How Threat Intelligence and Sandboxing Can Protect Your Customers from Zero-Day Exploits

It seems as if every week there is yet another news story about a company reporting a security breach. Organizations continue to find themselves under siege, and the attacks are not only increasing in number but are becoming more subtle and varied as well.

The recent Michaels breach, which exposed at least 3,000,000 customers’ credit card details over the course of several months, is the most recent example. According to the New York Times, two security firms brought in to review the breach stated that the attack was the result of “highly sophisticated malware that had not been encountered previously by either of the security firms.” The increasing complexity of these attacks is proving to be more than the traditional one-two punch of a firewall and antivirus setup can handle.

Today’s most sophisticated cybercriminals are increasingly bypassing traditional antimalware solutions and inserting advanced persistent threats (APTs) deep within networks. These highly targeted attacks evade established signature-based detection by masking their malicious nature in many ways — compression, encryption, polymorphism, the list of techniques goes on. Some have even begun to evade virtual “sandbox” environments using VM detection, “time bombs” and more.

Attackers are getting more creative and subtle, and companies need to be armed with the latest threat intelligence in order to protect their critical network infrastructure, their private data and especially their customers. With the cost of a breach as high as $225 per record, a single breach can put a company out of business. As a result, more organizations are turning to a Managed Security Service Provider (MSSP) to help secure their networks.

While the increase in business is great for this growing market segment (some estimates put the market at $15 billion by 2015), the influx of new customers and the new breed of APTs can create problems for MSSPs. Customers need advice, and MSSPs need to know the answers:

  • What threats are hot?
  • What attacks should the customer or MSSP be looking for in their particular geography?
  • An attack was detected; what should I do?
  • What were the attackers trying to do?

Fighting today’s attacks requires a comprehensive and integrated approach: more than the firewall and antivirus combination, even more than antimalware. MSSPs need advanced threat intelligence and the ability to “sandbox” new zero-day attacks, that is, to run them in a separate, non-production environment, in order to combat these APTs.

Broken down to the basics, threat intelligence is a body of correlated data about zero-day attacks, threat conditions and vulnerabilities. An MSSP can subscribe to a range of feeds, from simple website categorization all the way up to a global threat intelligence outlook. An MSSP can use this data to determine whether a particular piece of malware is a threat to its customer base, or whether there is another vulnerability or attack it should focus on instead. Threat intelligence feeds can also notify MSSPs the minute a vulnerability or attack is seen in “the wild”.

In a sandbox environment, suspicious code is tagged and subjected to multi-layer pre-filters before it is executed in the virtual OS for detailed behavioral analysis. These pre-filters can include a screen by a malware engine, queries to cloud-based threat databases and OS-independent simulation with a code emulator, followed by execution in the full virtual runtime environment. Once malicious code is detected, the results are submitted for antimalware signature creation and for updates to other threat databases.

All classifications, malicious and high/medium/low risk, can be presented in a dashboard view with full threat information available via logging and reporting functions. This allows reports regarding new and sandboxed attacks to be created and shared with customers, or internally.
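As an added illustration (not code from this article or from Fortinet’s products), the following Python sketch models the staged triage described above: a cloud threat-database hash lookup and a static malware-engine screen act as pre-filters, only undecided samples reach full runtime behavior analysis, verdicts use the malicious/high/medium/low classes above, and a runtime detection feeds its hash back into the database. The database entries, static rules and behavior markers are constructed stand-ins, not real indicators.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a cloud threat database: SHA-256 -> family name.
KNOWN_BAD = {
    hashlib.sha256(b"MZ\x90\x00 CONSTRUCTED-DROPPER").hexdigest(): "Trojan.Dropper.Constructed",
}
# Constructed rules for the first-pass malware-engine screen: byte pattern -> weight.
STATIC_RULES = {b"CreateRemoteThread": 2, b"VirtualAllocEx": 2, b"IsDebuggerPresent": 1}
# Constructed marker -> behavior a full runtime run would report for this toy sample format.
RUNTIME_BEHAVIOURS = {b"persist": "registry-run-key", b"beacon": "outbound-c2-http", b"drop": "writes-exe"}

@dataclass
class Verdict:
    classification: str          # "malicious", "high", "medium" or "low"
    stage: str                   # pre-filter or runtime stage that decided
    evidence: list = field(default_factory=list)

def threat_db_lookup(sample: bytes):
    """Stage 1: hash query against the (constructed) cloud threat database."""
    family = KNOWN_BAD.get(hashlib.sha256(sample).hexdigest())
    return Verdict("malicious", "threat-db", [family]) if family else None

def malware_engine_screen(sample: bytes):
    """Stage 2: cheap static screen; only a strong combined hit short-circuits the pipeline."""
    hits = [rule for rule in STATIC_RULES if rule in sample]
    score = sum(STATIC_RULES[rule] for rule in hits)
    return Verdict("high", "static-screen", [h.decode() for h in hits]) if score >= 4 else None

def runtime_execution(sample: bytes) -> Verdict:
    """Stage 3: full virtual runtime; classify by observed behaviors (constructed markers)."""
    seen = [behavior for marker, behavior in RUNTIME_BEHAVIOURS.items() if marker in sample]
    if "outbound-c2-http" in seen and "registry-run-key" in seen:
        return Verdict("malicious", "runtime", seen)
    return Verdict("medium" if seen else "low", "runtime", seen)

def triage(sample: bytes) -> Verdict:
    """Run pre-filters in order; escalate to the runtime only when they cannot decide."""
    for stage in (threat_db_lookup, malware_engine_screen):
        verdict = stage(sample)
        if verdict:
            return verdict
    verdict = runtime_execution(sample)
    if verdict.classification == "malicious":
        # Feed the new detection back into the threat database, as the article describes.
        KNOWN_BAD[hashlib.sha256(sample).hexdigest()] = "Runtime.Detected"
    return verdict
```

A real deployment would also emit each Verdict to logging and reporting so the dashboard view and customer reports mentioned above can be built from the same data.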

Pairing this type of intelligence with the ability to isolate suspicious code in a completely separate network gives MSSPs a new weapon to protect their customers from the myriad advanced attacks that these organizations face on an increasing basis. Perhaps this new methodology could have blunted the impact of the Michaels attack. It can definitely help other organizations avoid a similar breach in the future.

About the author: Geoff Kreiling is the Manager of Fortinet’s Managed Security Service Providers – Americas division.

About MSPAlliance

Founded in 2000, MSPAlliance is the world’s largest community for managed service providers. Free membership gives you access to resources, research, and certification programs that help you build a mature, compliant, and trusted MSP business.
