Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Transcript of Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Charles Herring, Consulting Security Architect
Manufacturer Threats
© 2014 Lancope, Inc. All rights reserved.
Agenda
• Problem Description
• NBAD Definitions
• Protecting “Crown Jewels”
• Monitoring Insiders
• Audit Trails for Response
• StealthWatch Overview
Problem Description
Confirmed Manufacturing Targets
• Intellectual Property – loss of $1M+ each
• M&A Data – loss of $50M+ each
Aggressors (and their motivation)
• Activist – Ideology
• Competitors – Money
• Nation States – Geopolitical
• Insider – Diverse
Manufacturing Vulnerabilities
Porous Access to Data
Human access to IP
Contractor/Partner collaboration
Geo distribution of teams
Manufacturing Vulnerabilities
Diverse systems/networks
Hard to build & monitor scopes
Ultra connectivity with manufacturing devices
Many types of users
Patch/support issues
Lack of device guidance on hardening
NBAD Definitions
What is NBAD
• Network Behavioral Anomaly Detection
• Data source = Network MetaData (NetFlow)
• Probe locations = Core or deeper
• Quantity/Metric Centric (not Pattern/Signature Centric)
• Sometimes used to refer to NetFlow Security Tools
Network Logging Standards
• NetFlow v9 (RFC 3954)
• IPFIX (RFC 5101; the IPFIX protocol specification was revised as RFC 7011 in 2013)
• Rebranded NetFlow
  – Jflow – Juniper
  – Cflowd – Juniper/Alcatel-Lucent
  – NetStream – 3Com/Huawei
  – Rflow – Ericsson
  – AppFlow – Citrix
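The decoder below is an added example (not Lancope or Cisco code) of what a collector does with a NetFlow v9 export packet: it reads the 20-byte header, learns templates from a template FlowSet (ID 0) and then decodes data FlowSets keyed by template ID. The packet is constructed inline by `build_sample_packet`, so it runs offline; the template ID 256, the field list and the two flows are assumptions. The caveat it enforces is the one that bites in practice: a data FlowSet cannot be decoded until its template has been seen, so collectors keep a per-exporter template cache and drop or buffer data that arrives before the next template refresh.

```python
"""Minimal NetFlow v9 (RFC 3954) decoder: header, template FlowSet and
data FlowSet. Added example, not Lancope or Cisco code. The sample
packet is constructed here, not captured from a real exporter."""
import socket
import struct

# Field type IDs from RFC 3954 section 8 (only the ones this example uses).
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
    8: "src_addr", 11: "dst_port", 12: "dst_addr",
    21: "last_switched", 22: "first_switched",
}

# Assumed template for the demo exporter; template IDs must be >= 256.
TEMPLATE_ID = 256
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]

# Constructed flows: (src, dst, sport, dport, proto, bytes, packets).
SAMPLE_FLOWS = [
    ("10.1.20.15", "10.1.50.7", 51234, 445, 6, 1200, 8),
    ("10.1.20.15", "203.0.113.9", 51240, 443, 6, 5_000_000, 3600),
]


def build_sample_packet(flows, include_template=True):
    """Encode one export packet. Omitting the template reproduces what a
    collector sees when it starts up between template refreshes."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
        body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body
    data = b""
    for src, dst, sport, dport, proto, nbytes, npkts in flows:
        data += socket.inet_aton(src) + socket.inet_aton(dst)
        data += struct.pack("!HHBII", sport, dport, proto, nbytes, npkts)
    pad = (-len(data)) % 4  # FlowSets are padded to a 32-bit boundary
    flowsets += struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\x00" * pad
    count = len(flows) + (1 if include_template else 0)  # header count is records, not FlowSets
    header = struct.pack("!HHIIII", 9, count, 123_456, 1_400_000_000, 1, 0)
    return header + flowsets


def _decode_field(ftype, raw):
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")


def decode_v9(packet, templates=None):
    """Decode one packet. `templates` is the per-exporter cache of
    template_id -> [(field_type, length), ...] and is updated in place.
    Returns (records, skipped): skipped counts data FlowSets whose
    template has not been seen yet, which a real collector must wait for."""
    if templates is None:
        templates = {}
    version, _count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, skipped, pos = [], 0, 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:  # template FlowSet; may carry several templates
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                off += 4
                templates[tid] = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                                  for i in range(nfields)]
                off += 4 * nfields
        elif fs_id >= 256:  # data FlowSet, keyed by template ID
            tmpl = templates.get(fs_id)
            if not tmpl:
                skipped += 1
            else:
                rec_len = sum(flen for _, flen in tmpl)
                off = 0
                while off + rec_len <= len(body):  # leftover bytes are padding
                    rec, cur = {}, off
                    for ftype, flen in tmpl:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[cur:cur + flen])
                        cur += flen
                    records.append(rec)
                    off += rec_len
        # fs_id 1 (options template) and 2..255 (reserved) are ignored here
        pos += fs_len
    return records, skipped
```

Calling `decode_v9(build_sample_packet(SAMPLE_FLOWS, include_template=False))` with a fresh cache returns no records and one skipped FlowSet; feed the same packet after one that carried the template and both flows decode. That ordering dependency is why collectors that are restarted mid-day show a gap until the exporter's next template refresh.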
[Diagram: the basic/common NetFlow fields feed all three detection methods: Signature, Behavior and Anomaly]
Advanced Detection Methods
• Signature = Object checked against a blacklist (IPS, Antivirus, Content Filter)
• Behavior = Inspect victim behavior against a blacklist (Malware Sandbox, NBAD, HIPS, SIEM)
• Anomaly = Inspect victim behavior against a whitelist (NBAD; Quantity/Metric based, not Signature based)

                  Signature   Behavior   Anomaly
Known Exploits    BEST        Good       Limited
0-day Exploits    Limited     BEST       Good
Credential Abuse  Limited     Limited    BEST
Algorithmic Detection
• Based on knowing normal
• Dependent on raw NetFlow MetaData (multiple sources)
• Does not require understanding of the attack
• Output is security indices focused on host activity

Host Concern Index = 1,150,000
  Slow scanning activity:  add 325,000
  Abnormal connections:    add 425,000
  Internal pivot activity: add 400,000
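The following is an added example (not StealthWatch's algorithm) of how a host concern index accumulates from several flow-based detectors, none of which needs to know what the attack is. Each detector compares observed NetFlow-style records against a notion of normal: a slow scanner is a source touching many distinct targets with tiny payloads spread out over time, an abnormal connection is a peer absent from the host's learned baseline, and an internal pivot is a host that receives an admin-port session from inside and then opens admin-port sessions onward. The flows, the baseline and the addressing are constructed; the point values are the slide's illustrative numbers so the worked result lands on 1,150,000.

```python
"""Host Concern Index built from NetFlow-style records. Added example,
not StealthWatch's algorithm. Flows, the baseline of normal peers and
the point values are constructed; the points are the slide's
illustrative numbers so the worked result matches it."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal range
ADMIN_PORTS = {22, 445, 3389, 5985}          # ports used for lateral movement
POINTS = {"slow_scan": 325_000, "abnormal_connection": 425_000, "internal_pivot": 400_000}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int
    start: int  # epoch seconds


def _is_internal(ip):
    return ip_address(ip) in INTERNAL


def detect_slow_scan(flows, min_targets=20, max_bytes=200, min_span=600):
    """Source touching many distinct dst:port targets with tiny payloads,
    spread over at least min_span seconds. A rate threshold catches fast
    scanners; a patient one only shows up when counted over time."""
    by_src = defaultdict(list)
    for f in flows:
        if f.nbytes <= max_bytes:
            by_src[f.src].append(f)
    hits = set()
    for src, small in by_src.items():
        targets = {(f.dst, f.dport) for f in small}
        span = max(f.start for f in small) - min(f.start for f in small)
        if len(targets) >= min_targets and span >= min_span:
            hits.add(src)
    return hits


def detect_abnormal_connections(flows, baseline):
    """Whitelist logic: a source talking to a peer absent from its learned
    baseline. No attack knowledge needed, only knowledge of normal."""
    return {f.src for f in flows if f.dst not in baseline.get(f.src, set())}


def detect_internal_pivot(flows, window=3600):
    """Host that receives an internal admin-port connection and then opens
    admin-port connections to other internal hosts within `window`
    seconds: the flow footprint of lateral movement."""
    inbound = defaultdict(list)  # host -> start times of inbound admin sessions
    for f in flows:
        if f.dport in ADMIN_PORTS and _is_internal(f.src) and _is_internal(f.dst):
            inbound[f.dst].append(f.start)
    hits = set()
    for f in flows:
        if f.dport in ADMIN_PORTS and _is_internal(f.dst) and f.src in inbound:
            if any(0 <= f.start - t <= window for t in inbound[f.src]):
                hits.add(f.src)
    return hits


def concern_index(flows, baseline):
    """Accumulate points per host across detectors.
    Returns host -> (total points, sorted list of reasons)."""
    index = defaultdict(lambda: [0, []])
    detectors = (("slow_scan", detect_slow_scan(flows)),
                 ("abnormal_connection", detect_abnormal_connections(flows, baseline)),
                 ("internal_pivot", detect_internal_pivot(flows)))
    for name, hits in detectors:
        for host in hits:
            index[host][0] += POINTS[name]
            index[host][1].append(name)
    return {h: (total, sorted(reasons)) for h, (total, reasons) in index.items()}


# Constructed scenario. T0 is an arbitrary epoch time.
T0 = 1_400_000_000
BASELINE = {  # learned "normal" peers per host (assumed)
    "10.1.20.15": {"10.1.50.7"},
    "10.1.20.16": {"10.1.50.7"},
    "10.1.20.99": {"10.1.20.15"},  # the admin host that normally manages .15
}
SAMPLE_FLOWS = (
    [Flow("10.1.20.16", "10.1.50.7", 445, 40_000, T0 + 60)]        # normal file-server use
    + [Flow("10.1.20.99", "10.1.20.15", 445, 9_000, T0 - 300)]     # admin session into .15
    + [Flow("10.1.20.15", f"10.1.60.{i}", 445, 64, T0 + i * 120)   # one SMB probe every 2 minutes
       for i in range(1, 25)]
    + [Flow("10.1.20.15", "10.1.60.11", 445, 900_000, T0 + 3000)]  # then a real SMB session onward
)
```

`concern_index(SAMPLE_FLOWS, BASELINE)` gives 10.1.20.15 all three reasons and 1,150,000 points, while the workstation doing normal file-server work never appears. Raising `min_span` above the 46-minute probe window makes the scan invisible again, which is the practical reason these detectors count over long windows rather than per second.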
Crown Jewels
Crown Jewels
• Card holder data (PCI)
• Patient records (HIPAA)
• Trade secrets
• Research Information
• Competitive information (M&A)
• Employee data (PII)
• State Secrets
• Bio-devices
Data that is valuable to attackers
Why do attackers care?
Attacker          Jewel            Motivation
Criminals         PCI Data         $4-$12/card
Criminals         Patient Records  $20-$50/record
Activists         Anything         Shaming
State Sponsored   Trade Secrets    Geopolitical
State Sponsored   Patient Records  ?!?!!!!
[Diagram: reference enterprise network across WAN, Datacenter, Access and Core layers, with Atlanta, New York and San Jose sites; 3560-X and 3850 stack access switches, Cat4k and Cat6k, ASA to the Internet, 3925 ISR and ASR-1000 WAN routers, Nexus 7000 and UCS with Nexus 1000v in the datacenter, VPC servers]
Where to Look? North, South, East and West = Every Communication
By Data Grouping
• Find your data
• “Pull the thread” with Top Peers/Flow Tables
• Host Group Policies with lower tolerance
Find your jewels
Data Anomaly Alarms
• Suspect Data Hoarding
• Target Data Hoarding
• Total Traffic
• Suspect Data Loss
Counting Access
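As an added example (not StealthWatch's alarm logic), the code below shows the "find your jewels, then count access" idea from the last two slides as a baseline check over per-host daily byte counters: each host is compared against its own history, and the host group it belongs to sets how far above normal it may go before an alarm. The four alarms map to the slide's list (a client pulling far more from inside than usual, a server being read far more than usual, a host pushing far more to the outside, and raw total traffic). Counters, history and group names are constructed; the tolerances are assumptions.

```python
"""Data hoarding / data loss alarms from per-host daily byte counters,
with a per-host-group tolerance. Added example, not StealthWatch's
alarm logic; counters, baselines and group names are constructed."""
from statistics import mean, pstdev

MB = 1_000_000
# Tolerance = how many standard deviations above its own baseline a host
# may go before alarming. Groups holding crown jewels get a lower one.
GROUP_TOLERANCE = {"default": 4.0, "eng_workstations": 3.0, "cad_file_servers": 2.0}
MIN_ALARM_BYTES = 50 * MB   # ignore hosts whose whole baseline is noise
MIN_BASELINE_DAYS = 7       # cannot call anything abnormal before knowing normal

# Alarm name -> which counter it watches (all counters are bytes per day).
ALARMS = {
    "suspect_data_hoarding": "in_from_internal",  # a client pulling far more from inside than usual
    "target_data_hoarding": "out_to_internal",    # a server being read far more than usual
    "suspect_data_loss": "out_to_external",       # a host pushing far more outside than usual
    "total_traffic": "total",
}


def group_of(host, host_groups):
    for name, members in host_groups.items():
        if host in members:
            return name
    return "default"


def threshold(history, tolerance):
    """Mean + tolerance*sigma of the host's own past days, floored so a
    quiet host does not alarm on a few extra kilobytes."""
    return max(mean(history) + tolerance * pstdev(history), MIN_ALARM_BYTES)


def evaluate(today, history, host_groups):
    """today: host -> {counter: bytes}; history: host -> {counter: [bytes per past day]}.
    Returns a sorted list of (alarm, host, observed_bytes, threshold_bytes)."""
    alarms = []
    for host, counters in today.items():
        tol = GROUP_TOLERANCE[group_of(host, host_groups)]
        for name, counter in ALARMS.items():
            past = history.get(host, {}).get(counter, [])
            if len(past) < MIN_BASELINE_DAYS or counter not in counters:
                continue
            thr = threshold(past, tol)
            if counters[counter] > thr:
                alarms.append((name, host, counters[counter], int(thr)))
    return sorted(alarms)


# Constructed data: 14 days of alternating values give an exact mean and sigma.
HOST_GROUPS = {"eng_workstations": {"10.1.20.15"}, "cad_file_servers": {"10.1.50.7"}}
HISTORY = {
    "10.1.20.15": {"in_from_internal": [350 * MB, 450 * MB] * 7,     # mean 400 MB, sigma 50 MB
                   "out_to_external": [40 * MB, 60 * MB] * 7},        # mean 50 MB, sigma 10 MB
    "10.1.50.7": {"out_to_internal": [18_000 * MB, 22_000 * MB] * 7},  # mean 20 GB, sigma 2 GB
}
TODAY = {
    "10.1.20.15": {"in_from_internal": 6_000 * MB, "out_to_external": 5_500 * MB},
    "10.1.50.7": {"out_to_internal": 26_000 * MB},
}
```

With the CAD file server in its own low-tolerance group, a day of 26 GB read out of it trips `target_data_hoarding` (threshold 24 GB); with no host groups at all the default tolerance puts the threshold at 28 GB and the same day passes silently. That difference is the whole point of putting crown-jewel hosts in their own group with a tighter policy.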
Map the Segmentation
• Logical vs. Physical
• Map Segmentation
Watch the logical roadways
Custom Events
• Evolution of HLV (Host Lock Violation)
• Alert when Segmentation fails
• Allows for NOR logic
Alert on Zero Tolerance
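The following added example (not StealthWatch's Custom Event engine) shows the zero-tolerance idea: hosts are mapped to groups by address, each custom event names a source group and a set of destination groups, and with the negate flag the event fires when the destination is in none of them (NOR logic), so a rule can say "PLCs may only talk to other PLCs or the OT jump hosts" without enumerating everything else. There is no threshold: a single flow is the event. The address plan, group names, events and flows are constructed, and the code assumes the collector has stitched both directions of a conversation so that `src` is the initiating side; on unstitched unidirectional records a server's replies would look like server-initiated flows.

```python
"""Zero-tolerance segmentation events over flow records. Added example,
not StealthWatch's Custom Event engine. Host groups, events and flows are
constructed; assumes the collector has stitched both directions of a
conversation so that `src` is the initiating side."""
from ipaddress import ip_address, ip_network

HOST_GROUPS = {  # assumed addressing plan
    "eng_workstations": [ip_network("10.1.20.0/24")],
    "cad_servers": [ip_network("10.1.50.0/24")],
    "ot_jump_hosts": [ip_network("10.1.70.0/28")],
    "plc_network": [ip_network("10.9.0.0/16")],
    "contractor_vpn": [ip_network("10.200.0.0/16")],
}


def group_of(ip):
    addr = ip_address(ip)
    for name, nets in HOST_GROUPS.items():
        if any(addr in net for net in nets):
            return name
    return "outside"  # anything unclassified, the Internet included


# (name, source groups, destination groups, negate_destination)
# With negate_destination the event fires when the destination is in NONE
# of the listed groups: NOR logic.
CUSTOM_EVENTS = [
    ("plc_talks_outside_cell", {"plc_network"}, {"plc_network", "ot_jump_hosts"}, True),
    ("cad_server_initiates_outbound", {"cad_servers"}, {"cad_servers", "eng_workstations"}, True),
    ("contractor_reaches_ot", {"contractor_vpn"}, {"plc_network", "ot_jump_hosts"}, False),
]


def matches(event, src_group, dst_group):
    _name, src_groups, dst_groups, negate = event
    if src_group not in src_groups:
        return False
    in_dst = dst_group in dst_groups
    return (not in_dst) if negate else in_dst


def evaluate(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns the list of
    (event, src, dst, dport) for every flow that violates a rule; one
    flow is enough, there is no threshold to tune."""
    events = []
    for src, dst, dport in flows:
        sg, dg = group_of(src), group_of(dst)
        for ev in CUSTOM_EVENTS:
            if matches(ev, sg, dg):
                events.append((ev[0], src, dst, dport))
    return events


SAMPLE_FLOWS = [  # constructed
    ("10.9.3.20", "10.1.70.2", 502),        # PLC to OT jump host: allowed
    ("10.9.3.20", "203.0.113.50", 443),     # PLC reaching the Internet
    ("10.200.1.5", "10.1.50.7", 443),       # contractor to CAD server: allowed
    ("10.200.1.5", "10.9.3.20", 502),       # contractor straight to a PLC
    ("10.1.50.7", "198.51.100.8", 443),     # CAD server opening an outbound session
    ("10.1.20.15", "10.1.50.7", 445),       # engineer to CAD server: allowed
]
```

`evaluate(SAMPLE_FLOWS)` returns three events, one per violating flow, and nothing for the permitted conversations. Because the events are keyed on groups rather than addresses, adding a PLC subnet to `HOST_GROUPS` extends every rule at once, which is what makes this workable on a plant floor where the segmentation map changes faster than a signature set would.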
Monitoring Insiders
What is an Insider?
The Person, The Credentials, The Endpoint
The Insider-Person Threat
Person
Vulnerability              Attack
Ideology/Disgruntlement    Recruitment
Financial hardship/Greed   Bribe/Scam
Fear                       Extortion
Loneliness                 Friendship/Romance
Love of Family             Kidnapping
Self Preservation          Physical harm/torture
Ego                        Flattery
Boredom                    Bad decisions
The Insider-Credentials Threat
Credentials
Vulnerability                   Attack
Cryptographic Weakness          Brute force
Personal Markers/Public Record  Dictionary Attack
Multi-domain usage              SQLi
Analog-Digital Conversion       Keylogger/Camera
Transmission                    MitM
The Insider-Endpoint Threat
Endpoint
Vulnerability             Attack
Decisions Made by Human   Malware
Open Ports                Worm
Supply Chain              Control-ware (C2)
“Walk ups”                Credential Abuse
Impossible Statistics
• Malware free attacks
• Ability to cover tracks
• Detailed Knowledge of Detection and Response
• Increasing Availability of Tools and Knowledge
• Attribution to user (was it malware, credential theft?)
CERT: Common Sense Guide to Prevention and Detection of Insider Threats

                           IT Sabotage    Financial Gain                  Business Advantage
% of cases:                45%            44%                             14%
Employment:                Former         Current                         Current
Position:                  Technical      Data Entry & Customer Services  Technical or Sales
Authorized access?         Rarely         75%                             88%
Used own credentials?      30%            85%                             Almost always
Compromised an account?    43%            10%                             Rarely
Attack was non-technical:  65%            84%                             Almost always
When:                      After hours    Normal hours                    Normal hours
Where:                     Remote         Local                           Local
IDed due to:               Logs           Logs                            Logs
Reducing Insider Vulnerabilities
• Background Checks (Financial, Ideological, Criminal)
• Better Authentication (Two-factor, Biometrics, Complex Passwords)
• Endpoint Hardening (Sandboxing, Policy)
Geographic User Anomaly
Data Hoarding
Data Loss
Increasing Risk to Insider through Audit Trails
• Criminals fear evidence
• Internal communications rarely monitored/collected
• Detection time exceeds data retention
Sources of visibility
• Firewall logs
  – Are you logging everything or just denies?
• Internal & Host IPS systems
  – HIPS potentially has a lot of breadth
  – Can be expensive to deploy
  – Signature based
• Log Management Solutions/SIEM
  – Are you collecting everything?
  – You can only see what gets logged
• NetFlow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements
Tradeoffs:
• Record everything vs. only bad things
• Breadth vs. Depth
• Time vs. Depth
• Privacy
Internal Visibility Through NetFlow
[Diagram: DMZ, VPN, Internal Network, Internet and 3G/Internet links; every segment exports NetFlow to a central NetFlow Collector]
Each NetFlow record carries, per conversation:
• src and dst IP
• src and dst port
• start time
• end time
• MAC address
• byte count
• and more
User Attribution through Context Awareness
Following the User
Sometimes investigations start with user intelligence
StealthWatch Overview
Lancope Overview
LOCATIONS: Alpharetta, GA (headquarters); London, Germany, Dubai
INVESTORS: $30m raised (last in 2005) – Canaan Partners, HIG, Council Capital; 4+ years profitability
TEAM: Leadership from IBM, ISS, Dell SecureWorks, RSA, Motorola/AirDefense, Gartner, Cisco, TripWire, PolyCom, McKesson; 100+ years combined experience; 250+ employees
Leading provider of network visibility & security intelligence. Founded in 2000. 700+ customers.
StealthWatch Delivers:
StealthWatch System provides context-aware security, enabling organizations to quickly detect a wide range of attacks (e.g. APT, DDoS, malware, insider threat), accelerate incident response, improve forensic investigations and reduce enterprise risk.
• Complete Network Visibility & Security Intelligence
• Detect & Resolve Advanced Threats
• Accelerate Incident Response & Forensic Investigations
• Reduce Operational & Enterprise Risk
Use NetFlow Data to Extend Visibility to the Access Layer
WHO, WHAT, WHERE, WHEN, HOW
StealthWatch: Your Network Is Your Sensor
Visibility, Context, and Control
[Diagram: Internal Network with Identity, Routers & Switches, Firewall, Context and Devices feeding StealthWatch through hardware-enabled NetFlow switches]
Enrich Flow Data with Identity, Events and Application to Create Context
Unify Into a Single Pane of Glass for Detection, Investigation and Reporting
Everything must touch the network
• KNOW every host
• Know what is NORMAL
• What else can the network tell me?
• RECORD every conversation
Gain Context-Aware Security
[Diagram: Company Network – Assess, Audit, Posture, Response, Context, Detect]
With StealthWatch…
• Alert to CHANGE
• Store for MONTHS
Lancope Solution Portfolio
• StealthWatch Management Console
• StealthWatch FlowReplicator (NetFlow, syslog, SNMP)
• StealthWatch FlowCollector – fed by NetFlow enabled routers, switches, firewalls
• StealthWatch FlowSensor; vSphere with StealthWatch FlowSensor VE
• StealthWatch ID1100 – User and Device Information
Thank you