Cybersecurity - Sam Maccherola

Talk given at the event "Cybersecurity: a new era in incident response and data auditing". Sam Maccherola, VP and General Manager, Public Sector, Guidance Software Inc. Brasília, 4 August 2010.

Page 1: Cybersecurity - Sam Maccherola

© 2010 Guidance Software, Inc. All Rights Reserved.

A New Era in Incident Response and Data Auditing

The Case for Cyberforensics

Page 2: Cybersecurity - Sam Maccherola

Speaker

Sam Maccherola

Vice President and General Manager, Public Sector, Guidance Software Inc.

Contact: [email protected], (703) 657-7230

Bio

20+ years of government management and program development experience within the information technology and systems integration industry.

At Guidance Software, manages strategic direction, as well as operational, sales, and business development for a growing global Government practice.

Prior to Guidance Software:

— Vice President of Federal at ProSight Inc., responsible for overall strategic direction, as well as operations, sales and marketing components for the federal business unit.

— President of Tenix America and VP of Public Sector Sales for Tripwire, Inc.

— Senior positions with Tumbleweed, Entrust Technologies, Inc., PLATINUM Technologies, and Legent Corp.

Recognized as one of the 100 people in Government and Industry that made a positive difference in Government IT by a panel of Government and Industry leaders.

Active participant in many associations that promote public-private sector information sharing and partnerships: AFCEA, ACT/IAC and ITAA

Page 3: Cybersecurity - Sam Maccherola

Guidance Software, Inc.: The World Leader in Digital Investigations

Enterprise Ready, Market Proven Solutions

Over 150 customers of EnCase® eDiscovery

Over 650 customers of EnCase® Enterprise including:

— More than 100 of the Fortune 500 and over half of the Fortune 50

— Deployed on over 10 million desktops, laptops and servers

The Leading Court-Validated Technology

Used in thousands of cases worldwide

Authenticated in over 50 published court cases and EnCase technology validated under Daubert/Frye

Courts have taken “judicial notice” of the validity of EnCase software

Top-ranked Software by Industry Analysts

Gartner’s highest rating for eDiscovery Software

Socha-Gelbmann’s Top 5 (highest category) for eDiscovery software

Forrester calls it “The de-facto industry standard for remote desktop collection”

Committed to Support your On-going Success

World-Class Training and Certification Program

Top-Ranked Professional Services Organization

Page 4: Cybersecurity - Sam Maccherola

Government Agencies of All Sizes Rely on EnCase® Solutions

Page 5: Cybersecurity - Sam Maccherola

Evolving Threats

Perimeter defense is never enough

With new technologies come new exploits

Threats can also be internal and/or inadvertent

A determined hacker will find a way (high end)

Hacking has become “Productized” (low end)

Page 6: Cybersecurity - Sam Maccherola

Key Trends

Per a recent Cisco Annual Security Report:

The overall number of disclosed vulnerabilities grew by 11.5%.

Vulnerabilities in virtualization technology nearly tripled, from 35 to 103 year-over-year.

Attacks are becoming increasingly blended, cross-vector and targeted.

Cisco says its researchers saw 90% growth in threats originating from legitimate domains.

This year, numerous legitimate websites were infected with IFrames, malicious code injected by botnets that redirects visitors to malware-downloading sites, the company says.
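As an added example (not from the Cisco report or from this deck), the following Python flags iframes with the hallmarks of the injections described above: zero-size or CSS-hidden frames, off-screen placement, and a src on a host other than the page's own. The sample page, the hosts in it and the heuristics are constructed for illustration.

```python
"""Flag hidden iframes of the kind injected into legitimate sites.

Added example, not part of the original deck. The sample page and the
suspicious host are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS patterns that make a frame invisible or push it far off-screen.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}px",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag and its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height of 0 or 1 pixel, typical of injected frames."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def find_suspicious_iframes(html, page_url):
    """Return [(src, reasons)] for iframes that look injected.

    A frame is reported only if it is hidden (tiny or hidden by CSS); an
    external src is then recorded as supporting detail, because legitimate
    embeds are external too and would otherwise flood the result.
    """
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for f in parser.iframes:
        reasons = []
        if _is_tiny(f.get("width")) or _is_tiny(f.get("height")):
            reasons.append("zero-size")
        if HIDING_STYLE.search(f.get("style", "")):
            reasons.append("hidden-by-css")
        if not reasons:
            continue
        src = f.get("src", "")
        src_host = urlparse(src).hostname or ""
        if src_host and src_host != page_host:
            reasons.append("external-src:" + src_host)
        findings.append((src, reasons))
    return findings


# Constructed sample: one normal same-site frame plus one injected hidden frame.
SAMPLE_PAGE = """
<html><body>
<h1>Agency news</h1>
<iframe src="https://www.example.gov/video/embed" width="640" height="360"></iframe>
<p>Contact us</p>
<iframe src="http://bad.example/in.php" width="0" height="0"
        style="visibility:hidden;position:absolute;left:-5000px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_PAGE, "https://www.example.gov/news"):
        print(src, ", ".join(why))
```

Run it over a crawl of your own sites and diff the output against the previous crawl: a hidden frame that was not there yesterday is the signal, and the external host it points to is the first indicator to block and to search for on other endpoints.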

Page 7: Cybersecurity - Sam Maccherola

2008 Intelligence Community Statistics

55% Increase in Remote Access Cyber Intrusions

52% Increase in Insider Cyber Intrusions

22% Increase in Credit Card Fraud

Page 8: Cybersecurity - Sam Maccherola

Verizon Data Breach Report

Analysis of over 500 e-forensics audits (the categories overlap, so the percentages do not sum to 100%):

73% resulted from external sources

18% by insiders

39% implicated business partners

Page 9: Cybersecurity - Sam Maccherola

Blackhats: Threat Actors

Nation States

108 countries with dedicated cyber-attack organizations

Dragon Bytes: Chinese Information War Theory & Practice

Terrorists

Growing sophistication

Hamas and Al Qaeda

Ibrahim Samudra and Irhabi 007

Organized Crime

Cybercrime is big business (e.g., the Russian Business Network, RBN)

FBI: #1 criminal priority is cybercrime

Page 10: Cybersecurity - Sam Maccherola

Trends in Attacks Against .GOV

SQL Injection and Cross-site Scripting

Island Hopping (Unisys/DHS)

Remote User Compromise: VPN Attacks, Client-Side Attacks

PKI Compromise: Private Key Theft

Zero-Day Attacks

Automated Attack Tools

Digital Insider Attacks

Page 11: Cybersecurity - Sam Maccherola

Data is the Lifeblood of Government

Government Data: Epicenter of Risk

Classified Information

Vulnerabilities & Assessments

PII & Medical Records

Budgetary / Procurement

Defense Contracts

Troop Movements

Sensitive Projects & Schematics

Page 12: Cybersecurity - Sam Maccherola

Let the Blood Loss Begin…

25 July 2010

U.S. National Security Advisor on Wikileaks Report on Afghanistan

Says disclosure of classified information threatens U.S. national security

Page 13: Cybersecurity - Sam Maccherola

On a Normal Day, an Agency Gets Hit by upwards of 2.4M Attacks

How effective is your security? 99.9%?

99% effective: 12,000 - 24,000 attacks get through each day

99.9% effective: 1,200 - 2,400 attacks get through each day

99.99% effective: 120 - 240 attacks get through each day

Multiple technologies must be layered to get near 99.9% effective

It is impossible to achieve impenetrability

Even if you pulled the plug, they can take the hard drive…

Page 14: Cybersecurity - Sam Maccherola

Traditional Security is for Traditional Threats

“Traditional security solutions are obsolete…the signature approach and other traditional methods of security are not keeping pace with the number of threats being created by online criminals.”

“The days of traditional URL filtering are dead, we care about where users go and they all use the top 500 websites. We care about enforcing capable policy security and the content on pages is dynamic.”

“It often takes up to 24 to 72 hours from the time a threat is identified, analyzed, and its signature is developed to the time it is finally delivered to the endpoint. While consumers and enterprises are playing the waiting game, their endpoints are exposed and vulnerable.”

“The degree of difficulty for identifying malware targeting data is outpacing the innovation of traditional security vendors.”

Page 15: Cybersecurity - Sam Maccherola

Over $40B Spent on FISMA since 2002 … not enough

More checklists and standards: Consensus Audit Guideline; CVE/OVAL; DISA GOLD/STIG; NSA/NIST NIAP (CCEVS EAL); DIACAP; FIPS; FISMA; ISO 17799; ISO/IEC 27002; GLBA; SOX; HIPAA; FDCC; SCAP; NERC’s CIP 009-2; and so on…

Compliance is not an insurance policy against the unknown threat.

Heartland Payment Systems

— Breach cost at $12.5M+

Page 16: Cybersecurity - Sam Maccherola

History Repeats Itself

Hannibal using the Roman Roads to cross the Alps

40% Increase in Major Intrusions (US-CERT)

Page 17: Cybersecurity - Sam Maccherola

The Challenge – The Starting Line

You Are Here

Page 18: Cybersecurity - Sam Maccherola

The Challenge – 1st Hour

You Are Here

Page 19: Cybersecurity - Sam Maccherola

The Challenge – 2nd Hour

You Are Here

Page 20: Cybersecurity - Sam Maccherola

The Challenge – 3rd Hour

You Are Here

Page 21: Cybersecurity - Sam Maccherola

The Challenge – Owned

You Are Here

Page 22: Cybersecurity - Sam Maccherola

Hosting Companies = Watering Holes

Page 23: Cybersecurity - Sam Maccherola

Current Challenges in Cyber Defense

Regardless of what you do…

Attacks will continue 24/7/365

The Enemy at the Gates will continue to recon/infiltrate/exfiltrate

Anonymity will challenge attribution

Malware will be custom designed and used against you

They live in a 0-day environment

Polymorphic Code is on the rise

You need to be right 100% of the time

How do you learn to defend if you never learn what happened or who you’re dealing with?

Page 24: Cybersecurity - Sam Maccherola

Cyber Forensics is the Spear Tip of any Cybersecurity Initiative

Identify covert/undiscovered threats: dynamically adaptive patented technology gives InfoSec the advantage against new threats:

— Polymorphic Malware

— Packed files

— Other advanced hacking techniques

Attribute new attacks to older attacks, invaluable in attributing malware to an attacker

Complete visibility into endpoint risk with the ability to target static and live data to locate sensitive information

Find and remediate malware: risk mitigation by wiping sensitive information, malware and malware artifacts from hard drives, RAM and the Windows Registry

Powerful investigative capabilities allow organizations to audit for PII (e.g., credit card numbers, account numbers, etc.), and perform internal investigations such as those dealing with fraud or HR matters

Page 25: Cybersecurity - Sam Maccherola

2010 Cybersecurity Survey (Continued)

Endpoint was used in all of the top 3 insider theft mechanisms

44% Laptops

42% Copied information to mobile device

38% Downloaded information to home computer

Page 26: Cybersecurity - Sam Maccherola

2010 Cybersecurity Survey (Continued)

Incident response and internal forensics can make a difference

28% of events resulted in legal or law enforcement action

35% could not pursue legal action due to lack of evidence

29% could not identify the individuals responsible

Page 27: Cybersecurity - Sam Maccherola

The Endpoint Needs Comprehensive Visibility

Endpoint Visibility: Multiple OS and File Systems; See through Data at rest solutions; Packed and compressed; Data Universe is ever expanding

Data Protection: Targeted search & remediation; DLP; Encryption, etc.

Speed, Mobility, Adaptability: Infinite digital reach; Speed of cyber, not UPS/FedEx; Adaptive malware identification & recovery

Cyber Preparedness

Page 28: Cybersecurity - Sam Maccherola

Incident Response at the Forensic Level with Endpoint Visibility

EnCase Cybersecurity provides…

Enterprise-wide incident response

— Cyberforensic triage and in-depth analysis, attack attribution analysis, and remediation

System deviation assessments

— Expose system integrity issues caused by unknown threats

Data policy enforcement

— Identify and wipe PII/Classified data from unauthorized endpoints

The Missing Layer in Defense in Depth …

Page 29: Cybersecurity - Sam Maccherola

Information Security Challenges

Proactively identifying and addressing covert/unknown threats

Determining the capabilities and purpose of unknown files or running processes

Identifying and recovering from known malware and/or polymorphic malware

— Signature-based detection tools are insufficient when faced with code that morphs to evade detection

Quickly triaging and containing an identified threat

Locating and rapidly responding to data leakage (PII, IP, etc.)

Compliance with data protection and breach notification laws

Determining the “State of the Network” by comparing known profiles to data on systems

Page 30: Cybersecurity - Sam Maccherola

The Past

One computer at a time

Days, weeks, and months to get the data

Costly & Time Consuming

The gathered intelligence was valuable, but useless

Page 31: Cybersecurity - Sam Maccherola

The Past

EnCase Field Intelligence Module (FIM)

One computer over the network. (2004)

Page 32: Cybersecurity - Sam Maccherola

The Past

Searching only one target at a time.

Page 33: Cybersecurity - Sam Maccherola

EnCase Cybersecurity provides…

Network-enabled incident response

— Cyberforensic triage and analysis, attack attribution analysis, and remediation

System deviation assessments

— Expose system integrity issues caused by anomalous or unknown threats

Data policy enforcement

— Identify and wipe PII/IP/Classified data from unauthorized endpoints

A Cyber Forensics Approach

Page 34: Cybersecurity - Sam Maccherola

The Present

Enterprise Forensics

Page 35: Cybersecurity - Sam Maccherola

The Present

Automation of searching multiple targets in parallel.

Pre-defined Criteria

Page 36: Cybersecurity - Sam Maccherola

The Present

Automation of searching for compromises and malware.

Page 37: Cybersecurity - Sam Maccherola

Benefits & Features of Cyber Forensics

Benefit: Cyber Forensic Feature

Proactively identify and recover from covert network threats: Entropy near match analysis, hash analysis, memory analysis, remediation

Find similar files over the network: Entropy near match analysis

Proactively identify and recover from data leakage: Targeted search and remediation

Ensure endpoints remain in a trusted state: Hash database comparison, system profiling

Accurately triage an incident anywhere in the world from a central location: Network-enabled, security protocols, investigative capabilities

Combat insider threat by proactively identifying and investigating suspicious activity: Log file analysis, Snapshot, investigative capabilities

Endpoint situational awareness: Operates at the kernel level, sees what the OS cannot

Determine the extent of data breaches: Log file analysis, memory analysis, investigative capabilities
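As an added illustration of the hash-comparison, system-profiling and entropy-based features listed above, and of the "system deviation assessment" the deck describes earlier, the following Python profiles a snapshot of endpoint files, reports deviations from a trusted baseline, and flags high-entropy content that may be packed or encrypted. This is not Guidance Software's code or EnCase's patented near-match algorithm; the paths, file contents, baseline and the 7.2 bits/byte threshold are constructed and assumed for the example.

```python
"""Baseline deviation plus entropy triage over a set of endpoint files.

Added example, not Guidance Software code. The baseline, file contents
and the PACKED_THRESHOLD value are constructed/assumed.
"""
import hashlib
import math
from collections import Counter

# Assumed cut-off: plain code and text sit well below 7.2 bits/byte,
# packed or encrypted payloads approach 8.0.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def profile(files):
    """Map path -> (sha256, entropy) for a snapshot of endpoint files."""
    return {p: (sha256_hex(b), shannon_entropy(b)) for p, b in files.items()}


def assess_deviation(baseline, snapshot, known_good_hashes):
    """Compare a snapshot profile against a trusted baseline profile.

    Returns path -> list of findings:
      unchanged        hash matches the baseline entry for that path
      modified         path exists in the baseline with a different hash
      new              path absent from the baseline
      missing          baseline path absent from the snapshot
      known-good-hash  hash is whitelisted regardless of path (survives renames)
      high-entropy     content looks packed or encrypted
    """
    report = {}
    for path, (digest, ent) in snapshot.items():
        base = baseline.get(path)
        if base is None:
            findings = ["new"]
        elif base[0] != digest:
            findings = ["modified"]
        else:
            findings = ["unchanged"]
        if digest in known_good_hashes:
            findings.append("known-good-hash")
        if ent >= PACKED_THRESHOLD:
            findings.append("high-entropy")
        report[path] = findings
    for path in baseline.keys() - snapshot.keys():
        report[path] = ["missing"]
    return report


# Constructed sample data (not real system files).
BASELINE_FILES = {
    r"C:\Windows\System32\svc.exe": b"MZ" + b"\x90" * 400 + b"legit service code",
    r"C:\Windows\System32\cfg.ini": b"[service]\nport=443\n",
}
CURRENT_FILES = {
    r"C:\Windows\System32\svc.exe": b"MZ" + b"\x90" * 400 + b"legit service code",
    r"C:\Windows\System32\cfg.ini": b"[service]\nport=443\nstartup=C:\\tmp\\u.exe\n",
    # Uniformly distributed bytes stand in for a packed/encrypted dropper.
    r"C:\tmp\u.exe": b"MZ" + bytes(range(256)) * 16,
}
BASELINE = profile(BASELINE_FILES)
KNOWN_GOOD = {BASELINE[r"C:\Windows\System32\svc.exe"][0]}


def triage():
    """Run the deviation assessment for the constructed endpoint snapshot."""
    return assess_deviation(BASELINE, profile(CURRENT_FILES), KNOWN_GOOD)


if __name__ == "__main__":
    for path, findings in sorted(triage().items()):
        print(path, findings)
```

A high-entropy flag is a triage signal, not a verdict: legitimately compressed or encrypted files score just as high, so it should route a file to memory or static analysis rather than to remediation on its own. The known-good hash check is what lets the approach survive a file being renamed or moved, while "modified" on a configuration file that now launches the new binary is often the better lead in an intrusion.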

Page 38: Cybersecurity - Sam Maccherola

Questions/Thoughts

Today, how do you…

Identify unknown or covert threats?

Limit the risk exposure presented by sensitive information?

Respond to a suspected threat?

Limit the scope of a data breach?

Ensure endpoints remain in a trusted state?

Address and scale technology and processes to include file servers, email servers, semi-structured data repositories?

Page 39: Cybersecurity - Sam Maccherola

Thank you