By Sergio Heker
GLESEC
CLAB 2014 CONFERENCE
Cyber-Security Operations and Intelligence
A current perspective
September 10-12, 2014
Tel: +1 (609) 651 4246 Fax: +1 (609) 482 8244
State of Affairs in Cyber-Security
• We are under cyber-attack
» whether we like it or not
“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.” – Gartner, Inc., 2012
State of Affairs in Cyber-Security
“According to a Cisco examination of threat intelligence trends, malicious traffic is visible on 100 percent of corporate networks. This means there is evidence that sophisticated criminals or other players have penetrated these networks and may be operating undetected over long periods of time. “
Noteworthy:
» Advanced Persistent Threats (APT)
» Perimeter breach, detection and remediation
State of Affairs in Cyber-Security
• Records of 25,000 Homeland Security Employees Stolen in Cyber Attack
• Health care data breaches have hit 30M patients and counting
• Massive 300Gbps DDoS attack on media firm fuelled by unpatched server flaw
A few selected attacks from August 2014
State of Affairs in Cyber-Security
It’s global. No country is spared…
Source: Hackmageddon, August 2013
State of Affairs in Cyber-Security
Source: Hackmageddon, August 2013
State of Affairs in Cyber-Security
Banking sector: 9.5%
August 2013 report. Source: Hackmageddon, August 2013
State of Affairs in Cyber-Security
Incident Rates Across Monitored Industries
• Manufacturing 26.5%
• Finance and insurance 20.9%
• Information and communication 18.7%
• Health and social services 7.3%
• Retail and wholesale 6.6%
Source: IBM annual report, 2013
Nearly half of all incidents (47.4%) fall in just two vertical sectors
State of Affairs in Cyber-Security
• Many organizations prefer to think about this as if it were not happening to them
» ignoring the risk will not make it go away
• Some organizations consider this a technology problem with no impact on the bottom line
» seriously?
State of Affairs in Cyber-Security
• Many think that buying a product will reduce the chance of having their security compromised
» there is no magic pill…
• Organizations in general lack the dedicated info-sec personnel, focus and infrastructure to address cyber-attacks
» it is not their focus anyway…
“Organizations face an evolving threat scenario that they are ill-prepared to deal with.”
– Gartner. “Best Practices for Mitigating Advanced Persistent Threats.” January 2012.
State of Affairs in Cyber-Security
“The sophistication of the technology and tactics used by online criminals—and their nonstop attempts to breach network security and steal data—have outstripped the ability of IT and security professionals to address threats. Most organizations do not have the people or the systems to monitor their networks consistently and to determine how they are being infiltrated.” – Cisco 2014 Annual Security Report
The problem at hand…
• We must first recognize that there is a problem and that this problem can impact our organizations.
“Our experience shows that many organizations have not yet internalized the cyber-security risks that they are exposed to.” GLESEC
The problem at hand…
• We can define the problem as on-going risk identification and mitigation.
– Risk conditions vary with time
• Threats are growing
• Vulnerabilities are growing
– Vulnerabilities and threats reported by Cisco IntelliShield® showed steady growth in 2013: as of October 2013, cumulative annual alert totals had increased 14 percent year-over-year from 2012
– More assets are added on-line every second
The problem at hand…
• We can define the problem as on-going risk identification and mitigation (cont.)
– Complexity of countermeasures
• Countermeasures adapt to the changes in risk in a dynamic way
• New countermeasures are created every day to deal with new threats and vulnerabilities
– There is an on-going cost, which should be compared with the impact for decision-making purposes
The problem at hand…
• Countermeasure products provide an immense amount of information in real time that has to be analyzed and acted upon.
• This is an ideal Big Data application
• The information gathered is intelligence
• It becomes more valuable when more data sources are combined in a meaningful fashion.
The problem at hand…
In summary:
– There are growing risks due to increased threats and vulnerabilities
– There is growing complexity in defense mechanisms, and new countermeasures keep arriving on the market
– The volume of data for analysis and response continues to grow
– Limited info-sec resources are available to deal with this in-house
The problem at hand…
A case study
Organization type: Financial
Countermeasures in place: Firewalls; IDS/IPS; Anti-malware
Incident: The on-line banking system is brought down by a DoS/DDoS attack and remains down for a period of days
Situation: The organization did not have the "right" countermeasures. It did not have the focus to address this because of an insufficient number of personnel/resources and no dedicated security experts
Impact: Loss of potential business with clients; reputation; potential loss of clients
Lessons learned: Risk is changing. Countermeasures keep changing to adapt to risk. The organization should not spend internal resources on areas that are not its core business
Remediation: The organization outsourced its information security to a security firm. The organization receives an average of over 100,000 attacks per month, 4,000 of a critical nature. The countermeasures now in place are stopping attacks through correlation with other security sources, infrastructure and dedicated security experts
The problem at hand…
A case study
Organization type: Health care
Countermeasures in place: Firewalls; IDS/IPS; Anti-malware
Incident: Two internal systems are identified as carrying a variant of the Zeus malware
Situation: The organization has contracted an information security company that is monitoring and managing cyber-security incidents
Impact: Potential spread of the malware to over 10,000 internal systems. Potential compromise of all banking activity carried out by any of the institution's employees
Lessons learned: The organization had taken the right steps to ensure someone is monitoring and protecting it. Countermeasures are in place. The risk was averted
Remediation: The organization outsourced its information security to a security firm. The organization receives an average of over 3,000,000 attacks per month. The countermeasures now in place are stopping attacks through correlation with other security sources, infrastructure and dedicated security experts
How do we deal with this situation?
• Think risk mitigation as justification not ROI
• Think process not product
• Operations alone is not enough, this is an intelligence game
• Consider the strengths and weaknesses of your organization
How do we deal with this situation?
• Think risk mitigation as justification not ROI
– Follow a risk gap analysis to arrive at the right countermeasures for your organization
• Risk conditions
• Impact of these risk conditions
• Countermeasures to specific risk conditions
• Cost of these countermeasures
• Risk analysis and decision-making process
• On-going process
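The risk gap analysis above made concrete, as an added example that is not part of the original deck or of GLESEC's method. It assumes annual expected loss (likelihood times impact) as the risk metric, that each countermeasure removes a fixed fraction of a given risk condition, and a greedy selection that only adds a countermeasure when the expected loss it removes exceeds its on-going cost and it fits a budget. All figures, names and effectiveness values are constructed for illustration.

```python
"""Risk gap analysis: expected loss per risk condition, residual after countermeasures,
and selection of countermeasures whose on-going cost is justified by the risk removed."""

# Constructed figures for illustration only; likelihood, impact and effectiveness values
# are assumptions of this example, as is the use of annual expected loss as the risk metric.
RISK_CONDITIONS = {
    "bank account takeover": {"likelihood": 0.30, "impact": 400_000},
    "DDoS outage":           {"likelihood": 0.20, "impact": 600_000},
    "information leakage":   {"likelihood": 0.10, "impact": 900_000},
    "ransomware":            {"likelihood": 0.15, "impact": 300_000},
}
# Annual cost and, per risk condition, the fraction of that risk the countermeasure removes.
COUNTERMEASURES = {
    "two-factor authentication": {"cost": 40_000,  "reduces": {"bank account takeover": 0.8}},
    "DDoS mitigation service":   {"cost": 90_000,  "reduces": {"DDoS outage": 0.9}},
    "data leakage protection":   {"cost": 120_000, "reduces": {"information leakage": 0.6}},
    "end point security":        {"cost": 50_000,  "reduces": {"ransomware": 0.7,
                                                                "bank account takeover": 0.3}},
}

def expected_loss(risks, selected, measures):
    """Annual expected loss per risk condition after the selected countermeasures.
    Reductions from several countermeasures on one risk compound multiplicatively."""
    residual = {}
    for name, risk in risks.items():
        remaining = 1.0
        for m in selected:
            remaining *= 1.0 - measures[m]["reduces"].get(name, 0.0)
        residual[name] = risk["likelihood"] * risk["impact"] * remaining
    return residual

def gap_report(risks, selected, measures):
    """The risk gap: conditions still carrying expected loss, largest first."""
    residual = expected_loss(risks, selected, measures)
    return sorted(residual.items(), key=lambda kv: -kv[1])

def select_countermeasures(risks, measures, budget):
    """Greedy selection: repeatedly add the unselected countermeasure with the best
    risk reduction per unit cost, provided it removes more expected loss than it costs
    and still fits the budget. Returns (selected, residual total expected loss)."""
    selected, spent = [], 0.0
    while True:
        current = sum(expected_loss(risks, selected, measures).values())
        best, best_ratio = None, 1.0          # ratio must exceed 1: reduction > cost
        for name, spec in measures.items():
            if name in selected or spent + spec["cost"] > budget:
                continue
            after = sum(expected_loss(risks, selected + [name], measures).values())
            ratio = (current - after) / spec["cost"]
            if ratio > best_ratio:
                best, best_ratio = name, ratio
        if best is None:
            return selected, current
        selected.append(best)
        spent += measures[best]["cost"]

if __name__ == "__main__":
    chosen, residual = select_countermeasures(RISK_CONDITIONS, COUNTERMEASURES, budget=200_000)
    print("selected:", chosen)
    print("residual expected loss: %.0f" % residual)
    for name, loss in gap_report(RISK_CONDITIONS, chosen, COUNTERMEASURES):
        print("  gap %-22s %8.0f" % (name, loss))
```

Because the process is on-going, the inputs are meant to be revisited: when a risk condition's likelihood rises (a new DDoS campaign, a new Zeus variant) or a countermeasure's cost or effectiveness changes, rerunning the selection shows which gaps now justify spending and which countermeasures have stopped earning their cost.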
How do we deal with this situation?
Source: GLESEC
Certain Risk Conditions
• Bank account take-over – Zeus and other malicious apps
• E-commerce or other business site account take-over
• Physical destruction of systems under cyber attack – Iranian nuclear centrifuges, ARAMCO…
• Information destruction under cyber attack
• Information modification and altering under cyber attack
• Information leakage, confidentiality breach, intellectual property exposure
• Lack of availability of business-critical systems – DDoS attacks…
• Use of corporate assets to launch attacks on third parties – LIABILITY
• Use of corporate assets for non-business activities
• Non-compliance with regulations such as HIPAA/HITECH; GLBA; SOX; SBP-Panama; other
• Ransomware
• ……
Source: GLESEC
Sample list of Risk Conditions
How do we deal with this situation?
• Strong Authentication – two and three factors
• Secure Browsing – critical area of concern
• In-transit encryption – SSL vulnerabilities
• Application Firewall
• DDoS Protection and Attack Mitigation
• UTM Protection
• Sensitive Information Management and data leakage protection
• Privileged Identity Management – password management
• Advanced Persistent Threat (APT) protection
• Breach Detection
• End Point Security
• …..
Source: GLESEC
Sample list of Countermeasures
How do we deal with this situation?
• Think process not product
Countermeasures are not just products; they should include all the elements necessary to produce the desired risk mitigation, namely systems, personnel and processes.
It is our experience that when a countermeasure is not part of a security process, the countermeasure becomes obsolete.
How do we deal with this situation?
• The ISO 27001 international standard promotes the importance of a process for the on-going improvement of the organization’s information security (Information Security Management System – ISMS).
• This includes:
– Understand the organizational security requirements and the need to establish policies and goals to manage information security.
– Implement and operate controls to manage the risks associated with information security.
– Monitor and audit information security.
– On-going improvement based on the monitoring of results against goals.
Think process not product
How do we deal with this situation?
• Operations alone is not enough, this is an intelligence game
– The operation of security systems is a necessary but not sufficient condition for obtaining the expected security protection.
– Security systems provide information that, when correlated with the appropriate sources and acted upon, provides the maximum benefit from each countermeasure.
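The correlation idea from the slides above (the countermeasure products feeding real-time information that is more valuable when sources are combined, and operations alone not giving the insight that correlation does) as an added example that is not part of the original deck or of GLESEC's platform. It takes constructed firewall and IDS records in an assumed "timestamp kind key=value…" line format, then applies three correlation rules: a single-source port-scan rule over firewall denies, and two cross-source rules that rate an IDS alert by whether the firewall blocked or allowed the same source/destination pair inside a time window. The signature names, addresses and window are assumptions.

```python
"""Correlate firewall and IDS records by host and time window into prioritised findings."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). The line format -- ISO timestamp, a kind
# token, then key=value pairs -- is an assumption of this example, not a product format.
FIREWALL_LOG = """\
2014-09-10T08:01:02Z DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2014-09-10T08:01:03Z DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2014-09-10T08:01:04Z DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2014-09-10T08:01:05Z DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2014-09-10T08:05:00Z DENY src=198.51.100.4 dst=192.0.2.20 dport=80
2014-09-10T08:30:00Z ALLOW src=192.0.2.55 dst=198.51.100.9 dport=443
"""
IDS_ALERTS = """\
2014-09-10T08:01:30Z ALERT sig="ET SCAN Nmap" src=203.0.113.7 dst=192.0.2.10
2014-09-10T08:31:10Z ALERT sig="Zeus C2 beacon" src=192.0.2.55 dst=198.51.100.9
2014-09-10T11:00:00Z ALERT sig="ICMP ping" src=198.51.100.4 dst=192.0.2.20
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one record into a dict with a datetime 'ts' and a 'kind'; None if malformed."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts, "kind": parts[1]}
    for key, value in KV_RE.findall(parts[2]):
        event[key] = value.strip('"')
    return event

def parse_log(text):
    """Parse a whole log, silently skipping lines that do not fit the format."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]

def correlate(fw_events, ids_events, window=timedelta(minutes=5)):
    """Three correlation rules over the two sources; returns findings, most severe first."""
    findings = []
    severity_rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}

    # Rule 1 (single source, firewall): the same source denied on three or more
    # distinct destination ports of one host inside the window looks like a port scan.
    denies = defaultdict(list)
    for e in fw_events:
        if e["kind"] == "DENY":
            denies[(e["src"], e["dst"])].append(e)
    for (src, dst), evs in denies.items():
        evs.sort(key=lambda e: e["ts"])
        ports = {e["dport"] for e in evs if e["ts"] - evs[0]["ts"] <= window}
        if len(ports) >= 3:
            findings.append({"host": src, "severity": "medium",
                             "reason": f"port scan of {dst}: {len(ports)} ports denied"})

    # Rules 2 and 3 (cross-source): an IDS alert is rated by what the firewall saw for
    # the same src/dst pair inside the window. Blocked traffic confirms the alert but the
    # attack failed; allowed traffic means the alert fired on a connection that went through.
    by_pair = defaultdict(list)
    for e in fw_events:
        by_pair[(e["src"], e["dst"])].append(e)
    for a in ids_events:
        near = [e for e in by_pair[(a["src"], a["dst"])] if abs(e["ts"] - a["ts"]) <= window]
        if not near:
            severity, why = "low", f"uncorroborated IDS alert: {a['sig']}"
        elif any(e["kind"] == "ALLOW" for e in near):
            severity, why = "critical", f"IDS alert '{a['sig']}' on traffic the firewall allowed"
        else:
            severity, why = "high", f"IDS alert '{a['sig']}' confirmed by firewall denies"
        findings.append({"host": a["src"], "severity": severity, "reason": why})

    findings.sort(key=lambda f: severity_rank[f["severity"]])
    return findings

if __name__ == "__main__":
    for f in correlate(parse_log(FIREWALL_LOG), parse_log(IDS_ALERTS)):
        print(f"{f['severity']:8} {f['host']:15} {f['reason']}")
```

Neither source alone ranks the sample correctly: the firewall sees the internal host's HTTPS session as ordinary allowed traffic, and the IDS on its own would put the Nmap scan and the beacon at a similar level. Combining them is what lifts the beacon that got through to critical and demotes the isolated ping alert to low, which is the "intelligence" the slides distinguish from keeping the systems running.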
How do we deal with this situation?
• Why Operations & Intelligence?
– Operations keeps the systems working properly
– Operations, however, does not have insight into what is actually happening
“Cyber-Intelligence is the extraction of information with the purpose of understanding and responding to attacks and their mitigation”, GLESEC
How do we deal with this situation?
• Consider the strengths and weaknesses of your organization
If necessary, outsource to experts when you cannot justify the internal investment or the diversion of business focus away from your core business
Closing Remarks
• If we adopt a risk-based model for justification and understand the dynamics of information security, then we can derive a methodology for handling cyber-security
• Risk-based model
• On-going process
• Methodology
Closing Remarks
• Countermeasures should be considered as changing dynamically and including products, personnel, systems and processes.
• An on-going, process-based methodology should be utilized
• An outsourcing strategy is sometimes the best solution for an organization.
Thank you