Archive

Believe it or not, compliance saves you money


We all hear it over and over again: complying with data protection requirements is expensive. But did you know that the financial consequences of non-compliance can be far more expensive?

Attribution of an attack - don’t waste time on empty calories


When we are attacked, we feel a sense of outrage and the natural tendency is to want to somehow punish the attacker. To do this, you must first identify the attacker, preferably accurately, or else. This is easier said than done, especially online.

Can you outsource the risk? Five questions to ask a managed SIEM or SOC vendor.


Given the acute shortage of security skills, managed solutions like SIEM-as-a-Service and SOC-as-a-Service such as SIEMphonic have become more widely adopted. It has proven to be an excellent way to leverage outside expertise and reduce cost, which is a challenge for companies globally. Seem too good to be true? It is and it isn’t. Regardless of how much responsibility you delegate, accountability lays firmly on the shoulders of the organization doing the delegating.

Going Mining for Bitcoin


While you’ve been busy defending against ransomware, the bad guys have been scheming about new ways to steal from you. Let’s review a tactic seen in the news called bitcoin mining. Hackers broke into servers hosted at Amazon Web Services (AWS) that holds information from multi-national, multi-billion-dollar companies, Aviva and Gemalto. The criminals were using computer power to mine the cryptocurrency, bitcoin.

Prevention is Key in Cybersecurity


“You see, but you do not observe. The distinction is clear.” Sherlock Holmes said this to John Watson in “A Scandal in Bohemia.” Holmes was referring to the number of steps from the hall to the rooms upstairs. Watson, by his own admission, has mounted those steps hundreds of times, but could not say how many there were.

Experimenting with Windows Security: Controls for Enforcing Policies


Interest continues to build around pass-the-hash and related credential artifact attacks, like those made easy by Mimikatz. The main focus surrounding this subject has been hardening Windows against credential attacks, cleaning up artifacts left behind, or at least detecting PtH and related attacks when they occur. All of this is important – especially because end-users must logon to end-user workstations, which are the most vulnerable systems on the network.

What’s Next in 2018? Our Prediction: SIEM-as-a-Utility


The traditional enterprise network has seen a tectonic shift in recent years thanks to cloud, mobility and now IoT. Where once enterprise data was confined to the office network and data center, it’s now expanded past its traditional perimeter. For instance, in a hospital, traditionally data resided in the data center, laptops, and desktop machines.

SIEM, UEBA, SOAR and Your Cybersecurity Arsenal


The evolution of Security Information and Event Management (SIEM) solutions has made a few key shifts over time. It started as simply collecting and storing logs, then morphed into correlating information with rules and alerting a team when something suspicious was happening.

You’re in the Cybersecurity Fight No Matter What: Are You Prepared?


“You’re in the fight, whether you thought you were or not”, Gen. Mike Hayden, former Director of the CIA and NSA. It may appear at first to be a scare tactic or an attempt to sow fear, uncertainty, and doubt, but truly, what this means is that it’s time to adopt the Assume Breach paradigm.

Which security functions outsource poorly and which outsource well


The IT security industry’s skill shortage is a well-worn topic. Survey after survey indicates that a lack of skilled personnel is a critical factor in weak security posture. If the skills are not available in your organization then you could: a) ignore the problem and hope for the best, or b) get help from the outside. Approach “a” is simply a dereliction of duty, and approach “b” has some negative connotations associated with the word “outsource”. It throws up images of loss of control and misaligned priorities.

Avoid Three Common Active Directory Security Pitfalls


While the threats have changed over the past decade, the way systems and networks are managed have not. We continue with the same operations and support paradigm, despite the fact that internal systems are compromised regularly.

Three myths surrounding cybersecurity


A common dysfunction in many companies is the disconnect between the CISO, who views cybersecurity as an everyday priority, versus top management who may see it as a priority only when an intrusion is detected. The seesaw goes something like this: If breaches have been few and far between then leaders tighten the reins on the cybersecurity budget until the CISO proves the need for further investment in controls.

Report All the Binary Code Executing on Your Network with Sysmon Event IDs


Computers do what they are told, whether good or bad. One of the best ways to detect intrusions is to recognize when computers are following bad instructions – whether in binary form or in some higher level scripting language. We’ll talk about scripting in the future, but in this article I want to focus on monitoring execution of binaries in the form of EXEs, DLLs and device drivers.

Can general purpose tools work for IT security?


This post got me thinking about a recent conversation I had with the CISO of a financial company. He commented on how quickly his team was able to instantiate a big data project with open source tools. He was of the view that such power could not be matched by IT security vendors who, in his opinion, charged too much money for demonstrably poorer performance.

Are you lowering your expectations to meet your SIEM performance?


It’s an old story. Admin meets SIEM. Admin falls in love with the demo provided by the SIEM vendor. Admin commits to a 3 year relationship with SIEM. And now the daily grind. The SIEM requires attention, but the Admin is busy. Knowledge of what the SIEM needs in order to perform starts to dissipate from memory as the training period recedes in the past. Log volume constantly creeps up, adding to sluggishness.

Equifax’s enduring lesson — perfect protection is not practical


Recently Equifax, one of the big-three US credit bureaus, disclosed a major data breach. It affects 143 million individuals — mostly Americans, although data belonging to citizens of other countries, for the most part Canada and the United Kingdom, were also hit.

Three critical advantages of EventTracker Essentials


By now it’s accepted that SIEM is a foundational technology for both securing a network from threats as well as demonstrating regulatory compliance. This definition from Gartner says: Security information and event management (SIEM) technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources.

Three paradoxes disrupting IT Security


2017 has been a banner year for IT Security. The massive publicity of attacks like WannaCry have focused public attention like never before on a hitherto obscure field. Non-technical people, including board members, nod gravely when listening as the CISO or wise friend harangue them for attention, behavior change or budget on the topic of IT Security. It’s in a way comforting to think that such attention is a good thing.

Think you are too small to be hacked?


As a small business, how would you survive an abrupt demand for $250,000? It’s ransomware, and as this poll shows, that’s what an incident would cost a small business. Just why has ransomware exploded on to the scene in 2017? Because it works. Because most bad guys are capitalists and are driven by the profit motive. Because most small business have not taken the time to guard their data. Because they are soft targets.

How do you determine IT security risk?


How much security is enough? That’s a hard question to answer. You could spend $1 or $1M on security and still ask the same question. It’s a trick question; there is no correct answer. The better/correct question is how much risk are you willing to tolerate? Mind you, the answer to this question is a “beauty in the beholder” deal, and again there is no one correct answer.

Ransomware's Next Move


Have we seen the true business impact of of ransomware yet, or has this just been a proof-of-concept? The recent news about WannaCrypt and Petya ransomware should not come as a surprise. The outbreaks are due not only to the ransomware’s ability to spread but also to mutate. While IT security teams identify, hunt, and remove specific variants of the ransomware, there may already be unknown mutated varieties lurking dormant and ready to execute.

Yet Another Ransomware That Can be Immediately Detected with Process Tracking on Workstations


As I write this, yet another ransomware attack is underway. This time it’s called Petya, and it again uses SMB to spread. But here’s the thing — it uses an EXE to get its work done. That’s important because there are countless ways to infect systems, with old ones being patched and new ones being discovered all the time. You definitely want to reduce your attack surface by disabling/uninstalling unneeded features.  Plus, you want to patch systems as soon as possible.

Petya Ransomware – What it is and what to do


A new ransomware variant is sweeping across the globe known as Petya. It is currently having an impact on a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems. While it was first observed in 2016, it contained notable differences in operation that caused it to be “immediately flagged as the next step in ransomware evolution.”

Perfect protection is not practical


With distressing regularity, new breaches continue to make headlines. The biggest companies, the largest institutions both private and government are affected. Every sector is in the news. Recounting these attacks is fruitless. Taking action based on the trends and threat landscape is the best step. Smarter threats that evade basic detection, mixed with the operational challenge of skills shortage, make the protection gap wider.

Three myths about Ransomware


Ransomware is a popular weapon for the modern attacker with >50% of the 330,000+ attacks in 3Q15 targeted against US companies. No industry is immune to these attacks, which if successful are a blot on financial statements of the targeted companies. Despite their success, ransomware attacks are not sophisticated, exploit traditional infection vectors and are not stealthy.

WannaCry: What to do if you can’t update Microsoft Windows


A global pandemic of ransomware hit Windows based systems in 150 countries in a matter of hours. The root cause was traced to a vulnerability corrected by Microsoft for supported platforms (Win 7, 8.1 and higher) in March 2017, about 55 days before the malware was widespread. Detailed explanations and mitigation steps are described here. The first step to mitigation is to apply the update from Microsoft. A version for XP and 2003 was also released by Microsoft on Friday May 12, 2017.

WannaCry: Nuisance or catastrophe? What to expect next?


As we come to the one week point of the global pandemic of ransomware called WannaCry, it seems that while the infection gained worldwide (and unprecedented) news coverage, it has been more of a global nuisance than a global catastrophe. Some interesting points to note...

Do hackers prefer attacking over the weekend?


The recent WannaCry attack started on a Friday and it was feared that the results would be far more severe on Monday, as workers trickled back from the weekend. The fraudulent wires from Bangladesh Bank that resulted in $81M lost also happened on a Friday. A detailed account of how this weekend timing allowed hackers to get away a large sum (rerouted to the Philippines) with is described in this Reuters investigation.

WannaCry at Industrial Control Systems


A global pandemic of ransomware hit Windows based systems in 150 countries in a matter of hours. The root cause was traced to a vulnerability corrected by Microsoft for supported platforms (Win 7, 8.1 and higher) in March 2017, about 55 days before the malware was widespread. Detailed explanations and mitigation steps are described here. The first step to mitigation is to apply the update from Microsoft. A version for XP and 2003 was also released by Microsoft on Friday May 12, 2017.

WannaCry: Fraud follows fear


After the global pandemic of the WannaCry ransomware attack this past weekend, it’s entirely predictable that fraudsters would follow. After every major attack or vulnerability disclosure, criminals are quick to take advantage of the attendant fear by pitching phony schemes to “protect” those that are worried they may be, or may become, victims.

WannaCry: What it is and what to do about it


What happened For those of us in the IT Security profession, Friday May 12 was Black Friday. Networks in healthcare and critical infrastructure across at least 99 countries have been infected by the WannaCry ransomware worm, aka WanaCrypt, WannaCrypt or Wcry. The bulk of infections were reported in Russia, Taiwan and Spain.

Challenges with Threat Intelligence or why a Honeynet is a good idea


Shared threat intelligence is an attractive concept. The good guys share experiences about what the bad guys are doing thereby blunting attacks. This includes public-private partnerships like InfraGard, a partnership between the FBI and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the U.S.

When a SIEM is Like an Exercise Machine Stuck Behind the Junk in Your Garage


I’m a big believer in security analytics and detective controls in general.  At least sometimes, bad guys are going to evade your preventive controls, and you need the critical defense-in-depth layers that detective controls provide through monitoring logs and all the other information a modern SIEM consumes. Better yet, going on the offensive with threat hunting approaches the concept of taking the battle to enemy instead of passively waiting.

Essential soft skills for cybersecurity success


IT workers in general, but more so IT Security professionals, pride themselves on their technical skills. Keeping abreast of the latest threats and the newest tactics to demonstrate to management and peers that one is “worthy.” The long alphabet soup in the signature, CISSP, CISA, MCSE, CCNA and so on, is all very necessary and impressive. However, cybersecurity puzzles are not solved by technical skills alone. In fact, the case can be made that soft skills are just as important, especially because everyone in the organization needs to cooperate. Security is everyone’s job.

Who suffers more — cybercrime victims or cybersecurity professionals?


So you got hit by a data breach, an all too common occurrence in today’s security environment. Who gets hit? Odds are you will say the customer. After all it’s their Personally Identifiable Information (PII) that was lost. Maybe their credit card or social security number or patient records were compromised. But pause a moment and consider the hit on the company itself. The hit includes attorney fees, lost business, reputational damage, and system remediation costs.

Top three high risk behaviors that compromise IT Security


The insider threat is typically much more infrequent than external attacks, but they usually pose a much higher severity of risk for organizations when they do happen. While they can be perpetrated by malicious actors, it is more common the result of negligence. In addition to investing in new security tools and technology to protect against external threats, companies should place higher priority on identifying and fixing internal risks. Here are the top 3 high risk behaviors that compromise IT security.

Man Bites Dog!


Made you look! It’s a clickbait headline, a popular tactic with the press to get people to click on their article. Cyber criminals, the ones after the gold in your network, are at heart, capitalists. In other words, they seek efficiency. How to get maximum returns for the minimum possible work. This tendency reveals itself in multiple ways.

Ransomware is only getting started


By Randy Franklin Smith Ransomware is about denying you access to your data via encryption. But that denial has to be of a great enough magnitude create sufficient motivation for the victim to pay. Magnitude of the denial is a factor – Value of the encrypted copy of the data, which is a function of: Intrinsic value of the data (irrespective of how many copies exist) The number of copies of the data and their availability Extent of operations interrupted

SIEMphonic and the Cyber Kill Chain


The Cyber Kill Chain model by Lockheed Martin describes how attackers use the cycle of compromise, persistence and ex filtration against an organization. Defense strategies that focus exclusively on the perimeter and on prevention do not take into account the kill chain life cycle approach; this is a reason why attackers are continuing to be so successful. Defending against persistent and advanced threats requires methods that detect and deny threats at each stage of the kill chain.

Spending too much or too little on IT Security?


A common assumption is that security expenditure is a proxy for security maturity. This may make sense at first blush but paradoxically, a low relative level of information security spending compared to peers can be equally indicative of a very well-run or a poorly run security program. Spending analysis is, therefore, imprecise and a potentially misleading indicator of program success. In fact, it is necessary to ensure that the right risks are being adequately managed, and understand that spending may fluctuate accordingly.

See EventTracker in action!

See EventTracker in action!

Join our next live demo August 6th at 2:00 p.m. EST.

Register Here