SCOTTSDALE, Ariz. (August 5, 2024) — Lumifi Cyber, Inc. (Lumifi), a next-generation leader in the cybersecurity space, announces the availability of their Managed Detection and Response (MDR) services in the Microsoft Azure Marketplace. Lumifi customers can now use the trusted and productive Azure cloud platform, with security tools Microsoft Azure Sentinel and Microsoft Defender for Endpoint.
Lumifi’s MDR services on Azure Marketplace empower organizations to significantly enhance their cybersecurity posture. By integrating continuous automated threat hunting with orchestration and response, Lumifi provides proactive managed cybersecurity services that ensure comprehensive protection for businesses nationwide against ransomware and emerging security threats.
“With our MDR services now available on Microsoft Azure, we can give our customers the choice to enhance their security posture on the cloud platform that best suits their needs,” said Grant Leonard, Field CISO at Lumifi. “This reinforces our commitment to providing businesses with the tools they need to protect themselves and their customers in an ever-evolving cyber threat environment.”
Microsoft provides the only security platform with fully integrated, native-level support between XDR and SIEM. Microsoft Sentinel offers scalable, cloud-native SIEM performance with advanced Security Orchestration, Automation, and Response (SOAR) capabilities in one place, while Microsoft Defender for Endpoint enables automation through highly customizable detection and response workflows.
“Our MDR services added to the Azure Marketplace is a significant milestone for Lumifi,” said Michael Malone, CEO and Founder at Lumifi. “Not only are we able to expand our reach, but we can deliver our cutting-edge cybersecurity solutions in a more accessible, scalable, and easy way.”
To learn more about Lumifi’s MDR services with Microsoft Defender for Endpoint and Microsoft Sentinel and its capabilities on Azure Marketplace, please visit: https://www.lumificyber.com/partners/technology-partners/microsoft/
ABOUT LUMIFI CYBER INC:
Lumifi Cyber Inc. (Lumifi) is the only next-generation managed detection and response (MDR) services provider that provides Fortune 500-grade security for companies of all sizes at an affordable monthly price. Lumifi’s cutting-edge platform combines continuous automated threat hunting with orchestration and response, pairing this with a proactive managed cybersecurity service to deliver continuous end-to-end protection for businesses nationwide against ransomware and the latest security threats. Lumifi’s state-of-the-art Security Operations Center is staffed by our team of US-based analysts, ex-military and former DoD security experts with dozens of security certifications to monitor and manage customer environments continuously. For more information, visit www.lumificyber.com.
A healthcare company with multiple service locations experienced a severe ransomware attack that completely shut down their systems. Lumifi, alongside other partners, BOK and Solytics Partners, provided critical project and remediation services. This case study explores how Lumifi's intervention not only resolved the immediate crisis but also transformed the healthcare company's IT infrastructure, significantly enhancing their security posture.
Company Size: 500 Employees
Industry: Healthcare
Locations: 11 service locations, 2 corporate locations
A large healthcare company fell victim to a ransomware attack on all their systems. Leadership was alerted in the middle of the night when the attack took place. Employees could not access their files, there were ransom notes on computers, the entire environment was down and the company was forced to operate without immediate access to patient information and other valuable resources accessible through infected devices.
The healthcare company had an IT department but lacked a Security Operations Center (SOC) for monitoring. This lack of protection left them vulnerable to a ransomware attack, which occurred unexpectedly in the middle of the night. The entire system was down, and no one could access files, bringing the business to a standstill.
Specific Challenges:
Challenge Impact:
Initial Response:
Steps Taken:
Long-term Solutions:
Recovery and Improvement:
Quantifiable Outcomes:
Client Sentiment:
Proofpoint is a cybersecurity platform that protects workers and data from cybercriminals that target email, social media, and mobile devices. It provides enterprise-level cloud-based solutions against phishing, social engineering, and Business Email Compromise (BEC) attacks.
Proofpoint Email Protection is the flagship product, protecting user inboxes from phishing scams, imposter emails, and advanced cybersecurity threats by analyzing incoming messages using highly refined AI-enabled filters.
94% of public data breaches begin through email. Without a strong email security solution in place, organizations are highly vulnerable to sophisticated threat actors who can impersonate co-workers and trusted third-party contacts.
Proofpoint helps reduce the risks associated with email phishing, credential-based attacks, email account compromise, and malware. Since email is one of the most popular vectors for gaining initial access to target networks, excellent email security can make a significant difference in an organization’s overall security posture.
Proofpoint’s email security and protection platform actively blocks malware, spyware, and trojan horse attacks. It helps organizations reduce the risk of email fraud and provides security leaders with visibility into email-related compliance and policy risks.
Proofpoint uses multi-layered threat detection to stop email threats from arriving in the inbox altogether. This reduces the need to train employees how to distinguish between phishing emails and legitimate messages.
Here are some of the technologies and features included in each layer of security Proofpoint includes in its email defense solutions:
Proofpoint’s email security solutions are designed to offer an optimal balance between security and usability. Its products are cloud-native and compatible with a wide combination of technologies, enabling organizations to maintain granular control over risks associated with advanced email threats.
Since many of Proofpoint’s email security technologies prevent spam, unwanted emails, and malicious attachments from arriving in the inbox altogether, end-users experience minimal friction when using the solution—if they notice it at all.
Proofpoint provides security leaders and IT administrators with multiple tools and reports for improving operational and cloud security throughout the organization. Here are a few examples:
1. Dynamic risk scoring
Proofpoint scores threats on a scale from one to 1,000 based on the following factors: threat actor sophistication, spread and focus of attack targeting, type of attack, and overall attack volume. These dynamic risk scores accompany incoming messages as they enter the network.
The score helps companies to understand the risk for both the individual user and the overall risk for the company. Security leaders can filter and search for messages using these scores to understand which threats need to be prioritized first.
2. Custom rules and configurable controls
Email classification using Proofpoint can be done in many languages. Emails are sorted into specific quarantine categories based on the potential threat: spam, phishing, imposter email, malware, bulk email, and adult content.
The analysis function will identify graymail and mark those emails at a lower priority to limit inbox clutter. Users can “promote” emails to a higher priority or move emails to a lower priority.
Companies can customize the rules of what is considered “acceptable use” while using Proofpoint to better align with their specific needs.
3. Deep visibility and message tracing
Proofpoint's advanced message tracing feature includes a high-performance search engine that allows users to pinpoint hard-to-find log data.
Security leaders have access to sixty different real-time reports detailing mail flow and security trends. This allows organizations to be proactive when addressing any potential issues and trends as they are identified.
Users have the ability to create “safe” and block lists of email senders as well. This allows security leaders to proactively reduce the organization’s attack surface while keeping trusted contacts accessible.
4. Opportunities to reduce your attack surface
Proofpoint delivers intelligence about your organization’s high-impact targets — which it calls Very Attacked People (VAPs). The platform will inform security teams where sensitive information is potentially being exposed across email and the cloud. Companies will have the ability to lock down access to specific files in the cloud, prevent data loss and archive communications.
Proofpoint offers security awareness training that helps users prepare for what a potential threat might look like. The training alerts users to the most recent phishing attacks and lures through their “Attack Spotlight Series”. Training materials are interactive and game-based, keeping users engaged while providing valuable insight into modern email threats.
Keep hackers and cybercriminals out of your organization’s inbox and prevent them from spoofing your email domain name to launch attacks on others. Proofpoint is a vital part of your overall security tech stack, but it is not the only tool that matters.
Lumifi can help you detect and respond to threats in real-time, providing 24/7 monitoring and response that integrates email security, endpoint security, and comprehensive security log management into a single, unified service. Find out how Lumifi ShieldVision™ provides unlimited visibility and deep context into security events on your network in near real-time.
In theory, cybersecurity is simple. Most managed cybersecurity service providers would agree they know what best practices should be implemented, and they know what technologies, skillsets and processes are required to achieve them. We all have a favorite cybersecurity framework to help compartmentalize and systematize a robust and comprehensive cybersecurity operation too.
But here’s the problem – cybersecurity doesn’t happen in a vacuum. One business’s SecOps has to factor in all of the unique business needs, industry requirements, and IT systems in place… oh, and the familiar restrictions of budget and staff.
Mo Customers. Mo Problems.
For Managed Service Providers, the challenge is multiplied by the number of unique business clients. There is no one-size-fits-all SecOps model, so you’re faced with two big questions:
Here are some recommendations to answer these two questions.
Delivering Right-Sized Cybersecurity Starts with a Proper Assessment
MSPs face the challenge of managing multiple clients with different cybersecurity postures, demands and risk tolerances. So, you need to be willing and able to address their particular needs. A cybersecurity gap assessment untangles cybersecurity issues and presents them in an organized manner, allowing you to compartmentalize and analyze them more clearly and confidently.
However, most cybersecurity assessments are one-size-fits-all and assume that you want to immediately reach the best or optimal state in every category. Again, cybersecurity doesn’t work in a vacuum. This can be frustrating for many organizations, because the assessment just tells them where they fall short of every “ideal” best practice. That's where our Cybersecurity Maturity Model and Gap Analysis comes in.
Netsurion’s Cybersecurity Gap Analysis and Maturity Roadmap allows you to measure your current state against a desired state, not just a universally determined “best state”.
Where to Start
Our Cybersecurity Gap Analysis and Maturity Roadmap allows organizations and their service providers to assess their current state and define their desired state, providing them with a roadmap to their desired end state, not a universally determined “best state”. Every business is unique, and not everyone needs or wants the Ferrari F8 Tributo of cybersecurity. The point is to assess where your business is today and where your business should be tomorrow.
The Benefits
Check out our free Cybersecurity Gap Analysis and Maturity Roadmap for a clear, organized, and customizable way to assess your goals and needs. You can run it for yourself. You can run it for your clients. Every time, you'll get a customized Maturity Model current score and end score, both overall and broken down by predict, prevent, detect, and respond capabilities. In addition, a customized PDF report is generated that lists the priorities to focus on in building your roadmap to your desired state. It also allows you to:
Netsurion’s Maturity Model allows you to define your current and desired state, and offers recommendations to fill the gap.
Netsurion’s Gap Analysis organizes your current capabilities and desired capabilities across the cyberthreat timeline so you can focus on predict, prevent, detect, or respond shortcomings.
Delivering Right-Sized Cybersecurity Efficiently and Cost-Effectively
Now, you might be thinking “Great, delivering tailored cybersecurity to every client means infinite complexities for my business operations and more technology investments”. Discovering and articulating the unique challenges and goals of your client is nice, but how do you realistically deliver it?
We think the answer centers around the concept of Managed Open XDR partnership.
In addition, Managed Open XDR providers are increasingly offering capabilities in the Predict and Prevent categories such as vulnerability management and managed endpoint security.
The result is not more technology and more complexity. The result is a technology and service partnership that flexes to deliver right-sized SecOps to the full spectrum of your client base.
Cloud computing offers many advantages for modern businesses, such as flexibility, scalability, efficiency, and innovation. But it also poses its own challenges and security risks. How can you secure your data and assets in the cloud? Who is in charge of what in the cloud environment?
The shared responsibility model helps address these questions and more. The shared responsibility model is a framework that defines the security and compliance roles and responsibilities of cloud service providers (CSPs) and customers for different components of the cloud environment. CSPs are responsible for securing the cloud infrastructure and services, such as servers, networks, storage, and databases. Customers are responsible for securing their data and applications in the cloud, as well as their operating systems, software, and network configurations, depending on the type of cloud service they use. The shared responsibility model aims to prevent cloud security gaps and ensure accountability resulting in a stronger security posture for all parties.
However, the shared responsibility model is not foolproof. There are many pitfalls that can compromise this model and expose customers to security threats. Here are five of these pitfalls and how to avoid them.
Pitfall 1: Misunderstanding Cloud Security
One of the common difficulties regarding the shared responsibility model is misunderstanding cloud security. Some customers have extreme views on cloud security, either too optimistic or too pessimistic. For example, some customers may think that the cloud is so secure that they have nothing left to do. They may assume that the CSP has done it all and that they can relax and enjoy the benefits of the cloud without worrying about security. This is not true, as there are many aspects that remain in the customer’s domain, such as data protection, access management, configuration settings. Relying on the CSP alone can lead to security gaps or missed opportunities.
On the other hand, some customers may think that the cloud is so insecure that they can’t use it. They may fear that it exposes them to more threats and vulnerabilities than their own data centers. They may also distrust the CSP’s ability or willingness to protect their data and assets. This is also not true, as there are many advantages of cloud security that customers can leverage, such as scalability, automation, resilience, intelligence, etc. The CSPs have a strong incentive to maintain a high level of security for their customers, as their reputation and revenue depend on it.
So, the truth is somewhere in between these two extremes. Cloud security is neither a magic formula nor a nightmare. It is a shared responsibility that requires both parties to work together and understand their roles and obligations.
Cloud Security Myths vs. Facts

| Myth | Fact |
|---|---|
| The CSP is liable for any security breach or data loss in the cloud. | The CSP is only liable for breaches or losses that result from their own negligence or misconduct. The customer is still responsible for complying with laws and regulations, securing their own data and applications, and reporting any incidents or issues. |
| The customer has no control or visibility over their data and assets in the cloud. | The customer has full ownership and control over their data and assets in the cloud. They can choose where to store their data, how to encrypt it, who can access it, how to monitor it, etc. They can also use tools and services provided by the CSP or third parties to enhance the visibility and auditability of their cloud environment. |
| The customer can use the same security tools and practices in the cloud as they do on-premises. | The customer may need to adapt or adopt new security tools and practices in the cloud to match the different characteristics and challenges of cloud computing. For example, they may need to use more automation and orchestration tools to manage their security configurations across multiple cloud services and regions. They may also need to use more identity-based and data-centric security approaches to protect their data and assets in a dynamic and distributed cloud environment. |
Pitfall 2: Over-delegation of Responsibility
Another hazard in the shared responsibility model is over-delegation of responsibility. Some customers may not fully understand what really remains on their plate when they move systems to the cloud. They may make the assumption that the CSP is responsible for everything and do not pay attention to their own obligations. This can be risky and result in compliance issues or breaches.
For example, some customers may think that they do not need to worry about patching or updating their software or applications in the cloud because they assume that the CSP will do it for them. However, this depends on which cloud service model they use. If they use Infrastructure as a Service (IaaS), they are still responsible for patching and updating the guest operating systems and applications running on top of the CSP’s infrastructure. If they use Platform as a Service (PaaS), they are still responsible for patching and updating the application code running on top of the CSP’s platform. If they use Software as a Service (SaaS), they may not need to patch or update anything, but they still need to configure their settings and preferences according to their security requirements.
Therefore, it is important to read carefully what the provider has said in their documentation about their responsibilities and limitations. They may say it in detail, but it can be exhausting and sometimes not very clear. Some of the key documents to look for are:
By reviewing these documents carefully, customers can avoid potential misunderstandings and unrealistic expectations about what the provider can or cannot do for them.
Pitfall 3: Capability vs. Responsibility Gap
A third risk in the shared responsibility model is the capability vs. responsibility gap. Some customers may not have the skills, resources, or tools to fulfill their responsibilities in the cloud. They may lack the expertise, staff, or budget to implement effective security measures for their data within the new cloud environment.
This can be problematic since they could miss critical vulnerabilities or threats while failing to comply with applicable regulatory requirements or industry standards present in their cloud environment.
One way to address this gap is to invest in training, hiring, or retaining skilled staff who can handle their cloud security responsibilities effectively.
Another way to address this gap is to use specialized tools or services provided by independent software vendors (ISVs) or other CSPs to enhance their security capabilities in the cloud. However, this can further complicate who is responsible for what and forces teams to manage and monitor yet another CSP.
One of the most popular, and secure, methods is to leverage third-party vendors or partners to help with cloud security needs. For example, using managed service providers (MSPs) or managed security service providers (MSSPs) to outsource some or all security tasks in the cloud offloads the management of cloud-based platforms and IT infrastructure to a single vendor, simplifying security and management at once.
Pitfall 4: Default Settings and Configurations
A common mistake in the shared responsibility model is using default settings and configurations for cloud services or applications without changing or reviewing them. This can create security vulnerabilities and expose user systems to attacks.
Default settings and configurations can be problematic for several reasons. They can enable unwanted features that consume resources or disable important services that provide security. They can also leave some options open or unclear, resulting in confusion or inconsistency.
For example, some customers may not enable multi-factor authentication (MFA) for their accounts or resources in the cloud, because they think that it is too cumbersome or unnecessary, making them more susceptible to credential theft or compromise. Many users may not consider changing default encryption keys or algorithms for their data in transit or at rest in the cloud. However, this can make them more vulnerable to data breaches or leaks, because these defaults may not meet their specific security requirements or standards. They may also be shared with other customers or known to attackers. Customers should use their own encryption keys or algorithms that are unique, strong, and compliant with their policies.
It is important to customize the default settings and configurations of your cloud services or applications according to your risk acceptance level, security requirements, and best practices. You should also monitor and update them regularly to keep up with changes in your environment and use the tools and services offered by your CSP or third parties to help you manage and automate them effectively.
Pitfall 5: Lack of Visibility and Accountability
A fifth breakpoint in the shared responsibility model is lack of visibility and accountability. Some customers may lack insight into their cloud environment or enough oversight of their CSP’s actions. They may not know what is happening in their cloud environment, what their CSP is doing for them, or have enough documented evidence to prove their compliance and performance.
For example, cloud users may not have a clear inventory of their cloud-based assets such as servers, databases, and applications. They may not know what they have, where they are, who owns them, who uses them, how they are configured, how they are protected, or how they are performing. This makes them more prone to errors, waste, and security weaknesses.
Another example: some customers may not have a clear audit trail of their activities in the cloud, such as who did what, when, where, why, and how. They may not have logs, reports, or alerts to monitor and measure their actions and outcomes, which leaves them more vulnerable to incidents and may also cause them to fail to comply with some regulations and standards.
Therefore, it is important to have a high level of visibility and accountability for your cloud environment and your CSP’s actions. You should also have:
The shared responsibility model is a key concept for understanding cloud security and defining who is responsible for what in a cloud environment. It helps both CSPs and customers to prevent gaps in security and ensures accountability across the cloud and customer environments. By avoiding these pitfalls, you can improve your cloud security posture and performance, while still enjoying the benefits from cloud computing.
Cybersecurity is one of the most in-demand and rewarding fields in the IT industry. As cyberthreats continue to evolve and pose challenges to individuals and businesses, cybersecurity professionals need to have a diverse set of skills to protect data, networks, and systems.
We understand that each organization and security operations team will vary somewhat, and that some of these skills may be of more or less importance depending on the roles within each organization. That is to say, there’s not a one-size-fits-all set of skills.
However, given the trends of the increasing complexity and sophistication of cyberthreats, the ongoing shortage of cybersecurity talent, and the expanding scope of cybersecurity domains, these diverse skills are more valuable than ever.
Here are 8 skills that are essential for modern cybersecurity professionals:
Additional Skills that are helpful for cybersecurity:
These are some of the top skills for modern cybersecurity professionals that can help you succeed in this dynamic field. By developing these skills, you can not only protect your organization’s data but also advance your career prospects.
For many of you reading this, it’s Q4 and you might be looking at your YTD sales and scratching your head about the low customer adoption of your cybersecurity services. Cybersecurity is a hot commodity, right? Every business needs it, right? So why aren’t your sales numbers rocketing right off your spreadsheet?
In talking to MSPs on a regular basis about go-to-market strategies, marketing, and sales enablement, I noticed something all too common that is stifling sales and, as a result, perpetuating the risk exposure of SMBs.
You may have built a world-class cybersecurity solution – hired the right staff, chosen the right tech, picked the right partners – but the way you present it to your customers is everything.
The problem I see is MSPs have organized their offering into the typical Good-Better-Best packaging model we’re all super familiar with in the SaaS market. There are two big problems with that.
Cybersecurity is not something any business is excited to spend more money on. When was the last time you bought the BEST life insurance policy? What about the BEST car insurance you could find? You need them, but are you looking for the BEST, or the best-fit for your risk tolerance level? Unless you’re a wealthy hypochondriac or a terrible driver with a Ferrari, I’m going to guess you weren’t drawn to the BEST plans. And come to think of it, are insurance plans ever packaged in a Good-Better-Best way? No. And for good reason. So, step 1 – take a page from their playbook.
The Good-Better-Best model works for a single-purpose SaaS product. But cybersecurity is much more complex – it’s a combination of multiple products, various levels of service, and a sliding scale of asset coverage. When you borrow this tiered packaging model from the SaaS market, you’re forcing your buyer into making a very difficult choice with very few options. Not only does your buyer not like buying cybersecurity, but they also don’t fully understand the ramifications of their choices. So, they’re going to do what humans do… hedge their bets. When you had to purchase something that frankly was over your head, what did you choose? The most expensive premium option? The dirt-cheap option? Nope. You probably hedged your bets and went with the middle or, if you’re a cheapskate like me, the one slightly-below-middle-but-not-the-cheapest.
Remember that for most SMBs, telling them all of the cybersecurity services they need is like you being told you need an Automatic Pulsation Vacuum Double Cow Milker with Food-grade Silicone Cups and Tube and Stainless Steel Bucket (apparently it’s a thing!), but you have to choose whether you want to pay a little or a lot for it.
So, in addition to looking at the insurance industry for a hint that borrowing the SaaS Good-Better-Best model might not be appropriate, you don’t have to look far to consider a better approach to cybersecurity packaging. Consider home security services. Instead of asking consumers plainly whether they want good, better, or best security, the packaging options are centered on “scope” (what do you want to protect) and “service” (how much work do you want to avoid).
The answer to smarter cybersecurity packaging is thankfully right under our noses. I’m sure you’ve heard of the NIST Cybersecurity Framework (CSF). If not, this framework is quickly becoming the standard for both explaining and architecting cybersecurity capabilities, and more frequently being used by cyber insurance providers to evaluate policyholders and determine premiums.
Simplify cybersecurity conversations using the NIST Cybersecurity Framework
Align your cybersecurity products and services to these five NIST CSF functions and now your customer can better understand the scope of cybersecurity and what they are choosing. Allow them to configure the protection that fits their risk tolerance.
Don’t make it a “this or that” choice. That is too limiting when it comes to cybersecurity complexity and the variations amongst business IT estates. Instead, you could offer choices within each NIST CSF function. Within these single-purpose NIST CSF functions, it is totally practical to build out tiered choices based on size/scope of coverage or sophistication of solution.
Give your customer the ability to customize their cybersecurity to fit their needs.
As a buyer, I can now begin to wrap my head around the cybersecurity functions I need from you and can choose the good-better-best levels within these areas based on risk tolerance and what’s a “best-fit” for my organization. It’s no longer an all-or-nothing situation where perhaps you’ve currently lumped all your truly recommended capabilities into the “BEST” option which the buyer perceives as overkill.
Now that you haven’t boxed your customer in to choosing “good” cybersecurity or possibly “better” cybersecurity, but rarely the “best” cybersecurity, look forward to seeing more of those advanced cybersecurity functions going to work for your revenue numbers and your customers’ cybersecurity posture.
I realize this is all well and good if your cybersecurity stack allows you to mix and match different solutions within these five NIST CSF functions. You’ll certainly need vendors and partners that allow you to flex scope and service across things like endpoint protection, security monitoring, threat hunting, SIEM coverage, and more on a per-client basis to make this practical and affordable.
Contact Lumifi for a more flexible way to scale your cybersecurity services across your full range of customers.
Whether you use the NIST Cybersecurity Framework above or another, the important part is to help your clients make the best choice for them and to feel confident in their choice. Using a gap analysis is a great method to consult your client and help them make informed decisions.
In terms of new critical vulnerabilities released, each year seems to be worse than the last. Unfortunately, it’s a trend that security analysts are unlikely to see decrease anytime soon. As businesses integrate new technology into their tech stack, they also introduce new avenues of attack. And these attackers are relentless.
Malicious actors are able to alter a script or modify a piece of malware more quickly than the time it typically takes to release security updates and implement patching. For that reason, organizations are constantly on their heels when it comes to cyber threat protection.
But all hope is not lost! While it’s easy to get overwhelmed by the sheer number of new threats, focusing on the rather limited number of attack vectors can make cybersecurity a lot less frightening.
Credential theft, or compromised credentials, refers to instances where unauthorized individuals obtain usernames and passwords, frequently due to phishing, social engineering, or data breaches. These stolen login credentials offer a direct route into an organization's digital assets and infrastructure.
Once they obtain access to credentials, malicious actors can use them in attacks in a variety of ways. One of the most popular techniques is "credential stuffing," in which attackers attempt to access several internet accounts utilizing stolen credentials, exploiting the unfortunate practice of using the same password across various platforms. Additionally, credential theft can act as a springboard for lateral movement within a network, enabling hackers to advance undetected from one system to another and escalate their attack.
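The stuffing pattern described above is easy to spot in authentication logs once you look per source rather than per account: one address trying many different usernames in a short window and failing most of the time. The following Python is an added example written for this page, not code from the original article or from Lumifi; the log format, the 10-minute window and the thresholds are assumptions, and the log lines are constructed.

```python
"""Credential-stuffing detector run over constructed authentication log lines.

Added example, not taken from the original article. The log format, the
10-minute window and the thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO-8601 UTC> ip=<source> user=<account> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+ip=(?P<ip>\S+)\s+"
    r"user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source tries eight different accounts and hits one,
# one user fumbles their own password, and one NAT gateway logs in five people.
SAMPLE_LOG = """\
2024-08-05T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-08-05T10:00:02Z ip=203.0.113.5 user=bob result=OK
2024-08-05T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2024-08-05T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2024-08-05T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2024-08-05T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2024-08-05T10:00:07Z ip=203.0.113.5 user=grace result=FAIL
2024-08-05T10:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2024-08-05T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2024-08-05T10:01:10Z ip=198.51.100.7 user=alice result=FAIL
2024-08-05T10:01:20Z ip=198.51.100.7 user=alice result=OK
2024-08-05T10:02:00Z ip=192.0.2.9 user=ivan result=OK
2024-08-05T10:02:01Z ip=192.0.2.9 user=judy result=OK
2024-08-05T10:02:02Z ip=192.0.2.9 user=mallory result=OK
2024-08-05T10:02:03Z ip=192.0.2.9 user=oscar result=OK
2024-08-05T10:02:04Z ip=192.0.2.9 user=peggy result=OK
this line is not in the expected format and is skipped
""".splitlines()


def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many *distinct* accounts inside `window` and
    fail most of the time. That combination is the signature of replaying a
    leaked credential list; a single user retrying a forgotten password, or a
    NAT gateway behind which many people succeed, does not trip the rule.

    Returns {ip: {"attempts", "distinct_users", "fail_ratio", "compromised"}},
    where "compromised" lists the accounts the source logged into successfully."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start:end+1] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            fails = sum(1 for e in chunk if not e["ok"])
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Keep the largest qualifying window seen for this source.
                if ip not in findings or len(chunk) > findings[ip]["attempts"]:
                    findings[ip] = {
                        "attempts": len(chunk),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted(e["user"] for e in chunk if e["ok"]),
                    }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {finding}")
```

The "compromised" list is the operationally important output: those are the accounts whose passwords were valid on your system, so a forced reset (and a look at their recent activity) is the first response, not just blocking the source address.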
While not as exciting as the other attack vectors below, compromised credentials are one of the most common and easiest ways for criminals to gain access and expand the scope of an attack. The 2023 Verizon Data Breach Investigations Report (DBIR) found that 83% of breaches involved external actors, and 49% of those breaches involved stolen credentials.
Limit the potential impact by implementing:
Social engineering can be summed up as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
Better stated, social engineering is a deceptive tactic cybercriminals use to exploit human psychology rather than technical flaws. The intention is to trick someone into disclosing private information, granting unauthorized access, or taking actions that jeopardize security.
“Social engineering” refers to a broad class of attacks, but it covers specific attack techniques, including phishing. Most people are familiar with phishing, which involves sending deceptive messages that appear to come from a trusted source, enticing recipients to click malicious links, download malware, or divulge confidential information.
More recently, attackers have favored targeted phishing, or spear-phishing, as a more effective route to access. Rather than playing on general human weakness, a spear-phishing campaign uses company-specific details. Think of an email from your CEO asking you to wire $100,000 to a vendor you know, with bank details that route the money to the attackers rather than to the vendor. Spear-phishing also remains one of the most common ways to deliver malware into a victim’s network and systems.
In fact, phishing has become such a popular method of attack that multiple government agencies recently joined forces to create a Phishing Guidance document, “STOPPING THE ATTACK CYCLE AT PHASE ONE”.
Social engineering attacks are particularly difficult to defend since they exploit human weaknesses and not a particular device or system. Humans want to be helpful and efficient. Phishing and other social engineering attacks prey on this by creating a sense of urgency and authority.
The good news is by being vigilant and implementing employee training and policies, you can decrease the risk of falling victim to social engineering attacks. The most effective defense against social engineering is simply awareness and education. Be sure to educate yourself and your employees on social engineering tactics and methods.
Here are some quick tips to reduce compromise from these types of attacks.
Before taking any action, you should always confirm the legitimacy of the sender. Inspect the sender's email address and domain to ensure it matches the official contact information of the organization. Be cautious of lookalike characters masquerading as the real deal.
Attackers who utilize social engineering frequently create a closed-loop communication mechanism. For instance, an email that demands you text a strange phone number or contains a dubious link to wire money. Break the cycle by contacting the person or business using a separate method of contact to confirm their legitimacy.
Be cautious about the information you disclose. Phishers often use seemingly innocuous details to craft convincing messages. Avoid oversharing personal or sensitive data, even if a message appears trustworthy.
Evaluate the credibility of the message. Are the claims, demands, or offers within the communication realistic and reasonable? A red flag should be raised if anything looks too good to be true.
Attackers that use social engineering and phishing frequently create a false sense of urgency to manipulate targeted victims. Successful phishing attacks are frequently the result of hasty decisions. Slow down and take the time to scrutinize emails, messages, and requests.
By following these steps you'll reduce the likelihood of a successful social engineering attack.
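The first tip, inspecting the sender's domain for lookalikes, is the one that can be automated at the mail gateway or in a script that triages user-reported phish. The following Python is an added example, not code from the article: it pulls the real address out of a display-name trick, decodes punycode (xn--) labels back to what the user sees, reduces the domain to a “skeleton” in which confusable characters and digit lookalikes collapse to their ASCII look-alikes, and compares the result against a trusted list. The trusted domains, the confusables table and the “last two labels are the registrable domain” rule are simplifying assumptions; production code would use the Unicode confusables data and the Public Suffix List.

```python
"""Sender-domain check for lookalike and impersonation domains.

Added example, not from the original article. The trusted-domain list, the
confusable-character table and the registrable-domain rule are assumptions.
"""
import unicodedata

TRUSTED = {"example.com", "contoso.com"}   # assumed list of known-good vendor domains

# Constructed subset of confusable characters (Cyrillic and digit lookalikes).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "3": "e", "5": "s",
}
PAIRS = {"rn": "m", "vv": "w"}   # letter pairs that render like one letter


def skeleton(name):
    """Collapse a domain so that visually similar names compare equal. Both
    sides of every comparison go through this, so it only has to be consistent."""
    s = unicodedata.normalize("NFKC", name).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pair, rep in PAIRS.items():
        s = s.replace(pair, rep)
    return s.replace("-", "")


def decode_idna(domain):
    """Turn 'xn--' (punycode) labels back into the Unicode the recipient sees."""
    out = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass   # malformed label: keep as-is, it will not match anything
        out.append(label)
    return ".".join(out)


def registrable(domain):
    # Assumption: the registrable domain is the last two labels (no PSL lookup).
    return ".".join(domain.split(".")[-2:])


def edit_distance(a, b):
    """Plain Levenshtein distance; catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_address(header_value):
    """Take the mailbox inside the *last* <...> if present, else the whole field,
    so 'ceo@example.com <attacker@evil.net>' is judged on evil.net."""
    value = header_value.strip()
    if value.endswith(">") and "<" in value:
        return value[value.rfind("<") + 1:-1].strip()
    return value


def classify_sender(header_value, trusted=TRUSTED):
    """Return ('trusted' | 'lookalike' | 'unknown' | 'invalid', domain)."""
    addr = extract_address(header_value)
    if "@" not in addr:
        return ("invalid", addr)
    domain = decode_idna(addr.rsplit("@", 1)[1].lower())
    reg = registrable(domain)
    if reg in trusted:
        return ("trusted", domain)
    reg_sk = skeleton(reg)
    labels = skeleton(domain).split(".")
    for t in trusted:
        t_sk = skeleton(t)
        brand = t_sk.split(".")[0]
        if (reg_sk == t_sk                          # homoglyph or digit swap
                or edit_distance(reg_sk, t_sk) <= 1  # one-character typo
                or brand in reg_sk                   # brand-com.net, brandlogin.org
                or brand in labels):                 # brand.com.attacker.net
            return ("lookalike", domain)
    return ("unknown", domain)


if __name__ == "__main__":
    cyrillic_c = "\u0441"   # looks like Latin 'c'
    for sample in [
        "Jane Doe <jane@example.com>",
        "jane@examp1e.com",
        "jane@exarnple.com",
        f"jane@{cyrillic_c}ontoso.com",
        "jane@xn--" + f"{cyrillic_c}ontoso".encode("punycode").decode("ascii") + ".com",
        "billing@contoso.com.attacker.net",
        "ceo@example.com <attacker@unrelated.org>",
    ]:
        print(f"{sample!r:60} -> {classify_sender(sample)}")
```

A “lookalike” verdict on a domain that is not on the trusted list is the signal to route the message to the out-of-band verification the next tip describes, rather than to rely on the reader spotting a swapped character.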
One of the vulnerabilities most often exploited by cybercriminals is unpatched software. Vendors routinely fix security flaws in the updates they release, so failing to apply those updates leaves your systems open to attack. Cybercriminals are constantly on the lookout for outdated software, because it provides an easy point of entry.
Alongside the known vulnerabilities there are zero-day threats: flaws not yet known to the vendor or to defenders. When attackers discover such a flaw first, they can exploit it to infiltrate systems, typically without detection, and there is no patch yet to apply.
The first step is to keep all software up to date. However, with over 50% of the vulnerabilities in the National Vulnerability Database scoring High or Critical on CVSS, even an IT team dedicated solely to patching could not keep up with that rate. Realistically, an average organization might patch about 10% of its high or critical vulnerabilities each month, so the real question is which 10%. If you don't have time to update all software manually on a regular basis, invest in a managed service that applies updates automatically.
Raw vulnerability scan results typically leave IT staff to decide the patching order on their own, without the context (exploitation in the wild, exposure, asset value) needed to make an informed decision. Vulnerability management prioritizes scan results and automates routine tasks, freeing the team to focus on what truly matters: proactively fixing the vulnerabilities that present real risk and strengthening overall security posture. This not only streamlines patching but also frees resources for strategic security planning, threat mitigation, and continuous monitoring to stay a step ahead of evolving threats. It's also important to run security software designed to detect threats and stop them before they gain a foothold.
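The prioritization step just described can be made concrete. The following Python is an added example, not code from the article or from any vendor product; the scan findings are constructed, the CVE identifiers are placeholders rather than real vulnerabilities, and the scoring weights are assumptions. It ranks findings by exploitation in the wild, internet exposure and asset value rather than by CVSS alone, then sizes a monthly plan using the article's working figure of 10% of the high/critical backlog.

```python
"""Risk-based patch prioritisation over constructed scan results.

Added example, not from the original article. The findings, the scoring
weights and the 'known exploited' flags are assumptions; the CVE identifiers
are placeholders, not real vulnerabilities.
"""
import math

# Constructed scan export. "kev" marks a flaw reported as exploited in the wild
# (CISA's Known Exploited Vulnerabilities catalog is the usual source);
# "crit" is the asset's business criticality on a 0-2 scale.
FINDINGS = [
    {"cve": "CVE-EXAMPLE-A", "cvss": 9.8,  "asset": "vpn-gw",  "exposed": True,  "kev": True,  "crit": 2},
    {"cve": "CVE-EXAMPLE-B", "cvss": 10.0, "asset": "lab-box", "exposed": False, "kev": False, "crit": 0},
    {"cve": "CVE-EXAMPLE-C", "cvss": 7.5,  "asset": "web-01",  "exposed": True,  "kev": True,  "crit": 1},
    {"cve": "CVE-EXAMPLE-D", "cvss": 8.1,  "asset": "db-01",   "exposed": False, "kev": False, "crit": 2},
    {"cve": "CVE-EXAMPLE-E", "cvss": 5.3,  "asset": "web-01",  "exposed": True,  "kev": True,  "crit": 1},
    {"cve": "CVE-EXAMPLE-F", "cvss": 9.1,  "asset": "file-01", "exposed": False, "kev": False, "crit": 1},
    {"cve": "CVE-EXAMPLE-G", "cvss": 4.0,  "asset": "kiosk",   "exposed": False, "kev": False, "crit": 0},
]

# Assumed weights: exploitation in the wild outweighs raw severity, internet
# exposure adds reachability, asset criticality adds business impact.
W_KEV, W_EXPOSED = 4.0, 2.0


def risk_score(f):
    return (f["cvss"] + (W_KEV if f["kev"] else 0.0)
            + (W_EXPOSED if f["exposed"] else 0.0) + f["crit"])


def prioritize(findings):
    """Findings in patching order: score, then CVSS, then id for a stable order."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f["cvss"], f["cve"]))


def is_high_or_critical(f):
    return f["cvss"] >= 7.0   # CVSS v3 'High' starts at 7.0


def monthly_plan(findings, capacity_fraction=0.10):
    """The head of the queue that fits this month's capacity, defined as a
    fraction of the high/critical backlog (10% by default, the article's figure)."""
    backlog = sum(1 for f in findings if is_high_or_critical(f))
    capacity = max(1, math.ceil(capacity_fraction * backlog))
    return [f["cve"] for f in prioritize(findings)[:capacity]]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):5.1f}  {f['cve']:15}  cvss={f['cvss']:<4}  {f['asset']}")
    print("this month:", monthly_plan(FINDINGS))
```

Note what the ordering does with the constructed data: the CVSS 10.0 flaw on an isolated lab box drops below a CVSS 5.3 flaw that is internet-facing and actively exploited. That inversion is the whole point of adding context to scan output.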
The use of cloud-based applications has become extremely popular over the years as businesses search for convenient methods to store and retrieve their data. However, this convenience can result in a significant security trade-off. Many cloud application providers boast an expansive user base but weak default settings. These misconfigurations and a potentially large number of victims make them an attractive target for attackers.
Under the shared-responsibility model in cloud service agreements, the customer is in charge of protecting the applications and data they choose to host on the cloud service, while the cloud provider is responsible for safeguarding the network, hardware, and infrastructure required to deliver the service.
Unfortunately, end users often fail to follow security best practices when configuring their cloud applications, leaving them open to attack. Typically, default configurations or misconfigurations of cloud-based applications are what leave an organization vulnerable. Attackers exploit these weaknesses to reach sensitive data, install malicious software, and even take control of the entire network. Default configurations are such a common problem that the joint NSA/CISA advisory on the Top Ten Cybersecurity Misconfigurations lists them as #1.
First and foremost, it's crucial to ensure that your cloud-based applications are correctly configured. Regularly review and update your security settings, check for any known vulnerabilities, and address them immediately. Review access controls frequently and ensure that only those who require access have it. Implementing multi-factor authentication (MFA) adds an additional layer of security, making it more challenging for hackers to gain access to your data. To further enhance your security, consider implementing a managed extended detection and response (XDR) solution to help detect and respond to potential threats in real time.
The weaponization of legitimate tools is not a new concept, but it has become increasingly common in recent years. Cybercriminals use these tools because they are often overlooked by security teams and can easily bypass traditional security measures. Additionally, these tools often have legitimate functionality that allows malicious actors to move laterally across a network and exfiltrate data without raising suspicion.
Nowhere was this more apparent than in CL0P’s use of Cobalt Strike. Cobalt Strike is a legitimate adversary-simulation tool used in penetration testing, but in criminal hands it becomes a powerful weapon for lateral movement and data theft. While not an initial-access method in itself, CL0P (and other ransomware groups) leveraged Cobalt Strike for lateral movement and as a remote access trojan, turning a compromised credential into a multi-faceted attack.
The first step is to ensure that all legitimate tools used in your organization are properly secured and monitored. This includes ensuring that they are updated regularly, access is limited to authorized personnel, and all activity is logged and monitored. It's also important to implement a zero-trust approach to your network security, meaning that no user or device is trusted until thoroughly verified.
What happens when a means of security turns malicious?
As multi-factor authentication is more widely recognized and adopted as a strong control, cybercriminals have developed intricate ways of bypassing or intercepting it. These methods exploit the flow of the authentication process itself. In token hijacking, the attacker targets the session or authentication token the MFA system issues after a successful login, intercepting it during the exchange and relaying it to themselves. Once the attacker holds the token, they can present it whenever they want to access the user's account, and, if the server does not invalidate sessions, even after the user has logged out.
MFA token hijacking is a relatively new technique that exploits the flow of authentication tokens used by MFA systems. It is dangerous precisely because MFA has long been considered the gold standard for securing user accounts: the attack shows that MFA protects the login, not the session that follows it, and it demonstrates the need for stronger session controls and for constant vigilance on the part of system administrators and users alike.
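To make the attack and its mitigation concrete, the following Python is an added example, not code from the article: two toy in-memory session stores, one that treats the token as a plain bearer credential and one that expires it, revokes it on logout and binds it to the client that completed MFA. The client “fingerprint” string, the TTL, the usernames and the timestamps are assumptions; in practice the binding would be a client-held key or the TLS channel rather than a string the client sends.

```python
"""Session-token hijacking: a replayable bearer session next to a hardened one.

Added example, not from the original article. Both stores are toy in-memory
implementations; the client fingerprint stands in for a real binding such as
a client-held key, and the TTL and identifiers are assumptions.
"""
import hashlib
import secrets


class BearerSessions:
    """Weak: the token alone is the credential. Anyone who captures it can use
    it from anywhere, and 'logout' only makes the browser forget its copy."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user, client_fp, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def validate(self, token, client_fp, now):
        return self._sessions.get(token)

    def logout(self, token):
        pass   # server keeps the session; the stolen copy keeps working


class BoundSessions:
    """Hardened: short lifetime, revoked on logout, and bound to the client
    that completed MFA, so a captured token is useless elsewhere."""

    def __init__(self, ttl_seconds=900):
        self._ttl = ttl_seconds
        self._sessions = {}   # sha256(token) -> record

    @staticmethod
    def _key(token):
        # Store a hash so a leaked session table cannot be replayed either.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, client_fp, now):
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user, "fp": client_fp, "expires": now + self._ttl,
        }
        return token

    def validate(self, token, client_fp, now):
        rec = self._sessions.get(self._key(token))
        if rec is None or now >= rec["expires"]:
            return None   # unknown, revoked or expired
        if not secrets.compare_digest(rec["fp"], client_fp):
            return None   # token presented from a different client
        return rec["user"]

    def logout(self, token):
        self._sessions.pop(self._key(token), None)


def demo():
    """Walk both stores through the hijack described above; return outcomes."""
    t0 = 1_700_000_000.0   # assumed epoch seconds
    results = {}
    for label, store in (("bearer", BearerSessions()), ("bound", BoundSessions())):
        # The user completes password + MFA and the server issues a session token.
        token = store.issue("alice", "victim-browser", t0)
        stolen = token   # intercepted during the exchange and relayed to the attacker
        results[f"{label}_victim"] = store.validate(token, "victim-browser", t0 + 1) == "alice"
        results[f"{label}_replay_other_client"] = store.validate(stolen, "attacker-box", t0 + 2) == "alice"
        store.logout(token)
        results[f"{label}_replay_after_logout"] = store.validate(stolen, "victim-browser", t0 + 3) == "alice"
        # Fresh login; the attacker sits on the copy for an hour before using it.
        token = store.issue("alice", "victim-browser", t0)
        results[f"{label}_replay_after_ttl"] = store.validate(token, "victim-browser", t0 + 3600) == "alice"
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:30} {'accepted' if accepted else 'rejected'}")
```

The bearer store accepts every replay, including the one after logout, which is exactly the behaviour the paragraph above describes. The bound store rejects all three replays while still serving the legitimate client, and the three controls that achieve that (server-side revocation, a short lifetime, and binding the token to the client) are independent of which MFA factor was used.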
There are several actions you can take to reduce or mitigate the risk of MFA token hijacking. First, use complex passwords that are hard to guess, and never reuse a password across accounts. This may seem like a no-brainer, but weak or reused passwords remain a significant problem. Longer-term solutions would be:
Having security prevention basics like AV and endpoint protection is still important, but far from complete protection. In fact, these scary attack vectors typically evade most legacy endpoint security solutions. Since perfect prevention is not possible, it’s important that IT security teams adjust their mindset to assume that it’s a matter of when, and not if a breach will occur.
Rather than focus on a prevention-only defense, it’s vital to include threat detection and incident response solutions in your security strategy. Incorporating relevant security frameworks like NIST and a defense-in-depth approach helps detect threats quickly and respond to incidents faster, minimizing the damage an attack could have on your business.
By making security a top priority and being proactive in implementing these cybersecurity measures, businesses can better protect themselves against these and other emerging threats.
The IT security industry’s skill shortage is a well-worn topic. Survey after survey indicates that a lack of skilled personnel is a critical factor in weak security posture. If the skills are not available in your organization, you could: a) ignore the problem and hope for the best, or b) get help from outside. Approach “a” is simply a dereliction of duty, and approach “b” carries the negative connotations of the word “outsource”: images of lost control and misaligned priorities.
As a service provider, we agree, and prefer to describe our SIEMphonic services as co-sourcing. Is it a panacea? Not really. Nothing is ever a silver bullet. There are security functions that do well when co-sourced, and then there are those that really must be performed internally. How do you know which is which?
This opinion from a Gartner analyst defines defense as requiring deep knowledge of two things: what to defend and how to defend. The former requires detailed knowledge of your IT environment, business processes, assets, systems, applications, personnel, company culture, and mission. The latter requires detailed understanding of threat actors, attack methods, exploits, vulnerabilities, security architecture, and other security-domain knowledge.
Using the above general guideline as a touchstone, here are two areas that can be done outside:
Here are two tasks that should remain in-house:
If your organization is affected by skill shortage, then consider co-sourcing. Just be mindful of what does well vs. poorly with this model, and plan accordingly.
EventTracker’s co-sourced solutions can provide your organization with advanced tools, backed by world-class experts that monitor your network 24/7.
So you got hit by a data breach, an all too common occurrence in today’s security environment. Who gets hit? Odds are you will say the customer. After all it’s their Personally Identifiable Information (PII) that was lost. Maybe their credit card or social security number or patient records were compromised. But pause a moment and consider the hit on the company itself and how that affects the cybersecurity professionals. The hit includes attorney fees, lost business, reputational damage, and system remediation costs.
They deserve it, you say? They were negligent and must suffer the consequences. But spare a thought for the individuals on the “front line,” defending their organizations against the entire world of cyber criminals. They are victims, too. And it may not be a lack of diligence or due care on their part either. In the meantime they may experience the same disappointment and grief as a customer whose data is compromised. They are confused. They may feel a lack of focus and confidence in themselves. They may have sleepless nights and an increased level of anxiety. Not very different than a caregiver to a sick patient.
As in the patient/caregiver scenario, all the attention is focused on the patient. Consider this excerpt from American Nurse that says, “While nurses may not suffer the same way patients do, we experience pain, frustration, lack of resources, and many other forms of suffering when delivering care to patients and their families. In our highly regulated healthcare environment, administrators commonly view nursing as the highest cost center instead of a revenue generator. Typically, nursing is factored into room and board on the patient’s bill.”
This will sound eerily familiar to the IT staff on the front line of responding to a data breach.
How can you help?
In simpler times, security technology approaches were clearly defined and primarily based on prevention with things like firewalls, anti-virus, web, and email gateways. There were relatively few available technology segments and a relatively clear distinction between buying security technology purchases and outsourcing engagements.
Organizations invested in the few well-known, broadly used security technologies themselves, and if outsourcing the management of these technologies was needed, they could be reasonably confident that all major security outsourcing providers would be able to support their choice of technology.
Gartner declared this was a market truth for both on-premises management of security technologies and remote monitoring/management of the network security perimeter (managed security services).
Net result? The “human element” is back at the forefront of security management discussions. Skilled security analysts and subject-matter experts in the technology in use have become exponentially harder to recruit, hire, and retain. The market agrees: security gear is only as good as the people you can get to manage it.
With the threat landscape of today, the focus is squarely on detection, response, prediction, continuous monitoring and analytics. This means a successful outcome is critically dependent on the “human element.” The choices are to procure security technology and:
If co-sourcing is a thought, then selection criteria must consider the expertise of the provider with the selected security technology. Our Co-managed SIEM offering bundles comprehensive technology with expertise in its use.
Technology represents 20% or less of the overall challenges to better security outcomes. The “human element” coupled with mature processes are the rest of the iceberg, hiding beneath the waterline.
Why should you, as a merchant, comply with the PCI Security Standards?
At first glance, especially if you are a smaller organization, it may seem like a lot of effort, and confusing to boot. But not only is compliance becoming increasingly important, it may not be the headache you expected.
Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences.
Here are some reasons why.
You’ve worked hard to build your business – make sure you secure your success by securing your customers’ payment card data.
Your customers depend on you to keep their information safe – repay their trust with compliance to the PCI Security Standards.
Network Security Basic Training Series: Patching
In this series of articles, we will explore some of the basic ways that businesses of all sizes can keep their computer systems safer.
While it is impossible to say that a system can never be breached, if you are not doing some of the basics to help protect your system and your data, then you are more likely to experience a breach. In this first article, we will discuss system and application patching.
How can patching help your business’ security?
If you are not keeping up with regular patching of your computer and the programs that run on it, then you are simply asking for trouble. Many of the breaches that make the news (and I am sure many more that don’t make headlines) are caused by holes in software for which the vendor had already released a patch.
If you buy a new PC from the local computer retailer, chances are you have had to update it with a lot of patches soon after taking it out of the box. These updates come out typically on a monthly basis, and they should be allowed to download to your system and be applied.
In larger companies where there are hundreds or thousands of computers to update, there will most likely be a commercial patching solution that downloads the update files once and then applies them to all the systems that need them on a rolling basis.
What you want to avoid is the delay of these patches from getting applied.
Sure, there are times where the patches want to update your system and then reboot, and the time the patches choose to be applied may not be the perfect time for you to stop what you are doing.
It is ok to postpone the application of patches until later in your day or when you shutdown the computer, but you should never delay more than needed and I would say it is never advised to go more than 48 hours after the patches are available to get them applied.
What is being referred to above is mostly the operating systems patches, but what about 3rd party programs such as Adobe, Java, Flash, etc.?
These too need to be updated often, and even though it may be annoying to see the pop-up on your screen notifying you of available patches, you should always take the time to apply the latest updates to keep your system protected.
Even if you don’t use a particular program but it is installed on your computer, you should keep that up to date as well so it cannot be exploited.
There are even free utilities such as Update Checker from FileHippo that can run as a separate program and check your computer to see what available updates exist for you. “The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases. These are then neatly displayed in your browser for you to download.”
The Update Checker works on any PC running Windows 8, 7, Vista, XP, 2012, 2008, 2003, 2000, ME or 98. I have found this utility particularly useful for keeping up to date programs that I didn’t even know had updates available, including Skype, Google Earth, and more.
If you leave your systems unpatched, then hackers or software exploits may use holes in older versions of software to find a way to get into your computer and/or steal your data. Hackers could also use these software weaknesses in unpatched software to gain information about you and your web activities in order to scam you later via email or phone.
Probably the worst example of what attackers can do nowadays once they get into a computer is ransomware, where the contents of your hard drive are encrypted and held until you pay a ransom to the attackers.
Keep in mind that a compromised system may hurt not only that one system, but others as well. If you use your computer on a network that includes other computers, your issue could affect them as well.
If you use a laptop at home and it gets compromised, then you bring the laptop to work, that issue could follow you to your workplace and affect the other computers on the corporate network as well.
In summary, it is best practice to keep your system up to date at all times. Be sure to turn on any automatic updates that are available to your operating system and any 3rd party applications.
If you need a utility to scan your computer for 3rd party applications that may need updates, find one like the Update Checker noted above and use it regularly.
In future articles we will discuss more topics that can help you keep your system and your data safer.
Incomplete cybersecurity information visibility comes at a cost. Without real-time comprehensive visibility, organizations experience blind spots that handcuff your cybersecurity protection and increase risk. IT environments are increasingly complex as they span on-premises, cloud, endpoint, and hybrid approaches. This wide and diverse infrastructure leaves plenty of room for attackers to hide and emerge when least expected.
Why Endpoint Security Coverage is Critical
Non-technical users, and in particular the endpoints they use, make soft targets for cyber criminals. Regardless of how well your servers and firewalls are monitored and protected, what level of risk are you willing to take when your sensitive data and reputation are at stake?
A data breach now takes on average 127 days to detect and costs $2.64 million, according to Ponemon Institute. Comprehensive visibility and real-time analysis of telemetry provides an early warning of cybersecurity threats before extensive damage occurs. Threats caught earlier, are easier to defend and remediate against, and less expensive to address.
You may already have a threat protection platform and a 24/7 security operations center (SOC). However, if that platform’s sensors aren’t deployed across the organization’s entire attack surface, crucial log data is never collected, visibility shrinks, and the resulting gap exposes you to damaging exploits.
Why Organizations Fail at Endpoint Security Despite Capable Technology
Endpoint Protection Platforms (EPPs) like anti-virus and anti-malware alone are insufficient to safeguard sensitive data. If technology alone could solve for cybersecurity gaps, businesses today would be more effective at defending against well-funded threat actors, instead of facing rampant data leaks and ransomware attacks. Also, organizations may implement log sensors that only monitor core devices like firewalls and servers, leaving endpoints exposed.
Benefits of comprehensive network and infrastructure visibility include:
Learn more about how endpoint security reduces SMB Cyber Risks.
Full Visibility Shouldn’t be Challenging
Many organizations believe that they need to invest heavily in cybersecurity technology and then go it alone. What lets endpoint security reach its full potential is security experts with the knowledge and time to manage it. When managed in-house, endpoint security often becomes a sideline task that is pushed aside by larger projects, daily routines, and meetings.
Business leaders are either unaware of the importance of endpoint security coverage or convinced that their organization already has sufficient coverage, which in their minds justifies not spending on endpoint protection. There is no silver bullet for instant visibility. As the table below illustrates, evolve your security maturity in stages, from the perceived high-value devices like core firewalls and servers out to endpoints, especially remote ones.
Entry-level visibility | Better visibility | Ideal visibility |
---|---|---|
Monitoring core devices like firewalls and servers. | Monitoring on-network endpoints like laptops and workstations. | Monitoring all core devices such as firewalls and servers, as well as workstations, especially remote. |
Ask yourself if you have the staff and skills to keep your cybersecurity optimized. Your team is too busy already so don’t just throw more tech on the stack. Find a Managed Endpoint Security partner that offers people, process, and technology in the right combination to scale and increase efficiency.
Proactive Protection 24/7/365 by Security Experts
Overcoming advanced threats requires mature technology, skilled people, and a more rapid incident response than in years past. It is challenging to hire and retain cybersecurity staff with the over two million current IT job openings. A managed Security Operations Center (SOC) monitors and protects customer infrastructure around the clock without the cost and overhead of building it yourself. SOC-as-a-Service is a managed SOC solution that enables you to mature your security position quickly and at scale. Instead of being reactive regarding threats, rest assured that your infrastructure and customers are monitored and protected by a fully staffed team of experts.
Optimize your Endpoint Coverage
Budget-constrained businesses out to cut corners are fooling themselves that endpoint security doesn’t matter. More than ever, endpoint security is a crucial layer in a defense-in-depth approach to cybersecurity. Operational simplicity eliminates the need to constantly update and tune sensors, rely on internet connectivity, or worry about burdensome maintenance to keep pace with threats.
As a managed security service provider and trusted advisor, look for opportunities to consolidate not only your own tech stack but that of your end customers. You can take easy steps to minimize cybersecurity risk, enhance compliance, and eliminate visibility gaps without breaking the bank. Learn how extended detection and response (XDR) coverage in our Managed Threat Protection delivers capabilities like holistic visibility and attack surface reduction to predict, prevent, detect, and respond to incidents faster.
Log monitoring is difficult for many reasons. For one thing, there are not many events that unquestionably indicate an intrusion or malicious activity; if it were that easy, the system would simply prevent the attack in the first place. One way to improve log monitoring is to implement naming conventions that embed information about objects such as user accounts, groups and computers, for example their type or sensitivity. This lets relatively simple log analysis rules recognize important objects, or improper combinations of information, that would otherwise be impossible to spot.
However asking for special naming convention changes for the sake of log monitoring may be difficult to pull off. It’s common to treat log monitoring as strictly one-way activity in relation to the production environment. By that I mean that security analysts are expected to monitor logs and detect intrusions with no interaction or involvement with the administrators of the systems being monitored other than for facilitating log collection.
I realize that such a situation may not be easy to change, but if security analysts can have some input into the standards and procedures followed upstream of log collection, they can greatly increase the detectability of suspicious or questionable security events. Here are a few examples.
There are at least 3 kinds of user accounts that every organization uses:
• End-user accounts
• Privileged accounts for administrators
• Service/application accounts
Each of these three account types is used differently and should be subject to certain best-practice controls. For instance, no person should ever start an interactive logon session (local console or remote desktop) with a service or application account. But of course a malicious insider or external threat actor is more than happy to use such accounts, since they often carry privileged authority and are frequently insecure because they are hard to manage. Conversely, end-user and admin accounts assigned to people should not be used to run services and applications. Doing so causes all kinds of problems: if Service A runs as User B and that user leaves the company, Service A fails the next time it starts after User B is disabled. In audits I’ve seen highly privileged admin accounts of long-departed employees still active because staff knew that various applications and services ran with those credentials. This of course creates all kinds of security holes, including residual access for the terminated employee.
Event ID 4624 makes it easy to distinguish logon session types with its Logon Type field (see the table below). But Windows can’t tell you what type of account just logged on; it doesn’t know the difference between an end-user, admin or service account. If your naming convention embeds that information, you can compare account type with logon type and alert on inappropriate combinations. Say your convention specifies that service accounts all begin with “s-”. Now all you need is a rule that alerts whenever it sees Event ID 4624 where Logon Type is 2 (interactive) or 10 (remote interactive) and the account name is like “s-*”.
This is just one example of why it is so valuable to implement naming conventions that embed key information about objects. If you name groups with prefixes or something else that tags privileged groups as such, it becomes very easy to detect whenever a member is added to a privileged group. Perhaps you follow certain procedures to protect privileged accounts from pass-the-hash attacks, such as limiting admins to logging on only from certain jump boxes. If privileged accounts and jump box systems are recognizable as such by their names, then you can easily alert when a privileged account attempts a logon from a non-jump-box system.
This of course requires upfront cooperation from administrators, who may be resistant to changing their naming styles just for the sake of logs. And you need to get to know the procedures and controls used to keep your network secure so that you can configure your SIEM to recognize when intruders or malicious insiders bypass those controls. But both challenges are worth the effort.
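The two rules described above (service account used interactively; privileged account logging on from something other than a jump box) can be expressed as a small evaluation over 4624 events. The following is an added example, not code from the original post; the naming conventions (“s-” for service accounts, “adm-” for admin accounts, “jump-” for jump boxes) and the sample events are constructed for illustration, and the Logon Type values are the standard Windows ones.

```python
"""Flag inappropriate Event ID 4624 combinations using naming conventions.

Added example, not from the original post. Assumed conventions (hypothetical):
  - service accounts begin with "s-", admin accounts with "adm-"
  - admin accounts may only log on interactively from hosts named "jump-*"
The sample events at the bottom are constructed, not real log data.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple

# Standard Windows Logon Type values for event 4624
INTERACTIVE_LOGON_TYPES = {2, 10}   # 2 = Interactive (console), 10 = RemoteInteractive (RDP)
SERVICE_LOGON_TYPES = {4, 5}        # 4 = Batch (scheduled task), 5 = Service

# Assumed naming conventions (hypothetical; adapt to your own environment)
SERVICE_ACCOUNT_PATTERN = "s-*"
ADMIN_ACCOUNT_PATTERN = "adm-*"
JUMP_BOX_PATTERN = "jump-*"


@dataclass
class Logon4624:
    """The three 4624 fields the rules need."""
    account: str        # Account Name (the subject that logged on)
    logon_type: int     # Logon Type
    workstation: str    # Workstation Name / source host


def account_kind(name: str) -> str:
    """Derive the account type purely from the naming convention."""
    lowered = name.lower()
    if fnmatch.fnmatchcase(lowered, SERVICE_ACCOUNT_PATTERN):
        return "service"
    if fnmatch.fnmatchcase(lowered, ADMIN_ACCOUNT_PATTERN):
        return "admin"
    return "user"


def evaluate(event: Logon4624) -> List[str]:
    """Return the findings for one event; an empty list means the logon is acceptable."""
    findings = []
    kind = account_kind(event.account)
    if kind == "service" and event.logon_type in INTERACTIVE_LOGON_TYPES:
        findings.append("service account used interactively")
    if kind != "service" and event.logon_type in SERVICE_LOGON_TYPES:
        findings.append("human account running a service or scheduled task")
    if (kind == "admin" and event.logon_type in INTERACTIVE_LOGON_TYPES
            and not fnmatch.fnmatchcase(event.workstation.lower(), JUMP_BOX_PATTERN)):
        findings.append("privileged logon from non-jump-box host")
    return findings


def scan(events: List[Logon4624]) -> List[Tuple[str, str, str]]:
    """Run every event through the rules; returns (account, workstation, finding) triples."""
    return [(e.account, e.workstation, f) for e in events for f in evaluate(e)]


# Constructed sample events (hypothetical accounts and host names)
SAMPLE_EVENTS = [
    Logon4624("s-backup", 10, "ws-017"),    # service account over RDP: alert
    Logon4624("s-sqlsvc", 5, "srv-db1"),    # service account as a service: fine
    Logon4624("adm-jane", 2, "ws-017"),     # admin at a workstation console: alert
    Logon4624("adm-jane", 10, "jump-01"),   # admin via RDP from a jump box: fine
    Logon4624("jdoe", 5, "srv-app1"),       # end-user account running a service: alert
    Logon4624("jdoe", 2, "ws-042"),         # end-user console logon: fine
]

if __name__ == "__main__":
    for account, host, finding in scan(SAMPLE_EVENTS):
        print(f"{account}@{host}: {finding}")
```

The same three rules translate directly into SIEM correlation rules: each one is a comparison of a substring of the account name (and, for the jump-box rule, the workstation name) against the Logon Type field.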
In the wake of its breach, Target announced on March 5, 2014 that its CIO, Beth Jacob, was resigning.
In December 2013, Target announced to the public that it had been the victim of a cyber crime resulting in the loss of 40 million credit cards and possibly as many as 70 million personal records of its customers. When something of this magnitude is announced to the public, there needs to be someone to blame, and the Chief Information Officer (CIO) is the perfect scapegoat.
In many corporate cultures, the role of the CIO was often overshadowed by the Chief Technology Officer (CTO). In fact, many boards viewed the CIO as a subordinate of the CTO and the corporate structure was organized in that manner.
Recently, with the need to focus on “Big Data”, compliance initiatives (such as PCI, HIPPA, or SOX), and data security, the CIO has been elevated in status. This heightened status comes with the additional burden of being responsible for the systems when things go wrong.
In the case of Target, Ms. Jacob resigned while Target works to restructure its payment environment so that a similar breach cannot happen in the future. An interim CIO will be put in place to oversee the overhaul, and the company’s long-term plan has not yet been announced.
In the modern corporate landscape, the CIO is often held responsible for the electronic security of their company. When a hacker succeeds, the CIO may be held as failing in their duties and letting down the company.
Data security is a complicated matter, and it is important to always keep in mind that to protect data you must always be perfect. For a hacker to steal data, he only has to succeed once.
In today’s business world, a major draw for many customers is the ability to stay connected to the outside world while outside the office. Having access to the Internet is a must to accomplish this.
Providing this connectivity typically means having a wireless network set up for your customers to use. However, it also places your business at potential risk.
In one of the highest-profile cases of its time, in 2007 the retailer TJX, operator of stores such as T.J. Maxx, Marshalls, and Sierra Trading Post, suffered a breach in which over 45 million customer credit and debit card numbers were stolen. Brian Krebs of Krebs on Security attributes the TJX breach to a hacked wireless network and weak wireless security.
Outlined below are three steps that will help ensure that a guest wireless network does not put your business at risk of a breach or other illegal activity.
The most common mistake in wireless security is a wireless network that is not properly segmented. All too often, a wireless router is purchased and plugged straight into the POS network. This gives any user on the wireless network the chance to retrieve sensitive information from the POS network.
Proper segmentation ensures that no customer can reach the sensitive cardholder data. Some businesses go as far as having a separate Internet connection for their guest wireless network. While this does completely isolate the cardholder data from the wireless network, a properly segmented network accomplishes exactly the same thing.
Even with a properly segmented network, a whitelist or category filter is very important for keeping your Wi-Fi safe.
For instance, if a customer uses your wireless Internet connection for illicit purposes such as torrenting music or movies, the Internet Service Provider can send the owner of the business a cease and desist letter. One way to block this access is to enable a category filter on the guest wireless network.
When using a category filter, customers are not allowed to visit websites classified as adult, criminal, hacking, or whichever categories you choose to block. By denying your customers access to these types of websites, you eliminate the potential risk of the police or FBI visiting your location.
The risks of wireless do not end when your business day ends. A wireless router continues to broadcast its network through the off hours, giving a passerby the opportunity to log in to the wireless network.
While this may occur with good-natured intent, it is possible that the connection will be used for malicious purposes as well. Even with the above wireless recommendations in place, a connection can be used in a technically secure manner and still have illegal consequences. One instance of this would be a person creating an anonymous connection to the Internet in order to transfer money for illegal purposes. With this in mind, a store front could become a hive of illegal activity at night.
Log collection, SIEM and security monitoring are the journey, not the destination. Unfortunately, the destination is often a false positive. This is because we’ve gotten very good at collecting logs and other information from production systems, then filtering that data and presenting it on a dashboard. But we haven’t gotten that good at distinguishing events triggered by bad guys from those triggered by normal everyday activity.
A honeynet changes that completely.
At the risk of perpetuating a bad analogy, I’m going to refer to the signal-to-noise ratio often thrown around when you talk about security monitoring. If you like that signal/noise concept, then the difference is like putting an egg timer in the middle of Times Square at rush hour. Trying to hear it is like trying to pick out bad guy activity in logs collected from production systems. Now put that egg timer in a quiet room. That’s the sound of a bad guy hitting an internal honeynet.
Honeynets on your internal network are normally very quiet. The only legitimate stuff that’s going to hit them are things like vulnerability scanners, network mapping tools and… what else? What else on your network routinely goes out and touches IP addresses that it’s not specifically configured to communicate with?
So you either configure those few scanners to skip your honeynet IP ranges, or else you leverage them as positive confirmation that your honeynet is working and reporting when it’s touched. You just de-prioritize that expected traffic to an “honorable mention” pane on your dashboard.
On the other hand, (unless someone foolishly publishes it) the bad guy isn’t going to know the existence of your honeynet or its coordinates. So as he routinely scans your network, he’s inevitably going to trip over your honeynet — if you’ve done it right. But let’s talk about some of these points.
First, how would a bad guy find out about your honeynet?
So, honeynets are definitely a matter of security through obscurity. But you know what? We rely on security through obscurity a lot more than we think. Encryption keys are fundamentally security through obscurity. Just really, really, really, good obscurity. And security through obscurity is only a problem when you are relying on it as a preventive control – like using a “secret” port number instead of requiring an authenticated connection. Honeynets are detective controls.
But what if you are up against not just a persistent threat actor but a patient, professional and cautious one who assumes you have a honeynet and you’re listening to it? He’s going to tiptoe around much more carefully. If I were him, I would only touch systems out there that I had reason to believe were legitimate production servers. Where would I collect such information? Places like DNS, browser history, netstat output, links on intranet pages and so on.
At this time, most attackers aren’t bothering to do that. It really slows them down and they know it just isn’t necessary in most environments. But this is a constant arms race, so it’s good to think about the future. First, a bad guy who assumes you have a honeynet is a good thing because of what I just mentioned. It slows them down, giving more time for your other layers of defense to do their job.
But are there ways for you to optimize your honeynet implementation for catching the honeynet-conscious, patient attacker? One thing you can do is go through the extra effort and coordination with your network team to reserve more and smaller sub-ranges of IP addresses for your honeynet so that it’s widely and granularly dispersed throughout your address space. This makes it harder to make a move without hitting your honeynet, and further undermines the assumption that attackers usually find it safe to make — that all your servers are in one range of static addresses, workstations in another discrete range for DHCP, and then another big block devoted to your honeynet.
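The two operational points above (de-prioritizing known scanners to an “honorable mention” pane rather than suppressing them, and dispersing the honeynet across many small sub-ranges) can be seen in a short triage routine. This is an added example, not code from the post or from EventTracker; the honeynet ranges, the scanner address and the flow records are constructed for illustration.

```python
"""Triage flow records that touch honeynet address space.

Added example, not from the original post. HONEYNET_RANGES, KNOWN_SCANNERS
and the sample flows are hypothetical, constructed values.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Several small, dispersed sub-ranges rather than one big block (hypothetical)
HONEYNET_RANGES = [ipaddress.ip_network(c) for c in (
    "10.1.8.0/29",       # a few addresses inside the "server" range
    "10.1.40.16/28",     # a slice of the workstation/DHCP range
    "10.2.200.64/27",    # a block in a rarely used subnet
)]

# Sources that legitimately sweep the whole network (vulnerability scanner, mapper)
KNOWN_SCANNERS = {ipaddress.ip_address("10.0.0.50")}


def in_honeynet(ip: str) -> bool:
    """True if the address falls inside any honeynet sub-range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HONEYNET_RANGES)


def classify(flow: dict) -> str:
    """'ignore' for production traffic, 'honorable_mention' for expected
    scanners touching the honeynet, 'alert' for everything else that does."""
    if not in_honeynet(flow["dst"]):
        return "ignore"
    if ipaddress.ip_address(flow["src"]) in KNOWN_SCANNERS:
        return "honorable_mention"
    return "alert"


def triage(flows: List[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Bucket flows by classification, then by source, keeping the distinct
    honeynet addresses each source touched. A source that hits addresses in
    more than one sub-range is sweeping the network, not mistyping an IP."""
    result = {"alert": defaultdict(set), "honorable_mention": defaultdict(set)}
    for flow in flows:
        label = classify(flow)
        if label != "ignore":
            result[label][flow["src"]].add(flow["dst"])
    return {k: dict(v) for k, v in result.items()}


def ranges_touched(dsts: Set[str]) -> int:
    """How many distinct honeynet sub-ranges a set of destinations covers."""
    hit = set()
    for d in dsts:
        addr = ipaddress.ip_address(d)
        hit.update(i for i, net in enumerate(HONEYNET_RANGES) if addr in net)
    return len(hit)


# Constructed sample flows (src, dst, dport); only dst matters for the honeynet check
SAMPLE_FLOWS = [
    {"src": "10.1.40.77", "dst": "10.1.8.2", "dport": 445},      # workstation probing honeynet
    {"src": "10.1.40.77", "dst": "10.1.40.20", "dport": 445},    # same source, second sub-range
    {"src": "10.1.40.77", "dst": "10.2.200.70", "dport": 3389},  # same source, third sub-range
    {"src": "10.0.0.50", "dst": "10.1.8.3", "dport": 22},        # the vulnerability scanner
    {"src": "10.1.40.78", "dst": "10.1.9.10", "dport": 443},     # ordinary production traffic
]

if __name__ == "__main__":
    summary = triage(SAMPLE_FLOWS)
    for src, dsts in summary["alert"].items():
        print(f"ALERT {src}: {len(dsts)} honeynet addresses across {ranges_touched(dsts)} sub-ranges")
    for src, dsts in summary["honorable_mention"].items():
        print(f"expected scanner {src}: {sorted(dsts)}")
```

The scanner entry is kept rather than dropped so that its regular appearance doubles as proof that the honeynet is still reporting; a scanner that stops showing up is itself worth a look.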
The bottom line, though, is that honeynets are awesome. You get very high detection with a comparatively small investment. Check out my recent webinar on honeynets sponsored by EventTracker, who now offers Honeynet-as-a-Service that is fully integrated with your SIEM. Deploying a honeynet and keeping it running is one thing, but integrating it with your SIEM is another. EventTracker nails both.
Ransomware, while not a new model for hackers, has certainly been wreaking havoc on businesses in 2016 – particularly in healthcare and financial services.
While your business’ data security program should consist of many components, perhaps the most effective defense to ransomware is building a culture of data security amongst your employees.
By nature, ransomware relies primarily on “social engineering”: baiting people into clicking a link in an email, or some other method of ultimately downloading a malicious program onto the company network. Once on the network, the ransomware goes to work encrypting files or an entire hard drive, rendering them inaccessible, followed by a demand for money in exchange for decrypting the data again.
While there are certainly technology and protocols that should be employed to defend against ransomware, malware, and any other form of data breach, let’s start with the “people” factor as that is the vulnerability ransomware most frequently preys on.
Chief Information Security Officers and data security experts agree that the weakest link in a company’s security chain is typically people. Businesses of all sizes should consider building a culture of data security by 1) Training, 2) Empowering, and 3) Incentivizing employees to be on guard for data breach attacks.
Offer employees interactive training resources like seminars and webinars as a benefit to help them protect their own personal data. Employees who are more security-savvy about their own personal data safety will be great defenders of the company’s data as well.
This can be built into and marketed as an employee benefit along with common benefits like medical, dental, legal counsel, and more.
Communicate from upper management the danger of cyber-threats and the critical role every individual plays in protecting the business’ and customers’ data. Every employee should walk away feeling that cybersecurity is a real threat to them and their colleagues and that they are encouraged to be vigilant and report concerns to IT.
One way companies can really solidify this culture of security is through gamification. For instance, consider developing a scoring system by which employees can report or forward suspicious emails to the IT security department. Should the email be a legitimate threat, points are awarded to the employee.
The points can be displayed on a leaderboard for bragging rights and also points could be exchanged for rewards once certain levels are achieved. It may sound silly, but if the rewards are appealing and the bragging rights are fun, that may easily be enough to make every single employee a security watch dog for your company!
Building a culture of security amongst your employees is one “cog” in your security system. There are many others.
As a small- to medium-size business (SMB) owner, you know how important a smooth, uninterrupted transaction process is to your bottom-line. To ensure this smooth process, you have network security in place that includes mandated Payment Card Industry Data Security Standard (PCI DSS) compliance activities that happen to land within your responsibility.
Should you fail to comply with PCI DSS and a breach occurs, the fines and penalties can be quite costly, not to mention the damage to brand and business reputation. PCI DSS is necessary, but quite cumbersome for an SMB to maintain.
We believe that every business should have the means to protect themselves and their customers from cyberattacks, and the PCI Security Standards Council (PCI SSC) shares this belief. We’re working together to make compliance management more efficient, and therefore strengthen the security of all merchants.
Take a look at the following PCI-relevant questions. Though this list is far from complete, if you answer no to any of them, we can guarantee you are not meeting the PCI requirements and could use assistance.
As small merchants and Netsurion customers know, PCI DSS ensures that all companies that process, store or transmit credit card information maintain a secure environment. Complying with the standard means a company’s systems are secure, and perhaps most importantly, that customers can trust that brand when they hand over their sensitive payment card data.
Small businesses, however, often operate remotely with minimal IT budgets and internal resources. They often cannot fortify their payment systems on their own—let alone keep track of their PCI compliance statuses.
Lengthy self-assessment questionnaires and multiple cybersecurity layers that need to be put in place to remain compliant can lead to confusion and frustration.
Luckily, the PCI SSC Small Merchant Task Force exists as a dedicated global effort to help improve payment data security for small businesses.
Co-chaired by Barclaycard and the National Restaurant Association (NRA), the task force collaborates on guidance and resources that simplify data security and PCI Data Security Standard (PCI DSS) compliance for some of the most vulnerable businesses preyed upon by cybercriminals.
This task force relies on the vast knowledge of its members to provide:
PCI DSS applies to all organizations or merchants that accept, transmit, or store cardholder data, regardless of size or number of transactions. This means that even small restaurants, retailers, hotels, and doctors’ and lawyers’ offices all need to stay on top of their compliance statuses.
SMB retailers vary from small operations with one or a few locations, to larger entities with many edge locations, such as franchises or branch offices. The dispersed nature of their businesses can create security gaps and challenges, leaving them vulnerable to data breaches.
Reputational damage and revenue loss from breach news going public impact the individual edge locations, as well as the corporate brand on a national or even global scale.
According to the 2016 Verizon Data Breach Investigations Report, “remote attacks against the environments where card-present retail transactions are conducted” resulted in 534 total breach incidents, of which 525 had confirmed data disclosure. Clearly, more needs to be done to improve security at each and every location under the brand umbrella.
Mark Cline, Vice President of Sales, was appointed to this special task group. He will focus efforts on serving as your voice, to help make compliance more achievable and understandable for SMBs across the globe.
Mark has been working in cybersecurity and compliance since 2005, starting with an early-stage security startup in Atlanta, GA. Mark has worked with thousands of small and medium-size merchants to help them understand and navigate compliance requirements, as well as supporting Fortune 500 companies with high-level cybersecurity and consulting engagements. Mark has also led functions for a security consulting firm specializing in PCI, HIPAA, FISMA, FedRAMP and SOC compliance audits, penetration testing, social engineering, and vulnerability scanning.
All businesses, even small merchants, need to be able to quickly detect and prevent threats from causing massive damage to their networks and systems, by monitoring and protecting all of their endpoints.
One of the most important things to note is that a managed firewall is essential but no longer a significant enough barrier on its own when it comes to today’s evolving threat landscape. Risk mitigation has become crucial, including monitoring outbound traffic for exfiltrating data.
Netsurion and EventTracker are extremely honored to have members on the task force, so we can use our industry expertise and information to help shape the PCI standard for the better.
If you’re aiming to improve your organization’s threat detection and incident response (TDIR) capabilities, I’m willing to bet you’re annoyed and frustrated by trying to navigate the managed cybersecurity market that’s rife with imprecise terminology and vendors willing to bend definitions to fit their solutions. As a result, you have an extremely difficult job in trying to find the right solutions, let alone pick the best one.
So, in short, if you are looking for wider attack surface coverage, deeper threat detection, and faster incident response, I hope this article gives you some clarity and confidence in your evaluation process.
Step 1: Untangle the Market Categories
Unfortunately, cybersecurity market analysts and vendors invent a new solution category every time they simply improve a feature or introduce a new approach. As a result, to improve threat detection and incident response, you have to sift through the following market categories. I’ll explain my take on what actual nuances matter in each category.
Step 2: Consider Attack Surface Coverage
Once you understand the nuances of the categories and can articulate what scope of technology and service are important to you, next is to evaluate which vendors have the wherewithal to protect your environment. This is a great way to quickly pare down the field of contenders. Look for an online library of data source integrations or similar terminology. Disqualify any platform that doesn’t cover your IT estate, especially vulnerable legacy systems that might not always be fully patched.
Protect more than your “Digital Front Door”
Your business has many points of cyber-attack vulnerability
Step 3: Inspect the Detection
So, you’ve shortlisted the type of provider and shortlisted those that cover your assets. Now it's time to inspect that coverage, as not all data source integrations are created equal. Watch out for really weak integrations that may collect data but don’t really mine intelligence and serve up actionable alerts. Ask your vendor to explain their Common Indexing Model (CIM), which is what makes it possible for their system to identify Indicators of Compromise (IoCs) across multiple assets. A vendor’s integration is much more than ingesting data. Ask to understand these five elements: Parsing Rules, Correlation Rules, Alerts, Dashboards, and Reports. A common requirement is in-depth Microsoft 365 integration.
Step 4: Be Skeptical About Response
This is where the rubber meets the road, as they say. Because of the multiple stages and hands-on activity involved, Incident Response requires particular attention. The reality is that you and the vendor should accept a shared responsibility (or “shared fate”) mentality to truly have a successful outcome. Ask your vendor how much involvement you have in shaping the SecOps Runbook and IR Playbook. Ask about Automated Response as well as Guided Remediation support. Both machine and human involvement should be expected. Speaking of humans, throughout the tuning, monitoring, detection and response stages, insist on a full understanding of their SOC’s dedication to your environment and its specialized roles in malware analysis, threat intelligence, threat hunting, incident response, and customer success management.
BONUS: Consider an MSP
Because of their intimate knowledge of the IT environment and advantages of an existing relationship, IT managed service providers (MSPs) are taking on more managed cybersecurity responsibilities including threat detection and incident response. A winning cybersecurity combination for many organizations is to work with an MSP that is a cybersecurity generalist but brings a Managed XDR specialist into the SecOps picture. Such vendors must be MSP-ready and account for multi-tenant management, flexible pricing models for continuous scaling up and down, and simple deployment.
Your business’s IT network is constantly connected to the Internet, includes countless SaaS applications and API connections, and is accessed by employees and vendors located anywhere in the world. As a result, your business is always exposed to cyber-risk, some of which is avoidable and some of which is unavoidable. Your cyber-risk tolerance (the types and amount of risk, on a broad level, that an organization is willing to accept in its pursuit of value) governs your cybersecurity spend and correspondingly your cybersecurity posture. In simpler times, deploying a firewall to guard the network and installing signature-based anti-virus at the endpoints was considered adequate for a medium level of cybersecurity. The evolution of the threatscape makes such a posture antiquated and consequently exposes the organization to very high levels of cyber-risk.
Avoidable risks are those you can address by implementing standard cybersecurity practices (e.g. patch management, multi-factor authentication, strong password policies, least privilege access, security awareness training, and more). The big question to ask yourself and your organization is: “What is acceptable exposure to unavoidable risk (our cyber-risk tolerance), and how do we best align to it (our cybersecurity posture)?”
What Are These Unavoidable Cyber Risks?
They basically fall into these three camps:
Mitigating these risks essentially requires:
What’s the Best Way To Improve Your Cybersecurity Posture?
Managed Detection & Response (MDR) services are enjoying high rates of acceptance with organizations that accept that such services are a must for modern threat defense.
Not to be confused with simply Managed Endpoint Detection & Response software, MDR services can have a wider scope of coverage.
The global MDR market size is expected to grow from an estimated value of USD 2.6 billion in 2022 to USD 5.6 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 16.0% from 2022 to 2027. Some of the factors driving the market growth include the shortage of skilled cybersecurity professionals, budget constraints, government regulations, and strict regulatory compliance.
What benefits do MDR services provide in terms of risk reduction? In a nutshell, this service reduces unavoidable cyber-risk.
Is There a Scalable MDR Approach for Your Business’s Needs Today and Tomorrow?
Your organization is not static. It’s always changing – and hopefully growing. As organizations grow, typically their cyber-risk tolerance shrinks. How do you invest in a proper MDR solution to solve for today’s risk tolerance while avoiding a future rip-and-replace to meet a more stringent risk tolerance in the future?
There are two axes on which your MDR solution should flex with your organization’s cyber-risk tolerance to deliver an aligned cybersecurity posture.
What Other Characteristics of MDR Can Impact Cyber-Risk Tolerance and Cybersecurity Posture Alignment?
There are three primary characteristics to dive into when selecting an MDR solution:
Is it Extended Detection & Response (XDR)? XDR (Extended Detection & Response) is an evolution of threat detection and incident response (TDIR) that successfully breaks down the traditional data and environment silos of legacy SecOps platforms to deliver wider attack surface visibility, deeper threat detection – and ultimately, faster incident response. XDR does not necessarily mean other security controls are rendered obsolete. Rather, XDR platforms must ingest, normalize, and correlate telemetry from all sources such as SIEM, EDR, and UEBA to reduce noise, identify true Indicators of Compromise (IoCs), trigger appropriate automated response, and deliver actionable alerts.
Is it Open? Open XDR is a class of XDR that is vendor-agnostic in terms of its protection scope. Open XDR, sometimes called Hybrid XDR, is designed to integrate with other security technologies to avoid ripping and replacing them – thus they are “open” to ingest anything and everything the platform can. The key, however, is to inspect the quantity and quality of data source integrations the Open XDR platform provides.
Is it Managed? Managed XDR delivers this platform as-a-service combined with our 24x7 SOC (Security Operations Center) to not only provide platform hosting and tuning, but also a jointly defined SecOps Runbook, an IR Playbook, around-the-clock security monitoring, proactive threat hunting, and guided remediation support.
Do you ever wonder where malware names come from? What's in a name, after all? There’s Heartbleed, Melissa, and GooLoad. There’s even ILOVEYOU. All these names appear to have come from nowhere, just like the malware they’re attached to.
There is no universally adopted standard for naming malware, although you’d think there would be (more on this later). After all, thanks to the World Meteorological Organization, we have official annual lists of names for hurricanes. The International Astronomical Union has formalized the familiar cultural names for hundreds of stars like Betelgeuse and Sirius and defined an alphanumeric nomenclature for the millions of other celestial bodies in the universe. And the World Health Organization names virus variants, like Omicron for Coronaviruses and H1N1 for influenza.
Is There a Method to the Malware Naming Madness?
The short answer is sort of. Usually, malware is named by the threat researcher who discovers it. These analysts work in the computer and network security industry, typically for commercial or government organizations. And there are patterns that these researchers often follow.
For example, there are names for malware types that are based on functionality, such as banker, downloader, backdoor, dropper, spyware, keylogger, or Trojan. Similarly, a name is sometimes based on the method by which the malware actually operates. Heartbleed, for example, was so named because it bled secret banking information back to the attacker - information considered to be the heart of the victim organization. The media latched onto the name Heartbleed because it is so descriptive and emotional - as well as sufficiently scary - garnering it a lot of attention.
Names may also designate a malware family. Malware authors continue to innovate, often creating new variants of existing malware to avoid detection or increase their impact. If the researcher can identify commonality in the code signature, malicious commands, and attack style, then it is likely the new threat is based on a known malware family.
Sometimes threats are named by the malware author, rather than a researcher, and promoted as a kind of branding. For example, the Janus syndicate was especially aggressive in promoting its ransomware modules, Petya and Mischa (or Misha). These were sold as a pair in underground forums, and Janus was anxious to make sure that the names were something that they controlled because they generated billions of dollars in revenue.
When Patterns Don’t Apply, Malware Names Can Get Interesting
Sometimes the people naming malware just get creative. Many years ago there was ILOVEYOU, named for its email attachment “love-letter-for-you.txt,” a file that carried malicious code. This is back when we were quite naive about these malicious attachments. What made it suspicious was that the attack arrived as an email from a business contact. Typically, you don’t get love letters in this environment. But it was a simple virus for a much simpler time.
Here are some other interesting names out there in the wild:
Attempts To Tame the Mess
While there is no single, global registry of official names for all the malware out there, there have been attempts to establish standards for naming. In 1991 the Computer Antivirus Research Organization (CARO) came up with the first Virus Naming Convention. It looked like this:
Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]
The malware landscape has changed considerably since then, as have the means of detection, rendering the 1991 convention obsolete. However, CARO meets annually and has continued to update what it today calls the CARO Malware Naming Scheme. Formally adopted by some organizations, including Microsoft, the format of the current scheme is:
Type:Platform/Family.Variant!Suffixes
In practice, a name following the scheme looks like this:
Email-Worm:Win32/Bagle.aav!dll
In reality, however, every anti-virus (AV) vendor uses its own naming convention, although most are a variation of the CARO scheme. The result? Things are still messy. For example, names of the email worm Bagle (and its variants) that turn up in a web search include w32.Beagle.A@mm, I-Worm.Bagle.gen, Email-Worm.Ein32.Bagle.ge, and Worm:HTML/Bagle!mail. So much for standardization!
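To make the structure of the scheme concrete, here is a small parser for the Type:Platform/Family.Variant!Suffixes form given above. It is an added example, not code from the original article or from CARO; the regular expression is my reading of that format (Variant and the !Suffixes are treated as optional, and multiple !Suffix parts are allowed). Running it over the Bagle names quoted in the previous paragraph also shows the messiness the article describes: only the names that actually follow the CARO layout parse, and the vendor-specific forms do not.

```python
"""Parse malware names written in the CARO Type:Platform/Family.Variant!Suffixes form.

Added example, not from the original article. The regex is an interpretation
of the scheme as printed above; sample names are those quoted in the article.
"""
import re
from typing import Dict, List, Optional

CARO_RE = re.compile(r"""
    ^(?P<type>[A-Za-z][A-Za-z-]*)         # Type, e.g. Email-Worm or Trojan
    :(?P<platform>[A-Za-z0-9_]+)          # Platform, e.g. Win32 or HTML
    /(?P<family>[A-Za-z0-9_]+)            # Family, e.g. Bagle
    (?:\.(?P<variant>[A-Za-z0-9]+))?      # optional Variant, e.g. aav
    (?P<suffixes>(?:![A-Za-z0-9_.-]+)+)?  # optional !Suffix, possibly several
    $""", re.VERBOSE)


def parse_caro(name: str) -> Optional[Dict[str, object]]:
    """Return the name's components, or None if it does not follow the scheme."""
    m = CARO_RE.match(name)
    if not m:
        return None
    parts = m.groupdict()
    # "!dll!bit" -> ["dll", "bit"]; no suffix group -> []
    parts["suffixes"] = [s for s in (parts["suffixes"] or "").split("!") if s]
    return parts


def families(names: List[str]) -> Dict[str, Optional[str]]:
    """Map each name to its family (lower-cased) if parseable, else None.
    Useful for grouping vendor alerts that refer to the same family."""
    out = {}
    for n in names:
        parsed = parse_caro(n)
        out[n] = str(parsed["family"]).lower() if parsed else None
    return out


# The Bagle spellings quoted in the article, plus the scheme's own example
QUOTED_NAMES = [
    "Email-Worm:Win32/Bagle.aav!dll",
    "w32.Beagle.A@mm",
    "I-Worm.Bagle.gen",
    "Email-Worm.Ein32.Bagle.ge",
    "Worm:HTML/Bagle!mail",
]

if __name__ == "__main__":
    for name, fam in families(QUOTED_NAMES).items():
        print(f"{name!r:38} -> {'family ' + fam if fam else 'not CARO-formatted'}")
```

Only two of the five spellings parse, and even those two disagree on the Type (Email-Worm versus Worm) and Platform (Win32 versus HTML), which is exactly why matching threat reports from different AV vendors usually has to fall back to the family name alone.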
It doesn’t help that antivirus (AV) terminology itself is very quirky and inconsistent. Most AV products defend against malware, and “malware” is much broader than “virus.” But in the mind of the public, the word “virus” has stuck and is often used interchangeably with malware. Similarly, “Trojan” is often used as a synonym for virus. But in fact, it is an attack vector.
So, if malware names in the news amuse you, or leave you scratching your head, you’re not alone. Don’t dismay. The name makes some kind of sense, at least to the person who named it.
A common dysfunction in many companies is the disconnect between the CISO, who views cybersecurity as an everyday priority, and top management, who may see it as a priority only when an intrusion is detected. The seesaw goes something like this: if breaches have been few and far between, then leaders tighten the reins on the cybersecurity budget until the CISO proves the need for further investment in controls. On the other hand, if threats have been documented frequently, leaders may reflexively decide to overspend on new technologies without understanding that there are other, nontechnical remedies to keep data and other corporate assets safe.
Does your organization suffer from any of these?
Myth: More spending equals more security
McKinsey says, “There is no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and success of a company’s cybersecurity program.” Companies that spend heavily but are still lagging behind their peers may be protecting the wrong assets. Ad hoc approaches to funding (goes up when an intrusion is reported, goes down when all is quiet on the western front) will be ineffective in the long term.
Myth: All threats are external
Too often, the very people who are closest to the data or other corporate assets are the weak link in a company’s cybersecurity program. Bad habits (sharing passwords or files over unprotected networks, clicking on malicious hyperlinks sent from unknown email addresses, and so on) open up corporate networks to attack. A study by Intel Security found that threats from inside the company account for about 43 percent of data breaches. Leaders must realize that they are actually the first line of defense against cyberthreats, which are never the sole responsibility of the IT department.
Myth: All assets are equally valuable
Are generic invoice numbers and policy documents that you generate in-house as valuable as balance sheets or budget projections? If not, then why deploy a one-size-fits-all cybersecurity strategy? Does leadership understand the return they are getting on their security investments and associated trade-offs? Leaders must inventory and prioritize assets and then determine the strength of cybersecurity protection required at each level. McKinsey cites the example of a global mining company that realized it was focusing a lot of resources on protecting production and exploration data, but had failed to separate proprietary information from that which could be reconstructed from public sources. After recognizing the flaw, the company reallocated its resources accordingly.
These three myths are common, but the list goes on. Now it’s time to decide what to do about it. Research is a great start, but time is of the essence. According to a 2017 Forbes survey, 69% of senior executives are already re-engineering their approach to cybersecurity. What’s your next step?
EventTracker reviews billions of logs daily to keep our customers safe. See what we caught recently and view our latest demo.
The traditional method for calculating standard Return on Investment (RoI) is that it equals the gain minus the cost, divided by the cost. The higher the resulting value, the greater the RoI. The difficulty in calculating a return on security investment (RoSI), however, is that security tends not to increase profits (gain), but to decrease loss – meaning that the amount of loss avoided rather than the amount of gain achieved is the important element.
Following the standard RoI approach, RoSI can be calculated by the sum of the loss reduction minus the cost of the solution, divided by the cost of the solution. In short, a high result is better for RoI, and a low result is better for RoSI.
This is where it gets difficult: how do you measure the ‘loss reduction’? To a large extent it is based on guesswork and surveys. Bruce Schneier in The Data Imperative concluded, “Depending on how you answer those two questions, and any answer is really just a guess — you can justify spending anywhere from $10 to $100,000 annually to mitigate that risk.”
What we find as a practical outcome of delivering our SIEM-as-a-service offering is that many customers value the anecdotes and statistics that are provided in the daily reports and monthly reviews to demonstrate RoSI to management. Things such as how many attacks were repulsed by the firewalls, how many incidents were addressed by criticality, anecdotal evidence of an attack disrupted or misconfiguration detected. We publish some of these anonymously as Catch of the Day.
It’s a practical way to demonstrate RoSI that is easier to understand and does not involve any guesswork.
As advanced threats continue to morph and escalate, it’s easy to gravitate towards the latest tool or “shiny object” in the news. An estimated 80% of threats and vulnerabilities are more than twelve months old, highlighting the challenge of legacy infrastructure and products. Use good cyber hygiene to prevent or mitigate security problems with IT practices that maintain health and resiliency.
This article outlines the obstacles to adopting cyber hygiene, the benefits of implementing these foundational practices, and the practical steps MSPs can recommend.
What is Cyber Hygiene?
Like brushing teeth, cyber hygiene is part routine and part repetition. Protective routines reinforce procedures and user behavior that keep sensitive customer data safe. In the face of rapid change, cybersecurity fundamentals never go out of style.
Cyber Hygiene Obstacles Abound
It can be challenging to balance fighting new and emerging cyber threats while maintaining legacy systems and IT processes. Small-to-medium-sized businesses (SMBs) face the same threats as larger enterprises but with far fewer resources.
“Over the last 18 months, Netsurion’s EventTracker Security Operations Center (SOC) detected attackers performing reconnaissance to look for unpatched systems, unnecessary ports and protocols, and security gaps to exploit,” states Shavonn Mealing, vice president of channel at Netsurion. “Attack surface complexity has also grown, requiring protection across servers, datacenters, and cloud computing assets.”
The ongoing shortage of IT and cybersecurity experts means that small security gaps compound into far-reaching consequences.
Minimize Risk and Complexity with Cyber Hygiene
Poor IT practices increase exposure and cost. IT complexity can unfold over time, resulting in a lack of process understanding and system manageability.
Enhance security operations efficiency with a balance of cyber hygiene technology and routines. For example, implementing good user password practices reduces authentication risks. MSSPs are well poised to advise SMBs regarding solutions and best practices like automation and repeatable outcomes.
Good Habits Safeguard Data and Users
There are several crucial steps to develop best practices and an operational routine for cyber hygiene:
Implementing robust cybersecurity procedures is vital to defend against modern threats. Cyber hygiene helps maintain a strong security posture and minimize vulnerabilities.
Enhance People Vigilance
Embrace the foundational security that the Cybersecurity and Infrastructure Security Agency (CISA) terms “being Cyber Smart” to make it easier to manage the inevitable attacks and third-party software gaps. Remember that people are often the weakest link in protecting an organization; help them become more proactive and overcome blind spots. According to a Stanford University study, human error causes 88% of all data incidents and breaches. Netsurion’s Mealing points out, “Process repetition and training reinforcement are just some ways to help bolster cyber hygiene with your employees and customers.”
How MSSPs Can Help
It’s easy for businesses and service providers to become distracted by the latest buzzword or point product. Help your customers be proactive and vigilant regarding cyber hygiene basics. As a trusted advisor, stay focused on baseline cybersecurity actions that remove the most significant risk at the least cost. Overcoming advanced threats requires more mature technology, skilled people, and comprehensive incident response than in years past. Netsurion’s Managed Threat Protection offering provides an integrated approach beyond standalone solutions. Learn more about the advantages of co-managed security at Netsurion.
We all hear it over and over again: complying with data protection requirements is expensive. But did you know that the financial consequences of non-compliance can be far more expensive?
The Ponemon Institute once again looked at the costs that organizations have incurred, or are incurring, in meeting mandated requirements, such as the EU General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI-DSS), and the Health Insurance Portability and Accountability Act (HIPAA). The results were compared with the findings from a 2011 Ponemon survey on the same topic. The differences were stark and telling.
Average costs of compliance have increased 43%, up from around $3.5 million in 2011 to just under $5.5 million this year, while non-compliance costs surged from $9.4 million to $14.8 million during the same period. On average, organizations that are found non-compliant with data protection obligations these days can expect to fork out at least 2.71 times more money getting started and proving compliance than if they had been compliant in the first place.
For most enterprises, the cost of buying and deploying data security and incident response technologies accounts for the bulk of their compliance-related expenditure. On average, organizations in the Ponemon survey spent $2 million on security technologies to meet compliance objectives. The study found that businesses today are spending on average about 36% more on data security technologies and 64% more on incident response tools compared to 2011.
Financial companies tend to spend a lot more - $30.9 million annually - on compliance initiatives than entities in other sectors. Organizations in the industrial sector and energy/utilities sector also have relatively high compliance-related expenses of $29.4 million and $24.8 million respectively, on an annual basis.
So, what is the hardest regulation to satisfy? GDPR. 90% of the participants in the Ponemon study pointed to GDPR as the most difficult regulation to meet.
Need to get off to a fast start? Thinking NIST 800-171 or PCI-DSS? Our Managed SIEM service, powered by EventTracker technology, was designed to do just that. Check out all the compliance regulations we support.
It's a paradox, but the less you might spend, the more you might pay.
Threats and threat actors continue to evolve and morph, producing more advanced and more dangerous tactics to mitigate. October is National Cybersecurity Awareness Month (NCSAM). NCSAM 2019 centers on the theme of Own IT. Secure IT. Protect IT., advocating a proactive approach to enhanced cybersecurity in the workplace and at home.
Your online web presence is the crown jewel of your business or government organization. Your website conveys your brand to prospective customers and often facilitates e-commerce and citizen services. It is also a doorway into your business, servers, and valuable financial data, as well as links you to a global supply chain network. Good website security is vital for data protection and even disaster recovery and resiliency.
Impacts and Motivations of Website Attacks
Threats and attacks against your website or portal can lead to reduced revenue, dissatisfied visitors, compliance fines, and a lack of trust by valuable customers, e-commerce buyers, and business partners. Hackers have a wide range of motivations for website attacks:
Regardless of the hacker’s initial motivation, website threats are real and require a range of countermeasures to deter these attacks. Build cybersecurity into your site technology and staff practices from the start; don’t bolt it on after it’s too late.
Use authentication best practices. Eliminate credential compromise and account takeover by requiring strong passwords, implementing role-based access controls (RBAC), and eliminating logins immediately for departing employees and vendors. System admins with their privileged access to data centers and servers are especially targeted. Don’t make it easy for hackers to buy and sell your organization’s logins on criminal forums.
Disable unnecessary accounts and web plug-ins. You can’t manage and patch assets that are long forgotten and sitting unused. Hacker tactics, techniques, and procedures (TTPs) actively exploit legacy applications and systems with known security gaps that provide low hanging fruit to attack.
Implement regular vulnerability assessments. Avoid website attacks by identifying vulnerabilities, malware, and configuration gaps that leave you exposed. Think like a hacker with a systematic approach to vulnerability scanning and remediation.
Maintain good cyber hygiene. Don’t forget cybersecurity basics that are low hanging fruit for attackers: use network segmentation to partition your network to limit the “blast radius” and ease restoration after a cyber attack. Avoid vendor default settings that represent the first path that threat actors will attempt. Rapidly apply security patches when they are released, especially for website software and tools.
Automate data backups. Ensure regular data backups and store them separately from your operating network and servers. A robust backup strategy is crucial for data security as well as for the disaster recovery and continuity requirements of frameworks such as PCI DSS (Payment Card Industry Data Security Standard). Organizations with current backups that were hit by ransomware have been able to recover and return to operations with minimal impact.
Add advanced endpoint protection. Always-on tablets, laptops, and mobile devices make soft targets for attackers. It only takes a single user or misconfigured device for attackers to gain malicious access. Managed services such as EventTracker SIEM with Endpoint Detection and Response (EDR) fortify your security and reduce attack surface that can make your organization and sensitive data vulnerable.
Enable visibility with full logging and monitoring. Today’s threat landscape demands more than a “set it and forget it” approach. Continuous monitoring 24/7 by cybersecurity experts provides early detection of targeted attacks as well as insider threats.
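To make the first two countermeasures above concrete (authentication hygiene and disabling unnecessary accounts), here is an added Python example, not part of the original post and not a Netsurion tool, that audits an identity export for accounts that should be disabled or reviewed: departed employees and vendors whose logins are still enabled, and dormant accounts with no login inside a review window. The account records, the field names and the 90-day window are constructed for the example; map them onto whatever your directory or HR system actually exports.

```python
from datetime import date, timedelta

# Fixed reference date so the results are reproducible (constructed).
TODAY = date(2024, 8, 5)
DORMANT_DAYS = 90                       # review window for unused accounts
DEPARTED = {"terminated", "contract_ended"}

# Constructed sample records in the shape an identity/HR export might take.
# 'kind' distinguishes employees, vendors and service accounts; 'hr_status'
# is the HR system's view, 'enabled' the directory's view.
ACCOUNTS = [
    {"user": "alice",    "enabled": True,  "last_login": date(2024, 8, 1),  "hr_status": "active",         "privileged": True,  "kind": "employee"},
    {"user": "bob",      "enabled": True,  "last_login": date(2024, 7, 30), "hr_status": "terminated",     "privileged": False, "kind": "employee"},
    {"user": "svc-cms",  "enabled": True,  "last_login": date(2023, 11, 2), "hr_status": "n/a",            "privileged": True,  "kind": "service"},
    {"user": "vendor-x", "enabled": True,  "last_login": None,              "hr_status": "contract_ended", "privileged": True,  "kind": "vendor"},
    {"user": "carol",    "enabled": False, "last_login": date(2023, 1, 15), "hr_status": "terminated",     "privileged": False, "kind": "employee"},
    {"user": "dave",     "enabled": True,  "last_login": date(2024, 8, 4),  "hr_status": "active",         "privileged": False, "kind": "employee"},
]


def audit_accounts(accounts, today=TODAY, dormant_days=DORMANT_DAYS):
    """Return findings for enabled accounts that should be disabled or reviewed.

    Each finding is a (severity, user, reason) tuple. Departed people with a
    live login rank highest; dormant accounts are ranked by whether they hold
    privileged access. Results are sorted by severity, then user name.
    """
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for a in accounts:
        if not a["enabled"]:
            continue                                   # already disabled: nothing to do
        if a["hr_status"] in DEPARTED:
            sev = "critical" if a["privileged"] else "high"
            findings.append((sev, a["user"], "departed %s still enabled" % a["kind"]))
            continue                                   # no need to also report it as dormant
        last = a["last_login"]
        if last is None or last < cutoff:
            sev = "high" if a["privileged"] else "medium"
            age = "never used" if last is None else "no login for %d days" % (today - last).days
            findings.append((sev, a["user"], "dormant account (%s)" % age))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for severity, user, reason in audit_accounts(ACCOUNTS):
        print("%-8s %-10s %s" % (severity.upper(), user, reason))
```

The HR status check runs before the dormancy check on purpose: a departed user who logged in yesterday is a more urgent finding than one who has not logged in for months, and the report should say why the account is being disabled. Run it from a scheduled job and feed the findings to the same ticketing or SIEM workflow that handles other hygiene alerts.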
We understand that your website is crucial, representing your brand, building community trust, facilitating citizen services, and generating online revenue. Hackers are actively targeting websites with advanced tools, and advanced security is required to remain protected. A proactive approach to website security helps you meet regulatory mandates such as HIPAA (Health Insurance Portability and Accountability Act) and its requirements for Protected Health Information (PHI). SOC-as-a-Service (SOCaaS) provides 24/7 visibility from security experts with an award-winning Security Information and Event Management (SIEM) that strengthens your website defenses, controls costs, and optimizes your existing IT and security teams.
Constant internet connectivity provides opportunity for innovation and modernization, but also presents an opportunity for potential cybersecurity threats that can compromise your most valuable asset: customer and financial information. Your website is vital for brand visibility and to conduct business. It is crucial to maintain site security and access to the rest of your organization’s data and valuable assets. While there is no silver bullet, we covered some practical countermeasures to help you Own IT. Secure IT. Protect IT. and reduce the likelihood of website attack.
Open source software is an attractive option for many IT leaders and teams, especially at small and mid-sized organizations. Instead of paying large licensing fees to an enterprise software vendor, your team can customize the source code of free open source platforms and security tools.
The overall market for open source software services was worth $30 billion in 2023 and is estimated to hit nearly $120 billion by 2032. That translates to a compound annual growth rate of 16%:
Source: Global Market Insights
Cybersecurity tools corner a large market share of open source software. There are plenty of free open source cybersecurity tools that meet requirements for enterprise-grade security software.
Many of these free open source security tools do not offer the same capabilities as the paid enterprise alternative. Some cybersecurity professionals use open source solutions to test a wide range of options before deciding on the full enterprise security tool they want to integrate.
However, since you can modify the code base of open source security solutions, they may offer greater flexibility than some commercial tools. In this case, it's up to your security team to customize that tool to meet the needs of your unique security posture.
Small and mid-size enterprises often use a combination of free and paid open source tools to improve their organization's cybersecurity in a cost-effective way. Customizing open source solutions to protect digital assets and networks reduces the need to pay licensing fees, but you'll still pay for the infrastructure they use to host and manage those tools.
Kali Linux is an open source Debian-based Linux distribution offering a variety of free software, cyber security utilities and penetration testing tools. It is one of the main open source penetration testing tools that new ethical hackers use to hone their craft.
It is one of the few hacking-focused Linux distributions that comes pre-packaged with tools for reconnaissance and delivering payloads, as well as several other penetration-testing utilities. Use Kali Linux to test cybersecurity postures, discover security vulnerabilities, and conduct ethical hacking operations.
Kali is available for WSL (Windows Subsystem for Linux), which allows users to run its Linux tools directly from a Windows 10 system. The Kali OS also supports embedded devices such as Raspberry Pi, Beaglebone, Odroid, and HP and Samsung Chromebooks, as well as popular mobile device operating systems like Android OS.
KeePass is a free and open source password manager that securely stores passwords. This security tool gives users a single place for their unique passwords for websites, email accounts, web servers or network login credentials.
KeePass works by storing passwords in an encrypted database that is unlocked with a single master key. The database is encrypted with well-established algorithms: AES-256, ChaCha20 and Twofish. It encrypts the complete database, which means user names, notes, and more are encrypted along with the password fields.
Like many open source access management and network security tools, KeePass comes under a freemium model. You can download and use the basic version of the tool for free, but you'll need to pay for the commercial version if you want an advanced range of features like a one-time password generator or built-in browser extension.
Metasploit is an exploitation and vulnerability validation tool that you can use offensively to test your systems for known and open vulnerabilities. It is one of the most popular open source vulnerability scanners available, and independent security professionals often use it for security auditing and network security assessments.
This security tool helps you divide the penetration testing workflow into manageable sections. You can also use it to set up your own workflows. Since it is owned by Rapid7, some of its more valuable security workflows are only available through the commercial solution.
Metasploit enables security teams to conduct a wide range of techniques for auditing and network port scanning, which scans about 250 ports usually exposed to external services. An auto-exploitation feature works by cross-referencing open services, vulnerability references and fingerprints to find corresponding exploits. It supports a variety of platforms but is particularly well-suited to testing web server components in mid-sized Linux environments.
Nikto is a free and open source web server scanner, which scans web servers for multiple vulnerabilities. The testing covers thousands of potential vulnerabilities and harmful files, and additionally conducts patch management for more than a thousand web server systems. The web server scanner finds version-specific problems on hundreds of different servers.
Users can also perform checks for server configuration issues such as the presence of multiple index files and HTTP server options. This open source security tool identifies installed web servers and software as well.
Nikto uses a command-line interface, which makes it well-suited for technically competent security consultants and auditors. However, the project is not a large, well-funded institution, and the package of exploit rules you need to use Nikto effectively is not free. This extra hidden cost can make it less attractive to cybersecurity experts who expect a fully open source vulnerability scanning solution.
Nmap—also called Network Mapper—is used for penetration testing and security auditing. It uses NSE scripts to detect vulnerabilities, misconfigurations and security issues concerning network services.
Nmap discovers hosts and open ports before a security audit starts and then uses the scripts to detect any recognizable security problems. The app collects raw responses and from them determines the host type, the operating system (OS) and the hosts available within the network.
Network administrators can use Nmap also for performing tasks around network inventory, service upgrade schedules and monitoring uptime. It is commonly included in educational courses that focus on cybersecurity technical skills, so many cybersecurity teams are already familiar with it.
The open source security tool runs on Linux, Windows and Mac OS X. While it does have a graphical user interface, most security professionals and penetration testers prefer the command-line tool. It is designed specifically for scanning large networks but can be used to scan single hosts.
OpenVAS is a full-fledged open source vulnerability scanner, free for use. Users can perform unauthenticated and authenticated testing for various high-level and low-level Internet and industrial protocols.
This tool also enables performance tweaking for large-scale scans. Users can perform any type of vulnerability test by taking advantage of its internal programming language.
OpenVAS provides comprehensive vulnerability scanning capabilities for a free solution, and it is supported by an active online community. However, it can be overwhelming for inexperienced users and its interface is not the most modern.
OSSEC is an open source, scalable and multi-platform Host-based Intrusion Detection System (HIDS) that allows organizations to detect malicious activities and analyze security incidents effectively.
Use OSSEC on-premises and in the cloud for the purpose of server protection or as a log analysis tool that monitors and analyzes firewalls, IDSs, web servers and authentication logs.
OSSEC can respond to cyberattacks and system changes in real time using firewall policies and integrations with third parties such as CDNs and support portals. The application features self-healing capabilities and provides application- and system-level auditing for compliance with many common standards such as PCI-DSS and CIS.
OSSEC can be combined with other open source tools to create a functioning Security Information and Event Management (SIEM) solution. Although the process is complex, you can equip it with customized threat detection rules and even add machine learning support for basic behavioral analytics.
Security Onion is a Debian-based Linux distribution for detecting threats, enterprise security monitoring and log management. True to its name, it incorporates multiple layers of security tools such as Elasticsearch, Logstash, Kibana, Snort, Suricata, Zeek, OSSEC, Wazuh, Sguil, Squert, NetworkMiner and others to protect an organization against cyber threats.
It is an all-in-one open source security solution that provides users with various tools to detect threats and monitor their systems, but it relies on a wide variety of third-party open source tools. This adds to the complexity of running operational security systems with Security Onion, since you'll need a technically competent team capable of handling potential security issues across the entire tech stack.
VeraCrypt is a security tool for disk encryption. It runs on Windows, Mac OSX and Linux and creates a virtual encrypted disk within a file before mounting it as a real disk.
This tool encrypts an entire partition or storage device, such as a USB flash drive or hard drive, before you copy it to the cloud or elsewhere. Users can also enable pre-boot authentication by encrypting the partition or drive where the Windows OS is installed.
VeraCrypt encrypts in real-time and supports hidden drives and hidden operating systems on a machine. However, misconfigurations can cause critical file failures and other undesired results. Since VeraCrypt doesn't perform file-by-file encryption, making a change to a single file in a partition will invalidate the entire disk image. Synchronizing encrypted backups with VeraCrypt can be a time-consuming process.
Wireshark is a free and open source tool for network protocol analysis. This cybersecurity tool enables security professionals to observe network traffic at a deep level. It shows each element of individual data packets, allowing analysts to identify the packet format and troubleshoot network issues with great accuracy.
It is available for multiple platforms including Windows, Linux, and macOS. It supports deep inspection of hundreds of protocols, live capture, and offline analysis of network data. Advanced users can decrypt multiple protocols including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
Since Wireshark is designed for manually investigating individual network connections and assets, it does not offer the level of visibility of a full-featured Network Detection and Response (NDR). It is more of a tool for observing specific instances of network traffic in response to potential threats or other issues.
In recent months, the Ivanti product suite has encountered several high-profile vulnerabilities, raising concerns within the cybersecurity community. Since the start of the calendar year, four critical vulnerabilities have been associated with Ivanti Connect Secure, Policy Secure, and Neurons. While the vendor has diligently addressed each vulnerability and deployed mitigations, the recurrence of vulnerabilities within a short timeframe underscores the importance of maintaining vigilance when managing Ivanti products.
Overview of Vulnerabilities
These vulnerabilities, when exploited together, create a high-impact attack chain. For instance, CVE-2024-21893 has been observed being leveraged alongside CVE-2024-21887, resulting in remote code execution. The unauthenticated SSRF vulnerability within CVE-2024-21893 can be used to perform an arbitrary HTTP GET request, which can then be modified to exploit the command injection vulnerability within the '/api/v1/license/keys-status' endpoint, potentially leading to the establishment of a reverse shell with an attacker's machine.
Additionally, CVE-2023-46805, an authentication bypass vulnerability, can be exploited via a path traversal vulnerability found in the "/api/v1/totp/user-backup-code" endpoint. Due to the lack of authentication on this endpoint, adversaries can access public-facing endpoints. This vulnerability has also been observed being exploited in conjunction with CVE-2024-21887, facilitating remote code execution.
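As an added example for defenders (not part of the original advisory and not Lumifi's detection content), the following Python snippet shows one way the chain described above can be spotted in the appliance's web server access logs: it flags requests whose path contains literal or URL-encoded traversal sequences that resolve to either of the two endpoints named above, and requests to the keys-status endpoint whose query string carries shell metacharacters. The log lines are constructed in common log format and do not come from any real system; the traversal and metacharacter patterns are simple heuristics, so treat hits as triage leads to be confirmed against vendor guidance rather than as proof of exploitation.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoints named in the advisories above, mapped to the issue they relate to.
WATCHED_ENDPOINTS = {
    "/api/v1/totp/user-backup-code": "CVE-2023-46805 (authentication bypass via path traversal)",
    "/api/v1/license/keys-status": "CVE-2024-21887 (command injection)",
}
# Literal or URL-encoded '..' path components.
TRAVERSAL = re.compile(r"(\.\./|%2e%2e)", re.I)
# Characters a legitimate license-status query has no reason to contain.
SHELL_META = re.compile(r"[;|&`$]")
# Common log format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not captured from any real appliance).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '203.0.113.10 - - [10/Jan/2024:09:14:05 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status?node=x;y HTTP/1.1" 200 211',
    '198.51.100.7 - - [10/Jan/2024:09:15:40 +0000] "GET /api/v1/license/keys-status HTTP/1.1" 401 88',
    '198.51.100.7 - - [10/Jan/2024:09:16:01 +0000] "GET /api/v1/totp/user-backup-code/%2e%2e/%2e%2e/license/keys-status HTTP/1.1" 200 211',
    '192.0.2.55 - - [10/Jan/2024:09:17:12 +0000] "POST /api/v1/totp/user-backup-code HTTP/1.1" 200 40',
]


def analyze_target(target):
    """Return the reasons (possibly none) a request target matches the heuristics."""
    reasons = []
    decoded = unquote(unquote(target))          # two passes catch double-encoded '..'
    path, _, query = decoded.partition("?")
    normalized = posixpath.normpath(path)       # where the path lands once '..' is applied
    hit = WATCHED_ENDPOINTS.get(normalized)
    if TRAVERSAL.search(target) or TRAVERSAL.search(decoded):
        if hit:
            reasons.append("path traversal resolving to %s, %s" % (normalized, hit))
        else:
            reasons.append("path traversal in request path")
    if normalized == "/api/v1/license/keys-status" and SHELL_META.search(query):
        reasons.append("shell metacharacters in keys-status query, " + WATCHED_ENDPOINTS[normalized])
    return reasons


def scan_log(lines):
    """Return (ip, timestamp, target, reasons) for each line that triggers a heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                               # skip lines not in common log format
        reasons = analyze_target(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, ts, target)
        for r in reasons:
            print("   ", r)
```

Normalizing the path before matching is the important step: the raw request never names the keys-status endpoint directly, so a rule that only looks for the literal endpoint string would miss the traversal variant. The same logic ports directly to a SIEM query language; the regular expressions above are the pieces you would carry over.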
Customer Call to Action
Lumifi's Response
Traditional threat models posit that it is necessary to protect against all attacks. While this may be true for a critical national defense network, it is unlikely to be true for the typical commercial enterprise. In fact, many technically possible attacks are economically infeasible and thus not attempted by typical attackers.
This can be inferred by noting that most users ignore security precautions and yet escape regular harm. Most assets escape exploitation because they are not targeted, not because they are impregnable.
As Cormac Herley points out, “a more realistic view is that we start with some variant of the traditional threat model, e.g., ‘it is necessary and sufficient to defend against all attacks,’ but then modify it in some way, e.g., ‘defense effort should be appropriate to the assets.’ However, while the first statement is absolute, and has a clear call-to-action, the qualifier is vague and imprecise. Of course we can’t defend against everything, but on what basis should we decide what to neglect?”
One way around this is risk classification. The more you have to lose, the harder you must make it for the attacker. If the cost of mounting the attack exceeds what the attacker can monetize from it, a financially motivated attacker will move on because it is not worth the effort.
Want to present a hard target to attackers at an efficient price? Consider our Co-managed SIEM service. You can get 80% of the value of a SIEM for 20% of the do-it-yourself price.
Your SOC is where most of your organization’s security processes take place. Those processes require specialized equipment and expertise. Consolidating that footprint into a single place makes economic sense and drives security performance.
That doesn’t mean every organization has to fill a windowless room with floor-to-ceiling flatscreen monitors and hire dozens of analysts. A small business SOC might run with no more than two or three people, though burnout, and the single points of failure such a small team creates, become real concerns.
Achieving 24/7 alarm monitoring and coverage does require a significant investment in equipment, personnel, training, and maintenance. An effective SOC is more than the physical location where the security team works — it’s also the software and tech stack that team uses to detect and respond to security threats.
Taken altogether, they allow the security team to proactively address security threats and mitigate risks in real-time. Some of the activities that take place there include:
To achieve these goals, the organization must equip its SOC appropriately. Read on to find out how your organization can achieve that and what it might cost, depending on your security needs.
The Security Operations Center has three main components — people, process, and technology. The unit can only function when each of these three components works effectively in tandem.
Security leaders spend a great deal of time optimizing each of these three components and making sure they work together flawlessly. The SOC cannot function without all three components working together.
The first and most important SOC component is its people. It’s also the one that is disrupted most frequently. There are currently 4 million unfilled roles in the cybersecurity industry, which means almost all SOCs work in a resource-strained environment.
The typical SOC has four roles:
Processes are formalized policies that inform security operations. Without comprehensive written policies, SOC team members would be unable to communicate or collaborate effectively.
Successful SOCs have exhaustive sets of policies for addressing a wide range of security threats, technological issues, and more. Many establish policies according to an industry-wide cybersecurity framework like NIST or SANS. Most change and test policies frequently.
A few examples of formal processes you may include in your SOC include:
Your security tech stack determines the capabilities that your team has when detecting and responding to threats. Thousands of different security technologies exist, and every security leader equips the SOC according to its unique needs.
Many security architects build their organization’s capabilities around the SOC Visibility Triad:
Building an effective SOC means accurately identifying the size, scope, and scale of your organization’s security needs. A small business requires a completely different approach than a multinational enterprise or a government organization.
The SOC model you choose will deeply impact the cost of building and maintaining it. Most security architects follow one of the six core SOC models:
Here are the costs you can expect to pay to build an SOC in 2024. These figures assume 24/7 security monitoring and alert coverage for a network supporting 5000 users, with a one-time implementation cost.
Personnel
Equipment
Personnel and equipment are not the only costs associated with building an SOC. You will also have to invest in training, maintenance, and additional support for security operations. This is especially true if your organization is large, complex, or operating in a regulated industry.
Also, you should consider the impact of skills scarcity on your in-house security staff over time. Cybersecurity professionals know that their skills are in high demand, and will ask for better compensation at every opportunity. If you delay raises too long, you may find yourself understaffed when competing organizations offer them a better deal.
Choosing to build an in-house SOC comes with challenges, but many security leaders feel it is the best way to ensure top security performance. Here are some of the pros and cons associated with building and staffing your own dedicated SOC:
Pros:
Cons:
Pros:
Cons:
The cost and complexity of building a fully in-house dedicated SOC makes it infeasible for all but the largest organizations. Given that an industry-wide cybersecurity talent shortage exists, small businesses and enterprises will have to outsource some of their security capabilities to managed service providers.
For many security leaders, the key question is deciding how to split their security program between internal and external solutions. Working with reputable security vendors on value-generating initiatives can make the difference between building a successful SOC or wasting huge amounts of time and resources on implementation projects that don’t succeed.
Your organization may benefit from freeing its internal security team to focus on high-impact strategic initiatives like crafting new policies and improving processes. Bringing in a reputable managed detection and response vendor like Lumifi to mitigate attack risks allows you to make the most of your SOC while leveraging world-class expertise and technology in a sustainable, scalable way.
Artificial intelligence has been an integral part of the cybersecurity industry for several years now. However, the widespread public adoption of Large Language Models (LLMs) that took place in 2023 has brought new and unexpected changes to the security landscape.
LLMs like OpenAI’s ChatGPT, Google’s Bard, and others have opened new capabilities — and new threats — across the global economy. Security leaders in every sector and industry will need to change their approach to accommodate this development.
It’s almost certain that new AI-powered tools will increase the volume and impact of cyberattacks over the next few years. However, they will also enhance the capabilities of cybersecurity leaders and product experts. Lumifi’s Research and Development uses the latest AI tools to refine our MDR capabilities every day.
These developments will likely occur at an uneven pace, typical of a global arms race. Cybercriminals may gain a temporary advantage at some point, only to be subdued by new cybersecurity deployments, and then the cycle will repeat.
This volatile environment should inspire cybersecurity professionals to increase their AI proficiency. Individuals with broad experience, product expertise, and a successful track record will be highly sought after in the industry.
LLMs enable anyone to process large amounts of information, democratizing the ability to leverage AI. This offers significant advantages to people and organizations who want to improve the efficiency, intelligence, and scalability of data-centric workflows.
When the cybersecurity industry was dominated by hardware products, security leaders only changed products when the next version of their preferred hardware was available. Now, AI-powered software can update itself according to each individual use case, requiring security teams to continuously evaluate LLM systems for safety and compliance.
Let’s look more closely at each use case and how it’s likely to evolve as AI technology advances.
There are two major advantages to leveraging LLM capabilities in cybersecurity.
These two benefits will certainly improve over time and lead to new AI capabilities for security teams. SOC analysts may soon be able to read thousands of incident response playbooks at once and identify security gaps and inconsistencies in near real-time.
This will require the creation of a domain-specific cybersecurity LLM capable of contextualizing incident response playbooks at the organizational level. AI-powered SIEM platforms like Exabeam already provide in-depth behavioral analytics for users and assets, and in time we’ll see similar capabilities expanding into threat response and recovery workflows as well.
LLMs are invaluable for threat actors, especially when it comes to gaining initial access to their victims’ assets. By practically eliminating language, cultural, and technical communication barriers between people, they’ve made it much harder for recipients to reliably flag suspicious content.
Cybercriminals are already using AI to enhance and automate operations in four key areas:
According to one report, phishing attacks have surged more than 1200% since ChatGPT was first released in November 2022. Credential phishing attacks have risen by an astonishing 967% in the same time frame.
It’s no secret that influential tech leaders and investors are pouring significant resources into AI. Some thought leaders warn that the emerging technology will change every aspect of our lives — going so far as to say we’re charging headfirst into an AI apocalypse fueled by the development of Artificial General Intelligence (AGI).
While the technology is new, exaggerating the danger of disruptive technology is a familiar cycle. Plato was famously skeptical of writing, and 16th century Europeans destroyed printing presses out of fear. It’s normal to be anxious about new technology.
Like writing, printing, and every other technology before it, artificial intelligence has limitations. Security leaders who understand those limitations will be able to navigate the challenges of a society increasingly reliant on AI-powered technologies.
Many tech leaders think this is an engineering problem and believe that eventually LLMs will contextualize information with human-like accuracy.
This may not be true. We still don’t know how the human brain contextualizes information and articulates it into language. Contextualizing insight by combining data with real-world experience remains a task best-suited to human experts.
1. AI-powered workflows are resource-intensive
According to the International Energy Agency, training a single AI model uses more electricity than 100 US homes consume in a year. A typical ChatGPT query consumes 2.9 watt-hours of electricity — about the same amount of energy stored in a typical AA battery.
By comparison, the human brain consumes about 300 watt-hours of energy per day. Yet it accomplishes significantly more during this time than even the most efficient LLMs.
This suggests that there’s more to improving neural network performance than simply adding more nodes and introducing more parameters. It also places an upper limit on the feasibility of increasingly energy-intensive AI processes. At some point, the costs will outweigh the benefits.
2. AI models have difficulty contradicting consensus
AI training models operate on consensus. If a significant majority of parameters suggest that a certain LLM response is likely to be correct, the LLM will confidently declare the corresponding answer. If the training set data is not accurate, the answer won’t be either.
When it comes to pure facts, overcoming this limitation may be technically feasible. But when it comes to opinions, values, and judgements, AI-powered tools are not equipped to offer anything but the most basic responses.
This means that even highly advanced future AI tools may not be able to make convincing arguments against popular consensus. It’s easy to see how this can lead to severe security consequences, especially in cases where popular wisdom turns out to be wrong.
3. You can’t credit (or blame) AI models for the decisions they make
AI ethics remains a challenging issue for technology experts, cognitive scientists, and philosophers alike. This problem is deeply connected to our lack of understanding of human consciousness and agency.
Currently, there is no real consensus about the moral status of artificially intelligent algorithms. This makes it impossible to attribute moral decisions to AI-powered tools or claim they know the difference between “right” and “wrong”.
We can’t treat AI algorithms as moral agents without also attributing some form of “personhood” to them. Most people strongly doubt that LLMs like ChatGPT are “people” in that sense, which means someone else must take responsibility for the decisions that AI algorithms make — including their mistakes.
Security leaders are beginning to distinguish between generative AI and predictive AI. While people are understandably excited about generative AI, the true information security workhorse is predictive AI, which is a must-have technology in today’s security operations center environment.
As the stakes of AI-powered cybercrime get higher, leaders will become increasingly risk averse. Few executives or stakeholders will be willing to risk their livelihoods on unproven security solutions and vendors.
In this scenario, security leaders who entrust their detection and response workflows to reputable product experts with proven track records will be rewarded. If your detection and response provider doesn’t leverage proven AI expertise in its blue team operations, it will eventually fall behind.
Positive security incident outcomes may become difficult to achieve, but guaranteeing them will be crucial. Learn more about how Lumifi achieves this critical goal by combining AI-enriched data with human expertise and best-in-class automation. Secure your spot for our webinar, Unveiling ShieldVision's Future & New Series of Enhancements, taking place on February 14th to learn more.
Lumifi is a managed detection and response vendor with years of experience driving consistent results with the world’s most sophisticated AI technologies. Find out how we combine AI-enhanced automation with human expertise through our ShieldVision™ SOC automation service.
The cybersecurity industry is notorious for coining terms and acronyms that rise and fall out of favor before they even have a chance to be fully understood. We get it – rapid innovation can be messy and lead to confusion and clutter. While it’s exciting and encouraging to see so many solution providers invent new solutions and improve upon others, resulting in new concepts, sometimes all of this terminology is honestly just an effort to stand out from the crowd. As a result, business and IT leaders are left wondering what cybersecurity solutions they truly need, which ones are redundant, and which ones are complementary.
So, this is Lumifi’s effort to clear the air, to help you separate fact from fiction, and ultimately make the best choice in cybersecurity solutions for your organization.
This has been a hot term in recent years. Managed Detection and Response (MDR) is actually missing a word. That assumed word is “threat”, as in managed threat detection and response. Some argue that the missing word is “endpoint”, but then again, that gets into EDR, which yes, could be delivered as a managed service…but we’ll get into that later.
What exactly constitutes MDR? MDR isn’t a technology – it’s a service. What makes MDR unique is its focus on leveraging technology and expertise to continuously monitor IT assets, to quickly detect and effectively respond to true cybersecurity threats.
The technology behind an MDR service can include an array of options, and this is an important thing to understand when evaluating MDR providers. The technology stack behind the service determines the scope of attacks it is able to detect. Cybersecurity is about “defense-in-depth” – having multiple layers of protection to counter the multiple attack vectors possible. Various technologies are used to provide more complete visibility and thus more complete detection and response capabilities. To name a few, some of the technologies behind an MDR service include:
If MDR is about managed threat detection and response, what is EDR? EDR stands for endpoint detection and response. Again, that word “threat” is missing, as the name of the game isn’t detecting that endpoints exist. EDR is sometimes referred to, less commonly but more correctly, as ETDR. The difference between MDR and EDR is scope. EDR is focused on threat detection and response on the endpoint environment specifically. This means that EDR is focused on activity on the device as opposed to on the network – think laptops, servers, and critical business devices like POS systems.
To better understand what EDR is and is not, you first have to realize that “detection and response” are only two elements of the Predict, Prevent, Detect, and Respond cybersecurity framework. For full disclosure, in true cybersecurity fashion of having competing and overlapping terminology, this is very similar to the NIST Cybersecurity Framework’s five functions of: identify, protect, detect, respond, recover. But stay with me, let’s understand this in light of the Predict, Prevent, Detect, and Respond framework.
EDR deals with threats that have gotten past the Predict and Prevent functions. Very important – yes, but not a complete endpoint protection platform. Which brings us to our next term – EPP.
EPP stands for endpoint protection platform. Don’t worry about the introduction of the term “platform” at this point, as that can start a whole other nerd fight here. Rather, focus on the term “protection”. While EDR focuses on detecting and responding to endpoint threats, EPP is more complete in that it covers the four cybersecurity functions of Predict, Prevent, Detect, and Respond while still being solely focused on the endpoint environment. As such, EPP solutions to various degrees may encompass EDR. But the devil is in the details. What’s important to note is since no EPP is 100% effective, you must ask what detection and response you have in place for attacks that evade the prevention controls.
Speaking of prevention, EPP is more commonly replacing the basic prevention solutions like anti-virus and anti-malware that are only effective to various degrees against known threats. More advanced EPP solutions leverage Artificial Intelligence (AI) to increase the ability to thwart unknown or zero-day attacks, or even fileless attacks that don’t leave signature-based footprints.
In short:
MDR is a managed cybersecurity service backed by various technologies to provide a range of threat detection and response capabilities to mitigate damage caused by cyber attacks that evade prevention controls. The layers of technology employed, and vigilance and expertise of the staff determine how truly effective an MDR provider can be.
EDR is similar in purpose but focused on endpoint environments only. EDR solutions may be technology-only or a managed service – as in Managed EDR. I apologize now for adding that term to the mix.
EPP is a more comprehensive protection covering the lifecycle of a threat, from prediction and prevention to detection and response. However, how effective it is on each of those four functions varies from vendor to vendor.
No, we’re not gaslighting you. We have another detection and response term. The “X” in XDR conveys the concept of threat detection and response across multiple security controls – considering both endpoint and network activity. Yes, endpoint and network threat detection and response is a natural evolution, or perhaps convergence, of several solutions, primarily SIEM and EPP. You may begin to see more buzz around XDR, but in reality, it’s a useful term to denote that a solution is capable of aggregating and correlating telemetry from many security controls to more holistically defend the IT infrastructure. Just remember that this term alone does not encapsulate which specific controls are included. Nor does it imply that the solution is managed by a Security Operations Center (SOC) team.
But that’s not all. What’s an MSSP? A Managed Security Service Provider is broader in nature and refers to an organization (people + technology), not a single service. While MDR is a service many MSSPs deploy, which focuses on active threat detection and response, an MSSP is also concerned with centralized log management for compliance reporting and investigative reports. An MSSP should also have a robust, fully-staffed SOC equipped with technology – typically a SIEM-based platform – and a range of cybersecurity experts including security platform administrators, security analysts, malware analysts, a threat intelligence lab, and incident response analysts. Generally speaking, an MSSP has the wherewithal to bring MDR, EDR, and EPP functionality to bear in a complete package. This may be most ideal for resource-strapped IT teams that must focus on more than just cybersecurity and want the confidence of knowing a team of experts with the right tools are watching their back.
Highlights from the 2016 Verizon Breach Investigations Report (Part 1 of 3)
The 80-page 2016 Verizon Breach Investigation Report is packed with valuable insights that every business owner should be aware of, to be informed about the dangers and effects of a data breach and how to prevent one.
We know time is valuable so we decided to save you some time and point out to you the 3 main topics you should understand from this report:
1. Who is at risk and why?
2. What tools are hackers using to access businesses’ networks?
Unfortunately, there is no region, industry or organization that is risk-free from hackers. Every business possesses valuable information that attracts hackers.
However, some industries get impacted more than others.
As per the report’s definition, an incident is a security event that compromises the confidentiality, integrity, or availability (CIA) of an information asset. A breach is the confirmed disclosure, not just the potential exposure of data to an unauthorized party.
The financial services industry took the lead with 795 breaches in 2015.
This should not be a surprise, as the information that financial firms and banks hold is vital. Hackers entering the network of any of these businesses in the financial industry will have access to customers’ account numbers, social security numbers, date of birth, addresses, and it goes on. This is all a hacker needs to steal a person’s identity and sell it.
"The financial sector ranks behind healthcare and pharmaceuticals in per capita data breach cost at $259 per record lost. In 2015 alone, over 169 million records were exposed."
The accommodation (lodging) industry was greatly impacted last year and stands in second place with 282 breaches.
Trump’s hotels and Rosen Hotels & Resorts were just a couple of the hotels that made the headlines. In these particular breaches, their payment card network was the one infected.
This means that names, payment card numbers, expiration dates and CVV codes for cards used at these hotels were collected by hackers - different data than that obtained from financial businesses, but vital nonetheless.
The fact that the payment card network was hacked shows that it can happen to just about any business who takes credit cards, not just hotels.
Rounding out the top 5 industries breached in 2015 are finance (795), accommodation (282), information (195), public (193) and retail (137).
Whether your business’ industry made the top 5 or not, it doesn’t mean you are off the hook. Regardless of size, industry or location, any business that holds customers’ data in their network, processes payment data or offers free Wi-Fi to guests, is an attractive target to hackers. Does your business fall into one of these 3 categories?
Yet another recent report confirms the obvious, that SMBs in general do not take security seriously enough. The truth is a bit more nuanced than that, of course—SMB execs generally take security very seriously, but they don’t have the dollars to do enough about it—although it amounts to the same thing.
This year, though, SMBs are going to have to look at security differently. Why? Because enterprise execs are repeatedly seeing their own networks hurt because of less-than-terrific security from SMB partners that do distribution, provide supplies or handle anything from backup to bookkeeping. Faced with their own security mandates—whether from PCI, HIPAA, the European Union or any other external body—they are going to crack down on SMB partners.
Hence, unless you want those enterprise-level contracts to take a walk, your security return-on-investment (ROI) calculation just got a lot messier.
What new actions can SMBs expect from their enterprise-level partners in 2016? Until now, most have satisfied their obligations and kept their corporate counsels at bay through contractual agreements. In short, they put in their partner contracts that the partner is obligated to comply with a laundry list of security measures. Write it down, make SMB partners sign it and they’re all done.
The problem with enterprises going solely with the contractual obligation route is that the proverbial stick (as in carrot and stick) is limited to reactive situations. If something bad happens with the enterprise operation’s security and a forensic investigation eventually points the finger at the SMB partner and that probe specifically concludes that the SMB had violated the contract’s obligations, that SMB partner doesn’t merely lose the contract. They will also certainly be sued for the resultant damages, which could easily bankrupt some SMBs. That’s sufficient incentive/deterrent, right?
Not anymore. From the enterprise’s perspective, that stick only kicks in after a breach and only if enough evidence exists to tie it back to the SMB partner. Given the ever-increasing talent of many cyberthieves to hide and delete their trails, it’s a gamble that many cash-strapped SMBs are willing to take. What are the odds of both of those things happening, those SMB execs think, given the vast security arsenal deployed by their multi-billion-dollar enterprise partner?
Therefore, to up the real—as opposed to merely pledged—compliance with its SMB-partner security rules, enterprises are going to start surprise snap inspections and demanding access to sensitive IT systems. Some might even go so far as to try and entrap partners by creating fake sub-suppliers to respond to the SMB partner’s RFPs and see if they follow the rules and demand what they are supposed to demand.
Why would enterprises go through this effort, seemingly to hurt partners? Because that’s what will be required. If XYZ enterprise doesn’t loudly and publicly expose and punish a couple of SMB partners, a sufficient deterrence won’t exist.
The whole point here is to change that SMB exec’s ROI calculation. By increasing the number of ways an SMB partner’s lack of security compliance can be caught/detected, they want that ROI to force those partners to invest the security dollars. The rationale is essentially: “If you won’t invest in security because you need to for your own company’s protection, or because you have signed a contract that you will, then do so because we need to make an example of somebody and you don’t want that to be you.”
Next Step: how to deliver the most cost-effective security. Once you have conceded to the new ROI calculations and have decided that you must increase your security budget, the natural inclination—especially in an SMB environment—is to calculate the absolute minimum dollars to comply.
This is also known as checklist security, which is frowned upon. That said, it’s a step-up from rolling the dice that you won’t get caught. Here’s a trick: Guarantee your safety by having your people work with the enterprise partner’s IT security people on what your options are.
You may be surprised at how reasonable they can be. The best part is that by doing so—in e-mail as much as possible, to create a powerful paper trail—you are protected. Despite the bogus reputation of enterprise IT that they don’t sweat pricing details, they do. No one is better at squeezing a contractor nickel than a Fortune 500 IT security manager.
Not only will they steer you to the most cost-effective options, but they might even make a referral for you, so that you can benefit from a small taste of your partner’s volume-purchasing pricing. They might even help you out by participating directly in those vendor calls. After all, you are a partner.
And because you are working with them—and don’t forget that paper trail—you can’t be blamed for choosing whoever the enterprise IT people suggested.
OK, in reality, you can be blamed for anything.
The Georgia based fast food company, Chick-fil-A, has confirmed that it is investigating a potential credit card breach.
The investigation is focused on the company’s point-of-sale (POS) network at some of its restaurants and the breach is thought to have occurred between December of 2013 and September of 2014.
Brian Krebs, an Internet blogger who specializes in banking security, reported that one financial institution claims that the common thread among approximately 9,000 of its affected customers are purchases at Chick-fil-A restaurants.
It is important to stress that security breaches of this nature can be caused by a variety of issues – newly discovered software flaws, lax security from a service provider, insider fraud, weak network security and countless other avenues.
There is also the possibility that the data which has been compromised did not originate from Chick-fil-A at all.
Theft can occur at numerous places along the payment chain. For example, it may be necessary to examine the bank where the electronic transactions were processed.
In one sense, it does not matter how the breach occurred. The fact that credit cards at a major corporation have once again been stolen highlights the threat that all quick serve restaurants and retailers of every size are facing from data thieves.
Businesses interested in keeping their networks and data secure should start with simple security measures that can effectively mitigate the growing problem that hackers represent.
While nothing is fool proof, the following suggestions could have prevented most (if not all) of the breaches that have garnered so much attention in the past 12 months:
The first step in stealing data is finding an avenue into the targeted business.
All of a business’ data circuits and its Internet connections must be protected by a robust and adaptable firewall, protecting the business from unwanted incoming traffic.
When permitting remote access to a network for the management of POS and other systems, it is essential that this access is restricted and secure.
At a minimum, access should only be granted to individual (not shared) user accounts using 2-factor authentication and strong passwords. Remote access activities should also be logged so that an audit trail is available.
It is critical to keep all anti-virus / anti-malware software up to date with the latest versions and definitions.
The companies that make anti-malware software monitor threats constantly and regularly update their packages to include preventative measures and improvements to thwart malware seen in other attacks.
Much like anti-virus / anti-malware updates, Point-of-Sale manufacturers are constantly improving their software to prevent hackers from stealing data, especially if a criminal manages to bypass the built-in security.
It is essential that the latest security releases and patches be installed on all POS systems.
In addition to blocking unwanted traffic from getting into a location, it is always a good practice to selectively block outgoing traffic as well.
Many modern breaches involve software that becomes resident on your network and then tries to send sensitive data to the hacker’s system via the Internet. No system can completely prevent unwanted malware or viruses, so a good last line of defense is making sure secure data doesn’t leave your network without your knowledge. The same firewall used in Step One should be configured to monitor outgoing traffic as well as incoming.
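As an added example (not code from the original article or from any vendor named in it), the following PowerShell script checks a Windows-based POS host against the five controls described above: firewall enabled, restricted remote access, current anti-malware, recent patching, and a default-deny egress policy. It is read-only and runs in an elevated session on the host; the shared-account name patterns, the age thresholds, and the outbound-rule review threshold are assumptions chosen for illustration, and two items that cannot be verified locally (2-factor authentication at the remote access gateway, POS vendor patches) are reported as manual checks.

```powershell
# Added example: baseline check of a POS host against the five controls above.
# Assumed values: shared-account name patterns and the age/rule-count thresholds.
$SharedAccountPatterns = @('pos*', 'admin', 'vendor*', 'support*', 'guest')  # assumed
$MaxSignatureAgeDays   = 3    # assumed threshold
$MaxPatchAgeDays       = 45   # assumed threshold
$MaxOutboundAllowRules = 25   # assumed review threshold

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [string]$Check, [string]$Result, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Check = $Check; Result = $Result; Detail = $Detail })
}
function PassFail([bool]$ok) { if ($ok) { 'PASS' } else { 'FAIL' } }

# 1. Firewall: every profile enabled and not allowing unsolicited inbound traffic.
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding 'Firewall' "Profile $($p.Name) enabled, inbound not Allow" `
        (PassFail ($p.Enabled -and $p.DefaultInboundAction -ne 'Allow')) `
        "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# 2. Remote access: RDP requires Network Level Authentication and no shared or
#    generic accounts are in the Remote Desktop Users group.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
Add-Finding 'Remote access' 'RDP requires NLA' (PassFail ($nla -eq 1)) "UserAuthentication=$nla"

$rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
$shared = @($rdpUsers | Where-Object {
    $name = ($_.Name -split '\\')[-1]
    @($SharedAccountPatterns | Where-Object { $name -like $_ }).Count -gt 0
})
Add-Finding 'Remote access' 'No shared accounts in Remote Desktop Users' (PassFail ($shared.Count -eq 0)) `
    $(if ($shared.Count) { $shared.Name -join ', ' } else { 'none matched' })
Add-Finding 'Remote access' '2-factor authentication enforced' 'MANUAL' 'Verify on the VPN / remote access gateway, not on the host'

# 3. Anti-malware: real-time protection on and signatures current (Microsoft Defender).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Add-Finding 'Anti-malware' 'Real-time protection enabled' (PassFail $mp.RealTimeProtectionEnabled) "RTP=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'Anti-malware' "Signatures younger than $MaxSignatureAgeDays days" `
        (PassFail ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)) "AgeDays=$($mp.AntivirusSignatureAge)"
} else {
    Add-Finding 'Anti-malware' 'Defender status readable' 'MANUAL' 'Get-MpComputerStatus returned nothing; check third-party AV manually'
}

# 4. Patching: the OS has received an update recently. POS application patches are
#    vendor-specific and left as a manual item.
$lastFix  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Finding 'Patching' "OS update within $MaxPatchAgeDays days" (PassFail ($patchAge -le $MaxPatchAgeDays)) "Last=$($lastFix.HotFixID) AgeDays=$patchAge"
Add-Finding 'Patching' 'POS software at latest vendor security release' 'MANUAL' 'Compare installed POS version with vendor advisories'

# 5. Egress: outbound default is Block, so data can only leave via an explicit allow
#    rule, and the number of such rules is small enough to be reviewed by hand.
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding 'Egress filtering' "Profile $($p.Name) outbound default Block" `
        (PassFail ($p.DefaultOutboundAction -eq 'Block')) "Outbound=$($p.DefaultOutboundAction)"
}
$allowOut = @(Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True -ErrorAction SilentlyContinue)
Add-Finding 'Egress filtering' "At most $MaxOutboundAllowRules enabled outbound allow rules" `
    (PassFail ($allowOut.Count -le $MaxOutboundAllowRules)) "$($allowOut.Count) enabled outbound allow rules"

$findings | Format-Table Control, Check, Result, Detail -AutoSize -Wrap
```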
These suggestions might on the surface seem simplistic, but almost every major breach in the last 12 months failed to incorporate at least one of them.
Of course, this list is not an all-inclusive way to prevent every type of credit card theft, but it is interesting to ponder how much theft could have been prevented if just these five elements had been implemented correctly.
Remember that it costs nothing for data thieves to attempt to hack a business, so for them every business is a worthwhile target.
Netsurion specializes in providing state-of-the-art cloud-based firewall solutions tailored for organizations like Chick-fil-A, and has been a leader in the field for more than seven years.
2017 has been a banner year for IT Security. The massive publicity of attacks like WannaCry has focused public attention like never before on a hitherto obscure field. Non-technical people, including board members, nod gravely when listening as the CISO or a wise friend harangues them for attention, behavior change or budget on the topic of IT Security. It’s in a way comforting to think that such attention is a good thing. After all, there’s no such thing as bad publicity, right? This is certainly the age of “I don’t care what the newspapers say about me as long as they spell my name right”.
Not so fast, my friend. Despite all of the attention, all of the massive investment by venture funds in IT Security, all of the hand wringing and tut-tutting after the latest attack makes the front pages, there are some deeply rooted inconsistencies if you look closely at the scene.
Paradox #1: More data, less information
For some time now, we have been drowning in data but starving for insight. This recent survey of CIOs shows that:
In 2010, Eric Schmidt, of Google noted that every two days, we create as much information as we did from the dawn of civilization up to 2003. Data is everywhere, but insight is not. Why? Because the barriers to producing data are so low. In the Middle Ages, when paper was a sign of wealth, and books were locked up in monasteries, knowledge was considered valuable and creating it was costly. Today the challenge is different. We live at the opposite extreme, where instrumentation in practically every network connected device emits data, nonstop. The challenge, as always, is what does it all mean, to me, now? That level of insight continues to be elusive. Getting at it requires a mix of technology, data science and domain expertise and process discipline — a trifecta that is rare.
Paradox #2: More connectivity, less understanding
Today more and more of our lives are online. Every desktop, phone, tablet, watch, automobile and x-ray machine is online and generating reams of data. Networks are interconnected leading to even larger networks. So much so that no less a personage than Elon Musk worries that Skynet is about to become self-aware. Sure, connectivity has created tremendous positive changes, including new markets in developing nations, efficiencies in the marketplace and benefits for social interaction that were unthinkable a mere decade ago. But the same connectivity that lets you travel the globe in one click works the other way also. Deplorables from far flung locales can be at your doorstep with one click.
The sprawling network also begets the problem of not knowing your “home” turf. There is increasingly less understanding of the ways into and out of complex interconnected networks, which makes them harder to defend. And what of the Mir Jafars amongst us — the scary thought of the insider threat? Effective defense demands actionable intelligence. It’s essential to answer the 4 Ws (who, what, where, when), but prevention and effective countermeasures require the 5th W (why), which is knowing motive, i.e., understanding. In his blog, David Bianco describes network defense as defenders working to push attackers up the pyramid of pain. The highest form of defense is to understand the attackers’ tactics, techniques and procedures (TTP) so as to deny them their prize.
Paradox #3: The wisdom of crowds, the irrelevance of crowds
The latest buzzword in IT Security circles for the past couple of years has been threat intelligence, or crowd-sourced observations of bad behavior with the attendant publishing of these actors and their actions on a global scale. If the bad guys collaborate and share info on TTPs (ransomware as a service?) then should defenders do the same? Should every defender be left to analyze artifacts from the past and work in isolation to determine the future?
Surely the answer is no, and yet there’s the question of applicability and relevance to our specific network. If Ivan the Terrible is on the rampage in Kazakhstan, should the sheriff of Middleburg, VA worry and shore up his defense against the TTP used there? Probably not. And so the paradox. While crowds can give you a million eyes, it doesn’t necessarily translate into actionable intelligence to defend your network.
Disruption is a good word, signifying creativity and innovation—shaking up things in a good way. But disruption often has unintended consequences. More information, connectivity and crowdsourcing are also shrinking insight, eroding understanding and empowering irrelevant data points. These are points to ponder as we journey deeper into this 21st century.
Tip of the hat to Amy Zegart whose article in The Atlantic got the neurons firing.
Unstructured data access governance is a big compliance concern. Unstructured data is difficult to secure because there’s so much of it, it’s growing so fast, and it is user-created, so it doesn’t automatically get categorized and controlled like structured data in databases. Moreover, unstructured data is usually a treasure trove of sensitive and confidential information in a format that bad guys can consume and understand without reverse engineering the relationships between tables in a relational database.
Most of this unstructured data is still found on file shares throughout the network, and file system permissions are the main control over this information. Therefore, knowing when permissions on unstructured data change is critical to governance and control. File permissions should normally be fairly static, but end-users are (by default) the owner of the files and subfolders they create and can therefore change permissions on those files. And of course, administrators can change permissions on any object. Either way, you need to know when this happens. Here’s how to do it with the Windows Security Log.
First we need to enable the File System audit subcategory. You’ll find this in any group policy object under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access. Enable File System for success. (By the way, make sure you also enable Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings to override audit policy category settings, to make sure your audit policy takes effect.) Now you need to enable object-level auditing on the root folders containing your unstructured data. For example, if you have a shared folder called c:\files, go to that folder in Windows Explorer, open the Security tab of the folder’s properties, click Advanced and select the Auditing tab. Now add an entry for Everyone that enables successful use of the Change permissions right, as shown below.
At this point Windows will begin generating two events each time you change permissions on this folder or any of its subfolders or files. One event is the standard event ID 4663, “An attempt was made to access an object”, which is logged for any kind of audited file access like read, write, delete, etc. That event will show WRITE_DAC under the Access Request Information, but it doesn’t tell you what the actual permission change was. So instead, use event ID 4670, “Permissions on an object were changed”, which provides the before and after permissions of the object under Permissions Change, as shown in the example below.
“What does D:AI(A;ID;FA;;;AU)(A;ID;FA;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU) mean?” This is the original access control list of asdf.txt but in the very cryptic Security Descriptor Definition Language (SDDL). SDDL definitely isn’t something you want to manually parse and translate on a regular basis, but you can when necessary.
Look for the “D:”, which is close to the beginning of the string, or even the very beginning in this case. “D:” means Discretionary Access Control List (DACL), which is the list of actual permissions on the object, as opposed to the other things that show up in a security descriptor – like owner, primary group and the audit policy (aka SACL). Until you hit another letter-colon combination like “S:” you are looking at the object’s permissions. An ACL is made up of Access Control Entries (ACEs), which correspond to each item in the list you see in the Permissions tab of an object’s properties dialog. But in SDDL, before listing the ACEs comprising the ACL, you will see any flags that affect the entire ACL as a whole. In the example above you see AI as the first element after D:. AI stands for SDDL_AUTO_INHERITED, which means permissions on parent objects are allowed to propagate down to this object.
Now come the ACEs. In SDDL, each ACE is surrounded by parentheses and the fields within it are delimited by semicolons. The first ACE in the event above is (A;ID;FA;;;AU). The first field tells you what type of ACE it is – either A for allow or D for deny. The next field lists any ACE flags that specify whether this ACE is an inherited ACE propagated down from a parent object and if and how this ACE should propagate down to child objects. The only flag in this ACE is ID, which means the ACE is in fact inherited. The next field lists the permissions this ACE allows or denies. In this example FA stands for all file access rights. The next 2 fields, Object Type and Inherited Object Type, are always blank on file system permissions (hence the 3 semicolons in a row); they are only used in places like Active Directory where there are different types of objects (user, group, computer, etc.) that you can define permissions for. Finally, the last field is Trustee and identifies the user, group or special principal being allowed or denied access. Here you will either see the SID of the user or group or, if the ACE applies to a so-called “well-known” SID, the corresponding acronym. In this example AU stands for Authenticated Users.
Event ID 4670 does a great job of alerting you when permissions change on an object and telling you which object was affected and who did it. To go further and understand what permissions were actually changed you have to dive into SDDL. I recommend Ned Pyle’s 2-part TechNet blog, The Security Descriptor Definition Language of Love, for more information on SDDL.
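To show what the SDDL walk-through above amounts to in practice, here is an added example (not code from the original post or from Randy Franklin Smith) that decodes the D: section of an SDDL string, then diffs the Original and New Security Descriptor fields of a 4670 event to report which ACEs were added or removed and who changed them. The original descriptor is the one quoted on the page; the new descriptor, the account name, the object path and the layout of the event text are constructed for the example, and the SID and rights tables cover only a subset of the abbreviations SDDL defines.

```python
import re
from dataclasses import dataclass

# Subset of the well-known SID abbreviations SDDL uses in the trustee field.
# Anything not listed is passed through unchanged (normally a literal S-1-5-... SID).
WELL_KNOWN_SIDS = {
    "AU": "Authenticated Users", "WD": "Everyone", "BA": "Builtin Administrators",
    "BU": "Builtin Users", "SY": "Local System", "CO": "Creator Owner",
}
# Rights abbreviations and their access masks (file-specific plus the generic rights).
RIGHTS = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ACE_FLAGS = {"ID": "Inherited", "CI": "ContainerInherit", "OI": "ObjectInherit",
             "NP": "NoPropagate", "IO": "InheritOnly"}
ACL_FLAGS = {"P": "Protected", "AI": "AutoInherited", "AR": "AutoInheritRequired"}
WRITE_DAC = 0x40000  # the access bit that lets a trustee change permissions itself


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: tuple
    mask: int
    trustee: str


def _tokens(text, table):
    """Split a run of SDDL abbreviations ('PAI', 'CIOI') into the tokens in `table`."""
    out, i = [], 0
    while i < len(text):
        if text[i:i + 2] in table:
            out.append(text[i:i + 2])
            i += 2
        elif text[i] in table:
            out.append(text[i])
            i += 1
        else:
            raise ValueError(f"unknown SDDL token at {text[i:]!r}")
    return out


def _rights_mask(field):
    """Rights are either a hex mask (0x1200a9) or concatenated abbreviations (FA, GRGX)."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return sum(RIGHTS[r] for r in _tokens(field, RIGHTS))


def parse_dacl(sddl):
    """Return (acl_flags, [Ace, ...]) for the D: section of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section in SDDL string")
    acl_flags = _tokens(m.group(1), ACL_FLAGS)
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", m.group(2)):
        parts = raw.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE {raw!r}")
        ace_type, flags, rights, _obj_type, _inh_obj_type, trustee = parts
        aces.append(Ace(ACE_TYPES.get(ace_type, ace_type),
                        tuple(ACE_FLAGS[f] for f in _tokens(flags, ACE_FLAGS)),
                        _rights_mask(rights),
                        WELL_KNOWN_SIDS.get(trustee, trustee)))
    return acl_flags, aces


def diff_dacl(old_sddl, new_sddl):
    """ACEs present only in the new descriptor, and ACEs present only in the old one."""
    _, old = parse_dacl(old_sddl)
    _, new = parse_dacl(new_sddl)
    return [a for a in new if a not in old], [a for a in old if a not in new]


# Constructed 4670 event text: the original descriptor is the one quoted on the page,
# the new one is invented to show one inherited ACE removed and one explicit ACE added.
SAMPLE_4670 = """\
Permissions on an object were changed.
Subject:
    Account Name:       tamas
    Account Domain:     CORP
Object:
    Object Name:        C:\\files\\asdf.txt
Permissions Change:
    Original Security Descriptor:   D:AI(A;ID;FA;;;AU)(A;ID;FA;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)
    New Security Descriptor:        D:AI(A;ID;FA;;;AU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;;FA;;;S-1-5-21-1111-2222-3333-1105)
"""


def _field(text, label):
    m = re.search(rf"{re.escape(label)}:\s*(\S+)", text)
    return m.group(1) if m else None


def explain_4670(event_text):
    """Decode a 4670 event into who changed what, and which ACEs were added or removed."""
    added, removed = diff_dacl(_field(event_text, "Original Security Descriptor"),
                               _field(event_text, "New Security Descriptor"))
    return {
        "actor": _field(event_text, "Account Name"),
        "object": _field(event_text, "Object Name"),
        "added": added,
        "removed": removed,
        # An added Allow ACE that carries WRITE_DAC lets that trustee change permissions again.
        "new_write_dac_trustees": [a.trustee for a in added
                                   if a.ace_type == "Allow" and a.mask & WRITE_DAC],
    }


if __name__ == "__main__":
    for key, value in explain_4670(SAMPLE_4670).items():
        print(f"{key}: {value}")
```

The diff is by whole ACE, so an ACE whose flags changed (for instance an inherited entry replaced by an identical explicit one) shows up once in each list; that is usually what you want, since a change from inherited to explicit is itself worth noticing. The `new_write_dac_trustees` field singles out the case the post warns about: a newly added entry that lets its trustee change the permissions further.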
Is your organization still using Windows 7? Microsoft support is coming to a close in a few short months. If you think end-of-support for legacy systems doesn’t impact your organization, think again.
Microsoft ends all support for Windows 7 on January 14, 2020. This end-of-support means no more Windows 7 patching, bug fixes, or security updates to protect older systems that may include your e-commerce server or point-of-sale (POS) system or financial database with Personally Identifiable Information (PII).
How pervasive is the Microsoft Windows 7 user base? According to Dublin-based StatCounter GS, the global Windows 7 Service Pack 1 (SP1) market share is still 33.6% as of May 2019. Windows 7 will become increasingly vulnerable without security updates. Anecdotal evidence garnered from threats like WannaCry following Windows XP end-of-support suggests that adversaries will step up attacks on Windows 7 users, as these organizations have lower security maturity, making them attractive targets.
Migrating Windows 7 operating systems (OS) requires time and money and with just months remaining until January 2020, you need to come up with a plan. These Windows cycles might especially impact small and medium-sized businesses (SMBs) who have more finite IT teams lacking skill sets to address the changes. While it might be tempting to look for workarounds, this is the end of the line for Windows 7. Non-compliance penalties for HIPAA (Health Insurance Portability and Accountability Act) or PCI DSS (Payment Card Industry Data Security Standard) are likely to far outweigh the risk and expense of migrating and being compliant.
Performance and security are two areas that have evolved considerably over the last three or four years, and your organization may have some unique considerations to assess in order to optimize your limited resources. Recent technical advancements mean that you can improve security and protection all while reducing complexity and cost. Here are some crucial questions that you may be asking as you move ahead, or even wrap up your Windows 7 migration.
Microsoft will discontinue all Windows 7 support on January 14, 2020. Microsoft has been forthcoming about the Windows product lifecycle, so this should not come as a surprise. However, you may have found that day-to-day IT priorities and security firefighting has overtaken migration planning. Allocating resources for migration may be a challenge for organizations such as city and state government, as well as educational institutions. Windows 7 is not the only product facing end-of-support. Here is a list of Microsoft support deadlines to note:
| Product | End-of-Support Date |
|---|---|
| Windows 7 Service Pack 1 | January 14, 2020 |
| Windows Server 2008 R2 SP1 | January 14, 2020 |
| SQL Server 2008 SP4 | July 9, 2019 |
| Office 2010 | October 13, 2020 |
The time to mobilize is now. Develop a migration plan that encompasses any IT timelines that your vertical industry or organization may follow. For example, allow extra time to freeze ordering and shipping system development 60 days before the retail holiday season or year-end break for educational institutions.
Some of the organizational impacts of older systems and hardware include:
Obsolete platforms are at greater risk of malware and viruses that adversaries can exploit to access your data or other businesses in your supply chain and operating network. In the event of a data breach due to unpatched legacy software or hardware, sizable compliance fines or negative publicity may result if the data breach is deemed to be preventable.
Organizations have four possible paths when migrating off legacy operating systems and devices:
Here’s what Microsoft has to say to businesses running Windows 7.
In a nutshell: yes. Running Windows 7 after January 14, 2020 could violate security and privacy safeguards such as PCI DSS and HIPAA for organizations of all sizes. Criteria 6.2 of PCI DSS requires the installation and maintenance of current security patches on POS devices; patches for Windows 7 will stop after the end-of-support date. HIPAA similarly requires the ability to apply patches to devices that handle PHI (Protected Health Information) and Windows 7 devices would not be compliant after the looming January date.
If migration is not an option or there are unforeseen delays, compensating controls may be used to address compliance and audit requirements. These compliance-related compensating controls involve identifying, examining, and mitigating risks along with documenting and maintaining security levels over time. Notify your PCI QSA (Qualified Security Assessor) of any compensating controls or document them in your organization’s self-assessment reports.
The optimal approach is to successfully migrate to Windows 10 with plenty of time built in for contingencies. Always consult a PCI DSS or HIPAA expert for compliance recommendations about your specific entity and protected data.
Here are some practical tips for robust security controls to help you think like a hacker when it comes to protecting your Windows 7 infrastructure as you prepare for migration:
Note that Microsoft customers with Windows 7 support contracts will continue to receive any updates, patches, and bug fixes that Microsoft provides through January 14, 2020.
There are three primary steps to consider in your migration to Windows 10.
Don’t wait until the last minute when new workstations may be in short supply along with vacationing IT staff and users who may hinder migration. Engage outside help to leverage experts who have done this consistently to avoid surprises if your organization doesn’t have a lot of migration experience.
Endpoint technology has seen significant advancements since Windows 7’s introduction in 2009. EDR capabilities are one of the newer layered defense tools in the endpoint battle that block known malware and unknown, or Zero-day attacks, to protect organizations from costly data breaches. Anomaly detection to maximize endpoint security is a crucial step to prevent, detect, respond to, and predict threats. EDR also supports threat hunting by pinpointing attacks in progress and isolating impacted endpoints or servers, while minimizing false positives that waste your valuable time. EventTracker EDR is a 24/7 managed service that closes security gaps created by legacy systems with a defense-in-depth strategy that bolsters endpoint security to contain threats early and reduce dwell time across all stages of the threat chain.
A move to Windows 10 provides numerous benefits such as increased performance, usability, and operating efficiencies. Hardware today is optimized for Windows 10, and legacy OS users face security risks, rising operating costs, lost productivity, and an inability to capitalize on hardware and software improvements. While migrating requires time and money, the benefits outweigh the disadvantages that could include compliance fines, data breaches, and damaged brand reputation.
As you eliminate Windows 7, keep security top of mind as you assess the strategic choices available to you today. EDR can be another compensating control to place legacy equipment like Microsoft Windows 7 in lockdown mode. Advanced cybersecurity threats have increased in severity and volume, and your security solutions must likewise protect your sensitive data and customer trust. Security risks increase as the looming end-of-support date of January 14, 2020 approaches.
Are you facing a Windows 7 migration? Watch our webcast on Windows 7 Migration: A Cybersecurity Reboot to learn more about your options for protecting your employees and customers, sensitive data, and infrastructure.
By Randy Franklin Smith
Interest continues to build around pass-the-hash and related credential artifact attacks, like those made easy by Mimikatz. The main focus surrounding this subject has been hardening Windows against credential attacks, cleaning up artifacts left behind, or at least detecting PtH and related attacks when they occur.
All of this is important – especially because end-users must logon to end-user workstations, which are the most vulnerable systems on the network.
Privileged admin accounts are another story. Even if you eliminated pass-the-hash, golden ticket, and other credential artifact attacks, you would remain vulnerable whenever admin accounts logon to insecure endpoints. Keystroke logging, or simply starting a process under the current user’s credentials, are viable methods for stealing or hijacking the credentials of a locally logged-on user.
So, the big lessons learned with Mimikatz and privileged accounts are to avoid using privileged credentials on lower security systems, such as any system in which web browsing or email occurs, or any type of file or content is downloaded from the internet. That’s really what ESAE (aka Red Forest) is all about. But privileged accounts aren’t limited to just the domain admin accounts contemplated by the Red Forest. There are many other privileged accounts for member servers, applications, databases, devices, and so on.
Privileged accounts should only be used from dedicated administrative workstations maintained at the same level of security as the resources being administered.
How do you implement controls that really enforce this kind of written policy? And how do you detect attempts to circumvent?
When it comes to Windows, you have a few options:
I’ll briefly explain each one and show how you can monitor attempts to violate the policies.
Logon Rights
There are five logon types and corresponding “allow” and “deny” rights for each, with “deny” overriding “allow”, of course. You define these in group policy and they are enforced by the local systems to which the group policy objects are applied. For instance, if you have an OU for end-user workstations and you assign “deny logon locally” to an AD admin group, those members won’t be able to logon at the console of workstations regardless of their authority.
If someone tries to violate a “deny logon” right you can catch this by looking for event ID 4625 – an account failed to logon – with status or sub-status code 0xc000015b. But be aware that these events are logged by the local workstation – not on the domain controller. This is another reason to use native Windows Event Collection to get events from your workstations.
Workstation Restrictions
This is something you’d have to specify on individual user accounts as shown below in Active Directory User and Computers. This control only applies to interactive logons.
In this example, I’ve allowed Tamas to logon only at SAW1 (secure admin workstation 1). Depending on how many SAWs and admins you have, this could be tedious. If Tamas tried to logon at a different workstation, that computer would log event ID 4625 – an account failed to logon – with status or sub-status code 0xC0000070. The domain controller would log event ID 4769 with failure code 0xC.
Authentication Silos
This is a new feature of AD that allows you to carve out groups of computers and users, and limit those users to those computers – centrally from AD Authentication policy silos, which are containers you can assign user accounts, computer accounts, and service accounts to. You can then assign authentication policies for this container to limit where privileged accounts can be used in the domain. When accounts are in the Protected Users security group, additional controls are applied, such as the exclusive use of the Kerberos protocol. With these capabilities, you can limit high-value account usage to high-value hosts. Learn more about silos in Implementing Win 2012 R2 Authentication Silos and the Protected Users Group to Protect Privileged Accounts from Modern Attacks.
When a user tries to logon outside the silo of permitted computers, the domain controller will log event ID 4820: A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
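The three controls above each leave a different audit trail, on different machines. Here is an added example (not from the original post) of the detection side: a classifier that maps the event IDs and status codes the post lists to the control that blocked the logon, records whether the event came from the endpoint or from a domain controller, and counts repeated hits per account. The event records are constructed for the example, with the rendered-message field labels (“Sub Status”, “Failure Code”) flattened into dictionary keys; in a real collector the field names depend on how the events are parsed.

```python
# Status codes the post associates with each control. Everything below is a constructed
# example; real events carry these codes in the rendered "Status"/"Sub Status"/"Failure Code".
SUBSTATUS_LOGON_RIGHT_DENIED = 0xC000015B      # 4625: logon type not granted on this machine
SUBSTATUS_WORKSTATION_RESTRICTED = 0xC0000070  # 4625: account may not log on from this workstation
KERB_FAILURE_CODE_POLICY = 0xC                 # 4769: KDC policy rejected the ticket request
EVENT_SILO_DENIED = 4820                       # TGT denied by authentication policy restrictions


def _hex(value):
    """Event fields carry codes as strings like '0xc000015b'; normalise them to int."""
    if value in (None, ""):
        return None
    return int(str(value), 16)


def _account(event):
    """Strip the realm from 4769-style names (user@REALM) so all events count together."""
    return str(event.get("Account Name", "")).split("@")[0].lower()


def classify(event):
    """Map one event to the control it signals, or None if it is not a policy violation."""
    eid = event.get("EventID")
    base = {"account": _account(event), "logged_by": event.get("Computer")}
    if eid == 4625:
        codes = {_hex(event.get("Status")), _hex(event.get("Sub Status"))}
        if SUBSTATUS_LOGON_RIGHT_DENIED in codes:
            return {**base, "control": "logon right (deny/allow logon) policy", "source": "endpoint"}
        if SUBSTATUS_WORKSTATION_RESTRICTED in codes:
            return {**base, "control": "workstation restriction (Log On To)", "source": "endpoint"}
        return None  # any other 4625 (bad password, locked out, ...) is not a policy violation
    if eid == 4769 and _hex(event.get("Failure Code")) == KERB_FAILURE_CODE_POLICY:
        return {**base, "control": "workstation restriction (KDC policy)", "source": "domain controller"}
    if eid == EVENT_SILO_DENIED:
        return {**base, "control": "authentication policy silo", "source": "domain controller"}
    return None


def policy_violations(events):
    return [finding for finding in (classify(e) for e in events) if finding]


def by_account(events):
    """Violations per account: repeated hits on one privileged account deserve a closer look."""
    counts = {}
    for finding in policy_violations(events):
        counts[finding["account"]] = counts.get(finding["account"], 0) + 1
    return counts


# Constructed sample: tamas (allowed only on SAW1) tries WS07 twice and the DC refuses the
# ticket, dadmin hits a deny-logon right, svc-backup is stopped by its silo, and jsmith
# simply mistypes a password, which must not be reported.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Computer": "WS07", "Account Name": "tamas", "Logon Type": 2,
     "Status": "0xc000006e", "Sub Status": "0xc0000070"},
    {"EventID": 4769, "Computer": "DC1", "Account Name": "tamas@CORP", "Failure Code": "0xc"},
    {"EventID": 4625, "Computer": "WS07", "Account Name": "tamas", "Logon Type": 2,
     "Status": "0xc000006e", "Sub Status": "0xc0000070"},
    {"EventID": 4625, "Computer": "WS12", "Account Name": "dadmin", "Logon Type": 2,
     "Status": "0xc000015b", "Sub Status": "0x0"},
    {"EventID": 4820, "Computer": "DC1", "Account Name": "svc-backup"},
    {"EventID": 4625, "Computer": "WS12", "Account Name": "jsmith", "Logon Type": 2,
     "Status": "0xc000006d", "Sub Status": "0xc000006a"},
]

if __name__ == "__main__":
    for finding in policy_violations(SAMPLE_EVENTS):
        print(finding)
    print(by_account(SAMPLE_EVENTS))
```

The `source` field is there because of the point the post makes: the 4625 events are written only on the workstation that refused the logon, so without event collection from endpoints the only trace you would see centrally is the 4769 or 4820 on the domain controller, and only for the controls that involve the KDC.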
Bad guys have more methods and shrink-wrapped tools than ever to steal credentials, so it’s especially important to lock down privileged accounts and prevent artifacts of their credentials from being littered throughout your network where the bad guys can find them. Windows gives you controls for enforcing such policies and provides an audit trail when someone attempts to violate them. Remember that besides just non-compliant or forgetful admins, these events may signal a bad guy who’s successfully stolen privileged credentials but is unaware of the controls you’ve put in place. So, take these events seriously.
While you’ve been busy defending against ransomware, the bad guys have been scheming about new ways to steal from you. Let’s review a tactic seen in the news called bitcoin mining.
Hackers broke into servers hosted at Amazon Web Services (AWS) that hold information from the multinational, multi-billion-dollar companies Aviva and Gemalto. The criminals were using the computing power to mine the cryptocurrency bitcoin.
Though anyone could try to mine bitcoin off their computer services, the process is very energy intensive, and could be costly in electricity expenses alone. But it’s worthwhile for many hackers because a successful attempt can be very lucrative.
To avoid the high cost of going at it alone, most bitcoin miners join a pool of different computers that combine their powers to solve complex algorithms. Successfully solving the problem generates a set number of new bitcoin, which are worth upwards of $4,300 each. Bitcoin can be mined until there are a total of 21 million bitcoin that exist.
How should you defend against this? Know your baseline and watch for anomalies. See how EventTracker caught a bitcoin miner, hidden behind a rarely used server dedicated for key-fob provisioning.
If attackers can deploy a remote administration tool (RAT) on your network, it makes it so much easier for them. RATs make it luxurious for bad guys; it’s like being right there on your network. RATs can log keystrokes, capture screens, provide RDP-like remote control, steal password hashes, scan networks, scan for files and upload them back to home. So if you can deny attackers the use of RATs, you’ve just made life a lot harder for them.
We are getting better at catching so-called advanced persistent threats by detecting the malware they deploy on compromised systems. We can say this because experts are seeing more attackers “living off the land.” Living off the land means an attacker goes malware-free and instead relies on the utilities, scripting engines, command shells and other native resources available on systems where they gain an entry point.
By living off the land, they keep a much lower profile. They aren’t stopped as much by application control and whitelisting controls. There’s no malware for antivirus to detect.
And Windows provides plenty of native resources for this kind of attacker. (Linux and UNIX do too, but I’m focusing on Windows since client endpoints initially targeted by today’s attackers mostly run Windows.) You might be surprised how much you can do with just simple batch files, let alone PowerShell. And then there’s WMI. Both PowerShell and WMI provide a crazy amount of functionality. You can access remote systems and basically interface with any API of the operating system. You can open up network connections for “phoning home” to command and control servers, and more. This is all stuff that in years past required an EXE or DLL. Now you can basically do anything that a custom built EXE can do but without touching the file system which so much of our current security technology is based on.
How do you prevent attacks like this? PowerShell has optional security restrictions you can implement for preventing API access and limiting script execution to signed script files. With WMI it’s not as clear. Obviously, all the normal endpoint security technologies have a part to play.
But let’s focus on detection. It’s impossible to prevent everything and mitigate every vulnerability. So we can’t neglect detection. The challenge with detecting attackers that are living off the land is twofold. The activities you need to monitor:
Both of these create big challenges. Let’s talk about #1 first. A.N. Ananth and I describe the types of activities that are clues to a possible attacker living off the land in 5 Indicators of Evil on Windows Hosts using Endpoint Threat Detection and Response, and I encourage you to watch that session, which is full of good technical tips. But the point is that what you need to watch for isn’t in the Windows security log or other logs. Instead, detection requires a combination of file scanning, configuration checks, querying of running processes and so on — all stuff that requires code running on the local system or very powerful and complex remote access. If we were only talking about servers, we could consider deploying an agent. But to catch today’s threats, you need to be monitoring where they begin, which is on client endpoints — the desktops and laptops of your employees. And there’s no way to remotely reach into that many systems in real time, even if you overcame the technical hurdles of that kind of remote access. So that leaves agents, which always cause a degree of pushback.
But it’s time to stop calling them agents. Today what we need on endpoints are sensors. It’s a subtle but important shift in mindset. In the physical world, everyone understands the need for sensors, and that sensors have to be deployed where the condition is being monitored. If you want to know when someone enters your building at night, you need a sensor on every door. Likewise, if you want the earliest possible warning that your organization has been compromised, you need a sensor on every endpoint.
So I encourage you to start thinking and speaking in terms of leveraging your endpoints as a sensor rather than yet another system that requires an agent. And look for security vendors that get this. EventTracker has done a great job of evolving their agent into a powerful and irreplaceable endpoint security agent that “sees” things that are just impossible to see any other way.
The past year has been a hair-raising series of IT security breakdowns and headlining events reaching as high as RSA itself falling victim to a phishing attack. But as the year set on 2011, the hacker group Anonymous remained busy, providing a sobering reminder that IT Security can never rest.
It turned out that attackers sent two different targeted phishing e-mails to four workers at its parent company, EMC. The e-mails contained a malicious attachment that was identified in the subject line as “2011 Recruitment plan.xls” which was the point of attack.
Back to Basics:
Prevent:
Using administrative controls such as security awareness training, technical controls such as firewalls, and anti-virus and IPS, to stop attacks from penetrating the network. Most industry and government experts agree that security configuration management is probably the best way to ensure the best security configuration allowable, along with automated patch management and updating anti-virus software.
Detect:
Employing a blend of technical controls such as anti-virus, IPS, intrusion detection systems (IDS), system monitoring, file integrity monitoring, change control, log management and incident alerting can help to track how and when system intrusions are being attempted.
Correct:
Applying operating system upgrades, backup data restore and vulnerability mitigation and other controls to make sure systems are configured correctly and can prevent the irretrievable loss of data.
The 5 W’s of security management
I’ve seen it happen about a thousand times if I’ve seen it once. A high profile project ends up in a ditch because there wasn’t a proper plan defined AHEAD of time. I see this more often in “squishy” projects like security management because success isn’t easily defined. It’s not like installing a web application firewall, which will be deemed a success if it blocks web attacks.
Security management needs a different set of drivers and a more specific and focused discussion of what is “success,” before solutions are evaluated. Before vendors are consulted. Before you do anything. I know it’s hard, but I want you to take a deep breath. If you can’t answer the following questions about your project, then you have a lot of work to do before you are ready to start thinking about specific solutions.
First and foremost, you need to have a clear understanding of your goals and your budget and make sure to line up your executive support. Ultimately someone is going to have to pay the check for whatever it is you want to buy. So you will be a lot better off if you take a bit of time up front and answer all these sticky questions.
A favorite tactic of mine is to ask the 5 W’s. You remember those, right? It was a grade school thing. Who, what, where, when and why? Pretty much anything you need to do can be clarified and distilled by isolating the issues into the 5 W’s. I’m going to kick start your efforts a bit and walk you through the process I take with clients as they are trying to structure their security management initiative.
Why?
The first thing to understand is WHY you are thinking about security management? What is the driver for the project? Are important things falling through the cracks and impacting your operation efficiency? Did an incident show a distinct lack of data that hindered the investigation? Maybe an auditor mandated a more structured approach to security management? Each of these (and a ton of other reasons) is a legitimate driver for a security management project and will have a serious impact on what the project needs to be and accomplish.
Once you have a clear understanding of why, you need to line up the forces for the battle. That means making sure you understand who has money to pay for the project and who has the final approval. If you don’t understand these things, it’s very unlikely you’ll drive the project through.
Who?
After you have a clear idea of which forces will be at your disposal, you can determine the WHO, or which folks need to be part of the project team. Do the network folks need to be involved, the data center folks and/or the application folks? Maybe it’s all of the above, although I’d push you to focus your efforts up front. You don’t want to be in a position where you are trying to boil the ocean. You want to be focused and you want to have the right people on the team to make sure you can achieve what you set out to achieve. Which brings us to the next question…
What?
This gets down to managing expectations, which is a blind spot for pretty much every security professional I know. Let me broaden that. It’s an issue for everyone I know, regardless of what they do for a living. If you aren’t clear and thus your senior team isn’t clear about what this project is supposed to achieve, it’s going to be difficult to achieve it.
Any organization looking at security management needs to crisply define what the outcomes are going to be and design some success metrics to highlight those outcomes. If it’s about operations, how much more quickly will issues be pinpointed? What additional information can be gathered to assist in investigations, etc? This is really about making sure the project has a chance of success because the senior team (the ones paying the bill) knows where it’s going ahead of time.
Where?
This question is all about scope. Believe me, defining the scope effectively is perhaps the most critical thing you can do. Get it wrong on the low side and you have budget issues, meaning you don’t have nearly enough money to do what your senior team thinks is going to get done. Budget too high and you may have an issue pushing the project through or getting the approval in the first place.
Budgeting is much more of an art than a skill. You need to understand how your organization gets things done to understand how you can finesse the economic discussion. A couple of questions to understand are: Is this an enterprise deployment? Departmental? Regional? Most importantly, is everyone on board with that potential scoping?
When?
The last W is about understanding the timeline. What can/should be done first? This is where the concept of phases comes into play, especially if your budget is tight. How do you chunk up the project into smaller pieces that can be budgeted for separately? That usually makes a big number go down a bit easier.
The key is to make sure you have a firm understanding of the end goal, which is presumably an enterprise-wide deployment of a security management platform. You can get there in an infinite number of ways, depending on the project drivers, the budget, and the skill set you have at your disposal.
But you certainly can’t get there if you don’t ask these questions ahead of time and determine a logical strategic plan to get to where you need to be. Many projects fail from a lack of planning rather than a lack of execution. As long as all of your ducks are in a row when you start the process, you have a much better chance to get to the end of the process.
Or you can hope for a good outcome. I heard that’s a pretty dependable means of getting things done.
Industry News
Cyber-crime bigger threat than cyber-terror
Although the threat of cyber-terrorism exists, the greatest risk to Internet communication, commerce and security is from cyber-crime motivated by profit. Attacks have evolved from cracking passwords into vast coordinated attacks from thousands of hijacked computers for blackmail and theft.
Healthcare organizations and providers focus on offering a high level of care for their patients’ health and wellbeing; however, what is often overlooked is providing that same level of care when handling patients’ personally identifiable information (PII).
That's not to say that practices and healthcare organizations are purposely careless with sensitive information.
What's closer to the truth is that in many circumstances, when a breach occurs, the practice has implemented at least some of the security measures needed to comply with the necessary requirements, but ends up in the headlines anyway, including having to face hefty fines.
Protecting PII goes far beyond the minimal technical requirements of HIPAA and involves a precise balance of the technical knowledge of IT teams, properly trained office or hospital staff, and even the third-party vendors that service systems within an organization. All too frequently in healthcare settings, these responsibilities are pushed aside, as shown by the recent major hacks at health insurers, hospital networks, and medical centers.
According to Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, nearly 90 percent of healthcare organizations suffer data breaches.
Why is healthcare such a target? The answer is quite simple: profit. Personal health information is extremely attractive due to its lasting value.
Think about it this way: if credit card information is stolen, the cardholder can cancel the card and report it to the credit bureaus as soon as the theft or fraud is noticed, destroying any future profitability.
However, when identity theft is accomplished through stolen healthcare data, the amount of money a hacker can generate by opening fraudulent credit accounts in someone’s name makes credit card theft seem like a drop in the bucket. The higher the amount of money the hacker makes, the greater the impact the theft has on the life of the individual – causing potential mistrust for the compromised healthcare organization.
In 2016 it was reported that victims of medical identity theft paid an average of $13,500 to resolve the crime!
It's important to understand that cybercriminals are aware of these facts and figures. Efforts to exploit this have resulted in hackers, once perceived as lone individuals, becoming more organized in their approach, running their malicious operations like full-time businesses. They are well-funded with labs, and an abundance of time and resources devoted toward research and development.
Healthcare organizations need an array of security technologies that can be used to prevent malicious attacks and keep personal healthcare information safe, while retaining the day-to-day ease-of-use.
In early 2016, it was discovered that nearly 400,000 records were compromised when a staff member’s computer was stolen, because the records on it were unencrypted. HIPAA technical requirements state that electronic personal health information (ePHI)—whether at rest or in transit—must be encrypted.
Ransomware is still as relevant today as it was when we first began covering stories of healthcare organizations becoming targets.
Your employees are one of your greatest defenses against ransomware. Proper ongoing training on how to not only handle sensitive records, but also how to identify potential threats is imperative.
The risk of mobile threats and privacy issues continues to grow at alarming rates due to the millions of apps available for all ages, and the growth of devices used globally. Cisco predicts that by 2020 the number of people who own mobile phones will exceed the number of people who have access to running water and electricity.
Not only is the use of mobile devices prevalent from a personal standpoint, from shopping to banking, but the healthcare industry has also started leveraging those devices more to keep up with competition and demand for better, faster, more convenient service.
USB devices, such as flash keys and thumb drives, can easily infect computers with self-replicating viruses that spread—similar to the floppy disks of years past. A USB device can emulate a keyboard and install malware and other malicious material. A USB drive or external hard drive can infect connected computers upon initial start, before antivirus tools have a chance to catch the attack.
Your systems may be secure, but what happens when you require outside assistance with an issue? Ensure that all vendors you use follow guidelines to secure their related technology to keep both you and your data safe and secure.
There is a strategy known as “vendor as vector”, which can be a direct attack on a healthcare system or an attack on a smaller practice’s IT vendor in order to breach many clients at once.
Ensuring these third-party companies have the latest endpoint security in place is also part of the healthcare practice’s responsibility.
Breach detection and response is a fairly new addition to this list, since it has been an expensive technology, typically out of reach for many smaller practices and organizations. With advances in technology, there are now breach detection and response solutions for SMBs at a reasonable price point.
SIEM has become a key technology in fighting off cybercriminals and keeping healthcare companies informed of suspicious network activity. SIEM platforms ingest the millions of logs generated by all the systems and devices in the infrastructure and then sort through them for you, in real-time.
Proper SIEM systems can pinpoint a threat in real-time and alert you immediately, helping stop an attack in its tracks while tracing it back to the device on which it started.
Whatever the size of the healthcare organization, every patient should have peace of mind that their personal information is safe when they step into a provider’s office and fill out a form with their full medical history and personal information.
Today’s cyberthreats require new ways of thinking and new tools to protect healthcare organizations against breaches, and the resulting company and patient data loss.
It’s time for the industry to make use of these advanced tools, packaged with the services needed to use them effectively, to stay safer and better protected from relentless attacks—creating a healthier security posture and fostering patient trust.
Ransomware burst onto the scene with high profile attacks against hospitals, law firms and other organizations. What is it and how can you detect it?
Ransomware uses the same methods as other malware to initially infect an endpoint, such as drive-by downloads, phishing emails, etc. Then it generates the necessary encryption keys, communicates with command and control servers and gets down to business encrypting every file on the compromised endpoint. Once that’s done it displays the ransom message and waits for the user to enter an unlock code purchased from the criminals. So at the initial stages of an attack, trying to detect ransomware is like detecting any other endpoint-based malware. You look for new EXEs and DLLs and other executable content like scripts. For this level of detection, check out my earlier webinars with EventTracker:
As criminals begin to move from consumer attacks to targeting the enterprise, we are going to see more lateral movement between systems as the attackers try to either encrypt enough endpoints or work their way across the network to one or more critical servers. In either case their attacks will take a little longer before they pull the trigger and display the ransom message because they need to encrypt enough end-user endpoints or at least one critical server to bring the organization to its knees. These attacks begin to look similar to a persistent data theft (aka APT) attack.
Detecting lateral movement requires watching for unusual connections between systems that typically don’t communicate with each other. You also want to watch for user accounts attempting to log on to systems they normally never access. Pass-the-Hash indicators tie in closely with lateral movement, and that is one of the things discussed in “Spotting the Adversary with Windows Event Log Monitoring: An Analysis of NSA Guidance”.
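The two checks just described, as an added example that is not from the original post: a baseline of account-to-host and host-to-host logon pairs is built from constructed logon records, and recent logons are flagged when they break either pattern. The log line format, hostnames, account names and the fan-out threshold are all assumptions made for the example.

```python
"""Baseline-based lateral movement detection over network logons.

Added example (not EventTracker code): learn which (account -> host) and
(source host -> destination host) pairs are normal from a history window,
then flag recent logons that break either pattern. The log format and
all hostnames/accounts below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class Logon(NamedTuple):
    when: datetime
    user: str
    src: str   # workstation the logon came from
    dst: str   # host that recorded the successful network logon


def parse(line: str) -> Logon:
    """Parse one constructed line: '<iso-time> user=U src=S dst=D'."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Logon(datetime.fromisoformat(ts), kv["user"], kv["src"], kv["dst"])


Baseline = Tuple[Dict[str, Set[str]], Set[Tuple[str, str]]]


def build_baseline(history: List[Logon]) -> Baseline:
    """Record which hosts each account reaches and which host pairs talk."""
    user_hosts: Dict[str, Set[str]] = defaultdict(set)
    host_pairs: Set[Tuple[str, str]] = set()
    for e in history:
        user_hosts[e.user].add(e.dst)
        host_pairs.add((e.src, e.dst))
    return dict(user_hosts), host_pairs


def find_anomalies(baseline: Baseline, recent: List[Logon],
                   min_fanout: int = 2):
    """Return per-event alerts plus sources reaching several new hosts."""
    user_hosts, host_pairs = baseline
    alerts: List[Tuple[Logon, List[str]]] = []
    new_dsts: Dict[str, Set[str]] = defaultdict(set)
    for e in recent:
        reasons = []
        if e.dst not in user_hosts.get(e.user, set()):
            reasons.append("account never seen on this host")
        if (e.src, e.dst) not in host_pairs:
            reasons.append("source host never seen reaching this host")
            new_dsts[e.src].add(e.dst)
        if reasons:
            alerts.append((e, reasons))
    # One source fanning out to several previously unseen hosts within the
    # window is a stronger lateral-movement signal than a lone new pair.
    fanout = {s: sorted(d) for s, d in new_dsts.items() if len(d) >= min_fanout}
    return alerts, fanout


HISTORY = [  # constructed: a quiet month of normal activity
    "2024-02-01T08:10:00 user=alice src=WS01 dst=FS01",
    "2024-02-02T08:12:00 user=alice src=WS01 dst=FS01",
    "2024-02-02T08:30:00 user=bob src=WS02 dst=FS01",
    "2024-02-03T01:00:00 user=svc_backup src=BKP01 dst=FS01",
    "2024-02-03T01:05:00 user=svc_backup src=BKP01 dst=DB01",
]
RECENT = [  # constructed: alice's workstation starts fanning out
    "2024-03-04T09:00:00 user=alice src=WS01 dst=FS01",
    "2024-03-04T09:02:00 user=alice src=WS01 dst=DB01",
    "2024-03-04T09:03:00 user=alice src=WS01 dst=HR01",
    "2024-03-04T09:10:00 user=bob src=WS02 dst=FS01",
]


def run_sample():
    """Build the baseline from HISTORY and score RECENT against it."""
    baseline = build_baseline([parse(ln) for ln in HISTORY])
    return find_anomalies(baseline, [parse(ln) for ln in RECENT])


if __name__ == "__main__":
    alerts, fanout = run_sample()
    for e, why in alerts:
        print(f"{e.when:%Y-%m-%d %H:%M} {e.user} {e.src}->{e.dst}: {'; '.join(why)}")
    print("fan-out:", fanout)
```

In a real deployment the history window is the successful network logons (for example Windows 4624 events) from a period known to be clean, and the fan-out threshold is tuned to the environment.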
So much of monitoring for ransomware is covered by the monitoring you do for any kind of malware as well as persistent data theft attacks. But what is different about ransomware?
Detonation
When ransomware begins encrypting files, it’s going to generate a massive amount of file I/O – both read and write. It has to read every file and write every file back out in encrypted format. The write may land on the same file if it is rewritten in place, or the ransomware may delete the original file after writing out an encrypted copy. In addition, if you watch which files ransomware is opening you’ll see every file in each folder being opened one after another for at least read access. You will also see that read activity in bytes is closely matched by write activity.
Of course there are potential ways ransomware could cloak this activity, by either going low and slow, encrypting files over many days, or by scattering its file access between many different folders instead of following an orderly process of all files in one folder after another. But I think it will be a long time before enough attacks are getting foiled by such detection techniques that the attackers go to this extra effort.
How prone to false positives is this tactic? Well, what other legitimate applications have a similar file I/O signature? Backup and indexing programs would have a nearly identical file read signature but would lack the equal amount of write activity.
The downside to ransomware detonation monitoring is that detection means a ransomware attack is well underway. This is late stage notification.
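The detonation signature described above, as an added example that is not EventTracker’s or the author’s code: each process in a stream of constructed file I/O events is scored on bytes written versus bytes read, on whether the files it read were rewritten in place or deleted after a copy was written, and on whether it swept folders in order; the thresholds, process names and paths are assumed values chosen for the example.

```python
"""Late-stage ransomware detonation heuristic over file I/O events.

Added example (not EventTracker code). Scores each process on the I/O
signature discussed in the text: every file in a folder read one after
another, read bytes roughly matched by write bytes, and the original
either rewritten in place or deleted after an encrypted copy is written.
Backup/indexing tools read a lot but write little, so they score low.
Thresholds, process names and paths are constructed/assumed values.
"""
import posixpath
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str, int]   # (process, op, path, nbytes); op in read/write/delete

MIN_FILES = 20                        # ignore processes touching only a few files
RATIO_LOW, RATIO_HIGH = 0.8, 1.25     # acceptable write/read byte ratio band
MIN_COVERAGE = 0.8                    # share of read files rewritten or deleted


@dataclass
class ProcStats:
    read_bytes: int = 0
    write_bytes: int = 0
    files_read: Set[str] = field(default_factory=set)
    files_written: Set[str] = field(default_factory=set)
    files_deleted: Set[str] = field(default_factory=set)
    folder_switches: int = 0          # how often consecutive reads change folder
    last_read_folder: str = ""


def collect(events: List[Event]) -> Dict[str, ProcStats]:
    """Aggregate raw events into per-process counters."""
    stats: Dict[str, ProcStats] = defaultdict(ProcStats)
    for proc, op, path, nbytes in events:
        s = stats[proc]
        if op == "read":
            s.read_bytes += nbytes
            s.files_read.add(path)
            folder = posixpath.dirname(path)
            if s.last_read_folder and folder != s.last_read_folder:
                s.folder_switches += 1
            s.last_read_folder = folder
        elif op == "write":
            s.write_bytes += nbytes
            s.files_written.add(path)
        elif op == "delete":
            s.files_deleted.add(path)
    return dict(stats)


def score(s: ProcStats) -> dict:
    """Apply the three signature checks to one process."""
    n = len(s.files_read)
    ratio = s.write_bytes / s.read_bytes if s.read_bytes else 0.0
    # A read file counts as consumed if it was rewritten in place or deleted
    # (the delete-after-encrypted-copy pattern); both variants are covered.
    consumed = s.files_read & (s.files_written | s.files_deleted)
    coverage = len(consumed) / n if n else 0.0
    # Orderly folder-by-folder sweep: few folder switches relative to files read.
    orderly = s.folder_switches < n / 2 if n else False
    flagged = (n >= MIN_FILES and RATIO_LOW <= ratio <= RATIO_HIGH
               and coverage >= MIN_COVERAGE and orderly)
    return {"files": n, "write_read_ratio": round(ratio, 2),
            "coverage": round(coverage, 2), "orderly": orderly, "flagged": flagged}


def detect(events: List[Event]) -> Dict[str, dict]:
    return {proc: score(s) for proc, s in collect(events).items()}


def sample_events() -> List[Event]:
    """Constructed events: an encryptor sweeping three folders, a backup tool
    reading the same files, and a word processor editing two of them."""
    folders = ["/srv/share/finance", "/srv/share/hr", "/srv/share/legal"]
    files = [f"{d}/doc{i}.docx" for d in folders for i in range(10)]
    events: List[Event] = []
    for i, path in enumerate(files):
        size = 4096 + 512 * i
        events.append(("encryptor.exe", "read", path, size))
        events.append(("encryptor.exe", "write", path + ".locked", size + 16))
        events.append(("encryptor.exe", "delete", path, 0))
    for i, path in enumerate(files):           # backup: reads all, writes a small catalog
        events.append(("backup.exe", "read", path, 4096 + 512 * i))
    events.append(("backup.exe", "write", "/var/backup/catalog.db", 2048))
    for path in files[:2]:                     # normal editing of a couple of files
        events.append(("winword.exe", "read", path, 4096))
        events.append(("winword.exe", "write", path, 4200))
    return events


if __name__ == "__main__":
    for proc, result in detect(sample_events()).items():
        print(proc, result)
```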
Speed
Ransomware attacks against an enterprise may proceed much faster than persistent data theft attacks because data thieves have to find and gain access to the data that is not just confidential but also re-saleable or otherwise valuable to the attacker. That may take months. On the other hand, ransomware criminals just need to do either of the following:
So beefing up your ransomware monitoring means continuing with what you are (hopefully) already doing: monitoring for indicators of any type of malware on your network and watching for signs of lateral movement between systems. But for ransomware you can also possibly detect late-stage attacks by watching for the signature file I/O by unusual processes. So you need to be fast in responding.
And that’s the other way that ransomware differentiates itself from data theft attacks: the need for speed. Ransomware attacks can potentially reach detonation much faster than data thieves can find, gain access and exfiltrate data worth stealing. So, while the indicators of compromise might be the same for most of a ransomware or persistent data theft attack, reducing your time-to-response is even more important with ransomware.
Marketplace changes are inevitable. Rapid shifts to remote work, cloud computing, and digitalization have all led to increased demand and spending on IT and cybersecurity in recent years. Enterprises and Service Providers face economic challenges of inflation, rising labor costs (if you can even hire talent), and supply chain issues. Financially motivated attacks are likely to accelerate in times of economic uncertainty. Smart channel leaders should be proactive and guide clients on prioritizing cybersecurity investment as a driver of business growth.
Is Cybersecurity More Immune to Budget Downturns?
High-profile data breaches and bad publicity have made cybersecurity a Board of Directors and executive leadership priority. The cost of a data breach now approaches $4 million, and attackers remain undiscovered internally for an average of four months. Protecting sensitive data and assets is no longer a compliance checkbox but now a way to instill consumer and investor confidence. Some might argue that unlike discretionary goods, cybersecurity spending is immune to economic pressures and business downturns. While financial forecasts vary widely regarding the likelihood of a slowdown, it’s an opportunity to better prepare for whatever lies ahead.
Use this effective 6-point plan to prepare for any possible cost-cutting or reprioritization.
1. Boost operational agility: Decisions like transitioning from products to SaaS (Software-as-a-Service) can streamline operations but also create challenges and risks. Remain focused on your ideal client audience to enhance profitability, differentiate on value, and instill customer loyalty. Over time, remember to frequently re-evaluate any packaging and pricing decisions to ensure continued fit with the marketplace and changing customer expectations. Minimize startup risk and investment by selecting a managed cybersecurity partner with broad capabilities such as 24/7 experts and advanced threat protection.
2. Balance cyber risk and business growth: Managed Security Service Providers (MSSPs) want the ability to tailor their solution portfolio to distinct customer requirements that grow over time; your cybersecurity portfolio should also adapt and evolve with the marketplace. Enhance your agility and flexibility by scaling your cybersecurity portfolio as your client base expands or account penetration deepens. Look for vendor partners that can:
Business growth and technological innovation cannot occur without cybersecurity - as costly data breaches demonstrate. It’s no longer one or the other, and organizations must do both to be successful.
3. Augment your IT team: At best, hiring IT and cybersecurity professionals in today’s job market is difficult, and retaining them is even more challenging. Evaluate areas where you can augment your team by partnering with outside experts who free up your team for other strategic projects and activities. Rather than creating and staffing your own DIY Security Operations Center (SOC), for example, consider a SOC-as-a-Service approach that provides 24/7 monitoring on your behalf without having to hire hard-to-retain experts. A co-managed cybersecurity service enables you to have as much or as little hands-on operation and involvement as you prefer. A managed service helps you retain your existing staff, knowing that additional expertise is available, especially to augment smaller IT teams.
4. Explore ways to streamline or consolidate: Most enterprises likely have too many cybersecurity vendors and tools to manage effectively. That’s primarily because new security measures tend to get deployed one at a time. The net result is a technology sprawl that creates silos and cybersecurity gaps. Partners and their clients want to run fast and learn, but too many tools and the lack of support add cost and complexity. Look for tool and solution overlaps and redundancies that provide an opportunity to streamline vendors and processes. These challenges have prompted organizations to turn to MSSPs for managed services to simplify cybersecurity operations.
As you plan ahead, future-proof your cybersecurity operations by simplifying processes and increasing agility.
5. Automate and orchestrate where feasible: Automation, machine learning (ML), and artificial intelligence (AI) are all commonplace in cybersecurity now. These sophisticated tools and technologies accelerate threat correlation and speed up threat response times. Staff shortages and rising labor costs are sometimes the catalysts for automation and orchestration, but these tools can also help detect stealthy attacks that would otherwise evade detection and improve time-to-respond (TTR). However, automation and technology need to be combined with cybersecurity professionals to balance human and artificial intelligence.
6. Prioritize cost management: “Cash is king” in times of financial uncertainty. It’s crucial to invest in growing the business profitably while maintaining responsible spending. Pursue cost avoidance by assessing a managed cybersecurity solution, which lets you skip DIY hardware purchases and expensive tech hires.
Keep A Step Ahead
Don’t let economic headwinds and changes catch you off guard and unprepared. Top channel leaders bring both optimism and front-line practicality to the conversation. Some best practices for uncertain economic times include automating and streamlining where possible, managing expenses, and using a managed service to augment staffing and capabilities. As their trusted advisor, you can help savvy organizations securely grow their business and navigate marketplace changes. Our adaptive security solution, Netsurion Managed Threat Protection, integrates with your existing security investments and technology stack, quickly scaling to evolving business needs.
This holiday season will be like no other with the continued use of remote work, greater online sales, third-party sourcing from across the globe, and employees taking much-needed time off. Cyber criminals will take advantage of these seasonal distractions to steal sensitive data, hold it for ransom, or use you as a stepping-stone to more lucrative victims. Hackers often strike when businesses let their guard down, gaining access to networks but laying low to strike later. Once centered on key shopping days like Black Friday and Cyber Monday, cyber attacks are now extending across all of November and December and into the new year, making comprehensive vigilance and 24/7 visibility even more challenging. It’s time to fight back against cyber criminals with defense-in-depth resiliency for proactive protection at this crucial time of year.
Here’s a list of 8 threats to watch for and best practices to defend against them:
‘Tis the season to be wary of cyber crime, as hackers don’t just attack larger enterprises. Cyber criminals also use advanced persistent threats (APTs) to target MSPs and mid-sized businesses. Adversaries often target mid-sized businesses because they are supply chain partners of larger firms or may have security gaps that are easy to exploit. Hackers are continually reinventing their tactics, techniques, and procedures (TTPs) to catch you off guard and evade detection, so it’s important to stay on top of vulnerabilities and real-world attacks. And as you look towards the future, ensure cybersecurity is a year-round priority.
I found out how quickly a brand could change from being a favorite of mine to becoming an entity I would never trust again. The result was a new sense of awareness the hard way, and my last visit to our favorite food joint.
I was sitting in my office at work and decided to take a break to balance my credit card with my checking account. I went to my personal email to catch up as well, and saw an alert for a card. But the odd thing was, the alert was for a card I had recently closed and should have been at a zero balance.
The email notification showed it over $5,000!
This caused some feelings I don’t wish to recall. Had my identity been stolen? Who was to blame?
My eyes opened to this vulnerable position for the first time 10 years ago, and then shut indefinitely to the brand that happened to be part of this experience.
As a consumer, I decide what brands to purchase from or invest in based on my gut feelings about them.
I search for bargains, but I am also willing to pay more for quality, peace of mind, atmosphere, and how the experience of the brand makes me feel. Once I find a brand I like, I stick with it, loyally, unless something goes very wrong.
I go through a number of checkpoints all at once when making buying decisions, automatically. Things run through my head like: Do I like the packaging, the atmosphere, the product, the service, the price, and most of all do I trust them?
This applies to all industries, from food, hotel, and travel, to healthcare and retail.
We frequented this wonderful place often. It was a micro-brewery with an amazing menu, nice atmosphere, great service, and best of all, it was a newer restaurant close to home.
By the time I was expecting my second child, our visits became weekly occurrences. I loved the healthy options they offered and my husband reveled in the sweet treats and savory fare.
This restaurant was a sit-down establishment, with wait staff. I would never have dreamed that our credit card data would be compromised there.
I hadn’t even thought about it being a possibility at small retail locations or large brand-name establishments for that matter.
Taking a step back, there is something you should understand about me. I am a Type A personality and completely in control of our finances. I love to save, I have a very high credit score, and have never in my life paid interest on a credit card, as I pay them off in full every month.
I earned my credit score by being responsible, which also came easy. I not only bought only what I could afford, I often passed on buying things that I could afford, and do this even more today. I used credit cards then, and now, because of the convenience, the points, and the sense of security in them over a debit card or cash.
It all started with a peculiar email notification from my past credit card company, showing thousands of dollars in recent purchases on a card that was not in use. I picked up the phone and called the card’s customer service line immediately.
I told them the scenario: My card had been closed weeks prior, it should have shown a zero balance, and it showed that it not only had over $5,000 on it, the purchases were made overseas!
The customer service rep asked me if I lost the card because the purchases were made with a physical card on location. No, I had not. In fact, I had cut it up when I closed it.
That’s when a sense of loss, vulnerability, violation, and anger set in.
It felt very creepy too.
The card company of course took care of this right away for me and ensured the card was not used any longer. It did not impact me financially, but it did impact me emotionally.
After some research, I discovered that people can steal magnetic strip information from your card with a special tool, and sometimes there could even be servers at restaurants who might do this. They accept your card and take it with them for a few minutes, which is part of protocol, so we never noticed anything strange at first.
Once they have the magnetic strip, they can make a new physical card and sell it!
We narrowed it down to this scenario being the culprit, at our favorite place. This theft halted our weekly visits and in 10 years, we haven’t returned.
I think about this scenario from time to time, and realize how important it is for me to be able to trust the place that I’m doing business with.
Although the restaurant brand itself didn’t steal from me, their employee did, and so their brand was ruined.
This particular experience I shared was 10 years ago. Cyber criminals have been on the rise for years, continuing to find new ways to steal. My experience was a singular one. Imagine the implications of thousands or millions of consumers like me experiencing a full breach of data. A brand is only as strong as the people who support it.
Today, I focus on protecting myself with security measures that include card monitoring services, on top of the fact that I review my accounts weekly and check every line item.
When I think of this, it begs the question: If a restaurant, hotel, doctor’s office, etc. decides to accept credit cards as payment, then why don’t they all want to protect themselves, let alone their customers?
This customer holds companies and brands collecting my data to high standards.
The bottom line is that royalty leads to loyalty. The customer is king and always right. When a brand operates under this assumption, their business thrives.
This story was written by a consumer, based on a real-life scenario she experienced a few years back.
In the wake of the most recent terrorist bombing in Boston, it is easy to understand why some people would be willing to sacrifice a few liberties to the government in favor of more security.
A common train of thought is that an honest person does not have anything to hide, so the intrusion into our private lives is really a minor thing.
In a Utopian society, I would tend to agree with that sentiment, but we live somewhere else.
When it comes right down to it, think about what makes up our government. There are the buildings, the laws, and even the history, but in essence, our government is a collection of people.
For the most part, they are our friends and neighbors dedicated to servicing our needs and keeping our great country running. When you have a group of people, you can expect most of them to be upstanding citizens, but it would be naive to think that none of them would be unscrupulous. When the dishonest ones are given access to power, especially intruding into our lives, the results can be catastrophic.
While I hope he is proven innocent and that there has been some kind of misunderstanding, Edwin Vargas (a government representative), has been charged with paying a hacking firm to break into approximately 40 e-mail accounts (21 have been reported to be from fellow officers).
Also, he is accused of illegally accessing the National Crime Information Center database, which he is allowed to access because of his status as a police officer. There are rules governing the use of this database, and Mr. Vargas allegedly ignored them.
According to published reports, this activity had been going on between 2010 and 2012.
This kind of behavior is neither unique to Mr. Vargas nor surprising when you consider that some people just have a tendency to abuse power when they obtain it. With a quick search on the Internet, you can find thousands of cases where government officials abused their offices.
Ben Franklin got it right in 1775 when he said, “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”
We need to remember that the freedoms we give up to the “government” are being put into the hands of real people who may not have our best interests at heart.
Security Information and Event Management (SIEM) is a term coined by Gartner in 2005 to describe technology used to monitor and help manage user and service privileges, directory services and other system configuration changes; as well as providing log auditing and review and incident response.
The core capabilities of SIEM technology are the broad scope of event collection and the ability to correlate and analyze events across disparate information sources. Simply put, SIEM technology collects log and security data from computers, network devices and applications on the network to enable alerting, archiving and reporting.
Once log and security data has been received, you can:
Logs from firewalls and IDS/IPS sensors are useful to uncover external threats; logs from e-mail servers and proxy servers can help detect phishing attacks; logs from badge and thumbprint scanners are used to detect physical access.
Logs from computers, network devices and applications are used to develop a trail of activity across the network by any user, but especially by users with high privileges.
Most enterprises have critical data repositories in files, folders and databases, and these are attractive targets for attackers. Monitoring all server and database resource access improves security.
With all logs and security data in one place, an especially useful benefit is the ability to correlate user activity across the network.
Compliance is often the source of funding for SIEM. When properly set up, SIEM can reduce auditor on-site time by up to 90%; more importantly, compliance is to the spirit of the law rather than merely a check-the-box exercise.
Answer who, what, when and where questions. Such questions are the heart of forensic activities and critical to drawing valuable lessons.
SIEM technology is routinely cited as a basic best practice by every regulatory standard and its absence has been regularly shown as a glaring weakness in every data breach post mortem.
Want the benefit but not the hassle? Consider SIEM, our service where we do the disciplined blocking and tackling which forms the core of any security or compliance regime.
Do you embrace the matrix?
Not this one, but the IT Organizational Matrix, or org chart. The fact is, once networks get to a certain size, IT organizations begin to specialize and small kingdoms emerge. For example, endpoint management (aka Desktop) may be handled by one team, whereas the data center is handled by another (Server team). Vulnerability scanning may be handled by a dedicated team but identity management (Active Directory? RSA tokens?) is handled by another. At this level of organization, these teams tend to have their own support infrastructure.
However, InfoSec controls are not separable from IT. What this matrix at the organizational level becomes is a graph of security dependencies at the information level. John Lambert explains in this blog post.
For example, the vulnerability scanning systems may use a “super privileged account” that has admin rights on every host in the network to scan for weaknesses, but the scanners may be patched or backed up by the Server team with admin rights to them. And the scanner servers themselves are accessed with admin rights from a set of endpoints that are managed by the Desktop team.
This matrix arising from domain specialization creates a honeycomb of critical dependencies. Why is this a problem? Well, because it enables lateral movement. Attackers who don’t know the map or org chart can only navigate the terrain as it exists. In this case, though, the defenders may manage from the network map like good little blue tin soldiers.
If this is your situation, it’s time to simplify. Successful defenders manage from the terrain, not the map.
“You see, but you do not observe. The distinction is clear.” Sherlock Holmes said this to John Watson in “A Scandal in Bohemia.” Holmes was referring to the number of steps from the hall to the rooms upstairs. Watson, by his own admission, has mounted those steps hundreds of times, but could not say how many there were. The same can be said in the world of IT cybersecurity. A lot of data, an overwhelming amount actually, is available from hundreds of sources, but rarely is it observed. Having something and getting value from it are entirely different.
This is also underlined in the story, “Peace Health employee accessed patient info unnecessarily.” On Aug. 9, a Vancouver medical center, Peace Health, discovered that an employee accessed electronic files containing protected health information, including patient names, ages, medical records, account numbers, admission and discharge dates, progress notes, and diagnoses. An investigation revealed that the employee accessed patient information between November 2011 and July 2017.
What? This had been going on for 5 years and was just discovered? It would seem this is another case of “You see but do not observe,” and indeed the distinction is clear. Log data showing what this employee was doing had been accumulating and faithfully archived, but it was never examined.
What was the impact? There was reputational damage, plus the costs incurred (letters, call center expenses, etc.), and possible fines by HHS for the HIPAA violation. Plus, there was disruption of regular tasks to investigate the extent and depth of this incident and related incidents that may have occurred.
Ben Franklin observed that an ounce of prevention is worth a pound of cure. The same is true in cybersecurity. We at EventTracker know that it’s hard to pay attention given the volume of security data that is emitted by the modern network. Therefore, we provide security monitoring as a service, so that you don’t just get more technology thrust your way, you gain the actual outcome you desire.
How many days go by between news stories involving computer breaches?
In the last month alone, with the Sony breach fresh on everyone's mind, Anthem Inc. announced that they lost 80 million records, Chick-fil-A announced that they were investigating a potential credit card security breach, and several Marriott locations managed by White Lodging (which already had a different incident in 2013) are looking into a newly reported credit card breach.
If these were the only incidents, it would still be considered a huge amount.
However, this list fails to include the over 25 small businesses that announced breaches during the same time period. Merchants, especially small ones, wonder how they are supposed to operate their businesses effectively in the new corporate landscape which has cyber criminals attempting to steal data, especially credit cards, at every turn.
The truth of the matter is that as long as sensitive data is gathered by merchants, thieves will attempt to steal it. We are referring not only to credit card numbers, but driver’s licenses, social security numbers, or other personal or confidential information that can be sold on the black market, as well.
The crux of the issue is that many small merchants are currently unable to protect this data when faced with the ever-changing technological advancement the cyber criminals are making. Clinging to the hope of a “Silver Bullet” that can fix all their woes, merchants are hoping that as the US moves to EMV chip cards for payment (like the ones used in Europe), that credit card theft will become a thing of the past.
The credit card companies are pressuring merchants to accept this new type of payment card, and merchants who fail to upgrade will specifically be responsible for all credit card fraud after October of this year.
For more information about merchant liability, check out this link.
However, there is a misconception regarding EMV that any business accepting credit cards should understand.
With EMV cards, it is difficult to replicate the physical credit card if stolen from a merchant at the time of the swipe, similar to what happened with the Target breach. That does not mean that the transactions are safe from being retrieved by hackers.
In fact, EMV transactions still send credit card data in clear text that hackers can use for credit card fraud. Since creating fake cards is more difficult with these EMV cards, hackers steal the data from merchants and then perpetrate online fraud instead of in-person fraud.
In other words, criminals will steal the data and then use the credit cards to purchase merchandise from those who sell goods or services on the web.
The answer is not complicated, but it does require a shift regarding how business is conducted.
Protecting data needs integration into how things run, and security measures should not be considered “add-on” components which are really outside of the core operations of the business. Security should include using up-to-date software for point of sale operations, best practices for network security such as highly secure firewalls, employee education, and testing to validate those measures in place.
A good starting point is implementing the PCI Data Security Standards. Unfortunately, many merchants find this set of requirements difficult, or impractical, to implement on their own. While it is true that PCI Data Security is complex, it is also true that there are options for managing many of the PCI components that cause small businesses so many headaches.
Much like physical security or an alarm system, experts are brought in to verify that physical inventory and cash are protected. There is no reason this should be different for electronic security as well.
There are many complicated issues when it comes to protecting sensitive data. That does not mean that you cannot find support and help to both mitigate your risk and simplify what it takes to keep your electronic data secure.
In the same way that the hacking community has grown in sophistication, so has the managed security industry. With minimal effort it should be possible to determine where you have gaps in your data and security plans, and with the right consultant you should be able to find an affordable solution to help you keep your customers' information safe.
Hacking is the new reality, and it is up to merchants to accept the fact that in the electronic era, there is a huge amount of data that entices criminals to pay attention to what is stored.
If you cannot manage the scope of the problem yourself it is prudent to look for professional help. There are no longer options to ignore the problem and hope that you skate under the radar of the criminals.
Businesses are always looking for ways to deliver increased value to clients while optimizing efficiency, and this year is no exception. Digital transformation, remote work, and economic uncertainty are just some of the challenges impacting organizations today. As you plan next year’s budget, it’s a good idea to assess current operational successes and opportunities to increase efficiency and effectiveness. Here are some practical recommendations to increase cybersecurity effectiveness and help you optimize finite budgets and time.
Recent security breaches and ransomware attacks have led to a proliferation in point products that can add complexity and cost. Organizations have an average of 75 security tools, and “tool bloat” requires more experts to hire, train, and operate the technology. You can minimize cyber sprawl in order to enhance security and operational efficiency. According to Ponemon Institute’s “Cost of a Data Breach 2022” report, security system complexity was the top item of 25 that increased data breach costs.
While there’s no silver bullet or single vendor covering the entire threat chain, streamlining your technical infrastructure saves time and money. First, evaluate whether your organization has unused or even unsanctioned applications that create risk and can be jettisoned. Second, look for cybersecurity solutions that improve attack surface coverage and address the broadest vulnerabilities and risks, all tailored to your security posture. Finally, consider integrated solutions like Netsurion’s Managed Open XDR that offers defense-in-depth with single-pane-of-glass visibility and a predict, prevent, detect, and respond approach to advanced threats.
The global shortage of over 3 million security professionals has created a cybersecurity staffing crisis. Almost 60% of organizations state that the staffing shortage impacts their risk posture. If you could hire a cybersecurity expert, retaining them over time becomes an even more significant challenge as larger enterprises woo staff away. Managed XDR offers an affordable and flexible approach to enhance your existing staff and technical skills and scale up and down instantly.
With Managed XDR, you receive the Security Operations Center (SOC) “function” in a SaaS model along with cybersecurity experts, comprehensive technologies like SIEM and Endpoint Protection, and managed services like vulnerability assessments and network flow scanning. Our research shows that an in-house SOC requires 9-12 months to implement, involves 12 dedicated professionals for 24/7/365 coverage, and can cost anywhere from $1.5 to $5 million/year. On the other hand, Managed XDR accelerates your security maturity without CAPEX and the challenge of hiring and retaining technical experts. You can rapidly onboard your users with Managed XDR that scales with you.
Managed Open XDR can include SaaS-based cloud deployment options. With no hardware to purchase or maintain, cloud-based security controls reduce total cost of ownership (TCO) with a pay-as-you-grow model. The platform is already implemented, provisioned, tested, and often paired with a managed service that speeds up onboarding and time-to-value. SaaS solutions make Work-from-Home (WFH) easy with their anytime, from-anywhere access. In addition, a centralized cloud console lets you focus on your business and not on managing hardware. Also, log storage in the cloud scales with your customers to simplify meeting compliance requirements. To deter today’s financially motivated threat actors, it’s crucial to protect sensitive data with comprehensive visibility across endpoints, mobile devices, and cloud.
Security complexity is increasing in the face of exploding cyber threats. But there are ways to streamline IT operations and spend, all without sacrificing compliance, data security, and customer engagement:
Staying competitive and profitable in this challenging environment requires a unified blend of people, processes, and technology. Whether you are implementing a SOC for the first time or augmenting to add weekend and after-hours coverage, 24/7 cybersecurity analysts in a managed service work as an extension of your in-house team.
At Black Hat 2019, Eric Doerr, GM of the Microsoft Security Response Center, reminded attendees of the interconnectedness of enterprise software supply chains and of their vulnerability to attack. Eric highlighted how supply chain compromises come in many guises:
The list of supply chain attack vectors is long and nefarious, and of course applies to hardware as well – peripherals, networking equipment, IoT devices, even server blades.
Supply chain cybersecurity best practices dictate a number of straightforward defenses:
But as Eric pointed out, “I’m in your supply chain, and you’re probably in mine.” Software and services produced by one vendor can, and do, end up in other vendors’ manifests and stacks, propagating deep among suppliers and consumers. The multiplicity of organizations, code and services in this cascade of supply and consumption almost guarantees the inclusion of exploitable vulnerabilities and embedded hostile code.
Today, in the face of international sourcing, admixture of proprietary and open source code, and huge variability in vendor practices, securing the enterprise supply chain borders upon the impossible. What steps can CISOs and IT security teams take to mitigate risk from vendor and community-supplied software and firmware?
The first step is developing a strategy. Certainly, it makes sense to follow and enforce the supply chain security practices outlined above. But how do you mitigate the threats that survive the vendor-consumer gauntlet? Once past these protections, having effectively side-stepped perimeter defenses, supply chain attacks can run amok on your networks, inside your applications and across your data, on par with privilege escalations and high-level insider attacks.
Until the modern software supply chain cleans up its act, through self-regulation or government mandate, the best way to mitigate sourcing risk is with comprehensive Security Information and Event Management (SIEM) – integrating security monitoring, threat detection and response, combined with Endpoint Detection and Response (EDR). Netsurion’s EventTracker SIEM and EDR together address supply chain threats, as follows:
In today’s landscape of interwoven ecosystem relationships and complex provenance of software and firmware, securing your technology supply chain ranges from daunting to near impossible. CISOs worry about fully vetting the integrity of software and hardware sourcing. They lose sleep thinking about potential ingress of malicious and vulnerable code across purchasing, development, IT and other entry points. With Netsurion SIEM and EDR, CISOs and security practitioners can rest easier and devs continue leveraging high value ecosystem software and firmware. Try it today.
MSSPs need airtight threat detection and rapid, reliable remediation. The optimal way to do this is to ensure you have top-notch MDR capabilities 24/7/365. Many MSSPs partner with an MDR provider to achieve this.
MSSPs face frequent hurdles in their quest to grow their security business, maintain current customer satisfaction, and enhance IT operations and efficiency:
Service Providers can embrace MDR as a crucial layer of cybersecurity defense. Managed Detection and Response (MDR) can overcome these real-world customer challenges with fast deployment, continual adaptation, and much-needed cybersecurity expertise as a managed security service.
What is MDR?
Managed Detection and Response (MDR) is a managed cybersecurity solution that delivers services tied to 24/7 threat monitoring, detection, and response. MDR minimizes the burden of running complex software and tools by combining and managing the right security analytics and technology. It encompasses a Security Operations Center (SOC) that includes tech stack expertise and extends value by aggregating, analyzing, and executing an incident response playbook.
MDR provides multiple layers of protection to counter the multiple attack vectors possible. Various technologies used to provide enhanced visibility and better detection and response include Security Information and Event Management (SIEM), and Endpoint Protection Platforms (EPP).
Challenges that MDR Addresses
There are three critical capabilities that an MDR solution must provide:
How MSSPs Can Help
Advanced cybersecurity is becoming more critical as sophisticated threats have accelerated, from financially-motivated cyber criminals to well-funded nation-state attackers targeting software supply chains. According to Gartner, “By 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities.” With strong business community relationships, MSSPs are well-positioned to embrace MDR and evolve their technology stack. There are several options to adopt MDR: purchase MDR tech and manage it yourself, team up with a proven MDR service provider, or a hybrid approach.
Avoid MDR Pitfalls
When deciding to embrace and adopt MDR, focus on how that solution adds value to your customer relationships and brings in new revenue streams without tying up capital and adding business risk. Whether you are purchasing and managing your own MDR tool, teaming up with an MDR service provider, or have found a hybrid approach, be aware of the hazards you can face when evaluating moving forward with an MDR solution:
Netsurion provides MDR services that enable MSSPs to quickly improve their cybersecurity maturity to substantially decrease risk.
MDR Buyer’s Guide
MDR addresses the technology and human element needed for cybersecurity outcomes against advanced threats. Interest in MDR services is growing as organizations look for ways to defend against stealthy and persistent cyber criminals. MSSPs will find a wide range of MDR definitions and approaches, so becoming an educated decision maker is crucial. Find the managed cybersecurity solution that’s right for your customer base and augments your current capabilities. Netsurion empowers MSSPs to better predict, prevent, detect, and respond to threats with a defense-in-depth approach to MDR. Learn more in our comprehensive MDR Buyer’s Guide.
In what should only be considered a victory for the U.S. Department of Justice, 2 of the 4 alleged Subway hackers have already been sentenced, and one of the remaining criminal’s trial is set to begin shortly.
The 4th identified co-conspirator, has not yet been brought to justice, but hopes run high that he will also be caught and convicted.
These men, who perpetrated a sophisticated attack against the computer systems of the famous sandwich chain, have been responsible for potentially $10 million in computer fraud, according to a press release from the U.S. Department of Justice.
As a security professional, I am usually the first one to stand up and cheer when I hear that hackers have been found and arrested.
While it is true that most of these criminals do not violently attack their victims, they continually erode the confidence consumers and businesses have in general when it comes to individual security. Every time a card is electronically stolen, the retail industry as a whole suffers.
The only issue I have with recent events is that the sentences seem too light to deter other hackers from following in the footsteps of these Romanians.
For what could be a $10 Million crime, Iulian Dolan, 28, of Craiova, Romania was sentenced to 7 years. That’s 1 year for every $1.4 Million stolen.
More recently, Iulian’s co-conspirator, Cezar Butu, 27, of Ploiesti, Romania was sentenced to 21 months. That’s 1 month for every $476 Thousand stolen.
Hackers are like any other criminal. They perpetrate these crimes to make money. One of the costs of doing business is being arrested and going to jail.
With these sentences, both men will soon be back on the street, having served their jail time, and free to electronically look for more pockets to pick.
I commend the efforts of law enforcement to capture these elusive criminals. I just wish the sentences were more commensurate with the severity of the crimes. Other hackers now have a baseline to determine if their activity is worth risking a short stint in a U.S. prison.
In other words, a criminal can easily see himself risking a few months in jail if the payoff is big enough. Longer jail times mean that a hacker might reconsider his crime because the risk is greater for every dollar stolen.
The word “ransomware” has been in the headlines quite a bit this year. The Institute for Critical Infrastructure Technology (ICIT) has even called 2016 the year of ransomware.
Ransomware is a business’ worst nightmare. This malware infects computers and restricts the users from accessing any of their data until paying the ransom.
Imagine a hospital unable to access patients’ data or a financial institution unable to manage their customers’ accounts? What would you do to get that data back?
Victims of ransomware have been presented with the following choices: Restore their backups (if they had any and if they do, it takes quite a few days to retrieve it all) or pay the ‘ransom’ to get the data back.
Assuming they get the data back, at that point these businesses have had operations grind to a halt for days, spent money on retrieving this data and most of all, their business’ reputation has taken a hit.
In addition to having Netsurion’s remote-managed network security as your first line of defense against ransomware, here are a few things you can do yourself to protect your business.
Netsurion remote-managed network security is your best first line of defense against ransomware! Contact us today to learn more.
1 in 3 people who are affected by a data breach will also be a victim of identity theft or fraud.
The number of data breaches continues to increase. Cybercrime affects your brand, your customers and your employees in ways that are unrecoverable at times.
Javelin Strategy & Research reported that 1 in 3 people who are affected by a data breach will also be a victim of identity theft or fraud. Along with that, U.S. consumers lost more than $16 billion last year alone.
Our remotely-managed network and data security services, and PCI compliance solutions, ensure your brand is secure from all security threats - both internally and externally.
Netsurion protects your brand so you can focus on growing your business.
Organizations can no longer afford to be just reactive, relying solely on detection and response when it comes to cybersecurity. Threat hunting is the next step. It is a proactive approach to uncovering threats that otherwise go undetected, like multi-stage ransomware attacks and malware that lies dormant in your network until activated to exfiltrate data.
What is Threat Hunting?
Threat hunting is the human-executed process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. This proactive line of defense creates a rapid response before attackers change their methods or escape detection. Threat hunting is a necessary component of comprehensive, layered security.
Common Fallacies About Threat Hunting Hold Adoption Back
Recent research from the SANS Institute shows that threat hunting adoption is growing, and it works. Sixty-eight percent of organizations measuring their threat hunting saw a 25% to 75% improvement in overall security posture. However, lack of staff and skills — along with common misconceptions about what threat hunting is — all stand in the way of broader adoption. Here are some of the fallacies our Netsurion Security Operations Center (SOC) experts have encountered “in the wild,” and what you really need to know about threat hunting.
1. Threat hunting and incident response are the same thing. Threat hunting is “before.” Incident response is “after.” They are not the same thing. If you are threat hunting, you are proactively looking for a sign of an incursion or anomalous activity in your network as part of prevention and detection. If you find something, you need to escalate it so the appropriate IT or IT security person can take action. That action, which follows the threat hunting activity, is incident response.
2. Compliance mandates require threat hunting. By compliance mandates, we’re typically talking about complying with the security requirements put forth by the Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) frameworks, for instance. Their security mandates address two things: security hygiene, and best practices in terms of security configuration. You can be compliant with these regulations and still have security breaches because most requirements address the least common denominator of security. As such, these regulations do not mandate threat hunting. Threat hunting is going above and beyond the basic requirements set forth by regulatory mandates.
3. Threat hunters have to know what they are looking for. Not always. Threat hunting may be triggered by an alert or an alarm that the threat hunter investigates to determine the cause. Or it can be triggered by security news, as in the case of news coverage of the log4j, Hafnium, and SolarWinds vulnerabilities, or by an internal observation.
These hunts are for a known/known threat — you know what it is and that it happened. Another kind of threat hunting is looking for an unknown/unknown threat — the most difficult to find. Threat hunters proactively investigate anomalous activity in the network — like a spike in the number of attacks on a website or scans on a firewall, or an unusual number of login failures. The focus is on Root Cause Analysis (RCA).
4. Artificial intelligence and Machine Learning can take care of threat hunting. We see Machine Learning (ML) as a force multiplier for threat hunting, not a replacement for it. There are a lot of nuances and variabilities that human threat hunters are much better equipped to address. At Netsurion, we use ML for anomaly detection, which the human threat hunters then pursue. But can we give the job entirely to ML? Not yet. The technology today is still quite limited compared to the scope of the problem, but it is definitely the way of the future.
5. If you have threat intelligence, you don’t need threat hunting. Threat intelligence and threat hunting are two different things. You need threat intelligence to do threat hunting. This includes internal threat intelligence, such as understanding your network and the baseline for what is normal, as well as external threat intelligence that you can subscribe to from any number of vendors. It consists of information about threat actor motives, targets, and attack behaviors that has been aggregated to provide threat context and insight for security professionals. If you find something unusual in your network, these threat databases give you a place to look up whether it is a known threat.
Threat hunting, performed by an elite team of threat hunters working out of our SOC, is an integral component of Netsurion’s Managed Open XDR solution. We integrate MITRE ATT&CK® threat intelligence with our hypothesis-driven approach to proactive, continuous threat hunting. Learn more here, or watch this webinar for a demo of threat hunting using our platform.
I often get asked how to audit the deletion of objects in Active Directory. It’s pretty easy to do this with the Windows Security Log – especially for tracking deletion of users and groups, which I’ll show you first. All you have to do is enable “Audit user accounts” and “Audit security group management” in the Default Domain Controllers Policy GPO. You’ll find these 2 policies under Security Settings\Advanced Audit Policy Configuration. Make sure you also enable the Security Option named “Audit: force audit policy subcategories to override…”; this option ensures that the latter settings actually take effect.
Within a few minutes all your domain controllers will begin auditing changes to domain users and groups – including deletions. The events to look for are
4730 – A security-enabled global group was deleted
4734 – A security-enabled local group was deleted
4758 – A security-enabled universal group was deleted
4726 – A user account was deleted
Here’s an example of event ID 4726:
A user account was deleted.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1fd23
Target Account:
Security ID: WIN-R9H529RIO4Y\bob
Account Name: bob
Account Domain: WIN-R9H529RIO4Y
Additional Information:
Privileges –
As you can see there’s a different event ID for each scope of group (global, local, universal). The fields under Subject, as always, tell you who deleted the group and under Deleted Group you’ll see the name and domain of the group that was removed. Then of course there’s 4726 for the deletion of user accounts. Interpreting this event is easy; the Subject fields identify who did the deleting and the Target fields indicate the user account that is now gone.
Monitoring deletions of organizational units (OUs) and group policy objects (GPOs) requires a few more steps. First you need to enable “Audit directory service changes” in the same GPO as above. But Active Directory doesn’t automatically start auditing deletions of OUs and GPOs yet. Next you need to open Active Directory Users and Computers. Select and right-click on the root of the domain and select Properties. Click the Security tab, then Advanced and then the Audit tab. Now you are looking at the object level audit policy for the root of the domain, which automatically propagates down to child objects. Here you need to add 2 entries that audit the successful use of the Delete permission for organizationalUnit and groupPolicyContainer objects.
Within a few minutes your domain controllers should start logging event ID 5141 whenever either type of object is deleted. To determine what kind of object was deleted, look at the Class field, which will be either organizationalUnit or groupPolicyContainer. The other fields under Object: and Directory Service: provide the name and domain of the object deleted, and of course the Subject tells us who deleted the object. Here’s an example of a deleted GPO. Notice that the GUID of the GPO is listed instead of its more friendly Display Name. That’s because GPOs are identified in their official Distinguished Name by GUID.
A directory service object was deleted.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x30999
Directory Service:
Name: acme.com
Type: Active Directory Domain Services
Object:
DN: CN={8F8DF4A9-5B21-4A27-9BA6-1AECC663E843},CN=Policies,CN=System,DC=acme,DC=com
GUID: CN={8F8DF4A9-5B21-4A27-9BA6-1AECC663E843}\0ADEL:291d5001-782a-4b3c-a319-87c060621b0e,CN=Deleted Objects,DC=acme,DC=com
Class: groupPolicyContainer
Operation:
Tree Delete: No
Correlation ID: {140c9cef-8dc1-48f4-8b4a-de79230731a6}
Application Correlation ID: –
Going back to users and groups for a moment, remember that the method described above also results in all other changes to users and groups being audited as well, which I think is important to do. But if you really only want to track deletions, you can actually use the same method just described for OUs and GPOs for users and groups too. All you need to do is add audit entries to the root of the domain for user and group objects. Then Active Directory will start recording 5141 for user and group deletions too.
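As an added example (not code from the original post), here is a small Python parser that normalizes the rendered 4726 and 5141 messages shown above into who-deleted-what records, recovering the GPO GUID from the DN and passing the Class field through so user/group deletions logged as 5141 are classified the same way. The sample messages are constructed to mirror the post's examples, and the "Group" section label assumed for the 4730/4734/4758 messages is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# First line of each rendered message -> event ID (the IDs the post lists).
MESSAGE_TO_ID = {
    "A user account was deleted.": 4726,
    "A security-enabled global group was deleted.": 4730,
    "A security-enabled local group was deleted.": 4734,
    "A security-enabled universal group was deleted.": 4758,
    "A directory service object was deleted.": 5141,
}
GROUP_SCOPE = {4730: "global", 4734: "local", 4758: "universal"}
GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")


@dataclass
class DeletionRecord:
    event_id: int
    actor: str           # DOMAIN\user from the Subject section (who deleted it)
    target: str          # deleted account as DOMAIN\name, or the object DN for 5141
    object_class: str    # user, <scope> group, organizationalUnit, groupPolicyContainer
    gpo_guid: Optional[str] = None   # recovered from the DN for deleted GPOs


def parse_sections(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Turn the 'Section:' / 'Field: value' layout of the message into nested dicts."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in lines:
        if line.endswith(":"):                  # "Subject:" etc. opens a section
            current = line[:-1]
            sections[current] = {}
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")  # first colon only: DNs contain more
            sections[current][key.strip()] = value.strip()
    return sections


def parse_event(text: str) -> Optional[DeletionRecord]:
    """Normalize one rendered Security Log message; None if it is not a deletion."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    event_id = MESSAGE_TO_ID.get(lines[0]) if lines else None
    if event_id is None:
        return None
    sections = parse_sections(lines[1:])
    actor = sections.get("Subject", {}).get("Security ID", "")
    if event_id == 5141:
        obj = sections.get("Object", {})
        dn, cls = obj.get("DN", ""), obj.get("Class", "")
        match = GUID_RE.search(dn) if cls == "groupPolicyContainer" else None
        return DeletionRecord(event_id, actor, dn, cls, match.group(1) if match else None)
    if event_id == 4726:
        tgt = sections.get("Target Account", {})
        target = f"{tgt.get('Account Domain', '')}\\{tgt.get('Account Name', '')}"
        return DeletionRecord(event_id, actor, target, "user")
    # 4730/4734/4758: the deleted group's section label ("Group") is an assumption.
    grp = sections.get("Group", {})
    target = f"{grp.get('Group Domain', '')}\\{grp.get('Group Name', '')}"
    return DeletionRecord(event_id, actor, target, f"{GROUP_SCOPE[event_id]} group")


def find_deletions(messages: List[str]) -> List[DeletionRecord]:
    """Run the parser over a batch of rendered messages and keep only deletions."""
    return [r for r in map(parse_event, messages) if r is not None]


# Constructed sample messages, modelled on the two events quoted in the post.
SAMPLE_EVENTS = [
    """A user account was deleted.
Subject:
Security ID: WIN-R9H529RIO4Y\\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Target Account:
Security ID: WIN-R9H529RIO4Y\\bob
Account Name: bob
Account Domain: WIN-R9H529RIO4Y
""",
    """A directory service object was deleted.
Subject:
Security ID: ACME\\administrator
Account Name: administrator
Account Domain: ACME
Object:
DN: CN={8F8DF4A9-5B21-4A27-9BA6-1AECC663E843},CN=Policies,CN=System,DC=acme,DC=com
GUID: CN={8F8DF4A9-5B21-4A27-9BA6-1AECC663E843}\\0ADEL:291d5001-782a-4b3c-a319-87c060621b0e,CN=Deleted Objects,DC=acme,DC=com
Class: groupPolicyContainer
""",
    """A directory service object was deleted.
Subject:
Security ID: ACME\\jdoe
Object:
DN: OU=Sales,DC=acme,DC=com
Class: organizationalUnit
""",
    "An account was successfully logged on.\nSubject:\nSecurity ID: ACME\\jdoe\n",   # ignored
]
```

Feeding the Message property of Get-WinEvent results (IDs 4726, 4730, 4734, 4758, 5141) into find_deletions gives the same records for live Security Log data.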
Ransomware risk changed dramatically for Managed Security Service Providers (MSSPs) and their clients in 2021. The Kaseya hack used a vulnerability in the popular Virtual System Administrator (VSA) remote management software to spread ransomware through MSSPs to an estimated 1,500 small-to-medium-sized businesses (SMBs) worldwide. The Cybersecurity and Infrastructure Security Agency (CISA) warns that more of the same is coming in 2022.
This article provides insights about mutual ransomware responsibilities to set expectations, ensure threat lifecycle coverage, and enhance client satisfaction.
MSSP Mitigation Responsibilities Against Ransomware
Clients know about the escalating ransomware threats and are understandably concerned. As an MSSP, are you making it clear where your responsibilities begin and end for both you and your clients? Miscommunication regarding ransomware and cybersecurity roles and responsibilities can lead to finger pointing, a lack of action in the middle of a security incident, and even dissatisfaction with the business relationship.
Justifiably, MSSP clients should expect their service providers to do everything they can to protect them against ransomware and widespread vulnerabilities like Log4j. Service providers should take both strategic and tactical approaches to multi-layered security.
MSSPs should also be ready to demonstrate that they meet cyber hygiene fundamentals on their own systems, including encryption of network traffic and effective patch management. In particular, you must make sure that you are proactive in patching and keeping current on remote monitoring and management tools used to access client systems. Cyber criminals are actively targeting MSSPs as a steppingstone to targeted client accounts and other supply-chain partners.
Other mitigations and hardening within MSSP control that clients expect, include:
The Precedent for Shared Cybersecurity Responsibility
At the same time, MSSPs can expect their clients to assume responsibility for the elements of cybersecurity under their control — with joint responsibilities clearly defined in writing if possible.
There is established precedent for shared security responsibility by cloud providers. For example, this matrix from Microsoft makes it clear that responsibility for information and data, end user devices, and accounts and identities is always retained by the client. Microsoft is always responsible for physical hosts, the physical network, and the physical data center. However, responsibility for the layers in the middle – operating system, network controls, applications, and identity and directory infrastructure – varies depending on the type of cloud service and may be shared by the client and Microsoft.
Clients Can Retain or Delegate their Responsibilities
MSSP clients can be expected to perform basic security practices such as their own patching of operating systems and applications if they are not part of a managed security service offering. Unless otherwise stated, client security responsibilities can include endpoint protection, vulnerability management, account privilege policy management, security awareness training for employees, virtual private networks (VPNs) for internet access and remote work, and Multi-factor Authentication (MFA) for network and application access.
Alternatively, clients can engage their MSSP to provide any or all of these security capabilities. As a trusted advisor, you can help elevate cybersecurity and ransomware protection as a strategic priority and shared responsibility. Given the high visibility of third-party vulnerabilities and the continued threat of ransomware, now is a good time to talk to clients about their level of protection and how you can help.
Key Takeaways
What is important for MSSPs and their clients is clarity about who is responsible for what aspects of cybersecurity management. MSSPs, especially those serving SMBs that have limited in-house IT or security expertise, should use plain language in outlining ransomware and cybersecurity roles and responsibilities so there can be no misunderstandings.
A Solution That Makes It Easier for MSSPs and Their Clients
Use these four steps to predict, prevent, detect, and respond to escalating ransomware:
Lumifi’s approach to managed threat protection ensures transparency and allows you to set client expectations regarding cybersecurity responsibilities and deliverables.
Scottsdale, AZ (October 24, 2023) Lumifi, a cybersecurity industry leader, is embarking on a strategic expansion plan by targeting MDR cybersecurity firms. This strategic direction gains its foundation from Lumifi's recent landmark acquisition, Castra, valued at $14 million, which further fortifies the SOC Visibility Triad, a concept initially introduced in a Gartner® research report titled "Apply Network-Centric Approaches for Threat Detection and Response."1 We believe that Lumifi has followed this path diligently for 15 years.
By integrating top-tier cybersecurity analysts with cutting-edge systems, Lumifi steadfastly maintains its gold standard in safeguarding its esteemed clientele. This development comes in the wake of Lumifi's $30 million acquisition of Datashield from ADT in April 2022. The company is now primed to secure 2-4 more acquisitions within the next 6 to 18 months, bolstering its position in the cybersecurity landscape.
According to Gartner® “The renewed focus on the human element continues to grow among this year’s top cybersecurity trends,” says Gartner Senior Director Analyst Richard Addiscott. “Security and risk management leaders must rethink their balance of investments across technology, structural, and human-centric elements as they design and implement their cybersecurity programs.” 2
Each day brings new threats and challenges, further compounded by artificial intelligence (AI). Cybercriminals have become more sophisticated, and thus the detection and mitigation of security threats must be thorough. Lumifi’s approach to cybersecurity integrates system, network, and device monitoring with human expertise. The company’s advanced security framework is monitored 24 hours a day, 7 days a week by a team of U.S.-based cybersecurity analysts and former military and DoD experts.
Lumifi/Datashield is the pioneer in managed detection and response (MDR) and has established itself as a prominent industry leader. With over 15 years of experience, initially focusing on packet captures and forensics, Lumifi/Datashield gained recognition in its early stages for its instrumental role in shaping the current MDR landscape. Today, Lumifi stands as a premier outsourced service, dedicated to equipping organizations with specialized threat-hunting capabilities and swift responses to emerging security risks.
“We are experiencing increasing demand for our comprehensive and proactive MDR services,” said Michael Malone, CEO of Lumifi. “Keeping our customers out of harm’s way 24/7 requires the perfect combination of breakthrough yet highly reliable and proven technology solutions and qualified human expertise. Now, our next steps for expansion necessitate finding and acquiring the best MDR companies that complement and expand upon all that we are presently offering.”
While many cybersecurity solutions necessitate regular oversight, Lumifi sets itself apart by providing a cutting-edge Managed Detection and Response (MDR) service. This unique approach synergizes the capabilities of our Security Operations Center with our in-house developed platform, ShieldVision™. Recognized as a top-tier Security Orchestration, Automation and Response (SOAR) solution, ShieldVision™ stands out in threat detection, proactive hunting, and immediate automated interventions. As Lumifi pursues acquisitions of firms like Castra, the company’s focus is not just on expanding our tech arsenal, but also on deepening its engineering expertise.
David Norlin, CISO at Lumifi, notes, “Our strategic partnerships with technology frontrunners like Palo Alto Cortex, Extrahop, and Exabeam highlight our dedication to pushing boundaries and strengthening our industry leadership.”
Lumifi's growth strategy has garnered unwavering support from its investors, who eagerly anticipate expanding its technology stack and human capital. The recent success of the Castra acquisition has further fueled investor excitement as they look forward to Lumifi surpassing customer expectations across diverse industries, including Fortune 500 companies, prominent government agencies, and discerning legal firms. Castra was recently recognized for the second year in a row as one of CRN’s fastest growing technology vendors in North America.
“We are amazed about the high caliber of protection technology and services provided by Lumifi,” said Chris Graber, Managing Director, Corporate Investments & Acquisitions at BOK Financial. “They have a winning combination of human and cybersecurity integrated solutions that effectively detect and thwart cyberattacks. The Lumifi cybersecurity services are resonating with top-tier clients.”
Staying ahead of cybercriminals is no easy task, but Lumifi continues to evolve and innovate. The strategic initiative to acquire new MDR partners is another game-changing move that further strengthens Lumifi’s capabilities to provide unparalleled defense of critical customers.
“Lumifi is defining the future of cybersecurity,” said Frank Mora, Senior Partner of HCAP Partners. “The company is well positioned to acquire additional MDR partners and will fortify their customers with the best possible system, network, and device monitoring capabilities.”
For cybersecurity firms looking to explore collaborative opportunities and consider becoming a part of the Lumifi family, contact Matthew Decker at [email protected]. We are eager to engage with partners who share our vision and commitment to excellence.
1 Gartner, “Top Strategic Cybersecurity Trends for 2023,” Lori Perri, published April 19, 2023.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
2 Gartner, “Applying Network-Centric Approaches for Threat Detection and Response,” Augusto Barros et al., March 18, 2019, ID G00373460
About Lumifi
Lumifi, headquartered in Scottsdale, is a vanguard in the cybersecurity industry, dedicated to protecting digital assets and fortifying cyber defenses for businesses across the board. With a team of experts and state-of-the-art technology, Lumifi is shaping the future of cyber safety.
About SkySong, The ASU Scottsdale Innovation Center
SkySong, The ASU Scottsdale Innovation Center is one of the premier economic engines in the Valley of the Sun. The project’s success is a direct result of a focus on innovation and technology that attracts companies ranging from some of the world’s best known brands to one-or two-person startups.
###
Copyright ©2023 Lumifi. All rights reserved. Lumifi and ShieldVision are trademarks or registered trademarks of Lumifi. Trademarks of other companies mentioned appear for identification purposes only and are property of their respective companies.
This post got me thinking about a recent conversation I had with the CISO of a financial company. He commented on how quickly his team was able to instantiate a big data project with open source tools. He was of the view that such power could not be matched by IT security vendors who, in his opinion, charged too much money for demonstrably poorer performance.
The runaway success of the ELK stack has the DIY crowd energized. Why pay security vendors for specialist solutions when a “big data” project that we already have going on, based on this same stack, can work so much better, the thinking goes. And it’s free, of course.
What we know from 10+ years of rooting around in the security world is that solving the platform problem gets you about a quarter of the way to the security outcome. After that comes detection content, and then the skills to work the data plus the process discipline. Put another way, “Getting data into the data lake, easy. Getting value out of the data in the lake, not so much.”
In 2017, it is easier than ever to spin up an instance of ELK on premises or in the cloud and presume that success is at hand just because the platform is now available. Try using generic tools to solve the security problem and you will soon discover why security vendors have spent so much time writing rules and why service providers spend so much effort on process/procedure and recruitment/training.
Three key advantages for SIEM-As-A-Service
Security Information and Event Management (SIEM) technology is an essential component in a modern defense-in-depth strategy for IT security. SIEM is described as such in every best-practice recommendation from industry groups and security pundits. The absence of SIEM is repeatedly noted in the Verizon Enterprise Data Breach Investigations Report as a factor in late discovery of breaches. Indeed, attackers are most often successful against soft targets where defenders do not review logs and other security data. In addition, regulatory compliance standards such as PCI-DSS, HIPAA and FISMA specifically require that SIEM technology be deployed and, more importantly, be used actively.
This last point (“be used actively”) is the Achilles heel for many organizations and has been noted often, as in “security is something you do, not something you buy.” Organizations large and small struggle to assign staff with the necessary expertise and to maintain the discipline of periodic log review.
New SIEM-As-A-Service options
SIEM services are available for buyers that cannot leverage traditional on-premises, self-serve products. In such models, the vendor assumes responsibility for as much (or as little) of the heavy lifting as the user desires, including installation, configuration, tuning, periodic review, updates, and responding to incident investigation or audit support requests.
Such offerings have three distinct advantages over the traditional self-serve, on-premises model.
1) Managed service delivery: The vendor is responsible for the most “fragile” and “difficult to get right” aspects of a SIEM deployment, that is, installation, configuration, tuning and periodic review of SIEM data. This can also include upgrades, performance management to keep response times fast, and updates to security threat intelligence feeds.
2) Deployment options: In addition to the traditional on-premises model, such services usually offer cloud-based, managed hosted or hybrid solutions. Options for host-based agents and/or premises-based collectors/sensors allow for great flexibility in deployment.
3) Utility pricing: In contrast to traditional perpetual models that require capital expenditure and front-loading, SIEM-As-A-Service follows the utility model with usage-based pricing and monthly expenditure. This is friendly to operational expenditure budgets.
SIEM is a core technology in the modern IT enterprise. New As-A-Service deployment models can increase adoption and value of this complex monitoring technology.
Insider threats are typically far less frequent than external attacks, but they usually pose a much higher severity of risk for organizations when they do happen. While they can be perpetrated by malicious actors, they are more commonly the result of negligence. In addition to investing in new security tools and technology to protect against external threats, companies should place higher priority on identifying and fixing internal risks. Here are the top 3 high-risk behaviors that compromise IT security:
1) Sharing login credentials: Convenience is the enemy of security. It is far too often more convenient to share credentials than to create a unique login for each user. However, by doing so users leave the company vulnerable to a data breach. While it may not be practical to completely eliminate shared credentials, a password manager that is accessible to the multiple persons who need common access can shield the actual password from the user while still making it available.
2) Shadow IT or installing web applications: Users download unauthorized applications to their work computers or mobile devices. It also can occur when they subscribe to Software as a Service (SaaS) applications without IT approval. As employees spend large amounts of time at their desktop or laptop, it’s inevitable that they consider the device personal. The intention may be harmless–streaming music, looking for travel deals, shopping for personal items–but the danger is very real. Malvertising on such popular sites is frequently the reason for compromise.
3) Uploading files to personal storage: Dropbox, Google Drive, etc. are often convenient ways of sharing company documents, either between employees for collaboration or for use at home and work. The dedication is commendable, but the behavior is still a risky one. Popular services were created for convenience and not necessarily for security.
What’s the remedy? Frequent updates and reminders. It’s not so different from the procedures used in manufacturing facilities to minimize accidents. One single training session during onboarding isn’t enough. Regular IT and security updates are essential.
How did we decide on these particular behaviors, you ask? It’s based on observations by our EventTracker Essentials team; we review more than 1 billion logs every day to keep our customers safe. While training is a must, monitoring is also necessary. Many of these behaviors can be observed and appropriate measures such as training can be taken as a result.
As President Reagan observed, Doveryai, no proveryai (“Trust, but verify”).
Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. According to reports, observations of attacks leveraging the critical vulnerabilities are increasing very rapidly. In the span of a few days, over 30,000 organizations across the U.S., small businesses and municipalities included, have been hacked.
Since then, Microsoft has issued emergency, out-of-band patches to address the security flaws. In the meantime, it is critical that organizations take appropriate action to quickly detect and effectively respond to exploit attempts.
Cyber criminals are actively exploiting these vulnerabilities, and the consequences of not addressing them can be very damaging, including the leak/loss of emails, lateral movement within your network, or execution of ransomware. Use this guide to better understand the exploit and the 10 concrete actions you should take to defend your network.
What’s the Impact?
Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. After successful exploitation, attackers can gain access to email accounts and install additional malware/scanning tools to remain persistent on the network.
Note: this impacts on-premises versions of Microsoft Exchange Server and does not impact Exchange Online.
What Happened?
The Advanced Persistent Threat (APT) group HAFNIUM leveraged a chain of four zero-day vulnerabilities, together dubbed ProxyLogon. Since then, at least 10 other APTs have followed suit in targeting servers around the world. These vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVE) entries, are:
What Should You Do Now?
Netsurion’s Security Operations Center (SOC) actively monitors customer networks for Indicators of Compromise (IOCs) such as ProxyLogon. If you are not protected by a managed security service provider already taking action on this threat, our SOC recommends the following immediate course of action:
What Should You Do Long-term?
You may find more detailed information in the Cybersecurity & Infrastructure Security Agency’s (CISA) Alert AA21-062A.
Lastly, our recommendation is to instill comprehensive 24/7 security monitoring, threat detection and response capabilities with a managed security service provider (MSSP) to plug gaps in the expertise and availability of your on-staff resources.
Netsurion customers are kept updated in this Security Advisory in regard to actions taken within our Managed Threat Protection service and our EventTracker threat protection platform.
Hackers will find a way in, and customers will then look for a way out.
Persistent threats affecting businesses of all sizes and in all verticals are becoming more consistent and hitting more frequently. The 2016 Verizon Data Breach report analyzed 100,000 incidents across industries and verticals, of which 3,141 were confirmed data breaches.
According to the report, phishing and point-of-sale (POS) attacks are still extremely common—but can wreak the most havoc.
Though these attack vectors aren’t new, phishing emails are becoming more and more convincing as cybercriminals improve the URL and domain appearances, colors, logos and email content so as not to raise red flags.
Once the phishing links are activated, either installing malware or stealing credentials, they can wreak havoc on the network, the company’s reputation (in the case of the infamous W-2 phishing scam that hit dozens of companies this year) or the compromised individual’s identity.
In the most recent cases of Eddie Bauer and a slew of hotels, including Millenium, Kimpton, HEI and more, once POS malware gets onto the network, it exfiltrates sensitive information, including customer card data, negatively impacting customer loyalty, reputation and company finances, especially once the news hits the media (and it almost always will).
These are just two examples. The breach report also names DDoS attacks, crimeware varieties and web app attacks as some of hackers’ evolving choice methods.
Cybersecurity firm Proofpoint specifically called out ransomware—where your device is locked down, and all of your files are encrypted until you can pay a designated amount of Bitcoin—as the most preferred malware type for cybercriminals in 2016.
As these methods progress, the underground world of cybercrime is becoming more industrialized. Hacker groups see themselves as full-on, functioning businesses. According to the 2016 Symantec Internet Security Threat Report, cybercriminals are forming professional networks and becoming significantly bolder in which targets they pursue… and the amounts of money they seek. The report states:
“Just as legitimate businesses have partners, associates, resellers, and vendors, so do those enterprises operating in the shadows.”
With all of these advancements lurking on the Dark Web, companies need a combination of the best security technologies and defenses to protect their sensitive data and brands. And IT service providers need to make these offerings available to their customers.
IT service providers that don’t offer information security solutions are leaving clients highly vulnerable to all of the threats we know—and the terrifying amount that we don’t. This vulnerability, if exploited, could greatly impact clients—not only because of the immediate monetary loss in breach damages but because of future profit impact, decrease in customer loyalty and harm to overall brand reputation.
In turn, the IT service provider could also suffer. Most customers understand the risk that cybercriminals pose to their businesses, and they expect the outsourced providers to give them options to protect themselves. If the outsourced provider has access to a customer’s confidential information, and that company is breached, the provider could be hit with some of the financial burden.
In addition, if current and prospective customers find out that the provider is not offering sufficient data security options —they could take their business elsewhere, creating an overall recipe for reputational disaster.
Today, businesses are motivated to consolidate IT service providers to get as many services “under one roof.” The fewer vendors and providers they have to coordinate with and spend money on—the better. And security is top of mind.
CompTIA ran a survey earlier this year called Security in the IT Channel and found that customers are no longer just paying lip service to security—they’re expecting action and offerings along with their other IT services.
The channel firms surveyed said their customers expressed the most interest in firewalls and antivirus, with newly emerging interest in security information and event management (SIEM).
It may sound intimidating for the service provider—but there is one way to make filling the information security services gap faster and easier: through partnerships. This approach leads to lower costs, higher profits and more effective solutions, since you’re pairing up with an expert in that security specialty.
If cybercriminals are forming partnerships to advance their ‘business success,’ IT service providers need to do the same with security services firms…so they don’t lose the fight or their customers’ trust.
Netsurion, for example, is partnering with IT service providers to help improve the state of security for businesses—and to help them stay ahead of the most advanced threats. Netsurion's solution partners provide merchants with payment processing and/or merchant technology solutions protected by Netsurion remote-managed network security, secure Wi-Fi and PCI compliance management services.
We are a partner channel-focused company because we realize the best way to safeguard consumers, merchants, and businesses alike is to deliver comprehensive integrated solutions resulting in strong, simple and affordable data security. We’re currently offering a variety of layered solutions, including:
Netsurion’s managed security services are resold by established IT service providers including Resource Point of Sale, CoCard, DCR and POS Solutions.
Take it from our recently announced partners—adding security services to your offerings will only bode well for your business:
“At ReSource Point of Sale, we understand the importance that network security has in the POS industry. As a company whose priority is providing excellent customer service, we know how much our customers will benefit from having the peace of mind that their POS data is secured,” said Nik Parra, CTO, ReSource Point of Sale. “We are excited to partner with Netsurion to strengthen our customers’ networks and continue to excel in the services we provide.”
“CoCard is owned and managed by ISOs for the benefit of the individual ISO. Our mission is to provide a pathway for ISOs and agent resellers to maximize individual business strategies within the payment processing arena and enhance the overall economic return for all members,” said Ray Raya, a vice president at CoCard. “We’re excited to offer Netsurion’s services alongside our own—giving our customers state-of-the-art essentials for merchant processing, security and compliance, all under one roof.”
Interested in learning more about securing your customers? Visit our partner page.
An area of audit logging that is often confusing is the difference between two categories in the Windows security log: Account Logon events and Logon/Logoff events. These two categories are related but distinct, and the similarity in the naming convention contributes to the confusion. So what is the difference between authentication and logon? In Windows, when you access the computer in front of you or any other Windows computer on the network, you must first authenticate and obtain a logon session for that computer. A logon session has a beginning and an end. An Account Logon event is simply an authentication event, and is a point-in-time event. Are authentication events a duplicate of logon events? No: the reason is that authentication may take place on a different computer than the one you are logging on to.
Let’s start with the simplest case. You are logging on at the console (aka “interactive logon”) of a standalone workstation (meaning it is not a member of any domain). The only type of account you can log on with in this case is a local user account defined in Computer Management under Local Users and Groups. You don’t hear the term much anymore, but local accounts and SAM accounts are the same thing. In this case both the authentication and the logon occur on the very same computer because you logged on to the local computer using a local account. Therefore you will see both an Account Logon event (680/4776) and a Logon/Logoff event (528/4624) in its security log.
If the workstation is a member of a domain, it is possible to authenticate to this computer using a local account or a domain account, or a domain account from any domain that this domain trusts. When the user logs on with a domain account, the local workstation can’t perform the authentication because the account and its password hash aren’t stored locally. So the workstation must request authentication from a domain controller via Kerberos. An authentication event (672/4768) is logged on whichever domain controller handles the authentication request from the workstation. Once the domain controller tells the workstation that the user is authenticated, the workstation proceeds with creating the logon session and records a logon event (528/4624) in its security log.
What if we logon to the workstation with an account from a trusted domain? In that case one of the domain controllers in the trusted domain will handle the authentication and log 672/4768 there, with the workstation logging 528/4624 the same as above.
In all such “interactive logons”, during logoff, the workstation will record a “logoff initiated” event (551/4647) followed by the actual logoff event (538/4634). You can correlate logon and logoff events by Logon ID which is a hexadecimal code that identifies that particular logon session.
After logging on to a workstation you typically connect to shared folders on a file server. What gets logged in this case? Remember, whenever you access a Windows computer you must obtain a logon session, in this case a “network logon” session. You might assume that the logon session begins when you connect to the share and then ends when you disconnect from it, usually when logging off your local workstation. Unfortunately this is not the case: Windows servers only keep network logon sessions alive for as long as you have a file open on the server. This accounts for the repeated logon/logoff events on Windows file servers by the same user throughout the course of the day. With network logons, Windows 2003 logs 540 instead of 528, while Windows 2008 logs 4624 for all types of logons.
When you log on at the console of the server, the events logged are the same as those for interactive logons at the workstation as described above. More often, though, you log on to a member server via Remote Desktop. In this case the same 528/4624 event is logged, but the logon type indicates a “remote interactive” (aka Remote Desktop) logon. I’ll explain logon types next.
When looking at logon events we need to consider what type of logon we are dealing with: is this an interactive logon at the console of the server, indicating the user was physically present, or is it a Remote Desktop logon? For that matter, the logon could be associated with a service starting or a scheduled task kicking off. In all such cases you will need to look at the Logon Type specified in the logon event 528/540/4624. A full list of Logon Types is provided at the links for those events, but in short:
| Logon Type | Description |
|---|---|
| 2 | Interactive (logon at keyboard and screen of system) |
| 3 | Network (i.e. connection to shared folder on this computer from elsewhere on network) |
| 4 | Batch (i.e. scheduled task) |
| 5 | Service (service startup) |
| 10 | RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) |
When you log on to your workstation or access a shared folder on a file server, you are not “logging onto the domain”. Each Windows computer is responsible for maintaining its own set of active logon sessions, and there is no central entity aware of everyone who is logged on somewhere in the domain. After servicing an authentication request, the domain controller doesn’t maintain information about how you logged on (console, Remote Desktop, network, etc.) or when you logged off.
On domain controllers you often see one or more logon/logoff pairs immediately following authentication events for the same user. But these logon/logoff events are generated by the group policy client on the local computer retrieving the applicable group policy objects from the domain controller so that policy can be applied for that user. Then approximately every 90 minutes, Windows refreshes group policy and you see a network logon and logoff on the domain controller again. These network logon/logoff events are little more than noise. In forensic situations, they provide an estimate of how long the user was logged on (as long as the user remains logged on group policy will refresh about every 90 minutes), and can help to infer that the preceding authentication events for the same user were in conjunction with an interactive or remote desktop logon as opposed to a service or scheduled task logon.
What about the other service ticket related events seen on the domain controller? Basically, after your initial authentication to the domain controller, which logs 672/4768, you also obtain a service ticket (673/4769) for every computer you log on to, including your workstation, the domain controller itself for the purpose of group policy, and any member servers, such as in connection with shared folder access. Then, as computers remain up and running and users remain logged on, tickets expire and have to be renewed, all of which generates further Account Logon events on the domain controller.
Both the Account Logon and Logon/Logoff categories provide needed information and are not fungible: both are distinct and necessary. Here are some important facts to understand, and accept, about authentication and logon/logoff events.
As for Account Logon (i.e. authentication) and Logon/Logoff events: all things considered, I’d like to see both categories enabled on all computers. I haven’t seen these events create a noticeable impact on the server, but the amount of log data might exceed your log management / SIEM solution’s current capacity. If you can’t afford to collect workstation logs, I still suggest enabling these 2 categories on workstations and letting the log automatically wrap after reaching 100MB or so. Chances are the data will be there if you need it for forensic purposes.
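To make the distinction above concrete, here is an added example (not code from the original article) that takes a handful of constructed Security-log records from a workstation, a file server, a member server and a domain controller, sorts them into the two categories, pairs each 4624 with its 4647/4634 by Logon ID, labels the logon type, and flags the short type-3 logon/logoff pairs on the domain controller as group-policy refresh noise while still using them to estimate how long the user was logged on. The one-line-per-event format, the host names, and the 5-second noise threshold are assumptions made for the example; real exports would be read with Get-WinEvent or a SIEM and carry the same fields under their own names.

```python
"""Correlate Windows Security log events by Logon ID (added example, constructed data)."""
from datetime import datetime, timedelta

# The two categories the article contrasts, keyed by the Vista+ event IDs it cites.
ACCOUNT_LOGON_IDS = {4776: "NTLM authentication (local/SAM account)",
                     4768: "Kerberos TGT request (domain authentication)",
                     4769: "Kerberos service ticket request"}
LOGON_ID, LOGOFF_INITIATED_ID, LOGOFF_ID = 4624, 4647, 4634

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch",
               5: "Service", 10: "RemoteInteractive"}

DOMAIN_CONTROLLERS = {"DC01"}          # hypothetical host name (assumption)
GP_REFRESH = timedelta(minutes=90)     # default group policy refresh interval
NOISE_MAX = timedelta(seconds=5)       # heuristic: GP retrieval sessions are this short (assumption)

# Constructed sample records: "<utc time> <computer> <event id> user= logon_id= type=".
SAMPLE_LOG = """\
2024-01-15T08:00:00Z DC01 4768 user=alice logon_id=- type=-
2024-01-15T08:00:01Z WKS01 4624 user=alice logon_id=0x3e7a1 type=2
2024-01-15T08:00:02Z DC01 4769 user=alice logon_id=- type=-
2024-01-15T08:00:03Z DC01 4624 user=alice logon_id=0x9c021 type=3
2024-01-15T08:00:04Z DC01 4634 user=alice logon_id=0x9c021 type=3
2024-01-15T09:15:00Z FS01 4624 user=alice logon_id=0x1a2b3 type=3
2024-01-15T09:15:30Z FS01 4634 user=alice logon_id=0x1a2b3 type=3
2024-01-15T09:30:03Z DC01 4624 user=alice logon_id=0x9c777 type=3
2024-01-15T09:30:04Z DC01 4634 user=alice logon_id=0x9c777 type=3
2024-01-15T10:00:00Z SRV02 4624 user=svc_backup logon_id=0x55 type=5
2024-01-15T11:45:00Z WKS01 4647 user=alice logon_id=0x3e7a1 type=-
2024-01-15T11:45:01Z WKS01 4634 user=alice logon_id=0x3e7a1 type=2
"""


def parse_event(line):
    """Turn one constructed record into a dict; '-' means the field is absent."""
    ts, computer, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "computer": computer, "event_id": int(event_id),
            "user": fields["user"], "logon_id": fields["logon_id"],
            "type": None if fields["type"] == "-" else int(fields["type"])}


def category(event_id):
    """Account Logon = authentication (point in time); Logon/Logoff = session start/end."""
    if event_id in ACCOUNT_LOGON_IDS:
        return "Account Logon"
    if event_id in (LOGON_ID, LOGOFF_INITIATED_ID, LOGOFF_ID):
        return "Logon/Logoff"
    return "other"


def count_by_category(lines):
    counts = {}
    for line in lines:
        cat = category(parse_event(line)["event_id"])
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def correlate_sessions(lines):
    """Pair 4624 with 4647/4634 on the same computer by Logon ID and label each session."""
    sessions = {}
    for line in lines:
        ev = parse_event(line)
        key = (ev["computer"], ev["logon_id"])       # Logon ID is only unique per computer
        if ev["event_id"] == LOGON_ID:
            sessions[key] = {"computer": ev["computer"], "user": ev["user"],
                             "logon_id": ev["logon_id"], "type": ev["type"],
                             "type_name": LOGON_TYPES.get(ev["type"], "unknown"),
                             "start": ev["time"], "logoff_initiated": None, "end": None}
        elif ev["event_id"] == LOGOFF_INITIATED_ID and key in sessions:
            sessions[key]["logoff_initiated"] = ev["time"]   # 4647 precedes the real 4634
        elif ev["event_id"] == LOGOFF_ID and key in sessions:
            sessions[key]["end"] = ev["time"]
    result = []
    for s in sessions.values():
        s["duration"] = (s["end"] - s["start"]) if s["end"] else None   # None = still open
        # Short network logons on a DC are the group policy client fetching GPOs: noise.
        s["gp_noise"] = (s["computer"] in DOMAIN_CONTROLLERS and s["type"] == 3
                         and s["duration"] is not None and s["duration"] <= NOISE_MAX)
        result.append(s)
    return result


def estimate_logged_on_window(sessions, user):
    """Use the ~90-minute GP refresh cadence on the DC to bound how long `user` stayed logged on."""
    refreshes = sorted(s["start"] for s in sessions if s["user"] == user and s["gp_noise"])
    if not refreshes:
        return None
    return refreshes[0], refreshes[-1] + GP_REFRESH


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_by_category(lines))
    for s in correlate_sessions(lines):
        print(s["computer"], s["user"], s["type_name"], s["duration"],
              "noise" if s["gp_noise"] else "")
    print(estimate_logged_on_window(correlate_sessions(lines), "alice"))
```

Running it shows the workstation session for alice lasting 3h45m from 4624 to 4634 (with the 4647 recorded just before), a 30-second network session on the file server, an open Service session for the backup account, and two noise pairs on the DC that bound alice's logged-on time to roughly 08:00 to 11:00.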
Detecting virus signatures is so last year. Creating a virus with a unique signature or hash is quite literally child’s play, and most anti-virus products catch just a few percent of the malware that is active these days. You need better tools, called endpoint detection and response (EDR), such as those that integrate with SIEMs, that can recognize errant behavior and remediate endpoints quickly.
The issue is that hackers are getting better at covering their tracks, and leaving very few footprints of their dastardly deeds.
I like to think about EDR products in terms of hunting and gathering. Most traditional endpoint products that come from the anti-malware heritage are gatherers: they are used to collect malware that they can identify, based on some known patterns. That worked well in the era when writing malware was a black art that required specialized skills and tools. Now there are ready-made exploit kits, such as Angler, and tools called packers and crypters. These have made it so easy to produce custom malware that the average teen can do it with a Web browser and little programming knowledge.
But gathering is just one part of the ideal EDR product: they also need to be hunters. They should be able to find that proverbial needle in the haystack, especially when you don’t even know what a needle looks like, except that it is sharp and can hurt you. The ideal hunter should be able to track down malware based on a series of unfortunate events, by observing behaviors such as making changes to the Windows registry, dropping a command shell remotely or from within a browser session, or inserting an infected PDF document. While some “normal” apps exhibit these activities, most don’t. For example, some EDR products can track privilege escalation and credential spoofing, common activities of many hackers today who like to gain access to your network from a formerly trusted endpoint and use it as a base of operations to collect and export confidential data. To block this kind of behavior, today’s tools need to map the internal or lateral network movement so you can track down which PCs were compromised and neutralize them before your entire network falls into the wrong hands.
Part of the hunting experience is also being able to record what is happening to your network so you can go to the “videotape” playback function and see when something entered your environment and what endpoints it has infected. From there you should be able to isolate and remediate your PCs and return them to an uninfected state. Some EDR products offer a special kind of isolation feature that basically turns their network connection off, except for communicating back to the central monitoring console. That is a pretty nifty feature.
Finally, an EDR product should be able to use big data techniques to visualize trends and block potential attacks. Another aspect of this is to integrate with a variety of security event feeds and intelligence from Internet sources such as VirusTotal.com. You might as well leverage what researchers around the world already know and have already seen in the wild. Microsoft has jumped into this arena with their Windows Defender Advanced Threat Protection. Announced at the RSA show in March, it will be slowly rolled out to all Windows 10 users (whether they want it or not) thanks to Windows Update. Basically what Microsoft is doing is turning every Windows 10 endpoint into a sensor with this tool, and sending this information to its cloud-based detection service called Security Graph. Other EDR vendors do similar things with their endpoint agents.
When you go shopping for an EDR product, ask your vendor these questions:
EventTracker offers EDR functionality within its SIEM platform. You can learn more about it here.
Chapel Hill, NC and Scottsdale, AZ — October 4, 2023 — Lumifi’s recent acquisition of Castra Managed Services aims to expand its capabilities and reinforce its commitment to the Gartner Visibility triad. With Castra’s expertise in Exabeam, the SIEM capabilities will reach new heights.
Lumifi®, a leading innovator in managed detection and response (MDR), proudly announced its acquisition of Castra Managed Security. Castra is a revered enterprise-level MDR firm specializing in Exabeam, a security information and event management (SIEM) platform.
The partnership between Lumifi and Castra amplifies the Gartner SOC Visibility Triad, enhancing visibility through combined expertise in network detection and response (NDR), endpoint detection and response (EDR), and SIEM within their security operations centers. This collaboration powers a 24/7/365 cutting-edge Security Operations Center (SOC), merging Lumifi’s innovative ShieldVision™ software with Castra’s distinguished MDR services. ShieldVision™ is an advanced multi-tenant platform that excels in threat hunting, detection, and swift automated responses. At the same time, Castra’s expertise in the Exabeam infrastructure ensures top-tier security at cost-effective rates for businesses of all scales.
Grant Leonard, co-founder of Castra, emphasized the value of partnerships, saying, “I am excited about the immediate synergies between Lumifi and Castra. We are excited to bring honed Castra services to a much larger audience and scale.”
David Norlin, CISO of Lumifi, expressed his enthusiasm for the partnership, stating, “We’re thrilled to join forces with Castra. This collaboration strengthens our SIEM capabilities, offering our clients more choices and control in designing their security architectures. We remain committed to providing diverse technological options that guarantee unparalleled service quality, and the Castra acquisition exemplifies this commitment.”
Tony Simone, co-founder of Castra, emphasized the value of partnerships, saying, “Castra’s journey has been about forging valuable collaborations. Our partnership with Lumifi allows companies to elevate their SIEM capabilities and adopt next-generation programs, enabling security leaders to enhance their infrastructure while aligning with their business objectives.”
Michael Malone, CEO of Lumifi, highlighted the broader impact of the collaboration, stating, “With the escalating threats across all areas of cybersecurity, many companies find themselves vulnerable. Partnering with Castra is a decisive step, leveraging our recent growth capital to realize our broader vision. Together, we’re bridging the cybersecurity skills gap, ensuring businesses are fortified against the diverse and evolving threats of today.”
To provide peace of mind against the latest cyber threats, Lumifi offers a turn-key cybersecurity monitoring and management solution at an affordable monthly price. This solution delivers advanced levels of security to businesses of all sizes across regulated industries, including energy, manufacturing, healthcare, finance, and more.
About Lumifi:
Lumifi is a leading provider of managed detection and response (MDR) services, offering Fortune 500-level security solutions to support security-conscious teams. Their approach integrates system, network, and device monitoring with human expertise, following the Gartner Visibility Triad principles, to create a robust protective shield for businesses of all sizes. Lumifi’s exclusive software, ShieldVision™, delivers state-of-the-art attack simulation, automated remediation, and continuous threat monitoring. This advanced security framework is monitored around the clock by a team of US-based cybersecurity analysts and former military and DoD experts, ensuring businesses are always secure. To discover how Lumifi can safeguard your business, visit lumificyber.com.
About Castra Managed Services:
Since its inception in 2012 by co-founders Tony Simone and Grant Leonard, Castra has been a beacon in managed detection and response services, serving over 2000 organizations globally. This year, Castra ranked 104th on the top 250 global MSSP/MDR list, marking its 3rd appearance on the prestigious list. Additionally, Castra secured the second spot in the “fast-growth” top 150 from CRN and received multiple “Partner of the Year” awards from Exabeam. With unmatched SIEM and SOAR expertise, Castra ensures customers maintain a security edge without compromising transparency. Catering to a diverse clientele—from Fortune 50 giants to nimble startups—Castra’s services span various industries. Learn more at castra.io.
For press inquiries, contact:
Brittany Kent
Growth Marketing Lead
Lumifi
Email: [email protected]
It's National Small Business Week! Let's celebrate the hard work you do and make sure your business continues to grow.
Have you ever thought about what would happen if your business is affected by a data breach?
We constantly hear in the news about well-known brands being breached. You watch the news and you may think to yourself “Oh that would never happen to me… The big guys are the easy targets for hackers.”
In a way, hackers do love going after “The Big Guys” since the bigger the company, the more credit card information they have, hence more money for the hackers to go after.
Big corporate brands have a whole IT team working to make their networks secure, so it makes it much harder for a hacker. Yet, as we have seen, many times they still manage to get in.
So imagine just how quickly a hacker can get into multiple networks of small businesses since small businesses tend to not have an IT staff monitoring their network activity.
Easy target, right?
Do you ever hear the news about the small restaurant down the street that got breached?
Not really, but just because it isn’t front page worthy does not mean that small businesses aren’t getting breached as well. They are just not making the headlines in the news.
The sad truth is that a breach will hurt a small business and its reputation.
According to First Data Market Insight, $36,000 is the average cost of a data breach for small businesses.
Could you imagine the effect that would have on your profits? What about your customers?
You may not make it in the news, but your customers will find out. On top of the costs of a data breach, your regular customers may stop shopping or dining at your store or restaurant.
In fact, 31% of customers have terminated their relationship with a business after being breached.
Check out the following measures you must take to prevent a data breach.
The PCI data security standards prescribe firewalls for compliance. A managed firewall is the first and most important line of defense for your network.
The best way to determine if your systems have been compromised is to scan them regularly for vulnerabilities.
For relatively low annual fees, a security vendor will remotely scan all of your external system access points to determine if any are vulnerable to intrusion.
Many restaurants leave their firewalls open to outside entry by managers working remotely or vendors who routinely perform maintenance on systems.
Create strong passwords instead of using the default codes, and change them often.
Similarly, always change default firewall settings to allow only essential access, and limit remote access to secure methods such as VPN.
If you have older POS equipment that sends raw credit card data to a back-office server, it may be time to upgrade.
Modern, secure POS systems encrypt credit card data as soon as a card is swiped, and they immediately send that data to the payment processor without temporarily storing data.
Double-check your POS system to make sure it complies with PCI standards.
For example, make sure your POS data traffic is separate from your Wi-Fi, security cameras, digital menu boards and other connections.
If you want to enable managers to connect to the POS via Wi-Fi, connect them through a virtual LAN that separates authorized traffic into a security zone.
Sounds like adding a lot more duties on your plate?
Luckily, you can always outsource these duties to a specialized team whose main job is pretty much all of the above and more.
The cost of a data breach will always be higher than the cost of protecting your business. When it comes to protecting your business, Netsurion knows that many small businesses do not have the IT staff needed to make sure your network is secure.
Hence, we take care of security, so you can take care of your business and customers.
In the wake of Heartbleed comes a new form of exposure that could potentially do much more damage than any other vulnerability of its kind.
It is known as Shellshock. Shellshock affects Linux and UNIX implementations that use the BASH command interpreter.
The fix for the issue is simple. Upgrade your version of BASH to one that is not vulnerable. The problem lies in the sheer number of servers, workstations, and devices that have this issue.
For years, due to stability, inherent security, and cost factors, Linux (and its variants) has been the most widely deployed Internet and backbone system in the world. In other words, the servers and purpose-built appliances that run the websites and route traffic on the Internet potentially have this vulnerability. Shellshock simply tricks the BASH command interpreter into executing unauthorized commands when it encounters what it believes is a variable.
The patches to fix this are readily available, but the number of systems involved with this upgrade is mind-boggling. Across the world, it is estimated that millions of servers and other equipment must be patched, and that is only referring to the core systems that manage and control the Internet.
On top of these systems come the workstations and purpose built appliances that are based on Linux.
Many home automation controls use a version of Linux, as do household electronics such as cable boxes and DVD players. Every one of them could be affected by Shellshock, meaning a hacker could cause anything from disruption in services to potentially infiltrating your home network and stealing personal information.
As if the previous 2 scenarios were not enough, many Apple products that run iOS have this vulnerability as well. Therefore, iPhones and iPads are not exempt from the issue either. Usually, you can depend on the security of these devices, but this time, it is the underlying operating system that is at risk.
Luckily, a security update / patch is all that is needed to properly protect against this issue. But the real question on people’s minds is whether or not we will find any other rampant security flaw in Linux or UNIX.
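A self-check for the bash behaviour the article describes (a value in the environment that looks like an exported function definition, with a trailing command that a vulnerable bash runs on startup), written as an added example rather than anything from Netsurion: it sets a harmless probe variable whose trailing command only prints a marker, starts a bash child process, and reports whether the marker appeared. The marker text, the variable name and the reported labels are this example's own choices. Run it on your own hosts after patching to confirm the installed bash no longer executes the trailing command.

```python
import os
import shutil
import subprocess

# The probe value mimics an exported bash function ("() { :;}") followed by a
# trailing command. A vulnerable bash executes that trailing command while
# importing the environment; a patched bash imports only the function.
MARKER = "SHELLSHOCK_MARKER_PRESENT"          # constructed marker, printed only if vulnerable
PROBE = "() { :;}; echo " + MARKER


def check_shellshock():
    """Return 'vulnerable', 'patched' or 'no-bash' for the bash found on PATH."""
    bash = shutil.which("bash")
    if bash is None:
        return "no-bash"
    env = dict(os.environ)
    env["SHELLSHOCK_PROBE"] = PROBE             # the variable name itself is irrelevant
    proc = subprocess.run(
        [bash, "-c", "echo probe-done"],       # benign child command; we only watch for MARKER
        env=env, capture_output=True, text=True, timeout=10,
    )
    return "vulnerable" if MARKER in proc.stdout else "patched"


def bash_version():
    """First line of `bash --version`, useful for an inventory of what was checked."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    out = subprocess.run([bash, "--version"], capture_output=True, text=True, timeout=10).stdout
    return out.splitlines()[0] if out else ""


if __name__ == "__main__":
    print(bash_version())
    print(check_shellshock())
```

The check only exercises the local interpreter; it says nothing about bash binaries bundled inside appliances or containers that do not sit on this host's PATH, which is exactly where the article expects the long tail of unpatched systems to be.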
Here at Netsurion, our customers can rest assured that our security devices are not susceptible to Shellshock, while other firewalls are. It is, therefore, critical to look to your vendor, if you do not use Netsurion, to ensure that your systems have been updated properly.
Like Heartbleed, Shellshock reminds us that security is an ongoing process. Updates and patches are part of any good security program, and the longer you allow yourself to fall behind in the update process, the more you could be leaving your systems exposed to serious security threats.
MITRE ATT&CKcon 3.0, the conference dedicated to the ATT&CK community, returned at MITRE headquarters in Virginia last month. As a refresher, MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-world observations.
In this article, I’m excited to share insights that I gathered from both speakers and conversations with global defenders at ATT&CKcon 3.0. These insights are about community involvement, tailoring cybersecurity data to the right audience, linking disparate events together to accelerate identification, and capitalizing on the untapped opportunity to educate small-to-medium-sized businesses (SMBs).
1. Community Involvement with MITRE ATT&CK Remains Strong
The ATT&CK community has formed to discuss, exchange, and improve the use of adversarial tactics, techniques, and procedures (TTPs) in practical use cases. The record-high 155 global submissions and contributions made to ATT&CK last year exemplify how the community is committed to cybersecurity threat sharing and analysis. In turn, MITRE enhanced the ATT&CK framework by adding coverage for areas such as cloud and Industrial Control Systems (ICS).
This vendor-neutral collaboration continues to evolve in the ever-changing threat landscape. Enterprises and government entities continue to learn about ATT&CK and are in various stages of adoption and day-to-day utilization.
2. Lead with the Data and User Stories
ATT&CKcon 3.0 speakers highlighted lessons learned in communicating with data. It’s crucial to tailor technical content and messaging to each audience, such as conveying risk and outcomes to executives and more operational details to technical professionals. Many presenters took their own advice and put the bottom-line up front (BLUF) in a concise summary. Avoid the HiPPO effect where a High Paid Person’s Opinion (HiPPO) weighs more than data and facts in driving cybersecurity decisions. Finally, research has shown that human beings relate to and recall more when storytelling and emotion are used in communication, so work to weave in use cases and examples where feasible.
3. Optimize Analyst Efficiency with a Threat-Informed Defense
Many red team analysts and threat hunters experience alert fatigue in dealing with today’s expanding volume of cybersecurity alerts. Limited context and threat enrichment make it challenging to distill actual adversary actions and outcomes. Presenters at the ATT&CK conference spoke about threat-informed defense and risk-based alerting to better prioritize and correlate insights. Connecting the dots on seemingly unrelated or innocuous security events in your environment, especially using ATT&CK tactics and techniques, enables faster incident response. Risk prioritization and threat automation also improve Security Operations Center (SOC) analyst efficiency and effectiveness in a world of limited resources.
4. Cybersecurity is Human-centric Security
Over three million unfilled cybersecurity job openings necessitate even smarter cyber threat detection and incident prioritization to enhance the efficiency and effectiveness of limited resources. There is no silver bullet in cybersecurity; it takes a balance of people, process, and technology. Devices alone are insufficient to create actionable threat intelligence. It requires hands-on expertise from humans in the form of SOC analysts, threat intelligence analysts, and threat hunters.
Cybersecurity teams are spread thin, so it’s even more crucial to automate routine tasks and prioritize how human experts, like SOC analysts, can address more stealthy and dangerous threats. The TTPs of ATT&CK enable smaller teams with finite staff and expertise to understand adversaries and better defend themselves. On a different note, it was encouraging to meet the all-female team of cyber analysts from Temple University who presented at ATT&CK regarding how students map social engineering techniques to the ATT&CK matrix. For many of us, myself included, it was the first face-to-face conference and training attended in more than 20 months. With in-person attendance limited, the ATT&CK team plans to post all the conference’s video presentations online.
5. Continue to Educate SMBs
Larger organizations and vendors were first to embrace ATT&CK and integrate it into their tech stack and product portfolios. It was exciting to see ATT&CK users and presenters sharing insights and collaborating for a more robust global defense. But with over 80 percent of organizations deemed SMBs, it’s crucial that they be educated and involved in adopting the standard terminology and TTPs. As a master Managed Security Service Provider (MSSP), Netsurion is focused on arming IT service providers and end customers with up-to-date means to defend against advanced persistent threats.
Final Thoughts for Optimizing Cybersecurity
Whether you are just starting your cybersecurity career or looking to enhance your capabilities and efficiencies, the ATT&CK framework improves outcomes and fosters information sharing. It also simplifies Cybersecurity Threat Intelligence (CTI) for global defenders, collecting and analyzing current and future attacks to enhance decision making. We have led the way with ATT&CK’s integration in Netsurion’s Managed Threat Protection solution to help organizations of all sizes better prepare for today’s advanced cyber criminals.
For the past several months, there have been numerous stories about major retailers that have been breached by hackers. The result is that millions of credit cards have been stolen.
In the case of Target, so far it is reported that 40 Million customer credit cards have been exposed, and 70 Million total records with personal information have been stolen. The customers who are affected in such a breach feel let down by the merchants who lost their data, and the merchants feel like victims because thieves stole data from them, but they are being blamed.
Inevitably, a big retailer like Target makes some generic announcement talking about the efforts they are making to boost their security, and usually some kind of free credit monitoring service is offered.
In the case of Target, the website that was supposed to handle this service was so inundated by requests that, for several days, it was nearly impossible for their customers to sign up. This caused quite a rash of negative social media backlash, and people in general seemed dissatisfied with Target’s response.
Compounding the issue is the fact that Target is facing huge lawsuits, so it is obvious that every announcement is being screened by both public relations personnel and their legal team.
I propose that Target and other large retailers who have been victimized use their capital resources to greater effect. Not only can they win back the hearts and minds of their customers who have had their credit cards stolen, but they will also cause other hackers to pause before attempting something as brash as stealing 40 Million credit cards.
Think about what would happen if Target offered $1 Million to anyone who provides information that leads to the arrest and conviction of the party (or parties) who were responsible for the breach.
When hackers launch attacks of this nature, rarely can they do it without assistance from multiple sources who have specific knowledge or skills as it relates to security. Programmers for example rarely also have skills to penetrate firewalls. Therefore, a team of people is usually assembled to pull off a major breach like the one that happened at Target. The thing is, groups of people rarely have the ability to keep everyone completely silent.
Also, this culture is ruled by the almighty dollar, and $1 Million is enough of a reward, that if someone let critical information out, it is likely the person they told would be swayed to turn them in rather than keep their confidence. Despite the old saying, there really is no honor among thieves, and it has been our experience that they will turn on each other when a profit is to be made.
Of course, it is easy from our perspective to spend Target’s money for them, and they have teams of people whose job it is to monitor and improve their image.
On the other hand, if you saw a full-page ad this weekend in the Wall Street Journal announcing that Target was offering this reward to help catch the thieves who have caused them so much trouble, would your opinion of the brand go up? Especially if Target went on a campaign talking about how we are all victims.
The idea would be that Target would spend its money to bring the criminals to justice so that we can all sleep better at night. Maybe it would have no effect, but the people we have polled thought that it would do wonders for Target’s image. All retailers might want to consider this kind of response instead of hiding behind a legal barricade.
It’s just a thought, but remember, ID theft is an attack that people take personally, so showing victims something that makes them feel better is the first step to helping them move on.
Microsoft 365 is immensely popular across all industry verticals in the small-to-medium-sized business (SMB) space. It is often the killer app for a business and contains valuable, critical information about the business. Accordingly, Microsoft 365 resiliency and defense are top concerns on IT leaders’ minds.
Is Microsoft 365 defense totally up to the vendor, Microsoft, and the user has no responsibility? Hardly. Microsoft is merely providing the software-as-a-service, hosted on their infrastructure. While they do have some responsibility for securing the infrastructure and keeping the application up to date, you are the admin and it’s your data; therefore it is your responsibility to secure your tenant.
While the motivations and capabilities of attackers vary widely, most attacks still follow a common process, a basic pattern, and proceed from one step to the next to achieve the desired outcomes. This step-wise process can be defended against by focusing defense measures on choke points in the chain. Of course, any step can be bypassed through exploit technologies, so the best strategies apply defenses at every step along the threat chain that is shown below.
Concern 1: Data Exfiltration
Microsoft 365 encompasses many different types of data, including email, documents, Teams conversations and SharePoint data. In fact, even breaching your Active Directory information can be useful to an attacker. Data can be stolen in any number of ways, including through a breach of an account with access to the data, or through system and infrastructure attacks that give the attacker local or system admin privileges on computers that store the data outside of Microsoft 365. Why would cyber criminals want to do this? Many reasons, such as the theft of intellectual property, the desire to blackmail you, the intention to sell your data on the black market, or to use the data to further entrench themselves in your systems.
Prevention: Focus on not just the data, but also the accounts needed to access the data. Enforce least privilege, establish access control lists, define external sharing policies, and use data classification schemes to identify high risk data.
Detection: Finding a breach is complicated because it is difficult to distinguish normal usage from abnormal usage patterns, especially since the data will most likely be accessed with an account that has the needed privileges. Out-of-the-ordinary behavior detection within Security Information and Event Management (SIEM) platforms is useful in such cases, especially when reviewed by experienced eyes to catch anomalous interactions with data, such as large downloads. Conversely, attackers can also use a “low and slow” approach to avoid detection and remove data slowly, especially if they are knowledgeable insiders.
Remediation: This is the hardest attack scenario to fix because the cat is already out of the bag. Two things to focus on
Concern 2: Privilege escalation and lateral movement
The attacker has managed to compromise one or more accounts in your tenancy and is now working towards global administrator privileges.
Prevention: Make your global administrator community small; a minimum of two and a maximum of five for any size of tenant. Require multi-factor authentication (MFA) for global administrators, and regularly review activity of such users.
Detection: The key here is to monitor activity. This type of attack causes anomalous activity that deviates from a well-understood baseline.
Remediation: Enable multi-factor authentication. Examine everything that the attacker has done to your data and what they have done to further entrench themselves in your tenancy. Look for new accounts that have had recent changes (such as promotion to tenant admin), global configuration changes, and every interaction with data from the affected accounts.
Concern 3: Account compromise
An account in your Microsoft 365 tenant is breached such that it can be used by an attacker to interact with either resources in Microsoft 365, or with your on-premises infrastructure. There are a variety of ways that this can happen including spear phishing for credentials with harvesting websites, or spear phishing with malware to install rootkits and keyloggers.
Prevention: Use high quality authentication mechanisms such as passwords and MFA. Monitor for multiple failed logon attempts.
Detection: The key to an effective account breach detection is understanding what a normal pattern of activity looks like for your users. There are several features that exist in the activity data that you can use to find illicit or anomalous activity. For example, the data includes the following: IP addresses (which can be correlated to geographies), date and time, the specific action performed, and user agent.
Remediation: Enabling Multi-Factor Authentication (MFA) is a common, and powerful, remediation to keep the account safe after it has been breached. Monitor the account for a period of time to ensure it hasn’t been re-breached.
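The baseline-and-deviation detection that Concern 2 and Concern 3 both call for, as an added example that is not Netsurion's code and not a Microsoft API: it learns each user's normal countries, user agents, working hours and operations from a constructed week of audit-style records, then scores new records on exactly the features the text lists (IP mapped to a country, date and time, the action performed, user agent) and additionally flags any promotion to a privileged role outright. The record layout, the IP-to-country table and the operation names are assumptions made for the example; a real deployment would read the tenant's audit log export and use a GeoIP database.

```python
from collections import defaultdict
from datetime import datetime

# Constructed activity records shaped like a Microsoft 365 audit export (not real
# tenant data). The fields are the ones the article names: source IP, timestamp,
# operation performed and user agent; "role" only appears on role-change events.
BASELINE = [  # a quiet week of normal activity used to learn each user's habits
    {"user": "alice@example.com", "ip": "203.0.113.10", "time": "2024-07-01 09:05:00", "op": "FileAccessed",      "ua": "Chrome/126 Windows"},
    {"user": "alice@example.com", "ip": "203.0.113.10", "time": "2024-07-02 10:12:00", "op": "MailItemsAccessed", "ua": "Chrome/126 Windows"},
    {"user": "alice@example.com", "ip": "203.0.113.11", "time": "2024-07-03 14:40:00", "op": "FileAccessed",      "ua": "Outlook/16 Windows"},
    {"user": "bob@example.com",   "ip": "203.0.113.10", "time": "2024-07-01 08:30:00", "op": "FileAccessed",      "ua": "Edge/126 Windows"},
]
NEW = [  # records to score against that baseline
    {"user": "alice@example.com", "ip": "203.0.113.10", "time": "2024-07-10 11:00:00", "op": "FileAccessed",   "ua": "Chrome/126 Windows"},
    {"user": "alice@example.com", "ip": "198.51.100.7", "time": "2024-07-10 03:12:00", "op": "FileDownloaded", "ua": "python-requests/2.31"},
    {"user": "bob@example.com",   "ip": "203.0.113.10", "time": "2024-07-10 09:00:00", "op": "Add member to role.",
     "ua": "Edge/126 Windows", "role": "Global Administrator"},
]
# Constructed IP-to-country lookup; production code would consult a GeoIP database.
IP_COUNTRY = {"203.0.113.10": "US", "203.0.113.11": "US", "198.51.100.7": "RO"}

ROLE_CHANGE_OPS = {"Add member to role."}      # operation names assumed for this example
PRIVILEGED_ROLES = {"Global Administrator"}
HOUR_SLACK = 2                                  # hours either side of the observed working window


def _hour(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S").hour


def build_baseline(records):
    """Per user: the countries, user agents, hours of day and operations seen."""
    base = defaultdict(lambda: {"countries": set(), "agents": set(), "hours": set(), "ops": set()})
    for r in records:
        b = base[r["user"]]
        b["countries"].add(IP_COUNTRY.get(r["ip"], "unknown"))
        b["agents"].add(r["ua"])
        b["hours"].add(_hour(r))
        b["ops"].add(r["op"])
    return base


def score_record(rec, base):
    """Reasons this record deviates from the user's baseline (empty list = looks normal)."""
    reasons = []
    # Concern 2: promotion to a privileged role is suspicious regardless of baseline.
    if rec["op"] in ROLE_CHANGE_OPS and rec.get("role") in PRIVILEGED_ROLES:
        reasons.append(f"privileged role change: {rec['role']}")
    b = base.get(rec["user"])
    if b is None:
        reasons.append("no baseline for user")
        return reasons
    country = IP_COUNTRY.get(rec["ip"], "unknown")
    if country not in b["countries"]:
        reasons.append(f"new country {country}")
    if rec["ua"] not in b["agents"]:
        reasons.append(f"new user agent {rec['ua']}")
    hour = _hour(rec)
    if not (min(b["hours"]) - HOUR_SLACK <= hour <= max(b["hours"]) + HOUR_SLACK):
        reasons.append(f"unusual hour {hour:02d}:00")
    if rec["op"] not in b["ops"] and rec["op"] not in ROLE_CHANGE_OPS:
        reasons.append(f"new operation {rec['op']}")
    return reasons


def detect(records, base):
    """(user, time, reasons) for every record that deviates from the baseline."""
    out = []
    for r in records:
        reasons = score_record(r, base)
        if reasons:
            out.append((r["user"], r["time"], reasons))
    return out


if __name__ == "__main__":
    for user, when, why in detect(NEW, build_baseline(BASELINE)):
        print(user, when, "; ".join(why))
```

On the sample, alice's daytime file access from her usual address passes silently, her 03:12 download from a new country with a scripted user agent collects four reasons at once, and bob's role change is raised on the privileged-role rule alone even though everything else about it matches his baseline. Stacking several weak signals per record, rather than alerting on any one of them, is what keeps this kind of baseline detection from drowning the analyst in the noise the article warns about.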
While Microsoft has provided guidelines on how a user should secure their Microsoft 365 tenant, making sure everything is secure and remains secure can become complicated and is time consuming. Looking for IT and cybersecurity simplicity? We make securing Microsoft 365 and your systems easier by providing predefined reports, dashboards, and alerts via the Netsurion Managed Threat Protection solution. The service is backed by a 24/7 Security Operations Center (SOC) to be ever vigilant.
PCI compliance: that daunting phrase you always hear in the world of payments…but never truly understand.
We’re here to sum it up for you—what it is, why it’s important and what you need to meet this standard.
With this blog, we hope to demystify the concept, so you can take the necessary steps to keep your payment card data secure—and your customers feeling confident in your brand.
As the Payment Card Industry (PCI) rapidly expanded, the Payment Card Industry Security Standards Council (PCI SSC) developed a set of requirements called the Payment Card Industry Data Security Standard (PCI DSS). These specifications ensure that all companies that process, store or transmit credit card information maintain a secure environment.
PCI applies to all organizations or merchants that accept, transmit or store cardholder data, regardless of size or number of transactions.
This means restaurants, retailers, hotels, doctors’ and lawyers’ offices—and much, much more—all need to stay on top of their compliance statuses.
Complying with the standard means your company’s systems are secure, and perhaps most importantly, that your customers can trust you when they hand over their sensitive payment card data.
Customers that feel confident in your security are more likely to be loyal, repeat customers and may recommend you to others in the long run. Not to mention that it improves your reputation with the partners you need to do business with—the acquirers and payment brands.
Compliance also offers indirect benefits—for example, through your efforts to comply with PCI-DSS, you’ll likely be better prepared to comply with other relevant regulations like HIPAA or SOX.
It will also be a solid basis for a corporate security strategy and will help you identify ways to improve the overall efficiency of your IT infrastructure.
If you fall out of compliance—or are not compliant from the start—it could lead to disastrous consequences.
If your business experiences a financial data breach, your customers, your business success and reputation, and the associated financial institutions might all be negatively impacted.
Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future. Account data breaches can lead to catastrophic loss of sales, relationships and good standing in your community, and depressed share price if it’s a public company.
Possible negative consequences also include lawsuits, insurance claims, cancelled accounts, payment card issuer fines and government fines.
Read more about The Impact of a Data Breach.
Well, becoming and staying PCI compliant is not easy, but it’s certainly achievable.
Compliance is an ongoing process, not a one-time event. But there’s a major benefit to all of that work. It helps prevent security breaches and theft of payment card data, not just today, but in the future.
As data compromise becomes ever more sophisticated, it becomes more difficult for an individual merchant to stay ahead of the threats. The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them through enhancements to PCI Security Standards and by the training of security professionals.
When you stay compliant, you are part of the solution: a united, global response to payment card data compromise.
Take a look at the following PCI questions. This list of questions is by no means complete, but we can guarantee that if you answer “no” to even one of the following questions, then you are not PCI compliant:
How did you do? To supplement our recommendations, here is a full PCI compliance checklist from the PCI Security Standards Council.
No worries, here’s how Lumifi can help!
We’ve been helping merchants with PCI compliance since its inception by providing affordable systems and services that make compliance easy and efficient.
Your focus should remain on running your business, not worrying about the status of your compliance. That’s why Netsurion helps you get compliant with enterprise-class firewalls built on a best-in-class security architecture, and helps you stay compliant with efficient internal and external network scanning and online training.
We can also help you conveniently report your compliance with our PCI Compliance Management portal.
The Cyber Kill Chain model by Lockheed Martin describes how attackers use the cycle of compromise, persistence and exfiltration against an organization. Defense strategies that focus exclusively on the perimeter and on prevention do not take the kill chain life cycle into account, which is one reason attackers continue to be so successful. Defending against persistent and advanced threats requires methods that detect and deny threats at each stage of the kill chain.
Focusing on perimeter defenses gives the appearance of concentrating resources on the most exposed assets and attack vectors. It also rests on the familiar claim that the attacker needs to succeed only once out of an unlimited number of attempts, while defenders must be right every time. That claim is not only wrong but also untenable as a basis for defense. A successful malware infection or SQL injection attack against your network does not mean the attacker has won and you have lost. The kill chain makes this clear: the attacker wins only when every phase of the Cyber Kill Chain has been executed successfully. A successful attack is an end-to-end process, described as a “chain” because an interruption at any stage breaks the entire attack. This shifts the burden onto the attacker, who must now succeed at each and every step, whereas the defender needs to succeed at only one.
The EventTracker Enterprise solution is a mix of technology, skilled experts and process discipline designed to address defense across the entire cyber kill chain. Here’s how EventTracker Enterprise maps to the Cyber Kill Chain.
Recon — Defined as identification, target selection, organization details and information on technology choices. EventTracker Enterprise detects attempts by receiving and analyzing Web server logs and by performing vulnerability scans and external penetration testing, all integrated with local, global and community threat intelligence. Our EventTracker Honeynet offering is designed to deceive attackers and expose them by their actions rather than by reputation (which is too often neutral).
Deliver — Transmission of the malware is initiated by either the target (users browse to a malicious Web presence, leading to the dropping of malware, or they open a malicious PDF file) or by the attacker (SQL injection or network service exploitation). EventTracker Enterprise provides security analytics and network behavioral analysis integrated with threat intelligence to detect such attempts.
Exploit — After delivery to the user or endpoint, malware gains a foothold by exploiting a known vulnerability. Sadly, it is most likely that a patch has been available for months or years but was never applied. The EventTracker Enterprise Vulnerability Management service systematically discovers vulnerabilities and makes them easier to remediate, thereby reducing the attack surface.
Install — Usually this is a remote-access trojan (RAT), stealthy in its operation, allowing persistence or “dwell time” to be achieved. The attacker seeks to control it without alerting the defenders. EventTracker Enterprise technology includes Endpoint Threat Detection features that catch threats which evade signature-based antivirus. The Change Audit (aka FIM) feature tracks file changes at endpoints and is a robust technique for detecting unwanted installations.
C&C — Now that the attacker controls assets inside the network, he uses channels such as DNS, Internet Control Message Protocol (ICMP) or websites to tell the controlled “asset” what to do next and what information to gather. A staging host is identified to which all internal data is copied, then compressed and/or encrypted and made ready for exfiltration. EventTracker Enterprise can detect such activities by analysis of DNS activity, file integrity monitoring and network traffic analysis, all integrated with IP reputation intelligence.
Exfiltrate – In this final phase the attacker exfiltrates data, maintains dwell time in the network and then takes measures to identify more targets and expand the footprint. After the compromise, subsequent attack activity is performed as an internal user. The EventTracker Enterprise activity monitoring function performs continuous monitoring to identify out-of-the-ordinary user access to data, including frequency, times of day and access from locations previously unseen. Network behavioral analysis highlights devices moving data in ways that are not part of their role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, protocols in active use that are against policy, or a trusted user attempting clearly malicious activity such as an FTP session to an unexpected destination.
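The two DNS signals named in the C&C and Exfiltrate stages above (queries sent to a resolver the organization never sanctioned, and a flood of unique, encoded-looking subdomains under one domain) can be checked with a few lines of analysis over a query log. The block below is an added example for this page, not EventTracker Enterprise code or its data format: the log line layout, the resolver addresses, the thresholds and the sample traffic are all constructed here for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict
from pprint import pprint

# Assumption: the organization's two sanctioned internal resolvers (constructed addresses).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def shannon_entropy(text):
    """Bits per character. Hex/base32-encoded payload labels score near 4; real words score 2-3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    """Naive 'last two labels' approximation; production code would use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line):
    """Constructed line format: '<epoch> <client_ip> <resolver_ip> <qtype> <qname>'."""
    ts, src, resolver, qtype, qname = line.split()
    return {"ts": int(ts), "src": src, "resolver": resolver, "qtype": qtype, "qname": qname.lower()}


def analyse_dns(lines, resolvers=SANCTIONED_RESOLVERS, min_queries=50,
                min_unique_ratio=0.9, min_entropy=3.5):
    """Two C&C / exfiltration checks over a DNS query log.

    rogue_resolvers: queries sent to a resolver outside the sanctioned set, keyed by
        (client, resolver); an internal host should never resolve names on the internet directly.
    tunnel_suspects: a client sending many queries to one registered domain where almost every
        query name is unique and the leading labels look like encoded data (DNS tunnelling).
    """
    rogue = Counter()
    by_src_domain = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q["resolver"] not in resolvers:
            rogue[(q["src"], q["resolver"])] += 1
        by_src_domain[(q["src"], registered_domain(q["qname"]))].append(q["qname"])

    suspects = []
    for (src, domain), names in by_src_domain.items():
        if len(names) < min_queries:
            continue
        unique = set(names)
        ratio = len(unique) / len(names)
        suffix = "." + domain
        labels = [n[: -len(suffix)] for n in unique if n.endswith(suffix)]
        if not labels:
            continue
        avg_entropy = sum(shannon_entropy(label) for label in labels) / len(labels)
        if ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            suspects.append({"src": src, "domain": domain, "queries": len(names),
                             "unique_ratio": round(ratio, 2), "avg_entropy": round(avg_entropy, 2)})
    return {"rogue_resolvers": dict(rogue), "tunnel_suspects": suspects}


def _constructed_dns_log():
    """Constructed sample, not real telemetry: one normal workstation and one tunnelling host."""
    lines = []
    benign = ["www.example.com", "mail.example.com", "sso.example.com"]
    for i in range(60):   # 10.0.5.21: repetitive lookups through a sanctioned resolver
        lines.append(f"{1700000000 + i} 10.0.5.21 10.0.0.53 A {benign[i % 3]}")
    for i in range(80):   # 10.0.5.77: unique hex labels sent straight to an external server
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"{1700000000 + i} 10.0.5.77 203.0.113.9 TXT {label}.exfil-example.net")
    return lines


SAMPLE_DNS_LOG = _constructed_dns_log()

if __name__ == "__main__":
    pprint(analyse_dns(SAMPLE_DNS_LOG))
```

The resolver check is the cheap, high-confidence one: with egress filtering in place, any client-to-internet DNS at all is a policy violation worth an alert. The tunnelling heuristic needs tuning against CDN and telemetry domains that also produce many unique subdomains; the entropy test is what separates encoded payloads from those, and the thresholds above are starting points, not measured values.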
Defending a network in today’s threat landscape requires a blend of technology, expertise and process discipline. EventTracker Enterprise can help at an attractive price point.
Highlights from the 2016 Verizon Breach Investigations Report (Part 2 of 3)
In our previous post on what puts a business at risk of a data breach, we showed you that regardless of a business’ size, location or industry, many of them are targets for hackers.
So how are hackers getting into these businesses’ networks and stealing data?
There are 3 items to focus on before we speak about the type of incidents that lead to a breach: vulnerabilities, phishing and credentials.
It is important to understand what these 3 items mean as they are usually present in many of the attacks that are classified as breaches in the Data Breach Investigation Report.
These weaknesses in a network are what every business should protect itself from.
However, according to the report, many existing vulnerabilities remain open. Older vulnerabilities are still being targeted and businesses are not following a consistent process for fixing them.
These are the ways in which hackers deliver malware, through mediums such as an email, an attachment or an ad. Once the recipient opens the attachment or clicks on one of these malicious links, the recipient becomes the hacker’s next victim.
A perfect example of this is ransomware which has been and continues to affect many businesses, especially in the healthcare and financial sector.
We can’t stress enough the importance of strong passwords and two-factor authentication.
Stolen credentials continue to be a main cause of breaches. In fact, 63% of confirmed breaches in 2015 involved weak, default or stolen passwords.
With that said, let’s dig into some of the patterns in the DBIR that caused breaches in 2015:
Web App attacks were the number one cause of breaches in 2015.
This is due to vulnerabilities in the application as well as weak credentials, and it mostly affected the finance, information and retail industries. The application layer is, after all, the hardest for businesses to defend.
The reality is that businesses need to keep up with their customers’ wants and needs. In today’s world, a customer expects to do nearly everything through a website: request info, pay online, order online, view information, submit their own information, view records, etc.
Hence, businesses are building large, complex infrastructures that make the web application servers a target for any hacker.
Point-of-Sale intrusions follow right behind web app attacks, with the second-most breaches in 2015. Remote attacks on these systems are the main occurrence, followed by actual physical tampering or swapping out devices.
If a business takes credit cards, it is important to know that the merchant is responsible for securing the POS environment and protecting credit card information. It is not the POS vendor’s responsibility.
As if taking care of the POS environment isn’t enough of a task… Payment card skimmers made the list of top causes of breaches in 2015 as well.
When a skimming device is implanted in a POS device, it is called tampering. The skimmer reads the magnetic stripe data from any payment card that is swiped and captures all the card information the criminals need.
Hence, a bit of physical security will be needed here.
The last pattern to touch upon from the DBIR is Cyber-espionage. This is mainly any unauthorized access to a network or system with the purpose of espionage. Hence it is most common in the public, information and manufacturing industries.
Phishing is the usual way hackers get malware in as the entry point. If phishing isn’t used, browser or plug-in vulnerabilities are the hackers’ next option.
A secure and monitored internal environment is key to preventing hackers from doing this to any business.
These are only a few ways a hacker can access a business’ data. We have provided a few of the patterns explained in the DBIR, however, businesses must understand that these can be prevented with the correct team and procedure in place.
Next week, we will discuss solutions that a business can do to prevent each of these threats.
It is important to keep in mind, that if a business does not have the IT staff to fully manage a network, a third party with experience can always help. Let our team give you a hand! At Netsurion, we have years of experience in managing network security to prevent any of the incidents explained earlier.
Intrusion detection and compliance are the focus of log management, SIEM and security logging. But security logs, when managed correctly, are also the only control over rogue admins. Once root or admin authority has been given to, or acquired by, a user, there is little they cannot do: with admin authority they can circumvent access or authorization controls by changing settings, or use tools that leverage their root access to tamper with the internals of the operating system.
Audit logs, when properly managed, can serve as a control and deterrent against the privileged super user’s authority. Simply enabling auditing and deploying a log management solution may not suffice; to really be a deterrent, the audit log must be protected from deletion or tampering by rogue admins.
First and foremost, log data must be moved as frequently as possible from the system where it is generated to a separate, secure log repository. Today’s enterprise log management solutions do a great job of frequent log collection and long-term archiving. However, who has privileged access to the log management solution and the systems on which it runs?
A log management process is not an effective control if administrators have privileged access to the log management components. Though administrators should not be denied access to run reports, configure alerts or research logs, privileged access to the log management solution that allows someone to disable, erase or otherwise compromise the integrity of the log collection and archival process should be carefully managed.
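The two requirements above, that records leave the generating host quickly and that an admin who later gains root on that host cannot quietly alter or delete what was recorded, can be backed by cryptography as well as by architecture. The block below is an added example for this page, not part of the original post or of any product it mentions. It implements the forward-secure audit log idea of Schneier and Kelsey: each record is tagged with a key that is replaced by its own hash immediately after use, so the key that protected an old record no longer exists on the host. The record format, the sample event lines and the demo key are constructed here.

```python
import hashlib
import hmac

# Constructed sample records in a Windows Security-log style; not real telemetry.
SAMPLE_LINES = [
    "4624 An account was successfully logged on user=svc_backup",
    "4720 A user account was created user=tmpadmin by=jdoe",
    "4732 A member was added to a security-enabled local group group=Administrators member=tmpadmin",
    "1102 The audit log was cleared by=jdoe",
]


def evolve_key(key):
    """One-way step to the next per-record key; the host erases the old key afterwards."""
    return hashlib.sha256(b"audit-key-evolve|" + key).digest()


def tag_record(key, seq, line):
    """Keyed tag over the sequence number and the record text (binds position, not just content)."""
    return hmac.new(key, f"{seq}|{line}".encode(), hashlib.sha256).hexdigest()


class ForwardSecureAuditLog:
    """Host side. Each record is tagged with the current key, which is then replaced by its hash,
    so whoever roots the host later holds only the current key and cannot re-tag older records."""

    def __init__(self, initial_key):
        self._key = initial_key      # shared once, out of band, with the off-host verifier
        self.records = []

    def append(self, line):
        seq = len(self.records)
        self.records.append({"seq": seq, "line": line, "tag": tag_record(self._key, seq, line)})
        self._key = evolve_key(self._key)

    def current_key(self):
        """What a rogue admin can read from the host's memory or disk today."""
        return self._key


def verify(initial_key, records, expected_count=None):
    """Verifier side, run in the separate log repository. Replays the key schedule from the
    initial key. expected_count is the record count the host last reported over a separate
    channel; without it, silently dropping the newest records is undetectable."""
    problems = []
    key = initial_key
    for pos, rec in enumerate(records):
        if rec["seq"] != pos:
            problems.append(f"position {pos}: seq {rec['seq']} (record removed or reordered)")
        if not hmac.compare_digest(tag_record(key, rec["seq"], rec["line"]), rec["tag"]):
            problems.append(f"position {pos}: tag mismatch (altered or forged)")
        key = evolve_key(key)
    if expected_count is not None and len(records) < expected_count:
        problems.append(f"only {len(records)} of {expected_count} records present (truncated tail)")
    return (not problems, problems)


def rogue_admin_rewrite(log, seq, new_line):
    """Model an admin who gains root after the fact and rewrites an old record. They hold only
    the current key; the key that tagged record `seq` was erased, so the new tag will not verify."""
    forged = [dict(r) for r in log.records]
    forged[seq]["line"] = new_line
    forged[seq]["tag"] = tag_record(log.current_key(), seq, new_line)
    return forged


if __name__ == "__main__":
    k0 = bytes(32)                               # demo key; a real deployment uses a random one
    log = ForwardSecureAuditLog(k0)
    for line in SAMPLE_LINES:
        log.append(line)
    print("intact:", verify(k0, log.records, expected_count=len(SAMPLE_LINES)))
    print("rewritten:", verify(k0, rogue_admin_rewrite(
        log, 1, "4720 A user account was created user=svc_backup by=jdoe")))
    print("middle record dropped:", verify(k0, [r for r in log.records if r["seq"] != 1]))
    print("newest dropped, no count:", verify(k0, log.records[:-1]))
    print("newest dropped, with count:", verify(k0, log.records[:-1], expected_count=len(SAMPLE_LINES)))
```

The last two checks are the practical caveat: the scheme catches alteration and deletion of anything already tagged, but removing the newest records (the “audit log cleared” event in the sample) is invisible unless the verifier knows how many records to expect. That is exactly why the post insists on shipping records off the host as frequently as possible; the cryptography does not replace the separate repository, it only makes tampering with what reached it provable.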
A log management solution cannot serve as a deterrent against administrators who have privileged access at the application level or to any of the infrastructure components on which it runs. This includes:
And if the log management application or any of the above components run inside a virtual machine this also includes:
Physical access to any of these components could potentially allow administrators to compromise the integrity of the audit trail. To the extent possible, the log management solution should run on a completely separate infrastructure.
Remember such separation is a protection against not just internal rogue admins but outsiders who succeed in obtaining privileged access. Typically the larger the organization, the more important and practical it is to achieve maximum separation between the log management solution and the environment it monitors.
Beyond hardware and software separation, the log management application, database servers, storage, OS and other components also need careful management. Larger organizations generally have dedicated information security teams, and usually within that group someone is responsible for the audit log management process. For full accountability and separation of duties, that team should have no privileged access to the production business systems monitored by the log management process. Ideally that group provides the oversight necessary for all components of the log management solution and supervises any action that touches the audit log, to ensure its integrity and prevent the introduction of backdoors into the system.
There are a host of reasons why even “supervised access” can be compromised: staff in smaller IT shops aren’t always able to specialize, so the possibility for separation of skills and duties may not exist. When an in-house log management system can’t be physically and logically separated, log management as a service may be an alternative to consider. With cloud-based log management, the entire system is controlled by a professional service team at a separate site. Services can be set up with role-based access control so that the ability to erase audit logs is controlled. If organizations can overcome the frequent pushback against sending audit logs to the cloud, full isolation and integrity of log data can be achieved without building a separate log management system, and without the requirement of in-house expertise in audit log management.
Whether an organization goes with an in-house audit log management or turns to the cloud-based service, it should carefully assess its choices in architecture and administrative responsibility. When the worst happens, audit logs may be the only deterrent and detective control over rogue admins. Are they secure?
Threat researchers detected threat group NOBELIUM conducting several waves of malicious spear phishing email campaigns. Each wave used different technical lures and social engineering to fine-tune which threat performed best against targeted government agencies, consultants, and non-profits in over 20 countries.
What’s at Risk
This most recent spear phishing campaign is attributed to NOBELIUM, the threat group believed responsible for the wide-scale SolarWinds Orion attack. Also known as Cozy Bear and APT29, NOBELIUM again demonstrates its stealth and its ability to adapt its techniques to evade detection. NOBELIUM phishing emails contain malware that could inflict damage by:
Mitigation Requires Vigilance
Modern threats require organizations to PREVENT, DETECT, and RESPOND to active threats and even PREDICT future attacks before they happen. Effective cybersecurity mitigation uses multiple layers of security controls that combine people, process, and technology.
Cyber attacks have become more sophisticated as technology has become more pervasive and complex. Cyber criminals often tailor their malicious attacks and techniques to specific business victims because the payout outweighs the time spent. Boost your organizational security by taking these recommended steps to reduce NOBELIUM’s impact:
As always, we can help you detect never-before-seen threats and block these new threat variants. Netsurion’s Managed Threat Protection offers extended detection and response (XDR) capabilities such as improved visibility and multiple security controls.
Longer-Term Implications
Constant vigilance is key against cyber criminals that capitalize on our reliance on technology. Attackers vary their malicious techniques, looking for every security gap that they can exploit. Avoid a reactive approach or “check-box mentality” as these threats escalate in volume and complexity; proactive protection can help enterprises overcome cybersecurity pitfalls.
This rise in cyber attack sophistication and scale has also served to raise concerns by world leaders. At the G7 Summit held in the United Kingdom, common initiatives were discussed to protect critical infrastructure, privacy, and financial systems like payments.
We also commit to work together to urgently address the escalating shared threat from criminal ransomware networks. We call on all states to urgently identify and disrupt ransomware criminal networks operating within their borders and hold those networks accountable for their actions.
-G7 member states as quoted in Cyber Defense Magazine
https://www.cyberdefensemagazine.com/g7-calls-on-russia/
Protecting our global infrastructure and supply chains requires an industry-wide effort across government, businesses, and supply chain partners like service providers.
Use a proactive approach to cybersecurity to stay ahead of well-funded and trained cyber criminals. These advanced threats are also increasing faster than the talent pool of security analysts and experts. With Netsurion and our 24/7 SOC, we are an extension of your team and provide coverage around the clock against these ever-present threats. Let us work with your stakeholders to share past outcomes and successes with similar organizations.
Related Resources
The following references and resources provide insight to avoid falling prey to exploitive cyber criminals.
During our recent webinar “Ask Netsurion Anything,” our panel of experts addressed questions on topics ranging from meeting customer needs to business best practices. Here are the key takeaways from that session and guidance for MSPs offering security services to their customers.
Is partnering an effective way to add security services to my offering stack?
MSPs are looking toward partnerships when they don’t have the bandwidth or the expertise in-house to offer security services. Partnering with an established security services vendor is key for delivering best-of-breed services. For example, you could build your own SOC, but our research shows that it costs anywhere from $1.5 to $5 million. Alternatively, you can partner with someone already in that business and bundle it into your services stack. Partnering is definitely something we are seeing more and more of.
How do I properly align our clients’ security expectations with what we are providing?
Start with an understanding of your client’s level of risk tolerance and the level of protection they want. A gap analysis will reveal their full threat landscape and the risks they are looking at. It’s up to the MSP to determine what’s required to meet that client’s security expectations. That may be a SIEM and a SOC with Managed Detection and Response (MDR). It may be that the client needs to invest in Endpoint Detection and Response (EDR). Or the client may need a full-stack solution.
Then you can set expectations by being clear about the solution that you can offer and how it addresses their risks. Be explicit about what is included, what reports will be issued when, how alerts happen, and who is responsible for what when responding to those alerts.
What’s the best approach to getting customers to adopt advanced threat detection and response or any other more advanced offering?
One approach that we’ve seen work well is to version your security services offerings — V1, V2, V3, and so on. This allows you to bring additional services to your offering stack in phases and communicate with your customers about the new features and the benefits they convey. When it comes time for renewals, customers are primed to move to the new version to get the new capabilities. In this approach, you also specify a window of time before retiring earlier versions to give customers a chance to plan for the transition.
If a prospect insists on retaining a legacy anti-virus product because the license is still valid, should we insist on an upgrade to modern EDR before we accept them as a customer?
The short answer is yes. The customer is looking to you for your expertise. They have anti-virus, but they need improved, next-generation protection. This is an opportunity to show your value by explaining the risks of relying solely on anti-virus for protection. Remember that when you’re looking at a prospect, you’ll be adopting their challenges. You don’t want to put yourself or your other clients at risk. Sometimes we all need to be willing to walk away from an opportunity that is not a good fit for business or risk reasons.
When it comes to regulatory compliance, who is responsible for the data – the business owner, the MSP, or the security services vendor?
The owner of the data, unequivocally, holds the ultimate responsibility. The MSP and the vendor are responsible to their respective customers to protect the data as best as possible and to identify events that indicate an intrusion into their network. But the customer is ultimately responsible for the security of their data.
Will 24x7 monitoring of security events reduce my client’s cyber insurance premiums?
That depends on the insurance company, but it’s definitely possible that 24x7 monitoring will help reduce rates. There are some cyber insurance companies that won’t cover companies that don’t have the protection that managed detection and response offers.
How can I show a business owner the ROI from 24x7 security monitoring?
Make sure you work with a security services partner that provides detailed reports that you can share with your client to address this. For example, our weekly or monthly reports show all the priority one events we’ve seen during the reporting period, whether or not they turned out to be true positives. This demonstrates that there’s a lot of work being done by the 24/7 SOC so your customer doesn’t have to do it themselves or invest in the expertise it takes. The customer is paying for a level of protection that will be there when an event is a true positive, and they get a phone call alerting them to take action to protect their data.
How much protection do small and medium-sized businesses need? Are ransomware attackers going after small and medium-sized businesses as opposed to large ones?
Size does not matter. If your customer brings in a profit that can be stolen, they are subject to attack. No one is too small; as we say, “security by obscurity” no longer exists. Rather, it’s a question of how easy a company is to infiltrate. Ransomware attackers are targeting more businesses than before, including small and medium-sized operations. They are specializing in industries that are lagging behind in security. These industries, as well as small businesses in general, lack security maturity and thus are easy targets for ransomware and all kinds of attacks.
Conclusion
The need for security, and the consequences of going without it, are gaining visibility across businesses of all sizes, including the small and medium-sized businesses that are the sweet spot for MSPs, and more companies are looking to outsource security. Partnering with a security services provider like Netsurion to offer these services creates a new revenue stream for you without the time and cost it would take to build and run an in-house solution. Given the growing opportunity in this area, it is an exciting time to be an MSP.
In 2005, the Department of Homeland Security commissioned Livermore National Labs to produce a kind of pre-emptive post-mortem report. Rather than wait for a vengeful ex-KGB hacker agent to ignite an American pipeline until it could be seen from space, the report issued recommendations for preventing an incursion that had not yet happened from ever happening again.
Recommendation Number 1: Know your perimeter.
"The perimeter model is dead," pronounced Bruce Schneier, author of The New York Times' best seller Data and Goliath, and the CTO of IBM Resilient. "But there are personal perimeters. It doesn't mean there exists no perimeters. It just means it's not your underlying metaphor any more. So, I wouldn't say to anyone running a corporate network: There are no perimeters, zero."
"The traditional fixed perimeter model is rapidly becoming obsolete," stated the CSA's December 2013 white paper, "because of BYOD and phishing attacks providing untrusted access inside the perimeter, and SaaS and IaaS changing the location of the perimeter. Software defined perimeters address these issues by giving application owners the ability to deploy perimeters that retain the traditional model's value of invisibility and inaccessibility to ‘outsiders’, but can be deployed anywhere – on the internet, in the cloud, at a hosting center, on the private corporate network, or across some or all of these locations."
This reality invalidates the model of safeguarding the corporate network via the fortress model, one where all assets are inside and a well-defined perimeter exists, which can be defended. Instead, each asset requires a micro-fortress around it, regardless of where it is located. The EventTracker sensor enables a micro-fortress around and near the endpoint on which it operates. It provides host-based intrusion detection, data leak protection and endpoint threat detection. While the sensor itself operates on any Windows platform, it is able to act as a forwarder for any local syslog sources, relaying logs over an encrypted connection.
Welcome to your software defined perimeter.
By Randy Franklin Smith
Ransomware is about denying you access to your data via encryption. But that denial has to be of a great enough magnitude to create sufficient motivation for the victim to pay. The magnitude of the denial is a factor –
If the motivation to pay is about the value of the data, remember that the data doesn’t need to be private. It just needs to be valuable. The intrinsic value of the data (irrespective of copies) is only the first factor in determining the value of the criminally encrypted copy. The number of copies of the data and their level of availability exert upward or downward pressure on the value of the encrypted copy. If the victim has a copy of the data online and immediately accessible, the ransomware-encrypted copies have little to no value. On the other hand, if there are no backups of the data, the value of the encrypted copy skyrockets.
But ransomware criminals frequently succeed in getting paid even if the value of the encrypted copy of data is very low. And that’s because of the operations interruption. An organization may be hit by ransomware that doesn’t encrypt a single file containing data that is intrinsically valuable. For instance, the bytes in msword.exe or outlook.exe are not valuable. You can find those bytes on billions of PCs and download them at any time from the Internet.
But if a criminal encrypts those files, you suddenly can’t work with documents or process emails. That user is out of business. Do that to all the users and the business is out of business.
Sure, you can just re-install Office, but how long will that take? And surely the criminal didn’t stop with those two programs.
Criminals are already figuring this out. In an ironic twist, criminals have co-opted a white-hat encryption program for malicious scrambling of entire volumes. Such system-level ransomware accomplishes complete denial of service for the entire system and all business operations that depend on it.
Do that to enough end-user PCs or some critical servers and you are into serious dollar losses no matter how well prepared the organization.
So we are certainly going to see more system-level ransomware.
But encrypting large amounts of data is a very noisy operation that you can detect if you are watching security logs and other file I/O patterns, which just can’t be hidden.
So why bother with encrypting data in the first place? Here are two alternatives that criminals will increasingly turn to:
Storage device level ransomware
I use the broader term storage device because, of course, mechanical hard drives are on the way out. Also, although I still use the term ransomware, storage device level ransomware may or may not include encryption. The fact is that storage devices have various security features built into them that can be “turned.” As a non-encryption but effective example, take disk drive passwords. Some drives support an optional password that must be entered at the keyboard before the operating system boots. Sure, the data isn’t encrypted and you could recover it, but at what cost in terms of interrupted operations?
But many drives, flash or magnetic, also support hardware-level encryption. Turning on either of these options requires some privilege, or exploitation of low-integrity systems, but storage-level ransomware will be much quieter, almost silent, compared with the application- or driver-level encryption of present-day malware.
Threat of release
I’m surprised we haven’t heard of this more already. Forget about encrypting data or denying service to it. Instead exfiltrate a copy of any kind of information that would be damaging if it were released publicly or to another interested party. That’s a lot of information — not just trade secrets. HR information. Consumer private data. Data about customers. The list goes on and on and on.
There’s already a burgeoning trade in information that can be sold, like credit card information. But why bother with data that is only valuable if you can sell it to someone else and/or overcome all the fraud detection and loss-limiting technology that credit card companies are constantly improving?
The data doesn’t need to be intrinsically valuable. It only needs to be toxic in the wrong hands.
Time will tell how successful this will be, but it will happen. The combination of high read and write I/O on the same files is what makes ransomware stand out right now. And unless you are doing transparent encryption at the driver level, you have to accomplish it in bulk as quickly as possible. Threat-of-release attacks, by contrast, won’t cause any file system writes. Threat-of-release also doesn’t need to process bulk amounts of information as fast as possible; criminals can take their time and let it dribble out of the victim’s network to their command and control systems. On the other hand, the volume of outbound bandwidth with threat of release is orders of magnitude higher than with encryption-based ransomware, where all the criminal needs to send is encryption keys.
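The contrast drawn above, bulk read-then-write churn for encrypting ransomware versus read-only harvesting for a threat-of-release attacker, is straightforward to express as detection logic over file I/O telemetry. The block below is an added example written for this page, not code from the author or from any product mentioned on it; the event fields, the process names, the thresholds and the sample activity are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-I/O event as an EDR- or Sysmon-style sensor would report it (constructed schema)."""
    ts: float        # seconds
    pid: int
    process: str
    op: str          # "read", "write" or "rename"
    path: str


def detect_bulk_rewrite(events, window_s=60.0, min_files=20):
    """Encrypting-ransomware pattern: one process reads and then overwrites or renames many
    distinct files within a sliding time window.
    Returns {(pid, process): peak number of distinct files rewritten in any window}."""
    reads = defaultdict(set)          # (pid, process) -> paths this process has read so far
    recent = defaultdict(deque)       # (pid, process) -> (ts, path) of rewrites still in the window
    peak = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.process)
        if ev.op == "read":
            reads[key].add(ev.path)
        elif ev.op in ("write", "rename") and ev.path in reads[key]:
            window = recent[key]
            window.append((ev.ts, ev.path))
            while window and window[0][0] < ev.ts - window_s:
                window.popleft()              # drop rewrites older than the window
            distinct = len({path for _, path in window})
            if distinct > peak.get(key, 0):
                peak[key] = distinct
    return {k: v for k, v in peak.items() if v >= min_files}


def read_only_bulk(events, min_files=20):
    """Threat-of-release pattern: many distinct files read, nothing written back, so the
    rewrite detector above stays silent. Returns {(pid, process): distinct files read} for
    processes with zero writes or renames. Correlate with outbound traffic volume to confirm."""
    read = defaultdict(set)
    wrote = set()
    for ev in events:
        key = (ev.pid, ev.process)
        if ev.op == "read":
            read[key].add(ev.path)
        else:
            wrote.add(key)
    return {k: len(v) for k, v in read.items() if k not in wrote and len(v) >= min_files}


def _constructed_events():
    """Constructed sample, not real telemetry."""
    ev = []
    for i in range(50):   # encryptor: read then overwrite 50 documents in 25 seconds
        t = 1000.0 + i * 0.5
        path = f"C:\\Users\\alice\\Documents\\report_{i}.docx"
        ev.append(FileEvent(t, 4242, "crypt.exe", "read", path))
        ev.append(FileEvent(t + 0.1, 4242, "crypt.exe", "write", path))
    for i in range(5):    # ordinary editing: Word saves the same file a few times
        doc = "C:\\Users\\alice\\Documents\\budget.docx"
        ev.append(FileEvent(1000.0 + i * 10, 1180, "WINWORD.EXE", "read", doc))
        ev.append(FileEvent(1001.0 + i * 10, 1180, "WINWORD.EXE", "write", doc))
    for i in range(200):  # collector: reads 200 HR files, writes nothing locally
        ev.append(FileEvent(2000.0 + i * 0.2, 5150, "collect.exe", "read",
                            f"C:\\HR\\records\\emp_{i}.pdf"))
    return ev


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    print("bulk rewrite alerts:", detect_bulk_rewrite(SAMPLE_EVENTS))
    print("read-only bulk access:", read_only_bulk(SAMPLE_EVENTS))
```

Run against the sample, the rewrite detector flags only the encryptor; Word rewrites a single file and never crosses the distinct-file threshold, and the collector never writes at all. The collector is what the second function surfaces, which is the point of the passage: a threat-of-release attacker leaves no file system writes, so the signal has to come from read volume on sensitive paths and from the outbound traffic that follows, not from I/O churn.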
As with all endpoint based attacks (all attacks for that matter?) time is of the essence. The time-to-detection will continue to determine the magnitude of losses for victims and profits for criminals.
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure all companies that process, store or transmit credit card information maintain a secure environment.
We often hear business owners give all kinds of reasons why they do not need to be PCI compliant, or tell us that they are PCI compliant without knowing that they are not.
We get it, taking care of a business is a lot of work and learning about PCI compliance can be a whole other full time job. PCI is a continuous effort to be and stay compliant while also keeping track of its updates. See latest PCI DSS updates.
The reality is that PCI applies to any company of any size that accepts credit card payments. If your company accepts credit card payments, or stores, processes or transmits cardholder data, you must have that data secured with a PCI-compliant provider.
PCI compliance can be confusing, however that doesn't mean that it has to be difficult. Understanding PCI involves understanding the definitions of the terminology used such as compliance, validation, and assessments.
We have gathered what have been common comments that we hear from business owners. And today, we would like to bust these myths! Here we go!
We have heard this comment from many business owners. According to the PCI Security Standards, if you process even ONE credit card transaction, you must be PCI compliant.
Your small business is as much of a target for hackers as the big corporations are.
Remember when you opened your business bank account? There are VISA regulations you adhere to when doing so.
If you store, process or transmit credit card data, you (not the bank or POS company) are responsible for being PCI compliant. In the case that your business gets breached and you are not PCI compliant, the fines and compensation requirements by the bank will negatively affect your business’ profits.
The Self-Assessment Questionnaires (SAQ) are validation tools intended to assist merchants and service providers report the results of their PCI self-assessment. You must be honest with these answers as they are crucial to validating your PCI compliance.
If you answer ‘Yes’ when that is not actually the case, you will be exposing your business to a huge risk of a payment card data breach.
And we both know, that nobody wants a data breach on their brand’s reputation.
Whether your customers purchase your goods and services online or in-store, you will need PCI. Payment risks can occur from online services as well as from POS devices. Most of the biggest data breaches that you hear on the news have come from POS devices. Hackers will try every way they can to access payment data.
Compliance, in terms of PCI, is meant as an ongoing activity, not simply an endpoint goal. The overall objective is not only to become compliant but to also maintain that compliance within the requirements of PCI DSS.
Validation on the other hand, is the process of verifying, or validating that compliance (or lack thereof). This could include audit activities (SAQ) or technical validations such as your vulnerability scanning or penetration testing.
Many business owners falsely believe that simply scheduling vulnerability scans and completing the yearly SAQ makes them compliant when in fact, scans only account for 1 out of 6 subsections of requirement #11 in the PCI DSS.
The standard has 12 total requirements, which means that vulnerability scans account for less than 8% of total requirements.
We hope these myths are cleared out for you now. Learning about PCI is vital to the security of your business and most of all, your customers!
If you are interested in continuing your PCI education and learn about the different merchant and validation levels please read more here. And of course, reach out to us for any questions you may have.
As the summer traveling season quickly approaches, most travelers envision exchanging work clothes and school books for shorts, flip flops, and beach umbrellas as they look forward to that well-deserved vacation. While planning their road trips and flights, many can’t wait to see faraway attractions for the first time, or feel the sand between their toes with a cool drink in hand while watching the waves roll in from the horizon.
Unfortunately, hackers have their own plans this summer — to steal travelers’ personal information from their laptops, smartphones, and other devices connected to the internet through public Wi-Fi at airports and hotels.
Hackers can access personal information from public Wi-Fi-connected devices through an attack that emulates a legitimate Wi-Fi access portal. This allows nearby threat actors to see everything public Wi-Fi users do online, including logging into their bank accounts, entering credit card numbers on websites, or checking email.
A hacker can also trick public Wi-Fi users into accessing what looks like a safe website when they are actually opening a fake version that asks to download a “security patch” or another critical update. Upon complying, it is possible that the Wi-Fi users unknowingly consent to install malware, which can give cyberthieves more access to their computers, phones or tablets — even after they return home from vacation.
Because hackers can easily access personal information over public Wi-Fi, travelers should practice great caution and diligence in defending themselves against becoming the next cyberattack victim while waiting at airports and staying at hotels.
Nearby hackers can set up fake Wi-Fi access portals through a “man-in-the-middle” attack to access this information and, ultimately, all your money.
Be wary of thieves looking over your shoulder to record your password or other sensitive information as you type it in. Privacy screens, which mask on-screen information from nearby individuals, are sold at most airports and office supply stores.
If you have highly personal or sensitive information, you should turn off file sharing on your computer to keep it away from hackers. While sharing provides a convenient way to move files on a trusted connection, hackers can copy files that are left open or not protected with permissions while you are on an insecure connection such as public Wi-Fi.
Certificate errors typically indicate something is wrong with the certificate of the location you are trying to access. If you see one, you should stop using that connection altogether. Certificate errors are the most common sign that someone is trying to trick you so they can see your data.
Many carriers, such as AT&T, Verizon, and Sprint have a means to allow you to set up your phone to be a secure Wi-Fi hotspot that can be accessed by other devices. Utilizing this connection instead of free Wi-Fi means your data is not available to the nearby hacker looking for victims.
When connecting to a public Wi-Fi network at a hotel or airport — or anywhere else for that matter, use a virtual private network. By doing so, you will be using a “private tunnel” that encrypts your data to prevent cybercriminals lurking on the network from intercepting your data.
Make sure all your devices — computers, tablets, laptops, smartphones, and so on are safeguarded from hackers by rigorous anti-malware and security software. Also, ensure that your software and devices are updated regularly.
In addition to taking precautions when using public Wi-Fi at hotels and airports, travelers should also think twice about posting their activities on social media such as Facebook, Twitter, Instagram, or LinkedIn while they are far from home.
While it may be fun to share vacation adventures with friends or work activities with colleagues in real time, this can tip off cyberthieves — who may have home addresses. Even if the hackers aren’t following the travelers directly, they can easily find who is on vacation through Twitter by simply logging into the site and looking up #Hawaii, for instance.
These thieves can arrive at travelers’ homes disguised as repair technicians or delivery persons and steal their personal belongings without arousing suspicion. Given the risk, travelers should wait until they get home before sharing their travel pictures and comments on social media.
While away from home on vacation or business this summer, travelers using public Wi-Fi at hotels and airports must play it safe when connecting to the internet or posting to social media. After all, hackers are always out there in cyberspace, looking to steal whatever they can from the next victim.
With these tips, however, vacationers should be able to finally unwind and relax.
While you are reveling in the holiday season and all of the shopping deals it has to offer, also consider sharing these tips to help family and friends stay safe when they head out on the hunt for the perfect gift.
Though there are many companies out there responsible for securing merchant locations from the risks of data breaches, people’s own risky behavior often leads to their ID theft problems, no matter how well merchants protect them.
And with more and more merchants accepting chip cards this year, hackers are likely to go back to tried and true methods for preying on individual cardholders.
Here is a simple checklist of dos and don’ts to help make sure your credit card information doesn’t become a nicely wrapped present for some hacker.
Hackers snoop public Wi-Fi connections and even create their own fake hotspots. The risk is that everything you do is visible to data thieves, including login information for bank accounts, email, or your credit card numbers.
Save your online shopping for a trusted network like your home or office, or a known network that is password-protected.
Chip cards are here because they are much more secure for in-store payments. Really. So, insert if you can, instead of swiping.
Did you know most data breaches are not discovered by the breached company, but by someone else?
So, take responsibility for your own safety. Many credit and debit card companies let you set an alert for card usage. Sign up and see what is happening on your account instantly.
Phishing remains the top way hackers put malware—bad software used to steal your sensitive data—on your PC. Hackers create new attacks much faster than anti-virus programs can find them and update their software to protect you from the latest “zero-day” threat.
Try not to click on links; instead go to the company’s website yourself to login. Or at least mouse over links and make sure they really are going to the company you think sent you the email.
And do not click on attachments from suspect sources.
Make sure you are connecting with online merchants and banks over a secure web channel. Look for “https” in the address. That means you have a secure connection and hackers cannot snoop your data.
So if you want to make sure all of your personal information is safe this holiday season, be sure to remember these easy steps. Never let your guard down, not even for one second, because the one step you skip could lead to the one time a hacker chooses you.
I think one of the most underutilized features of Windows Auditing and the Security Log are Process Tracking events.
In Windows 2003/XP you get these events by simply enabling the Process Tracking audit policy. In Windows 7/2008+ you need to enable the Audit Process Creation and, optionally, the Audit Process Termination subcategories which you’ll find under Advanced Audit Policy Configuration in group policy objects.
These events are incredibly valuable because they give a comprehensive audit trail of every time any executable on the system is started as a process. You can even determine how long the process ran by linking the process creation event to the process termination event using the Process ID found in both events. Examples of both events are shown below.
| Event | Windows version | Event ID | Example |
| --- | --- | --- | --- |
| Process Start | WinXP/2003 | 592 | A new process has been created. Subject: Security ID: WIN-R9H529RIO4Y\Administrator. Process Information: New Process ID: 0xed0 |
| Process Start | Win7/2008 | 4688 | |
| Process End | WinXP/2003 | 593 | A process has exited. Subject: Security ID: WIN-R9H529RIO4Y\Administrator. Process Information: Process ID: 0xed0 |
| Process End | Win7/2008 | 4689 | |
Trying to determine what a user did after logging on to Windows can be difficult to piece together. These events are valuable on workstations because often, they are the most granular trail of activity left by end-users: for example, you can tell that Bob opened Outlook, then Word, then Excel and closed Word.
The process start event tells you the name of the program and when it started. It also tells you who ran the program and the ID of their logon session with which you can correlate backwards to the logon event. This allows you to determine the kind of logon session in which the program was run and where the user (if remote) was on the network using the IP address and/or workstation name provided in the logon event.
Process start events also document the process that started them using Creator Process ID which can be correlated backwards to the process start event for the parent process. This can be invaluable when trying to figure out how a suspect process was started. If the Creator Process ID points to Explorer.exe, after tracking down the process start event, then it’s likely that the user simply started the process from the start menu.
These same events, when logged on servers, also provide a degree of auditing over privileged users but be aware that many Windows administrative functions will all show up as process starts for mmc.exe since all Microsoft Management Console apps run within mmc.exe.
But beyond privileged and end-user monitoring, process tracking events help you track possible change control issues and to trap advanced persistent threats. When new software is executed for the first time on a given system it’s important to know that, since it implies a significant change to the system or it could alert you to a new unauthorized and even malicious program running for the first time.
The key to seeing this kind of activity is to compare the executable name in a recent event 592/4688 to the executable names in a whitelist, and thereby recognize new executables.
Of course, this method isn’t foolproof because someone could replace an existing executable (on your whitelist) with a new program that has the same name and path as the old one. Such a change would “fly under the radar” with process tracking. But my experience with unauthorized changes that bypass change control and with APTs indicates that, while this is certainly possible, the methods described herein will catch their share of offenders and attackers.
To do this kind of correlation you need to enable process tracking on applicable systems (all systems if possible, including workstations) and then you need a SIEM solution that can compare the executable name in the current event to a “whitelist” of executables.
How you build that whitelist is important because it determines if your criteria for a new executable is unique to “that” system, or if it is based on a “golden” system, or your entire environment. The more unique your whitelist is to each system or type of system, the better. You can build the whitelist by either scanning for all the EXE files on a given system or by analyzing the 592/4688 events over some period of time. I prefer the latter because there are many EXE files on Windows computers that are never actually executed and I’d like to know the first time any new EXE is run – whether it came with Windows and installed applications out of the box or whether it is a new EXE recently dropped onto the system. On the other hand if you only want to detect when EXEs run which were not present on system at the time the whitelist was created, then a list built from simply running “dir *.exe /s” will suffice.
If you opt to analyze a period of system activity, make sure that the period is long enough to cover the full usage profile and business process profile for that system; usually a month will do it. Take some time to experiment with Process Tracking events and I think you’ll find that they are valuable for knowing what’s running on your system and who’s running it.
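As an added example (not code from the original article), here is a Python sketch of the whitelist-and-compare logic described above: it builds the whitelist from a baseline period of 4688 events rather than from the .exe files on disk, alerts on the first run of any executable not in it (resolving the parent program through Creator Process ID and carrying the Logon ID for correlation back to the logon event), and pairs 4688/4689 events by Process ID to compute how long each process ran. The events, paths, PIDs and field names are constructed assumptions, not real log data.

```python
"""Spot first-time executables from Windows process tracking events (4688/4689).

Added example, not code from the original article. The events are constructed
sample records in an already-parsed form (a SIEM or a Security log export would
supply these fields); the field names and values are assumptions.
"""
from datetime import datetime

BASELINE_END = "2024-03-02 00:00:00"  # activity before this builds the whitelist

# Constructed sample events. 4688 = process start, 4689 = process end.
# 'creator_pid' is the Creator Process ID; 'pid' is the (New) Process ID.
SAMPLE_EVENTS = [
    {"id": 4688, "time": "2024-03-01 09:00:00", "pid": "0x3c8", "creator_pid": "0x2bc",
     "exe": r"C:\Windows\explorer.exe", "user": "bob", "logon_id": "0x1d2f4"},
    {"id": 4688, "time": "2024-03-01 09:01:00", "pid": "0x4a0", "creator_pid": "0x3c8",
     "exe": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "user": "bob", "logon_id": "0x1d2f4"},
    {"id": 4688, "time": "2024-03-01 09:05:00", "pid": "0x4e8", "creator_pid": "0x3c8",
     "exe": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "user": "bob", "logon_id": "0x1d2f4"},
    {"id": 4689, "time": "2024-03-01 09:35:00", "pid": "0x4e8",
     "exe": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "user": "bob", "logon_id": "0x1d2f4"},
    # Next day: same programs, new logon session, plus one executable never seen before.
    {"id": 4688, "time": "2024-03-02 10:00:00", "pid": "0x3c8", "creator_pid": "0x2bc",
     "exe": r"C:\Windows\explorer.exe", "user": "bob", "logon_id": "0x2e8a1"},
    {"id": 4688, "time": "2024-03-02 10:01:00", "pid": "0x5b4", "creator_pid": "0x3c8",
     "exe": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "user": "bob", "logon_id": "0x2e8a1"},
    {"id": 4688, "time": "2024-03-02 10:12:30", "pid": "0x7f0", "creator_pid": "0x5b4",
     "exe": r"C:\Users\bob\AppData\Local\Temp\invoice_viewer.exe", "user": "bob", "logon_id": "0x2e8a1"},
    {"id": 4689, "time": "2024-03-02 10:12:45", "pid": "0x7f0",
     "exe": r"C:\Users\bob\AppData\Local\Temp\invoice_viewer.exe", "user": "bob", "logon_id": "0x2e8a1"},
    # Windows reuses PIDs: 0x7f0 is handed to Word after the previous process exited.
    {"id": 4688, "time": "2024-03-02 10:13:00", "pid": "0x7f0", "creator_pid": "0x3c8",
     "exe": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "user": "bob", "logon_id": "0x2e8a1"},
    {"id": 4689, "time": "2024-03-02 10:40:00", "pid": "0x7f0",
     "exe": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "user": "bob", "logon_id": "0x2e8a1"},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def build_whitelist(events, baseline_end):
    """Whitelist = every executable that actually ran (4688) during the baseline
    period, not every .exe on disk, so the first run of a bundled but never-used
    program is still flagged later."""
    end = datetime.strptime(baseline_end, "%Y-%m-%d %H:%M:%S")
    return {e["exe"].lower() for e in events if e["id"] == 4688 and _ts(e) < end}


def detect_new_executables(events, whitelist, baseline_end):
    """Alert on the first 4688 after the baseline whose executable is not whitelisted.

    Each alert carries the user and Logon ID (to correlate back to the logon event)
    and the parent program, resolved by looking the Creator Process ID up among
    earlier process start events."""
    end = datetime.strptime(baseline_end, "%Y-%m-%d %H:%M:%S")
    known = set(whitelist)
    started = {}      # pid -> exe of the most recent 4688 seen for that pid
    alerts = []
    for e in sorted(events, key=_ts):
        if e["id"] != 4688:
            continue
        parent = started.get(e["creator_pid"], "<no start event seen>")
        started[e["pid"]] = e["exe"]
        if _ts(e) < end or e["exe"].lower() in known:
            continue
        known.add(e["exe"].lower())   # alert once, on the first run only
        alerts.append({"time": e["time"], "exe": e["exe"], "user": e["user"],
                       "logon_id": e["logon_id"], "parent": parent})
    return alerts


def process_durations(events):
    """Pair each 4688 with the next 4689 carrying the same Process ID.

    Because PIDs are reused, a start is only matched with the first end that
    follows it; returns (exe, pid, seconds) tuples in completion order."""
    open_starts = {}  # pid -> (exe, start time) for processes not yet ended
    durations = []
    for e in sorted(events, key=_ts):
        if e["id"] == 4688:
            open_starts[e["pid"]] = (e["exe"], _ts(e))
        elif e["id"] == 4689 and e["pid"] in open_starts:
            exe, start = open_starts.pop(e["pid"])
            durations.append((exe, e["pid"], (_ts(e) - start).total_seconds()))
    return durations


if __name__ == "__main__":
    wl = build_whitelist(SAMPLE_EVENTS, BASELINE_END)
    for a in detect_new_executables(SAMPLE_EVENTS, wl, BASELINE_END):
        print(f"NEW EXE {a['exe']} run by {a['user']} (logon {a['logon_id']}) "
              f"at {a['time']}, parent {a['parent']}")
    for exe, pid, secs in process_durations(SAMPLE_EVENTS):
        print(f"{exe} (PID {pid}) ran {secs:.0f}s")
```

In the sample data only the Temp-folder executable is flagged, with Outlook reported as its parent, while the reused PID 0x7f0 is still paired correctly with each of its two exits.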
Contributed by: Meaghan Moraes, Blog and Social Media Manager at Continuum
For MSPs serving clients in the healthcare industry, protecting data can be complex. With compliance enforcement like HIPAA, for instance, distinguishing the owner of your clients’ data is critical — especially given the lack of security awareness training among healthcare end users. The 2018 Cloud Security In-depth Report by Netwrix shows that 55% of healthcare organizations rated their own employees as the biggest security risk. In fact, according to the recently published Verizon PHI Data Breach Report, 58% of healthcare data breach incidents involve insiders, the highest percentage of insider threats in any industry.
In this post, you will learn the five key data security tips to better protect SMB clients in healthcare, ultimately enabling your posture as a trusted healthcare Information Technology (IT) security partner.
Oftentimes, business owners believe that the IT team is responsible for data security. The reality is that the company’s owner, Board of Directors, Managing Partner, CEO, President, or CFO are the ones who will get dragged into litigation after a data breach. They are considered the owners of the data, they approve the budget for cybersecurity, and they have the responsibility to protect data. And it is they who will be asked to show what steps they took towards due care in protecting their clients’ data.
This distinction is extremely important for the healthcare industry, and for MSPs to understand as you work to avoid and prevent breaches of this sensitive data. Here are some important places to start.
At this stage in the evolution of cybersecurity and managed services, it’s crucial that you have the advanced tools to help identify the current inventory of devices on your clients’ networks and are notified when new devices are added — enabling network visibility.
With managed SIEM services and 24/7 support from cybersecurity experts, you’ll have real-time alerting, network logs, and activity monitoring to help you demonstrate healthcare compliance.
Implementing incremental patching and software updates is a key step in preventing cyber attacks and mitigating risk. It helps ensure the highest levels of security are upheld, from the MSP, to the healthcare data owner, to the end user.
Access to sensitive and critical data should remain on a need-to-know-basis, and users with access should only be able to see information critical to their jobs. You should also make sure to automatically remove access when it’s no longer needed.
There’s an even greater emphasis on limiting access for end users in healthcare. For example, healthcare professionals who need to access a patient's electronic health records through a clinical portal should be following a protocol to ensure the information is only accessed by those who have permission to view it. Access to health data should be restricted to authorized staff, and this access should be reviewed frequently. In addition, the system should employ multi-factor authentication (MFA) and access control lists for administrative access to the system.
While one simple click on the wrong link is all it takes for an environment to become infected, many of these threats can be easily avoided with the right level of education. Offering training courses is an inexpensive way to reinforce your defenses by providing your employees with the means to recognize and report suspected attacks such as phishing and malware.
Outsourcing cybersecurity services and employing advanced tools built for MSPs will help you ensure your healthcare security strategy is strong and that your clients’ data is safe, while freeing up your own employees so they can focus on other business priorities.
With advanced threats continuing to permeate the healthcare industry, your clients in this space will continue to turn to your expertise and ultimately, your security protections. With these tactics in place, data ownership and risk status will remain clear.
Bad actors/actions are more and more prevalent on the Internet. Who are they? What are they up to? Are they prowling in your network?
The first two questions are answered by Threat Intelligence (TI), the last one can be provided by a SIEM that integrates TI into its functionality.
But wait, don’t buy just yet, there’s more, much more!
Threat Intelligence when fused with SIEM can:
• Validate correlation rules and improve baselining alerts by raising the priority of rules that also point at TI-reported “bad” sources
• Detect owned boxes, bots, etc. that call home when on your network
• Qualify entities related to an incident based on collected TI data (what’s the history of this IP?)
• Match past, historical log data against current TI data
• Review past TI history as key context for reviewed events, alerts, incidents, etc.
• Enable automatic action due to better context available from high-quality TI feeds
• Run TI effectiveness reports in a SIEM (how much TI leads to useful alerts and incidents?)
• Validate web server logs source IP to profile visitors and reduce service to those appearing on bad lists (uncommon)
and the beat goes on…
Want the benefits of SIEM without the heavy lifting involved? SIEM may be for you.
In the wake of the numerous recent data breaches, many consumers are demanding answers about how and why companies have inadvertently allowed data to be compromised, given the security measures accessible today.
After a breach is confirmed, the process typically involves PCI Forensic Investigators spending time researching and investigating compromised networks, logging files, and any other pieces of the system traceable to not only how the hackers gained access, but once in control of a machine, how data was removed or retrieved.
Investigative reports post-breach have uncovered vast amounts of useful information employed to reactively secure networks going forward. The industry, as a whole, has learned that in many of the instances the culprit responsible for the data theft is linked to businesses utilizing remote access, or more specifically, insecure remote access.
It would come as no surprise then that the method of choice for many blackhats (a.k.a. computer hackers) looking to enter a system has been identifying insecure remote access.
This method includes several different remote platforms, of which you can read more about in the DHS article on Backoff: New Point of Sale Malware. Hackers search for such inconsistencies and once located, it is only a matter of moments before they are able to connect to machines remotely, many times gaining administrative privileges in the process.
Once they have these privileges, it is quite easy for them to download the Backoff malware on the machine in order to begin sending credit card data to their destination of choice. Gaining access however, is only one step of the hacker's overall goal: retrieving sensitive information from systems with malicious intent.
Before moving forward, it is important to understand that the Backoff malware is not infectious. That is to say, simply visiting a web page will not result in the malware being downloaded onto a machine, rather it must be installed, much like any other application used for legitimate purposes.
Therefore, the most common way that Backoff, and its latest variants, have infiltrated systems is through the use of insecure remote access. The Department of Homeland Security brief about Backoff points out that of the 1000 plus businesses affected by Backoff, the majority were compromised through the use of remote access lacking sufficient security measures.
Imagine for a moment if remote access granted to a vendor serving all locations for a particular company were to become compromised. Then it is highly plausible that a savvy hacker could penetrate not only the single location, but could obtain access to an entire brand, tarnishing their reputation and ultimately plunging profits in the process.
Backoff works by allowing criminals to (remotely) control the infected system, seizing credit card data out of memory, writing files with sensitive authentication data, and ultimately transmitting the stolen information using standard HTTP POST requests.
There is nothing particularly innovative about how Backoff works, but the completeness of its design and simplicity has allowed some of the biggest credit card thefts in history.
Not only is the software itself fairly simplistic, but hackers can easily obtain a copy of Backoff from the Internet, streamlined so it causes few issues when installing on a remote machine; and it was so well written it is extremely effective at stealing data once it is in place.
The original Backoff software sent data in clear text that could be detected using a network sniffer, or Intrusion Detection System. The sniffer examined the data traveling over the network and could detect credit card data in the stream, preventing malicious traffic from being sent from the POS system.
Clever cyber-criminals, however, tend to stay one step ahead, continually creating new and enhanced versions of malware and other attack techniques.
Need proof? Just look at the latest version of Backoff, Backoff ROM. It was updated with the ability to encrypt outbound credit card data, making sniffer detection and prevention methodology all but ineffective. To a network sniffer, encrypted data appears as gibberish, removing any patterns that would allow the sniffer to recognize the transmission as credit card data.
It typically takes several months for security and anti-virus providers to identify new strains of malware and react by incorporating added protection into their products and services. Factoring in the time and effort needed to fully deploy the updates, systems have by then been left unprotected by out-of-date software for months.
The glaring issue here is that software solutions, such as anti-virus programs, are usually between 6 and 12 months behind major malware releases, and are therefore not enough to protect against sophisticated threats. Companies therefore need to embrace a more holistic approach to protecting their business.
Maintaining an effective defense against all vulnerabilities, new and unknown, along with forward-thinking initiatives to protect against other modes of cyber-attack, requires techniques that focus on blocking the behaviors attackers use, rather than any one specific attack or piece of malware.
Firewall installation and proper configuration are integral parts to security, but what happens when the firewalls are not setup correctly?
Many SMBs rely on internal IT teams that lack the security expertise or discipline required to continually monitor firewall security, keep abreast of the latest threats, and make the adjustments necessary to thwart attacks. A large portion of these businesses mistakenly believe a firewall can be set up once and will continue to provide adequate protection indefinitely.
However, as we mentioned before, effective firewall protection requires a combination of continually updated technology complemented by expert monitoring and adjustment. Firewall protection falls short when businesses fail to initially configure their firewalls properly, or when they deploy firewalls that may lack particular modes of protection necessary to thwart certain types of attacks like Backoff.
Having a dedicated security expert managing your firewall can make the difference between a costly breach and a bullet-proof defense. A security expert will be able to recognize when an unusual event has occurred, investigate to determine the level of danger posed by the event, and take the appropriate measures to ward off present and future attacks.
A common complaint surrounding data security is that the steps required to maintain protection tend to interfere with efficiency. Employees then blur the line or outright circumvent the security measures, which quickly leads to a breakdown in the overall protection of the network.
This isn't to say that you have to compromise efficiency for security. What is closer to the truth is the need for understanding throughout the company on why security initiatives and processes were determined as best practices in the first place, and continuing to follow through with them.
Some of the methods that protected against Backoff are fairly basic security measures, those of which too many retailers have ignored. These methods are recommended regardless of initiatives like the Payment Card Industry Data Security Standard (PCI).
First and foremost, verify your remote access is secure. This includes using:
In following the advice above you are ensuring that the passwords in place are strong enough that cracking them is not worth the time and energy, especially since 2-factor authentication adds a factor that hackers rarely have direct access to. In using a single user per username, or unique credentials, activity can then be tracked back to a specific user.
In addition, developing a proper firewall protection program that incorporates limiting both inbound and outbound traffic to the necessary minimum is critical. Consistency in reviewing your practices and updating when necessary is key to make sure that you are, and stay, protected.
Best practices should be followed to minimize risk.
For example, firewall segmentation limiting access separates the channels storing info in order to minimize access to sensitive data along with the overall data that can be breached.
During the recent rise in data breaches, Lumifi has remained successful in preventing penetration and data export, even before the Backoff threat was known and understood.
By combining our advanced capabilities such as the double-duty firewall design, DNS blocking and network segmentation with proper firewall configuration, along with testing and continuous updating and adjustment, Lumifi managed firewalls effectively protected from threats, both new and even those unknown at the time.
Accessing a network remotely is an essential capability for most businesses. Unfortunately, opening up an unsecured port compromises the network’s integrity and can also invite hackers.
Some of the largest breaches in recent history can be attributed to weak remote access or unsecured VPN connections.
We provide not only secure remote access SSL VPN into a network, but through our partnership with Juniper Networks, we offer Host Checker, a service that performs a check on all endpoint computers ensuring they conform to security requirements before access over the VPN is allowed.
Domain Name Servers (DNSs) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them into Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers access Websites based on IP addresses.
Our industry leading IP-based web traffic routing technology provides battle-tested protection against malware-based data theft where other firewalls have fallen short. Unlike most self managed solutions, and even some third party solutions, we created outbound traffic restrictions as part of our base configuration. These outbound restrictions were instrumental in stopping Backoff from affecting numerous businesses infected by this malware.
As an added layer of security, Lumifi's centrally managed firewall network allows us to control where network traffic goes, preventing it from resolving malicious sites or based on countries, as well as denying traffic requests containing other potential vulnerabilities.
Backoff attempted transmission, and the intermediary DNS security component examined the request and determined it to be suspicious. Data was therefore blocked from being sent to the requested Backoff server address. Because the web address to which Backoff was attempting to send the credit card data was not a known or listed entity, our firewall (and its unique configuration) refused the request, rendering Backoff ineffective.
The knowledge that even the most secure firewall can be accessed, be it via improper configuration or an employee error, is essential. Malware will continue to be a significant issue for businesses accepting credit cards in the foreseeable future, and it is key that all businesses become aware of how to secure their environments.
It would be irresponsible to ignore the problem or pretend that it could never happen to you. Taking the appropriate steps today will help you avoid joining the ever-increasing list of businesses that realize they are a hacker's latest victim. Proper management of security and consistent maintenance should be the goal of any security program.
Cybercrime has grown to epidemic proportions, and the effects on multi-location brands, individual franchisees and other small businesses can be devastating and unrecoverable. We believe franchisors, franchisees and SMBs that lack IT resources should be able to access and benefit from enterprise-class network security.
Our goal is to ensure our customers' brands are protected from both internal and external threats by providing them robust and powerful network management, security, and compliance services at a fraction of the costs associated with a self-managed solution.
The evolution of Security Information and Event Management (SIEM) solutions has made a few key shifts over time. It started as simply collecting and storing logs, then morphed into correlating information with rules and alerting a team when something suspicious was happening. And now, SIEM solutions are providing advanced analytics and response automation.
Today’s advanced SIEM solutions:
Advanced SIEM requires continual tuning to learn what is deemed abnormal behavior for a given organization.
At EventTracker, this all happens through our ISO 27001 certified Security Operations Center (SOC), where expert analysts work with this intricate data to learn the customer network and the various device types (OS, application, network devices etc.). Ideally, these experts work in tandem with the customers’ internal IT teams to understand their definition of normal network activity.
Next, based on this information and the available knowledge packs within EventTracker, we schedule suitable daily and weekly reports and configure alerts. The real magic happens when this data becomes “flex reports”. These reports focus on valuable information that is embedded within the description portion of the log messages. When these parameters are trended in a graph, all sorts of interesting, actionable information emerges.
User and Entity Behavior Analytics
In addition to noticing suspicious network behavior, SIEMs have evolved to include User Behavior Analytics (UBA), or User and Entity Behavior Analytics (UEBA). UBA/UEBA triggers an alert when unusual user or entity behavior occurs. This is an important feature now that compromised credentials make up 76% of all network intrusions.
When credentials are stolen, they tend to be used in unusual ways, places, and times. For instance, if a login occurs that is outside the normal pattern, then this is immediately flagged for investigation. If user “Susan” usually logs in to “Workstation5” but suddenly logs in to “Server3”, then this is out of the ordinary and may merit an investigation.
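The Susan/Workstation5 scenario as a small baseline-and-deviation check, added here as an illustration and not EventTracker's own code: it learns each user's hosts, source subnets and login hours from constructed sample records, then reports how a new logon departs from that baseline. The record format, user names and hosts are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not real logs): timestamp, user, host, source IP.
HISTORY = """
2024-05-06T08:58:10 LOGON user=susan host=Workstation5 src=10.0.1.15
2024-05-07T09:03:42 LOGON user=susan host=Workstation5 src=10.0.1.15
2024-05-08T08:49:05 LOGON user=susan host=Workstation5 src=10.0.1.15
2024-05-09T09:12:30 LOGON user=susan host=Workstation5 src=10.0.1.15
2024-05-06T07:30:00 LOGON user=raj host=Server3 src=10.0.2.40
2024-05-07T07:35:12 LOGON user=raj host=Server3 src=10.0.2.40
2024-05-08T19:02:09 LOGON user=raj host=Server3 src=10.0.2.41
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Turn one record into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def subnet(ip):
    """Crude /24 bucket for IPv4 source addresses (the constructed data is all IPv4)."""
    return ip.rsplit(".", 1)[0]


def build_baseline(lines):
    """Learn, per user, the hosts, source /24 subnets and hours of day seen in history."""
    base = defaultdict(lambda: {"hosts": set(), "subnets": set(), "hours": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        b = base[ev["user"]]
        b["hosts"].add(ev["host"])
        b["subnets"].add(subnet(ev["src"]))
        b["hours"].add(ev["ts"].hour)
    return base


def score_event(baseline, line, hour_slack=1):
    """Return the deviations of one new logon from the user's baseline (empty = normal).

    Each deviation is a short reason string an analyst can read in the alert.
    Hour comparison does not wrap around midnight; good enough for this illustration.
    """
    ev = parse_line(line)
    if ev is None:
        return ["unparseable record"]
    b = baseline.get(ev["user"])
    if b is None:
        return ["user has no baseline"]
    reasons = []
    if ev["host"] not in b["hosts"]:
        reasons.append(f"new host {ev['host']} (usual: {sorted(b['hosts'])})")
    if subnet(ev["src"]) not in b["subnets"]:
        reasons.append(f"new source subnet for {ev['src']}")
    hour = ev["ts"].hour
    if not any(abs(hour - h) <= hour_slack for h in b["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00 (usual: {sorted(b['hours'])})")
    return reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for rec in [
        "2024-05-10T09:01:00 LOGON user=susan host=Workstation5 src=10.0.1.15",
        "2024-05-10T09:05:00 LOGON user=susan host=Server3 src=10.0.1.15",
        "2024-05-11T03:10:00 LOGON user=susan host=Server3 src=203.0.113.7",
    ]:
        print(rec, "->", score_event(baseline, rec) or "normal")
```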
Security Orchestration Automation and Response (SOAR)
While alerts to suspicious behavior are necessary, the real goal is acting on the suspicious behavior as quickly and effectively as possible. That’s the next evolution of SIEM: Security Orchestration Automation and Response (SOAR).
While traditional SIEMs can “say” something, those that incorporate SOAR can “do” something.
SOARs consolidate data sources, use information provided by threat intelligence feeds, and automate responses to improve efficiency and effectiveness.
For example, with EventTracker, if an infected USB is plugged into a laptop, even if it’s off the network at the time, and malware begins to run, EventTracker will detect the insertion of the USB, as well as detect any suspicious communication to a low-reputation IP address. It will also catch any suspicious processes that begin to run. Once detected, EventTracker automatically stops the communication and the executable, preventing a potential data breach.
Get the Most Out of Your SIEM
As attacks continue to become more sophisticated and persistent, traditional security tools that just focus on protecting the perimeter will continue to be replaced by solutions that also have detection and response capabilities, in particular on the endpoint devices.
The Riddler is one of Batman’s enduring enemies who takes delight in incorporating riddles and puzzles into his criminal plots—often leaving them as clues for the authorities and Batman to solve.
Question: When is a door, not a door?
Answer: When it’s ajar.
So riddle me this, Batman: When is an alert not an alert?
Users of the EventTracker platform know that one of its primary functions is to apply built-in knowledge to reduce the flood of all security/log data to a much smaller stream of prioritized alerts. However, in most cases, without applying local context, this is still too noisy. Netsurion provides a risk score that is computed based on the asset value and the Common Vulnerability Scoring System rank of the source.
This allows us to separate “alerts” into different priority levels. The broad categories are:
And so, there are alerts, and then there are actionable and prioritized alerts. Over-reacting to awareness or compliance alerts will drain your energy and eventually sap your enthusiasm, not to mention cost you in real terms. Under-reacting to actionable alerts will also hurt you, because prompt action could reduce attacker dwell time and minimize the damage of ransomware or a data breach.
Return on investment (ROI) — it is the Achilles heel of IT management. Nobody minds spending money to avoid costs, prevent disasters, and ultimately yield more than the initial investment outlay. But is the investment justified?
It is challenging to calculate the ROI for any IT investment, and security information and event management (SIEM) tools are no exception.
We recently explored some basic precepts or “pillars” of the ROI of SIEM tools and technology. These pillars provide some sensible groundwork for the difficult endeavor to justify intangible costs of SIEM tools and technology.
Pillar 1. Think Risk: Before and After
Before and after — meaning life without SIEM tools and, subsequently, life with them. SIEM tools help eliminate risk. In most cases, risk has a quantifiable cost. While it’s difficult to say how much was saved by avoiding a major intrusion, examining the effect by comparing conditions before and after is a good start.
In an ROI analysis, develop a statement such as “before we invested in SIEM practices, tools, or technique X, we were greatly at risk. After we deployed XX, our risk was greatly reduced, if not eliminated.”
Then prove and substantiate the statement. The after statement may be characterized with quantitative data, such as the number of intrusions or access points that were eliminated. The more you can quantify, the better. If you can’t quantify, estimate as best you can, but be consistent and realistic.
Pillar 2: Think Cost Avoidance versus “Return”
In other words, don’t expect revenues or a gain from the investment. Rather, the return is the prevention of intrusion and costly security disaster that SIEM afforded. Cost avoidance is your return.
When the security IT firm RSA published a whitepaper on this very topic (SIEM and ROI), they focused on this dimension of ROI: it’s more about cost avoidance than it is about “return.” Cost avoidance is at the heart of the value that SIEM provides.
RSA wrote, “Most experts — who for years argued for or against a ‘return on security investment (ROSI)’ — agree that the value an SIEM solution brings is primarily in the realm of cost avoidance, not ‘return’ as it’s defined in the purest economic sense. So whether you’re looking for an ROI, ROSI, total cost of ownership (TCO), or a breakeven point, the goal is demonstrable value.”
The value of a SIEM solution must be viewed differently. It’s better seen in the cost it avoided rather than the direct dividend or revenue it yielded. As the whitepaper stated: “it’s not a cotton candy machine.”
Pillar 3: Focus on A Variable That Can Be Measured: Time
If you don’t focus on quantifiable variables in your ROI analysis, you’ll be loaded up with assumptions. And assumptions carry little weight in business justification exercises.
Instead of assuming, use time as a key variable that SIEM helps improve in several ways. Explore how much time is saved. For example, if you are in a market or industry characterized by heavy compliance and auditing, consider the preparation that such compliance requires. SIEM tools save preparation time. Time saved can be redirected to other security needs that are already competing for attention in the daily schedule of today’s busy security manager.
In addition to time saved, there’s also an improvement in reaction time. When the sky is falling, the ability of an organization to trace, find and secure swiftly and promptly is critical. Good tools enable that. Improvements in reaction time can be measured.
Add time saved and reaction time improved, and you’re using a quantifiable variable as a measure of value and ultimately ROI.
Pillar 4: Consider the Cost of a Solution — Without Early Discovery
Disaster recovery has many costs that are both tangible and intangible. Liken a security intrusion or major breach to a medical problem: the earlier you discover it, the more options you can implement and the greater are the chances that you can mitigate risk. SIEM tools help discover noncompliance and implement detection earlier. This allows more courses of action and presents them sooner — often before an incident occurs or begins to spiral.
Without early discovery, damage may ensue. But how much does it cost?
Cost estimates of security breaches may be found in news reports. For example, the following cost estimates of data breaches were found with a simple media search:
“Maricopa Community College data breach cost $20 million, including $2.3 million in lawyer fees.”
“The Target breach cost $17 million in third-quarter expenses.” It should be noted there were later citations that said their fourth quarter recognized $60 million in costs, and then another editorial estimated $1 billion in costs when all was said and done.
Yet another is a headline that read: “Navy Intranet Breach Cost $10 Million.”
And the list goes on and on, with the point being that citing news media reports is a quick and somewhat reliable means of presenting the costs associated with remediation and recovery. It strengthens the case for SIEM tool purchases and helps put some urgency into cost avoidance — and is based on someone else’s hardships after an intrusion, not yours. But it paints a picture of what the price of disaster and a large-scale breach could look like.
Determining the ROI of SIEM is not hard when it is approached in a logical way with known information built on a foundation of cost avoidance, time saved, and improved reaction time.
The ROI of SIEM is best explained in the trouble it avoids and the disaster it prevents.
Contributed by: Meaghan Moraes, Blog and Social Media Manager at Continuum
The legal world is centered on offering clients protection—and in the current technology environment, that extends to cybersecurity. With the proper security procedures, policies, training, and IT security in law firms, advanced cybersecurity is yet another way that lawyers can protect their clients today.
However, that’s much easier said than done, as firms and other organizations in the legal space have extremely desirable data, yet many are inadequately prepared for sophisticated breach attempts—making businesses in this vertical primary targets of cyber attacks.
In fact, according to a survey by law firm eWranglers, only 33% of responding firms had implemented data protection policies, and a similar 33% had implemented employee cybersecurity training. It’s clear that these types of small businesses need to seriously invest in cybersecurity in order to withstand the landscape for years to come. Oftentimes, this requires the help of a managed IT service provider (MSP) that can provide the tools, support, and security partnership that these legal firms otherwise wouldn’t have access to.
So, how can you seize that opportunity as an MSP to protect your legal clients with the enhanced cybersecurity that will safeguard their data? The following three steps will help you improve your clients’ security posture and mutual business growth.
Implementing clear and explicit cybersecurity policies for clients is an effective way to not only better protect their data, but to instill trust and forge a lasting partnership that they can turn to. The best way to execute these policies and procedures is through initial and consistent security awareness training. It’s important that your set of policies address these four things:
Every policy you develop for your clients should have accompanying procedures that illustrate what actions must occur.
Another key finding from the eWranglers survey was that, with only 25% with device encryption and a mere 17% with directory security, many law firms lack a fully developed prevention infrastructure. While many legal organizations have some aspects of cybersecurity-related compliance policies, they often don’t have real, comprehensive preventative measures dedicated to security.
Prevention can include employee background checks, implementing user accounts, asset controls, network security protocols, browser filters, and data encryption. But, in this volatile IT landscape, prevention only goes so far and planning for an undesired incident is crucial.
Helping your clients create an incident response plan brings pragmatism and order to a chaotic situation, and ultimately helps them recover faster. Essentially, the plan just takes some road mapping and internal and external collaboration.
Once you can ensure your legal clients are identifying circumstances, safeguarding against further damage, collecting external intelligence, collecting logs and data, and notifying necessary parties, they’ll be as prepared as possible for whatever is thrown their way.
Covering these three areas will allow you to offer your legal clients the advanced protection they now demand.
The rising level of security threats and public incidents demands new approaches to people, processes, and technology that optimize manual processes and harness the benefits of automation. Automation and machine learning (ML) remove inefficiencies and the potential for error or security gaps. While programmatic threat detection and incident response minimize false positives and ease staff and skill shortages, they are not a panacea or quick fix. Human analysts are still the most vital link in cybersecurity defense and the one that differentiates you in the marketplace.
Trends Driving Adoption of Automation
There are six top trends prompting Managed Service Providers (MSPs) and enterprises to embrace automated threat detection and response. In addition to challenges in hiring and retaining hard-to-find cybersecurity professionals, there are hidden costs inherent in the massive amounts of alerts that can trigger false positives.
In light of global IT challenges like staff shortages, ML and automated threat detection and response enhance efficiency, job satisfaction, and retention of cybersecurity experts – whether in Netsurion’s Security Operations Center (SOC) or partner and customer environments.
However, some inhibitors of automation and ML include the lack of talent to implement, the time and cost involved, and a focus on day-to-day security operations.
Benefits and Challenges of Automation
Cybersecurity incorporates automation, machine learning (ML), and artificial intelligence (AI) to accelerate threat correlation and reduce incident response times when minutes matter. Rising labor costs are often the catalyst to exploring automation benefits. A more programmatic threat defense improves efficiency and effectiveness by:
It can also be used to chain together seemingly disparate insights that can reveal more persistent and advanced threats lurking stealthily in your organization. Ideally, automation enhances Security Operations Center (SOC) analyst effectiveness by streamlining routine tasks and providing insight and threat context that results in better decision making.
However, some inhibitors of automation and ML include the time and cost involved, as well as a focus on day-to-day security operations instead of future-oriented SecOps improvements. Another downside of automation and ML is the human expertise needed to develop the algorithms and ongoing system tuning and optimization.
Advantages and Pitfalls of Human Experts
Given the shortage of cybersecurity staff to fill an estimated 3 million IT and security roles, it’s no wonder that automation and machine learning are viewed as a viable solution to the ongoing IT staff and cybersecurity skills shortage. A proactive defense requires constant vigilance and robust security operations. Security must work in tandem with automation and ML along with dedicated experts to implement defense-in-depth protection and future-proof your security investment.
One of the arguments against human-led threat response is that it is labor intensive and therefore more expensive. But the security gap or technology misstep that results in a data breach is equally costly in terms of damaged brand reputation, lost customers and revenue, and possible compliance fines.
Pitfalls of humans include time away due to vacation or training as well as the key challenges of hiring and retaining security experts in the first place. If you don’t have the expertise or an in-house SOC, leverage 24/7/365 SOC experts like Netsurion to augment your team and customize cybersecurity to customer environments.
A Blend of Security Automation and Human Expertise is Needed
Cybersecurity experts are needed to architect the customer solution, prepare the necessary runbooks and playbooks, tailor and prioritize threat detection, respond to suspicious events and possible incidents, and enhance threat remediation over time. While automation and machine learning are leveling the playing field for small-to-medium-sized businesses (SMBs) and their service providers, they don’t stand alone. Humans are still needed to reduce business and cybersecurity risk and assess qualitative and quantitative results over time. Some IT decisions have performance and productivity impacts, so keep humans in the loop when blocking devices or quarantining user access for the first time. MSSPs must demonstrate why a two-pronged approach of automation and human-led cybersecurity is warranted.
Evolve From Alerts to Proactive Threat Response
Overcoming advanced and morphing threats requires more mature technology, skilled people, and rapid incident response than in years past. Service providers must blend automation and ML along with dedicated security experts to implement defense-in-depth protection and future-proof security investments used by their customers. To enhance customer resilience, balance the best of both options - human and artificial intelligence. Netsurion provides a comprehensive managed service and complete platform for MSSPs to predict, prevent, detect, and respond to escalating threats.
Passwords keep your accounts and network safe but may also be a gateway for hackers. It's very important that you create strong passwords that will keep you protected.
Below are tips that we recommend you use when creating your passwords. Take a look at the infographic and check if you are already practicing these techniques.
If not, take a moment to do so.
At Lumifi, we encourage you to create strong passwords and even enable two-factor authentication, as well. Two-factor authentication will validate the identity of the person logging into the network.
First, make sure your first factor is strong by following these tips and second, enable two-factor authentication to ensure that whoever is accessing the network is actually who they claim to be.
Small-to-medium-sized businesses (SMBs) are continuously seeking ways to safeguard their data and resiliency against persistent criminals through increased cyber defenses. But their security service providers often find that they are ill-equipped to address advanced threats, let alone know where to begin. Managed Detection and Response (MDR) solutions are gaining traction with resource-constrained organizations looking for 24/7 proactive protection. The threat landscape and the MDR marketplace are evolving, creating confusion for Managed Security Service Providers (MSSPs) and customers alike.
This blog separates MDR fact from fiction. Read on to learn the most common myths our team hears, along with MDR insights and realities to help discover the best-fit solution.
MYTH # 1: MDR is just the latest “shiny object” in cybersecurity.
Fact: MDR is here to stay as it solves real customer challenges like the skills shortage.
Resource-constrained SMBs are actively looking for a security solution provider with the right expertise and services for 24/7 monitoring, threat detection, and comprehensive response. To address escalating cyber threats, MDR providers integrate more log sources, high-fidelity alerting, and a rapid response to minimize lateral movement and attacker dwell time. It also reduces the impact of a cybersecurity incident by providing advanced detection and response that organizations can’t efficiently operate on their own.
Managing an outsourced detection and response capability is not new, and MDR is a service rather than software or hardware. It provides a 24/7 Security Operations Center (SOC) that offers better visibility into the growing attack surface that cyber criminals can exploit. While it’s impossible to predict the future, MDR addresses actual market problems and has seen rapid adoption by MSSPs as well as by end customers. By 2025, 50% of organizations will be using MDR services, according to Gartner.
MYTH # 2: My customers are too small for MDR safeguards.
Fact: MDR’s proven results benefit organizations of all sizes.
Today’s cybersecurity threats readily evade signature-based detection like anti-virus and anti-malware. Financially motivated cyber criminals target businesses large and small, especially those with intellectual property or supply chain contacts. A patchwork of siloed products and tools lacks holistic visibility, which creates unintended security gaps. Over 40% of cybersecurity incidents have impacted SMBs, and SMB organizations take longer to uncover and mitigate the cyber criminals behind them.
Don’t be lulled into a false sense of security that creates a risk gap due to insufficient investment, as well as increased cyber threats and targeted attacks. Navigate through the options of MDR to move from a reactive approach to a more proactive coverage of business-critical networks, servers, data centers, and cloud data for your customers.
MYTH # 3: MDR is complicated and costly for MSSPs to adopt.
Fact: Reduce the risk of an inadequate MDR solution that wastes time and money.
As the first step in an MDR evaluation process, know that it is not another siloed point product. MDR is generally a Software as a Service (SaaS) solution, requiring no hardware or capital investment. MDR can consolidate the number of tools and vendors to purchase, onboard, and manage – saving valuable time.
With MDR, a more robust cybersecurity posture can also pay dividends. It prepares organizations to rapidly detect and effectively respond to advanced threats that could cause a security incident and jeopardize resiliency.
MYTH # 4: I must build my own Security Operations Center for MDR.
Fact: SOC-as-a-Service augments your team with 24/7 coverage and expertise.
A SOC is a cybersecurity command center that monitors, detects, investigates, and responds to suspicious activities and incidents. Standing up a SOC is costly with hardware, software, and people expenses like hiring, training, and retaining hard-to-find cybersecurity experts. Instead of building a SOC on your own or operating it around-the-clock, SOC-as-a-Service enables you to quickly scale your security capabilities without the cost and overhead. Cybersecurity analysts in the SOC work as an extension of your in-house team on incident handling, threat intelligence, and threat hunting.
MYTH #5: Every MSSP is ready to offer an MDR solution.
Fact: One size does not fit all. Tailor your service provider solutions to your goals, capabilities, and target customers.
Conduct an assessment regarding MDR along with your future objectives and current capabilities. Be careful not to overextend yourself and risk poor service delivery and disappointed customers. While MDR definitions vary, your current offerings may be closer to defense-in-depth coverage than you realize. Look to add comprehensive visibility and simplicity with as much increased attack surface coverage as possible and a streamlined tech stack; point products merely add more complexity. If you don’t possess the staff or expertise for DIY MDR, consider a co-managed MDR solution from an MSSP provider who has your back and is committed to your success.
Conclusion
MSSPs can assist organizations in becoming more proactive regarding the escalating threat landscape and to invest in more capable threat detection and response. MDR evolved to help security teams overcome the challenge of an ever-expanding attack surface without the same resources and staff as larger enterprises. As you evaluate MDR solutions, look for providers with the most comprehensive coverage and proven track records. Align your staffing and budget with Lumifi's MDR to address continuously evolving threats. By enhancing your security operations with these four steps – predict, prevent, detect, and respond – your customers will be well-positioned to address today’s security challenges and the uncertain threat landscape.
Over the years, security admins have repeatedly asked me how to audit file shares in Windows. Until Windows Server 2008, there were no specific events for file shares. The best we could do was to enable auditing of the registry key where shares are defined. But in Windows Server 2008 and later, there are two new subcategories for share related events:
File Share Events
This subcategory allows you to track the creation, modification and deletion of shared folders (see table below). You have a different event ID for each of those three operations. The events indicate who made the change in the Subject fields, and provide the name the share users see when browsing the network and the path to the file system folder made available by the share. See the example of event ID 5142 below.
A network share object was added.
Subject:
Security ID: W8R2\wsmith
Account Name: wsmith
Account Domain: W8R2
Logon ID: 0x475b7
Share Information:
Share Name: \\*\AcmeAccounting
Share Path: C:\AcmeAccounting
The bad news is that the subcategory also produces event ID 5140 every time a user connects to a share. The data logged, including who accessed it, and their client IP address is nice, but the event is logged much too frequently. Since Windows doesn’t keep network logon sessions active if no files are held open, you will tend to see this event frequently if you enable the “File Share” audit subcategory. There is no way to configure Windows to produce just the share change events and not this access event as well. Of course, that’s the point of a SIEM and log management platform which is at the heart of Netsurion Open XDR, which filters out the noise.
Event ID | Description
5140 | A network share object was accessed.
5142 | A network share object was added.
5143 | A network share object was modified.
5144 | A network share object was deleted.
Detailed File Share Events
Event ID 5140, as discussed above, is intended to document each connection to a network share, and as such it does not log the names of the files accessed through that share connection. The “Detailed File Share” audit subcategory provides this lower level of information with just one event ID – 5145 – which is shown below.
A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: SYSTEM
Account Name: WIN-KOSWZXC03L0$
Account Domain: W8R2
Logon ID: 0x86d584
Network Information:
Object Type: File
Source Address: fe80::507a:5bf7:2a72:c046
Source Port: 55490
Share Information:
Share Name: \\*\SYSVOL
Share Path: \??\C:\Windows\SYSVOL\sysvol
Relative Target Name: w8r2.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\Audit\audit.csv
Access Request Information:
Access Mask: 0x120089
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Access Check Results:
READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD)
ReadEA: Granted by D:(A;;0x1200a9;;;WD)
ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)
This event identifies the user (Subject fields), the user’s IP address (Network Information), the share and the actual file accessed via the share (Share Information), and then provides the permissions requested and the results of the access request. This event actually logs the access attempt and allows you to see failure versions of the event as well as success events.
Be careful about enabling this audit subcategory because you will get an event for every file accessed through network shares each time the application opens the file. This can be more frequent than imagined for some applications like Microsoft Office. Conversely, remember that this category won’t catch access attempts on the same files if a locally executing application accesses the file via the local path (e.g. c:\docs\file.txt) instead of via the share.
You might also want to consider enabling auditing on individual folders containing critical files and using the File System subcategory. This method allows you to be much more selective about who, which files and what types of access are audited.
For most organizations, enable the File Share subcategory if it’s important to you to know when new folders are shared. You will probably want to filter out the 5140 occurrences. Then, if you have file-level audit needs, turn on the File System subcategory, identify the exact folders containing the relevant files and enable auditing on those folders for the specific operations (e.g. Read, Write, Delete) needed to meet your audit requirements. Don’t enable the Detailed File Share audit subcategory unless you really want events for every access to every file via network shares.
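The filtering recommendation above, written out as a small triage step that a log pipeline could run on the share events, is added here as an illustration and is not Netsurion's or Windows' code. It parses the "Key: Value" layout of the 5142 and 5145 messages shown earlier (the sample events are constructed from those messages, not real exports), keeps 5142-5144, drops 5140, and keeps 5145 only for a hypothetical watched folder or when the requested access mask includes write or delete rights.

```python
import re

# Constructed sample events (event id, message body) modelled on the 5142 and 5145
# messages above; they are not real log exports. Backslashes are doubled for Python.
SAMPLE_EVENTS = [
    (5142, """A network share object was added.
Subject:
    Security ID: W8R2\\wsmith
    Account Name: wsmith
Share Information:
    Share Name: \\\\*\\AcmeAccounting
    Share Path: C:\\AcmeAccounting
"""),
    (5140, """A network share object was accessed.
Subject:
    Account Name: wsmith
Network Information:
    Source Address: 10.0.1.15
Share Information:
    Share Name: \\\\*\\AcmeAccounting
"""),
    (5145, """A network share object was checked to see whether client can be granted desired access.
Subject:
    Account Name: wsmith
Share Information:
    Share Name: \\\\*\\AcmeAccounting
    Relative Target Name: Payroll\\Q2.xlsx
Access Request Information:
    Access Mask: 0x120089
"""),
    (5145, """A network share object was checked to see whether client can be granted desired access.
Subject:
    Account Name: wsmith
Share Information:
    Share Name: \\\\*\\AcmeAccounting
    Relative Target Name: Reports\\notes.docx
Access Request Information:
    Access Mask: 0x120116
"""),
    (5145, """A network share object was checked to see whether client can be granted desired access.
Subject:
    Account Name: WIN-KOSWZXC03L0$
Share Information:
    Share Name: \\\\*\\SYSVOL
    Relative Target Name: w8r2.com\\Policies\\Machine\\audit.csv
Access Request Information:
    Access Mask: 0x120089
"""),
]

# Hypothetical watch list: share-relative folders whose every access is worth keeping.
WATCHED_PREFIXES = ["Payroll\\"]

# Access-mask bits meaning the caller asked to change or remove the file:
# FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE, WRITE_DAC.
WRITE_OR_DELETE = 0x0002 | 0x0004 | 0x00010000 | 0x00040000

# Indented "Key: Value" lines; section headers such as "Subject:" are not indented,
# and continuation lines such as "SYNCHRONIZE" under "Accesses:" have no colon.
FIELD_RE = re.compile(r"^[ \t]+([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def parse_event(event_id, text):
    """Flatten one event message into a dict; the first occurrence of a key wins."""
    fields = {"EventID": event_id, "Summary": text.splitlines()[0].strip()}
    for key, value in FIELD_RE.findall(text):
        fields.setdefault(key, value)
    return fields


def triage(events, watched_prefixes=WATCHED_PREFIXES):
    """Keep share changes (5142-5144), drop 5140 connection noise, and keep 5145 only
    for watched folders or for write/delete requests. Returns (event, reason) pairs."""
    kept = []
    for event_id, text in events:
        ev = parse_event(event_id, text)
        if event_id in (5142, 5143, 5144):
            kept.append((ev, "share configuration change"))
        elif event_id == 5145:
            target = ev.get("Relative Target Name", "")
            mask = int(ev.get("Access Mask", "0"), 16)
            if any(target.lower().startswith(p.lower()) for p in watched_prefixes):
                kept.append((ev, "access to watched folder"))
            elif mask & WRITE_OR_DELETE:
                kept.append((ev, "write/delete access requested"))
        # 5140 and anything unrecognised is dropped as noise
    return kept


if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(ev["EventID"], reason, ev.get("Relative Target Name", ev.get("Share Path")))
```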
Microsoft has confirmed that Internet Explorer 8 (IE8) has a “Zero Day Vulnerability” that has already been exploited to enable the compromise of computer systems.
This is a technical way of saying that the issue with IE8 is currently unpatched, and other security mechanisms are not currently effective in preventing the exploit.
RELATED READING: Why is patching important to the security of your business?
Given time (beyond “Day Zero”), this vulnerability will be patched or other systems will be able to prevent the issue, but because this issue is so new, it is currently able to wreak havoc on systems that visit compromised websites.
This type of issue with a browser is so damaging because computer hackers who take advantage of it can execute malicious code on the affected machines without the user needing to download anything and without any indication that the machine has been compromised.
All a user has to do to be infected is to go to a website that has a malicious script embedded on it, and voilà, you have been hacked! No bells, no whistles, no pop-ups of any kind will appear in your browser. You will not have any indication of an issue (until something bad happens on your machine).
Most of the time, the hackers are installing Remote Access Trojans so that they can get information about the affected machines or take them over completely.
Well, there are a couple of options.
You can make sure that you pay attention to Microsoft bulletins and download the patch when they release it. They are aware of the issue, and that is step one in fixing it. They have promised that a fix to this problem will be coming shortly.
Your other option is to upgrade to other versions of Internet Explorer.
At the time of this publishing, IE9 and IE10 did not have the same vulnerabilities.
IE8 is old, but it is still the most used version of IE today. It is its popularity that makes it such an attractive target for hackers.
If you use IE8, update your system regularly and be careful where you browse.
How much security is enough? That’s a hard question to answer. You could spend $1 or $1M on security and still ask the same question. It’s a trick question; there is no correct answer. The better/correct question is how much risk are you willing to tolerate? Mind you, the answer to this question is a “beauty is in the eye of the beholder” deal, and again there is no one correct answer.
The classic comeback from management when posed this question by the CISO is to debate what risk means, in a business context, of course. To answer this, consider the picture below.
This is your tax dollars at work. It comes from a NIST publication called “Small Business Information Security” and is available here. It presents a systematic method to first identify and thereafter mitigate the elements of risk to your business. To a small business owner, this may all be very well but can be overwhelming.
Did you know that you are not alone in tackling this problem? Our SIEMphonic program is specifically designed to provide co-management. We get that for a small business owner, it’s difficult to deploy, manage and use an effective combination of expertise and tools that provide early detection of targeted, advanced threats and insider threats. With SIEMphonic Enterprise Edition and SIEMphonic MDR Edition, we work together with you to analyze event data in real-time, then collect, store, investigate, and report on log data for incident response, forensics and regulatory compliance. Let us help you strengthen your security defenses, respond effectively, control costs and optimize your team’s capabilities through SIEMphonic.
You must have heard light bulb jokes, for example:
How many optimists does it take to screw in a light bulb? None, they’re convinced that the power will come back on soon.
So how many people does it take to run a SIEM?
Let me count the ways.
Assuming the SIEM has been installed and configured properly (i.e., in accordance with the desired use cases), a few different skill sets are needed (these can all be the same person, but that is quite rare).
SIEM Admin: This person handles the RUN function and will maintain the product in operational state and monitor its up-time. Other duties include deploying updates from the vendor and optimizing system performance. This is usually a fraction of a full time equivalent (FTE). About 4-8 hours/week for the typical EventTracker installation.
Security Analyst: This person handles the WATCH function and uses EventTracker for security monitoring. In the case of an incident, reviews activity reports and investigates alerts. Depending on the extent of the infrastructure being monitored, this can range from a fraction of an FTE to several FTEs. Plan for coverage on weekends and after hours. Incident response may require notification of other admin personnel.
SIEM Expert: This person handles the TUNE function and refines/customizes the SIEM rules/content and creates rules to support new use cases. This function requires the highest skill level, familiarity with the network and expertise with the SIEM product.
Back to the (bad) joke:
Q. So how many people does it take to run a SIEM?
A. None! The vendor said it manages itself!
The CDC estimates that close to 80% of office-based physicians use some form of electronic medical records. This proliferation of EMR, coupled with recent breaches of patients’ personal healthcare information and personal identifiable information has highlighted the need for security of medical office networks.
HIPAA mandates the need to place safeguards to protect patients’ healthcare information which is becoming more complicated as facilities offer WiFi to their patients and employees.
Netsurion's regulatory compliant managed network services ensure your patients’ PHI and PII are protected.
With data breaches continually on the rise, it is critical to have a trusted managed network and data security solution in place that is compatible with all EMR solutions, includes enterprise-level firewalls, and provides 360 web traffic monitoring - all at an affordable cost for small- and medium-sized practices.
Change is the only constant in the IT security space. Here at Netsurion, we strive to empower organizations to take on ever-evolving cyber threats regardless of the size and scope of their business operations. With this core mission in mind, we are proud to introduce John Addeo as our new Chief Revenue Officer. He is equipped with over 20 years of Enterprise IT business experience and an impressive history of jumpstarting channel growth at cybersecurity and IT companies including Rapid7 and Red Hat.
Q: John, what inspired you to join Netsurion’s leadership team?
A: I want to start by saying that I am thrilled to be part of such a talented team. Through my time in the cybersecurity industry, I’ve been able to reflect on just how important managed security solutions are for companies regardless of their vertical market or security maturity. Joining Netsurion gives me an opportunity to dig into the big issues that prevent organizations from improving their security posture, namely, the struggles of attracting and retaining skilled cybersecurity expertise, technology challenges in deployment and ongoing management, and the high cost of attack surface protection. I’m excited to showcase Netsurion’s top-notch managed extended detection and response (XDR) as a solution to those problems. Cybersecurity protection is not the core of most companies’ offerings, and as organizations are more aware of the need, the biggest obstacle is how to start and where to go for help. We want to make sure organizations know we are here to help solve these complex challenges and protect their company. There’s a big opportunity to simplify security and make it affordable, and I’m happy to lead Netsurion’s efforts.
Q: What are you most looking forward to in your new role as CRO?
A: I’m really looking forward to helping our customers and partners address real-world challenges. We give them the cybersecurity expertise and tools they need to protect their business. We also have a great partner program that allows MSPs and MSSPs to leverage our resources to offer managed XDR services to their own customer base. Ultimately though, I’d like to expand both our channel and sales offerings even further by tapping into the needs of solution providers who want to help their clients solve complex security challenges and leverage an award-winning managed security offering. We can help them build their business by giving them the power to start customers on their journey toward security maturity.
Discussions about cybersecurity are in boardrooms without a doubt. A data breach can cost companies millions of dollars and disrupt operations, so this is a business problem as much as it is a cyber problem. Netsurion sponsored a recent CyberEdge report which found that 85% of organizations suffered from a successful cyber attack last year and 63% of ransomware victims paid hackers to get their data back. Netsurion partners are solving customers’ cybersecurity challenges on the front lines, and we want to ensure they have the tools and support needed to lead the charge.
Q: In closing, what message would you like to convey to current and prospective customers and partners?
A: I believe the primary goal of any great CRO is to create a strategy to facilitate meaningful, lasting relationships with our customers and partners. The cyber threat landscape is more complex than ever before, and we recognize that cybersecurity solutions must be tailored to the risks, goals, and attack surface of each organization. Whether you’re a small business, a healthcare organization, an MSP, a larger enterprise, or a partner, we can help you predict, prevent, detect, and respond to escalating cyber threats. I’m delighted to be able to help drive cross-functional alignment and agile execution in this rapidly changing technological world.
Black Hat 2019 was a learning experience and success for all. All of the hackers, presenters, vendors, and attendees have gone home, but what you learned in Vegas doesn’t have to stay in Vegas. Hopefully you are bringing new information and insights back to your daily operations. Here are some of Netsurion’s key takeaways from Black Hat 2019.
1. Government organizations continue to be a primary target for cyber attacks. Guarding governments from threats can be complex due to the types of operations and requirements, not to mention that they have some of the most sought-after sensitive information in the world. The news has been filled with city and state government attacks which are becoming more and more prevalent. We talked with many government employees at Black Hat this year who were concerned about properly protecting their sensitive data from cyber attacks.
2. Supply chains are vulnerable to attacks due to interconnectedness of systems. Thursday presenter, Eric Doerr of Microsoft, reminded us during his talk that supply chain compromises come in many different ways including:
These compromises will continue to be an issue if the supply chain can’t clean up its act. The best way to mitigate sourcing risk is with comprehensive Security Information and Event Management (SIEM) combined with Endpoint Detection and Response (EDR). Netsurion’s EventTracker SIEM and EDR together help prevent, detect, respond to, and even predict supply chain threats. Read the full blog post that recaps Eric Doerr’s talk here.
3. The cybersecurity skills gap is being addressed. There are over 1 million unfilled cybersecurity jobs, which makes it difficult for IT teams to recruit, train, and retain talent. We spoke to many students who were part of a Black Hat scholarship program. While this program won’t be the only answer to the gap, we were happy to see it being addressed.
Due to a lack of staff (and other factors at play), companies utilizing a SIEM, or other cybersecurity tools, struggle to properly protect themselves from advanced threats. In a recent survey, over half of respondents rated their Security Operations Center’s (SOC) ability to investigate and find the source of threats as ineffective. Turnover in a SOC is high due to the demanding workload and long hours, leading 65 percent to quit their jobs. If your company is in this boat, you’re not alone. Building and retaining staff for a 24/7 SOC can be made a reality for your company with SOC-as-a-Service (SOCaaS).
All in all, we also learned many organizations out there still struggle to find the right cybersecurity partner that can offer a turn-key yet customizable solution for their IT security, threat protection, and compliance management needs. If we did not have the pleasure of meeting with you at Black Hat, or you didn’t have time to see a demo of our solutions, we’d like to invite you to our next product demo.
Tax season is a busy time of year for hackers, given the ample opportunities to steal personal and financial information through phishing, hacking into computer networks, or other underhanded methods.
Hackers are targeting these businesses – whether a small CPA firm or tax-preparation franchise – during this period because of the high volume of tax returns and other documents that they handle in preparing people’s taxes. These documents – often transmitted through cyberspace and stored on PCs or in the cloud – contain copious amounts of personally identifiable information (PII), which can be used to conduct identity theft or fraud and sold on the black market.
And don’t think that being small or in a remote office makes you an uninteresting target. In fact, it’s just the opposite. Hackers see small businesses as more vulnerable, having committed cyberattacks against 42 percent of them in 2015, according to the National Small Business Association.
Here are five tips that go beyond the basics you probably already know, like watching out for phishing and malware, keeping your anti-virus software up-to-date and using different hard-to-guess passwords for different services.
Remotely accessing your office PCs through a laptop or tablet may let you keep your business going while you’re on the road or at home, but it also creates opportunities for hackers to attack your network and steal vital information.
That’s why it’s critically important to make sure you have secure remote access, and here are two ways to do just that:
Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website you are viewing. The “S” stands for “Secure,” meaning all communications between your browser and the website are encrypted, so make sure your target web address begins with HTTPS and not just HTTP.
You should also make sure your browser bar contains a “padlock” symbol, usually to the left in the target address bar. This means the website has an SSL Certificate, which, when installed on a web server, activates the padlock and the HTTPS protocol, thus allowing a secure connection from the website to the browser.
If you can, you should secure remote login to your PCs by using two-factor authentication, where two separate pieces of evidence of your identity are needed to log in successfully.
Authentication information typically falls under the categories of knowledge (something you know), possession (something you have) or inherence (something you are). Two-factor authentication is becoming increasingly available for common web tools like GoToMyPC, PayPal, Facebook and Google.
It is often difficult to know for sure whether the Wi-Fi hotspot you’re using while sitting on a park bench or in the corner coffee shop is safe, so you should take a few precautions while on public Wi-Fi. Never enter a password for any web service or credit-card information on public Wi-Fi unless you have double-checked that you have an HTTPS connection and clicked on the padlock to confirm you are at the site that you think you are.
Even with that, be very wary of accessing your bank information or paying with a credit card. Also, if you see a pop-up message that indicates something is wrong with the “certificate” of the location you are trying to access, then you should immediately stop using that connection altogether. Certificate errors are the most common sign that someone is trying to trick you into revealing your data.
You may want to avoid the issue altogether by using your smartphone as a tethered internet device. Many carriers, such as AT&T, Verizon, Yahoo, and Sprint, have a way to let you set up your phone as a secure Wi-Fi hotspot that can be accessed by other devices such as your laptop or tablet. This way, your data is unavailable to a nearby hacker since the connection is through a cellular network.
You should encrypt files on your computer with passwords to deter hackers from getting access to information stored in those files, in the event you are breached. If a file is sent to someone through email, the password should be sent to the recipient in segments through different channels, such as text, IM or over the phone. This will prevent hackers from obtaining the password to the encrypted file, if they have compromised your PC, for example.
Most businesses have several firewalls in their PCs, cable modems and servers, and maybe even a dedicated firewall device. An improperly configured firewall, however, offers no defense at all, and proper management is a highly specialized skill that even a highly trained IT specialist may not have.
Your firm should hire a managed security service provider, or MSSP, to make sure it has the firewall protection it needs. Your business should also create strong passwords for firewalls, servers, and network devices instead of using default codes – and change them often – to limit remote access to the appropriate people such as managers or vendors who perform routine system maintenance.
Large firms employ an advanced security technology called security information and event management (SIEM) to help monitor their network and device alerts, and breach detection to detect and block threats. These technologies, however, are really complicated to operate and manage, which has put them out of reach for small businesses.
SIEM and breach detection are available as a managed service from certain providers. As a result, this protection is in reach of any size company or remote office, so firms will be able to focus on providing the best service to their clients with the peace of mind of having enterprise-class security to protect them.
Whatever the size of your financial services firm, you should ensure that you have the proper cybersecurity measures and follow best practices to prevent your business from falling victim to the next cyberattack. Hackers are continually coming up with newer, more sophisticated ways to steal valuable information through breaches, so it is imperative that you remain ever vigilant against the next attack to protect the security of your business and your clients - not only during tax time but throughout the entire year.
With data breaches and Snowden-like information grabs, I’m getting increased requests for how to track data moving to and from removable storage, such as flash drives. The good news is that the Windows Security Log does offer a way to audit removable storage access. I’ll show you how it works, and since Netsurion's Open XDR has some enhanced capabilities in this area, I’ll briefly compare native auditing to Open XDR.
Removable storage auditing in Windows works similarly to File System auditing and logs exactly the same events. The difference is in controlling what activity is audited.
To review, with File System auditing, there are 2 levels of audit policy. First you enable the Audit File System audit subcategory at the computer level. Then you choose which folders you wish to audit and enable object level auditing on those folders for the users/groups, permissions and success/failure results that need to be monitored. For instance, you can audit Read access on C:\documents for the SalesReps group.
However, Removable Storage auditing is much simpler to enable and far less flexible. After enabling the Removable Storage audit subcategory (see below), Windows begins auditing all access requests for all removable storage. It’s equivalent to auditing Full Control for Everyone.
As you can see, auditing removable storage is an all or nothing proposition. Once enabled, Windows logs the same Event ID 4663 as for File System auditing. For example, the event below shows that user rsmith wrote a file called checkoutrece.pdf to a removable storage device Windows arbitrarily named \Device\HarddiskVolume4 with the program named Explorer (the Windows desktop).
How do we know this is a removable storage event and not just normal File System auditing? After all, it’s the same event ID as used for normal file system auditing. Notice the Task Category above which says Removable Storage. The information under Subject tells you who performed the action. Object Name gives you the name of the file, relative path on the removable storage device and the arbitrary name Windows assigned the device the first time it was connected to this system. Process information indicates the program used to perform the access. To understand what type of access (e.g. Delete, Write, Read) was performed look at the Accesses field which lists the permissions actually used.
If you wish to track information being copied from your network to removable storage devices, you should enable Audit Removable Storage via group policy on all your endpoints. Then monitor for Event ID 4663 where Task Category is Removable Storage and Accesses is either WriteData or AppendData.
As you can see, Microsoft took the most expedient route possible to providing an audit trail of removable storage access. There are no events for tracking the connection of devices – only the file level access events for the files on the device. These events also do not provide the ability to see the device model, manufacturer or serial number. That device information is known to Windows – it just isn’t logged by these events, since they are captured at the same point in the operating system where other file access events are logged. On the other hand, Netsurion's Open XDR logs both connection events and information about each device. In fact, Open XDR even allows you to selectively block or allow access to specific devices based on policy you specify.
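The detection rule described above (Event ID 4663, Task Category "Removable Storage", write-type access), as an added example that is not part of the original post or of any Netsurion product. It parses rendered 4663 event text, decodes the Access Mask into the same names shown in the Accesses field, and flags only writes to removable storage; the sample events are constructed and the field layout mirrors the rendered Security Log view.

```python
"""Flag Windows Security Log 4663 events that show data being written to
removable storage.  Sample events below are constructed for illustration."""
import re
from dataclasses import dataclass

# Bits of the Windows file access mask that 4663 reports (FILE_* rights from
# winnt.h), with the names the rendered Accesses field uses for them.
ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x20: "Execute",
    0x40: "DeleteChild", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
    0x10000: "DELETE",
}
# The accesses that indicate data landing on the device (the post's rule).
WRITE_LIKE = {"WriteData", "AppendData"}

# Fields of the rendered event we need; "Account Name" is taken from the first
# occurrence, which is the Subject (who performed the access).
_FIELD = re.compile(
    r"^\s*(Event ID|Task Category|Account Name|Object Name|Process Name|Access Mask):\s*(.*)$"
)


@dataclass
class FileAccessEvent:
    event_id: int
    task_category: str
    account: str
    object_name: str
    process_name: str
    accesses: set


def decode_access_mask(mask: int) -> set:
    """Translate the hex Access Mask into the names shown under Accesses."""
    return {name for bit, name in ACCESS_BITS.items() if mask & bit}


def parse_event(text: str) -> FileAccessEvent:
    """Pull the relevant fields out of one rendered 4663 event."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return FileAccessEvent(
        event_id=int(fields["Event ID"]),
        task_category=fields["Task Category"],
        account=fields.get("Account Name", "?"),
        object_name=fields.get("Object Name", "?"),
        process_name=fields.get("Process Name", "?"),
        accesses=decode_access_mask(int(fields.get("Access Mask", "0"), 16)),
    )


def is_removable_write(ev: FileAccessEvent) -> bool:
    """Same Event ID as ordinary file auditing, so the Task Category and the
    access type are what distinguish a copy onto removable media."""
    return (ev.event_id == 4663
            and ev.task_category == "Removable Storage"
            and bool(ev.accesses & WRITE_LIKE))


def find_removable_writes(events_text) -> list:
    return [ev for ev in map(parse_event, events_text) if is_removable_write(ev)]


# Constructed sample events in the rendered Security Log layout.
SAMPLE_EVENTS = [
    r"""Event ID: 4663
Task Category: Removable Storage
Subject:
    Account Name:   rsmith
    Account Domain: CORP
Object:
    Object Name:    \Device\HarddiskVolume4\checkoutrece.pdf
Process Information:
    Process Name:   C:\Windows\explorer.exe
Access Request Information:
    Accesses:       WriteData (or AddFile)
    Access Mask:    0x2
""",
    r"""Event ID: 4663
Task Category: Removable Storage
Subject:
    Account Name:   rsmith
Object:
    Object Name:    \Device\HarddiskVolume4\pricelist.xlsx
Process Information:
    Process Name:   C:\Program Files\Microsoft Office\EXCEL.EXE
Access Request Information:
    Accesses:       ReadData (or ListDirectory)
    Access Mask:    0x1
""",
    r"""Event ID: 4663
Task Category: File System
Subject:
    Account Name:   jdoe
Object:
    Object Name:    C:\documents\report.docx
Process Information:
    Process Name:   C:\Windows\explorer.exe
Access Request Information:
    Accesses:       WriteData (or AddFile)
    Access Mask:    0x2
""",
]

if __name__ == "__main__":
    for ev in find_removable_writes(SAMPLE_EVENTS):
        print(f"{ev.account} wrote {ev.object_name} via {ev.process_name}")
```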
Virtual Private Networks (VPNs) are a major piece of internet infrastructure holding together the work-from-home workforce right now. VPNs are responsible for encrypting web traffic, keeping data safe, and protecting privacy.
With most employees working from home amid COVID-19 (coronavirus) outbreak, VPN servers have now become paramount to a company's backbone, and their security and availability must be the focus going forward for IT teams. It is now more important than ever that companies and IT staff set up systems to capture metrics about the performance and availability of VPN services.
CISA (Cybersecurity and Infrastructure Security Agency) has issued an advisory for all VPN servers and client software.
Here are some tips for securing company resources in remote working:
In the light of an expected increase in VPN phishing attacks, companies should look very closely at enabling a multi-factor authentication (MFA) solution to protect VPN accounts from unauthorized access. In a report last year, Microsoft said that enabling a MFA solution for online accounts usually blocks 99.9% of all account takeover (ATO) attacks, even if the attacker has valid credentials for the victim's account.
In addition to enabling MFA to protect VPN accounts for employees working from home, organizations should review the patching levels of corporate VPN products.
Previous attacks have targeted VPN servers from vendors such as Palo Alto Networks, Fortinet, Pulse Secure, and Citrix. Patches should be applied, and advisories should be followed, for critical vulnerabilities mentioned below:
With more and more companies needing VPN capabilities to allow workers to log into private corporate systems and do their duties, IT staff are responding by putting up more VPN servers to deal with the surging traffic. IT staff now need to pay close attention to the new VPN servers they are putting up and make sure these systems have been patched for the vulnerabilities listed above, which are some of the most targeted vulnerabilities today.
With so many organizations moving their employee workforce to work-from-home roles, there is now a new threat on the horizon: extortion. Hackers could launch DDoS attacks on VPN services and exhaust their resources, crashing the VPN server and limiting its availability for mission-critical operations.
With the VPN server acting as a gateway to a company's internal network, this would prevent all remote employees from doing their jobs, effectively crippling an organization that has little to no workers on-site. Furthermore, SSL-based VPNs (like Pulse Secure, Fortinet, Palo Alto Networks, and others) are also vulnerable to an SSL Flood (DDoS) attack, just like web servers.
The rapid introduction of work-from-home accelerates risk from adversaries. Remind employees to stay aware of potential phishing attempts, and if in doubt, don’t open or click on unknown or suspicious emails. People are sometimes the weakest link that malicious actors target in their stealthy attempts to inflict damage or steal sensitive data.
With the increased use of remote work, organizations should ensure that their VPN solution is monitored, patched, and closely managed to protect against active exploits. Expect phishing emails and social engineering attempts related to COVID-19 to continue, especially against high-value targets like sys admins in order to steal credentials. Please don’t hesitate to contact Lumifi or your customer success manager with any questions or to discuss something suspicious.
Resources
When you think of the name Nordstrom, what comes to mind?
A large department store with valuable products at fair prices? Crowds pushing and squeezing their way to critical mass as the last few items left on the sales rack are consumed? How about an easy avenue for thieves to steal your credit cards?
The department store giant garnered unwanted attention earlier this month when they announced that a Florida store fell victim to a team of thieves who attached extremely small devices called key loggers in line with their keyboards where they plug into the registers. These devices look like extensions to a standard keyboard, and they are extremely hard to detect.
According to a statement made by local law enforcement, the men were captured on video adding the devices.
In a nutshell, these small pieces of hardware are designed to capture everything that is typed on the keyboard. This is also the same interface that the credit card machines can use to process credit cards.
Therefore, through this technology, it is possible to steal passwords and credit cards without anyone being the wiser.
In this particular case, Nordstrom believes that they detected the issue and removed the dangerous equipment before the thieves could return and retrieve sensitive information.
The reason this story has captured so much attention is because the devices used are so small that there was an excellent chance that they could have gone unnoticed. Also, more sophisticated models of key loggers have built-in wireless capabilities. They are still only about 1.5 inches long, but they too can steal keystrokes, credit cards, or other sensitive data.
In turn, they can then send that data to an outside receiver without anyone coming back into the store. Thieves would be using radio waves to gather sensitive data, and it would be nearly impossible to detect the theft until people noticed the fraudulent charges to their accounts.
The real problem with this type of theft is that there has been a noticeable rise in thieves using these purpose-built devices to assist them with their activities. ATMs and convenience stores have been the two industries most heavily targeted historically, but back in 2011 Michaels had approximately 90 stores in 20 states affected by a similar theft. Unlike Nordstrom, Michaels did not stop the thieves before credit cards were stolen.
We are ushering in a new era in electronic data theft – hackers are adding electronics to POS systems, so look for strange behavior around your registers and devices you do not recognize.
Following many high-profile data breaches, consumers have elevated data privacy to front-page news and included it as criteria for brand selection and engagement. Consumers around the globe now realize that they aren’t always aware or informed about how their private information is used or shared. Fifty-four percent of consumers are more concerned with protecting their personal information than they were a year ago, according to a survey reported by Security Magazine. Furthermore, 78% of respondents stated they would stop engaging with a brand online if the brand experienced a data breach. When a business practices strong privacy compliance, it can shorten the sales cycle and increase customer trust, according to another third-party study. Data privacy impacts the bottom line and business executives are more keenly aware of its growing importance in today’s always-on digital environment.
Read on to learn why data privacy is critical to your business and view some easy-to-use tools to help along the way to reach your goals. With an estimated 2.5 quintillion bytes of data created daily, it’s imperative to have better transparency and control regarding data use and sharing. A data breach can lead to sensitive personal information getting into the hands of cybercriminals, competitors, and dangerous nation-state attackers. Password reuse also means that leaked personal login details likely impact professional applications and resources as well.
Data privacy involves ensuring the confidentiality, integrity, and availability of data to safeguard against unauthorized use. It’s defined as exercising control over how Personally Identifiable Information (PII) is collected, stored, or used for an individual. Organizations like yours are responsible for being good data stewards of your employee data as well as customer data. For businesses, data security builds upon PII to protect intellectual property, operating plans, and confidential financial results.
The data privacy landscape is changing as regulations such as the California Consumer Privacy Act (CCPA) and General Data Protection Act (GDPR) raise the bar for organizations to adopt in meeting consumer expectations and new legislation. Data privacy and cybersecurity are converging as people, processes, and technology protect against advanced threats and stealth data breaches. As NIST points out, an investment in data privacy increases trust in systems, products, and services across your entire supply chain. You will need to balance the risk and reward of data privacy and information security according to your security maturity and risk posture. Staying ahead of evolving data privacy requirements simplifies operations and enhances your customer loyalty, compliance mandates, and competitive advantage.
Data privacy regulations are stringent. Not complying with them could result in fines, damage to your company’s reputation, or could force you to close your doors. Below are a few data privacy resources to leverage online.
As a business, here are a few things you can do to ensure you’re safeguarding your customers’ data.
Protecting information for your business is just as important as protecting your personal information. Here are some tips to safeguard your data.
EventTracker is Netsurion’s SOC-as-a-Service (SOCaaS) solution with its scalable multi-tenant architecture and proven outcomes that provides powerful, affordable threat protection and data security to your customers. Learn more about Lumifi.
Windows supports digitally signing EXEs and other application files so that you can verify the provenance of software before it executes on your system. This is an important element in the defense against malware. When a software publisher like Adobe signs their application, they use the private key associated with a certificate they’ve obtained from one of the major certification authorities like Verisign.
Later, when you attempt to run a program, Windows can check the file’s signature and verify that it was signed by Adobe and that its bits haven’t been tampered with such as by the insertion of malicious code.
Windows doesn’t enforce digital signatures or limit which publisher’s programs can execute by default, but you can enable that with AppLocker. As powerful as AppLocker potentially is, it is also complicated to set up, except for environments with a very limited and standardized set of applications. You must create rules for at least every publisher whose code runs on your system.
The good news, however, is that AppLocker can also be activated in audit mode. And you can quickly set up a base set of allow rules by having AppLocker scan a sample system. The idea with running AppLocker in audit mode is that you then monitor the AppLocker event log for warnings about programs that failed to match any of the allow rules. This means the program has an invalid signature, was signed by a publisher you don’t trust or isn’t signed at all. The events you look for are 8003, 8006, 8021 and 8024 and these events are in the logs under AppLocker as shown here:
If you are going to use AppLocker in audit mode for detecting untrusted software, remember that Windows logs these events on each local system. So be sure you are using a SIEM with an efficient agent, like EventTracker, to collect these events, or use Windows Event Forwarding.
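An added example of the audit-mode review described above (not code from the original post): it pulls the four audit event IDs from the AppLocker channels, reads the file path, hash and signer from each event’s UserData, and groups the results by publisher so unsigned files and unfamiliar signers stand out. It assumes you run it locally with rights to read those channels; on a Windows Event Forwarding collector you would point -LogName at 'ForwardedEvents' instead.

```powershell
# Added example, not from the original post. Summarizes AppLocker audit-mode
# warnings (events 8003, 8006, 8021, 8024) by signing publisher.
# Assumption: run locally with read access to the AppLocker event channels.

function Get-AppLockerAuditSummary {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        # The AppLocker channels that carry the audit events named in the post.
        [string[]]$LogName = @(
            'Microsoft-Windows-AppLocker/EXE and DLL',             # 8003
            'Microsoft-Windows-AppLocker/MSI and Script',          # 8006
            'Microsoft-Windows-AppLocker/Packaged app-Execution',  # 8021
            'Microsoft-Windows-AppLocker/Packaged app-Deployment'  # 8024
        )
    )

    $filter = @{
        LogName   = $LogName
        Id        = 8003, 8006, 8021, 8024   # "allowed, but would have been blocked if enforced"
        StartTime = (Get-Date).AddDays(-$Days)
    }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return }

    foreach ($e in $events) {
        # Path, hash and publisher live in the UserData XML, not in the message text.
        $x = [xml]$e.ToXml()
        $d = $x.Event.UserData.RuleAndFileData
        $fqbn = [string]$d.Fqbn            # "-" when the file carries no signature

        $publisher = if ([string]::IsNullOrEmpty($fqbn) -or $fqbn -eq '-') {
            '<unsigned>'
        } else {
            # Fqbn is "<signer subject>\<product>\<binary>\<version>"; keep the signer.
            ($fqbn -split '\\')[0]
        }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Computer  = $e.MachineName
            EventId   = $e.Id
            User      = [string]$d.TargetUser
            FilePath  = [string]$d.FilePath
            FileHash  = [string]$d.FileHash
            Publisher = $publisher
        }
    }
}

# Unsigned files first, then the busiest publishers; a few sample paths per group
# give enough context to decide whether a signer belongs in your allow rules.
Get-AppLockerAuditSummary -Days 7 |
    Group-Object Publisher |
    Sort-Object { $_.Name -eq '<unsigned>' }, Count -Descending |
    Select-Object Count, Name,
        @{ n = 'SamplePaths'; e = { ($_.Group.FilePath | Select-Object -Unique | Select-Object -First 5) -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

Pipe the function’s output to Export-Csv instead of Format-Table if you want to hand the per-event records (including hashes) to a SIEM or a ticketing queue.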
Better yet, if you have EventTracker, don’t bother with AppLocker – use EventTracker’s automatic Digital Forensics and Incident Response feature for unknown processes. EventTracker watches each process (and soon each DLL) that your endpoints load and checks the EXE’s hash against your environment’s local whitelist (which EventTracker can automatically build). If it is not found there, EventTracker checks it against the National Software Reference Library. If the EXE still isn’t found to be legitimate, EventTracker posts it to the dashboard for you to review. EventTracker automatically provides publisher information if the file is signed, along with other forensics such as the endpoint, user and parent process. With one click you can check the process against anti-malware sites such as VirusTotal. EventTracker goes well beyond AppLocker in its ability to detect suspicious software and in giving you the tools and information, including digital signatures, to quickly determine whether a program is a risk.
There are some other issues to be aware of, though, with digitally signed applications and certificates. Certificates are part of a very complicated technology called Public Key Infrastructure (PKI). PKI has so many components and ties together so many different parties there is unfortunately a lot of room for error. Here’s a brief list of what has gone wrong in the past year or so with signed applications and the PKI that signatures depend on:
So, certificates and code signing are far from perfect — show me any security control that is. I really encourage you to try out AppLocker in audit mode and monitor the warnings it produces. You won’t break any user experience, the performance impact is hardly measurable and if you are monitoring those warnings you might just detect some malware the first time it executes instead of the 6 months or so that it takes on average.
While the threats have changed over the past decade, the way systems and networks are managed has not. We continue with the same operations and support paradigm, despite the fact that internal systems are compromised regularly. As Sean Metcalf notes, while every environment is unique, they all too often have the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.
There is also the reality of what we call the Assume Breach paradigm. This means that during a breach incident, we must assume that an attacker a) has control of a computer on the internal network and b) can access the same resources as legitimate users through recent logon activity.
Active Directory (AD) is the most popular Lightweight Directory Access Protocol (LDAP) implementation and holds the keys to your kingdom. It attracts attackers, as honey attracts bees. There are many best practices to secure Active Directory, but to start, let’s ensure you stay away from common pitfalls. Below are three common mistakes to avoid:
By avoiding these pitfalls and securing Active Directory properly, you are on your way to keeping your “kingdom” safe. But as Thomas Paine said, “Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it.” There are a number of ways to reap the benefits of a secure infrastructure, but there are many intricacies required to make this a reality. Solutions like SIEMphonic Enterprise take on that “fatigue” with a dedicated 24/7 SOC.
We all know that data breaches cost a lot—an average of $3.6M per organization.
For cyber criminals, everyone’s a target—and perfect prevention isn’t practical. We must assume that, at some point, every organization’s IT infrastructure will be breached. That’s why we need to continuously monitor, investigate, and respond to cyber threats 24/365 if we are to avoid costly breaches and the potential impact to reputation, revenue, and customer confidence.
What better way to provide continuous monitoring and analysis than through a security operations center (SOC)? With the people, processes, and platform to continuously look across the entire organization’s networks, servers, endpoints, applications, and databases, a SOC applies expert knowledge to detect and dig into potential threats. One of the key benefits of a SOC is preventing the devastating impact of a breach by reducing the dwell time (the time between when an attacker compromises a network—minutes—and when the organization discovers the threat—typically months!).
Any way you look at it, a SOC is complex and expensive. It requires a lot of specialized hardware and software to generate events and alerts, which must be examined by highly skilled security analysts who can determine which ones represent real threats.
The platform is costly.
You need a well-tuned SIEM (security information and event management) to provide the visibility foundation, along with firewalls, IPS/IDS, vulnerability assessment tools, endpoint monitoring solutions, and more. All of this must be fed by threat intelligence that is specific to your organization’s goals and risk tolerance, and the results need to be augmented by machine learning and fine-tuned by human experts.
Processes are costly as well.
Detailed organization-specific playbooks need to be written, spelling out what should happen when ransomware, malware infections, distributed denial of service attacks, or other threats are seen. They specify how to investigate, what evidence to gather, and when and how to escalate.
Perhaps the most expensive component is people.
It’s difficult enough to hire a team of highly skilled security analysts with the bandwidth and expertise to perform continuous monitoring, while we are experiencing a worldwide shortage. It’s even harder to retain them in the face of stiff competition for scarce talent.
Reaching the goal of continuous coverage is not a simple make/buy decision; it’s more of a build/rent/co-manage decision: should you build your own SOC, outsource your SIEM (or SOC) platform, or leverage a co-managed SOC solution?
Build your own SOC: You incur all the platform, process, and people costs – but you are in total control over where you are going and how to get there (i.e., what your organization sees as risks, threats, and responses). Of course, the cost and complexity could be prohibitive.
Outsource the platform: You don’t have to make the capital outlay for hardware, but you still need to carry out all the processes—and you must hire, train, and retain your own SOC team. It’s less expensive than building your own SOC, but still quite pricey.
Co-manage the SOC: You augment your own internal team with seasoned security experts with mature processes driving a powerful SIEM platform, yet you remain in control of the ultimate destination. A co-managed SOC ensures that the collective team is operating in concert to reach your organization-specific goals.
The goal is to get from Point A (your organization’s current security and compliance posture) to Point B (stronger security posture, compliance confidence, and incident readiness). Clearly, the most cost-effective way to reach that goal is via a co-managed SOC – the Uber approach. You get the best of both worlds: the best people, processes, and platform, at the lowest cost. Not only do you avoid most of the people and process costs, you retain control over the aspects that are specific to your organization: your risk tolerance, your market realities, and your definition of what’s most important to you.
Maybe it’s time to follow the lead of the ride-sharing world, and take the smarter route to a SOC. Netsurion is the only managed security service provider that combines our own ISO-certified 24/7 SOC with our own award-winning SIEM platform for a truly integrated co-managed security solution.
Security professionals know the dangers associated with distributed denial-of-service (DDoS) attacks. These attacks typically target the core data transmission protocols that form the foundation of every organization’s internet services.
Cloud security is getting attention and that’s as it should be. But before you get hung up on techie security details, like whether SAML is more secure than OpenID Connect and the like, it’s good to take a step back. One of the tenets of information security is to follow the risk. Risk is largely a measure of damage and likelihood. When you are looking at different threats to the same cloud-based data then it becomes a function of the likelihood of those risks.
In the cloud we worry about the technology and the host of the cloud. Let’s focus on industrial-strength infrastructure- and platform-as-a-service clouds like AWS and Azure. And let’s throw in O365 – it’s not infrastructure or platform, but its scale and quality of hosting fit our purposes in terms of security and risk. I don’t have any special affection for any of the cloud providers, but it’s a fact that they have the scale to do a better, more comprehensive, more active job on security than my little company does, and I’m far from alone. This level of cloud doesn’t historically get hacked because of stupid operational mistakes, flimsy coding practices with cryptography and password handling, or obscure vulnerabilities in standards like SAML and OpenID Connect (though those are present). It gets hacked because of tenant-vectored risks: either poor security practices by the tenant’s admins, or vulnerabilities in the tenant’s technology which the cloud is exposed to or on which it relies.
Here are just a few scenarios of cloud intrusions with a tenant origin vector:

| S.no. | Tenant Vulnerability | Cloud Intrusion |
| --- | --- | --- |
| 1. | Admin’s PC infected with malware | Cloud tenant admin password stolen |
| 2. | Tenant’s on-prem network penetrated | VPN connection between cloud and on-prem network |
| 3. | Tenant’s Active Directory unmonitored | Federation/synchronization with on-prem AD results in an on-prem admin’s account having privileged access to the cloud. |
I’m going to focus on the last scenario. The point is that most organizations integrate their cloud with their on-prem Active Directory, and that’s as it should be. We hardly want to go back to the inefficient and insecure world of countless user accounts and passwords per person. We were able to largely reduce that over the years by bringing more and more on-prem apps, databases and systems online with Active Directory. Let’s not lose ground on that with the cloud.
But your greatest risk in the cloud might just be right under your nose, in AD on your local network. Do you monitor changes in Active Directory? Are you aware when there are failed logons or unusual logons to privileged accounts? And I’m not just talking about admin accounts. Just as important are the user accounts that have access to the data your security measures are all about. That means identifying not just the IT groups in AD, but also the groups used to entitle users to that important data. Very likely some of those groups are re-used in the cloud to entitle users there as well, and the same goes for the actual user accounts.
Even for those of us who can say our network isn’t connected by VPN or any direct connection (like ExpressRoute for Azure/O365), and that there’s no federation or sync between our on-prem and cloud directories, on-prem internal security efforts will make or break security in the cloud, simply because of scenario #1. At some point your cloud admin has to connect to the cloud from some device, and if that device isn’t secure or the cloud admin’s credential handling is lax, you’re in trouble.
That’s why I say that most of us in the cloud need to first look inward for risks. Monitoring, as always, is key. The detective control you get with a well-implemented and correctly used SIEM is incredible, and often the only control you can deploy at key points, technologies or processes in your network.
We live in a brave new world where the spies of yesteryear, like James Bond and Jason Bourne, are truly falling away into the realm of fantasy.
These smooth operators have been replaced by the slightly awkward, pasty-faced, computer hacker, who can gather more data or do more damage with a keyboard than a field agent could ever hope to accomplish with a gun and some daring.
Traditionally speaking, hackers were primarily criminals looking to make a buck or cause some havoc.
More recently, many nations utilize them as a military tactical unit meant to wage war on the electronic battlefield. Much like a bombing run would damage targets in the physical sense, hackers use technology to disrupt the digital front.
This latest attack, which was aimed at Sony, is a prime example of how a nation can bring this new weapon into play. According to claims by an FBI press release on 12/19/2014 and statements made by FBI Director James Comey on 1/7/2015, Sony was the victim of state-sponsored hacking.
Evidence cited indicates that North Korea targeted the media company when it planned to release a movie in which a couple of bumbling TV personalities are hired by the CIA to assassinate Kim Jong-un.
Before the hacking incident, this movie was destined to be released, watched by a few die-hard Seth Rogen and James Franco fans, and to go immediately into the annals of movie obscurity.
That, of course, was not the case once Sony garnered international attention after the alleged state-sponsored hacking. If Sony was indeed attacked by North Korea in the manner claimed by the FBI, it could reasonably be considered an act of war.
The Sony breach has now become international news and the movie is on the mind of the world. Sony was heavily pressured by the public to release the film after the hacking incident.
Originally, Sony indefinitely postponed the release after consulting with theater owners. The decision was based on the promised physical violence that hackers claimed would follow if they did. Claiming it was concerned for the welfare of US movie goers, Sony decided to cancel the US release.
Even President Obama criticized Sony in a press conference about this decision, stating that the company should not have pulled The Interview from theaters.
Since then, Sony has released the film online and in some movie theaters across the US. In response to this attack, the White House plans to focus (at least in part) on cyber security during the upcoming State of the Union Address. Experts agree that a new White House-sponsored cyber bill will be forthcoming.
There are several reasons that countries are moving to cyber warfare.
First of all, it is normally quite difficult to prove who originated an attack. Even with all the evidence gathered by the FBI and other government agencies, many experts do not agree that we can definitively say who was responsible for the attack. In fact, it is completely plausible that a group of rogue hackers managed to essentially frame North Korea, because the US was already looking at other possible state-sponsored hacking attacks before the incident involving Sony.
Regardless of who is to blame, one thing is certain from looking at the disruptive nature of this attack: the hackers spent, comparatively speaking, very little time, money, and resources to infiltrate Sony.
On the other hand, the company has since spent millions of dollars on cyber security, logistics, press releases, and a slew of other unplanned expenditures. They have shouldered a huge financial burden due to this attack.
In the same vein, the US government has held congressional meetings and inquiries, and spent countless man-hours trying to trace the origin of this attack and developing, as President Obama stated, “an appropriate response.”
Even if North Korea was responsible for this attack and it can be proven, can we honestly claim victory? From a cost perspective in both time and money, hackers have the advantage.
The Internet has been unsafe for several years. Malware, salacious material, and cyber bullying are not new issues; however, security has never been more critical than it is now.
State sponsored hacking is still in its infancy and look what it has already achieved. Managing Internet connections and protecting sensitive networks is more crucial now than at any other time in history.
For more information on how you can protect yourself and your business, check out this article regarding the Five Steps to Protect Retailers from Credit Card Theft.
Traditional areas of risk - financial risk, operational risk, geopolitical risk, risk of natural disasters - have been part of organizations’ risk management for a long time. Recently, information security has bubbled to the top, and now companies are starting to put weight behind IT security and Security Operations Centers (SOC).
Easier said than done, though. Why you ask? Two reasons:
From our own experience creating and staffing an SOC over the past three years, here are the top three rules:
1) Continuous communication
It’s the fundamental dictum (sort of like “location” in real estate): bi-directional communication between management and the IT team.
Management communicates business goals to the technology team. In turn, the IT team explains threats and their translation to risk. Management decides the threat tolerance with their eye on the bottom line.
We maintain a Runbook for every customer which records management objectives and risk tolerance.
2) Tailor your team
People with the right skills are critical to success and often the hardest to assemble, train and retain. You may be able to groom from within. Bear in mind, however, that even basic skills, such as log management, networking expertise and technical research (scouring through blogs, pastes, code, and forums), often come after years of professional information security experience.
Other skills, such as threat analysis, are distinct and practiced skill sets. Intelligence analysis, correlating sometimes seemingly disparate data to a threat, requires highly developed research and analytical skills and pattern recognition.
When building or adding to your threat intelligence team, especially concerning external hires, personalities matter. Be prepared for Tuckman’s stages of group development.
3) Update your infrastructure
Security is 24x7x365 – automatically collect, store, process and correlate external data with internal telemetry such as security logs, DNS logs, web proxy logs, NetFlow and IDS/IPS. Query capabilities across the information store require an experienced data architect. Design fast and nimble data structures with which external tools integrate seamlessly and bi-directionally. Understand not only the technical needs of the organization, but also be involved in a continuous two-way feedback loop with the SOC, vulnerability management, incident response, project management and red teams.
Easy, huh?
Feeling overwhelmed thinking about a Security Operations Center? Get SIEM Simplified on your team.
As a small business, how would you survive an abrupt demand for $250,000? It’s ransomware, and as this poll shows, that’s what an incident would cost a small business. Just why has ransomware exploded onto the scene in 2017? Because it works. Because most bad guys are capitalists, driven by the profit motive. Because most small businesses have not taken the time to guard their data. Because they are soft targets. What makes the news headlines are the attacks on large companies like Merck and Maersk or large government bodies, such as NHS hospitals in the UK. But make no mistake, small businesses get hit every day – they’re just not in the headlines. After all, more people miss work due to the common cold, but this never makes the news. On the other hand, a single case of Ebola and whoa!
Unfortunately this leads to confirmation bias. Since you don’t hear about it, it must not be a thing, right? That’s dangerous thinking for a small business. The large corporations can bounce back from cyberattacks; they have the depth of pocket to hire the experts needed during the crisis. But how does a small business cope? Breach costs can reach $250,000, not to mention the destruction of client trust if word gets out that confidential information was leaked.
So what do you do? Try these three steps:
Educate: It starts with you and your employees. Know your digital assets and maintain an up-to-date inventory. Invest in training of employees, as they are the weakest link in the IT security game.
Protect: Minimum diligence includes up-to-date anti-virus, a managed next-gen firewall and regular patching. Step it up with endpoint protection. Regular reviews of user and system activity is a solid, low-cost improvement to close the gap.
Co-source: Get an expert on your team. It’s too expensive to get dedicated resources, but this doesn’t mean you have to go it alone. Co-sourcing is an excellent technique to have an expert team on call that specializes in cybersecurity.
Overwhelmed by the hype from security vendors in overdrive? Notice the innovation and trends and feel like jumping on the bandwagon? It’s an urge that many buyers in mid-size companies feel, and it can be overpowering: that flashy vendor demo, that rousing speech at a tradeshow, that pressure of keeping up with the Joneses. “So what have you done for your security lately?” is a nagging thought.
Relax and take a deep breath. Let’s look calmly and identify some security actions that you can take which a) won’t break the budget, b) can be practically implemented and c) will scale.
So what can you practically do to improve your security posture? Three things you can DO:
And the one DON’T:
Cybersecurity requires a multi-layer strategy encompassing prevention, detection, and response. Work with a security partner who can deliver on these three components, augment your team with security expertise, and deliver it as a managed service to make things simple. As the UK government said in 1939 in preparation for World War II, Keep Calm and Carry On. Good advice, like best practices, never goes out of style.
Red teams attack, blue teams defend.
That’s us – defending our network.
So what attack trends were observed in 2015? And what do they portend for us blue team members in 2016?
The range of threats included trojans, worms, trojan downloaders and droppers, exploits and bots (backdoor trojans), among others. When untargeted (more common), the goal was profit via theft. When targeted, they were often driven by ideology.
Over the years, attackers have had to evolve their tactics to get malware onto computers that have improved security levels. Attackers are increasingly using social engineering to compromise computer systems because vulnerabilities in operating systems have become harder to find and exploit.
Ransomware that seeks to extort victims by encrypting their data is the new normal, replacing rogue security software or fake antivirus software of yesteryear that was used to trick people into installing malware and disclosing credit card information. Commercial exploit kits now dominate the list of top exploits we see trying to compromise unpatched computers, which means the exploits that computers are exposed to on the Internet are professionally managed and constantly optimized at an increasingly quick rate.
However, one observation made by Tim Rains, Chief Security Advisor at Microsoft, was: “although attackers have accumulated more tricks and tactics and seem to be using them in a more focused, fast paced way, they still focus on a relatively small number of ways to compromise computers.” These include:
In fact, Rains goes on to note: “Notice I didn’t use the word ‘advanced.’”
As always, it’s back to basics for blue team members. The challenge is to defend:
If this feels like Mission Impossible, then you may be well served by a co-managed service offering in which some of the heavy lifting can be taken on by a dedicated team.
Time is money. Downtime is loss of money. The technological revolution has introduced a plethora of advanced solutions to help identify and stop intrusions. There is no shortage of hype, innovation, and emerging trends in today's security markets. However, data leaks and breaches persist. Shouldn't all this technology stop attackers from gaining access to our most sensitive data? Stuxnet and WannaCry are examples of weaknesses in the flesh-and-bone portion of a security plan. These attacks could have been prevented had it not been for human mistakes.
Stuxnet is the infamous worm (allegedly) authored by a joint U.S.-Israeli coalition, designed to slow the enrichment of uranium by Iran's nuclear program. The worm exploited multiple zero-day flaws in industrial control systems, damaging enrichment centrifuges. So, how did this happen?
If human beings had updated their systems, we might never have added “WannaCry” to our security lexicon. WannaCry and its variants are recent larger-scale examples. Microsoft had issued patches for the SMBv1 vulnerability, eventually removing the protocol version from Windows. Still, some 200,000 computer systems were infected in over 150 countries worldwide, to the tune of an estimated $4 billion in ransoms and damages.
The lesson here? We care too much about gadgets and logical control systems, and not enough about the skilled staff needed to operate this technology. Gartner estimates that 40 percent of mid-size enterprises don't have a cybersecurity expert in their organization. A labor shortage for security professionals will prevent you from filling this talent gap for at least three years. A logical solution is to assess which security functions can be effectively delivered as a service to minimize internal staffing requirements.
Services (such as EventTracker Enterprise) solve popular use cases including:
The cost of doing nothing is significant.
Winning a marathon requires dedication and preparation. Over long periods of time. A sprint requires intense energy but for a short period of time. While some tasks in IT Security are closer to a sprint (e.g., configuring a firewall), many, like deploying and using a Security Information and Event Management (SIEM) solution, are closer to a marathon.
What are the hard parts?
Surveys show that 75% of organizations need to perform significant discovery to determine which devices, platforms, applications and databases should be included in the scope for log monitoring. The point is that when most companies really evaluate their log monitoring process, most of them don’t really know what systems are even available for them to include. They don’t know what they have. Additionally, 50% of organizations later realize that this initial discovery phase is not sufficient to meet their security needs. So, even after performing the discovery, they are not sure they have identified the right systems.
While on-boarding new clients, we usually identify legacy systems or firewall policies that generate large volumes of unnecessary data. This includes discovery of service accounts or scripts with expired credentials that generate suspicious-looking login failures. Other common items uncovered include network health monitoring systems which generate an abnormal amount of ICMP or SNMP activity, backup tools, and internal applications using non-standard ports and cleartext protocols. Each of these false positives or legitimate activities adds straw to the haystack(s), which makes it more difficult to find the needle. Every network contains activities that might appear suspicious to an outside observer who lacks background on the everyday activities of the company being monitored. It is important for network and security administrators to provide monitoring tools with additional context and background detail to account for the variety of networks that are thrown at them.
Reviewing the data with discipline is a difficult ask for organizations with a lean IT staff. Since IT is often viewed as a “cost center,” it is rare to see organizations (esp. mid-sized ones) with suitably trained IT Security staff.
Take heart — if getting there using only internal resources is a hard problem, our EventTracker Enterprise service gets you there. The bonus is the cost savings compared to a DIY approach.
If you think your organization is too small to be targeted by threat actors, think again. Over 60% of organizations have experienced an exploit or breach, so the stealthy and ever-evolving hacker may already be in your organization performing reconnaissance or awaiting strategic command and control (C&C) instructions. Businesses of all sizes are targeted by adversaries for a range of objectives, from monetizing data to making a political statement. Small and mid-sized businesses are especially at risk due to their limited IT and security resources and the evasive nature of advanced persistent threats. Organizations are now going on the offensive and considering a proactive approach to threat hunting given the evolving threat and risk landscape.
Threat hunting can uncover threats you might otherwise not discover until some damage is done. Some organizations are already performing threat hunting, whether formally or informally, to detect data breaches sooner and reduce dwell time – the time hackers spend lurking in your systems and doing damage. Threat hunting is defined as:
The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.1
While not new, threat hunting has gained traction and focus recently as organizations look for additional ways to identify system and data compromise. Concerning threat management, a research study states that 43% of respondents ranked proactive threat hunting as an organizational priority for the next 12 months.2 More mature security organizations are taking a “hunt or be hunted” mentality to cybersecurity to augment alert management and incident response functions that tend to be more reactive.
Threat hunting can minimize or even counterbalance the risks of a data breach: lost revenue, decreased customer loyalty, defections among IT and security staff, and poor brand reputation. Some organizations with high security maturity and staff expertise may decide to build these threat hunting skills internally; whereas other organizations large and small may choose to augment their staff and skills with external threat hunting expertise. As Figure 1 below illustrates, organizations can evolve from a security foundations role to passive defense before adopting a more active defense capability. Network security monitoring is an essential and recommended step in the sliding scale. An active defense posture involves proactive learning from adversaries to use threat and log data to make smarter decisions faster.
According to this SANS Institute framework, only the very largest and mature organizations and government entities have the resources to use legal measures and a true offensive position to combat cyber attackers.
There are many advantages to a more proactive approach to cyber defense:
On the other hand, concerns about adding threat hunting to IT and security team workloads include the lack of data and visibility, a shortage of cybersecurity and threat hunting skills or staff, and the tradeoffs of proactive hunting versus day-to-day operational responsibilities such as alert and incident management. Larger firms may opt to have specific threat hunting analysts or to utilize external expertise for assistance. Embracing threat hunting can provide a cybersecurity payoff but requires planning and patience.
Proactive threat hunting can help identify adversaries faster and reduce the risk of data loss but requires balancing people, processes, and technology to be most effective. Businesses looking to embark on this journey should consider the following:
You can watch the webinar “Let’s Go Threat Hunting: Gain Visibility and Insight Into Potential Threats and Risks” to learn more about where threat hunting fits in the threat lifecycle, what is needed to hunt, and how to start your proactive investigation process.
ENDNOTES
1 “Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge,” TechRepublic. Retrieved 2018-11-05.
2 “Threat Monitoring, Detection and Response Report: 2017,” Crowd Technology Partners. Retrieved 2018-11-07.
3 “The Sliding Scale of Cyber Security,” SANS Reading Room, August 2015, p. 2, Figure 1.
You’ve seen it over and over in the headlines: small subcontractors are often soft-target gateways into their large clients, and middle-tier businesses are attractive and vulnerable targets for ransomware. And, as recently seen in the news, Managed Service Providers (MSPs) attacked through trusted supply-chain software vendors can put their own clients at risk. These unfortunate facts have created demand for IT service providers, including MSPs, to expand their cybersecurity offerings, or at least to explain their own security preparedness to customers.
In this article you will learn how Reliable IT, a Meriplex company, became even more valuable to its clients without the burden and expense of expanding their own cybersecurity staff.
Offering Security Services as an MSP is Within Reach
The demand for advanced Managed Threat Protection services is enormous. Worldwide spending on information security and risk management technology and services is expected to grow more than 12 percent this year, reaching $150.4 billion according to Gartner.
The jump to offering Managed Security Service Provider (MSSP) services, however, can be daunting and costly for an MSP. If you build it yourself, you must ante up for a team of very expensive cybersecurity professionals just for a basic setup, let alone staff a 24/7/365 Security Operations Center (SOC) to respond to alerts as they happen. On top of that, the cybersecurity skills shortage is making it harder than ever to find and retain experienced staff.
Seventy-six percent of security professionals say it is difficult to recruit cybersecurity staff, and with so many open positions it can be hard to keep excellent employees from jumping ship once you have found them. Along with cost and the skills shortage comes the even greater challenge of managing a SOC effectively: process latency, a lack of adequate monitoring and management tools, and knowledge imbalances among staff.
How Reliable IT Got Started Quickly with a Master MSSP
Reliable IT recognized that partnering with a Master MSSP would be the key not only to its own cybersecurity but also to a strong offering for growing the business. They knew that adding managed security services to their IT service offerings could differentiate their company, increase loyalty, and keep them from putting their own clients at risk.
Reliable IT’s core markets, healthcare organizations and financial services, are prime targets for cyber attacks, including data breaches. As of May 2021, nearly 60 percent of ransomware incidents in the healthcare sector worldwide impacted organizations in the U.S., according to research by the Health Sector Cybersecurity Coordination Center, and at least 72 percent of those incidents resulted in data leaks. In banking and healthcare, IT is often relegated to small teams that do not specialize in cybersecurity. In Reliable IT’s other core market, community banking, cybersecurity rapidly became table stakes for IT service providers.
To solve the security services dilemma quickly, affordably, and effectively, Reliable IT turned to Master MSSP Netsurion to augment its services with a comprehensive security offering. “Master MSSP” describes an approach pioneered by Netsurion: it provides cybersecurity services directly to very large enterprises, and it also enables MSPs like Reliable IT and other remote service providers to offer threat prevention, detection, and response services to their own clients with fast time to value.
Reliable IT chose to partner with Netsurion as the MSSP for their clients and to also protect their own business. With this approach, instead of starting from scratch and investing significant resources and time, Reliable IT gave its client base immediate access to a proven team and Managed Threat Protection solution from a company ranked 23rd worldwide in MSSP Alert’s Top 250 MSSPs list.
One important differentiator for Reliable IT is access to Netsurion’s proprietary Security Information and Event Management (SIEM) platform, which delivers real-time alerting and incident response, threat intelligence, system behavior analysis and correlation, log searching, and forensic analysis. The partnership also includes around-the-clock cybersecurity experts who provide threat hunting and incident response support: the human expertise needed to run the adaptive threat protection technology and predict, prevent, detect, and respond to threats across the entire attack surface.
Reliable IT also benefits from Netsurion’s PCI DSS compliance support through Self-Assessment Questionnaire (SAQ) assistance, a centralized portal for vulnerability scan management, file integrity monitoring, audit-ready reporting, and a data breach financial protection program. On the healthcare side, Netsurion simplifies HIPAA compliance through real-time security incident detection and compliance report review processes. By providing “single-click” issue flagging and report annotation, HIPAA audit-ready summaries are available on demand.
Without proper support and guidance, many end-customers assume that Endpoint Protection Platforms (EPPs) such as anti-virus and anti-malware are advanced enough to deter hacking attempts on their own. They are not. With Netsurion, Reliable IT now helps clients stay on top of potential threats.
“We’ve had clients where we’ve seen potentially successful logins from a bad actor and we were immediately able to block it within minutes, so no damage was done.”
Aaron Biehl, Senior VP at Meriplex
“Successful attacks take time, but with rapid detection and response the attack chain is broken. Cyber criminals never really have a chance to move laterally. We may have even prevented attacks from being successful several times. Without this level of protection, it could take months for you to identify a threat to your environment. If that happens, the worst-case scenario is you — or your client — eventually learns about the compromise from a ransomware demand or an FBI alert that your data is for sale on the dark web. With a SIEM, you’re likely to catch that threat before the damage is done,” Biehl added.
By partnering with a Master MSSP, Reliable IT expanded beyond their core success in IT administration, usability, and performance management. Learn more about Reliable IT’s managed IT support and guidance services and Netsurion’s Master MSSP partner program online.
So when you are a hacker and you write the most successful financial transaction hacking software in history, what do you do next?
Well, if you are the makers of Backoff, you upgrade it.
There is a new version of Backoff that has been found, and it is called “ROM” or “Backoff ROM”. Like its predecessor, it is designed to steal credit card data from POS systems and send that data to servers on the Internet.
The reason that Backoff ROM is making such a splash is that its communication channel, unlike that of previous versions, is encrypted. Several of the mechanisms that successfully detected the software and the transmission of credit card data therefore no longer work.
In other words, it just became more difficult for users to even detect that they have the malware than it was before.
The original software sent data in clear text, so a network “sniffer” or Intrusion Detection System could inspect the traffic on the wire, spot card numbers in the stream, and block the malicious traffic. Now that Backoff ROM encrypts that data, this method no longer works: to a network scanner, encrypted data looks like random bytes, so finding a pattern that can be matched to a credit card number is nearly impossible.
So does that mean Backoff ROM cannot be prevented? Does everyone who runs a POS system have little or no defense?
The answer is no. You can still protect yourself, because Backoff ROM and Backoff share the same basic architecture for deployment and data exfiltration.
As we stated in our previous blog article about Backoff, the malware does not spread on its own. It is not a virus that can cripple a machine just because a user visits a dangerous web page. Instead, Backoff must be installed, much like any application you would use for legitimate purposes. The most common way that Backoff and its latest variants get onto a system is therefore through insecure remote access.
The Department of Homeland Security brief about Backoff points out that the majority of the roughly 1,000 businesses affected by Backoff were compromised through remote access that lacked adequate security measures.
Therefore, the first step is to secure remote access. It should require complex passwords, use two-factor authentication, be assigned to individual users rather than shared accounts, and log every access. Requirement 8 of the Payment Card Industry Data Security Standard (PCI DSS) has many components which, had they all been followed, would have prevented numerous cases where Backoff penetrated a network.
See the PCI DSS standard itself if you want to know what the payment card brands expect of you if you run a retail establishment.
For the most part, Backoff and Backoff ROM try to capture card data from the stream of a POS transaction and then send it over the Internet. With Backoff ROM that transmission is harder to read because it is encrypted, but you can still limit where on the Internet your systems can send data at all.
Restrictive firewall rules that limit outbound traffic from the point of sale network are therefore critical if Backoff does end up on your systems. Egress rules that allow traffic only to known destinations, and that log everything they drop, are one of the strongest measures you can take: a denied connection from a POS host to an unknown address is itself a sign that something on that host is trying to phone home.
This is why PCI DSS makes strong firewall management its very first requirement.
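To make the outbound-restriction point concrete, here is an added example written for this page (not code from the original article) that applies a POS egress allowlist to constructed firewall log lines and emits the matching default-deny rule set. The segment, the allowed destinations, the log format and the chain name are all hypothetical. The point it shows is that an encrypted channel changes nothing here: the decision is made on destination, protocol and port, not on payload, so Backoff ROM’s encryption does not help it get out.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical POS segment and its egress allowlist of (destination, protocol, port).
# Addresses and services are constructed for the example, not taken from the article.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
EGRESS_ALLOWLIST = {
    ("203.0.113.10", "tcp", 443),  # payment processor gateway
    ("10.1.1.5", "tcp", 443),      # internal patch / update server
    ("10.1.1.6", "udp", 123),      # internal NTP server
}

# Constructed firewall log lines in a simple key=value layout.
SAMPLE_LOG = [
    "ts=2014-11-20T02:10:01 action=ALLOW proto=tcp src=10.20.0.15 dst=203.0.113.10 dport=443",
    "ts=2014-11-20T02:11:44 action=ALLOW proto=tcp src=10.20.0.15 dst=198.51.100.77 dport=443",
    "ts=2014-11-20T02:12:09 action=DENY proto=tcp src=10.20.0.22 dst=198.51.100.77 dport=8443",
    "ts=2014-11-20T02:12:30 action=ALLOW proto=udp src=10.20.0.22 dst=10.1.1.6 dport=123",
    "ts=2014-11-20T02:13:02 action=ALLOW proto=tcp src=10.30.0.8 dst=198.51.100.77 dport=443",
]


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Parse one key=value log line into a Flow."""
    kv = dict(token.split("=", 1) for token in line.split())
    return Flow(kv["ts"], kv["action"], kv["proto"], kv["src"], kv["dst"], int(kv["dport"]))


def is_allowlisted(flow):
    return (flow.dst, flow.proto, flow.dport) in EGRESS_ALLOWLIST


def egress_findings(lines):
    """Split POS-segment flows to non-allowlisted destinations into two lists.

    policy_gaps: the firewall let the flow through, so the rule set is too
        permissive; an encrypted exfiltration channel would leave this way.
    blocked: the firewall dropped it; the rules worked, but a POS host that
        tries to reach an unknown address deserves a look.
    """
    policy_gaps, blocked = [], []
    for line in lines:
        flow = parse_flow(line)
        if ipaddress.ip_address(flow.src) not in POS_SEGMENT or is_allowlisted(flow):
            continue
        (policy_gaps if flow.action == "ALLOW" else blocked).append(flow)
    return policy_gaps, blocked


def render_egress_rules(chain="POS_EGRESS"):
    """Emit an iptables-syntax default-deny egress chain from the allowlist.

    The chain name is hypothetical; dropped packets are logged so that the
    blocked attempts above actually show up in the firewall log.
    """
    rules = [f"-N {chain}", f"-A FORWARD -s {POS_SEGMENT} -j {chain}"]
    for dst, proto, port in sorted(EGRESS_ALLOWLIST):
        rules.append(f"-A {chain} -d {dst} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"-A {chain} -j LOG --log-prefix 'POS-EGRESS-DROP '")
    rules.append(f"-A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    gaps, blocked = egress_findings(SAMPLE_LOG)
    for f in gaps:
        print(f"POLICY GAP: {f.src} reached {f.dst}:{f.dport}/{f.proto} at {f.ts}")
    for f in blocked:
        print(f"BLOCKED: {f.src} tried {f.dst}:{f.dport}/{f.proto} at {f.ts}")
    print("\n".join(render_egress_rules()))
```

On the constructed log the second line is the one that matters: a POS host reached an unknown Internet address on 443 and the firewall allowed it, which is exactly the shape of an encrypted exfiltration channel and exactly what a default-deny egress chain removes. The third line shows the other outcome: the policy held, and the host that tried is the one to pull for investigation.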
Our customers have had no data stolen by Backoff, because the security measures that are most effective against this software are part of our PCI compliance solutions:
Skyrocketing ransomware threats and extortion demands show no sign of slowing down in 2022. Average ransomware demands surged by 518% in the first half of 2021 compared to 2020, while payments climbed by 82% in the same period, according to Infosecurity Magazine. Crippling ransomware attacks caused an average business downtime of six days with costs in the millions.
Cyber criminals actively target small-to-medium-size businesses (SMBs), which often lack the resources to fortify defenses against malware like ransomware. In 2022, MSPs can play an even more crucial role in safeguarding SMBs against it.
This article will provide insights into how MSPs can protect their own house, and their customers, against ransomware with a layered approach to cybersecurity.
Multi-prong assaults require a multi-layered strategy
Netsurion’s security analysts often detect ransomware as one stage of a multi-faceted assault. Deployed by criminals using leaked or stolen login credentials, these attacks look like valid users on the network. Ransomware operators often take a “low and slow” approach that evades siloed tools lacking 24/7 visibility.
REvil, Conti, and DarkSide are just a few examples of criminal gangs that successfully use a ransomware tactic called double extortion: encrypting data and also threatening to leak it. In 2022, organizations will continue to uncover exploitation by these well-funded ransomware gangs as they adapt their proven techniques. Ransomware-as-a-service (RaaS) lets less sophisticated attackers scale up and disrupt unsuspecting victims. Proactive prevention is needed up front to block as many threats as possible, with rapid detection and remediation for everything else.
What would your layered approach look like?
Imagine trying to keep up with the constant shower of threats, including what happens when they do get in, which will occur. A layered approach to cybersecurity provides redundancy when a security control fails or a new vulnerability is uncovered. Defense-in-depth protects against a wide range of threats to cover all the bases. The right balance of people, process, and technology can safeguard your customers as well as your own operations. Use a four-step approach to predict, prevent, detect, and respond (PPDR) to ransomware.
Defense-in-depth security helps you prepare for and prioritize the most dangerous threats, both known and unknown.
MSP benefits of defense-in-depth
As you prepare for the new year, now’s the time to evaluate your product and service portfolio in response to rising ransomware. MSP advantages include:
Expertise plus technology safeguards your entire attack surface across servers, network devices, cloud assets, and endpoints.
Is it possible to avoid security breaches? Judging from recent headlines, probably not. Victims range from startups like Kreditech, to major retailers like Target, to the US State Department and even the White House. Regardless of the security measures you have in place, it is prudent to assume you will suffer a breach at some point. Be sure to have a response plan in place, just in case.
If you find it difficult to justify the time needed to develop a response plan, consider how long you will have to formulate a response once an attack begins. According to a 2013 Verizon study, 84% of successful attacks compromised their targets in a matter of hours. The brief time window for detecting and mitigating attacks requires not only constant monitoring but a rapid response. That means having a plan in place.
As you formulate your strategy for handling breaches, keep in mind four key aspects of incident response: analysis and assessment, response strategy, containment, and prevention of a subsequent attack.
The first step in managing a security breach is detecting it. This is one of the most difficult challenges facing IT professionals. You are trying to detect a stealthy adversary with many potential points of entry into your system, and you have no knowledge of when the attack will occur. Attack-related events may occur in rapid succession or over extended periods of time. Some steps in the attack may appear innocuous, such as an executive unknowingly downloading and opening malicious content. Others may be more apparent, such as a disgruntled employee copying large volumes of customer data to a USB drive. In all cases, analyzing logs and integrating data from multiple application and server logs can help identify events indicative of an attack.
The response strategy spans both the technical and the business sides of your organization. An incident response team should be in place to address the breach. Its work includes containing the threat (discussed below), notifying stakeholders, and communicating the progress of the response. In large-scale attacks, such as the one Sony suffered last year, there may also be a need to coordinate with those responsible for business continuity and disaster recovery.
Containment is the process of isolating compromised devices and network segments to limit the spread of a breach. Containment can be as crude as cutting power to a compromised device, though doing so destroys the volatile memory that forensic analysis may need, so capture memory first where the situation allows. If malicious activity originates with a mobile device, a mobile device management (MDM) system can block that device from accessing network resources. Network administrators can change firewall filtering rules to limit traffic into and out of a subnet. They may also consider updating DNS entries of compromised servers to point to failover servers, assuming those have not been compromised. Monitoring application, operating system, and network logs during containment helps you understand the effect of your responses.
The fourth issue to keep in mind is preventing subsequent attacks. A security breach can have wide and unexpected consequences. It is also an opportunity to learn how your security measures were compromised. Was someone tricked by a phishing lure? Was an administrator account compromised by a simple brute-force dictionary attack? Did an insider take advantage of excessive privileges? Security Information and Event Management (SIEM) systems support forensic analysis and can integrate event data from across your infrastructure. This may let you find correlations between events that lead to insights about the behavior of the attackers and the vulnerabilities in your systems.
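As an added illustration written for this page (not part of the original article) of what “integrating data from multiple logs” and “finding correlations between events” look like in practice, the following script normalizes constructed VPN gateway and web application log lines into one timeline, raises an alert when a run of failed logons from one address is followed by a success, and then attaches any large download by that same address within the window. The log formats, hosts, users, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed log lines in two different formats: a VPN gateway and a web
# application. Hosts, users, addresses and timestamps are hypothetical.
VPN_LOG = [
    "2015-03-02T08:00:05Z vpn-gw auth user=jsmith src=198.51.100.23 result=FAIL",
    "2015-03-02T08:00:09Z vpn-gw auth user=jsmith src=198.51.100.23 result=FAIL",
    "2015-03-02T08:00:14Z vpn-gw auth user=jsmith src=198.51.100.23 result=FAIL",
    "2015-03-02T08:00:20Z vpn-gw auth user=jsmith src=198.51.100.23 result=FAIL",
    "2015-03-02T08:00:31Z vpn-gw auth user=jsmith src=198.51.100.23 result=FAIL",
    "2015-03-02T08:00:40Z vpn-gw auth user=jsmith src=198.51.100.23 result=OK",
    "2015-03-02T09:15:00Z vpn-gw auth user=mlee src=203.0.113.8 result=FAIL",
    "2015-03-02T09:15:30Z vpn-gw auth user=mlee src=203.0.113.8 result=OK",
]
APP_LOG = [
    '198.51.100.23 - jsmith [02/Mar/2015:08:02:11 +0000] "POST /login HTTP/1.1" 401 12',
    '198.51.100.23 - jsmith [02/Mar/2015:08:02:15 +0000] "POST /login HTTP/1.1" 200 512',
    '198.51.100.23 - jsmith [02/Mar/2015:08:05:40 +0000] "GET /export/customers.csv HTTP/1.1" 200 4829311',
]

VPN_RE = re.compile(r"^(\S+) (\S+) auth user=(\S+) src=(\S+) result=(\w+)$")
APP_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')
BULK_BYTES = 1_000_000  # hypothetical threshold for a "large" response


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    ip: str
    user: str
    outcome: str  # "fail", "success", "bulk_download" or "other"
    detail: str = ""


@dataclass
class Alert:
    ip: str
    user: str
    failures: int
    sources: list
    success_at: datetime
    followup: list = field(default_factory=list)


def parse_vpn(line):
    m = VPN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m.group(2), m.group(4), m.group(3), "success" if m.group(5) == "OK" else "fail")


def parse_app(line):
    m = APP_RE.match(line)
    if not m:
        return None
    ip, user, stamp, method, path, status, size = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    if path == "/login":
        outcome = "success" if status == "200" else "fail"
    elif status == "200" and int(size) >= BULK_BYTES:
        outcome = "bulk_download"
    else:
        outcome = "other"
    return Event(ts, "webapp", ip, user, outcome, f"{method} {path} ({size} bytes)")


def build_timeline(vpn_lines=VPN_LOG, app_lines=APP_LOG):
    """Normalize both sources into one time-ordered list of Events."""
    events = [e for e in map(parse_vpn, vpn_lines) if e]
    events += [e for e in map(parse_app, app_lines) if e]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on a success preceded by >= threshold failures from the same address
    within the window, then attach bulk downloads from that address that follow
    the success within the same window."""
    recent_fails = defaultdict(list)
    alerts = []
    for ev in events:
        fails = [f for f in recent_fails[ev.ip] if ev.ts - f.ts <= window]
        recent_fails[ev.ip] = fails
        if ev.outcome == "fail":
            fails.append(ev)
        elif ev.outcome == "success" and len(fails) >= threshold:
            alerts.append(Alert(ev.ip, ev.user, len(fails), sorted({f.source for f in fails}), ev.ts))
            recent_fails[ev.ip] = []
        elif ev.outcome == "bulk_download":
            for alert in alerts:
                if alert.ip == ev.ip and timedelta(0) <= ev.ts - alert.success_at <= window:
                    alert.followup.append(ev)
    return alerts


if __name__ == "__main__":
    for a in correlate(build_timeline()):
        print(f"{a.ip} ({a.user}): {a.failures} failures via {a.sources} then success at {a.success_at}")
        for ev in a.followup:
            print(f"  followed by {ev.detail} from {ev.source} at {ev.ts}")
```

Neither source on its own tells the whole story: the VPN log shows a password-guessing run that succeeded, and the application log shows a large export a few minutes later. Keyed on the same source address and time window, the two together describe a compromised credential being used, which is the correlation a SIEM is meant to surface.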
This brief discussion of incident response planning touches on only some of the most salient aspects of dealing with a breach. Sources such as CERT provide detailed resources to help organizations create computer security incident response teams and adopt incident response best practices.
A shared dedication to excellent client service, a pressing need to enhance cybersecurity capabilities, and an outstanding cyber monetization opportunity generated tremendous energy and focus among attendees at the recently concluded first annual MSSP Live event.
Our onsite team gleaned these key takeaways from session presentations and conversations with global services providers.
1. Partnership is a must
The overarching consensus was that partnerships are key to winning the cybersecurity battle. Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) can partner with cybersecurity vendors to bring powerful cybersecurity services down market to small and medium businesses (SMBs) and small and medium enterprises (SMEs), a greenfield for cyber monetization.
2. Time to market is critical
Clients are looking for ways to operationalize a shared security model tailored to their organization. Like yesterday. With the cost of a U.S. cybersecurity incident now reaching $4.35 million, customer organizations understand it’s crucial to move fast and with confidence in battling advanced threats.
3. Buyers are informed and ready
Even SMBs and SMEs are aware they are soft targets at high risk and are looking for solutions they can afford, and trust. By partnering with a managed open Extended Detection and Response (XDR) platform provider like Netsurion, MSPs and MSSPs can boost security readiness for their clients and get it done fast.
4. 24x7 SOCs, open XDR and proven track record are best in class requirements
A cybersecurity vendor or partner is essential to protect the expanded attack surface, from on-premises to cloud to mobile, gain deeper threat detection, and increase response effectiveness with trained resources and state-of-the-art technology. Security Operations Center (SOC) experts like those at Netsurion augment your staff and can prevent cyber attacks.
5. DIY is a non-starter
The barriers are high for MSPs, and even MSSPs, to deliver high-quality cybersecurity services efficiently and cost-effectively. The recruiting, retention, and oversight challenges alone are daunting. Add to that the technology and facilities required, the demands of keeping pace, the time needed to stand up a facility, and client skepticism toward new entrants, and DIY becomes a non-starter.
If you are not convinced, see our blog on the true cost of setting up and operating a 24x7 Security Operations Center (SOC).
Next Steps
In business, as in sports, teamwork makes the dream work. Cybersecurity is a perfect example of how MSPs, MSSPs and businesses of all sizes can team up with Netsurion and win the fight against data breaches, ransomware, identity theft and all of the other threats facing us all.
Learn more about how Netsurion's MSP/MSSP Partner Program Benefits online or contact our channel team.
There are five different ways you can log on in Windows, called “logon types.” The Windows Security Log records the logon type in event ID 4624 whenever you log on. The logon type lets you determine whether the user logged on at the actual console, via Remote Desktop, via a network share, or whether the logon belongs to a service or scheduled task starting up. The logon types are:
There are a few other logon types recorded by event ID 4624 for special cases like unlocking a locked session, but these aren’t really separate logon session types.
In addition to knowing the session type in logon events, you can also control users’ ability to log on in each of these five ways. A user account’s ability to log on is governed by user rights found in group policy under Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment, with an allow and a deny right for each logon type. To log on in a given way you must hold the corresponding allow right, but the deny right for the same logon type takes precedence. For instance, to log on at the local keyboard and screen of a computer you must have the “Allow log on locally” right; if “Deny log on locally” is also assigned to you or to any group you belong to, you will not be able to log on. The table lists each logon type and its corresponding allow and deny rights.
Logon rights are very powerful. They are your first level of control, determining whether a user can access a given system at all; after logging on, of course, their abilities are limited by object-level permissions. Since logon rights are so powerful, it’s important to know if they are suddenly granted or revoked. You can do this with Windows Security Log events 4717 and 4718, which are logged whenever a given right is granted or revoked, respectively. To get these events you need to enable the Audit Authentication Policy Change audit subcategory.
Events 4717 and 4718 identify the logon right involved in the “Access Granted”/”Access Removed” field using a system name for the right as shown in corresponding column in the table above. The events also specify the user or group who was granted or revoked from having the right in the “Account Modified” field.
Here’s an example of event ID 4717, in which we granted “Access this computer from the network” to the local Users group.
System security access was granted to an account.
Subject:
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Account Modified:
Account Name: BUILTIN\Users
Access Granted:
Access Right: SeNetworkLogonRight
One limitation is that the events do not tell you which administrator granted or revoked the right. The reason is that user rights are controlled via group policy objects: administrators do not directly assign or revoke user rights on individual systems, and even if you modify the Local Security Policy of a computer you are really just editing the local group policy object. When Windows detects a change in group policy it applies the changes to the local configuration, and that’s when 4717 and 4718 are logged. At that point the account making the change is the local operating system itself, which is why SYSTEM is listed as the Subject in the event above.
So how can you figure out who granted or removed the right? You need to be tracking group policy object changes, a topic I’ll cover in the future.
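The following added example, written for this page and not taken from the original article, shows how the two halves of this post fit together in practice: it parses constructed 4624 and 4717/4718 event text in the Security Log’s “Field: value” layout, maps the logon type in 4624 to the user right that permits it, and flags right changes that widen access (an allow right granted to a broad group, Remote Desktop access granted to anyone, or a deny right removed). The logon-type-to-right mapping uses the standard Windows values; the event text, hosts, account names and the notion of a “broad” trustee are assumptions for the example, and, as the post notes, the events cannot tell you which administrator made the change.

```python
import re

# Logon types and the user right that permits each (standard Windows values;
# the article's own table is not reproduced here).
LOGON_TYPES = {
    2: ("Interactive", "SeInteractiveLogonRight"),
    3: ("Network", "SeNetworkLogonRight"),
    4: ("Batch", "SeBatchLogonRight"),
    5: ("Service", "SeServiceLogonRight"),
    10: ("RemoteInteractive", "SeRemoteInteractiveLogonRight"),
}
# Every allow right plus its matching deny right (SeDeny...LogonRight).
LOGON_RIGHTS = {right for _, right in LOGON_TYPES.values()} | {
    "SeDeny" + right[2:] for _, right in LOGON_TYPES.values()
}
# Groups for which a new logon right deserves a second look (assumption for the example).
BROAD_TRUSTEES = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Domain Users"}

# Constructed event text; hosts, accounts and addresses are hypothetical.
SAMPLE_EVENTS = """\
Event ID: 4624
Subject:
    Security ID: SYSTEM
    Account Name: WKS01$
Logon Type: 10
New Logon:
    Security ID: MTG\\rsmith
    Account Name: rsmith
    Account Domain: MTG
Network Information:
    Source Network Address: 10.0.0.55

Event ID: 4717
System security access was granted to an account.
Subject:
    Security ID: SYSTEM
    Account Name: WIN-R9H529RIO4Y$
    Account Domain: WORKGROUP
    Logon ID: 0x3e7
Account Modified:
    Account Name: BUILTIN\\Users
Access Granted:
    Access Right: SeRemoteInteractiveLogonRight

Event ID: 4718
System security access was removed from an account.
Subject:
    Security ID: SYSTEM
Account Modified:
    Account Name: MTG\\svc-backup
Access Removed:
    Access Right: SeDenyInteractiveLogonRight
"""


def parse_events(text):
    """Split blank-line-separated events into dicts keyed "Section/Field" or "Field".

    An unindented "Name:" line with no value opens a section; indented lines
    belong to it; an unindented line with a value is a top-level field.
    Lines without a colon (the event description) are ignored.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, section = {}, None
        for raw in block.splitlines():
            if ":" not in raw:
                continue
            key, _, value = raw.partition(":")
            key, value = key.strip(), value.strip()
            if not raw[:1].isspace():
                section = None
            if value == "":
                section = key
                continue
            fields[f"{section}/{key}" if section else key] = value
        events.append(fields)
    return events


def describe_logon(ev):
    """Summarize a 4624 event: who logged on, how, and which right allowed it."""
    logon_type = int(ev.get("Logon Type", "0"))
    name, right = LOGON_TYPES.get(logon_type, ("Other", None))
    return {"user": ev.get("New Logon/Account Name"), "logon_type": logon_type,
            "type_name": name, "required_right": right,
            "source": ev.get("Network Information/Source Network Address")}


def review_right_change(ev):
    """Return a finding string for a 4717/4718 event that widens access, else None."""
    trustee = ev.get("Account Modified/Account Name")
    if ev.get("Event ID") == "4717":
        right = ev.get("Access Granted/Access Right")
        if right in LOGON_RIGHTS and not right.startswith("SeDeny"):
            if trustee in BROAD_TRUSTEES or right == "SeRemoteInteractiveLogonRight":
                return f"{right} granted to {trustee}"
    elif ev.get("Event ID") == "4718":
        right = ev.get("Access Removed/Access Right")
        if right in LOGON_RIGHTS and right.startswith("SeDeny"):
            return f"restriction lifted: {right} removed from {trustee}"
    return None


def triage(text):
    """Return (logon summaries, right-change findings) for a batch of event text."""
    logons, findings = [], []
    for ev in parse_events(text):
        if ev.get("Event ID") == "4624":
            logons.append(describe_logon(ev))
        elif ev.get("Event ID") in ("4717", "4718"):
            finding = review_right_change(ev)
            if finding:
                findings.append(finding)
    return logons, findings


if __name__ == "__main__":
    logons, findings = triage(SAMPLE_EVENTS)
    for l in logons:
        print(f"{l['user']} logged on via {l['type_name']} (type {l['logon_type']}) "
              f"from {l['source']}; requires {l['required_right']}")
    for f in findings:
        print("REVIEW:", f)
```

Parsing the text this way rather than matching field names globally matters for 4624, which carries two “Account Name” fields (the Subject and the New Logon); the section prefix keeps them apart. The constructed 4717 grants Remote Desktop logon to the local Users group, and the 4718 removes a deny right from a service account; both change who can get onto the machine, and both arrive with SYSTEM as the Subject, exactly as the post describes.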
With distressing regularity, new breaches continue to make headlines. The biggest companies and the largest institutions, private and government, are affected; every sector is in the news. Recounting these attacks is fruitless; acting on the trends and the threat landscape is the better step. Smarter threats that evade basic detection, combined with the operational challenge of a skills shortage, make the protection gap wider.
An overemphasis on prevention defines the current state of defenses as shown in the pie chart below.
According to a 2015 cybersecurity report, over 85% of senior IT and business leaders feel there is a labor crisis of skilled cybersecurity workers. Gartner believes approximately 50% of budgeted security positions are vacant, and on average technical staff spend about four years in a position before moving on. The threats this outnumbered corps must confront are evolving so fast that security departments’ staffing methods are often hopelessly out of date.
The main lesson to learn is that “perfect protection is not practical, so monitoring is necessary.”
Are you feeling overwhelmed with the variety, velocity and volume of cyber attacks? Help is at hand. Our EventTracker managed detection and response offering blends best-in-class technology with a 24/7 iSOC to help strengthen your security defenses while controlling cost.
We hear a lot about tracking privileged access today because privileged users like Domain Admins can do a lot of damage. But more importantly, if their accounts are compromised the attacker gets full control of your environment.
In line with this concern, many security standards and compliance documents recommend tracking changes to privileged groups like Administrators, Domain Admins and Enterprise Admins in Windows, and related groups and roles in other applications and platforms.
But in some systems you can also delegate privileged access granularly, ultimately giving someone the same authority as a Domain Admin, but “under the radar.” This is especially true in AD. The capability is a double-edged sword: it is necessary if you are going to implement least privilege, but it also creates a way for privileged access to be granted inadvertently, or even maliciously, in a way that goes unnoticed unless you are specifically looking for it. Here’s how:
First you need to enable “Audit Directory Service Changes” (under Advanced Audit Policy Configuration, DS Access) on your domain controllers, probably through the Default Domain Controllers Policy GPO.
Then open Active Directory Users and Computers and enable Advanced Features under View. Next, select the root of the domain and open Properties. Navigate to the Audit tab of the domain’s Advanced Security Settings dialog, shown below.
Add an entry for “Everyone” that audits “Modify permissions” on this object and all descendant objects, like the entry highlighted above. From that point, domain controllers record Event ID 5136 whenever someone delegates authority over any object in the domain, whether an entire OU or a single user account. Here’s an example event:
A directory service object was modified.
This event tells you that MTGpad-rsmith (that’s me) modified the permissions on the Scratch organizational unit in the MTG.local domain. The attribute name nTSecurityDescriptor together with the operation “Value Added” tell us it was a permissions change. The Class field gives the type of object and DN gives the distinguished name of the object whose permissions were changed. Subject tells us who made the change. I removed the lengthy Attribute Value because it is too long to display and it is in SDDL format, which isn’t human readable without significant effort. Technically it provides the full content of the OU’s new access control list (its security descriptor), but decoding it by hand is not practical. It is usually faster to find the object in Active Directory Users and Computers and view its security settings via the GUI.
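Decoding the SDDL string is more feasible than it looks, at least for the DACL part, which is what matters for delegation. The following added example, written for this page and not taken from the original article, parses the ACEs of a constructed security descriptor, expands the two-letter rights and trustee codes, and flags allow ACEs that give a non-privileged trustee rights such as WRITE_DAC, WRITE_OWNER, full control, child creation or deletion, or unrestricted write of all properties, which is exactly the quiet delegation this audit trail is meant to catch. The sample descriptor, its SID and GUID values and the set of trustees treated as privileged are assumptions for the example; the rights codes, trustee aliases and access-mask bits are the standard Windows definitions.

```python
# Two-letter trustee aliases used in SDDL (standard Windows values; a subset).
SID_ALIASES = {
    "WD": "Everyone", "AU": "Authenticated Users", "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users", "DA": "Domain Admins", "DU": "Domain Users",
    "DC": "Domain Computers", "EA": "Enterprise Admins", "SY": "SYSTEM",
    "AO": "Account Operators", "CO": "Creator Owner", "PS": "Principal Self",
    "ED": "Enterprise Domain Controllers",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "ALLOW_OBJECT", "OD": "DENY_OBJECT",
             "AU": "AUDIT", "OU": "AUDIT_OBJECT"}
# SDDL rights codes with the access-mask bit and name each stands for (standard values).
RIGHTS = {
    "CC": (0x00000001, "CREATE_CHILD"),    "DC": (0x00000002, "DELETE_CHILD"),
    "LC": (0x00000004, "LIST_CHILDREN"),   "SW": (0x00000008, "SELF_WRITE"),
    "RP": (0x00000010, "READ_PROPERTY"),   "WP": (0x00000020, "WRITE_PROPERTY"),
    "DT": (0x00000040, "DELETE_TREE"),     "LO": (0x00000080, "LIST_OBJECT"),
    "CR": (0x00000100, "CONTROL_ACCESS"),  "SD": (0x00010000, "DELETE"),
    "RC": (0x00020000, "READ_CONTROL"),    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),     "GA": (0x10000000, "GENERIC_ALL"),
    "GX": (0x20000000, "GENERIC_EXECUTE"), "GW": (0x40000000, "GENERIC_WRITE"),
    "GR": (0x80000000, "GENERIC_READ"),
}
# Trustees whose broad rights are expected on any domain object (assumption for the example).
PRIVILEGED_TRUSTEES = {"SYSTEM", "BUILTIN\\Administrators", "Domain Admins",
                       "Enterprise Admins", "Enterprise Domain Controllers"}
# Rights that let a trustee take over, or repopulate, an object or subtree.
TAKEOVER_RIGHTS = {"WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE",
                   "CREATE_CHILD", "DELETE_CHILD", "DELETE_TREE"}

# Constructed descriptor for an OU. The SID and the GUID are placeholders.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;CI;RPWPCCDCLCSWRCWDWOGA;;;DA)"         # Domain Admins: full control, expected
    "(A;CI;RPLCLORC;;;AU)"                    # Authenticated Users: read only
    "(OA;CI;WP;11111111-2222-3333-4444-555555555555;;S-1-5-21-1-2-3-1105)"  # one attribute
    "(A;CI;CCDCWDWO;;;S-1-5-21-1-2-3-1105)"  # the quiet delegation to catch
    "S:AI(AU;CISA;WDWO;;;WD)"
)


def decode_rights(field):
    """Turn an SDDL rights field (2-letter codes or a hex mask) into (mask, names)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
    else:
        if len(field) % 2:
            raise ValueError(f"malformed rights field: {field!r}")
        mask = 0
        for code in (field[i:i + 2] for i in range(0, len(field), 2)):
            if code not in RIGHTS:
                raise ValueError(f"unknown right code {code!r}")
            mask |= RIGHTS[code][0]
    names = [name for bit, name in RIGHTS.values() if mask & bit]
    return mask, names


def parse_ace(text):
    """Parse the inside of one '(...)' ACE: type;flags;rights;object;inherit;trustee."""
    parts = text.split(";")
    if len(parts) < 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, obj_guid, inh_guid, trustee = parts[:6]
    mask, names = decode_rights(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags, "mask": mask,
            "rights": names, "object_guid": obj_guid or None,
            "inherit_guid": inh_guid or None, "trustee": SID_ALIASES.get(trustee, trustee)}


def parse_dacl(sddl):
    """Return (dacl_flags, [ace, ...]) from the D: section of an SDDL string."""
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("no DACL in descriptor")
    body = sddl[start + 2:]
    first = body.find("(")
    flags = body if first < 0 else body[:first]
    aces, pos = [], first
    while 0 <= pos < len(body) and body[pos] == "(":  # stops at the S: (SACL) section
        end = body.index(")", pos)
        aces.append(parse_ace(body[pos + 1:end]))
        pos = end + 1
    return flags, aces


def risky_aces(aces):
    """Allow ACEs that hand takeover-class rights to a non-privileged trustee."""
    out = []
    for ace in aces:
        if not ace["type"].startswith("ALLOW") or ace["trustee"] in PRIVILEGED_TRUSTEES:
            continue
        risky = set(ace["rights"]) & TAKEOVER_RIGHTS
        # Writing one attribute or property set (object GUID present) is routine
        # delegation; unrestricted write of all properties is not.
        if "WRITE_PROPERTY" in ace["rights"] and ace["object_guid"] is None:
            risky.add("WRITE_PROPERTY")
        if risky:
            out.append((ace["trustee"], sorted(risky)))
    return out


if __name__ == "__main__":
    flags, aces = parse_dacl(SAMPLE_SDDL)
    print(f"DACL flags: {flags}")
    for ace in aces:
        print(f"  {ace['type']:<13} {ace['trustee']:<32} {' '.join(ace['rights'])}")
    for trustee, rights in risky_aces(aces):
        print(f"REVIEW: {trustee} holds {', '.join(rights)}")
```

Run against the Attribute Value of a 5136 event, this turns the opaque string into one line per ACE and a short list of the entries worth a human look; on the sample, the object-specific write of a single attribute passes while the ACE granting WRITE_DAC and WRITE_OWNER plus child create/delete to an ordinary SID is reported, since a trustee who can rewrite the DACL of an OU can grant themselves anything else later.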
So the Security Log isn’t perfect, but this method does give you a comprehensive audit trail of all permission changes and delegation within Active Directory. If you combine this with group membership auditing you’ll have a full picture of all changes that could impact privileged access in AD which is a key part of security and compliance.
Scottsdale, AZ (September 13, 2023), Lumifi Cyber, a leading player in the cybersecurity arena, proudly announces its significant long-term commitment through 2030 at SkySong, The ASU Scottsdale Innovation Center. This strategic move is an endorsement of Scottsdale’s burgeoning tech community and a testament to Lumifi Cyber’s commitment to growth, innovation, and community development.
Unlike other cybersecurity solutions that require constant management and oversight, Lumifi Cyber delivers Managed Detection and Response (MDR) services that actively hunt and assess threats while keeping costs low and working with existing cybersecurity toolsets. Lumifi Cyber’s team of cybersecurity professionals defend large and small organizations all over the world. The company has clients in nearly every industry with a long history of supporting mission-critical assets for institutions in government, healthcare, financial and legal sectors.
Jim Sadler, LOCATE AI broker responsible for the SkySong corporate services solution for Lumifi Cyber, expressed great excitement about this development, saying, “LOCATE and our technology and real estate services team are thrilled to support the industry leading cybersecurity firm and Lumifi Cyber’s significant growth trajectory. They’re at the forefront of redefining our city’s tech landscape and their operation fits nicely with SkySong, The ASU Scottsdale Innovation Center.”
Michael Malone, CEO of Lumifi Cyber, shared his enthusiasm: “This commitment marks a pivotal moment in Lumifi Cyber’s journey. Not only does it reflect our relentless pursuit of excellence in cybersecurity, but it also signifies our belief in Scottsdale’s potential to be a global tech powerhouse. Our commitment to our customers remains unwavering as we grow – to provide top-tier solutions and service. Furthermore, by deepening our roots here, we aim to contribute positively to the local economy and community.”
“We’re proud to be working with both Sadler and Lumifi Cyber again on this important phase of growth at SkySong,” said Sharon Harper, Chairman and CEO of Plaza Companies, the master developer of SkySong. “Michael Malone’s entrepreneurial growth and industry leadership exemplify the enterprise growth and path towards accelerating technology transfer at SkySong that we strive to embody.”
Plaza Companies is the master developer of SkySong, in partnership with University Realty, the City of Scottsdale and Holualoa Companies.
Lumifi Cyber’s Expansion will bring these Key Highlights:
HCAP Partners, a California-based private equity firm and Tulsa, Oklahoma-based BOK Financial Corporation are investors.
In conclusion, the expansion underscores Lumifi Cyber’s commitment to growth, community engagement, and innovation. Positioned within the SkySong hub, which serves as a nexus for technology, research, education, and entrepreneurship, Lumifi Cyber is perfectly poised to drive forward ASU, Greater Phoenix, and the global knowledge economy.
About Lumifi Cyber
Lumifi Cyber, headquartered in Scottsdale, is a vanguard in the cybersecurity industry, dedicated to protecting digital assets and fortifying cyber defenses for businesses across the board. With a team of experts and state-of-the-art technology, Lumifi Cyber is shaping the future of cyber safety.
About SkySong, The ASU Scottsdale Innovation Center
SkySong, The ASU Scottsdale Innovation Center is one of the premier economic engines in the Valley of the Sun. The project’s success is a direct result of a focus on innovation and technology that attracts companies ranging from some of the world’s best known brands to one- or two-person startups.
About Plaza Companies
Plaza Companies is the developer of the project in partnership with University Realty, the City of Scottsdale and Holualoa Companies. Lee and Associates provides the brokerage services and Plaza Companies provides the property management and construction services.
Today’s modern attack surface encompasses the network, cloud, endpoints, mobile devices, and applications, and it is constantly under attack from well-armed cyber criminals. Vulnerability management offers strategic insight into vulnerable applications and devices from the viewpoint of a cyber criminal, so that gaps can be plugged before attackers exploit them. Vulnerability management is for service providers as well as their end-customers. Cyber criminals are actively targeting MSSPs; a more comprehensive approach to threat and vulnerability management can assist service providers in protecting the crucial supply chain.
This article will take you through a risk-based approach to vulnerability management, the benefits as an MSSP, partnership considerations, and pitfalls to avoid.
What is Vulnerability Management
A formal vulnerability management program helps your team become more proactive with cybersecurity and speed up detection and remediation, all while staying compliant. According to the International Organization for Standardization (ISO 27002), a vulnerability is defined as “… a weakness of any asset or group of assets that can be exploited by one or more threats.” Vulnerability management is a foundational component of compliance frameworks like PCI DSS and HIPAA. Unlike one-time scanning, vulnerability management is an ongoing approach to risk management, vulnerability assessment, and rapid response.
Vulnerability Management Pitfalls
While vulnerability scans and assessments are not new, many organizations lack the structure and scale to provide the comprehensive vulnerability management and actionable remediation that end-customers demand. Legacy vulnerability software and tools are often complex and lack important capabilities such as risk prioritization, customization to individual organizational risks, and visibility into modern configuration, cloud, and container risks and threats. Service providers and businesses alike may also lack the staff and skills to advise on best practices for managing vulnerabilities and reducing risk.
MSSP Benefits of Providing Vulnerability Management
Given that a data breach now costs over $4 million, any improvement in vulnerability management effectiveness and coverage is a welcome addition. Here are some benefits of adding managed vulnerability capabilities to your MSSP portfolio:
Reinforces your trusted advisor role: Risk-based vulnerability management positions you with end-customer executive decision makers. Vulnerability management isn’t about scanning, but rather about improving cybersecurity maturity over time.
Increases revenue: Offering another in-demand service creates an attractive up-sell opportunity. If you aren’t offering vulnerability management services today, chances are your end-customers are purchasing them from another third-party vendor, minimizing your ability to land-and-expand incremental revenue.
Strengthens end-client retention: Boost customer loyalty and engagement by taking on time-consuming IT tasks, allowing your end-clients to focus on other programs and technologies.
Prioritization is Key
There will inevitably be more vulnerabilities identified than can be immediately addressed, so a successful vulnerability management program reduces the false positives and “noise”. Tailor your vulnerability management offering to end-customer risks, corporate goals, IT staff and expertise, and cybersecurity maturity. Look beyond routine CVSS (Common Vulnerability Scoring System) outcomes to identify vulnerabilities, misconfigurations, and risky software to focus on what’s most urgent. Continue to work with end-customers to maintain that visibility and configuration control over time by reducing drift.
Prioritize vulnerabilities with the greatest impact to your end-customers by evaluating asset value, the severity of vulnerability gaps, and the level of threat they pose to each unique organization. Rank detected vulnerabilities from highest to lowest severity to pinpoint areas with the greatest cybersecurity impact. This prioritization improves your analysts’ efficiency and effectiveness.
As you evaluate vulnerability management programs, be aware that vulnerability management is not a “one-size-fits-all” approach, but rather should be customized to your business and associated risk profile.
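The ranking described above (asset value, severity of the gap, and level of threat, rather than CVSS alone), carried out on constructed findings as an added example; this is not Netsurion or Lumifi code, and the asset values, CVE-style placeholder identifiers and threat flags are all assumptions.

```python
"""Risk-based vulnerability prioritization: rank findings by business impact,
not by raw CVSS alone. Added example; every finding below is constructed."""
from dataclasses import dataclass

# Asset value on a 1-5 scale, agreed with the end-customer (constructed sample).
ASSET_VALUE = {
    "payment-gateway": 5,
    "hr-fileserver": 4,
    "dev-sandbox": 1,
}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                 # placeholder identifiers, not real advisories
    cvss: float              # base score 0-10 as reported by the scanner
    internet_facing: bool
    exploited_in_wild: bool  # e.g. listed in a known-exploited catalogue


def threat_level(f):
    """Likelihood multiplier: exposure and active exploitation both raise it."""
    level = 1.0
    if f.internet_facing:
        level += 1.0
    if f.exploited_in_wild:
        level += 2.0
    return level


def risk_score(f, asset_value=ASSET_VALUE):
    """Impact (asset value) x severity (CVSS) x threat (exposure/exploitation),
    normalised to 0-100 so analysts can work to a single cut-off."""
    value = asset_value.get(f.asset, 3)  # unknown asset: assume medium value
    raw = value * f.cvss * threat_level(f)
    max_raw = 5 * 10.0 * 4.0             # highest value, CVSS 10, full threat
    return round(100 * raw / max_raw, 1)


def prioritize(findings, asset_value=ASSET_VALUE):
    """Return findings ordered from highest to lowest risk score."""
    return sorted(findings, key=lambda f: risk_score(f, asset_value), reverse=True)


# Constructed findings: the highest CVSS sits on an isolated sandbox, while a
# medium CVSS on the internet-facing payment gateway is actively exploited.
SAMPLE_FINDINGS = [
    Finding("dev-sandbox", "CVE-0000-0001", 9.8, False, False),
    Finding("payment-gateway", "CVE-0000-0002", 6.5, True, True),
    Finding("hr-fileserver", "CVE-0000-0003", 7.5, False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.1f}  {f.asset:16} {f.cve} cvss={f.cvss}")
```

Sorting by CVSS alone would put the sandbox first; the risk score puts the exploited, exposed payment gateway at the top.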
Partner Considerations for Vulnerability Management
You may already be using vulnerability scanning software and tools, but have found that they are time-consuming, often don’t cover today’s diverse assets, and produce a deluge of raw data that is not always actionable. Overcome the disadvantages of legacy vulnerability management tools and software that can’t keep up with modern threats and well-funded cyber criminals. Look for a vulnerability management solution that provides:
The Good News
Service providers can leverage vulnerability management to significantly improve an organization’s defenses against breaches and crippling ransomware. Instead of relying on complex software or tools that don’t scale, a managed program for vulnerabilities establishes you as a trusted advisor that scales up as your efforts grow over time. The addition of vulnerability management as a service is straightforward, well understood by Small-to-Mid-sized Businesses (SMBs) and does not require costly hardware and software. MSSPs are well positioned to take the vulnerability management recommendations and work with end-customers on remediation steps and plans.
The Bottom Line
Attack surface protection is crucial as networks expand along with risks from remote employees and connections from third-party supply chain partners. Vulnerability Management helps reduce dwell time, the time that hackers are in an environment performing reconnaissance or even removing sensitive data. Move beyond traditional scanning to continuous visibility and actionable remediation as your end-customers evolve their security maturity. Protect customer infrastructure and assets while reducing the level and magnitude of threats. When offered as a managed service, risks are eliminated, hacker dwell time is cut short, and data breaches are avoided. Learn more about Netsurion’s comprehensive vulnerability management program that enhances visibility and prioritization with a managed service that augments your staff and skills.
Here’s our list of the Top 5 SIEM complaints:
What’s an IT Manager to do?
Get a co-managed solution, of course.
Here’s our solution to Top 5 SIEM complaints.
Are you familiar with the Kübler-Ross 5 Stages of Grief model?
SIEM implementation (and indeed most enterprise software installations) bears a striking resemblance to that five-stage model.
Managed service providers face a double-edged sword in the world of cyber security and cybercrime. In May 2022, a joint cybersecurity advisory from the UK, Australia, Canada, New Zealand and the US warned that MSPs are increasingly being targeted by cyber criminals. And cyber attacks on MSP customers, small- and medium-sized businesses (SMBs), will also continue to rise. It’s shaping up to be another year of increasingly sophisticated cyber incidents. Here are seven trends shaping the IT security landscape that MSPs should be particularly aware of for 2023.
1. Accelerated shifts to hybrid work and cloud weaken the perimeter.
Endpoints are increasingly disconnected from the “office” network and instead are much more mobile. People work from anywhere (WFA) these days - home, grandma’s house, their kids’ soccer game. At the same time, servers are rapidly migrating from in-house data centers to public (or private) cloud. This continues to weaken the traditional notion of “perimeter” and what is inside versus outside the network. Attackers are adapting to exploit new weaknesses and the new network diagram. Are your protection and detection capabilities doing the same? Can you scan for vulnerabilities independent of location? Is your XDR service up to the task of detecting attacks in the public cloud?
2. Ransomware and attacks on operational tech (OT) will increase.
It’s sad to say, but crime does pay, and the takeaway for criminal gangs is that there are many, many weaknesses that can be exploited profitably in the always-on, rich Western world. Ransomware is expected to increase in volume and proliferate beyond North America to Europe. High-interest targets will include industries that have been slow to get on the security bandwagon or have a broad operational technology and IoT attack surface, or both — like manufacturing. Industries that have more to defend, such as medical/pharmaceutical companies whose revenue grew manyfold during pandemic times, will also be specific targets.
3. Wicked skill shortage of security professionals continues.
This trend has been true for some years now and shows no signs of slowing. As Blue Teams expand their recruiting globally, the shortage of experienced security staff will follow them. From a buyer’s perspective, one way of adding scarce skills to your team is to selectively and carefully add services from external providers. For suppliers of such services, more automation and more training of junior staff are a must.
4. Bad guys do their homework. Do you?
Postmortems for successful attacks repeatedly show patient attackers who take their time to lure victims, place malware, map the network, and learn patterns to stay below the detection threshold of even the most vigorously defended networks. Are you also doing homework to stay up to date on your own network, its map and its changes? Do you include the detection/protection you have in place, its efficacy, coverage and trends? For medium and large networks, it’s a job in itself — one that is apparently thankless and low ROI, but there is no escaping it. Company boards are beginning to have specific dedicated cybersecurity committees that will demand accountability.
5. Cyber risk will dictate business transactions.
Given that risks increasingly come through an organization’s supply chain and extended interconnected vendor and partner network, more and more medium and large businesses will use cyber risk as a determining factor in selecting partners and vendors. In days of yore, it was product quality, price and availability that largely determined vendor selection – now add cyber risk to the equation. Are you prepared to explain and demonstrate your cyber security posture to a customer? To your cyber insurance provider?
6. Data privacy laws will cover more and more endpoints.
GDPR-like data privacy laws in countries outside the EU will cover more and more users and endpoints. Governments are recognizing that such laws may be needed to protect their citizens and commerce. The intent is to increase the baseline minimum standards for ecommerce in much the same way as laws for motor safety evolved in the previous century with the growing risks of automobiles on the highways. While this is well intentioned, implementation and enforcement will be spotty and whimsical. The onus will fall on the network owner. Using external “expert” providers is a lower cost way of addressing this requirement and scaling over time. Most companies do not themselves adapt their legal contracts to satisfy GDPR but outsource that work to legal experts who specialize in this area. Expect the same with cybersecurity compliance.
7. Identity is the new endpoint.
With the dissolving of the enterprise and network "perimeter" (see number one above), you are who you authenticate as. Remote access is the rule, not the exception. Attackers have noticed and work hard to compromise users. When they are successful, you will find yourself dealing with an insider attack, which is much harder to detect. Methods such as enforcing multi-factor authentication (MFA), especially for high value admin accounts, and using User & Entity Behavior Analytics (UEBA) to identify out-of-ordinary or first-time-seen actions are the way out. These require meaningful data collection, machine learning and an active 24x7 SOC. Are these detections part of your XDR service provider’s repertoire?
Next steps for MSPs
As these trends manifest in the coming year, MSPs can help their SMB clients be aware of changes in their risk profile and new vulnerabilities they need to protect. Likewise, MSPs should keep in close contact with their security service provider partners. Don’t hesitate to ask the tough questions to make sure your service provider’s capabilities are evolving to address changes in attacker behavior and the IT landscape.
The cybersecurity threat landscape is in constant motion – ever evolving. According to Kaspersky Labs, 323,000 new malware strains are discovered daily! Clearly, this rate of increased risk to a company’s assets and business continuity warrants a smart investment in cybersecurity. Unfortunately, many companies are not keeping pace with their increasing risk, nor could they ever be expected to if their leadership views cybersecurity as a cost center while still viewing other innovations, such as digital transformation, as an investment.
For any digital transformation project to be successful and return the anticipated value, cybersecurity must be considered foundational.
Just as that new $500 suit is an investment to help you get that new job, the cost to have it tailored is part of that investment. The same goes for digital transformation and cybersecurity. But for many companies, the digital transformation is long underway, and cybersecurity desperately needs to catch up. That new suit needs to be tailored quickly before another person sees you in that poor-fitting getup.
A successful cybersecurity strategy has little hope if executive leadership does not champion the proper investment and prioritize the efforts. The result is too often organizations piecing together point IT security solutions one at a time, failing to prioritize holistic cybersecurity projects. This not only exacerbates the risks to the business, but also hampers the efficiency of other technology projects deemed to be competitive differentiators.
So, where do you start to improve your cybersecurity posture ASAP?
Here are some tools to help you along your journey…
Cybersecurity Maturity Model
It’s important to take a step back and understand where you are today, where you should be, and where you want to go next. By considering all four key aspects of a complete security architecture – prevent, detect, respond, and predict – a good Cybersecurity Maturity Model provides a practical stair-step approach toward the appropriate level for your organization.
SIEM Total Cost of Ownership Calculator
Security Information and Event Management (SIEM) is the foundation of any well-grounded IT security strategy. However, depending on your organization’s unique requirements, staffing, and deployment situation, the total cost of SIEM can vary widely. Use our SIEM TCO calculator to compare 1-year and 3-year costs of self-managed and Co-Managed SIEM solutions.
The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
The Council's five founding global payment brands - American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. - have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council.
All five payment brands, along with Strategic Members, share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards.
On this website you'll find useful information about the PCI Security Standards Council, the PCI DSS requirements for merchants, vendors and security consulting companies, and the Council's certification and merchant support services, all created to mitigate data breaches and prevent payment cardholder data fraud.
Note that enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands and not by the Council. Any questions in those areas should be directed to the payment brands.
For most organizations, the network map has changed dramatically. Organizations once had a defined network perimeter that clearly distinguished “inside” from “outside.” Endpoint devices like workstations and desktops were “inside,” physically and virtually. They could be authenticated once and trusted thereafter. After all, these devices never left the building.
Physical security further reinforced the fortress approach. Users were authenticated by the card reader at the front door or the security officer at the front desk, assuring their identity. Once inside they were clearly visible to co-workers, making it difficult for an outsider to pretend to be that trusted employee John.
Three trends are dissolving the network perimeter
Three major trends have completely upended this concept of the corporate IT network providing a protective perimeter around IT assets and data. Today, virtually every organization employs SaaS (software as a service) applications that, along with their associated data, reside outside of the network. Additionally, hybrid cloud has become the new normal, with IT resources residing in the public cloud as well as on premises.
And now, with mobility and employees working remotely, your endpoints and their users could be anywhere - grandma’s house, the kids’ soccer game, or on vacation in Costa Rica. The additional methods you used to rely on to validate that user - the front door card reader, the security guard, the co-workers - are long gone.
You can’t make assumptions about users based on IP address, because people can access your network from anywhere on the internet. When Netsurion went to a work-from-home mode during the pandemic, we got an alert that there was a successful login to our network from Cuba. It turned out Cuba was home to one of our South Florida employees. So, when we said, “Work from home,” he went home. But that location was out of the ordinary for us, so it got our attention. We investigated, and his manager confirmed that the location was valid. It was not a case of credential compromise.
The point is, location has changed so drastically that the assumption you made in the past - that if you know the endpoint and the IP address, you know the user - no longer applies.
The big risk: when outside attackers look like insiders
Why is protecting identity so important? If an attacker succeeds in masquerading as a legitimate user, then that outsider suddenly looks like an insider - and insider attacks are typically extremely difficult to detect. The potential for damage from an outsider masquerading as an insider is significant. The attacker can stay undetected inside your network for a long time, lying dormant or sniffing around to scout out valuable data to steal. Their behavior looks legitimate, and they don’t leave a trail of invalid or failed logins that usually indicate a breach.
If the attacker compromises a user with administration privileges, that’s an open door to go anywhere in the network that your configurations allow. That happened to one organization we know that failed to subdivide their network into domains, and an attacker was able to log in to multiple departments over several months and access systems and data. The attacker got spooked by the arrival of law enforcement at the front door. Mistakenly assuming he had been detected, he burned the infrastructure down. In the subsequent postmortem, a pattern of unexpected logins showed the probing conducted by the attacker in the months prior to detection.
Looking forward, user identity is the new endpoint to be protected, rather than only the device
That means you have to find a way to authenticate that your user John really is John, and not an attacker who has found a way to log on as John.
Passwords versus multi-factor authentication
If you are only relying on passwords, your protection is weak. Passwords are relatively “soft” targets that, in today’s interconnected world, are easily compromised. Stolen passwords are always for sale on the dark web, and there are many easy-to-access password cracking tools that attackers can use. And even though user education has gotten much better, the attackers using phishing and social engineering are also persistent in compromising user identities.
Much stronger protection comes from good password hygiene, like requiring password changes every 30 or 60 days, and even more so from multi-factor authentication (MFA). With MFA, the user has to present two factors simultaneously: something they know, like a password, and a second factor such as something they have (a mobile phone that receives a one-time authentication code) or something they are (a fingerprint read by the biometric reader on a laptop).
In our experience, convenience is the greatest enemy of security. When people bypass the default or don’t elect to implement MFA to protect their identity, they put your network at risk.
The next level of protection: User and Entity Behavior Analytics
The defense against insider attacks - or outsiders that have gained insider access - is User & Entity Behavior Analytics (UEBA). It uses machine learning (ML) to establish a baseline of normal behavior for each network user. Then the ML monitors massive amounts of telemetry to detect behavior that falls outside that normal range.
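The per-user baseline and “first-time-seen” detection described here (and in trend 7 above), run over constructed login events as an added example; this is not Netsurion’s ML or UEBA code, and the event fields (including the `country` value standing in for a geo-IP lookup) are assumptions.

```python
"""Per-user behavioural baseline for logins: learn each user's usual countries
and login hours from a history window, then flag later logins that fall
outside that range. Added example; all events below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed successful-login events (UTC). In practice these would be
# normalised SIEM records; here a history window builds the baseline and
# everything after it is scored.
EVENTS = [
    {"ts": "2020-03-02T13:05:00", "user": "jdoe", "country": "US", "src": "10.8.1.14"},
    {"ts": "2020-03-03T12:58:00", "user": "jdoe", "country": "US", "src": "10.8.1.14"},
    {"ts": "2020-03-04T13:10:00", "user": "jdoe", "country": "US", "src": "10.8.1.22"},
    {"ts": "2020-03-02T08:30:00", "user": "asmith", "country": "US", "src": "10.8.2.7"},
    {"ts": "2020-03-03T09:02:00", "user": "asmith", "country": "US", "src": "10.8.2.7"},
    # Work-from-home period: a new country for jdoe, an off-hours login for asmith.
    {"ts": "2020-03-20T14:00:00", "user": "jdoe", "country": "CU", "src": "203.0.113.9"},
    {"ts": "2020-03-21T03:15:00", "user": "asmith", "country": "US", "src": "198.51.100.4"},
]


def build_baseline(events):
    """Baseline = set of countries and set of login hours seen per user."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        baseline[e["user"]]["countries"].add(e["country"])
        baseline[e["user"]]["hours"].add(hour)
    return baseline


def score_event(event, baseline, hour_slack=2):
    """Return the anomaly reasons for one login against the baseline.
    An empty list means the login is within the user's normal range."""
    reasons = []
    profile = baseline.get(event["user"])
    if profile is None:
        return ["first-time-seen user"]
    if event["country"] not in profile["countries"]:
        reasons.append(f"first-time-seen country {event['country']}")
    hour = datetime.fromisoformat(event["ts"]).hour
    if all(abs(hour - h) > hour_slack for h in profile["hours"]):
        reasons.append(f"login hour {hour:02d} outside usual hours")
    return reasons


def detect(events, baseline_until):
    """Split events into a baseline window and a scoring window; return
    (user, timestamp, reasons) for every scored login that is anomalous."""
    history = [e for e in events if e["ts"] < baseline_until]
    recent = [e for e in events if e["ts"] >= baseline_until]
    baseline = build_baseline(history)
    alerts = []
    for e in recent:
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["user"], e["ts"], reasons))
    return alerts


if __name__ == "__main__":
    # Anomalies go to an analyst, who confirms with the user or manager (as in
    # the Cuba login above) rather than blocking on a single signal.
    for user, ts, reasons in detect(EVENTS, "2020-03-15T00:00:00"):
        print(f"ESCALATE {user} @ {ts}: {'; '.join(reasons)}")
```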
Anomalous user behavior revealed one of the largest security breaches of the 21st century. A security company (not ours) questioned a long-time employee’s request to register a new phone for MFA. By contacting the employee, the analyst discovered that the request came from an attacker already inside the network. That started the forensics that ultimately led to discovering the supply chain breach involving SolarWinds remote management software.
Netsurion employs UEBA as part of our Managed Open XDR solution, using our ML technology and analyst expertise to stop malicious insiders and outsiders masquerading as insiders. Once our ML identifies anomalous behavior by a user or a system, it is automatically elevated to a Security Operations Center (SOC) analyst for review. With advance directives from the customer, we can immediately block the suspicious action to protect highly sensitive data or systems.
Alternatively, we escalate what we’ve observed to the network owner for visibility. That’s how we found out that it was our employee logging in from Cuba, not an attacker. You can learn more about our UEBA capability here, or schedule time with a Cybersecurity Advisor to see if our managed service is a good fit.
Highlights from the 2016 Verizon Breach Investigations Report (Part 3 of 3)
Last week we covered the main tools hackers are using to access businesses’ networks.
As you learned, there are 3 items to focus on which caused most data breaches last year: vulnerabilities, phishing and weak credentials. Under these 3 focus points, we covered the 4 patterns of attack used by hackers, expanded on how dangerous these attacks are and how hackers are making it hard to protect your business.
But did you know, many of these attacks can be prevented with a little help and knowledge?
We all know anything that is valuable should be password protected; any valuable information in a business should be as well.
But is one password enough?
No. Two-Factor Authentication is key to protecting any critical information in a business. One of the easiest ways hackers will access a network is through keylogging malware.
Ensure that you are validating inputs, for example to prevent users from passing commands to the database via the customer name field, and check that an uploaded image isn’t a web shell.
Not trying to sound like a broken record, but Two-Factor Authentication is important in preventing POS intrusions as well.
Make sure you are able to monitor login activity for any unusual patterns. And don’t forget to talk to your vendors to ensure they are using Two-Factor Authentication to access your POS environment.
This is a critical environment attracting numerous hackers for an obvious reason: credit card data.
There are plenty of monitoring options available for a POS environment. Do you have one in place?
Monitoring will help track remote logins and verify each activity.
If your business has Wi-Fi for guests or even for employees, it is important to segment each environment.
Your POS environment should be separate from your corporate LAN and should never be visible to the entire internet.
To prevent these card skimmers, physical security will be needed. It is important to note that both the business and the consumer will need to take their own precautions.
Use endpoint protection. 90% of Cyber-Espionage incidents this year involved malicious software. This can happen via an email, web drive-by, or direct/remote installation.
Have an email protection strategy. Do you currently have in place spam protection, block lists and reporting procedures for suspected phishing attempts?
One of the main things to take care of is protecting your network. Three ways of doing this are:
Along with protecting your network you must monitor internal networks, devices, and applications.
Implementing such security can greatly reduce your chances of having your business be the next victim of a data breach. These aren’t easy and simple steps, but they sure are better than the steps a business owner deals with after their business is breached. Not to mention the money lost in a breach. If any of these steps are complicated to carry out on your own or by your IT staff, Lumifi can always help. We focus on taking care of the security of businesses, so business owners can run their business worry-free.
This is our last post in our three-part series of Highlights from the 2016 Verizon Breach Investigations Report. If interested in reading the previous two, click on the titles below:
Threat Summary:
On September 11th, 2023, MGM Resorts suffered a crippling ransomware attack that resulted in 10 days of computer system downtime as well as an estimated overall loss of $80,000,000. The threat actor, dubbed Scattered Spider, is claiming ownership of this hack and alleges to have ties with the infamous ALPHV/BlackCat ransomware gang. In this threat brief we will detail the events that occurred from initial access to recovery of MGM’s systems, common TTPs observed from this threat actor and other affiliated groups, as well as review detection, prevention, and mitigation options that would have been crucial to MGM’s security in all stages of this attack.
Lumifi’s Analysis:
To fully understand this attack, we need to look back at the previous operations of this threat actor. Throughout 2022 and early 2023, this threat actor primarily targeted systems that would provide access for SIM swapping attacks, as well as performing privilege escalation through BYOVD attacks (CVE-2015-2291). Performing a SIM swapping attack would allow the threat actor to gain access to any data sent to the victim’s phone number. By establishing prerequisite access to these systems, the threat actor already had the infrastructure in place to receive MFA codes sent to the target’s phone number via SMS, as well as to masquerade as the target when making outbound calls.
Fast forward to September 8th, 2023: the threat actor places a call to MGM Resorts’ internal IT helpdesk impersonating a legitimate employee (whose information was likely located on social media such as LinkedIn or Facebook). Once connected with a helpdesk agent, a password reset is requested and processed for the impersonated user account, with MFA being bypassed via SIM swapping, resulting in initial access for the attacker. Currently, this is all the information that has been confirmed in regard to the MGM compromise; however, the rest of the attack chain is predictable based on previous activity from this threat actor.
After gaining initial access, this threat actor has been observed using a VPN or local proxy to geolocate to the local area where the attack is occurring, in an attempt to blend in with the regular traffic and evade detection. Then the threat actor installs legitimate remote access software such as TeamViewer or AnyDesk as a persistence mechanism into the compromised environment. In the past, this threat actor has also been observed creating publicly accessible VMs in the victim’s cloud environment as a means of persistence.
Once persistence is established, this threat actor will spend significant time reviewing internal documentation, resources, and chat logs in an attempt to help with privilege escalation and long-term persistence. Additionally, this threat actor often achieves privilege escalation by targeting password managers and PAM systems as well as utilizing tools such as Mimikatz, Trufflehog and GitGuardian. After gaining escalated privileges, this group will begin to move laterally in the environment and perform internal reconnaissance to identify critical infrastructure.
After successfully gaining access to critical infrastructure, this threat actor will begin performing exfiltration of sensitive data via tools like RClone and DropBox. After the desired data is exfiltrated, the Volume Shadow Copy service is stopped and all shadow copies are deleted or corrupted. Finally, this threat actor will deploy the ALPHV ransomware variant, resulting in the encryption of critical systems, leave threatening notes in text files, contact executives via email and text, and infiltrate the communication channels used to respond to incidents.
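A stage-based correlation of the chain described above (helpdesk-assisted reset, new MFA device, remote access tool install, shadow copy deletion), run over constructed events as an added example; this is not Lumifi’s detection content, and the normalised event type names, fields and account names are assumptions standing in for SIEM records.

```python
"""Correlate stages of the intrusion chain above per account within a time
window, so that a helpdesk reset followed by a remote access tool install is
escalated before the ransomware stage. Added example; events are constructed."""
from datetime import datetime, timedelta

# Chain position -> normalised event type (assumed names) and description.
STAGES = [
    ("helpdesk_password_reset", "initial access: helpdesk-assisted reset"),
    ("mfa_device_registered", "initial access: new MFA device after reset"),
    ("remote_access_tool_installed", "persistence: TeamViewer/AnyDesk install"),
    ("shadow_copies_deleted", "impact: Volume Shadow Copies removed"),
]
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}

# Constructed events; 'actor' is the account the action was performed as.
EVENTS = [
    {"ts": "2023-09-08T10:02:00", "actor": "emp42", "type": "helpdesk_password_reset"},
    {"ts": "2023-09-08T10:09:00", "actor": "emp42", "type": "mfa_device_registered"},
    {"ts": "2023-09-08T11:40:00", "actor": "emp42", "type": "remote_access_tool_installed"},
    # A lone install with no preceding reset stays below the alert threshold.
    {"ts": "2023-09-08T11:45:00", "actor": "emp17", "type": "remote_access_tool_installed"},
    {"ts": "2023-09-10T23:55:00", "actor": "emp42", "type": "shadow_copies_deleted"},
]


def correlate(events, window_hours=72):
    """Return (actor, stages_reached, first_ts, last_ts) for every actor that
    reached two or more distinct stages inside one window. A chain starts at
    any stage; once the window from its first event expires, a new chain starts."""
    closed, open_chain = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] not in STAGE_INDEX:
            continue  # unrelated event type
        ts = datetime.fromisoformat(e["ts"])
        chain = open_chain.get(e["actor"])
        if chain and ts - chain["first"] > timedelta(hours=window_hours):
            closed.append(chain)  # window expired: close it and start afresh
            chain = None
        if chain is None:
            chain = {"actor": e["actor"], "first": ts, "stages": set()}
            open_chain[e["actor"]] = chain
        chain["stages"].add(STAGE_INDEX[e["type"]])
        chain["last"] = ts
    result = []
    for c in closed + list(open_chain.values()):
        if len(c["stages"]) >= 2:
            result.append((c["actor"], sorted(c["stages"]),
                           c["first"].isoformat(), c["last"].isoformat()))
    return result


def severity(stages_reached):
    """Critical once persistence follows a helpdesk reset, or once the impact
    stage is seen at all; two earlier stages alone are high."""
    if 3 in stages_reached or (0 in stages_reached and 2 in stages_reached):
        return "critical"
    return "high"


if __name__ == "__main__":
    for actor, stages, first, last in correlate(EVENTS):
        names = "; ".join(STAGES[i][1] for i in stages)
        print(f"{severity(stages).upper()} {actor} {first}..{last}: {names}")
```

Shrinking the window to 24 hours splits the emp42 activity into an initial-access/persistence chain and a separate, single-stage impact event, which is why the window should be set from the dwell times seen in these incidents rather than from a single day.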
Lumifi’s Current Coverage and Mitigation Recommendations:
The Scattered Spider APT is also known to have overlap and ties to a number of other ransomware groups and APTs as demonstrated via the below screen capture from a Mandiant threat researcher at Sleuthcon 2023. Considering the wide array of connections and overlap between these groups, there is also a high likelihood of the tactics observed by one group being utilized by others.
Link between Threat Actors (Lapsus, Oktapus, Scattered Spider)
Source: Jake Nicastro, Mandiant, at Sleuthcon 2023
Mitigation for the threats posed by this APT would include:
The Netsurion team was lucky enough to attend the RetailNOW 2016 conference last week, hosted by the Retail Solutions Providers Association (RSPA) in Grapevine, Texas.
The event, aimed at connecting the point-of-sale (POS) technology ecosystem, was extremely successful because it gave us the perfect platform to further connect with our existing partners—and to meet and interact with industry leaders.
Cybersecurity and breach prevention were some of the hottest topics at the conference—and we were able to share our expertise in these areas through breakout sessions and presentations.
Our “What’s up breaches!” T-shirts were also a great way to get the word out, with plenty of attendees sporting them throughout the week.
There have been many high profile breaches at well-known, big-budget chain restaurants and hotels recently. This just shows that even companies with expansive, big-budget security are still being targeted.
During our speaking sessions, we emphasized network security as the most important first line of defense.
It all comes down to this:
A well segmented network can be the difference between a successful business and a business in the headlines of the latest data breach.
According to the National Cyber Security Alliance:
96 percent of data breaches target the payment card industry. Such breaches can be caused by POS malware, employee mistakes, and internal or external hacking.
Not to mention that as businesses protect themselves from these threats, new technologies such as EMV, biometrics and mPOS arise. Technology gets better; hackers get smarter. So what are businesses doing to keep their brands and data secure?
Sure, it's important for businesses to embrace technology for the convenience of their customers and to stay competitive in the market. However, it's also important to remember the security risks that new (and more) technology brings.
This threat landscape and new technologies should ultimately push retailers to embrace network security as a first line defense strategy. Data security and PCI compliance should be the priority of any business in today’s market.
And businesses of all sizes deserve a chance to achieve enterprise-level data and network security.
Netsurion’s goal is to provide multi-location businesses with affordable but equally effective alternatives to self-managed security solutions—keeping the burden off the owners’ shoulders and away from their brand reputation.
Post-RetailNOW, Jim Roddy, reseller and ISV business advisor at Vantiv, posted an excellent conference roundup.
In the write-up, he stated:
“Managed services is no longer a far-off concept for POS providers. Many resellers I talked with have fully embraced the recurring revenue business model and are looking to expand it even further in their business. There are now model resellers you can pattern your business after if you want to move to the as-a-Service model.”
Mark Bartig, our senior vice president of Sales & Marketing, appeared on a Vantiv panel discussion called "Security as A HUGE revenue opportunity." The panel of experts offered best practices and tips on how providers can position security products and managed services to monetize security on a recurring basis.
And we’re lucky enough to have extremely supportive resellers who see the value in making their customers more secure. They’re a major factor in making our ultimate network and data security goals for all businesses a reality.
We are honored that they feel our support for them in return. To wrap up a productive and educational few days at the conference, we were thrilled to learn that we were selected as the ‘Reseller Support Services’ winner at the 2016 RSPA Vendor Awards of Excellence.
The annual awards are honors given to RSPA vendor members in recognition of their outstanding achievements in service, quality and channel engagement.
Netsurion was nominated by our partners and voted as the winner by the RSPA members. Our award was the last one introduced by RSPA. They mentioned it received an "overwhelming" response from the RSPA reseller community and that Netsurion was the only company worthy of being nominated for this category. This was truly a tribute to the entire Netsurion team, as it shows that our partners appreciate us as much as we appreciate them.
Thank you to everyone who helped make RetailNOW an overall success for Netsurion—we look forward to talking security with you all next year!
The FBI estimates that more than 4,000 ransomware attacks have occurred daily since the beginning of 2016, a 300% increase from the previous year. This is due in part to the thriving "ransomware-as-a-service" sector: individuals don't need a particular skill set; instead, malware developers advertise their ransomware on the dark web for distribution by less sophisticated attackers, and the developers take a cut of each ransom paid.
The cyber criminals behind these attacks aren't picky; they target big companies, small businesses, government entities, and individuals. But the damage they cause to small and medium-sized businesses (SMBs) is particularly alarming. A recent report by a security firm noted that 22% of SMBs affected by ransomware had to cease operations immediately, and one-third had suffered a ransomware attack in the previous year.
“If you haven’t been a victim of ransomware or any other type of computer attack, you have to operate as if it’s just a matter of time before you are – and take the steps to protect yourself and mitigate the resulting damage or loss,” says Sheraun Howard, supervisory special agent with the FBI’s Cyber Division in Washington, D.C.
How it Works
While the names, details, and entry points of each attack vary, the concept remains the same. First, the bad actors deliver the ransomware. This is often done through spearphishing emails: targeted phishing emails aimed at specific employees that contain personal details to make the fraud convincing. These emails or their attachments contain an exploit for a vulnerability in a particular software application that gives the attacker access to the computer. Once the attacker has access to that computer, they typically use additional malware to propagate throughout the network and drop the ransomware onto the environment. Once delivered, the ransomware prevents the targeted user from accessing their data or systems by encrypting their files. The targets then receive an email, text file, or screen message demanding that they pay a ransom to regain access.
How to Defend Yourself
The FBI recommends that all businesses take the following steps to reduce their risk of a ransomware attack:
These six recommendations are a solid start for individuals and companies, but at some point advanced threat protection with Co-Managed SIEM will need to be evaluated and adopted to truly stay ahead of attacks.
By Randy Franklin Smith
Computers do what they are told, whether good or bad. One of the best ways to detect intrusions is to recognize when computers are following bad instructions, whether in binary form or in some higher-level scripting language. We'll talk about scripting in the future, but in this article I want to focus on monitoring execution of binaries in the form of EXEs, DLLs and device drivers.
The Windows Security Log isn't very strong in this area. Event ID 4688 tells you when a process starts and gives the name of the EXE; in current versions of Windows you thankfully get the full path, while older versions only gave the file name itself. But even the full path isn't enough, because it is just the name of the file and says nothing about the file's contents, which is what actually matters. When we see that C:\Windows\notepad.exe ran, how do we know it was really the innocent notepad.exe that ships from Microsoft? It could be a completely different program substituted by an intruder or, in more sophisticated attacks, a modified version of notepad.exe that looks and behaves like Notepad but also executes malicious code.
Instead of just the name of the file we really need a hash of its contents. A hash is a short, fixed-length mathematical digest of the file's bit stream. Change one or more bits of the file and you get a different hash. (Alert readers will recognize that this cannot strictly be true in every case, since collisions must exist, but with a modern hash such as SHA-256 the probability of two different files sharing a hash is negligible, so in practice it can be treated as true.)
Unfortunately, the Security Log doesn't record the hash of EXEs in Event ID 4688, and even if it did, that would only catch EXEs; what about DLLs and device drivers? Microsoft's internal security teams recognized this gap as well, which apparently led Mark Russinovich and colleagues to write Sysmon. Sysmon is a small, efficient program you install on all endpoints that generates a number of important security events "missing" from the Windows Security Log. In particular, Sysmon logs:
Together these three events (process creation, image load and driver load) create a complete audit record of every binary file loaded (and likely executed) on a system where Sysmon is installed.
But in addition to covering DLLs and drivers, these events also provide the hash of the file contents at the time it was loaded. For instance, the event below shows that chrome.exe was executed and tells us that its SHA-256 hash was 6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57.
Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
Now, assuming we have the ability to analyze and remember hashes, we can detect whenever a new binary runs on our network.
Sysmon lets you create include and exclude rules that control which binaries are logged and which hashes are computed, based on an XML configuration file you supply at installation time or at any later point with the /c switch. Sysmon is easy to install remotely using Scheduled Tasks in the Preferences section of Group Policy. In our environment we store our sysmon.xml file centrally and have our systems periodically reapply that configuration in case it changes. Of course, be sure to tightly control permissions on the location where that configuration file is stored: anyone who can modify it can exclude their own tooling from logging.
Just because you see a new hash doesn't necessarily mean you've been hacked. Windows systems are constantly updated with Microsoft and third-party patches. One of the best ways to distinguish legitimate patches from malicious file replacements is to regularly whitelist the hashes of known programs from systems that are patched early, such as patch-testing systems.
Once Sysmon is installed you need to collect the Sysmon event log from each endpoint and then analyze those events to detect new software. EventTracker is a great technology for accomplishing both of these tasks.
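The following is an added example, not code from the article or from Sysmon, of the "remember hashes and flag new ones" logic described above. It parses the Field: value text form of Sysmon Event ID 1 shown earlier, keeps a set of every SHA-256 seen, and learns hashes silently when they first appear on designated patch-testing hosts (the article's trick for telling a legitimate patch from a replaced binary). The host names PATCHTEST01 and WKS042, the second and third hashes, and the Temp-folder svchost.exe path are constructed for the demo.

```python
"""Baseline the hashes Sysmon records and flag binaries never seen before.

Added example (not from the original article or from Sysmon). Sample events
and host names below are constructed; the first hash is the one in the article.
"""
import re
from typing import Dict, List, Optional, Set

# One 'Field: value' per line. The 'Process Create:' title contains a space
# before the colon and so is skipped by this pattern.
_FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$", re.MULTILINE)


def parse_process_create(event_text: str) -> Dict[str, str]:
    """Turn the multi-line Sysmon message into a dict of field -> value.

    The Hashes field is split into one entry per algorithm ('SHA256', 'MD5', ...);
    Sysmon writes 'Hashes: SHA256=...,MD5=...' when several are configured.
    """
    fields = {k: v.strip() for k, v in _FIELD_RE.findall(event_text)}
    for pair in fields.pop("Hashes", "").split(","):
        if "=" in pair:
            alg, value = pair.split("=", 1)
            fields[alg.strip().upper()] = value.strip().upper()
    return fields


class HashBaseline:
    """Remembers which SHA-256 hashes have been seen running across the estate."""

    def __init__(self, patch_test_hosts: Set[str]):
        self.patch_test_hosts = {h.upper() for h in patch_test_hosts}
        self.known_hashes: Set[str] = set()
        self.hashes_by_image: Dict[str, Set[str]] = {}

    def observe(self, host: str, event: Dict[str, str]) -> Optional[str]:
        """Record one Process Create event; return an alert string or None."""
        sha256 = event.get("SHA256")
        image = event.get("Image", "<unknown>")
        if not sha256:
            return f"{host}: {image} logged without a SHA256 hash; check the sysmon config"
        if sha256 in self.known_hashes:
            return None
        image_seen_before = image.lower() in self.hashes_by_image
        self.known_hashes.add(sha256)
        self.hashes_by_image.setdefault(image.lower(), set()).add(sha256)
        if host.upper() in self.patch_test_hosts:
            return None  # first seen on an early-patched system: treat as a legitimate update
        if image_seen_before:
            return f"{host}: {image} ran with never-seen hash {sha256} (patch, or replaced binary?)"
        return f"{host}: never-seen binary {image} with hash {sha256}"


# Constructed sample stream of (host, raw Sysmon Event ID 1 text), in arrival order.
SAMPLE_STREAM = [
    ("PATCHTEST01", r"""Process Create:
UtcTime: 2017-04-28 22:08:22.025
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
User: LAB\rsmith
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
"""),
    ("WKS042", r"""Process Create:
UtcTime: 2017-04-29 09:12:03.110
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
User: LAB\jdoe
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
"""),
    ("WKS042", r"""Process Create:
UtcTime: 2017-04-29 09:15:44.902
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
User: LAB\jdoe
Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111,MD5=00000000000000000000000000000000
"""),
    ("WKS042", r"""Process Create:
UtcTime: 2017-04-29 09:16:01.004
Image: C:\Users\jdoe\AppData\Local\Temp\svchost.exe
User: LAB\jdoe
Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222
"""),
]


def run_detection(stream=SAMPLE_STREAM, patch_test_hosts=("PATCHTEST01",)) -> List[str]:
    """Feed events through the baseline in order and return the alerts raised."""
    baseline = HashBaseline(set(patch_test_hosts))
    alerts = []
    for host, text in stream:
        alert = baseline.observe(host, parse_process_create(text))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_detection():
        print(line)
```

Run as-is, the first chrome.exe hash is learned from PATCHTEST01 and raises nothing on WKS042; the unknown chrome.exe hash and the svchost.exe running from a user's Temp folder each raise one alert. Remove PATCHTEST01 from the patch-test set and the first event alerts too, which is the noise the early-patched-systems whitelist is meant to absorb.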
HIPAA Logging HOWTO, Part 2
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security and privacy standards for health information, both electronic and physical. The main mission of the law is "to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery" (HIPAA Act of 1996, http://www.hhs.gov/ocr/privacy/). A recent enhancement to HIPAA is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The act seeks to "promote the adoption and meaningful use of health information technology" and "addresses the privacy and security concerns associated with the electronic transmission of health information" (HITECH Act of 2009).
As we mentioned before, HIPAA itself does not descend to the level of specific security controls and technologies to implement. This requires the organizations affected by HIPAA, also known as "covered entities", to follow the spirit of the regulation rather than its letter. It is also interesting to note that insurance companies and many hospitals that accept payment cards are subject to both HIPAA and PCI DSS (covered in our previous newsletters). Understandably, the scope of applicability across the organization may differ, since payment processing systems should not store patient health information and vice versa. Still, considering the same technical and administrative controls for both regulations is prudent and saves money in both the short and the long term.
The previous newsletter focused on general HIPAA logging and log review processes and on platform logging. This installment covers application logging issues specific to medical applications.
While platform-level logging is useful for protecting sensitive health information, the majority of health information is stored in databases and processed by healthcare-specific applications. Such applications are either procured from specialty vendors or developed internally or via outsourced developers.
HIPAA's audit control requirements, in Section 164.312(b), apply to application logging as much as or more than to platform logging. This means that custom applications need to be engineered with adequate logging, and existing application logging needs to be assessed for adequacy; many legacy applications do not record sufficient detail for events and may skip logging some events altogether. Thus, before embarking on this project, determine which applications within your organization contain Protected Health Information (PHI) and what their existing levels and methods of logging are.
Let’s define some of the guidance for what to log to satisfy the spirit and letter of HIPAA Security Requirement as well as NIST 800-66 HIPAA clarifications.
Before we can define good HIPAA logging, let’s consider typical security use for log data.
At a high level, the best audit logs tell you exactly what happened, when, where and how, as well as who was involved. Such logs are suitable for manual, semi-automated and automated analysis. Ideally, they can be analyzed without having the application that produced them at hand, and definitely without having the application developer on call; in the case of healthcare applications such a developer may not be available at all, and the security team will have to proceed on its own. From the log management point of view, the logs can be centralized for analysis and retention. Finally, they should not slow the system down, and their reliability should be demonstrable if they are used as forensic evidence.
Two primary things need to be defined: which events to log, and what details to log for each event.
It should also be noted that certain details should never be logged. The example is obvious: application or system passwords should never appear in logs (sadly, this still happens in web applications). Just as obviously, the health information itself should be kept out of logs.
What events to log?
What is the overall theme for selecting which events to log?
Clearly, we need to know who accesses any health information, when, and why. We also need to know who adds, changes or deletes it. But that is not all: we also need to record who tries but fails to read, change or delete information. If we are unable to record access to each piece of data, we need to carefully record all access to the application itself.
Next, we need to know who performs other actions on systems that process health information, since such activities might affect future access to healthcare data. For example, we need to record if somebody turns logging off or adds a new component to the system that might enable unfettered access to data. In addition, we need to record other critical events occurring on health information systems, as such events might present circumstantial evidence of unauthorized access.
The following list presents a structured view of the above criteria:
While creating a comprehensive "what to log" list for every healthcare application in existence is probably impossible, the above list should give you a useful starting point for your relevant applications. It can be converted into your application logging policy without much extra work. Please refer to the previous newsletter for setting up a log monitoring and review process.
What details to log?
Next, what data should you log for each event, and at what level of detail should you log it? The overall theme we use here is the following:
Who was involved?
What happened?
Where did it happen?
When did it happen?
Why did it happen?
How did it happen?
The list below gives you a starting point based on that theme:
Timestamp + time zone: answers the "when" question; the time zone is essential for distributed applications
System, application or component: answers the "where" question and needs to provide relevant application context as well
Source: for messages related to network connectivity or distributed application operation, logs also need to answer the "where from" question by providing a network source
Username: answers the "who" question for those events that relate to user or administrator activity
Action: answers the "what" question by providing the nature of the event recorded in the log
Object: also answers the "what" question by identifying which system component or other object (such as a user account) was affected
Status: also answers the "what" question by stating whether the action aimed at the object succeeded or failed (other statuses are possible, such as "deferred")
Priority: last but not least, every logged event should carry an indication of how important it is. A uniform scale for ranking events by importance is impossible, since different organizations have different priorities (events affecting availability versus confidentiality of information might be rated differently), but each application should at least use one consistent scale
Thus, a useful application audit log message might look like this:
2010/12/31 10:00:01AM GMT+7 priority=3, system=mainserver, module=authentication, source=127.0.0.1, user=anton, action=login, object=PHI_database, status=failed, reason="password incorrect"
By the way, notice that an extra field, reason, is added to the above example log message to explain the failure. Also notice that the above example is not in XML: as we mentioned above, human readability is a useful property for logs, and computers can deal with name=value pairs just as well as with XML. Health Level Seven (HL7) XML-based messages can easily be converted to text, for those applications that log in HL7.
We also mentioned above that being able to easily centralize logs is essential for distributed log analysis, whether across multiple systems or across the components of a distributed application. While syslog has been the king of log centralization due to its easy UDP delivery (which, note, provides neither delivery guarantees nor confidentiality, a concern if the logs are to serve as evidence), modern cross-platform application frameworks call for a publish/subscribe model for log delivery, similar to the one used in modern Windows versions. In this model a security monitoring tool subscribes to a particular type of logged event and receives all relevant logs in near real time if needed.
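As an added example (not from the newsletter), the checker below applies the guidance above to records in the name=value format just shown: it requires the who/what/where/when fields, insists on a time zone in the timestamp, flags field names such as password that must never be logged, and requires a reason whenever an action failed. The first sample record is the newsletter's own; the other two records, the hunter2 password and the patient/1042 object are constructed.

```python
"""Check application audit records against the who/what/where/when theme.

Added example, not from the newsletter. The second and third sample records
are constructed; the first is the article's own example message.
"""
import re
from typing import Dict, List

REQUIRED_FIELDS = ("timestamp", "system", "user", "action", "object", "status")
# Field names whose values must never reach a log (credentials, PHI payload).
FORBIDDEN_FIELDS = {"password", "passwd", "pwd", "secret", "token", "ssn", "diagnosis", "mrn"}

# Leading timestamp: date, time, optional AM/PM, then an optional time zone token.
_TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:AM|PM)?)(?: (GMT[+-]\d+|UTC|Z))?")
# key=value pairs; a value is double-quoted (may hold spaces and commas) or a bare token.
_PAIR_RE = re.compile(r'(\w+)=("([^"]*)"|[^,\s]+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Return the record's fields, with timestamp and time zone as separate keys."""
    fields: Dict[str, str] = {}
    rest = line
    m = _TS_RE.match(line)
    if m:
        fields["timestamp"] = m.group(1)
        if m.group(2):
            fields["tz"] = m.group(2)
        rest = line[m.end():]
    for key, raw, quoted in _PAIR_RE.findall(rest):
        fields[key.lower()] = quoted if raw.startswith('"') else raw
    return fields


def check_audit_record(line: str) -> List[str]:
    """List everything wrong with one record; an empty list means it passes."""
    f = parse_audit_record(line)
    findings = [f"missing required field '{k}'" for k in REQUIRED_FIELDS if k not in f]
    if "timestamp" in f and "tz" not in f:
        findings.append("timestamp has no time zone")
    findings += [f"sensitive field '{k}' must not be logged" for k in f if k in FORBIDDEN_FIELDS]
    if f.get("status", "").lower() == "failed" and "reason" not in f:
        findings.append("failed action logged without a reason")
    return findings


SAMPLE_RECORDS = [
    # the newsletter's example record
    '2010/12/31 10:00:01AM GMT+7 priority=3, system=mainserver, module=authentication, '
    'source=127.0.0.1, user=anton, action=login, object=PHI_database, status=failed, '
    'reason="password incorrect"',
    # constructed: no time zone, no user, no reason, and the password itself was logged
    '2010/12/31 10:00:05AM priority=3, system=mainserver, module=authentication, '
    'source=127.0.0.1, action=login, object=PHI_database, status=failed, password=hunter2',
    # constructed: a successful PHI read with every required field present
    '2010/12/31 10:02:17AM GMT+7 priority=2, system=mainserver, module=records, '
    'source=10.0.0.5, user=anton, action=read, object=patient/1042, status=success',
]


def check_all(records=SAMPLE_RECORDS) -> Dict[int, List[str]]:
    """Map record index -> findings, for every record that has any."""
    return {i: found for i, rec in enumerate(records) if (found := check_audit_record(rec))}


if __name__ == "__main__":
    for idx, found in check_all().items():
        print(f"record {idx}:")
        for item in found:
            print("  -", item)
```

Only the second record fails, with four findings. Note that the word "password" inside the quoted reason of the first record is not flagged: the check is on field names, because a reason text is exactly where the newsletter says the failure explanation belongs, while a password field is where the credential itself would leak.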
In addition to that very basic conclusion, that you must log access to sensitive healthcare data, we have to remind our readers that the importance of logging will only grow along with application complexity. In particular, the need to analyze application behavior and the movement of sensitive information across distributed and cloud-based applications calls for us to finally get application logging under control.
Software architects and implementers need to "get" logging; there is no other way, since infrastructure logging from network devices and operating systems will not do for detecting and investigating application-level threats to ePHI. The security team, ultimately responsible for log review, will need to guide developers toward useful and effective logging that can be used for both monitoring and investigative activities.
Certainly, logging standards such as MITRE CEE (cee.mitre.org) will help, but it may take a few years before they are fully developed and widely adopted. Pending a global standard, an organization should quickly build and then use its own application logging standard. HIPAA compliance presents a great motivation for creating and adopting such a standard.
Industry News
Pirate Bay hack exposes user booty
Security weaknesses in the hugely popular file-sharing website thepiratebay.org have exposed the user names, e-mail and Internet addresses of more than 4 million Pirate Bay users… An Argentinian hacker named Ch Russo said he and two of his associates discovered multiple SQL injection vulnerabilities that let them into the user database for the site.
Zeus is back with terrorism-themed spam run
Trojan-laden emails claiming to offer official terrorism information have been hitting inboxes… The emails are spoofed to look like they originate from the U.S. Department of Homeland Security, Pentagon or Transportation Security Administration. Users are encouraged to click on two links, supposedly leading to reports, but which are actually ZIP files containing the insidious Zeus, or Zbot, trojan.
Related Resource: Webinar – Learn how implementing change control in your enterprise can help you handle critical security challenges including BOTnet and zero-day attacks.
Database admin gets 12 months for hacking employer
A former database administrator for Houston’s GEXA Energy was sentenced to 12 months in prison and fined $100,000 for hacking into his former employer’s network. He remotely accessed the GEXA Energy network without authorization, impaired the availability of data and copied a database file containing personal information. GEXA Energy estimates that Kim’s actions resulted in a loss of at least $100,000.
Did you know? Security violations by insiders are often the hardest to discover, but cause the greatest damage and cost the most to repair. EventTracker helps by monitoring all user and admin activity, automatically detecting policy violations and out-of-the-ordinary or suspicious behavior.
Aristotle put forth the idea in his Poetics that a drama has three parts: a beginning or protasis, a middle or epitasis, and an end or catastrophe. Far too many SIEM implementations are considered to be catastrophes. Having implemented hundreds of such projects, we offer here the three parts of a SIEM implementation which, if followed, will minimize the drama and maximize the ROI. If you prefer the video version of this, click here.
The beginning or protasis
The middle or epitasis
The end or catastrophe
The cybersecurity market is loaded with ambiguous buzzwords and competing acronyms that make it very difficult to clearly distinguish one infosecurity capability from another.
If your efforts to understand what cybersecurity components you need to focus on have left you frustrated, you're not alone.
Let’s cut to the chase and separate fact from fiction regarding cybersecurity’s biggest buzzwords.
That’s right. These big three really all belong in one group.
Artificial intelligence (AI) and machine learning (ML) are two very significant concepts right now, and often seem to be used interchangeably. However, while related, they are not quite the same thing.
Artificial intelligence is the wider concept of machines being able to carry out tasks in a way that we would consider "smart" while ML is the application of AI based on the idea that machines should be able to learn on their own from the data provided to them.
An actionable security intelligence platform uses machine learning to understand and predict normal system activities and event occurrences within an enterprise. In the context of cybersecurity, machine learning is leveraged for User and Entity Behavior Analytics (UEBA).
UEBA capabilities use machine learning to gain an understanding of how users (humans) and entities (machines) typically behave within an environment. It looks for risky, anomalous activity that deviates from normal user behavior, and alerts accordingly based on what may indicate a threat.
Common examples include a user accessing a system at an unusual time or location, or simply accessing a system not in their routine. In terms of entity behavior, an example would be a compromised computer being used as an entry point to attempt to log into various other servers and assets.
All of this analysis, correlation, and reporting is done by first collecting and storing event and log data within the SIEM (Security Information and Event Management) technology – bottom-line, an actionable security intelligence platform.
But wait, you may be asking yourself, "Didn't some vendor tell me 'SIEM is dead'?" Nothing could be further from the truth. What's really being said is that the first-generation SIEM platform is dead: the one that was nearly impossible to deploy, collected massive amounts of logs, and spat out an unmanageable pile of false-positive alerts for an analyst to ignore. Of course that SIEM is, and should be, dead.
What's misleading in that statement is that today's understanding and expectations of a SIEM are much different. Any SIEM solution worth its salt is going to incorporate functionality originally delivered by point solutions such as endpoint detection and response (EDR), intrusion detection systems (IDS), user and entity behavior analytics (UEBA), threat intelligence feeds, and more.
Furthermore, today's most effective SIEM solutions should offer practical pricing models, deployment options, and managed services.
Machine learning capabilities allow a platform to more effectively find the proverbial "needle in a haystack" by detecting and alerting to real threats and minimizing false positives.
But security analysts still need to respond to such incidents.
EventTracker incorporates SOAR functionality to reduce response times, improve remediation consistency, and increase SOC productivity. For instance, unknown processes can be immediately terminated, monitored for propagation of suspected malware, and placed in an incident report in an enterprise's IT management platform (Security Orchestration).
In such case, when EventTracker detects a threat, it does not just "say something", it "does something" (Automated Response).
Technology is only part of the equation. Many organizations lack the staff and resources to realize the full potential of their investment in threat lifecycle management.
A comprehensive managed solution includes a team of security analysts armed with global and local threat intelligence, which is layered on top of a SIEM platform to perform 24/7 monitoring, analysis, and incident response.
This is basically SOC-as-a-Service. The “i" in iSOC means that this group includes a threat research lab, which in some cases is an entity in and of itself.
An iSOC typically consists of:
With Netsurion's Managed Threat Protection solution, the iSOC understands the unique needs of an organization and manages systems administration and tuning, builds out response play books, and conducts regular executive summaries using critical observation reports (CORs).
This co-managed SIEM solution is, for many organizations, a much more cost-effective method to achieve security and compliance results.
So, there you have it. Artificial intelligence (AI), machine learning (ML), User and Entity Behavior Analytics (UEBA), Security Orchestration and Automated Response (SOAR), and Intelligence-Driven Security Operations Center (iSOC) are concepts that are often misconstrued or misused, but when properly understood, they really do convey beneficial cybersecurity concepts and capabilities.
The best way to apply these concepts to your organization, depends on your unique situation. Talk to a Netsurion expert to find out what cybersecurity solution is right for you.
Threat Summary:
Flax Typhoon is a suspected China-based, nation-state threat actor whose TTPs appear to be closely aligned with espionage objectives and extended persistence. Despite activity tracing back to mid-2021, this APT's final objectives are unknown. It has mostly been observed targeting government, education, and critical manufacturing organizations in Taiwan, though a small subset of attacks has occurred in North America, Africa, and Southwest Asia. The tactics and techniques used in these attacks are easily modified for use against a broad range of networks and industries and could have disastrous outcomes if carried out against an organization. With minimal "out-of-the-box" coverage by traditional security vendors, Lumifi aims to break down the attack methods of this threat actor and to provide coverage and mitigation guidance for potential attacks following a similar attack chain.
Lumifi's Analysis:
Flax Typhoon has been observed using tools such as Mimikatz, the China Chopper web shell, Metasploit, and the SoftEther VPN client, but the group primarily relies on hands-on-keyboard activity and living-off-the-land techniques.
This threat actor gains initial access by exploiting known vulnerabilities in public-facing servers across a variety of services, including (but not limited to) VPN, SQL, Java, and web applications, with the goal of dropping a web shell that allows remote code execution (RCE) on the targeted server. Once the server is compromised, if the actor does not have administrative permissions, they run a privilege-escalation tool such as Juicy Potato to obtain local SYSTEM permissions and then use WMIC, PowerShell, or the command line as a local administrator.
Once full system access is achieved, Flax Typhoon disables Network Level Authentication (NLA) for RDP and modifies the Sticky Keys binary's execution options so that Windows Task Manager launches as its debugger, giving the actor a way to launch a Windows command interface and create memory dumps with SYSTEM-level permissions. While RDP typically listens only on an internal-facing network interface, the actor also installs a legitimate VPN bridge that calls back to network infrastructure under their control, giving them long-term SYSTEM-level access to the compromised host.
To deploy this VPN, the actor uses one of many LOLBins, such as PowerShell, BITSAdmin, or CertUtil, to download the SoftEther VPN executable from their infrastructure. Once the file is downloaded, a service or scheduled task is created to launch the VPN bridge automatically when the compromised machine starts. To make detection harder, the file is renamed to 'conhost.exe' or 'dllhost.exe' to imitate legitimate Windows components. The actor also uses the VPN's built-in VPN-over-HTTPS mode to blend in with legitimate HTTPS traffic and evade most network security controls.
At this point a foothold is established on the compromised host, and an unusual pattern emerges. In some cases, LOLBins such as WinRM and WMIC are used to move laterally to other systems on the network, or the actor attempts to dump LSASS and read the SAM registry hive to obtain account password hashes for use against other network resources via password cracking or pass-the-hash attacks. In most cases, however, minimal activity occurs after persistence is established. Given this behavioral pattern and the lack of data-collection or exfiltration objectives, these attacks are suspected to be part of a larger espionage campaign, though the campaign's final objectives have not been observed.
Lumifi's Current Coverage and Mitigation Recommendations:
Lumifi currently has a number of detections in our content library that would successfully detect this threat actor at multiple points in their attack chain. The usage of tools such as Metasploit and Mimikatz would be detected via our rule 'LMFI - Powershell Exploitation Framework Activity'. Usage of BITSAdmin or CertUtil to download a malicious file would be detected by our rules 'LMFI - Persistence using BITSadmin' and 'LMFI - Suspicious Certutil Usage' respectively. Along with these detections, we have also created detections specifically focused on this attack chain, which detect the persistence mechanisms associated with disabling NLA for RDP and spawning any suspicious processes from accessibility functions such as command-line consoles and task manager. These rules are titled 'LMFI - NLA for RDP Tampering' and 'LMFI - Suspicious Process Spawned from Accessibility Functions'.
As for mitigations and defending against Flax Typhoon, this starts with vulnerability management, especially on any systems exposed to the public internet. Additionally, registry auditing should be enabled so that any changes made to critical registry keys are logged and can be used for threat hunting and event correlation. RDP usage should be reduced to a minimum, and any system that is not expected to maintain RDP connections should generate an alert when one appears. Finally, use MFA on all accounts and rotate passwords regularly.
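As an added illustration of the two rule ideas above (this is not Lumifi's rule content or any vendor code), the following Python flags a console or Task Manager launched from an accessibility-feature binary in a 4688 process-creation event, and a change of the RDP UserAuthentication registry value to 0 in a 4657 registry-audit event. The sample events are constructed, and the field names and key-path matching are assumptions noted in the comments.

```python
"""Added example (not Lumifi's rule logic): match two Flax Typhoon
persistence behaviours in Windows Security events.

Events are constructed dicts using the EventData field names of
Event ID 4688 (NewProcessName, ParentProcessName) and Event ID 4657
(ObjectName, ObjectValueName, NewValue). 4657 only appears once
registry auditing (a SACL on the key) is enabled, as recommended above.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Windows accessibility-feature binaries that can run from the logon
# screen; none of them should ever spawn a console or Task Manager.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe",
    "narrator.exe", "magnify.exe", "displayswitch.exe",
}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "taskmgr.exe"}

# RDP-Tcp\UserAuthentication = 1 requires NLA; a change to 0 disables it.
# Matching on the key suffix (case-insensitive) covers both the
# CurrentControlSet and ControlSet001 spellings seen in audit events
# (assumption about how the log renders the key).
NLA_KEY_SUFFIX = "\\control\\terminal server\\winstations\\rdp-tcp"
NLA_VALUE_NAME = "userauthentication"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event: Dict[str, object]) -> Optional[str]:
    """Return the matching rule name, or None if the event is benign."""
    if event.get("EventID") == 4688:
        parent = _basename(str(event.get("ParentProcessName", "")))
        child = _basename(str(event.get("NewProcessName", "")))
        if parent in ACCESSIBILITY_BINARIES and child in SUSPICIOUS_CHILDREN:
            return "Suspicious Process Spawned from Accessibility Functions"
    elif event.get("EventID") == 4657:
        key = str(event.get("ObjectName", "")).lower()
        name = str(event.get("ObjectValueName", "")).lower()
        if (key.endswith(NLA_KEY_SUFFIX) and name == NLA_VALUE_NAME
                and str(event.get("NewValue")) == "0"):
            return "NLA for RDP Tampering"
    return None


def scan(events: Iterable[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (computer, rule, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = check_event(ev)
        if rule is not None:
            detail = str(ev.get("NewProcessName") or ev.get("ObjectValueName", ""))
            hits.append((str(ev.get("Computer", "?")), rule, detail))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS02",
     "ParentProcessName": r"C:\Windows\System32\sethc.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4657, "Computer": "WS02",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp",
     "ObjectValueName": "UserAuthentication", "NewValue": "0"},
    {"EventID": 4657, "Computer": "WS03",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example",
     "ObjectValueName": "Setting", "NewValue": "0"},
]

if __name__ == "__main__":
    for computer, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{computer}: {rule} ({detail})")
```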
We are delighted that EventTracker is now part of the Netsurion family.
On October 13, 2016 we announced our merger with managed security services provider Netsurion. As part of the agreement, Netsurion’s majority shareholder, Providence Strategic Growth, the equity affiliate of Providence Equity Partners, made an investment in EventTracker to accelerate growth for our combined company. Netsurion’s managed security services protect multi-location businesses’ information, payment systems, and on-premise public and private Wi-Fi networks from data breaches, data loss, and other risks posed by hackers.
We are thrilled to join with a dynamic and leading security organization to provide a managed network security service that couples our cutting-edge managed SIEM offering with a state-of-the-art managed firewall.
As the threat landscape evolves rapidly and hackers become more sophisticated, it’s become clear that comprehensive security solutions, like SIEM, are necessary to protect organizations from current and emerging threats and to ensure your brand is safe. However, many small and multi-location businesses cannot afford, and do not have the knowledge to manage, such complex systems. Combining our cloud-based SIEM capabilities with Netsurion’s expertise in managed security services allows us to deliver SIEM to a class of businesses that previously was unable to afford and manage such sophisticated security measures. Now any sized branch or remote office, franchise, or sole proprietor operation can use Netsurion’s managed network security service or EventTracker’s SIEM services without the costs and complexity of full-time dedicated resources.
This transaction is only the beginning of a series of amazing new offerings we will be announcing in the coming months. We will soon be introducing a new product offering that will bring enterprise-level SIEM security down to the multi-location environment, as well as enhanced PCI-DSS compliance services, including a new FIM solution and PCI QSA consulting services.
I am often asked: if Log Management is so important to the modern IT department, how come more than 80% of the market that “should” have adopted it has not done so?
The cynic says “unless you have best practice as an enforced regulation (think PCI-DSS here)” then ’twill always be thus.
One reason I think this is so is that earlier generations never had power tools and found looking at logs to be hard and relatively unrewarding work. That perception is hard to overcome even in this day and age, after endless punditry and episode after episode has clarified the value.
Still resisting the value proposition? Then consider a recent column in the NY Times which quotes Dov Seidman, the C.E.O. of LRN, who describes two kinds of values: “situational values” and “sustainable values.”
The article is in the context of the current political situation in the US but the same theme applies to many other areas.
“Leaders, companies or individuals guided by situational values do whatever the situation will allow, no matter the wider interests of their communities. For example, a banker who writes a mortgage for someone he knows can’t make the payments over time is acting on situational values, saying: I’ll be gone when the bill comes due.”
At the other end, people inspired by sustainable values act just the opposite, saying: I will never be gone. “I will always be here. Therefore, I must behave in ways that sustain — my employees, my customers, my suppliers, my environment, my country and my future generations.”
We accept that your datacenter grew organically, that back-in-the-day there were no power tools and you dug ditches with your bare hands outside when it was 40 below and tweets were for the birds…but…that was then and this is now.
Get Log Management, it’s a sustainable value.
–Ananth
Providing your patients with Wi-Fi while they wait, obtaining their information from an iPad, or allowing them to check their records online is simply expected and no longer seen as a luxury. While you focus on providing the best health service for your patients, it is easy to underestimate the risks you expose your practice to should you implement mobile tech without basic security measures.
With hackers out there “turning doorknobs” looking for unlocked networks, it’s absolutely necessary to not forget about security.
Many healthcare practices think a data breach will never happen to them. But the truth of the matter is that only “The Big Guys” like Anthem, Excellus and Premera (to name a few) make the Data Breach headlines… precisely why hackers primarily go after small practices!
After all, those smaller practices tend to lack the resources to keep their network security top-of-mind.
Provide your patients with the latest and most convenient technology you can while keeping their data and your practice secured. See how Lumifi can help make that happen.
Cyber criminals are constantly developing increasingly sophisticated and dangerous malware programs. Statistics for the first quarter of 2016 compared to 2015 show that malware attacks have quadrupled.
Why DNS traffic is important
DNS has an important role in how end users in your enterprise connect to the internet. Each connection made to a domain by the client devices is recorded in the DNS logs. Inspecting DNS traffic between client devices and your local recursive resolver could reveal a wealth of information for forensic analysis.
DNS queries can reveal:
Identifying the threats using EventTracker
While parsing each DNS log, we verify each domain accessed against:
Any domain that matches any of the above-mentioned criteria warrants attention; an alert is generated that includes the client that accessed it and the geolocation information of the domain (IP, country).
Using behavior analysis, EventTracker tracks the volume of connections to each domain accessed in the enterprise. If the volume of traffic to a specific domain is more than average, alert conditions are triggered. When a domain is accessed for the first time, we check the following:
Recent trends show that cyber criminals may create dynamic domains as command and control centers. These domains are activated for a very short duration and then discarded, which makes the above checks even more important.
EventTracker does statistical/threshold monitoring of queries, clients, record types and errors. This helps in detecting many DDoS attacks such as NXDOMAIN, phantom domain and random sub-domain attacks. EventTracker’s monitoring of client DNS settings helps to detect DNS hijacking and generates an alert for anything suspicious, including information about the client as well as its DNS settings. The EventTracker flex dashboard helps in correlating attack detection data and client details, making attack detection simpler.
Monitoring the DNS logs is a powerful way to identify security attacks as they happen in the enterprise, enabling successful blocking of attacks and fixing vulnerabilities.
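The volume, first-seen and NXDOMAIN checks described above, written out as an added Python example (this is not EventTracker's implementation). The resolver log format `<epoch> <client> <qname> <rcode>`, the sample lines, the known-domain baseline and the "twice the average" volume threshold are assumptions made for the example.

```python
"""Added example (not EventTracker's code): run the statistical DNS checks
described above over constructed resolver log lines.

Assumed log line format: '<epoch> <client_ip> <qname> <rcode>'.
"""
from collections import Counter
from typing import Dict, List, Set

# Constructed sample window: normal browsing, one client hammering a
# never-before-seen domain, and one client producing a burst of
# NXDOMAIN answers (the shape of a random sub-domain attack).
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000002 10.0.0.6 www.example.com NOERROR
1700000003 10.0.0.7 update.example.org NOERROR
1700000004 10.0.0.9 xk2f9.bad-c2.example NOERROR
1700000005 10.0.0.9 xk2f9.bad-c2.example NOERROR
1700000006 10.0.0.9 xk2f9.bad-c2.example NOERROR
1700000007 10.0.0.9 xk2f9.bad-c2.example NOERROR
1700000008 10.0.0.9 xk2f9.bad-c2.example NOERROR
1700000009 10.0.0.9 xk2f9.bad-c2.example NOERROR
1700000010 10.0.0.9 xk2f9.bad-c2.example NOERROR
1700000011 10.0.0.9 xk2f9.bad-c2.example NOERROR
1700000012 10.0.0.8 a1b2.example.net NXDOMAIN
1700000013 10.0.0.8 c3d4.example.net NXDOMAIN
1700000014 10.0.0.8 e5f6.example.net NXDOMAIN
"""

# Registered domains already seen in earlier windows (constructed baseline).
KNOWN_DOMAINS: Set[str] = {"example.com", "example.org"}


def parse(log: str) -> List[Dict[str, str]]:
    """Split the assumed log format into records; qname is normalised."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        rows.append({"ts": ts, "client": client,
                     "qname": qname.lower().rstrip("."), "rcode": rcode})
    return rows


def registered_domain(qname: str) -> str:
    """Naive registered-domain guess (last two labels). A production
    monitor would consult the public suffix list; assumption for brevity."""
    return ".".join(qname.split(".")[-2:])


def analyze(rows: List[Dict[str, str]], known: Set[str],
            volume_factor: float = 2.0, nx_threshold: int = 3) -> Dict[str, list]:
    """Return high-volume domains, first-seen domains and NXDOMAIN bursts."""
    per_domain: Counter = Counter()
    first_client: Dict[str, str] = {}
    nx_per_client: Counter = Counter()
    for r in rows:
        dom = registered_domain(r["qname"])
        per_domain[dom] += 1
        first_client.setdefault(dom, r["client"])
        if r["rcode"] == "NXDOMAIN":
            nx_per_client[r["client"]] += 1
    # Volume check: the text flags "more than average"; a multiplier is
    # used here to keep a tiny window from flagging ordinary domains.
    avg = sum(per_domain.values()) / max(len(per_domain), 1)
    return {
        "high_volume": sorted((d, n) for d, n in per_domain.items()
                              if n > volume_factor * avg),
        "first_seen": sorted((d, first_client[d]) for d in per_domain
                             if d not in known),
        "nxdomain_burst": sorted((c, n) for c, n in nx_per_client.items()
                                 if n >= nx_threshold),
    }


if __name__ == "__main__":
    for kind, items in analyze(parse(SAMPLE_LOG), KNOWN_DOMAINS).items():
        print(kind, items)
```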
Just how much should you be spending on IT security? It’s a vexing question to answer for many reasons, as each situation has its own circumstances and factors. But here are some insights garnered over the last decade in cybersecurity.
First off, what constitutes security spending? Dedicated security hardware, software, personnel, and services for sure, but security spending is often embedded in other areas in hidden ways. It can vary by industry, geography, and corporate culture. IT security spend will be higher in regulated environments with stringent compliance requirements and can also increase if a new threat is acknowledged, or in the aftermath of a breach.
Who spends the least on security? Two kinds of organizations - those that are ignoring the problem and underspending, and those that have a mature IT program. The process discipline and safeguards established by mature IT programs minimize unexpected incidents and thus reduce unforeseen costs.
Spending on technologies such as firewalls remains constant because of continually changing threats. Older threats will be addressed more efficiently, but new technologies and an ever-changing threat landscape bring new threats that necessitate a spending increase. Spending for "letting the good guys in" such as multi-factor authentication and access management is often discretionary, but often required for strategic business initiatives such as home banking or regulatory compliance. Such projects that get funded and implemented as part of larger IT projects are usually not part of the information security budget.
On average, a security spending level of 3 - 6 percent of total IT budget is considered the norm. If you add in compliance spending as part of security, that's another 3 - 6 percent of the IT budget. If you include business continuity spending, that's another 2 percent, bringing it to 10 - 14 percent of the total IT budget. If you spend much less than the norm, be advised to revisit your security assumptions and posture given today’s advanced threats.
Make your security dollars go farther and respond quickly to new threats by co-sourcing IT security functions, such as security monitoring, vulnerability management, endpoint protection, and SOC-as-a-Service (SOCaaS). For a small to mid-sized organization, the added benefit in such a managed services plan helps solve the IT security talent shortage.
Learn more about how Lumifi advances protection without breaking the bank.
Imagine the lost revenue for a major retailer if they needed to shut down all of their stores for a few days, or even a few hours, especially over the busy holiday season. It would be worth millions to have those systems unfrozen.
It will not be long before cybercriminals utilize ransomware that freezes all of a business’ POS systems, and the ransom will not be for the release of data, it will be for the ability to get back in business. The impact would be devastating.
“We are not far away from a major breach of a POS system that has nothing to do with stealing credit card data, but instead is intended to hold the business’ ability to conduct transactions hostage for a large ransom. Stealing credit card data takes months, whereas ransomware takes minutes.”
- Kevin Watson, CEO, Netsurion
If it seems like there is a new data breach every day, you’re right. As of August 30, 2017, there have been 956 breaches reported and more than 19 million records exposed.
Not all breaches make the news but when they do, it’s because countless individuals have been affected and a company’s or brand’s reputation has been destroyed.
Malware, or “malicious software,” can take on many forms including viruses, worms, Trojan horses, spyware, adware, scareware, and ransomware. Malware is any piece of code designed to infect a computer or mobile device for malicious purposes, such as recording or stealing personal data, passwords, credit card information, etc. The information is then studied for behavioral purposes, stored and used against a person or company, or sold online through the “Dark Web.”
The universal purpose is financial. Malware allows hackers to steal personal identities, corporate or government secrets, and even unreleased movies, books, or music. There is no end to what information can be stolen and repurposed for illicit gain.
It can also be used to access and control corporate, educational, recreational, healthcare, or government computer systems and alter the way those systems conduct business; anything from changing grades on report cards, to voter fraud, to cutting power to homes.
Just as one strain of malware strikes, gets identified and a fix created, copycat variants begin appearing almost immediately, making it more and more difficult to combat. New complex strains are getting progressively more destructive to individuals and businesses, making it difficult to predict and prevent future attacks.
Ransomware is the current trend and, potentially, the most dangerous to a company or brand.
Often transmitted by email, it locks your computer and prevents access to your data until a ransom (usually in Bitcoin) is paid. While this type of attack is not new, it has become much more sophisticated by encrypting files and data with a coded “lock” for which the hacker holds the “key.” To get the key, you must pay the ransom. Of course, there’s no guarantee you will ever get your data or the use of your computer system back, regardless of whether you pay.
If you sell goods or services, and accept credit card payment, you are at a high risk and held accountable by PCI DSS compliance regulations, no matter your industry.
Point-of-sale (POS) malware continues to make headlines and inflict damage on brand reputation and profit margins alike. Cybercriminals can widely impact most or even all locations by exploiting the POS system itself.
It’s not much of a leap to go from POS malware stealing credit card data to POS ransomware holding a business hostage. The difference: typical credit card malware must successfully persist on the target’s network for months while it siphons off credit card data. A ransomware attack needs only minutes to execute its plan.
What would the victimized retailer be willing to pay to unlock their POS systems? If a brand was bleeding millions per day in actual revenue and potentially more in resulting data breach fines, brand reputation, and loss of customer loyalty, one could easily foresee the company being willing to pay a ransom of $2 million, which may be less than what they’d lose if they successfully restored operations on their own in just two or three days.
While this is good, sound advice, it is not enough for a corporate entity that has multiple endpoints and relies on many internal and external users, third-party software providers, and needs to have internet access.
No matter the size of the business, it’s rare to find a truly robust and large InfoSec team prepared to handle every endpoint security threat. The hard reality is that distributed locations, frequently referred to as “edge” locations, are usually far too small to have the kind of dedicated cybersecurity expertise and teams that are available at the corporate level.
The result is that these independently owned stores and franchise locations are often the weak link, a fact that is not lost on cybercriminals.
For most retailers, network security currently consists of a firewall and anti-virus installed on each workstation and server. Unfortunately, as cybercriminals have become more sophisticated in their attacks, these defense measures alone are not enough to protect the network.
Specifically, firewalls and anti-virus software are vulnerable to compromised third-party remote access tools, zero-day malware, and abnormal user behavior, all of which have been seen before in major retail breaches.
Since most ransomware is a form of zero-day malware, firewalls and anti-virus software cannot prevent most ransomware attacks. To close these gaps, additional protection is required.
Unfortunately, IT teams are overwhelmed just maintaining the current systems and no longer have time to review log files or track every suspicious incident. And most are not trained in cybersecurity. It is becoming impossible for companies to exist without dedicated security teams, either on staff or outsourced to a third party. Finding the budget and other resources for such a staff is no longer an option.
In addition, the compliance industry standards in existence today, including PCI DSS, HIPAA, SOX 404, FISMA/NIST 800-53, SANS CAG, GLBA, NISPOM, etc., are constantly being updated to meet current security and economic needs.
Anti-virus and anti-malware are not enough. Firewalls are not enough. Security patches and endless updates are not enough. The solution is to go beyond bare-bones regulatory compliance-based security and begin implementing real security measures that predict, prevent, detect, and respond to advanced threats.
If you want to prevent or stop a malware attack today, you need an extensive security network that includes a detailed road map, sophisticated software packages, and a team of experts that are certified in cybersecurity and dedicated solely to monitoring log files, analyzing data, recognizing threats and being able to combat those threats in real time while proactively working to prevent future attacks.
A company’s or brand’s reputation is on the line every time there is a data breach or ransom attack. These attacks can target third-party providers that are used by dozens of recognizable companies. If you own a major hotel, for example, and your third-party POS provider is hacked, your customers and brand suffer. The same goes for every industry.
Even with all of the latest, greatest software and security teams in place, another form of malware is just around the corner, waiting to break into some unsuspecting system. Companies today need to stay vigilant in the war on cyberterror, not just protecting themselves from known threats, but being proactive to defend against future threats.
Cybersecurity and the protection of corporate and client data should be the top priority for 2018. Budgets and resources should be adjusted accordingly.
These cyberterrorists won’t go away until things like ransomware cease to be profitable for them.
Logging for Incident Response: Part 1 – Preparing the Infrastructure
From all the uses for log data across the spectrum of security, compliance, and operations, using logs for incident response presents a truly universal scenario – you can be forced to use logs for incident response at any moment, whether you’re prepared or not. An incident response (IR) situation is one where having as much log data as possible is critical. You might not use it all, and you might have to work hard to find the proverbial needle in the haystack of logs – still, having reliable log data from all – affected and unaffected – systems is indispensable in a hectic post-incident environment.
The security mantra “prevention-detection-response” still defines most of the activities of today’s security professionals. Each of these three components is known to be of crucial importance to the organization’s security posture. However, unlike detection and prevention, the response is impossible to avoid. While it is not uncommon for an organization to have weak prevention and nearly non-existent detection capabilities, they will often be forced into response mode by attackers or their evil creations – malware. Even in cases where ignoring the incident that happened might be the chosen option, the organization will implicitly follow a response plan, even if it is as ineffective as to do nothing.
In this paper, we will focus on how to “incident-response-proof” your logging – how to prepare your logging infrastructure for incident response. The previous six articles focused on specific regulatory issues, and it is not surprising that many organizations are doing log management just to satisfy compliance mandates. Still, technology and processes implemented for PCI DSS or other external mandates are incredibly useful for other uses such as incident response. On top of this, many of the same regulations prescribe solid incident response practices (for additional discussion see “Incident management in the age of compliance”).
Basics
Even though a majority of incidents are still discovered by third parties (see Verizon Breach Report 2010 and other recent research), it is clear that organizations should still strive to detect incidents in order to limit the damage stemming from extensive, long-term compromises. On the other hand, even for incidents detected by third parties, the burden of investigation – and thus using logs for figuring out what happened – falls on the organization itself.
We have therefore identified two focal points for use of logs in incident response:
Sometimes the latter use-case is called “forensics” but we will stay away from such definitions since we would rather reserve the term “forensics” for legal processes.
Incident Response Model and Logs
While incidents and incident response will happen whether you want them to or not, a structured incident response process is an effective way to reduce the damage suffered by the organization. The industry-standard SANS incident response model organizes incident response in six distinct stages (see “Incident Management 101: Preparation & Initial Response (aka Identification)” by Robin Dickerson, SANS Reading Room, posted January 17, 2005, http://www.sans.org/rr/whitepapers/incident/).
Preparation includes tasks that need to be done before the incident: from assembling the team, training people, collecting and building tools, to deploying additional monitoring and creating processes and incident procedures.
Logs are extremely useful, not just for identification and containment as we mention above, but for all phases of incident response process. Specifically, here is how logs are used at each stage of the IR process:
As a result, the IT infrastructure has to be prepared for incident response logging way before the first signs of an incident are spotted.
Preparing the Infrastructure
In light of predominantly third-party incident discovery, the incident response process might need to be activated at any moment when notification of a possible incident arrives. From this point onward, the security team will try to contain the damage and investigate the reason for the attack or abuse based on initial clues. Having logs will allow an organization to respond better and faster!
What logs need to be collected for effective IR? This is very simple: any and all logs from networks, hosts, applications, and other information systems can be useful during response to an incident. The same applies to context data – information about users, assets, and vulnerabilities will come in handy during the panic of incident response. As we said above, having as much log data as possible will allow your organization to effectively investigate what happened, and have a chance of preventing its recurrence in the future.
Specifically, make sure that the following log sources have logs enabled and centrally collected:
Detailed discussion of logging settings on all those systems goes beyond the scope of this paper and might justify not just reading a document, but engaging specialty consultants focused on logging and log management.
Tuning Log Settings for Incident Response
What logs should be enabled on the systems covered above? While “log everything” makes for a good slogan, it also makes log analysis a nightmare by mixing together more relevant log messages with debugging logs which are used much less often, if at all. Still, many logging defaults should be changed as described below.
A typical Unix (Solaris, AIX, etc.) or Linux system will log the following into syslog: various system status and error messages, local and remote login/logout, some program failures, and system start/stop/restart messages. What will not be found are logs tracking access to files, running processes, and configuration changes. For example, to log file access on Linux, one needs to use the kernel audit facility, not simply default syslog.
Similarly, on Windows systems the Event Log will contain a plethora of system status and error messages, login/logout records, account changes, as well as system and component failures. To have more useful data for incident response, one needs to modify the audit policy to start logging access to files and other objects.
Most web servers (such as Apache and Microsoft IIS) will record access to web resources located on a server, as well as access errors. Unlike the OS platforms, there is not a pressing need for more logging, but one can modify the /etc/http/httpd.conf to add logging of additional details, such as referrer and browser type.
Databases such as Oracle and MS SQL Server log painfully little by default, even though the situation is improving in recent database versions such as Oracle 11g. With older databases, you have to assume to have no database logs if you have not enabled them during the incident preparation stage. A typical database will log only major errors, restarts, and some administrator access, but will not log access, or changes to data or database structures.
Firewalls typically log denied or blocked connections, but not the allowed connections by default: as our case study showed, connection allowed logs are one of the most indispensable for incident response. Follow the directions for your firewall to enable such logging.
VPN servers will log connections, user login/logouts, and errors; default logging will generally be sufficient. Making sure that successful logins – not just failures – are logged is one of the important preparation tasks for VPN concentrators.
Network IDS and IPS will usually log their alerts, various failures, user access to the sensor itself; the only additional type of “logging” is recording full packet payload.
Implementing Log Management
Log management tools that can collect massive volumes of diverse log data without issues are hugely valuable for incident response. Having a single repository for all activity records, audit logs, alerts, and other log types allows incident responders to quickly assess what was going on during an incident, and what led to a compromise or insider abuse.
After logging is enabled and configured for additional details and additional logged events, the logs have to be collected and managed to be useful for incident response. Even if a periodic log review process is not occurring, the logs have to be available for investigations. Following the maturity curve (see http://chuvakin.blogspot.com/2010/02/logging-log-management-and-log-review.html), even simply having logs is a huge step forward for many organizations.
When organizations start collecting and retaining logs, the question of retention policy comes to the forefront. Some regulations give specific answers: PCI DSS, for example, mandates storing logs for one year. However, determining proper log storage for incident response can be more difficult. One year might still be a good rule of thumb for many organizations, since it is likely that investigating incidents more than one year after they happened will be relatively uncommon, but certainly possible – so longer retention periods such as three years may be useful.
In the next paper, we will address how to start reviewing logs for discovering incidents, and also how to review logs during incident response. At this point, we have made a huge step forward by making sure that logs will be around when we really need them!
Conclusions
Even though compliance might compel organizations to enable logging, deploy log management, and even start reviewing logs, incident response scenarios allow the value of logs to truly manifest itself.
However, in order to use logs for incident response, the IT environment has to be prepared – follow the guidance and tips from this paper in order to “IR-proof” your logging infrastructure. A useful resource to jumpstart your incident response log review is “Critical Log Review Checklist for Security Incidents” which can be obtained at http://chuvakin.blogspot.com/2010/03/simple-log-review-checklist-released.html in various formats.
About Author
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books “Security Warrior” and “PCI Compliance” and a contributor to “Know Your Enemy II” and “Information Security Management Handbook”; he is now working on a book about computer logs. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, and security management (see the list at www.info-secure.org). His blog http://www.securitywarrior.org is one of the most popular in the industry.
In addition, Anton teaches classes (including his own SANS class on log management) and presents at many security conferences across the world; he recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups.
Currently, Anton is building his security consulting practice www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.
There’s plenty of interest in all kinds of advanced security technologies like threat intelligence, strong/dynamic authentication, data loss prevention and information rights management. However, so many organizations still don’t know that the basic indicators of compromise on their network are new processes and modified executables. This is so important because in every high profile case of data breaches over the past few years a common thread has been the presence of a malicious program that provided the attackers with persistent access to the internal network of the victim organization.
Moreover, some security technologies – such as strong authentication – are no defense if you have malicious code running on the endpoint of a strongly authenticated user.
So rapid detection of malicious code is paramount and the importance can’t be over-stated. Detecting malicious code isn’t easy and traditional signature-based AV is only going to catch comparatively “old” and widely distributed malware. It isn’t likely to catch the targeted attacks we are up against today in which the bad guy uses shrink wrapped tools to build and package a unique malicious agent to use against your organization.
How do you detect and even prevent malware like this?
Like everything, it takes a defense-in-depth approach. Third-party application whitelisting and advanced memory protection are very effective. But whether you have such technologies deployed or on the radar, your SIEM solution can provide you early warning when new software is observed on your network.
The key thing is to look for Event ID 4688 in the Windows security log. Compare the executable name in that event to a list of whitelisted EXEs you expect to see – or, better yet, a list of executables built automatically from past events.
You want these events from every possible system – including workstations. If you are concerned about the amount of log data involved, the sponsor of this article, Netsurion Open XDR, provides an agent that can efficiently forward just the relevant events you want from thousands of endpoints.
Will there be false positives? Yes – especially until you refine your rules to take into account patches.
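The 4688 baseline approach above as an added Python example (not Netsurion's agent or rule content): the events, hostnames and executable paths are constructed, and collapsing version-numbered path segments to cut patch-related false positives is this example's own assumption.

```python
"""Added example (not Netsurion's agent or rules): learn the executables
seen in 4688 process-creation events during a baseline window, then alert
on any executable path never observed before.

Events are constructed dicts with the 4688 field NewProcessName plus a
TimeCreated epoch and Computer. Version-numbered path segments such as
\\118.0.5993.117\\ are collapsed so a patched copy of a known program is
not reported as new; that normalisation is an assumption of this example.
"""
import re
from typing import Dict, Iterable, List, Set

_VERSION_SEGMENT = re.compile(r"^\d+(\.\d+)+$")


def normalize(path: str) -> str:
    """Lower-case the path and replace version-number directories with <ver>."""
    parts = path.lower().split("\\")
    return "\\".join("<ver>" if _VERSION_SEGMENT.match(p) else p for p in parts)


def build_baseline(events: Iterable[Dict[str, object]], until_ts: int) -> Set[str]:
    """Executables seen in 4688 events up to and including until_ts."""
    return {
        normalize(str(e["NewProcessName"]))
        for e in events
        if e.get("EventID") == 4688 and int(e["TimeCreated"]) <= until_ts
    }


def find_new_executables(events: Iterable[Dict[str, object]], baseline: Set[str],
                         after_ts: int) -> List[Dict[str, object]]:
    """Report each executable not in the baseline, once, the first time it
    appears after after_ts (network-wide, not per host)."""
    seen = set(baseline)
    alerts = []
    for e in sorted(events, key=lambda e: int(e["TimeCreated"])):
        if e.get("EventID") != 4688 or int(e["TimeCreated"]) <= after_ts:
            continue
        key = normalize(str(e["NewProcessName"]))
        if key not in seen:
            seen.add(key)
            alerts.append({"computer": e["Computer"],
                           "exe": e["NewProcessName"],
                           "ts": e["TimeCreated"]})
    return alerts


# Constructed sample events (not real telemetry). The first three fall
# inside the baseline window; the rest arrive afterwards.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "TimeCreated": 10,
     "NewProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "Computer": "WS01", "TimeCreated": 20,
     "NewProcessName": r"C:\Program Files\Browser\118.0.5993.117\browser.exe"},
    {"EventID": 4688, "Computer": "WS02", "TimeCreated": 30,
     "NewProcessName": r"C:\Program Files\Mail\mail.exe"},
    # Patched browser: new version directory, same program, not new.
    {"EventID": 4688, "Computer": "WS01", "TimeCreated": 150,
     "NewProcessName": r"C:\Program Files\Browser\119.0.6045.105\browser.exe"},
    # Unknown executable run from a user temp directory on two hosts.
    {"EventID": 4688, "Computer": "WS02", "TimeCreated": 160,
     "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\tool.exe"},
    {"EventID": 4688, "Computer": "WS03", "TimeCreated": 170,
     "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\tool.exe"},
    # A logon event is ignored by both functions.
    {"EventID": 4624, "Computer": "WS03", "TimeCreated": 180},
]

if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_EVENTS, until_ts=100)
    for alert in find_new_executables(SAMPLE_EVENTS, baseline, after_ts=100):
        print(f"{alert['computer']} t={alert['ts']}: new executable {alert['exe']}")
```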
Will this catch every malicious agent? Of course not. There are multiple ways to insert malicious code on an endpoint, and some are entirely in-memory with no new executable involved. Third-party memory protection products or Microsoft's EMET can help detect memory exploits; if you run EMET or another memory protection technology, collecting and monitoring its events in your SIEM is the obvious next step. (Note that Microsoft retired EMET in 2018; its mitigations now ship as Exploit Protection in Windows Defender Exploit Guard on Windows 10 and later, which logs to its own event channels.)
Some malware embeds itself in existing, trusted EXEs and DLLs, so it makes sense to monitor those files for modification. Again, you want this from workstations, not just servers. Getting EXE/DLL modification events requires either Windows file system auditing or a file integrity monitoring (FIM) solution. Enabling auditing of just EXE and DLL files with Windows file auditing is not easy: the File System settings in Group Policy apply an entire security descriptor, so you cannot push an audit (SACL) entry without also overwriting the permissions (DACL), which is why widely distributed scripts would otherwise be required. FIM is definitely the easier route. Again, it is worth mentioning that the Netsurion Open XDR agent includes FIM, making it easy to catch changes to existing software as soon as they happen.
The bottom line is this: to stop breaches we’ve got to detect and respond to malicious agent software. Are you listening to your endpoints?
SC Magazine released the results of a research survey focused on the rising acceptance of SIEM-as-a-Service for the small and medium sized enterprise.
The survey, conducted in April 2016, found that SMEs and companies with $1 billion or more in revenue or 5,000-plus employees faced similar challenges:
This comes as no surprise to us; we have been seeing these trends rise over the past several years. Gartner reports that by 2019 total enterprise spending on security outsourcing services will be 75 percent of spending on security software and hardware products, and that by 2020, 40 percent of all security technology acquisitions will be directly influenced by managed security service providers (MSSPs) and on-premises security outsourcing providers, up from less than 15 percent today.
It used to be that firewalls and antivirus were sufficient stopgaps, but in today's complex threat landscape the cyber criminals are more sophisticated. The weak point of any security approach is usually the unwitting victim of a phishing scam or the person who plugs in an infected USB stick; but "securing the human" requires the expertise of other humans: trained staff with the certifications and experience to monitor the network and analyze anomalies. An already busy IT staff can become even more overburdened; identifying, training and keeping security expertise is hard, and so is keeping up with the alerts that arrive daily and staying current on SIEM technology.
Hence the increasing movement toward a co-managed SIEM, which gives the enterprise access to the expertise and resources it needs to run an effective security program without ceding control. SIEM-as-a-Service saves time and money.
It has grown more challenging to protect patient privacy and secure sensitive data under HIPAA (Health Insurance Portability and Accountability Act) as the volume and persistence of cyber attacks have increased in recent years. Healthcare institutions often hold vast databases of sensitive information, such as credentials and credit card data, that cyber criminals seek to monetize and sell on the dark web. Threat actors target healthcare organizations with advanced threats such as zero-day exploits and with malware families like Emotet (a loader that delivers other payloads) and Locky (ransomware) that spread to and infect other systems. HIPAA outlines requirements for healthcare organizations and their supply chain partners in areas such as risk management, security incident handling and investigation, log monitoring, encryption, and security awareness training. These ever-increasing HIPAA mandates make it challenging for healthcare providers, health plans, and healthcare clearinghouses to stay current and compliant.
The 700,000+ healthcare provider and payer organizations in the United States face a myriad of compliance and security mandates and represent a sizable target for threat actors. IT professionals who support, or plan to support, healthcare organizations covered by the privacy and cybersecurity provisions of HIPAA should understand the following compliance facts and security criteria:
Disclosure of PHI/ePHI through careless mistakes or willful neglect is a violation of HIPAA regulations.
EventTracker SIEM provides solutions to help both healthcare providers and payers improve security, simplify compliance, and protect sensitive patient data. Ensure your organization has the people, processes, and technology to remain vigilant to the healthcare sector’s ever-increasing threats.
Description of Pain or Challenge:
An accounting company's internal IT strategy prompted a move to a colocation data center that offered its own security monitoring services. Although the accounting team initially favored our service, they were not given the option to retain it. After observing the new provider's attempt to manage a SIEM (they were now required to use Azure Sentinel), they found the mandated service lacking in knowledge, security expertise, and consultative guidance. Consequently, the accounting company initiated internal efforts to return to Datashield (now Lumifi).
Solution Overview:
With previous experience in NetWitness, the organization transitioned to Azure Sentinel, necessitating thorough onboarding. Lumifi, supporting Sentinel as a monitored SIEM solution, expedited the adoption process, achieving operational status within weeks, a significant improvement from their previous provider.
Leveraging Lumifi's Sentinel expertise, the organization swiftly adopted logging best practices and operational monitoring. This laid a robust foundation for further development, encompassing custom content creation, parsing, and dashboard development, and raised the organization's SIEM maturity. Beyond technical implementation, Lumifi delivers continuous threat hunting, content development, and insights into emerging cybersecurity threats and events.
Technology Description:
Formerly NetWitness, Migration to Azure Sentinel, Lumifi Managed Security Services
Challenge: An existing RSA customer, a hospital, recognized the need for enhanced security operations despite already using a Governance, Risk & Compliance (GRC) solution.
Solution: We proposed RSA NetWitness as a comprehensive solution, seamlessly integrating with their current SIEM, EDR solution, firewalls, and existing network infrastructure. Our 24/7/365 Managed Detection and Response (MDR) services provided improved visibility. Partnering with a dedicated MDR provider who communicated regularly and acted as an extension of their security team was crucial. This allowed the hospital's security team to focus on proactive, strategic initiatives, boosting efficiency and achieving GRC goals.
Technology Description: RSA NetWitness for Packets and Logs, Lumifi Managed Security Services, Lumifi ShieldVision
Security Tools: Palo Alto XSIAM
Description of Pain or Challenge: The client had deployed RSA NetWitness and Palo Alto Cortex but was unsatisfied with the deployment's progress. They sought to consolidate onto a single solution, eliminate the need for multiple systems, and required custom ingest and alert content for their proprietary applications. Staffing a 24/7 SOC proved challenging, and they lacked the expertise to manage the technology effectively.
Solution Overview: Lumifi provided a solution that replaced multiple legacy SIEM deployments, enhancing visibility and enabling the SOC to take additional actions during incidents. This consolidation streamlined their technology stack onto the Palo Alto Networks platform. XSIAM, deployed via SaaS, granted remote access to employees.
Lumifi's expertise and differentiators expanded account services, delivering a positive customer experience through exceptional service quality.
Technology Description: Content Development, Palo Alto XSIAM, In-depth knowledge of the client's environments, and understanding of specific vertical needs.
Organizations use 40+ products and IT tools on average to manage networks, SaaS applications, and endpoints. This fragmented approach creates data silos and blind spots that hamper detection and incident response. Attackers actively look for easy targets, such as misconfigured websites and unpatched applications, to exploit. Service providers can leverage their strong business relationships and trusted advisor roles to help businesses protect their expanding attack surface and be more proactive about malware and breaches.
Expanding Attack Surfaces
An attack surface encompasses all the avenues through which cyber criminals or unauthorized users can initiate an attack or extract data. Attack surfaces include networks, endpoints, cloud infrastructure, and SaaS applications. Digital transformation, work-from-anywhere, and always-on devices have expanded the attack vectors that defenders must safeguard.
Minimizing attack vectors to improve attack surface protection is not new. It’s a cybersecurity best practice in compliance frameworks such as the NIST Risk Management Framework (RMF).
Attack Surface Coverage Improves Business Security
Businesses have many points of vulnerability, too many to monitor and protect on their own. Executives may not be aware of, or prepared for, today's sophisticated threats. IT decision makers may be so focused on daily operations and putting out fires that they overlook the tool sprawl that limits visibility and actual cybersecurity effectiveness. Some benefits of attack surface coverage include:
Service providers are well-positioned to defend against financially motivated attackers looking for easy business targets.
Best Practices to Minimize Attack Surface Risk
Reduce the potential for a successful attack with these practical steps:
Step 1: Identify and shore up any vulnerability gaps
Layered security defenses are needed to quickly mitigate threats posed by persistent and well-funded adversaries. The first tactic used by cyber criminals is network reconnaissance, which looks for unpatched vulnerabilities and configuration errors. Think like an attacker to help your clients shrink their attack surface with rigorous scanning, vulnerability management, and guided remediation steps.
Step 2: Boost endpoint protection where attackers often enter
Endpoint security is vital as 70% of data breaches occur via compromised laptops and workstations. Coverage gaps and the lack of insight into where critical data resides hamper device security.
Service providers can use a prevention-first approach followed by detection and response against known and unknown threats to minimize attacker exploits on business endpoints.
Step 3: Simplify tech stack complexity
The explosion in point products and tools leads to integration blind spots, underutilized investments, and alert fatigue trying to swivel between them all. Eliminating unused or default functionality and redundant products can reduce attack surfaces and risks. Streamline and simplify your infrastructure with solutions like extended detection and response (XDR) that offer improved visibility and the ability to “connect the dots” for faster threat detection and response.
Step 4: Increase cloud security for comprehensive protection
Software-as-a-Service (SaaS) applications and public cloud infrastructures like Amazon Web Services (AWS), Microsoft Azure, and Microsoft 365 (M365) are mission critical. The widespread adoption of cloud computing and shortage of cloud security expertise make cloud security even more essential. Cyber criminals know that cloud attack surfaces are often overlooked and misconfigured. Holistic attack surface coverage that includes cloud security can alert you to cloud security gaps and guided remediation steps long before a disastrous failure occurs.
Step 5: Implement network segmentation
Break the network up into logical groups with separate security policies and access controls. The goal of micro-segmentation is to limit the impact of any unforeseen data incident and make it more difficult for an intruder to move laterally across the organization. While not new, network segmentation is a relatively easy way to protect infrastructure and reduce the attack surface.
Step 6: Enhance visibility and event correlation
One crucial way to improve visibility is to unify logs and device telemetry into a single source of truth. Log integration across firewalls, applications, databases, and cloud infrastructures enables service providers to respond rapidly to security incidents at scale. Look for vendor-neutral partners that leverage existing infrastructure, security licenses, and telemetry out of the box. This open approach provides greater visibility and avoids rip-and-replace projects. Cybersecurity experts in a 24/7 security operations center (SOC) then augment the technology with guided remediation steps that simplify service provider operations.
Netsurion Brings it all Together
In a connected and always-on world, ignoring security gaps jeopardizes networks and business resiliency. Safeguarding IT infrastructure and sensitive data is challenging and requires constant vigilance and 24/7/365 monitoring. A managed solution augments IT teams and decreases false positives, a boon to overworked MSPs and cyber defenders.
The rise in ransomware attack volume and sophistication is a wake-up call for executives and IT departments alike. Traditional perimeter-focused defenses, such as firewalls, are no longer sufficient against stealthy and financially-motivated attackers. There are several ways to achieve a Managed Detection and Response (MDR) outcome:
MDR’s defense-in-depth benefits organizations by enhancing threat visibility, augmenting skills and expertise, responding to current vulnerabilities, and adding proactive prevention, detection, and response. Here is a recommended approach for evaluating MDR and what it entails:
Do you have a SIEM for full visibility? Organizations must protect an ever-increasing attack surface that encompasses physical servers, workstations, endpoints, and mobile devices. To ensure comprehensive visibility, you need to correlate log data in a security information and event management (SIEM) platform for quick search, analysis, and incident response. Cybersecurity experts view SIEM as a foundational capability that organizations of all sizes and maturity levels should adopt.
Do you use MITRE ATT&CK for better threat correlation? Developed by MITRE, the ATT&CK® framework is based on real-world threat observations. The framework’s tactics, techniques, and procedures (TTPs) enable security defenders to improve threat hunting and complete discovery of ongoing attacks. Implementing MITRE ATT&CK on your own can be complex and time-consuming. Our threat protection platform, EventTracker, natively maps the ATT&CK knowledge base into its console for enhanced visibility and threat enrichment, so you benefit from the MITRE ATT&CK framework without doing the heavy lifting.
Do you have EDR to protect the endpoint? A significant percentage of today's threats originate from always-on endpoints like laptops, tablets, servers, and virtual machines. Organizations can improve threat detection time with endpoint detection and response (EDR) capabilities, especially when protecting legacy and unpatched devices. Stopping an attack early in the attack lifecycle restricts adversary access, reconnaissance, and damage. Our deep learning capabilities even accelerate threat prevention across a broad range of operating systems and file types. The business case for EDR is simple, with proven results protecting critical devices from zero-day attacks and mutating malware.
Can you automate cybersecurity? Automation can reduce mundane tasks repeated hundreds of times a day by cybersecurity analysts, leaving more time for proactive tasks like threat hunting. Streamlining cybersecurity reduces false positives and ensures that you only see validated and high priority threats. We speed up the predict, prevent, detect, and respond process while improving analyst efficiency and accelerating threat detection. Netsurion’s security simplifies IT operations and provides learn-once-defend-everywhere insights.
Do you have a SOC for 24/7 incident response capability? A Security Operations Center (SOC) allows organizations to fully monitor, detect, investigate, and respond to cyber threats 24/7/365. Hackers don’t work only Monday through Friday, and neither should your cybersecurity protection. But the obstacles to build and maintain an in-house SOC are significant. The high cost of hardware and software alone is daunting, but even more expensive is recruiting, training, and retaining cybersecurity analysts. Lumifi delivers SOC-as-a-Service with analysts who work as an extension of your in-house team.
MDR solutions and provider capabilities can vary widely. Make sure to tailor your assessment and selection process to current as well as future requirements.
Checklist for a More Proactive Defense
Consider the following criteria when navigating the MDR selection process:
Future Steps
MDR solutions are gaining traction because they offer powerful yet practical cybersecurity capabilities while potentially consolidating technology and costs. Netsurion offers unified MDR capabilities such as:
Our managed detection and response solution overcomes the challenges of DIY point tools. Learn how MDR from Lumifi aligns your staffing and budget with technology that drives the outcomes you need for today’s advanced threats.
CVE-2023-38035 Threat Summary:
CVE-2023-38035 allows an unauthenticated attacker to reach sensitive administrative configuration APIs in Ivanti Sentry versions 9.18 and prior over port 8443. These APIs are used by the MobileIron Configuration Service (MICS); successful exploitation can lead to remote code execution with root permissions and to changes in the MICS configuration.
Lumifi's Analysis:
Exploiting this vulnerability requires either internal network access or a MICS port exposed to the internet. A threat actor without initial access to this service could instead chain it with two vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2023-35078 and CVE-2023-35081) to reach and then exploit the Ivanti Sentry authentication bypass.
Lumifi's Recommendations:
While the Lumifi content library contains many detections that would alert on the theoretical attack paths that could follow from this vulnerability, there is not yet enough public information about the exact exploitation mechanism to detect it reliably. Lumifi therefore recommends restricting access to Ivanti Sentry to a management network reachable only by IT administrators, ensuring that the System Manager Portal (port 8443 by default) is not exposed to external networks, and patching any vulnerable version with the RPM scripts available in Ivanti's KB (https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US).
For many years now, the security industry has become somewhat reliant on ‘indicators of compromise’ (IoC) to act as clues that an organization has been breached. Every year, companies invest heavily in digital forensic tools to identify the perpetrators and which parts of the network were compromised in the aftermath of an attack.
All too often, businesses are realizing that they are the victims of a cyber attack once it’s too late. It’s only after an attack that a company finds out what made them vulnerable and what they must do to make sure it doesn’t happen again.
This reactive stance was never adequate to begin with, and given today's threat landscape it is untenable, as Ben Rossi describes.
Given the importance of identifying these critical indicators of attack (IoAs), here are eight common attack activities that IT departments should be tracking in order to gain the upper hand in today’s threat landscape.
Here are three IoAs that are both meaningful and relatively easy to detect:
Can you detect out-of-the-ordinary or new behavior? To quote the SANS Institute: know abnormal to fight evil.
Think about the burglar alarm systems that are common in residential neighborhoods. To the casual observer, an alarm system makes a lot of sense. It watches your home while you are asleep or away, and calls the police or fire department if anything happens. So for a small monthly fee you feel secure. Unfortunately, there are a few things that the alarm companies don't tell you.
1) Between 95% and 97% of calls (depending on the time of year) are false alarms.
2) The police regard calls from alarm companies as the lowest priority and it can take anywhere between 20-30 minutes for them to arrive. It only takes the average burglar 5 minutes to break and enter, and be off with your valuables.
3) In addition to this, if your call does turn out to be a false alarm, the police and fire department have introduced hefty fines. It is about $130 for the police to be called out, and if fire trucks are sent, they charge around $410 per truck (protocol is to send 3 trucks). So as you can see, one false alarm can cost you well over $1,200.
With more than 2 million annual burglaries in the U.S., perhaps it’s worth putting up with so many false positives in service of the greater deterrent? Yes, provided we can sort out the false alarms which sap the first responder.
The same is true of information security. If we know which alerts to respond to, we can focus our time on those important alerts. Tuning the system to reduce the alerts, and removing the false positives so we can concentrate only on valid alerts, gives us the ability to respond only to the security events that truly matter.
While our technology does an excellent job of detecting possible security events, it’s our service, which examines these alerts and provides experts who make it relevant using context and judgement, that makes the difference between a rash of false positives and the ones that truly matter.
Given today’s threat landscape, let’s acknowledge that a breach has either already occurred within our network or that it’s only a matter of time until it will. Security prevention strategies and technologies cannot guarantee safety from every attack. It is more likely that an organization has already been compromised, but just hasn’t discovered it yet.
Operating with this assumption reshapes detection and response strategies in a way that pushes the limits of any organization’s infrastructure, people, processes and technologies.
In the current threat landscape, a prevention-only focus is not enough to address determined and persistent adversaries. Additionally, with common security tools, such as antivirus and Intrusion Detection Systems (IDS), it is difficult to capture or mitigate the full breadth of today’s breaches. Network edge controls may keep amateurs out, but talented and motivated attackers will always find the means to get inside these virtual perimeters. As a result, organizations are all too often ill prepared when faced with the need to respond to the depth and breadth of a breach.
Assume Breach is a mindset that guides security investments, design decisions and operational security practices. Assume Breach limits the trust placed in applications, services, identities and networks by treating them all—both internal and external—as not secure and probably already compromised.
While Prevent Breach security processes, such as threat modeling, code reviews and security testing, may be common in secure development lifecycles, Assume Breach adds numerous advantages that improve overall security by exercising and measuring reactive capabilities in the event of a breach.
With Assume Breach, security focus changes to identifying and addressing gaps in:
Assume Breach verifies that protection, detection and response mechanisms are implemented properly — even reducing potential threats from “knowledgeable attackers” (using legitimate assets, such as compromised accounts and machines).
To defend effectively, we must:
Since this can be overwhelming for all but the largest organizations, many organizations use our SIEM Simplified service to supplement their existing teams. We contribute our technology, people and processes to the blue team and help defend the network.
Symptom
Account Lockouts in Active Directory
Additional Information
"User X" is getting locked out, and Security Event ID 4740 is logged on the respective domain controllers with detailed information.
Reason
The common causes for account lockouts are:
Troubleshooting Steps Using EventTracker
Search the Security log for Event ID 4740, the event that is logged whenever an account gets locked out, and run the search. Expand a matching record (the + sign in EventTracker) to see its full details. A 4740 event looks like this, and its fields are what we use to troubleshoot the lockout:
| Field | Value |
|---|---|
| Log Name | Security |
| Source | Microsoft-Windows-Security-Auditing |
| Date | MM/DD/YYYY HH:MM:SS PM |
| Event ID | 4740 |
| Task Category | User Account Management |
| Level | Information |
| Keywords | Audit Success |
| User | N/A |
| Computer | COMPANY-SVRDC1 |
| Description | A user account was locked out. |
| Subject: Security ID | NT AUTHORITY\SYSTEM |
| Subject: Account Name | COMPANY-SVRDC1$ |
| Subject: Account Domain | TOONS |
| Subject: Logon ID | 0x3E7 |
| Account That Was Locked Out: Security ID | S-1-5-21-1135150828-2109348461-2108243693-1608 |
| Account That Was Locked Out: Account Name | demouser |
| Additional Information: Caller Computer Name | DEMOSERVER1 |
| Field | Description |
|---|---|
| DateTime | Date and time the event originated, shown in GMT. |
| Source | Name of the application or system service that originated the event. |
| Type | Warning, Information, Error, Success, Failure, etc. |
| User | The user, service or computer that initiated the event (a name ending in $ is a computer account, so the event was system-initiated). |
| Computer | Name of the server or workstation where the event was logged. |
| EventID | Numerical ID of the event. |
| Description | The entire unparsed event message. |
| Log Name | The name of the event log (e.g. Application, Security, System). |
| Task Category | A name for a subclass of events within the same event source. |
| Level | Warning, Information, Error, etc. |
| Keywords | Audit Success, Audit Failure, Classic, Connection, etc. |
| Category | Name of an aggregate event class, corresponding to the categories present in Windows Server 2003. |
| Subject: Security ID | SID of the account that initiated the action (for a lockout this is SYSTEM on the domain controller). |
| Subject: Account Name | Name of the account that initiated the action. |
| Subject: Account Domain | Domain of the account that initiated the action. |
| Subject: Logon ID | A number that uniquely identifies the logon session of the account that initiated the action; use it to correlate all actions within one logon session. |
| Account That Was Locked Out: Security ID | SID of the locked-out user. |
| Account That Was Locked Out: Account Name | Name of the locked-out user. |
| Caller Computer Name | The computer where the failed logon attempts that triggered the lockout occurred. This is where to look next. |
Resolution
Log on to the computer named in Caller Computer Name (DEMOSERVER1) and look for one of the causes listed above. To narrow down which cause applies, use the logon type of the failed logons recorded on that computer:
| Code | Value | Meaning | Resolution |
|---|---|---|---|
| 0 | System | Used only by the System account. | No evidence so far that this contributes to account lockouts. |
| 2 | Interactive | A user logged on to this computer. | User typed a wrong password at the console. |
| 3 | Network | A user or computer logged on to this computer from the network. | User typed a wrong password from the network; this can be a connection from a mobile phone, a mapped network share, etc. |
| 4 | Batch | Used by batch servers, where processes may execute on behalf of a user without their direct intervention. | A batch job or scheduled task is configured with an expired or wrong password. |
| 5 | Service | A service was started by the Service Control Manager. | A service is configured with a wrong password. |
| 6 | Proxy | Indicates a proxy-type logon. | No evidence so far that this contributes to account lockouts. |
| 7 | Unlock | This workstation was unlocked. | User typed a wrong password at a password-protected screen saver or lock screen. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network, so the credentials do not traverse the network in plaintext (also called cleartext). | No evidence so far that this contributes to account lockouts. |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity but uses different credentials for other network connections. | User started an application with the RunAs command but supplied a wrong password. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | User typed a wrong password while logging on to this computer remotely via Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | No evidence so far that this contributes to account lockouts, as the domain controller is never contacted. |
| 12 | CachedRemoteInteractive | Same as RemoteInteractive. This is used for internal auditing. | No evidence so far that this contributes to account lockouts, as the domain controller is never contacted. |
| 13 | CachedUnlock | This workstation was unlocked with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | No evidence so far that this contributes to account lockouts, as the domain controller is never contacted. |
How do you identify the logon type for the locked-out account?
Just as shown earlier for Event ID 4740, search for Event ID 4625 (An account failed to log on) using EventTracker and check the details of the failures for that account:
| Field | Value |
|---|---|
| Log Name | Security |
| Source | Microsoft-Windows-Security-Auditing |
| Date | date |
| Event ID | 4625 |
| Task Category | Logon |
| Level | Information |
| Keywords | Audit Failure |
| User | N/A |
| Computer | COMPANY-SVRDC1 |
| Description | An account failed to log on. |
| Subject: Security ID | SYSTEM |
| Subject: Account Name | COMPANY-SVRDC1$ |
| Subject: Account Domain | TOONS |
| Subject: Logon ID | ID |
| Logon Type | 7 |
| Account For Which Logon Failed: Security ID | NULL SID |
| Account For Which Logon Failed: Account Name | demouser |
| Account For Which Logon Failed: Account Domain | TOONS |
| Failure Information: Failure Reason | An Error occurred during Logon. |
| Failure Information: Status | 0xc000006d |
| Failure Information: Sub Status | 0xc0000380 |
| Process Information: Caller Process ID | 0x384 |
| Process Information: Caller Process Name | C:\Windows\System32\winlogon.exe |
| Network Information: Workstation Name | computer name |
| Network Information: Source Network Address | IP address |
| Network Information: Source Port | 0 |
| Detailed Authentication Information: Logon Process | User32 |
| Detailed Authentication Information: Authentication Package | Negotiate |
| Detailed Authentication Information: Transited Services | – |
| Detailed Authentication Information: Package Name (NTLM only) | – |
| Detailed Authentication Information: Key Length | 0 |
Logon Type 7 tells us that the user typed a wrong password at a password-protected screen saver (a workstation unlock).
Now we know which cause to target, and how to find it in the logs.
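The triage step described above, as an added example that is not part of the original article or of EventTracker's product: it parses a flattened 4625 description, picks the "Account For Which Logon Failed" name rather than the Subject name, and maps the Logon Type to the cause and resolution given in the table. The sample record is constructed from the article's event (logon type 7, winlogon.exe as caller); the resolution strings paraphrase the table, and the cached types 11 to 13 are flagged as never reaching the domain controller.

```python
# Logon-type table from the article's "Resolution" column (type 7 is the screen-saver case
# discussed under the event sample; "Unlock" is its standard Windows name).
LOGON_TYPES = {
    7: ("Unlock", "wrong password typed at a password-protected screen saver"),
    9: ("NewCredentials", "RunAs started with a wrong password"),
    10: ("RemoteInteractive", "wrong password at a Terminal Services / Remote Desktop logon"),
    11: ("CachedInteractive", "cached credentials, DC not contacted: no lockout contribution"),
    12: ("CachedRemoteInteractive", "cached credentials, DC not contacted: no lockout contribution"),
    13: ("CachedUnlock", "cached credentials, DC not contacted: no lockout contribution"),
}

# Constructed sample, modelled on the article's 4625 record (trimmed to the fields used here).
SAMPLE_4625 = """An account failed to log on.
Subject:
  Account Name: COMPANY-SVRDC1$
  Logon Type: 7
Account For Which Logon Failed:
  Account Name: demouser
Failure Information:
  Sub Status: 0xc0000380
Process Information:
  Caller Process Name: C:\\Windows\\System32\\winlogon.exe
"""

def parse_4625(description):
    """Split the description into {section: {field: value}}; "Account Name" occurs in
    more than one section, so the current section header must be tracked."""
    sections, current = {"Header": {}}, "Header"
    for raw in description.splitlines():
        line = raw.strip()
        if line.endswith(":"):                 # a section header such as "Subject:"
            current = line[:-1]
            sections[current] = {}
            continue
        key, sep, value = line.partition(":")  # split at the first colon only, so the
        if sep:                                # drive letter in "C:\Windows\..." survives
            sections[current][key.strip()] = value.strip()
    return sections

def triage(description):
    """Map one failed logon to the likely lockout cause from the table above."""
    ev = parse_4625(description)
    logon_type = int(ev["Subject"]["Logon Type"])
    value, cause = LOGON_TYPES.get(logon_type, ("Unknown", "logon type not in this table"))
    return {
        "account": ev["Account For Which Logon Failed"]["Account Name"],
        "logon_type": logon_type,
        "logon_type_value": value,
        "caller_process": ev["Process Information"]["Caller Process Name"],
        "sub_status": ev["Failure Information"]["Sub Status"],
        "likely_cause": cause,
        "dc_contacted": logon_type not in (11, 12, 13),  # cached types never reach the DC
    }
```

Running `triage` over every 4625 returned by the log search for the locked-out account groups the failures by logon type, which is the "reason to target" the article refers to.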
Applies to
Microsoft Windows Servers
Microsoft Windows Desktops
Contributors
Ashwin Venugopal, Subject Matter Expert at EventTracker
Satheesh Balaji, Security Analyst at EventTracker
Network Security Basic Training Series: Data
In this fifth article of the series, we continue to explore some of the basic ways that businesses of all sizes can keep their networks safer. These include tools you can implement on your own, along with an explanation of why taking action is so important to the safety of your business.
Today we will discuss the topic of data and ways to keep track of where sensitive data resides and where it is going.
A common phrase in the IT community is that “you can’t secure what you can’t manage”; another way to think of this is that you cannot secure what you don’t even know exists on your network.
To tackle the task of securing your company data, you first have to know where it exists. Many corporate users don’t realize where they may be putting their data, and many corporate network administrators and executives may not realize where their employees may be putting the data that runs their company.
To get started, I recommend that you take inventory of what PCs, servers, laptops, tablets, and phones are on your network and able to connect to your shared drives, email, and other systems. If you already have an inventory, chances are it may reside in a spreadsheet or other document, and if it is a little outdated or not complete, it’s time to do it again.
Ideally you should have a system in place that does automatic inventory and keeps a central database up to date with any new devices or changes to the systems being monitored. Before you do any type of inventory of corporate-owned devices, be sure that you have permission (in writing) before you start.
You shoul