IGLOO's Press

マスコミに報道されたイグルーコーポレーションの最新ニュースです。

Security Monitoring Standing at the Forefront of Cyber Attacks

2016.11.15

1,397

Due to a recent news story that a major conglomerate in S. Korea suffered from a financial damage amounting to several millions of US dollars by an email-hacking trading fraud, so to speak, a ‘scam’, alerts to cyber threats targeting major organizations and corporations have been heightened. According to Korean National Police Agency, more than 150 email-hacking trading frauds occurred last year, and until April this year, more than 40 damaging incidents have already been reported, shockingly.

 

Along with email-hacking trading frauds, ransomeware attacks that encrypt important documents and business secrets, and request money as a reward for decrypting them is also increasing further. Many security experts predict that since hackers make significant monetary profits using ransomeware, there will be more advanced ways of attacking, taking advantage of this trend as a growth momentum to target corporations beyond individuals.

 

As we have witnessed in the aforementioned episode, security threats aiming at corporations, and organizations by employing long-term attacks have progressed towards retrieving more information, thus inflicting more financial losses. Indeed, according to the cyber attack stats that an Italian security expert, Paolo Passeri, published in his blog, hackmageddon.com, April this year, the motives of cyber attacks are cyber crimes(73.9%), hacktivism(12.0%), and cyber espionage(3.3%), in order, and from this, we may know that cyber crimes cover a large portion amongst them.

 

 

▲ Cyber Attack Motives (Source: hackmageddon.com)


As the alerts towards cyber threats to major organizations and corporations have increased, efforts to cope with numerous security threats through the introduction of new security technology solutions have been accelerated. Typical examples are preventing the leakage of inside information via preemptive controls over leakage routes at end points or in the network end, or encrypting important documents of a corporation.

 

However, despite the introduction of security solutions armed with new technologies, cyber attacks on organizations and corporations have continually increased, and the size of damages resulting from such attacks is also on the rise. According to the report that Ponemon Institute published after surveying American corporations from 2009 to 2015, although the average cost spent on grappling with cyber attacks per corporation has increased 82% from 1.9million dollars in 2009 to 65million dollars in 2015, the scale of damages from cyber attacks has not decreased. It has rather increased 20% per annum.

 

Domestic security environments exhibit similar trends. After the 3.20 Cyber Terror that took place in 2013, many corporations and organizations checked their information security levels and expedited establishing safe information security systems via procuring a variety of new security equipment. However, a voice came out criticizing that those are only short-term measures as large-scale cyber attacks, such as the inside material leakage from Korea Hydro & Nuclear Power(KHNP), have continually occurred.

 


 The Importance of Security Monitoring to Counteract Advanced Security Threats


What would be the reason that more security accidents are still happening in the teeth of the introduction of security solutions loaded with new capabilities and high performance?

 

First, we may locate problems in that a significant number of corporations keep passive and limited defense strategies only concentrated on the warning basis. Because they focus on warnings only alerted from outside to inside without securing visibility over a corporation’s IT environment, there must be limitations in detecting behaviors of an intelligent attacker who changes intrusion routes frequently, disguises oneself as an employee, and moves across internal systems of a corporation over several months to find vulnerable points. It is like an intruder is already inside, yet only trying to keep the doors locked.

 

Also, the fact that standardized security monitoring processes were not established was pointed out as a problem. Advanced cyber attacks are a wrestle with time. If a series of reactive processes, which range from information collection to analysis, response to an accident, reports, and follow-ups, are not established, there is a potential risk that damages caused by an attack may spread further due to the inability to counteract speedily despite the detection of the attack.

The corporations and organizations capable of establishing a set of reactive processes independently are very rare. For there are a lack of real situation experiences gained from the forefront of cyber attacks as well as difficulty to conduct reactive exercises continuously due to the budget issue.

 

Above all, we should pay attention to the point that it is difficult to acquire proved professional human resources able to do the complete spectrum of security solution operations and managements, detections/analyses/response, and preemptive tasks. The intervening by such people equipped with professional ability, knowledge, and experience is necessary by all means to perceive an event raised from security systems along with any abnormal symptoms and accurately determine whether it is a threat or not.

 

However, realistically, it is true that there are limitations imposed for all corporations with regard to collecting and analyzing large-sized security data efficiently as well as acquiring professional human resources who are able to preemptively act against security threats.

 

From this point of view, the demand for security monitoring services that act as an agent for operation and management of information protection systems to monitor for 24x365 to keep the internal IT infra of corporations and organizations from being exposed to security threats and to immediately counteract in case of discovering any hazardous factor.

 

This is for securing visibility across an entire corporation based upon accumulated experiences and professional knowledge over many years, resolving complexity of security managements, and making a fast and accurate decision against threats. In this regard, let us take a time to get to know the areas and types of security monitoring services and core building blocks.

 

 

- Status of Designated Professional Security Monitoring Enterprises in S. Korea (Source: Korea Internet & Security Agency)

 

 1

 IGLOO SECURITY

 8

 Wins

 2

 ICT Intelligent Security

 9

 Lotte Data Communication

 3

 Ahnlab

 10

 A3 Security

 4

 Korea Electric Power Knowledge Data Network

 11

 SecureOne

 5

 CyberOne

 12

 Hansol NexG

 6

 SK Infosec

 13

 POSCO ICT

 7

 UNET system

 14

 KT DS

 

 

 

The Core Work Areas and the Offering Types of Security Monitoring


Generally, depending upon the work nature, security monitoring works are largely categorized into 3 areas.

 

First, it is the ‘Operation and Management’ work, which includes a set of activities such as diagnosing system faults, checking histories, and checking the compliance with security regulations. Required is the ability to frequently manage and properly operate diverse security equipment to see whether or not various security equipment are properly operating for the IT environment of a corporation and whether or not policies are correctly configured. Of course, knowledge as per different security equipment such as firewalls, IDS, IPS, UTM, WAF, and DDoS counteracting equipment as well as usage experiences, and knowledge of latest security regulations should be underpinned.

 

Second, it is the work of ‘detections/analyses/counteractions’ that detects behaviors of an attacker quickly and decides priority issues, threat elements, and accidents quickly as well to counteract. As much as attacks are getting intelligent and diverse nowadays, the ability to check the flow of information across overall networks faster and more accurately to identify different threats, and to counteract accordingly are required. Intrusion incidents, receiving emails including malicious codes/links, leakages of inside information, and DDoS attacks against corporations correspond to this category.

 

Third, it is the ‘preventive’ work to prevent occurrences of accidents and minimize damages by counteracting nimbly in case of an occurrence. Its primary focuses are to increase defense capabilities against advanced threats and to improve awareness of information security to employees such as checking vulnerable points of servers, applications, networks, and software to swiftly counteract both known and unknown threats, updating latest threat information such as harmful IPs, and malicious URLs, and performing mock exercises for the employees.

 

Security monitoring tasks can also be categorized in accordance with reactive processes. Generally, it is divided into 4 steps: ▲‘Information Collection Process’, which gathers various security data from disparate security equipment ▲‘Monitoring/Analysis Process’, which analyzes intrusion incidents and hacking patterns following alarms alerted and cross-examines the security data created from various equipment and the latest security threat information collected from inside and outside ▲‘Response/Actions Process’, which prepares causes and counteractive measures with regard to events determined as attacks, and then performs counteractions ▲‘Report Process’, which organizes the results of processing intrusion incidents and faults, and forwards them to the relevant departments.


Generally, security monitoring services can be roughly categorized into 3 patterns according to the types of service offered, considering the attributes of customers. ▲‘Remote Monitoring’, the type that remotely operates and manages security systems of customers from the monitoring center, hence showing excellence in cost efficiency ▲‘Dispatch Monitoring’, which enables immediate reactions in times of intrusions/faults by having security monitoring staff always stay at the customer premise. ▲‘Hybrid Monitoring’, which remotely monitors ordinarily, but dispatch its fleet quickly in times of intrusion or faults to counteract.

 


Core Building Blocks of Security Monitoring - Organic Combination of Systems, Processes, and Fleets

 

As such, as the scopes and the types of security monitoring works broaden and refine, core building blocks of security monitoring such as monitoring systems, monitoring processes, and monitoring fleets reiterate changes likewise. ▲A Monitoring System that gathers a vast amount of security data from disparate information security systems at the boundaries of a corporation as well as each internal linkage point; ▲a Monitoring Fleet who searches and analyzes such collected data, verifies validity of attacks, and sets priorities of countermeasures; and ▲a Monitoring Process that minimizes damages by blocking and responding to attacks according to the priorities, must be prepared.

 

 

Security Systems That Become a Major Weapon of Security Monitoring


What’s required on priority is to set up an integrated monitoring environment that enables intuitive recognition at a glance of the flow of all the information by collecting security data gathered at each point end to one place. As it is possible that a security hole, which can endanger an entire corporation to a fatal threat by a trivial attack, can happen, it is necessary to monitor all events taking place, to spread any abnormal signs as soon as they are discovered, to check thoroughly to see if there is any vulnerable defense point, and to mend such a point if found.

In case of previous ESM solutions, in which inconveniences existed because they have to re-check the log of the corresponding security equipment while doing an analysis due to the fact that all logs were not collected in one place, recent security monitoring systems are evolving toward the type in which security data at the gigabyte level created from various disparate security equipment such as firewalls, IDS, IPS, UTM, WAF, and DDOS counteraction equipment can be collected and stored at one place, analyze them to detect vulnerable points and threat elements a step ahead, and react to such hazards. It is to reduce the activity time of attackers so as to prevent bigger damages occurring.

Especially, a number of noteworthy changes have been made in the aspect of implementing ‘correlation analysis’ function that analyzes a vast amount of security data created from disparate security equipment. Advancing from existing singular log analysis, it is the type in which the accuracy of monitoring is increased by collecting all logs, network data, and system events created from disparate security equipment, and analyzing them with threat information from both inside and outside collectively to verify the effectiveness of the attack.

 


Security Monitoring Processes That Play a Role as a Screw


‘Processes’ streamlined through continuous trainings are also considered to be an important element in establishing a security monitoring system. If not reacted to attacks quickly enough due to the lack of standardized monitoring processes, damages can be snowballing.

 

Security monitoring processes have been evolving to react to real attacks and crisis situations more nimbly from information collection to analysis, responding to incidents, reports, and follow-ups. Typical examples are to check monitoring rule sets and response processes via continuous mock exercises of counteractions similar to real environments, to check whether or possible to collaborate with related organizations and to jointly react, and check if the roles are clearly defined for officers in each stage.

 

 

Security Fleets Capable of Nimbly Reacting to Advanced Attacks


The security fleet to counteract to advanced cyber attacks more nimbly is also an indispensable core building block in security monitoring. Since security equipment just triggers alarms, and not analyze them by themselves, professional security fleets, in addition to checking alarms, are required to accurately analyze whether they are attacks or not, and if they are attacks, to determine exactly which attack is more hazardous, to be followed by necessary counteractions.

Hence, major security monitoring service enterprises such as IGLOO SECURITY regularly conduct combined mock exercises based upon education and scenarios for latest intelligent threats. It is to secure professionals who have the insights for the correlation between the security events, and to respond to the present threats as well as potential future threats.

 


 Must Stave Off Cyber Threats Getting Intelligent Daily by Establishing Preemptive Security Monitoring Systems

 

‘1:29:300’

 

It is Heinrich’s theory that in a workplace, for every accident that causes a major injury, there are 29 related accidents that cause minor injuries and prior to that, more than 300 minor signs. Information security field is also no exception to this theory. As cyber attacks that started as simple viruses at the beginning are getting more diverse and refined, slipping a single abnormal behavior may cause a massive damage such as an entire corporation's infra getting down or a leakage of highly important information.

 

Today’s cyber threat that gets intelligent day by day requires establishing a security monitoring system that organically integrates a monitoring system, a monitoring process, and a monitoring fleet. To secure visibility of the threats aiming at corporations’ IT environments, and to build an intelligent security monitoring system capable of swiftly counteracting to attacks via analyzing a vast amount of security data seems an undeniably indispensable requirement, which affects heavily on the growth and long-lasting existence of corporations.