Global Cloud Networking | Advanced Managed Security | Cloud Unified Communications
Rethinking Cyber Security in the Age of the Breach
Craig D Abreo, CISSP, VP Security Operations
Copyright 2015 Masergy Communications, Inc.
A Quick History of Hacking
- Hackers emerge at MIT - efficiency was the goal
- Phone hacks (Phreakers) - John Draper (Blue box)
- Phreakers move to computing
- Hacking groups - Legion of Doom / Chaos Computer Club
- 2600 Magazine
- Robert Morris (1st worm)
- Operation Sundevil
- Kevin Mitnick takedown
- AOHell (AOL mail bomb)
- Denial of service (large organizations)
- DNS attacks
- Source code stealing
- Intellectual property theft
- Credit card / PII theft
- APT and malware
- State-sponsored attacks
Let's dissect an advanced cyber attack
Typical Advanced Persistent Threat (APT) attack process
Phases:
- Initial / zero-day attacks
- Backdoor / remote access
- Lateral movement on the network
- Data gathering / exfiltration
- Cover tracks
Techniques seen across these phases: Targeted attacks, NICAZE, Reconnaissance, Proxy tunneling, Log editing, Phishing, Malware, Social engineering, Vulnerable services, Software flaws, Drive-by downloads, IRC botnets, Logic bombs, Command & Control (C&C), User-mode rootkits, Kernel rootkits, BIOS malware, Scanning, Vulnerable asset discovery, Network sniffing, File shares, Databases, Password cracking, Hidden data streams (NTFS alternate data streams), Covert TCP channels (Loki), Reverse WWW shells, Steganography techniques, Log / accounting clearing, Use of proxy channels (Tor), Clearing shell history, Microcode malware, SQL injection, VM detection
The result: you can't escape the news
The high cost of data breaches
The average cost to a company for a data breach is $3.5M
Source: Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis
Typical enterprise security landscape
- Siloed, independent security solutions
- Perimeter focus: does not protect against internal threats
- Signature based: detects only known signatures; 95%+ exposed; no defense for emerging threats, 0-day attacks, or encrypted traffic
- Inability to monitor themselves: inadequate oversight, monitoring, ticketing and incident response
- Management challenges: not enough security expertise, small security staff
Monitoring all available traffic is key: East-West traffic, North-South traffic, and user traffic
Security Integration and Information Sharing
Advanced Behavioral Analysis & Machine Learning: Resource & Pairing, Threshold, Protocol & Pattern, Statistical & Frequency engines
Resource & Pairing Engine
- System resources monitoring: services, protocols, ports, etc.
- Major and minor overflows and underflows
- Inbound and outbound activity
- Determines when new servers are found
- Detects new services discovered on a previously known host/entity (e.g. tcp/3306, tcp/443, tcp/21)
- The Pairing Engine monitors and tracks host-to-host and host-to-network communication
Threshold Engine
- Time-based analysis using predictive mathematics to determine expected values
- Time-slice analysis: single hour, continuous contiguous hours, day of week/month/quarter
- Useful for time-based functions: backups, batch processing, etc.
Protocol Analysis & Pattern Engine
- Analysis to check for proper protocol usage
- Packet anomalies are used to evade detection: fragments, sequence obfuscation, de-synchronization
- Abnormal packets = unsafe packets
- The Pattern Engine attempts to classify known traffic
Statistical Analysis & Frequency Engine
- Statistical analysis of: packet flow through the environment, individual systems, field information within packets
- Measures and tracks the rate of change in frequency from the statistical engine: packet count, protocol usage, port/service usage
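To make the Resource & Pairing and Threshold engines concrete, here is an added illustration of the two ideas over constructed flow records; it is example code written for this page, not Masergy's engine, and the sample records, hour buckets and the 3-sigma band are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records, not real traffic: (client, server, server_port)
BASELINE_FLOWS = [("10.0.1.5", "10.0.2.10", 443), ("10.0.1.5", "10.0.2.10", 443),
                  ("10.0.1.6", "10.0.2.11", 3306)]
NEW_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443),   # known client, server and service: quiet
    ("10.0.1.5", "10.0.2.10", 21),    # known server exposing a service never seen before
    ("10.0.1.7", "10.0.2.12", 22),    # server never seen before
    ("10.0.1.7", "10.0.2.11", 3306),  # known service, but a client that never talked to it
]

def learn_pairing_baseline(flows):
    """Pairing engine baseline: ports seen per server, and every client->server pair seen."""
    servers, pairs = defaultdict(set), set()
    for client, server, port in flows:
        servers[server].add(port)
        pairs.add((client, server))
    return servers, pairs

def pairing_alerts(servers, pairs, flows):
    """Flag new servers, new services on known servers, and new host-to-host pairings."""
    alerts = []
    for client, server, port in flows:
        if server not in servers:
            alerts.append(("new-server", server, port))
        elif port not in servers[server]:
            alerts.append(("new-service", server, port))
        elif (client, server) not in pairs:
            alerts.append(("new-pairing", client, server))
    return alerts

# Constructed per-hour packet counts: hour -> counts from earlier days, and today's counts
HISTORY = {2: [1000, 1100, 900, 1050], 3: [500, 520, 480, 500], 4: [500, 520, 480, 500]}
TODAY = {2: 5000, 3: 0, 4: 510}

def threshold_alerts(history, observed, k=3.0):
    """Threshold engine: the expected value for a time slice is its historical mean; a count
    more than k standard deviations above it is an overflow, below it an underflow."""
    alerts = []
    for hour, count in observed.items():
        samples = history.get(hour, [])
        if len(samples) < 2:
            continue  # no baseline yet for this slice
        mean, sd = statistics.mean(samples), statistics.pstdev(samples)
        band = k * (sd or 1.0)  # constant history would otherwise give a zero-width band
        if count > mean + band:
            alerts.append(("overflow", hour, count))
        elif count < mean - band:
            alerts.append(("underflow", hour, count))
    return alerts
```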
Identifying and analyzing abnormal network behaviors: Machine Learning
The human element of security
Security = Protection/Prevention + Detection + Incident Response
Let the machines do what they do best, integrate closely with human intelligence/expertise, and let the humans do what they do best.
People, Process, Technology
How can you apply these concepts?
- Monitor all available traffic across your whole network (North-South, East-West, critical zones, logs, scans, endpoints, etc.)
- Don't rely just on signature-based technologies; explore your behavioral options
- Hold a bake-off before you settle on an MSSP; security is 24/7, not 9-5
- Invest in a comprehensive security audit program
- Educate your users: security awareness goes a long, long way
Thank You!!