IoT: A Growing Threat - Georgia Technology Authority · 2019-05-23 (slide transcript)
Speaker
Tony Gillespie
Recently retired GS15 Assistant Chief of Staff G6/CIO for Marine Corps Installations East. 35 years in the Marine Corps active duty and Civil Service.
Was responsible for the Voice, Video, Data and Security for all USMC bases on the East Coast south of Quantico, Va.
Primary architect and Pilot for C2C for the DoD
1. Baseline Security
2. IoT is not coming.. It is HERE
3. Visibility
What do I need to know?
Fundamental security baseline (we all must do it):
• The largest threat to networks is endpoints (managed and unmanaged IoT).
• You MUST be able to discover, classify and perform real-time risk assessments.
• Users are our only reason for having a network; is there a patch for stupid?
• Most cybersecurity resources are spent performing fundamental baseline security tasks rather than proactive measures.
• A significant number of compromises have proven to be old vulnerabilities (2+ years) that were exploited.
• Let's lock our doors and roll up the windows! (Fundamental security automation, AKA the "stupid patch", or a wrench big enough to tighten the loose nut.)
• How much time do you spend wrestling little alligators that take up YOUR cycles when you should be strategizing?
Consequences and Impact of Inadequate Visibility
Industry stats:
• 80% of successful attacks leverage well-known vulnerabilities – Gartner Security and Risk Management Summit
• 99% of exploits will continue to be from known vulnerabilities up to one year through 2020 – Gartner
• Top 10 exploited vulnerabilities are more than a year old – HP Security Research
• 66% of networks will experience an Internet of Things based breach by 2018 – IDC
• 80% of all endpoints connected to the network will not support agent-based technologies by 2020 – Gartner
Business / mission impact:
• Reputational damage which could impact funding.
• Breach remediation averages $4 million per incident – Ponemon Institute, June 2016
• Critical citizen services become unavailable or unreliable.
• Loss of grant funding or punitive damages due to non-compliance with Federal and State requirements.
Sources: Gartner Security and Risk Management Summit, "Preparing for Advanced Threats and Targeted Attacks", Kelly Kavanaugh, June 2014; Webtorials and ForeScout Internet of Things Security Report, June 2016; http://www.forbes.com/sites/gilpress/2016/01/27/internet-of-things-iot-predictions-from-forrester-machina-research-wef-gartner-idc/6/#26e32a1972a0; http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/
Desired State & Positive Mission Outcomes
Desired state:
1. Complete visibility: "You cannot protect what you cannot see."
2. Understanding configuration, posture, location and ownership of all devices on the network in real time, supported or unsupported.
3. Rapid response to prevent incidents and breaches through orchestration using the current portfolio – a self-defending network.
4. Real-time dashboard of PCI, HIPAA etc. compliance.
5. Automated remediation of findings from audits.
Positive mission outcomes (per IDC):
1. 50% reduced chance of outage caused by a cyber event.
2. 18% increase in devices in compliance.
3. 47% improved incident resilience.
4. Result: public trust and confidence.
Required Capabilities - Going from Present State to Desired State
Agentless, continuous discovery & situational awareness
– Device classification of ALL connected endpoints without the use of agents
– Ability to rapidly deploy the solution enterprise-wide
– Defense in depth – monitor cyber hygiene of all endpoints and the required security controls in real time
Automated policy enforcement
– Out-of-box integration with current tools: patch, firewall, antivirus
– Legacy equipment protection
– Complete asset inventory for HelpDesk, CMDB, renewals
– Rogue device/activity detection and mitigation
Continuous and situational state asset awareness
– Single pane of glass for detecting, mitigating and remediating cyber incidents
DYNAMIC AND MULTI-FACETED
How ForeScout Sees Devices
(Reference the Acronym Glossary at the end of the presentation.)
Multiple methods:
• Poll switches, VPN concentrators, APs and controllers for the list of devices that are connected
• Receive SNMP traps from switches and controllers
• Monitor 802.1X requests to the built-in or external RADIUS server
• Monitor DHCP requests to detect when a new host requests an IP address
• Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners
• Run an NMAP scan
• Use credentials to run a scan on the endpoint
• Receive NetFlow data
• Import external MAC classification data or request LDAP data
• Monitor virtual machines in public/private cloud
• Classify devices using PoE with SNMP
• Use an optional agent
[Figure: ForeScout CounterACT® data-source diagram, items A–L: FTP/LDAP Server, RADIUS Server, SNMP Traps, User Directory, DHCP Requests, NetFlow]
1. IoT Landscape
2. Threat Landscape
3. Visibility
A Perfect Storm of Threats Creating New Security Needs
Attacks Targeting Devices that Corporations Can't See
• 5 out of 6 large companies are hit with targeted attacks today
• 50% of enterprises lack visibility on mobile
• 99% of IoT devices do not support security agents
IoT = Internet of Things
IoT Device Growth
[Chart: connected devices (PC, BYOD, IoT) from 1990 to 2020, scale 0 to 30 billion, 5 billion marked]
The Internet of Things is the network of dedicated physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment.
IoT = Internet of Things
A Perfect Storm of Threats Creating New Security Needs
Attack Surface Area is Growing Exponentially
[Chart: devices over time, managed vs. unmanaged (BYOD, IoT)]
• 5 out of 6 large companies are hit with targeted attacks today
• 30B connected devices by 2020
• 10 connected devices per employee by 2020
1. IoT Landscape
2. Threat Landscape
3. Visibility
Foundation Security
SEE – If you can't see it… you can't determine risk
• IoT
• NO agent – if it requires an agent, how do you find it?
• BYOD
Control – automated and manual
• Determine risk and deny access based on policy
• Allow access based on "the rest of the story"
Orchestrate – take action or pass
• Kick off mitigation
• Kick off scan
• Open a ticket or "pop-up" notifications
IoT = Internet of Things; BYOD = Bring Your Own Device
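The SEE / Control / Orchestrate flow on this slide, and the multi-source discovery list on the "How ForeScout Sees Devices" slide, come down to one join: every feed (switch MAC-table poll, DHCP request, 802.1X result) is keyed by MAC, so an agentless inventory is built by merging them and a policy decision is made per record. The script below is an added illustration written for this page, not ForeScout's or the presenter's code; the switch-poll rows, DHCP and RADIUS log lines, OUI table entries and the policy outcomes are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample feeds (not real captures), one per source the slide lists.
SWITCH_POLL = [("sw1", "Gi1/0/3", "b8:27:eb:aa:bb:cc"),   # MAC-address-table poll
               ("sw1", "Gi1/0/7", "00:0c:29:11:22:33"),
               ("sw2", "Gi1/0/1", "00:11:22:33:44:55")]
DHCP_LOG = ["DHCPREQUEST for 10.0.5.21 from 00:0c:29:11:22:33 (WS-ACCT-12) via eth0",
            "DHCPREQUEST for 10.0.5.88 from b8:27:eb:aa:bb:cc via eth0"]
RADIUS_LOG = ["Access-Accept user=jdoe mac=00:0c:29:11:22:33",   # 802.1X results
              "Access-Reject user= mac=b8:27:eb:aa:bb:cc"]
# Partial OUI table: first two prefixes are real IEEE assignments, third is constructed.
OUI = {"b8:27:eb": "Raspberry Pi Foundation", "00:0c:29": "VMware",
       "00:11:22": "constructed-vendor"}

DHCP_RE = re.compile(r"DHCPREQUEST for (\S+) from ([0-9a-f:]{17})(?: \((\S+)\))?")
RADIUS_RE = re.compile(r"Access-(Accept|Reject) user=(\S*) mac=([0-9a-f:]{17})")

def build_inventory(switch_poll, dhcp_log, radius_log):
    """Merge the feeds into one record per MAC, the join key agentless discovery relies on."""
    inv = defaultdict(lambda: {"switch": None, "port": None, "ip": None,
                               "hostname": None, "auth": "none", "user": None})
    for switch, port, mac in switch_poll:          # where the device is plugged in
        inv[mac].update(switch=switch, port=port)
    for line in dhcp_log:                          # what address/name it asked for
        m = DHCP_RE.search(line)
        if m:
            inv[m.group(2)].update(ip=m.group(1), hostname=m.group(3))
    for line in radius_log:                        # whether it authenticated
        m = RADIUS_RE.search(line)
        if m:
            inv[m.group(3)].update(auth=m.group(1).lower(), user=m.group(2) or None)
    for mac, rec in inv.items():                   # classify by vendor prefix
        rec["vendor"] = OUI.get(mac[:8], "unknown")
    return dict(inv)

def decide(rec):
    """Control/Orchestrate: policy decision plus the follow-up action it kicks off."""
    if rec["auth"] == "accept":
        return ("allow", None)
    if rec["auth"] == "reject":
        return ("deny", "open-ticket")
    # On a switch port but never seen through 802.1X: unmanaged or rogue, quarantine and scan.
    return ("quarantine", "scan")

if __name__ == "__main__":
    for mac, rec in build_inventory(SWITCH_POLL, DHCP_LOG, RADIUS_LOG).items():
        print(mac, rec["vendor"], rec["ip"], decide(rec))
```

The third device shows the case the slide calls out: it is visible only from the switch poll (no agent, no DHCP, no 802.1X), so visibility comes from infrastructure polling alone and the policy falls through to quarantine-and-scan.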
Security Starts with Visibility
[Figure: Discover, Classify, Assess cycle]
So what?
• Staff realigned to proactive tasks (analytics, hunting, forensics)
• Resource reduction (be careful with this one!)
• 99.x% compliance is not only achievable, it can be YOUR minimum standard!
2nd and 3rd order effects
• Increased security across the enterprise
• Immediate action and zero-day mitigation
• Real-time knowledge of current security posture
• Asset and license management
• Portfolio management
How do I get there?
Thank you!
Acronym Glossary
AAA Authentication, Authorization and Accounting
ACL Access Control List
ACS Cisco Secure Access Control Server
ARP Address Resolution Protocol
ATD Advanced Threat Detection
ATP Advanced Threat Prevention
BYOD Bring Your Own Device
CA Certificate Authority
C&C Command and Control
CEF Cisco Express Forwarding
CoA Change of Authorization
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
EMM Enterprise Mobility Management
EX FireEye's Threat Prevention Platform for Email-based Cyber Attacks
FERC Federal Energy Regulatory Commission
FW Firewall
GUI Graphical User Interface
HIPAA Health Insurance Portability and Accountability Act
HITECH Health Information Technology for Economic and Clinical Health
HPS Host Property Scanner
HX FireEye's Endpoint Threat Prevention Platform
ID Identification
IM Instant Messaging
IOC Indicators of Compromise
iOS Apple operating system for mobile devices
IoT Internet of Things
IP Internet Protocol
ISE Cisco Identity Services Engine
MAB MAC Authentication Bypass
MTP FireEye's Mobile Threat Prevention Platform
MTTD Mean Time to Detection
MTTR Mean Time to Resolution
NA Not Applicable
NAC Network Access Control
NERC North American Electric Reliability Corporation
NetBIOS Network Basic Input/Output System
NIC Network Interface Card
NIMAPP Network Mapper
NIST National Institute of Standards and Technology
NMAP Network Mapper
NX FireEye's Network Threat Prevention Platform
OS Operating System
P2P Peer to Peer
PCI Payment Card Industry
PKI Public Key Infrastructure
pxGrid Cisco Platform Exchange Grid
RADIUS Remote Authentication Dial-In User Service
Reauth Reauthorization
RTU Remote Terminal Unit
SCADA Supervisory Control and Data Acquisition
SDK Software Development Kit
SGT Security Group Tags (Cisco)
SIEM Security Information and Event Management
SNMP Simple Network Management Protocol
SOX Sarbanes-Oxley
SQL SQL Server
SSID Service Set Identifier
syslog Standard for message logging
TACACS Terminal Access Controller Access-Control System
TAM FireEye's Threat Assessment Manager
TAP FireEye's Threat Analytics Platform
TCO Total Cost of Ownership
USB Universal Serial Bus
VA Vulnerability Assessment
vFW Virtual Firewall
VM Virtual Machine
VPN Virtual Private Network
Backup
Vendors are proliferating within these siloed environments
IoT Device / Solution Vendors by Physical Environments: Personal, Home, City, Factory, Logistics, Retail, Vehicles, Office, Worksite, Medical
Without standards or platforms, each vendor in each vertical environment tends to build its own specialized solution stack from scratch.
Source: Harbor Research, 2014; McKinsey Global Institute, 2015