guidance and support to organizations, enabling them to bolster their defenses and respond more effectively to attacks.

This much-needed initiative has been anticipated for some time, signifying a union between the private sector and national organizations. However, the adoption of such a standard is a journey that must acknowledge certain realities.

The Potential Challenges

There are several potential challenges associated with mandatory cyber incident reporting that merit consideration:

  1. Compliance Burden: Requiring all organizations, regardless of size or industry, to report every cyber incident can create a significant compliance burden. Smaller organizations with limited resources may struggle to meet reporting requirements, diverting their attention and resources from other cybersecurity efforts.
  2. Data Security Concerns: Sharing sensitive information about cyber incidents raises concerns about data security and privacy. Organizations may be hesitant to disclose details of a breach that could expose them to legal or reputational risks. Striking a balance between transparency and data protection is a delicate task.
  3. Potential for Misuse: The information collected through mandatory incident reporting could be misused if not handled carefully. It might inadvertently provide cybercriminals with insights into vulnerabilities, tactics, and targets. There is also a risk of sensitive information being leaked or exploited by malicious actors.
  4. Reporting Fatigue: An influx of incident reports could overwhelm CISA and other relevant agencies, potentially leading to delayed response times or a backlog of cases. It might also result in “reporting fatigue,” where organizations hesitate to report incidents due to perceived complexity and time requirements.
  5. Resource Allocation: Organizations must allocate resources judiciously, focusing on threat prevention, detection, and response. The additional administrative and reporting burden could divert resources from proactive cybersecurity measures, and potentially leave organizations more vulnerable to attacks.

At this stage, the proposed initiative appears to have shortcomings in addressing these risks. It’s crucial to carefully consider the potential drawbacks and unintended consequences of such a mandate.

The Way Forward: Collaborative Solutions

Effective collaboration is essential for fostering a productive partnership between government and industry, with several key steps:

  1. Education and Training: Both government and industry can invest in training programs to build a highly skilled cybersecurity workforce and facilitate a better understanding of each other’s needs and constraints.
  2. Shared Frameworks: Developing standardized frameworks for incident reporting, threat intelligence sharing, and vulnerability disclosure can simplify processes for both sides and reduce legal concerns.
  3. Seamless Communication: Enhanced communication channels between government agencies and tech companies can streamline the flow of information. Regular dialogues and joint exercises can enhance mutual understanding.
  4. Incentives and Support: Governments can offer incentives, such as tax breaks or grants, to encourage the tech industry to invest in cybersecurity. Public-private partnerships can also be formed to bolster collective defense.
  5. Transparency: Promoting transparency in decision-making processes and prioritizing it in incident reporting when it doesn’t jeopardize national security can support these efforts.

Genuine Concern: Bureaucracy Vs. Security

The call for increased cyber incident reporting by CISA is driven by a genuine concern for national cybersecurity and the safety of critical infrastructure. Striking the right balance between transparency and practicality is, however, key. While incident reporting can enhance our collective understanding of cyber threats and responses, it must be implemented in a way that doesn’t unduly burden organizations or compromise data security. Moreover, it should be accompanied by robust support mechanisms, including guidance on what and how to report, as well as resources to help organizations bolster their cybersecurity defenses.

In the ever-evolving landscape of cybersecurity, collaboration between government agencies and private organizations is crucial. However, achieving the right balance between security, privacy, and compliance is a complex challenge that requires careful consideration and ongoing dialogue among all stakeholders involved.

This article was originally published in Forbes. Please follow me on LinkedIn.

Anatomy of a Comprehensive Security Response

The frontlines of current cyber threat conditions are an interesting combination of rogue threat actors, state-sponsored groups, and Advanced Persistent Threats (APTs). Their intrusions are characterized by stealth, patience, and slow-burn endeavors that are well funded towards their missions. These threats focus on evading detection while carrying out reconnaissance and weaponization in a deliberate sequence of escalating changes. Even with multiple layers of technical protection, such activity still occurs on the most privileged networks. This is an account of how a recent incident in a protected environment was uncovered through diligence and forensic review.

If you could visualize a successful cyberattack in review, you would see that the journey is a lot like skipping across stones in a river. Here, we are going to dissect such an attack. The object of cybersecurity protections is to review every stone and stop attacks at every possible point. Uncovering threats can rely on automated detection, artificial intelligence, and alerting to varying degrees. However, the information these tools surface still requires analysis and a threat disposition by trained and qualified human beings.

Anatomy of the Incident 

Let us dissect an actual security incident, so we can gain an appreciation of what it takes to mitigate these millions of incidents that happen every day.  

  • In the pre-dawn hours of a recent morning, the Ntirety Security Operations Center (SOC) received the first of a series of behavioral threat alerts for an endpoint system within a client’s environment.
  • The alert triggered a disposition of a potential network ransom event. 
  • An immediate investigation into this system was launched where it was discovered that a portion of the files on the system were encrypted. 
  • The investigation further showed that the operating system was functional, with no observable impact. 
  • Tier 2 SOC personnel initiated an immediate network containment action to isolate the threat and prevent any possible further lateral movement. 
  • Tier 2 SOC personnel continued to scan logs and immediate network connections for signs of further propagation. As the investigation continued, these findings were negative.  
  • The SOC initiated a Root Cause Analysis and determined that the initial Point of Entry for this ransomware attack was an unpatched, externally facing server that DID NOT have standard security products installed.
  • This server was scheduled for decommissioning. Further, an administrator account on this system had been compromised; it was using a weak, 8-character password that had never been changed.
  • The affected server was completely compromised, with evidence of complete system encryption.  
  • A ransomware note and additional tracking evidence showed the attack was most likely Crylock ransomware, a new variant of Cryakl ransomware.  
  • Further investigation uncovered that the attacker(s) were able to log in and install software to maintain remote persistence on the server.  
  • System and Security event logs could not be recovered, indicating that the logs had been scrubbed.

With the successful compromise in place, the attack attempted to escalate, moving laterally to the endpoint system where our detection tools were able to catch it before any further damage could be done.  

As an epilogue, the customer received guidance and recommendations towards decommissioning the server as soon as possible, wiping and imaging the affected workstation, network isolation, strong password enforcement practices, and installation of our advanced security tools throughout all systems in their environment.  
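The two signals that bracket the incident above, a burst of file changes on an endpoint and event logs cleared on the entry server, as a small triage routine over constructed telemetry. This is an added illustrative example, not Ntirety’s SOC tooling; the event format, thresholds, filename hints and host names are assumptions, while the Windows event IDs for a cleared log (1102, 104) are real.

```python
from collections import defaultdict
from dataclasses import dataclass

# Real Windows event IDs recorded when an event log is cleared:
# 1102 (Security log cleared) and 104 (System log cleared).
LOG_CLEARED_EVENT_IDS = {1102, 104}
# Constructed filename hints for a dropped ransom note (assumption).
RANSOM_NOTE_HINTS = ("decrypt", "ransom", "how_to_recover")


@dataclass
class Event:
    ts: int       # seconds since epoch (constructed values below)
    host: str
    kind: str     # "file_rename", "file_create" or "winlog"
    detail: str   # new path for file events; event id for winlog


def triage(events, window=60, rename_threshold=20):
    """Map each host to the set of dispositions raised for it.

    A burst of >= rename_threshold renames within `window` seconds, or a
    ransom-note-looking file, flags "potential ransom event"; a cleared
    event log flags "log tampering" (the scrubbed-logs finding above).
    """
    findings = defaultdict(set)
    rename_ts = defaultdict(list)
    for ev in events:
        if ev.kind == "file_rename":
            rename_ts[ev.host].append(ev.ts)
        elif ev.kind == "file_create":
            name = ev.detail.rsplit("\\", 1)[-1].lower()
            if any(hint in name for hint in RANSOM_NOTE_HINTS):
                findings[ev.host].add("potential ransom event")
        elif ev.kind == "winlog" and int(ev.detail) in LOG_CLEARED_EVENT_IDS:
            findings[ev.host].add("log tampering")
    for host, stamps in rename_ts.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):      # sliding window over renames
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= rename_threshold:
                findings[host].add("potential ransom event")
                break
    return dict(findings)


def hosts_to_contain(findings):
    """Hosts to network-isolate immediately, pending Tier 2 investigation."""
    return sorted(h for h, f in findings.items() if "potential ransom event" in f)


# Constructed telemetry: WS01 renames 25 files in under 30 s and drops a
# note; legacy server SRV-OLD only shows its Security log being cleared.
SAMPLE_EVENTS = (
    [Event(1000 + i, "WS01", "file_rename", f"C:\\Users\\a\\doc{i}.docx.locked") for i in range(25)]
    + [Event(1031, "WS01", "file_create", "C:\\Users\\a\\how_to_recover_files.txt"),
       Event(1200, "SRV-OLD", "winlog", "1102"),
       Event(1300, "WS02", "file_rename", "C:\\Users\\b\\notes.txt")]
)

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result, hosts_to_contain(result))
```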

The Comprehensive Response 

Client environments have all kinds of interesting facets to them that can affect overall security. Sometimes there is a bit of baggage, such as a legacy operating system or application that has no available updates or is tied down to legacy by means of licensing, contract, or a functional gap. That legacy OS was the first problem. Missing security tools were the next issue.  

From there, we have an unpatched public-facing system, weak and unmanaged privileged passwords, and an open network hop that allowed the attempt to laterally propagate. You can call that an unfortunate mix of vulnerabilities that could have led to a major problem.  

However, comprehensive practices came through in the detection of anomalous events at the first possible point. Our SOC sprang into action according to plan, and we were able to fully ascertain the situation and prevent any further incidents. You can see the potential for significant impact that one unprotected system carries, but by layering detection and response throughout the environment, we can mitigate the unknown.

The goals of the Ntirety SOC and application of comprehensive security principles have common targets. We are focused on minimizing the impact of incidents and breaches on our client organizations. To minimize impact, we are focused on responding to incidents quickly and reducing the time it takes to detect and enact our responses. By effectively remediating security conditions and maintaining security baselines throughout our client environments, we work towards preventing major incidents from occurring.  

Detection, analysis, investigation, and remediation are some of the milestone capabilities of our comprehensive defensive systems. In the current and future climate of threat conditions, this is the best available path to uncovering the unknown, to reveal hidden threats and adversarial activities, and to identify attacks before they scale.  

Why Security Maturity is Necessary for Your Business

A security maturity model is a set of characteristics that represent an organization’s security progression and capabilities. According to CISOSHARE, Key Processing Areas (KPAs) in a security maturity model are practices that help improve a security infrastructure.

These KPAs include:  

  • Commitment to perform  
  • Ability to perform  
  • Activities performed  
  • Measurement and analysis of the results
  • Verifying the implementation of processes  

Levels of security maturity range from 1 to 5, with the lowest level of security maturity being one and the highest level of security maturity being five. Various industries lie within these levels, depending on their security needs. The retail industry typically falls under Levels 2 or 3, manufacturing falls between 3 to 5, while Fintech and Healthcare are between levels 4 and 5 due to the high levels of compliance needed in these industries.  

Ntirety details these levels of security maturity by detection, response, and recovery times:  

  • Level 1 (Vulnerable)
      • Time to Detect: Weeks/months
      • Time to Respond: Weeks
      • Time to Recovery: Unknowable
      • Recovery Point: Unknowable
      • Compliance: None
  • Level 2 (Aware & Reactive)
      • Time to Detect: Days
      • Time to Respond: Hours
      • Time to Recovery: 1-2 days
      • Recovery Point: <2 days data loss
      • Compliance: Internal objectives
  • Level 3 (Effective)
      • Time to Detect: Hours
      • Time to Respond: Minutes
      • Time to Recovery: Hours
      • Recovery Point: <24 hours data loss
      • Compliance: Internal & 3rd party
  • Level 4 (Compliant)
      • Time to Detect: Minutes
      • Time to Respond: Minutes
      • Time to Recovery: Hours
      • Recovery Point: <6 hours data loss
      • Compliance: Internal & 3rd party
  • Level 5 (Optimizing)
      • Time to Detect: Immediate
      • Time to Respond: Immediate
      • Time to Recovery: Immediate
      • Recovery Point: <15 min data loss
      • Compliance: Internal & 3rd party

How Ntirety Helps With Security Maturity: 

With over 20 years of industry experience, Ntirety understands how to support a business’s cybersecurity maturity needs and follow the necessary processes to ensure a smooth transition into IT transformation.  

For a company to appraise its security maturity with Ntirety, the first step is a conversational assessment with our team to determine the security gaps in your business’s cyber infrastructure. By answering some questions, our team can see where your business lies in the security maturity framework and compare that to your goals. Whether the driver is the industry vertical your company falls under, the adoption of best practices within your IT infrastructure operations, or a board mandate, we can help formulate a plan based on your business’s needs.

Following an assessment, the Ntirety team can detail how to improve Protection, Recovery, and Assurance. Ntirety’s Guidance Level Agreements (GLAs) can help improve these areas by optimizing availability, security, performance, and costs. Ntirety is committed to securing the “entirety” of your environment through solutions that identify, inventory, and protect the entire target environment. Ntirety’s Compliant Security Framework covers the security process from establishing your security design & objectives through protection, recovery, and assurance of compliance to your security requirements.  

One mistake we often see is the belief that doing it themselves is the safer option. While resourcing a cybersecurity solution internally may seem more manageable, it can be far more costly and take away from other essential business functions. Here are the top 7 reasons to outsource security:

  1. Finding and maintaining a talented SIEM/SOC team is expensive
  2. Benefiting from trends and detections observed across other customers
  3. Accessing more threat intelligence and state-of-the-art technology
  4. Long-term return on investment
  5. Outsourcing lowers the risk of conflicts of interest between departments
  6. Enhancing efficiency to concentrate on your primary business
  7. Scalability and flexibility

For more details on securing your cyber infrastructure, watch our most recent webinar and schedule an assessment with us today. 

Building An Industry Response To Ransomware

While your business may have a disaster recovery plan in place, it is equally, if not more, important to proactively put security measures in place to defend your cyber infrastructure from ransomware and similar threats. The following piece is by Ntirety CEO Emil Sayegh, originally published in Forbes.


The term ransomware will often trigger a detectable response in even the most hardened security professional, especially as the industry sees an 800% increase in cyberattacks in the early days of the Russia-Ukraine war. This well-known digital blight carries so much impact that the appropriate response to the word itself is justified. Year after year, we can see that the rate and scale of ransomware attacks are skyrocketing, and recent attacks on Samsung and Nvidia illustrate an even more rapid acceleration —thankfully, the response to ransomware is also on the way up. One of the actionable ways that the threat is being addressed is through proposed legislative acts. 

A First Try: Ransom Disclosure Act

Among the most significant legislative measures proposed in the last few months is the Ransom Disclosure Act. On the surface, this governmental initiative, like many other initiatives, seems like a great idea, until you dig into it. The provisions in the act create a 48-hour window in which a company that has paid a cyber ransom must report various details about that payment. The disclosure mandate includes information on the amount paid, the date of the occurrence(s), the type of currency used, and any available data about the parties that made the ransom demand. This information is then sanitized by the U.S. Department of Homeland Security (DHS) and published on a public website. Still unquantified are the prospective penalties of non-compliance with the Act. 

From an enforcement perspective, it cannot be denied that there is a deficiency of timely data that could assist in implicating criminals and recovering funds. Rapid, detailed information can make a big difference in the ability of governmental agencies to step in, track funds, and potentially seize ill-gotten proceeds.

For example, there was a partial but significant ransom recovery that occurred after the ransom payment in the case of the Colonial Oil Pipeline event. The Colonial incident was a major attack that had considerable national impact and publicity. Due to the publicity, federal agencies were involved in the response, and the partial financial recovery speaks for itself. Should similar actions be the response framework for all attack incidents? There are many practical points to debate in the matter, starting with whether the governmental authorities have the mandate, resources and capability to pursue these cases adequately and in a fulsome way. 

Disclosure Flaws 

While we all want actionable intelligence to maintain a level of awareness, the public aspects of this Act are cause for some legitimate concerns. As events are publicly disclosed over time, the proposed DHS site could amount to a ransomware leaderboard. This could have the unintended effects of increased ransoms, more ransomware participants, a higher volume of attacks, and greater severity of successful attacks across the board. Here are some key flaws in the reporting requirements proposed for DHS:

  • Public disclosure could result in the creation of successful ransom intelligence that cybercriminals can use by correlating data. It is possible to unintentionally disclose industry information, date, and time information, ransom amounts, and preferred payment methods. Even with the company names redacted from this base of information, cybercriminals can glean the identity of the biggest “scores” from public news, service information, and countless methods of dark web underground chatter.
  • The collection of information proposed in the act only focuses on the impact of the attack upon targeted companies. Once published, an incident could serve as a reference point for unknown public and financial repercussions.
  • Compliance and the rollout of a reporting program could lengthen the duration of disruption, extending the time needed to return to operations.
  • There doesn’t appear to be a history of successful piloting of such a system, including the impact on an industry.
  • Rival global cyber-gangs could derive intelligence from successful attacks, and fine tune their strategies.

What About False Security? 

Starting with cyber-liability insurance, beware of a false sense of security. Ransom payments should be exceedingly rare, if not nonexistent. They should never be part of a response plan, even if you have cyber-liability insurance, yet these practices somehow persist. Publication of these flawed decisions serves to highlight the prevalence of poor planning and a perceived lack of available ransomware responses.

Numerous industry reports show that there is a false sense of security in ransom payment. Close to half of the companies that pay ransoms discover that their recovered data is corrupted. As we saw in the case of Ukraine, suspected Russian hackers used wiper code to completely destroy key data in banks and key governmental organizations. If, during the course of the attack, data made its way outside the company, that data is now “out in the wild” and there are no ransom-backed guarantees about what happens to that data. Further insult to injury, reports show that most organizations that are hit once with ransomware and pay a ransom will experience a second, likely-related ransomware attack. 

Bad Ideas and Good Ideas 

On the frontlines, organizations must continue to break free of the mentality and false sense of security that relies on outdated security such as cybersecurity insurance, vulnerability scanning, signature detection, and VPN systems. Instead, companies that are prepared to prevent ransomware threats must implement security measures that are comprehensive and full spectrum across the data center, cloud, endpoint, and applications. 

Actions against ransomware gangs such as the arrest of the REvil gang by Russia, and the extradition of the alleged REvil Ukrainian Hacker from Poland are a good thing, but insufficient if done as one-time events, as more sophisticated gangs will quickly pop up. Reporting programs such as what is proposed in the Ransom Disclosure Act have the potential to provide great advantages for a new breed of cybercriminals. This information should be privileged as the public focus carries too many unknown implications. Public information should instead be focused on identifying information about the attackers when available and figuring out their apprehension and prosecution. More detailed information should be passed on only to a group of private companies that are entrusted to fight cyber-criminals, while protecting the privacy of the victims. 

This First Step is Critical 

Time will tell what becomes of this proposed measure and how much traction it will gain. It is an indication of an important first step into these matters. With some tweaking and industry partnership, it could possibly be the right step in the right direction. 

In any case, the industry will continue to drive toward improvements in the defense against and prevention of ransomware incidents, but it needs proper governmental leadership. This type of partnership between industry and government is the best path to preventing incidents in the first place.

As we build up these improvements, organizations will be looking at both next-level and first-level steps to address these novel and continuing threats, including threat model strategy, multi-layer security, advanced anti-ransomware technology suites, and behavior-based incident detection. While many of these disciplines are needed now, the cybersecurity talent drought persists, driving a need for outsourcing and security partnerships.


Check out this piece, originally published in Forbes, here and follow me on LinkedIn.