{"id":1174,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail219-atl61-mcsv-net\/"},"modified":"2021-12-30T11:38:54","modified_gmt":"2021-12-30T11:38:54","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail219-atl61-mcsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail219-atl61-mcsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail219.atl61.mcsv.net;"},"content":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s]<br \/>\nApart from the reporter&#8217;s opinions \ud83d\ude09<br \/>\nSo onto the news:<\/p>\n<p>Base Rates And Security Monitoring Use Cases<br \/>\nAs we continue to work on our research about security monitoring use cases, a few interesting questions around the technology implementation and optimization arise.<br \/>\nAny threat detection system designed to generate alerts (new \u201canalytics\u201d products such as UEBA tools have been moving away from simple alert generation to using \u201cbadness level\u201d indicators \u2013 that\u2019s an interesting evolution and I\u2019ll try to write more about that in the future) will have an effectiveness level that indicates how precise it is, in terms of false positives and false negatives.<br \/>\nMany people believe that getting those rates to something like \u201clower than 1%\u201d would be enough, but the truth is that the effectiveness of an alert generation system includes more than just those numbers.<br \/>\nOne thing 
that makes this analysis more complicated than it looks is something known as \u201cbase rate fallacy\u201d.<br \/>\nWhat makes this extremely important to our security monitoring systems is that almost all of them are analyzing data, such as log events, network connections, files, etc, that have a very low base rate probability of being related to malicious activity.<br \/>\nFor a security system to detect that malicious activity only based on those logs it must have extremely low FP and FN rates in order to be usable by a SOC.<br \/>\nYou don\u2019t need to do a full statistical analysis of every detection use case to make use of this concept.<br \/>\nThat was all about base rates; there are other things to take into account when designing and optimizing use cases, such as the importance of the event being detected and the operational processes triggered by the alerts.<br \/>\nBut that\u2019s something for another post (and, of course, for that research report coming soon!)<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=520dcfc907&#038;e=20056c7556<\/p>\n<p>European companies unsure of how to detect successful targeted cyber attacks<br \/>\nSenior IT decision makers at the helm of European companies are unsure how to work out if their organisations have been the subjects of targeted attacks, new threat intelligence from security firm Trend Micro has found.<br \/>\nOut of 251 surveyed organisations that had been successfully targeted, 31 were completely unaware if any of their data had been stolen and a further six knew they had been attacked but were unable to determine how much data had been taken.<br \/>\nDespite this, companies are perceived to be more competent than in previous years: just over a quarter of respondents said that European firms were \u201ccomplacent\u201d about breaches in 2013, but this year only six per cent said the same.<br \/>\nAlthough faring well overall, six British organisations 
found places in the report\u2019s top 40 worst attacks, including the worst and second worst attacks, incurring serious reputational damage, data losses and financial losses of more than \u20ac1 million.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=815cd34b36&#038;e=20056c7556<\/p>\n<p>Cyber security skills gap: &#8216;Pay more and the problem will go away,&#8217; says Reuters IT security chief<br \/>\nThe IT security &#8220;skills gap&#8221; could quickly be narrowed by simply paying security staff more, according to Thomson Reuters&#8217; senior information security architect, Andy Boura, speaking on a panel at Computing&#8217;s Enterprise Security and Risk Management 2015 summit yesterday.<br \/>\nFurthermore, he argued, organisations could &#8211; indeed, should &#8211; help ordinary IT staff to upskill so that they can shift into IT security, removing the need for organisations to get the security skills they need by recruiting so-called black hats.<br \/>\n&#8220;The real issue,&#8221; he said, &#8220;is there&#8217;s a shortage of budget to pay people what you need to pay them to attract them, and to attract people in other industries.<br \/>\nAs regards to hiring black hats, Boura said he could imagine taking a &#8220;case by case&#8221; approach depending on the candidate&#8217;s suitability for certain tasks, with an emphasis on keeping them hands-off from the business.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=b94d033f91&#038;e=20056c7556<\/p>\n<p>Security Experts Warn of &#8216;Highly Sophisticated&#8217; ModPOS Malware<br \/>\nThe Texas-based cybersecurity firm iSight Partners released a detailed report on ModPOS earlier this week, and has already briefed &#8220;numerous&#8221; retailers about the potential threat.<br \/>\nThe company said its experts are also working with the Retail Cyber Intelligence Sharing Center to help member 
businesses watch for and defend against the malware platform.<br \/>\nModPOS is not only difficult to detect, but can be configured to target multiple and specific parts of retailers&#8217; POS systems.<br \/>\nBased on some IP addresses observed as they reverse-engineered the platform, iSight researchers believe the malware might have ties to Eastern Europe.<br \/>\nModPOS also features custom plugins and other specialized functions, Ward noted. &#8220;Given its sophistication, it has taken our malware analysis ninjas a substantial amount of time to reverse-engineer the software,&#8221; he said.<br \/>\nEven retailers with more advanced POS systems using EMV smart card (also called chip-and-PIN) technology can be vulnerable to ModPOS, according to iSight.<br \/>\nIf the POS system isn&#8217;t configured to support end-to-end encryption and encrypted data in memory, ModPOS &#8212; as well as other malware that uses RAM scraping techniques &#8212; can still enable access to customers&#8217; payment card data, Ward said.<br \/>\nThat data can then be reused for online purchases where the physical presence of a payment card isn&#8217;t needed.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=e134055b6c&#038;e=20056c7556<\/p>\n<p>Microsoft enables potential unwanted software detection for enterprise customers<br \/>\nThe new feature is available in Microsoft&#8217;s System Center Endpoint Protection (SCEP) and Forefront Endpoint Protection (FEP) as an option that can be turned on by system administrators.<br \/>\nPUA signatures are included in the anti-malware definition updates and cloud protection, so no additional configuration is needed.<br \/>\nMicrosoft recommends that this feature be deployed after creating a corporate policy that explains what potentially unwanted applications are and prohibits their installation.<br \/>\nEmployees should also be informed in advance that this protection will be enabled to 
reduce the potential number of calls to the IT helpdesk when certain applications that worked before start being blocked.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=ef9fd5bdbc&#038;e=20056c7556<\/p>\n<p>BAE Systems identifies three key security strategies<br \/>\nThere are three information security strategies that are key to evening the odds between attackers and enterprise defenders, according to aerospace and defence firm BAE Systems.<br \/>\nFirst is to use threat intelligence to understand the latest attack group activities, their motivations, their tools, techniques and who they are targeting.<br \/>\nA second key strategy is network segmentation to ensure that when defences are breached, attackers do not have unfettered access to the entire network.<br \/>\nThe third key strategy advocated by BAE Systems is to combine the monitoring of operational and information technology, because attackers will exploit any system vulnerabilities to achieve their goals.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=887bcd86d6&#038;e=20056c7556<\/p>\n<p>How to tackle cyber security as a collaborative team<br \/>\nCyber security has long been seen as a technology problem.<br \/>\nSpeak to any security professional and the proverbial \u2018needle in the haystack\u2019 often comes up when sifting through the different components in the wake of an attack.<br \/>\nTo transform companies from sitting ducks into cyber threat experts, four simple things are needed to get a single pane of glass view across operations and respond effectively to a threat:<br \/>\n&#8211; Collect network information from systems across your environment<br \/>\n&#8211; Collect end point data<br \/>\n&#8211; Understand user identity<br \/>\n&#8211; Threat intelligence<br \/>\nThe speed of response when a business is hit by an attack is crucial to the ability to fend it off.<br 
\/>\nFirst, organisations need to spot the most dangerous attacks.<br \/>\nThat means knowing what\u2019s in front of you and what automated action can be taken.<br \/>\nOf the millions of alerts you get, which ones need human attention, versus human interaction?<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=4873db991a&#038;e=20056c7556<\/p>\n<p>How Lockheed Martin, Cisco and PWC manage cybersecurity<br \/>\nThe capabilities and knowledge of your organization\u2019s customers and nontechnical staff has long been one of the greatest cybersecurity threats.<br \/>\nThe ability to persuade people and defeat security measures is known under the broad heading of social engineering.<br \/>\nSocial engineering tactics \u2013 specifically phishing emails \u2013 were at the core of the 2011 RSA SecurID breach which shook confidence in security across the world.<br \/>\nAs that incident shows, even highly respected firms and security technologies are vulnerable to social engineering threats.<br \/>\nLeading companies use several approaches to mitigate the risk.<br \/>\n\u201cAt Cisco, we have a comprehensive training program that addresses information security,\u201d commented Patrick Harbauer, technical lead for the Neohapsis PCI DSS services practice at Cisco Systems. \u201cAnnual training and computer based testing is a key part of our practice to equip our staff with the skills to detect and avoid phishing and similar information security threats,\u201d Harbauer says.<br \/>\n\u201cAt Lockheed Martin, our security approach includes monitoring for high risk behavior flags.<br \/>\nThese flags are then investigated by a specialized team.<br \/>\nFor example, if an employee suddenly starts logging into the company network at 3am where they previously never did so, that would raise a flag,\u201d comments Angela Heise, vice president, commercial markets at Lockheed Martin. 
\u201cOf course, that person could have decided to check email after taking care of a young child in the night, so judgement is required to evaluate these flags,\u201d she says.<br \/>\n\u201cThe best CIOs and executives we work with use several monitoring strategies to address cyber security risk,\u201d shared Carolyn Holcomb, Partner and Leader of the Risk Assurance Data Protection and Privacy Practice at PricewaterhouseCoopers (PwC). \u201cIn managing vendors and third parties, the best approach is to request a SOC2 report where an independent party conducts a thorough assessment of security, privacy or other points,\u201d says Holcomb.<br \/>\nSOC2 is an internal controls report defined by the American Institute of CPAs that address security, availability, processing integrity, confidentiality and privacy matters.<br \/>\nAs business leaders, CIOs have limited time to manage security and lead other efforts.<br \/>\nGiven this reality of limited resources for security, Holcomb recommends increased security and attention on very important assets. \u201cCustomer data, merger and acquisition information, intellectual property and pre-release financial data are frequently targeted by hackers.<br \/>\nIt makes sense to apply additional controls and protection to this information,\u201d she says.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=279f9d5039&#038;e=20056c7556<\/p>\n<p>============================================================<br \/>\nFeedback, questions? 
Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n<p>If you know someone else who would be interested in this Newsalert, please forward this email.<br \/>\nIf you want to be added to the distribution list, please click this:   ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a)<\/p>\n<p>** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage1.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556&#038;c=793acd2ede)<\/p>\n<p>** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s] Apart from the reporter&#8217;s opinions \ud83d\ude09 So onto the news: Base Rates And Security Monitoring Use Cases As we continue to work on our research about security monitoring use cases, a few interesting questions around the technology 
implementation&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1174","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1174"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1174\/revisions"}],"predecessor-version":[{"id":3661,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1174\/revisions\/3661"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
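The base-rate discussion in the first news item above ("Base Rates And Security Monitoring Use Cases") is the one technical passage in this digest, and its point is easy to state but rarely computed: a detector with "lower than 1%" false-positive and false-negative rates still produces alerts that are almost all false once the base rate of malicious events is tiny. The Python below is an added example, not code from the newsletter or from the research it summarises. It computes the precision of an alert (the probability an alert is real) from base rate, FP rate and FN rate, scales that to a daily alert count, and inverts the formula to find the per-event FP rate a detector would need to reach a target precision. The base rate of 1 in 100,000, the 1% FP/FN rates, and the 100 million events per day are constructed figures chosen for illustration, not values taken from the page.

```python
# Added example (not from the newsletter or the research it quotes): how the
# base rate dominates alert precision. All numeric inputs below are
# constructed for illustration.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Detector:
    base_rate: float  # P(event is malicious), e.g. 1e-5 for raw log events
    fp_rate: float    # P(alert | benign event)
    fn_rate: float    # P(no alert | malicious event)


def precision(d: Detector) -> float:
    """P(malicious | alert): the share of alerts an analyst can trust.

    Bayes' rule with the base rate as the prior: true alerts come from the
    malicious fraction that the detector catches, false alerts from the
    benign fraction that it wrongly flags.
    """
    true_alert = d.base_rate * (1.0 - d.fn_rate)
    false_alert = (1.0 - d.base_rate) * d.fp_rate
    return true_alert / (true_alert + false_alert)


def daily_alerts(d: Detector, events_per_day: float) -> Tuple[float, float]:
    """Expected (true, false) alerts per day for a given event volume."""
    true_alert = events_per_day * d.base_rate * (1.0 - d.fn_rate)
    false_alert = events_per_day * (1.0 - d.base_rate) * d.fp_rate
    return true_alert, false_alert


def required_fp_rate(base_rate: float, fn_rate: float,
                     target_precision: float) -> float:
    """Largest per-event FP rate that still reaches target_precision.

    Solves precision = tp / (tp + fp) for the fp term, then divides by the
    benign share of events to express it as a per-event rate.
    """
    if not 0.0 < target_precision < 1.0:
        raise ValueError("target_precision must be strictly between 0 and 1")
    true_alert = base_rate * (1.0 - fn_rate)
    false_alert_budget = true_alert * (1.0 - target_precision) / target_precision
    return false_alert_budget / (1.0 - base_rate)


if __name__ == "__main__":
    # Constructed scenario: 1 in 100,000 events is malicious, the detector
    # has 1% FP and 1% FN, and the SOC ingests 100 million events a day.
    d = Detector(base_rate=1e-5, fp_rate=0.01, fn_rate=0.01)
    print(f"precision with 1% FP / 1% FN: {precision(d):.4%}")
    tp, fp = daily_alerts(d, 1e8)
    print(f"alerts per day: {tp:.0f} true, {fp:.0f} false")
    need = required_fp_rate(1e-5, 0.01, 0.5)
    print(f"per-event FP rate needed for 50% precision: {need:.2e}")
```

With these constructed inputs the "1%" detector yields a precision of roughly 0.1%, i.e. about a thousand false alerts for every real one, and reaching even 50% precision requires a per-event FP rate near 1e-5, the same order as the base rate itself. That is the practical reading of the base-rate fallacy: the FP rate has to be driven down to the neighbourhood of the base rate, or the detector has to run on a pre-filtered population with a higher base rate, before its alerts are usable by a SOC.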