The Art of Layered Security - Data Protection in a Threatscape of Modern Malware

Similar documents
PCI DSS File Integrity Monitoring

Event Log Monitoring and the PCI DSS

File Integrity Monitoring - The Last line of Defense in the PCI Data Security Standard

File Integrity Monitoring - The Last line of Defense in the PCI Data Security Standard

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Protecting Your Data, Intellectual Property, and Brand from Cyber Attacks

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions

SANS Top 20 Critical Controls for Effective Cyber Defense

Security Best Practices and File Integrity Monitoring

The Hillstone and Trend Micro Joint Solution

A Case for Managed Security

End-user Security Analytics Strengthens Protection with ArcSight

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

Fighting Advanced Threats

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Where every interaction matters.

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Did you know your security solution can help with PCI compliance too?

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Top five strategies for combating modern threats Is anti-virus dead?

Cisco IPS Tuning Overview

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Best Practices for PCI DSS V3.0 Network Security Compliance

Advanced Threat Protection with Dell SecureWorks Security Services

Integrated Protection for Systems. João Batista Territory Manager

Security Management. Keeping the IT Security Administrator Busy

Information & Asset Protection with SIEM and DLP

Incident Response. Six Best Practices for Managing Cyber Breaches.

How To Secure Your Store Data With Fortinet

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

PCI Requirements Coverage Summary Table

Global Partner Management Notice

MITIGATING LARGE MERCHANT DATA BREACHES

GFI White Paper PCI-DSS compliance and GFI Software products

Passing PCI Compliance How to Address the Application Security Mandates

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Defending Against Data Beaches: Internal Controls for Cybersecurity

Beyond the Hype: Advanced Persistent Threats

Advanced Persistent Threats

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

The Key to Secure Online Financial Transactions

SORTING OUT YOUR SIEM STRATEGY:

How To Create Situational Awareness

What is Penetration Testing?

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Penetration Testing Service. By Comsec Information Security Consulting

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Avoiding the Top 5 Vulnerability Management Mistakes

Top tips for improved network security

Driving Company Security is Challenging. Centralized Management Makes it Simple.

FERPA: Data & Transport Security Best Practices

LogRhythm and PCI Compliance

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

ITAR Compliance Best Practices Guide

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

CyberArk Privileged Threat Analytics. Solution Brief

Nine Steps to Smart Security for Small Businesses

Extreme Networks Security Analytics G2 Vulnerability Manager

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

AB 1149 Compliance: Data Security Best Practices

PCI DSS Reporting WHITEPAPER

Security Analytics The Beginning of the End(Point)

IT Security Risks & Trends

The Four-Step Guide to Understanding Cyber Risk

Modular Network Security. Tyler Carter, McAfee Network Security

Student Tech Security Training. ITS Security Office

Host/Platform Security. Module 11

PCI Requirements Coverage Summary Table

Protecting personally identifiable information: What data is at risk and what you can do about it

Simple Steps to Securing Your SSL VPN

Things To Do After You ve Been Hacked

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

Securing SharePoint 101. Rob Rachwald Imperva

Compliance Guide: PCI DSS

74% 96 Action Items. Compliance

3 Marketing Security Risks. How to combat the threats to the security of your Marketing Database

The Cloud App Visibility Blindspot

PCI Data Security Standards (DSS)

Transcription:

- Data Protection in a Threatscape of Modern Malware A New Net Technologies Whitepaper Mark Kedgley CTO - New Net Technologies 2012 new net technologies www.nntws.com

Abstract Trojans were 72 percent of malware detected in H1, 2011, up from 55 percent in H2, 2010 (http://www.antiphishing.org/ reports/apwg_trends_report_ h1_2011.pdf) Threats to theft of Intellectual Property, financial data, Cardholder Data, PII (Personally Identifiable Information) are more diverse and increasingly difficult to defend against. The traditional internet vandalism from viruses is still an issue but the threatscape in 2012 is far more diverse and dangerous than ever before. Not only is it becoming more difficult to protect your confidential data, but more important too. Your enterprise is under attack right now and if a breach is successful, you could lose your Intellectual Property, your sensitive company planning and financial data, your market intelligence and with it, your overall competitive edge could be setback by years. But this could be the best case scenario. If you lose cardholder data or customer personal information, not only would you be left with the costs of financial compensation and system repairs to be paid, but with your brand value and company reputation severely damaged. The 2012 Threatscape - Modern Malware in 2012 Modern Malware - The Headlines Trojans and Viruses - are still in the wild and pose a renewed threat when combined with social engineering techniques for distribution - AV systems will never be 100% effective against even known malware whilst zero day threats i.e. previously unknown malware are never ending Phishing Attacks - bypass firewalls, Intrusion Protection Systems and Anti- Virus by Users unwittingly welcoming in malware Vulnerability Exploits - year after year when the Top Ten of security breaches is published, straightforward Cross-Site Scripting (XSS) and SQL Injection exploits of Web applications are always at or near the top of the list Insider Threats - by definition, bypass even the best firewalls, Intrusion Protection Systems and Anti-Virus defenses. Clearly there is a big advantage of being inside the firewall, but when the attacker has Admin rights to key systems, a different approach to data protection is needed The Advanced Persistent Threat (APT) - the best orchestrated professional attacks play the long game. The classic APT is run as a tactical campaign over a prolonged period of several months as a progressive hack. The APT typically originates with a phishing attack (in the case of the APT, a spear phishing attack, being carefully targeted) or Inside Man to implant spyware, which can then be used as a vector to hack deeper into systems and steal data over a period of months www.nntws.com page 1

Silver Bullets or Magic Bullets for Security? From January to June 2011, 11,777,775 new malware samples were registered, 13 percent more than the number of samples registered in H2, 2010. In other words, every month that goes by sees an increase of zero-day threats over the previous month - how will AV and IPS systems ever keep ahead? The truth is that there is no such thing as the best security defense measure. The range of threats in terms of sophistication and anatomy used in conjunction with dirty tricks and cunning mean that we also need to similarly harness and blend all security measures at our disposal. Essentially the range of measures can be summarized as Firewall and IPS (Intrusion Protection System) use rules and attack-signature recognition to block attacks Anti Virus uses a dictionary of file signatures to block and remove malware Best Practice Security Procedures such as hardening, change control, user account management, patching and physical security DLP (Data Leakage Prevention) works by blocking data export functions such as USB ports, DVD writers and other transfer mechanisms for copying data Encryption and Tokenization render data unusable in different ways - encryption scrambles data to make it unreadable on any device not authorized to use it, while tokenization translates data into a token, with the resulting tokens meaningless unless used in conjunction with the tokenized data store White listing blocks any processes not pre-authorized from running on a system, good for preventing virus and trojan malware SIEM (Security Incident and Event Management) provides analysis and correlation of all system event log activity in order to identify irregular or unusual activity FIM (File Integrity Monitoring) detects any file system activity affecting system/program files, and any configuration changes that may affect security External Threats Figure 1: The Art of Layered Security - security measures need to be varied and layered to provide an effective defense to your organization s confidential data FIR E WALL IDS /IPS HAR DE NING /PATC HING FILE C HANG E /C ONFIG MGMT ANTI-VIRUS/DLP/ENCRYPTION/TOKENIZATION INTE GR ITY & E VE NT LOG MONITOR Protected Data ING www.nntws.com NNT protected environment Insider Threats Zero Day Threats page2

But OUR security isn t weak? The number one threat to security is complacency...once you come to terms with the reality that your organization is constantly under threat...you are beginning to practise The Art of Layered Security The multi-billion dollar security technology market is always going to be rife with reassuring claims that Appliance X will fully protect you whilst Technology Y has so much intelligence it can spot a piece of malware within a nanosecond of it hitting your network. They all work well and will defend your data 24/7 - apart from the threats they don t cater for. For example, there is a new wave in real-time sandbox technology which exploits the higher power processing appliance platforms now available. The concept is sound - assume that all incoming data is potentially unsafe, and before any of it hits your internal network, intercept and analyze its behavior in a safe sandbox environment. It s the equivalent of taking a biopsy and cultivating a culture to see what pathogens exist - but doing it in milliseconds. The theory is good as a way of detecting zero day malware, but you wouldn t stop using anti-virus technology on servers and desktops, because malware can be introduced via other means, not least because laptops leave the corporate network and the protection of the sandbox technology. And what about new generation malware that is able to evade the sandbox, or that is deliberately introduced by an Inside Man with Administrator privileges to do so? In summary, great idea and great technology implementations are available, but is it the only security measure you ll ever need? Of course not! As we have already highlighted, Inside Man threats exist and any other trusted employee can import malware knowingly (or unknowingly). The Number One Threat to any organization s security? Complacency - but before you go and check whether your AV package can detect this new polymorphous-worm, we are referring to an organizations attitude to security rather than any malware. Before you can take action to defend your organization you first need to come to terms with the inescapable fact that it is under constant and unpredictable threats of attack. There are three key questions to ask yourself on a regular basis - What does each of my security measures provide protection for? Where are the gaps in my security layers? And most crucially if we are to avoid the biggest threat of complacency What are my checks and balances? How do I validate that security measures are effective? To get an honest, self-assessment of your organization s security posture can be difficult as the security threatscape is always changing, so getting accurate answers to the first of these two questions is harder than it seems. If you have a firewall and you have a brand-leader anti-virus package then you have defenses against the large proportion of everyday threats, but as in our opening summary of Modern Malware, these measures alone are only partial defenses, especially when you consider your defenses against Inside Man threats, which may not actually utilize any form of malware. www.nntws.com page 3

The Number One threat to any organiszation s security? contd. Therefore the best additional security measure you can implement is to be on your guard. This may sound like a government-sponsored anti-terrorism poster slogan, but when we are trying to defend against threats that can come from any direction, and take any form, then we need to know about anything unusual and irregular happening on our systems that may render the system more prone to attack. Being vigilant at all times, not just when an audit is due, is a habit that needs to be adopted. Once you come to terms with the reality that your organization is under threat constantly, both from external and internal attacks, and that your technological protection may not always be effective at preventing these, then you are beginning to practise The Art of Layered Security. The Art of Layered Security With attacks becoming phased and layered in order to evade malware protection measures in a progressive, step by step iterative attack, we need a security strategy that is also layered. The Art of Layered Security means combining different security technologies in order that all possible avenues of attack are blocked or, where prevention is not an option, ensuring that threats are always detected. This approach to security requires technologies to be hedged. The philosophy needed is an assumption that any layer of defense has at least some weaknesses or blindspots. Once weaknesses have been evaluated, other measures can then be selected that will compensate. But this isn t all about buying malware-detection/blocking technology. Bringing us back to the anti-complacency measure, vigilance. Given that we are going to need to be capable of detecting malware and user activities that may be very subtle and trying to avoid detection, we will need to utilize highly sensitive monitoring capabilities. Being highly sensitive will mean lots of false positives, so we will need to deploy the monitoring in a focused manner and make it highly intelligent and automated. Hence the use of the term Art - there is a need to be creative and pragamtic in terms of enforcing security within the context of your organization and its risk of attack. It will also require our regular activities to become more controlled - for instance, if patches are being applied at any time to any server by anyone, then it will be impossible to distinguish between a legitimate maintenance task and a malware infiltration. This is why change management/change control is such a vital part of any security policy. The two key metrics to monitor in order to confirm that change control is being observed are file system/configuration file changes and system access. In a wellmanaged environment with tight change control, there should only be one period of system access and file changes every month during Patch Thursday. At all other times, systems should be isolated and change-free. Therefore we need an additional two key security layers which combine to give all the checks and balances we need at a forensic level, namely File Integrity Monitoring and System Event Log Analysis. www.nntws.com page 4

File Integrity Monitoring and System Event Log/Audit Trail Analysis These two technologies work together to provide the ultimate forensic-level detail of activities on a server (or laptop, appliance, desktop, firewall etc). File Integrity Monitoring serves to record any changes to the file system i.e. core operating system files or program components, and the systems configuration settings i.e. user accounts, password policy, services, installed software, management and monitoring functions etc. The beauty of FIM as a security measure is two-fold. Firstly, it is utterly comprehensive in detecting any changes to the file system and configuration settings. Secondly, particularly in the case of system or program file changes, it makes no assumptions as to whether the changes are good or bad. This makes it an infallible tool for identifying malware, detecting even the most subtle change to a file (as with a Trojan impersonating a genuine system file, for example). For this reason it brings the need for tight change management procedures to be observed, although of course, change management is a must in order to govern system security anyway. FIM should be used as a means of verifying that only planned and expected changes are made to devices so that any unplanned change is treated as a potential security threat. Contemporary state of the art FIM technology allows for precise focusing on file types and specific paths to monitor so that only changes to files that shouldn t change are detected. For example, image files on a website may change regularly but pose no potential security risk so can be excluded from the FIM policy. Figure 2: FIM (File Integrity Monitoring) works closely in conjunction with Event Log Analysis (SIEM) to provide essential checks and balances that security is being maintained, and that critical procedures such as Change and Configuration Management (CCM) are being operated correctly SIEM ccm FIM Similarly, significant configuration file changes need to be recorded in case the security of the component - server, firewall, router, EPoS device etc - is weakened. Unix and Linux platforms are straightforward in that security settings are governed by text-based configuration files. Similarly firewalls and other network appliances will typically expose their configuration settings via a TFTP export or through interrogation via an SSH session. Windows servers pose more of a problem due to security settings being governed by a range of registry keys, Local Security Policy, file system controls, Installed Programs and updates, service startup and running states and actual processes running on the server. This requires a specialized agent in order to efficiently monitor all these attributes in real-time against a policy. www.nntws.com page 5

File Integrity Monitoring and System Event Log/Audit Trail Analysis contd. System Event Log or Audit Trail analysis provides a further check and balance to record all user activity within the protected IT estate. Again this is ideally used in conjunction with tight change control procedures so that any access to a device outside of a planned change window should be treated as a potential breach. Gathering a full audit trail of user activity also allows for an after the event W5 (who, what, when, where, and why) forensic reconstruction of user activity. In this way, FIM and Event Log Analysis provide both an advance warning system for any potential security threats, and also a means of deterring Inside Man threats - a System Administrator may well have access rights to some confidential data on the network by virtue of their privileges, but if they know their activities will be detected and recorded then there is no future in data theft. GATHER - 100% OF EVENTS Implement the SIEM system to gather all events centrally PROFILE - 30% OF EVENTS Refine event type identification and tune alert thresholds FOCUS - <1% OF EVENTS Correlate and pattern-match events to ensure only genuine security threats are alerted DECREASING EVENT LOG VOLUMES CAPTURE FILTER INDEX ANALYZE CORRELATE THRESHOLD Figure 3: Event Log Analysis (SIEM) must intelligently correlate events from all servers and network security appliances in order to automatically detect unusual or irregular activity symptomatic of potential security breaches www.nntws.com page 6

Conclusion - The NNT View Good data protection requires all available security technologies to be deployed in harmony to give you a fighting chance of defending your organizations digital assets. But there will never be any substitute for sound adherence to best practice security measures. Good change control, device hardening, no default user accounts but always named user accounts being used, restricted assignment of privileges to users - the list goes on, but technology can be used to automate the checks and balances required to operate best practice measures. File Integrity Monitoring combined with a Change Management process will make detection of any unusual file system activity straightforward to detect - malware cannot infiltrate a system without touching a server file system. Similarly Event Log analysis can be highly automated to learn what regular system activity looks like and in this way makes identification of unusual or irregular activity easy to identify in order to head off any potential security threat. About NNT NNT Change Tracker and Log Tracker Enterprise - The Art of Layered Security NNT is a global provider of data security and compliance solutions, with a particular emphasis on the PCI DSS. We are firmly focused on helping organizations protect their sensitive data against security threats and network breaches in the most efficient and cost effective manner. Our easy to use security monitoring and change detection software combines Device Hardening, SIEM, CCM and FIM in one integrated solution, making it straightforward and affordable for organizations of any size to ensure their IT systems remain healthy, secure and compliant at all times. NNT will safeguard your systems and data, freeing you to focus on delivering your corporate goals. www.nntws.com 2012 New Net Technologies Audit Configuration Settings - The core function of NNT Change Tracker Enterprise is to first understand how your IT estate is configured Compare Audited Settings Against Policy - Configuration settings are assessed for compliance with any policy or standard relevant to your organization and deviations highlighted Continuously Monitor Configuration Settings - Configuration attributes are then monitored continuously for all changes, both from a compliance standpoint and from a general change management/control standpoint Attributes covered include File Integrity, File Content, Registry Key Settings and Values, Service States, Processes, User Accounts, Installed Programs and Vital Signs Change Management Process Underpinned - Authorized changes which have been approved via the formal change management process are reconciled with the original RFC to ensure the correct changes were implemented accurately The Change Management Safety Net - All unplanned changes are flagged up for review immediately to mitigate security integrity or service delivery performance SIEM Event Log Correlation - Centralize and correlate event logs messages from all windows, unix/linux, firewall and IPS systems UK Office - Spectrum House, Dunstable Road, Redbourn, AL3 7PR Tel: +44 8456 585 005 TO REQUEST A FREE TRIAL OR DISCUSS ANY AREA COVERED IN THIS WHITEPAPER, PLEASE CONTACT US AT info@nntws.com US Office - 5633 Strand Blvd, Suite 306, Naples Florida 34110 Tel: +1 239 592 9638 www.nntws.com page 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information