IT security professionals have long since admitted that they are struggling to keep pace with attackers, a situation that is only compounded year-on-year with "staggering" amounts of fresh malware making its way into the networks of businesses across the globe. In that context, information security experts have warned that it is more important than ever to have a robust incident response and handling contingency plan in place for when, not if, a company’s systems are breached.
James McLoughlin, senior systems engineer, DataSolutions, said that it is "pragmatic" at this point for companies to "consider that your prevention controls may fail". As such, he said, security is as much about detection and remediation after a system compromise as it is about prevention nowadays. "Many organisations need to rebalance their budgets to allow for a more real time approach to security, one that includes better detection controls," said McLoughlin.
Paul German, chief technology officer with Pbxwall said that customers, alongside security professionals, now know that "security of IT systems will never come from a single device" and in turn businesses must take a layered approach to defending themselves against threats and recovering from breaches.
"Detection systems would be useless without having the tools available to understand the threat, its source and the affected systems within your company, and the ability to eradicate the problem," he added. Cisco’s Irish country manager, Adam Grennan, echoed German’s thoughts when he admitted that there’s no easy answer or "one-size-fits-all" security tool to ensure a breach doesn’t cause any harm; however, he added that, in fact, such tools "should not be the highest priority".
Security framework
Instead, he said, what’s actually important is having "subject matter experts, decision-making responsibilities and processes defined up front". Talking about how "network visibility and control are the two most important pillars within a good security framework", Grennan noted how "many security professionals have yet to fully realise the untapped security potential available within their network infrastructure".
For example, he said that by collecting, processing and analysing data which is "exportable from infrastructure devices", organisations can "extend the value of their network" in security terms. The Cisco man also noted that having "good instrumentation and management mechanisms in place" not only allows you to provision effective mitigations to your network devices, but also helps you to maintain control of your environment.
As Don Smith, director of technology with Dell SecureWorks, put it, "100% security does not exist", meaning it is imperative that organisations have an incident response plan in place and that such a strategy is engaged "at the first signs of a breach".
"Involve the technical team," continued Smith, "internal forensics and incident response team, and the legal team; if you lack the in-house expertise needed to fully understand the true extent of the breach, what has been compromised, and how to remove the threat, consider partnering with a forensics and incident response expert."
Lars Meyer, who is technical director with NextGen, said that it’s vital for those who have suffered a breach to understand that these intrusions "are not just comprised of one type of attack". Attackers, he said, use a variety of tools in a phased approach which usually starts with the typical malware-based ‘infection’ of a corporate PC, followed by establishing a ‘remote control’ channel to the attackers’ command-and-control server. Then comes a third phase, "the escalation", to execute the actual security breach or to further explore the enterprise network; all of which points to the attackers relying on "network communication in order to be successful".
This, Meyer noted, "makes network security solutions the most effective mitigation measure for security breaches". However, he added, "The reason why attackers are so effective nowadays is that most network security solutions like UTM firewalls, web proxies with URL filtering and anti-virus or standalone intrusion prevention systems address only a single type of threat which makes it very easy for attackers to avoid these security silos."
Hack yourself
Intriguingly, Robert McArdle of Trend Micro told ComputerScope that "regardless of what tools you decide to use a key approach is to hack yourself first". Explaining further, the senior advanced threat researcher said companies should ensure that "at least one person on your IT team who is responsible for securing your network is also fully skilled enough to break into it".
"Focus on internal perimeters, the external one is gone or heavily eroded in this era of BYOD and consumerisation," said McArdle. "Ask yourself if your support team really needs to be on the same network as the development team or finance? Have your IT/information security practice moving laterally around the network with different privilege levels and see how far they can get."
Also looking at the issue slightly differently was IT security and cybercrime analyst with ESET Ireland, Urban Schrott, who said that while companies may generally take adequate steps to protect against external breaches, "the majority of breaches are actually caused from within the company".
"Accidental and malicious insider threats have been identified by expert research as the main threat to company data integrity," said Schrott, who added that "if employers had a warrant to search their employees’ private computers, who knows how much company data would be found on them".
The most obvious remedy, in cases of accidental breaches, is employee training in the aftermath of an incident, said Schrott, alongside putting in place monitoring technologies. In the case of the latter, Schrott says the technology is available to gain a bird’s eye view of "all activities on company computers", with reports being delivered to supervisors in order to prevent "all unauthorised copying, emailing, editing, of company files".
Details
Once an attack has taken place and is remedied as much as is possible, Cisco’s Grennan said incident response plans should include feedback loops that allow an IT manager, CTO or other authority within a company to "drive lessons back into the business to prevent future breaches". These types of "post-mortems", as Grennan puts it, allow companies to "identify all weaknesses and holes in systems, infrastructure defences, or policies that allowed the incident to take place".
Trend Micro’s McArdle said that those who have found a breach should begin protecting against further data losses by detailing "every aspect of the incident" and learning from it. Donnachadha Reynolds, security consultant with Integrity Solutions, weighed in with a similar train of thought, noting that "20/20 vision is cheap… so use it!"
However, despite this seemingly simple advice, some companies, it seems, just don’t learn. Symantec’s product strategies manager for the EMEA region, Stuart Beattie, for instance, noted that in an era where "data breaches are quite a common occurrence", there is in fact a danger that people can become "desensitised to data losses" and in turn fail to take the necessary steps in the aftermath of a breach to ensure it does not happen again.
Forensics
Noting that the company’s recent ‘Cost of Data Breach’ study found that "negligent employees or contractors pose the biggest risk to organisations", as they were responsible for over a third of all data breaches, Beattie said "after a breach has been detected, it is critical for organisations to learn as much as they can about the incident so that they can prevent similar breaches from occurring again".
"In order to do this, network and host-based forensics need to be used to establish, where possible, how an attacker entered the network and systems. Find how they accessed [the network and systems], what they gained access to, what they stole from the system and what, if anything, they changed. Based on the forensic analysis findings," added Beattie, "they should put new policies in place, deploy appropriate technology to prevent future breaches, and update their vulnerability assessments to ensure that they proactively check for similar, preventable issues in future."
Cloud complications
The cloud has obviously complicated the security landscape for many companies around the country, and should an incident happen within a cloud environment, there can also be very real complications and data concerns for those involved. Managing director at Cloud Compare, Eamon Moore, said that in such situations the first point of response should be confirmation that the cloud service provider in question can "identify the incident without compromising other tenants within the cloud environment as well".
"That’s a big thing," he said, "though in addition, there should be the ability to have snapshots of the entire virtual environment and then the ability to restore to the snapshot. Then also being able to isolate the system, node, image or application that has been affected as quickly as possible, that would be a big element of a response policy as well."
In the case of a cloud provider, Moore suggested that companies using such services should "outline what’s required at the start" from both parties in terms of security and incident response, adding that at times businesses can let "responsibilities fall through the cracks" as they assume the cloud provider bears all the responsibility.
Blame game
While many of these measures are internal steps, Trend Micro’s McArdle said looking at the bigger picture in the aftermath of an attack could be beneficial for many companies as well. Organisations should, he said, "share experiences with other members of the industry in closed trusted groups, where fear of public reaction is not an issue". He noted that while "attackers communicate very well" and rely on companies "not to talk to each other", this particular trend can be reversed.
"If ‘Company A’ tells its whole industry as soon as possible about how it was breached, the attacker can no longer use that same attack on its competitors. By doing so the industry actually becomes more resilient the more it gets attacked. Don’t play the blame game," added the Trend Micro representative.
DataSolutions’ McLoughlin said that this is, to a certain degree, already happening within the leading security vendors themselves, "including Check Point, RSA Security and Symantec", as they tend to allow their users to "opt in to share their security telemetry".
"This allows the manufacturers to correlate and quickly identify attack patterns at a global level. Being able to identify zero day attacks allows for speedier deployment of countermeasures," noted McLoughlin. "Products like Symantec’s Critical System Protection (CSP) allow organisations to lock down their systems so that only trusted activity is allowed. Anything unrecognised or unauthorised, including targeted malware, can be stopped in its tracks."
Playing with fire
Elsewhere, some information security experts have recently been touting the idea of monitoring, rather than halting, malware or other threats once they are detected in a network. Used to gain a better picture of what exactly the malicious software is looking for, the idea is not universally popular.
"I don’t think any responsible [systems administrator] does ‘live’ research on a production network," was how ESET’s Schrott bluntly put it, while Integrity’s Reynolds said "monitoring malware in controlled environments is playing with fire". Meanwhile, Dell SecureWorks’ Smith said, "we wouldn’t advise any organisation to attempt this without dedicated security support", adding that it is a "risky approach and should only be attempted if the organisation is 110% sure that the malware couldn’t move" into another part of their network.
Symantec’s Beattie though, did say that deploying solutions to monitor malware once it enters a network could be "particularly suitable" for critical infrastructure and other sectors that experience targeted, specific attacks which need to be analysed on an individual basis.
"These organisations," said Beattie, "frequently operate closed networks so they cannot simply feedback raw data to external vendors or consultants for further analysis. For this reason they need to operate their own CERT team with the necessary expertise to interpret the findings in the necessary business context."
Down the line
If monitoring malware is not the future of incident response and handling though, what is? Asked to look down the line at where solutions in this space are headed, Beattie felt it important to note that "organisations that are able to prioritise incident response and handling based on business needs will be able to recover their critical business operations quicker than those that prioritise based on technology-based metrics".
Continuing his point, the product strategies manager said that this meant products which are able to assist security departments by "presenting security incidents in terms of business impact rather than individual system impact" are likely to become more important in the next year to 18 months.
That time period will also, said Beattie, see a likely increase of "service-based delivery" resulting in organisations outsourcing their security operations centres (SOCs) as "threat analysis becomes more complicated and the expertise required increases".
Looking towards the next year, Cisco country manager Grennan admitted, "the sophistication of attacks and breaches are obviously increasing". This, he said, means that "along with tools" companies will need to look towards teaming up with a security expert partner or building "significant" in-house expertise if they haven’t already.
Grennan also said that with the general "evolution towards teleworking, BYOD, cloud, and software defined networks", understanding what is leaving the enterprise is more critical than it’s ever been before. "The challenge of securing a wide range of applications, devices, and users in an ‘any-to-any’ context will be something that will be to the forefront of many people’s minds over the next couple of years," said Grennan. "Any person, with any device, at any place can access data stored in any data centre or cloud at any location."
ESET’s Schrott also sees "a steady and obvious increase in mobile malware, as well as malware for platforms that previously weren’t considered prime targets", all of which must now be mitigated against. "We’ll see what gets thrown at us," he added. "Some things we expect, others will likely surprise us, and any response will have to be appropriate to the threat at hand."
Wake-up call
For Integrity’s Reynolds, the biggest influence in how industry handles incidents of data breaches will be the new European data protection regime; something he said will "be a wake-up call for Irish Government and business".
"The current voluntary code of conduct [under the] Data Protection Act is clearly not working," said Reynolds.
"When the new European directive comes into play and is transposed into Irish law, Ireland won’t be allowed to repeat the same laissez-faire approach to protecting citizens’ data." Switching back to the technology itself, NextGen’s Meyer felt that moving the network perimeter of an enterprise into the cloud may become more commonplace over the next year.
"Going forward," he added, "this enables [a] managed security service provider to effectively manage the security infrastructure of an enterprise while gaining a level of experience to avoid and handle security breaches which would be impossible to establish for a single enterprise."