Security Thoughts for 2025

Beyond AI, cybersecurity challenges continue to evolve. Effective vulnerability management requires more than just CVSS scores, and supply chain attacks highlight the need for greater scrutiny of third-party providers. Meanwhile, advancements in quantum computing could reshape encryption and cloud security.

As we navigate 2025, understanding these trends will be key to staying ahead in an increasingly complex digital landscape.

AI is everywhere but does it need to be?

There’s been something of a stampede by vendors to add AI functionality into products.  It seems almost every product now has a Copilot or similar feature claiming to make life easier.  How beneficial this is to users is unclear at present.  When evaluating new products, KedronUK does cast a critical eye over the “datasheet benefits” and how they may actually work in the real world.

AI and ML do suit some applications very well though.  Surfacing performance or security detections (events / alerts) in large amounts of data, such as raw network traffic in NDR tools or logs in a SIEM solution, is a great use case.

AI isn’t just all good though

I’m sure every IT professional has seen a terrible attempt at a phishing e-mail, either offering them money lost in a foreign bank account or one claiming to be from a senior colleague asking them to help with an urgent action.  Easy access to AI tools will make these harder to spot as they mimic the writing style or even voices of colleagues.  Alongside appropriate security tools, user awareness will be very important in helping combat this threat.

Managing the use of AI platforms will also continue to challenge organisations from a GRC perspective.  The leaking of sensitive data could occur thanks to careless but well-intentioned use of AI to help with productivity.

Look beyond just the vulnerability

Vulnerability scanners are a common and essential part of any IT team’s tooling.  Finding and addressing vulnerabilities early is important in maintaining a good security posture.  However, considering a CVSS score in isolation may not deliver the best results.  Leveraging additional data sources such as the CISA KEV catalogue can provide extra context to help prioritise remediation work.  As an example, a CVE with a score of 9.8 would, at first glance, look to need immediate attention.  However, it may not be actively exploited.  Thus, a CVE with a lower score (e.g. 6.5) which is being commonly exploited should be addressed first.

Incorporating vulnerabilities (with all their important context) alongside other signals can provide a much wider and more complete view of your attack surface.
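As an added illustration of the prioritisation logic described above (example code, not KedronUK’s or CISA’s own), the following Python ranks scanner findings by KEV membership first and CVSS score second, with internet exposure as a tie-break. The KEV excerpt is constructed in the shape of the catalogue’s CSV export using placeholder IDs rather than real CVEs, and the tiering threshold of 9.0 is an assumption taken from the patching advice elsewhere on this page.

```python
import csv
import io
from dataclasses import dataclass

# Constructed excerpt mimicking the CISA KEV CSV export (assumption: the real
# file carries more columns; only cveID and knownRansomwareCampaignUse are
# read here). The CVE IDs are placeholders, not real catalogue entries.
KEV_CSV = """cveID,vendorProject,product,knownRansomwareCampaignUse
CVE-EXAMPLE-0002,ExampleCo,Example VPN,Known
CVE-EXAMPLE-0004,ExampleCo,Example Router,Unknown
"""


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by a scanner against one asset."""
    cve: str
    cvss: float
    asset: str
    internet_facing: bool = False


def load_kev(csv_text: str) -> dict[str, bool]:
    """Map CVE ID -> True if CISA flags known ransomware campaign use."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["cveID"]: row["knownRansomwareCampaignUse"] == "Known"
            for row in reader}


def priority_key(finding: Finding, kev: dict[str, bool]) -> tuple:
    """Sort key: KEV entries first, known-ransomware CVEs before the rest,
    then highest CVSS, then internet-facing assets (False sorts first)."""
    in_kev = finding.cve in kev
    ransomware = kev.get(finding.cve, False)
    return (not in_kev, not ransomware, -finding.cvss, not finding.internet_facing)


def prioritise(findings: list[Finding], kev: dict[str, bool]) -> list[Finding]:
    """Return findings in the order they should be remediated."""
    return sorted(findings, key=lambda f: priority_key(f, kev))


def remediation_tier(finding: Finding, kev: dict[str, bool]) -> str:
    """Bucket a finding: actively exploited beats any raw score."""
    if finding.cve in kev:
        return "immediate"   # in KEV: exploited in the wild, patch or mitigate now
    if finding.cvss >= 9.0:  # assumed threshold, from the "9 or more" advice on this page
        return "critical"
    return "scheduled"


# Constructed scanner output: a 9.8 that is not in KEV versus a 6.5 that is.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 9.8, "build-server", False),
    Finding("CVE-EXAMPLE-0002", 6.5, "vpn-gateway", True),
    Finding("CVE-EXAMPLE-0003", 7.5, "web-01", True),
    Finding("CVE-EXAMPLE-0004", 8.1, "edge-router", True),
]

if __name__ == "__main__":
    kev = load_kev(KEV_CSV)
    for f in prioritise(SAMPLE_FINDINGS, kev):
        print(f"{remediation_tier(f, kev):10} {f.cve} cvss={f.cvss} asset={f.asset}")
```

Running it lists the exploited 6.5 ahead of the unexploited 9.8, which is the ordering the paragraph argues for.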

Trusted Partners

The December 2024 attack on the US Department of the Treasury used BeyondTrust’s remote support tools to gain access to the Department’s infrastructure.  Supply chain attacks are nothing new though – the SolarWinds Sunburst and Supernova attacks date back to 2020/21.  Whilst SaaS (or other XaaS) still has many benefits, it can be extremely difficult to audit and build trust in a provider.  Major SaaS providers will continue to be a ripe target for nation state attackers.  This may encourage organisations to move back to self-hosted solutions, especially critical parts of the infrastructure such as ZTNA.

This topic doesn’t just cover technology service providers though.  With the change of government in the USA and their “unsettling” statements on subjects such as security, borders and tariffs, both private business and public sector users may start to reconsider the implications of hosting applications and storing data in cloud platforms owned by US technology companies such as Microsoft and Google.  Could unexpected policy announcements have sudden legal implications for data sovereignty and local compliance regulations?

The World of Quantum

For large enterprises, interest in quantum computing will continue to grow as they research and plan how the new age will impact their operations.  Aspects of quantum computing, such as Quantum Random Number Generation (QRNG), give financial businesses the chance to improve the accuracy and speed of simulations.  QRNG also offers a truly random source of numbers to provide an ideal basis for encryption keys.  Entropy as a Service offers a way for cloud applications and IoT devices to benefit from QRNG.

For more information please get in touch!

Kirsty Jones

Marketing and Brand Development Lead

Spreads the word further and wider about how we can help connect and visualise your IT Ops and Sec Ops data.

Call us today on 01782 752 369
KedronUK, Kern House, Stone Business Park, Stone, Staffordshire ST15 0TL

Logpoint – What’s New?

Who are Logpoint and when was the company established?

Logpoint was founded in 2012, and safeguards society in a digital world by helping customers and Managed Security Service Providers (MSSPs) detect cyberattacks. Combining reliable technology with a deep understanding of cybersecurity challenges, Logpoint makes security operations easier, giving organisations the freedom to progress. Logpoint’s SIEM and NDR technologies improve visibility and give a multi-layered approach to cybersecurity that helps customers and MSSPs in Europe navigate the complex threat landscape. Headquartered in Copenhagen, Denmark, Logpoint has a European foundation and is the only European SIEM vendor with a Common Criteria EAL3+ certification. This demonstrates Logpoint’s strong focus on data protection and cybersecurity regulations. 

What’s new since KedronUK first partnered with Logpoint?

The biggest news in 2024 was Logpoint’s acquisition of Muninn, a Danish company specialising in AI-driven Network Detection & Response (NDR) technology. 

What new features have been introduced in the past year?

1. SIEM

  • Support for .CSV and .TXT to import lists (IoC, malicious domains, IPs, etc.)
  • Templated log sources, including syslog sources
  • Dark mode
  • Support for Azure Blob Storage for more cost-effective cloud-based storage and the ability to scale up or down across storage tiers
  • SaaS Logpoint Portal for centralised access management, expanding to on-prem SIEMs in 2025
  • Onboarding with pre-configured compliance dashboards covering access management, incident management, and perimeter security monitoring. 

2. SOAR Playbooks

  • Playbook restoring
  • Integration-agnostic playbooks for easier distribution to customers
  • Playbook action for encoding/decoding HTML, changing case types and adding incidents as a new artifact

3. SOAR Case Management

  • Automatic reading of the incidents and adding all the extractable data as artifacts to the case
  • All-in-one screen case management with case timeline, graphical overview of artifacts relations in an incident, and the option to run automatic investigations from the case

4. Director

  • Templated log sources, including syslog log sources and cloud features
  • Centralised health metrics monitoring dashboard
  • Role-based access control for segregation of users’ permissions

What’s coming in 2025?

Throughout the coming months, Logpoint will focus on different areas. To reduce operational overhead, Logpoint is looking for ways to improve log source onboarding and enhance log source activity monitoring and data integrity. Analysts will also benefit from better enrichment and querying features for threat hunting and will continue to get better threat detection, thanks to optimised T1 integrations and alerting.

What gap does KedronUK fill for Logpoint?

Logpoint delivers a comprehensive end-to-end security platform, equipping organisations with everything they need for effective cybersecurity. Kedron complements this by providing value-added services and managing security complexities on behalf of end customers. Together, we enable organisations to stay focused on their core business while ensuring their security operations are well-managed and optimised. 

Phil Swainson, Head of Technology at KedronUK says: “We’ve found that customers managing enterprise networks are struggling to find a network performance management tool focused on packets that can handle the demands of high-speed, high-bandwidth networks, while not breaking the bank with excessive storage requirements. The unique way Allegro Packets solutions work means that network managers and IT Ops managers can get the information they need without having to search petabytes of data.”

What does Logpoint bring to KedronUK?

Logpoint brings a valuable SIEM capability to the KedronUK product and services portfolio. 

  • Flexible deployment models including self-managed (on-premise / private cloud) and SaaS cover varying customer requirements. For users with specific compliance or contractual obligations, the SaaS instance can be provisioned in the UK to remove any concerns about data sovereignty.
  • Logpoint’s transparent pricing model is easy to understand and provides cost clarity for users. Predicting costs can be difficult with other models such as ingestion-based billing (e.g. events per second or GB per day), which can also limit the scope of a deployment. There are also special licence bundles for public sector customers such as the NHS.
  • Hundreds of out-of-the-box integrations allow users to collect data from a wide variety of sources and leverage existing security tools to improve detection, investigation, and response capabilities.

The recent acquisition of Muninn extends the security capabilities of Logpoint to include NDR/XDR. This provides additional visibility into Cloud, OT, and remote workers. 

To find out more about Logpoint, please contact us or get in touch with our sales team at sales@kedronuk.com

OT/IoT Visibility Survey

The convergence of Information Technology (IT) with Operational Technology (OT), Industrial Control Systems (ICS), and the expanding landscape of Internet of Things (IoT) and Internet of Medical Things (IoMT) devices is transforming how modern enterprises operate. As these traditionally separate networks become more interconnected, organisations have a unique opportunity to optimise their operations, gain real-time insights, and improve overall efficiency. This integration allows for streamlined processes, predictive maintenance, and enhanced data analysis capabilities, driving digital transformation across industries.

However, the integration of IT with OT, ICS, and IoT/IoMT networks also introduces significant challenges, particularly in the realm of cybersecurity. As these systems become more intertwined, the attack surface for cyber threats increases, making critical infrastructure more vulnerable to potential breaches, data manipulation, or disruptions in service. Enterprises are now faced with the challenge of protecting both their IT and OT environments while ensuring that their interconnected systems remain secure, reliable, and resilient.

In response to these challenges, we conducted a survey to better understand how enterprises are approaching the integration of these diverse systems. The survey aimed to gather insights into the strategies, technologies, and best practices that organisations are adopting to secure their interconnected networks. We were particularly interested in learning how enterprises are navigating the complexities of cybersecurity, ensuring the safe operation of their ICS and IoT devices, and maintaining the integrity of their data in an increasingly interconnected world.

The results highlighted some common areas of risk which require mitigation, and also demonstrated varying levels of success in leveraging cybersecurity and compliance tools.

For the full report and a summary of responses, please see the OT/IoT Visibility Survey Report.

Current Cyber Threats and how to Prevent Them

In our increasingly digital world, cyber-attacks pose a significant threat to both individuals and organisations. Understanding these threats and learning how to protect yourself is essential. This blog post will delve into some of the most common cyber-attacks, providing detailed insights and practical prevention tips.

1. Phishing Attacks 

Phishing attacks are deceptive attempts to obtain sensitive information such as usernames, passwords, and credit card details. These attacks often come in the form of emails, text messages, or websites that mimic legitimate communications from trusted sources.

How it works: 

  • The attacker sends a message that appears to be from a reputable entity, such as a bank, telecommunications, cloud provider, courier / postal service or other well-known company. 
  • The message contains a link or attachment that prompts the victim to enter personal information such as logon credentials or download malware. 

Prevention Tips:

  • Verify the Source: Always check the sender’s email address and look for signs of spoofing. If unsure, contact the organisation directly using a known, legitimate contact method.
  • Think Before You Click/React: Hover over links to see where they lead before clicking. Be cautious with unexpected attachments, even from known contacts. Services like Microsoft 365 and Google Workspace can place additional warnings into external e-mails to help users spot phishing attempts which pretend to be internal messages from a colleague.
  • Use Security Services/Software: Implement email filters and anti-phishing tools to detect and block malicious messages. Alongside the standard security controls provided by email providers, third party vendors such as Heimdal offer additional layers of security. 
  • Education: Regularly train employees on how to recognise and respond to phishing attempts. Simulated phishing attacks can be occasionally run to ensure user awareness is checked and maintained. 

2. Ransomware & Malware 

Ransomware is a type of malware that encrypts a victim’s files to prevent access and demands a ransom for the decryption key. Attackers may also exfiltrate the data and threaten to publicly release sensitive business information if a ransom is not paid. This attack can cripple businesses, causing significant financial losses and reputational damage.

How It Works: 

  • Ransomware typically spreads through phishing emails, malicious ads, or by exploiting vulnerabilities in software. Once executed, it encrypts files and displays a ransom note demanding payment, often in cryptocurrency. It will also try to move laterally across a network to maximise the disruption. 

Prevention Tips: 

  • Regular Backups: Maintain regular backups of critical data and ensure they are stored offline or in a secure cloud environment. Immutable backups can protect critical restore points from ransomware. Backup procedures need to be tested on a regular basis to ensure they are working as expected – do not just trust log reports!
  • Install Antivirus / EDR Software: Ensure you have reliable antivirus and anti-malware software installed and regularly updated. That said, the recent CrowdStrike outage has shown that regular updates can be a double-edged sword!
  • Patch Vulnerabilities: Keep your software and systems updated to protect against exploits. A vulnerability scanner / solution such as Qualys, Tenable Nessus or Rapid7 InsightVM can help automate this process to avoid blind spots when dealing with a large IT estate. Any vulnerabilities with a CVSS score of 9 or more should generally be treated as a priority and either be patched or mitigated.
  • Network Segmentation: Segment your network to limit the spread of ransomware and contain potential damage. Zero Trust Network Access (ZTNA) solutions like Appgate can ensure users only have access to the applications they need, restricting the ability of ransomware to move laterally to other devices on the network. 
  • Consider Fire-Break Solutions: Ransomware containment solutions such as BullWall RC can provide a last line of defence against encryption. These solutions aim to stop a ransomware attack as quickly as possible, isolating or shutting down the infected PC(s) to minimise the impact of the attack. 
  • Examine your full supply chain and technology stack: A number of enterprises impacted by the ransomware groups which targeted the MOVEit vulnerabilities were actually affected due to the use of MOVEit by their payroll / HR software provider (TechCrunch). 

3. EOS/EOL and Unpatched Network Equipment

Patching operating systems and applications is a regular task for most businesses, with tools such as Heimdal Patch & Asset Management used to automate much of the repetitive work. However, it is also critically important to update network equipment, especially internet-facing routers and firewalls.

Research published this week by Vedere Labs, the cybersecurity research arm of our partner Forescout, identified 14 new security vulnerabilities in 24 models of the popular DrayTek Vigor network routers/firewalls. Around 785,000 impacted devices have been identified globally, with 20% of these considered to be End of Life (EOL) and 43% End of Support (EOS). 

Thankfully, DrayTek have provided firmware updates for EOS/EOL routers. 

How It Works: 

  • Attackers use automated tools such as Shodan to scan the Internet for exposed devices with out-of-date firmware. 
  • Once located, attackers will have scripts ready to exploit the security bugs.
  • The attackers may use the device to launch DDoS attacks as part of a botnet, intercept traffic or penetrate the private network behind the firewall/router to deploy ransomware.

Prevention Tips:

  • Patch Firmware: Where possible, subscribe to vendor email notifications to automatically receive alerts for new firmware releases. More importantly, arrange appropriate maintenance windows to install the updates, especially where they contain security fixes.
  • Replace End of Life (EOL) Equipment: Critical network infrastructure which is EOS/EOL and thus unsupported should be replaced. Even though the equipment may continue to work fine without vendor support, the lack of updates means you may be left rushing to replace a device when an exploit is found and widely abused. Not all vendors will produce patches for old equipment as DrayTek has!
  • Remove or secure public management access: Although convenient for remote support, exposing router, firewall or other management interfaces directly to the Internet should be avoided wherever possible. The DrayTek research found over 704,00 devices with the management UI exposed to the Internet.

Conclusion

Understanding these common cyber-attacks and implementing robust security measures can significantly reduce your risk. Stay informed, stay vigilant, and prioritise cybersecurity to protect yourself and your organisation from these pervasive threats.

As an independent specialist consultancy working with leading cyber-security vendors, KedronUK can assist enterprises in addressing gaps within their security tooling from EOL device management through to ransomware containment solutions.

For more information on our full product portfolio, please contact us, or email our sales team at sales@kedronuk.com

SOC-ial Cricket Event: Disruptive Cyber Tech 2024

Our first #NoSalesPitch event of 2024 saw the KedronUK team heading north into central Manchester. The No Sales Pitch format was a great success last year, with ten-minute presentations from five security vendors to keep things moving and interesting. With Sixes Manchester as the venue, there was the chance for networking over food and drink, along with some virtual cricket fun after the presentations had finished.

Zero Trust – Forescout
Phil Swainson, KedronUK’s Head of Technology, was compere for the afternoon. After a brief overview of KedronUK, he introduced our first presentation from Keith Gilbert of Forescout. Keith talked about Zero Trust (ZT), focusing on the steps required to begin the journey to a ZT world. We know from speaking to many enterprises that there’s a lot to consider when starting out with ZT, and proper planning is essential. Using the NIST 800-207 document entitled “Zero Trust Architecture” as a guide, Keith outlined the key system components such as Policy Enforcement Points and Policy Decision Points, plus how these interact with the “data plane” of users and systems.

Ransomware Containment – BullWall.
In the IT security arena, ransomware remains an ongoing threat to businesses of all sizes. Whilst the exact attack techniques and methods evolve, the risk of severe business disruption remains. BullWall Ransomware Containment (RC) is an innovative but lightweight solution to provide an extra layer of protection. To use an analogy, an IT datacentre or large building will have a sprinkler or fire suppression system which will trigger in the event of a fire. The job of the sprinkler system is not to stop the fire from happening in the first place but to extinguish the fire as quickly as possible. Andrew Grant outlined how BullWall RC offers the same solution for ransomware – other security tools will hopefully block and prevent as many attacks as possible, but in the worst case it will automatically trigger and stop the ransomware.

Breach & Attack Simulation – Keysight.
The ever-expanding IT security market means new vendors and new products appear almost daily. Analysts will identify attack vectors which need tools to protect against, but what about the existing security tooling you have deployed? Kevin Berry from Keysight showed how a Breach & Attack Simulation (BAS) tool can fit into your security testing plans. Whilst it is a new tool (somewhat ironically), BAS is not about directly filling a gap or replacing an existing tool, but helping you understand how your existing security solutions are working. With regular updates from the Keysight Application & Threat Intelligence (ATI) team, Keysight ThreatSim helps you validate your existing security policies and posture to ensure they are providing the best possible protection against the latest threats. BAS complements point-in-time tests such as penetration testing, which are performed perhaps annually or six-monthly, as well as frequent scans from vulnerability management tools such as Tenable Nessus.

API Security – Noname.
Our newest vendor partner is Noname Security. API security continues to gain focus for CISOs and other security practitioners. As far back as December 2021, Gartner predicted that APIs would become the top attack vector. As an example, the recent (May 2024) Dell data breach saw an attacker use a poorly secured and non-rate-limited API to extract the details of around 49 million customers. As a market leader in API security, David Moss outlined how the key pillars provided by Noname cover Discovery (what is my API estate?), Posture (how many of those APIs have vulnerabilities or are mis-configured?), Runtime (who is attacking my APIs?) and Testing (finding potential vulnerabilities during development).

Network Detection & Response – ExtraHop.
The “Need for Speed” was the theme of the last presentation from Kyle Francis of ExtraHop. IT teams are always under pressure to work faster. Security threats need to be detected and contained quicker, whilst outages must be resolved quicker to avoid costly business disruption. However, incomplete data, blind spots and too many complex interfaces hinder the investigation and resolution process. As a Forrester Wave (Q2 2023) leader for Network Analysis and Visibility, ExtraHop can help enterprises eliminate blind spots and detect issues and anomalies in real time, ultimately reducing investigation time to drive quicker, positive outcomes.

With the presentations complete, the bar opened, food was served and the cricket began. Across the two nets, the best attendee on each screen stepped forward at the end for a competition to win an Oculus VR Headset! The runner-up didn’t miss out either, receiving a £75 voucher to return to a Sixes cricket venue near them…

We received some great feedback from the attendees at the event. From speaking to them, the key takeaway from the afternoon was that whilst not every tool presented is the right fit for every organisation (perhaps due to size, budget or security maturity), the format is an excellent way of getting a view of current security trends and risks. Finally, a number of attendees noted how the workload for IT teams is unrelenting, so “light-touch” tools (such as BullWall RC) which can quickly enhance security with a low management footprint are extremely attractive.

To find out more about each technology discussed, take a look at our SOCial Cricket Event Presentation Slides here!