Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Transcript of Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Page 1: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Charles Herring, Consulting Security Architect

Manufacturer Threats

Page 2: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

© 2014 Lancope, Inc. All rights reserved.

Agenda

• Problem Description

• NBAD Definitions

• Protecting “Crown Jewels”

• Monitoring Insiders

• Audit Trails for Response

• StealthWatch Overview

Page 3: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Problem Description

Page 4: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Confirmed Manufacturing Targets

• Intellectual Property – Loss $1M+ each

• M&A Data – Loss $50M+ each

Page 5: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Aggressors (and their motivation)

• Activist – Ideology

• Competitors – Money

• Nation States – Geopolitical

• Insider – Diverse

Page 6: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Manufacturing Vulnerabilities

Porous Access to Data

• Human access to IP

• Contractor/Partner collaboration

• Geo distribution of teams

Page 7: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Manufacturing Vulnerabilities

Diverse systems/networks

• Hard to build & monitor scopes

• Ultra connectivity with manufacturing devices

• Many types of users

Patch/support issues

• Lack of device guidance on hardening

Page 8: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


NBAD Definitions

Page 9: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

What is NBAD?

• Network Behavioral Anomaly Detection

• Data source = Network MetaData (NetFlow)

• Probe locations = Core or deeper

• Quantity/Metric Centric (not Pattern/Signature Centric)

• Sometimes used to refer to NetFlow Security Tools

Page 10: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Network Logging Standards

• NetFlow v9 (RFC-3950)

• IPFIX (RFC-5101)

• Rebranded NetFlow

– Jflow – Juniper

– Cflowd – Juniper/Alcatel-Lucent

– NetStream – 3Com/Huawei

– Rflow – Ericsson

– AppFlow – Citrix

[Figure: Basic/Common Fields shared by the standards]
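To make the "network metadata" these standards carry concrete, here is an added example (not from the slides, Lancope or any product) that decodes a NetFlow v9 export packet: the 20-byte header, a template FlowSet and the data FlowSet it describes. The sample packet, addresses and byte counts are constructed; field type numbers follow RFC 3954.

```python
import struct
from ipaddress import IPv4Address
# RFC 3954 field type numbers decoded here; any other type keeps a generic name.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}

def parse_netflow_v9(packet):
    """Decode one export packet into a list of flow-record dicts. Templates are learned
    from the packet itself, so a template FlowSet must precede the data that uses it."""
    version, count, uptime, export_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    templates, records, pos = {}, [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")      # would otherwise loop forever
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:                                        # template FlowSet
            tid, nfields = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(nfields)]
        elif fs_id > 255 and fs_id in templates:              # data FlowSet with a known template
            fields = templates[fs_id]
            rec_len, off = sum(length for _, length in fields), 0
            while off + rec_len <= len(body):                 # leftover bytes shorter than a record are padding
                rec = {"export_time": export_secs, "source_id": source_id}
                for ftype, flen in fields:
                    raw, off = body[off:off + flen], off + flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        pos += fs_len
    return records

def build_sample_packet():
    """Constructed export packet: template 256 followed by two data records using it."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]   # src, dst, sport, dport, proto, bytes
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    def rec(src, dst, sport, dport, proto, nbytes):
        return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!HHBI", sport, dport, proto, nbytes)
    data = rec("10.1.5.20", "10.2.0.9", 49152, 445, 6, 12_400_000) + rec("10.1.5.20", "203.0.113.7", 49153, 443, 6, 900)
    pad = (-(4 + len(data))) % 4                                   # FlowSets are padded to a 32-bit boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 3, 123_456, 1_400_000_000, 1, 0)  # count 3 = 1 template + 2 data records
    return header + template_fs + data_fs

def decode_sample():
    return parse_netflow_v9(build_sample_packet())
```

A real collector keeps templates per exporter (source_id) across packets and expires them; this example only learns templates within a single packet.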

Page 11: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Advanced Detection Methods

[Figure: Signature, Behavior, Anomaly]

• Signature = Object against blacklist

– IPS, Antivirus, Content Filter

• Behavior = Inspect victim behavior against blacklist

– Malware Sandbox, NBAD, HIPS, SIEM

• Anomaly = Inspect victim behavior against whitelist

– NBAD, Quantity/Metric based, not Signature based

                  Signature   Behavior   Anomaly
Known Exploits    BEST        Good       Limited
0-day Exploits    Limited     BEST       Good
Credential Abuse  Limited     Limited    BEST

Page 12: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Algorithmic Detection

• Based on knowing normal

• Dependent on raw NetFlow MetaData (multiple sources)

• Does not require understanding of attack

• Output is security indices focused on host activity

Host Concern Index = 1,150,000

– Slow Scanning Activity: Add 325,000

– Abnormal connections: Add 425,000

– Internal pivot activity: Add 400,000
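The index arithmetic above, worked through as an added example (not Lancope's algorithm or code): three metric-based checks run over flow tuples, each adding the slide's point value to a per-host concern index. The address space, admin port list, scan threshold, flows and baseline are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")     # constructed enterprise address space
ADMIN_PORTS = {22, 445, 3389, 5985}     # remote-administration ports watched for pivoting
# Point values copied from the slide's illustration; a real NBAD product tunes these.
POINTS = {"Slow scanning activity": 325_000, "Abnormal connections": 425_000,
          "Internal pivot activity": 400_000}

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def concern_index(flows, baseline, scan_threshold=20):
    """flows: (src, dst, dst_port, bytes) tuples reduced from NetFlow records;
    baseline: {host: set(server ports it normally talks to)} learned from earlier days.
    Returns {host: (index, reasons)} for every host that earned points."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    # hosts that were themselves reached over an admin port from inside the network
    reached_by_admin = {dst for src, dst, port, _ in flows if port in ADMIN_PORTS and is_internal(src)}
    result = {}
    for src, fl in by_src.items():
        reasons = []
        # Slow scan: many distinct internal peers, each touched with almost no payload.
        probed = {dst for _, dst, _, nbytes in fl if is_internal(dst) and nbytes < 100}
        if len(probed) >= scan_threshold:
            reasons.append("Slow scanning activity")
        # Abnormal connections: server ports this host never used in its learned baseline.
        if {port for _, _, port, _ in fl} - baseline.get(src, set()):
            reasons.append("Abnormal connections")
        # Internal pivot: a host reached over an admin port now opens admin sessions to others.
        if src in reached_by_admin and any(port in ADMIN_PORTS and is_internal(dst) for _, dst, port, _ in fl):
            reasons.append("Internal pivot activity")
        if reasons:
            result[src] = (sum(POINTS[r] for r in reasons), reasons)
    return result

# Constructed sample: 10.1.9.3 opens RDP to 10.1.5.20, which then touches 25 internal hosts
# with tiny SMB probes, opens a real SMB session to one of them and talks to an outside host
# on a port it has never used before.
SAMPLE_FLOWS = [("10.1.9.3", "10.1.5.20", 3389, 250_000)]
SAMPLE_FLOWS += [("10.1.5.20", f"10.2.0.{i}", 445, 60) for i in range(1, 26)]
SAMPLE_FLOWS += [("10.1.5.20", "10.2.0.9", 445, 5_000_000), ("10.1.5.20", "203.0.113.7", 8443, 900)]
SAMPLE_BASELINE = {"10.1.9.3": {80, 443, 3389}, "10.1.5.20": {80, 443}}

def run_sample():
    return concern_index(SAMPLE_FLOWS, SAMPLE_BASELINE)
```

Note that none of the checks needs a signature: the index comes entirely from counts and from deviation against the host's own learned normal.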

Page 13: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Crown Jewels

Page 14: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Crown Jewels

• Card holder data (PCI)

• Patient records (HIPAA)

• Trade secrets

• Research Information

• Competitive information (M&A)

• Employee data (PII)

• State Secrets

• Bio-devices

Data that is valuable to attackers


Page 15: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Why do attackers care?

Attacker         Jewel            Motivation
Criminals        PCI Data         $4-$12/card
Criminals        Patient Records  $20-$50/record
Activists        Anything         Shaming
State Sponsored  Trade Secrets    Geopolitical
State Sponsored  Patient Records  ?!?!!!!

Page 16: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Where to Look? North, South, East and West = Every Communication

[Diagram: WAN, datacenter, access and core layers across the Atlanta, New York and San Jose sites: 3560-X, 3850 stack(s), Cat4k, Cat6k, ASA to the Internet, VPC servers, 3925 ISR, ASR-1000, Nexus 7000, UCS with Nexus 1000v]

Page 17: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


By Data Grouping

• Find your data

• “Pull the thread” with Top Peers/Flow Tables

• Host Group Policies with lower tolerance

Find your jewels


Page 18: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Data Anomaly Alarms

• Suspect Data Hoarding

• Target Data Hoarding

• Total Traffic

• Suspect Data Loss

Counting Access


Page 19: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Map the Segmentation

• Logical vs. Physical

• Map Segmentation

Watch the logical roadways


Page 20: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Custom Events

• Evolution of HLV

• Alert when Segmentation fails

• Allows for NOR logic

Alert on Zero Tolerance

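The three preceding slides (host group policies with lower tolerance, the four data anomaly alarms, and zero-tolerance custom events for failed segmentation) combined into one added example; this is illustrative code, not Lancope's implementation. Host groups, tolerances, the never-talk pairs, the flows and the baselines are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed host groups, most specific first; the crown-jewel group (CAD_Servers) gets the
# tightest tolerance (multiple of the learned baseline a host may reach before an alarm fires).
HOST_GROUPS = [("CAD_Servers", ip_network("10.10.0.0/24"), 1.5), ("Engineering", ip_network("10.20.0.0/16"), 3.0),
               ("Plant_Floor", ip_network("10.30.0.0/16"), 3.0), ("Internet", ip_network("0.0.0.0/0"), 3.0)]
NEVER_TALK = {("Plant_Floor", "Internet"), ("Internet", "CAD_Servers")}  # zero-tolerance custom events
ALARM_NAMES = {"pull": "Suspect Data Hoarding", "serve": "Target Data Hoarding",
               "upload": "Suspect Data Loss", "total": "Total Traffic"}

def group_of(ip):
    return next((name, tol) for name, net, tol in HOST_GROUPS if ip_address(ip) in net)

def evaluate(flows, baseline):
    """flows: (client, server, bytes_client_to_server, bytes_server_to_client) per conversation;
    baseline: {host: {"pull"|"serve"|"upload"|"total": normal bytes/day}}. Returns sorted alarms."""
    observed, alarms = defaultdict(lambda: defaultdict(int)), []
    for client, server, fwd, rev in flows:
        (cg, _), (sg, _) = group_of(client), group_of(server)
        if (cg, sg) in NEVER_TALK:                   # segmentation failed: no threshold, alarm at once
            alarms.append(("Segmentation Violation", client, fwd + rev))
        observed[client]["total"] += fwd + rev
        observed[server]["total"] += fwd + rev
        if sg == "Internet":
            observed[client]["upload"] += fwd        # data leaving the enterprise
        elif cg != "Internet":
            observed[client]["pull"] += rev          # inside host collecting inside data
            observed[server]["serve"] += rev         # inside host being drained
    for host, metrics in observed.items():
        name, tol = group_of(host)
        if name == "Internet":
            continue                                 # only inside hosts are policed
        for metric, value in metrics.items():
            if value > tol * baseline.get(host, {}).get(metric, 0):
                alarms.append((ALARM_NAMES[metric], host, value))
    return sorted(alarms)

# Constructed day of traffic: an engineer drains two CAD servers and uploads to the Internet,
# and a plant-floor controller reaches the Internet, which policy says must never happen.
SAMPLE_FLOWS = [("10.20.1.5", "10.10.0.4", 200_000, 12_000_000_000), ("10.20.1.5", "10.10.0.5", 50_000, 3_000_000_000),
                ("10.20.1.5", "203.0.113.7", 4_000_000_000, 20_000), ("10.30.2.7", "198.51.100.9", 300, 0),
                ("10.20.7.8", "10.10.0.4", 10_000, 400_000_000)]
SAMPLE_BASELINE = {"10.20.1.5": {"pull": 500_000_000, "upload": 50_000_000, "total": 1_000_000_000},
                   "10.20.7.8": {"pull": 500_000_000, "total": 1_000_000_000},
                   "10.10.0.4": {"serve": 6_000_000_000, "total": 10_000_000_000},
                   "10.10.0.5": {"serve": 6_000_000_000, "total": 10_000_000_000},
                   "10.30.2.7": {"upload": 0, "total": 1_000_000}}

def run_sample():
    return evaluate(SAMPLE_FLOWS, SAMPLE_BASELINE)
```

The plant-floor host trips both styles of detection at once: the custom event fires on the first byte regardless of volume, and the baseline check fires because its learned upload volume was zero.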

Page 21: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Monitoring Insiders

Page 22: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

What is an Insider?

• The Person

• The Credentials

• The Endpoint

Page 23: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

The Insider-Person Threat

Person

Vulnerability              Attack
Ideology/Disgruntlement    Recruitment
Financial hardship/Greed   Bribe/Scam
Fear                       Extortion
Loneliness                 Friendship/Romance
Love of Family             Kidnapping
Self Preservation          Physical harm/torture
Ego                        Flattery
Boredom                    Bad decisions

Page 24: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

The Insider-Credentials Threat

Credentials

Vulnerability                   Attack
Cryptographic Weakness          Brute force
Personal Markers/Public Record  Dictionary Attack
Multi-domain usage              SQLi
Analog-Digital Conversion       Keylogger/Camera
Transmission                    MitM

Page 25: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

The Insider-Endpoint Threat

Endpoint

Vulnerability             Attack
Decisions Made by Human   Malware
Open Ports                Worm
Supply Chain              Control-ware (C2)
“Walk ups”                Credential Abuse

Page 26: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Impossible Statistics

• Malware free attacks

• Ability to cover tracks

• Detailed Knowledge of Detection and Response

• Increasing Availability of Tools and Knowledge

• Attribution to user (was it malware, credential theft?)

Page 27: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

CERT: Common Sense Guide to Prevention and Detection of Insider Threats

                             IT Sabotage   Financial Gain                  Business Advantage
% of cases:                  45%           44%                             14%
Employment:                  Former        Current                         Current
Position:                    Technical     Data Entry & Customer Services  Technical or Sales
Authorized Access?           Rarely        75%                             88%
Used their own credentials?  30%           85%                             Almost always
Compromised an account?      43%           10%                             Rarely
Attack was non-technical:    65%           84%                             Almost always
When:                        After hours   Normal hours                    Normal hours
Where:                       Remote        Local                           Local
IDed due to:                 Logs          Logs                            Logs

Page 28: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Reducing Insider Vulnerabilities

• Background Checks (Financial, Ideological, Criminal)

• Better Authentication (Two-factor, Biometrics, Complex Passwords)

• Endpoint Hardening (Sandboxing, Policy)

Page 29: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Geographic User Anomaly

Page 30: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Data Hoarding

Page 31: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Data Loss

Page 32: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Increasing Risk to Insider through Audit Trails

• Criminals fear evidence

• Internal communications rarely monitored/collected

• Detection time exceeds data retention

Page 33: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Sources of visibility

• Firewall logs

– Are you logging everything or just denies?

• Internal & Host IPS systems

– HIPS potentially has a lot of breadth

– Can be expensive to deploy

– Signature based

• Log Management Solutions/SIEM

– Are you collecting everything?

– You can only see what gets logged

• NetFlow

– Lots of breadth, less depth

– Lower disk space requirements

• Full Packet Capture

– Deep but not broad

– Expensive

– High disk space requirements

Tradeoffs:

• Record everything vs only bad things

• Breadth vs Depth

• Time vs Depth

• Privacy

Page 34: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Internal Visibility Through NetFlow

[Diagram: NetFlow exported from the DMZ, VPN, Internal Network, Internet and 3G Internet segments to a central NetFlow Collector]

NetFlow record fields (Packets → NetFlow):

• src and dst ip

• src and dst port

• start time

• end time

• mac address

• byte count

• – more –

Page 35: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


User Attribution through Context Awareness

Page 36: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Following the User


Sometimes investigations start with user intelligence

Page 37: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


StealthWatch Overview

Page 38: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Lancope Overview

Leading provider of network visibility & security intelligence. Founded in 2000. 700+ Customers.

LOCATIONS

• Alpharetta, GA – Headquarters

• London, Germany, Dubai

INVESTORS

• $30m raised (last in 2005)

• Canaan Partners, HIG, Council Capital

• 4+ years profitability

TEAM

• Leadership from IBM, ISS, Dell SecureWorks, RSA, Motorola/AirDefense, Gartner, Cisco, TripWire, PolyCom, McKesson

• 100+ years combined experience

• 250+ employees

StealthWatch Delivers:

StealthWatch System provides context-aware security, enabling organizations to quickly detect a wide range of attacks (e.g. APT, DDoS, malware, insider threat), accelerate incident response, improve forensic investigations and reduce enterprise risk.

• Complete Network Visibility & Security Intelligence

• Detect & Resolve Advanced Threats

• Accelerate Incident Response & Forensic Investigations

• Reduce Operational & Enterprise Risk

Page 39: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Use NetFlow Data to Extend Visibility to the Access Layer

StealthWatch: Your Network Is Your Sensor – Visibility, Context, and Control

[Diagram: WHO, WHAT, WHERE, WHEN, HOW – Internal Network, Identity, Routers & Switches, Firewall, Context, Hardware-enabled NetFlow Switch, Devices]

• Enrich Flow Data with Identity, Events and Application to Create Context

• Unify Into a Single Pane of Glass for Detection, Investigation and Reporting

Page 40: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Gain Context-Aware Security

Everything must touch the network. What else can the network tell me?

With StealthWatch…

• KNOW every host

• Know what is NORMAL

• RECORD every conversation

• Alert to CHANGE

• Store for MONTHS

[Diagram: Company Network – Assess, Audit, Posture, Response, Context, Detect]

Page 41: Save Your Network – Protecting Manufacturing Data from Deadly Breaches

Lancope Solution Portfolio

• StealthWatch Management Console

• StealthWatch FlowReplicator

• StealthWatch FlowCollector – receives NetFlow, syslog, SNMP from NetFlow enabled routers, switches, firewalls

• StealthWatch FlowSensor

• vSphere with StealthWatch FlowSensor VE

• ID1100 – User and Device Information

Page 42: Save Your Network – Protecting Manufacturing Data from Deadly Breaches


Thank you