
The SOC Dilemma: Build, Buy or In Between?

IT security teams have a very difficult job, with an ever-changing threat landscape and the fact that a cyberattack only has to succeed once for an organization to be negatively affected. At the same time, most organizations are strapped for resources, especially when it comes to training and keeping experienced in-house security staff. A recent study conducted by Cybersecurity Ventures on the cybersecurity skills shortage found that the staffing shortage will grow to 3.5 million open positions by 2021.

Now, more than ever, organizations need to think about whether it makes sense to fully manage their own security operations in-house, share their cybersecurity responsibilities with a managed security services provider (MSSP), or outsource their cybersecurity operations completely.  

To Build Or Not To Build

Many organizations that currently operate an in-house security operations center (SOC) started on this path at a time when there were fewer acceptable alternatives. Large organizations with the scale to build SOCs see the benefits in terms of control of operations and data and the ability to customize processes to their specific needs. CIOs making the build vs. buy decision today would likely weigh the pros and cons differently from their predecessors.

For starters, the cost of hiring, training and retaining staff will only increase as the cybersecurity skills shortage continues to grow. While the upfront costs to invest in security products and operational systems are significant, the real challenges are the time it takes to operationalize these investments and the high risk of building a security operations center that does not effectively prevent security breaches. In-house SOCs also risk becoming insular and are seldom the first to identify and respond to new threats.

To build a SOC from scratch can take 18 months. Time and resources are consumed with hiring staff, acquiring and optimizing technology, building security use cases, fine tuning threat intelligence and analytics, defining and documenting procedures and more. Like any significant project, the risk is that it will take longer and cost more than originally planned.

The Co-Managed/Hybrid Model

In a hybrid model, the duties of managing the SOC are shared between the organization and an MSSP. Through co-management, enterprises can build on the existing investments they have made in people and technology. Picking and choosing the services they need most, leveraging advanced use cases and content, and extending security monitoring to 24×7 coverage enables IT security teams to become more effective and responsive.

In a co-managed security model, the cost savings can be significant compared to keeping everything completely in-house. Based on a three-year total cost of ownership, the cost of a co-managed SOC model is typically half the cost of an in-house model.

Completely Outsource

A third option for enterprises is to outsource the SOC completely and leverage a managed security services provider’s expertise and resources. This will greatly improve overall scalability and can save on costs associated with having to build your own cybersecurity program from scratch, or share SOC management duties.

Just like the other two options, there are pros and cons to the fully outsourced model as well.  

Cons: Outsourcing security operations to a managed security service provider creates a dependency on a third party and requires coordination between the internal and external teams. Depending on the MSSP’s ability to customize their services, organizations may have to compromise on the method of service delivery. Where an MSSP can align the way it detects threats, escalates alerts, and responds to security events to a customer’s unique environment, the efficacy of their service is considerably increased. Therefore it is important to choose an MSSP that is responsive and can be a true extension of your IT team.

Pros: At its heart, the job of a SOC is to accurately detect indicators of attack or compromise and quickly contain them. To do this effectively requires a significant investment in people, processes, and technology. Many organizations simply do not have the budget, expertise or scale to do this function completely in-house. To staff this function requires a range of talent that includes SIEM content development, security engineering, threat research and tiers of SOC analysts. Hiring and retaining this talent is less challenging for MSSPs, which have the opportunity to provide a career path for employees. Experienced MSSPs are better able to operate a 24×7 security monitoring service or distribute the function on an around-the-clock basis.

The decision to use an MSSP is not just a question of cost and logistics – it is also an efficacy issue. After all, nobody is thanked for “failing cheaply”. By choosing the right MSSP, an organization should benefit from a world-class security detection and response service which can be quickly implemented, tailored to the client’s needs and is scalable. Effective MSSPs use both advanced analytics and expert investigations to detect and prioritize relevant threats and discover suspicious behavior. New threats often move across industries and geographies and MSSPs can use their visibility into their diverse customer base to minimize the risk of a security breach.

Next-generation firewalls and endpoint security products are an important part of a modern cyber defense strategy. However, not all organizations have the expertise to deploy and manage these technologies. MSSPs can offer services to off-load management tasks like configuration management, tuning, patch management, and managed response, as well as maximize the effectiveness of these investments.

Choosing What’s Right For You

When business decision-makers are trying to choose the right solution, whether it’s building an in-house SOC, co-managing or fully outsourcing, there are a number of questions they should ask themselves, including:

  • What is your existing approach to security operations and how is it working?
  • Do you have the budget and ability to recruit and grow an in-house team?
  • What is your organization’s risk profile as it relates to cyber threats?
  • How dynamic is your environment – is your organization growing, acquiring companies, introducing new services or products?

It’s important to assess the needs of your organization, thoroughly evaluate potential providers, crunch the numbers, and consider your timeline before choosing the deployment or an MSSP that’s right for you.

If you find yourself needing an MSSP solution, check out our customizable services here.

ATTACKER – Dark Tequila banking campaign hits Mexico

An active financial malicious campaign dubbed “Dark Tequila”, heavily targeting Mexico since at least 2013, has recently been analyzed by Kaspersky Lab researchers. According to reports, the malware primarily aims at stealing sensitive information, including but not limited to financial data, login credentials to popular websites, domain registers and file storage accounts.

Five operational modules have been identified by the researchers within the multistage payload, spread via spear-phishing or infected USB devices. The supporting infrastructure reportedly proved to be “unusually sophisticated” and the payload activates only if certain specific technical conditions are met. All the stolen data is then encrypted and uploaded to the C2 server.

The campaign was considered to be against Mexican institutions since the malware has a mechanism that will uninstall itself if the system is not in Mexico or the host infected is a “casual” infection. The target list retrieved from the final payload of the malware also contained the names of several Mexican banking institutions and some of the comments in the code were written in Spanish.

Proficio Threat Intelligence Recommendations:

  • Refrain from opening email from unknown senders or inserting USB keys of unknown origin.
  • Deploy a spam filter that detects malicious attachments.
  • Always make sure antivirus, software and operating systems are up-to-date.

TARGET – Cosmos Global Bank Hack

Cosmos Bank, a co-operative bank based in India with a history of over 100 years, was hit with a globally coordinated attack between August 11th and August 13th. The attackers appear to have coordinated with what is suspected to be several individuals to siphon $13.4 million (Rs 94 crore).

Although many details of the incident are not confirmed, reporting so far indicates that over 14,000 ATM transactions across 28 countries, suspected of stealing Rs 78 crore from the bank, are under investigation. The ATM transactions took place in various countries such as Canada, Hong Kong, and India. Additionally, around Rs 13.92 crore ($1.8 million) was transferred on August 13th to Hong Kong using fraudulent transactions targeting the SWIFT system the bank uses for financial transactions.

It is unconfirmed but suspected that the attackers may have compromised the firewall that protects the servers that authorize ATM transactions. There may have been some type of setup or redirection that allowed ATM withdrawals without actually checking whether the cards being used to make the withdrawals were genuine. The bank has alerted the authorities and a police investigation is taking place.

Please note the level of complexity and coordination for this attack is extremely advanced. The coordinated withdrawals from ATMs all over the world would likely indicate the presence of several individuals involved with this particular campaign.

Proficio Threat Intelligence Recommendations:

  • Monitor government agencies for intelligence around global hacking campaigns that may affect the organization.
  • Validate through organized penetration testing that the infrastructure that processes SWIFT transactions and ATM withdrawals cannot be compromised.

TARGET: Two Major Canadian Banks Breached

Two Canadian banks claim to have been breached by attackers this week. Simplii Financial, which is owned by CIBC, has claimed that it may have lost personal and account information for over 40,000 bank customers. The Bank of Montreal then followed this news by claiming that it too had been breached and lost up to 50,000 individuals’ personal and account information.

The attackers had tipped off both banks that they possessed the data and threatened to make the information public if they were not paid one million dollars’ worth of cryptocurrency each. Based on the nature of the situation, both banks decided to go public and not give in to the attackers’ demands.

The attackers’ actions are unusual compared to the recent trend of events. Most recent “ransom” attacks have involved gaining control of assets within an organization and then encrypting the contents held within those assets using ransomware. In this particular attack, the attackers attempted to blackmail the banks by threatening to release information regarding the breach if the banks did not pay up.

The method by which the banks were breached is unknown at this time. It is suspected that the attackers may have targeted some type of account reset feature on servers that store user account information. They may then have used an application with some type of algorithm that could access bank account numbers and systematically pull user account information.

Proficio Threat Intelligence Recommendations:

  • Ensure the application security of password reset features on relevant applications.
  • Enforce strict access controls and monitoring on assets that hold personal user information, especially banking applications that may hold bank account information.

Target: Expedia Orbitz – 880K data breach

Travel giant Expedia Orbitz has disclosed a security breach that affected at least 880,000 customer payment cards. It appears that the attackers had potential access to the data between Oct. 1, 2017 and Dec. 22, 2017. The investigation revealed that the attackers had potentially exposed customer names, addresses, payment card information and email addresses when the Orbitz.com legacy site was compromised. Expedia Orbitz reported the issue on March 27th and says the issue was addressed when it was discovered on the 1st of October 2017.

Orbitz doesn’t have direct evidence of what information was actually stolen at this time. Working closely with law enforcement, Orbitz was able to confirm that no U.S. social security numbers were exposed.

What should be done to prevent more credit data hacks like Equifax’s

In the wake of last week’s hacking of U.S. consumer credit reporting agency Equifax Inc., security experts are bemoaning the breach and calling for big changes, including big penalties for the data brokers that hold so much information critical to everyone’s financial life.

“For far too long, businesses have under-invested in software integrity, relying on network-based defenses that are incapable of protecting many exploit vectors, including those associated with open source security defects,” Wayne Jackson, chief executive officer of Sonatype Inc., told SiliconANGLE. “The Equifax breach and loss of 143 million records (including mine) serves as a painful reminder of why every link in the software supply chain must be automatically and continuously managed. To do otherwise is simply negligent.”…

Targeted Wire Transfer Scams on the Rise

While not new, targeted wire transfer scams are alive and well and we recommend that you check your processes to guard against them.

These scams start by targeting corporate executives and attempt to convince their targets to wire funds to accounts controlled by the fraudsters.

In one variant of the attack, the scammer will register a domain name with a similar spelling to the target’s and establish an email service on the domain. They will then search online for the names of the CFO and managers in the finance department. The attack begins with the attacker sending a targeted email to a manager from what looks like the CFO’s email address, using a variation of the domain name. If the manager responds, the attacker will stage a malicious funds transfer request after gathering information from the manager. The attacker will request that the manager perform a wire transfer to a bank account within a short period of time, using language they have phished from the email threads. The manager thinks the CFO is requesting the transfer, requests approval, and the attacker pretending to be the CFO approves the transfer.

In another variant, the attacker impersonates an executive at another company that is likely to be doing business with the target company. The initial email uses a domain name that closely resembles the corporate domain name of the organization being impersonated. The body of the email instructs the target to pay all new or outstanding invoices via wire transfer to a new bank account. This attack leverages the likelihood that Accounts Payable at the target company will have actual invoices from the spoofed company.

In both cases, once the funds are transferred, they are quickly rerouted to other hard-to-trace accounts.

Who is Being Targeted by Wire Transfer Scams

Scammers frequently attempt to exploit the finance departments of medium to large-sized organizations who are likely to have a high volume of transactions.

Recommended Countermeasures

  1. Internal education – undertake organization-wide phishing awareness training and ensure finance department personnel are familiar with this type of scam.
  2. Require validation of new banking information with trusted accounting contacts at suppliers and business partners.
  3. Identify lookalike email domains that could be used by scammers in the above scenarios and create email filters to treat these emails as spam. The following tool generates variations of email domains that could be used in a phishing attack or for URL hijacking: http://www.morningstarsecurity.com/research/urlcrazy.
  4. While you could also block the source IP of the attack, expect that future attacks will come from a different IP address.
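As an added example (not part of the original post or any Proficio tooling), the following Python check applies countermeasure 3 to the two scam variants described above: it flags inbound From: headers whose sender domain merely resembles the organization’s own domain or a supplier’s, and headers that carry an executive’s display name on an outside mailbox. The domains, executive name and sample headers are constructed assumptions.

```python
"""Flag inbound mail whose sender domain resembles a protected domain (lookalike check)."""
from email.utils import parseaddr

# Constructed: the organization's own domain plus a supplier it pays by wire transfer.
PROTECTED_DOMAINS = ("example-corp.com", "acme-supplier.com")
# Constructed: executives whose names are likely to appear in a spoofed display name.
EXECUTIVE_NAMES = {"jane doe"}

# Digit-for-letter swaps common in lookalike registrations, folded to a canonical form.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold(domain: str) -> str:
    """Canonicalize homoglyphs so 'examp1e' and 'exarnple' compare equal to 'example'."""
    return domain.lower().translate(_FOLD).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike:<protected domain>', 'display-name-spoof' or 'unknown'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in PROTECTED_DOMAINS:
        return "trusted"
    for protected in PROTECTED_DOMAINS:
        # Equal after homoglyph folding, or within two edits, counts as a lookalike.
        if fold(domain) == fold(protected) or edit_distance(domain, protected) <= 2:
            return f"lookalike:{protected}"
    if name.strip().lower() in EXECUTIVE_NAMES:
        return "display-name-spoof"
    return "unknown"


# Constructed sample From: headers, one per scenario from the two scam variants.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",   # genuine internal sender
    "Jane Doe <jane.doe@examp1e-corp.com>",   # homoglyph: '1' in place of 'l'
    "Jane Doe <jane.doe@example-corp.co>",    # TLD one character short
    "Billing <ar@acme-suppiler.com>",         # transposed letters in a supplier domain
    "Jane Doe <jane.doe@freemail.example>",   # executive's name on an outside mailbox
    "News <news@unrelated-domain.net>",       # ordinary outside sender
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):<30} {header}")
```

The two-edit threshold is a starting point for domains of this length; tune it against your own mail flow so legitimate short domains do not trip it.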