Archives for November 2016
From our partner LogRhythm’s Blog
Protecting our Nation’s Interconnected Critical Infrastructure
National Cyber Security Awareness Month is coming to an end. Hopefully, we have all come away with some ideas on how to better protect ourselves, organizations, and our country. We must not slow down, take a break from building out protection, or pause on protecting our cyber demands. In fact, we need to be more resilient now more than ever.
We live in a world that is more connected than ever before. This interconnectedness touches almost all aspects of daily life—both professionally and personally. We saw how much we depend on the technology that connects us in last week’s DDoS attack on the public internet. We need to ensure that we take measures to protect our critical technology communications infrastructure.
In an article written last week in the San Diego Tribune in response to the attack, LogRhythm’s CTO and co-founder Chris Petersen said, “I’m an entrepreneur and don’t want more regulation. But as a cyberexpert, I don’t see much alternative in order to protect our nation from damaging cyberattacks.”
Improving Defenses by Making Security Intelligence a Standard Operating Procedure
Today we are at the disposal of terabytes of data to tell us who, what, when, where, and how an intrusion may have occurred. But because of the enormous amounts of information, we need to get better at identifying what is a threat and what is just noise.
We often do not know what we are looking for, and therefore, we need assistance in correlating all of the information. What we do know is that we need to make security intelligence a standard operating procedure (SOP) for all agencies, organizations, and individuals in order to effectively and efficiently cut through the noise and determine actionable intelligence to move the defense of our critical infrastructure forward.
Security Intelligence and Analytics in the Public Sector
The white paper Security Intelligence and Analytics in the Public Sector offers up a solution. While it’s not possible to prevent all threats from affecting an agency’s IT environment, this paper outlines the need to make threat detection and response capabilities an essential requirement.
A unified security intelligence and analytics approach is the best possible approach to threat detection and response. To learn more, download the whitepaper .
Sophos Central has integrated many of the products a business needs to stay secure. However, they realize that many organizations have products from multiple vendors and leverage a SIEM (security information and event management) to try to make sense of all the security events produced by all those disparate products. With data flowing fast, IT teams face a big challenge when it comes to maintaining some semblance of coherent visibility into the vast amounts of information they’re constantly receiving from all their different vendor products.
In that spirit, they are pleased to announce that SIEM integration has been added to Sophos Central. Whether you use Splunk, ArcSight, or any other major SIEM, you’ll find it easy to connect to Sophos Central. You’ll get real-time insight into the events and alerts for all your Sophos Central products. It’s one integration whether you’re using Endpoint Advanced, or Wireless, or our next gen endpoint, Intercept X, or Email protection, or Encryption… they all work together so it’s a single integration.
Setup couldn’t be easier. Take a look at this short demo video to get an idea of how to get SIEM integration up and running within your organization:
With the recently released audit logs and RBAC features, SIEM integration is yet another step forward to improve the efficiency of IT teams large and small.
Contact us for more information
Real-time behavioral threat analytics is the next frontier in security. Learn how a behavioral threat assessment tool can protect your enterprise systems and data.
And you’ve probably discovered a couple of whopping flaws with your approach.
First, it’s expensive and unsustainable. Very few enterprise organizations can afford to hire dozens of security analysts every year, if they can even find them. (And estimates are that the global market is generating a million unfilled security analyst job openings per year.)
Second, and more important, it’s slow. Even if you had the proper staff, the backlog of analysis means that the average breach goes undetected for months, according to many breach reports. And as the time to exploit an attack continues to increase, that could mean trouble.
Behavioral threat assessment to the rescue
The solution? Consider deploying real-time behavioral threat analytics (BTA). Real-time BTA tools come from vendors like Bay Dynamics, Exabeam, Fortscale, Gurucul, LightCyber, Securonix and Splunk (through its Caspida acquisition). Although the algorithms are different from vendor to vendor, real-time BTA products provide a layer of analysis on top of existing monitoring and logging products.
That is, BTA tools create a behavioral threat assessment by plugging into security information and event management tools, intrusion detection systems and intrusion prevention systems and others — like firewalls — and importing their log information. They then perform correlation analysis on that information to determine what behavior is normal for users, devices and systems. The next step for developing a behavioral threat assessment is additional analysis to determine whether anomalous behavior is just that — anomalous, but harmless — or represents a true threat. BTA products do all this by applying machine learning to the data streams so that security analysts don’t need to program in rules about what comprises normal behavior.
That means that one of the huge benefits BTA tools can provide is minimizing the number of alerts and false positives — things that look like threats but aren’t. Organizations that have deployed such systems say they bring the number of false positives down from 500 or more a day — clearly an unmanageable amount — to two or three real threats.
Getting BTA launched
To start deploying a BTA, set up selection criteria, beginning with the existing and planned security architecture. What monitoring and logging tools are core to your environment, and what are the data security tools you’ll count on for the next few years? Integration into those systems will be a critical selection criterion for your BTA products. You should also think about what form factor you’d prefer: on premises or cloud-based. Most security professionals are uncomfortable uploading security logs to the cloud, so on premises may be the best way to go.
Then you’ll want to set up a proof of concept (POC). Ideally, this will be in a self-contained network with a defined set of users, like a stand-alone department or geographical division. Why? Because you’ll be able to get a feel for the BTA tool’s capabilities — and if it works out, the business owner of that division or department will be your top evangelist in advocating for the system in the rest of the company.
Assessing a BTA tool
When you run your POC, look for several factors. First, how long does the BTA tool take to “learn” your environment? Most vendors say the tools begin delivering value in a few days — the sooner, the better.What do you think the main challenge is to installing and using a BTA tool?
Second, what’s the rate of false positives? Are you seeing a dramatic drop or just a minor reduction? In other words, is the data security tool creating a behavioral threat assessment that is of value to you?
Finally, how does the data security tool display information? Are there dashboards that can be used by less-technical folks like business stakeholders? Are threats prioritized clearly? Does the system recommend actions and next steps?
Once you’ve run your POC, you should have a feel for the business benefits such a tool can provide. In addition to reining in the unsustainable growth of security teams, a real-time BTA can enable you to respond to threats in a far timelier fashion — thereby increasing your security stance — and impressing the board with your new agility. Depending on the system, you also may have a more effective approach to documenting threats and compliance concerns.
The bottom line? If you want to understand the threats occurring in your environment, where they’re happening, who’s affected and what you should do about them, it is likely you need a behavioral threat assessment. It’s time to consider a real-time BTA product.
Q3 cyber threat study by Kaspersky Lab says ransomware modifications have risen 3.5 times and newer countries are coming under attack.
The IT threat evolution report for Q3 says cybercriminals appear to have moved to greener pastures with places like Croatia, South Korea, Tunisia, and Bulgaria featuring for the first time in the list of the top five ransomware-attacked countries.
Also noticeable was Trojan-Downloader.JS.Cryptoload being behind most of the attacks with CTB-Locker, Locky and CryptXXX highly popular.
“Crypto ransomware continues to be one of the most dangerous threats, both to private users and to businesses,” explains Fedor Sinitsyn of Kaspersky Lab.
Have a question on how to prevent ransomware from your network – give us a call, or drop us an email.