A Case for Managed Security

Transcription

1 A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services

2 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction that leaves a system vulnerable, but looking at current trends, it s rarely a single element that causes an issue; it s a confluence of many weaknesses in an environment, often small and seemingly unimportant. Just in the first half of 2014 alone, there have been at least five major breaches, affecting large organizations and millions of people. Cyber security threats are clearly on the increase, with more reported attacks in 2014 to date than in all of 2013 combined. The nature of the attacks is changing as well, and with very damaging consequences, including the loss of key data and damaged reputations. Listening to the news every day, we are all familiar with the terrible results of security breaches and how detrimental they are to the firms or the individuals involved. What is a bit harder to piece together, however, is exactly how these security breaches occur and what you can do to protect yourself from them. 2. CYBER SECURITY THREATS IN A NUTSHELL To understand how you can better protect against, and prepare for, cyber security threats, it s important to first understand the current threat landscape. Advanced Persistent Threats and Data Exfiltration An Advanced Persistent Threat (APT) is where attackers relentlessly scope out a business or government entity over a period of time looking for an opening to infiltrate the system. Precisely because the attackers are willing to wait a long period of time for an opportunity, even up to several years, makes this threat one of the most dangerous types. Another cyber security attack technique is data exfiltration, which refers to the illegal extraction of confidential data directly from a system. In this instance, the hacker uses malicious code to collect data and slowly transfer it out to a central point. As an example of this type of breach, occurring earlier this year, ebay announced that over a period of two months, cyber criminals used a small number of compromised employee user credentials to obtain the personal account information of over 200 million users. ebay was slow to announce the discovery of this breach, leaving some people to further question their security operations. Recovering now from a damaged reputation, the breach resulted in a drastic reduction in projected sales for the year, with ebay lowering their targets by $200 million. The silver lining is that thanks to data being stored in separate encrypted databases, ebay reports there was no evidence of credit card data being compromised. The arts and crafts retailer, Michaels, and its subsidiary, Aaron Brothers, announced early in 2014 that during an eight-month period, sophisticated malware had been used to pull over 2.5 million payment card numbers and expiration dates from their point-of-sale systems. It isn t clear how exactly the point-of-sale systems were compromised, however, what is clear is that the environment was compromised for over six months without any detection, including the removal of sensitive customer data.

3 Important takeaways from these two instances: APTs imply the attacker is intent on compromising your environment and will remain persistent until successful. To counteract this, you should take a strategic, risk-based approach to protecting your organization. Clearly understand from a risk perspective what needs to be protected, continually update key systems, maintain secure configurations, and closely monitor for suspicious activity. Diligence is the key. Zero-Day Attacks In terms of IT vulnerability, an infinite amount exists that has yet to be identified by cyber security experts. These unknown potential threats lead to zero-day attacks, typically occurring in the window of time between when the vulnerability is discovered by cyber criminals and when software developers are able to identify it and take protective measures against it. For example, in April, news of the Heartbleed bug hit the world stage. Heartbleed exploited a flaw in the widely used encryption library OpenSSL, which allowed anyone to access vulnerable systems and obtain login credentials, encryption keys and other private data. This vulnerability was unique in that the flaw existed in the code for at least two years before the public was aware of it, while reports indicate the NSA, the Russian mafia, and others, were aware of the flaw for an extended period of time. Fixing this flaw was a little more difficult than the norm because administrators had to first patch their servers and then reissue the security certificates. It is believed that a large number of vulnerable servers still exist today despite the amount of education and press this flaw has been given. This reinforces the case for early detection of vulnerabilities and for the prompt remediation of those vulnerabilities, when they are discovered. A couple of things to remember: The best defense against zero-day attacks is a strong security program that uses a combination of positive and negative security models. A negative security model involves blacklisting the known bad using virus signatures, anti-spam signatures, and so on. A positive model uses a whitelisting approach of the known good. Close monitoring of critical systems can alert you to malicious activity so it can be suppressed as soon as possible. Ransomware 2014 has also been the year of Ransomware. Ransomware is a type of malware where a system, including anything from a single computer to a whole network, is taken over by an outside party. The attacker then demands a ransom before giving access back to its true owner, or risk damaging results. Although it was seen well before this year, the Cryptolocker Trojan and its variants have wreaked havoc on thousands of victims in 2014, and seem to have started an unsavory trend. Cryptolocker relies on command and control servers to provide it with encryption keys. These are public servers with which an infected system communicates. A few things to keep in mind: Prevention is key. Once your data is encrypted by an attacker, it is most likely unrecoverable.

4 Phishing s have been the primary delivery mechanism, so educating users is crucial to prevention. These are only a few examples of the security attacks that have occurred year-to-date. AOL, P.F. Chang s, Neiman Marcus, Holiday Inn and Marriott Hotels have all had their own troubles this year. But what can be done to prevent this from happening to your organization? Assuming your environment will be compromised, how do you quickly detect and respond to the attack? 3. A CASE FOR MANAGED SECURITY The best managed security solution is a 24-hour, 7-day a week, 365-day a year service provided by a firm who has deep expertise in the field of cyber security. It often includes a round-the-clock solution that uses engaged security professionals to monitor all security devices, such as firewalls, VPN devices, authentication servers, as well as servers, such as Active Directory servers, anti-virus servers and application servers. Looking at all of these devices, the service monitors how your data is accessed, as well as who accesses it. Some service solutions can also include continuous vulnerability scans, identifying areas that pose a risk to compliance or to external threats. Lastly, when a problem does arise, it provides quick identification and resolution. More specifically, a managed security solution typically has the following five functional components: 1. Security Analysts who constantly monitor your event data and the overall security landscape. 2. A Security Incident and Event Management (SIEM) component that collects and correlates security event data so that it can be acted upon. 3. A vulnerability scanner that continuously scans an environment for known vulnerabilities. 4. Configuration monitoring scans, which test an environment for system hardening issues. 5. An intrusion prevention system that blocks malicious network traffic. State-of-the-Art Tools & Engineers Typically, the service leverages state-of-the-art tools that monitor and automatically flag issues. The underlying system will include a Security Incident and Event Management (SIEM) platform used for log collection, correlation, alerting, and analysis. A SIEM is a system that collects and correlates event logs from multiple sources for the purpose of performing analysis, forensics, and troubleshooting. These events include any actions on a system that are relevant to security such as password changes, VPN connections, web logins, port scans, and denied firewall connections. Security event data is analyzed in real-time to generate alerts, create actionable cases, and provide notification to engineers. The SIEM collects information from most security devices and applications, firewalls, network equipment, Active Directory, Linux servers, and in general, anything that produces syslog output. A SIEM is a collection of valuable security events. There should also be an intrusion prevention component that analyzes network traffic and blocks malicious activity, as well as a tool that performs vulnerability and configuration monitoring scans, ensuring the environment is consistently up-to-date with the latest standards in cyber security. Cases are typically submitted to a proprietary case management system, via , a phone or by a security appliance. These cases are then assigned to an engineer, based on the required area of expertise, who will follow a case through to resolution, leveraging historical cases and client data.

5 While the technology behind managed security is important, it is the people who make the difference when it comes to cyber security. When the data from your environment is collected by the managed security service provider and then stored in their infrastructure, the security engineers are the individuals who will analyze the data. Network engineers are trained and experienced on specific network devices, systems, applications, and operating systems. They respond to and troubleshoot incidents of all types, and when necessary, escalate security issues to a Security Operations Center (SoC). SoC engineers are experts in the field of security. They are certified and experienced in information security, and are equipped to respond to security incidents and troubleshoot security-related problems. In cases where there is the absence of competent and experienced security professionals, alerts are still flagged by the control systems, but a proper and speedy response might not be taken afterward. This reinforces the need to make sure both aspects, people and tools, are state-of-the-art. Managed Security: In Practice So, what does the data flow of a managed security system look like, specifically? Your internal systems create local log data. Depending on its type, your system will either forward this log data to the data collector, or the collector will contact your system to pull the log data. The collector will then send the log data over an encrypted SSL tunnel to another system where a proprietary set of alerting rules are executed. Then, the data is stored by the service provider, often in a private cloud. In tandem, the security appliance is sniffing strategic network segments so that malicious network traffic can be detected and blocked. Events of this nature are forwarded from the Intrusion Prevention module to the collector, and on to the supervisor. Periodically, the security appliance will scan the environment looking for known security vulnerabilities and policy compliance failures. This data is retrieved by the collector, and like all other data, is analyzed by the system, reviewed by SoC personnel and acted upon. Important Aspects of a Managed Security Solution Not all managed security solutions are created equal. As such, there are a few important aspects to keep in mind when considering a service to keep your data and reputation safe: Be sure that your solution includes a dedicated engineer who will personally get to know the ins and outs of your environment. The better they know your environment, and the more dedicated they are in understanding you as a company, the easier and faster it will be for them to catch and resolve any security issues when they arise. In the case of security incidents that require human intervention, make sure your security partner will provide full management of the remediation, offering advice and guidance throughout the process. The solution must include best-of-breed security tools. Great service is not the only important factor. Enterprise-class tools provide the foundation for the attack signatures, alert algorithms, and vulner ability detection policies that are used as an important part of the service. Make sure your managed security service provider is secure. This should go without being said, if your security provider isn t secure, neither will be the work they do for you. It s important to look into what steps and certifications they take in order to protect themselves against cyber security threats. Be sure consulting services are available as well, for example, to help building incident response policies and procedures, if you don t already have them. Make sure your service level agreement (SLA) includes a target resolution time of four hours or less for critical situations.

6 4. CONCLUSION Cyber security threats are on the rise and, unfortunately, there is no fail-proof solution to protect yourself 100% against them. The best posture to adopt is one that detects and reacts appropriately through a combination of vulnerability identification, prevention techniques, and quick identification and resolution when something does occur. And since most firms don t have the bandwidth or experience to maintain a healthy security posture, oftentimes they find themselves far from the ideal situation, exposing their firms to risk as well as creating complex compliance issues. A managed security solution fills that need. It enables firms to take a strategic, risk-based approach to protection against the attacks that we are seeing today. An ideal managed security solution includes a consistent and continuous focus on the security basics, including a risk-based approach to understanding the data being protected, maintaining an effective vulnerability program, continually updating key systems, maintaining secure configurations, and closely monitoring for suspicious activity. No matter what type of cyber security threat you re concerned about, detection and appropriate reaction are key. About Agio ( Agio is a progressive Managed IT & Security Services provider, offering technology hosting, monitoring, management, disaster prevention and recovery, security, and other high-end technology services. With nearly 150 employees, Agio is headquartered in New York City with operational headquarters in Norman, OK AGIO (2446) sales@

7 AGIO (2446)