Cyber Watch. Written by Peter Buxbaum

Transcription

1 Cyber Watch Written by Peter Buxbaum

2 Security is a challenge for every agency, said Stanley Tyliszczak, vice president for technology integration at General Dynamics Information Technology. There needs to be a lot more innovation in implementation of advanced technology. The real challenge is how to implement security in a budgetconstrained environment, how to separate the wheat from the chaff so you can take appropriate actions. General Dynamics IT provides malware and intrusion detection and prevention, scanning and other cybersecurity products and enterprise-level services to the Coast Guard. An organization like the Coast Guard that has significant national security responsibilities needs to be concerned about state-sponsored targeted attacks, in addition to insider threats, said Tom Cross, director of research at Lancope. State-sponsored intrusions are the most sophisticated attacks out there. They have a lot of smart people, they have the money to spend, and they know about systems vulnerabilities months in advance of the security community. These days, cybersecurity requires more than just old-school intrusion detection; it requires continuous monitoring of network activity and the analysis of mountains of data to identify malicious activity. Traditional measures like firewalls won t catch every attack, especially if legitimate credentials have been compromised, said David Pack, director of LogRhythm Labs. The way to determine when a credential has been compromised is to build a baseline of user or host behavior and to look at log data in real time. Analytical tools can detect when behaviors have changed. At that point, an analyst can look into the situation to see whether the account has been compromised. It is really a triumvirate of people, processes and technology that makes for good cybersecurity, said Tyliszczak. You can t do just one piece. Cybersecurity is an ongoing effort and there is no big bang solution particularly since the threats are increasing in both sophistication and frequency of attack. We ve learned, through a number of our programs for the DoD, IC and other federal agencies, that you have to treat cybersecurity as mission-critical and put in place multiple checks and practices that make sure systems are always protected to their highest level. There are some things you can automate, continuous monitoring of security state, for example, but it still requires trained people, disciplined processes and a culture that gives good security practices to the highest priority. The main challenge that our industry faces today is staying ahead of the adversary, said Ross Warren, Inmarsat Government s director of cyber security. The attacker only needs to exploit one vulnerability to gain access to a network. Whereas the defenders need to ensure some faction of a defense in depth covering every avenue for exploitation. Inmarsat Government participates in DoD s defense industrial base (DIB) Cyber Security/Information Assurance (CS/IA) program. The DIB CS/IA program is a voluntary DoD program that enhances our capabilities to safeguard customer information that transits our unclassified information systems, Warren explained. We also have a multi-year partnership with the FBI through their Infraguard program, through which we participate in focused interest groups representing the satellite industry. We fall under the U.S. Cyber Command, said Thompson. As of November of last year we started to route our network traffic over DoD sensors before it gets down to Coast Guard sensors. That way we leveraged a higher level enterprise filtering process. DoD is able to knock off malicious traffic before it gets to us. That lowered the number of incidents on our systems several fold. The Coast Guard also deploys a suite of firewalls that block traffic from Internet addresses known to cause trouble and prevents network users from accessing unreliable Internet domains. That is on the defense side, the blocking piece, said Thompson. Thompson characterizes the other measures taken by the Coast Guard as defense in depth. One such tool, required by DoD, stops users on the network from doing things they shouldn t. We train our users, said Thompson, but some people don t understand the training as well as others.

3 The Coast Guard also deploys network monitoring tools that examine network behavior to look for anomalies. Attempts to log into the network several times with false passwords could raise a red flag, as could administrators signing in in the middle of the night when they normally don t work. These tools help us to understand what is going on on the network and if it is legitimate or not, said Thompson. For many years, people have approached network problems from a perimeter security perspective, said Cross. They built high walls to keep bad stuff out. But more recent attackers have shown sophistication in getting past those types of security systems. To identify and track those types of threats, as well as insider threats, you need to have an audit trail of the internal network. These newer types of threat detection systems analyze internal network behaviors, explained Guy Alon, a marketing director at Israel Aircraft Industries, but also search externally for clues that could indicate an impending attack. From an internal point, we are interested in being able to analyze network behavior, so we collect data like the hours that specific employees enter and exit a facility, he said. On the external side, we aim to reach into cyberspace to sites like social networks to identify whether there are specific conversations that appear to attempts to collect sensitive data. This could represent a cyber threat. We developed a special anomaly detection engine targeted to advanced persistent threats, said Tavi Salamon, an IAI business development manager. It is fully automated and is able to detect patterns out of existing behavior on the network. Once the engine learns the patterns, it can tell what behavior is normal and what is abnormal. Other detection engines are rules-based and are based on past experience. The other kind learns new patterns as they develop. Inmarsat Government has deployed multiple intrusion prevention/detection systems (IDS), giving them a defense in-depth network architecture. We have partnered with Dell Secureworks, a very well-respected managed security services provider, to manage our intrusion prevention system and provide security on the edge of our network. Secureworks 24/7/365 security operations center monitors and protects our networks, providing an added level of confidence to our defensive posture and security. Inmarsat Government has deployed multiple IDS that use the Security Onion Linux distribution. The Security Onion IDS sensors leverage multiple mature, open-source cyber defense software packages in a very easy-to-deploy installation. We collect data to develop multiple dimensions of user behaviors, said Pack. It might be normal for a user to change to a different job function and access new data, but if multiple dimensions of a user s behavior changes within an hour, that is an indication of compromised credentials. LogRhythm pulls network log data to a centralized location for processing by an analytics engine. We enable organizations to baseline normal, day-to-day activity across multiple dimensions of the enterprise, said Pack. The system then analyzes against that baseline log, flow and machine data generated to discover anomalies in real time. For example, a system baseline could be created showing the rolling averages of the expected numbers of users logged into a system at any given point to create parameters of what constitutes normal and abnormal usage. When activity deviates from the normal, an alert can be generated. Collecting network data also helps with job of analyzing an attack after the fact. Lancope s tool collects netflow data, protocols that are constantly being transmitted by network routers, switches and firewalls. This is an efficient way to create a network audit trail, said Cross. The netflow metadata is light but can

4 create a history of everything that happened on a network. Other tools which do deep packet inspections generate a large amount of data which needs to be stored. Analyzing netflow data allows analysts to recreate an attack s kill chain. You can recreate the process the attacker took to break into the network, said Cross. Sophisticated attacks often target specific people. They have to take action to activate the exploit. Once that happens, the malware establishes a foothold and continues to work on the inside to find information and move it out of the network. Recreating the steps the attackers engage in is useful for building models of attacks, which are used to consider what controls have to be put in place to counter each step of an attack. It s important to emphasize cybersecurity technology doesn t work effectively on its own. It requires interaction with humans. An alert generated by a piece of software does not necessarily indicate an attack. The trained analysts are the ones who actually determine whether an attack has occurred or is underway. We have watch standers working 24/7 at our cyber operations center, said Thompson. They look at anomalous behavior identified by the software and conduct further investigations. They also analyze attack kill chains to see where our defenses were effective, or not. If defensive measures did not stop an attack, they can put a block on that portion of the network. We also have a forensics team that investigates what systems and data an attack was aiming for and whether the signature of that attack spread to other portions of the network. Contractors are well advised to take the educational responsibility for their own staff that are placed in secure areas, according to Terry Verigan, vice president of CompuCure. CompuCure has been involved in managing government projects involving sensitive and classified data. Whenever we have a team going on site, said Verigan, we do background checks as required by the agency, but we also educate and remind staff members about what we are dealing with. That means, for example, leaving their cell phones behind when those devices are not allowed on site, usually because of their photographic capabilities. Verigan also advises prohibiting the use of social media sites on agency networks. Social media in my experience is insecure, he said. Small malware files can be embedded in social media transmissions the same as in . Social media tends to make workers a little more casual about their work environment which in itself can be a big security issue. Making social media secure seems to be a non sequitur. The Coast Guard is ramping up its training of its cybersecurity personnel, according to Thompson. Because threats are evolving and becoming more challenging and more pervasive, we need a more robust ability to respond, he said. The National Security Agency has some training courses online and industry has a robust set of courses that our people can learn from. Forensics especially requires extensive training. We teach our forensics people how to maintain a virtual chain of custody. They have to do everything that investigators do in the physical world. The Coast Guard also provides extensive onthe-job training, Thompson noted. We currently are researching new detection and prevention methods such as botnet interception with DNS redirection and rogue user detection though behavior analytics, explained Warren. We strongly believe the way to improved security capabilities is through a greater understanding of our currently deployed defenses. Inmarsat Government sees the practice and methodologies suggested by the Network Security Monitoring principals as a natural progression that builds on lessons learned from managing firewalls, anti-virus and web filtering. Understanding normal behavior and the deviations from that normal behavior show the most promise for improving cyber security.

5 IAI offers a simulated cybersecurity training system that represents an integration of several different commercial training tools. The trainer can insert different types of attack patterns, said Salomon, and the student has to work through the scenario and distinguish what to do in different situations. Once thing that Lancope is working on is to facilitate the sharing of threat information among different organizations that use their tools or ones similar. Threat intelligence is not standardized, said Cross. Work is currently taking place to establish standard formats for communicating threat information and to build processes within organizations to manage that sharing. Many organizations take in threat intelligence, Cross added, but don t see the benefit of telling other people what they learn. We ve got to break that ice. That is going to dominate the discussion in coming years.