Enterprise Cybersecurity: Building an Effective Defense
Chris Williams, Leidos
Oct 29, 2015
About the Presenter
Chris Williams is an Enterprise Cybersecurity Architect at Leidos, Inc. He has been designing, deploying, and operating cybersecurity solutions for government and commercial clients for over 20 years, and holds a patent for e-commerce technology. He is co-author of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced Threats.
About Leidos
- Formerly part of Science Applications International Corporation (SAIC)
- Fortune 500 solutions leader with over $5 billion annual revenue
- About 22,000 employees
- Businesses: National Security, Health, Engineering
- (Diagram labels: National Security, Engineering, Health, Cybersecurity)
Agenda
1. The Cyberdefense Challenge
2. Anatomy of a Targeted Attack
3. Axioms for Modern Cyberdefense
4. Pragmatic Cyberdefense
5. Today's Cybersecurity Top Ten
6. Houston, We Have a Systems Problem
7. Generations of Weapons Systems
8. Generations of Malware
9. Generations of Cyberdefense
10. The Cyberdefense Pyramid
11. A Cybersecurity Program Framework
12. Closing Thought
1. The Cyberdefense Challenge
In a complex environment:
- Flaws are inevitable
- Systems malfunction
- People make mistakes
Therefore:
- Attackers can always gain a foothold, eventually
- If defenders can't detect and catch the attackers on the inside, the attackers will eventually succeed
- Attackers will always have lucky breaks. However, lucky attackers should not be the end of the defense.
2. Anatomy of a Targeted Attack
Targeted attacks methodically work through victim defenses. The attacker moves through six stages, each with its typical techniques:
- Initial Incursion: Server Vulnerability, Application Vulnerability, Buy Access, Malicious Web Site, Malicious Email, Endpoint Vulnerability
- Establish Foothold: Compromised Server, Compromised Endpoint, Compromised Mobile Device, Compromised User Account
- Command & Control: Web Site WebShell, Outbound Web Connection, Protocol Tunneling, Internet-Facing User Account
- Escalate Privileges: Password Keylogger, Harvest Credentials, Pass the Hash / Ticket, Exploit Vulnerabilities, Hijack Sessions, Maintain Persistence
- Move Laterally: Network Mapping, Share Enumeration, Remote Desktop, Remote Shell, Remote Admin Tools
- Complete the Mission: CONFIDENTIALITY: Exfiltrate Data; INTEGRITY: Modify Data; AVAILABILITY: Destroy Data
The sequence gives defenders opportunities to succeed.
3. Axioms for Modern Cyberdefense
4. Pragmatic Cyberdefenses
Rather than strive for perfection, strive for good enough:
- Focus on real-world attacks that are most likely to occur
- Repel attacks when they occur, then improve defenses
- Design defenses to impede the attack: Disrupt, Detect, Delay, Defeat
(Diagram: many initial attacks are narrowed by successive Disrupt, Detect, Delay and Defeat stages into fewer penetrations)
Pragmatic Cyberdefense: Audit First
Threat Analysis, then Audit Controls, Forensic Controls, Detective Controls, Preventive Controls
- Don't try to protect everything
- Design security around the threats:
  - How do you search for the threat?
  - What logs do you need to detect the threat?
  - Can you alert when the threat occurs?
  - Can you block the threat so it does not succeed?
Pragmatic Cyberdefense: Cyber Castles
We can learn from history by looking at medieval towns:
- Most of the productivity is in the undefended fields and village
- The town is lightly defended, but the castle is heavily defended
- To take the town, you have to control the castle
The analogy to the enterprise:
- Tower = Authentication Systems
- Castle = Security Systems
- Town = Business Servers
- Fields = Regular Users
Pragmatic Cyberdefense: True Defense in Depth
Layer enterprise security to protect the security infrastructure best:
- Each layer gives defenders an opportunity to detect and repel attack
- Each layer's defense can be somewhat porous; perfection is not required
- Defenses get stronger as attackers penetrate further inside
- Goal is to give defenders 2 or more opportunities to catch the attack
The layers, from outside in:
- Users: lightly protected
- Servers and Infrastructure: better protected
- Security Systems: well protected
- Authentication Systems: very well protected
5. Today's Cybersecurity Top Ten
1. Emphasis on detection rather than protection
2. Less reliance on endpoint security
3. Network segmentation to provide defense in depth
4. Two-factor authentication for system administrators
5. Application whitelisting for critical systems and assets
6. Log aggregation and security information and event management (SIEM)
7. 24x7 security monitoring to detect incidents
8. Forensics tools to track down attacks when they occur
9. Incident rapid response to repel attacks in real time
10. Security incident metrics tracking activities and threats
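The Audit First questions (search, logs, alert, block) and the log aggregation and detection items in the top ten, worked as an added example that is not from the presentation: a small Python detector over constructed authentication events, with one function per control layer. The lateral-movement pattern it looks for (one credential fanning out to many hosts within minutes, as left by the Share Enumeration and Remote Admin Tools steps of the attack sequence), the log format, and all account and host names are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of aggregated authentication events (not real logs).
# One service account fans out to many hosts within minutes, the pattern
# left by the "Share Enumeration" / "Remote Admin Tools" steps above.
SAMPLE_LOG = """
{"ts": "2015-10-29T09:00:01", "user": "alice", "src": "ws-12", "dst": "fileserver-1"}
{"ts": "2015-10-29T09:00:05", "user": "svc-backup", "src": "ws-31", "dst": "fileserver-1"}
{"ts": "2015-10-29T09:00:09", "user": "svc-backup", "src": "ws-31", "dst": "fileserver-2"}
{"ts": "2015-10-29T09:00:14", "user": "svc-backup", "src": "ws-31", "dst": "dc-1"}
{"ts": "2015-10-29T09:00:20", "user": "svc-backup", "src": "ws-31", "dst": "hr-db"}
{"ts": "2015-10-29T09:00:26", "user": "svc-backup", "src": "ws-31", "dst": "finance-app"}
{"ts": "2015-10-29T11:30:00", "user": "bob", "src": "ws-07", "dst": "fileserver-1"}
"""

def parse_events(text):
    """Audit control: aggregated, parseable logs must exist before any
    search, alert or block is possible (the 'what logs do you need' question)."""
    return [json.loads(line) for line in text.strip().splitlines()]

def hunt_fan_out(events, window=timedelta(minutes=10)):
    """Forensic control ('how do you search for the threat'): for each
    (user, source host) pair, the largest number of distinct destination
    hosts reached inside any sliding window of the given length."""
    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e["user"], e["src"])].append((datetime.fromisoformat(e["ts"]), e["dst"]))
    result = {}
    for pair, hits in per_pair.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):
            hosts = {d for t, d in hits[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        result[pair] = best
    return result

def alert(fan_out, threshold=4):
    """Detective control ('can you alert'): one credential touching this
    many hosts this fast is rare for business users, so it is alertable."""
    return sorted(pair for pair, n in fan_out.items() if n >= threshold)

def contain(alerts):
    """Preventive control ('can you block'): the containment actions an
    analyst would take, returned as data so a ticketing or response system can carry them."""
    return [{"disable_account": user, "isolate_host": src} for user, src in alerts]
```

The threshold and window are tuning knobs: set them from a baseline of normal fan-out in your own logs before turning the alert into an automated block.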
6. Houston, We Have a Systems Problem
John Gall, The Systems Bible:
- "Systems in general work poorly or not at all."
- "Any large system is going to be operating most of the time in failure mode."
- "Big systems either work on their own or they don't. If they don't, you can't make them. Pushing on the system doesn't help."
Albert Einstein: "We cannot solve our problems with the same thinking we used when we created them."
7. Generations of Weapons Systems
Jet fighters since WWII are often grouped into generations. Each generation represents a leap forward in capability and renders the previous generations obsolete.
- Gen 1: F-86 Sabre (1949)
- Gen 2: F-8 Crusader (1957)
- Gen 3: F-4 Phantom (1960)
- Gen 4: F-15 Falcon (1976)
- Gen 5: F-22 Raptor (2005)
The F-15 has a claimed combat record of 101 victories and zero losses in actual air-to-air combat.
Images courtesy Wikipedia
8. Generations of Malware
Malware can also be grouped into generations. Subsequent generations reflect increases in capability and threat.
1. Static Virus
2. Network-based Virus
3. Trojan Horse
4. Command and Control
5. Customized
6. Polymorphic
7. Intelligent
8. Autonomous and Polymorphic
9. Firmware and Supply Chain
(Chart: sophistication plotted against time; the generations trend toward increasing sophistication, stealth and capability)
9. Generations of Cyberdefense
Cyberattacks and defenses can also be characterized as generations. We are now in the transition from Generation 2 to Generation 3.
1. Hardening the Host
2. Protecting the Network
3. Layered Defense and Active Response
4. Automated Response
5. Biological Defense
Gen 1: Hardening the Host
The Challenge:
- Increases in the numbers of Internet-connected systems
- Multi-user systems with large numbers of users
- Network-connected systems becoming more important
Attacks:
- Target unpatched host vulnerabilities
- Originate from attacker computers
- Exploit insecure protocols
Defenses:
- Security Technical Implementation Guides (STIGs)
- Host hardening
- Regular patching
- Air gapping
Gen 2: Protecting the Network
The Challenge:
- More and more devices to patch / harden / protect
- Vulnerable protocols / enterprise system architectures
- Vulnerabilities that are impossible to patch
Attacks:
- Automated tools scan and attack vulnerable systems
- Central control of compromised systems (botnets)
- Theft of data and credentials
Defenses:
- Perimeter firewalls and defenses
- Private organizational networks (NAT)
- Automated endpoint management
Gen 3: Layered Defense and Active Response
The Challenge:
- Proliferation of external connections (VPN, cloud, partners)
- Little visibility or protection once attackers get inside
- Vulnerabilities in security and management systems
Attacks:
- Follow the attack sequence to penetrate the enterprise
- Use the enterprise's security systems against itself
- Conduct data theft on colossal scales
Defenses:
- Defenses are layered using segmentation
- Security infrastructure is armored against attack
- Active detection and response
Gen 4: Automated Response
The Challenge:
- Proliferation of security technologies and complexity
- Labor and cost for active detection and incident response
- Speed of response against aggressive attacks
Attacks:
- Proliferate and consume incident response resources
- Defenders must prioritize and cannot investigate everything
- Swift, catastrophic attacks
Defenses:
- Automated detection and response
- Rapid containment and reconstitution of affected systems
- Strict configuration control
Gen 5: Biological Defense
The Challenge:
- Proliferation of vulnerable devices providing attackers with footholds and stepping points within the environment
- Stealthy malware and unknown / unpatched vulnerabilities
Attacks:
- Malware installed via zero-day and supply chain
- Autonomous and stealthy malware evades detection
- Acts like an insider attack once inside the environment
Defenses:
- Defenses organized around the data, not the host or perimeter
- Analytics to recognize behavioral anomalies
- Hunting to find attacks
10. The Cyberdefense Pyramid
Defenses build upon one another; each generation keeps the defenses of the generations below it:
- Generation 5: Host, Network, Detection, Response, Analytics
- Generation 4: Host, Network, Detection, Response
- Generation 3: Host, Network, Detection
- Generation 2: Host, Network
- Generation 1: Host
There is little point in deploying advanced defenses if basic defenses are not in place first.
11. A Cybersecurity Program Framework
A successful enterprise cybersecurity framework should:
- Coordinate architecture, policy, programmatics, IT life cycle, and assessments
- Enable organization, budgeting, delegation, and accountability
- Align well with real-world skills of cybersecurity professionals
- Enable decision making for strategy, prioritization, and executive reporting
12. Closing Thought
With an ineffective cyber defense, the defender has to do everything perfectly to protect the enterprise.
With an effective cyber defense, the attacker has to do everything perfectly to attack it.
Which would you rather have?
Thank You!