Annual Cybersecurity Report

Transcription

1 Trusler some figures and facts Cisco 2018 Annual Cybersecurity Report Jan Minche Security Lead Cisco Danmark September 2018

2 Agenda Nyhederne denne morgen 43 Mio ekstra øremærket Cybersikkerhed til FET Rambøll rapport fra maj % af danske virksomheder ramt indenfor seneste 12 mdr. Center for Cybersikkerhed >20% har ingen plan for genetablering af sin infrastruktur Offentlige organisationer mål for fremmede magter Private organisationer mål for Cyberkriminielle

3 Malicious Binaries and Encryption Attackers embrace encryption to conceal their command-and-control activity November % 19% October % 70% 12% Increase 268% Increase Global Encrypted Web Traffic Malicious Sandbox Binaries with Encryption

4 Malicious Documents in Compared usage of malicious attachments from first portion of 2017 to second Office Archive PDF 55% 415% 255% January-May June-October

5 Volume Volume Sandbox Evasion Patterns Attackers are constantly testing sandbox evasion techniques Document Close Doc Embedded in PDF Oct 2016 Oct 2017 Oct 2016 Oct 2017 Malicious Samples Total Samples

6 Network-based Ransomware WannaCry and Nyetya: rapid-moving, self-propagating network-based attacks Network-Based Ransomware Worm With active, unpatched machines, these automated worms will attack again. Have you secured your network?

7 The Cloud Organizations increase reliance on the cloud 53% manage over half of their infrastructure in the cloud Appeal: Better security (57%) Scalability (48%) Ease of use (46%) Lack of internal workforce (41%)

8 IoT and DDos Application-layer attacks are rising, network-layer attacks are declining Burst attacks are increasing Complexity Frequency Duration Amplification attacks 2/5 of businesses experienced a reflection amplification attack in 2017 of those organizations 2/3 mitigated the attacks Source: Radware

9 Malicious Use of Legitimate Resources Cybercriminals are adopting command-and-control channels that rely on legitimate Internet services, making malware traffic almost impossible to shut down Easy Setup IP Address Reduce Burning Infrastructure Leverage Encryption for C2 Source: Anomali Whitelisted Subverts Domain and Certificate Intelligence Adaptability

10 Exposed Development Systems Percentage of DevOps servers left WIDE OPEN is creating a huge ransomware risk 75% CouchDB 75% Elasticsearch 100% MongoDB 20% Docker 80% Memcache To reduce risk of exposure to DevOps ransomware attacks: Develop solid standards for secure deployment Maintain active awareness of the company s public infrastructure Keep DevOps technologies up to date and patched Conduct vulnerability scans Source: Rapid7

11 Insider Threat Machine learning algorithms can greatly help detect internal malicious actors 5200 docs per user Data was the most popular keyword in doc titles PDFs were the most common file type 62% occur outside of normal work hours High* accuracy of malicious activity detection since June 2017

12 How Malicious Actors Leverage Domains 20% Other Type of Attack 60% Spam RLD Registered Times New or Reused Domains 20% Malvertising 20% Less than 1 week 80% More than 1 week 42% New 58% Reused Organizations need to minimize access to malicious domains

13 IT/OT Attack Sentiment 69% of organizations believe OT is a viable attack vector in % believe it will be eventually 10% believe it will remain in IT alone

14 ICS Vulnerabilities Threat actors are actively engaged in researching pivot points to facilitate future attacks Being Connected to the Internet USB or DVD as Entry Point Lack of Knowledge Known Vulnerabilities Rarely Patched Too Specialized Source: TrapX

15 Number of Detections High Severity Vulnerabilities and Patch Management High severity is driven by headlines MS Detections Patches double as organizations realize potential threat Microsoft warns of vulnerability Exploited vulnerability makes headlines Month Source: Qualys We need a better way to improve patch management processes

16 Orchestration Challenges As the number of vendors increases, orchestration challenges grow 8% 10% 21% 43% 55% Education Financial Services Government Healthcare Manufacturing Pharma Retail Telecom Transportation Utility/ Energy Very Challenging 17% 24% 16% 42% 14% 25% 19% 14% 12% 27%

17 Alerts Uninvestigated alerts still create huge business risk 8% Experienced NO Security Alert 44% of Alerts are NOT Investigated 56% of Alerts are Investigated 93% Experienced Security Alert 51% of Legitimate Alerts are Remediated 49% of Legitimate Alerts are NOT Remediated 34% of Investigated Alerts are Legitimate

18 Defenders Still Favor Best of Breed 72% use best-ofbreed vs. 28% use single vendor solution

19 Challenges and Obstacles Key Constraints Key Functions 34% Budget ( 5%) 27% Lack of Trained Personnel ( 5%) Mobile Devices 57% Find Very and Extremely Challenging to Defend Data in Public Cloud 56% Find Very and Extremely Challenging to Defend 27% Certification Requirements ( 2%) 27% Compatibility Issues ( 5%) User Behavior (For Example, Clicking Malicious Links in or Websites) 56% Find Very and Extremely Challenging to Defend Data Center/ Servers 56% Find Very and Extremely Challenging to Defend

20 Strategic, Operational, and Tactical Issues An overemphasis on product solutions can leave openings for attackers 26% can be addressed by products alone Products People Policies 74% might also require people and/or processes to address

21 The Need for Outsourcing In order to keep up, organizations are looking for outside help 54% Consulting (up 3%) 49% Monitoring (up 5%) 47% Incident Response (up 2%) Most Frequently Outsourced Services

22 Market Expectations and Emerging Capabilities Outcomes Technology Investment

23 Market Expectations: Threat Landscape The threat landscape to remain complex and challenging Few predict radically new threats on the horizon, but they see more capable and more diabolical bad actors Believe they ll need ever more sophisticated security arsenals to keep they at bay

24 Market Expectations: Modern Workplace The modern workplace will continue to create conditions that favor the attackers The footprint security executives must secure continues to expand Employees increasingly carry their work (and the company s data) with them wherever they go a welldocumented source of exposure Clients, partners and suppliers all need secure access to corporate resources With the increasing deployment of IoT sensors, etc., companies interfaces to the internet will multiply dramatically

25 Market Expectations: Scrutiny Additional scrutiny of their ability to secure the organization Many expect they ll be under additional scrutiny from regulators, executives, stakeholders, partners and clients Top scrutiny from Executive Leadership, Clients, and Business Partners (76%, each) Several CISOs mention that the need to meet others expectations for accessibility puts increasing strains on staff Current and potential clients can be particularly demanding of information regarding security processes and protocols

26 Market Expectations: Breaches Drive Budget Budgets will remain stable, unless a security breach drives unexpected investment! 51%: Budgets based on previous year s budget 51%: Organization s security outcome objective 46%: Percent of revenue 47%: Breach drove improvements to a great extent

27 Market Expectations: AI and Machine Learning More spending on AI/ML capabilities AI, ML and automation are all increasingly desired and expected 83%: Reliant on automation to reduce the level of effort to secure the organization 74%: Reliant on AI to reduce the level of effort to secure the organization CISOs expect to take increasing advantage of AI and robotics

28 Market Expectations: Safeguards Spending more safeguards for protecting critical systems 22.3% Protection 21.9% Identification 19.3% Detection 18.2% Recovery 18.1% Response

29 Market Expectations: Outsourcing More reliance on outsourcing services 53%: More cost efficient 52%: Desire for more unbiased insight 51%: More timely response to incidents

30 Observed Threats and TTD Cloud-based security technology has been a key factor in helping Cisco maintain a low median despite an increase in threat samples x Increase Number of Observed Threat Samples Cisco Annual Median TTD (Hours)

31 Conclusion/Recommendations Adversary tactics are continuously evolving, using encryption and legitimate Internet services to conceal their activity and undermine traditional security technologies Lead from the top: executives/board set the security tone, culture Top 7 Actions:. Educate by roles for maximum benefit. Adhere to corporate policies, practices for application, system, and appliance patching. Assume ownership of IoT device security and add scanning for these devices to security reviews. Review, practice security response procedures. Back up data often, test restoration procedures. Review third-party efficacy testing of security technologies to reduce risk of supply chain attacks. Conduct security scanning of micro-service, cloud service, and application administration systems