Know What You Are Protecting - antoanthongtin.vnantoanthongtin.vn/Portals/0/NewsAttach/2015/05/11 -...


Know What You Are Protecting

2014 Vietnam Information Security Day

December 2014

Philip Hung Cao

CISM, CCSK, CNSE, VTSP-NV

©2014, Palo Alto Networks. Confidential and Proprietary.

2

…changing what we do, how we think, how we construct our networks…

3

The Changes

Our Government Networks

Remote

CLOUD(s)

• Hospitals

• Universities

• Schools

• Libraries

• City services

• State services

• Federal services

4

The Evolution of The Network

Greater mobility, more applications, private, hybrid and public cloud use.

(Figure: applications and protocols seen on the network: VNC, SMB, pop3, snmp, dns, telnet, LDAP, ftp, SSL)

5

Data improves all of our services

(Figure: National government, “Local” government, Lower education, Higher education, Public Healthcare)

Your citizens’, students’, employees’, patients’ worlds are changing – so will yours.

6

INFORMATION SECURITY MANAGEMENT

Known threats

Identity compromise

Zero-day exploits / vulnerabilities

Evasive command-and-control

Unknown & polymorphic malware

Mobility threat

DATA IS LUCRATIVE FOR ALL

But governments are often not ready & operate in the blind despite these drastic changes

7

Vision

Connecting

– Your Citizens

– Your Students

– Your Patients

– Your Employees

to

– INFORMATION

When and where they need it

Securing it … contextually – ensuring the RIGHT people get the RIGHT information … SMART Security

8

The changing demand for data requires rethinking our security strategy

9

In the demand for access to more data, faster

Our network security has not kept up

• Add patchwork of security functions

• Stay in the comfort zone

• Focus on most frequent attack vectors

• Ignore lateral movements and callbacks

Know what is happening on your network

Start with the Basics

10

Visibility to applications, content and users

What is the status of your data use policies?

How are they enforced?

What is your data segmentation strategy?

Who is running what applications with what information?

Know the pitfalls

– Common applications and protocols are often used maliciously

– Common applications are highly targeted for exploits

– Malicious actors hide their C2 and other traffic within encrypted communications

– Attackers hide “in plain sight”

  – Normal hours

  – Normal traffic

  – Credential theft

11

Your Network has encrypted traffic – is it good or bad?

(Figure: TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Citadel, Aurora, BlackPOS)

12

Common Applications have heaviest exploit activity

10 applications transmitted 94% of the exploit logs

Source: Palo Alto Networks Application Usage and Threat Report (AUTR) – survey of >5,500 networks

13

IT and OT

(Figure: IT Network and SCADA/ICS Network)

14

Civilian agency – lack of segmentation example

(Figure: sequence of the example intrusion)

– Recon on agency and typical patterns

– Spearphished or waterholed executive

– Breached network with stolen credentials

– Moved laterally within network

– Maintain access

– Exfiltrated data

15

National Association of Counties

“We needed to take a proactive approach to managing the risk to our business caused by P2P and malware. Our existing firewall offered very limited visibility into what was happening on my network... I now know what is going on with my network, and I can proactively tackle issues before they become problems. I can also enforce policy for what applications are allowed on the network.”

- Bert Jarreau, CIO, NACo

• 3,066 county governments in the U.S.

• Resource for elected county officials

• Access value-added services: Grant submissions, population counts, economies, transportation funding and financing, etc.

• Access from locations all over the country

16

BEST PRACTICES

17

Best Practices for a Data-driven Government

Establish good data hygiene and data protection plan

– ISO 27000 series

– OECD privacy principles

– Government Security classifications

– Cloud Security Alliance (CSA) Cloud Controls Matrix

Regularly review data, application use cases with stakeholders

Review security and network architecture

Cultivate a workforce of joint ownership

– Network and security

– IT & SCADA

18

Tactics, including Network Segmentation

Establish ongoing visibility: All applications, content and use cases

– Contextual user access: Tie applications to users

– Block or tightly control unknown traffic

– “Decrypt and inspect” select applications

Segment the Network

– Eliminate the risk, eliminate free lateral movement throughout the organization

– Treat ICS/SCADA differently and lock down all but a short list of protocols

– Tie users to applications with centralized policies

  – Particularly important for mobile, operational users

– Consider all connected devices
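As an added example that is not part of the slides, the tactics above expressed as a small zone-based policy evaluator in Python: tie applications to users, block unknown traffic, decrypt and inspect selected applications, and keep ICS/SCADA behind a short protocol allowlist. The zone, user and application names, the group table and the allowlists are constructed for illustration, not any product's configuration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # one observed session; all values are constructed sample data
    src_zone: str    # originating zone: it, ot, ...
    dst_zone: str    # destination zone: dc, internet, scada, ...
    user: str        # identity the session is tied to, or "unknown"
    app: str         # identified application, or "unknown-tcp"/"unknown-udp"
    encrypted: bool  # whether the session is SSL/TLS encrypted

# Hypothetical policy tables: which user group may run which applications
# toward which zone; the scada zone gets a deliberately short protocol list.
ALLOWED = {
    ("it-users", "dc"): {"ldap", "smb", "web-browsing", "ssl"},
    ("it-users", "internet"): {"web-browsing", "ssl", "dns"},
    ("ot-engineers", "scada"): {"modbus", "dnp3"},
}
GROUP_OF = {"alice": "it-users", "bob": "ot-engineers"}
DECRYPT = {"ssl"}  # the select applications to "decrypt and inspect"

def evaluate(flow: Flow) -> str:
    """Return 'allow', 'allow+decrypt' or 'deny: <reason>' for one flow."""
    if flow.app.startswith("unknown"):       # block unknown traffic
        return "deny: unknown traffic"
    if flow.user == "unknown":               # contextual user access
        return "deny: session not tied to a user"
    # Segmentation: only the OT zone may talk to ICS/SCADA at all, so an
    # IT host (even with a permitted user) cannot move laterally into it.
    if flow.dst_zone == "scada" and flow.src_zone != "ot":
        return "deny: only the ot zone may reach scada"
    group = GROUP_OF.get(flow.user, "no-group")
    if flow.app not in ALLOWED.get((group, flow.dst_zone), set()):
        return f"deny: {flow.app} not permitted for {group} to {flow.dst_zone}"
    if flow.app in DECRYPT and flow.encrypted:  # allowed, but inspected
        return "allow+decrypt"
    return "allow"
# Constructed sample sessions covering each tactic.
SAMPLE_FLOWS = [
    Flow("it", "dc", "alice", "ldap", False),
    Flow("it", "internet", "alice", "ssl", True),
    Flow("it", "internet", "alice", "unknown-tcp", False),
    Flow("it", "scada", "alice", "modbus", False),  # IT host reaching ICS
    Flow("ot", "scada", "bob", "modbus", False),
    Flow("ot", "scada", "bob", "ssh", False),
    Flow("it", "dc", "unknown", "smb", False),
]
def audit(flows=SAMPLE_FLOWS):
    """Evaluate every flow; returns (flow, verdict) pairs for review."""
    return [(f, evaluate(f)) for f in flows]
```

Running audit() over the sample sessions shows only the LDAP and Modbus sessions passing cleanly, the SSL session passing into inspection, and everything else denied with its reason.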

19

Evolve into a Strategic Intelligence Team

• Transition “incident response”

• Consistent, repeatable process

• Senior leaders drive direction

• Follow Intel lifecycle

• Inform your “Community”

• Reduce alert data

• Automate correlation of security insights – from all critical locations

• Stop any point in the kill chain*

(Figure: Intel lifecycle: Direction, Collection, Analysis, Dissemination)

20

Cultivate an Innovative Workforce

• Increased efficiency

• New revenue streams

• Better citizen connectedness

• Competitive differentiation

• Improved government: citizen/patient/student experience

Cultivate a New Information Security mindset

21

SMART GOVERNMENT needs SECURE GOVERNMENT

22

THANK YOU