Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO
The 2016 Data Breach Investigations Report (DBIR) from Verizon Enterprise has been released, reviewing 64,199 security incidents that led to 2,260 confirmed breaches. Verizon defines an incident as an event that compromises the integrity, confidentiality, or availability of an information asset, and a breach as a confirmed disclosure of data to an unauthorized party. Because preventing breaches is far less painful than suffering them, Verizon devotes several sections of the report to recommended controls for security-conscious enterprises. If you don’t care to read the full 80-page report, Ziften offers this analysis of the Verizon DBIR with a spotlight on the recommended controls that EDR enables:
Vulnerabilities Recommended Controls
A solid EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including exposure timelines that show how effective vulnerability management actually is. The exposure timelines matter because Verizon emphasizes a systematic approach that stresses consistency and coverage, as opposed to haphazard, ad hoc patching.
Phishing Recommended Controls
Although Verizon recommends user training to reduce susceptibility to phishing, its data still shows almost a third of phishing messages being opened, with users clicking the link or attachment more than one time in ten. Those are not good odds if you have at least ten users! Given that a click will eventually lead to a compromise, Verizon suggests putting effort into detecting abnormal network activity indicative of pivoting, command-and-control (C2) traffic, or data exfiltration. A sound EDR solution will not only track endpoint network activity but also filter it against network threat feeds that identify malicious network destinations. Ziften goes further with our patent-pending ZFlow technology, which enriches network flow data with endpoint context and attribution, so that SOC personnel have the decision context they need to resolve network alerts quickly.
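The enrichment step described above, as an added example that is not Ziften code (ZFlow’s record format and feed integration are not public): endpoint flow records are joined to the process that originated them, then filtered against a threat feed of known-bad destinations. The Flow and ProcessRecord layouts, the feed entries, and all addresses are constructed for illustration and use the RFC 5737 documentation ranges.

```python
"""Enrich endpoint network flows with process attribution and filter them
against a threat feed of known-bad destinations.

Added example for illustration, not Ziften code: the record layouts, the
feed and every address below are constructed (RFC 5737 test ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    host: str       # endpoint that originated the flow
    pid: int        # process id reported by the endpoint agent
    dst_ip: str
    dst_port: int
    bytes_out: int


@dataclass(frozen=True)
class ProcessRecord:
    host: str
    pid: int
    image: str      # full path of the executable image
    user: str       # account the process runs as


# Constructed threat feed: CIDR or /32 entry -> label.
THREAT_FEED = {
    "203.0.113.0/24": "known C2 range (constructed)",
    "198.51.100.7/32": "exfiltration drop host (constructed)",
}


def compile_feed(feed):
    """Parse feed entries once so each lookup is a cheap membership test."""
    return [(ip_network(entry), label) for entry, label in feed.items()]


def lookup_threat(dst_ip, compiled_feed):
    """Return the feed label for dst_ip, or None if it is not listed."""
    addr = ip_address(dst_ip)
    for net, label in compiled_feed:
        if addr in net:
            return label
    return None


def enrich_and_filter(flows, processes, feed=THREAT_FEED):
    """Join each flow to its originating process and keep only threat-feed hits.

    The (host, pid) join is what turns a bare flow alert into an actionable one:
    the analyst sees which image and which account produced the traffic."""
    compiled = compile_feed(feed)
    by_pid = {(p.host, p.pid): p for p in processes}
    alerts = []
    for f in flows:
        label = lookup_threat(f.dst_ip, compiled)
        if label is None:
            continue
        proc = by_pid.get((f.host, f.pid))
        alerts.append({
            "host": f.host,
            "dst": f"{f.dst_ip}:{f.dst_port}",
            "threat": label,
            # A hit with no matching process record is itself worth a look.
            "image": proc.image if proc else "<unattributed>",
            "user": proc.user if proc else "<unknown>",
            "bytes_out": f.bytes_out,
        })
    return alerts


# Constructed sample telemetry.
SAMPLE_FLOWS = [
    Flow("ws-017", 4242, "203.0.113.45", 443, 120_000),
    Flow("ws-017", 910, "192.0.2.10", 443, 3_500),      # benign destination
    Flow("ws-022", 77, "198.51.100.7", 22, 8_000_000),
]
SAMPLE_PROCESSES = [
    ProcessRecord("ws-017", 4242, r"C:\Tools\scripting\shell.exe", "CORP\\jdoe"),
    ProcessRecord("ws-017", 910, r"C:\Program Files\Browser\browser.exe", "CORP\\jdoe"),
    # No record for ws-022 pid 77, so that hit is reported as unattributed.
]

if __name__ == "__main__":
    for alert in enrich_and_filter(SAMPLE_FLOWS, SAMPLE_PROCESSES):
        print(alert)
```

The feed is compiled into network objects once rather than on every lookup; a production feed with tens of thousands of entries would move to a prefix trie or a set of exact addresses plus a small list of ranges, but the join logic is the same.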
Web App Attacks Recommended Controls
Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A strong EDR solution will monitor login activity and apply anomaly checking to spot unusual login patterns that indicate compromised credentials.
Point-of-Sale Intrusions Recommended Controls
Verizon recommends (as FireEye/Mandiant has also strongly recommended) strong network segmentation of POS devices. Again, a strong EDR solution should be tracking network activity to identify anomalous network contacts, and ZFlow in particular is valuable in providing decision context for suspect network activity. EDR systems also address Verizon’s recommendation to monitor remote logins to POS devices. Verizon additionally recommends multi-factor authentication, and a strong EDR capability will augment that with login pattern anomaly checking (since even MFA can be defeated with man-in-the-middle attacks).
Insider and Privilege Misuse Recommended Controls
Verizon recommends that you “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a strong EDR product naturally provides this capability. In Ziften’s case, our product tracks user presence periods and user focus activity while present (such as foreground application usage). Anomaly checking can identify unusual deviations in the activity pattern, whether a temporal anomaly (i.e. something has changed in this user’s normal activity pattern) or a spatial anomaly (i.e. this user’s behavior pattern differs significantly from the patterns of their peers).
Verizon also recommends tracking the use of USB storage devices, which solid EDR products provide, because they can serve as a “sneaker exfiltration” route.
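The temporal and spatial checks described above, as an added example that is not Ziften’s implementation; the same scheme applies to the login-pattern anomaly checking mentioned under Web App Attacks by swapping in login features. The two activity features, the ten-day history, the observations for the day under review and the z-score threshold of 3 are constructed assumptions.

```python
"""Temporal and spatial anomaly checks over per-user daily activity features.

Added example, not Ziften's implementation: the feature set, the ten-day
history, the current-day observations and the threshold are constructed."""
from statistics import mean, pstdev

FEATURES = ("active_hours", "distinct_hosts")

# Constructed history: ten days of (active_hours, distinct_hosts) per user.
HISTORY = {
    "alice": [(8, 1), (7, 1), (8, 1), (9, 1), (8, 1), (7, 1), (8, 1), (8, 1), (9, 1), (8, 1)],
    "bob":   [(7, 1), (8, 2), (7, 1), (8, 1), (6, 1), (8, 2), (7, 1), (7, 1), (8, 1), (7, 1)],
    "carol": [(9, 1), (8, 1), (9, 1), (8, 1), (9, 2), (8, 1), (9, 1), (8, 1), (9, 1), (8, 1)],
    "dave":  [(8, 1), (8, 1), (7, 1), (8, 1), (8, 1), (8, 1), (7, 1), (8, 1), (8, 1), (8, 1)],
}
# Constructed observations for the day under review: dave was active for 14
# hours and touched 12 distinct hosts, unlike his history and unlike his peers.
TODAY = {"alice": (8, 1), "bob": (7, 1), "carol": (8, 1), "dave": (14, 12)}


def zscore(value, sample):
    """Standard score of value against sample. When the sample never varies,
    any departure from its constant is treated as infinitely anomalous."""
    mu = mean(sample)
    sd = pstdev(sample)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def temporal_anomalies(user, today, history, threshold=3.0):
    """Features where today's value departs from this user's own history."""
    flagged = []
    for i, name in enumerate(FEATURES):
        past = [day[i] for day in history[user]]
        if abs(zscore(today[user][i], past)) > threshold:
            flagged.append(name)
    return flagged


def spatial_anomalies(user, today, threshold=3.0):
    """Features where today's value departs from the peer group's values today."""
    flagged = []
    for i, name in enumerate(FEATURES):
        peers = [vals[i] for other, vals in today.items() if other != user]
        if abs(zscore(today[user][i], peers)) > threshold:
            flagged.append(name)
    return flagged


def run_checks(history=HISTORY, today=TODAY, threshold=3.0):
    """Run both checks for every user observed today."""
    return {
        user: {
            "temporal": temporal_anomalies(user, today, history, threshold),
            "spatial": spatial_anomalies(user, today, threshold),
        }
        for user in today
    }


if __name__ == "__main__":
    for user, result in run_checks().items():
        print(user, result)
```

With a peer group this small a single outlier inflates the group’s standard deviation, which is why dave still stands out only because his departure is extreme; a deployment would compute peer statistics over a larger group, or use a median and median absolute deviation, so that one misbehaving account cannot mask another.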
Miscellaneous Errors Recommended Controls
Verizon’s recommendations in this area focus on keeping a record of past errors to serve as a warning of errors to avoid in the future. Solid EDR products do not forget; they preserve an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future event has uncovered an intrusion and response teams need to go back and “find patient zero” to unravel the incident and determine where errors may have been made.
Physical Theft and Loss Recommended Controls
Verizon recommends (and many regulators require) full disk encryption, particularly for mobile phones. A strong EDR system will verify that endpoint configurations comply with the enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost one hundred times more often than they are physically stolen, but the impact on the affected enterprise is essentially the same.
Crimeware Recommended Controls
Once again, Verizon emphasizes vulnerability management and consistent, thorough patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This yields an accurately updated vulnerability assessment at any moment.
Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools do track the arrival and execution of new binaries, and Ziften’s product can acquire samples of any binary present on enterprise endpoints and submit them for in-depth static and dynamic analysis by our malware research partners.
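The matching step described above (and the exposure timelines mentioned under Vulnerabilities), as an added example that is not Ziften’s implementation: a process-image inventory is filtered against vulnerability records keyed by vendor, product and affected version range, and each hit is reported with how many days the image has been exposed. The records are constructed, shaped after NVD configuration data, with placeholder CVE ids and fictitious products; a real run would parse the NVD JSON feed instead.

```python
"""Match an endpoint process-image inventory against vulnerability records
and report an exposure timeline for every hit.

Added example, not Ziften's implementation: the NVD subset below is
constructed with placeholder CVE ids and fictitious products, and the
inventory records are constructed."""
import re
from datetime import date

# Constructed records shaped after NVD configuration data: a product is
# affected when its version is below version_end_excluding.
NVD_SUBSET = [
    {"cve": "CVE-PLACEHOLDER-0001", "vendor": "exampleco", "product": "viewer",
     "version_end_excluding": "11.0.10", "cvss": 9.8},
    {"cve": "CVE-PLACEHOLDER-0002", "vendor": "exampleco", "product": "webgate",
     "version_end_excluding": "2.4.2", "cvss": 7.5},
    {"cve": "CVE-PLACEHOLDER-0003", "vendor": "exampleco", "product": "webgate",
     "version_end_excluding": "2.3.0", "cvss": 5.3},
]

# Constructed process-image records from endpoint monitoring; first_seen is
# when the agent first observed this image version on the host.
INVENTORY = [
    {"host": "ws-017", "image": r"C:\Program Files\ExampleCo\Viewer\viewer.exe",
     "vendor": "exampleco", "product": "viewer", "version": "11.0.3",
     "first_seen": date(2016, 5, 2)},
    {"host": "ws-021", "image": r"C:\Program Files\ExampleCo\Viewer\viewer.exe",
     "vendor": "exampleco", "product": "viewer", "version": "11.0.12",
     "first_seen": date(2016, 5, 9)},
    {"host": "srv-03", "image": "/opt/exampleco/webgate/bin/webgate",
     "vendor": "exampleco", "product": "webgate", "version": "2.4.1",
     "first_seen": date(2016, 4, 18)},
]


def parse_version(text):
    """Turn '11.0.3' into (11, 0, 3) so versions compare numerically.
    Non-numeric suffixes such as '1a' are reduced to their leading digits."""
    parts = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(record, vuln):
    """True when the inventory record falls inside the vulnerable version range."""
    return (record["vendor"] == vuln["vendor"]
            and record["product"] == vuln["product"]
            and parse_version(record["version"])
            < parse_version(vuln["version_end_excluding"]))


def assess(inventory, nvd, as_of):
    """Return findings sorted by severity, then by how long they have been exposed."""
    findings = []
    for rec in inventory:
        for vuln in nvd:
            if is_affected(rec, vuln):
                findings.append({
                    "host": rec["host"],
                    "image": rec["image"],
                    "version": rec["version"],
                    "cve": vuln["cve"],
                    "cvss": vuln["cvss"],
                    "days_exposed": (as_of - rec["first_seen"]).days,
                })
    findings.sort(key=lambda f: (-f["cvss"], -f["days_exposed"]))
    return findings


if __name__ == "__main__":
    for finding in assess(INVENTORY, NVD_SUBSET, date(2016, 5, 20)):
        print(finding)
```

Because the inventory is re-evaluated against the feed rather than rescanned, a newly published record is reflected as soon as the feed updates, and the days_exposed figure is what feeds the exposure timeline that shows whether patching is keeping pace.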
Cyber-Espionage Recommended Controls
Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool category that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps whose compliance can be verified by EDR tools.
Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can greatly enhance standard network flow monitoring with endpoint context and attribution, providing a combination of network and endpoint security that is truly end-to-end.
Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on scene to assist in a breach crisis. This is the prime purpose of EDR tools, because the endpoint is the most frequent entry vector in a major data breach.
Denial-of-Service Attacks Recommended Controls
Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port usage by application and use anomaly checks to identify unusual application port usage that might indicate compromise.
Enterprise services moving to cloud providers also require protection from DoS attacks, which the cloud provider may offer. However, when it comes to network traffic monitoring in the cloud, where the enterprise may lack cloud network visibility, options like Ziften ZFlow provide a means of gathering enriched network flow data directly from cloud virtual servers. Do not let the cloud be your network blind spot, or attackers will exploit it to fly under your radar.
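The per-application port check described above, as an added example that is not Ziften’s implementation: a baseline of which (application, destination port) pairs each endpoint normally uses is built from observed one-minute windows, and new observations are flagged either because the pair was never seen during baseline or because the number of distinct destinations contacted in a window (the fan-out that a host drafted into a DoS attack would show) exceeds a multiple of the baseline peak. The telemetry shape, image names, ports and the factor of 3 are constructed assumptions.

```python
"""Per-application port-usage baseline with anomaly checks.

Added example, not Ziften's implementation: each sample is (image, dst_port,
distinct destinations contacted in a one-minute window); all values and the
anomaly factor are constructed."""
from collections import defaultdict

# Constructed baseline windows collected while the endpoint was known-good.
BASELINE_SAMPLES = [
    ("browser.exe", 443, 30), ("browser.exe", 443, 22), ("browser.exe", 80, 12),
    ("mailclient.exe", 443, 4), ("mailclient.exe", 443, 3),
    ("resolver.exe", 53, 6), ("resolver.exe", 53, 5),
]

# Constructed windows from the period under review.
OBSERVED_SAMPLES = [
    ("browser.exe", 443, 28),
    ("mailclient.exe", 443, 5),
    ("resolver.exe", 53, 4),
    ("updater.exe", 6667, 1),      # port never used by this image before
    ("resolver.exe", 53, 900),     # fan-out far beyond anything in baseline
]


def build_baseline(samples):
    """Map each (image, port) pair to the largest fan-out seen during baseline."""
    peak = defaultdict(int)
    for image, port, fanout in samples:
        peak[(image, port)] = max(peak[(image, port)], fanout)
    return dict(peak)


def detect(baseline, observed, factor=3.0):
    """Flag unknown (image, port) pairs and fan-out beyond factor x baseline peak."""
    findings = []
    for image, port, fanout in observed:
        key = (image, port)
        if key not in baseline:
            findings.append((image, port, "new port for this application"))
        elif fanout > factor * baseline[key]:
            findings.append((image, port,
                             f"fan-out {fanout} exceeds {factor:g}x baseline peak {baseline[key]}"))
    return findings


def run(baseline_samples=BASELINE_SAMPLES, observed=OBSERVED_SAMPLES, factor=3.0):
    return detect(build_baseline(baseline_samples), observed, factor)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The baseline must be collected over a period long enough to cover the application’s normal behaviour (patch cycles, month-end batch jobs), or the check will page on every legitimate change; treating a new pair as a candidate for baseline inclusion after analyst review keeps the false-positive rate down without silencing the check.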