Malware isn t The only Threat on Your Endpoints

Transcription

1 Malware isn t The only Threat on Your Endpoints Key Themes The cyber-threat landscape has Overview Cybersecurity has gained a much higher profile over the changed, and so have the past few years, thanks in part to the frenzied media strategies to deal with it There is a growing insider threat attention, and is now recognised as a key issue for organisations of all types and sizes. Boards have woken up from user negligence and to the fact that cyber threats pose a serious business risk, malicious activity Lack of visibility of user activity on endpoints presents a critical blind spot to data security and are supportive of greater investment of resources and focus across their organisations to ensure that cyber security is seen as a strategic goal, and not just something that needs to be done by IT. Innovative solutions providing So too is the outlook of practitioners and vendors, with a malware visibility miss out on providing key information on user and controls new philosophy emerging based on the fact that it s not if your enterprise gets compromised, but when. This new philosophy is based on the changing cyber threat Through continuous endpoint landscape, which is now more capable of attacking your monitoring the insider threat can be mitigated, data loss can be organisation, stealthier, and capable of circumventing the traditional security controls that you have invested in. avoided, and the efficacy of existing controls and policies can In this briefing, we provide you with the historical context be verified. This enables a necessary to understand why the vendor landscape is proactive security posture which can identify or resolve issues before they become a problem, leading to a significant reduction in the cost of an incident moving in the current direction, and why the existing focus solely on endpoint malware leaves a gaping hole at the heart of your security infrastructure. A Brief History of Cyber Security The past few decades saw the security solution landscape settled on a very specific set of objectives, relying mostly on preventing access to networks and implementing highly restrictive policies. This strategy is still

2 relevant, but forward-thinking organisations are evolving their security strategies to combat new and emerging threats. This evolution is illustrated in Figure 1, which shows how security strategy is evolving over time as threat sophistication increases, moving beyond the traditional Hard Shell preventative model to harness Proactive Threat Intelligence, and ultimately to incorporate a Monitoring, Detection and Incident Response posture. The Hard Shell Over the past 20 years the majority of Cyber Security spending has been invested in preventative hard shell solutions that stop external attackers from gaining unauthorised entry to a network, utilising firewalls, IDS, and other products. This model can provide an effective security baseline as long as you take into account some of the fundamental weaknesses of the model: being reliant on highly restrictive policies that are commonly seen as a barrier to productivity and routinely circumvented by users, and the use of signature-based detection systems that are not effective for non-signature based threats, of which advanced threats are a large component. Figure 1 The Evolving Security Response Landscape

3 Proactive Threat Intelligence Under-pinning the hard-shell model is the use of antivirus products which are now known to be less than 38% effective, with 20% of all malware ever seen appearing in 2013 at a rate of 82,000 variants a day. In response to this proliferation of threats there has been an evolution in products that offer advanced malware analysis that operate on non-signature based detection. These products allow you to rapidly detect and respond to malware threats effectively. Monitoring, Detection and Incident Response The final step in the evolution of a more effective cyber security strategy. The endpoint is one of the few remaining blind spots within an organisation due to traditional focus on the network and perimeter. This lack of visibility means that an organisation is vulnerable to accidental, as well as malicious threats, and are unaware of how well their existing set of policies and controls are working. A lack of visibility creates a blind spot which in turn leads to a lack of information or feedback. Without a feedback loop, an organisation does not have the insight required when a policy needs updated or changed. Finally, in a worst case scenario, is unable to react quickly or effectively to a data breach, meaning their exposure to losses increases along with the cost of remedying the breach. Why New Solutions Miss Critical Threats Emerging vendors are starting to supply innovative solutions to help provide Monitoring, Detection and Incident Response capabilities. However, all of these solutions are typically focussed on fixing one specific problem; the threat of malware on your endpoint estate. As stated previously, traditional malware detection can be on 24% effective 1, and so there s a definite need for these new types of malware detection solutions. However, they miss out on areas of concerns relating to other important aspects of information security. By doing so, they only provide your organisation with a reactive security posture. When dealing with data loss or user threats this is often too late. By deploying a solution that can audit existing controls and provide you insights into user behaviour, you can adopt 1 A Closer Look: -Based Malware Attacks -

4 a proactive security posture, which means problems can be resolved before they escalate into security incidents, which in turn leads to a lower cost per breach. Audit of existing controls and policies You ve spent many person-hours and a significant amount of your budget, as well as your personal capital, in building the business case to purchase and deploy the controls across your enterprise s IT estate. Therefore it is critical to ensure that you are properly auditing these controls to ensure they are working effectively. Without doing so your organisation may be vulnerable due to a failed control (for example, which organisations don t have the issue of users turning off anti-virus or a firewall?) or a critical policy not being followed. Cyber security best practice has been influenced by other areas of business risk management. In this case we need to refer to a concept that has been around in the accounting profession for decades. If a control has been implemented, there needs to be an independent audit to ensure that it is functioning as intended. ZoneFox Threat Analytics Prevents 10m Theft An advanced engineering design company engaged ZoneFox to help them understand how existing controls were protecting data. After a short period of deployment, the following was revealed. A critical control had failed to prevent a user from installing a piece of backup software. The user then proceeded to use the backup software to retrieve and archive core IP, including designs and test information, worth an estimated 10m. They had handed in their resignation. The majority of information security policies depend on Without the visibility provided by automated controls being deployed, and working ZoneFox, the organisation would not effectively. However, without an independent audit, your have been able to stop the individual organisations is blind to their efficacy. or address the issues that led to the faulty control. Real-time User Threat detection Our customers, as well as the majority of organisations, can divide their users into two groups; those who make an accidental mistake that leads to a security incident; and malicious users that circumvent security on purpose.

5 By far the largest majority are those users that accidentally breach security policies. This is something that can be corrected through the use of training, awareness, and feedback. However, without the ability to monitor behaviour on the endpoint, the enterprise is unable to understand which actions need correcting. This can lead to the organisation wasting a great deal of time and effort in the implementation and repeated re-education of the workforce. With user-behaviour analysis, they can target effectively the repeat offenders. When detecting the behaviour of malicious employees, resignation events are of key concern. The 30 days after a resignation, or HR, event are crucial to increase employee monitoring to make sure they do not attempt to take company-ip with them when they leave. Continuous monitoring of user behaviour is also crucial when there is little indication an employee is considering data theft. As highlighted in the CERT Insider Threat Report 2 employees may also steal information due to external, non-obvious factors such as desire for revenge, financial gain, or coercion. ZoneFox User Behaviour Analytics Results in Policy Compliance A high-tech design client implements a policy that all employees need to encrypt data that is destined to be used on a USB drive, or other removable media. They invested in providing an encryption solution, and training their staff. However, they were unsure of how many staff members were actually encrypting data, which left them exposed to potential risk. After installing ZoneFox, they gained immediate insight into the users that persistently did not follow policy. This enabled them to intervene and provide additional training and support. Summary The cyber threat landscape has changed, and so have the strategies organisations have devised to deal with it. The traditional model of border network protection and automated fire and forget controls is no longer able to cope with the advanced threats faced by the enterprise. Endpoint visibility has been neglected and poses a blind spot to the organisation. Innovative solutions providing malware visibility miss out on providing key information on user and controls, and only allow an organisation to take a reactive posture once malware has been found. By auditing existing controls and monitoring 2 Common Sense Guide to Mitigating Insider Threats, 4 th Edition -

6 user behaviour, it s possible to take a proactive role in preventing threats, which ultimately lowers to total cost of an incident, and helps justify the ROI on existing controls and policies. About ZoneFox ZoneFox is a highly innovative Endpoint Monitoring & Threat Detection solution that helps our customers protect their business-critical assets: data and intellectual property (IP) from malicious and accidental insider threats. ZoneFox has a proven track record of protecting reputation, sales revenue, and competitive advantage by providing next generation data monitoring, security analytics and endpoint security. Through its continuous monitoring capability, ZoneFox provides a unique perspective on user activity tracking. Our lightweight software agent, resident on each machine under surveillance, monitors user behaviour as a series of fine-grained events in real-time. This provides timely threat detection of data breaches, informing and facilitating a relevant response and enabling: Policy compliance monitoring Monitoring the effectiveness of security controls Protective monitoring of user risk Data and IP Protection