
An IDC InfoBrief | September 2017

Battling Cyber Threats in Asia Pacific With Optimized Threat Lifecycle Management

Sponsored by LogRhythm

Page 2: Battling Cyber Threats in Asia Pacific - LogRhythm · The proliferation of digital technologies and ... The Ransomware Threat: A Guide to Detecting an Attack Before It’s Too Late,

IT security has become a top-of-mind concern for many organizations in the Asia Pacific region as a result of a number of high profile cyberattacks globally, as well as a marked increase in attacks within the region, many of which are resulting in significant financial loss or loss of market capitalization.

The proliferation of digital technologies and innovations adopted by Asia Pacific organizations has opened up even more attack vectors and given greater incentives for threat actors whose motives include profit or sabotage. The level of automation and broad distribution of attacks have also reached unprecedented heights. In this new security landscape, no country, industry or organization is fully immune from cyberattacks or breaches.

The New Security Landscape: High Profile Cyberattacks are the New Normal

Asia Pacific Organizations Remain Vulnerable: 84% of organizations across Asia Pacific are operating with less-than-ideal IT security strategies in place.[1]

Recent High Profile Attacks (2015–2017)

- Hong Kong-Based Electronic Toymaker: approximately 6.3 million children’s profiles from VTech compromised.
- Leading Japanese Travel Agency: 7.93 million users’ personal information from JTB compromised.
- Global Attack by WannaCry Ransomware: over 200,000 computers in 150 countries infected.
- Bangladesh Bank: US$81 million stolen by hackers, highlighting weaknesses in the global financial system.
- Global Attack by NotPetya: many organizations in Ukraine and over 10 large multinational corporations around the world (e.g., TNT [FedEx] and Maersk) affected by the cyberattack, with some suffering permanent damage.
- Universities in Singapore: National University of Singapore and Nanyang Technological University hacked in an attempt to steal government data.
- Research Facility in Australia: Australian Nuclear Science and Technology Organisation (ANSTO) breached, with usernames and passwords stolen.
- World’s Largest Bitcoin Exchange: approximately 120,000 bitcoins (US$65 million worth of funds) stolen from Bitfinex.

[1] IDC MaturityScape Benchmark: IT Security in Asia/Pacific (Excluding Japan), 2016

An IDC InfoBrief: Battling Cyber Threats in Asia Pacific With Optimized Threat Lifecycle Management


The explosive growth of security incidents, including variants of malware, in recent years underscores the effective adoption of automation and advanced analytics by cybercriminals. Automated attacks are becoming less expensive, easier and more efficient to launch, as well as more difficult to defend against. In addition, malware defenses such as crypters and fully undetectable (FUD) tools attempt to deceive pattern-based or behavior-based detection engines by disguising the malware as a harmless program, extending the time to detect.

The New Security Landscape: Rise of Automated and Sophisticated Cyber Threats

- No. 1: Malware is the top type of attack in Asia (both as a target and as an originating source).[2]
- 357 Million: The number of new malware variants reached 357 million in 2016 (about 1 million a day).[3]
- 752%: The number of ransomware families increased by 752% in 2016.[4]
- 15 Minutes: It takes 15 minutes from initial infection to a ransom demand being made.[5]
- 520 Days: The average number of days to detect infiltration in Asia Pacific is 520 days (3 times the global average).[6]

Automated attacks account for 90% of all malicious attack traffic, and 90% of security incidents are from automated Web robots.

[2] NTT Security 2017 Global Threat Intelligence Report
[3] Symantec 2017 Internet Security Threat Report
[4] Trend Micro 2017 Threat Report
[5] LogRhythm, The Ransomware Threat: A Guide to Detecting an Attack Before It’s Too Late, 2016
[6] Mandiant M-Trends 2016 APAC Edition

CYBERCRIMINALS ARE AUTOMATING, WHY CAN’T WE?


Attack and Defend: A Closer Look at Both Sides of the Cyber Battle

How Do Cybercriminals Attack?

Cybercriminals usually take time to scope out a specific organization or individual, and most often leverage a phishing email or an exploit kit to deliver the malware.

Following the exploit and infection phase, the actual malware executable is delivered to the victim’s system, and persistence mechanisms are put in place upon execution.

If it is ransomware, it targets the backup files and removes them to prevent restoring from backup.

Once the attacker has exploited the host system, quite often the malware beacons back to an external command and control (C2) server (e.g., during the file encryption phase for ransomware).

After that, cybercriminals carry out their objectives, be it data exfiltration or a ransom demand.
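The beaconing step described above is one of the behaviors a defender can look for in flow data, because a compromised host tends to contact the same external address at near-constant intervals while normal user traffic is bursty. The Python below is an added illustration of that check, not code from the IDC brief or from LogRhythm; the flow record layout, the sample flows and the thresholds are assumptions constructed for the example.

```python
"""Flag periodic outbound connections ("beaconing") in network flow records.

Added illustration, not code from IDC or LogRhythm. The flow record layout,
the sample flows and the thresholds are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp, source host, destination IP, bytes out).
SAMPLE_FLOWS = [
    # host-a contacts 203.0.113.7 roughly every 60 s (constructed beacon pattern)
    ("2017-09-01T10:00:00", "host-a", "203.0.113.7", 312),
    ("2017-09-01T10:01:01", "host-a", "203.0.113.7", 310),
    ("2017-09-01T10:02:00", "host-a", "203.0.113.7", 315),
    ("2017-09-01T10:03:02", "host-a", "203.0.113.7", 311),
    ("2017-09-01T10:03:59", "host-a", "203.0.113.7", 313),
    ("2017-09-01T10:05:00", "host-a", "203.0.113.7", 312),
    # host-b browses a web server at irregular intervals (constructed normal traffic)
    ("2017-09-01T10:00:05", "host-b", "198.51.100.20", 1540),
    ("2017-09-01T10:00:09", "host-b", "198.51.100.20", 8800),
    ("2017-09-01T10:04:40", "host-b", "198.51.100.20", 2200),
    ("2017-09-01T10:11:15", "host-b", "198.51.100.20", 640),
    ("2017-09-01T10:11:18", "host-b", "198.51.100.20", 12000),
    ("2017-09-01T10:25:00", "host-b", "198.51.100.20", 900),
]


def connection_intervals(flows):
    """Return {(src, dst): [seconds between consecutive flows]} per host/destination pair."""
    stamps = defaultdict(list)
    for ts, src, dst, _bytes in flows:
        stamps[(src, dst)].append(datetime.fromisoformat(ts))
    intervals = {}
    for pair, times in stamps.items():
        times.sort()
        intervals[pair] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return intervals


def find_beacons(flows, min_connections=5, max_jitter=0.10):
    """Return [(src, dst, mean_interval_s, jitter)] for pairs whose timing is
    regular enough to look like a beacon.

    jitter is the coefficient of variation (population stdev / mean) of the
    gaps between connections; near 0 means near-constant spacing. The
    minimum connection count and the jitter ceiling are assumed thresholds.
    """
    hits = []
    for (src, dst), gaps in connection_intervals(flows).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few observations to call anything periodic
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{period}s (jitter {jitter})")
```

On the constructed flows only host-a is reported (about 60 s apart, jitter 0.03); host-b's irregular browsing has a jitter far above the ceiling. In practice the thresholds are tuned per environment, and a hit is a lead for the qualify step rather than a verdict, since some legitimate software (update checks, monitoring agents) also polls on a fixed schedule.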

More importantly, cybercriminals have increasingly leveraged automation to create vast numbers of malware variants and fraudulent activities, and analytics to greatly improve attack efficiency and bypass most defenses.

How Do Organizations Typically Defend Themselves?

In most organizations, much more effort is put into threat prevention than into the other necessary phases. Threat detection is based on various security sensors that look for known signatures of malicious activity or for anomalous behavior. Security sensors include firewalls, intrusion detection/prevention systems, application gateways, anti-virus, endpoint protection, and more.

Two key metrics used for measuring the effectiveness of an organization’s security capabilities are mean time to detect (MTTD) and mean time to respond (MTTR).

Unfortunately, many organizations operate in a mode where MTTD and MTTR are measured in weeks, months or even years (e.g., 520 days). Very often, this is attributed to security teams that fail to rapidly identify the threats that really matter (due to overwhelming volumes of security alerts and a lack of appropriate tools to prioritize them), let alone respond to them in a timely manner.
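MTTD and MTTR are only comparable across teams if everyone measures them from the same points in the timeline. The Python below is an added example, not code from the IDC brief or from LogRhythm, that computes both from a constructed set of incident records; the record layout, the sample timestamps and the convention that MTTD starts at the time of compromise established by forensics (not at the first alert) are assumptions made for the illustration.

```python
"""Compute mean time to detect (MTTD) and mean time to respond (MTTR) from
incident records.

Added illustration, not code from IDC or LogRhythm. The record layout and
the sample incidents are assumptions: each record carries the time the
compromise began (as established by forensics), the time it was detected,
and the time the response was completed (None while the incident is open).
"""
from datetime import datetime
from statistics import mean

# Constructed incident records; the timestamps are chosen to keep the arithmetic visible.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "compromised": "2017-01-10T08:00:00",
     "detected": "2017-01-12T08:00:00", "responded": "2017-01-12T20:00:00"},
    {"id": "INC-2", "compromised": "2017-02-01T00:00:00",
     "detected": "2017-03-03T00:00:00", "responded": "2017-03-10T00:00:00"},
    {"id": "INC-3", "compromised": "2017-05-05T12:00:00",
     "detected": "2017-05-05T13:30:00", "responded": None},  # still open
]


def hours_between(start, end):
    """Elapsed hours from one ISO-8601 timestamp to another."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def threat_metrics(incidents):
    """Return MTTD/MTTR in hours and days plus the count of open incidents.

    MTTD is averaged over every incident (compromise -> detection). MTTR is
    averaged only over closed incidents (detection -> response), so open
    ones neither inflate nor flatter the figure. Timestamps that run
    backwards indicate bad data and raise ValueError.
    """
    to_detect, to_respond, open_count = [], [], 0
    for inc in incidents:
        d = hours_between(inc["compromised"], inc["detected"])
        if d < 0:
            raise ValueError(f"{inc['id']}: detected before compromise")
        to_detect.append(d)
        if inc["responded"] is None:
            open_count += 1
            continue
        r = hours_between(inc["detected"], inc["responded"])
        if r < 0:
            raise ValueError(f"{inc['id']}: responded before detection")
        to_respond.append(r)
    mttd = mean(to_detect) if to_detect else None
    mttr = mean(to_respond) if to_respond else None
    return {
        "mttd_hours": round(mttd, 2) if mttd is not None else None,
        "mttd_days": round(mttd / 24, 1) if mttd is not None else None,
        "mttr_hours": round(mttr, 2) if mttr is not None else None,
        "mttr_days": round(mttr / 24, 1) if mttr is not None else None,
        "open_incidents": open_count,
    }


if __name__ == "__main__":
    print(threat_metrics(SAMPLE_INCIDENTS))
```

For the constructed records MTTD comes out at 256.5 hours (about 10.7 days) and MTTR at 90 hours, with one incident still open. The single long-lived incident (INC-2) dominates MTTD, which is why a mean should be read alongside the distribution: one undetected foothold is what pushes the regional average toward the 520 days quoted earlier.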


In this age of automated and sophisticated cyber threats, relying on the current prevention-centric strategy is not enough. Organizations need to take a lifecycle view of threat management and measure its effectiveness by MTTD and MTTR instead. The levels below describe the various approaches to threat management, from least proficient to optimized.

How Optimized Is Your Threat Management Strategy?

Listed from least proficient (immature) to most proficient (optimized):

1. Prevention-oriented mindset. Employ signature-based antimalware on endpoints and at key network gateways. Indicators of threats exist, but nobody is looking. No security intelligence capabilities. Isolated logging based on tech/functional silos.
2. Monitor logs and security alerts from key IT resources to identify incidents and other security-related events. Track them over time for compliance reporting. Use signature-based detection techniques for antimalware on key systems (not all) and intrusion detection and prevention on important networks. No integrated view or measurement of effectiveness.
3. Holistically monitor alerts and events 24/7 throughout the IT environment (e.g., functional security operations center [SOC] established). React/respond based on root cause analysis of affected resources and notify accordingly. Detect threats/breaches using signatures, sandbox detonation, and heuristics on networks, endpoints, servers, data and applications.
4. Run a SOC with real-time analytics using contextual information and threat intelligence. Holistically detect threats/breaches using signatures, sandbox detonation, behaviors, and heuristics on networks, endpoints, servers, data and applications. Leverage some level of commercial grade, multi-vector threat intelligence.
5. Capture IT usage activity across resources and have a holistic environmental risk characterization. Identify root causes, involve legal for notification and employ retrospective analysis to proactively hunt for breaches. Holistic IR orchestration and automated response. Detect threats with signatures, sandbox detonation and machine learning. Intercept sensitive data leaks, and use deception techniques like honeypots, honeytokens and generated noise.

Over 80% of Asia Pacific organizations have taken a less-than-proficient approach when it comes to threat management. Fewer than 10% of Asia Pacific organizations have adopted a more mature approach toward threat management.


Threat Management Proficiency Landscape Across Asia Pacific

Generally, the Asia Pacific markets are underdeveloped in terms of their threat management approaches.

Mature markets like Australia and New Zealand take a more holistic view of threat management, with significant use of analytics, threat intelligence and automation. However, the majority of organizations in these markets still scored less than 3, indicating that there is more room for improvement and more effort is needed to achieve resilience.

Maturing markets like Hong Kong, South Korea and Singapore rely heavily on a functional SOC and monitor alerts/events tirelessly (not necessarily effectively).

Emerging markets like Malaysia, the Philippines and Thailand take a narrow view of threat management, and reliance on signature-based tools leads to ineffective results (e.g., long MTTD and MTTR) and a vulnerable environment.

Markets shown on the map: Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Taiwan and Thailand.


Time to Rethink Your Strategy against Cyber Threats

Copyright 2017 IDC. Reproduction without written permission is forbidden. This IDC InfoBrief was produced by IDC Asia/Pacific Custom Solutions. Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For more information, visit: www.ap.idc.asia or email: [email protected].

Essential Guidance

Go Beyond Prevention-Centric Practices

Attempting to prevent attacks is important, but organizations must acknowledge that attacks that are stealthy by nature can be crafted to get past preventive measures. As such, a more balanced and holistic view is needed, including measures like retrospective root cause analysis, proactive threat hunting, incident response orchestration and legal notification.

Focus on Actionable Security Intelligence

The intense stream of threat data (in an enterprise, a typical stream serves events at a rate of thousands or tens of thousands per hour) blinds a security team in a fog of noise. As such, actionable security intelligence is required to clearly identify the threats that matter and significantly improve an organization’s MTTD and MTTR.

Take the End-to-End Threat Management Lifecycle Approach

When a threat engages with the target environment, evidence is left behind. That evidence exists in the forensic data collected across the environment. Hence, capturing IT usage activity across resources and having a holistic environmental risk characterization are critical steps in a threat lifecycle management approach. Moreover, to separate the signal from the noise, threat qualification and risk determination are important. Lastly, automation in support of the incident response process and the deployment of countermeasures will help shorten the MTTR.

Threat management practices have to evolve as cybercriminals become more efficient and effective with their attacks. The new imperative is moving from a prevention-centric approach to a holistic and risk-based one, powered by automation and advanced analytics.


Accelerating Threat Lifecycle Management with LogRhythm

Unified Security Intelligence Platform: forensic data (captured log and machine data, generated forensic sensor data, and event data) feeds machine analytics and user analytics.

Time to detect:

- Forensic data
- Discover
- Qualify: assess the threat and determine if it may pose risk and whether a full investigation is required.

Time to respond:

- Investigate: fully analyze the threat and associated risk, and determine if an incident has occurred or is occurring.
- Mitigate: implement countermeasures and controls that mitigate the risk presented by the threat.
- Recover: fully eradicate, clean up, report, review and adapt.

Unparalleled Visibility

LogRhythm offers unparalleled forensic visibility by collecting the widest variety of machine data in real time, including security events, audit logs, flow data, and more.

LogRhythm provides broad and deep visibility, and enables precise threat detection and prioritization and false-positive minimization by applying diverse techniques against a full set of log and environmental data. Purpose-built forensic sensors also provide visibility into network communications and endpoint activity.

Patented Advanced Analytics and Data-Processing Capabilities

In addition, LogRhythm continuously monitors for threats using multidimensional, scenario-based algorithms.

Holistic Security Analytics and User Entity Behavior Analytics (UEBA) provide out-of-the-box capabilities for rapidly detecting a wide range of user-based threats such as compromised accounts and privilege abuse.

Sophisticated “big data” analytical techniques, including machine learning, behavior profiling, statistical analysis and black/whitelisting, enable LogRhythm to quickly determine and verify threats.

Threat Intelligence Operationalization

LogRhythm’s Risk-Based Prioritization algorithm uses environmental risk characteristics and threat context to assign a 100-point score to all alarms. This helps organizations quickly adopt a risk-based monitoring strategy, reducing alarm fatigue and effectively focusing your teams’ time where it matters most.
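The risk-based prioritization described here, and the "threat qualification and risk determination" step in the Essential Guidance above, rest on the same idea: score each alarm by combining how important the affected asset is (environmental risk) with what is known about the threat (threat context), then work the highest scores first and let the rest wait. The Python below is an added illustration of that idea, not LogRhythm's algorithm or code; the 0-100 formula, the weights, the field names, the asset inventory and the sample alarms are all assumptions constructed for the example.

```python
"""Rank security alarms with a 0-100 risk-based score that blends the
affected asset's importance (environmental risk) with threat context.

Added illustration of risk-based prioritization, not LogRhythm's algorithm
or code. The formula, weights, field names, asset inventory and alarms are
assumptions constructed for the example.
"""

# Constructed asset inventory: criticality from 1 (disposable) to 10 (crown jewels).
ASSET_CRITICALITY = {
    "dc01": 10,      # domain controller
    "pay-db": 9,     # payments database
    "ws-alice": 4,   # staff workstation
    "lab-vm-7": 1,   # disposable test VM
}

# Constructed alarms: severity 1-10 assigned by the detection rule, confidence
# 0-1 from the evidence behind the alarm (threat context).
SAMPLE_ALARMS = [
    {"id": 1, "asset": "lab-vm-7", "rule": "port scan", "severity": 2, "confidence": 0.9},
    {"id": 2, "asset": "dc01", "rule": "credential dumping", "severity": 9, "confidence": 0.8},
    {"id": 3, "asset": "ws-alice", "rule": "AV signature match", "severity": 6, "confidence": 0.9},
    {"id": 4, "asset": "pay-db", "rule": "anomalous outbound transfer", "severity": 8, "confidence": 0.6},
    {"id": 5, "asset": "ws-alice", "rule": "failed logins", "severity": 2, "confidence": 0.3},
]

DEFAULT_CRITICALITY = 5  # assumed value for assets missing from the inventory


def risk_score(alarm, criticality, w_asset=0.5, w_threat=0.5):
    """Return an integer 0-100 score for one alarm.

    Threat impact is severity scaled by confidence, so a weakly evidenced
    alarm on a critical asset ranks below a well-evidenced one on the same
    asset, and a confident alarm on a throwaway host stays low.
    """
    asset = criticality.get(alarm["asset"], DEFAULT_CRITICALITY) / 10   # 0..1
    threat = (alarm["severity"] / 10) * alarm["confidence"]               # 0..1
    return round(100 * (w_asset * asset + w_threat * threat))


def prioritize(alarms, criticality, threshold=50):
    """Split alarms into a worklist (score >= threshold, highest first) and
    a suppressed list (everything else). Both are lists of (score, alarm id).
    """
    scored = sorted(((risk_score(a, criticality), a) for a in alarms),
                    key=lambda item: (-item[0], item[1]["id"]))
    worklist = [(s, a["id"]) for s, a in scored if s >= threshold]
    suppressed = [(s, a["id"]) for s, a in scored if s < threshold]
    return worklist, suppressed


if __name__ == "__main__":
    work, quiet = prioritize(SAMPLE_ALARMS, ASSET_CRITICALITY)
    print("work first:", work)
    print("suppressed:", quiet)
```

On the constructed input the credential-dumping alarm on the domain controller (86) and the anomalous transfer from the payments database (69) make the worklist, while the confident port-scan alarm on the lab VM scores only 14 because the asset does not matter. The point of keeping the inventory separate from the scoring is that the same detection rules produce different priorities in different environments; the inventory is where the "environmental risk characterization" from the guidance actually lives, and an asset that is missing from it gets a middle score rather than being silently ignored.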

Fully Integrated Forensics Workflow

LogRhythm has a fully integrated case and incident management system that provides a full audit history and a real-time dashboard of all active investigations and incidents.

An evidence locker centralizes all forensic data associated with active investigations.

Highly Automated Incident Response

By automating routine investigatory actions, LogRhythm is able to conduct proactive mitigation of threats without human interaction (i.e., significantly reduce the MTTD). Actions can be initiated without human interaction.

A LogRhythm Viewpoint