TRANSCRIPT
©2015 Bit9. All Rights Reserved
Building Resilient Security for the Age of Continuous Attacks
Harry Sverdlove, CTO, Bit9 + Carbon Black
MITRE Secure and Resilient Cyber Architectures Invitational
What do we mean by Cyber Resiliency?
“Let me tell you something you already know. The world ain't all sunshine and rainbows. It's a very mean and nasty place, and I don't care how tough you are, it will beat you to your knees and keep you there permanently if you let it.
You, me, or nobody is gonna hit as hard as life. But it ain't about how hard you hit. It's about how hard you can get hit and keep moving forward; how much you
can take and keep moving forward. That's how winning is done!”
‐ Rocky Balboa
Compromise (unauthorized code execution or unauthorized access within your environment) should
NOT result in:
What do we ACTUALLY mean by Cyber Resiliency?
Continuously Evolving Technology Landscape
Cloud Computing
Mobile Computing
Internet of Things
Surface area is ever‐increasing
Perimeters are becoming less relevant
Everything is connected to something
Technology is crossing into our physical world
Continuously Evolving Threat Actors
Criminal Enterprises
• Broad‐based and targeted attacks
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive attacks
• Unpredictable motivations
• Generally less sophisticated
Nation‐States
• Targeted and multi‐stage attacks
• Motivated by information and IP
• Highly sophisticated, endless resources
Continuous Stream of Data Breaches
Source: Information is Beautiful, www.informationisbeautiful.net, May 2015
In IT, we hire staff to support technology.
In security operations, we buy technology to support staff.
A Framework for Cyber Resiliency
Anticipate: Understand, Prepare, Prevent
Withstand: Continue, Constrain
Recover: Reconstitute
Evolve: Transform, Re‐architect
Source: Cyber Resiliency Engineering Framework, September 2011
Simplified Security Lifecycle
Detect: Recognize suspicious or malicious behavior
Respond: Investigate, assess scope, determine root cause, recover
Prevent: Harden systems from attack, repel hostile actions
How Are We Doing?
Respond
Prevent
Detect
Bulk of our budget continues to be here
Still weak in predictive security
More emphasis on actionable threat intel
Still relying largely on point‐in‐time scanning
Expensive, reactive, disruptive
Not continuous at all
Pop Quiz: Which Comes First – Detection or Collection?
Most programs alert on something interesting first, then collect artifacts afterwards.
By prioritizing data collection over detection, you accelerate
investigation, finding root cause and scope, recovery, and threat hunting.
Reduce Dwell Time By Prioritizing Data Collection
Compromised (attacker present)
Recovered (attacker expelled)
Breach Discovered (attacker identified)
DWELL TIME
Proactively collecting data here is automated and efficient
Reactively collecting data here is time consuming and expensive
Reduce Dwell Time By Prioritizing Data Collection
By prioritizing data collection before detection, you can eliminate the tedious and time‐consuming
data acquisition process, exponentially reducing dwell time and accelerating your response.
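The collection-before-detection argument made on this slide and in the pop quiz above, as an added example that is not from the talk or from any Bit9 / Carbon Black product: a toy endpoint recorder that stores every process start as it happens, runs a hypothetical detection rule over data already stored, and then answers root cause, dwell time and scope from history alone, with no separate acquisition step. The event stream, image paths and the rule are constructed assumptions.

```python
from collections import defaultdict, namedtuple
ProcEvent = namedtuple("ProcEvent", "ts pid ppid image")  # ts: constructed seconds

class ContinuousRecorder:
    """Collect first: every process start is stored, suspicious-looking or not."""
    def __init__(self):
        self.by_pid, self.children = {}, defaultdict(list)

    def record(self, ev):
        self.by_pid[ev.pid] = ev
        self.children[ev.ppid].append(ev.pid)

    def lineage(self, pid):
        # ancestor chain, oldest first, ending at pid (the root-cause question)
        chain = []
        while pid in self.by_pid:
            chain.append(self.by_pid[pid])
            pid = self.by_pid[pid].ppid
        return chain[::-1]

    def descendants(self, pid):
        # everything spawned under pid, depth first (the scope question)
        return [c for k in self.children[pid] for c in (k, *self.descendants(k))]

def is_suspicious(rec, ev):
    # hypothetical detection rule: a document viewer launching a shell
    parent = rec.by_pid.get(ev.ppid)
    return (parent is not None and parent.image.endswith("winword.exe")
            and ev.image.endswith(("cmd.exe", "powershell.exe")))

def record_stream(events):
    # record unconditionally; the rule runs over data that is already stored
    rec, alerts = ContinuousRecorder(), []
    for ev in events:
        rec.record(ev)
        if is_suspicious(rec, ev):
            alerts.append(ev.pid)
    return rec, alerts

def investigate(rec, alert_pid):
    # root cause, dwell time and scope answered from history, no new acquisition
    chain = rec.lineage(alert_pid)
    return {"root_cause": chain[0].image,
            "dwell_seconds": rec.by_pid[alert_pid].ts - chain[0].ts,
            "scope": [alert_pid] + rec.descendants(alert_pid)}
# constructed event stream: the document viewer start is the compromise point
EVENTS = [ProcEvent(100, 10, 1, r"C:\Program Files\Office\winword.exe"),
          ProcEvent(160, 20, 10, r"C:\Windows\System32\cmd.exe"),
          ProcEvent(161, 30, 20, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
          ProcEvent(200, 40, 30, r"C:\Users\alice\AppData\Local\Temp\stage.exe")]
```

Had the recorder only started collecting after the alert, the lineage of pid 20 and anything it spawned before the sensor came up would have to be reconstructed by hand, which is the expensive reactive phase the slide describes.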
“Time is the dominant parameter. The pilot who goes through the OODA cycle in the
shortest time prevails because his opponent is caught responding to situations that have already changed.”
‐ Col John Boyd, 1966
Observe, Orient, Decide, Act
Principles of Resiliency
Non‐persistence
Recovery
Segmentation
Adaptability
Deception
Intelligence
Diversity
Unpredictability
Orchestration
Least Privilege
Redundancy
Parting Thoughts
Cyber resiliency is a part of cyber security
Threats are evolving and continuous
Security needs to evolve and be continuous
Not just constant prevention – constant detection and response are required
This requires visibility, which leads to intelligence, which leads to predictive security
Security happens with people, not technology
But technology is an invaluable tool to support the people
Monkeys are your friend ‐ automate your resiliency!