When Malware Isn’t Enough: Why You Need to Invest In Securing Your Data

Chris Petersen (LogRhythm’s CTO and Co-Founder) recently published the Security Intelligence Maturity Model™ (SIMM™). The SIMM provides a systematic guide for an organization to assess and actively improve its security posture. In the SIMM, Chris stresses that the cyber-threat landscape is changing dramatically, and that you must change your focus to stay sharp on the journey toward resilience against attacks and breaches.

The Current Cyber-Threat Landscape

Traditionally the industry has focused on detecting threats based on signatures and file types. But breaches in the past year seem to have exploited the vulnerabilities of our endpoints and users. With the Internet of Things (IoT) growing wildly, you need to focus on the activities of the malicious actors themselves, not just on their known tools.

Big data analytics are crucial in helping you hear the signal through the noise. Taking in your traditional log sources (e.g., domain controllers, AV, IDS/IPS, firewalls, etc.) will certainly give you a good understanding of user, host and ingress/egress activity. But all of this information is not enough if you want to achieve resiliency.

A recent report by Trustwave indicated that the ROI on an exploit kit was an estimated 1,425%. If you do the math, that’s $84,100 net revenue for every $5,900 spent.

In addition, Net-Security conveys another concerning statistic: the average (mean) time from intrusion to detection appears to be approaching 200 days.

What You Don’t Know Won’t Hurt You. Right?  

In your fight against malware, exploit kits, spear phishing and so forth, you need to look closely at local forensics to fill in the gaps in your holistic view. There are many solutions on the market that will help you wrangle your endpoints and user behavior. But at what cost? How many consoles, and how many different skill sets, are required?

In looking back at some of the major recent breaches, many of these instances were discovered by outsiders, took weeks to come to light and had several indicators that something was amiss. “If collecting data from existing security systems, correlating that data in a single repository and raising frequent alerts to trained security professionals is insufficient to detect and prevent (or at least stop) breaches, then exactly what is necessary to do the job? This is the question being raised by every organization with a mandate to protect its customer data, intellectual property, trade secrets and business strategies and, ultimately, its market value.” (The Cyber Threat Risk—Oversight and Guidance for CEOs and Boards).

To be effective, you must rely on skilled people, well-defined policies and processes, and a range of integrated technologies. If you want to maintain a strong security posture, you must invest in heavily automated, end-to-end threat detection and response capabilities. This can be described as a progression of stages:

Learn more about how to establish a security intelligence model here.

Steven Russo stated, “The clear definition of the insanity in cyber today is that we continue to protect sensitive data the same way over and over again and expect a different result. I do not think there should be any doubt that current methods are simply not good enough and something needs to change. The ever-present threat of cyber-attack, underscored by the recent array of mass-data breaches in most sectors of the economy, is forcing businesses of all sizes to take action. The current need is for new ways to secure data at rest and data in motion from cyber-attack, mass data loss, and internal as well as external criminal exploitation.”




There’s No Hacking in Baseball (or is There?)

One morning, last week, coffee in hand, I opened the sports page of my local newspaper and the top story wasn’t about the latest pitcher to toss a no-hitter. There was nothing on the front page about game 6 of the NBA finals. Instead, the lead story was that it was recently revealed that there is a federal investigation underway to determine whether the St. Louis Cardinals hacked into the computers of the Houston Astros.

So it’s come to this. Has cybercrime become so mainstream that sports teams will now employ sophisticated hackers to infiltrate rivals’ systems to gain an edge on the competition? Will we see an asterisk in the history books next to the latest champion to win because it was found that the team used cyber espionage to gain the upper hand? I jest, but the fact is, this just isn’t funny.

According to the New York Times, “Investigators uncovered evidence that Cardinals employees broke into a network of the Astros that housed a special database the team had built…internal discussions about trades, proprietary statistics and scouting reports were compromised, said the officials…” According to investigators, the alleged break-in can’t be credited to some sophisticated hacking scheme, but instead to a simple case of compromised credentials.

To those of us in the cyber security field, the sins of bad password hygiene are well known. SplashData’s Worst Passwords List shows that many people and organizations continue to put themselves in harm’s way by using easily guessable and weak passwords. In addition, the re-use of passwords across systems and websites has proven to be the door to many savings accounts.

In fact, our recent research on password security indicates that less than 21% of respondents use unique passwords for online accounts. And if the FBI’s investigation into the Astros’ data breach proves out their initial findings, it would be the classic case of poor password management.

So, what to do? For the Astros, it’s “too little too late.” But take note: There are lessons to be learned.

I’m probably not telling anyone that would read this something that they don’t already know. But knowing and doing are two different things, and if you repeatedly hear that you should do something, then you’re probably more likely to do it. Here are a few ways you can make your passwords more secure:

  1. If you have anything at all running in your network that might still have a default password on it, change it.
  2. Make your passwords stronger. Eight character passwords are a start. But let’s be really secure and stop calling them passwords. Instead let’s change the way we think and start calling them passphrases—meaning 16 characters or longer with a mix of upper and lower case letters, numbers and special characters. But don’t make it so hard that you have to write it down.
  3. Learn from the mistakes of the Astros and never, ever, use the same password, or just one password. In other words, the password you use for your Facebook account shouldn’t be the same one you use for your mobile banking.

Would better password hygiene have been enough to keep the St. Louis Cardinals at bay? Good password management alone might have been enough to thwart these non-sophisticated cyber thieves. But if a baseball team’s staff members were able to steal another team’s sensitive data, just think of what vulnerabilities might be found if a real cyber-sleuth is creeping around your company’s back door.



Doing the Impossible: Building your Security Intelligence Maturity

“Start by doing what is necessary, then do what is possible; and suddenly you are doing the impossible.” – St. Francis of Assisi

In my 3+ years as a LogRhythm Professional Services & Security Consultant, I have often found customers with an appetite for security awareness and the ability to “look for the big things”, yet unable to satisfy their hunger.

Building the foundation: The security intelligence platform

From a traditional viewpoint, SIEM is typically classified as “Log Management”, but this is only a small portion of an effective SIEM. Log Management itself is only one facet of true Security Management. In order to achieve a true Security Intelligence Platform, we need to include components such as Server Forensics, Network Forensics and Endpoint Forensics. Bundle up all this data, information, management and analytics and you get a much better picture of how SIEM has evolved into Security Analytics.


LogRhythm Security Intelligence Platform

As a precursor to this, if you’ve never heard of LogRhythm’s Security Intelligence Maturity Model, or would like to read up about it, then I recommend reading the whitepaper available here.


Cyber-Threat Lifecycle

Essentially, the model empowers users of the LogRhythm Security Intelligence Platform to increase their awareness of the activity in their infrastructure, thus reducing the time taken to identify a potential threat, indicators of a breach or anomalous behaviour. This resulting insight and visibility reduces the overall mean time to detect (MTTD) and enhances the security posture of the organisation.


This lowered MTTD allows an organisation to respond better to whatever situation has arisen and been detected. Thus the MTTR (mean time to respond) improves as well, because the higher level of security intelligence leads to far more rapid and effective decision making and response.

Doing what is necessary: Base threat analytics

To address the fundamental requirement of “start by doing what is necessary”, LogRhythm developed a packaged module of rules around Base Threat Analytics using out-of-the-box features and intelligence to set up this foundation for implementation of Security Intelligence.

These rules have been designed to use LogRhythm’s AI Engine to detect correlations across various log sources, grouped into categories such as account anomalies, network anomalies, host anomalies and typical indicators of compromise. Thus, the Base Threat Analytics suite encapsulates the “necessary” step for Security Intelligence.

From here, organisations need to begin looking at “What is possible?” Once the Base Threat Analytics module has been successfully implemented, the groundwork has been laid for an effective Security Intelligence posture.

The MTTD will already be greatly reduced, as the enhanced capabilities provided by LogRhythm’s AI Engine are able to effectively correlate and identify security, operational and audit anomalies and scenarios that would be far too time consuming, or simply impossible, to identify manually due to the sheer volume of information involved.

Explore the possibilities: Identifying the next step in your security intelligence maturity

So just what is possible? How does an organisation determine a direction from here? Should your security posture be driven by management decisions or perhaps by device and equipment types available to you? What about projects or newer generations and iterations of devices? Should they dictate your next phase in Security Intelligence Maturity?

The truth is, it can often be a combination of all of these factors, as well as a multitude more. LogRhythm can help not only with guiding those decisions, but also in ensuring that a mapping and plan of the future direction is outlined, enabling you to reach a much higher level of security awareness and intelligence.

The beauty of this is that LogRhythm’s scalable platform is designed so that these additional modules and evolutionary phases of the Security Intelligence Maturity Model can be implemented rapidly and effectively on your existing platform. All the building blocks and tools are provided for you, with LogRhythm Professional Services helping you to understand how these fit together and the best ways to implement these tools.

Doing the impossible: Rapidly identifying and responding to threats

Finally, we are now doing the (seemingly) impossible. We have managed to implement a Security Intelligence model that has helped to decrease the MTTD from a manual, labour-intensive and slow process to a more rapid, dynamic and intuitive process. This enables you to identify and understand complex scenarios and indicators of threats and breaches within minutes of them occurring.

The result? Because of this increased awareness, your MTTR has also decreased, as you have the information needed to make quick, well-informed decisions on how best to respond to the incidents that have been identified.



IRS Breach: “Criminals Access 100,000 IRS Tax Returns”

On June 3rd, I logged into my computer, opened up the BBC news and clicked to the Tech section. The top headline was “Criminals access 100,000 IRS tax returns.”

My immediate reaction was “so that’s where all the Anthem data went.”

This headline completely underscored how today’s cyber criminal is becoming more and more sophisticated. It has become a harsh reality that criminals have so many weapons in their arsenal that it is becoming more and more difficult to keep up with them, let alone predict their next plan of attack.

In this latest breach, stolen personal data was used to file bogus tax returns and claim $50M in refunds (at least that is the number which the IRS is willing to admit to). In all probability, the personal data, used in the bogus tax filings, was stolen during one or more of the recent high profile breaches reported in the mainstream media: Anthem, Ebay, JP Morgan Chase or one of the many others.

Unfortunately, like many high profile breaches, I believe this one too could have been avoided had the IRS been given, or for that matter requested, a list of affected consumer data from earlier breaches. Had they done this, a trigger could have been set up to raise an alarm every time a tax return was filed for someone on the watch list. Additionally, an automatic response could have been set up to alert investigators, such as a follow-up phone call or a verification email, each time an alarm was triggered. These actions would have allowed further investigation to verify or discredit the return. This type of trigger could easily have been set up within a system like LogRhythm.

Furthermore, based on the information provided by the IRS, it seems that for each one of the bogus tax returns a brand new online account was set up with a different email address from the one used for previous tax return filings. Again, a process to detect this type of activity could easily have been incorporated into the trigger I proposed above. All of which could easily be set up within LogRhythm.
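The watch-list trigger and the new-account/changed-email check described in the two paragraphs above, as an added illustration that is not part of the original post and is not LogRhythm code. The watch list, prior-filing email addresses, filings, indicator weights and the 30-day "fresh account" window are all constructed placeholders.

```python
from datetime import date

# Hypothetical watch list of taxpayer identifiers exposed in earlier breaches
# (constructed placeholder values, not real identifiers).
WATCHLIST = {"TP-0002", "TP-0004"}

# Email address on file from each taxpayer's previous filing (constructed sample).
PRIOR_FILING_EMAIL = {
    "TP-0001": "alice@example.com",
    "TP-0002": "bob@example.com",
    "TP-0003": "carol@example.com",
}

# This season's filings (constructed sample). account_created is the date the
# online account used to file was registered; filed is the submission date.
NEW_FILINGS = [
    {"taxpayer_id": "TP-0001", "account_email": "alice@example.com",
     "account_created": "2013-03-01", "filed": "2015-02-10"},
    {"taxpayer_id": "TP-0002", "account_email": "refund-now@mail.test",
     "account_created": "2015-02-09", "filed": "2015-02-10"},
    {"taxpayer_id": "TP-0003", "account_email": "carol.new@example.com",
     "account_created": "2015-01-20", "filed": "2015-02-11"},
    {"taxpayer_id": "TP-0004", "account_email": "dan@example.com",
     "account_created": "2012-05-05", "filed": "2015-02-11"},
    {"taxpayer_id": "TP-0005", "account_email": "eve@example.com",
     "account_created": "2015-02-10", "filed": "2015-02-11"},  # first-time filer
]

# Illustrative weights; the threshold decides when a human verification step
# (call-back or verification email) is required before a refund is released.
WEIGHTS = {"watchlist": 50, "email_changed": 30, "fresh_account": 20}
HOLD_THRESHOLD = 50


def evaluate_filing(filing, watchlist, prior_email, fresh_account_days=30):
    """Return the names of the indicators that fire for one filing."""
    reasons = []
    tid = filing["taxpayer_id"]
    if tid in watchlist:
        reasons.append("watchlist")          # identifier was in an earlier breach
    prior = prior_email.get(tid)
    if prior is not None and prior.lower() != filing["account_email"].lower():
        reasons.append("email_changed")      # differs from last year's account
    created = date.fromisoformat(filing["account_created"])
    filed = date.fromisoformat(filing["filed"])
    if (filed - created).days <= fresh_account_days:
        reasons.append("fresh_account")      # account registered just before filing
    return reasons


def triage_filings(filings, watchlist, prior_email):
    """Score every filing and decide whether to release it or hold it for verification."""
    results = []
    for filing in filings:
        reasons = evaluate_filing(filing, watchlist, prior_email)
        score = sum(WEIGHTS[r] for r in reasons)
        action = "hold_and_verify" if score >= HOLD_THRESHOLD else "release"
        results.append({"taxpayer_id": filing["taxpayer_id"], "score": score,
                        "action": action, "reasons": reasons})
    return results
```

A first-time filer with a fresh account alone scores below the threshold, so the check does not hold every new taxpayer; a watch-list hit, or a changed email on a freshly created account, does.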

Of course, with the benefit of hindsight, it is easy to see how major events like these could have been avoided, but someone should have seen this type of attack coming. There need to be safeguards in place for when sensitive data is stolen. For example, when a consumer’s credit card is compromised, they are sent a new credit card. However, when the social security number of an American citizen is stolen, they are not issued a new one, nor are flags put in place to detect future unauthorized usage.

If nothing else, as a result of this and other breaches over the last year, we have learned that cyber crime is now more lucrative than drug crime. There is less risk and greater reward. Organized crime gangs from Russia, China and other countries around the world are getting better and better at stealing personal data and then either using it or selling it for massive financial gain.

A well-recognized reality in today’s InfoSec community is “They Will Get In.” Therefore, it is what you do once criminals have breached your network and how fast you react that truly determines how devastating or otherwise a breach can be. Organizations face a giant game of chess, where they must act and react, being as predictive as possible.

Determining what data had been stolen during the Anthem breach and others, as well as its possible uses, might have led to the implementation of a system or process designed to prevent what happened at the IRS. Perhaps this latest high profile attack on one of the bastions of American society will provoke some far-reaching and more stringent systems and processes to be implemented. Perhaps not. Time will tell.



A Case of the Mondays: How a Routine Visit Discovered a Cyber Attack

Recently, I learned a valuable lesson from what looked like it would be a regular Monday. My day started off routinely, but along the way some surprising events unfolded.

I was scheduled to go on-site with a federal customer for a “knowledge transfer” (aka OJT) as a new NOC/SOC team was coming online. When I got there, it started out as a rather typical meeting—get an understanding of the team’s knowledge of LogRhythm, assess their goals, and introduce them to any new features/products available.

Prior research led me to believe that this was an older deployment that had been neglected for some time. I was pleasantly surprised to find out that this was not the case. Instead, it was a fairly new XM-6350 running LogRhythm 6.3.3 and the latest KB. Not having to perform a system upgrade was a relief.

However, as I listened to the customer’s requirements and dug deeper into the deployment, I quickly realized that the system was only being used for log collection, and that people rarely logged in or monitored the data being collected by the XM. I’d say they were using about 30% of the LogRhythm features and functionality. Moreover, the WebUI wasn’t installed and AIE was disabled.

After a quick install of the WebUI, initialization of AIE, addition of the basic LOW/LOW-LOW rules found in the Post-Install Guide for POCs and setting up the third-party threat feeds (as well as some other customer requested tweaks)—the XM was back in fighting shape!

After a brief conversation, my sales rep and I started to walk the team through a quick demo using the customer’s XM, data and WebUI. Within 10 minutes of talking, we happened to click on the Alarms tab, and to our surprise, we found some interesting data.

A few red alarm cards with ratings of 90 appeared, denoting “Malware Found.” The team asked, “What’s that all about?” We began to pivot and drill down and discovered the systems affected by the malware. Apparently this information had been reported by their Symantec and McAfee systems for quite some time, and regularly.

The NOC/SOC team quickly sprang into action to remedy the issue (albeit they were a bit annoyed). Moments later, we returned to the demo and another alarm fired with a score of 97. The team (almost in unison) said “What now!?”

After a quick drilldown, we discovered that their Fortinet deployment was reporting a breach coming from an “external IP” (outside the U.S.). Being that this was a government customer, we’d just tripped DEFCON-1 (and were called into the manager’s offices to explain the situation). The customer thanked us for helping to spot the external breach and asked us to leave for the day, as they were about to get very busy.

What was the lesson learned? Make sure that you always look under the hood of an existing LogRhythm deployment to verify that the basics have been covered. It’s important to understand what LogRhythm is capable of and how to best leverage the system to your advantage.

As one of the NOC/SOC employees put it, “If we’d been paying attention and using LogRhythm more regularly, we could have caught this sooner. Who knows how long we’ve been under attack.”

A typical Monday, indeed…
