What Happened? IoT, OT and Convergence

Transcription

1 What Happened? IoT, OT and Convergence Tony Gillespie US Public Sector Strategist

2 Speaker Tony Gillespie Recently retired GS15 Assistant Chief of Staff G6/CIO for Marine Corps Installations East. 35 years in the Marine Corps active duty and Civil Service. Was responsible for the Voice, Video, Data and Security for all USMC bases on the East Coast south of Quantico, Va. Primary architect and Pilot for C2C for the DoD 2

3 Yesterday.. Managed Workstations Today.. IP based devices Baseline Security IoT is not coming.. It is HERE Visibility 3

4 Fundamental Security baseline.. (we all must do it) The largest threat to networks is end points (Managed and unmanaged IoT) You MUST be able to discover, classify and perform real time risk assessments. Most Cybersecurity resources are performing fundamental baseline security tasks (vice pro-active measures) Significant # of compromises have proven to be old vulnerabilities (2+ years) that were exploited. Let s lock our doors and roll up the windows! (Fundamental security automation) (AKA- The Stupid patch or a wrench big enough to tighten the loose nut) How much time do you spend wrestling little alligators taking up YOUR cycles when you should be strategizing. 4

5 Consequences and Impact of Inadequate Visibility Industry Stats: 80% of successful attacks leverage well-known vulnerabilities Gartner Security and Risk Management Summit 99% of exploits will continue to be from known vulnerabilities up to one year through Gartner Top 10 exploited vulnerabilities are more than a year old - HP Security Research. 66% of networks will experience an Internet of Things based breach by 2018 IDC 80% of all endpoints connected endpoints to the network will not support agent based technologies by 2020 Gartner Business / Mission impact: Reputational damage which could impact funding. Breach remediation averages $4 Million per incident Ponemon Institute, June 2016 Critical citizen services become unavailable, unreliable Loss of grant funding or punitive damages due to non-compliance with Federal & State requirements Gartner Security and Risk Management Summit, Preparing for Advanced Threats and Targeted Attacks, Kelly Kavanaugh, June 2014; Webtorials and ForeScout Internet of Things Security Report, June

6 How do we get there? Desired State: 1. Complete visibility: You cannot protect what you cannot see. 2. Understanding configuration, posture, location, ownership of all devices on the network in real-time, supported or unsupported 3. Rapid response to prevent incidents & breaches through orchestration using current portfolio self-defending network 4. Realtime dashboard of PCI, HIPAA etc. compliance 5. Automate remediation of findings from audits Positive Mission Outcomes (per IDC) 1. 50% reduced chance of outage caused by cyber event % increased devices in compliance 3. 47% improved incident resilience 4. Result Public trust and confidence. 6

7 Required Capabilities - Going from Present State to Desired State Agentless, Continuous Discovery & Situational Awareness Device Classification of ALL connected endpoints without the use of Agents Ability to rapidly deployment the solution enterprise-wide Defense In Depth Monitor cyber hygiene of all endpoints and the required security controls in real-time Automated Policy Enforcement Out-of-Box Integration with current tools Patch, Firewall, Antivirus Legacy equipment protection Complete asset inventory for HelpDesk, CMDB, Renewals Rogue Device/Activity detection and mitigation Continuous and Situational State Asset Awareness Single pane of glass for detecting, mitigating, and remediating cyber incidents 7

8 How ForeScout Sees Devices DYNAMIC AND MULTI-FACETED A Multiple Methods Poll switches, VPN concentrators, APs and controllers for list of devices that are connected B Receive SNMP traps from switches and controller A C RADIUS Server K E ForeScout CounterACT B SNMP Traps H D DHCP Requests NetFlow C D E F Monitor 802.1X requests to the built-in or external RADIUS server Monitor DHCP requests to detect when a new host requests an IP address Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners Run NMAP scan G Use credentials to run a scan on the endpoint J L F H I Receive NetFlow data Import external MAC classification data or request LDAP data G User Directory I FTP/LDAP Server J K Monitor virtual machines in public/private cloud Classify devices using PoE with SNMP L Use optional agent Reference Acronym Glossary at the end of presentation 8

9 1 2 3 IoT Landscape Threat Landscape Visibility 9

10 A Perfect Storm of Threats Creating New Security Needs Attacks Targeting Devices that Corporations Can t See 99% Of IoT devices do not support security agents 50% 5 out of 6 large companies is hit with targeted attacks today Of Enterprises lack visibility on mobile IoT = Internet of Things 10

11 IoT Device Growth The Internet of Things is the network of dedicated physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment. 0 5 Billion 30 Billion IoT BYOD PC IoT = Internet of Things 11

12 1 2 3 IoT Landscape Threat Landscape Visibility 12

13 Foundation Security SEE If you can t see it you can t determine risk IoT NO Agent - if it requires an agent how do you find it? BYOD Control automated and manual Determine Risk and Deny Access based on policy Allow access based on the rest of the story Orchestrate take action or pass Kick-off mitigation Kick-off scan Open Ticket or Pop Up notifications IoT Internet of Things BYOD = Bring Your Own Device 13

14 So what? Staff realigned to proactive tasks (Analytics, Hunting, Forensics) Resource reduction (be careful with this one!) 99.x% compliance is not only achievable it can be YOUR the minimum standard! 2 nd and 3 rd order effects Increased security across the enterprise Immediate action and zero day mitigation Real-time knowledge of current security posture Asset and license management Portfolio Management 14

15 Thank you!

16 Acronym Glossary AAA Authentication, Authorization and Accounting IM Instant Messaging pxgrid Cisco Platform Exchange Grid ACL Access Control List IOC Indicators of Compromise RADIUS Remote Authentication Dial-In User Service ACS Cisco Secure Access Control Server ios Apple operating system for mobile devices Reauth Reauthorization ARP Address Resolution Protocol IoT Internet of Things RTU Remote Terminal Unit ATD Advanced Threat Detection IP Internet Protocol SCADA Supervisory Control and Data Acquisition ATP Advanced Threat Prevention ISE Cisco Identify Services Engine SDK Software Developer Kit BYOD Bring Your Own Device MAB Mac Authentication Bypass SGT Security Group Tags (Cisco) CA Certificate Authority MTP FireEye s Mobile Threat Prevention Platform SIEM Security Information and Event Management C&C Command and Control MTTD Mean Time to Detection SNMP Simple Network Management Protocol CEF Cisco Express Forwarding MTTR Mean Time to Resolution SOX Sarbanes Oxley CoA Change of Authorization NA Not Applicable SQL SQL Server DHCP Dynamic Host Configuration Protocol NAC Network Access Control SSID Service Set Identifider DNS Domain Name Server NERC North American Electric Reliability Corporation syslog standard for messaging logging EMM EX FERC Enterprise Mobility Management FireEye s Threat Prevention Platform for -based Cyber Attacks Federal Energy Regulatory Commission Netbios NIC NIMAPP Network Basic Inut/Output System Network Interface Card Network Mapper TACACS TAM TAP Terminal Access Controller Access Control FireEye s Threat Assessment Manager FireEye s Threat Analytics Platform FW Firewall NIST National Institute of Standards and Technology TCO Total Cost Ownership GUI Graphical User Interface NMAP network mapper USB Universal Serial Bus HIPAA HITECH HPS Health Insurance Portability and Accountability Act Health Information for Technology for Economic and Clinical Health Host Property Scanner NX OS P2P FireEye s Network Threat Prevention Platform (NX) Operating System Peer to Peer VA vfw VM Vulnerability Assessment Virtual Firewall Virtual Machine HX FireEye s Endpoint Threat Prevention Platform PCI Payment Card Industry VPN VPN ID Identification PKI Private Key Infrastructure 16

17 Backup

18 18

19 19

20 Vendors are proliferating within these siloed environments IoT Device / Solution Vendors by Physical Environments Personal Home Office Medical Vehicles Worksite Factory Retail Logistics City Without standards or platforms, each vendor in each vertical environment tends to build their own respective specialized solution stack from scratch Source: Harbor Research, 2014; McKinsey Global Institute,