2011-10 The Path to Compliance


by Mark Brooks, Alert Logic

Speaker notes
  • The global cybercrime market was about $7B last year; Russia accounts for roughly a third of it and is growing about 35% per year. People talk a lot about the Chinese threat, but that's mainly because they're noisy and they get caught; to me that means they're not the ones you need to worry about so much. Interesting trends to note: the business models and roles are evolving along the same lines as the legitimate IT industry (on-demand and pay-per-use), and people are taking on specialized roles either to limit personal risk or to maximize effectiveness and profit within the limits of their own abilities. T: things have evolved from single autonomous attackers to...
  • Credit cards: prices are driven by supply and demand. Sony PSN: 70M+ cards stolen; if the majority are valid and get dumped on the market, that would push prices way down. Exploit packs cover multiple vulns, and the price is based on age. PPI works like the banner-ad and browser-toolbar affiliate programs developed in the 90s with pay-per-view and pay-per-click models; malware-install affiliate programs have sprung up along the same lines. T: I'm a young unemployed Ukrainian guy and I want in on the action.
  • This is a screenshot of the old Dogma Millions website. It has since been taken down, but you can see from the graphics the message they send: work for us and you can drive your own Porsche SUV on a blue-water beach with Victoria's Secret models. T: unfortunately the English-language sites aren't as creative...
  • Payperinstall.com is a clearinghouse for pay-per-install groups. You sign up with an affiliate; they provide a custom set of executables embedded with your affiliate ID. For every US machine you get the malware installed on, you get a dollar: 10,000 machines = $10,000.
  • Young student, intelligent, bored, maybe problems with authority. Thinks it's cool, looking for a challenge, out defacing websites of organizations they disagree with. Unlike Matthew Broderick, none of the guys I knew who were writing DOS viruses in high school ever had a girl in their bedrooms. Credibility, fame and recognition among their peers online. Historically they wrote worms attacking vulnerable network services (Korgo, Sasser): mostly a static payload, built and released to run its course. T: things have changed a lot since then.
  • The overwhelming majority of attacks today are carried out by professional teams who do it for a living. The goal is to control as many computers as they can to steal as much data as possible, which they can use directly or sell on the wholesale market. Not making noise, not defacing websites: they remain undetected as long as they can to maximize profits. The attack surface has changed; even average home networks typically have firewalls now blocking inbound connections, so they target vulns in client apps that sit behind the firewall and connect out. Once they get code execution, malware is installed to keep control of the target system. T: the new approach is working really well.
  • Affiliates don't care how you get their malware installed. Tons of websites are vulnerable to XSS, where you can inject JavaScript that redirects users to your hosted malware site with your fake AV software or whatever your deliverable is. P2P is also easy: download any executable you want, use your malware kit to embed your affiliate's code, and share the new binary back on the network. Traditional network exploits are difficult because most companies have firewalls blocking vulnerable ports and use non-routable internal address space; even home networks have private addresses and a firewall. All the other techniques target the end-user systems directly. Often, after stealing that user's data, the malware will propagate to other systems on a corporate network once the machine is brought to work and connected behind the firewall (example: Conficker). Blackhat SEO is interesting and annoying at the same time: link farms and other techniques to game the search engine algorithms to get high rankings for the most common searches (Justin Bieber, Britney Spears, most recently the Osama bin Laden assassination videos). Flash drive example.
  • One of the primary reasons our customers purchase our solution is to meet compliance standards. Our solutions cover the most expensive and labor-intensive areas of compliance. The following is a breakdown of the PCI and SOX requirements we satisfy with our solutions. For PCI we cover requirements 10, 11.2 and 11.4, which are the most costly and cumbersome to comply with. Examples: Vulnerability Assessment: PCI 11.2, because Alert Logic is an Approved Scanning Vendor (ASV) for quarterly PCI scans. Intrusion Protection: all mandates and regulations require or recommend an intrusion detection system. Log Management: we cover the majority of PCI requirement 10 and CobiT DS 5.5; we make log review simple and automate the log management process.
  • Education: sounds extremely basic, but some people don't know. Browsing: browsers are complex pieces of software and they all have holes. The majority of owned desktop systems I've seen were used by avid IE users. I use Firefox, automatic updates and a number of plugins that improve your security, like NoScript and RequestPolicy; these tools can defeat CSRF and some XSS attacks even though the web apps you use are vulnerable. Filtering web proxies.
  • Perimeter: many healthcare organizations block specific "bad" ports like SMTP and FTP, and even then do it inconsistently. Traffic needs to be blocked both inbound and outbound, with exceptions specific to source and destination addresses and port numbers. A filtering web proxy is not worth much if you don't do egress filtering at your border.
  • Scripted Q&A: Which Hosting.com solutions support Alert Logic tools? What are the benefits/features of Cloud compared to Dedicated? If I receive a security incident, how quickly will I be contacted by the Security Operations Center? How long do you store log data in your data center? Who owns the data that is stored in your data center? How can I ensure my data is safe both during transport and in storage? How often should I be running a vulnerability scan? I only have to fill out Self-Assessment Questionnaire (SAQ) A; do I still have to monitor my log data? Thank you for joining our webinar today. We hope you found the content useful and applicable to your role. If you have questions or would like further information regarding Alert Logic's solutions, please visit the Hosting.com website and contact us via phone, email or live chat. A recording of this session will be emailed to you in the next 48 hours. Thank you and have a wonderful day!

Slides

Slide 1: Alert Logic – The Path to Compliance – September 2011

Slide 2: Agenda
  • State of the security market
    – Organized Cybercrime
    – Common Attack Methodology
  • Compliance defined
    – The Compliance Two-Step
    – The Obligatory Response
  • A Security First Approach
  • Real World Examples
Slide 4: Recent Attacks
  • May 4, 2009 – Virginia Prescription Monitoring Program, Richmond, Virginia
    Compromised records: 531,400
    Type of attack: outside hacker
    Outcome: attacker is still at large. The state notified 531,400 people of the breach by letter.
  • November 10, 2010 – Holy Cross Hospital, Ft. Lauderdale, Florida
    Compromised records: 44,000 (1,500 confirmed)
    Type of attack: internal employee gained access to a server
    Outcome: employee was fired and arrested. Five other suspects have been charged.
  • February 10, 2011 – Texas Children's Hospital, Houston, Texas
    Compromised records: 19,264
    Type of attack: malware
    Outcome: attacker is still at large. All patients were notified by letter.
Slide 5: 2010 Data Breaches (change from the prior year in parentheses; categories overlap, so the percentages do not sum to 100%)
  Who is breaching data?
    70% External sources (-9%)
    48% Inside sources (+26%)
    11% Business partners (-23%)
    27% Multiple parties (-12%)
  How do breaches occur?
    48% Involved privilege misuse (+26%)
    40% Hacking (-24%)
    38% Malicious code (no change)
    28% Employed social tactics (+16%)
    15% Physical threats (+6%)
  What commonalities exist?
    85% of attacks were not highly difficult
    85% of breaches were the result of opportunistic attacks
    96% were considered avoidable through reasonable controls
  * Statistics from the 2010 Verizon Business Data Breach Investigations Report
Slide 7: Cybercrime Market
  The numbers
    – Global computer crime market estimated to be $7B in 2010 [1]
    – Russia responsible for $2.5B
    – Growing ~35% per year overall
  Interesting trends
    – Increasing specialization of participants
    – On-demand and pay-per-use services
    – Developing C2C market
  [1] Group-IB report, 2010

Slide 8: Crime Pays
  Stolen asset / criminal activity          Payout
  Credit card details                       $5-10 (expected $1-2 post-PSN)
  Bank credentials                          $80-700
  Bank transfers                            10% to 40% of the amount transferred
  Social Security numbers                   $30-500
  0-day exploits                            $5,000-100,000
  Exploits for published vulnerabilities    $5,000-50,000
  Exploit packs                             $200-5,000
  Malware pay-per-install                   up to $1.50 per US victim, $0.15-0.60 for other countries

Slide 9: How It Works – The Business Model
  Parties: cybercrime group, distributor, victims, black market
  1. The distributor registers with the cybercrime group
  2. The distributor purchases a malware pack
  3. The distributor infects users (P2P seeding, XSS)
  4. Infected users send data to the group
  5. The data is sold wholesale on the black market
  6. Payment is made to the distributor
Slide 11: Traditional Attacks
  Hacker profile
    – Talented individual
    – Young, bored
  Motivation
    – To prove a point
    – Curiosity
    – Credibility
  Attack methods
    – Worms targeting memory vulns in network services
    – Attack payload not usually customized

Slide 12: Modern Attack Profile
  Hacker profile
    – Organized crime (84%)
    – Dedicated teams who are paid
    – Teams often work for criminal organizations as a career
  Motivation
    – Targeted attack for financial gain
    – Desire anonymity
  Attack methods
    – Vulnerable web applications
    – Client-side applications
    – Malware used to keep control

Slide 13: Delivery/Attack Surface
  Infection method               Difficulty   Effectiveness
  Websites                       Easy         Good
  P2P networks                   Easy         Medium
  Spam                           Easy         Medium
  Paid ads                       Medium       Medium
  Phishing                       Easy         Poor
  Traditional network exploit    Difficult    Poor
  Blackhat SEO                   Medium       Medium
  Cross-site scripting: most sites are vulnerable; easy to find, and users trust the websites.
  SQL injection: easy to find; very common.
  Source: Veracode State of Software Security Report, April 2011
Slide 15: Security and Compliance Management is Becoming More Difficult Every Day
  Increasing number and sophistication of security threats
    • Improved organization and sophistication of attackers
    • Prolonged and persistent targeting with compressed timelines to react
    • Rise of contaminated spam, botnets, and social engineering for malicious breaches
  Increasing complexity in maintaining compliance
    • Continuous updates in requirements and reporting standards
    • Adoption of new regulatory compliance standards
    • Manual and laborious processes
  Increasing cost to support and maintain (HW, SW, FTEs)
    • Training on the latest compliance requirements and security threats
    • Updating, patching, and maintaining software, scripts, and processes
    • Rollout of new HW/SW to keep up with increased demand

Slide 16: Complicated and Costly Compliance Picture for Healthcare
  Implement people, process, and technology for compliance
    • HIPAA 164.308 Administrative safeguards
    • HIPAA 164.312 Technical safeguards
  Penalties for EMR non-compliance coming into effect
    • Penalties and fees up to $1.5M for neglect
    • Data breach notification to HHS and local media for breaches affecting more than 500 patients
  What about PCI compliance?
    • PCI applies to every entity that stores, processes, or transmits cardholder information
    • Patient billing, pharmacy, etc.

Slide 17: Compliance… a costly problem – HIPAA & HITECH
  Vulnerability Assessment
    164.308(a)(1)(ii)(A) Risk Analysis – conduct a vulnerability assessment
    164.308(a)(1)(ii)(B) Risk Management – implement security measures to reduce the risk of security breaches
  IDS/IPS / Log Management
    164.308(a)(1)(ii)(D) Information System Activity Review – procedures to review system activity
    164.308(a)(5)(ii)(B) Protection from Malicious Software – procedures to guard against malicious software (host/network IPS)
    164.308(a)(5)(ii)(C) Log-in Monitoring – procedures and monitoring for log-in attempts (host IDS)
    164.308(a)(6)(ii) Response and Reporting – mitigate and document security incidents
  Log Management
    164.312(b) Audit Controls – procedures and mechanisms for monitoring system activity

Slide 18: Compliance… a costly problem – PCI DSS and SOX (CobiT)
  Penalties
    PCI DSS: fines, loss of credit card processing, and Level 1 merchant requirements
    SOX: fines up to $5M, up to 10 years in prison
  Vulnerability Assessment
    PCI DSS 6.2 – identify newly discovered security vulnerabilities
    PCI DSS 11.2 – perform network vulnerability scans quarterly by an ASV
    CobiT DS 5.9 Malicious Software Prevention, Detection, and Correction – "put preventive, detection, and corrective measures in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam)"
  Intrusion Detection
    PCI DSS 5.1.1 – monitor zero-day attacks not covered by anti-virus
    PCI DSS 11.4 – maintain IDS/IPS to monitor and alert personnel; keep engines up to date
    CobiT DS 5.6 Security Incident Definition – "clearly define and communicate the characteristics of potential security incidents so that they can be properly classified and treated by the incident and problem management process"
    CobiT DS 5.10 Network Security – "use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks."
  Log Management
    PCI DSS 10.2 – automated audit trails
    PCI DSS 10.3 – capture audit trails
    PCI DSS 10.5 – secure logs
    PCI DSS 10.6 – review logs at least daily
    PCI DSS 10.7 – retain the audit trail for at least 1 year, with at least 3 months immediately available online
    CobiT DS 5.5 Security Testing, Surveillance, and Monitoring – "…a logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed."
Slide 19: The Ugly Truth
  • Compliance is the output of a post-mortem
    – Some organization did not secure its data, and now everyone else must deploy solutions, software, policies, and guidelines
  • Compliance will always be a step behind the latest threat
  • Compliance will NEVER mean you are secure
  • Compliance mandates will continually be expanded as hospitals, insurance companies, and other health care organizations experience breaches, privacy violations, and security issues

Slide 20: The Compliance Two-Step
  • Organizations continue to check the compliance box and then struggle to maintain compliance
  • IDS, log management and vulnerability scanning are the most expensive and resource-intensive controls, and also the most difficult for organizations to implement and maintain
  • Attacks are not being detected in an acceptable time
  • Organizations that achieve compliance are able to protect their patient data
  • Companies will continue to fail to achieve compliance due to lack of time, budget, and technical resources

Slide 21: The Obligatory Response
  Protective technical controls
    • Firewalls
    • Routers
    • Antivirus
    • System patching
    • Complex passwords
    • Data access controls
    • Whole-disk encryption
    • VPNs

Slide 23: Analyzing the Facts
  • Companies aren't detecting attacks in an effective way
    – Why? Chasing false alarms, other priorities, etc.
  • Companies are not focusing on continuous security
    – Too many companies check a box and move on
  • Companies must review log data
    – Companies need to be more vigilant in this area
  • Most breaches could have been caught
    – With effective intrusion detection systems, log management and vulnerability assessment

Slide 24: Common Trends
  • Strong push towards SaaS and MSSPs to augment staff
  • Some are looking towards cloud-based technologies to reduce technology expenditures
  • Moving away from general standards like HIPAA and SOX towards PCI and DISA standards
  • Deploying centralization solutions to tie together compliance efforts
  • Using GRC tools
Slide 25: Defending Users
  AV isn't enough
    – Malware evolves ahead of AV signatures
  Education
    – At least half of the executables on P2P networks are infected
    – Don't install software from untrusted sources
    – Safe browsing
    – Flash drives

Slide 26: Infrastructure Defense
  Close your perimeter (egress too!)
  Patch your systems
  Vulnerability scanning
    – Automated vuln scans, and review them regularly
  IDS
    – Attempted botnet communication, network scans
    – Propagation over RPC exploits, brute-forcing of Windows shares
  Log management
    – Account lockouts due to brute force
    – Proxy logs
  WAF
Slide 28: Use Case #1: Security Issues and Identity Theft
  • Scenario
    – One of your system administrators returned from a two-week vacation and was unable to log in
    – He believes his account has been locked out, but he's not sure why
  • Key questions to answer:
    – Why is the account locked out?
    – Where did the lockout occur?
    – When did it occur?
    – How did it occur?

Slide 29: Effective Log Management Can Prevent Breaches and Provide Compliance
  Breached customer records cost businesses an average of $202 per record in 2009 [1]
  "86% of victims had evidence of the breach in their logs…" "in most attacks, the victim has several days or more before data was compromised." [2]
  Timeline: suspicious log activity → intrusion or penetration → breach or malicious activity → IT alerted
    Without log management: IT is alerted too late.
    With log management: log collection and monitoring detect the activity and send an alert; the SOC is alerted and security containment steps are executed; the breach is avoided.

Slide 30: Compliance and Security Simplified: Security Issues and Identity Theft
  Key compliance and security activities
  Without log management:
    Investigating: log in to a domain controller; examine the AD object for the user to determine the time of the lockout; review the logs on each domain controller manually. Issue: manual and time-consuming.
    Monitoring: log in to a domain controller daily; create a filter on the username every day and review the logs; repeat the process for every domain controller. Issue: expensive.
    Alerting: wait for the system admin to call if their account is locked out again. Issue: reactive.
  With log management:
    • Common index with search capabilities
    • Automated alerting and notification
    • Regular reporting and forensics
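The lockout investigation on slides 28-30 and the "account lockouts due to brute force" item on slide 26 come down to one correlation: find the lockout record, then pull the failed logons for that account from every domain controller in the preceding window. The block below is an added example of that logic (it is not from the deck and not Alert Logic code). The event IDs are the real Windows Security log IDs (4625 "an account failed to log on", written only by the DC that rejected the attempt; 4740 "a user account was locked out", written by the PDC emulator for every lockout and carrying the caller computer name). The SecurityEvent field names, the host and user names and the timestamps are constructed for the example; a real deployment would populate the records from the DCs' event logs or a collector.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SecurityEvent:
    """One record from a domain controller's Security log. Field names are
    this example's own; they map onto the Windows event XML fields noted."""
    time: datetime
    dc: str          # Computer: the domain controller that wrote the record
    event_id: int    # 4625 = failed logon, 4740 = account locked out
    user: str        # TargetUserName
    source: str      # WorkstationName (4625) or caller computer name (4740)


# Constructed sample data for this example, not real logs: five failures for
# jsmith from WKS-OLD rejected by DC02 within 50 seconds, the resulting 4740
# written on DC01 (the PDC emulator), and one unrelated typo by bjones later.
T0 = datetime(2011, 9, 12, 3, 14, 0)
SAMPLE_EVENTS = [
    SecurityEvent(T0 + timedelta(seconds=s), "DC02", 4625, "jsmith", "WKS-OLD")
    for s in range(0, 50, 10)
] + [
    SecurityEvent(T0 + timedelta(minutes=1), "DC01", 4740, "jsmith", "WKS-OLD"),
    SecurityEvent(T0 + timedelta(hours=2), "DC02", 4625, "bjones", "WKS-0042"),
]


def explain_lockouts(events, window=timedelta(minutes=30), burst=timedelta(minutes=2)):
    """For every 4740 lockout, gather the 4625 failures for the same account in
    the preceding window (from every DC, since each DC only logs the attempts
    it rejected itself) and answer the slide's why / where / when / how.

    Returns a list of dicts, one per lockout, oldest first."""
    failures = [e for e in events if e.event_id == 4625]
    findings = []
    for lock in sorted((e for e in events if e.event_id == 4740), key=lambda e: e.time):
        related = sorted(
            (f for f in failures
             if f.user == lock.user and lock.time - window <= f.time <= lock.time),
            key=lambda f: f.time,
        )
        span = (related[-1].time - related[0].time) if related else timedelta(0)
        findings.append({
            "user": lock.user,
            "when": lock.time,                      # when did it occur?
            "locked_on_dc": lock.dc,                # where was it recorded?
            "caller_computer": lock.source,         # where did the attempts come from?
            "failed_logons": len(related),          # why: this many bad passwords
            "failed_logon_sources": dict(Counter(f.source for f in related)),
            "dcs_rejecting": sorted({f.dc for f in related}),
            # how: a tight burst from one host looks like password guessing (or a
            # runaway script); failures spread over hours more often mean a stale
            # cached credential on that host. This is a heuristic, not a verdict.
            "pattern": ("burst" if related and span <= burst
                        else ("spread" if related else "no failures in window")),
        })
    return findings


if __name__ == "__main__":
    for finding in explain_lockouts(SAMPLE_EVENTS):
        for key, value in finding.items():
            print(f"{key:>21}: {value}")
```

The point the slide makes shows up in the data model: without central collection you would have to repeat the 4625 search on every DC by hand, and if a DC's log has rolled over the "how" is simply gone.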
Slide 31: Use Case #2: Audit Resolution Challenges
  • Scenario
    – A new policy is initiated to require that new Domain Administrators only be added by the Security Department
    – A few weeks later, a routine audit discovers some new members in the Domain Admins group
  • Key questions to answer:
    – When were these users added?
    – Who added them?
    – Who was added?

Slide 32: Compliance and Security Simplified: Audit Resolution Challenges
  Key compliance and security activities
  Without log management:
    Investigating: log in to a domain controller; review the logs for group changes; hope the logs are still on the system and have not rolled over; repeat for each DC. Issue: manual and time-consuming.
    Monitoring: log in to a domain controller daily; review the Domain Admins group and verify no one has been added or removed since the last review. Issue: expensive.
    Alerting: wait for the system admin to call if their account is locked out again. Issue: reactive.
  With log management:
    • Search on "group member added" and filter on Domain Admins
    • Save the view and have the report emailed on a regular basis
    • Build an automated alert to notify when users are added, removed, or changed
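The "search on group member added, filter on Domain Admins, alert on changes" workflow of slides 31-32, as an added example (not from the deck or Alert Logic's products). The event IDs are the real Windows Security log IDs for membership changes (4728/4729 add/remove for security-enabled global groups such as Domain Admins, 4732/4733 for domain local, 4756/4757 for universal); the record layout, the account names and the timestamps are constructed for this example. Group changes are logged on the DC where the change was made, so, as with the lockout case, the input has to be the combined feed from every DC.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class GroupChangeEvent:
    """A group-membership change from a domain controller's Security log.
    Field names are this example's own; the Windows XML field is noted."""
    time: datetime
    dc: str          # Computer: the domain controller that recorded the change
    event_id: int    # see ADD_IDS / REMOVE_IDS
    group: str       # TargetUserName: the group that changed
    member: str      # MemberName: the account added or removed
    actor: str       # SubjectUserName: who made the change


# Windows Security log IDs for membership changes, keyed by group scope.
ADD_IDS = {4728: "global", 4732: "domain local", 4756: "universal"}
REMOVE_IDS = {4729: "global", 4733: "domain local", 4757: "universal"}

WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample data for this example, not real logs: one sanctioned add
# by the security department, one late-night add by a helpdesk account, an
# unrelated change to an unwatched group, and a later removal.
SAMPLE_EVENTS = [
    GroupChangeEvent(datetime(2011, 9, 1, 9, 0), "DC01", 4728, "Domain Admins", "alice", "secadmin"),
    GroupChangeEvent(datetime(2011, 9, 5, 22, 47), "DC02", 4728, "Domain Admins", "svc-backup", "helpdesk1"),
    GroupChangeEvent(datetime(2011, 9, 6, 10, 0), "DC01", 4732, "Backup Operators", "bob", "helpdesk1"),
    GroupChangeEvent(datetime(2011, 9, 7, 11, 0), "DC01", 4729, "Domain Admins", "alice", "secadmin"),
]


def audit_group_changes(events, approved_actors, watched=WATCHED_GROUPS):
    """Replay membership changes to the watched groups.

    Returns (timeline, alerts): timeline lists every add/remove to a watched
    group, oldest first, answering who was added, by whom and when; alerts is
    the subset made by an account outside approved_actors (the Security
    Department in the slide's policy), i.e. the automated alert."""
    timeline = []
    for e in sorted(events, key=lambda e: e.time):
        if e.group not in watched:
            continue
        if e.event_id in ADD_IDS:
            action = "added"
        elif e.event_id in REMOVE_IDS:
            action = "removed"
        else:
            continue
        timeline.append({"when": e.time, "dc": e.dc, "group": e.group,
                         "member": e.member, "action": action, "by": e.actor})
    alerts = [c for c in timeline if c["by"] not in approved_actors]
    return timeline, alerts


def current_members(events, group, baseline=frozenset()):
    """Reconstruct a group's membership by replaying its adds and removes onto
    a known-good baseline (the membership recorded at the last audit). The
    daily manual review on the slide compares against this by hand."""
    members = set(baseline)
    for e in sorted(events, key=lambda e: e.time):
        if e.group != group:
            continue
        if e.event_id in ADD_IDS:
            members.add(e.member)
        elif e.event_id in REMOVE_IDS:
            members.discard(e.member)
    return members


if __name__ == "__main__":
    timeline, alerts = audit_group_changes(SAMPLE_EVENTS, approved_actors={"secadmin"})
    for c in timeline:
        print(f"{c['when']} {c['group']}: {c['member']} {c['action']} by {c['by']} (on {c['dc']})")
    for a in alerts:
        print(f"ALERT: {a['member']} {a['action']} {a['group']} by unapproved account {a['by']}")
    print("Domain Admins now:",
          sorted(current_members(SAMPLE_EVENTS, "Domain Admins", {"Administrator"})))
```

Replaying from a baseline only works for the window the logs actually cover; if a DC's Security log rolled over before collection, the membership you reconstruct is wrong in exactly the way the "hope the logs are still on the system" line warns about, so retention (PCI DSS 10.7 on slide 18) is what makes the audit answerable at all.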
Slide 33: Use Case #3: Hacker/Attacker
  • Scenario
    – For several weeks your network has been running slowly
    – Some systems have been performing abnormally, and there are new user accounts that cannot be tied back to a particular user
    – Suddenly, you receive an odd e-mail from an alleged hacker who claims to have access to sensitive patient files
  • Key questions to answer:
    – Have you been hacked?
    – If so, when did it begin?
    – How would you respond?
    – Should you notify the media?

Slide 34: Compliance and Security Simplified: Business Critical Applications
  Key compliance and security activities
  Without intrusion detection:
    Investigating: log in to the firewall/VPN gateway and look through the logs (if it can store them); look for disconnect messages, errors, etc. Issue: manual and time-consuming.
    Monitoring: log in to the VPN; search the VPN disconnect messages; see what time the disconnect occurred and all errors related to the VPN session. Issue: expensive.
    Alerting: wait for the network engineer to log in and discover it is down. Issue: reactive.
  With intrusion detection:
    • Use logs to search for suspicious messages, account creation, and firewall messages
    • Use IDS to look for attack attempts
    • Focus efforts on actionable security incidents

Slide 35: With Complicated Threats, There is a Need for Security Expertise
  Lots of point solutions, but it is difficult to consume all the data
  It is nearly impossible to be aware of all forms of attack and attack response, and also perform all the other functions expected in daily operations
  Timeline: suspicious log activity → intrusion or penetration → breach or malicious activity → IT alerted
    Without IDS: IT is alerted too late.
    With IDS: log collection and monitoring detect the activity and send an alert; security containment steps are executed; the breach is avoided.
Slide 36: Conclusion

Slide 37: Meeting the Challenges Head On
  • Move from manual to automated log management
    – Keys to success: effective and sustainable log management and review
  • Choose a vulnerability assessment solution that aligns with your network
    – Keys to success: centralized view and remediation knowledge
  • Select an intrusion protection solution that doesn't require costly implementation, configuration and management
    – Keys to success: implement a solution that adapts to your network security policies and minimizes the workload of your resources

Slide 38: Q&A

Slide 39: Who is Alert Logic?
  Founded: 2002
  Customers: 1,200+, spanning 3 continents
  Staff: 100+
  Service renewal rate: ~99%
  Experienced management; profitable with a strong balance sheet
  Patented SaaS products: Log Manager, Threat Manager
  Integrated services: LogReview, ActiveWatch
    • Easy to implement and deploy
    • Flexible and scalable
    • Improve security and threat visibility
    • Meet compliance requirements
    • 24x7 Security Operations Center
    • GIAC-certified security analysts
    • Lower, more predictable costs
    • Quicker time-to-value
  Delivering measurable customer benefits

Slide 40: Contact
  • Mark Brooks
  • mbrooks@alertlogic.com