Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, July 30, 2019

IR Security News - 28-Jul-2019

Table of Contents

  • Average cost of a data breach rises to $3.92 million: IBM study
  • Immunity's penetration testing utility now includes an exploit for BlueKeep flaw
  • MSP State of the Market report: MSPs give blunt feedback on what they really value from their vendor partners
  • Penetration Test Data Shows Risk to Domain Admin Credentials
  • Fujitsu opens SOC in Canberra
  • How DNS firewalls can burn security teams
  • Verint Systems selected as official supplier of Web Intelligence solutions to the UK police forces
  • Optiv Security opens the Dallas Innovation and Fusion Center
  • Analytics new battleground for MSSPs in Asia
  • Endace and Micro Focus Partnership Delivers New Security Insights for Threat Hunting and Investigation
  • ‘SOC’ It to ‘Em: How to Overcome Security Operations Center Challenges
  • D3 Security Creates First Proactive Response Platform by Bringing Together SOAR and the MITRE ATT&CK Framework

Average cost of a data breach rises to $3.92 million: IBM study
Nandita Mathur
Live Mint
The cost of a data breach has risen 12% over the past five years and now averages $3.92 million, said a study by IBM Security on Tuesday.
Assessing the financial impact of data breaches on organisations, the report claimed that the rising expenses were representative of multi-year financial impact of breaches, increased regulation, and the complex process of resolving criminal attacks.
The report also found that companies with less than 500 employees suffered losses of more than $2.5 million on average – a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenue.
While an average of 67% of data breach costs were realized within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach.
The long tail costs were higher in the second and third years for organisations in highly-regulated environments, such as healthcare, financial services, energy and pharmaceuticals. 
The study also found that data breaches which originated from a malicious cyber attack were not only the most common cause of a breach, but also the most expensive.
Malicious data breaches cost the companies examined in the study $4.45 million on average – over $1 million more than those originating from accidental causes such as system glitches and human error.
These breaches are a growing threat, as the percentage of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42% to 51% over the past six years of the study (a 21% increase).
One particular area of concern is the mis-configuration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year, according to the IBM X-Force Threat Intelligence Index.
The report found that the average life cycle of a breach was 279 days with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach.
However, companies in the study who were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of a breach.
A focus on incident response can help reduce the time it takes companies to respond, and the study found that these measures also had a direct correlation with overall costs. 
Companies that had both these measures in place had $1.23 million less total costs for a data breach on average than those that had neither measure in place ($3.51 million vs. $4.74 million).

Immunity's penetration testing utility now includes an exploit for BlueKeep flaw
Dev Kundaliya
The exploit for the BlueKeep flaw is now included in CANVAS v7.23, enabling users to achieve remote code execution on unprotected PCs during penetration tests - in other words, able to open a shell on infected hosts.

The BlueKeep flaw, aka CVE-2019-0708, was first uncovered by security researchers in May, with Microsoft rushing out a patch to cover it.
According to Microsoft, it is a "wormable" vulnerability that can self-propagate from one vulnerable system to another without requiring user interaction - similar to the way that WannaCry and NotPetya were spread.

MSP State of the Market report: MSPs give blunt feedback on what they really value from their vendor partners
Josh Budd
Channel Partner Insight
US and European providers anonymously share their experiences with vendors in CPI's MSP State of the Market report

Some MSP respondents slammed their vendor partners for taking a short-term approach to the managed services market.
Our research finds that more than two thirds of MSPs are still running an "operationally immature" model where they are not selling a standardised and fully managed package.

Penetration Test Data Shows Risk to Domain Admin Credentials
Jai Vijayan
Dark Reading
A new analysis of data from 180 real-world penetration tests in enterprise organizations suggests that cybercriminals who manage to get a foothold on an internal network have an opportunity to then gain domain administrator access in more than three in four cases.
But attacks on Internet-facing assets actually result in some kind of internal access only about 20% of the time because of the security controls that many organizations have implemented at the network perimeter.
Attacks on Web applications are likely to result in site-wide compromise even more rarely (3%) of the time, the study by security vendor Rapid7 showed.
Most of the flaws on the internal LAN tend to be Microsoft-centered and have an impact on data integrity.
The biggest problems here have to do with SMB relaying, a failure to apply critical patches, and credentials being stored in cleartext.
In 11% of the client sites, Rapid7 found organizations had not deployed patches even for very old vulnerabilities and for extremely critical flaws like EternalBlue, which was exploited in the WannaCry ransomware attacks of 2017.
Unlike prior years, penetration testers were able to use SMB relaying as a viable attack only about 15% of the time, suggesting organizations are much more aware of the need for SMB signing and are getting rid of SMB clients that don't support signing, Beardsley says.
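The Rapid7 finding above hinges on one server setting: SMB relaying only works against hosts that will accept an unsigned session, which is why the article ties the drop in viable relays to SMB signing. A defender can confirm the posture of their own file servers by looking at the SecurityMode field the server returns in its SMB2 NEGOTIATE response (MS-SMB2 2.2.4: bit 0x0001 = signing enabled, bit 0x0002 = signing required). The following parser is an added example written for this digest, not code from Rapid7 or the Dark Reading article; the packet bytes it audits are constructed in `build_sample_response` rather than captured from a real host, and the host names are made up.

```python
import struct

# SMB2 constants from MS-SMB2 (header 2.2.1.2, NEGOTIATE response 2.2.4)
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on responses
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002

HEADER_FMT = "<4sHHIHHIIQIIQ16s"    # 64-byte SMB2 packet header
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"  # 64-byte fixed part of the NEGOTIATE response


def parse_negotiate_response(pkt: bytes) -> dict:
    """Extract status, dialect and SecurityMode from a raw SMB2 NEGOTIATE response."""
    if len(pkt) < struct.calcsize(HEADER_FMT) + struct.calcsize(NEG_RESP_FMT):
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    (magic, hdr_size, _credit_charge, status, command, _credits, flags, _next_cmd,
     _msg_id, _reserved, _tree_id, _session_id, _signature) = struct.unpack_from(HEADER_FMT, pkt, 0)
    if magic != SMB2_MAGIC or hdr_size != 64:
        raise ValueError("not an SMB2 header")
    if command != SMB2_NEGOTIATE or not (flags & SMB2_FLAGS_SERVER_TO_REDIR):
        raise ValueError("not a NEGOTIATE response")
    (struct_size, security_mode, dialect, _ctx_count, _server_guid, _caps, _max_tx,
     _max_rd, _max_wr, _sys_time, _start_time, _sec_off, _sec_len,
     _ctx_off) = struct.unpack_from(NEG_RESP_FMT, pkt, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {"status": status, "dialect": dialect, "security_mode": security_mode}


def signing_posture(security_mode: int) -> str:
    """Classify the server's SecurityMode bits as required / enabled / disabled."""
    if security_mode & SIGNING_REQUIRED:
        return "required"
    if security_mode & SIGNING_ENABLED:
        return "enabled"   # signing offered but optional: an unsigned session is still accepted
    return "disabled"


def accepts_unsigned_sessions(security_mode: int) -> bool:
    """True when the host is still a candidate for hardening (signing not enforced)."""
    return not (security_mode & SIGNING_REQUIRED)


def build_sample_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed test data: a minimal NEGOTIATE response with the given SecurityMode."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0x7, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def audit(hosts: dict) -> dict:
    """Map host name -> signing posture for a dict of host -> captured NEGOTIATE response."""
    return {h: signing_posture(parse_negotiate_response(p)["security_mode"])
            for h, p in hosts.items()}


if __name__ == "__main__":
    # Hypothetical host names; the responses are constructed, not captured.
    sample = {
        "fileserver01": build_sample_response(SIGNING_ENABLED | SIGNING_REQUIRED),
        "legacy-nas": build_sample_response(SIGNING_ENABLED),
    }
    for host, posture in audit(sample).items():
        print(f"{host}: SMB signing {posture}")
```

In practice the bytes handed to `parse_negotiate_response` would come from a packet capture of your own servers' negotiate exchanges; any host reported as "enabled" or "disabled" is one where the "SMB signing required" policy has not taken effect.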
Link:—-threats/penetration-test-data-shows-risk-to-domain-admin-credentials/d/d-id/1335324

Fujitsu opens SOC in Canberra
Eleanor Dickinson
ARN, from IDG
Named the Cyber Resilience Centre (CRC), the facility will provide a centralised management hub for Fujitsu’s new security-as-a-service (SECaaS) offerings.

Aimed primarily at Federal and State Government customers, the facility will oversee managed and professional security services across the Oceania region using an unnamed Australian Signals Directorate-certified Protected Cloud as a host.
Operating on a consumption cost model, the centre will provide services including: threat analytics, vulnerability management, threat intelligence and threat response.

How DNS firewalls can burn security teams
Andrew Wertkin
Help Net Security
It’s easy to see how DNS firewalls could have thwarted 33% of data breaches.
For most IT and security teams, DNS has been an afterthought.
Or, worse, not even that.
The research, conducted by the Global Cyber Alliance, was absolutely still worth doing.
On the surface, this research is good news.
It suggests there is a low-hanging fruit in the cybersecurity space.
But it also suggests that a DNS firewall is the logical next step to improved security.
It’s not — at least not on its own.
Turning DNS data gathering inwards, towards the edge, will allow you to examine the contextual data you need to shut down malicious activity long before it attempts to smuggle data out of the network.
Compromised devices can, and often do, act locally to perform reconnaissance or hoover up data before communicating out.
These internal queries, to private DNS, are not seen at all by most external facing DNS firewalls.
Further, by having device attribution of this data, I can spot patterns that are difficult or impossible to find among a firehose of data that doesn’t have originating device attribution.
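The point made above is that internal queries to private DNS, once tied to the originating device, reveal reconnaissance that an external-facing DNS firewall never sees. The following is an added example (not code from the Help Net Security article) of that kind of internal detection: it parses resolver query-log lines, attributes each query to a device through an IP-to-asset table, and flags any device that resolves many distinct internal names in a short window, a pattern typical of a compromised host mapping the LAN. The log lines, the `corp.example` zone, the device names and the IP table are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an internal resolver's query log (BIND-style "query:" lines).
# One laptop does ordinary browsing; one kiosk resolves a dozen servers in three seconds.
QUERY_LOG = """\
30-Jul-2019 09:00:01.000 client 10.20.30.41#50001: query: mail.corp.example IN A
30-Jul-2019 09:00:02.000 client 10.20.30.41#50002: query: sharepoint.corp.example IN A
30-Jul-2019 09:00:05.000 client 10.20.30.77#50003: query: mail.corp.example IN A
30-Jul-2019 09:00:06.000 client 10.20.30.77#50004: query: fs01.corp.example IN A
30-Jul-2019 09:00:06.200 client 10.20.30.77#50005: query: fs02.corp.example IN A
30-Jul-2019 09:00:06.400 client 10.20.30.77#50006: query: dc01.corp.example IN A
30-Jul-2019 09:00:06.600 client 10.20.30.77#50007: query: sql01.corp.example IN A
30-Jul-2019 09:00:06.800 client 10.20.30.77#50008: query: backup01.corp.example IN A
30-Jul-2019 09:00:07.000 client 10.20.30.77#50009: query: _ldap._tcp.corp.example IN SRV
30-Jul-2019 09:00:07.200 client 10.20.30.77#50010: query: vcenter.corp.example IN A
30-Jul-2019 09:00:07.400 client 10.20.30.77#50011: query: wsus.corp.example IN A
30-Jul-2019 09:00:07.600 client 10.20.30.77#50012: query: git.corp.example IN A
30-Jul-2019 09:00:07.800 client 10.20.30.77#50013: query: printsrv.corp.example IN A
30-Jul-2019 09:00:08.000 client 10.20.30.77#50014: query: nas01.corp.example IN A
30-Jul-2019 09:30:00.000 client 10.20.30.41#50015: query: intranet.corp.example IN A
"""

# Constructed device attribution table (in practice: DHCP leases or the asset inventory).
DEVICE_BY_IP = {"10.20.30.41": "LAPTOP-ALICE", "10.20.30.77": "KIOSK-LOBBY-2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def parse_log(text: str) -> list:
    """Turn query-log lines into events attributed to a device (unknown IPs are kept, labelled)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-query lines rather than failing the whole run
        events.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "device": DEVICE_BY_IP.get(m["ip"], f"unattributed:{m['ip']}"),
            "name": m["name"].lower(),
            "qtype": m["qtype"],
        })
    return events


def find_enumeration(events: list, internal_suffix: str = ".corp.example",
                     window: timedelta = timedelta(seconds=60), threshold: int = 8) -> dict:
    """Return {device: max distinct internal names resolved inside any `window`} for devices
    that reach `threshold`. Only internal names count; external lookups are the firewall's job."""
    by_device = defaultdict(list)
    for e in events:
        if e["name"].endswith(internal_suffix):
            by_device[e["device"]].append(e)
    alerts = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window so it spans at most `window` seconds
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["name"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[device] = max(len(distinct), alerts.get(device, 0))
    return alerts


if __name__ == "__main__":
    for device, count in find_enumeration(parse_log(QUERY_LOG)).items():
        print(f"ALERT {device}: resolved {count} distinct internal names within 60s")
```

The threshold and window are tuning knobs; the useful property is that the alert is keyed by device, so the same burst seen only as a firehose of queries from a shared resolver IP would not have been attributable to the kiosk.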

Verint Systems selected as official supplier of Web Intelligence solutions to the UK police forces
Help Net Security
Verint Systems, a global provider of data mining software for Cyber Intelligence, announced it has been selected by The UK Police ICT Company as an official supplier of Web Intelligence solutions to the UK police forces, under Project IRIS.
Project IRIS represents all police forces in England and Wales as well as associated forces and agencies across the UK, including Police Scotland and the Police Service of Northern Ireland.
The total value of the IRIS procurement framework is £50 million over several years.

Optiv Security opens the Dallas Innovation and Fusion Center
Help Net Security
Optiv Security, a security solutions integrator delivering end-to-end cybersecurity solutions across the globe, announced the opening of its new Dallas Innovation and Fusion Center, a state-of-the-art, more than 14,000-square-foot facility located in the HALL Park complex in Frisco, Texas.
The Center brings together a diverse team of cybersecurity experts – cyber digital and risk professionals, threat and innovation experts and others – working together with clients and industry partners to develop integrated, tailored and proactive cybersecurity solutions that address the speed of business change.

Analytics new battleground for MSSPs in Asia
Kenny Yeo
Channel Asia
This lack of talent and the constant push to meet regulatory compliance is driving the adoption of managed security services (MSS) solutions.
Traditional security monitoring is no longer sufficient because of limited log collection and rule-based analysis.
This shift in enterprise focus from device management to threat management is expected to drive the MSS market from US$1.97 billion in 2017 towards US$4.34 billion in 2022, at a compound annual growth rate (CAGR) of 17.1 per cent.
Furthermore, MSSPs are investing in technologies such as anti-distributed denial of service (DDoS), advanced malware analysis and advanced endpoint protection to deliver cloud-based security services.

Ramona Zimmerman
Rent Fin
The Global Research report titled Threat Intelligence Market delivers key insights and provides a competitive advantage to clients through a detailed report.
The report contains 200 pages which cover the current market scenario, upcoming and future opportunities, revenue growth, pricing and profitability.
The exclusive data offered in this report was collected by a team of research and industry experts.
The Threat Intelligence Market size is estimated to grow from US$ 5.3 Billion in 2018 to US$ 12.9 Billion by 2023, at a Compound Annual Growth Rate (CAGR) of 19.7%.
The report, spread across 200 pages, profiling 25 companies and supported with 90 tables and 41 figures, is now available.
The SMEs segment is expected to grow at the highest CAGR, owing to the rising deployment of threat intelligence solutions by SMEs to proactively protect their digital assets.
SMEs are small in terms of their size but cater to a large number of customers globally.
Robust and comprehensive security solutions are not implemented in SMEs, due to financial constraints in these organizations.
Weak cyber security and low budget make the organizations more susceptible to advanced cyber-attacks such as ransomware, botnets, zero-day attacks, and Advanced Persistent Threats (APTs).
APAC includes emerging economies such as India, China, Australia, Hong Kong, and Japan, which are rapidly deploying threat intelligence solutions.
APAC is expected to grow at the highest CAGR during the forecast period.
The APAC threat intelligence market is gaining traction as it provides proactive security measures against the evolving cyber-attacks.

Endace and Micro Focus Partnership Delivers New Security Insights for Threat Hunting and Investigation
Virtual Strategy
London, UK – July 24, 2019 – Endace, specialists in high speed network recording and analytics hosting, today announced a new partnership with Micro Focus®.
Alongside the partnership announcement, Endace and Micro Focus also announced new integration between ArcSight Enterprise Security Manager and the EndaceProbe™ Analytics Platform to deliver faster, more accurate response to cybersecurity threats.
This integration dramatically reduces the time required for security analysts to respond to cybersecurity threats, at scale.

‘SOC’ It to ‘Em: How to Overcome Security Operations Center Challenges
Ericka Chickowski
Channel Futures
According to a new study from SANS Institute, today’s SOCs are treading water when it comes to making progress on maturing their practices and improving their technical capabilities.
Experts say that may not be such a bad thing considering how quickly the threats and the tech stacks they monitor are expanding and changing.

Staffing levels. 
According to SANS, the size scales by organizational size, with organizations with between 10,000 and 15,000 employees generally running a SOC with six to 10 employees; organizations from 15,001 employees up to 100,000 putting together SOC teams of approximately 11-25 analysts; and very large enterprises with over 100,000 employees standing up SOCs with 26-100 analysts. 
SOC budgets. 
When asked about where they’d like to see more investments, 39% said they’d want to make additional investments in new/modern technology, 35% said they’d like to secure additional funding for staffing needs, and 34% would invest in automation to save time. 
Some 43% of organizations report that they outsource certain functions of their work.
The three most popular functions for outsourcing – both in prevalence and growth over the last year – were malware analysis expertise, threat analysis and threat intel services.
This is in line with SANS outsourcing findings, which broke up categories differently but found that monitoring and detection capabilities were outsourced to some degree by 76% of respondents. 
Top tech used. 
According to the SANS study, security information and event management (SIEM) platforms are far and away the front-running technology for security analysts to correlate and analyze all of the data feeds they must deal with on a daily basis.
That’s followed by threat intel platforms, log management systems, and security automation and orchestration tools (SOAR). 
SOC pain points.
Time wasted spinning wheels was one of the biggest pain points identified by those surveyed in the Exabeam study. 
Other common complaints were out-of-date systems or applications, false positives, and lack of visibility. 
SOC-NOC relationships. 
Getting SOC analysts to team with network operations center (NOC) analysts is still a tall task for most organizations. 
Proving SOC value with metrics. 
SANS analysts say that if SOC managers are going to get more budget to make the investments they need to move the needle on SOC maturity, they’ve got to get better at the metrics game. 
The No. 1-used metric to track and report the SOC’s performance is the number of incidents handled.
Meantime, only a very slim number of SOCs track monetary cost per incident or losses accrued versus losses prevented.

D3 Security Creates First Proactive Response Platform by Bringing Together SOAR and the MITRE ATT&CK Framework
Business Wire
VANCOUVER, British Columbia—(BUSINESS WIRE)—D3 Security, an innovator in security orchestration, automation and response (SOAR) technology, has released ATTACKBOT, a unique solution that utilizes the MITRE ATT&CK framework to identify and address the entire kill chain of complex attacks.
ATTACKBOT is a significant enhancement to existing SOAR capabilities that allows organizations to predict attacker behavior and focus remediation efforts effectively for more conclusive incident response.
ATTACKBOT streamlines the identification of incidents by allowing security teams to monitor attack progress in real time, correlate incidents with known adversary behaviors, and take appropriate action with the assistance of decision-tree-based playbooks.
ATTACKBOT delivers proactive intervention against ongoing attacks by treating every event as a link in a large chain of adversarial intent instead of solely isolated incidents.
By enabling visualizations of what the attack is and how far it has progressed, organizations are able to proactively intervene before the kill chain is complete.

Posted on 07/30