Building Resilience in a Digital Enterprise Prioritizing investments to manage risk from targeted threats

Transcription

1 Building Resilience in a Digital Enterprise Prioritizing investments to manage risk from targeted threats To be successful in business today, an enterprise must operate securely in the cyberdomain. We re in a period of unprecedented change where transformative technology is creating new opportunity for business innovation and new ways for cybercriminals or state actors to threaten the business. Building resilient digital services and safeguarding sensitive data are essential to establishing trust with the customers and maintaining business continuity. As such, improving business resilience against targeted and persistent cyberattacks should be an executive priority. The goal of this paper is to help business and security executives prioritize their cybersecurity investments to maximize their resilience and confidently move in new business directions. Challenges Every enterprise from big government and finance to small retail faces a number of challenges to manage the risk from targeted cyberthreats. The first challenge is attack speed and sophistication. A targeted attack has multiple stages and typically starts with passive reconnaissance of the company and employee to acquire information useful for social engineering of an internal user. The target user then receives a spear-phishing containing either a malicious link or a Trojan. By clicking on the link or opening the file, the attacker exploits vulnerabilities, typically in Adobe Flash, Microsoft Office, or Java, dropping unknown malware that is silently executed on the target computer. The attacker now has command and control of an internal system and a foothold in the organization. From this point, the attacker can use stolen administrator credentials or take advantage of weak internal boundaries to move around the network, locate valuable data, and then ex-filtrate it. This attack, which may have taken months of planning, usually takes just a short time to execute. This presents a serious challenge to security professionals, who have to prevent and respond within a very short window of opportunity. Unfortunately, breaches usually aren t discovered for weeks or months, as lack of continuous monitoring, compounded by an incomplete sensor grid and insufficient use of threat intelligence slows speed of response. The second challenge is operational security capacity. Enterprise security operations are faced with analyzing millions of security events, terabytes of network flows, and thousands of suspicious files to find evidence of a targeted threat. Often this analysis is manual or short-term, which greatly reduces the scope and speed of response.

2 The final challenge is business complexity. Organizations today are a complex mix of interconnected operating environments. This interconnectivity increases attack surface and creates cyber risk for the business. These operating environments house sensitive intellectual property, applications, and processes that, if lost or degraded, will have a serious impact on business continuity. Attackers understand that operating environments, such as manufacturing sites, tactical military networks, industrial systems, or point-of-sale devices, often lack fundamental cybersecurity controls and represent a potentially easier entry point into the business networks. Enterprise Security Architecture for Business Resilience Building a trusted environment, enabling business innovation, and tackling the challenges of targeted threats requires a new approach to enterprise security. For many years, most enterprises focused on prevention as the only means of cybersecurity. Organizations deployed a varied set of preventative technologies as the primary means of risk management, and compliance was the main driver for security investments. However, targeted, persistent threats, whether insider or external, are multifaceted problems, and a one-dimensional or check-box approach to security architecture only increases the risk to the business. Speed Agility Collaboration Business Resilience Vision/Strategy Culture Change Transformation Digital Enterprise Data Devices Servers Boundaries APIs Applications Business Objectives Digital Architecture Aligned to Enabling Built into Enterprise Security Architecture Force Requiring Enhanced with Powered by Security Building Blocks Security Components Anticipation Identification Prevention Detection Response Management Automation Integration Analytics Intelligence Figure 1. A model of a resilient security architecture. Building a resilient digital business requires an enterprise architecture approach to cybersecurity. What do we mean by this? It means cybersecurity shouldn t be treated as an afterthought or an inhibitor to business agility. It means that if security is to enable business innovation, it must be embedded in the enterprise architecture of the business and operate at the speed of business. Transforming enterprise security architecture to enable business resilience and innovation involves multiple pillars: balanced security capability building blocks powered by people, processes, and technologies enhanced by the force multipliers of intelligence, automation, analytics, and interoperability to optimize speed and built-into all digital business architecture components. Building Resilience in a Digital Enterprise 2

3 Security force multipliers are critical enabling elements to the enterprise security architecture. Moving security capability from a relatively static stage to one that moves at the speed of the business requires more automation of analysis tasks and integration of security technologies to enable faster security decisions. For example, to address some of the key challenges of speed and capacity, it is essential to fully integrate sensor technology at the endpoint or network with automated malware analysis capability and intelligence from multiple types of sources to reduce the time-to-protect or time-to-detect. Building Cyber Resilience against Targeted Threats Designing the enterprise security architecture with operational knowledge of targeted threat methods will help prioritize investments across each pillar to better manage the risk. According to the SANS Critical Security Controls, one of the key tenets of an effective cyberdefense program is Offense Informs Defense. Targeted threats designed to steal or destroy sensitive business data follow a common pattern. By understanding the adversaries methods, an enterprise CISO can prioritize investments in the right security architecture pillars to have the most impact on business risk reduction. The attack chain paints a more complete picture of adversary s methods by identifying pre- and post-exploit actions, rather than narrowly focusing on one aspect of the attack itself. With better alignment to real-world threat operations, the attack chain provides an excellent guide for security executives to focus on defense-in-depth controls and increase the value of security to the business. Stopping or detecting at or before this step eliminates the impact to the business Detecting and responding quickly after this step reduces the impact to the business WEAPONIZATION EXPLOIT ESCALATION IMPACT RECONNAISSANCE DELIVERY COMMUNICATION MOVEMENT STAGE ONE STAGE TWO STAGE THREE Figure 2. The stages of the attack chain. Awareness of adversary tactics and techniques offer the key insights necessary to prevent, detect, or respond faster and more effectively. Using this model, an enterprise should prioritize building security capability to prevent and detect adversary actions in Stage Two, commonly called the Infection Stage of the attack chain. Infection Stage Adversary Actions Delivery Exploit Communication Key Characteristics Socially engineered with malicious link or attachment. Download of malicious file or content. Vulnerability exploit in Adobe, Flash, Office, browsers. Installation of unknown malware. SQL injection. Command and control over DNS, HTTP, HTTP protocols. Remote access Trojan. Table 1. Adversary attack tactics and techniques. Building Resilience in a Digital Enterprise 3

4 This stage involves attack delivery, usually through a socially engineered with attachment or link to malicious web sites or SQL injection. The initial can be from actual compromised accounts to increase likelihood of success. Once executed, the malware has a high rate of success due to lack of comprehensive controls, data collection, and continuous monitoring. Despite these facts, the attacker is also most vulnerable at this stage because of the high rate of network and host activity required to complete infection. Prioritizing Cybersecurity Investments for Business Resilience The threat landscape has progressed such that every enterprise can be a target of a sophisticated cyberattack. Organizations must assume they will be targeted and hasten preparations prioritize their security investments. The following tables summarize the priority investment areas across each security building block, component or security multiplier that an enterprise should consider to better manage the risk of targeted threats. Anticipation The focus is on creating an always ready security culture and creating awareness across the user and executive population. Components and Develop a team to coordinate the collection, integration, and management of intelligence for cyberdefense. Create a threat profile for your industry, enterprise, and critical business applications to support security architecture investments and promote awareness. Obtain threat intelligence focused on your enterprise that may indicate an impending attack. Develop a culture of security through a structured awareness and training programs for the user population and executive staff. Identification The focus is on identifying critical business assets, finding vulnerabilities in business or user applications, and minimizing privileged accounts to minimize the attack surface and improve access management. Components and Identify, monitor, and control administrator accounts. Create a process to identify and assess the criticality of business assets (data, systems, applications). Create a process to continuously identify and monitor critical application vulnerabilities and privileged accounts. Acquire and deploy vulnerability assessment and asset identification technologies capable of passive and active interrogation of systems or applications. Acquire and deploy data labeling technology to automate identification and labeling of sensitive business data. Automate scanning and Integrate results into security monitoring and incident response processes. Building Resilience in a Digital Enterprise 4

5 Prevention This section is about prioritizing preventative controls to reduce the time to protect. The focus is on users, the Internet boundary, and endpoint device anti-malware controls enhanced with integrated analytics and intelligence to prevent an attacker from gaining an entry to, maintaining a foothold in, or moving around the enterprise. Components and Train and certify personal on proper operation and configuration of security controls. Create a secure configuration review process to ensure that security controls are operating effectively. Acquire or upgrade security gateways on the Internet boundary to prevent advanced or unknown malware delivered through . Acquire or upgrade web security gateways on the Internet boundary to prevent advanced or unknown malware delivered over HTTP and HTTPS. Acquire or upgrade endpoint security systems on end-user devices and servers to employ application whitelisting capability. Integrate automated malware analytics and threat intelligence from global, community, and local sources with and web security sensors. Integrate automated malware analytics and threat intelligence from global, community, and local sources with endpoint security systems. Train users to identify and report potential phishing s and be aware of risks in social media. Detection This section is about prioritizing detective controls to reduce the time to identify and contain an exploited system. The focus in this section is ensuring that sensor technology produces accurate indicators, centralizing log collection, and effectively using threat intelligence to rapidly identify potentially exploited systems. Components and Train and certify malware and forensic analysts as part of an enhanced cybersecurity operations center. Develop an incident response process to continuously monitor key indicators and sweep for indicators of compromise. Develop a cyber intelligence process to collect, integrate, and manage threat intelligence from global, community, and local sources. Centralize collection of key log sources from DNS, web proxies, NetFlow, endpoints, authentication, and remote access logs in a SIEM for continuous monitoring and rapid incident response. Integrate automated malware analytics and threat intelligence from global, community, and local sources with , web, and endpoint security sensors. Collect and integrate threat intelligence from community and local sources into the SIEM to sweep continuously for indicators of compromise. Train users to identify and report potential phishing s and be aware of risks in social media Building Resilience in a Digital Enterprise 5

6 Summary Resilience is an evolution, not a single product, process, or technology. Resilience is also a business objective. We are in a period of unprecedented change where transformative technology is creating new opportunity for business innovation and new ways for cybercriminals or state actors to threaten the business. Building resilient digital services and safeguarding sensitive data are now executive priorities. This brief defines some the critical building blocks and investments that will help build a resilient and trusted digital enterprise. Intel Security solutions can enable business resilience in the cyberdomain through enterprise security architecture with balanced controls and integrated security multipliers. By leveraging Intel Security solutions and their connected architecture, an organization can improve cyber resilience and confidently move in new business directions. Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2015 McAfee, Inc brf_invest-manage-risk_0315_ETMG McAfee. Part of Intel Security Mission College Boulevard Santa Clara, CA