How Endpoint Security Analytics Could Have Cut the Target Hack Short

Alfred Chung

Recent intelligence about the Target breach, its scope, and its attack vectors has included the fact that memory-scraping malware was instrumental in hijacking credit-card data prior to its encryption for transmission to remote payment processors. Symantec reported on the registry keys and files dropped by the malware that are even now being used by software vendors to update their signature-based antivirus and alerting systems.

The critical point, however, is that the malware that was undoubtedly designed specifically for Target is probably already morphing into something unrecognizable by those signature-based tools for the next organization being drawn into the hackers’ crosshairs. Each organization that is hit with a form of this malware in the future will be on the receiving end of its own, customized attack for which no signature can be created.

Recent breaches show traditional security defenses fail to deliver

Anthony Di Bello

We’ve highlighted in numerous posts that studies of security incidents and publicly disclosed breaches reveal that it’s all too common for attacks to go unnoticed for days, weeks, months, and even years. And, nearly as troubling, it’s rarely the breached organization that discovers that it’s been compromised – rather it’s usually a customer, partner, supplier, or even law enforcement that eventually notices something is awry and brings it to victims’ attention.

All of that was certainly true with the South Carolina Department of Revenue attack that we covered here. In this incident, the post-breach investigation found that the compromise occurred in mid-September and wasn't detected until mid-October. And when it was detected, it was the United States Secret Service that detected it, in the course of a sting against the group responsible for the attack.

So what happened regarding this breach? As we learn more, it’s clear that time was working against the South Carolina Department of Revenue. To be fair, this is true for all targeted attacks. Take a look at the illustration below, from the 2012 Verizon data breach investigation report, which accurately demonstrates the scope of this challenge. The data in the figure below are the result of thousands of investigations that were conducted last year both by Verizon and a number of government agencies from multiple countries, including the United States Secret Service.

When looking at the various time spans between attack and response in all of those incident investigations, disturbing patterns emerge. Specifically, patterns appear when attack life cycles are segmented into four stages: the time between initial attack and compromise; the time between the initial compromise and data being stolen from the target; the time between that compromise and the point at which it was discovered; and finally the time between the discovery of that compromise and remediation.

The data show that, in the best case for defenders, attackers need hours or days to exfiltrate data; in the worst case, they need only minutes. Once in, attackers have shown again and again that they can begin exfiltrating data as soon as they’ve compromised a system.

And this isn’t just a handful of organizations; it is thousands. This proves that the status quo provided by traditional security software simply isn’t good enough. And the reality is that after attackers have had weeks, or months, to rummage through a network, simply wiping servers and endpoints isn’t going to rid you of the infection. The attacker has had too much time to plant backdoors and create ways to burrow back in.

Identify unknown, suspicious behaviors

What’s needed are ways to identify unknown, suspicious behaviors on endpoints. This is best achieved by performing periodic assessments designed to expose unknown applications running in volatile memory; to recognize instances of known threats that morph (such as the Zeus banking Trojan); and to scan on an ongoing basis for variants of such threats, so that the full scope of a successful attack against your infrastructure can be understood and addressed.

Additionally, in order to reduce your attack surface, you also need to be able to audit endpoints for sensitive data, which, in all likelihood, is the target of the attackers’ activity. By limiting the pools of sensitive and confidential data, you can significantly reduce risk.

EnCase Cybersecurity helps in many of these efforts. First, EnCase Cybersecurity conducts network-wide system integrity assessments against a known good baseline that has been established. Essentially, what you are doing is performing regularly scheduled audits for anomalies across the range of endpoints. And it works because, while you don’t know what the unknown looks like, you do know what the baseline looks like. This allows you to look at everything that doesn’t match that baseline, so you then can decide whether it's something that's good (and should be added to a trusted profile), or if you've been exposed to a malicious attack that needs to be remedied and added to known bad profiles for future integrity audit scans.

How does EnCase Cybersecurity achieve this? It does so by leveraging the concept of entropy for similar file scans. Consider it a very fuzzy signature, but not an exact match, that the system is assessing. It doesn’t matter what kind of files are being evaluated – EnCase Cybersecurity will expose the files and processes used by advanced attacks that are easily missed by traditional security technologies, such as intrusion detection systems and anti-malware software.
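The two mechanisms just described, an audit against a known-good baseline and an entropy-based similarity check that catches morphed variants of a known-bad file, as an added Python illustration. This is not EnCase code: the 256-byte chunk size, the 0.5 distance threshold, the file contents and the "known-bad" sample are all constructed for the example.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk: int = 256) -> list:
    """Per-chunk entropies: a coarse, order-preserving 'fuzzy signature' of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def profile_distance(a: list, b: list) -> float:
    """Mean absolute difference over aligned chunks; the shorter profile is padded with 0.0."""
    n = max(len(a), len(b))
    a, b = a + [0.0] * (n - len(a)), b + [0.0] * (n - len(b))
    return sum(abs(x - y) for x, y in zip(a, b)) / n

def integrity_audit(baseline: dict, current: dict, known_bad: dict, threshold: float = 0.5) -> dict:
    """baseline: {path: sha256 hex}, current: {path: bytes}, known_bad: {label: profile}.
    Returns a verdict only for paths that do not match the known-good baseline."""
    verdicts = {}
    for path, data in current.items():
        if baseline.get(path) == hashlib.sha256(data).hexdigest():
            continue  # exact baseline match: nothing to review
        prof = entropy_profile(data)
        label, dist = min(((k, profile_distance(prof, p)) for k, p in known_bad.items()),
                          key=lambda kv: kv[1], default=(None, math.inf))
        if dist <= threshold:  # threshold is an assumed tuning value
            verdicts[path] = f"known-bad: similar to {label}"
        else:
            verdicts[path] = "unknown: review, then add to trusted or known-bad profiles"
    for path in baseline.keys() - current.keys():
        verdicts[path] = "missing: in baseline, absent on endpoint"
    return verdicts

# Constructed sample data (not real files or malware): hash-derived bytes stand in for a packed payload.
def _blob(label: str, size: int = 1024) -> bytes:
    return b"".join(hashlib.sha256(f"{label}{i}".encode()).digest() for i in range(size // 32))

LEGIT = b"legit service binary, mostly text and zero padding\x00\x00" * 20
CONFIG = b"[service]\nport=8443\nlog=/var/log/svc.log\n"
BASELINE = {p: hashlib.sha256(d).hexdigest() for p, d in
            {"bin/svc": LEGIT, "etc/svc.conf": CONFIG, "lib/helper.so": _blob("helper")}.items()}
KNOWN_BAD = {"scraper-sample": entropy_profile(_blob("sample-A"))}  # profile of a captured sample
CURRENT = {"bin/svc": LEGIT, "etc/svc.conf": CONFIG + b"debug=1\n", "tmp/x.dat": _blob("morphed-B")}
```

Calling `integrity_audit(BASELINE, CURRENT, KNOWN_BAD)` skips the unchanged binary, flags the edited config as unknown, matches the high-entropy dropped file to the known-bad profile even though its bytes differ, and reports the library that vanished.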

We’ve recently completed a webinar on this topic, Hunt or be Hunted: Exposing Undetected Threats with EnCase Cybersecurity, that provides much more detail about how EnCase Cybersecurity helps to defend against advanced, clandestine attacks. I invite you to watch, and learn how your organization can proactively ferret out any possible breaches before it’s too late and attackers have had time to entrench themselves into your infrastructure.

# # #

Sensitive data discovery is an essential part of IT security

Anthony Di Bello

Yet, most organizations don’t give it the attention it deserves. Here’s why it’s hard, and what you can do to do it right.

When we talk about protecting enterprises from attack, we are really talking about protecting our data. After all, it is the data that is so heavily regulated. It’s data - when compromised - that causes breach notifications. And it’s that valuable data that one ultimately doesn't want to fall into the wrong hands.

So it’s surprising that so few companies - companies that spend so much capital and effort on security technologies to defend their networks - actually seek to know where their sensitive, confidential, and regulated data reside. Perhaps it’s because they don’t see the real value in doing so. Perhaps it’s because the process has proven to be insurmountable at some point in the past. Regardless of the reason: it’s a serious oversight.

Why? First consider the benefits of understanding sensitive data location. Understanding and controlling the location of sensitive data can significantly reduce risk, because the data can be consolidated into fewer data stores as it’s identified. It can also streamline data leak prevention deployments, help with litigation readiness (for data disclosure requests), and improve data retention policies. So why isn't it being done?

Part of the challenge is that auditing endpoint data, without the right tools, isn't easy. First, many of the tools require that endpoint data be fully indexed before it can be searched. That’s just ludicrous today, as the process will take weeks, if not a month or more, to complete. With the velocity at which data moves today, the locations and nature of the data will change before the indexing process is even completed. Not to mention that much of the data will be on highly mobile notebooks. Additionally, unstructured data is a big challenge for most tools. This includes finding data in emails, attachments, and local files.

Also, policies alone, without technological enforcement, aren’t enough. Users will always find a way, accidentally or intentionally, to bypass policies that aren’t monitored and enforced. So sensitive data discovery technology should also provide remediation: it’s the only way to deliver the enforcement capabilities needed to ensure sensitive data is not stored anywhere in violation of your data policies.

Despite these difficulties, endpoint data classification is something that must be done. Not only because having sensitive data scattered about significantly increases risk exposure, as well as the costs associated with eDiscovery requests - but it’s also a requirement among many regulations. Some of those include Nevada’s Security of Personal Information Law (NRS 603.A), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).

For these regulations, and for unregulated confidential data, the ability to discover sensitive data on endpoints is crucial for reducing the risk and costs of incidents, remaining compliant, and enforcing policies to avoid mishaps and regulatory findings. When looking for a solution, there are certain requirements you need to consider:
  • Broad encryption support
  • Broad OS support
  • Ease and flexibility of deployment and configuration
  • Forensic-grade visibility
  • Review capability
  • Policy enforcement mechanism
  • Integration with other systems

EnCase Cybersecurity enables organizations to find sensitive intellectual property, personally identifiable information, and classified data on endpoints. Also, with disk-level and volatile RAM search ability, EnCase Cybersecurity can target and locate sensitive data wherever it is stored - even if it has already been deleted. Additionally, organizations can target data based on self-defined and pre-defined criteria. Then, when critical data is found in unauthorized areas, the data can be collected to a central repository if needed and then removed in such a way as to be unrecoverable. This way risk is not only instantly reduced, but policy is also continuously enforced going forward as employees will know that endpoint data policy violations will be identified, and won’t be tolerated.
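An added Python example, not EnCase's code, of the discovery half of the process described above: scanning a file or memory buffer for a pre-defined criterion (Luhn-validated card numbers, the PCI DSS case) and a self-defined one (a regex for a project codename), and reporting masked findings with their byte offsets so the report itself does not spread the data. The paths, buffers and rules are constructed; the 4111 number is a well-known test number, not a real card.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    path: str
    rule: str
    offset: int
    sample: str  # masked, so the findings report does not leak the data it found

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other 13-19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]

# Pre-defined criterion: 13-19 digits with optional space/dash separators, then Luhn-validated.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def scan(path: str, data: bytes, custom_rules: dict) -> list:
    """Scan one buffer (a file or a memory region) for pre-defined and self-defined criteria."""
    text = data.decode("latin-1")  # byte-preserving decode, so offsets match the raw buffer
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops ticket numbers, timestamps and other digit runs
            findings.append(Finding(path, "pan", m.start(), mask(digits)))
    for name, pattern in custom_rules.items():  # self-defined criteria
        for m in re.finditer(pattern, text):
            findings.append(Finding(path, name, m.start(), mask(m.group())))
    return sorted(findings, key=lambda f: f.offset)

# Constructed sample buffers: a notes file and a fragment of a memory dump. Nothing here is real.
SAMPLES = {
    "home/a/notes.txt": b"call 4111 1111 1111 1111 re invoice; ticket 1234567890123 open",
    "tmp/memdump.bin": b"\x00\x00PROJECT-BLUEFIN budget\x00\x00" + b"\xff" * 8,
}
CUSTOM = {"project-codename": r"PROJECT-[A-Z]{4,}"}  # assumed self-defined rule
```

Running `scan` over each entry of `SAMPLES` reports the card number (masked, at offset 5) but not the 13-digit ticket number that fails the Luhn check, and the codename at offset 2 of the memory fragment.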

There’s no doubt that endpoint data identification and auditing will be a challenge for some time to come. If you’d like to learn more, you’re invited to watch the on-demand webinar Dude, Where’s My Data – Finding & Securing Sensitive Data, which provides more detail on the challenges of endpoint data auditing and identification, and how EnCase Cybersecurity will help.