Charles Leaver – New Verizon DBIR Report Continues With The Same Message

Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO

Verizon Enterprise has released the 2016 Data Breach Investigations Report, which reviews 64,199 security incidents resulting in 2,260 confirmed breaches. Verizon defines an incident as a compromise of the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than enduring them, Verizon offers several sections of recommended controls for security-conscious enterprises. If you don’t care to read the full 80-page report, Ziften offers this analysis of the Verizon DBIR with a focus on the recommended controls that EDR can support:

Vulnerabilities Recommended Controls

A solid EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including exposure timelines that show how effective vulnerability management actually is. The exposure timelines matter because Verizon stresses a systematic approach that emphasizes consistency and coverage, as opposed to haphazard, convenience-driven patching.

Phishing Recommended Controls

Although Verizon recommends user training to reduce susceptibility to phishing, its data still shows almost a third of phishing messages being opened, with users clicking the link or attachment more than one time in ten. Bad odds if you have at least ten users! Given that a click-through compromise is inevitable, Verizon recommends investing in detection of unusual network activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR solution will not only track endpoint network activity but also filter it against network threat feeds that identify malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which enriches network flow data with endpoint context and attribution so that SOC staff have the decision context they need to resolve network alerts quickly.
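To make the detection step above concrete, here is an added example (not Ziften code and not from the DBIR) that filters endpoint connection records against a small threat feed and keeps the process and user attribution attached to every hit, which is the context a network-only alert lacks. The record fields, the feed entries (documentation IP ranges) and the list of processes expected to open sockets are all constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed endpoint network record: who, on which host, from which process,
# connected where. An EDR agent would emit something similar per connection.
@dataclass(frozen=True)
class Connection:
    host: str
    user: str
    process: str   # image name of the process that opened the socket
    dst_ip: str
    dst_port: int

# Constructed threat feed: destination ranges labelled by the infrastructure role
# they are associated with. The addresses are from the TEST-NET documentation ranges.
THREAT_FEED = {
    "198.51.100.0/24": "c2",
    "203.0.113.7/32": "exfil",
}
_FEED = [(ip_network(cidr), label) for cidr, label in THREAT_FEED.items()]

# Constructed allow-list of processes that normally talk to the network; a feed hit
# from anything else (an office document viewer, for instance) is prioritised.
EXPECTED_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe"}


def feed_lookup(dst_ip: str) -> Optional[str]:
    """Return the feed label for a destination, or None if it is not listed."""
    addr = ip_address(dst_ip)
    for net, label in _FEED:
        if addr in net:
            return label
    return None


def match_connections(conns: List[Connection]) -> List[dict]:
    """Alert on every connection whose destination is in the feed, with attribution."""
    alerts = []
    for c in conns:
        label = feed_lookup(c.dst_ip)
        if label is None:
            continue
        priority = "high" if c.process not in EXPECTED_NETWORK_PROCESSES else "medium"
        alerts.append({
            "host": c.host,
            "user": c.user,
            "process": c.process,
            "dst": f"{c.dst_ip}:{c.dst_port}",
            "feed_label": label,
            "priority": priority,
        })
    return alerts


# Constructed sample: one benign connection, one document viewer reaching a C2 range,
# one browser reaching a flagged exfiltration host.
SAMPLE = [
    Connection("ws-17", "alice", "outlook.exe", "192.0.2.10", 443),
    Connection("ws-17", "alice", "winword.exe", "198.51.100.23", 8443),
    Connection("ws-22", "bob", "chrome.exe", "203.0.113.7", 443),
]

if __name__ == "__main__":
    for a in match_connections(SAMPLE):
        print(a)
```

The attribution is the point: a flow record alone says that ws-17 contacted 198.51.100.23, while the enriched alert says that winword.exe running as alice did, which is the difference between a ticket and an immediate phishing investigation.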

Web App Attacks Recommended Controls

Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR solution will monitor login activity and apply anomaly checking to spot unusual login patterns indicative of compromised credentials.

Point-of-Sale Intrusions Recommended Controls

Verizon recommends (and FireEye/Mandiant have also strongly recommended) strong network segmentation of POS devices. Again, a solid EDR solution should be tracking network activity to identify anomalous network contacts, and ZFlow in particular is of great value in providing decision context for suspect network activity. EDR solutions also address Verizon’s recommendation to monitor remote logins to POS devices. Along with this Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with login pattern anomaly monitoring, because even MFA can be defeated by MITM attacks.
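The login pattern anomaly monitoring mentioned here and in the web application section above is easy to sketch. The following is an added example, not Ziften code: it builds a per-user baseline of usual login hours and source networks from historical successful logins, then flags recent logins from a new network, outside the usual hours, or from two different networks within a short window (the pattern a stolen session token leaves even when MFA was satisfied). The login records and the /24 network grouping are constructed assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records: (user, ISO timestamp, source IP, success).
BASELINE = [
    ("alice", "2016-04-25T08:05:00", "10.20.30.12", True),
    ("alice", "2016-04-25T17:30:00", "10.20.30.12", True),
    ("alice", "2016-04-26T09:02:00", "10.20.30.15", True),
    ("bob",   "2016-04-25T09:10:00", "10.20.31.40", True),
    ("bob",   "2016-04-26T13:00:00", "10.20.31.40", True),
]

RECENT = [
    ("alice", "2016-05-02T09:15:00", "10.20.30.12", True),   # normal
    ("alice", "2016-05-02T09:20:00", "203.0.113.5", True),   # new network, concurrent
    ("alice", "2016-05-03T03:40:00", "192.0.2.77", True),    # new network, off hours
    ("bob",   "2016-05-02T13:05:00", "10.20.31.40", True),   # normal
    ("bob",   "2016-05-02T13:06:00", "10.20.31.41", False),  # failed, ignored
    ("carol", "2016-05-02T10:00:00", "10.20.32.9", True),    # no baseline at all
]


def net24(ip: str) -> str:
    """Group sources by /24 so a DHCP lease change does not look like a new network."""
    return ip.rsplit(".", 1)[0]


def hour_distance(a: int, b: int) -> int:
    """Distance between two hours of the day, wrapping at midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_login_baseline(logins):
    """Per-user set of usual login hours and usual source networks."""
    profile = defaultdict(lambda: {"hours": set(), "nets": set()})
    for user, ts, src, success in logins:
        if not success:
            continue
        t = datetime.fromisoformat(ts)
        profile[user]["hours"].add(t.hour)
        profile[user]["nets"].add(net24(src))
    return dict(profile)


def detect_login_anomalies(profile, logins, hour_tolerance=1,
                           concurrent_window=timedelta(minutes=30)):
    """Return findings for successful logins that deviate from the baseline."""
    findings = []
    last_seen = {}  # user -> (time, network) of the previous success in this batch
    for user, ts, src, success in sorted(logins, key=lambda r: r[1]):
        if not success:
            continue
        t = datetime.fromisoformat(ts)
        net = net24(src)
        reasons = []
        p = profile.get(user)
        if p is None:
            reasons.append("no baseline for user")
        else:
            if net not in p["nets"]:
                reasons.append("new source network")
            if all(hour_distance(t.hour, h) > hour_tolerance for h in p["hours"]):
                reasons.append("outside usual hours")
        prev = last_seen.get(user)
        if prev and prev[1] != net and t - prev[0] <= concurrent_window:
            reasons.append("concurrent sessions from different networks")
        last_seen[user] = (t, net)
        if reasons:
            findings.append({"user": user, "time": ts, "source": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_login_anomalies(build_login_baseline(BASELINE), RECENT):
        print(f)
```

A real deployment would learn the baseline over weeks rather than two days and would key on more than hour and network, but the structure is the same: the alert fires on deviation from the user's own history, not on a fixed rule.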

Insider and Privilege Misuse Recommended Controls

Verizon recommends that you “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR system naturally provides this capability. In Ziften’s case our product tracks user presence time periods and the user’s focus activities while present (such as foreground application usage). Anomaly checking can then identify unusual deviations in activity pattern, whether a temporal anomaly (i.e. something has changed this user’s normal activity pattern) or a spatial anomaly (i.e. this user’s behavior pattern differs substantially from peer behavior patterns).
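The temporal versus spatial distinction is worth seeing in code. This added example (not Ziften's implementation) scores a single daily activity metric per user two ways: against that user's own history (temporal) and against the peer group's values for the same day (spatial). It uses a median/MAD z-score rather than mean/standard deviation so that one user's spike does not hide a persistent outlier in the peer comparison. The metric (daily minutes of foreground use of a file-management application), the users and the numbers are constructed for the illustration.

```python
from statistics import median

# Constructed history: last five days of the metric for each user.
HISTORY = {
    "alice": [55, 62, 58, 60, 65],
    "bob":   [70, 68, 72, 75, 65],
    "carol": [40, 45, 50, 42, 48],
    "dave":  [148, 152, 155, 147, 150],   # consistently far above peers
    "erin":  [60, 55, 62, 57, 59],
    "frank": [64, 70, 66, 68, 62],
}

# Constructed values for today. alice has a sudden spike; dave is at his usual level.
TODAY = {"alice": 310, "bob": 71, "carol": 46, "dave": 150, "erin": 58, "frank": 66}


def robust_z(value, samples):
    """Median/MAD z-score; 1.4826 scales MAD to a standard deviation for normal data."""
    if len(samples) < 3:
        return 0.0
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)


def classify_user(user, today, history, threshold=3.0):
    """Score one user temporally (own history) and spatially (peers today)."""
    temporal = robust_z(today[user], history[user])
    peers = [v for u, v in today.items() if u != user]
    spatial = robust_z(today[user], peers)
    flags = []
    if abs(temporal) >= threshold:
        flags.append("temporal")   # this user changed relative to their own past
    if abs(spatial) >= threshold:
        flags.append("spatial")    # this user differs from the peer group
    return {"user": user, "temporal_z": round(temporal, 1),
            "spatial_z": round(spatial, 1), "flags": flags}


def scan(today, history, threshold=3.0):
    return {u: classify_user(u, today, history, threshold) for u in today}


if __name__ == "__main__":
    for result in scan(TODAY, HISTORY).values():
        print(result)
```

With these numbers alice is flagged both ways (a sudden change that also puts her far outside the group), while dave is flagged spatially only: nothing about his behaviour changed today, but his steady level is well above every peer, which is exactly the case a purely temporal baseline would never raise.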

Verizon also recommends tracking the use of USB storage devices, since they can serve as a “sneaker exfiltration” route; solid EDR products provide this tracking.

Miscellaneous Errors Recommended Controls

Verizon’s recommendations in this area focus on keeping a record of past errors to serve as a warning against repeating them. Solid EDR systems do not forget; they maintain an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future incident has uncovered an intrusion and response teams need to go back and “find patient zero” to unravel the incident and determine where mistakes may have been made.

Physical Theft and Loss Recommended Controls

Verizon recommends (and many regulators demand) full disk encryption, especially for mobile devices. A strong EDR product will verify that endpoint configurations comply with the enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost a hundred times more often than they are physically stolen, but the impact on the affected enterprise is essentially the same.

Crimeware Recommended Controls

Again, Verizon stresses vulnerability management and consistent, comprehensive patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This yields an accurate, up-to-date vulnerability assessment at any moment.
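The following added example shows the mechanics behind both this paragraph and the exposure timelines from the vulnerabilities section: match observed process image versions against NVD-style records and compute, per host and CVE, how long the exposure window was open, from the later of publication and first vulnerable observation until the first observation of a fixed version. This is illustration code, not Ziften's product logic or the NVD schema; the product name, the placeholder CVE identifiers and the observation dates are constructed, and versions are assumed to be dotted integers.

```python
from datetime import date
from statistics import mean

# Constructed NVD-style records. The identifiers are placeholders, not real CVEs.
NVD = [
    {"id": "CVE-PLACEHOLDER-001", "product": "examplelib", "fixed_in": "2.4.2", "published": "2016-01-15"},
    {"id": "CVE-PLACEHOLDER-002", "product": "examplelib", "fixed_in": "2.5.0", "published": "2016-03-01"},
]

# Constructed process image observations: (date seen, host, product, version).
INVENTORY = [
    ("2016-01-10", "ws-17", "examplelib", "2.4.1"),
    ("2016-02-01", "ws-17", "examplelib", "2.4.2"),   # fixes 001, still exposed to 002
    ("2016-03-20", "ws-17", "examplelib", "2.5.0"),   # fixes 002
    ("2016-01-10", "ws-22", "examplelib", "2.4.1"),   # never patched
    ("2016-01-05", "ws-31", "examplelib", "2.4.1"),
    ("2016-01-12", "ws-31", "examplelib", "2.5.0"),   # patched before either CVE was published
]


def parse_version(v: str):
    """Dotted integer versions compare correctly as tuples; a real tool needs vendor rules."""
    return tuple(int(p) for p in v.split("."))


def exposure_report(nvd, inventory, as_of: date):
    """One row per (host, CVE) with an exposure window, open or closed."""
    observations = {}
    for d, host, product, version in inventory:
        observations.setdefault((host, product), []).append(
            (date.fromisoformat(d), parse_version(version)))
    for records in observations.values():
        records.sort()

    report = []
    for (host, product), records in observations.items():
        for cve in nvd:
            if cve["product"] != product:
                continue
            fixed = parse_version(cve["fixed_in"])
            published = date.fromisoformat(cve["published"])
            first_vuln = next((d for d, v in records if v < fixed), None)
            if first_vuln is None:
                continue                       # never ran a vulnerable version
            start = max(published, first_vuln)  # exposure cannot predate disclosure
            end = next((d for d, v in records if d >= first_vuln and v >= fixed), None)
            if end is not None and end <= start:
                continue                       # remediated before the window opened
            days = ((end or as_of) - start).days
            report.append({
                "host": host, "product": product, "cve": cve["id"],
                "exposed_from": start.isoformat(),
                "remediated": end.isoformat() if end else None,
                "days_exposed": days,
            })
    return report


def summarize(report):
    """The timeline numbers a vulnerability-management dashboard would show."""
    closed = [r["days_exposed"] for r in report if r["remediated"]]
    open_ = [r for r in report if not r["remediated"]]
    return {
        "open": len(open_),
        "closed": len(closed),
        "mean_days_to_remediate": mean(closed) if closed else None,
        "max_open_days": max((r["days_exposed"] for r in open_), default=0),
    }


if __name__ == "__main__":
    rows = exposure_report(NVD, INVENTORY, date(2016, 4, 1))
    for row in rows:
        print(row)
    print(summarize(rows))
```

Note the ws-31 case: it ran a vulnerable version but was upgraded before either CVE was published, so it contributes no exposure; a tool that counted every vulnerable observation against the host would overstate the timeline.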

Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools do track the arrival and execution of new binaries, and Ziften’s system can acquire samples of any binary present on enterprise endpoints and submit them for comprehensive static and dynamic analysis by our malware research partners.

Cyber-Espionage Recommended Controls

Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening actions whose compliance can be verified by EDR tools.

Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can considerably enhance standard network flow monitoring with endpoint context and attribution, providing a blend of network and endpoint security that is truly end-to-end.

Lastly, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on-scene to assist in a breach crisis. This is the prime purpose of EDR tools, since the endpoint is the most frequent entry vector in a major data breach.

Denial-of-Service Attacks Recommended Controls

Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port usage by application and apply anomaly checks to recognize unusual application port usage that might indicate compromise.

Enterprise services migrating to cloud providers also require protection from DoS attacks, which the cloud provider may offer. However, when it comes to network traffic monitoring in the cloud, where the enterprise may lack network visibility, options like Ziften ZFlow offer a way to gather enriched network flow data directly from cloud virtual servers. Do not let the cloud be your network blind spot, or attackers will exploit it to fly under your radar.