Can We Become Resilient to Cyber Attacks?

Transcription

1 Can We Become Resilient to Cyber Attacks? Nick Coleman, Global Head Cyber Security Intelligence Services December 2014

2 Can we become resilient National Security, Economic Espionage Nation-state actors, APTs Stuxnet, Aurora, APT-1 Narrow focus Targeted attacks / APTs Low frequency, high impact Notoriety, Activism, Defamation Hactivists Lulzsec, Anonymous, Islamist threats Monetary Gain Organized crime Zeus, ZeroAccess, Blackhole Exploit Pack Broad focus Large scale / industrialized Commodity attacks Botnets 2

3 How are we feeling? 3

4 Are we learning anything? 1,764,121 Represents the number of security events the average organization of employees will capture weekly 324 of these events represent actual attacks, per week 2.1 of these attacks will result in an incident, per week, - a 22% annual increase 2014 IBM Cybersecurity Intelligence Index 95% of incidents analyzed logged human error as a contributing factor Stolen or lost laptop or mobile device, Mistaken address/ disposition/ of SPI, Double clicking (malware), Poor system hygiene: failure to patch, configure, or update Failure to delete dormant user accounts, use of default passwords IBM Cybersecurity Intelligence Team 1 out of 100 security compromises are ever detected General Keith Alexander, Head of U.S. Cyber Command, in a speech to the American Enterprise Institute 3 % of all incidents analyzed by IBM Response Services could be considered noteworthy (potentially material or significant impact) 2014 IBM Cybersecurity Intelligence Team 4

5 Looking for the iceberg? System audit trails Logs Events Alerts Configuration information Internet of Things External threat feeds Business process data Identity context Mobile devices Cloud resources and social activity Malware information What we started with: Log collection Signature-based detection Where we are getting to: Real-time monitoring Context-aware anomaly detection Automated correlation and analytics Integration of structured and unstructured data Correlation of descriptive threat ligence with monitoring and machine data Better early warning when new threats appear

6 Gaining visibility to reduce risk? Firewall Proxy Internal IDS/IPS Endpoint security Employee directory Ever-increasing proliferation of cyber threat ligence feeds Top tier phishing indicators Brand abuse phishing indicators External Malware campaigns/ indicators Fraud payment Actor / indicators Web Application Authentication Malware detection SSO/ LDAP context Staff asset / credentials Customer asset / credentials Threat landscape (TTPs) Intel as a service (IaaS) Human Intel (HUMINT) Network Security Building access Fraud payment Application inventory Law enforcemt threat Industry threat sharing Public sector threat ISAC threat Technical Intel (TECHINT) CSIRT incidents Vulnerability patch mgmt DNS/ DHCP Call/ IVR Website marketing analytics IP reputation Passive DNS OSINT sentiment analysis Undergd/ dark Web Malware Hashes / MD5 Testing using real ligence patterns? Sharing data real time to inform protection Response and data providing actionable insight

7 Caution. Anything that is connected to the Internet can be hacked. Everything is being connected to the Internet. 7

8 Seeing people coming? A new approach. Making it difficult, and less rewarding New Approach Traditional Approach Predict and act Lack of Insight Velocity Sense and respond Inefficient Access Instinct and intuition Real-time, fact-driven Volume Skilled analytics experts Everyone Inability to Predict Variety Back office Point of impact Automated Optimized 8 8

9 Thank you 9