ISSA SoCal Symposium 2015 v1 Leidos · 2016-07-10 · 10.Security incident metrics tracking...
Parts ©2015 Donaldson, Siegel, Williams, Aslam©2013 LEIDOS. ALL RIGHTS RESERVED.
Enterprise Cybersecurity: Building an Effective Defense
Chris Williams, Oct 29, 2015
14‐Leidos‐0224‐1135
About the Presenter
Chris Williams is an Enterprise Cybersecurity Architect at Leidos, Inc. He has been designing, deploying, and operating cybersecurity solutions for government and commercial clients for over 20 years, and holds a patent for e‐commerce technology.
Co‐author of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced Threats
About Leidos
• Formerly part of Science Applications International Corporation (SAIC)
• Fortune 500® solutions leader with over $5 billion annual revenue
• About 22,000 employees
• Businesses: National Security, Health, Engineering (with Cybersecurity spanning all three)
Agenda
1. The Cyberdefense Challenge
2. Anatomy of a Targeted Attack
3. Axioms for Modern Cyberdefense
4. Pragmatic Cyberdefense
5. Today’s Cybersecurity “Top Ten”
6. “Houston, We Have a Systems Problem”
7. Generations of Weapons Systems
8. Generations of Malware
9. Generations of Cyberdefense
10. The Cyberdefense Pyramid
11. A Cybersecurity Program Framework
12. Closing Thought
1. The Cyberdefense Challenge
In a complex environment:
– Flaws are inevitable
– Systems malfunction
– People make mistakes
Therefore:
– Attackers can always gain a foothold, eventually
– If defenders can’t detect and catch the attackers on the inside, the attackers will eventually succeed
Attackers will always have lucky breaks. However, lucky attackers should not be the end of the defense.
2. Anatomy of a Targeted Attack
Targeted attacks methodically work through victim defenses…
[Diagram: the targeted attack sequence, read left to right]
Initial Incursion → Establish Foothold → Command & Control → Escalate Privileges → Move Laterally → Complete the Mission, with Maintain Persistence and Hijack Sessions alongside the main sequence.
Labels shown in the diagram, in the order they appear: Server Vulnerability, Compromised Server, Compromised Endpoint, Application Vulnerability, Buy Access, Malicious Web Site, Malicious Email, Endpoint Vulnerability, Web Site Web Shell, Outbound Web Connection, Protocol Tunneling, Password Keylogger, Harvest Credentials, Pass the Hash / Ticket, Exploit Vulnerabilities, Remote Shell, Remote Desktop, Remote Admin Tools, Network Mapping, Share Enumeration, Compromised Mobile Device, Compromised User Account, Internet‐Facing User Account.
Mission outcomes shown: INTEGRITY: Modify Data; AVAILABILITY: Destroy Data; CONFIDENTIALITY: Exfiltrate Data.
The sequence gives defenders opportunities to succeed…
3. Axioms for Modern Cyberdefense
4. Pragmatic Cyberdefenses
• Rather than strive for “perfection,” strive for “good enough”:
– Focus on real‐world attacks that are most likely to occur
– Repel attacks when they occur, then improve defenses
• Design defenses to impede the attack:
– Disrupt
– Detect
– Delay
– Defeat
[Diagram: a funnel narrowing from Many Initial Attacks to Fewer Penetrations, with Disrupt, Delay, Detect and Defeat applied at successive stages]
Pragmatic Cyberdefense: Audit First
• Don’t try to protect everything
• Design security around the threats:
– How do you search for the threat?
– What logs do you need to detect the threat?
– Can you alert when the threat occurs?
– Can you block the threat so it does not succeed?
[Diagram: Threat Analysis driving Audit Controls, Forensic Controls, Detective Controls and Preventive Controls, in that order]
Pragmatic Cyberdefense: Cyber Castles
We can learn from history by looking at medieval towns:
• Most of the productivity is in the undefended fields and village
• The town is lightly defended, but the castle is heavily defended
• To take the town, you have to control the castle
Fields = Regular Users
Town = Business Servers
Castle = Security Systems
Tower = Authentication Systems
Pragmatic Cyberdefense: True Defense in Depth
Layer enterprise security to protect the security infrastructure best:
• Each layer gives defenders an opportunity to detect and repel attack
• Each layer’s defense can be somewhat porous – perfection not required
• Defenses get stronger as attackers penetrate further inside
• Goal is to give defenders 2 or more opportunities to catch the attack
Users: lightly protected
Servers and Infrastructure: better protected
Security Systems: well protected
Authentication Systems: very well protected
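The three slides above (the attack sequence, "Audit First", and "True Defense in Depth") share one practical question: given the logs you already collect, how far has an intruder progressed, and how many layers had a chance to catch them? The script below is an added example, not code from the slides or from Leidos. It maps constructed log events onto the deck's attack-sequence stages and defense-in-depth layers; the event names, the event-to-stage mapping and the sample log lines are all assumptions made for the example, and the per-host summary, the investigation ordering and the coverage-gap check are design choices of the example rather than anything the deck prescribes.

```python
"""Added example (not from the slides): map constructed log events onto the
deck's attack-sequence stages and defense-in-depth layers, so a defender can
see how far an intrusion progressed and how many layers had a chance to
catch it."""
from collections import defaultdict

# Attack-sequence stages in the order the deck draws them.
STAGES = ["Initial Incursion", "Establish Foothold", "Command & Control",
          "Escalate Privileges", "Move Laterally", "Complete the Mission"]

# Defense-in-depth layers from the "True Defense in Depth" slide.
LAYERS = ["Users", "Servers and Infrastructure", "Security Systems",
          "Authentication Systems"]

# Hypothetical event catalogue: event name -> (stage it evidences, layer whose
# logs produce it). Event names are assumed for this example, not the deck's.
EVENT_MAP = {
    "phish_attachment_opened": ("Initial Incursion", "Users"),
    "new_scheduled_task": ("Establish Foothold", "Users"),
    "outbound_beacon": ("Command & Control", "Servers and Infrastructure"),
    "credential_dump_attempt": ("Escalate Privileges", "Users"),
    "admin_share_mount": ("Move Laterally", "Servers and Infrastructure"),
    "edr_policy_change": ("Move Laterally", "Security Systems"),
    "bulk_data_transfer": ("Complete the Mission", "Servers and Infrastructure"),
}

# Constructed sample log, one "<timestamp> <host> <event>" record per line.
SAMPLE_LOG = """\
2015-10-29T09:01:00Z ws-042 phish_attachment_opened
2015-10-29T09:02:10Z ws-042 new_scheduled_task
2015-10-29T09:05:30Z ws-042 outbound_beacon
2015-10-29T09:20:00Z ws-042 credential_dump_attempt
2015-10-29T09:41:00Z ws-042 admin_share_mount
2015-10-29T10:00:00Z ws-042 printer_spooler_restart
2015-10-29T11:00:00Z srv-db-01 bulk_data_transfer
2015-10-29T11:15:00Z ws-117 phish_attachment_opened
"""


def parse_log(text):
    """Yield (timestamp, host, event) for each non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, event = line.split(maxsplit=2)
        yield ts, host, event


def summarize(text):
    """Per host: stages evidenced, layers that logged them, index of the
    furthest stage reached, and whether two or more layers had a chance
    to detect the activity (the deck's defense-in-depth goal)."""
    stages = defaultdict(set)
    layers = defaultdict(set)
    unmapped = defaultdict(int)
    for _, host, event in parse_log(text):
        if event not in EVENT_MAP:
            unmapped[host] += 1  # audit-first gap: no detection logic for it
            continue
        stage, layer = EVENT_MAP[event]
        stages[host].add(stage)
        layers[host].add(layer)
    summary = {}
    for host in set(stages) | set(unmapped):
        seen = sorted(stages[host], key=STAGES.index)
        summary[host] = {
            "stages": seen,
            "furthest": max((STAGES.index(s) for s in seen), default=-1),
            "layers": sorted(layers[host], key=LAYERS.index),
            "two_or_more_layers": len(layers[host]) >= 2,
            "unmapped_events": unmapped[host],
        }
    return summary


def hosts_to_investigate(summary):
    """Hosts showing activity past Initial Incursion, deepest stage first:
    the deck's point is that attackers must be caught once they are inside."""
    inside = [h for h, s in summary.items() if s["furthest"] >= 1]
    return sorted(inside, key=lambda h: (-summary[h]["furthest"], h))


def coverage_gaps(event_map=EVENT_MAP):
    """Audit-first check: which stages and layers have no log source at all."""
    covered_stages = {stage for stage, _ in event_map.values()}
    covered_layers = {layer for _, layer in event_map.values()}
    return {"stages": [s for s in STAGES if s not in covered_stages],
            "layers": [l for l in LAYERS if l not in covered_layers]}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host in hosts_to_investigate(report):
        print(host, report[host])
    print("coverage gaps:", coverage_gaps())
```

On the constructed log, ws-042 is seen at five stages through two layers (Users, Servers and Infrastructure), so the defense-in-depth goal of two opportunities was met even though the first one was missed; srv-db-01 shows only the final stage from a single layer, which is exactly the case the deck warns about. The coverage check reports that no event in the catalogue comes from the Authentication Systems layer, the kind of logging gap the "What logs do you need?" question is meant to surface before an incident rather than during one.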
5. Today’s Cybersecurity “Top Ten”
1. Emphasis on detection rather than protection
2. Less reliance on endpoint security
3. Network segmentation to provide defense in depth
4. Two‐factor authentication for system administrators
5. Application whitelisting for critical systems and assets
6. Log aggregation and security information and event management (SIEM)
7. 24x7 security monitoring to detect incidents
8. Forensics tools to track down attacks when they occur
9. Incident rapid response to repel attacks in real time
10. Security incident metrics tracking activities and threats
6. “Houston, We Have a Systems Problem”
Albert Einstein: “We cannot solve our problems with the same thinking we used when we created them”
John Gall: The Systems Bible
“Systems in general work poorly or not at all.”
“Any large system is going to be operating most of the time in failure mode.”
“Big systems either work on their own or they don’t. If they don’t, you can’t make them. … Pushing on the system doesn’t help.”
7. Generations of Weapons Systems
• Jet fighters since WWII are often grouped into generations
• Each generation represents a leap forward in capability and renders the previous generations obsolete
[Images courtesy Wikipedia]
Gen 1: F‐86 Sabre (1949)
Gen 2: F‐8 Crusader (1957)
Gen 3: F‐4 Phantom (1960)
Gen 4: F‐15 Falcon (1976)
Gen 5: F‐22 Raptor (2005)
The F‐15 has a claimed combat record of 101 victories and zero losses in actual air‐to‐air combat
8. Generations of Malware
• Malware can also be grouped into generations
• Subsequent generations reflect increases in capability and threat
[Chart: generations 1–9 plotted against Time (horizontal) and Sophistication (vertical), showing increasing sophistication, stealth and capability]
1. Static Virus
2. Network‐based Virus
3. Trojan Horse
4. Command and Control
5. Customized
6. Polymorphic
7. Intelligent
8. Autonomous and Polymorphic
9. Firmware and Supply Chain
9. Generations of Cyberdefense
• Cyberattacks and defenses can also be characterized as generations.
• We are now in the transition from Generation 2 to Generation 3.
1. Hardening the Host
2. Protecting the Network
3. Layered Defense and Active Response
4. Automated Response
5. Biological Defense
Gen 1: Hardening the Host
Attacks
• Target unpatched host vulnerabilities
• Originate from attacker computers
• Exploit insecure protocols
Defenses
• Security Technical Implementation Guides (STIGs)
• Host hardening
• Regular patching
• Air‐gapping
The Challenge
• Increases in the numbers of Internet‐connected systems
• Multi‐user systems with large numbers of users
• Network‐connected systems becoming more important
Gen 2: Protecting the Network
Attacks
• Automated tools scan and attack vulnerable systems
• Central control of compromised systems (botnets)
• Theft of data and credentials
Defenses
• Perimeter firewalls and defenses
• Private organizational networks (NAT)
• Automated endpoint management
The Challenge
• More and more devices to patch / harden / protect
• Vulnerable protocols / enterprise system architectures
• Vulnerabilities that are impossible to patch
Gen 3: Layered Defense and Active Response
Attacks
• Follow the attack sequence to penetrate the enterprise
• Use the enterprise’s security systems against itself
• Conduct data theft on colossal scales
Defenses
• Defenses are layered using segmentation
• Security infrastructure is “armored” against attack
• Active detection and response
The Challenge
• Proliferation of external connections (VPN, cloud, partners)
• Little visibility or protection once attackers get inside
• Vulnerabilities in security and management systems
Gen 4: Automated Response
Attacks
• Proliferate and consume incident response resources
• Defenders must prioritize and cannot investigate everything
• Swift, catastrophic attacks
Defenses
• Automated detection and response
• Rapid containment and reconstitution of affected systems
• Strict configuration control
The Challenge
• Proliferation of security technologies and complexity
• Labor and cost for active detection and incident response
• Speed of response against aggressive attacks
Gen 5: Biological Defense
Attacks
• Malware installed via zero‐day and supply chain
• Autonomous and stealthy malware evades detection
• Acts like an insider attack once inside the environment
Defenses
• Defenses organized around the data, not the host or perimeter
• Analytics to recognize behavioral anomalies
• “Hunting” to find attacks
The Challenge
• Proliferation of vulnerable devices providing attackers with footholds and stepping points within the environment
• Stealthy malware and unknown / unpatched vulnerabilities
10. The Cyberdefense Pyramid
Defenses build upon one another…
[Diagram: a pyramid of the five generations, each layer adding to the one below]
Generation 1: Host
Generation 2: Host, Network
Generation 3: Host, Network, Detection
Generation 4: Host, Network, Detection, Response
Generation 5: Host, Network, Detection, Response, Analytics
There is little point in deploying advanced defenses if basic defenses are not in place first
11. A Cybersecurity Program Framework
A successful enterprise cybersecurity framework should:
• Coordinate architecture, policy, programmatics, IT life cycle, and assessments
• Enable organization, budgeting, delegation, and accountability
• Align well with real‐world skills of cybersecurity professionals
• Enable decision‐making for strategy, prioritization, and executive reporting
12. Closing Thought
With an ineffective cyber defense, the defender has to do everything perfectly to protect the enterprise.
With an effective cyber defense, the attacker has to do everything perfectly to attack it.
Which would you rather have?
Thank You!