Archive for June, 2015

Chuck Leaver – Eight Keys To The Eight Principles Of The OMB Data Breach 30 Day Cyber Security Sprint

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

After suffering an enormous data breach at the Office of Management and Budget (OMB), agencies were commissioned by Tony Scott, Federal Chief Information Officer, to take instant and specific actions over the next 4 weeks to additionally enhance the security of their data and systems. For this large organization it was a vibrant step, however the lessons learned from software application development showed that acting fast or sprinting can make a lot of headway when approaching an issue in a small amount of time. For large organizations this can be particularly true and the OMB is definitely big.

There were 8 principles that were concentrated on. We have actually broken these down and provided insight on how each concept could be more efficient in the timeframe to help the government make substantial inroads in just a month. As you would expect we are looking at things from the endpoint, and by checking out the 8 principles you will find how endpoint visibility would have been key to an effective sprint.

1. Securing data: Better protect data at rest and in transit.

This is a good start, and rightly priority number one, but we would definitely recommend to OMB to add the endpoint here. Lots of data protection systems forget the endpoint, however it is where data can be most susceptible whether at rest or in transit. The group needs to check to see if they have the capability to evaluate endpoint software and hardware setup, including the presence of any data protection and system security agents, not forgetting Microsoft BitLocker setup checking. And that is just the start; compliance checking of mandated agents must not be forgotten and it should be performed continually, allowing for the audit reporting of percentage coverage for each agent.

2. Improving situational awareness: Improve indication and warning.

Situational awareness is similar to visibility; can you see exactly what is really happening and where and why? And obviously this needs to remain in real time. While the sprint is occurring it should be verified that identity and tracking of logged-in users,, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, noteworthy log events and a myriad of other activity indications across numerous thousands of endpoints hosting large oceans of procedures is possible. THIS is situational awareness for both warning and indication.

3. Increasing cyber security efficiency: Make sure a robust capacity to recruit and retain cyber security workers.

This is a difficulty for any security program. Finding fantastic skill is challenging and keeping it even more so. When you want to attract this type of skillset then encourage them by providing the current tools for cyber battle. Make sure that they have a system that offers total visibility of exactly what is taking place at the endpoint and the whole environment. As part of the sprint the OMB ought to analyse the tools that are in place and check whether each tool changes the security group from the hunted to the hunter. If not then replace that tool.

4. Increase awareness: Enhance overall threat awareness by all users.

Threat awareness starts with effective threat scoring, and luckily this is something that can be accomplished dynamically all the way to the endpoint and assist with the education of every user. The education of users is a problem that is never finished, as evidenced by the high success of social engineering attacks. But when security teams have endpoint threat scoring they have concrete products to show to users to demonstrate where and how they are vulnerable. This reality situational awareness (see # 2) boosts user knowledge, as well as supplying the security team with exact details on say, understood software vulnerabilities, cases of jeopardized credentials and insider attackers, along with constantly keeping track of system, user, and application activity and network points of contact, in order to apply security analytics to highlight elevated threats causing security personnel triage.

5. Standardizing and automating processes: Reduce time needed to handle configurations and patch vulnerabilities.

More protection ought to be demanded from security services, and that they are instantly deployable without tiresome preparation, network standup or substantial personnel training. Did the services in place take longer than a couple of days to implement and require another full time employee (FTE) or maybe 1/2 a FTE? If so you have to rethink those services due to the fact that they are most likely hard to use (see # 3) and aren’t getting the job done that you need so you will have to enhance the current tools. Also, search for endpoint services that not just report software application and hardware configurations and active services and processes, but applies the National Vulnerability Database to report on actual running exposed vulnerabilities and then associates an overall vulnerability rating for each endpoint to assist in patching prioritization by over worked support staff.

6. Controlling, containing and recuperating from events: Contain malware expansion, privilege escalation, and lateral motion. Quickly identify and deal with events and incidents.

The fast identification and response to problems is the primary goal in the new world of cyber security. Throughout their 1 Month sprint, OMB ought to examine their solutions and be sure to discover technologies that can not only monitor the endpoint, however track every process that runs and all of its network contacts consisting of user login efforts, to facilitate tracking of destructive software expansion and lateral network motion. The data stemmed from endpoint command and control (C2) accesses connected with major data breaches suggests that about half of compromised endpoints do not host recognizable malware, increasing the significance of login and contact activity. Proper endpoint security will monitor OMB data for long term analysis, considering that lots of indicators of compromise become available only after the occasion, or perhaps long afterwards, while relentless hackers may silently lurk or stay dormant for long periods of time. Attack code that can be sandbox detonated and identified within minutes is not a sign of advanced hackers. This capability to keep clues and connect the dots throughout both spatial and temporal dimensions is important to complete identification and complete non-recidivist resolution.

7. Strengthening systems lifecycle security: Boost inherent security of platforms by purchasing more secure systems and retiring traditional systems in a prompt manner.

This is a reputable goal to have, and a huge difficulty at a big organization such as OMB. This is another place where appropriate endpoint visibility can instantly measure and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint mishaps (such as application crashes or hangs, service failures, or system crashes), and other indications of endpoints outlasting their helpful or secure service lives. Now you have a full stock list that you can focus on for retirement and replacement.

8. Minimizing attack surfaces: Reduce the complexity and quantity of things defenders have to protect.

If numbers 1 through 7 are implemented, and the endpoint is thought about properly, this will be a substantial step in minimizing the attack threat. However, in addition, endpoint security can likewise really offer a visual of the real attack surface. Consider the capability to quantify attack surface area, based upon a number of distinct binary images exposed throughout the whole endpoint population. For example, our ‘Ziften Pareto analysis’ of binary image frequency stats produces a common “ski slope” distribution, with a long skinny distribution tail showing vast varieties of extremely unusual binary images (present on less than 0.1% of total endpoints). Ziften recognizes attack surface area bloat factors, including application sprawl and version expansion (which also intensifies vulnerability lifecycle management). Data from lots of customer deployments exposes egregious bloat elements of 5-10X, compared to a firmly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surface areas produces a target-rich attackers’ paradise.

The OMB sprint is a great reminder to all of us that good things can be achieved quickly, but that it takes vision, not to mention visibility. Visibility, to the endpoint, will be an important piece for OMB to consider as part of their 30-day sprint.

 

Chuck Leaver – The Cost Of Data Breaches Are Up And The Third Reason Will Surprise You

Written by Patrick Kilgore presented by Chuck Leaver CEO Ziften.

Just recently 2 significant reports were released that celebrated large anniversaries. On the one hand, we saw the Mary Meeker 20th yearly Internet study. A part of the original market analysis on the Internet was led by Meeker several years ago and this report saw her mark Twenty Years of affecting opinions on the Internet. And 10 years after Meeker’s very first observations on the Internet there was the first research study of data breach costs by the Ponemon Institute.

Just 10 years after the creation of the Internet it was revealed that there is an ugly drawback to the service that supplies significant benefits to our organizations and our lives. Today there are more annual research studies released about data breaches than the Internet itself. Recently we spent hours evaluating and absorbing two of the greatest data breach reports in the market, the already mentioned Ponemon report and the now very influential Verizon DBIR (the report is essential enough just to utilize an acronym).

There were intersections between the two reports, but the Verizon report is worthy of credit because if you’ve had the ability to do anything in security for 10 years, you must be doing something right. There are numerous interesting stats in the report but the reasons for the total costs of data breaches skyrocketing were of the most interest to us.

The Ponemon research studies have actually revealed 3 drivers behind the increased cost of a breach. The very first is that cyber attacks have increased in number and this has correlated in greater costs to remediate these attacks. An increased per capita cost from $159 to $170 year on year has actually been pointed out. That’s a 5% jump from 42% to 47% of the overall root causes of a breach. Likewise, lost profits as a result of a data breach have actually increased. In the aggregate, this increased from $1.33 M to $1.57 M in 2015. The reasons are because of the abnormal customer turnover, the increased acquisition activity, and loss of goodwill that results from being the target of a harmful attack. However, the most intriguing reason offered is that data breach expenses associated with detection and escalation have actually increased.

These expenses include examinations and forensics, crisis group management and audits and assessments. Now the trend appears to be gathering speed at just shy of an incredible $1Billion. Organizations are only now beginning to implement the solutions needed to continuously monitor the endpoint and offer a clear picture of the root cause and complete impact of a breach.

Organizations not just have to monitor the increase of gadgets in a BYOD world, however also look to enhance the security resources they have actually already invested in to minimize the costs of these investigations. Threats need to be halted in real time, rather than recognized retrospectively.

“Prevention may not be possible in the world we live in.” With malicious risks becoming increasingly more typical, organizations will have to evolve their M.O. beyond conventional AV solutions and look to the endpoint for total protection,” stated Larry Ponemon in his webcast with IBM.

 

The Increased Use Of BYOD Means Increased Risk Through Employee Sharing And Passwords – Chuck Leaver

Written By Ziften Technologies CEO Chuck Leaver

If your company has carried out a bring your own device (BYOD) policy then you will be putting yourself at increased risk of cyber criminal activity and the loss of your data, due to the fact that the devices will normally have insufficient control and endpoint security in place. With mobile devices, workers typically access customer cloud services and utilise password practices that are not secure enough, and this represents a large portion of the dangers connected to BYOD. The use of endpoint software that offers visibility into exactly what is running on a device can assist IT departments to understand and address their vulnerabilities.

BYOD is a typical approach for executives and employees to gain access to delicate corporate data on their individual tablets, laptop computers and mobile phones. Practically 9 from 10 businesses in Australia had given a variety of their senior IT staff member’s access to crucial company information by means of their own BYOD devices, and 57% asserted that they had provided it to a minimum of 80% of their management, exposed by a ZDNet Study. With less privileged personnel and those that were brand-new the numbers offered BYOD access was still up at 64%. These employees were not given access to financial info though.

With the number of BYOD devices growing, a lot of organizations have actually not implemented the proper endpoint management techniques to make their increasing mobile workflows safe. Almost 50% of the participants said that their organizations had no BYOD policies, and just 17% confirmed that their practices were ISO 27001 certified.

Safe BYOD Is Most likely At Most Risk From Passwords

Those companies that had actually taken actions to secure BYOD the application of password and acceptable use policies were the most common. But passwords may represent an important and special vulnerability in the execution of BYOD, because users frequently utilize the same passwords once again and they are not complex enough. While companies that have a BYOD policy will certainly increase the risks of a hacker attack, there may be an even higher threat which is internal said previous Federal Trade Commission executive Paul Luehr, in an interview with CIO Magazine’s Tom Kaneshige.

Luehr informed Kaneshige “the most common way BYOD policies affect data security and breaches remains in the cross-pollination of passwords.” “A person is probably utilizing the very same or extremely similar password as the one they use on their home devices.”

Luehr kept in mind that prime threats for organizations that allow BYOD are disgruntled workers who will often leak important data once they have been let go, are prime risks for companies that have allowed BYOD. Because of BYOD the distinction between work and home is disappearing, and risky habits such as using social media on business networks is being practiced by some employees, and this can be a prelude to eventually sharing sensitive info either wilfully or thoughtlessly utilizing cloud services. The performance gains that are made with BYOD have to be maintained with the application of comprehensive endpoint security.