[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Base Rates And Security Monitoring Use Cases
As we continue to work on our research about security monitoring use cases, a few interesting questions around the technology implementation and optimization arise.
Any threat detection system designed to generate alerts (new “analytics” products such as UEBA tools have been moving away from simple alert generation to using “badness level” indicators – that’s an interesting evolution and I’ll try to write more about that in the future) will have an effectiveness level that indicates how precise it is, in terms of false positives and false negatives.
Many people believe that getting those rates to something like “lower than 1%” would be enough, but the truth is that the effectiveness of an alert generation system includes more than just those numbers.
One thing that makes this analysis more complicated than it looks is the “base rate fallacy”: when the condition you are looking for is rare, even a detector with a low false positive rate produces mostly false alarms, because the small fraction of benign events that trip it still outnumbers the true positives.
What makes this extremely important to our security monitoring systems is that almost all of them are analyzing data, such as log events, network connections and files, where the base rate of malicious activity is very low.
For a security system to detect that malicious activity based only on those logs, it must have extremely low FP and FN rates, and the FP rate in particular must be low relative to the base rate, for its alerts to be usable by a SOC.
You don’t need to do a full statistical analysis of every detection use case to make use of this concept.
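A worked version of the base rate arithmetic, added here as an example (it is not code from the original post or from Gartner). The event volume, base rate and detector rates are constructed assumptions chosen to make the effect visible: one billion events per day with one malicious event per 100,000, and a detector with a 1% false negative rate.

```python
"""Base rate arithmetic for alerting use cases (added example, not from the original post).

All numbers are constructed assumptions: one billion events per day,
of which 1 in 100,000 is malicious, and a detector with 99% coverage.
"""


def alert_precision(base_rate: float, tpr: float, fpr: float) -> float:
    """Fraction of alerts that are true positives (positive predictive value).

    base_rate: prior probability that an event is malicious
    tpr: true positive rate (1 - false negative rate), i.e. detection coverage
    fpr: false positive rate, the fraction of benign events that raise an alert
    """
    true_alerts = base_rate * tpr
    false_alerts = (1.0 - base_rate) * fpr
    if true_alerts + false_alerts == 0.0:
        return 0.0
    return true_alerts / (true_alerts + false_alerts)


def max_fpr_for_precision(base_rate: float, tpr: float, target_precision: float) -> float:
    """Largest false positive rate that still achieves target_precision.

    Solves precision = b*t / (b*t + (1-b)*f) for f.
    """
    if not 0.0 < target_precision <= 1.0:
        raise ValueError("target precision must be in (0, 1]")
    return base_rate * tpr * (1.0 - target_precision) / (target_precision * (1.0 - base_rate))


def daily_alert_volume(events_per_day: int, base_rate: float, tpr: float, fpr: float):
    """Expected (true positive, false positive) alert counts per day."""
    malicious = events_per_day * base_rate
    benign = events_per_day - malicious
    return malicious * tpr, benign * fpr


if __name__ == "__main__":
    b = 1e-5  # assumed base rate: 1 malicious event per 100,000
    t = 0.99  # assumed 1% false negative rate
    for f in (0.01, 1e-4, 1e-5):
        tp, fp = daily_alert_volume(1_000_000_000, b, t, f)
        print(f"FPR {f:g}: precision {alert_precision(b, t, f):.2%}, "
              f"{tp:,.0f} true vs {fp:,.0f} false alerts/day")
    print(f"FPR needed for 50% precision: {max_fpr_for_precision(b, t, 0.5):.2e}")
```

With these inputs a 1% false positive rate yields roughly 0.1% precision (about 9,900 true alerts buried under ten million false ones per day); the FP rate has to come down to the order of the base rate itself before half of the alerts are real. `max_fpr_for_precision` is the number to compare against a candidate rule's measured FP rate before committing SOC time to it.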
That was all about base rates; there are other things to take into account when designing and optimizing use cases, such as the importance of the event being detected and the operational processes triggered by the alerts.
But that’s something for another post (and, of course, for that research report coming soon!)
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=520dcfc907&e=20056c7556
European companies unsure of how to detect successful targeted cyber attacks
Senior IT decision makers at the helm of European companies are unsure how to work out if their organisations have been the subjects of targeted attacks, new threat intelligence from security firm Trend Micro has found.
Out of 251 surveyed organisations that had been successfully targeted, 31 were completely unaware of whether any of their data had been stolen, and a further six knew they had been attacked but were unable to determine how much data had been taken.
Despite this, companies are perceived to be more competent than in previous years: just over a quarter of respondents said that European firms were “complacent” about breaches in 2013, but this year only six per cent said the same.
Although faring well overall, six British organisations found places in the report’s top 40 worst attacks, including the worst and second worst attacks, incurring serious reputational damage, data losses and financial losses of more than €1 million.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=815cd34b36&e=20056c7556
Cyber security skills gap: ‘Pay more and the problem will go away,’ says Reuters IT security chief
The IT security “skills gap” could quickly be narrowed by simply paying security staff more, according to Thomson Reuters’ senior information security architect, Andy Boura, speaking on a panel at Computing’s Enterprise Security and Risk Management 2015 summit yesterday.
Furthermore, he argued, organisations could – indeed, should – help ordinary IT staff to upskill so that they can shift into IT security, removing the need for organisations to get the security skills they need by recruiting so-called black hats.
“The real issue,” he said, “is there’s a shortage of budget to pay people what you need to pay them to attract them, and to attract people in other industries.”
As regards hiring black hats, Boura said he could imagine taking a “case by case” approach depending on the candidate’s suitability for certain tasks, with an emphasis on keeping them hands-off from the business.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b94d033f91&e=20056c7556
Security Experts Warn of ‘Highly Sophisticated’ ModPOS Malware
The Texas-based cybersecurity firm iSight Partners released a detailed report on ModPOS earlier this week, and has already briefed “numerous” retailers about the potential threat.
The company said its experts are also working with the Retail Cyber Intelligence Sharing Center to help member businesses watch for and defend against the malware platform.
ModPOS is not only difficult to detect, but can be configured to target multiple and specific parts of retailers’ POS systems.
Based on some IP addresses observed as they reverse-engineered the platform, iSight researchers believe the malware might have ties to Eastern Europe.
ModPOS also features custom plugins and other specialized functions, Ward noted. “Given its sophistication, it has taken our malware analysis ninjas a substantial amount of time to reverse-engineer the software,” he said.
Even retailers with more advanced POS systems using EMV smart card (also called chip-and-PIN) technology can be vulnerable to ModPOS, according to iSight.
If the POS system isn’t configured to support end-to-end encryption and encrypted data in memory, ModPOS — as well as other malware that uses RAM scraping techniques — can still enable access to customers’ payment card data, Ward said.
That data can then be reused for online purchases where the physical presence of a payment card isn’t needed.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e134055b6c&e=20056c7556
Microsoft enables potential unwanted software detection for enterprise customers
The new feature is available in Microsoft’s System Center Endpoint Protection (SCEP) and Forefront Endpoint Protection (FEP) as an option that can be turned on by system administrators.
PUA signatures are included in the anti-malware definition updates and cloud protection, so no additional configuration is needed.
Microsoft recommends that this feature be deployed after creating a corporate policy that explains what potentially unwanted applications are and prohibits their installation.
Employees should also be informed in advance that this protection will be enabled to reduce the potential number of calls to the IT helpdesk when certain applications that worked before start being blocked.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ef9fd5bdbc&e=20056c7556
BAE Systems identifies three key security strategies
There are three information security strategies that are key to evening the odds between attackers and enterprise defenders, according to aerospace and defence firm BAE Systems.
First is to use threat intelligence to understand the latest attack group activities, their motivations, their tools, techniques and who they are targeting.
A second key strategy is network segmentation to ensure that when defences are breached, attackers do not have unfettered access to the entire network.
The third key strategy advocated by BAE Systems is to combine the monitoring of operational and information technology, because attackers will exploit any system vulnerabilities to achieve their goals.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=887bcd86d6&e=20056c7556
How to tackle cyber security as a collaborative team
Cyber security has long been seen as a technology problem.
Speak to any security professional and the proverbial ‘needle in the haystack’ often comes up when describing the task of sifting through the different components in the wake of an attack.
To transform companies from sitting ducks into cyber threat experts, four simple things are needed to get a single pane of glass view across operations and respond effectively to a threat:
– Collect network information from systems across your environment
– Collect end point data
– Understand user identity
– Threat intelligence
The speed of response when a business is hit by an attack is crucial to the ability to fend it off.
First, organisations need to spot the most dangerous attacks.
That means knowing what’s in front of you and what automated action can be taken.
Of the millions of alerts you get, which ones need human attention, versus human interaction?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4873db991a&e=20056c7556
How Lockheed Martin, Cisco and PWC manage cybersecurity
The capabilities and knowledge of your organization’s customers and nontechnical staff have long been one of the greatest cybersecurity threats.
The ability to persuade people and defeat security measures is known under the broad heading of social engineering.
Social engineering tactics – specifically phishing emails – were at the core of the 2011 RSA SecurID breach which shook confidence in security across the world.
As that incident shows, even highly respected firms and security technologies are vulnerable to social engineering threats.
Leading companies use several approaches to mitigate the risk.
“At Cisco, we have a comprehensive training program that addresses information security,” commented Patrick Harbauer, technical lead for the Neohapsis PCI DSS services practice at Cisco Systems. “Annual training and computer based testing is a key part of our practice to equip our staff with the skills to detect and avoid phishing and similar information security threats,” Harbauer says.
“At Lockheed Martin, our security approach includes monitoring for high risk behavior flags.
These flags are then investigated by a specialized team.
For example, if an employee suddenly starts logging into the company network at 3am where they previously never did so, that would raise a flag,” comments Angela Heise, vice president, commercial markets at Lockheed Martin. “Of course, that person could have decided to check email after taking care of a young child in the night, so judgement is required to evaluate these flags,” she says.
“The best CIOs and executives we work with use several monitoring strategies to address cyber security risk,” shared Carolyn Holcomb, Partner and Leader of the Risk Assurance Data Protection and Privacy Practice at PricewaterhouseCoopers (PwC). “In managing vendors and third parties, the best approach is to request a SOC2 report where an independent party conducts a thorough assessment of security, privacy or other points,” says Holcomb.
SOC 2 is an internal controls report defined by the American Institute of CPAs that addresses security, availability, processing integrity, confidentiality and privacy matters.
As business leaders, CIOs have limited time to manage security and lead other efforts.
Given this reality of limited resources for security, Holcomb recommends increased security and attention on very important assets. “Customer data, merger and acquisition information, intellectual property and pre-release financial data are frequently targeted by hackers.
It makes sense to apply additional controls and protection to this information,” she says.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=279f9d5039&e=20056c7556
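The Lockheed Martin example above (a login at 3am from someone who never logged in at that hour) is a simple behavioural flag. The following is an added illustration of that kind of check and is not Lockheed Martin's code; the log lines, user names and the "timestamp user action" format are constructed for the example. It builds a per-user profile of login hours from a baseline window and flags later logins in hours that user has never been seen in, producing flags for an analyst rather than verdicts.

```python
"""Behavioural flag for logins at an unusual hour (added example, not Lockheed Martin's code).

Builds a per-user profile of login hours from a baseline of constructed
log lines, then flags new logins in hours that user has never been seen
in. A flag is a prompt for an analyst, not a verdict.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline log, one "timestamp user action" record per line
BASELINE_LOG = """\
2015-11-02T08:05:00 alice login
2015-11-02T13:10:00 alice login
2015-11-03T08:55:00 alice login
2015-11-04T09:20:00 alice login
2015-11-05T08:15:00 alice login
2015-11-02T22:05:00 bob login
2015-11-03T23:40:00 bob login
2015-11-04T01:15:00 bob login
2015-11-05T22:30:00 bob login
"""

# Constructed new events to evaluate against the baseline
NEW_LOG = """\
2015-11-24T03:02:00 alice login
2015-11-24T01:10:00 bob login
2015-11-24T09:00:00 alice login
2015-11-24T03:30:00 carol login
"""


def parse(line):
    """Split one constructed record into (datetime, user, action)."""
    ts, user, action = line.split()
    return datetime.fromisoformat(ts), user, action


def build_profile(log_text):
    """Map user -> Counter of hours-of-day in which that user logged in."""
    profile = defaultdict(Counter)
    for line in log_text.splitlines():
        ts, user, action = parse(line)
        if action == "login":
            profile[user][ts.hour] += 1
    return profile


def flag_logins(profile, log_text, min_seen=1):
    """Return (timestamp, user, reason) for logins outside the user's usual hours.

    min_seen is how many baseline logins in that hour make it "usual";
    users with no baseline at all are flagged so an analyst can decide.
    """
    flags = []
    for line in log_text.splitlines():
        ts, user, action = parse(line)
        if action != "login":
            continue
        if user not in profile:
            flags.append((ts.isoformat(), user, "no baseline for user"))
        elif profile[user][ts.hour] < min_seen:
            flags.append((ts.isoformat(), user,
                          f"never seen logging in at hour {ts.hour:02d}"))
    return flags


if __name__ == "__main__":
    for flag in flag_logins(build_profile(BASELINE_LOG), NEW_LOG):
        print(*flag)
```

Run against the constructed data it flags alice's 03:02 login and carol's login (no baseline), while bob's 01:10 login passes because his baseline already contains a night-shift login in that hour. The per-hour histogram is deliberately coarse; in practice the baseline window, the `min_seen` threshold and whether to treat weekends separately are tuning decisions that trade false positives against coverage.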
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage1.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=793acd2ede)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)