Evolution Of Cyber Threats & Defense Approaches

Transcription

1 Evolution Of Cyber Threats & Defense Approaches Antony Abraham IT Architect, Information Security, State Farm Kevin McIntyre Tech Lead, Information Security, State Farm

2 Agenda About State Farm Evolution of Attacks Targeted Attacks Explained Legacy Defense Framework Based Defense An Approach to Protecting Passwords Big Data Security Analytics Bringing It All Together Conclusions Questions

3 About State Farm Ranked No. 41 on the Fortune 500 list of largest companies #1 Auto Insurance and life Insurance provider One of the largest private networks in the nation Network of 60,000 network nodes, and 24,000 network links installed Supports about 150,000 employees and agents Manages 625,000 devices 5,500 IT Staff Members 323 Security Experts and growing (Yes, we are hiring!!)

4 A Brief History of Cyber Attacks Talented Hackers Experiment or Attack Just Because They Can Often to Make Their Message Heard Louder All About Name and Fame Usually not About Money

5 A Brief History of Cyber Attacks Evolution of Attacks

6 Evolution Of Attacks Present Day Attackers Cyber Criminals Hactivists Nation States Cyber Terrorists?

7 Targeted Attacks In Depth Focused Cyber Attack Capture Credentials Steal Intellectual Property NPI Pivot Point to Attack Others Persistent High Success Rate

8 Targeted Attack In Depth Example - Based Attack

9 Targeted Attacks In Depth Watering Hole Attack

10 Targeted Attacks In Depth Post Compromise State

11 Legacy Defense LOL (Layers On Layers) Signature Based Stops Known Bad. But, What is Bad?

12 Framework Based Defense For a Defendable Network Four Pillars of Cyber Defense NIST Protect NIST Detect NIST Protect NIST Respond Recover

13 Framework Based Defense For a Defendable Network Four Pillars - Examples PREVENT DETECT PROTECT RESPONSE NextGen FWs IPS Antivirus Endpoint Protection Advanced Endpoint Protection Exploit Prevention (like EMET) Endpoint Execution Control SIEM Threat Feeds Security Analytics Network Sandboxes and BDS Endpoint Detection/Forensics Network Forensics DNS Analysis Flow Analysis Multifactor Auth Specific Use of Encryption Tokenization Network Segmentation Outbound traffic control Vulnerability Management Trained People Applicable Procedures Response & Recovery procedures Command structure 24/7 Monitoring and associated response Response Automation

14 Make It Harder For Bad Guys Using Capabilities From Different Pillars 6 Credentials Stolen 7 Data Exfil SIEM & Response Team Untrusted Trusted Enterprise Admins with Day to Day Credentials used for and Internet Hardened Virtual Machine Enforcing MFA Behind Separate Firewalls Enterprise Admins with Priviledged Credentials Separate From Their Day to Day Credentials

15 Security Analytics

16 System activity on workstations, networks and data centers generate log information.

17 Log information is collected and analyzed.

18 Log data is stored in multiple locations across the Enterprise.

19 Equals to Terabytes of log data collected each day.

20 Hadoop Platform is used to store and process data at scale. A combination of data scientists and security experts leverage analytic tools to dig deeper into the data set. Performing hunt activities Applying similar skills and tools we apply to business problem to security

21 Data is grouped in such a way to find anomalies and potential Indicators of Compromise (IoCs) and Indicators of Attack (IoA) within the Enterprise. Utilizing Machine learning algorithms and statistical models Hybrid Approach Buy and Build

22 We Are Sitting on Top Of a Goldmine. Lets Make use of It!

23 Bringing It All Together SIEM-Analytics Eco-System Hunt Team Intel Analyst Data Scientists Manual Correlation Rules Big Data to SIEM Correlation Rules (automatic) SIEM SIEM-Big Data Event Pull SIEM Console & Operator Database Database Database Database Delivered Reports for Business Partners Enterprise Log Sources

24 Bringing It All Together Integrated Defense Identity Management System Proxy Breach Detection System Encryption and Key Management End Point Security Big Data Defense System DNS NAC 1 Generic Preventive Control Firewall 2 DLP System

25 Conclusions Invest in Framework Based Defense to create a defendable network Be aware of blind spots and strive for greater visibility Make use of the logs you already collect. Mine for signals within all that noise. Automate threat response to the extend possible Invest in threat hunting capabilities Not only consume threat intelligence, but share it!

26 Questions Contact