Cyber Defense Tool Limitations and What Our Leaders Should Be
Doing About Them
Current state of cyber breaches, tool gaps, and future advancements
Tim Ryan
• Partner, Ernst and Young LLP, US Cyber Investigations Leader
• Lead cyber investigations for audit and non-audit clients
• Led the cyber security and investigations group at an international risk management firm
• Led the largest cyber squad in the US for the FBI and led one of the largest criminal computer forensic labs for the FBI
• Special agent and computer forensic examiner
• JD Rutgers; MS IT/IA Univ. MD
The views expressed in this presentation are my own and not necessarily those of EY. This presentation is for educational purposes only.
Perspective
• It's not if you will get hacked; it's how bad the hack will be.
• This perspective focuses on the root cause and mitigation of cybersecurity failures.
Core problems
• Systems are detecting intruders, and then nothing happens
  • Case study: an alert fired 2 months prior to the investigation and was never acted on
• Failing to eradicate the intruder
  • The initial malware deployment is cleaned up, but how the intrusion has metastasized through the environment is never understood
• Common vulnerabilities
  • Technical debt: lack of investment in system maintenance
What is lacking from a tool perspective
• Too many false positives
• Tools do not automatically baseline the system, so detecting anomalies is difficult.
• Alerts do not automatically trigger the appropriate response; they are handed to a human, which is where things sometimes go wrong.
• Training and experience dependencies are not factored into tool purchase
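The baselining gap above is easier to see in code. The following is an added example, not from the presentation: it learns, per host, which (user, parent process, process) combinations appeared during a learning window and then flags events on a later day that fall outside that set. The log lines, hostnames, usernames and the five-field record layout are all constructed for illustration.

```python
# Added example, not from the presentation: a minimal behavioural baseline
# of process-creation telemetry per host, used to surface events that fall
# outside what was observed during a learning window. All log lines are
# constructed for illustration; the field layout is an assumption.
from collections import defaultdict

# Constructed telemetry: timestamp host user parent_process process
LEARNING_WINDOW = """\
2024-03-01T08:01:00 ws-017 tryan explorer.exe outlook.exe
2024-03-01T08:02:10 ws-017 tryan explorer.exe chrome.exe
2024-03-01T09:15:00 ws-017 tryan outlook.exe winword.exe
2024-03-02T08:00:30 ws-017 tryan explorer.exe outlook.exe
2024-03-02T10:40:00 ws-017 tryan explorer.exe excel.exe
2024-03-03T08:05:00 ws-017 tryan explorer.exe outlook.exe
2024-03-03T09:00:00 srv-db1 svc_sql services.exe sqlservr.exe
"""

# Constructed telemetry for the day being monitored. The winword.exe ->
# powershell.exe -> rundll32.exe chain never appeared in the learning window,
# and ws-099 was never profiled at all.
MONITORED_DAY = """\
2024-03-04T08:00:00 ws-017 tryan explorer.exe outlook.exe
2024-03-04T11:22:13 ws-017 tryan winword.exe powershell.exe
2024-03-04T11:22:20 ws-017 tryan powershell.exe rundll32.exe
2024-03-04T11:30:00 ws-017 tryan explorer.exe chrome.exe
2024-03-04T12:00:00 ws-099 tryan explorer.exe outlook.exe
"""


def parse(log):
    """Split whitespace-separated records into dicts; blank lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, proc = line.split()
        events.append({"ts": ts, "host": host, "user": user,
                       "parent": parent, "proc": proc})
    return events


def build_baseline(events):
    """Per host, count how often each (user, parent, process) triple ran.
    Counts are kept so that rare-but-seen behaviour can be scored later,
    not only never-seen behaviour."""
    baseline = defaultdict(lambda: defaultdict(int))
    for e in events:
        baseline[e["host"]][(e["user"], e["parent"], e["proc"])] += 1
    return baseline


def find_anomalies(baseline, events):
    """Return (event, reason) pairs for events outside the baseline.
    A host with no baseline at all is flagged too: a machine the tooling
    has never profiled is itself something to look at."""
    hits = []
    for e in events:
        key = (e["user"], e["parent"], e["proc"])
        known = baseline.get(e["host"])
        if known is None:
            hits.append((e, "host not in baseline"))
        elif key not in known:
            hits.append((e, "never seen on this host"))
    return hits


def run():
    """Build the baseline from the learning window and check the monitored day."""
    baseline = build_baseline(parse(LEARNING_WINDOW))
    return find_anomalies(baseline, parse(MONITORED_DAY))


if __name__ == "__main__":
    for event, reason in run():
        print(f'{event["ts"]} {event["host"]} '
              f'{event["parent"]} -> {event["proc"]}: {reason}')
```

Two caveats a practitioner would add. First, a baseline learned while the intruder is already present learns the intruder as normal, which is exactly the situation of the two-month-old alert above, so the learning window has to be chosen and reviewed, not just accumulated. Second, this keys on three fields; real tooling adds command lines, signer, network destinations and so on, which is where the false-positive rate is won or lost.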
Detection
[Figure: detection and response timeline. Labels on the figure: Evidence destruction; Other detection and machines wiped; Company unable to look for attacker fingerprints; Unknown level of compromise. Response stages shown: Alert, Drill, Extrapolate, Contain, Eradicate, Report.]
Developments: Integration and Orchestration
[Figure: integration and orchestration across three layers: Detection systems; Alerting workflows; Response integration.]
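The orchestration idea on this slide, and the earlier point that alerts are handed to a human and then stall, can be made concrete. The following is an added example, not from the presentation: an alert dispatcher that maps each detection to a predefined playbook, runs the containment steps that are safe to automate when confidence is high, queues everything else for an analyst, and reports alerts nobody has acknowledged within an SLA. The alert categories, playbook steps, thresholds, the four-hour SLA and the sample alerts are all assumptions.

```python
# Added example, not from the presentation: alert-to-response orchestration.
# Alert kinds, playbook steps, thresholds, the SLA and the sample alerts are
# assumptions; in a real deployment each step would call an EDR, identity
# provider or ticketing API.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Alert:
    id: str
    host: str
    kind: str                   # detection category
    confidence: float           # 0.0 - 1.0 as reported by the detection system
    raised_at: datetime
    acknowledged_at: Optional[datetime] = None


# Steps run automatically at or above the threshold; below it the alert is
# queued for an analyst. Evidence-preserving steps come first, and wiping or
# reimaging a host is deliberately not an automated step: it destroys what the
# investigation later needs.
PLAYBOOKS = {
    "malware_execution": {
        "threshold": 0.90,
        "auto": ["preserve_memory_image", "isolate_host", "open_ticket"],
    },
    "suspicious_login": {
        "threshold": 0.80,
        "auto": ["revoke_sessions", "force_reauth", "open_ticket"],
    },
}
ESCALATE_AFTER = timedelta(hours=4)   # assumed SLA for a human to acknowledge


def dispatch(alert, actions):
    """Decide what happens to one alert. `actions` collects (alert id, step)
    pairs in execution order. Returns the outcome for the alert."""
    playbook = PLAYBOOKS.get(alert.kind)
    if playbook is None:
        # Unknown categories are never silently dropped.
        actions.append((alert.id, "open_ticket"))
        return "ticketed"
    if alert.confidence >= playbook["threshold"]:
        for step in playbook["auto"]:
            actions.append((alert.id, step))
        return "auto_contained"
    actions.append((alert.id, "open_ticket"))
    return "ticketed"


def overdue(alerts, now):
    """Alerts that have sat unacknowledged past the SLA. Automated containment
    does not clear an alert: a human still has to look at it, otherwise this is
    how an alert sits for two months before the investigation starts."""
    return [a for a in alerts
            if a.acknowledged_at is None and now - a.raised_at > ESCALATE_AFTER]


def run():
    """Dispatch a constructed batch of alerts and report what is overdue."""
    now = datetime(2024, 3, 4, 18, 0)
    alerts = [  # constructed sample alerts
        Alert("A-1", "ws-017", "malware_execution", 0.97, datetime(2024, 3, 4, 11, 22)),
        Alert("A-2", "ws-023", "suspicious_login", 0.55, datetime(2024, 3, 4, 9, 0)),
        Alert("A-3", "srv-db1", "config_drift", 0.70, datetime(2024, 3, 4, 17, 30)),
    ]
    actions = []
    outcomes = {a.id: dispatch(a, actions) for a in alerts}
    late = [a.id for a in overdue(alerts, now)]
    return outcomes, actions, late


if __name__ == "__main__":
    outcomes, actions, late = run()
    print(outcomes)
    print(actions)
    print("unacknowledged past SLA:", late)
```

The design point is that the mapping from alert to action is written down in advance and executed by the system, so the only decision left to a person is the one that genuinely needs judgement, and the overdue report makes the absence of that decision visible rather than silent.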
Developments: Training
• User Awareness
  • Phishing
  • Compliance/Policy
• Incident Response Planning and Table Top Exercises
  • A table top exercise is a simulated event meant to tease out critical principles and identify response challenges
• Operationalize policy (IRP) into tactical decision-making
[Figure: training quadrants. User level: compliance and policies; attack sensitization. Corporate level: table top exercise; simulated attack.]
Developments: Endpoint focus
The endpoint is usually the workstation a user operates (desktop or laptop). Many attacks begin by implanting malware on the endpoint; from there the attacker gains a foothold inside the castle and starts looking around for what can be stolen.
The endpoint is therefore often a critical piece of the attack, and effectively monitoring and controlling it is important. Expert analysis is required to interpret what the endpoint tooling reports.
Developments: Zero Trust Networks
The Problem With Trust
• Old paradigm
• Current attacks
What Zero Trust Looks Like
• All devices belong to an inventory
• All communications are encrypted
• Authorization is based on the device identity, the user identity, and the requested resource identity.
For example:
Tim Ryan using an up to date, hardened corporate laptop, wants to access his corporate email.
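The slide's example can be worked through as a policy decision. The following is an added example, not from the presentation: a small authorization check in the zero-trust shape described above, where every request is evaluated against the device (is it inventoried and in a hardened state), the user (is it entitled) and the resource (what does it require), and anything not explicitly known is denied. The inventory entries, device identifiers, group names, resource names and the posture rules are all assumptions.

```python
# Added example, not from the presentation: zero-trust style authorization
# keyed on device identity, user identity and resource identity. Inventory,
# device IDs, groups, resource names and posture thresholds are assumptions.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    corporate: bool        # company-managed rather than BYOD
    patch_age_days: int    # days since the last successful patch cycle
    disk_encrypted: bool
    edr_healthy: bool      # endpoint agent present and reporting


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    encrypted_channel: bool


# Constructed inventory, entitlements and resource requirements.
INVENTORY = {
    "LT-4471": Device("LT-4471", corporate=True, patch_age_days=3,
                      disk_encrypted=True, edr_healthy=True),
    "LT-0912": Device("LT-0912", corporate=True, patch_age_days=61,
                      disk_encrypted=True, edr_healthy=False),
}
USER_GROUPS = {"tryan": {"employees"}, "jdoe": {"employees", "hr"}}
RESOURCES = {
    "corporate-email": {"groups": {"employees"}},
    "hr-payroll": {"groups": {"hr"}},
}
MAX_PATCH_AGE_DAYS = 30   # assumed definition of "up to date"


def hardened(d: Device) -> bool:
    """Posture check: managed, recently patched, encrypted, EDR reporting."""
    return (d.corporate and d.patch_age_days <= MAX_PATCH_AGE_DAYS
            and d.disk_encrypted and d.edr_healthy)


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the order only
    determines which reason is reported first."""
    if not req.encrypted_channel:
        return False, "unencrypted channel"
    device = INVENTORY.get(req.device_id)
    if device is None:
        return False, "device not in inventory"
    if not hardened(device):
        return False, "device posture below required level"
    policy = RESOURCES.get(req.resource)
    if policy is None:
        return False, "unknown resource"          # default deny
    if not USER_GROUPS.get(req.user, set()) & policy["groups"]:
        return False, "user not entitled to resource"
    return True, "allowed"


if __name__ == "__main__":
    # The slide's example: Tim Ryan on an up-to-date, hardened corporate
    # laptop asking for corporate email.
    print(authorize(Request("tryan", "LT-4471", "corporate-email", True)))
    # Same user, same resource, a laptop that is 61 days unpatched with no EDR.
    print(authorize(Request("tryan", "LT-0912", "corporate-email", True)))
```

In practice the posture fields would come from device management and endpoint attestation rather than a static table, and the decision would be re-evaluated per session rather than once at login; the structure of the check is the same.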
Developments: Security as a product of cloud migration
• Hygiene
• Security at Scale
Developments: Defense and Response
[Figure: Defense versus Response, with a recommended balance marked.]