Unknown Threat in Finland
- Paul Anthony
- 8 years ago
kpmg.com
Report on Study of Unknown Threat in Finland

During recent years, we have heard claims that Finland is somehow an exemplary country in information security. However, it often seems that organisations in Finland think that we are safe and that modern IT threats are not a threat to us because we are physically located far North and, in generic terms, have some of the cleanest networks in the world.

To find out whether this is true, KPMG arranged a study in which we inspected network traffic inside 10 selected Finnish organisations. The goal was to find out whether there is an unknown threat hiding inside the organisations' infrastructure that current information security solutions or practices do not detect or prevent. The study was started in August 2013 by inviting organisations to participate, and the actual data collection was carried out in November of the same year.

FireEye Inc. provided the technology that was used to analyse the network traffic, and Cybersec Oy consulted in the study.

Our conclusion from the study is that in Finnish organisations there are successful attacks ongoing that the organisations are not aware of and that are not prevented by current security solutions such as virus protection and firewalls. One of the most important things all organisations must do is to improve their ability to monitor and detect unwanted and previously unknown security issues in their networks and IT systems, and to be able to act accordingly.
Main Findings

The main finding of the study is that almost half of the participating organisations have been breached. In addition, in half of the organisations end-user devices have been exposed to modern malware despite the fact that traditional security controls are in place.

End-User Devices Exposed to Malware

We inspected network traffic inside organisations at a topological position where all network-based malware prevention solutions had already been applied to the traffic, i.e. where the solutions should already have prevented the threat. The solutions may include firewalls, IPS/IDS solutions as well as gateway-level anti-virus solutions. If the existing solutions provided efficient protection against the threats, we should have seen no malware traffic at this point.

We found that in half of the organisations, malicious traffic reached the end-user computers and was able to bypass the current network security solutions altogether. This means that, as the final protection mechanism, organisations currently rely heavily on the ability of host-based solutions to protect against these threats. It should be noted that in order for malicious traffic to have an effect on an end-user device, so that the exploit succeeds and the device is infected, the device has to be vulnerable to the specific threat and the host-based anti-malware solution must fail to prevent the infection.

Figure 1 - Organisations with Breached Hosts

Organisations Are Already Breached

When modern malware infects a computer, it usually starts sending messages to servers residing in the Internet. These servers are called Command and Control (CnC) servers, and the requests that are sent to them are called callbacks. Messages sent to CnC servers may include, for example, requests for commands to be executed on the client or other relevant information that is available on the infected computer.

The existence of callback traffic proves that there are infected, compromised computers inside the network. In this study, we identified such traffic in almost half of the organisations. In the rest of the organisations, we were unable to identify any such traffic during the analysis period, but this does not guarantee that such traffic will not be present at later stages or that these organisations are not breached.

Figure 2 - Organisations with Malware Reaching the Hosts
Parameters and Statistics of the Study

This study included 10 organisations. The participants were mainly companies listed on the Helsinki Stock Exchange (NASDAQ OMX HELSINKI). In addition, certain smaller companies with a specific interest in advanced threats were included in the study. The average number of personnel in the companies was 8500, with an average yearly turnover of 3200 million EUR. The 10 participants represented different vertical industries and can therefore be considered a valid and sufficient sample for the purposes of this study.

The focus of the study was to analyse the organisations' threat posture in Finland. Therefore, FireEye NX 7400 appliances were placed in such locations in the companies' networks that only network traffic originating in Finland was analysed (most, if not all, of the participating organisations operate in various countries). However, due to network topology and routing related issues, a limited amount of the analysed traffic originated from other countries where the participating organisations operate.

The data for the study was collected mainly between 8 November and 30 November 2013.

In this study, FireEye NX 7400 appliances were placed inside the companies' networks, between the current network security layers and the company workstations. Both incoming and outgoing traffic was mirrored to the FireEye appliance to be analysed.

Due to dynamic IP addressing and varying IP address release schemes, the exact number of workstations originating traffic during this study cannot be defined. However, based on the available log data we estimate this figure to be between individual end-points. The collective peak amount of traffic that was inspected was 1.65 Gbit/s.
Typical Attack

Modern advanced threats have an infection lifecycle with the goal of long-term control over the system. Systems are typically exploited over the web, utilising drive-by exploits or watering hole attacks. The initial exploit can also happen via a targeted spear phishing attack, easily bypassing traditional security in many cases. In the next phase, after the callback to a Command and Control (CnC) server, the malware payload is downloaded to the system, establishing control of the host. Modern malware is now installed at the kernel level, below host-based security software such as anti-virus and HIPS. Modern malware may include built-in, long-term controls for data exfiltration and remote access tools, and it may have advanced functionalities such as changing its location to avoid detection.

A typical example of a modern attack is the RSA breach (1). An e-mail with a weaponised Excel document was opened by the user, causing the initial exploit on the client. This was followed by a callback to a CnC server, from where a backdoor DLL was dropped to the client. In the last phase the client initiated communications in a secure fashion with the CnC server, enabling the attacker to control the system.

It was not tested as part of this study, but KPMG has noted in various security audits that roughly 50% of recipients in Finnish organisations click the links in e-mail messages even though the mail and the links are clearly not work-related and seem suspicious.

Effective defence against modern threats requires broad visibility of the entire attack lifecycle. This visibility provides the background needed for accuracy and the details needed for forensically understanding the attack.

(1)
Security Events

Figure 3 - Security Events by Type

We divided the security events into the following categories:

Malware objects: Malware, such as viruses and Trojans
Callbacks: Callback connection from a client to a CnC server
URL Match: A URL that is known to contain malicious content
Domain Match: DNS request to resolve a domain name that is known to contain malicious content
Browser exploit: Content that tries to take advantage of a browser vulnerability

Additionally, we divided malware objects and callbacks into known and unknown categories. The unknown category includes malware objects and callbacks that have not been observed previously but are detected by analysing their behaviour or content. They are also known as zero-day objects.
Figure 4 - Malware Objects by Type

We further divided the Malware objects category into the following types:

Trojan: Malware taking control of the client
Virus: Known virus/worm
BackDoor: Malware having full access to the client, which can be used for lateral movement
InfoStealer: Malware typically targeting financial information or users' credentials/data
Rogue Exploit Kit: Watering hole websites delivering malware via an exploit
APT: Advanced Persistent Threat (sophisticated and committed) (2)
FakeAV: Application pretending to be an anti-virus product

In figure 4, we have summarised the distribution of malware objects into their respective categories. It should be noted that the existing security controls had already been applied to the traffic we analysed.

During the data collection period (between 8 and 30 November 2013), we identified 57 malicious binaries. On 3 December 2013, we tested these binaries against virustotal.com, which can be used to test whether any of the 45 available anti-virus engines detect a malicious binary.

Figure 5 - Antivirus Response Time

It is essential for anti-virus product vendors to quickly add new malware signatures to their products so that new threats can be prevented. However, as figure 5 shows, there were 7 binaries that were not recognised by any anti-virus product at all. When analysing the performance of individual anti-virus products, there were many solutions that recognised only a few of the related threats.

(2) Malware is categorised into the APT category based on FireEye's intelligence information and knowledge of malware usage in APT campaigns.
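The analysis described above, a set of captured binaries checked against many anti-virus engines and then summarised as "how many were caught by nobody" and "how much does each engine cover", is a small amount of code once the verdicts are in hand. The following is an added example and not code from the KPMG report or from virustotal.com: the sample files, engine names and verdict matrix are all constructed, and the functions only aggregate a verdict matrix, whatever scanner produced it. It assumes the verdicts are keyed by the binary's SHA-256, which is the usual lookup key for multi-engine scanners.

```python
"""Coverage analysis of multi-engine anti-virus verdicts.

Added example, not code from the KPMG report or from virustotal.com. The
verdict matrix, engine names and sample files below are constructed; a real
run would fetch the per-engine verdicts for each binary's SHA-256 from a
multi-engine scanner and feed them into the same functions.
"""
import hashlib
from typing import Dict, List, Set

# Constructed sample files (placeholder bytes, not malware), keyed by a label.
SAMPLE_FILES: Dict[str, bytes] = {
    "sample-1": b"MZ placeholder binary one",
    "sample-2": b"MZ placeholder binary two",
    "sample-3": b"MZ placeholder binary three",
    "sample-4": b"MZ placeholder binary four",
    "sample-5": b"MZ placeholder binary five",
}

# Hypothetical engine names; a real scan reports the vendor names it ran.
ENGINES: List[str] = ["EngineA", "EngineB", "EngineC", "EngineD"]

# Constructed verdicts: label -> engines that flagged the file as malicious.
# sample-4 and sample-5 are flagged by no engine at all, the situation the
# study found for 7 of its 57 binaries.
VERDICTS: Dict[str, Set[str]] = {
    "sample-1": {"EngineA", "EngineB", "EngineC"},
    "sample-2": {"EngineA", "EngineC"},
    "sample-3": {"EngineA"},
    "sample-4": set(),
    "sample-5": set(),
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents, the key used to look up scan results."""
    return hashlib.sha256(data).hexdigest()


def undetected(verdicts: Dict[str, Set[str]]) -> List[str]:
    """Binaries that no engine recognises: invisible to signature-only defences."""
    return sorted(label for label, flagged in verdicts.items() if not flagged)


def engine_coverage(verdicts: Dict[str, Set[str]], engines: List[str]) -> Dict[str, float]:
    """Fraction of the malicious binaries each engine would have caught."""
    total = len(verdicts)
    return {
        engine: sum(1 for flagged in verdicts.values() if engine in flagged) / total
        for engine in engines
    }


def detection_histogram(verdicts: Dict[str, Set[str]]) -> Dict[int, int]:
    """How many binaries were flagged by exactly k engines; k = 0 is the zero-day bucket."""
    hist: Dict[int, int] = {}
    for flagged in verdicts.values():
        hist[len(flagged)] = hist.get(len(flagged), 0) + 1
    return dict(sorted(hist.items()))


def best_single_engine_miss_rate(verdicts: Dict[str, Set[str]], engines: List[str]) -> float:
    """Share of binaries still missed by the single best engine: the residual
    risk of relying on one anti-virus product, however well chosen."""
    coverage = engine_coverage(verdicts, engines)
    return 1.0 - max(coverage.values())


if __name__ == "__main__":
    for label, data in SAMPLE_FILES.items():
        print(f"{label} sha256={sha256_hex(data)[:16]}... flagged by {sorted(VERDICTS[label])}")
    print("undetected by every engine:", undetected(VERDICTS))
    print("per-engine coverage:", engine_coverage(VERDICTS, ENGINES))
    print("binaries by number of detecting engines:", detection_histogram(VERDICTS))
    print("miss rate of best single engine:", best_single_engine_miss_rate(VERDICTS, ENGINES))
```

The `detection_histogram` bucket for k = 0 is the number the report highlights (7 of 57 in the study); `best_single_engine_miss_rate` makes the companion point that even the strongest engine in the matrix still leaves a share of the binaries unrecognised, which is why the report argues for detection that does not rely on signatures alone.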
Figure 6 - Number of security events in organisations that have a small or medium amount of events

Figure 6 shows the number of security events by the size of the organisation (number of personnel). The figure only shows organisations that have a small or medium amount of security events. From the figure, we can conclude that in this study, covering a limited number of organisations, there is no clear connection between the organisation's size and the number of security events. However, the organisations that have a large number of security events are amongst the largest in the study.
Figure 7 - CnC Server Locations

Analysis of the Infected Hosts

We identified 220 different IP addresses generating alerts (3) within the organisations that were affected by malicious traffic. Having alerts in total means that each host created 50 alerts on average. Thus, most organisations have multiple hosts that are affected.

Since we only monitored ingress and egress traffic between the organisations' hosts and the Internet, and not the traffic between internal hosts, we were unable to monitor potentially malicious traffic within an organisation's network, between two or more internal IP addresses. Therefore it is possible that there were more infected hosts that did not initiate traffic to the Internet. In order to analyse in detail whether the affected hosts were end-user devices or servers located in the office network, a deeper analysis would be required.

Who Controls the Infected Hosts

Once a client in an internal network is infected by malware, it usually initiates a connection to so-called Command and Control (CnC) hosts. The connection can be used, for example, to inform the attacker of a successful infection, to ask for commands to be executed by the client machine, or to transfer data from the internal network to the attacker. (4)

During the study we saw that infected hosts inside the participating organisations were sending a lot of encrypted traffic to Command and Control (CnC) hosts. The content of that traffic is unknown.

The computers that are used as CnC servers are not usually owned by the attacker, but are computers that have been hacked by this third party. The locations of the CnC servers therefore do not reveal the physical location of the attacker. (4) The identified locations of the CnC servers are summarised in figure 7 (CnC Server Locations). More than 80% of the CnC servers were located in Germany, while Russia has a share of more than 8%.

(3) The same host may have had different IP addresses during the study and can trigger alerts that seem to originate from multiple hosts even though it is the same host creating the traffic. We had no means of reliably differentiating each host.

(4) FireEye has threat intelligence information that gives some indication that the main source of attack traffic is Eastern Europe, but we do not have any concrete, solid evidence of the source.
Connections to the Internet

As described above, we observed more than 6000 connections from the organisations' internal networks to the Internet (callbacks to CnC servers). Figure 8 shows the number of callback requests in the organisations that have such traffic.

It should be noted that certain malware types try to stay as silent as possible on purpose. This type of malware very seldom establishes connections to CnC servers. The implication of this is that even though the number of connections to a CnC server is small, the organisation could still be under a serious attack.

Figure 8 - Amount of Callback Events in Organisations

Modern malware programs encrypt the callback traffic, and hence we were unable to extract clear-text examples of the traffic that these callbacks included. (5) As already indicated, such callbacks may include, for example, requests for further commands or, even worse, confidential data leaking out of the organisation.

In figure 9, we have summarised the target TCP ports used by the malware to connect to the CnC servers. The callback traffic almost always uses port 80 and HTTP connections. This is most probably due to the fact that it is the easiest way to connect outside: port 80 is not usually blocked by firewalls. This is also one of the main reasons why traditional firewalls are becoming obsolete.

Figure 9 - Callback Ports

(5) There is an amount of data which allows unauthorised transmission of important corporate secrets, such as IPR. However, analysis of the specific data in question was not directly within the scope of this report. Important corporate secrets may consist of e.g. user identities, security management details, plain documents, database dumps etc. Some of the transmissions used encryption to protect data in transit.
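Because the callback payloads were encrypted, the signal the sections on infected hosts and on connections to the Internet rely on is connection metadata: which internal host talks to which external address and port, how often, and how regularly. The following added example (not code from the report, and not the output format of any FireEye appliance) shows the simplest version of that analysis over a constructed egress connection log: it groups connections into (source, destination, port) flows, flags flows whose inter-connection gaps are nearly constant as beacon-like callbacks, and then produces the same kind of summary the report gives, namely distinct affected hosts, alerts per host and the destination ports used. The log format, addresses (RFC 1918 and TEST-NET documentation ranges) and thresholds are all assumptions.

```python
"""Beacon-style callback detection over an egress connection log.

Added example, not code from the KPMG report or from FireEye. The log lines,
their format and the thresholds are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed egress log: one outbound connection per line, as it would be seen
# at the point where the appliance sat, between the security stack and the
# workstations. 10.0.0.5 and 10.0.0.12 beacon to 203.0.113.7 at a steady rate;
# 10.0.0.9 browses 198.51.100.2 at irregular times.
SAMPLE_LOG = """\
2013-11-12T09:00:00 src=10.0.0.5 dst=203.0.113.7 dport=80
2013-11-12T09:00:00 src=10.0.0.9 dst=198.51.100.2 dport=443
2013-11-12T09:00:30 src=10.0.0.9 dst=198.51.100.2 dport=443
2013-11-12T09:05:00 src=10.0.0.5 dst=203.0.113.7 dport=80
2013-11-12T09:10:02 src=10.0.0.5 dst=203.0.113.7 dport=80
2013-11-12T09:12:00 src=10.0.0.5 dst=198.51.100.9 dport=80
2013-11-12T09:15:01 src=10.0.0.5 dst=203.0.113.7 dport=80
2013-11-12T09:15:30 src=10.0.0.9 dst=198.51.100.2 dport=443
2013-11-12T09:16:15 src=10.0.0.9 dst=198.51.100.2 dport=443
2013-11-12T09:20:02 src=10.0.0.5 dst=203.0.113.7 dport=80
2013-11-12T09:25:02 src=10.0.0.5 dst=203.0.113.7 dport=80
2013-11-12T09:40:00 src=10.0.0.5 dst=198.51.100.9 dport=80
2013-11-12T09:46:15 src=10.0.0.9 dst=198.51.100.2 dport=443
2013-11-12T10:00:00 src=10.0.0.12 dst=203.0.113.7 dport=443
2013-11-12T10:01:00 src=10.0.0.12 dst=203.0.113.7 dport=443
2013-11-12T10:02:00 src=10.0.0.12 dst=203.0.113.7 dport=443
2013-11-12T10:03:00 src=10.0.0.12 dst=203.0.113.7 dport=443
2013-11-12T10:04:00 src=10.0.0.12 dst=203.0.113.7 dport=443
"""

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)


def parse_log(text: str) -> List[Tuple[datetime, Flow]]:
    """Parse the constructed 'timestamp key=value ...' lines into (time, flow) pairs."""
    events: List[Tuple[datetime, Flow]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append((datetime.fromisoformat(stamp), (kv["src"], kv["dst"], int(kv["dport"]))))
    return events


def find_beacons(events: List[Tuple[datetime, Flow]], min_count: int = 4,
                 max_cv: float = 0.2) -> Dict[Flow, Dict[str, float]]:
    """Flag flows whose connection gaps are nearly constant.

    Periodicity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections; human browsing is bursty and
    scores high, a timer-driven callback scores near zero. Payload content is
    never needed, which is what makes this usable on encrypted callbacks.
    """
    by_flow: Dict[Flow, List[datetime]] = defaultdict(list)
    for stamp, flow in events:
        by_flow[flow].append(stamp)
    beacons: Dict[Flow, Dict[str, float]] = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:  # too few connections to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons[flow] = {"count": len(stamps), "mean_interval": mean_gap, "cv": cv}
    return beacons


def summarise(beacons: Dict[Flow, Dict[str, float]]) -> dict:
    """Distinct affected hosts, callback events per host and destination ports per flow."""
    hosts = {src for (src, _, _) in beacons}
    total = sum(int(b["count"]) for b in beacons.values())
    ports: Dict[int, int] = defaultdict(int)
    for (_, _, dport) in beacons:
        ports[dport] += 1
    return {
        "hosts": len(hosts),
        "events": total,
        "events_per_host": total / len(hosts) if hosts else 0.0,
        "ports": dict(ports),
    }


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for flow, stats in found.items():
        print(flow, stats)
    print(summarise(found))
```

The `min_count` threshold is exactly where the report's caveat about silent malware bites: a sample that calls home only a handful of times during the capture window never accumulates enough connections to be judged, so lowering the threshold trades false positives on ordinary traffic for a chance at catching it. The destination-port summary reproduces the observation behind figure 9 (callbacks concentrated on ports 80 and 443), and the distinct-host count is subject to the same DHCP ambiguity the report notes in footnote (3), since it keys on source IP address rather than on a stable host identity.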
The Business Perspective

In the chapters above, we have analysed the state of the unknown threat from the technical perspective. In addition to the impact on the technical side, the issue has a significant business impact for the following key reasons (6):

False feeling of security. The study showed that many organisations are dependent on traditional security controls and believe that those will protect them sufficiently. The study showed that this is not the case.

Direct losses to business functions. Competitors may get valuable information by eavesdropping on the organisation's information. It may contain, for example, R&D information or price information during competitive bidding. Additionally, the malware could destroy data inside the organisation, which may be costly to re-create. It is also possible that because of the breach, the company has to pay fines or compensation to a third party. The European Union is currently preparing to introduce directives that may lead to significantly more substantial fines, especially in data privacy cases.

Indirect losses to business functions. Information security incidents may lead to loss of reputation, which may have an indirect effect on business.

IT costs related to an incident. Even if the incident does not have a direct effect on business functions, it may be costly to remediate. Some IT functions may be limited during the clean-up, it may require many man-days to remove the malware, and it will be very difficult to determine when the environment has been properly cleaned up after the incident.

From the results of our study, especially in the cases of organisations with widespread problems, it is clear that the unknown threat has business implications. Of the costs listed above, especially the first three are hard to quantify, and it is hard to introduce these types of threats into organisations' risk management processes. It is therefore possible that even though the IT function would see the benefit of enhancing protection against unknown threats, justifying the cost can be very hard. The results of this study and the recent security breaches and issues covered by the media should help in justifying security investments.

If the unknown threat remains unknown to the business, it may mean that information security is managed by assuming that the organisation does not have any widespread problems and that existing security controls are enough to protect the organisation. In addition to identifying the threats, it is important to identify and evaluate the value of business information so that the assets can be properly protected. We acknowledge that even if this sounds easy, it is far from it.

(6) In the study, we only obtained technical data and did not even try to correlate it with business losses. For this reason, this chapter gives a general business view from the perspective of the study.
Solutions to Threats

The study shows that there are threats and ongoing attacks in the organisations. It is clear that organisations must better ensure that their protection is up to date and that they have visibility into ongoing attacks. (7)

In the study, we identified malware traffic that should have been filtered out by traditional network-level anti-virus solutions or prevented by a host-based anti-virus solution. In practice this means that the traditional solutions are not up to date or are otherwise incapable of mitigating the threat. In order to prevent attacks, organisations should ensure that basic information security controls are applied in a constant and ongoing manner. (8)

In addition to known attack traffic, we identified plenty of zero-day attack traffic. This means that traditional solutions are not sufficient to prevent modern threats. If organisations want to have better control over their information assets, they should monitor the network and use modern solutions that do not rely on signatures only. (9)

In addition to technical security controls, organisations should teach their personnel how to use computers in compliance with the organisation's information security policy. If employees use computers without any concern for security, it makes an attacker's task too easy.

It should be noted that adding a technical solution to the organisation's network is always a risk in itself, even if the purpose of the solution is to improve information security. Often, information security solutions have access to a large amount of the organisation's data. Therefore, when implementing such solutions, organisations should take the risks into consideration and implement only solutions that are used optimally. (10)

(7) In this study, we did not correlate the current information security solutions with the attack traffic. This is an interesting area for further research.

(8) Basic information security controls include, for example, secure software, patch management, password policies and the like. An example of a comprehensive list of security controls is ISO/IEC

(9) Many of the current anti-virus providers claim that their products are not using only signatures but also more advanced methods. However, as this study shows, those methods currently implemented in anti-virus solutions are far from effective.

(10) An example of non-optimal use is a solution that is used to monitor the state of information security while no one is actually using the solution actively (inspecting the events and acting on them).
Conclusions

KPMG arranged a study to clarify the state of the unknown information security threat in Finland. In the study, we monitored the network traffic in 10 organisations and used state-of-the-art technology to find attack traffic. The main finding of the study is that almost half of the case organisations in the scope of the study are already breached. This means that organisations in Finland cannot trust that their information assets are secured.

In the study, we noticed that there is a lot of malicious zero-day traffic that is impossible to detect using traditional information security solutions. In addition to this advanced threat, there is also known malicious traffic that should not exist if the already installed solutions worked properly. Organisations should investigate whether their protection mechanisms are sufficient in today's interconnected world, where attacks are growing in complexity.

Information security attacks may have a significant business impact. Therefore, it is essential that IT and business functions have a regular dialogue on the state of information security and handle information security risks as part of day-to-day risk management.

As a summary, all organisations should at least consider and do the following:

Verify that basic information security controls are implemented and maintained properly
Verify that end-user devices are properly maintained and updated. This also includes all applications such as Java, PDF readers, media players, browsers and so on
Raise end-user and C-level awareness of current cyber security threats and their impacts
Improve their ability to detect unwanted actions in their networks and IT systems
Improve their ability to react to unwanted actions they detect
Do not have a false feeling of security due to implemented preventative controls: they fail to mitigate all the risks
Matti Järvinen
Head of Technical Security Services
Management Consulting
T: +358 (0)
E:

Mika Laaksonen
Head of Information Security Services
Management Consulting
T: +358 (0)
E:

KPMG Oy Ab, a Finnish limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks or trademarks of KPMG International Cooperative, a Swiss entity.
The Ostrich Effect In Search Of A Realistic Model For Cybersecurity 1 Contents Introduction 3 Threats Stealthy, Sophisticated & Successful 4 Operation Beebus 5 G20 Brisbane 2014 6 Redefining the Debate
More informationHost-based Intrusion Prevention System (HIPS)
Host-based Intrusion Prevention System (HIPS) White Paper Document Version ( esnhips 14.0.0.1) Creation Date: 6 th Feb, 2013 Host-based Intrusion Prevention System (HIPS) Few years back, it was relatively
More informationUNCLASSIFIED. http://www.govcertuk.gov.uk. General Enquiries. Incidents incidents@govcertuk.gov.uk Incidents incidents@govcertuk.gsi.gov.uk.
Version 1.2 19-June-2013 GUIDELINES Incident Response Guidelines Executive Summary Government Departments have a responsibility to report computer incidents under the terms laid out in the SPF, issued
More informationBreach Found. Did It Hurt?
ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many
More informationUncover security risks on your enterprise network
Uncover security risks on your enterprise network Sign up for Check Point s on-site Security Checkup. About this presentation: The key message of this presentation is that organizations should sign up
More informationSPEAR PHISHING AN ENTRY POINT FOR APTS
SPEAR PHISHING AN ENTRY POINT FOR APTS threattracksecurity.com 2015 ThreatTrack, Inc. All rights reserved worldwide. INTRODUCTION A number of industry and vendor studies support the fact that spear phishing
More informationComparison of Firewall, Intrusion Prevention and Antivirus Technologies
White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda
More informationCarbon Black and Palo Alto Networks
Carbon Black and Palo Alto Networks Bring Together Next-Generation Endpoint and Network Security Solutions Endpoints and Servers in the Crosshairs of According to a 2013 study, 70 percent of businesses
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationThe Federal CISO Dilemma. You have to do FISMA. You must defend against cyber threats.
The Federal CISO Dilemma You have to do FISMA. You must defend against cyber threats. October 2012 Executive Summary Federal CISOs face a unique cyber security challenge copious amounts of regulatory compliance
More informationDefending Against. Phishing Attacks
Defending Against Today s Targeted Phishing Attacks DeFending Against today s targeted phishing attacks 2 Introduction Is this email a phish or is it legitimate? That s the question that employees and
More informationYou ll learn about our roadmap across the Symantec email and gateway security offerings.
#SymVisionEmea In this session you will hear how Symantec continues to focus our comprehensive security expertise, global intelligence and portfolio on giving organizations proactive, targeted attack protection
More informationENABLING FAST RESPONSES THREAT MONITORING
ENABLING FAST RESPONSES TO Security INCIDENTS WITH THREAT MONITORING Executive Summary As threats evolve and the effectiveness of signaturebased web security declines, IT departments need to play a bigger,
More informationFireEye Advanced Threat Report 1H 2012
FireEye Advanced Threat Report 1H 2012 FireEye, Inc. FireEye Advanced Threat Report 1H 2012 1 Advanced Threat Report Contents Inside This Report 2 Executive Summary 2 Finding 1 3 Explosion in Advanced
More informationSymantec Advanced Threat Protection: Network
Symantec Advanced Threat Protection: Network DR150218C April 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 2.1 Products Tested... 4 2.2. Malware Samples... 5 3.0 How
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More informationADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper
ADVANCED THREATS IN THE ENTERPRISE Finding an Evil in the Haystack with RSA ECAT White Paper With thousands of workstations and servers under management, most enterprises have no way to effectively make
More informationCHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC
: INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations
More informationREPORT FIREEYE ADVANCED THREAT REPORT 1H 2012 SECURITY REIMAGINED
REPORT FIREEYE ADVANCED THREAT REPORT 1H 2012 SECURITY REIMAGINED CONTENTS Inside This Report...3 Executive Summary...3 Finding 1 Explosion in Advanced Malware Bypassing Traditional Signature-Based Defenses...4
More informationPractical Threat Intelligence. with Bromium LAVA
Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful
More informationIBM Security QRadar QFlow Collector appliances for security intelligence
IBM Software January 2013 IBM Security QRadar QFlow Collector appliances for security intelligence Advanced solutions for the analysis of network flow data 2 IBM Security QRadar QFlow Collector appliances
More informationAdvanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series
Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series Whitepaper Advanced Threat Detection: Necessary but Not Sufficient 2 Executive Summary Promotion
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationThe Benefits of SSL Content Inspection ABSTRACT
The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic
More informationRSA Security Anatomy of an Attack Lessons learned
RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack
More informationTop tips for improved network security
Top tips for improved network security Network security is beleaguered by malware, spam and security breaches. Some criminal, some malicious, some just annoying but all impeding the smooth running of a
More informationSecuring Cloud-Based Email
White Paper Securing Cloud-Based Email A Guide for Government Agencies White Paper Contents Executive Summary 3 Introduction 3 The Risks Posed to Agencies Running Email in the Cloud 4 How FireEye Secures
More informationSecure Your Mobile Workplace
Secure Your Mobile Workplace Sunny Leung Senior System Engineer Symantec 3th Dec, 2013 1 Agenda 1. The Threats 2. The Protection 3. Q&A 2 The Mobile Workplaces The Threats 4 Targeted Attacks up 42% in
More informationProtecting Your Data, Intellectual Property, and Brand from Cyber Attacks
White Paper Protecting Your Data, Intellectual Property, and Brand from Cyber Attacks A Guide for CIOs, CFOs, and CISOs White Paper Contents The Problem 3 Why You Should Care 4 What You Can Do About It
More informationLASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains
LASTLINE WHITEPAPER Using Passive DNS Analysis to Automatically Detect Malicious Domains Abstract The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way
More informationTHREAT VISIBILITY & VULNERABILITY ASSESSMENT
THREAT VISIBILITY & VULNERABILITY ASSESSMENT Date: April 15, 2015 IKANOW Analysts: Casey Pence IKANOW Platform Build: 1.34 11921 Freedom Drive, Reston, VA 20190 IKANOW.com TABLE OF CONTENTS 1 Key Findings
More informationTechnology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications
Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security
More informationWhen attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher
TrendLabs When attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher Advanced persistent threats (APTs) refer to a category
More informationCombating a new generation of cybercriminal with in-depth security monitoring
Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.
More informationAnalyzing HTTP/HTTPS Traffic Logs
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
More informationContent-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.
Content-ID Content-ID enables customers to apply policies to inspect and control content traversing the network. Malware & Vulnerability Research 0-day Malware and Exploits from WildFire Industry Collaboration
More informationCombating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center
Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored. It takes an average
More informationTargeted attacks: Tools and techniques
Targeted attacks: Tools and techniques Performing «red-team» penetration tests Lessons learned Presented on 17/03/2014 For JSSI OSSIR 2014 By Renaud Feil Agenda Objective: Present tools techniques that
More informationBeyond the Hype: Advanced Persistent Threats
Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,
More informationThreat Landscape. Threat Landscape. Israel 2013
Threat Landscape Threat Landscape Israel 2013 Document Control Document information Version Title Creation Date Revision Date 1.4 Threat Intelligence / Israel 2013 17 January 2014 27 January 2014 Contact
More informationDRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario
DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? Drive-by Downloads are a common technique used by attackers to silently install malware on a victim s computer. Once a target website has been weaponized with
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationCovert Operations: Kill Chain Actions using Security Analytics
Covert Operations: Kill Chain Actions using Security Analytics Written by Aman Diwakar Twitter: https://twitter.com/ddos LinkedIn: http://www.linkedin.com/pub/aman-diwakar-ccie-cissp/5/217/4b7 In Special
More informationSecuring the endpoint and your data
#SymVisionEmea #SymVisionEmea Securing the endpoint and your data Piero DePaoli Sr. Director, Product Marketing Marcus Brownell Sr. Regional Product Manager Securing the Endpoint and Your Data 2 Safe harbor
More informationThings To Do After You ve Been Hacked
Problem: You ve been hacked! Now what? Solution: Proactive, automated incident response from inside the network Things To Do After You ve Been Hacked Tube web share It only takes one click to compromise
More informationAddressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
More informationSurvey: Endpoint Security Concerns 2014 The issues keeping IT admins awake into the New Year
Survey: Endpoint Security Concerns 2014 The issues keeping IT admins awake into the New Year Intro 2014 has created uncertainty for those in charge of IT security. Not only is the threat landscape advancing
More informationIntrusion Defense Firewall
Intrusion Defense Firewall Available as a Plug-In for OfficeScan 8 Network-Level HIPS at the Endpoint A Trend Micro White Paper October 2008 I. EXECUTIVE SUMMARY Mobile computers that connect directly
More informationThe Value of QRadar QFlow and QRadar VFlow for Security Intelligence
BROCHURE The Value of QRadar QFlow and QRadar VFlow for Security Intelligence As the security threats facing organizations have grown exponentially, the need for greater visibility into network activity
More informationCisco Advanced Malware Protection
Solution Overview Cisco Advanced Malware Protection Breach Prevention, Detection, Response, and Remediation for the Real World BENEFITS Gain unmatched global threat intelligence to strengthen front-line
More informationWHAT S NEW IN WEBSENSE TRITON RELEASE 7.8
WHAT S NEW IN WEBSENSE TRITON RELEASE 7.8 Overview Global organizations are constantly battling with advanced persistent threats (APTs) and targeted attacks focused on extracting intellectual property
More informationSIEM is only as good as the data it consumes
SIEM is only as good as the data it consumes Key Themes The traditional Kill Chain model needs to be updated due to the new cyber landscape A new Kill Chain for detection of The Insider Threat needs to
More informationAgenda. 3 2012, Palo Alto Networks. Confidential and Proprietary.
Agenda Evolution of the cyber threat How the cyber threat develops Why traditional systems are failing Need move to application controls Need for automation 3 2012, Palo Alto Networks. Confidential and
More informationArchitecture. The DMZ is a portion of a network that separates a purely internal network from an external network.
Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part
More informationGetting Ahead of Malware
IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,
More informationIncident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com
Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices
More informationSECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION
SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION How ThreatBLADES add real-time threat scanning and alerting to the Analytics Platform INTRODUCTION: analytics solutions have become an essential weapon
More informationWEB ATTACKS AND COUNTERMEASURES
WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
More informationSPEAR PHISHING UNDERSTANDING THE THREAT
SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business
More informationSYMANTEC ENDPOINT PROTECTION SMALL BUSINESS EDITION
SYMANTEC ENDPOINT PROTECTION SMALL BUSINESS EDITION Frequently Asked Questions WHAT IS SYMANTEC ENDPOINT PROTECTION SMALL BUSINESS EDITION 1? Symantec Endpoint Protection Small Business Edition is built
More informationHow Attackers are Targeting Your Mobile Devices. Wade Williamson
How Attackers are Targeting Your Mobile Devices Wade Williamson Today s Agenda Brief overview of mobile computing today Understanding the risks Analysis of recently discovered malware Protections and best
More informationMalware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction
More informationThe Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud
The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery
More informationCritical Security Controls
Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security
More information13 Ways Through A Firewall
Industrial Control Systems Joint Working Group 2012 Fall Meeting 13 Ways Through A Firewall Andrew Ginter Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright
More information