Chuck Leaver – More Of The Same From The Verizon DBIR 2016 Report

Written By Dr Al Hartmann And Presented By Chuck Leaver, Ziften CEO

The 2016 Data Breach Investigations Report from Verizon Enterprise has been released, analyzing 64,199 security incidents that resulted in 2,260 confirmed breaches. Verizon defines an incident as an event that compromises the integrity, confidentiality, or availability of an information asset, and a breach as an incident that results in confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than suffering them, Verizon devotes several sections to recommended controls for security-conscious organizations. If you don't want to read the full 80-page report, Ziften offers this DBIR analysis with a focus on those Verizon recommendations that an EDR tool can deliver or support:

Vulnerabilities Recommended Controls

A strong EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including exposure timelines (how long each vulnerable component stayed exposed after its fix became available) that show how effective vulnerability management has been. The exposure timelines matter because Verizon stresses a methodical approach that emphasizes consistency and coverage over haphazard, ad hoc patching.

Phishing Recommended Controls

Although Verizon recommends user training to reduce susceptibility to phishing, its data still shows roughly a third of phishing messages being opened, and users clicking the link or attachment in more than one case in ten. Not good odds if you have at least ten users! Given that a click compromise is inevitable, Verizon advises investing in detection of anomalous network activity indicative of pivoting, command-and-control (C2) traffic, or data exfiltration. A sound EDR solution will not only record endpoint network activity but also filter it against network threat feeds that identify known malicious destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which enriches network flow data with endpoint context and attribution (which host and which process made each connection), so SOC staff have the decision context needed to resolve network alerts quickly.
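The two detection steps just described, as an added example that is not Ziften code or part of the DBIR: endpoint-attributed flow records are first filtered against a threat feed, then each (host, process, destination) tuple is checked for the regular inter-connection timing typical of C2 beaconing. The flow records, threat-feed addresses (documentation ranges only), process names and thresholds are all constructed for this illustration.

```python
"""Post-click detection over endpoint-attributed network flows (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed threat feed of known-bad destinations (example values only;
# a real deployment would load a vendor or open-source feed).
THREAT_FEED = {"198.51.100.7", "203.0.113.99"}

# Constructed flow records as an EDR agent might emit them. Each flow already
# carries the host and the process that made it (the endpoint attribution the
# text describes). Fields: (timestamp_s, host, process, dst_ip, dst_port).
FLOWS = [
    # powershell.exe connecting to one address roughly every 60 s (low jitter)
    *[(t, "wks-17", "powershell.exe", "203.0.113.5", 443)
      for t in (0, 61, 119, 181, 240, 301, 359, 420)],
    # chrome.exe browsing: several destinations, irregular timing
    (5, "wks-17", "chrome.exe", "192.0.2.10", 443),
    (9, "wks-17", "chrome.exe", "192.0.2.11", 443),
    (97, "wks-17", "chrome.exe", "192.0.2.10", 443),
    (402, "wks-17", "chrome.exe", "192.0.2.12", 443),
    # outlook.exe contacting an address that is on the threat feed
    (33, "wks-17", "outlook.exe", "198.51.100.7", 80),
    # another host's hourly update check: regular, but too few samples to judge
    (10, "wks-22", "svchost.exe", "192.0.2.50", 80),
    (3610, "wks-22", "svchost.exe", "192.0.2.50", 80),
]

MIN_BEACON_EVENTS = 6   # need enough intervals before calling timing "regular"
MAX_JITTER_CV = 0.15    # coefficient of variation of inter-arrival times


def feed_hits(flows, feed=THREAT_FEED):
    """Flows whose destination is on the threat feed, with process attribution."""
    return [{"host": h, "process": p, "dst": d, "port": port, "reason": "threat-feed"}
            for (_, h, p, d, port) in flows if d in feed]


def beacon_candidates(flows, min_events=MIN_BEACON_EVENTS, max_cv=MAX_JITTER_CV):
    """Flag (host, process, destination, port) tuples with regularly spaced connections.

    Regularity is measured as stdev/mean of the gaps between consecutive
    connections; benign browsing has a high value, a sleep-loop beacon a low one.
    """
    by_key = defaultdict(list)
    for ts, host, proc, dst, port in flows:
        by_key[(host, proc, dst, port)].append(ts)
    findings = []
    for (host, proc, dst, port), times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            findings.append({"host": host, "process": proc, "dst": dst, "port": port,
                             "reason": "beacon", "period_s": round(mean(gaps)),
                             "cv": round(cv, 3)})
    return findings


def triage(flows):
    """Both checks together; the process name is what lets an analyst decide fast."""
    return feed_hits(flows) + beacon_candidates(flows)


if __name__ == "__main__":
    for finding in triage(FLOWS):
        print(finding)
```

The beacon check deliberately requires a minimum number of observations: two regularly spaced update checks are not evidence of anything, and the attribution field is what turns "something on wks-17 talks to 203.0.113.5 every minute" into "powershell.exe on wks-17 does", which is a very different triage decision.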

Web App Attacks Recommended Controls

Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR service will monitor login activity and apply anomaly checks to detect unusual login patterns indicative of compromised credentials.

Point-of-Sale Intrusions Recommended Controls

Verizon recommends (as FireEye/Mandiant has also strongly advised) strict network segmentation of point-of-sale devices. Again, a strong EDR service should be tracking network activity (to identify anomalous network contacts), and ZFlow in particular adds valuable decision context for suspect network activity. EDR systems also address Verizon's recommendation to monitor remote logins to POS devices. Verizon additionally recommends multi-factor authentication; a strong EDR capability complements that with login pattern anomaly checking, since even MFA can be defeated by man-in-the-middle attacks that relay the user's credentials and one-time code.

Insider and Privilege Abuse Recommended Controls

Verizon advises that you "monitor the heck out of [employee] authorized daily activity." Continuous endpoint monitoring by a solid EDR product provides exactly this. In Ziften's case, our software tracks the periods a user is present and what the user is doing while present (such as foreground application use). Anomaly monitoring can identify unusual deviations in activity pattern, whether temporal (something has changed this user's normal activity pattern) or spatial (this user's behavior pattern differs significantly from peers' patterns).

Verizon also recommends tracking the use of USB storage devices, which solid EDR systems provide, since such devices can serve as a "sneakernet" exfiltration route.

Miscellaneous Errors Recommended Controls

Verizon's recommendations in this area focus on keeping a record of past errors to serve as a warning of errors to avoid in future. Solid EDR systems do not forget: they keep an archival record of endpoint and user activity going back to their initial deployment. These records remain searchable at any time, potentially long after a future incident has revealed an intrusion and response teams need to go back and "find patient zero" to unravel the incident and identify where errors were made.

Physical Theft and Loss Recommended Controls

Verizon recommends (and many regulators require) full-disk encryption, especially for mobile devices. A proper EDR system will verify that endpoint configurations comply with the enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost roughly one hundred times more often than they are physically stolen, but the impact on the affected business is essentially the same.

Crimeware Recommended Controls

Once again, Verizon stresses vulnerability management and consistent, thorough patching. As noted above, appropriate EDR tools identify and track vulnerability exposures. In Ziften's case, this is keyed off the National Vulnerability Database (NVD), matched against process image records from our endpoint monitoring. This yields an up-to-date vulnerability assessment at any moment.
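The exposure timelines described under Vulnerabilities above and the NVD-against-process-image matching described here, as one added example (not Ziften code and not the NVD's own data model): NVD-style entries are matched against version-stamped process image observations, and for each host and vulnerability the tool computes when exposure began (the later of the advisory date and the first observation of a vulnerable version), when it ended (first later observation of a fixed version, or still open), and the resulting exposure in days, plus the coverage and consistency summary Verizon's methodical-patching advice calls for. The CVE identifiers, products, versions, hosts and dates are all constructed placeholders.

```python
"""Vulnerability exposure timelines from NVD-style data and process images (added example)."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed NVD-style entries with placeholder identifiers (not real CVEs).
# Any observed version strictly below "fixed" is treated as vulnerable.
VULNS = [
    {"cve": "CVE-EXAMPLE-0001", "product": "widgetreader", "fixed": "3.2.1",
     "published": date(2016, 1, 10)},
    {"cve": "CVE-EXAMPLE-0002", "product": "browserx", "fixed": "49.0",
     "published": date(2016, 2, 1)},
]

# Constructed process-image inventory from endpoint monitoring:
# (snapshot_date, host, product, version seen executing on that date).
INVENTORY = [
    (date(2016, 1, 5), "wks-1", "widgetreader", "3.1.0"),
    (date(2016, 1, 20), "wks-1", "widgetreader", "3.1.0"),
    (date(2016, 1, 25), "wks-1", "widgetreader", "3.2.1"),   # patched
    (date(2016, 1, 5), "wks-2", "widgetreader", "3.1.0"),
    (date(2016, 3, 1), "wks-2", "widgetreader", "3.1.0"),    # still exposed
    (date(2016, 2, 3), "wks-1", "browserx", "48.0"),
    (date(2016, 2, 5), "wks-1", "browserx", "49.0"),
    (date(2016, 2, 3), "wks-2", "browserx", "48.0"),
    (date(2016, 2, 28), "wks-2", "browserx", "49.0"),
]

AS_OF = date(2016, 3, 15)   # "today" for open exposures


def vtuple(version):
    """Dotted numeric version string to a comparable tuple (e.g. '3.2.1' -> (3, 2, 1))."""
    return tuple(int(x) for x in version.split("."))


def exposures(vulns, inventory, as_of):
    """One record per (host, CVE) that was ever observed vulnerable.

    start: later of advisory publication and first vulnerable observation
    end:   first fixed-version observation after the last vulnerable one, or None
    days:  exposure window length, measured up to as_of when still open
    """
    out = []
    for v in vulns:
        fixed = vtuple(v["fixed"])
        by_host = defaultdict(list)
        for d, host, product, ver in inventory:
            if product == v["product"]:
                by_host[host].append((d, vtuple(ver) < fixed))
        for host, obs in by_host.items():
            obs.sort()
            vuln_dates = [d for d, is_vuln in obs if is_vuln]
            if not vuln_dates:
                continue   # host only ever ran fixed versions
            start = max(vuln_dates[0], v["published"])
            later_fixed = [d for d, is_vuln in obs if not is_vuln and d > vuln_dates[-1]]
            end = later_fixed[0] if later_fixed else None
            out.append({"host": host, "cve": v["cve"], "start": start, "end": end,
                        "days": ((end or as_of) - start).days})
    return out


def summary(exps, sla_days=30):
    """Coverage (how many exposures are closed) and consistency (how long they took)."""
    closed = [e for e in exps if e["end"] is not None]
    return {
        "total": len(exps),
        "patched": len(closed),
        "open": len(exps) - len(closed),
        "median_days": median(e["days"] for e in exps) if exps else 0,
        "max_days": max((e["days"] for e in exps), default=0),
        "within_sla": sum(1 for e in closed if e["days"] <= sla_days),
    }


if __name__ == "__main__":
    ex = exposures(VULNS, INVENTORY, AS_OF)
    for e in ex:
        print(e)
    print(summary(ex))
```

Two practitioner caveats the code makes visible: an open exposure keeps growing until it is closed or the host disappears (wks-2 here shows 65 days and counting), and the clock starts at the advisory date, not at the date the vulnerable version was installed, so the metric measures the patching process rather than penalizing software that was fine when deployed.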

Verizon also recommends capturing malware analysis data from your own enterprise environment. EDR tools track the arrival and execution of new binaries, and Ziften's product can retrieve samples of any binary present on enterprise endpoints and submit them for detailed static and dynamic analysis by our malware research partners.

Cyber-Espionage Recommended Controls

Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now calls endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps whose compliance can be verified by EDR tools.

Verizon also recommends strong network defenses. We have already discussed how Ziften ZFlow can considerably enhance conventional network flow monitoring with endpoint context and attribution, providing a fusion of network and endpoint security that is truly end-to-end.

Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on-scene to assist with a breach. This is the prime function of EDR tools, since the endpoint is the most frequent entry vector in a major data breach.

Denial-of-Service Attacks Recommended Controls

Verizon recommends controlling port access to prevent enterprise assets from being used to participate in a DoS attack. EDR systems can track port use per application and apply anomaly checks to identify unusual application port use that may indicate compromise, or a host that has been conscripted into an attack.
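The per-application port check just described, as an added example (not Ziften code): a learning window establishes which destination ports each process normally uses, after which a process using a port outside its baseline, or one process suddenly contacting a large number of distinct destinations on one port (the fan-out signature of a host participating in a flood), is flagged. Hosts, process names, addresses and the fan-out limit are constructed for the illustration.

```python
"""Per-application port baseline and fan-out check (added example)."""
from collections import defaultdict

# Constructed learning-window flows: (host, process, dst_ip, dst_port).
LEARN = [
    ("srv-3", "curl", "192.0.2.20", 443),
    ("srv-3", "ntpd", "192.0.2.30", 123),
    ("srv-3", "ntpd", "192.0.2.31", 123),
    ("srv-3", "app", "10.0.0.5", 5432),
    ("srv-3", "app", "10.0.0.6", 8080),
]

# Constructed flows from a later window: ntpd has been replaced or hijacked
# and now hits 100 distinct addresses on port 80; curl tries one new port.
NEW = [("srv-3", "app", "10.0.0.5", 5432)]
NEW += [("srv-3", "ntpd", f"203.0.113.{i}", 80) for i in range(1, 101)]
NEW += [("srv-3", "curl", "192.0.2.9", 8443)]

FANOUT_LIMIT = 50   # distinct destinations on one port before we call it a flood


def learn_ports(flows):
    """Baseline: the set of destination ports each process was seen using."""
    baseline = defaultdict(set)
    for _host, proc, _dst, port in flows:
        baseline[proc].add(port)
    return baseline


def port_anomalies(baseline, flows, fanout_limit=FANOUT_LIMIT):
    """Flag (a) ports outside a process's baseline, once per host/process/port,
    and (b) a process fanning out to many destinations on a single port."""
    findings, seen_new, dests = [], set(), defaultdict(set)
    for host, proc, dst, port in flows:
        key = (host, proc, port)
        if port not in baseline.get(proc, set()) and key not in seen_new:
            seen_new.add(key)
            findings.append({"host": host, "process": proc, "port": port,
                             "reason": "new-port"})
        dests[key].add(dst)
    for (host, proc, port), d in dests.items():
        if len(d) >= fanout_limit:
            findings.append({"host": host, "process": proc, "port": port,
                             "reason": "fanout", "destinations": len(d)})
    return findings


if __name__ == "__main__":
    for f in port_anomalies(learn_ports(LEARN), NEW):
        print(f)
```

A process that legitimately needs a new port will trip the first check once and then be added to the baseline; the fan-out check is the one that matters for Verizon's point, since a compromised host joining a DoS attack will usually use a port that looks ordinary (80 or 443) but to an extraordinary number of targets.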

Enterprise services moving to cloud providers also need protection from DoS attacks, which the cloud provider may supply. But when it comes to network traffic monitoring in the cloud, where the enterprise may lack visibility into the provider's network, solutions like Ziften ZFlow provide a means of collecting enriched network flow data directly from cloud virtual servers. Do not let the cloud become your network blind spot, or attackers will exploit it to fly under your radar.
