Written by Dr. Al Hartmann and presented by Chuck Leaver, Ziften CEO
The Data Breach Investigations Report 2016 from Verizon Enterprise has been released, examining 64,199 security incidents leading to 2,260 confirmed data breaches. Verizon defines an incident as an event that compromises the integrity, confidentiality, or availability of an information asset, while a breach is an incident that results in the confirmed disclosure of data to an unauthorized party. Because avoiding breaches is far less painful than surviving them, Verizon recommends a number of sets of controls for security-conscious enterprises. If you do not care to read the complete 80-page report, Ziften offers this Verizon DBIR analysis with a spotlight on those of Verizon's recommended controls that EDR can deliver:
Vulnerabilities Recommended Controls
A solid EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including exposure timelines that show how effectively vulnerabilities are being managed. The exposure timelines matter because Verizon emphasizes a systematic approach that values consistency and coverage over haphazard, ad hoc patching.
Phishing Recommended Controls
Although Verizon recommends user training to reduce phishing susceptibility, its data shows nearly a third of phishing messages being opened, with users clicking the link or attachment more than one time in ten. Those are not good odds if you have at least ten users. Given that a click will eventually succeed, Verizon recommends investing in detection of unusual network activity indicative of lateral movement (pivoting), C2 traffic, or data exfiltration. A sound EDR system not only records endpoint network activity but also matches it against network threat feeds that identify malicious destinations. Ziften goes further with its patent-pending ZFlow technology, which augments network flow data with endpoint context and attribution (which process, under which user, generated the flow), so that SOC personnel have the decision context they need to resolve network alerts quickly.
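The attribution step described above, as an added example that is not Ziften's code and does not represent how ZFlow works internally: flow records (as a collector would export them) are joined to the endpoint agent's socket table on local IP, local port, protocol and time window, so each flow is tagged with the owning process and user, and destinations are then matched against a threat feed. The record formats, the socket table, the flows and the feed entries are all constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One network flow record, as exported by a flow collector (constructed format)."""
    ts: int          # epoch seconds, flow start
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" / "udp"
    bytes_out: int


@dataclass(frozen=True)
class Socket:
    """One socket observed by the endpoint agent, with the process and user that own it."""
    host: str
    pid: int
    process: str
    user: str
    local_ip: str
    local_port: int
    proto: str
    opened: int
    closed: Optional[int]   # None = still open at the time of the last report


# Constructed endpoint socket table (what an EDR agent would report).
SOCKETS = [
    Socket("ws-042", 4120, "outlook.exe", "CORP\\jdoe", "192.0.2.42", 51234, "tcp", 1000, 1300),
    Socket("ws-042", 7781, "powershell.exe", "CORP\\jdoe", "192.0.2.42", 51240, "tcp", 1200, None),
    Socket("ws-017", 2210, "chrome.exe", "CORP\\asmith", "192.0.2.17", 44010, "tcp", 900, 950),
]

# Constructed flow records from the network side.
FLOWS = [
    Flow(1010, "192.0.2.42", 51234, "203.0.113.25", 443, "tcp", 4200),    # mail client, benign
    Flow(1210, "192.0.2.42", 51240, "198.51.100.9", 8443, "tcp", 51200),  # PowerShell to a C2 range
    Flow(1400, "192.0.2.17", 44010, "203.0.113.7", 443, "tcp", 800),      # after the socket closed
]

# Constructed threat feed: destination network -> tag.
THREAT_FEED = {"198.51.100.0/24": "known-c2", "203.0.113.7/32": "exfil-dropsite"}


def attribute(flow, sockets):
    """Return the endpoint socket that owned this flow, or None if no socket
    matches the 5-tuple side and the time window (port reuse makes the
    time check essential, not optional)."""
    for s in sockets:
        if (s.local_ip, s.local_port, s.proto) != (flow.src_ip, flow.src_port, flow.proto):
            continue
        if s.opened <= flow.ts and (s.closed is None or flow.ts <= s.closed):
            return s
    return None


def feed_tag(ip, feed):
    """Longest-match is not needed for this toy feed; first matching network wins."""
    addr = ip_address(ip)
    for net, tag in feed.items():
        if addr in ip_network(net):
            return tag
    return None


def enrich(flows, sockets=SOCKETS, feed=THREAT_FEED):
    """Join every flow to its owning process/user and to the threat feed."""
    out = []
    for f in flows:
        s = attribute(f, sockets)
        out.append({
            "ts": f.ts, "dst": f"{f.dst_ip}:{f.dst_port}", "bytes_out": f.bytes_out,
            "host": s.host if s else None, "process": s.process if s else None,
            "pid": s.pid if s else None, "user": s.user if s else None,
            "threat": feed_tag(f.dst_ip, feed),
        })
    return out


def alerts(flows=FLOWS, sockets=SOCKETS, feed=THREAT_FEED):
    """Only flows to feed-listed destinations, with attribution attached."""
    return [e for e in enrich(flows, sockets, feed) if e["threat"]]


if __name__ == "__main__":
    for a in alerts():
        who = f'{a["user"]} via {a["process"]} (pid {a["pid"]})' if a["process"] else "UNATTRIBUTED"
        print(f'{a["ts"]} {a["host"] or "?"} -> {a["dst"]} [{a["threat"]}] {who} {a["bytes_out"]}B')
```

Two details carry the practical lesson: the second flow is attributed to powershell.exe running as a user, which is what turns a bare "contact with a C2 range" alert into something an analyst can act on immediately; the third flow hits the feed but cannot be attributed because the only candidate socket had already closed, so the output says so explicitly rather than guessing. Unattributed feed hits deserve their own triage queue, since clock skew between collector and agent, or an agent that is no longer reporting, are both things an attacker can benefit from.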
Web App Cyber Attacks Recommended Controls
Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR solution monitors login activity and applies anomaly checks to discover unusual login patterns indicative of compromised credentials.
Point-of-Sale Intrusions Recommended Controls
Verizon recommends (as FireEye/Mandiant has also strongly recommended) strong network segmentation of POS devices. Again, a solid EDR solution should be tracking network activity to recognize anomalous network contacts, and ZFlow is particularly valuable in providing decision context for suspicious network activity. EDR products also address Verizon's recommendation to monitor remote logins to POS devices. Verizon additionally recommends multi-factor authentication; a strong EDR capability augments that with login-pattern anomaly checking, since even MFA can be defeated by man-in-the-middle attacks (a phishing relay that forwards a one-time code in real time, for instance), and a successful login that looks wrong is still worth an alert.
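The login-pattern anomaly checking mentioned for web application servers and for remote access to POS devices, as an added example (not Ziften's code): a per-user baseline of source networks and login hours is built from past successful logins, and each new successful login is flagged if it comes from a network the user has never used, at an hour the user has never logged in, or immediately after a burst of failures from the same source, which is the signature of password guessing that finally worked. The log line format, the baseline history and the new activity are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed log format (assumption): one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed history: jdoe normally logs in from the office /24 during work hours.
BASELINE_LOG = [
    "2016-04-01T08:02:11Z host=web-01 user=jdoe src=192.0.2.10 result=success",
    "2016-04-01T17:45:03Z host=web-01 user=jdoe src=192.0.2.10 result=success",
    "2016-04-04T09:10:27Z host=web-01 user=jdoe src=192.0.2.12 result=success",
    "2016-04-05T08:55:40Z host=web-02 user=jdoe src=192.0.2.10 result=success",
]

# Constructed new activity: a normal login; then six failures from an unknown
# network at 02:10 that end in a success; then a user with no history at all.
NEW_LOG = [
    "2016-04-14T09:05:00Z host=web-01 user=jdoe src=192.0.2.11 result=success",
    *[f"2016-04-15T02:1{i}:05Z host=web-01 user=jdoe src=198.51.100.77 result=failure"
      for i in range(6)],
    "2016-04-15T02:16:30Z host=web-01 user=jdoe src=198.51.100.77 result=success",
    "2016-04-15T10:00:00Z host=web-02 user=asmith src=192.0.2.50 result=success",
]


def parse(lines):
    """Parse log lines into dicts sorted by time; malformed lines are skipped,
    not allowed to crash the pipeline."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def source_net(ip):
    """Baseline on the /24 rather than the exact address, so DHCP churn inside
    the office network does not look like a new source."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    """Per-user profile of source networks and login hours, from successes only."""
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            base[e["user"]]["nets"].add(source_net(e["src"]))
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def score(events, baseline, fail_threshold=5, fail_window=timedelta(minutes=10)):
    """Flag successful logins that deviate from the user's baseline or that
    follow a burst of failures from the same (user, source) pair."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key].append(e["ts"])
            continue
        reasons = []
        prof = baseline.get(e["user"])
        if prof is None:
            reasons.append("no_baseline")
        else:
            if source_net(e["src"]) not in prof["nets"]:
                reasons.append("new_source_network")
            if e["ts"].hour not in prof["hours"]:
                reasons.append("off_hours")
        # A success consumes the failure history for that pair.
        recent = [t for t in failures.pop(key, []) if e["ts"] - t <= fail_window]
        if len(recent) >= fail_threshold:
            reasons.append(f"success_after_{len(recent)}_failures")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "host": e["host"], "src": e["src"], "reasons": reasons})
    return findings


def run(baseline_lines=BASELINE_LOG, new_lines=NEW_LOG):
    return score(parse(new_lines), build_baseline(parse(baseline_lines)))


if __name__ == "__main__":
    for f in run():
        print(f"{f['ts']} {f['user']}@{f['host']} from {f['src']}: {', '.join(f['reasons'])}")
```

The "no_baseline" finding for the user with no history is deliberate: a brand-new account (or one that has never logged in to this tier of server) is exactly what an attacker who has created or taken over an account looks like, and a detector that silently treats unknown users as normal has a hole in it. In production the baseline window should be long enough to cover travel and shift patterns, and the "off_hours" rule needs a tolerance of an hour or so either side of the observed hours, or it will fire on the first early morning.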
Insider and Privilege Abuse Recommended Controls
Verizon advises "monitor the heck out of [employee] authorized day-to-day activity." Continuous endpoint monitoring by a solid EDR product naturally provides this capability. In Ziften's case, our software tracks user presence periods and what the user is focused on while present (such as foreground application use). Anomaly monitoring can then detect unusual deviations in activity pattern, whether temporal (something has changed in this user's own normal activity pattern) or spatial (this user's behavior differs significantly from that of their peers).
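The temporal versus spatial distinction, as an added example that is not Ziften's code and does not describe its anomaly model: each user's daily count of some sensitive activity (say, reads from a restricted file share, or minutes of foreground use of a sensitive application) is scored as a z-score against the user's own prior days (temporal) and against the prior days of the user's peer group (spatial). The activity counts and the peer groups are constructed; in practice the groups would come from directory attributes such as department or role.

```python
from statistics import mean, pstdev

# Constructed daily activity counts per user over 10 days (e.g. reads from a
# sensitive file share). jdoe spikes on day 9; clee is an admin whose count
# is high every day.
ACTIVITY = {
    "jdoe":   [12, 15, 11, 14, 13, 12, 16, 14, 13, 95],
    "asmith": [10, 12, 9, 11, 13, 10, 12, 11, 10, 12],
    "bkumar": [14, 13, 15, 12, 16, 14, 13, 15, 14, 15],
    "clee":   [60, 58, 62, 61, 59, 63, 60, 62, 61, 60],
}

# Peer groups (assumption: derived from directory department/role attributes).
PEER_GROUPS = {"finance": ["jdoe", "asmith", "bkumar"], "it-admin": ["clee"]}

MIN_HISTORY = 5   # refuse to score against too little history
THRESHOLD = 3.0   # |z| at which a deviation is reported


def zscore(value, reference):
    sd = pstdev(reference)
    return 0.0 if sd == 0 else (value - mean(reference)) / sd


def temporal_anomaly(user, day, activity=ACTIVITY):
    """Today's value against the user's own prior days."""
    history = activity[user][:day]
    if len(history) < MIN_HISTORY:
        return None
    z = zscore(activity[user][day], history)
    return round(z, 1) if abs(z) >= THRESHOLD else None


def peers_of(user, groups):
    return [p for g in groups.values() if user in g for p in g if p != user]


def spatial_anomaly(user, day, activity=ACTIVITY, groups=PEER_GROUPS):
    """Today's value against the peer group's prior days. A user with no peers
    (clee here) gets no spatial score rather than a misleading one."""
    reference = [v for p in peers_of(user, groups) for v in activity[p][:day]]
    if len(reference) < MIN_HISTORY:
        return None
    z = zscore(activity[user][day], reference)
    return round(z, 1) if abs(z) >= THRESHOLD else None


def report(day, activity=ACTIVITY, groups=PEER_GROUPS):
    """user -> list of (kind, z) findings for the given day index."""
    out = {}
    for user in activity:
        findings = []
        t = temporal_anomaly(user, day, activity)
        if t is not None:
            findings.append(("temporal", t))
        s = spatial_anomaly(user, day, activity, groups)
        if s is not None:
            findings.append(("spatial", s))
        out[user] = findings
    return out


if __name__ == "__main__":
    for user, findings in report(9).items():
        print(user, findings or "normal")
```

Run with the role-based peer groups, day 9 flags jdoe on both axes and nobody else. Run again with everyone lumped into one group (`report(9, groups={"all": list(ACTIVITY)})`) and two things go wrong at once: the admin is flagged as a spatial outlier every single day, and jdoe's spike no longer clears the spatial threshold because the admin's high counts have inflated the reference spread. Peer grouping is not a refinement; it is what makes the spatial check usable at all.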
Verizon also recommends monitoring use of USB storage devices, which strong EDR products provide, since these can serve as a "sneakernet" exfiltration route.
Miscellaneous Errors Recommended Controls
Verizon's suggestions in this area focus on keeping a record of past mistakes to serve as a warning of errors to avoid in the future. Solid EDR products do not forget: they retain an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, for example after some future incident has uncovered an intrusion and response teams need to go back and "find patient zero" to reconstruct the incident and determine where errors were made.
Physical Theft and Loss Recommended Controls
Verizon recommends (and many regulators require) full disk encryption, especially for mobile devices. A strong EDR system verifies that endpoint configurations comply with enterprise encryption policy and alerts on violations. Checking that the policy is set is not the same as checking that the volume is actually encrypted and that its recovery key has been escrowed; a compliance check worth the name confirms both. Verizon reports that data assets are physically lost a hundred times more often than they are stolen, but the impact on the affected business is essentially the same.
Crimeware Recommended Controls
Again, Verizon stresses vulnerability management and consistent, comprehensive patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften's case, this keys off the National Vulnerability Database (NVD), matched against the process image records from our endpoint monitoring. The result is an accurate, up-to-date vulnerability assessment at any moment.
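The exposure timelines described in the Vulnerabilities section, and the NVD-against-process-images matching described here, as one added example that is not Ziften's code: a weekly inventory of the product versions seen running on each endpoint is matched against a small vulnerability list, producing per-host exposure windows (first seen vulnerable, first seen fixed), from which days-to-remediate and overdue open exposures are computed. The vulnerability entries use synthetic identifiers and product names, the inventory snapshots are constructed, and the SLA thresholds are an assumed policy, not figures from the report.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed, NVD-style entries (synthetic IDs and products, not real CVEs):
# every version below fixed_in is considered affected.
VULNS = {
    "CVE-0000-0001": {"product": "browser-plugin", "fixed_in": "21.0.0.197", "cvss": 9.8},
    "CVE-0000-0002": {"product": "tls-lib", "fixed_in": "1.0.2.7", "cvss": 7.5},
}

# Constructed weekly inventory of process images seen running on each endpoint:
# (observation date, host, product, version).
SNAPSHOTS = [
    (date(2016, 1, 4), "ws-01", "browser-plugin", "20.0.0.306"),
    (date(2016, 1, 4), "ws-02", "browser-plugin", "20.0.0.306"),
    (date(2016, 1, 4), "srv-01", "tls-lib", "1.0.2.6"),
    (date(2016, 1, 11), "ws-01", "browser-plugin", "20.0.0.306"),
    (date(2016, 1, 11), "ws-02", "browser-plugin", "20.0.0.306"),
    (date(2016, 1, 11), "srv-01", "tls-lib", "1.0.2.7"),
    (date(2016, 1, 18), "ws-01", "browser-plugin", "21.0.0.197"),
    (date(2016, 1, 18), "ws-02", "browser-plugin", "20.0.0.306"),
    (date(2016, 1, 18), "srv-01", "tls-lib", "1.0.2.7"),
    (date(2016, 1, 25), "ws-01", "browser-plugin", "21.0.0.197"),
    (date(2016, 1, 25), "ws-02", "browser-plugin", "20.0.0.306"),
    (date(2016, 1, 25), "srv-01", "tls-lib", "1.0.2.6"),   # regression: rebuilt from an old image
    (date(2016, 2, 1), "ws-01", "browser-plugin", "21.0.0.197"),
    (date(2016, 2, 1), "ws-02", "browser-plugin", "20.0.0.306"),
    (date(2016, 2, 1), "srv-01", "tls-lib", "1.0.2.6"),
]

# Remediation SLA in days by CVSS floor (assumed policy, not from the report).
SLA_DAYS = [(9.0, 15), (7.0, 30), (0.0, 90)]


def sla_for(cvss):
    return next(days for floor, days in SLA_DAYS if cvss >= floor)


def vtuple(version):
    """Numeric dotted versions only; real CPE matching is considerably messier."""
    return tuple(int(p) for p in version.split("."))


def is_vulnerable(version, fixed_in):
    return vtuple(version) < vtuple(fixed_in)


def exposure_windows(snapshots, vulns):
    """Per (host, CVE), a list of exposure windows {first_seen, closed}.
    A window closes on the first observation of a fixed version; a later
    vulnerable observation opens a new window (patch regression)."""
    windows = defaultdict(list)
    for seen, host, product, version in sorted(snapshots):
        for cve, v in vulns.items():
            if v["product"] != product:
                continue
            wins = windows[(host, cve)]
            open_win = wins[-1] if wins and wins[-1]["closed"] is None else None
            if is_vulnerable(version, v["fixed_in"]):
                if open_win is None:
                    wins.append({"first_seen": seen, "closed": None})
            elif open_win is not None:
                open_win["closed"] = seen
    return {k: w for k, w in windows.items() if w}


def summarize(windows, vulns, as_of):
    """Median days-to-remediate over closed windows, plus the open exposures
    with those past their SLA called out separately."""
    closed_days, open_exposures, overdue = [], [], []
    for (host, cve), wins in windows.items():
        for w in wins:
            if w["closed"] is not None:
                closed_days.append((w["closed"] - w["first_seen"]).days)
            else:
                age = (as_of - w["first_seen"]).days
                open_exposures.append((host, cve, age))
                if age > sla_for(vulns[cve]["cvss"]):
                    overdue.append((host, cve, age))
    return {"median_days_to_remediate": median(closed_days) if closed_days else None,
            "open": open_exposures, "overdue": overdue}


def report(snapshots=SNAPSHOTS, vulns=VULNS, as_of=date(2016, 2, 15)):
    return summarize(exposure_windows(snapshots, vulns), vulns, as_of)


if __name__ == "__main__":
    print(report())
```

Two caveats a practitioner will want. First, the window boundaries are observation dates, so exposure is only known to the granularity of the inventory cadence; a weekly scan cannot tell a 1-day exposure from a 7-day one, which is an argument for continuous rather than scheduled inventory. Second, matching on version strings alone overstates exposure on platforms that backport fixes without bumping the upstream version (most Linux distribution packages), and understates it when a vulnerable library is embedded inside another product's binary, so the matching rules need per-platform care before the numbers are shown to anyone.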
Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools track the arrival and execution of new binaries, and Ziften's product can retrieve samples of any binary present on enterprise endpoints and submit them for detailed static and dynamic analysis by our malware research partners.
Cyber-Espionage Recommended Controls
Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps whose compliance can be verified by EDR tools.
Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can significantly improve traditional network flow monitoring with endpoint context and attribution, providing a combination of network and endpoint security that is genuinely end-to-end.
Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on scene to help in a breach crisis. This is the prime purpose of EDR tools, because the endpoint is the most frequent entry vector in a major data breach.
Denial-of-Service Attacks Recommended Controls
Verizon recommends controlling port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port usage by application and apply anomaly checks to identify unusual application port use that may indicate compromise.
Enterprise services migrating to the cloud also need protection from DoS attacks, which the cloud provider may offer. But when it comes to network traffic monitoring in the cloud, where the enterprise may have no network visibility of its own, options like Ziften ZFlow provide a means of collecting enriched network flow data directly from cloud virtual servers. Do not let the cloud become your network blind spot, or attackers will exploit it to fly under your radar.