Browsing category

Incident Response (IR)

Access Management, Identity and Access Management (IAM), Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Solutions, Threat Detection,

Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions

Security operations centers (SOCs) are struggling to create automated detection and response capabilities. While custom security information and event management (SIEM) use cases can allow businesses to improve automation, creating use cases requires clear business logic. Many security organizations lack efficient, accurate methods to distinguish between authorized and unauthorized activity patterns across components of the enterprise network.

Even the most intelligent SIEM can fail to deliver value when it’s not optimized for use cases, or if rules are created according to incorrect parameters. Creating a framework that can accurately detect suspicious activity requires baselines, naming conventions and effective policies.

Defining Parameters for SIEM Use Cases Is a Barrier to SOC Success

Over the past few years, I’ve consulted with many enterprise SOCs to improve threat detection and incident response capabilities. Regardless of SOC maturity, most organizations struggle to accurately define the difference between authorized and suspicious patterns of activity, including users, admins, access patterns and scripts. Countless SOC leaders are stumped when they’re asked to define authorized patterns of activity for mission-critical systems.

SIEM rules can be used to automate detection and response capabilities for common threats such as distributed denial-of-service (DDoS), authentication failures and malware. However, these rules must be built on clear business logic for accurate detection and response capabilities. Baseline business logic is necessary to accurately define risky behavior in SIEM use cases.

Building a Baseline for Cyber Hygiene

Cyber hygiene is defined as the consistent execution of activities necessary to protect the integrity and security of enterprise networks, including users, data assets and endpoints. A hygiene framework should offer clear parameters for threat response and acceptable use based on policies for user governance, network access and admin activities. Without an understanding of what defines typical, secure operations, it’s impossible to create an effective strategy for security maintenance.

A comprehensive framework for cybersecurity hygiene can simplify security operations and create guidelines for SIEM use cases. Capturing an effective baseline for each system strengthens that framework and creates order in chaos. Established standards, such as a naming convention, give hygiene and threat detection capabilities the clear parameters they need to be grounded in business logic.

VLAN Network Categories

For the purpose of simplified illustration, imagine that your virtual local area networks (VLANs) are categorized among five criticality groups — named A, B, C, D and E — with the mission-critical VLAN falling into the A category (_A).

A policy may be created to dictate that A-category VLAN systems can communicate directly with any other category without compromising data security. However, communication with the A-category VLAN from B, C, D or E networks is not allowed. Authentication to a jump host can accommodate authorized exceptions to this standard, such as when E-category users need access to an A-category server.

Creating a naming convention and policy for VLAN network categories can help you develop simple SIEM use cases to prevent unauthorized access to A resources and automatically detect suspicious access attempts.

Directory Services and Shared Resources

You can also use naming convention frameworks to create a policy for managing groups of user accounts according to access level in directory services, such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). A standardized naming convention for directory services provides a clear framework for acceptable user access to shared folders and resources. AD users categorized within the D category may not have access to A-category folders or _A.

Creating effective SIEM rules based on these use cases is a bit more complex than VLAN business logic since it involves two distinct technologies and potentially complex policies for resource access. However, creating standards that connect user access to resources establishes clear parameters for strict, contextual monitoring. Directory users with A-category access may require stricter change monitoring due to the potential for abuse of admin capabilities. You can create SIEM use cases to detect other configuration mistakes, such as a C-category user who is suddenly escalated to A-category.

Username Creation

Many businesses are already applying some logic to standardize username creation for employees. A policy may dictate that users create a seven-character alias that involves three last-name characters, two first-name characters and two digits. Someone named Janet Doe could have the username DoeJa01, for example. Even relatively simple username conventions can support SIEM use cases for detecting suspicious behavior. When eight or more characters are entered into a username field, an event could be triggered to lock the account until a new password is created.

The potential SIEM use cases increase with more complex approaches to username creation, such as 12-character usernames that combine last- and first-name characters with the employee’s unique HR-issued identification. A user named Jonathan Doerty, for instance, could receive an automatically generated username of doertjo_4682. Complex usernames can create friction for legitimate end users, but some minor friction can be justified if it provides greater safeguards for privileged users and critical systems.

An external threat actor may be able to extrapolate simple usernames from social engineering activities, but they’re unlikely to guess an employee’s internal identification number. SIEM rules can quickly detect suspicious access attempts based on username field entries that lack the required username components. Requiring unique identification numbers from HR systems can also significantly lower the risk of admins creating fake user credentials to conceal malicious activity.

Unauthorized Code and Script Locations

Advanced persistent threats can evade detection by creating backdoor access to deploy carefully disguised malicious code. Standard naming conventions provide a cost-effective way to create logic that detects malware risks. A simple model for script names could leverage several data components, such as department name, script name and script author, resulting in authorized names like HR_WellnessLogins_DoexxJo. Creating SIEM parameters for acceptable script names can automate the detection of malware.

Creating baseline standards for script locations such as /var/opt/scripts and C:\Program Files can improve investigation capabilities when code is detected that doesn’t comply with the naming convention or storage parameters. Even the most sophisticated threat actors are unlikely to perform reconnaissance on enterprise naming convention baselines before creating a backdoor and hiding a script. SIEM rules can trigger a response from the moment a suspiciously named script begins to run or a code file is moved into an unauthorized storage location.
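The three baselines above (VLAN category policy, username conventions and script naming/location) can be expressed as simple rule logic and run over normalized events. The following is an added example written for this page, not code from the article or from any SIEM vendor. It takes the category letters, the two username formats (DoeJa01 and doertjo_4682), the script-name layout (Department_ScriptName_Author) and the two script directories from the article; the event schema, the function names and the assumption that flows not involving the A category are unrestricted are illustrative choices. The sample events are constructed, not real log data.

```python
"""Toy SIEM rule evaluator for naming-convention and VLAN-category baselines.

Added example for this page (not the article's or any vendor's code).
Category letters, username formats, script-name layout and authorized
script directories follow the article; the event schema and helper names
are assumptions made for this illustration.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

# VLAN criticality categories from the article; A is mission critical.
CATEGORIES = "ABCDE"

# Username formats from the article:
#   DoeJa01      -> 3 last-name chars, 2 first-name chars, 2 digits (7 chars)
#   doertjo_4682 -> 5 last-name chars, 2 first-name chars, '_', 4-digit HR id
SIMPLE_USERNAME = re.compile(r"^[A-Za-z]{3}[A-Za-z]{2}\d{2}$")
HR_USERNAME = re.compile(r"^[a-z]{5}[a-z]{2}_\d{4}$")

# Script names: Department_ScriptName_Author, e.g. HR_WellnessLogins_DoexxJo.
# The accepted extensions are an assumption for this example.
SCRIPT_NAME = re.compile(r"^[A-Za-z]+_[A-Za-z0-9]+_[A-Za-z0-9]+\.(ps1|sh|py|bat)$")
# Authorized script locations named in the article.
SCRIPT_DIRS_POSIX = ("/var/opt/scripts",)
SCRIPT_DIRS_WINDOWS = (r"C:\Program Files",)


def vlan_flow_allowed(src: str, dst: str, via_jump_host: bool = False) -> bool:
    """A-category systems may initiate to anything; B-E may reach A only
    through the jump host. Flows that do not involve A are not restricted
    here (assumption: the article only constrains access to A)."""
    if src not in CATEGORIES or dst not in CATEGORIES:
        raise ValueError(f"unknown VLAN category in flow {src}->{dst}")
    if src == "A":
        return True
    if dst == "A":
        return via_jump_host
    return True


def username_matches_convention(username: str) -> bool:
    """True when the login matches one of the two sanctioned formats."""
    return bool(SIMPLE_USERNAME.match(username) or HR_USERNAME.match(username))


def _under(parent, allowed_dirs, cls) -> bool:
    """True when `parent` is one of `allowed_dirs` or lies beneath one."""
    return any(parent == cls(d) or cls(d) in parent.parents for d in allowed_dirs)


def script_is_authorized(path: str) -> bool:
    """Both the filename and the directory must conform to the baseline."""
    if re.match(r"^[A-Za-z]:\\", path):  # drive-letter prefix => Windows path
        p = PureWindowsPath(path)
        in_allowed = _under(p.parent, SCRIPT_DIRS_WINDOWS, PureWindowsPath)
    else:
        p = PurePosixPath(path)
        in_allowed = _under(p.parent, SCRIPT_DIRS_POSIX, PurePosixPath)
    return in_allowed and bool(SCRIPT_NAME.match(p.name))


def evaluate(event: dict) -> list:
    """Return zero or more alert strings for one normalized event.
    The event fields (type, src_cat, dst_cat, jump_host, user, path)
    are an assumed schema for this example."""
    alerts = []
    kind = event.get("type")
    if kind == "netflow":
        if not vlan_flow_allowed(event["src_cat"], event["dst_cat"],
                                 event.get("jump_host", False)):
            alerts.append(f"VLAN policy violation: {event['src_cat']}->"
                          f"{event['dst_cat']} without jump host")
    elif kind == "auth":
        if not username_matches_convention(event["user"]):
            alerts.append(f"username outside convention: {event['user']!r}")
    elif kind == "script_exec":
        if not script_is_authorized(event["path"]):
            alerts.append(f"unauthorized script name or location: {event['path']}")
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"type": "netflow", "src_cat": "A", "dst_cat": "E"},
    {"type": "netflow", "src_cat": "E", "dst_cat": "A"},
    {"type": "netflow", "src_cat": "E", "dst_cat": "A", "jump_host": True},
    {"type": "auth", "user": "DoeJa01"},
    {"type": "auth", "user": "doertjo_4682"},
    {"type": "auth", "user": "administrator"},
    {"type": "script_exec", "path": "/var/opt/scripts/HR_WellnessLogins_DoexxJo.sh"},
    {"type": "script_exec", "path": "/tmp/update.sh"},
    {"type": "script_exec", "path": r"C:\Program Files\Finance_MonthEnd_SmithJo.ps1"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event and collect the alerts raised."""
    out = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


if __name__ == "__main__":
    for line in run():
        print(line)
```

Running the block over the constructed events raises exactly three alerts: the E-to-A flow that bypasses the jump host, the `administrator` login that matches neither username format, and the script executed from /tmp. Everything else conforms to the baseline and stays silent, which is the point of the article: once the authorized pattern is written down, the rule is a few lines of comparison rather than a judgment call.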

Scaling Security Response With Standards

Meaningful threats to enterprise data security often fly under the radar of even the most sophisticated threat detection solutions when there’s no baseline to define acceptable activity. SOC analysts have more technological capabilities than ever, but many are struggling to optimize detection and response with effective SIEM use cases.

Clear, scalable systems to define policies for acceptable activity create order in chaos. The smartest approach to creating effective SIEM use cases relies on standards, a strong naming convention and sound policy. It’s impossible to accurately understand risks without a clear framework for authorized activities. Standards, baselines and naming conventions can remove barriers to effective threat detection and response.

The post Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Ludek Subrt

CISO, Incident Response, Incident Response (IR), Incident Response Plan, Security Intelligence, Security Intelligence & Analytics, Security Operations Center (SOC), Security Professionals, Skills Gap, Threat Intelligence, Threat Sharing,

Need a Sounding Board for Your Incident Response Plan? Join a Security Community

Incident response teams face myriad uphill battles, such as the cybersecurity skills shortage, floods of security alerts and increasing IT complexity, to name just a few. These challenges often overwhelm security teams and leave security operations center (SOC) directors searching for strategies to maximize the productivity of their current team and technologies to build a capable incident response plan.

One emerging solution is a familiar one: an ecosystem of developer and expert communities. Collaborative online forums have always been a critical part of the cybersecurity industry, and communities dedicated to incident response are growing more robust than ever.

How to Get Involved in a Developer Community

Incident response communities can be a crucial resource to give security analysts access to hands-on, battle-tested experience. They can deliver highly valuable, lightweight, easy-to-use integrations that can be deployed quickly. Community-driven security can also provide playbooks, standard operating procedures (SOPs), best practices and troubleshooting tips. Most importantly, they can help foster innovation by serving as a sounding board for your team’s ideas and introduce you to new strategies and techniques.

That all sounds great, but how do you know what community can best address your incident response needs? Where do you begin? Below are a few steps to help you get started.

1. Find the Communities That Are Most Relevant to You

To combat new threats that are being coordinated in real time, more and more vendors and services are fostering their own communities. Identify which ones are most relevant to your industry and business goals.

To start, narrow down your search based on the security products you use every day. In all likelihood, you’ll find users in these product-based communities who have faced similar challenges or have run into the same issues as your team.

Once you’ve selected the most relevant communities, make sure you sign up for constant updates. Join discussion forums, opt in to regular updates, and check back frequently for new blogs and other content. By keeping close tabs on these conversations, you can continuously review whether the communities you’ve joined are still relevant and valuable to your business.

2. Identify Existing Gaps in Your Security Processes

Communities are disparate and wide-ranging. Establishing your needs first will save you time and make communities more valuable to you. By identifying what type of intelligence you need to enhance your security strategy and incident response plan ahead of time, you can be confident that you’re joining the right channels and interacting with like-minded users.

Discussion forums are full of valuable information from other users who have probably had to patch up many of the same security gaps that affect your business. These forums also provide a window into the wider purpose of the community; aligning your identified gaps with this mission will help you maximize the value of your interactions.

3. Contribute to the Conversation

By taking part in these conversations, you can uncover unexpected benefits and give your team a sounding board among other users. As a security practitioner, it should be a priority to contribute direct and honest information to the community and perpetuate an industrywide culture of information sharing. Real-time, responsive feedback is a great tool to help you build a better security strategy and align a response plan to the current threat landscape.

Contributing to a community can take various forms. Community-based forums and Slack channels give developers a voice across the organization. By leveraging this mode of communication, you can bring important intelligence to the surface that might otherwise go under the radar. Forum discussions can also expose you to new perspectives from a diverse range of sources.

A Successful Incident Response Plan Starts With Collaboration

For its part, IBM Security gathers insights from experienced users across all its products in the IBM Security Community portal. Through this initiative, IBM has expanded its global network to connect like-minded people in cybersecurity. This collaborative network allows us to adapt to new developments as rapidly as threats evolve.

Collaboration has always been cybercriminals’ greatest weapon. It creates massive challenges for the cybersecurity industry and requires us to fight back with a united front of our own. With the support of an entire security community behind you, incident response tasks won’t seem so overwhelming and your resource-strapped SOC will have all the threat data it needs to protect your business.

The post Need a Sounding Board for Your Incident Response Plan? Join a Security Community appeared first on Security Intelligence.

Author: Ted Julian

Artificial Intelligence (AI), Automation, Cognitive Security, Data Protection, Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), threat hunting, Threat Intelligence,

Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing attack on your director of communications. He failed to notice the carefully disguised symbols in an email he thought was sent by the IT department and logged in to a spoofed domain. This credential theft resulted in the spread of zero-day malware and slowly escalated account privileges. While some of the criminals’ behavior triggered alerts in the SOC, your analysts categorized the incidents as benign positives. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.


Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. The majority of successful exploits attributed to human error fit a small series of predictable patterns that exploit known vulnerabilities in an organization’s network. As a result, many data breaches can be prevented with effective cyber hygiene tactics.

Advanced threats are a smaller proportion of incidents, but they are typically undetected and cause the most damage. In addition, the rise in state-sponsored crime and criminal activity on the dark web has created an ecosystem that fosters open exchange between the world’s most sophisticated and skilled criminals.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice uses techniques from art, science and military intelligence, with internal and external data sources informing the science of statistical and cognitive analysis. Human intelligence analyzes the results and informs the art of a response. Last year, 91 percent of security leaders reported improved response speed and accuracy as a result of threat detection and investigation, according to the SANS Institute.

Threat hunting is not defined by solutions, although tools and techniques can significantly improve efficiency and outcomes. Instead, it’s defined by a widely accepted framework from Sqrrl. These are the four stages of Sqrrl’s Threat Hunting Loop:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources to increase threat hunters’ skills and easily feed threat intelligence through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to increase SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research methodologies can lead to costly data breaches and permanent brand damage when APTs evade detection. A lack of solutions and methods for an orchestrated IoC investigation process means less efficient and accurate operations. The absence of SOC orchestration encourages heavily manual processes.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance SOC capabilities, Sogeti Luxembourg successfully reduced the average time of root cause determination and threat investigation from three hours to three minutes. In the process, the financial institution sped up their threat investigation process by 50 percent and saw a tenfold increase in actionable threat indicators.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress and falsely assigned benign positives are at record highs. APTs can easily go unnoticed due to the sheer volume of noise, which creates a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day will fit predictable patterns. While APTs make up a statistically small percentage of incidents investigated by an SOC, sophisticated threat actors use unique tactics and techniques to evade detection in a noisy SOC. These threats are the most likely to evade detection and result in highly expensive cybercrime.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.


The post Maturing Your Security Operations Center With the Art and Science of Threat Hunting appeared first on Security Intelligence.

Author: Rob Patey

Bank Security, Banking & Financial Services, Cyberattacks, Financial Industry, Financial Institutions, IBM X-Force Command Center, Incident Response, Incident Response (IR), Threat Response, X-Force,

How the Financial Services Industry Is Preparing to Avoid and Respond to Systemic Cyberattacks

Recently, leading up to a major U.S. holiday, cybercriminals targeted a number of payment and credit card companies. These companies received notice that if they didn’t each pay a ransom in bitcoin, a cyberattack would be launched against the payment industry on the holiday, which happens to be a major shopping day. Financial services players and law enforcement soon massed to respond to this systemic cyberattack on the industry.

In the Financial Services Industry, a Data Breach Is Everyone’s Problem

Until recently, financial services firms focused almost entirely on preventing data breaches that would impact their own organizations. They sought to detect security risks such as phishing emails, malware, stolen databases and remote access to networks, and to stop them before the boom — the moment a cyberattack is discovered. But more and more, financial services and other industries are starting to recognize that it’s not a matter of if they’ll be breached, but when. In light of this realization, the sector’s efforts must shift to response, not simply detection and prevention, and acknowledge that these attacks run the risk of becoming systemic in nature, impacting the entire financial services industry.

Left and Right of the Boom in Incident Response

Given the interconnectedness that has developed within financial services, no one company can operate in a vacuum, either to prevent an attack or to respond to one. If there’s a breach within a bank, for example, that incident will soon extend to ATM networks, payment providers, clearing and settlement entities, and third-party services. The financial services industry is preparing for the likelihood of a systemic cyberattack and coming together in an effort to create runbooks that define the parameters of a coordinated response.

Industry Leaders Battle-Test Their Incident Response

This change has prompted competitors to collaborate for the good of the financial services industry. In October 2018, for example, the companies of the P20 Cyber Working Group and Board visited the IBM X-Force Command Cyber Range in Cambridge, Massachusetts, for a “war game” exercise. The global electronic payments industry, along with law enforcement and U.S. Department of Treasury representatives, came together for a cyberattack response challenge based on the aforementioned holiday scenario. Traditional cyberthreat preparedness focuses on evaluating technology controls and the completeness of incident response plans. However, a cyber war game exercise provides an opportunity to model attacks and practice response and resilience in a controlled environment.

The objective for phase one of the exercise was to test incident response communications, decision-making effectiveness and stakeholder notification during a data breach. This resulted in a strengths, weaknesses, opportunities and threats (SWOT) analysis that showed more weaknesses than strengths.

On the plus side, there was good organizational coordination among leadership and cross-functional teams. That said, it was clear that the industry still lacks a common taxonomy around crisis management, including what even constitutes a crisis. No processes or liaisons were in place for engaging government or law enforcement. Most chief information security officers (CISOs) lacked media training, and therefore didn’t know who to contact or what to communicate in media statements. Challenges were rife in detection, investigation and response. Finally, there was no commander’s intent to direct what a successful outcome would look like.

Commander’s Intent Is Crucial to a Systemic Response Plan

In many ways, a cyberattack is similar to a military attack, according to Lieutenant Colonel Hise Gibson, a visiting scholar at Harvard Business School. Gibson specializes in applying the lessons learned on the battlefield to cyberattacks in the business world. When command is decentralized — whether in military coalitions or financial services firms — building cohesive teams depends on mutual trust.

The team must create a shared understanding that results in a clear commander’s intent, or a “description and definition of what a successful mission will look like,” according to Harvard Business Review. In a business context, CEO intent empowers subordinates and guides initiative and improvisation in the event of a chaotic event, such as a cyber crisis.

Phase two of the war game exercise involved creating a customized, high-fidelity incident response simulation for the financial services industry. The simulation enabled participants to work together to develop an iterative playbook to respond to incidents, which requires a framework for partner and peer collaboration and data sharing.

A consistent “break-the-glass” response plan depends on individuals being empowered to act. Rather than ask for funds, the leader must be allowed to spend what’s needed; rather than worrying about stepping on toes, he or she must be empowered to make customers whole. Meanwhile, the team must practice the response plan until it becomes as natural as muscle memory.

Create a Workflow That Enables Incident Response Orchestration

In phase three of the exercise, the financial services industry participants will create a workflow that details response to a systemic cyberattack. Intelligent orchestration will support a guided response to complex attacks with agile playbooks that can adapt to incident details in real time and lay out roles, responsibilities and deadlines. This preparation will ultimately enable financial services firms to effectively contain incidents and prevent a domino effect that brings down the industry.

Financial services firms must continue to collaborate with their industry peers, create industry response exercises and runbooks, and rigorously test their plans at facilities such as the IBM X-Force Command Center. Learn more about the IBM X-Force Command Center and how companies are working to prepare for their worst day.

The post How the Financial Services Industry Is Preparing to Avoid and Respond to Systemic Cyberattacks appeared first on Security Intelligence.

Author: Gary B. Meshell

Artificial intelligence, Chief Information Security Officer (CISO), CISO, Incident Forensics, Incident Management, Incident Response, Incident Response (IR), orchestration, Security Intelligence & Analytics, Security Leaders, Security Operations and Response, Security Operations Center (SOC), Security Professionals, Skills Gap,

Maximize Your Security Operations Center Efficiency With Incident Response Orchestration

It’s 5:48 a.m. — only 48 minutes into your 12-hour shift in the security operations center (SOC), and you’ve already investigated three threats. You were prepared for a long shift, but since an analyst on the night crew just quit, now you’re covering her shift, too. How is anyone supposed to stay vigilant in the thick of a monotonous 24-hour slog in the SOC?

When you first started, you tried talking to your boss about how incident response orchestration software and other tools might work more efficiently. Today, you’re just trying to survive. It’s hard to not feel completely numb when you’re buried in hundreds of alerts you can’t possibly review.

When the tools in the SOC don’t integrate seamlessly into a unified security immune system of solutions, analysts can’t make the most of their time. Given the widening cybersecurity skills gap, the rising cost of a data breach and the blinding speed at which alerts pile up in security information and event management (SIEM) logs, security leaders must empower their analysts to maximize their efficiency.

The first step is to give them the tools they need to accurately prioritize all those alerts — but what does intelligent incident response look like in practice, and how can orchestration and automation help transform a reactive response system into a proactive security powerhouse? Let’s zoom in on what’s holding SOCs back and how an integrated ecosystem of tools can help analysts overcome these challenges before, during and after an attack.


Reactive, Manual Processes in the Understaffed SOC

The average security analyst investigates 20–25 incidents each day. It takes the average analyst 13–18 minutes to compare indicators of compromise (IoCs) to logs, threat intelligence feeds and external intelligence, and manual research can yield false positive rates of 70 percent or higher.

To make matters worse, as security analysts struggle against an increased volume of complex alerts, the SOC is facing a talent crisis: Sixty-six percent of cybersecurity professionals believe there are too few qualified analysts to handle alert volume in the SOC.

According to the Ponemon Institute’s “2018 Cost of a Data Breach Study,” the average cost of a breach globally is $3.86 million, a 6.4 percent increase from 2017. As threat actors become more effective at evading and targeting the enterprise, the majority of analysts can’t keep up. Twenty-seven percent of SOCs receive more than 1 million alerts each day, and the most common response to alert fatigue is to modify policies for fewer alerts.

Orchestration and automation can free overwhelmed analysts in the SOC and significantly improve cyber resiliency throughout the enterprise. In fact, research has shown that SOC orchestration can triple incident response volume and significantly reduce time to response.

“While data breach costs have been rising steadily, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs,” said Dr. Larry Ponemon.

Automation reduces the average cost of a data breach by $1.55 million. To build a cyber resilient enterprise, security leaders need intelligent solutions for orchestration, automation, machine learning and artificial intelligence (AI).

What Are the Attributes of Intelligent Incident Response?

Enterprises can save an average of $1 million by containing a data breach in under 30 days, according to the Ponemon study. However, the average time to containment is 69 days. Security leaders should weigh the risks of failing to adopt solutions for intelligent and proactive response, including costlier data breaches caused by reactive response and longer containment times.

The SOC is facing a higher volume of more sophisticated threats, and there is a massive shortage of cybersecurity talent to boot. The right approach to intelligent response, therefore, encompasses solutions for the following:

  1. Orchestration and automation — An integrated, streamlined ecosystem can enable organizations to create dynamic incident response (IR) plans and automate remediation.
  2. Human and artificial intelligence — Operationalize human intelligence, leverage advanced threat intelligence and collaborate with experts.
  3. Case management — Establish systems for continual IR plan improvement while developing a clear understanding of internal workloads and skills.

Let’s take a closer look at how intelligent incident response orchestration works in practice and how it can help security leaders free up their overworked analysts for more pressing tasks.

3 Use Cases for Intelligent Incident Response Orchestration

A comprehensive ecosystem of security solutions can enable the enterprise to prepare for sophisticated cyberthreats, respond proactively to risks and apply lessons learned to create future safeguards. Intelligent orchestration creates efficiency and accuracy before an attack, during an incident and after remediation.

1. Before an Attack

Half of respondents to a recent survey believe it’s somewhat or highly likely that their organization will have to respond to a major incident in the next year, while 9 percent have “no doubt.” The right time to address SOC challenges, such as the increased volume of highly targeted threats and too many single-purpose solutions, is before an attack occurs.

The first step to build a cyber resilient enterprise involves adopting an advanced incident response platform to create automated, intelligent workflows that encompass people, processes and technology. This solution can be enhanced with a security information and event management (SIEM) solution to deliver comprehensive incident analytics and visibility into emerging threats.

Enlisting security operations consultants can help organizations supplement their internal talent. Collaborating with external IR experts, meanwhile, can help companies implement effective training and strategic preparation.

2. During an Attack

Minutes count when the enterprise is facing a sophisticated, targeted threat. The incident response platform (IRP) can act as a centralized solution for response and remediation. When coupled with cognitive intelligence, organizations can rapidly investigate threats without overwhelming their SOC staff.

When a critical incident is detected, the SOC can call in on-demand IR experts for assistance managing and remediating the incident. The IRP generates a response playbook that updates dynamically as threat intelligence solutions analyze the incident, endpoint analytics solutions deliver details of the on-site infection, and automated reports go to the legal team.

Using solutions for threat intelligence, forensics and other solutions, IR analysts can research the tactics used by attackers to pinpoint the source of the incident. By following instructions from the playbook, SOC analysts can coordinate with IT on remediation actions, such as global password resets and segregation of privileged accounts.
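As an added example, not code from the original post or from any IBM product, the following Python routine automates the IoC-to-log comparison that the article says takes an analyst 13–18 minutes by hand, collapses the raw hits into one incident per host (the alert-fatigue problem), and derives an ordered playbook from the result, the way the dynamically updated playbook described above would. The indicator feed, the log lines, the host and user names and the action names are all constructed for illustration; re-running `triage` with a newly arrived indicator shows how a playbook changes as intelligence comes in.

```python
import re
from urllib.parse import urlparse

# Constructed threat-intelligence feed. Hypothetical indicators only
# (documentation/TEST-NET addresses and a made-up hash), not real IoCs.
IOCS = {
    "198.51.100.23": {"type": "ip", "severity": "high", "source": "feed-a"},
    "update-check.example.net": {"type": "domain", "severity": "medium", "source": "feed-b"},
    "0123456789abcdef0123456789abcdef": {"type": "md5", "severity": "high", "source": "feed-a"},
}

# Constructed sample events in a simple "<timestamp> <source> key=value ..." shape.
LOG_LINES = [
    "2018-12-03T05:48:10Z proxy host=ws-114 user=jdoe dst=198.51.100.23 url=http://198.51.100.23/dl/update.exe",
    "2018-12-03T05:48:12Z dns host=ws-114 user=jdoe query=update-check.example.net",
    "2018-12-03T05:49:01Z edr host=ws-114 user=jdoe file=C:\\Users\\jdoe\\update.exe md5=0123456789abcdef0123456789abcdef",
    "2018-12-03T05:50:44Z dns host=ws-207 user=asmith query=intranet.example.com",
    "2018-12-03T05:51:02Z proxy host=ws-301 user=svc_backup dst=203.0.113.8 url=https://203.0.113.8/",
    "2018-12-03T05:52:17Z dns host=ws-207 user=asmith query=update-check.example.net",
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one event into (timestamp, log source, {field: value})."""
    ts, source, rest = line.split(" ", 2)
    return ts, source, dict(KV_RE.findall(rest))


def candidate_indicators(fields):
    """Every value in an event that could be matched against the IoC set."""
    cands = set()
    for key in ("dst", "query", "md5", "sha256"):
        if key in fields:
            cands.add(fields[key].lower())
    if "url" in fields:
        host = urlparse(fields["url"]).hostname
        if host:
            cands.add(host.lower())
    return cands


def triage(log_lines, iocs):
    """Match each event against the IoC set; one alert per (event, indicator) hit."""
    alerts = []
    for line in log_lines:
        ts, source, fields = parse_line(line)
        for indicator in sorted(candidate_indicators(fields)):
            hit = iocs.get(indicator)
            if hit:
                alerts.append({
                    "ts": ts, "log_source": source,
                    "host": fields.get("host"), "user": fields.get("user"),
                    "indicator": indicator, "ioc_type": hit["type"],
                    "severity": hit["severity"], "intel_source": hit["source"],
                })
    return alerts


def group_by_host(alerts):
    """Collapse raw alerts into one incident per host, keeping the worst severity seen."""
    incidents = {}
    for a in alerts:
        inc = incidents.setdefault(a["host"], {"severity": "low", "indicators": [], "users": []})
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = a["severity"]
        if a["indicator"] not in inc["indicators"]:
            inc["indicators"].append(a["indicator"])
        if a["user"] and a["user"] not in inc["users"]:
            inc["users"].append(a["user"])
    return incidents


def build_playbook(incidents):
    """Turn incidents into ordered remediation steps. Action names are hypothetical."""
    actions = []
    for host, inc in incidents.items():
        if inc["severity"] == "high":
            actions.append(("isolate_host", host))
            for user in inc["users"]:
                actions.append(("reset_password", user))
            actions.append(("escalate_to_ir", host))
        else:
            actions.append(("open_ticket", host))
    return actions


if __name__ == "__main__":
    alerts = triage(LOG_LINES, IOCS)
    incidents = group_by_host(alerts)
    print(f"{len(alerts)} raw hits -> {len(incidents)} incidents")
    for step in build_playbook(incidents):
        print(step)
```

The matching itself is the cheap part; the value is in the grouping and the ordering of actions, which is what keeps four raw hits from becoming four separate tickets. In a real deployment the `IOCS` dictionary would be refreshed from the feed on a schedule and the action tuples handed to the ticketing, EDR and identity systems rather than printed.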

3. After an Attack

There are few genuinely random cybersecurity attacks. In the last 18 months, 56 percent of organizations that fell victim to a significant attack were targeted again in the same period.

When an attack is fully remediated, security analysts can prepare efficient reporting on the incident using data from security intelligence solutions, forensic investigation tools and insights from the response researchers. This research can be presented directly to the executive leadership team to communicate the status of the incident, actions taken and lessons learned.

By collaborating with third-party response experts and security service consultants, the SOC team can work to refine formal incident response policies and enhance security controls. As SOC operations resume, analysts can improve readiness with customized response drill training.

Why Incident Response Orchestration Matters

By protecting the enterprise with solutions to automate and orchestrate incident response, security leaders can introduce the benefit of cyber resiliency to the organization. According to Forrester, “Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, [make] security operations faster, less error-prone, and more efficient.” Adding the right solutions for orchestration, cognitive intelligence, and case management can ease the burden on the SOC while reducing cybersecurity risks.


The post Maximize Your Security Operations Center Efficiency With Incident Response Orchestration appeared first on Security Intelligence.

Author: Dan Carlson

Advanced Persistent Threat (APT), Advanced Threats, Authentication, Behavioral Analytics, CISO, Cost of a Data Breach, Data Breach, Incident Response, Incident Response (IR), Multifactor Authentication (MFA), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Solutions, Threat Intelligence,

Close the Gap on Advanced Threats With Integrated Security

The board of directors is finally starting to grasp that security risk equals business risk. But as you finalize your presentation on the company’s cybersecurity posture, you can’t help but second-guess yourself. You know the CEO, CFO and other senior leaders want to hear that the security team has an effective strategy for handling advanced threats, but the truth is that your analysts are drowning in data with little meaningful insight into risks.

Based on your knowledge of the rapidly expanding threat landscape, you know the company is vulnerable to a data breach it can’t afford. The problem is that you can’t demonstrate this risk without adequate visibility into the organization’s sensitive data and the vulnerabilities threat actors might exploit to steal it. What’s worse, your security operations center (SOC) is spread thin across the widening cyber skills gap, and alerts are piling up as analysts slog through manual processes. How can chief information security officers (CISOs) free up their SOC teams to investigate the most pressing alerts and minimize risks before they evolve into costly incidents?


Why Threats Are Outpacing the SOC

While the security profession is finally gaining the respect and attention it deserves, understaffed SOCs are struggling to triage enormous volumes of security event data. And the problem is only getting worse: Cybersecurity Ventures predicted that the industry will have 3.5 million unfilled cybersecurity positions by 2021.

Despite the increased spend, many organizations are failing to see results from their security investments. Some organizations have 85 distinct security solutions from 45 unique vendors, but little confidence in their capacity to detect threats. No matter the size of your security arsenal, these standalone tools cannot adequately protect enterprise networks from today’s advanced threats in isolation.

Coupled with the skills crisis, the SOC is grappling with the increasing complexity of the threat landscape. Costly, difficult-to-detect insider attacks have increased by 46 percent since 2014. Meanwhile, 62 percent of security experts believe threat actors will weaponize artificial intelligence (AI) to launch targeted attacks at scale in the next year, according to a Cylance survey.

A New Approach to Detect and Stop Advanced Threats

Despite record-breaking spend on security solutions, the SOC is losing ground for more reasons than the skills shortage and evolving threats. Technology is a barrier for many enterprises in which the security organization lacks a comprehensive view of the risk landscape. Disconnected systems, the IT skills gap and a lack of automation have made it very difficult for these organizations to distinguish advanced threats from false positives.

The cost of failing to adopt a new approach to threat detection and remediation is higher than ever. According to the “2018 Cost of a Data Breach Study,” sponsored by IBM Security and conducted by the Ponemon Institute, a mega breach of 50 million or more records can cost as much as $350 million. Targeted, malicious attacks and botnets are among the most expensive types of security incident.

“With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach,” said Larry Ponemon, chairman and founder of Ponemon Institute.

By creating an integrated security ecosystem of solutions, policies and people, organizations can more efficiently and effectively detect advanced threats. AI, machine learning and automation can improve the accuracy and speed of threat investigations, while solutions to orchestrate systems, processes and users minimize the impact of incidents.

5 Use Cases for Advanced Threat Detection and Prevention

How’s this for a use case: With an intelligent security ecosystem, Wimbledon achieved 60 times greater efficiency in threat investigations over manual processes. IBM solutions helped the oldest brand in tennis investigate five times more incidents during the annual tournament, with zero security impact to operations.

Use cases for operations strategy, managed incident response, SOC automation, behavioral analytics and user authentication demonstrate how IBM Security solutions offer a complete spectrum of protection against sophisticated threats.

1. Operational Strategy

A recent survey of Black Hat 2018 attendees revealed that sophisticated, targeted attacks are the top concern for 47 percent of security professionals. Other frequently cited challenges facing the enterprise include social engineering, insider threats and cloud risks. When an enterprise is facing these known risks and lacks confidence in existing technologies, it’s critical to strengthen operations proactively.

Partnering with security operations and consulting services can enable the enterprise to design and build a comprehensive response with a cognitive SOC, SOC training and security information and event management (SIEM) optimization.

2. Incident Response

According to Marsh & McLennan, 14 percent of organizations are “not at all confident” or unsure if they are adequately prepared to respond to or recover from a cyber incident. As vulnerabilities and risks evolve, organizations need a culture of continuous improvement to weather the coming storm of advanced threats.

Developing relationships with industry detection and response experts can provide organizations with decades of threat intelligence experience. Managed SIEM services can offer cognitive intelligence for cybersecurity and comprehensive, compliant infrastructure.

3. SOC Automation

Enterprise SOCs encounter 200,000 unique security events each day on average. A cognitive SOC with automation, machine learning, AI and orchestration solutions eases the burden on analysts and improves effectiveness. Incident response automation can reduce the total cost of a data breach by $1.55 million. Meanwhile, intelligent SIEM solutions deliver cognitive security analytics and automation with contextual intelligence to identify significant risks.

4. Visibility Into Anomalies

According to Fidelis Security, 83 percent of SOCs triage less than half of the alerts received each day. This may be due in part to too much time spent chasing false alerts; manual research processes can yield false positive rates of 70 percent or higher.

Organizations can identify user risks and suspicious behavior by investing in behavioral analytics that provide at-a-glance visibility into anomalies.

5. User Authentication

As the enterprise pursues digital transformation, a smarter approach to identity is the new perimeter. While just 67 percent of respondents are currently comfortable using biometrics and other advanced forms of authentication, according to “The Future of Identity,” 87 percent believe they’ll be comfortable in the future.

With cloud-based multifactor authentication, organizations can simplify and scale a checkbox approach to authentication policies across web and mobile applications, including risk-based approaches to user access and biometric authentication methods.

Closing the Gap on Enterprise Threats

Enterprises are spending more than ever on security solutions. However, industry surveys and breach rates show that standalone tools aren’t providing meaningful protection against sophisticated threats.

As the threat landscape continues to evolve, organizations need an integrated ecosystem of solutions that provide visibility into internal and external risks. By continuously aligning systems, policies and people, security teams can improve the accuracy and speed of threat investigations and minimize the risks of advanced threats at each stage of the attack chain.


The post Close the Gap on Advanced Threats With Integrated Security appeared first on Security Intelligence.

Author: Rob Patey

Access Management, Artificial Intelligence (AI), Chief Information Officer (CIO), Chief Information Security Officer (CISO), CISO, Data Breaches, Data Protection, Data Security, database security, Hybrid Cloud, Incident Response (IR), Integrated Security, Network Security, Patch Management, Risk Assessment, Risk mitigation, Security Operations Center (SOC), Vulnerability Management,

Your Security Strategy Is Only as Strong as Your Cyber Hygiene

It’s an all-too familiar scenario: An email directive to apply a patch to a web server goes ignored, and no one follows up to be sure the patch has been applied. As a result of this simple lack of cyber hygiene, the organization falls prey to a widespread strain of malware.

The team that should have handled the update was probably busy and might not have been fully staffed. There may not have been enough budget to hire enough of the right kind of talent, or perhaps there were just too many factors to be checked and covered. None of that matters, though; the network was breached, and it was entirely preventable. Failure to cover the basics was the downfall, and it could lead to negative publicity and loss of business.


Your Security Improvements Could Be Missing the Point

The average enterprise security team has more solutions in its arsenal than ever before. As reported by ZDNet, some companies have more than 70 unique security applications and tools in place. While chief information security officers (CISOs) and their teams may be drowning in technology, the enterprise isn’t becoming more secure. In fact, the chances of facing a data breach have increased exponentially over the last several years, according to research from the Identity Theft Resource Center.

The truth is that the vast majority of data breaches can be prevented with basic actions, such as vulnerability assessments, patching and proper configurations. An Online Trust Alliance study estimated that 93 percent of reported incidents could have been avoided with basic cyber hygiene best practices, a figure that remains largely unchanged in the past decade. While advanced threats are growing in volume and sophistication, organizations are still getting breached due to poor key management, unpatched applications and misconfigured cloud databases.

CISOs aren’t blind to these trends. According to the “2018 Black Hat USA Attendee Survey,” 36 percent of leaders spend the majority of their time on any given day trying to accurately measure their organization’s security posture. Sixteen percent believe their organization’s greatest failure is “a lack of integration in security architecture” and “too many single-purpose solutions.” Security teams are drowning in alerts and grasping for solutions that streamline cyber hygiene activities.

What Does Cybersecurity Hygiene Entail?

Cyber hygiene refers to maintaining the security and health of an enterprise’s network, endpoints and applications through routine, fundamental activities that keep vulnerabilities from being introduced or left unaddressed. It means perfecting the basics, including:

  • Deleting redundant user accounts;
  • Enforcing access and passwords with policy;
  • Backing up mission-critical data;
  • Securing physical and cloud databases;
  • Application whitelisting; and
  • Managing configurations.

When put into practice on an enterprise network, security hygiene is a continuous cycle of identifying vulnerabilities, mitigating risks and improving response capabilities. This begins with a vulnerability assessment of your network and data assets. After all, knowledge is the first step toward effective security hygiene.
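As an added example, not code from the original post or from any IBM product, here is a Python hygiene check that covers two of the basics listed above and the failure the post opens with: it verifies that a patch directive was actually applied (installed package versions against a required baseline) and finds redundant accounts (enabled accounts unused past an idle threshold, with never-used privileged accounts ranked highest), then combines both into a prioritized report that can be run on every cycle. The host inventory, baseline versions, directory export and the fixed clock are all constructed for illustration.

```python
from datetime import datetime, timezone

# Fixed "now" so the example is reproducible (constructed).
NOW = datetime(2019, 1, 7, tzinfo=timezone.utc)

# Constructed inventory: hypothetical hosts and the package versions each reports.
HOSTS = [
    {"host": "web-01", "packages": {"httpd": "2.4.35", "openssl": "1.1.1"}},
    {"host": "web-02", "packages": {"httpd": "2.4.29", "openssl": "1.1.1"}},  # directive ignored
    {"host": "db-01", "packages": {"postgresql": "10.6"}},
]

# Minimum versions the patch directive required (constructed baseline).
BASELINE = {"httpd": "2.4.35", "openssl": "1.1.1", "postgresql": "10.6"}

# Constructed directory export: accounts with last-login timestamps (None = never).
ACCOUNTS = [
    {"user": "jdoe", "last_login": "2019-01-04T09:12:00Z", "enabled": True, "privileged": False},
    {"user": "contractor7", "last_login": "2018-06-01T14:00:00Z", "enabled": True, "privileged": False},
    {"user": "old_admin", "last_login": "2018-03-15T08:30:00Z", "enabled": True, "privileged": True},
    {"user": "svc_backup", "last_login": None, "enabled": True, "privileged": True},
    {"user": "former_emp", "last_login": "2018-02-01T10:00:00Z", "enabled": False, "privileged": False},
]


def version_tuple(version):
    """'2.4.29' -> (2, 4, 29) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def unpatched_hosts(hosts, baseline):
    """(host, package, installed, required) for every package below the baseline."""
    findings = []
    for h in hosts:
        for pkg, installed in h["packages"].items():
            required = baseline.get(pkg)
            if required and version_tuple(installed) < version_tuple(required):
                findings.append((h["host"], pkg, installed, required))
    return findings


def stale_accounts(accounts, now, max_idle_days=90):
    """Enabled accounts idle longer than max_idle_days; never-used accounts count as stale."""
    stale = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: nothing to clean up
        if a["last_login"] is None:
            stale.append((a["user"], None, a["privileged"]))
            continue
        last = datetime.fromisoformat(a["last_login"].replace("Z", "+00:00"))
        idle_days = (now - last).days
        if idle_days > max_idle_days:
            stale.append((a["user"], idle_days, a["privileged"]))
    return stale


def hygiene_report(hosts, baseline, accounts, now):
    """Merge both checks into (severity, message) findings, highest severity first."""
    findings = []
    for host, pkg, installed, required in unpatched_hosts(hosts, baseline):
        findings.append(("high", f"{host}: {pkg} {installed} is below required {required}"))
    for user, idle_days, privileged in stale_accounts(accounts, now):
        severity = "high" if privileged else "medium"
        how_long = "never used" if idle_days is None else f"idle {idle_days} days"
        suffix = " (privileged)" if privileged else ""
        findings.append((severity, f"account {user}: {how_long}{suffix}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])  # stable: keeps check order within a level


if __name__ == "__main__":
    for severity, message in hygiene_report(HOSTS, BASELINE, ACCOUNTS, NOW):
        print(f"[{severity}] {message}")
```

Two details matter in practice: versions must be compared numerically (as strings, "2.4.29" sorts after "2.4.35"), and an enabled account that has never logged in is a finding rather than a gap in the data, because a service account nobody uses is exactly the kind of redundant access the list above says to delete. Python 3.7 or later is assumed for `datetime.fromisoformat`.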

Why Preventable Data Breaches Continue to Happen

Organizations that fail to perform basic security improvements face near-certain risks. Last year, IBM X-Force reported a twofold increase in injection attacks aimed at vulnerable applications and devices over the previous year. In total, injection attacks comprised 79 percent of all malicious network activity. An unpatched server or misconfigured cloud database can also lead to costly consequences. The loss of consumer trust could be more severe in the event that an organization is forced to admit it didn’t perform the basics.

The reason why organizations are struggling with cyber hygiene goes beyond human negligence. Networks are more complex than ever, and cyber hygiene requires the effective alignment of people, policies, processes and technology. Organizations fall prey to fully preventable attacks due to increased endpoints, cloud adoption, stolen credentials and the immense resources needed to address regulatory shifts.

“Security in a hyperconnected era presents a new set of challenges, but these can be greatly eased by implementing innovative practices and adopting a more integrated, holistic approach,” said Marc van Zadelhoff, former IBM Security General Manager, in a statement. “CISOs that prioritize these factors can help their organizations significantly improve business processes and achieve measurable success.”

Enterprise networks are complex, and fragmented security solutions for vulnerability assessment don’t reveal the full picture. Security operations centers (SOCs) are overwhelmed with alerts and relying on manual threat research. Performing basic security improvements is impossible without the right ecosystem to identify data risks.

5 Steps to Create an Effective Cyber Hygiene Practice

Hygiene is at the core of a security risk mitigation strategy. Security hygiene is a cultural mindset that spans security, IT, leadership and the individual. To adequately address basic risks, CISOs need full buy-in to continually review data management practices, improve response capabilities and enhance employee awareness. Let’s take a closer look at five steps organizations can take to create an effective cyber hygiene practice.

1. Identify Risks

Data is a modern organization’s most valuable asset. Solutions for security hygiene must comprehensively identify the location and sensitivity of business data, extending to risk assessment, remediation and vulnerability assessments of hybrid cloud environments.

Risk needs to translate into action, and CISOs should actively share knowledge of data security with other executives to improve privacy. Solutions for comprehensive, real-time vulnerability assessment can help in the development of a stronger approach to risk and compliance.

2. Prioritize Response

Security hygiene is a continuous effort to address risks in real time and prioritize the protection of the most sensitive data assets. Organizations must develop a response policy based on data sensitivity. Cognitive security solutions can help orchestrate efforts to remediate the highest-risk vulnerabilities and automate activities to enforce policy or regulatory requirements.

3. Improve Risk Awareness

CISOs, risk officers and business leaders should collaborate to improve incident response (IR) capabilities where hygiene is viewed as an imperative. Third-party expertise can increase risk awareness and orchestration capabilities, and design thinking can help increase the use of cognitive technologies, artificial intelligence (AI) and risk management automation for streamlined security hygiene.

4. Secure Digital Transformation

Change is inevitable and constant in a contemporary enterprise network environment. Security hygiene involves a forward-thinking attitude that creates policies for secure deployment and management of new technologies. Change management efforts should incorporate discussions on how to actively secure Internet of Things (IoT) deployments and other emerging technologies.

5. Disseminate Responsibility

Leaders should create a culture that encourages compliant behaviors in employees. Silent security can safeguard data privacy across endpoints without sacrificing user productivity. A culture of shared responsibility helps mitigate the risks of shadow IT, especially when coupled with employee awareness initiatives.

Take Preventative Measures Against Meaningful Security Risks

The most crucial improvement to your organization’s security stance may not be acquiring new solutions; it could be a shift to a culture of cyber hygiene. CISOs must collaborate with other leadership to address one of today’s most significant business risks: failure to check off the basics effectively.

The majority of today’s security breaches are caused by inadvertent insider mistakes, such as unpatched systems, misconfigured cloud databases and incomplete risk assessments. Without full network visibility and regular utilization of cyber hygiene best practices, your enterprise could face very real, but entirely preventable, security risks.


The post Your Security Strategy Is Only as Strong as Your Cyber Hygiene appeared first on Security Intelligence.

Author: Kami Haynes

Artificial intelligence, Artificial Intelligence (AI), Automation, CISO, Cloud Adoption, Compliance, Cybersecurity, Data Breach, Data Privacy, General Data Protection Regulation (GDPR), Incident Response, Incident Response (IR), Internet of Things (IoT), IoT Security, Machine Learning, privacy regulations, Risk Management, Security Intelligence & Analytics, Security Professionals, Security Trends,

Top 2019 Cybersecurity Predictions From the Resilient Year-End Webinar

2018 was another significant year for the cybersecurity industry, with sweeping changes that will impact security professionals for years to come.

The General Data Protection Regulation (GDPR) finally went into effect, dramatically reshaping the way companies and consumers manage data privacy. Security teams stepped up their battle against technology complexity by increasingly migrating to the cloud and adopting security platforms. And several emerging security technologies — such as incident response automation and orchestration, artificial intelligence (AI), and machine learning — continued to evolve and saw increased adoption as a result.

As security teams continue pushing to get ahead of adversaries, these trends will almost certainly have long-term impacts. But what do they mean for 2019?

Bold Cybersecurity Predictions for 2019

Recently, I was fortunate to host a panel of cybersecurity experts for IBM Resilient’s sixth annual end-of-year and predictions webinar, including Bruce Schneier, chief technology officer (CTO) at IBM Resilient and special advisor to IBM Security; Jon Oltsik, senior principal analyst at Enterprise Strategy Group; Ted Julian, co-founder and vice president of product management at IBM Resilient; and Gant Redmon, program director of cybersecurity and privacy at IBM Resilient.

During the webinar, the team discussed and debated the trends that defined 2018 and offered cybersecurity predictions on what the industry can expect in 2019. In the spirit of keeping our experts honest, below are the four boldest predictions from the panel.

Bruce Schneier: There Will Be a Major IoT Cyberattack … or Not

Last year, Bruce predicted that a major internet of things (IoT) cyberattack would make the news, perhaps targeting automobiles or medical devices. Fortunately, that wasn’t the case in 2018. But could it happen in 2019?

Bruce’s prediction: maybe (yes, he’s hedging his bet). There are certainly many risks and vulnerabilities associated with the rise of IoT devices. Regardless of whether a major attack is imminent, IoT security needs to be a top priority for security teams in 2019. This prediction is in line with Bruce’s latest book, “Click Here to Kill Everybody.”

Ted Julian: Security Automation Will Create Unintended Negative Consequences

Incident response automation and orchestration is an increasingly popular way for security teams to streamline repetitive processes and make analysts more efficient, but automating poorly defined processes could create bigger issues.

Automated processes accidentally taking down systems is a familiar problem in the IT space. In 2019, we will see an example of security automation hurting an organization in unforeseen ways.

To avoid this, organizations need to consider how they employ technology when orchestrating incident response processes. They should focus on aligning people, processes and technology and methodically employ automation to further empower their security employees.

Jon Oltsik: Continuous Risk Management Will Help Organizations Better Understand Risks

Today, risk assessments and vulnerability scans give organizations a point-in-time look at their security posture and threat landscape. But in 2019, that won’t be enough. Security leadership — as well as executives and board members — need real-time information about the risks they face and what needs to be done to improve. Establishing a system of continuous risk management will help security teams enable this reality.

Gant Redmon: New Laws Will Provide Safe Harbor to Compliant Organizations

A pending law in Ohio would provide a first in U.S. data privacy regulations: providing safe harbor from tort claims to organizations that are in compliance with their security regulations. In other words, if an organization suffers a data breach but is in compliance with its regulatory obligations, it will be protected from lawsuits related to that breach.

While the Ohio law is the first of its kind, we will no doubt start to hear of similar regulations emerging throughout 2019.

What are your cybersecurity predictions for 2019? Tweet to us at @IBMSecurity and let us know!


The post Top 2019 Cybersecurity Predictions From the Resilient Year-End Webinar appeared first on Security Intelligence.

Author: Maria Battaglia

Academia, Cybersecurity Jobs, Data Breach, Education, IBM X-Force Command Center, Incident Response, Incident Response (IR), Security Awareness, Security Professionals, Security Training,

How Allison Ritter Puts Security Lessons Into Action With Her Flare for Drama

Allison Ritter excuses herself from the interview. She has already described her role as “dynamic,” and we’re about to see that firsthand as she makes a call. Allison is filling in for a colleague and needs to make a guest appearance in a simulation — a chance for her to get hands-on with the security lessons she creates for the state-of-the-art IBM X-Force Command Center.

Based in Cambridge, Massachusetts, the Cyber Range drops clients into interactive breach simulations inspired by real-world cybersecurity scenarios. The immersive nature of the simulations helps security teams develop critical incident response and crisis management skills that can’t be learned from playbooks or how-to guides.

To say Allison has a fast-moving job is an understatement. As the creative director at the X-Force Command Center, she’s responsible for the overall look and feel of the simulations and also plays an integral role in managing the multidisciplinary team that develops the interactive experiences for Cyber Range participants.

Injecting Drama, Storytelling and the Arts Into Security Lessons

Allison has been with the Command Center team since the beginning, back when they were “still in hard hats.” She started as a threat gamification engineer before moving into the creative director role.

“I had the opportunity to help build the Cyber Range from the ground up,” she said. “This was a completely new space, so we had a lot of opportunities to create completely new experiences. What are the scenarios that we want to put people through? Visually, how do we want it to look?”

By the time Allison graduated from the Rochester Institute of Technology, she had already interned with U.S. Representative Eliot L. Engel, worked with luxury cruise line Cunard to print and manage daily news for shipwide distribution, and served as editor-in-chief for Rochester’s School of Media Sciences. Her gamification role at IBM was only her second post-collegiate job.

Allison is a self-proclaimed lover of drama, so it’s easy to see how she ended up with the Command Center. Her daily work brings the data breach simulations to life through her interactions with clients as they navigate through the scenarios.

“It’s a very active environment; I have to always be ready with something new to throw a curveball into an experience, depending on what’s going on with the client and how they react,” she explained. “We want you to experience and feel what it would be like if your company was under a cyberattack. What do you need to do in a time of crisis? There’s not a lot of time to react, and you have to learn to manage an incident process during a time of chaos.”

Choose Your Own Security Adventure

Allison likens her creative director role to developing a choose-your-own-adventure book: It’s all about interactive storytelling. Her editorial background serves her well at the Command Center. When she worked in news, she had to keep a close eye on current events while maintaining enough flexibility to meet the needs of multiple audiences. This dynamic creativity laid the foundation for what she does today.

“I really enjoy the excitement of the learning that we create here,” Allison said. “To be able to show something to people and say you’re not just taking away a piece of paper, you’re really gaining some sort of experience. You’re dealing with the same situations that you might have to deal with if your company did go through a breach. It’s real-time learning.”

To Allison, a textbook or how-to guide is no substitute for hands-on experience.

“Diving in, talking with your peers, collaboration among different teams — we have people coming in from human resources, public relations, legal, communications, marketing, security — people are bringing all different experiences to the table,” she explained. “We have a dynamic environment that changes, which is a great learning area for individuals.”

Allison Ritter, Creative Director of the IBM X-Force Command Center

In Security, the Drama Never Ceases

This role isn’t a traditional 9-to-5 job; Allison is very involved and is often on call. She also continues her passion for the arts through music, theater and painting in her free time. In short, she is living proof that the arts and technology can work — indeed, thrive — together.

“I’m dedicated to the space and the work we do,” she said. “I have this love for drama and a passion for creating immersive spaces that are visually engaging for individuals to experience.”

Allison is showing us that working in security is not just about developing and writing code. There are opportunities for people of all backgrounds, passions and inclinations to succeed in this industry — especially if they enjoy a bit of drama.


The post How Allison Ritter Puts Security Lessons Into Action With Her Flare for Drama appeared first on Security Intelligence.

Author: Security Intelligence Staff

Access Management, Advanced Threats, Antivirus, atm, CISO, Compliance, Credentials, cryptocurrency, cryptocurrency miner, Cybercrime, Cybercrime Trends, Data Breaches, Data Privacy, Data Protection, database security, Endpoint Protection, Financial Industry, General Data Protection Regulation (GDPR), IBM X-Force Incident Response and Intelligence Services, IBM X-Force Research, Identity and Access Management (IAM), Incident Response, Incident Response (IR), Malware, Obfuscation, Personal Data, Phishing, regulatory compliance, Security Trends, Social Security, Threat Intelligence, Vulnerabilities, X-Force,

IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape

Taking a look back at 2018, it amazes me that the cybercrime threat landscape continues to top itself year after year. Over the past year, we’ve seen historic breaches, the discovery of large-scale vulnerabilities, the emergence of the trust economy and regulators trying to help make sense of it all.

The looming General Data Protection Regulation (GDPR) deadline finally came in May after businesses spent years preparing. Now we’re in the GDPR era, and we’re still seeing organizations struggle to interpret and tackle the regulation. Businesses are asking themselves, should we disclose every possible incident to be covered or spend more time investigating incidents to confirm them?

We also saw many unintended consequences from the GDPR, including the removal of WHOIS data that threat intelligence experts rely on to identify malicious domains used by fraudsters. We learned that in Europe, organizations will need to go through work councils to receive approval to deploy endpoint protection tools in the wake of an incident due to the privacy regulation. This gives attackers a significant advantage to harvest data for an extensive amount of time — upwards of 30 to 90 days.

One of my security predictions for 2018 was that organizations would start to get response right. We’ve seen some progress on this, but there’s still a lot of work to be done here. Since we opened our Cyber Range in Cambridge, Massachusetts two years ago, we’ve had more than 2,000 people experience what it’s like to respond to an attack.

We’ve seen many industry groups come together in the Cyber Range and collaborate to help their entire industries. We also launched our Cyber Tactical Operations Center (C-TOC), an 18-wheeler that will be touring Europe in 2019 to address the increased demand for preparedness training. Of course, there’s always room for improvement, but our industry is making progress, and for that, I’m proud.

Security Predictions for the New Year

So what lies ahead in 2019? How will the cybercrime threat landscape change and evolve?

Top experts from IBM X-Force have been analyzing emerging trends and clues this year, which they believe are indicators of potential major cybercriminal activity in 2019. Below, these experts reveal their top security predictions for 2019 based on insights from their research and work with clients. The predictions span a range of potential attack schemes and consequences, from industry-specific prognostications to a rapid expansion of emerging criminal schemes.

First, a couple of my own predictions:

Social Insecurity Numbers Dropped for Access

With most Americans’ Social Security numbers a shared secret after 2017, corporations will start to move away from using the numbers as a form of access. In particular, corporate benefits programs often still use Social Security numbers as an identifier. Expect corporations and benefits programs to evolve their authentication methods ahead of regulators.

What organizations can do: Stop using Social Security numbers for identification. Instead, use one-time PINs to establish accounts tied to two-factor authentication, and expand the use of biometrics for authentication.

Unforeseen Consequences of the GDPR

2018 was all about implementation of GDPR and getting organizations prepared. In 2019, new, unforeseen impacts of GDPR on threat intelligence will be identified and have broader consequences in cybersecurity. With the elimination of WHOIS data, identification of malicious domains connected to bad actors becomes an enormous challenge, and we’ll likely see malicious domains ramp up. Organizations in Europe will struggle to remove attackers from networks and devices due to a 30- to 90-day waiting period to deploy endpoint protection after an incident. My hope is that regulators, work councils and security industry leaders can work together in 2019 to identify some exceptions in which security takes precedence.

Possible solution: Greater collaboration between regulators, work councils and security industry leaders to identify exceptions to regulations when security inadvertently could suffer due to the regulation.

Now, some predictions from my fellow X-Force team members:

Automated Customer Service Systems in Attackers’ Sights

Kiosks and other self-service systems have become more and more a part of our world. Retailers, airlines, hotels and public buildings are using these systems to speed up check-ins and reduce labor costs. In 2018, we saw a resurgence in ATM hacking, and we expect in 2019 to see public-facing self-service systems targeted as a way to harvest valuable customer data.

– Charles Henderson, X-Force Red

What organizations can do: Test hardware and software before criminals have a chance to. Harden physical interfaces and disable unused ports at the hardware level. When using third-party components, ensure that they are still supported by the manufacturer.


A Cyber Insurance Market Reality Check

Cybersecurity insurance has grown alongside the epic growth of cybercrime. While it is a valuable tool to manage the costs of a security incident or data breach, businesses have become too reliant on insurance, avoiding investment in other preventative technologies and response services. In 2019, we’ll see closer teaming between cyber insurance providers and security vendors to fill the emerging gap created by the market.

– Christopher Scott, X-Force Incident Response and Intelligence Services (IRIS)

Possible solution: Providers of managed security services and cyber insurance team up together to offer consulting services, assess risk and implement defensive strategies.

Have Data, Will Travel

Cybercriminals will shift their sights to the lucrative databases of personal data maintained by travel and hospitality companies. In 2018, we saw the tip of the iceberg with high-profile breaches at airlines and hotel chains. Expect more mega breaches in this area in 2019 as cybercriminals look to monetize rewards points and gather new credentials, such as passport numbers and driver’s licenses, to establish identities for online crime. This data could also lead to targeted, travel-related phishing, tapping a person’s interests, motivations and connections.

– Wendi Whitmore, X-Force IRIS

What organizations can do: Deploy data obfuscation technologies, encryption and regular database activity monitoring. Conduct regular security testing and have an incident response plan in place. Frequently audit the storage requirements for personally identifiable information (PII) and set expirations for how long sensitive data is stored.

Evidence of Cybercriminal Stock Manipulation

There’s growing speculation that some shorting of stocks can be tied to cyberattacks. Are criminals collaborating to time their attacks for financial gain? In 2019, we expect these schemes will be further exposed and possibly prosecuted as government regulators take notice of this activity.

– Dustin Heywood, X-Force Red

Possible solution: A breach of a public company is now both a technical crisis as well as a financial crisis. Rapid manipulation of stock prices can occur as a result of bad guys looking to profit or hedge funds reacting to breaking news. Your speed of response and precision of communications will matter. Organizations need to build and test their runbooks ahead of time.

Crypto-Mining Powered by PowerShell

PowerShell use for malicious activities has continued to grow in 2018. IBM X-Force IRIS saw the tool used by malicious actors to inject malware directly into memory, enhance obfuscation and evade antivirus detection software. In 2019, X-Force IRIS anticipates that crypto-mining tools will use PowerShell to load fileless malware onto compromised systems — similar to reported activity by the crypto-miner GhostMiner earlier this year.

– Dave McMillen, X-Force IRIS

What organizations can do: Enterprises will want to ensure that they are logging, tracking and auditing PowerShell use in their networks. This can be achieved by running the latest version of PowerShell and enabling script block, module and transcription logging through Group Policy settings. These logs should be forwarded to a central location where they can be analyzed.

In addition to logging, companies using Windows 10 should be sure to implement an antivirus solution that is compatible with the Antimalware Scan Interface (AMSI). This interface gives antivirus products the ability to inspect PowerShell code before it is executed, allowing the product to stop malicious PowerShell before it can run.
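The two recommendations above (PowerShell logging via Group Policy and an AMSI-aware antivirus) can be audited from an elevated PowerShell session. The script below is an added example written for this page, not code from the original post or from IBM: it reports whether the three logging policies are on, turns them on when asked, lists the AMSI providers registered on the host, and pulls the script block events (ID 4104) that would be forwarded to a SIEM. The registry paths are the locations the corresponding Group Policy settings write to; the transcript directory `C:\PSTranscripts` is an assumed value, and in a domain these settings should be pushed by GPO rather than written locally.

```powershell
# Added example (not from the original post): audit, and optionally enable, the PowerShell
# logging the post recommends, then check whether any antivirus has registered with AMSI.
# Assumes an elevated Windows PowerShell 5.1+ session on Windows 10.
#Requires -RunAsAdministrator

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# One entry per Group Policy setting: the registry subkey it maps to and the values it writes.
$LoggingPolicies = @(
    @{ Gpo = 'Turn on PowerShell Script Block Logging'
       Key = "$PolicyRoot\ScriptBlockLogging"
       Values = @{ EnableScriptBlockLogging = 1 } }
    @{ Gpo = 'Turn on Module Logging'
       Key = "$PolicyRoot\ModuleLogging"
       Values = @{ EnableModuleLogging = 1 } }
    @{ Gpo = 'Turn on PowerShell Transcription'
       Key = "$PolicyRoot\Transcription"
       Values = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = 'C:\PSTranscripts' } }  # assumed path
)

function Get-PowerShellLoggingState {
    # Returns one object per policy with Enabled = $true only when every expected value is present.
    foreach ($p in $LoggingPolicies) {
        $current = Get-ItemProperty -Path $p.Key -ErrorAction SilentlyContinue
        $enabled = $true
        foreach ($name in $p.Values.Keys) {
            if ($null -eq $current -or $current.$name -ne $p.Values[$name]) { $enabled = $false }
        }
        [pscustomobject]@{ Policy = $p.Gpo; Key = $p.Key; Enabled = $enabled }
    }
}

function Enable-PowerShellLogging {
    # Writes the same values the GPO editor would; use this on standalone hosts only.
    foreach ($p in $LoggingPolicies) {
        if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        foreach ($name in $p.Values.Keys) {
            $v = $p.Values[$name]
            $type = if ($v -is [int]) { 'DWord' } else { 'String' }
            Set-ItemProperty -Path $p.Key -Name $name -Value $v -Type $type
        }
    }
    # Module logging also needs a module list; '*' logs pipeline activity for all modules.
    $names = "$PolicyRoot\ModuleLogging\ModuleNames"
    if (-not (Test-Path $names)) { New-Item -Path $names -Force | Out-Null }
    Set-ItemProperty -Path $names -Name '*' -Value '*' -Type String
}

function Get-AmsiProviders {
    # Antivirus engines that hook AMSI register a COM provider CLSID under this key.
    # No entries means nothing inspects script content before it runs.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid = $_.PSChildName
            $name  = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Clsid = $clsid; Provider = $name }
        }
}

function Get-RecentScriptBlocks {
    param([int]$Hours = 24)
    # Event 4104 in the PowerShell operational log carries the logged script block text
    # (property index 2). This is the log to forward to the central collector or SIEM.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

# Audit first; call Enable-PowerShellLogging only after confirming this host is not GPO-managed.
Get-PowerShellLoggingState | Format-Table -AutoSize
Get-AmsiProviders          | Format-Table -AutoSize
Get-RecentScriptBlocks -Hours 1 | Format-Table -AutoSize
```

Run the audit on a few representative endpoints before rolling out the policy: a host that shows all three policies enabled but no AMSI provider is logging PowerShell without anything able to block it, and a host with a provider but no logging gives the SIEM nothing to correlate after the fact. Once the 4104 events are being written, point Windows Event Forwarding or the SIEM agent at the `Microsoft-Windows-PowerShell/Operational` channel.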


The post IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape appeared first on Security Intelligence.

Author: Caleb Barlow