Top Security Priorities 2018


Agenda
- Defining Cybersecurity
- Cybersecurity Challenges
- Evolving our Strategy
- Cybersecurity Models
- Reactive to Proactive

Defining Cybersecurity

Defining Cybersecurity
Cybersecurity spans several overlapping domains:
- Information Security
- IT Security
- OT Security
- IoT Security
- Physical Security
Cybersecurity is an organizational challenge, not an IT, InfoSec, or compliance challenge.

Defining Cybersecurity “Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services. A range of traditional crimes is now being perpetrated through cyberspace. This includes banking and financial fraud, intellectual property violations, and other crimes, all of which have substantial human and economic consequences.” – Source: U.S. Department of Homeland Security

Cybersecurity Challenges

Cybersecurity challenges
- Patching continues to be an issue both externally and internally
- Application patching is less controlled than operating system patching
- Unsupported (end-of-life) systems continue to be an issue
- External vulnerabilities < internal vulnerabilities (as expected); now it is time to focus on internal
- SSL/TLS issue totals are significant (particularly weak cipher suites and old protocol versions); not a major issue at this time, but something to watch in the future
- Exploits and vulnerabilities continue to increase as time goes on
- Every few years there is a major "one-click" exploit, remotely exploitable with no user interaction: MS08-067, Heartbleed, Shellshock, MS15-034, MS17-010 (WannaCry)
- Most vulnerable ports: Windows SMB (445) and web/HTTPS (443)
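The points above suggest an order in which scan findings should be worked: known "one-click" bugs first, end-of-life hosts next, then CVSS, with the internal/external and per-port totals as the planning view. The following script is an added example and not part of the original presentation; the findings are constructed, the record layout (host, zone, port, ids, cvss, os, tls) is an assumed generic scanner export rather than any vendor's schema, and the end-of-life list is an assumption that should be kept in step with vendor lifecycle data.

```python
"""Triage scan findings in the priority order the slide implies.

Added example, not part of the original presentation. FINDINGS is constructed;
the record layout is an assumed generic scanner export, not a vendor schema.
"""
from collections import Counter

# Bulletins/CVEs the slide names as major "one-click" exploits. Any hit outranks
# a bare CVSS score: these are remotely exploitable with no user interaction.
ONE_CLICK = {
    "MS08-067",        # Server service, SMB/445
    "MS17-010",        # SMBv1, SMB/445 (WannaCry)
    "MS15-034",        # HTTP.sys, 80/443
    "CVE-2014-0160",   # Heartbleed (OpenSSL)
    "CVE-2014-6271",   # Shellshock (bash)
}
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Assumed end-of-life prefixes for this example only.
UNSUPPORTED_OS = ("Windows XP", "Windows Server 2003", "Windows 2000")

# Constructed findings: one row per host/port. "tls" holds the protocol versions
# a TLS listener accepted (empty where the port does not speak TLS).
FINDINGS = [
    {"host": "10.0.1.5", "zone": "internal", "port": 445, "ids": ["MS17-010"], "cvss": 8.1, "os": "Windows 7", "tls": set()},
    {"host": "10.0.1.9", "zone": "internal", "port": 445, "ids": ["MS08-067"], "cvss": 10.0, "os": "Windows Server 2003", "tls": set()},
    {"host": "203.0.113.10", "zone": "external", "port": 443, "ids": ["CVE-2014-0160"], "cvss": 7.5, "os": "Linux", "tls": {"TLSv1.0", "TLSv1.2"}},
    {"host": "203.0.113.11", "zone": "external", "port": 443, "ids": [], "cvss": 5.3, "os": "Linux", "tls": {"SSLv3", "TLSv1.2"}},
    {"host": "10.0.2.20", "zone": "internal", "port": 3389, "ids": [], "cvss": 6.5, "os": "Windows Server 2012", "tls": set()},
    {"host": "10.0.2.21", "zone": "internal", "port": 443, "ids": [], "cvss": 4.3, "os": "Linux", "tls": {"TLSv1.1", "TLSv1.2"}},
]


def is_one_click(finding):
    return bool(set(finding["ids"]) & ONE_CLICK)


def is_unsupported(finding):
    return finding["os"].startswith(UNSUPPORTED_OS)


def rank(finding):
    """Sort key: wormable bugs first, then end-of-life hosts, then CVSS."""
    return (is_one_click(finding), is_unsupported(finding), finding["cvss"])


def triage(findings):
    """Work order plus the summary counts a remediation plan is built from."""
    ordered = sorted(findings, key=rank, reverse=True)
    return {
        "order": [f"{f['host']}:{f['port']}" for f in ordered],
        "one_click": sorted({f["host"] for f in findings if is_one_click(f)}),
        "unsupported_os": sorted({f["host"] for f in findings if is_unsupported(f)}),
        "weak_tls": sorted({f["host"] for f in findings if f["tls"] & WEAK_TLS}),
        "by_zone": Counter(f["zone"] for f in findings),
        "by_port": Counter(f["port"] for f in findings),
    }


if __name__ == "__main__":
    for key, value in triage(FINDINGS).items():
        print(f"{key}: {value}")
```

With the constructed data the end-of-life host carrying MS08-067 comes out first, ahead of the MS17-010 host with the lower CVSS; the two external hosts fall below every internal one except the Heartbleed listener, which matches the slide's "focus on internal" point while still pulling wormable bugs to the top regardless of zone.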

Evolving our Strategy

Evolving our Strategy
1. Most Cybersecurity Controls are Preventative in Nature
Preventative Controls:
- Firewalls / Next-Gen Firewalls
- Intrusion Prevention Systems (IPS)
- Anti-virus / Anti-malware
- Application Whitelisting
- Internet Proxies
- Web Application Firewalls
- Web Content Filters
- Data Loss Prevention (DLP)
- Network Admission Control (NAC)
Detective Controls:
- Intrusion Detection Systems (IDS)
- Security Information and Event Management (SIEM)

Evolving our Strategy
2. Cybersecurity is still a people problem
- Security is not "fire and forget"
- Preventative controls are not 100% effective; when they fail, we need a detective control in place
- We can't respond to attacks we don't see
- Having a defined response plan is key

Evolving our Strategy
3. Prevention is ideal but detection is a must
There are three kinds of entities: those that have been hacked, those that will be hacked, and those that won't admit it.

Evolving our Strategy
4. Shift focus from preventing attacks to preventing attacker success
- Move to a goal-oriented defense strategy
- Assess your risk: know your environment and know what attackers are after
- Detect attackers moving toward their goals and execute a rapid response
- Increase threat intelligence (know your enemy)
- Leverage security methodologies and models to your advantage

Cybersecurity models

Cyber Kill Chain – Attack, Defense and Internal Controls
Phases of the (Lockheed Martin) Cyber Kill Chain:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objectives
The attack can be disrupted at any point in the kill chain. Ideally, a company will have controls at each phase to create a defense-in-depth strategy. As the "cyber kill chain" model shows, cyber attacks can and do incorporate a broad range of malevolent actions, from spear phishing and espionage to malware and data exfiltration that may persist undetected for an indefinite period.

MITRE ATT&CK Framework
ATT&CK tactics: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control
Kill-chain phases shown alongside for comparison: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.

Reactive to proactive

What is threat hunting?
- A technique to uncover hidden threats that bypass both preventative and detective controls
- A proactive process of looking for traces of attackers in your IT environment
- An approach that applies threat intelligence, analytics, security tools and human analysis

Why threat hunting?
- Increased stakeholder and Board concerns
- New, more targeted threats
- Increased regulatory and compliance attention
- High-profile breaches result in questions about organizational capabilities for detection and response
- Breach detection may not be formally evaluated by Internal Audit
- Due diligence should be conducted by at-risk organizations
Increasingly hostile cyber-security environment:
- Nation-state sponsored attacks on US companies
- Criminal organizations focused on credit card and identity theft
- More regulatory agency scrutiny across the board
- Increased industry regulation demands (e.g., PCI DSS)
- State and pending federal breach notification laws

A Different Approach
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." – Sun Tzu

Let's get to know the enemy
(Insider threats and compliance "threats" are a different presentation.)
- Credit Card / PII Thieves
- Ransomware Crooks
- Wire Transfer Fraudsters
- Botnet Herders
- Political Attackers
- Intellectual Property Thieves

Let's get to know ourselves
Easier questions:
- What does our network look like (systems, network, users)?
- Where is our sensitive data?
- What are our weaknesses?
Harder questions:
- What programs should be running on our systems?
- What type of traffic is "normal" for us?
- What user activity is normal?
What's the risk?
- Not knowing what you have makes it hard to know what to protect.
- Not knowing your weaknesses makes it hard to know where you will be hit.
- Not knowing what is normal makes it hard to know what is abnormal.
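"What programs should be running on our systems?" is only answerable once a baseline exists; with one, host-based hunting becomes a comparison of a process snapshot against it. The script below is an added example, not part of the original presentation: the baseline, the snapshot, the pids and the process names are all constructed, and the baseline layout (process name mapped to allowed directories and allowed parent processes) is an assumption, not any product's format. It checks more than name membership, because the common evasions are a legitimate name running from the wrong directory, spawned by the wrong parent, or present more times than it should be.

```python
"""Host-based hunting against a known-good process baseline.

Added example, not from the original presentation. BASELINE and SNAPSHOT are
constructed; the baseline layout is an assumption, not a product format.
"""
import ntpath
from collections import Counter

# Constructed baseline for one server role. Each entry: directories the binary
# may run from, and the parent processes that may spawn it (all lower-case).
BASELINE = {
    "smss.exe":     ({r"c:\windows\system32"}, {"system"}),
    "wininit.exe":  ({r"c:\windows\system32"}, {"smss.exe"}),
    "services.exe": ({r"c:\windows\system32"}, {"wininit.exe"}),
    "lsass.exe":    ({r"c:\windows\system32"}, {"wininit.exe"}),
    "svchost.exe":  ({r"c:\windows\system32"}, {"services.exe"}),
    "w3wp.exe":     ({r"c:\windows\system32\inetsrv"}, {"svchost.exe"}),
}
# Processes of which exactly one instance should exist on a host.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}

# Constructed snapshot, in the shape a tasklist / Get-Process export would be
# loaded into. Pids are arbitrary; two rows are deliberately suspicious.
SNAPSHOT = [
    {"pid": 620,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe",      "parent": "wininit.exe"},
    {"pid": 812,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",       "parent": "services.exe"},
    {"pid": 2044, "name": "svchost.exe",  "path": r"C:\Users\Public\svchost.exe",           "parent": "explorer.exe"},
    {"pid": 3120, "name": "w3wp.exe",     "path": r"C:\Windows\System32\inetsrv\w3wp.exe",  "parent": "svchost.exe"},
    {"pid": 4410, "name": "mimikatz.exe", "path": r"C:\Temp\mimikatz.exe",                  "parent": "cmd.exe"},
    {"pid": 5001, "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",         "parent": "wininit.exe"},
    {"pid": 6100, "name": "lsass.exe",    "path": r"C:\Windows\Temp\lsass.exe",             "parent": "cmd.exe"},
]


def hunt(snapshot, baseline=BASELINE, singletons=SINGLETONS):
    """Return (pid, name, reason) for every process that deviates from the baseline.

    A process can produce more than one finding (wrong path AND wrong parent).
    """
    findings = []
    for proc in snapshot:
        name = proc["name"].lower()
        if name not in baseline:
            findings.append((proc["pid"], name, "not in baseline"))
            continue
        allowed_dirs, allowed_parents = baseline[name]
        # ntpath so the Windows path splits correctly on any platform.
        directory = ntpath.dirname(proc["path"]).lower()
        if directory not in allowed_dirs:
            findings.append((proc["pid"], name, f"unexpected path: {directory}"))
        parent = proc["parent"].lower()
        if parent not in allowed_parents:
            findings.append((proc["pid"], name, f"unexpected parent: {parent}"))

    # Second pass: single-instance processes that appear more than once
    # (e.g. a second "lsass.exe" is flagged even if its own row looked clean).
    counts = Counter(p["name"].lower() for p in snapshot)
    for proc in snapshot:
        name = proc["name"].lower()
        if name in singletons and counts[name] > 1:
            findings.append((proc["pid"], name, f"multiple instances: {counts[name]}"))
    return findings


def flagged_pids(findings):
    """Set of pids that need an analyst to look at them."""
    return {pid for pid, _, _ in findings}


if __name__ == "__main__":
    for pid, name, reason in hunt(SNAPSHOT):
        print(f"pid {pid:>5} {name:<14} {reason}")
```

Running it flags the svchost.exe under C:\Users\Public on both path and parent, the unknown binary, and both lsass.exe rows (the genuine one only because there are two); the three legitimate rows produce nothing. The same check applies unchanged to autoruns or service lists once a baseline for them exists.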

Approach to threat hunting
Enterprise-Based Threat Hunting: Check enterprise event logs (SIEM, IDS, FIM, etc.) for signs of hacking tools or customized malware used by attackers. Additionally, gather basic configuration from enterprise systems (running processes, registry, autoruns, etc.).
Network-Based Threat Hunting: Examine network activity logs, NetFlow information and listening ports over a period of time for unusual destinations or patterns of activity that could indicate a persistent attacker connection.
Host-Based Threat Hunting: Perform detailed analysis of running processes, memory dumps and file systems on a sample of systems, looking for signs of malware or malicious activity.

Example Issues Uncovered
- Uninvestigated connections are being made from the organization's network to suspicious destinations (e.g., Russia, China).
- Uninvestigated suspicious patterns of connections are being made from the organization's network to external IP addresses (e.g., a connection every 5 minutes).
- There is a high volume of non-business-critical traffic interfering with the ability to recognize a breach in progress.
- Anti-virus detected hacking tools that could indicate an attacker was in the network, but such detections were not investigated (e.g., how did the tool get on the system?).
- Unauthorized programs are present on key servers without clear business rationale or formal approval.
- Key events are not being monitored or logged, hindering the detection and investigation of potential breaches.
- Existing monitoring efforts are focused only on detecting common malware or hacking attempts, and no proactive searching for targeted attacks occurs.
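The network-based hunting described under "Approach to threat hunting" and the first two issues listed above (connections to watch-listed destinations, and a connection every 5 minutes) come down to two checks over connection logs: destination matching against a list, and regularity of inter-connection timing per source/destination pair. The script below is an added example and not part of the original presentation. Its log lines, internal hosts and external addresses are constructed (the external addresses are RFC 5737 documentation ranges), the log format is an assumed one-record-per-connection layout, and the watch list stands in for a threat-intelligence feed; it is an assumption, not real intelligence.

```python
"""Network-based hunting: beaconing and watch-listed destinations over connection logs.

Added example, not from the original presentation. LOG_LINES, WATCHLIST and the
log format are constructed assumptions for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "threat intel": netblocks this organisation treats as suspicious.
WATCHLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed log format: "<ISO 8601 timestamp> <src> <dst> <dport> <bytes>".
BASE = datetime(2018, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
_JITTER = [0, 4, -3, 6, -5, 2, -2, 3]   # seconds of drift around a 300 s period
LOG_LINES = [
    # implant on 10.0.5.23 checking in roughly every 5 minutes
    f"{(BASE + timedelta(seconds=300 * i + j)).isoformat()} 10.0.5.23 203.0.113.77 443 812"
    for i, j in enumerate(_JITTER)
] + [
    # ordinary browsing from another host: bursty, irregular gaps
    "2018-03-01T09:00:12+00:00 10.0.5.40 203.0.113.10 443 15022",
    "2018-03-01T09:00:13+00:00 10.0.5.40 203.0.113.10 443 9033",
    "2018-03-01T09:01:50+00:00 10.0.5.40 203.0.113.10 443 22019",
    "2018-03-01T09:20:02+00:00 10.0.5.40 203.0.113.10 443 1204",
    "2018-03-01T09:20:03+00:00 10.0.5.40 203.0.113.10 443 30417",
    "2018-03-01T09:44:31+00:00 10.0.5.40 203.0.113.10 443 17640",
    "2018-03-01T09:44:40+00:00 10.0.5.40 203.0.113.10 443 5023",
    "2018-03-01T09:58:10+00:00 10.0.5.40 203.0.113.10 443 12001",
    # one connection to a watch-listed netblock
    "2018-03-01T09:30:00+00:00 10.0.5.40 198.51.100.9 8443 512",
]


def parse(line):
    """Split one constructed log record into typed fields."""
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def find_beacons(lines, min_conns=6, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose connection intervals are nearly constant.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; human traffic is bursty and scores
    near or above 1, a sleep-and-call-home loop scores close to 0.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _ in map(parse, lines):
        by_tuple[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < min_conns:      # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": round(mean), "cv": round(cv, 3), "count": len(times)})
    return hits


def watchlist_hits(lines, watchlist=WATCHLIST):
    """Distinct (src, dst, dport) tuples whose destination falls in a watch-listed netblock."""
    hits = set()
    for _, src, dst, dport, _ in map(parse, lines):
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in watchlist):
            hits.add((src, dst, dport))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES):
        print("beacon:", hit)
    for hit in watchlist_hits(LOG_LINES):
        print("watch-listed destination:", hit)
```

On the constructed data the 10.0.5.23 → 203.0.113.77:443 tuple is reported with a period of about 300 seconds and a CV near 0.02, while the browsing host's irregular gaps score far above the threshold and are ignored. A CV ceiling of 0.1 tolerates a few seconds of drift; an implant that randomises its sleep widely needs a longer observation window or a different statistic, and in practice the beacon list is filtered further by destination reputation and by bytes transferred before anyone investigates it.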

Thank You Mike Ortlieb Director, Protiviti mike.ortlieb@protiviti.com Orlando, FL 407.849.3940