Symtrex Inc.

Cyber Security Specialist

Making Security Intelligence a Standard Operating Procedure

2016/11/11 by admin

From our partner LogRhythm’s Blog

By Dan Wilbricht

Protecting our Nation’s Interconnected Critical Infrastructure

National Cyber Security Awareness Month is coming to an end. Hopefully, we have all come away with some ideas on how to better protect ourselves, our organizations, and our country. We must not slow down, take a break from building out protection, or pause in meeting our cyber security demands. In fact, we need to be more resilient now than ever.

We live in a world that is more connected than ever before. This interconnectedness touches almost all aspects of daily life—both professionally and personally. We saw how much we depend on the technology that connects us in last week’s DDoS attack on the public internet. We need to ensure that we take measures to protect our critical technology communications infrastructure.

In an article written last week in the San Diego Tribune in response to the attack, LogRhythm’s CTO and co-founder Chris Petersen said, “I’m an entrepreneur and don’t want more regulation. But as a cyberexpert, I don’t see much alternative in order to protect our nation from damaging cyberattacks.”

Improving Defenses by Making Security Intelligence a Standard Operating Procedure

Today we have terabytes of data at our disposal to tell us who, what, when, where, and how an intrusion may have occurred. But because of the enormous amount of information, we need to get better at identifying what is a threat and what is just noise.

We often do not know what we are looking for, and therefore, we need assistance in correlating all of the information. What we do know is that we need to make security intelligence a standard operating procedure (SOP) for all agencies, organizations, and individuals in order to effectively and efficiently cut through the noise and determine actionable intelligence to move the defense of our critical infrastructure forward.

Security Intelligence and Analytics in the Public Sector

The white paper Security Intelligence and Analytics in the Public Sector offers up a solution. While it’s not possible to prevent all threats from affecting an agency’s IT environment, this paper outlines the need to make threat detection and response capabilities an essential requirement.

A unified security intelligence and analytics approach is the best possible approach to threat detection and response. To learn more, download the whitepaper.

Filed Under: Advanced Persistent Threat, compliance, CyberThreats, endpoint, Log Management, LogRhythm, Products, Security News

Ransomware Raises the Bar Again

2016/10/11 by admin

From Dark Reading - Kelly Jackson Higgins

The infamous form of attack now ranks as the top threat to financial services, but preparedness can pay off for victims.

Ransomware just got even more real: it’s now the number one attack vector in the financial services sector, which traditionally has been considered a model industry for best security practices.

Some 55% of financial services firms recently surveyed by SANS report ransomware as the top attack threat, followed by phishing (50%), which previously held the top spot. More than 32% of financial firms say they’ve lost anywhere from $100,000 to a half-million dollars due to ransomware attacks.

Ransomware’s infiltration of the security-forward financial services industry underscores the dramatic rise in ransomware over the past year and growing pressure on preparedness. The malware that infects machines and holds them for ransom payment by the victim is the fastest-growing form of malware today, with more than 4,000 ransomware attacks per day since January 1 of this year. That’s an increase of 300% since 2015, and security experts at Trend Micro say ransomware cost enterprises some $209 million in the first half of 2016.

Attackers are also tucking ransomware alongside and inside other attacks. Some ransomware attacks hold the machine for ransom and then also use it to wage distributed denial-of-service (DDoS) attacks on other victims. More than half of DDoS attacks worldwide ultimately lead to ransomware and other malware attacks, according to a new study by Neustar.

Meanwhile, organizations of all sizes and industries are getting infected with ransomware. The difference between those who get stung and those who survive relatively unscathed is preparedness – and sometimes a little luck.

Take the Hyannis, Mass.-based Barnstable Police Department, which was hit with its first-ever ransomware infection last month. Craig Hurwitz, director of IT at the department, says he noticed something was amiss when the department’s dispatch software and records management system stopped working. He took a closer look and spotted files being encrypted and file extensions getting altered.

“I tried to get a file and it wasn’t there,” he recalls. “And there was a text file in the directory saying ‘pay me now.’”

The police department reverted to radio dispatch to patrol cars, and Hurwitz contacted the backup and storage array vendor, Reduxio Systems, from which the Barnstable Police Department had recently purchased a system for data backup and storage capacity, as well as for its data timestamp feature. At the time the department bought the array, the concern was mostly protecting against hard drive corruption and server crashes. “At the time we weren’t thinking about ransomware specifically,” he says.

The recovery process with the backup system took 35 minutes with no loss of data or any ransom payment to the attackers. The malware never spread beyond the application server where Hurwitz found it. “They [Reduxio] cloned the drives … and set the timestamp two minutes before the infection had started … and remounted the drives,” Hurwitz says.

Backing up data regularly and keeping a clean backup has always been one of the key recommendations for surviving a ransomware infection. Even endpoints running the most up-to-date software, email filters, and other security layers can get hit with ransomware: all it takes is for a user to fall for a phishing email and to open a malicious attachment or link.

But how a backup is managed can be the difference between losing your data to the attackers (unless you pay) and retrieving it and eradicating the ransomware.

Travis Smith, senior security research engineer at Tripwire, says the old 3-2-1 strategy applies: “Always have three copies of data, one that is offsite [or] offline,” he says. “What’s also very important for companies to adopt in today’s ransomware world: we’ve seen ransomware that targets backup systems, so when you try to bring backups back online you don’t have the ability to restore from the backups.”

Backups of critical data should be tested at least every six months, he says, to ensure the data is uncorrupted and accessible.

Smith says clean backups work for about three-fourths of ransomware victims. “Seventy-five percent are successful [in ransomware recovery] if they have backups,” he says, meaning they can get to their data and not pay any ransom to the bad guys.

Users shouldn’t be storing critical data on their endpoints, either, he notes. Stick with a shared server for that information. “So then you only need to back up one critical server,” he says. “If a laptop gets infected with ransomware and the data isn’t backed up on a centralized server, you’ve lost that data.”

If backups aren’t done properly, it may be cheaper for an organization to pay the ransom, which is not recommended. Regular backup tests can drive down the cost of data restoration and make it more cost-effective than having to resort to actually paying a ransom if the data isn’t properly backed up, he says.

Filed Under: Advanced Persistent Threat, antivirus, CyberThreats, endpoint, Kaspersky, LogRhythm, Malware, Network Access Control, Ransomware, Security News, Snoopwall, Sophos

The 3 Biggest Mistakes in CyberSecurity

2016/08/23 by admin

August 23, 2016 - Chris Moschovitis - Information Management

Everyone, from small business owners to senior executives in businesses of every shape and size, is confronting a seemingly insurmountable problem: constant and rising cyber security breaches. It seems that no matter what we do, there is always someone who was hacked, a new vulnerability exploited, and millions of dollars lost.

In an effort to stem the tide, people have tried everything: from throwing money at it by buying the latest and greatest tech gizmos promising security, to outsourcing cyber security management, to handing it over to the IT folks to deal with. And every time the result is money lost, productivity decreased, and the attacks continue.

Many business people complain that we’re not just losing a battle here and there. We’re losing the war. Is that true?

The truth is that those that keep losing their cyber battles and risk losing the war are making three critical mistakes:

1. They think cyber security is a technology problem.

2. They follow a cyber security check list once-and-done.

3. They don’t have a cyber security awareness training program in place.

First, cyber security is not a technology problem. Far from it. It is a business-critical problem, and more importantly: It’s a people problem, and we need to address it at that level.

Second, cyber security is a constantly evolving battlefield. The threats evolve, the attacks take new paths, the underlying technologies change. A static check list solves yesterday’s problems, not today’s, and certainly not tomorrow’s.

Finally, if people don’t understand the threat they will not even see the attack coming, much less be able to respond and protect themselves. Cyber security awareness training is the only way to prepare everyone for the new reality we live and work in.

Cyber security is not an IT problem either, according to Prosyn. It is a risk management problem. This is easier to understand if you work in a regulated industry. There, the concept, language, and even governance of risk management are part of the daily lexicon.

Not so with small and mid-market businesses less familiar with the risk management function. It doesn’t help that the very nature of the threat, and the way the “payload” of the attack is delivered, is via information technologies. It almost makes sense to have IT deal with cyber security. But the victims are not the computers. The victims are the businesses and their people.

More importantly: a company’s Information Technology generates value. It does so in a myriad of different ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media and technology businesses, etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.).

Cyber security, like all risk management, is there to protect value. Therefore, you can never have cyber security (the value protector) report to IT (the value creator). That creates a conflict of interest. Just like IT reports directly to the CEO, so must cyber security. They are parallel tracks keeping the business train aligned and moving.

Once you have the reporting structure correctly in place, you need to empower it with executive buy-in and engagement. Cyber security needs your direction on company goals and risk appetite so they can develop the right strategy to protect the company’s assets. Cyber security professionals, working with the board and executives, including IT and business units, will develop the right defense-in-depth strategy that is right for the company.

Cyber security doesn’t happen in isolation. It is not a set check list. It is dynamic, adjusting strategy to risk, asset value, and controls. As market conditions change, as company goals change, and as technology changes, so will the cyber security strategy.

Neither structure nor strategy will help if you ignore the most important element in cyber security: People. In 2016 ISACA published the top three cybersecurity threats facing organizations in that year. They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.

Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element: People.

It is people that become the victims of cyber-attacks, and by extension, the businesses they work in or do business with. Be it through social engineering, extortion, or any of the many vulnerabilities that hackers can exploit, it is people that get compromised first. They are the ones that have to pick up the pieces when all the data is gone or when their identity is stolen.

The good news is that cyber security awareness training is one of the most effective controls against hackers. Training and sensitizing people to the threats, the methods used, vulnerabilities, even their own personal privacy risks, has been proven time and again as the one thing that makes a real difference in early detection, quick response and recovery during a cyber-attack. Having a quarterly lunch-and-learn will go a long way in developing a culture of cyber awareness, saving both your business and your employees from cyber-harm.

Avoiding these three mistakes in cyber security won’t help win every single battle. But it will guarantee you win the war.

Filed Under: Advanced Persistent Threat, antivirus, byod, Cloud, compliance, CyberThreats, endpoint, industry, Log Management, LogRhythm, Malware, Network Access Control, Network Monitoring, PCI, Products, profile, Security News, Snoopwall, SolarWinds, Sophos, Unified Threat Management

LogRhythm Named a Leader - 5th Consecutive Year

2016/08/17 by admin

LogRhythm Named a Leader for Fifth Consecutive Year in Gartner Magic Quadrant for Security Information and Event Management (SIEM)

LogRhythm recognized for completeness of vision and ability to execute

BOULDER, Colo.-(BUSINESS WIRE)-LogRhythm, The Security Intelligence Company, today announced that it has, once again, been positioned as a Leader by Gartner, Inc. in the 2016 “Magic Quadrant for Security Information and Event Management” research report. This is the fifth consecutive year that Gartner has recognized LogRhythm as a Leader among SIEM providers.

“Organizations are under immense pressure to quickly detect, respond to and neutralize increasingly sophisticated cyber threats,” said Chris Petersen, CTO and co-founder of LogRhythm. “We are honored to be recognized by Gartner and believe this year’s placement in the Leaders quadrant for SIEM speaks volumes about our leadership in the market, and our ability to address the most pressing customer needs in the areas of threat management, security and compliance. I believe this report validates the excellence and dedication of our engineering and product teams. With our latest up-and-to-the-right movement in the leadership quadrant, it is crystal clear that LogRhythm is delivering on our promise to help companies around the globe neutralize today’s cyber threats.”

According to Gartner, the SIEM Leaders quadrant is composed of vendors that provide products that are a strong functional match to general market requirements, have been the most successful in building an installed base and revenue stream within the SIEM market, and have a relatively high viability rating (due to SIEM revenue or SIEM revenue in combination with revenue from other sources). In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for emerging and anticipated requirements. They typically have relatively high market share and/or strong revenue growth, and have demonstrated positive customer feedback for effective SIEM capabilities and related service and support.

LogRhythm’s security intelligence and analytics platform unifies next-generation SIEM, including log management, network monitoring and forensics, endpoint monitoring and forensics, security analytics, and user, network and endpoint behavioral analytics. In addition to protecting customers from the risks associated with cyber threats, LogRhythm provides innovative compliance automation and assurance, and enhanced IT intelligence.

Reprinted from Business Wire

Filed Under: Advanced Persistent Threat, compliance, CyberThreats, endpoint, Log Management, LogRhythm, Network Monitoring, Products, Security News

Zepto Ransomware Soars

2016/07/05 by admin

InfoSecurity Magazine- Phil Muncaster

Security researchers are warning users of a spike in spam emails containing a variant of the infamous Locky ransomware, known as Zepto.

Cisco’s Talos team spotted 137,731 emails in just four days, containing over 3300 unique samples, according to technical lead Warren Mercer.

Most of the emails used simple social engineering, asking the user to look at an attached document they had ‘requested.’

Emails are also crafted to appear more convincing by greeting the recipient by first name, he explained.

Once opened, the malicious JavaScript runs in the background, encrypting the files on the user’s machine and giving them the .zepto extension.

Some samples only contacted one C&C server whilst others communicated with up to nine domains, the researcher continued.

Once the encryption has been done, the malware will display a message for the victim, demanding payment.

“The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier. The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign,” said Mercer.

“Ensuring users are careful with email attachments, like the ones used in this campaign, will help in an attempt to null the effects of this and further spam campaigns. Talos recommend you ensure you have a good backup strategy should you be hit with ransomware and we strongly advise that payment is never made to these actors.”

Meanwhile the Locky ransomware continues to evolve, causing devastation to individuals and businesses as it goes.

When it first burst onto the scene earlier this year, the botnet distributing it was shown to be the same one spreading Dridex banking malware.

In March, FireEye noted a sharp spike in Locky spam with users impacted in over 50 countries.
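As an added illustration (not code from either article, nor from Talos or Reduxio), here is a Python heuristic a defender could run over file-activity telemetry to catch the behaviour the two ransomware pieces describe: a burst of files in one directory being renamed to the .zepto (or original Locky .locky) extension, followed by a text ransom note, and the snapshot timestamp to roll back to (two minutes before the first rename, as in the Barnstable recovery). The event stream, paths and note filename are constructed samples; the threshold and window are assumptions to tune per environment.

```python
"""Heuristic detection of ransomware-style mass renames in a file-event stream."""
import os
from collections import defaultdict

# Extensions appended by the family in the article: '.zepto' (the variant
# described) and '.locky' (the original Locky extension).
RANSOM_EXTENSIONS = {".zepto", ".locky"}
# Assumed tuning: alert when this many files in one directory gain a ransom
# extension within WINDOW_SEC seconds.
BURST_THRESHOLD = 5
WINDOW_SEC = 60
ROLLBACK_MARGIN_SEC = 120  # "two minutes before the infection had started"

# Constructed sample events, not real telemetry:
# (epoch_seconds, action, source_path_or_None, destination_path)
SAMPLE_EVENTS = [
    (1000, "rename", "/srv/records/case_1001.docx", "/srv/records/1A2B3C4D.zepto"),
    (1001, "rename", "/srv/records/case_1002.docx", "/srv/records/5E6F7A8B.zepto"),
    (1002, "rename", "/srv/records/case_1003.pdf",  "/srv/records/9C0D1E2F.zepto"),
    (1003, "rename", "/srv/records/dispatch.db",    "/srv/records/3A4B5C6D.zepto"),
    (1004, "rename", "/srv/records/roster.xlsx",    "/srv/records/7E8F9A0B.zepto"),
    (1005, "create", None, "/srv/records/_HELP_instructions.txt"),  # constructed note name
    (1900, "rename", "/home/bob/report_draft.docx", "/home/bob/report_final.docx"),  # benign
]


def ext_of(path):
    """Lower-cased file extension including the dot, '' if none."""
    return os.path.splitext(path)[1].lower()


def detect_ransomware_bursts(events):
    """Return one alert dict per directory showing a rename burst to a ransom extension."""
    renames = defaultdict(list)   # directory -> timestamps of suspicious renames
    notes = defaultdict(list)     # directory -> (timestamp, filename) of new .txt files
    for ts, action, src, dst in sorted(events, key=lambda e: e[0]):
        directory = os.path.dirname(dst)
        if action == "rename" and ext_of(dst) in RANSOM_EXTENSIONS and ext_of(src) != ext_of(dst):
            renames[directory].append(ts)
        elif action == "create" and ext_of(dst) == ".txt":
            notes[directory].append((ts, os.path.basename(dst)))

    alerts = []
    for directory, times in renames.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW_SEC:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                first, last = times[start], times[end]
                # A ransom note dropped during or shortly after the burst corroborates the alert.
                note_names = [n for t, n in notes[directory] if first <= t <= last + WINDOW_SEC]
                alerts.append({
                    "directory": directory,
                    "count": end - start + 1,
                    "first_seen": first,
                    "last_seen": last,
                    "ransom_note": note_names[0] if note_names else None,
                    "rollback_to": first - ROLLBACK_MARGIN_SEC,  # snapshot timestamp to restore
                })
                break                          # one alert per directory is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_bursts(SAMPLE_EVENTS):
        print(alert)
```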

If you have any questions on Ransomware or how to protect yourself, contact us.

Filed Under: Advanced Persistent Threat, antivirus, CyberThreats, LogRhythm, Malware, Network Access Control, Snoopwall, Sophos

© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement