IT Insights: Cyber Security and Data Analytics
Tackling Cyber Security with Data Analytics

In April 2016, Verizon released its ninth annual Data Breach Investigations Report, which analyzes the security trends, breaches, incidents and other vulnerabilities reported over the previous year. The report drew on 67 contributing organizations, 100,000 security incidents and 2,260 confirmed data breaches, with 82 countries represented. Key findings included:
• 89 percent of breaches had a financial or espionage motive.
• 63 percent of confirmed breaches involved weak, default or stolen passwords.
• 90 percent of cyber-espionage breaches captured trade secrets or proprietary information.
• 95 percent of confirmed web application breaches were financially motivated.
• 89 percent of phishing campaigns were executed by organized crime syndicates.
Much Has Been Done to Combat Breaches, but Acute Threats Remain

Massive data security breaches continue to surface against well-known businesses, with trends similar to prior years: point-of-sale intrusions, payment card skimmers, phishing attacks and hacking, and malware activity. The industries most targeted were reported to be the public sector, finance, professional services and healthcare. Organizations have made considerable efforts to enhance IT security since then. Recently enacted statutes and regulatory practices also recognize the need for enhanced security. In 2015, the following actions were taken:
• The Federal Financial Institutions Examination Council (FFIEC) issued its Cyber Security Assessment Tool in June 2015 to help financial institutions identify risks and evaluate their cyber security preparedness.
• The Payment Card Industry Security Standards Council (PCI SSC) released version 3.2 of the PCI Data Security Standard in April 2016. That update deemed the Secure Sockets Layer (SSL) encryption protocol unacceptable, prompting affected organizations to adopt Transport Layer Security (TLS) as the protocol for protecting the privacy of transmitted data.
• President Barack Obama signed an Executive Order in February 2015 to promote private sector cyber security information sharing as a means of combating risks and enhancing organizations' ability to respond to cyber security incidents.
Consumer protection laws now hold corporate officers accountable for cyber breaches. State Attorneys General's offices are targeting companies for non-disclosure of cyber breaches. Improperly handled cyber attacks are now considered breaches of fiduciary duty.

Despite the increased emphasis on deterring security breaches, the threat potential keeps increasing. Zero-day malware, malware that is by definition not yet known, is a crucial concern: anti-virus tools cannot detect it, and no patches exist to protect against it. Zero-day malware therefore remains active until it is discovered, anti-virus tools are updated, and patches are created and released by software vendors and then applied. The increasing use of smartphones, tablets and laptops for business purposes also means that mobile devices are now a potential door for anyone committed to attempting a security breach.

While considerable attention in recent years has focused on personal and financial data exposed in security breaches, cyber criminals are also targeting trade secrets, intellectual property and other confidential information. Preventing such data security attacks is ideal, but rapid detection is essential. Analytics can play a vital role in helping organizations take a risk-based approach toward identifying security breach attempts.
Establishing Security Analytics

Every organization should take a risk-based approach toward cyber security and determine which IT assets present the greatest risk in terms of likelihood of attack and potential impact. For a bank, the greatest risk might be its core banking application. For a retailer, it might be customer credit card numbers and email addresses. Source code may be the vital asset for a software company.

Once an organization identifies what requires the greatest level of protection, IT tools such as Splunk, Tripwire or IBM QRadar can be deployed to search and analyze immense volumes of IT activity log entries. Some of these tools can assist with port scans or identify unusual or questionable actions, such as repeated unsuccessful login attempts, rejected IP addresses, outbound activity from internal servers or unauthorized connections. The tool may also help verify that firewall configurations are operating and denying activity as set up (i.e., that a blocked port is not allowing traffic). Tools may be set up to perform ongoing reviews and issue alerts whenever questionable activity occurs, or such events may be highlighted during periodic monitoring.

A software package can be a great tool, but it may be time-intensive to set up and tune for each organization, as well as potentially cost-prohibitive. Thorough research should be performed for any tool to determine whether it scales to the organization and addresses the organization's needs. Having personnel to support the overall IT environment and the additional tools may not even be an option for some organizations.

Before jumping into the purchase of a robust network analytic tool, organizations should consider that they may already have analytical tools at their disposal, such as ACL and IDEA, through the internal audit department. Such tools may be able to assist in analyzing IT activity. If budget constraints rule out IT or network-centric tools, data analytic tools in other departments, such as internal audit, can be used to run a proof of concept on the value of analyzing the data and to support the case for more robust monitoring procedures. Based on the activity observed, the internal audit analytic tools can provide deeper insight into network and cyber security issues, as well as insight into which network analytic tool may provide the most benefit to the organization.
Using Analytics to Detect Anomalies

The first step in analyzing data is to know the questions to ask. The data can provide a lot of information, and some exploratory analysis can be performed once the organization is comfortable with the data. But understanding the initial questions helps determine whether the required data is available. Initial considerations include asking whether the captured network activity includes the following items:
• Remote access attempts (to identify potentially inappropriate after-hours activity)
• Failed log-in attempts (to identify password cracking or hacking attempts)
• Interactive system/service account usage (to identify exploited accounts or inappropriate account usage)
• Network protocol traffic, e.g., TCP/IP, UDP (to identify inappropriate traffic on non-standard protocols)
After understanding an initial set of questions, the second step is to ensure that the data is being logged and stored, and that a sufficient volume of data is retained to provide valuable results. The nature and frequency of the activity being logged, and the level of detail logged, need to be assessed to ensure that the appropriate data is maintained and will be useful in analysis. If data is available for only a month, the analysis of those logs may not show when spikes in activity over the year occurred; if data is available for only a year, the analysis may not identify whether a spike in activity is the norm or is due to an anomalous event (such as market, geographic or weather conditions). Trend analysis may require more log data than the organization currently retains. Organizations should assess what initial information can be gleaned from the data and then set retention periods that allow sound trend conclusions to be drawn.

Once data is identified and available, it needs to be cleaned and formatted so that it can be analyzed. With the data in a state ready for analysis, it must then be examined for anomalies. The analysis can be performed by executing analytical procedures on the data, whether by developing scripts or by using the standard reporting and summary functionality within the IT tools to provide initial information. The results will then need to be reviewed to determine whether there are any correlations or causal relationships within the data.
Analyzing Results

For the anomalies, further investigation may reveal that no improper intent was behind the questionable activity or that a breach attempt was unsuccessful. In other cases, a security breach may be identified. The sooner a breach is discovered and disclosed, the sooner a company can take steps to mitigate the damage.

An example is reviewing remote network log-in activity after hours. If analyzing a 30-day period, there may be a few individuals who log in at the beginning of the month. This may be tied to finance and accounting personnel working on closing the period. If analyzing a year, that trend should be readily apparent from spikes at the beginning of each month. However, an hourly employee's account showing after-hours usage clustered around a few days in a year may be cause for follow-up to determine whether it is access by an unauthorized individual, inappropriate access by the employee, or appropriate access by the employee to work outside normal hours on a project.

Because of the various outcomes that may result from the analysis of the data, IT cannot be the only team involved in the overall initiative. Analyzing network activity cannot be the sole activity of a network administrator or a data analyst; the two individuals or teams need to work together to obtain the best results in understanding "the story that the data is telling."
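The after-hours remote-access review described above (and the "remote access attempts" item in the earlier checklist), as an added example that is not part of the original article: it parses a constructed log in a hypothetical format, separates the expected month-start period-close pattern from after-hours use clustered on a few days, and assumes a business window of 08:00 to 18:00 on weekdays and a period-close window of days 1 to 3.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample remote-access log (hypothetical format, not a real product's):
# "<date> <time> user=<account> result=<success|failure>"
SAMPLE_LOG = """\
2016-01-01 21:15:02 user=jdoe result=success
2016-02-01 20:05:45 user=jdoe result=success
2016-02-02 21:12:09 user=jdoe result=success
2016-03-01 19:30:00 user=jdoe result=success
2016-03-14 10:00:00 user=jdoe result=success
2016-03-14 02:10:33 user=hourly1 result=success
2016-03-15 03:02:51 user=hourly1 result=success
2016-03-15 03:05:00 user=hourly1 result=failure
2016-03-20 13:00:00 user=hourly1 result=success
"""

LINE_RE = re.compile(r"^(\S+ \S+) user=(\S+) result=(\S+)$")
BUSINESS_START, BUSINESS_END = 8, 18  # assumed business window, Mon-Fri
CLOSE_WINDOW_DAYS = 3                 # assumed: days 1-3 are period close
CLUSTER_MAX_DAYS = 3                  # "a few days" of activity is a cluster

def parse(log_text):
    """Yield (timestamp, account) for successful logins; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "success":
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def is_after_hours(ts):
    """True on weekends or on weekdays outside the business window."""
    return ts.weekday() >= 5 or not BUSINESS_START <= ts.hour < BUSINESS_END

def analyze(log_text):
    """Map each account to (verdict, sorted ISO dates with after-hours logins)."""
    days = defaultdict(set)
    for ts, account in parse(log_text):
        if is_after_hours(ts):
            days[account].add(ts.date())
    report = {}
    for account, dates in days.items():
        months = {(d.year, d.month) for d in dates}
        if all(d.day <= CLOSE_WINDOW_DAYS for d in dates) and len(months) >= 2:
            verdict = "expected: recurring period-close pattern"
        elif len(dates) <= CLUSTER_MAX_DAYS:
            verdict = "follow up: after-hours use clustered on a few days"
        else:
            verdict = "review: sustained after-hours use"
        report[account] = (verdict, sorted(d.isoformat() for d in dates))
    return report
```

On the sample, jdoe's after-hours logins all fall in the first days of three different months and are classed as expected, while hourly1's three late-night and weekend dates in March are flagged for follow-up.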
Building and Sustaining Cyber Resiliency

New forms of malware continually emerge, and the potential consequences a company faces, both reputational and financial, are becoming more severe. Mitigating the risks requires developing cyber resiliency: continual attention to the concerns crucial for maintaining IT security and remaining resilient during an incident. Not only should prevention be a high priority within organizations; detection should also be emphasized. Along with using log data to detect activity and develop plans to address issues, cyber resiliency should be implemented and practiced. Cyber resiliency encompasses:
• Asset management and classification: being aware of the data that matters most
• Controls management: being aware of the controls for IT systems and their effectiveness
• Configuration and change management: being aware of application or operating system misconfiguration risks that present opportunities for breaches, which is particularly crucial when updates or any other changes are made
• Vulnerability management: being aware of potential vulnerabilities as a means of proactively approaching IT security
• Incident management: being aware of what needs to be done if an incident is identified
• Service continuity management: being aware of what is needed to keep IT functions operational while an incident is addressed
• Risk management: being aware of which specific vulnerabilities present the greatest risks and therefore require the greatest degree of protection
• External dependency management: being aware of the vendors relied upon for various IT functions and obtaining assurance that those vendors sufficiently identify and mitigate risks
• Training and awareness: being aware of the dangers individuals throughout the company face from phishing and other social engineering efforts, and training them to recognize security risks and take appropriate preventive measures
• Situational awareness: being aware of what constitutes regular operations as a means of recognizing a potential incident and responding appropriately

No organization is immune from a security breach, but incorporating cyber resilience, with the aid of analytics, enables a company to mitigate IT security risks more effectively.
CONTACT US
Brittany George, CSA, QSA, Senior Manager, IT Advisory Services, brittany.george@weaver.com
Reema Parappilly, CISA, Senior Manager, IT Advisory Services, reema.p@weaver.com
Weaver's IT advisory services group focuses on delivering performance-enhancing consultations that address your IT and business agendas. We work directly with CIOs and others to create a more risk-aware, effective IT organization that can drive process efficiencies throughout your company and better support and deliver transformational business change. Specific services we provide include:
• Application controls review
• Business continuity/disaster recovery
• Cloud computing assessment
• Data analytics
• Data privacy
• Information security and vulnerability assessment
• ISO 27001 reviews
• IT audit
• IT governance and organizational effectiveness
• IT risk assessment
• Pre- and post-implementation application reviews
• Service Organization Controls (SOC) reporting
Disclaimer: This content is general in nature and is not intended to serve as accounting, legal or other professional services advice. Weaver assumes no responsibility for the reader’s reliance on this information. Before implementing any of the ideas contained in this publication, readers should consult with a professional advisor to determine whether the ideas apply to their unique circumstances. © Copyright 2016, Weaver and Tidwell, L.L.P.
www.weaver.com | 800.332.7952