Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO
The 2016 Data Breach Investigations Report from Verizon Enterprise has been released, analyzing 64,199 security incidents that resulted in 2,260 confirmed data breaches. Verizon defines an incident as an event that compromises the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than suffering them, Verizon recommends several areas of controls for security-conscious enterprises. If you don't care to read the full 80-page report, Ziften offers this Verizon DBIR analysis, focused on the recommended controls that EDR tooling can deliver:
Vulnerabilities: Recommended Controls
A strong EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including vulnerability exposure timelines that show how effective vulnerability management has been. The exposure timelines matter because Verizon stresses a systematic approach that emphasizes consistency and coverage, rather than haphazard, tactical patching.
Phishing: Recommended Controls
Although Verizon recommends user training to reduce susceptibility to phishing, its data still shows nearly a third of phishing messages being opened, and users clicking the link or attachment more than one time in ten. Not good odds if you have at least ten users! Given that a click-through compromise is inevitable, Verizon advises investing in detection of unusual network activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR solution will not only track endpoint network activity, but also filter it against network threat feeds that identify malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which augments network flow data with endpoint context and attribution, so that SOC personnel have the decision context needed to quickly resolve network alerts.
Web App Attacks: Recommended Controls
Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR system will monitor login activity and apply anomaly detection to identify unusual login patterns indicative of compromised credentials.
Point-of-Sale Intrusions: Recommended Controls
Verizon recommends (as FireEye/Mandiant has also strongly recommended) strict network segmentation of POS devices. Again, a strong EDR solution should be tracking network activity (to identify anomalous network contacts). ZFlow in particular is valuable in supplying decision context for suspect network activity. EDR products also address Verizon's recommendation to monitor remote logins to Point of Sale devices. Beyond this Verizon recommends multi-factor authentication, and a strong EDR capability augments that with login pattern anomaly monitoring (since even MFA can be defeated by MITM attacks).
Insider and Privilege Misuse: Recommended Controls
Verizon advises you to “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR product naturally provides this capability. In Ziften's case, our software tracks user presence periods and user focus activity while present (such as foreground application usage). Anomaly detection can then recognize unusual deviations in activity pattern, whether a temporal anomaly (i.e. something has changed this user's normal activity pattern) or a spatial anomaly (i.e. this user's behavior pattern differs significantly from peer behavior patterns).
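The temporal-versus-spatial distinction above, as an added illustration that is not Ziften code: each user's latest daily value is scored against that user's own history (temporal), and each user's baseline is scored against the peer group's baselines (spatial). The activity table is constructed sample data, and the z-score threshold of 3.0 is an assumed tuning value.

```python
"""Temporal vs spatial anomaly checks on per-user activity baselines.

Constructed input: minutes of foreground use of a file-share client per user,
one value per working day, with today's value last in each series.
"""
from statistics import mean, pstdev

# Constructed sample data: 10 days of history followed by today's value.
ACTIVITY = {
    "alice": [40, 45, 38, 50, 42, 47, 44, 41, 46, 43, 44],
    "bob":   [55, 60, 52, 58, 57, 61, 54, 59, 56, 60, 240],  # today spikes
    "carol": [50, 48, 53, 49, 51, 52, 47, 50, 54, 49, 50],
    "dave":  [300, 310, 295, 305, 298, 302, 307, 299, 301, 304, 303],  # always high
}

def zscore(value, history):
    """Standard score of value against a history; 0 when the history has no spread."""
    sd = pstdev(history)
    return 0.0 if sd == 0 else (value - mean(history)) / sd

def temporal_anomalies(activity, threshold=3.0):
    """Users whose latest value deviates from their own past behaviour."""
    flagged = {}
    for user, series in activity.items():
        history, today = series[:-1], series[-1]
        z = zscore(today, history)
        if abs(z) >= threshold:
            flagged[user] = round(z, 1)
    return flagged

def spatial_anomalies(activity, threshold=3.0):
    """Users whose typical level differs from the typical level of their peers."""
    baselines = {u: mean(s[:-1]) for u, s in activity.items()}
    flagged = {}
    for user, base in baselines.items():
        peers = [b for u, b in baselines.items() if u != user]
        z = zscore(base, peers)
        if abs(z) >= threshold:
            flagged[user] = round(z, 1)
    return flagged

if __name__ == "__main__":
    print("temporal:", temporal_anomalies(ACTIVITY))  # bob's spike today
    print("spatial:", spatial_anomalies(ACTIVITY))    # dave's level vs peers
```

Note that dave is invisible to the temporal check (his history is consistently high) and bob to the spatial check (his baseline is ordinary), which is why both views are needed.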
Verizon also recommends monitoring the use of USB storage devices, which solid EDR systems provide, since such devices can serve as a “sneakernet” exfiltration path.
Miscellaneous Errors: Recommended Controls
Verizon's recommendations in this area focus on keeping a record of past errors to serve as a warning of mistakes to avoid in the future. Solid EDR products do not forget; they maintain an archival record of endpoint and user activity going back to their initial deployment. These records are searchable at any time, perhaps after some future event has revealed an intrusion and response teams have to go back and “find patient zero” to unravel the incident and determine where mistakes may have been made.
Physical Theft and Loss: Recommended Controls
Verizon recommends (and many regulators require) full disk encryption, particularly for mobile devices. A proper EDR system will verify that endpoint configurations comply with the enterprise encryption policy, and will alert on violations. Verizon reports that data assets are physically lost one hundred times more often than they are stolen, but the impact on the affected enterprise is essentially the same.
Crimeware: Recommended Controls
Again, Verizon stresses vulnerability management and consistent, thorough patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften's case, this keys off the National Vulnerability Database (NVD), matching it against the process image records from our endpoint monitoring. This yields an up-to-date vulnerability assessment at any moment.
Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools do track the arrival and execution of new binaries, and Ziften's product can retrieve samples of any binary present on enterprise endpoints and submit them for comprehensive static and dynamic analysis by our malware research partners.
Cyber-Espionage: Recommended Controls
Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening measures whose compliance can be verified by EDR tools.
Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can significantly enhance traditional network flow monitoring with endpoint context and attribution, providing a combination of network and endpoint security that is genuinely end-to-end.
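The idea of augmenting flow data with endpoint context, referred to here and in the phishing and POS sections above, as an added illustration that is not ZFlow or any Ziften code: collector flow records carry no process information, so they are joined to an endpoint agent's socket snapshot on (source IP, source port), and the resulting attributed flows are triaged against a threat feed and a bulk-transfer threshold. All records, the feed entry and the 10 MB threshold are constructed assumptions.

```python
"""Augmenting network flow records with endpoint process and user attribution."""

# Constructed flow records as a collector would export them (no process info).
FLOWS = [
    {"src": "10.0.0.12", "sport": 51544, "dst": "52.10.1.9",    "dport": 443,  "bytes": 3_200},
    {"src": "10.0.0.12", "sport": 51602, "dst": "198.51.100.7", "dport": 8443, "bytes": 48_000_000},
    {"src": "10.0.0.31", "sport": 40211, "dst": "203.0.113.5",  "dport": 53,   "bytes": 512},
]

# Constructed endpoint socket snapshot: which process and user owned each local port.
SOCKETS = [
    {"ip": "10.0.0.12", "port": 51544, "pid": 4410, "process": "chrome.exe", "user": "alice",
     "image_path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"ip": "10.0.0.12", "port": 51602, "pid": 9021, "process": "svchost.exe", "user": "SYSTEM",
     "image_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
]

# Constructed threat feed of destinations considered malicious.
THREAT_FEED = {"198.51.100.7"}

def attribute_flows(flows, sockets):
    """Join each flow to the endpoint process that owned its source socket."""
    by_socket = {(s["ip"], s["port"]): s for s in sockets}
    enriched = []
    for f in flows:
        ctx = by_socket.get((f["src"], f["sport"]))  # None when no agent saw this socket
        enriched.append({**f,
                         "process": ctx["process"] if ctx else None,
                         "user": ctx["user"] if ctx else None,
                         "image_path": ctx["image_path"] if ctx else None})
    return enriched

def triage(enriched, feed, bulk_bytes=10_000_000):
    """Alert on feed hits or bulk outbound transfers, carrying the attribution along."""
    alerts = []
    for f in enriched:
        reasons = []
        if f["dst"] in feed:
            reasons.append("threat-feed match")
        if f["bytes"] >= bulk_bytes:
            reasons.append("bulk outbound transfer")
        if reasons:
            alerts.append({"dst": f["dst"], "process": f["process"], "user": f["user"],
                           "image_path": f["image_path"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in triage(attribute_flows(FLOWS, SOCKETS), THREAT_FEED):
        print(a)  # the analyst sees which binary and user produced the alerting flow
```

The alert names the responsible image path and user, which is the context an analyst would otherwise have to reconstruct by hand from the endpoint.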
Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on-scene to help with a breach crisis. This is the prime function of EDR tools, given that the endpoint is the most frequent entry vector in a major data breach.
Denial-of-Service Attacks: Recommended Controls
Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR systems can track port usage by application and apply anomaly checks to identify unusual application port usage that may indicate compromise.
Enterprise services moving to the cloud also need protection from DoS attacks, which the cloud provider may supply. However, when it comes to network traffic monitoring in the cloud, where the enterprise may lack network visibility, alternatives like Ziften ZFlow provide a means of collecting enriched network flow data directly from cloud virtual servers. Do not let the cloud become your network blind spot, or attackers will exploit it to fly under your radar.