Having the SOC feed the organization with FOOD and not FUD

Transcription

1 Having the SOC feed the organization with FOOD and not FUD My-Ngoc Nguyen (Pronounced Me-nop Wynn) CEO - Secured IT Solutions Making IT Happen, Making IT Secure Secured IT Solutions All Rights Reserved.

2 Who am I? CEO and Principal Consultant of Secured IT Solutions A Cyber Security and IT support and service provider for public and private sector organizations Some clients include the following: Switch; Long Beach, CA; Burbank, CA; U.S. Dept. of Energy; NNSA; U.S. Dept. of Defense; Clark County Water Reclamation District; Federal Communication Commission Certified SANS Instructor Experience 20 years in IT 15 years in Cyber Security Masters of Science in Management Information Systems Top industry certifications: GLSC, GSEC, CISSP, GCIH, GPEN, GISF QSA (lapse) Secured IT Solutions All Rights Reserved.

3 Agenda/Objective Communicating with the message needed for executives and board of directors and organization leaders. Having the SOC feed the organization with FOOD and not FUD- Designing and operating a SOC to provide information and support: Instilling trust and confidence with Executives and Board Strategy to address cyber security risks Enable and show continuous growth strength, maturity, and effectiveness of cyber security within the organization Enable an enterprise shared responsibility to address cyber security risks Enable five key principles for board of directors to provide Cyber-Risk Oversight per the National Association of Corporate Directors (NACD)

4 Communicating Goal: Remove emotions when communicating to CEOs, Boards, and other organization leaders Focus on protecting the business first Brand Revenue generating operations/mission support operations Focus on what matters

5 What matters most to organizations Operational and mission interruptions Financial Reporting and efficiencies Incident or risk that would be material to investors and stakeholders Legal liabilities and Law Suits Every security breach will result in legal action. For Private sectors: EBITDA Earnings Before Interest, Taxes, Deprecation, and Amortization Measures a company s operating performance Impact to stock prices

6 Communicating (cont.) What does a security program and security operations mean to the business What are the solutions and strategies to the problem and concerns Is the solutions and operations to secure the organization enough to self-insure Ensure that the solution(s) isn t worse than the problem Are things operating efficiently and effectively Is the fund provided effectively in use? If not, why and how to improve it.

7 What gets communicated: Fear, Uncertainty, and Doubt (FUD)

8 Fear, Uncertainty, and Doubt Emotions eventually wears thin. Board of Directors comments given to SANS (John Pescatore and Allen Paller) The CISO is great at talking about blood in the streets but very weak on strategy to avoid disasters. We know bad things will happen the CEO and CFO and VPs inform us of business problems frequently. We want to have confidence that basic competence and strategies are in place to reduce bottom line impact. NACD reports that only 15% of boards are very satisfied with the information they are getting. Understand the strategic information they are looking for See how operational statistics like percent systems patched, etc. help them understand and how it s matters to them or does it? Secured IT Solutions All Rights Reserved.

9 Secured IT Solutions All Rights Reserved.

10

11

12 Ex. Hype vs. Reality Headliners: July 20, 2018 New York Times Big Red Flag Automakers Trade Secrets Exposed in Data Leak July 21, 2018 Tech Crunch Data breach exposes trade secrets of carmakers GM, Ford, Tesla, Toyota. Reality Security researcher disclosed abilities to access and expose 156 GB of data from an engineering service firm within the supply chain for these companies. What does this mean if something like this happens to us? What is the material implication to those car makers?

13 Feeding to the FUD more

14 Organizations with Massive Yahoo (2016 / 2013) Initially thought 1 Billion 3 Billion Oct 2017 Yahoo (2016 / 2014) 500 Million ebay (2014) 145 Million Equifax (2017) Million Heartland Payment Systems (2009) 130 Million Target (2013) 110 Million Tk-TJ Max (2007) Data Breaches 94 Million JP Morgan Chase (2014) 83 Million Anthem (2015) 80 Million Sony Play Station (2011) 77 Million Home Depot (2014) 56 Million Ashley Madison (2015) 32 Million Office of Personnel Management (2015) 21.5 Million Source: USA Today and Business Insider Secured IT Solutions All Rights Reserved.

15 July 2015 Hacked by the Impact Team 32 million Ashley Madison users The 9.7 gigabytes of information released by the hackers included credit card information, names, billing details and home addresses less than a month before that episode, Ashley Madison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees. Secured IT Solutions All Rights Reserved.

16 9.7 GB of Personal information contained 32 million clients released, lead to many reported cases of: Divorces, Resignations, Firings, and Suicides. Secured IT Solutions All Rights Reserved.

17 Password Ashley Madison 100 popular passwords Times used , ,452 password 39,448 default 34, ,620 qwerty 20, ,172 abc123 10,869 p***y 10, , ashley 8,793 Secured IT Solutions All Rights Reserved.

18 Password Times used football 7,872 baseball 7,710 f**kyou , ,572 ashleymadison 6,213 password1 5,959 madison 5,219 a**hole 5,052 superman 5,023 mustang 4,865 harley 4, ,729 Secured IT Solutions All Rights Reserved.

19 Password Times used ,612 hello 4,425 monkey 4, ,240 hockey 4,191 letmein 4, ,077 soccer 3,936 cheater 3,908 kazuga 3,871 hunter 3,869 shadow 3,831 michael 3, , ,704 Secured IT Solutions All Rights Reserved.

20 Password Times used iloveyou 3,671 qwertyuiop 3,599 secret 3,522 buster 3,402 horny 3,389 jordan 3,368 hosts 3,295 zxcvbnm 3,280 asdfghjkl 3,174 affair 3,156 dragon 3, ,123 liverpool 3,087 bigd**k 3,058 sunshine 3,058 yankees 2,995 Secured IT Solutions All Rights Reserved.

21 Password Times used asdfg 2,981 freedom 2,963 batman 2,935 whatever 2,882 charlie 2,860 f**koff 2,794 money 2,686 pepper 2,656 jessica 2,648 asdfasdf 2,617 1qaz2wsx 2, ,606 andrew 2,549 qazwsx 2,526 dallas 2, , ,498 Secured IT Solutions All Rights Reserved.

22 Password Times used abcd1234 2,489 anthony 2,487 steelers 2,470 asdfgh 2,468 jennifer 2,442 killer 2,407 cowboys 2,403 master 2,395 jordan23 2,390 robert 2,372 maggie 2,357 looking 2,333 thomas 2,331 george 2,330 matthew 2, ,294 amanda 2,273 Secured IT Solutions All Rights Reserved.

23 Password Times used summer 2,263 qwert 2,263 princess 2,258 ranger 2,252 william 2,245 corvette 2,237 jackson 2,227 tigger 2,224 computer 2,212 Secured IT Solutions All Rights Reserved.

24 Yahoo ½ Billion 2014 (reported September, 2016) 500 million user accounts compromised state-sponsored actor Peacefully sold account info for 200 million users 2 months prior to acknowledgement of this breach Secured IT Solutions All Rights Reserved.

25 Organizations with Massive Yahoo (2016 / 2013) Initially thought 1 Billion 3 Billion Oct 2017 Yahoo (2016 / 2014) 500 Million ebay (2014) 145 Million Equifax (2017) Million Heartland Payment Systems (2009) 130 Million Target (2013) 110 Million Tk-TJ Max (2007) Data Breaches 94 Million JP Morgan Chase (2014) 83 Million Anthem (2015) 80 Million Sony Play Station (2011) 77 Million Home Depot (2014) 56 Million Ashley Madison (2015) 32 Million Office of Personnel Management (2015) 21.5 Million Source: USA Today and Business Insider Secured IT Solutions All Rights Reserved.

26 Yahoo 3 Billion 2013 (reported December 2016) 1 billion user accounts compromised October 2017 reported 3 Billion Likely state-sponsored actor because: Information not posted online for sale, indicating a targeted attack focusing on specific users or resources Method of compromise involved forging cookies allowing access to a users account without access to the password. Secured IT Solutions All Rights Reserved.

27 Yahoo Account information may have included: names, addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers Financial data like bank account numbers and credit card data are NOT believed to be included Secured IT Solutions All Rights Reserved.

28 Equifax Reported Sept 2017 Breached discovered in July 2017 Unrelated breach in March 2017 Compromised personal information of 143 million US citizens and approximately 693,665 UK citizens (initial thought 400k) Exploited through a Apache Struts flaw with patch released in March 2017 Equifax ack that they were aware of this vulnerability at that time Insecure practices/criticism: Directed customers to wrong site used to phish visitors to that site set up a website to help people determine whether they had been affected. company's official Twitter account responded to customer inquiries by apparently directing them to a fake phishing site called Secured IT Solutions All Rights Reserved.

29 Equifax nsecure practices/criticism cont: CISO was music major Equifax can safely add Argentina if not also other Latin American nations where it does business to the list as well. Online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: admin/admin. Researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and address. The list of users page also featured a clickable button that anyone authenticated with the admin/admin username and password could use to add, modify or delete user accounts on the system. A search on Equifax Veraz at Linkedin indicates the unit currently has approximately 111 employees in Argentina. Secured IT Solutions All Rights Reserved.

30 Another Ex. Hype vs. Reality So what Reality Yahoo may cost their shareholders $250-$350 million in Verizon deal Ashley Madison U.S. judge approves $11.2 M settlement for hacked Ashley Madison users around July 2017 Still growing they got 55 million users as reported in an article in March 2018 Equifax Law suits and stock dipped but is climbing and never dropped lower than prices from 2015 at $105 per share

31 Tempering the Reporting The company breaches: Yahoo Ashley Madison Equifax FUD creates emotional business decisions that should be done by data and information instead FOOD

32 FOOD Separate the hype from the reality when briefing the board, CEO, and executives Factual Objective- Optimize- Data in order to Frame- Organize- Orchestrate- Deliver Frame conversations arounds the business benefits and costs coming from a SOC Organize with the right people, processes, and tools/technologies Orchestrate what is organized from the tools and people Deliver metrics and measurable results

33 Food from SOC SOC needs to be design and operated to provide FOOD to enable the 5 Principles for Cyber-Risk Oversight NACD 5 principles are: Principle 1: Approach cyber security as an enterprise-wide risk management issue, not just an IT issue Principle 2: Understand the legal implications of cyber risks Principle 3: Boards should have adequate access to cyber security expertise; cyber-risk management should be given adequate time on board agendas Principle 4: Directors should set expectations that management will establish an enterprise cyber-risk management framework Principle 5: Boards need to discuss details of cyber risk management and risk treatment

34 SOC Data FOOD for the 5 NACD Principles Does the SOC provide Factual Objective- Optimize- Data in order to Frame- Organize- Orchestrate- Deliver Framing conversations arounds the business benefits and costs coming from a SOC Organize with the right people, processes, and tools/technologies Orchestrate what is organized from the tools and people Deliver metrics and measurable results

35 NACD Principle 1: Cyber security is approached as an enterprise-wide risk management issue, not just an IT issue People, process, and technology Account for these aspect throughout the enterprise Since cyber-risks permeate all business processes, SOCs need to collect, manage and communicate data and information on all business processes and their elements that poses cyber security risks: Processes needing technological changes or deployment of disruptive technologies Can affect the time to detect and contain a data breach.

36 Enterprise Data People and Processes: Awareness & Training Policies, Procedures and Governing Documents Software Restriction Policies Categorize Data Business Impact Analysis Business Continuity Plan Incident Response Technology and Services: Application/System Inventory Network and system activities Access Controls Configuration Spam Filters, Detection Anti-virus & Malware Macro Scripts, App Whitelisting Network

37 Factual Objective- Optimize- Data Gathering all the facts and data Identify all possible data Assets and Identities ERP and GRC data Change controls Network data and metadata - Netflows - PCAPS - Network devices logs and rules Threat intel Authentication Access and access activities Server (Windows / Linux) Endpoints (client and mobile) IDS / IPS VPN Application Vulnerability

38 Factual Objective- Optimize- Data Gathering all the facts and data Identify all sources: External and Internal External feeds: Threat Intelligence and Incident analysis» ISAC, Law Enforcement, Agencies, Commercial services, Opensource, Community, Vulnerabilities Vendors Internal feeds: data and IT inventory, business impact analysis, analysis from past IR, past forensics, network and system activities, threat hunt / uncover / link events, ticket system, configuration library data base

39 Factual Objective- Optimize- Data Collect and Manage Automatically collect, aggregate and de-duplicate data feeds as well as normalize the data Centralize and create the single source of truth Ensure retention and integrity is addressed Be able to collect from any data source Automation / integration Categorize Correlate Improve operational efficiency using workflows Extract knowledge and intelligence to gain new insight with correlated data

40 NACD Principle 2: Understand the legal implications of cyber risks Compliance Reporting of incidents Time to detect and response is crucial Regulations (FISMA, PCI DSS, GDPR) Audits and assessments results Law suits: Due Care Difference between benchmarking with a balance prudent man rule

41 Compliance Understanding What does the regulation require? Has the entity established a cyber security Program that complies with the criteria set forth in the regulation? Has the entity conducted an appropriate Risk Assessment on which its cyber security policy is based? Was the assessment sufficiently comprehensive, and how often will additional assessments be conducted? In addition to retaining a CISO, has the entity utilized qualified cybersecurity personnel to manage the entity's cyber security risks?

42 NACD Principle 3: Reports and access to cyber security expertise - adequate time on board agendas Presenting to the board: Build trust and confidence Message needs to be around strategy and maturity of the program Corporate culture drive form, format and frequency of presentation

43 What Should the BoD Expect/Require to Hear from CISOs? Guidelines from the NACD: Situational Awareness Strategy and Operations Incident Response Industry Benchmarking Minimum quantitative metrics: Time to detect incident Time to restore operations Time to respond

44 Strategy Maintains clear visibility into assets and awareness of vulnerabilities; Obtaining and Utilizing up-to-date threat information. Establish measures, metrics, and monitoring frequencies to provide: known organizational security status; detect changes to information system infrastructure and environments of operation; and status of security control effectiveness in a manner that supports continued operation. Maturity plans (e.g. CMMI): Mature = Effective and efficient at dealing with risk (Threat, Vulnerability, Impact)

45 Benchmark Ponemon report: The faster the data breach can be identified and contained, the lower the costs. Report from 2017 study, organizations were able to reduce the days to identify the data breach from an average of approximately 201 in 2016 to 191 days and the average days to contain the data breach from 70 to 66 days. Attribute these improvements to investments in such enabling security technologies as security analytics, SIEM, enterprise wide encryption and threat intelligence sharing platforms.

46 NACD Principle 4: Expectations on establishment of an enterprise cyber-risk management framework NIST Cyber Security Framework Capability Maturity Model Integration SOC- Continuous monitoring and maturing

47 Approach Three-pronged monitoring program consisting of preventive controls, detective controls, and sustaining controls. monitor and prevent inappropriate or unauthorized changes to the security baseline from ever occurring monitor and detect changes to the security baseline when or shortly after they occur. active reporting of security risks and activities to sustain and mature the security baseline while ensuring improvement of both ongoing detective and preventive monitoring activities.

48 Leveraging CMMI for Continuous Monitoring/Ongoing Security Assessment CMMI 1 - Initial CMMI 2 - Repeat CMMI 3- Defined CMMI 4 - Managed CMMI 5 Optimized

49 CMMI Maturity Indicator Level (MIL) MIL defines a dual progression of maturity: an approach progression completeness, thoroughness, or level of development of an activity in a domain an institutionalization progression extent to which a practice or activity is ingrained in an organization s operations. The more deeply ingrained an activity, the more likely the organization will continue to perform the practice over time, under times of stress, and in a consistent, repeatable manner. MIL apply independently to each domain (10 domains for cyber security)

50 CMMI Maturity Indicator Level (MIL) MIL0: Not Performed Practices are incomplete or not done MIL1: Initiate Initial aspect of the practice is performed but most likely at ad hoc MIL2: Repeated Practices are planned and performed fully Adequate resources are provided for the practices MIL3: Defined Practices are defined and documented into standards or procedures to be used to guide practice implementation and maintenance. MIL4: Managed Practices are guided by policy (or other directives), periodically reviewed for conformance to policy Responsibility and authority for practices are clearly assigned to personnel with adequate skills and knowledge MIL5: Optimize Practices are shared. Information and resources are leveraged across multiple aspects and domains

51 NACD Principle 5: Boards need to discuss details of cyber risk management and risk treatment Threats, Vulnerabilities, and Impact Cyber insurance

52 Risks identified Examples from a sample of Financial Reports Technological changes; Risks associated with counterfeit and piracy of digital and print materials; Risks associated with data privacy, Information security and intellectual property; Disruptions to our information technology systems, infrastructure and data due to computer malware, viruses, hacking and phishing attacks, resulting in harm to our business and results of operations; Disruption of or interference with third party web service providers and our own proprietary technology

53 Factors that impacts Deployment of disruptive technologies can affect the time to detect and contain a data breach. Complexity (cloud-based applications and data as well as the use of mobile devices (including BYOD and mobile apps)) Can impact the ability to respond to data breaches. Can increase the complexity of dealing with IT security risks and data breaches.

54 Cyber Insurance Ponemon report the folllowing Purchase of cyber and data breach insurance can help manage the financial consequences of the incident year s study, insurance protection and business continuity management reduced the cost of data breach following the discovery of the incident. In contrast, the rush to notify victims without understanding the scope of the breach, compliance failures and the engagement of consultants all increase post data breach costs. Expenditures to resolve lawsuits also increase post data breach costs

55 Summary Ensure your SOC provide Factual Objective Optimize Data to your organization in order to Frame conversations arounds the business benefits and costs coming from a SOC Organize the right people, processes, and tools/technologies Orchestrate what is organized from the tools and people Deliver metrics and measurable results

56 Sources SANS Merriam-Webster Harvard Business Review Barnes & Noble Education Reports Third Quarter 2018 Financial Results Forbes Ponemon Gartner National Association of Corporate Directors

57 Questions??? My-Ngoc Nguyen Phone: (702) Web: SecuredITSolutions.com Location: 6795 Edmond Street Las Vegas, NV Secured IT Solutions All Rights Reserved.