Before the Breach: Using threat intelligence to stop attackers in their tracks

IBM Global Technology Services White Paper, Managed Security Services

Upload: mark-fullbright

Post on 21-Jan-2015



Data breaches happen. They happen to big companies and small companies, government agencies and nonprofit organizations, hospitals and hotels. They happen every day, everywhere and under virtually every kind of circumstance you can imagine. And there’s no reason to believe that they’re going to stop happening anytime soon.

Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, strategic advantage and notoriety to attack your most valuable assets. Their operations are often well funded and businesslike. Attackers patiently evaluate targets based on potential effort and reward. They use social media and other entry points to track down people with access, take advantage of trust and exploit them as vulnerabilities. At the same time, negligent employees can inadvertently put the business at risk as the result of simple human error.

IBM’s global monitoring operations and analysts have determined that the average company experienced more than 91 million security events in 2013 (see Figure 1)—a 12 percent increase over 2012. That reflects the continued worldwide growth of data, networks, applications and the new technology and innovations they support. It also reflects a growing number of targets for potential attacks.1

Figure 1. Security intelligence makes it possible to reduce the millions of security events detected annually in any one of our clients' systems to an average of 16,900 attacks, and under 110 incidents, in a single organization over the course of a year.

Security events, attacks and incidents for 2013 (average for a single monitored organization)

                      Annual        Monthly      Weekly
Security events       91,765,453    7,647,121    1,764,720
Security attacks      16,856        1,405        324
Security incidents    109           9            2

Two stages of security intelligence narrow the funnel: correlation and analytics tools reduce events to attacks, and IBM security analysts reduce attacks to incidents.


The damage can be severe

If consumers lose faith in a company's ability to keep their personal data safe, that company can ultimately lose customers. In some cases, they can lose intellectual property. And they most certainly stand to lose money. By one estimate, the average cost of a single breach is more than $3.5 million.2 Taking the cost factor one step further, it's also estimated that each lost data record costs companies an average of $145.3 In other words:

• A major retailer with millions of leaked credit cards could face more than $1 billion in direct costs, including fines.

• A university that leaked 40,000 records could suffer roughly $5.8 million in losses (40,000 records at $145 each).

Unfortunately, security investments—and approaches—of the past may fail to protect against the highly sophisticated attacks we’re seeing today. As a result, more severe security breaches are taking place more often—and gaining more negative attention in the media. In fact, public reaction to these breaches has led 61 percent of organizations to say that data theft and cybercrime are the greatest threats to their reputation.4

The sobering truth is, threats and attacker strategies are advancing at a pace that most enterprises are unable to match. What’s more, sophisticated attackers can continue to steal valuable data for months—or even years—before they’re even detected.

Know your enemy

When it comes to sophisticated attacks, there's little doubt that the attacker has the advantage. Because while you're busy trying to deploy your limited resources in defense of whatever attacks may come your way, attackers have the "luxury" of being able to zero in on a specific target or set of targets. They can choose to devote all their energy and resources to finding your vulnerabilities and exploiting them.

We all know that to protect your organization’s data, you need to have the right security strategy, technology, policies, and operations in place. But it’s become increasingly clear that access to the right information and intelligence may be the most important thing you need to help level the playing field against today’s attackers. With up-to-date intelligence about current and future threats, and a real understanding of how well your security strategy stands up to these threats, you’re in a better position to manage your defenses, reduce risk and make smarter investments.

Threat intelligence transforms the technical analysis required to identify the symptoms of an attack—such as malware and security events—into an understanding of who the attackers are and what their motives and capabilities may be. Armed with that information, you can gain the insight necessary to develop a proactive stance that makes it more difficult for attackers to succeed.


In other words, you can use information about the threats themselves to help manage risk. Taking advantage of threat intelligence to help prioritize your security controls can help you identify the latest attacks more quickly and increase the speed with which you’re able to respond to an incident.

Where should you start? If your organization is like most others today, you’ve probably got at least a basic security strategy in place—along with at least some defensive measures designed to keep outsiders out. But there are lots of ways to look at IT security and plenty of areas that can be of particular concern, making it virtually impossible to gather information on everything going in and out of your organization. So before you start thinking seriously about threat intelligence, you need to set your priorities. A good way to start is by answering the following questions:

• Which assets do you need to protect most? Customer data? Intellectual property? Financial and personal profiles of your organization’s leaders?

• Where in your organization would a security incident be likely to do the most damage?

• What kind of attack would hurt you the most?

It’s no coincidence that these are the very same questions an attacker might ask about you. That’s precisely why understanding attackers and their motivations is so critical to protecting your assets.

Next, you need to determine where you are now on the IT security continuum and where you want to end up. For example, just about every organization today maintains some type of process for handling security-related software updates. But you may not be doing much in the way of vulnerability assessment, possibly because you don't have the resources, in terms of time, budget or people, to identify your exposures or set priorities for eliminating them.

Or, if you’re already on board with assessing and prioritizing your vulnerabilities, you may also have a SIEM (security information and event management) system in place. You do? Then what are you doing with the monitoring data you’re collecting? Do you know which specific types of events should be cause for further investigation? You can improve your chances of detecting possible problems if you combine your SIEM findings with threat intelligence on the actors, tactics, tools and practices that are mostly likely to hurt your organization.

This is the type of intelligence that can allow you to spot the signs that an attack may be under way. And armed with that evidence, you can begin to take action well before an actual breach occurs.

Events, attacks and incidents defined

• Security event: An event on a system or network detected by a security device or application.

• Security attack: A security event that has been identified by correlation and analytics tools as malicious activity that is attempting to collect, disrupt, deny, degrade or destroy information system resources or the information itself.

• Security incident: An attack or security event that has been reviewed by security analysts and deemed worthy of deeper investigation.
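The funnel in Figure 1 and the three definitions above can be expressed as a small triage pipeline. The following Python is an added example written for this page, not IBM's tooling or code from the white paper: the events, the two correlation rules and the threat-intelligence indicators (203.0.113.45 and 198.51.100.7, taken from the reserved documentation ranges) are all constructed for illustration, and the scores and thresholds are assumptions. Events become attacks when a correlation rule fires, a match against threat intelligence raises the priority of the resulting alert as the text recommends, and attacks become incidents when the combined score for a target crosses an analyst threshold.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat-intelligence feed (illustrative, not a real list):
# indicator -> (technique it is tied to, priority it adds to a match).
THREAT_INTEL = {
    "203.0.113.45": ("credential-stuffing infrastructure", 2),
    "198.51.100.7": ("malware command-and-control", 4),
}


@dataclass(frozen=True)
class Event:
    ts: int        # minute offset within the analysis window
    src: str       # source address
    dst: str       # destination: an account for logins, a host for connections
    action: str    # "login" or "connect"
    outcome: str   # "fail" or "success"


# Constructed security events, normalised the way a SIEM would store them.
EVENTS = [
    Event(0, "203.0.113.45", "alice", "login", "fail"),
    Event(1, "203.0.113.45", "alice", "login", "fail"),
    Event(2, "203.0.113.45", "alice", "login", "fail"),
    Event(3, "203.0.113.45", "alice", "login", "fail"),
    Event(4, "203.0.113.45", "alice", "login", "fail"),
    Event(5, "203.0.113.45", "alice", "login", "success"),
    Event(7, "10.0.0.12", "198.51.100.7", "connect", "success"),
    Event(9, "192.0.2.9", "bob", "login", "fail"),
    Event(30, "192.0.2.9", "bob", "login", "success"),
    Event(31, "10.0.0.20", "10.0.0.5", "connect", "success"),
]


@dataclass(frozen=True)
class Attack:
    rule: str
    target: str    # the asset or account the attack is aimed at
    score: int
    detail: str


def correlate(events, intel, window=10, threshold=5):
    """Events -> attacks. Two correlation rules stand in for the analytics
    tier: a threat-intel indicator match, and a burst of failed logins
    followed by a success. A source known to intel raises the score."""
    attacks = []
    seen = set()  # one intel-match attack per (indicator, target) pair
    for e in events:
        for ip in (e.src, e.dst):
            if ip in intel:
                target = e.dst if ip == e.src else e.src
                if (ip, target) in seen:
                    continue
                seen.add((ip, target))
                technique, prio = intel[ip]
                attacks.append(Attack("intel-match", target, prio, f"{ip}: {technique}"))
    fails = defaultdict(list)  # (src, account) -> timestamps of failed logins
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action != "login":
            continue
        key = (e.src, e.dst)
        if e.outcome == "fail":
            fails[key].append(e.ts)
            continue
        recent = [t for t in fails[key] if e.ts - t <= window]
        if len(recent) >= threshold:
            score = 3 + (intel[e.src][1] if e.src in intel else 0)
            attacks.append(Attack("bruteforce-success", e.dst, score,
                                  f"{len(recent)} failures then success from {e.src}"))
    return attacks


def escalate(attacks, incident_score=4):
    """Attacks -> incidents. Attacks are grouped by target and their scores
    summed; a target at or above incident_score is handed to an analyst."""
    totals = defaultdict(int)
    for a in attacks:
        totals[a.target] += a.score
    return {t: s for t, s in totals.items() if s >= incident_score}


def funnel(events, intel):
    """Counts at each tier, the shape Figure 1 reports per year."""
    attacks = correlate(events, intel)
    incidents = escalate(attacks)
    return {"events": len(events), "attacks": len(attacks), "incidents": len(incidents)}


if __name__ == "__main__":
    for a in correlate(EVENTS, THREAT_INTEL):
        print(f"[{a.score}] {a.rule:20s} target={a.target:12s} {a.detail}")
    print(funnel(EVENTS, THREAT_INTEL))
```

Run as a script it lists the three attacks and prints the per-tier counts {'events': 10, 'attacks': 3, 'incidents': 2}. The reduction at each tier is a design decision rather than a property of the data: the window, the failure threshold and the incident score decide how much reaches an analyst, and the single stale failure against bob at minute 9 shows an event ageing out of the window instead of becoming an alert.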


Set priorities that make sense for your situation

It's likely that your cyber security priorities will mirror many of the threats currently facing your particular industry. Recent reports show that the same five industries have topped the list of those struck by the most incidents over the past two years,5 with the same two continuing to hold the top spots (see Figure 2). Those two accounted for nearly half of each year's security incidents among the data collected. The only difference is that they swapped places in 2013. It's likely that these two industries will continue to battle for the number one target spot in the years to come, since a breach in either one can result in both major business disruption and big paydays for successful cyber criminals.

Figure 2. The finance and manufacturing industries continue to offer attackers the most significant potential payoff.6

Incident rates across monitored industries (share of all incidents in the data collected)

Industry                         2012     2013
Manufacturing                    26.5%    21.7%
Finance and insurance            20.9%    23.8%
Information and communication    18.7%    18.6%
Health and social services        7.3%     5.8%
Retail and wholesale              6.6%     6.2%


Moving down the list, the two industries occupying fourth and fifth place have also swapped places—although together they accounted for 12 percent of the incidents in 2013, compared to 14 percent in 2012. Both the retail and health services industries deal directly with consumers, meaning they both have high visibility and access to a huge number of potential victims.

To see what it means to set priorities for threat intelligence, here’s a look at how companies in those top five industries might go about setting theirs.

In the finance and insurance industry—where business is all about handling sensitive customer and financial data—governance and compliance issues play a dominant role in determining security priorities. But threat intelligence priorities need to go beyond a “checking the boxes” mentality, which tends to focus on avoiding intrusions by patching software and servers, enforcing identity and access management policies and other similar programs. A sensible approach to developing threat intelligence priorities for the finance and insurance industry might include:

• Access to current insight into known threats and attack techniques that target financial businesses

• Monitoring access to tangible asset data for evidence of anomalies that might indicate fraud or criminal activity, and increasing the priority of alerts correlated to known threat techniques

• Regular and proactive assessments of security risks—including analysis of high-value resources for vulnerability to known and emerging attack techniques—and identification of highest priority issues, to help focus risk mitigation efforts

In the manufacturing industry, intellectual property remains the prized catch for attackers. Product designs, manufacturing details and business plans for developing and marketing everything from next-generation consumer devices to government-funded aerospace programs are the big targets here. And breaches could result in serious consequences for both the companies involved and public safety. The threat of industrial espionage also makes it important for manufacturers to understand the role that insiders might play as potential attackers, which means their priorities could include:

• Tracking types and sources of email that’s been blocked or alerted by email security solutions for correlation with known attackers or threat techniques, such as advanced spearphishing attempts

• Reviewing security assessments of issues discovered in product development and fabrication systems to determine which gaps may be exploitable by known and emerging high-priority threats

• Penetration testing access to internal file sharing systems, looking for lapses in control that are known to be targeted by threat actors, or for unusual access patterns that could indicate internal threats

In the information and communication industry, which includes social media, it's become increasingly difficult to rein in the exchange of sensitive information across systems, often making the systems themselves the conduit for attacks. While attackers regularly hide in plain sight, they can also hack their way into internal media networks and gain access to critical financial market data, where they could wreak havoc, undetected, in a matter of minutes. Threat intelligence priorities for information and communication organizations might include:

• Correlating detected activity in mission-critical networks with known adversaries or attack techniques that pose a threat to communications systems, their users, or the business-critical processes that depend on them

• Watching for anomalies in social media usage such as unusual access to legitimate accounts or activity inconsistent with normal account use, which might indicate account takeover or other exploitations of social media

• Content monitoring to detect the compromise of legitimate web properties to propagate “drive by” malware downloads, or to discover integrated third party services—such as advertising content—which could be used or hijacked to deliver threat payloads
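The third bullet, content monitoring for a compromised web property or a hijacked third-party tag, is the one a script can check mechanically. The following Python is an added example, not code from IBM or from the white paper: it records a baseline of the script origins and inline-script digests on a page you have verified by hand, then flags anything a later fetch adds. The two pages, the allowlisted ad origin ads.example.net and the unapproved origin cdn.example.org are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SAME_ORIGIN = "(same-origin)"


class ScriptCollector(HTMLParser):
    """Pulls every <script> out of a page: the src of external scripts and
    a SHA-256 digest of each inline script body."""

    def __init__(self):
        super().__init__()
        self.external = []       # src attribute of each external script
        self.inline = []         # sha256 hex digest of each inline script
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline.append(hashlib.sha256(body).hexdigest())


def collect(html):
    c = ScriptCollector()
    c.feed(html)
    c.close()
    return c


def origin(src):
    """Host part of a script URL. Relative paths count as first-party;
    data: and javascript: URLs carry the script body in the URL itself
    and are reported under their scheme so they never look first-party."""
    p = urlparse(src)
    if p.scheme in ("data", "javascript"):
        return p.scheme + ":"
    return p.netloc.lower() or SAME_ORIGIN


def baseline_inline_hashes(known_good_html):
    """Digests of the inline scripts on a page you have verified by hand."""
    return set(collect(known_good_html).inline)


def audit_page(html, allowed_origins, known_inline_hashes):
    """Compare a freshly fetched page against the baseline. Returns a list
    of (finding, evidence) pairs: an external script served from an origin
    outside the allowlist (a hijacked ad or CDN tag), or an inline script
    whose digest is not in the baseline (an injected drive-by loader)."""
    page = collect(html)
    findings = []
    for src in page.external:
        o = origin(src)
        if o != SAME_ORIGIN and o not in allowed_origins:
            findings.append(("unexpected-external-script", src))
    for digest in page.inline:
        if digest not in known_inline_hashes:
            findings.append(("unknown-inline-script", digest))
    return findings


# Constructed pages: ads.example.net stands in for an approved third-party
# ad service, cdn.example.org for an origin nobody approved.
GOOD_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://ads.example.net/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><p>Welcome</p></body></html>"""

INJECTED = (
    '<script src="//cdn.example.org/tag.js"></script>\n'
    "<script>var f=document.createElement('iframe');"
    "f.src='https://cdn.example.org/x';document.body.appendChild(f);</script>\n"
)
BAD_PAGE = GOOD_PAGE.replace("</head>", INJECTED + "</head>")

ALLOWED_ORIGINS = {"ads.example.net"}

if __name__ == "__main__":
    base = baseline_inline_hashes(GOOD_PAGE)
    print("clean page:", audit_page(GOOD_PAGE, ALLOWED_ORIGINS, base))
    for finding, evidence in audit_page(BAD_PAGE, ALLOWED_ORIGINS, base):
        print(f"{finding}: {evidence}")
```

Baselining works on pages whose inline scripts are static; a page that embeds per-request nonces or tokens in an inline script needs those normalised out before hashing, or the check alerts on every fetch. The audit is a detection control and does not stop the injected script from running in visitors' browsers; Subresource Integrity on external tags and a Content Security Policy are the preventive controls that belong on the page itself.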

In the retail industry, major security breaches dominated the news in late 2013, revealing the theft of over 110 million credit card records and shining a light on the vulnerability of credit card data. What’s more, those incidents resulted in serious financial and public trust issues for several major retailers. Because credit cards have become a hot commodity on the black market—and their value will likely keep them there for a long time—retailers have an urgent need to know as much as possible about the identity and motives of their attackers. Therefore, a retailer’s priorities could likely include:

• Regularly assessing payment processing systems for evidence of vulnerabilities known to be targeted by threat actors and emerging attack techniques, and hardening those systems against the ongoing evolution of attacks revealed by threat actor intelligence

• Performing regular gap analysis on payment card industry (PCI) compliance activities to determine whether there are patterns that correspond to known threat activity and merit further exploration

• Employing ongoing threat analysis services to help identify potential threats before an attack can take place

In the health and social services industry, complex compliance issues, many of which deal with patient and client privacy, are major security concerns. Security breaches could also disrupt the proper functioning of medical technology. Moving on from there, it’s easy to see how a breach could compromise an entire healthcare facility and potentially threaten critical care technology—which could lead to loss of lives. These are some of the reasons why threat intelligence priorities in this industry might include:

• Active vulnerability scanning and assessment, informed by the latest insight into threat activity, for systems handling confidential patient and client data

• Regular penetration testing for systems running life-support and medication delivery technologies for assessment of known or emerging threats to health and safety

• Investigating SIEM attack data relating to private patient and client records for identification of activity correlated to recognized health, safety or patient/client privacy threats


Penetration testing with a passion

When it comes to setting priorities for threat intelligence, in virtually any industry, you're likely to find that penetration testing plays an important role. Penetration testing certainly isn't a new idea. But you might want to consider some new ways to approach it. As we've seen over the past few years, attackers are continually becoming more sophisticated, developing new techniques and finding new ways to exploit their targets. That means you need to become more creative in developing your penetration testing plans.

First, you and your testing personnel should determine the scope of a realistic test. While most organizations are reluctant to allow a penetration test to disrupt operational systems, attackers rarely share that concern. But system disruption may not be the goal of an attacker who prizes stealth in order to remain hidden, and effective, for as long as possible. A truly effective test doesn't need to threaten the availability or integrity of business-critical resources. It should, however, reflect an understanding of what an attacker would regard as the most valuable prizes in your organization. Focus on these assets and you're likely to achieve truly actionable results. Whatever the scope, set the rules of engagement in writing: who has authorized the test, which systems and people are in bounds, and what the testers may do with any access or credentials they obtain, so that a simulated attack is never mistaken for a real one.

With that in mind, you probably need to update your image of the "typical" attacker. Today's attackers are smart, detail-oriented and highly committed to achieving their goals. They've broadened their repertoires, going beyond perimeter attacks to include spear phishing, social engineering and even on-site visits, all in the quest for access to an organization's data. These people are passionate about what they're doing, which means you need to be equally passionate about finding ways to stop them. Make sure that your penetration testers are driven by the same desire to "break things" as today's hackers, who revel in the challenge of getting past your security measures.

Second, ask your testers to try getting past your own users. Encourage them to send out fake emails and see how many takers they get, or how many users spot the potential scam. Give them your company phone directory and let them pose as members of your IT team, calling employees and asking for their passwords. Or tell them to try gaining access to secure areas by posing as employees or repair crews. The idea is not to embarrass people or point fingers, but to get an honest view of where you may have weak spots.

And finally, remember that if at first they don't succeed at getting what they want, many attackers will simply try again by taking a different approach. So make sure that your testers do the same thing and work all the angles: not just email, or only an on-premises visit, but both, as in a coordinated attack. You may be surprised by what you learn about your vulnerabilities. Still, that's a lot better than being surprised by a breach.


Conduct your own incident investigation

You can learn a lot about your vulnerabilities by carrying out your own incident investigation. In fact, you don't even need to have a "real" incident to gain valuable insight into the types of vulnerabilities you may be facing. Take advantage of penetration testing to discover software or configuration defects that wouldn't necessarily show up in a vulnerability assessment that's looking only for known issues. Penetration testing also lets you gain insight into how a human element might exploit aspects of your security measures. As a result, you can identify gaps in your ability to protect critical assets and see exactly what kind of intrusions your systems can withstand.

The journey from compliance to threat management

A large international insurance company with over 50,000 employees and more than 900 locations has made considerable progress along its IT security journey over the years. After starting out with basic security audits and compliance activities, and later incorporating a threat- and risk-focused approach, the company is now integrating security into its business strategy. But it's taken some serious thought and effort to make that happen.

A few years ago the company became concerned about a growing problem. They recognized that both internal and external actors could leverage any number of sophisticated attacks against its people, processes and technology. And if successful, those attacks could result in records theft, business disruption, customer dissatisfaction, lost revenue, fraud and a devaluation of the company's brand. It turned out that the company's continued use of its earlier security model, which had been designed for compliance, not threat detection, was at the root of the problem. The security system was reporting over 51 million events per hour, which required a manual, resource-intensive process to resolve. Not surprisingly, that led to delays in log collection, reporting and analysis. It ended up taking five full days from the time an attack was first detected until the security analysis could be completed. Needless to say, a lot of damage could occur in five days if any of those events were found to be serious threats.

That was when the company asked IBM to help improve the situation. Together they worked to create a new security model focused on threat detection instead of compliance. By developing a new use case-driven tool, they were able to reduce the "noise" generated by so many events. They also shortened the time it took from the moment an attack was detected until action could be taken. Now, instead of taking five days, the entire process is completed in a single day. In addition, they instituted a closed-loop process for incident follow-through and closure. And they began to produce trend information and metrics on relevant threats.

The company has found that shifting their focus from audits and compliance to threats and risk required putting the right structures in place to support their new approach and then putting their security and IT teams in a position to support those structures. Finally, they discovered that visibility is key to successful threat management and risk mitigation, which is what's now allowing them to measure their performance against business priorities.


Develop a strategy for targeting today's threats

With a security team that's primed to hunt for attacks and breaches by collecting security-relevant data from multiple sources, and that's got insight into the practices and tactics of your known adversaries, you can access the information you need to recognize evidence of threats before they surface. And by deploying security intelligence technologies that let you correlate those insights with malicious activity in real time, you can take action to thwart serious threats before they impact your business. You can also take advantage of new and more sophisticated sources of external threat intelligence and expertise, along with a set of newly emerging analytics capabilities and tools, to augment your own knowhow.

Why act now?

The truth is, your business may be just a keystroke or credit card swipe away from being in the headlines. And that's just the first reason. Here are a few more:

• Criminals will not relent: Once you’re a target, criminals will spend as much time trying to break into your enterprise as you spend on your core business. If you don’t have visibility into attacks as they happen, the criminals will succeed.

• Every business is affected: In the past, banks were among the primary targets of cyber criminals. Today, diverse actors move with lightning speed to steal tangible assets, intellectual property, customer information and confidential data across all sectors.

• Your perimeter may already have been breached: Recent attacks demonstrate that victims were compromised for months before they discovered it. Assuming that you have already been breached is today’s prudent security posture.


Why IBM Security?

Traditional security defenses are no match for today's unrelenting, well-funded attackers. And disruptive technologies are continuing to introduce new vulnerabilities to exploit. To stop attackers, regardless of how advanced or persistent they are, organizations must accelerate their ability to limit new risk and take advantage of intelligence to gain insight into attackers' approaches and motives.

IBM’s advanced cyber threat intelligence services provide that insight. Monitoring our worldwide security operations centers allows us to collect information on billions of security events that occur daily. But that’s just the beginning. We then combine that information with our technology partners’ threat analyses to deliver the kind of meaningful data that can help you improve your security strategy.

IBM security experts have the industry knowledge to understand which threats are most applicable to you. And they coordinate with IBM managed and professional security services to provide you with the guidance you need to build a stronger security posture.

For more information

To learn more about how IBM can help you protect your organization from cyber threats and strengthen your IT security, contact your IBM representative or IBM Business Partner, or visit this website: ibm.com/services/security

© Copyright IBM Corporation 2014

IBM Corporation IBM Global Technology Services Route 100 Somers, NY 10589

Produced in the United States of America June 2014

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

1 IBM Security Services 2014 Cyber Security Intelligence Index, April 2014.

2,3 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2014.

4 2012 Global Reputational Risk & IT Study, IBM.

5 IBM Security Services 2014 Cyber Security Intelligence Index, April 2014.

6 IBM Security Services 2013 Cyber Security Intelligence Index, June 2013; IBM Security Services 2014 Cyber Security Intelligence Index, April 2014.

SEW03042-USEN-00