Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... –...

31
SecureWorks Ever-Evolving Security Threat Landscape Jeff Multz Security Evangelist Dell SecureWorks

Transcript of Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... –...

Page 1: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

SecureWorks

Ever-Evolving Security Threat Landscape

Jeff Multz Security Evangelist

Dell SecureWorks

Page 2: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

• Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

Dell SecureWorks

Counter Threat Unit Research Team

– Elite cyber intelligence talent focuses on threat actors, tradecraft and countermeasures

Counter Threat Platform

– Next generation technology applies intelligence to protect thousands of customers worldwide

Global Security Operations Centers

– 7 resilient, high-security facilities provide vendor-neutral, in-region service delivery 24x7x365

Certified Security and Compliance Experts

– 1,000+ security and compliance professionals deliver award-winning services and customer satisfaction

We help thousands of organizations protect against cyber threats, simplify regulatory compliance and embrace innovation securely.

2

Page 3: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

• Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

The Internet is “where the bad guys will go because that’s where our lives are, and our money,

our secrets and our intellectual property,”

James Comey, FBI Director

Percentage of U.S. adults who named online banking as their preferred banking method in 2011

GLBA FFIEC NCUA

PCI HIPAA

NERC CIP FISMA

700+ Federal and state security-related

laws

50 U.S. states with

varying data breach laws

2013 480 million

records stolen

Page 4: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

4

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

DS

WR

XP

ric

e

Ow

ne

r Co

st

Ass

et

Cri

min

al C

ost

Cri

min

al

Co

st

Role of a managed security service provider

Increase risk Reduce reward Increase effort

Page 5: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

5

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

An integrated approach to security

Core Assets

Services

Business Value

Incident Response & Digital Forensics

Security & Risk Consulting

Managed Security

Flexible Approach

Vertical Expertise

Purpose-built Technology

Scalable Security

Operations CTU

Intelligence

Threat Intelligence

Cost Control

Compliance Flexibility Threat Mitigation

Visibility Rapid

Response

Certified Security Experts

Dell SecureWorks delivers a comprehensive suite of information security services powered by our proprietary technology, global threat visibility and deep security expertise

Page 6: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

6

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Recently ranked in Gartner’s “Market Trends: Managed Security Services, Worldwide, 2013”1 report as the number one MSSP to watch.

Information Security Leader

Page 7: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

8

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Cyber Security Threatscape

Page 8: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

9

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

• Large business are fortifying

their defenses

• Easy money

• Cyber criminals aren’t choosy

• Path of least resistance

• “low-hanging fruit”

• Gateway to ultimate target

• Malware testing ground

“Cybercriminals go after the big guys”

“Our core provider provides security”

“I don’t have any valuable data or assets”

SMBs targeted more than ever

Page 9: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

10

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks Global New Hire Orientation Global New Hire Orientation

Cyber Threat Macro Trends

Confidential 10

Notoriety Basic Intrusion

& Viruses

Fame Viruses

& Malware

Financial Theft & Damage

National Interests Government

Data/Networks Defense Industrial

Base

Th

rea

t S

ev

eri

ty

1990 1995 2000 2005 2007 2010 2014

Page 10: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

11

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

The threat landscape

Malware

Malicious software that disrupts computer operation, gather sensitive information, or gain unauthorized access to computers Computer viruses, worms, trojan horses, spyware, adware

A sophisticated and organized cyber attack to access and steal information from compromised computers

Advanced Threats

Denial-of-Service Distributed Denial-of-Service An attempt to make a computer or network resource unavailable to its intended users

DoS & DDoS

Cyber Warfare

Politically motivated hacking to conduct sabotage and espionage

Page 11: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

12

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Cyber attacks edging out terrorism as No. 1 threat to U.S.

“I am convinced there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

“No company is immune, from the Fortune 500 corporation to the neighborhood ‘mom and pop’ business.”

“In the not too distant future, we anticipate that the cyberthreat will pose the No. 1 threat to our country.”

Source: FBI Director Robert Mueller

Speaking at 2012 RSA Conference

Page 12: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

13

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

“In many cases, the skills of the adversaries are so substantial that they just leap right over the fence and you don’t even hear an alarm go off.”

Companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking – or the costs they may have already suffered.

He doesn’t believe there is a single secure, unclassified computer network in the U.S.

FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.

In cases handled by one computer security firm where intrusions were traced back to China, 94% of the targeted companies didn’t realize they had been breached until someone else told them.

Companies need to do more than just react to intrusions

According to top cyber security experts

Source: “U.S. Outgunned in Hacker War”

The Wall Street Journal, March 28, 2012

Page 13: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

14

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Motivations behind cyber crime

• Gain financial advantage

• Intelligence gathering

• Gain competitive advantage

• Damage organizations’ brand, reputation and systems

• Obtain indirect access to a targeted business partner

• Prepare the field of battle for cyber warfare

Page 14: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

15

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Criminal to Criminal

Fourth generation

Increase in criminal-to-criminal activity

• Exploit auction houses (WabiSabiLabi)

• Forums and IRC (#Vxers, cybermafia.cc)

• Distribution service (IFRAMES.BIZ)

• Botnet rental (5Socks.net)

• Licensing model (storm worm)

• Identity auctions (76service)

• Social networks (ranking and escrow)

Page 15: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

16

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Identity Theft Market Value

US Based Credit Card

$1 - $2

Non-US Credit Card

$2 - $10

Prestige Credit Card

$200 - $400

PayPal account, verified balance

$2- $200

Compromised Computer $1 - $100

Verified PayPal Account w.

balance $50 - $500

Skype Acct. Premium) $1 - $100

Game

Accounts $100 -$1000

Med. Health Record

$50

Page 16: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

17

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

The Impact of Cyber Crime

#1 - Hacker’s Inc.

• Would be the largest company in the world

• Translate costs into “hacker revenue”

• Global costs of cyber crime is $500B

* - Center for Strategic and

International Studies (CSIS)2013

500

Page 17: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

18

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Losses due to “traditional" crimes

$10

$20

$30

$40

$50

$60

$70

$80

2003 2004 2005 2006 2007 2008 2009 2010 2011

Recovered

Net Loss

Source: FBI Bank Crime Statistics (BCS) Federally Insured Financial Institutions January 1, 2003-December 31, 2011

Mil

lio

ns

Page 18: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

19

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Cybercrime vs. traditional crime

$0

$10

$20

$30

$40

$50

$60

$70

$80

$90

$100

Bank Robbery, etc. ZeuS Group A

Millions

Recovered

Net Loss

Page 19: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

20

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Incident by Breach Type – May 2014

Source: OSF DataLossDB

52% of breaches are hacker activity

Page 20: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

21

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Incidents by Source – May 2014

Source: OSF DataLossDB

63% of incidents originate outside

your 4 walls

Page 21: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

22

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Vulnerability trend – year over year

Source: Dell SescureWorks Counter Threat Unit Intelligence

Page 22: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

23

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Top Ten Hacking Countries

Top Ten Hacking Countries, Bloomberg.com Apriil 23, 2013

“There are no safe neighborhoods… All of us are next-door neighbors on the Internet in the blink of an eye.”

FBI Director James Comey

1. China 2. Turkey 3. Russia 4. Taiwan 5. Brazil 6. Romania 7. India 8. Italy 9. Hungary 10. South Korea

Page 23: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

24

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

2013 Midsize Data Breaches - A sampling

Vendini 56,000

SnapChat 4,700,000

Sun and Sight Eyeworks

9,000

PlaySpan 100,000

Kirkwood Community

College 110,000

Evernote

50,000,000

High Tech Crime

Solutions 32,000

Hickory Grove Gas Station

100

Network Solutions 500,000+

Page 24: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

SecureWorks

Theat Intelligence

Page 25: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

26

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks Global New Hire Orientation Global New Hire Orientation

The Counter Threat Unit

Top security talent in the industry

– Former CERT, Army Global NOSC, USCYBERCOM, DoD, Natl. Labs, CISOs and SANS instructors

1,000+ security and compliance experts

– CISSP – INFOSEC – CISA – GIAC GCIA – GIAC GSEC – GIAC GCFW – GIAC GCIH – GIAC GCFA

– GIAC GCWN – GIAC GPEN – CCDP – CCNA – CCSE – CSPFA – CSVPN – CSIDS

– CCSP – CCIE – CCSA – CCDA – CCNP – INFOSEC – MCSA – MCSE

– MCP+I – MCSE+I – PMP – NCSA – CFE – CCSI – CEH – NOP

Highly regarded in the security community

– Black Hat, DEFCON, ShmooCon, ToorCon, DeepSec, U.S. DoD Cyber Crime Conference, CERT-EE, AusCERT, Hacker Halted, RECON, APWG

Page 26: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

27

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

CTU’s strategic focus

Focused on “who” and “how”

– Threat actors and their missions

– Tradecraft used in attacks

– “Kill chain” – how to disrupt attack process

Elite cyber-intelligence experts

– Current and historical rich attack data

– World-class intelligence platform and tools

– Industry and law enforcement relationships

Targeted

Broad

Advanced Commodity

Script Kiddies

Hactivists APT

CTU

AV Vendors

IPS Vendors

Organized Cybercrime

Page 27: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

28

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks Global New Hire Orientation Global New Hire Orientation

~70B Daily Cyber

Events

Global Threat Visibility • SOC and Data Center • SOC • Additional Staff

70+ Countries

3K+ Customers

1K+ Security Pros

100K+ Devices

3000+ Daily Escalations

Noida, India Providence, RI

Myrtle Beach, SC Plano, TX

Edinburgh, Scotland

Atlanta, GA

Chicago, IL

Bangalore, India

Hyderabad, India

Bucharest, Romania

Guadalajara, Mexico

Round Rock, TX

200+ Software Engineers

24 X 7 X 365

Kawasaki, Japan

London

Sydney

Page 28: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

29

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Risk-based approach

Direct loss risk Risk to reputation

Liability risk Compliance risk

Lost revenue, data

Litigation, civil damages

Lose market share

Fines, penalties

Page 29: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

30

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Real-time monitoring and analysis

Remaining Events of Interest

510,618,423 events

Event Consolidation

3,805,226

207,499

People

& P

rocess

Anomaly Filter

Positive

Filter

3,803,598 1,628

Negative Filter

506,813,197

Logic/Correlation Engines 5,633

Technolo

gy

Counter Threat Appliance and CTP Agent

Security Event Worm - Client Not Vulnerable

1 Incident (21 Events)

Security Event

Suspicious Activity

3 Incidents (32 Events)

Security Event Benign

5,532 Events

Security Event System /

Application 1 Incident 48 Events

Info

rmatio

n fro

m In

tellig

ence,

Scannin

g, T

rendin

g &

Auditin

g

Incident Handling Process: Aggregate, Correlate, Categorize, Assess Threat, and Respond

Low Threat

Incident is logged for future correlation and reporting, but no further action required.

Medium Threat

Incident requires near

term intervention by

Dell SecureWorks

and/or the customer

to prevent availability

or security issue.

High Threat

Incident requires immediate intervention by Dell SecureWorks and the customer to prevent and/or remediate availability or security issue in progress.

3 Firewalls 3 IDS / IPS 50 Servers / Other

Page 30: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

31 Services Confidential

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

The 50/30/20 Security Rule – Layered Security

50%

• Firewall

• First line of defense

30%

• Intrusion Prevention

• Identifies, examines and investigates

20%

• Servers, routers, switches, AND endpoints

• Securely direct traffic

Page 31: Ever-Evolving Security Threat Landscape - ISACA · Ever-Evolving Security Threat Landscape ... – GIAC GCIA – GIAC GSEC ... – GIAC GCFW – GIAC GCIH – GIAC GCFA – GIAC GCWN

32

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

• Test and assess

• Invest in prevention

• The 50/30/20 Security Rule

• Enable compliance

• Security awareness training

• Documented and tested incident response plan

Be proactive