How ACME saved your business with FS7300 and safe-guarded copies

Today ransomware attacks have become a constant threat to businesses of all sizes. An effective solution to this challenge is the use of protected copies on advanced storage systems such as those offered by IBM’s FS7300 storage systems. This article explores a case in which a customer, which we will call ACME, was able to recover its critical systems in minutes after a ransomware attack, thanks to the capabilities of the FS7300 cockpit.

A key technology: IBM Safe-guarded copies

Protected copies on IBM FS7300 systems are replicas of data that are stored securely and isolated within the same system. These copies are not accessible for normal modification or deletion, making them immune to malware attacks such as ransomware.

Our client

ACME is a leading financial services provider in a North African country that recently faced a sophisticated ransomware attack in November 2023. This attack encrypted a significant amount of their critical data, affecting essential operations. Fortunately, I had recently implemented IBM’s FS7300 storage cabinet, which included the protected copy feature and which SIXE had scheduled to run on a regular basis. An alert from IBM Storage Protect warned that more files than normal had been modified during planned backups.

Response to Attack

When ACME became aware of the attack, its IT team acted quickly. Using the protected copies stored in their FS7300 cabinet, they were able to restore the affected data in a matter of minutes. This rapid recovery was made possible by the efficient data management and instantaneous recovery capability of the FS7300 system.

Key Benefits

The ability to recover quickly from a ransomware attack is crucial to maintaining business continuity. In the case of ACME, IBM’s FS7300 booth provided:

  1. Fast Recovery: Data restoration was almost instantaneous, minimizing downtime.
  2. Data Integrity: Protected copies ensured that the restored data was free from corruption or tampering.
  3. Uninterrupted Operations: Rapid recovery allowed critical business operations to continue without significant interruption.

This case demonstrates how an advanced storage solution such as IBM’s FS7300 array, equipped with copy-protected technology, can be a lifesaver in crisis situations such as ransomware attacks. It provides not only an additional layer of security, but also the confidence that business data can be recovered quickly and efficiently, ensuring business continuity in times of uncertainty and constant threats.

First steps with the QRadar XDR API using python and Alienvault OTX

IBM QRadar XDR is a security information and event management (SIEM) platform used to monitor an organization’s network security and respond to security incidents as quickly and comprehensively as possible. While QRadar is already incredibly powerful and customizable on its own, there are several reasons why we might want to enhance it with Python scripting using its comprehensive API.

Getting started with the QRadar API

Let’s see an example of how you could use the QRadar API to get different information from its database (ArielDB) using Python. The first thing we need first is a token, which is created from Admin – > Authorized Services

Generating the python code for the QRadar API

Let’s start with something very simple, connect and retrieve the last 100 events detected by the platform.

import requests
import json

# Configura las credenciales y la URL del servidor QRadar
qradar_host = 'https://<your_qradar_host>'
api_token = '<your_api_token>'

# Define la URL de la API para obtener los eventos
url = f'{qradar_host}/api/ariel/searches'

# Define los encabezados de la solicitud
headers = {
'SEC': api_token,
'Content-Type': 'application/json',
'Accept': 'application/json'
}

# Define la consulta AQL (Ariel Query Language) para obtener los últimos 100 eventos
query_data = {
'query_expression': 'SELECT * FROM events LAST 100'
}

# Realiza la solicitud a la API de QRadar
response = requests.post(url, headers=headers, data=json.dumps(query_data))

# Verifica que la solicitud fue exitosa
if response.status_code == 201:
print("Solicitud de búsqueda enviada correctamente.")
search_id = response.json()['search_id']
else:
print("Error al enviar la solicitud de búsqueda:", response.content)

In this example, replace <your_qradar_host> with the host address of your QRadar server and <your_api_token> with the API token you obtained from your QRadar instance.

This code will prompt QRadar to run a search of the last 100 events. The response to this search request will include a ‘search_id’ which you can then use to retrieve the search results once they become available. You can change this query to any of the queries available in the
guide provided by IBM to get the most out of
to get the most out of QRadar’s Ariel Query Language

Detecting malicious IPs in QRadar using AlienVault OTX open sources

While in QRadar we have X-Force as a pre-defined module to perform malicious IP lookups and integrate them into our rules, for a multitude of reasons (including the end of the support / SWMA payment to IBM) we may want to use open sources to perform these types of functions. A fairly common example that we talk about in our courses and workshops is maintaining a series of data structures updated with “malicious” IPs obtained through open cybersecurity data sources.

Using the QRadar API, we can create python code to create a rule that constantly updates a reference_set that we will later use in different rules.

To achieve what you are asking for, you would need to break it down into two steps.

  1. First, you would need an open source security intelligence source that provides a list of malicious IPs. A commonly used example is the AlienVault Open Threat Exchange (OTX) malicious IP list just mentioned.
  2. Then, we will use the QRadar API to update a reference set with that list of IPs.

Programming it in Python is very simple:

First, download the malicious IPs from the open source security intelligence source (in this case, AlienVault OTX):

import requests
import json

otx_api_key = '<your_otx_api_key>'
otx_url = 'https://otx.alienvault.com:443/api/v1/indicators/export'

headers = {
'X-OTX-API-KEY': otx_api_key,
}

response = requests.get(otx_url, headers=headers)

if response.status_code == 200:
malicious_ips = response.json()
else:
print("Error al obtener las IPs maliciosas:", response.content)

We then use the QRadar API to update a reference set with those IPs:

qradar_host = 'https://<your_qradar_host>'
api_token = '<your_api_token>'
reference_set_name = '<your_reference_set_name>'

url = f'{qradar_host}/api/reference_data/sets/{reference_set_name}'

headers = {
'SEC': api_token,
'Content-Type': 'application/json',
'Accept': 'application/json'
}

for ip in malicious_ips:
data = {'value': ip}
response = requests.post(url, headers=headers, data=json.dumps(data))

if response.status_code != 201:
print(f"Error al agregar la IP {ip} al conjunto de referencia:", response.content)

The next and last step is to use this reference set in the rulers we need .

Want to know more about IBM QRadar XDR?

Consult our services of sales, deployment, consultingandofficial training.

IBM QRadar SIEM/XDR courses updated to version 7.5.2! Including SOAR, NDR and EDR features of QRadar Suite

We are pleased to announce that all of our IBM QRadar SIEM / XDR courses have been upgraded to version 7.5.2. In this new release, powerful SOAR, NDR and EDR features have been incorporated within the QRadar Suite, providing our students with an even more comprehensive and up-to-date learning experience with a mid-term view of the technology through CloudPak for Security IBM’s new disruptive cybersecurity products that are on the way.

IBM QRadar XDR is the market-leading information security solution that enables real-time security event management and analysis. With its ability to collect, correlate and analyze data from multiple sources, QRadar SIEM provides organizations with a comprehensive view of their security posture and helps them effectively detect and respond to threats.

In QRadar SIEM / XDR version 7.5.2, three key features have been introduced that further extend the capabilities of the platform:

  1. SOAR (Security Orchestration, Automation and Response): This feature enables the automation of security tasks and response orchestration, which streamlines and optimizes incident detection and response processes. With SOAR, organizations can automate workflows, investigate incidents more efficiently and take quick and accurate action to contain and mitigate threats.
  2. NDR (Network Detection and Response): With the NDR feature, QRadar SIEM / XDR expands its ability to detect network threats. This feature uses advanced network traffic analysis algorithms to identify suspicious behavior and malicious activity. By combining network threat detection with event correlation and security logs, QRadar SIEM / XDR provides comprehensive visibility into threat activity across the entire infrastructure.
  3. EDR (Endpoint Detection and Response): The EDR feature enables threat detection and response on endpoint devices, such as desktops, laptops and servers. With EDR, QRadar SIEM / XDR continuously monitors endpoints for indicators of compromise, malicious activity and anomalous behavior. This helps to quickly identify and contain threats that might go undetected by traditional security solutions.

At Sixe, we are committed to providing our students with the most up-to-date and relevant knowledge in the field of cybersecurity. The upgrade of our IBM QRadar SIEM / XDR courses to version 7.5.2, along with the addition of SOAR, NDR and EDR features from QRadar Suite, allows us to provide a comprehensive learning experience that reflects the latest trends and developments in the field of information security.

If you are interested in learning about QRadar SIEM / XDR and taking advantage of all these new features, we invite you to explore our updated courses:

You can also ask us for customized training or consulting, as well as technical support and support with your QRadar projects.

Sealpath IRM: we discuss native integrations and its on-premises and SaaS (cloud) options.

Over the past few years, Sealpath has worked hard to provide native integrations with several popular and widely used tools in enterprise environments to facilitate adoption and improve efficiency in data protection and intellectual property. Some of these tools are mentioned below. Below is an updated list of the products 100% compatible with Sealpath IRM that we at Sixe have tested and which are already enjoyed by many customers around the world.

Sealpath main integrations through optional modules

All these modules are available in on-premises (local installation) or cloud (SaaS) format.

  1. Sealpath for RDS: This module allows working in remote desktop or Citrix environments that require a single installer per terminal server.
  2. Sealpath for File Servers and SharePoint: Allows the automatic protection of folders in file servers, SharePoint, OneDrive, Alfresco and other documentation repositories.
  3. Automatic Protection for Exchange: Provides automatic protection of message bodies and attachments in Microsoft Exchange according to specific rules.
  4. AD/LDAP Connector: Enables integration with Active Directory or LDAP in a SaaS system.
  5. SealPath for Mobile Devices: Provides access to protected documentation through the SealPath Document Viewer app or Microsoft Office Mobile on iOS, Android or Mac OSX mobile devices.
  6. Platform customization: Includes the ability to customize the appearance of email invitations, user and administrator portals.
  7. Multi-organization: Offers the possibility of having more than one “host” or sub-organization linked to the same company. Ideal for large corporate groups or government offices with different types of hierarchies or very complex organizational charts.
  8. DLP Connectors: Enables automatic protection of information based on rules configured in Symantec, McAfee and ForcePoint DLP, which are the solutions we like the most in this sector.
  9. SealPath Sync Connector: Facilitates offline access to a large number of files stored in certain folders on a user’s device.
  10. Protection Based Classification Connector: Enables automatic protection of documents classified by an information classification solution that includes tags in the file metadata.
  11. SealPath Secure Browser: Enables viewing and editing of protected documents in the web browser.
  12. SealPath SDK (.Net, REST, command-line): Allows the use of SealPath SDK in REST, .Net or command-line format for the integration of protection with certain corporate applications.

As you can see, there is no shortage of modules and add-ons that extend the capabilities of the main Sealpath IRM solution, allowing organizations to adapt protection and access control to their specific needs… and above all, without having to change the way they work or the products they already use.

Do we deploy it or use SaaS mode)?

This is the second major customer question. Sealpath IRM offers two deployment modes: Software as a Service (SaaS) and On-Premises. Both options offer the same functionality and data protection, but differ in the way they are hosted and managed. The main differences between the two modalities are presented below:

  1. Hosting and infrastructure management:

  • Sealpath SaaS: In the SaaS mode, the infrastructure and servers are hosted and managed by Sealpath in the cloud. This means that customers do not need to worry about server maintenance, upgrades and security, as these aspects are Sealpath’s responsibility.
  • Sealpath On-Premises: In the On-Premises option, the infrastructure and servers are deployed and managed within the client’s facilities or in its own private cloud environment. This gives customers greater control over the location and access to their data, but also means they must manage and maintain the servers themselves.
  1. Integration with Active Directory and LDAP:

  • Sealpath SaaS: In the SaaS version, customers can integrate Sealpath with their Active Directory or LDAP systems using the AD/LDAP connector. This connector allows synchronizing users and groups with the Sealpath system and facilitates the administration of permissions and access policies.
  • Sealpath On-Premises: In the On-Premises version, integration with Active Directory or LDAP is integrated by default and it is not necessary to purchase an additional connector.
  1. Licensing of additional modules:

  • Sealpath SaaS: Some modules, such as SealPath for Mobile Devices, are included in the SaaS version at no additional cost.
  • Sealpath On-Premises: In the On-Premises option, these modules must be purchased separately according to the organization’s needs.
  1. Platform customization:

  • Sealpath SaaS: Customization of the look and feel of the platform (colors, logos, etc.) may be limited compared to the On-Premises option, since it is based on a shared environment in the cloud.
  • Sealpath On-Premises: The On-Premises option allows for greater customization of the platform, since it is hosted in a dedicated environment controlled by the client.

The choice between Sealpath SaaS and On-Premises depends on the organization’s needs and preferences in terms of control over infrastructure, costs and ease of administration. Both options provide robust protection and the same functionality for controlling access to confidential information and intellectual property. Unlike Microsoft and other competitors, customers are not forced to use one model or another, because only they know what is best for them.

Interested in Sealpath IRM?

Request a no-obligation demonstration

Sealpath IRM in the industrial design sector: Strengthening project management and protecting intellectual property

Industrial design is a highly competitive sector in which intellectual property plays a crucial role. Project managers in industrial design companies face challenges in managing sensitive information and protecting intellectual property. Sealpath’ s Information Rights Management (IRM) solution can be of great help in these cases and ensure the protection of critical information and successful project management.

The following are some of the ways in which Sealpath IRM can help companies engaged in industrial design and whose value depends on the proper protection of their intellectual property.

Intellectual property protection in CAD files and other documents

Computer Aided Design (CAD) files and other technical documents contain valuable information about a company’s products and designs. Sealpath IRM allows you to protect this sensitive data through encryption and access control, ensuring that only authorized users can access, edit and share files.

Secure collaboration with suppliers and customers

In the industrial design sector, collaboration between suppliers, customers and other stakeholders is essential for the success of projects. Sealpath IRM allows you to securely share files and control access to information, even after documents have been shared outside the organization. This ensures that intellectual property is protected throughout the collaboration process.

File usage tracking and auditing

Sealpath IRM provides a detailed log of file usage, including who accessed the files, when and from where. This allows project managers to monitor the use of confidential information and detect possible security breaches or misuse of intellectual property.

Facilitating regulatory compliance

The industrial design sector may be subject to various regulations and standards related to intellectual property protection and data privacy. Sealpath IRM facilitates compliance with these regulations by ensuring that confidential information is protected and accessible only to authorized users.

Integration with project management tools and CAD software

Sealpath IRM can be easily integrated with existing project management tools and CAD software, allowing project managers to protect intellectual property without disrupting existing workflows. This facilitates solution adoption and improves project management efficiency.

Integration with other business tools

In conclusion, Sealpath IRM is a valuable tool for companies dedicated to industrial design. By protecting intellectual property and facilitating secure collaboration, the solution can improve project management efficiency and ensure success in a highly competitive industry. These include:

  1. Microsoft Office: Sealpath offers native integration with Microsoft Office applications such as Word, Excel, PowerPoint and Outlook. This allows users to easily protect their documents, spreadsheets and presentations, as well as control access and share them securely via e-mail.
  2. Microsoft SharePoint and OneDrive: Integration with Microsoft SharePoint and OneDrive makes it easy to protect and control access to files stored in these cloud storage and collaboration platforms.
  3. Microsoft Teams: Sealpath integrates with Microsoft Teams to guarantee the protection of information shared in chats and collaboration channels. This integration allows users to apply protection policies directly from Teams and control access to shared documents.
  4. Google Workspace (formerly G Suite): Sealpath integrates with Google Workspace to protect documents, spreadsheets and presentations created and stored in Google Drive. Users can apply protection policies and control access to their files directly from Google Workspace applications.
  5. Alfresco: Sealpath offers native integration with the Alfresco enterprise content management system. This allows users to protect and control access to documents and files stored in the Alfresco repository.
  6. Box: Sealpath’s integration with Box allows users to protect and control access to files stored in this cloud storage platform. Users can apply protection and monitoring policies directly from the Box interface.
  7. Salesforce: Sealpath integrates with Salesforce to protect confidential information stored in the CRM platform. Users can apply protection policies and control access to data directly from Salesforce, ensuring the security of customer information and intellectual property.

Interested in the solution?

Contact us and request
request a demonstration right now

“The salesperson tricked me” or why you need a Technology Radar service.

The title of this article, “The salesperson tricked me,” is one of the most common beginnings of our conversations with new customers. Large projects with little return, if not omitting key information that if known would have changed the course of strategic technology decisions. Incredible specifications where someone forgets about the professional services necessary for the solution to be implemented, or the correct training of the personnel who will operate it in the coming years. Read more

New Cybersecurity Analyst Certification with QRadar SIEM 7.4.3

Just came out of the first of the new IBM QRadar SIEM certifications. As always, they have started with the simplest one, the analyst. It is intended for professionals who wish to validate their knowledge of QRadar SIEM in version 7.4.3. The exam is C1000-139, entitled “IBM Security QRadar SIEM V7.4.3 – Analysis” and the certification obtained is“IBM Certified Analyst – Security QRadar SIEM V7.4.3“.

As you know (and if you don’t, we’ll tell you about it) the main novelty in version 7.4 is the change of user interface. They have been including control and monitoring panels to improve the visibility of security incidents with specific mappings to methodologies such as MITRE ATT&CK. It is a way to standardize incidents, give a bit of abstraction to the product, provide us with a higher level view of what is happening, beyond the specific rules that have been applied and the chains of events that have been generated.

As prerequisites (not part of the exam) it is necessary to be proficient:

  • SIEM concepts (what it is, what it isn’t and what it is for)
  • Master TCP/IP network theory
  • Have a good knowledge of computer security terminology.
  • Learn about the different QRadar modules and plugins such as Network Insights or Incident Forensics.

Why are we asked in the exam?

  • Analysis of security offenses and events (logs, network flows, etc.)
  • Understanding of reference data listings (sets, maps, tables, etc.)
  • Mastering the rules and building blocks
  • Know how to search in reports, create them from scratch, program them, modify them, etc.
  • Have a basic knowledge of QRadar architecture, fundamentally its components, licensing and configuration at the network level.
  • Finally, multi-domain and multi-client configurations, which seem to be becoming more and more fashionable, have a dedicated section in this review.

Do I have to recertify?

In our opinion, if you are certified on versions 7.2.X or 7.3.X there is no need to re-certify. Another thing is that your company requires it to maintain a certain level of partnership with IBM or it is a requirement for a public tender. However, if you are going to get certified, take advantage of it and do it when the new versions are released.

When will the rest of the certifications in 7.4.2 be released?

Between this quarter and next quarter, the “administrator” and “deployment professional” will be released. The differences between all of them were covered some time ago in this article. Although the versions change, the types of exams and their objectives are the same.

Can you help us with QRadar?

Of course, we offer training, professional services, support and we also sell and renew your licenses. Contact us and let’s talk.

New IBM QRadar courses updated to version 7.4.2

Of all the IBM courses, perhaps the most demanded and valued by IBM clients and partners are the QRadar SIEM courses. Therefore, from June 2021 the new official courses will be available: QRadar SIEM Fundamentals (BQ104G) and QRadar SIEM advanced functionalities (BQ204G) . We have also updated our pre-sales, architecture, deployment and initial configuration workshop to version 7.4. Since 2014 we have trained over 35 clients and 400 students from 20 different countries in this amazing technology. We have passed on all our practical experience in real projects and have helped to successfully pass official certifications.

What is QRadar?

The market leading solution for the prevention, detection and remediation of security incidents. Hundreds of SOCs (Security Operations Centers) around the world rely on technology developed by Q1 Labs and acquired by IBM in 2011 to complement their cybersecurity capabilities. QRadar allows us to link events ranging from physical security (access controls), ID card readers, OT devices to the service infrastructure deployed in the cloud or even the daily activity logs of users. Its capabilities allow us to analyze thousands of events per second to ensure that our organization is not only secure, but also compliant with applicable industry regulations and legislation. QRadar also has strategic partnerships with Juniper Networks, Enterasys, Nortel, McAfee, Foundry Networks and 3Com among other companies. The product is so powerful that many of these companies sell their own SIEMs based on QRadar technology.

What’s new?

In the last year and a half many things have changed. From the user interface that has been completely revamped, to new applications that allow you to analyze incidents in a fully automated way. For example, the QRadar Advisor application with Watson (IBM AI) automatically maps tactics and techniques available in the MITRE ATT&CK database to internal QRadar rules. Through an innovative monitoring dashboard you can see the techniques used by attackers and their relationship to open security incidents.

The new versions allow you to use the hints and tips provided by IBM QRadar Use Case Manager (formerly QRadar Tuning app) to help you optimize the configuration and tuning of QRadar rules, keeping them always up to date and ready for when they are needed.

 

What about certifications?

We have been helping to prepare for the official IBM exams in the technologies we teach for a long time. That is why we have decided that from June 2021, we will include at no additional cost a preparation day for the certifications in all private courses that are contracted to us with at least 4 students enrolled.

I want to enroll in a course


Contact us and in less than 24h you will receive an offer.
All courses are taught both on-site and on-line. Our instructors speak English, French and Spanish.

Need more help?

At Sixe Ingeniería we are IBM Security BP. We sell, install and support IBM QRadar SIEM. We also conduct tailor-made training, seminars and technical talks. We also advise you with the licenses and the definition of the architecture you need at no additional cost. Ask for a demonstration without obligation.

The importance of cybersecurity in the healthcare sector

Hospitals, health centres and all the elements that make up the healthcare sector depend to a large extent on the proper functioning of computerized systems. In fact, these are indispensable for performing clinical and administrative tasks at any time during all days of the year. Therefore, and taking into account the high sensitivity of patients’ clinical data, cybersecurity prevention is essential. Theft or misuse of them can have devastating consequences.

Cyberattacks on hospitals and health centers, an unre-new practice

It is curious, but traditionally the complexes that make up the healthcare sector have taken little or no care of their cybersecurity processes. In fact, it has been regarded as a sector of little interest to cybercriminals, when the opposite could really be said.

It is true that, with the advent of the COVID-19 pandemic, cyberattacks have multiplied and becomemore relevant at the media level. However, they are not the first. For example, the different organizations that make up the health sector in the United States encrypted the losses of this criminal activity in 2019 at more than $4 billion.

The risks of not taking care of cybersecurity in the health sector

But what are the main reasons why cybercriminals focus on attacking hospitals and health centers? Basically, we can cite the following:

  • Theft of clinical patient information.
  • Theft of the identity of medical specialists.
  • Access to sensitive patient data.
  • Purchase and sale of clinical information on the black market.

This relieves the importance of hiring an experienced professional with a cybersecurity career. But there’s more. For example, in recent years, the number of medical devices running connected to the Internet has grown exponentially. And, with them, the risk of cyberattack. In fact, this trend is expected to continue upwards for quite some time.

These devices use technology of theso-called Internet of Things (IoT) and, despite their undoubted usefulness in the healthcare sector, most cyberattacks are directed towards them. The lack of protection and vulnerability they present to hackers means that, in too many cases, end-user security is compromised by them.

Cybercriminals’ preferred formula for attacking healthcare IoT devices

There is no doubt that ransomware files and malware are the most commonly used by cybercriminals when attacking health centers, hospitals and other particularly vulnerable places within the healthcare sector.

A ransomware is a program that downloads, installs and runs on your computer thanks to the Internet. In doing so, it ‘hijacks’ all the device or some of the information it stores and, in exchange for its release, requests an economic bailout (hence its name).

The removal of these files and malware is not excessively complex for computer security specialists, but the consequences they can have on hospitals and medical centers are of great consideration. For example, they involve:

  • Disruption of the center’s operational processes, at least, on the affected IoT computers.

  • Inability to access patient information and diagnostic tests.
  • Need to restore systems and backups.
  • Damage to the corporate reputation of the center or company after suffering the attack.

All of this comes at a very important economic cost from a business point of view. In fact, it can be so high that the investment of implementing the best cybersecurity solutions sounds ridiculous. Just restoring systems is a task that can stop medical center activity for almost a day.

How to prevent cyberattacks in the health sector?

Interestingly, the best way
to prevent cyberattacks on IoT
equipment is by strategically investing in those devices. That is, making greater and better use of them. More and more technologies are in place to control access, block attacks by malicious files, and ultimately safeguard critical information and processes with as little human intervention as possible.

The reality is to acquire an infrastructure of equipment, programs and specialized personnel within a hospital or medical center can be an inesumable investment. However, there are alternatives. The most interesting of these is the one that goes through the implementation of cloud solutions. The reduction in costs is very noticeable and the solutions offered are very effective.

SaaS(Software as a Service)solutions are currently the most widely used in medical centers that use cloud platforms for their systems. But for them to work, it is necessary to consider a cybersecurity strategy of the data prior to the dumping of the data on the servers. Encryption and encryption mechanisms are basic at this point. A fairly simple and fully automated task that can result in a really high return on investment.

In short, the health sector, both in terms of hospitals and health centres, is particularly sensitive in cybersecurity. Especially since most of its processes depend on IoT devices that are highly sensitive to the action of hackers. However, the advantages they provide in terms of efficiency and productivity make their use indispensable. With this being clear, it is obvious that the investment in protecting these systems, which must always be made from a strategic perspective, is essential.

Top OT cybsersecurity solutions for Industry & Healthcare

Introduction

Today’s industrial control networks are a hive of interconnected devices designed to work together as a whole. If the mechanism fails at any point, it can trigger a serious domino effect. For example, communications systems are needed to advise power plants on the amount of electricity available in the network and to regulate its production. A hospital depends on its own networks to send diagnostics to customers and a car factory has complex robots that are also interconnected. Although not everything is accessible on the Internet, there are many ways to access these environments and the risk is growing exponentially.

In general, each of the 16 Critical Infrastructure Resources (CIKR) are highly interconnected and are generally affected by similar vulnerabilities and attack vectors.  Securing CIKR is difficult due to many factors. These environments were initially planned to be independent, so no online defense was required or implemented. They also manufacture goods and operate non-stop for thousands of hours, so downtime, except for repairs and patches, would have a significant impact on the business. Few hospitals upgrade an X-ray machine if it works and does its job, nor does a grav conveyor or uranium centrifuge. This is a problem because old hardware and applications are prone to create problems when exposed to modern attacks.

CIKRs have been reluctant to adopt newer technology because their design has been able to reliably deliver a result that is necessary for our modern society over the years using their own protocols, processes and security systems (however old they may be). The vast majority of WO systems operate on a day-to-day basis without significant error. However, the risk of supporting legacy applications and systems even since the late 1980s is increasingly high.

Medigate

Medigate is our preferred solution for making hospitals and medical centers safe and free from cyber threats. It identifies the nature of the attack so the user will have the ability to prevent a rash action or be targeted. The clinical context will help in identifying the development of chaotic human behavior. Device profiles will help you manage device lifecycles and offer additional network security as a result. Medigate and Check Point have come up with an advanced security solution for implementing the Internet of Things (IoT) and IoMT networks. The combined solution of Check Point with Medigate establishes quick and effective security monitoring for Hospitals. The key features include:

  • Realistic and holistic medical device registration.
  • Mapped-automated anomaly detection.
  • Policies are generated from device attributes.
  • “Single pane of glass” for all content produced by Medigate on Check Point Smart Console.
  • Automatically activating IPS flagging of known Internet of Things exploits.

Security experts wonder whether the security mechanism of online hospitals hasn’t been developed differently. This should be seen as another hint that plenty of legacy networks were never made with data security in mind, placing vital resources and lives at risk. Of course, layers of Cyber defense safety can be added today. The only real difficulty is to design and enforce appropriate layered layers of internet security. Another way to do this is to bring security programs into applications. This would be the safest decision in the long run. Long story short, the transition will take a long time. Updating the equipment of such facilities would come with an equal magnitude of risks as the installation of security systems.

Medigate’s passive platform can be installed by hospitals and security system integrators very easily and is integrated with Check Point’s R80 management system and Security Gateways. Once connected, the medical device security platform shared the identification information of the device and application information with Check Point’s Smart Console. This enables a full view of the screen for a screencast of both devices. Due to granular visibility in surgical devices, medication’s effectiveness is assured. Medigate takes advantage of deep packet inspection to monitor devices by specific identifiers, including setup, usage, performance, and location. This enables both systems to be displayed simultaneously to the Check Point Smart Console, removing the need to flip back and forth between dashboards.

The ability to tag medical devices by connectivity type, model name, and vendor enables more granular policies management. Medigate checks what is changing in the network every hour to ensure that the tags stay current.

Tenable.ot

The heart of a company is a computerized network of controllers that transmit and receive commands. Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) are industrial equipment that acts as the bedrock of industrial processes. Operations infrastructure now has a large scale attack surface and multiple attack vectors. If we are not able to monitor access to the info, there is a strong risk of getting targeted.

Tenable.ot (formely know as Indegy ICS) is designed to protect enterprise networks from cyber threats, malicious insiders, and human error. Our solution also offers vulnerability identification and avoidance, asset tracking, reporting, and managing the setup of a Wi-Fi network. Industrial Control System (ICS) protection and protection is improved dramatically. The approach provides a clear situational understanding across all departmental locations.

When making investment decisions in OT systems, the cost is still a concern. In order to finance the initiative, we must transfer the costs to users of the services. These innovations are not affordable since the users of the goods produced by this technology have fixed-capital costs included in the cost of goods sold. Increased investment in technology along with its short life span would be costly. Many of the costs of recycling would not be passed down to consumers because of federal legislation. The sector has failed to come to a consensus about the consequences of protecting their OT processes, and how to finance those improvements over the decades.

Just recently no evidence there needed to be special strategies developed to defend against cyber-attacks. On the rise are cyberwar scenarios and as a result, users and companies should be safe as well. The urgent need is for authentication mechanisms to protect UTM/OTM so that system administrators can protect and safeguard their systems from end to end.

Integration of QRadar SIEM

QRadar is a security information solution that offers real-time monitoring of the IT networks. We offer a broad variety of QRadar solutions including core SIEM parts and associated additional hardware.

The key feature of the QRadar SI Platform allows the acquisition of security information in real-time. The solution will gather data from attached logs to analyze abnormalities and produce disturbing warnings until a security threat is identified. This unique appliance recognizes, evaluates, and tracks security, enforcement, and policy threats in networks. It allows network administrators and others to decide on proactive network safety initiatives.

This module scans your computer network for bugs, as well as looks at the data obtained from other hackers (such as Nessus and Rapid7). Using our system to address network security issues. In addition, this lists the index of vulnerabilities that can be further used in connection rules and reports by IBM QRadar Vulnerability Manager. This module would help you inspect your computing devices within hours or even minutes.

Ensuring security using Next-Gen SIEM

  • Security vendors will use machine learning and artificial intelligence approaches to bypass old security tools that are using static laws. You can deter unknown attacks by using a big data analytics-based next-gen SIEM service. Machine learning systems evolve easily and are capable of identifying advanced threats that law- or signature-based detection systems can’t identify.
  • Behavioral analytics can be used to track insider danger and spying practices. Understanding the entire body of “Behavior Anomaly” is a key to identifying an insider danger at an individual and community level. Insider attacks stem from breaking into access rights they have been given. These malicious actions may be identified using a next-gen SIEM that introduced powerful behavioral analytics.
  • Good emergency response systems are important to disaster management. Cyber threats that are not stopped are also had detrimental consequences. In delivering and sustaining company instruction on the procedures to conduct in the event of an assault, your organization minimizes the harm of an attack.
  • Physicians should ensure their medical data stays private and limited to approved persons. The EMR documents contain health information, so it is important to keep the medical details private. Usually, Legacy SIEMs enable organizations to mix confidential patient data with other IT data as well as enforcement details a next-gen SIEM solution offers all of the privileges required to preserve data security, such as anonymization of data, role-based access management, data filtering or erasure, and a full audit trail.
  • Healthcare companies are subject to more legislation in today’s culture. Next-gen SIEM technologies deliver out of the box and ad-hoc reporting to satisfy regulations like HIPAA, HITRUST, GDPR, and others.

Conclusion

Healthcare practitioners are mindful of the necessity of preserving patient records. Healthcare security is under attack by both external and internal threats, making it imperative to protect individuals Personal Health Information (PHI). There has been a substantial rise in the cost of healthcare, and companies are being targeted for their information and results. The organization often faces stiff regulatory pressure which punishes careless or mischievous mishandling of data.

We must keep in mind to provide sufficient protection in our enterprise climate. This form of networking can help us learn more about what is happening in our machine as well as the internet. One of the most common tracking and analysis techniques is Security Information and Event Management, which collect information such as computer device events and archive and process them. Special attention should be paid to installing SIEMs in OT networks and the peculiarities of these networks should be borne in mind. We can help you to deploy and integrate IPS, SIEM, and IDS. Contact us!

SiXe Ingeniería
×