Doing it Right: Organizations That Seem Immune to Security Attacks

Transcription

1 Doing it Right: Organizations That Seem Immune to Security Attacks April 22, 2014 Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London Join the conversation: 1

2 Generously sponsored by: 2

3 Welcome Conference Moderator Jorge A. Orchilles South Florida, USA Chapter ISSA Web Conference 3

4 Agenda Speakers Dr. Eric Cole Senior Fellow, SANS Institute; Founder and Chief Scientist, Secure Anchor Consulting Fred Kost Vice President, Security Solutions, Ixia Elliott Franklin Director of IT Security at a Quick Service Restaurant Company Open Panel with Audience Q&A Closing Remarks 4

5 Doing It Right: Organizations That Seem Immune to Security Attacks Dr. Eric Cole Senior Fellow, SANS Institute; Founder and Chief Scientist, Secure Anchor 5

6 Doing It Right: Organizations That Seem Immune to Security Attacks Dr. Eric Cole Secure Anchor Consulting. All rights reserved.

7 Current Threat Level: RED 1Q 2014 Current Risks: 7 Data Theft Long term compromise Command and control capability Competitive advantage Current Threats: Trusted Insiders Supply Chain Current Vulnerabilities Lack of segmentation No data discovery Systems not properly hardened

8 Targeting Common methods adversaries are using to target an organization: 8 Identify a weakness with an organization Unpatched systems Extraneous services Target an individual Spearing phishing Drive by downloads Target a vendor Supply chain exploitation Back channel attacks

9 Attacker Kill Chain 1) Reconnaissance a) WHOIS DNS Servers b) NSLookup IP Addresses c) ARIN IP Address Range 2) Scanning a) Hping2 Visible IP s b) NMap Open ports c) Vuln Scanners Services and exposures 3) Exploitation a) Pivot Points b) Internal Reconnaissance c) Internal Scanning d) Data Exploitation 4) Creating Back Doors 5) Covering Tracks 9

10 Core Characteristics of Attacks Target an individual/system Deliver payload to system Upload files to the system Run processes Survive a reboot 10 Make outbound connections (beacons to C2) Perform internal reconnaissance Pivot into the network

11 Why Attacks are Successful? Organizations do not have security devices properly configured Not understanding the difference between a product and a solution Lack of data classification Not sufficient logging and correlation Too much visibility on the internal network Minimal asset management and configuration control Failure to institute least privilege 11

12 Prevention is Ideal But Detection is a Must 12

13 Back to the Basics Limit visibility Implement principles from 2000 with targeted systems being: Isolated Contain no sensitive data Heavily firewalled Think out of the box Contain dangerous applications Dynamic NAC Crypto free zone 13

14 Paradigm Shift Deliberate/Malicious Insider Accidental Insider 14 Source of the damage External Cause of the damage Internal

15 Preventing Insider Threat Deliberate Insider Difficult More focus on authorization and access Accidental Insider - Possible 15 Differentiate between required functionality and optional functionality Typical avenues of attack Exe attachments Macros embedded in Office documents Active scripting HTML embedded content

16 Detecting Insider Threat There are differences in activity between a normal user and an insider threat. Activity patterns focused on data: Amount of data accessed Failed access attempts Data copied or sent to external sources 16

17 Detecting Accidental Insider Focus on Command & Control Channel Accidental insider is being targeted by external entity Almost all external attackers setup C2 Focus on outbound traffic Number of connections Length of the connections Amount of data Percent that is encrypted Destination IP address 17

18 WHY? PREVENT DETECT RESPONSE Core to Success: - Asset Inventory - Configuration Management - Change Control 18

19 Bottom Line. It is time to take control of your data 19 Let s stop making an easy target for the adversary

20 THANK YOU for your time Dr. Eric Cole Twitter: drericcole 20

21 Question and Answer Dr. Eric Cole Senior Fellow, SANS Institute; Founder and Chief Scientist, Secure Anchor 2 21

22 Security Blind Spots: Reducing Uncertainty Fred Kost Vice President Security Solutions, 22

23 We All Have Blind Spots 23

24 Information Security Blind Spots Source: CyberEdge Group, 2014 Cyberthreat Defense Survey 24

25 Uncertainty Remains an Issue Source: CyberEdge Group, 2014 Cyberthreat Defense Survey 25

26 A Question of When Not If DDoS Malware APTs Botnets 26

27 More Security Not Always Better Security NGFW IPS Advanced Threat Detection Anti-Malware Firewall DDoS Mitigation WHAT ABOUT? Security effectiveness and performance under load Complex system interactions Content inspection configurations Product vulnerabilities 27

28 Asymmetric Advantage The attacker only has to be right once 28

29 Vulnerability Versus Resiliency Security Assessment Options Penetration Testing Vulnerability Assessment Security Audits Code Testing Static assessments Limited in scope Fail to stress test Not the real world Security Test and Assessment Test with real-world, recent attacks Real-world apps and loads Assess devices and systems Validate data sheet performance Scale for extensive test cases Reduce Security Uncertainty 29

30 GLOBAL ELECTRONICS MANUFACTURER Gain visibility into network performance bottlenecks Objectives Validate scalability of internet services Recreate failure conditions - Netscaler Performance under attack conditions Key Results Replace in-house testing mechanisms Recognition by Internet Services teams Data Center SLB Servers IMAP/HTTP/SMTP End Point Ixia BreakingPoint 30

31 GLOBAL DIVERSIFIED ENTERTAINMENT COMPANY New Data Center to support massive growth of online applications Objectives Assess architecture performance Expose limitations Evaluate customer QoE Clients Cloud Key Results Revealed 70% performance impact of security features Observe limitations under adverse conditions Load Balancer NGFW IPS Servers HA Data Center HA HA Perimeter Security 31

32 FINANCIAL TRADING EXCHANGE New initiatives potentially vulnerable to attacks Objectives Evaluate DDoS Service Provider Assess impact to legitimate traffic Evaluate workflow DDoS Traffic Key Results Initial failed results isolated fault Tuning of systems & processes DDoS Service Provider DDoS Suppression Ixia BreakingPoint Load Generation Legitimate Application Traffic Forensics Target Web Servers 32

33 Real World Assessment and Validation Functional Testing Device Application Traffic Client Transactions (1-Arm Testing) Common Network Infrastructure Servers & Applications Application Traffic Test Software Client - Server Transactions (2-Arm Testing) Router Firewall IPS Switch Load Balancer Ixia BreakingPoint Load Generation Database 33

34 Security and Performance Test Simulation and Testing Application and Threat Intelligence Real Attacks 6,000+ live security attacks 35,000+ pieces of live malware 180+ evasions DDoS and botnet simulation Custom attacks Research and frequent updates Real-World Applications 240+ application protocols Social, peer-to-peer, voice, video Web, ent. applications, gaming Mobile Storage workloads Custom applications Frequent updates 34

35 Real World Security Testing at Any Scale FireStorm ONE 40 Gbps of stateful application traffic 30 million concurrent TCP sessions FireStorm 120 Gbps of stateful application traffic 90 million concurrent TCP sessions PerfectStorm 960 Gbps of stateful application traffic 720 million concurrent TCP sessions 35

36 Wrap-up There will always be blind spots Security testing reduces uncertainty Ixia enables real world validation and test For more information visit security.ixiacom.com 36

37 Thank 37

38 Question and Answer Fred Kost Vice President Security Solutions, 7 38

39 Back to Basics Elliott Franklin Director of IT Security at a Quick Service Restaurant 35

40 Core Components Governance and Organization Information Security Strategy Information Security Framework Security Risk Management Risk, Threat and Vulnerability Remediation Measurement and Metrics 40

41 Governance and Organization A structure around how organizations align security strategy with business strategy, and implementing methods to manage the performance and continual improvement of the organization responsible for information security operations. 41

42 Governance and Organization Organization Reporting Is Security Risk Management on senior mgmt radar? Risk Management activities embedded in the project management lifecycle? Documented Information Security Management Forum with participation from key business leaders? Roles and responsibilities reviewed regularly to ensure business representation and visible endorsement from senior management? 42

43 Information Security Strategy A formal, high-level, communicated plan approved by executive management that asserts how the organization intends to treat and protect business sensitive information. 43

44 Information Security Strategy Do you have a stated vision? Alignment to business objectives? Documented roles and responsibilities? Strategy endorsed by senior management? Business buy-in? Flexible and adaptive to changing business needs, risks and objectives? 44

45 Information Security Framework Selection and implementation of a set of security program components generally recognized by industry and business partners. 45

46 Information Security Framework Methodology for assessing effectiveness of controls? Aligned to industry best practices? Reactive and unfocused? Means for assessing whether security controls are complete and coherent Widely communicated? Reviewed regularly to ensure continued relevance and consistency with security strategy? 46

47 Security Risk Management Processes and procedures to continually identify, analyze, consider and treat risks based on business context and risk appetite of the organization. 47

48 Security Risk Management Organization wide Addresses risk from strategic to tactical level Establish context for risk-based decisions Evaluates existing controls Adequate to mitigate risks? Ensure controls are consistently applied? Enable decision makers to understand key risks and agree on controls to keep those risks within acceptable limits. Criteria for project go-live? 48

49 Risk, Threat and Vulnerability Remediation Set of actions implemented to reduce, transfer or eliminate factors that can impact information systems in an adverse manner. 49

50 Risk, Threat and Vulnerability Remediation Documented process or methodology? Automated remediation tools? Documented escalation procedures for newly discovered risks, threats and vulnerabilities? Historical tracking of remediation? Asset identification and classification? Continual identification of sensitive data with corresponding, prioritized action plans? 50

51 Measurement and Metrics Methods used to record, track and report key performance indicators. Metrics support a continual improvement process for security 51

52 Measurement and Metrics Agreed set of requirements to measure against? Requirements aligned to industry best practices? Ability to measure gap between current and target compliance levels? Action plan to ensure target compliance levels are achieved? Automated tools to ensure real-time monitoring? Dashboard to act as a key input into risk management decisions? 52

53 Core Components Governance and Organization Information Security Strategy Information Security Framework Security Risk Management Risk, Threat and Vulnerability Remediation Measurement and Metrics 53

54 Question and Answer Elliott Franklin Director of IT Security at a Quick Service Restaurant 54

55 Open Panel with Audience Q&A Dr. Eric Cole Senior Fellow, SANS Institute; Founder and Chief Scientist, Secure Anchor Consulting Fred Kost Vice President, Security Solutions, Ixia Elliott Franklin Director of IT Security at a Quick Service Restaurant Company 55

56 Closing Remarks Thank you to our Sponsor Thank you to Citrix for donating this Webcast service Online Meetings Made Easy 56

57 CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link via to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. On-Demand Viewers Quiz Link: Web-Conference-Doing-it-Right-Organizations-That- Seem-Immune-to-Security-Attacks-April