Author Archive
Posted by Phil Neray in Network Intelligence, Security Intelligence, Threat Management
Earlier this week, IBM announced a network behavioral analysis (NBA) extension for its Network IPS offering which is based on the QRadar Security Intelligence platform.
Using advanced behavioral analytics and anomaly detection, the new QRadar Network Anomaly Detection appliance continuously analyzes network traffic in real-time — using deep packet inspection and passive monitoring of Layer 7 flow data, performed by QFlow and VFlow Collectors — to rapidly identify and prioritize advanced threats such as zero-day attacks and “low and slow” data breaches, as well as more common attacks such as botnets and other malware infections.
In addition, the new appliance correlates its own behavioral information about network activity with alerts and events from the IBM Security Network IPS console, IBM SiteProtector. It also leverages contextual information – to aid in prioritizing the most critical threats – from additional sources including vulnerability assessments, user activity and identity information, and threat intelligence feeds.
By applying behavioral algorithms to network traffic data, the new appliance can immediately flag abnormal events such as:
- Outbound network traffic detected to regions where the company does not conduct any business.
- FTP traffic observed in a department that doesn’t regularly use FTP services.
- A known application running on a non-standard port, or in areas where it is not allowed (e.g. unencrypted traffic running in secure areas of the network).
- Hosts that are sending an abnormally high volume of packets, indicating a potential malware infection.
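The four checks listed above can be modelled as comparisons of each Layer 7 flow record against a baseline profile of what is normal for the network. The script below is an added example, not code from the original post or from the QRadar product; the flow fields, the baseline format, the department and region labels and the packet threshold are all constructed assumptions for illustration, and the asset-to-department mapping is assumed to come from the asset profile database.

```python
"""Flow-based anomaly checks over constructed Layer 7 flow records.

Added example (not Q1 Labs / IBM code). Each flow is compared with a
hand-built baseline that says which destination regions the business
uses, which applications each department normally runs, which ports
each application normally uses, which zones forbid cleartext traffic,
and how many packets per interval a host may send before it is flagged.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_host: str
    department: str   # assumed to come from the asset profile of src_host
    dst_region: str   # assumed geolocation of the destination address
    app: str          # Layer 7 application identified by deep packet inspection
    dst_port: int
    encrypted: bool
    packets: int


# Constructed baseline for a fictional network (values are assumptions).
BASELINE = {
    "business_regions": {"US", "CA", "GB"},
    "dept_apps": {
        "engineering": {"ssh", "http", "https", "ftp"},
        "finance": {"http", "https", "smb"},      # finance never uses FTP
    },
    "standard_ports": {"http": {80, 8080}, "https": {443},
                       "ftp": {21}, "ssh": {22}, "smb": {445}},
    "secure_zones": {"finance"},        # cleartext traffic is not allowed here
    "packet_rate_limit": 5_000,         # packets per interval before a host is flagged
}


def check_flow(flow, baseline=BASELINE):
    """Return the anomaly labels that apply to a single flow record."""
    findings = []
    if flow.dst_region not in baseline["business_regions"]:
        findings.append("outbound-to-unexpected-region")
    if flow.app not in baseline["dept_apps"].get(flow.department, set()):
        findings.append("unusual-application-for-department")
    standard = baseline["standard_ports"].get(flow.app)
    if standard and flow.dst_port not in standard:
        findings.append("application-on-nonstandard-port")
    if flow.department in baseline["secure_zones"] and not flow.encrypted:
        findings.append("cleartext-in-secure-zone")
    return findings


def check_host_volume(flows, baseline=BASELINE):
    """Sum packets per source host across all flows; flag hosts over the limit."""
    per_host = Counter()
    for flow in flows:
        per_host[flow.src_host] += flow.packets
    return {host for host, n in per_host.items() if n > baseline["packet_rate_limit"]}


def analyze(flows, baseline=BASELINE):
    """Run every check and return {src_host: sorted list of anomaly labels}."""
    report = {}
    for flow in flows:
        for label in check_flow(flow, baseline):
            report.setdefault(flow.src_host, set()).add(label)
    for host in check_host_volume(flows, baseline):
        report.setdefault(host, set()).add("abnormal-packet-volume")
    return {host: sorted(labels) for host, labels in report.items()}


# Constructed sample flows; "XX" stands for a region outside the business set.
SAMPLE_FLOWS = [
    Flow("eng-ws-01", "engineering", "US", "https", 443, True, 120),    # normal
    Flow("fin-ws-07", "finance", "US", "ftp", 21, False, 40),           # FTP in finance
    Flow("eng-ws-02", "engineering", "XX", "https", 443, True, 300),    # odd region
    Flow("eng-ws-03", "engineering", "US", "http", 8443, False, 90),    # odd port
    Flow("eng-build-01", "engineering", "US", "ssh", 22, True, 3_500),  # high volume,
    Flow("eng-build-01", "engineering", "US", "ssh", 22, True, 2_500),  # summed per host
]

if __name__ == "__main__":
    for host, labels in analyze(SAMPLE_FLOWS).items():
        print(host, labels)
```

The volume check deliberately aggregates across flows before comparing against the limit, since a host that is "sending an abnormally high volume of packets" usually does so across many small flows rather than one large one.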
Prioritizing Threats and Gaining Greater Visibility
QRadar Network Anomaly Detection allows organizations to quantify multiple risk factors in order to evaluate the significance of a reported threat, including the business value of the targeted assets and any vulnerabilities identified for those assets, such as missing patches. It leverages core QRadar functionality – such as auto-discovery of assets, protocols and services – to provide a comprehensive asset profile database and real-time network view that is continuously updated based on passive monitoring of network flows, without consuming bandwidth or impacting the network infrastructure.
Integrating QRadar Network Anomaly Detection with IBM Network IPS also provides IBM Network IPS customers with enhanced visibility into their data via QRadar’s Big Data capabilities such as instant search (Google-like indexing across large volumes of unstructured data) as well as sophisticated network security dashboards and pre-configured compliance reports.
Upgradeable to Full QRadar SIEM
QRadar Network Anomaly Detection will be upgradeable to the full-blown SIEM capabilities provided by QRadar SIEM. The full SIEM delivers additional capabilities including the ability to collect and correlate events from a wider range of sources such as firewall logs, Windows and Linux host logs, application logs, database activity monitoring and vulnerability assessment technologies such as IBM Guardium, and configuration/patch management systems such as IBM Security Endpoint Manager (BigFix). QRadar SIEM also offers a more comprehensive library of pre-configured correlation rules, dashboards and compliance reports.
Leverages X-Force Threat Intelligence
Like QRadar SIEM, the new appliance receives IP Reputation data from IBM X-Force research, providing insight into suspect entities from a massive URL database containing information about more than 15 billion Web pages and images – believed to be the world’s second-largest URL database (after Google) – which are monitored and classified on a continuous basis.
The X-Force feed provides QRadar Network Anomaly Detection with a list of potentially malicious IP addresses such as malware hosts, spam sources, anonymous proxies and other threats. If the appliance sees any traffic to or from these sites, it can immediately alert the organization and provide rich contextual information about the observed activity.
SNORT Compatibility
IBM also announced the newest version of its Network IPS, which now provides hybrid protection combining the open source capabilities and common rule syntax of SNORT with the broad protection found in IBM’s Protocol Analysis Module (PAM). This gives clients the ability to easily create and share custom IPS rules in a popular open source format while continuing to leverage IBM’s advanced network IPS capabilities.
Considered to be one of the industry’s most comprehensive threat detection engines, IBM’s PAM leverages packet, content, file and session inspection to go beyond the protection offered by traditional IPS technologies and defend against advanced threats such as browser attacks, data leakage and malicious web applications.
Since PAM is modular and extensible and does not depend solely on signature detection, new security protections can be easily added over time. For example, “shell-code heuristics” have been built into PAM to increase its ability to detect obfuscated or dynamic threats.
PAM is also fed updates from IBM X-Force, including protections for new vulnerabilities discovered by IBM’s X-Force R&D team as well as threat information obtained from the real-time monitoring of 12 billion security events per day and 20,000+ devices for IBM’s managed services clients in more than 130 countries worldwide.
IBM’s Vision for Advanced Threat Protection
This announcement demonstrates IBM’s commitment to evolving its IPS technology to provide advanced threat protection at the network layer, in combination with QRadar Security Intelligence and X-Force Threat Intelligence. This vision will continue to be expanded and delivered over time.
To read the full press release of the announcement, click here.
To read a detailed blog posting describing the benefits of combining IPS with Security Intelligence, click here.
Posted by Phil Neray in Cybersecurity, Federal, Security Intelligence, SIEM
According to a recent report in the Wall Street Journal, a group of hackers in China broke into the U.S. Chamber of Commerce’s network around November 2009 and were not discovered until more than a year later.
The hackers likely used a spearphishing attack to install spyware on end-user machines. The spyware was used to steal employee administrative credentials, which were then used to install about a half dozen back doors which communicated with computers in China every week or two.
The hackers stole sensitive Chamber data such as trade-policy documents, meeting notes, trip reports and schedules, and emails containing the names of companies and individuals in contact with the Chamber. They even used their own search tools to locate documents containing keywords related to financial and budget information, and stole all emails from four targeted employees – who worked on Asia policy – for approximately six weeks during one portion of the attack.
And here’s an interesting twist — a thermostat at a Chamber town house on Capitol Hill was communicating with an Internet address in China, and a printer spontaneously started printing pages with Chinese characters.
The Chamber represents the interests of U.S. companies in Washington and its members include most of the nation’s largest corporations. As a result of this incident, the organization’s COO concluded that “It’s nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in. It’s the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again.”
So how can next-generation SIEM and Security Intelligence help?
First, we should acknowledge that even strict adherence to some compliance mandates, such as PCI-DSS and HIPAA/HITECH, won’t usually protect intellectual property (IP) such as strategic plans, product designs and proprietary algorithms. Of course, broader compliance frameworks such as ISO 27001/27002, and NIST 800-53 – as well as recent SEC guidance regarding cybersecurity risks and disclosure – will definitely help tighten controls and improve the overall security posture of your infrastructure by requiring centralized monitoring and other best practices, along with helping to address minimum “standards of due care” expectations of your board of directors, customers and shareholders.
Next-generation SIEM can certainly help in reducing the cost and effort of compliance – by centralizing and automating compliance reporting and efficiently addressing log retention requirements – but it also provides significant added value by helping to proactively detect attacks such as this one.
Second, the fact that the hackers were in the network for more than a year before being detected is not unusual. According to the 2011 Data Breach Investigations Report, more than 60% of breaches remain undiscovered for a period of months or longer (versus days or weeks). And according to Kim Peretti, former senior counsel at the U.S. Department of Justice, “Our most formidable challenge is getting companies to detect they have been compromised.”
Why? Because most organizations still rely on basic server and device logs which are widely dispersed across their infrastructures – combined with manual, after-the-fact log analysis – making it virtually impossible to detect any intruder alarms because the information simply gets lost in the noise.
Continuous real-time monitoring of all network and system activity – combined with real-time event correlation and automated behavior profiling – can help by rapidly identifying anomalous or out-of-policy events such as:
- A server (or thermostat) communicating with an IP address in China.
- An unusual Windows service starting up, such as a backdoor or spyware program.
- A spike in network traffic and/or data server activity, such as a high volume of downloads from a SharePoint server during off-hours.
- A high number of failed logins to critical servers, which can indicate a brute-force password attack.
- A configuration change, such as an unauthorized port being enabled.
- An inappropriate use of protocols and applications, such as sensitive data being exfiltrated via P2P or social media applications; in this case, detection requires application-aware (Layer 7) monitoring with flow analysis and deep examination of packet content.
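Several of the conditions in the list above are correlations over host and device logs rather than over flows: a burst of failed logins to a critical server, a service starting that is not on the known list, an off-hours download spike, and a port being enabled outside the approved set. The script below is an added example, not code from the original post or from any Q1 Labs or IBM product; the key=value log format, the sample log lines, the host and service names, and every threshold are constructed assumptions chosen to illustrate the correlation logic.

```python
"""Event-correlation checks over constructed host and device log lines.

Added example (not Q1 Labs / IBM code). The log format is an assumed
'timestamp key=value key=value ...' layout; the policy values below
(critical servers, known services, allowed ports, thresholds) are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy and baseline values for a fictional environment.
CRITICAL_SERVERS = {"dc-01", "sharepoint-01"}
KNOWN_SERVICES = {"Spooler", "W32Time", "wuauserv"}
ALLOWED_PORTS = {22, 80, 443}
FAILED_LOGIN_THRESHOLD = 5            # failures from one source within WINDOW
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(8, 18)         # 08:00 to 17:59 local time
OFFHOURS_DOWNLOAD_BYTES = 50_000_000  # per user, summed over off-hours downloads

# Constructed sample log (not real data); one event per line.
SAMPLE_LOG = """\
2011-12-22T02:10:00 host=dc-01 type=logon_failed src=10.0.5.23 user=admin
2011-12-22T02:10:30 host=dc-01 type=logon_failed src=10.0.5.23 user=admin
2011-12-22T02:11:00 host=dc-01 type=logon_failed src=10.0.5.23 user=admin
2011-12-22T02:11:30 host=dc-01 type=logon_failed src=10.0.5.23 user=admin
2011-12-22T02:12:00 host=dc-01 type=logon_failed src=10.0.5.23 user=admin
2011-12-22T02:12:30 host=dc-01 type=logon_failed src=10.0.5.23 user=admin
2011-12-22T09:00:00 host=sharepoint-01 type=logon_failed src=10.0.7.4 user=jdoe
2011-12-22T09:00:20 host=sharepoint-01 type=logon_failed src=10.0.7.4 user=jdoe
2011-12-22T09:30:00 host=fin-ws-07 type=service_started service=Spooler
2011-12-22T09:31:00 host=fin-ws-07 type=service_started service=updsvc
2011-12-22T03:05:00 host=sharepoint-01 type=download user=jdoe bytes=30000000
2011-12-22T03:20:00 host=sharepoint-01 type=download user=jdoe bytes=25000000
2011-12-22T14:00:00 host=sharepoint-01 type=download user=asmith bytes=10000000
2011-12-22T10:00:00 host=fw-edge-01 type=port_enabled port=443
2011-12-22T10:01:00 host=fw-edge-01 type=port_enabled port=3389
"""


def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    timestamp, rest = line.split(" ", 1)
    event = {"ts": datetime.fromisoformat(timestamp)}
    for token in rest.split():
        key, value = token.split("=", 1)
        event[key] = value
    return event


def failed_login_bursts(events):
    """(server, source) pairs with >= threshold failures inside a sliding window."""
    attempts = defaultdict(list)
    for ev in events:
        if ev["type"] == "logon_failed" and ev["host"] in CRITICAL_SERVERS:
            attempts[(ev["host"], ev["src"])].append(ev["ts"])
    alerts = set()
    for key, times in attempts.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= WINDOW:
                j += 1
            if j - i >= FAILED_LOGIN_THRESHOLD:
                alerts.add(key)
                break
    return alerts


def unexpected_services(events):
    """(host, service) pairs for service start-ups not on the known list."""
    return {(ev["host"], ev["service"]) for ev in events
            if ev["type"] == "service_started" and ev["service"] not in KNOWN_SERVICES}


def offhours_download_spikes(events):
    """(server, user) pairs whose off-hours download volume exceeds the limit."""
    per_user = defaultdict(int)
    for ev in events:
        if ev["type"] == "download" and ev["ts"].hour not in BUSINESS_HOURS:
            per_user[(ev["host"], ev["user"])] += int(ev["bytes"])
    return {key for key, total in per_user.items() if total > OFFHOURS_DOWNLOAD_BYTES}


def unauthorized_port_changes(events):
    """(device, port) pairs where a port outside the approved set was enabled."""
    return {(ev["host"], int(ev["port"])) for ev in events
            if ev["type"] == "port_enabled" and int(ev["port"]) not in ALLOWED_PORTS}


def correlate(log_text):
    """Parse the log once and run every check over the resulting events."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "unexpected_services": unexpected_services(events),
        "offhours_download_spikes": offhours_download_spikes(events),
        "unauthorized_port_changes": unauthorized_port_changes(events),
    }


if __name__ == "__main__":
    for name, hits in correlate(SAMPLE_LOG).items():
        print(name, sorted(hits))
```

Each check is keyed on a pair (server and source, host and service, server and user, device and port) rather than on a single field, which is what keeps two failed logins from a legitimate user on one server from being summed with a burst against another; the off-hours check likewise sums per user so that a spike split across several medium-sized downloads is still caught.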
More information on how organizations can leverage a unified architecture to reduce risk with continuous, real-time monitoring, can be found in this white paper, “Countering Advanced Threats.”
Graphic courtesy of the Wall Street Journal (December 21, 2011).
Posted by Phil Neray in PCI, Retail, Security Intelligence
There was an interesting story last week about four Romanian nationals who were charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers. According to the Federal indictment (pdf), the hackers compromised the credit card data of more than 80,000 customers and used the data to make millions of dollars of unauthorized purchases.
No details yet on how the cybercriminals gained access to the retail point-of-sale (POS) systems on which they installed sniffers in order to steal credit card information, but this story sounds a lot like the Dave & Buster’s hack which occurred in March 2008. In that case, Maksym Yastremkiy (“Maksik”) and Aleksandr Suvorov (“JonnyHell”) — Ukrainian colleagues of Albert Gonzalez, who hacked Heartland and TJX in the infamous operation he called “Get Rich or Die Tryin” — used social engineering as well as administrative passwords stolen from a POS service provider to steal approximately 5,000 credit and debit cards from Dave & Buster’s. (Maksik is now serving a 30-year sentence in a Turkish prison for hacking into 12 Turkish banks).
There is also similarity with a 2009 POS hack in which cybercriminals used a commercial remote access program to steal credit card information from POS systems. A POS service provider installed the pcAnywhere program on store POS systems to allow its technicians to fix technical problems remotely — except they used the same username and password for all of the POS systems in various retail chains (according to Wired, the default login was “administrator” and the password was “computer”)!
According to the 2010 Data Breach Investigations Report, stolen and/or weak credentials are the number one hacking type. The report states that “Stolen credentials offer an attacker many advantages, not the least of which is the ability to disguise himself as a legitimate user. Authenticated activity is much less likely to trigger IDS alerts or be noticed by other detection mechanisms.” And in the 2011 Data Breach Investigations Report, exploitation of default or guessable credentials is #2 in the “Hacking” category.
The point? All of these examples highlight a weakness in traditional, credential-based POS security, emphasizing the need for retailers to adopt continuous monitoring, combined with security intelligence, to immediately identify unauthorized or suspicious activity — such as unknown files being uploaded from POS devices to unknown servers (in this case, the files contained stolen credit card numbers, and the servers belonged to the cybercriminals). Relying on credentials alone is simply not sufficient anymore.
Learn more about how Q1 Labs is helping retailers protect sensitive information — and pass their compliance audits faster and with less effort — by leveraging Security Intelligence, in this data sheet.
PS: This heist also points to the global nature of cybercrime — and the reason why you need centralized, automated, enterprise-scale technology to monitor and correlate security events across multiple devices, systems and geographies. Operating from Romania, the hackers targeted multiple individual stores in Plaistow, NH, East Northport, NY, Ocala, FL, Fairborn, OH, and Tulare, CA. They exfiltrated the stolen information to a compromised server belonging to a small business owner in Mechanicsburg, PA, created phony credit cards from a rented house in Belgium, and then used the phony cards to make purchases in France.