Recently, we came across a malware sample that has been traversing the Internet disguised as an image of a woman. The malware sample uses several layers of obfuscation to hide its payload, including the use of steganography. Steganography is the practice of concealing a message, image, or file within another message, image, or file. Steganography can be used in situations where encryption might bring unwanted attention. Encrypted traffic from an unusual source is going to draw unwanted attention. Steganography allows malicious payloads to hide in plain sight. It also allows the attacker to bypass security devices. In our sample malware, steganography is used to decrypt and execute a second dropper, which in turn installs a user-land rootkit to further hide its intentions. The rootkit adds another layer of obfuscation by installing a DarkComet backdoor, using RC4 encryption to encrypt its configuration settings and send data to its command and control server.
According to the Breach Level Index, between July and September of this year, an average of 23 data records were lost or stolen every second – close to two million records every day.1 This data loss will continue as attackers become increasingly sophisticated in their attacks. Given this stark reality, we can no longer rely on traditional means of threat detection. Technically advanced attackers often leave behind clue-based evidence of their activities, but uncovering them usually involves filtering through mountains of logs and telemetry. The application of big data analytics to this problem has become a necessity.
To help organizations leverage big data in their security strategy, we are announcing the availability of an open source security analytics framework: OpenSOC. The OpenSOC framework helps organizations make big data part of their technical security strategy by providing a platform for the application of anomaly detection and incident forensics to the data loss problem. By integrating numerous elements of the Hadoop ecosystem such as Storm, Kafka, and Elasticsearch, OpenSOC provides a scalable platform incorporating capabilities such as full-packet capture indexing, storage, data enrichment, stream processing, batch processing, real-time search, and telemetry aggregation. It also provides a centralized platform to effectively enable security analysts to rapidly detect and respond to advanced security threats.
The OpenSOC framework provides three key elements for security analytics:
A mechanism to capture, store, and normalize any type of security telemetry at extremely high rates. OpenSOC ingests data and pushes it to various processing units for advanced computation and analytics, providing the necessary context for security protection and the ability for efficient information storage. It provides visibility and the information required for successful investigation, remediation, and forensic work.
Real-time processing and application of enrichments such as threat intelligence, geolocation, and DNS information to collected telemetry. The immediate application of this information to incoming telemetry provides the greater context and situational awareness critical for detailed and timely investigations.
The interface presents alert summaries with threat intelligence and enrichment data specific to an alert on a single page. The advanced search capabilities and full packet-extraction tools are available for investigation without the need to pivot between multiple tools.
During a breach, sensitive customer information and intellectual property is compromised, putting the company’s reputation, resources, and intellectual property at risk. Quickly identifying and resolving the issue is critical, but, traditional approaches to security incident investigation can be time-consuming. An analyst may need to take the following steps:
- Review reports from a Security Incident and Event Manager (SIEM) and run batch queries on other telemetry sources for additional context.
- Research external threat intelligence sources to uncover proactive warnings to potential attacks.
- Research a network forensics tool with full packet capture and historical records in order to determine context.
Apart from having to access several tools and information sets, the act of searching and analyzing the amount of data collected can take minutes to hours using traditional techniques.
When we built OpenSOC, one of our goals was to bring all of these pieces together into a single platform. Analysts can use a single tool to navigate data with narrowed focus instead of wasting precious time trying to make sense of mountains of unstructured data.
No network is created equal. Telemetry sources differ in every organization. The amount of telemetry that must be collected and stored in order to provide enough historical context also depends on the amount of data flowing through the network. Furthermore, relevant threat intelligence differs for each and every individual organization.
As an open source solution, OpenSOC opens the door for any organization to create an incident detection tool specific to their needs. The framework is highly extensible: any organization can customize their incident investigation process. It can be tailored to ingest and view any type of telemetry, whether it is for specialized medical equipment or custom-built point of sale devices. By leveraging Hadoop, OpenSOC also has the foundational building blocks to horizontally scale the amount of data it collects, stores, and analyzes based on the needs of the network. OpenSOC will continually evolve and innovate, vastly improving organizations’ ability to handle security incident response.
We look forward to seeing the OpenSOC framework evolving in the open source community. For more information and to contribute to the OpenSOC community, please visit the community website at http://opensoc.github.io/.
We listen to our customers all the time, and what they have been telling us about cloud security over the past 18 months is intriguing. There was a time when IT security leaders were clearly uncomfortable about the idea of trusting remotely delivered security; discussions about cloud security would be met with skepticism. Over the last year and a half, this attitude has undergone a sea of change, and moved through increasing levels of interest to today, where our customers are actively leaning in and engaging in the discussion about moving security functions to the cloud. There are several reasons for this dramatic shift.
Overall, the enterprise network no longer sits comfortably within four secure walls. Extended networks and new business models related to mobility, cloud, the Internet of Things (IoT) and Everything (IoE) are complicating network management and security for companies of all sizes. IT professionals are being tasked with supporting and protecting this ever-evolving environment with fewer resources. Hampered by tighter budgets and the IT security industry’s growing skills shortage customers need to work smarter, not harder.
Our customers are continuing to feel the pain of having to increasingly support off-premise mobile devices like smartphones and tablets. The critical need to rapidly onboard these devices to connect to corporate services and applications pretty clearly provides business with a competitive advantage (Cisco Enterprise Mobility Landscape Wave II Study – April 2014) in improving workforce efficiency.
Consider the sales person who needs to check a customer order from his corporate- sanctioned tablet in the customer’s lobby. Look at the contractor with their personal smartphone who needs to access project emails from home.
What is the big problem? The rush to provide access to these off-premise devices means we have reduced or even discarded needed security controls when it comes to remote connectivity for mobile devices. Offering access from any device, any location, anytime, opens the door to potential security threats. The mobile endpoint is a threat vector with 68% of organizations saying their mobile devices were targeted by malware in the last 12 months (Ponemon Research.)
What if I secure these devices using VPN technology in the same way as laptops? While, ”Turning On” VPN on any endpoint means that all traffic and applications (personal and enterprise) are all transmitted over the same VPN channel to access corporate networks. This co-mingling of corporate and user apps allows the possibility of un-compromised user applications polluting corporate infrastructure and increases the risk of threats to the network.
So now what? I don’t want to enable VPN every single time I try to look up a document or use salesforce.com or access email. That increases the complexity for the user and gives them a reason to either find a way around the process or nullifies the efficiency business want to promote with their mobile workforce.
The answer lies with the introduction of Cisco AnyConnect 4.0 offering customers the ability to deliver per-application secure access for only approved corporate applications in way that is seamless to the user. By just clicking on the registered corporate application I want to use, I can automagically create a secure connection for JUST that application each time. This means I don’t mix access to corporate resources between authorized applications and potentially infected user applications. It even reduces bandwidth and IT resource usage since user applications do not get tunneled back to corporate and has to go through user networks (mobile or WiFi).
Enterprises want to empower their mobile users to work from anywhere while IT wants a simple way to control and secure enterprise access consistently across any device whether on or off-premise. AnyConnect continues to evolve to provide integrated and flexible security and access control for any remote and/or mobile endpoints.
To learn more how to better secure your remote endpoints, check out Cisco AnyConnect
Enterprises, governments, and organizations of all sizes are moving to the cloud in record numbers. The cloud can offer resiliency, but it also introduces new security challenges. Security needs to be baked in from the beginning, across the board.
Cisco has invested over $1 billion in people, infrastructure, equipment, and services to address the cloud market. Most recently, we launched the Cisco Intercloud, a network of clouds from multiple cloud service providers across the world designed to meet customers’ needs for a globally-distributed cloud platform that enables federated workloads that can be moved from one cloud to another.