The Magazine for IT Managers in the World's Largest Multiplatform Enterprises
2016: Issue 2
www.enterprisesystemsmedia.com
An Enterprise Systems Media Publication

Are You Ready for an Attack?
How Dell SecureWorks Is Helping Keep Organizations Safe

Welcome to the latest issue of Enterprise Executive!
2016: Issue 2 | Enterprise Executive | 27

How Dell SecureWorks Is Helping Keep Organizations Safe
By Denny Yost

Enterprise Executive recently caught up
with Jeff Multz, director and general
manager of Japan for Dell SecureWorks,
to get an update on security technology,
and to see how threats are changing,
how to be protected and what to do if
your network has been compromised.
Jeff writes an article for each issue of
Enterprise Executive, reviewing a wide
spectrum of security issues. He is a renowned
cybersecurity expert who presents live talks
and best practices throughout the world. So
far, he has had more than 200 articles
published on a variety of security topics.
Enterprise Executive: What are the latest
advances in security technology?
Jeff Multz: The new technologies focus on
behavior in your network to detect anomalous
activity as soon as it starts. The two that stand
out the most are technologies that monitor
and analyze activity on your endpoints
(workstations, laptops and servers) and
technologies that monitor advanced malware
and threats in your network and email traffic.
The former helps you spot anomalous activity
on your endpoints as soon as it begins and
analyzes forensics to understand when the
threat entered, what the attacker was seeking
and how he got in. The latter helps you
monitor and analyze suspicious inbound and
outbound web and email traffic to detect
advanced threats entering and leaving your
network. Traditional network defenses are no
longer enough to protect a network.
EE: What are those traditional defenses, and
do you still need them?
Multz: Traditional defenses include: firewalls;
antivirus (AV) technologies, such as software
and Intrusion Detection Systems/Intrusion
Prevention Systems (IDS/IPS); access control
lists, which permit or deny network traffic
based on lists that state where the traffic is
coming from or where it is directed; and Virtual
Private Networks (VPNs), which use passwords
and encryption to allow someone working from
outside the network, such as in a café or at an
employee's home, to connect to the network.
In the past, malware was fairly simple.
Now, I'm simplifying this to make it easy to
understand, but basically, malware, also
known as malicious software that can harm
a computer, is made up of code. So, let's say
I create a piece of malware whose code is
<123ABC> and is designed to steal your
passwords whenever you go to a banking
website. If I send you an email and you click
on the link or attachment that is affiliated
with that email, either the link or the
attachment will automatically download that
code onto your computer, and you’ll have no
idea that it happened. Once that code gets into
your computer, each time you go to a banking
website, it steals your login credentials and at
some point the malware will connect back to
my computer and will send me all your login
credentials to all your banking websites. If I
keep using this same malicious code, at some
point security companies will recognize that
<123ABC> is a bad thing and must be
blocked. Once they write code that blocks my
code, when I or another threat actor sends you
an email with that code embedded in it, your
email security service would block that email
from ever getting to you. Instead of infecting
you via an email, a threat actor could also
embed that malicious code onto a legitimate
website he hacked without the owner even
knowing. For example, if an attacker hacked
into a retail website, he could create malware
that downloads when you click the link that
says Pants. When a user clicks on the link, it
downloads <123ABC>. But if your AV
technology has that code built into it, the code
will be stopped from downloading when a
user clicks on it.
EE: How has the malware changed since then?
Multz: For one thing, malware now is often
polymorphic, which means it changes once it
enters your system. The malware embedded
into the Pants link could actually be
<901299>, but once it enters a computer it
changes to <123ABC>. The people who create
AV have created code that saw <123ABC> was
bad and created software, which blocks that
code from entering a computer, but <901299>
is not blocked and that is what is going to be
downloaded onto a computer when a user
clicks on the link.
There are lots of estimates out there about
how much new malware is created each day.
I’ve seen the figure as high as 100,000. For
argument’s sake, let’s just say there are only
10,000 new pieces of malware created each
day. AV makers can’t reverse engineer 10,000
pieces of malware each day to discover what
the code is and then create new code to block
it. Even if they could do that, the first time
malware is created, it is going to slip by AV
because no one yet knows it’s bad because it
has never been seen before.
What’s more, the attackers are now finding
ways to get inside networks without even
using malware by obtaining people’s login
credentials. For example, an attacker might
send Sally at your office a phishing email
saying a certain department at her job needs
her to update some information. Sally’s a
diligent employee who tries to be efficient, so
she abides by the request and clicks on a link
to update the information. That link doesn’t
download malware, but it takes her to a sham
web page that is built to look as if it is
affiliated with a trusted company—perhaps
her own company—and instructs her to use
her work login credentials to update her home
address and phone number.
Once Sally logs in with her username
and password, the attacker saves that
information. Then, depending upon how the
network is set up, the attacker might be able
to access her computer remotely and sign in
as Sally. No malware is needed. Now, the
attacker can use Sally’s computer remotely
to peruse any files she has access to. Again,
depending upon how the network is set up,
from her computer the attacker might be
able to get the network administrators’
credentials, then the attacker has access to
the entire network, far more files than even
Sally could access. If Sally’s company’s
network were set up with strict security
controls, even if she did fall for that phishing
email, the attacker might never be able to do
anything with her login credentials because
he would have no access to her computer.
Very few companies have their networks set
up in the best possible way, which leaves them
open to attacks. That’s why we recommend all
organizations meet with a security consultant
who is part of a cybersecurity company that
has architected hundreds of networks because
that person is going to know the tricks
attackers use and the settings that need to be
set to block them. Most likely, Sally’s company,
if it is like most companies, is not set up to
block the numerous ways hackers can enter
the network. However, no blocking technology
is failsafe. That is why you need to monitor
and analyze suspicious inbound and outbound
web and email traffic to detect advanced
threats entering and leaving your network,
and suspicious activity on your endpoints.
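The signature-versus-behaviour point Multz makes above (the <123ABC> stealer that is blocked only after vendors have seen it, and the <901299> repack that slips past the same signature), shown as an added example by the editor. It is not code from the interview, from Dell SecureWorks or from any AV product. The "payload" is a constructed list of action names, not malware; the one-byte XOR packer, the hash-based scanner and the credential-theft behaviour rule are all illustrative constructions. The packer changes every byte and therefore the hash on each repack, so a scanner that only knows hashes it has already learned misses the variant, while a rule over what the sample does catches every repack because the behaviour is unchanged:

```python
import hashlib

# Constructed toy payloads for illustration (action names, not real malware).
# CREDENTIAL_THIEF stands in for the "<123ABC>" banking stealer described
# above; BENIGN is an ordinary document viewer, used to check for false
# positives.
CREDENTIAL_THIEF = b"READ_CREDENTIALS;CONNECT c2.example:443;SEND_CREDENTIALS"
BENIGN = b"OPEN report.docx;RENDER"


def pack(payload: bytes, key: int) -> bytes:
    """Toy polymorphic wrapper: a one-byte key followed by the XOR-encoded
    payload. Every new key yields different bytes (and a different hash)
    for identical behaviour."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample: bytes) -> bytes:
    """What the wrapper does at run time: recover the original payload."""
    key = sample[0]
    return bytes(b ^ key for b in sample[1:])


def fingerprint(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


class SignatureScanner:
    """Hash-based AV: blocks only samples whose exact bytes it has learned."""

    def __init__(self):
        self.known_bad = set()

    def learn(self, sample: bytes) -> None:
        # A vendor reverse-engineers a captured sample and ships its hash.
        self.known_bad.add(fingerprint(sample))

    def is_malicious(self, sample: bytes) -> bool:
        return fingerprint(sample) in self.known_bad


# Behaviour rule: reads a credential store, connects out, sends credentials.
CREDENTIAL_THEFT = {"READ_CREDENTIALS", "CONNECT", "SEND_CREDENTIALS"}


def observe_behaviour(sample: bytes) -> list:
    """Stand-in for endpoint or sandbox telemetry: the actions the sample
    performs once it has unpacked itself and run."""
    return [step.split(" ")[0] for step in unpack(sample).decode().split(";")]


def behaviour_is_malicious(sample: bytes) -> bool:
    return CREDENTIAL_THEFT <= set(observe_behaviour(sample))


def demo() -> dict:
    scanner = SignatureScanner()
    first = pack(CREDENTIAL_THIEF, 0x11)    # day 0: never seen before
    result = {"day0_signature": scanner.is_malicious(first)}
    scanner.learn(first)                    # vendors catch up, ship a signature
    result["day1_signature"] = scanner.is_malicious(first)

    variant = pack(CREDENTIAL_THIEF, 0x7E)  # same code, repacked with a new key
    result["hashes_differ"] = fingerprint(first) != fingerprint(variant)
    result["variant_signature"] = scanner.is_malicious(variant)
    result["variant_behaviour"] = behaviour_is_malicious(variant)
    result["benign_behaviour"] = behaviour_is_malicious(pack(BENIGN, 0x7E))
    return result


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>20}: {verdict}")
```

The signature scanner returns False on day 0 and for every repack; the behaviour rule returns True for both packings of the stealer and False for the benign viewer. Real packers are far more involved than a XOR byte, but the failure mode is the same: any detector keyed on bytes loses to a change of bytes, and any detector keyed on actions does not.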
EE: So, how do the new technologies work?
Multz: They work by spotting anomalous
activity that has already gotten inside your
network. This is important because it
normally takes months before a company
even knows a threat is inside its network,
according to a report last year by the
independent research company Ponemon.
If you can recognize within one day that a
threat is inside your network, imagine all the
money and resources you save by getting that
threat out of your network before an attacker
has had time to gather information and then
send it to a server he has access to. Security
experts and regulatory agencies, such as the
Payment Card Industry Data Security
Standard (PCI DSS) and HIPAA, say you
must monitor your network 24x7x365 to spot
threats immediately and get them out of your
network before they have time to create
damage. That’s still important, but network
monitoring only monitors devices that
produce log data, such as servers, firewalls,
routers and IDS/IPS devices. Since endpoints
don’t output logs, organizations could go for
months without ever realizing an endpoint
has been compromised, possibly giving an
attacker time to access the entire network.
Advanced Endpoint Threat Detection
(AETD) is a service that alerts you when
there is anomalous activity on your endpoints.
That alert may happen as soon as something
malicious is downloaded onto the device or
when mischievous activity begins.
Organizations have a baseline of normal
activity on computers. When that baseline has
been established, when something strays from
the norm, an alarm goes off so the service
provider’s security analyst can research the
activity. If the activity seems suspicious, the
analyst has access to something similar to a
flight recorder that tracks every step the
threat actor has made since entering the
network. If the analyst believes there is a true
threat in your network, he can show you all
changes the attacker made to the registry, or
basic operating files, as well as all other
changes the attacker made to your computer
or network. If the attacker had created a
“backdoor,” also known as a secret way to get
back inside your computer, just in case you
were to find his existence and kick him out of
your network, the analyst would be able to see
that backdoor so that you could close it and
the attacker could not return. An analyst
would also be able to tell you how the attacker
got inside in the first place, then you could
implement countermeasures so it wouldn’t
happen again.
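The baseline-then-deviation logic and the "flight recorder" Multz describes for endpoint detection, as an added example by the editor. This is not Dell SecureWorks' AETD service or its code; it is a small detector run over constructed telemetry. The hostname, process names, registry key, timestamps and byte counts are made up, and the IP addresses come from the RFC 5737 documentation ranges. A clean window of events establishes, per host, which parent-to-child process pairs, outbound destinations and autorun registry keys are normal and how many bytes leave per day; live events that fall outside that baseline raise alerts, and the timeline from the first alert onward is what an analyst would walk to find entry point, persistence and exfiltration:

```python
import statistics
from collections import defaultdict

# Constructed endpoint telemetry (not real logs). One event per line:
#   <timestamp> <host> <kind> <detail>
# kind "proc" carries a parent>child process pair, kind "net" an outbound
# destination and byte count, kind "reg" a registry key that was written.
BASELINE_WEEK = """\
2016-03-01T09:01:10 ws-sally proc explorer.exe>outlook.exe
2016-03-01T09:02:33 ws-sally proc outlook.exe>winword.exe
2016-03-01T09:05:01 ws-sally net 203.0.113.10:443 bytes=48213
2016-03-01T11:14:45 ws-sally proc explorer.exe>chrome.exe
2016-03-01T11:15:02 ws-sally net 203.0.113.10:443 bytes=61002
2016-03-02T09:03:19 ws-sally proc explorer.exe>outlook.exe
2016-03-02T09:07:40 ws-sally net 203.0.113.10:443 bytes=52770
2016-03-02T14:20:05 ws-sally proc explorer.exe>chrome.exe
2016-03-02T14:21:11 ws-sally net 203.0.113.10:443 bytes=57390
"""

# The day a phishing document spawns a shell, adds an autorun key and
# exfiltrates: also constructed.
TODAY = """\
2016-03-03T09:04:12 ws-sally proc explorer.exe>outlook.exe
2016-03-03T09:06:48 ws-sally proc outlook.exe>winword.exe
2016-03-03T09:07:02 ws-sally proc winword.exe>powershell.exe
2016-03-03T09:07:09 ws-sally net 198.51.100.77:443 bytes=2048
2016-03-03T09:08:30 ws-sally reg HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
2016-03-03T09:15:55 ws-sally net 198.51.100.77:443 bytes=734003200
"""


def parse(text: str) -> list:
    return [tuple(line.split(" ", 3)) for line in text.splitlines()]


class Baseline:
    """What 'normal' looks like per host, learned from a clean window."""

    def __init__(self, events):
        self.proc_pairs = defaultdict(set)
        self.dests = defaultdict(set)
        self.reg_keys = defaultdict(set)
        daily = defaultdict(lambda: defaultdict(int))
        for ts, host, kind, detail in events:
            if kind == "proc":
                self.proc_pairs[host].add(detail)
            elif kind == "reg":
                self.reg_keys[host].add(detail)
            else:
                dest, size = detail.split(" bytes=")
                self.dests[host].add(dest)
                daily[host][ts[:10]] += int(size)
        # Outbound volume limit per host: mean + 3 sigma of daily bytes.
        self.out_limit = {
            host: statistics.mean(d.values()) + 3 * statistics.pstdev(d.values())
            for host, d in daily.items()
        }


def detect(baseline: Baseline, events) -> list:
    """Compare live telemetry with the baseline; return (ts, host, reason, detail)."""
    alerts, seen_dest, volume_alerted = [], set(), set()
    sent_today = defaultdict(lambda: defaultdict(int))
    for ts, host, kind, detail in events:
        if kind == "proc" and detail not in baseline.proc_pairs[host]:
            alerts.append((ts, host, "new-process-lineage", detail))
        elif kind == "reg" and detail not in baseline.reg_keys[host]:
            alerts.append((ts, host, "new-autorun-key", detail))
        elif kind == "net":
            dest, size = detail.split(" bytes=")
            if dest not in baseline.dests[host] and (host, dest) not in seen_dest:
                seen_dest.add((host, dest))
                alerts.append((ts, host, "new-outbound-destination", dest))
            day = ts[:10]
            sent_today[host][day] += int(size)
            # A host with no baseline at all gets limit 0: anything it sends is new.
            if sent_today[host][day] > baseline.out_limit.get(host, 0) \
                    and (host, day) not in volume_alerted:
                volume_alerted.add((host, day))
                alerts.append((ts, host, "outbound-volume",
                               f"{sent_today[host][day]} bytes today"))
    return alerts


def flight_recorder(events, host: str, first_alert_ts: str) -> list:
    """Everything the host did from the first alert onward, in order."""
    return [e for e in events if e[1] == host and e[0] >= first_alert_ts]


def investigate() -> dict:
    baseline = Baseline(parse(BASELINE_WEEK))
    today = parse(TODAY)
    alerts = detect(baseline, today)
    timeline = flight_recorder(today, "ws-sally", alerts[0][0]) if alerts else []
    return {"alerts": alerts, "timeline": timeline}


if __name__ == "__main__":
    report = investigate()
    for alert in report["alerts"]:
        print("ALERT", *alert)
    print("timeline from first alert:", len(report["timeline"]), "events")
```

On the constructed data the baseline week contains no Word-spawned shell, no 198.51.100.77 destination and no Run key, so four alerts fire: winword.exe launching powershell.exe, the first connection to the new address, the autorun key, and a daily outbound volume far above the mean-plus-three-sigma limit learned from the baseline. The ordinary outlook.exe and chrome.exe launches on the same day stay silent. A production baseline would be built from weeks of data and many hosts, but the shape of the check is the same.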
EE: How does that differ from the other
new technology?
Multz: Now, the other new technology that
companies should also implement is Advanced
Malware Protection and Detection (AMPD).
AMPD tracks traffic and emails going in or
out of the network in a technology called a
“sandbox,” which is a computing environment
that is isolated from the network and operates
virtually to test ways in which the malware
might perform. Applications, or code, in this
case malicious code, can be executed in the
isolated environment without harming a real
computing device that is part of the network.
It works like this. An attacker sends a
piece of malicious code to a computer or
server. An exact copy of that same code
goes to the sandbox. In a good sandbox
the malware will detonate, and as soon as
anomalous activity is spotted, an alarm goes
off, notifying a security researcher who will
analyze the activity and the malware. The
analyst will contact the victim’s company to
let it know of the malware and can help the
company with remediation. Earlier, I talked
about how malware has changed in the past
couple of years. Attackers know companies
use sandboxes, so a lot of malware is created
that does nothing unless it thinks it is inside
a real computer. The attacker doesn’t want
his malware to detonate in a sandbox
because then the victim will know malware
has gotten inside his computer, and the
malware will be removed quickly, prohibiting
the attacker from gathering information. So,
attackers have created malware that only
detonates if the malware believes it is inside
a real computer. For this reason, it is
important to know the type of sandbox your
provider is using. We use one that is created
with a CPU, which is the brains of a
computer, so that the malware thinks it is
inside a real computer and detonates,
allowing an analyst to see exactly what the
malware did. Whatever it did in the sandbox,
it did or will soon take the same action in
your real computing environment. AMPD
also watches activity that is sent outside the
network. If the attacker got inside your
network without using any malware and
starts sending files outside the network, that,
too, would create an alert because AMPD
catches anomalous outbound traffic.
Those are the latest advances in technology.
As attackers change their tactics and
procedures, new security advances will
continue changing to stop them. EE
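The sandbox-evasion behaviour Multz describes, "malware that does nothing unless it thinks it is inside a real computer", and why the kind of sandbox matters, shown as an added example by the editor. This is not Dell SecureWorks' sandbox or any product's code. The two machine profiles are constructed, not measurements; the checks are a representative sample of the environment tells evasive samples are known to look for (processor count, memory, uptime, hypervisor NIC vendor prefixes, signs of a human user), and the four MAC prefixes listed are the published VirtualBox and VMware OUIs. The example also shows the defender's counter-move: a sandbox that records which facts a sample asks about can flag a sample that interrogates the machine and then does nothing, even though it never detonated:

```python
# Constructed machine profiles (illustrative, not real measurements).
# A minimal, freshly started virtual machine with no user history:
BARE_SANDBOX = {
    "cpu_count": 1, "ram_mb": 1024, "uptime_s": 120,
    "mac": "08:00:27:4c:9a:10", "recent_docs": 0, "mouse_moved": False,
}
# What a CPU-backed, well-furnished analysis host presents instead:
REALISTIC_SANDBOX = {
    "cpu_count": 4, "ram_mb": 8192, "uptime_s": 7 * 24 * 3600,
    "mac": "f0:de:f1:3b:21:77",  # not a hypervisor prefix
    "recent_docs": 37, "mouse_moved": True,
}

# Published OUIs used by VirtualBox (08:00:27) and VMware virtual NICs.
VM_MAC_PREFIXES = ("08:00:27", "00:0c:29", "00:50:56", "00:05:69")


def sandbox_tells(env) -> list:
    """The checks an evasive sample runs before acting; each hit is a reason
    to believe it is being watched."""
    tells = []
    if env["cpu_count"] < 2:
        tells.append("single cpu")
    if env["ram_mb"] < 2048:
        tells.append("little ram")
    if env["uptime_s"] < 600:
        tells.append("just booted")
    if env["mac"].lower().startswith(VM_MAC_PREFIXES):
        tells.append("hypervisor nic")
    if env["recent_docs"] == 0:
        tells.append("no user history")
    if not env["mouse_moved"]:
        tells.append("no user input")
    return tells


def run_evasive_sample(env) -> str:
    """Stand-in for an evasive sample: checks the room, then either stays
    idle or 'detonates' (where the real thing would drop its payload)."""
    return "idle" if sandbox_tells(env) else "detonated"


def run_quiet_document(env) -> str:
    """A benign file that asks nothing of the machine and does nothing."""
    return "idle"


class InstrumentedEnv(dict):
    """The sandbox's view of the machine, recording which facts are queried."""

    def __init__(self, facts):
        super().__init__(facts)
        self.queried = []

    def __getitem__(self, key):
        self.queried.append(key)
        return super().__getitem__(key)


def sandbox_verdict(facts, sample=run_evasive_sample, probe_threshold=3) -> str:
    """Detonation is proof; a sample that probes the machine and then goes
    quiet is itself suspicious; a sample that asks nothing and does nothing
    has shown no behaviour at all."""
    env = InstrumentedEnv(facts)
    if sample(env) == "detonated":
        return "malicious"
    if len(set(env.queried)) >= probe_threshold:
        return "suspicious-evasive"
    return "no-behaviour"


if __name__ == "__main__":
    print("bare VM     :", sandbox_tells(BARE_SANDBOX), "->",
          sandbox_verdict(BARE_SANDBOX))
    print("realistic   :", sandbox_tells(REALISTIC_SANDBOX), "->",
          sandbox_verdict(REALISTIC_SANDBOX))
    print("quiet doc   :", sandbox_verdict(BARE_SANDBOX, run_quiet_document))
```

In the bare VM every check trips, the sample stays idle and a naive sandbox would report it clean; the instrumented one still returns "suspicious-evasive" because the sample asked six questions about the machine and then did nothing. On the realistic profile no check trips and the sample detonates, which is the outcome an analyst wants, since whatever it does there is what it would do on a user's workstation. A benign document that asks nothing is correctly left at "no-behaviour" rather than flagged.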
Denny Yost has more than 30 years of mainframe and IT experience. He is the associate publisher and editor-in-chief of Enterprise Executive and associate publisher of Enterprise Tech Journal.
Email: denny@esmpubs.com