Archive for December, 2011

Wednesday, 28 December 2011 12:28

Help – My Thermostat is Calling Home to China!

According to a recent report in the Wall Street Journal, a group of hackers in China broke into the U.S. Chamber of Commerce’s network around November 2009 and were not discovered until more than a year later.

The hackers likely used a spearphishing attack to install spyware on end-user machines.  The spyware was used to steal employee administrative credentials, which were then used to install about a half dozen back doors which communicated with computers in China every week or two.

The hackers stole sensitive Chamber data such as trade-policy documents, meeting notes, trip reports and schedules, and emails containing the names of companies and individuals in contact with the Chamber.  They even used their own search tools to locate documents containing keywords related to financial and budget information, and stole all emails from four targeted employees – who worked on Asia policy – for approximately six weeks during one portion of the attack.

And here’s an interesting twist — a thermostat at a Chamber town house on Capitol Hill was communicating with an Internet address in China, and a printer spontaneously started printing pages with Chinese characters.

The Chamber represents the interests of U.S. companies in Washington and its members include most of the nation’s largest corporations.  As a result of this incident, the organization’s COO concluded that “It’s nearly impossible to keep people out.  The best thing you can do is have something that tells you when they get in.  It’s the new normal.  I expect this to continue for the foreseeable future.  I expect to be surprised again.”

So how can next-generation SIEM and Security Intelligence help?

First, we should acknowledge that even strict adherence to some compliance mandates, such as PCI-DSS and HIPAA/HITECH, won’t usually protect intellectual property (IP) such as strategic plans, product designs and proprietary algorithms.  Of course, broader compliance frameworks such as ISO 27001/27002, and NIST 800-53 – as well as recent SEC guidance regarding cybersecurity risks and disclosure – will definitely help tighten controls and improve the overall security posture of your infrastructure by requiring centralized monitoring and other best practices, along with helping to address minimum “standards of due care” expectations of your board of directors, customers and shareholders.

Next-generation SIEM can certainly help in reducing the cost and effort of compliance – by centralizing and automating compliance reporting and efficiently addressing log retention requirements – but it also provides significant added value by helping to proactively detect attacks such as this one.

Second, the fact that the hackers were in the network for more than a year before being detected is not unusual.  According to the 2011 Data Breach Investigations Report, more than 60% of breaches remain undiscovered for a period of months or longer (versus days or weeks).  And according to Kim Peretti, former senior counsel at the U.S. Department of Justice, “Our most formidable challenge is getting companies to detect they have been compromised.”

Why?  Because most organizations still rely on basic server and device logs that are widely dispersed across their infrastructures, combined with manual, after-the-fact log analysis.  Under those conditions it is virtually impossible to notice the intruder alarms, because the relevant entries are simply lost in the noise.

Continuous real-time monitoring of all network and system activity – combined with real-time event correlation and automated behavior profiling – can help by rapidly identifying anomalous or out-of-policy events such as:

  • A server (or thermostat) communicating with an IP address in China.
  • An unusual Windows service starting up, such as a backdoor or spyware program.
  • A spike in network traffic and/or data server activity, such as a high volume of downloads from a SharePoint server during off-hours.
  • A high number of failed logins to critical servers, which can indicate a brute-force password attack.
  • A configuration change, such as an unauthorized port being enabled.
  • An inappropriate use of protocols and applications, such as sensitive data being exfiltrated via P2P or social media applications; in this case, detection requires application-aware (Layer 7) monitoring with flow analysis and deep examination of packet content.
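As an added illustration of the rule-based correlation described above (this is example code written for this page, not part of the original post and not QRadar product code), the Python script below runs five such rules over a handful of constructed, already-normalised log records: a flow to a destination outside the home country, an unknown Windows service starting, a burst of failed logins on one host within an hour, a large off-hours outbound volume from a file server, and a firewall change enabling an unapproved port. The GeoIP table, host names, service baseline, approved-port list and thresholds are all assumptions made for the example; a real deployment would take them from a GeoIP database, an asset inventory and a tuned policy.

```python
"""Rule-based correlation over normalised log records (constructed example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Stand-in for a GeoIP lookup; the addresses are documentation ranges, not real hosts.
GEO = {"198.51.100.7": "US", "192.0.2.10": "US", "203.0.113.42": "CN"}
HOME_COUNTRIES = {"US"}                   # destinations outside this set are anomalous
KNOWN_SERVICES = {"Spooler", "W32Time", "Dnscache"}   # assumed known-good service baseline
APPROVED_PORTS = {80, 443, 3389}          # assumed firewall change policy
BUSINESS_HOURS = range(8, 19)             # 08:00-18:59 local time
FAILED_LOGIN_THRESHOLD = 5                # failures per host per hour
OFF_HOURS_BYTES_THRESHOLD = 500_000_000   # 500 MB outbound from one host at night

# Constructed sample records: one dict per event, as a collector would normalise them.
EVENTS = [
    {"type": "flow", "ts": "2011-12-01T03:10:00", "src": "thermostat-01", "dst": "203.0.113.42", "bytes": 4096},
    {"type": "flow", "ts": "2011-12-01T10:00:00", "src": "ws-014", "dst": "198.51.100.7", "bytes": 20000},
    {"type": "flow", "ts": "2011-12-01T23:40:00", "src": "sharepoint-01", "dst": "192.0.2.10", "bytes": 750_000_000},
    {"type": "service_start", "ts": "2011-12-01T02:15:00", "host": "ws-014", "service": "svchost_update"},
    {"type": "service_start", "ts": "2011-12-01T09:00:00", "host": "ws-021", "service": "Spooler"},
    *[{"type": "auth_fail", "ts": f"2011-12-01T02:{m:02d}:00", "host": "dc-01", "user": "admin"} for m in range(7)],
    {"type": "auth_fail", "ts": "2011-12-01T09:30:00", "host": "fs-01", "user": "jsmith"},
    {"type": "config_change", "ts": "2011-12-01T04:00:00", "host": "fw-01", "port_enabled": 4444},
    {"type": "config_change", "ts": "2011-12-01T11:00:00", "host": "fw-01", "port_enabled": 443},
]


def rule_foreign_destination(events):
    """Any flow whose destination resolves outside the home countries (or not at all)."""
    return [("foreign_destination", e["src"], e["dst"], GEO.get(e["dst"], "unknown"))
            for e in events
            if e["type"] == "flow" and GEO.get(e["dst"]) not in HOME_COUNTRIES]


def rule_unknown_service(events):
    """A Windows service starting that is not in the known-good baseline."""
    return [("unknown_service", e["host"], e["service"])
            for e in events
            if e["type"] == "service_start" and e["service"] not in KNOWN_SERVICES]


def rule_failed_logins(events):
    """Failed logins bucketed per host and hour (ts[:13] is 'YYYY-MM-DDTHH')."""
    buckets = Counter((e["host"], e["ts"][:13]) for e in events if e["type"] == "auth_fail")
    return [("brute_force", host, hour_bucket, n)
            for (host, hour_bucket), n in buckets.items() if n >= FAILED_LOGIN_THRESHOLD]


def rule_off_hours_volume(events):
    """Outbound bytes per source host outside business hours, summed and thresholded."""
    total = defaultdict(int)
    for e in events:
        if e["type"] == "flow" and datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            total[e["src"]] += e["bytes"]
    return [("off_hours_volume", src, b) for src, b in total.items() if b >= OFF_HOURS_BYTES_THRESHOLD]


def rule_unauthorized_port(events):
    """A configuration change that enables a port outside the approved list."""
    return [("unauthorized_port", e["host"], e["port_enabled"])
            for e in events
            if e["type"] == "config_change" and e["port_enabled"] not in APPROVED_PORTS]


RULES = [rule_foreign_destination, rule_unknown_service, rule_failed_logins,
         rule_off_hours_volume, rule_unauthorized_port]


def correlate(events):
    """Run every rule over the event set and return the combined alert list."""
    alerts = []
    for rule in RULES:
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed records the script raises exactly five alerts, one per rule: the thermostat talking to a CN address, the unknown service on ws-014, seven failed admin logins on dc-01 inside one hour, 750 MB leaving the SharePoint server at 23:40, and port 4444 being enabled on the firewall. The normal daytime flow, the Spooler start, the single failed login and the port 443 change produce nothing, which is the point of baselining and thresholds: the alarms are only useful if routine activity stays quiet.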

More information on how organizations can use a unified architecture to reduce risk with continuous, real-time monitoring can be found in the white paper “Countering Advanced Threats.”


Graphic courtesy of the Wall Street Journal (December 21, 2011).


Thursday, 22 December 2011 10:58

Calculating Your Return on Security – Insights Revealed

The value of advanced security solutions might be apparent to infosec professionals, but they often need to justify such purchases to senior management.  Budgets are always tight and the CISO, let alone the CIO, can only fund a fraction of the project proposals he receives.  That’s why customers often ask us to help them estimate the return on investment (ROI) provided by SIEM and Security Intelligence.

We recently had the pleasure of working with IANS Research, who performed a study of the Return on Security (ROS) obtained by Q1 Labs customers.  IANS faculty member Diana Kelley joined me in a lively webinar last week, in which she revealed those findings and shared tips on how organizations can perform their own ROS estimates.

I gleaned two critical sets of information from the white paper and webinar:

  1. A formal structure for analyzing the costs and benefits associated with Security Intelligence deployments
  2. Hard data (costs and benefits) based on the experiences of Q1 Labs customers

With these two elements, you have the foundation to conduct your own ROI / ROS analysis.  View the webinar today to see how.

In the interest of sharing best practices, we’d also like to hear from you, our valued readers.  How have you conducted ROI and ROS analyses in your own organization?


Tuesday, 20 December 2011 13:30

Webinar Wrap-up: Security Best Practices for Healthcare in 2012

Truism: it’s always informative to have customers join us on webinars. Last Thursday’s webinar was no exception, as we had two of our healthcare customers accompany us for an interactive discussion about healthcare security and compliance concerns as we approach 2012. A hearty thanks to both Youssef Jad from McGill University Health Centre and Jerry Walters from OhioHealth for taking time away from their busy days to participate in this discussion.

Here’s a brief clip:

We covered a lot of ground in an hour, but here are a few of the major takeaways:
  • Tuning your security intelligence solution is extremely important to establish a baseline and avoid being overwhelmed with data early on.
  • Visibility into network flows is a huge factor when attempting to track down application related traffic, especially when fully correlated with other events.
  • In the healthcare space, securing the mobile infrastructure is extremely important.
  • Security intelligence solutions like QRadar go way beyond reporting and log management.

During their QRadar proof-of-concept (POC), OhioHealth was able to quickly identify infection sources from a malware outbreak stemming from a zero-day event.  They leveraged QRadar’s unique QFlow capability to analyze network traffic by looking for specific patterns in the traffic, and they now use QFlow extensively to look for abnormal network activity.  QRadar was a replacement for a previous SIEM and log management solution that simply ran out of gas – it could not scale to support the high volume of security events that OhioHealth needed to monitor.

At McGill University Health Centre, QRadar was deployed in just a few days using the system’s pre-built templates.  Tuning and creating custom rules required an additional month, but this is an important step to effectively isolate incidents.  The solution has already been used to identify malware attacks, and it is a key element of their change control process because it is used to identify unauthorized or erroneous configuration changes that affect the availability of critical applications.  McGill chose QRadar after an evaluation process that also included testing ArcSight, which they found to be too complex.

Some of the questions answered in the webcast:
  • Why did you need a security intelligence solution?
  • What were your criteria?
  • What other solutions did you look at?
  • Did you have any challenges getting the solution in place?
  • How large of a staff do you maintain that works directly with QRadar?
  • How many systems and devices were included in your deployment?
  • Once an incident is discovered, how is it handled?

If you missed the live webinar, the recorded version is posted here for your viewing. Have questions while watching? Send them to info@q1labs.com and we’ll get back to you quickly.

Related: Five Ways to Use Security Intelligence to Pass Your HIPAA Audit (eBook)


Thursday, 15 December 2011 11:50

Customer Use Perspective Series Part 3: Why Choose QRadar Over Another Vendor?

Over the past two weeks we have been covering the use case of a Q1 Labs customer in the retail space, with a series of blog posts dissecting their experience with QRadar so far. Now that we have a better idea of why using a security intelligence solution is important and how to make choosing a SIEM vendor relatively painless, let’s hear from our customer on why they chose Q1 Labs’ QRadar over other vendors’ solutions.

For starters, here are a few of their reasons:

  • Ease of use and simple customization – Different parties (network team, DBAs, etc.) were able to use QRadar with a very short learning curve: a one-hour training session was more than enough. With the ability to easily customize views for each group, the unique needs of each group can be met easily with report and dashboard customization.
  • Events Per Second (EPS) and scaling – Our customer needed a solution that can scale EPS based on their varying needs. As they monitor larger portions of their infrastructure with QRadar, they expect correlation to perform efficiently no matter the size of the data volume.
  • Unique approach to log aggregation and event management – The combination of traditional log events and flow data gives our customer a comprehensive view of their environment, enhancing their ability to detect anomalies and other suspicious activity when compared to competing solutions.

In next week’s post, we will hear about their experience setting up and deploying QRadar. But why wait for that if you can watch the whole webcast now?



Wednesday, 14 December 2011 08:50

80,000 Credit Cards Hacked (Why Authentication Alone is Insufficient)

There was an interesting story last week about four Romanian nationals that were charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers.  According to the Federal indictment (pdf), the hackers compromised the credit card data of more than 80,000 customers and used the data to make millions of dollars of unauthorized purchases.

No details yet on how the cybercriminals gained access to the retail point-of-sale (POS) systems on which they installed sniffers in order to steal credit card information, but this story sounds a lot like the Dave & Buster’s hack which occurred in March 2008.  In that case, Maksym Yastremkiy (“Maksik”) and Aleksandr Suvorov (“JonnyHell”) — Ukrainian colleagues of Albert Gonzalez, who hacked Heartland and TJX in the infamous operation he called “Get Rich or Die Tryin” — used social engineering as well as administrative passwords stolen from a POS service provider to steal approximately 5,000 credit and debit cards from Dave & Buster’s. (Maksik is now serving a 30-year sentence in a Turkish prison for hacking into 12 Turkish banks).

There is also similarity with a 2009 POS hack in which cybercriminals used a commercial remote access program to steal credit card information from POS systems.  A POS service provider installed the pcAnywhere program on store POS systems to allow its technicians to fix technical problems remotely — except they used the same username and password for all of the POS systems in various retail chains (according to Wired, the default login was “administrator” and the password was “computer”)!

According to the 2010 Data Breach Investigations Report, stolen and/or weak credentials are the number one hacking type.  The report states that “Stolen credentials offer an attacker many advantages, not the least of which is the ability to disguise himself as a legitimate user. Authenticated activity is much less likely to trigger IDS alerts or be noticed by other detection mechanisms.”  And in the 2011 Data Breach Investigations Report, exploitation of default or guessable credentials is #2 in the “Hacking” category.

The point?  All of these examples highlight a weakness in traditional, credential-based POS security, emphasizing the need for retailers to adopt continuous monitoring, combined with security intelligence, to immediately identify unauthorized or suspicious activity — such as unknown files being uploaded from POS devices to unknown servers (in this case, the files contained stolen credit card numbers, and the servers belonged to the cybercriminals).  Relying on credentials alone is simply not sufficient anymore.
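The passage above makes two points that a small example can make concrete: authenticated activity slips past credential-only controls, and what does give it away is a POS device uploading to a server it has never talked to. The Python below is added example code for this page, not part of the original post, the indictment or any Q1 Labs product. It learns a per-host outbound profile (known destinations plus mean bytes per flow) from a constructed baseline period, then scores later flows against it; every flow in the detection set is assumed to have been opened with valid credentials, so only the behavioural comparison separates them. Host names, addresses, sizes and the factor-of-ten volume threshold are all constructed assumptions.

```python
"""Per-host outbound baseline for POS terminals (constructed example)."""
from collections import defaultdict
from statistics import mean

# Constructed learning-period flows. In the assumed environment a POS terminal talks
# only to the payment processor and the in-store server; names and sizes are made up.
BASELINE_FLOWS = [
    {"src": "pos-101", "dst": "processor.example", "bytes_out": 2_000},
    {"src": "pos-101", "dst": "store-srv", "bytes_out": 50_000},
    {"src": "pos-101", "dst": "processor.example", "bytes_out": 2_200},
    {"src": "pos-101", "dst": "store-srv", "bytes_out": 48_000},
    {"src": "pos-102", "dst": "processor.example", "bytes_out": 2_000},
    {"src": "pos-102", "dst": "store-srv", "bytes_out": 40_000},
]

# Constructed flows from the detection period. Every session here is assumed to have
# been opened with valid credentials, so a credential-only control passes all of them.
DETECTION_FLOWS = [
    {"src": "pos-101", "dst": "processor.example", "bytes_out": 2_100},
    {"src": "pos-101", "dst": "203.0.113.9", "bytes_out": 1_800_000},    # unknown server, large upload
    {"src": "pos-101", "dst": "ntp.example", "bytes_out": 90},           # unknown but tiny
    {"src": "pos-102", "dst": "store-srv", "bytes_out": 5_000_000},      # known peer, abnormal size
    {"src": "pos-103", "dst": "processor.example", "bytes_out": 2_000},  # never seen in baseline
]

VOLUME_FACTOR = 10   # a flow is "large" if it exceeds this multiple of the host's mean


def build_baseline(flows):
    """Learn, per source host, the set of destinations and the mean outbound bytes per flow."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for f in flows:
        dests[f["src"]].add(f["dst"])
        sizes[f["src"]].append(f["bytes_out"])
    return {host: {"dests": dests[host], "mean_out": mean(sizes[host])} for host in dests}


def score_flow(flow, baseline, factor=VOLUME_FACTOR):
    """Classify one flow against the learned profile; None means it looks normal."""
    profile = baseline.get(flow["src"])
    if profile is None:
        return "unprofiled_host"             # asset not seen during learning: check the inventory
    new_dest = flow["dst"] not in profile["dests"]
    large = flow["bytes_out"] > factor * profile["mean_out"]
    if new_dest and large:
        return "exfil_suspected"             # large upload to a server this host never used
    if new_dest:
        return "new_destination"
    if large:
        return "volume_anomaly"
    return None


def detect(flows, baseline):
    """Return (src, dst, verdict) for every flow that deviates from its host's profile."""
    results = []
    for f in flows:
        verdict = score_flow(f, baseline)
        if verdict is not None:
            results.append((f["src"], f["dst"], verdict))
    return results


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    for hit in detect(DETECTION_FLOWS, profile):
        print(hit)
```

The routine authorisation to the processor scores as normal, while the 1.8 MB upload from pos-101 to an address it has never contacted comes out as the highest-severity verdict. The two weaker verdicts matter too: a new but tiny destination and an oversized transfer to a known peer are exactly the cases an analyst tunes, either by adding the peer to the profile or by lowering the factor for devices that should never move bulk data.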

Learn more about how Q1 Labs is helping retailers protect sensitive information — and pass their compliance audits faster and with less effort — by leveraging Security Intelligence, in this data sheet.

PS: This heist also points to the global nature of cybercrime — and the reason why you need centralized, automated, enterprise-scale technology to monitor and correlate security events across multiple devices, systems and geographies.  Operating from Romania, the hackers targeted multiple individual stores in Plaistow, NH, East Northport, NY, Ocala, FL, Fairborn, OH, and Tulare, CA.  They exfiltrated the stolen information to a compromised server belonging to a small business owner in Mechanicsburg, PA, created phony credit cards from a rented house in Belgium, and then used the phony cards to make purchases in France.

