Verizon DBIR Says You Can’t Stop the Storm—But You Can See It Coming

The 2016 Verizon Data Breach Investigations Report (DBIR) paints a grim picture of the unavoidable enterprise data breach. But accepting the inevitability of breaches doesn’t mean accepting defeat. It’s like severe weather: you can’t prevent a tornado or hurricane. But with the right visibility tools, you can recognize patterns and mitigate your risk.

Likewise with data security, visibility is critical. “You cannot effectively protect your data if you do not know where it resides,” says Verizon.

Most enterprises plagued by poor data visibility
The report shows that most organizations lack the data visibility tools for effective breach remediation. Hackers gain access more easily than ever, with 93 percent of attacks taking just minutes to compromise the enterprise ecosystem. Yet without the ability to see what’s happening on endpoint devices, 4 in 5 victimized organizations don’t catch a breach for weeks—or longer.

Here’s a look at how data visibility solves many of the major threats highlighted in the 2016 DBIR:

Phishing: See when users take the bait
The report showed users are more likely than ever to fall for phishing. One in ten users click the link; only three percent end up reporting the attack. Instead of waiting for the signs of an attack to emerge, IT needs the endpoint visibility to know what users are doing—what they’re clicking, what they’re installing, if sensitive data is suspiciously flowing outside the enterprise network. The “human element” is impossible to fix, but visibility lets you “keep your eye on the ball,” as Verizon put it, catching phishing attacks before they penetrate the enterprise.

Malware and ransomware: Encryption + endpoint backup
With laptops the most common vector for the growing threats of malware and ransomware, Verizon stresses that “protecting the endpoint is critical.” The report urges making full-disk encryption (FDE) “part of the standard build” to gain assurance that your data is protected if a laptop falls into the wrong hands. Continuous endpoint backup is the natural complement to FDE. If a device is lost or stolen, IT immediately has visibility into what sensitive data lived on that device, and can quickly restore files and enable the user to resume productivity. Plus, in the case of ransomware, guaranteed backup ensures that you never truly lose your files—and you never pay the ransom.

Privilege abuse: “Monitor the heck” out of users
Authorized users using their credentials for illegitimate purposes “are among the most difficult to detect.” There’s no suspicious phishing email. No failed login attempts. No signs of a hack. And for most organizations, no way of knowing a breach has occurred until the nefarious user and your sensitive data is long gone. Unless, of course, you have complete visibility into the endpoint activities of your users. Verizon urges enterprises to “monitor the heck out of authorized daily activity,” so you can see when a legitimate user is breaking from their use pattern and extricating sensitive data.

Forensics: Skip the hard part for big cost savings
The most costly part of most enterprise data breaches—accounting for half of the average total cost—involves figuring out what data was compromised, tracking down copies of files for examination, and other forensic tasks required for breach reporting and remediation. Most often, an organization must bring in legal and forensic consultants—at a steep price. If you have complete visibility of all enterprise data to begin with, including endpoint data, you can skip much of the hard work in the forensics phase. If you already have continuous and guaranteed backup of all files, all your files are securely stored and easily searchable. Modern endpoint backup solutions go a step further, offering robust forensic tools that make it easy and cost-effective to conduct breach remediation, forensics and reporting tasks without eating up all of IT’s time, or requiring expensive ongoing consultant engagement.

See your data, understand your patterns, mitigate your risk
The whole point of the DBIR is to shed light on data to see the patterns and trends in enterprise data security incidents—to mitigate risk through greater visibility. So read the report. Understand the common threats. But make sure you apply this same methodology to your own organization. With the right data visibility tools in place, you can see your own patterns and trends, learn your own lessons, and fight back against the inevitable data breach.

Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

Watch: Prevention Against Targeted Phishing Attacks

In this Lightboard session, Martin Walter explains how the integration of Palo Alto Networks global URL Filtering service (PAN-DB) works with the single-pass architecture of our next- generation firewalls and our Threat Intelligence Cloud to allow you to safely enable web access while protecting against malware or phishing sites.

Learn more

[Palo Alto Networks Research Center]

Women in Cybersecurity/IT: A Matter of Strategy

If an organization has a culture of diversity and inclusiveness, there is typically a strategy in place to hire more women in cybersecurity/IT. This is especially true in consulting, where there is a concerted effort to hire more women. From a recruiting perspective, there is a small talent pool of women in cyber/IT to hire from. But I am starting to see more effort/focus on pipeline development coming from schools and organizations.

A female CISO I recently spoke to said, “I am not seeing a lot of women enter the field, but I am seeing STEM (science, technology, engineering, and math) efforts, encouraging students in college to enter the technical fields where they may see an avenue toward cybersecurity.”

Bringing More Women into Cybersecurity/IT Careers
As I said, building that talent pipeline is key. More effort and investment need to be made at the high school level to encourage girls to take the cybersecurity/IT career path. We need to show that it is cool, that it is in demand, that Fortune 500 companies are looking for women in cybersecurity/IT, and that it is a rewarding career. This effort should underline the fact that the pay disparity between women and men in cyber/IT is significantly less than in other fields.

Unfortunately, studies show that girls are actually discouraged from STEM careers by their school counselors, who often lack the information needed to steer them toward nontraditional female roles. Girls also do not study for cybersecurity/IT careers, because they do not know anyone in these fields or what they do. Getting into the schools is critical to developing that pipeline.

I recently attended a career night at my daughter’s school. There were a lot of dads in IT and the students that stopped by were primarily boys. We need to change this. Girls need to know that this is a field for them too, and that it is a great way to make an impact on an organization and earn a great salary.

Engagements with cyber professionals allow students to have more knowledge and envision pathways for themselves to pursue cyber careers. It is critical that we give girls cyber experience so they can make their own discoveries and impacts. They are more likely to pursue cyber careers if they have had hands-on experience, so experiential learning is vital to generating interest.

Scholarships and Mentoring
Mentoring and coaching girls and women toward cybersecurity/IT careers is a must. When employees and employers make a commitment to positively impact the community by volunteering, everyone benefits. We need more scholarships for women studying cybersecurity/IT. There should also be a focus on under-represented students, such as those from low-income families or minority populations. We need male leaders to visibly support all of these efforts.

Another critical focus is retention. Even if women are in cyber/IT, most leave the profession after an average of 10 years, because there are so few female role models in senior leadership. A lack of sponsorship also contributes to this problem. Sponsorship differs from coaching/mentoring. Sponsors have authority and influence. They put their personal capital at stake to “talk up” women when they are not there at leadership meetings. Sponsors can put them in front of the right people and recommend them for leadership opportunities, experiences or promotions.

Fostering a Culture of Diversity
We need to have more women in cyber speak at conferences. I’m always amazed when I speak at a conference and women come up to me to say, “It’s nice to see a female speaker at these events.” It should not be so rare to see a woman cyber leader in a keynote speaker role.

Having a culture where diversity and inclusiveness are valued is crucial. A significant part of that is the recognition that diverse teams and perspectives enable organizations to be successful. Organizations need to set performance metrics related to hiring women in cyber/IT to affect executive bonuses and put succession plans in place that purposely provide for future female cyber leaders.

Editor’s note:  As part of ISACA’s celebration of Women in Technology Month this month, we have launched a pilot of theConnecting Women Leaders in Technology program, an effort to engage female professionals in the areas of education, awareness and advocacy. ISACA is seeking women in tech to guest blog on the subject of their choice. If you are interested in learning more, please contact news@isaca.org.

Debbie Lew, Executive Director, Ernst & Young LLP

[ISACA Now Blog]

The Need to Isolate Remote, Wide-Area Communications Into a Separate Zone

In our Reference Blueprint for Industrial Control and SCADA, we describe the need to isolate remote communication technologies into a separate zone. Devices like iNets, unlicensed and licensed microwave, satellite, AMI meters and other forms of longer-range, radio-based communications need to be looked at carefully before being implemented and extra consideration of these types of technology is essential to preventing unintentional access into enterprise and OT systems.

Benefits of Remote Communication Technologies

With the advent of the Industrial Internet of Things (IIoT), or Industry 4.0, new highly efficient, low-energy and low-cost wide-area communication devices are continually being produced, providing more bandwidth and flexibility in deployment items deemed essential in an ICS/SCADA environment.

Improvements in communication technology not only make the possibility of remote automation doable but also attractive, if not a necessity. These advancements in communication help with automation, and make it possible to place more intelligent devices further out, and they reduce labor costs, as an army of people would no longer be required to travel to remote destinations, retrieve information and bring it back. Improved communications would allow operators to gather this information back to a single location, cutting many of the expenses associated with vehicle maintenance, gas and hourly wages.

Remote automation is not only cost-effective, dependable, and safe, it enables owner/operators to be competitive in several ways:

  • It helps improve the efficiency of the system, allowing for real-time, or near real-time, information at regular intervals.
  • It produces data for analytics, which helps improve system performance, increase efficiencies and produce higher yields in a product.
  • It increases visibility into our systems, allowing us to adjust as necessary.

There is, however, a downside to these innovations in communications for ICS/SCADA, which is the need for greater enforcement of security at remote locations.

Challenges of Remote Communication Technologies

Putting high-speed, high-bandwidth connections in remote unmanned areas makes them ideal beachhead attack points, and some areas can take hours to reach due to the remoteness and terrain, serving as an excellent foothold for an adversary because of the access to both enterprise and OT systems. The remoteness of the asset provides attackers with ample time to come and go as needed.

At remote facilities, it is possible for someone to install micro-computing devices that can be left in place and go unnoticed for months, if not years, if the physical placement of equipment and site layout goes unaudited for a long period of time. On-premise equipment could be reloaded with weaponized or malicious code and leveraged against the owner/operator’s internal systems, giving the ability to cause major disruptions.

Placing more intelligent devices further out at remote locations – devices with far more computing power than those previously used – can give attackers better internal resources with which to attack our systems.

Today’s broadband technology, in most cases, is some form of shared medium, meaning people with the right skill set and tools are capable of eavesdropping on others, making for insecure communications on systems that run critical real-time production.

One other key element many fail to consider when deploying communication technologies, such as satellite or microwave, is that many of these technologies are easy to remove and relocate. It is not uncommon for satellite dishes to go missing. Just think about what happens when the outdoor unit, dish and block upconverter (BUC), and the indoor unit (IDU) satellite modem go missing, and the relocation still shows online.

Another nefarious scenario is using these remote access points as an attack vector against a competitor or generating denial of service (DoS) attacks against others routed through the owner/operator’s network.

With all of these advances in communication technologies, older forms like frame relay or dedicated leased lines are no longer in use. If they are, they are very expensive to maintain. But older technologies, being point-to-point in nature, do provide slightly more security at remote facilities, unlike most of today’s Internet-based communication technologies, which is why greater attention much be paid to the security, both physical and cyber, of remote communication technologies.

Securing Remote Communication Technologies

Physical security at these locations is difficult to maintain due to their remoteness, but cybersecurity and ensuring the traffic coming in from a field site is only that which is required – and nothing more – is an achievable, sustainable objective.

At Palo Alto Networks® we believe in and follow the best practices of Zero Trust networking. In the Zero Trust networking model, it is highly advised that access to and from remote assets be set in an entirely separate zone, and that communications be restricted to only the applications, ports, and protocols needed for the process.

By following this tactic, a company can minimize its attack surface and limit possible exposure caused by breaches with their communications link. By zoning remote connections into a separate isolated enclave restricted by application and user ID, the field of focus is narrowed, providing better visibility into attempts to use the sites’ communications.

Unauthorized attempts to access the OT/IT networks would be painfully obvious in the logs, which would be seen as failed or dropped attempts at communication, especially if contact attempts are made with resources that the zone has no need to communicate with. This would be a clear indicator of compromise (IoC) from that device or facility.

To learn about other useful strategies to help you better secure your ICS/SCADA/PCN networks, go to visit the ICS/SCADA industry page at paloaltonetworks.com and download our reference blueprint architecture for industrial control and SCADA systems.

[Palo Alto Networks Research Center]

Palo Alto Networks Named Top Next Generation Firewall by NetworkWorld Asia — Again!

Palo Alto Networks recently bagged the Next-Generation Firewall award category at NetworkWorld Asia’s Information Management Awards in Singapore. We won the same category last year, and are pleased at the consistent growth and recognition of our platform in this fast-growing region.

NetworkWorld Asia is one of the leading publications in the region that provides CIOs, CTOs, Head of IT, IT Directors and IT Managers with updates, perspectives, tips and guides on how to leverage leading-edge technologies, tools and strategies to achieve performance, cost savings and business success.

This particular award recognizes Asia’s leaders in Information Security, Storage and Data Management for the huge advanced made in these fields over the last few years. It is an honor!

 KP Unnikrishan, Senior Marketing Director, Asia Pacific & Japan for Palo Alto Networks (left) receiving the award from Tan Hoon Chiang, CIO, National Institute of Education (right)

Victor Ng, South East Asia Editor in Chief (left) and Khoo Boo Leong, Senior Editor (Right) at Questex Media Group with KP Unnikrishnan

[Palo Alto Networks Research Center]

English
Exit mobile version