SESSION ID: SPO1-W12

CHARLES DARWIN, CYBERSECURITY VISIONARY

Dan Schiappa
SVP and GM, Products, Sophos
@dan_schiappa
"It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change."
Charles Darwin (1809-1882)
Evolution
State of the Art

SECURITY OPERATIONS CENTER
  Dashboard, Alerts, Management, Response, Logs, Reports
  Significant step up
  Requires analysts; resource intensive
  Manual analysis and response

SECURITY CONTROLS
  Install, configure, set and forget
  Firewall, Web, Wireless, Email, Server, Encryption, Mobile, Endpoint

RESOURCES AND ASSETS
  Users, Applications, Cloud Computing Instances, SaaS Applications, Devices, Data, Enterprise File Sharing
So Why Don't I Feel Safer?
You can't secure what you don't know is there.
You can't manage what you don't measure.
You can't fix what you don't know is broken.
Evolution by Natural Selection
Discovery: Something is moving
Identification: Is this a predator, food, or a friend?
Analyze: It could be predator or food depending on the situation
Response: Fight or flight
Evolution of Security
Discovery: Continuous discovery of devices, networks, apps, data, and workloads
Identification: Definition, collection, and organization
Analyze: Correlation and analysis of events and behaviors against the norm
Response: Automated creation and enforcement
Asset Discovery
Asset stack (per compute instance):
  Data
  Libraries
  Applications [Containers]
  Operating System [Hypervisor]
  Physical Device
Config Benchmarking (CIS, etc.), Config Database, Asset Database
Discovery: Agents, APIs, passive observation, and active interrogation
Classification: Asset class determined by attributes and activity
Evaluation: Data valuation and configuration states
Class-based, Programmable Event Models
ASSET CLASS: Notebooks, Servers, Mobile Devices, Domain Controllers, IoT Devices, EC2 instances, Docker Containers, etc.
EVENT MODEL (examples)

Mobile:
  { "device": "iPhone X", "name": "William Brown", "device_id": "S3817216BA", "chip": "A11 Bionic", "storage": "128MB", "osbuild": "15E218" },
  { "accelerometer": "37,23", "gps": "51.6725448,-1.2645493" }

Domain Controller:
  { "eventid": "4688", "desc": "New Process Created", "account": "administrator", "cmdline": "C:\temp\moosifer.bat" },
  { "eventid": "4768", "desc": "Kerberos TGT requested", "account": "alexs", "result": "0x12" }
Event Exchange
Events Producer -> Events Consumer
Optimization: Coalesce, Compress, Serialize
Privacy: Anonymize, Tokenize, Encrypt
Security: Authentication, Replay protection, DoS protection
Performance: Rate limiting, Prioritization, Queue management
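The event exchange slide lists the properties a producer-to-consumer channel needs. The following is an added illustration, not Sophos code or anything from the talk, of how those properties combine on one batch: the producer tokenizes account fields with a keyed hash, coalesces duplicate events, compresses and serializes the batch, and signs it; the consumer verifies the signature, rejects stale and replayed batches, and rate-limits arrivals. The keys, event fields and limits are constructed for the example.

```python
"""Event exchange pipeline (added example, not Sophos code): producer side
coalesces, compresses, serializes, tokenizes and signs; consumer side
authenticates, rejects replays and stale batches, and rate-limits."""
import hashlib
import hmac
import json
import zlib
from collections import deque

SHARED_KEY = b"demo-shared-key"   # constructed; one key per producer in practice
TOKEN_KEY = b"demo-token-key"     # constructed; keyed hash for pseudonymous account tokens
PII_FIELDS = {"account", "name"}  # assumed set of fields to tokenize


def tokenize(event):
    """Replace PII fields with a keyed hash: same user -> same token, identity not exposed."""
    out = dict(event)
    for field in PII_FIELDS & out.keys():
        digest = hmac.new(TOKEN_KEY, str(out[field]).encode(), hashlib.sha256).hexdigest()
        out[field] = "tok_" + digest[:16]
    return out


def coalesce(events):
    """Collapse consecutive events that differ only in timestamp into one with a count."""
    merged = []
    for ev in events:
        key = {k: v for k, v in ev.items() if k != "ts"}
        if merged and {k: v for k, v in merged[-1].items() if k not in ("ts", "count")} == key:
            merged[-1]["count"] += 1
        else:
            merged.append(dict(ev, count=1))
    return merged


def produce(events, seq, now):
    """Build one signed, compressed batch message. seq is a per-producer counter."""
    body = json.dumps(coalesce([tokenize(e) for e in events]), sort_keys=True).encode()
    payload = zlib.compress(body)
    header = json.dumps({"seq": seq, "ts": now}, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, header + payload, hashlib.sha256).hexdigest()
    return {"header": header, "payload": payload, "sig": sig}


class Consumer:
    def __init__(self, max_skew=60, max_per_window=5, window=1.0):
        self.seen_seq = set()   # replay cache; entries older than max_skew could be pruned
        self.max_skew = max_skew
        self.arrivals = deque()
        self.max_per_window = max_per_window
        self.window = window

    def consume(self, msg, now):
        """Return (status, events); status is ok, bad_sig, stale, replay or rate_limited."""
        expected = hmac.new(SHARED_KEY, msg["header"] + msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return "bad_sig", []            # authentication: unsigned or tampered batch
        header = json.loads(msg["header"])
        if abs(now - header["ts"]) > self.max_skew:
            return "stale", []              # replay protection: outside the time window
        if header["seq"] in self.seen_seq:
            return "replay", []             # replay protection: sequence already accepted
        while self.arrivals and now - self.arrivals[0] > self.window:
            self.arrivals.popleft()
        if len(self.arrivals) >= self.max_per_window:
            return "rate_limited", []       # DoS protection: too many batches in the window
        self.arrivals.append(now)
        self.seen_seq.add(header["seq"])
        return "ok", json.loads(zlib.decompress(msg["payload"]))
```

Because tokenization is a keyed hash rather than plain hashing, the consumer can still correlate events from one account across batches while someone without TOKEN_KEY cannot enumerate usernames and match them to tokens.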
SEAR: Sensors-Events-Analytics-Response
Sensors: Asset (Event Model); API (IaaS, SaaS, etc.)
Events: Event Stream
Analytics: Analytics API; Observations and Inferences
Response: Adaptive Response Agent; High Interaction Interfaces
Analytics
Inputs: Entity Models, Threat Intelligence, Identity, Security Marketplace
Analytics:
  Create mathematical models from events
  Continuously analyze against baseline
  Discover anomalies
High-Interaction Interfaces: Adaptively respond
Entity Modeling
Entity Models: Entity/Self, Entity/Peers, Entity/Enterprise, Entity/Universe
Model Construction: Users, compute instances; continuously updated
Modeled: Data volumes, URLs visited, IP session partners, File shares accessed, Processes started, Usage times and location
Detections: Outliers, Anomalies / Impossibilities
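As an added example (not Sophos code and not from the presentation), this scores one observation of a modeled attribute (here outbound data volume) against three of the slide's scopes, entity/self, entity/peers and entity/enterprise, and separately shows an impossibility detection over usage location. The user list, daily volumes, login coordinates, speed limit and threshold are all constructed; the median/MAD z-score is used instead of mean/standard deviation so the outlier does not distort its own baseline.

```python
"""Entity modelling (added example, not Sophos code): per-scope baselines
and outlier scoring, plus impossible-travel detection on login locations."""
import math
import statistics
from collections import defaultdict

# Constructed history: seven days of outbound volume (MB) per user, grouped by team.
USERS = {"alexs": "finance", "wbrown": "finance", "jdoe": "finance",
         "mlee": "eng", "rkim": "eng", "tnguyen": "eng"}
BASE_MB = {"alexs": 120, "wbrown": 150, "jdoe": 130,
           "mlee": 400, "rkim": 450, "tnguyen": 380}
OBSERVATIONS = [
    {"user": u, "group": g, "day": d, "mb_out": BASE_MB[u] + 10 * (d % 3)}
    for u, g in USERS.items() for d in range(1, 8)
]


def robust_z(value, sample):
    """Median/MAD z-score; robust to the outlier itself sitting in the sample."""
    if len(sample) < 3:
        return 0.0
    med = statistics.median(sample)
    mad = statistics.median(abs(x - med) for x in sample)
    if mad == 0:
        return 0.0 if value == med else math.inf
    return 0.6745 * (value - med) / mad


def build_baselines(observations, feature):
    """History of one feature by user (self), by group (peers) and overall (enterprise)."""
    self_b, peers_b, enterprise = defaultdict(list), defaultdict(list), []
    for o in observations:
        self_b[o["user"]].append(o[feature])
        peers_b[o["group"]].append(o[feature])
        enterprise.append(o[feature])
    return self_b, peers_b, enterprise


def score(obs, observations, feature="mb_out", threshold=3.5):
    """Return per-scope z-scores and the scopes in which obs is an outlier."""
    self_b, peers_b, enterprise = build_baselines(observations, feature)
    scores = {
        "self": robust_z(obs[feature], self_b[obs["user"]]),
        "peers": robust_z(obs[feature], peers_b[obs["group"]]),
        "enterprise": robust_z(obs[feature], enterprise),
    }
    return scores, [s for s, z in scores.items() if z > threshold]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=900.0):
    """Impossibility detection: consecutive logins by one user whose implied
    speed exceeds max_kmh (constructed limit). logins: (user, hour, lat, lon)."""
    by_user = defaultdict(list)
    for rec in sorted(logins, key=lambda r: r[1]):
        by_user[rec[0]].append(rec)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            hours = cur[1] - prev[1]
            kmh = math.inf if hours == 0 and km > 0 else (km / hours if hours else 0.0)
            if kmh > max_kmh:
                findings.append({"user": user, "km": round(km), "hours": hours,
                                 "kmh": kmh if kmh == math.inf else round(kmh)})
    return findings


# Constructed login records (user, hour of day, latitude, longitude).
LOGINS = [
    ("alexs", 9.0, 51.5074, -0.1278),    # London
    ("alexs", 9.5, 40.7128, -74.0060),   # New York, 30 minutes later
    ("mlee", 8.0, 37.7749, -122.4194),   # San Francisco
    ("mlee", 11.0, 34.0522, -118.2437),  # Los Angeles, 3 hours later
]
```

Scoring the same value at several scopes is what separates "unusual for this person" from "unusual for anyone here": a 9 GB day is an outlier for alexs, for the finance team and for the enterprise, whereas a number that is only odd relative to the user's own history may just be a role change.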
Threat Intelligence
Real-time and retrospective threat intelligence:
  Sophos Labs
  3rd party, supporting STIX and TAXII
  Vulnerability data
  Patch information
Identity and Continuous Authentication
Components: SaaS Application, Identity Provider, Two Factor, Push Auth Confirmation, Analytics
Authentication federation and MFA
Security attestations based on user/device health states
Support for SAML, OAuth, and OpenID standards
Support for push-auth
Conditional authentication (and de-authentication) based on representations in the Central Analytics platform
Security Marketplace
API Everywhere / External Data Access: 3rd parties can leverage data and events to develop complementary solutions (e.g. Dark Web analysis, training)
Security Marketplace / Data and Code Extensibility: Trusted vendors could extend asset classes and event models and deliver new agents (e.g. VA, patch)
Darwinian View of Security
Sensors: Asset (Event Model over Data, Libraries, Applications [Containers], Operating System [Hypervisor], Physical Device); API (IaaS, SaaS, etc.)
Events: Event Stream
Analytics: Analytics API; Entity Models, Threat Intelligence, Identity, Security Marketplace; Observations and Inferences
Response: Adaptive Response Agent; High Interaction Interfaces
Identity: Identity Provider; SaaS Application
Dynamic Policy Based on User Experience
1 Protection policies assigned to User Groups based on awareness
2 User awareness assessed via phishing simulations and training
3 Users dynamically assigned to Groups based on behavior
4 Users get new policy based on Group membership
Synchronized Security Use Case
Actors and systems: Hacker; Employee; Head of HR; MFA (2FA); Applications (CRM System, Productivity Suite, Designer Tools, Note Taking, Collaboration, etc.); Employee Data
Attack chain: Phishing email -> employee enters credentials -> credential compromise -> command and control -> install backdoor -> lateral movement -> crack password -> set up admin accounts -> login and search CRM system -> MFA device authentication accepted twice -> employee data
Detection points:
1 Employee entering credentials on a site with no reputation
2 Lateral movement to access Head of HR system
3 Privilege escalation on Head of HR system
4 Remote login to CRM system at the same time as Head of HR
5 Second factor authentication accepted twice
6 Multiple segmented downloads of employee database
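The use case names six points where the chain is observable. As an added example (not Sophos code and not part of the presentation), the rules below implement detection points 1, 4, 5 and 6 over a constructed event stream and then combine them per account into a synchronized response decision, mirroring the conditional de-authentication the identity slide describes. Event field names, the account names, the documentation-range IP addresses, the ".invalid" domain and the time windows are all assumptions made for the example.

```python
"""Correlation rules for the synchronized-security use case (added example,
not Sophos code). Each rule returns findings; findings for one account are
combined into an adaptive response decision."""
from collections import defaultdict

# Constructed event stream (timestamps in seconds). hr_head is the Head of HR account.
EVENTS = [
    {"ts": -3600, "type": "web_form_post", "account": "wbrown",
     "domain": "login-portal.invalid", "reputation": "unknown", "has_credentials": True},
    {"ts": 0, "type": "login", "account": "hr_head", "app": "CRM", "src_ip": "10.0.0.5"},
    {"ts": 60, "type": "login", "account": "hr_head", "app": "CRM", "src_ip": "203.0.113.7"},
    {"ts": 65, "type": "mfa", "account": "hr_head", "result": "accepted"},
    {"ts": 70, "type": "mfa", "account": "hr_head", "result": "accepted"},
] + [
    {"ts": 300 + 30 * i, "type": "download", "account": "hr_head", "app": "CRM",
     "resource": "employee_db", "bytes": 50_000_000} for i in range(4)
]


def by_account(events, etype):
    """Events of one type, grouped by account and ordered by time."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == etype:
            groups[e["account"]].append(e)
    return groups


def rule_no_reputation_credentials(events):
    """Detection point 1: credentials submitted to a site with no reputation."""
    return [{"rule": "credentials_to_unrated_site", "account": e["account"], "domain": e["domain"]}
            for e in events if e["type"] == "web_form_post" and e.get("has_credentials")
            and e.get("reputation") in (None, "unknown")]


def rule_concurrent_logins(events, window=300):
    """Detection point 4: one account in the same app from two sources within the window."""
    findings = []
    for account, logins in by_account(events, "login").items():
        for a, b in zip(logins, logins[1:]):
            if a["app"] == b["app"] and a["src_ip"] != b["src_ip"] and b["ts"] - a["ts"] <= window:
                findings.append({"rule": "concurrent_login", "account": account,
                                 "app": a["app"], "sources": [a["src_ip"], b["src_ip"]]})
    return findings


def rule_double_mfa_accept(events, window=120):
    """Detection point 5: second factor accepted twice within the window."""
    findings = []
    for account, mfas in by_account(events, "mfa").items():
        accepted = [m for m in mfas if m["result"] == "accepted"]
        if any(b["ts"] - a["ts"] <= window for a, b in zip(accepted, accepted[1:])):
            findings.append({"rule": "double_mfa_accept", "account": account})
    return findings


def rule_segmented_downloads(events, resource="employee_db", min_parts=3, window=600):
    """Detection point 6: the same account pulls a sensitive resource in several chunks."""
    findings = []
    for account, dls in by_account(events, "download").items():
        parts = [d for d in dls if d["resource"] == resource]
        for i, first in enumerate(parts):
            chunk = [d for d in parts[i:] if d["ts"] - first["ts"] <= window]
            if len(chunk) >= min_parts:
                findings.append({"rule": "segmented_download", "account": account,
                                 "parts": len(chunk), "bytes": sum(d["bytes"] for d in chunk)})
                break
    return findings


def correlate(events):
    """Combine findings per account and pick a response: several independent
    signals on one account justify revoking its sessions and isolating the host."""
    findings = (rule_no_reputation_credentials(events) + rule_concurrent_logins(events)
                + rule_double_mfa_accept(events) + rule_segmented_downloads(events))
    rules_by_account = defaultdict(set)
    for f in findings:
        rules_by_account[f["account"]].add(f["rule"])
    decisions = {}
    for account, rules in rules_by_account.items():
        if len(rules) >= 3:
            decisions[account] = "deauthenticate_and_isolate"
        elif len(rules) == 2:
            decisions[account] = "step_up_auth"
        else:
            decisions[account] = "alert"
    return findings, decisions
```

Each rule on its own produces alerts an analyst would have to triage by hand; the correlation step is where the slide's "automated creation and enforcement" comes in, because three rules firing on the same account within minutes is what turns an alert into a response.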
Darwinian Compliance Coverage
CIS Top 20
SANS Top 20
Apply What You Have Learned Today
Greatest survival benefit comes from adaptability.
Now: Analyze your existing environment.
  Do you know how many managed/unmanaged devices you have?
  Are you able to identify all the applications and users in your environment?
  How much of your environment is on-prem, hosted, or shadow IT?
  Know thyself.
Next month (post analysis): Define appropriate controls and changes for your environment. Look for automation, not just information: you'll never be able to hire enough analysts and admins.
In 6 months: Invest in systems which enable continuous discovery, threat scoring and adaptive response.
Thank You!