Category: Compliance

Wednesday, 14 December 2011 08:50 1 Comment

80,000 Credit Cards Hacked (Why Authentication Alone is Insufficient)

There was an interesting story last week about four Romanian nationals who were charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers.  According to the Federal indictment (pdf), the hackers compromised the credit card data of more than 80,000 customers and used the data to make millions of dollars of unauthorized purchases.

No details yet on how the cybercriminals gained access to the retail point-of-sale (POS) systems on which they installed sniffers in order to steal credit card information, but this story sounds a lot like the Dave & Buster’s hack which occurred in March 2008.  In that case, Maksym Yastremkiy (“Maksik”) and Aleksandr Suvorov (“JonnyHell”) — Ukrainian colleagues of Albert Gonzalez, who hacked Heartland and TJX in the infamous operation he called “Get Rich or Die Tryin” — used social engineering as well as administrative passwords stolen from a POS service provider to steal approximately 5,000 credit and debit cards from Dave & Buster’s. (Maksik is now serving a 30-year sentence in a Turkish prison for hacking into 12 Turkish banks).

There is also similarity with a 2009 POS hack in which cybercriminals used a commercial remote access program to steal credit card information from POS systems.  A POS service provider installed the pcAnywhere program on store POS systems to allow its technicians to fix technical problems remotely — except they used the same username and password for all of the POS systems in various retail chains (according to Wired, the default login was “administrator” and the password was “computer”)!

According to the 2010 Data Breach Investigations Report, stolen and/or weak credentials are the number one hacking type.  The report states that “Stolen credentials offer an attacker many advantages, not the least of which is the ability to disguise himself as a legitimate user. Authenticated activity is much less likely to trigger IDS alerts or be noticed by other detection mechanisms.”  And in the 2011 Data Breach Investigations Report, exploitation of default or guessable credentials is #2 in the “Hacking” category.

The point?  All of these examples highlight a weakness in traditional, credential-based POS security, emphasizing the need for retailers to adopt continuous monitoring, combined with security intelligence, to immediately identify unauthorized or suspicious activity — such as unknown files being uploaded from POS devices to unknown servers (in this case, the files contained stolen credit card numbers, and the servers belonged to the cybercriminals).  Relying on credentials alone is simply not sufficient anymore.

Learn more about how Q1 Labs is helping retailers protect sensitive information — and pass their compliance audits faster and with less effort — by leveraging Security Intelligence, in this data sheet.

PS: This heist also points to the global nature of cybercrime — and the reason why you need centralized, automated, enterprise-scale technology to monitor and correlate security events across multiple devices, systems and geographies.  Operating from Romania, the hackers targeted multiple individual stores in Plaistow, NH, East Northport, NY, Ocala, FL, Fairborn, OH, and Tulare, CA.  They exfiltrated the stolen information to a compromised server belonging to a small business owner in Mechanicsburg, PA, created phony credit cards from a rented house in Belgium, and then used the phony cards to make purchases in France.
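As an added illustration (not Q1 Labs' or QRadar's code), here is the flow-based check a monitoring rule would apply to the pattern described above: POS hosts pushing unusually large volumes to a destination outside their baseline, and several stores sharing the same unknown destination. The address ranges, threshold and flow records are constructed sample data.

```python
"""Flow-based detection of POS hosts uploading data to destinations outside their baseline.

Added example of the continuous-monitoring approach described above; not vendor code.
All addresses, thresholds and flow records below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the POS segment, and the only destinations a terminal should talk to
# (store management server and the payment processor's range).
POS_SEGMENT = ip_network("10.50.0.0/16")
KNOWN_DESTINATIONS = (ip_network("10.50.1.10/32"), ip_network("198.51.100.0/24"))
# Constructed threshold: a terminal has no business pushing this much to an unknown host.
OUTBOUND_BYTE_THRESHOLD = 1_000_000

# Constructed flow records: (src, dst, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("10.50.3.21", "198.51.100.7", 443, 48_000),    # card authorisations to the processor
    ("10.50.3.21", "10.50.1.10", 445, 120_000),     # nightly sync to the store server
    ("10.50.3.21", "203.0.113.45", 21, 2_400_000),  # large upload to an unknown host
    ("10.50.3.22", "203.0.113.45", 21, 1_900_000),  # second terminal, same unknown host
    ("10.50.3.22", "198.51.100.7", 443, 52_000),
    ("10.1.8.5", "203.0.113.45", 443, 5_000_000),   # not a POS host; out of scope here
]


def is_known_destination(dst):
    """True if the destination address falls inside the POS baseline."""
    return any(dst in net for net in KNOWN_DESTINATIONS)


def find_pos_exfil_candidates(flows, threshold=OUTBOUND_BYTE_THRESHOLD):
    """Sum outbound bytes per (POS host, unknown destination, port); return those over threshold."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if ip_address(src) not in POS_SEGMENT:
            continue
        if is_known_destination(ip_address(dst)):
            continue
        totals[(src, dst, port)] += nbytes
    return sorted((key, total) for key, total in totals.items() if total >= threshold)


def shared_unknown_destinations(flows, min_hosts=2):
    """Unknown destinations contacted by at least min_hosts distinct POS hosts.

    One external server receiving uploads from terminals in several stores is the
    campaign-level signal that a single-store view would miss.
    """
    hosts = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        if ip_address(src) in POS_SEGMENT and not is_known_destination(ip_address(dst)):
            hosts[dst].add(src)
    return {dst: sorted(h) for dst, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for key, total in find_pos_exfil_candidates(SAMPLE_FLOWS):
        print("volume alert:", key, total)
    for dst, srcs in shared_unknown_destinations(SAMPLE_FLOWS).items():
        print("shared unknown destination:", dst, srcs)
```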


Tuesday, 6 December 2011 10:00 No Comments

What Practical Steps Can I Take to Get Started with Security Intelligence?

This is the 6th and final entry in a series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”

To understand how people are getting started with Security Intelligence, let’s go straight to an industry expert: Q1 Labs’ own Chris Poulin.  Chris is not only Q1 Labs’ Chief Security Officer but also the head of our worldwide Professional Services practice, and drives our Customer Council.  Chris has seen more Security Intelligence use cases and customer deployments than most security pros will ever dream (or have nightmares!) about.

I recently sat down with Chris to get the straight talk about how organizations begin their Security Intelligence (SI) journey.  Much of what Chris shared with me has also been published in this SecurityWeek article.  Here are my takeaways from our conversation:

1. Organizations know they need Security Intelligence, but often don’t know where to start.

We often speak with customers whose SI business cases start with regulatory compliance – PCI DSS, HIPAA, NERC CIP, FISMA, NIST 800-53, GPG 13, etc. – and that’s certainly important.  But they know log management and reporting are just the tip of the iceberg in how SI can benefit them.  As Chris noted, using Security Intelligence for compliance alone is like stamping a checkbox with a sledgehammer.

2. There are several use cases that apply to nearly all customers.

Security Intelligence Dashboard

Although SIEM and other Security Intelligence solutions provide great value through company- and industry-specific use cases, they also address many generic use cases.  These include botnet detection, traffic from darknets, excessive authentication failures, and IDS alerts indicating that an attack is targeting an asset the VA scanner reports is vulnerable to that exploit.  SI vendors usually provide out-of-the-box rules (with alerts), reports, dashboard widgets, and saved searches that cover these scenarios.
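Two of the generic use cases just listed, written out as correlation rules over constructed events (an added example, not QRadar's rule engine): ranking IDS alerts by whether the vulnerability scanner reports the target exposed, and flagging a source that racks up authentication failures and then succeeds, the stolen-or-guessed-credential pattern from the first post. Event formats, thresholds and the CVE-EXAMPLE ids are assumptions.

```python
"""Two generic SIEM correlation rules over constructed sample events.

Added example; formats, thresholds and CVE-EXAMPLE placeholder ids are assumptions.
"""
from collections import deque

# Constructed vulnerability-scanner results: asset -> set of reported vulnerability ids.
VA_RESULTS = {
    "10.20.0.15": {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"},
    "10.20.0.16": {"CVE-EXAMPLE-0003"},
}

# Constructed IDS alerts: (timestamp, src, dst, signature, vulnerability id the signature covers).
IDS_ALERTS = [
    (100, "203.0.113.9", "10.20.0.15", "exploit attempt A", "CVE-EXAMPLE-0001"),  # target is vulnerable
    (101, "203.0.113.9", "10.20.0.16", "exploit attempt A", "CVE-EXAMPLE-0001"),  # target not vulnerable
    (102, "203.0.113.9", "10.20.0.17", "exploit attempt B", "CVE-EXAMPLE-0002"),  # target never scanned
]


def prioritise_ids_alerts(alerts, va_results):
    """Rank IDS alerts: high if the scanner confirms the exposure, medium if the asset is
    unscanned (cannot rule it out), low if the asset was scanned and is not vulnerable."""
    ranked = []
    for ts, src, dst, sig, vuln in alerts:
        known = va_results.get(dst)
        if known is None:
            severity = "medium"
        elif vuln in known:
            severity = "high"
        else:
            severity = "low"
        ranked.append((severity, ts, src, dst, sig))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(ranked, key=lambda r: (order[r[0]], r[1]))


# Constructed authentication events: (timestamp, user, src, outcome).
AUTH_EVENTS = [(t, "jsmith", "192.0.2.50", "failure") for t in range(0, 60, 10)]  # 6 failures
AUTH_EVENTS += [
    (70, "jsmith", "192.0.2.50", "success"),  # success right after the failure burst
    (80, "admin", "10.20.0.30", "failure"),   # a single typo; below threshold
    (81, "admin", "10.20.0.30", "success"),
]


def excessive_auth_failures(events, threshold=5, window=300):
    """Flag sources with >= threshold failures inside a sliding window of `window` seconds,
    and escalate if a success from that source follows while failures are still in the window."""
    failures = {}  # src -> deque of failure timestamps still inside the window
    flagged = {}   # src -> "excessive_failures" or "failures_then_success"
    for ts, _user, src, outcome in sorted(events):
        q = failures.setdefault(src, deque())
        while q and ts - q[0] > window:
            q.popleft()
        if outcome == "failure":
            q.append(ts)
            if len(q) >= threshold:
                flagged.setdefault(src, "excessive_failures")
        elif outcome == "success" and src in flagged and q:
            flagged[src] = "failures_then_success"
    return flagged
```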

3. Start with a set of core data sources.

Before you can monitor anything, you need to decide which data sources to start with.  To avoid getting overwhelmed, Chris recommends beginning with a core set of log sources:

  • Authentication events (from Active Directory and other identity management services)
  • Windows, Linux/UNIX, and other OS administration logs
  • Perimeter firewalls and VPN concentrators
  • Anti-malware logs
  • File and directory auditing on high-value servers (those that contain PII, ePHI, financial information, and sensitive company information or intellectual property)

    Automated Server Discovery

In addition, bring in network activity flows (ideally Layer 7 flows) as soon as practical. If incorporated from day one, they can save you a ton of time by automatically discovering and profiling assets and tuning your solution. On an ongoing basis, flows then provide an entirely new dimension of information that leads to better identification of threats, elimination of false positives and faster forensic investigations – across a range of use cases.

4. Define targeted use cases by examining your key business problems.

Once you’re addressing the common use cases, step back and look at your business.  What are you and your executives most concerned about detecting or preventing?  If you’re an investment brokerage, it might be trader fraud.  If you’re a retailer, you might want to protect customers’ PII, including credit card numbers.  If you’re a utility or energy company, you might need to strengthen security around your SCADA systems.  Re-examine the business case for your project, or take a close look at your CEO’s and CIO’s top priorities, to define your next use cases.

5. Spend time understanding your network and your SI solution’s capabilities.

Congratulations, your solution is in production and delivering new real-time intelligence!  Take some time to digest what you’re seeing in its dashboards, reports and offenses (incidents).  Move beyond the well-trodden road and push it to give you more.  You can learn a lot more than just which users can’t enter their passwords correctly the first three times.  Think about new insights you could gain from correlating previously disparate data sets, and new reports you can deliver now that all this data is in a single repository.

6. Phase in IDS/IPS data and other application/user/network telemetry.

IDS/IPS data is also important, but those systems are often improperly tuned, leading to a significant volume of alerts.  Therefore Chris recommends waiting until you’ve brought the number of offenses in your SIEM or SI solution down to about 25 per day before adding IDS/IPS telemetry.

Once you’re in business with IDS/IPS data and have tuned your solution sufficiently, think about layering in additional data sources – such as database (and database security) logs, application logs, physical security system logs, etc. – to improve the accuracy of your risk and threat management efforts.

7. Don’t overlook the value of training and community.

Lastly, remember there are others out there who can help you.  Look into the training options for your products.  Explore vendor and industry conferences that give you the opportunity to meet with peers face to face.  Participate in online vendor communities and industry organizations.  Everyone using SI or SIEM today – and there are tens of thousands of us worldwide – was once a beginner, and went through the same learning curve.  Many will be happy to help, so don’t be shy.

In summary, I hope this blog series has clarified the concept and practice of Security Intelligence.  SI is a powerful new enabler of security and compliance that delivers actionable information through real-time insight and deep forensics.  It provides significant benefits by addressing customers’ needs for intelligence, integration and automation – areas that have historically been the Achilles’ heel of security solutions.  And most importantly, SI solutions are reasonable to implement and manage for both small and large organizations, and deliver value quickly.

For the final word, I look to Jerry Walters of Ohio Health for the customer perspective:

“We’ve seen tremendous value using the QRadar product.  In the past we were very reactive.  My team would get a call to do an investigation, and things had already occurred and we had to piece together what happened.  With QRadar we’re able to see things before they even occur and prevent them upfront before they become a real problem.  [QRadar] helps us get in front of the things we need to be in front of as a security organization.”

Best wishes on your Security Intelligence journey!


Wednesday, 30 November 2011 08:01 No Comments

Customer Use Perspective Series: Part 1 – Why a Major Retailer Uses Security Intelligence

We recently held a webcast with SANS, featuring a major Q1 Labs customer who is a well-known luxury brand in the retail space. They have been relying on the QRadar Security Intelligence Platform to help them tackle compliance regulations, gain visibility into network devices and system logs, display packet level detail, and provide powerful reporting capabilities.

Let’s rewind a bit and discover why they need a SIEM.

PCI compliance is a driving factor since they are a publicly traded company and host payment information. Beyond that, and the reason why they need a SIEM, is the diversity and size of their network. Their infrastructure comprises multiple flavors of UNIX (including HPUX and IBM AIX), Red Hat Linux, and Windows servers, with network devices from Cisco, Checkpoint (firewalls), Solarwinds, and Airwave.

With over 500 stores, a corporate network, and a retail network, they faced a challenge of continuously monitoring for threats and suspicious activities. It was clear to them that simply reviewing logs on a periodic basis was not enough. They needed a SIEM solution to help uncover anomalies on their network in real time.

Of course, you don’t have to wait for each part of this series to be released – watch the full webcast now. In the next part of the series, we will see why selecting a SIEM vendor is not an easy process.


Thursday, 3 November 2011 09:25 No Comments

Chris Poulin outlines the 5 use cases for adopting QRadar Security Intelligence

Ever wonder what the “big deal” is with QRadar Security Intelligence? Watch this short video featuring Chris Poulin to understand what sets QRadar apart from other security intelligence solutions, and why thousands of customers large and small have chosen the QRadar Security Intelligence platform to meet their IT security needs. Learn how QRadar helps customers:

  • Detect threats others miss
  • Consolidate data silos
  • Detect insider threats
  • Predict risks against your business, and
  • Exceed regulation mandates.

Thursday, 13 October 2011 09:10 No Comments

What Are the Benefits of Security Intelligence?

This is part 4 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”

With a firm understanding of Security Intelligence (SI) in hand, let’s get down to brass tacks and review the benefits organizations are gaining from their SI deployments.  Here are several real-world examples:

Improved Compliance

Like it or not, regulatory compliance – for PCI DSS, HIPAA, NERC CIP, SOX and many others – is a major driver of security initiatives.  Although compliance doesn’t guarantee a secure environment, compliance will always get attention and budget because of the potential penalties for failure.  Complying with relevant mandates is just the start of enhancing one’s security posture, but it’s an important first step.  Security Intelligence aids both regulatory and internal policy compliance by logging and proactively monitoring diverse information across the enterprise in real time, providing accountability, transparency and measurability.  It delivers practical value through automated reporting and easy searching of logs, flows and much more.

David Blackburn of California ISO, the electrical grid operator for 80 percent of California, notes, “Compliance was the chief driver in our purchasing a SIEM [solution].  We have many tools that monitor and analyze, but there was no centralized logging capability that [could] analyze those logs and give us good information quickly.”  Hear more about how California ISO uses Security Intelligence for NERC CIP compliance in this video.

Faster Detection and Remediation of Threats

In the post-perimeter world, focusing solely on prevention is a noble but losing proposition.  Boundaries are porous – think mobile computing, social media and cloud computing – and there’s a heightened risk of insider theft, leading to what Forrester calls a “zero-trust” environment.  Security Intelligence solutions address this reality by helping businesses detect and remediate breaches faster.  They have become adept at finding the needle in the haystack, by correlating massive data volumes in real time.  This includes events from network & security devices, servers, applications, directory servers; network activity flows with Layer 7 visibility; asset information; configuration data; vulnerability information; and more.  (If you think SIEM solutions have already been doing this for years, think again.)  SI solutions also aid in remediation by identifying which assets and users were potentially affected by a compromise, and by capturing application content for forensic activities.

Adobe Systems senior network security manager Leon Fong discusses the benefits Adobe received from Security Intelligence in this video.  He explains that QRadar detected threats other security products missed:

“Within 2 months [of deploying the solution], the Conficker worm started hitting our network.  I noticed that we were getting a lot of heavy TCP port 445 traffic being denied by our firewalls.  The next day, the traffic grew 10-fold.  I had to notify our antivirus team that this needed to be looked into.  Soon after, McAfee sent a note of this worm being prevalent.  In this case, the SIEM solution [QRadar] found the problem before McAfee was able to.”

Adobe Systems case study video

Reduction of Insider Fraud, Theft and Data Leakage

External attacks garner most of the headlines, but insider threats can be even more damaging – compromising invaluable intellectual property and even jeopardizing national security.  We’re all familiar with WikiLeaks, but few organizations have come to grips with the true risk of insider threats.  Would you know if an employee was sending key product plans to a competitor, anonymously publishing confidential information, or accessing financial information that could be used for insider trading?  With Security Intelligence solutions, organizations can identify and mitigate those inside threats and many more, by detecting the following:

  • Unauthorized application access or usage
  • Data loss such as sensitive data being transmitted to unauthorized destinations
  • VoIP toll fraud
  • Application configuration issues such as privileged access exceptions
  • Application performance issues such as loss of service or over-usage

A multi-billion-dollar branded consumer products firm recently used its SI solution to detect an attempted data exfiltration by a trusted employee for financial gain.  The company’s executives suspected its intellectual property was being leaked but couldn’t identify the source.  When they applied flow-based network activity monitoring to the situation, they were able to quickly track down the data leakage and stop the employee.  With application content capture, they could even drill down and view the specific emails sent by the employee through his personal email account to the third party.  This prevented the problem from snowballing and potentially causing millions of dollars in damage to the firm.

Pre-Exploit Risk Reduction

Sure, I just finished explaining how you can’t focus only on threat prevention in a post-perimeter, zero-trust world.  But that doesn’t mean you have to give up on prevention either.  No one is ripping out all their firewalls or IDS/IPS products.  Likewise, you shouldn’t overlook some of the more cutting edge approaches to pre-exploit risk reduction.  Three ways SI solutions are helping customers prevent compromises today are by:

  • Automatically monitoring device configurations (e.g., firewalls) and alerting on policy violations
  • Prioritizing the multitude of vulnerabilities reported by vulnerability scanners
  • Performing predictive threat modeling and simulation of network changes

These may sound familiar, but modern SI solutions surpass yesterday’s point products by applying greater intelligence to a broader set of inputs.  Network activity flows, for example, provide a more complete view of the effectiveness of security device rules than configuration data by itself.  As my colleague Brian Mehlman writes, “[Configuration data alone can] miss situations where a configuration is thought to be adequate but for some reason still allows potentially risky network traffic to propagate.”  Similarly, knowledge of network topologies can “minimize false positives common among vulnerability scanners and … [prioritize vulnerabilities] that can be easily exposed because of the way the network is configured.”

A major electric energy transmission company uses QRadar Risk Manager to perform centralized device configuration monitoring and auditing, thus reducing the risk of security breaches.  Because the solution monitors multiple vendors’ security products and uses flow analytics (QRadar QFlow) to paint a rich picture of exposures, the company believes it has significantly strengthened its security and risk posture.  The fact that its risk management capability is part of a broader Security Intelligence solution also reduces training and staffing requirements.

Simplified Operations and Reduction of Effort

Lastly, SI solutions are applying intelligent automation to simplify security operations and reduce the burden on security and network professionals.  IANS just published a study of the Return on Security (ROS) achieved by two large customers, and the findings were compelling.  In addition to estimated risk reduction benefits of $13.5 million, the objective benefits (net of all solution costs) were estimated at $550,000.  These stem from greater efficiencies and elimination of tedious manual tasks.  Again, these were the benefits reported by the customers based on actual experience.  The full report can be accessed here.

Return on Security charts based on IANS white paper

How do these benefits compare to what you’ve received from security solutions?  We welcome comments about your own real-world experiences.

