Cyber Risk Management

Transcription

1 Cyber Risk Management It s complex and we need a solution Joe Leonard, CISO CISM, CISA, CRISC, CISSP, CEH v1

2 Agenda q Introduction q Today s Cyber Challenges q Lessons learned from the Field q q q q Strategy Architecture Testing SecOps q The Solution q q Summary NGRM Adaptive Security 2

3 Introduction Presidio - CISO Over 12 years at Presidio 39 Years in Security Organizations US Army (Electronic Warfare) EDS (Cellular Communications) GTE Internetworking (ISP) Digex (Network/Web Hosting) Northrop Grumman ( Security Consulting) Presidio (Cyber Consulting) Certifications CISM, CISA, CRISC, CISSP, CEH, CCSK

4 Today s Session

5 Discussion Cyber security is creating new challenges for many organizations. These challenges include an expanding attack surface, increased compliance requirements, shortage of cyber security resources and questions from the board on what does our risk posture look like. A frequent question, How secure are we? During this session, we will introduce Presidio s Next Generation Risk Management (NGRM) solution that addresses today s cyber risk challenges. We will discuss how we integrate strategy, architecture, continuous testing and security operations into a comprehensive risk management solution that addresses today s cyber challenges. 5

6 Today s Cyber Challenges

7 Today s Cyber Challenges Attack Vectors Disruption Technology Business Challenges Data Risks Visibility Expanded Attack Surface Where do I start Board Issue I Don t Know What I Don t Know Resource Shortage Compliance Criminals, Insiders, Hacktivists and Nation States

8 People, Process and Technology People Process Technology Focus 8

9 Lessons learned from the field

10 Strategy Lessons Learned from the field

11 Strategy - Common Findings YR 3 Business YR 2 YR 1 Security No Plan No Roadmap Not Aligned Not Compliant

12 Strategy - Common Findings (cont.) No Policies ISO No Testing Create Policies PCI CHD Check the Box Inadequate Testing Resource Shortage 12

13 What is your Security Strategy 13

14 Architecture Lessons learned from the field

15 Architecture - Common Findings PCI Segmentation & Compliance No Visibility Users Data Assets Architecture Challenges Admin Priviledges

16 Testing Lessons learned from the field

17 Testing - Common Findings Red Team Think Like The Enemy No Testing Assessments Inconsistent & Not Actionable No Verification Advanced Testing 17

18 SecOps Lessons learned from the field

19 SecOps Common Findings Red Team Think Like The Enemy Monitoring Not Watched Systems Not Updated Alert Fatigue Nonexistent IR 19

20 The Solution - NGRM Adaptive Security

21 Next Generation Risk Management Adaptive Security Risk Reduction NGRM Adaptive Security services address todays changing and expanding cyber threat landscape. Strategy Architecture Testing YR Q2 Q3 Q4 SecOps Business Intelligence (Customer) Roadmap Threat Intelligence Benefits: Continuous Risk Management lifecycle approach Strategy aligned with business goals and risk Governance (Security Framework) Architecture Roadmap Continuous Testing Managed Services Incident Response Program Executive level KPIs À la carte consumption model Leverage customer investments

22 Cyber Security Capabilities Adaptive Security Adaptive Strategy Adaptive Architecture Adaptive Testing Adaptive SecOps Security Strategy Architecture Consulting Baseline Assessments Engagement Management Compliance & Gap Analysis Security Architecture Penetration Testing Reporting HIPAA Cloud and IoT Red Team Managed Security Services PCI Firewall Analysis Red/Blue (Purple) Remediation Services NIST FISMA/FedRAMP Policy and Procedures Security Awareness Training GDPR NIST Cyber Security Framework NIST ISO Device Hardening Segmentation Workshop Active Directory Analysis PKI Architecture Assessment Architecture Design Architecture Implementation NERC-CIP Application Security Assessment Mobile Application Assessment On-Demand and Quarterly Testing Social Engineering Security Analysis M&A Testing Security Controls Implementation Staff Augmentation Incident Response CIS 20 Controls 22

23 CYBER SECURITY METHODOLOGY An approach that uses a risk-based methodology to assess, architect, implement and maintain an information security program for protecting customer s critical business data. A vendor agnostic approach that provides customers the expertise to understand threats, vulnerabilities, technologies, regulatory compliance and industry best practices. Industry expert security consultants that leverage best of breed solutions to help protect your business in the face of an everchanging threat landscape.

24 Comprehensive Framework Hierarchical Approach NIST R4 CIS 20 V7 ISO

25 Governance Framework NIST Cyber Security Framework (CSF) Identify Protect Detect Respond Recover Asset Management (AM6) Business Environment (BE5) Governance (GV4) Risk Assessment (RA6) Risk Management Strategies (RM3) Supply Chain Risk Management (SC5) Identity Management and Access Control (AC7) Awareness and Training (AT5) Data Security (DS8) Information Protection Processes and Procedures (IP12) Maintenance (MA2) Protective Technology (PT5) Anomalies and Events (AE5) Security Continuous Monitoring (CM8) Detection Processes (DP5) Response Planning (RP1) Communication (CO5) Analysis (AN5) Mitigation (MI3) Improvements (IM2) Recovery Planning (RP1) Improvements (IM2) Communications (CO3) 1. Partial 2. Risk Informed 3. Repeatable 4. Adaptive 25

26 ISO Annex A - 14 Domains - 35 Control Objectives Controls 26

27 CIS 20 Critical Controls

28 HIPAA Services Security Standards: General Rule Administration Safeguards Technical Safeguards Physical Safeguards Organization Safeguards Policies, Procedures and Documentation Requirements Protection of ephi and PHI (Security and Privacy Rule) Risk Assessment Privacy Rule Security Rule NIST Meaningful Use Roadmap Development Remediation HIPAA Consulting 28

29 PCI Services Merchant Level Level 1 6 million transactions and up per year Level 2 1 million to 6 million transactions per year Level 3 20,000 to 1 million transactions per year Level 4 < 20,000 transactions per year Validation Requirements Level 1 Annual QSA onsite + Quarterly ASV Scan Level 2 Annual PCI DSS Self Assessment Questionnaire + Quarterly ASV Scan Level 3 Annual PCI DSS Self Assessment Questionnaire + Quarterly ASV Scan Level 4 Annual PCI DSS Self Assessment Questionnaire + Quarterly ASV Scan PCI DSS Requirements Build and maintain a secure network (2) Protect cardholder data (2) Maintain a vulnerability management program (2) Implement strong access-control measures (3) Regularly monitor and test networks (2) Maintain an Information Security Policy (1) Merchant accepts, transmits or stores any cardholder data. Annual Assessment Report of Compliance (ROC) Annual Penetration Testing Quarterly Scan by Approved Scanning Vendor (ASV) Gap Analysis Presidio is a Qualified Security Assessor (QSA) Presidio partners with ASV 29

30 PCI Data Security Standard PCI DSS Requirements Compliance doesn t mean good security Example logging There is no requirement to identify what levels of security get logged. Weakness! Who defines what should be logged on the firewall, IPS or servers? Review the following at least daily: All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusionprevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 30

31 NIST Services Business and Security Requirements Discovery Understand business, operations and security requirements Understand NIST reporting requirements Technical Control Discovery Understand and document current-state technical controls Administrative Control Discovery Understand current-state governance and administrative controls Protecting Controlled Unclassified Information (CUI) in Nonfederal information systems and organizations. Gap Analysis 14 control families, 110 controls Deliverables SSP, POAM Gap Analysis Perform gap analysis of controls against NIST Show status of control implementation Recommendations Development Define target architecture Define any additional controls needed Define enhancements to existing controls Establish NIST baseline reporting 31

32 GDPR WHAT IS IT EUROPEAN PRIVACY LAW THAT PROTECTS E.U. CITIZENS PRIVACY BUSINESSES ALL ENTITIES DOING BUSINESS WITHIN THE E.U. SYSTEMS ALL SYSTEMS THAT MANIPULATED E.U. CITIZENS DATA. CHANGES NEW SYSTEMS, CONFIGURATIONS, AND PROCESSES WHEN LESS THEN ONE YEAR 32

33 Cyber Security Capabilities Adaptive Security Adaptive Strategy Adaptive Architecture Adaptive Testing Adaptive SecOps Security Strategy Architecture Consulting Baseline Assessments Engagement Management Compliance & Gap Analysis Security Architecture Penetration Testing Reporting HIPAA Cloud and IoT Red Team Managed Security Services PCI Firewall Analysis Red/Blue (Purple) Remediation Services NIST FISMA Policy and Procedures Security Awareness Training GDPR NIST Cyber Security Framework NIST ISO Device Hardening Segmentation Workshop Active Directory Analysis PKI Architecture Assessment Architecture Design Architecture Implementation NERC-CIP Application Security Assessment Mobile Application Assessment On-Demand and Quarterly Testing Social Engineering Security Analysis M&A Testing Security Controls Implementation Staff Augmentation Incident Response CIS 20 Controls 33

34 Segmentation Challenges Sounds so simple Crosses too many boundaries Security wants to implement Understand impact and operational challenges Desktop and Servers Don t know where to start Data Center Segmentation What do you segment? What are your critical assets? What do you prioritize?

35 Segmentation Workshops

36 Security Architecture Workshops Business Requirements Summary The discovery process Goals consists of a series of Presidio client interviews and questionnaires. The objective of the discovery Controls phase is to clearly identify and document business and technical requirements, dependencies and risks. Infrastructure Document Goals and Objectives Identify Key Stakeholders Identify Business Requirements Document Intended Benefits Categorize and Document Security Goals Identify and Document Gaps and Risks Document Organization Interactions and Process Dependencies Technical Requirements Summary Perform IT Infrastructure Discovery and Analysis Identify Current Gaps in Infrastructure and Supporting Systems Develop High Level Design (HLD) and Low Level Designs Build Production Pilot Environment for Extensive Testing and Validation Identify and Document Integration Strategy Develop architecture roadmap Align technical requirements, dependencies and risks to business requirements 36

37 RoadMap Immediate (Day 0-90) IP Addressing Scheme LogRhythm TLM Platform Top 5 Differentiators Short Term (Day ) Mid Term (Day ) Long Term (365+) Migrate Hosts and Devices Identify Critical Systems Gather Connectivity Requirements Isolate and Control 3 rd Party Evaluate Vendor Solutions Enhance Visibility to Internal Traffic Deploy Data Center Firewalls Implement Zones and Networks Deploy Secure Administration Environment VMware NSX Environment Enhancements Implementation and Migration of Common Services Legend: Planning Implementation Optimization

38 Device Hardening Best Practices are not followed Infrastructure vulnerable Making basic mistakes that should be avoided Device hardening guidelines are not followed Example IoT talking to the Internet when it should be segmented Who audits the device hardening?

39 Cyber Security Capabilities Adaptive Security Adaptive Strategy Adaptive Architecture Adaptive Testing Adaptive SecOps Security Strategy Architecture Consulting Baseline Assessments Engagement Management Compliance & Gap Analysis Security Architecture Penetration Testing Reporting HIPAA Cloud and IoT Red Team Managed Security Services PCI Firewall Analysis Red/Blue (Purple) Remediation Services NIST FISMA/FedRAMP Policy and Procedures Security Awareness Training GDPR NIST Cyber Security Framework NIST ISO Device Hardening Segmentation Workshop Active Directory Analysis PKI Architecture Assessment Architecture Design Architecture Implementation NERC-CIP Application Security Assessment Mobile Application Assessment On-Demand and Quarterly Testing Social Engineering Security Analysis M&A Testing Security Controls Implementation Staff Augmentation Incident Response CIS 20 Controls 39

40 Baseline Testing Internal Assessment External Assessment Wireless Infrastructure Penetration Testing Physical Security Governance Remote Access Web Applications Yearly Testing Quarterly Testing and remediation testing Monthly Testing On-demand testing Compliance - HIPAA, PCI, GDPR, FISMA, NIST CUI Penetration Testing NIST R4, NIST , CIS 20 Validation of new controls Device Hardening Social Engineering 40

41 Penetration Testing Reconnaissance OSINT Penetration Basic o o Local system privilege escalation Validate additional accessible hosts Escalation & Lateral Movement Moderate o o Basic Perform additional penetration testing on accessible hosts Clean-Up Full o o Moderate Attempt to discover critical data on exploitation process Documentation

42 Red Team Think like the Enemy Analysis Cleanup Presentation Intelligence Gathering External Internal Attacks Scope Intelligence Gathering External / Internal Attacks Command & Control (C&C) Analysis / Lessons Learned Improved Incident Response Replicate Real World Attacks Increase Security Awareness Command & Control Deliverables Executive Summary Detailed Red Team Analysis (ROE) Onsite After Action Review

43 Social Engineering Analysis Cleanup Presentation Intelligence Gathering Command & Control In Person/Remote Attacks Intelligence Gathering OSINT Threat Modeling Attack Scenario Development In Person / Remote Attacks Spearphishing Impersonation Unknown Device Command & Control Establish Foothold Escalate Privilege Pivot & Lateral Movement Analysis / Lessons Learned Improved Incident Response Replicate Real World Attacks Increase Security Awareness 43

44 Execution Perform Social Engineering Attacks Dear John Doe We are happy to announce a special promotion together with our partner (ABC) giving away 10 ipad Minis to our employees, The promotion starts November 1, 2017 and ends December 1, The promotion is open to all employees of company X. To take part in the 2017 ABC Promotion, please visit and enter your windows username and password.

45 Security Analysis Sensitive Data Traffic Visibility Unauthorized Applications C&C IOC Patch Configuration Discover Vulnerabilities Tap Span Services: Malware file based analysis Traffic Analysis PCAP Analysis IDS/IPS Passive Vulnerability Assessment Passive Module (Tap /Span) Reporting Benefits: Identify Indicators of Compromise (IOC) Identify Targeted Attacks Identify traffic anomaly Identify attackers 45

46 Testing the Environment Why is it Important?

47 Testing the Environment Penetration Testing Picking the Lock Impersonation Phishing Red Team 47

48 Story 1 Penetration Testing Target OWA Access OSINT Gathering Identified accounts to target A-Z appended to 1000 last names Password sprayed against accounts One account access gained Downloaded VPN client OSINT identified VPN ports open Gained access through account No restrictions flat network Waited for user desktop to come online Pinged desktop Popped hash from memory Looked for account with elevated privileges Created domain account Gained Access ID badge, SSN, invoices, collections, voice recording for legal, audit data, HR data and legal data 48

49 Story 3 Multi-tier Attacks Attacks Reconnaissance (badge) Phishing Tailgate USB Human Error < 20 minutes on-site 1 inserted USB Server room compromised 7 sets of credentials compromised 12 sets of spear phishing Full VPN Access Full access 49

50 Story 5 Red Team GOAL Gain access to pharmaceutical price list 1st night dumpster diving price lists found 2 nd night reconnaissance on building door locks vulnerable Gained access knitting hook picked door lock (loiding) Badge ID System left out in open guessed easy password Created admin account and badges Deleted forced entry alerts from camera and door security system Used newly created badges to access environment Installed keystroke loggers on keyboards Gained domain admin privileges Gained full admin access to pharmaceutical server 50

51 Cyber Security Capabilities Adaptive Security Adaptive Strategy Adaptive Architecture Adaptive Testing Adaptive SecOps Security Strategy Architecture Consulting Baseline Assessments Engagement Management Compliance & Gap Analysis Security Architecture Penetration Testing Reporting HIPAA Cloud and IoT Red Team Managed Security Services PCI Firewall Analysis Red/Blue (Purple) Remediation Services NIST FISMA/FedRAMP Policy and Procedures Security Awareness Training GDPR NIST Cyber Security Framework NIST ISO Device Hardening Segmentation Workshop Active Directory Analysis PKI Architecture Assessment Architecture Design Architecture Implementation NERC-CIP Application Security Assessment Mobile Application Assessment On-Demand and Quarterly Testing Social Engineering Security Analysis M&A Testing Security Controls Implementation Staff Augmentation Incident Response CIS 20 Controls 51

52 Managed Security Services Services: 24 x 7 x 365 coverage Advanced Security Managed Platform Detection, analysis, response, escalation and mitigation Security event correlation Threat Intelligence Service Device Management Reporting Benefits: Comprehensive platform Governance & Compliance Service Device Management 52

53 Incident Response Services: Subscription services Incident coordination, containment and investigation Log, host and network forensics Creation of IR processes Remediation planning Threat & Incident Reporting Table Top Exercises Are you ready? Emergency or Retainer? What is your SLA? Benefits: Organization understands role Security readiness for attack Incident containment Central communication point Reduce brand damage 53

54 Static to Dynamic Reports Benefits: Dynamic Risk Score Improved Risk Visibility Improved Vulnerability Tracking over static reports 54

55 NGRM Reporting DEMOS AVAILABLE IN THE RED SKY BOOTH 55

56 Summary q Today s Cyber Challenges q Lessons learned from the Field q q q q Strategy Architecture Testing SecOps q The Solution q NGRM Adaptive Security 56

57 FIND OUT Why youtube.com/presidio fb.com/presidioit linkedin.com/company/presidio