Upload
ngodang
View
220
Download
3
Embed Size (px)
Citation preview
Information-Driven Cybersecurity
4 June 2013
Bill Russell Cybersecurity Strategist & Senior Architect
Why Do COTS-Based Architectures Fail to Protect Your Enterprise
Layered Cybersecurity Defense Framework
Computer Network Defense Defense-In-Depth
The FanTM
Perimeter Firewall
Perimeter IDS/IPS Advanced
Sensor
Honeypot Message Security
(anti-virus, anti-malware)
DLP
Secure DMZs
Application Security
Malware Analysis NAC/Endpoint
Profiler
Enclave Firewall DLP
Wireless/Mobile Protection
Web Proxy Content Filtering
Enterprise IDS/IPS
VoIP Protection
Virtual Network Security
Enterprise Message Security
Enterprise Remote Access
Endpoint Security Enforcement
DLP Desktop Firewall
Host IDS/IPS
Content Security (anti-virus, anti-malware)
Patch Management
USGCB Compliance
SIEM Digital Forensics Security SLA/SLO Reporting
Escalation Management
Focused Ops
SOC/NOC Monitoring (24x7)
Incident Reporting, Detection, Response (CIRT)
Security Dashboard
Continuous Monitoring
and Assessment Situational Awareness
Vulnerability Assessment
Security Awareness Training
Continuous C&A
IT Security Governance
Security Policies & Compliance
Security Architecture
& Design
Threat Modeling
Penetration Testing
Cyber Threat Intelligence
Security Technology Evaluation
Risk Management Framework
WAF
Static App Testing/Code
Review
Database Secure Gateway
(Shield)
Database Monitoring /Scanning Dynamic App Testing
DAR/DIM/DIU Protection
Data Wiping Cleansing
PKI
FICAM
Enterprise Right Management
DLP
Data Classification
Data/Drive Encryption
Data Integrity Monitoring
© 2013 Northrop Grumman Corporation
Acronyms & Abbreviations: DAR: Data At Rest DIM: Data In Motion DIU: Data In Use
DLP: Data Loss Prevention IDP: Intrusion Detection and Prevention FICAM: Federal Identity Credential and Access Management
NAC: Network Access Control PKI: Public Key Infrastructure SIEM: Security Information Event Management USGCB: US Govt Configuration Baseline
OUTSIDE THREAT
Mission Critical Assets
Inside Threats
The “Fan™” - Layered Cybersecurity Defensive Reference Model
Approved for Public Release # 13-0985
Where Has This Approach Gotten Us?
Approved for Public Release # 13-0985
Soviet AN-24 manufactured beginning 1963 – 40 sold to China
Chinese Y-7 manufactured beginning 1983
Chinese Domestic Aviation Circa 1983
Chinese Domestic Aviation Circa 2011
BEIJING — China’s military conducted a test flight of a new stealth fighter jet on Tuesday, overshadowing an important visit to Beijing by Defense Secretary Robert M. Gates aimed at improving defense ties — and apparently catching China’s civilian leadership off guard.
(New York Times, July 2011)
U.S. made F-35 Chinese made J-20
Approved for Public Release # 13-0985
U.S. made MQ-9 Reaper
Chinese Unmanned Air Vehicle
Approved for Public Release # 13-0985
Chinese made Pterodactyl 1 (2009)
Think There Is An Interest In Finance?
High-Speed Trading Algorithms
The Knife
The Boston Stumbler
“ China is the world's second-largest economy next to our own. They are a huge trading partner, and our two economies are incredibly intertwined”
Robert Mittelstaedt Arizona State University
Approved for Public Release # 13-0985
Layered Cybersecurity Defense Framework
Computer Network Defense Defense-In-Depth
The FanTM
Perimeter Firewall
Perimeter IDS/IPS Advanced
Sensor
Honeypot Message Security
(anti-virus, anti-malware)
DLP
Secure DMZs
Application Security
Malware Analysis NAC/Endpoint
Profiler
Enclave Firewall DLP
Wireless/Mobile Protection
Web Proxy Content Filtering
Enterprise IDS/IPS
VoIP Protection
Virtual Network Security
Enterprise Message Security
Enterprise Remote Access
Endpoint Security Enforcement
DLP Desktop Firewall
Host IDS/IPS
Content Security (anti-virus, anti-malware)
Patch Management
USGCB Compliance
SIEM Digital Forensics Security SLA/SLO Reporting
Escalation Management
Focused Ops
SOC/NOC Monitoring (24x7)
Incident Reporting, Detection, Response (CIRT)
Security Dashboard
Continuous Monitoring
and Assessment Situational Awareness
Vulnerability Assessment
Security Awareness Training
Continuous C&A
IT Security Governance
Security Policies & Compliance
Security Architecture
& Design
Threat Modeling
Penetration Testing
Cyber Threat Intelligence
Security Technology Evaluation
Risk Management Framework
WAF
Static App Testing/Code
Review
Database Secure Gateway
(Shield)
Database Monitoring /Scanning Dynamic App Testing
DAR/DIM/DIU Protection
Data Wiping Cleansing
PKI
FICAM
Enterprise Right Management
DLP
Data Classification
Data/Drive Encryption
Data Integrity Monitoring
© 2013 Northrop Grumman Corporation
Acronyms & Abbreviations: DAR: Data At Rest DIM: Data In Motion DIU: Data In Use
DLP: Data Loss Prevention IDP: Intrusion Detection and Prevention FICAM: Federal Identity Credential and Access Management
NAC: Network Access Control PKI: Public Key Infrastructure SIEM: Security Information Event Management USGCB: US Govt Configuration Baseline
OUTSIDE THREAT
Mission Critical Assets
Inside Threats
The “Fan™” - Layered Cybersecurity Defensive Reference Model
Approved for Public Release # 13-0985
Why COTS Security Will Always Be a Step Behind
PerimeterFirewall
PerimeterIDS/IPS Advanced
Sensor
HoneypotMessage Security
(anti-virus, anti-malware)
DLP
Secure DMZs
Application Security
MalwareAnalysisNAC/Endpoint
Profiler
EnclaveFirewall DLP
Wireless/MobileProtection
Web ProxyContent Filtering
EnterpriseIDS/IPS
VoIPProtection
Virtual NetworkSecurity
EnterpriseMessage Security
EnterpriseRemoteAccess
Endpoint SecurityEnforcement
DLPDesktopFirewall
Host IDS/IPS
Content Security(anti-virus,
anti-malware)Patch
Management
USGCBCompliance
SIEM Digital Forensics Security SLA/SLO Reporting
EscalationManagement
Focused Ops
SOC/NOC Monitoring (24x7)
Incident Reporting,Detection, Response (CIRT)
Security Dashboard
ContinuousMonitoring
and AssessmentSituationalAwareness
VulnerabilityAssessment
Security AwarenessTraining
ContinuousC&A
IT SecurityGovernance
Security Policies& Compliance
SecurityArchitecture
& Design
ThreatModeling
PenetrationTesting
Cyber Threat Intelligence
SecurityTechnology Evaluation
Risk ManagementFramework
WAF
Static AppTesting/Code
Review
DatabaseSecure Gateway
(Shield)
DatabaseMonitoring /ScanningDynamic App Testing
DAR/DIM/DIUProtection
Data WipingCleansing
PKI
FICAM
Enterprise Right Management
DLP
DataClassification
Data/DriveEncryption
Data IntegrityMonitoring
MissionCritical Assets
Well funded adversaries have access to the same technologies as the defenders
Defender’s COTS-based Security Architecture
Advanced Adversaries’ Attack Tool Test Environment
Approved for Public Release # 13-0985
COTS Security Technology Misses the Advanced Adversary
• A well architected defense-in-depth security approach based on COTS security technology defeats 80% of the threats
• Determined threat actors have access to all the COTS security products and test their attacks against those tools
• Openly available tools and online collaboration of hacktivists and criminals lower the barrier to entry for adversaries
• Advanced adversaries have state or criminal support including advanced exploits, collection management, and targeting
“Over the course of three months, attackers installed 45 pieces of custom malware. The Times … found only one instance in which … identified an attacker’s software as malicious and quarantined it…” New York Times, 30 Jan 2013
Approved for Public Release # 13-0985
Offense Always Has An Advantage
• Threat Technical Capabilities • Exploits – Development teams with State or criminal support • Internet distribution points to drop and pick up • Command and Control using Botnets • C2 Obfuscation using DDNS, FastFlux DNS • Process and attack strategy – intel teams, crash and attack teams, exploit teams, exfil teams
• Threat Intelligence Collection • Comprehensive target picture through open source collection • Your friends names, professions, and things they like • Everything and you post, share, like or link to • Social media systems not inclined to provide security
• Further Lowering of the Barrier to Entry • MetaSploit makes attacking easy for the uninitiated • Threat forums for collaboration and sharing of tools • Social Justice and Causes (Anonymous, WikiLeaks, Hacktivists) rallied against your enterprise: • Every employee is a possible vector
Threat Actors Only Need to Be Right One Time to Gain Access to the Enterprise
Approved for Public Release # 13-0985
Good Guys Have Some Ways to Level the Field
• Behavioral analytics (Who talks and works with whom)
• Partnerships for threat information sharing
• Threat intelligence team augmentation
• Custom file analysis • Custom monitoring of network traffic
for C2 channels • Organizational agility to respond to
changing threat tactics
PerimeterFirewall
PerimeterIDS/IPS Advanced
Sensor
HoneypotMessage Security
(anti-virus, anti-malware)
DLP
Secure DMZs
Application Security
MalwareAnalysisNAC/Endpoint
Profiler
EnclaveFirewall DLP
Wireless/MobileProtection
Web ProxyContent Filtering
EnterpriseIDS/IPS
VoIPProtection
Virtual NetworkSecurity
EnterpriseMessage Security
EnterpriseRemoteAccess
Endpoint SecurityEnforcement
DLPDesktopFirewall
Host IDS/IPS
Content Security(anti-virus,
anti-malware)Patch
Management
USGCBCompliance
SIEM Digital Forensics Security SLA/SLO Reporting
EscalationManagement
Focused Ops
SOC/NOC Monitoring (24x7)
Incident Reporting,Detection, Response (CIRT)
Security Dashboard
ContinuousMonitoring
and AssessmentSituationalAwareness
VulnerabilityAssessment
Security AwarenessTraining
ContinuousC&A
IT SecurityGovernance
Security Policies& Compliance
SecurityArchitecture
& Design
ThreatModeling
PenetrationTesting
Cyber Threat Intelligence
SecurityTechnology Evaluation
Risk ManagementFramework
WAF
Static AppTesting/Code
Review
DatabaseSecure Gateway
(Shield)
DatabaseMonitoring /ScanningDynamic App Testing
DAR/DIM/DIUProtection
Data WipingCleansing
PKI
FICAM
Enterprise Right Management
DLP
DataClassification
Data/DriveEncryption
Data IntegrityMonitoring
MissionCritical Assets
Defenders Have to Be Right Every Time… The Field Can Be Leveled by Leveraging Information Available Only to the Defender
Approved for Public Release # 13-0985
So What Should I Do Now?
• Keep the COTS infrastructure that defeats the 80%
• Collect as much data as possible about what is happening on your network
• Play Cybersecurity as a team sport (InfraGuard, ISACs, FIRST)
• Train your employees for live threats (Not just CBTs)
• Look at the problem through a different lens (Not just the IT lens)
Approved for Public Release # 13-0985
Protect Your Enterprise