Compliance Risks in APT Response & Defense




Jennifer Archie, Partner
Kevin Boyle, Partner

The Security-Privacy Paradox
- No privacy without security
- Effective security has impacts on privacy
- The key privacy requirement is to protect against unauthorized access: lock it up behind a secure perimeter
- APTs are designed to elude perimeter defenses
- Detecting and eradicating APTs requires review of behavior and content in the systems and enterprise being protected

Examples of Conflicting Goals

Security:
- Obligation to provide security
- Quick response to attacks and changing strategies
- Need to retain log and traffic data for analysis
- Need to consolidate data for analysis

vs. Privacy:
- Obligation not to intrude on personal communications
- Requirements to obtain user consent and register applications/processing
- Restrictions on data retention
- Export limitations on personal data, banking information and state secrets

Fair Information Practice Principles (FIPs)
- Transparency (notice)
- Individual Participation (choice)
- Purpose Specification
- Data Minimization
- Use Limitation
- Data Quality and Integrity
- Security
- Accountability and Auditing

Rooted in the US Department of Health, Education and Welfare's seminal 1973 report, Records, Computers, and the Rights of Citizens, these principles are at the core of the Privacy Act of 1974 and are mirrored in many federal statutes and the laws of foreign nations, very notably the countries of the European Economic Area.

U.S. Legal Environment (A Privacy Outlier)
- The US has a sectoral, but still FIPs-based, legal approach
- Regulation of data users by sector, such as:
  - Government (Privacy Act, etc.)
  - Financial (GLBA)
  - Medical (HIPAA)
  - Children (COPPA)
  - Educational (FERPA)
- Breach disclosure (most states and some federal requirements)
- Limited export restrictions

Data Protection: Universal Principles
In the developed world, outside the US, the expression of data protection in various declarations and laws varies only by degrees. All require that personal information must be:
- obtained fairly and lawfully;
- used only for the original specified purpose;
- adequate, relevant and not excessive to purpose;
- accurate and up-to-date; and
- destroyed after its purpose is completed.

Non-US View
- EU (and much of the rest of the world): omnibus approach
- Privacy as a fundamental human right (including even a right to be forgotten)
- Regulation across sectors
- Any processing requires compliance with local requirements
- Broad export restrictions

Contract Requirements
- Customer agreements
  - Limitations on use of data
  - Limitations on processing locations
  - Disclosure obligations
  - Compliance-with-law obligations
- Terms of Use
- Privacy Policies

Cross Border Data Flow
- Export controls
- Laws to protect financial/medical/other sensitive information
- Anti-outsourcing laws
- Contract limitations

An Issues Smorgasbord
- US: health and export control statutes
- Germany: strict prohibitions on interception; intra-corporate networks
- France: employee rights to private communications on corporate networks
- South Korea: two-party consent to monitoring for non-South Korean companies
- China: state secret and cyber crime reporting laws; export restrictions
- CIS: limits on the use of encryption tools; prohibits export of state secrets and commercial secrets
- Colombia: sectoral limits on export of personal information

Methodology
- Detection tools: firewall logs, IDS logs, packet captures, Lima scans/host-based scanner, SIEM
- Indicators of compromise: IP addresses, protocols, registry keys, filenames, hash values
- Analysis: host forensics, network logs, malware analysis

APT Defense & Analytic Tools (listed in order of increasing privacy impact)

1. Systems Data Monitoring Tools (IDS, IPS)
   Description: These tools send alerts based on rules for non-routine events, patterns of suspicious behavior, or unusual activity. The alerts contain systems data to provide evidence of the type of issue spotted, e.g. file type, IP address, communications protocol, and what it was communicating with internally. Often programmed to recognize specific malicious signatures.
   Examples: Proventia, Fidelis XPS, NetFlow (SiLK analysis)

2. Server Monitoring Tools
   Description: Similar to the above, but work at a server or endpoint rather than network level, e.g. monitor a server to look for unusual events.
   Examples: RSA ECAT, Microsoft Threat Detection System, Symantec CSP

3. Systems Data Storage Tools
   Description: Save all log/network data so it can be reviewed at a later date. These differ from the monitoring tools, which do not save all data but only report suspicious events.
   Examples: Splunk

4. Consolidation Tools (SIEM)
   Description: Take feeds from all of the other tools so that suspicious events can be cross-referenced. This technology correlates event information and builds a larger picture of activity above and beyond individual technology collection and analysis.
   Examples: ArcSight, AlienVault SIEM

5. Content Monitoring Tools (DLP)
   Description: Undertake deep packet inspection (looking at business content) based on a set of rules to identify content being exfiltrated or moved around the network by the attackers.
   Examples: Symantec DLP

6. Content and Log Storage Tools
   Description: Store all log and content data that passes a certain point in the network, e.g. firewall, mail server, VPN tunnels. Capable of storing a complete record of all communications entering and leaving the network, which can subsequently be reviewed if necessary to investigate suspicious behavior and modes of attack. Length of data retention is the key driver.
   Examples: RSA Security Analytics

Specific Activities (Risks)
- AV, IDS/IPS and other pattern-based tools (content scanning)
- DLP (content scanning at a more intrusive level than IDS/IPS)
- Capturing network packets (metadata and/or content), logs and assets (even more intrusive content scanning)
- SIEM and log correlation/analysis (behavior tracking, works council issues, potentially ties to content scans)
- Device forensics (content scanning, behavior tracking)
- Global SOC (export controls, privacy controls)

Active Defense Example
1. IDS/IPS or SIEM alerts on a sharp uptick in DNS lookups
2. Traffic logs are reviewed, or a sniffer is used, to identify the source of the excess lookups
3. Suspect machines on the local network are identified by MAC address information in traffic and IP address logs
4. Suspect external IP addresses are blocked
5. Suspect machines are imaged and reviewed for malware
6. Traffic from suspect machines is reviewed to look for data exfiltration
7. Internal network and server logs are reviewed for evidence of lateral attacks
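The steps above say nothing about how much data the responder has to look at to carry them out, which is exactly where the privacy exposure sits. The following script is an added example (not code from the slides or their authors) showing the first three steps and the exfiltration check done in two tiers: tier 1 counts lookups per client and discards the queried names; only clients that cross a baseline-derived threshold are escalated, and only for those clients are the names, the DHCP lease (IP to MAC) and the outbound flows examined. The resolver log, lease table, flow records, internal address plan and thresholds are all constructed and assumed.

```python
"""Added example (not from the original slides): a privacy-aware version of the
DNS-spike workflow above. Tier 1 works on metadata only (lookup counts per
client). Query names, the IP-to-MAC lease mapping and flow records are consulted
only for clients that cross the escalation threshold. All data is constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed site address plan; anything outside these ranges counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
MIN_SPIKE = 10             # assumed floor: never escalate a client below this many lookups
MAD_MULTIPLIER = 5         # assumed cutoff: median + 5 * median absolute deviation
EXFIL_BYTES = 10_000_000   # assumed: outbound bytes to one external peer worth a block review

# Constructed resolver log: (client_ip, queried_name)
DNS_LOG = (
    [("10.0.0.11", n) for n in ("intranet.corp.example", "mail.corp.example", "www.vendor.example")]
    + [("10.0.0.12", n) for n in ("intranet.corp.example", "cdn.vendor.example")]
    + [("10.0.0.13", n) for n in ("intranet.corp.example", "mail.corp.example",
                                  "www.vendor.example", "time.corp.example")]
    + [("10.0.0.14", n) for n in ("intranet.corp.example", "mail.corp.example", "cdn.vendor.example")]
    # One client resolving many unique subdomains of one zone: the shape of DNS tunnelling/beaconing.
    + [("10.0.0.15", f"{i:04x}.c2.attacker-example.net") for i in range(40)]
)
# Constructed DHCP lease table (IP -> MAC) and flow records (src_ip, dst_ip, bytes_out)
DHCP_LEASES = {f"10.0.0.{h}": f"00:11:22:33:44:{h}" for h in range(11, 16)}
FLOWS = [
    ("10.0.0.11", "10.0.0.5", 12_000),
    ("10.0.0.13", "198.51.100.9", 3_000),
    ("10.0.0.15", "10.0.0.5", 4_000),
    ("10.0.0.15", "203.0.113.7", 58_000_000),
]


def tier1_counts(dns_log):
    """Metadata only: lookups per client. Queried names are discarded at this tier."""
    return Counter(client for client, _name in dns_log)


def spike_threshold(counts):
    """Robust cutoff: median + k * MAD, floored at MIN_SPIKE so small sites do not over-alert."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return max(MIN_SPIKE, med + MAD_MULTIPLIER * max(mad, 1))


def flagged_clients(dns_log):
    counts = tier1_counts(dns_log)
    cutoff = spike_threshold(counts)
    return sorted(ip for ip, n in counts.items() if n > cutoff)


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def escalate(dns_log, leases, flows, clients):
    """Tier 2, for flagged clients only: retain query names, map IP to MAC,
    and total outbound bytes per external peer to spot candidate exfiltration."""
    report = {}
    for client in clients:
        names = [n for c, n in dns_log if c == client]
        external = Counter()
        for src, dst, nbytes in flows:
            if src == client and is_external(dst):
                external[dst] += nbytes
        report[client] = {
            "mac": leases.get(client, "unknown"),
            "lookups": len(names),
            "unique_names": len(set(names)),       # close to 'lookups' => tunnelling-like
            "sample_names": sorted(set(names))[:5],
            "external_bytes": dict(external),
            "block_candidates": sorted(d for d, b in external.items() if b >= EXFIL_BYTES),
        }
    return report


def triage(dns_log, leases, flows):
    return escalate(dns_log, leases, flows, flagged_clients(dns_log))


if __name__ == "__main__":
    import json
    print(json.dumps(triage(DNS_LOG, DHCP_LEASES, FLOWS), indent=2))
```

Two design points matter for the compliance argument: the threshold is derived from the population (median plus a multiple of the median absolute deviation) rather than fixed, so the escalation decision is defensible as "unusual for this site", and the external test uses an explicit internal address plan rather than the library's `is_private`, which also treats the documentation ranges used here as non-public.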

Intrusion Response Example
1. Notice of possible intrusion (e.g. indicia of breach, law enforcement)
2. Scramble response to confirm the breach and establish scope: review available logs, look for malware and other forensic evidence
3. Stop/isolate (or perhaps monitor)
4. Implement monitoring tools to observe and trace any continued intrusion
5. Deal with notification issues (data protection regulators and users)
6. Eradicate

Active Defense vs. Incident Response
- Active defense is ongoing; IR is generally episodic
- Exigent circumstances of IR may allow a broader scope than in AD, but generally the requirements will be the same

Data Protection: EU-type DP Rules
- Many issues arise under EU and EU-type data protection regimes
- Collection/processing/access of any information about a living person is subject to regulation in the EU
- Consent may not work
- Exceptions may not apply
- Export may create additional issues
- An optimal defense-in-depth security program may not be proportional

Data Protection: United States

What Is Proportional? Tool Retention Periods
- Is there a less intrusive way?
- If data is stored, how often is it used?
- How sensitive is the data? Full packet capture is very sensitive; log data less so.
- What would be the impact of a shorter period?
- What safeguards are in place to protect individuals?
- What do others do?
- Different countries within Europe will have different views (German case law: Deutsche Telekom)

APT Tools: A Compliance Risk View (in order of increasing privacy impact; tool descriptions as in the APT Defense & Analytic Tools table above)
- General issues for all tools: data subject consent, DP registration
- Systems Data Monitoring Tools (IDS, IPS): IP addresses are treated as personal information by some jurisdictions; collection/review of physical security data may violate workplace rules, especially when correlated with other data
- Server Monitoring Tools: the fact of access to particular servers may reveal protected health information or other personal information
- Systems Data Storage Tools: same as above, but with data retention issues and an increased prospect that the substance of communications will be revealed
- Consolidation Tools (SIEM): in addition to the above, export issues (as data need to be normalized and compared, depending on configuration); additional retention issues
- Content Monitoring Tools (DLP): direct review of message content; export issues depending on configuration
- Content and Log Storage Tools: direct review of message content, data retention issues, export issues

The Compliance Dilemma
- Security necessities (regulatory and contractual) potentially conflict with various data privacy and related requirements
- Evolving area of law with conflicting obligations in and across jurisdictions
- Seeking 100% compliance is perhaps not feasible
- Potential liability on both sides (including some criminal)
- Apparently no cases deal specifically with this conflict in the context of APT attacks on corporate data, so there is no direct guidance on weighing priorities

What to Do?
- No risk-free answer
- Acting vs. not acting
- Right-sizing and scoping collection, transport, and assessment of business content and metadata gathered in IR

Risks in Not Acting
- Failure to use adequate measures to protect personal information
- Failure to meet certification requirements (US-EU Safe Harbor)
- Failure to meet contractual requirements (SCCs, BAAs, general client agreements)
- Failure to halt movement of PI and other controlled information within the network by the attacker (which movement may itself violate law)

Risks in Acting
- Lack of consent
- Exceeding scope of consent or legitimate interests
- Use of unregistered applications, or use of registered applications out of scope
- Undeclared use of data
- Export of PI without necessary consent or authority, or in violation of express export limitations
- Unauthorized interception of communications
- Monitoring employees in violation of regulations and labor requirements

A Practical Approach to Compliance
- Back to privacy first principles (FIPs)
  - Disclosure/transparency
  - Least intrusion necessary (proportionality/necessity)
  - Balance interests
- Ensure monitoring is necessary and no less intrusive means is available
- Obtain employee consent where possible
  - As part of onboarding
  - Sign-on banners
  - As part of ongoing security awareness efforts

A Practical Approach to Compliance (continued)
- Reduce the risk of misuse through appropriate safeguards and documented, tool-specific written protocols regarding export, access and use, with a requirement to escalate for express permission to deviate from protocol
- Ensure DP filings and other compliance materials adequately disclose monitoring
- Monitoring notified to and agreed with works councils where required
- BCRs (Binding Corporate Rules) may afford additional flexibility in response
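The "safeguards and tool-specific written protocols regarding export, access and use, with escalation" point above is usually where an engineer has to turn policy into a mechanism, and the consolidation step is the sharpest case: a global SOC needs events from every site to correlate, but the compliance-risk table flags SIEM consolidation precisely because identifiers get exported and compared. The script below is an added example (not code from the slides or their authors) of one pattern that serves both: each jurisdiction tokenises personal identifiers with a keyed HMAC before events leave, so the global SOC can still count and correlate per host on stable tokens, while the key and the token-to-identity map stay local and re-identification only happens back at the site, under a ticket and a named approver, with an access log. The event schema, field names, site label, ticket IDs and key handling are assumed; in production the key would sit in an HSM or KMS and the access log in an auditable store. It also shows why the key is not optional: an unkeyed hash of an IPv4 address is reversed by enumerating the address space.

```python
"""Added example (not from the original slides): keyed pseudonymisation of
personal identifiers before events leave the jurisdiction for a global SOC.
Event schema, field names, site labels and ticket IDs are assumed; the key
would in practice live in an HSM/KMS and the access log in an auditable store."""
import hashlib
import hmac
import secrets
from collections import Counter
from ipaddress import ip_network


class LocalPseudonymiser:
    """Runs inside the jurisdiction. Tokens are truncated HMAC-SHA256 tags:
    stable, so the global SOC can still correlate events per host, but not
    reversible without the key, which never leaves this service."""
    FIELDS = ("src_ip", "user")   # assumed identifier fields to tokenise

    def __init__(self, key: bytes, site: str):
        self._key = key
        self.site = site
        self._reverse = {}        # token -> raw value, kept local only
        self.access_log = []      # accountability trail for re-identification

    def token(self, value: str) -> str:
        tag = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:32]
        self._reverse[tag] = value
        return f"{self.site}:{tag}"

    def export(self, event: dict) -> dict:
        """Copy of the event with identifier fields replaced by tokens."""
        out = dict(event)
        for field in self.FIELDS:
            if field in out:
                out[field] = self.token(out[field])
        return out

    def reidentify(self, token: str, ticket: str, approver: str) -> str:
        """Escalation path: only with a ticket and a named approver, and always logged."""
        if not ticket or not approver:
            raise PermissionError("re-identification requires a ticket and an approver")
        site, _, tag = token.partition(":")
        if site != self.site or tag not in self._reverse:
            raise KeyError("token was not issued by this site")
        self.access_log.append((ticket, approver, token))
        return self._reverse[tag]


def correlate(exported_events):
    """What the global SOC can do on tokens alone: events per pseudonymous host."""
    return Counter(e["src_ip"] for e in exported_events)


def unkeyed_reversal(ip: str, net: str = "10.0.0.0/24"):
    """Why the key matters: an unkeyed hash of an IPv4 address is recovered by
    enumerating the address space. Returns the address matched from the digest."""
    digest = hashlib.sha256(ip.encode()).hexdigest()
    for addr in ip_network(net):
        if hashlib.sha256(str(addr).encode()).hexdigest() == digest:
            return str(addr)
    return None


# Constructed events as seen by the local collector. The external dst_ip is
# deliberately left in clear: the global SOC needs it to issue blocks.
RAW_EVENTS = [
    {"ts": "2015-01-01T08:00:00Z", "src_ip": "10.0.0.15", "user": "j.doe",
     "dst_ip": "203.0.113.7", "bytes": 58_000_000},
    {"ts": "2015-01-01T08:00:05Z", "src_ip": "10.0.0.15", "user": "j.doe",
     "dst_ip": "203.0.113.7", "bytes": 1_200},
    {"ts": "2015-01-01T08:01:00Z", "src_ip": "10.0.0.11", "user": "a.smith",
     "dst_ip": "10.0.0.5", "bytes": 900},
]


def demo(key=None):
    """Local site tokenises, global SOC correlates, local site re-identifies under a ticket."""
    site = LocalPseudonymiser(key or secrets.token_bytes(32), "DE")
    exported = [site.export(e) for e in RAW_EVENTS]
    top_token, _count = correlate(exported).most_common(1)[0]
    raw = site.reidentify(top_token, ticket="IR-2015-042", approver="privacy-officer")
    return exported, top_token, raw, site.access_log


if __name__ == "__main__":
    exported, top, raw, log = demo()
    print(exported[0]["src_ip"], "->", raw, log)
```

Because each site uses its own key, the same address tokenised at two sites yields two unrelated tokens; that is intended (internal addresses are site-local anyway) and it means the central team cannot link identities across jurisdictions without going through each site's escalation path.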

Necessity? Why Is Monitoring Necessary?
- Many examples establish that perimeter defenses do not protect against APTs
- Zero-days, must-have software and user issues
- Once an intruder is in, monitoring internal activity is often the only way to identify and trace the attacker
- Checking the substance of communications may be the only way to detect and thwart exfiltration of protected data

Flash Response Risks
- No employee consents, or employee consents too narrow
- Regulatory lead-time issues
- Management overhead issues (time to process issues)
- Lack of event data because logs/traffic information is not available

Planning for Defense
- Planning for defensive actions
  - What tools, what data and where
  - What law applies
  - What have you already declared/registered
- Closing the gap
- Privacy enforcement risk vs. security risk

Privacy by Design
- Notice to users
- Disclosure to regulators
- Limited use
- Access
- Purpose
- Limited retention
- Tool escalation based on need

Collaborating Across Departments
- Other departments within the same company may not be fully briefed on defense-in-depth, tool-based strategies, in terms of understanding what data is gathered, by what means, for what purposes, and for how long
- Get buy-in before rolling out new AD tools
- Three-part framework: Where are you looking? What can you see? How much is encrypted vs. plain text?
- Ask about notice, minimization and policies

Closing Thoughts
- Make sure you understand how tools are deployed in your environment
- As always, the particulars matter
- Plan now for active defense, breaches and forensic response

Contact Information

Jennifer C. Archie, Washington, D.C.
T +1.202.637.2205
E jennifer.archie@lw.com
B http://www.globalprivacyblog.com/
Jennifer Archie is a partner with Latham & Watkins with 15 years' experience investigating and responding to security incidents. A CIPP, she regularly presents on cyber security and privacy topics.

Kevin C. Boyle, Washington, D.C.
T +1.202.637.2245
E kevin.boyle@lw.com
B http://www.globalprivacyblog.com
Kevin Boyle is a partner with Latham & Watkins with a practice focused on data privacy & security and technology-related transactions. A CISSP and CIPP, he led Latham's internal security program for 10 years and its privacy program for 5 years.