It is that time of the year again, when we force ourselves to stop for a moment and reflect on the events and technologies that we have encountered over the past year then adjust our service offerings to better meet the needs of our clients and the information security industry as a whole.
In our case, DirectDefense is launching several new services in 2016 that will allow us to gain a deep understanding of the current security posture of our clients and potential customers, while at the same time giving our clients a more realistic view of the cyber threats we observed in 2015 through our Threat Monitoring service.
The most exciting service offering change is with our persistence assessment package. During this assessment, we act as the attacker with the defined goal of gaining access to our target’s internal network via targeted attacks. Once on the inside, we pursue the specific goals set out in the initial rules of engagement. We then inform the client that they’ve been breached, which initiates phase 2 of the assessment. During this phase the client’s goal is to discover our unauthorized access and get us out of their network before we reach our goal. All of this activity takes place within a set time frame, typically one to three months. So how did our initial clients fare during 2015 while we developed this new service offering? Unfortunately, quite poorly on the first attempts. We got in 100% of the time, only a couple of clients noticed that we had gotten in after the first week, and none of them were able to get us out of their networks once we were in.
Additionally, when performing our compromised assessment service, we found that 100% of our clients had already been compromised in some manner. Approximately 20%-45% of the issues we found were due to malware, while the remaining 55%-80% of the issues were due to Riskware or just a general lack of control on applications being installed on desktops.
When we analyzed why organizations are doing so poorly, three common themes emerged:
1 – Too much faith in end-point protection solutions – It is about to be 2016, and many organizations still place far too much faith in legacy end-point protection solutions, more specifically signature-based anti-virus. If you have not heard by now, then let us be the first to tell you that signature-based AV is generally useless and, in our experience, is only 10%-15% effective at blocking or alerting you to an attacker targeting your systems. Whitelisting solutions, which generally do a better job (50%-60% effective) at blocking or alerting you, are also starting to fail consistently because they are left in their default deployment configurations, which do not fit non-standard desktop builds.
2 – Never testing a SIEM installation for blind spots – Log management is one of the most expensive endeavors an organization can tackle. Not only are the SIEM solutions themselves incredibly expensive, but the manpower required to properly configure all of your log sources can be as much as 3-4 times what most SIEM vendors recommend for a proper deployment (Note – most SIEM vendors give 3 FTEs as their generic answer, by the way).
So what does your organization end up with? The short answer is a very expensive data store that has only partial visibility into the important systems and services in your network. These issues are further compounded when we discover that the majority of the dashboards and reports that ship with SIEMs are focused on compliance rather than security operations, leaving your organization blind to active attacks and breaches as they occur.
3 – Still using old protocol-based firewalls and intrusion detection solutions – Unfortunately, there’s no polite way of saying this. If your organization is still using “Stateful Inspection” or “Deep Packet Inspection” only solutions, your security organization has very little chance of detecting a breach at the perimeter once it has occurred. These solutions have largely outlived their usefulness at this point, and if your perimeter security solutions cannot tell the difference between someone checking Gmail and someone sending out attachments on Gmail, you will continue to be blind to breaches that have occurred in your network.
So why the year of change, you ask? All is not lost… yet. The good news is that in the last two years we have seen a rise of new technologies that can give you the visibility you need to start protecting your network and enable your organization to react to attacks in a timely manner.
How can your organization change the way it is approaching security?
1 – We’ve mentioned them before, and we mention them near daily. Cylance solves the end-point protection problem. In short, it works… end of discussion. Don’t believe us? Try it for yourself, or at the very least stop wasting money on the old signature-based solutions.
2 – Test your SIEM, either internally or with a third party. Focus on authentication tracking. It is the largest blind spot in every SIEM solution we’ve encountered and takes the most effort to resolve.
3 – It is time to go “Next Gen” with your firewall and your IDS/IPS. To have any chance of detecting a breach, you will need to have visibility at the application layer. Secondly, new approaches to breach and/or behavior anomaly detection have been brought to market. We leverage LightCyber for our compromised assessments, as well as our managed services. The LightCyber solution provides amazing visibility into internal threats, while also supercharging the incident response process due to its data collection techniques.
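One way to turn point 2 into a repeatable check, as an added example that is not DirectDefense’s code or any vendor’s: compare an inventory of sources that must forward authentication events (constructed, hypothetical host names) against what the SIEM actually received in a time window, and report every source whose coverage is incomplete, whether silent, stale, or sending only non-authentication events.

```python
from datetime import datetime, timedelta

# Constructed inventory (hypothetical host names): every source that must
# forward authentication events, and the event categories it must deliver.
EXPECTED_SOURCES = {
    "dc01.corp.example":   {"logon_success", "logon_failure"},
    "dc02.corp.example":   {"logon_success", "logon_failure"},
    "vpn01.corp.example":  {"logon_success", "logon_failure"},
    "jump01.corp.example": {"logon_success", "logon_failure"},
}

# Constructed sample of normalised events the SIEM actually received:
# (timestamp, source, category).
RECEIVED_EVENTS = [
    ("2015-12-30T08:00:00", "dc01.corp.example", "logon_success"),
    ("2015-12-30T08:05:00", "dc01.corp.example", "logon_failure"),
    ("2015-12-30T09:00:00", "dc02.corp.example", "logon_failure"),   # successes never audited
    ("2015-12-28T23:00:00", "vpn01.corp.example", "logon_success"),  # stale: forwarder stopped
    ("2015-12-30T10:00:00", "jump01.corp.example", "system_reboot"), # alive, but no auth events
]

# Constructed "current time" so the sample evaluates the same way every run.
SAMPLE_NOW = datetime(2015, 12, 30, 12, 0, 0)


def find_auth_blindspots(expected, events, now, window=timedelta(hours=24)):
    """Return {source: missing categories} for each source whose authentication
    coverage is incomplete inside the window. A source that is silent, stale,
    or sends only non-authentication events is reported with every category missing."""
    cutoff = now - window
    seen = {src: set() for src in expected}
    for ts, src, category in events:
        if src not in expected or datetime.fromisoformat(ts) < cutoff:
            continue  # unknown source, or outside the window
        seen[src].add(category)
    return {src: required - seen[src]
            for src, required in expected.items() if required - seen[src]}


def run_sample():
    """Evaluate the constructed inventory against the constructed event sample."""
    return find_auth_blindspots(EXPECTED_SOURCES, RECEIVED_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for src, missing in sorted(run_sample().items()):
        print(f"{src}: missing {', '.join(sorted(missing))}")
```

In a real deployment the inventory comes from your asset list and the events from a SIEM export; the point is that a source appearing in dashboards is not proof that its authentication events are arriving.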
We will be the first to tell anyone that if you continue using the old end-point protection solutions, you need to install LightCyber, for when the inevitable happens and your network becomes compromised.
If anything, we hope that due to the volume of breaches the industry has seen this year, your organization takes 2016 as a chance to change the way things have been done, and looks for ways to start making impactful changes moving forward.
As always, if you would like some assistance or guidance on where and how to positively affect change in your environment, we at DirectDefense will be here to help you in the coming year.
Happy New Year,
If you would like to learn more about our security testing and security management services, or learn more about how DirectDefense can assist your company in developing security strategies and solutions that work, please contact us at firstname.lastname@example.org.