Posts Tagged ‘retail’
Welcome to the final part of our “customer use perspective” series, where one of our biggest retail customers talks about using network flow data to add a whole new dimension to their security posture. When we talk about network flow, it’s not limited to the typical formats – i.e. NetFlow, J-Flow and sFlow. While standard network flow is useful for establishing a general understanding of network conversations, it doesn’t provide deep visibility into network activity beyond basic network characteristics such as IP addresses, ports and transport protocol.
To help fill this gap, there is QRadar QFlow, which provides Layer 7 visibility (application layer) and stateful classification of applications and protocols such as voice over IP (VoIP), social media, ERP, database, and thousands of other protocols and applications. While this information is powerful on its own, it becomes extremely useful when correlated with network and security events as part of a SIEM and Log Management solution.
Watch the clip to hear how our customer is using QRadar QFlow in their environment:
What can you do with QRadar QFlow?
- Detect zero-day threats through traffic profiling
- Comply with policy and regulatory mandates via deep analysis of application data and protocols
- Monitor social media traffic
- Perform advanced incident analysis by correlating flow and event data
- Continuously profile assets
Learn more about QRadar QFlow and be sure to listen to the full webcast to hear more about how our customer is utilizing the QRadar Security Intelligence Platform to help meet compliance regulations, centralize logs, correlate network events, and detect anomalies that other solutions might miss.
Welcome to the fourth installment of our latest “customer use perspective” series, featuring a large Q1 Labs customer who is a well-known luxury brand in the retail industry. If you missed the first three, you can find them all here.
In this part of the series, our customer covers a few tips, tricks, and best practices when rolling out QRadar.
Below are a few of the high-level topics addressed by our customer, and a synopsis of their thoughts on each.
After you install the appliances and work through the interactive startup menu (setting up IP addresses, DNS entries, etc.), have your network hierarchy ready to go before roll-out for a quicker deployment.
Specific to reporting, there are a number of preset templates. However, it’s simple to create a report on any type of data you want to focus on.
Tech support will help you tweak and tune your installation, whether by phone or through a secure tunnel. Our customer greatly appreciated the secure tunneling, which got their request completed as fast as possible.
The last part of this series will wrap up with a focus on network flow, which can vastly improve your ability to detect anomalies. Until then, watch the first three videos in the series and check out the full on-demand webinar.
Over the past two weeks, we have been covering the use case of a Q1 Labs customer in the retail space with a series of blog posts dissecting their experience with QRadar so far. Now that we have a better idea why using a security intelligence solution is important and how to make choosing a SIEM vendor relatively painless, let’s hear from our customer on why they chose Q1 Labs’ QRadar over other vendor solutions.
For starters, here are a few:
- Ease of use and simple customization – Different parties (network team, DBAs, etc.) were able to use QRadar with a very short learning curve: a one-hour training session was more than enough. With the ability to easily customize views for each group, the unique needs of each group can be met easily with report and dashboard customization.
- Events Per Second (EPS) and scaling – Our customer needed a solution that can scale EPS based on their varying needs. As they monitor larger portions of their infrastructure with QRadar, they expect correlation to perform efficiently no matter the size of the data volume.
- Unique approach to log aggregation and event management – The combination of traditional log events and flow data gives our customer a comprehensive view of their environment, enhancing their ability to detect anomalies and other suspicious activity when compared to competing solutions.
In next week’s post, we will hear about their experience setting up and deploying QRadar. But why wait for that if you can watch the whole webcast now?
There was an interesting story last week about four Romanian nationals that were charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers. According to the Federal indictment (pdf), the hackers compromised the credit card data of more than 80,000 customers and used the data to make millions of dollars of unauthorized purchases.
No details yet on how the cybercriminals gained access to the retail point-of-sale (POS) systems on which they installed sniffers in order to steal credit card information, but this story sounds a lot like the Dave & Buster’s hack which occurred in March 2008. In that case, Maksym Yastremkiy (“Maksik”) and Aleksandr Suvorov (“JonnyHell”) — Ukrainian colleagues of Albert Gonzalez, who hacked Heartland and TJX in the infamous operation he called “Get Rich or Die Tryin” — used social engineering as well as administrative passwords stolen from a POS service provider to steal approximately 5,000 credit and debit cards from Dave & Buster’s. (Maksik is now serving a 30-year sentence in a Turkish prison for hacking into 12 Turkish banks).
There is also similarity with a 2009 POS hack in which cybercriminals used a commercial remote access program to steal credit card information from POS systems. A POS service provider installed the pcAnywhere program on store POS systems to allow its technicians to fix technical problems remotely — except they used the same username and password for all of the POS systems in various retail chains (according to Wired, the default login was “administrator” and the password was “computer”)!
According to the 2010 Data Breach Investigations Report, stolen and/or weak credentials are the number one hacking type. The report states that “Stolen credentials offer an attacker many advantages, not the least of which is the ability to disguise himself as a legitimate user. Authenticated activity is much less likely to trigger IDS alerts or be noticed by other detection mechanisms.” And in the 2011 Data Breach Investigations Report, exploitation of default or guessable credentials is #2 in the “Hacking” category.
The point? All of these examples highlight a weakness in traditional, credential-based POS security, emphasizing the need for retailers to adopt continuous monitoring, combined with security intelligence, to immediately identify unauthorized or suspicious activity — such as unknown files being uploaded from POS devices to unknown servers (in this case, the files contained stolen credit card numbers, and the servers belonged to the cybercriminals). Relying on credentials alone is simply not sufficient anymore.
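The kind of flow-based check the paragraph above describes, as an added example that is not Q1 Labs’ code or QRadar’s own rules: it runs over constructed NetFlow-like records carrying a Layer 7 application label (as a QFlow-style classifier would add) and flags POS hosts that are upload-heavy toward servers not on an allowlist, plus remote-access sessions reaching POS hosts from sources other than the listed vendor address (the pcAnywhere scenario above). The POS subnet, allowlists, threshold, application labels and all addresses are assumptions, drawn from documentation ranges.

```python
"""Two flow-based checks for the POS scenario above (constructed example).

Flow records are a simplified, NetFlow-like form with a Layer 7 application
label; the subnet, allowlists and byte threshold are assumptions.
"""
import ipaddress
from collections import defaultdict

POS_NET = ipaddress.ip_network("10.20.0.0/16")        # assumed POS subnet
KNOWN_DST = {"203.0.113.10", "198.51.100.5"}           # assumed processor / update hosts
VENDOR_SRC = {"198.51.100.20"}                         # assumed POS service-provider jump host
UPLOAD_BYTES = 1_000_000                               # outbound bytes per (src, dst) worth a look

# Constructed flows: (src, dst, dst_port, app, bytes_out, bytes_in); not real data
FLOWS = [
    ("10.20.1.15", "203.0.113.10", 443, "ssl", 48_000, 9_000),        # card authorisation, known host
    ("10.20.1.15", "198.51.100.5", 443, "ssl", 2_000, 900_000),       # software update, download-heavy
    ("10.20.1.15", "192.0.2.77", 21, "ftp", 700_000, 4_000),          # unlisted server, upload-heavy
    ("10.20.1.15", "192.0.2.77", 21, "ftp", 650_000, 3_500),          # same pair later the same day
    ("10.20.2.40", "192.0.2.77", 443, "ssl", 5_000, 20_000),          # unlisted but small, download-heavy
    ("198.51.100.20", "10.20.2.40", 5631, "pcanywhere", 30_000, 80_000),  # vendor remote support
    ("192.0.2.99", "10.20.2.40", 5631, "pcanywhere", 12_000, 45_000),     # remote access from elsewhere
]

def unknown_uploads(flows, pos_net=POS_NET, known=KNOWN_DST, threshold=UPLOAD_BYTES):
    """Map (src, dst) -> bytes sent for POS hosts whose aggregate traffic to a
    destination outside the allowlist exceeds `threshold` and is outbound-heavy."""
    totals = defaultdict(lambda: [0, 0])               # (src, dst) -> [bytes_out, bytes_in]
    for src, dst, _port, _app, b_out, b_in in flows:
        if ipaddress.ip_address(src) not in pos_net or dst in known:
            continue
        totals[(src, dst)][0] += b_out
        totals[(src, dst)][1] += b_in
    return {k: v[0] for k, v in totals.items() if v[0] > threshold and v[0] > v[1]}

def unexpected_remote_access(flows, pos_net=POS_NET, vendors=VENDOR_SRC):
    """Return (src, dst) pairs where a remote-access application reaches a POS
    host from a source that is not a listed vendor address; this keys on the
    Layer 7 label rather than the port, so a moved port does not hide it."""
    remote_apps = {"pcanywhere", "rdp", "vnc"}
    return sorted({(src, dst) for src, dst, _p, app, _o, _i in flows
                   if app in remote_apps and ipaddress.ip_address(dst) in pos_net
                   and src not in vendors})
```

Aggregating per (source, destination) pair over the day is what separates the two 650–700 KB FTP transfers, which are small on their own, from the single large download that a known update host legitimately produces.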
Learn more about how Q1 Labs is helping retailers protect sensitive information — and pass their compliance audits faster and with less effort — by leveraging Security Intelligence, in this data sheet.
PS: This heist also points to the global nature of cybercrime — and the reason why you need centralized, automated, enterprise-scale technology to monitor and correlate security events across multiple devices, systems and geographies. Operating from Romania, the hackers targeted multiple individual stores in Plaistow, NH, East Northport, NY, Ocala, FL, Fairborn, OH, and Tulare, CA. They exfiltrated the stolen information to a compromised server belonging to a small business owner in Mechanicsburg, PA, created phony credit cards from a rented house in Belgium, and then used the phony cards to make purchases in France.
So, you have been given the task of finding a SIEM solution. Not just any solution, but one that is affordable, scalable, easy to deploy and maintain, and creates an impenetrable virtual force-field around your company. Ok, forget that last one.
Does this sound familiar? Your team might be saddled with a looming audit, industry regulations to abide by, overwhelmed by logs, or perhaps having a challenging time monitoring internal and external threats. Whatever the case, it’s clear some new level of intelligence is required to make sense of all that log data and effectively strengthen your security posture.
It just so happens that one of our customers, a worldwide luxury accessory company, had similar challenges and solved many of them by implementing QRadar, which is a next-generation SIEM that we call a Security Intelligence Platform. Of course, while evaluating various solutions, they had several major vendors on their short list. At the time, the industry was dominated by one or two heavyweights, but after a quick and effective proof of concept (POC) demonstrating QRadar’s ability to automatically detect log sources and correlate log events with network activity flows at the application layer (such as VoIP, social media, and P2P), the decision was made to purchase and deploy QRadar.
Simply put, they wanted a next-generation SIEM and log management solution that integrated easily with their existing infrastructure — rather than adjusting their environment to fit the solution.
If you missed the first post in the series, read why our customer needed a SIEM in the first place. In the next part, we will find out why they chose Q1 Labs over other vendors.