by Paul Caiazzo
As we talk to our customers during this time, questions regarding this unprecedented situation understandably arise: Is Avertium able to stay up and running during the outbreak? How is Avertium ensuring data protection at the highest level when attacks have increased, and employees can’t physically report to work?
Avertium’s ability to protect customer data through the COVID-19 pandemic comes down to one factor: We hold ourselves to a gold standard of cybersecurity maturity every day, 24 hours a day; one that is demarcated by rigor.
Being at the optimum level of preparedness to ensure business continuity doesn’t come overnight. Achieving and maintaining a cybersecurity gold standard has been our mantra from Avertium’s inception, and it carries forward the commitment to our customers’ security that our legacy companies held sacrosanctly.
We regularly review our security program, and the myriad policies, processes, procedures, and technical controls we utilize, to protect ourselves and our customers. We look at each control domain and identify the best approach to policy and control implementation to make use of our hard-won expertise in the solutions we offer to our customers to also protect ourselves. From this, we created and follow the Avertium Security Manual, a set of policies, procedures, best practices, and control requirements that embodies our goal to exceed compliance standards.
We believe if you take the check-the-box compliance approach, you're going to eventually have a very bad day. Every organization must hold itself to a cybersecurity gold standard during the crisis and beyond; one that reflects its risks management strategy maintains business continuity while optimizing its security posture.
We help our customers establish a cybersecurity gold standard relevant and customized to their business and these are the steps we take to develop ours.
Secure Operations During Crisis
Our customers rely on us to maintain visibility into their network and provide actionable remediation guidance in a timely manner, especially in times of crisis. Even in this complicated situation in which the customer's workforce might be transitioning to virtual offices or they might be shutting down a site, we still must be able to see and analyze what's happening on their network in order to protect them.
In addition, the nature of our business model means our risk profile as a managed security services provider is higher than any one of our individual customers. We know we’re a target and an interesting one at that. We must do everything we tell our customers they should do in order to protect not just ourselves, but ultimately them in the process.
As the senior vice president of security and compliance, I am an Avertium Managed Security Services (MSS) customer myself. I continuously review reports generated by our CyberOps Centers of Excellence, which monitors us and our customers 24/7/365 for suspicious or anomalous activity throughout our geographically distributed hybrid cloud environment.
If we identify a risk that could require an investment or significant strategic decision, I take it to our compliance governance board, which I chair, made up of business unit leaders from across our organization. Once we address issues and make decisions, I take them forward to implement.
We center on mapping our program to the National Institute of Standards and Framework's Cybersecurity Framework (NIST CSF), a maturity model I love as it translates to all relevant security and compliance standards and gives great insight into maturity across five key domains. (See explanation below). This mapping helps us identify where we're strongest and where enhancements could make us even stronger.
I will address each of the five topics of the NIST CSF at a high level to explain how Avertium operates to a gold standard, protecting both our customers and ourselves.
Basing a Gold Standard of Cybersecurity on the NIST CSF
Topic One: Identify
The first phase of the NIST CSF focuses on identifying risk. One way we do this is through regular technical testing, including internal and external vulnerability scans and penetration tests to help to uncover technical problems in the environments.
Vulnerability Scanning Cadence
Avertium conducts vulnerability scanning once a week and we recommend customers scan at least once a month. PCI requires that a scan be run once per quarter. As you can see, we do this several times more frequently than the baseline requirement of our primary compliance mandate. We believe this is an important step to maintaining that gold standard as vulnerability data is most valuable when it is current and is being used to drive action.
Sensitive Data Discovery
Identification also includes sensitive data discovery, so Avertium recommends all organizations implement a sensitive data discovery program. Our program centers around using the same tools we offer our customers via our MSS platform, and we run it on a frequent basis as well.
Sensitive data discovery scans are configured to look for personally identifiable information, payment card information, and other sensitive data. This helps us to identify potential information governance issues and take action to train users in a very timely manner.
Penetration Testing
In addition to required external testing, Avertium conducts penetration tests in regular intervals to test the tactics, techniques, and procedures (TTPs) of real-world attackers to reveal vulnerabilities. This allows for remediation to prevent hackers from infiltrating systems.
Avertium uses our own pen testing team, the same experts our customers employ, to conduct proprietary attacks and develop an impact analysis specific to our organization. Our security analysts then work with our MSS team and our enterprise security consultants to fully understand the impact of any found vulnerabilities and remediate them before they are exploited.
Similar to vulnerability scanning, penetration test results are a snapshot in time, and currency of results is imperative in maintaining situational awareness of our actual security posture
Topic Two: Protect
Understanding our risks helps us to move into the next phase, which is to protect the organization from exposure. Avertium has capitalized on our 24x7 managed security operations to protect the company along with our MSS customers in these ways:
Phishing Defenses
The COVID-19 pandemic has spurred bad actors to leverage fear and the disruption of business to prey on workers. We've observed a colossal uptick in phishing attacks during the current crisis, targeting people's susceptibility to clicking links related to COVID-19.
We protect against this malware delivery system through advanced email filtration, secure configuration of our email platform including multifactor authentication, user training, and continuous monitoring.
Side note: If you have a Microsoft Office 365 subscription, in our opinion Microsoft’s O365 Advanced Threat Protection is a must-have. You are exposed if you don't have it implemented.
Endpoint Protection
In this day and age, the network perimeter no longer exists. The COVID-19 crisis compounds this, since more employees are working from home than ever before, and circumstances with the supply chain forced many organizations to allow end-users to bring their own devices. Also, since the majority of attacks focus on the end-user, the perimeter today is formed by the endpoint itself. And that can now be located anywhere in the world.
Avertium deploys the same endpoint protection packages we offer to our MSS customers. Our software includes traditional antivirus as well as advanced capabilities such as anti-ransomware, analysis of fileless malware, malicious processes, and anomalous activities, and remote response tools we use to enable our customer-facing and internal incident response programs.
It’s also important to empower your workforce to protect their own devices. This practice allows you to protect against all avenues of risk.
We’ve made available to all staff licenses of the same endpoint protection tools available to our customers to install on their personally owned devices as well. Our employees can install these on all devices within their household, making their working environment – and therefore ours – more secure.
Cloud-Based Platforms
The NIST CSF protection phase is intended to support business continuity risks as well. Avertium’s resiliency is, in part, attributable to the fact that our operating environments make heavy use of securely configured, highly resilient cloud infrastructure. The core cloud-based platforms we use to protect ourselves are, again, the same platforms we use to deliver services to our customers.
Related Reading: Cloud Security Using Defense in Depth
Redundant Dual Security Operations Centers
We also leverage our fully redundant CyberOps Centers of Excellence, which serve all our managed security customers, to provide the critical human analysis needed to cut the signal from the noise.
Our architecture creates effectively one logical unit spread across multiple geographies, allowing for a full site failure with no impact on service delivery. We test the effect of the added workload during failover as part of our regular disaster recovery and business continuity testing.
Secure Connectivity for Remote Workers
Due to the pandemic we, like our customers, wanted to protect our employees by allowing them to work from home. We provide secure access to home-based devices to our cloud environments to provide high key strength encryption for work-from-home devices. Ensuring operations are continuous, and operating securely in turn, secures our customer environments and provides visibility. We packaged this same solution for our many customers who struggled to pivot their primarily office-based staff to work from home.
Topic Three: Detect
Since no control is perfect, there's always going to be some element of risk that a threat will infiltrate the lines of protection. To address the NIST CSF detection phase, Avertium uses an advanced cloud-based platform along with a proprietary set of best practices and data sources that we log and monitor to protect our managed services customers and ourselves.
We capture this data and feed it to our security information and event management (SIEM) technology to provide it the amount of information it needs to perform optimally. This includes vulnerability scan data, all the network IDS we have running, threat intelligence that we correlate against what's happening in the environment, and more.
We map our proprietary correlation rules to the MITRE ATT&CK framework, both for our customers and ourselves. This gives us the ability to track a potential incident through the stages of the kill chain and to identify tactics and techniques which could represent a significant risk. This helps us to rapidly identify suspected problems for both Avertium and Avertium’s MSS customers.
While there are costs associated with onboarding data to a SIEM, we feel the cost-to-benefit ratio justifies minimizing risk at almost any expense because it empowers us to protect our network and ultimately our customers’ networks.
Related Reading: Using MITRE ATT&CK Framework for Beyond-Checkbox Cybersecurity
Topic Four: Respond
Detecting a threat creates the need to respond immediately.
To do this, an organization needs to have prepared to respond as part of its incident response plan. Avertium practices various scenarios through tabletop exercises. And, since we operate in a 24x7 mode, we're continuously testing our response capabilities simply by serving our customers day in and day out, all day, every day.
We also offer our customers the same platforms we utilize for security orchestration and automated response (SOAR). We use SOAR to automate our response for common types of alerts to minimize or eliminate threats within the window of opportunity particular to that threat. We work diligently to configure as much as possible within our toolsets to minimize the potential for human error in the responses for us and on our customer’s behalf.
A word of caution: SOAR must be applied intelligently since automation can lead to problems if not done correctly. This is a collaborative effort between our security operations center (SOC) analysts and the customer. Continuing the scenario of Avertium’s infrastructure team as the customer, the infrastructure team and the SOC engineers continually work to shore up the SOAR rules. They make sure all the data sources are being adjusted correctly and review vulnerability reports to tie everything together to maintain the gold standard.
We are also fortunate to have a team of highly skilled incident responders available to us if there were an incident. Just as our customers can pick up the phone and call us for any sort of elevated incident response activity, we can pick up the phone and make a call, too. In this instance, it happens to be to a colleague on staff.
Topic Five: Recover
Avertium’s SOC is here 24 hours a day, seven days a week - so we’re equipped to work diligently to recover from an incident if needed.
Depending on the risk types, recovery can be as simple as spinning up a new virtual machine and turning down an old one, or it could be standing up a new site. Either way, we're well prepared for it.
We have a comprehensive internal security program supported by policy and procedure which has been written specifically to our infrastructure. We’ve backstopped this initiative by process and trained our team accordingly. Finally, we’ve implemented technology and technical controls across the environment to minimize risk wherever we possibly can.
Of course, there's no way to eliminate risk – the bad guys make sure of that - so that's where the vigilance of 24 hours-a-day monitoring comes in.
Because, what it all boils down to is us doing the right things for ourselves too, in turn, provide more rigor, more relevance, and more responsiveness for our customers.
Paul Caiazzo, Senior VP of Security and Compliance
Paul brings his wealth of cybersecurity experience to guide Avertium customers through challenging security problems while keeping business goals and objectives at the forefront. His primary focus is on business development, partner and client engagement, and other strategic initiatives.