Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Verizon 2016 DBIR - Network and Host Security

by Cody Dumont
May 18, 2016

Verizon 2016 DBIR - Network and Host Security Dashboard Screenshot

The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that organizations can use to check themselves against the common threats described in the Verizon DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, best practices are noted for each pattern that can assist in thwarting the attacks. By monitoring Never Before Seen (NBS) events, anomaly tracking, and other log correlation events, this dashboard provides analysts with detailed information to help them be aware of potentially malicious events to protect the organization.

While researching components for this dashboard, the Tenable.sc Research team also reviewed the Mandiant M-Trends 2016 report. The M-Trends report describes several trends that should be monitored. The trends identified in both reports include destructive attacks on the organization, exfiltration of personally identifiable information, and focused attacks on network devices. The M-Trends report suggests gaining a good understanding of the organization’s threat landscape. To fully understand the threat landscape, the organization must be able to identify areas of risk and Internet-facing points of entry into the organization. Some questions for the organization to consider are:

  • How can the attacker gain access to customer data or sensitive business information?
  • How can the attacker maintain access?
  • What is the timeline to the attack and our response?
  • Was data stolen and what is the significance?
  • Could the incident be contained?

Analysts using this dashboard can assist the organization in answering those questions during the incident response investigation. Organizations that use Tenable’s Log Correlation Engine (LCE) are able to process and normalize data from Tenable’s Nessus Network Monitor (NNM). The data correlated by LCE and NNM, along with data gathered from LCE clients, provide security teams with the ability to identify and track malicious activity throughout the organization. Additionally, by conducting daily active scans with Nessus, the organization can detect and track changes to compromised systems.

The M-Trends and DBIR both describe the importance of monitoring sources of user account authentication. By monitoring outsourced service provider logins, VPN logins, wireless authentications, and user authentication sources, the organization can more effectively monitor user activity and identify potential issues. This dashboard provides several components that focus on these account-centric events so analysts can be aware of the connections entering and leaving the organization.

Tenable provides several threat indicators such as AutoRun monitoring, potential malicious Windows persistence mechanisms, suspicious process detection, botnet tracking, malicious URL tracking, and event-based threatlist monitoring. This dashboard contains components based on traffic flow analysis and alerts analysts to active ports to be aware of potentially new capabilities within the organization. By taking a continuous monitoring approach, the data presented to analysts can assist in data breach investigations by monitoring for botnet activities, traces of malware, and threatlist analysis.

This dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Security Industry Trends. The dashboard requirements are:

  • Tenable.sc 5.3.1
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable.sc Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. Tenable.sc is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. The Nessus Network Monitor (NNM) performs deep packet inspection to enable discovery and assessment of operating systems, network devices, hypervisors, databases, tablets, phones, web servers, cloud applications, and critical infrastructure. The Log Correlation Engine (LCE) performs deep log analysis and correlation to continuously discover and track systems, applications, cloud infrastructure, trust relationships, and vulnerabilities. By integrating with Nessus, NNM, and LCE, Tenable.sc CV’s continuous network monitoring is able to detect events and vulnerabilities across the enterprise.

The following components are included in this dashboard:

  • Verizon DBIR - Top Network Connections: This component displays the top sessions collected using data collected from the Network Monitoring and Netflow collectors. The table uses the Connection Summary tool to identify the session between two hosts.
  • Verizon DBIR - Forensic Indicators: This component provides several indicators useful during a forensic investigation. Identifying threat information sources such as bot-net activity, forensic artifacts such as AutoRun settings, schedulers, and malicious processes provides the analyst with key methods to identify IOCs.
  • Vulnerabilities by Common Ports - Counting Hosts by Common Ports: This component contains six columns that enumerate the number of hosts with vulnerabilities on a specific port.
  • Indicators - Malicious Process Monitoring:This component takes many of the various detection technologies for botnets, malicious file hashes, anomalous network traffic, spikes in system logs and continuous scanning activity and places them into one spot.
  • Verizon DBIR - Network TCP Port Usage: This table provides a list of the top 100 TCP ports in use on the network. This table can be useful when monitoring network flows or establishing a baseline of traffic. Any new ports discovered should be investigated to determine their source and purpose.
  • Verizon DBIR - Indicator of Comprise (IOC) Events: This component provides indicators of normalized events that are known to be useful when looking for indications of compromise.
  • VPN Summary - User Summary: This table component presents the analyst with a User Summary of '*VPN*' events over the last 7 days.
  • VPN Summary - Logins from Unusual Sources: This table presents event data from the Tenable Log Correlation engine's VPN_Login_From_Unusual_Source event where the LCE has seen a VPN authentication occur from a source that is not normal for the user ID. Once the LCE determines a users 'Normal Source', it will alert on any unusual sources of logins for that user.
  • Event Trending By Type - NBS: This component provides a 7-day trend analysis of the Never Before Seen (NBS) events. The LCE tracks all normalized events that have occurred for each host. As new normalized events are logged for the host, the LCE will generate secondary events based on the event type. This is a core type of correlation performed by the LCE.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training