This document discusses Hewlett-Packard's Enterprise Security Services which provide consulting, managed security services, and threat intelligence to help organizations address security risks and the growing cyber threat landscape. It summarizes an HP presentation which outlines the retail security breach environment, lessons learned from recent high-profile retail breaches, and HP's portfolio of security services including rapid incident response, perimeter compromise checks, and threat intelligence from HP's global security operations centers and researchers.
A debit card processing company was breached in India. To break into companies like this, it is likely that profiles were first developed on key employees…
There are experts who build profiles.
I want to attack company X. I find out who the top execs are. I might go on LinkedIn. I look at their Facebook posts. I know his friends. Places he’s been. Restaurants he checks into. I find out what he likes to do. It makes the victim easy to attack because the profiler knows things about him or her that not many people should know.
If you are an expert profiler, you can build these profiles and sell them on the black market, i.e., the internet, to the highest bidder. I have 10 profiles from company X. Who wants them? Hackers buy these profiles because it is more efficient than doing the profiling themselves. It takes far less time to buy them than to build them yourself.
These hackers then breached the company. They might have used a phishing attack and installed malware to break into the network and use the employee’s credentials. They may build their own toolkits. Or go online and rent botnets for $18/day. Or buy a Zeus kit for $7K or so. They only had to be right once. It is likely that after these companies were breached, these hackers raised their hand and sold these breach points to the highest bidder. I have 50 access points. Who wants to buy that?
After the breach, we don’t know how long the adversary was there. It could have been months… years? Then comes the person who is really good at using those access points: figuring out where your sensitive data is, mapping your environment, figuring out your configurations. They create this map… They raise their hand, put it on the Internet and sell it to the next person.
Eventually the criminals were able to access some critical databases and change the account profiles, including withdrawal limits and account codes. This information was taken out of the company and provided to their colleagues or sold to a third party. From there the cards were made and the teams hit the streets to withdraw cash from the ATMs.
This information is monetized and feeds this entire ecosystem.
Are there vertically integrated bad guys? Yes. Nation states, large criminal organizations. But if someone is more efficient and more effective at one of those stages, why wouldn’t you just buy it? When talking about cyber security, we focus too much on the specific actors, whether state-sponsored, a “hacktivist” or a cyber criminal. We need to focus on the full marketplace in which these actors participate. The market organizes these actors around the market processes for a breach, enabling disparate parties to collaborate. As actors specialize in this marketplace – in order to make more money – innovation is extraordinary. This criminal ecosystem is much more efficient at creating, sharing and acting on security intelligence than the ecosystem that exists to defend our customers.
The standardization of security policies has done a great deal to raise the bar for our industry. But it will continue to fail to make us secure because it lacks a focus on the adversary. No framework discussed in committee will be able to evolve as fast as a marketplace. We need to build our response in a way that disrupts the adversary at every step of their process.
Hacker researches target
Selects HVAC vendor for phishing attack
Steals passwords via Citadel
Accesses Target internal servers/network with stolen credentials
Uses SQLi to deliver malware to POS systems
CC data scraped and sent to internal server
Data exported to external dump server
Credit card ‘dumps’ sold for $26 - $44 each
We need to look at solutions that help us determine that something is afoot.
In building out the capabilities for disrupting the discovery and capture stages, big data and the ability to process large data sets in real time and at scale are powerful. We need to look at the data you already have in your organization to find something that is unusual. If a verified employee, i.e., the individual whose profile was hacked, starts doing something uncharacteristic, like accessing file shares they haven’t before or changing database records, you should know about it. If data flows don’t match predicted processes, alerts should be set off.
Now, what these criminals are looking for is your critical data: IP, customer information, etc. What are you doing to protect your critical data? Is it encrypted? You should know when it is being moved, accessed inappropriately, or sent outside the organization in an email, in a post on a Facebook account or to cloud storage. The increase in the types of information that can be correlated from all over the enterprise and from data outside the enterprise is phenomenal. Organizations are monitoring the cyber black markets for their enterprise’s sensitive data and including data from cloud infrastructures in their security operations environment. We are working with companies to combine employee sentiment with abnormal access behavior to find malicious insiders.
Finally, the adversary will beat us at some point. What capabilities do we have for responding after they have won?
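As an added illustration of the baselining the two paragraphs above describe (example code, not part of HP’s presentation or products), the following compares each employee’s recent resource access and outbound transfer volume against a profile built from earlier activity; the user names, share paths and byte counts are constructed.

```python
from collections import defaultdict

# Constructed sample access logs (not real data). Each record is
# (user, action, resource, bytes_out). BASELINE_LOG is "normal" history,
# RECENT_LOG is the activity to be checked against it.
BASELINE_LOG = [
    ("jdoe", "read", "fs01/finance", 0),
    ("jdoe", "read", "fs01/finance", 0),
    ("jdoe", "read", "db01/accounts", 0),
    ("jdoe", "send", "mail", 120_000),
    ("asmith", "read", "fs02/marketing", 0),
    ("asmith", "send", "mail", 900_000),
]

RECENT_LOG = [
    ("jdoe", "read", "fs01/finance", 0),           # normal
    ("jdoe", "read", "fs03/hr-payroll", 0),        # share never touched before
    ("jdoe", "modify", "db01/accounts", 0),        # read-only user now changing records
    ("jdoe", "send", "cloud-storage", 4_000_000),  # far above this user's usual volume
    ("asmith", "send", "mail", 950_000),           # within normal range
]

def build_baseline(log):
    """Per-user profile: the (action, resource) pairs seen so far and the
    largest single outbound transfer observed."""
    seen = defaultdict(set)
    max_out = defaultdict(int)
    for user, action, resource, bytes_out in log:
        seen[user].add((action, resource))
        max_out[user] = max(max_out[user], bytes_out)
    return seen, max_out

def detect_anomalies(baseline, log, volume_factor=3):
    """Return (user, reason, resource) tuples for events outside the user's
    baseline: a resource never used before, a first modification of a
    resource the user only ever read, or an outbound transfer more than
    volume_factor times anything the user has sent. A user with no history
    has an empty profile, so all of their activity is flagged."""
    seen, max_out = baseline
    alerts = []
    for user, action, resource, bytes_out in log:
        known_resources = {r for _, r in seen[user]}
        if resource not in known_resources:
            alerts.append((user, "new-resource", resource))
        elif action == "modify" and ("modify", resource) not in seen[user]:
            alerts.append((user, "first-modify", resource))
        if bytes_out > volume_factor * max_out[user]:
            alerts.append((user, "volume-spike", resource))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_LOG), RECENT_LOG):
        print(alert)
```

Replaying the baseline against itself yields no alerts, which is the quick sanity check to run before pointing such a rule at real logs.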
But no one knows this better than you. You deal with it every day. So none of these statistics really surprise you.
And you know, all too well, that it’s not really a question of “if” you will face these challenges, but “when” and, more importantly… “HOW” you will deal with them.
For instance, one number that really jumps out at me is that 94% of breaches are reported to organizations by a third party. In the US, there was a famous case in which a credit card processor was hacked at a cost of $140M. They were told by a partner. And in the case of some of the largest breaches in the last several years, the victims found out via social media. Does your organization have a plan for that sort of thing? And how can we manage these things better?
As we talk about the trends and solutions, I hope you come away with three big ideas.
First, security has to be elevated to a board of directors level of concern. It has to be central to your objectives and strategy.
Second, you’re facing more pressure and more aggressive security challenges than ever before—and this requires a different, proactive approach to ensure your organization’s security.
Third, you need full visibility into the risks you face so that you have the information to make wise investment choices.
How CIRT transitions response and forensics actions and effort to a real-time, remotely managed model.
In brief, anything with a purple accent is either directly or remotely influenced by the capabilities of CIRT and is therefore manageable by DIS.
HP Security products and services help you disrupt the adversary, manage risk and extend your security capabilities to better protect your enterprise, allowing you to support your organization’s innovation requirements. HP also believes that we as security professionals need to do more - to better share and collaborate with each other to beat the bad guys and respond to imminent threats more quickly and effectively.
HP advocates an integrated approach to security, one that starts with a single, comprehensive view of risk across the extended enterprise, and driven by your enterprise priorities and goals. Although, we know that everything in an organization can never be completely secure, you can implement a more proactive and effective pan-enterprise approach to information security and risk management.
HP Security is designed with 3 principles in mind.
DISRUPT. HP Security – Next-generation security solutions to disrupt the adversary marketplace
Enterprise security must evolve as the adversary marketplace has become more specialized and efficient. Enterprises must have real-time threat disruption capabilities. Instead of solely focusing on keeping the adversary out, HP advocates a security approach that involves disrupting the entire lifecycle of an attack, by investing more in prevention and detection from the application layer down to the BIOS layer. HP’s services, products, research and unparalleled experience provide real-time threat disruption: self-healing technology integrated with crowd-sourced security intelligence to disrupt the adversary.
HP’s Zero Day Initiative, DVLabs and Threat Exchange find, disrupt and eliminate threats and vulnerabilities as they occur. HP’s approach to disrupting the adversary marketplace will ultimately reduce your exposure time and increase your effectiveness in protecting your data from external and internal theft.
MANAGE
Although organizations are increasing spend on cyber security, CIOs and CISOs are faced with the challenge of identifying, retaining, and educating security professionals. Quite simply there are not enough resources to go around. HP Security provides expertise to extend your capabilities and complement your existing resources. HP’s experience across the entire IT landscape, from data centers through the cloud across hybrid infrastructures and on any device gives us the unique ability to offer the industry expertise and skills you need to help you reduce the cost and complexity of securing your infrastructure.
HP gives you access to 5,000 security industry specialists with a combined experience of over 657 million hours! We work with you from an initial security assessment through a security transformation program to full management of your environment.
And, in the event a breach does occur, HP’s security incident response services give you access to industry experts who will work with you to respond and remediate quickly to minimize the impact and exposure of a breach to your organization. HP has forensic, litigation and data recovery services with 24x7 monitoring capabilities, underpinned by rapid detection technologies in HP ArcSight, to better respond to and manage the effect of a data breach on your organization. HP Security consultants help you navigate new business models, as well as understand the ever-changing legal and regulatory landscape, to better protect your enterprise.
EXTEND
HP Security – Security solutions to better manage risk and compliance.
Internal security teams are struggling to cope as the nature and volume of attacks on our organizations increase, and the regulatory landscape becomes even more challenging.
HP Managed Security Services detect intrusions within 11.8 minutes of their arrival and resolve 92% of major incidents within 2 hours of identification, significantly reducing your risk exposure and avoiding fines resulting from non-compliance.
HP Managed Security Services (MSS) teams have extensive, industry-specific knowledge of legal, regulatory and standards developments. HP teams have ISO 27001 certification and work to international standards for information security management, giving you the tools, teams and processes you need to comply with (amongst others) PCI, SOX, HIPAA and EU data privacy laws.
EXTEND. HP Security – Extend your capabilities with HP
Your security effectiveness is only as good as the security research behind it, and DVLabs has been the industry leader for years. In addition to our own in-house security researchers, DVLabs manages the Zero Day Initiative (ZDI), a global organization of researchers constantly looking for new application vulnerabilities:
3000+ researchers registered
Typical profile: male, teen to mid-twenties, hobbyist
3,400+ 0-day vulnerabilities submitted by these researchers
1100+ 0-day vulnerabilities purchased (30+%)
Plus, over 2,000 customers leverage and contribute information to our ThreatLinQ security portal. ThreatLinQ houses up-to-the-minute security information from around the globe that customers have access to 24 hours a day, 7 days a week.
We also partner with other leading research organizations like SANS, CERT and NIST to consolidate security intelligence resulting in the most advanced intelligence network anywhere in the world.
But nothing beats the actual experience gained in the day-to-day defense of client networks. Through our work managing and monitoring some of the largest global networks, HP collects and analyzes vast amounts of threat information not just to identify the issue at hand, but to anticipate the next attack. That makes threat intelligence applicable and a powerful weapon our clients can use now.
The sheer volume of data and security events flowing through our operations centers gives us tangible experience not just to address today’s attack, but to prepare for tomorrow’s innovation:
HP monitors more than 8 billion data log entries monthly through our global operations centers, identifying more than 2 billion security events every month that require review. (Source: HP internal data).
Studies indicate that more than 2 Billion devices will be in circulation in 2014 (Source: Gartner). HP currently monitors and manages more than 2.5 million enterprise endpoints and devices in 65 countries, and more than 40 million user accounts. (Source: HP internal data)
HP monitors and manages traffic across more than 7,000 enterprise and government networks globally. (Source: HP Internal Data)
For our consulting portfolio, it is vital to offer our clients a comprehensive portfolio (end to end, led from GRC down, and vendor agnostic).
Our service encompasses advisory and assessment, architecture, implementation, assurance and testing.
Our consultants must have deep knowledge of the complex security controls in any environment to offer you independent advice.
Need to be agnostic: HP technology solutions plus partners.
Need to be industry aligned, given that the threats facing industries are very different (as are the risk/compliance landscapes).
Our big investment area is scale and consistency across the globe; feedback has been that when we provide this capability it is market leading/first class.