defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Similar documents
Authentication Strategy: Balancing Security and Convenience

identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible

Leveraging Privileged Identity Governance to Improve Security Posture

expanding web single sign-on to cloud and mobile environments agility made possible

Enabling and Protecting the Open Enterprise

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control

Closing the Biggest Security Hole in Web Application Delivery

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

how can I improve performance of my customer service level agreements while reducing cost?

IBM QRadar Security Intelligence April 2013

Reference Architecture: Enterprise Security For The Cloud

Protecting Your Organisation from Targeted Cyber Intrusion

CA Technologies Solutions for Criminal Justice Information Security Compliance

How To Comply With Ffiec

Teradata and Protegrity High-Value Protection for High-Value Data

Designing a CA Single Sign-On Architecture for Enhanced Security

Strengthen security with intelligent identity and access management

CyberArk Privileged Threat Analytics. Solution Brief

Protecting against cyber threats and security breaches

Stay ahead of insiderthreats with predictive,intelligent security

RSA Security Anatomy of an Attack Lessons learned

The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

agility made possible

agility made possible

The Benefits of an Integrated Approach to Security in the Cloud

Identity Centric Security: Control Identity Sprawl to Remove a Growing Risk

CA SiteMinder SSO Agents for ERP Systems

SOLUTION BRIEF SEPTEMBER Healthcare Security Solutions: Protecting your Organization, Patients, and Information

How To Secure An Rsa Authentication Agent

Safeguarding the cloud with IBM Dynamic Cloud Security

How To Create An Insight Analysis For Cyber Security

Transforming IT Processes and Culture to Assure Service Quality and Improve IT Operational Efficiency

A Layperson s Guide To DoS Attacks

IBM Security Intelligence Strategy

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Securely Outsourcing to the Cloud: Five Key Questions to Ask

CA Arcot RiskFort. Overview. Benefits

how can I comprehensively control sensitive content within Microsoft SharePoint?

IBM Security Privileged Identity Manager helps prevent insider threats

IBM Security QRadar Risk Manager

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004

Introducing IBM s Advanced Threat Protection Platform

IBM Security QRadar Risk Manager

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

SOLUTION BRIEF CA TECHNOLOGIES IDENTITY-CENTRIC SECURITY. How Can I Both Enable and Protect My Organization in the New Application Economy?

Protect Your Connected Business Systems by Identifying and Analyzing Threats

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold

The Next Generation IPS

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Safeguarding the cloud with IBM Security solutions

Advanced Threats: The New World Order

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Concierge SIEM Reporting Overview

Security in the App Economy

Securing Your Enterprise in the Cloud. IT executives must be ready to move to the cloud safely

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Spear Phishing Attacks Why They are Successful and How to Stop Them

The Key to Secure Online Financial Transactions

CA Technologies Healthcare security solutions:

Fighting Advanced Threats

The Top 7 Ways to Protect Your Data in the New World of

accelerating time to value in Microsoft Hyper-V environments

Mobile, Cloud, Advanced Threats: A Unified Approach to Security

Defending Against Cyber Attacks with SessionLevel Network Security

Protecting Point-of-Sale Environments Against Multi-Stage Attacks

how can I virtualize my mission-critical servers while maintaining or improving security?

Beyond the Hype: Advanced Persistent Threats

CA point of view: Content-Aware Identity & Access Management

Reducing the Cost and Complexity of Web Vulnerability Management

can I customize my identity management deployment without extensive coding and services?

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Cybersecurity and internal audit. August 15, 2014

Fujitsu Australia and New Zealand provides cost-effective and flexible cloud services with CA Technologies solutions

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Addressing the United States CIO Office s Cybersecurity Sprint Directives

Seven Things To Consider When Evaluating Privileged Account Security Solutions

CYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed?

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Passing PCI Compliance How to Address the Application Security Mandates

Five keys to a more secure data environment

are you helping your customers achieve their expectations for IT based service quality and availability?

Understanding Enterprise Cloud Governance

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

How Do Threat Actors Move Deeper Into Your Network?

1 CA SECURITY SAAS VALIDATION PROGRAM 2015 ca.com. CA Security SaaS Validation Program. Copyright 2015 CA. All Rights Reserved.

Securing and protecting the organization s most sensitive data

assure the quality and availability of business services to your customers

Types of cyber-attacks. And how to prevent them

Finding Security in the Cloud

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Achieve Deeper Network Security

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

CA Business Service Insight

SOLUTION BRIEF Improving SAP Security With CA Identity and Access Management. improving SAP security with CA Identity and Access Management

INDUSTRY OVERVIEW: HEALTHCARE

IBM Security Intrusion Prevention Solutions

Addressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model

Transcription:

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

security threats as we know them are changing The traditional dangers IT security teams have been facing and overcoming for years are being replaced by a far more hazardous, insidious form of attack: the Advanced Persistent Threat (APT). Although APTs are an emerging threat vector, their impact has already been felt in substantial ways: RSA SecurID Hack In 2011, an APT compromised the systems containing information about RSA SecurID two-factor authentication tokens, including the values the company uses to generate onetime passwords. 1 Operation Aurora Hackers stole sensitive intellectual property, including source code, from Google, Adobe, and other high-profile companies using highly sophisticated, well-coordinated techniques. 2 The financial impact of an APT cannot be underestimated: On average, it costs organizations $5.5 million to respond to and address the aftermath of an APT attack. 3 1 PCWorld. RSA SecurID Hack Shows Danger of APTs. March 18, 2011. 2 Wired. Google Hack Attack was Ultra Sophisticated, New Details Show. January 14, 2010. 3 Ponemon Institute. 2011 Cost of Data Breach Study. 2011 02

what makes an APT an APT? An APT is a long-term, sophisticated strike launched against a specific, targeted entity. By its very definition, an APT is not your normal threat: Advanced: The attacker has the significant technical capabilities required to take advantage of weaknesses in the target including coding skills and the ability to uncover and exploit previously unknown vulnerabilities. Persistent: Unlike short-term, one-off hacks that capitalize on temporary opportunities, APTs often unfold over the course of years, employ multiple vectors and combine security breaches over time to gain access to more and significant data. Threat: The individuals, groups and organizations that execute APTs have the motivation, ability and resources needed to be successful. APT perpetrators are often state-sponsored entities with objectives that reach far beyond simple theft. These include: Military Intelligence Economic Sabotage Technical Espionage Financial Extortion Political Manipulation 03

how an APT works Nearly every APT follows four phases: Reconnaissance Initial Entry Escalation of Privileges Continuous Exploitation 1 2 3 4 An investigation into the organization s weaknesses, which often includes domain queries and port and vulnerability scans. Discovered exposures are exploited and a foothold in the target network is established using sophisticated technical methods or social engineering techniques, such as spear phishing. Following initial penetration, hackers work to acquire more rights and gain control over additional systems and install a back door that makes future access easier. Once control has been established, the assailant will be able to continuously identify, compromise and exploit sensitive data. And since the third and fourth stages often occur over a matter of years, detecting an APT can be incredibly difficult. 04

traditional security is no match for an APT Targeted threats, highly advanced methods and well-funded, motivated perpetrators make standard Internet and network security measures an insufficient defense against APTs. While common perimeter and infrastructure protection may help prevent or delay the initial network penetration, they can do little once a foothold has been established. For these reasons, organizations require a more proactive, comprehensive protection strategy one that can detect APTs earlier and prevent attempts to escalate privileges or export sensitive data. Why do the traditional rules of Internet security no longer apply in the world of APTs? Patient individuals will wait for new vulnerabilities to open up or combine seemingly small techniques into a large-scale, damaging attack A dedicated, state-sponsored enemy will not be dissuaded from targeting an organization simply because it has stronger security than similar companies An APT can unfold in a very measured, deliberate manner, helping it evade even the most wellconfigured firewalls and intrusion-detection systems 05

defense-in-depth is the key to stopping APTs Successful protection against APTs should complement traditional perimeter and infrastructure security measures, so the organization is able to: Make the initial penetration difficult Reduce the potential for privilege escalation in the event an account is compromised Limit the damage that can be done by a compromised account What s needed, then, is defense-in-depth, a strategy that complements traditional security solutions with such identity and access management capabilities as: shared account management least privilege access session recording virtualization security identity management and governance advanced authentication Detect suspicious activity early in the intrusion attempt Gather the information forensic investigators need to determine what damage occurred, when and by whom server hardening unexpected and externalized security data controls 05 06

A defense-in-depth strategy extends traditional perimeter and system security with identity and access management tools, providing protection against APTs across all four phases of the attack. Reconnaissance Initial Entry Escalation of Privileges Continuous Exploitation Perimeter security Shared account management Server hardening Least privilege access Capture and review server and device audit logs Anti-virus Phishing protection Session recording Unexpected and externalized security Virtualization security Employee education Identity management and governance Advanced authentication Data controls 07

defense-in-depth at a glance shared account management least privilege access session recording server hardening unexpected and externalized security virtualization security identity management and governance advanced authentication data controls shared account management Accessing and exploiting privileged accounts is a key tactic in all APT attacks. For this reason, shared account management capabilities should be able to: Securely store encrypted passwords Manage password complexity and make automated changes according to policy Restrict access to administrative accounts Prevent password sharing by using automatic login capabilities Limit the number of people who have access to privileged accounts by providing emergency account access Eliminate the use of hard-coded passwords in scripts least privilege access Access should not be treated as an all or nothing decision. Instead, individuals should be given the credentials required to accomplish their assigned tasks. For example: System administrators should be allowed to update server software, make configuration changes and install new software but shouldn t be free to change security settings or view logs security administrators should be able to update and alter settings and configurations and view log files but shouldn t be permitted to install software or access sensitive data Auditors must be able to check security settings and view log files but shouldn t be allowed to make any changes to a given system 08

defense-in-depth at a glance continued shared account management least privilege access session recording server hardening unexpected and externalized security virtualization security identity management and governance advanced authentication data controls session recording Tracking what actions are being performed by privileged accounts is a critical step in detecting APTs. To this end, session recording must be able to: Visually show who did what Provide analytical tools that expedite breach investigations by eliminating the need to look through gigabytes of hard-to-read text file logs Track the time, date, source IP and user ID of all logins Note any commands the user enters Connect anomalous behavior with the individual who performed it server hardening Any server that hosts sensitive information must be configured in a way that protects it from being compromised by an APT. This should include: Using a firewall to control communications, restrict packets and block unsecure protocols Employing application whitelisting to allow only explicitly specified executions and installations Defining a specific set of actions for high-risk applications Preventing changes to log files Monitoring the integrity of key files Controlling access to directory files 09

defense-in-depth at a glance continued shared account management least privilege access session recording server hardening unexpected and externalized security virtualization security identity management and governance advanced authentication data controls unexpected and externalized security Individuals who launch APTs often use common operating system commands, functions and utilities to their benefit. These techniques can actually aid in the defense against APTs by: Using external tools to monitor and protect files, so they appear unsecured but actually allow administrators to detect an attacker s attempts to compromise the network Modifying the name of common system commands, so any use of the original triggers an alert virtualization security The number of virtualized systems has skyrocketed, making these environments and the hypervisor in particular key targets of APTs. To protect virtual infrastructures, organizations should: Apply the principle of least privilege to hypervisor accounts Monitor and log all actions that occur at the hypervisor layer Secure virtual machines by leveraging virtualization-aware automation capabilities identity management and governance Carefully protecting user identities is an essential step in minimizing the effectiveness of an APT attack. To this end, identity management and governance functionality must be able to: De-provision and de-authorize identities as soon as an individual leaves the company Find and remove orphaned, or unused, identities 10

defense-in-depth at a glance continued shared account management least privilege access session recording server hardening unexpected and externalized security virtualization security identity management and governance advanced authentication data controls advanced authentication Two-factor authentication and risk-based evaluations help to protect against the initial penetration of an APT by denying or detecting inappropriate access attempts. To be as effective as possible, advanced authentication capabilities should include: Software-based, two-factor credentials that vary by device Versatile authentication methods that can be matched to a specific scenario Rules that adjust to protect against different APT tactics Device identification, geolocation, IP blacklisting and case management for suspicious activities The ability to step up authentication when stronger identity assurance is required data controls Since the end goal of any APT is to steal sensitive information, having firm control over this data is a core component of a successful defense. To safeguard these assets, data must be: Classified according to sensitivity and type at access, in use, in motion, at rest, etc. Controlled as it is transferred between sources, such as email and physical drives 11

a holistic approach to security reduces risk The concept of defense-in-depth is an essential component of any proactive, holistic APT protection strategy. The techniques supporting this approach work in concert to enable you to build and apply a security model that allows or denies actions based on business rules, data sensitivity and specific types of behavior. Because this model can be applied uniformly across platforms and separated from operating system security, it provides an effective means of preventing and detecting APTs. As such, defense in-depth helps your organization stay one step ahead of APTs and reduce the effects such an attack can have on the business and its employees, customers and partners. 12

about the solutions from CA Technologies CA security solutions are comprised of a broad, comprehensive and integrated suite of capabilities that simplifies operations and reduces the total cost of management across cloud, on-premise, virtual, physical, distributed and mainframe environments helping you significantly increase business agility. Unlike traditional solutions, the CA suite controls not only user identities and the availability of critical IT resources, but also access to sensitive information assets. This provides more layers of security than conventional solutions and helps to reduce the risk of breaches, minimize information loss and simplify compliance audits. These offerings are complemented by a range of cloud-based identity services, which give you the flexibility to deploy security services how and when you choose, so you can adopt cloud or hybrid models in a way that fits your unique needs. The CA Identity and Access Management suite covers the following areas: Identity Management and Governance Privileged Identity Management and Virtualization Security Advanced Authentication Data Protection Cloud Security Secure Single Sign-On and Access Management 13

CA Technologies (NASDAQ: CA) is an IT management software and solutions company with expertise across all IT environments from mainframe and distributed, to virtual and cloud. CA Technologies manages and secures IT environments and enables customers to deliver more flexible IT services. CA Technologies innovative products and services provide the insight and control essential for IT organizations to power business agility. The majority of the Global Fortune 500 relies on CA Technologies to manage evolving IT ecosystems. For additional information, visit CA Technologies at ca.com. Copyright 2013 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information