Gaining The Decisive Advantage: Outmaneuver, Outperform, and Outfight Adversaries

Presentation transcript:

Gaining The Decisive Advantage: Outmaneuver, Outperform, and Outfight Adversaries

Speaker notes: The original submission with this presentation was done while I was still a federal employee. I retired from federal service at the end of February and became the CTO for Fidelis Cybersecurity. The majority of this presentation is based on work I performed while still with the federal government working on an effort called NSCSAR, now known as DODCAR. The latter part of this presentation is a vendor perspective on how to achieve many of the strategies identified within that body of work.

Background notes:
- Meeting with DOD CIO Mr. Halverson: NSA called downtown to explain what we are doing about the number of breaches; basically told our current approach was not effective.
- Current approach was programming making their case downtown; lack of a holistic strategy.
- 60-day tasker; NSCSAR becomes DODCAR/.govCAR.
- Basic approach was: cyber threat framework, map existing capabilities, identify gaps.
- Session tomorrow.

Breaches Happen and the Costs are Large!

- Approximately 41,686 security incidents in 2018 [1]
- Average time to identify a threat is 197 days and to contain it is 97 days [2]
- Average cost of a data breach has increased over the last 5 years to a current cost of $3.92 million [2]
- Companies that identify a breach in under 100 days can save more than $1 million [2]

Speaker notes: These statistics reinforce the point that traditional cybersecurity defenses are not effective against advanced persistent threats. Some of the key statistics in the Verizon report:
- Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018
- Phishing is involved in 32% of breaches and 78% of cyber-espionage incidents
- 90% of malware arrived via email
- 60% of web application attacks were on cloud-based email servers
- 52% of cyberattacks involve hacking and 34% of attacks involved insiders
- 43% of cyberattacks were on small businesses
- Ransomware is the second biggest malware threat and accounted for 24% of malware-related breaches

According to the annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security: data breaches have become such a common occurrence that hardly a week goes by when a business, organization, government department, bank, or educational establishment does not admit to the existence of one in their networks or systems. While the financial penalties can vary depending on the size of a business, a data breach can wreak havoc and the long-term cost may not be immediately apparent. The average financial impact of a data breach continues to rise and now can cost the average business up to $3.92 million, according to new research.

Sources:
[1] 2019 Verizon Data Breach Investigations Report
[2] 2018 Cost of a Data Breach, Ponemon Institute

Security Operation Centers (SOCs) Under Siege

- Lack full visibility of devices on the network and no contextual understanding of threats
- Overwhelming volumes of alerts to triage and investigations to conduct
- Capabilities are not fully utilized, while duplicative capabilities add complexity
- Products lack integration and automation, slowing down response times
- Focus on reactive measures rather than predictive or proactive approaches
- More data isn't better: it's about zeroing in on the right data and making it actionable
- There is no holistic understanding of a composite solution's effectiveness

Speaker notes: Security Operation Centers (SOC) are overwhelmed by the sheer volume of alerts lacking context and the number of investigations demanding their attention. Security analysts are often presented with more alerts than are humanly possible to triage and investigate, granting adversaries more time to evade detection because of the time required by SOCs to detect and respond. These problems are further exacerbated by a rising skills gap as organizations struggle to build an adequate bench of expertise. More data is not necessarily a good thing. The focus should be on zeroing in on the right data with advanced analytics in place to process the data and make it actionable.

Some organizations have as many as 75 different cybersecurity vendors inside their networks. These can include multiple firewalls, antivirus tools, intrusion detection and intrusion prevention systems, data loss prevention, network packet capture tools, web application firewalls, and advanced threat protection tools, to name just a few. Each product has its own management system, and these products lack the integration, automation, and interoperability to share cyber threat information across and between networks, thus slowing down response and remediation times. Given this piecemeal addition of new capabilities, organizations need to take a step back and re-evaluate their security infrastructure to determine whether all these solutions are still necessary.

What's often discovered is that many of these products are not fully utilized and/or these products are providing duplicative capabilities, which results in additional complexity with no beneficial effect on security posture. Organizations need to adopt a cyber threat framework to assess the composite solution effectiveness, i.e., whether their existing cybersecurity infrastructure can provide 100% coverage against the attacker.

Key Findings: State of Threat Detection Report

Lack of Visibility and Automation are Major Pain Points
- 57% reported lack of device visibility
- 53% reported lack of automation

The Security Stack is Not Optimized
- Less than 7% are using their security stack to its full capability
- 62% are not using half or more of their stack to its full capability

Are you using your full security stack to its full capability?

Source: 2019 State of Threat Detection, Fidelis Cybersecurity

What if You Could Re-Imagine Your Security Stack?

So… it's easy to say security operations should function a certain way, but how do we get there?

Checklist for Re-Imagining Your Security Stack

- Determine Existing Vendor Product Utilization
- Integrate, Automate, and Share Intelligence Amongst Products
- Map Existing Capabilities Against Cyber Threat Frameworks
- Collect the right data to answer "Who, What, Where, When, and How"
- Identify Duplicative Capabilities and Technology/Operational Gaps
- Operate Inside the Attacker's Decision Cycle to Gain The Decisive Advantage
- Fortify Reactive Capabilities with Predictive, Proactive Capabilities

Speaker notes: Digital transformation is providing companies a unique opportunity to rethink how technology, people and processes can be used to fundamentally change business performance. Integration of business systems, information technology, and operational technology will fundamentally transform the effectiveness and efficiency of business operations. This digital transformation must be underpinned by a corresponding transformation in cyber security, moving from an unmanageable collection of point solutions aimed at detecting and responding to cyber incidents (i.e., "reactive" cyber security) to an integrated data-driven approach aimed at predicting and preventing cyber threats (i.e., "proactive" cyber security).

Shifting cyber security from a reactive to a proactive posture requires 1) an integrated approach that can operate across the full spectrum of prevention, detection, hunting, and response; 2) a deep understanding of the cyber terrain that is being defended; 3) robust threat intelligence to alert defenders to the emerging and evolving threats most likely to impact their networks and systems; 4) advanced analytics and machine learning technologies to, for example, stitch together seemingly unrelated events occurring across the enterprise to produce high confidence and actionable alerts; 5) retrospective analysis of how threats originally manifested within the environment; and 6) automation and orchestration to improve the efficiency and speed with which security staff are able to maintain a secure environment, investigate anomalies, and respond to cyber incidents. In a nutshell, security must be integral, holistic, and automated from the onset rather than pieced together over time…
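Three of the checklist items (determine product utilization, map existing capabilities against a cyber threat framework, identify duplicative capabilities and gaps) are the same pattern the NSCSAR/DoDCAR notes describe: take a threat framework, map each deployed product onto it, and score the composite result. The Python below is an added example of that mapping, not code from the presentation, from Fidelis, or from the DoDCAR program. The framework stages and actions, the product names, the capability mappings and the "enabled" flags are all constructed sample data chosen to exercise the gap, duplicate and utilization checks; a real assessment would load the full framework and an actual product inventory in their place.

```python
"""
Threat-framework coverage and gap analysis in the style of the NSCSAR/DoDCAR
approach: map each deployed product's capabilities onto a cyber threat
framework, then report composite coverage, gaps, duplicates and unused products.
Every framework action, product and mapping here is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed miniature threat framework: stage -> adversary actions.
# A real program would load the full framework's objective/action list instead.
FRAMEWORK = {
    "Engagement": ["phishing_delivery", "exploit_public_app"],
    "Presence":   ["credential_dumping", "lateral_movement", "persistence"],
    "Effect":     ["data_exfiltration", "data_encryption"],
}

# Defensive functions a capability can provide against an action.
FUNCTIONS = ("protect", "detect", "respond")


@dataclass
class Product:
    name: str
    # framework action -> set of functions this product provides for it
    capabilities: dict[str, set[str]] = field(default_factory=dict)
    # "product utilization": deployed but switched off contributes no coverage
    enabled: bool = True


def all_actions():
    """Framework actions in stage order, so reports read stage by stage."""
    return [a for actions in FRAMEWORK.values() for a in actions]


def coverage_matrix(products):
    """Return {action: {function: [product names]}} for enabled products only."""
    matrix = defaultdict(lambda: defaultdict(list))
    for p in products:
        if not p.enabled:
            continue
        for action, funcs in p.capabilities.items():
            for f in funcs:
                matrix[action][f].append(p.name)
    return matrix


def gaps(products, function="detect"):
    """Framework actions with no enabled product providing the given function."""
    m = coverage_matrix(products)
    return [a for a in all_actions() if not m[a][function]]


def duplicates(products):
    """(action, function, [products]) wherever 2+ enabled products overlap."""
    m = coverage_matrix(products)
    return [(a, f, sorted(m[a][f]))
            for a in all_actions() for f in FUNCTIONS if len(m[a][f]) > 1]


def composite_coverage(products, function="detect"):
    """Fraction of framework actions covered for the given function (0.0..1.0)."""
    acts = all_actions()
    return (len(acts) - len(gaps(products, function))) / len(acts)


def unused_products(products):
    """Deployed products that are switched off (the 'not fully utilized' finding)."""
    return [p.name for p in products if not p.enabled]


def report(products):
    """Human-readable summary a stack review would start from."""
    lines = [f"Composite detect coverage: {composite_coverage(products):.0%}"]
    for f in FUNCTIONS:
        lines.append(f"{f} gaps: {', '.join(gaps(products, f)) or 'none'}")
    for a, f, names in duplicates(products):
        lines.append(f"duplicate {f} on {a}: {' + '.join(names)}")
    for name in unused_products(products):
        lines.append(f"deployed but disabled: {name}")
    return "\n".join(lines)


# Constructed sample stack: names and mappings are illustrative only.
SAMPLE_STACK = [
    Product("MailGateway", {"phishing_delivery": {"protect", "detect"}}),
    Product("NetworkIPS", {"exploit_public_app": {"protect", "detect"},
                           "lateral_movement": {"detect"}}),
    Product("EDR", {"credential_dumping": {"detect", "respond"},
                    "persistence": {"detect", "respond"},
                    "lateral_movement": {"detect"}}),
    Product("LegacyAV", {"persistence": {"detect"}}),          # overlaps EDR
    Product("DLP", {"data_exfiltration": {"detect", "protect"}},
            enabled=False),                                    # bought, never turned on
]

if __name__ == "__main__":
    print(report(SAMPLE_STACK))
```

Running it on the constructed stack shows the three findings the talk calls out: a detect gap on data_exfiltration that exists only because the DLP product is deployed but disabled (enabling it closes that gap), a redundant persistence detector (LegacyAV beside EDR), and respond coverage far below detect coverage, which is the kind of per-function view a "100% coverage of the framework" claim has to be checked against.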

Gain The Decisive Advantage

- Ensure continuous real-time visibility of managed/unmanaged assets (which assets have vulnerabilities, what is critical, where is sensitive data, what are the high-risk paths) to minimize blind spots in the environment
- Build threat-driven operations to understand and respond in real time, because you can't defeat what you don't detect
- Shape the adversary experience by modifying the attack surface in favor of the defenders to add cost, risk, and complexity to their operations
- Consolidate the stack with proactive, protective, predictive, reflective, and reactive defensive cyber operations into a single coherent interface

Full Spectrum Defensive Cyber Operations

Proactive Capabilities
- Terrain-Based Cyber Defense™: identify inventory of managed and unmanaged assets, high-risk assets/paths, lateral movement, cyber risk score, metadata records of all endpoint and network activity
- Dynamic Deception: configure attack surface; increase adversary cost, complexity, and risk

Protective Capabilities
- Distributed Protection: network IPS and DLP, Endpoint Protection Platform (EPP), endpoint DLP

Reactive Capabilities
- Threat-Driven Operations: automate post-breach detection and response actions

Predictive Capabilities
- Machine Learning/Artificial Intelligence Based Analysis: detect anomalous activity, determine probability of compromise, analysis of metadata in search of known/unknowns

Retrospective Capabilities
- Automated Retrospective Analysis: continuously collect and assess metadata (all communication paths) against new threat intelligence

Artificial Intelligence / Machine Learning

- Identify and discover malicious attackers through complex correlation and analysis of multiple data sets
- Respond predictively and proactively, rather than reactively, to individual threats
- Dynamically change defensive posture in response to evolving cyber threats

… At the same time, attackers will be using AI/ML to execute their attacks more effectively and efficiently.

Skilled Workforce

Automation is the workforce multiplier to detect and remediate sophisticated attackers; automation tools include:
- Security Automation Orchestration Response (SOAR)
- Robotic Process Automation (RPA)

By scaling down unnecessary, redundant security devices and integrating what remains, cybersecurity solutions become more effective than ever.

Stack Consolidation Must Begin Today!

Vendor Platform

In Summary

- Streamline cybersecurity defenses to maximize operational effectiveness and efficiency
- OUTPERFORM the adversary by investing in reactive, proactive, and predictive capabilities to provide 100% coverage of the cyber threat framework
- OUTFIGHT the adversaries by delivering robust threat intelligence and hunting for advanced threats within our rich metadata
- OUTMANEUVER the adversary by altering the percentage of overall exploitable terrain using dynamic deception
- Operate Inside the Attacker's Decision Cycle to GAIN THE DECISIVE ADVANTAGE

Speaker notes: Traditional cybersecurity defenses must transition from an unmanageable collection of point solutions aimed at detecting and responding to cyber incidents (i.e., "reactive" cyber security) to an integrated data-driven approach aimed at predicting and preventing cyber threats (i.e., "proactive" cyber security). Shifting cyber security from a reactive to a proactive posture requires 1) an integrated approach that can operate across the full spectrum of prevention, detection, hunting, and response; 2) a deep understanding of the cyber terrain that is being defended; 3) robust threat intelligence to alert defenders to the emerging and evolving threats most likely to impact their networks and systems; 4) advanced analytics and machine learning technologies to stitch together seemingly unrelated events occurring across the enterprise to produce high confidence and actionable alerts; and 5) automation and orchestration to improve the efficiency and speed with which security staff are able to maintain a secure environment, investigate anomalies, and respond to cyber incidents. Security must be integral, holistic, and automated from the onset rather than pieced together over time.

Questions

Craig Harber, Chief Technology Officer
Craig.Harber@fidelissecurity.com

DoD Cybersecurity Analysis and Review (DoDCAR) Program Office
DoDCAR_Outreach@nsa.gov