Written by Dr. Al Hartmann and presented by Chuck Leaver, Ziften CEO
The 2016 Data Breach Investigations Report (DBIR) from Verizon Enterprise has been released, analyzing 64,199 security incidents that resulted in 2,260 confirmed breaches. Verizon defines an incident as a compromise of the integrity, confidentiality, or availability of an information asset, and a breach as a confirmed disclosure of data to an unauthorized party. Because preventing breaches is far less painful than suffering them, Verizon offers several sets of recommended controls for security-conscious enterprises. If you don’t care to read the full 80-page report, Ziften offers this analysis of the Verizon DBIR with a spotlight on the recommended controls that EDR enables:
Vulnerabilities Recommended Controls
A solid EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including vulnerability exposure timelines that show how effective vulnerability management actually is. The exposure timelines matter because Verizon stresses a systematic patching method that emphasizes consistency and coverage over haphazard, ad hoc patching.
Phishing Recommended Controls
Although Verizon recommends user training to reduce phishing susceptibility, their data still shows almost a third of phishing messages being opened, with users clicking the link or attachment more than one time in ten. Bad odds if you have at least ten users! Given the inevitable click compromise, Verizon recommends investing in detection of unusual network activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR system will not only track endpoint network activity but also filter it against network threat feeds that identify malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which enriches network flow data with endpoint context and attribution so that SOC staff have the decision context to quickly resolve network alerts.
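The filtering step described above, as an added example that is not Ziften's code or the DBIR's: endpoint connection records are matched against a threat feed and each hit is reported together with the host, user and process that made the connection, which is the attribution an analyst needs to triage the alert. Both the feed indicators (drawn from the RFC 5737 documentation address ranges) and the connection records are constructed sample data, not real IoCs.

```python
import ipaddress
from collections import namedtuple

# Constructed sample threat feed: hypothetical indicators in documentation
# address space (TEST-NET-2/3), not real IoCs. Values are analyst-facing text.
THREAT_FEED = {
    "203.0.113.45": "known C2 host",
    "198.51.100.0/24": "hosting range used for exfiltration drops",
}

ConnRecord = namedtuple(
    "ConnRecord", "host user process pid dst_ip dst_port bytes_out")

# Constructed endpoint network records, as an EDR agent might report them.
CONNECTIONS = [
    ConnRecord("ws-017", "alice", "outlook.exe", 4120, "192.0.2.10", 443, 18_000),
    ConnRecord("ws-017", "alice", "winword.exe", 5232, "203.0.113.45", 8443, 2_400),
    ConnRecord("ws-042", "bob", "svchost.exe", 812, "198.51.100.77", 80, 950_000),
    ConnRecord("ws-042", "bob", "chrome.exe", 3310, "192.0.2.20", 443, 4_100),
]


def build_feed(feed):
    """Split the feed into exact-IP and network indicators for fast lookup."""
    exact, nets = {}, []
    for indicator, description in feed.items():
        if "/" in indicator:
            nets.append((ipaddress.ip_network(indicator), description))
        else:
            exact[ipaddress.ip_address(indicator)] = description
    return exact, nets


def match_indicator(dst_ip, exact, nets):
    """Return the feed description for dst_ip, or None if it is not listed."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in exact:
        return exact[ip]
    for net, description in nets:
        if ip in net:
            return description
    return None


def enrich_alerts(connections, feed):
    """Filter endpoint connections against the feed and attach endpoint
    context (host, user, process, pid) to every hit."""
    exact, nets = build_feed(feed)
    alerts = []
    for c in connections:
        description = match_indicator(c.dst_ip, exact, nets)
        if description is None:
            continue
        alerts.append({
            "host": c.host, "user": c.user, "process": c.process, "pid": c.pid,
            "dst": f"{c.dst_ip}:{c.dst_port}", "bytes_out": c.bytes_out,
            "reason": description,
        })
    return alerts


if __name__ == "__main__":
    for alert in enrich_alerts(CONNECTIONS, THREAT_FEED):
        print(alert)
```

The attribution is what turns a bare flow alert into something actionable: a word-processor process talking to a listed C2 host, or a service host pushing nearly a megabyte to a listed range, tells the analyst which process to pull and which user session to examine without a second round of lookups.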
Web App Attacks Recommended Controls
Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A strong EDR service will monitor login activity and apply anomaly checking to detect unusual login patterns indicative of compromised credentials.
Point-of-Sale Intrusions Recommended Controls
Verizon recommends (as FireEye/Mandiant has also strongly recommended) strong network segmentation of POS devices. Again, a strong EDR service should be tracking network activity to recognize anomalous network contacts, and ZFlow in particular provides critical decision context for suspicious network activity. EDR systems also address Verizon’s recommendation to monitor remote logins to Point of Sale devices. Alongside this Verizon recommends multi-factor authentication, but a strong EDR capability will supplement that with additional login pattern anomaly checking, since even MFA can be defeated by MITM attacks.
Insider and Privilege Misuse Recommended Controls
Verizon recommends that you “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR product naturally provides this capability. In Ziften’s case our software tracks user presence periods and user focus activity while present (such as foreground application use). Anomaly monitoring can identify unusual deviations in activity patterns, whether temporal (something has changed this user’s normal activity pattern) or spatial (this user’s behavior pattern differs considerably from peer behavior patterns).
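The temporal-versus-spatial distinction above, as an added example that is not Ziften's code: one activity metric per user per day (here, minutes of foreground use of an application, constructed sample values) is scored as a z-score against the user's own baseline (temporal) and against the peer group's values for the same day (spatial). The metric, the users and the 3-sigma threshold are assumptions for illustration.

```python
import statistics

# Constructed daily activity metric per user: minutes of foreground use of
# one application category over a ten-day baseline window.
BASELINE = {
    "alice": [42, 45, 40, 47, 44, 43, 41, 46, 45, 44],
    "bob":   [38, 41, 39, 40, 42, 37, 40, 39, 41, 40],
    "carol": [44, 43, 46, 42, 45, 44, 43, 45, 44, 46],
    "dave":  [40, 42, 41, 43, 39, 41, 42, 40, 43, 41],
}
# Constructed values for the day under review; bob's is far outside both
# his own history and his peers' behavior.
TODAY = {"alice": 44, "bob": 95, "carol": 45, "dave": 41}


def zscore(value, samples):
    """Standard score of value relative to samples (population std dev).
    A zero-spread baseline makes any deviation infinitely anomalous."""
    mean = statistics.mean(samples)
    sd = statistics.pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def temporal_anomaly(user, today, baseline, threshold=3.0):
    """Has this user's activity today drifted from this user's own history?"""
    return abs(zscore(today[user], baseline[user])) > threshold


def spatial_anomaly(user, today, threshold=3.0):
    """Does this user's activity today differ from the peer group today?"""
    peers = [v for u, v in today.items() if u != user]
    return abs(zscore(today[user], peers)) > threshold


def classify(today, baseline, threshold=3.0):
    """Return, per user, which kind of anomaly (if any) fired."""
    return {
        user: {
            "temporal": temporal_anomaly(user, today, baseline, threshold),
            "spatial": spatial_anomaly(user, today, threshold),
        }
        for user in today
    }


if __name__ == "__main__":
    for user, flags in classify(TODAY, BASELINE).items():
        print(user, flags)
```

The two checks catch different things: a temporal anomaly fires when a single account changes habits (a compromised or abused account), while a spatial anomaly fires when an account behaves unlike its peers even if it has always done so. A real deployment would use a peer group far larger than three and a baseline window longer than ten days before trusting the standard deviation.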
Verizon also recommends tracking use of USB storage devices, which solid EDR systems provide, since they can serve as a “sneaker exfiltration” path.
Miscellaneous Errors Recommended Controls
Verizon’s recommendations in this area focus on keeping a record of past errors as a warning against mistakes to avoid in the future. Solid EDR systems do not forget; they keep an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, possibly after some future incident has uncovered an intrusion and response teams need to go back and “find patient zero” to reconstruct the event and determine where errors may have been made.
Physical Theft and Loss Recommended Controls
Verizon recommends (and many regulators require) full disk encryption, particularly for mobile devices. A proper EDR product will verify that endpoint configurations comply with enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost 100 times more often than they are physically stolen, but the impact is essentially the same for the affected business.
Crimeware Recommended Controls
Again, Verizon stresses vulnerability management and consistent, comprehensive patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring, which yields an up-to-date vulnerability assessment at any moment.
Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools track the arrival and execution of new binaries, and Ziften’s product can retrieve samples of any binary present on enterprise endpoints and submit them for comprehensive static and dynamic analysis by our malware research partners.
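The join described here, and the exposure timelines mentioned under Vulnerabilities above, as an added example that is not Ziften's implementation: NVD-style records (with placeholder CVE identifiers, not real ones) are matched against process image observations by product and version, and each match becomes an exposure window that opens when a vulnerable image runs after the advisory is published and closes when that image was last seen. The record layouts, products, versions and dates are all constructed for illustration.

```python
from datetime import date


def parse_version(text):
    """'15.6.30' -> (15, 6, 30) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


# Constructed NVD-style records with placeholder IDs (not real CVEs).
NVD_RECORDS = [
    {"cve": "CVE-EXAMPLE-0001", "product": "acrobat", "fixed_in": "15.10.0",
     "cvss": 9.8, "published": date(2016, 3, 1)},
    {"cve": "CVE-EXAMPLE-0002", "product": "firefox", "fixed_in": "45.0.0",
     "cvss": 7.5, "published": date(2016, 3, 10)},
]

# Constructed process image records from endpoint monitoring: one row per
# (host, product, version) with the first and last day it was seen running.
PROCESS_IMAGES = [
    {"host": "ws-017", "product": "acrobat", "version": "15.6.30",
     "first_seen": date(2016, 2, 1), "last_seen": date(2016, 4, 20)},
    {"host": "ws-017", "product": "acrobat", "version": "15.10.0",
     "first_seen": date(2016, 4, 21), "last_seen": date(2016, 5, 2)},
    {"host": "ws-042", "product": "firefox", "version": "44.0.2",
     "first_seen": date(2016, 1, 15), "last_seen": date(2016, 5, 2)},
    {"host": "ws-099", "product": "firefox", "version": "45.0.1",
     "first_seen": date(2016, 3, 20), "last_seen": date(2016, 5, 2)},
]


def exposure_timeline(nvd_records, images, as_of):
    """Join vulnerable version ranges against observed process images.

    An exposure opens at max(advisory published, image first seen) and
    closes on the day the vulnerable image was last observed; if that day
    is the as_of date the exposure is still open."""
    exposures = []
    for rec in nvd_records:
        fixed = parse_version(rec["fixed_in"])
        for img in images:
            if img["product"] != rec["product"]:
                continue
            if parse_version(img["version"]) >= fixed:
                continue  # patched build, not affected
            start = max(rec["published"], img["first_seen"])
            still_open = img["last_seen"] >= as_of
            end = as_of if still_open else img["last_seen"]
            if end < start:
                continue  # image retired before the advisory was published
            exposures.append({
                "host": img["host"], "cve": rec["cve"],
                "product": rec["product"], "version": img["version"],
                "cvss": rec["cvss"], "exposed_from": start, "exposed_to": end,
                "days_exposed": (end - start).days, "open": still_open,
            })
    # Open exposures first, then by severity, so the worklist is sorted.
    exposures.sort(key=lambda e: (not e["open"], -e["cvss"]))
    return exposures


if __name__ == "__main__":
    for e in exposure_timeline(NVD_RECORDS, PROCESS_IMAGES, date(2016, 5, 2)):
        print(e)
```

The days_exposed figure per host and advisory is the raw material for the exposure timelines: the distribution of closed windows measures how quickly patching actually lands, and the open ones are the current worklist. Real NVD data carries version ranges rather than a single fixed_in value, so a production matcher would compare against the full affected-range expression.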
Cyber-Espionage Recommended Controls
Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool sector that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps whose compliance can be verified by EDR tools.
Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can significantly enhance conventional network flow monitoring with endpoint context and attribution, offering a combination of network and endpoint security that is truly end-to-end.
Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on-scene to help with a breach. This is the prime purpose of EDR tools, given that the endpoint is the most frequent entry vector in a significant data breach.
Denial-of-Service Attacks Recommended Controls
Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port usage by application and apply anomaly checks to identify unusual application port use that could indicate compromise.
Enterprise services moving to cloud service providers also need protection from DoS attacks, which the cloud provider may supply. But for network traffic monitoring in the cloud, where the enterprise may not have network visibility, options like Ziften ZFlow offer a way to gather enriched network flow data directly from cloud virtual servers. Do not let the cloud be your network blind spot; attackers will exploit it to fly under your radar.
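The per-application port anomaly check above, and the login pattern anomaly checking recommended under Web App Attacks earlier, as one added example that is not Ziften's code: both reduce to learning which attribute values a principal has exhibited during a training window and flagging values never seen for it before. The same novelty baseline is applied to login records (user, source address, hour of day) and to application port records (process, destination port); the records, the off-hours window and the field layouts are constructed assumptions.

```python
from collections import defaultdict


class NoveltyBaseline:
    """Learn which attribute values each key has exhibited, then flag
    values never before seen for that key."""

    def __init__(self):
        self.seen = defaultdict(set)

    def learn(self, key, value):
        self.seen[key].add(value)

    def is_novel(self, key, value):
        return value not in self.seen[key]


# Constructed login history and new records: (user, source_ip, hour_of_day).
LOGIN_HISTORY = [
    ("alice", "10.1.4.20", 9), ("alice", "10.1.4.20", 17),
    ("alice", "10.1.4.21", 13), ("bob", "10.1.9.5", 8), ("bob", "10.1.9.5", 18),
]
LOGIN_NEW = [
    ("alice", "10.1.4.20", 10),    # known source, ordinary hour
    ("alice", "203.0.113.9", 3),   # never-seen source at 03:00
    ("bob", "10.1.9.5", 9),
]

# Constructed application port history and new records: (process, dst_port).
PORT_HISTORY = [
    ("chrome.exe", 443), ("chrome.exe", 80),
    ("outlook.exe", 443), ("outlook.exe", 993),
]
PORT_NEW = [("chrome.exe", 443), ("outlook.exe", 6667), ("updater.exe", 443)]


def detect_login_anomalies(history, new, off_hours=range(0, 6)):
    """Flag logins from a source never seen for the user, and off-hours
    logins in an hour bucket the user has not used before."""
    sources, hours = NoveltyBaseline(), NoveltyBaseline()
    for user, ip, hour in history:
        sources.learn(user, ip)
        hours.learn(user, hour)
    findings = []
    for user, ip, hour in new:
        reasons = []
        if sources.is_novel(user, ip):
            reasons.append("new source")
        if hour in off_hours and hours.is_novel(user, hour):
            reasons.append("off-hours")
        if reasons:
            findings.append((user, ip, hour, reasons))
    return findings


def detect_port_anomalies(history, new):
    """Flag (process, port) pairs never observed during the training window."""
    ports = NoveltyBaseline()
    for process, port in history:
        ports.learn(process, port)
    return [(process, port) for process, port in new
            if ports.is_novel(process, port)]


if __name__ == "__main__":
    print(detect_login_anomalies(LOGIN_HISTORY, LOGIN_NEW))
    print(detect_port_anomalies(PORT_HISTORY, PORT_NEW))
```

Note that a process with no history at all (updater.exe here) always reads as novel; that is desirable for a never-seen binary opening outbound connections, but in practice a baseline should be trusted only after a minimum number of observations, otherwise every freshly deployed application generates alerts.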