Surprisingly Successful: What Really Works in Cyber Defense
John Pescatore, SANS
Largest Breach Ever
The Business Impact Equation
- All CEOs know stuff happens, in business and in security. The goal is to reduce the impact to the bottom line:
  Impact = (% successful attacks) x (downtime/breach costs + response/cleanup costs) + cyber defense friction (the drag the controls themselves put on the business)
- Prevent more, detect faster, resolve sooner. The biggest lever is reducing the number of damage-causing attacks that do succeed, because that percentage multiplies every cost that follows it.
- There are a lot of security teams out there doing just that, and many of the success stories don't involve asking for new cybersecurity budget.
More waterproofing, less damage
Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
Control Weaknesses Vary By Industry
[Chart. Source: Verizon Data Breach Investigations Report]
There Are a Lot of Overcome Obstacles Out There
Increase effectiveness and efficiency:
- Avoid more vulnerabilities
- Block more attacks
- Detect incidents more quickly
- Free up budget to deal with emerging threats
Malware
Problem: Malware leading to breaches, but more frequently to expensive PC reimaging.
Solutions that work:
- Lockdown
- Network-based advanced threat detection
- Privilege management / whitelisting
- Endpoint intrusion prevention / containment
[Chart: Malware vs. Top 4 Critical Controls. Y axis: % of files processed (0-100). X axis, cumulative security mitigation: None, Application Whitelisting, Least Privilege User Access, OS Patching, Application Patching. Two series: Successful Exploitation and Successful Execution.]
Advanced Threat Detection
Problem: Typical university environment meant distributed management of desktops, lots of BYOD, and a high rate of malware being found on PCs.
Solution: Network-based advanced threat detection appliances (FireEye) at the Internet ingress point.
Results:
- Intrusion detection rate increased 46%
- Incident rate (requiring corrective action) decreased 35%
Better Endpoint Security
Problem: Financial services firm found traditional anti-virus was not able to address advanced targeted threats.
Solution: Host-based security (Invincea) on Windows PCs.
Results:
- Baseline average was reimaging 4 PCs per week
- After deployment, reimaging 1 PC every 3 months
- Look at cheaper/free AV in the future?
Reducing Vulnerabilities
Solutions that work:
- Spend less on the easy parts
- Innovative application testing approaches
- Mature and secure software development lifecycle
Reduce Cost of Vulnerability Scanning
Problem: Healthcare services firm was at the renewal point for its vulnerability scanning solution.
Solution: Switched to Tenable Nessus / System Center.
Results:
- Reduced spending by 75%
- Able to use the savings to increase frequency and coverage of scanning
More Effective Identification of Application Vulnerabilities
Problem: Reduce vulnerabilities in revenue-bearing applications.
Solution: Switched from a consulting engagement to a managed crowdsourced bug bounty approach (Bugcrowd).
Results:
- Same spending resulted in a 10x increase in vulnerabilities discovered
- Testers increased from 2-3 to 63
- Higher quality, more developer-friendly vulnerability information reduced time to fix vulnerabilities
Reduce Cost and Risk of Corporate Applications
Problem: Healthcare company needs to reduce threat exposure and bug-fix costs across all corporate applications.
Solution: Participated in the Building Security In Maturity Model (Cigital) to reduce vulnerabilities in corporate apps.
Results:
- Defect density decreased by 92% for high/moderate vulnerabilities
- Apps using the secure library increased each month
- Threat modeling approach reduced resource time from 40 hours to 2
- Overall SDLC productivity increase of 15% estimated
Reduce Cost and Risk of Firewall Rule Changes
Problem: Electronic trading environment includes 40,000 firewall rules, with 5,000 added annually. Two firewall admins could not keep up with change requests; high error rate.
Solution: AlgoSec Security Policy Management Suite.
Results:
- Use of the tools reduced firewall rule change evaluation/approval/documentation/implementation from 1 person-month to 1 person-day
- Also reduced the error rate and reduced the time spent demonstrating compliance to auditors
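The error rate in that case comes from a rule base too large to reason about by hand: in a first-match rule base, a new allow rule appended below a broader deny never fires, so the change is "implemented" and the requester is still blocked. The following is an added example written for this page (not AlgoSec's or any vendor's code) that finds shadowed and redundant rules in an ordered rule base and runs the same check against a change request before it is implemented. The rule representation and the sample rules are constructed.

```python
"""Shadowed and redundant rule detection for an ordered, first-match firewall rule base.

Added example for this page; it is not AlgoSec's or any vendor's code. The rule
fields and the sample rule base are constructed to illustrate the checks."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: str                # IPv4 CIDR
    dst: str                # IPv4 CIDR
    proto: str              # "tcp", "udp" or "any"
    ports: tuple[int, int]  # inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and ports_ok


def analyze(rules: list[Rule]) -> dict[str, str]:
    """Map each rule that can never fire to the earlier rule that pre-empts it.

    'shadowed by X': X has the opposite action, so the later rule's intent is
    silently not enforced (the dangerous case).
    'redundant with X': X has the same action, so the later rule is dead weight.
    Only single-rule coverage is checked; a rule hidden by the union of several
    earlier rules is not reported by this simple pass."""
    findings: dict[str, str] = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant with" if earlier.action == later.action else "shadowed by"
                findings[later.name] = f"{kind} {earlier.name}"
                break
    return findings


def check_request(rules: list[Rule], requested: Rule) -> str | None:
    """Pre-implementation check for a change request: would the new rule,
    appended at the end of the rule base, ever match anything?"""
    return analyze(rules + [requested]).get(requested.name)


# Constructed rule base, first match wins.
RULES = [
    Rule("r1-allow-web", "allow", "0.0.0.0/0", "10.1.0.0/24", "tcp", (443, 443)),
    Rule("r2-deny-tradenet", "deny", "192.168.0.0/16", "10.2.0.0/16", "any", (0, 65535)),
    Rule("r3-allow-fix", "allow", "192.168.5.0/24", "10.2.10.0/24", "tcp", (9878, 9878)),
    Rule("r4-allow-https", "allow", "203.0.113.0/24", "10.1.0.0/24", "tcp", (443, 443)),
    Rule("r5-allow-ssh", "allow", "10.9.0.0/24", "10.2.10.0/24", "tcp", (22, 22)),
]

if __name__ == "__main__":
    for name, finding in analyze(RULES).items():
        print(f"{name}: {finding}")
    req = Rule("cr-1042", "allow", "192.168.7.0/24", "10.2.20.0/24", "tcp", (8443, 8443))
    print("change request cr-1042:", check_request(RULES, req) or "would take effect")
```

On the sample rule base, r3 is shadowed by the broad deny above it (the change request that created it never took effect) and r4 is redundant with r1; the hypothetical request cr-1042 would be shadowed the same way, which is the kind of finding that belongs in the approval step rather than in a post-incident review. Real tooling also handles the union case, rule hit counts and objects/groups, which this pass deliberately leaves out.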
A Few Others
- DNS sinkholing: OpenDNS and others, for an essentially free added layer of phishing / drive-by protection
- Load balancer / CDN filtering: web application firewalling without having to buy and administer another product
- SOC tools and services: skills first, but hunting automation and playbook-as-a-service offerings are out there as staff augmentation / force multipliers
Action Steps
- Is a major transition coming? Windows migration, move to SaaS, etc.; re-org, merger/acquisition
- Did one of your peers get breached?
- Security product refresh coming up?
- Is it time for an audit or penetration test?
Choose Where to Start
- Think like a shareholder
- Think like an attacker
- Think like a realist
- Choose a framework: Critical Security Controls, PCI Prioritization Guidelines, UK Cyber Essentials, NIST/EO
Resources
- SANS What Works: http://www.sans.org/critical-security-controls/case-studies
- Critical Security Controls: http://www.counciloncybersecurity.org/critical-controls/
- PCI Prioritization Guidelines: https://www.pcisecuritystandards.org/security_standards/prioritized.php
- NSA Top Ten: https://www.nsa.gov/ia/_files/factsheets/i43v_slick_sheets/slicksheet_top10iamitigationstrategies_web.pdf
Delivering Security Efficiency and Effectiveness
Efficiency:
- Decrease the cost of dealing with known threats
- Decrease the impact of residual risks
- Decrease the cost of demonstrating compliance
- Reduce business damage due to security failures
- Maintain the level of protection with less EBITDA impact
Effectiveness:
- Increase the speed of dealing with a new threat or technology
- Decrease the time required to secure a new business application, partner, or supplier
- Reduce incident cost: less downtime, fewer customer defections
- Security as a competitive business factor
Cyber-security Technology / Tools (layered view; source: University of Massachusetts)

People & Endpoints
- Identity & Access Management
- Endpoint Security

External Vulnerabilities and External Threats (Internet-facing)
- External vulnerability scanning: systems and networks vulnerable to external attacks; identify missing patches or system misconfigurations
- External threat mitigation: actively block threats from the Internet; includes DDoS mitigation, content filtering, suspicious traffic; Intrusion Detection System
- Network firewall policy analysis: separate the trusted network from the untrusted Internet; reports produced for high-risk firewall policies

Boundary Defense (Firewall) and DMZ
- Web Application Firewalls: focus on application-level threats (OWASP Top 10); mitigate known attack vectors
- DMZ for web-facing applications: semi-trusted security zone for controlled access; separate security zones for isolating applications
- Web Content Filtering: continuous website monitoring for malicious code; web reputation and blocking of access to suspicious websites

Internal Vulnerabilities, Sensitive Data and Internal Threats
- Internal vulnerability scanning: systems and networks vulnerable to internal attacks; identify missing patches or system misconfigurations
- Internal PII scanning: scan for sensitive data on desktops/laptops and share drives; discover sensitive data on websites, databases, e-mail
- Network Access Control (NAC): validates devices based on MAC filtering; ensures a device is patched and secure before allowing access. (A MAC address is trivially spoofed, so the MAC check identifies a device rather than authenticating it; the posture check is the part that carries weight.)
- Asset & configuration management: continuous management of university assets (servers, desktops/laptops, networks) and configurations (university standard configurations)
- Patch management
- Security Event Management (SIEM): continuous monitoring / alerting for internal threats; alert for privileged user account creation and deletion; alert for log-on failures and account lockouts
- Data center security and database security technologies
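The SIEM alerts named on that slide (privileged account creation/deletion, log-on failures, lockouts) are simple enough to express directly, and doing so shows the two thresholds that make failure alerts useful: repeated failures for one account from one source, and a low count of failures spread across many accounts from one source, which a per-account threshold misses. The following is an added example written for this page (not University of Massachusetts or SIEM-vendor code). The event IDs are the standard Windows Security log IDs; the record layout and the sample records are constructed.

```python
"""Alerts from Windows Security log records: privileged-account changes, logon
failures and lockouts, as the UMass slide describes.

Added example for this page; not University of Massachusetts or SIEM-vendor code.
The event IDs are the standard Windows Security log IDs; the record layout and
the sample records are constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720        # A user account was created
ACCOUNT_DELETED = 4726        # A user account was deleted
LOGON_FAILED = 4625           # An account failed to log on
ACCOUNT_LOCKED = 4740         # A user account was locked out
ADDED_TO_GLOBAL_GROUP = 4728  # Member added to a security-enabled global group
ADDED_TO_LOCAL_GROUP = 4732   # Member added to a security-enabled local group

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
FAILURE_WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 5   # failures for one account from one source
SPRAY_THRESHOLD = 6     # distinct accounts failing from one source


def alerts_for(events: list[dict]) -> list[str]:
    """Single pass over records sorted by time; returns human-readable alerts."""
    alerts: list[str] = []
    per_account: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    per_source: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    fired_accounts: set[tuple[str, str]] = set()  # one alert per episode
    fired_sources: set[str] = set()

    for e in sorted(events, key=lambda r: r["time"]):
        t, eid, stamp = e["time"], e["id"], e["time"].strftime("%H:%M")
        if eid in (ACCOUNT_CREATED, ACCOUNT_DELETED):
            verb = "created" if eid == ACCOUNT_CREATED else "deleted"
            alerts.append(f"{stamp} ACCOUNT {verb}: {e['target']} by {e['subject']}")
        elif eid in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP) and e["group"] in PRIVILEGED_GROUPS:
            alerts.append(f"{stamp} PRIVILEGE: {e['target']} added to {e['group']} by {e['subject']}")
        elif eid == ACCOUNT_LOCKED:
            alerts.append(f"{stamp} LOCKOUT: {e['target']} (caller {e['caller']})")
        elif eid == LOGON_FAILED:
            # Sliding window per (account, source): brute force against one account.
            key = (e["target"], e["source"])
            hist = [x for x in per_account[key] if t - x <= FAILURE_WINDOW] + [t]
            per_account[key] = hist
            if len(hist) >= FAILURE_THRESHOLD and key not in fired_accounts:
                fired_accounts.add(key)
                alerts.append(f"{stamp} BRUTE FORCE: {len(hist)} failures for {e['target']} from {e['source']}")
            # Sliding window per source: many accounts, few failures each (password spray).
            recent = [x for x in per_source[e["source"]] if t - x[0] <= FAILURE_WINDOW] + [(t, e["target"])]
            per_source[e["source"]] = recent
            targets = {u for _, u in recent}
            if len(targets) >= SPRAY_THRESHOLD and e["source"] not in fired_sources:
                fired_sources.add(e["source"])
                alerts.append(f"{stamp} PASSWORD SPRAY: {len(targets)} accounts from {e['source']}")
    return alerts


def ev(minute: int, eid: int, **fields) -> dict:
    """Constructed record; real ones would come from the SIEM or an evtx parser."""
    return {"time": datetime(2015, 3, 2, 9, minute), "id": eid, **fields}


SAMPLE_EVENTS = (
    [ev(m, LOGON_FAILED, target="bob", source="10.0.0.5") for m in range(5)]
    + [ev(5, ACCOUNT_LOCKED, target="bob", caller="WS-0042")]
    + [ev(10 + i, LOGON_FAILED, target=u, source="198.51.100.7")
       for i, u in enumerate(["alice", "carol", "dave", "erin", "frank", "grace", "heidi"])]
    + [
        ev(20, ACCOUNT_CREATED, target="svc-backup2", subject="jdoe"),
        ev(21, ADDED_TO_GLOBAL_GROUP, target="svc-backup2", group="Domain Admins", subject="jdoe"),
        ev(22, ADDED_TO_LOCAL_GROUP, target="mallory", group="Remote Desktop Users", subject="jdoe"),
        ev(23, 4624, target="alice", source="10.0.0.9"),  # successful logon, not alerted on
    ]
)

if __name__ == "__main__":
    for line in alerts_for(SAMPLE_EVENTS):
        print(line)
```

The sample produces five alerts: the brute force against bob on the fifth failure, bob's lockout a minute later, the spray from 198.51.100.7 once six distinct accounts have failed (each account only failed once, so the per-account rule stays silent), and the create-then-promote pair for svc-backup2, which is the sequence worth a human look. Adding mallory to Remote Desktop Users is logged but not alerted, since only the groups in PRIVILEGED_GROUPS count.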
Continuous Processes (cycle diagram)
- Drivers: threats, regulations, requirements, OTT dictates
- Policy
- Monitor / Report: SIEM, security analytics, incident response
- Assess Risk: discovery/inventory, vulnerability assessment / pen test, baseline security configuration
- Shield: FW/IPS, anti-malware, NAC, software vulnerability testing, training, network architecture, privilege management
- Eliminate Root Cause / Mitigate: patch management, configuration management, change management
Critical Security Controls: Cyber Defense Life Cycle
- Resource hardening: Hardware and Software Inventory (CSC1 & CSC2); Secure Configurations (CSC3, CSC7, CSC10 & CSC11); Vulnerability Assessment & Application Security (CSC4 & CSC6)
- Privilege and access management: Admin Privileges (CSC12); Controlled Access (CSC15); Account Monitoring (CSC16)
- Attack detection/mitigation: Malware Defenses (CSC5); Boundary Defense (CSC13); Data Protection (CSC17)
- Compromise detection, response, recovery and reporting: Audit (CSC14); Data Recovery (CSC8); Incident Response (CSC18)
- People and processes: the Critical Security Controls include a number of areas which focus on people and processes and are applicable across the entire life cycle: CSC9 Security Skills Assessment and Training; CSC19 Secure Network Engineering; CSC20 Penetration Testing and Red Team Exercises