XDR: Unifying incident detection, response and remediation

According to IBM’s Cost of a Data Breach Report 2020, the average time it took a company to identify and contain a breach was 279 days in 2019, up from 266 days in 2018, and the five-year average stands at 280 days. In other words, things haven’t gotten much better. Time is clearly not on CISOs’ side, and they need to act fast.

What’s holding organizations back when it comes to detecting and remediating data breaches?

Let’s consider the top challenges facing security operations centers (SOCs). First, there are too many alerts, which makes it difficult to prioritize those that deserve immediate attention and investigation.

Also, there’s no unified view of the security information generated by the layers of tools deployed by most large enterprises. Finally, these problems are compounded by the fact that organizations are using hybrid on-premises and cloud architectures, as well as purely cloud environments.

Another major obstacle facing SOCs is that threat hunting and investigations are still manually intensive activities. They are complicated by the fact that the data sources SOCs use are decentralized and must be accessed from different consoles.

SOCs also lack visibility into a very significant component of threat hunting: identity. It has taken an even more prominent role now that so many people are working remotely due to COVID-19.

The analysis, control and response planes in current security architectures are not integrated. In other words, analytics are separated from the administration and investigation stack, which is also separated from the tools used to intercept adversaries and shut down an attack.

Enter XDR

A new architecture has emerged called XDR, which stands for “extended detection and response.” Research firm Gartner listed XDR as one of its top 9 security and risk trends for 2020. XDR flips the current security model on its head by replacing the traditional top-down approach with a bottom-up approach to deliver more precise and higher fidelity results.

The primary driver behind XDR is its fusing of analytics with detection and response. The premise is that these functions are not and should not be separate. By bringing them together, XDR promises to deliver many benefits.

The first is a precise response to threats. Instead of sitting in a separate silo, with XDR logs can be used immediately to drive response actions with higher fidelity and deeper knowledge of the details surrounding an incident. The traditional SIEM approach, by contrast, monitors network log data for threats and responds on the network.

Unless a threat is simple, like commodity malware that can be easily cleaned up, remediation is typically delayed until a manual investigation is performed. XDR, on the other hand, provides SOCs both the visibility and ability to not just respond but also remediate. SOC operators can take precise rather than broad actions, and not just across the network, but also the endpoint and other areas.

Because XDR seeks to fuse the analysis, control and response planes, it provides a unified view of threats. Instead of forcing SOCs to use multiple interfaces to threat hunt and investigate, event data and analytics are brought together in XDR to provide the full context needed to precisely respond to an incident.

Unlike the SIEM model, which centralizes logs for SOCs to figure out what’s important, XDR begins with a view of what’s important and then uses logs to inform response and remediation actions. This is fundamental to how XDR inverts traditional SIEM and SOC workflows.

Another important benefit of XDR is that it provides SOCs the ability to investigate and respond to incidents from the same security technology platform. For example, an alert or analytics indicator might be generated from the endpoint which initiates an investigative workflow that is then augmented with network logs or other system logs that are part of the XDR platform for greater context.

Instead of moving between different consoles, all the data sources are in one place. XDR enables SOC operators to resolve and close out a workflow on the same technology platform where it was initiated.

Currently, most organizations have tools that can initiate a workflow and others that can augment a workflow, but very few that can actually resolve a workflow. The goal of XDR is to provide a single environment where incidents can be initiated, investigated and remediated.

Finally, by fusing analytics, the network and the endpoint, SOCs can respond to incidents across a variety of control planes, and customize actions based on the event, the system criticality, the adversary activity, etc.

What XDR makes possible

With XDR, SOCs can force a re-authentication or a logoff through integration with IAM tools. They can contain a host because the platform is directly connected to the endpoint. Using network analysis and visibility, XDR can provide deeper insight and context into threats, including whether an adversary is moving laterally, has exfiltrated data, and more.

Ultimately, XDR makes it possible for SOCs to respond to incidents in ways that were not possible in the past, such as taking more surgical network-based remediation actions.
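The workflow described above (endpoint alert opens the investigation, network data adds context, the enriched picture drives a precise, multi-plane response), as an added example that is not code from the article or from any XDR product. Every host name, user, flow record, asset-criticality label and threshold below is constructed for illustration; the action strings stand in for whatever integration a real platform would call.

```python
"""Added example, not code from the article or from any XDR product.

A toy correlation step in the style the text describes: an endpoint alert
opens an investigation, network flow records add context (lateral movement,
exfiltration), and the enriched picture, together with asset criticality,
selects surgical response actions across the endpoint, identity and network
planes. Every host name, user, flow record and threshold here is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

INTERNAL_PREFIXES = ("ws-", "fs-", "dc-")     # assumed host naming convention
LATERAL_PORTS = {445, 3389, 5985, 5986}       # SMB, RDP, WinRM
MIN_LATERAL_TARGETS = 2                       # assumed: one server touch is normal
EXFIL_BYTES_THRESHOLD = 100_000_000           # assumed: 100 MB to one external host

# Constructed endpoint alert (what an EDR would hand to the platform).
ENDPOINT_ALERT = {"host": "ws-finance-07", "user": "jdoe",
                  "process": "powershell.exe", "detection": "encoded-command"}

# Constructed flow records: source host, destination host/IP, dst port, bytes out.
NETWORK_FLOWS = [
    {"src": "ws-finance-07", "dst": "fs-01",         "dport": 445,  "bytes_out": 12_000},
    {"src": "ws-finance-07", "dst": "ws-finance-08", "dport": 445,  "bytes_out": 8_000},
    {"src": "ws-finance-07", "dst": "ws-finance-09", "dport": 3389, "bytes_out": 5_000},
    {"src": "ws-finance-07", "dst": "203.0.113.10",  "dport": 443,  "bytes_out": 850_000_000},
    {"src": "ws-hr-02",      "dst": "fs-01",         "dport": 445,  "bytes_out": 2_000},
]

# Constructed asset inventory; criticality feeds the response decision.
ASSET_CRITICALITY = {"ws-finance-07": "high", "fs-01": "critical", "ws-hr-02": "low"}


@dataclass
class Incident:
    host: str
    user: str
    detection: str
    lateral_targets: List[str] = field(default_factory=list)
    exfil_bytes: int = 0
    severity: str = "medium"
    actions: List[str] = field(default_factory=list)


def is_internal(name: str) -> bool:
    return name.startswith(INTERNAL_PREFIXES)


def enrich(alert: dict, flows: List[dict]) -> Incident:
    """Augment the endpoint alert with network context held on the same platform."""
    inc = Incident(alert["host"], alert["user"], alert["detection"])
    for f in flows:
        if f["src"] != inc.host:
            continue
        if is_internal(f["dst"]) and f["dport"] in LATERAL_PORTS:
            if f["dst"] not in inc.lateral_targets:
                inc.lateral_targets.append(f["dst"])
        elif not is_internal(f["dst"]):
            inc.exfil_bytes += f["bytes_out"]
    return inc


def decide_actions(inc: Incident, criticality: Dict[str, str]) -> Incident:
    """Choose surgical actions from the enriched context instead of a blanket block."""
    lateral = len(inc.lateral_targets) >= MIN_LATERAL_TARGETS
    exfil = inc.exfil_bytes >= EXFIL_BYTES_THRESHOLD
    touched_critical = any(criticality.get(t) == "critical" for t in inc.lateral_targets)

    if exfil or (lateral and touched_critical):
        inc.severity = "critical"
    elif lateral:
        inc.severity = "high"

    if lateral or exfil:
        # Endpoint plane: the platform is connected to the host, so contain it.
        inc.actions.append(f"endpoint:isolate {inc.host}")
    if lateral:
        # Identity plane: the account is the pivot, so force re-authentication.
        inc.actions.append(f"iam:revoke-sessions {inc.user}")
        # Network plane: block only the observed host-to-target paths, not the segment.
        inc.actions += [f"network:block {inc.host}->{t}" for t in inc.lateral_targets]
    if exfil:
        inc.actions.append(f"network:block-egress {inc.host}")
    if not inc.actions:
        inc.actions.append("soc:queue-for-review")   # low-context alert: no automated action
    return inc


def triage(alert: dict, flows: List[dict], criticality: Dict[str, str]) -> Incident:
    return decide_actions(enrich(alert, flows), criticality)


if __name__ == "__main__":
    inc = triage(ENDPOINT_ALERT, NETWORK_FLOWS, ASSET_CRITICALITY)
    print(inc.severity, inc.lateral_targets, inc.exfil_bytes)
    for action in inc.actions:
        print("  ", action)
```

The point of the example is the contrast the text draws: the same endpoint alert on a host that touched one file server is queued for a human, while the host that fanned out to three internal machines over SMB/RDP and pushed hundreds of megabytes to an external address is isolated, has its user's sessions revoked and has only its observed paths blocked. The thresholds are assumptions; in practice they would come from baselines, not constants.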

Making XDR a reality requires implementing a horizontal plane that connects all existing security silos to unify analysis, control, and response – which won’t happen overnight. The benefits of XDR, however, are well worth the effort.

Paying a ransom to prevent leaking of stolen data is a risky gamble

Ransomware groups have realized that their tactics are also very effective for targeting larger enterprises, and this resulted in a 31% increase of the average ransom payment in Q3 2020 (reaching $233,817), ransomware IR provider Coveware shared in a recently released report.

They also warned that cases where the attackers exfiltrated data and asked for an additional ransom to delete it have doubled in the same period, but that paying up is a definite gamble.

“Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data,” they noted.

The data cannot be credibly deleted; it is not secured and is often shared with other parties, they said. Various ransomware groups have posted the stolen data online despite having been paid not to release it, or have demanded another payment at a later date.

“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future,” the company said.

“The track records are too short and evidence that defaults are selectively occurring is already collecting. Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.”

Other findings

Coveware’s analysts also found that improperly secured Remote Desktop Protocol (RDP) connections and compromised RDP credentials are the most prevalent way in for ransomware gangs, followed by email phishing and software vulnerabilities.

What’s interesting is that the “popularity” of RDP as an attack vector declines as the size of the target company increases, because larger companies are typically wise enough to secure it. The attackers must then switch to pricier means: RDP credentials can be purchased for less than $50, but email phishing campaigns and vulnerability exploits require more effort and time/money – even if they are performed by another attacker who then sells the access to the gang.

“The foothold created by the phishing email or CVE exploit is used to escalate privileges until the attacker can command a domain controller with senior administrative privileges. Once that occurs, the company is fully compromised and data exfiltration + ransomware are likely to transpire within hours or days,” they explained.

Companies/organizations in every industry can be a target, but attackers seem to prefer those in the professional services industry, healthcare and the public sector:

IT incident management challenges during the post-pandemic rush to digital

BigPanda revealed the results of an IDG Research survey conducted in the early days of the pandemic. The study explores challenges IT Ops, NOC, DevOps and SRE teams face as their organizations race to capture the digital-led market.

The results of the survey show that, in addition to managing complex and ever-changing IT environments with many different tools, teams are now plagued with an increasing volume of IT incidents and outages, which results in customer churn and costly service disruptions.

“An influx of data from multiple tools, coupled with low levels of automation, can have a paralyzing effect on IT incident management processes,” said Jen Garofalo, IDG’s Research Director.

“More than 40% of respondents indicate IT incident remediation is handled with a mix of manual and automated processes, while another 20% report these processes are mostly manual.”

Complex environments lead to longer incident management cycles

22% of respondents have 20 or more distinct IT teams supporting the different IT and business services at their organizations. On average, enterprises use 20 different monitoring and observability tools to detect potential issues with infrastructure, applications and services.

The average respondent reports that infrastructure is hosted in more than one location including on-premises infrastructure (60%), public cloud (57%), private cloud (47%) and commercial data centers (24%).

47% of IT Ops professionals said coordinating IT incident or outage detection, analysis, and response across siloed IT teams is the biggest challenge they face. Reasons why include:

  • More than 14,000 alerts are generated from IT monitoring tools on average, and 65% of respondents report that alerts have increased in frequency over the past 12 months.
  • 44% of alerts are caused by infrastructure or software changes made by someone in the organization who doesn’t have visibility across all systems to understand the impact of their change.
  • Respondents report an average of 12 hours to determine the root cause of a P1 (major) incident.
  • Further, the survey uncovered the largest business impacts of IT incident management challenges, including increased operating costs (43%), delays in time to market (42%) and decreased IT Ops productivity (41%).

While all of this is happening, more applications are being built and put into production — 74% of respondents expect Development/DevOps workloads to increase over the next 12 months, with 30% expecting a significant increase.

“For a variety of reasons, the COVID-19 pandemic is accelerating the pace at which enterprises are digitally transforming. This, in turn, increases the challenge facing IT Operations teams to keep their companies running smoothly,” said Assaf Resnick, CEO for BigPanda.

“The IDG report clearly shows that corporate executives are not just driving business teams to increase their digital footprint – they are doubling-down on IT’s parallel effort to adopt AI and automation in order to support those new revenue-generating initiatives.”

Budgets for IT operations expected to increase

79% of respondents expect budgets for IT operations to increase over the next 12 months (34% significantly, 45% somewhat). This will be reflected in multiple areas including automating IT incident management, increasing communication/knowledge sharing and improving IT monitoring and event correlation, all of which were cited by more than 50% of respondents.

Meanwhile, most respondents have heard the term AIOps, and 44% are considering or already have a solution with AIOps in place. Those who are considering or already have a solution with AIOps in place are most likely to leverage it to automate IT incident response.

Overall, respondents are most interested in the potential to leverage AIOps to accelerate IT incident and outage resolution.

In the end, the survey confirmed that modern and constantly evolving IT environments require a best-of-breed IT operations toolkit.

Incident management tools and processes insufficient to enable innovation

Enterprise digital transformation budgets continue to increase despite a recession, developers find it challenging to innovate, and standard incident management tools and processes hinder digital service resilience, xMatters research reveals.

Digital service resilience is the ability to recover quickly, adapt and learn from incidents such as outages and interruptions to prevent future technology and customer-impacting issues.

The report also analyzed the varying degrees of incident management readiness or preparedness within an organization to identify its position in the Incident Management Spectrum.

The research found that, across the Incident Management Spectrum, only the most advanced organizations have identified the keys to success across business and incident management functions.

“Through a series of research reports over the past year, we studied the growing challenges faced by those tasked with the delivery and maintenance of digital services. Customer-impacting issues continue to be a roadblock to innovation as today’s digital, fast moving environment requires technology teams to spend more time supporting operations,” said Troy McAlpin, CEO at xMatters.

“However, there is an opportunity for technology professionals to evolve incident management approaches through incident response automation, collaboration and constant learning in order to achieve customer delight and further innovation.”

Pandemic forces digital transformation

Spending on digital transformation has increased continually since the November 2019 research. Twenty percent of companies with 1,001-5,000 employees are budgeting more than $10 million on digital transformation initiatives, compared with 9.3% in November 2019.

This focus on digital transformation was accelerated by the COVID-19 pandemic. Findings from the April 2020 Impact of COVID-19 on Digital Transformation survey showed more than half of consumers experienced a rise in application performance issues, forcing many companies to accelerate digital transformation in order to deliver accessible digital experiences for customers and employees.

Customer-impacting issues are a roadblock to innovation

The research found that the proportion of technology professionals affected by customer-impacting issues when building out services has increased by almost ten percentage points to 84.3%, compared to results from the November 2019 Incident Management in the Age of Customer-Centricity research. Overall, there is a marked need for improvement in customer experiences and an organizational commitment to innovation across industries.

72.3% of respondents—across a variety of titles including development, SRE, IT operations and management—reported that at least half of their team’s time is spent resolving incidents compared to time spent on innovation. Of these respondents, 27.3% said at least 80% of their team’s time is spent resolving incidents.

Opportunity for advancement in the Incident Management Spectrum

To assess the efficacy of incident management in organizations, the State of Automation in Incident Management analyzed components of a comprehensive incident management practice (i.e., team structure, tools) and how organizations detect, resolve and learn about incidents.

Responses to survey questions were further analyzed and scored to determine an organization’s position in the Incident Management Spectrum based on approaches to incident management.

The four categories within the Incident Management Spectrum include: ad hoc where there is no formal incident management practice; traditional incident management, an approach driven by service desk tickets and ITIL processes; modern incident management where individual teams detect and resolve service-based issues; and adaptive incident management where a scalable and service-centric model harnesses as much automation as possible.

The results of the research found that almost all respondents employ either a traditional (40.1%) or modern (58.6%) approach to incident management.

“Traditional teams spend much of their time on firefighting and completing non-value-added tasks compared to innovation, while modern teams, who have allocated more budget toward digital transformation, spend equal amounts of time resolving incidents and building out features,” continued McAlpin.

Automation, collaboration and learning are key to superior customer experiences

While most technology professionals reported the implementation of team-oriented incident management processes, there is room for advancement in multiple aspects of day-to-day processes.

43.4% of technology professionals deploy less sophisticated processes such as alerting; emailing and paging; conference bridges; or manual setup and outreach to engage team members, stakeholders and customers during an incident.

Most organizations who employ a traditional approach to incident management use service desks and process-heavy approaches, whereas modern organizations leverage incident management tools for incident response and management.

Moreover, as companies look to reliable digital services as an indicator of customer success, there is an opportunity to automate the postmortem process.

When asked about top benefits of using artificial intelligence or machine learning for incident management, respondents identified informing post-incident reporting with data from previous, related incidents (36%) and aggregation of data to detect anomalies early (28.9%).

Organizations facing surge in phishing attacks since the start of the pandemic

The frequency of phishing threats has risen considerably since the pandemic started, with companies experiencing an average of 1,185 attacks every month, according to a survey from GreatHorn.

Phishing attacks and the pandemic

Additionally, 38% reported that a coworker fell victim to an attack within the last year. As a result, 15% of organizations are now left spending anywhere from one to four days remediating malicious attacks during what is already a precarious and strenuous time for many.

The report surveyed 317 professionals, ranging from executives to IT security practitioners across the cybersecurity industry, about their personal experiences throughout the pandemic.

The report broke down the realities of how companies have actually fared in the face of phishing attacks throughout the crisis, how time and money budgeted towards cybersecurity efforts has fluctuated during this time and asked participants to assess their levels of awareness and proficiency in identifying and avoiding phishing emails.

Results showed a sharp uptick in the frequency of attempted phishing attacks, a major increase in time allocated towards attack mitigation, removal and additional incident response and highlighted the risks plaguing organizations that don’t prioritize employee cybersecurity awareness.

Proliferating threats result in increased costs

Cybersecurity threats are on the rise – 53% of those surveyed said that they had witnessed an increase in phishing activity since the start of the COVID-19 pandemic. The survey revealed that, on average, organizations are remediating 1,185 phishing attacks every month.

Even employees who are confident in their phishing identification skills are more likely to slip up when faced with a massive amount of malicious emails, and the impact of a successful attack is felt both monetarily and through time consumed by threat remediation.

With 15% of organizations spending 1-4 days remediating attacks, the amount of total time lost due to this increase in attacks is hurting the bottom line.

The stakes are rising, and victim-blaming is all too common

The survey also found that a promising 64% of employees feel confident in their ability to identify and avoid a phishing email in real time. However, the consequences of an unfortunate misstep are felt on a personal level.

38% of respondents confirmed that a member of their organization had fallen victim to a phishing attack within the last year, and 39% feel that such an error reflects poorly on the victimized employee. This kind of outlook can foster anxiety and risk hurting employees’ confidence in their own abilities.

It also strongly reinforces the need for ongoing awareness training and providing employees with the tools and information they need to empower better in-the-moment decisions as they engage with their email.

Employees receive some awareness training, but not nearly enough

Furthermore, while 76% of organizations conduct cybersecurity awareness training, only 30% train employees quarterly – and 27% conduct training only once a year. This is likely to be inadequate, especially when employees both young and old are similarly vulnerable – 62% of respondents believe that employees of all ages and generations are of equal likelihood of falling victim to a phishing attack. Today’s threats are evolving so rapidly that growing up with technology is no longer considered an advantage for younger workers.

Cybercriminals are also less concerned with where employees stand on the organizational depth-chart. When asked to select who would most likely be targeted in phishing attacks, 56% said it’d be a mid-level manager, followed closely by entry-level staffer at 51% and the CEO or head of the company at 49% – dispelling the myth that only the C-suite is highly-targeted.

“This survey uncovered just how many phishing emails organizations are being targeted by,” said GreatHorn CEO Kevin O’Brien.

“With such a substantial portion of these attacks yielding success, the time lost on remediation can have a detrimental impact on productivity and profitability. Right now, it’s more important than ever that companies provide their employees with the knowledge and tools necessary to recognize and fend off phishing attacks.”

62% of blue teams have difficulty stopping red teams during adversary simulation exercises

New Exabeam research shows that 62 percent of blue teams have difficulty stopping red teams during adversary simulation exercises.

Respondents named threat detection, incident response and flexibility/openness to change while working remotely as the top three areas that blue teams must improve upon. This indicates an increase in technical and adaptability challenges since the same study was performed in 2019, where the focus fell heavily on teamwork and communication.

While 37 percent of blue teams always or often catch these ‘bad actors,’ 55 percent say they only succeed sometimes, and 7 percent rarely or never achieve this feat. On a positive note, these numbers indicate a trend in the right direction compared to last year’s study, which showed one-third rarely or never catching red teams.

Companies increasing security investment

The fact that less than half of blue teams are stopping bad actors a majority of the time demonstrates the priority organizations must place on constantly evaluating and adjusting their security investments to keep up with today’s digital adversaries.

The study indicates that many companies are consciously taking these steps, with 50 percent increasing security investment and 30 percent adding to their security infrastructure as a result of these exercises. Seventeen percent have done both, and just 2 percent have not adjusted their security tools or budget in response.

Interestingly, the frequency and approach to red team/blue team tests vary widely. On average, organizations conduct red team exercises every five months – breaking down to 26 percent once a month, another quarter every 2-6 months, 32 percent every 7-11 months and 8 percent once a year.

Just 7 percent don’t utilize red teams at all. Blue team exercise frequency understandably reflected similar percentages and averaged out to every six months.

Many companies use the ‘purple team’ approach, in which the red and blue teams come from their own staff and work together to determine security preparedness. One-third run these simulations every 2-6 months, while 50 percent perform them every 7-11 months, and 12 percent report yearly tests. Again, only 7 percent do not have purple teams in place.

Internal and external red teams equally effective

Also new to 2020’s report, 92 percent of respondents tap external red teams without prior knowledge of their internal security systems to help their teams prepare for real-life cyberattacks. However, 54 percent found internal and external red teams equally effective, with a slightly higher percentage (24 percent) citing internal red teams as more effective than external (19 percent).

“An additional study recently reported that more than 80 percent of businesses have experienced a successful cyberattack since the start of the pandemic. Paired with the fact that just over a third of respondents are frequently stopping simulated attacks, these trends illuminate the security fallout caused by the remote work shift, tighter budgets and increasingly sophisticated attack techniques,” said Steve Moore, chief security strategist, Exabeam.

“These red team/blue team exercises can be valuable proof points when presenting budgetary and technological needs to the C-suite and board to help keep up with these changes. While there is always room for teams and security postures to mature, it is extremely encouraging that so many companies are regularly performing these tests to identify their weak spots and shore up their defenses.”

In addition to threat detection, incident response and flexibility, communication and teamwork (41 percent), knowledge of threats/tactics (38 percent) and persistence (20 percent) were also listed as valuable skills blue teams should focus on.

Cyber crisis response failing to adapt to modern threats

Today, a stark disconnect exists between the inadequacy of crisis exercising and the desire to build an effective cyber crisis response function, according to an Osterman Research study.

The report, based on a survey of senior security leaders at 402 organizations with an average of 1,900 employees in the US and UK, found nearly 40% are not fully confident in their teams’ training to handle a data breach if one happened that week.

A spike in ransomware attacks

Looking at the evolution of ransomware alone, the number of ransomware detections in business environments rose by 365% between Q2 2018 and Q2 2019, and global organizations have seen a 148% spike in ransomware attacks amid COVID-19.

Meanwhile, more than a third of organizations surveyed say they space their tabletop exercises a year – sometimes two – apart, with 65% consisting of reviewing PowerPoint slides. In fact, slide-based sessions are nearly 20 times more common than practicing simulations and 64% ran three or fewer scenarios during their last exercise.

“If you did your ransomware training in January, you’re likely five ransomware techniques behind the curve now,” said James Hadley, CEO of Immersive Labs.

“With three quarters of organizations agreeing that business continuity was at the forefront of their minds, it is time to close the gap between attackers and defenders and shake up the outdated status quo. This requires faster, shorter crisis drills run with the people you will be standing shoulder to shoulder with when the worst happens. Crisis exercises must be made more contemporary.”

There is a need for more –and modernized – cyber training across organizations, not just on the security team.

Over reliance on plans contributes to low IR confidence

Despite organizations’ low confidence in their IR preparedness, 61% of respondents think having an IR plan is the single most effective way to prepare for a security incident. In fact, twice as many respondents rated an IR plan as more effective than regular tabletop crisis exercising.

When they do perform crisis exercises, nearly 40% of all senior security leaders surveyed said the last exercise generated no action from the business.

Senior cybersecurity leadership skipping crisis exercises

Only a fraction of the people who will be involved in a real crisis are present in training. A quarter of organizations surveyed ran crisis exercises without senior cybersecurity leadership in attendance, and only 20% of exercises involved communications team members, even though security leaders rated impact on brand (47%) as more important than share price (24%) or liquidity (27%) when running crisis exercises.

Nearly half of security leaders said their organizations do not have a cross-disciplinary cyber crisis group; of those who do, only 17% meet monthly.

The pandemic exacerbates challenges with the human factor

20% of respondents said they find it impossible to effectively involve people in crisis response remotely from other geographies. Add to that, the human element of the cyber equation is being overlooked by crisis response exercises with only 15% saying they are focused on stress testing human cyber readiness.

Technology investments aren’t enough

Technology investments alone can’t save an organization; it’s time to focus on people. Nearly 60% of respondents think the best way to prepare for a crisis incident is to buy more technology, and more are interested in covering themselves legally (38%) than in running effective tabletop exercises and fire drills to train their teams (32%).

“Dusting off the three-ring binder crisis plan does not cut it today,” added Hadley. “In the first 30 minutes of a crisis, it is highly unlikely you’re thinking of your plan. It’s the real-life, crisis simulation training that prepares organizations to effectively respond to security incidents.

“Micro-drills, or very focused exercises, designed to address particular risks must make their way into the mix. Much like exercising to stay fit, this needs to happen with regularity in dynamic environments, and involve all the right people, in order to keep current and be effective.”

Top security risks for companies to address as cloud migration accelerates

The ease and speed with which new cloud tools can be deployed is making it harder for security teams to control their usage, IBM Security reveals.

According to the data, basic security oversight issues, including governance, vulnerabilities, and misconfigurations, remain the top risk factors organizations must address to secure increasingly cloud-based operations.

Additionally, an analysis of security incidents over the past year sheds light on how cybercriminals are targeting cloud environments with customized malware, ransomware and more.

With businesses rapidly moving to cloud to accommodate remote workforce demands, understanding the unique security challenges posed by this transition is essential for managing risk.

While the cloud enables many critical business and technology capabilities, ad-hoc adoption and management of cloud resources is also creating complexity for IT and cybersecurity teams.

According to IDC, more than a third of companies purchased 30+ types of cloud services from 16 different vendors in 2019 alone. This distributed landscape can lead to unclear ownership of security in the cloud, creating policy “blind spots” and potential for shadow IT to introduce vulnerabilities and misconfiguration.

Cloud environment threats and challenges

  • Complex ownership: 66% of respondents surveyed say they rely on cloud providers for baseline security; yet perception of security ownership varied greatly across specific cloud platforms and applications.
  • Cloud applications opening the door: The most common path for cybercriminals to compromise cloud environments was via cloud-based applications, representing 45% of incidents in IBM X-Force IRIS cloud-related case studies. Cybercriminals took advantage of configuration errors as well as vulnerabilities within the applications, which often remained undetected due to employees standing up new cloud apps on their own, outside of approved channels.
  • Amplifying attacks: While data theft was the top impact of attacks in the cloud, hackers also targeted the cloud for cryptomining and ransomware – using cloud resources to amplify the effect of these attacks.

“The cloud holds enormous potential for business efficiency and innovation, but also can create a ‘wild west’ of broader and more distributed environments for organizations to manage and secure,” said Abhijit Chakravorty, Cloud Security Competency Leader, IBM Security Services.

“When done right, cloud can make security scalable and more adaptable – but first, organizations need to let go of legacy assumptions and pivot to new security approaches designed specifically for this new frontier of technology, leveraging automation wherever possible. This starts with a clear picture of regulatory obligations and compliance mandate, as well as the unique technical and policy-driven security challenges and external threats targeting the cloud.”

Who owns security in the cloud?

Organizations rely heavily on cloud providers to own security in the cloud, despite the fact that configuration issues – which are typically the customer's responsibility under the shared responsibility model – are most often to blame for data breaches (accounting for more than 85% of all breached records in 2019).

Additionally, perceptions of security ownership in the cloud varied widely across various platforms and applications. For example, 73% of respondents believed public cloud providers were the main party responsible for securing software-as-a-service (SaaS), while only 42% believed providers were primarily responsible for securing cloud infrastructure-as-a-service (IaaS).

While this type of shared responsibility model is necessary for the hybrid, multi-cloud era, it can also lead to variable security policies and a lack of visibility across cloud environments. Organizations that are able to streamline their cloud and security operations can reduce this risk through clearly defined policies that apply across their entire IT environment.

Top threats in the cloud: Data theft, cryptomining and ransomware

In order to get a better picture of how attackers are targeting cloud environments, incident response experts conducted an in-depth analysis of cloud-related cases the team responded to over the past year. The analysis found:

  • Cybercriminals leading the charge: Financially motivated cybercriminals were the most commonly observed threat group category targeting cloud environments, though nation state actors are also a persistent risk.
  • Exploiting cloud apps: The most common entry point for attackers was via cloud applications, including tactics such as brute-forcing, exploitation of vulnerabilities and misconfigurations. Vulnerabilities often remained undetected due to “shadow IT,” when an employee goes outside approved channels and stands up a vulnerable cloud app. Managing vulnerabilities in the cloud can be challenging, since vulnerabilities in cloud products remained outside the scope of traditional CVEs until 2020.
  • Ransomware in the cloud: Ransomware was deployed 3x more than any other type of malware in cloud environments, followed by cryptominers and botnet malware.
  • Data theft: Outside of malware deployment, data theft was the most common threat activity observed in breached cloud environments over the last year, ranging from personally identifying information to client-related emails.
  • Exponential returns: Threat actors used cloud resources to amplify the effect of attacks like cryptomining and DDoS. Additionally, threat groups used the cloud to host their malicious infrastructure and operations, adding scale and an additional layer of obfuscation to remain undetected.

“Based on the trends in our incident response cases, it’s likely that malware cases targeting cloud will continue to expand and evolve as cloud adoption increases,” said Charles DeBeck, IBM X-Force IRIS.

“Malware developers have already begun making malware that disables common cloud security products, and designing malware that takes advantage of the scale and agility offered by the cloud.”


Maturing cloud security leads to faster security response

While the cloud revolution is posing new challenges for security teams, organizations who are able to pivot to a more mature and streamlined governance model for cloud security can reap significant benefits in their security agility and response capabilities.

The survey found that organizations who ranked high maturity in both Cloud and Security evolution were able to identify and contain data breaches faster than colleagues who were still in early phases of their cloud adoption journey.

In terms of data breach response time, the most mature organizations were able to identify and contain data breaches twice as fast as the least mature organizations (average threat lifecycle of 125 days vs. 250 days).

As the cloud becomes essential for business operations and an increasingly remote workforce, organizations should focus on the following elements to improve cybersecurity for hybrid, multi-cloud environments:

  • Establish collaborative governance and culture: Adopt a unified strategy that combines cloud and security operations – across application developers, IT Operations and Security. Designate clear policies and responsibilities for existing cloud resources as well as for the acquisition of new cloud resources.
  • Take a risk-based view: Assess the kinds of workloads and data you plan to move to the cloud and define appropriate security policies. Start with a risk-based assessment for visibility across your environment and create a roadmap for phasing cloud adoption.
  • Apply strong access management: Leverage access management policies and tools for access to cloud resources, including multifactor authentication, to prevent infiltration using stolen credentials. Restrict privileged accounts and set all user groups to least-required privileges to minimize damage from account compromise (zero trust model).
  • Have the right tools: Ensure tools for security monitoring, visibility and response are effective across all cloud and on-premises resources. Consider shifting to open technologies and standards which allow for greater interoperability between tools.
  • Automate security processes: Implementing effective security automation in your system can improve your detection and response capabilities, rather than relying on manual reaction to events.
  • Use proactive simulations to rehearse for various attack scenarios: This can help identify where blind spots may exist, and also address any potential forensic issues that may arise during attack investigation.

Money is still the root of most breaches

Verizon has released its annual Data Breach Investigations Report (DBIR), which offers an overview of the cyber security incidents and data breaches that happened in/were discovered in the past year.

Based on an analysis of incident and breach reports by 81 contributing organizations – companies, CERTs, law enforcement agencies and cybercrime units, etc. – from around the world, the DBIR offers insight into current cyber attack trends and the threats organizations in various industry verticals and parts of the world face.

2019 cyber attack trends: the “WHO”

The researchers analyzed 32,002 security incidents that resulted in the compromise of an information asset. Of those, 3,950 were data breaches, i.e., incidents that resulted in the confirmed disclosure of data to an unauthorized party.

The report is massive, so we’ll highlight some interesting tidbits and findings:

  • 70% of breaches perpetrated by external actors (except in the healthcare vertical, where it’s 51% external, 48% internal)
  • 86% of breaches were financially motivated
  • Organized criminal groups were behind 55% of breaches
  • 72% of breaches involved large business victims


“This year’s DBIR has once again highlighted the principal motive for the vast majority of malicious data breaches: the pursuit of profit. This is surprising to some, given the extensive media coverage of national security-related breaches. However, it should not be. Most malicious cyber actors are not motivated by national security or geopolitical objectives, but rather by simple greed,” the data scientists who compiled the report noted.

“Financially motivated breaches are more common than Espionage by a wide margin, which itself is more common than all other motives (including Fun, Ideology and Grudge, the traditional ‘go to’ motives for movie hackers).”

2019 cyber attack trends: the “HOW”

The majority of data breaches (67% or more) are caused by credential theft, social attacks (phishing, business email compromise, pretexting) and errors (mostly misconfiguration and misdelivery of documents and email).

“These tactics prove effective for attackers, so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts,” they advised.

Another interesting finding is that attacks on web apps were a part of 43% of breaches, which is more than double the results from last year. The researchers put this down to more workflows moving to cloud services and attackers adjusting to the shift.

“The most common methods of attacking web apps are using stolen or brute-forced credentials (over 80%) or exploiting vulnerabilities (less than 20%) in the web application to gain access to sensitive information,” they shared.
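Since stolen and brute-forced credentials account for the bulk of web application breaches, the detection most worth having is the one that spots the burst of failures and, above all, the success that follows it. The block below is an added example, not part of the DBIR: it runs a sliding-window failure count and a distinct-username count per source address over constructed authentication log lines. The log format, the source addresses, the thresholds and the finding labels are all this example's assumptions.

```python
"""Added example (not from the DBIR): flag the stolen/brute-forced
credential attacks on web applications that the report describes, run
over constructed authentication log lines. The log format, thresholds and
finding labels are this example's assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries six accounts in six seconds and
# gets in on the last; a legitimate user mistypes twice, then logs in.
SAMPLE_LOG = """\
2020-05-19T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-05-19T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2020-05-19T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2020-05-19T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2020-05-19T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2020-05-19T10:00:06Z src=203.0.113.7 user=frank result=OK
2020-05-19T10:01:00Z src=198.51.100.9 user=grace result=FAIL
2020-05-19T10:01:20Z src=198.51.100.9 user=grace result=FAIL
2020-05-19T10:01:40Z src=198.51.100.9 user=grace result=OK
"""

WINDOW = timedelta(minutes=5)    # sliding window per source address
FAIL_THRESHOLD = 5               # failures in WINDOW => brute force
DISTINCT_USER_THRESHOLD = 4      # distinct usernames failed => stuffing


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "user": fields["user"],
        "ok": fields["result"] == "OK",
    }


def detect(log_text):
    """Return {source_ip: {labels}} for sources that look like attackers."""
    events = sorted(
        (parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
        key=lambda e: e["ts"],
    )
    recent_fails = defaultdict(list)   # src -> failure timestamps in WINDOW
    failed_users = defaultdict(set)    # src -> usernames that failed
    findings = defaultdict(set)
    for ev in events:
        src = ev["src"]
        # expire failures that fell out of the sliding window
        recent_fails[src] = [t for t in recent_fails[src] if ev["ts"] - t <= WINDOW]
        if not ev["ok"]:
            recent_fails[src].append(ev["ts"])
            failed_users[src].add(ev["user"])
            if len(recent_fails[src]) >= FAIL_THRESHOLD:
                findings[src].add("brute-force")
            if len(failed_users[src]) >= DISTINCT_USER_THRESHOLD:
                findings[src].add("credential-stuffing")
        elif recent_fails[src] and src in findings:
            # a successful login right after a flagged burst is the one to
            # escalate: the attacker now holds a working credential
            findings[src].add("success-after-burst")
    return {src: labels for src, labels in findings.items() if labels}


if __name__ == "__main__":
    for src, labels in detect(SAMPLE_LOG).items():
        print(src, sorted(labels))
```

The legitimate user who fails twice is never flagged, which is the point of keying on bursts and on the number of distinct accounts rather than on any single failure; credential stuffing from a large proxy pool spreads the failures across many source addresses, so a production version would additionally stack by target username and by user agent.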

Less than 5% of breaches involved exploitation of a vulnerability, and it seems that most organizations are doing a good job at patching – at least at patching the assets they know about.

“Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defenses,” the authors pointed out.

Most malware is still delivered by email and the rest via web services. Attackers have mostly given up on cryptocurrency mining malware, RAM scrapers and malware with vulnerability exploits, but love password dumpers, malware that captures app data, ransomware and downloaders.

Even though it is a small percentage of all incidents, financially motivated social engineering is on the rise – and attackers have largely stopped asking for W-2 data of employees and switched to asking for the cash directly.

Cloud assets were involved in about 22% of breaches this year, while the rest were on-premises assets.

“Cloud breaches involved an email or web application server 73% of the time. Additionally, 77% of those cloud breaches also involved breached credentials. This is not so much an indictment of cloud security as it is an illustration of the trend of cybercriminals finding the quickest and easiest route to their victims,” they noted.

Use the information to improve defenses

An interesting finding that can be used by defenders to their advantage is that attackers prefer short paths to a data breach. Throwing things in their way to increase the number of actions they have to take is likely to decrease their chance of making off with the data.

Knowing which actions happen at the beginning, middle and end of incidents and breaches can also help defenders react quickly and with purpose.


“Malware is rarely the first action in a breach because it obviously has to come from somewhere. Conversely, Social actions almost never end an attack. In the middle, we can see Hacking and Malware providing the glue that holds the breach together. And so, [another] defensive opportunity is to guess what you haven’t seen based on what you have,” the authors noted.

“For example, if you see malware, you need to look back in time for what you may have missed, but if you see a social action, look for where the attacker is going, not where they are. All in all, paths can be hard to wrap your head around, but once you do, they offer a valuable opportunity not just for understanding the attackers, but for planning your own defenses.”

What should organizations do to bolster their cyber security posture?

DBIR report author and Information Security Data Scientist Gabe Bassett advises organizations to keep doing what they are doing: anti-virus at the host, network, and proxy level plus patching and filtering (e.g., with firewalls) will help push the attackers towards other attacks.

“Address the human element. The top actions (phishing, use of stolen credentials, misconfiguration, misdelivery, and misuse) all involve people. No-one is perfect so find ways to set people up for success and be prepared to handle their mistakes,” he noted, and added that all organizations should have some level of security operations.

“You can’t make the defenses high enough, wide enough, deep enough, or long enough to keep an attacker out if you don’t have someone watching the wall. For large organizations this means having a dedicated security operations center. For smaller ones it may mean taking advantage of economies of scale, either by acquiring managed security services directly, or by using services (payment systems, cloud services, and other managed services that have security operations incorporated).

Finally, to add extra steps to attackers’ path and to deter all but the most persistent ones, they should use two factor authentication whenever possible.

Phishing is a huge concern among security decision-makers and influencers

A serious disconnect exists between how decision makers (i.e., CISOs, CIOs and CEOs) and security practitioners (i.e., IT managers and directors, security architects and security operations analysts) perceive phishing prevention, according to research by Ironscales.


The research is based on a detailed, cross-industry survey of 252 security professionals from the United States and the United Kingdom.

Among its key findings, the survey revealed that decision makers are four times more likely than security practitioners to consider email security the highest priority, suggesting that security personnel believe that they have a sufficient handle on phishing prevention while the C-Suite sees substantial business risk.

“The disconnect between security practitioners and decision makers is extraordinarily problematic for phishing prevention and incident response,” said Eyal Benishti, CEO at Ironscales.

“The cause for such a predicament – whether or not security professionals on the front lines don’t fully understand the long-term business impacts of a successful phishing attack or if the C-Suite is simply over-concerned – is irrelevant. What matters is that moving forward these two important constituencies get on the same page so that the proper time and attention can be allocated towards minimizing phishing risk.”

The survey revealed that there is a critical need for real-time threat intelligence to more thoroughly address the risk of phishing; that the security skills shortage is having a material impact on security teams’ ability to deal with phishing properly, and that most organizations are using several tools to combat phishing, with secure email gateways remaining the most common.

Key research findings

  • 24% of a 40-hour work week is spent by security analysts investigating, detecting or remediating phishing emails.
  • Only one in five organizations continuously updates and tweaks its corporate email security policies in a typical month.
  • Nearly three in five organizations train their users on proper email security protocols no more than twice per year, while only a third of organizations do so much more frequently (at least monthly or continuously).
  • More than 70% of organizations use only manual processes for reviewing user-reported phishing emails, making it far too labor and time-intensive to mitigate email threats at scale.


Problems with phishing prevention

The survey also found that phishing emails continue to take organizations a substantial amount of time to detect, investigate and remediate. In total:

  • 70% of organizations take more than 5 minutes to remove a phishing attack from a corporate mailbox even though the average time-to-click is 82 seconds.
  • 75% of organizations cannot act on phishing intelligence automatically in real-time.
  • 90% of organizations cannot orchestrate phishing intelligence from multiple sources in real time in the context of their overall email security solution(s).
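The manual review step behind those numbers is exactly what can be automated first. What follows is an added example, not code from Ironscales or Osterman Research: a first-pass triage of a user-reported message that checks the receiving MX's own SPF/DKIM/DMARC results, Reply-To versus From domains, and whether each link's visible text hides a different host. The reported message, the organization domain `OUR_DOMAIN`, the reason labels and the verdict thresholds are all constructed for this example.

```python
"""Added example (not from the Ironscales/Osterman research): a first-pass
automated triage of a user-reported phishing email, replacing the manual
review step the survey says most organizations still rely on. The
message and OUR_DOMAIN are constructed; header names are standard, but
the reason labels and the verdict thresholds are this example's own."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed user-reported message: spoofed internal sender, external
# Reply-To, failed SPF, and a link whose visible text hides a different host.
REPORTED_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: support@helpdesk-login-reset.example.net
To: alice@example-corp.com
Subject: Action required: password expires today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 2 hours. Reset it now:</p>
<p><a href="http://login.helpdesk-login-reset.example.net/reset">https://sso.example-corp.com/reset</a></p>
</body></html>
"""

OUR_DOMAIN = "example-corp.com"   # assumption: the protected organization's domain
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_AUTH_FAIL = re.compile(r'\b(spf|dkim|dmarc)=(fail|softfail|none|permerror)\b', re.I)


def _domain(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower()


def _is_ours(host):
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def triage(raw_message):
    """Return {'verdict': ..., 'reasons': [...], 'urls': [...]} for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons, urls = [], []

    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else sender
    if sender and _domain(reply_to) != _domain(sender):
        reasons.append("reply-to-domain-mismatch")

    # the receiving MX's own verdicts are the strongest signal available
    for mech, outcome in _AUTH_FAIL.findall(str(msg.get("Authentication-Results", ""))):
        reasons.append(f"{mech.lower()}-{outcome.lower()}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in _ANCHOR.findall(html):
        urls.append(href)
        shown = urlparse(text.strip()).hostname
        actual = urlparse(href).hostname or ""
        if shown and shown != actual:
            reasons.append("link-text-mismatch")   # display-URL deception
        if actual and not _is_ours(actual):
            reasons.append("external-link")

    verdict = "quarantine" if len(reasons) >= 3 else "review" if reasons else "benign"
    return {"verdict": verdict, "reasons": reasons, "urls": urls}


if __name__ == "__main__":
    print(triage(REPORTED_EMAIL))
```

The extracted URLs are what a SOAR playbook would then submit to URL reputation and sandbox services, and a "quarantine" verdict is what drives the mailbox purge that 70% of organizations currently take more than five minutes to perform by hand.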

“The survey’s findings reinforce the significant challenges that email phishing attacks incur on organizations of all sizes,” said Michael Osterman, principal analyst at Osterman Research.

“Most immediately, decision makers and cybersecurity practitioners must work to overcome the disconnect that exists so that time, budget and resources can be properly allocated to reduce email phishing risk.”

What makes some organizations more cyber resilient than others?

Despite higher levels of investment in advanced cybersecurity technologies over the past three years, less than one-fifth of organizations are effectively stopping cyberattacks and finding and fixing breaches fast enough to lower the impact, according to a report from Accenture.


Based on a survey of more than 4,600 enterprise security practitioners around the globe, the study explores the extent to which organizations prioritize security, the effectiveness of current security efforts, and the impact of new security-related investments.

Many are not cyber resilient

From detailed modeling of cybersecurity performance, the study identified a group of elite “leaders” — 17% of the research sample — that achieve significantly better results from their cybersecurity technology investments than other organizations.

Leaders were characterized as among the highest performers in at least three of the following four categories: stop more attacks, find breaches faster, fix breaches faster and reduce breach impact. The study identified a second group, comprising 74% of the respondents, as “non-leaders” — average performers in terms of cyber resilience but far from being laggards.

“Our analysis identifies a group of standout organizations that appear to have cracked the code of cybersecurity when it comes to best practices,” said Kelly Bissell, who leads Accenture Security globally. “Leaders in our survey are far quicker at detecting a breach, mobilizing their response, minimizing the damage and getting operations back to normal.”

For instance, leaders were four times more likely than non-leaders to detect a breach in less than one day (88% vs. 22%). And when defenses fail, 96% of the leaders fixed breaches in 15 days or less, on average, whereas 64% of non-leaders took 16 days or longer to remediate a breach — with nearly half of those taking more than a month.

The differences between leaders and non-leaders

Among the key differences in cybersecurity practices between leaders and non-leaders, the report identified:

  • Leaders focused more of their budget allocations on sustaining what they already have, whereas the non-leaders place significantly more emphasis on piloting and scaling new capabilities.
  • Leaders were roughly a third as likely as non-leaders to have had more than 500,000 customer records exposed through cyberattacks in the last 12 months (15% vs. 44%).
  • Leaders were more than three times as likely to provide users of security tools with required training for those tools (30% vs. 9%).

The study also found that 83% believe that organizations need to think beyond securing just their own enterprises and take better steps to secure their vendor ecosystems in order to become cyber resilient.


Additionally, cybersecurity programs designed to protect data and other key assets actively protect only about 60% of an organization's business ecosystem (vendors and other business partners), yet 40% of breaches come through this route.

“The sizable number of vendor relationships that most organizations have poses a significant challenge to their ability to monitor that business ecosystem,” Bissell said. “Yet, given the large percentage of breaches that originate in an organization’s supply chain, companies need to ensure that their cyber defenses stretch beyond their own walls.”

Cybersecurity industry predictions for 2020 and beyond

When it comes to cybersecurity industry predictions for 2020, Optiv researchers expect to see a focus on privacy, evolving threat actors, pervasive deepfake videos, and increased election interference.


“As we look beyond 2019 and into 2020, we have a solid idea of what threats the industry is facing, and not just ransomware and phishing attacks, but new, hard-to-combat threats,” said Anthony Diaz, division vice president, emerging services, at Optiv.

“As is always the case, us ‘good guys’ are forced to play catch up with bad actors, who constantly remain a step ahead. There is much IT and business leaders must be aware of when it comes to cybersecurity, as the pace of change is quite high.

“That is why we recommend cybersecurity programs focus on proactive risk mitigation and build out from there. This ensures your organization is actively looking for, combating, and identifying threats before they can cause damage.”

Hybrid threat actors may become more commonplace

A growing number of “hybrid threat actors” have been found. These are attackers who impersonate one type of adversary to disguise their true intentions (for example, a nation state imitating a generic hacker targeting a customer database, when its true aim is to steal intellectual property).

There could be an increase in the number of adversaries adopting this technique and launching “imposter” attacks to obfuscate their true intentions, adding yet another layer of complexity to threat hunting and incident response.

Apple’s “privacy as a human right” campaign should cause others to follow

The world’s foremost technology organization going all-in on privacy will shift the competitive landscape. Security and privacy could become a competitive differentiator for companies that follow Apple’s lead and grab “first mover” status in their markets.

Laggards may risk meeting the unseemly fate of past organizations that failed to embrace important technology paradigms such as internet, cloud, and mobile computing.

Election misinformation campaigns could proliferate

The effectiveness of the Russian misinformation campaign of 2016 increases the possibility of increased copycat attacks for the 2020 election. These attacks could come from nation states as well as domestic groups supporting rival U.S. politicians. This activity threatens to trigger a major public/private response to the online misinformation problem.

We might see the first cases of deepfakes used to manipulate stock prices

There has been much publicity around the potential to impact elections using deepfakes (AI-doctored videos that enable individuals to make it appear people said things they never said). However, not enough attention has been paid to how cybercriminals can make money using deepfakes against businesses.

This might change in 2020, as it’s possible we will see the first deepfake attacks designed to impact stock prices, by having CEOs, financial analysts, Federal Reserve leaders or other powerful economic figures make phony statements that will cause stock market movements. Cybercriminals would use these videos to make quick fortunes in the market.

There should be widespread realignment of IT and security organizations

As boards view cybersecurity as a peer-level risk to traditional enterprise risks, such as lawsuits and product recalls, more CISOs should become peers of CIOs and other executives, rather than direct or indirect reports. This would cause a realignment of the IT and security organizations to eliminate conflicts and encourage collaboration.

The most critical of these will be the continued expansion of DevSecOps, in which security is fully integrated into the application development process; and patch management, which will move from being divided between security and IT (security finds vulnerabilities, IT patches them), to becoming a unified process with a single point of accountability.

Cybersecurity basics may continue to vex consumers and enterprise organizations

Whether weak passwords, a lack of education and training around phishing attacks, or simple upkeep and compliance, the small details of cybersecurity will continue to cause a large share of compromises if left unaddressed.

Simple passwords (those without special characters, or that are extremely obvious, such as “password123”) take professional attackers only minutes to crack, and at little cost.

What is the actual role of a threat hunter?

The role and tasks of a threat hunter are confusing, according to a ThreatQuotient and SANS study based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.


Threat hunter role: How threat hunting teams are tasked in an environment

Unlike the Security Operations Centre (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.

“However, the reality within corporate IT is often different,” says Markus Auer, Regional Sales Manager CE at ThreatQuotient. “In many teams, the distinction between SOC, IR and threat hunting is too blurred, and threat hunters are used for reactive processes contrary to their actual role.”

The study confirms that most threat hunters react to alerts (40%) or data such as indicators of compromise from the SIEM (57%). Only 35% of participants say that they work with hypotheses during threat hunting – a process that should be part of the arsenal of every threat hunter.

“Responding to threats is important for security, but it is not the main task of the threat hunter. They should be looking for threats that bypass defenses and never trigger an alert,” Auer emphasises.
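To make the hypothesis-driven approach concrete, here is an added example, not part of the SANS/ThreatQuotient study: a hunt that starts from a hypothesis ("an attacker has a foothold via a malicious document, so an Office application on some host has spawned a command interpreter"), stacks parent-to-child process pairs across a small fleet to surface the rare ones, and then tests the hypothesis directly. No alert is involved. The hostnames, process-creation events, process lists and rarity threshold are all constructed for this example.

```python
"""Added example (not from the SANS/ThreatQuotient study): a hypothesis-
driven hunt of the kind the study says only a minority of hunters run,
executed over constructed process-creation events from a small fleet.
Hostnames, process names and the rarity threshold are this example's own."""
from collections import defaultdict

HOSTS = ["ws-01", "ws-02", "ws-03", "ws-04", "ws-05", "ws-06"]

# Constructed baseline: parent -> child pairs every workstation produces.
BASELINE_PAIRS = [
    ("explorer.exe", "outlook.exe"),
    ("explorer.exe", "winword.exe"),
    ("outlook.exe", "winword.exe"),
    ("services.exe", "svchost.exe"),
]
EVENTS = [(host, parent, child) for host in HOSTS for parent, child in BASELINE_PAIRS]
# Two outliers: an admin opening a shell on ws-02 (benign, still rare) and
# Word spawning PowerShell on ws-04 (the behaviour the hypothesis predicts).
EVENTS += [("ws-02", "explorer.exe", "cmd.exe"), ("ws-04", "winword.exe", "powershell.exe")]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def stack_pairs(events):
    """Stack every parent->child pair by the set of hosts it appeared on."""
    hosts_by_pair = defaultdict(set)
    for host, parent, child in events:
        hosts_by_pair[(parent.lower(), child.lower())].add(host)
    return hosts_by_pair


def rare_pairs(events, max_hosts=1):
    """Long-tail analysis: pairs seen on at most max_hosts hosts, rarest first."""
    stacked = stack_pairs(events)
    rare = [(p, c, sorted(h)) for (p, c), h in stacked.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda r: (len(r[2]), r[0], r[1]))


def check_hypothesis(events):
    """Hosts on which an Office process spawned a command interpreter."""
    return {host for host, parent, child in events
            if parent.lower() in OFFICE and child.lower() in INTERPRETERS}


if __name__ == "__main__":
    for parent, child, hosts in rare_pairs(EVENTS):
        print(f"rare: {parent} -> {child} on {hosts}")
    print("hypothesis confirmed on:", sorted(check_hypothesis(EVENTS)))
```

The stacking step is what distinguishes this from alert handling: it produces a short list of things nobody has written a rule for yet (here the admin's cmd.exe as well as the malicious PowerShell), and the hypothesis check tells the hunter which of them to pull the host for. A confirmed hunt should end by turning the confirmed pattern into a detection rule so the next occurrence is an alert.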

Targeted threat discovery is important

The fact that threat hunting is still in its infancy is evident based on suboptimal prioritization of resources. “Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” says Mathias Fuchs, Certified Instructor at SANS and co-author of the study.

“When threat hunting is carried out, it is more of an ad hoc approach than a planned program with budget and resources.” In fact, 71% of participating companies consider technology to be first or second in terms of resource allocation for threat hunting. Only 47% of respondents focus on hiring new personnel and 41% on training employees.


Due to the proactive nature of threat hunting, companies often find it difficult to accurately measure the economic benefits of these security measures. Ideally, the experts prevent threats from becoming a critical problem in the first place. However, 61% of respondents said their overall IT security status has improved by at least 11% due to threat hunting.

These figures show that targeted threat discovery is important and that investing in dedicated threat hunting teams delivers measurable improvement in IT security for organizations.

Insight into NIS Directive sectoral incident response capabilities

An analysis of current operational incident response (IR) set-up within the NIS Directive sectors has been released by ENISA.

The NIS Directive and incident response

The EU’s NIS Directive (Directive on security of network and information systems) was the first piece of EU-wide cybersecurity legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure by bolstering capacities, cooperation and risk management practices across the Member … More

The post Insight into NIS Directive sectoral incident response capabilities appeared first on Help Net Security.

Cyber threats continue to evolve, but security teams remain confident

Coming off of a year of major data breaches making headline news, it’s easy to draw the conclusion that security teams are losing the cybersecurity battle, a DomainTools survey reveals.

Security teams remain confident

Security pros are reporting real progress being made as confidence in their programs continues to grow: Thirty percent of respondents gave their program an “A” grade this year, doubling over two years from 15 percent in 2017. Less than four percent … More


Only 11% of organizations can detect intruders in under one minute

The process of detecting, triaging, investigating, and containing a cyber incident takes organizations globally on average nearly seven days of working around the clock (totaling 162 hours), with an average of 31 hours to contain a cybersecurity incident once it has been detected and investigated, a CrowdStrike survey reveals.

How fast can you detect intruders?

As a result, the majority of respondents (80%) report that in the past 12 months, they have been unable to … More


To improve incident response, you need to consider 3rd party solutions

Organizations reported an average 32% reduction in threat responder workload when they deployed a managed SIEM solution, according to CenturyLink and IDG.

Improve incident response

The research shows security leaders are turning to managed security services to help augment limited internal resources and bridge the security technology gap. “Security is an inherent ingredient in networking today; however, limited resources and budget constraints make it difficult for companies to develop with their own staff,” says Chris … More


Android Trojan Compromises Credit Card Details and Then Locks Your Mobile

This nasty two-year-old Android trojan has evolved into an all-around threat.

An Android trojan detected by Russian security firm Dr.Web as Android.SmsSpy.88 evolved in the past two years from simple spyware to banking trojan, and now to a mobile ransomware threat.

First detected in April 2014, the trojan was initially distributed via SMS spam, and once it infected victims, it was capable of intercepting phone calls and SMS messages, usually used for two-factor authentication systems.

As time went by, the Android.SmsSpy trojan evolved and added the ability to phish for credit card details using a Google Play Store-like interface, as well as to show interstitials mimicking popular Russian bank logins.
“Android.SmsSpy came back stronger and more powerful than ever”

The biggest update happened at the end of 2015, when Dr.Web says the trojan gained the ability to phish for credentials from almost any bank around the world, along with the capacity to lock the user’s screen and ask for a ransom.

This increase of functionality also had an effect on its distribution model, which switched from SMS spam to fake apps posing as an Android version of Adobe Flash Player.

Dr.Web also noticed that the trojan started using a very customizable bank phishing popup system, which allows trojan operators to modify the popup’s content much more easily and target any bank or payment processor they’d like.

“Trojan is chock-full of features”

These latest versions of Android.SmsSpy need administrative privileges, a constant Internet connection, and are packed full of dangerous features.

These include the ability to send USSD requests, intercept MMS messages, send SMS spam to all phone contacts, exfiltrate SMS messages and more.
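The capability profile described above (device-admin privileges, SMS and MMS interception, outbound SMS, phishing overlays) is exactly the combination a triage analyst would look for in a suspicious APK's manifest. The following is an added defender-side example, not code from Dr.Web or from this article: it parses constructed sample manifests, groups declared permissions into the capability buckets the article describes, and scores the combination. The permission names are real Android identifiers; the bucket weights, the review threshold and the sample manifests are this example's own assumptions.

```python
"""Heuristic manifest triage against the Android.SmsSpy capability profile.
Added example for illustration; permission names are real Android identifiers,
weights and threshold are assumed, sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Capability buckets mirroring the behaviour the article describes.
# Weights are illustrative assumptions, not a published scoring scheme.
CAPABILITIES = {
    "sms_interception": ({"android.permission.RECEIVE_SMS",
                          "android.permission.READ_SMS",
                          "android.permission.RECEIVE_MMS"}, 3),
    "sms_sending": ({"android.permission.SEND_SMS"}, 2),
    "call_interception": ({"android.permission.PROCESS_OUTGOING_CALLS",
                           "android.permission.READ_PHONE_STATE"}, 1),
    "overlay": ({"android.permission.SYSTEM_ALERT_WINDOW"}, 2),
    "contacts": ({"android.permission.READ_CONTACTS"}, 1),
}
REVIEW_THRESHOLD = 6  # assumed: scores at or above this go to manual review


def parse_manifest(xml_text: str) -> dict:
    """Return declared permissions and whether a device-admin receiver is declared."""
    root = ET.fromstring(xml_text.strip())
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # A device-admin component is a <receiver> guarded by BIND_DEVICE_ADMIN.
    device_admin = any(r.get(PERMISSION_ATTR) == DEVICE_ADMIN_PERMISSION
                       for r in root.iter("receiver"))
    return {"permissions": perms, "device_admin": device_admin}


def score_manifest(xml_text: str) -> dict:
    """Score a manifest; the result lists which capability buckets were hit."""
    info = parse_manifest(xml_text)
    hits, score = [], 0
    for cap, (needed, weight) in CAPABILITIES.items():
        if info["permissions"] & needed:
            hits.append(cap)
            score += weight
    if info["device_admin"]:
        # Device admin resists uninstall and enables the screen-lock behaviour.
        hits.append("device_admin")
        score += 3
    if "overlay" in hits and "sms_interception" in hits:
        # Overlay plus SMS access is the banking-overlay pattern: extra weight.
        hits.append("overlay_plus_sms")
        score += 2
    return {"score": score, "hits": sorted(hits), "flag": score >= REVIEW_THRESHOLD}


# Constructed sample: a fake "Flash Player" style dropper manifest.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network and contacts.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, score_manifest(manifest))
```

The scoring is deliberately additive so that a single permission (for example READ_CONTACTS in a legitimate messaging app) never triggers review on its own; it is the co-occurrence of device admin, SMS access and overlay capability, the combination described for this trojan, that pushes a sample over the threshold.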

All of these are managed from C&C servers, and Dr.Web claims it detected over 50 different master servers, commanding as many different botnets.

“Android.SmsSpy is rented from underground cyber-crime forums”

The large number of different botnets is explained by the fact that Android.SmsSpy’s creator is extremely busy with advertising and renting out his infrastructure to other criminals on the Dark Web.

Dr.Web researchers claim that Android.SmsSpy made victims in 200 countries and infected at least 40,000 mobile devices. The hardest-hit country was Turkey, which accounted for nearly one-fifth of all infections, followed by India, Spain, Australia, Germany, and France.

The most targeted Android version was 4.4 (35.71%), but Android.SmsSpy also infected almost all Android versions between 2.3 and 5.2.

“Android.SmsSpy.88.origin acts not only as a banking Trojan and a spyware program but also as a ransomware Trojan, allowing attackers to make more money on gullible users,” Dr.Web reported this week.

[Figure: Geographical distribution of Android.SmsSpy victims]

By Catalin Cimpanu