Cyber Watch. Written by Peter Buxbaum




"Security is a challenge for every agency," said Stanley Tyliszczak, vice president for technology integration at General Dynamics Information Technology. "There needs to be a lot more innovation in implementation of advanced technology. The real challenge is how to implement security in a budget-constrained environment, how to separate the wheat from the chaff so you can take appropriate actions."

General Dynamics IT provides malware and intrusion detection and prevention, email scanning and other cybersecurity products and enterprise-level services to the Coast Guard.

"An organization like the Coast Guard that has significant national security responsibilities needs to be concerned about state-sponsored targeted attacks, in addition to insider threats," said Tom Cross, director of research at Lancope. "State-sponsored intrusions are the most sophisticated attacks out there. They have a lot of smart people, they have the money to spend, and they know about systems vulnerabilities months in advance of the security community."

These days, cybersecurity requires more than just old-school intrusion detection; it requires continuous monitoring of network activity and the analysis of mountains of data to identify malicious activity.

"Traditional measures like firewalls won't catch every attack, especially if legitimate credentials have been compromised," said David Pack, director of LogRhythm Labs. "The way to determine when a credential has been compromised is to build a baseline of user or host behavior and to look at log data in real time. Analytical tools can detect when behaviors have changed. At that point, an analyst can look into the situation to see whether the account has been compromised."

"It is really a triumvirate of people, processes and technology that makes for good cybersecurity," said Tyliszczak. "You can't do just one piece. Cybersecurity is an ongoing effort and there is no big bang solution, particularly since the threats are increasing in both sophistication and frequency of attack. We've learned, through a number of our programs for the DoD, IC and other federal agencies, that you have to treat cybersecurity as mission-critical and put in place multiple checks and practices that make sure systems are always protected to their highest level. There are some things you can automate, continuous monitoring of security state, for example, but it still requires trained people, disciplined processes and a culture that gives good security practices the highest priority."

"The main challenge that our industry faces today is staying ahead of the adversary," said Ross Warren, Inmarsat Government's director of cyber security. "The attacker only needs to exploit one vulnerability to gain access to a network, whereas the defenders need to ensure some faction of a defense in depth covering every avenue for exploitation."

Inmarsat Government participates in DoD's defense industrial base (DIB) Cyber Security/Information Assurance (CS/IA) program. "The DIB CS/IA program is a voluntary DoD program that enhances our capabilities to safeguard customer information that transits our unclassified information systems," Warren explained. "We also have a multi-year partnership with the FBI through their InfraGard program, through which we participate in focused interest groups representing the satellite industry."

"We fall under the U.S. Cyber Command," said Thompson. "As of November of last year we started to route our network traffic over DoD sensors before it gets down to Coast Guard sensors. That way we leveraged a higher-level enterprise filtering process. DoD is able to knock off malicious traffic before it gets to us. That lowered the number of incidents on our systems several fold."
The Coast Guard also deploys a suite of firewalls that block traffic from Internet addresses known to cause trouble and prevent network users from accessing unreliable Internet domains. "That is on the defense side, the blocking piece," said Thompson.

Thompson characterizes the other measures taken by the Coast Guard as defense in depth. One such tool, required by DoD, stops users on the network from doing things they shouldn't. "We train our users," said Thompson, "but some people don't understand the training as well as others."

The Coast Guard also deploys network monitoring tools that examine network behavior to look for anomalies. Attempts to log into the network several times with false passwords could raise a red flag, as could administrators signing in in the middle of the night when they normally don't work. "These tools help us to understand what is going on on the network and if it is legitimate or not," said Thompson.

"For many years, people have approached network problems from a perimeter security perspective," said Cross. "They built high walls to keep bad stuff out. But more recent attackers have shown sophistication in getting past those types of security systems. To identify and track those types of threats, as well as insider threats, you need to have an audit trail of the internal network."

These newer types of threat detection systems analyze internal network behaviors, explained Guy Alon, a marketing director at Israel Aircraft Industries, but also search externally for clues that could indicate an impending attack. "From an internal point, we are interested in being able to analyze network behavior, so we collect data like the hours that specific employees enter and exit a facility," he said. "On the external side, we aim to reach into cyberspace to sites like social networks to identify whether there are specific conversations that appear to be attempts to collect sensitive data. This could represent a cyber threat."

"We developed a special anomaly detection engine targeted to advanced persistent threats," said Tavi Salamon, an IAI business development manager. "It is fully automated and is able to detect patterns out of existing behavior on the network. Once the engine learns the patterns, it can tell what behavior is normal and what is abnormal. Other detection engines are rules-based and are based on past experience. The other kind learns new patterns as they develop."
Inmarsat Government has deployed multiple intrusion prevention/detection systems (IDS), giving it a defense-in-depth network architecture. We have partnered with Dell SecureWorks, a very well-respected managed security services provider, to manage our intrusion prevention system and provide security on the edge of our network. SecureWorks' 24/7/365 security operations center monitors and protects our networks, providing an added level of confidence to our defensive posture and security. Inmarsat Government has deployed multiple IDS that use the Security Onion Linux distribution. The Security Onion IDS sensors leverage multiple mature, open-source cyber defense software packages in a very easy-to-deploy installation.

"We collect data to develop multiple dimensions of user behaviors," said Pack. "It might be normal for a user to change to a different job function and access new data, but if multiple dimensions of a user's behavior change within an hour, that is an indication of compromised credentials."

LogRhythm pulls network log data to a centralized location for processing by an analytics engine. "We enable organizations to baseline normal, day-to-day activity across multiple dimensions of the enterprise," said Pack. The system then analyzes the log, flow and machine data it collects against that baseline to discover anomalies in real time. For example, a system baseline could be created showing the rolling averages of the expected numbers of users logged into a system at any given point, to create parameters of what constitutes normal and abnormal usage. When activity deviates from the normal, an alert can be generated.

Collecting network data also helps with the job of analyzing an attack after the fact. Lancope's tool collects NetFlow data, records that network routers, switches and firewalls emit continuously. "This is an efficient way to create a network audit trail," said Cross. The NetFlow metadata is light but can create a history of everything that happened on a network. Other tools, which do deep packet inspection, generate a large amount of data which needs to be stored.

Analyzing NetFlow data allows analysts to recreate an attack's kill chain. "You can recreate the process the attacker took to break into the network," said Cross. "Sophisticated attacks often target specific people. They have to take action to activate the exploit. Once that happens, the malware establishes a foothold and continues to work on the inside to find information and move it out of the network." Recreating the steps the attackers engage in is useful for building models of attacks, which are used to consider what controls have to be put in place to counter each step of an attack.

It's important to emphasize that cybersecurity technology doesn't work effectively on its own. It requires interaction with humans. An alert generated by a piece of software does not necessarily indicate an attack. The trained analysts are the ones who actually determine whether an attack has occurred or is underway.

"We have watch standers working 24/7 at our cyber operations center," said Thompson. "They look at anomalous behavior identified by the software and conduct further investigations. They also analyze attack kill chains to see where our defenses were effective, or not. If defensive measures did not stop an attack, they can put a block on that portion of the network. We also have a forensics team that investigates what systems and data an attack was aiming for and whether the signature of that attack spread to other portions of the network."

Contractors are well advised to take the educational responsibility for their own staff who are placed in secure areas, according to Terry Verigan, vice president of CompuCure. CompuCure has been involved in managing government projects involving sensitive and classified data.
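The behaviour baselining that runs through this article (the failed-password and off-hours administrator signals Thompson describes, and the rolling average of logged-in users that LogRhythm uses as its example) can be reduced to a small piece of detection logic. The following is an added example written for this article, not code from LogRhythm, Lancope, IAI or the Coast Guard: the log line format, the account names, the `admin_carol` privileged account, the thresholds, and the two days of sample lines are all constructed for the demonstration.

```python
# Added example (not a vendor's or agency's code). The line format, accounts,
# thresholds and sample data below are assumptions constructed for the demo.
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> ACCEPT|FAIL user=<account> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>ACCEPT|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
ADMINS = {"admin_carol"}  # constructed set of privileged accounts


def parse(lines):
    """Turn matching lines into (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped here; production code should count them
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)


def hourly_distinct_logins(events):
    """Distinct accounts with a successful login in each clock hour, gaps filled with 0."""
    by_hour = defaultdict(set)
    for ts, result, user, _src in events:
        if result == "ACCEPT":
            by_hour[ts.replace(minute=0, second=0, microsecond=0)].add(user)
    if not by_hour:
        return []
    series, hour, last = [], min(by_hour), max(by_hour)
    while hour <= last:
        series.append((hour, len(by_hour.get(hour, ()))))
        hour += timedelta(hours=1)
    return series


def rolling_baseline_anomalies(series, window=6, k=3.0, sd_floor=1.0):
    """Flag hours more than k standard deviations from the rolling mean of the previous
    `window` hours. `sd_floor` stops a perfectly flat baseline (stdev 0) from turning
    every small change into an alert."""
    alerts = []
    for i in range(window, len(series)):
        history = [count for _, count in series[i - window:i]]
        mean = statistics.mean(history)
        sd = max(statistics.stdev(history), sd_floor)
        hour, count = series[i]
        if abs(count - mean) / sd > k:
            alerts.append((hour, count, round(mean, 2)))
    return alerts


def failed_password_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag an account once it accumulates `threshold` failures inside a sliding window."""
    recent, alerts = defaultdict(deque), []
    for ts, result, user, _src in events:
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts))
            q.clear()  # one alert per burst, then start counting again
    return alerts


def off_hours_admin_logins(events, admins, cutoff):
    """Learn, from events before `cutoff`, the clock hours at which each admin normally
    signs in; flag later admin logins at an hour never seen in that baseline."""
    usual, alerts = defaultdict(set), []
    for ts, result, user, _src in events:
        if result != "ACCEPT" or user not in admins:
            continue
        if ts < cutoff:
            usual[user].add(ts.hour)
        elif ts.hour not in usual[user]:
            alerts.append((user, ts))
    return alerts


def build_sample_log():
    """Constructed sample: 4 May 2015 is a quiet baseline day; 5 May carries three
    planted anomalies (admin login at 02:40, twelve distinct accounts at 03:00,
    six failed passwords for bob within one minute)."""
    lines = []
    for day in (datetime(2015, 5, 4), datetime(2015, 5, 5)):
        for hour in range(24):
            users = ["alice", "bob"] + (["dave"] if 9 <= hour <= 17 else [])
            for user in users:
                ts = day + timedelta(hours=hour, minutes=5)
                lines.append(f"{ts.isoformat()} ACCEPT user={user} src=10.0.0.5")
        for hour in (9, 14):  # admin_carol's usual sign-in hours
            ts = day + timedelta(hours=hour, minutes=15)
            lines.append(f"{ts.isoformat()} ACCEPT user=admin_carol src=10.0.0.7")
    day2 = datetime(2015, 5, 5)
    lines.append(f"{(day2 + timedelta(hours=2, minutes=40)).isoformat()} ACCEPT user=admin_carol src=10.0.0.7")
    lines += [f"{(day2 + timedelta(hours=3, minutes=n)).isoformat()} ACCEPT user=temp{n:02d} src=10.0.0.50" for n in range(10)]
    lines += [f"{(day2 + timedelta(hours=10, seconds=10 * n)).isoformat()} FAIL user=bob src=10.0.0.99" for n in range(6)]
    return lines


def analyse(lines):
    """Run all three detectors; the admin-hours baseline is learned from the first day only."""
    events = parse(lines)
    return {
        "hourly": rolling_baseline_anomalies(hourly_distinct_logins(events)),
        "bursts": failed_password_bursts(events),
        "off_hours": off_hours_admin_logins(events, ADMINS, cutoff=datetime(2015, 5, 5)),
    }


if __name__ == "__main__":
    for name, hits in analyse(build_sample_log()).items():
        print(name, hits)
```

Running it, `analyse(build_sample_log())` returns exactly one alert per planted anomaly and nothing for the quiet baseline day. Two tuning choices do most of the work in practice: the standard-deviation floor, because a perfectly regular baseline has zero spread and without a floor any change at all becomes a "statistical" anomaly that buries the analyst in noise; and the window length, which decides how quickly a spike is absorbed into the new normal. Either way the output is a lead for the watch stander, not a verdict, which is the point the article's interviewees make about alerts.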
"Whenever we have a team going on site," said Verigan, "we do background checks as required by the agency, but we also educate and remind staff members about what we are dealing with." That means, for example, leaving their cell phones behind when those devices are not allowed on site, usually because of their photographic capabilities.

Verigan also advises prohibiting the use of social media sites on agency networks. "Social media in my experience is insecure," he said. "Small malware files can be embedded in social media transmissions the same as in email. Social media tends to make workers a little more casual about their work environment, which in itself can be a big security issue. Making social media secure seems to be a non sequitur."

The Coast Guard is ramping up its training of its cybersecurity personnel, according to Thompson. "Because threats are evolving and becoming more challenging and more pervasive, we need a more robust ability to respond," he said. "The National Security Agency has some training courses online and industry has a robust set of courses that our people can learn from. Forensics especially requires extensive training. We teach our forensics people how to maintain a virtual chain of custody. They have to do everything that investigators do in the physical world." The Coast Guard also provides extensive on-the-job training, Thompson noted.

"We currently are researching new detection and prevention methods such as botnet interception with DNS redirection and rogue user detection through behavior analytics," explained Warren. "We strongly believe the way to improved security capabilities is through a greater understanding of our currently deployed defenses." Inmarsat Government sees the practices and methodologies suggested by the Network Security Monitoring principles as a natural progression that builds on lessons learned from managing firewalls, anti-virus and web filtering. Understanding normal behavior and the deviations from that normal behavior shows the most promise for improving cyber security.

IAI offers a simulated cybersecurity training system that represents an integration of several different commercial training tools. "The trainer can insert different types of attack patterns," said Salamon, "and the student has to work through the scenario and distinguish what to do in different situations."

One thing that Lancope is working on is to facilitate the sharing of threat information among different organizations that use its tools or similar ones. "Threat intelligence is not standardized," said Cross. Work is currently taking place to establish standard formats for communicating threat information and to build processes within organizations to manage that sharing. "Many organizations take in threat intelligence," Cross added, "but don't see the benefit of telling other people what they learn. We've got to break that ice. That is going to dominate the discussion in coming years."