data security breachIf your entire company’s value were converted into cash, and stored in a warehouse, how would you go about protecting it? You’d probably start with physical security — a reinforced structure, razor wire, and a secure entryway to prevent unauthorized entry and exit. You’d add access controls to the entryway, requiring multiple pieces of ID to enter, such as biometric scans, key cards and passwords.

 

You’d add surveillance, including cameras motion detectors and remote alarms. You’d probably also want to set up a regular maintenance program to make sure all of your security controls are working properly, and revamp security in response to new threats.

 

Lastly, you’d come up with a system to vet and track your security personnel. You’d use background checks and your instincts to make sure you hired trustworthy people, but you’d also put a system in place to audit and supervise the guards.

 

In other words, you’d trust, but verify.

 

After all, with all of your company’s money there for the taking, there’d be a big incentive for an insider attack. You couldn’t afford to be wrong about someone — even once.

 

But when it comes to protecting against a data security breach, many companies simply assign some security staff, throw a budget at them, and call it a day. They don’t carefully plan a cyber security services infrastructure like they’d do with physical services, and they don’t supervise or verify their security team. They just post a few guards at the door, give them some money to install a fence and call it a day.

 

Many Organizations Don’t Understand the Risks of a Data Security Breach

 

The cost of cyber attacks is growing. A recent worldwide study of 237 organizations sponsored by Hewlett Packard Enterprise found that cyber attacks cause an astonishing average annual loss of $9.5 million — a full 23% increase over the previous year. In the United States, the average cost has gone up to $17.36 million. And no, those numbers aren’t misprints.

 

Even more shockingly, the study found cybercrime affects nearly 100% of businesses. Security stats always differ between studies — another prominent report showed that 70% of companies had been cyber victims in the past year (a CAGR of 66% over the previous year) — but the consensus is clear: you’re more likely to be successfully attacked than to come out unscathed.

 

To their credit, most businesses are at least starting to understand that they’re in danger from all of this. In 2015, 20% of global companies budgeted between $1 to $4.9 million dollars, and a full 58% have created an overall security strategy. 54% have appointed a CISO, and more than half have employee security training and awareness programs (53%). It’s a start, but it’s not good enough. With only 49% of global companies conducting threat assessments and 48% engaging in active security intelligence monitoring and analysis, it’s clear that many, many companies have onsite cyber security programs that are way behind where they need to be.

 

And although companies are more aware of cyber security issues than ever, there’s still a major disconnect — most people either don’t believe it’s going to happen to them, or overrate their own security. Companies are particularly unprepared for insider threats. A 2015 survey showed that although 74% of IT security professionals are concerned about insider threats, 32% believe their organizations lacked the capability to stop an insider data security breach, and 28% say their organizations don’t prioritize insider threat detection and prevention.

 

This isn’t just a matter of failing to prepare for, say, opportunistic threats or vengeful ex-employees. Insider mistakes or negligence play a role in the vast majority of breaches, so having no mechanism in place to watch insiders makes organizations much more vulnerable to outsiders as well. And with new challenges like IoT cyber security straining onsite teams, the situation for many companies will get worse before it gets better.

 

Traditional Security Can’t Address All Cyber Security Risks: There are an almost limitless number of ways insiders can let hackers in. If a worker uses a weak password, or reuses a password, it increases the risk of a hacker gaining access to the account, which can be used to facilitate a data security breach — either by stealing the information that the compromised employee has access to, or using that employee’s access as a wedge to gain access to other parts of the system.

 

Unsafe browsing habits are another major source of data security breaches — usually through malware infection. A temp in a partner’s office clicking on a cute cat photo on social media in July can be the cause of a massive breach in December. Stolen laptops and smartphones, unsecured wireless connections, and countless other seemingly minor avenues of attack will open cyber security vulnerabilities to hackers.

 

Traditional security tools attempt to stop data security breach events using tools like malware scanners and firewalls. However, these perimeter defenses aren’t completely effective. If a hacker enters your landscape using a stolen account, or a partner’s compromised landscape, their activities may look completely normal to many perimeter security devices.

 

Even against malware, these defenses may prove inadequate. Modern hackers often use crypting services to make malware harder to detect, reducing the effectiveness of traditional defenses against cyber attacks. Perimeter security is still an important part of your defenses, but it’s no longer sufficient to stop a determined hacker from executing a data security breach. Without the right security and compliance monitoring program, the situation is hopeless.

 

Cyber SecuritySecurity Information & Events Management (SIEM) Stops Data Security Breaches

 

The only way to hacker-proof your security is constant vigilance. SIEM prevents data security breach events by combining state of the art technology with 24/7/365 “eyes on glass” monitoring and incident response. An SIEM approach reduces the risks of data security breach events by logging, gathering and analyzing security data in real time, then passing it off to trained security professionals to determine the nature of the threat and counter it.

 

SIEM analyzes security data across your system, looking for suspicious activity that may indicate a potential. For example, if a particular IP address is repeatedly scanning your system or someone is making multiple unsuccessful login attempts, it may indicate a hacker trying to gain access to your system.

 

When the software sees suspicious activity, it will generate alerts and tickets that are forwarded to a security team for analysis. That team will then examine the alert, confirm whether it represents a real threat or a false alarm, and then take appropriate actions to resolve it. The software tracks each step in the incident detection and response process. This assists forensics, ensures quick and professional incident response and resolution, and facilitates regulatory compliance.

 

Kill Chain Analysis — Protect Data Security By Thinking Like a Hacker

 

Kill chain analysis is a conceptual tool that facilitates cyber security by modeling the stages of a cyber attack. Kill chains identify seven stages in a cyber security attack, and pose defenses for each stage. The stages are:

 

  • Reconnaissance: selecting a target, gathering info and probing for vulnerabilities
  • Weaponization: creating or selecting a weapon, such as a worm, to attack the target
  • Delivery: delivering the weapon to the target — e.g. by spear phishing
  • Exploitation: activating the weapon — e.g. when the victim clicks a malicious link
  • Installation: Installing a backdoor or other vulnerability for the intruder to use
  • Command and Control: creating a system to remotely control the victim’s system
  • Action on Objective: achieving a goal, such as data theft.

 

Kill chain analysis isn’t an exact, unvarying model of every type of attack. For example, in an opportunistic data security breach, a hacker may simply guess a password and grab information from a user’s account without using any “weapon.” Additionally, thinking about threats is constantly evolving. IT security and compliance professionals observe changes in hacker behavior and tweak their paradigms and strategies to stay one step ahead.

 

However, kill chain analysis is still an invaluable tool, because it allows analysts to think like hackers, and more effectively anticipate what those hackers might do. Rather than looking for a single critical event (for example, a failed malware scan), a good managed security services provider can use SIEM to look for indicators of multiple steps in the kill chain.

For example, attackers will often use a combination of passive and active reconnaissance in the initial phase of the attack. During passive reconnaissance, hackers interact with a server in a normal way (e.g. by visiting a website) and then analyzing the data to learn more about the target, such as the software they’re running. With active reconnaissance, hackers send packets to a server to look for vulnerable ports.

 

By looking at all the ways a particular actor is interacting with your network, security professionals can get a good idea of whether they’re probing your network, what they may know about you and even where they believe you’re vulnerable. That intelligence can be used to check and reinforce security (for example, through hardening or refining network security architecture) and anticipate and prevent future attacks.

 

Similarly, if you see unusual traffic coming from a particular user account, it could indicate an Advanced Persistent Threat (APT) actor — i.e. someone who is inside your system, and is carefully preparing to make their move. Based on their behavior, you can model where they are in the attack and respond appropriately.

 

Next Generation Firewalls

 

As perimeter security device, firewalls have had to evolve rapidly to keep up with the demands of cloud security. Traditional firewalls inspect packets — units of data — as they enter or exit the network. Based on where the packet is coming from, and other information about the connection, the firewall decides whether to let the packet through.

 

Unfortunately, traditional firewalls don’t have a particularly sophisticated understanding of the traffic they’re scanning. In some case, they can be fooled by traffic using an unexpected port or deceptive header, preventing them from catching certain types of security breaches.

 

Next Generation Firewalls (NGFs) are better able to identify the source and nature of traffic, and catch potential data security breaches before they happen. Application awareness allows them to look at what application is sending or receiving a particular stream of traffic, and identify awareness shows which users are sending the traffic.

 

These features are integrated with an Intrusion Detection and Protection System, which uses the enhanced visibility provided by the NGF to stop a wide variety of attacks. If the firewall detects threat signatures or spots unusual user or application behavior, it can quickly alert security professionals, allowing them to investigate and shut down the attack.

 

File Integrity Monitoring

 

A data security breach is rarely a snatch-and-grab affair. Hackers often spend months or even years inside a system, exploring, increasing their access privileges and planning before the attack occurs. No matter how carefully the hacker proceeds, this will leave recognizable traces — but only if the data security providers know where to look.

 

File integrity monitoring can spot the changes attackers make as they invade your landscape. Altered privileges, credentials and security settings can indicate a threat agent has been manipulating your ERP environment to gain more access to the information they’re targeting for a data security breach. Other improperly altered files can indicate a hidden piece of malware, designed to allow a hacker to control your landscape.

 

File integrity monitoring is also a part of regulatory compliance. Regimes like PCI-DSS and SOX compliance require you to keep track of how data is accessed and altered in your landscape. An unapproved change could indicate a sophisticated insider cooking the books or trying to cover their tracks, or it could be a sign of some hardware or software issue that is compromising file integrity. Either way, integrity monitoring can help you spot and correct the problem quickly.

 

Trust Won’t Stop a Data Security Breach

 

It’s good to trust the people who work for you, but trust won’t stop a data security breach. If you want to protect your data and your business, you need a robust, multi-layer defense. Ensure your IT landscape is protected at every level, using robust architecture, sophisticated security tools and around-the-clock monitoring by a crack team of security professionals.

 

About Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.