From Situational Awareness to Knowledge: Strategic Cyber Security Operations

Transcription

1 From Situational Awareness to Knowledge: Strategic Cyber Security Operations 25 June Christopher Barnett Chief Security Architect Intelligence Solutions Division

2 Discussion Topics Computer Network Defense: The Evolution of a Global Enterprise Cyber Security in a Cloud Context Managing Cyber in a Cloud Environment Risk Management Framework Moving to a Risk Based Security Framework 2

3 Computer Network Defense: The Evolution of a Global Enterprise

4 In the Beginning Enterprise network sensors were re-purposed, dual-homed desktops bound for the recycling bin or worse Open source detection tools only; budget minimal SSH for log xfer and remote management 4

5 Data Types/Amount Outpacing Analysts Ability Highly federalized enterprise; from 5K to >90K employees in <10 years Monitoring over 25 Internet Access Points; centralizing 200GB logs/day Consuming 12 TB, 63 TB Weekly, 265 TB Monthly. ~2 PB every six months 45K indicators managed and growing; dozens of weekly malware samples Historical data for trending, incident/le response and forensics required 5

6 Evolution of the Sensor Platform (Now) Modified BRO Sensor Application Meta Data extraction and retention High Volume Indicator Detection thru alerts generated from Meta-Data analysis SNORT IDS engine for deployment of community SNORT signatures File object malware analysis Flow Sensor (Lancope) Traffic flow capture and long term retention Anomaly based threat detection using flow Network Forensic Capture Capture and Presentation of PCAP data to analysts on demand True forensic record of actual events Event resolution not detection Analytical Platform(s) ArcSight SIEM Log Data Management (Splunk) Indicator Database SQL output to Subversion/GitHub (hourly updates to sensor grid) 6

7 7 From Indicators and Warnings to Situational Knowledge Cyber COP

8 CyberCOP Conceptual Architecture 8

9 Moving from Passive to Dynamic Cyber Defense Provides in-depth static analysis and reverse engineering of significant malware samples, typically associated with APT. Extracted indicators of compromise are fed back into the workflow, enhancing Detect and Countermeasures functions. Malicious Analysis Team (MAT) Incident Detection Team (IDT) Provides network monitoring and analysis for the purpose of identifying anomalous activity that has the potential be nefarious or non-compliant in nature. Incident Response Team (IRT) Uses dynamic analysis to expeditiously identify the intent of a file, and any indicators of compromise programmed within (e.g., command and control (C2) domains and IP addresses). Tracks targeted, APT, and emerging threat activity. This is accomplished by analyzing enterprise and community OSINT reporting and data for the purpose of identifying patterns that can ultimately be attributed to an individual or group. Collaborates with industry, DoD, IC, and LE/CI partners to provide attribution to cyber activity. Fusion Analysis Support Team (FAST) Defense Counter Measure Team (DCM) Implements and maintains active and passive signatures. Maintains continuous awareness of threat evolution and TTPs by tracking industry and community reporting, as well as the activity on the enterprise. 9

10 Cyber Security in a Cloud Context: Managing Security in a Cloud Environment

11 The Cloud Based Cyber Challenge 11

12 Cloud Based Cyber Strategy Evolving Technology Advancements Orchestration Layer hardening Integrating forensics findings from CSP(s) and app space (DFXML) Cross-app SSO (CloudMinder, Okta, PingIdentity, Centrify) Key recovery, management, destruction Post-signature world Industry Standards Evolving ISO/IEC Cloud Security Services Standard (draft) Cloud Security Alliance Guidance PCI DSS Cloud Computing Guidelines NIST Cloud Computer Security Reference Architecture EU Data Privacy Standards Data Centric Model Data protection at rest, in motion Automated data destruction per retention target Object-level tagging Synchronizing data controls across all cloud platforms and providers (where my data is) Government Policy Evolution DCID 6/3 to ICD 503 DIACAP to DIARMF Cloud First Strategy FedRAMP/NIST Approval of Commercial Cloud for DoD Level and 2 Services DISA/NSA/Service Guidance 12

13 Core Foundational Capabilities Cloud Services Cloud Based Attack Vectors Can be Mitigated User Tools Software as a Service (SaaS) / Applications Citizen Engagement Gov Productivity Wikis / Blogs / IM Gov Enterprise Apps Business Svcs Apps Application Integration User / Admin Portal Reporting & Analytics Social Networking Virtual Desktop Core Mission Apps API s Collaboration & Particpatory Tools Platform as a Service (PaaS) Database Office Automation Testing Tools Legacy Apps (Mainframes) Developer Tools Workflow Engine EAI User Profile Mgmt Order Mgmt Analytic Tools Reporting OEMS Directory Services Mobile Device Integration Trouble Mgmt Infrastructure as a Service (IaaS) Storage Virtual Machines Web Hosting Data Migration Tools Billing / Invoice Tracking App Services Content Distribution Network ETL Product Catalog Service Mgmt & Provisioning Service Provisioning SLA Mgmt Utilization Monitoring DR / Backup Operations Mgmt Data Mgmt Security & Data Privacy Data / Network Security Data Privacy Certification & Compliance Authentication & Authorization Auditing & Accounting Data Center Facilities Routers / Firewalls LAN / WAN Internet Access Hosting Centers

14 Cloud Forensics Challenges Who Owns the Data? Where is the data? What if it is stored, partially or in totem OCONUS? Identify Obfuscation (who did what when?) Overlapping and complex architectures requiring coordination between your IaaS, PaaS and SaaS provider(s) Encryption is good except when you don t want it (please tell me you have a master key) Transience (huge problem) 14

15 Cloud Forensics Opportunities You can literally do forensics from anywhere Easy snapshotting, multi-tb memory dumps available Faster investigation times and version comparisons API calls, machine instance activity logged and tagged (e.g., CloudTrail by AWS) aiding the investigator Investigator roles can be created and managed via the Orchestration Layer, providing some oversight CSPs typically have security team and tools to assist 15

16 Risk Management Framework: Moving to a Risk Based Security Framework

17 IC Directive 503 Overview ICD 503: Rescinds DCID 6/3 (DNI Signed 9/2008) Establishes IC policy for IT systems security risk management, certification and accreditation Adopts the RMF and CM for the IC Harmonizes IC C&A requirements and controls with DoD and FedCiv agencies Additional/augmented controls expected for SCI systems DIARMF: Replaces DIACAP (Effective 2014) Bottom line: DoD systems must transition to the RMF NLT their next re-accreditation Systems whose accreditation is expiring must transition to the new version of CNSSI 1253 immediately and execute RMF. NIST , Recommended Security Controls for Federal Agencies GDIT Proprietary 17

18 Risk Management Framework GDIT Proprietary 18

19 RMF vs. What Came Before Control Selection Risk Management Framework Granular but flexible (Low, Med. High) with overlays based on mission Legacy (DCID 6/3, DIACAP) More strictly defined based on mission Re- accreditation Continuous once granted Every three years Emerging Technology Can be accounted for in control matrix Difficult to categorize Continuous Monitoring of Selected Controls Constant, core RMF requirement Optional/Undefined Security Taxonomy Common across DoD, IC, FedCiv Department/agency dervied Upstream Security Reporting Core requirement, automated (eventually) Piecemeal, often non-automated Control Set Definitions NIST r4 IC guidance, DoDI Reciprocity Based on budget, threat, politics Based on budget, threat, politics Risk Awareness Potentially more enhanced sharing of risk data across/between organizations Limited organizational view SDLC Closely tied Loosely coupled GDIT Proprietary 19

20 Lessons in RMF Adoption Don t assume ISSOs/system owners know anything about RMF Engage system owners immediately upon program start-up/system design Define the categorization process for IT systems in the organization, and then decide whether to follow the security control binning found in NIST SP (for non-nss systems) or CNSSI 1253 (for NSS systems) Analyze NIST SP establishing what modifications needed to develop a process workflow meeting organizational requirements Identify and validate common, inherited controls Execute a process pilot, and then look for opportunities to automate Develop a communications and training plan for all stakeholders Know thy vendor Effective CM relies on commercial log technology; are your SE s prepared? GDIT Proprietary 20

21 Closing Thoughts A lot of challenges and exciting opportunities to collaborate across CND, cloud and risk Take stock of the research community; consider leveraging them for solutions if you are not already Are we entering a post-malware world? Analyzing the cost/benefit of the Comprehensive National Cyber Initiative (CNCI); total success or time to recalibrate? 21

22 Thank You and Contact Information Christopher Barnett (O) (M)

23 23