Managing Complexity · dark cottage industries that have been making ill gotten gains on the...

• Cyber threats are evolving FAST• Find out how to get ahead of them• Discover the 3 key actions to building and

maintaining a robust security regime

Managing ComplexityThe New Imperative for Cyber Security Readiness

www.quartetservice.com | 2

If you read our recent Management Primer on Cyber Security Re-sponsibilities, you already know that SMBs are the current bullseye in the cyberattack landscape, that employees are your biggest vul-nerability, and the steps you need to take to stay secure.1

What this eBook communicates is ‘how’, in the face of dizzying complexity, you can put an achievable plan in place to stay secure. Securing a business is no longer something that one person—or one team—can do alone. But it can be done by organizations of all types and sizes. It’s a three-part solution. Before we get into the mechanics of it, let’s take another look at the nature of the threat landscape and how organizations engage with it.

You Know the ‘What’. Here’s the ‘How’.

58% of all cyberattacks target SMBs2

1 “2018 Cybersecurity Survey : Report,” Canadian Internet Registration Authority (CIRA), February 05, 2019, , accessed February 24, 2019, https://cira.ca/2018-cybersecurity-survey-report.2 “2018 Data Breach Investigations Report,” report, Verizon, February 2018, accessed September 2018, https://enterprise.verizon.com/resources/reports/dbir/.


In the face of mounting threats, organizations need to safeguard business continuity, maintain the high levels of transparency and resilience that good governance requires, while husbanding their legal and fiduciary cybersecurity responsibilities . It’s getting tougher to do these things, in large part because of the rate of change in the security world. It’s astonishing. It’s almost vertical. And given the complexity involved in stay-ing secure, criminals are making a fortune.

A Business Imperative

The number of cyberattacks is

going way, way up.

The severity of cyberattacks is

going way, way up.

The types of cyberattacks

are multiplying.


Since cybercrime is highly lucrative, it has become highly sophisticat-ed. Stolen data of every type and quality is readily available for sale. Cyber exploit kits are mass produced. The component parts of every-thing needed for a wide variety of cyberattacks are now expertly cre-ated, brokered and sold on the Dark Web. You even can hire people to put them all together for you.

Cybercriminals have learned to specialize. There are groups that do nothing but create ransomware. Others broker and sell stolen data. Still more conduct the research into companies’ dynamics and per-sonnel that’s needed for sophisticated spearphishing attacks. The dark cottage industries that have been making ill gotten gains on the Internet for 20 years have metamorphosed into elaborate organized criminal networks.

Pretty much everything that cybercriminals do is quickly getting better and better. They have taken a page out of the cybersecurity industry book, leveraging the very technologies that legitimate security compa-nies use for defence, like Artificial Intelligence and machine learning. This makes for better quality, more creative and more successful cy-berattacks.

Perhaps even more importantly, cybercriminals now work together in a very synchronized fashion. The cybercrime world has become deep-ly collaborative, a key element in the power that it wields. It’s time for businesses to return the favour and take a page out of the cybercrime book.

The Business of Theft


How many times have you asked an IT person a question that they couldn’t answer? Perhaps something that they didn’t know, you knew about? It’s becoming commonplace. That’s because the big consulting and accounting firms are teaching Executive Directors and boards the questions that they need to ask. They’re essentially saying “if you’re going to be fully responsible for this organization, you need to stay on top of cyber security.” And they’re not wrong.

Still, the poor IT folks who report to Executive Directors and boards don’t have answers at the ready. That’s because the cybersecurity environment that they have built is typically incoherent. It’s often an in-house effort that doesn’t leverage collaboration with an IT security firm—without even an IT security expert3. It’s a jumble of tools, programs and protocols that do a passable job of keeping their company secure. If boards of directors knew how complicated cybersecurity was, they would have some empathy.

IT Defence Meltdown

3 “2018 Cybersecurity Survey : Report,” Canadian Internet Registration Authority (CIRA), February 05, 2019, , accessed February 24, 2019, https://cira.ca/2018-cybersecurity-survey-report.


The knights of old wore chain mail—mesh garments made of small metal rings linked together. That’s a great analogy for effective modern IT defense: interlocking security tools that keep your orga-nization safe. The tools you need work together to address the dif-ferent attack vectors that criminals use to compromise companies, and limit your internal vulnerabilities.

We use 31 process and remote management tools within our en-vironment at Quartet. Seven of those are intrinsic to our managed security service. Each group represents a different category of de-fense:

• Security Configuration• Firewall• Anti-Virus and Anti-Malware • Internet Security• 3rd Party Patch Management• Internal Network Defense • Disk Encryption• Advanced Threat Detection

A Chain Mail of Tools

Everything works automatically… until it doesn’t.


Security ConfigurationThis tool ensures that you’ve dotted the ‘I’s and crossed the ‘T’s of security. The one we use checks 130 security items across all us-ers and key infrastructure elements in the corporate environment. If something is misconfigured, this tool detects it—for example, if a Microsoft server is missing a patch. This toolset also detects users who have permissions that they shouldn’t, e.g. access to files with-out appropriate security clearance. It extends to firewalls, including on-premise mail servers and Office 365. As security exceptions are flagged, we review them and act accordingly.

FirewallsIn theory, firewalls are simple. They keep unwanted traffic out of the corporate network. In practice, a firewall is not just a firewall. They come with things like Real-Time Deep Memory Inspection and Re-assembly-Free Deep Packet Inspection that enable them to decrypt and analyze secure (SSL) traffic in real time—without breaking it. Oh, and all while processing up to 10 Gigabits per second.

Modern firewalls leverage networks of millions of sensors worldwide to monitor the Internet. Unrecognized signatures are sandboxed and those that pose a threat are added to firewall defenses in real time. Firewalls extend protection to wireless devices, wherever they may be. And of course they offer centralized management, report-

ing and experts on the other end of a telephone, 24/7. The trick lies in configuring a firewall solution that’s right for your environment and fine-tuning it as your network environment changes, so that it sends out only meaningful alerts.



Anti-Virus and Anti-Malware Anti-virus and anti-malware capabilities have grown enormously over the years. But so have viruses and malware. New vectors are detected every day. When something suspect is detected within the network perimeter of a customer organization, it is sandboxed. Our AV provider then uses artificial intelligence to determine if the pro-gram is safe.

The weakness inherent in this kind of tool lies in its management. It needs to be configured properly and updated constantly. If it’s not updated, it doesn’t work. Both the virus scanner agent itself and the definitions need to be kept up to date. The tool itself does that most of the time, and we add an extra layer of precaution with our remote monitoring agent that keeps an eye on the antivirus system and forces updates when required. Monitoring these tools is a big part of the service we provide.

Internet SecurityHow often does John in accounting try to access a counterfeit bank login page? This tool analyzes Internet traffic in real time and blocks the bad stuff. The Internet security program we use also has heuristic analysis built in. In other words, it tracks and analyzes browsing behavior. This insight into employee surfing habits can

then be used to block specific sites like Google Mail, Facebook or anything deemed not safe for work.

The team behind the tool has a whole R&D department that finds bad traffic and blocks it automatically. But they need us as a local agent. They occasionally block a valid domain and we need to work with them to get around that.



Patch ManagementThis tool scans servers and workstations for popular 3rd party ap-plications like Google Chrome and GoToMeeting. It checks versions and compares them to the most recent available, then updates if required. As new apps are added to this 3rd party application patching tool, we push them selectively to customer environments. But we have to be careful about automatic updates, because some clients need old versions of applications, like Adobe or a Microsoft OS. An extreme example is one of our customers, an airport. 50 of the 300 applications they use to run the airport broke when we updated the Microsoft OS (in test mode, of course). So we had to figure out an upgrade path, application by application.

Internal Network Defense Internal network defense detects anything that has gotten through the firewall. It gets a copy of all network traffic and analyzes it against known patterns. That might look like a user going to Drop-box or Ask.com, if those are internally banned sites. Or it could be a user going to the Tor network (the deep Web) or a virus that’s attempting to download something from it. If any of those patterns match, it creates a ticket so the team behind the tool who performs an analysis. If it’s an actual issue, we are immediately notified and take appropriate action with our customer.

Disk EncryptionDisk encryption protects data from physical theft. Without disk en-cryption, a thief could simply put your hard drive into a different computer and read its contents. With encryption, they can’t get access to the data unless they know your encryption keys. That applies to USB drives as well: to use them in the work environment, they must either be encrypted or read-only. We define encryption configuration and policies within customer environments and en-force encryption, verifying encryption status by means of a remote monitoring agent.



Advanced Threat DetectionWhat traditional anti-virus misses, advanced threat detection will eliminate. However, there is a fine line between an actual threat and an unwanted program. That’s because such programs can lead to horrible things. For example, Google does a good job of winnow-ing out search results that lead to malicious websites. Some niche search engines, however, don’t. When workstations have certain search engine toolbars downloaded, it’s asking for trouble.

Advanced threat detection also eliminates persistent mechanisms. These are malicious hooks that are hard to get rid of. For example, such a mechanism might download a virus every time the com-puter starts or a user logs in. The anti-virus program detects and deletes the virus, but the next time the computer restarts it will do the same thing. Advanced threat detection solves that problem.

Phishing Detection and TrainingHave you ever received an email from your boss asking to you send iTunes gift cards to a suspicious account? Employees receive many phishing emails a day but they’re getting harder and harder to de-tect. Cyber criminals are now disguising their phishing attacks as click-bait emails that look so real, you’re compelled to click on it. Some emails are disguised as free pizza coupons, while others can

be specific to your industry.Employees are your weakest link, simply because they’re human. That’s why it’s becoming increasingly important to train them on phishing email detection. Phishing detection and training tools help prevent employees from making a small mistake that could poten-tially cost your company millions.



All of these tools are designed to help you:

• Minimize your attack surface • Stop bad attacks from completing • Recover more quickly from attacks

Notice that we don’t say ‘to prevent attacks’. Why? Because attacks happen. They’re happening right now—to your network. The quicker you get used to the idea of hardening and recovering, rather than building a hard shell to protect a soft underbelly, the better you’ll fare.

The tools we just reviewed do a great job of reducing the likelihood of an attack and limiting the damage that an attack may cause. Still, as good as they are, they won’t stand up to employee ignorance and negligence. Human error is still the number one cause of IT security issues, so it’s still very important to train your people. All of them.

Tools Help

4 “How to Hack-proof Your Employees,” The Globe and Mail, September 28, 2018, , accessed February 10, 2019, https://www.theglobeandmail.com/business/rob-magazine/article-how-to-hack-proof-your-employees/.


The tools that are available today are nothing short of fantastic. There is so much money being poured into tools right now that they are all good. These are cyber defence tools that your average in-house IT team typically cannot access, either because of price or because they are only provisioned directly to managed service providers. They are a far cry from self-managing. You can’t turn a robust, cutting edge tool on, walk away and expect it to work properly.

To cite a simple example, think of a firewall. The night that a new firewall is set up, a typical company of 50 people will get about 150 alerts, approximately 12 of which are relevant. You got the other 138 because firewall alert parameters are too sensitive, or misconfigured. They need fine-tuning—a process that can take weeks or months. Whoever is responsible for that firewall needs to be trained on it and understand in great detail how it works. And that’s just a firewall, a tool that’s been around for over 20 years.

Coping With Complexity

You can’t turn a robust, cutting edge tool on and walk away.


Selecting, managing and updating the several tools required for each bucket—as well as organizing and conducting two types of training—is not a one-man job. It’s not even a five-man job: You need time and expertise to evaluate and choose the right tools. You need time…

…to master their use. …to train other people in their use. …to formulate and conduct employee training to reduce the human risk factor. …to manage tool alerts.

Time, time, time. And money.

Think it might be time to bring in some outside help?

The heart of security has gone from building a security apparatus to managing complexity. It’s no surprise that your IT people can’t answer all your questions. They have tools, they have some exper-tise, but they can’t stay on top of it.

Quartet has systematized complexity management. We put togeth-er teams of people who are experts at doing all of this. It begins

with tool selection. We base our tool choices on three things:

• The function they need to fill• How good they are • Whether they can interface with our security software manage-

ment solution

“I simply can’t keep up with cybersecurity. AND do my other job. AND answer to Directors armed with great questions but too little IT knowledge.” ~ IT Directors everywhere

Complexity Is Your Enemy


SituationIT security breaches endanger the lives of children every day. When we began working with Alan, the CTO of an Ontario-wide children’s organization in 2008, his net-work defenses needed help. Alan was constantly putting out fires. What’s worse, smaller regional organizations had experienced serious breaches that put young lives at jeopardy and made the news.

SolutionThe security regime that we put in place drastically re-duced the threat of an IT security breach. As we beefed up the organization’s defenses, its security environment slowly switched from reactive to proactive.

But getting there took more than tools—it involved something over which Quartet had little control: inter-nal security posture. Alan drove the essential change management effort, educating employees, putting pro-tocols in place and enforcing good behaviour. Together, we achieved what we never could have managed on our own—especially with respect to behavioural change within the organization. Documentation, training, best practices…our work would have been for naught without his help. It’s a classic example of interdependence.

In 2018 we got together with Alan and co-presented our

program and its results to a council of organizations un-der the same umbrella. It blew them away. It made them realize that they didn’t have to be victims—that they could take a proactive stance on cyber security.

An Unexpected BenefitSeveral years ago, as we were busy adding tools to count-er threats to Alan’s organization, we began to feel the weight of managing all those tools and alerts. No sur-prise there: a more sophisticated security environment upped the volume of work for Quartet. Eventually, the challenge morphed from securing Alan’s environment to managing the complexity of the program.

It dawned on us that comprehensive security program-ming is more about managing complexity than security, or at least more than we had appreciated. The paradigm had shifted. That’s when we adopted one tool to man-age that complexity, to consolidate and prioritize alerts and actions.

Case Study: Keeping Children Safe“It doesn’t get much more critical than assuring the safety of children.” Quartet goes to bat for an Ontario not-for-profit dedicated to improving the lives of children-at-risk.


We may see the day when a single tool can deal with the entire uni-verse of cyberthreats. But it won’t come soon. That’s because every attack vector is a small microcosm that’s constantly evolving. Each demands a ton of specialized knowledge and specializes tools with countermeasures for each particular threat.

“The key to effective cybersecurity is managing complexity.”

Keeping up with one tool is difficult, because each of them de-mands that you do dozens or hundreds of things every day. You have to learn which of those 100 things the tool wants you to do are urgent, important or irrelevant. Multiply that by 38 different tools and the complexity quickly becomes unmanageable.

We are constantly looking for the best tools for each of the different attack vectors. Last year, we adopted 26 new ones. We researched, tested, then integrated them and became expert in their use.

The reason we can do this is that we employ two people who are dedicated to managing tools. Just managing them! What this gives our clients is an easy-to-follow and transparent process for IT de-fence. The security software management ecosystem that we offer is something that boards of directors can easily understand.

Tool Complexity


What’s needed Is a Consolidation Tool. If you don’t have a way of integrating all tool management and notifications within a security software management solution, you can’t handle the complexity. At Quar-tet, a critical part of our tool selection pro-cess is determining if a new security tool will integrate into our consolidation tool.

Our consolidation tool centralizes and streamlines the management of security tools. It allows us to collect and interpret the data from our defence ecosystem and provides a single location to identify issues, assign tasks, manage changes and track progress. Without tool consoli-dation, a security management program will be inconsistent and may be crushed by the weight of its own complexity.

One Tool to Rule Them All

• Anti-virus• Firewalls• Phishing• Mobile device management• Policy/Behavior Monitoring• Patch Management• Traffic Monitoring• Data Collection• Best Practices Advice

• Security Tools Research & Selection

• Staff Training• Tools Configuration• Integration into work flow

management system• Issues Resolution• Data Collection• Management Reporting• Best practice policy coaching• Process Compliance Certifi-

cations

• Independent Acceptable Use Policies

• Security Awareness Training• When appropriate, resolve

onsite issues• Good governance compliance

certifications• Security Standards Enforce-

ment – Hardware & Software• Completion of assigned secu-

rity tasks

Specialty Tools

Quartet

Client

Inter-dependency Roles & Responsibilities


Right now, there are ten jobs for every competent IT security pro-fessional. They don’t come cheap. It’s tough to find and afford the right people, and if you’re going to get the tools, you need those people to select them, master them, manage them and use them to secure your ship.

We have the right people at Quartet. We can afford to—we lever-age economies of scale. It’s a perfect example of collaborative con-sumption. But our people aren’t the whole picture. Behind each of the tools that our experts use is a team of experts ready to help us.

Our teams communicate regularly. We make tool development teams aware of cyberattack refinements as they appear on our ra-dar, and they use this knowledge to refine their tools. The result is a team of teams tracking and responding to the threat environment as it evolves.

A Team of Teams


The tools and teams must interact in a coherent way. When we integrate them within our security software management solution, we have a unified interface for managing security.

The implication of this? We need tools as well as the technology to manage them, and we have to work with other people. And if collaboration is imperative for Quartet, guess what that means for your company?

Outside IT service provisioning might once have been a ‘nice to have’. Now it’s an imperative.

The IT industry is playing catch up. How many companies have in-house legal counsel? Lots. And outside legal representation? Lots. Do companies have financial controllers and outside accounting partners? Of course they do. Any Director who questions that needs his head examined. But for a long time, there was an all-or-noth-ing mentality: manage with internal resources, or outsource. There was judgment: ‘if Bill and his team can’t take care of everything by themselves, they couldn’t be doing their job. That’s no longer the case. Your in-house IT team simply can’t do what we do, nor can we do what they do.

The Collaboration Imperative48 percent of Canadian businesses outsourced at least some of their network infrastructure

or other IT related needs.5

5 “2018 Cybersecurity Survey : Report,” Canadian Internet Registration Authority (CIRA), February 05, 2019, , accessed February 24, 2019, https://cira.ca/2018-cybersecurity-survey-report.


Cybersecurity challenges are real and pressing and collaboration is imperative. It’s a 3-step process with tool suppliers working with service providers and service providers working with end clients.

Cybersecurity is a complex and rapidly evolving landscape that now targets small and medium businesses. Collaboration is imperative.

A 3-Step Process

1. Select Great Tools, Integrate &Maintain Them

Enterprise-grade IT security tools are fan-tastic but must be integrated together for a comprehensive security management solution. Tools will automate 50% to 80% of the work and provide insights on your security posture. Your service provider will likely recommend a suite of tools.

2. Select A Managed Disciplined Process & Good

Reporting Capabilities

Choose a service provider with smart people, disciplined processes and good reporting capabilities. Service providers leverage “collaborative consumption” to bring you economies of skill and scale. Your service provider should share your

3. Combine Points 1 & 2 With Your Process & Systems

Cyber security operations is a relentless challenge. Ensure that communication and escalation procedures are clear with your security services providers. Confirm reporting formats and establish a meet-ing cadence to review activities and set priorities.


Good governance requirements are onerous. IT security require-ments are just as onerous. Meeting them is not optional.

Most business leaders now appreciate how dire the IT security sit-uation is. Chances are, your IT people are silently screaming for help. Managed IT security service providers augment your IT team to take care of the day-to-day grind of selecting, configuring and updating tools. They manage security responses, reporting activi-ties and bringing expertise that is difficult to develop and retains in-house.

Let’s look again at our firewall example in the context of collabora-tion. Your IT security service partner helps your IT team choose the right firewall and manages the integration. The night that the new firewall is set up, they receive about 150 alerts, approximately 12 of which are relevant. They alert your IT team of the prioritized local actions that you need to take based on those alerts. Your IT secu-rity partner fine-tunes the firewall over the coming weeks. If you have decided that a firewall is something that should be managed in-house, it’s at this point that your team takes control, with full management documentation provided by your partner. Scheduled IT security partner audits will confirm that the firewall is still doing its job.

Meet Your Requirements


We Help Strong Toronto Companies Stay Strong.

We’ve been helping Toronto companies maintain efficient, secure IT environments since 1998. We play the long game. As we’ve said before, an effective IT strategy isn’t a one-time deliverable; it’s a constantly evolving execution that’s shaped by the kind of risk your business faces, efficiency and ROI.

We became SOC2-compliant in 2017, meaning that we conform to strict, audited standards of secure data manage-ment that protect customer interests and privacy. That’s just the latest in a long string of investments we make on behalf of our customers. When we acquire new tools or certifications like SOC, all our customers benefit. The same is true for our IT security services and solutions: we conduct the cybersecurity audits that most auditors now require of customers like ours. We also help clients transform their security posture to a robust security information and event management (SIEM) approach. The bottom line is simple. If it’s something we think you need, we’ll make sure you have it.

Call +1 416-483-8332 Email [email protected]

www.quartetservice.com

Copyright © Quartet Service Inc. 2019

Quartet Can Help

mailto:talktous%40quartetservice.com%20?subject=

http://www.quartetservice.com

https://www.quartetservice.com/let-us-join-your-team/


Notes

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________


Notes

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Quartet Service Inc.500-214 King St. West

Toronto, ON4164838332

[email protected]

https://www.quartetservice.com/let-us-join-your-team/

https://www.quartetservice.com/

mailto:talktous%40quartetservice.com?subject=

http://www.quartetservice.com

Date post:	12-Oct-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Managing Complexity · dark cottage industries that have been making ill gotten gains on the...

Documents