BreachExchange mailing list archives

Identify stolen credentials to improve security intelligence


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Jun 2014 13:30:56 -0600

http://net-security.org/article.php?id=2035

Data is the heart of an organization, and IT security teams are its
protectors. Businesses spend billions of dollars per year setting up
fortresses to safeguard data from anyone who dares try to take it. The
latest forecast from analyst firm Canalys has IT security spending
increasing to $30.1 billion by 2017. Despite this investment, data breaches
are on the rise.

The tools that hackers use are evolving at a rapid pace, making it
impossible for IT security teams to keep up. However, the tactics remain
the same. Companies that focus only on shielding themselves from obvious
intrusions, like malware, will find themselves in a losing battle against
sophisticated hackers. Successful IT security teams recognize the potential
in leveraging existing security information and event management (SIEM)
repositories to identify suspicious user activity that occurs after the
point of entry, yet before data is stolen.

An acute focus on malware detection as the basis of a security strategy
will have enterprises always playing catch-up, as hackers immediately try to
find new ways around the latest defense technologies that come onto the
market. New malware threats are being created at a rate of 82,000 per day,
which helps explain why a recent study found that despite improved
defensive capabilities, 97 percent of surveyed networks still experienced a
breach.

As hard as businesses might try to prevent malware infection through
detection or employee education, all it takes is one employee clicking a
bad link and a hacker can gain a foothold on an organization’s IT network.
Check Point found in its 2014 Security Report that of the organizations it
tracked, 84 percent had malware infections. Even more alarming is that in
2013, 58 percent of organizations had malware downloaded by employees every
two hours or less, which was more than triple the amount from 2012.

Just as hackers’ tools evolve, so do the ways in which users interact with
the IT environment. The general idea of the office has become more
nebulous. From BYOD practices to cloud storage to remote working trends,
it’s easier than ever for an employee to VPN into a network from anywhere
in the world, be it his home, hotel or airport. While this helps improve
business efficiency, it opens up several new opportunities for hackers to
access a business network. Even if the business has an airtight security
posture, what about partners and outside vendors that also have access to
the network? It wasn’t an employee whose credentials were compromised in
last year’s Target data breach, for example, but those of an HVAC vendor.

To reverse this asymmetric advantage favoring hackers, enterprises can
focus on what happens after the point of compromise. The purpose of malware
is not to disrupt a network, but to steal user credentials to enable
hackers to sneak around IT environments undetected. Once activated, malware
removes any trace of its existence, typically within an hour. And it’s
working, as the majority of network intrusions are a result of stolen user
credentials. It’s time to take the steam out of the hacking engine.

Preventing data breaches shouldn’t be a land war, but an intelligence one.
While updating anti-virus signatures and investing in malware protection is
obviously important, companies need to also maximize security intelligence.
What makes this a challenge for IT security teams is that impersonating
users will typically fly under the radar without a system in place to
quantify security alerts or identify abnormal behavior. And with 10,000
alerts per day for the average U.S. company, with upwards of 150,000 for
more active ones, it’s easy to get desensitized. Target learned this the
hard way, and it resulted in one of the biggest data breaches in history.
The company received an alert to what was going on, but it got lost in the
shuffle until it was too late.

With the abundance of information SIEM systems produce, big data security
analytics can play an integral role in reducing data breaches. However,
companies need a better way to detect valid versus invalid user behavior.
IT security teams can make improvements by establishing a baseline of
normal user behavior for all network access credentials. In tracking these
users, businesses will know how and when they access IT assets. Once this
has been determined, IT security teams will have a better method of
detecting anomalies and determining how far they deviate from the norm. Of
course, not every anomaly is cause for concern, which is why it’s important
to quantify these by identifying patterns of suspicious behavior.
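As an added illustration (not part of the original article), the approach above carried through in code: a per-credential baseline of which assets, source addresses and hours of day each account normally uses, built from SIEM-style access events, then a deviation score for new events and a flag only for credentials that show a repeated pattern of deviation rather than a single anomaly. All log lines, user names, hosts and addresses are constructed; the three-dimension score is one simple way to quantify deviation, not any product's method.

```python
from collections import defaultdict
from datetime import datetime

# Constructed SIEM-style access events: "timestamp user asset source_ip"
BASELINE_LOG = """
2014-05-05T09:12:00 alice fileserver1 10.1.2.10
2014-05-05T10:40:00 alice crm 10.1.2.10
2014-05-06T08:55:00 alice fileserver1 10.1.2.10
2014-05-07T09:30:00 alice crm 10.1.2.10
2014-05-05T18:05:00 hvac-vendor hvac-portal 203.0.113.7
2014-05-12T18:20:00 hvac-vendor hvac-portal 203.0.113.7
"""

# Constructed events from a later window: one normal login, then a vendor
# credential used at night, from a new address, reaching assets it never touched.
NEW_LOG = """
2014-06-02T09:05:00 alice fileserver1 10.1.2.10
2014-06-02T02:14:00 hvac-vendor hvac-portal 198.51.100.9
2014-06-02T02:31:00 hvac-vendor pos-server 198.51.100.9
2014-06-02T02:45:00 hvac-vendor fileserver1 198.51.100.9
"""

def parse(log):
    """Turn the whitespace-separated log text into (time, user, asset, source) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, asset, src = line.split()
        events.append((datetime.fromisoformat(ts), user, asset, src))
    return events

def build_baseline(events):
    """Per credential: the assets, source addresses and hours seen in the learning window."""
    base = defaultdict(lambda: {"assets": set(), "sources": set(), "hours": set()})
    for ts, user, asset, src in events:
        base[user]["assets"].add(asset)
        base[user]["sources"].add(src)
        base[user]["hours"].add(ts.hour)
    return base

def score_event(baseline, event):
    """Number of baseline dimensions the event deviates from: 0 = normal, 3 = all new."""
    ts, user, asset, src = event
    b = baseline.get(user)
    if b is None:
        return 3  # credential never seen in the baseline window
    return (asset not in b["assets"]) + (src not in b["sources"]) + (ts.hour not in b["hours"])

def suspicious_credentials(baseline, events, min_score=2, min_events=2):
    """Flag only credentials with a pattern of deviation: several events scoring >= min_score."""
    counts = defaultdict(int)
    for ev in events:
        if score_event(baseline, ev) >= min_score:
            counts[ev[1]] += 1
    return {user: n for user, n in counts.items() if n >= min_events}
```

Run against the constructed data, alice's daytime login scores 0 and the vendor credential is flagged with three high-deviation events; in practice the learning window, the dimensions tracked and the thresholds would be tuned per environment.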

It’s not a matter of if a company suffers a data breach, but when. While
malware tools change, the tactical use of them to steal user credentials
hasn’t. Therefore, IT teams need to improve security intelligence to more
quickly respond to attempted theft. Focusing on what happens after the
point of compromise is where IT security teams can make significant
progress in preventing breaches.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus
on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
