Stop Targeted Attacks Before They Stop Your Business

Introduction

IT security has always been a concern for businesses. For a long time security meant preparing for a massive attack, like a Trojan horse or a virus. It wasn't all that long ago that only the largest of companies had to worry about falling prey to sophisticated cyber attacks. This is no longer the case. According to the January 2014 Symantec Intelligence Report, attacks were fairly evenly split among organizations of all sizes and industries.

While large-scale mass attacks are still prevalent and continue to grow more cunning, the days of worrying only about these sorts of threats were simple and straightforward compared to today's landscape.

Targeted attacks and advanced persistent threats are distinct threat types, and each requires its own set of protection capabilities to be deployed if an enterprise is to truly protect its entire infrastructure.

To prevent attacks, organizations need a security strategy in place to deflect both mass malware and targeted attacks. A targeted attack is, as its name implies, one that is aimed at a specific user, company or organization. These attacks are not widespread like a virus or worm, but rather are designed to attack and breach a specific target, with the ultimate goal of collecting various types of data.

To truly protect themselves from a targeted attack, businesses must change their view of security from top to bottom. From strategic planning to implementation, organizations must stop believing endpoint antivirus and firewalls are enough and instead think in terms of proactive, multi-layered protection. An effective layered approach protects all vulnerable areas.

This typically includes signature-based protection as well as the security intelligence to provide contextual awareness and adaptive monitoring across three key vulnerable (and often valuable) areas:

• Endpoints
• Gateways
• Data center

© 2014 QuinStreet, Inc.

A sub-par protection plan opens the door to infections and creates significant costs, whether measurable in quantifiable dollars or something less tangible, like employee morale. A breach in your security will often result in lost or compromised data, expensive equipment replacement, lost productivity and loss of customer confidence. A breach also means reallocated resources, time lost, lots of backtracking and ultimately lost revenue. There is both a short-term and a long-term impact.

A security breach at any of those points will have a significant negative impact. In fact, even an infection that hasn't reached the level of a breach can impact productivity as it too will soak up IT resources and add real costs to your business.

Targeted Attack Trends

Targeted attacks are on the rise. Neither company size nor industry affords protection. According to the January 2014 Symantec Intelligence Report, small companies of 250 employees or fewer were targeted in 39 percent of attacks in January 2014, while those with 2,500 or more employees were targeted 38 percent of the time. The remaining 23 percent targeted enterprises in between. More than 40 percent of attacks were on manufacturing and nontraditional services firms (e.g., hospitality, recreational, and repair services), while finance, insurance and real estate (13.7 percent), professional services (11.4 percent) and wholesalers (11.0 percent) also fell prey.

No company is immune from a targeted attack. If you think that just because you have some sort of perimeter protection and you haven't yet been hit you're OK, think again. Targeted attacks are stealthy, complicated beasts. Oftentimes they sit silently, collecting information, for more than 10 months before they are discovered. Additionally, it's important to understand that smaller companies are often used as a gateway to attacking a larger company with which they have an established relationship.

And don't think stopping the hackers from getting in is an easy solution either. It is near-impossible to know who's targeting you, as hackers are an increasingly diverse group - no one profile applies to them all - or what they're targeting you with, because the tools attackers use adapt so rapidly to IT environments.

Thus, it's imperative to cover all bases to protect your entire infrastructure. That includes gateways, endpoints, and data centers. Proactive, independent steps must be taken to protect these key touch points.

Consider the data center, for example. The data center will always be a prime target for attacks. This is where your most important information lives and the heart of your functionality. Protecting the servers, both physical and virtual, on which data resides is critical. While most attacks aim for a weak point of entry, the true prize they're eyeing is in the data center. Although a breach is less likely to take place directly at the data center level than at a compromised endpoint or gateway, the data center requires security solutions to stop malware that may be trying to spread from endpoints or another weak point in the network.

The dynamic nature of today's data center complicates this further. Optimized security for each unique type of server - web, file, application, database and so on - is needed, bearing in mind that "servers" are virtual as well as physical. Without protection for all of these server types, the data center continues to be potentially at risk.

The techniques used against servers today range from sophisticated penetration techniques to unintentional configuration mistakes by admins. Cybercriminals frequently target servers during the incursion, discovery, and capture phases of a data breach.

Hence, the traditional protection technologies and policies often employed, such as antivirus or patch updates, while still an important layer of defense, are often not up to the task of securing today's data center. Today's threat landscape warrants augmenting them with real-time and proactive security to provide sufficient protection for servers and to address the greater confidentiality, integrity, and availability requirements of each system.

A note of caution - while it may seem tempting and cost effective to bypass protecting gateways and endpoints, and instead put all of your security dollars into building a fortress around the data center, it is far from the most effective course of action. As important as it is to protect your assets directly, it is equally important to prevent targeted attacks from penetrating at all. No single layer of security can accomplish that on its own.

There is no denying endpoint protection is critical, and organizations are wise to ensure it is part of their security arsenal. Endpoint security is becoming a more common IT security function and concern as more employees bring their own mobile devices to work and companies allow their mobile workforce to use these devices on the corporate network.

Without some sort of endpoint security, there would be no protection in place for the corporate network when accessed via remote devices, such as laptops or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry point for security threats. Endpoint security is designed to secure each endpoint on the network created by these devices. The increase in employee-owned devices is further fueling these potential vulnerabilities exponentially. A typical endpoint security configuration consists of security software (e.g., antivirus, antispyware and firewall protection) located on a centrally managed and accessible server or gateway within the network, along with client software installed on each of the endpoints (or devices). The latter becomes an increasingly complex endeavor as employees circumvent policies and access the network from potentially unsecured devices.

Thus, as comprehensive as endpoint protection seems, it is important to bear in mind that, given the nature of today's threats, endpoint protection is often not enough. It is important to also secure the gateways as well as the data center itself.

Web protection is but one type of gateway protection. For web protection to truly be effective, you must secure email as well. Gateway protection secures nodes on a network that serve as an entrance to another network. The computer routing the traffic from a workstation to the outside network that is serving the web pages is serving a gateway function. In the past, a proxy server sufficed, but with the growing variety of web-borne malware, that is no longer enough. True web protection is able to identify new threats before they cause disruption in your organization.

However, focusing purely on the gateway is not enough. Whitelisting, blacklisting, URL filtering and so on are helpful and necessary, but it is important to bear in mind that the web is a pass-through point and hackers are increasingly cagey. Spyware and other easily downloaded malware can quickly penetrate your network if not caught. It is also important to have a web gateway solution that is able to scan all outbound communications, as this can provide an early warning of a malware infection in progress.

In addition, no matter how well you protect your web servers and other web-based access points, they are not the endpoints, and the data center itself must also be protected, both to stop a targeted attack from striking and, should it get in, to stop it from doing damage.

Email protection is considered one type of gateway protection. For email protection to truly be effective, you must secure web connections as well. Email has always been an easy gateway for hackers. First it was merely the annoyance of spam that had to be dealt with. The biggest problem with spam was its impact on productivity and bandwidth. Today, the security threats that come in via messaging are far more nefarious. Security threats take the form of spoofed addresses and phishing, malware infected files such as PDF or Office documents, embedded URLs and more.

Having protection in place to ensure a targeted attack does not enter your network via a gateway, whether email or a web connection, is imperative. The gateway is but one component, however, and it is a mistake to overlook the endpoint and the data center itself.

Protection Your Organization Needs to Keep Your IT Assets Safe

Just as a chain is only as strong as its weakest link, an organization's security infrastructure is only as tight as the loosest vulnerable point. Thus it is important to protect your endpoints, gateways and data center from targeted attacks.

Individually, the security of each component offers many advantages to the security of the organization as a whole, but none are without limitations. Securing a single component will not bring end-to-end security to the enterprise. Rather all three areas must be protected from targeted attacks, ideally with a layered umbrella approach that treats the organization as a single entity.

Take endpoints, for example. Protecting your endpoints has always been important, and the criticality continues to increase as more employees bring consumer mobile devices to work and companies allow their mobile workforces to use these devices on the corporate network. Endpoint security protects the corporate network when accessed via remote devices, such as laptops or other wireless and mobile devices. Generally, endpoint security is a security system that consists of security software located on a centrally managed and accessible server or gateway within the network, in addition to client software installed on each of the endpoints (or devices). The server authenticates logins from the endpoints and also updates the device software when needed. Effective endpoint protection blocks threats as they travel over the network and try to take up residence on a system. While endpoint security software differs by vendor, you can expect most software offerings to provide antivirus, antispyware, firewall and also a host intrusion prevention system. All of these offerings stop malware in its tracks. Ideally, endpoint protection should go beyond antivirus and offer layered protection at the endpoint.

Stopping malware before it reaches gateways or the data center is certainly preferable to identifying a compromise that has already taken place. However, while a good endpoint security package can handily protect endpoints, endpoints are not the only IT assets vulnerable to a targeted attack. Nor is even the most inclusive security package immune to ever-evolving threats.

Endpoint security, as important and effective as it is, is but one component of a comprehensive and layered security strategy.

There's no escaping the web. Both having a web presence and using the web for daily operations are necessary components of an effective business strategy.

The web, as well as email, is a gateway into the corporate network. This makes it vulnerable to a targeted attack, as it is an easy conduit for a hacker to get to the organization's servers. Protecting this gateway from the multiple types of constantly mutating web-borne malware is critical. The most popular way to do this is with URL filtering. A URL-filtering solution filters out undesirable URLs to prevent employees from visiting sites known to be malicious as well as sites that violate company policy.

Unfortunately, this is not enough for the current threat landscape. Rather than relying on what has already been proven to be malicious, a proactive approach is more effective. An ounce of prevention always goes further than a pound of cure.

A predictive approach based on context (e.g., age, frequency or location) better exposes threats that would otherwise be missed. Relying on a pool of knowledge about potential threats is also a useful indicator.

Ideally, the security tools in place at the web gateway will identify and block new and unknown malware, stopping it in its tracks before it reaches an endpoint or finds its way into the data center. Oftentimes, however, these tools are more valuable when they are not stand-alone. The ability to leverage the knowledge and techniques from one security protection layer in another increases the odds of stopping a targeted attack in its tracks. In addition, being able to scan all outbound web traffic can help provide an early warning in case of infections on unmanaged or unprotected endpoints.

Love it or hate it, email is a vital component of any organization's communications strategy. Email is used for both internal and external communications. For external communications in particular, it is often the easiest way to transmit files in any format.

In the early days of email, bandwidth-hogging and time-consuming spam was an organization's biggest worry. Today, antispam is the tip of the iceberg. Email is a gateway into the corporate network. The ease with which a file can be attached to an email and transmitted throughout the organization makes it an easy conduit for a targeted attack. An infected attachment or an embedded link to a nefarious site can do a great deal of damage in a very brief amount of time.

Thus, in addition to focusing on spam, which brings with it its own set of challenges, security software for the messaging gateway should ensure that the attachments are clean and malicious URLs are removed. One that can remove potentially malicious active content from documents attached to an email and send a clean version of the document to the user is even better.

Basic antispam and antivirus functionality should not be overlooked either. Whitelisting/blacklisting and filtering at the server level all help reduce spam.

To minimize the impact of falling victim to address spoofing or allowing spoofed messages to be passed on, look for messaging protection that is capable of blocking links and can check for emails with malicious, shortened links, and then stop them before they reach a recipient.

Bear in mind, however, that email is but one component of the gateway layer of a security strategy. It is critical to have not just messaging protection in place but also protection against threats that could come in through the web. In addition, merely protecting gateways is not enough. Enterprises must be sure to also protect endpoints and the data center itself.

The data center is the Holy Grail for many enterprises. Neglect to protect it or under-protect it, and no matter how much endpoint security or gateway protection you have in place, it's only a matter of time before a targeted attack is able to successfully breach the arsenal in place and gain access to your most valuable data, regardless of whether it resides on physical or virtual infrastructure in the data center.

To stop a targeted attack, IT has historically relied on traditional protection technologies such as antivirus and whitelisting. To secure today's physical and virtual data centers, this is no longer enough. Server protection must cover in-depth confidentiality, integrity, and availability requirements of each system. Oftentimes security must be customized for each server, be it web, file, application, or database, due to data sensitivity or regulatory constraints.

Granular, policy-based controls are one solution to this. In addition, a combination of host-based intrusion detection, intrusion prevention, and least privilege access control enables organizations to proactively safeguard heterogeneous server environments and the information they contain.

While it may seem tempting and cost effective to bypass protecting gateways and endpoints, and instead put all of your security dollars into building a fortress around the data center, it is far from the most effective course of action. As important as it is to protect your assets directly, it is equally important to prevent targeted attacks from penetrating at all. No single layer of security can accomplish that on its own.

Bridging the Gap

Securing your enterprise against today's threats means rethinking the security measures you currently have in place. Basic antivirus protection doesn't cut it in this world of rapidly mutating malware and virulent targeted web attacks. In today's threat landscape, a multi-layered approach to security is needed to protect your endpoints and gateways and ultimately your data center.

You know firsthand that a sub-par protection strategy not only opens the door to more infections but also creates real costs. A breach in security is serious business. As we noted previously, lost or compromised data, expensive equipment replacement, lost productivity and loss of customer confidence have a rippling and crippling impact on the core business, and you are often the one feeling the pain.

Whether you've been officially tasked with improving security or are frustrated with the current situation and eager to develop a more secure IT environment, the first step is to assess what is currently being done. The following questions should be considered:

• What are you currently doing and using for security?
• What does the data center environment look like?
• Where are your endpoints and gateways?
• Do you have remote employees?
• What is your policy on BYOD?
• What critical data are you tasked with protecting?

Only after those questions have been answered, and buy-in and budget from senior management are received, is it time to seek out a solution.

Next Steps - How Symantec Can Help

Seeking a security solution is no easy task. There is no shortage of vendors from which to choose. Some are generalists, offering a wide range of security services, while others are specialist or niche players with one or two areas of security expertise.

When it comes to IT security, more often than not, you get what you pay for. Thus, going with a smaller, niche-oriented vendor, perhaps one that is even best of breed for a given niche, may save you money upfront and may even deliver the highly configurable functionality you seek in a given area. However, in the medium term, it will result in a more complicated security architecture that will cost more over the long term and be less secure due to the need to bridge solutions together in a cohesive fashion and plug any potential gaps that are created. Ad hoc fixes to missing functionality will further complicate and create additional security holes leaving the organization more vulnerable to a targeted attack.

On the flipside, a comprehensive solution from a single vendor is in effect putting all of your eggs in one basket. Finding a vendor that can meet all of your security needs on all fronts and allows for the desired configurability is no easy task.

Fortunately, there is such a vendor. Symantec brings decades of comprehensive, intelligent security expertise, global intelligence and a broad portfolio that offers proactive and integrated protection from targeted attacks at the endpoint, gateway and data center level. It offers a proven and holistic approach to protection.

Symantec Endpoint Protection combines effectiveness and performance to deliver unparalleled security across physical and virtual systems that offers both maximum performance and advanced protection.

Symantec Endpoint Protection combines three technologies: Symantec Threat Protection, SONAR and Insight. Collectively, this powerful trifecta outperforms traditional antivirus protection: Network Threat Protection, Insight and SONAR caught 51 percent of all of the threats seen by Symantec in 2012.

Symantec Network Threat Protection analyzes incoming data streams via network connections and blocks threats before they actually hit the system. Network Threat Protection sits inside browsers and scans more than 200 protocols to block attacks on vulnerabilities. It also monitors outgoing traffic to ensure sensitive data stays in.

Symantec Insight uses the collective wisdom of millions to help organizations reduce false positives and determine whether a file being downloaded onto a corporate network is potentially malicious. Symantec Insight leverages factors such as age, prevalence, and source of any executable file to provide contextual awareness and score the potential risk of virtually every file.

With Insight, the unique pieces of malware often used in targeted attacks would have a low reputation score since the prevalence of the file would be low. This gives organizations the ability to easily block something because Symantec Insight has never seen that particular file before.
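As an added illustration (not Symantec's code and not the real Insight algorithm), the hypothetical scorer below combines the three factors named above, age, prevalence and source, over constructed telemetry records; the weights, the `aggregate`, `reputation_score` and `verdict` functions and the sample hashes are all assumptions made for this example. A file seen once, today, from an unknown source scores near zero and is blocked, which is the behaviour the paragraph describes.

```python
import math
from dataclasses import dataclass, field
from datetime import date

# Hypothetical weights and threshold chosen for this example (not Symantec's model).
W_PREVALENCE, W_AGE, W_SOURCE = 40.0, 35.0, 25.0
BLOCK_THRESHOLD = 30.0
# Trust assigned to the channel a file arrived through, keyed by the label prefix.
SOURCE_TRUST = {"signed": 1.0, "web": 0.5, "unknown": 0.0}


@dataclass
class FileRecord:
    sha256: str
    hosts: set = field(default_factory=set)      # distinct machines that saw the file
    sources: set = field(default_factory=set)    # channels the file arrived through
    first_seen: date = date.max                  # earliest observation


def aggregate(observations):
    """Fold (host, sha256, seen_on, source) events into one record per hash."""
    records = {}
    for host, sha256, seen_on, source in observations:
        rec = records.setdefault(sha256, FileRecord(sha256))
        rec.hosts.add(host)
        rec.sources.add(source)
        rec.first_seen = min(rec.first_seen, seen_on)
    return records


def reputation_score(rec, today):
    """0..100 score: higher means older, more widely seen and better sourced."""
    age_days = max((today - rec.first_seen).days, 0)
    age = min(age_days / 365.0, 1.0)                              # saturates at one year
    prevalence = min(math.log10(len(rec.hosts) + 1) / 5.0, 1.0)   # ~100k hosts -> 1.0
    source = max(SOURCE_TRUST.get(s.split(":")[0], 0.0) for s in rec.sources)
    return W_PREVALENCE * prevalence + W_AGE * age + W_SOURCE * source


def verdict(records, sha256, today):
    """A hash never observed before scores 0 and is blocked, like a one-off payload."""
    rec = records.get(sha256)
    score = reputation_score(rec, today) if rec else 0.0
    return ("block" if score < BLOCK_THRESHOLD else "allow"), round(score, 1)


# Constructed sample telemetry (made up for this example, not real data).
TODAY = date(2014, 2, 1)
OBSERVATIONS = (
    # a signed installer deployed on 500 hosts for more than a year
    [("host-%03d" % i, "sha256:aaaa", date(2013, 1, 10), "signed:TrustedVendor")
     for i in range(500)]
    # a download that 30 hosts fetched from a web site twelve days ago
    + [("host-%03d" % i, "sha256:bbbb", date(2014, 1, 20), "web:download.example")
       for i in range(30)]
    # a file seen exactly once, today, with no known source
    + [("host-999", "sha256:cccc", TODAY, "unknown")]
)
RECORDS = aggregate(OBSERVATIONS)

if __name__ == "__main__":
    for h in ("sha256:aaaa", "sha256:bbbb", "sha256:cccc", "sha256:dddd"):
        print(h, verdict(RECORDS, h, TODAY))
```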

SONAR affords a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection, detecting threats before traditional virus and spyware detection definitions have been created to address the threats. SONAR detects the following:

• Heuristic threats - tracks nearly 1,400 behaviors to determine if an unknown file behaves suspiciously and might be a high risk or low risk. It also uses reputation data to determine whether the threat is a high risk or low risk.
• System changes - detects applications or files that try to modify DNS settings or the hosts file on a client computer.
• Trusted applications exhibiting bad behavior - detects applications that are behaving suspiciously or in a way outside of their norm.

Protecting your gateways is a critical component of IT infrastructure protection. Powered by Insight, Symantec's reputation-based malware filtering technology, Web Gateway is more than just web content filtering software. Web Gateway protects organizations from multiple types of web-borne malware and gives organizations the flexibility of deploying it as either a virtual appliance or on physical hardware. Insight offers proactive protection against new, targeted or mutating threats, blocking not just web traffic, but also any port and protocol.

Powered by the collective wisdom of more than 210 million systems, Web Gateway is able to detect threats as they are created. It uses context to reduce false positives and cut management overhead. In addition, because Web Gateway integrates with Symantec Data Loss Prevention Network Prevent for Web, it is able to prevent sensitive data from leaving the corporate network via the web, reduce the risk of data loss by automatically enforcing security policies, and change users' behavior through real-time education on policies with notifications of policy violations. Web Gateway can also scan all outbound communications to detect infections on unmanaged or unprotected machines and send them to quarantine to provide easier remediation.

Key features of Web Gateway include: Web filtering software that integrates seamlessly with Symantec Data Loss Prevention, application control capabilities, Symantec RuleSpace URL filtering with flexible policy setting, SSL Decryption capabilities, multiple layers of malware protection, and integration with Symantec AntiVirus engine.

Email is an essential universal tool for doing business, yet it is also a potential gateway for those wishing to do harm. Symantec Messaging Gateway and Email Security.cloud deliver powerful email protection, enabling organizations to secure their email and productivity infrastructure with effective and accurate real-time antispam and antimalware protection, targeted attack protection, advanced content filtering, data loss prevention and email encryption.

Messaging Gateway is simple to administer and catches more than 99 percent of spam with less than one in 1 million false positives.

Targeted Attack Protection is one of Messaging Gateway's key features. Disarm, a proprietary Symantec technology, protects against targeted attacks and zero-day malware by removing active, potentially malicious content from Microsoft Office and PDF attachments. It then re-assembles the attachment so that it is viewable by the end user without fear of infecting them.

While Disarm protects on premises, organizations looking for cloud-based protection can look to Skeptic for their messaging security needs. Part of the Symantec.cloud offerings, Skeptic is a proprietary heuristic technology that does not rely on signatures to detect new, emerging or even variations of older malware. Using thousands of rules and dozens of advanced techniques, Skeptic detects new and emerging malware through techniques such as application reputation, junk code analysis and "real-time link following," which offers protection against positively identified viral URL links within emails. Skeptic then looks at all the evidence before reaching a conclusion and taking the appropriate actions. Because Skeptic is delivered as a cloud-based service, it is continually learning based on the volume of threats it sees and identifies and is thus able to stay one step ahead of potential threats.

It would be a glaring security omission to neglect protecting the data center. After all, this is where your most valuable business assets reside, and neglecting this layer will at the very least have serious repercussions throughout the business, should it be the victim of a targeted attack.

Fortunately, Symantec has a solution to prevent this. Using host-based intrusion detection (HIDS) and intrusion prevention (HIPS), Symantec provides a proven and comprehensive solution for server security, for both physical and virtual servers.

Critical System Protection offers a host of protective measures against targeted attacks. With file, system and admin lockdown, virtual and physical servers can be hardened to maximize system uptime and avoid ongoing support costs for legacy operating systems. Granular Intrusion Prevention Policies protect against zero-day threats and restrict the behavior of approved applications even after they are allowed to run with least privilege access controls.

Critical System Protection's Least Privilege Access Control restricts user, application and network access, effectively locking malware out because it is not allowed to run. For organizations that operate a VMware infrastructure in the data center, Critical System Protection uses VMware's prescribed policies for virtual server hardening, including vCenter, hypervisors and guest operating systems.

Other functionality in Critical System Protection includes integrity monitoring to identify changes to files in real-time, configuration monitoring, targeted prevention policy and integration with IT GRC and SIEM Solutions.

Conclusion

Keeping the enterprise secure is no easy task. Protecting your organization from unknown threats is incredibly difficult. Choosing a best of breed vendor that offers end-to-end security goes a long way toward keeping your IT assets safe and preventing a targeted attack from taking a penetrating hit.

Symantec offers a comprehensive portfolio that provides layered protection based around endpoint, gateway and data center assets. Give Symantec Endpoint Protection a try - download the trialware version at http://www.symantec.com/offer?a_id=175265.

To learn more about how Symantec's offerings can prevent a targeted attack from impacting your organization, go to http://www.symantec.com/endpoint-protection/?om_ext_cid=biz_US_ad_Quinstreet_EndpointProtection_aid176053 or call 855-210-1103 to speak with a Symantec representative.