
Verizon 2016 DBIR – Incident Pattern Monitoring

by Megan Daudelin
May 18, 2016

The Verizon Data Breach Investigations Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that organizations can use to check themselves against the common threats described in the Verizon DBIR. As in previous years, the 2016 DBIR notes that the vast majority of all attacks fall into a few basic patterns. Throughout this and past years' reports, suggestions are given for monitoring the network for each of these patterns. Based on best practices described in the DBIR, the Incident Pattern Monitoring ARC can assist an organization in monitoring its network for indications of common attack patterns and thus reduce the chances of a data breach.

Failing to monitor a network for vulnerability and patch management leads to a greater risk of compromised systems. Employing a multi-layered defense strategy across all endpoints provides the best protection against intrusions or attacks. Internet-facing assets, including web servers and VPNs, need to be monitored to ensure that unauthorized users do not gain access to network resources. Systems must be adequately protected by antivirus so that critical systems are not left vulnerable to intrusions or attacks. Exploitable vulnerabilities and data leakage events must be addressed so that additional security risks are not introduced into the network. Organizations that do not continuously monitor and secure network defenses will not be able to respond to threats or defend network assets effectively.

This ARC assists organizations in improving security and network defense controls. Policy statements included within this ARC report on systems that have detected intrusion or botnet activity, data leakage events, or outdated antivirus software. Additional policy statements report on continuous activity, compliance checks, and virus events. Having complete visibility of network security allows organizations to proactively respond to threats, mitigate vulnerabilities, and take preventative measures before any serious damage occurs.

The information provided in this ARC establishes a baseline for measuring whether the information security policies an organization currently enforces are effective. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc Feed under the category Security Industry Trends.

The ARC requirements are:

  • Tenable.sc 5.3.1
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable.sc Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. Tenable.sc is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. The Nessus Network Monitor (NNM) performs deep packet inspection to enable discovery and assessment of operating systems, network devices, hypervisors, databases, tablets, phones, web servers, cloud applications, and critical infrastructure. The Log Correlation Engine (LCE) performs deep log analysis and correlation to continuously discover and track systems, applications, cloud infrastructure, trust relationships, and vulnerabilities. By integrating with Nessus, NNM, and LCE, Tenable.sc CV’s continuous network monitoring is able to detect events and vulnerabilities across the enterprise.

The following policy statements are included in this ARC:

No systems are communicating with known botnets or command-and-control servers: This policy statement displays the ratio of systems detected interacting with known botnets to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Tenable.sc receives a daily updated list of IP addresses and domains that are participating in known botnets. Using this information, systems on the network that interact with known botnets can be detected. Any systems interacting with known botnets should be investigated immediately by the organization to minimize security risks.

No systems have detected virus events: This policy statement displays the ratio of systems with virus-related activity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Activity related to viruses can be indicative of successful or attempted infections. This policy statement helps identify systems that may be infected. Any systems with virus-related events detected should be investigated to determine whether remediation is required.

At least 90% of systems have active and up-to-date antivirus software and definitions: This policy statement displays the ratio of systems with active and up-to-date antivirus protection to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. All systems should have active and up-to-date antivirus software installed to protect against malware infections. Organizations can use this information to identify and resolve antivirus software issues on systems.

At least 95% of systems have antivirus software installed: This policy statement displays the ratio of systems with antivirus software installed to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. All systems should have active and up-to-date antivirus software installed to protect against malware infections. Systems without antivirus protection or with outdated software should be reconfigured to ensure that current antivirus software is installed, running, and able to receive updates. Organizations can use this information to identify and resolve antivirus software issues on systems.

No systems with data leakage events communicate outside the network: This policy statement displays the ratio of systems that have reported data leakage events and communicate outside the network to all systems with data leakage events. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data leakage events from systems that are communicating outside the network could be indicative of an intrusion or other malicious activity. Such systems should be investigated immediately to ensure that the outside communication is not exfiltrating sensitive data from the network.

Less than 25% of compliance checks failed on Windows, Linux, Solaris, and Mac OS X machines: This policy statement displays the ratio of failed to total compliance checks across Windows, Linux, Solaris, and Mac OS X machines. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement helps an organization identify non-compliant systems so that outstanding compliance issues can be addressed.

No systems in the organization have exploitable vulnerabilities: This policy statement displays the ratio of systems with exploitable vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems with exploitable vulnerabilities can expose the network to increased risk of malicious activity and should be patched.

Less than 5% of systems report continuous activity: This policy statement displays the ratio of systems reporting continuous activity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Continuous activity is activity that occurred over a long period of time. The activity may be legitimate, or may be activity such as port scanning, server issues, repeated login failures, or potential malware activity. The organization should further investigate any systems with continuous activity.
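The eight policy statements above differ in what they count (systems versus compliance checks), what they divide by (all systems versus only the systems with leakage events), and which direction of the threshold is "green". The following added example, which is not Tenable's code and uses constructed host records with assumed field names, encodes each statement as a ratio plus a comparison and evaluates them over a small constructed inventory, including the empty-denominator case for the data leakage statement:

```python
from operator import ge, le, lt
# Constructed per-system records; the field names are assumptions for this
# illustration, not Tenable.sc's own data model.
DEFAULTS = dict(botnet_contact=False, virus_events=False, av_installed=True,
                av_current=True, leakage_events=False, external_comms=False,
                compliance_failed=0, compliance_total=0, exploitable_vulns=0,
                continuous_activity=False)

def host(name, **overrides):
    return {"name": name, **DEFAULTS, **overrides}

# (statement, numerator per host, denominator per host, comparison, threshold)
POLICIES = [
    ("No systems are communicating with known botnets or C2 servers",
     lambda h: h["botnet_contact"], lambda h: 1, le, 0.00),
    ("No systems have detected virus events",
     lambda h: h["virus_events"], lambda h: 1, le, 0.00),
    ("At least 90% of systems have active and up-to-date antivirus",
     lambda h: h["av_installed"] and h["av_current"], lambda h: 1, ge, 0.90),
    ("At least 95% of systems have antivirus software installed",
     lambda h: h["av_installed"], lambda h: 1, ge, 0.95),
    # Denominator is only the systems with leakage events, not all systems.
    ("No systems with data leakage events communicate outside the network",
     lambda h: h["leakage_events"] and h["external_comms"],
     lambda h: h["leakage_events"], le, 0.00),
    # A ratio of checks, not of systems: each host contributes its check counts.
    ("Less than 25% of compliance checks failed",
     lambda h: h["compliance_failed"], lambda h: h["compliance_total"], lt, 0.25),
    ("No systems have exploitable vulnerabilities",
     lambda h: h["exploitable_vulns"] > 0, lambda h: 1, le, 0.00),
    ("Less than 5% of systems report continuous activity",
     lambda h: h["continuous_activity"], lambda h: 1, lt, 0.05),
]

def evaluate_arc(hosts):
    """Return {statement: (ratio, passed)}; passed=True is a green result."""
    results = {}
    for text, num, den, cmp, threshold in POLICIES:
        n, d = sum(int(num(h)) for h in hosts), sum(int(den(h)) for h in hosts)
        ratio = n / d if d else 0.0  # empty denominator: nothing to flag, so green
        results[text] = (ratio, cmp(ratio, threshold))
    return results

SAMPLE = [  # constructed inventory of ten systems with a handful of findings
    host("ws01", compliance_failed=2, compliance_total=20),
    host("ws02", av_current=False, continuous_activity=True, compliance_failed=5, compliance_total=20),
    host("ws03", compliance_failed=1, compliance_total=20),
    host("ws04", av_current=False, leakage_events=True),
    host("srv01", exploitable_vulns=3, leakage_events=True, external_comms=True, compliance_failed=4, compliance_total=20),
    host("srv02", botnet_contact=True)] + [host(f"ws{i:02d}") for i in range(5, 9)]
```

Calling `evaluate_arc(SAMPLE)` turns the inventory into the same green/red verdicts the ARC displays, which is a convenient way to sanity-check customized thresholds before changing the policy statement parameters.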
