eSentire Blog

OCIE-SEC and FINRA Release Groundbreaking Cybersecurity Guidance Reports

Posted by Mandy Bachus on Wed, Feb 11, 2015 @ 01:30 PM

by: Eldon Sprickerhoff

EldonSprickerhoff

The Office of Compliance Inspections and Examinations (OCIE) Securities and Exchange Commission (SEC), has released its hotly anticipated examination sweep summary results. The report summarizes the responses gathered from 100+ registered broker-dealers and investment advisors, as part of an initial fact-finding mission. The 28-point questionnaire was widely regarded as the first step toward the introduction and implementation of an industry-wide Cybersecurity Examination Initiative.

As previously reported, the OCIE-SEC will proceed with in-depth, independent testing not only in the U.S., but abroad. Testing is expected to delve deeper into areas evaluated through the initial 28-point questionnaire. The investigative phase was designed to give the SEC a better understanding of overall industry preparedness when it comes to cybersecurity.

Collectively, questions focused on the examined firms’ overall comprehension of the data they own, legislation that may regulate that data, existing cybersecurity risks and how they’re defending against those risks.

The findings promisingly highlight that a large number of participating firms have developed written security policies (93% of broker-dealers and 83% of advisors).

Results also indicate that a number of respondents have introduced proactive measures that include conducting regular risk assessments (93% of broker-dealers, 79% of advisors) and employing cybersecurity insurance (58% of broker-dealers, 21% of advisors).

Interestingly enough, industry regulatory authority FINRA (The Financial Industry Regulatory Authority) has also released an indispensable tool, dubbed the Report on Cybersecurity Practices (released February 2015).

As the SEC announced its Cybersecurity Examination Initiative in 2014, FINRA launched a targeted examination sweep to (similarly) gain an understanding of threats and vulnerabilities facing the industry today. The sweep was part of an ongoing FINRA cybersecurity initiative, which initially kicked off in 2007. FINRA’s extensive report details observations and findings that provide firms with incredible insight into key priorities as they work to strengthen their cybersecurity posture.

FINRA’s report groups its findings under several headings. Those include:

 - Cybersecurity governance and risk management

 - Cybersecurity risk assessment

 - Technical controls

 - Incident response planning

 - Vendor management

 - Staff training

 - Cyber intelligence and information sharing

 - Cyber insurance

FINRA describes the report as ‘an approach to cybersecurity grounded in risk management’, something that we at eSentire respect and staunchly promote.

Together, these two reports highlight the complexity of an industry undergoing radical change to confront evolving cybersecurity risks. Firms participating in these exams and fact-finding interviews are blazing a trail for the industry not just on a national platform - but also on a global stage. There’s no question that cyber threats will continue to pose significant risk to the industry. And while the ramifications from regulatory intervention may seem daunting, the resources developed as a result are critical tools that will help to defend the industry from cyber risk. 

Download the ‘Juggling Regulatory Compliance Strategies’ webinar from eSentire on demand to learn more about the SEC and FINRA findings.
Eldon Sprickerhoff is Founder and Chief Security Strategist at eSentire.

Tags: Compliance, Hedgefund Security, SEC Regulatory Developments

The Jury is In: LegalTech New York Highlights Industry Cybersecurity Risk

Posted by Mandy Bachus on Wed, Feb 11, 2015 @ 09:32 AM

by: Mark Sangster

MarkSangster2Last week eSentire participated in LegalTech New York, the legal industry’s largest technology event of the year. This annual conference provides firms and legal departments with practical tips that they can adopt to improve the way that their practice is managed. This year’s event offered an assortment of trend discussions, with the overarching theme focused squarely on cybersecurity and data protection.

The legal industry continues to face mounting pressures from government and industry regulators as they work to address cybersecurity defense gaps. And while it’s evident that there’s been a shift in thinking when it comes to cybersecurity defense planning, the industry remains largely unregulated.

Law firms have become a popular target with cybercriminals looking for easy access to rich data. With one strike, cybercriminals can interrupt mergers and acquisitions, manipulate business transactions or acquire business and client data. Contrary to what many might believe, small and medium-sized firms are just as vulnerable to attacks as larger firms. All client data is a target.

eSentire presented an emerging technology talk track at LegalTech New York to highlight industry recommendations and help firms understand how those new standards can be applied.

Attorney and author Jill D. Rhodes recently published The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, a resource that is informally regarded as the industry's cybersecurity roadmap. The book helps to define cyber and data security risk and best practices, describes data security and lawyers’ legal and ethical obligations to the client.

Perhaps of greatest interest are the top ten measures that all firms should consider to defend their firm against cyber attacks. Recommended measures suggest that firms:

 1. Evaluate their cybersecurity risk profile.

 2. Evaluate client-specific data security considerations (regulatory).

 3. Organize and empower an information security and data governance committee.

 4. Appoint a Chief Information Security Officer (CISO/CSO) to run day-to-day operations.

 5. Define and implement an auditable, security program.

 6. Establish a stringent requirement for data security (in-house and vendor).

 7. Develop a security incident response protocol to address breaches.

 8. Develop controls on Internet access and personal devices (BYOD).

 9. Educate lawyers and staff within the firm of their cybersecurity obligations.

 10. Conduct routine audits and conduct vulnerability assessments.

Ms. Rhode’s suggestions reinforce the advice that eSentire regularly shares with clients as they work to beef up their cybersecurity defenses. At eSentire, we recognize that breaches are inevitable. The key in managing risk is to shift thinking from simply blocking and prevention to Detection and Response. Knowing where to start can be a challenge, so we’ve developed a best practices framework specifically for law firms to help build out (or expand) cybersecurity initiatives.

While last week’s conference emphasizes the real and present danger that cyber threats pose to the industry, attendees also made it clear that the industry is committed to strengthening its cybersecurity stance.

Download eSentire’s Cybersecurity Series Webinar to learn more about eSentire’s Best Practice Recommendations for Law Firms.

Mark Sangster is Vice President of Marketing at eSentire.

Tags: Security Recommendations, Legal Cybersecurity

Preparing for the Cybersecurity Paradigm Shift

Posted by Mandy Bachus on Tue, Feb 03, 2015 @ 01:54 PM

by Eldon Sprickerhoff

EldonSprickerhoffAt eSentire, we take our business seriously. We’re passionate about the work that we do and acknowledge the unique risks that clients specifically operating in the financial space face on a daily basis. To gain recognition for the work that we do in any capacity is icing on the cake.

Thus, we’re honored to have received the Best Security Solution and Most Innovative Technology Solution awards at this week’s HFM US Technology Awards gala!

And while we’re grateful for moments like this, we recognize that our work is far from over. The frequency and complexity that we see with cyber attacks today is only going to continue to grow. Organizations operating in the financial space in particular have felt increasing pressure with the introduction of a 28-point cyber review questionnaire and looming U.S. Securities and Exchange Commission’s (SEC) Office of Compliance, Inspections and Examinations (OCIE) testing.

Several months ago the SEC launched the first round of cyber reviews, targeting 100+ firms as part of an initial fact-finding mission. The feedback gathered in this stage was meant to provide a snapshot of the industry’s overall cybersecurity posture while providing context for upcoming industry-wide examinations.

The original timeline detailed by the SEC suggested that industry-wide examinations would launch in September of 2014. It was expected that the results of the cyber reviews would provide a glimpse into what the exams would bring.

Just last week, HFMWeek Online reported exclusively that after months of speculation, the SEC is ready to announce next steps. The first of which will focus on independent testing, which is expected to be more thorough than that experienced with the 28-point questionnaire. OCIE Director Drew Bowden suggested that while the information collected through the 28-point questionnaire was informative, it in no way declared the preparedness of the industry.  

If anything, the SEC’s initiative has spurred a radical shift in thinking. The OCIE expects that a summary of its questionnaire findings may be released sometime in March. In the meantime, plans are also underway to expand testing abroad (Europe, the UK and Asia).

The after-effects of last year’s record-breaking breaches continue to permeate the industry. Firms of all scale and scope recognize the very real risk of threats today. The SEC is just one regulatory association taking action to protect the national economy, and global assets. At eSentire, we recognize that education and preparation are fundamental steps in maintaining a sturdy cybersecurity posture. Taking a proactive stance can help firms protect their assets while preparing for any regulatory ask that might come their way.

In the spirit of planning, we’ve issued incident response and information security policy guidance framework documents. The checklist-style documents, available at no charge, provide an actionable framework for responding to and managing a proactive cybersecurity defense posture. Both documents have been released under a Creative Commons license (Creative Commons Attribution Non-Commercial (by-nc). Resources like these framework documents are a critical tool that firms can employ to build out fundamental cybersecurity plans and considerations. At eSentire we live by the adage that an ounce of prevention is worth a pound of cure. Last year’s radical paradigm shift exemplifies that point.

Eldon Sprickerhoff is Founder and Chief Security Strategist at eSentire (http://www.esentire.com)

Tags: US government security, Security Recommendations, Hedgefund Security

Would Active Threat Protection from eSentire Have Prevented the Sony Hack?

Posted by Mandy Bachus on Thu, Jan 15, 2015 @ 08:30 AM

by J.Paul Haynes

jpaulIn the weeks that have passed since the well-publicized Sony breach I have been asked the same question dozens of times, ‘could eSentire’s services have prevented this breach?’ I should say eSentire does not have all the details about this particular breach and we are relying on recent comments issued by FBI Director James Comey and Sony’s own CEO to give us insight to make a determination. In short, the answer is that there is a high probability that the type of threat Sony experienced would have been detected and contained had continuous monitoring like that provided by eSentire, been employed.

Regardless of how the threat actors (or hackers), gained initial network entry access, the resulting breach actually would’ve taken several weeks to achieve, not days. The combination of state-of-the-art detection technologies and human monitoring  – the core premise of Active Threat Protection – would have immediately flagged inconsistencies associated with the attack.

When a breach of this level occurs there are several red flags that arise before the damage is done. The key to preventing a serious breach is to identify the significance of those red flags and actively mitigate the harm. Here are some examples of the inconsistencies that should have set off alarm bells:

1. Numerous external connections using non-company proxy servers (eSentire Solution: Network InterceptorTM to identify the connection attempts and Asset Manager Protect and Country Killer to recognize blacklisted IP addresses).

2. Lateral movement within the network originated from different hosts (eSentire Solution: Network InterceptorTM and Host Interceptor).

3. For exploit deployment, numerous payload drops would have to occur (eSentire Solution: Active Forensics, Network InterceptorTM and Executioner).

4. Changes in logging, as privileges were escalated to gather the necessary data to extract (eSentire Solution: Log SentryTM).

5. Finally, Active Threat Protection would have caught and alerted a threat analysis as a result of the 100 TB data exfiltrating, as described by Sony’s CEO (eSentire Solution: Active Forensics and Network InterceptorTM).

In the world of Active Threat Protection, we act on each of these signals immediately. The elements of this attack are what we detect and block everyday. Intricate attacks such as these are becoming commonplace – so much so that leading analyst firm Gartner Research published a best practices framework (in 2014) to help organizations defend against and mitigate against these kinds of targeted attacks.

As we have seen with the case of Sony, the clean up work involved after a breach has occurred is far more complex and expensive than the preventative measures available to stop and prevent this level of damage.

Without forensic-level network traffic at your disposal, the job of tracking down the culprits and retrieving data is immeasurably more difficult – approaching impossible. In hindsight it is easy to say, “I should have used a working fire alarm,” after you’ve experienced a house fire. In the same way, we don’t want a business to find out too late that they could have had protection measures in place to protect their high value assets.

When we revisit the question of whether Active Threat Protection would help to prevent a breach like Sony’s, the answer is that every indicator points to yes.

J.Paul Haynes is CEO at eSentire (www.esentire.com).


Tags: Active Threat Protection, Data Breach

Just another day at the office: protecting clients from complex threat networks with Active Threat Protection from eSentire

Posted by Mandy Bachus on Wed, Dec 03, 2014 @ 02:38 PM

by J.Paul Haynesjpaul

On Dec. 1, a large US-based cybersecurity firm received extensive international media coverage for a reported cybersecurity incident. The incident focused on a threat actor classified as “FIN4”. Reports describe an active targeted phishing campaign with a focus specifically targeted at “the emails of C-level executives, legal counsel, regulatory risk, and compliance personnel, and other individuals who would regularly discuss confidential, market-moving information”.

The technique uses spear-phishing emails to gather credentials from users and return them back to the “FIN4” Command and Control servers (CnC) where the login credentials are then used to log into the users webmail remotely through TOR to escalate the attack. Again the level of angst was escalated further.

While this news article may be the first mention of “FIN4”, eSentire has been tracking and mitigating this very activity for more than a year. Late in 2013, eSentire issued a service advisory to its client base giving visibility to a .docm file circulating through the hedge fund atmosphere. At the time, eSentire’s Security Operations Center flagged what is now known as “FIN4” activity at its earliest inception. Then, the intent of the attack was the same: to drive a spear-phishing campaign with the explicit intent of accessing sensitive financial data in the hedge fund market through credential harvest.

The story surrounding “FIN4” is an important one, however, a story like this reminds us of the complexity and challenges faced by the Information Security industry. Complicated threats like these don’t pop up overnight. Dedicated forensics is critical in identifying and managing threats of this nature. eSentire clients have not been affected by “FIN4” attacks thanks to our Security Operations Center’s ongoing forensics and layered Active Threat Protection services.

What is it about the eSentire approach to Active Threat Protection that’s so unique? We’re able to see and mitigate threats of this nature through continuous monitoring. eSentire analysts continually monitor ALL our client’s network traffic, looking for signs of atypical behavior by utilizing ‘operationalized forensics’ - a technique pioneered by eSentire - which is the continuous analysis of all traffic flowing into and out of client networks.

As with the attack initially detected by eSentire in 2013, when a compromised word document containing the macro executes and connects to an external server and transfers data - in this case user credentials to an unfamiliar IP destination - we notice those unusual behavioral signals and immediately scrutinize it.

With our DVR-like capabilities, our skilled threat analysts rewind and replay the traffic and critically analyze it. If the traffic looks malicious, we block that specific connection on that customer’s network. Next, the block is propagated to all other eSentire subscriber networks through our Asset Manager Protect service, ensuring all clients are protected from the threat in question. At eSentire, this is standard operating procedure, 24/7/365, whether during business hours on Wednesday or at 2AM on Sunday.

If your first visibility into a major attack network like that publicized this week comes from a best-in-class forensic firm, the horse is likely already out of the barn. At this stage of breach you are also calling lawyers, regulators and law enforcement. Even worse, you have spent at least three to five full years of what Active Threat Protection services from eSentire would have cost. Let’s not rule out impact to reputation and brand which can trigger in a New York minute.

With Active Threat Protection from eSentire, clients benefit from immediate threat isolation, mitigation and real-time reports. Quite literally we are talking about an ounce of prevention versus a pound of cure. 

There’s a reason why eSentire is the trusted, award-winning security services provider to more than 450 financial services firms, legal, extractive and healthcare organizations. We can comfortably lay claim to pioneering Continuous Advanced Threat Protection, which leading analyst firm Gartner Research began covering in June 2014 as a best practices framework for defending against cybersecurity attacks.

In our world, managing and mitigating a threat like “FIN4” is simply another day at the office.

J.Paul Haynes is CEO at eSentire (www.esentire.com).

Tags: Active Threat Protection

Phishing Expedition: Protect Your Organization from Phishing Exploits

Posted by Mandy Bachus on Mon, Nov 10, 2014 @ 04:35 PM

by Eric Ritter

EricRitterTwo months ago, Home Depot announced it had been the target of an elaborate hack through a third-party vendor. The attack successfully embedded software within thousands of self-checkout machines across Canada and the United States, which silently harvested credit card information for months.

Just last week, new reports revealed more damage; in addition to the library of 56 million credit card accounts, hackers also gained access to 53 million customer email addresses. In the case of the Home Depot hack, cyber criminals accessed the enterprise with stolen vendor credentials, likely acquired through phishing campaigns.

The Home Depot hack is among several targeted major retailers this year. While businesses work to strengthen their cybersecurity posture, these attacks amplify the vulnerabilities of supply and distribution chains, and vendor systems used by countless organizations, regardless of industry.

Phishing scams are ubiquitous and often incredibly effective. ‘Smash and Grab’ describes attacks used to achieve quick monetary return, through access to specific financial data.

Spear-phishing is among a sub-set of phishing campaigns now gaining momentum. These attacks are far more surgical and often take more effort to execute. They target specific individuals within an organization, like a CFO or CEO. First cyber criminals gain access to the executive’s email account. Next they’ll drive the phishing campaign, usually by issuing a document to employee and requesting password confirmation for records update. In most cases employees will provide this information without hesitation, given that the source appears to be trusted.

These attempts are far more sophisticated than historical bids involving lottery or inheritance claims. Today, what we see are polished emails, perfectly branded to reflect a legitimate organization, like a trusted credit card company, bank or other vendor.

The objective is always the same – convince the recipient to enter their credentials by requesting identity verification. In a business setting, employees sifting through hundreds of emails daily could see such an email as innocuous, and click a link or submit credentials without thinking twice.

At eSentire, we see thousands of phishing attempts every week, and more than a dozen custom-crafted spear-phishing attacks.

So what can you do to protect your organization from the onslaught of phishing campaigns seeking to destroy and disrupt your organization? In addition to robust cybersecurity policies, staff training and education is critical. Be sure to communicate cybersecurity risks and the nuances of phishing to employees at any level across the organization.

In an era of multi-tasking and challenging workloads, employees must remain vigilant and cautious of suspicious emails as they are on the first line of attack. Legitimate organizations never ask clients or employees to click a link or enter confidential credentials via email or website submission. And if ever in doubt, don’t respond. Odds are an authentic request would be communicated by some other means.

Our motto at eSentire: don’t take the bait and don’t click the link.

Eric Ritter is Director, Security Operations Center and Client Experience at eSentire (www.esentire.com).
 Read more on phishing threats in this month’s issue of HFMTechnology.

 

Tags: Spear Phishing attack

ShellShocked: The Effects and Implications of the New "ShellShock" Exploit

Posted by Mark J. McArdle on Fri, Sep 26, 2014 @ 11:19 AM

markMcArdleeSentire has visibility into significant activity related to the “ShellShock” exploit (CVE-2014-6271 & CVE-2014-7169).

Our take: ShellShock is a powerful remote execution exploit affecting many systems running Bash on Linux and Mac OS. While this vulnerability was publicly disclosed September 24, it has the potential to be more damaging than Heartbleed. The primary resources at risk are Internet-facing services that utilize Bash, but there are also risks to consumers running Mac OS and Linux on their laptops and desktops. While Heartbleed was a narrow and focused event that was exploited by those with extensive technical knowledge, ShellShock enables attackers with very basic programming knowledge to launch command shells on a remote system and then have that shell execute any command permitted by the permissions configured on that system. 

Take action: A patch for Bash is now available, and everyone should be applying this patch as soon as possible. Unfortunately, there currently isn’t a patch available for Mac OS. eSentire has outlined several proactive actions for enterprises and will continue to release updates on ShellShock as it develops.

eSentire Security Operations Center (SOC) analysts have real-time access to attack traffic through our full packet capture and archiving, and can investigate not just the superficial aspects of the attack reported in event logs, but understand the specifics of the attack script. We can identify the payloads it may have brought down, the commands and file access it attempted etc. eSentire analysts also witnessed attackers attempting to perform reconnaissance and compromise systems by installing malware through simple scripts. 

Our analysts interpret events in real-time and utilize advanced tools that make security event information immediately actionable. In the case of ShellShock we were able to protect our client networks from potential exploits as they evolved. And with a capability we call Targeted Retrospection, we can rewind our analysis DVR-style to check if any attacks were attempted before Shellshock was publicly disclosed; this helps us identify previously compromised systems and significantly reduces the impact of an attack.

While traditional log information can tell you a specific attack signature has been invoked, attack signatures are generalized to be useful against a class of exploit and not just a specific instance.  When they get a hit, they record the event, but not the specifics of the attack payload. There is no forensic capability in a log file when it comes to attacks like this and we don’t think that’s a very effective approach to Continuous Advanced Threat Protection.

In the meantime, you can learn more about ShellShock through these resources:

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

 https://access.redhat.com/security/cve/CVE-2014-6271

 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Mark J. McArdle serves as Chief Technology Officer for eSentire.

When Fiction Becomes Fact: Cyber Espionage on the Rise

Posted by Mandy Bachus on Wed, Aug 13, 2014 @ 04:23 PM

While cyber espionage has long been the lure of many thrilling Hollywood stories, it’s fast become headline news, splattered regularly throughout the pages of national publications. Take this recent admission from the National Research Council  (NRC) for example: Canada’s premier research and technology organization announced a major IT systems breach, which allowed perpetrators access to R&D data specific to aerospace, genetically modified foods, medical diagnostics and more. The Canadian government publically singled out China, while China, in return denied the “groundless” allegations.  This comes hot on the heels of the White House’s groundbreaking motion to file criminal charges against five Chinese army officers for alleged cybercrimes and cyber espionage.

As nation-state actors pursue government secrets, a slew of other threat actors lurk, quietly chasing intellectual property that is equally as valuable. The Cyber Security Protection Alliance released a study that noted that last year, 69% of Canadian businesses reported some kind of attack over a 12-month period. If recent news stories are any indication, this trend will unquestionably continue its steep incline.

At eSentire, we continue to partner with a multitude of organizations that recognize the need to evaluate and augment their security posture. Whether financial institutions guarding trading data, law firms protecting client information or extractive industries battling hacktivists, our Active Threat Protection platform protects clients and prevents attacks with real-time detection and mitigation, 24/7. We keep our clients OUT of the headlines, and provide aggregate reports that detail each and every blocked attack.   

If cyber criminals can penetrate government infrastructure, they will easily (and successfully) target organizations with a weak security posture. This Fall, eSentire will appear at a variety of industry conferences providing a platform for cyber security discussion and understanding. Don’t wait to become a headline – get the information you need to improve your security posture today.

Tags: cyber security, Active Threat Protection, Cyber Espionage

The Cyber Security Grand Slam

Posted by Mark Sangster on Mon, Mar 31, 2014 @ 09:00 AM

The long winter is over: today is the official opening day of the 2014 major league baseball season. Here in the Toronto area we are cautiously optimistic over the Blue Jays’ prospects while thinking very fondly of the 1992-93 seasons.

Of course, back in the early 1990s cyber crime wasn’t the big deal it is today. Back then the interconnected world in which we now live was just starting to take shape. Today, everything from bank assets and personal credit card data to intellectual property and trade secrets all reside on corporate networks that clever cyber criminals relentlessly target.

basball diamond resized 600

At eSentire, it occurred to us that the game of baseball provides a good analogy for cyber security preparedness and attack response.

Maximizing your cyber security posture can be likened to rounding the bases:

  • First Base. Many security products and services will get you here. They monitor events and even stop threats with a known signature. This is a basic capability every company needs, but it only gets you to first base.
     
  • Second Base. Some products can detect threats that got by first base, usually by analyzing aggregated log data.
     
  • Third Base. There are services such as legacy Managed Security Services Providers (MSSP) that will notify you, via an automated alert, email, or a phone call, that a suspected breach has occurred.

Now what? Getting from third base back to home is the great conundrum of the cyber security industry.

The vast majority of cyber security products and services concentrate on prevention. Very few offer practical remediation assistance.

Once they’ve notified you, the MSSP considers their job done, but you’re stuck on third base while your systems are being ransacked.

Cyber security has become an incredibly complex field. The only way to fully address a serious security incident such as an advanced threat or a zero day attack is with the help of trained experts.

In baseball, a pinch hitter is such an expert, who acts as a substitute batter. The team manager can use any player who has not yet entered the game as a substitute, and the tactic is often used to place specialized skills (base hitting ability) at the plate when they are most needed.

When a cyber attack commences, companies are facing a crisis situation. They need cyber security pinch hitters on their team – and they need them now. At eSentire, we call this Active Intervention.

Our Network Interceptor solution includes the concept of Embedded Cyber Security Incident Response. That is, our experts are already on your team, monitoring network events in the background. When a real threat unfolds, they are like a pinch hitter – ready to enter the game and get you back to home plate 

Any company that relies on a cyber security program without Active Intervention is operating without a safety net. They are doomed to be stranded on, at best, third base when a difficult security incident happens.

It’s tough (and expensive) to bring in experts when they aren’t already on your team. This year, you can take steps to maximize your cyber security posture by incorporating Active Intervention into your security program.

Go Jays.

Tags: cyber security, Embedded CSIR, Cyber Security Incident Response

Notes from RSA: It's Not Your Security Budget, It's How You're Spending It

Posted by Mark Sangster on Wed, Mar 05, 2014 @ 10:02 AM

One resounding theme to emerge from this year’s RSA Conference is that IT security budgets are skewed too much towards automated prevention technology and not enough towards incident response.

In a keynote, Art Gilliland discussed this over-investment on the prevention side, noting that it consumes the overwhelming majority (86%) of annual cyber security spend.

An intriguing session on Security Shelfware detailed how a surprising number of SIEM (and other) security products end up gathering dust instead of being actively used.

In a panel discussion on cyber security incident response, Ponemon Institute founder Larry Ponemon explained what’s behind the scarcity of CSIRT resources, recommending greater investment in incident response.

Then, on the RSA’s final day, Jay Leek – CISO at Blackstone – weighed in from the user’s viewpoint: A CISO’s Perspective: Protecting with Enhanced Visibility and Response.

This valuable session argued for reallocating IT security investment, moving some money from Prevention (where a lot of shelfware exists) to Visibility, Intelligence – and the underfunded Reactive area, upgrading it to a Planned Response footing.

Leek noted that the cost of response has sharply increased, up 75% from $200k to $341k per incident in 2011 – and we can be certain that the cost in 2014 is even higher. Unfortunately, the cost to attackers is much lower. In one slide Meek showed that attackers could breach a company over 2,000 times before spending as much as the company spends on a single incident.

These trends are not sustainable, according to Leek. To mitigate such high costs, investment in incident response, not just prevention, is needed.

This investment can take a variety of forms.

  • For better Visibility, organizations should acquire technology that provides real time awareness of network events, thus collapsing the time delay inherent to SIEM products that rely on system and device logs.
     
  • For greater Intelligence, defenses can be tuned based on behaviors and attack profiles.
     
  • For Planned Response, you need trained security analysts who have ready, real time access to actionable forensics.

The market for Prevention-focused products is saturated – but for vendors it’s a lot easier to program a product to identify and stop known threats than it is to provide a solution to an incident that has unknown attributes.

Response is difficult to automate. For serious threats, effective response always requires human expertise. You need security analysts who know how to examine the forensics and what actions to take.

Having ready access to this kind of expertise is a challenge – as Jon Oltsik noted in his session on the Security Skills Shortage.

Small to midsize companies with stretched IT resources are particularly exposed in the skills area – how can they make the investments all of these speakers have recommended?

There’s good news. The new field of Active Threat Protection is designed for just this sort of balanced approach to cyber security.

Key attributes of Active Threat Protection include the acquisition of network data in real time, the ability to detect suspicious behaviors, and Active Forensics that help to eliminate false positives while highlighting the real potential threats.

These capabilities are topped off by Embedded Cyber Security Incident Response, which is the integration of trained security analysts into the mix as network events are being assessed – instead of after a crisis has erupted when it’s too late to minimize the damage.

Active Threat Protection is surprisingly affordable, giving companies a practical way to rebalance their IT security budgets for greater impact and better ROI as numerous RSA sessions have recommended.

It enables organizations to increase their Visibility, develop greater threat Intelligence, and include active expertise into their Planned Response processes – all of which dramatically reduces the cost of handling an incident while maximizing cyber security protection.

Tags: cyber security, Active Threat Protection, RSA, Cyber Security Incident Response

    Subscribe by Email

    Follow Me