Security Strategies eBook

ADVANCED THREATS, ADVANCED SOLUTIONS Security and Strategies to Counter Today’s Top Cyber-Threats

INSIDE: News and Views on Advanced Attacks, Insider Threat and Data Analytics

EXCLUSIVE Interview with Mike Nichols of General Dynamics Fidelis on the Power of Network and Behavioral Analytics

From the Editor

It’s Time to Advance the Discussion About Advanced Threats

If the Target breach was the wake-up call, then what do you say about recent attacks against entities such as Dairy Queen and Sony? That they are sounding a major alarm, and it’s time to evacuate the premises?

The message should be as loud as it is clear: Any type of organization is a target to attackers – you don’t have to be a financial services company or a merchant. It isn’t just financial data that’s sought; intellectual property is a rich bounty, too. And don’t discount the value of a good, old-fashioned disruption, whether for criminal or ideological reasons. Most importantly, yesterday’s security solutions are increasingly ineffective at detecting today’s advanced attacks.

That last point is key. If there is an overriding theme from recent attacks, it’s this: Ambitious attackers are continually working to improve their game, and traditional security solutions simply don’t cut it anymore. Existing controls might catch the known threats, but what about the unknown or the polymorphic?

This is a question we explore in this new Security Strategies eBook. Sponsored by General Dynamics Fidelis, this publication features:

»» Insight – A new interview with Mike Nichols, Director of Global Sales Engineering, General Dynamics Fidelis Cybersecurity Solutions, on how to respond to advanced threats;

»» News – Fresh looks at recent breaches, strains and the growing insider threat;

»» Analysis – What can you do about it? Thought-leaders such as ISACA’s Rob Stroud and Gartner’s Avivah Litan chime in with their security strategies.

I trust we’ve put together an insightful read for you here, and as always I’m eager for your feedback. Please write with comments, questions and especially ideas. How can we improve our response to these ever-advancing threats against us?

Best,
Tom Field
VP, Editorial
Information Security Media Group
[email protected]

CONTENTS

Advanced Threats, Advanced Solutions

Introduction 2
Advanced Threats, Responding with Network and Behavioral Analytics 4

From the ISMG Archives
Ransomware: 7 Defensive Strategies 12
Data Breach Explosion Proves Costly 17
4 CISOs Respond to Heartbleed Bug 19
Testing Your APT Response Plan 22
Avivah Litan on ‘Context-Aware’ Security 28
Keys to Fighting Insider Fraud 32
Are You Prepared for a Breach? 36

Featured Interview
Advanced Threats, Responding with Network and Behavioral Analytics
Insights and Strategies from Mike Nichols of General Dynamics Fidelis

Advanced threats are like the weather. Everyone talks about them, but few have a solid defense plan - or even a solid understanding of the threat landscape. Mike Nichols of General Dynamics Fidelis offers insight.

Sponsored by General Dynamics Fidelis Cybersecurity Solutions

General Dynamics Fidelis Cybersecurity Solutions provides organizations with a robust, comprehensive portfolio of products, services, and expertise to combat today’s sophisticated advanced threats and prevent data breaches. Our commercial enterprise and government customers around the globe can face advanced threats with confidence through use of our Network Defense and Forensics Services, delivered by an elite team of security professionals with decades of hands-on experience, and our award-winning Fidelis XPS™ Advanced Threat Defense Products, which provide visibility and control over the entire threat life cycle. www.fidelissecurity.com

Advanced Threats: Responding with Network and Behavioral Analytics
Insights and Strategies from Mike Nichols of General Dynamics Fidelis
by Tom Field

Ambitious attackers are continually working to improve their game, and traditional security solutions simply don’t cut it anymore. Mike Nichols of General Dynamics Fidelis discusses advanced solutions.

In a year of high-profile security incidents – from the Target breach to Home Depot, and from the Heartbleed bug to ransomware attacks – the message couldn’t be any clearer:

Ambitious attackers are continually working to improve their game, and traditional security solutions simply don’t cut it anymore. Existing controls might catch the known threats, but what about the unknown or the polymorphic?

“Just like the antivirus market, the defense-in-depth network stack also needs to evolve,” says Mike Nichols, Director of Global Sales Engineering, General Dynamics Fidelis Cybersecurity Solutions. “It needs to be one step ahead of the threat actors who are constantly changing their tactics.”

To be the best in network defense and to stay ahead of the threat actors, organizations must focus on the techniques these threat actors are using, Nichols says.

“Look at their behavior, how they’re attacking a network and use these analytics across time to identify them no matter how they change their individual attack tactics,” he says.

In this exclusive interview about advanced threats and analytics, Nichols discusses:

»» Today’s top threats;

»» Why traditional security solutions fail; and

»» How leading organizations are improving security with network and behavioral analytics.

As Senior Manager of Global Sales Engineering at General Dynamics Fidelis Cybersecurity Solutions, Nichols interfaces directly with General Dynamics Fidelis Research & Development and plays a key role in determining product direction and architecture. Prior to joining General Dynamics Fidelis, he served as a Security Analyst for Defense Point Security, where he worked for the Department of Homeland Security’s Security Operations Center to provide real-time analysis of potential network intrusion attempts. He also served as a Sergeant and Intelligence Analyst in the US Army.

Advanced Threat Landscape

TOM FIELD: Mike, as we sit here heading into 2015, what are the types of advanced threats that you’re most concerned about?

MIKE NICHOLS: The advanced threats that we’re seeing, they just seem to be getting smarter about evading typical defenses. We’re seeing the same types of attack still: spear-phishing emails, drive-by downloads, these kind of vectors of getting into environments. But we’re seeing them spanning their attacks across a longer period of time and across more network sessions, more network transactions.

Why Traditional Solutions Fall Short

FIELD: Why do we find that so many of today’s traditional solutions are just inadequate to detect and defend against these advanced threats?

NICHOLS: If you were to go back in time to the antivirus market and when AV first hit the world, it seemed like this great way of defending ourselves against threats. We quickly learned that threats are very fast in evolution. The threat actor has a reason to get better, because he gets a lot of money doing this. So his motivation, his reasoning to quickly adapt is financially driven. With that, we had a great way of finding these things through account signature-based detection … but then very quickly we started getting reports saying, OK, AV is now being defeated. Polymorphism became the norm, as did other ways of compressing and packing files to get past the antivirus in your systems. We saw that those attacks were now easily bypassing defenses.

So, defenses had to evolve, and that’s what’s happening today. As we move into the network defensive side, moving outside of the host-based system with the antivirus and looking more at what’s traversing the network, what’s coming in and out of egress points, we had the traditional defense-in-depth stack, and that’s been very successful at protecting us over the years. But just like the antivirus market, the defense-in-depth network stack also needs to evolve. It needs to be one step ahead of the threat actors who are constantly changing their tactics. Now we’re seeing that to be the best in network defense and to stay ahead of the threat actors, we need to focus on the techniques these threat actors are using. Look at their behavior, how they’re attacking a network and using these analytics across time be able to identify them no matter how they change their individual attack tactics.

Successful Security Solutions

FIELD: What are the types of solutions that you’re seeing be successful against the threat actors?

NICHOLS: It really has to be a true solution. It’s not so much of a single technology that is being successful, but a combination of technologies used in concert that are able to find these problems. Because the attack, again, is much easier to detect if you’re looking across the entire breadth of that attack lifecycle.

If you were just looking at a single malicious file entering the network, you could easily miss something. Or even if you do detect it, it’s difficult to tell if the thing that you found is truly an advanced threat, or if it’s just background noise that’s happening on the internet.

What you need to do is gather the information from multiple different technologies. You need to look at things that are traversing my network. You need to find the communications that are happening in and out of my network, as well as malicious files coming in. We saw earlier this year that looking just at files coming into your network would not help you against something like Heartbleed, which was a vulnerability that was enabling people to basically dump out your database. So you need to look at everything coming into your network. All potential possibilities of attack on that inbound problem, as well as what happens afterwards -- that communication around the propagation through the network.

And then, finally, you have to maintain a focus on what is bleeding in the network. You have to focus on the content of your data because you need to stop that final theft. Theft is that final stage of what the threat actor is trying to do. Very rarely do we see a truly destructive campaign out there. Most of the time, what the attackers are trying to do is steal something from you. So you also need to add in that data theft aspect to your full defenses.

So, looking at all of those technologies and finding a way to correlate the information you’re receiving, is really the best way to truly defend the network. Because it’s only using those multiple different avenues, those different vectors, that you are able to really identify a true campaign against the background noise of the internet.

Network and Behavioral Analytics

FIELD: Mike, talk a little bit about some use cases. What are some of your customers doing with network and behavioral analytics?

NICHOLS: To begin with, it’s that one thing that every CISO out there says they have a really hard time protecting against, and that’s the malicious insider. If you’re trying to identify someone who already has the privileged access into your environment because you’ve given it to them, and who’s doing things that by themselves look like typical behavior inside the enterprise, it’s difficult to spot someone doing malicious activity inside your network.

So, when looking for insider threat, there are a few things we need to realize. First is: if I’m using kind of a net flow-type device or just a device looking at the transactions that are taking place between my users and my protected file servers, where all my files are located, that’s not giving me enough data. Because what I’m seeing might be the transaction. I can see that user X downloaded a file at 3:00, and he downloaded another file at 4:00, and maybe I’ll have the file name if I’m able to actually decode into that file share protocol. But that’s not enough, because there are so many files maintained in the file server that I just don’t care about as a security defender. There might be information about some upcoming bake sale or the employee’s phone records, or other things that are maintained on the file server that I don’t need to track, because if they leave my environment it’s not going to impact my business.

So what I need to really do is figure out: How do I find the files that have my crucial information on my file systems? Things like intellectual property or source code or my customer information. How do I know when that is going internally through my network and which users it’s going to?

And what I don’t want to do is just generate alerts every single time a user in my environment downloads a file from the file server that might have some proprietary information. Because that’s a typical daily process, and I’m just going to flood myself with false-positives, overload the database and whatever my security tool is. So instead, I just need a way to track. I need a way to maintain that something happened in my environment that I should be aware of that by itself isn’t necessarily suspicious or malicious. I need to, in this case, extract some kind of usable data about that transaction, or metadata about it. So if I can look inside that content and I can identify, based on the content that, yes, this thing is actually important to my business, then I can flag that now I know that user X over here downloaded a file, and that file was actually important to my business, and I need to make sure that I monitor what’s happening.

I can then do trending analysis across time. I could say over the past day or seven days or a month: What does the average user in my environment look like? Because one of the things we find out when we start looking for things like insiders is, very few people have an understanding of what the typical employee does on a daily basis in their environment? So by looking at this I can tell that, OK, my accounting department, on average they’re downloading 15 proprietary files a day for my environment. It’s then much easier for me to find the user who spikes to 30 or spikes to 100, or maybe they are trying to be intelligent about it and they’re only downloading a few files a day, but over the course of the year I see that they’ve downloaded a huge amount of unique files. That is what I need to do, and those are the analytics that need to take place.

Understanding what’s normal and then being able to identify what is outside the norm, and that allows me to then, actually create an alert for that. If I have a SIEM solution or any other kind of device that’s monitoring, I can get it out there so that I can start my incident response cycle. I can start my investigation to see, is this person actually doing something malicious. In that case, hopefully I can catch this insider before they actually make the news, or before I find out from some third-party that all of my data was stolen.

And then, because I have that rich information about what’s happening, I need to also maintain deep information about the files themselves. Because it’s not enough to know that this user downloaded 100 proprietary files. I want to also answer the question to my management of what files were they? So, I need to have the information about what’s the file name, when was it created. Metadata about that file is crucially important so that when I do my investigation I can tell my management team, and I can say this is exactly what was taken or what they tried to take from the environment.

If you move into another example, outside of the insider threat and more into just trying to protect yourselves against malicious activity, we could look at something like ransomware. CryptoLocker is one version of ransomware that has been pretty rampant in the environment this past year. With CryptoLocker, basically you would get infected with a file, something would affect your system and then it would reach out into your hard drive, encrypt all of your files that were important to you and then say, “You now pay me so much money and I’ll unencrypt them for you, otherwise you’re going to lose your data.”

But what happens with ransomware is, with the advent of this Bring Your Own Device situation, we now say, “OK, user, you can go take your laptop home and use it at home.” What happens when they use it at home and the user is perusing the internet, but he doesn’t have my security stack anymore? That whole defense-in-depth model of putting all these different devices to monitor what is coming into the network doesn’t protect my users when they are at home. We were finding that people were getting infected on their home networks and then plugging back into the enterprise the next day, and what this particular type of ransomware did was it didn’t just encrypt your hard drive; it actually enumerated all of your files of all the attached storage. We were finding businesses that were losing huge amounts of data. So the question comes up: How do you protect against that?

And if I have some type of anti-malware system in my network, it doesn’t help with this, because I’m not going to see the files traverse across the stack. The file is already on the system. Again, I have this trusted person who has brought this laptop into my environment and plugged into my network. Instead, what I need to do is look past identifying the file. Look past trying to find the malware because it’s too late for that. What I want to do is look for the behavior -- the characteristics of what this malware is doing -- and try to see if I can figure out what’s happening and then do prevention against that.

In this case, it was pretty easy because what CryptoLocker was doing was finding your file server, mapping out those drives, and then once it found it, then it was just a series of downloading and encrypting and then re-uploading the encrypted file back to the file server, so that your file server now had encrypted versions of all these files. So for us, the analytics there is just to monitor this transaction between the user environment and between the file servers, and once we saw some thresholds get broken -- too many downloads and then uploads in encrypted files in a period of time from a single host -- we were able to take an action upon that. Let’s take 10 as a number. If I saw a user in my environment within a minute download 10 files and upload 10 encrypted files to a file server, that’s something that needs to now have an action take place. And in this way, by identifying the behavior, that CryptoLocker malware can be morphed many times, the signature could change, all the ways that I could identify the file itself are insignificant to me because what I’m looking for is the actual behavior of how this thing acts once it is inside my environment.

Advice for Improving Defenses

FIELD: Based on your customers’ experiences and what you see in the marketplace, what advice would you offer to organizations on where they can begin to improve their defenses against advanced threats?

NICHOLS: One of the most common things we see as we go into different environments is that customers of ours that we talk to, they have a great handle on the right model of protection. They put their security stack together properly. They have a good set of tools in there. But what we’re seeing is that their focus is weighted too heavily in one direction. There are a whole lot of products that are looking at the inbound problems coming into the network. You have your anti-malware box, your IPS and other devices that are focused on malicious things coming into the network so you can stop that malicious file as it comes in. The problem is: What we don’t see a focus on is the rest of the information. So, what’s propagating through my network? What is normal network activity so that I can identify anomalous communications going out? And then, finally, what’s monitoring the actual data leaving? What’s doing the deep inspection, so I can actually understand what’s happening?

Old-school data loss prevention is not enough anymore. That registration of important files and looking for those leaving, that’s not what’s happening. People aren’t taking the exact files off your system and sending them out so the tags are still there. You need to actually inspect the content of this information to find out if it’s important to you or not. You need real deep content analysis so you can actually focus on the other avenues of attack.

One of the key pieces of our company is our services arm which does incident response. Time and time again they respond to these big breaches and will see the threat actors have been in that environment for almost a year. If you map a timeline of how that attack took place -- the time spent breaking in the door, the time spent getting into your network -- where that security stack that was monitoring for inbound problems would be successful is at stopping something in a couple days at most. The rest of that time, the other 10 months or more of activity, is all that threat actor now rooting around your network, finding where your files are, ensuring that they can get them out properly and all the other kinds of things that they are doing, and then finally scanning the data. They are moving around your network constantly. They’ve already gotten in. So we need to look at: Do we have enough coverage on this inbound problem? Because if you miss that problem, if you miss the file coming in, if you miss the thing that you set your stack to look at, what’s going to help you detect the actual attack once it is inside your network?
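The two analytics Nichols describes in the interview, a per-department baseline for proprietary-file downloads (catching both the user who spikes and the one who takes a few new files every day) and the ten-downloads-plus-ten-encrypted-uploads-in-a-minute ransomware threshold, worked through as an added Python example. This is not code from the interview or from any Fidelis product; the transaction log, user and host names, and the proprietary/encrypted flags are constructed assumptions.

```python
"""Behavioral analytics over file-share transactions (constructed data), for
the two detections the interview describes: (1) a per-department median of
proprietary downloads per user per day, flagging a user-day at >= 2x the
median and a user whose distinct files over the window reach >= 3x the median;
(2) one host downloading >= 10 files and uploading >= 10 encrypted files to a
file server inside any 60-second window. Assumed: the proprietary/encrypted
flags come from an upstream content-inspection step (set by hand here)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Txn:
    ts: datetime
    user: str
    host: str
    dept: str
    action: str                 # "download" or "upload"
    path: str
    proprietary: bool = False   # content matters to the business (assumed flag)
    encrypted: bool = False     # upload body looked encrypted on inspection (assumed)


def insider_anomalies(txns, spike_factor=2.0, unique_factor=3.0):
    """Return (spikes, hoarders): [(user, day_iso, downloads)] and
    [(user, distinct_files)], each judged against the department median."""
    daily = defaultdict(int)     # (dept, user, day) -> proprietary downloads
    unique = defaultdict(set)    # (dept, user) -> distinct proprietary paths
    for t in txns:
        if t.action == "download" and t.proprietary:
            daily[(t.dept, t.user, t.ts.date())] += 1
            unique[(t.dept, t.user)].add(t.path)
    spikes, hoarders = [], []
    for dept in sorted({d for d, _, _ in daily}):
        # Median, not mean: the outlier must not drag its own baseline up.
        base_day = median(c for (d, _, _), c in daily.items() if d == dept)
        for (d, user, day), c in sorted(daily.items()):
            if d == dept and base_day > 0 and c >= spike_factor * base_day:
                spikes.append((user, day.isoformat(), c))
        uniq = {u: len(s) for (d, u), s in unique.items() if d == dept}
        base_uniq = median(uniq.values())
        for user, n in sorted(uniq.items()):
            if base_uniq > 0 and n >= unique_factor * base_uniq:
                hoarders.append((user, n))
    return spikes, hoarders


def ransomware_bursts(txns, window=timedelta(seconds=60), threshold=10):
    """Return [(host, window_start_iso)] for hosts that downloaded >= threshold
    files and uploaded >= threshold encrypted files within `window`."""
    by_host = defaultdict(list)
    for t in txns:
        by_host[t.host].append(t)
    hits = []
    for host, events in sorted(by_host.items()):
        events.sort(key=lambda t: t.ts)
        for i, start in enumerate(events):   # sliding window anchored on each event
            downs = ups = 0
            for e in events[i:]:
                if e.ts - start.ts > window:
                    break
                downs += int(e.action == "download")
                ups += int(e.action == "upload" and e.encrypted)
            if downs >= threshold and ups >= threshold:
                hits.append((host, start.ts.isoformat()))
                break  # one alert per host is enough to start a response
    return hits


def build_sample():
    """Constructed log: 30 days of accounting downloads plus one CryptoLocker-style
    burst from a laptop plugged back in after a night at home."""
    txns = []
    day0 = datetime(2014, 11, 3, 9, 0)

    def downloads(day, user, host, n, name):
        for i in range(n):
            txns.append(Txn(day + timedelta(minutes=i), user, host, "accounting",
                            "download", name(i), proprietary=True))
    for d in range(30):
        day = day0 + timedelta(days=d)
        downloads(day, "alice", "ws-01", 15, lambda i: f"acct/report_{i:02}.xlsx")
        if d == 3:  # bob's one-day spike: 60 fresh files instead of his usual 14
            downloads(day, "bob", "ws-02", 60, lambda i: f"acct/export_{i:02}.csv")
        else:
            downloads(day, "bob", "ws-02", 14, lambda i: f"acct/ledger_{i:02}.xlsx")
        downloads(day, "carol", "ws-03", 16, lambda i: f"acct/budget_{i:02}.xlsx")
        # dave stays at 8 a day but never touches the same file twice
        downloads(day, "dave", "ws-04", 8, lambda i: f"acct/customer_{d * 8 + i:04}.csv")
    t0 = datetime(2014, 11, 10, 8, 15)
    for i in range(12):  # 12 downloads, then 12 encrypted uploads, all inside ~30 s
        txns.append(Txn(t0 + timedelta(seconds=i), "erin", "lt-42", "sales",
                        "download", f"sales/contract_{i:02}.docx"))
        txns.append(Txn(t0 + timedelta(seconds=20 + i), "erin", "lt-42", "sales",
                        "upload", f"sales/contract_{i:02}.docx.encrypted", encrypted=True))
    return txns


if __name__ == "__main__":
    log = build_sample()
    print(insider_anomalies(log), ransomware_bursts(log))
```

Running it flags bob's one-day spike and dave's slow accumulation of unique files, and the single laptop whose download/encrypted-upload burst crosses the 10-in-a-minute line, while the three normal users stay silent.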

Ransomware: 7 Defensive Strategies
Essential Data Protection Steps for Enterprises
by Mathew J. Schwartz

To all the victims of the shakedown malware known as Cryptolocker, which forcibly encrypts PCs and demands a ransom to receive the unlock code: You can get your data back.

Security firms FireEye and Fox-IT announced Aug. 6 that they had cracked the Cryptolocker encryption scheme. By uploading a single encrypted file to their Decryptolocker service, which extracts the master encryption key, users will receive back a free tool to decrypt all encrypted files on their hard drive.

That’s good news for Cryptolocker victims - FireEye estimates 137,000 PCs remain infected. But despite the recent high-profile disruption of the Cryptolocker campaign, many other types of ransomware remain at large. So it’s essential that security managers put a plan in place to defend corporate data - residing on PCs, servers, network shares, smart phones and cloud-based services - against ransomware attacks.

“Ransomware is now one of the fastest growing classes of malicious software,” says Fedor Sinitsyn, a senior malware analyst at the security firm Kaspersky Lab. “In the last few years it has evolved from simple screen blockers demanding payments to something far more dangerous.”

Ransomware attacks fall into two categories: scareware and lockers. Scareware is a social-engineering attack that displays an official-looking notice of a fine, often for the PC having allegedly been used to view pornographic material. Much more insidious, however, are locking or “encryptor” attacks, which encrypt files, operating system kernels or a master boot record, then throw away the encryption key unless users or businesses quickly pay a ransom.

Here’s how organizations can defend themselves against these types of attacks:

1. Don’t Rely on Takedowns

Law enforcement agencies have been targeting ransomware networks and their operators, but do not expect these crackdowns to eliminate the threat. For example, one recent, high-profile law enforcement operation - involving the combined efforts of the U.S. Federal Bureau of Investigation, Europol and NCA - managed to disrupt the Gameover Zeus Trojan and Cryptolocker ransomware.

The two pieces of malware were being used as a one-two punch by the same gang to first steal financial information from victims’ PCs, and then to encrypt their contents and demand a payoff, according to the U.S. Department of Justice. Over a two-month period, Cryptolocker netted $27 million in ransom payments.

But the Cryptolocker disruption campaign demonstrates the limits of such operations. Notably, the malware mastermind behind the operations, named in court documents as Russian Federation resident Evgeniy Bogachev, remains at large, and with a little time and effort, he could easily restart operations. In fact, some security experts see signs that the attackers have already rebooted their operations (see Gameover Zeus Trojan Returns). As of July 31, Aviv Raff, CTO at cloud-based security firm Seculert reports, a new variant of Gameover Zeus had managed to infect at least 10,000 devices.

2. Employ Anti-Malware Tools

Ransomware, as the name implies, is a form of malware, and thus can be blocked on PCs by any anti-virus or anti-malware engine that correctly signature-matches the malicious code. But many related attacks - often launched via phishing e-mails, fake downloads, and malicious URLs - originate with crimeware toolkits, which can exploit any one of a number of vulnerabilities to install malware. Furthermore, by the time any ransomware is detected, an infected PC may already have played host to malware designed to steal financial details, launch distributed denial-of-service attacks or relay spam.

For example, ransomware known as “Critoni,” “CTB-Locker” as well as “Onion,” which was discovered in June by malware researcher Kafeine, is being distributed by the Andromeda bot, which first infects PCs with an e-mail worm called Joleee that’s designed to send spam e-mails and download further attack code. In recent attacks, one of the files it’s downloaded has been the Critoni ransomware.

Similarly, Cryptolocker was being pushed to PCs that were first infected by Gameover Zeus. First, attackers used Zeus to steal financial information from the PC. Later, they encrypted infected hard drives and held them to ransom, thus increasing their profits.

3. Safeguard Android Devices

Beyond PCs, ransomware attackers have also been targeting Android devices. To defend against these types of attacks, ensure employees with Android devices are using anti-malware tools. Many such tools now also include cloud-based backup capabilities, so infected devices can be wiped and restored, which many security experts say is the only reliable way of eliminating infections.

What type of ransomware has been targeting Android? The Svpeng Trojan, for example, is designed to first steal credentials from mobile banking apps, and then to lock the mobile device and demand a ransom. Another piece of ransomware, discovered by Kafeine in May and dubbed Koler, locks the screens of infected Android devices, then demands between $100 and $300 to unlock them.

4. Watch Servers

Beyond PCs and smartphones, a growing number of these attacks target servers, says Carl Herberger, vice president of security solutions at Radware. Some of his firm’s customers, in fact, have been targeted by Windows server ransomware, and he says small and medium-sized firms are particularly at risk.

“These are law firms that have had their servers actually totally locked up by ransomware like Cryptolocker, and the entire business was down,” Herberger says. “You can imagine a law firm, their business is really file-level transactions to and from servers. ... You lock down those servers, you’ve locked down their business.”

5. Back Up Everything

But any type of Internet-connected device that stores data is potentially at risk from locking attacks. For example, on Aug. 3, the user of a DiskStation network-attached storage appliance from Synology reported suffering a “SynoLocker” ransomware attack that left all contents on the device encrypted, and the administrator GUI inaccessible. “When I open the main page on the webserver, I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on network to get the files unlocked,” the user says in a Synology community forum post. According to a ransom demand posted by another DiskStation-using victim, attackers are demanding a payment of 0.6 (about $350) and promise the ransom demand will double if not received in one week.

Synology says it’s investigating the attacks, and notes the ransomware appears to be targeting a flaw in some versions of the Synology DiskStation Manager operating system, which the vendor patched in December 2013. So Synology recommends anyone using a vulnerable version of DSM update it immediately.

6. Maintain Offsite Backups

One of the best ways to battle ransomware that locks down servers or other systems is to maintain offsite backups. “Encrypting data is the equivalent of destroying it; the protection against the destruction of data is to make copies,” says security consultant William Hugh Murray.

Murray acknowledges that most enterprises already back up corporate data to an offsite location. But he warns that too often, these backups can be directly accessed from the system where the data originated. Many cloud-based services, for example Dropbox, allow access to storage directly from a user’s file system.

Instead, Murray says offsite or cloud-based backups must not only be stored offline, but also made to be not directly accessible from the originating system. “If the file system can access the offsite or cloud-based backup, so too can ransomware,” Murray says.

7. Don’t Expect Boy Scouts

Don’t expect to recover encrypted data without paying a ransom, because rapidly advancing ransomware is making reverse-engineering the attacks much more difficult. With Critoni, attackers are even obscuring their command-and-control activities by tapping The Onion Network, a.k.a. Tor. The developers have also used an unusual cryptographic scheme, which “makes file decryption impossible, even if traffic is intercepted between the Trojan and the server,” says Sinitsyn at Kaspersky Lab.

But paying a ransom demand and getting in return a working decryption key relies on trusting one’s attackers, says Eduardo Altares, a research engineer at security vendor Trend Micro, in a blog post. “While it might be tempting to pay the ransom for encrypted files, there is no guarantee that the cybercriminals will decrypt the ransomed files.”

Indeed, ransomware payoffs are a chance to test first hand whether there’s honor among thieves, says Brian Foster, CTO of threat-detection firm Damballa. “Of course you’re not talking about Boy Scouts here.”

That’s just one more reason it pays to prepare ransomware defenses in advance of being attacked. n

Data Breach Explosion Proves Costly
NY Attorney General: ‘Nothing Short of Staggering’
by Eric Chabrow

If New York State is illustrative of a national trend, hacking poses a greater threat to businesses and other organizations than other types of data breaches. External cyberattacks represent 40 percent of the nearly 5,000 breaches recorded in the state from 2006 through 2013, according to a new report issued by the state attorney general.

Breaches over the eight years tracked by the AG exposed more than 22.8 million personal records of New Yorkers, according to the report titled Information Exposed: Historical Examination of Data Breaches in New York State.

With 7.3 million records exposed in 2013, the cost of last year’s 900-plus data breaches to the public and private sectors topped $1.37 billion, which Atty. Gen. Eric Schneiderman characterizes as “nothing short of staggering.” Five of the 10 largest breaches reported to the New York AG have occurred since 2011.

“In just eight years, the number of victims in New York has exploded ... jeopardizing the financial health and well-being of countless New Yorkers and costing the public and private sectors in New York - and around the world - billions of dollars,” Schneiderman says.

Healthcare Woes

Healthcare is the sector with the largest number of records exposed since 2006, at more than 1 million. “As the healthcare industry moves toward increasing digitization, it has become a repository for large troves of sensitive information, making the industry uniquely susceptible to data loss, particularly through lost or stolen electronic storage equipment,” the analysis says.

Other sectors with a significant number of businesses experiencing three or more breaches include retail services, financial services and banking specifically.

Although hacking and equipment losses resulted in the most breaches, the number of breaches by insiders grew to 121 incidents in 2013, a record high. But with the exception of 2007, the volume of personal records exposed from insider actions generally decreased over the years. In 2007, a single event - the Certegy Check Services breach - accounted for about 80 percent, or 470,696, of New Yorkers’ records exposed that year.

The AG says businesses and government agencies need to do a better job educating people about cyberthreats. “Our expansive look at data breaches found that millions of New Yorkers have been exposed without their knowledge or consent,” Schneiderman says. “It’s clear that a broad, concerted public education campaign must take place to ensure that all of us - from large corporations, to small businesses and families - are better protected.”

The report offers five steps enterprises should take to help protect sensitive personal information against unauthorized disclosure:

1. Understand the types of information needed to operate the enterprise, what data has been collected and stored, how long the data is needed and steps to take to ensure information security.
2. Identify and minimize data collection practices.
3. Create an information security plan that includes encryption.
4. Implement an information security plan that ensures employee awareness training, notify third parties of the security plan and conduct regular audits to assure compliance with the plan.
5. Offer mitigation services in the event of a breach.

Under New York’s breach notification law, notification is required only if personally identifying information such as a name, in addition to a protected number, such as a credit card or Social Security number, is disclosed. Such data reported to the state served as the basis for the AG report.

CISOs Respond to Heartbleed Bug
Outline Steps Taken to Mitigate Risks in Wake of Vulnerability
by Jeffrey Roman

CISOs in all sectors are taking steps to mitigate the risks posed by the OpenSSL vulnerability known as the Heartbleed bug.

Christopher Paidhrin, security administration manager at PeaceHealth, a healthcare provider in the Pacific Northwest, says the entire security community has been “laser focused” on the Heartbleed bug.

“The scope and potential depth of compromise should remind all of us how interdependent we are on trust controls,” he says.

Paidhrin says PeaceHealth was not exposed to the vulnerability because it does not use any of the vulnerable platforms. “Still, we checked to be sure. We have a checklist for this vulnerability. We do partner with many others, so we have been cautious to validate the exposure of our peers, partners, vendors and customers,” he says.

“PeaceHealth is reaching out to our strategic partners to confirm our shared remediation status. Most of our partners share our concern and have taken steps to address this event.”

Three Steps

Elayne Starkey, chief security officer for the State of Delaware, says her department responded in three steps. “Step one was to learn everything we could about it,” she says. “Step two was to test our public-facing websites and identify what needed attention.”

Step three, Starkey says, “was to alert our customer state agencies and begin the process of applying patches and replacing certificates.”

Starkey says some of the state’s systems and servers were exposed to the Heartbleed vulnerability, so security specialists are continuing to apply patches and replace certificates.

Organizations should remain vigilant regarding the OpenSSL vulnerability, Starkey says. “Monitor advisories closely [and] promptly assess the situation before taking action,” she advises.

A Top Concern

The Heartbleed issue is a top concern at the University of Pittsburgh Medical Center, says CISO John Houston.

“It is an OpenSSL issue that is very broad in scope,” he says. “We have been actively assessing the issue and have determined that many of our systems are not affected. For those systems that are affected, we are developing plans to remediate the issue.”

Houston says his organization is also implementing a signature on its network traffic scanner to actively watch for malicious traffic.

A security leader at a major southeastern bank, who asked not to be identified, says the institution’s first action upon learning about Heartbleed was to examine its Internet-facing services to determine if there was exposure. “Fortunately, there was not,” he says. “We then began scanning our internal network for systems which were potentially vulnerable.”

Based on its investigation, the institution found internal servers that were susceptible to the exploit, as well as additional low-level systems, such as printers. “We continue to work with the vendors to receive patches and replace the OpenSSL certificates which could potentially be compromised.”

Kennet Westby, president at the risk management consulting firm Coalfire, says that a number of its internal platforms were affected by the bug. Additionally, two service providers and a remote access client were affected. “All of these have been addressed, patched and validated secure,” he says.

Coalfire immediately initiated an internal alert as soon as information about the vulnerability was released. “Initial steps were to inventory any systems, applications or service providers where we could identify the use/integration of the vulnerable version of OpenSSL,” Westby says. “We incorporated discovery and scanning tools to assist with this process as these checks were released.”

Westby says the company will continue to focus on reducing the risk of any compromise by changing all account in its internal systems, updating all SSL keys and certificates that could have been compromised and encouraging all users to change passwords with external service providers’ services.

Heartbleed Updates

Technology companies Cisco and , along with several other vendors, issued alerts about which of their products are vulnerable to the Heartbleed bug.

Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” says Codenomicon, the Finland-based security vendor that discovered the bug, along with a researcher at Security.

Codenomicon says Fixed OpenSSL has been released and needs to be deployed now across websites vulnerable to the bug. Additionally, organizations can use an online tool to see if their website is vulnerable.

The Federal Financial Institutions Examination Council issued a statement April 10 stating that it expects financial institutions to incorporate patches on systems and services, applications and appliances using OpenSSL and upgrade systems as soon as possible to address the Heartbleed vulnerability.
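The sequence the CISOs above describe (inventory the OpenSSL builds in use, patch, re-issue keys and certificates, then rotate credentials) can be driven from a version inventory. The following is an added example, not code from ISMG or from any of the organizations quoted; the hostnames, banners and the `backported_fix` field are constructed. It uses the upstream affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carried the bug; 1.0.1g fixed it) and models two pitfalls the article points at: distribution packages that keep the old version banner while shipping a backported fix, and embedded devices such as the printers the bank found, which report no usable banner and have to be checked another way.

```python
"""Triage a constructed OpenSSL inventory for Heartbleed exposure and list the
remediation steps in the order the CISOs describe: patch first, then new keys
and certificates, then credentials. Added example, not ISMG or vendor code."""
import re

# Upstream affected range: 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g fixed it.
# 0.9.8 and 1.0.0 never contained the heartbeat extension code.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# Constructed inventory. `backported_fix` is an assumed field standing in for a
# distribution package that keeps the old banner but ships the fix.
SAMPLE_INVENTORY = [
    {"host": "web-1", "banner": "OpenSSL 1.0.1e 11 Feb 2013"},
    {"host": "web-2", "banner": "OpenSSL 1.0.1g 7 Apr 2014"},
    {"host": "legacy-ldap", "banner": "OpenSSL 0.9.8y 5 Feb 2013"},
    {"host": "build-1", "banner": "OpenSSL 1.0.2-beta1 24 Feb 2014"},
    {"host": "deb-app", "banner": "OpenSSL 1.0.1e 11 Feb 2013", "backported_fix": True},
    {"host": "printer-3", "banner": "embedded TLS stack, version not reported"},
]


def parse_banner(banner):
    """Split an `openssl version` banner into (major, minor, patch, letter, beta), or None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def is_affected_version(banner):
    """True/False for a parseable banner; None when the banner says nothing usable."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) through "f"; "g" and later are fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1              # only the first 1.0.2 beta shipped the bug
    return False


# Ordered actions for a host that served traffic while vulnerable.
REMEDIATION = [
    "apply the fixed OpenSSL build (or the vendor's firmware for appliances)",
    "generate new private keys and re-issue certificates",
    "revoke the certificates that were served while vulnerable",
    "reset passwords and session tokens that may have transited the host",
]


def triage(inventory):
    """Attach a status and an ordered action list to every host."""
    plan = []
    for host in inventory:
        affected = is_affected_version(host["banner"])
        if affected is None:
            status, actions = "unknown", ["confirm with a scanner or vendor advisory; banner unusable"]
        elif affected and host.get("backported_fix"):
            status, actions = "patched", ["verify keys and certificates were re-issued after the fix"]
        elif affected:
            status, actions = "vulnerable", list(REMEDIATION)
        else:
            status, actions = "not-affected", []
        plan.append({"host": host["host"], "status": status, "actions": actions})
    return plan


def summarize(plan):
    """Count hosts per status, the figure a CISO reports upward."""
    counts = {}
    for row in plan:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


if __name__ == "__main__":
    plan = triage(SAMPLE_INVENTORY)
    for row in plan:
        print(f"{row['host']:12} {row['status']:13} {' -> '.join(row['actions'])}")
    print(summarize(plan))
```

A version banner alone never proves exposure or safety: treat every "unknown" host as a work item for a scanner or a vendor advisory, and do not skip the key and certificate step for hosts that were exposed before they were patched, since, as Codenomicon's description above notes, the bug allowed memory to be read, and a private key read out of memory is not repaired by a patch.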

Testing Your APT Response Plan
ISACA’s Robert Stroud Offers Insights, Assesses Survey Results
by Eric Chabrow

Enterprises should test the processes they establish to respond to advanced persistent threat attacks, just as they vet their business continuity plans, ISACA International President Robert Stroud says.

IT security leaders should test responses to specific APT attack scenarios, such as one that targets credit card information, Stroud says in an interview with Information Security Media Group. He advises that an APT attack response test should address communicating with customers, triaging the computer environment and protecting the organization’s reputation.

It’s not just the IT security team that needs to be involved in APT attack response testing.

“This is the key aspect: The risk professional and the security professional and the business professional need to be joined at the hip, understand the scenario, understand how to act in an impressive way, go through the scenario, do the drill, have the plan written up,” he says. “And, then you execute it, pull it out and absolutely leverage it.”

In the interview, Stroud also discusses the just-published ISACA report, 2014 Advanced Persistent Threat Awareness, which is based on a survey of more than 1,200 IT security professionals. Among the points the study makes, and Stroud addresses:

»» Correlations between enterprises’ perceptions on whether they’ve been victimized by APTs and how they prepare for them;
»» Why many information security professionals do not clearly understand APTs nor how to defend against them;
»» How most organizations rely on firewalls and other perimeter defenses to protect systems from APTs, even though they aren’t necessarily well-suited for preventing and mitigating such attacks.

Understanding APTs

ERIC CHABROW: If APTs are still not clearly understood, tell us how you define advanced persistent threat?

ROBERT STROUD: Advanced persistent threats are typically the types of threats that are going to come into our organizations and look to carry out some form of activity against the organization. They are stealthy in nature and will often use things like organization’s traffic and normal patterns of behavior to gain entry into the organization, and then sit there and remain dormant for pieces of time, or just take little pieces of information at a time. Ultimately there is an objective with an APT. They may be looking to target a person, individual, data, IP or even financial information, all with an intended target. It’s almost like the world has emerged from the old days of , which used to happen in terms of physical crime. Today we are moving to electronic crime.

CHABROW: Why do you think some confusion exists regarding APTs among the 1,200 IT security professionals you surveyed?

STROUD: It’s an emerging area, and as an emerging area, one of the pieces is protecting our environments against physical threat and putting in rings of defense … not necessarily thinking people would be targeted in terms of the way they attack today - with the total interconnectivity of systems and solutions that people are delivering and the total dependence on technology. We’re seeing a change in the threat profile.

Now over time, people have a series of patterns of behaviors ingrained in their work practices. What’s happening today is you see the threat profile change, which is proportional to the way that business is changing. We’ve now gone from just leveraging technology for instrumentation and automation to the delivery of total business through technology.

Surprising Survey Finds

CHABROW: What finding from the study surprised you the most?

STROUD: There were a couple of findings that really surprised me. There are three points that I’d like to make here. Number one was that 92 percent of the people surveyed this year identified that advanced persistent threats pose a credible threat to national security or economic stability. That reinforces the fact that people are starting to become aware of and acknowledge them.

CHABROW: Did that number surprise you being so high, and if so why?

STROUD: What that surprised me is to a formal point that we just made, the awareness of APT. When we talk about the fact that in past years the awareness was not quite so high. Now we’re starting to see people be aware that the APTs can actually target information security. A lot of that has been encouraged by what’s been going on in the media lately where certain national state attacks got some coverage, and people are starting to become aware that there is a new way of going about getting at organizations and governance and information. That is through technology and they can leverage technology in the form of these types of attack.

CHABROW: What are your second and third points?

STROUD: This year we saw that one in five have experienced, or acknowledged that they’ve experienced, an APT attack. If you look back through last year’s survey, you’ll notice that the one in five number was the same last year. That’s interesting because that reinforces the point that the attacks have been getting acknowledged. Also, the level of diligence and vigilance that people are putting in place, that number is still the same, which suggests that without the vigilant efforts, that number may have been higher. That’s the assertion that I got off that number there.

It’s very interesting that in terms of these types of attacks, it’s not just like an old-fashioned DDoS attack; where I want to stop your business by bombarding you. These attacks are targeted for a particular gain of some sort. To be that type of target, you have to have some form of credible data, information or business that I want to go after. What we’re seeing with this interconnected business and introduction of more mobility [has] certainly opened up more avenues for people to get in.

Expecting vs. Preparing to be Attacked

CHABROW: Reading these survey results there seems to be a correlation between people who expect to be attacked by APTs and the preparedness for the attacks versus those who don’t expect to be attacked and maybe they’re not as well-prepared.

STROUD: It’s really interesting in terms of the real publicized attacks, there have been a number within certain segments of business that we acknowledge. Financial services are one sector that tend to acknowledge these types of things because they’ve got financial information. Governments may have information on various pieces that people would want to do, and these types of organizations are aware that these types of attacks may exist. They are at the forefront of information security and you’ve seen them change their profile and posture and start to prepare, whereas other organizations may not have thought that they were going to be a target and not so prepared.

Information and Preparation

CHABROW: So the organizations aren’t taking the steps to prepare for it or that this has happened to them? Are the other organizations just ignorant that it hasn’t happened to them, or do they look at it from a certain perspective that they don’t feel that they’re going to have the kind of information that people may want?

STROUD: Your answer is a bit in each statement you just made. Number one is that you’ve got to undertake an appropriate risk

assessment to understand what the crown jewels are if you don’t mind that analogy. Do I have any that some attacker will care about? The answer is often that organizations have very good information that could be a target for these types of attackers; like credit card information is very sellable on black market.

Organizations are starting to now realize that protected data, credit card transactions and credit card information through normally through PTI, those preventions and processes will assist them, but you know these attackers may enter through something like a mobile gateway or transaction. And trying to admit that they need to step up their level of precaution, prevention and observation to look for changes in behavior and patterns. Some of these organizations haven’t quite got there yet. Or if these attacks have happened they’re just not aware of them yet.

CHABROW: There was a third point?

STROUD: It kind of fades into the first two that we’ve just been discussing, and that was that 66 percent of organizations said it was likely or very likely that their organization will experience an APT attack in the next 12 months. Very interesting statistic for a number of reasons. Number one, let’s be clear we’ve got 1,220 security and industry professionals here [who are] starting to say, “Yes, we recognize the risk. We recognize that it is a growing threat. It is something we need to be concerned about, something we need to take some action, and start thinking about how we would react in this particular case.” A key point that I certainly consider is that at least if you’re aware, you can take action to do something about it.

Staffing for APT Mitigation

CHABROW: When organizations recognize they have to do something about APT, who are the people that should be involved?

STROUD: Security and risk professionals are very much aligned to be in this age. One of the things we need to do here is elevate this to the line of the CIO, and we certainly need to make boards aware of these types of activities where we have high risk items in our business. That has already happened in many of the areas we touched on already, such as financial services. Information security teams, whether they live within information technology or, in some more forward thinking organizations, outside of information technology, they need to understand what the risk is. They need to work very closely with their risk team and enterprise management team to understand where the risk is.

One of the key points of preventing or being diligent and acting after you have an APT is to work with your enterprise risk organization to understand what you will do, what the crown jewels are and how to react. So it’s a combination between the enterprise risk team, and also the business owners. The owners of your business are probably going to know the areas that are most fundamentally critical to the business. So it has to be a partnership, a partnership between those three groups that are very new.

Cyber Defense Disconnect

CHABROW: Cyber defense must be concentrated in the interior, or so some people think. Yet your survey shows that firewalls and other perimeter defense technologies are among the top controls enterprises use to protect sensitive data from APT attacks. Is there a disconnect here?

STROUD: One of the things we talk about with APTs is the fact that existing controls and solutions are good and they help, but they are not the only controls we’re going to have to put in play. This changing world of interconnectivity, and the changing way of connectivity from desktops and laptops from within secured environments, to this total mobile workforce that we have today shows that we need to really start looking at our mobile controls. How we access our environment, how the mobile controls are put in place and how people enter the environment. These are areas that the survey showed were in the lower level of technical controls used against APTs.

We need to start putting mobile security gateways in place, looking at remote access technologies and of course mobile antimalware controls need to be looked at as part of a changing profile. But one other aspect of the changing profile is that we need to be prepared to deal with APTs when they take place. You can do your best at providing preventative controls, but how do you react should you have an APT get through? It’s your response to deliver then that is critical, and you need to be able to respond in the right way.

Your incident management process needs to be put in place, practiced, communicated and effectively leveraged, such as we do business continuity plan. Every year we go and practice our business continuity plan to know how we would react in that scenario. With advanced persistent threats, we at least need to have done some scenario planning to be prepared to know how to deal with them when they happen. That’s a new string to the bow that we need to add to our security professionals.

CHABROW: Organizations need to go through drills to handle APTs. All of a sudden something goes down because of an APT. Could you provide more details on what organizations should be doing to prepare for this?

STROUD: There are a couple of aspects of the APT threat, and the survey talks about it a fair bit. One piece we haven’t talked about a lot is the skills gap, particularly in the industry right now. If you mention security professionals, you’re saying they need to add another string to their bow, if you will, in terms of the areas they need to cover and identify. That’s just one of them we need to add. We need to build up their skills and help with the professionals in this space, and when organizations indeed find they have an APT, they need to deal with it in a positive way.

One of the aspects that we have always done in a risk management is scenario planning. We’ll go and look at a likely scenario of what will happen in our environment and how we will react. For instance, if we have an APT in our organization, we know our credit card information is critical to our business and we suspect that our credit card database has been perpetrated in some way, shape, or form, we need to work through a scenario to know how to deal with it. How we communicate to our customers, how we shut down the threat or exposure, how we triage the environments, how we handle even things like public relations to protect reputation risk. When you have gone through those steps and practiced them, we can pull a plan out straight away and execute immediately. This is one of the areas that information security specialists are getting very good at; understanding and going through scenarios.

Now we shouldn’t do this just for the sake of scenarios. We have to understand the scenario based on the likelihood, because if the scenario is very unlikely, we’re obviously spending a lot of resources and time. If it’s very likely, we should absolutely spend some more time on it and put more preparation into it. Maybe we want to put some preventative controls in place. This is the key aspect; a risk professional, security professional and the business professional need to be joined at the hips, understand these scenarios, understand how to act in an appropriate way, do the drills, have the plan written up, and then if they need to execute it, pull it out and absolutely leverage it. They’ll learn each time, and they need to update those plans. One of the things we’re promoting at ISACA is through our CSX, or Cybersecurity Nexus; an environment for the development of industry professionals, information sharing and of course we’re also looking to get the skills that are missing in the industry out there, as well as guidance to help people do their jobs just a little bit better.

Robert Stroud, President, ISACA International
Stroud became ISACA’s international president earlier this year. Previously, he served on ISACA’s Professional Influence and Advocacy Committee. A past international vice president of ISACA, he served on its professional influence and advocacy and framework committees. Stroud also is a governance evangelist as well as vice president of strategy, innovation and service management at CA Technologies.

Avivah Litan on ‘Context-Aware’ Security
Gartner Analyst Describes How to Build an Effective Strategy
by Howard Anderson

A multi-layered approach known as “context-aware security” is the most effective strategy for fighting both insider and external cyberthreats, says Gartner analyst Avivah Litan, who explains how this strategy works.

“Context-aware security is about making your systems smarter,” Litan says in an interview with Information Security Media Group at the Fraud Summit Chicago, where she was a featured speaker. “Right now, there’s not a lot of situational awareness in our security systems, so they’re pretty linear. We can’t tell a good action from a bad action, in many cases, because we lack that situational awareness.”

Litan notes that if a staff member is accessing credit card data, and that’s a routine part of their job, the activity may not be seen as a cause for concern. “But if we’ve seen that the person has accessed the credit card data 2,000 miles away from their desk and they’re doing this at 3 in the morning, then that would look unusual and that would raise a red flag.”

The use of context-aware security is not yet common, Litan says, because most security vendors have just begun building into their systems a few of the many necessary capabilities, starting with device ID and location.

“The only thing that’s going to work in fraud detection and security is continuous profiling of your users, your accounts and your devices and looking to see if new activity ... correlates with what you expect,” she says.

In the interview, Litan describes:

»» The role of data analytics in this new approach to security;
»» How multiple layers of intelligent security can help pinpoint the most relevant alerts that systems generate;
»» How context-aware security might have helped to detect the Target breach and Edward Snowden’s activities at the ;
»» Why continuous profiling of users, accounts and devices is essential to fraud detection.
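The two questions the article turns on, whether an access is normal for this user (device, location, hour) and whether it is normal relative to the user’s peers (the volume of sensitive records read), and the correlation of a separate detection system’s alerts with that context, can be written down as a small scoring routine. The block below is an added example with constructed data; it is not code from ISMG, Gartner or any vendor, and the user names, device IDs, cities, record counts and alert signatures are all made up. It generalises the article’s single scenario (credit card data read 2,000 miles from the desk at 3 in the morning) to several context dimensions plus a peer-group baseline, and shows why an alert backed by abnormal context stands out from the thousands a large organization receives.

```python
"""Context-aware scoring of access events: compare each access with the
user's own history (device, city, hour) and with the user's peers (volume of
sensitive records read), then correlate the score with alerts from a separate
detection system so that only alerts backed by abnormal context are escalated.
Added example with constructed data, not ISMG or Gartner code."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed access history: (user, device, city, hour of day, sensitive records read).
HISTORY = [
    ("alice", "lt-0412", "Chicago", 9, 40),
    ("alice", "lt-0412", "Chicago", 10, 55),
    ("alice", "lt-0412", "Chicago", 14, 38),
    ("alice", "lt-0412", "Chicago", 16, 47),
    ("bob", "lt-0777", "Chicago", 9, 50),
    ("bob", "lt-0777", "Chicago", 11, 44),
    ("carol", "lt-0901", "Chicago", 10, 52),
    ("carol", "lt-0901", "Chicago", 15, 49),
]

T0 = datetime(2014, 9, 15)  # constructed day for the sample events and alerts
SAMPLE_EVENTS = [
    {"user": "alice", "device": "lt-0412", "city": "Chicago", "time": T0 + timedelta(hours=10), "records": 45},
    {"user": "alice", "device": "lt-0412", "city": "Los Angeles", "time": T0 + timedelta(hours=3), "records": 45},
    {"user": "bob", "device": "lt-9999", "city": "Chicago", "time": T0 + timedelta(hours=11), "records": 900},
    {"user": "carol", "device": "lt-0901", "city": "Chicago", "time": T0 + timedelta(hours=15), "records": 50},
]
# Constructed alerts from a separate threat-detection system; on their own they
# give no way to tell which of the three users deserves attention.
SAMPLE_ALERTS = [
    {"user": "alice", "time": T0 + timedelta(hours=3, minutes=20), "signature": "unusual-outbound-transfer"},
    {"user": "bob", "time": T0 + timedelta(hours=11, minutes=5), "signature": "bulk-export"},
    {"user": "carol", "time": T0 + timedelta(hours=15, minutes=10), "signature": "av-heuristic"},
]


def build_profiles(history):
    """Per-user baseline: the devices, cities and hours seen so far."""
    profiles = defaultdict(lambda: {"devices": set(), "cities": set(), "hours": set()})
    for user, device, city, hour, _records in history:
        p = profiles[user]
        p["devices"].add(device)
        p["cities"].add(city)
        p["hours"].add(hour)
    return profiles


def peer_baseline(history):
    """Mean and population std-dev of records read across the whole peer group."""
    volumes = [records for *_, records in history]
    return mean(volumes), pstdev(volumes)


def score_event(event, profiles, peer_stats):
    """Return (score, reasons): one point per context dimension that looks abnormal."""
    p = profiles.get(event["user"])
    if p is None:
        return 3, ["no history for user"]
    reasons = []
    if event["device"] not in p["devices"]:
        reasons.append("unknown device")
    if event["city"] not in p["cities"]:
        reasons.append("unusual location")
    hour = event["time"].hour
    if hour < min(p["hours"]) - 2 or hour > max(p["hours"]) + 2:
        reasons.append("unusual hour")
    mu, sigma = peer_stats
    if sigma > 0 and (event["records"] - mu) / sigma > 3:
        reasons.append("volume far above peers")
    return len(reasons), reasons


def correlate(events, alerts, profiles, peer_stats, window=timedelta(hours=1), threshold=2):
    """Escalate a detection alert only when the same user's access within the
    window scores at least `threshold` on context; the rest stay routine alerts."""
    results = []
    for event in events:
        score, reasons = score_event(event, profiles, peer_stats)
        matching = [a["signature"] for a in alerts
                    if a["user"] == event["user"] and abs(a["time"] - event["time"]) <= window]
        results.append({
            "user": event["user"], "score": score, "reasons": reasons,
            "alerts": matching, "escalate": bool(matching) and score >= threshold,
        })
    return results


def run_sample():
    profiles = build_profiles(HISTORY)
    return correlate(SAMPLE_EVENTS, SAMPLE_ALERTS, profiles, peer_baseline(HISTORY))


if __name__ == "__main__":
    for row in run_sample():
        flag = "ESCALATE" if row["escalate"] else "routine"
        print(f"{row['user']:6} score={row['score']} {flag:8} {row['reasons']} alerts={row['alerts']}")
```

The thresholds (two hours outside the user’s seen working hours, three standard deviations above peers, a context score of 2 before an alert is escalated) are illustrative and would be tuned per population. In production the profiles are rebuilt continuously from fresh events rather than from a fixed history as here; that ongoing rebuild is the “continuous profiling” Litan refers to, and the peer comparison is what catches a user whose behaviour is consistent with his own past but not with his division’s.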

Context-Aware Security

HOWARD ANDERSON: Could you describe what you mean by context-aware security and why we need it?

AVIVAH LITAN: Context-aware security is basically about making your system smarter. Right now there is not a lot of context or situational awareness in our security systems, so they’re pretty linear, and we can’t tell a good action from a bad action in many cases. So, for example, if someone is accessing credit card data and that’s part of their job, we may ignore it. But, if we’ve seen that that person is accessing the credit card data from 2,000 miles from their desk and they’re doing this at three in the morning, then that would look unusual, and it would raise a red flag.

ANDERSON: Why isn’t context awareness used more often?

LITAN: Because most organizations buy their systems from vendors. They don’t grow it themselves, and the vendors have just started putting context awareness into their systems. The most common application that we’ve seen is device ID and location, but they haven’t put in other information, like behavior, analytics, information from threats on the movements of users, navigations or different types of ways to enrich the transaction set beyond just the device.

Circles of Security

ANDERSON: You talked about using circles of security. What do you mean by that?

LITAN: The easiest way to think of that is the airport security. The best airports in the world, for example, in Israel, have layers of security. Meaning when you sign up for a flight, they’ve already done a background check on you, and then you go into the airport. There is a security gate that you have to drive through; then you go into the airport and there’s all kinds of video cameras; then you go through questioning; then you go through a security line; then there’s security on the boarding process, so there’s multiple rings of security. By the time you get on that airplane, you’ve been checked out, your background is checked out. They know where you’re flying, they know the context.

That’s the same thing with our security systems. You have to know where the person is coming from, do background checks, have different layers when they access your system, when they get into your accounts, when they start moving money or conducting transactions. There are layers at every stage.

Big Data Analytics

ANDERSON: Does big data analytics play a big role in this whole approach?

LITAN: It’s another layer of context-aware security. It’s not in line to the transactions, it’s at the end of the day, or the hour depending on the timeliness, putting all the data together and looking for different patterns that you wouldn’t see in each transaction system on its own. You’re able to get a whole listed view of all the entities in your organization and how they’re relating to each other, and that’s a piece of the analytics puzzle. It’s a big piece, and there’s a lot of ROI in that.

The Missing Element

ANDERSON: What’s the missing element in the current security approach then?

LITAN: Well one of the missing elements is there is not context awareness as we talked about. We’re not looking at these transactions in relation to past history, in relation to what’s happening today, in relation to peers, so there’s not good situational awareness. Secondly, people are just doing the bare minimum they can in many cases, because of budgetary constraints; they’re just doing what the regulators will check off as enough. Third, if they’re doing even more than that, there’s a lot of siloed systems, so the alerts are going off, and people can’t distinguish a false alarm from a real alarm.

It’s a combination of not enough context awareness, relying on vendors that haven’t put it in yet, having a lot of false alerts and just doing the bare minimum.

ANDERSON: You mentioned that this could have potentially theoretically helped with detecting the Target breach as well as the Snowden breach, an insider threat versus an outsider threat. How is that?

LITAN: By putting these layers of security in and making what they had more intelligent. So, for example, in the Target case, we all know from the press that there were alerts that were generated by a threat detection system, but they weren’t in context of anything else. You have to imagine that Target is probably getting thousands of alerts a day, why should these two alerts be that important? Even if they’re high priority, there are other high priority alerts.

What context-aware security does is correlate the alerts coming out of that threat detection system with other access alerts, for example, from different layers of the staff. It’s making each layer smarter and correlating them, and now you can see the alerts you really need to pay attention to. If Target had these kind of layered systems that were intelligent, the thinking is that these alerts they did get and didn’t pay attention to would have been highlighted. You’ve got to pay attention to this because this is correlated with other things that we’ve seen in your organization and enterprise, and you really have to pay attention to this. It’s not an isolated event.

ANDERSON: And with Snowden?

LITAN: Snowden, the same kind of thing. We don’t really know what the NSA had. They don’t talk about the defenses, but it should have looked abnormal for this fellow Snowden to have used 25 passwords to get files out of the system that only less than 20 people could see. That should have raised alerts.

If they were looking at all this access in the context of past behavior, was it normal for these users with high privileges? Those 20 passwords that he either borrowed or stole, [was it normal] to be moving all these files to a USB drive in Hawaii? No, probably not. Looking at this information in context with each other - the download of the files to the USB drives, the use of those 25 passwords, the abnormal access coming out of Hawaii - I’m sure he took great pains to cover his tracks. But if you looked at all these different activities together, perhaps an alarm would have gone off that would have been paid attention to.

“It sounds a little creepy, but really the only thing that’s going to work in fraud detection and security is continuous profiling of your users, accounts and devices.”
Avivah Litan

something abnormal with John relative to his peers. It may not be strange relative to him, but it’s strange relative to all the people in his division. What that means is you have to continually profile John and all of his peers and look at everybody in relationship to each other.

ANDERSON: Is this well suited to all industries, and just how costly is it to implement?

LITAN: It’s suited to anyone that’s got threats, whether it’s theft of intellectual property or money, and it can be very costly to implement. That’s a tough question to answer, but there are vendors
that are putting this technology together for reasonable prices. n

Continuous Profiling Avivah Litan, Analyst, Gartner Litan, a vice president at Gartner Research, is a recognized authority ANDERSON: So to sum up, the end goal is continuous profiling in on financial fraud. She has more than 30 years of experience in the IT analytics? industry. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection LITAN: It sounds a little creepy, but it’s really the only thing and prevention applications; and other areas of information security that’s going to work in fraud detection and security is continuous and risk. She also covers security issues related to payment systems profiling of your users, accounts, devices and looking to see if this and PCI compliance. activity that’s coming in correlates with what you expect in these profiles and baselines. You get a lot out of that. Let’s say you see
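An added example (not from the interview, Gartner or any vendor) of the peer-relative profiling Litan describes: constructed access events for one division are scored against the user’s own history and against divisional peers, so that something normal for a remote worker but odd for the division is surfaced for review, while several correlated signals (off-hours, distant location, removable media) are escalated. Users, thresholds and events are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str
    division: str
    hour: int               # local hour of day, 0-23
    miles_from_desk: float  # distance between the access location and the user's desk
    resource: str
    usb_write: bool = False  # data copied to removable media during the session


# A signal is "rare" when fewer than this fraction of baseline events match it
RARE = 0.05


def _constructed_history():
    """Twenty working days for a small payments division (constructed, not real data)."""
    events = []
    for user in ("alice", "bob", "carol"):
        for _day in range(20):
            for hour in (9, 11, 14, 16):
                events.append(AccessEvent(user, "payments", hour, 0.0, "cardholder_db"))
    # dan works from a remote office every day, so a large distance is normal for him
    for _day in range(20):
        events.append(AccessEvent("dan", "payments", 10, 1800.0, "cardholder_db"))
    return events


HISTORY = _constructed_history()


def rarity(baseline, matches):
    """Fraction of baseline events for which matches(event) holds; 1.0 when there is
    no history, so an unknown user or division never looks anomalous by accident."""
    if not baseline:
        return 1.0
    return sum(1 for e in baseline if matches(e)) / len(baseline)


def signals(event, baseline):
    """Names of the attributes of `event` that are rare relative to `baseline`."""
    def near_hour(e):
        d = abs(e.hour - event.hour)
        return min(d, 24 - d) <= 1  # wrap around midnight
    found = []
    if rarity(baseline, near_hour) < RARE:
        found.append("hour")
    if rarity(baseline, lambda e: e.miles_from_desk >= event.miles_from_desk) < RARE:
        found.append("location")
    if rarity(baseline, lambda e: e.resource == event.resource) < RARE:
        found.append("resource")
    if event.usb_write and rarity(baseline, lambda e: e.usb_write) < RARE:
        found.append("usb")
    return found


def assess(event, history=HISTORY):
    """Score one event against the user's own past and against divisional peers, then
    correlate: one rare signal is worth a look, two or more together get escalated."""
    own = [e for e in history if e.user == event.user]
    peers = [e for e in history if e.division == event.division and e.user != event.user]
    vs_self, vs_peers = signals(event, own), signals(event, peers)
    distinct = len(set(vs_self) | set(vs_peers))
    verdict = "escalate" if distinct >= 2 else "review" if distinct == 1 else "normal"
    return {"user": event.user, "vs_self": vs_self, "vs_peers": vs_peers, "verdict": verdict}


if __name__ == "__main__":
    for ev in (AccessEvent("bob", "payments", 14, 0.0, "cardholder_db"),
               AccessEvent("dan", "payments", 10, 1800.0, "cardholder_db"),
               AccessEvent("alice", "payments", 3, 2000.0, "cardholder_db", usb_write=True)):
        print(assess(ev))
```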

Keys to Fighting Insider Fraud

Fraud Summit Speaker Outlines Role of Data Analytics

by Tracy Kitten

Even after the high-profile Edward Snowden leaks of information from the National Security Agency, most organizations still aren’t taking insider threats as seriously as they should be, says Michael Theis, a chief counterintelligence expert at Carnegie Mellon University’s CERT Insider Threat Center.

“You would think that the problem would be getting better,” Theis says in an interview with ISMG. “But according to our data, it has not changed over the last 10 years.”

Too many organizations have not yet identified insider threats as being a critical issue, he says. “It takes some analytics ... to identify the vulnerabilities,” Theis says.

Tracking and analyzing data that spans years is critical to detecting patterns that may indicate collusion or some other type of insider compromise, Theis says. A common warning sign of insider fraud, he says, is the downloading of files or documents that are not germane to an employee’s job.

In this interview, Theis also discusses:

»» Ongoing research conducted by his team on the most common types of insider threats;

»» Why unintentional insider threats can be just as damaging as intentional fraud; and

»» How big data is opening new doors for fraud detection.

During his presentations at the Sept. 17 summit in Toronto and the Sept. 23 event in London, Theis will discuss the types of insider schemes organizations most commonly face and steps they can take to mitigate their risks. Registration information is available online.

Insider Threats

TRACY KITTEN: Can you give some background about why so many organizations still seem to be in the dark when it comes to understanding and appreciating the real threats that insiders pose?

MICHAEL THEIS: We’ve been doing this research since 2001, and for about the last 10 years we’ve participated in doing market surveys to ask those kinds of questions. [Such as], how many organizations have experienced an insider attack? How did they respond to it? One of the interesting things we found is that over 10 years, the rate is about the same. So in other words, you would think that the problem would be getting better, yet the amount of insider attacks that organizations experience hasn’t significantly changed over that entire 10 years.

That’s a little bit disheartening, but it’s understandable too. In a couple of ways, organizations may not have recognized insider threat until the last four or five years. That is an issue for them. The second thing is that we’re one of the few places that have done enough research that will help [explain] what the models are. Although technologies are important and they’re enablers, they’re not actually going to just find fraud, or insider threat. It takes analytics from a human perspective, of understanding what is the model, who does this, how did they usually engage in it, and what their purposes are. Then you can get a lot closer and not have so many incidents to evaluate, [so] that you can’t [even] find the actual malicious acts.

Fraud Summit Discussions

KITTEN: What are some of the high points that you discussed at the various ISMG Fraud Summits?

THEIS: One of the things that I talked about is the information that we garnered from those surveys, of what organizations right now are saying their biggest problems are. We also talk about understanding that fraud is different than intellectual property theft, which is different than IT sabotage, which is different than unintentional type threats. Understanding that will help organizations realize there’s no one type of insider, so there’s no one type of solution. You have to actually know what it is that you’re trying to protect - from critical assets, to people, to information, to locations. Then you can understand which models would apply to you and what strategies you would need to either prevent, detect, or respond to those types of threats.

Long-Term Perspective

KITTEN: Can you give us some perspective about long term perspective on insider threats?

THEIS: So one of the things that we talk about is how fraud works over long periods of time, [and] who’s likely to be engaged - whether it’s managers or non-managers, whether there’s collusion involved between people from the outside and inside, and also collusion amongst other insiders. It’s going to be interesting, and some of it will be a little bit counterintuitive when people see some of these results. In addition to that, we talk about mitigation strategies. I provide some mitigation strategies that will work for different kinds of threats, but very specifically for fraud type threats, [that is] going to be the most interesting since it’s a fraud summit.

KITTEN: Some of the information you share could be counterintuitive … could you explain a little bit more about what you mean?

THEIS: Well, for instance, you would expect that people would collude a lot more often inside an organization in order to conduct fraud. But, the reality turns out to be that people like money, and they don’t usually like sharing it, so they might collude with people outside the organization in order to enable their capabilities. They oftentimes do not like to share the wealth, so to speak, with other people that they work with.

Waging Internal Attacks

KITTEN: Could you give us some perspective about how many of these internal attacks are most often waged?

THEIS: So having exact numbers is very difficult, many organizations don’t want to actually talk about their rates of incidents. We can do some of that collection through market surveys. We have a corpus of about 1,000 cases that we analyze. About 25 to 30 percent of those are fraud cases, but again, that’s just because those are the cases we got access to, and are allowed to analyze. We wouldn’t want to say that 30 percent of all threat is fraud, it’s just 30 percent of our corpus.

Recommendations for Banking Institutions

KITTEN: Could you talk about the recommendations you might share with banking institutions and other organizations that attend these events to help them understand, and mitigate, these threats?

THEIS: We have a lot of open, free resources available - because at our heart, we are a research facility that likes to transition these types of things back to the public. I’ll be showing where people can download certain things, like our best practices for mitigating insider threats, or a couple of foundational studies on unintentional insider threat that we’ve done in the last couple of years.

Some of the strategies may sound simple, but they just don’t always work out properly - for instance, separation of roles. A lot of organizations do a pretty good job of saying that a person in this job can maybe be a submitter but not an approver, and a person in a different role can be an approver but not a submitter. But what happens when that person started as a submitter and over time gets promoted through the system. Now they’re at the point where they’re an approver; did the organization remember to take away the original permissions? Oftentimes you find that it doesn’t happen. They actually overlook, and forget to take away, permissions when they’re giving new ones.

Michael Theis, Chief Counterintelligence Expert, CERT Insider Threat Center

Theis has more than 25 years of experience in counterintelligence, including his experience as a supervisory special agent supporting the U.S. intelligence community. Coupled with his more than 30 years of concurrent computer systems engineering experience, he has helped the CERT Insider Threat Center further its research and development of socio-technical controls in computational endoparacology, better known as insider threats. Previously, he was the first cyber counterintelligence program manager for the National Reconnaissance Office.
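An added illustration (not from CERT or the interview) of the separation-of-roles drift Theis describes: a constructed grant/revoke log is replayed to find users who ended up holding both submitter and approver on the same workflow, and each finding names the older grant, which is the permission that should have been taken away at promotion time. Users, workflows, dates and the conflicting-pair policy are all constructed.

```python
from collections import defaultdict

# Role pairs that must never be held together on the same workflow (constructed policy)
CONFLICTING = [frozenset({"submitter", "approver"})]

# Constructed provisioning log: (date, action, user, workflow, role). Not real data.
LOG = [
    ("2014-01-05", "grant",  "jlee", "wire_transfer",   "submitter"),
    ("2014-01-05", "grant",  "mkim", "wire_transfer",   "approver"),
    ("2014-06-30", "grant",  "jlee", "wire_transfer",   "approver"),   # promoted; old role kept
    ("2014-07-02", "grant",  "pray", "wire_transfer",   "submitter"),
    ("2014-07-02", "revoke", "mkim", "wire_transfer",   "approver"),
    ("2014-07-02", "grant",  "mkim", "vendor_payments", "approver"),
    ("2014-08-01", "grant",  "mkim", "vendor_payments", "submitter"),
    ("2014-08-01", "revoke", "mkim", "vendor_payments", "approver"),   # old role removed
]


def effective_roles(log):
    """Replay grants and revokes in date order.
    Returns {(user, workflow): {role: date_first_granted}} for roles still held."""
    held = defaultdict(dict)
    for date, action, user, workflow, role in sorted(log):
        roles = held[(user, workflow)]
        if action == "grant":
            roles.setdefault(role, date)   # a re-grant keeps the original grant date
        elif action == "revoke":
            roles.pop(role, None)          # revoking a role that is not held is a no-op
        else:
            raise ValueError(f"unknown action {action!r}")
    return {key: roles for key, roles in held.items() if roles}


def sod_violations(log):
    """Users holding a conflicting pair on one workflow. Each finding names the
    earlier-granted role: the permission that should have been revoked when the
    newer one was given.
    Returns [(user, workflow, held_pair, stale_role, stale_grant_date)]."""
    findings = []
    for (user, workflow), roles in sorted(effective_roles(log).items()):
        for pair in CONFLICTING:
            if pair <= set(roles):
                stale = min(pair, key=lambda r: roles[r])
                findings.append((user, workflow, sorted(pair), stale, roles[stale]))
    return findings


if __name__ == "__main__":
    for user, workflow, pair, stale, since in sod_violations(LOG):
        print(f"{user} holds {pair} on {workflow}; revoke {stale} (granted {since})")
```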

Are You Prepared for a Breach?

Breach Response Tips from Michael Buratowski of General Dynamics Fidelis Cybersecurity Solutions

In this post-Target era of “It’s not a matter of if, but when,” how prepared is your organization for a data breach? Michael Buratowski of General Dynamics Fidelis Cybersecurity Solutions offers tips for breach planning and response.

The good news is: Many organizations do have breach response plans in place today, Buratowski says. But have they tested these plans appropriately? That is a different matter entirely.

“It’s one thing to have a plan written down,” he says. “But where the real value comes in is having actually practiced and gone through those plans as a tabletop exercise ... so that everyone starts committing those plans to muscle memory.”

In an interview about breach preparedness, Buratowski discusses:

• Today’s average level of breach preparedness;

• Proactive breach planning steps;

• When and how to involve key third parties.

Breach Preparedness

TOM FIELD: What’s the general level of breach preparedness that you see in organizations you come in contact with?

MICHAEL BURATOWSKI: I’d tell you there is a wide variety, but it’s absolutely getting better. A lot of companies now have plans in place, and they’re using technologies much more efficiently. But what we find is that sometimes their plans aren’t as thorough as they should be, or there’s stuff that they just didn’t consider when they were putting the plan together.

Falling Down on the Job

FIELD: Where would you say organizations typically fall down when it comes to breach preparedness?

BURATOWSKI: It’s one thing to be able to have a plan written down. So you’ve got a book you can go refer to, but the real value comes in having actually practiced and run through those plans at a tabletop exercise, so that everybody starts committing those plans to muscle memory. Just like a professional team, they go out there and practice things over and over again. Their particular responsibilities become muscle memory. Well, you want to have that happen with your incident response plan as well.

The next thing is, a lot of companies underestimate the overall cost of having to respond to a breach, and the remediation of that breach. Where companies mostly fall down is identifying the breach early. Anything you can do to discover the breach early and react to it [means] you’ve put in cost savings right off the bat, because there’s less clean-up. There is less damage to a company’s clientele, and potentially less damage to their reputation that they need to repair as well.

Proactive Steps

FIELD: What are some key proactive steps that organizations should incorporate in their plans?

BURATOWSKI: Having an independent party provide an assessment of their security posture, whether that be their infrastructure or policies, is really important. Oftentimes we can become tunnel vision in our own work. Just like when you’re editing a document, you become so tunnel vision that you may miss some of the mistakes that are in there. Having an independent party come in and take a look and provide feedback on ways to improve is a huge value.

Also, it’s really important to test against social engineering attacks. At the end of the day, the weakest link in the chain is us. We have the ability, or sometimes inability, to recognize that we’re under attack. It’s not through any fault of our own necessarily. Some of these attacks are unbelievably well-crafted, and it’s hard to tell that it’s not from a trusted source. Being able to test that and make sure people’s awareness is high is important. Then, have the appropriate policies and procedures in place; but more importantly, follow them. You can have all the policy in the world, but if people aren’t following them then your security posture is not there. It’s at a much lower state.

Involving External Parties

FIELD: How much do they involve key external parties in the event of a breach?

BURATOWSKI: Well in today’s world, I find more and more that companies have cyber insurance, which is great. It’s really important to have a provider who works with you. [It’s important to know] who they are and who to call if something happens, and also what your policy is going to cover. Underestimating the overall cost of a breach happens all the time; making sure you have that stuff worked out ahead of time with your cyber insurance policy is important.

Having outside counsel who deal with cyber breaches and data privacy on a regular basis is so important. They bring an additional level of competency and knowledge because they do it all the time. They have the ability to make it so that the attorney-client privilege is maintained, and are able to navigate those challenges if a breach were ever to be brought to trial as far as a civil litigation.

Another aspect is having a public relations firm. We’ve seen how so important it is to have a PR company that can help you message to the clientele. People have become much more understanding that breaches happen; at the end of the day breaches are going to continue to happen. But where they’re really not forgiving is if they get the feeling that a company is being evasive or not forthcoming.

Finally, having an IR firm under retainer [is important]. Time is of the essence when you figure out that you’ve been breached. And oftentimes companies don’t have the internal capability to appropriately respond to an attack or an incident response. But more importantly, having an IR firm that does it every day is going to reduce cost and make it so you can recover quicker.

Determining the Scope of Attack

FIELD: What are some of the measures that organizations must take if they’re going to determine the true scope of the attack and not be misled by what they initially see?

BURATOWSKI: There’s a couple different philosophies with incident response. There’s the whack-a-mole game, where you try and find the particular hosting chains that were breached, and wind up moving and paving them just so you can get back into business. However, you really wind up missing so much information about how the bad guy got in. The way we approach breaches are, we ensure that we have full network visibility and monitoring, both on the network and host level. What we found is, by having that security operations center, you’re able to see what the bad guy is doing, what’s going on, and be able to adjust your expulsion event and remediation accordingly.

So you have a surgeon who’s responsible for actually conducting the surgery, and they do a great job at that. But at the head of the table you’ve got the anesthesiologist who’s maintaining all the vitals that are supporting the patient. That’s kind of what the security operations center does.

They maintain and see what’s going on [inside] the network and everything else while the investigation is going on. At the end of the day, you wind up getting exceptional intelligence, and [learn] where you need to improve your security.

Testing Your Plan

FIELD: In terms of testing the breach preparation plan, what are some of the key dos and don’ts?

BURATOWSKI: Testing the plan has to happen on a regular basis. If you’re not doing it at least a couple of times a year, you really can’t get things committed to muscle memory. Make sure everybody who’s involved in your incident response plan is actually there and participates in it. Having a couple of people missing, you miss out on figuring out how everybody’s going to communicate and react during a situation.

Making sure that you try to make the scenario as realistic as possible and take it through to the end. It’s a relatively low investment to take the time and talk through a scenario and figure out what’s going to happen. If you don’t do that, you don’t make that investment up front. You wind up extending how long an incident response is going to take, and you make it more stressful than it really needs to be. You’re trying to make things go quickly, efficiently, and recover as quickly as possible.

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways—researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact

(800) 944-0401

[email protected]

902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com