Retail Security: Closing the Threat Gap

Retail Security: Closing the Threat Gap

WITH CHARLES KOLODGY, RESEARCH VICE PRESIDENT, SECURITY PRODUCTS, IDC AND DWAYNE MELANÇON, CTO, TRIPWIRE

A Target on RetailCharles Kolodgy

Research VPSecurity Products

3

Today’s Presenters

Charles KolodgyResearch Vice President, Security Products, IDC

Dwayne Melançon CTO, Tripwire

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

Agenda

• IT is Business• Modern POS systems• Threats• “________” Chain• PCI/DSS• Closing the Gaps• Analyst Summary


Information Technology is Business

Expand use of Information Technology to:• Expand business opportunities• Improve business operational efficiency• Provide information without barriers• Increase reliability, uptime and performance• Better service customers• Generate innovation• Reduce costs


Modern Point-of-Sale systems

• PoS systems are a huge investment• Platform to increase store staff efficiency, productivity, and workflow• Modern POS systems will generate customer data for:

> Demand intelligence

> Merchandising

> Pricing

> Loyalty processes

• Integrated within IT infrastructure to provide cloud resources at the platform, and application levels.

© IDC Visit us at IDC.com and follow us on Twitter: @IDCSource: The Checkout Technology Industry Explored — the United States IDC #RI244627

Modern Point-of-Sale systems

• PoS systems are a huge investment• Platform to increase store staff efficiency, productivity, and workflow• Modern POS systems will generate customer data for:

> Demand intelligence

> Merchandising

> Pricing

> Loyalty processes

• Integrated within IT infrastructure to provide cloud resources at the platform, and application levels.

© IDC Visit us at IDC.com and follow us on Twitter: @IDCSource: The Checkout Technology Industry Explored — the United States IDC #RI244627

Modern POS systems are complicated, important to business operations, and are tied into the IT environment.

Complexity Increases Risk

• Reduced visibility• Spend less time on one area• Long learning curves• Difficulty in integrating systems• Many trade-offs required• Mixture of mature and immature technologies• Expands Attack Surface


Threats

• Why• Who• How


Goals

• Show me the money!


Attackers• Attackers are diverse group

• Amateurs

• Insiders

• Hacktivists

• Organized crime

• Mercenaries - Privateers

• Nation state actors

• Most dangerous and costly attacks perpetrated by organized crime

• Attackers are competitors> Adversaries want to keep costs down

> What is cost to attack relative to value received?

> Expensive to attack organizations with a coherent IT Security process

Know your Adversary: “Bad guys can’t be deterred but competitors can”


Attack Components

Attack Tools• Viruses

• Trojans

• Bots

• SQL Injection

• Buffer Overflow

• Handcrafted Malware

• Multi-factor Attack

Attack Delivery• SPAM Emails

• Autorun

• Infected Websites

• Social Engineering

• Payload on other malware


ANATOMY of an ATTACK• Reconnaissance Activity

• Understand target

• Discover vulnerabilities

• Exploit Weaknesses• Technology or Policy based

• Install Rogue Software

• Gain Privileged Access

• Cover Tracks• Manipulate logs

• Disable Security

• Collect Compromised Data

ftp/443

Patience: Attack Cycle can take weeks or months

Point-of-Sale Malware

• Dexter• Project Hook• Alina• Chewbacca• VSKimmer• JackPoS• BlackPoS


Source: Verizon 2014 Data Breach Investigations Report

“Attack” Chain


“Kill” Chain


Recon Weaponize Deliver Exploit Control Execute Maintain

“Fail” Chain


Detect Contain Eradicate Recover

Network security logs are ignored

Alert from IPS that malware being installed is missed

Attacker penetrates network from supplier

Attacker uses lack of segmentation to traverse the network to sensitive areas

Lack of IAM monitoring allows credential escalation Signals of Data

Exfiltration are not monitored

Recent PoS Based Breaches

• February 2013 - Bashas' and Sprouts• April 2013 - Schnucks• June 2013 - Raley's• July 2013 - Harbor Freight• December 2013 - Target• January 2014 - Neiman Marcus• April 2014 - Michaels• June 2014 - P.F. Chang’s (suspected)


PCI/DSS

• The PCI/DSS provides an framework for developing a payment card data security process.

• Objectives> Build and Maintain a Secure Network

> Protect Cardholder Data

> Maintain a Vulnerability Management Program

> Implement Strong Access Control Measures

> Regularly Monitor and Test Networks

> Maintain an Information Security Policy

• Compliance v. Validation• Narrow Focus


Closing the Security Gap

• Holistic enterprise wide security process, including 3rd party relationships

• Security is “designed in” when deploying new IT capabilities

• Identify and reduce the avenues of attack• Utilize appropriate technology and sound

process, with trained personnel• Collect, analyze, and act on correlated

information• Measure status and progress


Security Process Pillars


2

• Draw data-driven conclusions which are defensible

• Prioritize remediation based on exploitability and business impact,not just vulnerability

• Establish quantifiable measurement with which to remediate risks

Prioritization

1

• Inventory all systems and networks

• Continuously monitor system state to identify those no longer in a “good state”

• Drive awareness, action and accountability with targeted metrics that tie to business goals

Visibility

3

• Automate assessment and remediation lifecycle to minimize likelihood of loss

• Facilitate continual assessments for better data accuracy

• Convey impact of IT risk in business-relevant terms

Automation

Analyst Summary

• Be paranoid• IT is critical to business• Modern PoS collects and share more data• Cyber-criminals are sophisticated and financially motivated• Monitor the Attack Chain, adopt the Kill Chain, avoid the

Fail Chain• PCI is a framework but for enterprise wide security deeper

activities are required• Close the Security Gap with Visibility, Prioritization, and

Automation


24

DELIVERING ADVANCED

CYBERTHREATSECURITY

25

The Retail Security Challenge

• Retailers are prime targets for cybercriminals

• Defensive measures to stop cyber attacks are not enough

• Retailers need the capability to detect attacks early to minimize loss

• Customer trust and brand equity is at stake

26

DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP

Retail Security Cyberthreat Gap

27

DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP


Detection GapTime between actual breach and discovery

Have we been breached?

28

DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP


Response GapTime between discovery to remediation to limit damage

How bad is it?


Have we been breached?

29

DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP



How bad is it?


Have we been breached?Prevention GapTime to put preventative

measures in place to avoid repeated attacks

Can we avoid this from happening again?

30

DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP



How bad is it?


Have we been breached?Prevention GapTime to put preventative

measures in place to avoid repeated attacks

Can we avoid this from happening again?

31

Threat Detection GapHave we been breached? It’s not a simple question...

• Are we prioritizing the high-risk breach alerts for critical assets amongst thousands of them?

• Are there other events of interest or risky changes to business critical systems?

• Are these actionable high-confidence alerts from my “trusted security source”?

• Are we able to drill-down for root-cause analysis and forensics?

• Do we have Threat Intelligence to understand the nature and severity of the breach alerts?

DETECTIONGAP

32

Threat Response GapHow bad is it? How do we limit damage? We need to act quickly...

• What are all the affected systems, POS, servers, network devices, operating systems, databases, file systems, desktops etc.?

• What changed?• When?• By whom - authorized/unauthorized?

• What systems can we trust and what systems are compromised?

• Do we have control? Can we revert to the “good” baseline?

• Do we have policies, resources and tools to revert to a trusted production state?

RESPONSEGAP

33

Threat Prevention GapHow can we avoid this from ocurring or recurring? We need to elevate our game...

• Do we have full coverage? • Do we know which are our most

business-critical assets?• Secure management sponsorship and set key

system integrity indicators • Is our continuous monitoring and threat

detection process reducing our threat gaps• Finally, evolve to new best security practices

for our context – industry, region, size, type,legal requirements, etc.

PREVENTIONGAP

34

The Cyber Kill Chain®

Detect and Remediate Before Theft or Damage

• Attackers camouflage themselves as legitimate traffic

• Anti-malware typically detects a breach during the Malicious Action phase, after potential loss has occurred

35

The Cyber Kill Chain®

Detect and Remediate Before Theft or Damage

• Attackers camouflage themselves as legitimate traffic

• Anti-malware typically detects a breach during the Malicious Action phase, after potential loss has occurred

• The opportunity for proactive detection is highest during the Exploitation phase

36

Business Critical Endpoint & Systems Continuous Monitoring & Visibility

POS

Servers

Network Devices

Firewall / IPS/ Gateways

Critical Desktops

Unix/ Linux / Win

Win/ Mac/Linux

Continuous Monitoring Applications

Databases

37

Business Critical Endpoint & Systems Continuous Monitoring & Visibility

POS

Servers

Network Devices

Firewall / IPS/ Gateways

Critical Desktops

Unix/ Linux / Win

Win/ Mac/Linux

Continuous Monitoring Applications

Databases

Key Threat Indicators

Asset Discovery &

Profiling

Vulnerability & Risk

Assessment

Targeted Attack

Detection

Detecting Good & Bad

Change

State History

Who & When

38

Examples of Key Threat IndicatorsCyber Attackers - Activity Threat Indicator

Account credentials created outside standard processes

Active Directory ChangesLocal Admin Accounts

Malware injected on POS system File System ChangeTraffic to C&C server

Credit card data skimmed from memory and written to a temporary file

File System Change

Credit card data moved to exfiltration server Unusual network activityRogue services running on server

A unauthorized device accesses the network Rogue device detectedUnusual network activity

Man In The Middle attack ARP Cache poisoning

Hiding tracks / obscuring evidence Logging disabledLog data altered

Hiding data from traditional tools Data in alternate data streams

Elevation of privileges, obscuring identity Use of su / sudo to change user accounts

Inbound exploit destined for a vulnerable system Traffic with known payloadVulnerability present on target system

39

Examples of Key Threat IndicatorsCyber Attackers - Activity Threat Indicator

Account credentials created outside standard processes

Active Directory ChangesLocal Admin Accounts

Malware injected on POS system File System ChangeTraffic to C&C server

Credit card data skimmed from memory and written to a temporary file

File System Change

Credit card data moved to exfiltration server Unusual network activityRogue services running on server

A unauthorized device accesses the network Rogue device detectedUnusual network activity

Man In The Middle attack ARP Cache poisoning

Hiding tracks / obscuring evidence Logging disabledLog data altered

Hiding data from traditional tools Data in alternate data streams

Elevation of privileges, obscuring identity Use of su / sudo to change user accounts

Inbound exploit destined for a vulnerable system Traffic with known payloadVulnerability present on target system

• Tripwire Provides Focused, Actionable Alerts

• Buisness Context• Cyber Crime Controls• Open Integration Framework

40

eMail

CRM Application

Customers

Corporate WAN Production Data Center Management Segment

Active Directory

Backup

Understand Normal Activity

Service Accounts & Admin Tools

41

eMail

CRM Application

Customers


Active Directory

Backup

Understand Normal Activity


42

eMail

CRM Application

Customers


Active Directory

Backup

Scenario 1: Suspicious Access and Credential Use


43

eMail

CRM Application

Customers


Active Directory

Backup

Scenario 1: Suspicious Access and Credential Use


• Detect access from untrusted source (IP address, location, etc.)

• Enforce policy to prevent access from untrusted IP’s

• Detect direct access to database, bypassing application controls

44

eMail

CRM Application

Customers


Active Directory

Backup

Scenario 2: Creating “Trusted” Users To Evade Detection


45

eMail

CRM Application

Customers


Active Directory

Backup



46

eMail

CRM Application

Customers


Active Directory

Backup



47

eMail

CRM Application

Customers


Active Directory

Backup



• Detect access from untrusted source (IP address, location, etc.)

• Enforce policy to prevent access from untrusted IP’s

• Detect unauthorized user creation in Active Directory, creation of local administrator & DBA accounts

48

Tripwire Platform for Advanced Threat ProtectionClosing the Retail Security Threat Gap

Tripwire System State Intelligence

Asset Discovery &

Profiling

Good & Bad Change

Who & When

Business Context &

Priority

Vulnerability &

Risk

ConfigurationContext

TargetedAttack

Detection

State History

49


Tripwire Vulnerability Management

Tripwire Security Configuration Management

Tripwire Log Intelligence


Asset Discovery &

Profiling

Good & Bad Change

Who & When

Business Context &

Priority

Vulnerability &

Risk


TargetedAttack

Detection

State History

50


Tripwire Vulnerability Management

Tripwire Security Configuration Management

Tripwire Log Intelligence


Asset Discovery &

Profiling

Good & Bad Change

Who & When

Business Context &

Priority

Vulnerability &

Risk


TargetedAttack

Detection

State History

Tripwire Reporting & Analytics

APT / MPS

SIEM

Big Data/Security Analytics

Threat Intelligence

Reduce Threat Gap Cycle Time

51

Tripwire: Reducing The Enterprise Threat Gap

DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP

DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP

Threat Detection Gap Real-time detection of

suspicious behavior Forward events of interest to

focus and enrich analysis & correlation

52


DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP

DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP




Threat Response Gap Prioritize based on business context Identify compromise by comparison

against baseline Support forensic & incident response

53


DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP

DETECTIONGAP

RESPONSEGAP

PREVENTIONGAP

Threat Prevention Gap Discover & profile all IT

infrastructure Minimize vulnerabilities and

harden configurations to reduce threat surface




Threat Response Gap Prioritize based on business context Identify compromise by comparison

against baseline Support forensic & incident response

54

DELIVERING ADVANCED CYBERTHREAT SECURITY FOR CRITICAL SYSTEMS TO DETECT, PREVENT AND RESPOND TO ENTERPRISE THREATS

55