LMTE Cyber Security Spring Summit 20 May 2015 - Presenters' slides

LMTE & Cyber Security Special Spring Summit: Fact, fiction, foe or fortune?
May 20th, 2015 at 3.30pm – 5.30pm followed by networking drinks

WELCOME

•  LMTE – Who are we?
•  Membership is free
•  Our aim is to help educate, inform and allow for the exchange of concepts and practices
•  Experience new ideas and products from leading suppliers and professional services firms from across the globe
•  New membership cards
   •  They are yours to take away – bring them to future events
   •  Keep them safe
   •  They can be replaced, for a small admin charge
•  We’re delighted to see you – tell your colleagues – spread the word

Today’s running order

London Insurance Market: Threat vs Opportunity

Cyber Security Summit

Foreword: Adrian Rands, CEO, QuanTemplate
For data-driven decisions

Timeline (slide graphic):
•  2010: Stuxnet
•  2011: Sony customers, data theft, 77m
•  2013: Bank Muscat, ATM loss, $39m
•  Internet of Things
•  LSW983 / Lloyd’s Electronic and Computer Crime policy
•  2015: Autopilot systems
•  2018: First self-driving cars

Speakers:
•  Professor Roy Isbell, Principal Fellow of the University of Warwick, WMG Cyber Security Centre
•  Rashmi Knowles, Chief Security Architect at RSA, The Security Division of EMC
•  Daniel Beazer, Senior Consulting Analyst, Peer1 Hosting

Adrian Rands, CEO, QuanTemplate: @quantemplate, quantemplate.com/insights

“Cyber Hardening & the Future Enterprise” (Exploring the Current & Future Limits of the Cyber Environment)
Roy Isbell (Prof.) FIET FBCS CITP
LMTE Cyber Security Special Spring Summit

Current Trends (Symantec Internet Security Threat Report – 2015)

Targeted Attacks Increasing Across All Sectors

Industry Sectors Breached (Guide to Who is Under Threat)

•  Healthcare, retail, and education were ranked highest for the number of data breach incidents in 2014; the top three accounted for 58 percent of all data breaches.

•  The retail, computer software, and financial sectors accounted for 92 percent of all the identities exposed in 2014.

•  This highlights that the sectors suffering the most breach incidents are not necessarily the ones losing the largest caches of identities; retail is the exception, appearing in both lists.

Beyond the Information System (New Attack Vectors – Vectors of the Future)

Economic sectors (diagram; sources: Wikipedia, Roy Isbell):
•  Primary: Raw Materials – Agriculture, Fishing & Extraction (Mining)
•  Secondary: Manufacturing or Goods Production
•  Tertiary: The Service Sector or Service Industry
Cross-cutting: Transport; Communications

Business Sectors Getting Smarter (Business Drivers)

Business drivers:
•  Cost Reduction
•  Improved Performance / Productivity
•  Increased Safety

Product lifecycle: Human Control → Semi-Autonomous → Autonomous

Primary Sector (Raw Materials – Agriculture, Fishing & Extraction/Mining); images, sources unknown: Water; Mining Raw Materials; Oil & Gas Drilling/Collection; Aquaculture; Agriculture; Livestock Farming

Unusual Cyber (Modulated Water); process diagram: Modulated Water (data rates 35bps to 140bps) → Electrical Pulses → Data → Network Data → Processing → Satellite Communications → Network Data → Processing. Link rates shown: 140bps, 100Gbps, 1Mbps, 1Mbps, 100Gbps.

Secondary Sector (Manufacturing or Goods Production); images, sources unknown: Food Supply & Demand Chain; Automated Manufacturing; Water Management; Utility Supply Management; Automated Food Processing/Production; Retail Management

Tertiary Sector (The Service Sector or Service Industry); images: Integrated Health; Integrated Emergency Services; Integrated Waste Management; Integrated Transport (source: ETSI); Spectrum (source: Lumeta); other sources unknown

The Internet of Things (source: Beecham Research)

What is needed?
•  Human: understanding how cyber influences/impacts the human, or how the human influences/impacts cyber.
•  Situational Awareness: understanding and awareness of how all aspects of cyber are related.
•  Information/Data: identification of all sources of data & information used, the data flows and inter-dependencies.
•  Spectrum: multiple use of the spectrum from DC to light and beyond; mobility.
•  Systems: identify all the connected cyber systems, their relationships and their relative importance to the overall operation.
•  Infrastructure: knowledge of the physical infrastructure as well as the data and information infrastructure.
•  Environment: understanding the impact of the external environment – PESTEL.

CONTEXT: the set of circumstances or facts that surround a particular event or situation. (Source: Dictionary.com)
Source: Roy Isbell

Cyberspace & Context (CyberSpace Through a Context PRISM)

Context prism (diagram, source: Roy Isbell): Environment; Human; Awareness/Understanding; Information/Data; Systems; Spectrum; Infrastructure, applied to the Internet + the World Wide Web.

The Internet: a communications channel that we connect to in order to pass information.
The World Wide Web: a trading platform where information is exchanged.

Understanding Where We Are

Cyber–Physical Engineered Systems (Adding Sensing & Actuation); image source unknown
1.  Effectively command and control systems that are networked or distributed (i.e. employ networking and/or communications).
2.  Incorporate a degree of intelligence (adaptive or predictive).
3.  Work in real time to influence or actuate outcomes in the physical world.
4.  Found in transportation, utilities, buildings, infrastructure & health care.
5.  Use sensors to detect and measure physical parameters and actuators to control physical processes.
6.  Utilise feedback loops for monitoring, allowing degrees of autonomy.

Integrated Transport (Autonomous Vehicles); images:
•  Autonomous Shipping (source: Rolls Royce Holdings)
•  Autonomous Road Trains (source: Volvo)
•  Autonomous Planes (source: Northrop Grumman)
•  Autonomous Trains (source: Transport for London): Transport for London is considering plans to roll out driverless tube trains across the Underground network by 2020
•  The first commercially available semi-autonomous cars will be available in 2014 (E&Y Report)

Complex System of Systems (WHAT? – Complex Cyber Physical Engineered System)

List of Technologies to Create a Self-driving Vehicle (source: Byron Shaw, GM MD of Advanced Technology):
•  Collision Avoidance (Steering)
•  Vehicle-to-Vehicle Communication
•  Vehicle-to-Infrastructure Communication
•  Steer-by-Wire
•  Lane Keeping
•  Forward Collision Avoidance (Braking)
•  Driver Performance Monitor
•  Lane Sensing/Warning
•  Active Roll Control
•  Forward Collision Warning
•  Adaptive Cruise Control
•  Vision Enhancement
•  Near Obstacle Detection
•  Electronic Stability Control
•  Adaptive Variable-Effort Steering
•  Semi-Active Suspension
•  Traction Control
•  Anti-Lock Braking Systems

Complex System of Systems (HOW? – External Remote Access)

Diagram labels: Sensor Systems; Connecting Systems

Sensor Systems – constantly monitor the external environment to build a 360° picture that provides information to the command and control environment of the vehicle. (Influence, jamming & spoofing)

Infotainment – a combination of information and entertainment. (Access to vehicle subsystems for information, disruption, modification & control)

Telematics – the integrated use of telecommunications and informatics for control of vehicles on the move. (Access for information, disruption, modification & control)

Network Based Connectivity (HOW? – Expansion of the Attack Vectors)
•  Mobile Phone App – sync with Head Unit
•  Head Unit OS – Windows, Android or Linux variants
•  Laptop Access – through vehicle WiFi hotspot
•  4G Access – via mobile device
•  5G Access – via mobile device
•  New Vehicle Apps – access via Head Unit & mobile device
•  The Cloud – dedicated cloud services or generic web access
•  Bluetooth – device connect

All the security issues associated with information systems now apply to connected vehicles.

Vehicle Lifecycle (HOW? – The Insider Threat)

Vehicle lifecycle stages: Design & Manufacture; Sales & Distribution; Consumer / Owner; Maintenance (Maintainer / Valet); Fuel (Fossil / Gas / Bio / Electrical); Disposal.

Analysis of the vehicle lifecycle identifies those who are permitted to come into contact with the vehicle and their level of access. These individuals are the ‘Insiders’ to consider for the ‘Insider Threat’.

Maintainers – have physical access to the vehicle via technical equipment. Both the equipment and the personnel may be an attack vector.

In addition the vehicle software updating process needs to be considered as an attack vector, as does the use of Power Line Carrier technology to communicate between the vehicle, off-board charger and smart grid.

Access Control (as a function of):
•  Role – role based access control is not enough.
•  Function – consider adding function as an additional factor.
•  Time – consider using time to achieve removal of legacy access.
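The three factors above, worked through as an added Python example (not code from the slides or from any vehicle platform; the role names, function names, subject identifiers and the seven-day maximum grant lifetime are assumptions made for illustration). It contrasts plain role-based checking with a decision that also requires the specific function to have been granted and the request to fall inside a time window, so a technician's service-day access lapses on its own instead of lingering as legacy access:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Functions each role may invoke on the vehicle. Role and function names are
# constructed for this example; they do not come from the slides.
ROLE_FUNCTIONS: Dict[str, set] = {
    "owner": {"unlock_doors", "start_engine", "read_diagnostics"},
    "valet": {"unlock_doors", "start_engine"},
    "maintainer": {"read_diagnostics", "clear_fault_codes", "flash_firmware"},
}

# Upper bound on any grant (assumed policy): forgotten grants die on their own.
MAX_GRANT_DURATION = timedelta(days=7)


@dataclass(frozen=True)
class Grant:
    """One permission: subject may perform function, acting in role,
    only between not_before (inclusive) and not_after (exclusive)."""
    subject: str
    role: str
    function: str
    not_before: datetime
    not_after: datetime


def issue_grant(subject: str, role: str, function: str,
                start: datetime, duration: timedelta) -> Grant:
    """Issue a grant, refusing functions outside the role and unbounded or
    over-long windows (the 'time' factor from the slide)."""
    if function not in ROLE_FUNCTIONS.get(role, set()):
        raise ValueError(f"role {role!r} does not cover {function!r}")
    if not timedelta(0) < duration <= MAX_GRANT_DURATION:
        raise ValueError("duration must be positive and at most 7 days")
    return Grant(subject, role, function, start, start + duration)


def role_only_permits(role: str, function: str) -> bool:
    """Plain RBAC: holding the role unlocks every function in it, forever.
    Shown for contrast; the slide says this is not enough."""
    return function in ROLE_FUNCTIONS.get(role, set())


def permits(grants: Iterable[Grant], subject: str, function: str,
            at: datetime) -> bool:
    """Role + function + time: some grant must name this subject and this
    exact function, under a role that covers it, and be inside its window."""
    return any(
        g.subject == subject
        and g.function == function
        and g.function in ROLE_FUNCTIONS.get(g.role, set())
        and g.not_before <= at < g.not_after
        for g in grants
    )


def expired_grants(grants: Iterable[Grant], now: datetime) -> List[Grant]:
    """Grants that time has already closed; a periodic job deletes these so
    the policy store holds only live access and stays reviewable."""
    return [g for g in grants if g.not_after <= now]


# Constructed scenario: a dealer technician booked for a one-day service and
# a valet for an evening. Firmware flashing is deliberately not granted.
SERVICE_START = datetime(2015, 5, 20, 8, 0)
GRANTS: List[Grant] = [
    issue_grant("tech-42", "maintainer", "read_diagnostics",
                SERVICE_START, timedelta(hours=10)),
    issue_grant("tech-42", "maintainer", "clear_fault_codes",
                SERVICE_START, timedelta(hours=10)),
    issue_grant("valet-7", "valet", "unlock_doors",
                datetime(2015, 5, 20, 19, 0), timedelta(hours=3)),
]


def run_scenario() -> Dict[str, object]:
    during = SERVICE_START + timedelta(hours=2)
    evening = datetime(2015, 5, 20, 20, 0)
    later = SERVICE_START + timedelta(days=3)
    try:  # an open-ended grant must be refused at issue time
        issue_grant("tech-42", "maintainer", "flash_firmware",
                    SERVICE_START, timedelta(days=365))
        open_ended_refused = False
    except ValueError:
        open_ended_refused = True
    return {
        "rbac_only_flash": role_only_permits("maintainer", "flash_firmware"),
        "flash_during_service": permits(GRANTS, "tech-42", "flash_firmware", during),
        "diag_during_service": permits(GRANTS, "tech-42", "read_diagnostics", during),
        "diag_three_days_later": permits(GRANTS, "tech-42", "read_diagnostics", later),
        "valet_unlock_evening": permits(GRANTS, "valet-7", "unlock_doors", evening),
        "valet_diag_evening": permits(GRANTS, "valet-7", "read_diagnostics", evening),
        "open_ended_refused": open_ended_refused,
        "stale_grants_after_three_days": len(expired_grants(GRANTS, later)),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The role-only check says yes to firmware flashing for anyone who has ever been a maintainer; the combined check refuses it because that function was never granted for this job, and refuses even diagnostics once the service window has closed. expired_grants() is what a scheduled job would run to prune the store, which is the removal of legacy access the slide is after.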

Integrated Transport (The Movement of Goods and/or People)
Modes: Air; Maritime; Road; Rail; Metro / Underground. Carried: People; Goods.
Sources: Hitachi.com; Digital Age Transportation – The Future of Urban Mobility, Tiffany Dovey Fishman, Deloitte University Press; Roy Isbell DFM

Urbanisation (The Move to the City)

1950 – 2050 Rise in Urban Population (source: WHO)

Statistics:
1.  60% of the world population urbanised by 2030
2.  Urban population in developing countries will more than double
3.  New development often on coastal plains, increasing risk from severe weather & global warming

Challenges:
1.  Developed countries’ existing infrastructures already stretched
2.  Proactive management required for costly and scarce resources
3.  Technological advances allowing development of SMARTer cities
4.  Evolving systems of systems of systems(n) with complex and/or cascading failure
5.  Greater automation and system autonomy for cost reduction and improved productivity

Research:
•  The City as a Platform
•  Understanding Cyber–Physical Engineered Systems
•  Data & Systems Context
•  Resilience of Systems & Services
•  Deriving Cyber Security Needs

SMART Buildings (Where we Live, Work & Play); image sources: Hasibat Information Technologies; Arup Foresight & Innovation

Future SMART(er) Cities (A Complex Interconnected Environment); image source unknown
Built Environment: Commercial Buildings; Living Accommodation; Industrial Complex; Utility Provision
Infrastructure & Services: Medical; Transport; Refuse Collection; Utility Delivery; Food Supply Chain; Emergency Services

The Cyber Attack Triangle (WHEN? – Understanding the Pre-requisites for an Attack)

CIA – Cyber Attack Triangle: Access, Information, Capability

Access – in order for any attack to even be contemplated some form of access to the target is required. Access may be physical or remote.

Capability – to effect a successful attack the attacker requires the correct tools and techniques to interact with the target and influence or effect the changes required to achieve the desired outcome.

Information – before either access or capability may be achieved or determined, information (intelligence) on the target is required. The level of detailed information will determine the risk associated with any attack scenario being considered.

Like any three-legged stool, absence of any leg renders the stool useless.

Attack Anatomy – each attack follows a sequence of activities, with each activity, once completed, providing either information, access or a capability related to the target system.

Attack Motivators (Examples Related to Autonomous/Connected Vehicles)

Motivators: Crime (including financial); (H)Acktivism; Warfare; Terrorism (including corporate blackmail); Espionage (including industrial espionage)

Espionage – seeking unauthorised access to sensitive information (intellectual property, commercial information, corporate strategies, personal data, pattern of life) or using the vehicle as a reconnaissance tool:
•  State
•  Commercial

(H)Acktivism – seeking publicity or creating pressure on behalf of a specific objective or cause:
•  Disruption of specific businesses/organisations (supplier or end user)
•  Disruption of specific geographic areas (cities, routes)

Criminal – largely driven by financial gain, but may include gang related violence:
•  Theft of a vehicle
•  Theft from a vehicle
•  Hijack of a vehicle
•  Kidnap of a vehicle’s occupant(s)
•  Criminal damage

Terrorism:
•  Use of vehicle as a weapon
•  Attacks on vehicle and/or vehicle’s occupants
•  Disruption of transport systems/infrastructure

Warfare – conflict between nation states:
•  Disruption of transport systems/infrastructure to deny operational use
•  Disable specific modes of transport or vehicle types
•  Destruction of vehicles

New Models for Evaluating Cyber Security & Safety

CIA Triad (Bishop M. 2004): Confidentiality; Integrity; Availability
Parkerian Hexad (Parker DB 2002): Confidentiality; Possession/Control; Integrity; Authenticity; Availability; Utility
Cyber Security for Autonomous Systems (Boyes H. 2014): Confidentiality; Possession/Control; Integrity; Authenticity; Availability; Utility; Safety

Element              Relevance to CPES
Confidentiality      Protection of personal & other sensitive data
Possession/Control   Prevent unauthorised manipulation or control of systems
Integrity            Prevent unauthorised changes to or deletion of data & maintenance of system configuration
Authenticity         Prevention of fraud or tampering with data
Availability         Autonomous infrastructure able to operate without disruption or impairment
Utility              Maintaining data & systems in a useful state throughout their lifecycle
Safety               Prevention of harm to individuals, assets and the environment

Autonomous Systems Defence Capability Strategies

Prevent – the prevention of unauthorised users gaining access to subsystems, prevention of unauthorised modifications or changes to a system’s configuration, prevention of a system going into an unsafe or insecure mode of operation.

Protect – the protection of any data or information at rest, in transit or in operation using strong cryptographic and hashing techniques, and the protection of the access portals from unauthorised connection through strong authentication.

Detect – the detection of hardware or software modification outside of operating parameters, the detection of unauthorised activity within the system, the detection of anomalous activity within operating parameters.

Deny – the denial of access either physical or remote, the denial of code or hardware modification without approval, the denial of an attack using active defence measures.

Respond – the ability to respond (automatically or otherwise) to events before safety or security countermeasures are activated, the ability to respond after safety or security countermeasures have been activated.
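Protect (strong hashing), Detect (modification of software outside operating parameters) and the Integrity row of the table above meet in a keyed integrity baseline. The following is an added Python example, not code from the slides or from any product; the component paths, their contents and the verifier key are constructed for illustration. Each component is hashed with SHA-256 and the whole list is then authenticated with an HMAC under a key the device itself does not hold, so an attacker who can rewrite a component cannot also rewrite the baseline to hide it:

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed baseline: the approved contents of a few components on an
# autonomous platform. Paths and bytes are illustrative, not from any product.
APPROVED_IMAGE: Dict[str, bytes] = {
    "ecu/brake_controller.bin": b"\x7fELF...approved brake firmware v3.1...",
    "config/can_filter.conf": b"allow 0x100-0x1FF\ndeny *\n",
    "bin/telematics": b"#!/bin/sh\nexec /opt/telematics --upstream ota.example\n",
}

# Key held by the verifier (off-board, or in an HSM), never stored on the
# device in the clear. Constructed for the example.
MANIFEST_KEY = b"example-manifest-key-change-me"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entries: Dict[str, str]) -> bytes:
    """Deterministic encoding so the MAC is reproducible on any verifier."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes) -> Dict[str, object]:
    """Hash every component, then MAC the list. A plain hash list is not
    enough: whoever can rewrite the firmware can rewrite the hashes too,
    so the list itself must be keyed."""
    entries = {path: sha256_hex(content) for path, content in files.items()}
    mac = hmac.new(key, canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify(files: Dict[str, bytes], manifest: Dict[str, object],
           key: bytes) -> List[str]:
    """Return findings; an empty list means the system matches its baseline.
    The manifest MAC is checked first: if it fails, the baseline cannot be
    trusted and per-file results would be meaningless."""
    entries: Dict[str, str] = manifest["entries"]  # type: ignore[assignment]
    expected_mac = hmac.new(key, canonical(entries), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, str(manifest["mac"])):
        return ["manifest: MAC mismatch (baseline tampered with or wrong key)"]
    findings: List[str] = []
    for path in sorted(set(entries) | set(files)):
        if path not in files:
            findings.append(f"{path}: removed")
        elif path not in entries:
            findings.append(f"{path}: added, not in approved baseline")
        elif sha256_hex(files[path]) != entries[path]:
            findings.append(f"{path}: modified")
    return findings


def run_scenario() -> Dict[str, List[str]]:
    manifest = build_manifest(APPROVED_IMAGE, MANIFEST_KEY)
    clean = verify(APPROVED_IMAGE, manifest, MANIFEST_KEY)

    # Attacker opens up the CAN filter and drops an extra binary.
    tampered = dict(APPROVED_IMAGE)
    tampered["config/can_filter.conf"] = b"allow *\n"
    tampered["bin/.cache"] = b"\x7fELF...unapproved payload..."
    modified = verify(tampered, manifest, MANIFEST_KEY)

    # Attacker also re-hashes everything to cover tracks, but lacks the key.
    forged = build_manifest(tampered, b"wrong-key")
    cover_up = verify(tampered, forged, MANIFEST_KEY)
    return {"clean": clean, "modified": modified, "cover_up": cover_up}


if __name__ == "__main__":
    for name, findings in run_scenario().items():
        print(name, "->", findings or ["OK"])
```

The per-file digest gives the Detect capability (what changed, what appeared); the keyed manifest gives Integrity for the baseline itself, which is the part a naive hash list leaves exposed. In a fielded system the verifier key would live with the party doing the attestation, not on the ECU being checked.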

Managing Enterprise Cyberspace (Cyber Operations); diagram source: Roy Isbell DFM

The Edge Connected Human (Thoughts for Consideration); images, sources unknown and ETSI: Wearable Technology; Prosthetics & Implants; Senses As Sensors; Interaction

Thank You for Listening

Questions?


Where every interaction matters.

Risks and new technology. Presented by Daniel Beazer, Senior Consulting Analyst, 20th May 2015

Today’s Agenda
▪  Introduction to Peer1
▪  Changing face of risk in IT
▪  Traditional IT vs Agile
▪  A closer look at risk in two areas, one over-exaggerated, the other under-exaggerated
▪  Conclusions for the market
▪  A takeaway slide and Q&A

We are not good at assessing risk

“If you both own a gun and a swimming pool in your backyard, the swimming pool is about 100 times more likely to kill a child than the gun is.”

Us in a nutshell We are a global web infrastructure and cloud hosting company specializing in customized solutions for eCommerce, SaaS applications and content publishing.

We use innovative technology to deliver exceptionally responsive, reliable and secure hosting experiences – we are obsessed with customer experience.

Most importantly, we care.

Our Services: Managed Hosting Services; Secure Datacenters; Scalable Infrastructure; Cloud Hosting Services

Massive disruption in IT creates new risk

The state of IT

A threatened species

IT spend is no longer exclusively with IT
▪  21% of spend is now outside IT (Gartner CIO Survey Feb 2015)
▪  Mostly in marketing, where predictive analytics and other digital tools can give enterprises competitive advantage
▪  All C-levels now make IT decisions (eg to buy iPads for sales)
▪  IT struggles to meet this demand
▪  AWS’s Stephen Schmidt: ‘we don’t talk to IT’
▪  Many private (and public) clouds have been built and are unused

Traditional IT
▪  Top down command and control; everyone has to live with their decisions
▪  Black box: no one outside the function can understand (even less criticise) what they do
▪  Not aligned with any +ve business objectives, only negative (keeping the lights on, stopping security breaches)
▪  The customers, ie groups within the business, have no choice but to use what IT offers
▪  Uses monolithic proprietary applications hosted in house with strategic vendor; lead times, SLA, all below market

Traditional IT project
▪  Instructions received from another department
▪  Scope and specifications issued via RFP to vendors
▪  Plans are for maximum capacity
▪  Lengthy procurement process
▪  Monolithic hardware and software
▪  Long contract periods
▪  Testing, staging and then live
▪  Up to a year for a new project

An agile IT project (On Demand)
▪  Lead times < 1 hour, no procurement
▪  Usage based, automated, no contracts
▪  Open source software (no time to negotiate)
▪  No longer in house, distributed
▪  Continuous live development
▪  Tied to business outcomes

Use cases… from a cost of $20m to $5m and a lead time of a year to three months

Security and risk

Quis custodiet ipsos custodes?

The security industry
▪  Generates most of the data in the industry and creates most of the noise
▪  True 3rd party advice hard to find: industry analysts and consultants have no incentive to doubt the prevailing ethos
▪  Traditional ‘cleverest man in the room’ and FUD sales tactics
▪  MO consists of finding more problems and defects so customers have to spend more
▪  $76bn industry (Gartner 2015 estimate) vs Microsoft $86bn, IBM $92bn

A security vendor slide and a layer cake

The security group in enterprise

Perverse incentives
▪  Rain dance argument
▪  The group in the business where failure is rewarded
▪  More breaches = more budget if politics are handled correctly
▪  Infosec/CISO group has little influence
▪  Buying a wall and a guard is enough

From the Annual Fraud Indicator
▪  67% of fraud is insider fraud
▪  Of the companies polled not one was able to recover the funds
▪  Online banking fraud £40m
▪  Plastic card fraud £338m
▪  Identity fraud £3.3bn
▪  Private sector fraud £15.5bn (40% of total)

Risks in the cloud

Where we think the risks lie (source: Gartner Survey December 2014)
▪  27% lack of visibility into who can access data
▪  18% lack of confidence in the cloud provider’s security abilities
▪  12% unclear liability if there is an attack/loss of data

Where the risks really lie (source: Gartner Survey December 2014)
▪  Cloud collapse: brittle businesses often go bust (Nirvanix); outages common; no cover for outages/business risk in contracts
▪  But… many back-up security advantages (see next slide)
▪  Complacency: security incidents mostly caused by customer usage, eg sloppy code, old OSS, allowing ghost accounts from ex-employees to proliferate
▪  Regulatory breaches: rogue cloud usage, uncontrolled SaaS is universal

‘Cloud may be more secure than client server’ (Gus Hunt, CTO, CIA)
▪  Ability to reimage/remove software and transfer it to another makes it harder to carry out attacks
▪  Organisations can secure end to end using encryption
▪  IT depts find it hard to compete with cloud providers’ scale
▪  Thousands of customers versus one; 100Gbps vs 100Mbps of traffic
▪  Benefits of pooled resources, scaled security, DDoS
▪  The more physical the more insecure: paper, USBs (60% are lost containing corporate data)
▪  Poorly maintained legacy equipment proliferates in enterprise

Conclusion
▪  Opportunity for the market to drive best practices through genuine third party advice / consulting
▪  Lower premiums for organisations with lower risk
▪  Test and monitor! … and use the cloud to analyse all that big data

Ten questions your cloud provider doesn’t want you to ask
▪  Can you give us your three year availability history?
▪  Can you prove to us you will be in business in three years’ time?
▪  Can we audit your data centre? Can our auditors?
▪  If your cloud node goes down just before Xmas how much will you pay me?
▪  Can you guarantee performance? How?
▪  Can you walk me through what happens if I suffer a security breach?
▪  Or I decide to leave?
▪  Can you guarantee my data will not remain on your platform once I am gone?

Q&A

Early Warning Systems For Advanced Threat
Rashmi Knowles CISSP, Chief Security Architect EMEA
© Copyright 2015 EMC Corporation. All rights reserved.

CYBER THREAT LANDSCAPE (source: M-Trends 2015)

Evolution of attack methods (timeline graphic, 2001 → 2007 → Today → 2020; attacks becoming more advanced, more mobile and destructive):
•  Worms / Viruses
•  Simple DDoS
•  Phishing, Pharming
•  APTs, Multi-Stage
•  Hacker Collaboration
•  Disruptive Attacks
•  Intrusive Attacks
•  Advanced DDoS
•  Sophisticated Mobile Attacks
•  Destructive Attacks
•  The Unknown??

The RSA Research & Threat Intelligence Outputs (diagram):
•  Threat intelligence feeds via Live
•  Public releases and blogs via the Speaking of Security portal
•  Reports & white papers via community forums
•  Features and functionality built into RSA products & services
•  Formal threat intel exchange groups

RSA RESEARCH AND THREAT INTELLIGENCE
•  150 analysts, 100+ languages
•  16,000 ISPs and hosting authorities
•  6,000,000,000 URLs/day
•  800,000 attacks shut down
•  5 hrs time to shut down

AFCC RESEARCH LAB
•  50-150K samples per week
•  Static and dynamic analysis
•  Credential recovery
•  Mule accounts

INTEL TEAM
•  Military-trained intel agents
•  Tap fraud communication channels
•  Passive & proactive monitoring
•  Report on emerging threats and attack vectors

AS THE WORLD GOES MOBILE, CYBERCRIME WILL FOLLOW

AS THE WORLD GOES MOBILE – SO DOES FRAUD
40% of all fraudulent transactions came from mobile devices (source: RSA Adaptive Authentication)

CYBERCRIME AS A SERVICE
Cybercriminals increase the effectiveness of attacks and even leverage big data principles

•  Exploit Kits
•  Botnet Infrastructures
•  Call Centre service
•  Facebook accounts/Ads
•  Bitcoin stealer
•  DDoS attacks

DARKNET PRICE LIST
Item                            Price               Notes
Infections                      $11 per 1,000       "Multi-tenancy" plans (multiple variants on 1 machine) reduce cost
Hosting                         $50–$100            Bullet proof; server only
Exploit kit hosting             ~$100               Per week, ~12% guaranteed infection rate
Malware development             $2,500              The average cost of commercial malware
Exploits                        $1,000–$300,000     Varies greatly based on the exploit…
Turnkey banking trojan service  $700–$1,000
Credit card data                $0.25–$60           Depending on the amount of data being sold (front-of-plastic vs full track data); exotic geos, such as China, can fetch up to $300 per card
Phishing kit                    $0–$50
Spam                            $50                 To ~500,000 emails
DDoS as a service               ~$7 per hour
Proxy/RDP/SOCKS/VPN access      $5–$12              Price per IP or for period of access
Call service                    $10–$15             Depending on the required language/accent

Ransomware – customized for legitimacy (source: http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html)

THREAT LANDSCAPE (source: Verizon DBIR 2014)
•  Malware variants – RAM scraping
•  70-90% of malware unique to an organisation
•  70% of attacks were trusted third-party
•  Phishing associated with 95% of state-sponsored attacks
•  50% open emails and click on the link within an hour
•  99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published

DEFENDER-DETECTION DEFICIT (chart; source: Verizon DBIR 2014)

COUNT OF MALWARE EVENTS (chart; source: Verizon DBIR 2014)

Responding to Cyber Threats

Attack timeline (diagram): Attack Begins → System Intrusion → Cover-Up Complete → Attack Identified → Response
1.  Dwell Time, from system intrusion to attack identified: decrease it
2.  Response Time, from attack identified to response: speed it up

Advanced Threats Are Different
1.  TARGETED – specific objective
2.  INTERACTIVE – human involvement
3.  STEALTHY – low and slow; cover-up, discovery, leap-frog attacks

205 days – average number of days threat groups were on a victim’s network without detection. The longest presence was 2,982 days. Source: M-Trends 2015

It Will Become Increasingly Difficult To Secure Infrastructure

SECURITY MUST EVOLVE: from Static, Perimeter-Centric & Compliance Oriented to Risk-based, Agile & Contextual Visibility
We must focus on people, transactions, and the flow of data

ORGANIZATIONS MUST GET CREATIVE TO DETECT AND DISRUPT ATTACKS
•  Focus on early detection of breaches to minimize your window of vulnerability.
•  Move backward in the ‘Kill chain’.
•  The key is actively preserving, aggregating and reviewing data to detect a potential intrusion, but also for post-event forensics.

Kill chain: Recon → Weaponise → Deliver → Exploit → Install → C2 → Action
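Dwell time, response time and “moving backward in the kill chain” can be measured on an incident once its timeline has been reconstructed. Below is an added Python example, not from the slides or from RSA; the incident timeline, hosts, sources and timestamps are constructed to resemble the M-Trends dwell figure quoted earlier. It scores the timeline against the seven kill-chain stages listed above, reports dwell and response times, and lists the earlier-stage evidence that was already sitting in the logs when detection finally arrived from outside:

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Stages exactly as listed on the slide.
KILL_CHAIN = ["recon", "weaponise", "deliver", "exploit", "install", "c2", "action"]
INTRUSION_STAGE = "exploit"  # from here the attacker is inside; dwell time starts


class Event(NamedTuple):
    when: datetime
    stage: str    # one of KILL_CHAIN
    source: str   # telemetry that recorded it
    detail: str


def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed incident timeline, pieced together after the fact from logs
# that were collected but never reviewed. Hosts and names are placeholders.
TIMELINE: List[Event] = [
    Event(ts("2014-09-02 08:10"), "deliver", "mail-gateway",
          "attachment 'invoice.doc.exe' delivered to 14 mailboxes"),
    Event(ts("2014-09-02 08:41"), "exploit", "endpoint",
          "winword.exe spawned powershell.exe with an encoded command"),
    Event(ts("2014-09-02 08:42"), "install", "endpoint",
          "new service 'WinUpdSvc' registered from %TEMP%"),
    Event(ts("2014-09-02 09:00"), "c2", "dns",
          "hourly lookups of <c2-domain> from 3 hosts begin"),
    Event(ts("2015-03-20 23:15"), "action", "netflow",
          "40 GB egress to one external host over TLS"),
]
# What the organisation actually noticed, and when it contained it.
DETECTED = Event(ts("2015-03-27 10:00"), "action", "third-party",
                 "upstream provider reports bulk outbound transfer")
CONTAINED_AT = ts("2015-03-28 16:30")


def stage_index(stage: str) -> int:
    return KILL_CHAIN.index(stage)


def dwell_time(timeline: List[Event], detected: Event) -> timedelta:
    """Label 1 on the slide: system intrusion to attack identified."""
    inside = [e.when for e in timeline
              if stage_index(e.stage) >= stage_index(INTRUSION_STAGE)]
    return detected.when - min(inside)


def response_time(detected: Event, contained_at: datetime) -> timedelta:
    """Label 2 on the slide: attack identified to response."""
    return contained_at - detected.when


def earlier_evidence(timeline: List[Event], detected: Event) -> List[Event]:
    """Events from stages before the one detection happened at. Each is a
    point where data already held would have fired sooner; this is what
    moving backward in the kill chain buys."""
    cut = stage_index(detected.stage)
    return [e for e in timeline if stage_index(e.stage) < cut]


def summarise(timeline: List[Event], detected: Event,
              contained_at: datetime) -> Dict[str, object]:
    missed = earlier_evidence(timeline, detected)
    first = min(missed, key=lambda e: e.when) if missed else detected
    return {
        "dwell_days": dwell_time(timeline, detected).days,
        "response_hours": response_time(detected, contained_at).total_seconds() / 3600,
        "detected_stage": detected.stage,
        "missed_events": len(missed),
        "earliest_missed_stage": first.stage,
        "earliest_missed_source": first.source,
        "stages_skipped": stage_index(detected.stage) - stage_index(first.stage),
    }


if __name__ == "__main__":
    for key, value in summarise(TIMELINE, DETECTED, CONTAINED_AT).items():
        print(f"{key}: {value}")
```

In this constructed case detection came at the Action stage, from a third party, after 206 days of dwell and was followed by a 30.5 hour response; the same logs held Deliver, Exploit, Install and C2 evidence on day one. Reviewing the mail gateway or DNS data would have moved detection four stages back along the chain, which is the practical content of the “preserving, aggregating and reviewing data” bullet.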

STRATEGIC SECURITY INVESTMENT SHIFT NEEDED NOW!
Today’s Priorities: Prevention 80%, Monitoring 15%, Response 5%
Intelligence-Driven Security: Prevention 33%, Monitoring 33%, Response 33%

BUILDING BLOCKS OF INTELLIGENCE DRIVEN SECURITY

Building blocks (diagram): Cloud / On Prem; ANALYTICS; IDENTITY & ACCESS; DATA; use cases: Threat, Fraud, Compliance, Identity; GOVERNANCE, RISK, & COMPLIANCE

INTELLIGENCE DRIVEN SECURITY IN ACTION
Inputs: LOGS, PACKETS, NETFLOW, ENDPOINT, ID, VULNS, THREAT (INT & EXT)

BENEFITS OF THIS APPROACH
•  Risk-driven – prioritize activity and resources appropriately
•  Incremental and achievable – new capabilities improve your maturity over time
•  Future proof – enables response to changes in the landscape, not based on adding new products
•  Agile – enables the business to take advantage of new technology and IT-driven opportunities

CUSTOMER MATURITY MODEL: Advanced Threats Become the Major Spend Driver as Customers Mature
(Rows: Approach, Scope, Technology, Catalyst)

Security Level 1: Naïve/Cost-based
  Approach: Security is a “necessary evil”
  Scope: Reactive and de-centralized monitoring
  Technology: Tactical threat defenses

Security Level 2: Compliance-driven
  Approach: Check-box mentality
  Scope: Implement security to be compliant
  Technology: Tactical threat defenses with tracking and reporting tools
  Catalyst: Regulatory environment

Security Level 3: IT risk-driven
  Approach: Proactive and assessment-based
  Scope: Assess risks and detect threats for the organization
  Technology: Security tools integrated with common data and management platform
  Catalyst: New leadership

Security Level 4: Business risk-driven
  Approach: Security fully embedded in enterprise processes
  Scope: Assess business risks to drive security implementation
  Technology: Security tools integrated with business tools, e.g. eGRC
  Catalyst: Security breaches; customer demand

CHARACTERISTICS OF SECURITY MATURITY (chart axes: Visibility, Collaboration, Risk)
Step 1: Threat Defense
Step 2: Compliance and Defense-in-Depth
Step 3: Risk-Based Security
Step 4: Business-Oriented

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.