Defending Enterprise IT - beating asymmetricality


World’s biggest Hack?

• They’ve lost...everything

• Was their security ”make believe”?

• Can they survive?

Defending enterprise IT - Some best practices to mitigate cyber attacks

Going Above and Beyond Compliance

And staying away from Slide #1

About me

• Father of 3, happily married. I live in Luxembourg

• Head of IT for a Bank, and also independent IT/Infosec consultant. Any opinions presented here are my own and do not represent my employer.

• Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses)

• Member of the I am the Cavalry movement – trying to make connected devices worthy of our trust

• @ClausHoumann

• Find my work on slideshare

Cyber Security: ”State of the (European) Union”

• Threats are abundant and on the rise

• http://map.ipviking.com/ is a good way to illustrate/visualize this

• Existing tools, and even Next-Generation APT tools, don’t work. Examples:

– https://blog.mrg-effitas.com/wp-content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf

– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf

• The job of the enterprise defender is as much sorting through vendor bullshit and trying not to purchase crappy products as it is trying to build some actual skills

• Tools are not the solution

• No silver bullets exist

Infosec Vendors

• It’s an asymmetrical conflict

It’s an asymmetrical conflict

X-wing

• A lot of companies fail to focus on the basics

• Train your people!

Train Harder And Smarter

• Do not rely on compliance for security

Compliance

• Is

• NOT

• Security

• Which any of you who have ever attended a security conference will have already heard

• Compliance is preparing to fight yesteryear’s war

Want to beat asymmetricality? Here’s how:

• A strategic approach to security leveraging methods that work

Pyramids - this one is Joshua Corman’s.

Could be the best definition of Defense-in-Depth

Defensible Infrastructure

Operational Excellence

Situational Awareness

Counter-measures

The Foundation

Defensible Infrastructure

Software and Hardware built as ”secure by default” is ideal here. Rugged DevOps.

Your choices of tech impact you ever after

You must assemble carefully, like Lego

Without backdoors or Golden Keys!

Mastery

Operational Excellence

Master all aspects of your Development, Operations and Outsourcing. Train like the Ninjas!

– DevOps (Rugged DevOps)

– Change Management

– Patch Management

– Asset Management

– Information classification & localization

– Basically, all the cornerstones of ITIL

– You name it. Master it.

Gain the ability to handle situations correctly – Floodlights ON

Situational Awareness

”People don’t write software anymore, they assemble it” – quote Joshua Corman.

-> Know which lego blocks you have in your infrastructure

-> Actionable threat intelligence

-> Automate as much as you can, example: IOCs automatically fed from sources into the SIEM with alerting on matches

Are we affected by Poodle? Shellshock? WinShock? Heartbleed? Should we patch now? Next week? Are we under attack? Do we have compromised endpoints? Are there anomalies in our LAN traffic?
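The ”are we affected, should we patch now?” question is only answerable if the inventory of lego blocks exists and can be joined against advisories. As an added example (not code from the slides or from any of the projects named on them), here is a small Python check that does exactly that join for version-range advisories. The hosts, the inventory and the version ranges are constructed sample values, not authoritative vulnerability data; only the advisory names come from the slide.

```python
"""Added example, not from the slides: answer "which hosts are affected by X?"
from an asset inventory joined against version-range advisories.
All inventory entries and version ranges below are constructed for illustration."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    name: str        # advisory name as used on the slide
    component: str   # affected software component
    first: str       # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive upper bound)


# Constructed advisory table (version ranges are assumed for illustration only).
ADVISORIES = [
    Advisory("Heartbleed", "openssl", "1.0.1", "1.0.1g"),
    Advisory("Shellshock", "bash", "1.0", "4.3.25"),
]

# Constructed asset inventory: host -> {component: installed version}
INVENTORY = {
    "web-01": {"openssl": "1.0.1e", "bash": "4.3.30"},
    "web-02": {"openssl": "1.0.1h", "bash": "4.2.45"},
    "db-01": {"openssl": "0.9.8y", "bash": "4.3.30"},
}


def version_key(version):
    """Turn '1.0.1f' into a comparable tuple. Numeric pieces compare numerically;
    a trailing letter suffix (OpenSSL style) sorts after the bare number,
    so 1.0.1 < 1.0.1a < 1.0.1g < 1.0.2."""
    parts = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version piece: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_affected(version, adv):
    """True if version lies in [adv.first, adv.fixed)."""
    v = version_key(version)
    return version_key(adv.first) <= v < version_key(adv.fixed)


def affected_hosts(inventory=INVENTORY, advisories=ADVISORIES):
    """Return {advisory name: sorted list of hosts running an affected version}."""
    result = {adv.name: [] for adv in advisories}
    for host, components in inventory.items():
        for adv in advisories:
            installed = components.get(adv.component)
            if installed is not None and is_affected(installed, adv):
                result[adv.name].append(host)
    return {name: sorted(hosts) for name, hosts in result.items()}


if __name__ == "__main__":
    for name, hosts in affected_hosts().items():
        verdict = "patch now: " + ", ".join(hosts) if hosts else "not affected"
        print(f"{name}: {verdict}")
```

With the constructed data the check reports web-01 for Heartbleed and web-02 for Shellshock. Protocol-level issues such as Poodle need a configuration inventory (is SSLv3 enabled?) rather than a version lookup, so the same join has to be run against config state as well as package versions.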

Counter-measures

Counter that which you profit from countering

• Decrease attacker ROI below a critical threshold by applying countermeasures

• Most security tools fall within this category

• Limit spending until you’ve laid the foundational levels of the pyramid

Footnote: Cyber kill chain is patented by Lockheed Martin.

Mapping to other strategic approaches

Defensible Infrastructure

Operational Excellence

Situational Awareness

Counter-measures

Lockheed Martin patented

Nigel Wilson -> @nigesecurityguy

Defense-in-Depth

Defensible security posture via @Nigethesecurityguy

Kill chain actions

Source: Nige the security guy = Nigel Wilson

Defensive hot zones

• Basketball and other sports analysis ->

– FIND the HOT zones of your opponents.

• Defend there.

Hot zones!

• You need to secure:

– The (Mobile) user/endpoints

– The networks

– Data in transit

– The Cloud

– Internal systems

Sample protections added only, not the complete picture of course

Best Practices – High level

• Create awareness – Security awareness training

• Increase the security budget

– Justify investments BEFORE the breach.

– It’s easier when you’re actually being attacked. But too late.

• Use the Cyber Kill Chain model or Nigel Wilson’s ”Defensible Security Posture” to gain the capability to thwart attackers

• Training, skills and people!

Hot zone 1: Endpoints – A safe dreamworld PC

• Microsoft EMET 5.1

• No Java

• No Adobe Flash Player/Reader

• No AV (that one is for you @matalaz)

• Kill all executable files on the Proxy layer (.exe .msi etc.)

• (Not even needed but works if something evades the above):

– Adblocking extension in browser

– Invincea FreeSpace/Bromium Vsentry/Malwarebytes/Crowdstrike Falcon

Hot zone 1: A real world PC

• Microsoft EMET 5.1

• Java

• Adobe Flash Player/Reader

• AV

• Executable files kill you, so use:

– Adblocking extension in browser

– Invincea FreeSpace/Bromium Vsentry/Malwarebytes/Crowdstrike Falcon

– Secure Web Gateway

– White listing, black listing

And then cross your fingers

Hot zone 1, more

• PC defense should include:

– Whitelisting

– Blacklisting

– Sandboxing

– Registry defenses

– Change roll-backs

– HIPS

– Domain policies

– Log collection and review

– MFA

– ACLs/Firewall rules

– Heuristics detection/prevention

– DNS audit and protection

Hot zone 2: The networks

• Baselining everything

• Spot anomalies

• Monitor, observe, record

• Advanced network level tools such as Netwitness, FireEye, CounterAct

• Test your network resilience/security with e.g. Ixia BreakingPoint

• Don’t forget the insider threat
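”Baseline everything, spot anomalies” is the part of this slide that tools cannot do for you unless you know what normal looks like. As an added example (not from the slides, and not tied to any of the products named), here is a Python sketch of the idea: build a per-host baseline of outbound bytes and known destinations from a few days of flow summaries, then flag hosts whose traffic today deviates from their own history. The flow records, host names and the 5% spread floor are constructed assumptions.

```python
"""Added example, not from the slides: per-host traffic baseline plus anomaly
check. All flow records are constructed; destinations use documentation ranges."""
from collections import defaultdict
from statistics import mean, pstdev


def day_flows(day, host, total):
    # Constructed: split a day's outbound bytes between one internal and one
    # well-known external destination so each host has a "normal" destination set.
    half = total // 2
    return [(day, host, "10.0.0.5", half), (day, host, "203.0.113.9", total - half)]


# Constructed five-day history of daily outbound totals for two workstations.
HISTORY = [("d1", 40_000, 120_000), ("d2", 42_000, 125_000), ("d3", 38_000, 115_000),
           ("d4", 41_000, 120_000), ("d5", 39_000, 120_000)]
# Flattened to (day, src_host, dst, bytes_out) records, as a flow collector would emit.
BASELINE_FLOWS = [f for day, b17, b22 in HISTORY
                  for f in day_flows(day, "ws-17", b17) + day_flows(day, "ws-22", b22)]

# Constructed "today": ws-17 sends ten times its usual volume to a never-seen
# address, ws-22 behaves normally, ws-99 has no history at all.
TODAY_FLOWS = [
    ("ws-17", "10.0.0.5", 20_000),
    ("ws-17", "198.51.100.77", 380_000),
    ("ws-22", "10.0.0.5", 60_000),
    ("ws-22", "203.0.113.9", 64_000),
    ("ws-99", "203.0.113.9", 5_000),
]


def build_baseline(flows):
    """flows: (day, host, dst, bytes). Returns {host: (daily_totals, known_dsts)}."""
    totals = defaultdict(lambda: defaultdict(int))
    dsts = defaultdict(set)
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        dsts[host].add(dst)
    return {h: (list(totals[h].values()), dsts[h]) for h in totals}


def find_anomalies(baseline, today_flows, z_threshold=3.0):
    """Return {host: [reasons]} for hosts whose traffic today deviates from baseline."""
    today_total = defaultdict(int)
    today_dsts = defaultdict(set)
    for host, dst, nbytes in today_flows:
        today_total[host] += nbytes
        today_dsts[host].add(dst)

    findings = {}
    for host, total in sorted(today_total.items()):
        reasons = []
        if host not in baseline:
            # A talker with no history is itself worth a look (unknown asset?).
            reasons.append("no baseline for host (unknown asset?)")
        else:
            daily, known = baseline[host]
            mu = mean(daily)
            # Floor the spread at 5% of the mean (assumed tuning value) so a
            # perfectly flat history does not turn every byte of variation into an alert.
            sigma = pstdev(daily) or max(mu * 0.05, 1.0)
            z = (total - mu) / sigma
            if z > z_threshold:
                reasons.append(f"outbound volume {total} bytes, z={z:.1f} vs baseline mean {mu:.0f}")
            new = today_dsts[host] - known
            if new:
                reasons.append("new destinations: " + ", ".join(sorted(new)))
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_anomalies(build_baseline(BASELINE_FLOWS), TODAY_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

Two design points carry over to real deployments: compare each host against its own history rather than a fleet-wide average (a database server and a workstation have nothing in common), and treat ”no baseline at all” as a finding, since an asset that has never been seen before is exactly the kind of thing an insider or an unmanaged device produces.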

Hot zone 3+4: Data in Transit/Cloud

• Trust in encryption

• Great new mobile collaboration tools exist

• SaaS monitoring and DLP tools exist -> ”CloudWalls”

• Cloudcrypters

• And this for home study: https://securosis.com/blog/security-best-practices-for-amazon-web-services

Hot Zone 5

Best practices

• Use EMET

• Use advanced endpoint mitigation tools like Bromium Vsentry, Invincea FreeSpace, Malwarebytes, Crowdstrike Falcon

• Identify potential attackers and profile them

A safe(r) perimeter defense

• Avoid expense in depth

• Research and find the best counter measures

• Open Source tools can be awesome for example Suricata

• Full packet capture and Deep packet inspection/Proxies for visibility

• Watch and learn from attack patterns

Best practices - Mitigate risks

Source: Dave Sweigert

Automate Threat Intelligence IOC

• Use multiple IOC feeds

• Automate daily:

– IOC feed retrieval,

– Insertion into SIEM,

– Correlation against all-time logfiles,

– Alerting on matches

• Example: Splunk Splice can do parts of this
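The daily loop on this slide (retrieve feeds, insert into the SIEM, correlate, alert) and the earlier Situational Awareness point about IOCs fed automatically into the SIEM are the same mechanism. As an added example that is not code from the slides and has nothing to do with Splunk Splice, here is a Python version of the loop with the feed fetch and SIEM query stubbed by constructed inline data: two feeds in different formats, normalisation so that case and format differences do not hide matches, and correlation against a few constructed proxy, firewall and EDR log lines. Feed names, indicator values (documentation IP ranges, a .example domain, the SHA-256 of an empty file) and log lines are all constructed.

```python
"""Added example, not from the slides: retrieve -> normalise -> correlate -> alert
over IOC feeds. Feeds and log lines are constructed inline; in production the feed
text comes from HTTP fetches and the log lines from a SIEM search."""
import re
from collections import defaultdict

# Constructed feed 1: CSV with an explicit type column and a source tag.
FEED_CSV = """\
# type,value,tag
ipv4,198.51.100.23,c2-sample
domain,Bad-Updates.Example,dropper-sample
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,empty-file-hash
"""
# Constructed feed 2: one bare indicator per line, type must be inferred.
FEED_PLAIN = """\
bad-updates.example
203.0.113.77
"""
FEEDS = {"feed_csv": FEED_CSV, "feed_plain": FEED_PLAIN}

# Constructed log lines from three sources; only the tokens matter to the matcher.
LOGS = [
    "proxy 2014-11-20T09:12:01Z src=10.0.0.41 dst_host=bad-updates.example status=200",
    "fw    2014-11-20T09:12:05Z src=10.0.0.41 dst=198.51.100.23 dport=443 action=allow",
    "edr   2014-11-20T09:13:10Z host=ws-41 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 path=C:\\Users\\x\\a.exe",
    "proxy 2014-11-20T09:20:00Z src=10.0.0.77 dst_host=www.example.org status=200",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
KNOWN_TYPES = ("ipv4", "domain", "sha256")
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def classify(value):
    """Normalise an indicator and infer its type: (type, value) or (None, value)."""
    v = value.strip().lower()
    if IPV4_RE.match(v):
        return "ipv4", v
    if SHA256_RE.match(v):
        return "sha256", v
    if "." in v and " " not in v:
        return "domain", v.rstrip(".")
    return None, v


def parse_feeds(feeds):
    """feeds: {feed_name: text}. Returns {(type, value): set of feed names}, so an
    analyst can see when several independent feeds agree on an indicator."""
    iocs = defaultdict(set)
    for name, text in feeds.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = [f.strip() for f in line.split(",")]
            # CSV feed: value is the second column; bare feed: the whole line.
            raw = fields[1] if len(fields) >= 2 and fields[0] in KNOWN_TYPES else fields[0]
            kind, value = classify(raw)
            if kind is None:
                continue  # malformed entry: skip rather than alert on garbage
            iocs[(kind, value)].add(name)
    return iocs


def correlate(iocs, log_lines):
    """Return alerts as (line_index, type, value, sorted feed names). Every token in
    a line is classified and looked up, so the matcher is log-format agnostic."""
    alerts = []
    for i, line in enumerate(log_lines):
        seen = set()
        for tok in TOKEN_RE.findall(line):
            key = classify(tok)
            if key[0] and key in iocs and key not in seen:
                seen.add(key)
                alerts.append((i, key[0], key[1], sorted(iocs[key])))
    return alerts


def run_daily(feeds=FEEDS, log_lines=LOGS):
    """One iteration of the slide's loop: feeds -> IOC set -> correlation -> alerts."""
    return correlate(parse_feeds(feeds), log_lines)


if __name__ == "__main__":
    for idx, kind, value, sources in run_daily():
        print(f"ALERT line {idx}: {kind} {value} (feeds: {', '.join(sources)})")
```

Schedule `run_daily` from cron or the SIEM's own scheduler. The ”correlation against all-time logfiles” step on the slide is the expensive one: a newly published hash or domain has to be searched retrospectively, which is why hashes and domains should be indexed fields in the SIEM rather than substrings of raw events. Feeds also contain stale and wrong entries, so the feed attribution carried on each alert is what lets an analyst weigh a match that only one feed supports.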

Future threat trends

• 5G: The rise of the Android DDoS’er. 1 Gbit/s connections from phones that are easily hacked. Obvious threat?

• IPv6 – network reconnaissance is surprisingly easily done: https://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning-04. Damn, no security through obscurity to get there

• Countering Nation State Actors becomes a MUST

And the unexpected extra win

• Real security will actually make you compliant in many areas of compliance

Q & A

• Ask me questions, or I’ll ask you questions

Sources used

– http://www.itbusinessedge.com

– Heartbleed.com

– https://nigesecurityguy.wordpress.com/

– Lockheed Martin’s ”Cyber Kill Chain”

– Joshua Corman and David Etue from RSAC 2014 ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome”

– Lego