Navigating the Digital Operational Resilience Act (DORA)

Digital Operational Resilience Act

Understanding DORA: A Game-Changer for UK Financial Enterprises in 2025

As we approach January 2025, financial enterprises in the UK are gearing up for a significant regulatory shift with the introduction of the Digital Operational Resilience Act (DORA). This new regulation aims to strengthen the digital operational resilience of financial institutions, ensuring they can withstand and recover from various disruptions. Let’s delve into what DORA entails, its implications for UK finance enterprises, and the personal accountability it imposes on leadership.

What is DORA?

DORA is a comprehensive framework developed by the European Union, designed to bolster the operational resilience of financial services. Its primary objective is to ensure that institutions can effectively manage, respond to, and recover from ICT-related incidents. This includes everything from cyberattacks to system failures, emphasizing the importance of having robust processes and measures in place.

Key Provisions of DORA

  1. Risk Management Frameworks: Financial institutions will be required to establish and maintain comprehensive risk management frameworks that address operational risks, particularly those associated with digital technologies.
  2. Incident Reporting: Firms will need to implement mechanisms for reporting significant incidents to regulatory bodies. This aims to enhance transparency and enable a more coordinated response across the sector.
  3. Testing and Validation: Regular testing of operational resilience measures will be mandated. This includes stress testing and scenario analysis to ensure that institutions can handle adverse situations.
  4. Third-Party Risk Management: DORA places a strong emphasis on managing risks associated with third-party service providers. Financial enterprises must ensure that their partners also comply with operational resilience standards.
  5. Governance and Accountability: One of the most significant aspects of DORA is its focus on governance. Senior management will be held accountable for the institution’s operational resilience, ensuring that it is prioritised at the highest levels of leadership.


Impacts on UK Financial Enterprises

The introduction of DORA will have profound implications for UK financial enterprises:

  1. Increased Compliance Burden

Firms will need to invest time and resources to align their practices with DORA’s requirements. This may involve updating existing risk management frameworks, enhancing incident reporting processes, and conducting regular resilience testing.

  2. Strengthened Risk Culture

DORA promotes a culture of resilience within organizations. Financial enterprises will need to foster an environment where operational risks are identified, assessed, and managed proactively. This cultural shift requires commitment from all levels of the organization.

  3. Enhanced Collaboration with Third Parties

With a strong focus on third-party risk management, firms must engage in closer collaboration with their service providers. This may involve conducting due diligence, ensuring compliance with DORA standards, and establishing clear communication channels.

  4. Accountability at the Top

One of the most significant shifts introduced by DORA is the requirement for personal accountability among senior leaders. Leaders must now ensure that their organizations not only comply with operational resilience standards but also prioritize these aspects in strategic decision-making. This change could lead to increased scrutiny of leaders’ actions and decisions, holding them accountable for operational failures.

Personal Accountability: A New Era for Leadership

DORA’s emphasis on personal accountability marks a paradigm shift in how financial enterprises operate. Leaders will need to:

  • Demonstrate Commitment: They must visibly commit to enhancing operational resilience, integrating it into the organization’s strategic objectives.
  • Foster a Resilient Culture: By championing a culture of resilience, leaders can encourage their teams to prioritize risk management and incident preparedness.
  • Ensure Compliance: Leaders are responsible for ensuring that their organizations meet DORA’s requirements, which may involve regular audits, training, and updates to policies and procedures.
  • Communicate Effectively: Transparent communication with stakeholders about resilience efforts and challenges is crucial. Leaders must articulate the importance of operational resilience and the steps being taken to enhance it.

Conclusion

As DORA comes into effect in January 2025, UK financial enterprises must prepare for a transformative shift in how they manage digital operational resilience. With an increased focus on compliance, risk management, and personal accountability for leaders, organizations must prioritize resilience as a core component of their operations. By embracing these changes, financial enterprises can not only meet regulatory requirements but also enhance their overall operational robustness, ultimately benefiting their clients and stakeholders.

The road ahead may be challenging, but the commitment to a resilient future is essential for the success of the UK financial sector in an increasingly digital landscape.

How does Iris Networks Help?

Expanding on DORA: Key Pillars with a Focus on Security, Network Testing, and Third-Party Risk

The Digital Operational Resilience Act (DORA) is poised to transform the landscape of operational resilience in the financial sector. With a focus on five key pillars, DORA not only enhances the overall resilience of financial institutions but also places a significant emphasis on security, network testing, and third-party risk management. Here, we will explore these pillars in depth, highlighting their critical components and implications for UK financial enterprises.

  1. Risk Management Frameworks

DORA mandates that financial institutions develop comprehensive risk management frameworks to identify, assess, and mitigate operational risks. This involves:

  • Holistic Risk Assessment: Institutions must evaluate risks from a broad perspective, considering all potential disruptions—cyberattacks, system failures, and natural disasters.
  • Continuous Monitoring: Firms are required to continuously monitor their risk environment, adapting to new threats as they emerge.
  • Integration with Business Strategy: Risk management must be embedded into the core business strategy, ensuring alignment with organizational goals and resilience objectives.


  2. Incident Reporting

Prompt and transparent incident reporting is crucial for enhancing sector-wide resilience. DORA outlines:

  • Real-time Reporting: Institutions must establish protocols for reporting significant incidents in real-time to relevant regulatory bodies. This ensures that all stakeholders are aware of potential systemic risks.
  • Post-Incident Analysis: After an incident, firms are required to conduct thorough analyses to understand the causes and impacts, and to implement lessons learned to prevent future occurrences.
  • Collaboration with Regulators: Effective communication with regulators is emphasized, fostering a collaborative environment for managing operational resilience.


  3. Testing and Validation

DORA places a strong emphasis on rigorous testing of operational resilience measures, particularly concerning security and network robustness. Key aspects include:

  • Regular Stress Testing: Financial institutions must conduct regular stress tests to assess their ability to withstand various disruptive scenarios. This includes simulating cyberattacks and system outages to evaluate response capabilities.
  • Vulnerability Assessments: Firms are required to perform regular vulnerability assessments to identify potential weaknesses in their systems and networks. This proactive approach is critical for enhancing security posture.
  • Penetration Testing: Institutions should engage in penetration testing to simulate real-world attacks, enabling them to understand their defenses and improve their incident response plans.
  • Continuous Improvement: Testing outcomes should lead to actionable improvements in processes, technologies, and personnel training, fostering a culture of continuous resilience enhancement.


  4. Third-Party Risk Management

Given the interconnected nature of the financial ecosystem, DORA emphasizes the importance of managing risks associated with third-party service providers. This pillar includes:

  • Due Diligence: Financial institutions must conduct thorough due diligence on third-party vendors, assessing their security practices, operational resilience, and compliance with DORA standards.
  • Contractual Obligations: Firms should include specific resilience requirements in contracts with third-party providers, ensuring they adhere to agreed-upon security measures and incident reporting protocols.
  • Ongoing Monitoring: Continuous monitoring of third-party performance and resilience is crucial. Institutions should regularly review their partners’ operational practices and conduct audits to ensure compliance.
  • Crisis Management Coordination: In the event of an incident, institutions must have protocols in place for coordinating responses with third-party vendors. This ensures a cohesive approach to incident management and recovery.


  5. Governance and Accountability

The final pillar of DORA focuses on governance structures and the accountability of senior management:

  • Clear Roles and Responsibilities: Institutions must define clear roles and responsibilities for operational resilience within their governance frameworks, ensuring that accountability is established at all levels.
  • Executive Oversight: Senior management is required to actively oversee resilience initiatives, making operational resilience a board-level priority. This shift encourages leaders to take ownership of risk management practices.
  • Reporting to the Board: Regular updates on operational resilience efforts, risks, and incidents must be provided to the board, ensuring transparency and informed decision-making.

Conclusion

The Digital Operational Resilience Act is set to reshape the operational landscape for UK financial enterprises, with a strong emphasis on security, network testing, and third-party risk management. By prioritizing these pillars, firms can enhance their resilience against the ever-evolving threat landscape.

As organizations prepare for DORA’s implementation in January 2025, focusing on these key areas will not only ensure compliance but also fortify their defenses against disruptions, ultimately benefiting their stakeholders and the wider financial ecosystem. Embracing this shift towards a more resilient operational model is crucial for the future success of the sector.

Spotlight - Partnering with Spirent to address the needs outlined in DORA

How Spirent Tools Address DORA Requirements

As financial institutions prepare for the implementation of the Digital Operational Resilience Act (DORA) in January 2025, leveraging advanced testing and validation tools becomes essential. Spirent offers a range of solutions designed to help organizations meet DORA’s requirements, particularly in the areas of security, network testing, and third-party risk management. Here’s how Spirent tools can specifically support compliance with DORA.

  1. Robust Security Testing

Vulnerability Assessment and Penetration Testing: Spirent provides tools that facilitate comprehensive vulnerability assessments and penetration testing. These tools allow financial institutions to:

  • Identify Weaknesses: By simulating real-world attacks, Spirent helps organizations pinpoint vulnerabilities in their systems and networks before they can be exploited by malicious actors.
  • Improve Incident Response: Testing scenarios can be tailored to mimic various attack vectors, enabling firms to assess their incident response capabilities and refine their strategies accordingly.


  2. Network Resilience Testing

Stress Testing and Performance Validation: DORA emphasizes the need for rigorous testing of operational resilience. Spirent’s network testing solutions allow organizations to:

  • Simulate Network Conditions: By creating realistic network environments, financial institutions can evaluate how their systems perform under stress. This includes testing for bandwidth limitations, latency issues, and failure scenarios.
  • Assess Scalability: Spirent tools can help organizations assess whether their infrastructure can scale effectively during peak loads or unexpected disruptions, ensuring they remain operational during critical periods.


  3. Third-Party Risk Management

Comprehensive Testing of Third-Party Integrations: With DORA requiring financial institutions to manage third-party risks effectively, Spirent tools can assist by:

  • Validating Third-Party Solutions: Spirent can help organizations assess the security and performance of third-party applications and services before integration, ensuring they meet necessary resilience standards.
  • Ongoing Compliance Monitoring: Tools that support continuous testing can help firms monitor third-party integrations over time, providing insights into their ongoing security posture and operational reliability.


  4. Continuous Monitoring and Reporting

Automated Testing Solutions: Spirent’s automated testing solutions facilitate ongoing compliance with DORA’s incident reporting requirements by:

  • Real-Time Monitoring: Organizations can set up automated tests to continuously monitor network health and security, providing immediate alerts in the event of a significant incident.
  • Detailed Reporting: Spirent tools generate comprehensive reports that can be used for internal assessments and regulatory reporting, ensuring transparency and compliance with DORA’s requirements.


  5. Enhanced Incident Response Capabilities

Scenario Simulation and Training: Spirent’s simulation tools allow organizations to conduct training exercises and drills that mirror potential incidents:

  • Crisis Management Drills: By simulating various operational disruptions, firms can test their incident response plans and improve coordination among teams.
  • Lessons Learned: Post-simulation analyses provide valuable insights that help organizations refine their strategies and enhance their overall resilience.

Conclusion

As UK financial enterprises prepare for the DORA rollout, Spirent’s suite of tools offers a comprehensive approach to meeting the regulation’s requirements. By focusing on security testing, network resilience, third-party risk management, continuous monitoring, and incident response, Spirent helps organizations not only comply with DORA but also build a more robust operational foundation. Embracing these solutions will empower financial institutions to navigate the complexities of the digital landscape while ensuring they remain resilient in the face of potential disruptions.

Contact your account manager to discuss how our strategic partnerships are helping our customers navigate the objectives outlined in DORA.


Remote Office Wi-Fi Troubleshooting Using AirCheck G3 and EtherScope

Since the release of the AirMapper feature for AirCheck and EtherScope back in July 2020, we have seen a shift in the way wireless engineers and network teams manage distributed networks. From many discussions with the Wi-Fi and network professional community, we understand that COVID-19 has played a huge part in how they behave and operate.

Today the AirCheck G3 and EtherScope nXG are helping with that shift more than ever before.

Wi-Fi Testing with AirCheck G3

Pre-COVID it was common for network teams to travel the length and breadth of the UK to distributed networks whenever issues arose; being onsite to troubleshoot was standard practice. However, when COVID hit and lockdown was introduced, network professionals nationwide faced the challenge of continuing to operate networks, from warehouses to NHS hospitals, whilst maintaining safety. Challenged by lockdown and the need to reduce contact with people, many network teams turned to NetAlly and its Wi-Fi products, such as the AirCheck and EtherScope nXG, to help with this.

Using either the AirCheck or EtherScope, network teams could send the tool rather than a person to site. Engineers could set up pre-configured tests to be run on site, either at the press of a button or remotely; an operative already based at the remote site simply had to switch on the AirCheck or EtherScope with one button. The network team could then operate the tool remotely and view and analyse the test results instantly using Link-Live, giving a much needed view into the Wi-Fi environment at distributed sites. Additionally, with NetAlly’s AirMapper feature, network teams could also conduct passive and active site surveys, helping to maintain optimum performance for existing networks and to plan new networks with ease: by asking the onsite operative to walk slowly through the area, the network experts could control the AirCheck or EtherScope remotely and again analyse the results instantly from the comfort of their home office.

No need to spend hours in traffic

Network professionals no longer need to travel to each site; they can “send an AirCheck to our Ireland distribution centre, rather than a person”, as one of our customers said. Another of our MSP customers commented: “we can now get a standardised visibility into our remote customer networks using an almost self-serve approach, meaning happier customers, faster response times and huge expense reduction”.

aircheck connection test

Time for change?

If you are facing a similar situation, where a small subset of specialist engineers are responsible for distributed sites then maybe it’s time to take a look at sending a tool, rather than a person.

Take a look at the AirCheck G3 models HERE, and EtherScope models HERE

Want to try for yourself?

Simply drop your account manager a line, or send us a message, and we will send you test units to try out absolutely free of charge!

Using AirCheck G2 to Maintain Great Wi-Fi

Without doubt, one of the best tools on the market for maintaining great Wi-Fi is the NetAlly AirCheck G2 Wireless Tester. Its ease of use, portability, reliability, depth of visibility and centralised reporting capability have made it a worldwide success and a staple part of the engineer’s toolkit. The purpose of this post is to highlight a few examples of how to use the tool to address some of the most common considerations, and of course issues, presented by Wi-Fi. Firstly, let’s take a look at the tool itself:

netscout aircheck g2 hardware

On the AirCheck G2 we have a large clear and responsive touch screen, a mounting point for an external uni-directional antenna, a 1Gbps Ethernet port for testing backhaul connectivity and PoE and a couple of USB slots for attaching devices, memory sticks etc.

For completeness of visibility we will assume use of the NetAlly AirCheck G2 TA Kit, which includes a few handy extras such as the external antenna and holster, but the clue is in the ‘TA’ part of the name: the Test Accessory. This is a small-footprint device that the AirCheck connects to remotely to provide iPerf testing, giving network throughput performance statistics. Here is what is in the ‘TA Kit’:


Verify The Network Deployment

Using the AirCheck G2 we can check whether it can establish a connection to the network, access core services such as DHCP and DNS, and resolve a web address, and how long each step took. From this simple workflow you can confirm that everything is as expected from a connectivity perspective:

aircheck connection test

Verify Network Performance

Using the AirCheck G2 paired with the Test Accessory, we can now validate performance to a remote device. Here’s how:

  1. Connect to a network
  2. Select iPerf Test
  3. Select iPerf Server or Test Accessory to test against
  4. Click ‘Start’ to begin your test

This tells us that the network is available and that we can connect to it, and gives an indication of its performance.

Auto-Test Feature

Auto Test is a really handy, user-configurable set of tests that can be run with a single touch to validate network health with a ‘Pass’ or ‘Fail’ indication. Using this feature, the AirCheck G2 tests the following five elements:

  • 802.11 Utilisation: Reports the top 3 channels in each band (2.4/5 GHz) with the highest Wi-Fi traffic utilisation.
  • Non-802.11 Utilisation: Reports the top 3 channels in each band (2.4/5 GHz) with the highest non-802.11 airtime utilisation. This indicates the presence of interference sources and high noise.
  • Co-Channel Interference: Reports the top 3 channels in each band (2.4/5 GHz) with the most APs on the same channel that exceed the minimum signal level threshold.
  • Adjacent Channel Interference: Reports the top 3 channels in the 2.4 GHz band in which APs might experience adjacent channel interference. For each channel on which at least one AP is found, the feature counts how many access points are operating on other channels that overlap with that channel.
  • Network Quality: Verifies coverage, interference, security and the ability to connect to specified networks, along with the availability of critical services such as DHCP and specified network targets.


aircheck G2 autotest

Non-802.11 Interference

Using the onboard Wi-Fi radio of the AirCheck G2, we can sense and classify (when possible) sources of interference that are having a detrimental impact on network performance. The sources that can be identified are as follows:

  • AirHORN
  • Baby Monitor
  • BlueTooth
  • Canopy
  • Cordless Phone
  • Game Controller
  • Microwave
  • Motion Detector
  • Narrowband Jammer
  • Radar
  • Video Monitor
  • Wireless Bridge (non-802.11)
  • Wireless Mouse
  • Wireless Video Camera
  • ZigBee
  • + Possible Interferer and Unclassified Interferer


By getting close to the area in question and running this test you can quickly see if there is anything that could be causing a problem, how strong the interference source is, on what band, which channels are impacted, how often and for how long. From here you can even locate the source and either isolate it or, in some cases, engineer the network around it so that it no longer poses a problem.

Optimising the Network Using the AirCheck G2

The ‘Channels’ screen on the AirCheck G2 gives an excellent insight into channel configuration, channel utilisation and non-Wi-Fi channel utilisation across the 2.4 and 5 GHz bands. Using this screen, we can see the entire Wi-Fi spectrum at a glance and also view how the channels overlap.

aircheck channels screen
Aircheck channel overlap screen

When optimising the channel domain, some considerations are:

  • Are there too many APs on a channel?
  • Are there APs on overlapping channels in the 2.4 GHz band (2, 3, 4, 5, 7, 8, 9, 10)?
  • Is 802.11 airtime utilisation too high?
  • Is non-802.11 airtime utilisation too high?

Take a look at the clients on the channel: are there too many? If so, think about removing unauthorised devices or employing techniques such as band steering or client load balancing.
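The co-channel and adjacent-channel counts from the Auto-Test list above, and the "APs on overlapping 2.4 GHz channels" check, can be reproduced from a plain scan list. The following is an added example written for this page, not NetAlly code; the scan data, the -75 dBm signal threshold and the 20 MHz channel-width overlap rule are assumptions.

```python
from collections import defaultdict

# Constructed scan result: (AP name, band, channel, RSSI in dBm). Not real survey data.
SCAN = [
    ("AP-1", "2.4", 1, -45),
    ("AP-2", "2.4", 1, -60),
    ("AP-3", "2.4", 3, -55),   # off the 1/6/11 plan: overlaps both channel 1 and channel 6
    ("AP-4", "2.4", 6, -50),
    ("AP-5", "2.4", 6, -80),   # below the signal threshold, ignored for co-channel counting
    ("AP-6", "2.4", 11, -62),
    ("AP-7", "5", 36, -48),
    ("AP-8", "5", 36, -70),
    ("AP-9", "5", 40, -66),
]

MIN_SIGNAL_DBM = -75           # assumed threshold; the tester's own value is configurable
NON_OVERLAPPING_24 = {1, 6, 11}


def channels_overlap_24(a, b):
    """2.4 GHz channels are 5 MHz apart; two 20 MHz channels overlap when their
    channel numbers differ by fewer than 5 (1/6/11 therefore do not overlap)."""
    return a != b and abs(a - b) < 5


def co_channel_counts(scan, band, min_signal=MIN_SIGNAL_DBM):
    """Per channel in the band: number of APs at or above the signal threshold."""
    counts = defaultdict(int)
    for _, b, ch, rssi in scan:
        if b == band and rssi >= min_signal:
            counts[ch] += 1
    return dict(counts)


def adjacent_channel_counts(scan):
    """For each occupied 2.4 GHz channel, count APs on *other* channels that overlap it."""
    channels = [ch for _, b, ch, _ in scan if b == "2.4"]
    return {ch: sum(1 for other in channels if channels_overlap_24(ch, other))
            for ch in sorted(set(channels))}


def top_channels(counts, n=3):
    """The tester's 'top 3' view: highest count first, lowest channel number breaks ties."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def off_plan_aps(scan):
    """2.4 GHz APs on channels other than 1/6/11: the first thing to fix when optimising."""
    return [name for name, b, ch, _ in scan if b == "2.4" and ch not in NON_OVERLAPPING_24]


if __name__ == "__main__":
    print("co-channel 2.4 GHz:", top_channels(co_channel_counts(SCAN, "2.4")))
    print("co-channel 5 GHz:  ", top_channels(co_channel_counts(SCAN, "5")))
    print("adjacent 2.4 GHz:  ", top_channels(adjacent_channel_counts(SCAN)))
    print("off-plan APs:      ", off_plan_aps(SCAN))
```

On this sample, channel 3 tops the adjacent-channel list with four overlapping APs even though only one AP sits on it, which is exactly why the tester reports the affected channel rather than the offender.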

View the Iris Networks NetAlly AirCheck G2 product page HERE

View NetAlly’s AirCheck G2 product page HERE

Download the datasheet HERE

Network Taps vs Span/Mirror ports

Profitap F1PL


How do you access network traffic today? Are you able to monitor traffic without adding points of failure or affecting network performance?

The first building block of your visibility architecture is access to the data. That comes in one of two forms: a network tap, or a switched port analyser (SPAN) port (also known as port mirroring). But which is the right one?

A Network Tap captures network traffic in both directions and sends it to a monitoring device such as an Intrusion Detection System (IDS) or a traffic statistics generator. Network taps optimise monitoring, security and storage by providing access to network traffic reliably and unobtrusively.

Network Taps can be deployed passively at any inline connection on the network to provide 100% visibility for monitoring and security tools. A more effective solution than SPAN ports, Network Taps deliver all full-duplex network traffic—including Layer 1 and Layer 2 errors—to these devices as though the devices were deployed inline.

How do you get instant access to full-duplex traffic for security analysis?

Are you able to scale your monitoring infrastructure to support multiple tools without increasing the complexity of your network architecture?

Are you concerned about SPAN port contention and switch degradation?

Switched port analyser (SPAN) ports on network devices can also be used to monitor network traffic. However, the SPAN approach has several costly disadvantages:

  • Monitoring and security devices do not receive traffic as though deployed inline
  • Layer 1 and 2 errors are not passed to monitoring tools
  • Solutions do not scale effectively
  • Copying packets and converting signals adds delay
  • Switch CPU and memory resources are consumed, impacting performance
  • Limited port capacity may cause packets to be dropped

In contrast, Network Taps pass traffic at wire-speed, are more reliable and immune to external attacks, and require little or no configuration to scale with network and technology needs.
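The "limited port capacity" and "full-duplex" points above come down to a sizing question that is worth working through before choosing a SPAN session over a tap. The following sizing model is an added example written for this page (not vendor code); link speeds and utilisation figures are constructed, and the model ignores switch CPU effects and VLAN tag changes.

```python
from dataclasses import dataclass


@dataclass
class Link:
    """A monitored full-duplex link. Utilisation is a fraction of line rate per direction."""
    name: str
    speed_gbps: float
    rx_util: float   # traffic arriving at the switch port
    tx_util: float   # traffic leaving the switch port


def span_offered_load(sources, direction="both"):
    """Traffic (Gbps) a SPAN session must copy into its single destination port.
    'both' mirrors rx and tx of every source into one egress stream."""
    total = 0.0
    for link in sources:
        if direction in ("both", "rx"):
            total += link.speed_gbps * link.rx_util
        if direction in ("both", "tx"):
            total += link.speed_gbps * link.tx_util
    return total


def span_drop_fraction(sources, dest_gbps, direction="both"):
    """Fraction of mirrored traffic the destination port cannot carry (0.0 when it fits).
    The switch silently discards the excess, so the monitoring tool never sees it."""
    offered = span_offered_load(sources, direction)
    return 0.0 if offered <= dest_gbps else 1.0 - dest_gbps / offered


def tap_monitor_loads(link):
    """A full-duplex tap feeds each direction to its own monitor port,
    so neither monitor port can be offered more than the link's line rate."""
    return {"A->B": link.speed_gbps * link.rx_util,
            "B->A": link.speed_gbps * link.tx_util}


# Constructed sizing scenarios (not measurements from any real network)
UPLINK = Link("core-uplink", speed_gbps=1.0, rx_util=0.7, tx_util=0.7)
ACCESS = [Link(f"access-{i}", 1.0, 0.25, 0.15) for i in range(10)]


def report():
    return {
        # one 1G link at 70% each way offers 1.4 Gbps to a 1G SPAN destination
        "uplink_span_drop": round(span_drop_fraction([UPLINK], dest_gbps=1.0), 3),
        "uplink_tap": tap_monitor_loads(UPLINK),
        # 10 x 1G access ports funnelled to one 10G monitoring port (the "10 x 1G to 1 x 10G" case)
        "access_span_drop": round(span_drop_fraction(ACCESS, dest_gbps=10.0), 3),
        "access_offered_gbps": round(span_offered_load(ACCESS), 2),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The busy 1G uplink loses roughly 29% of its mirrored packets on a same-speed SPAN port, while a tap on the same link never exceeds 0.7 Gbps on either monitor port; for an IDS that means missed sessions, not just lost statistics.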

A physical Ethernet tap provides complete traffic visibility and access to any network connection. A copper tap can be deployed on any inline copper network link, delivering permanent monitoring access ports. The copper tap gives an out-of-band monitoring or security tool all of the traffic, as if the tool were sitting inline. The tap sends copies of traffic, including Layer 1 and Layer 2 errors, from each side of the full-duplex network link to its respective monitor port. Network Taps provide network isolation, dropping any traffic that is accidentally or maliciously transmitted back onto the monitor ports. Copper taps are isolated from the network because they have no IP address, eliminating exposure to external attacks.

Ixia NetOptics Ethernet Tap Network

A SPAN port (Switched Port Analyzer) was a concept coined by Cisco for mirroring packets to a port on Catalyst switches for monitoring purposes. It is software configurable, and you can set a single port to receive any packets sent or received on any “monitored” port. Generally the SPAN port has to have the same physical and logical characteristics as the monitored port. The SPAN port cannot be used for inbound traffic at all, effectively dedicating it to monitoring. Different switches implement SPAN ports in different ways — some only allow a single port to be monitored at a time, some allow multiple ports to be funnelled into a single SPAN monitoring port, and so on. But the term “SPAN port” has become synonymous with “port mirroring for monitoring purposes”.

Dedicated packet mirroring devices exist (from Ixia, Profitap and Garland, for example) whose entire mission in life is to make copies of IP packets. The flexibility they provide is far better than that of typical mirroring ports on a switch. They can generally groom traffic from one physical topology to another, merge and split streams, funnel many small streams into one large stream (e.g. 10 x 1G to 1 x 10G), and even filter at Layer 3/4. For flexible packet monitoring, these devices are always the way to go.

No matter which packet mirroring option you pick, you still need a device to capture or otherwise analyse the packets. Modern options include IDS/IPS devices, DLP devices, security analytics devices, or simple packet capture devices.

Check out this YouTube video for an overview of how Network Taps can provide you with the visibility that your monitoring and security tools need to operate to their maximum effect:

https://www.youtube.com/watch?v=qQUUikiejtM

Which is the right NetAlly tool for me?


NetAlly Link Live Family

As specialist providers of network monitoring and test equipment, working with leading manufacturers in this space including NetAlly, we often get asked “What is the right tool for me?” or “What would be the best tool for my engineers?”

Within NetAlly’s portfolio is a complete range of solutions, designed specifically to help everybody from a field technician or network technician through to a 3rd line engineer, whether they are looking into designing, installing, maintaining, troubleshooting or capacity planning for both wired and 802.11 wireless networks. Often, tool selection can simply come down to budget; however, getting to grips with exactly what you need to achieve with the product will pay dividends over its lifetime and will ensure that you have the right tool for the right job, whilst achieving the best return on investment and keeping the financial controllers happy.

The purpose of this document is to provide a brief summary of the purpose of some of the most popular tools we provide here at Iris Networks, the types of customers who have typically purchased them, and some examples of how they have been used. Whilst we understand that networks are becoming more and more borderless, we have decided to keep the wireless software (AirMagnet) range separate and will detail those products as a separate consideration.

Network Installer/Implementation

Although the title is very specific, we use it to describe an engineer who might be responsible for installing network devices such as new switches, desktops, phones or access points, perhaps with an element of onsite troubleshooting. For this role there is a need to understand connectivity: where am I plugging in, is it the right switch port, is the remote switch configuration correct, is it advertising the correct speed, what VLAN is configured, and are my PoE levels correct for the purpose? Another consideration might be the documentation required to sign off a job upon completion, so the ability to save documents and report centrally matters.

If you are looking for a handy tool that can give you answers to all of the above then the LinkRunner AT is a great choice.

NetAlly LinkRunner AT2000 hardware front

The NetAlly LinkRunner AT

The NetAlly LinkRunner AT comes in two flavours: the 1000, which has 1 Gb copper RJ45, and the 2000, which has copper RJ45 and fibre SFP. The 2000 model also has TruPower PoE, which applies a resistive load to solicit PoE, and can save more reports. The LinkRunner AT enables technicians to plug into a port and understand what configuration is coming out of it: which switch am I connected to and on which port, which VLAN, what PoE, is DHCP configured so that I can obtain an IP address, and can I communicate out to the internet?

Core Capabilities: cable length, wiremap, location, PoE

Using the NetAlly LinkRunner AT you can make light work of a potentially messy job, with the ability to quickly and efficiently locate cable runs using toning (digital and analogue IntelliTone modes), switch port advertisement/light blinking and remote cable identifiers. I cast my mind back to a job a number of years ago when a client moved into a serviced office where, over time, the port labels on the patch panel had faded away. Using the LinkRunner G2 with the wiremap identifiers which come in the kit enabled me to plug the LinkRunner into one end and the wiremap into the other until I found the ports I needed to re-label.

From there, we configured the VoIP VLAN on the switch and, once patched in and with PoE enabled on those ports, we were able to check and verify that everything was correct so the phone rollout would be seamless.

The LinkRunner AT has an inbuilt patch cable test using the onboard wiremap port, which checks pin-to-pin connectivity of a patch lead, or tests installed wiring for length, shorts, opens and split pairs.

Alternatively, you can do this using the wiremap adaptors which are conveniently numbered for identification.

LinkRunner AT wiremap 2

Going up a level, the LinkRunner AT shows the switch model, slot and port by listening to LLDP, CDP and EDP, giving nearest-switch information including:

– Switch name and model
– IP address
– Chassis, slot and port
– VLAN IDs
– Duplex and speed (actual and advertised)
– Signal strength
– Connection (MDI or MDI-X)
– PoE voltage and power (actual and test limit)
– Graphical representation of power on pairs

The screenshot below shows a 1 Gig link on copper with PoE on port 30, and a 1 Gig link on fibre on port 6.

LinkRunner AT Switch Config
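The nearest-switch fields above arrive in the LLDP frames the switch sends to the port, so it helps to see what the tester is actually decoding. The following is an added example, not NetAlly code: it builds a constructed LLDPDU from a hypothetical switch (system name edge-sw-01, port Gi1/0/30, VLAN 120, class 4 PoE, all assumed values) and parses the standard TLVs plus the IEEE 802.1 port VLAN and IEEE 802.3 MAC/PHY and Power-via-MDI organisationally specific TLVs.

```python
"""Parse the LLDP TLVs a switch advertises on an access port (added example, not NetAlly code).

The frame below is constructed by hand to mirror the nearest-switch data a handheld tester
displays: chassis MAC, port name, system name, port VLAN, negotiated link and PoE class.
"""
import struct

LLDP_MCAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address
ETHERTYPE_LLDP = 0x88CC
OUI_8021 = bytes.fromhex("0080c2")           # IEEE 802.1 organisationally specific TLVs
OUI_8023 = bytes.fromhex("00120f")           # IEEE 802.3 organisationally specific TLVs

# Operational MAU type codes (IANA MAU-MIB); only the values this example needs
MAU_TYPES = {16: "100BASE-TX full duplex", 30: "1000BASE-T full duplex"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into a 16-bit header."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_frame() -> bytes:
    """Constructed LLDPDU from a hypothetical switch 'edge-sw-01', port Gi1/0/30, VLAN 120."""
    switch_mac = bytes.fromhex("0011223344aa")        # assumed value
    tlvs = b"".join([
        tlv(1, b"\x04" + switch_mac),                  # Chassis ID, subtype 4 = MAC address
        tlv(2, b"\x05" + b"Gi1/0/30"),                 # Port ID, subtype 5 = interface name
        tlv(3, struct.pack("!H", 120)),                # TTL in seconds
        tlv(4, b"Desk 14 - phone"),                    # Port description
        tlv(5, b"edge-sw-01"),                         # System name
        tlv(127, OUI_8021 + b"\x01" + struct.pack("!H", 120)),   # Port VLAN ID
        # MAC/PHY config/status: autoneg supported+enabled, PMD capability bits, MAU type 30
        tlv(127, OUI_8023 + b"\x01" + b"\x03" + struct.pack("!HH", 0x6C01, 30)),
        # Power via MDI: port is a PSE, MDI power supported and enabled; signal pairs; class 4
        tlv(127, OUI_8023 + b"\x02" + bytes([0x07, 0x01, 0x05])),
        tlv(0, b""),                                   # End of LLDPDU
    ])
    return LLDP_MCAST + switch_mac + struct.pack("!H", ETHERTYPE_LLDP) + tlvs


def parse_lldp(frame: bytes) -> dict:
    """Walk the TLV list and return the fields a technician would read off the tester."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    info, off = {}, 14
    while off + 2 <= len(frame):
        header = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if tlv_type == 0:
            break
        if tlv_type == 1:
            info["chassis_id"] = value[1:].hex(":") if value[0] == 4 else value[1:].decode("ascii", "replace")
        elif tlv_type == 2:
            info["port_id"] = value[1:].decode("ascii", "replace")
        elif tlv_type == 3:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 4:
            info["port_desc"] = value.decode("ascii", "replace")
        elif tlv_type == 5:
            info["system_name"] = value.decode("ascii", "replace")
        elif tlv_type == 127 and len(value) >= 4:
            oui, subtype, data = value[:3], value[3], value[4:]
            if oui == OUI_8021 and subtype == 1 and len(data) >= 2:
                info["pvid"] = struct.unpack("!H", data[:2])[0]
            elif oui == OUI_8023 and subtype == 1 and len(data) >= 5:
                info["autoneg_enabled"] = bool(data[0] & 0x02)     # bit 1 = autoneg enabled
                mau = struct.unpack("!H", data[3:5])[0]
                info["link"] = MAU_TYPES.get(mau, f"MAU type {mau}")
            elif oui == OUI_8023 and subtype == 2 and len(data) >= 3:
                info["pse"] = bool(data[0] & 0x01)                 # bit 0 = port class PSE
                info["poe_class"] = data[2] - 1 if 1 <= data[2] <= 5 else None  # 1..5 -> class 0..4
    return info


if __name__ == "__main__":
    for key, val in parse_lldp(build_sample_frame()).items():
        print(f"{key:16} {val}")
```

Run it and you get the same row of facts the tester prints: switch name, port, VLAN, link type and PoE class. Note that a tester only reports what the switch advertises; if LLDP-MED or CDP is disabled on the port, these fields are simply absent and the tester falls back to what it can measure electrically.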

An important thing to consider is that there is no option to test wireless on the NetAlly LinkRunner AT.

You can purchase the LinkRunner AT via our eShop here:

NetAlly LinkRunner G2 Smart Tester

If you need all of these features, often find yourself connecting to systems or applications to make network configuration changes, or are installing IoT devices or facilities equipment requiring 802.3bt 90W PoE, then the NetAlly LinkRunner G2 may be the smarter option: it was the first field tester able to validate loaded 802.3bt 90W PoE across all four pairs. It also runs Android, which makes it very versatile, as you can load your own apps on top: ticketing apps, technical setup files, collaboration apps, iPerf, WLAN controller apps and much more.

Netscout LinkRunner G2 smart tester overview
Netscout LinkRunner G2 Tester in hand

The LinkRunner G2 has similar inbuilt cable and link testing to the LinkRunner AT models, with the addition of enhanced testing for 90W 802.3bt across all four pairs. Combined with the flexibility of the inbuilt Android OS, it makes for a very versatile and capable tester, ideal for engineers who have to check connections to building management systems and PoE-powered IoT devices. Whilst you can use an Edimax USB Wi-Fi adaptor and download apps to look at wireless connectivity, it is important to note that this should not be treated as a dedicated wireless tester; for that requirement we would highly recommend the NetAlly AirCheck.

The image below gives a good visual representation of the flexibility and customisation the Android OS offers, and of how installing your own applications on the device extends its capabilities well beyond cable testing.

LinkRunner G2 workflow

You can purchase the NetAlly LinkRunner G2 via our eShop here:

Network Technician, Wireless Network Engineer, Wireless Network Installer etc

NetAlly AirCheck G2 Wireless Tester

NetAlly AirCheck G2 Wireless Tester in hand

The NetAlly AirCheck G2 has become the go-to tester for wireless professionals all over the world who need to install, maintain, troubleshoot and secure 802.11 a/b/g/n/ac/ax wireless networks.

If you are responsible for deploying access points and connecting them to the network, and then for making sure the wireless network performs at its best, this could be the tool for you.

What makes this tool so popular, is a combination of its portability, speed, breadth of visibility, and ease of use. The AirCheck G2 even has a wired port on the side so that you can test the backhaul connectivity to the switch to ensure the correct configs are in place at a switch port level and that the right PoE levels are reaching the AP to power it.

From there, the AirCheck G2 gives clear information on the network itself and the air quality, including networks, channels, APs, clients and the interferers that are present, such as microwave ovens, wireless cameras and jammers. The AirCheck G2 is also compatible with the iPerf Test Accessory, enabling you to test the performance of traffic traversing the wireless (and wired) network using the industry-standard iPerf. You might also want to read our other blog post on Using AirCheck G2 to maintain great Wi-Fi here (https://irisnetworks.co.uk/2018/12/10/using-aircheck-g2-to-maintain-great-wi-fi/).

aircheck channels screen
Aircheck channel overlap screen

You can purchase the NetAlly AirCheck G2 via our eShop here:

Should you be in a role where you need all of the features of the portable tools above, plus the ability to go deeper into the network, discover and categorise network devices, capture packets and connect at speeds of up to 10G, then you should be considering the NetAlly EtherScope nXG.

Network Engineer, L3 Network Engineer, Senior Engineer, Network Manager etc

Etherscope nXG ; Portable Network Expert

Etherscope nXG Front image

The EtherScope nXG is designed to be a fully featured, all-in-one hand-held portable network tester that lets 2nd and 3rd line technicians do more, faster, with fewer tools. It uses custom-built hardware with onboard testing, and combined with its Android OS it is one of the most flexible, fully featured products on the market.

We often ask our customers "if you were despatched to a site to fix generic IT issues and could only take one tool, what would it be?" This would be that tool. Deploying devices, testing the performance of networked devices and network paths, understanding the path devices take to communicate with each other, testing QoS, testing 10G, capturing packets at up to 10G, checking documentation and trouble tickets, making configuration changes to networked devices, troubleshooting wireless and trending wireless performance over time to help with troublesome intermittent issues: it is all possible with the EtherScope nXG.

Stats at a glance:

  • Native 4×4 Wi-Fi (802.11 a/b/g/n/ac Wave 2)
  • 10/100/1000 Mbps to 2.5/5/10G
  • 90W PoE loaded verification
  • Problem detection including duplicate IPs, congested switch ports, oversubscribed Wi-Fi channels/SSIDs, and security issues such as unknown switches and APs with open authentication or no encryption
  • Path analysis to show the switch/router path to connected devices
  • 4-stream load testing of IP traffic via the Ethernet port at 10G line rate, measuring packet loss, jitter and delay
  • Execute multiple AutoTest profiles to shorten test times when verifying multiple VLANs and Wi-Fi SSIDs
  • Packet capture on wired and wireless to PCAP file

You can purchase the NetAlly Etherscope nXG on our eShop here: 

Collaboration & Documentation.

An extra plus point is that ALL of the above tools integrate with Link-Live, a free cloud service that enables collaboration and centralised report keeping across all tools. Link-Live is excellent for asset management, so you can see device serial numbers, where they are connected and so on, and it lets users attach photos or comments to reports quickly and easily.

link live cloud service

Should you wish to learn more about these products, or to arrange demos or trials, please contact us.

Security Awareness is Dead

If we’re honest with ourselves, we’ve all known it for a long time. Posters. Compulsory e-learning. Seminars and desk-drops. They’re security awareness staples. And they’re now all, without question, ineffective. They’re designed to teach people about security. Just on our terms.

People have overdue deadlines. Expectant bosses. Kids to feed. So we run our campaigns. And people smile and nod. Meanwhile, cyber criminals laugh and joke. For a long time, we’ve needed an overhaul. 

It’s arrived.

Times have changed

Borderless security awareness is a radical change of thinking for a radically different world.

Consider COVID-19 for a second.

First, COVID-19 changed our tech. It changed the way we live, learn, shop and work. And by the way, the changes are permanent.

Now, old security awareness campaigns are absurd.

How many people are putting up their own security awareness posters at home?

How many people have security desk drops on their kitchen tables?

Good luck holding people’s attention in a virtual seminar. Or getting people on board by attacking them in their own home.

Compulsory e-learning?

Maybe. With seven other tabs open and the TV on in the background.

Enter borderless security awareness

Borderless security awareness is the only reasonable reaction to the permanently altered world.

It’s not just about securing remote people.

COVID-19 torched some time-honoured borders.

The physical separation between homes and offices. The assumed protection of in-situ office networks. The hope-filled comfort blanket of extensive security policies.

The border between personal and professional lives. And the border curtailing our expectations.

All are gone. And we need to adapt.

Borderless security awareness is our next move.

Borderless security awareness is about ditching a delusional blueprint.

It’s about downgrading enforced e-learning. 

It’s about stepping beyond fake phishing.

Borderless security awareness is about supporting and assisting people at the right time and wherever they are.

It’s security awareness. For a world without borders.

The principles of borderless

At the heart of borderless thinking are six core principles:

  • Engage with people at the right time and in the right place. We must help people when they need help – not on our own arbitrary schedule.
  • Treat people like adults. We must build security into people’s lives in a people-centric way.
  • Go beyond training and education. Training and education alone do not work. People need support and assistance too.
  • Focus on security behaviours. What people do matters more than what people know.
  • Focus on resilience rather than absolute security. Security isn’t binary. We must watch and adjust our resilience as desired.
  • Measure. Use data and metrics to determine impact. Only then can you manage and reduce your cyber risk.

Borderless security awareness is an approach. It’s a mindset. 

It guides how you view and address human cyber risk as it relates to security awareness, behaviour and culture.

Borderless security awareness examples

CybSafe’s Assist helps people on-demand, no matter where they are.

Let’s say they click a suspicious link.

Assist guides them. It tells them what to do next. It’s welcome advice that suffocates resulting cyber risk.

CybSafe’s Protect is another example.

With Protect, people get interactive “checklists” that help them build their security armour. Think fitness apps, or digital games. 

People set security goals, like securing their smartphone. Or security professionals set them for them. People work towards the goal in their own time, building their resilience as they go.

The above have almost nothing to do with the existing security awareness blueprint.

No posters; no desk-drops; no tick-box e-learning.

And they work. We have the data and metrics to prove it.

Changing security roles

COVID-19 has changed the world. In doing so, it’s changed the security awareness blueprint. 

It’s also changed the role of security professionals.

We’re still here to manage cyber risk. But how that’s done has changed. 

We need a new approach to security awareness. The new approach needs to be tailor-made for today’s world. And that means it needs to be borderless.

Traditional security awareness is dead.

Long live borderless security awareness.


Take a look for yourself how you can make a huge difference to your Cyber Security posture by empowering your workforce : CLICK HERE

Credit @cybsafe

Proactive Wi-Fi Experience Monitoring

How to be proactive at measuring your end user performance over distributed and Wi-Fi networks

Let’s roll the clock back a few years, back to when wireless networking was seen as something handy to use in areas where you didn’t have any cable runs or was a temporary fix for an ad-hoc connection. Back to the days where a user was so ecstatic for their new found freedom of mobility that the odd drop of connection, or slightly slower page speed loading really wasn’t an issue. It was after all a luxury that they felt lucky to have…

Now, let’s get back to the real world, back to 2018, and see how things compare.

More and more applications are being deployed for core services, and what was once recreational traffic can now be seen as an enabler for business; studies have suggested that staff morale and productivity increase when recreational surfing, social media browsing and more are allowed. Wireless has become ubiquitous and is no longer a nice-to-have: many see it as the primary connection medium, are adopting wireless-first initiatives, and their businesses depend on it to run. End users are no longer content with mediocre connectivity; at the slightest glitch the "the Wi-Fi is down" calls start flooding the helpdesk. Sorry to bring you back to earth with a bump.

Reactive or Proactive?

I’m not here to beat up any train of thought; there is a use case for both reactive and proactive tools, and we can certainly help with both. For this particular blog I will focus on ways in which we have successfully helped our clients to be proactive about understanding network and application performance as the user (or client) sees it: solutions that might give you a different opinion when your core monitoring tools tell you everything is OK, just as a client would when they pick up the phone and raise a case telling you otherwise.

In no particular order I will introduce three solutions that bring proactive monitoring of both the Wi-Fi experience and the underlying network experience for hosted and cloud applications.

Ixia Hawkeye

Ixia Hawkeye Test

Ixia Hawkeye enables you to conduct wireless network assessments by deploying wireless-enabled endpoints in different distributed locations, or between different sites with software endpoints deployed on Android, iOS, Windows or Linux.

With the agents deployed, you can conduct network assessments and run real-world traffic over your Wi-Fi (and supporting core) network, emulating typical applications and measuring the end user experience. Hawkeye reports experience metrics such as voice MOS score or application response time, over time and per location. Thanks to its flexible licensing it can be deployed permanently or on an ad hoc basis.

hawkeye dashboard

“By running Hawkeye continuous Wi-Fi assessments on my campus, I am able to monitor the quality of access to critical services like Lync and SAP from different buildings and floors and be very reactive when I detect degradation, quickly identifying where to diagnose and solve issues”

There are two types of test: Node to Node and Real Service.

In a Node to Node test, one endpoint generates application traffic and sends it to another endpoint over the live network. The receiving node relays the measurements and statistics back to the management interface.

In a Real Service test, an endpoint generates application traffic towards the real service, such as a server or cloud application, and sends its metrics back to the management interface.

application library

Ixia have a long-standing history in the network test market, so it will come as no surprise that they have the largest application test library in the industry. This lets you create real-world synthetic tests specific to your needs.

With the application library, you are able to:

  • Ensure Quality of Experience (QoE) for end users of services such as voice, Skype for Business or video conferencing.
  • Ensure that users can access business-critical cloud applications such as Office 365, YouTube, Dropbox and more.
  • Qualify and maintain network SLAs with diagnostic tools for IP transport testing, assessing layer 3 network performance indicators (loss, jitter, delay).
  • Validate core services such as DNS and traceroute.
  • Qualify and quantify the real capacity of your network circuits by testing TCP and UDP at speeds up to line rate.
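To make the Node to Node idea concrete, here is an added example (not Ixia or Hawkeye code) of what the receiving endpoint has to compute from a batch of probes before it can report back: loss, mean one-way delay, RFC 3550 interarrival jitter, a voice MOS estimate from the simplified ITU-T G.107 E-model, and a check of those KPIs against an SLA, which is the same shape of comparison the 7Signal KPI/SLA reporting described later on this page performs. The probe records, the G.711-without-PLC E-model parameters (Ie=0, Bpl=4.3) and the SLA thresholds are all constructed or assumed for illustration.

```python
"""Score a node-to-node synthetic probe run: loss, delay, RFC 3550 jitter, E-model MOS, SLA check.

Added example; not Ixia/Hawkeye code. The probe records are constructed, not a capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Probe:
    seq: int
    sent_ms: float
    recv_ms: Optional[float]      # None: the receiving endpoint never saw this sequence number


# Constructed sample: ten probes 20 ms apart, one lost, ~40 ms one-way delay with small variation
SAMPLE: List[Probe] = [
    Probe(i, 20.0 * i, None if d is None else 20.0 * i + d)
    for i, d in enumerate([40, 41, 39, 40, None, 42, 40, 38, 40, 40])
]


def transport_stats(probes: List[Probe]) -> Dict[str, float]:
    """Loss %, mean one-way delay and RFC 3550 interarrival jitter (J += (|D| - J) / 16)."""
    received = [p for p in probes if p.recv_ms is not None]
    if not received:
        return {"loss_pct": 100.0, "delay_ms": float("inf"), "jitter_ms": float("inf")}
    transit = [p.recv_ms - p.sent_ms for p in received]
    jitter = 0.0
    for prev, cur in zip(transit, transit[1:]):
        jitter += (abs(cur - prev) - jitter) / 16.0
    return {
        "loss_pct": 100.0 * (len(probes) - len(received)) / len(probes),
        "delay_ms": sum(transit) / len(transit),
        "jitter_ms": jitter,
    }


def emodel_mos(delay_ms: float, loss_pct: float, ie: float = 0.0, bpl: float = 4.3) -> float:
    """Simplified ITU-T G.107 E-model. Defaults assume G.711 without PLC (Ie=0, Bpl=4.3).

    delay_ms should be the mouth-to-ear delay; here we feed the probe's one-way network delay,
    which leaves out codec and jitter-buffer delay (a simplifying assumption of this example).
    """
    r0 = 93.2
    delay_impairment = 0.024 * delay_ms + (0.11 * (delay_ms - 177.3) if delay_ms > 177.3 else 0.0)
    ie_eff = ie + (95.0 - ie) * loss_pct / (loss_pct + bpl)
    r = r0 - delay_impairment - ie_eff
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1.0 + 0.035 * r + r * (r - 60.0) * (100.0 - r) * 7e-6


def score_run(probes: List[Probe]) -> Dict[str, float]:
    """Everything the receiving node would relay to the management interface for this run."""
    stats = transport_stats(probes)
    stats["mos"] = emodel_mos(stats["delay_ms"], stats["loss_pct"])
    return stats


# Hypothetical voice SLA: maximum acceptable value per KPI (assumed thresholds, not a standard)
VOICE_SLA = {"loss_pct": 1.0, "delay_ms": 150.0, "jitter_ms": 30.0}


def sla_breaches(stats: Dict[str, float], sla: Dict[str, float] = VOICE_SLA, min_mos: float = 4.0) -> List[str]:
    """Return the KPIs that miss their target, the way a KPI dashboard would flag them."""
    breaches = [k for k, limit in sla.items() if stats[k] > limit]
    if stats.get("mos", 5.0) < min_mos:
        breaches.append("mos")
    return breaches


if __name__ == "__main__":
    result = score_run(SAMPLE)
    print({k: round(v, 2) for k, v in result.items()})
    print("SLA breaches:", sla_breaches(result))
```

The point the numbers make: the sample run has a perfectly acceptable 40 ms delay and under 1 ms of jitter, yet a single lost probe in ten is 10% loss, which on an un-concealed G.711 call drags the MOS below 2 and breaches the SLA. Delay and jitter alone would have looked fine, which is why a synthetic test has to report all four together.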

 

NETSCOUT nGenius Pulse

engenius pulse service dashboard

NETSCOUT’s nGenius Pulse is architected in a similar way to Ixia’s: a centralised monitoring service dashboard and distributed endpoints. The endpoints come either as a dedicated small-footprint, PoE-powered micro appliance or as a lightweight piece of software that can be added to a laptop or PC.

engenius pulse hardware endpoint

Once an endpoint is deployed you can immediately begin testing proactively. The devices behave like a client, obtaining an IP address and DNS and then communicating with the services under test, whether core services back in the data centre, cloud applications, or even VoIP between sites: the micro appliances will call each other and report back the status of the calls, which is a really nice feature.

NETSCOUT Pulse transaction dashboard

NETSCOUT’s nGenius Pulse lets you track actions through an application, for example traversing the log-in screens of applications such as Salesforce or Office 365, helping you to understand the true application experience and not just its front-page load.

Integration with NETSCOUT nGeniusONE

It goes without saying that there is a very slick integration with the NETSCOUT nGeniusONE service assurance platform: when you combine Pulse with nGeniusONE you have a full core-to-edge solution, giving enterprise-wide visibility of your critical infrastructure and application performance.

Distributed Wi-Fi End User Experience monitoring

Aruba User Experience Insight (Cape)

Another fantastic way to look at end user performance over the wireless network is HPE Aruba Service Assurance, formerly known as Cape. So how is this different?

cape sensor

Cape sensors look similar to a small wireless access point and are deployed where your end users would be, and from where you really want to monitor your end user experience. The only other component is a cloud subscription, to where the sensors communicate and report all of their findings.

Aruba Cape dashboard overview

In answer to "how is this different?", a good place to start is the dashboard. Cape’s dashboard uses a very easy-to-read traffic light system for service availability, which opens the detail up to a non-technical audience while still offering as much technicality as a 2nd/3rd line tech would need.

In the dashboard you configure what you want to test (cloud services, business apps and remote servers back in the data centres); the test profiles are executed from the sensors, with full detailed results sent back to the dashboard for analysis and long-term trending.

Dashboard drilldown

The Cape sensors connect to the network just as a client would, communicate with the selected applications and report back all transaction statistics over time, while recording the wireless statistics at the same time so the two can be correlated.

7Signal Distributed Wireless Network Monitoring

7SIGNAL is an overlay distributed monitoring platform that deploys sensors within your environment; the sensors connect to your network and run a number of synthetic transactions to test the performance of real-world applications, while recording both active and passive statistics.

7 signal eyeq dashboard

What 7SIGNAL monitors:

      • Connection rates and quality
      • Client throughput and data rates
      • Packet latency
      • Voice quality (MOS)
      • Utilization
      • Signal strength
      • RF interference

7SIGNAL benefits:

      • 100% SaaS delivery
      • Enterprise-wide visibility of Wi-Fi performance from any browser
      • Modular deployment to fit needs
      • Find and fix WLAN issues before users notice or complain
      • Boost productivity by improving the Wi-Fi user experience for all
      • Track WLAN performance as the devices mix and usage evolves
      • Verify the true impact of WLAN configuration changes
      • Reduces the TCO of operating business-critical WLANs
      • Rapid SaaS deployment model

An additional great feature of the 7SIGNAL solution is the Mobile Eye app, which runs on a mobile device and crowdsources mobile device connectivity measurements, with all results shared to the EyeQ platform.

7signal mobile eye application

Wi-Fi KPI & SLA Measurement/Monitoring

Something extra we really like here is the way 7SIGNAL gets to the specifics that matter: it measures and reports against pre-determined SLA/KPI targets, so you always know how close (or far) you are from meeting your objectives.

7signal kpi monitoring

Should you wish to see any of these solutions in more detail please let us know; we are happy to help and can set up trials and PoCs.


You can learn more about Ixia Hawkeye here : 

Iris Networks – Hawkeye

Ixia – Hawkeye

You can learn more about NETSCOUT nGenius Pulse here:

Iris Networks – nGenius Pulse

NETSCOUT – nGenius Pulse

You can learn more about Aruba Service Assurance (Cape) here:

Iris Networks – Aruba Service Assurance (Cape)

HPE Aruba – Aruba Service Assurance (Cape)

You can learn more about 7Signal here:

Iris Networks – 7Signal

7Signal

And thanks for reading!

What will be the top 5 areas for cyber security focus in 2021?

As the curtain closes on 2020 and the lights turn to 2021, we look back at what enterprises did in the past year to support the rise of the teleworker, the unfaltering desire to move more and more into the cloud, and the never-ending threat from cyber criminals that keeps business leaders and cyber professionals alike tossing and turning at night.

1. Securing remote and dynamic workforce - identity assurance and XDR

Pre-COVID-19, and driven by digitalisation, organisations were already working with geographically distributed teams; with COVID-19, many are now looking to keep their workforces remote even beyond the crisis. As workforces become more distributed and remote, and with a widened and more complex threat landscape, the traditional approach to security has to be reimagined.

Protection combined with a proactive approach to threat detection and response delivers visibility into data across networks, clouds and endpoints, while applying analytics and automation to address today’s increasingly sophisticated threats. Enter eXtended Detection and Response (XDR) and Zero Trust Network Access (ZTNA), building on the noticeable acceleration in SaaS-based Identity and Access Management (IAM) and Identity Governance and Administration (IGA) seen in 2019-2020.


2. Ransomware protection and cyber hygiene

According to ENISA, an estimated €10.1B was paid in ransoms between April 2019 and April 2020, €3.3B more than in 2018. This makes ransomware the second most common and costly type of extreme cyber event, according to the IRIS 2020 report. The sophistication of threat capabilities increased in 2020, with many attackers using exploits, credential stealing and multi-stage attacks. Given the high yield for attackers and the number of organisations struggling with basic cyber hygiene, we expect ransomware to increase.

Significant progress has been made by Europol and over 150 partners with the No More Ransom project. The portal has added more than 30 tools and can now decrypt 140 different types of ransomware infection. The Lockheed Martin Cyber Kill Chain framework can be used to map each attack stage to the controls an organisation can implement against it.

3. Cloud posture: CSPM, CWP (host, container, serverless) and microsegmentation

A successful move to the cloud is much more than just moving data. It’s an opportunity to transform the way organisations work, how they interact with data, how they interact with each other, and how they enable their teams to work with the best possible tools. Welcome to the world of “workload-based architecture” and hybrid multi cloud environment.

Unfortunately, nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. Security leaders will increase investment in cloud security posture management (CSPM) processes and tools, as well as in monitoring and protecting cloud workloads (Cloud Workload Protection, CWP), to proactively identify and remediate these risks.
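What a CSPM tool does at its core is evaluate an inventory of cloud resources against a rule set and rank the findings. The following is an added example, not a CSPM product’s code: it runs two of the most common checks (network rules open to the whole internet on administrative ports, and public or unencrypted storage buckets) over a constructed, provider-neutral inventory. The inventory format, resource names and severity ranking are all invented for illustration; a real tool would pull the equivalent data from the cloud provider’s APIs.

```python
"""Minimal posture checks over a constructed cloud inventory (added example, not a CSPM product's code).

The inventory format is invented for illustration; a real tool would pull it from the
provider's APIs (for instance security group rules and storage bucket policies).
"""
from ipaddress import ip_network
from typing import Dict, List

# Services that should never be reachable from the whole internet
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}

# Constructed inventory with deliberately misconfigured items mixed in with sane ones
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from": 443, "to": 443}]},
        {"id": "sg-bastion", "ingress": [{"cidr": "203.0.113.0/24", "from": 22, "to": 22}]},
        {"id": "sg-db", "ingress": [{"cidr": "0.0.0.0/0", "from": 3306, "to": 3306}]},
        {"id": "sg-legacy", "ingress": [{"cidr": "::/0", "from": 0, "to": 65535}]},
    ],
    "buckets": [
        {"name": "public-assets", "public_read": True, "encrypted": True, "logging": True},
        {"name": "customer-exports", "public_read": True, "encrypted": False, "logging": False},
        {"name": "backups", "public_read": False, "encrypted": True, "logging": True},
    ],
}


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (any prefix of length 0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups: List[dict]) -> List[dict]:
    """Flag ingress rules that expose admin services, or every port, to the internet."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if not is_world(rule["cidr"]):
                continue
            exposed = [name for port, name in ADMIN_PORTS.items() if rule["from"] <= port <= rule["to"]]
            if rule["from"] == 0 and rule["to"] == 65535:
                findings.append({"resource": sg["id"], "severity": "critical", "check": "all-ports-open-to-world"})
            elif exposed:
                findings.append({"resource": sg["id"], "severity": "high",
                                 "check": "admin-port-open-to-world", "detail": ",".join(exposed)})
    return findings


def check_buckets(buckets: List[dict]) -> List[dict]:
    """Flag public buckets (worse when unencrypted) and buckets without access logging."""
    findings = []
    for b in buckets:
        if b["public_read"] and not b["encrypted"]:
            findings.append({"resource": b["name"], "severity": "critical", "check": "public-unencrypted-bucket"})
        elif b["public_read"]:
            findings.append({"resource": b["name"], "severity": "medium", "check": "public-bucket"})
        if not b["logging"]:
            findings.append({"resource": b["name"], "severity": "low", "check": "access-logging-disabled"})
    return findings


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def assess(inventory: Dict[str, list]) -> List[dict]:
    """Run every check and return findings ordered by severity, the view a CSPM dashboard leads with."""
    findings = check_security_groups(inventory["security_groups"]) + check_buckets(inventory["buckets"])
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["resource"]))


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f['severity']:8} {f['check']:28} {f['resource']} {f.get('detail', '')}")
```

Two things worth noticing. The web group that opens 443 to the world produces no finding, because the rule is about what is exposed, not whether anything is exposed; and the IPv6 catch-all ::/0 is caught by the same prefix-length test as 0.0.0.0/0, which is exactly the kind of rule hand-written checks tend to miss.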

4. Visibility and monitoring: adopt the triad model but bring in DevOps and AppSec

The Security Operations Centre (SOC) Visibility Triad is a network-centric approach to threat detection and response, as described by Gartner in 2015 and 2019. The model draws on data from three core pillars:

  1. Logs/user and entity behaviour through SIEM complemented by UEBA and SOAR
  2. Network traffic through network detection and response (NDR)
  3. Endpoint detection and response (EDR).

 

Although the triad is still valid in 2020, modern security operations will continue to demand the integration of applications and modern development practices such as DevOps, from the first line of code written through to production. Aligning the Contrast platform with the modern enterprise security architecture and the SOC provides deeper visibility into the application layer and enhances the security posture of the digital landscape, delivering secure software at DevOps speed while providing intelligent, real-time, actionable responses to block and mitigate application threats.

Security must shift left. Security leaders will need to completely reimagine how SOCs are built and managed, with enough intelligence to keep pace with digitalisation: a new level of rigour, adaptive and agile processes, and collaboration across the organisation.


5. Data access governance (DAG)

As more and more organisations make their journey to the cloud, they face regulatory challenges and the question of what to do with a growing amount of sensitive data in unstructured formats, often found in storage that is far less well controlled: file shares, collaboration portals (such as SharePoint), cloud storage (such as OneDrive or Box), or email.

Although cloud-native DLP and CASB DLP both act on data at rest, organisations end up running multiple disjointed governance solutions, exposing themselves to the risks that stem from duplicated and inconsistent policies, access requests and access certification in this new world of work-from-anywhere, IoT, cloud and GDPR.

DAG is attracting more interest as a solution that works on the same basis as DLP but, instead of quarantining, encrypting or deleting data, provides large amounts of information about data structures, access and use, as well as sensitivity, and therefore some idea of risk, feeding data security governance.

Special mention: IoT and IoMT for manufacturing and healthcare

Research reported by Help Net Security in June 2020, based on anonymised data from more than five million unmanaged IoT and IoMT deployments across a variety of verticals including healthcare, life sciences, retail and manufacturing, found a staggering number of vulnerabilities and risks in connected devices.

There are real risks and threats posed by IoT, IoMT and other connected devices if they are not accounted for and properly managed. As many analysts predict, there is no sign of IoT adoption slowing, so their security needs to be prioritised.

Organisations need to refocus on this growing attack surface of unmanaged and IoT devices, with better uptake of solutions that discover every managed, unmanaged and IoT device on and off the network, analyse device behaviour to identify risks or attacks, and protect critical business information and systems.

Iris Networks Cloud & Security offers four distinct Managed Security Services to support our customers:

  1. One-off Cloud Security Posture Assessment Service

This one-off cloud security assessment is a practical and strategic exercise to improve your cloud security health. It helps organisations reduce their risk and improves the visibility of their data life cycle in an era where cyber threats are complex and multi-faceted.

In this model we provide a one-time assessment from our SaaS environment; for highly regulated customers we also set up an on-demand offering.

 

  2. Managed Cloud Monitoring

This service provides organisations with continuous security monitoring, compliance adherence and effective custom policy building across multiple major cloud platforms.

As businesses everywhere move to the cloud, they face new security challenges. There are thousands of configuration settings in the cloud, and the number grows exponentially as you consume more services from cloud providers, and more so with a multi-cloud posture. It becomes humanly impossible to keep up with, and understand the nuances of, the configuration of the key cloud components, mainly centred around compute, networks, identity and storage.

 

Using our industry-leading cloud-native platform, our Mission Control team give you assurance that continuous monitoring, compliance adherence and custom policy building are effective, and detect cloud vulnerabilities and attacks as they occur across multiple major cloud platforms. Our team works directly with you as an extension of your own, bringing their cloud security expertise to bear on implementation, risk surface identification and ongoing cloud monitoring, enhancing the security posture of your cloud strategy.

  3. Managed SIEM

This service goes beyond conventional Managed Security Services and is tailored for organisations that are not comfortable offloading their data to a provider, while maintaining full transparency through working with our Mission Control.

It covers a blended group of security operations specialists, running, managing, and perfecting your tools, while you retain total ownership.

This service enables your security analysts to prioritise alerts and respond to the most suspicious threat behaviour faster, ensuring that threats don’t go unnoticed and linger in your environment.

  4. Managed Detection & Response (MDR)

MDR is for organisations struggling to detect and respond efficiently to modern cyber threats across all environments: IT, OT and cloud. As a cost-effective alternative to building an in-house SOC, MDR delivers real-time monitoring, detection and response using a holistic, turnkey approach.

We provide 24×7 coverage, extensive security expertise and a well-staffed security team, ensuring that threats don’t go unnoticed. We cut alert fatigue and false positives to promote faster response, with detection and response capabilities tailored to your specific needs. Our Mission Control team work directly with you as an extension of your team to perform threat hunting, incident response and guided remediation, while also providing strategic recommendations tailored to the unique needs of your environment.

For more information, or to book a no obligation solution overview, contact the team on

Tel: 01925 357 770

Email: [email protected]

Iris Networks Cloud & Security


How to Optimise your SIEM Syslog Environment

How do you create a secure, resilient, effective, compliant and cost efficient syslog event management infrastructure?

If you are asking yourself this question, it’s likely that by this stage you have invested in a market-leading SIEM platform such as Splunk, QRadar, LogRhythm, Elastic or another of the market leaders – maybe you have adopted a multi-tier approach and run more than one of those listed.

It’s not uncommon to have hundreds of thousands of events per second flowing across enterprise networks and, since the majority are sent over UDP and are therefore connectionless, some events are simply lost at times of peak network load. Other considerations to bear in mind are security, compliance and volume-based license costs. We will highlight some use cases in this post to show ways in which you can address these considerations, creating an efficient, secure, GDPR-compliant and cost-effective syslog environment.

Challenge #1: Platform Agnostic Log Management

Challenges:

Variety of sources & schema, multiple destinations, delivery guarantee, fault tolerance

End Goals:

Unified collection, real-time transformation, secure transit, buffering/caching


Here, syslog-ng relays and syslog-ng Premium Edition (PE) have been deployed to deliver syslog messages using RLTP, which guarantees log delivery across locations: should a message be dropped, it is resent until it is acknowledged and forwarded. PE also uses TLS to secure delivery, so sensitive information cannot be read by third parties in transit. syslog-ng also caches and buffers to local disk should the network or device connection become unavailable. Multiple teams can now retrieve logs for their specific use cases in a standardised, efficient and secure manner.

Challenge #2: Long-Term Storage & Search

Challenges:

Usage based licensing costs, storage costs, varying retention requirements

End Goals:

Implement long-term storage layer, automated retention policies, automated archiving, indexed and compressed

Figure: syslog-ng long-term storage

In this case, relays have been used in conjunction with the syslog-ng Store Box (SSB). Policies have been created to index events at the SSB and send them to a SAN for lower-cost storage. Human-readable filler has been stripped and the logs rewritten, and duplicates removed, to further drive efficiency and reduce SIEM license costs. Logs are indexed and compressed, resulting in faster searching of archives. Policies have also been created to apply differing retention periods as required.

Challenge #3: Advanced Routing / Filtering

Challenges:

Varying events per second (EPS), usage-based licensing, usage-based planning, cost implications

End Goals:

Filter out irrelevant data, asset based planning, cost effective retention

Figure: syslog-ng filtering and routing

Here, relays and PE have been used in conjunction with advanced filtering techniques and directional forwarding that have drastically reduced the volume of messages hitting the SIEM and compliance platforms. syslog-ng can be deployed as an agent on a wide range of hosts and flexibly route content to multiple destinations without the need to deploy multiple agents on each device. Duplicates and unnecessary content have been stripped and discarded.

Challenge #4: Compliance, Even Without a SIEM

Challenges:

Unsorted, mixed content, too noisy for correlation, mixed compliance models, unfiltered data exposed

End Goals:

Logically separate content, data can be filtered further, different archiving policies, repository access controls, user specific log ‘views’

Figure: syslog-ng Store Box routing

Using the SSB, log data is stored in encrypted, compressed and timestamped binary files, with access restricted to authorised personnel only. Authentication, authorisation and accounting settings provide granular control based on user privileges, and the SSB can also be integrated with LDAP and RADIUS directories. The largest SSB can store up to 10TB of uncompressed data. PE also ensures that messages cannot be accessed by third parties by using TLS to encrypt the communication between agents and the Store Box. Filtering and routing rules send data to the correct platforms.

Challenge #5: Reliable Log Infrastructure

Challenges:

Critical events whose logs are never sent, connection saturation, single point of failure, data open to inspection

Solution:

Relays as a local staging post, consolidated cache & buffer, alternate destinations, RLTP (“received and understood” acknowledgement), encryption & timestamping

Figure: syslog-ng encrypted syslog architecture

A combination of syslog-ng agents, relays and the SSB has been used so that messages travel through the network TLS-encrypted. RLTP guarantees log delivery using its “received and understood” acknowledgement. Logs are stored encrypted on the SSB, indexed and timestamped, and sent to the SAN and SIEM for processing.
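To make the relay pattern behind Challenges #1, #3 and #5 concrete, the following is an added example configuration for a syslog-ng relay. It is not taken from this article, from Balabit or One Identity, or from syslog-ng's own documentation; every hostname, port, certificate path and filter pattern in it is an assumed placeholder. It uses open-source syslog-ng options only: a TLS source that requires a trusted client certificate from each agent, a SIEM destination with a reliable disk buffer and an alternate (failover) collector, a noise filter that discards events before they count against SIEM licensing, a security filter so that only relevant classes reach the SIEM while everything else goes to a cheaper archive, and a rewrite rule that redacts card-number-like digit runs before a message leaves the relay. The RLTP acknowledgement and the Store Box described above are Premium Edition and appliance features and are not expressed in this file.

```conf
@version: 4.2
@include "scl.conf"

# Added example relay configuration (not the article's own). Hostnames,
# ports, paths and patterns are assumed placeholders for illustration.

# 1. Receive RFC 5424 syslog from agents over TLS (RFC 5425). Requiring a
#    trusted client certificate means only enrolled agents can submit events
#    and the content is not readable on the wire.
source s_agents_tls {
    syslog(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/cert.d/relay.key")
            cert-file("/etc/syslog-ng/cert.d/relay.crt")
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)
        )
    );
};

# 2. SIEM destination. The reliable disk buffer keeps messages on local disk
#    while the SIEM or the network is unavailable, and failover() names an
#    alternate collector to use until the primary is reachable again.
destination d_siem {
    syslog(
        "siem-a.example.internal" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d") peer-verify(required-trusted))
        failover(servers("siem-b.example.internal"))
        disk-buffer(
            reliable(yes)
            disk-buf-size(2147483648)   # 2 GiB on-disk queue
            mem-buf-size(134217728)     # 128 MiB in-memory queue
            dir("/var/lib/syslog-ng/buffer")
        )
    );
};

# 3. Lower-cost archive: every retained event goes here, partitioned by day
#    and host so retention can be applied by simply removing old directories.
destination d_archive {
    file("/var/log/archive/${YEAR}${MONTH}${DAY}/${HOST}.log"
         create-dirs(yes)
         template("${ISODATE} ${HOST} ${PROGRAM}[${PID}]: ${MESSAGE}\n"));
};

# 4. Noise that is useless for detection and compliance; dropping it at the
#    relay removes it from every downstream licence count. Patterns are
#    placeholders to be replaced with the real chatter in your estate.
filter f_noise {
    (program("dhcpd") and message("DHCPACK|DHCPREQUEST")) or
    (program("systemd") and message("Started Session"));
};
filter f_keep { not filter(f_noise); };

# 5. Security-relevant classes that justify SIEM ingestion cost.
filter f_security {
    facility(auth, authpriv) or program("sshd") or program("sudo") or
    level(err..emerg);
};

# 6. Redact runs of 13-16 digits (card-number-like) before the message is
#    forwarded, so neither the SIEM nor its operators see raw values. This
#    pattern is deliberately coarse; tune it to the data you actually handle.
rewrite r_redact_pan {
    subst("\\b[0-9]{13,16}\\b", "[PAN-REDACTED]",
          value("MESSAGE") type("pcre") flags("global"));
};

# 7. One log path: filter once, redact once, then fan out. Each channel in
#    the junction sees every message, so security events reach both the SIEM
#    and the archive without a second agent on the source host.
log {
    source(s_agents_tls);
    filter(f_keep);
    rewrite(r_redact_pan);
    junction {
        channel { filter(f_security); destination(d_siem); };
        channel { destination(d_archive); };
    };
};
```

Because the noise filter and the redaction rewrite sit before the junction, the reduction in volume and the removal of sensitive content apply to every consumer at once; adding a compliance platform later is a third channel, not another agent rollout. The disk buffer size should be set from measured peak EPS multiplied by the longest outage you intend to survive, since the reliable buffer will stop accepting input rather than drop messages once it fills.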

Thanks & credit to the team @ BALABIT & OneIdentity for assistance with content.

If you would like to discuss how these solutions can transform your syslog architecture, help you to meet GDPR compliance regulations and save you substantially on your license costs please get in touch.
