1. Strategies to Combat New, Innovative Cyber Threats - 2017
STRICTLY PRIVATE & CONFIDENTIAL © 2017
2. Enterprise Security for 2017

Key Cyber Threats to Defend Against in 2017:
Ransomware and its evolving variants
Compromised business processes
Increased organizational social engineering
Insider technical compromises
Threats to non-perimeter assets

Key Cyber Strategies to Deploy in 2017:
Analytical machine learning based detection
Enhanced end-point detection
Orchestrated responses
Digital VM systems
CloudOps and DevOps security
3. New, Innovative Threats to Watch out for

IoT threats: The Mirai worm and the Dyn attack exposed the vulnerability of IoT systems, which acted as a launch pad for other attacks. IoT device usage is expected to rise by 400% in 2017, making this a significant threat. Attacks on IoT devices such as cars, drones, industrial systems, and others should also be considered.

Fake news attacks: The rise in social media and self publishing, together with the shrinking attention span of readers, has caused an increase in fake news circulation. This will soon be used for cyber fraud by luring users to act on false information, such as selling stock and other schemes.

AI & voice first attacks: As we move beyond touch to voice based interactions, new forms of attacks are likely. Example #1: Tricking AI algorithms with fake data to gain information, and then having the voice-enabled system fool users into performing an action. Example #2: Your banking bot could talk consumers into giving away credentials to attackers.

Smart cities attack: Smart city grids that control transportation, utilities, communication, financial services, and other citizen life data will be prone to innovative attacks that leverage a single vector to impact multiple facilities, e.g. using business logic weaknesses to obtain data that enables compromise.

Bionics attack: Attacks on medical devices such as pacemakers are already being researched. As greater integration of human capability and technology occurs, attacks will become life threatening. 2017 will see more concept level threats showcased by researchers. The future will see a combination of neuro and cyber weapons as criminals catch on.
4. Key Threats 2017
5. Ransomware and Variants

Malware objectives between 2001 and 2017 have grown to include file deletions, network clogging, botnet creation, data stealing and selling, and data encryption for ransom.

2016 SAW A RAPID INCREASE IN RANSOMWARE
Attacks increased by 4 times compared to 2015.
Total losses due to ransomware attacks cost over one billion USD, affecting over 100 thousand companies.
Ransomware variations have also increased: layered infections that include Trojans and key loggers along with ransomware, and selective file and folder encryption.
Attackers are targeting high risk sectors such as financial services, healthcare, utilities and SMB.
Refer to the Paladion paper for the top variants of ransomware during 2016 and their IOCs for detection.

2017 WILL SEE
Ransomworm: ransomware combining worm capabilities so that it spreads fast.
Double dipping: adding data stealing capabilities along with encryption to double profits, once through ransom from the organization and then through the underground selling of the data.
Aided by more data on end points and easy anonymous pay gate options.
6. Business Process Compromise (BPC)

BPC consists of complex attacks using social engineering, malware, account takeovers, man-in-the-middle attacks, sniffing and data exfiltration.

Cyber criminals are targeting entire business processes more and more. Attacks on banks target payment processes involving multiple assets, users, and intimate transaction knowledge (e.g. Bank of Bangladesh). Several copycat attacks on payment systems were reported in the financial sector during 2016. Attackers also targeted inventory management processes, vendor payment processes, and supply chain processes.

These attacks have a higher payoff (averaging millions of USD as opposed to hundreds for ransomware). Larger, more organized cyber crime gangs and rogue nation state players will be attracted to such attacks. They take more time, skills and knowledge of internal processes, but the pay-off is significantly higher.

Global losses are estimated at over 2 billion USD, affecting thousands of organizations.

Organizations' abilities to defend themselves are weaker today. The focus is on protecting individual assets and applications, while ignoring attack campaigns on business processes.

2017 prediction: The average value in BPC attacks will go up, causing some organizations to lose tens of millions of USD. The number of affected organizations will still be lower given the effort involved in launching such attacks.
7. Targeted Business Social Engineering

Business social engineering schemes include CEO fraud, bogus invoice schemes, legal scare scams, identity takeover of executives, and PII data stealing.

Social engineering attacks on organizations have increased, with attackers conducting research on employees and company strategies before scamming high level employees. Attacker research includes social media data, company news releases, technology case studies, and internal data obtained through sniffing. Attackers then target lower level employees with emails, social media communications, and customized website messages.

The majority of BPC attacks involve long campaigns of targeted social engineering.

These attacks could also be short non-technical attacks such as Business Email Compromise (BEC) attacks, which saw a rise in 2016. BEC utilizes knowledge of an organization's internal processes to trick employees into conducting payments and other transactions on behalf of attackers. The estimated losses from BEC alone were over 3 billion USD in 2016, affecting over fifty thousand organizations globally.

2017 prediction: Given the amount of available online data on employees and organizations, this type of attack is easy to carry out. Innovation will no longer be on the technical aspects of an attack, but rather on fraud schemes. 2017 will see many variations in tricking employees to give away data or money.
8. Hi-Tech Insider Abuse

Insider threats have received reduced attention due to the stream of news about external attacks. But insider threats continue to affect organizations, despite their small number compared to external attacks (60% external versus less than 30% internal).

Over the past few years, two key controls, data leakage detection and privileged identity management, have contained this threat.

Insider threats continue to rise as the workforce composition changes. Today there is more technical knowhow and teleworking, but less organizational empathy. The following attacks will get more sophisticated:
Data leakage bypass through encryption
Chunking through micro blogging
Masquerading as normal traffic
Collaboration with external threat actors

2017 predictions: Insider attacks will become as hi-tech as advanced external attacks. These attacks will involve longer campaigns, multiple evasive tools, and co-worker social engineering for credential thefts.

Nine Things You Need to Know about Insider Threats (Types of Incidents): 35% of organizations have experienced at least one insider threat, with the following breakdown (the total does not equal 100% as some respondents had more than one type of incident):
Data leak: 49%
Fraud: 41%
Data breach: 36%
IP theft: 16%
9. Threats to non-perimeter assets

3 trends have already reached tipping point:
Teleworking and personal devices used for an increasingly mobile workforce (25% of employees work remotely at least part of the time; 32% have used personal devices in addition to corporate devices)
Cloud-first strategy for both native cloud and SaaS applications (57% of organizations have cloud assets today; organizations on average have 3 SaaS apps deployed)
Social media administering corporate information and marketing activities (corporate data is 40% as likely to be in social media as in internal stores)

Threats to these assets and data outside of enterprise perimeters are a reality. Cloud and social media incidents related to corporate data have seen a 70% rise.

Organizations have not formalized risk modeling frameworks for these assets and data. In addition, their on-premise risk mitigation isn't easily transferable. E.g. monitoring for threats in a cloud requires a different architecture and data collection, and existing IPS and SIEM cannot be extended in the same way cloud assets are.

2017 prediction: Attacks focused only on non-perimeter assets will increase. Organizations will have a significant delay in discovering them, compared to the average 150 days for on-premises attacks.
10. Key Strategies 2017
11. Strategy 1: Analytical and Machine Learning systems

Advanced threats are bypassing rule based systems. Malware, account takeover attacks, lateral movements, data exfiltration and fraudulent transactions are being modified by attackers to avoid detection.

The typical advanced attack is a long drawn out campaign, similar to a war with multiple battles within one single attack. Current detection systems are unable to link individual threats into the full campaign, preventing a big picture view of the attack.

2017 will see organizations adopt more analytical systems with machine learning capabilities and big data storage approaches to solve the latter two problems. Gartner estimates that over 50% of organizations will have security data warehouses with analytics data within the next four years. (For a detailed description of this strategy, refer to the Paladion report on Next Gen SOC and security analytics.)

Machine learning analytics will be applied for network analytics, end point analytics, user & entity behavior analytics, and for deeper mining of security alerts.

Use analytical and machine learning based systems for advanced malware and ransomware, slow and low attacks, unknown attack methods, data exfiltration, transaction frauds, and to see long drawn out campaigns.
12. Security analytics platform (diagram)

Layers shown: Connector Layer (ingesting Raw Data, Context Data and Alert Data), Visual Layer, Collaboration, Active Discovery, Active Response, Alerts.
Big data technology with data sciences:
Machine learning methods: outlier algorithms, pattern search algorithms, association algorithms, rare event algorithms
Graph theory: link analysis, visual analytics
Multi-node streaming rule engine
Data mining
Statistical & probabilistic modelling
13. Strategy 2: End Point Threat Detection

Organizations have matured via logs and network threat monitoring, made possible by wide adoption of SIEM, IPS and network sandboxing technologies. Advanced attackers are now bypassing these technologies by attacking users and their end point devices. DBIR data shows over 40% of today's breaches are caused by end point compromises.

Traditional anti-malware technologies can no longer contain these advanced attacks:
New malware that bypasses signatures and detects sandboxing
Malware using scripts and batch files
Account takeovers via social engineering or privilege escalation attacks on endpoints

Organizations will enable similar 24/7 monitoring for endpoints as is done for networks and logs today. This monitoring will continuously search for threat & compromise indicators on endpoints using a combination of rules, signatures, behavior anomalies, and peer profiling.

2017 will see large organizations rolling out EDR technologies and services. IDC estimates that over 80% of organizations will have this capability by 2018. Refer to Paladion's report on IST for more details on how to monitor threats at end points.
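The peer profiling and behavior anomaly detection described for endpoints, combined with the campaign linking Strategy 1 calls for, as an added example that is not Paladion's ETDR code: each host's daily telemetry is scored against the same-day peers in its own role with a median/MAD modified z-score, and a host's alerts are then chained into one campaign. The telemetry rows, peer groups, feature names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed daily endpoint telemetry (not real data):
# (day, host, peer_group, script_launches, outbound_mb, failed_admin_logons)
TELEMETRY = [
    (1, "fin-01", "finance", 2, 120, 0), (1, "fin-02", "finance", 1, 95, 1),
    (1, "fin-03", "finance", 3, 140, 0), (1, "fin-04", "finance", 2, 110, 0),
    (1, "dev-01", "dev", 40, 900, 0), (1, "dev-02", "dev", 35, 850, 1),
    (1, "dev-03", "dev", 45, 950, 0),
    (2, "fin-01", "finance", 2, 130, 0), (2, "fin-02", "finance", 38, 100, 0),  # script burst
    (2, "fin-03", "finance", 2, 125, 0), (2, "fin-04", "finance", 1, 115, 0),
    (2, "dev-01", "dev", 42, 880, 0), (2, "dev-02", "dev", 37, 900, 0),
    (2, "dev-03", "dev", 41, 920, 0),
    (3, "fin-01", "finance", 2, 125, 0), (3, "fin-02", "finance", 3, 2400, 9),  # exfil + logon failures
    (3, "fin-03", "finance", 2, 130, 0), (3, "fin-04", "finance", 2, 120, 0),
]
FEATURES = ("script_launches", "outbound_mb", "failed_admin_logons")
THRESHOLD = 3.5  # modified z-score cut-off (Iglewicz-Hoaglin rule); assumption


def robust_z(value, peers):
    """Modified z-score of one value against its peer group. Median and MAD
    are used so a single compromised host cannot drag the baseline along."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    return 0.6745 * (value - med) / max(mad, 1.0)  # MAD floored at 1 count (assumption)


def peer_anomalies(rows):
    """Alerts (day, host, feature, z) where a host deviates from the same-day
    peers in its role: 40 script launches is normal for a dev box but not for
    a finance workstation, which a single global baseline would miss."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r[0], r[2])].append(r)
    alerts = []
    for members in groups.values():
        for i, feat in enumerate(FEATURES, start=3):
            peers = [m[i] for m in members]
            for m in members:
                z = robust_z(m[i], peers)
                if z > THRESHOLD:
                    alerts.append((m[0], m[1], feat, round(z, 1)))
    return sorted(alerts)


def link_campaigns(alerts, min_alerts=2):
    """Strategy 1 style linking: several alerts on one host across days are
    reported as one campaign rather than as isolated events."""
    per_host = defaultdict(list)
    for day, host, feat, z in alerts:
        per_host[host].append((day, feat, z))
    return {h: sorted(a) for h, a in per_host.items() if len(a) >= min_alerts}


if __name__ == "__main__":
    found = peer_anomalies(TELEMETRY)
    for alert in found:
        print("ALERT", alert)
    for host, chain in link_campaigns(found).items():
        print(f"CAMPAIGN on {host}: days {chain[0][0]}-{chain[-1][0]}, {len(chain)} linked alerts")
```

The dev hosts are never flagged despite their high script counts, while fin-02's script burst on day 2 and its outbound volume and failed admin logons on day 3 are reported as one three-alert campaign.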
14. Endpoint threat detection and response flow (diagram)

1. Endpoints with agents installed
2. Paladion ETDR as a Service
3. Fast, accurate, complete detection at scale: continuous monitoring on endpoints for data leakage, malware activity, user behaviors and lateral movement
4. Analysis and investigation: IR for alerts (validate, prioritize, mitigate)
5. Remediation at scale: fix issues quickly and completely
15. Strategy 3: Response Automation and Orchestration

Manual incident response is a time consuming process. The average time for responses involving triage, incident analysis, containment, recovery, and eradication is over 35 days. Furthermore, organizations do not have runbooks for handling common incidents, and end up being unprepared for threats.

2017 will see organizations invest in central incident response platforms with automation for various stages of incident management. Organizations will build or acquire runbooks that integrate with these platforms. The platform will also have analytical capabilities to analyze incidents in depth, uncovering the full blast radius and patient zero for long campaigns.

Forrester estimates that over 37% of organizations are currently planning to automate incident response management through analytics. For more details on how to implement this strategy, refer to Paladion's reports on Next Gen SOC and security analytics & orchestration.
16. Response Automation Diagram

Alert Validation: verify how relevant the alert is in your context and the likelihood of damage
Incident Analysis: investigate the impact, attacker, attack campaign and extent of compromise
Containment: quickly contain the attack and its impact to stop the spread
Root Mitigation: design security features to remove root causes and prevent repeat breaches
… across the lifecycle 24/7
17. Strategy 4: Digital VM Programs

Vulnerability management programs in most organizations are slow and cumbersome. Automation of test planning, scheduling, reporting, mitigation, analytics generation, and distribution is limited.

The vulnerability results are not prioritized for attack scenarios, i.e. which vulnerability will be exploited in an organization's own context and hence needs faster remediation. There is limited threat intelligence gathering and correlation of vulnerabilities.

Digital VM programs aim to automate analytics and threat intelligence so that vulnerability discovery, mitigation, and stakeholder collaboration are fast tracked. These enable VM programs to run continuously like existing security monitoring programs.

2017 will see organizations implement digital VM programs with a centralized VM platform. Gartner estimates that enterprises that implement a strong vulnerability management process will experience 90% fewer successful attacks.

Refer to Paladion's report on this topic. It's time to stop being complacent about vulnerabilities and execute this strategy.

Diagram labels: Continuous, Automated, Intelligence; lifecycle: Analytics, Discovery, Testing, Triaging, Mitigation.
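The attack-scenario prioritization this strategy calls for, as an added example that is not Paladion's Triage Engine: constructed scanner findings are re-ranked by exposure, asset criticality and threat intelligence, so a CVSS 9.8 on an isolated lab host lands below a CVSS 7.5 on an internet-facing payment API that is being exploited in the wild. The weights, SLA bands, asset names and VULN-nnn placeholder ids are assumptions.

```python
from dataclasses import dataclass

# Asset classification and threat-intel flags are constructed inputs; the
# weights and SLA bands below are assumptions, not Paladion's triage rules.
CRITICALITY_WEIGHT = {"payment": 1.0, "business": 0.7, "lab": 0.3}
SLA_DAYS = ((8.0, 3), (6.0, 14), (4.0, 30), (0.0, 90))  # (score floor, days to fix)


@dataclass
class Finding:
    vuln_id: str                # placeholder ids, not real CVE numbers
    asset: str
    cvss: float                 # scanner base score, 0-10
    internet_facing: bool       # reachable by an outside attacker?
    criticality: str            # business value of the asset (see weights)
    exploit_public: bool        # threat intel: working exploit published
    exploited_in_wild: bool     # threat intel: used in active campaigns
    compensating_control: bool  # e.g. a virtual patch already blocking it


def priority(f: Finding) -> float:
    """Context-aware score 0-10: raw CVSS scaled by exposure, asset value and
    threat intel, so the ranking reflects the likely attack scenario."""
    score = f.cvss
    score *= 1.0 if f.internet_facing else 0.5
    score *= CRITICALITY_WEIGHT[f.criticality]
    if f.exploited_in_wild:
        score *= 1.5
    elif f.exploit_public:
        score *= 1.2
    if f.compensating_control:
        score *= 0.6
    return round(min(score, 10.0), 2)


def remediation_sla(score: float) -> int:
    """Days allowed for remediation, driven by the contextual score."""
    return next(days for floor, days in SLA_DAYS if score >= floor)


def triage(findings):
    """Rank findings for remediation as (vuln_id, asset, score, sla_days)."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.vuln_id, f.asset, priority(f), remediation_sla(priority(f))) for f in ranked]


# Constructed scanner output: note the CVSS 9.8 finding on an isolated lab host.
FINDINGS = [
    Finding("VULN-001", "payment-api-01", 7.5, True, "payment", True, True, False),
    Finding("VULN-002", "lab-build-07", 9.8, False, "lab", False, False, False),
    Finding("VULN-003", "intranet-hr-02", 8.8, False, "business", True, False, True),
    Finding("VULN-004", "www-edge-03", 6.5, True, "business", True, False, False),
]

if __name__ == "__main__":
    for vuln_id, asset, score, sla in triage(FINDINGS):
        print(f"{vuln_id} on {asset}: priority {score:>5}, fix within {sla} days")
```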
18. Digital VM platform (diagram)

Workflow Management and Vulnerability Analytics, built from: Asset Aggregator, Test Manager, Security Telemetry, Triage Engine, Solution Store, Policy Enforcer.
Roles: Test Administrators, PenTesters, Vulnerability Analysts, Solution SMEs, Remediators.
19. Strategy 5: Security for CloudOps and DevOps

Organizations moving to cloud for their development, in terms of testing and production systems, will look for integrating security into their CloudOps and DevOps.

DoS attacks are already happening on the cloud. It's the APT kind of attacks that will be difficult to detect in a cloud environment, and these can potentially affect multiple tenants simultaneously.

The two main requirements for security will be:
Speed of controls, given that CloudOps and DevOps are both highly automated in providing resources, changing configurations, and deploying systems & users
Seamless use of cloud technologies such as native APIs of cloud providers, configuration management systems such as Chef/Puppet, and ChatOps systems such as Slack

Securing CloudOps and DevOps needs tools that are built differently. This can be in security monitoring, vulnerability testing, configuration reviews, or identity & user activity monitoring.

In 2017, organizations will adopt new security architecture & practices to secure cloud assets and a more agile development environment. They will then look at integrating these security processes into their traditional on-premise security management systems for an integrated view.
20. Cloud Architecture (diagram)

Cloud data sources: CloudTrail, FlowLogs, CloudWatch, IAM, Docker, Windows servers, Unix servers, Amazon Console, Scanners, Automation Script.
Components: Collector, Network Threat Module, Cloud Security Platform, feeding on-premise SOCs.
21. Contact us today to combat today's sophisticated cyber threats
Visit: www.paladion.net
E-mail: sales@paladion.net

Editor's Notes: Non-perimeter: mobile/remote, cloud, customers and partners