Monthly Archives: May 2016

Turning the Tables on Network Attackers Requires Re-thinking Security

Category : Gigamon

One of the most pressing issues facing security today is the problem that network attackers can circumvent preventative security and go to work on a network completely undetected as they explore, establish a greater sphere of control and steal or damage assets. The industry average for dwell time—the amount of time required to detect a network attacker—hovers around five months. Even then, the victimized organization only makes the discovery 15% of the time; it is usually found by a law enforcement agency after the crime has been realized. The number is probably an underestimate, as many attacks are not reported, and some last for years.

Why Attackers Go Undetected

Today less than 1% of enterprises have the ability to find an active network attacker. The dark truth is that unless an attacker is detected during the initial intrusion, most companies are not equipped to find an invader. This represents a major failure of the security industry.

Ask your CISO, or yourself, do you currently have the means to tell if there is an active attacker on your network? If so, how and with what kind of certainty? 99% of security leaders will have to admit that they don’t have this ability.

Can it happen to you? Maybe you have an attacker already inside your network? The best pen testers will guarantee that they can break into any given network within two days. A properly motivated attacker will find a way in. They have a nearly unlimited number of possibilities, and a good number of them will involve a compromise to a user account or machine, if only through spear phishing or social engineering. A defender only has to make one mistake or have one single deficiency to assure the success of an attack.

So it’s likely that you will get a network intruder. It’s also likely that you won’t know about it until it’s far too late. What’s at stake if you aren’t particularly worried about a leak of personally identifiable information (PII) because you don’t deal with consumers?

The Stakes Are Big and Getting Bigger

To a large degree, the world is only seeing the tip of the iceberg of what’s possible with a network attacker. There have been a few hints of what could happen, and it’s worth reviewing these.

Loss of intellectual property (IP) is an important concern. Although there is little news coverage of such activity, it is frighteningly common. There is no standard or expectation to divulge such crime to the public, unless it is a material event for a public company, and even then the notification practices are murky. Most companies would prefer to keep it under wraps. Corporate espionage is widespread, and companies are victimized every day.

The cost of IP loss from American companies has been hundreds of billions of dollars and the loss of more than two million jobs according to a recent 60 Minutes segment.

Another threat is looming. Instead of the outright theft of trade secrets, cybercriminals can potentially access and manipulate data or alter a software-based product to create a backdoor or ticking time bomb that they can use for extortion or theft. Back in 2004, Microsoft Windows 2000 source code was obtained from a Microsoft partner and leaked out broadly. The scenario could have turned out differently: a cybercriminal could have secretly gained direct access to Microsoft, found the source code and modified it. In 2011, perpetrators accessed technology for RSA’s SecurID two-factor authentication product. Again, an unthinkable disaster was averted, but it doesn’t take much imagination to consider what could have been.

Requires a Fundamentally Different Approach

So what can a company do? Clearly the traditional security approach is not good enough. Being able to detect an active attacker on the network takes a fundamentally different approach that requires re-thinking three major security tenets or practices: a new model of what dangers to identify and how; using the network as the starting point; and creating a system that issues only a small number of alerts that are tightly focused on attacker activity.

A New Model for Security

The first “re-thinking,” and most significant, involves a new model for security. Today most solutions are based on a model of “known bad.” This means that a security solution needs to be aware of an exploit or threat and know how to identify it using a signature, hash, Indicator of Compromise (IOC), URL or domain or defined behavior for a software routine or application.

The known bad model is essentially reactive and requires an exploit to first be tried on potential victims. Once the exploit is discovered, security researchers find a technical artifact to identify it and then add that static definition to their software tool to block such threats in the future. The first victims end up getting compromised, but, ideally, this process occurs quickly and definitional updates can be rapidly created, distributed and applied among the customer base for that product. This means that the majority should benefit and have protection sometime after the initial discovery.

The known bad model is only really suited to malware and does very little to detect and stop a targeted attack being run by a real threat actor. When organizations put all of their focus on tools based on a known bad model the result is what largely exists today: network attackers going unnoticed for an average of five months with successful data breaches that put their victims on the front page of newspapers and cost them millions of dollars.

The only effective way to find an active attacker on the network is by their operational activities—especially the “east-west” steps of reconnaissance and lateral movement that are essential in understanding a network new to them and positioning themselves to get at valuable assets. Such activities can be detected using a model of “known good” or “normal,” such as Behavioral Attack Detection.

This known good model assumes nothing other than that an attacker will eventually find their way into your network. Beyond that, there are no preconceived or defined signs or conditions to check against. Good or normal are not defined in advance. They have to be learned from the real users and devices and their usual activities within a particular network. Every company and every network will be different. This learning produces continuously updated profiles of users and devices. From these profiles, one can detect anomalies, and with advanced machine learning it’s possible to refine the anomalies down to just those with a high likelihood of being malicious. Machine learning can also be used to recognize that multiple events may be associated, providing greater confidence in quickly and accurately detecting an attack.

Start with the Network

The second major shift in “re-thinking” to find an active network attacker is using the network as the starting point to find their activities. Based on the likely assumption that an attacker is already in the network, the most effective approach is to see what they are doing on the network to explore, expand control and access assets. It’s difficult to see these things from an endpoint because there is a limited view of the network and no context outside of the endpoint.

Starting with a network view is critical. That is why we partner with Gigamon to optimize the intelligent delivery of select traffic to our platform. The GigaSECURE Security Delivery Platform simply and efficiently directs network traffic to our LightCyber appliance for passive network monitoring.

Stop the Flood

The third required shift involves changing the model for security alerts. Today’s systems alert on any sign of malware or on individual events flagged in logs. The result is a brain-numbing volume of hundreds or thousands of daily alerts that are dominated by false positives. Finding a useful indication of an active attack among them would require pure dumb luck.

Instead, a system designed to detect attackers should create a small handful of alerts that are both focused and accurate, pointing directly to an attack. Generally, there are numerous signals that can be indicative of attack activity and, when presented together as a single alert, the result is accurate and actionable. A security operator can immediately respond, most likely catching the intruder early in their process.

Additive Ability

This new approach complements existing security rather than replacing it. Organizations still need preventative security, since it will stop some 95% of threats. Of course, 95% or even 99% is not good enough, since that leaves plenty of room for an attacker to find a way into your network. Most of these opportunities will likely come from compromising a user account or machine. Humans are often the weakest link, especially against well-researched social engineering or spear phishing. Gaining valid credentials makes it easy for an attacker to establish a foothold and begin a stealthy operation culminating in theft or damage to your assets.

Once an attacker is inside, they are fundamentally at a disadvantage since they won’t know anything about the network. When companies lack the ability to find an attacker, letting them go undiscovered for months, that disadvantage quickly gives way to an impressive advantage. Without Behavioral Attack Detection, attackers have a high probability of accomplishing their goals. Many may never be discovered, and some could stay active for years without being seen. With the LightCyber Magna platform for Behavioral Attack Detection, however, the tables can be turned so the organization regains its inherent advantage. With this shift, companies need no longer be powerless victims of attack activity.

What Gartner’s Approach to Insider Threats is Missing

Category : Imperva

A recent blog by Gartner analysts Anton Chuvakin and Eric Heidt announced a paper on insider threats. Gartner’s definition of insider threat in the paper was limited to those “defined as individuals who were deliberate in their theft, misuse or destruction of data or systems.” It then goes on to state that the paper is “NOT focused on any outsiders who hacked in OR manipulated the insiders, and NOT focused on well-meaning insiders.”

The report itself is an analysis of data Gartner collected from its advisory board. Gartner limited its analysis to only deliberately malicious insiders. The paper is a good read. However, I’d like to take (friendly) issue with generally limiting the definition of an insider threat to deliberately malicious insiders.

About two years ago, we at Imperva decided to take on the challenge of insider threats and think through what our products could do to help solve the problem. From a product point of view, the ultimate result (so far) was our recently announced Imperva CounterBreach product line. But along the way we did a lot of research and customer trials. We then packaged that work into a research report (anonymized, of course) titled Insiders: The Threat is Already Within.

Our research findings revealed that any full accounting of the insider threat needed to include not only the malicious insider, but also what we call the careless and compromised insiders.

An example of a careless insider anomaly we saw involved a DBA who used a service account to access a sensitive database. This is a serious breach waiting to happen. First, service accounts have high privileges that cannot be managed, meaning users can access anything they like using these accounts. Second, the actual identity of the user responsible for operations conducted using a service account cannot be established, meaning there’s little traceability or accountability into these actions. That DBA could take whatever data they want and sell it to the highest bidder. So we can see that disregarding careless insiders is ignoring an imminent and potentially very damaging event.

An example of the compromised insider would be a case discovered by Imperva in which we observed multiple failed login attempts. It involved a user that usually accessed a specific database, but tried to log in to a different database they had never connected to previously, using three different DB accounts. The user finally succeeded in logging into the database using a service account that happened to exist on this machine. In fact, that user was a hacker using a compromised insider’s credentials and enumerating the network. This case illustrates the significant risk your hard working employees pose when infected by malware which enables external hackers to stroll around your corporate systems trying to hack into data sources, steal data and even infect other users. Without identifying compromised insiders, it’s likely this compromise would have continued on unnoticed, indefinitely.

A focus on the malicious insider, while ignoring the potential damage from the careless and the compromised insider, misses a significant part of the risk we’ve seen from insiders. My suggestion to the industry experts who focus on the narrower definition of insider threats is to widen their definition to include the careless and compromised insiders, who pose just as much of a threat, if not more.
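The two anomalies this post describes (a DBA reaching a familiar database through a shared service account, and a user whose credentials try several accounts against a database they have never touched before one succeeds) are exactly the kind of deviation from a learned “known good” profile that the LightCyber post above argues for. The following is an added illustration, not Imperva’s or LightCyber’s code: the audit records are constructed, and the `svc_` service-account naming convention, the five-minute window and the three-account threshold are assumptions.

```python
"""Flag the careless and compromised insider patterns from database audit records.
Added illustration; records are constructed and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: shared service accounts follow an "svc_" naming convention.
SERVICE_ACCOUNTS = {"svc_etl", "svc_backup", "svc_report"}


@dataclass(frozen=True)
class LoginEvent:
    ts: int           # seconds since epoch (constructed values)
    host: str         # workstation the connection came from
    os_user: str      # interactive user logged on at that workstation
    db_account: str   # account presented to the database
    database: str
    success: bool


def learn_baseline(events):
    """Known-good profile: the databases and DB accounts each OS user normally
    uses. Nothing is defined in advance; it is learned from successful logins."""
    dbs, accounts = defaultdict(set), defaultdict(set)
    for e in events:
        if e.success:
            dbs[e.os_user].add(e.database)
            accounts[e.os_user].add(e.db_account)
    return {"databases": dbs, "accounts": accounts}


def detect(events, baseline, window=300, min_accounts=3):
    """Return consolidated alerts, one per anomaly rather than one per log line."""
    alerts = []
    by_target = defaultdict(list)        # (host, database) -> events in time order
    for e in sorted(events, key=lambda x: x.ts):
        by_target[(e.host, e.database)].append(e)

    for (host, db), evs in by_target.items():
        user = evs[0].os_user
        known_db = db in baseline["databases"][user]
        for i, e in enumerate(evs):
            if not e.success:
                continue
            # Careless insider: on a database the user normally reaches with a
            # personal account, a shared service account is presented instead,
            # so the person behind the queries is no longer traceable.
            if known_db and e.db_account in SERVICE_ACCOUNTS \
                    and e.db_account not in baseline["accounts"][user]:
                alerts.append({"type": "service_account_misuse", "user": user,
                               "host": host, "database": db, "account": e.db_account})
            # Compromised insider: a database this user has never connected to,
            # several distinct accounts failing shortly before one succeeds.
            if not known_db:
                failures = [f for f in evs[:i] if not f.success and e.ts - f.ts <= window]
                tried = {f.db_account for f in failures} | {e.db_account}
                if len(tried) >= min_accounts:
                    alerts.append({"type": "credential_enumeration", "user": user,
                                   "host": host, "database": db,
                                   "accounts_tried": sorted(tried),
                                   "succeeded_with": e.db_account,
                                   "via_service_account": e.db_account in SERVICE_ACCOUNTS})
    return alerts


# Constructed audit trail: a learning period, then routine work plus both incidents.
BASELINE_EVENTS = [
    LoginEvent(100, "ws-alice", "alice", "dba_alice", "hr_db", True),
    LoginEvent(200, "ws-alice", "alice", "dba_alice", "hr_db", True),
    LoginEvent(150, "ws-bob", "bob", "bob", "sales_db", True),
    LoginEvent(250, "ws-bob", "bob", "bob", "sales_db", True),
]
NEW_EVENTS = [
    LoginEvent(1000, "ws-bob", "bob", "bob", "sales_db", True),           # routine
    LoginEvent(1100, "ws-alice", "alice", "svc_etl", "hr_db", True),      # DBA on service account
    LoginEvent(1200, "ws-bob", "bob", "bob", "finance_db", False),        # never-used database...
    LoginEvent(1210, "ws-bob", "bob", "admin", "finance_db", False),
    LoginEvent(1220, "ws-bob", "bob", "sa", "finance_db", False),
    LoginEvent(1230, "ws-bob", "bob", "svc_report", "finance_db", True),  # ...opened via service account
]


def run_demo():
    return detect(NEW_EVENTS, learn_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the block yields exactly two alerts for the six new events: one for the DBA’s service-account session and one consolidated enumeration alert listing all four accounts tried against `finance_db`.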

Stop Data Exfiltration

Category : McAfee

In the McAfee Labs Threats Report: August 2015, we take an in-depth look into one of the key steps in the data theft process: data exfiltration.

This step entails the thief or actor moving or copying data from the owner’s network to one that the attacker controls.

In the past 10 years, the industry has seen unprecedented growth in data breaches and the volume of people and organizations that they affect. Breaches have changed from gathering just credit and debit card numbers to now stealing virtually every piece of information we place online: names, dates of birth, addresses, phone numbers, healthcare information, account credentials, and much more.

Unfortunately, individuals are not the only targets. Cyberespionage by nation-states, criminal organizations, and hacktivists puts sensitive individual and organizational data everywhere at risk.

Keeping Streets Safe with in-Car Police Video and NetApp Technology

Category : NetApp

The Challenge: Implement an in-car video solution for 600 patrol cars with automatic download and archiving of high resolution incident videos.

The Solution: Deploy two NetApp® FAS2240HA storage systems supporting secure, fast, and cost-efficient collection, management, and distribution of video evidence.

  • Enhances public and officer safety with access to high quality incident videos
  • Provides secure access to and 99.999% availability of digital video evidence
  • Reduces court time and accelerates prosecution and case resolution
  • Optimizes IP-based surveillance with easy storage management

Privileged Account Security: The Foundation of an Enterprise Security Strategy

Category : Cyber-Ark

The most recent Verizon DBIR confirmed, yet again, that privileged account security is an essential part of an organization’s defense – protecting networks and data from cyber attacks and cyber criminals.

Over 100,000 security incidents and 2,260 confirmed breaches were analyzed to compile this year’s Data Breach Investigations Report (DBIR), which for the first time includes a separate section on credentials – a telltale sign on the increasing importance of Privileged Account Security.

According to the DBIR, approximately 80% of data breaches are executed by external actors, and the predominant motive for the attacks is financial gain. One of the most notable findings is that compromising a network takes less than an hour in 93% of cases.

“As previously alluded to, these cases begin with a phish, featuring an attachment whose mission in its malware life is to steal credentials. If you have legit creds, it doesn’t take a very long time to unlock the door, walk in and help yourself to what’s in the fridge.”

Once in, credentials represent the top data variety that attackers seek. This is mostly due to the large amount of opportunistic banking Trojans and the desire to acquire intellectual property.

Within the credentials section, Verizon reports that 63% of confirmed data breaches involved weak, default or stolen passwords. Among the incident classification patterns (recurring combinations of who (actors), what (assets), how (actions) and why (motive), among other incident characteristics), privilege misuse was the second most common pattern behind credential attacks.

Even more alarming, in Point of Sale attacks, “Ninety-seven percent of breaches featuring use of stolen credentials also had a vector of Partner. This is selected when the Actor uses legitimate partner access in the hacking action.”

In incidents of cyber espionage, the second most prevalent threat action is the use of malware. Specifically, malicious software was involved in 90% of cyber-espionage incidents. The report goes on to mention that whether it’s delivered via email, a web drive-by, or direct/remote installation, protecting the endpoint is critical to thwart malware attacks.

Achieving Privileged Account Security

In a recent presentation, Rob Joyce, chief of the NSA’s Tailored Access Operations, remarked that privileged credentials of network administrators and other privileged users are sought after by persistent threat actors as a means of gaining access to critical systems. Privileged credentials are, in fact, absolutely critical for this purpose and ultimately for reaching the heart of the enterprise.

As recommended by Mr. Joyce, privileged account security must be a strategic priority for an organization. It’s imperative for organizations to understand what normal privileged user behavior is and what isn’t. Effective protection requires implementing a robust and dynamic password policy that includes enforcing “least privilege” to ensure users have only the privileges required to do their job. Finally, the increase in phishing attacks underscores the need for organizations to increase cyber security awareness to mitigate this type of attack.

Here are some important practices to keep in mind around privileged account security:

  • Understand what your privileged users do across your network; their credentials are a target that must be secured.
  • Implement least privilege and application whitelisting as a means to stop malware from spreading.
  • Do not lose sight of applications which may have hard-coded credentials built into scripts. These could expose hashes that compromise your most critical assets, such as domain controllers.
  • Understand anomalous behavior and how to stop it before it takes over your networks.

The importance of proactively securing privileged accounts is no secret. Privileged Account Security is essential not only in defending networks and data from cyber attacks and cyber criminals, but also in building an effective and proactive cyber security posture that can stand up to the most aggressive of attacks.

Just 22% of IT Leaders Think Their Org is ‘Very Well Prepared’ to Deal with Cyber-attacks

Category : Imperva

As little as one in five (22%) IT leaders believe their organization is ‘very well prepared’ to identify and respond to cyber attacks, according to new research by Harvey Nash and KPMG.

Further, three in ten (28%) have had to respond to a major IT security or cyber attack on behalf of their company within the last two years, whilst 12% now believe their business is exposed in multiple areas.

George Quigley, cybersecurity partner at KPMG, explained that the complexity of cybersecurity is affecting the level of confidence among IT leaders regarding how well prepared companies are to ensure all reasonable risks are covered.

“If you look at cyber, it is a multi-dimensional problem; it’s also unpredictable, intangible and constantly changing,” he told Infosecurity. “It’s a very complex area to try and get your head around. We’ve seen a lot of large and sophisticated organizations breached, so if you’re sitting in an organization that is not as large, not as sophisticated and doesn’t have the same sort of budgets and standing, then culturally you’re also going to have your confidence dented.

“Are companies going to be bold enough to say ‘We’re really confident we can solve this problem’ when they see all of these other players being breached?”

The report also revealed substantial concerns about a lack of skills among employees, with 65% of respondents saying skills shortages are preventing them from keeping up with the pace of change in technology.

“There’s undoubtedly a significant skills gap in cyber,” Quigley said. “There are challenges in terms of getting people with a cyber-mindset; what we’re finding is security companies having to invest time and money in training people. Across the industry we’re probably paying more than you would otherwise do in a normal functioning market because you’ve got to pay to retain people.

“If I had one concern in this skills gap market and what we’re doing, it’s that we are still not attracting enough women into the cybersecurity field. It’s incredibly male dominated and we still struggle to attract women into the industry and I do think we would benefit from getting more women into it and widening out that pool,” he added.

Lastly, in terms of the cloud, the research discovered over a third of respondents are looking to significantly invest in cloud services this year, but almost half report data loss and privacy risks as the biggest challenge when it comes to adopting cloud technology.

KPMG’s global CIO advisory service network leader Lisa Heneghan argued that one of the main issues surrounding the cloud is that many services are being implemented outside of IT, and as such without the level of control that you would normally expect to see within the IT organization.

“There’s almost an assumption that, because these organizations professionally provide the [cloud] services, that’s going to deal with everything; therefore important things like processes and governance are not considered early enough, and there’s almost been a blindsided view of it,”

NYC gangs turning to cybercrime, encryption thwarting investigations

Category : Gigamon

New York City’s crime rate has dropped precipitously since the 1990s – with Police Commissioner Bill Bratton predicting 2016 will end with 100,000 serious crimes on record, compared to 500,000 annually during the 1990s – but it seems that gangs are turning their attention to cyber crime.

“We’re seeing many of our gangs here in New York…turning away from dealing with drugs and other types of crimes, and focusing on getting very adept at cyber-related crime – the false identification cards, credit cards,” Bratton told listeners tuning into the John Catsimatidis AM 970 radio show on Sunday, according to a report in The Daily News.

The bad guys are getting better at using social media, much to law enforcement’s chagrin, but it is also a rich source of information.

“We have a lot more sources of intelligence to create our cases, but a bust in the sense that the push by the phone companies and the software technology companies to increasingly make phones more secure — it’s really causing us to go blind,” the police chief said, adding investigators have been aided by criminals bragging on social media.

He also claimed New York police investigations are being hampered by encryption, which has prevented authorities from accessing about 700 mobile phones.

Achieving rapid success with WCCP and Websense Web Security Gateway

Category : Forcepoint

Switches and routers that support Web Cache Communication Protocol (WCCP v2) are frequently used to transparently redirect Web traffic to the Websense® Web Security Gateway Web proxy (Websense Content Gateway™). WCCP with Web Security Gateway is a time-tested, field-proven solution.

In October, Websense Technical Support experts will host an interactive, question-and-answer webinar to help our customers prepare for and achieve rapid success with WCCP deployments. The webinar will cover:

  • The role of WCCP in transparently redirecting traffic flow to Websense Web Security on V-Series appliances
  • How your unique network topology may impact or limit WCCP implementation

In our position as Technical Support specialists, we see a lot of WCCP issues related to network design, device limitations, and device and network configuration.

The goal of this webinar is to help you understand and identify those conditions in your network that may have a negative effect on implementing WCCP. We will pinpoint and share the most common configuration concerns.

This webinar is a perfect opportunity for you to query our Cisco Technical Support expert regarding WCCP.

Please join us for an extended tech-talk in which we will discuss and answer your questions.

After participating in this webinar, you will:

  • Know how to assess your network for best use of WCCP with Web Security Gateway
  • Know the best practices for configuring and deploying WCCP with Web Security Gateway
  • Know how to assess your current WCCP deployment for conformance with best practices

Harvard Business Review: The Danger from Within

Category : Imperva

Today’s biggest enterprise security threat is inside the organization. It’s your employees, contractors and partners – with legitimate access to enterprise data – that become compromised, are careless or carry out malicious activity. Do you have the right tools in place to detect insider data abuse? Read Danger from Within by Harvard Business Review and learn why insider attacks are on the rise, and five ways you can uncover and neutralize these threats.

Hewlett Packard Enterprise Announces New Machine Learning-as-a-Service Offering in HPE Haven OnDemand

Category : HP Security

Haven OnDemand, a machine learning-as-a-service platform from Hewlett Packard Enterprise, is now available commercially. This innovative cloud platform will equip developers with the groundbreaking tools necessary for building data-rich mobile and enterprise apps.

Enterprise app developers can use more than 60 APIs available through HPE Haven OnDemand to solve high-level business processes. Delivered as a service on Microsoft Azure, Haven OnDemand can deliver comprehensive analytics on data ranging from text, audio, image, social, web and video.

HPE Haven OnDemand has been in testing since its beta launch in December 2014, and the valuable feedback received by more than 12,750 registered developers has contributed to the creation of this cutting-edge deep learning tool.

One distinctive service provided by Haven OnDemand is its capability for advanced text analysis. The technology can gather detailed information on sentiment and ideas within text, such as email subject lines, to provide marketers with data they can turn into an increased ROI.

Some capabilities offered by HPE Haven OnDemand include advanced text analysis, image recognition and face detection, enterprise-search-as-a-service and predict and recommend functions.

According to Colin Mahony, SVP and GM of HPE Big Data, “Haven OnDemand democratizes big data by bringing the power of machine learning, traditionally reserved for high-end, highly trained data scientists, to the mainstream developer community.”

HPE offers a flexible approach that starts as a freemium service, enabling development and testing for free, and extends to a usage and SLA-based commercial pricing model for enterprise class delivery to support production deployments. This ensures that the platform can mature with enterprises and startups as their needs continue to scale.