Evolution Of Cyber Threats & Defense Approaches Antony Abraham IT Architect, Information Security, State Farm Kevin McIntyre Tech Lead, Information Security, State Farm
Agenda: About State Farm; Evolution of Attacks; Targeted Attacks Explained; Legacy Defense; Framework Based Defense; An Approach to Protecting Passwords; Big Data Security Analytics; Bringing It All Together; Conclusions; Questions
About State Farm: Ranked No. 41 on the Fortune 500 list of largest companies; #1 Auto Insurance and Life Insurance provider; One of the largest private networks in the nation; Network of 60,000 network nodes and 24,000 network links installed; Supports about 150,000 employees and agents; Manages 625,000 devices; 5,500 IT Staff Members; 323 Security Experts and growing (Yes, we are hiring!!)
A Brief History of Cyber Attacks: Talented Hackers; Experiment or Attack Just Because They Can; Often to Make Their Message Heard Louder; All About Name and Fame; Usually not About Money
A Brief History of Cyber Attacks Evolution of Attacks
Evolution Of Attacks - Present Day Attackers: Cyber Criminals; Hacktivists; Nation States; Cyber Terrorists?
Targeted Attacks In Depth - Focused Cyber Attack: Capture Credentials; Steal Intellectual Property and NPI; Pivot Point to Attack Others; Persistent; High Success Rate
Targeted Attack In Depth Example - Email Based Attack
Targeted Attacks In Depth Watering Hole Attack
Targeted Attacks In Depth Post Compromise State
Legacy Defense: LOL (Layers On Layers); Signature Based; Stops Known Bad. But, What is Bad?
Framework Based Defense For a Defendable Network - Four Pillars of Cyber Defense, mapped to the NIST functions: Prevent (NIST Protect); Detect (NIST Detect); Protect (NIST Protect); Respond (NIST Respond and Recover)
Framework Based Defense For a Defendable Network - Four Pillars - Examples
PREVENT: NextGen FWs; IPS; Antivirus; Endpoint Protection; Advanced Endpoint Protection; Exploit Prevention (like EMET); Endpoint Execution Control
DETECT: SIEM; Threat Feeds; Security Analytics; Network Sandboxes and BDS; Endpoint Detection/Forensics; Network Forensics; DNS Analysis; Flow Analysis
PROTECT: Multifactor Auth; Specific Use of Encryption; Tokenization; Network Segmentation; Outbound traffic control; Vulnerability Management
RESPONSE: Trained People; Applicable Procedures; Response & Recovery procedures; Command structure; 24/7 Monitoring and associated response; Response Automation
Make It Harder For Bad Guys Using Capabilities From Different Pillars (diagram): Untrusted zone / Trusted zone; Enterprise Admins with Day to Day Credentials used for Email and Internet; Hardened Virtual Machine Enforcing MFA Behind Separate Firewalls; Enterprise Admins with Privileged Credentials Separate From Their Day to Day Credentials; attack steps shown: 6 Credentials Stolen, 7 Data Exfil, picked up by SIEM & Response Team
Security Analytics
System activity on workstations, networks and data centers generate log information.
Log information is collected and analyzed.
Log data is stored in multiple locations across the Enterprise.
This adds up to terabytes of log data collected each day.
Hadoop Platform is used to store and process data at scale. A combination of data scientists and security experts leverage analytic tools to dig deeper into the data set: Performing hunt activities; Applying the same skills and tools we apply to business problems to security
Data is grouped in such a way as to find anomalies and potential Indicators of Compromise (IoCs) and Indicators of Attack (IoAs) within the Enterprise: Utilizing Machine learning algorithms and statistical models; Hybrid Approach - Buy and Build
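The grouping described above, as an added illustration that is not State Farm's code or tooling: a small Python script parses constructed SSH authentication lines, groups them per account, and flags two kinds of outlier: an account reaching far more hosts than the population baseline (a z-score over distinct hosts, a simple stand-in for the statistical models on the slide) and a success following a run of failures. The log format, thresholds and usernames are assumptions.

```python
import statistics
from collections import defaultdict
# Constructed sample lines (not real data): "<ts> <host> sshd: <Accepted|Failed> password for <user> from <src>"
SAMPLE_LOGS = """\
2015-03-01T08:01:02 ws01 sshd: Accepted password for alice from 10.0.1.15
2015-03-01T08:03:10 ws02 sshd: Accepted password for bob from 10.0.1.22
2015-03-01T09:12:00 ws07 sshd: Failed password for carol from 10.0.9.3
2015-03-01T09:12:05 ws07 sshd: Failed password for carol from 10.0.9.3
2015-03-01T09:12:09 ws07 sshd: Failed password for carol from 10.0.9.3
2015-03-01T09:12:14 ws07 sshd: Accepted password for carol from 10.0.9.3
2015-03-01T10:00:00 ws03 sshd: Accepted password for dave from 10.0.1.40
2015-03-01T10:05:00 ws04 sshd: Accepted password for dave from 10.0.1.40
2015-03-01T10:07:00 ws05 sshd: Accepted password for dave from 10.0.1.40
2015-03-01T10:09:00 ws06 sshd: Accepted password for dave from 10.0.1.40
2015-03-01T11:00:00 ws09 sshd: Accepted password for erin from 10.0.1.50
2015-03-01T11:30:00 ws10 sshd: Accepted password for frank from 10.0.1.60
"""
def parse(text):  # yield one event per well-formed line; anything else is treated as noise and skipped
    for line in text.splitlines():
        t = line.split()
        if len(t) == 9 and t[2] == "sshd:" and t[3] in ("Accepted", "Failed"):
            yield {"host": t[1], "ok": t[3] == "Accepted", "user": t[6], "src": t[8]}

def group_by_user(events):  # per account: distinct hosts reached, and whether a success followed 3+ failures
    per_user = defaultdict(lambda: {"hosts": set(), "fails": 0, "success_after_fails": False})
    for e in events:  # events assumed in time order, as in a log export
        u = per_user[e["user"]]
        if e["ok"]:
            u["hosts"].add(e["host"])
            u["success_after_fails"] |= u["fails"] >= 3
            u["fails"] = 0
        else:
            u["fails"] += 1
    return per_user

def find_anomalies(text, z_threshold=2.0):
    """Return {user: [reasons]} for accounts that stand out against the whole population."""
    per_user = group_by_user(parse(text))
    counts = {u: len(d["hosts"]) for u, d in per_user.items()}
    mean, stdev = (statistics.mean(counts.values()), statistics.pstdev(counts.values())) if counts else (0, 0)
    findings = {}
    for user, d in per_user.items():
        reasons = []
        if stdev > 0 and (counts[user] - mean) / stdev > z_threshold:
            reasons.append("reached unusually many hosts")
        if d["success_after_fails"]:
            reasons.append("success after repeated failures")
        if reasons:
            findings[user] = reasons
    return findings
```

On the sample, dave is flagged for the host spread and carol for the failure run; at production scale the same grouping would run as a Hadoop job over the daily log set rather than in memory.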
We Are Sitting on Top Of a Goldmine. Let's Make Use of It!
Bringing It All Together - SIEM-Analytics Eco-System (diagram): Enterprise Log Sources feed the SIEM and the Big Data databases; SIEM-Big Data Event Pull; Big Data to SIEM Correlation Rules (automatic); Manual Correlation Rules from the Hunt Team, Intel Analysts and Data Scientists; SIEM Console & Operator; Delivered Reports for Business Partners
Bringing It All Together - Integrated Defense (diagram): Identity Management System; Proxy; Breach Detection System; Encryption and Key Management; End Point Security; Big Data Defense System; DNS; NAC; Generic Preventive Control (1); Firewall; DLP System (2)
Conclusions: Invest in Framework Based Defense to create a defendable network; Be aware of blind spots and strive for greater visibility; Make use of the logs you already collect. Mine for signals within all that noise; Automate threat response to the extent possible; Invest in threat hunting capabilities; Not only consume threat intelligence, but share it!
Questions - Contact: antony.abraham.ukuo@statefarm.com; Kevin.mcintyre.hl1x@statefarm.com