‘New Net Technologies’ (NNT) is a leader in advanced and also foundational security systems built upon solid security frameworks. They provide security controls that are capable of handling even today’s highly complex and multi-layered threat space, with intelligent rules, approval tickets, change monitoring, and vulnerability tracking.
Mark Kerrison has been the CEO of NNT since 2008, and he has been working in IT for over three decades now. We’ve had a short interview with him discussing NNT’s security solutions, the current situation in infosec, and how legislation and guidelines fit in the picture. From handling zero-day risks to enabling teams to identify small signs of threat in a large and noisy environment, Mark explains how NNT makes it all possible.
Tell us a few things about how you’ve found your path to a cybersecurity career, and give us an overview of your role at NNT.
I have worked in IT for 30 years. During this time, I have held a number of positions within large and medium-sized businesses, as well as helped start and grow three companies. We initially started NNT to assist IT operations, but as we built on our theories and methodologies, it became clear that, in fact, we had a stonewall security solution. I still believe that our roots in Ops are partly what makes us great at security, and as we have now come full circle, we brand our solution under the banner ‘SecureOps,’ which is a blend of operational and security best practices.
As the Chief Executive, I see my role principally as one of enabling the people within our company and, ultimately, the company itself to fulfill every available potential. Success within the business for me is when the processes and ideas that we all help to create themselves then become self-generating, and we see natural growth as a result. At the end of the day, it’s about getting the right people aligned with the right processes exploring great vision and ideas. None of this happens without contribution from everyone involved and, crucially and importantly, that includes our customers.
In the nearly two decades you’ve been at NNT, what has changed in the industry and what has remained mostly the same?
I have more grey hair for one! Despite many claims to the contrary, our industry remains pretty nascent. That said, I really do believe we are on the precipice of exciting change. Security is finally showing signs of maturity, not dissimilar to how IT Ops evolved over the past 40 years. By virtue of necessity, cyber security will begin to become more streamlined behind prevailing ‘Best Practice Frameworks’ such as The National Institute of Standards and Technology (NIST) and The Center for Internet Security (CIS).
We need to stop trying to make it up as we go – or worse – take cyber security vendors’ word for it. The legislation will, I suspect, eventually force our hand here somewhat, and on a more general basis, as the digital transformation revolution continues with more and more cyber physical security and industrial controls becoming targets, the stakes will become so high as to render this approach non-negotiable.
Automation typically promises ‘ease of use, uniformity, and convenience,’ all of which, of course, somewhat contradicts the disciplined and connected approach that we all expect of cyber security. That said, I am fascinated to see how AI, Machine Learning, and Complex Event Processing will evolve and assist – this is something we at NNT are investing heavily in for our own future releases.
Agile systems, cloud, containers, Kubernetes, 5G, are likely to present their own advantages and challenges in equal measure. That said, the pragmatic rules defined within these best practice frameworks remain our best bet.
Can you give us an idea of how “SecureOps” works?
SecureOps is short for Secure Operations. It includes a combination of the essential, foundational security controls as prescribed by all leading security frameworks along with the operational discipline of change management and the innovation of change control pioneered by NNT.
By ensuring the basic and essential security controls are in place, combined with the ability to validate the safety of all changes, organizations can prevent and protect against cyber-attack while improving IT Service Delivery quality.
- Asset discovery and Inventory
- Secure system configuration for all assets
- Regular vulnerability scanning
- Change monitoring and control
- Whitelist approved File Integrity Monitoring
- Integration with operational Change Management process and systems
- Security Information and Event Log Management (SIEM)
SecureOps utilizes a unique blend of intelligent, layered security analysis technology, combined with integration and correlation of ITSM planned changes. NNT’s Intelligent change control technology cuts out change noise, which leads to improved operational integrity and protection from all forms of cyberattack, even zero-day threats and ransomware.
NNT’s Change Tracker has reached its seventh generation. What are the highlights of the Gen 7 R2 release that would compel clients to consider it?
We focus on four key areas: Innovation, Best Practice, Scale, and Flexibility.
Ask 100 people if being able to spot a potentially harmful change within the millions of harmless production changes would be useful from an operational and security standpoint, and 100 people will say absolutely. Ask the same 100 people if they believe it’s actually feasible, and 99 will likely say no, with the exception being either me, one of our customers, or someone else here at NNT.
It’s within this realm of change control or noise control that Gen 7 R2 has really come of age. We have stacked the solution with intelligence, now able to systematically and reliably sift through every change and highlight any that may be suspicious. Any form of effective breach by definition must change something, either initially or eventually. Any changes that might be considered suspicious or harmful will be instantly highlighted by Gen 7.
In addition, we have created a fully compartmentalized architecture, which essentially means the software is infinitely scalable as well as being ideal within a cloud or containerized environment.
Lastly, based mainly on customer feedback, we have improved the interface and reporting such that we are able to curate the information we generate in a way that will make it consumable and useful across multiple departments within the security and operations function.
What does your ‘Vulnerability Tracker’ solution show today in terms of statistics, and how has this field developed over the last couple of years? Do you see a trend for more diligent patching, and are you dealing with an ever-expanding pool of flaws to detect?
In 2020 alone, we have seen more than 13,300 vulnerability disclosures added to the National Vulnerability Database (NVD). NNT’s Vulnerability Tracker keeps pace with these inclusions, expanding our NVTs to almost 84,000. 2020 is set to break another record for new vulnerabilities identified, driven by both the rise in breach activity and a corresponding rise in bug bounty programs set up around the world.
Patching remains problematic with cycles often too long, leading to exploitable gaps. Compounding all this is the esoteric nature of systems such as outdated OS versions, which can’t easily be upgraded or even patched. Healthcare institutions such as the UK National Health Service, for example, one of the highest-profile victims of WannaCry, report widespread continued use of Windows 7 due to budget and the practical challenges placed upon them by large-scale IT demand. It’s clear then that upgrading and patching systems are a big challenge, and while this remains the case, exploitable, known vulnerabilities will still be present and a threat.
Once again, all this points back to a best practice approach to managing vulnerabilities – there’s no ‘one size fits all’ solution. Our approach is to combine limitless (no restriction on the number of IP addresses) Vulnerability Scanning with Intelligent Change Detection and Configuration Hardening in order to cover all bases and fill in the gaps left by traditional scanning and patching.
NNT Vulnerability Tracker additionally provides the mapping of critical operational services to assets and vulnerabilities. This can help organizations better assess their risk in context and, where necessary, double down on critical areas to ensure a higher level of attention is given to the more sensitive areas.
As zero-days are within your scope too, how does NNT handle these nasties? How can IT teams protect against threats targeting unknown holes?
Nasty fellows, as you say. Like all breaches, the number one goal is to try and stop them from getting to you in the first place. NNT will reduce the attack surface for you by leveraging certified secure configuration benchmarks and scanning for operational vulnerabilities. However, the real Zero-Day Attack killer we provide is to utilize NNT’s intelligent change control and detection feature set.
We may not necessarily understand the signature of a Zero-Day attack but what we can say for certain is that it will precipitate one or a number of unauthorized changes. NNT significantly reduces the likelihood of a breach but crucially provides the ultimate backstop in ensuring we spot unauthorized change immediately, using our sophisticated, intelligent change analysis technology.
Since NNT offers regulatory compliance services as well, can you comment on the various user data protection schemes you cover? Which one would be the strictest, and is US legislation on this area behind Europe’s GDPR?
Because NNT’s solution set fits within the essential controls required by all of the major standards such as CIS and NIST, NNT covers most if not all schemes. More recently, we have embraced and built in automated features to help organizations better meet standard compliance requirements for operational technology and industrial controls such as NERC CIP.
I think GDPR, for example, does go further than the current prevailing general US standards. One issue in the US is that there is no universally adopted standard, such as GDPR. John Gilligan, the CEO of the Center for Internet Security, recently lobbied Congress to adopt their controls as a legislative benchmark for the United States, and we keep hearing snippets that this may happen, but so far, nothing.
GDPR also probably does a better operational job since it requires total transparency from merchants and organizations in terms of their intentions for your personal data, and you are typically provided with an opt-in rather than an opt-out system, which provides us all with a little more control.
Can data protection laws help organizations protect against data breaches, and should there be more done on that part? Like enriching data protection regulations with the NIST cybersecurity framework, for example?
Absolutely – 100%. You are speaking our language. The Critical Security Controls laid out by NIST and the CIS have been assessed to prevent up to 90% of pervasive and dangerous cyber-attacks. SANS and the IT Process Institute report that up to 91% of all security breaches can be auto-detected when release, change, and configuration management controls are implemented.
As an example, in the recent Marriott case involving a data breach impacting approximately 500 million customers, a guest registration database from its Starwood properties had been compromised in 2014 — a full two years before Marriott purchased Starwood.
Although the specific root causes of the attack have not been made public, based on the analysis of other breaches, the root causes will likely track to a failure to properly implement one or more of the CIS Controls. Had adherence to these controls been a part of the law, this would have been covered during the due diligence process, and millions of consumers would have been protected. In short, it needs to happen.
Ransomware groups today are locking healthcare, government, financial, and electrical utility systems down while also stealing files. The FBI and the entire white-hat community appear unable to contain the threat, which is still growing. Is there a way to end this menace decisively?
Well – partly what I have just said above but finally and perhaps particularly so for the industries highlighted, there has to be personal board-level accountability. The controls exist to massively reduce this threat, but until we force the hand of these organizations a little harder, I am not convinced things will change much.
Compounding all this is the somewhat apocryphal way in which vendors promote preventative tech such as File Integrity Monitoring. When in fact, what you get is simple file monitoring without the context and/or intelligence to separate good file activity from the bad – noise fatigue. NNT Change Tracker includes context-based File Integrity Monitoring and File Whitelisting to assure all change activity is automatically analyzed and validated.
If you were to give our readers a single piece of security advice, what would it be?
Pick up a copy of the critical controls laid out by NIST or the CIS and review how well you align. The basic essential controls will loosely include a definition of assets, ensuring those assets are configured properly (at all times), regular vulnerability checks, and some sort of event analysis. We would add change detection to that. If you can be sure you have the basic essential controls in place and build from there, you will be in a pretty good place.
Like a good piece of flat-packed furniture, don’t try and figure it out yourself. Read and follow the manual!