Cyber Security: State of the Nation Presented by: Joe LoBianco, CISSP

“There are only two types of companies: those that have been hacked and those that will be.” Robert Mueller FBI Director, 2012

The Threat Landscape Continues to Evolve Which actors should I be worried about? State-sponsored Cyber Warfare 2016+ ? Organized Crime Source: Deloitte

Threats… What is going on out there? Progress works both ways… Information Security Capabilities Threat Actor Capabilities Attackers are continuing recent trends, mirroring macro technology trends Leading to Advancements in… Attack Methods Sophistication/Organization of criminals Types of Targets (Perimeter  Highly Protected)

1. Attack Methods Cost Quality Increasing attack frequency and impact. Economics in action: “cheaper and better” lowers barrier to entry Cost Quality More commoditized Attacks-as-a-Service: Malware, DDoS, Ransomware Malware is more sophisticated Evades detection More modular: Mix and match attack tools Increasing attack frequency and impact. Can’t be sure who the enemy actually is anymore.

2. Attacker Sophistication A rising tide lifts all foes This is not just about Nation States Cheaper, better and more accessible attack methods are enabling all types of criminals by narrowing the sophistication gap High Nation States Organized Crime Level of Sophistication Thieves, Small-scale criminals Low Time

3. Types of Targets Thieves are using better capabilities to eye higher value targets We’ve moved beyond worrying about “Smash and Grab”… Via DDoS, Perimeter Web Systems, Customer Fraud (small loss per account) …to worrying about high impact targets (customer, business) Via internal systems compromise, APTs, Ransomware (destructive malware) targeting organizations

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” Bruce Schneier Cryptographer, Computer Security and Privacy Specialist

3. Types of Targets People and process are now integral to successful attacks Attacks target all dimensions of your organization… PEOPLE PROCESS TECHNOLOGY Social engineering, Insider threats Learn your processes and supply chain to exploit weaknesses Exploit vulnerabilities, attack highly protected assets – not just perimeter targets

Challenges for Security Professionals The bad guys only need to be successful once The challenge is the same as always: Protect against both old and new attacks Key Factors Key Questions Usually measured by the strength of our mature, well-known controls (DDoS, AV, IPS, etc.) Do we think these controls will protect us from the new attacks? Do we even know what controls we need to deal with the newest threats? The people that evaluate us (eg. regulators, auditors, etc.) are typically not evaluating the maturity of threat and risk-based programs How do we balance “hygiene” of old controls and implementation of improved controls?

Advice on Staying Ahead Actions you can take today… 1 Threat Simulation Scenario-based continuous re-evaluation Table-top methods and real-world simulated attacks Simulations are not just for your CIRT, but effective as risk assessment and awareness exercises too Increasing your Information Security capabilities 2 Intelligence in your processes External threat intelligence data Internal incident data Adapt your education and awareness as threats evolve To inform risk assessments 3 Educate the Board Senior level engagement goes to CEO and Board Security must be on their agenda (not optional!) Start with education and not metrics, and don’t tell them that everything is OK

A Cyber-Resilient Organization Balancing investment in several types of defenses Too much focus in one area can leave you exposed on another… Governance Threat Intelligence Threat Mitigation Incident Response