Verizon Enterprise has released its annual Data Breach Investigations Report reviewing 64,199 security incidents resulting in 2,260 security breaches. Verizon defines an incident as compromising the integrity, confidentiality, or availability on an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than enduring them Verizon offers several sections of recommended controls to be employed by security-conscious enterprises. If you don’t care to read the full 80-page report, Ziften offers this Verizon DBIR analysis with a focus on Verizon’s EDR-enabled recommended controls:
Vulnerabilities Recommended Controls
A solid EDR tool performs vulnerability scanning and reporting of exposed vulnerabilities, including vulnerability exposure timelines illustrating vulnerability management effectiveness. The exposure timelines are important since Verizon stresses a methodical approach that emphasizes consistency and coverage, versus haphazard expedient patching.
Phishing Recommended Controls
Although Verizon recommends user training to avoid phishing susceptibility, still their data shows nearly a third of phishes being opened, with users clicking on the link or attachment more than one time in ten. Not good odds if you have at least ten users! Given the inevitable click compromise, Verizon recommends placing effort into detection of abnormal networking activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR solution will not only track endpoint networking activity, but also filter it against network threat feeds identifying malicious network targets. Ziften goes beyond this with our patent-pending ZFlow technology to augment network flow data with endpoint context and attribution, so that SOC staff have vital decision context to rapidly resolve network alerts.
Web App Attacks Recommended Controls
Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR solution will monitor login activity and will apply anomaly checking to detect unusual login patterns indicative of compromised credentials.
Point-of-Sale Intrusions Recommended Controls
Verizon recommends (and this has also been strongly recommended by FireEye/Mandiant) strong network segmentation of POS devices. Again, a solid EDR solution should be tracking network activity (to identify anomalous network contacts). ZFlow in particular is of great value in providing critical decision context for suspicious network activity. EDR solutions will also address Verizon’s recommendation for remote login tracking to POS devices. Along with this Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with additional login pattern anomaly checking (since even MFA can be defeated with MITM attacks).
Insider and Privilege Misuse Recommended Controls
Verizon recommends “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR product naturally provides this capability. In Ziften’s case our product tracks user presence time periods and user focus activities while present (such as foreground application usage). Anomaly checking can identify unusual deviations in activity pattern whether a temporal anomaly (i.e. something has altered this user’s normal activity pattern) or whether a spatial anomaly (i.e. this user behavior pattern differs significantly from peer behavior patterns).
Verizon also recommends tracking usage of USB storage devices, which solid EDR products provide, since they can serve as a “sneaker exfiltration” route.
Miscellaneous Errors Recommended Controls
Verizon recommendations in this section focus on maintaining a record of past errors to server as a warning of mistakes to avoid in the future. Solid EDR products do not forget; they maintain an archival record of endpoint and user activity going back since their first deployment. These records are searchable at any time, perhaps after some future incident has uncovered an intrusion and response teams need to go back and “find patient zero” to unravel the incident and identify where mistakes may have been made.
Physical Theft and Loss Recommended Controls
Verizon recommends (and many regulators demand) full disk encryption, especially for mobile devices. A proper EDR product will verify that endpoint configurations are compliant with enterprise encryption policy, and will alert on violations. Verizon reports that data assets are physically lost one-hundred times more frequently than they are physically stolen, but the impact is essentially the same to the affected enterprise.
Crimeware Recommended Controls
Again, Verizon stresses vulnerability management and consistent thorough patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This reflects an accurately updated vulnerability assessment at any point in time.
Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools do track arrival and execution of new binaries, and Ziften’s product can obtain samples of any binary present on enterprise endpoints and submit them for detailed static and dynamic analysis by our malware research partners.
Cyber-Espionage Recommended Controls
Here Verizon specifically calls out usage of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps that can be compliance-verified by EDR tools.
Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can greatly enhance traditional network flow monitoring with endpoint context and attribution, providing a fusion of network and endpoint security that is truly end-to-end.
Finally, Verizon recommends monitoring and logging, which is the first thing third party incident responders request when they arrive on-scene to assist in a breach crisis. This is the prime purpose of EDR tools, since the endpoint is the most frequent entry vector in a major data breach.
Denial-of-Service Attacks Recommended Controls
Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port usage by applications and employ anomaly checks to identify unusual application port usage that could indicate compromise.
Enterprise services migrating to cloud providers also require protection from DoS attacks, which the cloud provider may provide. However, looking at network traffic tracking in the cloud — where the enterprise may lack cloud network visibility — options like Ziften ZFlow provide a means for collecting enhanced network flow data directly from cloud virtual servers. Don’t let the cloud be your network blind spot, or else attackers will exploit this to fly outside your radar.