[BreachExchange] Detecting the Cyberthreats that Matter

[Audrey McNeil]

http://deloitte.wsj.com/cio/2016/10/03/detecting-the-
cyberthreats-that-matter/

After morning coffee at his desk, a car rental company employee clicks on
an email from an internal corporate address and unsuspectingly transfers
malware onto the company’s global network. Weeks later, a junior
cybersecurity analyst in the company discovers the malware and classifies
it as a low-level danger, given the latest known threats provided by the
company’s intrusion detection system.

More time passes before the company’s customer loyalty rewards program team
starts receiving an unprecedented flood of customer complaints about
inaccuracies in their reward point balances. Separately, the fraud
detection department is seeing an unusually high number of reward
redemptions. After a month-long investigation, the company finally connects
the dots: A criminal network has hijacked the loyalty rewards program and
cashed out hundreds of thousands of dollars of gift cards.

Cybersecurity failures like these are all too common today. As use of data
explodes, cybersecurity monitoring teams struggle to keep pace with
proliferating opportunities for cyberattackers. One of the biggest hurdles:
How to identify the most potentially harmful breaches from the stream of
alerts generated by security monitoring systems. The most effective way to
stay one step ahead is to get smarter by infusing greater business
awareness into cybersecurity monitoring programs. Only then can companies
quickly identify, understand, and respond to cyber incidents that pose the
biggest business risks. Every company needs a tailored view.

Separating the Signal from the Noise

Collaboration between the cybersecurity program and business leadership is
essential. Without the context of business criticality, differentiating
between a benign cybersecurity event and a costly breach can be nearly
impossible. Security protocols and practices must align with established
and evolving business process management. Up-to-date classification of data
and business operations sensitivity—for example, personnel with legitimate
access rights, and baseline behavioral patterns—provide some context by
which cyberanalysts can begin to separate the signal from the noise.

To start, business units and cybersecurity teams can discuss both today’s
business priorities and upcoming strategies to enable a more informed cyber
monitoring plan. For example, if a digital marketing campaign is in the
works, including mobile apps and other new potentially vulnerable channels,
the security team should know. Then, by understanding how the application
should be used, and how transactions should occur, cyberspecialists can
design ways of detecting things that look suspicious. Focusing on activity
that doesn’t fit expected business patterns is essential because malware
detection tools alone can’t keep up with the pace of change.

Lessons from Common Pitfalls

The following scenarios explore how improving information-sharing between
cybersecurity and business teams could help prevent or blunt the impact of
potentially damaging breaches:

Shape monitoring around clear business priorities. In the example above of
the car rental company, the failure to evaluate cyber risks in the context
of business priorities enabled malware to slip in without much notice. If
instead, the cybersecurity and business units had collaborated to
incorporate these priorities into cybermonitoring, any security alert
related to the company’s key central payment system would automatically
escalate to a senior-level cybersecurity analyst for follow-up
investigation. The high-priority alert would also trigger behavioral
analysis of data from a range of business units, including the loyalty
program and fraud departments, where anomalous spikes in customer
complaints and reward redemptions could help the company stop attacks in
process and contain the damage.

Know where the sensitive data is stored and how it is used. In an
all-too-common scenario, a business unit might inadvertently keep sensitive
information, such as employee social security numbers, in a shared file
accessible to everyone in the company. In case of a breach, the business
unit might blame the cybersecurity team for failing to protect them.
However, the security team can’t protect the right data or know it’s been
compromised without guidance on what data is sensitive, who should be given
access, and how data is handled during normal operations. Leading practices
are a process by which business users receive training needed to classify
the data and lock down access according to their needs. This basic security
hygiene also includes timely purges of inactive email accounts and access
privileges of former employees, contractors, and business partners—a step
that would have created more hurdles for the adversary in the rental car
company example.

Know your behavioral patterns. Establishing a baseline of normal business
patterns within key corporate functions also helps security analysts detect
suspicious behavior. Say a securities broker-dealer knows that a particular
client living in Kansas never logs into her online account. One day, she
logs on from Korea and orders the company to sell her blue chip holdings
and use the proceeds to purchase low-volume penny stocks. The order
triggers a high alert, and the broker-dealer is confident enough that this
is an example of a “pump and dump” fraud to suspend the transfer. In the
case of the car rental company, knowledge of usual loyalty rewards
redemption patterns helped alert the fraud department to possible foul
play. However, it took many precious weeks to tie the redemptions to the
malware breach due to lack of coordination between the security and fraud
units.

Coordination between cybersecurity and business units may not prevent
breaches, but it raises the chances of detecting and blunting some of the
most damaging ones. Collaborative habits also go a long way toward
effective crisis response should a breach lead to business disruption.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161003/0ff20687/attachment.html>