GCC Operational Technology Security Forum & Exhibition, 21-23 March 2017, Doha
Cyber Threats & Information Sharing
Syed Peer
AGENDA
CYBER THREAT LANDSCAPE: Changing Face of Friend or Foe
CHALLENGES FOR INDUSTRY: Where do we go today?
BACKGROUND & HISTORY: Definition, NIST Core Guide, Best Practices, CISA 2015
CISA, SHARING PROS AND CONS: To share or not to share?
CONCLUSION: Are we there yet?
CYBER THREAT LANDSCAPE
Changing face of Friend and Foe?
AGILITY: Highly technical players leverage a new vulnerability within hours. There is a black market for tools and zero-day exploits, and vendors are always in catch-up mode.
EVOLUTION: Rapid code sharing and an active community generate variants in multiples. It is no longer rocket science, nor does it require large funding, hardware or exceptional talent.
SLA: Service Level Agreements are based on predictable behaviour. We need to learn to love the unpredictable and unexpected.
DIVERSITY: Modern-day exploits are so varied and diverse that old risk models are inadequate. Simple ISO 27001 compliance provides no guarantee of security.
DIGITAL FRAUD: On an epidemic scale, with estimated yearly losses in the billions. Well coordinated and often team or gang based, spread across global geographies.
STATE SPONSORED: Highly productive and well-funded teams with links to military and government. Often carried out by known adversaries or allies, e.g. the 2016 US elections: Fancy Bear, Cozy Bear.
CHALLENGES FOR INDUSTRY
Where do we go today?
INTERNAL SKILLS DEFICIT: Lack of specialised resources for CTI. Unable to fully leverage expensive tools. Under-staffed NOC/SOC for 24/7 diligence.
DATA OVERLOAD: Immense volumes of data are available from CTI sources, vendors, public/private sharing platforms and international CERTs. Resources are drowning in data without reprieve.
VENDOR SOLUTIONS: Difficult to identify the correct CTI vendor solution in a crowded market. Vendors need to constantly provide the latest relevant CTI feeds; there is room for patch latency and falling behind the curve.
MANAGEMENT SUPPORT: A hard climb to get top-level management support for sharing CTI, especially with outside agencies and teams.
POLICIES & PROCEDURES: Develop them using a risk-based approach. Work with business owners to classify data criticality. Bake in BCP and DR plans and drill schedules.
COMMUNICATION CHANNEL: Need to build effective information exchange channels between CTI teams and internal business function owners.
BACKGROUND & HISTORY
Definition, NIST Core Guide, Best Practices, CISA 2015
DEFINITION
NIST SP 800-150, Guide to Cyber Threat Information Sharing:
“Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Examples of cyber threat information include indicators (system artifacts or observables associated with an attack), TTPs, security alerts, threat intelligence reports, and recommended security tool configurations. Most organizations already produce multiple types of cyber threat information that are available to share internally as part of their information technology and security operations efforts.”
BEST PRACTICES : INFORMATION SHARING (NIST)
INVENTORY: Perform an inventory to catalog the information an organization already possesses and the information it may still produce. The inventory should document the circumstances in which the information could be shared.
EXCHANGE: Exchange CTI, tools and techniques with sharing partners. When sharing CTI, organizations learn from each other; gain a more complete understanding of the adversary's tactics, techniques and procedures; craft effective strategies to protect systems; and take action, either independently or collectively, to address known threats.
OPEN STANDARDS: Use open, standard data formats and transport protocols for efficient and effective exchange of CTI. This fosters interoperability and allows different products, data repositories and tools to rapidly exchange data.
PARTNER: Enhance cyber security posture and maturity by augmenting local data collection, analysis and management processes with information from outside sources. This helps organizations develop a deeper understanding of activities on their networks, identify cyber attack campaigns and better detect blended threats that use multiple methods of attack.
ADAPTIVE: Define a cyber security approach adaptive to the lifecycle of an attack by developing defensive measures that detect, limit or prevent reconnaissance and delivery of malicious payloads. The approach should mitigate the execution of exploits that allow an adversary to establish or maintain a persistent network presence.
RESOURCES: Ensure the resources required for continuing participation in a sharing community are available. Participation might require an organization to commit personnel; deliver training; and provide hardware, software, services and other infrastructure needed to support continuing data collection, storage, analysis and dissemination.
AWARENESS: Maintain continuing awareness of information security, vulnerabilities and threats. Organizations should implement security controls to protect their sensitive information, enforce sharing rules and ensure that information received from external sources is protected in accordance with data sharing agreements.
INFRASTRUCTURE: Establish the infrastructure necessary to maintain cyber security posture and identify the roles and responsibilities for installing, operating and maintaining these capabilities. Organizations should have basic asset, vulnerability and configuration management capabilities in place to monitor and manage the hardware and software on their networks for timely patching.
INFORMATION SHARING : PROCESS MAP (NIST)
1. Establish core cyber security capabilities
2. Establish and participate in sharing and coordination activities
3. Consume basic threat intel from external sources
4. Create basic threat intel
5. Use basic threat intelligence to support decision making processes
6. Share basic threat intel with external partners
7. Develop and deploy advanced cyber security capabilities
8. Consume advanced threat intel from external sources
9. Create advanced threat intel
10. Use advanced threat intel to support decision making processes
11. Share advanced threat intel with external partners
CISA : Cyber Security Information Sharing Act, December 18, 2015
ESTABLISH: Establishes a process for the U.S. government to share cyber threat information with businesses that voluntarily agree to participate in the program.
SHARE: Encourages companies to share malicious code, suspected reconnaissance, vulnerabilities, anomalous activity, and signatures and techniques that could pose harm to an IT system.
EXEMPTION: Provides an antitrust exemption for companies that share their threat data with other businesses.
ALERTS: Allows government agencies to move more quickly to alert companies when they have been hacked.
CTI HUB: Designates the Department of Homeland Security (DHS) as the cyber threat information-sharing hub between government and business, and sets up automated systems.
EXECUTIVE: Allows the President, after notifying Congress, to set up a second information sharing center if needed.
CISA : SHARING PROS & CONS
To Share or Not to Share?
“He who controls the past controls the future. He who controls the present controls the past.” (George Orwell, 1984)
PROS
Voluntary program to join
Bi-partisan
Protection from liability, disclosure and anti-trust
Complementary to executive orders and framework
Provides safeguards for privacy and civil liberties
CONS
Citizens' data privacy concerns
Compromised gatekeeper access
Reputational risk and ransomware
Opposed by tech: Apple, Twitter, Google, MS
Lack of federal agility and funding
Inter-departmental sharing (IRS, FBI, local police)
Excuses companies from liability in violating privacy laws
CONCLUSION : CYBER THREAT INFORMATION IMPERATIVES
IT must have the ability to set expectations for service quality, availability and timeliness. High availability and data protection are integral to IT setting these expectations.
Build a strategy to stay current with CTI and push to improve infrastructure to support the vision. A stitch in time saves lives.
Aim for ease of acquiring, deploying and managing IT cyber security infrastructure, and of deploying IT workloads.
SERVICE DELIVERY: Maintain availability and customer satisfaction as always, or better. CTI gathering should never impede the business model.
LONG TERM: Realise long-term cost savings by spending wisely now. Invest in staff training and in building out PEN and NOC skills and staffing.
SIMPLICITY: Use the KISS rule to ensure that you are not over-reaching the expectation.
Syed Peer, IT Manager
QAFCO, Qatar
Phone: (974) 5571 6658
LinkedIn: http://www.linkedin.com/in/syedpeer
THANK YOU