Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS


Slide 1: Surprisingly Successful: What Really Works in Cyber Defense (John Pescatore, SANS)

Slide 2: Largest Breach Ever

Slide 3: The Business Impact Equation
All CEOs know stuff happens, in business and in security. The goal is to reduce the impact to the bottom line:
Impact = %Successful attacks x (Downtime/Breach costs + Response/Cleanup) + Cyber Defense Friction
Prevent more, detect faster, resolve sooner.
The biggest lever is reducing the number of damage-causing attacks that do succeed. There are a lot of security teams out there doing just that. Many of the success stories don't involve asking for new cybersecurity budget.

Slide 4: More waterproofing, less damage

Slide 5: Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises

Slide 6: Control Weaknesses Vary By Industry (Source: Verizon Data Breach Investigation Report)

Slide 7: There Are a Lot of Overcome Obstacles Out There
Increase effectiveness and efficiency:
Avoid more vulnerabilities
Block more attacks
Detect incidents more quickly
Free up budget to deal with emerging threats

Slide 8: Problem: Malware leading to breaches, but more frequently to expensive PC reimaging
Solutions that work:
Lockdown
Network-based Advanced Threat Detection
Privilege Management/Whitelisting
Endpoint Intrusion Prevention/Containment

Slide 9: [Chart: Malware vs. Top 4 Critical Controls. Y axis: % of files processed (0 to 100). X axis: cumulative security mitigation: None, Application Whitelisting, Least Priv User Access, OS Patching, Application Patching. Series: Successful Exploitation, Successful Execution.]

Slide 10: Advanced Threat Detection
Problem: Typical university environment meant distributed management of desktops, lots of BYOD, and a high rate of malware being found on PCs.
Solution: Network-based Advanced Threat Detection appliances (FireEye) at the Internet ingress point.
Results: Intrusion detection rate increased 46%. Incident rate (requiring corrective action) decreased 35%.

Slide 11: Better Endpoint Security
Problem: Financial services firm found traditional anti-virus was not able to address advanced targeted threats.
Solution: Host-based security (Invincea) on Windows PCs.
Results: Baseline average was reimaging 4 PCs per week. After deployment, reimaging 1 PC every 3 months. Look at cheaper/free AV in the future?

Slide 12: Problem: Reducing Vulnerabilities
Solutions that work:
Spend less on the easy parts
Innovative application testing approaches
Mature and secure Software Development Lifecycle

Slide 13: Reduce Cost of Vulnerability Scanning
Problem: Healthcare services firm was at the renewal point for its vulnerability scanning solution.
Solution: Switched to Tenable Nessus/System Center.
Results: Reduced spending by 75%. Able to use the savings to increase frequency and coverage of scanning.

Slide 14: More Effective Identification of Application Vulnerabilities
Problem: Reduce vulnerabilities in revenue-bearing applications.
Solution: Switched from a consulting engagement to a managed crowdsourced bug bounty approach (Bugcrowd).
Results: Same spending resulted in a 10x increase in vulnerabilities discovered. Testers increased from 2-3 to 63. Higher quality, more developer-friendly vulnerability information reduced time to fix vulnerabilities.

Slide 15: Reduce Cost and Risk of Corporate Applications
Problem: Healthcare company needs to reduce threat exposure and bug fix costs across all corporate applications.
Solution: Participated in the Building Security In Maturity Model (Cigital) to reduce vulnerabilities in corporate apps.
Results: Defect density decreased by 92% for high/moderate vulnerabilities. Apps using the secure library increased each month. Threat modeling approach reduced resource time from 40 hours to 2. Overall SDLC productivity increase of 15% estimated.

Slide 16: Reduce Cost and Risk of Firewall Rule Changes
Problem: Electronic trading environment includes 40,000 firewall rules with 5,000 added annually. Two FW admins could not keep up with change requests, and the error rate was high.
Solution: AlgoSec Security Policy Management Suite.
Results: Use of the tools reduced FW rule change evaluation/approval/documentation/implementation from 1 person-month to 1 person-day. Also reduced the error rate and the time spent demonstrating compliance to auditors.

Slide 17: A Few Others
DNS sinkholing: OpenDNS and others, for an essentially free added layer of phishing/drive-by protection.
Load balancer/CDN filtering: web application firewalling without having to buy/administer another product.
SOC tools and services: skills first, but hunting automation and playbook-as-a-service offerings are out there as staff augmentation/force multipliers.
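The DNS sinkholing layer mentioned on this slide, as an added example that is not from the presentation: the decision a sinkholing resolver makes per query, plus the hit log that turns the control into a detection source. The blocklist names, the sinkhole address and the client addresses are constructed assumptions.

```python
"""DNS sinkhole decision logic: added example, not from the slides.

A query for a blocklisted name gets the sinkhole address, and the hit is
logged with the requesting client, which is how this layer also finds
infected hosts. Names and addresses below are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

SINKHOLE_IP = "10.255.255.1"  # assumed internal sinkhole listener (constructed)
# Constructed blocklist: an entry covers the name and every subdomain of it.
BLOCKLIST = {"bad-phish.example", "drive-by.example"}


@dataclass
class Sinkhole:
    blocklist: set[str]
    sinkhole_ip: str = SINKHOLE_IP
    hits: list[tuple[str, str, str]] = field(default_factory=list)

    @staticmethod
    def _normalize(name: str) -> str:
        # DNS names are case-insensitive and may carry a trailing dot.
        return name.strip().rstrip(".").lower()

    def matches(self, qname: str) -> str | None:
        """Return the blocklist entry that covers qname, or None."""
        labels = self._normalize(qname).split(".")
        # Walk from the full name towards the apex so 'cdn.bad-phish.example'
        # is caught by 'bad-phish.example' while 'notbad-phish.example' is not.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocklist:
                return candidate
        return None

    def resolve(self, client_ip: str, qname: str, upstream_answer: str) -> str:
        """Answer to return: the real record, or the sinkhole for blocked names."""
        ipaddress.ip_address(client_ip)  # reject malformed client addresses
        entry = self.matches(qname)
        if entry is None:
            return upstream_answer
        # The hit log is the detection value: it names the host to clean up.
        self.hits.append((client_ip, self._normalize(qname), entry))
        return self.sinkhole_ip

    def hosts_needing_cleanup(self) -> list[str]:
        """Distinct clients that asked for a blocked name, for the SOC queue."""
        return sorted({client for client, _, _ in self.hits})
```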

Slide 19: Action Steps
Is a major transition coming? Windows migration, move to SaaS, etc.
Re-org, merger/acquisition
Did one of your peers get breached?
Security product refresh coming up?
Is it time for an audit or penetration test?

Slide 20: Choose Where to Start
Think like a shareholder
Think like an attacker
Think like a realist
Choose a framework: Critical Security Controls; PCI Prioritization Guidelines; UK Cyber Essentials; NIST/EO

Slide 21: Resources
SANS What Works - http://www.sans.org/critical-securitycontrols/case-studies
Critical Security Controls - http://www.counciloncybersecurity.org/critical-controls/
PCI Prioritization Guidelines - https://www.pcisecuritystandards.org/security_standards/prioritized.php
NSA Top Ten - https://www.nsa.gov/ia/_files/factsheets/i43v_slick_sheets/slicksheet_top10iamitigationstrategies_web.pdf

Slide 22: Delivering Security Efficiency and Effectiveness
Efficiency:
Decrease the cost of dealing with known threats
Decrease the impact of residual risks
Decrease the cost of demonstrating compliance
Reduce business damage due to security failures
Maintain the level of protection with less EBITDA impact
Effectiveness:
Increase the speed of dealing with a new threat or technology
Decrease the time required to secure a new business application, partner or supplier
Reduce incident cost: less downtime, fewer customer defections
Security as a competitive business factor

Slide 23: Cyber-security Technology / Tools (Source: University of Massachusetts)
People & Devices: Identity & Access Management; Endpoint Security.
External vulnerabilities and external threats (Boundary Defense):
External vulnerability scanning: systems and networks vulnerable to external attacks; identify missing patches or system misconfigurations.
External threat mitigation (Intrusion Detection System): actively block threats from the Internet; includes DDoS mitigation, content filtering, suspicious traffic.
Network firewall policy analysis: separate the trusted network from the untrusted Internet; reports produced for high-risk firewall policies.
Web Application Firewalls: focus on application-level threats (OWASP Top 10); mitigate known attack vectors.
DMZ for web-facing applications: semi-trusted security zone for controlled access; separate security zones for isolating applications.
Web Content Filtering: continuous website monitoring for malicious code; web reputation and blocking of access to suspicious websites.
Internal vulnerabilities, sensitive data and internal threats:
Internal vulnerability scanning: systems and networks vulnerable to internal attacks; identify missing patches or system misconfigurations.
Internal PII scanning: scan for sensitive data on desktops/laptops and share drives; discover sensitive data on websites, databases and e-mail.
Network Access Control (NAC): validates devices based on MAC filtering; ensures a device is patched and secure before allowing access.
Asset & configuration management: continuous management of university assets and configurations. Assets: servers, desktops/laptops, networks. Configuration: university standard configurations.
Security Event Management (SIEM): continuous monitoring/alerting for internal threats; alert for privileged user account creation and deletion; alert for log-on failures and account lockouts.
Data center security: database security technologies.
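The two SIEM alert rules in the list above (privileged account creation and deletion, log-on failures and lockouts), as an added example that is not from the presentation or the university's deployment: a small rule engine run over constructed security-log lines. The event IDs are the standard Windows Security log IDs; the log lines, host addresses and account names are constructed.

```python
"""Account-monitoring alerts over sample log events: added example, not from
the slides. Implements the SIEM rules listed above (privileged account
creation/deletion, logon failures and lockouts). Event IDs are standard
Windows Security log IDs; log lines, hosts and accounts are constructed."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_CREATED, ACCOUNT_DELETED = 4720, 4726   # Windows Security event IDs
LOGON_FAILURE, ACCOUNT_LOCKOUT = 4625, 4740
ADDED_TO_PRIV_GROUP = 4728  # member added to a security-enabled global group

# Constructed sample log: timestamp|event_id|target_account|actor_or_source
SAMPLE_LOG = """\
2016-06-23T08:00:01|4720|svc-backup|admin.jdoe
2016-06-23T08:00:05|4728|svc-backup|admin.jdoe
2016-06-23T08:01:00|4625|kmiller|10.10.4.22
2016-06-23T08:01:03|4625|kmiller|10.10.4.22
2016-06-23T08:01:06|4625|kmiller|10.10.4.22
2016-06-23T08:01:15|4740|kmiller|10.10.4.22
2016-06-23T09:30:00|4726|svc-backup|admin.jdoe
"""

FAILURE_THRESHOLD = 3                  # failed logons per account ...
FAILURE_WINDOW = timedelta(minutes=2)  # ... within this sliding window


def parse(log: str):
    """Yield (timestamp, event_id, target, actor) per log line."""
    for line in log.splitlines():
        ts, eid, target, actor = line.split("|")
        yield datetime.fromisoformat(ts), int(eid), target, actor


def account_alerts(log: str) -> list[str]:
    alerts: list[str] = []
    failures: dict[str, list[datetime]] = defaultdict(list)
    lifecycle = {ACCOUNT_CREATED: "created", ACCOUNT_DELETED: "deleted",
                 ADDED_TO_PRIV_GROUP: "added to privileged group"}
    for ts, eid, target, actor in parse(log):
        if eid in lifecycle:
            # Every create/grant/delete is alerted: a short-lived admin account is a classic intruder footprint.
            alerts.append(f"ACCOUNT {lifecycle[eid]}: {target} by {actor} at {ts:%H:%M:%S}")
        elif eid == LOGON_FAILURE:
            # Keep only failures inside the window, then fire once at the threshold.
            failures[target] = [t for t in failures[target] + [ts] if ts - t <= FAILURE_WINDOW]
            if len(failures[target]) == FAILURE_THRESHOLD:
                alerts.append(f"BRUTE-FORCE suspected: {target} from {actor}")
        elif eid == ACCOUNT_LOCKOUT:
            alerts.append(f"LOCKOUT: {target} (source {actor})")
    return alerts
```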


Slide 25: Continuous Processes
Drivers: Threats, Regulations, Requirements, OTT Dictates
Cycle stages: Monitor/Report, Policy, Assess Risk, Shield, Eliminate Root Cause, Mitigate
Tools and activities: SIEM, Security Analytics, Incident Response, Discovery/Inventory, Vuln Assessment/Pen Test, Baseline Security Configuration, FW/IPS, Anti-malware, NAC, Software Vuln Test, Training, Network Arch, Privilege Mgmt, Patch Management, Config Management, Change Management

Slide 26: Critical Security Controls Cyber Defense Life Cycle
Life cycle phases: Resource Hardening; Privilege and Access Management; Attack detection/mitigation; Compromise detection, response, recovery and reporting.
Hardware and Software Inventory: CSC1 & CSC2
Admin Privileges: CSC12
Malware Defenses: CSC5
Data Recovery: CSC8
Controlled Access: CSC15
Boundary Defense: CSC13
Audit: CSC14
Secure Configurations: CSC3, CSC7, CSC10 & CSC11
Account Monitoring: CSC16
Data Protection: CSC17
Vulnerability Assessment & Application Security: CSC4 & CSC6
Incident Response: CSC18
People and Processes: the Critical Security Controls include a number of security areas which focus on people and processes and are applicable across the entire life cycle: CSC9 Security Skills Assessment and Training; CSC19 Secure Network Engineering; CSC20 Penetration Testing and Red Team Exercises.