Threat Intelligence That Combines External and Internal Data Will Help You Determine What You Need to Care About in Your Environment
According to the Deloitte 2016 Holiday Survey, consumers expect to spend roughly $430 each this holiday shopping season, with spending evenly divided between online and in-store purchases for the first time ever. Two-thirds of respondents will shop online and then purchase in store (webrooming); half will shop in store and then buy online (showrooming); and more than 4 in 10 will take advantage of "buy online, pick up in-store" offers. However the final numbers shake out, we know this is the biggest time of the year for retailers, and also for the criminals who target them. The stakes are high as the number of credit card transactions soars.
As the many highly publicized breaches attest, in-store Point-of-Sale (POS) devices are high-value targets for cyber criminals for a number of reasons. They are hard to secure because there are so many of them, they often run old operating systems and outdated software, and they are difficult to patch. What's more, many retailers don't run anti-virus (AV) or other security software on their POS devices, and even those that do find that AV alone is not enough to counter POS malware. Families with names like PoSeidon, POS Pro and POSCardStealer tend to play out very similarly: the malware scrapes card data from the memory of the payment application (where it is handled in the clear unless point-to-point encryption is in use), often adds a keylogger, and establishes command-and-control communication back to the adversary's infrastructure to exfiltrate the stolen card numbers and keystrokes. New Europay, MasterCard and Visa (EMV) chip-enabled cards make it harder to profit from stolen card data: the chip generates a unique cryptogram for every transaction, so data captured from a chip transaction cannot be used to clone a working card. But EMV will not prevent breaches. The card number itself can still be read from POS memory, and it remains usable for online (card-not-present) fraud.
Online retailers tend to have more security tools at their disposal since they were built from the ground up in the digital age. Encryption, two-factor authentication, TLS certificates and firewalls all help prevent the theft of credit card numbers and other personally identifiable information (PII). Consumers can also help protect their own data with strong passwords, AV protection and timely updates of the operating systems and software on their devices. Still, attacks on online shopping sites can and do happen. The retail section of the 2016 Verizon Data Breach Investigations Report finds that 45 percent of security incidents in the retail sector involved Denial of Service (DoS) attacks; these do not steal data by themselves, but they can take a storefront offline for days during the busiest weeks of the year. Another 26 percent of retail breaches involved web application attacks, typically using credentials stolen by keyloggers to take over accounts and conduct fraudulent transactions.
Regardless of the attack vector, once an intruder gains access to a retailer’s network they can remain undetected for long stretches of time, continuing to capture more data and wreak more havoc. Target, Home Depot, Neiman Marcus and Eddie Bauer can attest to this.
So what can retailers do? Threat intelligence based on a combination of external and internal data can help retailers detect the presence of malware and other malicious activity on their network so that they can take action more quickly and mitigate damage.
It starts with gathering external threat data, usually compiled from multiple feeds: commercial sources, open source feeds and the feeds supplied by your existing security vendors. Global threat data lets you see activity happening outside your enterprise, not only the attacks themselves but how attackers operate and infiltrate networks. This data arrives from disparate feeds in disparate formats (STIX, CSV, vendor-specific JSON, plain-text block lists), so it needs to be gathered into one manageable location, translated into a uniform format and de-duplicated before you can use it.
Now that you have global threat data that you can use, you need to enrich and augment it with internal data. Only then will you have enough intelligence to know that you’ve been breached and how to deal with it most effectively.
Internal data includes, but is not limited to, threat and event data from your security information and event management (SIEM) system, log management repository and case management systems. By correlating events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, you can get a broader picture of not only what has happened but who may have done it and even how. And that information can help you anticipate what may happen next.
The combination of external and internal data will help you determine what you need to care about given your environment. That is extremely important in light of the shortage of skilled security professionals and a phenomenon called ‘alert fatigue’ (getting overwhelmed by the volume of alerts from SIEMs, ticketing systems and other security technologies). Most organizations don’t have enough resources to cut through the noise and identify what is actually happening in their environment. Relevant and contextual intelligence helps you focus on what matters most.
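The pipeline described in the last four paragraphs (aggregate disparate feeds, normalize them, correlate with internal events, then prioritize what matters in your environment), shown as an added Python example. This is not code from the original post or from any vendor product. The two feed layouts, the firewall and proxy log lines, the network-segment names, the hostnames and IP addresses (drawn from RFC 5737 test ranges) and the scoring weights are all constructed assumptions; in practice the feeds would come from STIX/TAXII or vendor APIs and the events from your SIEM.

```python
"""Added example: normalise two constructed threat feeds, correlate them with
constructed internal logs, and rank the matches. Feed formats, log layout,
hostnames, IPs and scoring weights are assumptions, not the post's own code."""
import csv
import io
import json
import re
from collections import defaultdict

# Hypothetical commercial feed A: CSV, confidence 0-100, space-separated tags.
FEED_A_CSV = """indicator,type,confidence,tags
203.0.113.10,ipv4,90,pos-malware c2
198.51.100.7,ipv4,40,scanner
"""

# Hypothetical open-source feed B: JSON, score 0.0-1.0, list of labels.
FEED_B_JSON = json.dumps({"indicators": [
    {"value": "Update-Check.example.net", "kind": "fqdn", "score": 0.8,
     "labels": ["keylogger", "exfil"]},
    {"value": "203.0.113.10", "kind": "ip", "score": 0.6, "labels": ["c2"]},
]})

# Constructed internal events: firewall and proxy logs from two segments.
INTERNAL_LOGS = """\
2016-11-28T02:14:05Z fw segment=pos-lane src=10.20.1.15 dst=203.0.113.10 dport=443 action=allow
2016-11-28T02:14:06Z fw segment=pos-lane src=10.20.1.15 dst=203.0.113.10 dport=443 action=allow
2016-11-28T02:20:11Z proxy segment=corp user=jdoe host=update-check.example.net status=200
2016-11-28T03:01:44Z fw segment=corp src=10.50.3.9 dst=198.51.100.7 dport=22 action=deny
2016-11-28T03:02:00Z proxy segment=corp user=asmith host=www.example.com status=200
"""

# Map each feed's own type vocabulary onto a single internal one.
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "fqdn": "domain", "domain": "domain"}


def normalize_feed_a(text, source="feed_a"):
    """Feed A rows -> uniform indicator dicts."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"type": TYPE_MAP[row["type"]], "value": row["indicator"].strip().lower(),
               "confidence": int(row["confidence"]), "tags": set(row["tags"].split()),
               "source": source}


def normalize_feed_b(text, source="feed_b"):
    """Feed B objects -> the same uniform shape (score rescaled to 0-100)."""
    for ind in json.loads(text)["indicators"]:
        yield {"type": TYPE_MAP[ind["kind"]], "value": ind["value"].strip().lower(),
               "confidence": round(ind["score"] * 100), "tags": set(ind["labels"]),
               "source": source}


def merge_indicators(*streams):
    """Same indicator seen in several feeds -> one record: highest confidence
    wins, tags and sources are unioned (the de-duplication step)."""
    merged = {}
    for ind in (i for s in streams for i in s):
        m = merged.setdefault((ind["type"], ind["value"]),
                              {"type": ind["type"], "value": ind["value"],
                               "confidence": 0, "tags": set(), "sources": set()})
        m["confidence"] = max(m["confidence"], ind["confidence"])
        m["tags"] |= ind["tags"]
        m["sources"].add(ind["source"])
    return merged


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """'<ts> <device> k=v k=v ...' -> dict (assumed log layout)."""
    ts, device, rest = line.split(" ", 2)
    event = {"ts": ts, "device": device}
    event.update(KV_RE.findall(rest))
    return event


def observables(event):
    """The (type, value) pairs in an event that could match an indicator."""
    if "dst" in event:
        yield ("ip", event["dst"])
    if "host" in event:
        yield ("domain", event["host"].lower())


# Assumed weighting: anything touching the POS lanes matters twice as much.
SEGMENT_WEIGHT = {"pos-lane": 2.0, "corp": 1.0}


def correlate(indicators, log_text):
    """Group internal events by the external indicator they match."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        for key in observables(event):
            if key in indicators:
                hits[key].append(event)
    return hits


def prioritize(indicators, hits):
    """Score = confidence x agreeing feeds x segment weight x successful
    connections. Matches blocked at the perimeter never reach the queue."""
    ranked = []
    for key, events in hits.items():
        allowed = [e for e in events if e.get("action") != "deny"]
        if not allowed:
            continue
        segments = {e.get("segment", "unknown") for e in allowed}
        ind = indicators[key]
        score = (ind["confidence"] * len(ind["sources"])
                 * max(SEGMENT_WEIGHT.get(s, 1.0) for s in segments) * len(allowed))
        ranked.append({"value": ind["value"], "type": ind["type"], "score": score,
                       "segments": segments, "tags": sorted(ind["tags"]),
                       "sources": sorted(ind["sources"]), "hits": len(allowed)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def run():
    indicators = merge_indicators(normalize_feed_a(FEED_A_CSV), normalize_feed_b(FEED_B_JSON))
    return prioritize(indicators, correlate(indicators, INTERNAL_LOGS))


if __name__ == "__main__":
    for r in run():
        print(f"{r['score']:6.0f} {r['type']:6} {r['value']:26} "
              f"segments={sorted(r['segments'])} sources={r['sources']} tags={r['tags']}")
```

Run stand-alone, the script puts the POS-lane beacon to 203.0.113.10 at the top (two feeds agree on it, two allowed connections from a register), the keylogger exfiltration domain seen from a corporate workstation second, and never shows the analyst the scanner IP whose connection the firewall already denied. That last rule, together with the segment weighting, is the "what you need to care about given your environment" step: the same external indicator is urgent in one segment and noise in another.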
Let’s make sure adversaries don’t hack away at holiday cheer. Threat intelligence that incorporates external and internal data can go a long way toward helping you mitigate breaches during the holiday shopping frenzy.