Stop Targeted Attacks Before They Stop Your Business


  • 8/9/2019 Stop Targeted Attacks Before They Stop Your Business



    © 2014 QuinStreet, Inc.

    Introduction

    IT security has always been a concern for businesses. For a long time security meant preparing for a massive attack, like a Trojan Horse or a virus. It wasn't all that long ago that only the largest

    of companies had to worry about falling prey to sophisticated cyber attacks. This is no longer the

    case. According to the January 2014 Symantec Intelligence Report, attacks were fairly evenly split

    among organizations of all sizes and industries.

    While large-scale massive attacks are still prevalent and continue to evolve in cunning, the

    days when these were the only threats to worry about look simple and straightforward compared to

    today's landscape.

    Targeted attacks and advanced persistent threats are distinct threat types, and each requires that its

    own set of protection capabilities be deployed if an enterprise is to truly protect its entire

    infrastructure.

    To prevent attacks, organizations need a security strategy in place to deflect both mass malware

    and targeted attacks. A targeted attack is, as its name implies, one that is aimed at a specific user,

    company or organization. These attacks are not widespread like a virus or worm, but rather are

    designed to attack and breach a specific target, with the ultimate goal of collecting various types of

    data.

    To truly protect themselves from a targeted attack, businesses must change their view of security

    from top to bottom. From strategic planning to implementation, organizations must stop believing

    endpoint antivirus and firewalls are enough and instead think in terms of proactive, multi-layered

    protection. An effective layered approach protects all vulnerable areas.

    This typically includes signature-based protection as well as the security intelligence to provide

    contextual awareness and adaptive monitoring across three key vulnerable (and often valuable)

    areas:

    • Endpoints

    • Gateways

    • Data center 


    A sub-par protection plan opens the door to infections and creates significant costs, whether measurable

    in quantifiable dollars or something less tangible, like employee morale. A breach in your security will often

    result in lost or compromised data, expensive equipment replacement, lost productivity and loss of

    customer confidence. A breach also means reallocated resources, time lost, lots of backtracking, lost

    productivity, and ultimately lost revenue. There is both a short-term and a long-term impact.

    A security breach at any of those three points will have a significant negative impact. In fact, even an infection that hasn't reached the level of a breach can impact productivity, as it too will soak up IT resources and

    add real costs to your business.

    Targeted Attack Trends

    Targeted attacks are on the rise. Neither company size nor industry affords protection. According to

    the January 2014 Symantec Intelligence Report, small companies of 250 employees or less were

    targeted in 39 percent of attacks in January 2014, while those with 2,500 or more employees were

    targeted 38 percent of the time. The remaining 23 percent targeted enterprises in between. More than

    40 percent of attacks were on manufacturing and nontraditional services firms (e.g., hospitality,

    recreational, and repair services), while finance, insurance and real estate (13.7 percent), professional services (11.4 percent) and wholesalers (11.0 percent) also fell prey.

    No company is immune from a targeted attack. If you think that just because you have some sort of

    perimeter protection and you haven't yet been hit, you're OK, think again. Targeted attacks are stealthy,

    complicated beasts. Oftentimes they sit silently, collecting information, for more than 10 months before

    they are discovered. Additionally, it's important to understand that smaller companies are often used

    as a gateway to attacking a larger company with which they have an established relationship.

    And don't think stopping the hackers from getting in is an easy solution either. It is near-impossible to

    know who's targeting you, as hackers are an increasingly diverse group - not one profile applies to

    them all - or what they're targeting you with because the tools attackers use adapt so rapidly to IT

    environments.

    Thus, it's imperative to cover all bases to protect your entire infrastructure. That includes gateways,

    endpoints, and data centers. Proactive, independent steps must be taken to protect these key touch

    points.

    Consider the data center, for example. The data center will always be a prime target for attacks. This

    is where your most important information lives and the heart of your functionality. Protecting the

    servers, both physical and virtual, on which data resides is critical. While most attacks aim for a weak

    point of entry, the true prize they're eyeing is in the data center. Although a breach is less likely to take

    place directly at the data center level than at a compromised endpoint or gateway, the data center

    requires security solutions to stop malware that may be trying to spread from endpoints or another

    weak point in the network.

    The dynamic nature of today's data center complicates this further. Optimized security for each unique

    type of server - web, file, application, database and so on - is needed, bearing in mind that

    "servers" are virtual as well as physical. Without protection for all of these server types, the data

    center remains at risk.

    The techniques used against servers today range from sophisticated penetration techniques to

    unintentional configuration mistakes by admins. Cybercriminals frequently target servers during the

    incursion, discovery, and capture phases of a data breach.

    Hence, the traditional protection technologies and policies often employed, such as antivirus or patch

    updates, while still an important layer of defense, are often not up to the task of securing today's data

    center. Today's threat landscape warrants augmenting them with real-time and proactive security that

    protects servers well enough to meet the stricter confidentiality, integrity, and availability

    requirements of each system.

    A note of caution - while it may seem tempting and cost effective to bypass protecting gateways and

    endpoints, and instead put all of your security dollars into building a fortress around the data center, it

    is far from the most effective course of action. As important as it is to protect your assets directly, it is

    equally important to prevent targeted attacks from penetrating at all. No single layer of security can

    accomplish that on its own.

    There is no denying endpoint protection is critical, and organizations are wise to ensure it is part of

    their security arsenal. Endpoint security is becoming a more common IT security function and concern

    as more employees bring their own mobile devices to work and companies allow their mobile workforces

    to use these devices on the corporate network.

    Without some sort of endpoint security, there would be no protection in place for the corporate network

    when accessed via remote devices, such as laptops or other wireless and mobile devices. Each

    device with a remote connection to the network creates a potential entry point for security threats.

    Endpoint security is designed to secure each endpoint on the network created by these devices. The

    increase in employee-owned devices further multiplies these potential vulnerabilities. A

    typical endpoint security configuration consists of security software (e.g., antivirus, antispyware and

    firewall protection) located on a centrally managed and accessible server or gateway within the

    network, along with client software installed on each of the endpoints (or devices). The latter becomes

    an increasingly complex endeavor as employees circumvent policies and access the network from

    potentially unsecured devices.

    Thus, as comprehensive as endpoint protection seems, it is important to bear in mind that given the

    nature of today's threats, endpoint protection is often not enough. It is important to also secure the

    gateways as well as the data center itself.

    Web protection is but one type of gateway protection. For web protection to truly be effective, you

    must secure email as well. Gateway protection secures nodes on a network that serve as an entrance

    to another network. The computer routing the traffic from a workstation to the outside network that is

    serving the web pages is serving a gateway function. In the past, a proxy server sufficed, but with the

    growing variety of web-borne malware, that is no longer enough. True web protection is able to identify

    new threats before they cause disruption in your organization.


    However, focusing purely on the gateway is not enough. Whitelisting, blacklisting, URL filtering and

    so on are helpful and necessary, but it is important to bear in mind that the web is a pass-through

    point and hackers are increasingly cagey. Spyware and other easily downloaded malware can quickly

    penetrate your network if not caught. It is also important to have a web gateway solution that is able to

    scan all outbound communications, as this can provide an early warning of a malware infection in

    progress.

    In addition, no matter how well you protect your web servers and other web-based access points,

    they are not the endpoints, and the data center itself must also be protected, both to stop a targeted

    attack from striking and, should it get in, to stop it from doing damage.

    Email protection is considered one type of gateway protection. For email protection to truly be

    effective, you must secure web connections as well. Email has always been an easy gateway for

    hackers. First it was merely the annoyance of spam that had to be dealt with. The biggest problem

    with spam was its impact on productivity and bandwidth. Today, the security threats that come in via

    messaging are far more nefarious. Security threats take the form of spoofed addresses and phishing,

    malware-infected files such as PDF or Office documents, embedded URLs and more.

    Having protection in place to ensure a targeted attack does not enter your network via a gateway,

    whether email or a web connection, is imperative. The gateway is but one component, however, and it

    is a mistake to overlook the endpoint and the data center itself.

    Protection Your Organization Needs to Keep Your IT Assets Safe

    Just as a chain is only as strong as its weakest link, an organization's security infrastructure is only as

    tight as the loosest vulnerable point. Thus it is important to protect your endpoints, gateways and data

    center from targeted attacks.

    Individually, the security of each component offers many advantages to the security of the organization as a whole, but none are without limitations. Securing a single component will not bring

    end-to-end security to the enterprise. Rather all three areas must be protected from targeted attacks,

    ideally with a layered umbrella approach that treats the organization as a single entity.

    Take endpoints, for example. Protecting your endpoints has always been important, and the criticality

    continues to increase as more employees bring consumer mobile devices to work, and companies

    allow their mobile workforces to use these devices on the corporate network. Endpoint security

    protects the corporate network when accessed via remote devices, such as laptops or other wireless

    and mobile devices.

    Generally, endpoint security is a security system that consists of security software located on a

    centrally managed and accessible server or gateway within the network, in addition to client software

    being installed on each of the endpoints (or devices). The server authenticates logins from the

    endpoints and also updates the device software when needed.

    Effective endpoint protection blocks threats as they travel over the network and try to take up

    residence on a system. While endpoint security software differs by vendor, you can expect most

    software offerings to provide antivirus, antispyware, firewall and also a host intrusion prevention

    system. All of these offerings stop malware in its tracks. Ideally, endpoint protection should go beyond

    antivirus and offer layered protection at the endpoint.

    Stopping malware before it reaches gateways or the data center is certainly preferable to identifying a

    compromise that has already taken place. However, while a good endpoint security package can handily protect endpoints, endpoints are not the only IT assets vulnerable to a

    targeted attack. Nor is even the most inclusive security package immune to ever-evolving threats.

    Endpoint security, as important and effective as it is, is but one component of a comprehensive and

    layered security strategy.

    There's no escaping the web. Both having a web presence and using the web for daily operations are

    necessary components of an effective business strategy.

    The web, as well as email, is a gateway into the corporate network. This makes it vulnerable to a

    targeted attack as it is an easy conduit for a hacker to get to the organization's servers. Protecting this

    gateway from the multiple types of constantly mutating web-borne malware is critical. The most

    popular way to do this is with URL filtering. A URL-filtering solution filters out undesirable URLs to

    prevent employees from visiting sites known to be malicious as well as sites that violate company

    policy.

    Unfortunately, this is not enough for the current threat landscape. Rather than relying on what has

    already been proven to be malicious, a proactive approach is more effective. An ounce of prevention

    always goes further than a pound of cure.

    A predictive approach based on context (e.g., age, frequency or location) better exposes threats

    otherwise missed. Relying on a pool of knowledge about potential threats is also a useful indicator.

    Ideally, the security tools in place at the web gateway will identify and block new and unknown

    malware, stopping it in its tracks before it reaches an endpoint or finds its way into the data center.

    Oftentimes, however, these tools are more valuable when they are not stand-alone. The ability to

    leverage the knowledge and techniques from one security protection layer in another increases the odds

    of stopping a targeted attack in its tracks. In addition, being able to scan all outbound web traffic can

    help provide an early warning in case of infections on unmanaged or unprotected endpoints.

    Love it or hate it, email is a vital component of any organization's communications strategy. Email is

    used for both internal and external communications. For external communications in particular, it is

    often the easiest way to transmit files in any format.

    In the early days of email, bandwidth-hogging and time-consuming spam was an organization's

    biggest worry. Today, antispam is the tip of the iceberg. Email is a gateway into the corporate network.

    The ease with which a file can be attached to an email and transmitted throughout the organization

    makes it an easy conduit for a targeted attack. An infected attachment or an embedded link to a

    nefarious site can do a great deal of damage in a very brief amount of time.

    Thus, in addition to focusing on spam, which brings with it its own set of challenges, security software

    for the messaging gateway should ensure that the attachments are clean and malicious URLs are

    removed. One that can remove potentially malicious active content from documents attached to an

    email and send a clean version of the document to the user is even better.

    Basic antispam and antivirus functionality should not be overlooked either. Whitelisting/blacklisting and

    filtering at the server level all help reduce spam.

    To minimize the impact of falling victim to address spoofing or allowing spoofed messages to be

    passed on, look for messaging protection that is capable of blocking links and can check for emails

    with malicious, shortened links, and then stop them before they reach a recipient.

    Bear in mind, however, that email is but one component of the gateway layer of a security strategy. It

    is critical to have not just messaging protection in place but also protection for threats that could come

    in through the web. In addition, merely protecting gateways is not enough. Enterprises must be sure

    to also protect endpoints and the data center itself.

    The data center is the Holy Grail for many enterprises. Neglect to protect it or under-protect it, and no

    matter how much endpoint security or gateway protection you have in place, it's only a matter of time

    before a targeted attack is able to successfully breach the arsenal in place and have access to your

    most valuable data, regardless of whether it resides on physical or virtual infrastructure in the data

    center.

    To stop a targeted attack, IT has historically relied on traditional protection technologies such as

    antivirus and whitelisting. To secure today's physical and virtual data centers, this is no longer enough.

    Server protection must cover in-depth confidentiality, integrity, and availability requirements of each

    system. Oftentimes security must be customized for each server, be it web, file, application, or database, due to data sensitivity or regulatory constraints.

    Granular, policy-based controls are one solution to this. In addition, a combination of host-based

    intrusion detection, intrusion prevention, and least privilege access control enables organizations to

    proactively safeguard heterogeneous server environments and the information they contain.

    While it may seem tempting and cost effective to bypass protecting gateways and endpoints, and

    instead put all of your security dollars into building a fortress around the data center, it is far from the

    most effective course of action. As important as it is to protect your assets directly, it is equally

    important to prevent targeted attacks from penetrating at all. No single layer of security can accomplish

    that on its own.

    Bridging the Gap

    Securing your enterprise against today's threats means rethinking the security measures you currently

    have in place. Basic antivirus protection doesn't cut it in this world of rapidly mutating malware and

    virulent targeted web attacks. In today's threat landscape, a multi-layered approach to security is

    needed to protect your endpoints and gateways and ultimately your data center.

    You know firsthand that a sub-par protection strategy not only opens the door to more infections but

    also creates real costs. A breach in security is serious business. As we noted previously, lost or

    compromised data, expensive equipment replacement, lost productivity and loss of customer

    confidence have a rippling and crippling impact on the core business, and you are often the one

    feeling the pain.

    Whether you've been officially tasked with improving security or are frustrated with the current

    situation and eager to develop a more secure IT environment, the first step is to assess what is

    currently being done. The following questions should be considered:

    • What are you currently doing and using for security?

    • What does the data center environment look like? Where are your endpoints and gateways?

    • Do you have remote employees? What is your policy on BYOD?

    • What critical data are you tasked with protecting?

    Only after those questions have been answered, and buy-in and budget from senior management are

    received, is it time to seek out a solution.

    Next Steps - How Symantec Can Help

    Seeking a security solution is no easy task. There is no shortage of vendors from which to choose.

    Some are generalists, offering a wide range of security services, while others are specialists or niche

    players with one or two areas of security expertise.

    When it comes to IT security, more often than not, you get what you pay for. Thus, going with a

    smaller, niche-oriented vendor, perhaps one that is even best of breed for a given niche, may save

    you money upfront and may even deliver the highly configurable functionality you seek in a given area.

    However, in the medium term, it will result in a more complicated security architecture that will cost

    more over the long term and be less secure due to the need to bridge solutions together in a cohesive

    fashion and plug any potential gaps that are created. Ad hoc fixes to missing functionality will further

    complicate and create additional security holes leaving the organization more vulnerable to a targeted

    attack.

    On the flipside, a comprehensive solution from a single vendor is in effect putting all of your eggs in

    one basket. Finding a vendor that can meet all of your security needs on all fronts and allows for the

    desired configurability is no easy task.

    Fortunately there is such a vendor. Symantec brings decades of comprehensive intelligent security

    expertise, global intelligence and a broad portfolio that offers proactive and integrated protection from targeted attacks at the endpoint, gateway and data center level. It offers a proven and holistic approach

    to protection.

    Symantec Endpoint Protection combines effectiveness and performance to deliver unparalleled

    security across physical and virtual systems, offering both maximum performance and advanced

    protection.

    Symantec Endpoint Protection combines three technologies: Network Threat Protection, SONAR

    and Insight. Collectively, this powerful trifecta outperforms traditional antivirus protection: Network

    Threat Protection, Insight and SONAR caught 51 percent of all of the threats seen by Symantec in

    2012.

    Symantec Network Threat Protection analyzes incoming data streams via network connections and

    blocks threats before they actually hit the system. Network Threat Protection sits inside of browsers and scans more than 200 protocols to block attacks on vulnerabilities. It also monitors outgoing traffic

    to ensure sensitive data stays in.

    Symantec Insight uses the collective wisdom of millions to help organizations reduce false positives

    and determine whether a file being downloaded onto a corporate network is potentially malicious.

    Symantec Insight leverages factors such as age, prevalence, and source of any executable file to

    provide contextual awareness and score the potential risk of virtually every file.

    With Insight, the unique pieces of malware often used in targeted attacks would have a low reputation

    score since the prevalence of the file would be low. This gives organizations the ability to easily block

    something because Symantec Insight has never seen that particular file before.

    SONAR affords a real-time protection that detects potentially malicious applications when they run on

    your computers. SONAR provides "zero-day" protection, detecting threats before traditional virus and

    spyware detection definitions have been created to address the threats. SONAR detects the following:

    • Heuristic threats - tracks nearly 1,400 behaviors to determine whether an unknown file behaves

    suspiciously and might be a high risk or low risk. It also uses reputation data to determine

    whether the threat is a high risk or low risk.

    • System changes - detects applications or files that try to modify DNS settings or the hosts file

    on a client computer.

    • Trusted applications exhibiting bad behavior - detects applications that are behaving suspiciously or in a

    way outside of their norm.
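    The reputation factors described for Insight (age, prevalence, source of a file) and the behavior checks listed for SONAR (DNS settings, hosts file, trusted applications acting outside their norm) can be combined into one worked risk classifier. The Python below is an added illustration written for this page, not Symantec's code; the telemetry records, source tiers, weights and thresholds are all constructed assumptions chosen so that a never-seen file from an email attachment scores low, as the text describes.

```python
"""Added example: reputation + behavior risk scoring for executable files.

Constructed illustration of the two ideas described above: a file's reputation
is derived from its age, prevalence and source, and its observed behaviors are
checked against a small list of suspicious actions. Weights, thresholds and
telemetry records are assumptions for the example, not vendor values.
"""
from dataclasses import dataclass, field

# Constructed "community telemetry": how many systems have reported a file
# hash and how many days ago it was first seen. Hash values are placeholders.
TELEMETRY = {
    "hash-office-installer": {"prevalence": 4_200_000, "age_days": 900},
    "hash-popular-browser":  {"prevalence": 12_000_000, "age_days": 1500},
    "hash-niche-tool":       {"prevalence": 350, "age_days": 120},
}

# Download sources grouped by how much trust they earn (assumed tiers).
TRUSTED_SOURCES = {"vendor-update-server", "internal-software-repo"}
LOW_TRUST_SOURCES = {"email-attachment", "unknown-web-download"}

# Behaviors treated as suspicious, with assumed weights. The first two are the
# "system changes" the page names; the others are common additional signals.
SUSPICIOUS_BEHAVIORS = {
    "modifies_hosts_file": 3,
    "modifies_dns_settings": 3,
    "injects_into_other_process": 2,
    "disables_security_service": 3,
}


@dataclass
class FileEvent:
    sha256: str
    source: str
    behaviors: list = field(default_factory=list)
    trusted_app: bool = False  # application is on an allow-list


def reputation_score(sha256, source):
    """Return a 0-100 reputation score; higher means more trustworthy."""
    rec = TELEMETRY.get(sha256)
    if rec is None:
        # Never seen before: the low-prevalence case that unique, targeted
        # malware falls into. No prevalence or age credit at all.
        prevalence_pts, age_pts = 0, 0
    else:
        # Bucketed so the score saturates for widely used, long-lived files.
        p = rec["prevalence"]
        prevalence_pts = 50 if p >= 100_000 else 35 if p >= 1_000 else 15 if p >= 10 else 5
        a = rec["age_days"]
        age_pts = 30 if a >= 365 else 20 if a >= 30 else 5
    if source in TRUSTED_SOURCES:
        source_pts = 20
    elif source in LOW_TRUST_SOURCES:
        source_pts = 0
    else:
        source_pts = 10
    return prevalence_pts + age_pts + source_pts


def behavior_score(behaviors, trusted_app):
    """Sum the weights of observed suspicious behaviors.

    A trusted application acting outside its norm is weighted more heavily,
    matching the "trusted applications exhibiting bad behavior" case.
    """
    total = sum(SUSPICIOUS_BEHAVIORS.get(b, 0) for b in behaviors)
    if trusted_app and total > 0:
        total += 2
    return total


def classify(event):
    """Combine reputation and behavior into an allow/monitor/block verdict."""
    rep = reputation_score(event.sha256, event.source)
    beh = behavior_score(event.behaviors, event.trusted_app)
    if beh >= 5 or (rep < 20 and beh > 0):
        return "block"      # clearly bad, or unknown file already misbehaving
    if rep < 20 or beh > 0:
        return "monitor"    # unknown file, or known file with one odd action
    return "allow"


if __name__ == "__main__":
    samples = [
        FileEvent("hash-popular-browser", "vendor-update-server"),
        FileEvent("hash-never-seen", "email-attachment"),
        FileEvent("hash-never-seen", "email-attachment", ["modifies_hosts_file"]),
        FileEvent("hash-popular-browser", "vendor-update-server",
                  ["modifies_dns_settings"], trusted_app=True),
    ]
    for ev in samples:
        print(ev.sha256, ev.source, ev.behaviors, "->", classify(ev))
```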

    Protecting your gateways is a critical component of IT infrastructure protection. Powered by Insight,

    Symantec's reputation-based malware filtering technology, Web Gateway is more than just web

    content filtering software. Web Gateway protects organizations from multiple types of web-borne

    malware and gives organizations the flexibility of deploying it as either a virtual appliance or on

    physical hardware. Insight offers proactive protection against new, targeted or mutating threats,

    blocking not just web traffic, but also any port and protocol.

    Powered by the collective wisdom of more than 210 million systems, Web Gateway is able to detect

    threats as they are created. It uses context to reduce false positives and cut management overhead.

    In addition, because Web Gateway integrates with Symantec Data Loss Prevention Network Prevent

    for Web, it is able to prevent sensitive data from leaving the corporate network via the web, reduce risk

    of data loss by automatically enforcing security policies, and change users' behavior through real-time

    education on policies with notifications of policy violations. Web Gateway can also scan all outbound

    communications to detect infections on unmanaged or unprotected machines and send them to

    quarantine to provide easier remediation.

    Key features of Web Gateway include: Web filtering software that integrates seamlessly with

    Symantec Data Loss Prevention, application control capabilities, Symantec RuleSpace URL filtering

    with flexible policy setting, SSL Decryption capabilities, multiple layers of malware protection, and

    integration with Symantec AntiVirus engine.

    Email is an essential universal tool for doing business, yet it is also a potential gateway for those

    wishing to do harm. Symantec Messaging Gateway and Email Security.cloud deliver powerful email

    protection, enabling organizations to secure their email and productivity infrastructure with effective

    and accurate real-time antispam and antimalware protection, targeted attack protection, advanced

    content filtering, data loss prevention and email encryption.

    Messaging Gateway is simple to administer and catches more than 99 percent of spam with less than

    one in 1 million false positives.

    Targeted Attack Protection is one of Messaging Gateway's key features. Disarm, a proprietary Symantec

    technology, protects against targeted attacks and zero-day malware by removing active, potentially

    malicious, content from Microsoft Office and PDF attachments. It then re-assembles the attachment so

    that it is viewable by the end user without fear of infecting them.

    While Disarm protects on premises, organizations looking for cloud-based protection can look to

    Skeptic for their messaging security needs. Part of the Symantec.cloud offerings, Skeptic is a

    proprietary heuristic technology that does not rely on signatures to detect new, emerging or even

    variations of older malware. Using thousands of rules and dozens of advanced techniques, Skeptic

    detects new and emerging malware through techniques such as: application reputation, junk code

    analysis and "real-time-link-following," which offers protection against positively-identified viral URL

    links within emails. Skeptic then looks at all the evidence before reaching a conclusion and taking the

    appropriate actions. Because Skeptic is delivered as a cloud-based service, it is continually learning

    based on the volume of threats it sees and identifies and is thus able to stay one step ahead of

    potential threats.

    It would be a glaring security omission to neglect protecting the data center. After all, this is where your

    most valuable business assets reside, and neglecting this layer at the very least will have serious

    repercussions throughout the business, should it be the victim of a targeted attack.

    Fortunately, Symantec has a solution to prevent this. Using host-based intrusion detection (HIDS) and

    intrusion prevention (HIPS), Symantec provides a proven and comprehensive solution for server

    security, for both physical and virtual servers.

    Critical System Protection offers a host of protective measures against targeted attacks. With file,

    system and admin lockdown, virtual and physical servers can be hardened to maximize system uptime

    and avoid ongoing support costs for legacy operating systems. Granular Intrusion Prevention Policies

    protect against zero-day threats and restrict the behavior of approved applications even after they are

    allowed to run with least privilege access controls.


    Critical System Protection's Least Privilege Access Control restricts user, application and network

    access, effectively locking malware out because it is not allowed to run. For organizations that operate

    a VMware infrastructure in the data center, Critical System Protection uses VMware's prescribed

    policies for virtual server hardening, including vCenter, hypervisors and guest operating systems.

    Other functionality in Critical System Protection includes integrity monitoring to identify changes to files

    in real time, configuration monitoring, targeted prevention policy and integration with IT GRC and SIEM solutions.

    Conclusion

    Keeping the enterprise secure is no easy task. Protecting your organization from unknown threats

    is incredibly difficult. Choosing a best-of-breed vendor that offers end-to-end security goes a long

    way toward keeping your IT assets safe and preventing a targeted attack from landing a penetrating

    hit.

    Symantec offers a comprehensive portfolio that provides layered protection based around endpoint,

    gateways and data center assets. Give Symantec Endpoint Protection a try - download the

    trialware version at http://www.symantec.com/offer?a_id=175265.

    To learn more about how Symantec's offerings can prevent a targeted attack from impacting your

    organization, go to http://www.symantec.com/endpoint-protection/?om_ext_cid=biz_US_ad_Quinstreet_EndpointProtection_aid176053 or call 855-210-1103 to speak with a Symantec representative.