How Axis approaches surveillance solution cybersecurity
Cybersecurity threat analysis
A strategic approach to cybersecurity starts with an understanding of what common industry-specific threats an organization is likely to face, existing vulnerabilities in their defense and industry regulation. Axis recognises this and proactively works with partners and customers to ensure they are equipped with the right knowledge and protocols to help defend against attacks.
Unfortunately, security threats don’t fit into specific and well-defined boxes. They vary in terms of sophistication and impact. Highly complex attacks with the biggest impact to businesses and their customers tend to steal the most column inches and awareness, but these aren’t the most common. Rather, the threats that organizations need to worry most about arise far more frequently from lapses in protocol and what is often referred to as “deliberate or accidental misuse of the system”.
User error is a top factor when it comes to successful cyberattacks and shouldn’t be overlooked
This is something that Fred Juhlin, Global Senior Consultant, Axis believes is one of the greatest misconceptions when it comes to threats commenting, “Many organisations mistakenly focus on protecting their businesses from the high profile threats, instead of getting the basics right. User error is a top factor when it comes to successful cyberattacks and shouldn’t be overlooked when putting measures in place to improve cybersecurity.”
Addressing cybersecurity vulnerabilities
Vulnerabilities are weaknesses or opportunities for different threats to impact the system negatively and are a part of every system: no solution exists which is completely free from vulnerabilities. Rather than focus solely on the vulnerability itself, it’s important to quantify the potential impact on the organization if it is exploited. This will help qualify the associated risk and whether addressing the vulnerability should be prioritized.
Axis strives to apply cybersecurity best practices in the design, development, and testing of devices to minimize the risk of flaws that could be exploited in an attack. However, securing a network, its devices, and the services it supports relies on active participation by the entire vendor supply chain, as well as the end-user organization. The Axis Hardening Guide describes each security control that can be applied with the device and recommends when, where and why it should be used when securing the network, devices, and services.
From a vendor perspective, developing software products with security built in throughout the development lifecycle requires experience and maturity in secure software design and coding. In addition, these products must comply with prevailing legislation (for example, GDPR, CCPA for privacy and NDAA, DoD CCMC for secure supply chains and the UK Secure by Default legislation), and many more.
Wayne Dorris, CISSP, Business Development Manager - Cybersecurity at Axis commented, “We dedicate a significant portion of our time to examining laws, legislation and standards for cybersecurity requirements to see where these may impact Axis. These regulations may differ according to geographical location, which presents a challenge to customers who need to deploy products across multiple markets. For example, it’s counterproductive to install one version of firmware for the Americas, when they need another version for EMEA.”
Axis approaches this challenge through its Security Development Model, which is based on several cybersecurity industry best practices. The model defines the processes and tools used to build software with security built-in throughout the development lifecycle, spanning initial requirements, design, implementation, verification and deployment.
Communication and collaboration
Even with the best processes in place to prevent critical vulnerabilities being designed into a product, the threat landscape is in a continual state of change. Communicating information about these vulnerabilities to customers and partners as soon as they are discovered is key. This will allow them to undertake risk assessments and take an action – such as patching – to rectify.
Sometimes customers choose to take assessment into their own hands, employing independent scanning tools which report current vulnerabilities in the solution. These can be invaluable to keeping a system secure, but must be given right context and associated risk assessment. Without this, there is the chance that the wrong conclusions are drawn, leading to expensive and unnecessary actions.
Without the right context and risk assessment, it’s easy to go down a rabbit hole
Steven Kenny, Industry Liaison Manager at Axis commented, “It’s great when customers take such a proactive stance to understanding the vulnerabilities that exist within their systems, but these reports can include many false positives. Without the right context and risk assessment, it’s easy to go down a rabbit hole, dedicating resources towards fixing a problem that has very little impact on the business.”
Axis works closely with customers and partners regarding interpreting and prioritizing vulnerabilities, and developing a strategic and informed plan of action.
Cybersecurity best practice education and training
As part of this guidance on the latest vulnerabilities, education plays an important role in informing the development of security policies. One of the greatest cybersecurity weaknesses in an organization can be its staff. It is critical that they are made aware of how they can be targeted and the potential impact of failing to comply with security practices. Axis helps to deliver cyber awareness training and establish best practice guides for end users.
Security personnel can also be a weak point in an organization’s cybersecurity, given their responsibility for managing security controls. This includes maintaining an up-to-date device inventory, secure deployment, patching and device account management. Keeping on top of this can be difficult, and Axis Device Manager (ADM) can support security personnel in this endeavour.
However, customer needs are changing and demand for capabilities such as multi-site management and improved monitoring is increasing. To meet this demand, Axis has launched ADM Extend which enables a more flexible deployment which allows personnel to support multiple sites. Although ADM Extend is currently focusing on the common operations, it will include more policies, security automation, integration with other systems in the near future.
Robust cybersecurity cannot be achieved alone
Threat actors often work in collaboration, sharing information on the latest vulnerabilities, tactics and associated rewards. Faced with such a determined and often well-funded foe, organizations should not attempt to go into battle without the right armor and support. New threats continuously emerge a multi-layered approach, underpinned with cybersecurity education is essential to an organization’s defence.
As the industry moves to a ‘zero trust’ approach to security where every entity is identified and defined by its risk profile, it is important to choose products which are designed with security in mind. Axis leverages over 30 years of experience to create robust products and employs a collaborative approach to ensure that partners and customers are armed with the key information and tools needed to react to changing threats.