Be effective in protecting against cybercrime
INTEGRATED SECURITY FOR A NEW ERA

Domenico Raguseo, Technical Sales Manager, Europe, IBM (@domenicoraguseo)
Domenico Scardicchio, Software Product Management, MERMEC
Luca Bizzotto, SWAT, IBM (@bizzotech)
Simone Riccetti, X-Force Red, IBM

Objective of the paper
- Understand the most relevant risks for railways
- Identify the most relevant attack patterns
- Develop prototypes and provide recommendations on how to mitigate the risks

What happens if something goes wrong?
- Best case: the train stops
- Worst case: a train incident
- Economic impact
- Loss of trust
- Human casualties
Railway components (e.g. ERTMS / ETCS system)
- Central Systems
- Network Connections
- Trackside Equipment
- Radio Link
- On-board Equipment
- Power Management
- Diagnostic & Maintenance

Observations
- The principal security control is based on a safety concept: if anything goes wrong, the trains stop
- The Central Systems are the ones that can be attacked most easily
- Concepts from other critical domains can be reused
- An attacker would need access to a large amount of information

Approach
1. Proactively detect an attack on the rails by monitoring all the documents an attacker would need in order to perform the attack. On the SIEM, define an offence built from all the events coming from those elements.
2. Match the rail healthcheck with the events in the control rooms to capture the attack as soon as possible.

Outcomes
- Electric Traction: SCADA bag - prototype
- Diagnostic & Maintenance: implementing security controls and adopting cognitive technologies
- Central System: offence

SCADAbag - Power Management - Railways (bill of materials)
- 1 x Wago 750-841 PLC
- 2 x Wago 750-501 Digital Output Module
- 1 x Wago 750-403 Digital Input Module
- 1 x Wago 750-653 Modbus RS485 port
- 1 x Wago 750-461 PT100
- 1 x Wago 750-600 Terminator
- 1 x Wago 750-923 USB/Serial Cable
- 1 x Wago 787-712 primary switch-mode power supply unit
- 1 x PT100 temperature sensor
- 1 x Modbus LED display
- 1 x TP-Link Gigabit Easy Smart Switch (configurable switch with a SPAN port)
- 1 x GL-AR150 portable WiFi router
- 1 x Samsung Galaxy S3
- 2 x AXIS USB 3 Gigabit Ethernet interfaces
- A fistful of LEDs and cables
- A switch
- MAX case rugged box
Network Diagram (figure)

Electric Traction: SCADA bag - Prototype (figure)

Comments
- Attacks on the network are difficult to prevent
- Focus on detection
- What can really be done for prevention?
Diagnostic & Maintenance : Implementing security controls and adopting cognitive technologies
WannaCry patterns
1. An email containing a malicious attachment is received
2. The attachment is opened and malware is launched
3. The malware communicates with the outside
4. The malware compromises the system using a known vulnerability
5. A ransom is requested in Bitcoin

Security controls violated during WannaCry (some, or at least these)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Data Recovery Capability
7. Data Protection

An integrated and intelligent security immune system
- Endpoint: endpoint detection and response, endpoint patching and management, malware protection
- Threat intelligence: malware analysis, indicators of compromise, threat sharing
- Network: network forensics and threat management, firewalls, sandboxing, virtual patching, network visibility and segmentation
- Analytics: threat and anomaly detection, user behavior analysis, transaction protection, device management, content security, vulnerability management, cognitive security
- Operations: incident response, threat hunting and investigation, fraud protection, criminal detection
- Data and applications: data protection, data access control, application scanning, application security management
- Cloud and identity: cloud identity and access, workload protection, privileged user management, identity governance and administration, access management, IDaaS, mainframe security

Applied cognitive technologies (figure)

Drivers for cognitive adoption
- Intelligence gap: the #1 most challenging area due to insufficient resources is threat research (65% selecting); the #3 highest cybersecurity challenge today is keeping current on new threats and vulnerabilities (40% selecting)
- Speed gap: the top cybersecurity challenge today and tomorrow is reducing average incident response and resolution time, despite the fact that 80% said their incident response speed is much faster than two years ago
- Accuracy gap: the #2 most challenging area today is optimizing the accuracy of alerts (too many false positives); the #3 most challenging area due to insufficient resources is threat identification, monitoring and escalating potential incidents (61% selecting)
- Addressing these gaps while managing cost and ROI pressures

Incident analysis: "I investigate potential threats"
- EXTERNAL THREAT RESEARCH: know business- and industry-relevant trends. Who is this information from? Are they trustworthy?
- INTERNAL THREAT RESEARCH: investigate potential network problems. How and why is this different from normal system behavior?
- MONITOR alarm queues and potential threats. How much will it hurt our organization? Do I need to deal with this now?
- REPORT vulnerabilities and issues
- TUNE: improve rules
(RACI roles: Informed, Consulted, Accountable, Responsible)

Revolutionizing how security analysts work
- Security analyst alone: human-generated security knowledge; enterprise security analytics
- Security analyst and Watson: gain powerful insights; tap into the vast array of data to uncover new patterns; get smarter over time and build instincts; cognitive techniques to mimic human intuition around advanced threats; reduce the security skills gap; triage threats and make recommendations with confidence, at scale and speed

Helps analysts hunt for threats like never before
- Speeds up investigations with automated analysis
- Correlates local threat information against billions of nodes
- Fed with millions of security documents, blogs and more
Central System : Offence
1. Proactively detect an attack on the rails by monitoring all the documents an attacker would need in order to perform the attack. On the SIEM, define an offence built from all the events coming from those elements.
2. Match the rail healthcheck with the events in the control rooms to capture the attack as soon as possible.
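The two rules above can be expressed as SIEM-style correlation logic. The following is an added example written for this page, not code from IBM, MERMEC or QRadar: the event format, the list of "critical document classes", the thresholds, the window sizes and the sample log lines are all constructed assumptions. Rule 1 raises an offence when a single actor reads several distinct classes of the documents an attacker would need within one day; rule 2 raises an offence when a trackside healthcheck failure coincides with a control-room remote command on the same asset.

```python
"""Toy SIEM correlation for the two railway detection rules (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Rule 1 (assumption): document classes an attacker would need to plan an
# attack, and how many distinct classes one actor may touch per window.
CRITICAL_DOC_CLASSES = {"network_topology", "interlocking_config",
                        "plc_program", "track_layout"}
DOC_CLASS_THRESHOLD = 3
DOC_WINDOW = timedelta(hours=24)

# Rule 2 (assumption): a healthcheck failure within this window of a
# control-room remote command on the same asset is suspicious.
HEALTH_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Parse 'timestamp|source|actor|action|target' (constructed format)."""
    ts, src, actor, action, target = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "actor": actor, "action": action, "target": target}


def document_access_offences(events):
    """Offence when one actor reads >= DOC_CLASS_THRESHOLD distinct critical
    document classes inside any DOC_WINDOW-long window."""
    per_actor = defaultdict(list)
    for e in events:
        if e["src"] == "docstore" and e["target"] in CRITICAL_DOC_CLASSES:
            per_actor[e["actor"]].append(e)
    offences = []
    for actor, evs in per_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # slide a window over the reads
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= DOC_WINDOW]
            classes = {e["target"] for e in window}
            if len(classes) >= DOC_CLASS_THRESHOLD:
                offences.append({"rule": "critical-doc-collection",
                                 "actor": actor, "classes": sorted(classes),
                                 "start": first["ts"]})
                break                            # one offence per actor
    return offences


def healthcheck_offences(events):
    """Offence when a trackside healthcheck failure has a control-room
    remote command on the same asset within HEALTH_WINDOW."""
    commands = [e for e in events
                if e["src"] == "controlroom" and e["action"] == "remote_command"]
    offences = []
    for h in events:
        if h["src"] == "trackside" and h["action"] == "healthcheck_fail":
            related = [c for c in commands if c["target"] == h["target"]
                       and abs(c["ts"] - h["ts"]) <= HEALTH_WINDOW]
            if related:
                offences.append({"rule": "healthcheck-command-match",
                                 "asset": h["target"],
                                 "actors": sorted({c["actor"] for c in related}),
                                 "at": h["ts"]})
    return offences


# Constructed sample log: jdoe collects three document classes in one morning,
# bob collects three over several days (no offence), asset TS-17 fails its
# healthcheck right after a remote command, TS-22 fails with no command nearby.
SAMPLE_LOG = [
    "2016-05-10T08:00:00|docstore|jdoe|read|network_topology",
    "2016-05-10T08:20:00|docstore|jdoe|read|interlocking_config",
    "2016-05-10T09:05:00|docstore|jdoe|read|plc_program",
    "2016-05-10T08:30:00|docstore|asmith|read|track_layout",
    "2016-05-08T10:00:00|docstore|bob|read|network_topology",
    "2016-05-09T10:00:00|docstore|bob|read|interlocking_config",
    "2016-05-11T10:00:00|docstore|bob|read|plc_program",
    "2016-05-10T14:00:00|controlroom|ops1|remote_command|TS-17",
    "2016-05-10T14:04:00|trackside|sensor|healthcheck_fail|TS-17",
    "2016-05-10T16:00:00|trackside|sensor|healthcheck_fail|TS-22",
]


def run(lines=SAMPLE_LOG):
    """Apply both rules and return the list of offences."""
    events = [parse_event(l) for l in lines]
    return document_access_offences(events) + healthcheck_offences(events)


if __name__ == "__main__":
    for offence in run():
        print(offence)
```

The healthcheck rule deliberately matches legitimate maintenance commands too; in a real deployment the offence would be enriched with the control-room change schedule so that a planned command does not page an analyst, while an unscheduled one does.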
Case study: a large Japanese railway operator deploys the IBM QRadar Security Intelligence Platform and IBM Security Guardium Database Activity Monitor software to protect its infrastructure from external and internal threats.

Solution highlights
- Proactive identification of threats across the entire IT infrastructure
- Comprehensive database monitoring
- Integration into a single dashboard
- Advanced analytics and correlation analyses assess network activity in real time
- Rule-based security management
- Automated compliance controls
- Alerting on abnormal database activity
- Centralized security management
- Real-time visibility
- Intelligent incident analysis
(SECURITY OPERATIONS AND RESPONSE)
THANK YOU
FOLLOW US ON: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions
Copyright IBM Corporation 2016. All rights reserved.