APTs & Zero-day Threats & Data Loss
Security threats are ever-changing in today’s world. It is critical for businesses as well as government organizations to do more than just block malware or stop targeted attacks. Brian Contos, Vice President and Chief Information Security Officer, Advanced Threat Protection Group, Blue Coat Systems, talks about advanced and zero-day threats and data loss.
An attacker is going to a lot of trouble to post spam messages to Craigslist.
Researchers at Solera Networks have come across an attack where malware is using compromised machines to post poorly worded ads for an Android application marketed at parents for the purposes of monitoring the activities of their teens. The software reportedly tracks the device’s location, as well as SMS and phone logs.
“Enterprises are really looking for a solution that elevates the security, speeds and feeds technical problem to be more about a business risk problem,” [Shillingford] explained. “Customers are becoming less and less inclined to try and fill functional holes with subject matter experts or complex integration; they really want providers who maintain key pieces of real estate in their network.”
The combined Solera-Blue Coat platform leverages what Blue Coat calls its WebPulse Collaborative Defense Cloud, a cloud-security platform that manages millions of crowdsourced malware samples on an ongoing basis, based on scans conducted by the 80m customer endpoints currently running the company’s security tools.
Federal Blue Print
This is one of the key insights from a recent Federal Blue Print interview with Brian Contos, the Vice President and CISO of the Advanced Threat Protection Group, with Solera Networks.
Blue Coat Systems recently announced its intention to acquire Solera Networks, which is a leading provider of big data security intelligence and analytics for advanced threat protection.
Black Hat Sponsor Newsletter
John Vecchi, VP Strategy, Advanced Threat Protection Group at Solera Networks, talks about being purchased by Blue Coat Systems, the increasing cost of malicious data breaches, and the new Solera BlackBox Recorder.
As organizations adjust to today’s “post-prevention” world, the inevitability of targeted attacks and security breaches is now accepted by even the most fortified enterprises and organizations. As a result, there is a shift toward “preparedness.” With this shift comes a need for network visibility, security analytics, and dynamic threat intelligence to cope with an increasingly dangerous threat. The evolution of advanced malware and zero-day attacks requires a new approach — one that includes Big Data Security Analytics and comprehensive Advanced Threat Protection technology that can not only detect and block threats, but also tell you the how, what, where, when, and why of advanced targeted attacks while delivering end-to-end visibility of data exfiltration and malware infiltration on the network.
Add incident detection/response. In spite of all the threat prevention in the world, the bad guys keep hacking into large organizations. This is where Solera fits in with real-time big data analytics. Solera excels at incident detection and problem isolation so organizations can isolate problems and remediate them quickly – before they lead to costly/embarrassing data breaches. Blue Coat can now talk threat prevention, detection, and response.
Many developing nations see cyber as an equalizer – a mechanism to shift advantage in the face of superior technology and numbers. As a result, these countries are making investments to develop talent, techniques and technology related to information warfare. For example, it is difficult to get empirical evidence about North Korea, but it has been cited that approximately 500 “cyber warriors” graduate there every year.
About a year ago, Shillingford and Blue Coat CEO Greg Clark began exploring partnerships that would make the most of their compatible technologies. Under the agreement, announced Wednesday morning in New York, Solera will become a division of Blue Coat, which will use Solera’s threat-protection hardware and software to expand further into the security industry.
“The future of the industry is moving beyond just blocking malware and stopping targeted attacks to also identifying and resolving the full scope of the attacks in real time,” said Greg Clark, CEO at Blue Coat Systems, in a statement. “Retrospective capture and analytics are now an essential component of modern security architecture, and Solera has pioneered this field, creating a DVR for the network that records traffic and allows customers to easily mine that information.”
Steve Shillingford, CEO at Solera Networks, describes the company’s technology as a “security camera” on a network. “Along with the big data security analytics and intelligence needed to see zero-day threats and advanced cyberattacks in real-time, Solera DeepSee provides unmatched security forensics to help enterprises answer critical post-breach questions on the nature of the attack and how to prevent it in the future,” he noted in a statement.
Interview of Brian Contos at Interop 2013
According to the results of a recent Ponemon Institute study commissioned by Solera Networks, the average cost of a malicious data breach has risen to $840,000, with the average cost per record at $222. Still, only 40 percent of organizations surveyed say they have the tools, personnel and funding in place to track down the root causes of a breach.
“It’s difficult to discern the intent of a criminal targeting visitors to such a specific Web site, but clearly this was planned well in advance, and was not intended to reach a wide audience of potential victims,” said security researcher Andrew Brandt. A relatively obscure portion of the U.S. Department of Labor Web site was hacked, and malware placed there.
Because Solera Networks has very tight integration relationships to other security tools, including firewalls and SIEM products, the company is focused on partnering with resellers that are already selling many of these products because Solera’s solution is a “natural add-on sale,” according to Seton.
“Both our solution and program are designed to create new revenue and growth opportunities for partners,” he said. “Delivering big data security analytics and advanced threat protection into end-user networks augments many other solutions and services that these partners are already providing.”
“The Solera DeepSee BlackBox Recorder is like having a black box flight recorder for the network—providing incident responders with all the critical information necessary to effectively investigate and resolve a security breach or targeted attack,” explained Steve Shillingford, president and CEO at Solera Networks.
What sets the DeepSee BlackBox Recorder apart from previous Solera offerings is that it can be deployed and installed at no initial cost, the company told SecurityWeek. License purchase is required only when incident responders “break the glass” to retrieve the captured security intelligence when an incident occurs.
Security Bistro recently caught up with Andrew Brandt, Threat Research Director at Solera Networks. He penned a blog post last week about a new spam campaign featuring URLs that direct individuals to — what appeared to be — compromised personal and small business web sites.
“It does appear that the volume of malicious spam, which we consider to be messages with either an attached malware executable (usually zipped) or with one or more embedded URLs that lead to sites which perform browser exploits as a method of infection, significantly increased over what we saw in February,” Brandt told Security Bistro. “There was a big spam push around the end of the year. During that period, Solera Networks saw a large amount of spam between the week before Christmas and New Year’s. Since then, it slowed down in January and February, and is starting to pick back up again.”
Brian Contos, worldwide vice president of field engineering at Solera Networks, said doxxing has moved attacks from targeting nameless, faceless organizations and governments to individuals.
“We’ve seen examples of this type of incident in Latin America, where hacktivists targeted specific individuals at organizations like police forces and published their names, photos, address, phone numbers, and other personal information,” he told us. “With vast amounts of personal information available about most people online — much of which is shared voluntarily via social networking sites — nefarious individuals are finding doxxing to be easier than ever.”
But with 28% of organizations unable to determine the root cause of malicious breaches, their ability to respond is severely hampered. “Organizations that can’t tell you the root cause of a breach often can’t determine the entire impact” of the incident, said John Vecchi, VP of marketing with Solera Networks. “Unless organizations have the tools to determine the cause, there is very little chance they can respond effectively to future incidents.”
“Organizations sometimes think they don’t need to know the gory details” about how a breach occurred, Ponemon said, adding that they oftentimes choose to remain tight-lipped about such incidents or simply don’t have the detection tools in place to make an accurate assessment. “They need to know”, he insisted.
Regardless of who’s behind it, the Apple attack and all of the others in the last few weeks and months point to a certain amount of realism that needs to come into play when determining a cyber defense. “In today’s post-prevention world, it’s crucial that companies accept that successful breaches on highly fortified networks are inevitable, and the scope of targeted enterprises and organizations will only widen day by day,” cautioned John Vecchi, vice president of marketing at Solera Networks, in an email to Infosecurity.
He added, “Once attackers are past our perimeter defenses – via an advanced targeted attack – they own our network. As such, there needs to be a shift toward ‘preparedness’ and a modern, multi-layered defense. It is likely that cyberattackers are already on our networks, so we must focus on attaining the context, content and visibility needed to see and eradicate them.”
“Executive orders like this are generally not designed to address and tackle some of the big areas of comprehensive cyberlegislation,” says John Vecchi, vice president of marketing for Solera Networks. “Rather, it will certainly serve as an instrument to apply pressure to Congress to pass more formal cybersecurity legislation. That legislation would then include a more concrete framework for government/private sector cybersecurity. It would also likely address some of the complex policy areas, such as industry incentives and liability protection that an executive order could not.”
A strong post-breach security system, such as security intelligence and analytics, can watch every packet for forensic analysis. “Yes, a server got attacked. Yes, it contained 235,000 records,” said Contos. “But now, instead of guessing on the number of records stolen, you know that only one database table was accessed, and perhaps it only contained records for 500 people. This greatly limits your disclosure costs.”
“There has been a ‘seismic shift’ in how malware is developed and distributed,” says Andrew Brandt, director of threat research at Solera Networks. “Malware developers are increasingly crafting one-time-use malware, so by the time an antivirus vendor has released a signature to detect the malware sample, the bad guys have most likely moved on to a new version.”
“Provides complete visibility into network traffic, including virtual networks. Captures, classifies and reconstructs up to 10 terabytes of packets, sessions and files per virtual instance with clustering capabilities into the petabyte range.”
“With the ever-growing security gap in the defensive capabilities of traditional network forensics tools, the landscape is rife with new digital threats, which drove us to partner with the next generation in security intelligence solutions, Solera Networks…”
Help Net Security
“Having the ability to deploy a flexible and cost-effective virtual appliance for network analysis, visibility and intelligence is critical to effectively securing virtual infrastructure from today’s advanced malware and cyber-threats.”
“…the reality that breaches will happen. And when they do quickly you need to be able to answer very important questions: what happened? who did this to us? what information was extricated or accessed? is this breach over and have we contained it…”
New York Times
“Solera Networks, a security start-up that tracks intrusions in real time, has raised over $50 million from Intel Capital and others, and many say it is ripe for a nine-figure acquisition.”
“There is a need for tighter integration between network operations and security. This is…good news for Solera Networks.”
“President and CEO Steve Shillingford and CTO Joe Levy told me that its technology was about offering the extended visibility that log management and security incident and event management (SIEM) failed to achieve.”
IT Security Pro
“The idea behind the new – and effectively shrink-wrapped version of DeepSee – is that it uses deep packet capture to analyse what is going on at the IP layer on a network, and develop a context awareness approach to security that should allow IT staff to spot any advanced targeted attack (ATA) that may be operating on their network resources.”
“It would not be surprising if the investigation slowly reveals that the breach involved techniques such as Web application exploitation, maneuvering from a compromised public system into the internal systems, and that the presence on the network was a longer term than estimated,” says Joe Levy, CTO of Solera Networks.
CSO Security and Risk
“This is unfortunately reminiscent of the Heartland Payment Systems breach that started in 2007 and was finally discovered and disclosed in early 2009,” said Joe Levy, CTO of Solera Networks.
“Joe Levy, chief technology officer of Solera Networks, believes there may be more to the hacks, which have occurred in the past in cases like Heartland Payment Systems.”
“At Solera Networks, we believe that all organizations need better tools to identify advanced malware, and we are excited to deliver Real Time Extractor, an engine that enables unprecedented levels of network detection and analysis,” said Steven Shillingford, president and CEO of Solera Networks.
“If you don’t know what is happening on your network and need to respond quickly and intelligently to malware and other attacks, you might want to look at SoleraSix from Solera Networks. I took a look at this security appliance for my most recent video screencast review that you find here.”
“Aubrey Merchant of Solera networks gives V3 a walkthrough of DeepSee, the company’s real-time traffic monitoring and packet analysis platform.”
The Wall Street Journal
“Solera Networks has raised $20 million in Series D funding led by Intel Capital for technology that detects cyber attacks by collecting and classifying network traffic in real time. Solera’s revenue grew 100% last year because of the growing concern among Fortune 500 companies over targeted cyberattacks, although government agencies that may be battling nation-state cyberattacks remain important customers too.”
“The company says its DeepSee Platform can index and classify all network traffic, giving companies a comprehensive picture of their network security in real-time, either for spotting risks before a security breach or responding quickly once a breach has occurred. Both domestic and international sales supposedly grew more than 100 percent last year.”
CSO Security and Risk
This, from Alan Hall, security expert and director at Solera Networks: “Without full visibility of the entire attack, organizations can only guess or assume that all records were taken and then address their response to the full extent of possible damage — 24M in this case. An appropriate response includes more detail of ‘how did they get in, where did they go and what was accessed, seen, and removed from the network?’”
The Huffington Post
“Despite the increased frequency and severity of online crime and espionage in 2011, many American corporations and consumers are still not taking the threat seriously,…”
Tech News World
It is indeed possible to stop even determined hackers, suggested Andrew Brandt, director of threat research at Solera Networks.
“It just takes a guard or team of guards, equipped with the right tools to get the job done, and an equal or greater degree of determination, to stop them,” he told TechNewsWorld.