Breach Report- Review the Various Breach Reports April 23, 2019

Today’s web conference is generously sponsored by:

Gemalto (https://www.gemalto.com/)

Moderator

Matt Mosley is the Vice President of Security Products for Devo, a leading SIEM and big data analytics vendor. Matt is a recognized security expert and thought leader with more than 25 years of experience in numerous roles as a practitioner, consultant and software executive. Prior to joining Devo, Matt was the Director of Product Management for Symantec’s MSSP business, where he helped to launch new products and services to enhance the security of some of the world’s largest organizations. Matt has also held senior leadership roles with leading security firms including NetIQ, Internet Security Systems, Intellitactics, and Brabeion Software. As the chief security officer at early Internet pioneer DIGEX, Matt defined and implemented the security controls and best practices for the world’s first web hosting business and was a founding member of the ISP Security Consortium. Matt holds the CISSP, CISM, and CISA designations, is a regular speaker at security conferences, and taught CISSP classes for ISSA-NOVA for nearly a decade.

Matt Mosley, Vice President of Security Products, Devo

Speaker

Scott has been with Symantec for 20 years and is an Information Systems Security Association Distinguished Fellow with over 30 years of tactical and strategic information security experience across multiple control points – data centers, endpoints, and gateways with a focus on threat protection, information protection, cyber security services and security analytics.

Scott Parker, Sr. Principal Systems Engineer, Symantec

Scott Parker, CISSP, CISM | Sr Principal Systems Engineer

ISSA Distinguished Fellow

2017 Internet Security Threat Report | Volume 22

https://resource.elq.symantec.com/LP=6819?inid=symc_threat-report_istr_to_leadgen_form_LP-6819_ISTR-2019-report-main&cid=70138000001Qv0PAAS

ISTR | INTERNET SECURITY THREAT REPORT | Volume 24 | February 2019

2018 At A Glance: Big Numbers

WEB ATTACKS

• Web attacks up by 56%

• 1 in 10 URLs analyzed by Symantec were identified as malicious in 2018

FORMJACKING

• On average 4,800 websites were compromised for formjacking attacks every month in 2018

• Symantec blocked 3.7M formjacking attacks in 2018 on endpoint devices

RANSOMWARE

• Enterprise ransomware infections up 12%

• Mobile ransomware infections increased by 33%

• Overall ransomware infections were down by 20% as attackers moved to more lucrative activities

TARGETED ATTACKS

• Attack groups target an average of 55 organizations each

• The number of attack groups using destructive malware grew by 25% in 2018

CRYPTOJACKING

• Symantec blocked 4 times as many cryptojacking events in 2018 compared to 2017

• Cryptojacking activity remains at high levels with Symantec blocking 3.5 million events in December 2018

• Over the course of 2018, total cryptojacking events dropped by 52% as cryptocurrency prices dropped by almost 90%

LIVING OFF THE LAND AND SUPPLY CHAIN ATTACKS

• Use of malicious PowerShell scripts increased by 1000%

• Office files accounted for 48% of malicious email attachments, up from 5% in 2017

• Supply Chain Attacks increased by 78%

FORMJACKING

Formjacking

Formjacking = Virtual

Formjacking

o Symantec prevented potentially millions of dollars of cybercriminal revenue from formjacking

- With data from a single credit card fetching up to $45 on underground markets, just 10 credit cards stolen from each compromised website could result in up to $2.2 million in earnings each month for cyber criminals

- The British Airways attack alone may have allowed criminals to earn more than $17 million

Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY

Formjacking: The New Get Rich Quick Scheme

o Activity peaked towards the end of the year with +1 million blocks in November and December, the busiest online shopping period

[Chart: monthly values, Jan-18 through Dec-18; vertical axis from 0 to 700,000]

o Trends show formjacking will be with us in 2019 and beyond

RANSOMWARE AND CRYPTOJACKING

Ransomware Narrows in on Enterprises

ENTERPRISE vs. CONSUMER

• 2018: CONSUMER 19% of all attacks

• 2017: CONSUMER 51% of all attacks

• 2016: CONSUMER 69% of all attacks

Ransomware Narrows in on Enterprises

12% Growth in Attacks Against Enterprises

The Evolution of Ransomware

Why Business in 2018

o Largely use Windows

o May not have backed-up critical files

o Successful attack a larger payday for attackers

o Makes a business decision whether to pay or not

Why Not Consumer in 2018

o Uses mobile OSs

o Files backed-up in cloud

o Loss of files an emotional cost, not necessarily $$$

o Makes budget or moral decision to pay

Turning a Profit with Cryptojacking

Example: WannaMine

Targeting corporations to harness more powerful computers on prem and in the cloud.

Criminals are targeting enterprises by spreading WannaMine via the EternalBlue exploit, rendering some devices unusable due to high CPU usage.

The Diminishing Returns Of Cryptojacking

LoTL AND SUPPLY CHAIN WEAKNESSES

Living off the Land Tools & Supply Chain Weaknesses Spur Stealthier, More Ambitious Attacks

• MALICIOUS EMAIL

• POWERSHELL

• SUPPLY CHAIN ATTACKS

Malicious PowerShell Usage

115,000 malicious PowerShell scripts blocked each month

PowerShell: 99% GOOD, 1% BAD

High Risk of False Positives

Most Orgs Cannot Block all PowerShell

Gallmaker Attacks

Executes various tools including:

o WindowsRoamingToolsTask: Used to schedule PowerShell scripts and tasks

o A "reverse_tcp" payload from Metasploit

o A legitimate version of the WinZip console: Used to execute commands and communicate with the command and control (C&C) server; may also archive data for exfiltration

o Rex PowerShell library: Creates and manipulates PowerShell scripts for use with Metasploit exploits

No Binary Malware Used

Previously unknown espionage group, active since at least Dec. 2017

TARGETED ATTACKS

GROWTH IN 2018

• More established, active groups are targeting more organizations than ever before – the number of organizations targeted per attack group increased from 42 to 55 between 2015-2018

• The number of attack groups using destructive malware grew by 25% in 2018

• Spear-phishing remains the primary vector for targeted attacks

MOTIVES

• Targets are diversifying, with a growing number of groups displaying interest in compromising operational systems, e.g. Thrip targeting operational systems that monitor and control satellites

• Intelligence gathering is still the primary motive overall

LIVING OFF THE LAND

• Zero-day vulnerabilities have become much more difficult to find, with only 23% of attack groups leveraging zero days in 2018, down from 27% in 2017. This has led attackers to adopt more Living off the Land techniques, a trend that continues in 2018

ARRESTS

• Large increase in US indictments related to state-sponsored espionage: 49 in 2018 vs. 4 in 2017

Targeted Attacks

CLOUD

When it Comes to Security, the Cloud Is the New PC

• Poorly secured cloud databases continue to be the Achilles heel for organizations

• At least 70 million records leaked from S3 buckets in 2018, many from very large companies, typically as a result of poor configuration by the owner

• Numerous widely available online tools allow potential attackers to identify misconfigured cloud resources

• Discovery of vulnerabilities in hardware chips also places cloud services at risk: Meltdown, Spectre, Foreshadow

• An attacker who rents space on a cloud server with the Meltdown vulnerability could gain access to the protected memory spaces of other companies’ resources hosted on the same physical server

Cloud Computing: The NEW PC

The risks of cloud computing are becoming clear

INTERNET OF THINGS (IoT)

IoT an Entry Point for Targeted Attacks

A new breed of persistent, destructive IoT threat conducting MITM attacks and targeting SCADA

IoT 2019 and Beyond

IDG calls 2019 “a seminal year” for 5G, and predicts the market for 5G and related network infrastructure will exhibit a compound annual growth rate of 118 percent.

[Chart: $ BILLION MARKET, vertical axis from 5 to 30; 2018: approximately $528 million; 2022: approximately $26 billion]

[Chart: Peak Data Rate (Gbps); 4G (1), 5G (10)]

In time

• More 5G IoT devices will connect to the 5G network than a Wi-Fi router, making them more vulnerable to attack.

• For home users, it will be more difficult to monitor all IoT devices as they bypass a central router.

• More direct reliance on cloud-based storage will expose new targets.

THANK YOU

@scottparkersymc

https://linkedin.com/in/netsecguy

Speaker

Gabe is a technologist at heart who has been tinkering from an early age. In addition to running ISSA-UK, he has worked in 14 countries and across numerous sectors, bootstrapped a cloud cryptocurrency crowdfunding platform into profitability, built security programs from the ground up, led multi-million pound security service transitions and performed in-depth security engineering in SCADA environments. His current passions involve security economics, shifting security left, and the changing perception of information security in both business and the public eye.

Gabe Chomic, President, ISSA-UK

Cyber Security Trends for Busy People

Or, How Not to Discuss Breach Reports

Me

• Gabe Chomic

• President, ISSA-UK

• @infosecrow

• Expat gone native

• Worked in a lot of places

• 15+ years experience

• My dog is almost more stubborn than I am

• I have opinions

Why

Some reasons...

➢ There are a lot of reports

➢ There are a lot of people and organisations who release reports

➢ There are even more people who write them than release them

➢ There are a lot of people who talk about the information contained in them

One thing we don’t have...

➢ We don’t have a lot of people talking about the breach reports themselves

Excessive number of reports available

➢ Strong security industry

➢ Media and public interest

➢ Heavy M&A and investment

Everyone is getting in the game

Many reports can be differentiated by

➢ Type

➢ Pedigree

➢ Topic

➢ Source

➢ Type

❑ Breach reports

❑ Surveys

❑ Threat indices

❑ Resiliency Reviews

❑ Etc

➢ Pedigree

❑ Scale

❑ Reputation

➢ Topic

❑ Contextually sensitive

❑ Varied readership targets

➢ Source

❑ Analysis methodology

❑ Data type

❑ Dataset Scope

❑ Rigour

Goals

• Improve operational posture?

• Competitive analysis?

• M&A?

• Write a presentation?

match your reading list to your goals

Source: https://haveibeenpwned.com/

Source: Crowdstrike Global Threat Report 2019

Source: Crowdstrike Global Threat Report 2019

Look for value / alignment

Source: Aon 2019 Cyber Security Risk Report

Source: Aon 2019 Cyber Security Risk Report

Source: Aon 2019 Cyber Security Risk Report

Source: Aon 2019 Cyber Security Risk Report

Don’t assume authority

Common vocabulary is extremely important

Source: Verizon 2018 Data Breach Investigations Report

Economic and geopolitical factors are hard

Source: XKCD, https://xkcd.com/1966/

Recap

➢ Plethora of resources, reports and sources of information out there

➢ Vastly varying quality, approach, scope and intent

➢ Use a critical approach

❑ Have a goal or a good reason for the research

❑ Consider data or author limitations

❑ Look for value in each report

❑ Don’t assume authority or read a book by its cover

❑ Be clear on vocabulary, definitions and metrics

❑ Take care with geopolitics and economics

Speaker

After spending nearly two decades co-founding start-ups and working within multi-national integrators and service providers, Gary Marsden is now bringing to market Thales’ latest innovation - SafeNet Data Protection On Demand. Following the path of new technologies and growth markets has led Gary into the heart of many exciting and innovative products and projects. He has been instrumental in the development of managed and cloud services for voice, data, IT infrastructures and security markets.

Joining CryptoCard in 2007 (later acquired by SafeNet) Gary led the development of the managed authentication service business, achieving a leadership position in the Gartner Magic Quadrant for four years in succession and growing the user base from 30 users to over 2.5 million users in 2015. His ability to tap into the latest global trends across the managed services market, such as Blockchain, Cloud Computing, Internet of Things and Digital Payments comes from the years spent building channel-oriented business models. With the ever increasing business focus on end-to-end security, from network layer through to applications integration, Gary’s experience is invaluable in building customer and channel-focused solutions and services, with a high level of focus on the whole value chain. Automating workflow processes, transforming data protection into a click and deploy model and allowing data owners to migrate between cloud providers are just a few of the ways Gary is helping vendors achieve success.

Gary Marsden, Senior Director, Data Protection Services, Gemalto

2019 Breach Reports

• A Slightly Heretical View?

Why Are We Here Today?

➢ Is what we do each day having an effect?

➢ Are we situationally aware?

➢ Are we doing enough?

➢ Are we doing the basics?

➢ Are breach reports helping us?

IT Security Spend in last 5 years

➢ Spend on data security is low for many

IT Security Spend: how companies report changing security budgets

2018: Decrease 6%, About the same 16%, Increase 79%

2019: Decrease 15%, About the same 35%, Increase 50%

The Changing Face of Data Security

2019 Thales Data Threat Report

Half of organizations surveyed reported only spending 6% to 15% of their security budget on data security, just 0.6% to 3% of their overall IT budget

Conclusion……. Maybe…..

We Need To Tear Up The Rule Book!

Hey, I just proved that you can transform Data Protection

Retract your findings immediately we can't have customers finding out!!!

Only DEVILS think they can improve the world so others can understand it

Do it for the good of the industry you HERETIC

The Security Market Needs to Transform!

“Encryption is a religion Marsden, and you are a heretic”

“No one wakes up in the morning to buy a HSM (Hardware Security Module)”

“Don’t even think of selling me just one more product…”

“Make it so my 5 year old can use it…. And I only want to pay for what I use… Period!”

Customer Challenge in 2019: Compliance in a Cloudy World

GOAL: All data is secured

Multiple borders and data silos

Too many solutions, high management overhead

Skills scarce and investment is prohibitive

Individual SaaS providers become Crypto custodians

Struggle to define a unified security policy

Loss of portability and control

Migration over time requires hybrid models

Result: 60% of data is NOT protected …..

……. which makes Data Protection and thus compliance TOUGH!!

SaaS Applications

Innovation

IoT

Data Protection Increasingly Cloud Bound

[Diagram: the stack layers Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking, shown for On-premises and for Cloud (SaaS, PaaS, IaaS). Data protection options shown: Machine/Volume-level, Folder/File System-level, Database Column, Application-level, Tokenization, Key Management, Key Broker, Root of Trust]

Salesforce Shield

Cloud HSM

Issues

• Control over policies, Custodianship of encryption and keys

• Too many “products”, help migration

• Tool proliferation – each cloud needs different tools

• Responsibility recognition – it is not up to the Cloud Provider!

Broad Cloud Security Concerns

Top Cloud Security Concerns

(rates of very/extremely concerned)

• 64% Attacks at the Service Provider

• 62% Lack of control over location of data

• 58% Security of my organization’s data in the cloud

• 58% Multiple cloud encryption key management

• 57% Custodianship of encryption keys

• 54% Meeting compliance requirements

2018 Thales Data Threat Report

What Needs To Change?

➢ Issues

❑ Tools that are inadequate?

❑ Solutions too complex?

❑ Responses too late?

❑ Basics not in place?

❑ Hold our breath and hope?

Encryption is lacking

44%: Rated complexity as a perceived barrier to implementing data security

30%: Less than 30% of respondents say they use encryption for a vast majority of use cases

The Changing Face of Data Security

2019 Thales Data Threat Report

[Chart: horizontal axis from 0% to 35%, one bar per category below]

• PCs (data at rest)

• Full Disk Encryption (FDE) within our data centers

• Public cloud (IaaS, PaaS and SaaS) environments

• Big data environments

• File system/volume encryption within our data centers

• Files and fields in databases

• Mobile devices (laptops, smartphones, tablets)

• IoT applications

• Containers/Docker

• Native encryption from storage (SAN) providers

• Cloud native provider encryption

Basics not in place …. What do you mean?

➢ What will our reports say next year?

➢ Will we as an industry have done anything to make a fundamental change for our customers?
