Transcript of: Cyber Defense Tool Limitations and What Our Leaders Should Be Doing About Them · 2019-05-14
Cyber Defense Tool Limitations and What Our Leaders Should Be
Doing About Them
Current state of cyber breaches, tool gaps, and future advancements
Tim Ryan
• Partner, Ernst and Young LLP, US Cyber Investigations Leader
• Lead cyber investigations for audit and non-audit clients
• Led the cyber security and investigations group at an international risk management firm
• Led the largest cyber squad in the US for the FBI and led one of the largest criminal computer forensic labs for the FBI
• Special agent and computer forensic examiner
• JD Rutgers; MS IT/IA Univ. MD
The views expressed in this presentation are my own and not necessarily those of EY. This presentation is for educational purposes only.
Perspective
• It’s not if you will get hacked, it’s how bad the hack will be.
• The perspective here is on the root cause and mitigation of cybersecurity failures.
Core problems
• Systems are detecting intruders and then nothing happens
  • Case study: alert 2 months prior to investigation
• Failing to eradicate the intruder
  • Clean the initial deployment of malware but do not understand how it has metastasized
• Common vulnerabilities
  • Technical debt. Lack of investment in system maintenance.
What is lacking from a tool perspective
• Too many false positives
• They are not automatically baselining the system, so detecting anomalies is difficult.
• The alerts do not automatically trigger the appropriate response. It gets handed to a human, which is where things sometimes go wrong.
• Training and experience dependencies are not factored into tool purchase
Diagram: Detection → Evidence destruction → Other detection and machines wiped → Company unable to look for attacker fingerprints → Unknown level of compromise
Developments: Integration and Orchestration
Workflow diagram: Alert → Drill → Extrapolate → Contain → Eradicate → Report
Diagram: Integration and Orchestration across detection systems, alerting workflows, and response integration
Developments: Training
• User Awareness
  • Phishing
  • Compliance/Policy
• Incident Response Planning and Table Top Exercises
  • A Table Top Exercise is a simulated event meant to tease out critical principles and identify response challenges
  • Operationalize policy (IRP) into tactical decision-making
Diagram: Training, spanning User Compliance and Policies, User Attack Sensitization, Corporate Table Top Exercise, and Corporate Simulated Attack
Developments: Endpoint focus
The endpoint is usually the workstation that a user is operating (either desktop or laptop). Many attacks begin by implanting malware on the endpoint. From here the attacker gains a foothold inside the castle and starts looking around for what he can steal.
Therefore the endpoint is often a critical piece of the attack. Effectively monitoring and controlling the endpoint is important, and it requires expert analysis.
Developments: Zero Trust Networks
The Problem With Trust
• Old paradigm
• Current attacks
What Zero Trust Looks Like
• All devices belong to an inventory
• All communications are encrypted
• Authorization is based on the device identity, the user identity, and the requested resource identity.
For example:
Tim Ryan, using an up-to-date, hardened corporate laptop, wants to access his corporate email.
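As an added illustration (not from the presentation), the example above expressed as a policy decision: a request is allowed only when the channel is encrypted, the device is in the inventory and enrolled to the requesting user, its posture is up to date and hardened, and the user is entitled to the resource. All names, device ids, posture attributes and entitlements below are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str       # user the device is enrolled to (assumed inventory attribute)
    patched: bool    # "up to date" on the slide
    hardened: bool   # hardening baseline met (assumed posture check)


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    encrypted: bool  # transport is encrypted (e.g. TLS); "all communications are encrypted"


# Constructed sample inventory: only inventoried devices can ever be authorised.
INVENTORY = {
    "lt-0042": Device("lt-0042", owner="tim.ryan", patched=True, hardened=True),
    "lt-0099": Device("lt-0099", owner="tim.ryan", patched=False, hardened=True),
}

# Constructed entitlements: which user identity may reach which resource identity.
ENTITLEMENTS = {"tim.ryan": {"corporate-email"}}


def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Each check maps to one bullet on the slide;
    the first failing check denies, so an unknown device never reaches posture checks."""
    if not req.encrypted:
        return False, "unencrypted channel"
    device = INVENTORY.get(req.device_id)
    if device is None:
        return False, "device not in inventory"
    if device.owner != req.user:
        return False, "device not enrolled to this user"
    if not (device.patched and device.hardened):
        return False, "device posture failed (must be up to date and hardened)"
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False, "user not entitled to resource"
    return True, "user, device and resource identities all verified"
```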
Developments: Security as a product of cloud migration
• Hygiene
• Security at Scale
Diagram: side-by-side comparison ("versus")
Developments: Defense and Response
Diagram: Defense and Response