Transcript of Breach Report - Review the Various Breach Reports
April 23, 2019
Today’s web conference is generously sponsored by:
Gemalto: https://www.gemalto.com/
Moderator
Matt Mosley is the Vice President of Security Products for Devo, a leading SIEM and big data analytics vendor. Matt is a recognized security expert and thought leader with more than 25 years of experience in numerous roles as a practitioner, consultant and software executive. Prior to joining Devo, Matt was the Director of Product Management for Symantec’s MSSP business, where he helped to launch new products and services to enhance the security of some of the world’s largest organizations. Matt has also held senior leadership roles with leading security firms including NetIQ, Internet Security Systems, Intellitactics, and Brabeion Software. As the chief security officer at early Internet pioneer DIGEX, Matt defined and implemented the security controls and best practices for the world’s first web hosting business and was a founding member of the ISP Security Consortium. Matt holds the CISSP, CISM, and CISA designations, is a regular speaker at security conferences, and taught CISSP classes for ISSA-NOVA for nearly a decade.
Matt Mosley, Vice President of Security Products, Devo
Speaker
Scott has been with Symantec for 20 years and is an Information Systems Security Association Distinguished Fellow with over 30 years of tactical and strategic information security experience across multiple control points – data centers, endpoints, and gateways with a focus on threat protection, information protection, cyber security services and security analytics.
Scott Parker, Sr. Principal Systems Engineer, Symantec
Scott Parker, CISSP, CISM | Sr Principal Systems Engineer
ISSA Distinguished Fellow
2017 Internet Security Threat Report | Volume 22
https://resource.elq.symantec.com/LP=6819?inid=symc_threat-report_istr_to_leadgen_form_LP-6819_ISTR-2019-report-main&cid=70138000001Qv0PAAS
ISTR | INTERNET SECURITY THREAT REPORT | Volume 24 | February 2019
2018 At A Glance: Big Numbers
WEB ATTACKS
• Web attacks up by 56%
• 1 in 10 URLs analyzed by Symantec were identified as malicious in 2018
FORMJACKING
• On average 4,800 websites were compromised for formjacking attacks every month in 2018
• Symantec blocked 3.7M formjacking attacks in 2018 on endpoint devices
RANSOMWARE
• Enterprise ransomware infections up 12%
• Mobile ransomware infections increased by 33%
• Overall ransomware infections were down by 20% as attackers moved to more lucrative activities
TARGETED ATTACKS
• Attack groups target an average of 55 organizations each
• The number of attack groups using destructive malware grew by 25% in 2018
CRYPTOJACKING
• Symantec blocked 4 times as many cryptojacking events in 2018 compared to 2017
• Cryptojacking activity remains at high levels with Symantec blocking 3.5 million events in December 2018
• Over the course of 2018, total cryptojacking events dropped by 52% as cryptocurrency prices dropped by almost 90%
LIVING OFF THE LAND AND SUPPLY CHAIN ATTACKS
• Use of malicious PowerShell scripts increased by 1000%
• Office files accounted for 48% of malicious email attachments, up from 5% in 2017
• Supply Chain Attacks increased by 78%
FORMJACKING
Formjacking
Formjacking =
Virtual
Formjacking
o Symantec prevented potentially millions of dollars of cybercriminal revenue from formjacking
- With data from a single credit card fetching up to $45 on underground markets, just 10 credit cards stolen from each compromised website could result in up to $2.2 million in earnings each month for cyber criminals
- The British Airways attack alone may have allowed criminals to earn more than $17 million
Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Formjacking: The New Get Rich Quick Scheme
o Activity peaked towards the end of the year with +1 million blocks in November and December, the busiest online shopping period
[Chart: monthly formjacking blocks, Jan-18 through Dec-18]
o Trends show formjacking will be with us in 2019 and beyond
RANSOMWARE AND CRYPTOJACKING
Ransomware Narrows in on Enterprises
ENTERPRISE vs. CONSUMER
• 2018: CONSUMER 19% of all attacks
• 2017: CONSUMER 51% of all attacks
• 2016: CONSUMER 69% of all attacks
Ransomware Narrows in on Enterprises
12% Growth in Attacks Against Enterprises
The Evolution of Ransomware
Why Business in 2018
o Largely use Windows
o May not have backed up critical files
o Successful attack a larger payday for attackers
o Makes a business decision whether to pay or not
Why Not Consumer in 2018
o Uses mobile OSs
o Files backed up in cloud
o Loss of files an emotional cost, not necessarily $$$
o Makes budget or moral decision to pay
Turning a Profit with Cryptojacking
Example: WannaMine
Targeting corporations to harness more powerful computers on-premises and in the cloud.
Criminals target enterprises by spreading WannaMine via the EternalBlue exploit, rendering some devices unusable due to high CPU usage.
The Diminishing Returns Of Cryptojacking
LoTL AND SUPPLY CHAIN WEAKNESSES
Living off the Land Tools & Supply Chain Weaknesses Spur Stealthier, More Ambitious Attacks
MALICIOUS EMAIL POWERSHELL
SUPPLY CHAIN ATTACKS
Malicious PowerShell Usage
115,000 malicious PowerShell scripts blocked each month
POWERSHELL
99% GOOD
1% BAD
High Risk of False Positives
Most Orgs Cannot Block all PowerShell
Gallmaker Attacks
Executes various tools including:
o WindowsRoamingToolsTask: Used to schedule PowerShell scripts and tasks
o A "reverse_tcp" payload from Metasploit
o A legitimate version of the WinZip console: Used to execute commands and communicate with the command and control (C&C) server; may also archive data for exfiltration
o Rex PowerShell library: Creates and manipulates PowerShell scripts for use with Metasploit exploits
No Binary Malware Used
Previously unknown espionage group, active since at least Dec. 2017
TARGETED ATTACKS
GROWTH IN 2018
• More established, active groups are targeting more organizations than ever before – the number of organizations targeted per attack group increased from 42 to 55 between 2015-2018
• The number of attack groups using destructive malware grew by 25% in 2018
• Spear-phishing remains the primary vector for targeted attacks
MOTIVES
• Targets are diversifying, with a growing number of groups displaying interest in compromising operational systems, e.g. Thrip targeting operational systems that monitor and control satellites
• Intelligence gathering is still the primary motive overall
LIVING OFF THE LAND
• Zero-day vulnerabilities have become much more difficult to find, with only 23% of attack groups leveraging zero days in 2018, down from 27% in 2017; this has led attackers to adopt more Living off the Land techniques, a trend that continues in 2018
ARRESTS
• Large increase in US indictments related to state-sponsored espionage: 49 in 2018 vs. 4 in 2017
Targeted Attacks
CLOUD
When it Comes to Security, the Cloud Is the New PC
• Poorly secured cloud databases continue to be the Achilles heel for organizations
• At least 70 million records leaked from S3 buckets in 2018, many from very large companies, typically as a result of poor configuration by the owner
• Numerous widely available online tools allow potential attackers to identify misconfigured cloud resources
• Discovery of vulnerabilities in hardware chips also places cloud services at risk: Meltdown, Spectre, Foreshadow
• An attacker who rents space on a cloud server with the Meltdown vulnerability could gain access to the protected memory spaces of other companies’ resources hosted on the same physical server
Cloud Computing: The NEW PC
The risks of cloud computing are becoming clear
INTERNET OF THINGS (IoT)
IoT an Entry Point for Targeted Attacks
A new breed of persistent, destructive IoT threat conducting MITM attacks and targeting SCADA
IoT 2019 and Beyond
IDG calls 2019 “a seminal year” for 5G, and predicts the market for 5G and related network infrastructure will exhibit a compound annual growth rate of 118 percent.
[Chart: 5G market size in $ billion: approximately $528 million in 2018, approximately $26 billion in 2022]
[Chart: Peak Data Rate (Gbps): 4G (1), 5G (10)]
• More 5G IoT devices will connect to the 5G network than a Wi-Fi router, making them more vulnerable to attack.
• For home users, it will be more difficult to monitor all IoT devices as they bypass a central router.
• More direct reliance on cloud-based storage will expose new targets.
THANK YOU
@scottparkersymc
https://linkedin.com/in/netsecguy
Speaker
Gabe is a technologist at heart who has been tinkering from an early age. In addition to running ISSA-UK, he has worked in 14 countries and across numerous sectors, bootstrapped a cloud cryptocurrency crowdfunding platform into profitability, built security programs from the ground up, led multi-million pound security service transitions and performed in-depth security engineering in SCADA environments. His current passions involve security economics, shifting security left, and the changing perception of information security in both business and the public eye.
Gabe Chomic, President, ISSA-UK
Cyber Security Trends for Busy People
Or, How Not to Discuss Breach Reports
Me
• Gabe Chomic
• President, ISSA-UK
• @infosecrow
• Expat gone native
• Worked in a lot of places
• 15+ years experience
• My dog is almost more stubborn than I am
• I have opinions
Some reasons...
➢ There are a lot of reports
➢ There are a lot of people and organisations who release reports
➢ There are even more people who write them than release them
➢ There are a lot of people who talk about the information contained in them
Why
One thing we don’t have...
➢ We don’t have a lot of people talking about the breach reports themselves
Excessive number of reports available
➢ Strong security industry
➢ Media and public interest
➢ Heavy M&A and investment
Everyone is getting in the game
Many reports can be differentiated by
➢ Type
➢ Pedigree
➢ Topic
➢ Source
➢ Type
❑ Breach reports
❑ Surveys
❑ Threat indices
❑ Resiliency Reviews
❑ Etc
➢ Pedigree
❑ Scale
❑ Reputation
➢ Topic
❑ Contextually sensitive
❑ Varied readership targets
➢ Source
❑ Analysis methodology
❑ Data type
❑ Dataset Scope
❑ Rigour
Goals
• Improve operational posture?
• Competitive analysis?
• M&A?
• Write a presentation?
Match your reading list to your goals
Source: https://haveibeenpwned.com/
Source: Crowdstrike Global Threat Report 2019
Look for value / alignment
Source: Aon 2019 Cyber Security Risk Report
Don’t assume authority
Common vocabulary is extremely important
Source: Verizon 2018 Data Breach Investigations Report
Economic and geopolitical factors are hard
Source: XKCD, https://xkcd.com/1966/
➢ Plethora of resources, reports and sources of information out there
➢ Vastly varying quality, approach, scope and intent
➢ Use a critical approach
❑ Have a goal or a good reason for the research
❑ Consider data or author limitations
❑ Look for value in each report
❑ Don’t assume authority or read a book by its cover
❑ Be clear on vocabulary, definitions and metrics
❑ Take care with geopolitics and economics
Recap
Speaker
After spending nearly two decades co-founding start-ups and working within multi-national integrators and service providers, Gary Marsden is now bringing to market Thales’ latest innovation - SafeNet Data Protection On Demand. Following the path of new technologies and growth markets has led Gary into the heart of many exciting and innovative products and projects. He has been instrumental in the development of managed and cloud services for voice, data, IT infrastructures and security markets.
Joining CryptoCard in 2007 (later acquired by SafeNet) Gary led the development of the managed authentication service business, achieving a leadership position in the Gartner Magic Quadrant for four years in succession and growing the user base from 30 users to over 2.5 million users in 2015. His ability to tap into the latest global trends across the managed services market, such as Blockchain, Cloud Computing, Internet of Things and Digital Payments comes from the years spent building channel-oriented business models. With the ever increasing business focus on end-to-end security, from network layer through to applications integration, Gary’s experience is invaluable in building customer and channel-focused solutions and services, with a high level of focus on the whole value chain. Automating workflow processes, transforming data protection into a click and deploy model and allowing data owners to migrate between cloud providers are just a few of the ways Gary is helping vendors achieve success.
Gary Marsden, Senior Director, Data Protection Services, Gemalto
2019 Breach Reports
• A Slightly Heretical View?
Why Are We Here Today?
➢ Is what we do each day having an effect?
➢ Are we situationally aware?
➢ Are we doing enough?
➢ Are we doing the basics?
➢ Are breach reports helping us?
IT Security Spend in last 5 years
➢ Spend on data security is low for many
[Chart: How companies report changing security budgets, 2018 vs. 2019]
Decrease: 6% (2018), 15% (2019)
About the same: 16% (2018), 35% (2019)
Increase: 79% (2018), 50% (2019)
IT Security Spend
The Changing Face of Data Security: 2019 Thales Data Threat Report
Half of organizations surveyed reported only spending 6% to 15% of their security budget on data security, just 0.6% to 3% of their overall IT budget
Conclusion……. Maybe…..
We Need To Tear Up The Rule Book!
Hey, I just proved that you can transform Data Protection
Retract your findings immediately we can’t have customers finding out!!!
Only DEVILS think they can improve the world so others can understand it
Do it for the good of the industry you HERETIC
The Security Market Needs to Transform!
“Encryption is a religion Marsden, and you are a heretic”
“No one wakes up in the morning to buy a HSM (Hardware Security Module)”
“Don’t even think of selling me just one more product…”
“Make it so my 5 year old can use it…. And I only want to pay for what I use… Period!”
Customer Challenge in 2019: Compliance in a Cloudy World
GOAL: All data is secured
Multiple borders and data silos
Too many solutions, high management overhead
Skills scarce and investment is prohibitive
Individual SaaS providers become Crypto custodians
Struggle to define a unified security policy
Loss of portability and control
Migration over time requires hybrid models
Result: 60% of data is NOT protected …..
……. which makes Data Protection and thus compliance TOUGH!!
SaaS Applications
Innovation
IoT
Data Protection Increasingly Cloud Bound
[Diagram: on-premises and cloud stacks (Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking) across SaaS, PaaS and IaaS, with data protection layers: Application-level, Tokenization, Database Column, Folder/File System-level, Machine/Volume-level, Key Broker, Key Management, Root of Trust]
Salesforce Shield
Cloud HSM
Issues
• Control over policies, custodianship of encryption and keys
• Too many “products”, help migration
• Tool proliferation – each cloud needs different tools
• Responsibility recognition – it is not up to the Cloud Provider!
Broad Cloud Security Concerns
Top Cloud Security Concerns (rates of very/extremely concerned)
• Attacks at the Service Provider: 64%
• Lack of control over location of data: 62%
• Security of my organization’s data in the cloud: 58%
• Multiple cloud encryption key management: 58%
• Custodianship of encryption keys: 57%
• Meeting compliance requirements: 54%
2018 Thales Data Threat Report
What Needs To Change?
➢ Issues
❑ Tools that are inadequate?
❑ Solutions too complex?
❑ Responses too late?
❑ Basics not in place?
❑ Hold our breath and hope?
Encryption is lacking
• Less than 30% of respondents say they use encryption for a vast majority of use cases
• 44% rated complexity as a perceived barrier to implementing data security
The Changing Face of Data Security: 2019 Thales Data Threat Report
[Chart: encryption usage by environment, axis 0% to 35%]
• PCs (data at rest)
• Full Disk Encryption (FDE) within our data centers
• Public cloud (IaaS, PaaS and SaaS) environments
• Big data environments
• File system/volume encryption within our data centers
• Files and fields in databases
• Mobile devices (laptops, smartphones, tablets)
• IoT applications
• Containers/Docker
• Native encryption from storage (SAN) providers
• Cloud native provider encryption
Basics not in place …. What do you mean?
➢ What will our reports say next year?
➢ Will we as an industry have done anything to make a fundamental change for our customers?