How Endpoint Security Analytics Could Have Cut the Target Hack Short
Recent intelligence about the Target breach, its scope, and its attack vectors has included the fact that memory-scraping malware was instrumental in hijacking credit-card data prior to its encryption for transmission to remote payment processors. Symantec reported on the registry keys and files dropped by the malware that are even now being used by software vendors to update their signature-based antivirus and alerting systems.
- Posted by: Siemens
- No comments
- Categories: Analytics , Anomalies , Audit , DFIR , Endpoint Intelligence , Endpoint Visibility , Intelligent Security
Recent breaches show traditional security defenses fail to deliver
We’ve highlighted in numerous posts that studies of security incidents and publicly disclosed breaches reveal that it’s all too common for attacks to go unnoticed for days, weeks, months, and even years. And, nearly as troubling, it’s rarely the breached organization that discovers that it’s been compromised – rather it’s usually a customer, partner, supplier, or even law enforcement that eventually notices something is awry and brings it to victims’ attention.
All of that was certainly true with the South Carolina Department of Revenue attack that we covered here. In this incident, the post-breach investigation found that the compromise occurred in mid-September and wasn't detected until mid-October. And when it was detected, it was done so by the United States Secret Service, which happened to be conducting a sting against the group that was responsible for the attack.
So what happened regarding this breach? As we learn more, it’s clear that time was working against the South Carolina Department of Revenue. To be fair, this is true for all targeted attacks. Take a look at the illustration below, from the 2012 Verizon data breach investigation report, which accurately demonstrates the scope of this challenge. The data in the figure below are the result of thousands of investigations that were conducted last year both by Verizon and a number of government agencies from multiple countries, including the United States Secret Service.
When looking at the various time spans between attack and response in all of those incident investigations, disturbing patterns emerge. Specifically, patterns appear when attack life cycles are segmented into four stages: the time between initial attack and compromise; the time between the initial compromise and data being stolen from the target; the time between that compromise and the point at which it was discovered; and finally the time between the discovery of that compromise and remediation.
The data show that attackers can exfiltrate data in a matter of hours or days at best, and at worst in a span of only minutes. Once in, attackers have shown again and again that they have the ability to begin exfiltrating data as soon as they’ve compromised a system.
And this isn’t just a handful of organizations; it is thousands. This proves that the status quo provided by traditional security software simply isn’t good enough. And the reality is that after attackers have had weeks, or months, to rummage through a network, simply wiping servers and endpoints isn’t going to rid the infection. The attacker has had too much time to plant backdoors and create ways to burrow back in.
Identify unknown, suspicious behaviors
What’s needed are ways to identify unknown, suspicious behaviors on endpoints. This is best achieved by performing periodic assessments designed to expose unknown running applications that exist in temporary memory; instances of known threats that morph (such as the Zeus banking Trojan); and the ability to conduct ongoing scans for variants of such threats in order to fully understand and address the scope of a successful attack against your infrastructure.
Additionally, and in order to reduce your attack surface, you also need to be able to audit endpoints for sensitive data, which in all likelihood are the target of the attackers’ activity. By limiting pools of sensitive and confidential data, you can significantly reduce risk.
EnCase Cybersecurity helps in many of these efforts. First, EnCase Cybersecurity conducts network-wide system integrity assessments against a known good baseline that has been established. Essentially, what you are doing is performing regularly scheduled audits for anomalies across the range of endpoints. And it works because, while you don’t know what the unknown looks like, you do know what the baseline looks like. This allows you to look at everything that doesn’t match that baseline, so you then can decide whether it's something that's good (and should be added to a trusted profile), or if you've been exposed to a malicious attack that needs to be remedied and added to known bad profiles for future integrity audit scans.
How does EnCase Cybersecurity achieve this? It does so by leveraging the concept of entropy for similar file scans. Consider it a very fuzzy signature, but not an exact match, that the system is assessing. It doesn’t matter what kind of files are being evaluated – EnCase Cybersecurity will expose the files and processes used by advanced attacks that are easily missed by traditional security technologies, such as intrusion detection systems and anti-malware software.
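The two ideas above, a baseline-versus-anomaly integrity audit and entropy as a "fuzzy signature" for spotting morphed variants, can be sketched in a few dozen lines. The script below is an added illustration, not EnCase Cybersecurity's own code or algorithm; it assumes a simplified model in which a trusted profile and a known-bad profile each record a SHA-256 hash and the Shannon entropy of every file, and the sample "endpoint" contents are constructed in memory rather than read from disk.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte,
    8.0 for bytes that are uniformly distributed (typical of packed or
    encrypted content)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_profile(files: dict) -> dict:
    """Record an exact hash plus an entropy value for every file in a set.
    The trusted profile is built from a known-good baseline; the known-bad
    profile from samples confirmed malicious during an investigation."""
    return {
        path: {"sha256": hashlib.sha256(d).hexdigest(), "entropy": shannon_entropy(d)}
        for path, d in files.items()
    }


def audit_endpoint(endpoint: dict, trusted: dict, known_bad: dict,
                   tolerance: float = 0.25) -> dict:
    """Classify each file on an endpoint.

    - exact hash in the trusted profile   -> "trusted"
    - exact hash in the known-bad profile -> "known-bad"
    - entropy within `tolerance` of a known-bad sample -> "similar-to-known-bad"
      (a morphed variant keeps a different hash but usually a similar
      entropy profile; this is the fuzzy, not-exact match)
    - anything else -> "unknown-review", to be triaged and then added to
      either the trusted or the known-bad profile for the next scan
    """
    trusted_hashes = {p["sha256"] for p in trusted.values()}
    bad_hashes = {p["sha256"] for p in known_bad.values()}
    findings = {}
    for path, data in endpoint.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in trusted_hashes:
            findings[path] = "trusted"
        elif digest in bad_hashes:
            findings[path] = "known-bad"
        else:
            ent = shannon_entropy(data)
            if any(abs(ent - p["entropy"]) <= tolerance for p in known_bad.values()):
                findings[path] = "similar-to-known-bad"
            else:
                findings[path] = "unknown-review"
    return findings


# Constructed sample content (hypothetical paths, not real binaries).
BASELINE = {
    "C:/Windows/System32/svc.exe": b"MZ" + b"legit service code\x00" * 8,
}
KNOWN_BAD = {
    "C:/Users/Public/scraper.dll": bytes(range(256)) * 4,  # uniform bytes: entropy 8.0
}
ENDPOINT = {
    "C:/Windows/System32/svc.exe": BASELINE["C:/Windows/System32/svc.exe"],
    "C:/Users/Public/scraper.dll": KNOWN_BAD["C:/Users/Public/scraper.dll"],
    # Morphed variant: byte order changed and a few bytes appended, so the
    # hash differs, but the byte distribution (and entropy) is nearly the same.
    "C:/ProgramData/tmp/upd.dll": bytes(range(255, -1, -1)) * 4 + b"\x00" * 8,
    # A new, low-entropy text file: not in any profile, so it is queued for review.
    "C:/Users/alice/notes.txt": b"quarterly numbers look fine, call bob\n" * 3,
}


def run_sample_audit() -> dict:
    return audit_endpoint(ENDPOINT, build_profile(BASELINE), build_profile(KNOWN_BAD))


if __name__ == "__main__":
    for path, verdict in run_sample_audit().items():
        print(f"{verdict:22s} {path}")
```

Entropy alone is a coarse feature: two unrelated files can share a value by coincidence, so a real scan pairs it with other attributes (size, section layout, strings) before calling something a variant. The point of the sketch is the workflow: exact match against the baseline first, fuzzy match against known bad second, and everything left over goes to a human, whose decision feeds the next scheduled scan.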
We’ve recently completed a webinar on this topic, Hunt or be Hunted: Exposing Undetected Threats with EnCase Cybersecurity, that provides much more detail about how EnCase Cybersecurity helps to defend against advanced, clandestine attacks. I invite you to watch, and learn how your organization can proactively ferret out any possible breaches before it’s too late and attackers have had time to entrench themselves into your infrastructure.
- Posted by: Anthony Di Bello
- No comments
- Categories: Audit , Data Breach , Malware , Security Tactics
Sensitive data discovery is an essential part of IT security
Yet, most organizations don’t give it the attention it deserves. Here’s why it’s hard, and what you can do to do it right.
When we talk about protecting enterprises from attack, we are really talking about protecting our data. After all, it is the data that is so heavily regulated. It’s data - when compromised - that causes breach notifications. And it’s that valuable data that one ultimately doesn't want to fall into the wrong hands.
So it’s surprising that so few companies - companies that spend so much capital and effort on security technologies to defend their networks - actually seek to know where their sensitive, confidential, and regulated data reside. Perhaps it’s because they don’t see the real value in doing so. Perhaps it’s because the process has proven to be insurmountable at some point in the past. Regardless of the reason: it’s a serious oversight.
Why? First consider the benefits of understanding sensitive data location. Understanding and controlling the location of sensitive data can help to significantly reduce risk, as that data can be consolidated into fewer data stores as it’s identified. It can also help streamline data leak prevention deployments, help with litigation readiness (for data disclosure requests), and can improve data retention policies. So why isn't it being done?
Part of the challenge is that auditing endpoint data, without the right tools, isn't easy. First, many of the tools require that endpoint data be fully indexed before it can be searched. That’s just ludicrous today, as the process will take weeks, if not a month or more, to complete. With the velocity at which data moves today, the locations and nature of the data will change before the indexing process is even completed. Not to mention that much of the data will be on highly mobile notebooks. Additionally, unstructured data is a big challenge for most tools. This includes finding data in emails, attachments, and local files.
Also, policies alone, without technological enforcement, aren’t enough. Users will always find a way, accidentally or intentionally, to bypass policies that aren’t monitored and enforced. So sensitive data discovery technology should also provide remediation: it’s the only way to deliver critical enforcement capabilities to ensure sensitive data is not stored anywhere in violation of your data policies.
Despite these difficulties, endpoint data classification is something that must be done. Not only because having sensitive data scattered about significantly increases risk exposure, as well as the costs associated with eDiscovery requests, but also because it’s a requirement under many regulations. Some of those include Nevada’s Security of Personal Information Law (NRS 603.A), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).
For these regulations, and for unregulated confidential data, the ability to discover sensitive data on endpoints is crucial for reducing the risk and costs of incidents, remaining compliant, and enforcing policies to avoid mishaps and regulatory findings. When looking for a solution, there are certain requirements you need to consider:
- Broad Encryption support
- Broad OS support
- Ease and Flexibility of deployment and configuration
- Forensic-grade visibility
- Review capability
- Policy enforcement mechanism
- Integration with other systems
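To make the discovery and enforcement problem concrete, here is an added example (not EnCase's code) of the smallest useful scanner for one regulated data type, cardholder primary account numbers (PANs), run over unstructured text such as a spreadsheet cell, an e-mail body and a file-server document. The sample documents, paths and the set of locations where cardholder data is permitted are all constructed for the illustration. A Luhn check filters out most order numbers and phone numbers that merely look like card numbers, and findings are reported with the PAN masked so the audit report itself does not become another copy of sensitive data.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers. Valid PANs pass;
    most incidental digit strings (order ids, phone numbers) fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits in any report or log line."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    location: str   # where the data was found (file path, mailbox item, ...)
    masked_pan: str
    policy: str     # "allowed" inside an approved data store, else "violation"


def scan_documents(docs: dict, allowed_prefixes: tuple) -> list:
    """Scan text extracted from documents/e-mails for Luhn-valid PANs and
    tag each hit against the data-location policy."""
    findings = []
    for location, text in docs.items():
        for match in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_valid(digits):
                continue
            policy = "allowed" if location.startswith(allowed_prefixes) else "violation"
            findings.append(Finding(location, mask_pan(digits), policy))
    return findings


# Constructed sample corpus: text already extracted from each item.
SAMPLE_DOCS = {
    "C:/Users/alice/Desktop/refunds.xlsx": "Refund for 4111 1111 1111 1111 approved on Monday",
    "mailbox:alice/Inbox/msg-0042.eml": "Order 1234567890123 ships Friday, call 555-0100 ext 42",
    "//fileserver/finance/pci-vault/cardholder.txt": "5555555555554444 exp 12/29",
    "C:/Users/bob/notes.txt": "meeting notes: nothing sensitive here",
}
# Only the segmented cardholder data environment may hold PANs (constructed policy).
ALLOWED_PREFIXES = ("//fileserver/finance/pci-vault/",)


def run_sample_scan() -> list:
    return scan_documents(SAMPLE_DOCS, ALLOWED_PREFIXES)


if __name__ == "__main__":
    for f in run_sample_scan():
        print(f"{f.policy:9s} {f.masked_pan}  {f.location}")
```

The "violation" verdict is the hook for the remediation requirement above: a real deployment would quarantine or securely delete the offending item, or move it into the approved store, and record the action. Note what the scanner does not cover: encrypted containers and binary attachments need decryption or content extraction first, which is why broad encryption support and forensic-grade visibility appear in the requirements list.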
There’s no doubt that endpoint data identification and auditing will be a challenge for some time to come. If you’d like to learn more, you’re invited to watch the on-demand webinar Dude, Where’s My Data – Finding & Securing Sensitive Data, which provides more detail on the challenges of endpoint data auditing and identification, and how EnCase Cybersecurity will help.