Protection at all stages of cyber attack
HPE solutions allow you to build a comprehensive system of defense against cyber attacks, including those implemented using fundamentally new ways to penetrate corporate systems.
Cyber ​​attacks are becoming more massive and sophisticated. One of the key reasons for the mass character of cyber attacks is their affordability. For example, in a report on the 2015 Cost of Cyber ​​Crime Study: Global , published in October 2015 by the Ponemon Institute with sponsorship from HPE, the average cost of a cybercrime in Russia is estimated at only 100-150 rubles, in dollars on average, it decreased from $ 3.33 in 2014 to $ 2.37 in 2015.
One of the main problems of the lack of effectiveness of protection against cyber attacks often lies in the fact that in most cases protection against attacks is fragmented, while not all risks are adequately taken into account. Experience shows that approximately 80% of the budgets allocated for the purchase of IS funds are spent on the acquisition and implementation of prevention tools to protect against intrusion into the network. For this, firewalls, IPS systems, various gateway solutions are installed. Protection against intruders' actions after penetration accounts for the remaining 20% ​​of the money spent on information security tools (IB). The key task of the information security service is to provide a holistic, comprehensive, uniform protection against attacks at all its stages, avoiding failures in defense.
Hewlett Packard Enterprise offers solutions proven by the international community to build such multistage protection against cyber attacks and very effectively minimize the damage they cause. In addition to extremely effective products, HPE also has a methodology for protection against hacker attacks. Creating on their basis a comprehensive protection of user information systems is the key task of HPE partners.
')
HPE's portfolio of solutions is built around the attacker's attack stages. The first stage is the collection of information about the victim: which IP addresses are used in the organization, which services are hosted, what protection measures are used, etc. The second stage of the attack is penetration, which can be performed using only technological means or using methods social engineering, for example, making phone calls to users or sending phishing messages to them. The third stage of the attack: the attacker penetrated into the organization's network and searches for data (for example, accounting or customer bases) that he could use to his advantage, for this he tries to penetrate into certain protected network segments. Fourth stage: the attacker penetrated the protected segment, installed malware on computers or network devices and tries to get the data he needs (by the way, if they are encrypted — and HPE has the right tools for that — then getting it is not so easy ). The last, fifth stage is sending data to remote computers controlled by a hacker, with a view to their further use (for example, selling to competitors or making public in order to undermine the reputation of the victim).
HPE has a Security Research division that analyzes threats and trends in information security. Every year, HPE Security Research publishes information security reports that present the most current and key trends in four areas:
For each of these areas, the Hewlett Packard Enterprise Security portfolio, a division that develops information security solutions, has its own products that solve the corresponding task groups. Total HPE portfolio has about four dozen security products.
The HPE ArcSight family of solutions contains technologies that perform the following tasks:
The ArcSight family includes more than a dozen different products. In Russia, it has been used since 2007. Users of ArcSight are about half of the Russian banks from the first hundred, almost all major telecommunications companies and about 15 out of two dozen leading event monitoring and incident management centers (Security Operation Center, SOC). ArcSight is also used in many Russian situational centers.
In our country, there are more than 200 certified experts on ArcSight (uncertified, probably ten times more). In addition, there is a certified training center, an ecosystem of HPE partners implementing ArcSight. So, for example, Solar Security uses the ArcSight family of products to provide information security services to its customers.
Another important reason for the popularity of this family of information security technologies is that, working with ArcSight, IT and information security professionals will be able to significantly improve their professional level, since the products of the ArcSight family have absorbed the experience of a huge number of customer organizations and their expert experience.
In addition to ArcSight, Hewlett Packard Enterprise Security offers the market a powerful family of solutions for complex protection of applications at the stage of developing source codes, their static analysis, and also for dynamic analysis of the integrity of protection systems of already compiled applications (HPE Fortify), as well as a set of intrusion prevention tools (Intrusion Prevention). System, IPS) and Network Threat Protection - HPE TippingPoint, as well as various encryption tools.
In this article, we will focus on three products of the ArcSight family - Enterprise Security Manager (ESM), DNS Malware Analytics (DMA) and User Behavior Analytics (UBA).
The functionality of HPE ArcSight ESM goes far beyond the traditional information security event management systems (SIEM), and, as experience with this product in Russia shows, it can be used to solve many different practical tasks. For example, it can be used to monitor financial transactions in banking systems, business scenarios in ERP systems, integrate into a single enterprise management console, etc. Often, ArcSight ESM is used in tasks related to risk management, including ensuring compliance with regulators .
However, most often ESM is used in systems aimed at detecting and repelling hacker attacks, as well as at preventing consequences from them. There are many cases of failures due to such malicious actions. Many of them could be prevented or prevented before causing noticeable damage by, first, checking the installed software for malicious codes and / or vulnerabilities and, second, continuously monitoring the behavior of software products in information systems. It is no secret that from the penetration of a hacker into the system before the start of serious malicious actions it can take a considerable time. Thus, according to the Ponemon Institute (see Figure 3), an average of one and a half months passes from penetration to suppression of the action of malicious codes, and about two months from the start of activity of malicious insiders to its suppression. During this time, it is quite possible to track with the help of ESM deviations in the behavior of programs and notify the system administrator.
ESM provides not only the collection of information security events, but also many other types of processing, including the analysis of the correlations of these events. ESM can also be viewed as a platform for automating security tasks, not only informational, but also physical: ESM can be used to monitor IT events that are not directly related to information security and to collect information about traditional threats and tools that confront them . Nothing interferes, for example, with tracking, KPI parameters of information security - appropriate logic can be put into the product. When collecting information from anti-virus systems, it is completely unimportant how many of their types are deployed in the enterprise. Nothing prevents you from tracking the situation in a heterogeneous environment of antivirals, while KPIs will be assessed uniformly, allowing you to analyze, not only the current situation, but also the one that took place, for example, a year or two ago - this can be useful for analyzing the dynamics of KPI and determining trends.
In addition, ESM can be used to protect against fraud by analyzing information from business applications, such as ERP systems. If the detection logic can be formalized, then in this case it will certainly be possible to lay it in the ESM.
ESM can use the HPE Vertica DBMS platform for storing and processing very large amounts of data, significantly speeding up the execution of search queries formulated by security analysts. The integration of ArcSight and Vertica can be used not only to monitor information security events, but also, for example, to track events in business processes that store data in Vertica, in particular, in order to prevent fraudulent activities. For system integration there is a special connector.
In September, at the annual conference of HPE Protect, a new converged hardware and software solution was announced - HPE ArcSight DMA, designed to monitor network traffic and analyze DNS domain name system queries in it. It quickly and accurately detects malware-infected servers, network and user devices, including workstations and mobile gadgets, analyzing DNS traffic in order to detect in real time "bad" packets moving between servers, network equipment and devices connected to networks. This gives enterprises the ability to quickly defend themselves against new, previously unknown threats — this is important because they represent the greatest risk to business applications, systems, and data. Using DMA, users can identify threats without overloading the SIEM system with additional work on analyzing huge amounts of data from the DNS system logs.
At the core of DMA is an idea that, at first glance, seems to lie on the surface — one of HP Labs’s experts in information security expressed it: in almost all attacks on computer networks, DNS is used in one way or another (in particular, to ensure connectivity, transmission commands or tunneling data transmitted by cybercriminals), and if you teach a computer system to recognize DNS queries, it will be able to identify those that may be relevant to hacker attacks.
An experimental model of such a system was created at HP Labs and deployed at HP SOC, the IS incident management center located in California, which collects and analyzes information about IB events from 365,000 HP and HPE employees. In the course of more than a year of running-in, the system was trained and after reaching the required level of maturity, it was released to the market as an independent product - DMA. Patterns and bases for analysis come from HPE.
The customer of the product has at its disposal a web interface that displays a visualized picture of network activity and highlights components with suspicious activity. In fact, it implements the concept of a “red button”, which makes it possible to detect hacker attacks without making any effort on the part of the user - they are required to repel and prevent attacks, but not to track their beginnings.
A very important feature is product scalability. HPE SOC processes about 20 billion DNS requests daily — traffic that is commensurate with the traffic of large telecommunications companies, indicating an unusually high scalability.
Working with traditional SIEM-systems, IS specialists usually act as follows: they take signs of a known incident, lay them in the form of correlation logic, and then follow these rules to monitor data streams. If signs of an incident are detected, an alert or notification of the duty administrator is initiated, after which the incident is processed manually or automatically. This approach (from the particular to the general) cannot always be applied, especially in cases where the signs of malicious activity cannot be identified in advance.
The approach embodied in HPE ArcSight UBA involves moving in the opposite direction: user accounts containing patterns of their typical behavior are built up for accounts and audit events, and then, in the course of monitoring events, atypical users' behavior during their work with applications and data is revealed.
The UBA product released in April 2015 allows analyzing any events related to user activity: access to databases, file directories, work with removable media, operations in corporate information systems (billing, payments, workflow, work with personal data), etc. In addition, UBA, based on ready-made mathematical models for activity profiling based on received events, allows for the grouping of single-type events (peer group analysis), the detection of anomalies (anomaly detection), profiles of user experience (baseline profiling), to determine the frequency of occurrence of the event (event rarity). Applying the results of the work of mathematical models to the problems of information security, UBA allows you to identify insiders, monitor privileged users, detect unusual activity in corporate systems (including “dormant accounts”, detect access to cards of VIP clients, etc.).
Importantly, UBA allows you to complement security events with information about the user, his work environment, job responsibilities, and other attributes. Even if the event contains only an IP address, you can use the UBA to determine the real name of the user associated with this event. Thus, UBA means you can create a “universal” user card in which all of its current attributes (dates of hiring and dismissal, position, division, region, etc.) and accounts in corporate systems will be automatically supported.
Based on this information, it is possible to identify various IS incidents, for example, to detect the activity of one of their users, markedly different from the activity of its colleagues. For example, an average bank operator opens documents for 20 clients per day. However, one of the operators opened documents to 200 clients. Such atypical user behavior - a good reason to think about what is happening? Why did this transaction officer take 10 times more documents than others? Maybe his boss got him some atypical work? Or was it the operative who was given the burden of a sick chief? Or, in preparation for the dismissal, the cashier began to copy information about the bank's customers to his media (or to take pictures on his phone)? The final conclusion can be made by conducting an internal investigation.
Another example: the amount of transactions performed on one of the products of a bank or telecom operator exceeds the normally observed values ​​for the calculated time intervals (hour of the day, day of the week, day of the month, month, weekend, etc.) - this is a reason to think whether this activity is hidden hacker or cheater insider.
In both cases, it is important that using UBA atypical user behavior, or you can identify and then learn what lies behind it.
Of course, the monitoring tools, with the help of which it was possible to track the behavior of users and programs and, having assessed the dynamics, to identify the atypical behavior of some of them, could have been earlier. The advantage of UBA is that using this tool has made it much easier. For example, trying to implement the functions of analyzing user behavior in traditional SIEM tools, we had to study a lot of regulations and job descriptions, but they often did not provide a complete or reliable picture of user behavior, because, firstly, not all employees strictly adhere to job descriptions, and - secondly, the regulations, as a rule, are not too deeply detailed, and the arrangement of priorities and accents in the regulations is usually impossible to see (in particular, it’s impossible to determine ak should look like the main activity of the employee in the organization in terms of information systems, with which it works). Using UBA, you can build profiles of user behavior by classifying them by job position and groups of duties, include in the list of monitored parameters any events relating to user behavior and reflected in the company's information systems, and then track deviations from typical behavior. What is important, in this way, it is possible to control not only internal users, but also external ones - for example, to quickly stop hacking into remote banking systems or illegally connect telecommunications companies to accounts.
However, as a rule, the largest losses are associated with the actions of insider attackers, and the higher the insider's position, the more damage he can inflict with his actions. Now HPE, together with the developers of leading ERP, CRM, SCM systems, is developing protection systems against insiders, reducing the risks of abuse of power, corruption, fraud, economic espionage, etc. In addition, HPE is willingly sharing with its partners organizations of various industries and sectors.
HPE ArcSight ESM, DMA UBA products can significantly minimize the risks that companies, their partners and customers could bear, significantly increasing the security of corporate systems and data. Most importantly, they help prevent damage from previously unknown threats and risks, timely detecting suspicious activities and helping to find gaps in IT systems. All of these products have emerged in response to new challenges in the field of information security, helping HPE customers to keep their business running smoothly and securely.
Types of attacks identified in 252 companies:
Source: Ponemon Institute, "2015 Cost of Cyber ​​Crime Study: Global", October 2015
The average cost of damage caused during the year as a result of exposure to cyber attacks:
Source: Ponemon Institute, "2015 Cost of Cyber ​​Crime Study: Global", October 2015
The average duration of attacks to suppress them (in days):
Source: Ponemon Institute, "2015 Cost of Cyber ​​Crime Study: Global", October 2015
Cyber ​​attacks are becoming more massive and sophisticated. One of the key reasons for the mass character of cyber attacks is their affordability. For example, in a report on the 2015 Cost of Cyber ​​Crime Study: Global , published in October 2015 by the Ponemon Institute with sponsorship from HPE, the average cost of a cybercrime in Russia is estimated at only 100-150 rubles, in dollars on average, it decreased from $ 3.33 in 2014 to $ 2.37 in 2015.
One of the main problems of the lack of effectiveness of protection against cyber attacks often lies in the fact that in most cases protection against attacks is fragmented, while not all risks are adequately taken into account. Experience shows that approximately 80% of the budgets allocated for the purchase of IS funds are spent on the acquisition and implementation of prevention tools to protect against intrusion into the network. For this, firewalls, IPS systems, various gateway solutions are installed. Protection against intruders' actions after penetration accounts for the remaining 20% ​​of the money spent on information security tools (IB). The key task of the information security service is to provide a holistic, comprehensive, uniform protection against attacks at all its stages, avoiding failures in defense.
Hewlett Packard Enterprise offers solutions proven by the international community to build such multistage protection against cyber attacks and very effectively minimize the damage they cause. In addition to extremely effective products, HPE also has a methodology for protection against hacker attacks. Creating on their basis a comprehensive protection of user information systems is the key task of HPE partners.
')
HPE's portfolio of solutions is built around the attacker's attack stages. The first stage is the collection of information about the victim: which IP addresses are used in the organization, which services are hosted, what protection measures are used, etc. The second stage of the attack is penetration, which can be performed using only technological means or using methods social engineering, for example, making phone calls to users or sending phishing messages to them. The third stage of the attack: the attacker penetrated into the organization's network and searches for data (for example, accounting or customer bases) that he could use to his advantage, for this he tries to penetrate into certain protected network segments. Fourth stage: the attacker penetrated the protected segment, installed malware on computers or network devices and tries to get the data he needs (by the way, if they are encrypted — and HPE has the right tools for that — then getting it is not so easy ). The last, fifth stage is sending data to remote computers controlled by a hacker, with a view to their further use (for example, selling to competitors or making public in order to undermine the reputation of the victim).
HPE has a Security Research division that analyzes threats and trends in information security. Every year, HPE Security Research publishes information security reports that present the most current and key trends in four areas:
- incident monitoring and response (including user behavioral analysis);
- source code analysis;
- network security;
- encryption.
For each of these areas, the Hewlett Packard Enterprise Security portfolio, a division that develops information security solutions, has its own products that solve the corresponding task groups. Total HPE portfolio has about four dozen security products.
The HPE ArcSight family of solutions contains technologies that perform the following tasks:
- collecting, consolidating and correlating information security incidents - HPE ArcSight Enterprise Security Manager / Express / Logger;
- integration with more than 350 event sources, as well as a convenient SDK for connecting any other systems - HPE ArcSight Smart / FlexConnectors;
- investigation and timely detection of threats using a large number of standard correlation rules and Compliance Insight Packages;
- behavioral analysis of all types of events - HPE ArcSight ThreatDetector; user behavior analysis - HPE ArcSight User Behavior Analytics to monitor the activity of internal intruders;
- subscribe to alerts on current information security threats to counter corporate intrusion and sensitive data leakage detection - HPE ArcSight Reputation Security Monitor;
- Centralized management of deployed HPE ArcSight infrastructure — HPE ArcSight Management Center;
- combat the shortage of human and time resources during incident investigation - HPE ArcSight Risk Insight.
The ArcSight family includes more than a dozen different products. In Russia, it has been used since 2007. Users of ArcSight are about half of the Russian banks from the first hundred, almost all major telecommunications companies and about 15 out of two dozen leading event monitoring and incident management centers (Security Operation Center, SOC). ArcSight is also used in many Russian situational centers.
In our country, there are more than 200 certified experts on ArcSight (uncertified, probably ten times more). In addition, there is a certified training center, an ecosystem of HPE partners implementing ArcSight. So, for example, Solar Security uses the ArcSight family of products to provide information security services to its customers.
Another important reason for the popularity of this family of information security technologies is that, working with ArcSight, IT and information security professionals will be able to significantly improve their professional level, since the products of the ArcSight family have absorbed the experience of a huge number of customer organizations and their expert experience.
In addition to ArcSight, Hewlett Packard Enterprise Security offers the market a powerful family of solutions for complex protection of applications at the stage of developing source codes, their static analysis, and also for dynamic analysis of the integrity of protection systems of already compiled applications (HPE Fortify), as well as a set of intrusion prevention tools (Intrusion Prevention). System, IPS) and Network Threat Protection - HPE TippingPoint, as well as various encryption tools.
In this article, we will focus on three products of the ArcSight family - Enterprise Security Manager (ESM), DNS Malware Analytics (DMA) and User Behavior Analytics (UBA).
HPE ArcSight Enterprise Security Manager
The functionality of HPE ArcSight ESM goes far beyond the traditional information security event management systems (SIEM), and, as experience with this product in Russia shows, it can be used to solve many different practical tasks. For example, it can be used to monitor financial transactions in banking systems, business scenarios in ERP systems, integrate into a single enterprise management console, etc. Often, ArcSight ESM is used in tasks related to risk management, including ensuring compliance with regulators .
However, most often ESM is used in systems aimed at detecting and repelling hacker attacks, as well as at preventing consequences from them. There are many cases of failures due to such malicious actions. Many of them could be prevented or prevented before causing noticeable damage by, first, checking the installed software for malicious codes and / or vulnerabilities and, second, continuously monitoring the behavior of software products in information systems. It is no secret that from the penetration of a hacker into the system before the start of serious malicious actions it can take a considerable time. Thus, according to the Ponemon Institute (see Figure 3), an average of one and a half months passes from penetration to suppression of the action of malicious codes, and about two months from the start of activity of malicious insiders to its suppression. During this time, it is quite possible to track with the help of ESM deviations in the behavior of programs and notify the system administrator.
ESM provides not only the collection of information security events, but also many other types of processing, including the analysis of the correlations of these events. ESM can also be viewed as a platform for automating security tasks, not only informational, but also physical: ESM can be used to monitor IT events that are not directly related to information security and to collect information about traditional threats and tools that confront them . Nothing interferes, for example, with tracking, KPI parameters of information security - appropriate logic can be put into the product. When collecting information from anti-virus systems, it is completely unimportant how many of their types are deployed in the enterprise. Nothing prevents you from tracking the situation in a heterogeneous environment of antivirals, while KPIs will be assessed uniformly, allowing you to analyze, not only the current situation, but also the one that took place, for example, a year or two ago - this can be useful for analyzing the dynamics of KPI and determining trends.
In addition, ESM can be used to protect against fraud by analyzing information from business applications, such as ERP systems. If the detection logic can be formalized, then in this case it will certainly be possible to lay it in the ESM.
ESM can use the HPE Vertica DBMS platform for storing and processing very large amounts of data, significantly speeding up the execution of search queries formulated by security analysts. The integration of ArcSight and Vertica can be used not only to monitor information security events, but also, for example, to track events in business processes that store data in Vertica, in particular, in order to prevent fraudulent activities. For system integration there is a special connector.
HPE ArcSight DNS Malware Analytics
In September, at the annual conference of HPE Protect, a new converged hardware and software solution was announced - HPE ArcSight DMA, designed to monitor network traffic and analyze DNS domain name system queries in it. It quickly and accurately detects malware-infected servers, network and user devices, including workstations and mobile gadgets, analyzing DNS traffic in order to detect in real time "bad" packets moving between servers, network equipment and devices connected to networks. This gives enterprises the ability to quickly defend themselves against new, previously unknown threats — this is important because they represent the greatest risk to business applications, systems, and data. Using DMA, users can identify threats without overloading the SIEM system with additional work on analyzing huge amounts of data from the DNS system logs.
At the core of DMA is an idea that, at first glance, seems to lie on the surface — one of HP Labs’s experts in information security expressed it: in almost all attacks on computer networks, DNS is used in one way or another (in particular, to ensure connectivity, transmission commands or tunneling data transmitted by cybercriminals), and if you teach a computer system to recognize DNS queries, it will be able to identify those that may be relevant to hacker attacks.
An experimental model of such a system was created at HP Labs and deployed at HP SOC, the IS incident management center located in California, which collects and analyzes information about IB events from 365,000 HP and HPE employees. In the course of more than a year of running-in, the system was trained and after reaching the required level of maturity, it was released to the market as an independent product - DMA. Patterns and bases for analysis come from HPE.
The customer of the product has at its disposal a web interface that displays a visualized picture of network activity and highlights components with suspicious activity. In fact, it implements the concept of a “red button”, which makes it possible to detect hacker attacks without making any effort on the part of the user - they are required to repel and prevent attacks, but not to track their beginnings.
A very important feature is product scalability. HPE SOC processes about 20 billion DNS requests daily — traffic that is commensurate with the traffic of large telecommunications companies, indicating an unusually high scalability.
HPE ArcSight User Behavior Analytics
Working with traditional SIEM-systems, IS specialists usually act as follows: they take signs of a known incident, lay them in the form of correlation logic, and then follow these rules to monitor data streams. If signs of an incident are detected, an alert or notification of the duty administrator is initiated, after which the incident is processed manually or automatically. This approach (from the particular to the general) cannot always be applied, especially in cases where the signs of malicious activity cannot be identified in advance.
The approach embodied in HPE ArcSight UBA involves moving in the opposite direction: user accounts containing patterns of their typical behavior are built up for accounts and audit events, and then, in the course of monitoring events, atypical users' behavior during their work with applications and data is revealed.
The UBA product released in April 2015 allows analyzing any events related to user activity: access to databases, file directories, work with removable media, operations in corporate information systems (billing, payments, workflow, work with personal data), etc. In addition, UBA, based on ready-made mathematical models for activity profiling based on received events, allows for the grouping of single-type events (peer group analysis), the detection of anomalies (anomaly detection), profiles of user experience (baseline profiling), to determine the frequency of occurrence of the event (event rarity). Applying the results of the work of mathematical models to the problems of information security, UBA allows you to identify insiders, monitor privileged users, detect unusual activity in corporate systems (including “dormant accounts”, detect access to cards of VIP clients, etc.).
Importantly, UBA allows you to complement security events with information about the user, his work environment, job responsibilities, and other attributes. Even if the event contains only an IP address, you can use the UBA to determine the real name of the user associated with this event. Thus, UBA means you can create a “universal” user card in which all of its current attributes (dates of hiring and dismissal, position, division, region, etc.) and accounts in corporate systems will be automatically supported.
Based on this information, it is possible to identify various IS incidents, for example, to detect the activity of one of their users, markedly different from the activity of its colleagues. For example, an average bank operator opens documents for 20 clients per day. However, one of the operators opened documents to 200 clients. Such atypical user behavior - a good reason to think about what is happening? Why did this transaction officer take 10 times more documents than others? Maybe his boss got him some atypical work? Or was it the operative who was given the burden of a sick chief? Or, in preparation for the dismissal, the cashier began to copy information about the bank's customers to his media (or to take pictures on his phone)? The final conclusion can be made by conducting an internal investigation.
Another example: the amount of transactions performed on one of the products of a bank or telecom operator exceeds the normally observed values ​​for the calculated time intervals (hour of the day, day of the week, day of the month, month, weekend, etc.) - this is a reason to think whether this activity is hidden hacker or cheater insider.
In both cases, it is important that using UBA atypical user behavior, or you can identify and then learn what lies behind it.
Of course, the monitoring tools, with the help of which it was possible to track the behavior of users and programs and, having assessed the dynamics, to identify the atypical behavior of some of them, could have been earlier. The advantage of UBA is that using this tool has made it much easier. For example, trying to implement the functions of analyzing user behavior in traditional SIEM tools, we had to study a lot of regulations and job descriptions, but they often did not provide a complete or reliable picture of user behavior, because, firstly, not all employees strictly adhere to job descriptions, and - secondly, the regulations, as a rule, are not too deeply detailed, and the arrangement of priorities and accents in the regulations is usually impossible to see (in particular, it’s impossible to determine ak should look like the main activity of the employee in the organization in terms of information systems, with which it works). Using UBA, you can build profiles of user behavior by classifying them by job position and groups of duties, include in the list of monitored parameters any events relating to user behavior and reflected in the company's information systems, and then track deviations from typical behavior. What is important, in this way, it is possible to control not only internal users, but also external ones - for example, to quickly stop hacking into remote banking systems or illegally connect telecommunications companies to accounts.
However, as a rule, the largest losses are associated with the actions of insider attackers, and the higher the insider's position, the more damage he can inflict with his actions. Now HPE, together with the developers of leading ERP, CRM, SCM systems, is developing protection systems against insiders, reducing the risks of abuse of power, corruption, fraud, economic espionage, etc. In addition, HPE is willingly sharing with its partners organizations of various industries and sectors.
* * *
HPE ArcSight ESM, DMA UBA products can significantly minimize the risks that companies, their partners and customers could bear, significantly increasing the security of corporate systems and data. Most importantly, they help prevent damage from previously unknown threats and risks, timely detecting suspicious activities and helping to find gaps in IT systems. All of these products have emerged in response to new challenges in the field of information security, helping HPE customers to keep their business running smoothly and securely.
Types of attacks identified in 252 companies:
Source: Ponemon Institute, "2015 Cost of Cyber ​​Crime Study: Global", October 2015
The average cost of damage caused during the year as a result of exposure to cyber attacks:
Source: Ponemon Institute, "2015 Cost of Cyber ​​Crime Study: Global", October 2015
The average duration of attacks to suppress them (in days):
Source: Ponemon Institute, "2015 Cost of Cyber ​​Crime Study: Global", October 2015
Source: https://habr.com/ru/post/278465/
All Articles