Turning Your Cybersecurity Toddlers… Into Warriors!

Simple lessons to fill the knowledge gap within your staff

Shira Shamban (@shambanIT), Dome9 Security

Page 7:

You and your staff are NOT going to keep up with technology

Page 8:

Today, Enterprises Average…

different security vendors installed in their company to solve problems

ZDNet – “Security landscape plagued by too many. Nov. 2016

Page 10:

ALERT!!!! ALERT!!!! ALERT!!!! ALERT!!!! ALERT!!!!

You and your staff are NOT going to keep up with technology

Page 13:

Top 5 Causes of Data Breaches in Healthcare

Protected Health Information Data Breach Report, Verizon – March 2018

#1. Human Error: 33.5%

#2. Misuse: 29.5%

#3. Physical (mostly theft): 16.3%

#4. Hacking: 14.8%

#5. Malware: 10.8%

The elephant in the figures is the number of incidents where the discovery was measured in months or years….

Page 14:

Top Three Causes – JDL Group – January 2018

#3. Human Error: Reuters reports 73% of data breaches happen because of the people operating machines

#2. Ransomware & Malware: Verizon recently reported ransomware is the fifth most common type of malware.

#1. Password Problems: 63% of investigated breaches involved weak, stolen or default passwords

Page 15:

Why So Much Phishing? It Works...

Page 16:

We All Have a Dave…

Page 17:

Understanding the Basics of CD/CR Security

Page 18:

We Don’t Need Faster Horses

“If I had asked people what they wanted, they would have said faster horses.” ― Henry Ford

Page 19:

So, what is the secret ingredient?

Page 20:

Understanding the Basics of CD/CR Security

“I don’t need logs, I have an AV”

“I keep all of my logs… I think”

“I use the default AWS configuration”

• Don’t monitor the logs, monitor the unusual findings

• 80% of the problems repeat themselves

• Whatever it is that you’re doing with your logs – It’s not working – time for a change

Page 22:

Logs Provide…

Page 23:

Your Logs are the Secret Ingredient

The Secret Recipe…

● How Long to Keep?

● Sources and Variety?

● Scalability

○ Easily add new (future) sources

● Detection Algorithms Used

○ How detailed/granularity

● Supporting User Interface

Page 24:

Typical Attack Vector

Attack: Phishing email → User clicked link → Username and password stolen → Criminal hacker has privileged access to AWS → Criminal hacker deployed bitcoin mining assets → Money loss!

Prevent: Awareness program; URL scanning for email; Enforce 2FA; Least privilege principle; Give very specific policies to users regarding assets

Detect: Detection tool; Detection tool; Monitor login patterns; Monitor activity patterns and unusual events, like creating new keys, users etc.; Monitor activity patterns and unusual events like new assets, unusual billing, CPU, DNS requests

A Complete 360 Degree View Is Impossible… Without Logs!

Page 25:

Typical Attack Vector

Attack: PII breach, including emails and passwords → User re-used password for AWS account → Criminal hacker has privileged access to AWS → Criminal hacker moves around the VPC, looking for sensitive DB → Criminal hacker encrypted DB, asking for ransom → Money loss, reputation, compliance

Prevent: Enforce strong password policy; awareness; Enforce 2FA, least privilege; least privilege; Backup!

Detect: haveibeenpwned; Monitor login patterns; Monitor internal port scan, failed login attempts; Monitor activity patterns and unusual events, like creating new keys, users etc.; Monitor unusual account activity

Remember! Logging is For EVERYONE
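The detect items on the two attack-vector slides above (login patterns, failed logins, new keys and users, new assets), sketched as an added example that is not part of the original deck. The flattened record layout, the baseline of known source IPs and the thresholds are assumptions; the event names are CloudTrail's.

```python
from collections import Counter

IDENTITY_EVENTS = {"CreateUser", "CreateAccessKey"}  # CloudTrail event names

def ev(user, name, ip, result="Success"):
    # Flattened record layout: an assumption made for this example.
    return {"user": user, "eventName": name, "sourceIPAddress": ip, "result": result}

# Constructed sample events (documentation IP ranges, invented users).
EVENTS = (
    [ev("dave", "ConsoleLogin", "203.0.113.7", "Failure")] * 3
    + [ev("dave", "ConsoleLogin", "203.0.113.7"),
       ev("dave", "CreateAccessKey", "203.0.113.7"),
       ev("dave", "CreateUser", "203.0.113.7")]
    + [ev("dave", "RunInstances", "203.0.113.7")] * 4
    + [ev("alice", "ConsoleLogin", "198.51.100.20"),
       ev("alice", "RunInstances", "198.51.100.20")]
)
KNOWN_IPS = {"dave": {"198.51.100.10"}, "alice": {"198.51.100.20"}}  # assumed baseline

def detect(events, known_ips, fail_threshold=3, launch_threshold=3):
    """Return sorted (rule, user, detail) findings; thresholds are assumptions."""
    findings, failures, launches = set(), Counter(), Counter()
    for e in events:
        user, name = e["user"], e["eventName"]
        if name == "ConsoleLogin":
            if e["result"] == "Failure":
                failures[user] += 1          # failed login attempts
            elif e["sourceIPAddress"] not in known_ips.get(user, set()):
                findings.add(("new-source-login", user, e["sourceIPAddress"]))
        elif name in IDENTITY_EVENTS:        # new keys, new users
            findings.add(("identity-change", user, name))
        elif name == "RunInstances":         # new assets
            launches[user] += 1
    for rule, counts, limit in (("failed-login-burst", failures, fail_threshold),
                                ("asset-burst", launches, launch_threshold)):
        findings.update((rule, u, str(n)) for u, n in counts.items() if n >= limit)
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(EVENTS, KNOWN_IPS):
        print(*finding, sep="\t")
```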

Page 26:

Love Your Logs!

Page 27:

Focus On The Big Rocks First

Page 28:

Automate Remediation

Repetitive problems are easier to remediate

Hire Expert(s) to Create Cluster - Address the Top 10 Recurring Problems

Hire Expert(s) to Prepare Appropriate Solutions

Allow Machine to Label Each Problem

If Yes – Auto Remediate

If No – Escalate to Human

Page 29:

Remediation – What’s The Future… Crowdsourcing

I have a problem

Other people have that problem (or similar)

I wonder how they solved it

I will share my solution with the community

Others will share their own solutions, we exchange knowledge

Security is improved!

Page 30:

Free Your Warriors!

Page 31:

Thank You

Any Questions? I Dare You!

Shira Shamban, Head of Security Research

@shambanIT