NetWorks Group Blog

Modeling an effective threat detection and response program

Posted by NetWorks Group on Dec 19, 2017 10:35:41 AM

Know Your Enemy

Topics: Managed Detection & Response, Information Security, Threat Hunting, Threat Management

The Impact of Cybersecurity Breaches in the Healthcare Industry

Posted by Jyothish Varma on Dec 14, 2017 10:16:05 AM

Cybersecurity breaches reached unprecedented levels in 2017. Few were spared as businesses and government entities alike -- including Equifax, the British National Health Service and even the U.S. National Security Agency, as well as dozens of others -- were hit with data breaches. While frequent targets like the financial sector and retail industries experienced their fair share of attacks, the healthcare sector is now the primary target of hackers, accounting for 25 percent of all data breaches. Understanding why this is happening and the consequences of it will help you improve your company's cybersecurity defenses and mitigate future threats.

Topics: Managed Detection & Response, Information Security, Threat Management, Healthcare, HIPAA

Why You Should Be Concerned About HIPAA Security Rules Enforcement

Posted by David Howard on Dec 6, 2017 10:18:17 AM

With data breaches in the healthcare industry increasing exponentially, it's critical for those in leadership positions to get serious about HIPAA security and enforcement. You need to understand not only why HIPAA is important but how the rule enforcement process works and the penalties that can be implemented.

Topics: Information Security, Compliance, Healthcare, HIPAA

3 Common-Sense Ways to Prevent Phishing Attempts

Posted by Jyothish Varma on Nov 30, 2017 3:28:04 PM

Today, phishing is one of the most dangerous forms of online threat. In the fourth quarter of 2016 alone, social media-based phishing attempts increased 500 percent. As if that weren't enough, a recent 2017 report found that the average business user comes across at least one phishing attempt via email each day. Luckily, you can reduce the risk of phishing (and ensure you're protecting your endpoints) by recognizing the signals of phishing and taking proactive steps to prevent attacks.

What Is a Phishing Attack?

Phishing attacks take place when a hacker or thief attempts to steal sensitive information, including but not limited to passwords, usernames and credit card information, by sending electronic communications that look like they are from a trustworthy source. Each year, successful phishing attempts claim more than $5 billion from US consumers and businesses.

Topics: Ethical Hacking, Information Security, Threat Management

Protect. Detect. Respond: The Case for Managed Detection and Response

Posted by NetWorks Group on Nov 27, 2017 10:49:18 AM

Cyber security is on the mind of every business executive in the world. Modern security challenges are not easy to fix or even identify, and despite some misleading advertising from vendors, there is no one-size-fits-all solution. We frequently observe large visibility gaps in existing security implementations, allowing even obvious red flags to slip under the radar. Firewalls and traditional antivirus software are important, but only react to known threats. Too many organizations rely on passive preventative technology for network security. Good attackers employ stealth and polymorphic tools that defy signature-based detection, allowing them to bypass these technologies altogether. We must assume that threats will get in, and no system is impenetrable.

Topics: Security Monitoring, Managed Detection & Response, Information Security, Threat Hunting, Threat Management

Active Directory Password Filters: The Missing Windows Feature

Posted by Aaron Pohl on Oct 23, 2017 11:28:38 AM

As penetration testers, we get a lot of joy out of compromising Windows networks. They are basically our favorite targets because of how insecure they are by default. Microsoft has always favored backward compatibility over security, and while it is possible to really lock down an AD (Active Directory) environment, it takes a lot of effort. While setting up an organization’s network in the first place, many admins take the stance of, “Let’s just get it working, and then we’ll add security on afterwards.” Nine times out of ten, they never go back and enable the security features until after there is an incident.

Topics: Ethical Hacking, Information Security, Penetration Testing, Threat Management

Threat Detection - Logs, Log Sources and Analysis Make All the Difference

Posted by Matt Warner on Oct 10, 2017 9:25:00 AM

Threat detection has grown into a complex and messy activity in organizations. Many utilize Security Information and Event Management (SIEM) systems, which can play a critical role in today's enterprise. In order to do their job, SIEMs depend on the logs generated by the enterprise's various systems. Sounds simple enough. However, in a typical Fortune 500 company scenario, an astounding amount of log data is generated. It's not at all unusual to see 10 Terabytes of plain text per month. Fact is, there can be hundreds, even thousands of sources of log data in the typical enterprise. Even small and medium sized businesses will be overwhelmed trying to collect, analyze, and store their log data. The questions are, then, “Can you collect AND analyze them all? Should you? Will the infrastructure support storage and ongoing detection? Do you have the expertise in place to analyze logs and maintain the infrastructure to do so?”

Topics: Security Monitoring, Managed Detection & Response, Information Security, Threat Hunting, Threat Management

Discussing Cybersecurity in the Boardroom

Posted by Jyothish Varma on Sep 20, 2017 12:55:41 PM

Cyber warfare is a very real and present danger, with more companies finding themselves on the losing end of the battle. Statistics from security monitoring services show that in a single hour alone, there are about 184,188 recorded cyber security breaches. This should be a wake-up call to key stakeholders, the majority of whom assume that cybersecurity is simply an IT problem and responsibility.

Topics: Information Security, Threat Management

Equifax breach: A learning opportunity to get ahead of the constant threats

Posted by Amanda Berlin on Sep 8, 2017 12:10:43 PM

If you haven’t heard already, Equifax, one of the “big-three” U.S. credit bureaus, has announced a data breach that may have affected 143 million Americans, including consumer Social Security numbers, birth dates, addresses and some driver’s license numbers. For a good rundown of what has transpired so far, Krebs on Security has a solid in-depth article on it here. Every time there is a breach in the news, most other outlets swarm to a few different types of articles. Some popular directions are attribution, defense advice, or sensationalist journalism.

Topics: Managed Detection & Response, Ethical Hacking, Information Security, Threat Advisory

The Importance of Cybersecurity in Healthcare

Posted by David Howard on Sep 5, 2017 10:19:00 AM

Healthcare data theft totaled more than 112 million records in 2015, according to the Office of Civil Rights. Moreover, 42.5 percent of all data breaches have occurred in the healthcare industry in the last three years, and 91 percent of healthcare organizations have reported at least one breach in the last two years. Hackers, unauthorized access from staff, improper disposal, data loss — all of these factors contributed to large-scale data breaches in hospitals and medical facilities across the United States. Now, more IT managers and administrators are investing in cybersecurity to safeguard patient data.

Topics: Managed Detection & Response, Information Security, Vulnerability Management, Compliance, Healthcare
