November 2017 Midwest Cyber Security Alliance Meeting. Continuing Education Credit 11/30/2017. Thursday, November 30, :30 p.m. 6:30 p.m.

Transcription

1 Thursday, November 30, 2017 November 2017 Midwest Cyber Security Alliance Meeting 4:30 p.m. 6:30 p.m. CT Continuing Education Credit CLE: Foley & Lardner LLP will apply for continuing legal education (CLE) credit after the program, wherever applicable. Foley & Lardner LLP certifies that this activity has been approved for California MCLE credits by the State Bar of California. Foley & Lardner LLP is a State Bar of California MCLE approved provider. Please note that participants must be in attendance on the date of the event; credit may not be obtained by viewing and/or listening to a program recording after the event. Before leaving today, be sure to sign next to your name on the CLE sign-in sheet available at the registration table. If the sheet does not already include your bar state(s) and/or license number(s), please add in that information. Certificates of attendance will be distributed to eligible participants approximately eight weeks after the program via . CPE: This program may be eligible for continuing privacy education (CPE) credit toward CISA, CISM, CGEIT, and/or CRISC certifications and maintenance. Please visit the ISACA website to review the specific CPE requirements for your certification and verify whether the topic(s) addressed in this program align with one or more of your certification s job practice areas: CISA, CISM, CGEIT, CRISC. If believed to be eligible, you may pick up a copy of the ISACA Verification of Attendance form at the registration table. Attendees are responsible for submitting this form to ISACA; Foley cannot submit this form on your behalf. PROGRAM SURVEY: We welcome your feedback. Please take a few moments to complete the questionnaire before leaving the program today. CONTINUING EDUCATION QUESTIONS: Contact Allison Jones at ajones@foley.com. 1

2 MidwestCyber.org Full chart available for download at: 2

3 3

4 Thank You to Our Co-Sponsors Presenters MODERATOR: Jennifer Rathburn Partner Foley & Lardner LLP Joseph Abrenio Founder and Chief Executive Officer CyberSquire, LLC Zach Forsyth Security Architect Juniper Networks 4

5 When Does a Managed Security Service Makes Sense for Your Business? Got Security? Date Breach of the Day Uber's disclosure that hackers accessed the personal information of 57 million riders and drivers last year, a breach it didn't disclose publicly until Tuesday, adds new potential legal woes for the already troubled company. 5

6 Causes of Data Breaches 28% 47% Malicious or criminal attack System glitch Human error 25% Data Breach Findings that have Implications for Organizations Who s behind the breaches? 75% perpetrated by outsiders. 25% involved internal actors. 18% conducted by state-affiliated actors. 3% featured multiple parties. 2% involved partners. 51% involved organized criminal groups. What tactics do they use? 62% of breaches featured hacking. 51% over half of breaches included malware. 81% of hacking-related breaches leveraged either stolen and/or weak passwords. 43% were social attacks. 14% Errors were causal events in 14% of breaches. The same proportion involved privilege misuse. 8% Physical actions were present in 8% of breaches. Source: 2017 Verizon Data Breach Investigations Report 6

7 Data Breach Findings that have Implications for Organizations (cont.) Who are the victims? 24% of breaches affected financial organizations. 15% of breaches involved healthcare organizations. 12% Public sector entities were the third most prevalent breach victim at 12%. 15% Retail and Accommodation combined to account for 15% of breaches. What else is common? 66% of malware was installed via malicious attachments. 73% of breaches were financially motivated. 21% of breaches were related to espionage. 27% of breaches were discovered by third parties. Source: 2017 Verizon Data Breach Investigations Report The Threat The Defensive Dilemma Source: Cisco 2017 Security Capabilities Benchmark Study 7

8 The Cyber Dilemma Cybercrime is poised to be a $2 trillion problem by Nearly 1.5 million Sec-Ops jobs will go unfulfilled because of a lack of skillsets by The Enterprise Strategy Group indicates that 45 percent of organizations report a problematic shortage of cybersecurity skills today, more than any other area within IT 3. 1 Source: Forbes, January 17, Source: CSO Magazine, July 28, Source: What is a Managed Security Service? A Managed Security Services Provider (MSS) defends client networks by anticipating, detecting, and responding to internal and external cyber threats. Security Operations Center (SOC) Syracuse University, Syracuse New York CuseLabs Training & Innovation Center 8

9 Security Stack MANAGED SECURITY SERVICES SERVICE TYPE Managed Firewall Managed Intrusion Prevention System (IDSS) and Intrusion Detection Systems (IDSS) Managed Anti-Malware Managed Managed Gateway DDoS SIEM Log Management What We Do Asset Discovery Know who and what is connected to your environment at all times. Vulnerability Assessment Find and remediate your vulnerabilities before an exploit or intrusion. Intrusion Detection Be alerted to suspicious activities with HIDS, NIDS, and Cloud IDS. Behavioral Monitoring Identify anomalous or suspicious behaviors in your environment. SIEM & Log Management Correlate and analyze event data from across your environment. 9

10 Cyber Defense Program Proactive Threat Defense Visibility Event Priority Sustainable & Affordable Program Focus on your Business Evolving Threat Landscape Targeted attacks Zero-day vulnerabilities and rootkits Attack kits Mobile threats Cyber Defense Program Proactive Threat Defense Visibility Event Priority Sustainable & Affordable Program Focus on Your Business Where are the gaps? Endpoint Protection Security monitoring NIDS Firewall HIDS Endpoint Web Proxy OS & Apps WebApp Firewall Network Infra. VA 10

11 Cyber Defense Program Stay ahead of threats Visibility Event Priority Sustainable & Affordable Program Focus on your Business Actionable Incidents Eliminate irrelevant events. Focus on the most critical events. Avoid over and under-reacting to events. Cyber Defense Program Stay ahead of threats Visibility Focus on top priorities Sustainable & Affordable Program Focus on Your Business Security Operation Center 24x7 Security State of the Art technologies Well-trained staff 11

12 Stay ahead of threats Visibility Cyber Defense Program Focus on top priorities Build a sustainable program Focus on Your Business How to Demonstrate Value? Protect revenue Process improvement Predictable cost-base Measure and report on effectiveness and improvement The Cyber Risks Personal Liability for data breaches Financial Costs Legal Costs Brand Damage GLBA NERC CIP FFIEC SOC 2 PCI DSS ISO HIPPA 12

13 Business Case for Moving to a MSSP People Demand for dedicated skilled manpower to defend the enterprise network. Lack the in-house capabilities required to keep pace with changing business demands, compliance mandates, and emerging threats requiring strategic implementation of new IT security solutions. Have in-house IT staffs that spend too much time on day- to-day operational security issues versus new strategic projects. Security staffing and budgeting constraints. Process Increasing regulatory compliance and data protection laws. Technology Depend on IT security tools and processes that provide a reactive, rather than proactive, approach to mitigating risk and minimizing data loss and downtime. Increase in spending on IT infrastructure security. Continuous growth in deployment of cloud services, mobile, and apps. Software-Defined Secure Networks Zach Forsyth - Security Architect 13

14 A defender has to be flawless every single time A defender has to be flawless every single time An attacker only needs to succeed once! 28 PAC File 1 Web Filter Sandbox SSL DLP Aggregation firewall 27 2 SSL Client - side SSL tunnel Load balancers Flow management 11 15, 16 Inspection Log files Perimeter firewalls 14

15 WannaCry had surprising victims Every single day attackers are using zero dollar tools, written in 2006, to circumvent million dollar solutions built in 2017 via exploits in code that we knew how to fix way back in

16 16

17 Phishing is still the #1 threat vector because it just works It is the #1 delivery method for ransomware 85% of organizations have suffered a phishing compromise 1 in 3 companies have been victims of a CEO fraud filtering will never be 100% effective End user training is important, but users will still fall for well crafted s Traditional detection falls short September

18 18

19 19

20 Malware is continually evolving Payloads are encrypted before transit Memory injection is used and files are never written to disk Appears to exfiltrate data to google web addresses, but sends it elsewhere via dns Data appended to fake image headers in post requests Multi-part payloads are downloaded and then compiled locally 20

21 Ransomware timeline C&C communications are well camouflaged 21

22 Fake DNS request set up subsequent communication to toolbarqueries.google.com What s powershell really doing on your network? 22

23 23

24 You can t trust LinkedIn either 24

25 Never underestimate attack complexity 25

26 Drive-by Cryptocurrency Mining Drive-by Cryptocurrency Mining One week snapshot 35,000+ unique URLs associated with coinhive.min.js. 144 unique IP addresses 1,025 unique hostnames 6,000-10,000 newurls per day leading to the coinhive script 26

27 Devices are built without fundamental security Breaches aren t being discovered internally 27

28 Payloads are almost always unique Rapid Response is critical Time to compromise Time to exfiltration 28

29 28 PAC File 1 Web Filter Sandbox SSL DLP Aggregation firewall 27 2 SSL Client - side SSL tunnel Load balancers Flow management 11 15, 16 Inspection Log files Perimeter firewalls 29

30 Software Defined Secure Networks 30

31 Software Defined Secure Networks AV NGFW WAF IPS Sandbox Web SIEM Uncoordinated and perimeter focused Orchestrated, holistic system encompassing security + infrastructure Global Policy Orchestration, Policy Engine Open and Unified Threat Detection Dynamic, Automated Enforcement How do we get there? Day 0 Human-driven automation Day 1 Event-driven automation Day N Machine-driven automation Establish standard-based network interfaces and data models Automate network provisioning & management Simplify security and network operations Gather security & network information (Telemetry) Intelligence drives automated response and policies Rule-based action on critical network events (Closed loop automation) Use machine-learning tools to train the system Machines makes decisions and drives network change Humans make decisions where machines cannot 31

32 SDSN Architecture POLICY DETECTION ENFORCEMENT DETECTION Security Director + Policy Enforcer Policy Enforcement, Visibility, Automation Switches Threat Intelligence Physical Firewalls Sandbox Advanced Threat Prevention (ATP) Analysis Routers Third Party Threat Intel Virtual Firewalls Third Party Elements Detection Fast, effective protection from advanced threats Integrated threat intelligence Policy Adaptive enforcement to firewalls, switches, 3 rd party devices and routers Robust visibility and management Enforcement Consistent protection across physical/virtual Open and programmable environment The Network fabric is now a single enforcement domain What if your Network could be a Firewall? DETECTION & ENFORCEMENT DETECTION POLICY You need true end-toend visibility to secure the entire network Instant threat intelligence and detection Dynamically adapting policy, deployed in realtime Enforce security everywhere Sally School District Network 32

33 How does SDSN completely isolate infected host? Stateful filter on Firewall + Access list on the switch port SKY ATP Infected Host = NGFW NGFW SWITCH SWITCH Data Center Micro-segmentation Internet Perimeter Firewall Cluster Internal Firewall Cluster vfw DMZ VLAN IT Web vfw DMZ VLAN DATA CENTER vfw Fin Web vfw vsrx Policy 3 rd Party Feeds SKY ATP Threat Feeds SDSN Policy Engine POLICY Policy defined in Policy Engine 1. IT Applications cannot access Finance Applications even if they share same VLAN 2. Traffic in and out of Infected Applications should be logged DETECTION Sky detection applicable for infected applications scenario (#2 above) IT App IT DB DB_VLAN Fin App Fin DB Switch ACLs Provisions vsrx in Service Chain SDN Controller Security Groups IT Apps Fin Apps ENFORCEMENT VM related traffic controls enforced in vsrx Physical to physical traffic controls in access/aggregation switches 33

34 Juniper SDSN Portfolio Security Director Policy Enforcer Management, Visibility, Automation Secure Analytics SIEM Sky Advanced Threat Prevention Advanced Malware Defense Service Application Security SSL Inspection Intrusion Prevention User Firewall UTM Next Gen Security Services SRX300 4Gb/s (2 vcpu) 25Gb/s (16 vcpu) vsrx csrx* 5RU 480Gb/s 2RU 1RU 1RU 1RU 5.5Gb/s 5Gb/s 20Gb/s 40Gb/s SRX500 SRX1500 SRX4100 SRX4200 SRX5400 8RU 960Gb/s SRX5600 SRX5800 Branch Campus Data Center Cloud Service Provider 16RU 2Tb/s Beta* Ecosystem Partners CASB Access Security Endpoint Security Cloud App Risk Management Visibility and Control Malware and Threat Protection for Cloud Extend Security Policy Context-based BYOD Onboarding Role-based Network Access Assignment Access Control and Enforcement Discovery of All Endpoints Vulnerability and Patch Management Continuous Policy Enforcement Ready to Deploy End to End Security Solutions 34

35 Q&A Thank You CONTACT US: Jennifer Rathburn Joseph Abrenio Zach Forsyth ATTORNEY ADVERTISEMENT. The contents of this document, current at the date of publication, are for reference purposes only and do not constitute legal advice. Where previous cases are included, prior results do not guarantee a similar outcome. Images of people may not be Foley personnel Foley & Lardner LLP 35