Verizon’s 2015 Data Breach Investigations Report (DBIR) was published last month, building on the findings of the 2014 report. We’ll take a look at the major findings of the 2015 report in our next post, but in the spirit of heading for the dessert bar first, we’ll start with the goodies. The conclusion of the report includes a table of the top Critical Security Controls (CSCs) from the SANS Institute, the handful of controls that cover the majority of the observed threats:
| Control | Description |
|---|---|
| CSC 13-7 | Two-factor authentication for remote logins. |
| CSC 6-1 | Make sure applications are up to date, patched, and supported versions. |
| CSC 11-5 | Verify that internal devices reachable from the internet actually need to be reachable from the internet. |
| CSC 13-6 | Use a proxy for all outgoing traffic to provide authentication, logging, and the ability to whitelist or blacklist external sites. |
| CSC 6-4 | Test web applications both periodically and when changes are made. Test applications under heavy load for both DoS and legitimate high-use cases. |
| CSC 16-9 | Use an account lockout policy for too many failed login attempts. |
| CSC 17-13 | Block known file transfer sites. |
| CSC 5-5 | Scan email attachments, email content, and web content before they reach the user’s inbox. |
| CSC 11-1 | Remove unneeded services, protocols, and open ports from systems. |
| CSC 13-10 | Segment the internal network and limit traffic between segments to specific approved services. |
| CSC 16-8 | Use strong passwords – suggested: |
| CSC 3-3 | Restrict admin privileges to prevent installation of unauthorized software and abuse of admin privileges. |
| CSC 5-1 | Use antivirus software on all endpoints and log all detection events. |
| CSC 6-8 | Review and monitor the vulnerability history, customer notification process, and patching/remediation for all third-party software. |
This is not a comprehensive list – it’s a starting point. Some of the CSCs above may not apply to your company, and other CSCs critical to your environment may not be in the list. The technology used to implement these controls changes over time to keep up with threats, and more often than not it is playing catch-up. The bottom line is that even a well-controlled environment can still be vulnerable to unknown threats.
The key to detecting unknown threats is to know the baseline behavior of your network and look for deviations from it. If you know what normal login traffic looks like, you can see when there are attempts to log in from unusual locations or at unusual times. You can detect attempts to upload files to unknown FTP sites. You can detect an unusual spike in web traffic. More importantly, you can isolate and investigate the behavior rather than waiting for a signature that may never arrive.
Logs from domain controllers, web servers, and syslog from network devices exist by default, but there is no easy way to correlate across those logs in their raw form to analyze a problem. We recommend Splunk® for its ability to correlate fields across different log formats, and for its dashboard and alerting capabilities, which highlight activity that deviates from your baselines.
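To make the "baseline, then look for deviations" idea concrete, here is an added example (not code from the original post, and not how any particular product implements it) that learns what normal logons look like from a week of constructed log lines and then scores a new day against that baseline. The log format, host name `dc01`, user names and IP addresses are all invented for illustration. It flags three of the deviations mentioned above: a logon from a source network never seen for that user, a logon at an hour that user never logs on, and a spike in failed logons beyond anything seen in the learning window.

```python
"""Baseline-and-deviation detection over constructed login log lines.

Added example, not code from the original post. The log format, host name,
user names and addresses are invented for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample: a learning window of "normal" logons, then one day of
# new events to score against the baseline learned from that window.
BASELINE_LOG = """\
2015-05-04T08:55:12Z dc01 logon user=alice src=10.1.20.14 result=success
2015-05-04T09:02:40Z dc01 logon user=bob src=10.1.20.31 result=success
2015-05-05T08:58:03Z dc01 logon user=alice src=10.1.20.14 result=success
2015-05-05T09:11:27Z dc01 logon user=bob src=10.1.20.31 result=success
2015-05-06T09:04:50Z dc01 logon user=alice src=10.1.20.15 result=success
2015-05-06T09:07:18Z dc01 logon user=bob src=10.1.20.31 result=failure
2015-05-06T09:07:40Z dc01 logon user=bob src=10.1.20.31 result=success
2015-05-07T08:49:33Z dc01 logon user=alice src=10.1.20.14 result=success
2015-05-07T09:15:02Z dc01 logon user=bob src=10.1.20.32 result=success
"""

NEW_LOG = """\
2015-05-08T09:01:10Z dc01 logon user=alice src=10.1.20.14 result=success
2015-05-08T03:17:44Z dc01 logon user=bob src=203.0.113.9 result=success
2015-05-08T09:06:05Z dc01 logon user=bob src=10.1.20.31 result=success
2015-05-08T11:40:01Z dc01 logon user=svc-backup src=198.51.100.7 result=failure
2015-05-08T11:40:03Z dc01 logon user=svc-backup src=198.51.100.7 result=failure
2015-05-08T11:40:05Z dc01 logon user=svc-backup src=198.51.100.7 result=failure
2015-05-08T11:40:07Z dc01 logon user=svc-backup src=198.51.100.7 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) logon user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse(log):
    """Turn raw lines into dicts; the source IP is generalised to its /24."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, unparsable lines deserve their own alert
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["net"] = str(ip_network(ev["src"] + "/24", strict=False))
        events.append(ev)
    return events


def build_baseline(events):
    """What 'normal' looks like per user: source /24s, hours of day, and the
    highest number of failed logons seen on any single day."""
    nets, hours, fails = defaultdict(set), defaultdict(set), Counter()
    for ev in events:
        if ev["result"] == "success":
            nets[ev["user"]].add(ev["net"])
            hours[ev["user"]].add(ev["ts"].hour)
        else:
            fails[(ev["user"], ev["ts"].date())] += 1
    max_fails = Counter()
    for (user, _), n in fails.items():
        max_fails[user] = max(max_fails[user], n)
    return {"nets": nets, "hours": hours, "max_fails": max_fails}


def find_deviations(baseline, events, hour_slack=1):
    """Return {(user, date): [reasons]} for everything outside the baseline."""
    findings = defaultdict(list)
    fails = Counter()
    for ev in events:
        user, key = ev["user"], (ev["user"], ev["ts"].date())
        if ev["result"] == "failure":
            fails[key] += 1
            continue
        if user not in baseline["nets"]:
            findings[key].append("user never logged on during baseline window")
            continue
        if ev["net"] not in baseline["nets"][user]:
            findings[key].append("new source network " + ev["net"])
        if not any(abs(ev["ts"].hour - h) <= hour_slack for h in baseline["hours"][user]):
            findings[key].append("unusual hour %02d:00" % ev["ts"].hour)
    # Volume check: more failures in a day than this user ever produced before.
    for key, n in fails.items():
        if n > baseline["max_fails"][key[0]]:
            findings[key].append("%d failed logons, baseline daily max %d"
                                 % (n, baseline["max_fails"][key[0]]))
    return dict(findings)


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for (user, day), reasons in sorted(find_deviations(base, parse(NEW_LOG)).items()):
        print(user, day, "->", "; ".join(reasons))
```

Run as-is, it reports bob's 03:17 logon from an outside network and the burst of failures against `svc-backup`, while alice's routine logon produces nothing. The baseline is deliberately simple (sets of networks and hours, a per-day failure maximum); the point is that each alert is tied to a specific user and day, so the analyst has something concrete to isolate and investigate rather than a raw log to sift through.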