Transcript of: 2009 10 22 Jeff Brown Raytheon ISA AIA Raytheon Information Sharing Webinar Entitled Information Assurance Strategy for the Rest of Us

Jeff Brown
CISO
22 October, 2009

An Information Assurance Strategy for the Rest of Us

Copyright 2009 Raytheon Company. All rights reserved.
Customer Success Is Our Mission is a registered trademark of Raytheon Company.

Sponsored by Aero Webinar Series

Page 2

Upcoming AIA/ISA Webinars

• Testing In A Real Environment Leads to Faster Cyber Security Innovation, featuring General (Ret.) Charles "Charlie" Croom, Vice President of Cyber Security Solutions, Lockheed Martin Information Systems & Global Services, and Curt Aubley, Chief Technology Officer (CTO), Lockheed Martin Operations & Next Generation Solutions. To be presented on 11/5/09

• Supply Chain Issues in Cyber Security: A Framework for Moving Forward, featuring Scott Borg, Director and Chief Economist (CEO) at the U.S. Cyber Consequences Unit. To be presented on 11/19/09

• Legal Framework for Securing Unified Communications, featuring Jeffrey Ritter, President, Waters Edge Consulting.

Page 3

Roadmap

The Environment

A Strategy Beyond Defense in Depth

3 Affordable Ways to Implement the Strategy

Page 4

The Advanced Persistent Threat

• Increasingly sophisticated cyber threats by hostile entities designed to gain control of your network for the long term

• Intellectual property theft on a grand scale

• Not just one particular country or group

• Aerospace companies are target #1!

Page 5

None of us, big or small, can stop a determined cyber attack from succeeding!

We can't rely on traditional defenses (good patching, firewalls, IDS, AV, etc.) in the age of social engineering and zero-day exploits

Page 6

But how much can you invest in cyber security?

Likely not a fraction of what DoD and the Big Primes are investing.

Page 7

So where does that leave us?

We can't stop e-mail or web browsing

Page 8

It would be easy to be pessimistic

But you'd be wrong

There is a strategy that can give you a lot of lift

Page 9

A Strategy for the Rest of Us

• Recognize they will get in.

• Work to detect and disrupt outbound command and control channels.

If intruders get in, but can't get back out, we win!

Page 10

If your infrastructure addresses the fact that intruders will get in, the number of intrusions becomes much less relevant.

Which has less risk?

• If 100 get in and can't get out, or only last a day before C2 monitoring finds them

• If 10 get in and have free rein for 3 months before a sys admin finds them

Page 11

The primary metric becomes Dwell Time

How long were you exposed?

Page 12

Your Goal

• Your goal should be to drive down Dwell Time any way you can.

• If Dwell Time trends down, your cyber security is improving

[Chart: days between compromise and discovery, plotted per incident/date]
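The dwell-time metric from the two slides above, computed per incident and checked for a downward trend. This is an added example, not material from the webinar; the incident records are constructed.

```python
from datetime import date

# Constructed incident records (not from the webinar):
# (incident id, compromise date, discovery date)
INCIDENTS = [
    ("INC-01", date(2009, 1, 10), date(2009, 4, 12)),  # found by a sys admin after ~3 months
    ("INC-02", date(2009, 2, 3),  date(2009, 3, 20)),
    ("INC-03", date(2009, 4, 1),  date(2009, 4, 22)),
    ("INC-04", date(2009, 5, 15), date(2009, 5, 23)),
    ("INC-05", date(2009, 6, 2),  date(2009, 6, 4)),
    ("INC-06", date(2009, 7, 9),  date(2009, 7, 10)),  # caught by C2 monitoring within a day
]

def dwell_days(compromised, discovered):
    """Dwell time in days; a discovery date before compromise is a data-entry error."""
    if discovered < compromised:
        raise ValueError("discovery date precedes compromise date")
    return (discovered - compromised).days

def dwell_series(incidents):
    """(discovery date, dwell days) per incident, ordered by discovery date."""
    return sorted((disc, dwell_days(comp, disc)) for _, comp, disc in incidents)

def trend_slope(series):
    """Least-squares slope of dwell time against discovery date (days per day).
    A negative slope means dwell time is trending down, i.e. security is improving."""
    if len(series) < 2:
        return 0.0
    origin = series[0][0]
    xs = [(d - origin).days for d, _ in series]
    ys = [y for _, y in series]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:  # all incidents discovered on the same day: no trend
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx

def improving(incidents):
    """True when the dwell-time trend across the incident history is downward."""
    return trend_slope(dwell_series(incidents)) < 0

if __name__ == "__main__":
    for disc, days in dwell_series(INCIDENTS):
        print(f"{disc}: {days} days exposed")
    print("improving" if improving(INCIDENTS) else "not improving")
```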

Page 13

So Focus on Outbound Traffic

• It's easier and the highest payoff!

• There is far less noise on outbound traffic

• It decouples malware detection from the vulnerability

Disrupt and Deny Adversary's Command and Control Traffic


Page 15

Blocking the Known

Discover and block C2 sites any way you can

You can use other people's money!

Collaboration is cheap. The return on investment is high


Page 17

You Don't Have to Share Much

• You're not admitting you were compromised, just that you found something

Share the outbound traffic info!

"We saw malware beaconing or communicating to www.badsite.org or 123.45.67.211"

Page 18

Collaboration Opportunities

Measure of Merit: is it near-real time?

• ISACs

• Amongst Yourselves

• Defense Industry Base Cyber Task Force

• Law Enforcement (InfraGard)

• Defense Security Information Exchange

Page 19

3 Ways to Make This Strategy Real

• Collaboration: Block the known C2

• Server Segregation: Channel the Unknown

• Web Authentication: Challenge the Unknown

Page 20

Servers - It's where the money is

• Servers are where the adversary wants to live
  - On 24x7
  - Contains the most valuable data

• Limit unknown traffic to and from them

Page 21

Channeling the Unknown

• Most servers have no business initiating traffic to the Internet except for very specific sites (updates, etc.)

• It is easy to enumerate valid destinations

"I'm sorry, file server, I can't connect you with www.badguy.com"

Page 22

Channel all Server Traffic

• Servers should only talk to the Internet through a known choke point to known sites
  - Put them in a separate subnet(s)
  - Point all to a separate proxy
  - Permit only mission essential sites
    - Proxy denies become meaningful
    - Allow sys admin 2-factor authentication overrides

• Above all, prohibit sys admin e-mail and surfing

Page 23

What Does That Do For You?

• No way for malware to beacon to owner

• To access a server, they must compromise a client and move laterally
  - Much noisier
  - Combine with two-factor authentication for servers and you really have something

• Experience shows that all malicious traffic moves to clients overnight

• And it cost nothing except the labor to consolidate server subnets and identify valid sites

Page 24

3 Ways to Make This Strategy Real

• Collaboration: Block the known C2

• Server Segregation: Channel the Unknown

• Web Authentication: Challenge the Unknown

Page 25

Challenge the Unknown

• All web proxy vendors categorize sites and update like AV

• The majority of malware C2 sites are new and therefore fall into the default uncategorized bin

• This presents us with an opportunity

"You want to go where?!!!"
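The three mechanisms from pages 15 to 25 (block the known C2 from shared indicators, channel server traffic through an allowlisting proxy with a 2-factor sys admin override, and challenge client requests to uncategorized sites with authentication) combined into one proxy decision function. This is an added example, not Raytheon's or any proxy vendor's code; the subnets, host names, category table and requests are constructed, and www.badsite.org / 123.45.67.211 are the sample indicators from page 17.

```python
from ipaddress import ip_address, ip_network

# Constructed policy data (assumptions, not from the webinar).
KNOWN_C2 = {"www.badsite.org", "123.45.67.211"}        # indicators shared by peers (page 17)
SERVER_SUBNETS = [ip_network("10.50.0.0/16")]          # the segregated server subnet(s)
SERVER_ALLOWLIST = {"updates.example-vendor.invalid"}  # mission-essential sites only
CATEGORIES = {"www.example-news.invalid": "news"}      # vendor categorization; absent = uncategorized

def is_server(src_ip):
    return any(ip_address(src_ip) in net for net in SERVER_SUBNETS)

def decide(src_ip, host, user_2fa=False, user_authenticated=False):
    """Return (action, alert) for one outbound request.

    Stage 1, block the known: any destination on the shared C2 list is blocked and alerted.
    Stage 2, channel the unknown: servers may reach only allowlisted sites; a sys admin
             may override with 2-factor authentication; any other server deny is meaningful.
    Stage 3, challenge the unknown: clients reach uncategorized sites only after authenticating,
             which beaconing malware cannot do.
    """
    if host in KNOWN_C2:
        return "block", True
    if is_server(src_ip):
        if host in SERVER_ALLOWLIST:
            return "allow", False
        if user_2fa:
            return "allow", False            # logged 2-factor override, not an alert
        return "deny", True                  # proxy denies from servers become meaningful
    if host not in CATEGORIES:
        return ("allow", False) if user_authenticated else ("challenge", False)
    return "allow", False

# Constructed sample requests: (src_ip, host, 2fa override, user authenticated)
SAMPLE_REQUESTS = [
    ("10.20.1.5", "www.example-news.invalid", False, False),        # client, categorized site
    ("10.20.1.5", "cdn-7f3.example-new.invalid", False, False),     # client, uncategorized site
    ("10.20.1.5", "cdn-7f3.example-new.invalid", False, True),      # same, after authenticating
    ("10.50.3.7", "updates.example-vendor.invalid", False, False),  # server, allowlisted
    ("10.50.3.7", "cdn-7f3.example-new.invalid", False, False),     # server, not allowlisted
    ("10.50.3.7", "cdn-7f3.example-new.invalid", True, False),      # sys admin 2-factor override
    ("10.20.1.9", "www.badsite.org", False, False),                 # client to a known C2 site
]

def triage(requests):
    """Return the (src_ip, host) pairs an analyst should look at (alert == True)."""
    return [(src, host) for src, host, tfa, auth in requests if decide(src, host, tfa, auth)[1]]
```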


Page 27

The Bottom Line: Don't Despair

Set yourselves up for success

By adding a C2 Denial Strategy to your existing Defense in Depth you can improve your cyber security greatly without breaking the bank
