Do you have a cyber blind spot?

What's the cost of securing your network from a cyber attack? According to Precision Analytics and The CAP Group, many companies are now spending less than 0.2 percent of their revenue on cybersecurity, at least one-third less than financial institutions. If that's you then you may have a cyber blind spot. Brian Walker, a former head of global information technology for Marathon Oil says, "It’s scary…Executives making funding decisions aren't necessarily millennials who intuitively understand how cyber threats work. It’s guys my age that are the problem,” according to Walker, who said he's in his early 50s. “We've been 30-years-trained in a world that doesn't work this way anymore. This cyber blind spot is a real challenge,” Walker said. “Our fear is that we will play an ostrich and put our head in the sand until something blows up and people get killed, or until the lights go out for a month.”
 
The threat isn't new, but it is escalating.
 
Financial services and retailers have been in the limelight for data breaches. Based on analysis developed over 15 years, energy companies that earn $1 billion in revenue a year generally spend about $1 million for cybersecurity; precision found. In comparison, companies within the financial industry with $1 billion in revenue could spend as much as $3 million.
 
The approach to cybersecurity is also affected by the normal separation of departments within individual companies, the experts said. “At many companies, IT security typically falls under the purview of the chief information officer, while operations security staff report to a different boss,” Walker said. The result, there is a communications gap.
 
It's not that the companies don't care about security. But the threat is growing exponentially, and companies of all types have had a hard time keeping up. For instance, “there's been a dramatic rise in so-called supply-chain attacks where a software update itself has been compromised before it's even introduced into a company system,” Walker said.


Do you have a blind spot? Is it under investment in cybersecurity? Or do you have an overdose of confidence in the shiny security whizzbang, which the vendor promised would be as effective as Iron Dome?
 

Time is money. Downtime is loss of money.

The technological revolution has introduced a plethora of advanced solutions to help identify and stop intrusions. There is no shortage of hype, innovation, and emerging trends in today's security markets. However, data leaks and breaches persist. Shouldn't all this technology stop attackers from gaining access to our most sensitive data? Stuxnet and WannaCry are examples of weaknesses in the flesh-and-bone portion of a security plan. These attacks could have been prevented had it not been for human mistakes.
 
Stuxnet is the infamous worm (allegedly) authored by a joint U.S.-Israeli coalition, designed to slow the enrichment of uranium by Iran's nuclear program. The worm exploited multiple zero-day flaws in industrial control systems, damaging enrichment centrifuges. So, how did this happen?
  • The Natanz nuclear facility, where Stuxnet infiltrated, was air-gapped.
  • Somebody had to physically plant the worm. This requires extensive coordination, but personnel in Natanz should have been more alert.
  • Stuxnet was discovered on systems outside of Natanz, and outside of Iran. Somebody likely connected a personal device to the network, then connected their device to the public Internet.
  • While Stuxnet went from inside to outside, the inverse could easily have happened by connecting devices to internal and external networks.
 
If human beings had updated their systems, we may never have added "WannaCry" to our security lexicon. WannaCry and its variants are recent larger-scale examples. Microsoft had issued patches for the SMBv1 vulnerability, eventually removing the protocol version from Windows. Still, some 200,000 computer systems were infected in over 150 countries worldwide to the tune of an estimated $4 billion in ransoms and damages.
 
The lesson here? We care too much about gadgets and logical control systems, and not enough about the skilled staff needed to operate this technology. Gartner estimates that 40 percent of mid-size enterprises don't have a cybersecurity expert in their organization. A labor shortage for security professionals will prevent you from filling this talent gap for at least three years. A logical solution is to assess which security functions can be effectively delivered as a service to minimize internal staffing requirements.

Services (such as SIEMphonic) solve popular use cases including:
  • Operational tasks such as log monitoring, vulnerability scanning, and firewall management
  • Delivering 24/7 security monitoring when there is not enough staff to accomplish this internally (a minimum of eight to 12 dedicated security analysts are required for 24/7 monitoring)
  • Security monitoring for public cloud environments to ensure users are not placing sensitive data in the cloud in ways that are insecure or non-compliant
  • Building out advanced attack detection capabilities by employing advanced analytics to identify threats through statistical or behavioral anomalies in security events, IT logs, network behavior, network forensics, payload analysis, endpoint behavior, and endpoint forensics
 
Time is money; downtime is loss of money. The cost of doing nothing is significant.
 

Cybersecurity is an Investment, Not a Cost Center

The cybersecurity threat landscape is in constant motion – ever evolving. According to Kaspersky Labs, 323,000 new malware strains are discovered daily! Clearly, this rate of increased risk to a company’s assets and business continuity warrants a smart investment in cybersecurity. Unfortunately, many companies are not keeping pace with their increasing risk, nor could they ever be expected to if their leadership views cybersecurity as a cost center while still viewing other innovations, such as digital transformation, as an investment.

For any digital transformation project to be successful and return the anticipated value, cybersecurity must be considered foundational.

Just as that new $500 suit is an investment to help you get that new job, the cost to have it tailored is part of that investment. The same goes for digital transformation and cybersecurity. But for many companies, the digital transformation is long underway, and cybersecurity desperately needs to catch up. That new suit needs to be tailored quickly before another person sees you in that poor-fitting getup.

A successful cybersecurity strategy is without much hope if executive leadership does not champion the proper investment and prioritize the efforts. The result is too often organizations piecemealing pointed IT security solutions one-at-a-time, failing to prioritize wholistic cybersecurity projects. This only exacerbates the risks to the business, but also hampers the efficiency in accomplishing other technology projects deemed as competitive differentiators.

So, where do you start to improve your cybersecurity posture ASAP?
  1. Get executive support immediately so you don’t spin your wheels on half-baked inefficient IT security practices.
  2. Change the mindset by showing cybersecurity is an investment in the company’s future.
  3. Keep in mind the cybersecurity triad of “platform, people and process”, and seek complete solutions that can ensure long-term success.
Here are some tools to help you along your journey…

Cybersecurity Maturity Model

It’s important to take a step back and understand where you are today, where you should be, and where you want to go next. By considering all four key aspects of a complete security architecture – prevent, detect, respond, and predict – a good Cybersecurity Maturity Model provides a practical stair-step approach toward the appropriate level for your organization.



SIEM Total Cost of Ownership Calculator

Security Information and Event Management (SIEM) is the foundation of any well-grounded IT security strategy. However, depending on your organization’s unique requirements, staffing, and deployment situation, the total cost of SIEM can vary widely. Use our SIEM TCO calculator to compare 1-year and 3-year costs of self-managed and Co-Managed SIEM solutions.

 
 
Calculate your TCO now

 

How to Protect Your Network from Ransomware Tips from the FBI

The FBI estimates that more than 4,000 ransomware attacks have occurred daily since the beginning of 2016. That’s a 300% increase from the previous year. This is due in part to the thriving sector of “ransomware-as-a-service.” Individuals don’t need to possess a certain skill set, but rather, malware developers advertise their ransomware on the dark web to be distributed by less sophisticated attackers. This allows developers/advertisers to take their cut from the ransom amount paid.
 
The cyber criminals behind these attacks aren’t necessarily picky; they target big companies, small businesses, government entities, and individuals. But the damage they cause to small- and medium-size businesses (SMBs) is particularly alarming. A recent report by a security firm last year noted that 22% of SMBs affected by ransomware had to cease operations immediately. One-third had suffered a ransomware attack in the previous year.
 
“If you haven’t been a victim of ransomware or any other type of computer attack, you have to operate as if it’s just a matter of time before you are – and take the steps to protect yourself and mitigate the resulting damage or loss,” says Sheraun Howard, supervisory special agent with the FBI’s Cyber Division in Washington, D.C.
 
How it Works
While the names, details, and entry points of each attack vary, the concept remains the same. First, the bad actors deliver the ransomware. This is often done by spearphishing emails – targeted phishing emails aimed at specific employees that contain personal details to perpetuate the fraud. These emails or email attachments will contain an exploit for a particular software application vulnerability that provides the attacker access to your computer. After the attacker has access to your computer, they typically use additional malware to propagate throughout your network and drop their ransomware onto your environment. Once the ransomware has been delivered in one way or another, it prevents the targeted user from accessing their data or systems by encrypting their files. The targets receive an email, text file, or screen message demanding that they pay a ransom in order to regain that access.
 
How to Defend Yourself
The FBI recommends that all businesses take the following steps to reduce their risk of a ransomware attack:
 
  1. Educate your employees about the risks
  2. Create a security incident response plan
  3. Update and patch software and firmware
  4. Manage privileged accounts
  5. Audit user access to your systems
  6. Use firewalls, spam filters, and anti-virus programs
 
These six recommendations are a solid start for individuals and companies, but at some point, advanced threat protection with Co-Managed SIEM will need to be evaluated and adopted to truly stay ahead of attacks.
 

The Difference Between a SIEM Solution and SIEM Tool: Features vs. Outcomes

Can you simply buy a “SIEM solution”? Turns out you really cannot, no matter how hard you try nor how passionately the vendor promises. What you can buy at the store is a SIEM tool, which is a completely different thing. SIEM tools are products, while implementing a security or compliance solution involves people, process, and technology. SIEM tools are a critical part of SIEM, but they’re not the whole solution.
 
Security processes – unlike appliances, software and services – cannot be acquired in exchange for cash. They can only be established by an organization and then mature to an appropriate level. Developing a policy, as well as operational procedures for SIEM, is an important task that has to be handled by the security team.
 
Over the past decade in working with SIEM technology, this is the one unescapable lesson: People + Process is synonymous with that portion of the iceberg that is under the waterline (not visible and frankly, very large). It has caused very large unsinkable ships to go down (think Titanic).
 
And it is a problem that our Co-Managed SIEMphonic solution was expressly designed to solve. Let us help you strengthen your security defenses, respond effectively, control costs, and optimize your team's capabilities.
 
Catch more threats. Respond quicker. Simplify compliance.
 

Host-based Versus Network-based Security

The argument is an old one; are you better off with a network-based detector, assuming all hosts will eventually communicate, or should you look at each host to determine what they are up to?

Over five years ago, the network was far simpler. There was a clear perimeter – us versus them, if you will. You could examine all traffic at the egress point (so-called North/South traffic) for potentially hostile patterns while pretty much ignoring local traffic (so-called called East/West traffic) as usually benign. This is usually done with the help of attack signatures which are updated periodically. In other words, classic network-based, signature-driven detection.

This applied to firewalls. You could be network-based and/or have one for each host. The attraction of the network-based firewall is simplicity; one device to deploy and manage versus the hassle of configuring one firewall per host. Notice that this depends on the traditional (simple) network with a clear us/them perimeter. But that is a pretty simple, traditional model that is vanishing fast. Applications are moving to the cloud and the perimeter is porous. You pretty much need a micro-fortress around a host or location.

So, what arguments are the network-based passive monitoring solutions making for themselves? And how do they stack up against a host-based managed solution? Let me count the ways…
 
Claim Response
Passive network monitoring has no impact on endpoint performance A well-designed, user-space host-based solution has virtually no impact on the endpoint 
A network-based solution is transparent to system users The host-based sensor runs as a service and is also invisible to users
Network monitoring is invisible to attackers Insiders know of its existence because they have access to the network diagram; every external attacker assumes that network traffic is being monitored and seeks to be stealthy
Network-based monitoring can listen to all endpoints, regardless of type; no specific sensor is needed A host-based sensor must be provided for each endpoint type; the common ones are Windows and Linux
Passive network monitoring devices are easy to install When host-based sensors are provided as a managed service, they are also simple to install
When monitoring at the egress point only, endpoints can move or be added with no extra effort Endpoints are usually not added/moved randomly, but through a defined process; extending this process to accommodate sensor deployment is no more work than deploying patches or anti-virus
 
And then here are challenges with network based monitoring…
 
Challenge Problem
Network-based signatures are always out-of-date or lagging Zero-day attacks are not detected, maybe worse; detection is limited to attacks with signatures only
Packet inspection is blind to encrypted traffic North/south network traffic is increasingly encrypted
Packet inspection is hard to scale as network speeds increase OTOH host-based approaches scale neatly both up and down; we're going to need a bigger boat
Network monitors can’t handle switched networks; it requires span ports Now you need span ports, more hardware, and networking skills
Network monitors usually can only see north/south traffic Insider threat, anyone? Remember Nyety? It spread laterally. Here’s an article about how to detect.
Network monitoring is blind to host activity; new processes, removable media Remember Edward Snowden?
 
Network monitoring does no log collection; therefore, it can’t meet compliance requirements
 
PCI-DSS, NIST 800-171, and all other compliance standards mandate log collection and retention for 1+ years to be able to perform forensics
 
And now, the advantages of a host-based solution…
 
Advantage of a Host-based Solution
Collect audit trail; meets compliance needs
Develop detailed understanding of user behavior; fight insider attacks
Scales well; no single choke point
Detect subtle patterns of misuse which can’t be seen at a higher layer (first-time-seen, zero day)
Effective for encrypted traffic as well
Sees all actions including east/west
Effective against removable media
Works even in switched networks
 
And to be fair, how to address the challenges…
 
Challenge Response
Sensor deployment to nodes SIEMphonic is a managed service; leave the deployment/configuration to us
Sensor can impact node performance The EventTracker Windows sensor consumes 0.1% of memory/CPU resources and 0.001% network bandwidth
Adding nodes means adding sensors It’s no more complicated than deploying anti-virus
Can’t see all network traffic; only those where a sensor is installed The next-gen firewall you already paid for does see this traffic; we get all of its logs, so why duplicate effort/cost
Sensor must be available for chosen platform An EventTracker endpoint sensor is available for Windows, Linux, AS/400, and IBM iSeries
 
Don't bring a knife to a gunfight. Passive network monitoring may be attractive because of deployment simplicity, and the fit and forget promise, but it is not capable of solving today's network security ad compliance challenges.
 

Once More Unto the Data (Breach), Dear Friends

As I reflect on this year, a Shakespearean quote plays out in my mind – when King Henry the Fifth is rallying his troops to attack a breach, or gap, in the wall of a city, “Once more unto the breach, dear friends”. Sadly, this has become the new normal. But even more so, 2017 has felt like Lemony Snicket's, A Series of Unfortunate Events. There were massive data breaches, unintended exposures of sensitive information on the internet, and other unfortunate tech incidents. 
 
Here are the five to illustrate the variety:
  1. Dallas Emergency Sirens: Just before midnight on a Friday in early April, all 156 of the emergency sirens in Dallas started sounding simultaneously for no apparent reason. The hubbub lasted a full 90 minutes before the sirens could be manually overridden and shut down, during which time panicked residents flooded 911 with calls. Dispatchers who typically pick up within 10 seconds were so overwhelmed that the wait time hit six minutes. Officials blamed hackers for the intrusion into their emergency alert system. Nobody had ever thought this could happen.
  2. WannaCry The National Security Agency has for years been diligently finding major weaknesses in commonly used pieces of software. Instead of alerting the affected companies about the vulnerabilities, however, it’s been hiding those aces up its sleeve for future use. This year, a group of hackers calling themselves the Shadow Brokers, stole a bunch of those exploits then proceeded to turn them loose on the internet. North Korea used one such NSA-developed hacking technique to target Windows, resulting in a piece of ransomware called “WannaCry” that crippled an estimated 230,000 computers around the world. Brad Smith, Microsoft’s Chief Legal Officer remarked, "An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
  3. State Election Systems: Russian hackers targeted election systems in 21 states during the 2016 presidential election (to say nothing of their activity on FacebookTwitter, Reddit, etc.), as part of what the Department of Homeland Security called “a decade-long campaign of cyber-enabled operations directed at the U.S. Government and its citizens.” Jeanette Manfra, acting as assistant secretary for the office of cybersecurity and communications, told the Senate Select Committee on Intelligence that "the cyberattacks were intended or used to undermine public confidence in electoral processes.”
  4. : In September, consumer credit ratings agency, Equifax, revealed hackers had stolen the personal details of roughly half of all Americans – 143 million people. Equifax waited five months to tell anyone and then bungled its response, initially forcing those affected to sign a legal document prohibiting them from joining a class-action suit, then inadvertently directing potential victims to a fake phishing site which proceeded to steal yet more information.
  5. Deep Root Analytics: This summer, a Republican data analysis company called Deep Root Analytics left exposed a 1.1-terabyte online database containing the personal information of 200 million American voters. Not just birthdays and addresses, this leak included deeply personal information about individual voters, including their likely stance on abortion, gun control, stem cell research, environmental issues, and 44 other categories.
Will 2018 be better? 
There is the promise of advancements in fields like AI and machine learning. And we could learn from our mistakes but nah, not really. I don't mean to be a nattering nabob of negativism. Given the increasing penetration of IT in every facet of life, so long as those tasked with administering these increasingly complex systems are equipped with weaponry from the last war, then it’s hard to see improvement.

Still bringing a knife to a gunfight? SIEMphonic can help level the odds.
 

True Cost of Data Breaches

The Cisco 2017 Annual Cybersecurity Report provides insights based on threat intelligence gathered by Cisco's security experts, combined with input from nearly 3,000 Chief Security Officers (CSOs), and other security operations leaders from businesses in 13 countries. 
 
Here are some takeaways:
  • Data breaches have repercussions: More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention.
    Lesson: Is sunlight the best disinfectant?
  • Repercussions are expen$ive: For organizations that suffered a breach, the effect was substantial: 22% of breached organizations lost customers – 40% of them lost more than a fifth of their customer base and 29% lost revenue, with 38% of that group losing more than a fifth of their revenue. In addition, 23% of breached organizations lost business opportunities, with 42% of them losing more than a fifth of such opportunities.
    Lesson: There's a bad moon rising.
  • Complexity and skill shortage drive risk: CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security postures. Security leaders also reveal that their security departments are increasingly complex environments with nearly two-thirds of organizations using six or more security products – some with even more than 50 – increasing the potential for security effectiveness gaps and mistakes.
    Lesson: Calculate asset risk to prioritize spending; co-sourcing can help.
  • It’s the basics: Criminals are leveraging "classic" attack mechanisms such as adware and email spam in an effort to easily exploit the gaps that such complexity can create. Old-fashioned adware software that downloads advertising without user permission continues to prove successful, infecting 75% of organizations polled.
    Lesson: Security laggards, beware. Here are "some stories that never happened" from "files that do not exist".
  • Spam works: Spam is now at a level not seen since 2010, and accounts for nearly two-thirds of all email – with 8-10% of it being outright malicious. Global spam volume is rising, often spread by large and thriving botnets.
    Lesson: Spam is easy and effective, so a mix of technology and awareness is needed.
  • Data is everywhere; not much actionable intelligence: Just 56% of security alerts are investigated and less than half of legitimate alerts are actually remediated. Defenders, while confident in their tools, are undermined by complexity and manpower challenges. Criminals are exploiting the inability of organizations to handle all important security matters in a timely fashion.
    Lesson: Look for ease of use; get access to expertise via co-sourcing.
What can/should you do?
  1. Improve threat defense technologies and processes after attacks by separating IT and security functions 
  2. Increase security awareness training for employees 
  3. Implement risk mitigation techniques

The Perimeter is Dead: Long-live the Perimeter

In 2005, the Department of Homeland Security commissioned Livermore National Labs to produce a kind of pre-emptive post-mortem report. Rather than wait for a vengeful ex-KGB hacker agent to ignite an American pipeline until it could be seen from space, the report issued recommendations for preventing an incursion that had yet never happened, from ever happening again.
 
Recommendation Number 1: Know your perimeter.
"The perimeter model is dead," pronounced Bruce Schneier, author of The New York Times' best seller Data and Goliath, and the CTO of IBM Resilient. "But there are personal perimeters. It doesn't mean there exists no perimeters. It just means it's not your underlying metaphor any more. So, I wouldn't say to anyone running a corporate network: There are no perimeters, zero."

"The traditional fixed perimeter model is rapidly becoming obsolete," stated the CSA's December 2013 white paper,” because of BYOD and phishing attacks providing untrusted access inside the perimeter, and SaaS and IaaS changing the location of the perimeter. Software defined perimeters address these issues by giving application owners the ability to deploy perimeters that retain the traditional model's value of invisibility and inaccessibility to ‘outsiders’, but can be deployed anywhere – on the internet, in the cloud, at a hosting center, on the private corporate network, or across some or all of these locations."

This reality invalidates the model of safeguarding the corporate network via the fortress model, one where all assets are inside and a well-defined perimeter exists, which can be defended. Instead, each asset requires a micro-fortress around it, regardless of where it is located. The EventTracker sensor enables a micro-fortress around and near the endpoint on which it operates. It provides host-based intrusion detection, data leak protection and endpoint threat detection. While the sensor itself operates on any Windows platform, it is able to act as a forwarder for any local syslog sources, relaying logs over an encrypted connection.
 
Welcome to your software defined perimeter.
 

Can your Cybersecurity Posture be Called "Reactive Chaos"?

Does this sound familiar? You have no control of your environment and most of your efforts are diverted into understanding what happened, containing the damage, and remediating the issue. New projects, including cloud development and mergers and acquisitions, are significantly stalled. If this does sound familiar, then most likely you are blind to what is happening on the network, unaware of where the weaknesses are, and without the ability to quickly assess risk.

This is the alternate reality organizations enter once they have been materially compromised. It stops business, costs millions, and can have an incalculable impact on current and future customers. You get here by thinking tactically all the time. No time to step back and consider the big picture, instead always making small changes and more investments in new, disparate tools. This wasn't the business plan you started the year with, but it is what will be managed for months, and likely a few years to come.

How can you avoid this? Get visibility of your entire security posture and be able to measure it easily, and preferably, continuously so you can take proactive action – including endpoints and networks. This is important and useful in monitoring, responding to, and in some cases, being able to block potential exploits. But this is only a start.

Embed the culture of security: Have you appointed a cybersecurity champion?
You need a cybersecurity champion just as you need a leader for a fire drill – one who practices and directs the possibly panicked staff in evacuating the floor/building in the event of a fire or other emergencies. By embedding security culture into the organization, you can have the visibility and assurance that you need for the best defense against reactive chaos.

Systemically avoid reactive chaos.
Automate and orchestrate wherever possible to provide better visibility. Co-source when necessary, as it gives you access to experts in cybersecurity at an affordable price point.

Forget 007 Intel…What Truly Wins the War?

How important is intelligence in bringing victory or averting defeat? In our IT Security universe, this refers to "threat intelligence", which has been all the rage for some years now. Indeed, a number of providers charge hefty sums to provide best-of-breed, mixed strategic and tactical, with full actor information, detailed indicators, and with revelations about future attacks targeted at your organization. During a conference, attendees at a roundtable were asked, "If you hear 3 days in advance that you will be hit with a colossal DDoS attack of a particular type, will it help you?" Some people answered “yes” and pointed at specific things they can do in the time they have, while others said, “sort of”. They would still take heavy damage, but may be able to reduce panic and avoid some mistakes in responding. A few said that they will be able to do a few things only… and if the “3-day attack warning” costs them $100K, they won’t sign for it.

F.H. Hinsley, the historian of British intelligence in the real war against Hitler, made a sustained attempt to show how intelligence affected its outcome. His conclusion, which did not please the intelligence establishment, is that the efforts of MI6 and Bletchley Park shortened the war, but emphatically did not win it. As John Keegan noted "The reason is that the fiction of intelligence has worked so powerfully on the Western imagination that many of its readers, including presidents and prime ministers, have been brought to believe that intelligence solves everything. It stops wars starting. If they start nevertheless, it assures that the wrong side loses and the right-side wins."

Actual warfighters (= skilled security professionals) with weapons (=security tools), on top of threat intelligence are needed to win the war. As Chuvakin observed in this Threat Intelligence and Operational Agility article, telling armed peasants and spearmen that a ballistic missile is coming does not help – even if you know the exact model and who launched it. You need to have the defenses, tools, people, and effective processes already in place.

This is the value proposition of our SIEMphonic co-managed SIEM-as-a-service offering. Put our 24/7, ISO 27001-certified team of experts to work for you. They come armed with deep subject matter experience, robust processes,and award-winning weaponry. And oh yes, it’s all integrated with up-to-the-minute threat intelligence.

Still skeptical? See use cases about what the team has caught, in top-secret 007 fashion: from stories that "never happened" from "files that do not exist". Intel never wins wars on its own, but combined with effective teams, defenses, and processes, the right-side may always triumph.

Security Signals Everywhere: Finding the Real Crisis in a World of Noise

Imagine dealing with a silent, but mentally grating barrage of security alerts every day. The security analyst’s dilemma? They either need to cast nets wide enough to identify all potential security incidents, or laser-focus on a few and risk missing an important attack.

A recent Cisco study covered in CSO found that 44 percent of security operations managers saw more than 5,000 security alerts a day. As a consequence, they can only investigate half of the alerts they receive every day, and follow up on less than half of alerts deemed legitimate. VentureBeat says the problem is far worse. Just 5 percent of alerts are investigated due to the time and complexity of completing preliminary investigations.

The CSO article recommends better filtering to reduce threat fatigue, while focusing efforts on the most important risks to a company’s industry and business. These are great suggestions. However, in a world of exploding risks, you need a dedicated team of experts on point 24/7, while deploying technology to stay ahead of the threat landscape.

This is all very cumbersome and expensive. Even the largest companies in the world may not have this level of resources. That is where a tailored, affordable managed threat detection and response or co-managed SIEM comes into play. Here’s why co-managed SIEM is better than a DIY scenario for the digital transformation era:
 
  1. A dedicated SWAT team for security – You may have great analysts, but they’re stretched and may be tired. Expand their reach with a team of external experts who can partner on calibrating and monitoring security services, follow up on alerts, and augment your team when you need more resources due to business growth, staff departures, or an inability to hire enough experts.
  2. – It’s challenging to optimize processes when you’re constantly fighting fires. Leave that work to your partner. EventTracker’s Security Operations Center, for example, is ISO/IEC 27001-certified, and we have to work hard to maintain that certification by continually improving our information management systems for our clients.
  3. – Self-managing a SIEM solution can be expensive and difficult. Co-management is on the rise and expected to grow five-fold by 2020. EventTracker’s SIEMphonic platform provides all the managed security services you need, including SIEM and log management, threat detection and response, vulnerability assessment, user behavior analysis, and compliance management. It collects data from a variety of sources, including your platform, application and network logs; alerts from intrusion detection systems; and vulnerability scans and analyzes it all.  In addition, our HoneyNet deception technology uses virtualized decoys throughout your network to lure bad actors and sniff out attacks.

If you’re concerned about the rise of risks, you should be. Your information security team has great expertise and skills – but it’s probably time to extend their reach.
 
Empower your company with co-managed SIEM and hone in on the real crises, despite a world of noise. Get SIEMphonic managed security service today.

EventTracker Statement on Meltdown and Spectre Vulnerability

On January 3, 2018, an industry-wide hardware-based security vulnerability was disclosed. CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre, and CVE-2017-5754 is the official reference to Meltdown.

To exploit this vulnerability, specific code must be run on a CPU. The hosted EventTracker SIEMphonic service is provided from our own data center, and does not use compute-as-a-service from providers such as AWS EC2 or Azure who allow customers to run arbitrary code on the provided compute service.

Keeping our customers and their data secure is always our top priority. EventTracker continually tests and monitors our systems for vulnerabilities such as this, using our own products and services. The unknown process feature in EventTracker is expressly designed to detect and surface first-time-seen code execution. We have taken active steps to ensure that no EventTracker customer is exposed to these types of vulnerabilities. At the time of this posting, EventTracker has not received any information to indicate that these types of vulnerabilities have been used to attack the SIEMphonic infrastructure or in any way impact the integrity of customer data stored with the SIEMphonic service.

EventTracker does not use a third-party compute-as-a-service offering, so we don’t allow arbitrary code to be run on our servers. As such, security vulnerabilities that require specific code to be run on the same server as the exploited service pose less of a threat to EventTracker’s service and the data stored therein than those services and data stores utilizing shared servers at large cloud hosting facilities. With that said, EventTracker is constantly evaluating the server vendor patches that are relevant to server components used, and we will test and roll out these patches as they become available.

At our Security Operations Center we are patching on all workstations to address Meltdown and Spectre vulnerabilities. Specifically, we are: 

  1. Updating anti-virus to the latest version to make it compatible with Microsoft patches. Microsoft has identified a compatibility issue with a number of antivirus software products.
  2. Installing Microsoft cumulative patch on all workstations
  3. Installing the latest BIOS update on the workstations
  4. Updating Chrome and Firefox browsers to the latest versions

We will post more updates here, as they become available. More details about these vulnerabilities are available. Learn more about the Meltdown and Spectre vulnerabilities.

Believe it or not, compliance saves you money


We all hear it over and over again: complying with data protection requirements is expensive. But did you know that the financial consequences of non-compliance can be far more expensive?
 
The Ponemon Institute once again looked at the costs that organizations have incurred, or are incurring, in meeting mandated requirements, such as the EU General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI-DSS), and the Healthcare Information Portability and Accountability Act (HIPAA). The results were compared with the findings from a 2011 Ponemon survey on the same topic. The differences were stark and telling.
 
Average costs of compliance have increased 43%, up from around $3.5 million in 2011 to just under $5.5 million this year, while non-compliance costs surged from $9.4 million to $14.8 million during the same period. On average, organizations that are found non-compliant with data protection obligations these days can expect to fork out at least 2.71 times more money getting started and proving compliance than if they had been compliant in the first place.
 
For most enterprises, the cost associated with buying and deploying data security and incident response technologies account for a bulk of their compliance-related expenditure. On average, organizations in the Ponemon survey spent $2 million on security technologies to meet compliance objectives. The study found that businesses today are spending on average about 36% more on data security technologies and 64% more on incident response tools compared to 2011.
 
Financial companies tend to spend a lot more - $30.9 million annually - on compliance initiatives than entities in other sectors. Organizations in the industrial sector and energy/utilities sector also have relatively high compliance-related expenses of $29.4 million and $24.8 million respectively, on an annual basis.
 
So, what is the hardest regulation to satisfy? GDPR. 90% of the participants in the Ponemon studied pointed to GDPR as being the most difficult regulation to meet.
 
Need to get off to a fast start? Thinking NIST 800-171 or PCI-DSS? Our SIEMphonic service, powered by EventTracker technology, was designed to do just that. Check out all the compliance regulations we support.
 
It's a paradox, but the less you might spend, the more you might pay.
 

Attribution of an attack - don’t waste time on empty calories

Empty calories are those derived from food containing no nutrients. When consumed in excess, they contribute to weight gain, especially if you're not burning them off in your daily activities. Why make more work for yourself?
 
When we are attacked, we feel a sense of outrage and the natural tendency is to want to somehow punish the attacker. To do this, you must first identify the attacker, preferably accurately, or else. This is easier said than done, especially online.
 
Threat researchers have built an industry on identifying and profiling hacking groups in order to understand their methods, anticipate future moves, and develop methods for battling them. They often attribute attacks by “clustering” malicious files, IP addresses, and servers that get reused across hacking operations, knowing that threat actors use the same code and infrastructure repeatedly to save time and effort. So, when researchers see the same encryption algorithms and digital certificates reused in various attacks, for example, they tend to assume the attacks were perpetrated by the same group. 
 
The attacks last year on the Democratic National Committee, for example, were attributed to hacking groups associated with Russian intelligence based in part on analysis done by the private security firm CrowdStrike, which found that tools and techniques used in the DNC network matched those used in previous attacks attributed to Russian intelligence groups.
 
This is, of course, is much harder for the average business that cannot (and should not) spend scarce IT security budget on attribution of an attacker. It's a lot harder than it would seem. This Virus Bulletin reviews cases in which they’ve seen hackers acting on behalf of nation-states stealing tools and hijacking infrastructure previously used by hackers of other nation-states. Investigators need to watch out for signs of this or risk tracing attacks to the wrong perpetrators. Which means that attribution of an attack is hard even for those agencies with limitless funds at their disposal.
 
The WannaCry ransomware outbreak is an obvious example of malware theft and reuse. Last year, a mysterious group known as the Shadow Brokers stole a cache of hacking tools that belonged to the National Security Agency and posted them online months later. One of the tools — a so-called zero-day exploit, targeting a previously unknown vulnerability — was repurposed by the hackers behind WannaCry to spread their attack. 
 
Even assuming you were somehow able to absolutely identify the attacker as "Peilin Gu" located at "He Nan Sheng Zheng Zhou Shi Nong Ke Lu 38hao Jin Cheng Guo Ji Guang Chang Wu Hao Lou Xi Dan Yuan 2206", then what? How would you inflict retribution on this attacker? Likely as a private company, without a presence in China.
 
The rational course of action is instead to study the attack method and the target within your infrastructure and use this information to shore up defenses. You can bet that if this attacker uncovered a vulnerability in your defenses and exploited it then others of his “ilk” would follow course imminently.
 
Are you finding it hard to keep up with all the threats? Co-managed SIEM services can help. Give us a chance to show you how you can avoid empty calories and in the process, breathe a little easier.
 
 

Can you outsource the risk? Five questions to ask a managed SIEM or SOC vendor.

Given the acute shortage of security skills, managed solutions like SIEM-as-a-Service and SOC-as-a-Service such as SIEMphonic have become more widely adopted. It has proven to be an excellent way to leverage outside expertise and reduce cost, which is a challenge for companies globally. Seem too good to be true? It is and it isn’t. Regardless of how much responsibility you delegate, accountability lays firmly on the shoulders of the organization doing the delegating. What this means is that when you consider co-sourcing a critical function like security monitoring, it’s important to perform a vendor risk assessment. After all, if your vendor has a problem, then you have a problem. Their risk becomes your risk. So, what should a responsible CIO be doing? Frankly, the best time to enforce security at a service provider is before you sign the contract. Ask these questions:
  1. How seriously does the provider take security?
  2. What industry standard practices do they follow?
  3. How do they vet their staff?
  4. Are the data centers properly redundant and physically secure?
  5. Are the regularly audited by a competent external authority?
Some buyers who have a dim view of their internal commitment to the various forms of risk automatically consider that any firm that provides services for a living must inevitably have better processes and procedures than they themselves do. Careful, now. Proceed with caution – assumptions are risky too. As part of our ongoing commitment to managing risk, our SIEMphonic solutions were certified as ISO27001 compliant. We regularly audit and review our own performance and share the results with our customers every month to solicit feedback. As you think about enjoying the benefits of co-sourcing, remember: Risk cannot be outsourced.

Going Mining for Bitcoin

While you’ve been busy defending against ransomware, the bad guys have been scheming about new ways to steal from you. Let’s review a tactic seen in the news called bitcoin mining.

Hackers broke into servers hosted at Amazon Web Services (AWS) that holds information from multi-national, multi-billion-dollar companies, Aviva and Gemalto. The criminals were using computer power to mine the cryptocurrency, bitcoin.

Though anyone could try to mine bitcoin off their computer services, the process is very energy intensive, and could be costly in electricity expenses alone. But it’s worthwhile for many hackers because a successful attempt can be very lucrative.

To avoid the high cost of going at it alone, most bitcoin miners join a pool of different computers that combine their powers to solve complex algorithms. Successfully solving the problem generates a set number of new bitcoin, which are worth upwards of $4,300 each. Bitcoin can be mined until there are a total of 21 million bitcoin that exist.

How should you defend against this? Know your baseline and watch for anomalies. See how EventTracker caught a bitcoin miner, hidden behind a rarely used server dedicated for key-fob provisioning.

Bitcoin

Prevention is Key in Cybersecurity

“You see, but you do not observe. The distinction is clear.” Sherlock Holmes said this to John Watson in “A Scandal in Bohemia.” Holmes was referring to the number of steps from the hall to the rooms upstairs. Watson, by his own admission, has mounted those steps hundreds of times, but could not say how many there were. The same can be said in the world of IT security. A lot of data, an overwhelming amount actually, is available from hundreds of sources, but rarely is it observed. Having something and getting value from it are entirely different.

This is also underlined in the story, “Peace Health employee accessed patient info unnecessarily.” On Aug. 9, a Vancouver medical center, Peace Health, discovered that an employee accessed electronic files containing protected health information, including patient names, ages, medical records, account numbers, admission and discharge dates, progress notes, and diagnoses. An investigation revealed that the employee accessed patient information between November 2011 and July 2017.

What? This had been going on for 5 years and was just discovered? It would seem this is another case of “You see but do not observe,” and indeed the distinction is clear. Log data showing what this employee was doing had been accumulating and faithfully archived, but it was never examined.

What was the impact? There was reputational damage, plus the costs incurred (letters, call center expenses, etc.), and possible fines by HHS for the HIPAA violation. Plus, there was disruption of regular tasks to investigate the extent and depth of this incident and related incidents that may have occurred.

Ben Franklin observed that an ounce of prevention is worth a pound of cure. The same is true in this case. We at EventTracker know that it’s hard to pay attention given the volume of security data that is emitted by the modern network. Therefore, we provide security monitoring as a service, so that you don’t just get more technology thrust your way, you gain the actual outcome you desire.

Contact us to start your free trial today.

What’s Next in 2018? Our Prediction: SIEM-as-a-Utility

The traditional enterprise network has seen a tectonic shift in recent years thanks to cloud, mobility and now IoT. Where once enterprise data was confined to the office network and data center, it’s now expanded past its traditional perimeter. For instance, in a hospital, traditionally data resided in the data center, laptops, and desktop machines. Now, data can be resident in the x-ray machines, PCs connected to blood test analyzers, HVAC chiller units, etc. In franchise restaurants, one sees the rapid advent of digital menus, self-serve kiosks, customer Wi-Fi, and more. These digital assets have come into the market and onto the network very quickly, so that businesses can keep pace and compete for customers.

Correspondingly, the threats have also migrated — hackers now attack that less secure digital drink dispenser to then go lateral to the POS network. Often in the rush to market, securing these new assets that are now on the network has been an afterthought.

The techniques to protect and monitor these new assets are not so different. Secure the configuration, limit access, watch over logs for patterns. The ubiquity and scale of these assets, though, is tenfold, and so, traditional SIEM technology struggles with deployment, cost, and scale. Traditional SIEM was designed for large enterprise with assumptions on lots of bandwidth, CPU, and staff. These are all belied in the brave new world where all are in short supply.

Now that organizations have a 10x increase in the number of devices on the network – but most of these devices are lower value, simpler assets, with fixed networks and a limited scope of attacks that they are susceptible to — those can be managed in a more automated sense.

SIEM Will Evolve in Functionality and Ubiquity

The progression of today’s SIEM platform has seen dramatic changes. Mature platforms that have their roots in centralized log management have proven to be the species best suited to evolve, adapt, and match today’s advanced cybersecurity demands. We see this trend continuing. SIEM’s ability to centralize and aggregate billions of event logs from devices makes it a natural choice to house advanced threat lifecycle management capabilities. We’ve already seen the beginnings of SIEM taking on functionality that was originally viewed by some as a different animal—those being User and Entity Behavior Analytics (UEBA) and Security Orchestration and Automated Response (SOAR). After a quick rise in interest surrounding UEBA and SOAR solutions, these concepts have become rightly absorbed into SIEM platforms.

Evolution of SIEM

In terms of ubiquity, as the Internet of Things (IoT) explosion continues to unfold, right-sized SIEM functionality will be brought to these simpler, yet very numerous, devices. Case in point, in 2017, Netsurion brought SIEM to the point-of-sale (POS) market to answer the restaurant data breach epidemic. By folding the POS into the enterprise cybersecurity scope, the days of a data breach siphoning credit card data going undetected for months would no longer be the case.

By then coupling SIEM with IoT and branch location connectivity technology, like SD-WAN, the evolved capabilities of SIEM will be able to reach every edge of the highly-distributed enterprise.

Bringing It All Together

With SIEM platforms evolving to encompass machine learning concepts and orchestration capabilities, plus spreading to the furthest ends of the digital enterprise, we must also look at the most appropriate delivery model. By intertwining connectivity, threat, and compliance management, the delivery model that might work best for some organizations would be that the SIEM, or IT security, is delivered from an organization’s preferred ISP or managed IT service provider (MSP). The fully evolved SIEM platform will be able to deliver advanced functionality, wide integration, and lastly, MSP-friendly deliverability.

SIEM, UEBA, SOAR and Your Cybersecurity Arsenal

The evolution of Security Information and Event Management (SIEM) solutions has made a few key shifts over time. It started as simply collecting and storing logs, then morphed into correlating information with rules and alerting a team when something suspicious was happening. And now, SIEM solutions are providing advanced analytics and response automation.

Today’s advanced SIEM solutions:

  1. Incorporate purpose-built sensors to continually collect digital forensics data across an organization.
  2. Leverage artificial intelligence and machine learning to identify out-of-the-ordinary network behavior that may indicate possible malware or a data breach.

Advanced SIEM requires continual tuning to learn what is deemed abnormal behavior for a given organization.

At EventTracker, this all happens through our ISO 27001 certified Security Operations Center (SOC), where expert analysts work with this intricate data to learn the customer network and the various device types (OS, application, network devices etc.). Ideally, these experts work in tandem with the customers’ internal IT teams to understand their definition of normal network activity.

Next, based on this information and the available knowledge packs within EventTracker, we schedule suitable daily and weekly reports, along with configure alerts. The real magic happens when this data becomes “flex reports”. These reports focus on valuable information that is embedded within the description portion of the log messages. When these parameters are trended in a graph, all sorts of interesting, actionable information emerges.

User and Entity Behavior Analytics

In addition to noticing suspicious network behavior, SIEMs have evolved to include User Behavior Analytics (UBA), or User and Entity Behavior Analytics (UEBA). UBA/UEBA triggers an alert when unusual user or entity behavior occurs. This is an important feature now that compromised credentials make up 76% of all network intrusions.

When credentials are stolen, they tend to be used in unusual ways, places, and times. For instance, if a log in occurs that is outside the normal pattern, then this is immediately flagged for investigation. If user ‘‘Susan’’ usually logs in to “Workstation5” but suddenly logs in to “Server3”, then this is out of ordinary and may merit an investigation.

Security Orchestration Automation and Response (SOAR)

While alerts to suspicious behavior are necessary, the real goal is acting on the suspicious behavior as quickly and effectively as possible. That’s the next evolution of SIEM: Security Orchestration Automation and Response (SOAR).

While traditional SIEMs can “say” something, those that incorporate SOAR can “do” something.

SOARs consolidate data sources, use information provided by threat intelligence feeds, and automate responses to improve efficiency and effectiveness.

For example, with EventTracker, if an infected USB is plugged into a laptop, even if it’s off the network at the time, and malware begins to run, EventTracker will detect the insertion of the USB, as well as detect any suspicious communication to a low-reputation IP address. It will also catch any suspicious processes that begin to run. Once detected, EventTracker automatically stops the communication and the executable, preventing a potential data breach. Watch a short demo about advanced endpoint security now.

Get the Most Out of Your SIEM

As attacks continue to become more sophisticated and persistent, traditional security tools that just focus on protecting the perimeter will continue to be replaced by solutions that also have detection and response capabilities, in particular on the endpoint devices.

Learn more about the features of EventTracker’s SIEMphonic Enterprise, and sign up for a demo to learn more about our machine learning, UEBA and SOAR functionality.

You’re in the Cybersecurity Fight No Matter What: Are You Prepared?

“You’re in the fight, whether you thought you were or not”, Gen. Mike Hayden, former Director of the CIA and NSA. It may appear at first to be a scare tactic or an attempt to sow fear, uncertainty, and doubt, but truly, what this means is that it’s time to adopt the Assume Breach paradigm.

Mr. Hayden also said, “You are almost certainly penetrated.” These words ring true and it’s time to acknowledge that a breach has either already occurred or that it’s only a matter of time until it will. It is more likely that an organization has already been compromised, but just hasn’t discovered it yet. Operating with this assumption will reshape detection and response strategies in a way that pushes the limits of any organization’s infrastructure, people, processes, and technologies.

Traditional security methodologies have largely been focused on prevention. It is a defensive strategy aimed at eliminating vulnerabilities and thereby mitigating security breaches before they happen. However, as the daily news headlines bear witness, perfect protection is not practical. So, monitoring is necessary.

Many businesses think of IT security as a nice-to-have option – just a second priority to be addressed, if IT budget dollars remain. However, compliance with regulations is seen as a must-have, mostly due to fear of the auditor and potential shame or penalty in the event of an audit failure. If this mindset prevails, then up to 70% of the budget under security and compliance will be allocated to the latter, with the rest “left over” for security. And as the total amount shrinks, this leads to the undesirable phenomenon known as checkbox compliance. Article after article explains why this is a bad mindset to have.

Remember, you’re in the fight, whether you knew it or not. Accept this and compliance becomes a result of good security practice. The same IT security budget can become more effective.

If you’re overwhelmed at the prospect of having to develop, staff, train, and manage security and compliance all by yourself, there are services like EventTracker’s SIEMphonic, that will do the heavy lifting. See our “Catch of the Day” to see examples of how this service has benefited our customers.

Avoid Three Common Active Directory Security Pitfalls

While the threats have changed over the past decade, the way systems and networks are managed have not. We continue with the same operations and support paradigm, despite the fact that internal systems are compromised regularly. As Sean Metcalf notes, while every environment is unique, they all too often have the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.

There is also the reality of what we call the Assume Breach paradigm.  This means that during a breach incident, we must assume that an attacker a) has control of a computer on the internal network and b) can access the same resources of legitimate users through recent log on activity.

Active Directory (AD) is the most popular Lightweight Directory Access Protocol (LDAP) implementation and holds the keys to your kingdom. It attracts attackers, as honey attracts bees. There are many best practices to secure Active Directory, but to start, let’s ensure you stay away from common pitfalls. Below are three common mistakes to avoid:

  1. Too many Domain Admins: Active Directory administration is typically performed by a small number of people. Membership in Domain Admins is rarely a valid requirement.Those members have full administrative rights to all workstations, servers, Domain Controllers, Active Directory, Group Policy, etc., by default. This is too much power for any one account, especially in today’s modern enterprise. Unless you are actively managing Active Directory as a service, you should not be in Domain Admins.
  2. Over-permissioned Service Accounts: Vendors have historically required Domain Admin rights for Service Accounts even when the full suite of rights provided is not actually required, though it makes the product easier to test and deploy. The additional privileges provided to the Service Account can be used maliciously to escalate rights on a network. It is critical to ensure that every Service Account is delegated only the rights required, and nothing more. Keep in mind that a service running under the context of a Service Account has that credential in LSASS (protected memory), which can be extracted by an attacker. If the stolen credential has admin rights, the domain may be quickly compromised due to a single Service Account.
  3. Not monitoring admin group membership: Most organizations realize that the number of accounts with admin rights increases on a yearly, if not monthly basis, without ever going down. The admin groups in Active Directory need to be scrutinized, especially when new accounts are added. It’s even better to use a system that requires approval before a new account is added to the group. This system can also remove users from the group when their approved access expires.

By avoiding these pitfalls, and securing Active Directory properly, you are on your way to keeping your “kingdom” safe. But like Thomas Paine said, “Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it.” There are a number of ways to reap the benefits of a secure infrastructure, but there are many intracacies required to make this a reality. Solutions, like SIEMphonic Enterprise, takes on “fatigue” required to with a dedicated 24/7 SOC.

Click here for more details or sign up for a free demo today.

Three myths surrounding cybersecurity

A common dysfunction in many companies is the disconnect between the CISO, who views cybersecurity as an everyday priority, versus top management who may see it as a priority only when an intrusion is detected. The seesaw goes something like this: If breaches have been few and far between then leaders tighten the reins on the cybersecurity budget until the CISO proves the need for further investment in controls. On the other hand, if threats have been documented frequently, leaders may reflexively decide to overspend on new technologies without understanding that there are other, nontechnical remedies to keep data and other corporate assets safe.

Does your organization suffer from any of these?

Myth: More spending equals more security

McKinsey says, “There is no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and success of a company’s cybersecurity program.” Companies that spend heavily but are still lagging behind their peers may be protecting the wrong assets. Ad hoc approaches to funding (goes up when an intrusion is reported, goes down when all is quiet on the western front) will be ineffective in the long term.

Myth: All threats are external

Too often, the very people who are closest to the data or other corporate assets are the weak link in a company’s cybersecurity program. Bad habits — like sharing passwords or files over unprotected networks, clicking on malicious hyperlinks sent from unknown email addresses, etc. — open up corporate networks to attack. In this study by Intel Security, threats from inside the company account for about 43 percent of data breaches. Leaders must realize that they are actually the first line of defense against cyberthreats, which is never the sole responsibility of the IT department.

Myth: All assets are equally valuable

Are generic invoice numbers and policy documents that you generate in-house as valuable as balance sheets or budget projections? If not, then why deploy a one-size-fits-all cybersecurity strategy? Does leadership understand the return they are getting on their security investments and associated trade-offs? Leaders must inventory and prioritize assets and then determine the strength of cybersecurity protection required at each level. McKinsey cites the example of a global mining company that realized it was focusing a lot of resources on protecting production and exploration data, but had failed to separate proprietary information from that which could be reconstructed from public sources. After recognizing the flaw, the company reallocated its resources accordingly.

These three myths are common, but the list goes on…Now it’s time to decide what to do about it. Research is a great start, but time is of the essence. According to a 2017 Forbes survey, 69% of senior executives are already re-engineering their approach to cybersecurity. What’s your next step?

EventTracker reviews billions of logs daily to keep our customers safe. See what we caught recently and view our latest demo.

Can general purpose tools work for IT security?

This post got me thinking about a recent conversation I had with the CISO of a financial company. He commented on how quickly his team was able to instantiate a big data project with open source tools. He was of the view that such power could not be matched by IT security vendors who, in his opinion, charged too much money for demonstrably poorer performance.

The runaway success of the ELK stack has the DIY crowd energized. Why pay security vendors for specialist solutions when a “big data” project that we already have going on, based on this same stack, can work so much better, the thinking goes. And it’s free, of course.

What we know from 10+ years of rooting around in the security world is that solving the platform problem gets you about a quarter of the way to the security outcome. After that comes detection content, and then the skills to work the data plus the process discipline. Put another way, “Getting data into the data lake, easy. Getting value out of the data in the lake, not so much.”

In 2017, it is easier than ever to spin up an instance of ELK on premises or in the cloud and presume that success is at hand just because the platform is now available. Try using generic tools to solve the security problem and you will soon discover why security vendors have spent so much time writing rules and why service providers spend so much effort on process/procedure and recruitment/training.

Are you lowering your expectations to meet your SIEM performance?

It’s an old story. Admin meets SIEM. Admin falls in love with the demo provided by the SIEM vendor. Admin commits to a 3 year relationship with SIEM.

And now the daily grind. The SIEM requires attention, but the Admin is busy. Knowledge of what the SIEM needs in order to perform starts to dissipate from memory as the training period recedes in the past. Log volume constantly creeps up, adding to sluggishness.

Soon you are at a point where the SIEM could have theoretically performed but actually does not. It’s a mix of initial underestimation of hardware needs, increasing log volume, apathy and dissipation of knowledge about SIEM details.

How now?

In most implementations, this vicious cycle feeds on itself and the disillusionment reinforces itself. The SIEM is either abandoned or the user is resigned to poor performance.

What a revoltin’ development.

It doesn’t have to be this way, you know. Our SIEMphonic offerings were designed to address each of these problems. Don’t just buy a SIEM, get results!

Equifax’s enduring lesson — perfect protection is not practical

Recently Equifax, one of the big-three US credit bureaus, disclosed a major data breach. It affects 143 million individuals — mostly Americans, although data belonging to citizens of other countries, for the most part Canada and the United Kingdom, were also hit.

It’s known the data was stolen, not just exposed. Equifax disclosed it had detected unauthorized access. So this isn’t simply a case of potential compromise of data inadvertently exposed on the web. Someone came in and took it.

How the breach occurred remains publicly unknown, and Equifax has been close-mouthed about the details. But there’s considerable speculation online that the hackers exploited a patchable yet unpatched flaw in Equifax’s website.

Quartz suggests an Apache Struts vulnerability. Markets Insider says it’s unclear which vulnerability may have been exploited. The Apache Struts team has issued a statement which says: Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here –we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP. What we saw here is common software engineering business –people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It’s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.

So where to turn? Is it reasonable to assume that Equifax should be rigorous in updating its systems, especially public facing ones with access to such valuable data? Yes, of course. But it frankly doesn’t matter what it was written in, how it was deployed, or whether it was up to date. How do you explain (apparently) no controls to monitor unusual activity? That’s dereliction of duty, in 2017.

Perfect protection is not practical, thus monitoring is necessary. Rinse and repeat, ad nauseam, it seems.

Looking for an expert set of eyes to monitor your assets? SIEMphonic can help. See what we’ve caught.

Three critical advantages of SIEMphonic Essentials

By now it’s accepted that SIEM is a foundational technology for both securing a network from threats as well as demonstrating regulatory compliance. This definition from Gartner says: Security information and event management (SIEM) technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources. It also supports compliance reporting and incident investigation through analysis of historical data from these sources. The core capabilities of SIEM technology are a broad scope of event collection and the ability to correlate and analyze events across disparate sources.”

However, SIEM is not fit-and-forget technology, nor is it technically simple to implement and operate. In order to bring the benefits of SIEM technology to the small network, with a decade of experience behind us, we developed SIEMphonic Essentials to address the problems beyond mere technology. Here’s three specific advantages:

1) No hardware to procure or maintain

SIEMphonic Essentials is hosted in our Tier-1 data center freeing you from having to procure, maintain and upgrade server class hardware. Disk in particular is a challenge. Log data grows exponentially and while consumer disk cost is relatively inexpensive, the same cannot be said for business class disk cost.

2) More data? Fixed cost!

The hallmark of a successful SIEM implementation is growing volumes of data. Many SIEM solutions are priced based on log volume indexed or received (the so-called events per second). More data inevitably means more unforeseen cost. With SIEMphonic Essentials, you get simple t-shirt sizing (Small, Medium, Large) and you can leave both the cost and implementation of data storage to us.

3) Skill shortage

There is an African proverb that says, “It takes a village to raise a child.” In fact, it takes various skills to RUN and WATCH a SIEM solution. This specific problem is why many SIEM implementations become shelfware. Writing and tuning detection rules, performing incident investigations, and understanding how to search means that analysts need both security knowledge and specialized SIEM tool expertise. The IT Security space has zero unemployment, high staff acquisition costs and ongoing training costs. Buying a SIEM solution is easy. There are many providers and an end-of-quarter discount is always around the corner. Getting value from it? Not so much. With SIEMphonic Essentials, we start with a proper implementation (after all as Aristotle noted, well begun is half done) and then our 24/7 Security Operations Center escalates P1 events to your team.

SIEMphonic Essentials delivers visibility and detection across your enterprise. Not just technology…results!

Think you are too small to be hacked?

As a small business, how would you survive an abrupt demand for $250,000? It’s ransomware, and as this poll shows, that’s what an incident would cost a small business. Just why has ransomware exploded on to the scene in 2017? Because it works. Because most bad guys are capitalists and are driven by the profit motive. Because most small business have not taken the time to guard their data. Because they are soft targets. What makes the news headlines are the attacks on large companies like Merck, Maersk or large government, NHS Hospitals in the UK, etc. But make no mistake, small businesses get hit every day – they’re just not in the headlines. After all, more people miss work due to the common cold, but this never makes the news. On the other hand, a single case of Ebola and whoa!

Unfortunately this leads to confirmation bias. Since you don’t hear about it, it must not be a thing, right? That’s dangerous thinking for a small business. The large corporations can bounce back from cyberattacks; they have the depth of pocket to hire the experts needed during the crisis. But how does a small businesses cope? Breach costs can go to $250,000, not to mention the destruction of client trust if word gets out that confidential information was leaked.

So what do you do? Try these three steps:

Educate
It starts with you and your employees. Know your digital assets and maintain an up-to-date inventory. Invest in training of employees, as they are the weakest link in the IT security game.
Protect
Minimum diligence includes up-to-date anti-virus, a managed next-gen firewall and regular patching. Step it up with endpoint protection. Regular reviews of user and system activity is a solid, low-cost improvement to close the gap.
Co-source
Get an expert on your team. It’s too expensive to get dedicated resources, but this doesn’t mean you have to go it alone.  Co-sourcing is an excellent technique to have an expert team on call that specializes in cybersecurity.

If the first half of 2017 is an indicator, then it’s high time to wake up and smell the hummus.

***Some images from FreePik.com

How do you determine IT security risk?

How much security is enough? That’s a hard question to answer. You could spend $1 or $1M on security and still ask the same question. It’s a trick question; there is no correct answer. The better/correct question is how much risk are you willing to tolerate? Mind you, the answer to this question is a “beauty in the beholder” deal, and again there is no one correct answer.

The classic comeback from management when posed this question by the CISO is to debate what risk means, in a business context, of course. To answer this, consider the picture below.

This is your tax dollars at work. It comes from a NIST publication called “Small Business Information Security” and is available here. It presents a systematic method to first identify and thereafter mitigate the elements of risk to your business. To a small business owner, this may all be very well but can be overwhelming.

Did you know that you are not alone in tackling this problem? Our SIEMphonic program is specifically designed to provide co-management. We get that for a small business owner, it’s difficult to deploy, manage and use an effective combination of expertise and tools that provide early detection of targeted, advanced threats and insider threats. With SIEMphonic Enterprise Edition and SIEMphonic MDR Edition, we work together with you to analyze event data in real-time, then collect, store, investigate, and report on log data for incident response, forensics and regulatory compliance. Let us help you strengthen your security defenses, respond effectively, control costs and optimize your team’s capabilities through SIEMphonic.

Petya Ransomware – What it is and what to do

A new ransomware variant is sweeping across the globe known as Petya. It is currently having an impact on a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems. While it was first observed in 2016, it contained notable differences in operation that caused it to be “immediately flagged as the next step in ransomware evolution.”

What is it?

This is a new generation of ransomware designed to take timely advantage of recent exploits. This current version is targeting the same vulnerabilities (ETERNALBLUE) that were exploited during the recent Wannacry attack. In this variant, rather than targeting a single organization, it uses a broad-brush approach that targets any device it can find that its attached worm is able to exploit.

The gravity of this attack is multiplied by the fact that even servers patched against the SMBv1 vulnerability exploited by EternalBlue can be successfully attacked, provided there is at least one Windows server on the network vulnerable to the flaw patched in March in MS17-010.

How it spreads?

Early reports also suspected that some infections were spread via phishing emails with infected Excel documents exploiting a CVE-2017-0199, a Microsoft Office/WordPad remote code execution vulnerability.

The attackers have built in the capability to infect patched local machines using the PSEXEC Windows SysInternals utility to carry out a pass-the-hash attack. Some researchers have also documented usage of the Windows Management Instrumentation (WMIC) command line scripting interface to spread the ransomware locally.

Unlike WannaCry, this attack does not have an internet-facing worming component, and only scans internal subnets looking for other machines to infect. Once a server is compromised by EternalBlue, the attacker is in as a system user.

What it does

The malware waits for 10-60 minutes after the infection to reboot the system. Reboot is scheduled using system facilities with “at” or “schtasks” and “shutdown.exe” tools. Once it reboots, it starts to encrypt the MFT table in NTFS partitions, overwriting the MBR with a customized loader with a ransom note.

The malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.

The criminals behind this attack are asking for $300 in Bitcoins to deliver the key that decrypts the ransomed data, payable to a unified Bitcoin account. Unlike Wannacry, this technique would work because the attackers are asking the victims to send their wallet numbers by e-mail to “wowsmith123456@posteo.net,” thus confirming the transactions.

There is no kill-switch as of yet, and reports say the ransom email is invalid, so paying up is not recommended.

Technical Details

Talos observed that compromised systems have a file named “Perfc.dat” dropped on them. Perfc.dat contains the functionality needed to further compromise the system and contains a single unnamed export function referred to as #1. The library attempts to obtain administrative privileges (SeShutdowPrivilege and SeDebugPrivilege) for the current user through the Windows API AdjustTokenPrivileges. If successful, the ransomware will overwrite the master boot record (MBR) on the disk drive referred to as PhysicalDrive 0 within Windows. Regardless of whether the malware is successful in overwriting the MBR or not, it will then proceed to create a scheduled task via schtasks to reboot the system one hour after infection.

As part of the propagation process, the malware enumerates all visible machines on the network via the NetServerEnum and then scans for an open TCP 139 port. This is done to compile a list of devices that expose this port and may possibly be susceptible to compromise.

The malware has three mechanisms used to propagate once a device is infected:

  1. EternalBlue – the same exploit used by WannaCry.
  2. Psexec – a legitimate Windows administration tool.
  3. WMI – Windows Management Instrumentation, a legitimate Windows component.

These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally.

For systems that have not had MS17-010 applied, the EternalBlue exploit is leveraged to compromise systems.

Psexec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user’s windows token to install the malware on the networked device. Talos is still investigating the methods in which the “current user’s windows token” is retrieved from the machine.

C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1

WMI is used to execute the following command which performs the same function as above, but using the current user’s username and password (as username and password).

Wbem\wmic.exe /node:”w.x.y.z” /user:”username” /password:”password” “process call create “C:\Windows\System32\rundll32.exe \”C:\Windows\perfc.dat\” #1″

Once a system is successfully compromised, the malware encrypts files on the host using 2048-bit RSA encryption. Additionally, the malware cleans event logs on the compromised device using the following command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

What steps has EventTracker SIEMphonic taken?

  1. Closely monitoring announcements and details provided by industry experts including US CERT, SANS, Microsoft, etc.
  2. Reviewed the latest vulnerability scan results from your network (if subscribed to ETVAS service) for vulnerable machines. ETVAS service subscribers who would like us to scan your network again can request us at ecc@eventtracker.com and we will perform a scan at your convenience.
  3. Updated the Active Watch List in your instance of EventTracker with the latest Indicators of Compromise (IOCs). This includes MD5 hashes of the malware variants, IP addresses of  C&C servers, the email address wowsmith123456@posteo.net
  4. Monitoring system reboots and additions to the Scheduled Tasks list
  5. Watching Change Audit snapshots in your network for changes to registry (RunOnce)
  6. Updated ETIDS with snort signatures as described by Cisco Talos
  7. Performing log searches using known IOCs

Recommendations

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Perform a detailed vulnerability scan of all systems on your network and apply missing patches ASAP.
  • Limit traffic from/to ports 139 and 445 to internal network only. Monitor traffic to these ports for out of ordinary behavior.
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.