The Assumed Breach Model

Presentation transcript:

The Assumed Breach Model A Practical Approach

Manager – Security Architecture. Heavily focused on Cloud/AWS. Experience includes moving from End User Support to Sys Admin, to Consulting, to Information Security, to Security Architecture.

Agenda: Current Landscape; Strategy; Next Steps.

Current Security Landscape: Checking Boxes. We play whack-a-mole with security controls and tools.

Shiny New Toys…Tools. This is a firewall without a strategy.

Primarily Reactive. We just collect logs to collect logs.

What is assumed breach? Simply put: a security strategy that assumes any given endpoint is breached to some extent and controls risk as such.

Strategy: Access Control; Choke Points; Trust Zones; Detection Capabilities.

Principles: Empower Business; Keep It Simple.

Access Control What is being protected? How do we protect it if we assume it is already breached?

Access Control: What is being protected? Internal: Payroll; Policies and Procedures. Restricted: PII, PCI, PHI; SOX, GLBA. Public: Marketing; Public Website.

Access Control: Tiered Access. Lateral Movement; Administrative Access; WannaCry. Reference: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material

Choke Points: Trusted sources; Areas of known activity; Minimize surface areas for non-standard things (e.g. the front gate and not the walls); Not a new concept.

Choke Points

Trust Zones: More than network segmentation. We can have segmentation and still have a flat network. Must empower businesses: with too many hoops to jump through, at best users will be mad; worst case, they will find a way around.

Trust Zones (diagram): Medical Devices/ATMs/ICS; User Networks; VDI; EMR/Mainframe/ICS Servers.

Detection Strategy: Identify the needles before building the haystack; Minimize attack surfaces; Focus on ‘all hands on deck’ alerts; Review alerts vs reports.

Detection Strategy: Don’t try to think like an attacker. Stop trying to prevent the latest and greatest 0-day; just assume it is already there.

Next Steps – Access Control: Minimize perimeter; Control changes; Tiered accounts for administration.

Next Steps – Choke Points: Bring the battle to you; Know what normal looks like; Tiered Accounts; Reduce the noise.

Next Steps – Trust Zones: Segment your network; Know what is supposed to talk to each other; This should be transparent to users; Keep it simple, but not flat.

Next Steps – Detection Capabilities: Use guides (see references); Know what normal is, be able to detect what isn’t; Reduce the noise.
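As an added example that is not part of the talk, the script below applies the tiered-access idea from the Access Control slides to the "know what normal looks like" and "reduce the noise" points: it checks constructed logon events against a simplified three-tier model (Tier 0 identity infrastructure, Tier 1 servers, Tier 2 workstations, after the Microsoft reference linked above), flags privileged accounts appearing on hosts below their tier and hosts missing from the inventory, and folds repeated account/host pairs into one alert. The t0-/t1-/t2- account prefixes, the host inventory and the event fields are assumptions made for the example.

```python
import re
from collections import Counter, namedtuple
# Tier levels: 0 = identity infrastructure, 1 = servers, 2 = workstations.
# Hypothetical host inventory; a real deployment would pull this from the CMDB or AD OUs.
HOST_TIER = {"DC01": 0, "PAM01": 0, "APP01": 1, "SQL01": 1, "WS-0042": 2, "WS-0107": 2}
# Hypothetical naming convention: privileged accounts carry a t0-/t1-/t2- prefix.
TIER_PREFIX = re.compile(r"^t([012])-", re.IGNORECASE)
Logon = namedtuple("Logon", "time account host logon_type")

def account_tier(account):
    """Tier encoded in the account name; plain user accounts are treated as Tier 2."""
    m = TIER_PREFIX.match(account)
    return int(m.group(1)) if m else 2

def check_logon(event, host_tier=HOST_TIER):
    """Return a reason string if the logon breaks the tier model, else None."""
    tier = host_tier.get(event.host)
    if tier is None:
        return "unknown host"  # not in the inventory, so not 'normal': review it
    acct = account_tier(event.account)
    if acct < tier:  # a higher-privilege account exposed its credentials on a lower-tier host
        return f"tier {acct} account on tier {tier} host"
    return None

def find_violations(events, host_tier=HOST_TIER):
    """Collapse repeated offending (account, host) pairs into one alert with a count."""
    hits = Counter()
    reasons = {}
    for ev in events:
        reason = check_logon(ev, host_tier)
        if reason:
            key = (ev.account.lower(), ev.host)
            hits[key] += 1
            reasons[key] = reason
    return [(a, h, reasons[(a, h)], n) for (a, h), n in sorted(hits.items())]

# Constructed sample events (not real logs); fields modelled on Windows Security event 4624.
SAMPLE = [
    Logon("09:01", "t0-admin", "DC01", 10),      # Tier 0 admin on a DC: expected
    Logon("09:05", "jdoe", "WS-0042", 2),        # user on a workstation: expected
    Logon("09:07", "t1-svradm", "APP01", 10),    # Tier 1 admin on a server: expected
    Logon("09:12", "t0-admin", "WS-0107", 10),   # Tier 0 credentials used on a workstation
    Logon("09:13", "t0-admin", "WS-0107", 3),    # same pair again: folded into one alert
    Logon("09:20", "t1-svradm", "WS-0042", 10),  # Tier 1 admin on a user workstation
    Logon("09:31", "jdoe", "LAB-PC9", 2),        # host missing from the inventory
]

if __name__ == "__main__":
    for acct, host, why, n in find_violations(SAMPLE):
        print(f"{acct} -> {host}: {why} ({n} logons)")
```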

References
Don’t Think like an attacker
Strategy:
http://threatexpress.com/2018/01/threat-mitigation-strategies-observations-recommendations/ – James Tubberville – Threat Mitigation Strategies
http://www.andrewalaniz.com/2017/12/10-immutable-laws-assumed-breach/ – Andrew Alaniz – 10 Immutable Laws of Assumed Breach
https://www.slideshare.net/JoeVest1/using-ioc-to-design-and-control-threat-activities-during-a-red-team-engagement – Joe Vest – Using IOCs to control threats
https://technet.microsoft.com/en-us/library/hh278941.aspx – Microsoft – 10 Immutable Laws of Security
Detection:
Mitre ATT&CK – https://attack.mitre.org/wiki/Main_Page
Known IOCs – https://github.com/Neo23x0/sigma
Threat Hunter Playbook – https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/ – Jessica Payne – Tracking Lateral Movement
http://www.andrewalaniz.com/2017/12/assumed-breach-model-practical-approach-part-1/ – Andrew Alaniz – Assumed Breach Model
http://www.andrewalaniz.com/2016/10/windows-event-forwarding-collector-resources/ – Resources for capturing Windows Events