Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO
The 2016 Data Breach Investigations Report (DBIR) from Verizon Enterprise has been released; it examines 64,199 security incidents that resulted in 2,260 confirmed breaches. Verizon defines an incident as a security event that compromises the integrity, confidentiality, or availability of an information asset, and a breach as an incident that results in the confirmed disclosure of data to an unauthorized party. Because preventing breaches is far less painful than enduring them, Verizon devotes several sections to recommended controls for security-conscious businesses. If you don't care to read the full 80-page report, Ziften offers this analysis of the DBIR with a focus on the recommended controls that EDR enables:
Vulnerabilities Recommended Controls
A strong EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including exposure timelines that show how quickly exposures are closed and therefore how efficiently vulnerability management is working. The exposure timelines matter because Verizon stresses a systematic approach that emphasizes consistency and coverage, as opposed to haphazard, convenience-driven patching.
Phishing Recommended Controls
Although Verizon suggests user training to reduce susceptibility to phishing, its data still shows nearly a third of phishing messages being opened, with users clicking the link or attachment more than one time in ten. Not good odds if you have at least ten users! Given that a click-driven compromise is inevitable, Verizon recommends putting effort into detection of anomalous network activity indicative of pivoting, command-and-control (C2) traffic, or data exfiltration. A sound EDR system will not only track endpoint network activity, but also filter it against network threat feeds that identify known-malicious destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which augments network flow data with endpoint context and attribution (which process on which host, running as which user, produced the flow), so that SOC personnel have the decision context they need to resolve network alerts quickly.
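To make the three detections named above concrete, here is an added example (not code from the original post, and not Ziften's or ZFlow's implementation) that runs over constructed flow records carrying endpoint attribution. The record fields, the internal address ranges, the thresholds and the sample traffic are all assumptions for the example: it matches destinations against a threat feed, looks for evenly spaced contacts to one external host (beaconing C2), sums outbound bytes per process (bulk exfiltration), and counts distinct internal hosts contacted by one process on one port (pivoting).

```python
"""Flag pivoting, C2 beaconing and bulk exfiltration in endpoint-attributed flows.

Every flow record carries the endpoint context the text describes (host, user,
process) next to the destination. The field names, thresholds and sample data
are assumptions for this example, not a real ZFlow schema or Ziften's logic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed enterprise address space; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Constructed threat feed of known-malicious destinations (RFC 5737 documentation range).
THREAT_FEED = {"203.0.113.7"}

EXFIL_BYTES = 50_000_000   # assumed: outbound bytes per process before alerting
PIVOT_FANOUT = 8           # assumed: distinct internal hosts hit on one port
BEACON_MIN_GAPS = 5        # assumed: intervals needed before calling it a beacon
BEACON_MAX_CV = 0.1        # assumed: max (stdev / mean) of the inter-flow interval


def _flow(ts, host, user, proc, dst, dport, bytes_out):
    return dict(ts=ts, host=host, user=user, proc=proc, dst=dst, dport=dport,
                bytes_out=bytes_out)


# Constructed sample flows; timestamps are seconds, "external" hosts use RFC 5737 addresses.
FLOWS = (
    # Six contacts exactly 60 s apart from powershell.exe to one external host: C2 beacon.
    [_flow(1000 + 60 * i, "wks-17", "bsmith", "powershell.exe", "198.51.100.23", 443, 800)
     for i in range(6)]
    # A single contact with a destination on the threat feed.
    + [_flow(1100, "wks-17", "bsmith", "rundll32.exe", "203.0.113.7", 80, 300)]
    # 90 MB pushed out by an archiver over SSH: exfiltration candidate.
    + [_flow(1300, "wks-17", "bsmith", "7z.exe", "198.51.100.90", 22, 90_000_000)]
    # One admin RDP session to one internal server: benign.
    + [_flow(1400, "adm-01", "jdoe", "mstsc.exe", "10.0.5.12", 3389, 50_000)]
    # The same workstation touching ten internal hosts on SMB: pivoting.
    + [_flow(1500 + i, "wks-17", "bsmith", "powershell.exe", f"10.0.5.{20 + i}", 445, 200)
       for i in range(10)]
)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows):
    """Return alerts, each attributed to (host, user, process) for SOC triage."""
    alerts = []
    beacon_ts = defaultdict(list)    # (host, user, proc, dst) -> timestamps
    ext_bytes = defaultdict(int)     # (host, user, proc) -> external bytes out
    fanout = defaultdict(set)        # (host, user, proc, dport) -> internal dsts

    for f in flows:
        who = (f["host"], f["user"], f["proc"])
        if f["dst"] in THREAT_FEED:
            alerts.append({"kind": "threat_feed", "who": who, "detail": f["dst"]})
        if is_internal(f["dst"]):
            fanout[who + (f["dport"],)].add(f["dst"])
        else:
            ext_bytes[who] += f["bytes_out"]
            beacon_ts[who + (f["dst"],)].append(f["ts"])

    for key, ts in beacon_ts.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if (len(gaps) >= BEACON_MIN_GAPS and mean(gaps) > 0
                and pstdev(gaps) / mean(gaps) <= BEACON_MAX_CV):
            alerts.append({"kind": "beacon", "who": key[:3],
                           "detail": f"{key[3]} every ~{mean(gaps):.0f}s"})
    for who, n in ext_bytes.items():
        if n >= EXFIL_BYTES:
            alerts.append({"kind": "exfil_volume", "who": who, "detail": n})
    for key, dsts in fanout.items():
        if len(dsts) >= PIVOT_FANOUT:
            alerts.append({"kind": "pivot_fanout", "who": key[:3],
                           "detail": f"{len(dsts)} hosts on port {key[3]}"})
    return alerts


if __name__ == "__main__":
    for a in detect(FLOWS):
        print(a["kind"], a["who"], a["detail"])
```

Every alert carries the host, user and process that generated the traffic, which is the attribution the text argues for: an analyst sees "powershell.exe as bsmith on wks-17 is beaconing" rather than a bare destination address. On this sample all four alert types land on the same workstation and user, which is exactly the kind of clustering that lets a SOC prioritize one host over a flood of unrelated network alerts.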
Web App Attacks Recommended Controls
Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A strong EDR system will monitor login activity and apply anomaly checks to spot unusual login patterns (for example, logins at unusual hours or from sources the account has never used) that indicate compromised credentials.
Point-of-Sale Intrusions Recommended Controls
Verizon recommends (as FireEye/Mandiant has also strongly recommended) strong network segmentation of point-of-sale (POS) devices. Once again, a solid EDR system should be tracking network activity to identify anomalous network contacts, and ZFlow in particular is of great value in providing decision context for suspect network activity. EDR solutions also address Verizon's recommendation to monitor remote logins to POS devices. Alongside this Verizon recommends multi-factor authentication, but a strong EDR capability will complement MFA with login pattern anomaly checking, since even MFA can be defeated by man-in-the-middle (MITM) attacks that relay a legitimate user's authentication in real time.
Insider and Privilege Misuse Recommended Controls
Verizon recommends that organizations "monitor the heck out of [employee] authorized day-to-day activity." Continuous endpoint monitoring by a strong EDR product provides this capability naturally. In Ziften's case, our product tracks user presence periods and the user's focus activity while present (such as foreground application usage). Anomaly checking can then identify unusual deviations in activity pattern, whether a temporal anomaly (something has changed in this user's own normal activity pattern) or a spatial anomaly (this user's behavior pattern differs significantly from that of their peers).
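The temporal/spatial distinction, and the login-pattern anomaly checks mentioned in the web app and POS sections above, can be illustrated with one scoring routine. The following is an added example, not code from the original post or Ziften's product: it takes a constructed per-user daily feature (minutes of presence outside business hours, the kind of value the presence and foreground-application records would yield) and scores the latest day against the user's own history (temporal) and the user's typical day against peers (spatial). The feature choice, the robust z-score threshold and the sample data are assumptions.

```python
"""Temporal vs spatial anomaly checks on a per-user daily activity feature.

The feature is minutes of user presence outside business hours, which in
principle is derived from the presence periods the text describes. The data,
the feature choice and the thresholds are assumptions for this example; this
is not Ziften's implementation.
"""
from statistics import median

# Constructed: 20 days of after-hours presence minutes per user.
DAILY_AFTER_HOURS = {
    "bsmith":   [3, 5, 0, 8, 4, 6, 2, 7, 5, 3, 9, 4, 1, 6, 5, 2, 8, 4, 3, 240],
    "jdoe":     [4, 2, 6, 5, 0, 7, 3, 5, 8, 4, 2, 6, 3, 5, 4, 7, 1, 5, 6, 4],
    "pkumar":   [6, 8, 3, 5, 7, 4, 9, 2, 5, 6, 3, 7, 5, 4, 8, 6, 2, 5, 7, 3],
    "nightops": [210, 195, 230, 205, 220, 200, 215, 225, 198, 212,
                 208, 219, 201, 230, 195, 222, 207, 214, 203, 218],
}

Z_THRESHOLD = 3.5   # assumed: robust z-score beyond which a value is anomalous
MAD_FLOOR = 1.0     # assumed: one minute, so a flat baseline cannot make z explode


def robust_z(value, sample):
    """Median/MAD z-score: one extreme day cannot drag the baseline along with it."""
    med = median(sample)
    mad = max(median(abs(x - med) for x in sample), MAD_FLOOR)
    return (value - med) / (1.4826 * mad)   # 1.4826 scales MAD to a normal sigma


def temporal_anomalies(daily, threshold=Z_THRESHOLD):
    """Users whose latest day departs from their own history."""
    flagged = []
    for user, series in daily.items():
        history, latest = series[:-1], series[-1]
        if abs(robust_z(latest, history)) > threshold:
            flagged.append(user)
    return sorted(flagged)


def spatial_anomalies(daily, threshold=Z_THRESHOLD):
    """Users whose typical day departs from their peers' typical day."""
    baselines = {u: median(s) for u, s in daily.items()}
    flagged = []
    for user, base in baselines.items():
        peers = [b for u, b in baselines.items() if u != user]
        if abs(robust_z(base, peers)) > threshold:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("temporal:", temporal_anomalies(DAILY_AFTER_HOURS))
    print("spatial: ", spatial_anomalies(DAILY_AFTER_HOURS))
```

The two checks deliberately fire on different people: bsmith's 240-minute night is a temporal anomaly against an otherwise quiet history, while nightops is entirely consistent day to day and only stands out spatially, against peers who are rarely present after hours. Median and MAD are used instead of mean and standard deviation so that a single anomalous day does not inflate the baseline and hide itself; the same scoring applies unchanged to a login feature such as logins per day from a new source address.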
Verizon also recommends monitoring the use of USB storage devices, which solid EDR systems provide, since such devices can serve as a "sneakernet" exfiltration path.
Miscellaneous Errors Recommended Controls
Verizon's recommendations in this area focus on keeping a record of past errors so that they serve as a warning against repeating them. Solid EDR products do not forget: they preserve an archival record of endpoint and user activity going back to their initial deployment. These records are searchable at any time, possibly long after some future event has uncovered an intrusion and response teams need to go back, find "patient zero," unravel the incident, and identify where mistakes were made.
Physical Theft and Loss Recommended Controls
Verizon recommends (and many regulators require) full-disk encryption, especially for mobile devices. A strong EDR system will verify that endpoint configurations comply with the enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost 100 times more often than they are physically stolen, but the impact on the affected enterprise is essentially the same.
Crimeware Recommended Controls
Again, Verizon emphasizes vulnerability management and consistent, comprehensive patching. As noted above, appropriate EDR tools identify and track vulnerability exposures. In Ziften's case, this keys off the National Vulnerability Database (NVD), matching it against the process image records from our endpoint monitoring, which yields an accurate, up-to-date vulnerability assessment at any point in time.
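The following added example (not code from the original post, and not Ziften's NVD matching logic) shows the mechanics behind both this paragraph and the exposure timelines described in the Vulnerabilities section: a constructed NVD-style feed is matched against constructed per-day process-image observations, and each host's exposure window runs from the first vulnerable observation on or after the advisory's publication date until a non-vulnerable version is first observed. The feed entries use placeholder identifiers rather than real CVEs, and the dotted-numeric version comparison, the product names and the dates are assumptions.

```python
"""Vulnerability exposure timelines from endpoint process-image records.

Matches a constructed NVD-style feed against constructed per-day records of
which software images executed on each host. Exposure for a host/advisory
starts at the first vulnerable observation on or after the advisory's
publication date and ends at the first non-vulnerable observation.
"""
from datetime import date
from statistics import mean

# Constructed feed entries. Identifiers and product names are placeholders, not
# real CVEs; "affected_below" means every version strictly below it is vulnerable.
NVD_FEED = [
    {"id": "CVE-EXAMPLE-1", "product": "examplepdf", "affected_below": "11.0.9",
     "published": date(2016, 3, 1)},
    {"id": "CVE-EXAMPLE-2", "product": "examplebrowser", "affected_below": "49.0.0",
     "published": date(2016, 3, 5)},
]

# Constructed process-image observations: (day, host, product, version).
IMAGE_RECORDS = [
    (date(2016, 3, 2), "wks-17", "examplepdf", "11.0.8"),
    (date(2016, 3, 2), "wks-17", "examplebrowser", "48.0.1"),
    (date(2016, 3, 2), "srv-03", "examplepdf", "11.0.9"),
    (date(2016, 3, 10), "wks-17", "examplepdf", "11.0.8"),
    (date(2016, 3, 15), "wks-17", "examplepdf", "11.0.9"),      # patched
    (date(2016, 3, 15), "wks-17", "examplebrowser", "48.0.1"),  # still exposed
]

AS_OF = date(2016, 4, 1)   # assumed report date for exposures that are still open


def parse_version(v):
    """Dotted-numeric versions only (assumption); compared as integer tuples."""
    return tuple(int(p) for p in v.split("."))


def exposures(feed, records, as_of):
    """One record per (host, advisory): start, end, days exposed, still open?"""
    result = []
    for adv in feed:
        limit = parse_version(adv["affected_below"])
        hosts = {h for _, h, p, _ in records if p == adv["product"]}
        for host in sorted(hosts):
            obs = sorted((d, ver) for d, h, p, ver in records
                         if h == host and p == adv["product"])
            start = end = None
            for day, ver in obs:
                vulnerable = parse_version(ver) < limit
                if vulnerable and start is None:
                    # Clock starts at disclosure if the vulnerable image predates it.
                    start = max(day, adv["published"])
                elif not vulnerable and start is not None and end is None:
                    end = day
            if start is None:
                continue          # this host only ever ran fixed versions
            closed = end is not None
            end_or_now = end if closed else as_of
            result.append({"host": host, "id": adv["id"], "product": adv["product"],
                           "start": start, "end": end_or_now,
                           "days": (end_or_now - start).days, "open": not closed})
    return result


def report():
    return exposures(NVD_FEED, IMAGE_RECORDS, AS_OF)


def mttr_days(exps):
    """Mean time to remediate over closed exposures; the efficiency metric."""
    closed = [e["days"] for e in exps if not e["open"]]
    return mean(closed) if closed else None


if __name__ == "__main__":
    for e in report():
        state = "OPEN" if e["open"] else "closed"
        print(f'{e["host"]} {e["id"]} {e["product"]} {e["start"]}..{e["end"]} '
              f'{e["days"]}d {state}')
    print("MTTR (days):", mttr_days(report()))
```

Because the assessment is driven by what actually executed on each endpoint rather than by a periodic scan, the timeline reflects the real window during which a vulnerable image could have been exploited, and the mean time to remediate over closed exposures is the consistency measure the Vulnerabilities section asks for. Real NVD data carries structured version ranges (CPE match strings with start/end bounds, inclusive or exclusive), so a production matcher needs a fuller comparison than the single upper bound used here.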
Verizon also recommends collecting malware analysis data from your own enterprise environment. EDR tools track the arrival and execution of new binaries, and Ziften's system can acquire a sample of any binary present on enterprise endpoints and submit it for in-depth static and dynamic analysis by our malware research partners.
Cyber-Espionage Recommended Controls
Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a variety of endpoint configuration hardening steps whose compliance can be verified by EDR tools.
Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can significantly improve conventional network flow monitoring with endpoint context and attribution, providing a blend of network and endpoint security that is truly end-to-end.
Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on scene to assist in a breach crisis. This is the prime function of EDR tools, since the endpoint is the most frequent entry vector in a significant data breach.
Denial-of-Service Attacks Recommended Controls
Verizon recommends controlling port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port usage by application and apply anomaly checks to recognize unusual application port usage that could indicate compromise.
Enterprise services migrating to cloud providers also require protection from DoS attacks, which the cloud provider may supply. However, when it comes to network traffic monitoring in the cloud, where the enterprise may lack visibility into the provider's network, solutions like Ziften ZFlow provide a way to collect enriched network flow data directly from cloud virtual servers. Don't let the cloud be your network blind spot, or attackers will exploit it to fly under your radar.