Are You Missing These Benefits of a 24/7 SOC?

Many businesses are turning to a 24/7 SOC delivered through a managed security services provider (MSSP) to protect their business. When it comes to protecting your business, there is no such thing as being too cautious. In today’s increasingly connected world, cyberattacks are becoming more and more common, and the stakes are higher than ever before.

SOC-as-a-Service

SOC-as-a-Service, or Security Operations Center (SOC) as a Service, is a remote monitoring and management service that provides around-the-clock security monitoring and incident response for organizations. A SOC as a Service can help organizations prevent, detect, and respond to cyberattacks before they cause damage.

By entrusting your security to a SOC-as-a-Service provider, you can rest assured that your business will be protected around the clock. SOC MSSPs have the resources and expertise to constantly monitor your systems for threats and respond quickly in the event of an attack.

In addition, SOC-managed security services providers can help you comply with industry regulations and protect your data from theft or loss. When it comes to safeguarding your business, MSSPs that offer 24/7 threat detection services through their SOC are an essential safeguard.

What is a SOC?

A SOC, or security operations center, is a team of security professionals that is responsible for monitoring, detecting, and responding to security threats. A SOC can be run internally by a company, or it can be outsourced to a managed security services provider (MSSP).

What is an MSSP?

A managed security service provider (MSSP) is a company that provides organizations with expert security monitoring and guidance, typically on a subscription basis. MSSPs can provide a wide variety of services, from round-the-clock monitoring of an organization’s security systems to more comprehensive offerings that include incident response, vulnerability management, and compliance management.

Why do I need an MSSP?

There are many reasons why organizations might choose to outsource their security monitoring and management to an MSSP. One of the most common reasons is a lack of in-house expertise or resources.

Organizations may also choose to partner with an MSSP to supplement their existing security team or to free up their team to focus on other tasks.

What are the benefits of an MSSP?

Many organizations are averse to outsourcing their security to an MSSP. Why? Because they don’t want to give up control of their security or they’re concerned about the cost. However, there are several advantages to working with an MSSP, including:

24/7 Monitoring and Protection from Cyber Threats

Managed Security Service Providers (MSSPs) provide 24/7 monitoring and protection from cyber threats for organizations of all sizes.

SIEM (security information and event management) is a key technology offered as a managed security service that collects and analyzes data from multiple sources to identify potential security threats. By identifying potential threats early, managed security services can help organizations avoid costly data breaches and other damage caused by cyber-attacks.

In addition to SIEM, managed security services can also include managed firewalls, intrusion detection and prevention systems, malware protection, and more.

Access to Expert Security Resources and Guidance

When you partner with an MSSP, you gain access to a team of security experts. These experts can help you to develop and implement effective security strategies, choose the right security technologies, and stay up-to-date on the latest security threats.

By outsourcing your cybersecurity needs to managed security service providers, organizations can benefit from the expertise of experienced cybersecurity professionals. In today’s digital world, managed security services are an essential part of protecting businesses from the ever-growing threat of cyberattacks.

Relief from the Burden of Managing Security Systems

Managing your security systems internally can require multiple full-time employees, and even more once you account for staffing around the clock. For small and medium-sized businesses, this can be a daunting task, as they may not have the resources or expertise to manage their security systems effectively.

MSSPs can take on the burden of managing an organization’s security systems, freeing up time and resources that can be better spent on other tasks. If you are considering the costs of an internal SOC vs. outsourcing to an MSSP like Cybriant, download our eBook, “Insource vs. Outsource.”

Improved Compliance with Industry Regulations

MSSPs can help organizations meet complex compliance requirements, such as those related to PCI DSS, HIPAA, and GDPR.

This can be anything from network log monitoring, vulnerability, and patch management, to security assessments. For government contractors, CMMC compliance is an up-and-coming regulation that will require a new set of requirements. Cybriant has the expertise to help guide you through any regulatory requirements.

Peace of Mind Knowing that Your Business is Being Protected by a Team of Experts

Knowing that your business is being protected by a team of experts can give you peace of mind and allow you to focus on other aspects of your business.

Cybriant’s 24/7 SOC provides a unique client portal that includes detailed reporting so you will always know the threats that have been blocked. If there is ever an issue, our team works hand in hand with your team to remediate any potential problem.

Seeing firsthand the threats that a team of 24/7 security analysts, enterprise-level technology, and threat intelligence have stopped will allow your organization to sleep well at night.

Cost savings

What is the price for outsourcing your security services, such as 24/7 network monitoring, MDR, XDR, or vulnerability management? The easy answer is: it depends. Typically the cost is a low monthly fee that is very competitive, especially when you consider the cost of hiring full-time cyber security personnel.

When you factor in the cost of employee benefits, overhead, recruiting, and training it is easy to see the value in outsourcing to an MSSP.

The other cost saving that is often overlooked is the improvement to your company’s bottom line by avoiding a costly data breach or downtime caused by a malware attack on employees.

Improved Security Posture

An organization’s security posture is its current level of security. This can be assessed through a variety of factors, including the organization’s cybersecurity preparedness, vulnerability to cyberattacks, and compliance with industry regulations.

An improved security posture means that your organization has a reduced threat landscape, which means less of an opportunity for hackers to exploit vulnerabilities. In other words, your organization is better protected from cyberattacks.

Reducing your risk of cyber threats will improve your customer retention. When clients feel safe working with you, they are more likely to stay with your company, which leads to increased revenue.

Improved Productivity

Another benefit of managed security services is improved productivity. When businesses outsource their cybersecurity needs, they free up time and resources that can be better spent on other tasks.

This allows businesses to focus on their core competencies and leaves security in the hands of experts. As a result, businesses can improve their overall efficiency and bottom line.

Faster Incident Response

Mean time to threat detection (MTTD) and mean time to response (MTTR) are two important metrics when it comes to cybersecurity. MTTD is the average time it takes for a threat to be detected, while MTTR is the average time it takes to resolve an incident.

Both metrics are important because they help organizations understand how quickly they can respond to incidents. The faster an organization can detect and respond to incidents, the less damage it will suffer.

Managed security services can help reduce MTTD and MTTR because they provide 24/7 monitoring and rapid response times. This means that incidents can be detected and resolved quickly, limiting the amount of damage done.

Concerns About Cybersecurity Staffing

One of the main benefits of working with an MSSP is that it can take the burden off of your organization when it comes to staffing your cybersecurity team. An MSSP can provide the expert guidance and around-the-clock monitoring that you need to keep your systems secure without having to worry about finding and hiring qualified cybersecurity professionals.

There is a cybersecurity skills shortage, and it will continue to get worse in 2022 and beyond. Organizations are already facing cybersecurity skills shortages, with not enough people having the skills and qualifications required to keep IT systems secure from breaches and other security threats.

Adding more fuel to the fire, organizations face a growing threat from cyber criminals and nation-state hackers, whose attacks are growing “in volume and sophistication”. Source

MDR Security Services

An MSSP can also provide managed detection and response (MDR) services that can help you quickly identify and respond to security incidents. MDR services can be particularly beneficial for organizations that lack the in-house resources or expertise to effectively manage their security incidents.

MDR is an endpoint security service that uses a combination of technology and human expertise to proactively detect, investigate, and respond to security incidents. MDR services can help you to quickly identify and respond to potential threats, minimizing the damages caused.

Vulnerability Management

Another benefit of working with an MSSP is that they can help you proactively manage your security risks and vulnerabilities. MSSPs can provide vulnerability assessments, patch management, and other services that can help you to reduce the likelihood of a successful attack.

When hackers determine that your organization has not patched a known vulnerability, they are more likely to target you with an attack. This is because they know that you have not taken the necessary steps to protect yourself, and they can take advantage of this to launch a successful attack.

Proactively patching vulnerabilities can help to reduce your risk of a successful attack, and working with an MSSP can ensure that your vulnerabilities are patched quickly and effectively.

SIEM with 24/7 SOC

XDR and SOAR

A SIEM (security information and event management) is a software platform that collects, analyzes, and reports on security-related data events. SIEMs are used to help organizations identify potential threats and respond to security incidents.

SIEMs are typically used in conjunction with other security tools, such as firewalls and intrusion detection/prevention systems (IDS/IPS). A SIEM can be deployed as a software solution or as a managed service.

A security operations center (SOC) is a team of security professionals that is responsible for monitoring and responding to security incidents. SOCs use a variety of tools and techniques to detect and respond to security threats.

The use of a SIEM can help SOCs more effectively monitor and respond to security incidents. By consolidating data from multiple security tools into a single platform, SIEMs make it easier for SOCs to identify potential threats and take appropriate action.

Conclusion – Benefits of 24/7 SOC

Organizations that don’t have an MSSP or a 24/7 SOC are at a much higher risk of suffering a data breach because they lack the around-the-clock monitoring and expert guidance that is needed to effectively identify and respond to potential threats.

Working with an MSSP can help organizations save money, improve security, meet compliance requirements, and reduce the risk of a successful attack.

An MSSP can provide the expert guidance and around-the-clock monitoring that you need to keep your systems secure without having to worry about finding and hiring qualified cybersecurity professionals. Additionally, an MSSP can help you to quickly identify and respond to potential threats, minimizing the damages caused.

The use of a SIEM can help SOCs more effectively monitor and respond to security incidents. By consolidating data from multiple security tools into a single platform, SIEMs make it easier for SOCs to identify potential threats and take appropriate action.

Overall, the biggest benefit of working with an MSSP is that they can help you to stop a breach before it happens or at the very least contain it to limit the damage. This is accomplished through around-the-clock monitoring and expert guidance that can help you quickly identify and respond to potential threats.

CybriantXDR

Cybriant combines the technologies of SIEM, MDR, and Vulnerability Management in CybriantXDR. This is a 24/7 managed security service that offers enterprise-level protection for businesses of all sizes.

As a result, our team can provide the expert guidance and around-the-clock monitoring that you need to keep your systems secure without having to worry about finding and hiring qualified cybersecurity professionals. Additionally, we can help you quickly identify and respond to potential threats, minimizing the damages caused.

If you’re interested in learning more about our services and how we can help you to improve your security posture, please contact us. We’d be happy to discuss your specific needs and recommend a solution that’s right for you.

How Does a SIEM Work?

How does a SIEM work? You probably know that many organizations utilize a SIEM for compliance and security monitoring reasons. But how does it work? Read on to learn more about the inner workings of a SIEM. 

SIEM stands for Security Information and Event Management and is software that gives security professionals both insight into and a track record of the actions within their organization’s network. SIEM solutions provide a holistic view of what is happening on a network in real time and assist IT teams to be more proactive in the battle against security threats.

SIEM technology has been around for more than a decade, originally developing from the log management discipline. It linked security event management (SEM) – which examines log and event data in real-time to provide threat monitoring, event correlation, and incident response – with security information management (SIM) which gathers, analyzes, and reports on log data.

It is a solution that aggregates and analyzes activity from many different resources across your entire IT base.

The Need for Data Monitoring

In today’s digital market, it’s necessary to watch and secure your company’s data against increasingly advanced cyber threats. And odds are, your company has more data than ever before. There is no discussion about the fact that attacks on computer systems are steadily on the rise. Coin mining, DDoS, ransomware, malware, botnets, phishing — this is just a small list of the threats those fighting the good fight today are facing.

In addition to complicated tools being used to attack businesses – the attack surface has become much wider due to the development in data traversing our IT infrastructure. The capability to monitor all this data is increasingly becoming a challenge. Luckily, we have security information and event management (SIEM).

How Does a SIEM Work?

SIEM provides two main capabilities to an Incident Response team:

    • Reporting and forensics about security incidents
    • Alerts based on analytics that match a certain rule set, indicating a security issue

At its core, SIEM is a data aggregator, search, and reporting system. SIEM collects enormous amounts of data from your complete networked environment and consolidates and makes that data human-accessible. With the data classified and laid out at your fingertips, you can study data security breaches with as much detail as needed.

However, experts say enterprise demand for greater security measures has driven more of the SIEM market in recent years. This is why Managed SIEM has gained popularity. Many IT departments are unable to spend the time necessary to draw the data out of a SIEM that will allow them to properly detect cyber threats.

A Managed SIEM forensics team monitors the SIEM to identify activity that could indicate a threat to the organization. The Managed SIEM team determines whether the threat is genuine and begins to remediate it. The number of alerts a SIEM produces depends on how finely it has been tuned. With a team of analysts monitoring the SIEM 24/7, there is the expertise on hand to decide the priority of each alert.

Traditionally larger organizations utilize a SIEM as the foundation for the security strategy. Whether an organization uses a SIEM or MDR it is important to have a means of monitoring activity to prevent security threats.

What are SIEMs Used For?

Security Monitoring

  • SIEMs help with real-time monitoring of organizational systems for security incidents.
  • A SIEM has a unique perspective on security incidents because it has access to multiple data sources – for example, it can combine alerts from an IDS with information from an antivirus product. It helps security teams identify security incidents that no individual security tool can see, and helps them focus on alerts from security tools that have special significance.
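The IDS-plus-antivirus correlation described in the second bullet, and the alert prioritization discussed under Managed SIEM above, can be shown in a few lines. The following is an added example written for this article, not a Cybriant tool or any SIEM vendor's rule language; the events, host names and the 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed events from two tools, normalised to one schema:
# (tool, timestamp, host, kind, detail). Only kind == "alert" is correlated.
EVENTS = [
    ("ids", "2022-03-01T09:00:10", "ws-017", "alert", "outbound beacon to known C2 address"),
    ("av",  "2022-03-01T09:04:30", "ws-017", "alert", "trojan quarantined: downloader.exe"),
    ("ids", "2022-03-01T09:05:00", "ws-022", "alert", "port sweep from host"),
    ("av",  "2022-03-01T11:40:00", "ws-022", "alert", "PUA removed: adware toolbar"),
    ("av",  "2022-03-01T12:00:00", "ws-031", "info",  "signature update complete"),
]


def parse_event(ev: tuple) -> dict:
    tool, ts, host, kind, detail = ev
    return {"tool": tool, "time": datetime.fromisoformat(ts), "host": host,
            "kind": kind, "detail": detail, "matched": False}


def correlate(events, window=timedelta(minutes=15)):
    """Pair each IDS alert with AV alerts on the same host within `window`
    (in either order). Each pair becomes one high-priority incident; alerts
    that match nothing are returned as low-priority singles for routine triage."""
    by_host = {}
    for ev in events:
        rec = parse_event(ev)
        if rec["kind"] == "alert":          # informational events never correlate
            by_host.setdefault(rec["host"], []).append(rec)

    incidents, singles = [], []
    for host, recs in by_host.items():
        ids_alerts = [r for r in recs if r["tool"] == "ids"]
        av_alerts = [r for r in recs if r["tool"] == "av"]
        for i in ids_alerts:
            hits = [a for a in av_alerts if abs(a["time"] - i["time"]) <= window]
            if not hits:
                continue
            i["matched"] = True
            for a in hits:
                a["matched"] = True
            incidents.append({"host": host, "priority": "high",
                              "ids": i["detail"], "av": [a["detail"] for a in hits]})
        singles.extend({"host": host, "priority": "low", "tool": r["tool"],
                        "detail": r["detail"]} for r in recs if not r["matched"])
    return incidents, singles


if __name__ == "__main__":
    high, low = correlate(EVENTS)
    for inc in high:
        print("HIGH", inc["host"], "-", inc["ids"], "+", inc["av"])
    for s in low:
        print("LOW ", s["host"], "-", s["tool"], s["detail"])
```

With the constructed events, ws-017 produces one high-priority incident (an IDS beacon alert followed four minutes later by an AV quarantine on the same host), while the two ws-022 alerts are hours apart and stay as low-priority singles. Widening the window changes that outcome, which is exactly the tuning decision an analyst team makes when deciding how noisy a SIEM should be.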

Advanced Threat Detection

    • Malicious insiders – a SIEM can use browser forensics, network data, authentication, and other data to identify insiders planning or carrying out an attack
    • Data exfiltration (sensitive data illicitly transferred outside the organization) – a SIEM can pick up data transfers that are abnormal in their size, frequency, or payload
    • Outside entities, including Advanced Persistent Threats (APTs) – a SIEM can detect early warning signals indicating that an outside entity is carrying out a focused attack or long-term campaign against the organization

Forensics and Incident Response

  • SIEMs can help security analysts realize that a security incident is taking place, triage the event and define immediate steps for remediation.
  • Even if an incident is known to security staff, it takes time to collect data to fully understand the attack and stop it – SIEM can automatically collect this data and significantly reduce response time. When security staff discovers a historic breach or security incident that needs to be investigated, SIEMs provide rich forensic data to help uncover the kill chain, threat actors, and mitigation.

Compliance Reporting and Auditing

  • SIEMs can help organizations prove to auditors and regulators that they have the proper safeguards in place and that security incidents are known and contained.
  • Many early adopters of SIEMs used it for this purpose – aggregating log data from across the organization and presenting it in audit-ready format. Modern SIEMs automatically provide the monitoring and reporting necessary to meet standards like HIPAA, PCI/DSS, SOX, FERPA, and HITECH.

Benefits of Managed SIEM

There are many reasons to consider Managed SIEM including:

  • Finding and maintaining experienced SIEM/SOC Security Analysts is NOT EASY (and also expensive)
  • You could build it, but it will take much longer than outsourcing to a professional security services provider like Cybriant
  • You are getting everything from an MSSP only at a fraction of what you could spend internally
  • Scalable and Flexible
  • Greater Threat Intelligence – We’ve been doing this for a while and we’ve seen a lot of things.

Without the proper planning and expectations around people and processes up front, the odds of achieving even the minimal capabilities of a SIEM solution are slim to none.

Find out more about this: “Is Managed SIEM right for me?”

Should You Hire or Outsource to Improve Cybersecurity?

Many businesses struggle with the decision of hiring in-house employees or choosing to use an MSSP to improve cybersecurity. However, outsourcing your IT needs in the workplace is almost always a better investment for your company.

Some of the benefits of using an outsourcing security monitoring service provider include the fact that you will only have to pay a fixed fee each month, which makes it easier to stay within budget without worrying about unpredictable costs. On the other hand, in-house IT employees will require ongoing training, fringe benefits, and overtime pay, and you will always have to deal with employees leaving. A managed service provider like Cybriant bypasses all of these extra costs, while still giving you access to experienced IT professionals at an affordable rate.

Interested in learning more? Here are three more reasons why it is wise to invest in an outsourced cyber security monitoring service provider.

Outsource to Improve Cybersecurity

Cyber attacks can cause significant data breaches and destroy the reputation of a business. Consider the newsworthy breaches at Equifax and Capital One. Many technology executives consider using their current staff to manage their cybersecurity needs. However, in-house IT teams do not have the experience and expertise to handle large-scale cyber attacks in the workplace. It’s possible to avoid this scenario by outsourcing your security monitoring to a managed security service provider for the ultimate cybersecurity protection.

An MSSP offers a variety of services to keep your data secure, such as advanced virus and malware protection, network monitoring, next-generation endpoint protection, risk assessments, and vulnerability & patch management services.

Access to Threat Intelligence

Keeping up with all of the latest changes in cybersecurity is never an easy task. However, an MSSP has access to the most recent threat intelligence to help your business stay prepared to fight the latest cyber threats. New cyber threats continue to evolve at a rapid speed, and an MSSP can help your organization keep pace and stay up to date with the latest technology.

On the other hand, an in-house IT department is more focused on maintaining your IT infrastructure and doesn’t have the extra resources to continue to invest in state-of-the-art technology.

Cybersecurity Expertise

An additional benefit of using an MSSP is that you gain access to cybersecurity analysts with many years of experience. A managed security provider works with multiple clients to maximize uptime and is always available to offer additional support. An MSSP will keep patching up to date and monitor your network for any potential areas of vulnerability. These cybersecurity professionals play a key role in minimizing downtime and improving the daily operations of your business.

Working with an MSSP like Cybriant is a great investment for companies in today’s highly competitive work environment. Improving cybersecurity, gaining access to new technology, and around-the-clock IT help desk support are just a few of the numerous advantages of outsourcing all of your technical needs in the workplace.

Technology is the key to a successful business, and a managed service provider is an affordable long-term investment that offers immense benefits compared to hiring an in-house IT team.

Cybriant CTO: Analysis of a Phishing Email

I recently received an interesting phishing email that I shared with the rest of our company as part of our Internal Security Awareness program.  You might guess that as CTO of a security company I often receive phishing emails (and you’d be right), but this one caught my eye.  This phishing email was interesting for a few reasons:

  1. It made it past Microsoft’s ATP (Advanced Threat Protection) anti-phishing service in Office 365.
  2. It had a valid SPF record (no DKIM or DMARC).
  3. The phishing link had a clever URL encode redirect.

So, let’s take a look at the email:

There were several factors that tipped me off that things were amiss: 

  • I have never seen a similar voicemail email.
  • We don’t do business with any company named Alarmtech (looking at the email address).
  • We definitely DON’T do any business with any company named Alarmtech that has a Polish TLD (the “.pl” of “alarmtech.pl” domain in the email address).
  • The “local Wireless User” phone number was also odd.

So, I decided to take a look at the message’s full headers.

I was quite surprised to see that the email had a valid SPF record, and while it was unfortunate to see that DKIM was not set up, it is fairly common for less sophisticated admins to omit this type of email authentication.  This also explains part of why Office365 gave a phishing email a pass instead of convicting the email.

And, a quick check with MXToolbox confirmed that the SPF record was indeed valid.

Ok, at this point I was even more curious.  So, I copied the link for the “Play Record” button and utilized www.o365atp.com to de-obfuscate the link.  Bingo!  We’ve got something interesting!

Now, we have the de-obfuscated link (Office365 ATP uses a technology called Safe Links as an extra layer of protection).

__SNIP__

https://www.google.com.mx/url?q=ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne%26%23%36%31%3BY%575%6b%63mV%33Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN%76%62Q%26%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

__SNIP__

If you notice, the URL begins with http://www.google.com.mx/url?q=. This is a clever way to have Google (in this case it’s the Mexico site for Google, as it has a TLD – top-level domain – of “.mx”) redirect to the actual malicious website address, which is:

__SNIP__

ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne%26%23%36%31%3BY%575%6b%63mV%33Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN%76%62Q%26%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

__SNIP__

Yes, that is a valid FQDN and URL.  And, this is the other part of the reason why I believe that this phishing email made it past Office365’s ATP service.  It’s using a method called URL encoding.  URL encoding allows you to do things such as create spaces in a filename.  For example, the following two bullet point links would point to the exact same URL (Note:  I used a random domain name):

[Image: two example links, one containing a literal space and one containing “%20” in the same position, that resolve to the same URL]

The “%20” is the URL encoded value for a space “ “.  There are some genuine uses for URL encoding, and it is especially helpful when creating scripts or working with APIs.  For example, when dealing with APIs in our SOC (Security Operations Center) this is often how we have to get around restrictions such as using an “@” in a username.  Instead of user@cybriant.com it’d be: user%40cybriant.com

So, let’s de-obfuscate the link using https://urldecoder.org:

__SNIP__

https://64e53rw7.blob.core.windows.net/5e53rw76/index.html?pzone=YW5kcmV3LmhhbWlsdG9uQHByaW11c3NlcnZpY2VzLmNvbQ=&#61&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

__SNIP__

There we have the REAL link.  Next, we’ll explode this link in Joe Sandbox to see its behavior.  Click on the following link to see the full Joe Sandbox analysis, and see what our SOC would discover if they were performing this for a customer.  I’ll give you a hint: it turns out it’s malicious:

https://www.joesandbox.com/index.php/analysis/166555/0/executive

Note:

When I first exploded the URL decoded link Joe Sandbox didn’t find anything interesting.  And so, the second time I utilized the link that was a google.com.mx referrer link.  When using the referring link Joe Sandbox determined that the final destination URL was indeed malicious.  In short, the bad actor built a check into their website to ensure that the full link was being used (confirmed by seeing Google.com.mx referring the user to the phishing website).  Pretty spiffy thinking on their part! 
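The manual de-obfuscation above (extract the q= parameter from the Google redirect, percent-decode it, then turn the HTML entities back into "?" and "=") can be automated so an analyst does not have to paste links into third-party sites. The following is an added example written for this article, not a Cybriant tool; the SAMPLE_LINK is constructed in the same style as the link in the post, using a reserved .invalid hostname and a base64 pzone value of "victim@example.com" rather than the real redirect target.

```python
import base64
import html
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in the same style as the link in the post: a Google
# redirect whose q= parameter carries a percent-encoded URL in which the
# HTML entities &#63; and &#61; stand in for "?" and "=". The final host is a
# reserved .invalid name, and the pzone value is base64 of "victim@example.com".
SAMPLE_LINK = (
    "https://www.google.com.mx/url?q="
    "ht%74p%73%3A%2F%2Fexample-phish.invalid%2Findex.%68t%6d%6c"
    "%26%2363%3B%70z%6fne%26%2361%3BdmljdGltQGV4YW1wbGUuY29t"
    "&sa=D&sntz=1"
)


def fully_decode(s: str, max_rounds: int = 5) -> str:
    """Percent-decode and HTML-entity-decode until nothing changes, so stacked
    layers (as in the post's link) are all peeled off."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(s))
        if decoded == s:
            break
        s = decoded
    return s


def maybe_base64(value: str):
    """Return the decoded text if value is base64 (missing padding tolerated),
    otherwise None. Phishing pages often receive the target's address this way
    so the fake login form can be pre-filled."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_redirect(link: str) -> dict:
    """Pull the real destination out of a redirect link and report whether the
    redirecting host and the landing host differ (the phishing tell here)."""
    outer = urlsplit(link)
    # parse_qs already applies one round of percent-decoding to q
    target = parse_qs(outer.query).get("q", [""])[0]
    final_url = fully_decode(target)
    inner = urlsplit(final_url)
    params = {k: v[0] for k, v in parse_qs(inner.query).items()}
    return {
        "redirect_host": outer.hostname,
        "final_url": final_url,
        "final_host": inner.hostname,
        "params": params,
        "decoded_params": {k: maybe_base64(v) for k, v in params.items()},
        "host_changes": outer.hostname != inner.hostname,
    }


if __name__ == "__main__":
    for key, value in unwrap_redirect(SAMPLE_LINK).items():
        print(f"{key}: {value}")
```

Decoding until the string stops changing matters because the post's link mixes two encodings: percent-encoding hides the scheme and host from a string match, and the HTML entities hide the "?" and "=" that would otherwise mark the query string. A host_changes result of True (the mail says google.com.mx, the landing page is somewhere else) is the condition worth alerting on, and the decoded pzone parameter tells you which mailbox the lure was built for.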

Andrew Hamilton

CTO

Andrew Hamilton is a member of the executive management team of Cybriant, a leader in the cybersecurity services industry. As CTO he is responsible for the technical vision and the delivery of services at Cybriant. Since its founding in 2015, Andrew has led the selection, evaluation, and adoption of all security technology and tools utilized by Cybriant in the delivery of its managed security services.

Learn more about Cybriant’s Continuous Threat Detection & Remediation Services: http://cybriant.com/pretect

Capital One Data Breach: Importance of Cybersecurity Basics

By now you’ve heard of the Capital One Data Breach that happened on July 29, 2019, where a hacker gained access to 100 million Capital One credit card applications and accounts. Read more about the thoughts from Cybriant’s Chief Technology Officer, Andrew Hamilton.

My first reaction when I saw the Capital One data breach was the same as many of yours: someone misconfigured something, and a former employee knew about that misconfiguration.

What we most commonly see as a security company when organizations move to the cloud is the expectation that the cloud provider (AWS, Azure, Google) will automatically understand and take into account any security threat vector which may be particular to an organization.

Unfortunately, they can’t work in that manner because requirements and environments will always differ from one organization to the next.  What may be a potential threat vector to Capital One could be required functionality to another organization.

And so, the cloud providers afford their customers a high degree of flexibility, but they state in their Terms of Service (and recommendations) that the customer is responsible for securing their tenant.

Similarly, when we monitor a customer’s environment one of the first things we check for is whether we see customer endpoint devices utilizing external DNS servers instead of the official internal company DNS servers.

Malware loves to exfiltrate data via DNS because most of the time UDP/TCP 53 is wide open to the Internet.  And while there are certainly ways to exfiltrate data via valid CNAME and TXT records (which require additional techniques to monitor/block, such as RPZ records), those are computationally less efficient than simply blasting data via a commonly trusted DNS port and bypassing HTTPS SSL inspection.
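The check described two paragraphs up, endpoints sending port-53 traffic anywhere other than the official internal resolvers, is easy to run over firewall or flow logs. The following is an added example written for this article, not Cybriant's monitoring logic; the resolver addresses, the log format and the log lines are all constructed assumptions (the external addresses are documentation ranges, not real servers).

```python
from collections import defaultdict

# Assumption: these two addresses are the organization's official internal
# resolvers; every other port-53 destination is treated as unauthorised.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow-log lines (not real traffic):
# timestamp src_ip dst_ip proto dst_port bytes_sent
SAMPLE_LOG = """\
2019-07-30T08:00:01Z 10.1.5.20 10.0.0.53 udp 53 84
2019-07-30T08:00:02Z 10.1.5.20 10.0.0.53 udp 53 92
2019-07-30T08:00:05Z 10.1.5.44 198.51.100.53 udp 53 76
2019-07-30T08:00:09Z 10.1.5.44 198.51.100.53 udp 53 1480
2019-07-30T08:00:10Z 10.1.5.44 198.51.100.53 tcp 53 65000
2019-07-30T08:00:12Z 10.1.7.9 10.0.1.53 udp 53 88
2019-07-30T08:00:15Z 10.1.7.9 203.0.113.7 tcp 443 5200
2019-07-30T08:00:20Z 10.1.9.3 203.0.113.53 udp 53 300
"""


def parse_line(line: str) -> dict:
    ts, src, dst, proto, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "port": int(port), "bytes": int(nbytes)}


def find_rogue_dns(log_text: str, resolvers=INTERNAL_RESOLVERS) -> dict:
    """Map each source IP that sent port-53 traffic to a non-approved server
    to the servers it used, the number of flows and the bytes sent."""
    rogue = defaultdict(lambda: {"servers": set(), "flows": 0, "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["port"] != 53 or rec["dst"] in resolvers:
            continue          # not DNS, or DNS to an approved resolver
        entry = rogue[rec["src"]]
        entry["servers"].add(rec["dst"])
        entry["flows"] += 1
        entry["bytes"] += rec["bytes"]
    return dict(rogue)


def rank_by_volume(rogue: dict) -> list:
    """Order offenders by bytes sent: a host pushing far more over port 53
    than ordinary lookups need is the exfiltration pattern described above."""
    return sorted(rogue.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for src, info in rank_by_volume(find_rogue_dns(SAMPLE_LOG)):
        print(f"{src}: {info['flows']} flows, {info['bytes']} bytes "
              f"to {sorted(info['servers'])}")
```

On the constructed log, 10.1.5.44 stands out both because it bypasses the internal resolvers and because a 65,000-byte TCP "DNS" flow is nothing like a normal lookup; 10.1.9.3 is a lower-volume offender that still warrants a look at its resolver configuration. The hosts using the approved resolvers, and the HTTPS flow on 443, are not reported. The same finding is the justification for the usual mitigation: block outbound 53 at the edge for everything except the internal resolvers, and log the drops.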

There was an excellent article at InfoSecurity Magazine yesterday on the top 5 penetration test discoveries (link:  https://www.infosecurity-magazine.com/news/95-test-problems/).

All five boil down to good Systems Administration hygiene. They aren’t as “sexy” as buying a Palo Alto and bragging about it to friends, but instead are things that are often left by the wayside (requiring complex passwords, simple patch management, etc).

What can be even more puzzling is when we see organizations who want a VERY expensive penetration test, and yet they haven’t even begun resolving the issues found from their vulnerability scanner.  Unfortunately, this is the norm that we see across industries and company sizes.

To avoid a Capital One-style data breach at your organization, read to the end to see our recommendations.

Capital One Data Breach Facts

On July 29th, 2019 Capital One Financial Corporation, a US-based bank holding company specializing in banking, credit cards, loans, and savings, released a statement [1] regarding the detection of a breach resulting in unauthorized access to personal data about over 100 million Canadian and US credit card applicants and customers.

  • The breach is believed to be one of the largest in the history of the banking industry;
  • According to the statement, Capital One does not believe the compromised data has been used fraudulently;
  • Capital One became aware of the breach following a responsible disclosure email alerting them to potentially leaked data on a GitHub account associated with the alleged threat actor (TA);
  • The breach reportedly exploited a configuration vulnerability in Capital One’s infrastructure, including at least one known firewall misconfiguration, permitting access to customer data stored on Amazon Web Services (AWS) cloud;
  • US law enforcement arrested an alleged TA, ‘Paige Adele Thompson’, a former Amazon Inc. employee who worked as an S3 Systems Engineer [2], also known as ‘Erratic’, in Seattle, WA (US) on suspicion of ‘Computer Fraud and Abuse’, as filed [3] in a criminal complaint with the US District Court for the Western District of Washington at Seattle;
  • The hack is expected to cost the company up to $150 million in the near term, including paying for credit monitoring for affected customers.

Scope of breach

  • Personal data of more than 100 million US and 6 million Canadian customers (consumers and small businesses), including approximately:
    • 140,000 US Social Security numbers;
    • 1 million Canadian Social Insurance Numbers (SIN);
    • 80,000 US bank account details;
    • Names, addresses, phone numbers & dates of birth;
    • Self-reported income;
    • Credit scores, limits, balances & payment history.
  • Stolen information about credit card applications from 2005 through 2019.

Capital One Data Breach Timeline

  • 12 March – 17 July 2019 – Period in which unauthorized access to Capital One’s infrastructure likely occurred;
  • 22 March 2019 – Capital One access logs confirm unauthorized access to AWS from a compromised account;
  • 21 April 2019 – Timestamp associated with leaked data hosted on GitHub in addition to unauthorized activity recorded by Capital One logs;
  • 26 June 2019 – Posts on a Slack channel associated with, and using an alias of, the TA include screenshots and directory listings of files belonging to Capital One and other potential victims;
  • 17 July 2019 – Responsible disclosure email received by Capital One, alerting them to ‘leaked s3 data’ hosted on a GitHub Gist account believed associated with the threat actor;
  • 18 July 2019 – Direct messages posted by the TA suggest that they were prepared to distribute the stolen data;
  • 29 July 2019 – US FBI agents arrested the TA and Capital One released a public statement about the breach (also establishing a dedicated data breach webpage [4] with an FAQ for potentially affected customers).

Cybriant Recommendations:

  • Organizations using cloud-based services, such as Amazon S3, should ensure that assets are correctly configured to prevent inadvertent or unauthorized access to sensitive data. Cloud providers will provide documentation detailing identity and access policy configurations that can restrict access, be that by the user, file, bucket, or organization.
  • Patch Management is a vital service that is often overlooked or taken for granted. Cybriant offers a Responsive Patch Management service that will take the guesswork out of the administrivia of this task and maintain a healthy network.
  • Vulnerability scans may catch the majority of issues, but they need to be run continuously. If you only scan once a year or once a quarter, that leaves a long window for attackers to exploit those vulnerabilities. The findings that come out of the scans then need to be remediated. Our Risk-Based Vulnerability Management service will help your team identify vulnerabilities and protect your network.
  • Logging every incident on your network is the best way to protect against advanced persistent threats, including insider threats. Our Managed SIEM with 24×7 Security Monitoring service is not only a potential compliance requirement but will address and resolve the most complex cyber risk issues.
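To make the first recommendation concrete, here is an added example (not Capital One’s or Cybriant’s code, and not an AWS tool) that lints an S3 bucket policy for Allow statements open to any principal. The weak policy and the hardened policy are both constructed; the account id 111122223333, the organisation id o-exampleorgid, the role name and the bucket name are placeholders. The set of "restricting" condition keys is an assumption about which conditions meaningfully scope a wildcard principal.

```python
"""Lint an S3 bucket policy for statements that grant access to anyone.

Added example; it is not Capital One's or Cybriant's code and not an AWS
tool. The two policies are constructed: the account id 111122223333,
the organisation id o-exampleorgid and the bucket name are placeholders.
"""
import json

# Condition keys that scope a wildcard principal down to a known network,
# account or organisation. Any other condition is not treated as restricting.
RESTRICTING_CONDITION_KEYS = {
    "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn",
    "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp",
}

WEAK_POLICY = {  # constructed: the "before" state, world-readable bucket
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-data",
                     "arn:aws:s3:::example-customer-data/*"],
    }],
}

HARDENED_POLICY = {  # constructed: one named role may read, everyone outside the org is denied
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-data/*",
        },
        {
            "Sid": "DenyOutsideOrg",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-customer-data",
                         "arn:aws:s3:::example-customer-data/*"],
            "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous or any account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def has_restricting_condition(stmt):
    """True if any condition key scopes the statement to a known origin."""
    cond = stmt.get("Condition", {})
    return any(key in RESTRICTING_CONDITION_KEYS
               for pairs in cond.values() for key in pairs)


def public_statements(policy):
    """Return the Allow statements that any principal could use.

    Accepts a parsed policy dict or the policy as a JSON string.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_anyone(stmt.get("Principal")) and not has_restricting_condition(stmt):
            findings.append({
                "Sid": stmt.get("Sid", "<no Sid>"),
                "Action": _as_list(stmt.get("Action", [])),
                "Resource": _as_list(stmt.get("Resource", [])),
            })
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(public_statements(pol), indent=1))
```

The linter only looks at the bucket policy itself; a real review also checks the account-level Block Public Access settings and the IAM policies attached to the roles that are allowed in, since an over-broad role is the other way a "correctly configured" bucket ends up exposed.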


Sources:

[1] http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=2405043
[2] https://www.linkedin.com/in/PaigeAdeleThompson
[3] https://www.justice.gov/usao-wdwa/press-release/file/1188626/download
[4] https://www.capitalone.com/facts2019/

The Financial Industry’s Biggest Threat


Introducing PREtect: Tiered Cyber Risk Management Service