Security Management: Adaptive Security Model & Threat Intelligence Exchange
David O. Berry, CSSLP, CISSP-ISSAP, ISSMP, CRISC, MCNE, Worldwide Technical Strategist

Security Obstacles Facing Organizations
- Siloed security organizations: separate organizations utilizing point products, from multiple vendors, operating in functional silos with no intelligence sharing.
- Lack of visibility: too much data and not enough intelligence makes visibility into threats challenging. Reactive security infrastructure lacks the timely intelligence needed to identify threats.
- Targeted attacks: attacks are becoming more sophisticated, autonomous and stealthy, and are specifically designed to penetrate existing security controls, including security processes and people.

Challenge Presented by Targeted Attacks
(Chart: for advanced targeted attacks, the time from compromise to discovery and from discovery to containment, shown as percentage distributions across minutes, hours, days, weeks, months and years.) Sources: Verizon 2013 Data Breach Investigations Report; Securosis Malware Analysis Quant Metrics Model.

Where Security Professionals Spend Their Time
- Detection: 35%
- Protection / timely block: 22%
- Chasing false positives: 20%
- Breach notification: 11%
- Damage repair: 9%
- Other: 3%
Source: survey at Black Hat USA 2013.

Quantifying the Impact of Targeted Attacks
- Downtime
- Brand impact: priceless
- Data loss
- Intellectual property leakage

Quantifying the Impact: Retail Example
- Sales down 46% [1]
- Profits down 34% [1]
- Costs so far: US $61M [1]
- Possible fines: US $400M to $1.1B [1]
- Brand impact: priceless
- Global annual cost of cybercrime: US $400 billion [2]
- Average cost of a 2013 attack: US $11.6 million [3]
- Number of successful attacks: 122 per week per company [3]
1. http://online.wsj.com/news/articles/sb10001424052702304255604579406694182132568
2. Net Losses: Estimating the Global Cost of Cybercrime, June 2014
3. Ponemon Institute 2013 Cost of Cyber Crime study
The Resulting Impact: World's Biggest Data Breaches
(Figure: timeline of the world's biggest data breaches, 2004-2013, each breach sized by number of records lost and categorized by cause: accidentally published, hacked, inside job, lost/stolen computer, lost/stolen media, poor security, unknown, virus.) Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
We Must Shift to Adaptive Security for Clarity, Confidence, and Control
Current reality:
- Increasingly complex and sophisticated threat landscape
- Abundance of data, with disparate security tools providing little real security intelligence
- Malware-centric protection
- Post-exploit indicators of compromise, with little breach prevention
A new, adaptive approach:
- Shift from singular threat to continuous protection
- Controls share data and orchestrate responses, enabling automated security intelligence
- Relevant, rich, real-time contextual analytics
- Pre-exploit indicators of attack

Adaptive Security Model: Turning Data into Actionable Security Intelligence
Adaptive threat prevention and adaptive risk management deliver clarity, confidence and control.

Clarity to Drive Better, Faster Decisions: Current State vs. Adaptive Approach
- Current state: limited scope and limited point-in-time context from each product (Product 1, Product 2, Product 3). Result: limited, reactive visibility and threat protection.
- Adaptive approach: continuous monitoring and contextual analytics. Result: faster, more proactive awareness of threats and anomalous events.

Confidence to Act: Derive Knowledge and Perspective from Multiple Sources
- Global intelligence (global scale)
- Company-specific intelligence
- Human organizational intelligence (organizationally relevant focus)

Confidence to Act: Boost Confidence with Risk Scoring, Automation, Watch Lists and Alerting
Gain confidence to act through distillation and prioritization, risk scoring and customizable tuning, increased automation, and a focus on what matters most: from states and events, to clarity from context, to triage and prioritization.

Control to Instantly Take Integrated Action: Standardize Integration and Communication to Break Down Operational Silos
Disjointed API-based integrations vs. a collaborative fabric-based ecosystem (DXL):
- Slow, heavy and burdensome vs. fast, lightweight and streamlined
- Complex and expensive to maintain vs. simplified, with reduced TCO
- Limited vendor participation vs. open vendor participation
- Fragmented visibility vs. holistic visibility

Security Management Portfolio Stack (GTM Positioning), from abstract to concrete:
- Business Partner Portal / Self-Service Portal
- Enterprise-wide visibility and correlation (ESM, TIE)
- Operational control (ePO, including Mobile, supporting point product management extensions)
- Secure communications (DXL, legacy comms)
- On-device controls (agent technologies supporting point products)

Changing World of Operational Management: Services, Not Servers
(Diagram: ESM, ePO1, ePO2 and the TIE service delivered as shared services rather than as individual servers.)
Threat Radar = Answering the Question Why?
- Industrial threats will mature
- Hacktivism: reboot or be marginalized
- Windows 8: BIOS and hardware attacks
- Mobile botnets, rootkits, and attack surface: oh my!
- Rogue CERTs: rooting trust

This was THEN. Literally in black and white!

Next-Generation Data Centers
(Diagram: a large-scale virtualized utility fabric provides application services to millions of users, the utility computing vision. Multi-tiered applications run across an access tier (authentication, DNS, intrusion detection, VPN, web cache), a web tier (web servers, web page storage on NAS), an application tier (application servers, files on NAS) and a database tier (SQL servers, storage area network), connected by edge routers, routing switches, first- and second-level firewalls and load-balancing switches over an on-demand switched fabric infrastructure between the internet and the intranet.)
And They Wonder Why We Seldom Sleep Peacefully?
Security Automation Will Revolutionize Information Sharing

Common Language(s)
MITRE has been working with industry to develop common structures: STIX, CybOX, TAXII, CAPEC, MAEC, OVAL. Implementations are still immature, but there is a gathering storm. Analysts must have a firm grasp of this entire space.

Cyber Threat Intelligence: Consider These Questions
- What activity are we seeing?
- Where has this threat been seen?
- What weaknesses does this threat exploit?
- Who is responsible for this threat?
- What threats should I be looking for, and why?
- What does it do?
- Why does it do this?
- What can I do?
That Machines Can Use Too

CybOX 1.0 (draft) observable: a file object whose MD5 hash is tested against a set of values.

<?xml version="1.0" encoding="UTF-8"?>
<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://cybox.mitre.org/cybox_v1"
    xmlns:Common="http://cybox.mitre.org/Common_v1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject"
    xsi:schemaLocation="http://cybox.mitre.org/cybox_v1 http://cybox.mitre.org/XMLSchema/cybox_core_v1.0(draft).xsd
                        http://cybox.mitre.org/objects#FileObject http://cybox.mitre.org/XMLSchema/objects/File/File_Object_1.2.xsd"
    cybox_major_version="1" cybox_minor_version="0 (draft)">
  <cybox:Observable>
    <cybox:Stateful_Measure>
      <cybox:Object id="cybox:a1" type="File">
        <cybox:Defined_Object xsi:type="FileObj:FileObjectType">
          <FileObj:Hashes>
            <Common:Hash>
              <Common:Type datatype="String">MD5</Common:Type>
              <!-- IsInSet: the file matches if its MD5 is any value in value_set -->
              <Common:Simple_Hash_Value condition="IsInSet"
                  value_set="4ec0027bef4d7e1786a04d021fa8a67f, 21F0027ACF4D9017861B1D021FA8CF76,2B4D027BEF4D7E1786A04D021FA8CC01"
                  datatype="hexBinary"/>
            </Common:Hash>
          </FileObj:Hashes>
        </cybox:Defined_Object>
      </cybox:Object>
    </cybox:Stateful_Measure>
  </cybox:Observable>
</cybox:Observables>

STIX 1.0.1 package: an indicator that carries a Snort rule as its test mechanism.

<!--
  STIX Indicator w/ Snort Example
  Copyright (c) 2013, The MITRE Corporation. All rights reserved.
  The contents of this file are subject to the terms of the STIX License located at
  http://stix.mitre.org/about/termsofuse.html.

  This example demonstrates a simple usage of STIX to represent indicators with a
  Snort test mechanism. This demonstrates the ability of STIX indicators to
  represent external test mechanisms within an indicator.

  It demonstrates the use of:
    * STIX Indicators
    * STIX TestMechanisms
    * Extensions (Snort)
    * Controlled vocabularies

  Created by Mark Davidson
-->
<stix:STIX_Package
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:testMechSnort="http://stix.mitre.org/extensions/TestMechanism#Snort-1"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="http://stix.mitre.org/stix-1 ../stix_core.xsd
                        http://stix.mitre.org/Indicator-2 ../indicator.xsd
                        http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd
                        http://stix.mitre.org/extensions/TestMechanism#Snort-1 ../extensions/test_mechanism/snort.xsd"
    id="example:STIXPackage-0935d61b-69a4-4e64-8c4c-d9ce885f7fcc"
    version="1.0.1">
  <stix:STIX_Header>
    <stix:Title>Example SNORT Indicator</stix:Title>
    <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Network Activity</stix:Package_Intent>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-ad560917-6ede-4abb-a4aa-994568a2abf4">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">Exfiltration</indicator:Type>
      <indicator:Description>
        Indicator that contains a SNORT signature. This snort signature detects
        'exfiltration attempts' to the 192.168.1.0/24 subnet.
      </indicator:Description>
      <indicator:Test_Mechanisms>
        <indicator:Test_Mechanism id="example:TestMechanism-5f5fde43-ee30-4582-afaa-238a672f70b1"
            xsi:type="testMechSnort:SnortTestMechanismType">
          <!-- From http://manual.snort.org/node29.html -->
          <testMechSnort:Rule><![CDATA[log udp any any -> 192.168.1.0/24 1:1024]]></testMechSnort:Rule>
        </indicator:Test_Mechanism>
      </indicator:Test_Mechanisms>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
Sharing Solution
Instead of 2% or less of attacks blocked, detected, or prevented, a much higher percentage of attacks are stopped. (Diagram: Org A exchanges intelligence, in steps 1 to 5, with an intelligence repository shared by many trusted orgs.)

Iterative Real-Time Loops: OODA Matters
The ability to make this world happen exists now. It is not futures or fiction.

Coordinated Security: Pub/Sub Rules the New World
Components connected through open interfaces (IF-MAP protocol): asset management system; endpoint security (via NAC); SIM/SEM (Nitro, ePO, MAP servers); IPAM; physical security; ICS/SCADA security; AAA server; routing; IDS; switching; wireless; firewalls; cloud security; custom integration.

Current Standards Status
- Pilot group, aka "Friends and Family": 25 organizations participating
- Vision gaining momentum: live at NH-ISAC, working with several others
- Released version 1.2 to the group, with a focus on installability
- Enabled collaboration: forums, bug tracker, download system
- Conversion of open source intel feeds: approximately 14 sources

Automation Maturity
- Humans will always be in the loop
- Using STIX and TAXII repositories/gateways we can leverage already scarce talent: fewer analysts will have to develop their own signatures
- Using automation it is possible to move signatures faster
- Off-the-shelf COTS may not interoperate across vendors
- Open source may require in-house development to automate information flow
- Ensuring security in information flow across systems??? Don't let your security solution become the problem!
- But, can you trust analysts/incident handlers in other organizations?

Data Exchange Layer (DXL) Use Case Example: Transforming Events into Actionable Intelligence
Using Network Security Platform, Enterprise Security Manager, and ePO to find and remediate potentially compromised systems:
1. NSP detects botnet activity (a device trying to reach a botnet server).
2. NSP publishes event data to the message bus (the IP address of the suspicious device and the IP address of the botnet server).
3. ESM searches for past connection attempts with the botnet server's IP address.
4. ESM publishes the list of suspected devices to the message bus.
5. Infected devices are secured using a combination of solutions and methods.
(Diagram: DXL brokers in the DMZ, at a remote site and alongside the TIE server connect NSP, ATD, the firewall, Web Gateway (MWG), a nomadic managed endpoint, ESM, TIE and ePO-managed endpoints.)
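The pub/sub pattern behind the five-step use case above, as an added example (not McAfee's or the DXL SDK's code): an in-memory stand-in for the broker, an ESM subscriber that turns the NSP event into a suspect list by searching its connection history, and a responder that consumes that list. Topic names, message fields, the lookback window and all IP addresses and log entries are constructed for illustration.

```python
# Added example (not McAfee's code): the five-step NSP -> ESM -> remediation
# use case above, modelled as topic pub/sub on an in-memory stand-in for the
# DXL broker. Topic names, message fields and the sample data are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

class Broker:
    """Minimal DXL-like broker: subscribers register per topic, publish fans out."""
    def __init__(self):
        self.subs = defaultdict(list)

    def subscribe(self, topic, callback):
        self.subs[topic].append(callback)

    def publish(self, topic, message):
        for cb in list(self.subs[topic]):
            cb(message)

BOTNET_C2 = "203.0.113.7"                   # constructed (documentation range)
# Constructed ESM-style connection history: (timestamp, source host, destination)
CONN_HISTORY = [
    (datetime(2014, 9, 1, 8, 0), "10.0.0.5", BOTNET_C2),
    (datetime(2014, 9, 2, 9, 30), "10.0.0.9", "198.51.100.4"),   # unrelated
    (datetime(2014, 9, 3, 1, 15), "10.0.0.12", BOTNET_C2),
    (datetime(2014, 5, 1, 1, 15), "10.0.0.40", BOTNET_C2),       # outside window
]

class ESM:
    """Steps 3-4: find other hosts that reached the same C2 inside the lookback window."""
    def __init__(self, broker, history, lookback_days=30):
        self.broker, self.history = broker, history
        self.lookback = timedelta(days=lookback_days)
        broker.subscribe("/nsp/event/botnet", self.on_event)

    def on_event(self, evt):
        since = evt["detected_at"] - self.lookback
        suspects = {src for ts, src, dst in self.history
                    if dst == evt["c2_ip"] and ts >= since}
        suspects.add(evt["device_ip"])      # the host NSP just saw is in scope too
        self.broker.publish("/esm/suspects",
                            {"c2_ip": evt["c2_ip"], "devices": sorted(suspects)})

class Responder:
    """Step 5: firewall/ePO-style consumer; actions are only recorded here."""
    def __init__(self, broker):
        self.actions = []
        broker.subscribe("/esm/suspects", self.on_suspects)

    def on_suspects(self, msg):
        self.actions.append(("firewall-block", msg["c2_ip"]))
        self.actions.extend(("quarantine", ip) for ip in msg["devices"])

def run_use_case():
    """Wire up the bus, replay steps 1-2 (NSP publishes), return the resulting actions."""
    broker = Broker()
    ESM(broker, CONN_HISTORY)
    responder = Responder(broker)
    broker.publish("/nsp/event/botnet", {"device_ip": "10.0.0.22", "c2_ip": BOTNET_C2,
                                         "detected_at": datetime(2014, 9, 3, 12, 0)})
    return responder.actions
```

Note that neither producer knows who consumes its message: NSP publishes once, and any number of products (ESM, a firewall, ePO) can subscribe without a point-to-point integration, which is the operational silo the slide says the fabric removes.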
Adaptive Security in Action: Threat Intelligence Exchange
Countermeasures are really good at what they do, and they are completely blind to anything outside their plane of existence. Orchestrated and automated responses adapt faster than threats can evolve.

Threat Intelligence Exchange: Applying the Power of Knowledge
(Diagram: the Threat Intelligence Exchange server combines Global Threat Intelligence, third-party feeds, local threat intelligence, organizational intelligence from security administrators, the SOC and IR, and, in future, other data sources, and shares the result with Enterprise Security Manager, Web Gateway, Next Generation Firewall, Email Gateway, Advanced Threat Defense, Endpoint Security and Network Security Platform.) Assemble, override, augment, and tune the intelligence source information.

Cutting-Edge Endpoint Protection
Local context feeds the execute decision through a tunable policy and classification: prevent and remediate, prevent and quarantine, or submit to application sandboxing. Personalized threat intelligence supports variable degrees of risk tolerance.

Any Given Thing Is Just Suspicious, But Context and Additional Points of View Reveal Much
Individually suspicious signals: file is new; loads as service; low prevalence; packed suspiciously; runs from recycle bin; revoked certificate.

Any Given Thing Is Just Suspicious, But Context and Additional Points of View Reveal Much (continued)
Combining those signals with other file characteristics: GTI file reputation; GTI certificate reputation; 3rd-party file reputation; 3rd-party certificate reputation; enterprise prevalence (occurrence); enterprise age (first contact); enterprise file reputation; enterprise certificate reputation; endpoint context; endpoint detection info; ATD detection info; administrator classifications. These apply to both existing and new files and certificates.
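One way to turn the "just suspicious" signals above, the tunable policy with variable risk tolerance from the endpoint-protection slide, and the administrator classification override into a single classification decision, as an added example (not McAfee's code or TIE's actual scoring): the weights, the thresholds per department, the prevalence and age cut-offs and the sample files are all assumed for illustration.

```python
# Added example (not McAfee's code): scoring the context signals listed above
# against a per-department risk tolerance. Weights, thresholds, signal cut-offs
# and the sample files are assumed for illustration.
from dataclasses import dataclass

@dataclass
class FileContext:
    md5: str
    gti_reputation: str            # "known_good" | "unknown" | "known_bad"
    enterprise_prevalence: int     # endpoints in this org that have seen the file
    enterprise_age_days: int       # days since first contact in this org
    packed_suspiciously: bool = False
    runs_from_recycle_bin: bool = False
    loads_as_service: bool = False
    cert_revoked: bool = False
    admin_classification: str = ""  # local override: "allow" | "block" | ""

# Each signal on its own is "just suspicious"; the score adds up what is observed.
WEIGHTS = {
    "low_prevalence": 15, "file_is_new": 15, "packed_suspiciously": 20,
    "runs_from_recycle_bin": 25, "loads_as_service": 10, "cert_revoked": 40,
}
# Tunable policy per department / system type: (sandbox_at, block_at).
# Lower thresholds mean less risk tolerance.
POLICIES = {"finance": (25, 40), "engineering": (40, 70)}

def signals(ctx):
    """Names of the suspicious characteristics present in this file's context."""
    found = []
    if ctx.enterprise_prevalence <= 3:
        found.append("low_prevalence")
    if ctx.enterprise_age_days <= 2:
        found.append("file_is_new")
    for name in ("packed_suspiciously", "runs_from_recycle_bin",
                 "loads_as_service", "cert_revoked"):
        if getattr(ctx, name):
            found.append(name)
    return found

def classify(ctx, department):
    """Return (decision, score, signals); decision is allow | sandbox | block.
    Administrator classification overrides everything; a known-bad global
    reputation blocks outright; a known-good file is re-scored once its
    certificate is revoked, so a reputation change can flip the decision."""
    if ctx.admin_classification:
        return ctx.admin_classification, 0, []
    if ctx.gti_reputation == "known_bad":
        return "block", 100, ["gti_known_bad"]
    if ctx.gti_reputation == "known_good" and not ctx.cert_revoked:
        return "allow", 0, []
    found = signals(ctx)
    score = sum(WEIGHTS[s] for s in found)
    sandbox_at, block_at = POLICIES[department]
    if score >= block_at:
        return "block", score, found
    if score >= sandbox_at:
        return "sandbox", score, found       # submit to ATD for dynamic analysis
    return "allow", score, found
```

The same gray file is blocked in the low-tolerance department and sent to the sandbox in the high-tolerance one, and a previously trusted file is re-classified the moment its certificate reputation changes.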
Adaptive Security in Action: Adapt and Immunize, from Encounter to Containment in Milliseconds
Adaptive security improves anti-malware protection (Global Threat Intelligence, 3rd-party feeds, the TIE server, ATD, ePO and ESM connected to the endpoints over the Data Exchange Layer):
- Better analysis of the gray: crowd-source reputations from your own environment; manage risk tolerance across departments/system types
- Actionable intelligence: early awareness of first occurrence flags attacks as they begin
- Know who may be, or was, compromised when certificate or file reputation changes
Reported, with action taken: file age hidden; signed with a revoked certificate; created by an untrusted process.

Threat Intelligence Exchange: Adapt and Immunize, from Encounter to Containment in Milliseconds
Security components (NGFW, NSP, Web Gateway, Email Gateway, Global Threat Intelligence, the TIE server, ATD, 3rd-party feeds, ePO, ESM and the endpoints, connected over the Data Exchange Layer) operate as one to immediately share relevant data between endpoint, gateway, and other security products.

Instant Protection Across the Enterprise
Gateways block access based on endpoint convictions: proactively and efficiently protect your organization as soon as a threat is revealed.

Adaptive Intelligent Controls
Orchestrated and automated responses adapt faster than threats can evolve. Learned insights are shared instantly. Response (hunt, kill, remediate) is orchestrated to neutralize threats and reduce complexity:
- Identify IOCs and IOAs
- Isolate affected systems
- Kill malicious processes
- Remove payloads
- Find patient zero
- Repair systems (registry, file system, configurations)
- Patch vulnerabilities

Enterprise Security Manager (SIEM): Industry-Leading Security Information and Event Management
An integrated security platform: Global Threat Intelligence, Vulnerability Manager, ePolicy Orchestrator, Network Security Manager, compliance reporting, event collection, log management, policy management, advanced correlation and streamlined investigations.

Adaptive Threat Prevention and Detection
(Diagram: across the DXL ecosystem, the network and gateway products (NGFW, NSP, Web Gateway, Email Gateway), the ATD sandbox, the ESM SIEM and endpoints running the TIE endpoint module exchange IOCs 1 to 4: the payload is analyzed, network and endpoints adapt, new IOC intelligence pinpoints historic breaches, and previously breached systems are isolated and remediated.)

Adaptive Security Model: Prevent, Detect, Respond and Adapt
Adaptive threat prevention and risk management (prioritization, baseline/outlier detection, risk driven):
- Prevent advancing attacks and reduce risk with countermeasures and baseline policies
- Detect breaches and changing risk exposure
- Respond quickly to threats and risk with prioritized workflows and automation
- Adapt instantly to threats and emerging risk across the entire connected IT ecosystem
Built on a collaborative infrastructure and open ecosystem, with rich contextual analytics, orchestrated actions, architecture ubiquity and a vendor-agnostic design.

Security Connected: Network Security, Endpoint Security, Deep Security.
Adaptive Security Model: Clarity, Confidence, Control
- Clarity: turn security data into security intelligence
- Confidence: use rules, workflows, alerts, and risk scoring to make intelligent, timely decisions
- Control: employ adaptive intelligence to gain sustainable advantage over attackers

The Security Connected Platform
- Security management: Enterprise Security Manager (SIEM), ePolicy Orchestrator, Threat Intelligence Exchange, Vulnerability Manager
- Content security: Email Gateway, Web Gateway, Data Loss Prevention
- Network security: Advanced Threat Defense, Network Security Platform (IPS), Firewall Enterprise, Next Generation Firewall
- Endpoint security: Endpoint Security Suites, Data Center Security Suites, Embedded Security, Device Control, Endpoint Encryption, Hardware Enhanced Security

Adaptive Security Model in Action: Adapt and Immunize, from Encounter to Containment in Milliseconds
(Diagram: NGFW, NSP, Web Gateway, Email Gateway, Global Threat Intelligence, the TIE server, ATD, 3rd-party feeds, ePO and ESM on the Data Exchange Layer, with the VSE Threat Intelligence Module on each endpoint returning a yes/no verdict.) Endpoints are protected based on gateway convictions.