When POS Comes to Shove

Industry Perspectives 2022-05-23

In today’s blog post, FireEye examines the threats posed to retailers by crimeware, Point-of-Sale (POS) malware, and other threats. It is certainly a topic that is on the mind of many organizations and individuals these days. But with all the hype and buzz, what proactive steps can a CISO take to better defend his or her organization against these threats? There are many potential approaches that could be taken, but two foundational concepts that come to mind are:

  • Best practices and first principles
  • Continuous Security Monitoring (CSM)

Best practices and first principles are not rocket science, but they still rule the day. As discussed in additional detail in the FireEye blog post on BrutPOS best practices can go a long way towards helping an organization defend itself. First principles such as identity management, sensible permissions, adequate controls for remote logins, and others can help keep an organization from falling victim to the wide variety of threats that it faces today. CISOs can do their part by communicating their vision for assessing the weak links in the chain and strengthening them. It is an iterative process and one that will not be fully completed in a day, a week, or even a month. But the CISO that pushes and motivates his or her organization in this direction will be doing that same organization a great service. It is always better for the organization itself to find a weakness in its security posture than for the attackers to find it.

Despite our best efforts and intentions, however, intrusions and breaches will still inevitably occur. In those instances, our attention quickly turns from prevention to detection and response. Continuous Security Monitoring (CSM) is the formalized process through which we build and enhance our organizational capability to rapidly detect, analyze, contain, and remediate intrusions and breaches. After all, breaches happen, but what a CISO must truly be on the lookout for is the theft of sensitive, proprietary, or confidential data. The financial, legal, and PR damage caused by an intrusion of any scale can be minimized, but only if that intrusion is detected and responded to rapidly. Proactively enhancing the organization’s CSM capability allows a CISO to markedly improve the security posture of the organization.

As an example, consider the case of a Point-of-Sale (POS) malware sample entering an enterprise network. This will likely trip one or more alerts that will be sent to the organization’s work queue (I.e., SIEM, incident ticketing system, etc.).

The first challenge we encounter here is ensuring that this alert does not get overlooked or lost in the noise. This can be accomplished by ensuring that we methodically approach the process by which we develop content to generate alerts for the work queue. We want to ensure a high enough rate of true positives to false positives, or signal-to-noise ratio.

Next, we will need to ensure that an analyst vets, qualifies, and analyzes the relevant alert or alerts. We can ensure this occurs by following a rigorous, formalized incident response process at strategic and tactical levels, along with ensuring we adequately train our staff.

As the analyst reviews the alert, we will need to ensure that the appropriate contextual information in support of the alert can be retrieved quickly and easily. This requires visibility across the network, endpoint, and intelligence in order to enrich the alert data with supporting evidence that will allow us to draw a conclusion as to whether or not we have a compromise, along with the scope of that compromise.

Lastly, we will need to contain and remediate the intrusion. These steps ensure that we stop the POS malware’s progress dead in its tracks — before it can steal valuable and sensitive payment card information from our organization.

If this seems like the familiar people, process, and technology triad, there is good reason for that. We must remind ourselves that it is no one piece of malware or intrusion that lands us in trouble. Rather, it is not detecting and responding to that intrusion in a timely manner that causes the damage.

It is certainly not easy to be a CISO these days. The microscope and heat lamp seem continually focused upon those in the role. The good news is that through a combination of best practices and Continuous Security Monitoring, CISOs can take a proactive stance to defend and protect their organizations against the breaches of today and of tomorrow.