ISSA International Web Conference: #ISSAWebConf
Breach Report Analysis – SWOT or SWAT?
http://www.issa.org/page/May2016
Welcome Conference Moderator
Jorge Orchilles Director, South Florida ISSA
Speaker Introduction
• Pete Lindstrom, Research Vice President – IDC
• Kevin Haley, Director, Symantec Security Response
• Bhavesh Chauhan, Principal Client Partner – Verizon
To ask a question:
Type in your question in the Chat area of your screen.
You may need to click on the double arrows to open this function.
Presentation – Setting the Metrics Stage
Pete Lindstrom
• Vice President for Security Strategies at IDC
• 25 years of industry experience as an IT auditor, IT security practitioner, and industry analyst
• Frequent contributor to USA Today, WSJ Online, Information Security Magazine, VAR Business, SearchSecurity.com, and CSO Magazine
Metrics: Setting the Stage
• Metrics are recurring measures that provide insight into EFFICIENCY and/or EFFECTIVENESS.
• Efficiency in IT security relates to speed and/or cost.
• Effectiveness in IT security relates to reducing risk.
• The primary goal of an IT security program is “to reduce the most risk for the least cost.”
Your Core Metrics Framework
Control Outcomes: True Negative, True Positive, False Positive, False Negative*
Populations (Assets): Company, Servers, Endpoints, Applications
Populations (Events): Connections, Sessions, Messages, Transactions
Financial Elements: IT Value (costs), Control Costs, Incident Costs, Possible Losses
Reference for summarizing the four control outcomes in one number: Matthews correlation coefficient, https://en.wikipedia.org/wiki/Matthews_correlation_coefficient
The One Security Metric to rule them all…
RISK-REDUCED per UNIT COST (RRUC)
Digging Deeper
• Elements can be classified and categorized as needed – location, business unit, tech platform, etc.
• Compliance metrics can be used to “keep score,” but often ignore efficiency and effectiveness.
• Duration metrics may provide some insight into efficiency.
• Attack surface and encryption metrics may address specific threats (physical, MITM, etc.).
How to use Industry Reports
Best usage:
• Actionability matters! (use metrics to compare with your own)
Challenges:
• Denominators matter! (e.g. populations and events that provide BASE RATES)
• Consistency matters! (definitions and sources stay the same every period)
• Skepticism matters! (be skeptical, but use other evidence, not your “gut”)
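The framework above in working code, as an added example (not IDC's code or anything from the slides): the four control outcomes over one event population, the rates they give, the MCC the framework slide links to, and RRUC. The session counts, loss figures and control costs are constructed. It also shows the "Denominators matter" point: at a 0.01% base rate a control that never fires beats a real detector on accuracy, while MCC scores it at zero.

```python
"""Core-metrics framework in code: the four control outcomes over one event
population, the Matthews correlation coefficient (MCC) that summarizes them,
and risk-reduced-per-unit-cost (RRUC).

Added example, not IDC's code. All counts and dollar figures are constructed.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class ControlOutcomes:
    """Outcomes of one control over one population of events (the denominator)."""
    tp: int  # malicious and flagged
    fp: int  # benign but flagged
    tn: int  # benign and left alone
    fn: int  # malicious but missed

    @property
    def events(self) -> int:
        return self.tp + self.fp + self.tn + self.fn


def base_rate(o: ControlOutcomes) -> float:
    """Share of the population that was actually malicious."""
    return (o.tp + o.fn) / o.events


def accuracy(o: ControlOutcomes) -> float:
    """Share of all events the control got right. Misleading at low base rates."""
    return (o.tp + o.tn) / o.events


def precision(o: ControlOutcomes) -> float:
    """Of everything flagged, the share that was really malicious."""
    flagged = o.tp + o.fp
    return o.tp / flagged if flagged else 0.0


def recall(o: ControlOutcomes) -> float:
    """Of everything malicious, the share the control caught."""
    malicious = o.tp + o.fn
    return o.tp / malicious if malicious else 0.0


def mcc(o: ControlOutcomes) -> float:
    """Matthews correlation coefficient: +1 perfect, 0 no better than ignoring
    the input, -1 perfectly wrong. Uses all four cells, so a control that flags
    nothing (or everything) scores 0 whatever its accuracy."""
    denom = sqrt((o.tp + o.fp) * (o.tp + o.fn) * (o.tn + o.fp) * (o.tn + o.fn))
    return 0.0 if denom == 0 else (o.tp * o.tn - o.fp * o.fn) / denom


def risk_reduced_per_unit_cost(loss_without: float, loss_with: float,
                               control_cost: float) -> float:
    """RRUC: expected loss avoided per currency unit spent on the control."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (loss_without - loss_with) / control_cost


def rank_controls(loss_without: float, candidates: dict) -> list:
    """candidates maps a control name to (expected loss with it, its cost).
    Returns [(name, rruc), ...], best value for money first."""
    scored = [(name, risk_reduced_per_unit_cost(loss_without, loss_with, cost))
              for name, (loss_with, cost) in candidates.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed population: 1,000,000 sessions in a year, 100 of them malicious.
SESSIONS = 1_000_000
MALICIOUS = 100
# A real detection control: catches 80 of the 100 attacks at the price of 900 false alarms.
DETECTOR = ControlOutcomes(tp=80, fp=900, tn=SESSIONS - MALICIOUS - 900, fn=20)
# A "control" that never fires.
DO_NOTHING = ControlOutcomes(tp=0, fp=0, tn=SESSIONS - MALICIOUS, fn=MALICIOUS)

# Constructed financials: expected annual loss with no control, and two candidates.
LOSS_WITHOUT = 500_000
CANDIDATES = {
    "detection-service": (100_000, 150_000),  # removes 400k of loss, costs 150k
    "patch-automation": (200_000, 50_000),    # removes 300k of loss, costs 50k
}

if __name__ == "__main__":
    for name, o in (("detector", DETECTOR), ("do-nothing", DO_NOTHING)):
        print(f"{name:>10}: base rate {base_rate(o):.4%}  accuracy {accuracy(o):.5f}  "
              f"precision {precision(o):.3f}  recall {recall(o):.2f}  MCC {mcc(o):.3f}")
    for name, rruc in rank_controls(LOSS_WITHOUT, CANDIDATES):
        print(f"{name:>18}: {rruc:.2f} risk reduced per unit cost")
```

Running it prints the two comparisons. The control ranking is the point of the RRUC slide: the detection service removes more risk in absolute terms, but the patch-automation control removes more risk per unit cost, and "the most risk for the least cost" is the stated goal.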
Presentation – Symantec’s Internet Security Threat Report
Kevin Haley
• Director of Product Management for Symantec Security Technology And Response
• Technical advisor and main spokesperson for the Symantec Internet Security Threat Report
Copyright 2016, Symantec Corporation
Kevin Haley Director, Symantec Security Response
2016 Internet Security Threat Report, Volume 21
In 2009 there were 2,361,414 new pieces of malware created.
In 2015 that number was 430,555,582.
That’s 1 million 179 thousand a day.
Victim
Founded: 1933, 1 location, 35 employees
Attacker
Founded: 1938, 5 locations, 285 employees
• In the network for two years
• Accessed data 157 times
Spear-Phishing Attacks by Size of Targeted Organization
Org Size                                 2015 Risk Ratio   As Percentage   Attacks per Org
Large Enterprises (2,500+ employees)     1 in 2.7          38%             3.6
Medium Business (251–2,500 employees)    1 in 6.8          15%             2.2
Small Business (SMB, 1–250 employees)    1 in 40.5         3%              2.1
Targeted Attack Campaigns, 2012–2015 (chart; values taken from the data labels)
Year   Campaigns   Recipients per Campaign   Average Number of Email Attacks per Campaign
2012   408         111                       122
2013   779         23                        29
2014   841         18                        25
2015   1,305       11                        12
Campaigns: 55% increase from 2014 to 2015
Spear Phishing Attachment Types (chart)
Vulnerabilities
Zero-Day Vulnerabilities, 2006–2015 (chart; values taken from the data labels)
2006: 13   2007: 15   2008: 9    2009: 12   2010: 14
2011: 8    2012: 14   2013: 23   2014: 24   2015: 54
Top 5 Most Frequently Exploited Zero-Day Vulnerabilities
Rank   Name                                                   2015 Percentage
1      Adobe Flash Player CVE-2015-0313                       81%
2      Adobe Flash Player CVE-2015-5119                       14%
3      Adobe Flash Player CVE-2015-5122                       5%
4      Heap-Based Buffer Overflow aka ‘Ghost’ CVE-2015-0235   <1%
5      Adobe Flash Player CVE-2015-3113                       <1%
Adobe Releases Out-of-Band Patch For Flash Vulnerability
• On June 23, 2015, Adobe released an out-of-band patch for a critical zero-day vulnerability, designated CVE-2015-3113
• Within a week, five of the most well-known exploit kits had integrated this vulnerability into their platforms
Exploit Kit   First Seen
Magnitude     June 27, 2015
Angler        June 29, 2015
Nuclear       July 1, 2015
RIG           July 1, 2015
Neutrino      July 1, 2015
Who Cares About Vulnerabilities on Websites? They Did
“The accused men are alleged to have built the botnet by scanning the internet for servers running older versions of a “popular website content management software” that had not been updated to patch known vulnerabilities. These vulnerabilities allow them to install the Brobot malware on affected servers.”
The Alleged Attackers Used DDoS Attacks
35% Increase in Crypto-Ransomware Attacks
Ransomware Families
• Android
• Linux
• OS X
Dridex or Locky?
Ransomware Evolution
• Targeted ransomware attacks
• Backups infected or destroyed
• Extortion: because of online payment methods, you don’t have to fool someone to steal from them
Professionalization of Cyber Crime
Branded Malware
• Online payment systems make ransomware possible
• Could you make a customer wait 12 for verification of a purchase?
• A free sample
TeslaCrypt – A Leading Ransomware Player
TeslaCrypt Ransomware – Technical Support Available
Butterfly – The Attackers’ Tools
• Hacktool.Bannerjack – used to locate vulnerable servers on the local network
• Hacktool.Multipurpose – basic network enumeration; hides activity by editing logs, deleting files, etc.
• Hacktool.Eventlog – parses event logs, dumps their content, deletes entries
Hacktool.MultiPurpose (screenshot)
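One check a defender can run against the log-editing behaviour listed for Hacktool.Multipurpose and Hacktool.Eventlog, added here as an example rather than anything from the ISTR: it reads an exported event log and flags the Windows "log cleared" events (ID 1102 in the Security channel, ID 104 in the System channel) and holes in the per-channel EventRecordID sequence, which is what deleting individual entries leaves behind. The pipe-delimited export format and the sample records are constructed; the gap and time-reversal checks are heuristics that will also fire on some legitimate rotation or clock changes, so treat them as leads, not verdicts.

```python
"""Spotting event-log tampering of the kind the Butterfly toolset performs
(dumping and deleting entries). Added example, not Symantec's code. The export
format and records are constructed; the two event IDs are the real Windows
ones; the gap and time-reversal checks are heuristics."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Real Windows Event Log service events written when a log is cleared.
LOG_CLEARED = {
    ("Security", 1102): "Security audit log was cleared",
    ("System", 104): "an event log file was cleared",
}


@dataclass(frozen=True)
class EventRecord:
    channel: str
    record_id: int      # EventRecordID, allocated sequentially per channel
    event_id: int
    timestamp: datetime
    message: str


def parse_export(lines: Iterable[str]) -> List[EventRecord]:
    """Parse 'channel|record_id|event_id|ISO-8601 time|message' lines (constructed format)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        channel, rid, eid, ts, msg = line.split("|", 4)
        records.append(EventRecord(channel, int(rid), int(eid),
                                   datetime.fromisoformat(ts), msg))
    return records


def find_tampering(records: Iterable[EventRecord]) -> List[Dict]:
    """One finding per suspicious observation, evaluated per channel."""
    by_channel: Dict[str, List[EventRecord]] = defaultdict(list)
    for r in records:
        by_channel[r.channel].append(r)

    findings: List[Dict] = []
    for channel, recs in by_channel.items():
        # 1. Explicit clear events: the log itself says it was wiped.
        for r in recs:
            if (channel, r.event_id) in LOG_CLEARED:
                findings.append({"kind": "log_cleared", "channel": channel,
                                 "record_id": r.record_id,
                                 "detail": LOG_CLEARED[(channel, r.event_id)]})
        # 2. Record IDs are consecutive; a hole means entries were removed or
        #    the file was rewritten. Deleting selected entries leaves exactly this.
        # 3. Time running backwards inside one channel points at inserted or
        #    reordered records.
        ordered = sorted(recs, key=lambda r: r.record_id)
        for prev, cur in zip(ordered, ordered[1:]):
            missing = cur.record_id - prev.record_id - 1
            if missing > 0:
                findings.append({"kind": "record_gap", "channel": channel,
                                 "record_id": cur.record_id, "missing": missing,
                                 "detail": f"{missing} record(s) missing between "
                                           f"{prev.record_id} and {cur.record_id}"})
            if cur.timestamp < prev.timestamp:
                findings.append({"kind": "time_reversal", "channel": channel,
                                 "record_id": cur.record_id,
                                 "detail": f"record {cur.record_id} is older than "
                                           f"record {prev.record_id}"})
    return findings


# Constructed export: Security records 4004-4008 removed, then the log cleared,
# one record with a timestamp before its predecessor, and a System entry noting
# that the Application log was cleared.
SAMPLE_EXPORT = """\
# channel|record_id|event_id|time|message
Security|4001|4624|2015-05-12T08:00:01|An account was successfully logged on
Security|4002|4688|2015-05-12T08:00:05|A new process has been created
Security|4003|4624|2015-05-12T08:01:10|An account was successfully logged on
Security|4009|4688|2015-05-12T08:03:00|A new process has been created
Security|4010|1102|2015-05-12T08:04:00|The audit log was cleared
Security|4011|4624|2015-05-12T07:59:00|An account was successfully logged on
System|500|7036|2015-05-12T08:00:00|The Windows Event Log service entered the running state
System|501|104|2015-05-12T08:05:00|The Application log file was cleared
""".splitlines()

if __name__ == "__main__":
    for f in find_tampering(parse_export(SAMPLE_EXPORT)):
        print(f"[{f['kind']}] {f['channel']} #{f['record_id']}: {f['detail']}")
```

The same three checks apply to any log source that numbers its records, not only Windows; forward the "log cleared" events to a collector the attacker cannot edit, since a tool that rewrites the local file can remove these findings along with everything else.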
Dridex Gang – Number of Known Spam Runs Per Day (chart)
When Cyber Criminals Work in Call Centers, Write Documentation and Take the Weekends Off, You Know It’s a Profession
Thank you!
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Kevin Haley [email protected] @kphaley
Speaker Introduction
Bhavesh Chauhan
• Principal Client Partner – Security Evangelist – Verizon CTO organization
• 15-plus years in cyber security and business continuity systems
• Holds a Master of Science degree in Physics and CISSP, CISA and CISM certifications
Breach Report Universe
• AT&T Cybersecurity Insights Report
• Cisco Annual Security Report
• Dell Security Annual Threat Report
• Google Android Security Annual Report
• IBM X-Force Cyber Security Intelligence Index Report
• McAfee Labs Threat Predictions Report
• Symantec Internet Security Threat Report
• Verizon Data Breach Investigations Report
• Juniper Research
• Microsoft Security Intelligence Report
Breach Report Details
AT&T Cybersecurity Insights Report
AT&T looked inside its giant global communications network and came out with its inaugural Cybersecurity Insights Report towards the end of last year. The report is aimed at helping businesses secure their own data. “Every company either has been breached or will be breached,” said Ralph de la Vega, president and CEO, AT&T Mobile and Business Solutions, in the report.
Takeaway: 458% increase in the number of times hackers searched Internet of Things connections for vulnerabilities
Cisco Annual Security Report
When detected, cyber criminals are evading and reconstituting their cyber attacks, according to the Cisco 2016 Annual Security Report. Cyber defenders lack collaboration with each other, and their ability to detect, defend and recover from attacks is failing. Corporate regulators and investors want a better view into an organization’s cyber risk. Cisco explains these trends and more, along with recommendations on how enterprises can strengthen their defenses.
Takeaway: 221% increase in compromised WordPress sites
Dell Security Annual Threat Report
Dell’s SonicWALL Global Response Intelligence Defense (GRID) network gets daily feeds from more than one million firewalls and tens of millions of connected endpoints. Dell relies on this data to produce its annual threat report, which details the latest trends in cybercrime. The latest report raises awareness of the growing cyber risk to smartphones.
Takeaway: Malware attacks nearly doubled to 8.19 billion, with the Android ecosystem the prime target
Google Android Security Annual Report
Google protects users against Potentially Harmful Apps (PHAs), malware, network-based and on-device threats, and unsafe websites — by checking more than 6 billion apps per day, and scanning 400 million devices per day. All of this information is used to help compile the Google Android Security Report, which explains how Google protects the Android ecosystem. The 2015 annual report was released less than a month ago.
Takeaway: Google notified Google Play developers about potential security issues, which led to better security for 100,000+ apps
IBM X-Force Cyber Security Intelligence Index Report
The IBM Security division produces its annual X-Force Cyber Security Intelligence Index Report based on operational data collected from thousands of devices monitored in over 100 countries. The report looks at the global cyber threatscape and which industries face the greatest risk. The 2016 report provides many valuable insights — including the fact that 60% of all attacks suffered by IBM customers were carried out by ‘insiders’.
Takeaway: The healthcare industry was the one most frequently attacked, speeding straight past financial services and manufacturing
McAfee Labs Threat Predictions Report
The McAfee Labs 2016 Threat Predictions report came out at the end of last year. Unlike other reports, which are based largely on analyses of network data and reported breaches, this one is based on interviews with more than 20 key people from the Intel / McAfee security teams. The predictions cover how cyber criminals and cyber threats will change over the next five years, and how cyber defenses will adapt to them.
Takeaway: Attacks on automobile systems will increase rapidly in 2016 due to the rapid increase in connected automobile hardware built without foundational security principles.
Symantec Internet Security Threat Report
The 2016 Internet Security Threat Report released by Symantec covers a wide range of global threats – including attacks on browsers and websites, corporate data breaches, spear phishing campaigns, ransomware, and various types of cyber scams. The report also covers an explosion in fake tech support scams, and the cyber tricks being used by the scammers.
Takeaway: Spear-phishing campaigns targeting employees increased 55% last year
Verizon Data Breach Investigations Report
• Submissions from 67 contributors, taking a deep dive into 64,000+ incidents and nearly 2,300 breaches
• The report explains that cyber criminals are continuing to exploit human nature, targeting the weakest point in enterprises: its people
• No major new revelation
• Detection deficit graph: time between compromise and detection
• 89% of all cyber attacks involve financial or espionage motivations
Verizon Data Breach Investigations Report (cont.)
• Malware with C2 for exfiltration
• Phishing and credential theft
• Attackers are quicker: compromise within minutes, exfiltration within days
• Attackers more organized and efficient (Dridex also skewed the results)
• Miscellaneous errors: simple mistakes hurt
• 30% of phishing messages were opened by their intended victims; 12% of those targets took the next step and opened the malicious attachment or web link
Verizon Data Breach Investigations Report (cont.)
• 39% of crimeware incidents were ransomware
• 95% of data breaches were motivated by financial gain
• In 93% of data breaches, the compromise took minutes
• 83% of victims took more than a week to detect the breach
• 85% of successful exploit traffic was attributed to the top 10 CVEs
• Although difficult to quantify and validate, top vulnerabilities should be prioritized
Juniper Research
• Estimates cybercrime will cost businesses over $2 trillion by 2019
• As cyber attacks and scams continue to proliferate, the biggest challenge appears to be a severe cybersecurity workforce shortage, reported in a CSO story last year: there were one million cybersecurity job openings entering 2016, with a projected shortfall of 1.5 million by 2019
Microsoft Security Intelligence Report
• Cybercriminals are becoming faster and more efficient at launching attacks. However, the number of ways they use to compromise computers has not grown much.
• The report, which covers the second half of the 2015 calendar year, also notes that "high severity vulnerability disclosures were up more than 40%."
• This iteration of the report marks the first time Microsoft has incorporated security data from its cloud services.
• For the past several years, the most commonly exploited Windows vulnerabilities have had patches that came out in 2009 and 2010, pointing to old versions of IE still in use and/or just really, really bad patching.
Microsoft Security Intelligence Report (cont.)
• No new attack vectors are needed. As long as social engineering bait attacks, particularly phishing, continue to work so well, no new methods are needed. It used to be that bait appealed to the "Seven Deadly Sins," but curiosity and familiarity seem to work even better.
• Exploit kits accounted for four of the 10 most commonly encountered exploits during 2H15. Ransomware was not in the top 10 during that period.
• The share of systems that encountered malware increased to 20.5%, a rise of 5.5 percentage points from the previous six months.
Actionable Takeaways
• Train users. Users with permissions and trust are still the weakest link. Phishing continues to be highly effective for attackers, leveraging poorly trained users into giving them access.
• Protect financially valuable data from confidentiality, integrity, and availability attacks.
• Expect attacks, and be prepared to respond and recover.
Actionable Takeaways (cont.)
• Speed up detection capabilities. Defenders must keep pace with attackers. When preventive controls fail, it is imperative to quickly detect the exploit and maneuver to minimize its overall impact.
• Patch top vulnerabilities in operating systems, applications, and firmware. Patch quickly or suffer. It is a race; treat it as such. Prioritize the work based upon severity ranking. Serious vulnerabilities should not languish for months or years!
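The patching takeaway above ("patch quickly or suffer", "prioritize the work") and the exploit-kit table in the Symantec section, turned into a small triage routine as an added example (not Verizon's, Symantec's or the presenters' code). The patch date, the exploit-kit first-seen dates and the CVE list are the ones on the slides; the assets, scan dates, the 7/14/30-day SLA policy and the "today" date are assumptions.

```python
"""Patch-queue triage from the report numbers: how long the window between a
patch and exploit-kit integration really is, and an ordering that puts overdue
and known-exploited findings first. Added example, not the presenters' code.
Slide data: the CVE list, PATCH_RELEASED and EXPLOIT_KIT_FIRST_SEEN.
Assumptions: the assets, scan dates, SLA policy and TODAY."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Slide data: Adobe's out-of-band patch for CVE-2015-3113 and when each kit first carried it.
PATCH_RELEASED = date(2015, 6, 23)
EXPLOIT_KIT_FIRST_SEEN = {
    "Magnitude": date(2015, 6, 27),
    "Angler": date(2015, 6, 29),
    "Nuclear": date(2015, 7, 1),
    "RIG": date(2015, 7, 1),
    "Neutrino": date(2015, 7, 1),
}

# Slide data: the five most frequently exploited zero-days of 2015, by rank.
KNOWN_EXPLOITED_RANK = {
    "CVE-2015-0313": 1, "CVE-2015-5119": 2, "CVE-2015-5122": 3,
    "CVE-2015-0235": 4, "CVE-2015-3113": 5,
}


def exposure_days(patch_released: date, kit_first_seen: date) -> int:
    """Days between the patch being available and an exploit kit weaponizing it."""
    return (kit_first_seen - patch_released).days


def patch_budget_days(patch_released: date, kits: dict) -> int:
    """The realistic deadline: the fastest kit sets it."""
    return min(exposure_days(patch_released, seen) for seen in kits.values())


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: Optional[str]     # None when the scanner only reports an outdated version
    first_seen: date       # first scan that reported it
    internet_facing: bool


# Assumed SLA policy (not from the slides): known-exploited 7 days,
# internet-facing 14 days, everything else 30 days.
def sla_days(f: Finding) -> int:
    if f.cve in KNOWN_EXPLOITED_RANK:
        return 7
    return 14 if f.internet_facing else 30


def days_open(f: Finding, today: date) -> int:
    return (today - f.first_seen).days


def is_overdue(f: Finding, today: date) -> bool:
    return days_open(f, today) > sla_days(f)


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Overdue first; within a tier, known-exploited by exploitation rank, then oldest."""
    def key(f: Finding):
        return (not is_overdue(f, today),
                f.cve not in KNOWN_EXPLOITED_RANK,
                KNOWN_EXPLOITED_RANK.get(f.cve, 99),
                -days_open(f, today))
    return sorted(findings, key=key)


TODAY = date(2015, 7, 15)  # constructed "now"
FINDINGS = [               # constructed scan results
    Finding("ws-17", "CVE-2015-3113", date(2015, 6, 24), internet_facing=False),
    Finding("kiosk-03", "CVE-2015-0313", date(2015, 7, 10), internet_facing=False),
    Finding("web-01", "CVE-2015-0235", date(2015, 7, 1), internet_facing=True),
    Finding("build-09", "CVE-2015-5122", date(2015, 7, 14), internet_facing=False),
    Finding("www-02", None, date(2015, 6, 1), internet_facing=True),  # outdated CMS, no CVE from the scanner
]

if __name__ == "__main__":
    for kit, seen in EXPLOIT_KIT_FIRST_SEEN.items():
        print(f"{kit:>9}: {exposure_days(PATCH_RELEASED, seen)} days after the patch")
    print(f"realistic patch budget: {patch_budget_days(PATCH_RELEASED, EXPLOIT_KIT_FIRST_SEEN)} days")
    for f in prioritize(FINDINGS, TODAY):
        flag = "OVERDUE" if is_overdue(f, TODAY) else "ok"
        print(f"{flag:>7} {f.asset:<9} {f.cve or '(no CVE)':<14} "
              f"open {days_open(f, TODAY):>2}d / SLA {sla_days(f)}d")
```

The budget the table yields is four days, which is why the SLA for anything on an exploited list is set in days rather than weeks; the sort keeps the long-overdue CMS host near the top even though it carries no CVE, the Brobot lesson from the Symantec section.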
Open Discussion
• Kevin Haley Director, Symantec Security Response
• Pete Lindstrom Research Vice President – IDC
• Bhavesh Chauhan Principal Client Partner – Verizon
May 2016 ISSA Web Conference (slides dated 04/26/2016)
Thank you Moderator Jorge Orchilles
Speakers
Kevin Haley
Pete Lindstrom
Bhavesh Chauhan
Thank you Citrix for donating the Webcast service
Upcoming ISSA International Web Conference
Legislative Impact: When Privacy Hides the Guilty Party
2-Hour Live Event: Tuesday, June 28, 2016
Start Time: 9:00 a.m. US-Pacific / 12:00 p.m. US-Eastern / 5:00 p.m. London
Overview:
Increasingly, legislation and regulation are becoming extremely important drivers for what information security professionals have to do, and the pace of delivery seems to be increasing wherever you work in the world today. What are organizations’ and individuals’ approaches to what they do in information security, and how they do it? How do we prioritize what is most important? What can we do to make compliance easier? How do we get our policies aligned with the differing regulatory environments across different jurisdictions? How do we deal with export controls (software and information)? In some cases the question might be – How do we stay out of jail? Join our industry experts to get their views on this topic and the questions around it.
Web Conference Survey
To take the survey and get CPE credit for attending the May ISSA International Web Conference, visit http://www.surveygizmo.com/s3/2802102/ISSA-Web-Conference-May-24-2016-Breach-Report-Analysis-SWOT-or-SWAT
A recording of the conference will soon be available at: http://www.issa.org/page/May2016
If you or your company are interested in becoming a sponsor for the monthly ISSA International Web Conferences, please visit: https://www.issa.org/?page=BecomeASponsor