Posts Tagged ‘breaches’
As I sat down to watch the new James Bond film with my usual supplies of fizzy drinks and sugary sweets, I was very surprised when he decided to take on the cyber terrorist at large and solve the problem single-handedly, physically and without the need for a Security product in sight!
Of course we don’t all have a secret agent in our organization, driving around eradicating danger. However, security teams can prepare and have clear, flexible strategies in place to reduce risk on their network.
The premise of the film (spoiler alert) is a cyber terrorist getting into the British Secret Service network undetected and causing harm to key personnel. The clever methods used to infiltrate the network highlight what is happening on a daily basis to security teams globally, and though a great film, probably made many security personnel squirm slightly in their chairs when seeing the consequences that could occur!
From internal constraints to the rise of Advanced Persistent Threats (an ESG research report highlighted that 59% of enterprise organizations think they have been a target of an APT attack), the role of the security team is becoming ever more complex. The requirement for a clear security strategy, which is able to adapt and be flexible to an organization’s evolving needs, is vital.
In an exclusive webcast with Dark Reading on 12/13/2012 at 1200 ET, Q1 Labs’ very own James Bond, Michael Applebaum, and Jon Oltsik, Senior Principal Analyst at ESG, will be presenting “Information Security in Transition: Top things to consider in 2013”. In this must-attend event there will be recommendations on how to improve your organization’s information security model and, importantly, the key issues that you are likely to face in 2013.
If you don’t want to wait for our webcast to get this information, please download Jon Oltsik’s report “Enterprise Information Security in Transition”.
As the news broke that the final trilogy of Star Wars was going to be made, I was excited and intrigued about the plot. However, one question I always ask myself is, “How different would the story have been if the Deathstar were more secure?”
Along with most Star Wars fans, the moment when the rebel alliance flew in en masse to destroy the Deathstar was one of great intrigue. With a power so great and protection around the entire perimeter of the battlestation, how could it ever be penetrated?
Of course the hero, Luke Skywalker, comes to save the day by finding a small gap and, undetected, he flies through to the center of the Deathstar, destroying it and escaping without a single scratch.
When comparing this scenario to what we see every day in the news regarding cyber attacks, it is very similar, right down to the part where organizations react to the breach far too late. It is of utmost importance for organizations to make sure they are able to see and react instantly when a security breach is happening, no matter how small. As we see with the case of the Deathstar, it only takes one opening for an attacker to slip in and cause a tremendous amount of damage. We only have to look at the news, where an attacker describes how he stole a database of 150,000 contacts using a SQL injection (more details) without any reaction.
Having a thorough Security Intelligence strategy in place, with a next generation SIEM as the center piece, is vital for an organization. With the advantage of real-time normalization and correlation across your network, any abnormal behavior will be highlighted and notified immediately to your security team, detailing where, when, how, what and why about the attack.
It is just my opinion, but if the Deathstar had an anomaly detection system to highlight immediately when enemies were within its network, Darth Vader would have had a much easier life... “May the Force be with you”.
To learn more about securing your own “Deathstar,” watch this Dark Reading webcast featuring end user Richard Webster, Senior Manager of Security at Sanofi, and Michael Applebaum, Director of Product Marketing at Q1 Labs, an IBM Company. In it, they discuss real-world lessons about applying Security Intelligence and next-generation SIEM for threat protection.
Four people standing in a semi-circle, looking down with grave expressions. Two men are dressed in plain, navy blue suits. The remaining two are well dressed: a woman and a man, clearly business professionals, probably executive management.
“I’ve never seen anything like this in all my years as an investigator,” says one of the men in a cheap suit. The other man remains impassive and grim behind his aviator sunglasses.
The woman lowers her forehead to the palm of her hand and shakes her head. “You hear about this once in a while in the news, but you never think it’ll happen to you.”
Her colleague nods his agreement, reflecting on the situation. “A healthy regimen, regular testing, and you fall into the trap of believing it will be old age that delivers the final blow. But then a simple infection takes down the strongest.”
Pan out, revealing the computer screen they’re all gazing at. A stock ticker shows steady growth for most of the diagram on the screen, followed by a steep fall at the end.
The investigator reaches out and turns off the monitor. “Staring at it won’t bring it back, folks. You did all you can: formal processes for system hardening and patching, penetration testing, application firewalls–you followed the defense in depth playbook to a ‘T’. But even Achilles had a weakness. You’ve been compromised.”
The second investigator whips off his sunglasses. “Damned hackers and their advanced persistent threats,” he sneers.
Well, maybe it’s not quite that dramatic, at least not the denouement of a successful attack; yet it can be just as devastating to your business. Many executives are more concerned about negative publicity than monetary fines when it comes to computer security. With the spate of information security compromises in the last couple of years, earning 2011 the title of “Year of the Security Breach” by IBM’s X-Force in their Trend and Risk Report, coupled with mandatory reporting requirements for private records exposure, such as the new rules proposed by EU Justice Commissioner Viviane Reding and HITECH’s requirement in the US, organizations are feeling pressure from both their attackers and legislative bodies.
The fictional scene above is taken from a real-life case, where 35 million customer records were stolen from a service provider. Ironically, they had near perfect security controls. So good, in fact, that the attackers ended up compromising a third party who provided utility software, and trojaned their product. The primary target didn’t detect the malware since it was specifically written for the specific attack circumstance, and no anti-malware solution had a signature for it. Adding insult to injury, the target’s own patch management process ended up being an effective mechanism for thoroughly distributing the malware, pervading their environment.
It would seem that resistance is futile: no matter what you do, a persistent and creative attacker will find a way to compromise your systems. That doesn’t mean all is lost: compromise is not the problem; data theft, including surveillance, and data destruction are. Just like biological infection, the introduction of a foreign organism isn’t the problem; we live with plenty of parasitic entities that cause no consequential damage. Most of your relatives’ computers are bot infected, but until they receive a directive from their command and control server, they’re relatively harmless.
That’s not to say you should live with a freeloading piece of malware as a tenant and wait for it to go rogue. But when your defenses fail to both keep out and keep in badness, your next line of defense is the ability to detect it. The purpose of security intelligence is to identify anomalous behavior in your environment early enough to stem the potential damages.
And that’s what I’ll be talking about at RSA Europe 2012, at the Hilton London Metropole: “Staying Out of the Headlines with Security Intelligence”. The presentation is Thursday, October 11 at 14:40 – 15:30 (session ID: DAS309) and I hope to see you there.
If you’re not going to be at RSA Europe, check out my latest webcast with SCMagazine UK.
What would you do if someone was repeatedly trying to break in your front door? Would you add an extra lock and hope that was enough? Would you completely ignore the back door? If you lived in a neighborhood where lots of homes had been broken into, would you do some research to see what the common entry points were and maybe take some precautions to better address those risks, even if your house had been safe so far?
I’d like to think you’d do just about anything in your power to protect your home, and definitely your business. But crossed fingers and deadbolt equivalents seem to be the approach a lot of organizations take when it comes to security, especially network security. Those organizations are resting on hope: hope that they won’t be targeted by a cyber attack, hope that no disgruntled insiders will take a shot, hope that their network security analysts won’t miss something in the piles of log data being generated every minute, and hope that their first-generation solutions are working well enough to catch modern attackers.
Earlier this week I read an article in Network World about the failure of CSOs to properly evaluate risk in their security strategy. It asked the important question: “What happens if your security strategy doesn’t work?” I’m betting there are a lot of organizations out there who don’t know the answer to that question, and if they did, they wouldn’t be happy.
To truly be secure, you need to know where your vulnerabilities are and then figure out how to fix them. Your team needs to be prepared to identify and respond quickly to attempted and successful breaches (because inevitably, some will get through). They also need to know how to minimize the damage that can be caused by an incident. They need to be able to find the who, the what, the when, the where and, most importantly, the how, and they need this information in real time! This is the essence of Security Intelligence. Do you have it?
As we have lately read and seen, the style and sophistication of cyber attacks on organizations’ networks have become ever more complex. One type of attack that has had a lot of media coverage in the UK is the DDoS attack, with hacktivists using multiple IP addresses to attack one IP address within an organization, resulting in critical business services and infrastructure being made unavailable. Although this type of attack may not be news to people, in the UK there has been a lot of fresh exposure, bringing DDoS top of mind.
When reading through these cases it is not the seriousness of the cyber-attack that is the problem, but the late reaction to the attack. These can occur at any time, and in many cases the technology is not in place to detect and highlight them immediately. The consequence? A DDoS attack that happens after people have “finished” work is not acted upon by the security team until the next morning, when the attack has already succeeded in its mission. This raises the need for organizations to have an effective threat detection system that highlights an attack to the security team regardless of the time of day; otherwise a DDoS could be used opportunistically to mask other harmful activities.
Real-time correlation and effective rule settings allow this to be combated successfully. With the right technology in place, automated alerts can be sent to the security team immediately when there is a suspicious incident, such as a DDoS attack. This allows an instant reaction to occur and enables the security team to be on top of the problem instead of chasing the issue, when it’s already too late to stop or prevent more damage.
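To make the correlation rule described above concrete, here is an added Python example (not from the original post and not QRadar’s own rule logic): a sliding-window rule that raises an alert when one destination receives connections from many distinct sources within a short window, and records whether the alert fired outside business hours. The log format, thresholds, business-hours range and IP addresses are all assumed or constructed for the example.

```python
"""Sliding-window "many sources -> one destination" rule, with constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Rule settings: assumed values for the example, not any vendor's defaults.
WINDOW = timedelta(seconds=60)       # correlation window per destination
MIN_DISTINCT_SOURCES = 5             # distinct source IPs needed inside the window
MIN_EVENTS = 20                      # total connections needed inside the window
BUSINESS_HOURS = range(8, 18)        # assumed 08:00-17:59 staffed hours


def parse_line(line):
    """Normalize one constructed log line: '<ISO timestamp> <src ip> <dst ip>'."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def detect_ddos(lines, window=WINDOW, min_sources=MIN_DISTINCT_SOURCES,
                min_events=MIN_EVENTS):
    """Return one alert dict per destination the first time the rule fires.
    Lines must be in chronological order, as a real-time feed would deliver them."""
    recent = defaultdict(list)       # dst -> [(ts, src), ...] still inside the window
    alerts = {}
    for ts, src, dst in map(parse_line, lines):
        events = recent[dst]
        events.append((ts, src))
        while events and ts - events[0][0] > window:   # age out old events
            events.pop(0)
        sources = {s for _, s in events}
        if dst not in alerts and len(events) >= min_events and len(sources) >= min_sources:
            alerts[dst] = {"dst": dst, "first_seen": events[0][0], "at": ts,
                           "events": len(events), "sources": len(sources),
                           "out_of_hours": ts.hour not in BUSINESS_HOURS}
    return list(alerts.values())


# Constructed sample feed: 25 hits from 5 attacking sources on one server at 02:00,
# then 30 hits on another host from a single busy (legitimate) client.
SAMPLE_LOG = (
    [f"2012-09-14T02:00:{i:02d} 198.51.100.{i % 5 + 1} 192.0.2.10" for i in range(25)]
    + [f"2012-09-14T02:01:{i:02d} 203.0.113.7 192.0.2.20" for i in range(30)]
)

if __name__ == "__main__":
    for a in detect_ddos(SAMPLE_LOG):
        when = "OUT OF HOURS" if a["out_of_hours"] else "business hours"
        print(f"ALERT {a['dst']}: {a['events']} connections from {a['sources']} "
              f"sources since {a['first_seen']:%H:%M:%S} ({when})")
```

The single-source host never alerts because the rule requires source diversity as well as volume, which is what distinguishes the distributed attack the post describes from one busy client.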
For more information on how a next generation SIEM and Log Management solution like QRadar can bring you total security intelligence, changing your security posture from reactive to proactive, as well as responding to “dumber” brute force attacks such as DDoS, download this white paper “The Business Case for a Next Generation SIEM.”