Security Architecture: From Start to Sustainment
Tim Owen, Chief Engineer, SMS
DGI Cyber Security Conference, June 2013
Security Architecture Topics
- Introduction
- Reverse Engineering the Threat
- Operational Approach
- System Approach
- Enterprise Approach
- Developing an Enterprise Architecture Approach
Interdependence of the Cyber-Enabled World
Global Supply Chain Vulnerabilities
- Complex threat: contamination, counterfeit
- Countermeasures: surveillance, inspection, testing
Source: US-China Economic Security Review Commission, 2012, prepared by Northrop Grumman
Phishing Attacks
Result of a phishing attack at a National Laboratory:
- 530 email recipients
- 50 clicks
- 2 downloads
- 1 infection
- 19 days offline
Advanced Persistent Threat - Operation Shady RAT (2006-2011)
What was targeted:
- National secrets
- Source code
- Email archives
- Negotiations, plans
- Oil & gas document stores
- Legal contracts
- SCADA configurations
- Design documents
- Intellectual property
Example of Advanced Persistent Threat
- Phase 1: Identify targets; create emails with attachments that appear routine (Word documents, PowerPoint presentations, Excel spreadsheets), loaded with exploit code that installs a Trojan.
- Phase 2: The Trojan contacts an external URL. Commands may be hidden in images.
- Phase 3: The Trojan takes control of the compromised computer.
- Phase 4: The attacker escalates privileges, moves laterally, exfiltrates data, etc.
Defense in Depth
Trend Micro's APT stages: Recon, Preparation, Infiltration, Beachhead, Propagation & Exploitation, Command & Concealment, Exfiltration & Obfuscation
Challenges Ahead Now!
The Increasing Threat
- Complex and continuously evolving threats and hackers
  - Need a defined security plan (requirements, implementation, monitoring) tailored to your environment
- Collaboration & information sharing
  - Offense must inform the defense
  - Public/private sector collaboration is essential
- Growing demand for automated continuous threat monitoring
  - Vast array of tools to help detect and mitigate Advanced Persistent Threats
  - Cannot relax legacy security activities (firewalls, passwords): advanced threats seek the easiest vulnerability/avenue of attack
- Continuous monitoring (of the security process)
- Need to design security in (um, what's that called again?)
The Cloud, Big Data, and Mobile
Basic tenet of security: decrease the attack surface
The Cloud and Big Data
- Georgia Tech study: the most obvious exploit that could lead to the creation of malicious compute clouds is simple credit-card fraud. Most cybercriminals have access to thousands, if not millions, of stolen credit card numbers. Using stolen accounts to buy cloud computing resources can be a quick way for attackers to create dangerous clusters of virtual systems.
Mobile Computing
- Gartner predicts: employee-owned devices will be compromised by malware at twice the rate of enterprise-owned devices
- Consider: a smartphone with unproven applications and free downloads; you're carrying a listening device in your pocket
- In 2012 mobile became the most pervasive means of accessing the Internet
- In the US <1% of mobile devices are infected by malware; in some other countries, 40% (Georgia Tech)
- Mobile users are 3x more likely to visit a phishing site than other users
A Managed Service Response (Operational)
More than the ABCs of Security Architecture
- Access, Authentication, Accounting (passwords, PIV cards, HSPD-12)
- Network security at the boundaries of the enterprise (firewall, IPS, monitoring) or of the operating system (HIPS/FW)
- System security compliance or hardening (NIST SP 800, DoD 8500, HBSS)
System Approach
- Focus on vulnerabilities: system weaknesses, commonality of operating systems, interdependence
- Growing too rapidly: in 2010 IBM identified > 8,000 new vulnerabilities, a 27% increase over 2009; exploits were also up 21 percent
Vulnerabilities Exploited - Examples
- Oct 2012 - Red October, discovered by Kaspersky. Worldwide, underway since 2007. Exploited vulnerabilities in the Word and Excel programs. Targets in Europe, Asia and North America: embassies, research firms, military, energy, nuclear and others. Full extent of damage is unknown.
- Dec 2012 - Two US power plants hit by sophisticated malware attacks. Attack vector: unprotected USB drives. Poor security controls.
- Dec 2012 - Council on Foreign Relations and an industry company. A zero-day vulnerability in Internet Explorer was used to compromise computers of those who visited the websites.
Can You Reverse Engineer Risk?
Working Backwards from Risk: CAESARS Reference Architecture
(Continuous Asset Evaluation, Situational Awareness, and Risk Scoring)
- Continuous Assessment: inventory (HW/OS/Apps), vulnerabilities (CVEs, IAVAs), threats (traffic, logs, flow data, now)
- Situational Awareness: where do I spend my time today?
- Risk Scoring: Continuous Asset Evaluation and Situational Awareness combine into the RISK SCORE
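As an added illustration (not part of the slides or of the CAESARS specification itself), the toy Python below joins a constructed asset inventory against a constructed vulnerability feed and flow records, and turns the three CAESARS inputs (inventory, vulnerabilities, threats) into one risk score per asset that answers "where do I spend my time today?". The criticality scale, weights, CVE ids and addresses are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed vulnerability feed keyed by installed software. The CVE ids and
# CVSS base scores are placeholders for illustration, not real advisories.
VULN_FEED: Dict[str, List[Tuple[str, float]]] = {
    "word-2010":  [("CVE-EXAMPLE-0001", 9.3)],
    "excel-2010": [("CVE-EXAMPLE-0002", 7.8)],
    "ie-8":       [("CVE-EXAMPLE-0003", 9.3), ("CVE-EXAMPLE-0004", 6.8)],
    "openssh-6":  [],
}
# Constructed threat indicators (documentation-range addresses, not real IoCs).
THREAT_HOSTS = {"203.0.113.10", "198.51.100.7"}

@dataclass
class Asset:
    name: str
    criticality: int              # assumed scale: 1 (low) .. 5 (mission critical)
    software: List[str]           # inventory (HW/OS/Apps) reduced to package names
    flows: List[str] = field(default_factory=list)  # "src dst port" flow records

def open_cves(asset: Asset) -> List[Tuple[str, float]]:
    """Join the asset inventory against the vulnerability feed (Vulnerabilities)."""
    return [cve for pkg in asset.software for cve in VULN_FEED.get(pkg, [])]

def threat_hits(asset: Asset) -> int:
    """Count outbound flows to known-bad hosts (Threats from flow data)."""
    return sum(1 for line in asset.flows if line.split()[1] in THREAT_HOSTS)

def risk_score(asset: Asset) -> float:
    """Risk = criticality x (vulnerability exposure + observed threat activity).
    Exposure is the summed CVSS of open CVEs, capped at 10 so one noisy host
    cannot swamp the ranking; each threat hit adds a fixed 5 points (assumed)."""
    exposure = min(10.0, sum(score for _, score in open_cves(asset)))
    return asset.criticality * (exposure + 5.0 * threat_hits(asset))

def rank_assets(assets: List[Asset]) -> List[Tuple[str, float]]:
    """Situational awareness: highest-risk asset first."""
    return sorted(((a.name, risk_score(a)) for a in assets), key=lambda r: -r[1])

# Constructed sample inventory with one flow record per host.
SAMPLE_ASSETS = [
    Asset("hr-desktop", 2, ["word-2010", "excel-2010"], ["10.0.0.5 203.0.113.10 443"]),
    Asset("scada-hmi", 5, ["ie-8"], ["10.0.1.9 192.0.2.20 443"]),
    Asset("bastion", 4, ["openssh-6"]),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{name:12s} risk={score:5.1f}")
```

The mission-critical SCADA host ranks first on exposure alone, while the lower-value desktop is lifted by its observed beacon to a flagged host; a real CAESARS deployment would refresh all three inputs continuously rather than once.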
The Converged Enterprise Environment
All Aspect Security
Security View of Enterprise Architecture
Security Architecture
- Network architecture supporting security
- Security/protections infrastructure (protocols/networks)
- Security/IA tools, capabilities, and algorithms
- Security support infrastructure (encryption, identity management, authentication, AD, DNS[Sec], IPALM, keys)
- Security operations, network operations, event and incident management, correlation & analysis
- Vulnerabilities, exploits, and system sustainment
- Intrusion management, capability framework management, architecture management
- Governance, risk, and compliance (policy, C&A, CM)
- Response, resilience, and recovery
- Personnel management (training, process orientation, performance measurement)
- [Enterprise Architecture], tech refresh, planning, and procurement
Enterprise Approach
- Cyber warfare versus cyber defense: CND, CNA, CNE, Information Assurance, Information Operations
- Threats, vulnerabilities, and a systemic approach
- Operating in a war zone versus building a static solution
  - Changes to the environment, process, elements, even personnel create potential vulnerabilities (need to manage change, manage systems, and manage maturity)
  - Not changing with the threat landscape creates weakness without warning (need to manage awareness and metrics, not just vulnerabilities)
Enterprise Approach
- An Enterprise Approach means it's a business/mission continuity issue: mission performance in the face of cyber warfare
- Enterprise Architecture may be the most comprehensive way to develop an Enterprise Approach to security
EA Approach to Security Architecture
- How do you plug security into your EA process?
- How do you extract security from an EA framework?
- How do you translate EA solutions into operations?
EA Framework Touch Points
Operationalizing Architecture and Vice Versa
Q&A (My Questions, Your Answers)
- Better, consistent implementation of security practices within the EA framework: extensions to the framework? Intentions of the framework?
- Ingesting data and interfacing with network & security operations, systems engineering, policy & governance
- Reverse engineering risk