New reports show U.S. government servers are faced with 1.8 billion cyber attacks every month. View this technical presentation on ‘Reorganizing Federal IT to Address Today’s Threats’ by Richard Stiennon, analyst with IT Harvest and author of Surviving Cyber War, and Paul Zimski, VP of Solution Strategy with Lumension, as they examine:
* Today’s threats targeting government IT systems
* How federal IT departments can be reorganized to improve security and operations
* What key endpoint security capabilities should be implemented
Get expert insight and recommendations on improving your approach to securing IT systems from today’s sophisticated threats.
Reorganizing Federal IT to Address Today’s Threats
Today’s Speakers
Paul Zimski, VP of Solution Strategy, Lumension
Richard Stiennon, Analyst and Author, IT Harvest
Today’s Agenda
Today’s Threats Targeting Government Systems
How to Reorganize Federal IT
Examining Key Security Strategies
Q&A
New Threats to Federal IT Systems
Dark and stormy forecast for federal networks
• In March 2011, 24,000 documents were exfiltrated from a Pentagon contractor
• Elaborate attack against RSA results in loss of millions of secret seeds for tokens
• Ensuing attacks against Lockheed Martin, Grumman and L3
• IMF losses
• Hacker attacks against Senate.gov, CIA.gov
Something needs to change
• The threat is there; now what do we do?
How to Reorganize Federal IT
Advocate bottom-up rather than top-down change
• The Pentagon’s just-published Strategy for Operating in Cyberspace is yet another example of a top-down strategy document.
• Expect similar results to the Comprehensive National Cybersecurity Initiative, Presidential Directives, and Cyberspace Policy Review.
Pentagon Strategy for Operating in Cyberspace, 15 July 2011
• Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential.
• Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems.
• Strategic Initiative 3: Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy.
• Strategic Initiative 4: Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity.
• Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.
Organizing for cyber defense
• There is no strategy without responsibility
• Create a separate unit to address targeted attacks
Introducing the cyber defense team
Org chart: a Cyber Commander, with three teams reporting in: Analysts, Operations and Red Team.
Cyber Commander
• Assigns and directs roles
• Makes sure the correct tools and defenses are deployed
• Puts in place controls and audit processes
• Reports to upper management on the results of those processes and audits
• Primary point of contact for communicating to law enforcement and intelligence agencies
Analysts
Cyber defense analysts study the threat landscape and gather intelligence on emerging threats.
• Understanding the state of the art in attack methodologies.
• Getting to know potential attackers and monitoring their activity.
• Monitoring known attack sources.
• Communicating the threat level to the rest of the cyber defense team.
• Assisting in evaluating technology for internal deployment.
Operations
• Selecting and deploying tools
• Discovering internal infections
• Monitoring insider behavior
Red Team
• Attack and penetration
• Internal audit
• Operates outside the realm of routine operational vulnerability assessment; the team thrives on social engineering.
Next steps
• Repeat cyber command structure in every agency / department
• Create overarching cyber command
Elements of a defensive strategy
Harden networks and endpoints against targeted attacks:
1. Complete packet inspection, inbound and outbound
2. Whitelisting on servers, desktops, and embedded systems
3. Platform diversity (do not, for instance, run Windows on control systems)
4. User behavior monitoring
The attackers have changed their tools, targets, and goals.
The defenders must change too.
Richard Stiennon, Chief Research Analyst, IT-Harvest
[email protected] | Blog: Forbes Cyber Domain | twitter.com/stiennon
Examining Key Security Approaches
1. Implement Defense-in-Depth Endpoint Security
2. Shift from Threat-Centric to Trust-Based Security
3. Build a bottom-up approach with operational excellence focused on “the basics”
Three Defensive Strategies
Strategy 1: Defense-in-Depth
Diagram: Traditional Endpoint Security, with blacklisting as the core, faces zero-day exploits, 3rd-party application risk, malware-as-a-service and the growing volume of malware; Defense-in-Depth layers patch and configuration management alongside it.
Strategy 2: Trust-Based Security
What is Application Whitelisting?
Diagram: applications fall into four groups:
• Authorized: operating systems, business software
• Known malware: viruses, worms, Trojans
• Unauthorized: games, iTunes, shareware, unlicensed software
• Unknown: viruses, worms, Trojans, keyloggers, spyware
Everything outside the Authorized group is labelled Un-Trusted Applications.
Flexible Trust
• Trusted Publisher: authorizes applications based on the vendor that “published” them, through the digital signing certificate.
• Trusted Updater: authorizes select systems management solutions to “update” software, patches and custom remediations, while automatically adding what they install to the whitelist.
• Trusted Path: authorizes applications to run based on their location.
• Local Authorization: allows end users to locally authorize applications which have not been otherwise trusted by the whitelist or any other trust rules.
Strategy 3: Operational Excellence – “The Basics”
Assess, Prioritize, Remediate, Repeat
• Identify all IT assets (including platforms, operating systems, applications, network services)
• Monitor external sources for vulnerabilities, threats and intelligence regarding remediation
• Scan all IT assets on a regular schedule for vulnerabilities, patches and configurations
• Maintain an inventory of IT assets
• Maintain a database of remediation intelligence
• Prioritize the order of remediation as a function of risk, compliance, audit and business value
• Model / stage / test remediation before deployment
• Deploy remediation (automated, or manually)
• Train administrators and end-users in vulnerability management best practices
• Scan to verify success of previous remediation
• Report for audit and compliance
• Continue to assess, prioritize and remediate
Source: Aberdeen Group, Managing Vulnerabilities and Threats (No, Anti-Virus is Not Enough), December 2010
Stop Unwanted Applications
» Immediate and simple risk mitigation
Denied Application Policy prevents unwanted applications even if they are already installed
Easily remove unwanted applications
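As an added example (not from the slides and not Lumension's product code), here is a small Python policy engine that applies the four Flexible Trust rules from the whitelisting slide together with the Denied Application Policy from this slide, in the precedence a defender would want: an explicit deny wins over every trust rule, a Trusted Updater adds the hashes it installs to the whitelist, and a Trusted Path is matched only after normalising the path so directory traversal cannot borrow a trusted folder's trust. All publisher names, paths and hashes are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
import posixpath

@dataclass
class App:  # a binary about to execute (constructed sample data)
    path: str
    sha256: str
    publisher: Optional[str] = None     # signing certificate subject, None if unsigned
    installed_by: Optional[str] = None  # process that wrote the file, e.g. a patch agent
    locally_authorized: bool = False    # end user approved it via Local Authorization

@dataclass
class Policy:
    denied: Set[str] = field(default_factory=set)     # Denied Application Policy hashes
    whitelist: Set[str] = field(default_factory=set)  # explicitly authorized hashes
    trusted_publishers: Set[str] = field(default_factory=set)
    trusted_updaters: Set[str] = field(default_factory=set)
    trusted_paths: Tuple[str, ...] = ()
    allow_local_authorization: bool = False

def decide(app: App, policy: Policy) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny always wins, then the whitelist, then the trust rules."""
    if app.sha256 in policy.denied:
        return False, "denied application policy"
    if app.sha256 in policy.whitelist:
        return True, "whitelist"
    if app.publisher and app.publisher in policy.trusted_publishers:
        return True, "trusted publisher: " + app.publisher
    if app.installed_by and app.installed_by in policy.trusted_updaters:
        policy.whitelist.add(app.sha256)  # Trusted Updater: the new hash joins the whitelist
        return True, "trusted updater: " + app.installed_by
    norm = posixpath.normpath(app.path)  # so "/opt/approved/../../tmp/x" cannot borrow trust
    if any(norm.startswith(posixpath.normpath(t) + "/") for t in policy.trusted_paths):
        return True, "trusted path"
    if policy.allow_local_authorization and app.locally_authorized:
        return True, "local authorization"
    return False, "unknown application, no trust rule matched"

# Constructed sample policy and binaries; the hashes are placeholders, not real digests.
POLICY = Policy(denied={"h-itunes"}, whitelist={"h-excel"}, trusted_publishers={"CN=Example Corp"},
                trusted_updaters={"patch-agent"}, trusted_paths=("/opt/approved",),
                allow_local_authorization=True)
SAMPLES = [App("/opt/office/excel", "h-excel"),
           App("/usr/bin/itunes", "h-itunes", publisher="CN=Example Corp"),  # deny beats publisher
           App("/tmp/kb123.bin", "h-kb123", installed_by="patch-agent"),
           App("/opt/approved/../../tmp/dropper", "h-drop"),  # traversal does not gain trust
           App("/home/user/tool", "h-tool", locally_authorized=True)]
```

Call `decide(app, POLICY)` for each entry in `SAMPLES`; note that the signed but denied binary is still blocked, and that the patch-agent file is whitelisted by hash on its first run.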
Reducing Local Administrator Risk
» Limit Local Admin usage
» Monitor and control existing Local Admins
Q&A
Next Steps
• Resource Center: Putting Cyber Security Plans into Action
  » http://www.lumension.com/Resources/Resource-Center/Putting-Cybersecurity-Plans-into-Action.aspx
• Free Security Tools
  » http://www.lumension.com/Resources/Premium-Security-Tools.aspx
• Whitepapers
  » Infosecurity for Government Agencies: Checks, Balances & a More Secure Endpoint
    http://www.lumension.com/Resources/WhitePapers/Information-Security-for-Government-Agencies-Checks-Balances-and-a-More-Secure-Endpoint.aspx
  » Intelligent Whitelisting: An Introduction to More Effective and Efficient Security
    http://www.lumension.com/Resources/Whitepapers/Intelligent-Whitelisting-An-Introduction-to-More-Effective-and-Efficient-Endpoint-Security.aspx
Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828