[BreachExchange] The Four Cybersecurity Terms Businesses Need to Know
Audrey McNeil
audrey at riskbasedsecurity.com
Wed Sep 7 18:48:48 EDT 2016
http://www.infosecurity-magazine.com/opinions/four-cybersecurity-terms/
Technological evolution yields a constantly changing threat landscape.
Those who learn survive, and those who don’t evolve and grow their
knowledge are left behind. Just a few weeks ago at Black Hat, we heard a
number of different conversations on the four key areas below, cementing
their role as the cybersecurity hot topics of the near future.
Behavior Baselining
Time and time again we see undetected attackers lurking in organizations’
networks for months – even years. Just this past October, it came to light
that cyber-attackers linked to the Chinese government breached Samsung Pay
provider LoopPay for months without detection. Stories like these are a
reminder that our best means for minimizing a breach’s impact is to
differentiate between normal and abnormal activities.
The core concept of behavioral baselining is to understand the normal
behavior such that you can identify deviations from the norm. Most
organizations accomplish this by employing people and technologies using
data science and machine learning for automated analysis. They combine this
with fast access to forensic data to quickly spot abnormal activity
patterns and detect breaches before they take down an organization.
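The following is an added illustration of the baselining idea described above, not code from the article or from any product it mentions. It learns a per-user "normal" (mean and standard deviation of daily logins and distinct hosts) from a constructed five-day window of rolled-up authentication logs, then scores a sixth day as a z-score against that baseline. The log lines, user names and thresholds are all made up for the example; the point it adds is that the baseline is per entity, so a count that is normal for one user is an outlier for another.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily roll-up of authentication logs (not real data):
# one line per user per day, as an upstream log pipeline might emit it.
SAMPLE_LOG = """\
day=1 user=alice logins=12 hosts=2
day=2 user=alice logins=11 hosts=2
day=3 user=alice logins=13 hosts=2
day=4 user=alice logins=10 hosts=3
day=5 user=alice logins=12 hosts=2
day=6 user=alice logins=47 hosts=19
day=1 user=bob logins=30 hosts=4
day=2 user=bob logins=28 hosts=4
day=3 user=bob logins=33 hosts=5
day=4 user=bob logins=29 hosts=4
day=5 user=bob logins=31 hosts=4
day=6 user=bob logins=32 hosts=5
"""

METRICS = ("logins", "hosts")
TRAIN_DAYS = range(1, 6)   # days used to learn what "normal" looks like
Z_THRESHOLD = 3.0          # flag values more than 3 standard deviations above baseline
MIN_STD = 1.0              # floor so a perfectly constant history cannot yield an infinite z


def parse(text):
    """Turn key=value log lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        records.append({
            "day": int(fields["day"]),
            "user": fields["user"],
            "logins": int(fields["logins"]),
            "hosts": int(fields["hosts"]),
        })
    return records


def build_baselines(records, train_days=TRAIN_DAYS):
    """Per-user (mean, std dev) of each metric over the training window."""
    history = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r["day"] in train_days:
            for m in METRICS:
                history[r["user"]][m].append(r[m])
    return {
        user: {m: (mean(vals), max(pstdev(vals), MIN_STD)) for m, vals in per_metric.items()}
        for user, per_metric in history.items()
    }


def score_day(records, baselines, day, threshold=Z_THRESHOLD):
    """Return (user, metric, value, z) for every metric above threshold on `day`.

    Users with no baseline (first seen on `day`) are skipped here; in practice
    they deserve their own 'new entity' alert rather than silence.
    """
    findings = []
    for r in records:
        if r["day"] != day or r["user"] not in baselines:
            continue
        for m in METRICS:
            mu, sigma = baselines[r["user"]][m]
            z = (r[m] - mu) / sigma
            if z > threshold:
                findings.append((r["user"], m, r[m], round(z, 1)))
    return findings


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    base = build_baselines(recs)
    for finding in score_day(recs, base, day=6):
        print("ANOMALY user=%s metric=%s value=%d z=%.1f" % finding)
```

Bob's 32 logins on day 6 exceed anything Alice does in a normal week, yet only Alice is flagged, because each user is measured against her own history. Real deployments would use a longer window, robust statistics and many more features, but the mechanism of learning the norm and alerting on deviation from it is the same.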
Active Response
As organizations get better at detecting threats, the number of alerts
their systems create also increases. This causes what security operations
center (SOC) managers call alert fatigue: too many alerts and not enough
time to respond to them. Imagine knowing about all the wildfires in an area
but not having a mechanism to prioritize and address the fires with limited
resources. Due to the inability to respond, breaches persist for long
periods of time. Just this summer the Democratic National Committee grabbed
headlines when it was revealed that Russian hackers were inside its servers
for over a year.
Active response is the ability to respond to an attack as soon as it is
detected within the organization’s environment. The response could include
communication with secondary systems such as a ticketing system, or it
could include creating a ticket or collecting additional data. It also
could be a configuration change such as modifying a firewall to block
communication with a bad actor. Active response can be fully automated or
it can be human-mediated. The goal of active response is to enable an
organization to make the best use of its people, process and technology
through automation.
Security Analytics
Identifying trends and patterns in an organization is a good starting point
for mitigating systemic problems as well as identifying threats. Security
analytics are the result of data analysis across multiple sources of data,
often log data enriched with non-log data such as threat intel. The purpose
of security analytics is to provide actionable knowledge to the security
analysts and to security managers.
Attackers regularly target outdated or unpatched systems. Many industrial
control systems (ICS) and infrastructure systems have been recently
targeted due to their ineffective and outdated defenses. An example of
security analytics in this case could be to identify the number of systems
that are vulnerable and accessible from the internet. This analytic enables
the actioning of vulnerability management efforts.
Other examples include analyzing data to spot an attack based on previously
known patterns, and peer-group-based analytics to spot outliers within the
connections and activities of “like” individuals. There is a clear need for
security and IT teams to use analytics to broaden their security and
operations insights.
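As an added example (not from the article or any vendor it refers to) of the two analytics described in this section, the code below joins three constructed data sources: a vulnerability scan, an asset inventory and the edge firewall's NAT rules, to answer "which vulnerable systems are reachable from the internet", and then enriches constructed connection-log lines with a threat-intel list to surface which internal hosts talked to known-bad addresses. Host names, addresses, the VULN-* finding IDs and the intel entries are all placeholders.

```python
from collections import Counter

# Everything below is constructed for the example; none of it is real infrastructure.
SCAN_RESULTS = {           # host -> unpatched findings reported by a vulnerability scanner
    "plc-01": ["VULN-A"],
    "hmi-02": ["VULN-B", "VULN-C"],
    "web-01": ["VULN-A"],
    "fs-03": [],
}
INVENTORY = {              # host -> internal address from the asset inventory
    "plc-01": "10.0.5.10",
    "hmi-02": "10.0.5.11",
    "web-01": "10.0.1.20",
    "fs-03": "10.0.2.30",
}
NAT_RULES = [              # (public port, internal address, internal port) from the edge firewall
    ("443", "10.0.1.20", "443"),
    ("20000", "10.0.5.11", "20000"),   # HMI published for remote vendor access
]
THREAT_INTEL = {           # indicator -> label, as a threat-intel feed might provide it
    "192.0.2.44": "known C2 (constructed)",
    "192.0.2.99": "scanner (constructed)",
}
CONN_LOG = """\
ts=1 src=10.0.5.10 dst=192.0.2.44 dport=443
ts=2 src=10.0.1.20 dst=192.0.2.7 dport=443
ts=3 src=10.0.5.10 dst=192.0.2.44 dport=443
ts=4 src=10.0.2.30 dst=192.0.2.99 dport=22
"""


def internet_exposed_vulnerable(scan=SCAN_RESULTS, inventory=INVENTORY, nat_rules=NAT_RULES):
    """Hosts that both carry an open finding and are published by a NAT rule.

    This is the 'vulnerable and accessible from the internet' analytic: the
    scanner alone cannot tell exposure, and the firewall alone cannot tell
    vulnerability; the value comes from the join.
    """
    published = {internal_ip for _, internal_ip, _ in nat_rules}
    return sorted(h for h, vulns in scan.items() if vulns and inventory.get(h) in published)


def enrich_connections(conn_log=CONN_LOG, intel=THREAT_INTEL, inventory=INVENTORY):
    """Count connections per (internal host, intel label) where the destination is on the intel list."""
    ip_to_host = {ip: host for host, ip in inventory.items()}
    hits = Counter()
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        label = intel.get(fields["dst"])
        if label is None:
            continue                           # ordinary egress; not interesting here
        src_host = ip_to_host.get(fields["src"], fields["src"])
        hits[(src_host, label)] += 1
    return hits


if __name__ == "__main__":
    print("vulnerable and internet-reachable:", internet_exposed_vulnerable())
    for (host, label), n in enrich_connections().most_common():
        print("%s -> %s: %d connections" % (host, label, n))
```

The first query gives vulnerability management a short, prioritized list rather than a scanner report of every finding; the second turns raw firewall lines into a per-host count that an analyst can act on. Both are deliberately plain joins and counts: the analytics in this section are about combining sources, not about clever algorithms.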
Public Key Cryptography
For many of us, the word cryptography reminds us of James Bond films with
incredibly smart yet evil mathematicians feverishly working to break the
code to a nuclear warhead. However today, we use public key cryptography
hundreds or thousands of times per day – whether it is purchasing a product
online, digitally signing a document or logging into a device or website
via a multi-factor authentication system. In an oppressive country, public
key cryptography may be the only way for citizens and dissidents to
exchange messages without risking their safety at the hands of governments.
In many circles, cryptography has become a controversial topic.
The Heartbleed bug in OpenSSL and the various backdoors discovered in
network security devices have caused concerns of trust for a number of
manufacturers. Like these technologies, cryptography is embedded in many
software and hardware systems that form the core of our financial systems
and healthcare systems. In some cases, cryptography has been leveraged by
attackers, most notably in ransomware attacks against healthcare providers
during which attackers encrypt critical data and demand a ransom in return.
Just like cryptographic bugs in commercial hardware and software, even
malware has had crypto bugs.
It is important for all security practitioners to understand the
implications of cryptography to their business. Understand where the most
critical applications are, how they make use of cryptography, who manages
the cryptographic keys in your business, and how you will manage the next
big crypto-related vulnerability in your environment.
The Bottom Line
Security risks are heightened when organizations lack the ability to speak
the same language as security professionals, and because of its rapidly
shifting nature, cybersecurity is a moving target. It’s unreasonable to
expect everyone in your organization and external parties, like partners
and customers, to be experts, but making the risks easier to understand can
go a long way toward improving security hygiene.