Rethinking Cyber Security in the Age of the Breach

Transcription

1 Global Cloud Networking Advanced Managed Security Cloud Unified Communications Rethinking Cyber Security in the Age of the Breach Craig D Abreo, CISSP VP Security Operations Copyright 2015 Masergy Communica8ons, Inc.

2 A Quick History of Hacking 2 - Hackers emerge at MIT - Efficiency was the goal - Phone hack (Phreakers) - John Draper (Blue box) - Phreakers à Computing - Hacking groups - Legion of Doom/Chaos Club Magazine - Robert Morris (1 st worm) - Operation Sundevil - Kevin Mitnick takedown - AOHell (AOL mail bomb) - Service Denial (Large Org) - DNS Attacks - Source Code Stealing - Intellectual Property - Credit Card/PII theft - APT and Malware - State Sponsored Attacks

3 Let s dissect an advanced cyber attack

4 Typical Advanced Persistent Threat (APT) Attack process Ini$al/Zero Day A0acks Backdoor/Remote Access Lateral Movement on Network Data Gathering/ Exfiltra$on Cover Tracks Targeted NICAZE Reconnaissance Proxy Tunneling Logs Edi8ng Phishing Malware Social Engineering Vulnerable Services SoJware flaws Drive by downloads IRC Botnet Logic Bombs Command & Control (C&C) User Mode rootkits Kernel Rootkits BIOS Malware Scanning Vulnerable Assets discovery Sniff network File shares Databases Password Cracking Hidden Data Streams (NTFS) Covert TCP channels (Loki) Reverse WWW shells Steganography techniques Log/Accoun8ng Clearing Use of Proxy channels (Tor) Clear shell history Microcode Malware SQL Injec8ons VM Detec8on

5

6 The result You can t escape the news 6

7 The high cost of Data Breaches The average cost to a company for a data breach is $3.5M Source: Ponemon Ins1tute 2014 Cost of Data Breach Global Analysis

8 Typical Enterprise Security Landscape Silo d independent security solutions Perimeter Focus Does not protect against internal threats Signature based Detect known signatures 95%+ exposed No defense for emerging threats, 0-day attacks, encryption Inability to monitor themselves Inadequate oversight, monitoring, ticketing and incident response Management challenges Not enough security expertise, small security staff

9 Monitoring all available traffic is key East - West Traffic North - South Traffic Users

10 Security Integration and Information Sharing

11 Advanced Behavioral Analysis & Machine Learning Resource Pairing Threshold Protocol Pattern Statistical Frequency

12 Resource & Pairing Engine System Resources monitoring: services protocols ports etc. Major and Minor Overflows & Underflows Inbound and Outbound activity Determine when new servers are found New Services discovered on a previous know host/entity tcp/3306 tcp/443 tcp/21 Pairing Engines monitors and tracks host-to-host/net communication

13 Threshold Engine Time based analysis using predictive mathematics to determine expected values Time slices analysis: single hour continuous contiguous hours day of week/month/quarter Useful for time based functions: backup batch processing etc.

14 Protocol Analysis & Pattern Engine Analysis to check for proper protocol usage Packet anomalies are used to evade detection fragments sequence obfuscation de-synchronization Abnormal packets = unsafe packets Pattern Engine will attempt to classify known traffic

15 Statistical Analysis & Frequency Engine Statistical analysis of: packet flow through the environment individual systems field information within packets Measure and tracks the rate of change in frequency from the statistical engine: packet count protocol usage port service usage

16 Identifying and analyzing abnormal network behaviors Machine Learning

17 The human element of Security Security = Protection/Prevention + Detection + Incident Response Let the machines do what they do best integrate closely with human intelligence/expertise and let the humans do what they do best People Process Technology

18 How can you apply these concepts? Monitor all available traffic on your all network (North-South, East-West, Critical zones, Logs, Scans, End-points etc.) Don't rely just on signature based technologies.. explore your behavioral options Hold a bake off before you settle on a MSSP provider.. Security is 24/7 not 9-5 Invest in a comprehensive security audit program Educate your users - Security Awareness goes a long long way

19 Global Cloud Networking Advanced Managed Security Cloud Unified Communications Thank You!!