Cyber Defense Tool Limitations and What Our Leaders Should Be Doing About Them Current state of cyber breaches, tool gaps, and future advancements

Cyber Defense Tool Limitations and What Our Leaders Should Be … · 2019-05-14 · Cyber Defense Tool Limitations and What Our Leaders Should Be Doing About Them Current state of


Page 1

Cyber Defense Tool Limitations and What Our Leaders Should Be Doing About Them

Current state of cyber breaches, tool gaps, and future advancements

Page 2

Tim Ryan

• Partner, Ernst and Young LLP, US Cyber Investigations Leader

• Lead cyber investigations for audit and non-audit clients

• Led the cyber security and investigations group at an international risk management firm

• Led the largest cyber squad in the US for the FBI and led one of the largest criminal computer forensic labs for the FBI

• Special agent and computer forensic examiner

• JD Rutgers; MS IT/IA Univ. MD

The views expressed in this presentation are my own and not necessarily those of EY. This presentation is for educational purposes only.

Page 3

Perspective

• It’s not if you will get hacked, it’s how bad will the hack be.

• This perspective focuses on the root cause and mitigation of cybersecurity failures

Page 4

Core problems

• Systems are detecting intruders and then nothing happens
  • Case study: alert 2 months prior to investigation

• Failing to eradicate the intruder
  • Clean the initial deployment of malware but do not understand how it has metastasized

• Common vulnerabilities
  • Technical debt. Lack of investment in system maintenance.

Page 5

What is lacking from a tool perspective

• Too many false positives

• They are not automatically baselining the system. So detecting anomalies is difficult.

• The alerts do not automatically trigger the appropriate response. It gets handed to a human which is where things sometimes go wrong.

• Training and experience dependencies are not factored into tool purchase

Diagram: Detection → Evidence destruction → Other detection and machines wiped → Company unable to look for attacker fingerprints → Unknown level of compromise

Page 6

Developments: Integration and Orchestration

Workflow: Alert → Drill → Extrapolate → Contain → Eradicate → Report

Integration and Orchestration (diagram):

• Detection systems

• Alerting workflows

• Response integration
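The two slides above name the gaps (no automatic baselining, alerts that stop at a human hand-off) and the workflow that should close them (Alert → Drill → Extrapolate → Contain → Eradicate → Report). The following is an added example, not code from the presentation or from EY: it baselines per-host activity, alerts on deviations, and runs each alert through the full workflow automatically. The hosts, process names, destination, and log lines are constructed; the contain and eradicate steps only record what a real deployment would ask the EDR or network-access layer to do. It also shows the caveat a practitioner should know: ws-02 was already beaconing during the baseline window, so the baseline alone treats it as normal, and only the extrapolate step pulls it into scope.

```python
"""Added example, not from the presentation: baseline per-host activity,
alert on deviations, and route every alert into an automated workflow
(Alert -> Drill -> Extrapolate -> Contain -> Eradicate -> Report) rather
than stopping at 'hand it to a human'. All hosts, processes, destinations
and log lines below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed telemetry, one event per line: "<host> <process> <destination>".
# ws-02 was already beaconing during the baseline window, which a naive
# baseline silently blesses as "normal" for that host.
BASELINE_LOG = """\
ws-01 outlook.exe mail.corp.example
ws-01 chrome.exe intranet.corp.example
ws-02 outlook.exe mail.corp.example
ws-02 teams.exe teams.corp.example
ws-02 svchost32.exe 203.0.113.7
ws-03 outlook.exe mail.corp.example
ws-03 chrome.exe intranet.corp.example
"""

LIVE_LOG = """\
ws-01 outlook.exe mail.corp.example
ws-01 svchost32.exe 203.0.113.7
ws-02 teams.exe teams.corp.example
ws-03 svchost32.exe 203.0.113.7
ws-03 chrome.exe intranet.corp.example
"""


def parse(log):
    """Split the constructed log into (host, process, destination) tuples."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]


def build_baseline(events):
    """Record the (process, destination) pairs each host produced while baselining."""
    baseline = defaultdict(set)
    for host, proc, dest in events:
        baseline[host].add((proc, dest))
    return baseline


def detect(baseline, events):
    """Alert on any pair a host never produced during its baseline window."""
    return [e for e in events if (e[1], e[2]) not in baseline.get(e[0], set())]


@dataclass
class Incident:
    indicator: tuple                 # (process, destination) shared by the alerts
    hosts: set = field(default_factory=set)
    actions: list = field(default_factory=list)


def orchestrate(alerts, all_events):
    """Run each alert through Drill -> Extrapolate -> Contain -> Eradicate -> Report.
    Actions are recorded as strings; a real deployment would call EDR/NAC APIs here."""
    incidents = {}
    # Drill: group alerts by indicator and note which host(s) raised them
    for host, proc, dest in alerts:
        inc = incidents.setdefault((proc, dest), Incident((proc, dest)))
        inc.hosts.add(host)
    for inc in incidents.values():
        # Extrapolate: search ALL history for the same indicator, so hosts that were
        # compromised before baselining (ws-02 here) are pulled into scope as well
        for host, proc, dest in all_events:
            if (proc, dest) == inc.indicator:
                inc.hosts.add(host)
        # Contain and Eradicate every host in scope, not only the one that alerted
        for host in sorted(inc.hosts):
            inc.actions.append(f"contain: isolate {host} from the network")
            inc.actions.append(f"eradicate: terminate {inc.indicator[0]} on {host}")
        # Report: a summary responders can act on immediately
        inc.actions.append(f"report: {inc.indicator} seen on {len(inc.hosts)} hosts")
    return {k: {"hosts": sorted(v.hosts), "actions": v.actions}
            for k, v in incidents.items()}


def run_pipeline():
    """Baseline, detect on the live window, orchestrate; returns the incident report."""
    base_events, live_events = parse(BASELINE_LOG), parse(LIVE_LOG)
    alerts = detect(build_baseline(base_events), live_events)
    return orchestrate(alerts, base_events + live_events)


if __name__ == "__main__":
    for indicator, details in run_pipeline().items():
        print(indicator, details["hosts"])
        for action in details["actions"]:
            print("  ", action)
```

Running it yields one incident for the `svchost32.exe` beacon with all three workstations in scope, even though only ws-01 and ws-03 alerted. That gap between "hosts that alerted" and "hosts in scope" is exactly the eradication failure the earlier slide describes: cleaning the host that tripped the alert without understanding where else the intrusion already sits.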

Page 7

Developments: Training

• User Awareness
  • Phishing

• Compliance/Policy

• Incident Response Planning and Table Top Exercises
  • A Table Top Exercise is a simulated event meant to tease out critical principles and identify response challenges

• Operationalize policy (IRP) into tactical decision-making

Training matrix (diagram): User Compliance and Policies; Corporate Table Top Exercise; User Attack Sensitization; Corporate Simulated Attack

Page 8

Developments: Endpoint focus

The endpoint is usually the workstation that a user is operating (either desktop or laptop). Many attacks begin by implanting malware on the endpoint. From there the attacker gains a foothold inside the castle and starts looking around for what he can steal.

Therefore the endpoint is often a critical piece of the attack. Effectively monitoring and controlling the endpoint is important, and expert analysis is required.

Page 9

Developments: Zero Trust Networks

Page 10

The Problem With Trust

• Old paradigm

• Current attacks

Page 11

What Zero Trust Looks Like

• All devices belong to an inventory

• All communications are encrypted

• Authorization is based on the device identity, the user identity, and the requested resource identity.

For example:

Tim Ryan, using an up-to-date, hardened corporate laptop, wants to access his corporate email.
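The slide's three rules (inventoried devices, encrypted communications, authorization from device identity plus user identity plus resource identity) can be written down as a single policy decision. The following is an added example, not code from the presentation or from EY: a minimal zero-trust policy evaluator for the laptop-to-email scenario above. The device inventory, user names, resource catalogue and posture flags are constructed; the one design point worth noticing is that network location is not an input at all, which is the difference from the old perimeter paradigm on the previous slide.

```python
"""Added example, not from the presentation: a minimal zero-trust policy
decision for the slide's scenario (a user on an inventoried, hardened
corporate laptop requesting corporate email). Network location is deliberately
not an input: being 'inside' grants nothing. Inventory, users, resources and
posture flags are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    assigned_user: str
    managed: bool          # enrolled in corporate device management
    patched: bool          # up to date with required patches
    disk_encrypted: bool   # part of the hardened baseline


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    encrypted_channel: bool   # e.g. mutually authenticated TLS established
    mfa_verified: bool        # strong user authentication completed


# Constructed device inventory: anything not listed here is denied by default
INVENTORY = {
    "lt-0042": Device("lt-0042", "tim.ryan", managed=True, patched=True, disk_encrypted=True),
    "lt-0099": Device("lt-0099", "tim.ryan", managed=True, patched=False, disk_encrypted=True),
}

# Constructed resource catalogue: who may reach what, and the posture they need
RESOURCES = {
    "corporate-email": {"allowed_users": {"tim.ryan", "cfo"}, "require_patched": True},
    "finance-db": {"allowed_users": {"cfo"}, "require_patched": True},
}


def evaluate(req, inventory=INVENTORY, resources=RESOURCES):
    """Return (allowed, reasons). Every check must pass; reasons lists each failure
    so a denial is auditable rather than a bare 'no'."""
    reasons = []
    # Channel: all communications are encrypted
    if not req.encrypted_channel:
        reasons.append("channel not encrypted")
    # User identity: strong authentication, not just a password
    if not req.mfa_verified:
        reasons.append("user not strongly authenticated")
    # Resource identity: the (user, resource) pair must be explicitly authorized
    resource = resources.get(req.resource)
    if resource is None:
        reasons.append("unknown resource")
    elif req.user not in resource["allowed_users"]:
        reasons.append("user not authorized for resource")
    # Device identity: in inventory, assigned to this user, managed and hardened
    device = inventory.get(req.device_id)
    if device is None:
        reasons.append("device not in inventory")
    else:
        if device.assigned_user != req.user:
            reasons.append("device not assigned to this user")
        if not device.managed:
            reasons.append("device not managed")
        if not device.disk_encrypted:
            reasons.append("device not hardened (disk unencrypted)")
        if resource and resource["require_patched"] and not device.patched:
            reasons.append("device not patched")
    return (not reasons, reasons)


if __name__ == "__main__":
    scenario = Request("tim.ryan", "lt-0042", "corporate-email",
                       encrypted_channel=True, mfa_verified=True)
    print(evaluate(scenario))
```

The same user on the unpatched laptop `lt-0099`, or on a device that is not in the inventory, is denied with a reason that names the missing control, which is what lets the posture gap be fixed rather than waived.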

Page 12

Developments: Security as a product of cloud migration

• Hygiene

• Security at Scale


Page 13

Developments: Defense and Response

Diagram: Defense and Response