Guidance Software Whitepaper

Point-of-Sale Systems Endpoint Malware Detection and Remediation
Executive Summary

Point-of-Sale (POS) device vulnerabilities and fraud at storefront and retail sites have made merchants of every size nervous about controls over devices and data. The fact is that the entire connected world is vulnerable to cyber-attack, but a rash of recent data breaches in the retail sector clearly demonstrates the heightened and more financially intensive risks associated with POS systems. High-profile breaches at Target last December and more recently at Home Depot were the result of compromised POS systems. Hackers stole card numbers from Target and Home Depot using malware that scraped unencrypted data from the memory of their payment systems before it was encrypted for transmission to credit-card payment processors.

Gartner asserts that effectively dealing with advanced threats that bypass traditional signature-based approaches will require monitoring, detection and response capabilities at endpoints. [1]

This paper sheds some light on the POS-device threat landscape and on how to overcome those issues and mitigate threats through proactive endpoint detection and response. EnCase products provide capabilities to effectively manage both the detection of active malware processes and the protection of personally identifiable information (PII). This paper addresses the root of the problem and focuses on malware. An actual user scenario illustrates how EnCase Cybersecurity is used to expose, detect and remediate malware threats on POS systems. Previous papers, such as the recently published whitepaper Locating and Wiping Credit Card Data from Unauthorized Locations with EnCase Cybersecurity, specifically address the data, while others, such as Endpoint Security Analytics with EnCase Analytics, focus on proactive threat hunting.

Introduction

Over the past few years, the news has featured a seemingly unending parade of data breaches, virtually all of which began on compromised endpoints.
It's understandable why attackers have set their sights on POS system endpoints. They fulfill the specialized purpose of processing and transmitting payment transactions, through which a massive volume of credit card data and other personally identifiable information (PII) passes, creating a lucrative opportunity to mine a rich field of valuable data from a system with three inherent vulnerabilities. It is a daunting task to enforce policies and best practices on each of those POS endpoints, and even more difficult to see patterns that indicate potential issues. There are three vulnerabilities and corresponding challenges in accomplishing POS security and management and PCI compliance:

1. An essential business requirement for POS systems is a network connection in order to communicate with corporate systems and/or external credit card processors.
2. Though purpose-built, most POS terminals use embedded versions of Windows or Linux, making them vulnerable to malware.
3. POS systems are difficult to secure and manage due to their role and exposed remote locations.

The key differentiator of EnCase products is the in-depth visibility into the endpoint, which is essential to addressing these particular issues. With EnCase Cybersecurity, security analysts and incident responders can view open ports, compare them to known healthy states, and easily determine which activities and processes are unauthorized. They can also centrally manage endpoints and easily narrow down the list of running processes, open ports, open files, and hashes that are uniquely present on a potentially compromised endpoint.

[1] Market Guide for Endpoint Detection and Response Solutions, Gartner, 2014
Problem Statement as Defined by Analysts

POS endpoints are vulnerable and threats are mounting. As Enterprise Strategy Group (ESG) acknowledged in a recent brief, POS systems in particular represent a mounting and much more lucrative target for cyber criminals, and the majority of security professionals agree that the malware threat landscape is growing increasingly dangerous each year. [2]

The past several Data Breach Investigations Reports (DBIR) published by Verizon have addressed POS intrusions and the general threat landscape for POS systems. The most common malware types used were RAM scrapers, followed by Trojan horses like Zeus. The top ten POS threat action varieties cited by Verizon are shown in Figure 1. [3]

Figure 1: Excerpt from the Verizon 2014 DBIR report indicating top malware threats to POS devices.

Interestingly, the top three actions illustrated in Figure 1 are all related. The perpetrators scan the Internet for open remote-access ports and, if the script identifies a device as a POS terminal, issue likely credentials (brute force) to access the device. They then install malware (RAM scraper) to collect and exfiltrate (export data) payment-card information.

Malware Detection and Remediation

Malware often finds its way onto POS endpoints through non-POS-specific applications. It is generally standard operating procedure to restrict the installation and use of unapproved applications on POS devices, but clearly it is still occurring with alarming frequency. Audits often uncover browsers, office-productivity applications, user-created documents, and games. EnCase products simplify these audits as well as the restoration of systems to a state of compliance. Unlike applications, however, malware is deceptive and disguises itself.

[2] 2014, ESG Brief, Guidance Software Can Enhance Incident Detection and Response for POS Systems.
Anti-malware technologies block known malware scripts and macros, and administrators can create policies to block specific applications, but there are no guarantees that even known applications will be blocked. Signature-based systems identify known threats, but unknown processes commonly escape detection. Unknown applications and processes pose yet another threat, and remediation adds a further level of complexity. Exacerbating the problem, there can be hundreds of processes running on thousands of machines in the enterprise, and malware tends to spread stealthily from machine to machine.

[3] 2014, Verizon Data Breach Investigations Report.
How EnCase Cybersecurity Works in the POS Environment

With EnCase Cybersecurity, organizations can overcome these issues and mitigate the financial risks through endpoint enforcement. In addition, with EnCase Cybersecurity, organizations can confirm the compromise, assess the scope of impact, kill malicious processes, and wipe offending files remotely with no disruption to business operations.

Figure 2: EnCase Cybersecurity process diagram for assessing anomalous activities on POS devices.

Sony called on Guidance Software to help investigate the data breaches that compromised the user account information of more than 100 million of its customers in the infamous PlayStation hack.

Use Case

Recently, a well-publicized polymorphic (constantly evolving) worm tunneled its way through one POS endpoint deep into the home offices of a large retail company and began spreading from there to other POS endpoints throughout the network. The malware was designed to expose vulnerabilities and enable exfiltration of credit-card and other sensitive information from endpoints through remote connections.

IT considered monitoring traffic with intrusion detection, identifying suspicious systems, sending an administrator to each machine, diagnosing the ports and processes used, and creating a custom signature for each instance of the malware. Then, they would wipe and reimage each infected system. This slow and expensive option would leave the company chasing an ever-elusive worm, and would also necessitate downtime that the company couldn't accept. With dozens of subnets, each with hundreds of hosts scattered at sites across the country, there was little hope of complete remediation.

EnCase Cybersecurity in Action

EnCase Cybersecurity is deployed and managed centrally. Servlets are pushed out to run complete scans of all endpoints. There were thousands of endpoints on 45 subnets, so the InfoSec team elected to run scans and analyze one subnet at a time to simplify the task.
Scans averaged about 30 minutes per subnet. The Incident Response team anticipated only a few errant processes that they would be able to identify as malware. In actuality, the scans identified 271 suspicious processes on 150 terminals across the network. Reports provided the team with valuable information including host, process and instance names, executable hash, and a host of other information that can be added to blacklists and other preventive mechanisms. An example of the report is shown in Figure 3.
Figure 3: The Snapshot feature allows incident response teams to identify suspicious DLLs, ports, processes, and other pertinent data on each endpoint.

This was far more complex than originally expected, which prompted further analysis. Through EnCase Cybersecurity, the team securely contained the processes, collected logical evidence from the running files and processes to fully characterize the actions of the worm for future reference, and then fully remediated all instances of the worm by hash throughout the network without any downtime. Through EnCase Cybersecurity, the Incident Response team:

a. Detected the source and any unauthorized processes resulting from the infection
b. Detected any errant outbound data connections resulting from the infection
c. Remediated all suspicious processes
d. Restored all infected POS devices without disrupting operations
e. Securely wiped all instances of errant sensitive data

With EnCase Cybersecurity, processes were quickly and effectively remediated.

Figure 4: The EnCase Cybersecurity Remediate Job capability enables quick termination of threats. Users have the option to kill the process only, or to remediate the file with which the process is associated and kill the process.
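The snapshot triage described in the introduction and in this use case (running processes, listening ports and executable hashes compared against a known-healthy state, hashes unique to one endpoint or drifting under a constant process name flagged, and the result fed to remediation by hash) as an added Python example. This is illustrative code written for this page, not EnCase's own logic or EnScript; the hostnames, process names, ports and hashes are constructed sample data.

```python
"""Added example: baseline comparison of endpoint snapshots (not EnCase code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    name: str
    sha1: str                        # hash of the executable image on disk
    ports: frozenset = frozenset()   # listening TCP ports owned by the process

# Constructed sample data (hypothetical): the known-healthy POS image and
# snapshots from three terminals. pos-002 and pos-003 both run an unknown
# "winupd.exe" listening on 4444 but with different hashes, which is how a
# polymorphic worm looks across a fleet.
BASELINE = {Proc("posapp.exe", "aaa111", frozenset({8443})),
            Proc("svchost.exe", "bbb222", frozenset({135}))}
SNAPSHOTS = {
    "pos-001": set(BASELINE),
    "pos-002": BASELINE | {Proc("winupd.exe", "ccc333", frozenset({4444}))},
    "pos-003": BASELINE | {Proc("winupd.exe", "ddd444", frozenset({4444}))},
}

def unknown_processes(snapshot, baseline):
    """Processes whose (name, hash) pair is absent from the healthy baseline."""
    known = {(p.name, p.sha1) for p in baseline}
    return sorted((p for p in snapshot if (p.name, p.sha1) not in known),
                  key=lambda p: p.name)

def unexpected_ports(snapshot, baseline):
    """Listening ports no baseline process opens, mapped to the owning process."""
    allowed = set().union(*(p.ports for p in baseline))
    return {port: p.name for p in snapshot for port in p.ports if port not in allowed}

def rare_hashes(snapshots, max_hosts=1):
    """Executable hashes present on at most max_hosts endpoints in the fleet."""
    hosts_per_hash = Counter(h for procs in snapshots.values()
                             for h in {p.sha1 for p in procs})
    return {h for h, n in hosts_per_hash.items() if n <= max_hosts}

def polymorphic_names(snapshots):
    """Process names that resolve to more than one hash across the fleet."""
    hashes = defaultdict(set)
    for procs in snapshots.values():
        for p in procs:
            hashes[p.name].add(p.sha1)
    return {n: h for n, h in hashes.items() if len(h) > 1}

def triage(snapshots, baseline):
    """Per-host findings for a remediate-by-hash job; clean hosts are omitted."""
    findings = {}
    for host, procs in snapshots.items():
        unknown, ports = unknown_processes(procs, baseline), unexpected_ports(procs, baseline)
        if unknown or ports:
            findings[host] = {"kill_hashes": sorted(p.sha1 for p in unknown), "ports": ports}
    return findings
```

A real deployment would collect the snapshots from the endpoint agent and keep the baseline per POS image version, since a legitimate update also changes hashes.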
Summary

POS devices are a popular, abundant and vulnerable target, and organizations are encumbered with logistical difficulties protecting these data-rich systems. The only way to effectively mitigate the cost of downtime and reimaging, and the risk of loss of sensitive data in remote locations, is to go to the source: the endpoints. EnCase technology, built on the foundational lightweight, passive servlet component on the endpoint, is the proven solution for threat hunting, remediation, sensitive data discovery, and secure removal. EnCase products are proven inside more than 70 percent of the Fortune 100, and in national and local government agencies worldwide. EnCase products reduce the time it takes to locate sensitive data, prepare for impending litigation, and enforce regulatory and policy compliance.

With EnCase Cybersecurity and EnCase Analytics, organizations can reduce the time and cost associated with data discovery processes that don't easily scale and for which policies tend to be difficult to enforce. Regular system integrity assessments and data audits substantially shrink the chance of data loss, and EnCase products enable organizations to effectively accomplish these otherwise excessively difficult tasks. The forensic-grade features offered by EnCase Cybersecurity enable security teams to establish defensible, repeatable policy-enforcement processes, including follow-up audits that provide proof of compliance. In addition, the scheduling capability facilitates automation with web-based reviewing for remote monitoring.

The EnCase servlet enables security teams to maintain productivity during detection and remediation because it requires no business interruption. EnCase products save on costs associated with traditional remediation downtime, operating in the background to achieve maximum results. Sensitive data can be located and wiped, including documents, e-mail, and e-mail attachments, anywhere on any network endpoint.
Tools that can detect which endpoints contain regulated data, such as personally identifiable information (PII), are particularly important. [4]

The customer featured in this use case knows that information security breaches are inevitable, which is why they adopted a proactive posture based on this assumption. As a result, they can now contain the risk of data loss and shrink the attack surface.

For additional information on EnCase Cybersecurity, or for details, additional case studies, videos, webinars, and statistics on detection and remediation of sensitive data, visit www.guidancesoftware.com/cybersecurity.

[4] 2014 SANS Report, The Case for Endpoint Visibility
Our Customers

Guidance Software customers are corporations and government agencies in a wide variety of industries, such as financial and insurance services, technology, defense contracting, pharmaceutical, manufacturing and retail. Representative customers include Allstate, Chevron, FBI, Ford, General Electric, Honeywell, NATO, Northrop Grumman, Pfizer, SEC, UnitedHealth Group, and Viacom.

About Guidance Software (NASDAQ: GUID)

Guidance Software is recognized worldwide as the industry leader in endpoint investigation solutions for security incident response and forensic analysis. Its EnCase Enterprise platform, deployed on an estimated 20 million endpoints, is used by more than 70 percent of the Fortune 100, more than 50 percent of the Fortune 500, and numerous government agencies to conduct digital investigations of servers, laptops, desktops and mobile devices. Built on the EnCase Enterprise platform are market-leading cyber security and electronic discovery solutions: EnCase Cybersecurity, EnCase Analytics, and EnCase eDiscovery. They empower organizations to conduct speedy and thorough security incident response, reveal previously hidden advanced persistent threats or malicious insider activity, perform sensitive data discovery for compliance purposes, and respond to litigation discovery requests. For more information about Guidance Software, visit www.guidancesoftware.com.

This paper is provided as an informational resource only. The information contained in this document should not be considered or relied upon as legal counsel or advice. EnCase, EnScript, FastBloc, EnCE, EnCEP, Guidance Software and Tableau are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights referenced in this press release are the property of their respective owners.