Penn State University network attack
Penn State’s College of Engineering revealed that it was the target of sophisticated cyberattacks that shut down its network.
An official at Penn State stated: “In fact, on an average day last year, Penn State alone repelled more than 22 million overtly hostile cyberattacks from around the world.” This is an interesting number; however, I would surmise they are counting connection attempts from perimeter source IP addresses that were blocked by general static firewall, VPN and IPS rules, the rules that stop the indiscriminate drive-by attacks blasting the whole Internet.
What may be more important is how many known abusive attackers are hitting their perimeter, how many are permitted through their firewalls, and how many of those are targeted attacks or return communication to an already compromised device. In our Security Operations Centers we find that an organization of similar size to the single College at Penn State needs to monitor over 250 million security events per day from internal and perimeter sources in order to discover the 3-5 actionable incidents per day that indicate a compromise. Those incidents have to be blocked in the kill chain within minutes to prevent the attack from continuing toward an ultimate breach or malicious event.
To put this into perspective, we find that on average an organization of this size is attacked by known abusive attackers more than 10,000 times per day, and roughly 3-5% of those communications are permitted through the firewalls of most organizations. Most organizations can’t or don’t block these communications because they have to keep certain ports open for normal business, or because they do not enforce strong perimeter security policies (or, in some cases, because their policy doesn’t match their configuration; sound familiar?). Of the 3-5% of permitted communications from known abusive attackers that we track for our clients, we discover on average 2-3 targeted attacks per day performing reconnaissance or staging, and 2-3 correlated events per week that are considered compromises.
Even with the best SIEM 2.x generation technology, finely tuned with advanced correlation and behavior algorithms, an organization will at best reduce the 250 million security events per day to roughly 100 suspicious threats per day that must be investigated to find the 3-5 events requiring immediate action. The further two-part challenge is: 1) who has a minimum of 20 trained security analysts in a SOC to monitor and investigate 100 suspicious threats per day, and 2) how do you react immediately to break the communication with the abusive attacker, quarantine the device, or disable the user account while you wait for your in-house remediation team or contracted forensic investigators to roll in?
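As an added illustration of the funnel described in the last three paragraphs (this is not code from the article or from Proficio): a small Python script that enriches constructed firewall log lines with a known-abusive address list, counts how many of those hits the firewall permitted, and flags the two patterns a SOC would act on, reconnaissance from a permitted abusive source and an internal host calling back to an abusive address. The log format, the address list, the internal range and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the article or any vendor product): threat-intel
enrichment and triage of perimeter firewall logs, simulating the funnel the
post describes: match log lines against a known-abusive address list, count
how many of those hits the firewall permitted, then surface two actionable
patterns: an external abusive source probing several internal host/port
pairs (reconnaissance), and an internal host repeatedly connecting out to
an abusive address (return communication with an already compromised device).
"""
from collections import defaultdict
import ipaddress
import re

# Constructed sample log in a simplified key=value format (not a real device
# format). All addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2015-05-15T02:14:07Z action=deny src=203.0.113.45 dst=192.0.2.10 dport=22 proto=tcp
2015-05-15T02:14:09Z action=deny src=203.0.113.45 dst=192.0.2.10 dport=23 proto=tcp
2015-05-15T02:14:11Z action=allow src=203.0.113.45 dst=192.0.2.10 dport=80 proto=tcp
2015-05-15T02:14:12Z action=allow src=203.0.113.45 dst=192.0.2.10 dport=443 proto=tcp
2015-05-15T02:14:13Z action=allow src=203.0.113.45 dst=192.0.2.11 dport=443 proto=tcp
2015-05-15T02:14:14Z action=allow src=203.0.113.45 dst=192.0.2.12 dport=8080 proto=tcp
2015-05-15T02:20:00Z action=allow src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2015-05-15T02:21:00Z action=deny src=198.51.100.8 dst=192.0.2.10 dport=3389 proto=tcp
2015-05-15T02:30:00Z action=allow src=192.0.2.55 dst=198.51.100.200 dport=443 proto=tcp
2015-05-15T02:31:00Z action=allow src=192.0.2.55 dst=198.51.100.200 dport=443 proto=tcp
2015-05-15T02:32:00Z action=allow src=192.0.2.55 dst=198.51.100.200 dport=443 proto=tcp
2015-05-15T02:40:00Z action=allow src=192.0.2.56 dst=198.51.100.9 dport=443 proto=tcp
"""

# Constructed threat-intel feed of "known abusive" networks (assumption: in
# practice this comes from commercial or open reputation feeds).
KNOWN_ABUSIVE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.200/32")]
# Assumed internal address space of the monitored organization.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def is_known_abusive(ip: str) -> bool:
    """True if the address falls inside any network on the abusive list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_ABUSIVE)


def parse(log: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def triage(events: list, recon_threshold: int = 3, callback_threshold: int = 3) -> dict:
    """Reduce raw events to counts plus a short list of actionable findings.

    The thresholds are assumptions for this example; a production SIEM would
    tune them to the organization's own traffic and business context.
    """
    inbound_total = inbound_allowed = 0
    targets_by_source = defaultdict(set)   # abusive src -> {(dst, dport)} it was allowed to reach
    callbacks = defaultdict(int)            # (internal src, abusive dst) -> allowed connection count
    for e in events:
        src_internal = ipaddress.ip_address(e["src"]) in INTERNAL
        if not src_internal and is_known_abusive(e["src"]):
            inbound_total += 1
            if e["action"] == "allow":
                inbound_allowed += 1
                targets_by_source[e["src"]].add((e["dst"], e["dport"]))
        elif src_internal and e["action"] == "allow" and is_known_abusive(e["dst"]):
            callbacks[(e["src"], e["dst"])] += 1

    findings = []
    for src, targets in sorted(targets_by_source.items()):
        if len(targets) >= recon_threshold:   # one abusive source touching several host/port pairs
            findings.append({"type": "recon", "actor": src, "action": "block source at perimeter"})
    for (src, dst), n in sorted(callbacks.items()):
        if n >= callback_threshold:            # repeated outbound contact with an abusive address
            findings.append({"type": "callback", "actor": src, "action": "quarantine host, then investigate"})

    return {
        "inbound_abusive_total": inbound_total,
        "inbound_abusive_allowed": inbound_allowed,
        "allowed_ratio": inbound_allowed / inbound_total if inbound_total else 0.0,
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(parse(SAMPLE_LOG))
    print(f"{result['inbound_abusive_allowed']}/{result['inbound_abusive_total']} "
          f"hits from known abusive sources were permitted")
    for f in result["findings"]:
        print(f"{f['type']:8} {f['actor']:15} -> {f['action']}")
```

On the constructed sample, 4 of the 6 hits from the abusive /24 are permitted (the sample is far too small to reproduce the 3-5% seen at scale), and the two findings map onto the immediate responses the post lists: blocking the source and quarantining the host. The point of the exercise is the ratio of raw lines to findings: every log line is processed, but only two rise to something an analyst must act on, and the traffic from the non-listed external addresses never reaches the analyst at all.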
In our view, most organizations just don’t have the capital, desire, or ability to staff and manage a 20-person (or larger) Security Operations Center to perform advanced SIEM management, 24×7 security event monitoring, and incident investigations. The answer today is to partner with a SOC-as-a-Service company that also offers SIEM-as-a-Service. These companies provide the world-class SOC services that organizations of all sizes need in order to compete with the large number of world-class threat actors.
We would also recommend looking beyond the traditional MSSP that provides general firewall management, toward the new generation of SOC-as-a-Service provider that offers advanced use-case correlation tuned to your business context and automated, active breach-prevention measures: breaking the communication with the abusive attacker, quarantining the device, or disabling the user account. This gives you visibility into your security posture, knowledge of who is attacking you and what they are targeting, and active defenses that buy you time to roll in the reinforcements.
By Brad Taylor, CEO, Proficio (www.proficio.com)
The opinions expressed in this post belong to the individual contributor and do not necessarily reflect the views of Information Security Buzz.