2011-10 The Path to Compliance by Mark Brooks, Alert Logic

1. Alert Logic
The Path to Compliance
September 2011

2. Agenda
• State of the security market
– Organized Cybercrime
– Common Attack Methodology
• Compliance defined
– The Compliance Two-Step
– The Obligatory Response
• A Security First Approach
• Real World Examples

3. STATE OF THE SECURITY MARKET

4. Recent Attacks
May 4, 2009 Virginia Prescription Monitoring Program, Richmond Virginia
Compromised Records: 531,400
Type of Attack: Outside Hacker
Outcome: Attacker is still at-large. State notified 531,400 people of the breach by letter
November 10, 2010 Holy Cross Hospital, Ft. Lauderdale Florida
Compromised Records: 44,000 (1500 Confirmed)
Type of Attack: Internal Employee gained access to server
Outcome: Employee was fired and arrested. 5 other suspects have been charged.
February 10, 2011 Texas Children’s Hospital, Houston Texas
Compromised Records: 19,264
Type of Attack: Malware
Outcome: Attacker is still at-large. All patients were notified by letter
4

5. 2010 Data Breaches
Who is breaching data? How do breaches occur?
70% External Sources (-9%) 48% Involved Privilege Misuse (+26%)
48% Inside Sources (+26%) 40% Hacking (-24%)
11% Business Partners (-23%) 38% Malicious Code (<>)
27% Multiple Partners (-12%) 28% Employed Social Tactics (+16%)
15% Physical Threats (+6%)
What Commonalities Exist
85% Attacks were not highly difficult
85% Breaches were the result of opportunistic attacks
96% Were considered avoidable through reasonable controls
*Statistics from 2010 Verizon Business Data Breach Investigation Report
5

6. ORGANIZED CYBERCRIME

7. Cybercrime Market
The Numbers
– Global computer crime market estimated
to be $7B in 20101
– Russia responsible for $2.5B
– Growing ~35% per year overall
Interesting Trends
– Increase of specialization of participants
– On-Demand and Pay-Per-Use services
– Developing C2C market
1 Group-IB Report - 2010

8. Crime Pays
Stolen Assets/Criminal Activity Payout
Credit Card Details $5-10, expected $1-2 post PSN
Bank Credentials $80-$700
Bank Transfers 10% to 40% of amount transferred
Social Security Numbers $30-50
0Day Exploits $5,000 - $100,000
Exploits for published vulnerabilities $5,000 - $50,000
Exploit Packs $200 - $5,000
Malware Pay-Per-Install Up to $1.50 for US victims, $0.15-0.60 for
other countries

9. How it Works – The Business Model
Register With
Cybercrime Group 2 Data Sold Wholesale
5
BLACK MARKET
Purchase Malware Pack CYBERCRIME
1 GROUP
6 Payment Made
4 Infected Users Send
Data to Group
DISTRIBUTOR
Infect Users, P2P 3
seeding, XSS
VICTIMS

12. COMMON ATTACK METHODOLOGY

13. Traditional Attacks
Hacker Profile
– Talented individual
– Young, bored
Motivation
– To prove a point
– Curiosity
– Credibility
Attack Methods
– Worms targeting memory vulns in network services
– Attack payload not usually customized

14. Modern Attack Profile
Hacker Profile
– Organized Crime (84%)
– Dedicated teams who are paid
– Teams often work for criminal
organizations as a career
Motivation
– Targeted attack for financial gain
– Desire anonymity
Attack Methods
– Vulnerable web applications
– Client side applications
– Malware used to keep control

15. Delivery/Attack Surface
Infection Method Difficulty Effectiveness
Websites Easy Good
P2P Networks Easy Medium
SPAM Easy Medium
Paid Ads Medium Medium
Phishing Easy Poor
Traditional Network Exploit Difficult Poor
Blackhat SEO Medium Medium
Cross Site Scripting
‐ Most sites are vulnerable
‐ Easy to find and users trust the websites
SQL Injection
‐ Easy to find
‐ Very common
Source: Veracode State of Software Security Report, April 2011

16. COMPLIANCE DEFINED

17. Security and Compliance Management is
Becoming More Difficult Every Day
Increasing number and sophistication in security threats
• Improved organization and sophistication of attackers
• Prolonged and persistent targeting with compressed timelines to react
• Rise of contaminated spam, botnets, and social engineering for malicious breaches
Increasing complexity in maintaining compliance
• Continuous updates in requirements and reporting standards
• Adoption of new regulatory compliance standards
• Manual and laborious processes
Increasing cost to support and maintain (HW, SW, FTEs)
• Training on the latest compliance requirements and security threats
• Updating, patching, and maintaining software, scripts, and processes
• Rollout of new HW/SW to keep up with increased demand

18. Complicated and Costly Compliance Picture for
Healthcare
Implement People, Process, & Technology for Compliance
• HIPAA 164.308 Administrative safeguards
• HIPAA 164.312 Technical safeguards
Penalties for EMR Non-Compliance Coming into Effect
• Penalties and Fees up to $1.5M for neglect
• Data Breach Notification to HHS and Local Media for breaches
>500 patients
What about PCI compliance?
• PCI applies to every entity that stores, processes,
or transmits cardholder information
• Patient billing, pharmacy, etc.

19. Compliance… a costly problem
HIPAA & HITECH
Vulnerability 164.308 (a)(1)(ii)(A)
Risk Analysis – Conduct Vulnerability Assessment
Assessment
164.308 (a)(1)(ii)(B)
Risk Management – Implement security measures to reduce risk of security breaches
164.308 (a)(1)(ii)(D)
Information System Activity Review – Procedures to review system activity
IDS/IPS/Log 164.308 (a)(5)(ii)(B)
Protection from Malicious Software – Procedures to guard against malicious software host/network IPS
Management
164.308 (a)(6)(i)
Log-in Monitoring – Procedures and monitoring for log-in attempts on host IDS
164.308 (a)(6)(iii)
Response & Reporting – Mitigate and document security incidents
164.312 (b)
Log Management Audit Controls – Procedures and mechanisms for monitoring system activity

20. Compliance… a costly problem
PCI DSS SOX (CobiT)
Penalties: fines, loss of credit card processing, and Penalties: fines up to $5M, up to 10 year in prison
level 1 merchant requirements
DS 5.9 Malicious Software Prevention,
6.2 Identify newly discovered security
Detection, and Correction
Vulnerability vulnerabilities
“put preventive, detection, and corrective measures in place
Assessment 11.2 Perform network vulnerability scans (especially up-to-date security patches and virus control) across
quarterly by an ASV the organization to protect information systems and technology
from malware (e.g., viruses, worms, spyware, spam)”
DS 5.6 Security Incident Definition
“clearly define and communicate the characteristics of potential
5.1.1 Monitor zero day attacks not covered by security incidents so that they can be properly classified and
Intrusion Anti-Virus treated by the incident and problem management process”
DS 5.10 Network Security
Detection 11.4 Maintain IDS/IPS to monitor & alert
“use security techniques and related management procedures
personnel, keep engines up to date
(e.g., firewalls, security appliances, network segmentation,
intrusion detection) to authorize access and control information
flows from and to networks.”
10.2 Automated audit trails
10.3 Capture audit trails DS 5.5 Security Testing, Surveillance, and
Monitoring
Log 10.5 Secure logs
“…a logging and monitoring function will enable the early
Management 10.6 Review logs at least daily prevention and/or detection and subsequent timely reporting of
unusual and/or abnormal activities that may need to be
10.7 Maintain logs online for 3 months addressed.”
10.7 Retain audit trail for at least 1 year

21. The Ugly Truth
• Compliance is the output of post-mortem
– Some organization did not secure their data, and now everyone else
must deploy solutions, software, policies, and guidelines
• Compliance will always be a step behind the latest threat
• Compliance will NEVER mean you are secure
• Compliance mandates will continually be expanded, as
hospitals, insurance companies, and other health care resources
experience breaches, privacy violations, and security issues

22. The Compliance Two-Step
• Organizations continue to check the compliance box and then
struggle to maintain compliance
• IDS, Log Manamement and Vulnerability Scanning are the most
expensive and resource intensive – and also the most difficult
for organizations to implement and maintain
• Attacks are not being detected in an acceptable time
• Organizations that achieve compliance are able to protect their
patient data
• Companies will continue to fail to achieve compliance due to
lack of time, budget, and technical resources

23. The Obligatory Response
Protective Technical Controls
• Firewalls
• Routers
• Antivirus
• System Patching
• Complex Passwords
• Data Access Controls
• Whole Disk Encryption
• VPNs

24. A SECURITY FIRST APPROACH

25. Analyzing the Facts
• Companies aren‘t detecting attacks in an effective way
– Why? Chasing false alarms, other priorities, etc…
• Companies are not focusing on continuous security
– Too many companies check a box and move on
• Companies must review log data
– Companies need to be more vigilant in this area
• Most of the 99% of breaches could have been caught
– With effective intrusion detection systems, log management and
vulnerability assessment
25

26. Common Trends
• Strong push towards SaaS and MSSPs to augment their staff
• Some are looking towards cloud-based technologies to reduce
technology expenditures
• Moving away from general standards like HIPAA and SOX
towards PCI and DISA Standards
• Deploying centralization solutions to tie together their
compliance efforts
• Using GRC tools

27. Defending Users
AV Isn’t Enough
– Malware evolves ahead of AV signatures
Education
– At least half of the executables on P2P network infected
– Don’t install software from untrusted sources
– Safe browsing
– Flash drives

28. Infrastructure Defense
Close your Perimeter (egress too!)
Patch your systems
Vulnerability scanning
– Automated vuln scans & review them regularly
IDS
– Attempted botnet comm, network scans
– Propogation over RPC exploits, brute forcing Windows shares
Log Management
– Account lockouts due to brute force
– Proxy logs
WAF

29. REAL WORLD EXAMPLES

30. Use Case #1: Security Issues and Identity Theft
• Scenario
• One of your system administrators returned from a two-week vacation
and was unable to login
• He believes his account has been locked out, but he’s not sure why
• Key Questions to Answer:
• Why is the account locked out?
• Where did the lock out occur?
• When did it occur?
• How did it occur?

31. Effective Log Management Can Prevent Breaches
and Provide Compliance
Breached customer records cost businesses an average of $202
per record in 20091
“86% of victims had evidence of the breach in their logs…”
“in most attacks, the victim has several days or more before
data was compromised.”2
Breach or
Suspicious Intrusion or Malicious IT alerted
Log Activity Penetration Activity
Without
Too Late
Log Mgmt
With Breach is
Log Mgmt Avoided
Log collection and SOC is alerted and
monitoring detects security containment
activity; sends alert steps are executed

32. Compliance and Security Simplified:
Security Issues and Identity Theft
Key Compliance and Security Activities
Investigating Monitoring Alerting
Log in to a domain controller. Log in to a domain controller
Examine the AD object for the daily. Create a filter on the Wait for the System Admin
Without user to determine the time of username every day, and to call if their account is
Log Management lock-out. Review the logs on review the logs. Repeat locked out again.
each domain controller process for every domain
manually. controller.
Issue: Manual & Timely Issue: Expensive Issue: Reactive
• Common index with search capabilities.
With • Automated alerting and notification.
Log Management • Regular reporting and forensics

33. Use Case #2: Audit Resolution Challenges
• Scenario
• A new policy is initiated to require any new Domain Administrators to
only be added by the Security Department
• A few weeks later, a routine audit discovers some new members in the
Domain Admin Group
• Key Questions to Answer:
• When were these users added?
• Who added them?
• Who was added?

34. Compliance and Security Simplified:
Audit Resolution Challenges
Key Compliance and Security Activities
Investigating Monitoring Alerting
Log in to a domain controller. Log in to a domain controller
Review the logs for group daily. Review Domain Admins Wait for the System Admin
Without changes. Hope the logs are group and verify no one has to call if their account is
Log Management still on the system and have been added or removed since locked out again.
not rolled over. Repeat for the last review.
each DC.
Issue: Manual & Timely Issue: Expensive Issue: Reactive
• Search on the Group Member Added and filter on Domain Admin.
With • Save View and have the report emailed on a regular basis.
Log Management • Build an automated alert to notify when users added, removed, changed

35. Use Case #3: Hacker/Attacker
• Scenario
• For several weeks your network has been running slow
• Some systems have been performing abnormally and there are new
user accounts that cannot be tied back to a particular user
• Suddenly, you receive an odd e-mail from an alleged hacker who
claims to have access to sensitive patient files
• Key Questions to Answer:
• Have you been hacked?
• If so, when did it begin?
• How would you respond?
• Should you notify the media?

36. Compliance and Security Simplified:
Business Critical Applications
Key Compliance and Security Activities
Investigating Monitoring Alerting
Log in to the firewall/VPN Log in to VPN. Search inside
gateway, look through the of the VPN Disconnect Wait for the Network
Without
logs (if it can store the logs). messages. See what time the Engineer to log in and
Intrusion Detection Look for disconnect disconnect occurred and all discover it is down.
messages, and errors. Etc. errors related to the VPN
session.
Issue: Manual & Timely Issue: Expensive Issue: Reactive
• Use logs to search for suspicious message, account creation, firewall
With messages.
Intrusion Detection • Use IDS to look for attack attempts.
• Focus efforts on actionable security incidents

37. With Complicated Threats, There is a Need for
Security Expertise
Lots of point solutions, but difficult to consume all the data
It is nearly impossible to be aware of all forms of attacks and
attack-responses, and perform all the other functions expected
relating to daily operations
Breach or
Suspicious Intrusion or Malicious IT alerted
Log Activity Penetration Activity
Without IDS
Too Late
With IDS Breach is
Avoided
Log collection and Security containment
monitoring detects steps are executed
activity; sends alert

38. CONCLUSION

39. Meeting the Challenges Head On
• Move from manual to automated log management
– Keys to success: effective and sustainable log management and review
• Choose a vulnerability assessment solution that aligns with your
network
– Keys to success: centralized view and remediation knowledge
• Select an intrusion protection solution that doesn’t require
costly implementation, configuration and management
– Keys to success: Implement a solution that adapts to your network
security policies and minimizes the work load of your resources

40. Q&A

41. Who is Alert Logic?
Founded: 2002
Customers: 1,200+, spanning 3 continents
Staff: 100+
Service Renewal Rate: ~99%
Experienced Management
Profitable w/ Strong Balance Sheet
Patented SaaS Products Integrated Services
Log Manager LogReview
Threat Manager ActiveWatch
• Easy to implement and deploy • 24x7 Security Operations Center
• Flexible and Scalable • GIAC-certified security analysts
• Improve security and threat visibility
Delivering measurable • Meet compliance requirements
• Lower, more predictable costs
customer benefits • Quicker Time-to-Value

42. Contact
• Mark Brooks
• mbrooks@alertlogic.com