Offensive Defense in the Enterprise
Posted: May 2, 2013 at 10:11 am | by Joe Gottlieb
Recently, the idea of Offensive Defense has become a hot topic in the security industry. In theory, the notion of going after an attacker that targeted your organization seems like a logical plan. However, there are a host of legal and ethical concerns with this approach.
For one, current legislation is vague about an organization’s authority to pursue cyber attackers outside its own network. Secondly, what if you unintentionally go after an innocent bystander, for example a third party whose compromised machine was merely used as a relay, and cause irreversible harm to their infrastructure? Are you then legally liable for any damage they incurred?
Because of this ambiguity, we urge our customers to focus on what they own inside their own enterprise, where hidden intrusions and malicious code can have long-term security ramifications.
According to Verizon’s 2013 Data Breach Investigations Report, 66 percent of breaches took two months or longer to discover, up considerably from 2010, when 41 percent went undetected for that long. This supports the case for SIEM analytics, which can shorten the time a threat is able to “hide” within enterprise infrastructure.
By leveraging advanced SIEM solutions, organizations can establish the context of a threat and enable an automated, active defense on infrastructure they own. A deeper, richer understanding of the patterns and anomalies that SIEM analytics surface strengthens the deployment of policy-driven controls and balances enterprise defense with corporate responsibility.
In a recent piece I did on this topic, I discuss the risks, the debates and the future of sharing information about cyber attacks.
While the idea of going off-premises to attack your attacker may sound appealing, the risks clearly outweigh the benefits. There’s a better way to keep your enterprise secure, while staying out of trouble—and an advanced SIEM will get you there.
Security Metrics - Truth in Data
Posted: August 17, 2012 at 10:06 am | by Joe Gottlieb
I am thrilled to share the ThreatPost article I wrote about the top ten tips security teams should consider as they evolve their metrics-driven practices. If video is your preferred format, I also shared details about these tips in this short piece.
These are not huge revelations or commandments, but rather a set of principles that proactive security teams should consider as they get serious about making the most of their event data.
I am passionate about this topic - as are many others in the security field. Without taking a more methodical and sustainable approach to analyzing our security posture, we will be in a constant knife-fight with cyber-criminals and we won’t win that one.
In fact, I will soon be sharing details about research we did that highlights the challenges faced by most security organizations. Some of the results were surprising, but my biggest take-away is that security teams are not armed with the right tools or processes to confidently stay ahead of threats.
Keep your eyes peeled for that report and let’s continue the dialog about improving our security posture with greater intelligence.
Operation High Roller: Lessons Learned
Posted: July 24, 2012 at 8:54 am | by Joe Gottlieb
Cybercrime has definitely become more profitable than old-fashioned crime. Compare the $38 million stolen through physical bank burglaries in 2011* with the recent report on the Operation High Roller attack, in which up to $78 million may have been stolen by attackers targeting high-balance accounts at 60 or more mid-sized banks.
We spent a little time researching this attack and, while initial reports were vague, we now understand it to be an interesting layering of several techniques in an attack that spanned many months.
Operation High Roller started with a basic phishing ploy, then used several unusual maneuvers once inside the victims’ systems. What set this attack apart was not only the level of automation it used, distracting victims momentarily with a fake screen while their funds were transferred, but also the first reported compromise of two-factor authentication by automated code, in this case a short-lived, one-time-use password. Now that an automated bypass of two-factor authentication has been demonstrated, we can expect cybercriminals to reuse the technique in future attacks.
There was some good news about this attack (as with most others): the operation left behind many logs, which ultimately gave security experts insight into the anatomy of the attack, its migration pattern, and which customers were compromised.
This is another wake-up call that there needs to be more consistency in three key areas:
· Education – much like other attacks before it, High Roller started with a simple phishing scam. Employees need ongoing education about the new, innovative ways that attacks take shape.
· Automation – when employees know that updates to anti-virus software, for example, happen without any action on their part, they will distrust a pop-up from a supposed anti-virus application that asks them to act.
· Monitoring – it is not enough to do “spot checks” or rely on real-time alerts; clearly, cybercriminals have figured out how to evade those processes. Develop a consistent monitoring process that looks for suspicious events, such as connections to an unknown outside server at unusual times of day. There are many basic metrics you can establish baselines for, and then look for unexplained variances against those baselines.
* Source: FBI
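The monitoring point above is easy to state and less obvious to implement, so here is an added example (written for this page, not SenSage code) of the baseline-and-variance check it describes. Constructed firewall log lines are parsed, a per-host baseline of external destinations and active hours of day is built from a two-week training window, and later connections are flagged when a host talks to a destination it has never contacted, outside the hours it is normally active. The log layout, the host names and the internal address ranges are assumptions; the sample records are invented.

```python
"""Baseline outbound connections per host, then flag unexplained variances.

Added example, not SenSage code. The record layout
"<ISO timestamp> <source host> <dst ip>:<port> <bytes>" is an assumption;
a real firewall or proxy log will differ and only parse_log() needs to change.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed training-window records (the "known good" period).
BASELINE_LOG = """\
2012-06-04T09:12:31 ws-finance-07 203.0.113.10:443 5120
2012-06-04T10:40:02 ws-finance-07 203.0.113.10:443 8811
2012-06-04T11:05:55 ws-finance-07 198.51.100.5:443 2201
2012-06-04T14:22:09 ws-finance-07 203.0.113.10:443 4310
2012-06-04T16:58:41 ws-finance-07 203.0.113.10:443 990
2012-06-04T09:30:12 ws-finance-07 10.1.2.3:445 70000
2012-06-04T08:15:00 ws-hr-02 203.0.113.10:443 3000
2012-06-04T13:45:30 ws-hr-02 203.0.113.10:443 3100
"""

# Constructed records from a later day, to be checked against the baseline.
LATER_LOG = """\
2012-06-18T10:05:10 ws-finance-07 203.0.113.10:443 6100
2012-06-18T03:14:07 ws-finance-07 192.0.2.77:8080 412000
2012-06-18T10:30:00 ws-finance-07 192.0.2.77:8080 1500
2012-06-18T13:00:00 ws-hr-02 203.0.113.10:443 2900
2012-06-18T02:00:00 ws-hr-02 10.1.2.3:445 50000
2012-06-18T22:10:45 ws-unknown-99 192.0.2.77:8080 9000
"""

# Assumed internal ranges; internal-to-internal traffic is out of scope here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Yield one dict per non-empty record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        ip, port = dst.rsplit(":", 1)
        yield {"ts": datetime.fromisoformat(ts), "host": host,
               "dst": ip, "port": int(port), "bytes": int(nbytes)}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(text):
    """Per source host: external destinations seen and hours of day it was active."""
    baseline = defaultdict(lambda: {"dsts": set(), "hours": set()})
    for e in parse_log(text):
        if not is_external(e["dst"]):
            continue
        baseline[e["host"]]["dsts"].add(e["dst"])
        baseline[e["host"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def find_variances(baseline, text):
    """Return (event, reasons) for every external connection that departs from the baseline.

    A host with no baseline at all is treated as unknown on both counts.
    """
    findings = []
    for e in parse_log(text):
        if not is_external(e["dst"]):
            continue
        b = baseline.get(e["host"])
        reasons = []
        if b is None or e["dst"] not in b["dsts"]:
            reasons.append("unknown external destination")
        if b is None or e["ts"].hour not in b["hours"]:
            reasons.append("outside usual hours")
        if reasons:
            findings.append((e, reasons))
    return findings


def alerts(baseline, text):
    """High-confidence variances only: an unknown destination at an unusual hour."""
    return [(e, r) for e, r in find_variances(baseline, text) if len(r) == 2]


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for e, reasons in find_variances(base, LATER_LOG):
        print(e["ts"], e["host"], "->", f'{e["dst"]}:{e["port"]}', "|", "; ".join(reasons))
```

Run against the constructed data, the 03:14 transfer of 412 KB from ws-finance-07 to 192.0.2.77 and the connection from a host with no baseline at all are the two records that trip both conditions; the daytime connection to the same new address is reported with a single reason so an analyst can still see it. The training window has to be long enough to cover a host’s normal weekly rhythm, and the baseline has to be rebuilt periodically or legitimate new SaaS destinations will page you every morning.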
Gray Hat Reveals Data Breach
Posted: July 2, 2012 at 10:44 am | by Joe Gottlieb
I don’t know if “hero” is the right term for the hacker who recently announced that he was able to breach 79 banks and claimed to have access to more than 50 gigabytes of U.S. and foreign bank data. At minimum, he provided another wake-up call to organizations around the world that they must be more aggressive with their security strategy.
The price for that reality check? It is not just the data-breach fines the payment processor will pay. Think about the painful customer-service costs each of these banks and processing vendors will incur as consumers hear the news and call to find out whether their personal data was stolen. Next, the costly process of changing payment-processing vendors, which Visa and MasterCard will need to consider. And finally, the loss of brand value and business productivity while all of the affected financial institutions manage the bad publicity.
Is PCI to blame? Do most organizations see PCI as a set of policies and procedures they prove they can meet once a year or so, and then set it aside? Are we creating a self-governing society, where eventually only vendors who demonstrate continuous evolution of their security practices will be left standing?
To get more on this story, visit www.youtube.com/sensagetv
Don’t Take the Bait…
Posted: June 26, 2012 at 12:16 pm | by Joe Gottlieb
Google just released some really interesting data that highlights the explosion of phishing attacks…with over one hundred thousand malicious attack sites discovered every month.
Just as the term “phishing” implies, it is clearly a profitable method of cyber-theft because people are easier to trick than computers. As I explained in a previous post, at the heart of every action we take online there is an element of trust, and when you trust the source, you will most likely act.
These attackers are getting really clever, masking themselves as trusted sources such as automated alerts from your anti-virus software or updates from your trusted vendors. Many times employees are so focused on their day-to-day activities that they become susceptible and, without thinking, click on links that they should not.
Here are just a few things you should do in order to reduce the risk of a successful phishing attempt in your organization:
1. Train – The most effective defense against phishing is to teach employees how to identify potential threats. This works best if you can point to real-world examples of breaches, even one that may have happened in your own organization. This gives your employees something to relate to and illustrates what can happen if they don’t pay attention.
2. Analyze – As attacks grow in sophistication, organizations should set up processes for analyzing event data to identify anomalies. The individual who is phished often isn’t the intended target, but rather a means for the phisher to reach the intended target: internal servers housing sensitive information, or admins with lots of privileges. It can take months or years from the original “act” to the point when the real attack is executed. Daily monitoring or real-time alerts won’t necessarily surface those slow, cunning moves, so establish ways to correlate and analyze your event data over long windows to spot suspicious activity.
3. Automate – This seems like a no-brainer… automate trust so your users are less at risk. Ensure that all updates and patches run automatically, so users know that a pop-up asking them to install an update is not legitimate. Establish a list of external sites and IP addresses that can be trusted, rather than only maintaining a blacklist. Set policies for online behavior: eliminate the ability to download files from social media sites or instant messaging applications.
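The “Analyze” item above is the hard one: the phished user is only a foothold, and the move that matters may come weeks later, long after any daily window has rolled over. Here is an added example (written for this page, not SenSage code) of the long-window correlation it calls for. Constructed mail-gateway records and authentication records are merged in time order; a click on a phishing link is remembered per user for 90 days, and the first successful login by that user to a sensitive host within that window is raised as an alert. The log layouts, the host names, the 90-day window and the list of sensitive hosts are all assumptions; the records are invented.

```python
"""Correlate a phishing click with a much later first access to a sensitive host.

Added example, not SenSage code. Record layouts are assumptions:
  "<ISO timestamp> mailgw user=<u> action=<clicked|reported> url=<url>"
  "<ISO timestamp> auth   user=<u> host=<h> result=<success|failure>"
"""
from datetime import datetime, timedelta
import re

# Constructed mail-gateway records: who clicked the lure, who reported it.
MAIL_LOG = """\
2012-05-03T08:41:00 mailgw user=jdoe action=clicked url=http://invoice-update.example/login
2012-05-03T08:42:10 mailgw user=asmith action=reported url=http://invoice-update.example/login
2012-05-05T12:03:00 mailgw user=bbrown action=clicked url=http://invoice-update.example/login
"""

# Constructed authentication records spanning five months.
AUTH_LOG = """\
2012-04-01T10:00:00 auth user=bbrown host=db-prod-01 result=success
2012-05-04T09:00:00 auth user=jdoe host=fileserver-01 result=success
2012-05-10T10:00:00 auth user=asmith host=db-prod-01 result=success
2012-05-20T11:00:00 auth user=bbrown host=db-prod-01 result=success
2012-06-20T23:15:00 auth user=jdoe host=db-prod-01 result=failure
2012-06-20T23:16:30 auth user=jdoe host=db-prod-01 result=success
2012-06-21T09:00:00 auth user=jdoe host=db-prod-01 result=success
2012-09-01T02:00:00 auth user=jdoe host=hr-admin-01 result=success
"""

SENSITIVE_HOSTS = {"db-prod-01", "hr-admin-01"}   # assumed crown jewels
LOOKBACK = timedelta(days=90)                      # assumed correlation window
KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Yield one dict per record: ts, source, plus every key=value field."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, rest = line.split(" ", 2)
        ev = {"ts": datetime.fromisoformat(ts), "source": source}
        ev.update(KV.findall(rest))
        yield ev


def correlate(*logs):
    """Merge all sources by time and keep state across the whole window.

    Alert when a user who clicked a lure within LOOKBACK makes a successful
    login to a sensitive host they have never logged in to before. Users with
    an established history on that host (bbrown) and users who only reported
    the lure (asmith) do not fire.
    """
    events = sorted((e for log in logs for e in parse_events(log)), key=lambda e: e["ts"])
    phished = {}      # user -> {"ts": first click time, "url": lure}
    seen = set()      # (user, host) pairs with a prior successful login
    alerts = []
    for e in events:
        if e["source"] == "mailgw" and e.get("action") == "clicked":
            phished.setdefault(e["user"], {"ts": e["ts"], "url": e["url"]})
        elif e["source"] == "auth" and e.get("result") == "success":
            key = (e["user"], e["host"])
            first_time = key not in seen
            seen.add(key)
            click = phished.get(e["user"])
            if (first_time and e["host"] in SENSITIVE_HOSTS and click is not None
                    and timedelta(0) < e["ts"] - click["ts"] <= LOOKBACK):
                alerts.append({"user": e["user"], "host": e["host"], "ts": e["ts"],
                               "days_since_click": (e["ts"] - click["ts"]).days,
                               "phish_url": click["url"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(MAIL_LOG, AUTH_LOG):
        print(f'{a["ts"]} {a["user"]} first login to {a["host"]} '
              f'{a["days_since_click"]} days after clicking {a["phish_url"]}')
```

Against the constructed data only jdoe fires: the click is on 3 May, the first successful login to db-prod-01 is on 20 June, 48 days later, and the 1 September login to hr-admin-01 falls outside the 90-day window. The design point is the state: `phished` and `seen` have to outlive any single day’s batch, which in a SIEM means a long-retention lookup table fed by the mail gateway rather than a rule that only looks at today’s events.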
To hear the Five Minutes with Joe on this topic, visit www.youtube.com/sensagetv