IoT A growing threat - Georgia Technology Authority · 2019-05-23 · •Top 10 exploited...


Page 1

IoT: A growing threat

Tony Gillespie, US Public Sector Strategist, [email protected]

Page 2

Speaker


Tony Gillespie

Recently retired GS15 Assistant Chief of Staff G6/CIO for Marine Corps Installations East. 35 years in the Marine Corps active duty and Civil Service.

Was responsible for the Voice, Video, Data and Security for all USMC bases on the East Coast south of Quantico, Va.

Primary architect and Pilot for C2C for the DoD

Page 3

What do I need to know?

1. Baseline Security
2. IoT is not coming... It is HERE
3. Visibility

Page 4

Fundamental security baseline... (we all must do it)

• The largest threat to networks is endpoints (managed and unmanaged IoT).

• You MUST be able to discover, classify and perform real-time risk assessments.

• Users are our only reason for having a network; is there a patch for stupid?

• Most cybersecurity resources are performing fundamental baseline security tasks (rather than proactive measures).

• A significant number of compromises have proven to be exploitation of old vulnerabilities (2+ years old).

• Let's lock our doors and roll up the windows! (Fundamental security automation, AKA "the stupid patch", or a wrench big enough to tighten the loose nut.)

• How much time do you spend wrestling little alligators that take up YOUR cycles when you should be strategizing?


Page 5

Consequences and Impact of Inadequate Visibility

Industry Stats:

• 80% of successful attacks leverage well-known vulnerabilities – Gartner Security and Risk Management Summit

• 99% of exploits will continue to be from known vulnerabilities up to one year through 2020 – Gartner

• Top 10 exploited vulnerabilities are more than a year old – HP Security Research

• 66% of networks will experience an Internet of Things based breach by 2018 – IDC

• 80% of all endpoints connected to the network will not support agent-based technologies by 2020 – Gartner

Business / Mission impact:

• Reputational damage which could impact funding.

• Breach remediation averages $4 Million per incident – Ponemon Institute, June 2016

• Critical citizen services become unavailable, unreliable

• Loss of grant funding or punitive damages due to non-compliance with Federal & State requirements

Sources: Gartner Security and Risk Management Summit, "Preparing for Advanced Threats and Targeted Attacks", Kelly Kavanaugh, June 2014; Webtorials and ForeScout Internet of Things Security Report, June 2016; http://www.forbes.com/sites/gilpress/2016/01/27/internet-of-things-iot-predictions-from-forrester-machina-research-wef-gartner-idc/6/#26e32a1972a0; http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/

Page 6

Desired State & Positive Mission Outcomes


Desired State:

1. Complete visibility: "You cannot protect what you cannot see."

2. Understanding the configuration, posture, location and ownership of all devices on the network in real time, supported or unsupported

3. Rapid response to prevent incidents & breaches through orchestration using the current portfolio – a self-defending network

4. Real-time dashboard of PCI, HIPAA, etc. compliance

5. Automate remediation of findings from audits

Positive Mission Outcomes (per IDC)

1. 50% reduced chance of outage caused by cyber event.

2. 18% increased devices in compliance

3. 47% improved incident resilience

4. Result: public trust and confidence.

Page 7

Required Capabilities - Going from Present State to Desired State

Agentless, Continuous Discovery & Situational Awareness

– Device classification of ALL connected endpoints without the use of agents

– Ability to rapidly deploy the solution enterprise-wide

– Defense in depth: monitor the cyber hygiene of all endpoints and the required security controls in real time

Automated Policy Enforcement

– Out-of-the-box integration with current tools (patch, firewall, antivirus)

– Legacy equipment protection

– Complete asset inventory for HelpDesk, CMDB, renewals

– Rogue device/activity detection and mitigation

Continuous and Situational State Asset Awareness

– Single pane of glass for detecting, mitigating, and remediating cyber incidents


Page 8

DYNAMIC AND MULTI-FACETED

How ForeScout Sees Devices

Reference the Acronym Glossary at the end of the presentation.

Multiple methods:

• Poll switches, VPN concentrators, APs and controllers for a list of devices that are connected

• Receive SNMP traps from switches and controllers

• Monitor 802.1X requests to the built-in or external RADIUS server

• Monitor DHCP requests to detect when a new host requests an IP address

• Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners

• Run NMAP scan

• Use credentials to run a scan on the endpoint

• Receive NetFlow data

• Import external MAC classification data or request LDAP data

• Monitor virtual machines in public/private cloud

• Classify devices using PoE with SNMP

• Use optional agent

[Diagram: ForeScout CounterACT® at the center, fed by SNMP traps, DHCP requests, NetFlow, a RADIUS server, a user directory and an FTP/LDAP server; the arrows are labelled A through L to match the methods listed above.]

Page 9

1. IoT Landscape
2. Threat Landscape
3. Visibility

Page 10

A Perfect Storm of Threats Creating New Security Needs

Attacks Targeting Devices that Corporations Can’t See

IoT = Internet of Things

• 5 out of 6 large companies are hit with targeted attacks today

• 50% of enterprises lack visibility on mobile

• 99% of IoT devices do not support security agents

Page 11

IoT Device Growth

[Chart: IoT device growth for PC, BYOD and IoT from 1990 through 2015 to 2020, on a scale from 0 through 5 billion to 30 billion devices.]

The Internet of Things is the network of dedicated physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment.

IoT = Internet of Things

Page 12

A Perfect Storm of Threats Creating New Security Needs


Attack Surface Area is Growing Exponentially

[Chart: devices over time, managed versus unmanaged (BYOD, IoT).]

• 5 out of 6 large companies are hit with targeted attacks today

• 30B connected devices by 2020

• 10 connected devices per employee by 2020

Page 13

1. IoT Landscape
2. Threat Landscape
3. Visibility

Page 14

Foundation Security

SEE – If you can’t see it… you can’t determine risk

• IoT

• NO agent: if it requires an agent, how do you find it?

• BYOD

Control – automated and manual

• Determine Risk and Deny Access based on policy

• Allow access based on “the rest of the story”

Orchestrate – take action or pass

• Kick-off mitigation

• Kick-off scan

• Open Ticket or “Pop Up” notifications

IoT = Internet of Things; BYOD = Bring Your Own Device
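The discovery sources listed under "How ForeScout Sees Devices" (page 8) and the See / Control / Orchestrate flow on this slide, worked as an added example that is not ForeScout's or CounterACT's code: it correlates constructed DHCP, RADIUS and SNMP events into one inventory keyed by MAC, classifies each device from a constructed OUI table, and returns a risk level and action. The event line formats, OUI prefixes, hostnames and policy values are all assumptions.

```python
"""Agentless discovery plus a see/control/orchestrate policy (added example,
not ForeScout/CounterACT code). Passive events (DHCP requests, 802.1X/RADIUS
accepts, SNMP link traps) are merged into one inventory keyed by MAC, classified
from a constructed OUI table and run through a simple risk/action policy."""
import re
from collections import defaultdict
# Constructed sample events as (source, text); the line formats are hypothetical.
EVENTS = [
    ("dhcp", "DHCPREQUEST for 10.0.5.21 from 00:1e:c0:aa:bb:01 (cam-lobby-1) via eth1"),
    ("radius", "Access-Accept user=jdoe mac=3c:5a:b4:12:34:56 nas-port=Gi1/0/7"),
    ("snmp", "linkUp ifIndex=12 mac=00:1e:c0:aa:bb:02 switch=sw-bldg4"),
    ("dhcp", "DHCPREQUEST for 10.0.5.40 from 3c:5a:b4:12:34:56 (LAPTOP-JDOE) via eth1"),
    ("dhcp", "DHCPREQUEST for 10.0.9.9 from 00:50:56:de:ad:01 (hvac-ctl) via eth3"),
    ("snmp", "linkUp ifIndex=13 mac=02:42:ac:11:00:02 switch=sw-bldg4"),
]
# Constructed OUI-prefix to device-class table (a real one has thousands of rows).
OUI_CLASS = {"00:1e:c0": "ip-camera", "3c:5a:b4": "laptop", "00:50:56": "vm"}
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

def discover(events):
    """SEE: build inventory MAC -> sources seen, last DHCP IP, 802.1X status."""
    inv = defaultdict(lambda: {"sources": set(), "ip": None, "authenticated": False})
    for source, text in events:
        m = MAC_RE.search(text)
        if not m:
            continue  # event carries no MAC, so there is nothing to correlate
        dev = inv[m.group(1).lower()]
        dev["sources"].add(source)
        if source == "dhcp" and (ip := re.search(r"for (\S+)", text)):
            dev["ip"] = ip.group(1)
        if source == "radius" and "Access-Accept" in text:
            dev["authenticated"] = True
    return dict(inv)

def classify(mac):
    return OUI_CLASS.get(mac[:8], "unknown")  # OUI = first three octets

def decide(mac, dev):
    """CONTROL/ORCHESTRATE: return (risk, action) for one inventory entry."""
    if dev["authenticated"]:
        return ("low", "allow")         # passed 802.1X: grant normal access
    if classify(mac) == "unknown":
        return ("high", "deny+ticket")  # rogue/unclassified: block and open a ticket
    return ("medium", "limit+scan")     # known agentless IoT: restricted VLAN plus scan

def policy_report(events):
    """Run discover -> classify -> decide; returns MAC -> (class, risk, action)."""
    return {mac: (classify(mac),) + decide(mac, dev)
            for mac, dev in sorted(discover(events).items())}
```

A device seen by several sources (here the laptop, via DHCP and RADIUS) collapses to one inventory entry, which is what lets the policy distinguish an authenticated user from an unmanaged device that only ever asked for a lease.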

Page 15


Discover, Classify, Assess


Security Starts with Visibility

Page 16

So what?

• Staff realigned to proactive tasks (Analytics, Hunting, Forensics)

• Resource reduction (be careful with this one!)

• 99.x% compliance is not only achievable, it can be YOUR minimum standard!

2nd and 3rd order effects

• Increased security across the enterprise

• Immediate action and zero day mitigation

• Real-time knowledge of current security posture

• Asset and license management

• Portfolio Management

How do I get there?


Page 17

Thank you!

Page 18

Acronym Glossary


AAA – Authentication, Authorization and Accounting

ACL – Access Control List

ACS – Cisco Secure Access Control Server

ARP – Address Resolution Protocol

ATD – Advanced Threat Detection

ATP – Advanced Threat Prevention

BYOD – Bring Your Own Device

CA – Certificate Authority

C&C – Command and Control

CEF – Cisco Express Forwarding

CoA – Change of Authorization

DHCP – Dynamic Host Configuration Protocol

DNS – Domain Name Server

EMM – Enterprise Mobility Management

EX – FireEye's Threat Prevention Platform for Email-based Cyber Attacks

FERC – Federal Energy Regulatory Commission

FW – Firewall

GUI – Graphical User Interface

HIPAA – Health Insurance Portability and Accountability Act

HITECH – Health Information Technology for Economic and Clinical Health

HPS – Host Property Scanner

HX – FireEye's Endpoint Threat Prevention Platform

ID – Identification

IM – Instant Messaging

IOC – Indicators of Compromise

iOS – Apple operating system for mobile devices

IoT – Internet of Things

IP – Internet Protocol

ISE – Cisco Identity Services Engine

MAB – MAC Authentication Bypass

MTP – FireEye's Mobile Threat Prevention Platform

MTTD – Mean Time to Detection

MTTR – Mean Time to Resolution

NA – Not Applicable

NAC – Network Access Control

NERC – North American Electric Reliability Corporation

NetBIOS – Network Basic Input/Output System

NIC – Network Interface Card

NIST – National Institute of Standards and Technology

NMAP – Network Mapper

NX – FireEye's Network Threat Prevention Platform

OS – Operating System

P2P – Peer to Peer

PCI – Payment Card Industry

PKI – Public Key Infrastructure

pxGrid – Cisco Platform Exchange Grid

RADIUS – Remote Authentication Dial-In User Service

Reauth – Reauthorization

RTU – Remote Terminal Unit

SCADA – Supervisory Control and Data Acquisition

SDK – Software Developer Kit

SGT – Security Group Tags (Cisco)

SIEM – Security Information and Event Management

SNMP – Simple Network Management Protocol

SOX – Sarbanes Oxley

SQL – SQL Server

SSID – Service Set Identifier

syslog – standard for message logging

TACACS – Terminal Access Controller Access-Control System

TAM – FireEye's Threat Assessment Manager

TAP – FireEye's Threat Analytics Platform

TCO – Total Cost of Ownership

USB – Universal Serial Bus

VA – Vulnerability Assessment

vFW – Virtual Firewall

VM – Virtual Machine

VPN – Virtual Private Network

Page 19

Backup


Page 22

Vendors are proliferating within these siloed environments

Source: Harbor Research, 2014; McKinsey Global Institute, 2015

IoT Device / Solution Vendors by Physical Environments

Personal, Home, City, Factory, Logistics, Retail, Vehicles, Office, Worksite, Medical

Without standards or platforms, each vendor in each vertical environment tends to build their own respective specialized solution stack from scratch