Verizon 2014 data breach investigations report preview

At the recent RSA conference Verizon shared a brief preview of their upcoming 2014 Data Breach Investigations report;

 

http://www.darkreading.com/attacks-breaches/verizon-shares-glimpse-into-upcoming-201/240166380

 

Basically, the long and short if it is that attackers are getting better and quicker this 75% (or more) of attacks succeeding within days or less, and only 25% (or less) of the time do organisations discover the attack within a similar timeframe.

So attackers are getting into our networks very quickly and successfully, and we are still in general very bad at discovering the compromises until it is far too late.

This looks like a continuation of some of last years key messages, you will be breached, networks are so complex and pours, and applications still so very vulnerable.  Detection is key, having the ability to quickly spot, and act on, indicators of compromise (IOC).  Security must improve its detective and response capabilities;

Cyber Criminals keep getting better at what they do, the security is failing to keep pace.

What are your thoughts, how can we improve the situation?

One thing I often wonder about is the role of security in not only keeping up with the threat landscape and how to prevent (well reduce the likelihood of) breaches, and to ensure they are discovered, but to also communicate this to the wider IT and business teams.

How do we get the wider business and IT community to ‘get that security cannot be an afterthought’?

Across multiple different roles, much of my life seems to have been filled up with debates about what the minimum security requirements are, and what has to be down to scrape through regulatory audits.  The discussion should focus on what needs to be done to protect the data in our care.  Have you successfully moved this discussion on and changed a businesses culture to be focussed on how to deliver securely?

Some upcoming posts will cover both thoughts on how to deal with the evolving advanced threat landscape and advanced attacks, and also ways we can get security to have the right priority and focus – we don’t have to just deliver, we can deliver securely!

K

13 Security Myths Busted.. My thoughts.

I was recently sent a link to an article covering what were described as ’13 security myths – busted’ and asked my opinion.  As it was a fairly light and interesting I thought I would share the article and my thoughts;

The original article can be found here;

http://www.networkworld.com/slideshow/86918/13-of-the-biggest-security-myths-busted.html?source=NWWNLE_nlt_afterdark_2013-02-21

Have a read of the myths and why they thin they are myths, read my thoughts below, and it would be great to hear your thoughts.

1. AV – Possibly not super efficient, but I think still necessary – they kind of mix apples and oranges with the targeted attack comment, as it is not designed for that, but it still prevents the vast majority of malware, and general attacks.  Possibly and an environment where literally no one runs with admin privileges and there is strong white listing you could do without AV, but generally I’d say it is still relevant and required.

2. This one is hard to know as there is so much FUD around.  It is clear that in many circumstances (stuxnet etc, Chinese APT , US government espionage etc.) that governments are investing huge sums of money and employing extremely bright people to attack and defend in cyber land.  I suspect much will never be known as the NSA / Mi6 / <insert secret government money pit here> are by definition very secretive.  Remember all the speculation around the NSAs ability to crack encryption in the past..

3. Totally agree – just look at most businesses and the trouble they have getting control of authentication via AD / IAM.  However, many are moving in the right direction though so maybe soon we’ll have everything in IAM and / or AD..

4. I think this one proves itself incorrect in the text – Risk management is needed, you just need to work on understanding your adversaries and the actual risks you face, which includes understanding their motivations and the value they place on your data and IP.

5. This I totally agree with.  I have already highlighted I don’t really like the fact we as an industry use the term ‘best practice’ all over our standards and policy documents etc – who defines what it is? Is it best in any specific environment with it’s support skill sets and technology stack etc?

6. Half agree they are a fact of life, however you can have effective responses and strategies around privilege control and application controls etc. to massively mitigate the risks these pose.

7. I can’t comment on this one, but most national infrastructures are inadequately protected and tend to rely on old legacy systems for many of their functions so this is probably try in the UK for much supporting infrastructure as well.

8. Completely agree with this.  Compliance is a useful checklist, but compliance with standards should be a by product of good secure design and processes, not something we strive for as a product in itself.  If provides a driver but is very much the wrong focus if you want to be secure rather than compliant.

9. Agree – CISO may own security policy and strategy etc., but security is everyone’s problem and everyone should be accountable for performing their duties with security and security policies in mind.  I’m a big fan of security awareness training as a regular thing to help educate people and keep security at the forefront of the way we do business.

10. Likely has been true, in the same way as Mac / Linux are ‘safer’ than Windows, as it has not been the focus of as much malicious attention and has not been carrying as much functionality and valuable data.  This is rapidly shifting though as we rely more and more on mobile devices for everything from banking to shopping to actual business.  So I think this one is rapidly if not already becoming a myth.

11. Agree – you can likely never be 100% secure if you want to have a life or business online.  I think it was an American who coined ‘eternal vigilance is the price of freedom’  we should work to be secure, but freedom both individually and as a business is too important and hard won to give up.  Obviously some personal freedoms to do whatever you want with corporate devices have to be given up, but I think my point stands as a general concept.  As the guy in the article says (and I do above) work to understand your adversaries, their motivations and tools.

12. Agree with this one also – continuous monitoring, trending and learning are key to understanding and preventing or at least capturing todays advanced long term threats such as APTs.

13. I agree with this final one as well, and have actually blogged about this before.  We live in an ‘assume you have or will be breached’ world.  Put the detective measures and controls in place to ensure you rapidly detect and minimise the damage from any breach.  Read last years Verizon data breach report..

It would be great to hear your thoughts on this light article.

K

RSA conference Europe Wrap Up / Final Thoughts

I’ll keep this relatively brief as I have already covered this conference in some detail while blogging live from the event.  I think the write ups ended up around 12000 words in total across the three days!  I hope you have managed to read those covering content that was of interest to you – there was certainly a lot of information there that I found useful!

As usual with conferences like this some of the presentations had slight vendor bias, with an prime example being companies like EMC championing the need to prioritise spending from limited security budgets on more advanced tools for detecting and preventing longer term advanced threats (Advanced Persistent Threats – APT) at the expense of older more stable technologies such as AV.  EMC is currently selling and promoting products in this area..  This was followed by Symantec who obviously highlighted that they think AV is still critical and should continue to be invested in, unsurprising as anti-virus / anti-malware is still one of their key products and revenue streams.

On this point I fall between the two in that I completely agree AV is still important, but due to the maturity of the market and quality of most products you should be looking to drive costs down in this area while still maintaining an acceptable level of quality.  By managing costs in established areas and looking for end point solutions that cover multiple vectors such as AV, firewalling, DLP etc.  you should hopefully be able to free up budget to invest in some of the newer more advanced tools or improve key areas such as your log monitoring and correlation capabilities.

Overall the presentations remained fairly vendor neutral and contained loads of useful content.  Highlights for me included;

–          Wireless hacking demos

–          Man in the browser demos

–          Discussion around the state of the industry

–          Presentations on building a cyber-security capability and improving the way we in security can interact with the business

–          Presentations on the threat landscape

All of which were covered in the conference blog posts.

To wrap up my commentary of the conference, I’ll finish with a few of what were, for me, the key take away points;

–          Understand your environment and your industry – where is your data, what are your important assets and what are the key threats to your organisation.  If you don’t know this how can you know what to protect and how?

–          Following on from that, make sure you are protecting the right things and to correct level.

–          Read useful reports such as the Verizon Breach report – the data is frankly eye opening if you are not yet aware of the time most breaches take to be discovered and how poorly protected many businesses are (416 days and likely to rise..)

–          Become better at interfacing with the business – it is our job to make sure the decision makes at the highest level are aware of the risks and what they mean to our business / organisation.  Board level executives may choose to accept or ignore risks, but they should do with a full awareness of the threat landscape and our risks.  If the business / the board are unaware of the risks to the environment this is 100% our failing.  If they accept a risk and we are breached it is on them and they accepted the risk(s) with awareness they may be exploited.  If your organisation is exploited and the board / business were unaware then it is on us.

–          Finally it reminded me how much I love IT security and creating secure solutions and environments!  Take pride in what you do and do it well; jobs, money and peoples identities rely on us doing this right.

As always, feel free to ask if you want any more information, I’m more than happy to evangelise on these topics!

K