Cato Networks Response to UK’s NCSC Guidance On Tightening Cyber Control Due to the Situation in Ukraine
Table of Contents
- Step 1 – Lock administrative access down.
- Step 2 – Review SDP user account usage.
- Step 3 – Tighten access controls.
- Step 4 – Implement strong firewalling.
- Step 5 – Start logging everything.
- Step 6 – Enable TLS inspection.
- Step 7 – Enable Enhanced Threat Protection (IPS, Anti Malware, NG Anti Malware).
- Step 8 – 24x7 Detection and Response.
Last week the United Kingdom’s National Cyber Security Centre (NCSC) urged UK organizations “to strengthen their cyber resilience in response to the situation in Ukraine” [1] and today they followed that warning up with a call for “organisations in the UK to bolster their online defences” [2] by adopting a set of “Actions to take when the cyber threat is heightened.”[3] Similar statements have been issued by other authorities such as Germany’s Federal Office for Information Security (BSI) and CISA in the US.
As a global provider of the converged network and security solutions known as SASE (Secure Access Service Edge) [4], Cato Networks has a rapidly expanding portfolio of customers not just here in the UK but in many other regions around the world which are also exposed to the current situation. Here are some suggestions for Cato customers who wish to enhance their security posture in accordance with the NCSC’s advice.
Step 1 – Lock administrative access down.
Cato’s true single-pane-of-glass management console makes it easy for organisations to understand and control exactly who can make changes to their Cato SASE environment. Customers can use the built-in Events Discovery (effectively, your own SIEM running inside Cato) to easily filter for admin users who haven’t recently logged on, and then disable them. Admin user MFA should be enabled across the board, and any administrators who don’t make changes (such as auditors) should be given viewer accounts only.
This is also a good opportunity to review API keys and revoke any which are no longer required.
Step 2 – Review SDP user account usage.
Now is also the right time to review SDP users for stale user accounts which can be disabled or deleted, ensure that directory synchronisation and SCIM groups are appropriately configured and filter all manually created SDP users for unexpected third party users. Customers should also check that any user-specific configuration settings which override global policy are there for good reasons and do not expose the organisation to increased risk.
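The checks in Steps 1 and 2 (stale logins, admins without MFA, read-only admins still holding change rights, manually created third-party users, per-user policy overrides) can be run over an exported user list. The script below is an added example, not Cato code; the record layout, the 90-day threshold and the sample users are constructed assumptions.

```python
"""Account-hygiene review over a constructed user export (added example).
The record layout is an assumption, not the format of any Cato export."""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)      # assumed threshold for "not recently logged on"
CORPORATE_DOMAINS = {"example.com"}   # constructed: the organisation's own mail domains
NOW = datetime(2022, 2, 22, tzinfo=timezone.utc)  # constructed review date

# Constructed sample export: admin accounts and SDP (remote-access) users.
USERS = [
    {"name": "alice@example.com", "role": "admin", "mfa": True, "last_login": "2022-02-20T09:00:00Z",
     "source": "directory", "overrides": []},
    {"name": "bob@example.com", "role": "admin", "mfa": False, "last_login": "2021-09-01T10:00:00Z",
     "source": "directory", "overrides": []},
    {"name": "auditor@example.com", "role": "admin", "mfa": True, "last_login": "2022-02-18T08:00:00Z",
     "source": "manual", "overrides": [], "changes_made": 0},
    {"name": "carol@example.com", "role": "sdp", "mfa": True, "last_login": "2022-02-21T07:30:00Z",
     "source": "directory", "overrides": ["always_on_disabled"]},
    {"name": "vendor@partner.net", "role": "sdp", "mfa": True, "last_login": "2022-01-15T12:00:00Z",
     "source": "manual", "overrides": []},
]

def review(users, now, stale_after=STALE_AFTER, corporate_domains=CORPORATE_DOMAINS):
    """Return {user: [findings]} for the Step 1 and Step 2 checks; clean users are omitted."""
    findings = {}
    for u in users:
        issues = []
        last = datetime.strptime(u["last_login"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now - last > stale_after:
            issues.append("stale: disable")
        if u["role"] == "admin" and not u["mfa"]:
            issues.append("admin without MFA")
        if u["role"] == "admin" and u.get("changes_made") == 0:
            issues.append("read-only admin: downgrade to viewer")
        if u["source"] == "manual" and u["name"].split("@")[-1] not in corporate_domains:
            issues.append("manually created third-party user: confirm")
        if u["overrides"]:
            issues.append("per-user policy override: justify " + ", ".join(u["overrides"]))
        if issues:
            findings[u["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in review(USERS, NOW).items():
        print(name, "->", "; ".join(issues))
```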
Step 3 – Tighten access controls.
Cato provides a wide range of access control features including Device Authentication, Device Posture (currently EA), MFA, SSO, operating system blocking and Always-On connectivity policy. Customers should ensure that they are taking full advantage of the tight access control Cato makes possible by implementing as many of these features as possible and minimising user-based exceptions to the global policy.
Step 4 – Implement strong firewalling.
As true Next-Generation Firewalls which are both identity-aware and application-aware, Cato’s WAN Firewall and Internet Firewall allow our customers to create fine-grained control over all network traffic across the WAN and to the Internet from all Cato sites and mobile users. The seamless integration of a Secure Web Gateway with the firewalls further increases the degree of control which can be applied to Internet traffic.
Both firewalls should be enabled with a final “block all” rule. Customers should also inspect the remaining rules for suitability, and engage Cato Professional Services to assist with a comprehensive firewall review.
Step 5 – Start logging everything.
One of the main benefits of cloud-based security solutions is that, unlike on-premises appliances which are constrained by hardware, the elasticity built into the cloud allows for seamless real-time scaling up of features such as logging. Cato customers can take advantage of our cloud-native elasticity to enable flow-level logging for all traffic across their environment, and then use the built-in SIEM and analytics dashboards to derive real intelligence and perform forensics on real-time and historic data.
Step 6 – Enable TLS inspection.
Another feature made possible by the cloud is ubiquitous TLS inspection regardless of source location or destination. Cato SASE automatically detects TLS traffic on non-standard ports, and inspection can be controlled by fine-grained policies to avoid disrupting traffic to known good destinations and to comply with local regulations regarding decryption of sensitive traffic.
Step 7 – Enable Enhanced Threat Protection (IPS, Anti Malware, NG Anti Malware).
Even organisations who are not directly in the line of state-sponsored fire are exposed to the usual risk of compromise by ransomware gangs and other economically motivated actors. Cato’s Enhanced Threat Protection services – IPS, Anti Malware and Next-Gen Anti Malware – are specifically designed to complement the base-level firewalls and Secure Web Gateway by inspecting the traffic which is allowed through for suspicious and malicious content. Customers who don’t currently have these features should ask their account management team to enable an immediate trial. Customers with these features should ensure that TLS inspection is enabled and engage Cato Professional Services to ensure that the features are properly configured and tuned for maximum efficacy.
Step 8 – 24×7 Detection and Response.
During a recent interview [5] regarding a high-profile hack which occurred on his watch, a CISO stated that “no time is a good time, but these things never come during the middle of the day, during the work week.” Customers without a 24×7 incident response capability should carefully consider their options for being able to detect and respond to threats outside of normal working hours. Cato’s Managed Detection and Response (MDR) service can help customers who are unable to stand up their own 24×7 MDR capability.
The NCSC article referred to above includes many other suggestions which are automatically covered by Cato, such as device patching, log retention and configuration backup. The main concern for organisations who already have Cato is to make the best use of what they’ve already got. They no longer need to worry about gaps in their security posture, because Cato has those covered out of the box. If you’re not a Cato customer and you’d like to find out more about our solution, or you’re an existing customer who wants to find out more about the additional products and services we provide, let’s talk.
References:
[1] https://twitter.com/NCSC/status/1493256978277228550
[2] https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences
[3] https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened
[4] https://www.catonetworks.com/sase/sase-according-to-gartner/
[5] https://risky.biz/HF15/