Rapid Fire Security: Evolution to Revolution
David O Berry, previously Director of Strategic Development and ITS for SC Probation, Parole, & Pardon Services

During my 19+ years with South Carolina:
MS-ISAC Executive Board
SC Security Domain Chairman and Collaboration TL
Midlands ISSA Chapter Founder and President
Trusted Computing Group's Customer Advisory Council (TNC-CAC) Chairman
TOG's Improving The Digital Ecosystem Workgroup
Chapters published on IF-MAP, SCAP, TNC and Standards-Based Defense/Mitigation (ISMH 09, 10, 11)

My Previous Life's Work and the IT Environment:
800+ users, rapidly growing external user base (1000s)
100% mobile capable; plan started in 2002
26-30+ full-time IT staff including development, engineering, help desk, and remote support
Decentralized workforce
Heterogeneous and open standards deployments
Core: McAfee, Dell, Juniper, APC
Network: Juniper, BlueCoat, Citrix, Imprivata
Data: McAfee EEPC, Device Control, Host DLP
Endpoint: McAfee AV, HIPS, Policy Auditor
Management: McAfee's ePolicy platform, STRM, NSM Manager, Cacti and other open source products
First of all, some recognition for exceptional efforts.
The Art of Security

The Techno-Industrial Revolution 2.x is THE ULTIMATE outcome of the application of human creative skills and imagination.
http://news.nationalgeographic.com/news/2012/12/pictures/121205-earth-night-science-space/
Threat Radar = Answering The Question Why?

Industrial threats will mature
Hacktivism: reboot or be marginalized
Windows 8: BIOS and hardware attacks
Mobile botnets, rootkits, and attack surface, oh MY!
Rogue CERTs: rooting trust
Threat Trends: Unfathomable Numbers

70% increase in the number of suspect URLs in 2013, now 98 million total!
1,000,000 new unique samples of ransomware in 2013
2,200,000 new MBR-attack-related samples in 2013
2,400,000 new Android malware samples in 2013
5,700,000 new malicious signed binaries in 2013
200 new threats every minute, or more than 3 every second
Source: McAfee Labs

Key Topic: Mobile malware, the march continues! 2.47 million new Android mobile malware samples were added in 2013, up 197% from 2012. There were 744,000 new samples in Q4 alone!!

Key Topic: Malicious signed binaries. Can we trust the Certificate Authority model? The number of malicious signed binaries in our library tripled in 2013 to more than 8 million. In Q4, there were 2.3 million new and unique malicious signed binaries. The total includes stolen, purchased, or abused certificates, but the majority of the growth is due to dubious content distribution networks (CDNs).

Key Trend: Malware. Attackers can now deliver nearly unique samples to every victim. As a result, the total number of known malware samples grew at an even faster rate in 2013. The McAfee Labs zoo grew by 81 million samples in 2013. It now contains more than 196 million unique malware samples. There are 200 new threats every minute, or more than 3 every second.

Key Trend: Ransomware. The volume of new ransomware samples doubled from Q4 2012 to Q4 2013. McAfee Labs added 1 million new samples in 2013.

Key Trend: Rootkits. The volume of new rootkits is the lowest it has been in three years.
This was THEN. Literally in black and white!!!
Next generation data centers: a large-scale virtualized utility fabric provides application services to millions of users (the utility computing vision).

[Diagram: multi-tiered applications on a switched fabric infrastructure on demand. Internet and intranet edge routers and routing switches feed an access tier (authentication, DNS, intrusion detection, VPN, web cache processing elements); a 1st level firewall and load balancing switches front the web tier (web servers, web page storage on NAS); a 2nd level firewall and switches front the application tier (application servers, files on NAS); switches front the database tier (database/SQL servers) backed by a storage area network (SAN) and storage elements.]
Threats Rapidly Moving Down the Stack

Attack and disable security products, and hence all protection
Compromise the virtual machine, and hence all guest machines within it
Ultimate APTs compromise devices below the OS, either before or after shipment

[Diagram: the stack from top to bottom: Applications/RDBMS, AV, HIPS, Operating System, Virtual Machine, I/O, Memory, Disk, Network, Display, BIOS, CPU]

Traditional attacks and defenses focused primarily on the application layer
Infect the OS with APTs, resulting in threats hidden from security products
Rogue peripherals and firmware bypassing all other security measures
Past, Present, and Future

2007 (5 years ago): 1M malware samples
2013 (today's estimate): 130M malware samples
By 2020 (in 7 years): 40% of data will be generated by IoT
Connected devices (IoT) will represent 24 billion*
And They Wonder Why We Seldom Sleep Peacefully?
Design includes security objectives

End-to-end security management
Protect against attacks at the physical layer
Machine-level integrity checks
Identity linking and authorization
Secure deployment of credentials
UI to control security operations and manage the security lifecycle
Data management

Techno-Industrial Revolution 2.x is absolutely all about MASSIVE SCALE!!!!!!!
Evolution of Cyber Security and the Cyber Intelligence Problem

Yesterday's Security / Today's Problem??? / Tomorrow's Solution???

Network Awareness: Protect the perimeter and patch the holes to keep out threats; share knowledge internally.

Increasing Cyber Risks: Malicious actors have become much more sophisticated and money driven. Losses to US companies are now in the tens of millions; worldwide, hundreds of millions. Cyber risks are now ranked the #3 overall corporate risk on Lloyd's 2013 Risk Index.

Intelligence Sharing: Identify and track threats, incorporate knowledge, and share what you know manually with trusted others, which is extremely time consuming and ineffective in raising the costs to the attackers.

Manual Sharing Is Ineffective: Expensive because it is a slow manual process between people. Not all cyber intelligence is processed; probably less than 2% overall = high risk. No way to enforce a cyber intelligence sharing policy = non-compliance.

Situational Awareness: Automate sharing, develop a clearer picture from all observers' input, and proactively mitigate.

Solving the Problem: Security standards have recently matured. A Cyber Intelligence Sharing Platform is revolutionizing the sharing and utilization of threat intelligence.
Cyber Intelligence Problem: Typical Sharing of Intelligence Today

1. Machines detect threats, typically stored in proprietary formats or PDFs
2. People export data and manually share via multiple media types
3. Other people rarely get a full picture of ongoing threats
4. Only some threats are mitigated

[Diagram: Org A and Org B exchanging intelligence by email/phone or secure portal, with steps 1-4 marked]
Impediments To Progress

Trust isolated into like organizations based on similarly perceived threats/business line
Vendor interoperability
Individual organizations with manual processes
Many elements of automation still disconnected
Vendor driven
Collaboration across organizations
Competitors nervous to share data
Liability
Disagreement about which system to use to share information
Simplicity of automation to support small organizations
Shortage of skilled analysts
How to share without tipping off the enemy?
FS-ISAC

MISSION: Sharing timely, relevant, actionable cyber and physical security information and analysis

A nonprofit private sector initiative formed in 1999
Designed, developed, and owned by the financial services industry
Assists in mitigating recent cybercrime and fraud activity
Processes thousands of threat indicators per month
2004: 68 members; 2014: 5,000+ members
Sharing information globally
How FS-ISAC Works: Circles of Trust

[Diagram: FS-ISAC at the center, surrounded by IRC, CHEF, BRC, Cyber Intel, PPISC, TIC, PRC, CIC and CAC]

Clearing House and Exchange Forum (CHEF)
Payments Risk Council (PRC)
Payments Processor Information Sharing Council (PPISC)
Business Resilience Committee (BRC)
Threat Intelligence Committee (TIC)
Community Institution Council (CIC)
Insurance Risk Council (IRC)
Compliance and Audit Council (CAC)
Cyber Intelligence Listserv
Education Committee
Product and Services Review Committee
Survey Review Committee
Security Automation Working Group (SAWG)

Member reports an incident to the Cyber Intel list, or via anonymous submission through the portal
Members respond in real time with initial analysis and recommendations
SOC completes analysis, anonymizes the source, and generates an alert to the general membership
Sharing is key: INFRASTRUCTURE, TRUST. To be forewarned is to be forearmed.
Traffic Light Protocol (TLP)

RED: Restricted to a defined group (e.g., only those present in a meeting). Information labeled RED should not be shared with anyone outside of the group.
AMBER: Information may be shared with FS-ISAC members.
GREEN: Information may be shared with FS-ISAC members and partners (e.g., vendors, MSSPs, customers). Information in this category is not to be shared in public forums.
WHITE: Information may be shared freely and is subject to standard copyright rules.
Other Models

Common non-disclosure language developed and NDAs to enforce secrecy
Consortia are built around common interest areas that define a common context of threat
Organizations operate in an open environment (no anonymization)
Organizations contribute what they are willing to share to a central automated repository with appropriate handling caveats (TLP and other)
Participation accelerates when the percentage of sharing organizations is high; members share process and technology to improve sharing for everyone's benefit
Countermeasures Trends: Intelligence, Response, and Red Teams

Extensive red teaming and SE testing
Develop operational readiness
Focus on OSINT analysis and forensics
Extensive internal CERT team investments
Partnerships for information sharing
Security Automation Will Revolutionize Information Sharing
Common Language(s)

MITRE has been working with industry to develop common structures: STIX, CybOX, TAXII, CAPEC, MAEC, OVAL
Implementations are still immature, but there is a gathering storm
Analysts must have a firm grasp of this entire space
Cyber Threat Intelligence: consider these questions...

What activity are we seeing?
Where has this threat been seen?
What weaknesses does this threat exploit?
Who is responsible for this threat?
What threats should I be looking for and why?
What does it do?
Why does it do this?
What can I do?
Cyber Threat Intelligence That Machines Can Use Too

<?xml version="1.0" encoding="utf-8"?>
<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://cybox.mitre.org/cybox_v1"
    xmlns:Common="http://cybox.mitre.org/Common_v1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject"
    xsi:schemaLocation="http://cybox.mitre.org/cybox_v1 http://cybox.mitre.org/XMLSchema/cybox_core_v1.0(draft).xsd http://cybox.mitre.org/objects#FileObject http://cybox.mitre.org/XMLSchema/objects/file/File_Object_1.2.xsd"
    cybox_major_version="1" cybox_minor_version="0(draft)">
  <cybox:Observable>
    <cybox:Stateful_Measure>
      <cybox:Object id="cybox:a1" type="File">
        <cybox:Defined_Object xsi:type="FileObj:FileObjectType">
          <FileObj:Hashes>
            <Common:Hash>
              <Common:Type datatype="String">MD5</Common:Type>
              <Common:Simple_Hash_Value condition="IsInSet"
                  value_set="4ec0027bef4d7e1786a04d021fa8a67f, 21F0027ACF4D9017861B1D021FA8CF76,2B4D027BEF4D7E1786A04D021FA8CC01"
                  datatype="hexBinary"/>
            </Common:Hash>
          </FileObj:Hashes>
        </cybox:Defined_Object>
      </cybox:Object>
    </cybox:Stateful_Measure>
  </cybox:Observable>
</cybox:Observables>

<!-- STIX Indicator w/ Snort Example
Copyright (c) 2013, The MITRE Corporation. All rights reserved.
The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html.
This example demonstrates a simple usage of STIX to represent indicators with a Snort test mechanism. This demonstrates the ability of STIX indicators to represent external test mechanisms within an indicator.
It demonstrates the use of:
* STIX Indicators
* STIX TestMechanisms
* Extensions (Snort)
* Controlled vocabularies
Created by Mark Davidson -->
<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:testMechSnort="http://stix.mitre.org/extensions/TestMechanism#Snort-1"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="http://stix.mitre.org/stix-1 ../stix_core.xsd http://stix.mitre.org/Indicator-2 ../indicator.xsd http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd http://stix.mitre.org/extensions/TestMechanism#Snort-1 ../extensions/test_mechanism/snort.xsd"
    id="example:STIXPackage-0935d61b-69a4-4e64-8c4c-d9ce885f7fcc" version="1.0.1">
  <stix:STIX_Header>
    <stix:Title>Example SNORT Indicator</stix:Title>
    <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Network Activity</stix:Package_Intent>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-ad560917-6ede-4abb-a4aa-994568a2abf4">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">Exfiltration</indicator:Type>
      <indicator:Description>
        Indicator that contains a SNORT signature. This snort signature detects 'exfiltration attempts' to the 192.168.1.0/24 subnet.
      </indicator:Description>
      <indicator:Test_Mechanisms>
        <indicator:Test_Mechanism id="example:TestMechanism-5f5fde43-ee30-4582-afaa-238a672f70b1" xsi:type="testMechSnort:SnortTestMechanismType">
          <!-- From http://manual.snort.org/node29.html -->
          <testMechSnort:Rule><![CDATA[log udp any any -> 192.168.1.0/24 1:1024]]></testMechSnort:Rule>
        </indicator:Test_Mechanism>
      </indicator:Test_Mechanisms>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
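The point of the slide is that these documents are meant for machines, not just analysts reading a PDF. As an added example (not part of the presentation, and not the python-cybox or python-stix libraries), the Python below parses the slide's two samples with the standard library: it pulls the MD5 set out of the CybOX observable and evaluates its IsInSet condition against a file hash, and it extracts the indicator type and the Snort rule from the STIX package so they can be handed to a sensor. The embedded XML is the slide's own, with element names in CybOX 1.0 / STIX 1.0.1 case; the schemaLocation attributes are left out because they do not affect parsing.

```python
"""Parse the slide's CybOX observable and STIX indicator into data a script can act on.

Added example: not code from the presentation or from python-cybox/python-stix.
The XML strings are the slide's own samples (schemaLocation omitted).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Namespace URIs declared in the slide's two documents.
COMMON = "http://cybox.mitre.org/Common_v1"
STIX = "http://stix.mitre.org/stix-1"
INDICATOR = "http://stix.mitre.org/Indicator-2"
SNORT = "http://stix.mitre.org/extensions/TestMechanism#Snort-1"

CYBOX_OBSERVABLE = """<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://cybox.mitre.org/cybox_v1"
    xmlns:Common="http://cybox.mitre.org/Common_v1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject"
    cybox_major_version="1" cybox_minor_version="0(draft)">
  <cybox:Observable><cybox:Stateful_Measure>
    <cybox:Object id="cybox:a1" type="File">
      <cybox:Defined_Object xsi:type="FileObj:FileObjectType">
        <FileObj:Hashes><Common:Hash>
          <Common:Type datatype="String">MD5</Common:Type>
          <Common:Simple_Hash_Value condition="IsInSet" datatype="hexBinary"
              value_set="4ec0027bef4d7e1786a04d021fa8a67f, 21F0027ACF4D9017861B1D021FA8CF76,2B4D027BEF4D7E1786A04D021FA8CC01"/>
        </Common:Hash></FileObj:Hashes>
      </cybox:Defined_Object>
    </cybox:Object>
  </cybox:Stateful_Measure></cybox:Observable>
</cybox:Observables>"""

STIX_PACKAGE = """<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:testMechSnort="http://stix.mitre.org/extensions/TestMechanism#Snort-1"
    id="example:STIXPackage-0935d61b-69a4-4e64-8c4c-d9ce885f7fcc" version="1.0.1">
  <stix:STIX_Header>
    <stix:Title>Example SNORT Indicator</stix:Title>
    <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Network Activity</stix:Package_Intent>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-ad560917-6ede-4abb-a4aa-994568a2abf4">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">Exfiltration</indicator:Type>
      <indicator:Description>Indicator that contains a SNORT signature. This snort signature
        detects 'exfiltration attempts' to the 192.168.1.0/24 subnet.</indicator:Description>
      <indicator:Test_Mechanisms>
        <indicator:Test_Mechanism id="example:TestMechanism-5f5fde43-ee30-4582-afaa-238a672f70b1"
            xsi:type="testMechSnort:SnortTestMechanismType">
          <testMechSnort:Rule><![CDATA[log udp any any -> 192.168.1.0/24 1:1024]]></testMechSnort:Rule>
        </indicator:Test_Mechanism>
      </indicator:Test_Mechanisms>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def _hash_values(shv: ET.Element) -> Set[str]:
    """Hex digests carried by one Simple_Hash_Value, normalized to lowercase."""
    if shv.get("condition") == "IsInSet":
        return {v.strip().lower() for v in shv.get("value_set", "").split(",") if v.strip()}
    # Single-value form (assumed for this example): the digest as element text.
    single = (shv.text or "").strip().lower()
    return {single} if single else set()


def parse_cybox_hashes(xml_text: str) -> Dict[str, Set[str]]:
    """Return {algorithm: digests} for every Common:Hash in the observable."""
    hashes: Dict[str, Set[str]] = {}
    for h in ET.fromstring(xml_text).iter(f"{{{COMMON}}}Hash"):
        type_el = h.find(f"{{{COMMON}}}Type")
        algo = (type_el.text or "unknown").strip().lower() if type_el is not None else "unknown"
        for shv in h.iter(f"{{{COMMON}}}Simple_Hash_Value"):
            hashes.setdefault(algo, set()).update(_hash_values(shv))
    return hashes


def file_hash_matches(algo: str, digest: str, hashes: Dict[str, Set[str]]) -> bool:
    """Evaluate the IsInSet condition; hex digests compare case-insensitively."""
    return digest.strip().lower() in hashes.get(algo.lower(), set())


def parse_stix_indicators(xml_text: str) -> List[dict]:
    """Pull id, type, description and any Snort rules out of each stix:Indicator."""
    found = []
    for ind in ET.fromstring(xml_text).iter(f"{{{STIX}}}Indicator"):
        type_el = ind.find(f"{{{INDICATOR}}}Type")
        desc_el = ind.find(f"{{{INDICATOR}}}Description")
        found.append({
            "id": ind.get("id"),
            "type": type_el.text.strip() if type_el is not None and type_el.text else None,
            "description": " ".join(desc_el.text.split()) if desc_el is not None and desc_el.text else None,
            "snort_rules": [(r.text or "").strip() for r in ind.iter(f"{{{SNORT}}}Rule")],
        })
    return found


if __name__ == "__main__":
    print("known MD5s:", sorted(parse_cybox_hashes(CYBOX_OBSERVABLE)["md5"]))
    for i in parse_stix_indicators(STIX_PACKAGE):
        print(i["type"], i["id"], i["snort_rules"])
```

Two details matter in practice: the slide's own value_set mixes upper- and lowercase hex, so digests are normalized before comparison, and the Snort rule is carried in CDATA, which the XML parser hands back as plain text ready to be written into a rules file.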
Sharing Solution

Instead of 2% or less of attacks blocked, detected, or prevented, a much higher percentage of attacks are stopped.

[Diagram: Org A publishes to an Intelligence Repository shared with many trusted orgs, steps 1-5 marked]
Iterative Real-Time Loops: OODA Matters

The ability to make this world happen exists now. It is not futures or fiction.
Coordinated Security: Pub/Sub Rules the New World

[Diagram: IF-MAP Protocol and open interfaces connecting Asset Management System, Endpoint Security (via NAC), SIM/SEM (Nitro, ePO), MAP Servers, IPAM, Physical Security, ICS/SCADA Security, AAA, Routing, Server or IDS, Switching, Wireless, Firewalls, and Cloud Security]
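The pub/sub model on this slide, the intelligence repository of the Sharing Solution slide and the handling caveats of the Traffic Light Protocol slide fit together in one mechanism: organizations publish indicators carrying a TLP label, the repository anonymizes the source the way the FS-ISAC SOC step describes, and each subscriber receives only what its trust circle permits. The Python below is an added example of that mechanism, not code from the presentation or from IF-MAP, DXL or FS-ISAC; the organization names and roles are constructed, and the MD5 values are taken from the slide's CybOX sample.

```python
"""TLP-gated publish/subscribe intelligence repository.

Added example, not code from the presentation or from IF-MAP, DXL or FS-ISAC;
organization names, roles and the domain values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Who each TLP label may reach, following the slide's FS-ISAC definitions.
# RED is not an audience class: it reaches only the group named on the indicator.
TLP_AUDIENCE: Dict[str, Set[str]] = {
    "WHITE": {"member", "partner", "public"},
    "GREEN": {"member", "partner"},
    "AMBER": {"member"},
    "RED": set(),
}


@dataclass(frozen=True)
class Indicator:
    kind: str                                # "md5", "domain", "snort", ...
    value: str
    tlp: str                                 # RED / AMBER / GREEN / WHITE
    source: str                              # submitting organization (hidden on delivery)
    red_group: FrozenSet[str] = frozenset()  # the defined group, used for RED only


@dataclass
class Subscriber:
    name: str
    role: str                 # "member", "partner" or "public"
    kinds: FrozenSet[str]     # indicator kinds this subscriber asked for
    inbox: List[dict] = field(default_factory=list)


def may_receive(ind: Indicator, sub: Subscriber) -> bool:
    """Apply the TLP handling caveat to one (indicator, subscriber) pair."""
    tlp = ind.tlp.upper()
    if tlp not in TLP_AUDIENCE:
        raise ValueError(f"unknown TLP label {ind.tlp!r}")  # fail closed rather than guess
    if sub.name == ind.source:
        return False  # no need to echo an indicator back to its submitter
    if tlp == "RED":
        return sub.name in ind.red_group
    return sub.role in TLP_AUDIENCE[tlp]


class IntelRepository:
    """Central repository: store, anonymize, and push to permitted subscribers."""

    def __init__(self) -> None:
        self._subscribers: List[Subscriber] = []
        self._store: List[Indicator] = []

    def subscribe(self, sub: Subscriber) -> None:
        self._subscribers.append(sub)

    def publish(self, ind: Indicator) -> List[str]:
        """Store the indicator and deliver it; return the names that received it."""
        self._store.append(ind)
        delivered = []
        for sub in self._subscribers:
            if ind.kind in sub.kinds and may_receive(ind, sub):
                # Source is anonymized the way the FS-ISAC SOC step describes.
                sub.inbox.append({"kind": ind.kind, "value": ind.value,
                                  "tlp": ind.tlp.upper(), "source": "anonymized"})
                delivered.append(sub.name)
        return delivered

    def stored(self) -> int:
        return len(self._store)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two members, one partner (an MSSP) and a public feed."""
    repo = IntelRepository()
    for sub in (Subscriber("Org A", "member", frozenset({"md5", "domain"})),
                Subscriber("Org B", "member", frozenset({"md5"})),
                Subscriber("MSSP", "partner", frozenset({"md5", "domain"})),
                Subscriber("Public feed", "public", frozenset({"md5", "domain"}))):
        repo.subscribe(sub)
    amber = Indicator("md5", "4ec0027bef4d7e1786a04d021fa8a67f", "AMBER", "Org A")
    green = Indicator("domain", "c2.example.invalid", "GREEN", "Org B")
    white = Indicator("domain", "phish.example.invalid", "WHITE", "MSSP")
    red = Indicator("md5", "21f0027acf4d9017861b1d021fa8cf76", "RED", "Org A",
                    red_group=frozenset({"Org B"}))
    return {i.tlp: repo.publish(i) for i in (amber, green, white, red)}


if __name__ == "__main__":
    for tlp, who in demo().items():
        print(f"{tlp:5s} -> {who}")
```

Two choices are deliberate: an unrecognized label raises instead of defaulting to the widest audience, because a mislabelled indicator leaking to a public feed is the failure this protocol exists to prevent, and the delivered copy carries no submitter name, so a subscriber cannot learn which organization was hit even when it can see the indicator.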
Data Exchange Layer

An innovative, real-time, bi-directional communications fabric providing product integration simplicity. Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products, enabling security intelligence and adaptive security.

[Diagram: Risk, BPM, Asset, Threat, Identity, Activity, Data, Location exchanged across the fabric]

THE SECURITY CONNECTED FRAMEWORK: ADAPTIVE SECURITY ARCHITECTURE
Current Standards Status

Pilot group, aka Friends and Family: 25 organizations participating
Vision gaining momentum: live at NH-ISAC, working with several others
Released version 1.2 to the group, with a focus on installability
Enabled collaboration: forums, bug tracker, download system
Conversion of open source intel feeds: approximately 14 sources
Automation Maturity

Humans will always be in the loop
Using STIX and TAXII repositories/gateways we can leverage already scarce talent
Fewer analysts will have to develop their own signatures
Using automation it is possible to move signatures faster
Off the shelf COTS may not interoperate across vendors
Open source may require in-house development to automate information flow
Ensuring security in information flow across systems???
Don't let your security solution become the problem!
But, can you trust analysts/incident handlers in other organizations?
What You Can Do

Encourage cyber observable/indicator sharing within your organization
Work within standards that are widely adopted (STIX/TAXII)
Don't wait for the perfect solution; start now and help mature the process
Engage with working and sharing groups:
Software Supply Chain Assurance https://buildsecurityin.us-cert.gov/
Open Web Application Security Project http://www.owasp.org
ISAC: find one that fits you
InfraGard
SANS/DSHIELD
Recap and Refocus

The New Biz World Requires More Devices (Mobile etc.), Therefore Usually More Work
Nothing Is Getting Easier
Endpoints And Flowpoints Were/Are Unmanageable With Technology That Does Not Scale From A Visibility Perspective
Standardize Where/What You Can
BOTH Modularity And Scalability Of Both Product And Aggregator Of Relevant Data Required
Slow Adoption Of Standard Solutions Cripples Innovation and Impacts Efficiency of the Overall Digital Ecosystem Safety
We Are All Part Of One Organism In This Digital Ecosystem
Immune System Concept: If Extremities Get An Infection It Can Easily Become Systemic
Digital Feudalism or Castle And Moat Were Reasonable In The Past; Now The Barbarians Can Draft Your Citizens, Dogs, Cats, Livestock, Refrigerators, etc. Into Service Against You
Bad Security Threatens Innovation, Which In Turn Threatens Productivity
Don't Give Anyone An Excuse Not To Do So
David O Berry, McAfee/Intel Security Group, @davidoberry