Symtrex Inc.

Cyber Security Specialist


Defend against APTs with big data security analytics

2015/05/01 by admin

Information Security - February 2015

Without a trace: Cybersecurity incident response teams must follow the thread of security events through volumes of log data from increasingly diverse sources.

Organizations that start to address information security in a meaningful way will come to a point in their maturity when they have a lot of machine data. The challenge many CISOs face is how to leverage that data quickly and correlate events dynamically across the enterprise to track down advanced persistent threats (APTs). The Sony Pictures Entertainment hacking incident in November underscores the importance of security monitoring and rapid incident response to clamp down on damages before disaster strikes.

IT security managers cannot protect what they cannot see, and to “see” associations or patterns that can help detect APTs enterprises must have comprehensive logging in place across multiple layers within a network. The greater the visibility, the larger the machine data, and the harder it is for cybersecurity incident response teams to “follow the thread” and correlate security events with threat intelligence in a meaningful way. The answers to many security questions about fraudulent activity, user behavior, communications, security risk and capacity consumption lie within these large data sets.

Why so much logging? Most advanced adversaries gain access to a victim’s network via malware, drive-by links or Web shells. Once the initial attack phones home — malware will initiate an outbound connection to C2 hosts to get around inbound firewall rules — rootkits are delivered, and the attackers quickly gain access to a user account and drive around the network as a fully credentialed user. It is difficult to lock down a Microsoft network in any meaningful way without destroying its functionality. A successful strategy to defeat this type of attack includes the following:

  • Detect the malware or drive-by links before users click on them. To do this a cybersecurity incident response team has to be able to compare user behavior against threat intelligence. This requires full packet logging of all ingress and egress traffic on an enterprise’s edge.
  • Detect malware or rootkit delivery to the endpoint. To do this the cybersecurity team needs verbose logging on antimalware and endpoint protection systems.
  • The cybersecurity team needs to be able to analyze user behaviors and access across the entire enterprise. Security information and event management (SIEM) tools can alert you to unusual activity, such as account usage during off hours. This is only possible with comprehensive logging of Active Directory (AD) and host access events.
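As an added illustration of the SIEM-style check described in the last bullet (this is example code written for this page, not code from the article or from any vendor product), the following Python script reads constructed Windows logon records, flags successful logons outside business hours, and lists accounts that reached several hosts during that window. The log format, the business-hours window and the service-account allow-list are assumptions.

```python
"""Flag off-hours logons and accounts that touch many hosts at night."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample records (not real telemetry). Fields: UTC timestamp,
# Windows event ID (4624 = successful logon, 4625 = failed logon),
# account, workstation/server name, source IP.
SAMPLE_EVENTS = """\
2015-02-10T08:05:12Z,4624,alice,WKS-011,10.0.5.21
2015-02-10T12:41:03Z,4624,bob,WKS-017,10.0.5.34
2015-02-10T23:58:40Z,4624,bob,WKS-017,10.0.5.34
2015-02-11T02:14:33Z,4624,svc-backup,SRV-FILE01,10.0.1.5
2015-02-11T03:02:09Z,4624,bob,SRV-FILE01,10.0.1.5
2015-02-11T03:07:51Z,4624,bob,SRV-SQL02,10.0.1.9
2015-02-14T10:30:00Z,4624,carol,WKS-020,10.0.5.40
2015-02-11T09:15:22Z,4625,alice,WKS-011,10.0.5.21
"""

# Assumed business-hours window (UTC) and accounts expected to work at night.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
SERVICE_ACCOUNTS = {"svc-backup"}


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    account: str
    host: str
    src_ip: str


def parse_events(text: str) -> list:
    """Parse the comma-separated constructed records into LogonEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, host, ip = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(LogonEvent(when, int(eid), acct, host, ip))
    return events


def is_off_hours(when: datetime) -> bool:
    """Weekend, or a weekday time outside the business-hours window."""
    weekend = when.weekday() >= 5
    return weekend or not (BUSINESS_START <= when.time() < BUSINESS_END)


def off_hours_logons(events: list) -> list:
    """Successful logons by non-service accounts outside business hours."""
    return [
        e for e in events
        if e.event_id == 4624
        and e.account not in SERVICE_ACCOUNTS
        and is_off_hours(e.when)
    ]


def summarize(events: list) -> dict:
    """Count off-hours logons per account."""
    return dict(Counter(e.account for e in off_hours_logons(events)))


def multi_host_accounts(events: list, min_hosts: int = 2) -> list:
    """Accounts whose off-hours logons span at least min_hosts distinct hosts,
    the pattern of a credentialed account being driven around the network."""
    hosts = defaultdict(set)
    for e in off_hours_logons(events):
        hosts[e.account].add(e.host)
    return sorted(a for a, h in hosts.items() if len(h) >= min_hosts)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for e in off_hours_logons(evts):
        print(f"OFF-HOURS {e.when:%Y-%m-%d %H:%M} {e.account}@{e.host} from {e.src_ip}")
    print("per-account:", summarize(evts))
    print("multi-host accounts:", multi_host_accounts(evts))
```

On the constructed input the script reports three night-time logons by `bob` across three different hosts plus one weekend logon by `carol`, and ignores the backup service account; in a real deployment the window and allow-list would come from the organisation's own schedule rather than constants.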

This is an excerpt; the full article appeared in Information Security, February 2015.

For more information on how to defend against APT, malware or security analytics please contact us.

Filed Under: Advanced Persistent Threat, compliance, CyberThreats, Hexis, Log Management, Malware, Network Monitoring, PCI, Security News

Employees are weak link in company cyber attacks

2015/05/01 by admin

Mark Burnette, For The Tennessean 11:11 p.m. CDT April 29, 2015

Today’s companies face a truly daunting task when trying to protect their computer systems and sensitive data from compromise. Attackers are better coordinated and more sophisticated than ever before, and their tools are easier to obtain and use.

While there are many security issues for businesses to be concerned about (some of which are covered in other installments of this series), an all-too-common problem at companies of all sizes is attacks directed at the computer users themselves. The vulnerable users are workers in the company who have user accounts and passwords and use desktops, laptops, tablets and other devices to interact with a company’s data and network. Hackers and other bad guys target these users because they have access to sensitive data and systems, their account passwords are typically easy to guess or crack, and they are often willing to open a malicious file, click on an emailed link or even willingly type their password into a bogus site.

Protecting your company against end-user attacks requires a two-pronged approach: 1) train your users to help them be more aware of how end-user security attacks occur and 2) configure your systems to make it harder for the bad guys to successfully get in if a user slips up. Here’s a list of steps you should take:
  • Keep up to date with security patches provided by software vendors for end-user machines. In addition to operating system patches, be sure to patch application software such as Adobe, Java and web browsers, as older versions of those tools have well-known vulnerabilities that are frequent vectors of attack.
  • Provide spam filtering for every machine, with sensitivity controls turned up. One of the most common tactics attackers use to make initial entry into a company’s network is enticing end users to click on a spam email link that installs malware. While this won’t stop every phishing attempt, if you can filter out even one, that is one fewer opportunity for an unsuspecting user to click a bad link.
  • Remove local administrator rights from end-user machines. Local administrator rights give a user more power to make changes to a computer, and if an attacker gains control of a machine with those rights, damage to the network can be much more significant.
  • Make sure there is up-to-date anti-virus/malware protection installed on every machine.
  • Require IT personnel to use different passwords when they work on servers. Even IT administrators can fall victim to email phishing attacks when they are working on their own computer. If they click on a bad link while logged in as an administrator, attackers can gain big-time access to your network using their privileged credentials.
  • Develop a security awareness program for all personnel to help them understand their responsibilities when using a company computer system and/or handling sensitive data. This training should also teach users how to create good passwords (ones that are easy to remember, but difficult to guess).
  • And perhaps most importantly, require “two-factor authentication” for users logging on to the network from a remote location. That means that a password alone is not enough to gain access; another form of authentication is needed. That could take the form of such things as a fingerprint, a token (a physical device that generates a code that is entered on the machine) or a digital certificate. If two-factor authentication is in place, an attacker who successfully captures a user’s access credentials still won’t be able to remotely connect to the network without the second factor (the token).
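To make the last point concrete, here is an added example (written for this page, not code from the article or from LBMC) of how a code-generating token works and why a captured password alone does not get an attacker in. It implements time-based one-time passwords as standardised in RFC 6238 (HOTP from RFC 4226 under a 30-second time step) and a login check that requires both a salted password hash match and a valid current code. The user record, salt and password are constructed; the TOTP seed is the RFC 6238 test-vector seed, not a real one.

```python
"""Time-based one-time passwords (RFC 6238) as the second factor of a login."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """The code a hardware or software token displays at a given time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 8, window: int = 1) -> bool:
    """Accept the current code or one from the adjacent time steps (clock drift).
    Every candidate is compared in constant time and all windows are evaluated
    so that timing does not reveal which step matched."""
    counter = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            ok = True
    return ok


# Constructed user record: a salted PBKDF2 hash of the password plus the
# per-user TOTP seed that was provisioned into the user's token.
USER_SALT = b"constructed-salt-value"
USER_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", USER_SALT, 100_000)
USER_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector seed


def authenticate(password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a stolen password without the token fails."""
    candidate_hash = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), USER_SALT, 100_000)
    password_ok = hmac.compare_digest(candidate_hash, USER_PASSWORD_HASH)
    code_ok = verify_totp(USER_TOTP_SECRET, code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test vector time; the token shows 94287082 here
    print("token shows:", totp(USER_TOTP_SECRET, now))
    print("password + token:", authenticate("correct horse battery staple",
                                            totp(USER_TOTP_SECRET, now), now))
    print("password only (guessed code):",
          authenticate("correct horse battery staple", "00000000", now))
```

Note that the verification window is deliberately small: a code captured by phishing is only useful for at most a minute or so and cannot be reused at the next logon, which is the property the article is relying on.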

Taking all these measures will not completely eliminate the possibility of a successful attack, but it will greatly reduce your exposure to this common attack path, which just might make a potential attacker move on to a more vulnerable target.

Mark Burnette is a partner in the Security and Risk Services practice at LBMC, the largest regional accounting and financial services family of companies based in Tennessee, with offices in Brentwood, Chattanooga and Knoxville.

Filed Under: Advanced Persistent Threat, antivirus, byod, Cloud, compliance, CyberThreats, endpoint, Hexis, industry, Kaspersky, Log Management, Malware, NetClarity, Network Access Control, Network Monitoring, PCI, Products, profile, Security News, Snare, Snare Agents, SolarWinds, Sophos, Unified Threat Management

HawkEye G 3.0 Released

2015/04/20 by admin

Hexis Cyber Solutions Releases HawkEye G 3.0 with Real-Time Host Event Detection and Integration of Third-Party Security Technologies with Automated Threat Removal

HANOVER, Md., April 20, 2015 – Hexis Cyber Solutions, Inc. (Hexis), a wholly-owned subsidiary of The KEYW Holding Corporation (NASDAQ: KEYW), and a provider of advanced cybersecurity solutions for commercial companies and government agencies, today announced a significant new release of its integrated cybersecurity platform, HawkEye G. New capabilities include ThreatSync™ for evidence-based detection and validation of unknown and known threats, and integration with third-party security technologies such as Palo Alto Networks and FireEye for detection and Splunk for increased threat intelligence.

New Capabilities Provide Accurate Policy-Based Automated Threat Removal

Point security solutions and manual remediation processes cannot adequately address today’s increasingly complex cyber threats. Point solutions lack the features, depth and speed needed to stop the external threat actors as they penetrate the perimeter, install malware, establish persistence and move laterally to reach the target. Furthermore, these point solutions generate large quantities of alerts and false positives, leaving it to the inundated incident responders and security teams to find serious threats hidden in all the alerts – making today’s networks more vulnerable than ever.

“Most industry benchmarks have concluded that the time between exploitation and discovery of malicious activity is measured in weeks, if not months,” said Jon Oltsik, senior principal analyst, Enterprise Strategy Group. “Reducing the time required for detection and removal of cyber threats is the priority for security professionals today. Protecting business critical data, coupled with the overwhelming advanced skills shortage, has created the need for a unified solution that can detect, verify and remove threats at machine speed.”

In a recent report, Forrester analysts John Kindervag and Stephanie Balaouras concur, stating, “Given the consequences of data breaches, businesses can no longer rely on passive, manual procedures to defend against them. The only way to protect the exfiltration of our data by hackers and cybercriminals is to provide our security teams with a set of rules that will incentivize automated response.”

Working in conjunction with HawkEye G’s policy-based, automated threat removal engine, ThreatSync™ will lower the time between perimeter breach, detection and threat verification, thus empowering security teams to quickly and confidently defend themselves using machine speed removal of sophisticated adversaries.

New Analytics and Third Party Integrations Add More Context Improving Organizations’ Ability to Detect and Remove Threats

Leveraging threat fusion and analytics capabilities from ThreatSync™, and threat intelligence from third-party security solution providers, HawkEye G 3.0 operates as an evidence-based threat removal platform that combats attacks at machine speed. This also enables the security operations teams to more effectively leverage existing security investments as HawkEye G removes the alerts and alarms generated by the third party security products.

Gartner analyst Lawrence Pingree highlights the importance of “Bringing together system events, network activities and indicators of compromise mapped across a graphical kill-chain timeline and comprehensive analytics capabilities are essential to operationalize and simplify EDR [endpoint detection and response] for security operations personnel.”

HawkEye G 3.0 not only provides its own host-based and network-based detection capabilities, but also integrates with enterprises’ existing security infrastructure by consuming, fusing and verifying third-party alerts. The new ThreatSync™ Unified Threat Scoring Model measures threat alerts based on how successfully the adversary is meeting its objectives. If the threat is confirmed to be engaged in malicious activity, the threat score is raised and incident responders can execute automated countermeasures or receive an alert that will allow them to follow machine-guided actions to remove the threat. HawkEye G also integrates transparently into security systems, applications, and processes already in place at organizations, sending threat alerts and response actions to third-party reporting, dashboard and event management systems including Splunk, SIEMs and HawkEye AP.

“The staggering amount of false positives and ghost alerts generated by perimeter-based security devices has left security teams searching for a way to cut through the overwhelming noise,” said Chris Carlson, senior director of Product Management, Hexis Cyber Solutions. “With HawkEye G’s new ability to corroborate actual endpoint behavior captured on the platform’s host detection sensors with third-party data, our continuous monitoring capabilities will help capture, analyze, and remove malicious activity before compromise in the enterprise. This is truly a second generation product, and the customer responses from our initial installations have been extremely positive.”

Availability

HawkEye G 3.0 will be available April 30 through Hexis Cyber Solutions’ network of channel partners.

Filed Under: Advanced Persistent Threat, compliance, CyberThreats, Hexis, industry, Network Monitoring, PCI, Products, Security News

SolarWinds Automates Key Network Monitoring Tasks

2015/02/12 by admin

From IT World Canada

SolarWinds has added new features to its Network Performance Monitor (NPM) tool to help IT administrators better manage the increasing number of mobile devices connecting to the corporate network.

The ramp up in mobile adoption and the bring-your-own-device trend has added considerable complexity to the enterprise network. However many IT departments are still monitoring networks the way they did about a decade ago. It is not uncommon to see some IT outfit employing a collection of different solutions to keep track of different devices and conduct various monitoring tasks manually.

SolarWinds (NYSE: SWI) said its updated NPM now has wireless heat mapping that allows IT pros to maintain automatic, real-time maps of wireless network signal strengths. The tool also enables continuous wireless coverage and speeds up troubleshooting.

A new forecasting feature also automatically monitors critical network resources to help administrators predict future needs and prevent outages.

“With NPM’s new wireless network heat maps, IT pros can automatically map their wireless networks to show signal strength according to their floor plans – whether in a small doctor’s office or a 40,000/sf campus – with a visual display of critical status and performance metrics,” said Chris LaPoint, vice-president, product management, SolarWinds.

With the heat maps, IT departments can now:

  • Troubleshoot client connectivity issues, keeping mobile end-users working with minimal disruption to their productivity
  • Generate user-sourced wireless signal strength surveys for coverage in all network locations, including remote sites
  • Prioritize wireless signal strength where it is most needed and proactively make adjustments such as adding wireless access points, modifying the environment, etc.
  • Use client location tracking to find any wireless-connected device within the network, helping IT keep track of end-users and rogue or misplaced devices

The new capacity forecasting capability automates planning for bandwidth, wide area network, circuits and other network needs. IT departments can now:

  • Use historical data from NPM on CPU, memory, volumes, connected wireless clients, node, and interface traffic utilization to provide automated assessments of average and peak use
  • Answer the question, “How many days before I run out of disk space /CPU/bandwidth, etc. and it impacts a user’s network connectivity?”
  • Set customizable alerts to proactively secure the necessary network resources to get ahead of those situations
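The forecasting idea in the three bullets above (historical samples, average and peak use, a "days until it runs out" answer, and an alert that fires ahead of time) can be shown with a few lines of arithmetic. The following Python is an added example written for this page; it is not SolarWinds code and makes no claim about how NPM computes its forecasts. It fits a least-squares trend line to constructed daily disk-usage samples for a 500 GB volume and reports how many days remain before usage crosses an assumed 90% threshold.

```python
"""Forecast days until a monitored resource reaches its limit."""
from statistics import mean

# Constructed daily samples (day index, GB used) for a 500 GB volume.
SAMPLE_DISK_GB = [(0, 310.0), (1, 312.5), (2, 314.0), (3, 317.0),
                  (4, 319.5), (5, 321.0), (6, 323.5)]
VOLUME_CAPACITY_GB = 500.0


def average_and_peak(samples: list) -> tuple:
    """Average and peak use over the sample window."""
    values = [y for _, y in samples]
    return mean(values), max(values)


def fit_trend(samples: list) -> tuple:
    """Ordinary least-squares line through the samples: (slope per day, intercept)."""
    xs = [x for x, _ in samples]
    ys = [y for _, y in samples]
    xm, ym = mean(xs), mean(ys)
    sxx = sum((x - xm) ** 2 for x in xs)
    sxy = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, ym - slope * xm


def days_until_threshold(samples: list, capacity: float, threshold: float = 0.90):
    """Days after the last sample until the trend crosses threshold*capacity.
    Returns None when usage is flat or falling (no exhaustion predicted)."""
    slope, intercept = fit_trend(samples)
    if slope <= 0:
        return None
    limit = capacity * threshold
    last_day = samples[-1][0]
    crossing_day = (limit - intercept) / slope
    return max(0.0, crossing_day - last_day)


def should_alert(samples: list, capacity: float, horizon_days: float = 60.0,
                 threshold: float = 0.90) -> bool:
    """Raise an alert when exhaustion is predicted inside the planning horizon."""
    days = days_until_threshold(samples, capacity, threshold)
    return days is not None and days <= horizon_days


if __name__ == "__main__":
    avg, peak = average_and_peak(SAMPLE_DISK_GB)
    slope, _ = fit_trend(SAMPLE_DISK_GB)
    days = days_until_threshold(SAMPLE_DISK_GB, VOLUME_CAPACITY_GB)
    print(f"average {avg:.1f} GB, peak {peak:.1f} GB, growth {slope:.2f} GB/day")
    print(f"about {days:.0f} days until 90% full; alert: "
          f"{should_alert(SAMPLE_DISK_GB, VOLUME_CAPACITY_GB)}")
```

On the constructed data usage grows 2.25 GB per day, so the volume reaches 90% roughly 56 days after the last sample and the 60-day alert fires. A straight-line fit is the simplest model; a monitoring product would typically also account for weekly cycles and sudden steps, which this example does not.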

Filed Under: compliance, industry, Network Monitoring, PCI, Products, Security News, SolarWinds

Why do you need Network Access Control?

2014/11/14 by admin

In discussions with organizations about security initiatives that they are planning over the next 12 months, I am surprised that very few say they plan to purchase and implement Network Access Control. This is a solution that comes very low on the totem pole, and in fact, if discussing with some sys admins, it is more a cause of frustration than deemed a valuable asset, or essential tool for security. One of the key features of a NAC is providing a snapshot of all assets – both trusted and untrusted – within a network, providing a visual representation of what an organization must protect, because you cannot protect what you don’t know you have.

A Network Access Control product provides immense benefit, and the return on investment is almost immediate.

Looking at one of the most referenced documents when it comes to security – the Critical Security Controls – a NAC provides easy wins for a number of controls, including asset inventory, continuous vulnerability assessment, and malware defenses. In addition, NACs provide visibility into your network, the ability to enforce policies at a granular level, and protection against Advanced Persistent Threats and malware.

Looking at the Critical Security Controls and how the NetBeat NAC can facilitate:

Item 1 – Inventory of Authorized and Unauthorized Devices

Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device.

The diagram below is a snapshot provided by the NetBeat NAC; from it you can see each device’s IP address, the time it was first detected, its MAC address, and its operating system including service packs and the manufacturer.
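Those fields (IP, first-seen time, MAC, OS and manufacturer) are exactly what an asset inventory is reconciled against. As an added example for this page, not code from NetBeat or from Symtrex, the Python below parses a constructed inventory export in that shape, compares it with a constructed asset register keyed on MAC address (owner, department, purpose, as Control 1 asks for), and reports devices nobody has registered, registered devices that are no longer seen, devices first seen after a cut-off date, and devices running an operating system the vendor no longer supports. The export format and register are assumptions.

```python
"""Reconcile a NAC device inventory against an authoritative asset register."""
import csv
import io
from datetime import datetime

# Constructed inventory export in the shape of the NAC snapshot (not real data).
INVENTORY_CSV = """\
ip,first_seen,mac,os,vendor
10.0.5.21,2014-09-02 08:11,00:1a:2b:3c:4d:01,Windows 7 SP1,Dell Inc.
10.0.5.34,2014-09-02 08:14,00:1A:2B:3C:4D:02,Windows 7 SP1,Dell Inc.
10.0.1.5,2014-06-15 22:30,00:1A:2B:3C:4D:10,Windows Server 2008 R2 SP1,Hewlett-Packard
10.0.5.77,2014-11-13 12:52,F4:5C:89:AA:BB:CC,iOS 8,Apple Inc.
10.0.5.78,2014-11-13 13:01,00:1A:2B:3C:4D:03,Windows XP SP3,Dell Inc.
"""

# Constructed asset register: MAC -> (owner, department, purpose).
ASSET_REGISTER = {
    "00:1A:2B:3C:4D:01": ("alice", "Finance", "workstation"),
    "00:1A:2B:3C:4D:02": ("bob", "Sales", "workstation"),
    "00:1A:2B:3C:4D:10": ("it-ops", "IT", "file server"),
    "00:1A:2B:3C:4D:04": ("dave", "HR", "laptop"),
}

# Windows XP left extended support in April 2014, so it is treated as unsupported.
UNSUPPORTED_OS_PREFIXES = ("Windows XP",)


def parse_inventory(text: str) -> list:
    """Parse the CSV export; MACs are normalised to upper case for matching."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["mac"] = row["mac"].upper()
        row["first_seen"] = datetime.strptime(row["first_seen"], "%Y-%m-%d %H:%M")
    return rows


def reconcile(inventory: list, register: dict, seen_after: str = None) -> dict:
    """Compare what the NAC sees with what the organisation thinks it owns."""
    seen = {row["mac"]: row for row in inventory}
    cutoff = datetime.strptime(seen_after, "%Y-%m-%d") if seen_after else None
    return {
        "unregistered": sorted(m for m in seen if m not in register),
        "missing": sorted(m for m in register if m not in seen),
        "new_since_cutoff": sorted(
            row["ip"] for row in inventory if cutoff and row["first_seen"] > cutoff),
        "unsupported_os": sorted(
            row["ip"] for row in inventory
            if row["os"].startswith(UNSUPPORTED_OS_PREFIXES)),
    }


def describe(inventory: list, register: dict) -> list:
    """One line per device with owner/department filled in from the register."""
    lines = []
    for row in inventory:
        owner, dept, purpose = register.get(row["mac"], ("UNREGISTERED", "-", "-"))
        lines.append(f"{row['ip']:<10} {row['mac']} {row['os']:<27} "
                     f"{row['vendor']:<16} {owner}/{dept}/{purpose}")
    return lines


if __name__ == "__main__":
    inv = parse_inventory(INVENTORY_CSV)
    print("\n".join(describe(inv, ASSET_REGISTER)))
    for key, value in reconcile(inv, ASSET_REGISTER, seen_after="2014-11-01").items():
        print(f"{key}: {value}")
```

The two unregistered devices (a phone and an XP box that appeared on the same day) are the ones Control 1 wants a human to assign an owner to or remove, and the missing laptop is a prompt to check whether it was retired or simply not on the network during the scan.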

Item 4 – Continuous Vulnerability Assessment and Remediation

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk.

The NetBeat NAC vulnerability scanner helps you identify the most urgent patches needed to harden your network against attack. After you run scans, detailed reports alert you if an attached device has a problem, or you can simply block an asset if it fails a vulnerability scan. These are very helpful in complying with requirements mandated by HIPAA/HITECH, PCI, GLBA, and other security standards.

Item 5 – Control Malware

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

As you can see from the image above, the risk profiler will provide immediate notification of a threat, in addition to blocking traffic to C&C (command and control), and in essence stopping exfiltration of data.

The NetBeat NAC monitors in real time for malware traffic back to known malware sites. Its database is synchronized multiple times a day to protect networks against zero-day threats. Because it can be integrated with the blocking engine, threats can be blocked within 10 milliseconds of detection rather than merely generating an alert.

Another benefit includes better BYOD control, without having to install additional software on mobile devices as well as segregating guests to their own VLAN.

For more information on how a NAC can supplement your existing security solutions, contact us.

Filed Under: Advanced Persistent Threat, byod, compliance, endpoint, industry, Malware, Network Access Control, Network Monitoring, Products, Security News

© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement