A Case for Managed Security



By Christopher Harper, Managing Director, Security
Superior Managed IT & Security Services

1. INTRODUCTION

Most firms believe security breaches happen because of one key malfunction that leaves a system vulnerable, but looking at current trends, it's rarely a single element that causes an issue; it's a confluence of many weaknesses in an environment, often small and seemingly unimportant. In the first half of 2014 alone, there have been at least five major breaches, affecting large organizations and millions of people. Cyber security threats are clearly on the increase, with more reported attacks in 2014 to date than in all of 2013 combined. The nature of the attacks is changing as well, with very damaging consequences, including the loss of key data and damaged reputations. Listening to the news every day, we are all familiar with the terrible results of security breaches and how detrimental they are to the firms or individuals involved. What is harder to piece together, however, is exactly how these breaches occur and what you can do to protect yourself from them.

2. CYBER SECURITY THREATS IN A NUTSHELL

To understand how you can better protect against, and prepare for, cyber security threats, it's important to first understand the current threat landscape.

Advanced Persistent Threats and Data Exfiltration

An Advanced Persistent Threat (APT) is one in which attackers relentlessly scope out a business or government entity over a period of time, looking for an opening to infiltrate its systems. Precisely because the attackers are willing to wait a long time for an opportunity, even up to several years, this is one of the most dangerous types of threat. Another attack technique is data exfiltration, the illegal extraction of confidential data directly from a system. In this instance, the attacker uses malicious code to collect data and slowly transfer it out to a central point.

As an example of this type of breach, eBay announced earlier this year that over a period of two months, cyber criminals had used a small number of compromised employee credentials to obtain the personal account information of over 200 million users. eBay was slow to announce the discovery of the breach, leading some to further question its security operations. Now recovering from a damaged reputation, eBay has seen a drastic reduction in projected sales for the year, lowering its targets by $200 million. The silver lining is that, because the data was stored in separate encrypted databases, eBay reports there was no evidence of credit card data being compromised.

The arts and crafts retailer Michaels and its subsidiary Aaron Brothers announced early in 2014 that, over an eight-month period, sophisticated malware had been used to pull over 2.5 million payment card numbers and expiration dates from their point-of-sale systems. It isn't clear exactly how the point-of-sale systems were compromised; what is clear is that the environment was compromised for over six months without any detection, including the removal of sensitive customer data.

Important takeaways from these two instances: APTs imply the attacker is intent on compromising your environment and will remain persistent until successful. To counteract this, take a strategic, risk-based approach to protecting your organization: clearly understand from a risk perspective what needs to be protected, continually update key systems, maintain secure configurations, and closely monitor for suspicious activity. Diligence is the key.

Zero-Day Attacks

Countless IT vulnerabilities exist that have yet to be identified by cyber security experts. These unknown weaknesses lead to zero-day attacks, which typically occur in the window between when a vulnerability is discovered by cyber criminals and when the software developers are able to identify it and take protective measures against it. For example, in April, news of the Heartbleed bug hit the world stage. Heartbleed exploited a flaw in the widely used encryption library OpenSSL that allowed anyone to access vulnerable systems and obtain login credentials, encryption keys and other private data. This vulnerability was unusual in that the flaw existed in the code for at least two years before the public was aware of it, while reports indicate that the NSA, the Russian mafia and others were aware of it for an extended period of time. Fixing the flaw was more difficult than the norm because administrators had to first patch their servers and then reissue their security certificates. It is believed that a large number of vulnerable servers still exist today despite the amount of education and press this flaw has received. This reinforces the case for early detection of vulnerabilities and for their prompt remediation once they are discovered.

A couple of things to remember: The best defense against zero-day attacks is a strong security program that uses a combination of positive and negative security models. A negative security model blacklists the known bad, using virus signatures, anti-spam signatures and so on. A positive model whitelists the known good. Close monitoring of critical systems can alert you to malicious activity so that it can be suppressed as soon as possible.

Ransomware

2014 has also been the year of ransomware. Ransomware is a type of malware in which a system, anything from a single computer to a whole network, is taken over by an outside party. The attacker then demands a ransom before giving access back to its true owner, threatening damaging consequences otherwise. Although it was seen well before this year, the CryptoLocker Trojan and its variants have wreaked havoc on thousands of victims in 2014 and seem to have started an unsavory trend. CryptoLocker relies on command and control servers to provide it with encryption keys; these are public servers with which an infected system communicates.

A few things to keep in mind: Prevention is key. Once your data is encrypted by an attacker, it is most likely unrecoverable.

Phishing emails have been the primary delivery mechanism, so educating users is crucial to prevention.

These are only a few examples of the security attacks that have occurred year-to-date. AOL, P.F. Chang's, Neiman Marcus, Holiday Inn and Marriott Hotels have all had their own troubles this year. But what can be done to prevent this from happening to your organization? And, assuming your environment will be compromised, how do you quickly detect and respond to the attack?

3. A CASE FOR MANAGED SECURITY

The best managed security solution is a 24-hour, 7-day-a-week, 365-day-a-year service provided by a firm with deep expertise in cyber security. It often includes a round-the-clock solution in which engaged security professionals monitor all security devices, such as firewalls, VPN devices and authentication servers, as well as servers such as Active Directory servers, anti-virus servers and application servers. Looking across all of these devices, the service monitors how your data is accessed, as well as who accesses it. Some solutions also include continuous vulnerability scans, identifying areas that pose a risk to compliance or exposure to external threats. Lastly, when a problem does arise, it provides quick identification and resolution. More specifically, a managed security solution typically has the following five functional components:

1. Security analysts who constantly monitor your event data and the overall security landscape.
2. A Security Incident and Event Management (SIEM) component that collects and correlates security event data so that it can be acted upon.
3. A vulnerability scanner that continuously scans the environment for known vulnerabilities.
4. Configuration monitoring scans, which test the environment for system hardening issues.
5. An intrusion prevention system that blocks malicious network traffic.

State-of-the-Art Tools & Engineers

Typically, the service leverages state-of-the-art tools that monitor and automatically flag issues. The underlying system will include a Security Incident and Event Management (SIEM) platform used for log collection, correlation, alerting and analysis. A SIEM collects and correlates event logs from multiple sources for the purpose of analysis, forensics and troubleshooting. These events include any actions on a system that are relevant to security, such as password changes, VPN connections, web logins, port scans and denied firewall connections. Security event data is analyzed in real time to generate alerts, create actionable cases and notify engineers. The SIEM collects information from most security devices and applications: firewalls, network equipment, Active Directory, Linux servers and, in general, anything that produces syslog output. In short, a SIEM is a collection of valuable security events. There should also be an intrusion prevention component that analyzes network traffic and blocks malicious activity, as well as a tool that performs vulnerability and configuration monitoring scans, ensuring the environment is consistently up to date with the latest standards in cyber security. Cases are typically submitted to a proprietary case management system via email, phone or a security appliance. These cases are then assigned to an engineer, based on the required area of expertise, who follows the case through to resolution, leveraging historical cases and client data.
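To make the collection and correlation described above concrete, the following Python is an added example written for this page, not the provider's system or any vendor's product: it correlates constructed firewall-deny and VPN-authentication events into two of the alert types the text names, a port scan and a credential-guessing run that ends in a successful login. The log line format, hosts, users and addresses are all assumptions for the illustration.

```python
"""Mini SIEM correlation over constructed syslog-style events (added example,
not from the white paper or any vendor). The line format
TIMESTAMP HOST EVENT key=value ... and every host, user and address are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: an external host probing five ports in three seconds, one
# stray deny, a password-guessing run against jdoe that ends in success, and a
# normal user (asmith) who mistypes once. Addresses are RFC 5737 test ranges.
SAMPLE_LOGS = """\
2014-06-10T02:14:01Z fw1 DENY src=203.0.113.5 dst=10.0.0.12 dport=21
2014-06-10T02:14:01Z fw1 DENY src=203.0.113.5 dst=10.0.0.12 dport=22
2014-06-10T02:14:02Z fw1 DENY src=203.0.113.5 dst=10.0.0.12 dport=23
2014-06-10T02:14:02Z fw1 DENY src=203.0.113.5 dst=10.0.0.12 dport=443
2014-06-10T02:14:03Z fw1 DENY src=203.0.113.5 dst=10.0.0.12 dport=3389
2014-06-10T02:15:00Z fw1 DENY src=198.51.100.9 dst=10.0.0.12 dport=445
2014-06-10T02:20:05Z vpn1 AUTH_FAIL user=jdoe src=198.51.100.7
2014-06-10T02:20:09Z vpn1 AUTH_FAIL user=jdoe src=198.51.100.7
2014-06-10T02:20:14Z vpn1 AUTH_FAIL user=jdoe src=198.51.100.7
2014-06-10T02:20:30Z vpn1 AUTH_OK user=jdoe src=198.51.100.7
2014-06-10T08:01:00Z vpn1 AUTH_FAIL user=asmith src=192.0.2.44
2014-06-10T08:01:20Z vpn1 AUTH_OK user=asmith src=192.0.2.44
"""

def parse(line):
    """Split one constructed log line into a dict with a datetime 'ts'."""
    ts, host, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host=host, event=event)
    return fields

def detect_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Alert once per source that is denied on >= min_ports distinct ports within window."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for ev in events:
        if ev["event"] != "DENY":
            continue
        q = recent[ev["src"]]            # sliding window of (ts, dport) per source
        q.append((ev["ts"], ev["dport"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and ev["src"] not in fired:
            fired.add(ev["src"])
            alerts.append(("PORT_SCAN", ev["src"], len(ports)))
    return alerts

def detect_brute_force(events, max_fail=3, window=timedelta(minutes=5)):
    """Alert when >= max_fail failures for one user inside window are followed by a success."""
    alerts, fails = [], defaultdict(deque)   # user -> timestamps of recent failures
    for ev in events:
        if ev["event"] == "AUTH_FAIL":
            fails[ev["user"]].append(ev["ts"])
        elif ev["event"] == "AUTH_OK":
            q = fails[ev["user"]]
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= max_fail:
                alerts.append(("BRUTE_FORCE_SUCCESS", ev["user"], ev["src"]))
            q.clear()                        # a success ends the failure streak
    return alerts

def correlate(raw):
    """Order events by time (sources arrive out of order) and run every rule."""
    events = sorted((parse(l) for l in raw.splitlines() if l.strip()), key=lambda e: e["ts"])
    return detect_port_scans(events) + detect_brute_force(events)
```

Run against the sample, `correlate` returns one PORT_SCAN alert for the probing host and one BRUTE_FORCE_SUCCESS alert for jdoe, while the single deny from the second address and asmith's lone mistyped password produce nothing.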

While the technology behind managed security is important, it is the people who make the difference when it comes to cyber security. When the data from your environment is collected by the managed security service provider and stored in its infrastructure, the security engineers are the individuals who analyze it. Network engineers are trained and experienced on specific network devices, systems, applications and operating systems. They respond to and troubleshoot incidents of all types and, when necessary, escalate security issues to a Security Operations Center (SOC). SOC engineers are experts in the field of security; they are certified and experienced in information security, and are equipped to respond to security incidents and troubleshoot security-related problems. Where competent and experienced security professionals are absent, alerts are still flagged by the control systems, but a proper and speedy response might not follow. This reinforces the need to make sure both aspects, people and tools, are state-of-the-art.

Managed Security: In Practice

So, what does the data flow of a managed security system look like, specifically? Your internal systems create local log data. Depending on its type, your system will either forward this log data to the data collector, or the collector will contact your system to pull the log data. The collector then sends the log data over an encrypted SSL tunnel to another system where a proprietary set of alerting rules is executed. The data is then stored by the service provider, often in a private cloud. In tandem, the security appliance sniffs strategic network segments so that malicious network traffic can be detected and blocked. Events of this nature are forwarded from the intrusion prevention module to the collector, and on to the supervisor. Periodically, the security appliance scans the environment for known security vulnerabilities and policy compliance failures. This data is retrieved by the collector and, like all other data, is analyzed by the system, reviewed by SOC personnel and acted upon.

Important Aspects of a Managed Security Solution

Not all managed security solutions are created equal. There are a few important aspects to keep in mind when considering a service to keep your data and reputation safe:

Be sure that your solution includes a dedicated engineer who will personally get to know the ins and outs of your environment. The better they know your environment, and the more dedicated they are to understanding you as a company, the easier and faster it will be for them to catch and resolve security issues when they arise. For security incidents that require human intervention, make sure your security partner provides full management of the remediation, offering advice and guidance throughout the process.

The solution must include best-of-breed security tools. Great service is not the only important factor; enterprise-class tools provide the foundation for the attack signatures, alert algorithms and vulnerability detection policies that are an important part of the service.

Make sure your managed security service provider is itself secure. This should go without saying: if your security provider isn't secure, neither will be the work they do for you. Look into what steps and certifications they take to protect themselves against cyber security threats.

Be sure consulting services are available as well, for example to help build incident response policies and procedures if you don't already have them.

Make sure your service level agreement (SLA) includes a target resolution time of four hours or less for critical situations.

4. CONCLUSION

Cyber security threats are on the rise and, unfortunately, there is no fail-proof solution that protects you 100% against them. The best posture to adopt is one that detects and reacts appropriately through a combination of vulnerability identification, prevention techniques, and quick identification and resolution when something does occur. Since most firms don't have the bandwidth or experience to maintain a healthy security posture, they often find themselves far from the ideal situation, exposing the firm to risk and creating complex compliance issues. A managed security solution fills that need. It enables firms to take a strategic, risk-based approach to protecting against the attacks we are seeing today. An ideal managed security solution includes a consistent and continuous focus on the security basics: a risk-based approach to understanding the data being protected, maintaining an effective vulnerability program, continually updating key systems, maintaining secure configurations, and closely monitoring for suspicious activity. No matter what type of cyber security threat you're concerned about, detection and appropriate reaction are key.

About Agio (www.)

Agio is a progressive Managed IT & Security Services provider, offering technology hosting, monitoring, management, disaster prevention and recovery, security, and other high-end technology services. With nearly 150 employees, Agio is headquartered in New York City with operational headquarters in Norman, OK.

1.877.780.AGIO (2446) sales@
