Retail Security: Closing the Threat Gap

Retail Security: Closing the Threat Gap WITH CHARLES KOLODGY, RESEARCH VICE PRESIDENT, SECURITY PRODUCTS, IDC AND DWAYNE MELANÇON, CTO, TRIPWIRE


Retail data breaches can have a serious impact on profitability, and the costs of a cybersecurity incident may reach the C-suite as well as consumer trust. Tripwire’s chief technology officer Dwayne Melançon (@ThatDwayne) and IDC’s research vice president for security products Charles Kolodgy (@ckolodgy_idc) discuss the current retail cyber threat landscape, with a focus on strategies to mitigate cybersecurity risk and reduce the cost of potential security breaches, including:

• How to identify the early stages of a data breach
• Why point-of-sale and other business-critical systems require a different approach to data security
• How retailers can use the Top 20 Critical Security Controls to make their businesses ‘unattractive’ to cybercriminals

Qualified attendees will earn one CPE credit for participation in this webcast. A recording of the webcast that accompanies this slide deck can be found here: http://www.tripwire.com/register/retail-security-closing-the-threat-gap/

Transcript of Retail Security: Closing the Threat Gap

Page 1: Retail Security: Closing the Threat Gap

Retail Security: Closing the Threat Gap

WITH CHARLES KOLODGY, RESEARCH VICE PRESIDENT, SECURITY PRODUCTS, IDC AND DWAYNE MELANÇON, CTO, TRIPWIRE

Page 2: Retail Security: Closing the Threat Gap

A Target on Retail

Charles Kolodgy, Research VP, Security Products

Page 3: Retail Security: Closing the Threat Gap


Today’s Presenters

Charles Kolodgy, Research Vice President, Security Products, IDC

Dwayne Melançon, CTO, Tripwire

Page 4: Retail Security: Closing the Threat Gap

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

Page 5: Retail Security: Closing the Threat Gap

Agenda

• IT is Business
• Modern POS systems
• Threats
• “________” Chain
• PCI DSS
• Closing the Gaps
• Analyst Summary


Page 6: Retail Security: Closing the Threat Gap

Information Technology is Business

Expand use of information technology to:
• Expand business opportunities
• Improve business operational efficiency
• Provide information without barriers
• Increase reliability, uptime and performance
• Better serve customers
• Generate innovation
• Reduce costs


Page 7: Retail Security: Closing the Threat Gap

Modern Point-of-Sale systems

• POS systems are a huge investment
• Platform to increase store staff efficiency, productivity, and workflow
• Modern POS systems will generate customer data for:
  > Demand intelligence
  > Merchandising
  > Pricing
  > Loyalty processes
• Integrated within the IT infrastructure to provide cloud resources at the platform and application levels

Source: The Checkout Technology Industry Explored — the United States, IDC #RI244627

Page 8: Retail Security: Closing the Threat Gap


Modern POS systems are complicated, important to business operations, and are tied into the IT environment.

Page 9: Retail Security: Closing the Threat Gap

Complexity Increases Risk

• Reduced visibility
• Less time spent on any one area
• Long learning curves
• Difficulty in integrating systems
• Many trade-offs required
• Mixture of mature and immature technologies
• Expanded attack surface


Page 10: Retail Security: Closing the Threat Gap

Threats

• Why
• Who
• How


Page 11: Retail Security: Closing the Threat Gap

Goals

• Show me the money!


Page 12: Retail Security: Closing the Threat Gap

Attackers

• Attackers are a diverse group:
  > Amateurs
  > Insiders
  > Hacktivists
  > Organized crime
  > Mercenaries / privateers
  > Nation state actors
• The most dangerous and costly attacks are perpetrated by organized crime
• Attackers are competitors:
  > Adversaries want to keep costs down
  > What is the cost to attack relative to the value received?
  > It is expensive to attack organizations with a coherent IT security process

Know your adversary: “Bad guys can’t be deterred, but competitors can”


Page 13: Retail Security: Closing the Threat Gap

Attack Components

Attack Tools
• Viruses
• Trojans
• Bots
• SQL injection
• Buffer overflow
• Handcrafted malware
• Multi-factor attack

Attack Delivery
• Spam emails
• Autorun
• Infected websites
• Social engineering
• Payload on other malware


Page 14: Retail Security: Closing the Threat Gap

Anatomy of an Attack

• Reconnaissance activity
  > Understand target
  > Discover vulnerabilities
• Exploit weaknesses
  > Technology or policy based
• Install rogue software
• Gain privileged access
• Cover tracks
  > Manipulate logs
  > Disable security
• Collect compromised data (ftp / 443)

Patience: the attack cycle can take weeks or months

Page 15: Retail Security: Closing the Threat Gap

Point-of-Sale Malware

• Dexter
• Project Hook
• Alina
• Chewbacca
• VSKimmer
• JackPoS
• BlackPoS


Source: Verizon 2014 Data Breach Investigations Report

Page 16: Retail Security: Closing the Threat Gap

“Attack” Chain


Page 17: Retail Security: Closing the Threat Gap

“Kill” Chain


Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain

Page 18: Retail Security: Closing the Threat Gap

“Fail” Chain


Detect → Contain → Eradicate → Recover

Where the chain fails:
• Network security logs are ignored
• Alert from the IPS that malware is being installed is missed
• Attacker penetrates the network from a supplier
• Attacker uses lack of segmentation to traverse the network to sensitive areas
• Lack of IAM monitoring allows credential escalation
• Signals of data exfiltration are not monitored

Page 19: Retail Security: Closing the Threat Gap

Recent PoS Based Breaches

• February 2013 - Bashas' and Sprouts
• April 2013 - Schnucks
• June 2013 - Raley's
• July 2013 - Harbor Freight
• December 2013 - Target
• January 2014 - Neiman Marcus
• April 2014 - Michaels
• June 2014 - P.F. Chang’s (suspected)


Page 20: Retail Security: Closing the Threat Gap

PCI DSS

• The PCI DSS provides a framework for developing a payment card data security process.
• Objectives:
  > Build and Maintain a Secure Network
  > Protect Cardholder Data
  > Maintain a Vulnerability Management Program
  > Implement Strong Access Control Measures
  > Regularly Monitor and Test Networks
  > Maintain an Information Security Policy
• Compliance vs. validation
• Narrow focus


Page 21: Retail Security: Closing the Threat Gap

Closing the Security Gap

• Holistic enterprise-wide security process, including 3rd party relationships
• Security is “designed in” when deploying new IT capabilities
• Identify and reduce the avenues of attack
• Utilize appropriate technology and sound process, with trained personnel
• Collect, analyze, and act on correlated information
• Measure status and progress


Page 22: Retail Security: Closing the Threat Gap

Security Process Pillars


1. Visibility
• Inventory all systems and networks
• Continuously monitor system state to identify those no longer in a “good state”
• Drive awareness, action and accountability with targeted metrics that tie to business goals

2. Prioritization
• Draw data-driven conclusions which are defensible
• Prioritize remediation based on exploitability and business impact, not just vulnerability
• Establish quantifiable measurement with which to remediate risks

3. Automation
• Automate the assessment and remediation lifecycle to minimize likelihood of loss
• Facilitate continual assessments for better data accuracy
• Convey the impact of IT risk in business-relevant terms
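Prioritizing on exploitability and business impact rather than on raw severity changes the remediation order, which is the point of the second pillar. The following is an added example, not from the deck and not IDC or Tripwire code, that scores constructed findings on four factors: base severity, whether a working exploit exists, network exposure, and the criticality the business assigns to the asset. The weights, asset names and findings are illustrative assumptions; what matters is that the resulting order differs from sorting on severity alone.

```python
from dataclasses import dataclass

# Illustrative weights (assumptions for this example, not an industry standard)
EXPLOIT_WEIGHT = {"weaponized": 1.0, "poc": 0.6, "none": 0.3}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.2}


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    severity: float      # base score 0-10 (CVSS-style), what "vulnerability only" would rank on
    exploit: str         # weaponized | poc | none
    exposure: str        # internet | internal | isolated
    criticality: int     # business criticality of the asset: 1 (lab box) .. 5 (revenue-critical)


def risk_score(f: Finding) -> float:
    """Exploitability and business impact scale the base severity up or down."""
    return round((f.severity / 10.0)
                 * EXPLOIT_WEIGHT[f.exploit]
                 * EXPOSURE_WEIGHT[f.exposure]
                 * f.criticality, 3)


def prioritize(findings) -> list:
    """Remediation order: highest business risk first."""
    return [f.id for f in sorted(findings, key=risk_score, reverse=True)]


def by_severity_only(findings) -> list:
    """The order a severity-only (vulnerability-only) view would produce, for contrast."""
    return [f.id for f in sorted(findings, key=lambda f: f.severity, reverse=True)]


# Constructed findings (hypothetical hosts)
FINDINGS = [
    Finding("F1", "lab-build-7", 9.8, "none", "isolated", 1),       # critical CVSS, nobody can reach it
    Finding("F2", "POS-117", 7.5, "weaponized", "internal", 5),     # exploit in the wild, on a POS host
    Finding("F3", "www-store", 5.0, "weaponized", "internet", 4),   # medium CVSS, but exposed and exploited
    Finding("F4", "corp-desktop-22", 9.0, "none", "internal", 2),   # high CVSS, no exploit, low-value asset
]

if __name__ == "__main__":
    print("severity only :", by_severity_only(FINDINGS))
    print("risk-ranked   :", prioritize(FINDINGS))
    for f in sorted(FINDINGS, key=risk_score, reverse=True):
        print(f"  {f.id} {f.asset:16} severity={f.severity:<4} risk={risk_score(f)}")
```

The severity-only list puts the isolated lab host first; the risk-ranked list puts the POS host with a weaponized exploit first and the lab host last. The exact weights are less important than recording them, so that the ranking is defensible when it is questioned.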

Page 23: Retail Security: Closing the Threat Gap

Analyst Summary

• Be paranoid
• IT is critical to business
• Modern POS collects and shares more data
• Cyber-criminals are sophisticated and financially motivated
• Monitor the Attack Chain, adopt the Kill Chain, avoid the Fail Chain
• PCI is a framework, but enterprise-wide security requires deeper activities
• Close the Security Gap with Visibility, Prioritization, and Automation


Page 24: Retail Security: Closing the Threat Gap


Delivering Advanced Cyberthreat Security

Page 25: Retail Security: Closing the Threat Gap


The Retail Security Challenge

• Retailers are prime targets for cybercriminals

• Defensive measures to stop cyber attacks are not enough

• Retailers need the capability to detect attacks early to minimize loss

• Customer trust and brand equity is at stake

Page 26: Retail Security: Closing the Threat Gap

Retail Security Cyberthreat Gap: Detection Gap, Response Gap, Prevention Gap

Page 27: Retail Security: Closing the Threat Gap

Detection Gap: the time between the actual breach and its discovery. Have we been breached?

Page 28: Retail Security: Closing the Threat Gap

Response Gap: the time between discovery and remediation to limit damage. How bad is it?

Page 29: Retail Security: Closing the Threat Gap

Prevention Gap: the time to put preventative measures in place to avoid repeated attacks. Can we keep this from happening again?


Page 31: Retail Security: Closing the Threat Gap


Threat Detection Gap

Have we been breached? It’s not a simple question...

• Are we prioritizing the high-risk breach alerts for critical assets amongst thousands of them?

• Are there other events of interest or risky changes to business critical systems?

• Are these actionable high-confidence alerts from my “trusted security source”?

• Are we able to drill-down for root-cause analysis and forensics?

• Do we have Threat Intelligence to understand the nature and severity of the breach alerts?


Page 32: Retail Security: Closing the Threat Gap


Threat Response Gap

How bad is it? How do we limit damage? We need to act quickly...

• What are all the affected systems, POS, servers, network devices, operating systems, databases, file systems, desktops etc.?

• What changed? When? By whom, authorized or unauthorized?

• What systems can we trust and what systems are compromised?

• Do we have control? Can we revert to the “good” baseline?

• Do we have policies, resources and tools to revert to a trusted production state?
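The response questions above (what changed, when, and can we get back to a known-good state) are answered by comparing current system state against a baseline recorded while the system was trusted. The following is an added example, not Tripwire's product code and not from the deck, of the minimal form of that check: a SHA-256 manifest of a directory tree, saved as JSON, diffed against a later snapshot. The directory layout and the "compromise" it simulates are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record content hash, size and permission bits for every file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            state[rel] = {"sha256": sha256_file(full),
                          "size": st.st_size,
                          "mode": oct(st.st_mode & 0o777)}
    return state


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference as added, removed or modified (content or mode)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def save_baseline(state: dict, path: str) -> None:
    # Keep the baseline off the monitored host (and ideally signed): an attacker with
    # write access to the system could otherwise re-baseline their own changes.
    with open(path, "w") as f:
        json.dump(state, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: a known-good install, then three attacker changes."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/pos.exe", b"original pos binary")
        _write(root, "bin/pos.cfg", b"store=117\n")
        _write(root, "etc/audit.conf", b"log=on\n")
        manifest = os.path.join(store, "baseline.json")   # "off-host" store stands in here
        save_baseline(snapshot(root), manifest)

        # Simulated compromise: patched binary, staged skimmer output, audit config removed
        _write(root, "bin/pos.exe", b"original pos binary + injected stub")
        _write(root, "temp/track2.tmp", b"skimmed track data")
        os.remove(os.path.join(root, "etc", "audit.conf"))

        return compare(load_baseline(manifest), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each entry in the result answers one of the questions on the slide: "modified" and "added" say what changed, the baseline timestamp bounds when, and the baseline itself is the "good" state to revert to. Attribution (by whom) needs the host's audit log, which this check does not replace.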


Page 33: Retail Security: Closing the Threat Gap


Threat Prevention Gap

How can we avoid this from occurring or recurring? We need to elevate our game...

• Do we have full coverage?
• Do we know which are our most business-critical assets?
• Secure management sponsorship and set key system integrity indicators
• Is our continuous monitoring and threat detection process reducing our threat gaps?
• Finally, evolve to new best security practices for our context: industry, region, size, type, legal requirements, etc.


Page 34: Retail Security: Closing the Threat Gap


The Cyber Kill Chain®

Detect and Remediate Before Theft or Damage

• Attackers camouflage themselves as legitimate traffic

• Anti-malware typically detects a breach during the Malicious Action phase, after potential loss has occurred

Page 35: Retail Security: Closing the Threat Gap



• The opportunity for proactive detection is highest during the Exploitation phase

Page 36: Retail Security: Closing the Threat Gap


Business Critical Endpoint & Systems Continuous Monitoring & Visibility

Continuous monitoring across: POS; servers (Unix / Linux / Windows); network devices; firewalls / IPS / gateways; critical desktops (Windows / Mac / Linux); applications; databases

Page 37: Retail Security: Closing the Threat Gap



Key Threat Indicators: asset discovery & profiling; vulnerability & risk assessment; targeted attack detection; detecting good & bad change; state history; who & when

Page 38: Retail Security: Closing the Threat Gap


Examples of Key Threat Indicators

Cyber attacker activity: threat indicator(s)

• Account credentials created outside standard processes: Active Directory changes; local admin accounts
• Malware injected on POS system: file system change; traffic to C&C server
• Credit card data skimmed from memory and written to a temporary file: file system change
• Credit card data moved to exfiltration server: unusual network activity; rogue services running on server
• An unauthorized device accesses the network: rogue device detected; unusual network activity
• Man-in-the-middle attack: ARP cache poisoning
• Hiding tracks / obscuring evidence: logging disabled; log data altered
• Hiding data from traditional tools: data in alternate data streams
• Elevation of privileges, obscuring identity: use of su / sudo to change user accounts
• Inbound exploit destined for a vulnerable system: traffic with known payload; vulnerability present on target system
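The indicators in the table only become alerts once raw events are mapped onto them. The following is an added example, not Tripwire code and not from the deck, that runs a handful of such mappings over constructed sample events: Windows security events 4720 (user account created), 4732 (member added to a security-enabled local group) and 1102 (audit log cleared), a file-integrity change record, a flow record, and a Linux sudo syslog line. The provisioning account name, the sudo allow-list, the POS host-name prefix and the C&C watchlist address are assumptions standing in for an asset inventory and a threat-intelligence feed.

```python
import re
from dataclasses import dataclass

# Assumptions standing in for inventory / policy / threat-intel data (hypothetical values)
PROVISIONING_ACCOUNTS = {"svc_idm"}      # accounts the standard user-provisioning process runs as
SUDO_ALLOWED = {"opsadmin"}              # Unix users permitted to sudo to root
C2_WATCHLIST = {"198.51.100.23"}         # C&C address from a threat-intel feed (documentation range here)
TEMP_PATH_RE = re.compile(r"(\\temp\\|/tmp/)", re.IGNORECASE)
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.+)$")


def is_pos(host: str) -> bool:
    """Asset-inventory lookup; a naming convention stands in for it here."""
    return host.upper().startswith("POS-")


@dataclass(frozen=True)
class Finding:
    host: str
    indicator: str   # wording follows the Key Threat Indicators table above
    evidence: str


def detect(events) -> list:
    """Map normalized events onto key threat indicators; benign events yield nothing."""
    findings = []
    for e in events:
        host, kind = e["host"], e["type"]
        if kind == "win" and e["event_id"] == 4720 and e["subject"] not in PROVISIONING_ACCOUNTS:
            findings.append(Finding(host, "Account created outside standard process",
                                    f"{e['subject']} created {e['target']}"))
        elif kind == "win" and e["event_id"] == 4732 and e.get("group") == "Administrators":
            findings.append(Finding(host, "Local admin account",
                                    f"{e['target']} added to Administrators by {e['subject']}"))
        elif kind == "win" and e["event_id"] == 1102:
            findings.append(Finding(host, "Logging disabled / log data altered",
                                    f"audit log cleared by {e['subject']}"))
        elif kind == "fim" and is_pos(host) and TEMP_PATH_RE.search(e["path"]):
            # Memory-scraping POS malware stages track data in a temp file before exfiltration
            findings.append(Finding(host, "File system change on POS (possible skimmed data)",
                                    f"{e['change']} {e['path']}"))
        elif kind == "flow" and e["dst"] in C2_WATCHLIST:
            findings.append(Finding(host, "Traffic to C&C server",
                                    f"{host} -> {e['dst']}:{e['dst_port']}"))
        elif kind == "syslog":
            m = SUDO_RE.search(e["msg"])
            if m and m["target"] == "root" and m["user"] not in SUDO_ALLOWED:
                findings.append(Finding(host, "Elevation of privileges via sudo",
                                        f"{m['user']} -> root: {m['cmd']}"))
    return findings


# Constructed sample events (not real logs); timestamps omitted for brevity.
SAMPLE_EVENTS = [
    {"type": "win", "host": "DC01", "event_id": 4720, "subject": "svc_idm", "target": "jsmith"},  # benign
    {"type": "win", "host": "DC01", "event_id": 4720, "subject": "svc_backup", "target": "helpdesk2"},
    {"type": "win", "host": "POS-117", "event_id": 4732, "subject": "helpdesk2", "target": "helpdesk2",
     "group": "Administrators"},
    {"type": "fim", "host": "POS-117", "path": r"C:\Windows\Temp\track2.tmp", "change": "created"},
    {"type": "flow", "host": "POS-117", "dst": "198.51.100.23", "dst_port": 443},
    {"type": "win", "host": "POS-117", "event_id": 1102, "subject": "helpdesk2"},
    {"type": "syslog", "host": "db-prod-1",
     "msg": "sudo: www-data : TTY=pts/0 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash"},
    {"type": "syslog", "host": "db-prod-1",
     "msg": "sudo: opsadmin : TTY=pts/1 ; PWD=/home/opsadmin ; USER=root ; COMMAND=/usr/bin/apt-get update"},  # benign
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.indicator:50} {f.evidence}")
```

Read in order, the six findings are the attack chain from the slide: an account created by an unexpected process, that account made a local administrator on a POS host, a file appearing in a temp directory, a connection to a watch-listed address, the audit log cleared, and a web-server account escalating to root on the database host. Each rule is weak on its own; the value comes from the sequence landing on the same few hosts.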

Page 39: Retail Security: Closing the Threat Gap



• Tripwire provides focused, actionable alerts
• Business context
• Cyber crime controls
• Open integration framework

Page 40: Retail Security: Closing the Threat Gap


Understand Normal Activity

(Network diagram: Customers, eMail, CRM Application, Corporate WAN, Production Data Center, Management Segment, Active Directory, Backup, Service Accounts & Admin Tools)


Page 42: Retail Security: Closing the Threat Gap



Scenario 1: Suspicious Access and Credential Use


Page 43: Retail Security: Closing the Threat Gap


Scenario 1: Suspicious Access and Credential Use


• Detect access from untrusted source (IP address, location, etc.)

• Enforce policy to prevent access from untrusted IPs

• Detect direct access to database, bypassing application controls

Page 44: Retail Security: Closing the Threat Gap


Scenario 2: Creating “Trusted” Users To Evade Detection



Page 47: Retail Security: Closing the Threat Gap


Scenario 2: Creating “Trusted” Users To Evade Detection


• Detect access from untrusted source (IP address, location, etc.)

• Enforce policy to prevent access from untrusted IPs

• Detect unauthorized user creation in Active Directory, creation of local administrator & DBA accounts
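Both scenarios come down to checking each observed connection against a small segmentation policy: who may reach administrative ports, who may talk to the database tier directly, and who may touch POS hosts at all. The following is an added example, not Tripwire code and not from the deck, that applies such a policy to constructed connection records; the address ranges, host names and ports are assumptions that would in practice come from the network plan and asset inventory.

```python
import ipaddress
from dataclasses import dataclass

# Assumed network plan (hypothetical addresses)
MANAGEMENT_SEGMENT = [ipaddress.ip_network("10.10.0.0/24")]   # jump hosts, admin tools
APP_TIER = [ipaddress.ip_network("10.20.5.0/24")]              # CRM / store application servers
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]                # everything the company owns

ADMIN_PORTS = {22, 3389, 5985}          # ssh, RDP, WinRM
DB_PORTS = {1433, 3306, 5432, 1521}     # MSSQL, MySQL, PostgreSQL, Oracle


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def is_pos_host(host: str) -> bool:
    return host.upper().startswith("POS-")   # stands in for an asset-inventory lookup


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_host: str
    dst_port: int
    user: str


def check(conn: Connection) -> list:
    """Return the policy violations for one connection (empty list means allowed)."""
    violations = []
    if not in_any(conn.src_ip, INTERNAL):
        violations.append("access from untrusted source")
    if conn.dst_port in ADMIN_PORTS and not in_any(conn.src_ip, MANAGEMENT_SEGMENT):
        violations.append("admin port reached from outside management segment")
    if conn.dst_port in DB_PORTS and not in_any(conn.src_ip, APP_TIER):
        # Scenario 1: the database is only supposed to be reached through the application
        violations.append("direct database access bypassing application")
    if is_pos_host(conn.dst_host) and not in_any(conn.src_ip, MANAGEMENT_SEGMENT):
        violations.append("POS host reached from outside management segment")
    return violations


def audit(connections) -> list:
    """Pair each non-compliant connection with its violations."""
    results = []
    for c in connections:
        v = check(c)
        if v:
            results.append((c, v))
    return results


# Constructed connection records, as a firewall or flow collector would report them
SAMPLE = [
    Connection("10.20.5.10", "db-prod-1", 1433, "app_svc"),           # app server -> DB: allowed
    Connection("10.50.3.77", "db-prod-1", 1433, "sa"),                # desktop -> DB as sa
    Connection("203.0.113.45", "mgmt-jump-1", 3389, "administrator"),  # internet -> RDP on jump host
    Connection("10.10.0.5", "POS-117", 445, "svc_posmgmt"),            # management -> POS: allowed
    Connection("10.99.7.21", "POS-117", 445, "svc_vendor"),            # supplier VPN pool -> POS
]

if __name__ == "__main__":
    for conn, violations in audit(SAMPLE):
        print(f"{conn.src_ip:14} -> {conn.dst_host}:{conn.dst_port} as {conn.user}: {', '.join(violations)}")
```

The same predicates that raise the alerts are the ones to turn into enforcement: an allow-list on the database listener for the application tier, and firewall rules that admit only the management segment to admin ports and POS hosts. Detection without that enforcement is the fail chain from earlier in the deck, where the lack of segmentation is noticed only after the traversal has happened.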

Page 48: Retail Security: Closing the Threat Gap


Tripwire Platform for Advanced Threat Protection: Closing the Retail Security Threat Gap

Tripwire System State Intelligence: asset discovery & profiling; good & bad change; who & when; business context & priority; vulnerability & risk; configuration context; targeted attack detection; state history

Page 49: Retail Security: Closing the Threat Gap


Tripwire Platform for Advanced Threat Protection: Closing the Retail Security Threat Gap

Tripwire Vulnerability Management

Tripwire Security Configuration Management

Tripwire Log Intelligence

Page 50: Retail Security: Closing the Threat Gap

Tripwire Platform for Advanced Threat Protection: Closing the Retail Security Threat Gap

Tripwire Reporting & Analytics

Integrations: APT / MPS, SIEM, Big Data / Security Analytics, Threat Intelligence

Reduce Threat Gap Cycle Time

Page 51: Retail Security: Closing the Threat Gap


Tripwire: Reducing The Enterprise Threat Gap

Threat Detection Gap: real-time detection of suspicious behavior; forward events of interest to focus and enrich analysis & correlation

Page 52: Retail Security: Closing the Threat Gap


Tripwire: Reducing The Enterprise Threat Gap

Threat Response Gap: prioritize based on business context; identify compromise by comparison against baseline; support forensic & incident response

Page 53: Retail Security: Closing the Threat Gap


Tripwire: Reducing The Enterprise Threat Gap

Threat Prevention Gap: discover & profile all IT infrastructure; minimize vulnerabilities and harden configurations to reduce threat surface

Page 54: Retail Security: Closing the Threat Gap


DELIVERING ADVANCED CYBERTHREAT SECURITY FOR CRITICAL SYSTEMS TO DETECT, PREVENT AND RESPOND TO ENTERPRISE THREATS
