Compliance Risks in APT Response & Defense

Transcription

1 Compliance Risks in APT Response & Defense Jennifer Archie, Partner Kevin Boyle, Partner The Security-Privacy Paradox No Privacy without security Effective security has impacts on privacy Key privacy requirement is to protect against unauthorized access lock it up behind a secure perimeter APTs are designed to elude perimeter defenses Detecting and eradicating APTs requires review of behavior and content in the systems and enterprise being protected 2

2 Examples of Conflicting Goals Security Obligation to provide security Quick response to attacks and changing strategies Need to retain log and traffic data for analysis Need to consolidate data for analysis vs. Privacy Obligation not to intrude on personal communications Requirements to obtain user consent and register applications/processing Restrictions on data retention Export limitations on personal data, banking information and state secrets 3 Fair Information Practice Principles (FIPs) Transparency (notice) Individual Participation (choice) Purpose Specification Data Minimization Use Limitation Data Quality and Integrity Security Accountability and Auditing Rooted in the US Department of Health Education and Welfare seminal 1973 report, Records, Computers, and the Rights of Citizens, these principles are at the core of the Privacy Act of 1974 and are mirrored in many federal statutes and the laws of foreign nations, very notably the countries of the European Economic Area. 4

3 U.S. Legal Environment (A Privacy Outlier) US has a Sectoral, but still FIPs-based, Legal Approach Regulation of data users by sector, such as: Government (Privacy Act, etc.) Financial (GLBA) Medical (HIPAA) Children (COPPA) Educational (FERPA) Breach Disclosure (most states & some federal requirements) Limited export restrictions 5 Data Protection universal principles In the developed world, outside the US, the expression of data protection in various declarations and laws varies only by degrees. All require that personal information must be: obtained fairly and lawfully; used only for the original specified purpose; adequate, relevant and not excessive to purpose; accurate and up-to-date; and destroyed after its purpose is completed. 6

4 Non- US View EU (and much of rest of world) Omnibus Approach Privacy as a fundamental Human Right (including even a right to be forgotten) Regulation across sectors Any processing requires compliance with local requirements Broad export restrictions 7 Contract Requirements Customer Agreements Limitations on use of data Limitations on processing locations Disclosure obligations Compliance with law obligations Terms of Use Privacy Policies 8

5 Cross Border Data Flow Export controls Laws to protect financial/medical/other sensitive information Anti-outsourcing laws Contract limitations 9 An Issues Smorgasbord Country US Germany France South Korea China CIS Columbia Issue Health and export control statutes Strict prohibitions on interception; intra-corporate networks Employee rights to private communications on corporate networks Two-party consent to monitoring for non-south Korean companies State secret and cyber crime reporting laws; export restrictions Limits use of encryption tools and prohibits export of state secrets and commercial secrets Sectoral limits on export of personal information 10

6 Methodology Detection Tools Firewall Logs DS Logs Packet Captures Lima Scans/Hostbased Scanner SIEM Indicators of Compromise - IP Addresses - Protocols - Registry Keys - Filenames - Hash Values Analysis - Host Forensics - Network Logs - Malware Analysis 11 APT Defense & Analytic Tools Increasing Privacy Impact Category Description Examples Systems Data Monitoring Tools (IDS, IPS) Server Monitoring Tools Systems Data Storage Tools Consolidation Tools (SIEM) Content Monitoring Tools (DLP) Content and Log Storage Tools These tools send alerts based on rules of non-routine events, patterns of suspicious behavior, or unusual activity. The alerts will contain systems data to provide evidence of the type of issues spotted, e.g. file type, IP address, communications protocols, and what it was communicating with internally. Often programmed to recognize specific malicious signatures. These tools are similar to the above but work at a server or endpoint rather network level, e.g. monitor a server to look for unusual events. These tools save all log / network data so it can be reviewed at a later date. These differ from the monitoring tools as the monitoring tools do not save all data but only provide information of suspicious events. These tools take feeds from all of the other tools to enable suspicious events to be cross referenced. This technology can correlate event information and bring together a larger picture of activity above and beyond individual technology collection and analysis. These tools undertake deep packet inspection (looking at Business Content) based on a set of rules to try and identify content being exfiltrated or moved around the network by the attackers. These tools effectively store all log and content data that passes over a certain point in the network, e.g. firewall, mail server, VPN tunnels. Capable of storing a complete record of all communications entering and leaving the network which can subsequently be reviewed if necessary to investigate suspicious behavior and modes of attack. Length of data retention key driver. Proventia, Fidelis XPS, Netflows (SiLK analysis) RSA ECAT, Microsoft Threat Detection System, Symantec CSP SPLUNK ArcSight, Alien Vault SIEM Symantec DLP RSA Security Analytics 12

7 Specific Activities/(Risks) AV, IDS/IPS and other pattern based tools (content scanning) DLP (content scanning at a more intrusive level than IDS/IPS) Capturing network packets (metadata and/or content), logs and assets (even more intrusive content scanning) SIEM and log correlation/analysis (behavior tracking, works council issues, potentially ties to content scans) Device forensics (content scanning, behavior tracking) Global SOC (export controls, privacy controls) 13 Active Defense Example IDS/IDS or SIEM alerts to sharp uptick in DNS lookups Traffic logs are reviewed or sniffer is used to identify source of excess lookups Suspect machines in local network identified by MAC address info in traffic and IP address logs Suspect external IP addresses blocked Suspect machines are imaged and reviewed for malware Traffic from suspect machines reviewed to look for data exfiltration Internal network and server logs review for evidence of lateral attacks 14

8 Intrusion Response Example Notice of possible intrusion (e.g. indicia of breach, law enforcement) Scramble response to confirm breach and establish scope review available logs look for malware and other forensic evidence Stop/isolate (or perhaps monitor) Implement monitoring tools to observe and trace any continued intrusion Deal with notification issues (DP and users) Eradicate 15 Active Defense vs. Incident Response Active Defense ongoing IR generally episodic Exigent circumstances of IR may allow broader scope than in AD, but generally requirements will be the same 16

9 Data Protection EU type DP rules Many issues arise under EU and EU-type data protection regimes Collection/processing/access of any information about a living person subject to regulation in EU Consent may not work Exceptions may not apply Export may create additional issues Optimal defense-in-depth security program may not be proportional 17 Data Protection United States 18

10 What is proportional - Tool retention periods Is there a less intrusive way? If data is stored, how often is it used? How sensitive is the data? Full packet capture is very sensitive, log data less sensitive. What would be the impact of a shorter period? What safeguards are in place to protect individuals? What do others do? Different countries within Europe will have different views. German case law Deutsche Telekom 19 APT Tools: A Compliance Risk View Category Description Issues Increasing Privacy Impact General Issues for all tools Data subject consent, DP registration Systems Data Monitoring Tools (IDS, IPS) Server Monitoring Tools Systems Data Storage Tools Consolidation Tools (SIEM) Content Monitoring Tools (DLP) These tools send alerts based on rules of non-routine events, patterns of suspicious behavior, or unusual activity. The alerts will contain systems data to provide evidence of the type of issues spotted, e.g. file type, IP address, communications protocols, and what it was communicating with internally. These tools are similar to the above but work at a server rather network level, e.g. monitor a server to look for unusual events. These tools save all log / network data so it can be reviewed at a later date. These differ from the monitoring tools as the monitoring tools do not save all data but only provide information of suspicious events. These tools take feeds from all of the other tools to enable suspicious events to be cross referenced. This technology can correlate event information and bring together a larger picture of activity above and beyond individual technology collection and analysis. These tools undertake deep packet inspection (looking at Business Content) based on a set of rules to try and identify content being exfiltrated or moved around the network by the attackers. IP addresses treated as PI by some jurisdictions; collection/review of physical security data may violate workplace rules, especially when correlated with other data Fact of access to particular servers may reveal protected health information or other PI Same as above but with data retention issues and increased prospect that substance of communications will be revealed In addition to above, export issues (as data need to be normalized and compared (depending on configuration); additional retention issues Direct review of message content; export issues depending on configuration Content and Log Storage Tools These tools effectively store all log and content data that passes over a certain point in the network, e.g. firewall, mail server, VPN tunnels. Direct review of message content, data retention issues, export issues 20

11 The Compliance Dilemma Security necessities (regulatory and contractual) potentially conflict with various data privacy and related requirements Evolving area of law with conflicting obligations in and across jurisdictions Seeking 100% compliance perhaps not feasible Potential liability on both sides (including some criminal) Apparently no cases dealing specifically with this conflict in the context of APT attacks on corporate data, so no direct guidance on weighing priorities 21 What to Do? No risk free answer Acting vs. not acting Right-sizing and scoping collection, transport, and assessment of business content and metadata gathered in IR 22

12 Risks In Not Acting Failure to use adequate measure to protect personal information Failure to meet certification requirements (US-EU Safe Harbor) Failure to meet contractual requirements (SCCs, BAAs, general client agreements) Failure to halt movement of PI and other controlled info within network by attacker (which movement may itself violate law) 23 Risks In Acting Lack of consent Exceeding scope of consent or legitimate interests Use of unregistered applications or use of registered applications out of scope Undeclared use of data Export of PI without necessary consent or authority or in violation of express export limitations Unauthorized interception of communications Monitoring employees in violation of regulations and labor requirements 24

13 A Practical Approach to Compliance Back to privacy first principles FIPS Disclosure Transparency Least intrusion necessary (proportionality/necessity) Balance interests Ensure monitoring is necessary and no less intrusive means available Obtain employee consent where possible As part of onboarding Sign-on banners As part of ongoing security awareness efforts 25 A Practical Approach to Compliance Reduce risk of misuse through appropriate use of safeguards and documented, tool-specific written protocols regarding export, access, use, need to escalate for express permission to deviate from protocol Ensure DP filings and other compliance materials adequately disclose monitoring Monitoring notified to and agreed with Works Councils where required BCRs may afford additional flexibility in response 26

14 Necessity? Why is monitoring necessary? Many examples establish that perimeter defenses do not protect against APTs Zero day, must have software and user issues Once intruder is in, monitoring internal activity is often the only way to identify and trace attacker Checking substance of communications may be the only way to detect and thwart exfiltration of protected data 27 Flash Response Risks No employee consents or employee consents too narrow Regulatory lead-time issues Management overhead issues (time to process issues) Lack of event data because logs/traffic information not available 28

15 Planning For Defense Planning for defensive actions What tools, what data and where What law applies What have you already declared/registered Closing the gap Privacy enforcement risk vs. security risk 29 Privacy By Design Notice to users Disclosure to regulators Limited use Access Purpose Limited retention Tool escalation based on need 30

16 Collaborating Across Departments Other departments within same company may not be fully briefed on defense-in-depth, tool-based strategies, in terms of understanding what data is gathered by what means for what purposes for how long Get buy-in before rolling-out new AD tools Three part framework: Where are you looking? What can you see? How encrypted/plain text? Ask about notice, minimization and policies 31 Closing Thoughts Wrapping up Make sure you understand how tools are deployed in your environment As always, the particulars matter Plan now for active defense, breaches and forensic response 32

17 Contact Information Jennifer C. Archie Washington, D.C. T E [email protected] B Jennifer Archie is a partner with Latham & Watkins with 15 years experience investigating and responding to security incidents. A CIPP, she regularly presents on cyber security and privacy topics. Kevin C. Boyle Washington, D.C. T E [email protected] B Kevin Boyle is a partner with Latham & Watkins with a practice focused on data privacy & security and technology related transactions. A CISSP and CIPP, he led Latham s internal security program for 10 years and its privacy program for 5 years. 33