Security, Risk and Privacy

Since Edward Snowden, the NSA and a few local ‘digital burglaries’, cyber security is all over the news. It seems logical when you quantify it: there are 70 million cybersecurity events per day, with smaller and bigger impact.

Security, Risk and Privacy at Umicore

At Umicore, IT is there to support the business first and foremost. “We are in an industrial environment. It is almost more important to focus on physical security, to make sure our furnaces are running 24/7 to melt down raw materials. We haven’t always asked questions on availability or IT risk”, says Joris Van Herzele, CISO.
As physical and IT security are converging – badging systems and CCTV, for instance, now run on IP – Umicore decided to invest in cybersecurity and create a dedicated team. Cybersecurity is linked to risk management, and the corporate security officer therefore reports to the VP Legal.
As part of the annual business risk assessment, the IT security team has an independent penetration test carried out to identify weaknesses. “That correlation is very important. You should assume they break into IT: if they have access to your badging system, they know when you’ve signed off and they can do whatever they want. You need to secure your operational risk. It is much more threatful than we think”, says Edwin D’Hondt.

CISO: a relatively new position

Even though there was a strong appetite for security at Umicore, system patching levels were rather low, policies were not in place (IT administrators kept their admin rights longer than necessary), the network wasn’t really segregated (a flat, trusted network) and security, privacy and availability were not always taken into consideration when designing IT solutions. It was the corporate security officer, who deals with manufacturing security and fraud, who created the CISO position, governing both industrial IT security and regular IT systems security.

The CISO and his IT security team started with an external, independent penetration test, once a year. On a side note: risk management is run by the Audit department, which for instance provides for minimum internal financial controls in preparation for SOX audits. Next to the financial risk audit, every business also has its annual business risk assessment, which includes IT and cyber security auditing.

Van Herzele: “The first year we had a few web servers that needed readjusting, nothing very special. The second year we did an internal penetration test. It took them less than four hours to become domain administrators via the guest network. We use the security self-assessment provided by ISO 27001 to identify and quantify the risk, and allow the board to assess it and decide upon investments. The risk assessment is different for every business.”

Twice a year, members of the Board (the Security Committee) receive an update and draw up a list of points for improvement. “We then have security discussions with the CEO. He understands the risk and checks our strategy: we shouldn’t overdo – sometimes a fair security level is good enough. Global IT security FTE at Umicore is 1.8 for 10.000 users. You cannot protect everything at the highest level”, says the CISO. Every project is categorized as prevention, detection or awareness.

Prevention: Investments in preventive security controls

Umicore IT has focused on six core security projects over the past years.

1. Segregation

“We tried to mitigate the risk of our flat network, and ran a large project to migrate all Windows XP machines to Windows 7. Still, after a thorough investigation, we noticed there were still 700 machines running XP left. They were not controlled by the IT department; they were used in industrial or manufacturing environments.”
“They couldn’t or didn’t want to run the risk of updating to Windows 7. We informed the CEO we would mitigate the risk at an acceptable cost. We tried to isolate them in VLANs with specific access lists. We did take them out of the Active Directory, and decided to stop support from IT.”

2. System patching

“Companies cannot patch applications and systems as fast as they’d like. Historically we didn’t even patch the AD or our domain controllers. We learned from our penetration tests and made it a priority. We don’t have the resources for it, and decided to partly outsource patching to an external vendor.”

3. Secure wireless

“In our penetration tests, we found out that by creating an SSID with the same name you could break into the wireless network. We used to use two-factor authentication with a token. People hated it. We decided to implement the Identity Services Engine from Cisco and even integrate our VPN authentication with it. This decision had a gigantic, but positive impact.”

4. Web filtering

“One of the first services we pushed into a managed services model. We had BlueCoat boxes for web filtering in two sites. In smaller sites with sometimes only a dozen people we didn’t do web filtering, as it would be too costly. Yet, the majority of malware comes in via websites. And we had a flat trusted network. Cloud is a buzzword, but it served its purpose here. Wherever our employees are and surf, their traffic is rerouted to a cloud service, Zscaler, and it is filtered via their proxy. This system also protects home workers.”

5. Laptop encryption

“While updating our laptops to Windows 7, we made two improvements. We upgraded our McAfee subscription and included laptop encryption. Sometimes your devices get lost or stolen. We also removed laptop administration for users. They cannot install anything anymore, but if needed we can still elevate their rights with third party software that we bought.”

6. USB Encryption

“Data loss prevention software helps to disable or encrypt USB sticks. It is on demand for the business departments, not mandatory. We leverage the McAfee platform we have.”

Detection: SIEM to pinpoint breaches

For the multinational Umicore, industrial espionage is a real threat. The R&D team was eager to know whether Umicore’s IP was at risk. Is China really attacking the organization? How often? Umicore needed to invest in its detective capabilities, as nobody was looking at the security logs. The security team started using a SIEM to filter the logs and add intelligence to them.
“In our penetration tests, we noticed a malware increase in our logs. Simultaneously someone was creating an account to become a domain admin. SIEM puts two and two together. We now have a dashboard with these anomalies”, says Van Herzele.
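The correlation Van Herzele describes (anti-malware detections on a host, followed shortly afterwards by someone creating an account and making it a domain admin) is the kind of rule a SIEM evaluates over log streams. The Python script below is an added illustration of that rule; it is not Umicore's tooling or any SIEM vendor's code, and the key=value log format, host names, user names and events it works on are constructed for the example.

```python
"""Toy SIEM-style correlation rule.

Added example, not Umicore's or any vendor's code. Flags a host on which
anti-malware detections are followed, within a time window, by a privileged
account change (account creation or addition to an admin group). The
key=value log format and the sample events are constructed for this example.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, log source, then key=value fields.
SAMPLE_LOGS = [
    '2014-03-10T08:01:12 av host=WS-117 user=jdoe event=malware_detected name=Trojan.Generic',
    '2014-03-10T08:03:40 av host=WS-117 user=jdoe event=malware_detected name=Trojan.Generic',
    '2014-03-10T08:22:05 ad host=WS-117 user=jdoe event=account_created target=svc-backup2',
    '2014-03-10T08:23:11 ad host=WS-117 user=jdoe event=group_member_added target=svc-backup2 group="Domain Admins"',
    '2014-03-10T09:10:00 av host=WS-042 user=asmith event=malware_detected name=Adware.Sample',
    '2014-03-11T14:00:00 ad host=DC01 user=itadmin event=group_member_added target=newadmin group="Domain Admins"',
]

WINDOW = timedelta(hours=1)  # how long after an infection a privilege change is still suspicious
PRIVILEGED_EVENTS = {"account_created", "group_member_added"}
HIGH_RISK_GROUPS = {"Domain Admins", "Enterprise Admins"}


def parse_line(line):
    """Parse one 'TIMESTAMP SOURCE key=value ...' line into a dict.

    shlex.split keeps quoted values such as group="Domain Admins" together.
    """
    timestamp, source, *fields = shlex.split(line)
    record = {"ts": datetime.fromisoformat(timestamp), "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def correlate(lines, window=WINDOW):
    """Return one alert per host where a privileged change follows a
    malware detection on that same host within `window`.

    An infection alone (WS-042) or a privilege change alone (DC01) does not
    fire this rule; both might be handled by other rules, but the
    combination is what makes the anomaly worth a dashboard entry.
    Severity is 'high' if a high-risk group was touched, else 'medium'.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda r: r["ts"])
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    alerts = []
    for host, host_events in sorted(by_host.items()):
        infections = [e for e in host_events if e.get("event") == "malware_detected"]
        chained = [
            e for e in host_events
            if e.get("event") in PRIVILEGED_EVENTS
            and any(timedelta(0) <= e["ts"] - i["ts"] <= window for i in infections)
        ]
        if not chained:
            continue
        alerts.append({
            "host": host,
            "malware_events": len(infections),
            "privileged_events": [(e["event"], e.get("target"), e.get("group")) for e in chained],
            "severity": "high" if any(e.get("group") in HIGH_RISK_GROUPS for e in chained) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run on the constructed events, only WS-117 produces an alert: two detections followed within the hour by an account creation and a "Domain Admins" membership change. The window and the set of privileged event names are the knobs a team would tune against its own log sources.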

Awareness: mailings with security tips

People are often the weakest link in security. At least once a week, the security team sees phishing mailings coming through. “We started increasing user awareness with security tips, through IT mailings. We also focused on internal IT staff, explaining they have a critical role in keeping the bad guys out”, concludes Joris Van Herzele.

SMARTER RISK MANAGEMENT AT IBM

Until 2011, the security team at IBM built thick walls, so that no-one could come in. But keeping the bad guys out has evolved to letting the good guys in. “We now evaluate risk”, says Karl-Heinz Mohr.
Mohr’s team introduced key risk assessments. “Do we need to move away from BlackBerry or not? What’s the risk if we don’t?”, he says. “The next step was to move up the decision ladder, so we integrated risk management into the company’s strategic planning, assessing the inherent risk of future decisions. We therefore use IBM QRadar, amongst others, to get the intelligence out of all the data. We cannot avoid risk, but should be predictive and take smarter risk. Also for mergers and acquisitions. Smarter risk should be a competitive advantage for IBM.”

Security discussions with the board

From an operational point of view, IBM created 10 essential security practices, from network architecture to awareness. Mohr measures their effectiveness and discusses it with the executives of each division.
“We have monthly sessions at Board level, to advise decision makers on these topics and communicate on our risk and mitigation actions”, Mohr says.

The CISO organization

Inside IBM’s CISO organization, security leadership is organized around three towers: first, a CSIRT, the incident response team that goes out when something happens (the CSIRT is also an internal hacker community that tries to stay ahead of the real hackers); secondly, a security architects team that writes policies and looks at new security technologies; and finally an IT risk transformation group with project managers who implement the strategy internally.
“But we are only 80 people, so we’re not the security police. We set the standards and give the tools, but compliance is not our job. That’s up to the divisions themselves. The governance lies with them”, Mohr indicates.

SIEM

To allow the incident response team to detect incidents more easily, IBM uses Security Information and Event Management software. “We monitor continuously, to avoid exfiltration. At first, we found millions of incidents per month. But there are only a couple of hundred where people are actually involved, and only four to five per month where our CSIRT guys need to take action. SIEM leads us to the noteworthy incidents. In 6 months’ time, we encountered 14% targeted attacks. We also had malware infections (20%), and opportunistic exploits. Don’t make it too easy for the hacking community! That’s why we make sure it’s not so easy to break in.”

Mohr also installed Mandiant on end-user systems, to control the low-level hardware. By remotely detecting and investigating cyber attacks on these endpoints, he immediately knows which computers are compromised and is able to take action.

“Attackers follow a five step attack chain. You need to intercept before the last step, exfiltration of the information outside the company. With Mandiant, we now have better visibility on lower-level hardware.”
Karl-Heinz Mohr, Program Director IT Risk & Privacy, IBM

Future challenges

Now that IBM has structured its CISO organization, worked on awareness and education at both user and board level, and implemented the right tooling with SIEM and Mandiant amongst others: what’s next? “Innovation at IBM is run by SMAC: social, mobile, cloud and analytics. Yet again, those trends are subject to high risk of data loss”, Mohr explains.

1. Social
“Social is a big challenge, with regard to both privacy and security. IBM Connections has 1,18 Million file shares and 45 Million downloads. We have to put some control in. We of course have our social media guidelines on how to behave on social networks. We also have a content monitoring tool, to see if confidential information is protected in ‘locked’ documents. But social requires your attention.”

2. Mobile

“We have 115.000 personally owned endpoint devices that could connect to the network. We cannot disallow people from using them for their work. We do install MDM software to monitor connections and exfiltrations. MaaS360 by Fiberlink, a company that we purchased, has administrative rights and can enforce regular password changes, minimum password length, screen lock use, and so on. It even has a secure browser. We monitor both misuse and loss with this MDM software.”

3. Cloud

“There’s a standardization process regarding cloud going on for the moment. Still, we’re setting minimum requirements in terms of external certificates that we trust. Our advice to the divisions is to make sure their application is controllable, can be reset and is guaranteed not to leak information. Those are similar to the requirements we had in mainframe security days. Yet again, cloud is like old-fashioned data centre business.”
“We are also having discussions around data privacy. Do you use a local or an intercontinental cloud? We have a patent on a location-aware cloud that verifies if your cloud is allowed to transfer data across geographies, for privacy reasons. As from January 2015, personal data of Russians may only be processed in Russia. That’s a challenge.”

4. Single sign-on

“With 435,000 employees and 20 to 25% going in and out year over year, we need to closely monitor off-boarding of departing contractors. Single sign-on will help us to have clean and more secure systems. It allows you to have your applications under control. It is not just a nice to have for the user.”
Even with all the technology and the entire CISO organization in place, Mohr cannot protect everything the same way. “We therefore launched a data governance process a year ago. Every business unit VP – assigned data stewards – had to give us certain information about their applications, so that we could categorize it in our risk map and SIEM. It helped us to define the crown jewels of the company and protect them better.”
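The off-boarding problem Mohr raises (20 to 25% of 435,000 people joining and leaving every year, with contractor accounts that must be closed on time) comes down to a recurring reconciliation between the HR or contractor roster and the directory. The Python below is an added example of such a check, not IBM's tooling or any product's code; the roster, the directory export and its field names are constructed for the example.

```python
"""Joiner/leaver reconciliation check.

Added example, not IBM's tooling. Compares an HR/contractor roster with a
directory export and reports enabled accounts whose owner has left, accounts
with no known owner, and whether a leaver's account was still used after the
contract end date. All roster and directory data below is constructed.
"""
from datetime import date, timedelta

# Constructed roster: person id -> (name, contract end date; None = still active).
ROSTER = {
    "p1001": ("A. Staff", None),
    "p1002": ("B. Contractor", date(2015, 1, 31)),
    "p1003": ("C. Contractor", date(2015, 3, 15)),
    "p1004": ("D. Leaver", date(2014, 12, 1)),
}

# Constructed directory export: one dict per account.
DIRECTORY = [
    {"account": "astaff",     "person_id": "p1001", "enabled": True,  "last_logon": date(2015, 3, 1)},
    {"account": "bcontract",  "person_id": "p1002", "enabled": True,  "last_logon": date(2015, 2, 20)},
    {"account": "ccontract",  "person_id": "p1003", "enabled": True,  "last_logon": date(2015, 3, 1)},
    {"account": "dleaver",    "person_id": "p1004", "enabled": False, "last_logon": date(2014, 11, 30)},
    {"account": "svc-legacy", "person_id": None,    "enabled": True,  "last_logon": date(2013, 6, 1)},
    {"account": "orphan1",    "person_id": "p9999", "enabled": True,  "last_logon": date(2015, 2, 1)},
]

EXAMPLE_TODAY = date(2015, 3, 1)  # the date the constructed check is run on


def find_offboarding_gaps(roster, directory, today, grace_days=0):
    """Return findings keyed by category.

    stale_leaver: enabled account whose owner's contract ended more than
                  `grace_days` ago; records whether the account logged on
                  after the end date, which turns hygiene into an incident.
    orphaned:     enabled account referencing a person id unknown to HR.
    unowned:      enabled account with no person id at all (service/legacy),
                  which needs an owner before it can ever be off-boarded.
    """
    grace = timedelta(days=grace_days)
    findings = {"stale_leaver": [], "orphaned": [], "unowned": []}
    for acct in directory:
        if not acct["enabled"]:
            continue  # already disabled: off-boarding did its job
        pid = acct["person_id"]
        if pid is None:
            findings["unowned"].append(acct["account"])
        elif pid not in roster:
            findings["orphaned"].append(acct["account"])
        else:
            _, end = roster[pid]
            if end is not None and today > end + grace:
                findings["stale_leaver"].append({
                    "account": acct["account"],
                    "contract_end": end,
                    "used_after_end": acct["last_logon"] > end,
                })
    return findings


if __name__ == "__main__":
    for category, items in find_offboarding_gaps(ROSTER, DIRECTORY, EXAMPLE_TODAY).items():
        print(category, items)
```

On the constructed data the check flags one stale leaver (a contractor whose contract ended a month ago and whose account was used afterwards), one orphaned account and one unowned service account, while the already-disabled leaver and the contractor still under contract are left alone. The grace period exists so that a roster that lags the real departure by a few days does not flood the report; the "used after end" flag is the item to escalate first.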