Written by Dr. Al Hartmann and presented by Charles Leaver, Ziften CEO
The 2016 Data Breach Investigations Report from Verizon Enterprise has been released, reviewing 64,199 security incidents that resulted in 2,260 confirmed breaches. Verizon defines an incident as an event that compromises the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than enduring them, each incident-pattern section of the report closes with a set of recommended controls for security-conscious businesses. If you don't care to read the full 80-page report, Ziften offers this analysis of the Verizon DBIR with a spotlight on the recommended controls that an EDR capability can deliver:
Vulnerabilities: Recommended Controls
A solid EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including vulnerability exposure timelines that show how effective vulnerability management actually is. The exposure timelines matter because Verizon emphasizes a methodical approach that stresses consistency and coverage over haphazard, convenience-driven patching.
Phishing: Recommended Controls
Although Verizon recommends user training to reduce susceptibility to phishing, its data still shows nearly a third of phishing messages being opened, with users clicking the link or attachment more than one time in ten. Not good odds if you have at least ten users! Given the inevitable click compromise, Verizon recommends putting effort into detecting unusual network activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR system will not only track endpoint network activity but also filter it against network threat feeds that identify malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which enriches network flow data with endpoint context and attribution, so that SOC staff have the decision context they need to resolve network alerts quickly.
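The two checks described above, run over endpoint-attributed flow records, as an added example for this post (it is not Ziften's ZFlow code). The flow records, the threat feed and the beaconing thresholds are all constructed for illustration; a real agent would supply the process and user attribution from its socket monitoring.

```python
"""Endpoint-attributed network flows: threat-feed matching and C2-style beaconing.

Added example, not Ziften's ZFlow code. All records below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records as an EDR agent might emit them. Each flow already
# carries the host, user and process that opened the socket (the endpoint
# context that plain NetFlow lacks).
FLOWS = [
    # (timestamp_s, host, user, pid, process, dst_ip, dst_port, bytes_out)
    (0,    "ws-017", "jdoe",   4120, "outlook.exe", "203.0.113.10", 443,  2400),
    (600,  "ws-017", "jdoe",   4120, "outlook.exe", "203.0.113.10", 443,  1800),
    (30,   "ws-017", "jdoe",   5531, "update.exe",  "198.51.100.7", 8443, 512),
    (330,  "ws-017", "jdoe",   5531, "update.exe",  "198.51.100.7", 8443, 520),
    (631,  "ws-017", "jdoe",   5531, "update.exe",  "198.51.100.7", 8443, 498),
    (929,  "ws-017", "jdoe",   5531, "update.exe",  "198.51.100.7", 8443, 530),
    (1231, "ws-017", "jdoe",   5531, "update.exe",  "198.51.100.7", 8443, 505),
    (45,   "ws-022", "asmith", 880,  "chrome.exe",  "192.0.2.55",   443,  9100),
    (900,  "ws-022", "asmith", 880,  "chrome.exe",  "192.0.2.60",   443,  12000),
]

# Constructed threat feed: destinations reported as attacker infrastructure.
THREAT_FEED = {"198.51.100.7", "192.0.2.99"}


def feed_matches(flows, feed):
    """Alerts for flows whose destination is on the threat feed. The process
    and user are kept so the analyst sees who made the contact, not just
    which host."""
    return [
        {"host": h, "user": u, "pid": pid, "process": proc, "dst": ip, "port": port}
        for (_, h, u, pid, proc, ip, port, _) in flows
        if ip in feed
    ]


def beacons(flows, min_count=4, max_cv=0.10):
    """(host, process, dst, port) tuples that connect at near-regular intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections; a CV at or below max_cv over at least
    min_count connections is the kind of periodic polling C2 implants show.
    Thresholds are illustrative assumptions, not tuned values."""
    series = defaultdict(list)
    for (ts, h, _, _, proc, ip, port, _) in flows:
        series[(h, proc, ip, port)].append(ts)
    found = []
    for (h, proc, ip, port), times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            found.append({"host": h, "process": proc, "dst": ip, "port": port,
                          "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return found


if __name__ == "__main__":
    for alert in feed_matches(FLOWS, THREAT_FEED):
        print("feed hit:", alert)
    for b in beacons(FLOWS):
        print("beacon:", b)
```

The beaconing check fires on `update.exe` talking to the feed-listed host roughly every 300 seconds, while the two `outlook.exe` flows are too few to judge and the browser flows go to different destinations. Without the process attribution the same flows would only tell you that `ws-017` spoke to a bad address, and the SOC would still have to find out which program did it.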
Web App Attacks: Recommended Controls
Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A strong EDR solution will monitor login activity and apply anomaly checking to spot unusual login patterns indicative of compromised credentials.
Point-of-Sale Intrusions: Recommended Controls
Verizon recommends (as FireEye/Mandiant has also strongly recommended) strong network segmentation of Point of Sale devices. Again, a strong EDR service should be tracking network activity to identify anomalous network contacts, and ZFlow in particular provides vital decision context for suspect network activity. EDR solutions also address Verizon's recommendation to monitor remote logins to POS devices. Alongside this Verizon recommends multi-factor authentication, but a strong EDR capability will supplement that with additional login-pattern anomaly monitoring, since even MFA can be defeated by man-in-the-middle attacks.
Insider and Privilege Misuse: Recommended Controls
Verizon suggests you “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR product naturally supplies this capability. In Ziften's case our software tracks user presence intervals and user focus activity while present (such as foreground application use). Anomaly checking can identify unusual deviations in the activity pattern, whether a temporal anomaly (something has changed this user's normal activity pattern) or a spatial anomaly (this user's behavior pattern differs significantly from peers' patterns).
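The login-pattern anomaly check mentioned in the Web App Attacks and Point-of-Sale sections and the temporal/spatial distinction above, as one added example (not Ziften's code). The login history, the day-15 activity counts and the thresholds are constructed for illustration; the temporal check compares a login against the user's own baseline, and the spatial check compares a user's activity metric against peers with a robust (median/MAD) z-score so that one outlier in the peer group does not hide itself by inflating the standard deviation.

```python
"""Temporal and spatial anomaly checks on user login and activity data.

Added example, not Ziften's code. History, metrics and thresholds are
constructed; the peer group and the "distinct hosts accessed" metric are
illustrative assumptions."""
from collections import defaultdict
from statistics import median

# Constructed 14-day login history: (user, day, hour, src_ip). Three users log
# in twice a day from the 10.1.4.0/24 office subnet.
LOGIN_HISTORY = [
    (user, day, hour, f"10.1.4.{10 + i}")
    for i, user in enumerate(["jdoe", "asmith", "bwong"])
    for day in range(1, 15)
    for hour in (8, 13)
]

# Constructed new logins to test against each user's own baseline.
NEW_LOGINS = [
    ("jdoe", 15, 3, "172.16.9.4"),    # 03:00, from a subnet never used before
    ("asmith", 15, 9, "10.1.4.11"),   # ordinary office login
]

# Constructed day-15 activity metric (distinct hosts accessed) per user within
# a peer group, for the spatial comparison.
PEER_ACTIVITY = {"finance": {"jdoe": 21, "asmith": 4, "bwong": 3, "ckim": 5, "lpatel": 4}}


def subnet24(ip):
    """First three octets, i.e. the /24 the address falls in."""
    return ip.rsplit(".", 1)[0]


def build_baseline(history):
    """Per user: the window of login hours seen and the /24 subnets used."""
    hours = defaultdict(list)
    subnets = defaultdict(set)
    for user, _, hour, ip in history:
        hours[user].append(hour)
        subnets[user].add(subnet24(ip))
    return {u: {"hour_lo": min(h), "hour_hi": max(h), "subnets": subnets[u]}
            for u, h in hours.items()}


def temporal_anomalies(events, baseline, slack_hours=1):
    """Logins outside the user's own hour window (plus slack) or from a subnet
    the user has never logged in from: a change in this user's own pattern."""
    flagged = []
    for user, day, hour, ip in events:
        b = baseline.get(user)
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if not (b["hour_lo"] - slack_hours <= hour <= b["hour_hi"] + slack_hours):
                reasons.append(f"hour {hour:02d} outside usual {b['hour_lo']:02d}-{b['hour_hi']:02d}")
            if subnet24(ip) not in b["subnets"]:
                reasons.append(f"new source subnet {subnet24(ip)}.0/24")
        if reasons:
            flagged.append({"user": user, "day": day, "reasons": reasons})
    return flagged


def spatial_anomalies(groups, threshold=3.5):
    """Users whose metric is far above their peers. Leave-one-out median and
    MAD of the other group members give a robust z-score; the MAD floor of 1
    stops a perfectly uniform peer group from flagging a difference of one."""
    flagged = []
    for group, metrics in groups.items():
        for user, value in metrics.items():
            peers = [v for u, v in metrics.items() if u != user]
            if len(peers) < 3:
                continue  # too few peers for a meaningful comparison
            med = median(peers)
            mad = median(abs(p - med) for p in peers)
            z = (value - med) / max(1.4826 * mad, 1.0)
            if z > threshold:
                flagged.append({"user": user, "group": group, "value": value,
                                "peer_median": med, "z": round(z, 1)})
    return flagged


if __name__ == "__main__":
    base = build_baseline(LOGIN_HISTORY)
    print("temporal:", temporal_anomalies(NEW_LOGINS, base))
    print("spatial:", spatial_anomalies(PEER_ACTIVITY))
```

On this data `jdoe` trips both checks: the 03:00 login from an unfamiliar subnet is a temporal anomaly against the user's own history, and 21 hosts touched in a day is a spatial anomaly against peers who touch three to five. A check that only compared each user with their own past would still catch the second case, but only after the burst had already become part of the baseline.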
Verizon also suggests tracking the use of USB storage devices, which solid EDR systems provide, since they can serve as a sneakernet exfiltration path.
Miscellaneous Errors: Recommended Controls
Verizon's recommendations in this section focus on keeping a record of past errors to serve as a warning of mistakes not to repeat. Solid EDR products do not forget; they maintain an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future incident has revealed an intrusion and response teams need to go back and “find patient zero” to unravel the incident and identify where errors may have been made.
Physical Theft and Loss: Recommended Controls
Verizon recommends (and many regulators demand) full disk encryption, especially for mobile devices. A strong EDR system will verify that endpoint configurations comply with the enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost a hundred times more often than they are physically stolen, but the impact on the affected business is essentially the same.
Crimeware: Recommended Controls
Again, Verizon emphasizes vulnerability management and consistent, comprehensive patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften's case this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring, which yields an accurately updated vulnerability assessment at any point in time.
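How the exposure timelines from the Vulnerabilities section fall out of matching vulnerability records against process-image records, as an added example for this post (not Ziften's code). The vulnerability records are constructed placeholders shaped like NVD entries, with made-up IDs (VULN-A, VULN-B) rather than real CVEs, and the process-image observations are constructed too. An exposure window opens at the later of the advisory's publication date and the first time the affected image was seen running, and closes when the image was last seen (or stays open if it is still running), which is exactly the per-host timeline that shows whether patching is consistent or haphazard.

```python
"""Vulnerability exposure timelines from endpoint process-image records.

Added example, not Ziften's code. Vulnerability IDs and process observations
are constructed placeholders, not real NVD data."""
from datetime import date
from statistics import mean

# Constructed NVD-style records: product, affected version range
# [start, end_excl), and the advisory publication date.
VULN_RECORDS = [
    {"id": "VULN-A", "product": "pdfviewer", "start": "11.0", "end_excl": "11.0.9",
     "published": date(2016, 3, 1)},
    {"id": "VULN-B", "product": "browser", "start": "40.0", "end_excl": "45.0",
     "published": date(2016, 2, 10)},
]

# Constructed process-image observations from endpoint monitoring: which
# binary version ran on which host and when it was first and last seen
# executing. last_seen=None means it is still running on the query date.
PROCESS_IMAGES = [
    {"host": "ws-001", "product": "pdfviewer", "version": "11.0.3",
     "first_seen": date(2016, 1, 10), "last_seen": date(2016, 3, 20)},
    {"host": "ws-001", "product": "pdfviewer", "version": "11.0.9",
     "first_seen": date(2016, 3, 20), "last_seen": None},
    {"host": "ws-002", "product": "pdfviewer", "version": "11.0.3",
     "first_seen": date(2016, 1, 10), "last_seen": None},
    {"host": "ws-003", "product": "browser", "version": "45.2",
     "first_seen": date(2016, 2, 15), "last_seen": None},
    {"host": "ws-004", "product": "browser", "version": "44.0",
     "first_seen": date(2016, 2, 15), "last_seen": date(2016, 2, 20)},
]


def parse_version(text, width):
    """Dotted numeric version to a tuple, zero-padded so 11.0 == 11.0.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(record, version):
    """True if version lies in the record's [start, end_excl) range."""
    width = max(len(v.split(".")) for v in (record["start"], record["end_excl"], version))
    v = parse_version(version, width)
    return parse_version(record["start"], width) <= v < parse_version(record["end_excl"], width)


def exposures(records, images, today):
    """One exposure window per (host, image, matching record)."""
    out = []
    for img in images:
        for rec in records:
            if rec["product"] != img["product"] or not is_affected(rec, img["version"]):
                continue
            start = max(rec["published"], img["first_seen"])
            end = img["last_seen"] or today
            if end < start:
                continue  # image was retired before the advisory existed
            out.append({"id": rec["id"], "host": img["host"], "version": img["version"],
                        "exposed_from": start, "exposed_to": end,
                        "days": (end - start).days, "open": img["last_seen"] is None})
    return out


def summary(exps):
    """Management view: what is still open, and how long closed windows took."""
    closed = [e["days"] for e in exps if not e["open"]]
    open_ = [e["days"] for e in exps if e["open"]]
    return {"open": len(open_), "closed": len(closed),
            "mean_days_to_remediate": mean(closed) if closed else None,
            "oldest_open_days": max(open_) if open_ else 0}


if __name__ == "__main__":
    exps = exposures(VULN_RECORDS, PROCESS_IMAGES, date(2016, 4, 30))
    for e in exps:
        print(e)
    print(summary(exps))
```

Two hosts ran the same vulnerable viewer build; one was patched 19 days after the advisory, the other is still exposed after 60. That asymmetry is the "coverage" gap Verizon warns about, and it is invisible in a scanner report that only lists what is vulnerable today.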
Verizon also recommends capturing malware analysis data from your own enterprise environment. EDR tools track the arrival and execution of new binaries, and Ziften's system can retrieve samples of any binary present on enterprise endpoints and submit them for comprehensive static and dynamic analysis by our malware research partners.
Cyber-Espionage: Recommended Controls
Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, describing the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps whose compliance can be verified by EDR tools.
Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can significantly enhance conventional network flow monitoring with endpoint context and attribution, providing a blend of network and endpoint security that is genuinely end-to-end.
Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on-scene to assist in a breach crisis. This is the prime purpose of EDR tools, since the endpoint is the most frequent entry vector in a significant data breach.
Denial-of-Service Attacks: Recommended Controls
Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port use by application and apply anomaly checks to identify unusual application port use that could indicate compromise.
Enterprise services moving to cloud providers also need protection from DoS attacks, which the cloud provider may offer. But when it comes to network traffic monitoring in the cloud, where the enterprise may lack network visibility, solutions like Ziften ZFlow provide a way to collect enriched network flow data directly from cloud virtual servers. Do not let the cloud be your network blind spot, or attackers will exploit it to fly under your radar.