Reducing Liability and Threats through Effective Cybersecurity Risk Measurement
Does Your Security Posture Stand Up to Tomorrow's New Threat?
Christopher Strand, Security Compliance and Risk Officer
AGENDA
- The state of the industry (the threatscape): statistics and observations
- Apply security control measurement to obtain cyber clarity
- Frameworks and scorecards that can help reduce threats while boosting data and security accountability
2016 Carbon Black. All Rights Reserved. CONFIDENTIAL
ABOUT ME
Christopher Strand, Security, Risk & Compliance Officer, Carbon Black
- More than 20 years of IT and compliance experience
- Certified and trained IT auditor and security assessor
- Oversees development of security solutions that help deploy positive security to improve compliance and risk posture
- Held leadership positions at many leading security and compliance companies
WE HAVE TO DEFEND AGAINST ALL OF THIS
THE CASE FOR SPEED
- 214 days: mean time to identify a breach, by root cause
- 77 days: mean time to contain a breach, by root cause
- For a breach that is not contained within 30 days, the average estimated cost increases by $1 million
Source: Ponemon Institute, 2017 Cost of Data Breach Study, sponsored by IBM
THE YEAR OF...
Regulatory landscape:
- NY DFS '17: first-in-the-nation cybersecurity regulation
- PCI DSS '18: introduces one-year incremental changes to keep up with threats
- HIPAA '16: stronger enforcement and oversight by OCR; Phase 2 audits
- GDPR '18: global implications; strict penalties
- MAS TRM '16: new guidelines for outsourcing risk management; guidance on cloud services
- HKMA '16: introduces the Cybersecurity Fortification Initiative (CFI)
- ASD '16: move from the mandatory Top 4 to the Essential 8
External threat landscape:
- 183 million known global records lost, '11 to '12
- 5.9 billion global records lost since '13
- 9.0 billion global records lost since '13
THREATS TO YOUR ENVIRONMENT
The growth of cybercrime has brought forth innovations that allow malware to rapidly change its appearance.
- All industries are under attack: healthcare, manufacturing, education, retail, information processing, finance
- Attackers are relentless and outpacing traditional prevention
- Attack types seen: known malware, obfuscated malware, scripting attacks, memory attacks, PowerShell, ransomware, remote login, macros, unknown malware
[Chart: cyber attack breaches trend by industry and attack type; the values 1,368 / 1,028 / 166 / 171 / 254 / 370 cannot be matched to their labels from the extracted text]
Source: 2016 Verizon Data Breach Investigations Report
CYBER SECURITY NOISE & DISTRACTIONS
- External landscape: breach creep (...B records lost); new privacy laws; stricter privacy laws
- Compliance creep: internal mandates and policies from industry, government, 3rd party and corporate sources
- Threats to your environment: black hats outpacing white hats; obfuscated malware; scripting attacks; ransomware
- Consequences of not keeping up
[Diagram: cyber risk landscape]
- Threat sources: human error, 3rd party, insider threat, external threat, supply chain
- Risks: corruption, loss, theft, modification, denial of service, service disruption, privacy, IP
- Functions and connected systems: business process, network, physical, data, platform, critical asset
- Governance & compliance: policy & awareness, security technology, incident management, resilience & disaster recovery, monitoring & assessment
DATA SECURITY RISK MEASURE RECIPE
- Framework: prioritize BAU process and governance (industry, government, 3rd party, corporate)
- Get to baseline policy: focus on data residency and high-risk assets (people, endpoints, servers, apps & files)
- Identify current risk to policy: prioritization; vulnerabilities
- Measure: proactively assign risk and access
- Mature your defenses
APPLY A FRAMEWORK
- National Institute of Standards and Technology (NIST)
- EU General Data Protection Regulation (GDPR)
- Federal Financial Institutions Examination Council (FFIEC)
- COBIT 5, an ISACA framework
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes-Oxley
- Gramm-Leach-Bliley Act
CREATE A POLICY
- NIST 800 series
- CIS CSC Top 20
- FFIEC Cybersecurity Assessment Tool (CAT)
- SOC Type I & II
- Payment Card Industry Data Security Standard 3.2
- Sarbanes-Oxley
- Gramm-Leach-Bliley Act
PRIORITIZE BASED ON BAU PROCESS & CRITICAL DATA
Merge the traditional IT audit process with the cyber risk audit process. Measure effectiveness and risk to critical security controls against:
- Corporate policy
- People, process and technology
- Actionable intelligence
Then:
- Enforce policy throughout the kill chain
- Continuously mitigate threats
- Monitor assets based on policy
- Combine positive and negative security to detect threats
- Assign trust rating and policy
- Emphasize the data
- Classify assets by BAUs
RANSOMWARE: A LUCRATIVE BUSINESS
- 12-month volume (source: Osterman, Panda & McAfee): 41% of companies hit 1 to 5 times; '05: new strains every 12 minutes; '16: every four seconds. Bad guys: traditional defense strategies can't keep up
- Yearly growth (source: FBI & CSO Online): '15: $325M; '16: $1B; by 2020 estimates range up to $200B. Bad guys: business growth that works
- Scalable (source: CERT): '16: 4K daily attacks, up 300% from '15. Bad guys: achieve mass scale with victim volume
ANATOMY OF A RANSOMWARE ATTACK
RANSOMWARE: CYBER KILL CHAIN & BASELINE SECURITY CONTROLS
Kill chain phases:
- Phase 1, Preparation: Recon, Weaponize
- Phase 2, Active breach: Deliver, Exploit, Install, Command & Control, Action(s) on target
- Phase 3, Response/fallout
Baseline controls and the risk question each one answers:
- Identify assets: Where is data residency? Who/what has access? What are they doing with it?
- Detect: Where is it vulnerable? What are we doing to fix it?
- Protect: How well is it protected? What's the newest threat?
- Respond: What is happening? Where did it start? How long?
- Recover: How quickly was it resolved? How do I enforce it?
IDENTIFY ASSETS
Controls: understanding and categorizing
Common security errors:
- Not considering technology, processes and people within your BAU
- Not checking default access to sensitive data and building business justification
- Not mapping users to BAUs
1. Prioritize high-risk and vulnerable data and assets
2. Identify BAU processes: browser, attachments, downloads, uploads, data access, network access, applications, shareware, open source, social
3. Assign trust to BAU processes by business justification:
   - IT-driven trust: trusted updater (e.g., SCCM, Chrome); trusted directory (e.g., \\gold_dir); trusted publisher (e.g., Mozilla); trusted user (e.g., help_desk)
   - Cloud-driven trust: threat intelligence; risk ratings; automatically approves reputable software
   - Permissions: role-based; user approval; IT approval; do not let run
Prioritize assets and processes by risk
DETECT
Controls: monitor and collect intelligence
Common security errors:
- Collecting without context or classification
- Not focusing on high-risk assets
- Not following the critical data
- Not taking your BAUs and building your monitoring strategy on the front end
Event collection: file modifications, file executions, registry modifications, cross-process events, network connections, a copy of every executed binary
Event collection feeds event behaviors, then event analytics, then policy enforcement
Watch and record everything, but follow the critical data
PROTECT
Controls: protection and access controls
Common security errors:
- Relying only on negative security
- Point-in-time defense strategies
- Inability to get to the root cause of an event
1. Capture events
2. Tag events
3. Analyze and prevent, building a data event risk profile
Result: attack prevented
RESPOND
Controls: threat mitigation and remediation
Common security errors:
- Sifting through large amounts of data to gather in-scope information
- Not assigning alerts to change-detection events
- Analyzing all change
1. Filter out irrelevant changes on the front end
2. Focus on authorized critical changes
3. Scope large amounts of data down to what is in scope
- Monitor log files for better audit and chain of custody
- Control and prove enforcement: user behavior, IOCs, unwanted changes
- Control change, access and privilege
Create a scorecard with a prioritized approach to close gaps in your data security policy
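The Identify, Detect and Respond slides above describe one pipeline: assign trust to BAU processes by business justification (trusted updater, trusted directory, trusted publisher, trusted user, do-not-run), record every endpoint event, and filter irrelevant changes on the front end so that alerts are raised only for unauthorized changes to critical data while authorized critical changes are kept as an audit trail. The block below is an added example of that triage logic written for this page; it is not Carbon Black product code or the presenter's. The event schema, the policy shape, and every host, user, path, publisher and address in the constructed sample stream are assumptions made for the example.

```python
"""Front-end triage of endpoint change events against a trust policy.
Added example for this page, not product code; all data is constructed."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str       # file_mod | registry_mod | cross_process | netconn | exec
    host: str
    user: str
    image: str      # process whose trust is judged (for exec: the binary launched)
    publisher: str  # code-signing publisher of that image, "" if unsigned
    target: str     # file, registry key, victim process, remote host:port,
                    # or (for exec) the parent process


@dataclass(frozen=True)
class Policy:
    critical_data: tuple        # globs over targets that hold critical data
    trusted_updaters: tuple     # image names that may change anything (e.g. SCCM)
    trusted_directories: tuple  # images launched from here are trusted (gold dir)
    trusted_publishers: tuple   # signers whose binaries are trusted
    trusted_users: tuple        # accounts whose changes are business-justified
    do_not_run: tuple           # image names that must never execute


def _norm(path):
    return path.lower().replace("/", "\\")


def _matches(value, patterns):
    v = _norm(value)
    return any(fnmatch.fnmatchcase(v, _norm(p)) for p in patterns)


def trust_source(ev, pol):
    """Assign trust to the acting image by business justification.
    The do-not-run list wins over every trust rule."""
    image = _norm(ev.image)
    name = image.rsplit("\\", 1)[-1]
    if name in {n.lower() for n in pol.do_not_run}:
        return "banned"
    if name in {n.lower() for n in pol.trusted_updaters}:
        return "trusted_updater"
    if any(image.startswith(_norm(d).rstrip("\\") + "\\") for d in pol.trusted_directories):
        return "trusted_directory"
    if ev.publisher and ev.publisher.lower() in {p.lower() for p in pol.trusted_publishers}:
        return "trusted_publisher"
    if ev.user.lower() in {u.lower() for u in pol.trusted_users}:
        return "trusted_user"
    return "untrusted"


def triage(events, pol):
    """Record every event, alert only on untrusted changes to critical data,
    keep trusted changes to critical data as an audit trail ('authorized'),
    and flag anything a banned image does for blocking."""
    buckets = {"block": [], "alert": [], "authorized": [], "recorded": []}
    for ev in events:
        trust = trust_source(ev, pol)
        critical = _matches(ev.target, pol.critical_data)
        if trust == "banned":
            buckets["block"].append(ev)
        elif critical and trust == "untrusted":
            buckets["alert"].append(ev)
        elif critical:
            buckets["authorized"].append(ev)
        else:
            buckets["recorded"].append(ev)
    return buckets


# Constructed policy: critical data lives under finance and the cardholder share,
# the Run key is a critical persistence point, and lsass.exe is a critical process.
POLICY = Policy(
    critical_data=(r"c:\finance\*", r"\\fileserv\cardholder\*",
                   r"hklm\software\microsoft\windows\currentversion\run*", r"*\lsass.exe"),
    trusted_updaters=("ccmexec.exe",),
    trusted_directories=(r"c:\gold_dir",),
    trusted_publishers=("Microsoft Corporation", "Mozilla Corporation"),
    trusted_users=("help_desk",),
    do_not_run=("keygen.exe",),
)

# Constructed event stream: a user opens mail, an unsigned dropper encrypts
# finance data, persists, beacons out and injects into lsass; SCCM and the help
# desk make justified changes; a banned tool is launched; a gold-dir tool runs.
SAMPLE_EVENTS = (
    Event("exec", "ws01", "alice", r"c:\program files\outlook.exe", "Microsoft Corporation", r"c:\windows\explorer.exe"),
    Event("file_mod", "ws01", "alice", r"c:\program files\winword.exe", "Microsoft Corporation", r"c:\users\alice\documents\notes.docx"),
    Event("file_mod", "ws01", "alice", r"c:\users\alice\appdata\local\temp\upd8r.exe", "", r"c:\finance\q3-ledger.xlsx"),
    Event("registry_mod", "ws01", "alice", r"c:\users\alice\appdata\local\temp\upd8r.exe", "", r"hklm\software\microsoft\windows\currentversion\run\upd8r"),
    Event("netconn", "ws01", "alice", r"c:\users\alice\appdata\local\temp\upd8r.exe", "", "203.0.113.7:443"),
    Event("cross_process", "ws01", "alice", r"c:\users\alice\appdata\local\temp\upd8r.exe", "", r"c:\windows\system32\lsass.exe"),
    Event("registry_mod", "ws01", "SYSTEM", r"c:\windows\ccm\ccmexec.exe", "Microsoft Corporation", r"hklm\software\microsoft\windows\currentversion\run\agent"),
    Event("file_mod", "ws01", "help_desk", r"c:\tools\fixit.exe", "", r"c:\finance\readme.txt"),
    Event("exec", "ws01", "alice", r"c:\users\alice\downloads\keygen.exe", "", r"c:\windows\explorer.exe"),
    Event("exec", "ws01", "alice", r"c:\gold_dir\putty.exe", "", r"c:\windows\explorer.exe"),
)

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, POLICY)
    for bucket, events in result.items():
        print(f"{bucket:10s} {len(events)}")
    for ev in result["alert"]:
        print(f"ALERT {ev.host} {ev.user} {ev.kind} {ev.image} -> {ev.target}")
```

Running the block prints three alerts, all from the unsigned dropper touching finance data, the Run key and lsass.exe; its outbound connection and the two Office events are recorded but not alerted, the SCCM and help_desk changes land in the audit trail, and the keygen execution is flagged for blocking. The ordering inside trust_source matters: the do-not-run list is checked before any trust rule so that a banned binary cannot be laundered through a trusted directory or a trusted user account.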
RECOVER
Controls: assess risk and close gaps
Across the kill chain (Phase 1 Preparation: Recon, Weaponize; Phase 2 Active breach: Deliver, Exploit, Install, Command & Control, Action(s) on target; Phase 3 Response/fallout):
- Conform assets
- Protect data integrity
- Proactively monitor critical systems
- Threat mitigation
- Enforce security and compliance policy
Close the gaps
CYBER SECURITY SCORECARD
Merge: a paradigm shift to close the security gap. Measure across the cyber kill chain:
- Enforce policy throughout the kill chain
- Continuously mitigate threats
- Monitor assets based on policy
- Combine positive and negative security to detect threats
- Assign trust rating and policy
- Emphasize the data
- Classify assets by BAUs
TECHNICAL CONTROL SOLUTION FRAMEWORK
[Maturity curve over time, two tracks]
Security assurance maturity:
- File and network integrity monitoring and control
- Anti-malware
- Positive and negative security
- Forensics and IR technologies
- Penetration testing
- Vulnerability analysis
- Attack simulation
Security compliance maturity:
- Enforce framework or regulatory policy
- Remediate deltas
- Classification
- Targeting gaps
- Introduction with framework
DOCUMENTING YOUR CYBER RISK TOLERANCE
Articulate organization data security risks:
Cyber risk | Impact | Tolerance | Action
Loss of customer data | Business reputation | Very low | Prioritize and fix
Loss of IP | Competitive edge | None | Fix immediately
Loss of business continuity | Profitability targets | Very low | Prioritize and fix
Web defacement / denial of service | Customer experience | Acceptable with sr. mgmt. approval | Review and prioritize
Loss of data integrity | Internal apps and data | None | Fix immediately
RISK MATURITY MATRIX
IT OPERATIONS AND SECURITY MATURITY SCORECARD EXAMPLE (ISO)
Each ISO control area is scored 0 to 5:
ISO control | 0 | 1 | 2 | 3 | 4 | 5
Risk management
Policy
Organization
Asset management
Communications / operations
Access control
Threat protection and development
Incident management
Business continuity
Legend: 0 Non-existent; 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimized
MINIMIZE GDPR RISK: FOCUS ON QUICK WINS
GDPR concentration area | Purpose
Understand your data | Data process clarity
Monitor and control data access | Continuous assessment and audit of data and systems
Assess data security controls | Detection, reporting and investigation of a personal or corporate data incident
Implement data protection impact assessments | Enact privacy impact assessments guided against policy
www.carbonblack.com