Breaking the Cycle of Failure: Why breaches from known threats still happen.

Transcription

1 Breaking the Cycle of Failure: Why breaches from known threats still happen. Don Smith Dell SecureWorks Session ID: STAR-207 Session Classification: Advanced

2 Security Domain Slide

3 Dell SecureWorks in numbers

4 Dell SecureWorks Operations Centers Edinburgh, Scotland Bucharest, Romania Chicago, IL Plano, TX Providence, RI Myrtle Beach, SC Atlanta, GA Noida, India Guadalajara, Mexico Hyderabad, India Security Operations Center (SOC) SOC and Data Center Partner SOC

5 Leading Provider of Information Security Services Gartner Magic Quadrant for MSSPs H The Forrester Wave: Managed Security Services, North America, Q The Magic Quadrant is copyrighted 28 November 2011 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

6 Changing Context 6

7 Cloud SaaS IaaS Credit : Chuck Mortimore, SalesForce

8 Credit : Chuck Mortimore, SalesForce

9 Transparency 9 Confidential 10/10/2012

10 10 Confidential 10/10/2012 Transparency?

11 New Actors..

12 Grafitti Artists..

13 Financial Fraudsters, botmasters..

14 Hacktivists..

15 Journalists.

16 Intellectual Property Thieves

17 Nation State, Spooks..

18 The view from the SecureWorks SOC Bad Guys operating with impunity

19 Professionalism of the adversary

20 Blackhole Exploit Kit

21 Blackhole Exploit Kit

22 Java 0-day Vulnerability (CVE ) Access violation vulnerability that allows an attacker to download and run arbitrary programs on the victim s computer Cross-platform Not mitigated by memory corruption protections (DEP, ASLR, etc.) Indicators show the vulnerability was likely used in targeted attacks preceding discovery Added to Metasploit Added to Blackhole Exploit Kit Malware IDS Indicators Vulnerability Goes Public

23 Exploit Java 0-day - CVE <iframe src=" allowtransparency="true" height=0 width=0 scrolling="no" marginwidth="0" marginheight="0" frameborder="0"></iframe>

24 Link To Nitro Attacks 0-day Domain Shared IP Address Nitro Attacks Nitro Domain Malware IDS Indicators Vulnerability Goes Public

25 Java & IE 0-day thoughts Targeted: Same threat actors using both vulns IE 0-day appears once Java is patched Linked to previous APT campaigns Likely used for months prior to disclosure Commodity: Metasploit modules created in 24 hours Commercial exploit kits updated in 24 hours

26 Be pragmatic The bad guys move quickly 26

27 I know that half my marketing budget is wasted but I don t know which half.

28

29

30

31 Simplify IT is too complicated Business Demands on IT Unnecessar y ISOLATE Unavoidable Standardise Consolidate Rationalise Automate Automate Run in Cloud Tactical & Non- Discretionary Strategic Invest $$$

32

33 Re-imagine IT Post-Modern Business Simplicity Creative Destruction

34 Where s your data?

35 Classify your data be pragmatic

36 Good Enough..?

37 37 Confidential

38 Standards

39 Change and Configuration Management

40 Embrace Strategic Change

41 Compliance You don t fatten a pig by weighing it

42 Compliance - Effectiveness of technical controls

43 User Education

44 Protect users from themselves

45 Oversecure?

46

47 47

48 New Security Initiatives

49 New Vocabulary for Security 49

50 How to express policy in 2012? Traditional firewalls define policy in terms of which network locations can access other locations Security professionals need to start thinking about controls at different layers of the technology stack. Who can access what, not which subnet can access which other subnet

51 Identity Bridges Providing the glue for enterprise in the 21 st Century

52 This is how the industry describes it

53 This is how the user sees it

54 This is delivered to the security team

55 Tokens not sessions

56 56 On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, Andreas Mayer, Jörg Schwenk, Marco Kampmann, and Meiko Jensen

57 Credit : Chuck Mortimore, SalesForce

58 GONE!!

59 A glimpse of the future 59

60 Three Key Things 60

61 61 Confidential

62 62 Confidential

63 63 Confidential

64 Takeaways from this session In the next three months: Ask if your current projects will really deliver What s unnecessary, what s necessary, unavoidable tactical/strategic? Technology Think twice before investing, are the supporting processes there? Identify Critical Data Assets Talk to your business what are they scared about losing? Align protective and detective controls to your data assets Practise good enough security Within six months you should: Implement root & branch user education program Define new security roadmap: people, process & technology

65 Practical advice

66 Thanks 66