2009 10 22 Jeff Brown Raytheon ISA AIA Raytheon Information Sharing Webinar Entitled Information Assurance Strategy for the Rest of Us

Transcript
  • 7/31/2019 2009 10 22 Jeff Brown Raytheon ISA AIA Raytheon Information Sharing Webinar Entitled Information Assurance Strategy for the Rest of Us

    An Information Assurance Strategy for the Rest of Us

    Jeff Brown, CISO

    22 October, 2009

    Copyright 2009 Raytheon Company. All rights reserved.

    "Customer Success Is Our Mission" is a registered trademark of Raytheon Company.

    Sponsored by the Aero Webinar Series

  • Page 2

    Upcoming AIA/ISA Webinars

    - Testing In A Real Environment Leads to Faster Cyber Security Innovation, featuring General (Ret.) Charles "Charlie" Croom, Vice President of Cyber Security Solutions, Lockheed Martin Information Systems & Global Services, and Curt Aubley, Chief Technology Officer (CTO), Lockheed Martin Operations & Next Generation Solutions. To be presented on 11/5/09.

    - Supply Chain Issues in Cyber Security: A Framework for Moving Forward, featuring Scott Borg, Director and Chief Economist (CEO) at the U.S. Cyber Consequences Unit. To be presented on 11/19/09.

    - Legal Framework for Securing Unified Communications, featuring Jeffrey Ritter, President, Waters Edge Consulting.

  • Page 3

    Roadmap

    The Environment

    A Strategy Beyond Defense in Depth

    3 Affordable Ways to Implement the Strategy

  • Page 4

    The Advanced Persistent Threat

    - Increasingly sophisticated cyber threats by hostile entities designed to gain control of your network for the long term.
    - Intellectual property theft on a grand scale.
    - Not just one particular country or group.
    - Aerospace companies are target #1!

  • Page 5

    None of us, big or small, can stop a determined cyber attack from succeeding!

    We can't rely on traditional defenses alone (good patching, firewalls, IDS, AV, etc.) in the age of social engineering and zero-day exploits.

  • Page 6

    But how much can you invest in cyber security?

    Likely not a fraction of what DoD and the Big Primes are investing.

  • Page 7

    So where does that leave us?

    We can't stop e-mail or web browsing.

  • Page 8

    It would be easy to be pessimistic. But you'd be wrong.

    There is a strategy that can give you a lot of lift.

  • Page 9

    A Strategy for the Rest of Us

    - Recognize they will get in.
    - Work to detect and disrupt outbound command and control channels.

    If intruders get in, but can't get back out, we win!

  • Page 10

    If your infrastructure addresses the fact that intruders will get in, the number of intrusions becomes much less relevant.

    Which has less risk?

    - If 100 get in and can't get out, or only last a day before C2 monitoring finds them
    - If 10 get in and have free rein for 3 months before a sys admin finds them

  • Page 11

    The primary metric becomes Dwell Time

    How long were you exposed?

  • Page 12

    Your Goal

    - Your goal should be to drive down Dwell Time any way you can.
    - If Dwell Time trends down, your cyber security is improving.

    [Chart: days between compromise and discovery, plotted per incident/date]
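    As an added example (not from the original webinar), the Python below computes the dwell-time metric the slide describes: days between compromise and discovery for each incident, the median and worst case, and a least-squares trend across incidents so "is it trending down?" becomes a number rather than a judgment call. The incident dates are constructed; the incident ids are placeholders.

```python
"""Dwell-time metric: days between compromise and discovery per incident,
plus the trend across incidents. Added example; all incident data is constructed."""
from datetime import date
from typing import List, Tuple

# Constructed sample incidents: (incident id, compromise date, discovery date).
# Not real data; chosen to show a falling trend with one late outlier.
INCIDENTS = [
    ("INC-01", date(2009, 1, 5),  date(2009, 4, 2)),
    ("INC-02", date(2009, 2, 10), date(2009, 3, 20)),
    ("INC-03", date(2009, 4, 1),  date(2009, 4, 29)),
    ("INC-04", date(2009, 5, 14), date(2009, 6, 30)),
    ("INC-05", date(2009, 7, 2),  date(2009, 7, 16)),
    ("INC-06", date(2009, 8, 20), date(2009, 8, 23)),
]


def dwell_days(compromise: date, discovery: date) -> int:
    """Days the intruder had before anyone noticed."""
    if discovery < compromise:
        raise ValueError("discovery date precedes compromise date")
    return (discovery - compromise).days


def dwell_series(incidents) -> List[Tuple[str, date, int]]:
    """(incident id, discovery date, dwell days) ordered by discovery date,
    i.e. in the order the organisation learned about each one."""
    rows = [(inc, disc, dwell_days(comp, disc)) for inc, comp, disc in incidents]
    return sorted(rows, key=lambda r: r[1])


def median(values):
    s = sorted(values)
    n = len(s)
    mid = n // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2


def trend_slope(series) -> float:
    """Least-squares slope of dwell days against discovery date (days per day).
    Negative means dwell time is falling, i.e. detection is improving."""
    origin = series[0][1]
    xs = [(disc - origin).days for _, disc, _ in series]
    ys = [d for _, _, d in series]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx if sxx else 0.0


def summarize(incidents):
    series = dwell_series(incidents)
    slope = trend_slope(series)
    return {
        "median_days": median([d for _, _, d in series]),
        "max_days": max(d for _, _, d in series),
        "slope_per_30_days": round(slope * 30, 2),
        "improving": slope < 0,
    }


if __name__ == "__main__":
    for inc, disc, days in dwell_series(INCIDENTS):
        print(f"{inc} discovered {disc} dwell={days}d")
    print(summarize(INCIDENTS))
```

    The median matters more than the mean here: one long-undetected intrusion will swing the mean for a year, while the median tells you what a typical detection looks like. Track both, and treat any individual incident above the median as the one to write the lessons-learned for.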

  • Page 13

    So Focus on Outbound Traffic

    - It's easier and the highest payoff!
    - There is far less noise on outbound traffic.
    - It decouples malware detection from the vulnerability.

    Disrupt and Deny the Adversary's Command and Control Traffic


  • Page 15

    Blocking the Known

    Discover and block C2 sites any way you can.

    You can use other people's money! Collaboration is cheap. The return on investment is high.


  • Page 17

    You Don't Have to Share Much

    - You're not admitting you were compromised, just that you found something.

    Share the outbound traffic info! "We saw malware beaconing or communicating to www.badsite.org or 123.45.67.211."
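    As an added example, not part of the original slides, the following Python script does the two outbound-traffic jobs from Pages 13, 15 and 17 together: it matches outbound connection records against shared indicators (blocking the known, using the placeholder indicators from the slide above, www.badsite.org and 123.45.67.211, plus a CIDR), and it flags source/destination pairs whose check-in intervals are nearly constant, the timing signature of a beacon to a C2 site nobody has shared yet. The key=value log format, the internal hosts, the other destinations and the 203.0.113.0/24 indicator are all constructed.

```python
"""Outbound-traffic analysis: match connections against shared C2 indicators
(block the known) and flag periodic beaconing to everything else (find the
unknown). Added example; log format, hosts and indicators are constructed."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed shared indicators, as a peer might pass them along:
# "we saw malware beaconing to www.badsite.org or 123.45.67.211".
SHARED_INDICATORS = ["www.badsite.org", "123.45.67.211", "203.0.113.0/24"]

# Constructed outbound connection log (hypothetical key=value format).
LOG = """\
2009-10-22T08:00:00 src=10.1.5.23 dst=www.example-update.com dstip=198.51.100.7 bytes=5120
2009-10-22T08:00:05 src=10.1.5.23 dst=www.badsite.org dstip=123.45.67.211 bytes=212
2009-10-22T08:10:00 src=10.1.7.40 dst=w3f9x.example-unknown.net dstip=192.0.2.55 bytes=301
2009-10-22T08:20:01 src=10.1.7.40 dst=w3f9x.example-unknown.net dstip=192.0.2.55 bytes=298
2009-10-22T08:29:58 src=10.1.7.40 dst=w3f9x.example-unknown.net dstip=192.0.2.55 bytes=305
2009-10-22T08:40:02 src=10.1.7.40 dst=w3f9x.example-unknown.net dstip=192.0.2.55 bytes=299
2009-10-22T08:03:00 src=10.1.9.12 dst=www.example-news.com dstip=198.51.100.9 bytes=70233
2009-10-22T08:41:00 src=10.1.9.12 dst=www.example-news.com dstip=198.51.100.9 bytes=80111
2009-10-22T09:15:00 src=10.1.9.12 dst=www.example-news.com dstip=198.51.100.9 bytes=61000
2009-10-22T09:17:30 src=10.1.9.12 dst=www.example-news.com dstip=198.51.100.9 bytes=59000
2009-10-22T09:00:00 src=10.1.5.23 dst=files.example-host.net dstip=203.0.113.20 bytes=900
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dstip=(\S+) bytes=(\d+)$")


class IndicatorSet:
    """Domain-suffix, single-IP and CIDR matching for shared C2 indicators."""

    def __init__(self, indicators):
        self.domains, self.networks = set(), []
        for ind in indicators:
            try:
                self.networks.append(ipaddress.ip_network(ind, strict=False))
            except ValueError:  # not an address or CIDR, so treat it as a domain
                self.domains.add(ind.lower().strip("."))

    def matches(self, host, ip):
        labels = host.lower().strip(".").split(".")
        # Check the host and each parent domain, so cdn.badsite.org hits badsite.org.
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.domains:
                return True
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in self.networks)


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, src, dst, dstip, size = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, dstip, int(size)))
    return events


def known_c2_hits(events, indicators):
    return [(src, dst, dstip) for _, src, dst, dstip, _ in events
            if indicators.matches(dst, dstip)]


def beacon_candidates(events, min_hits=4, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    cv is the standard deviation of the gaps divided by their mean; a human
    browsing produces a large cv, a scheduled check-in a small one."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, size in events:
        by_pair[(src, dst)].append((ts, size))
    flagged = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged.append((src, dst, round(mean), round(cv, 3)))
    return flagged


def analyze(log_text=LOG, indicators=SHARED_INDICATORS):
    events = parse(log_text)
    return {"known_c2": known_c2_hits(events, IndicatorSet(indicators)),
            "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    result = analyze()
    for hit in result["known_c2"]:
        print("KNOWN C2 ", hit)
    for beacon in result["beacons"]:
        print("BEACON?  ", beacon)
```

    The minimum hit count and the coefficient-of-variation threshold are tuning knobs, not constants: real implants add jitter, so loosen max_cv before trusting a quiet result, and feed every confirmed hit back into the shared indicator list so the next organisation blocks it as "known".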

  • Page 18

    Collaboration Opportunities

    Measure of merit: is it near-real time?

    ISACs

    Amongst yourselves

    Defense Industrial Base Cyber Task Force

    Law Enforcement (InfraGard)

    Defense Security Information Exchange

  • Page 19

    3 Ways to Make This Strategy Real

    Collaboration: Block the known C2

    Server Segregation: Channel the unknown

    Web Authentication: Challenge the unknown

  • Page 20

    Servers - It's Where the Money Is

    - Servers are where the adversary wants to live: on 24x7, containing the most valuable data.
    - Limit unknown traffic to and from them.

  • Page 21

    Channeling the Unknown

    - Most servers have no business initiating traffic to the Internet except for very specific sites (updates, etc.).
    - It is easy to enumerate valid destinations.

    [Cartoon caption: "I'm sorry, file server, I can't connect you with www.badguy.com."]

  • Page 22

    Channel All Server Traffic

    - Servers should only talk to the Internet through a known choke point to known sites:
      - Put them in a separate subnet(s).
      - Point all of them to a separate proxy.
      - Permit only mission-essential sites.
      - Proxy denies become meaningful.
      - Allow sys admin 2-factor authentication overrides.
      - Above all, prohibit sys admin e-mail and surfing.

  • Page 23

    What Does That Do For You?

    - No way for malware to beacon to its owner.
    - To access a server, they must compromise a client and move laterally:
      - Much noisier.
      - Combine with two-factor authentication for servers and you really have something.
    - Experience shows that all malicious traffic moves to clients overnight.
    - And it costs nothing except the labor to consolidate server subnets and identify valid sites.

  • Page 24

    3 Ways to Make This Strategy Real (Collaboration: Block the known C2; Server Segregation: Channel the unknown; Web Authentication: Challenge the unknown)

  • Page 25

    Challenge the Unknown

    - All web proxy vendors categorize sites and update like AV.
    - The majority of malware C2 sites are new and therefore fall into the default uncategorized bin.
    - This presents us with an opportunity.

    [Cartoon caption: "You want to go where?!!!"]
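    As an added example, not from the original webinar, here is the proxy decision table behind the two controls on Pages 22 and 25 written out in Python: requests from the server subnets are channeled (allowlist only, a 2-factor override for admins, e-mail never), and client requests whose destination falls into the uncategorized default bin get a challenge instead of a plain allow, which a beaconing process cannot complete. The subnets, allowlist, category table, category names and the challenge mechanism are constructed stand-ins, not any proxy vendor's configuration or API.

```python
"""Proxy policy that channels server traffic and challenges uncategorized
destinations for clients. Added example: subnets, domain lists, categories
and the category table are constructed, not a vendor's configuration."""
import ipaddress
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    CHALLENGE = "challenge"  # interstitial that needs an interactive user login


# Constructed server subnets: everything here goes through the server proxy.
SERVER_SUBNETS = [ipaddress.ip_network("10.20.0.0/24"),
                  ipaddress.ip_network("10.20.1.0/24")]
# Constructed mission-essential destinations servers may initiate traffic to.
SERVER_ALLOWLIST = {"update.example-vendor.com", "mirror.example-distro.org"}
# Hypothetical category table standing in for a proxy vendor's feed.
CATEGORY_DB = {
    "www.example-news.com": "news",
    "mail.example-webmail.com": "webmail",
    "update.example-vendor.com": "software-updates",
    "mirror.example-distro.org": "software-updates",
    "badsite.org": "malware",  # fed in from a shared indicator
}
BLOCKED_CATEGORIES = {"malware", "phishing"}
NEVER_FROM_SERVERS = {"webmail"}  # no sys admin e-mail from servers, override or not


def suffix_match(host, table):
    """Return the first of host, its parent domain, ... that is a key in table."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def in_server_subnet(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in SERVER_SUBNETS)


def decide(src_ip, host, admin_2fa_passed=False):
    """Return (verdict, reason) for one outbound request.

    Server subnet: allowlist only, so every deny is worth a look; an admin who
    has just completed a 2-factor override may reach other sites, but never
    webmail. Clients: blocked categories are denied, categorized sites are
    allowed, and the uncategorized default bin (where new C2 sites land)
    gets a challenge that a beaconing process cannot answer."""
    host = host.lower().rstrip(".")
    key = suffix_match(host, CATEGORY_DB)
    category = CATEGORY_DB[key] if key else "uncategorized"
    if category in BLOCKED_CATEGORIES:
        return Verdict.DENY, f"category {category}"
    if in_server_subnet(src_ip):
        if suffix_match(host, SERVER_ALLOWLIST):
            return Verdict.ALLOW, "server allowlist"
        if category in NEVER_FROM_SERVERS:
            return Verdict.DENY, f"{category} never allowed from servers"
        if admin_2fa_passed:
            return Verdict.ALLOW, "admin 2FA override"
        return Verdict.DENY, "server subnet: not on allowlist (investigate)"
    if category == "uncategorized":
        return Verdict.CHALLENGE, "uncategorized destination"
    return Verdict.ALLOW, f"category {category}"


if __name__ == "__main__":
    # Constructed requests: (source ip, destination host, admin override flag).
    for req in [("10.20.0.15", "update.example-vendor.com", False),
                ("10.20.0.15", "www.example-news.com", False),
                ("10.20.0.15", "www.example-news.com", True),
                ("10.20.0.15", "mail.example-webmail.com", True),
                ("10.1.7.40", "www.example-news.com", False),
                ("10.1.7.40", "w3f9x.example-unknown.net", False),
                ("10.1.7.40", "cdn.badsite.org", False)]:
        verdict, why = decide(*req)
        print(f"{req[0]:<11} {req[1]:<28} {verdict.value:<9} {why}")
```

    The ordering is the point: the blocked-category check runs before any override so shared indicators can never be waived, the server branch denies by default so the deny log for that subnet is short enough to actually read, and the challenge on the uncategorized bin is what turns vendor categorization into a C2 control rather than a productivity filter.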


  • Page 27

    The Bottom Line: Don't Despair

    Set yourselves up for success.

    By adding a C2 Denial Strategy to your existing Defense in Depth you can improve your cyber security greatly without breaking the bank.
