Since the beginning of the war, many global manufacturers have provided Ukrainian companies with free access to their products. Cisco, Elastic, Panda, IBM, Qualys, and others have opened up licenses to enterprises in various industries, which certainly gives them more opportunities to compete on the cyber front.
Now, based on the results of a quarter of work in the new conditions, we at Octava Defense can draw several conclusions based on the experience of our customers and the situation in Ukraine in general.
So, the free license trap hides two key problems:
- inappropriate configuration of the solution;
- improper operation of the solution.
Both of these problems undermine the good intentions of the vendors and the efforts of the defense team.
First, incorrect system configuration prevents cyber-defenders from obtaining data on the real state of the protection systems and from ensuring the required level of security.
The most urgent problem is firewall security services (NG-FW) such as WEB, DNS, Application, malware, etc. that are not fully configured. At a time when businesses count on reliable firewall protection, a configuration that merely “just works” conflicts with the firewall's real ability to provide protection. Setting up security services is painstaking work that requires care in the design, engineering and maintenance of the solution; only then does it ensure that only trusted requests from the outside receive access to the infrastructure.
Another example is the fairly complex EDR/XDR class of systems: they can operate in “default” mode, but professional tuning increases their effectiveness many times over.
Regarding the second point – the improper operation of a particular solution, or the so-called operational maturity of the enterprise as a whole – the cyber-defenders of Ukrainian enterprises “sin” by forgetting that protection systems need constant tuning.
For example, an NG-FW must work with up-to-date signature and indicator (IoC) databases, and the effectiveness of its access lists should be analyzed and tuned against an assessment of the threat landscape, etc.
EDR/XDR class systems generally need constant “guardianship” from their owners. Continuous event analysis and tuning help eliminate false positives so that the team can work on the real threats that match the risk map of the particular enterprise. We had a situation where a customer’s EDR system was generating 10,000 notifications a day at the beginning of a project. This was not because the company was a target for hackers, but due to staff negligence and unprofessionalism. As a result, the system perceived almost any event as an attempt to interfere with the operation of the IT infrastructure, and honestly informed the owners about it. Worst of all, among these thousands of events, 2-5 posed a real threat and were not noticed.
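The tuning loop described above, as an added illustration (not Octava Defense's tooling or any vendor's API): a constructed one-day EDR alert sample where two expected behaviours account for almost all the noise, and a triage step that suppresses only analyst-verified (rule, process, parent) combinations, collapses repeats, and leaves the handful of real alerts at the top of the queue. All alert values, hostnames and rule names are invented for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    process: str
    parent: str
    severity: str  # "low", "medium" or "high"

# Constructed one-day sample of a noisy EDR alert stream (not real customer data):
# 60 workstations flagged for PowerShell launched by the software-deployment agent,
# 30 repeats of the backup server reading many files, and two genuinely bad alerts.
RAW_ALERTS = (
    [Alert(f"ws-{i:03d}", "suspicious-powershell", "powershell.exe", "sccm-agent.exe", "medium")
     for i in range(60)]
    + [Alert("srv-backup", "mass-file-read", "backupd.exe", "services.exe", "medium")] * 30
    + [Alert("ws-017", "credential-dump", "rundll32.exe", "winword.exe", "high"),
       Alert("ws-042", "lateral-movement", "psexesvc.exe", "services.exe", "high")]
)

# Tuning baseline: (rule, process, parent) triples an analyst has verified as expected
# activity in this environment. Constructed for the example; every entry should be
# re-reviewed periodically, because a baseline that is too broad hides real attacks.
BENIGN_BASELINE = {
    ("suspicious-powershell", "powershell.exe", "sccm-agent.exe"),
    ("mass-file-read", "backupd.exe", "services.exe"),
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def triage(alerts, baseline):
    """Drop baselined alerts, collapse exact repeats per host, and return the remaining
    alerts ordered by severity together with a count of what the baseline suppressed."""
    actionable, seen = [], set()
    suppressed = Counter()
    for alert in alerts:
        signature = (alert.rule, alert.process, alert.parent)
        if signature in baseline:
            suppressed[signature] += 1  # kept as a count so the baseline stays auditable
            continue
        repeat_key = (alert.host,) + signature
        if repeat_key in seen:  # same host, same behaviour: one alert is enough
            continue
        seen.add(repeat_key)
        actionable.append(alert)
    actionable.sort(key=lambda a: SEVERITY_RANK[a.severity])
    return actionable, suppressed
```

Running `triage(RAW_ALERTS, BENIGN_BASELINE)` reduces 92 raw alerts to the two high-severity ones; the returned counter shows exactly how much each baseline entry is hiding, which is the figure to check when the baseline is reviewed.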
And even those who have managed to overcome errors in the configuration, basic operation and administration of their solutions face the next obstacle – the inability of staff to conduct event analysis, professional investigation and incident response.
The lack of qualified cyber analysts able to interpret the data that the various security solutions provide, and to see the chain of a cyber attack, means that significant cyber events go unnoticed, and this is a direct threat to the business in the form of potential incidents.
The key value of cybersecurity solutions is that, in addition to performing automated protection and counteraction tasks in the moment, they provide a wealth of information for implementing full-fledged investigation and response processes.
The main thing is to be able to use this data and draw the right conclusions.
To do this, we at Octava Defense accompany the implementation of any cybersecurity solution with a detailed analysis of the existing infrastructure and critical business services, conduct a general risk analysis, and help with tuning and setting up the relevant systems and the necessary business processes.
In our opinion, the managed services format allows you to optimize costs regardless of the vendor’s pricing policy and guarantees that you get the most out of the technology, both in terms of the settings your infrastructure requires and in terms of 100% operation.