© Copyright Selex ES S.p.A 2014 All rights reserved

A perspective from a Cyber Integrator

From Reactive to Proactive: The power of managed situation awareness

Presentation to Kingdom Cyber Security Forum May 2014

Selex Es main conference brief for Kingdom Cyber Security Forum

Page 2: Selex Es main conference brief for Kingdom Cyber Security Forum

What is a Cyber Integrator?

Situation Awareness – of what?

Building a specific response

Benefit from wider system collaboration

Page 4: Selex Es main conference brief for Kingdom Cyber Security Forum

Threats, vulnerabilities and underlying information technology are changing at a ferocious pace; so must all the countermeasures

Viruses

Trojans

Botnets

Phishing

Waterhole

Man in the email

Policy

Training

Hardening

Intrusion detection

Anomaly detection

Malware analysis

Certification

And in complex environments, no single product or service specialist can keep up

Page 5: Selex Es main conference brief for Kingdom Cyber Security Forum

Defence (National & NATO)

National Security Agencies

Governments & institutions

Law Enforcement

Telecommunications

Banking & Insurance

Healthcare

Transport & Utilities

Prime Contractors

Large Enterprises

A Cyber Integrator is typically a systems integrator and manufacturer with a broad perspective of security requirements

– and a dedicated security practice

Page 6: Selex Es main conference brief for Kingdom Cyber Security Forum

Understand factors, methods and history

Driven by nature and extent of measures required to achieve desired security

In some cases, an annual check-up is sufficient. In others, constant monitoring is recommended!

Level of threat × Level of vulnerability = Extent of security measures required

Understand technical vulnerabilities and weaknesses in security governance and user habits

A practiced Cyber Integrator seeks to diagnose before prescribing

Page 7: Selex Es main conference brief for Kingdom Cyber Security Forum

SOLUTIONS ARE BUILT ON:

• Customer desired business objectives

• Customers’ direct threats and vulnerabilities

• Customers’ indirect risks and challenges

• Engineered solutions and services

A Cyber Integrator takes a systems engineering approach

Page 8: Selex Es main conference brief for Kingdom Cyber Security Forum

Compromising Ability to Perform

Intellectual Property Theft

Loss of Financial Control

Ability to Recover

Threat to Human Safety

Affecting Compliance Status

Threatening Reputation

Clients suffering data loss, theft and cyber attack with serious to existential consequences

Page 9: Selex Es main conference brief for Kingdom Cyber Security Forum

Selex ES: What is a Cyber Integrator?

Situation Awareness – of what?

Building a specific response

Benefit from wider system collaboration

Page 10: Selex Es main conference brief for Kingdom Cyber Security Forum

Our customers are beset by the same global issues

Front office Operations

IT and Administration

Back office Operations

Internal Contractors

Bought-in Services

Trusted Partners

Executive

Tactics

Relentless Spam

Socially engineered

Botnet Attack

Insider Attack

Techniques

Phishing

Waterhole

Spam

Insider

Procedures

Reconnoitre

Penetrate

Sleep

Propagate

Control

Transmit

Transform

Weapons

Virus

Trojan

Worm

Rootkit

Logger

Dialler

Toolkits

VANDALS

PROTESTORS

THIEVES

SPIES

NATIONS

Deface

Destroy

Steal

Cheat

Impair

Customer

POS, ATM etc

Branch Phone

Online

Contact with Enterprise

Page 11: Selex Es main conference brief for Kingdom Cyber Security Forum

And the evidence suggests that the money to be made attracts the very best talent – of the wrong sort

• Face to face

• Online payment

• Man in the email (China, Nigeria and South Africa)

Fraud

Banking

Account takeover

Automated clearing

Global fraud losses linked to ACH and wire fraud for banking institutions

Corporate finance

Mobile banking and financial transaction threats

• $455 million 2012

• 2013 projection - $523 million

• 2016 projection - $795 million

Page 12: Selex Es main conference brief for Kingdom Cyber Security Forum

And enterprises share common vulnerabilities

POORLY INSTALLED FIREWALLS

USING DEFAULT PASSWORDS

POORLY PROTECTED CUSTOMER DATA AT REST

POORLY MAINTAINED APPLICATIONS AND SYSTEMS

IRRATIONALLY APPLIED ORGANISATION SECURITY POLICY

POORLY MAINTAINED ANTI-VIRUS AND IPS/DLP SYSTEMS

LOOSE UNDERSTANDING OF NETWORK ACTIVITY

INSUFFICIENT ENCRYPTION OF DATA IN TRANSIT

LOOSE ‘NEED TO KNOW’ POLICY

Page 13: Selex Es main conference brief for Kingdom Cyber Security Forum

So, we work with enterprises to improve awareness of Vulnerabilities, Threats and Attacks

Processes

People

Culture

Systems

Tools

Techniques Drivers

Organisation

Threats Vulnerabilities

Level of Damage

Tolerance of Damage

Technology Procedures

And then we start to build the appropriate responses…

Page 14: Selex Es main conference brief for Kingdom Cyber Security Forum

Selex ES: What is a Cyber Integrator?

Situation Awareness – of what?

Building a specific response

Benefit from wider system collaboration

Page 15: Selex Es main conference brief for Kingdom Cyber Security Forum

CYBER DOCTRINE

Assess

CYBER SERVICES

Assessment Guidance Remediation Projects

Managed Services

Managed Services

A Cyber Integrator draws on a coherent set of services designed to address threats and resolve vulnerabilities

• Vulnerability

• Maturity

Assure

Prevent

Protect

Detect

Resist

Defend

Respond

Contain

Eradicate

Recover

Learn

• Policy

• Certification

• Training

• System hardening

• System provision

• Enterprise protective monitoring

• Incident response forensics

COMPETITIVE ADVANTAGE. INFORMATION SUPERIORITY.

Page 16: Selex Es main conference brief for Kingdom Cyber Security Forum

Taking an Integrator’s approach, we then develop the Advisory, Skills transfer, Change and enduring Services solution to meet the need.

Understand factors, methods and history

Driven by nature and extent of measures required to achieve desired security

But to keep up with changing threats, exploits and attack methods, our services have to be agile, flexible and truly innovative.

Level of threat × Level of vulnerability = Extent of security measures required

Understand technical vulnerabilities and weaknesses in security governance and user habits

Page 17: Selex Es main conference brief for Kingdom Cyber Security Forum

• Policy and legislation background

• Essential industry architecture

• Key industry governance processes

• Key financial functions and processes

• Key systems

We immerse ourselves in your environment:

How does a cyber services integrator achieve agility and flexibility?

Page 18: Selex Es main conference brief for Kingdom Cyber Security Forum

• Understand and model predominant attack/exploit methods

• Develop and maintain a library and understanding of characteristic system vulnerabilities

• Anticipate next generation exploits

• Characterise key domain processes that are subject to attack

We maintain sector specific technical expertise, backed by our own wider technical expertise and context

Which enables us to provide a coherent set of appropriate services to the companies operating within the particular sector

How does a cyber services integrator achieve agility and flexibility?

Page 19: Selex Es main conference brief for Kingdom Cyber Security Forum

What would the outcome look like?

Achievement and maintenance of security compliance

Monitoring and real-time analysis of anomalies plus development of intelligence data - plus reaching out to external sources

Response to incidents: containment, eradication and recovery

Development and maintenance of situation awareness, dynamic risk analysis and feed back for training and process improvement - plus deeper malware / TTP analysis (DIY or bought-in)

Hardening of key systems

Regular vulnerability assessment

Deter Detect

Through life security

Assure Respond

Learn Assess

Your Cyber Security Capability

Page 20: Selex Es main conference brief for Kingdom Cyber Security Forum

Detect

Resist

Defend

Respond

- Contain

- Eradicate

- Recover

- Learn

Deter

Protect

Organisation Users Core Systems

Assess Assure

© Copyright Selex ES S.p.A 2013 All rights reserved

An Enterprise CIRT or equivalent managed service provides the right focus

Enterprise CIRT

Page 21: Selex Es main conference brief for Kingdom Cyber Security Forum

Selex ES: What is a Cyber Integrator?

Situation Awareness – of what?

Building a specific response

Benefit from wider system collaboration

Page 22: Selex Es main conference brief for Kingdom Cyber Security Forum

The key characteristic of national and international response to cyber threats is collaboration

Page 23: Selex Es main conference brief for Kingdom Cyber Security Forum

The key characteristic of response is collaboration

• Joint research centre – vulnerabilities etc

• Pan European exercises

• Sector and National CSIRTs

• Europol and Interpol: cooperation for Cyber

EU CYBER STRATEGY RESTS ON COLLABORATION

Page 24: Selex Es main conference brief for Kingdom Cyber Security Forum

• To optimise information sharing, collaboration and interoperability

NATO: LISBON DECLARATION

The key characteristic of response is collaboration

Page 25: Selex Es main conference brief for Kingdom Cyber Security Forum

Comprehensive National Cybersecurity Initiative

• Connecting Cyber Operations Centres

• Shared Situational Awareness

• Federal, State, Local and Private Sector

• Supply chain initiative

US INITIATIVES:

The key characteristic of response is collaboration

• Education and R&D initiative

• FUNDING!

The concept of sector and national nodes and hubs for reporting, correlating data and sharing intelligence is gaining momentum

Page 26: Selex Es main conference brief for Kingdom Cyber Security Forum

And what does all that collaboration provide to the participants?

A massive surface area to gather cyber intelligence

So, where does one start?

Page 27: Selex Es main conference brief for Kingdom Cyber Security Forum

Plans

Procedures

Lessons learned

Vulnerabilities

Threats

Impact

Breach and incident data

Technical indicators of compromise

Suggested remediation actions

Vulnerabilities

Threats

Impact

Breach and incident data

Sector CIRT

Secure and trusted information sharing

Enterprise CIRT Enterprise CIRT

Within any Business or Government Sector, a federated and trustworthy Sector CIRT would encourage collaboration

Page 28: Selex Es main conference brief for Kingdom Cyber Security Forum

The national effect: shared situational awareness of network vulnerabilities, threats, and events

Banking

Oil & Gas

Power generation

Aviation

Telecoms

Medical

Are you seeing what we are seeing?

Page 29: Selex Es main conference brief for Kingdom Cyber Security Forum

Presentation to Kingdom Cyber Security Forum

Thank you for listening

May 2014