Speaking of Security – The RSA Blog and Podcast

Gone are the days when it was thought that size of the company matters to the cybercriminals. The latest PwC Information Security Breaches Survey 2013 shows that there has been a significant rise in the number of small businesses that were attacked by an unauthorized outsider in the last year – up by 22%. Interestingly large organizations only went up by 5%. The cybercriminal has moved on to stealing intellectual property or corporate secrets as that’s where the real money is and small companies become easy targets as many do not have the resources or budgets to fully protect their information.

It’s time to understand the differences between corporate secrets and custodial data.

• 

The level and sophistication of advanced threats is a constantly moving target pitting the advantages of smart and patient attackers against security teams that often times can’t possibly know what to look for when an attacker employs specialized techniques and tools designed to cloak their movements. What happens when an attacker doesn’t have to rely on malware to infiltrate their target or when an attacker is able to successfully blend in like a legitimate insider? In this edition of the Speaking of Security Podcast, Tom Chmielarski, Practice Lead in RSA’s Advanced Cyber Defense Services shares some of the attack techniques he’s seen used in real breach cases, along with best practices used in the detection and defense of these advanced attacks.

• 

Like most technologies, Identity and Access Management (IAM) has been challenged by new business and IT trends that are causing serious disruptions in how we approach information security. The exponential growth of digital identities coupled with the increasing use of software as a service and mobile and cloud platforms have made the traditional perimeter all but disappear. As a result, legacy IAM tools that have been a security mainstay for decades are simply failing to keep up.

• 

Organizations which deploy RSA Authentication Manager (SecurID) for enforcing two-factor authentication frequently think of their RSA SecurID solution only as an additional security control to enforce strong authentication to resources. However, by analyzing the wealth of log data that is generated by RSA Authentication Manager, organizations can gain valuable intelligence that can be useful to detect attacks and perhaps even predict new attacks.

• 

In my earlier blogs on Transforming Security Analytics and Transforming Trust, I wrote about the strong focus we have on cybersecurity at this year’s EMCworld, previewing several of the sessions that will highlight security topics. In addition to those presentations, we’ll also once again have a Birds-of-a-Feather session, focused on Building your Trusted Cloud. It’ll [...]

• 

Based on the last few Incident Response engagements I’ve participated in, the most common question I’ve heard is “what are the common indicators you are using to find evil?” This is not a question that has a simple answer. In this blog post, I’ll examine a Blackhole exploit kit session and discuss the various network indicators that analysts should be looking for when identifying host exploitation and associated binaries. The intent here is not to pick apart malware or de-obfuscate JavaScript, but to show how asking simple questions about your network traffic can reveal the bad stuff being missed by your other security products.

• 

In Part I of my post on Switch Targeting, I discussed the fundamentals of how adversaries use seemingly trusted hop points as vectors in and out of primary targets similar to how bank robbers target, stage and execute their robberies. Now I want to introduce the concept of the three “R’s” or R3 based on my experience in the field helping organizations position themselves to detect where these switch targets may be relative to their own attack infrastructure as part of designing a Next Generation Security Operations Center (SOC). R3 is comprised of three focal areas for the Chief Information Security Officer (CISO) to consider —- Readiness, Response and Resiliency.

• 

In part 1 of this blog, “Beyond the Zero Day” we focused on detecting malicious JVM [Java Virtual Machine] activity and identifying the ‘blob’ that was downloaded. No subsequent network activity was detected after the download, but that doesn’t discount successful malware delivery and deployment. We can certainly seize and forensically examine the host, but that might require massive time investment for an organization and we don’t even know what we’re looking for yet. The first place to start is by examining the Class file that kicked off the HTTP GET for our ‘blob’.

• 

This blog series examines response options to an enterprise intrusion of some sort, be it by “APT” or Hacktivists” or some other category involving a purpose-driven actor. I’ll refer to these as targeted attacks even though they are often not targeted too specifically, but that’s a different topic. These threats pose a risk to the organization that is, generally speaking, more severe than typical malware on a single system. A hactivist attempting to discredit your company will probably have more of a business impact than a single computer infected by the Zeus crimeware trojan. Of course, that “common” Zeus infection could happen to be on a system used by someone in finance who has access to company records, as seen in actual attacks, and may indicate a major threat to your organization.

• 

It’s an increasingly common question these days, and not an easy one at that. That is, do you build your security operations capabilities in house, or do you go with a Managed Security Service Provider (MSSP)? There are certainly advantages to both and bottom line wise; it is hard to say which one actually is cheaper. Ultimately, as with all things, it is a business decision that is made with an acceptable level of risk in mind.

•