
Breach Report Analysis--SWOT or SWAT?

May 24th, 2016


#ISSAWebConf


http://www.issa.org/page/May2016

Welcome Conference Moderator

Jorge Orchilles, Director, South Florida ISSA

Speaker Introduction

• Pete Lindstrom, Research Vice President – IDC
• Kevin Haley, Director, Symantec Security Response
• Bhavesh Chauhan, Principal Client Partner – Verizon

To ask a question:

Type in your question in the Chat area of your screen.

You may need to click on the double arrows to open this function.


Presentation – Setting the Metrics Stage

Pete Lindstrom

• Vice President for Security Strategies at IDC
• 25 years of industry experience as an IT auditor, IT security practitioner, and industry analyst
• Frequent contributor to USA Today, WSJ Online, Information Security Magazine, VAR Business, Searchsecurity.com, and CSO Magazine

Metrics: Setting the Stage

• Metrics are recurring measures that provide insight into EFFICIENCY and/or EFFECTIVENESS.
• Efficiency in IT Security relates to speed and/or cost.
• Effectiveness in IT Security relates to reducing risk.
• The primary goal of an IT Security program is “to reduce the most risk for the least cost.”

Your Core Metrics Framework

Control Outcomes
• True Negative
• True Positive
• False Positive
• False Negative*

Populations (Assets)
• Company
• Servers
• Endpoints
• Applications

Populations (Events)
• Connections
• Sessions
• Messages
• Transactions

Financial Elements
• IT Value (costs)
• Control Costs
• Incident Costs
• Possible Losses


https://en.wikipedia.org/wiki/Matthews_correlation_coefficient


The One Security Metric to rule them all…

RISK-REDUCED per UNIT COST (RRUC)

Digging Deeper

• Elements can be classified and categorized as needed – location, business unit, tech platform, etc.
• Compliance metrics can be used to “keep score,” but often ignore efficiency and effectiveness.
• Duration metrics may provide some insight into efficiency.
• Attack surface and encryption metrics may address specific threats (physical, MITM, etc.)

How to use Industry Reports

Best Usage:
• Actionability matters! (use metrics to compare with your own).

Challenges:
• Denominators matter! (e.g. populations and events that provide BASE RATES).
• Consistency matters! (definitions and sources stay the same every period).
• Skepticism matters! (be skeptical, but use other evidence, not your “gut”).
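An added example (not from the presenters' slides) that ties the Control Outcomes in the Core Metrics Framework, the Matthews correlation coefficient linked there, and the "Denominators matter" point together: it scores one hypothetical mail filter from its outcome counts at two different base rates. The class and function names, the filter's detection and false-alarm rates, and the message volumes are all constructed for illustration.

```python
"""Added example: scoring a security control from its outcome counts."""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class ControlOutcomes:
    """Counts of control decisions over one event population (e.g. messages)."""
    tp: int  # malicious events the control flagged
    fp: int  # benign events the control flagged
    tn: int  # benign events the control let through
    fn: int  # malicious events the control missed

    @property
    def population(self) -> int:
        # The denominator: every event the control had to decide on.
        return self.tp + self.fp + self.tn + self.fn

    def base_rate(self) -> float:
        """Share of the population that was actually malicious."""
        return (self.tp + self.fn) / self.population

    def accuracy(self) -> float:
        return (self.tp + self.tn) / self.population

    def precision(self) -> float:
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 0.0

    def recall(self) -> float:
        malicious = self.tp + self.fn
        return self.tp / malicious if malicious else 0.0

    def mcc(self) -> float:
        """Matthews correlation coefficient: +1 perfect, 0 chance level, -1 inverted."""
        denom = sqrt((self.tp + self.fp) * (self.tp + self.fn)
                     * (self.tn + self.fp) * (self.tn + self.fn))
        if denom == 0:
            return 0.0  # conventional value when a row or column of the matrix is empty
        return (self.tp * self.tn - self.fp * self.fn) / denom


def outcomes_at_base_rate(population, base_rate, detection_rate, false_alarm_rate):
    """Expected outcome counts for a control with fixed rates at a given base rate."""
    malicious = round(population * base_rate)
    benign = population - malicious
    tp = round(malicious * detection_rate)
    fp = round(benign * false_alarm_rate)
    return ControlOutcomes(tp=tp, fp=fp, tn=benign - fp, fn=malicious - tp)


def compare_base_rates():
    """Same hypothetical filter and traffic volume, two constructed base rates."""
    results = {}
    for label, base_rate in (("10% malicious", 0.10), ("0.01% malicious", 0.0001)):
        o = outcomes_at_base_rate(1_000_000, base_rate,
                                  detection_rate=0.99, false_alarm_rate=0.01)
        results[label] = {
            "outcomes": o,
            "accuracy": o.accuracy(),
            "precision": o.precision(),
            "recall": o.recall(),
            "mcc": o.mcc(),
        }
    return results


if __name__ == "__main__":
    for label, m in compare_base_rates().items():
        print(f"{label:>16}: accuracy={m['accuracy']:.4f} "
              f"precision={m['precision']:.4f} recall={m['recall']:.4f} "
              f"mcc={m['mcc']:.4f}")
```

Both runs report the same accuracy; only precision and MCC show that at the lower base rate the filter flags roughly 100 benign messages for every malicious one it catches.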

Presentation – Symantec’s Internet Security Threat Report

Kevin Haley

• Director of Product Management for Symantec Security Technology And Response
• Technical advisor and main spokesperson for Symantec Internet Security Threat Report

Copyright 2016, Symantec Corporation

Kevin Haley, Director, Symantec Security Response

2016 Internet Security Threat Report Volume 21

In 2009 there were 2,361,414 new pieces of malware created.

In 2015 that number was 430,555,582.

That’s 1 Million 179 Thousand a day.

Victim
Founded: 1933; 1 location; 35 employees

Attacker
Founded: 1938; 5 locations; 285 employees

• In the network for two years
• Accessed data 157 times

Spear-Phishing Attacks by Size of Targeted Organization

Org Size | 2015 Risk Ratio | 2015 Risk Ratio as Percentage | Attacks per Org
Large Enterprises (2,500+ Employees) | 1 in 2.7 | 38% | 3.6
Medium Business (251–2,500 Employees) | 1 in 6.8 | 15% | 2.2
Small Business (SMB) (1–250 Employees) | 1 in 40.5 | 3% | 2.1

[Chart: Targeted Attack Campaigns, 2012–2015. Series: Recipients per Campaign; Average Number of Email Attacks Per Campaign; Campaigns. Callout: 55% increase.]

Spear Phishing Attachment Types


Vulnerabilities


[Chart: Zero-Day Vulnerabilities per year, 2006–2015.]

Top 5 Most Frequently Exploited Zero-Day Vulnerabilities

Rank | Name | 2015 Percentage
1 | Adobe Flash Player CVE-2015-0313 | 81%
2 | Adobe Flash Player CVE-2015-5119 | 14%
3 | Adobe Flash Player CVE-2015-5122 | 5%
4 | Heap-Based Buffer Overflow aka ‘Ghost’ CVE-2015-0235 | <1%
5 | Adobe Flash Player CVE-2015-3113 | <1%

Adobe Releases Out-of-Band Patch For Flash Vulnerability

• On June 23, Adobe released an out-of-band patch for a critical zero day vulnerability, designated CVE-2015-3113

• Within a week, five of the most well known exploit kits had integrated this vulnerability into their platforms

Exploit Kit | First Seen
Magnitude | June 27, 2015
Angler | June 29, 2015
Nuclear | July 1, 2015
RIG | July 1, 2015
Neutrino | July 1, 2015

Who Cares About Vulnerabilities on Websites?


They Did

The Alleged Attackers Used DDoS Attacks

“The accused men are alleged to have built the botnet by scanning the internet for servers running older versions of a “popular website content management software” that had not been updated to patch known vulnerabilities. These vulnerabilities allow them to install the Brobot malware on affected servers.”

Ransomware


35% Increase in Crypto-Ransomware Attacks


Ransomware Families

• Android
• Linux
• OSX

Dridex or Locky?


Ransomware Evolution

• Targeted Ransomware Attacks

• Backup Infected or Destroyed

• Extortion – Because of on-line payment methods you don’t have to fool someone to steal from them

Professionalization of Cyber Crime


TeslaCrypt – A Leading Ransomware Player

Branded Malware

On-line payment system makes ransomware possible

Could you make a customer wait 12 for verification of a purchase?

A free sample

TeslaCrypt Ransomware – Technical Support Available


Butterfly – The Attackers’ Tools

• Hacktool.Bannerjack – used to locate vulnerable servers on the local network
• Hacktool.Multipurpose – basic network enumeration, hides activity by editing logs, deleting files, etc.
• Hacktool.Eventlog – parses event logs, dumps content, deletes entries

Hacktool.MultiPurpose


Dridex Gang - Number of Known Spam Runs Per Day


When Cyber Criminals Work in Call Centers, Write Documentation and Take the Weekends Off, You Know It’s a Profession

Thank you!


Kevin Haley @kphaley

Speaker Introduction

Bhavesh Chauhan

• Principal Client Partner – Security Evangelist – Verizon CTO organization
• 15 Plus years in Cyber Security and Business Continuity Systems
• Holds a Master’s of Science Degree in Physics and certifications of CISSP, CISA and CISM

Breach Report Universe

• AT&T Cybersecurity Insights Report
• Cisco Annual Security Report
• Dell Security Annual Threat Report
• Google Android Security Annual Report
• IBM X-Force Cyber Security Intelligence Index Report
• McAfee Labs Threat Predictions Report
• Symantec Internet Security Threat Report
• Verizon Data Breach Investigation Report
• Juniper Research
• Microsoft Security Intelligence Report

Breach Report Details

AT&T Cybersecurity Insights Report

AT&T looked inside their giant global communications network and came out with their inaugural Cybersecurity Insights Report towards the end of last year. The report is aimed at helping businesses to secure their own data. “Every company either has been breached or will be breached,” said Ralph de la Vega, president and CEO, AT&T Mobile and Business Solutions, in the report.

Takeaway: 458% increase in the number of times hackers searched Internet of Things connections for vulnerabilities

Cisco Annual Security Report

When detected, cyber criminals are evading and reconstituting their cyber attacks, according to the Cisco 2016 Annual Security Report. Cyber defenders lack collaboration with each other, and their ability to detect, defend and recover from attacks is failing. Corporate regulators and investors want a better view into an organization’s cyber risk. Cisco explains these trends and more, along with recommendations on how enterprises can strengthen their defenses.

Takeaway: There’s a 221% increase in compromised WordPress sites

Dell Security Annual Threat Report

Dell’s SonicWALL Global Response Intelligence Defense (GRID) network gets daily feeds from more than one million firewalls and tens of millions of connected endpoints. Dell relies on this data to produce its annual threat report, which details the latest trends in cybercrime. The latest report raises awareness around the growing cyber risk to smartphones.

Takeaway: Malware attacks nearly doubled to 8.19 billion, with the Android ecosystem being the prime target

Google Android Security Annual Report

Google protects users against Potentially Harmful Apps (PHAs), malware, network-based and on-device threats, and unsafe websites — by checking more than 6 billion apps per day, and scanning 400 million devices per day. All of this information is used to help compile the Google Android Security Report, which explains how Google protects the Android ecosystem. The 2015 annual report was released less than a month ago.

Takeaway: Google notified Google Play developers about potential security issues, which led to better security for 100,000+ apps

IBM X-Force Cyber Security Intelligence Index Report

The IBM Security division produces their annual X-Force Cyber Security Intelligence Index Report based on operational data collected from thousands of devices monitored in over 100 countries. The report looks at the global cyber threatscape and which industries face the greatest risk. The 2016 report provides many valuable insights — including the fact that 60% of all attacks suffered by IBM customers were carried out by ‘insiders’.

Takeaway: The healthcare industry was the one most frequently attacked, speeding straight past financial services and manufacturing

McAfee Labs Threat Predictions Report

The McAfee Labs 2016 Threat Predictions report came out at the end of last year. Unlike other reports which are based largely on analyses of network data and reported breaches, this one is based on interviews with more than 20 key people from the Intel / McAfee security teams. The predictions are how cyber criminals and cyber threats will change over the next five years, and how cyber defenses will adapt to them.

Takeaway: Attacks on automobile systems will increase rapidly in 2016 due to the rapid increase in connected automobile hardware built without foundational security principles.

Symantec Internet Security Threat Report

The 2016 Internet Security Threat Report released by Symantec covers a wide range of global threats – including attacks on browsers and websites, corporate data breaches, spear phishing campaigns, ransomware, and various types of cyber scams. The report also covers an explosion in fake tech support scams, and the cyber tricks being used by the scammers.

Takeaway: Spear-phishing campaigns targeting employees increased 55% last year

Verizon Data Breach Investigation Report

• Submissions from 67 contributors and taking a deep dive into 64,000+ incidents—and nearly 2,300 breaches.
• The report explains that cyber criminals are continuing to exploit human nature — and targeting the weakest point in enterprises, its people.
• No major new revelation
• Detection deficit graph – time between compromise and detection
• 89% of all cyber attacks involve financial or espionage motivations.

Verizon Data Breach Investigation Report (Cont)

• Malware with C2 for Exfil
• Phishing and Credential theft
• Attackers are quicker - Compromise within minutes, exfiltration within days.
• Attackers more organized and efficient (Dridex also skewed results)
• Miscellaneous errors – simple mistakes hurt
• 30% of phishing messages were opened by their intended victims.
• 12% of those targets took the next step to open the malicious attachment or web link.

Verizon Data Breach Investigation Report (Cont)

• 39% of crimeware incidents were ransomware.
• 95% of data breaches were motivated by financial gain.
• 93% of data breaches were compromised in minutes.
• 83% of victims took more than a week to detect breaches.
• 85% of successful traffic was attributed to the top 10 CVE vulnerabilities. Although difficult to quantify and validate, top vulnerabilities should be prioritized.

Juniper Research

Estimates cybercrime will cost businesses over $2 trillion by 2019. As cyber attacks and scams continue to proliferate, the biggest challenge appears to be a severe cybersecurity workforce shortage, which was reported in a CSO story last year. There were one million cybersecurity job openings entering 2016 — with a projected shortfall of 1.5 million by 2019.

Microsoft Security Intelligence Report

Cybercriminals are becoming faster and more efficient at launching attacks. However, the number of ways they use to compromise computers has not grown much. The report, which covers the second half of the 2015 calendar year, also notes that "high severity vulnerability disclosures were up more than 40%." This iteration of the report marks the first time Microsoft has incorporated security data from its cloud services. For the past several years, the most commonly exploited Windows vulnerabilities have had patches that came out in 2009 and 2010, pointing out old versions of IE still in use and/or just really, really bad patching.

Microsoft Security Intelligence Report (Cont)

• No new attack vectors are needed. As long as "Social Engineering," bait attacks, particularly "phishing," continue to work so well, no new methods are needed. It used to be that bait appealed to the "Seven Deadly Sins," but curiosity and familiarity seem to work even better.
• Exploit kits accounted for four of the 10 most commonly encountered exploits during 2H15.
• Ransomware was not on the top 10 during that period.
• Number of systems that encountered malware increased to 20.5%, a rise of 5.5% from the previous six months.

Actionable Takeaways

• Train users. Users with permissions and trust are still the weakest link. Phishing continues to be highly effective for attackers to leverage poorly trained users to give them access.
• Protect financially valuable data from confidentiality, integrity, and availability attacks.
• Expect attacks, and be prepared to respond and recover.

Actionable Takeaways

• Speed up detection capabilities. Defenders must keep pace with attackers. When preventive controls fail, it is imperative to quickly detect the exploit and maneuver to minimize its overall impact.
• Patch top vulnerabilities in operating systems, applications, and firmware. Patch quickly or suffer. It is a race; treat it as such. Prioritize the work based upon severity ranking. Serious vulnerabilities should not languish for months or years!

Open Discussion


May 2016 ISSA Web Conference

04/26/2016

Thank you

Moderator: Jorge Orchilles

Speakers: Kevin Haley, Pete Lindstrom, Bhavesh Chauhan

Thank you Citrix for donating the Webcast service

Upcoming ISSA International Web Conference

Legislative Impact: When Privacy Hides the Guilty Party

2-Hour Live Event: Tuesday, June 28, 2016

Start Time: 9:00 a.m. US-Pacific / 12:00 p.m. US-Eastern / 5:00 p.m. London

Overview:

Increasingly legislation and regulation are becoming extremely important drivers for what information security professionals have to do, and the pace of delivery seems to be increasing wherever you work in the world today. What are organizations’ and individuals’ approaches to what and how they do information security? How do we prioritize what is most important? What can we do to make compliance easier? How do we get our policies aligned with the differing regulatory environments across different jurisdictions? How do we deal with export controls (software and information)? In some cases the question might be – How do we stay out of jail? Join our industry experts to get their views on this topic and the questions around it.

Web Conference Survey

To take the survey and get CPE credit for attending the May ISSA International Web Conference, visit http://www.surveygizmo.com/s3/2802102/ISSA-Web-Conference-May-24-2016-Breach-Report-Analysis-SWOT-or-SWAT

A recording of the conference will soon be available at: http://www.issa.org/page/May2016

If you or your company are interested in becoming a sponsor for the monthly ISSA International Web Conferences, please visit: https://www.issa.org/?page=BecomeASponsor