In the past month, more and more GCSIT clients are requesting budgetary quotes for security-related services and assets. This surge in interest prompted me to compile a prioritized list of the most requested services and assets and why they are important to control environments.
1. Anti-Virus  Against advanced threats, most anti-virus products are perhaps 30% effective. That said, A/V is still a necessary evil. Managing and responding to malware infections, however, is an increasing drain on limited IT resources. When you factor in the time spent mitigating infections together with the licensing cost of most commercial suites (McAfee, Symantec, Kaspersky, etc.), outsourcing this function not only reduces cost but adds real-time monitoring and response, which eases the burden on limited staff.
2. Monitoring  You can install all the firewalls and IDS/IPS appliances you want, but if nobody is watching their alerts, threats will get past your defenses unnoticed. It is impractical for SMBs, however, to dedicate staff to monitoring perimeter defenses and critical infrastructure. Threat actors work 24x7x365, and organizations should be monitoring their critical infrastructure just the same. Outsourcing this function is not only cost effective but also strengthens incident response by improving detective controls.
3. Data Protection & Business Resiliency  Data disruptions happen whether you want them or not. Ensuring that data protection and recovery strategies are aligned with business processes is a challenging task that few organizations do well. Backups are a no-brainer; everyone does them. Executing a recovery process aligned to business risk is the often overlooked and under-planned part. Backup and data protection strategies are useless without a tested recovery strategy.
In many cases this can be automated by leveraging in-house and cloud-based virtualization while aligning with the business's recovery time and recovery point objectives (RTO/RPO): the RTO is how long a process may be down before the business is harmed, and the RPO is how much data, measured in time, it can afford to lose. Understanding the RTO/RPO for each critical business process is the first step towards a comprehensive recovery strategy. Outsourcing all or part of this function eases staff burdens and storage and hardware capex, and removes the need for a redundant physical data center that sits dormant 99% of the time.
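The RTO/RPO alignment above is only meaningful if somebody checks the backup catalog against those targets. The script below is an added example, not GCSIT tooling or code from the original post; the catalog entries, restore-drill timings, and hour targets are constructed. The point it makes is that a failed nightly job, which most backup dashboards report as a single yellow line, can silently double your real data-loss exposure.

```python
"""Check a backup catalog and restore drills against RPO/RTO targets.

Added example (not GCSIT's code): all data below is constructed.
"""
from datetime import datetime

# Constructed backup catalog: (completion time, job status) per system.
BACKUP_CATALOG = {
    "erp-db": [
        ("2015-03-01T01:00", "ok"),
        ("2015-03-02T01:00", "ok"),
        ("2015-03-03T01:00", "failed"),   # the nightly job that nobody noticed
        ("2015-03-04T01:00", "ok"),
    ],
    "fileserver": [
        ("2015-03-03T20:00", "ok"),
        ("2015-03-04T00:00", "ok"),
        ("2015-03-04T04:00", "ok"),
    ],
}

# Assumed business targets, in hours.
TARGETS = {
    "erp-db": {"rpo": 24, "rto": 4},
    "fileserver": {"rpo": 4, "rto": 8},
}

# Constructed results of the last test restore per system, in hours.
LAST_RESTORE_DRILL_HOURS = {"erp-db": 6.5, "fileserver": 2.0}

# Point in time the report is run for (constructed).
AS_OF = "2015-03-04T08:00"


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def worst_case_data_loss(entries, now):
    """Largest gap between consecutive *successful* backups, including the
    gap from the last success up to 'now'. Failed jobs are not recovery
    points, so they widen the gap instead of filling it."""
    good = sorted(_parse(ts) for ts, status in entries if status == "ok")
    if not good:
        return None
    points = good + [now]
    gaps = [b - a for a, b in zip(points, points[1:])]
    return max(gaps).total_seconds() / 3600


def evaluate(catalog, targets, drills, as_of):
    """Return, per system, the worst-case loss window and whether the
    RPO (from the catalog) and RTO (from the last drill) are met."""
    now = _parse(as_of)
    findings = {}
    for system, target in targets.items():
        loss = worst_case_data_loss(catalog.get(system, []), now)
        rto_actual = drills.get(system)
        findings[system] = {
            "worst_case_loss_hours": loss,
            "rpo_met": loss is not None and loss <= target["rpo"],
            "rto_met": rto_actual is not None and rto_actual <= target["rto"],
        }
    return findings


REPORT = evaluate(BACKUP_CATALOG, TARGETS, LAST_RESTORE_DRILL_HOURS, AS_OF)

if __name__ == "__main__":
    for system, r in REPORT.items():
        print(system, r)
```

For the constructed data, erp-db has a 48-hour hole between recovery points against a 24-hour RPO, and its last restore drill took 6.5 hours against a 4-hour RTO; the fileserver meets both. Run this against a real catalog export and the RTO number will come from your own restore drills, which is exactly the part most organizations never measure.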
1. Security Assessment  Not to be confused with penetration testing, a security assessment examines all aspects of your technology control environment, including administrative, physical, and technical controls. Automated and manual testing procedures provide broad visibility into an organization's environment, identify areas of weakness, and produce an actionable report with detailed, prioritized recommendations for improvement that are aligned with business objectives and organizational risk. If you don't know where to start with addressing security concerns, this is a good place.
2. Incident Response  How will you respond to a data breach or network intrusion? Your network will be breached; it is just a matter of when. Having a thoroughly tested response plan aligned with business objectives will shave days or weeks off your recovery time. In a network compromise, first responders must be trained in proper triage procedures or valuable clues and evidence will be lost (powering off a suspect machine, for example, destroys whatever was in volatile memory). An incident response plan identifies and documents the people, processes, and technology necessary to identify, isolate, mitigate, and recover from an active threat.
1. Network Threat Prevention  You might think this is a glorified way of saying "firewalls", but it's not. Some of today's perimeter defense platforms are much more than firewalls. If you're considering a firewall refresh, look at appliances that not only enforce policy but can also detect and block unknown threats and correlate suspicious activity with endpoints in your environment. Appliances from Palo Alto Networks and FireEye do just that, providing visibility into all traffic within an environment along with integrated endpoint protection capabilities. They identify and block unknown threats by executing suspicious code in a virtualized sandbox and observing its behavior. What sets these solutions apart from most other vendors is that once a new threat is discovered, their cloud-based service delivers the resulting indicators of compromise to every subscribed appliance, not just the ones in your environment. Signature-less threat detection is critical to the protection of your environment.
Every environment is unique, and understanding your risks is critical to defining your control environment and aligning it with business objectives. Understanding the services that IT provides to the business, and how those services map onto technology assets, is an important first step in identifying risks and defining the controls necessary to provide operational continuity and minimize the disruption of a security incident.
The services described above are just a few of the more common security-related requests GCSIT has fulfilled recently. We've also performed several forensic investigations in the past couple of months that have helped clients determine appropriate actions in response to a security incident (hint: include a forensic response capability in your incident response plan).
Start the conversation today by emailing email@example.com or calling us about your security concerns (there’s no charge for a phone call).
Disasters – and accidents – do happen.
Without a means of business continuity, system outages or lost data can halt productivity and incur potentially unrecoverable losses to customer satisfaction, sales, reputation and revenue. When systems fail, you want the peace of mind that your applications and data can be restored quickly.
POWERFULLY SIMPLE: GCSIT DATA PROTECTION & IT RECOVERY AS A SERVICE
GCSIT protects your data, applications and IT infrastructure from downtime (so you can sleep better at night), all for a flat monthly fee.
GCSIT helps companies keep employees productive, IT systems running, and data always accessible from anywhere at any time.
We do this with unique cloud technology that mirrors the company's entire IT infrastructure in the cloud and gives you multiple recovery options from a single image-based snapshot of your systems. Recover data, failover servers, or virtualize the entire office with a click from a single Web-enabled interface.
With this service in place, organizations can see a 60% reduction in overall data protection costs while bringing their Recovery Time Objective (RTO) down to minutes.
GCSIT brings its expertise and proven methodology, along with Axcient's consolidated hybrid cloud solution, to deliver a fully managed service that provides both local and cloud protection. If a server fails, you can fail over instantly, either locally or to the cloud.
DATA AND APPLICATION PROTECTION
TRUE BUSINESS CONTINUITY
In the event of a server outage, you can run the affected servers from the latest snapshot with a single click until replacement hardware is ready.
When I talk to clients about malware defense, the usual response is "Oh, we run xyz anti-virus." Modern malware is often designed to evade, attack, or disable traditional defenses such as common anti-virus software. Because malware changes constantly, a multi-tiered approach is critical to preventing malware installation, execution, and spread.
A report published by Panda Security over a year ago claims that 160,000 new samples are discovered every day. That's almost 2 new pieces of malware every second.
The problem with traditional AV software is that it is primarily signature based: it can only recognize malware that has already been seen and analyzed. It therefore cannot detect previously unseen samples or exploits for zero-day (not yet publicized) vulnerabilities, and with the volume of new malware it is impossible for vendors to keep up with the distribution of signature files.
Traditional defenses such as firewalls, IPS, and AV cannot on their own defend against advanced threats. Detecting and responding to these threats requires advanced solutions. There is a vast underground market for zero-day vulnerabilities; threat actors purchase them to incorporate into their malware and compromise networks.
Currently, the median number of days that attackers are present on a victim network before detection is 243.
The Critical Security Controls for Effective Cyber Defense defines the objectives of an effective malware defense program as:
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of the defense, data gathering, and corrective action.
Detection, containment, and recovery are critical components to combating today's advanced malware and attacks. An effective defense program addresses all stages of advanced attacks by protecting against inbound attacks, outbound callbacks, and malware executable downloads.
ADVANCED CONTROLS FOR ADVANCED THREATS
To define appropriate controls for your environment, it's important to first understand the primary attack vectors. For most organizations those are:
› Email
› Web traffic
› Portable storage devices (USB drives)
The goals for any advanced threat detection should include:
Prevent – Stop the attack from happening in the first place.
Detect – Identify an attack as early as possible.
Respond – When an attack does happen, how will you react?
Contain – Stop the attack from spreading.
Attacks most commonly arrive through email phishing, malicious web traffic, or malware-infected USB devices, although mobile device attacks are definitely on the rise and are predicted to soon become a primary means of initial compromise. All of these vectors target the end user.
1. Email  Attackers are very creative when it comes to tricking unsuspecting users into clicking malicious links. While we still see the "shotgun" approach to phishing, where the same email is sent to hundreds of users in the hope that one of them opens a malicious link or attachment, the trend now is toward targeted emails sent to a very specific set of users with seemingly detailed information about them or their organization.
The emails often appear to come from an employee within the organization (attackers routinely mine social networking sites such as LinkedIn and Facebook for a company's employees, their habits and hobbies), or they hook onto a recent news event, a particular time of the year or month, or even things nobody can resist like funny cat videos; yes, that works almost always.
For example, if I were targeting an organization in March of any year, I might send an email to several employees stating that there was a mistake in their W-2 and that a corrected version is attached. I might also include a link, just in case they can't open the attachment; either one leads to compromise. This is one example of hundreds that are actively used.
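The W-2 lure above works because the message looks like it came from a colleague. Most of the tells are in the headers, not the body, and they can be checked mechanically. The script below is an added example, not a GCSIT product or code from the original post: it applies a few header heuristics (a display name matching a known employee but a foreign address, Return-Path and Reply-To domains that differ from the From domain, a one-character lookalike of the corporate domain, and a failed SPF result for mail claiming to be internal) to two constructed messages. `example.com` stands in for the organization's own domain and the employee directory is made up.

```python
"""Flag spoofed-sender indicators in email headers.

Added example (not a GCSIT product): the messages, the directory and the
corporate domain below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed corporate domain
DIRECTORY = {"Jane Doe": "jane.doe@example.com"}     # constructed staff directory


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain):
    """Cheap lookalike check: the sender's second-level label is the same
    length as ours with exactly one character swapped (examp1e, exampIe)."""
    ours = INTERNAL_DOMAIN.split(".")[0]
    theirs = domain.split(".")[0].lower()
    if theirs == ours or len(theirs) != len(ours):
        return False
    return sum(a != b for a, b in zip(ours, theirs)) == 1


def analyze(raw):
    """Return a list of human-readable findings; empty means no indicator fired."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Display name is a real employee, but the mailbox is not theirs.
    known = DIRECTORY.get(name)
    if known and known.lower() != from_addr.lower():
        findings.append("display-name spoof of %s" % name)
    # 2. Envelope sender (bounce address) lives somewhere else.
    if return_path and _domain(return_path) != from_dom:
        findings.append("return-path domain mismatch")
    # 3. Replies are quietly redirected to another domain.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append("reply-to domain mismatch")
    # 4. Sender domain is a near-twin of the corporate domain.
    if _lookalike(from_dom):
        findings.append("lookalike domain %s" % from_dom)
    # 5. Claims to be internal but the receiving MX recorded an SPF failure.
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom == INTERNAL_DOMAIN and "spf=fail" in auth:
        findings.append("spf fail for internal domain")
    return findings


# Constructed phishing message modeled on the W-2 lure.
PHISH = """\
Return-Path: <bounce@mailer-xyz.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer-xyz.net
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payroll-corrections@mailer-xyz.net
To: staff@example.com
Subject: Corrected W-2 attached

Your W-2 contained an error; the corrected copy is attached.
"""

# Constructed legitimate internal message.
LEGIT = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Team lunch

See you at noon.
"""

if __name__ == "__main__":
    print("phish:", analyze(PHISH))
    print("legit:", analyze(LEGIT))
```

Note that SPF passes on the phishing message: the attacker's bulk mailer is authorized to send for its own envelope domain, which is why an SPF result alone is not a verdict and the header-From alignment checks matter. Wire `analyze` into a mail-flow rule or a SIEM parser and the four findings on the constructed lure become a quarantine decision rather than a user's judgment call.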
2. Web-Based  Most people don't realize that when you visit a site such as CNN.com, your browser is actually loading content from many third-party sites. The graphic below shows the number of third-party sites contacted when loading CNN.com.
Yes, that's 30 different third-party sites just by visiting CNN.com. Any one of them (an ad network, an analytics tag, a content delivery network) could be used to deliver malicious code to your end users' workstations.
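The count in the graphic can be reproduced for any page by parsing its HTML and collecting the hosts that tags such as `<script>`, `<img>` and `<iframe>` pull from. The script below is an added example, not code from the original post or a GCSIT tool: the HTML is a constructed stand-in for a news front page (the `.example` hostnames are reserved names, and nothing is fetched from the network), and the "registrable domain" helper is a deliberate simplification that a real inventory would replace with the Public Suffix List.

```python
"""Inventory the third-party hosts a web page pulls content from.

Added example (not from the original post): the HTML below is constructed
and no network request is made.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes whose value the browser fetches (and, for script/iframe, executes).
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),       # only when rel="stylesheet", see below
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}
CODE_EXECUTING_TAGS = {"script", "iframe", "embed", "object"}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Fine for .com/.net/.org in this
    example; a production tool must use the Public Suffix List ('bbc.co.uk')."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class ThirdPartyCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = registrable_domain(urlparse(page_url).hostname or "")
        self.hosts = {}   # host -> set of tag names that loaded from it

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return   # canonical/alternate links are not fetched
        for attr in FETCH_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if not url:
                continue
            # urljoin resolves relative paths and scheme-relative "//host/..." URLs
            host = urlparse(urljoin(self.page_url, url)).hostname
            if host and registrable_domain(host) != self.first_party:
                self.hosts.setdefault(host, set()).add(tag)


def third_party_hosts(page_url, html):
    """Map each third-party host to the tags that loaded it."""
    collector = ThirdPartyCollector(page_url)
    collector.feed(html)
    return collector.hosts


def code_executing_hosts(hosts):
    """Third parties that can run code in the user's browser, not just show pixels."""
    return sorted(h for h, tags in hosts.items() if tags & CODE_EXECUTING_TAGS)


PAGE_URL = "https://www.news-example.com/"

# Constructed front page: one first-party CSS file, one first-party image,
# and five distinct third parties (one script is included twice on purpose).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="//static.news-example.com/site.css">
<link rel="canonical" href="https://www.news-example.com/">
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="https://ads.adnetwork-example.net/serve.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="https://pixel.tracker-example.org/p.gif?id=1">
<iframe src="https://player.video-cdn.example/embed/42"></iframe>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="https://www.social-widget.example/like.js"></script>
</body></html>
"""

if __name__ == "__main__":
    hosts = third_party_hosts(PAGE_URL, SAMPLE_HTML)
    print(len(hosts), "third-party hosts:", sorted(hosts))
    print("can execute code:", code_executing_hosts(hosts))
```

Run it against the saved HTML of a real front page and the list is usually longer than the graphic suggests, because each third-party script loads its own dependencies once it executes, which a static parse cannot see. The hosts flagged by `code_executing_hosts` are the ones that matter most for the "any one of those sites" argument: a compromised image server can at best serve an exploit file, while a compromised script or iframe origin runs in the user's browser session.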
Other attack methods include malicious pop-ups warning unsuspecting users that their computer contains malware and urging them to install a program to fix it. The claim is false, but the average user often won't realize it and will try to do the right thing by "fixing" it themselves. Unbeknownst to them, they're installing the malware.
3. External Devices  It takes very little effort to place a malicious payload on a USB device. A drive can be configured to auto-run the malicious file, or loaded with a .pdf that has a malicious executable embedded in it.
For example, if I took 10 USB thumb drives, labeled them with something like “Executive Bonuses – 2015”, and “dropped” one at several building entrances or within the building lobby, what are the chances that someone will look at the files on that drive?
Open source penetration testing platforms like Metasploit have the built-in capability to embed malicious executables within common file formats such as .pdf. All I would need to do is craft that embedded executable to open a connection back to my listening computer, and as soon as the file is opened, I have a foothold on your internal network.
Mitigating the threat of these types of advanced attacks requires a multi-pronged approach:
1. Education  End users are our weakest link, but also our first line of defense. It's important to have an active awareness program that not only gives users the information they need to identify suspicious emails or web traffic but also tests their readiness. Simply sending out emails on a regular basis about these topics does not go far enough.
Organizations should regularly conduct internal phishing exercises to educate employees and identify areas of weakness within the organization.
2. Gateway Protection  Preventing these attacks from entering your network should be the first layer of technical defense. Next-generation firewalls and security platforms like FireEye and Palo Alto Networks provide these defenses along with deep visibility into your inbound and outbound traffic. Rather than relying on signatures alone, these devices detonate attachments and follow links in a sandbox and decide whether the content is malicious based on how it behaves. It's critical that your protection strategy have the capability to identify unknown malware. Further, these devices correlate events across vectors to give you the intelligence needed to combat advanced attacks.
3. Endpoint Protection  Let's face it, end users don't always make good decisions. An effective endpoint protection strategy is critical to ensuring complete security coverage of your environment. Your endpoint protection strategy should have a few key characteristics:
Monitored – As with any security technology, your endpoint protection should be constantly monitored.
Performance – A system scan shouldn’t take 2-3 hours and installation of an endpoint security solution should not degrade system performance.
Non-signature based – Your endpoint protection solution should have the capability to identify previously unseen threats by certain behavioral characteristics.
Recovery – The ability to recover from a malware infection should not require a system reformat. Endpoint protection software should have the ability to roll-back the system to a previously uninfected state.
Managing a complex cyber defense infrastructure requires expertise that most organizations do not have. At GCSIT, our security engineers are trained and certified to design, implement, manage, and monitor your security infrastructure.
Start the conversation today by emailing firstname.lastname@example.org and one of our security experts will get in touch with you shortly.
Infrastructure – FireEye, Palo Alto Networks, Cisco
GCSIT Managed Services – Awareness training, log monitoring (SIEM), Endpoint Security, Patch Management, Email Security, Backup and Disaster Recovery
Professional Services – Incident Response, Forensics, Vulnerability Assessment, IT Audit