EMERGING THREATS & STRATEGIES FOR DEFENSE Paul Fletcher Cyber Security Evangelist @_PaulFletcher
[Chart: Threats by Customer Environment, comparing the share of incidents in Cloud Environment versus On Premise Environment across application attack, brute force, suspicious activity, recon, trojan activity, denial-of-service and other. Source: Alert Logic CSR 2015]
[Chart: Threats by Customer Industry Vertical, stacked percentage (0-100%) per vertical across Suspicious Activity, Recon, DoS, Brute Force and Application Attack. Source: Alert Logic CSR 2015]
Global Analysis
Internet of Things: Planes, Trains and Automobiles
Internet of Things: Keyfobs and Garage Doors
Latest Activity: Darkode taken down on July 15, 2015; arrests made in 20 countries. Despite coordinated law enforcement efforts, botnet takedowns are more effective.
HOW DO WE DEFEND AGAINST THESE ATTACKS?
Security Architecture (diagram). Layers shown: Network, Server/App, Host, Central Storage. Controls shown: Firewall/ACL, Intrusion Detection, Deep Packet Forensics, Netflow Analysis, NAC, DDoS, Vulnerability Scanner, Log Mgmt, SDLC, Patch Mgmt, Mail/Web Filter, Scanner, Backup, Anti-Virus, Encryption (GPG/PGP), FIM, Anti-Malware, IAM.
Data Correlation is the Key
Enterprise Cyber Security Teams
24x7 Security Operations Center and Intelligence: monitor intrusion detection and vulnerability scan activity; escalate incidents and provide guidance to the response team to quickly mitigate incidents; search for industry trends and deliver intelligence on lost or stolen data; identify and implement required policy changes; cross-product correlate data sources to find anomalies; monitor for zero-day and new and emerging attacks; collect data from OSINT and underground sources to deliver intelligence and content.
SECURITY BEST PRACTICES
10 Best Practices of Cloud Security: 1. Secure your code. 2. Create access management policies. 3. Data classification. 4. Adopt a patch management approach. 5. Review logs regularly. 6. Build a security toolkit. 7. Stay informed of the latest vulnerabilities that may affect you. 8. Understand your cloud service provider's security model. 9. Understand the shared security responsibility. 10. Know your adversaries.
1. Secure Your Code: test inputs that are open to the Internet; add delays to your code to confuse bots; use encryption when you can; test libraries; scan plugins; scan your code after every update; limit privileges; stay informed.
2. Create Access Management Policies: identify data and infrastructure that require access; define roles and responsibilities; simplify access controls (KISS); continually audit access; start with a least-privilege access model.
3. Data Classification: identify data repositories and mobile backups; identify classification levels and requirements; analyze data to determine classification; build the access management policy around classification; monitor file modifications and users.
4. Adopt a Patch Management Approach: inventory all production systems; devise a plan for standardization, if possible; compare reported vulnerabilities to production infrastructure; classify the risk based on vulnerability and likelihood; test patches before you release into production; set up a regular patching schedule; keep informed, follow Bugtraq; follow an SDLC.
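The "monitor file modifications and users" step above (and the FIM entry in the security toolkit later in the deck) is what a file integrity monitor does: record a baseline of content hash, mode and owner for each file, then diff a fresh snapshot against it. The following is an added example, not code from the original slides; the directory tree and the tampering it detects are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Record (sha256, mode, owner uid) for every regular file under root, keyed by
    POSIX-style relative path, so content, permission and ownership changes all show."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            baseline[p.relative_to(root).as_posix()] = (digest, st.st_mode, st.st_uid)
    return baseline


def diff_baseline(old, new):
    """Compare two baselines and return what a FIM alert should carry."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo():
    """Run the check against a constructed tree with simulated post-baseline changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(root)
        # Simulated changes: a config weakened, an unexpected file added, a binary removed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("constructed cron entry\n")
        (root / "bin" / "ls").unlink()
        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be stored off-host and signed, and the diff run on a schedule or from inotify events rather than from a demo function.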
5. Importance of Log Management and Review: monitoring for malicious activity; forensic investigations; compliance needs; system performance. All sources of log data are collected; data types (Windows, Syslog); review process; live monitoring; correlation logic.
6. Build a Security Toolkit. Recommended security solutions: antivirus; IP tables/firewall; backups; FIM; intrusion detection system; malware detection; web application firewalls; forensic image of hardware remotely. Future: deep packet forensics; web filters; mail filters; encryption solutions; proxies; log collection; SIEM; monitoring and escalation; penetration testing.
7. Stay Informed of the Latest Vulnerabilities. Websites to follow: http://www.securityfocus.com, http://www.exploit-db.com, http://seclists.org/fulldisclosure/, http://www.securitybloggersnetwork.com/, http://cve.mitre.org/, http://nvd.nist.gov/, https://www.alertlogic.com/weekly-threat-report/
8. Understand Your Service Provider's Security Model: understand the security offerings from your provider; probe into the security vendors to find their prime service; hypervisor; example questions to use when evaluating cloud service providers.
9. Service Provider & Customer Responsibility Summary. Customer responsibility: Apps: secure coding and best practices, software and virtual patching, configuration management, access management, application-level attack monitoring. Hosts: access management, patch management, configuration hardening, security monitoring, log analysis. Networks: logical network segmentation, perimeter security services, network threat detection, security monitoring. Cloud service provider responsibility: Hosts: hardened hypervisor, system image library, root access for customer. Networks: external DDoS, spoofing and scanning prevented. Provider services: compute, storage, DB, network.
10. Understand your Adversaries
To Follow our Research. Twitter: @AlertLogic, @StephenCoty, @_PaulFletcher. Blog: https://www.alertlogic.com/resources/blog. Newsletter: https://www.alertlogic.com/weekly-threat-report/. Cloud Security Report: https://www.alertlogic.com/resources/cloud-security-report/. Zero Day Magazine: http://www.alertlogic.com/zerodaymagazine/
Thank you.