By Ziften CEO Charles Leaver
For US companies the occurrence of a significant cyber attack and the resulting data leakage is looking more like “when” rather than “if”, because of the new risks presented by fragmented endpoint strategies, cloud computing and data-intensive applications. All too frequently organizations ignore or inadequately address vulnerabilities that are already known to them, and when aging IT assets are not properly protected the cyber crooks start to take notice.
The variety of data breaches taking place is really troubling. In a report from the Verizon Risk Team there were 855 significant breaches which resulted in 174 million records being lost back in 2011. The stakes are very high for businesses that handle personally identifiable information (PII), because if employees are not educated on compliance and inadequate endpoint data security measures are in place then expensive legal action is likely to follow.
“The likelihood of a data breach or privacy concern occurring in any organization has actually become a virtual certainty,” Jeffrey Vagle, legal expert posting for Mondaq, specified. He advised that record keepers have to rethink their approach to network and device security, worker data access controls and the administration of PII. The increase in the use of cloud services can make the avoidance of data breaches more of a challenge, as these services make it possible to exchange huge amounts of information at a time. It would only take one event and millions of files could be lost.
Known Vulnerabilities Need Focus
A great many IT departments worry constantly about zero day attacks that will cause a data breach and catch them off guard. As an example, Dirk Smith of Network World posted about an Adobe Acrobat exploit that gave hackers access to perform sophisticated surveillance. A great many IT vulnerabilities arise when software is not patched up to date, and many zero day risks stem from weaknesses in legacy code, including a bug in Windows that affected functions first introduced twenty years earlier.
Security expert, Jim Kennedy wrote in a Continuity Central post “one thing that I have actually found is that many of the breaches and invasions which prospered did so by attacking recognized vulnerabilities that had actually been determined and had actually been around for many years: not from some sophisticated ‘zero-day’ attack which was unidentified and unknown until just the other day by the security community at large.” “And, even more troubling, social engineering continues to be a most successful way to begin and/precipitate an attack.”
Now the cyber criminal fraternity has access to an extensive range of pre-packaged malware. These tools can perform complex network and computer system analysis and then recommend the optimal attack method. Another threat is a human one, where employees are not trained correctly to vet calls or messages from people who falsely claim to belong to the technical support team of an external security supplier.
It is definitely extremely important to proactively prevent zero day attacks with robust endpoint protection software, but companies likewise have to integrate reliable training and processes with the hardware and software solutions. While most companies will have a variety of security policies in place, there is generally a problem with enforcing them. As a result, risky deviations in data movement and network traffic that ought to be reviewed by security staff go unnoticed and unresolved.
From The Desk Of Charles Leaver CEO Ziften Technologies
With the advent of bring your own device (BYOD) policies and cloud computing, securing individual endpoints has become much harder, as administrators may be making ease of data access a priority over security. The threats are there nevertheless, because most of the present generation of endpoint security software has not been tailored to protect against aggressive hacking and destructive cyber attack techniques that use individual endpoints as the launch pad for widely distributed attacks.
A very well known endpoint attack occurred in recent times when a malware family called Comfoo was used to compromise the networks of many multinational organizations back in 2010. The Comfoo malware included a number of custom designed backdoor Trojans and exploits that could continuously distribute malware. A more serious consequence was that this malware could cause damaging data leakage by scraping account and network information and monitoring all user input, according to CRN contributor Robert Westervelt. It is believed that the Comfoo malware could have been part of a sophisticated cyber espionage campaign, because of the approach applied and its evasion of standard endpoint monitoring.
Using e-mail phishing and social engineering the malware was able to compromise targeted devices, which highlights how ripe endpoints have become for malware infiltration, according to security executive Jason O’Reilly. Speaking with ITWeb, O’Reilly stated that standard endpoint software most of the time does not adequately account for access from locations beyond the IT department, and it does not limit data exposure to authorized parties through the use of access controls.
O’Reilly specified that “endpoint security solutions need to provide layered defense that surpasses signature-based detection only to consist of heuristic-based detection and polymorphic-based detection.” “Today’s networks are exposed to risks from several sources.”
Real Time Threat Capture And Report Creation
The high stakes for control strategies and endpoint security were recognized by business consulting company Frost & Sullivan, who felt both of these areas were under pressure from external hackers and from the pressing demand by employees for flexibility in device choice.
Chris Rodriguez, Frost & Sullivan analyst, stated “enterprise IT departments now deal with remarkable pressure to enable staff members to access the business network and files from their own personal devices.” “Considering their seemingly omnipresent nature, quick data connections, and powerful hardware and OS, these gadgets represent prime targets for hackers.”
When asked what companies can do to tighten up on the particular weaknesses of mobile hardware, O’Reilly suggested that any solution needs to provide clear and detailed visibility into what is happening on each endpoint, so that action can be taken rapidly when any threats are found.
By Charles Leaver Ziften Technologies CEO
A large number of companies believe there is no need for them to pursue assiduous data loss prevention; they regard cyber attacks as either extremely unlikely to take place or as having very little financial impact if they do. Recorded cases of cyber attacks are rising, yet advanced persistent threats have contributed to this complacency. These malicious attacks tend to evade conventional endpoint security software, and while they do not have the teeth of denial-of-service attacks, they have the potential to cause substantial damage.
Over 67% of organizations assert that they have not been the victims of a cyber attack in the last 18 months, or that they had little or no visibility into whether an attack had compromised their network, according to Infosecurity. The coordinators of the study were skeptical about the results and highlighted the numerous vulnerable desktop and mobile endpoints that are now typical in companies.
Security specialist and survey coordinator Tom Cross stated “Any system you connect to the Internet is going to be targeted by hackers extremely rapidly afterwards.” “I would assert that if you’re uncertain whether your company has actually had a security event, the chances are very high that the response is yes.”
Around 16% stated that they had experienced a DDoS attack over the same period, and 18% reported malware infiltrations. In spite of this, the majority of the companies assessed the effects as minor and not justifying the implementation of new endpoint security and control systems. Approximately 38% said that they had not suffered any detected security breaches, and only 20% admitted to financial losses.
Loss of reputation was more widespread, affecting around 25% of the respondents. Highlighting the potential impact of a cyber attack on finances and reputation, an incident at The University of Delaware resulted in 74,000 people having their sensitive data exposed, according to Amy Cherry, WDEL contributor. The hackers targeted the school’s site and scraped university identification numbers and Social Security Numbers, which forced it to provide free credit monitoring for the affected parties.
Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften Technologies
A 5 Point Plan For A New Security Strategy Proposed By Amit Yoran
Amit Yoran, RSA President, delivered an excellent keynote speech at the RSA Conference which reinforced the Ziften strategy. Ziften is intently focused on continuous endpoint monitoring, silo-busting Ziften Open Visibility™, risk-focused security analytics, and on supplying robust defenses in a new age of sophisticated cyber attacks. Yoran slammed present organization security strategies as mired in the Dark Ages of cyber moats and castle walls, calling them an “impressive fail”, and outlined his vision for the way forward in 5 main points. Commentary from Ziften’s viewpoint has been added to each.
Stop Believing That Even Advanced Protections Suffice
“No matter how high or smart the walls, focused foes will discover methods over, under, around, and through.”
Many of the recent, more advanced attacks did not employ malware as the primary strategy. Yoran criticized conventional endpoint antivirus, firewalls and conventional IPS as examples of the Dark Ages, stating that these traditional defenses are quickly scaled by skilled hackers and are largely ineffective. A signature based anti-virus system can only protect against previously seen threats, but unseen threats are the most dangerous to a company (since they are typical of targeted attacks). Targeted cyber criminals use malware only 50% of the time, and possibly only briefly, at the start of the attack. The attack artifacts are readily changed and never used again in targeted campaigns. The build-up of short-term indicators of compromise and malware signatures, numbering in the billions, in huge antivirus signature databases is a meaningless defensive technique.
Embrace a Deep and Prevalent Level of True Visibility Everywhere – from the Endpoint to the Cloud
“We require pervasive and real visibility into our business environments. You merely can’t do security today without the visibility of both continuous complete packet capture and endpoint compromise assessment visibility.”
This means continuous endpoint monitoring across the enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reveal timeless techniques, not short-lived hex-string happenstance. And any company carrying out continuous full packet capture (comparatively expensive) can easily afford endpoint threat assessment visibility (relatively affordable). Logging and auditing endpoint process activity offers a wealth of security insight using only elementary analytics techniques. A targeted hacker counts on the relative opacity of endpoint user and system activity to cloak and hide the attack, while real visibility shines a bright light on it.
Identity and Authentication Matter More than Ever
“In a world with no perimeter and with fewer security anchor points, identity and authentication matter even more … At some point in [any successful attack] campaign, the abuse of identity is a stepping stone the aggressors use to enforce their will.”
Stronger authentication is fine, but it only builds higher walls that are still not impenetrable. What the hacker does once over the wall is the most important thing. Track user endpoint logins (both local and remote) and application usage for indicators of unusual user activity (insider attack or potentially compromised credentials). Any observed activity that differs from regular patterns is potentially suspicious. One departure from normality does not make a case, but security analytics that triangulate multiple departures from normality concentrate security attention on the highest risk anomalies for triage.
External Threat Intelligence Is A Core Capability
“There are extraordinary sources for the best risk intelligence … [which] must be machine-readable and automated for increased speed and leverage. It needs to be operationalized into your security program and customized to your organization’s assets and interests so that analysts can rapidly deal with the risks that posture the most risk.”
Most targeted attacks do not reuse readily signatured artifacts or recycle network addresses and C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from countless endpoint and network threat sensors. Here at Ziften we integrate third party threat feeds via the Ziften Knowledge Cloud, and expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure by means of our Open Visibility™ architecture. As more machine-readable threat intelligence (MRTI) feeds are developed, this capability will grow in effectiveness.
Understand What Matters Most To Your Business And What Is Mission Critical
“You must comprehend what matters to your organization and exactly what is mission critical. You have to … safeguard exactly what is very important and protect it with everything you have.”
This holds true for risk-driven analytics and instrumentation that focus security attention and action on the areas of highest enterprise risk exposure. Yoran advocates that asset value prioritization is only one side of business risk analysis, and that this goes much deeper, both pragmatically and academically. Security analytics that focus security staff attention on the most common dynamic risks (for instance by filtering, correlating and scoring SIEM alert streams for security triage) need to be well grounded in all sides of enterprise threat analysis.
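The identity-and-authentication point above (triangulating multiple departures from a user's normal login and application pattern) and the risk-driven triage point here (weighting anomalies by what is mission critical) can be shown together in a small scoring routine. This is an added illustration, not Ziften's or RSA's code; the baseline, the asset weights and the login events are all constructed for the example.

```python
# Constructed per-user baseline of normal behaviour (hypothetical, not real telemetry).
BASELINE = {
    "alice": {"hosts": {"ws-alice"}, "hours": range(8, 19), "remote": False, "apps": {"outlook", "excel"}},
    "bob": {"hosts": {"ws-bob", "lab-01"}, "hours": range(7, 20), "remote": True, "apps": {"ssh", "vscode"}},
}
# Constructed asset criticality weights: higher means more mission critical.
ASSET_WEIGHT = {"ws-alice": 1, "ws-bob": 1, "lab-01": 2, "db-prod-01": 5}

# Constructed endpoint events: (user, host, hour of day, remote login?, application).
EVENTS = [
    ("alice", "ws-alice", 9, False, "outlook"),   # entirely normal
    ("alice", "ws-alice", 2, True, "outlook"),    # odd hour and remote: two departures
    ("alice", "db-prod-01", 3, True, "psql"),     # four departures, on a critical host
    ("bob", "lab-01", 12, True, "ssh"),           # entirely normal
    ("bob", "ws-alice", 13, False, "ssh"),        # one departure only (unknown host)
]

def departures(event):
    """List the ways one event deviates from its user's baseline."""
    user, host, hour, remote, app = event
    base = BASELINE.get(user)
    if base is None:
        return ["unknown_user"]
    found = []
    if host not in base["hosts"]:
        found.append("unusual_host")
    if hour not in base["hours"]:
        found.append("unusual_hour")
    if remote and not base["remote"]:
        found.append("unexpected_remote")
    if app not in base["apps"]:
        found.append("unusual_app")
    return found

def score(event):
    """Triangulate: a single departure does not make a case; several on a critical asset rank high."""
    found = departures(event)
    if len(found) < 2:
        return 0, found
    return len(found) * ASSET_WEIGHT.get(event[1], 1), found

def triage(events):
    """Return (score, event, departures) tuples for events that made a case, highest risk first."""
    ranked = [(s, e, d) for e in events for s, d in [score(e)] if s > 0]
    return sorted(ranked, key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    for s, e, d in triage(EVENTS):
        print(s, e, d)
```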
At Ziften we commend Amit Yoran’s messages in his RSA 2015 keynote address as the cyber security industry evolves beyond the present Dark Ages of facile targeted attacks and entrenched exploitation.