
Top Security Priorities 2018



Presentation Transcript


  1. Top Security Priorities 2018

  2. Agenda Defining Cybersecurity Cybersecurity Challenges Evolving our Strategy Cybersecurity Models Reactive to Proactive

  3. Defining Cybersecurity

  4. Defining Cybersecurity Information Security Physical Security IT Security IoT Security OT Security Cybersecurity Cybersecurity is an organizational challenge, not an IT, InfoSec, or compliance challenge.

  5. Defining Cybersecurity “Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services. A range of traditional crimes is now being perpetrated through cyberspace. This includes banking and financial fraud, intellectual property violations, and other crimes, all of which have substantial human and economic consequences.” – Source: U.S. Department of Homeland Security

  6. Cybersecurity Challenges

  7.–18. Cybersecurity challenges
  • Patching continues to be an issue both externally and internally
  • Application patching is less controlled than operating-system patching
  • Unsupported systems continue to be an issue
  • External vulnerabilities < internal vulnerabilities (as expected); now is the time to focus on internal
  • SSL/TLS issue totals are significant (particularly weak ciphers and protocol versions); not a major issue at this time, but something to watch in the future
  • Exploits and vulnerabilities continue to increase over time
  • Every few years there is a major “one-click” exploit: MS08-067, Heartbleed, Shellshock, MS15-034, MS17-010 (the SMB flaw behind WannaCry)
  • Most vulnerable ports: Windows 445 (SMB) and web 443 (HTTPS)
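The “weak ciphers and versions” finding above is what a vulnerability scanner reports per host. As an added example (not code from the deck or from Protiviti), the script below pins a client handshake to one protocol version at a time and classifies the result; the cipher-name markers in WEAK_CIPHER_MARKERS and the finding strings are assumptions for this example, and the probe only shows what this client's own OpenSSL build can negotiate, so a refused TLS 1.0 handshake does not by itself prove the server rejects it.

```python
import socket
import ssl
import sys

# Substrings in OpenSSL cipher-suite names that mark a legacy/weak suite.
# Assumed list for this example, not taken from the deck.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")

# Protocol versions that count as "weak versions" in the deck's finding.
LEGACY_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1")

# Versions this client will try to pin a handshake to (SSLv3 is omitted
# because current Python/OpenSSL builds cannot offer it at all).
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def is_weak_cipher(name):
    """True when an OpenSSL suite name carries a marker from WEAK_CIPHER_MARKERS."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def probe_version(host, port, label, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns the negotiated cipher-suite name, or None when the server (or
    this client's OpenSSL build) refuses that version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inventorying protocol support, not evaluating trust
    ctx.minimum_version = PROBE_VERSIONS[label]
    ctx.maximum_version = PROBE_VERSIONS[label]
    try:
        # Offer legacy suites too, so a weak server-side cipher can be observed.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # OpenSSL build without SECLEVEL support; continue with defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def probe_host(host, port=443):
    """Map each probed version label to the cipher negotiated, or None."""
    return {label: probe_version(host, port, label) for label in PROBE_VERSIONS}


def assess(results):
    """Turn {version_label: cipher_or_None} into scanner-style findings."""
    findings = []
    for label, cipher in results.items():
        if cipher is None:
            continue
        if label in LEGACY_VERSIONS:
            findings.append(f"legacy protocol accepted: {label}")
        if is_weak_cipher(cipher):
            findings.append(f"weak cipher negotiated on {label}: {cipher}")
    if not any(results.get(v) for v in ("TLSv1.2", "TLSv1.3")):
        findings.append("no modern protocol (TLS 1.2/1.3) negotiated")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    outcome = probe_host(target)
    for label, cipher in outcome.items():
        print(f"{label:8s} {cipher or 'refused'}")
    for finding in assess(outcome):
        print("FINDING:", finding)
```

Run it as `python probe_tls.py host` against a server you own. The separation between probe_host (network) and assess (pure classification) is deliberate: the classification can be unit-tested offline and reused on a scanner's export, and the probe can be swapped for a dedicated tool when the local OpenSSL cannot speak the legacy versions being checked.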

  19. Evolving our Strategy

  20. Evolving our Strategy 1. Most Cybersecurity Controls are Preventative in Nature
  Preventative Controls:
  • Firewalls / Next-Gen Firewalls
  • Intrusion Prevention Systems (IPS)
  • Anti-virus / Anti-malware
  • Application Whitelisting
  • Internet Proxies
  • Web Application Firewalls
  • Web Content Filters
  • Data Loss Prevention (DLP)
  • Network Admission Control (NAC)
  Detective Controls:
  • Intrusion Detection Systems (IDS)
  • Security Information and Event Management (SIEM)

  21. Evolving our Strategy 2. Cybersecurity is still a people problem • Security is not “Fire and Forget” • Preventative controls are not 100% effective. When they fail, we need a detective control in place • We can't respond to attacks we don't see coming • Having a defined response plan is key

  22. Evolving our Strategy 3. Prevention is ideal but detection is a must • There are three kinds of entities: • Have been hacked. • Will be hacked. • Won’t admit it.

  23. Evolving our Strategy 4. Shift focus from preventing attacks to preventing attacker success • Moving to a goal-oriented defense strategy • Assess your risk / know your environment and know what attackers are after • Detect attackers moving toward their goals and execute a rapid response • Increase Threat Intelligence (know your enemy) • Leverage security methodologies and models to your advantage

  24. Cybersecurity models

  25. Cyber Kill Chain – Attack, Defense and Internal Controls Cyber Kill Chain: Reconnaissance • Weaponization • Delivery • Exploitation • Installation • Command and Control • Actions on Objectives. The attack can be disrupted at any point in the kill chain. Ideally, a company will have controls at each point to create a defense-in-depth strategy. As the “cyber kill chain” model shows, cyber attacks can and do incorporate a broad range of malevolent actions, from spear phishing and espionage to malware and data exfiltration, that may persist undetected for an indefinite period.

  26. MITRE ATT&CK Framework Adversary lifecycle phases: Recon • Weaponize • Deliver • Exploit • Control • Execute • Maintain. ATT&CK tactics: • Persistence • Privilege Escalation • Defense Evasion • Credential Access • Discovery • Lateral Movement • Execution • Collection • Exfiltration • Command and Control. MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.

  27. Reactive to proactive

  28. What is threat hunting? A technique to uncover hidden threats that bypass both preventative and detective controls A proactive process of looking for traces of attackers in your IT environment An approach that applies threat intelligence, analytics, security tools and human analysis

  29. Why threat hunting?
  Increased stakeholder and Board concerns
  • High-profile breaches result in questions about organizational capabilities for detection and response
  • Breach detection may not be formally evaluated by Internal Audit
  • Due diligence should be conducted by at-risk organizations
  New, more targeted threats
  • Increasingly hostile cyber-security environment
  • Nation-state sponsored attacks on US companies
  • Criminal organizations focused on credit card and identity theft
  Increased regulatory and compliance attention
  • More regulatory agency scrutiny across the board
  • Increased industry regulation demands (e.g. PCI-DSS)
  • State and pending federal breach notification laws

  30. A Different Approach If you know the enemy and know yourself, you need not to fear the result of a hundred battles. Sun Tzu

  31. Let’s get to know the enemy Insider threats and compliance “threats” are a different presentation… Credit Card / PII Thieves Ransomware Crooks Wire Transfer Fraudsters Botnet Herders Political Attackers Intellectual Property Thieves

  32. Let’s get to know ourselves
  Easier Questions
  • What does our network look like (systems, network, users)?
  • Where is our sensitive data?
  • What are our weaknesses?
  Harder Questions
  • What programs should be running on our systems?
  • What type of traffic is “normal” for us?
  • What user activity is normal?
  What’s the Risk?
  • Not knowing what you have makes it hard to know what to protect.
  • Not knowing your weaknesses makes it hard to know where you will be hit.
  • Not knowing what is normal makes it hard to know what is abnormal.

  33. Approach to threat hunting
  Enterprise-Based Threat Hunting: Checking enterprise event logs (SIEM, IDS, FIM, etc.) for signs of hacking tools or customized malware used by attackers. Additionally, gather basic configuration from enterprise systems (running processes, registry, autoruns, etc.).
  Network-Based Threat Hunting: Examine network activity logs, netflow information and listening ports over a period of time for unusual destinations or patterns of activity that could indicate a persistent attacker connection.
  Host-Based Threat Hunting: Detailed analysis of running processes, memory dumps and file systems on a sample of systems, looking for signs of malware or malicious activity.

  34. Example Issues Uncovered
  • Uninvestigated connections are being made from the organization’s network to suspicious destinations (e.g., Russia, China).
  • Uninvestigated suspicious patterns of connections are being made from the organization’s network to external IP addresses (e.g., a connection every 5 minutes).
  • There is a high volume of non-business-critical traffic interfering with the ability to recognize a breach in progress.
  • Unauthorized programs are present on key servers without clear business rationale or formal approval.
  • Anti-virus detected hacking tools that could indicate an attacker was in the network, but such detections were not investigated (e.g., how did the tool get on the system?).
  • Key events are not being monitored or logged, hindering the detection and investigation of potential breaches.
  • Existing monitoring efforts are focused only on detecting common malware or hacking attempts, and no proactive searching for targeted attacks occurs.
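The network-based hunt described on slide 33 and the “connection every 5 minutes” finding on slide 34 come down to one measurement: how regular the gaps between connections from one host to one external destination are. As an added example (not code from the deck or from Protiviti), the script below runs that check over a constructed netflow-style export; the flow lines, the 6-event minimum and the 0.15 coefficient-of-variation threshold are assumptions for this example and would be tuned against real traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow export for this example (not data from the deck):
# timestamp,src,dst,dport,bytes. Lines are deliberately out of order.
#   10.0.0.5 -> 203.0.113.10:443  hypothetical beacon, ~5 min apart with jitter
#   10.0.0.7 -> 198.51.100.20:443 ordinary, irregular browsing
#   10.0.0.9 -> 198.51.100.4:22   perfectly periodic, but only three events
SAMPLE_FLOWS = """\
2018-03-01T08:00:00,10.0.0.5,203.0.113.10,443,512
2018-03-01T08:00:00,10.0.0.7,198.51.100.20,443,8120
2018-03-01T08:00:00,10.0.0.9,198.51.100.4,22,2300
2018-03-01T08:00:35,10.0.0.7,198.51.100.20,443,40011
2018-03-01T08:03:10,10.0.0.7,198.51.100.20,443,1200
2018-03-01T08:03:20,10.0.0.7,198.51.100.20,443,9600
2018-03-01T08:05:07,10.0.0.5,203.0.113.10,443,498
2018-03-01T08:09:56,10.0.0.5,203.0.113.10,443,530
2018-03-01T08:10:00,10.0.0.9,198.51.100.4,22,2300
2018-03-01T08:15:00,10.0.0.7,198.51.100.20,443,77000
2018-03-01T08:15:12,10.0.0.5,203.0.113.10,443,512
2018-03-01T08:19:51,10.0.0.5,203.0.113.10,443,501
2018-03-01T08:20:00,10.0.0.9,198.51.100.4,22,2300
2018-03-01T08:25:00,10.0.0.7,198.51.100.20,443,3100
2018-03-01T08:25:03,10.0.0.5,203.0.113.10,443,520
2018-03-01T08:26:00,10.0.0.7,198.51.100.20,443,15000
2018-03-01T08:30:05,10.0.0.5,203.0.113.10,443,512
2018-03-01T08:34:58,10.0.0.5,203.0.113.10,443,505
2018-03-01T08:45:00,10.0.0.7,198.51.100.20,443,2200
"""


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_beacons(flows, min_events=6, max_cv=0.15):
    """Flag (src, dst, dport) tuples whose inter-connection gaps are nearly constant.

    The coefficient of variation (stdev / mean of the gaps) sits near zero for
    a timer-driven implant and well above one for human-driven traffic.
    Tuples with fewer than min_events connections are skipped: two or three
    evenly spaced events prove nothing.
    """
    stamps_by_tuple = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        stamps_by_tuple[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), stamps in stamps_by_tuple.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()  # export order is not arrival order
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport,
                "events": len(stamps),
                "interval_s": round(avg),
                "cv": round(cv, 3),
            })
    hits.sort(key=lambda h: h["cv"])  # most regular first
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} every ~{hit['interval_s']}s "
              f"over {hit['events']} events (cv={hit['cv']})")
```

On the constructed data only the 10.0.0.5 beacon is reported, at roughly 300 seconds; the browsing host is rejected by its large variation and the SSH host by the event minimum. In practice the input is a netflow or Zeek conn.log export for a day or more, and each hit still needs the investigation step the deck calls for: who owns the destination, what process on the source opened the connection, and whether a business system explains the timer.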

  35. Thank You Mike Ortlieb Director, Protiviti mike.ortlieb@protiviti.com Orlando, FL 407.849.3940
