Written by Dr. Al Hartmann and presented by Chuck Leaver, Ziften CEO
Verizon Enterprise has released its 2016 Data Breach Investigations Report, which analyzes 64,199 security incidents that led to 2,260 breaches. Verizon defines an incident as a compromise of the integrity, confidentiality, or availability of an information asset, and a breach as a confirmed disclosure of data to an unauthorized party. Because preventing breaches is far less painful than enduring them, Verizon recommends several sets of controls for security-conscious organizations. If you don't care to read the full 80-page report, Ziften offers this DBIR analysis with a spotlight on the recommended controls that EDR can deliver:
Vulnerabilities: Recommended Controls
A solid EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including exposure timelines that show how effective vulnerability management has been. The exposure timelines matter because Verizon stresses a systematic approach built on consistency and coverage rather than haphazard, expedient patching.
Phishing: Recommended Controls
Although Verizon recommends user training to reduce phishing susceptibility, its data still shows nearly a third of phishing messages being opened, with users clicking the link or attachment more than one time in ten. Not good odds if you have at least 10 users! Given that a click compromise is inevitable, Verizon advises investing in the detection of unusual network activity that signals pivoting, C2 traffic, or data exfiltration. A sound EDR system will not only track endpoint network activity but also filter it against network threat feeds that identify malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which enriches network flow data with endpoint context and attribution so that SOC staff have the decision context they need to resolve network alerts quickly.
Web App Attacks: Recommended Controls
Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A strong EDR solution will monitor login activity and apply anomaly checks to find unusual login patterns indicative of compromised credentials.
Point-of-Sale Intrusions: Recommended Controls
Verizon recommends (as FireEye/Mandiant has also strongly advised) strong network segmentation of POS devices. Again, a solid EDR system should be tracking network activity to identify anomalous network contacts, and ZFlow in particular provides critical decision context for suspect network activity. EDR systems also address Verizon's recommendation to monitor remote logins to POS devices. Alongside this, Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with additional login pattern anomaly checking, because even MFA can be defeated by man-in-the-middle attacks.
Insider and Privilege Misuse: Recommended Controls
Verizon recommends that you “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a strong EDR product naturally supplies this capability. In Ziften's case, our product tracks user presence periods and user focus activities while present (such as foreground application usage). Anomaly monitoring can identify unusual deviations in an activity pattern, whether a temporal anomaly (i.e. something has changed this user's typical activity pattern) or a spatial anomaly (i.e. this user's behavior pattern differs significantly from peer behavior patterns).
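As an added example (not Ziften's code), the following Python makes the temporal-versus-spatial distinction above concrete as two z-scores over a per-user daily activity series; the users, values, review window and threshold are constructed assumptions.

```python
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple

# Added illustration, not Ziften's code. The per-user daily series below
# (say, hours of foreground use of a file-sync application per day, oldest
# day first) are constructed sample values.

class Verdict(NamedTuple):
    temporal_z: float
    spatial_z: float
    temporal_anomaly: bool
    spatial_anomaly: bool

def zscore(value: float, baseline: List[float]) -> float:
    """Standard score of `value` against a baseline sample."""
    sd = pstdev(baseline)
    if sd == 0.0:
        return 0.0 if value == mean(baseline) else float("inf")
    return (value - mean(baseline)) / sd

def assess(user: str, history: Dict[str, List[float]],
           window: int = 3, threshold: float = 3.0) -> Verdict:
    """Split each series into a baseline and the last `window` days under review.
    Temporal: the user's review-period mean against their own baseline days.
    Spatial: the same review-period mean against the peers' baseline means
    (baseline rather than recent peer values, so one peer's fresh spike does
    not distort the comparison)."""
    own = history[user]
    recent_mean = mean(own[-window:])
    temporal = zscore(recent_mean, own[:-window])
    peer_norms = [mean(series[:-window]) for name, series in history.items() if name != user]
    spatial = zscore(recent_mean, peer_norms)
    return Verdict(temporal, spatial, abs(temporal) > threshold, abs(spatial) > threshold)

ACTIVITY = {
    # seven baseline days followed by three days under review
    "alice": [1.0, 1.2, 0.9, 1.1, 1.0, 1.3, 0.8, 1.1, 1.0, 1.2],
    "bob":   [0.9, 1.0, 1.1, 1.0, 0.8, 1.2, 1.0, 6.0, 7.0, 6.5],  # sudden jump: temporal anomaly
    "carol": [5.0, 5.1, 4.9, 5.0, 5.2, 4.8, 5.0, 5.0, 5.1, 4.9],  # steady but unlike peers: spatial anomaly
    "dave":  [1.1, 0.9, 1.0, 1.2, 1.0, 0.9, 1.1, 1.0, 1.1, 0.9],
}

if __name__ == "__main__":
    for name in ACTIVITY:
        print(name, assess(name, ACTIVITY))
```

Note that bob's jump is flagged only temporally: his three high days are not enough to put him outside a peer group that already contains carol, which is why the spatial check uses baseline peer norms rather than peers' recent values.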
Verizon also recommends monitoring the use of USB storage devices, which strong EDR systems provide, since these devices can serve as a “sneaker exfiltration” route.
Miscellaneous Errors: Recommended Controls
Verizon's recommendations in this area focus on keeping a record of past mistakes to serve as a warning of mistakes to avoid in the future. Strong EDR products do not forget; they keep an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future incident has uncovered an intrusion and response teams need to go back and “find patient zero” to reconstruct the event and determine where mistakes may have been made.
Physical Theft and Loss: Recommended Controls
Verizon recommends (and many regulators require) full disk encryption, particularly for mobile devices. A strong EDR system will verify that endpoint configurations comply with the enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost one hundred times more often than they are physically stolen, but the impact on the affected enterprise is essentially the same.
Crimeware: Recommended Controls
Once again, Verizon emphasizes vulnerability management and consistent, comprehensive patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften's case, this keys off the National Vulnerability Database (NVD), filtering it against the process image records from our endpoint monitoring, which yields an accurate, up-to-date vulnerability assessment at any time.
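As an added example (not Ziften's code), the following Python shows the matching step described here and the exposure timelines discussed under Vulnerabilities above: an inventory of process images seen on endpoints is filtered against an NVD-style feed, and each match is turned into days of exposure. The feed entries, hosts, product names and CVE ids are constructed placeholders, and the affected-version rule is a simplified "versions up to X" instead of real CPE range matching.

```python
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple

# Added illustration, not Ziften's code. Feed entries, hosts, product names
# and CVE ids are constructed sample data (the CVE ids are placeholders).

class Vuln(NamedTuple):
    cve: str
    product: str
    max_affected: Tuple[int, ...]   # versions <= this tuple are affected
    published: date

class ImageRecord(NamedTuple):
    host: str
    product: str
    version: str
    first_seen: date              # when the EDR first saw this image run
    last_seen: Optional[date]     # None: image is still present on the endpoint

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def exposures(images: List[ImageRecord], feed: List[Vuln], today: date):
    """Return (host, cve, days_exposed) per match. Exposure runs from the later
    of CVE publication and first sighting until the image disappears (patched
    or removed), or until today if it is still present."""
    out = []
    for img in images:
        for v in feed:
            if v.product != img.product or parse_version(img.version) > v.max_affected:
                continue
            start = max(v.published, img.first_seen)
            end = img.last_seen or today
            if end >= start:              # image gone before publication: never exposed
                out.append((img.host, v.cve, (end - start).days))
    return out

def worst_exposure(rows) -> Dict[str, int]:
    """Longest exposure per host: the figure a patch-coverage timeline reports."""
    worst: Dict[str, int] = {}
    for host, _cve, days in rows:
        worst[host] = max(worst.get(host, 0), days)
    return worst

TODAY = date(2016, 5, 1)
FEED = [Vuln("CVE-0000-0001", "examplebrowser", (45, 0), date(2016, 2, 10)),
        Vuln("CVE-0000-0002", "examplepdf", (11, 0, 3), date(2016, 3, 20))]
IMAGES = [ImageRecord("ws01", "examplebrowser", "44.2", date(2016, 1, 5), date(2016, 3, 1)),
          ImageRecord("ws01", "examplebrowser", "46.0", date(2016, 3, 1), None),
          ImageRecord("ws02", "examplebrowser", "44.2", date(2016, 1, 5), None),
          ImageRecord("ws02", "examplepdf", "11.0.2", date(2016, 4, 1), None)]

if __name__ == "__main__":
    rows = exposures(IMAGES, FEED, TODAY)
    print(rows, worst_exposure(rows))
```

Here ws01 was exposed for 20 days before its browser was updated, while ws02 has carried the same exposure for 81 days and counting, which is the consistency-and-coverage gap the timelines are meant to surface.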
Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools track the arrival and execution of new binaries, and Ziften's system can acquire samples of any binary present on enterprise endpoints and submit them for comprehensive static and dynamic analysis by our malware research partners.
Cyber-Espionage: Recommended Controls
Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps whose compliance can be verified by EDR tools.
Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can significantly enhance conventional network flow monitoring with endpoint context and attribution, providing a fusion of network and endpoint security that is truly end-to-end.
Lastly, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on scene to help in a breach crisis. This is the prime function of EDR tools, given that the endpoint is the most frequent entry vector in a major data breach.
Denial-of-Service Attacks: Recommended Controls
Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR systems can track port use by applications and apply anomaly checks to identify unusual application port use that might indicate compromise.
Enterprise services moving to cloud providers also need protection from DoS attacks, which the cloud provider may supply. However, when it comes to network traffic monitoring in the cloud, where the enterprise may not have cloud network visibility, solutions like Ziften ZFlow offer a way to collect enriched network flow data directly from cloud virtual servers. Don't let the cloud be your network blind spot, or attackers will exploit it to fly under your radar.