Tripwire recently hosted a webcast entitled “Hiding in Plain Sight: Protecting Against Bad Hashes.” The presentation is led by Dave Meltzer and Dayne Cantu, Sr. Dave is Chief Research Officer at Tripwire, where he works with customers, partners, and industry experts to advance the state of the art in protecting Tripwire’s customers from the most sophisticated attackers in the world. Dayne is Senior Systems Engineer at Tripwire, where he is also the Federal Systems Team Leader. Together, they use Tripwire’s most recent webcast to discuss the importance of validating the integrity and identity of files and patches before they are incorporated into one’s network environment.
As the recent breaches at the Office of Personnel Management, the Internal Revenue Service, and more recently the anti-virus firm BitDefender illustrate, attackers are more focused than ever on gaining unauthorized access to organizations in order to steal sensitive corporate and customer information. One tactic that malicious actors commonly employ is concealing malware within seemingly safe patches and updates. Such attacks are dangerous because a trojanized update can compromise an organization’s network without setting off any red flags, which widens the gap between the time of compromise and the time the intrusion is detected. Indeed, the 2015 Verizon Data Breach Investigations Report shows that this gap between compromise and detection has been growing over the past decade, although 2014 reported a lower value than previous years.

Given the evolving threat landscape, it is more important than ever for security professionals to be able to protect their organizations’ networks against concealed threats. But how do they go about doing this?

The answer rests with detecting a threat based on its observable artifacts and malicious behaviors, such as the hash of a known-bad file, ARP spoofing, anomalous permission changes, and attempts to change DNS servers or IP routing. These observables are known collectively as “Indicators of Compromise” (IoC). As Dave explains in the webcast, more and more organizations are building threat intelligence programs that analyze IoC. Moreover, they are adopting standards such as TAXII, STIX, and CybOX that facilitate the sharing of threat intelligence across and between organizations.

One shortcoming that remains, however, is that human analysts still need to consume any threat intelligence that is received and then decide what to do with it. Ideally, security professionals could automate that step in the process. This is where active threat intelligence solutions such as Tripwire Enterprise come in.
Via threat integrations with Palo Alto, Cisco, Check Point, and other partners, Tripwire Enterprise has the ability to receive manual and automated threat feeds through a number of different intelligence transport configurations, including TAXII servers and sandbox threat analytics. Additionally, features that let organizations build their own detection rules and scan for different hash types (for example MD5, SHA-1, and SHA-256 digests delivered by different feeds) ensure maximum customization, which in turn provides up-to-date threat intelligence that can be used to record, quarantine, and delete suspicious files.
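To make the hash-matching idea concrete, here is an added example (not code from the webcast or from Tripwire Enterprise) of the two checks the post describes: matching files on disk against an IoC feed that mixes digest types, and verifying a downloaded patch against a vendor-published SHA-256 before it is installed. The feed format (`hash,comment` lines), the file names, and the file contents are all constructed for the example; the digests in the feed are derived from that constructed content and are not real malware hashes.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Digest type inferred from hex length: feeds rarely label which algorithm
# they used, so a scanner has to accept all three and compare per type.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Normalise a hex digest to lowercase and work out which algorithm produced it."""
    digest = value.strip().lower()
    algo = HASH_LENGTHS.get(len(digest))
    if algo is None or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"unrecognised hash value: {value!r}")
    return algo, digest


def load_ioc_feed(lines):
    """Parse 'hash[,comment]' lines (a constructed feed format) into {algo: {digest: comment}}."""
    feed = {"md5": {}, "sha1": {}, "sha256": {}}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, _, comment = line.partition(",")
        algo, digest = classify_hash(value)
        feed[algo][digest] = comment.strip() or "unlabelled indicator"
    return feed


def hash_file(path, algos=("md5", "sha1", "sha256"), chunk=1 << 16):
    """Compute every requested digest in a single streaming pass over the file."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_directory(root, feed):
    """Return (path, algo, comment) for every file whose digest appears in the feed."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        for algo, digest in hash_file(path).items():
            if digest in feed[algo]:
                hits.append((str(path), algo, feed[algo][digest]))
    return hits


def verify_patch(path, expected_sha256):
    """Integrity check for a downloaded patch against the vendor-published SHA-256."""
    actual = hash_file(path, algos=("sha256",))["sha256"]
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def run_demo():
    """Constructed scenario: one genuine patch and one planted file that matches the feed."""
    bad = b"constructed payload standing in for a trojanised update\n"
    good = b"constructed contents of a legitimate vendor patch\n"
    feed = load_ioc_feed([
        "# constructed IoC feed mixing digest types from different sources",
        hashlib.sha256(bad).hexdigest() + ",trojanised update (sha256 from sandbox)",
        hashlib.md5(bad).hexdigest() + ",same sample, md5 from an older feed",
        "DEADBEEF" * 5 + ",unrelated sha1 indicator that should not match",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "update-1.2.3.bin").write_bytes(good)
        (Path(tmp) / "hotfix.bin").write_bytes(bad)
        hits = scan_directory(tmp, feed)
        # The vendor's published hash is, for the example, the hash of the good file.
        published = hashlib.sha256(good).hexdigest()
        genuine_ok = verify_patch(Path(tmp) / "update-1.2.3.bin", published)
        planted_ok = verify_patch(Path(tmp) / "hotfix.bin", published)
    return hits, genuine_ok, planted_ok


if __name__ == "__main__":
    hits, genuine_ok, planted_ok = run_demo()
    for path, algo, comment in hits:
        print(f"IoC match [{algo}] {path}: {comment}")
    print("genuine patch verifies:", genuine_ok)
    print("planted file verifies:", planted_ok)
```

Two caveats a practitioner should keep in mind. Hash matching only catches a file that is byte-for-byte identical to a known sample, so a feed is a complement to, not a replacement for, the behavioural indicators mentioned above. And because MD5 and SHA-1 are no longer collision resistant, an attacker can engineer two files with the same digest; treat a match on those types as a detection signal, but use SHA-256 (and ideally a vendor signature) when the question is whether a patch is genuine.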
We all know that most organizations are working to avoid becoming the next breach victim. But the sophistication of the threats confronting enterprises today means that security is not as simple as running anti-phishing awareness campaigns. Security personnel need to stay on top of what is coming into an organization’s network. For that purpose, they need threat intelligence solutions that actively and continuously scan corporate networks for indicators of compromise.

To learn more about how Tripwire Enterprise can protect your organization, please click here and here.

To view the entirety of Tripwire’s most recent webcast, please click here.