LMTE Cyber Security Spring Summit 20 May 2015 - Presenters' slides
LMTE Cyber Security Special Spring Summit: Fact, fiction, foe or fortune?
May 20th, 2015 at 3.30pm – 5.30pm followed by networking drinks

WELCOME

• LMTE – Who are we?
• Membership is free
• Our aim is to help educate, inform and allow for the exchange of concepts and practices
• Experience new ideas and products from leading suppliers and professional services firms from across the globe
• New membership cards
  • They are yours to take away – bring them to future events
  • Keep them safe
  • They can be replaced, for a small admin charge
• We’re delighted to see you – tell your colleagues – spread the word
Speakers:
• Professor Roy Isbell – Principal Fellow of the University of Warwick, WMG Cyber Security Centre
• Rashmi Knowles – Chief Security Architect at RSA, The Security Division of EMC
• Daniel Beazer – Senior Consulting Analyst, Peer1 Hosting
For data-driven decisions – Adrian Rands, CEO, QuanTemplate
[email protected] @quantemplate
quantemplate.com/insights
“Cyber Hardening & the Future Enterprise” (Exploring the Current & Future Limits of the Cyber Environment)
Roy Isbell (Prof.) FIET FBCS CITP
LMTE Cyber Security Special Spring Summit
Current Trends (Symantec Internet Security Threat Report – 2015)
Targeted Attacks Increasing Across All Sectors
Industry Sectors Breached (Guide to Who is Under Threat)
• Healthcare, retail, and education were ranked highest for the number of data breach incidents in 2014; the top three accounted for 58 percent of all data breaches.
• The retail, computer software, and financial sectors accounted for 92 percent of all the identities exposed in 2014.
• This highlights that sectors involved in the majority of data breaches don’t necessarily result in the largest caches of stolen identities, with the exception of retail.
Beyond the Information System (New Attack Vectors – Vectors of the Future)
Figure – the economy as three linked sectors (source: Wikipedia; diagram: Roy Isbell):
• Primary – Raw Materials – Agriculture, Fishing & Extraction (Mining)
• Secondary – Manufacturing or Goods Production
• Tertiary – The Service Sector or Service Industry
The sectors are linked by Transport and Communications. Communications business drivers: cost reduction, improved performance/productivity, increased safety. Over the product lifecycle, control moves from Human Control to Semi-Autonomous to Autonomous.
Business Sectors Getting Smarter (Business Drivers)
Primary Sector (Raw Materials – Agriculture, Fishing & Extraction/Mining)
Figure – examples: Water; Mining Raw Materials; Oil & Gas Drilling/Collection; Aquaculture; Agriculture; Livestock Farming (image sources unknown)
Unusual Cyber (Modulated Water)
Figure – process chain: Modulated Water → Electrical Pulses → Data → Network Data → Processing → Satellite Communications → Network Data → Processing. Link rates along the chain: 140 bps → 100 Gbps → 1 Mbps → 1 Mbps → 100 Gbps (data rates on the modulated-water leg are 35 bps to 140 bps).
Secondary Sector (Manufacturing or Goods Production)
Figure – examples: Food Supply & Demand Chain; Automated Manufacturing; Water Management; Utility Supply Management; Automated Food Processing/Production; Retail Management (image sources unknown)
Tertiary Sector (The Service Sector or Service Industry)
Figure – examples: Integrated Health; Integrated Emergency Services; Integrated Waste Management; Integrated Transport; Spectrum (image sources: ETSI, Lumeta; others unknown)
The Internet of Things
Figure – IoT sector map (source: Beecham Research)
What is needed?
• Human: understanding how cyber influences/impacts the human, or how the human influences/impacts cyber.
• Situational Awareness: understanding and awareness of how all aspects of cyber are related.
• Information/Data: identification of all sources of data & information used, the data flows and inter-dependencies.
• Spectrum: multiple use of the spectrum from DC to light and beyond; mobility.
• Systems: identify all the connected cyber systems, their relationships and their relative importance to the overall operation.
• Infrastructure: knowledge of the physical infrastructure as well as the data and information infrastructure.
• Environment: understanding the impact of the external environment – PESTEL.
(Source: Roy Isbell)
CONTEXT – The set of circumstances or facts that surround a particular event or situation. (Source: Dictionary.com)
Cyberspace & Context (Cyberspace Through a Context PRISM)
Figure – the context prism: Environment, Human, Awareness/Understanding, Information/Data, Systems, Spectrum and Infrastructure, applied to the Internet + the World Wide Web (source: Roy Isbell)
The Internet – A communications channel that we connect to in order to pass information.
The World Wide Web – A trading platform where information is exchanged.
Understanding Where We Are
Cyber–Physical Engineered Systems (Adding Sensing & Actuation)
Figure – Cyber–Physical Engineered Systems (source: unknown)
Cyber–Physical Engineered Systems:
1. Effectively command and control systems that are networked or distributed (i.e. employ networking and/or communications).
2. Incorporate a degree of intelligence (adaptive or predictive).
3. Work in real time to influence or actuate outcomes in the physical world.
4. Found in transportation, utilities, buildings, infrastructure & health care.
5. Use sensors to detect and measure physical parameters and actuators to control physical processes.
6. Utilise feedback loops for monitoring, allowing degrees of autonomy.
Integrated Transport (Autonomous Vehicles)
• Autonomous Shipping (source: Rolls Royce Holdings)
• Autonomous Road Trains (source: Volvo)
• Autonomous Planes (source: Northrop Grumman)
• Autonomous Trains – Transport for London is considering plans to roll out driverless tube trains across the Underground network by 2020 (source: Transport for London)
• The first commercially available semi-autonomous cars will be available in 2014 (E&Y Report)
Complex System of Systems (WHAT? – Complex Cyber Physical Engineered System)
List of technologies to create a self-driving vehicle (source: Byron Shaw, GM MD of Advanced Technology):
• Collision Avoidance (Steering)
• Vehicle-to-Vehicle Communication
• Vehicle-to-Infrastructure Communication
• Steer-by-Wire
• Lane Keeping
• Forward Collision Avoidance (Braking)
• Driver Performance Monitor
• Lane Sensing/Warning
• Active Roll Control
• Forward Collision Warning
• Adaptive Cruise Control
• Vision Enhancement
• Near Obstacle Detection
• Electronic Stability Control
• Adaptive Variable-Effort Steering
• Semi-Active Suspension
• Traction Control
• Anti-Lock Braking Systems
Complex System of Systems (HOW? – External Remote Access)
Sensor Systems – constantly monitor the external environment to build a 360° picture that provides information to the command and control environment of the vehicle. (Influence, jamming & spoofing)
Connecting Systems:
Infotainment – a combination of information and entertainment. (Access to vehicle subsystems for information, disruption, modification & control)
Telematics – the integrated use of telecommunications and informatics for control of vehicles on the move. (Access for information, disruption, modification & control)
Network Based Connectivity (HOW? – Expansion of the Attack Vectors)
• Mobile Phone App – sync with Head Unit
• Head Unit OS – Windows, Android or Linux variants
• Laptop Access – through vehicle WiFi hotspot
• 4G Access – via mobile device
• 5G Access – via mobile device
• New Vehicle Apps – access via Head Unit & mobile device
• Bluetooth – device connect
• The Cloud – dedicated cloud services or generic web access
All the security issues associated with information systems now apply to connected vehicles.
Vehicle Lifecycle (HOW? – The Insider Threat)
Vehicle lifecycle stages: Design & Manufacture → Sales & Distribution → Consumer/Owner → Maintenance (Maintainer/Valet) → Fuel (Fossil/Gas/Bio/Electrical) → Disposal
Analysis of the vehicle lifecycle identifies those who are permitted to come into contact with the vehicle and their level of access. These individuals are the ‘Insiders’ to consider for the ‘Insider Threat’.
Maintainers – have physical access to the vehicle via technical equipment. Both the equipment and the personnel may be an attack vector.
In addition, the vehicle software updating process needs to be considered as an attack vector, as does the use of Power Line Carrier technology to communicate between the vehicle, off-board charger and smart grid.
Access Control (as a function of):
• Role – role based access control is not enough.
• Function – consider adding function as an additional factor.
• Time – consider using time to achieve removal of legacy access.
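A worked illustration of the three factors above, added here as example code and not part of the original slides. It models the maintenance case from the lifecycle slide with a hypothetical policy (the operation names obd_read, ecu_flash, unlock and start, and the (role, function) pairs, are assumptions for the example): a grant carries a role and a function and is valid only within a time window, so a technician booked for diagnostics cannot flash an ECU, and the same grant stops working once the window closes without anyone having to revoke it. The role-only check is included to show what it over-grants.

```python
"""Access control as a function of role, function and time.

Added example for the three factors on the slide, using the maintenance case
from the vehicle lifecycle: a technician booked for a diagnostics visit.
Operation names and the (role, function) policy are assumptions of the example.
"""
from datetime import datetime, timedelta

# Hypothetical vehicle operations permitted for each (role, function) pair.
POLICY = {
    ("maintainer", "diagnostics"):     {"obd_read"},
    ("maintainer", "firmware_update"): {"obd_read", "ecu_flash"},
    ("valet", "parking"):              {"unlock", "start"},
}


class Grant:
    """A time-bounded assignment of a role *and* a function to a subject."""

    def __init__(self, subject, role, function, not_before, not_after):
        self.subject = subject
        self.role = role
        self.function = function
        self.not_before = not_before
        self.not_after = not_after

    def active_at(self, now):
        return self.not_before <= now < self.not_after


def authorise(grants, subject, operation, now):
    """Allow `operation` only via an active grant whose (role, function) policy
    entry lists it.  Expired grants are skipped, so legacy access falls away
    without anyone having to remember to revoke it."""
    for grant in grants:
        if grant.subject != subject or not grant.active_at(now):
            continue
        if operation in POLICY.get((grant.role, grant.function), set()):
            return True
    return False


def authorise_role_only(grants, subject, operation):
    """The role-only check the slide calls insufficient: it ignores both the
    function being performed and whether the grant is still current."""
    for grant in grants:
        if grant.subject != subject:
            continue
        for (role, _function), operations in POLICY.items():
            if role == grant.role and operation in operations:
                return True
    return False


def at(hour, minute=0):
    """Clock time on the constructed day of the maintenance visit."""
    return datetime(2015, 5, 20, hour, minute)


def demo_grants():
    """Constructed grant: technician tech-42 booked for diagnostics 09:00-11:00."""
    return [Grant("tech-42", "maintainer", "diagnostics", at(9), at(9) + timedelta(hours=2))]


def run_demo():
    """Evaluate the cases a practitioner would want to see and return them for checking."""
    grants = demo_grants()
    return {
        "diagnostics during window": authorise(grants, "tech-42", "obd_read", at(10)),
        "flash during window":       authorise(grants, "tech-42", "ecu_flash", at(10)),
        "diagnostics after window":  authorise(grants, "tech-42", "obd_read", at(12)),
        "unknown subject":           authorise(grants, "nobody", "obd_read", at(10)),
        "role-only allows flash":    authorise_role_only(grants, "tech-42", "ecu_flash"),
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case}: {'ALLOW' if decision else 'DENY'}")
```

The design point is that expiry is part of the grant itself rather than a separate clean-up task: a maintainer's access is scoped to the booked job and the booked window, and anything outside either is denied by default.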
Integrated Transport (The Movement of Goods and/or People)
Figure – modes: Air, Maritime, Road, Rail, Metro/Underground; carrying People and Goods (sources: Hitachi.com; Digital Age Transportation – The Future of Urban Mobility, Tiffany Dovey Fishman, Deloitte University Press; Roy Isbell DFM)
Urbanisation (The Move to the City)
Figure – 1950–2050 rise in urban population (source: WHO)
Statistics:
1. 60% of the world population urbanised by 2030.
2. Urban population in developing countries will more than double.
3. New development often on coastal plains, increasing risk from severe weather & global warming.
Challenges:
1. Developed countries’ existing infrastructures already stretched.
2. Proactive management required for costly and scarce resources.
3. Technological advances allowing development of SMARTer cities.
4. Evolving systems of systems of systems(n) with complex and/or cascading failure.
5. Greater automation and system autonomy for cost reduction and improved productivity.
Research:
• The City as a Platform
• Understanding Cyber–Physical Engineered Systems
• Data & Systems Context
• Resilience of Systems & Services
• Deriving Cyber Security Needs
SMART Buildings (Where we Live, Work & Play)
Figure (sources: Hasibat Information Technologies; Arup Foresight & Innovation)
Future SMART(er) Cities (A Complex Interconnected Environment)
Built Environment: • Commercial Buildings • Living Accommodation • Industrial Complex • Utility Provision
Infrastructure & Services: • Medical • Transport • Refuse Collection • Utility Delivery • Food Supply Chain • Emergency Services
(Figure source: unknown)
The Cyber Attack Triangle (WHEN? – Understanding the Pre-requisites for an Attack)
CIA – Cyber Attack Triangle: Capability, Information, Access
Access – In order for any attack to even be contemplated, some form of access to the target is required. Access may be physical or remote.
Capability – To effect a successful attack the attacker requires the correct tools and techniques to interact with the target and influence or affect the changes required to achieve the desired outcome.
Information – Before either access or capability may be achieved or determined, information (intelligence) on the target is required. The level of detailed information will determine the risk associated with any attack scenario being considered.
Like any three-legged stool, absence of any leg renders the stool useless.
Attack Anatomy – Each attack follows a sequence of activities, with each activity, once completed, providing either information, access or a capability related to the target system.
Attack Motivators (Examples Related to Autonomous/Connected Vehicles)
Motivators: Crime (including financial); (H)Acktivism; Warfare; Terrorism (including corporate blackmail); Espionage (including industrial espionage).
Espionage – seeking unauthorised access to sensitive information (intellectual property, commercial information, corporate strategies, personal data, pattern of life) or using the vehicle as a reconnaissance tool:
• State • Commercial
(H)Acktivism – seeking publicity or creating pressure on behalf of a specific objective or cause:
• Disruption of specific businesses/organisations (supplier or end user)
• Disruption of specific geographic areas (cities, routes)
Criminal – largely driven by financial gain, but may include gang related violence:
• Theft of a vehicle • Theft from a vehicle • Hijack of a vehicle • Kidnap of a vehicle’s occupant(s) • Criminal damage
Terrorism:
• Use of vehicle as a weapon • Attacks on vehicle and/or vehicle’s occupants • Disruption of transport systems/infrastructure
Warfare – conflict between nation states:
• Disruption of transport systems/infrastructure to deny operational use
• Disable specific modes of transport or vehicle types • Destruction of vehicles
New Models for Evaluating Cyber Security & Safety
CIA Triad (Bishop M. 2004): Confidentiality, Integrity, Availability
Parkerian Hexad (Parker DB, 2002): Confidentiality, Possession/Control, Integrity, Authenticity, Availability, Utility
Cyber Security for Autonomous Systems (Boyes H. 2014): Confidentiality, Possession/Control, Integrity, Authenticity, Availability, Utility, Safety
Element – Relevance to CPES:
• Confidentiality – Protection of personal & other sensitive data
• Possession/Control – Prevent unauthorised manipulation or control of systems
• Integrity – Prevent unauthorised changes to or deletion of data & maintenance of system configuration
• Authenticity – Prevention of fraud or tampering with data
• Availability – Autonomous infrastructure able to operate without disruption or impairment
• Utility – Maintaining data & systems in a useful state throughout their lifecycle
• Safety – Prevention of harm to individuals, assets and the environment
Autonomous Systems Defence Capability Strategies
Prevent – the prevention of unauthorised users gaining access to subsystems, prevention of unauthorised modifications or changes to a system’s configuration, prevention of a system going into an unsafe and insecure mode of operation.
Protect – the protection of any data or information at rest, in transit or in operation using strong cryptographic and hashing techniques; the protection of the access portals from unauthorised connection through strong authentication.
Detect – the detection of hardware or software modification outside of operating parameters, the detection of unauthorised activity within the system, the detection of anomalous activity within operating parameters.
Deny – the denial of access, either physical or remote; the denial of code or hardware modification without approval; the denial of an attack using active defence measures.
Respond – the ability to respond (automatically or otherwise) to events before safety or security countermeasures are activated, and the ability to respond after safety or security countermeasures have been activated.
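The Protect, Detect and Deny strategies above apply directly to the vehicle software update path that the lifecycle slide flags as an attack vector. The following is an added example (not code from the slides or from any vendor) of an update verifier that authenticates the manifest, checks the image against the manifest digest and refuses rollback to an older version. HMAC-SHA256 with a constructed key stands in for a signature so that it runs on the Python standard library alone; the sample images, key and manifest format are assumptions of the example.

```python
"""Verifying a vehicle software update before it is applied (added example).

Protect: the manifest is authenticated and the image is hashed.
Detect:  any modification of manifest or image is caught before installation.
Deny:    unauthenticated, tampered or rolled-back updates are refused.

HMAC-SHA256 over the manifest stands in for a signature so the example runs on
the standard library alone; a real deployment uses an asymmetric signature so
the vehicle holds only a public key (assumption of this example).
"""
import hashlib
import hmac
import json

# Constructed key for the example; in practice this is the OEM's signing key.
EXAMPLE_KEY = b"example-oem-signing-key-not-for-production"


def sign_update(key, version, image):
    """Build a manifest for `image` and authenticate it.  Returns (manifest_bytes, tag)."""
    manifest = {
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
        "size": len(image),
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return manifest_bytes, tag


def verify_update(key, manifest_bytes, tag, image, installed_version):
    """Return 'accept' or a 'reject: <reason>' string.  Order matters: the
    manifest is authenticated first so nothing unauthenticated drives later checks."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "reject: manifest not authentic"
    try:
        manifest = json.loads(manifest_bytes)
        version = int(manifest["version"])
        digest = manifest["sha256"]
        size = int(manifest["size"])
    except (ValueError, KeyError, TypeError):
        return "reject: malformed manifest"
    actual = hashlib.sha256(image).hexdigest()
    if len(image) != size or not hmac.compare_digest(actual, digest):
        return "reject: image does not match manifest"
    if version <= installed_version:
        return "reject: rollback to version %d not allowed" % version
    return "accept"


def run_demo():
    """Constructed scenarios: genuine update, tampered image, forged version, replayed old image."""
    image_v2 = b"\x7fELF...firmware v2 (constructed)"
    image_v3 = b"\x7fELF...firmware v3 (constructed)"
    m3, t3 = sign_update(EXAMPLE_KEY, 3, image_v3)
    m2, t2 = sign_update(EXAMPLE_KEY, 2, image_v2)
    forged = m3.replace(b'"version": 3', b'"version": 4')   # edited after signing
    return {
        "genuine":  verify_update(EXAMPLE_KEY, m3, t3, image_v3, installed_version=2),
        "tampered": verify_update(EXAMPLE_KEY, m3, t3, image_v3 + b"\x90", installed_version=2),
        "forged":   verify_update(EXAMPLE_KEY, forged, t3, image_v3, installed_version=2),
        "rollback": verify_update(EXAMPLE_KEY, m2, t2, image_v2, installed_version=2),
    }


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario}: {outcome}")
```

Each rejection maps to one of the strategies on the slide: a bad tag is Detect on the manifest, a digest mismatch is Detect on the image, and the version check is Deny against a replayed but otherwise genuine older build that would reintroduce a fixed defect.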
Managing Enterprise Cyberspace (Cyber Operations)
Figure (source: Roy Isbell DFM)
The Edge Connected Human (Thoughts for Consideration)
Figure – Wearable Technology; Prosthetics & Implants; Senses as Sensors; Interaction (image sources: ETSI; others unknown)
Where every interaction matters.
Risks and new technology – Presented by Daniel Beazer, Senior Consulting Analyst, 20th May 2015
Today’s Agenda
• Introduction to Peer1
• Changing face of risk in IT
• Traditional IT vs Agile
• A closer look at risk in two areas, one over-exaggerated, the other under-exaggerated
• Conclusions for the market
• A takeaway slide and Q&A
We are not good at assessing risk
“If you both own a gun and a swimming pool in your backyard, the swimming pool is about 100 times more likely to kill a child than the gun is.”
Us in a nutshell
We are a global web infrastructure and cloud hosting company specializing in customized solutions for eCommerce, SaaS applications and content publishing.
We use innovative technology to deliver exceptionally responsive, reliable and secure hosting experiences – we are obsessed with customer experience.
Most importantly, we care.
Our Services: Managed Hosting Services; Cloud Hosting Services; Secure Datacenters; Scalable Infrastructure
IT spend is no longer exclusively with IT
▪ 21% of spend is now outside IT (Gartner CIO Survey Feb 2015)
▪ Mostly in marketing, where predictive analytics and other digital tools can give enterprises competitive advantage
▪ All C-levels now make IT decisions (eg to buy iPads for sales)
▪ IT struggles to meet this demand
▪ AWS’s Stephen Schmidt: ‘we don’t talk to IT’
▪ Many private (and public) clouds have been built and are unused
Traditional IT
• Top down command and control, everyone has to live with their decisions
• Black box: no one outside the function can understand (even less criticise) what they do
• Not aligned with any +ve business objectives, only negative (keeping the lights on, stopping security breaches)
• The customers, ie groups within the business, have no choice but to use what IT offers
• Uses monolithic proprietary applications hosted in house with strategic vendor; lead times, SLA all below market
Traditional IT project
• Instructions received from another department
• Scope and specifications issued via RFP to vendors
• Plans are for maximum capacity
• Lengthy procurement process
• Monolithic hardware and software
• Long contract periods
• Testing, staging and then live
• Up to a year for a new project
An agile IT project
• Lead times < 1 hour, no procurement
• Usage based, automated, no contracts
• Open source software (no time to negotiate)
• No longer in house, distributed
• Continuous live development
• Tied to business outcomes
• On demand
The security industry
• Generates most of the data in the industry and creates most of the noise
• True 3rd party advice hard to find: industry analysts and consultants have no incentive to doubt the prevailing ethos
• Traditional ‘cleverest man in the room’ and FUD sales tactics
• MO consists of finding more problems and defects so customers have to spend more
• $76bn industry (Gartner 2015 estimate) vs Microsoft $86bn, IBM $92bn
The security group in enterprise – Perverse incentives
• Rain dance argument
• The group in the business where failure is rewarded
• More breaches = more budget if politics are handled correctly
• Infosec/CISO group has little influence
• Buying a wall and a guard is enough
From the Annual Fraud Indicator
▪ 67% of fraud is insider fraud
▪ Of the companies polled not one was able to recover the funds
▪ Online banking fraud £40mn
▪ Plastic card fraud £338mn
▪ Identity fraud £3.3bn
▪ Private sector fraud £15.5bn (40% of total)
Where we think the risks lie
▪ 27% lack of visibility into who can access data
▪ 18% lack of confidence in the cloud provider’s security abilities
▪ 12% unclear liability if there is an attack/loss of data
Source: Gartner Survey December 2014
Where the risks really lie
▪ Cloud collapse – brittle businesses often go bust (Nirvanix); outages common; no cover for outages/business risk in contracts
▪ But… many back-up/security advantages (see next slide)
▪ Complacency – security incidents mostly caused by customer usage, eg sloppy code, old OSS, allowing ghost accounts from ex-employees to proliferate
▪ Regulatory breaches – rogue cloud usage, uncontrolled SaaS is universal
Source: Gartner Survey December 2014
‘Cloud may be more secure than client server’ – Gus Hunt, CTO, CIA
• Ability to reimage/remove software and transfer it to another makes it harder to carry out attacks
• Organisations can secure end to end using encryption
• IT depts find it hard to compete with cloud providers’ scale
• Thousands of customers versus one; 100Gbps vs 100Mbps of traffic
• Benefits of pooled resources, scaled security, DDoS
• The more physical the more insecure: paper, USBs (60% are lost containing corporate data)
• Poorly maintained legacy equipment proliferates in enterprise
Conclusion
▪ Opportunity for the market to drive best practices through genuine third party advice / consulting
▪ Lower premiums for organisations with lower risk
▪ Test and monitor! … and use the cloud to analyse all that big data
Ten questions your cloud provider doesn’t want you to ask
▪ Can you give us your three year availability history?
▪ Can you prove to us you will be in business in three years’ time?
▪ Can we audit your data centre? Can our auditors?
▪ If your cloud node goes down just before Xmas how much will you pay me?
▪ Can you guarantee performance? How?
▪ Can you walk me through what happens if I suffer a security breach?
▪ Or I decide to leave?
▪ Can you guarantee my data will not remain on your platform once I am gone?
© Copyright 2015 EMC Corporation. All rights reserved.
CYBER THREAT LANDSCAPE (source: M-Trends 2015)
Figure – timeline of attack methods, 2001 → 2007 → today → 2020: Worms/Viruses; Simple DDoS; Phishing/Pharming; APTs/Multi-Stage; Hacker Collaboration; Disruptive Attacks; Destructive Attacks; Intrusive Attacks; Advanced DDoS; Sophisticated Mobile Attacks; The Unknown??
The RSA Research & Threat Intelligence Outputs
Figure – outputs of RSA Research & Threat Intelligence: Threat Intelligence Feeds via Live; Public Releases and Blogs via the Speaking of Security Portal; Reports & White Papers via Community Forums; Features and Functionality Built Into RSA Products & Services; Formal Threat Intel Exchange Groups
RSA RESEARCH AND THREAT INTELLIGENCE
• 150 analysts, 100+ languages • 16,000 ISPs and hosting authorities • 6,000,000,000 URLs/day • 800,000 attacks shut down • 5 hrs time to shut down
AFCC Research Lab: • 50–150K samples per week • Static and dynamic analysis • Credential recovery • Mule accounts
Intel Team: • Military-trained intel agents • Tap fraud communication channels • Passive & proactive monitoring • Report on emerging threats and attack vectors
AS THE WORLD GOES MOBILE, CYBERCRIME WILL FOLLOW
40% of all fraudulent transactions came from mobile devices (source: RSA Adaptive Authentication)
CYBERCRIME AS A SERVICE
Cybercriminals increase the effectiveness of attacks and even leverage big data principles.
• Exploit kits • Botnet infrastructures • Call centre service • Facebook accounts/ads • Bitcoin stealer • DDoS attacks
DARKNET PRICE LIST
• Infections – $11 per 1,000. There are “multi-tenancy” (multiple variants on one machine) plans that reduce cost.
• Hosting – $50–$100. Bullet proof; server only.
• Exploit kit hosting – ~$100 per week, ~12% guaranteed infection rate.
• Malware development – $2,500. The average cost of commercial malware.
• Exploits – $1,000–$300,000. Varies greatly based on the exploit…
• Turnkey banking trojan service – $700–$1,000.
• Credit card data – $0.25–$60, depending on the amount of data being sold (front-of-plastic vs full track data); exotic geos, such as China, can fetch up to $300 per card.
• Phishing kit – $0–$50.
• Spam – $50 per ~500,000 emails.
• DDoS as a service – ~$7 per hour.
• Proxy/RDP/SOCKS/VPN access – $5–$12. Price per IP or for period of access.
• Call service – $10–$15, depending on the required language/accent.
Ransomware – customized for legitimacy
Source: http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html
THREAT LANDSCAPE (source: Verizon DBIR 2014)
• Malware variants – RAM scraping
• 70–90% of malware unique to an organisation
• 70% of attacks were via a trusted third party
• Phishing associated with 95% of state sponsored attacks
• 50% open emails and click on the link within an hour
• 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published
DEFENDER-DETECTION DEFICIT (figure; source: Verizon DBIR 2014)
COUNT OF MALWARE EVENTS (figure; source: Verizon DBIR 2014)
Advanced Threats Are Different
1 TARGETED – specific objective
2 INTERACTIVE – human involvement
3 STEALTHY – low and slow
Figure – attack timeline: Attack Begins → System Intrusion → Cover-Up Complete → Attack Identified → Response. Dwell Time runs from intrusion to identification; Response Time from identification to response. Cover-up, discovery and leap-frog attacks take place within the dwell window. Goals: (1) decrease dwell time, (2) speed response time.
205 days – average number of days threat groups were on a victim’s network without detection. The longest presence was 2,982 days. (Source: M-Trends 2015)
It Will Become Increasingly Difficult To Secure Infrastructure
SECURITY MUST EVOLVE – we must focus on people, transactions, and the flow of data: from static, perimeter-centric & compliance oriented to risk-based, agile, & contextual visibility.
ORGANIZATIONS MUST GET CREATIVE TO DETECT AND DISRUPT ATTACKS
• Focus on early detection of breaches to minimize your window of vulnerability.
• Move backward in the ‘Kill chain’.
• The key is actively preserving, aggregating and reviewing data to detect a potential intrusion, but also for post-event forensics.
Kill chain: Recon → Weaponise → Deliver → Exploit → Install → C2 → Action
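One concrete form of “actively preserving, aggregating and reviewing data” to catch the stealthy, low-and-slow behaviour described above is beaconing detection at the C2 stage of the kill chain: a compromised host calling its command-and-control server on a timer produces connections whose inter-arrival times are far more regular than human browsing. The block below is an added example, not part of the RSA slides; the log format and the addresses in the constructed sample are assumptions, and the thresholds (at least five connections, jitter ratio at most 0.1) are illustrative starting points to tune against real traffic.

```python
"""Beaconing (C2 callback) detection over aggregated connection logs.

Added example: a compromised host polls its command-and-control server on a
timer, so the gaps between its connections have a very low standard deviation
relative to their mean.  Human-driven traffic to the same destination does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hypothetical format: ISO timestamp, source IP, dest IP:port).
# 10.0.0.5 talks to 203.0.113.9:443 every ~300 s with a few seconds of jitter
# (the beacon) and browses other hosts irregularly; 10.0.0.7 is ordinary traffic
# that also hits one destination five times, but at irregular intervals.
SAMPLE_LOG = """\
2015-05-20T09:00:00 10.0.0.5 203.0.113.9:443
2015-05-20T09:00:07 10.0.0.5 198.51.100.20:80
2015-05-20T09:05:01 10.0.0.5 203.0.113.9:443
2015-05-20T09:07:40 10.0.0.5 198.51.100.21:80
2015-05-20T09:10:02 10.0.0.5 203.0.113.9:443
2015-05-20T09:12:15 10.0.0.5 198.51.100.20:80
2015-05-20T09:14:59 10.0.0.5 203.0.113.9:443
2015-05-20T09:20:00 10.0.0.5 203.0.113.9:443
2015-05-20T09:21:11 10.0.0.5 198.51.100.22:80
2015-05-20T09:25:03 10.0.0.5 203.0.113.9:443
2015-05-20T09:29:58 10.0.0.5 203.0.113.9:443
2015-05-20T09:40:00 10.0.0.7 198.51.100.20:80
2015-05-20T09:40:05 10.0.0.7 198.51.100.20:80
2015-05-20T09:47:30 10.0.0.7 198.51.100.20:80
2015-05-20T09:48:00 10.0.0.7 198.51.100.20:80
2015-05-20T10:15:00 10.0.0.7 198.51.100.20:80
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_connections=5):
    """Return (count, mean_gap_seconds, jitter_ratio) for a flow, or None when
    there are too few connections to judge.  jitter_ratio is the population
    standard deviation of the inter-connection gaps divided by their mean:
    close to 0 means machine-regular timing."""
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return len(ts), avg, pstdev(gaps) / avg


def find_beacons(flows, min_connections=5, max_jitter=0.1):
    """Flag every (src, dst) pair whose timing is regular enough to look like a beacon."""
    hits = {}
    for pair, stamps in flows.items():
        score = beacon_score(stamps, min_connections)
        if score is not None and score[2] <= max_jitter:
            hits[pair] = score
    return hits


if __name__ == "__main__":
    for (src, dst), (count, avg, jitter) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst}  n={count}  period~{avg:.0f}s  jitter={jitter:.3f}")
```

On the constructed sample only the 10.0.0.5 → 203.0.113.9:443 flow is flagged (seven connections roughly 300 s apart, jitter ratio under 0.01); the five irregular connections from 10.0.0.7 score a jitter ratio above 1 and are ignored. Real beacons add random sleep to defeat exactly this test, so in practice the jitter threshold is widened and combined with other signals (destination reputation, byte counts, time-of-day), but the aggregation step is the same: it only works if the connection records were preserved in the first place.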
STRATEGIC SECURITY INVESTMENT SHIFT NEEDED NOW!
Today’s priorities: Prevention 80% / Monitoring 15% / Response 5%
Intelligence-Driven Security: Prevention 33% / Monitoring 33% / Response 33%
INTELLIGENCE DRIVEN SECURITY IN ACTION
Figure – Governance, Risk & Compliance over Analytics, Identity & Access and Data (threat, fraud, compliance, identity), spanning cloud and on-prem, fed by logs, packets, NetFlow, endpoint, ID, vulns and threat intelligence (internal & external)
BENEFITS OF THIS APPROACH
• Risk-driven – prioritize activity and resources appropriately
• Incremental and achievable – new capabilities improve your maturity over time
• Future proof – enables response to changes in the landscape, not based on adding new products
• Agile – enables the business to take advantage of new technology and IT-driven opportunities
CUSTOMER MATURITY MODEL – Advanced Threats Become the Major Spend Driver as Customers Mature
Security Level 1 – Naïve/Cost-based
  Approach: Security is a “necessary evil”
  Scope: Reactive and de-centralized monitoring
  Technology: Tactical threat defenses
Security Level 2 – Compliance-driven
  Catalyst: Regulatory environment
  Approach: Check-box mentality
  Scope: Implement security to be compliant
  Technology: Tactical threat defenses with tracking and reporting tools
Security Level 3 – IT risk-driven
  Catalyst: New leadership
  Approach: Proactive and assessment-based
  Scope: Assess risks and detect threats for the organization
  Technology: Security tools integrated with common data and management platform
Security Level 4 – Business risk-driven
  Catalyst: Security breaches; customer demand
  Approach: Security fully embedded in enterprise processes
  Scope: Assess business risks to drive security implementation
  Technology: Security tools integrated with business tools, e.g. eGRC
CHARACTERISTICS OF SECURITY MATURITY
Step 1: Threat Defense
Step 2: Compliance and Defense-in-Depth
Step 3: Risk-Based Security
Step 4: Business-Oriented
Figure axes: Visibility, Collaboration, Risk