More Related Content
Viewers also liked (16)
Similar to 2016April_EnterpriseExecutive_Jeff03 (20)
2016April_EnterpriseExecutive_Jeff03
- 1. T h e M a g a z i n e f o r i T M a n a g e r s i n T h e W o r l d ¡¯ s l a r g e s T M u lT i P l aT f o r M e n T e r P r i s e s 2016: Issue 2 www.enterprIsesystemsmedIa.com An Enterprise Systems Media Publication Are You Ready for an Attack? How Dell SecureWorks Is Helping Keep Organizations Safe Welcometothelatestissueof EnterpriseExecutive! T H E M A G A Z I N E F O R I T M A N A G E R S I N T H E W O R L D ¡¯ S L A R G E S T M U LT I P L AT F O R M E N T E R P R I S E S 2016: ISSUE 2 WWW.ENTERPRISESYSTEMSMEDIA.COM
- 2. 2016: Issue 2 | Enterprise Executive | 27 E nterprise Executive recently caught up with Jeff Multz, director and general manager of Japan for Dell SecureWorks, to get an update on security technology, and to see how threats are changing, how to be protected and what to do if your network has been compromised. Jeff writes an article for each issue of Enterprise Executive, reviewing a wide spectrum of security issues. He is a renowned cybersecurity expert who presents live talks and best practices throughout the world. So far, he has had more than 200 articles published on a variety of security topics. Enterprise Executive: What are the latest advances in security technology? Jeff Multz: The new technologies focus on behavior in your network to detect anomalous activity as soon as it starts. The two that stand out the most are technologies that monitor and analyze activity on your endpoints (workstations, laptops and servers) and technologies that monitor advanced malware and threats in your network and email traffic. The former helps you spot anomalous activity on your endpoints as soon as it begins and analyzes forensics to understand when the threat entered, what the attacker was seeking and how he got in. The latter helps you monitor and analyze suspicious inbound and outbound web and email traffic to detect advanced threats entering and leaving your network. Traditional network defenses are no longer enough to protect a network. EE: What are those traditional defenses, and do you still need them? Multz: Traditional defenses include: firewalls; antivirus (AV) technologies, such as software and Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS); access control lists, which permit or deny network traffic based on lists that state where the traffic is coming from or where it is directed; and Virtual Private Networks (VPNs), which use passwords and encryption to allow someone working from outside the network, such as in a caf¨¦ or at an employee¡¯s home, to connect to the network. In the past, malware was fairly simple. Now, I¡¯m simplifying this to make it easy to understand, but basically, malware, also known as malicious software that can harm a computer, is made up of code. So, let¡¯s say I create a piece of malware whose code is How Dell SecureWorks Is Helping Keep Organizations Safe ByDennyYost
- 3. 28 | Enterprise Executive | 2016: Issue 2 <123ABC> and is designed to steal your passwords whenever you go to a banking website. If I send you an email and you click on the link or attachment that is affiliated with that email, either the link or the attachment will automatically download that code onto your computer, and you¡¯ll have no idea that it happened. Once that code gets into your computer, each time you go to a banking website, it steals your login credentials and at some point the malware will connect back to my computer and will send me all your login credentials to all your banking websites. If I keep using this same malicious code, at some point security companies will recognize that <123ABC> is a bad thing and must be blocked. Once they write code that blocks my code, when I or another threat actor sends you an email with that code embedded in it, your email security service would block that email from ever getting to you. Instead of infecting you via an email, a threat actor could also embed that malicious code onto a legitimate website he hacked without the owner even knowing. For example, if an attacker hacked into a retail website, he could create malware that downloads when you click the link that says Pants. When a user clicks on the link, it downloads <123ABC>. But if your AV technology has that code built into it, the code will be stopped from downloading when a user clicks on it. EE: How has the malware changed since then? Multz: For one thing, malware now is often polymorphic, which means it changes once it enters your system. The malware embedded into the Pants link could actually be <901299>, but once it enters a computer it changes to <123ABC>. The people who create AV have created code that saw <123ABC> was bad and created software, which blocks that code from entering a computer, but <901299> is not blocked and that is what is going to be downloaded onto a computer when a user clicks on the link. There are lots of estimates out there about how much new malware is created each day. I¡¯ve seen the figure as high as 100,000. For argument¡¯s sake, let¡¯s just say there are only 10,000 new pieces of malware created each day. AV makers can¡¯t reverse engineer 10,000 pieces of malware each day to discover what the code is and then create new code to block it. Even if they could do that, the first time malware is created, it is going to slip by AV because no one yet knows it¡¯s bad because it has never been seen before. What¡¯s more, the attackers are now finding ways to get inside networks without even using malware by obtaining people¡¯s login credentials. For example, an attacker might send Sally at your office a phishing email saying a certain department at her job needs her to update some information. Sally¡¯s a diligent employee who tries to be efficient, so she abides by the request and clicks on a link to update the information. That link doesn¡¯t download malware, but it takes her to a sham web page that is built to look as if it is affiliated with a trusted company¡ªperhaps her own company¡ªand instructs her to use her work login credentials to update her home address and phone number. Once Sally logs in with her username and password, the attacker saves that information. Then, depending upon how the network is set up, the attacker might be able to access her computer remotely and sign in as Sally. No malware is needed. Now, the attacker can use Sally¡¯s computer remotely to peruse any files she has access to. Again, depending upon how the network is set up, from her computer the attacker might be able to get the network administrators¡¯ credentials, then the attacker has access to the entire network, far more files than even Sally could access. If Sally¡¯s company¡¯s network were set up with strict security controls, even if she did fall for that phishing email, the attacker might never be able to do anything with her login credentials because he would have no access to her computer.
- 4. 30 | Enterprise Executive | 2016: Issue 2 Very few companies have their networks set up in the best possible way, which leaves them open to attacks. That¡¯s why we recommend all organizations meet with a security consultant who is part of a cybersecurity company that has architected hundreds of networks because that person is going to know the tricks attackers use and the settings that need to be set to block them. Most likely, Sally¡¯s company, if it is like most companies, is not set up to block the numerous ways hackers can enter the network. However, no blocking technology is failsafe. That is why you need to monitor and analyze suspicious inbound and outbound web and email traffic to detect advanced threats entering and leaving your network, and suspicious activity on your endpoints. EE: So, how do the new technologies work? Multz: They work by spotting anomalous activity that has already gotten inside your network. This is important because it normally takes months before a company even knows a threat is inside its network, according to a report last year by the independent research company Ponemon. If you can recognize within one day that a threat is inside your network, imagine all the money and resources you save by getting that threat out of your network before an attacker has had time to gather information and then send it to a server he has access to. Security experts and regulatory agencies, such as the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA, say you must monitor your network 24x7x365 to spot threats immediately and get them out of your network before they have time to create damage. That¡¯s still important, but network monitoring only monitors devices that produce log data, such as servers, firewalls, routers and IDS/IPS devices. Since endpoints don¡¯t output logs, organizations could go for months without ever realizing an endpoint has been compromised, possibly giving an attacker time to access the entire network. Advanced Endpoint Threat Detection (AETD) is a service that alerts you when there is anomalous activity on your endpoints. That alert may happen as soon as something malicious is downloaded onto the device or when mischievous activity begins. Organizations have a baseline of normal activity on computers. When that baseline has been established, when something strays from the norm, an alarm goes off so the service provider¡¯s security analyst can research the activity. If the activity seems suspicious, the analyst has access to something similar to a flight recorder that tracks every step the threat actor has made since entering the network. If the analyst believes there is a true threat in your network, he can show you all changes the attacker made to the registry, or basic operating files, as well as all other changes the attacker made to your computer or network. If the attacker had created a ¡°backdoor,¡± also known as a secret way to get back inside your computer, just in case you were to find his existence and kick him out of your network, the analyst would be able to see that backdoor so that you could close it and the attacker could not return. An analyst would also be able to tell you how the attacker got inside in the first place, then you could implement countermeasures so it wouldn¡¯t happen again. EE: How does that differ from the other new technology? Multz: Now, the other new technology that companies should also implement is Advanced Malware Protection and Detection (AMPD). AMPD tracks traffic and emails going in or out of the network in a technology called a ¡°sandbox,¡± which is a computing environment that is isolated from the network and operates virtually to test ways in which the malware might perform. Applications, or code, in this case malicious code, can be executed in the isolated environment without harming a real computing device that is part of the network.
- 5. 32 | Enterprise Executive | 2016: Issue 2 It works like this. An attacker sends a piece of malicious code to a computer or server. An exact copy of that same code goes to the sandbox. In a good sandbox the malware will detonate, and as soon as anomalous activity is spotted, an alarm goes off, notifying a security researcher who will analyze the activity and the malware. The analyst will contact the victim¡¯s company to let it know of the malware and can help the company with remediation. Earlier, I talked about how malware has changed in the past couple of years. Attackers know companies use sandboxes, so a lot of malware is created that does nothing unless it thinks it is inside a real computer. The attacker doesn¡¯t want his malware to detonate in a sandbox because then the victim will know malware has gotten inside his computer, and the malware will be removed quickly, prohibiting the attacker from gathering information. So, attackers have created malware that only detonates if the malware believes it is inside a real computer. For this reason, it is important to know the type of sandbox your provider is using. We use one that is created with a CPU, which is the brains of a computer, so that the malware thinks it is inside a real computer and detonates, allowing an analyst to see exactly what the malware did. Whatever it did in the sandbox, it did or will soon take the same action in your real computing environment. AMPD also watches activity that is sent outside the network. If the attacker got inside your network without using any malware and starts sending files outside the network, that, too, would create an alert because AMPD catches anomalous outbound traffic. Those are the latest advances in technology. As attackers change their tactics and procedures, new security advances will continue changing to stop them. EE Denny Yost has more than 30 years of mainframe and IT experience. He is the associate publisher and editor-in- chief of Enterprise Executive and associate publisher of Enterprise Tech Journal. Email: denny@esmpubs.com ¡°Attackers know companies use sandboxes, so a lot of malware is created that does nothing unless it thinks it is inside a real computer.¡±
- 6. ±¾ÙYÁϤϡ¢¡¸Enterprise Executive¡¹ÕI2016Äê¶ÈµÚ2ºÅ¤Î’÷ÝdÄÚÈݤò’i»‚¤·¤¿ÄÚÈݤǤ¹¡£ Öø×÷˜Ø¤Ï¡¢Enterprise system media¤ËŽ¢Êô¤·¤Þ¤¹¡£www.enterprisesystemmedia.com ¥ê¥Ë¥å©`¥¢¥ë¤·¤¿µ±É祵¥¤¥È¤ò¤´´_ÕJ¤¯¤À¤µ¤¤ www.secureworks.jp