Believe it or not, compliance saves you money


We all hear it over and over again: complying with data protection requirements is expensive. But did you know that the financial consequences of non-compliance can be far more expensive?
 
The Ponemon Institute once again looked at the costs that organizations have incurred, or are incurring, in meeting mandated requirements, such as the EU General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI-DSS), and the Healthcare Information Portability and Accountability Act (HIPAA). The results were compared with the findings from a 2011 Ponemon survey on the same topic. The differences were stark and telling.
 
Average costs of compliance have increased 43%, up from around $3.5 million in 2011 to just under $5.5 million this year, while non-compliance costs surged from $9.4 million to $14.8 million during the same period. On average, organizations that are found non-compliant with data protection obligations these days can expect to fork out at least 2.71 times more money getting started and proving compliance than if they had been compliant in the first place.
 
For most enterprises, the cost associated with buying and deploying data security and incident response technologies account for a bulk of their compliance-related expenditure. On average, organizations in the Ponemon survey spent $2 million on security technologies to meet compliance objectives. The study found that businesses today are spending on average about 36% more on data security technologies and 64% more on incident response tools compared to 2011.
 
Financial companies tend to spend a lot more - $30.9 million annually - on compliance initiatives than entities in other sectors. Organizations in the industrial sector and energy/utilities sector also have relatively high compliance-related expenses of $29.4 million and $24.8 million respectively, on an annual basis.
 
So, what is the hardest regulation to satisfy? GDPR. 90% of the participants in the Ponemon studied pointed to GDPR as being the most difficult regulation to meet.
 
Need to get off to a fast start? Thinking NIST 800-171 or PCI-DSS? Our SIEMphonic service, powered by EventTracker technology, was designed to do just that. Check out all the compliance regulations we support.
 
It's a paradox, but the less you might spend, the more you might pay.
 

Attribution of an attack - don’t waste time on empty calories

Empty calories are those derived from food containing no nutrients. When consumed in excess, they contribute to weight gain, especially if you're not burning them off in your daily activities. Why make more work for yourself?
 
When we are attacked, we feel a sense of outrage and the natural tendency is to want to somehow punish the attacker. To do this, you must first identify the attacker, preferably accurately, or else. This is easier said than done, especially online.
 
Threat researchers have built an industry on identifying and profiling hacking groups in order to understand their methods, anticipate future moves, and develop methods for battling them. They often attribute attacks by “clustering” malicious files, IP addresses, and servers that get reused across hacking operations, knowing that threat actors use the same code and infrastructure repeatedly to save time and effort. So, when researchers see the same encryption algorithms and digital certificates reused in various attacks, for example, they tend to assume the attacks were perpetrated by the same group. 
 
The attacks last year on the Democratic National Committee, for example, were attributed to hacking groups associated with Russian intelligence based in part on analysis done by the private security firm CrowdStrike, which found that tools and techniques used in the DNC network matched those used in previous attacks attributed to Russian intelligence groups.
 
This is, of course, is much harder for the average business that cannot (and should not) spend scarce IT security budget on attribution of an attacker. It's a lot harder than it would seem. This Virus Bulletin reviews cases in which they’ve seen hackers acting on behalf of nation-states stealing tools and hijacking infrastructure previously used by hackers of other nation-states. Investigators need to watch out for signs of this or risk tracing attacks to the wrong perpetrators. Which means that attribution of an attack is hard even for those agencies with limitless funds at their disposal.
 
The WannaCry ransomware outbreak is an obvious example of malware theft and reuse. Last year, a mysterious group known as the Shadow Brokers stole a cache of hacking tools that belonged to the National Security Agency and posted them online months later. One of the tools — a so-called zero-day exploit, targeting a previously unknown vulnerability — was repurposed by the hackers behind WannaCry to spread their attack. 
 
Even assuming you were somehow able to absolutely identify the attacker as "Peilin Gu" located at "He Nan Sheng Zheng Zhou Shi Nong Ke Lu 38hao Jin Cheng Guo Ji Guang Chang Wu Hao Lou Xi Dan Yuan 2206", then what? How would you inflict retribution on this attacker? Likely as a private company, without a presence in China.
 
The rational course of action is instead to study the attack method and the target within your infrastructure and use this information to shore up defenses. You can bet that if this attacker uncovered a vulnerability in your defenses and exploited it then others of his “ilk” would follow course imminently.
 
Are you finding it hard to keep up with all the threats? Co-managed SIEM services can help. Give us a chance to show you how you can avoid empty calories and in the process, breathe a little easier.
 
 

Can you outsource the risk? Five questions to ask a managed SIEM or SOC vendor.

Given the acute shortage of security skills, managed solutions like SIEM-as-a-Service and SOC-as-a-Service such as SIEMphonic have become more widely adopted. It has proven to be an excellent way to leverage outside expertise and reduce cost, which is a challenge for companies globally. Seem too good to be true? It is and it isn’t. Regardless of how much responsibility you delegate, accountability lays firmly on the shoulders of the organization doing the delegating. What this means is that when you consider co-sourcing a critical function like security monitoring, it’s important to perform a vendor risk assessment. After all, if your vendor has a problem, then you have a problem. Their risk becomes your risk. So, what should a responsible CIO be doing? Frankly, the best time to enforce security at a service provider is before you sign the contract. Ask these questions:
  1. How seriously does the provider take security?
  2. What industry standard practices do they follow?
  3. How do they vet their staff?
  4. Are the data centers properly redundant and physically secure?
  5. Are the regularly audited by a competent external authority?
Some buyers who have a dim view of their internal commitment to the various forms of risk automatically consider that any firm that provides services for a living must inevitably have better processes and procedures than they themselves do. Careful, now. Proceed with caution – assumptions are risky too. As part of our ongoing commitment to managing risk, our SIEMphonic solutions were certified as ISO27001 compliant. We regularly audit and review our own performance and share the results with our customers every month to solicit feedback. As you think about enjoying the benefits of co-sourcing, remember: Risk cannot be outsourced.

Going Mining for Bitcoin

While you’ve been busy defending against ransomware, the bad guys have been scheming about new ways to steal from you. Let’s review a tactic seen in the news called bitcoin mining.

Hackers broke into servers hosted at Amazon Web Services (AWS) that holds information from multi-national, multi-billion-dollar companies, Aviva and Gemalto. The criminals were using computer power to mine the cryptocurrency, bitcoin.

Though anyone could try to mine bitcoin off their computer services, the process is very energy intensive, and could be costly in electricity expenses alone. But it’s worthwhile for many hackers because a successful attempt can be very lucrative.

To avoid the high cost of going at it alone, most bitcoin miners join a pool of different computers that combine their powers to solve complex algorithms. Successfully solving the problem generates a set number of new bitcoin, which are worth upwards of $4,300 each. Bitcoin can be mined until there are a total of 21 million bitcoin that exist.

How should you defend against this? Know your baseline and watch for anomalies. See how EventTracker caught a bitcoin miner, hidden behind a rarely used server dedicated for key-fob provisioning.

Bitcoin