Introduction Businesses have increasingly turned to Secure Services Edge (SSE) to secure their digital assets and data, as they undergo digital transformation. SSE secures the... Read ›
Essential steps to evaluate the Risk Profile of a Secure Services Edge (SSE) Provider Introduction
Businesses have increasingly turned to Secure Services Edge (SSE) to secure their digital assets and data, as they undergo digital transformation.
SSE secures the network edge to ensure data privacy and protect against cyber threats, using a cloud-delivered SaaS infrastructure from a third-party cybersecurity provider.
SSE has brought numerous advantages to companies who needed to strengthen their cyber security after undergoing a digital transformation. However, it has introduced new risks that traditional risk management methods can fail to identify at the initial onboarding stage.
When companies consider a third party to run their critical infrastructure, it is important to seek functionality and performance, but it is essential to identify and manage risks. Would you let someone you barely know race your shiny Porsche along a winding clifftop road, without first assessing his driving skills and safety record?
[boxlink link="https://www.catonetworks.com/resources/ensuring-success-with-sse-rfp-rfi-template/"] Ensuring Success with SSE: Your Helpful SSE RFP/RFI Template | Download the Template [/boxlink]
When assessing a Secure Services Edge (SSE) vendor, it is therefore essential to consider the risk profile alongside the capabilities.
In this post, we will guide you through the key steps to evaluate SSE vendors, this time not based on their features, but on their risk profile.
Why does this matter?
Gartner defines a third-party risk “miss” as an incident resulting in at least one of the outcomes in Figure 1.
Its 2022 survey of Executive Risk Committee members shows how these third-party risk “misses” are hurting organizations: 84% of respondents said that they had resulted in operations disruption at least once in the last 12 months.
Courtesy of Gartner
Essential steps to evaluate the Risk Profile of a potential SSE provider
Step 1: Assess Reputation and Experience
Start your evaluation by researching the provider’s reputation and experience in the cybersecurity industry. Look for established vendors with a proven track record of successfully securing organizations from cyber threats. Client testimonials and case studies can offer valuable insights into their effectiveness in handling diverse security challenges.
Step 2: Certifications and Compliance
Check if the cybersecurity vendor holds relevant certifications, such as ISO 27001, NIST Cybersecurity Framework, SOC 2, or others. These demonstrate their commitment to maintaining high standards of information security. Compliance with industry-specific regulations (e.g., GDPR, HIPAA) is equally important, especially if your organization deals with sensitive data.
Step 3: Incident Response and Support
Ask about the vendor's incident response capabilities and the support they provide during and after a cyber incident. A reliable vendor should have a well-defined incident response plan and a team of skilled professionals ready to assist you in the event of a security breach.
Step 4: Third-party Audits and Assessments
Look for vendors who regularly undergo third-party security audits and assessments. These independent evaluations provide an objective view of the vendor's security practices and can validate their claims regarding their InfoSec capabilities.
Step 5: Data Protection Measures
Ensure that the vendor employs robust data protection measures, including encryption, access controls, and data backup protocols. This is vital if your organization handles sensitive customer information or intellectual property.
Step 6: Transparency and Communication
A trustworthy vendor will be transparent about their security practices, policies, and potential limitations. Evaluate how well they communicate their security measures and how responsive they are to your queries during the evaluation process.
Step 7: Research Security Incidents and Breaches
Conduct research on any past security incidents or data breaches that the vendor might have experienced. Analyze how they handled the situation, what lessons they learned, and the improvements they made to prevent similar incidents in the future.
Gartner has recently released a Third Party Risk platform to help organizations navigate through the risk profiles of Third Party providers, including of course, cybersecurity vendors.
The Gartner definition of Third-Party Risk is: “the risk an organization is exposed to by its external third parties such as vendors, contractors, and suppliers who may have access to company data, customer data, or other privileged information.”
The information provided by vendors on Gartner's Third-Party Risk Platform is primarily self-disclosed. While Gartner relies on vendors to accurately report their details, they also offer the option for vendors to upload attestations of third-party audits as evidence to support their claims. This additional layer of validation helps increase the reliability and credibility of the information presented. However, it is ultimately the responsibility of users to perform their due diligence when evaluating vendor information.
Conclusion
Selecting the right SSE provider is a critical decision that can significantly impact your organization's security posture. By evaluating vendors based on their Risk profile, not just their features, and leveraging the Gartner Third Party Risk Platform, you can make an informed choice and gain a reliable cybersecurity provider. Remember: investing time and effort in the evaluation process now, can prevent potential security headaches in the future, ensuring your organization remains protected from evolving cyber threats and compliant to local regulations.
Introduction Organizations need to protect themselves from the risks of running their business over the internet and processing sensitive data in the cloud. The growth... Read ›
How to Solve the Cloud vs On-Premise Security Dilemma Introduction
Organizations need to protect themselves from the risks of running their business over the internet and processing sensitive data in the cloud. The growth of SaaS applications, Shadow IT and work from anywhere have therefore driven a rapid adoption of cloud-delivered cybersecurity services.
Gartner defined SSE as a collection of cloud-delivered security functions: SWG, CASB, DLP and ZTNA. SSE solutions help to move branch security to the cloud in a flexible, cost-effective and easy-to-manage way. They protect applications, data and users from North-South (incoming and outgoing) cyber threats. Of course, organizations must also protect against East-West threats, to prevent malicious actors from moving within their networks.
Organizations can face challenges moving all their security to the Cloud, particularly when dealing with internal traffic segmentation (East-West traffic protection), legacy data center applications that can’t be moved to the cloud, and regulatory issues (especially in Finance and Government sectors). They often retain a legacy data center firewall for East-West traffic protection, alongside an SSE solution for North-South traffic protection.
This hybrid security architecture increases complexity and operational costs. It also creates security gaps, due to the lack of unified visibility across the cloud and on-premise components.
A SIEM or XDR solution could help with troubleshooting and reducing security gaps, but it won’t solve the underlying complexity and operational cost issues.
Solving the cloud vs on-premise dilemma
Cato Networks’ SSE 360 solution solves the “on-premise vs cloud-delivered” security dilemma by providing complete and holistic protection across the organization’s infrastructure. It is built on a cloud-native architecture, secures traffic to all edges and provides full network visibility and control.
Cato SSE 360 delivers both the North-South protection of SSE and the East-West protection normally delivered by a data center firewall, all orchestrated from one unified cloud-based console, the Cato Management Application (CMA).
Cato SSE 360 offers a modular way to implement East-West traffic protection. By default, traffic protection is enforced at the POP, including features such as TLS inspection, user/device posture checks and advanced malware protection. See Figure 1 below. This does not impact user experience because there is sub-20ms latency to the closest Cato POP, worldwide.
Figure 1 - WAN Firewall Policy
Using the centralized Cato Management Application (CMA), it is simple to create a policy based on a zero-trust approach. For example, in Figure 2 below, we see that only
Authorized users (e.g. Cato Fong),
Connected to a corporate VLAN,
Running a policy-compliant device (Windows with Windows AV active)
Are allowed to access sensitive resources (in this case, the Domain Controller inside the organization).
Figure 2 - An example WAN Firewall rule
In some situations, it is helpful to implement East-West security at the local site: to allow or block communication without sending the traffic to the POP.
For Cato services, the default way to connect a site to the network is with a zero-touch edge SD-WAN device, known as a Cato Socket. With Cato’s LAN Firewall policy, you can configure rules for allowing or blocking LAN traffic directly on the Socket, without sending traffic to the POP. You can also enable tracking (ie. record events) for each rule.
Figure 3 - LAN Firewall Policy
When to use a LAN firewall policy
There are several scenarios in which it could make sense to apply a LAN firewall policy.
Let’s review the LAN Firewall logic:
Site traffic will be matched against the LAN firewall policies
If there is a match, then the traffic is enforced locally at the socket level
If there is no match, then traffic will be forwarded by default to the POP the socket is connected to
Since the POP implements an implicit “deny” all policy for WAN traffic, administrators will just have to define a “whitelist” of policies to allow users to access local resources.
[boxlink link="https://www.catonetworks.com/resources/the-business-case-for-security-transformation-with-cato-sse-360/?cpiper=true"] The Business Case for Security Transformation with Cato SSE 360 | Download the White Paper [/boxlink]
Some use cases:
prevent users on a Guest WiFi network from accessing local corporate resources.
allow users on the corporate VLAN to access printers located in the printer VLAN, over specific TCP ports.
allow IOT devices (e.g. CCTV cameras), connected to an IOT-camera VLAN, to access the IOT File Server, but only over HTTPS.
allow database synchronization across two VLANs located in separate datacenter rooms over a specific protocol/port.
To better show the tight interaction between the LAN firewall engine in the socket and the WAN and Internet firewall engines at the POP, let’s see this use case: In Figure 5, a CCTV camera is connected to an IoT VLAN. A LAN Firewall policy, implemented in the Cato Socket, allows the camera to access an internal CCTV server. However, the Internet Firewall, implemented at the POP, blocks access by the camera to the Internet. This will protect against command and control (C&C) communication, if the camera is ever compromised by a malicious botnet.
Figure 4 - Allow CCTV camera to access CCTV internal server
All policies should both be visible in the same dashboard
IT Managers can use the same CMA dashboards to set policies and review events, regardless of whether the policy is enforced in the local socket or in the POP. This makes it simple to set policies and track events.
We can see this in the figures below, which show a LAN firewall event and a WAN firewall event, tracked on the CMA.
Figure 6 shows a LAN firewall event. It is associated with the Guest WiFi LAN firewall policy mentioned above. Here, we blocked access to the corporate AD server for the guest user at the socket level (LAN firewall).
Figure 5 - LAN Firewall tracked event
Figure 7 shows a WAN firewall event. It is associated with a WAN firewall policy for the AD Server, for a user called Cato Fong. In this case, we allowed the user to access the AD Server at the POP level (WAN firewall), using zero trust principles: Cato is an authorized user and Windows Defender AV is active on his device.
Figure 6 - WAN Firewall tracked event
Benefits of cloud-based East-West protection
Applying East-West protection with Cato SSE 360 brings several key benefits:
It allows unified cloud-based management across all edges, for both East-West and North-South protection;
It provides granular firewall policy options for both local and global segmentation;
It allows bandwidth savings for situations that do not require layer 7 inspection;
If provides unified, cloud-based visibility of all security and networking events.
With Cato SASE Cloud and Cato SSE 360, organizations can migrate their datacenter firewalls confidently to the cloud, to experience all the benefits of a true SASE solution.
Cato SSE 360 is built on a cloud-native architecture. It secures traffic to all edges and provides full network visibility and control. It delivers all the functionality of a datacenter firewall, including NGFW, SWG and local segmentation, plus Advanced Threat Protection and Managed Threat Detection and Response.
Introduction In an increasingly digital world, cybersecurity has become a critical concern for companies. With the rise of sophisticated cyber threats, protecting critical infrastructure and... Read ›
Achieving NIS2 Compliance: Essential Steps for Companies Introduction
In an increasingly digital world, cybersecurity has become a critical concern for companies. With the rise of sophisticated cyber threats, protecting critical infrastructure and ensuring the continuity of essential services has become a top priority. The EU’s Network and Information Security Directive (NIS2), which supersedes the previous directive from 2016, establishes a framework to enhance the security and resilience of network and information systems. In this blog post, we will explore the key steps that companies need to take to achieve NIS2 compliance.
Who needs to comply with NIS2?
The first step towards NIS2 compliance is to thoroughly understand the scope of the directive and its applicability to your organization. It is critical to assess whether your organization falls within the scope and to identify the relevant requirements.
For non-compliance with NIS regulations, companies providing essential services such as energy, healthcare, transport, or water may be fined up to £17 million in the UK and €10 million or 2% of worldwide turnover in the EU.
NIS2 will apply to any organisation with more than 50 employees whose annual turnover exceeds €10 million, and any organisation previously included in the original NIS Directive.
The updated directive now also includes the following industries:
Electronic communications
Digital services
Space
Waste management
Food
Critical product manufacturing (i.e. medicine)
Postal services
Public administration
Industries included in the original directive will remain within the remit of the updated NIS2 directive. Some smaller organizations that are critical to the functioning of a member state will also be covered by NIS2.
[boxlink link="https://www.catonetworks.com/resources/protect-your-sensitive-data-and-ensure-regulatory-compliance-with-catos-dlp/?cpiper=true"] Protect Your Sensitive Data and Ensure Regulatory Compliance with Cato’s DLP | Download the Whitepaper [/boxlink]
Achieving Compliance
NIS2 introduces more stringent security requirements. It requires organizations to implement both organizational and technical measures to safeguard their networks and information systems. This includes measures such as risk management, incident detection and response, regular security assessments, and encryption of sensitive data.
By adopting these measures, organisations can significantly enhance their overall security posture.
Let’s have a closer look at the key steps to achieve NIS2 compliance:
Perform a Risk Assessment
Conduct a detailed risk assessment to identify potential vulnerabilities and threats to your network and information systems. This assessment should cover both internal and external risks, such as malware attacks, unauthorized access, human errors, and natural disasters. Understanding the specific risks your organization faces will help you design effective security measures.
Establish a Security Governance Framework
Develop a robust security governance framework that outlines the roles, responsibilities, and processes necessary to achieve and maintain NIS2 compliance. Assign clear accountability for cybersecurity at all levels of your organization and establish protocols for risk management, incident response, and communication.
Implement Security Measures
Implement appropriate technical and organizational security measures to protect your network and information systems. Ensure that they are regularly reviewed, updated, and tested to address evolving threats. Example measures include access controls using multi-factor authentication, encryption using services like PKI certificates to secure networks and systems, regular vulnerability assessments, intrusion detection and prevention systems, and secure software development practices..
Supply chain security
Assess suppliers, service providers, and even data storage providers for vulnerabilities. NIS2 requires that companies thoroughly understand potential risks, establish close relationships with partners, and consistently update security measures to ensure the utmost protection.
Incident Response and Reporting
Establish a well-defined incident response plan to address and mitigate cybersecurity incidents promptly. This plan should include procedures for identifying, reporting, and responding to security breaches or disruptions. Designate responsible personnel and establish communication channels to ensure swift and effective incident response.
NIS2 compliant organizations must report cybersecurity incidents to the competent national authorities. They must submit an “early warning” report within 24 hours of becoming aware of an incident, followed by an initial assessment within 72 hours, and a final report within one month.
Business Continuity
Implement secure backup and recovery procedures to ensure the availability of key services in the event of a system failure, disaster, data breaches or other cyber-attacks. Backup and recovery measures include regular backups, testing backup procedures, and ensuring the availability of backup copies.
Collaboration and Information Sharing
Establish a culture of proactive information exchange related to cyber threats, incidents, vulnerabilities, and cybersecurity practices. NIS2 recognizes the significance of sharing insights into the tools, methods, tactics, and procedures employed by malicious actors, as well as preparation for a cybersecurity crisis through exercises and training.
Foster collaboration and information sharing with relevant authorities, sector-specific CSIRTs (Computer Security Incident Response Team), and other organisations in the same industry. NIS2 encourages structured information-sharing arrangements to promote trust and cooperation among stakeholders in the cyber landscape. The aim is to enhance the collective resilience of organizations and countries against the evolving cyber threat landscape.
Compliance Documentation and Auditing
Maintain comprehensive documentation of your NIS2 compliance efforts, including policies, procedures, risk assessments, incident reports, and evidence of security measures implemented. Regularly review and update these documents to reflect changes in your organization or the threat landscape. Consider engaging independent auditors to evaluate your compliance status and provide objective assessments.
Training and Awareness
Invest in continuous training and awareness programs to educate employees about the importance of cybersecurity and their role in maintaining NIS2 compliance. Regularly update employees on emerging threats, best practices, and incident response procedures. Foster a culture of security consciousness to minimize human-related risks.
The right network and security platform can help
Cato Networks offers a comprehensive solution and infrastructure that can greatly assist companies in achieving NIS2 compliance. By leveraging Cato's Secure Access Service Edge (SASE) platform, organizations can enhance the security and resilience of their network and information systems.
Cato's integrated approach combines SD-WAN, managed security services and global backbone services into a cloud-based service offering. Its products are designed to help IT staff manage network security for distributed workforces accessing resources across the wide area network (WAN), cloud and Internet. The Cato SASE Cloud platform supports more than 80 points of presence in over 150 countries.
The company's managed detection and response (MDR) platform combines machine learning and artificial intelligence (AI) models to process network traffic data and identify threats to its customers, in a timely manner.
Cato SASE cloud offers a range of security services like Intrusion Prevention Systems (IPS), Anti Malware (AM), Next Generation Firewalls (NGFW) and Secure Web Gateway, to provide robust protection against cyber threats,
It also provides cloud access security broker (CASB) and Data Loss Prevention (DLP) capabilities to protect sensitive assets and ensure compliancy with cloud applications. The Cato SASE cloud is a zero-trust identity driven platform ensuring access-control based on popular multifactor authentication, integration with popular Identity providers like Microsoft, Google, Okta, Onelogin and OneWelcome.
With Cato's centralized management and visibility, companies can efficiently monitor and control their network traffic as well as all the security events triggered. By partnering with Cato Networks, companies can leverage a comprehensive solution that streamlines their journey towards NIS2 compliance while bolstering their overall cybersecurity posture.
Cato Networks is ISO27001, SOC1-2-3 and GDPR compliant organization. For more information, please visit our Security, Compliance and Privacy page.
Conclusion
Achieving NIS2 compliance requires a comprehensive approach to cybersecurity, involving risk assessments, robust security measures, incident response planning, collaboration, and ongoing training. By prioritizing network and information security, companies can enhance the resilience of critical services and protect themselves and their customers from cyber threats.
To safeguard your organization's digital infrastructure, be proactive, adapt to evolving risks, and ensure compliance with the NIS2 directive.
