Posts Tagged ‘Threat Management’

Thursday, 29 March 2012 11:06

Know Your Users: Using QRadar SIEM for User Activity Monitoring

You know that QRadar SIEM excels at collecting, correlating and reporting on unusual activity, but have you ever wondered how it performs user activity monitoring?  Or what value this would have for your organization?

In this new 8-minute YouTube demo, we look at how the integration of identity and access management data enables real-time user activity monitoring.  We show how QRadar can identify risky or abnormal activity of user groups such as employees with privileged access, contractors, or terminated employees.

What value would user activity monitoring provide?  You might care about a number of use cases:

  • A terminated employee taking action on your network (if terminated, how is he or she still on your network?)
  • A privileged employee accessing databases she doesn’t usually access (is she performing malicious activity? Was her account compromised by an attacker? Or did her responsibilities just change?)
  • An employee from one geography, who does not travel for business, seen performing activity in a different geography (was his account taken over?)
  • A contractor accessing a database or application that he doesn’t require for his job (can he be trusted? Do his actions require closer monitoring?)
  • And many more examples specific to your business.
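The use cases above all come down to the same pattern: an access event is only meaningful once it is joined to what the identity source knows about the account (status, privilege, role, home region, entitlements) and to the account's own history. The following is an added illustration of that join, written for this page; it is not QRadar's rule engine or any Q1 Labs code. The identity directory, the users, the event format and the 30-day "history" are all constructed, and "entitlements" stands in for whatever the IAM feed exposes.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed identity directory (what an HR/IAM feed would supply); every user
# and attribute here is hypothetical.
IDENTITY: Dict[str, dict] = {
    "jdoe":   {"status": "terminated", "privileged": False, "role": "employee",
               "region": "US", "entitlements": set()},
    "asmith": {"status": "active", "privileged": True, "role": "employee",
               "region": "US", "entitlements": {"hr-db", "payroll-db", "crm-db"}},
    "bwong":  {"status": "active", "privileged": False, "role": "employee",
               "region": "SG", "entitlements": {"wiki"}},
    "ctemp":  {"status": "active", "privileged": False, "role": "contractor",
               "region": "US", "entitlements": {"ticketing"}},
}


@dataclass(frozen=True)
class Event:
    user: str        # account name as seen in the log source
    asset: str       # database / application / VPN the event touched
    src_region: str  # region of the source address (assumed GeoIP lookup already done)


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str
    severity: str


def build_baseline(history: List[Event]) -> Dict[str, Set[str]]:
    """Behaviour profile: the set of assets each user touched in the learning window."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in history:
        seen[ev.user].add(ev.asset)
    return dict(seen)


def evaluate(ev: Event, directory=IDENTITY, baseline=None) -> List[Alert]:
    """Correlate one access event with identity attributes and the behaviour baseline."""
    baseline = baseline or {}
    alerts: List[Alert] = []
    ident = directory.get(ev.user)
    if ident is None:
        return [Alert(ev.user, "account not in identity directory", "medium")]
    # Use case 1: a terminated account is still active; nothing else needs checking.
    if ident["status"] == "terminated":
        return [Alert(ev.user, f"terminated account active on {ev.asset}", "high")]
    # Use case 3: activity from a region the user does not work from.
    if ev.src_region != ident["region"]:
        alerts.append(Alert(ev.user,
                            f"activity from {ev.src_region}; home region is {ident['region']}",
                            "medium"))
    # Use case 4: access outside the account's entitlements; contractors and
    # privileged accounts are weighted higher.
    if ev.asset not in ident["entitlements"]:
        sev = "high" if ident["role"] == "contractor" or ident["privileged"] else "low"
        alerts.append(Alert(ev.user, f"{ident['role']} accessed {ev.asset} without entitlement", sev))
    # Use case 2: entitled, but a privileged user touching an asset absent from baseline.
    elif ident["privileged"] and ev.asset not in baseline.get(ev.user, set()):
        alerts.append(Alert(ev.user, f"privileged user first seen on {ev.asset}", "medium"))
    return alerts


def run(events: List[Event], history: List[Event]) -> List[Alert]:
    base = build_baseline(history)
    return [a for ev in events for a in evaluate(ev, IDENTITY, base)]


# Constructed sample data: prior-period history and today's events.
HISTORY = [Event("asmith", "hr-db", "US"), Event("asmith", "payroll-db", "US"),
           Event("bwong", "wiki", "SG"), Event("ctemp", "ticketing", "US")]
TODAY = [
    Event("jdoe", "vpn", "US"),        # terminated account on the VPN
    Event("asmith", "crm-db", "US"),   # entitled, but never used before
    Event("bwong", "wiki", "US"),      # wrong geography for this user
    Event("ctemp", "crm-db", "US"),    # contractor outside entitlements
    Event("asmith", "hr-db", "US"),    # normal, produces nothing
]

if __name__ == "__main__":
    for a in run(TODAY, HISTORY):
        print(a.severity.upper(), a.user, a.reason)
```

The baseline is what separates "unusual" from "unauthorized": the privileged user's CRM query is permitted, so it is a medium-severity prompt to confirm a responsibility change rather than a high-severity finding, while the contractor's identical query has no entitlement behind it and is escalated.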

Without a SIEM solution that can correlate identity and access management data with network activity in real time, most organizations would miss these risks.  But QRadar provides the visibility to know whenever a user performs activity that is risky or abnormal.  Whether you want to be alerted to security and risk incidents in real time or view automated reports periodically, QRadar makes it easy to take a proactive stance toward user risks and improve your security posture.

For more information, visit the Q1 Labs Resource Center today.


Tuesday, 31 January 2012 11:32

You can’t predict every breach, but you can plan your response…

This morning I read an article on Computing.co.uk that asked, “How can organizations be prepared for cyber security incidents they can’t predict?”

I think this is a question a lot of CISOs ask themselves – and certainly, they should be.  In the recent Data Protection & Breach Readiness Guide, published this January by the Online Trust Association (OTA), a key takeaway is “If a business collects data it will experience a data loss incident at some point.”  That said, maybe you can’t predict how you will be breached, but it’s reasonable to assume that you will.  This is the first step in a comprehensive network security strategy.

There are plenty of tools out there that can help analyze network configurations and identify the vulnerabilities that are creating entry points.  You can run simulations and tests, hire white-hat hackers to break into your systems, and monitor network activity until you’re blue in the face.  There are some breaches you can prevent, and there are some that you will never see coming.

The key is to have capabilities that will help you respond to the breach and limit your organization’s exposure as quickly as possible.  How many horror stories have we heard over the past year of high-profile breaches that lasted for months before they were spotted?  How long did it take to find out what really happened?  When breached, you immediately want to know who, what, when and how, so you can brief your constituents (customers, executives, board members, etc.) about what has occurred along with your remediation plan.  This is where Security Intelligence comes in.

A Security Intelligence solution like QRadar can help keep you safe.  It can be a part of your walled fortress, collecting information from across your entire infrastructure and alerting you when anomalies occur or improper configurations create new vulnerabilities.  But more importantly, it can act as a stopgap, the tool you use to help stop the ship from sinking.  Knowing immediately that you have been breached and what has been compromised; knowing how the breach occurred and where it originated; seeing where the information has been distributed, in real time; all of this knowledge can help you respond and stop the threat from spreading further.  And since it’s only a matter of time before a breach occurs, better response preparation could be the competitive advantage you’re looking for.

For more information about breach response best practices, please read Five Ways to Prepare for Your Data Breach.  As always, share your comments and questions below!


Wednesday, 28 December 2011 12:28

Help – My Thermostat is Calling Home to China!

According to a recent report in the Wall Street Journal, a group of hackers in China broke into the U.S. Chamber of Commerce’s network around November 2009 and were not discovered until more than a year later.

The hackers likely used a spearphishing attack to install spyware on end-user machines.  The spyware was used to steal employee administrative credentials, which were then used to install about a half dozen back doors which communicated with computers in China every week or two.

The hackers stole sensitive Chamber data such as trade-policy documents, meeting notes, trip reports and schedules, and emails containing the names of companies and individuals in contact with the Chamber.  They even used their own search tools to locate documents containing keywords related to financial and budget information, and stole all emails from four targeted employees – who worked on Asia policy – for approximately six weeks during one portion of the attack.

And here’s an interesting twist — a thermostat at a Chamber town house on Capitol Hill was communicating with an Internet address in China, and a printer spontaneously started printing pages with Chinese characters.

The Chamber represents the interests of U.S. companies in Washington and its members include most of the nation’s largest corporations.  As a result of this incident, the organization’s COO concluded that “It’s nearly impossible to keep people out.  The best thing you can do is have something that tells you when they get in.  It’s the new normal.  I expect this to continue for the foreseeable future.  I expect to be surprised again.”

So how can next-generation SIEM and Security Intelligence help?

First, we should acknowledge that even strict adherence to some compliance mandates, such as PCI-DSS and HIPAA/HITECH, won’t usually protect intellectual property (IP) such as strategic plans, product designs and proprietary algorithms.  Of course, broader compliance frameworks such as ISO 27001/27002, and NIST 800-53 – as well as recent SEC guidance regarding cybersecurity risks and disclosure – will definitely help tighten controls and improve the overall security posture of your infrastructure by requiring centralized monitoring and other best practices, along with helping to address minimum “standards of due care” expectations of your board of directors, customers and shareholders.

Next-generation SIEM can certainly help in reducing the cost and effort of compliance – by centralizing and automating compliance reporting and efficiently addressing log retention requirements – but it also provides significant added value by helping to proactively detect attacks such as this one.

Second, the fact that the hackers were in the network for more than a year before being detected is not unusual.  According to the 2011 Data Breach Investigations Report, more than 60% of breaches remain undiscovered for a period of months or longer (versus days or weeks).  And according to Kim Peretti, former senior counsel at the U.S. Department of Justice, “Our most formidable challenge is getting companies to detect they have been compromised.”

Why?  Because most organizations still rely on basic server and device logs that are widely dispersed across their infrastructures – combined with manual, after-the-fact log analysis – which makes it virtually impossible to notice an intruder alarm, because the information simply gets lost in the noise.

Continuous real-time monitoring of all network and system activity – combined with real-time event correlation and automated behavior profiling – can help by rapidly identifying anomalous or out-of-policy events such as:

  • A server (or thermostat) communicating with an IP address in China.
  • An unusual Windows service starting up, such as a backdoor or spyware program.
  • A spike in network traffic and/or data server activity, such as a high volume of downloads from a SharePoint server during off-hours.
  • A high number of failed logins to critical servers, which can indicate a brute-force password attack.
  • A configuration change, such as an unauthorized port being enabled.
  • An inappropriate use of protocols and applications, such as sensitive data being exfiltrated via P2P or social media applications; in this case, detection requires application-aware (Layer 7) monitoring with flow analysis and deep examination of packet content.

More information on how organizations can leverage a unified architecture to reduce risk with continuous, real-time monitoring can be found in this white paper, “Countering Advanced Threats.”


Graphic courtesy of the Wall Street Journal (December 21, 2011).


Wednesday, 23 November 2011 08:17

Is the “hack of the week” threat fading?

Not too long ago, in fact just a few weeks or months back, you couldn’t refresh your browser without a new headline about a breach exposing critical data to attack, leakage, etc. Nowadays, the news is full of other topics, but this does not mean the cyber-threat has been diminished or that these hacks of the week aren’t still occurring.  Below is a sampling of the steady stream of security concerns the IBM X-Force has been reporting on:

November 16, 2011: Self Cross Site Scripting Behind Facebook Shock Spam

For the past day now Facebook has been the victim of an attack causing pornographic and other shocking photos to show up in people’s newsfeeds. A statement released by Facebook says that the attackers are using a browser vulnerability which allows a sort of self cross site scripting. Facebook states that users are being tricked into copying and pasting malicious JavaScript into their browser address bar. So far Facebook has yet to determine the browser in question that has this vulnerability. If it is this easy to trick users into pasting JavaScript into their browser, then Facebook may only be the first stop. Companies should communicate with their users to help them understand how pasting JavaScript into their browser can compromise their security. Something like a simple fake contest or prize offering may be enough to entice people to do just about anything from their computer. Remind users that such things are often a scam. Read More Here and Here >

November 15, 2011: DoS Vulnerability Announced in ISC DNS

A new vulnerability in BIND 9 is being actively exploited, causing DNS servers to crash all across the Internet. According to a release from ISC, “Affected servers crash after logging an error in query.c with the following message: ‘INSIST(! dns_rdataset_isassociated(sigrdataset))’”. Multiple versions of BIND 9 are reported to be vulnerable; ISC is still investigating specific version numbers at the time of writing. Currently no workaround or patch is available, however it is under development. We will continue to monitor this situation and update things once a patch is available. Read More >

November 15, 2011: Operation Ghost Click

Recently the FBI announced details on a two year investigation resulting in the arrest of 6 individuals involved in a massive cyber-theft ring. This ring is reported to have infected over 4 million computers through means of a brand of malware dubbed DNSChanger. DNSChanger works by pointing a user’s computer to a rogue DNS server. When the user attempts to visit popular websites, the DNS server sends back a bogus address, sending the user to a malicious site instead. The cyber ring used this vast network of machines to manipulate internet advertising, bringing in over $14 million. The FBI has published the blocks of IPs involved with this activity and advised people to ensure they have no traffic destined to them. Read More >
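The defensive action in the DNSChanger item is a configuration and traffic audit: confirm that every endpoint resolves through your own resolvers, and confirm that no flows are heading to the published ranges. The block below is an added example of that audit, written for this page and not part of the X-Force report or any Q1 Labs tooling. The FBI-published IP blocks are not reproduced; RFC 5737 documentation ranges stand in for them as clearly labelled placeholders, and the approved resolvers, the endpoint inventory export and the flow records are all constructed.

```python
import ipaddress

# Assumed corporate resolvers; endpoints are expected to use only these.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}

# PLACEHOLDER for the rogue-DNS blocks published by the FBI. The real ranges are
# not reproduced here; RFC 5737 documentation ranges stand in for them.
ROGUE_DNS_RANGES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("203.0.113.0/25")]


def in_rogue_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_DNS_RANGES)


def audit_resolvers(inventory_lines):
    """Check which resolvers each endpoint is configured to use.

    Input format (constructed endpoint-agent export): 'hostname,resolver1;resolver2'.
    Returns (host, resolver, finding) tuples; a resolver inside a rogue range is the
    DNSChanger signature, anything else not on the approved list is a policy finding.
    """
    findings = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, resolvers = line.split(",", 1)
        for r in resolvers.split(";"):
            r = r.strip()
            if not r:
                continue
            if in_rogue_range(r):
                findings.append((host, r, "rogue-dns-range"))
            elif ipaddress.ip_address(r) not in APPROVED_RESOLVERS:
                findings.append((host, r, "unapproved-resolver"))
    return findings


def audit_flows(flow_lines):
    """Flag any flow to a rogue range, on any port, not only DNS.

    Input format (constructed): 'src,dst,dport,proto'. A host whose resolver was
    changed may also be redirected to attacker web servers, so the check is not
    limited to port 53.
    """
    hits = []
    for line in flow_lines:
        src, dst, dport, proto = line.strip().split(",")
        if in_rogue_range(dst):
            hits.append((src, dst, int(dport), proto))
    return hits


# Constructed sample inputs.
INVENTORY = [
    "# host,resolvers (constructed endpoint-agent export)",
    "lt-alice,10.0.0.53;10.0.1.53",   # clean
    "lt-bob,192.0.2.9;10.0.0.53",     # primary resolver inside a placeholder rogue range
    "lt-carol,172.16.5.5",            # not rogue, but not an approved resolver either
]
FLOWS = [
    "10.20.3.7,192.0.2.9,53,udp",        # DNS to a rogue range
    "10.20.3.8,10.0.0.53,53,udp",        # DNS to the corporate resolver
    "10.20.3.9,203.0.113.5,80,tcp",      # HTTP to a rogue range: still a hit
    "10.20.3.9,203.0.113.200,443,tcp",   # outside the /25 placeholder: not a hit
]

if __name__ == "__main__":
    for finding in audit_resolvers(INVENTORY):
        print("resolver", *finding)
    for hit in audit_flows(FLOWS):
        print("flow", *hit)
```

The two audits answer different questions: the inventory check finds machines that are already infected or misconfigured even if they are idle, while the flow check catches anything that is actively talking to the listed ranges, including devices that never appear in the inventory.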

The fact that these breaches and vulnerabilities aren’t getting the coverage they once were has me a little concerned.  It’s not that we want to see these fear-inspiring headlines every day, but keeping security top of mind for even the general public means that more people are thinking like we do.  You have to stay ahead of the threat to be safe, and that’s what you get with Security Intelligence.

Register for IBM X-Force Threat Reports to get access to the latest information concerning cyber-threats and security trends.  Learn more about protecting your organization from a breach with this white paper, “5 Practical Steps to Protecting Your Organization Against Breach.”

Wednesday, 16 November 2011 08:19

Football, Paper Hacking and Corkboard Security

My husband and I were watching Sunday Night Football last night when the US Postal Service ran this ad.

The voice-over intones,  “A refrigerator has never been hacked. An online virus has never attacked a corkboard.” The commercial continues with “Give your customers the added sense of security a printed statement or receipt provides. With Mail.”

“We’re the Post Office, and we’re nearly bankrupt: please mail something!”, my husband wisecracked. I immediately thought of Chris Poulin’s presentation on “When refrigerators attack: the future of Smart Grid” which Chris wrote about in a previous post and has spoken about at several recent events. With some new refrigerators offering WiFi-enabled apps, presumably your kitchen is now an attack surface. My second thought was, “What about the business systems that are creating those printouts? They can be hacked. I can request printed statements from my online banking, and I’m still vulnerable to phishing, and the web server is still at risk of buffer overflow attacks.”  There’s also the recent article in Computer Business Review which discusses the risks associated with non-digital breaches, aka lost or stolen files on paper.  The Post Office’s attempt at FUD doesn’t make a lot of sense.

Clearly the ad would like viewers to think that snail-mailed paper statements are at less risk than online accounts, and USPS hopes this will generate some postage revenues. Little wonder: according to a recent Bloomberg article, it lost 22% of its mail volume over the past 5 years.

Is the ad timely? Certainly, in light of news stories covering the recent breaches at Sega, Citibank, Sony and others. But with both my marketing and my technical hats on, I think the ad was less than successful for a number of reasons:

1) The viewer’s call to action was unclear. Go mail a letter? Change one’s online preferences? Disconnect from the scary Internet?

2) It inadvertently raises the question: how secure is your corkboard? While it’s true paper can’t be hacked, it can be copied, tampered with, stolen, eaten by the dog, and destroyed by fire or flood. If you’re really as paranoid as the Post Office would like you to be, shouldn’t you now be weighing your corkboard security risk?

3) It may be underestimating the intelligence of today’s consumers and their knowledge of who is getting hacked. But even if it isn’t, security professionals know the paltry amount of risk reduction yielded by going from paperless back to paper statements.

While the ad was targeted to business, I think it might give some consumers a false sense of security about paper vs. electronic statements, which do nothing to eliminate most vulnerabilities their banks and other service providers are facing. That well-populated corkboard will be scant comfort to a customer whom you must notify of a breach of Personally Identifiable Information (PII) or other compliance violation.

So support the Post Office, by all means, but don’t forget to ask yourself: what’s your strategy for protecting your customers’ data? Check out this recent on-demand webcast to learn more about how Security Intelligence can help organizations with advanced threat detection and prevention.