ISSA SoCal Symposium 2015 v1 Leidos · 2016-07-10

Transcript of ISSA SoCal Symposium 2015 v1 Leidos

Page 1

Parts ©2015 Donaldson, Siegel, Williams, Aslam ©2013 LEIDOS. ALL RIGHTS RESERVED.

Enterprise Cybersecurity: Building an Effective Defense

Chris Williams, Oct 29, 2015

14‐Leidos‐0224‐1135

Page 2

About the Presenter

Chris Williams is an Enterprise Cybersecurity Architect at Leidos, Inc. He has been designing, deploying, and operating cybersecurity solutions for government and commercial clients for over 20 years, and holds a patent for e‐commerce technology.

Co‐author of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced Threats

Page 3

About Leidos

• Formerly part of Science Applications International Corporation (SAIC)
• Fortune 500® solutions leader with over $5 billion annual revenue
• About 22,000 employees
• Businesses: National Security, Health, Engineering

(Figure: business areas National Security, Engineering and Health, with Cybersecurity)

Page 4

Agenda

1. The Cyberdefense Challenge
2. Anatomy of a Targeted Attack
3. Axioms for Modern Cyberdefense
4. Pragmatic Cyberdefense
5. Today’s Cybersecurity “Top Ten”
6. “Houston, We Have a Systems Problem”
7. Generations of Weapons Systems
8. Generations of Malware
9. Generations of Cyberdefense
10. The Cyberdefense Pyramid
11. A Cybersecurity Program Framework
12. Closing Thought

Page 5

1. The Cyberdefense Challenge

In a complex environment:
– Flaws are inevitable
– Systems malfunction
– People make mistakes

Therefore:
– Attackers can always gain a foothold, eventually
– If defenders can’t detect and catch the attackers on the inside, the attackers will eventually succeed

Attackers will always have lucky breaks. However, an attacker’s lucky break should not be the end of the defense.

Page 6

2. Anatomy of a Targeted Attack

Targeted attacks methodically work through victim defenses… The sequence gives defenders opportunities to succeed…

(Figure: the attack sequence, Attacker → Establish Foothold → Command & Control → Escalate Privileges → Move Laterally → Complete the Mission, with example techniques grouped by phase)

Establish Foothold – Initial Incursion via Malicious Email, Malicious Web Site, Endpoint Vulnerability, Application Vulnerability, Server Vulnerability, or Buy Access, yielding a Compromised Endpoint, Compromised Server, Compromised Mobile Device, Compromised User Account, Internet‐Facing User Account, or Web Site WebShell
Command & Control – Outbound Web Connection, Protocol Tunneling, Maintain Persistence
Escalate Privileges – Password Keylogger, Harvest Credentials, Pass the Hash / Ticket, Exploit Vulnerabilities, Hijack Sessions
Move Laterally – Remote Shell, Remote Desktop, Remote Admin Tools, Network Mapping, Share Enumeration
Complete the Mission – CONFIDENTIALITY: Exfiltrate Data; INTEGRITY: Modify Data; AVAILABILITY: Destroy Data

Page 7

3. Axioms for Modern Cyberdefense

Page 8

4. Pragmatic Cyberdefenses

• Rather than strive for “perfection,” strive for “good enough”:
– Focus on real‐world attacks that are most likely to occur
– Repel attacks when they occur, then improve defenses

• Design defenses to impede the attack:
– Disrupt
– Detect
– Delay
– Defeat

(Figure: a funnel from Many Initial Attacks, through Disrupt, to Fewer Penetrations, then alternating Detect and Delay stages, to Defeat)

Page 9

Pragmatic Cyberdefense: Audit First

• Don’t try to protect everything
• Design security around the threats:
– How do you search for the threat?
– What logs do you need to detect the threat?
– Can you alert when the threat occurs?
– Can you block the threat so it does not succeed?

(Figure: Threat Analysis drives Audit Controls, then Forensic Controls, Detective Controls, and Preventive Controls, in that order)
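Worked example, added here and not part of the slides or the authors’ book: the four questions above applied to one threat from the attack sequence, credential reuse for lateral movement (Harvest Credentials, Pass the Hash / Ticket, Remote Admin Tools, Share Enumeration). The logs needed are successful‐logon events (Windows Security event 4624) from every server, aggregated centrally; the search is one account performing network logons to many distinct hosts in a short window; the alert fires when that count crosses a threshold. The key=value log format, host names, accounts, thresholds and the host inventory are all constructed for this example; real 4624 events carry the same fields in XML and would need a different parser.

```python
"""Threat-driven detection, worked through the 'Audit First' questions for one
threat: credential reuse for lateral movement (pass-the-hash style).

Assumption (constructed for this example): the log is a simplified key=value
rendering of Windows Security event 4624 (successful logon). Real events carry
the same fields (TargetUserName, Computer, IpAddress, LogonType,
AuthenticationPackageName) in XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Normal activity for alice and bob; then the account
# svc_backup, used from alice's workstation (10.1.5.20), authenticates over
# NTLM to five servers in three minutes, which is what pass-the-hash looks like.
SAMPLE_LOG = """\
time=2015-10-29T09:00:05 event=4624 user=alice host=FS01 src=10.1.5.20 type=3 pkg=Kerberos
time=2015-10-29T09:42:17 event=4624 user=alice host=MAIL01 src=10.1.5.20 type=3 pkg=Kerberos
time=2015-10-29T10:03:40 event=4624 user=bob host=ADMIN-WS7 src=- type=2 pkg=Kerberos
time=2015-10-29T10:15:02 event=4624 user=bob host=FS01 src=10.1.9.7 type=3 pkg=Kerberos
time=2015-10-29T11:30:11 event=4624 user=bob host=FS02 src=10.1.9.7 type=3 pkg=Kerberos
time=2015-10-29T12:48:55 event=4624 user=bob host=WEB01 src=10.1.9.7 type=3 pkg=Kerberos
time=2015-10-29T13:02:10 event=4624 user=svc_backup host=FS01 src=10.1.5.20 type=3 pkg=NTLM
time=2015-10-29T13:02:31 event=4624 user=svc_backup host=FS02 src=10.1.5.20 type=3 pkg=NTLM
time=2015-10-29T13:03:04 event=4624 user=svc_backup host=WEB01 src=10.1.5.20 type=3 pkg=NTLM
time=2015-10-29T13:04:49 event=4624 user=svc_backup host=HR-DB01 src=10.1.5.20 type=3 pkg=NTLM
time=2015-10-29T13:05:12 event=4624 user=svc_backup host=DC01 src=10.1.5.20 type=3 pkg=NTLM
"""

# Hosts that should be forwarding security logs (constructed inventory).
EXPECTED_HOSTS = ["ADMIN-WS7", "DC01", "DC02", "FS01", "FS02", "HR-DB01", "MAIL01", "WEB01"]


def parse_event(line):
    """Turn one key=value line into a dict; return None for malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        fields["time"] = datetime.fromisoformat(fields["time"])
    except (KeyError, ValueError):
        return None
    return fields


def missing_log_sources(lines, expected_hosts):
    """'What logs do you need?': inventory hosts that never reported an event.
    A host you cannot see is a host where this threat is undetectable."""
    seen = {ev["host"] for ev in map(parse_event, lines) if ev is not None}
    return sorted(h for h in expected_hosts if h not in seen)


def lateral_movement_alerts(lines, max_hosts=3, window=timedelta(minutes=10)):
    """'How do you search / can you alert?': one account performing network
    logons (LogonType 3) to max_hosts or more distinct hosts inside a sliding
    time window. Returns one alert per account, for the widest window seen."""
    by_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev is None or ev.get("event") != "4624" or ev.get("type") != "3":
            continue
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end, ev in enumerate(events):
            while ev["time"] - events[start]["time"] > window:
                start += 1          # slide the window forward
            span = events[start:end + 1]
            hosts = {e["host"] for e in span}
            if len(hosts) >= max_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "user": user,
                    "hosts": sorted(hosts),
                    "sources": sorted({e["src"] for e in span}),
                    "first": span[0]["time"],
                    "last": ev["time"],
                    # NTLM everywhere is a triage hint for pass-the-hash, not proof.
                    "ntlm_only": all(e["pkg"] == "NTLM" for e in span),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("hosts not logging:", missing_log_sources(lines, EXPECTED_HOSTS))
    for alert in lateral_movement_alerts(lines):
        print(f"ALERT {alert['user']}: {len(alert['hosts'])} hosts in "
              f"{(alert['last'] - alert['first']).seconds}s from {alert['sources']}, "
              f"ntlm_only={alert['ntlm_only']}")
```

The fourth question, blocking, is deliberately not in the code: once the search shows which accounts reach which hosts from where, the preventive control is to remove the path (no NTLM for service accounts, administrative credentials valid only from administrative hosts, segmentation between user and server networks) rather than to tune the alert. Note also what `missing_log_sources` reports: a domain controller that forwards no events is a gap the detection cannot see into, which is why the slide puts audit controls ahead of detective ones.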

Page 10

Pragmatic Cyberdefense: Cyber Castles

We can learn from history by looking at medieval towns:
• Most of the productivity is in the undefended fields and village
• The town is lightly defended, but the castle is heavily defended
• To take the town, you have to control the castle

Fields = Regular Users

Town = Business Servers

Castle = Security Systems

Tower = Authentication Systems

Page 11

Pragmatic Cyberdefense: True Defense in Depth

Layer enterprise security so that the security infrastructure itself is the best protected:
• Each layer gives defenders an opportunity to detect and repel the attack
• Each layer’s defense can be somewhat porous – perfection is not required
• Defenses get stronger as attackers penetrate further inside
• Goal is to give defenders 2 or more opportunities to catch the attack

Users: lightly protected
Servers and Infrastructure: better protected
Security Systems: well protected
Authentication Systems: very well protected
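The layering goal above can be checked mechanically. The following is an added example, not code from the slides or the book: it models the slide’s four layers as zones, a segmentation policy as the zone‐to‐zone flows the network allows, and asks how many layers an attacker with a foothold in the user zone must cross before controlling the authentication systems. Everything in it is constructed: the zone and service names, the two policies, the set of services the defender assumes to be exploitable, and the rule that administration originates only from the security tier (my reading of “to take the town, you have to control the castle”, not something the slide states).

```python
"""Checking a segmentation policy against the layering rule on this slide.

Model (all constructed for this example): zones ordered least to most
protected, and a policy as (source zone, destination zone, service) flows the
network allows. Admin protocols give whoever holds valid credentials control
of the destination zone (the Pass-the-Hash -> Remote Admin Tools path in the
attack sequence); application protocols only give control if the defender
assumes that service could be exploited (a 'porous' layer).
"""
from collections import defaultdict, deque

ZONES = ("users", "servers", "security", "auth")   # the slide's four layers
ADMIN_SERVICES = {"rdp", "ssh", "smb", "winrm"}

# Assumption for this example: administration originates only from the
# security tier (the castle); admin protocols from any other tier are a finding.
ADMIN_TIER = "security"

# Constructed weak policy: helpdesk RDP straight to the domain controllers and
# user-to-server RDP short-circuit the layers.
WEAK_POLICY = [
    ("users", "servers", "https"),
    ("users", "auth", "kerberos"),
    ("users", "servers", "rdp"),
    ("users", "auth", "rdp"),
    ("servers", "auth", "kerberos"),
    ("servers", "security", "syslog"),
    ("security", "servers", "winrm"),
    ("security", "auth", "rdp"),
]

# Constructed hardened policy: the same business flows, but admin protocols only
# from the security tier; users and servers reach auth via authentication
# protocols alone.
HARDENED_POLICY = [f for f in WEAK_POLICY if f[2] not in ADMIN_SERVICES or f[0] == ADMIN_TIER]

# Services the defender assumes an attacker could exploit (each layer is porous).
BREACHABLE = frozenset({"https", "syslog"})


def control_edges(policy, breachable):
    """Flows an attacker can use to take control of the destination zone."""
    return [(s, d, svc) for s, d, svc in policy if svc in ADMIN_SERVICES or svc in breachable]


def shortest_control_path(policy, breachable=frozenset(), start="users", target="auth"):
    """BFS over control edges; returns the hops (src, service, dst) of the
    shortest path from a foothold in `start` to control of `target`, or None.
    Each hop is one layer crossed, i.e. one opportunity to detect the attacker."""
    adjacent = defaultdict(list)
    for s, d, svc in control_edges(policy, breachable):
        adjacent[s].append((svc, d))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        zone, hops = queue.popleft()
        if zone == target:
            return hops
        for svc, nxt in adjacent[zone]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(zone, svc, nxt)]))
    return None


def audit_policy(policy, breachable, min_layers=2):
    """Findings against three rules: zones must be known, admin protocols only
    from the admin tier, and at least `min_layers` layers between users and
    the authentication systems."""
    findings = []
    for s, d, svc in policy:
        if s not in ZONES or d not in ZONES:
            findings.append(f"unknown zone in flow {s} -> {d} ({svc})")
        if svc in ADMIN_SERVICES and s != ADMIN_TIER:
            findings.append(f"{svc} allowed from {s} to {d}: admin protocols should originate only from {ADMIN_TIER}")
    path = shortest_control_path(policy, breachable)
    if path is not None and len(path) < min_layers:
        route = " -> ".join(f"{s} -[{svc}]-> {d}" for s, svc, d in path)
        findings.append(f"only {len(path)} layer(s) between users and auth: {route}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "findings:", audit_policy(policy, BREACHABLE) or "none")
        print(name, "shortest control path:", shortest_control_path(policy, BREACHABLE))
```

On the weak policy the check reports a single‐hop control path (RDP from the user zone to the authentication systems) and flags both user‐originated admin flows; on the hardened policy the attacker must cross three boundaries, each of which is a place to detect. Changing `BREACHABLE` shows how much the count depends on which layers you assume to be porous: with `syslog` removed from the set there is no path at all on the hardened policy, which is the model telling you it has become optimistic, not that the network is safe.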

Page 12

5. Today’s Cybersecurity “Top Ten”

1. Emphasis on detection rather than protection
2. Less reliance on endpoint security
3. Network segmentation to provide defense in depth
4. Two‐factor authentication for system administrators
5. Application whitelisting for critical systems and assets
6. Log aggregation and security information and event management (SIEM)
7. 24x7 security monitoring to detect incidents
8. Forensics tools to track down attacks when they occur
9. Incident rapid response to repel attacks in real time
10. Security incident metrics tracking activities and threats

Page 13

6. “Houston, We Have a Systems Problem”

Albert Einstein: “We cannot solve our problems with the same thinking we used when we created them”

John Gall:  The Systems Bible

“Systems in general work poorly or not at all.”

“Any large system is going to be operating most of the time in failure mode.”

“Big systems either work on their own or they don’t.  If they don’t, you can’t make them. … Pushing on the system doesn’t help.”

Page 14

7. Generations of Weapons Systems

• Jet fighters since WWII are often grouped into generations
• Each generation represents a leap forward in capability and renders the previous generations obsolete

Images courtesy Wikipedia

The F‐15 has a claimed combat record of 101 victories and zero losses in actual air‐to‐air combat

Gen 1: F‐86 Sabre (1949)
Gen 2: F‐8 Crusader (1957)
Gen 3: F‐4 Phantom (1960)
Gen 4: F‐15 Eagle (1976)
Gen 5: F‐22 Raptor (2005)

Page 15

8. Generations of Malware

• Malware can also be grouped into generations
• Subsequent generations reflect increases in capability and threat

1. Static Virus
2. Network‐based Virus
3. Trojan Horse
4. Command and Control
5. Customized
6. Polymorphic
7. Intelligent
8. Autonomous and Polymorphic
9. Firmware and Supply Chain

(Figure: generations 1 through 9 plotted as sophistication against time, showing increasing sophistication, stealth and capability)

Page 16

9. Generations of Cyberdefense

• Cyberattacks and defenses can also be characterized as generations.
• We are now in the transition from Generation 2 to Generation 3.

1. Hardening the Host
2. Protecting the Network
3. Layered Defense and Active Response
4. Automated Response
5. Biological Defense

Page 17

Gen 1: Hardening the Host

Attacks
• Target unpatched host vulnerabilities
• Originate from attacker computers
• Exploit insecure protocols

Defenses
• Security Technical Implementation Guides (STIGs)
• Host hardening
• Regular patching
• Air‐gapping

The Challenge
• Increases in the numbers of Internet‐connected systems
• Multi‐user systems with large numbers of users
• Network‐connected systems becoming more important

Page 18

Gen 2: Protecting the Network

Attacks
• Automated tools scan and attack vulnerable systems
• Central control of compromised systems (botnets)
• Theft of data and credentials

Defenses
• Perimeter firewalls and defenses
• Private organizational networks (NAT)
• Automated endpoint management

The Challenge
• More and more devices to patch / harden / protect
• Vulnerable protocols / enterprise system architectures
• Vulnerabilities that are impossible to patch

Page 19

Gen 3: Layered Defense and Active Response

Attacks
• Follow the attack sequence to penetrate the enterprise
• Use the enterprise’s own security systems against it
• Conduct data theft on colossal scales

Defenses
• Defenses are layered using segmentation
• Security infrastructure is “armored” against attack
• Active detection and response

The Challenge
• Proliferation of external connections (VPN, cloud, partners)
• Little visibility or protection once attackers get inside
• Vulnerabilities in security and management systems

Page 20

Gen 4: Automated Response

Attacks
• Proliferate and consume incident response resources
• Defenders must prioritize and cannot investigate everything
• Swift, catastrophic attacks

Defenses
• Automated detection and response
• Rapid containment and reconstitution of affected systems
• Strict configuration control

The Challenge
• Proliferation of security technologies and complexity
• Labor and cost for active detection and incident response
• Speed of response against aggressive attacks

Page 21

Gen 5: Biological Defense

Attacks
• Malware installed via zero‐day and supply chain
• Autonomous and stealthy malware evades detection
• Acts like an insider attack once inside the environment

Defenses
• Defenses organized around the data, not the host or perimeter
• Analytics to recognize behavioral anomalies
• “Hunting” to find attacks

The Challenge
• Proliferation of vulnerable devices providing attackers with footholds and stepping points within the environment
• Stealthy malware and unknown / unpatched vulnerabilities

Page 22

10. The Cyberdefense Pyramid

Defenses build upon one another…

Generation 5: Host, Network, Detection, Response, Analytics
Generation 4: Host, Network, Detection, Response
Generation 3: Host, Network, Detection
Generation 2: Host, Network
Generation 1: Host

There is little point in deploying advanced defenses if basic defenses are not in place first

Page 23

11. A Cybersecurity Program Framework

A successful enterprise cybersecurity framework should:
• Coordinate architecture, policy, programmatics, IT life cycle, and assessments
• Enable organization, budgeting, delegation, and accountability
• Align well with the real‐world skills of cybersecurity professionals
• Enable decision‐making for strategy, prioritization, and executive reporting

Page 24

12. Closing Thought

With an ineffective cyber defense, the defender has to do everything perfectly to protect the enterprise.

With an effective cyber defense, the attacker has to do everything perfectly to attack it.

Which would you rather have?

Page 25

Thank You!
