Know What You Are Protecting - antoanthongtin.vn
antoanthongtin.vn/portals/0/newsattach/2015/05/11 -...
Know What You Are Protecting
2014 Vietnam Information Security Day
December 2014
Philip Hung Cao
CISM, CCSK, CNSE, VTSP-NV
©2014, Palo Alto Networks. Confidential and Proprietary.
2
…changing what we do, how we think, how we construct our networks…
3
The Changes
Our Government Networks
Remote
CLOUD(s)
• Hospitals
• Universities
• Schools
• Libraries
• City services
• State services
• Federal services
4
The Evolution of The Network
Greater mobility, more applications, private, hybrid and public cloud use.
Figure: application icons (VNC, SMB, pop3, snmp, dns, telnet, LDAP, ftp, SSL)
5
Data improves all of our services
National government, “Local” government, Lower education, Higher education, Public Healthcare
Your citizens’, students’, employees’, patients’ worlds are changing – so will yours.
6
INFORMATION SECURITY MANAGEMENT
Known threats
Identity compromise
Zero-day exploits / vulnerabilities
Evasive command-and-control
Unknown & polymorphic malware
Mobility threat
DATA IS LUCRATIVE FOR ALL
But governments are often not ready & operate in the blind despite these drastic changes
7
Vision
Connecting
– Your Citizens
– Your Students
– Your Patients
– Your Employees
to
– INFORMATION
When and where they need it
Securing it … contextually – ensuring the RIGHT people get the RIGHT information … SMART Security
9
In the demand for access to more data, faster
Our network security has not kept up
• Add patchwork of security functions
• Stay in the comfort zone
• Focus on most frequent attack vectors
• Ignore lateral movements and callbacks
Know what is happening on your network
Start with the Basics
10
Visibility to applications, content and users
What is the status of your data use policies?
How are they enforced?
What is your data segmentation strategy?
Who is running what applications with what information?
Know the pitfalls
– Common applications and protocols are often used maliciously
– Common applications are highly targeted for exploits
– Malicious actors hide their C2 and other traffic within encrypted communications
– Attackers hide “in plain sight”
– Normal hours
– Normal traffic
– Credential theft
11
Your Network has encrypted traffic – is it good or bad?
Figure: malware families shown on the slide (TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Citadel, Aurora, BlackPOS)
12
Common Applications have heaviest exploit activity
10 applications transmitted 94% of the exploit logs
Source: Palo Alto Networks Application Usage and Threat Report (AUTR) – survey of >5,500 networks
14
Civilian agency – lack of segmentation example
Maintain access
Spearphished or waterholed executive
Moved laterally within network
Exfiltrated data
Recon on agency and typical patterns
Breached network with stolen credentials
15
National Association of Counties
“We needed to take a proactive approach to managing the risk to our business caused by P2P and malware. Our existing firewall offered very limited visibility into what was happening on my network... I now know what is going on with my network, and I can proactively tackle issues before they become problems. I can also enforce policy for what applications are allowed on the network.”
- Bert Jarreau, CIO, NACo
• 3,066 county governments in the U.S.
• Resource for elected county officials
• Access value-added services: Grant submissions, population counts, economies, transportation funding and financing, etc.
• Access from locations all over the country
17
Best Practices for a Data-driven Government
Establish good data hygiene and data protection plan
– ISO 27000 series
– OECD privacy principles
– Government Security classifications
– Cloud Security Alliance (CSA) Cloud Controls Matrix
Regularly review data, application use cases with stakeholders
Review security and network architecture
Cultivate a workforce of joint ownership
– Network and security
– IT & SCADA
18
Tactics, including Network Segmentation
Establish ongoing visibility: All applications, content and use cases
– Contextual user access: Tie applications to users
– Block or tightly control unknown traffic
– “Decrypt and inspect” select applications
Segment the Network
– Eliminate the risk, eliminate free lateral movement throughout the organization
– Treat ICS/SCADA differently and lock down all but a short list of protocols
– Tie users: applications with centralized policies
– Particularly important for mobile, operational users
– Consider all connected devices
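The segmentation tactics above, modelled as a small first-match policy evaluator. This is an added example, not code from the slides or from Palo Alto Networks; zone names, user groups, application names and the sample flows are all constructed assumptions.

```python
# Added example (not from the slides): a first-match segmentation policy that
# blocks unknown traffic, keeps a short protocol allow-list for the ICS/SCADA
# segment, ties rules to user groups rather than addresses, and denies the rest.
# Zones, groups, application names and sample flows are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str            # app as identified by the firewall; "unknown-tcp" when unidentified
    groups: frozenset   # groups of the authenticated user (empty if unauthenticated)

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str       # "any" matches every zone
    dst_zone: str
    apps: frozenset     # {"any"} matches every identified application
    groups: frozenset   # empty = any user; otherwise the user must be in one of them
    action: str         # "allow" or "deny"

POLICY = [
    # ICS/SCADA: short protocol list, only for the OT group, everything else denied
    Rule("scada-allowlist", "corp", "scada", frozenset({"modbus", "dnp3"}), frozenset({"ot-engineers"}), "allow"),
    Rule("scada-deny-rest", "any", "scada", frozenset({"any"}), frozenset(), "deny"),
    # Business apps are reached by group membership, not by subnet
    Rule("erp-finance", "corp", "datacenter", frozenset({"erp-web"}), frozenset({"finance"}), "allow"),
    Rule("web-out", "corp", "internet", frozenset({"web-browsing", "ssl"}), frozenset(), "allow"),
]

def evaluate(flow, policy=POLICY):
    """Return (action, rule_name); unidentified apps are blocked before any rule is consulted."""
    if flow.app.startswith("unknown-"):
        return ("deny", "block-unknown-traffic")
    for r in policy:
        if r.src_zone not in ("any", flow.src_zone) or r.dst_zone not in ("any", flow.dst_zone):
            continue
        if "any" not in r.apps and flow.app not in r.apps:
            continue
        if r.groups and not (r.groups & flow.groups):
            continue
        return (r.action, r.name)
    return ("deny", "default-deny")  # nothing matched: no free lateral movement

# Constructed flows: a legitimate OT session, then a compromised corporate host
# trying to move laterally with stolen non-finance credentials and to call out
SAMPLE = {
    "ot-modbus":   Flow("corp", "scada", "modbus", frozenset({"ot-engineers"})),
    "lateral-smb": Flow("corp", "datacenter", "smb", frozenset({"staff"})),
    "scada-http":  Flow("corp", "scada", "web-browsing", frozenset({"staff"})),
    "c2-unknown":  Flow("corp", "internet", "unknown-tcp", frozenset({"staff"})),
}

def simulate(flows=SAMPLE):
    return {name: evaluate(f) for name, f in flows.items()}
```

Only the OT engineer's Modbus session is allowed; the lateral SMB attempt, the HTTP probe into the SCADA zone and the unidentified outbound connection are each denied by a different rule, which is the log trail a defender would expect to see.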
19
Evolve into a Strategic Intelligence Team
• Transition “incident response”
• Consistent, repeatable process
• Senior leaders drive direction
• Follow Intel lifecycle
• Inform your “Community”
• Reduce alert data
• Automate correlation of security insights – from all critical locations
• Stop any point in the kill chain*
Intel lifecycle: Direction, Collection, Analysis, Dissemination
20
Cultivate an Innovative Workforce
• Increased efficiency
• New revenue streams
• Better citizen connectedness
• Competitive differentiation
• Improved government: citizen/patient/student experience
Cultivate a New Information Security mindset
21
SMART GOVERNMENT needs
SECURE GOVERNMENT