By Sergio Heker GLESEC CLAB 2014 CONFERENCE Cyber-Security Operations and Intelligence A current perspective September 10-12, 2014


Page 1

By Sergio Heker

GLESEC

CLAB 2014 CONFERENCE

Cyber-Security Operations and Intelligence

A current perspective. September 10-12, 2014

Page 2

Tel: +1 (609) 651 4246 / Fax: +1 (609) 482 8244

State of Affairs in Cyber-Security

• We are under cyber-attack

» whether we like it or not

“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.” – Gartner, Inc., 2012 

Page 3

State of Affairs in Cyber-Security

“According to a Cisco examination of threat intelligence trends, malicious traffic is visible on 100 percent of corporate networks. This means there is evidence that sophisticated criminals or other players have penetrated these networks and may be operating undetected over long periods of time.”

Noteworthy: Advanced Persistent Threats (APT); perimeter breach, detection and remediation

Page 4

State of Affairs in Cyber-Security

Records of 25,000 Homeland Security Employees Stolen in Cyber Attack

Health care data breaches have hit 30M patients and counting

Massive 300Gbps DDoS attack on media firm fuelled by unpatched server flaw

A few selected August 2014 attacks

Page 5

State of Affairs in Cyber-Security

Source: Hackmageddon, August 2013

It’s global. No country is spared…

Page 6

State of Affairs in Cyber-Security

Source: Hackmageddon, August 2013

Page 7

State of Affairs in Cyber-Security

Banking sector: 9.5%

August 2013 report. Source: Hackmageddon, August 2013

Page 8

State of Affairs in Cyber-Security

• Manufacturing: 26.5%
• Finance and insurance: 20.9%
• Information and communication: 18.7%
• Health and social services: 7.3%
• Retail and wholesale: 6.6%

Source: IBM Annual 2013 report

Incident Rates Across Monitored Industries

Around 50% of attacks in two vertical sectors

Page 9

State of Affairs in Cyber-Security

• Many organizations prefer to think about this as if it were not happening to them

» ignoring the risk will not make it go away

• Some organizations consider this to be a technology problem with no impact on the bottom line

» seriously?

Page 10

State of Affairs in Cyber-Security

• There are many who think that buying a product will reduce the chances of their security being compromised

» There is no magic pill…

• Organizations in general lack the dedicated info-sec personnel, focus and infrastructure to address cyber-attacks

» it is not their focus anyway…

“Organizations face an evolving threat scenario that they are ill-prepared to deal with.” 

– Gartner. “Best Practices for Mitigating Advanced Persistent Threats.” January 2012. 

Page 11

State of Affairs in Cyber-Security

“The sophistication of the technology and tactics used by online criminals—and their nonstop attempts to breach network security and steal data—have outstripped the ability of IT and security professionals to address threats. Most organizations do not have the people or the systems to monitor their networks consistently and to determine how they are being infiltrated.” – based on the Cisco 2014 Annual Report

Page 12

The problem at hand…

• We must first recognize that there is a problem and that this problem can impact our organizations.

“Our experience shows that many organizations have not yet internalized the cyber-security risks that they are exposed to.” GLESEC

Page 13

The problem at hand…

• We can define the problem as on-going risk identification and mitigation.

– Risk conditions vary with time
• Threats are growing
• Vulnerabilities are growing

– Vulnerabilities and threats reported by Cisco IntelliShield® showed steady growth in 2013: as of October 2013, cumulative annual alert totals increased 14 percent year-over-year from 2012

• More assets are added on-line every second

Page 14

The problem at hand…

• We can define the problem as on-going risk identification and mitigation (cont.).

– Complexity of countermeasures
• Countermeasures adapt to changes in risk in a dynamic way.
• New countermeasures are created every day to deal with new threats and vulnerabilities.

– There is an on-going cost which should be compared with the impact for decision-making purposes

Page 15

The problem at hand…

• Countermeasure products provide an immense amount of information in real-time that has to be analyzed and acted upon.

• Ideal for Big Data applications

• The information gathered is intelligence information

• It is more valuable when more data sources are combined in a meaningful fashion.

Page 16

The problem at hand…

In summary:

– There are growing risks due to increasing threats and vulnerabilities

– There is growing complexity in defense mechanisms and in the new countermeasures arriving on the market

– Data for analysis and response continues to grow

– Limited info-sec resources to deal with this in-house

Page 17

The problem at hand…

A case study

Organization type: Financial

Countermeasures in place: Firewalls; IDS/IPS; Anti-malware

Incident: The on-line banking system is brought down by a DoS/DDoS attack and remains down for a period of days

Situation: The organization did not have the "right" countermeasures. It did not have the focus to address this due to an insufficient number of personnel/resources, and no dedicated security experts

Impact: Loss of potential business to clients; reputation; potential loss of clients

Lessons learned: Risk is changing. Countermeasures keep changing to adapt to risk. The organization should not focus internal resources on areas that are not its core business

Remediation: The organization outsourced its information security to a security firm. The organization receives an average of over 100,000 attacks per month, 4,000 of a critical nature. The countermeasures in place now are stopping attacks through correlation with other security sources, infrastructure and dedicated security experts

Page 18

The problem at hand…

A case study

Organization type: Health Care

Countermeasures in place: Firewalls; IDS/IPS; Anti-malware

Incident: Two internal systems are identified as having a variant of the Zeus malware

Situation: The organization has contracted an information security company that is monitoring and managing cyber-security incidents

Impact: Potential spread of the malware to over 10,000 internal systems; potential compromise of all banking activity carried out by any of the institution's employees

Lessons learned: The organization had taken the right steps to ensure someone is monitoring and protecting it. Countermeasures are in place. The risk was averted

Remediation: The organization outsourced its information security to a security firm. The organization receives an average of over 3,000,000 attacks per month. The countermeasures in place now are stopping attacks through correlation with other security sources, infrastructure and dedicated security experts

Page 19

How do we deal with this situation?

• Think risk mitigation as justification, not ROI

• Think process, not product

• Operations alone is not enough; this is an intelligence game

• Consider the strengths and weaknesses of your organization

Page 20

How do we deal with this situation?

• Think risk mitigation as justification, not ROI

– Follow a risk gap analysis to arrive at the right countermeasures for your organization
• Risk conditions
• Impact of these risk conditions
• Countermeasures to specific risk conditions
• Cost of these countermeasures
• Risk analysis and decision-making process
• On-going process
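The risk gap analysis steps above, carried through as a small model. This is an added example, not GLESEC's methodology or tool: the expected-loss formula, the effectiveness factors, the decision rule and all figures are assumptions constructed for illustration, and only the risk-condition and countermeasure names follow the sample lists later in the deck.

```python
"""Risk gap analysis model. Added example; not GLESEC's own tool.
Assumed model: expected yearly loss = likelihood * impact; a countermeasure
removes a fraction (effectiveness) of that likelihood; a risk condition with
no candidate countermeasure is a gap. Decision rule (assumed): fund a
countermeasure when the yearly loss it avoids exceeds its on-going cost."""
from dataclasses import dataclass


@dataclass
class RiskCondition:
    name: str
    likelihood: float  # estimated chance per year, 0..1 (constructed)
    impact: float      # loss per occurrence, currency units (constructed)


@dataclass
class Countermeasure:
    name: str
    covers: str           # name of the risk condition it addresses
    effectiveness: float  # fraction of likelihood removed, 0..1 (assumed)
    yearly_cost: float    # on-going cost: product, personnel and process
    in_place: bool = False


def gap_analysis(risks, measures):
    """Return (risk, current loss, residual loss, decision) per risk condition."""
    by_risk = {m.covers: m for m in measures}
    rows = []
    for r in risks:
        base = r.likelihood * r.impact
        m = by_risk.get(r.name)
        if m is None:  # nothing covers this condition: record the gap, do not hide it
            rows.append((r.name, round(base), round(base), "GAP: no countermeasure"))
            continue
        residual = base * (1 - m.effectiveness)
        current = residual if m.in_place else base
        if m.in_place:
            decision = "keep " + m.name
        elif current - residual > m.yearly_cost:
            decision = "fund " + m.name
        else:
            decision = "accept risk: " + m.name + " costs more than it avoids"
        rows.append((r.name, round(current), round(residual), decision))
    return rows


# Constructed sample input; names follow the deck's sample lists
RISKS = [RiskCondition("Bank account take over", 0.30, 200_000),
         RiskCondition("DDOS on on-line banking", 0.50, 150_000),
         RiskCondition("Ransomware", 0.20, 50_000),
         RiskCondition("Information leakage", 0.10, 300_000)]
MEASURES = [Countermeasure("Strong Authentication", "Bank account take over", 0.9, 20_000, True),
            Countermeasure("DDOS Protection", "DDOS on on-line banking", 0.8, 40_000),
            Countermeasure("End Point Security", "Ransomware", 0.6, 15_000)]

if __name__ == "__main__":
    for row in gap_analysis(RISKS, MEASURES):
        print(row)
```

Re-running the model as likelihoods, impacts and costs change is the "on-going process" step; the gap row is the one to act on first.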

Page 21

How do we deal with this situation?

Source: GLESEC

Page 22

Certain Risk Conditions

• Bank account take over – Zeus… other malicious apps
• E-commerce or other business site account take over
• Physical destruction of systems under cyber attack – IRAN Nuclear Centrifuges, ARAMCO…
• Information destruction under cyber attack
• Information modification and altering under cyber attack
• Information leakage, confidentiality breach, intellectual property exposure
• Lack of availability of business critical systems – DDOS attacks…
• Use of corporate assets to launch attacks to third parties – LIABILITY
• Use of corporate assets for non-business activities
• Non-compliance with regulations such as HIPAA/HITECH; GLBA; SOX; SBP-Panama; other
• Ransomware
• ……

Source: GLESEC

Sample list of Risk Conditions

Page 23

How do we deal with this situation?

• Strong Authentication – two and three factors
• Secure Browsing – critical area of concern
• In-transit encryption – SSL vulnerabilities
• Application Firewall
• DDOS Protection and Attack Mitigation
• UTM Protection
• Sensitive Information Management and data leakage protection
• Privileged Identity Management – password management
• Advanced Persistent Threats
• Breach Detection
• End Point Security
• …..

Source: GLESEC

Sample list of Countermeasures

Page 24

How do we deal with this situation?

• Think process, not product

Countermeasures are not just products; they should include all the elements necessary to produce the desired risk mitigation, namely systems, personnel and processes.

It is our experience that when a countermeasure is not part of a security process, the countermeasure becomes obsolete.

Page 25

How do we deal with this situation?

• ISO 27001 international standard promotes the importance of a process for the on-going improvement of the organization’s information security (Information Security Management System – ISMS).

• This includes:

– Understand the organizational security requirements and the need to establish policies and goals to manage information security.

– Implement and operate controls to manage the risks associated with information security.

– Monitor and audit information security.

– On-going improvement based on the monitoring of results against goals.

Think process, not product

Page 26

How do we deal with this situation?

• Operations alone is not enough; this is an intelligence game

– The operation of security systems is a necessary but not sufficient condition for deriving the expected security protection.

– Security systems provide information that, when correlated with the appropriate sources and acted upon, provides the maximum benefit from this particular countermeasure.

Page 27

How do we deal with this situation?

• Why Operations & Intelligence?

– Operations keeps the systems working properly

– Operations, however, does not provide insight into what is actually happening

“Cyber-Intelligence is the extraction of information with the purpose of understanding and responding to attacks and its mitigation” – GLESEC

Page 28

How do we deal with this situation?

• Consider the strengths and weaknesses of your organization

If necessary, outsource to experts when you cannot justify the internal investment or the deviation of business focus away from your core business

Page 29

Closing Remarks

• If we adopt a risk-based model for justification and understand the dynamics of information security, then we can derive a methodology for handling cyber-security

• Risk-based model
• On-going process
• Methodology

Page 30

Closing Remarks

• Countermeasures should be considered as changing dynamically and including products, personnel, systems and processes.

• An on-going, process-based methodology should be utilized

• An outsourcing strategy is sometimes the best solution for an organization.

Page 31

Thank you