The Game has Changed… Ready or Not!
Ted Lee, Systems Engineering Team Lead
Cyber Attack Trends

Annual number of data breaches reported (Source: Identity Theft Resource Center)
Average annual cost of security incidents among companies with revenues over $1 billion: $3.9 million in 2013, $5.9 million in 2014 (Source: 2015 Global State of Information Security Survey, PwC)
Regulatory mandates: HIPAA, PCI, SOX, HITECH, NERC, NIST

Speaker notes: Whether you're an Info Security, compliance or IT executive today, your job is harder than it has ever been before. The number of data breaches reported today is growing "up and to the right", and so are the annual costs of dealing with the numerous security incidents. At the same time, the regulatory mandates keep changing and increasing. You are likely spending millions of dollars per year on people and technology to deal with these trends, yet the bad guys keep getting through. Why is this the case?
IT Security Challenges

Attackers exploit vulnerable endpoints, then easily move across big flat networks.
"44 percent of known breaches came from vulnerabilities that are 2 to 4 years old" (HP Cyber Risk Report 2015)

The Home Depot: 53 million email addresses and 56 million credit cards; attackers used a stolen vendor credential to access critical systems.
Sony: the cyber attack could cost as much as $100 million; attackers disabled the antivirus on the target machines without detection.
JPMorgan Chase: 76 million households affected; hackers took over a remote server the bank failed to properly update.
OPM: 21 million government employees' identities stolen; OPM did not maintain a comprehensive inventory of servers, databases and network devices.
Anthem: 80 million customer records stolen; "suspicious" administrator activity went unnoticed for months.
Premera: 11 million customers' medical and financial data stolen; Premera's network security procedures were inadequate.

Speaker notes: First of all, the threats are more sophisticated and targeted than ever before. Highly funded adversaries, both nation states and cybercriminals, engage in a marketplace to steal valuable information or cause destruction. As we study how these breaches happen, we see some commonalities. Typically, the attacker leverages well-known vulnerabilities in endpoints, then moves laterally across the network to find the system they really want to exploit. This has been reported again and again.

Background information about these attacks:

Home Depot (http://www.usatoday.com/story/money/business/2014/11/06/home-depot-hackers-stolen-data/18613167/): "Hackers used a vendor's stolen log-on credentials to penetrate Home Depot's computer network and install custom-built malware that stole customer payment-card data and e-mail addresses, the retailer announced Thursday. The company had announced in September that the massive data breach allowed criminals to harvest information from 56 million credit and debit cards in the United States and Canada. The latest revelations Thursday arose from the company's investigation. Another 53 million e-mail addresses were added to the list of compromised data." Also here: https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf

JPMorgan Chase hacking affects 76 million households (http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/?_r=0): Soon after the hacking was discovered at JPMorgan, agents with the F.B.I. determined that the attack was not particularly sophisticated. The hacking succeeded largely because the bank failed to properly update a remote server. In spite of this, it was discovered somewhat by accident and went on long enough to give the hackers access to 90 servers.

Sony: attackers turned off the AV on the machines they breached without letting the server know. "What's unfortunate about this breach is the techniques that were used are not particularly sophisticated" (WSJ, http://www.wsj.com/articles/how-the-sony-data-breach-signals-a-paradigm-shift-in-cybersecurity-1423540851).

Anthem: attackers stole the network credentials of five individuals. The breach was only detected when one of the users noticed queries he had not made.

OPM (http://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/):
Nov 2014: OPM did not maintain a comprehensive inventory of servers, databases and network devices, nor were auditors able to tell if OPM even had a vulnerability scanning program.
May 2015: Premera Blue Cross, one of the insurance carriers that participates in the Federal Employees Health Benefits Program, discloses a breach affecting 11 million customers. Federal auditors at OPM warned Premera three weeks prior to the breach that its network security procedures were inadequate.
May 2015: CareFirst Blue Cross discloses a breach impacting 1.1 million customers. Clues unearthed by researchers point to the same attack infrastructure and methods used in the Anthem and Premera breaches.

HP Cyber Risk Report 2015 (http://www8.hp.com/us/en/hp-news/press-release.html?id=1915228#.Vd5FXbQpKYR): "44 percent of known breaches came from vulnerabilities that are 2-4 years old. Attackers continue to leverage well-known techniques to successfully compromise systems and networks. Every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago."
The Challenging Threat Landscape

Dec 2014: "Within two years, 90% of all IT networks will have an IoT-based security breach"
The number of unmanaged devices is exploding: 20+ billion unmanaged connected devices by 2020 (chart: managed vs. unmanaged devices, 2010 to 2020).
Less than 10% of new devices connecting to the corporate environment will be manageable through traditional methods.

Speaker notes: The second primary reason the bad guys are winning has to do with the rapidly changing landscape of endpoints. By 2020, less than 10% of all new devices connecting to your network will be manageable via an agent. As we all know, putting an agent on devices is the de facto standard for controlling enterprise devices; however, the onslaught of BYOD and IoT makes this no longer possible. IDC is predicting that by the end of next year, 90% of all IT networks will have an IoT-based security breach.

Sources: Gartner, BI Intelligence, Verizon, ForeScout
BI Intelligence forecast: http://marketeyewitness.com/internet-things-industry-future-now/
Gartner forecast: http://www.gartner.com/newsroom/id/2905717
Verizon forecast: http://www.verizonenterprise.com/resources/reports/rp_state-of-market-the-market-the-internet-of-things-2015_en_xg.pdf
IDC: http://www.idc.com/getdoc.jsp?containerId=prUS25291514
IT Security Challenges

Fragmented security lets attackers in.
IBM: "70 to 90 percent of all malicious incidents could have been prevented or found sooner if existing logs and alerts had been monitored"
Verizon Data Breach Investigations Report
"Average time to contain a cyber attack is 31 days" (Ponemon Institute, "2014 Global Report on the Cost of Cyber Crime")
Siloed products: Firewall, SIEM, ATD, VA, Endpoint, Patch, EMM
Security products are siloed. Human beings are needed to compensate for the lack of automation. SecOps teams are overwhelmed and cannot respond in a timely fashion.

Speaker notes: The third major reason the bad guys have an advantage has to do with the lack of coordination between all of our security, management and compliance tools. Each major technology tool does not share information with other relevant tools that could help detect, prevent or respond to a cyber threat. Therefore, people, rather than technology, are required to connect the dots. As we learned from some of these well-publicized breaches, relying on overwhelmed security operations teams to sift through alerts from dozens of tools is a losing proposition. All this fragmentation lets attackers in. The recent Verizon report states that 70 to 90 percent of malicious incidents could have been prevented or found sooner if effective coordination between disparate tools had existed. And once you have been breached, it takes on average 31 days to contain the attack, and we know that much of this delay is caused by the lack of coordination between tools.
http://www.verizonenterprise.com/DBIR/2015/

Notes: Opportunity for the adversaries. "Swivel chair" administration. Builds sometimes trip people up. Defense in depth doesn't work because the tools do not communicate with each other; "throwing people at the problem". How do they work? Human beings. Already overlooked.
The Threat Landscape: 5 Major Trends Emerging 2016

1. Highly Targeted Attacks
   80% of Global 2000 companies hit by targeted attacks
   2.5x increase in losses from targeted attacks year over year
   Sources: 2015 PwC Information Security Breach Study and Symantec Internet Security Threat Report 20 (2015)

2. Credential Theft
   60% can't catch credential thieves today
   40% of Windows hosts have high-risk credentials for pivot points
   Sources: https://www.rapid7.com/docs/Rapid7-IDR-Survey-Report.pdf and http://www.cyberark.com/blog/what-percentage-of-your-windows-network-is-exposed-to-credential-theft-attacks/

3. Insider Element
   41% of breaches caused by trusted partners
   33% of enterprises give partners privileged network access
   Sources: Protiviti 2014 IT Security and Privacy Survey and 2015 PwC Information Security Breach Study

4. Hijacked Security Layers
   26k NetScreen firewalls with a malicious backdoor
   70% of cloud applications impacted by the Heartbleed SSL flaw
   Sources: http://www.securityweek.com/juniper-firewall-backdoor-password-found-6-hours and http://www.csoonline.com/article/3016788/security/junipers-backdoor-password-disclosed-likely-added-in-late-2013.html

5. New Threat Vectors
   5 out of 6 large companies are hit with targeted attacks today
   17% of Android apps are malware
   70% of IoT devices ship with known vulnerabilities
   Sources: https://www.symantec.com/security_response/publications/threatreport.jsp and http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676#.VvLFhpMrK-Y
Can Agents Do It All?
Source: Continuous Monitoring and Threat Mitigation with Next-generation NAC, Frost & Sullivan, October 2015
IoT = Internet of Things

Internet of Things, Ready or Not… Here it Comes!
Chart (1990 to 2020): PCs, then BYOD, then IoT; 5 billion connected devices in 2015 and 20+ billion by 2020. This chart shows a lot of unmanaged devices.
Source: Gartner, Nov. 10, 2015
Typical Mix of Devices in a Network
Unknown: 3%
Notes: a construct of what networks are comprised of today; focus on the 3% of unknown devices.

Current State
Reality: 3% of all devices on the network are unknown. 3% of 5 billion is 150,000,000 endpoints (a.k.a. unknown devices).
What about the Internet of Things (IoT)?
Network connectivity enables these objects to collect and exchange data: video cameras, healthcare equipment, safety equipment, climate control, environmental sensors, vehicles, asset tracking devices, refrigerators, smart homes, trash cans.
Source: http://postscapes.com/internet-of-things-examples/

Agenda: 1. "Survey Says"  2. Change the Rules
We need to first understand the relevant threat landscape; then we can discuss what we can do about it.
Got Blind Spots?
Source: Continuous Monitoring and Threat Mitigation with Next-generation NAC, Frost & Sullivan, October 2015

How Many Network Security Incidents?
72%: percentage of networks that had 5 or more security incidents within the past 12 months.
Source: Continuous Monitoring and Threat Mitigation with Next-generation NAC, Frost & Sullivan, October 2015

Which Devices are Secure?
What devices had 5 or more security incidents in the last 12 months?
Source: Continuous Monitoring and Threat Mitigation with Next-generation NAC, Frost & Sullivan, October 2015
BYOD = Bring Your Own Device; IoT = Internet of Things
Do Agents Provide the Security You Need?
What is your confidence level that agents are installed and working properly on your computers?
Recognizing that answers of "6" and "7" represent high or extreme confidence in agent installations, presented here are replies of 1 through 5, which demonstrate a confidence that is less than "on point."

Many network security administrators use security and management agents to track endpoints on their networks. An agent is a small piece of code installed on an endpoint that associates the endpoint with the enterprise network. The advantage of using agents is that an endpoint is more easily recognized by the network, and communications such as software updates are more easily facilitated between the endpoint and the network. However, there are three significant problems with agents.

The first problem is that the majority of cyber security tools use a "polling" type of scan technology. Commonly, in vulnerability management (VM), security information and event management (SIEM), and other cyber technologies, semi-persistent scanning is initiated. This procedure works well for static devices that are attached to a network by Ethernet. However, as networks are designed to accommodate more mobile devices, much happens dynamically between polling events. Transient devices are easily lost.

The second problem is that agents can be misconfigured or disabled. An enterprise network is often a fluid environment. Endpoints are frequently reconfigured, and office locations are dropped or added. If an agent is not functioning properly, the network loses visibility into the endpoint and security can be compromised. Related to this, the agents required by IT teams cannot be installed on the increasing number of personal (BYOD) and IoT devices on the enterprise network. Hence, reliance on agents means that the network isn't aware of the fastest growing segment of endpoints coming onto the enterprise network, which reduces the organization's security posture.

The last problem with security agents is that reliance on them brings a false sense of security. In the Network Visibility Survey conducted by Frost & Sullivan, security professionals were asked about the confidence levels they had in the antivirus, mobile device management (MDM), encryption, and patch management agents installed on their networks.

Source: Continuous Monitoring and Threat Mitigation with Next-generation NAC, Frost & Sullivan, October 2015
MDM = Mobile Device Management
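The "first problem" above (transient devices lost between polling events) can be made concrete with a small simulation. The following is an added example written for this page, not code from the Frost & Sullivan report or from any vendor product. The device sessions are constructed sample data: each is a device that joins and leaves the network at the given second of a one-hour observation window, and the poller and the event-driven sensor are modelled as plain functions.

```python
"""Why polling-based scanners miss transient endpoints.

Added teaching example (not from the Frost & Sullivan report or any
vendor product). SESSIONS below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    device: str
    connect: int      # seconds after the start of the observation window
    disconnect: int


WINDOW = 3600  # one hour of observation

# Constructed sample: two static wired devices and three transient ones.
SESSIONS = [
    Session("desktop-01", 0, WINDOW),           # wired all hour
    Session("printer-lobby", 0, WINDOW),        # wired all hour
    Session("phone-byod", 300, 420),            # 2-minute Wi-Fi visit
    Session("contractor-laptop", 1200, 1500),   # 5-minute session
    Session("iot-sensor", 2000, 2060),          # 1-minute check-in
]


def seen_by_polling(sessions, interval, window=WINDOW):
    """Devices observed by a scanner (VA, SIEM collector, ...) that polls
    the network every `interval` seconds. A session is observed only if at
    least one poll lands while the device is connected."""
    polls = range(0, window + 1, interval)
    return {s.device for s in sessions
            if any(s.connect <= t <= s.disconnect for t in polls)}


def seen_by_events(sessions):
    """Devices observed by an event-driven sensor that is told about every
    connect (switch, DHCP or RADIUS events): nothing is lost between polls."""
    return {s.device for s in sessions}


def visibility_gap(sessions, interval):
    """Devices the event-driven sensor saw but the poller never did."""
    return seen_by_events(sessions) - seen_by_polling(sessions, interval)


def coverage(sessions, interval):
    """Fraction of sessions a poller at this interval ever observes."""
    return len(seen_by_polling(sessions, interval)) / len(sessions)


if __name__ == "__main__":
    for interval in (600, 300, 60):
        print(f"poll every {interval:4d}s: coverage {coverage(SESSIONS, interval):.0%}, "
              f"missed {sorted(visibility_gap(SESSIONS, interval))}")
```

With a ten-minute poll the two shortest sessions are never observed at all; shortening the interval helps, but only an event-driven source closes the gap for every session regardless of its length, which is the point the report makes about transient BYOD and IoT devices.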
Ready for Automation?
Would your security product benefit if it could automatically invoke a set of predetermined security controls?

The increasing complexity of network and information security burdens security teams that are already overtaxed. Most organizations report that they have too few information security workers. Removing manual tasks through automation would seem to make sense, but there are questions about how willing security professionals are to embrace automation. So, the question was put to the survey respondents: "To what degree would your network benefit if it could automatically invoke a set of pre-determined security controls (network security technology)?" The survey results indicate a clarion call for security vendors to add more automation to their products. (Please see Exhibit 3.) Ideally, IT and security teams would like to be able to customize settings; however, a security tool has to be effective out of the box and has to remain effective when integrated with other tools in a layered cyber defense.

Source: Continuous Monitoring and Threat Mitigation with Next-generation NAC, Frost & Sullivan, October 2015
MDM = Mobile Device Management; SIEM = Security Information and Event Management

Agenda: 1. "Survey Says"  2. Change the Rules
See: Discover, Classify, Assess

Speaker notes: So how do you see these BYOD and unmanaged devices? Thousands of different hardened operating systems, not prone to agents. We need to stay agentless so we see everything. We need to recognize everything: auto-classify 100%. This allows customers to set policies based on real-world use cases (HVAC, printer, BYOD...).

Reviewer comment: On slide 12 it should be DISCOVER, CLASSIFY, ASSESS, in that order. Not sure having the word "integrations" makes sense, since we are not speaking to our solution but rather suggesting what should be done to SEE everything connecting to the enterprise. Can you explain the order of the builds for me? I am sure there is a reason, i.e. give me the talk track.

Less Privileged Access Control
Actions: Quarantine, Block, Limit, Notify
Network zones: Data Center, Corporate Network, Guest Network

Orchestrate: ATD, SIEM, VA, EMM, Custom
IoT Use Case (IOC Scanner)
Integrated systems: Firewall, ATD, SIEM, Endpoint, Patch, EMM
On the network: BYOD devices, IoT devices, corporate devices, rogue devices; corporate file server; Internet

1. Device connects to the network
2. Device is detected and classified as a printer
3. Compromised printer communicates with the corporate file server
4. SIEM/ATD detects an anomaly and forwards the event to CounterACT®
5. Compromised printer is blocked from accessing the network
Advanced Threat Detection Use Case (May 2016)
Components: ATD system, ForeScout CounterACT®, switch, wireless LAN controller, Internet; BYOD devices, managed devices, IoT devices, rogue devices

1. ATD system notifies ForeScout of an infected endpoint and its threat profile
2. ForeScout policy based on the threat classification restricts network access of the endpoint
3. ForeScout initiates managed endpoint remediation actions using details from the ATD system and removes the network access restrictions on the endpoint
4. ForeScout scans other managed endpoints on the network for the IOC and initiates remediation actions
5. ForeScout scans endpoints for IOCs as new endpoints attempt to connect to the network
Reference the acronym glossary at the end of the presentation.
Vulnerability Assessment Use Case (May 2016)
Components: VA system, patch management system, ForeScout CounterACT®, switch, wireless LAN controller, Internet; BYOD devices, managed devices, IoT devices, rogue devices

1. ForeScout detects an endpoint connecting to the network
2. ForeScout requests the VA system to initiate a real-time scan of the endpoint
3. VA system sends scan results to ForeScout
4. ForeScout places the endpoint in a remediation VLAN based on the VA scan results and policies
5. ForeScout requests the patch management system to apply the correct patches
6. ForeScout provides the endpoint with appropriate network access once remediated
Reference the acronym glossary at the end of the presentation.
Enterprise Mobility Management Use Case (May 2016)
Components: EMM server, ForeScout CounterACT®, switch, wireless LAN controller, Internet; BYOD devices, managed devices, IoT devices, rogue devices

1. ForeScout discovers an endpoint connecting to the network
2. ForeScout queries the EMM server to see if the endpoint is managed by EMM; if so, network access continues
3. If the endpoint is not currently EMM managed, ForeScout moves it to restricted access, performs an HTTP redirect and prompts the user to install the EMM agent
4. ForeScout moves the endpoint back to appropriate network access once EMM confirms the endpoint is EMM managed and meets EMM policy
Reference the acronym glossary at the end of the presentation.
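The four use cases above (IoT/IOC scanner, ATD, VA and EMM) all follow one pattern: discover and classify the device without an agent, apply a least-privilege baseline from the "Less Privileged Access Control" slide, then let events from the orchestrated tools raise or lower that access. The block below is an added example written for this page that models that pattern as a small policy engine; it is not ForeScout CounterACT code, nor its API or policy language. The OUI prefixes, device classes, access zones and event payloads are constructed sample data, and the integrated tools are represented only by the events they would send.

```python
"""Event-driven network access control, modelled on the IoT, ATD, VA and
EMM use cases above. Added teaching example: a toy policy engine, not
ForeScout CounterACT code nor its API. All tables and events are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    FULL = "corporate network"
    LIMITED = "device-class VLAN only"     # e.g. printer VLAN, no file servers
    GUEST = "guest network"
    REMEDIATION = "remediation VLAN"       # reaches patch/EMM servers only
    BLOCKED = "no network access"


# Constructed OUI prefixes for the example (not a real IEEE OUI table).
OUI_VENDOR = {"00:11:22": "AcmePrint", "aa:bb:cc": "FruitPhone",
              "de:ad:be": "ThermoSense"}

# Least-privilege baseline applied as soon as a device is classified.
BASELINE = {"printer": Access.LIMITED, "hvac": Access.LIMITED,
            "byod": Access.GUEST, "corporate": Access.REMEDIATION,
            "unknown": Access.REMEDIATION}


def classify(mac, dhcp_vendor_class="", open_ports=()):
    """Agentless classification from passively observed attributes:
    MAC OUI, DHCP vendor class and a lightweight port profile."""
    vendor = OUI_VENDOR.get(mac[:8].lower())
    if vendor == "AcmePrint" or 9100 in open_ports:      # raw-print port
        return "printer"
    if vendor == "ThermoSense" or dhcp_vendor_class.startswith("hvac"):
        return "hvac"
    if vendor == "FruitPhone":
        return "byod"
    if dhcp_vendor_class.startswith("MSFT"):
        return "corporate"
    return "unknown"


@dataclass
class Endpoint:
    mac: str
    kind: str
    access: Access
    log: list = field(default_factory=list)   # audit trail / notifications


class PolicyEngine:
    """Consumes events from the network and from integrated tools
    (SIEM/ATD, VA, EMM) and returns the resulting access decision."""

    def __init__(self):
        self.endpoints = {}

    def handle(self, event):
        mac = event["mac"]
        if event["type"] == "connect":                      # discover + classify
            kind = classify(mac, event.get("dhcp_vendor_class", ""),
                            event.get("open_ports", ()))
            ep = Endpoint(mac, kind, BASELINE[kind])
            if kind == "unknown":
                ep.log.append("notify: unclassified device quarantined")
            self.endpoints[mac] = ep
            return ep.access
        ep = self.endpoints.get(mac)
        if ep is None:                 # alert about a device never discovered
            return Access.BLOCKED
        t = event["type"]
        if t == "emm_status":                               # EMM use case
            ok = event["managed"] and event["compliant"]
            ep.access = Access.FULL if ok else Access.REMEDIATION
        elif t == "va_result":                              # VA use case
            clean = event["critical_vulns"] == 0
            ep.access = Access.FULL if clean else Access.REMEDIATION
        elif t == "ioc_alert":                              # IoT / ATD use cases
            ep.access = Access.BLOCKED
            ep.log.append(f"blocked on indicator {event['indicator']}")
        elif t == "remediated":                # restore the least-privilege baseline
            ep.access = Access.FULL if ep.kind == "corporate" else BASELINE[ep.kind]
        return ep.access

    def sweep(self, indicator, matches):
        """ATD use case step 4: after one endpoint is confirmed infected,
        block every other known endpoint where a scan for `indicator`
        matched. `matches` is the (constructed) scan result."""
        blocked = []
        for mac in matches:
            ep = self.endpoints.get(mac)
            if ep is not None and ep.access != Access.BLOCKED:
                ep.access = Access.BLOCKED
                ep.log.append(f"blocked by sweep for {indicator}")
                blocked.append(mac)
        return blocked


if __name__ == "__main__":
    eng = PolicyEngine()
    printer = "00:11:22:33:44:55"
    print(eng.handle({"type": "connect", "mac": printer, "open_ports": (9100,)}))
    print(eng.handle({"type": "ioc_alert", "mac": printer,
                      "indicator": "smb-to-fileserver"}))
```

The design point is that the baseline is decided by device class, not by whether an agent answered: a printer never receives more than its own VLAN, so a compromised printer talking to the file server is both an anomaly the SIEM can flag and a connection the baseline already denies. Decisions are returned rather than only logged so that each tool's event can be tested in isolation.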
THANK YOU!
Glossary (1 of 3)
BYOD – Bring Your Own Device
IoT – Internet of Things
SIEM – Security Information and Event Management
ATD – Advanced Threat Detection
VA – Vulnerability Assessment
EMM – Enterprise Mobility Management
SQL – SQL Server
DNS – Domain Name System
DHCP – Dynamic Host Configuration Protocol
VPN – Virtual Private Network
PKI – Public Key Infrastructure
SDK – Software Development Kit
HIPAA – Health Insurance Portability and Accountability Act
PCI – Payment Card Industry
SOX – Sarbanes-Oxley
NERC – North American Electric Reliability Corporation
NIST – National Institute of Standards and Technology
HITECH – Health Information Technology for Economic and Clinical Health