April 5, 2017
Mohsen Manialawy, CISSP, M.Sc., MBA
Solutions Architect, Cisco Security Solutions
Human Insider Threats in Cybersecurity and the Architecture to Mitigate
Points of Discussion
• Human Insider Threats: is it still a problem, and how bad?
• What is the Required Architecture to Mitigate?
• Key Takeaways
Human Insider Threats: is it still a problem, and how bad?
Chart: The Top 4 Sources of Concern Which Security Professionals Found in Defending Against a Cyberattack (percentage of respondents who find the category very or extremely challenging to defend):
• 58% Mobile Devices
• 57% Data in Public Cloud
• 57% Cloud Infrastructure
• 57% User Behavior (for example, clicking a malicious link in an email or on a website)
Source: Cisco 2017 Annual Cybersecurity Report
Realities of Modern Threats
• One out of four breaches is caused by malicious insiders.
• 95% of all cybercrime is triggered by a user clicking on a malicious link disguised to be legitimate.
• Two out of three breaches exploit weak or stolen passwords.
• With lateral movement of advanced persistent threats, even external attacks eventually become internal threats.
Diagram: perimeter controls (FW, IDS, IPS) sit between External and Internal; once the attacker is inside, they no longer see the traffic.
Source: 2014 Verizon Data Breach Investigations Report and Forrester research.
How Data Breaches Happen
• Reconnaissance
• Victim clicks phishing email link
• Malware dropped via backdoor
• Lateral movement to find an admin
• Escalate privilege to become admin
• Data exfiltration using admin privilege
• Information monetized after the breach
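The chain above is only visible as a chain if events from the proxy, the endpoint, the network and the directory are correlated per user rather than per device, because the attacker hops from the victim's workstation to a server along the way. The following is an added example, not code from the deck or from any Cisco product: it maps constructed log events to the stages listed above and raises an alert once a single user's events progress through three or more stages inside a time window. The log format, event names, the 10.0.0.0/8 internal check, the lateral-movement ports and the 100 MiB exfiltration threshold are all assumptions chosen for illustration.

```python
"""Correlate per-user events into the breach chain: phishing click -> malware
dropped -> lateral movement -> privilege escalation -> exfiltration.
Added example; log lines and field names below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <host> <user> <event> key=value ..."
SAMPLE_LOG = r"""
2017-04-05T09:01:10 WS-114 jdoe proxy_click url=http://invoice-portal.example/login
2017-04-05T09:01:42 WS-114 jdoe file_exec path=C:\Users\jdoe\AppData\inv.exe parent=outlook.exe
2017-04-05T09:05:03 WS-114 jdoe net_conn dst=10.0.0.54 port=445
2017-04-05T09:05:09 WS-114 jdoe net_conn dst=10.0.0.55 port=445
2017-04-05T09:07:30 WS-114 jdoe logon_success account=svc_backup type=network
2017-04-05T09:08:12 SRV-DC1 svc_backup group_add group=DomainAdmins member=jdoe
2017-04-05T09:20:44 SRV-DC1 jdoe upload dst=203.0.113.7 bytes=734003200
2017-04-05T10:15:00 WS-201 asmith proxy_click url=http://news.example/article
2017-04-05T10:15:30 WS-201 asmith net_conn dst=10.0.0.54 port=445
"""

STAGES = ["phishing click", "malware dropped", "lateral movement",
          "privilege escalation", "data exfiltration"]
WINDOW = timedelta(hours=2)              # assumed correlation window
EXFIL_BYTES = 100 * 1024 * 1024          # assumed exfiltration threshold
LATERAL_PORTS = {445, 3389, 5985}        # SMB, RDP, WinRM (assumed indicators)
MAIL_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
ADMIN_GROUPS = {"DomainAdmins", "Administrators"}


def parse_line(line):
    """Split one constructed log line into a dict of fixed fields plus key=value details."""
    ts, host, user, event, *kv = line.split()
    detail = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "event": event, **detail}


def stage_of(ev):
    """Map one event to a stage index, or None if it is not indicative of any stage."""
    e = ev["event"]
    if e == "proxy_click":
        return 0
    if e == "file_exec" and ev.get("parent", "").lower() in MAIL_PARENTS:
        return 1                                   # executable spawned by a mail/office client
    if e == "net_conn" and int(ev.get("port", 0)) in LATERAL_PORTS \
            and ev.get("dst", "").startswith("10."):
        return 2                                   # admin protocol towards an internal host
    if e == "logon_success" and ev.get("account") != ev["user"]:
        return 3                                   # user authenticating as a different account
    if e == "group_add" and ev.get("group") in ADMIN_GROUPS:
        return 3
    if e == "upload" and int(ev.get("bytes", 0)) >= EXFIL_BYTES:
        return 4
    return None


def correlate(log_text, window=WINDOW):
    """Return {user: [stage names]} reached in forward order within `window`
    of that user's first indicative event. Correlating by user, not host,
    follows the attacker from WS-114 onto SRV-DC1."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        stage = stage_of(ev)
        if stage is not None:
            hits[ev["user"]].append((ev["ts"], stage))
    chains = {}
    for user, events in hits.items():
        events.sort()
        start = events[0][0]
        reached = []
        for ts, stage in events:
            if ts - start > window:
                break
            if not reached or stage > reached[-1]:   # only count forward progress
                reached.append(stage)
        chains[user] = [STAGES[i] for i in reached]
    return chains


def alerts(log_text, min_stages=3):
    """Users whose activity progressed through at least `min_stages` stages."""
    return {u: c for u, c in correlate(log_text).items() if len(c) >= min_stages}


if __name__ == "__main__":
    for user, chain in alerts(SAMPLE_LOG).items():
        print(f"ALERT {user}: {' -> '.join(chain)}")
```

With the constructed log, jdoe is reported with all five stages while asmith (a click followed by one SMB connection) and svc_backup (one group change) stay below the alert threshold. The point for the architecture discussed later in the deck is that none of the individual sources (proxy, endpoint, NetFlow, directory) carries the whole story; the chain only appears when their telemetry is joined.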
Adware and Malvertising Shift Into High Gear (used for redirection to exploit kits)
• Adware: 75% of the 130 organizations investigated had adware infections.
• Malvertising: using brokers (gates) to increase speed and agility; switching quickly between servers without changing the redirection.
Source: Cisco 2017 Annual Cybersecurity Report
Browser Infections: The Pest That Persists
More than 85% of the companies studied were affected each month by malicious browser extensions.
Source: Cisco 2016 Annual Cybersecurity Report
Spam Comes Roaring Back: Email is Back in Vogue
• 65% of email is spam.
• 8% of spam is malicious.
Chart: spam volume in emails per second, 2010 to 2016 (axis from 0.5K to 5K).
Source: Cisco 2017 Annual Cybersecurity Report
Watching and Waiting: Adversaries Take Time Inspecting and Looking for Opportunities
Chart: malware categories observed, with the counts as labelled in the chart:
• 87K PUA and Suspicious Binaries, browser extensions
• 50K Trojan Droppers (VBS)
• 35K Scam Links
• 27K Trojan Downloaders (Scripts)
• 24K Browser Redirection (JS)
• 18K Browser Redirection-Downloads
• 15K Phishing (Links)
• 14K Android Trojans (Iop)
• 12K Browser Redirection
• 11K Facebook Hijacking
Spam Attacks: Snowshoe and Hailstorm
• Snowshoe: uses various IP addresses; hides from detection with low volume per address.
• Hailstorm: highly concentrated and high-speed; uses speed and volume to bypass detection.
Source: Cisco 2017 Annual Cybersecurity Report
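Both techniques are designed to defeat a reputation system that scores each sending IP on its own volume: snowshoe keeps every IP under the threshold, hailstorm is over before the score is updated. A practical counter is to profile the sending domain rather than the IP. The following is an added example, not code from the deck or from any Cisco product: it builds a constructed SMTP accept log (one hailstorm sender, one snowshoe sender, one ordinary newsletter), computes per-domain volume, address spread and peak rate, and classifies each sender. The thresholds (20 messages per minute for hailstorm, 5 or more IPs with at most 3 messages each for snowshoe) are assumptions, not figures from the report.

```python
"""Classify senders as snowshoe, hailstorm or normal from per-domain profiles.
Added example; the log built by build_sample_log() is constructed, not real data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed SMTP accept log, one line per message: "<ISO time> <src ip> <sender domain>"."""
    base = datetime(2017, 4, 5, 8, 0, 0)
    lines = []
    # Hailstorm: 60 messages from 2 IPs inside two minutes, then silence.
    for i in range(60):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.{10 + i % 2} deal-blast.example")
    # Snowshoe: 24 messages spread over 12 IPs across eight hours, 2 per IP.
    for i in range(24):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.{i % 12} savings-now.example")
    # Ordinary sender: 8 messages from one IP, one per hour.
    for i in range(8):
        ts = base + timedelta(hours=i)
        lines.append(f"{ts.isoformat()} 192.0.2.25 newsletter.example")
    return "\n".join(lines)


def peak_rate(times, window):
    """Largest number of messages inside any sliding window (times must be sorted)."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def profile(log_text):
    """Per sender domain: total, distinct IPs, max per IP, campaign span, peak per minute."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, domain = line.split()
        by_domain[domain].append((datetime.fromisoformat(ts), ip))
    out = {}
    for domain, msgs in by_domain.items():
        msgs.sort()
        times = [t for t, _ in msgs]
        per_ip = Counter(ip for _, ip in msgs)
        out[domain] = {
            "total": len(msgs),
            "distinct_ips": len(per_ip),
            "max_per_ip": max(per_ip.values()),
            "span_minutes": (times[-1] - times[0]).total_seconds() / 60,
            "peak_per_minute": peak_rate(times, timedelta(minutes=1)),
        }
    return out


def classify(p, hail_rate=20, hail_span_min=15, snow_ips=5, snow_max_per_ip=3):
    """Assumed thresholds: a burst that is over in minutes is hailstorm; many
    addresses each sending a handful of messages is snowshoe."""
    if p["peak_per_minute"] >= hail_rate and p["span_minutes"] <= hail_span_min:
        return "hailstorm"
    if p["distinct_ips"] >= snow_ips and p["max_per_ip"] <= snow_max_per_ip:
        return "snowshoe"
    return "normal"


def classify_log(log_text):
    return {domain: classify(p) for domain, p in profile(log_text).items()}


if __name__ == "__main__":
    for domain, p in profile(build_sample_log()).items():
        print(domain, classify(p), p)
```

Note what a per-IP volume rule would have seen: every snowshoe address sent two messages in eight hours, and the hailstorm addresses were idle again before a reputation update could propagate. Aggregating on the sender domain (or on the envelope sender, DKIM domain or URL in the body, depending on what the campaign keeps constant) is what makes either pattern stand out.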
Security Maturity in Industry Verticals
Chart: Percentage of Monthly Vertical Block Rates (Finance: 30%; other verticals not recoverable from the extraction).
Source: Cisco 2017 Annual Cybersecurity Report
Hard Hit: Security Breaches Paralyze Systems and Impact Key Business Operations
Business Impact:
• 36% Operations
• 26% Brand Reputation
• 26% Customer Retention
Operational Impact:
• For 65% of organizations, systems were down for 1-8 hours.
• For 61% of organizations, nearly 30% of systems were impacted.
Source: Cisco 2017 Annual Cybersecurity Report
Human Insider Threats: is it still a problem, and how bad?
Absolutely, and quite impactful.
What Is the Required Architecture to Mitigate?
Process of Attacks
• Research, identify and select targets
• Pair remote access malware with exploits
• Deliver cyberweapons by email, website and attachments
• Install payloads to gain persistent access
User Browsing Web Site - Security Controls
Diagram: a user's request to www.website.com passes through layered controls, whether the user sits at HQ, a campus office, a branch office or roams outside the network.
• Host Based Security: AMP (Advanced Malware Protection) agent on the endpoint
• Network: Next-Generation Firewall/IPS
• Supporting Cloud Services: Malware Sandbox, Threat Intelligence, DNS Security
• Web Security Functions (appliance or cloud): Web Filtering, Web Reputation, Application Visibility & Control, Anti-Malware, File Reputation, File Sandboxing, File Retrospection, Cognitive Threat Analytics, DLP Integration
• Verdict per request: Allow, Warn, Block, Partial Block
• Coverage across the attack continuum: Before, During, After (Outbreak Intelligence)
• Client Authentication Methods
• Traffic Redirection Methods: WCCP, Load Balancer, PBR, AnyConnect, Explicit proxy/PAC
• Management: Reporting, Log Extraction
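File Retrospection, listed above among the web security functions and again in the email section, is the one control that acts after the fact: a file that was unknown when it passed the gateway may be judged malicious by the sandbox minutes or days later, and the operator needs to know every host that already received it. The following is an added example, not code from the deck or from Cisco AMP: a minimal tracker that records each observation of a file hash together with the verdict in force at that moment, and, when the verdict later flips to malicious, returns the hosts that were allowed the file earlier. Hosts, timestamps and the hashed sample content are constructed.

```python
"""File retrospection: remember who received a file, alert when its verdict changes.
Added example; hosts, timestamps and the sample content are constructed."""
import hashlib
from collections import defaultdict


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RetrospectiveFileTracker:
    def __init__(self, known=None):
        self.disposition = dict(known or {})   # sha256 -> "clean" | "malicious" | "unknown"
        self.seen = defaultdict(list)          # sha256 -> [(ts, host, verdict at the time)]

    def observe(self, ts: str, host: str, sha256: str) -> str:
        """Point-in-time decision ('during'): block only what is already known malicious,
        but always record the observation so it can be revisited later."""
        verdict = self.disposition.get(sha256, "unknown")
        self.seen[sha256].append((ts, host, verdict))
        return "block" if verdict == "malicious" else "allow"

    def update_disposition(self, sha256: str, verdict: str) -> list:
        """Intelligence update ('after'): return the hosts that received the file
        while it was not yet known malicious, i.e. the retrospective alert list."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            return sorted({host for _, host, v in self.seen[sha256] if v != "malicious"})
        return []


def demo():
    """Walk one file through before/during/after and return the decisions taken."""
    tracker = RetrospectiveFileTracker()
    payload = sha256_of(b"constructed sample content, not a real malware file")
    # Before: no verdict exists, so the first two downloads are allowed and recorded.
    first = tracker.observe("2017-04-05T09:01", "WS-114", payload)
    second = tracker.observe("2017-04-05T09:40", "WS-201", payload)
    # After: sandbox analysis completes and the hash is now malicious.
    retro_hosts = tracker.update_disposition(payload, "malicious")
    # During (from now on): a third host fetching the same file is blocked.
    third = tracker.observe("2017-04-05T10:05", "WS-305", payload)
    # A repeated identical update must not re-alert the same hosts.
    repeat = tracker.update_disposition(payload, "malicious")
    return {"first": first, "second": second, "retro_hosts": retro_hosts,
            "third": third, "repeat": repeat}


if __name__ == "__main__":
    print(demo())
```

The retrospective list is only as good as the observation record: if the gateway or endpoint agent does not log hashes for files it allows, there is nothing to look back on, which is why the deck pairs retrospection with file reputation and telemetry rather than treating it as a standalone control.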
User Opening an Email - Security Controls
Diagram: inbound and outbound mail flows through the email security layer (Cisco appliance, virtual or cloud deployment), backed by Talos threat intelligence, with the same host and network controls as for web browsing.
• Host Based Security: AMP agent on the endpoint
• Network: Next-Generation Firewall/IPS
• Supporting Cloud Services: Malware Sandbox, Threat Intelligence, DNS Security
• Email Security Functions, inbound: Reputation and Acceptance Controls, Anti-Spam, Anti-Virus, Outbreak Filters, Mail Flow Policies, Graymail Management and Safe Unsubscribe, Anti-Phish (URL reputation and categorization), tracking of user click activity (anti-phish), File Reputation, File Sandboxing and Retrospection, Cloud Content Controls
• Email Security Functions, outbound (outbound liability): Data Loss Protection, Encryption
• Verdict per message: Allow, Warn, Block, Partial Block
• Coverage across the attack continuum: Before, During, After
• Management: Reporting, Message Tracking
Network Resources Access Policy (Allow / Deny)
• BYOD Access
• Guest Access
• Role-based Access
• Rapid Threat Containment
• Identity Profiling and Posture: Who, What, When, Where, How, Compliant
Identity/Context Based Segmentation Capable Infrastructure (mitigating malicious insiders)
• The network is the door: works across wired, wireless and VPN
• Context Integration Protocols
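The access policy above is an ordered decision: containment of a flagged endpoint and guest handling must win over whatever a user's role would otherwise grant, posture is checked before the role is trusted, and anything the policy does not recognize is denied. The following is an added example, not code from the deck and not the syntax of any Cisco product: a first-match rule table over the Who/What/When/Where/How attributes that returns a decision and the segment the session is placed in. The roles, segment names, the personal-device handling and the 07:00-19:00 window for administrative VPN access are constructed assumptions for illustration.

```python
"""Identity/context based access decision evaluated as an ordered, first-match rule table.
Added example; roles, segments and the admin VPN time window are assumptions."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class AccessRequest:
    user: str                     # who
    role: str                     # who, from the identity store; "" = unauthenticated
    device: str                   # what: "managed" or "personal"
    compliant: bool               # posture assessment result
    when: time                    # when
    location: str                 # where: "campus", "branch", "remote"
    method: str                   # how: "wired", "wireless", "vpn"
    threat_flagged: bool = False  # set by threat analytics for rapid threat containment


KNOWN_ROLES = {"employee", "finance", "admin"}   # assumed role catalogue


def business_hours(t: time) -> bool:
    return time(7, 0) <= t <= time(19, 0)


# (rule name, predicate, (decision, segment)); evaluated top to bottom, first match wins.
RULES = [
    ("threat-containment", lambda r: r.threat_flagged,
     ("quarantine", "quarantine")),
    ("unauthenticated", lambda r: r.role == "",
     ("deny", None)),
    ("guest-wireless", lambda r: r.role == "guest" and r.method == "wireless",
     ("allow", "guest-internet-only")),
    ("guest-other", lambda r: r.role == "guest",
     ("deny", None)),
    ("posture-failed", lambda r: not r.compliant,
     ("allow", "remediation")),
    ("byod", lambda r: r.device == "personal",
     ("allow", "byod-limited")),
    ("admin-vpn-offhours", lambda r: r.role == "admin" and r.method == "vpn"
                                     and not business_hours(r.when),
     ("deny", None)),
    ("admin", lambda r: r.role == "admin",
     ("allow", "admin")),
    ("employee", lambda r: r.role in KNOWN_ROLES,
     ("allow", "corp")),
]


def authorize(req: AccessRequest):
    """Return (matched rule, decision, segment); unmatched requests are denied."""
    for name, predicate, (decision, segment) in RULES:
        if predicate(req):
            return name, decision, segment
    return "default-deny", "deny", None


def decide(user, role, device, compliant, hour, location, method, threat_flagged=False):
    """Convenience wrapper taking the hour as an integer."""
    return authorize(AccessRequest(user, role, device, compliant, time(hour, 0),
                                   location, method, threat_flagged))


if __name__ == "__main__":
    print(decide("jdoe", "employee", "managed", True, 10, "campus", "wired"))
    print(decide("jdoe", "employee", "managed", True, 10, "campus", "wired", threat_flagged=True))
    print(decide("root", "admin", "managed", True, 23, "remote", "vpn"))
```

Two properties of the table matter more than the individual rules. The containment rule is first, so a flagged endpoint is moved to quarantine on any medium (wired, wireless or VPN) no matter who is logged in, which is the rapid threat containment behaviour described above. And the last rule only admits roles the policy knows, so a role that appears in the identity store but was never given a policy falls through to default-deny instead of into the corporate segment.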
It Takes an Integrated Architecture with Threat Intelligence to Mitigate Insider Threats
Diagram: Identity, Authorization, DNS Security, Firewall, Anti-Malware, Access Control, Posture Assessment, Flow Analytics, Application Visibility and Threat Intelligence span the campus, the data center and the cloud services, with shared Monitoring, Policy and Identity; the cloud services include AMP, Sandbox, Threat Intelligence, DNS Security and Anti-Virus.
Key Takeaways
• Insider threats are real, sophisticated, here to stay, and cannot be ignored.
• Build a multilayer, integrated security architecture whose components work together, powered by threat intelligence and by unified management and telemetry.
• Technology-only mitigation is NOT sufficient: invest in educating and training people on safe Internet and email behavior, and ensure proper implementation of the policies, processes and procedures needed to quickly identify and contain breaches.