Copyright © 2014 BAE Systems. All Rights Reserved. BAE Systems is a trade mark of BAE Systems Plc.
BAE Systems Applied Intelligence. COMMERCIAL IN CONFIDENCE

APTs Changed the Game: Find out what your peers are doing to address them
GUEST SPEAKER
Jason Malo, Research Director – Security & Fraud, CEB TowerGroup
GUEST SPEAKER
Colin McKinty, Regional Vice President – Cyber, BAE Systems Applied Intelligence
© 2013 The Corporate Executive Board Company. All Rights Reserved. CEB TowerGroup Retail Banking

APTs CHANGED THE GAME …
Agenda:
1. APTs: Monster Under the Bed Revealed
2. How Your Peers Are Organizing and Investing
3. Where Countermeasures Are Effective and Need Help
TARGETED ATTACKS: LAYERED ATTACKS MEET LAYERED SECURITY

Social engineering, phishing, SMiShing and denial-of-service attacks are still very effective, and are often used in concert with more complex attacks.

Example: April 26, 2011, 77 million customer records were stolen. "Security teams were working very hard to defend against denial of service attacks, and that may have made it more difficult to detect this intrusion quickly." (Sony Computer Entertainment chairman in letter to Congress, May 2011)

Example: Stuxnet, June 2010. Sophisticated malware designed specifically to target one kind of supervisory control and data acquisition (SCADA) system and subvert detection.

Attack lifecycle: Profile the Target → Track the Target → Install Malware → Malware Disables Existing Security Controls → Attacker Takes Control
Source: CEB IREC, A Guide to Advanced Persistent Threats, January 2012

Low sophistication:
• Takes direct control
• Leaves behind tracks
• Primitive/clumsy methods
• Scattered search
• Easier to identify
• Spelling/grammatical errors

High sophistication:
• Takes indirect control
• Wipes tracks
• Unique methods
• Clear objectives
• Dormant/low profile
MOST ATTACKS ARE NOT "ADVANCED"
Verizon saw only one breach due to a highly sophisticated, "advanced" attack, but one complex event is enough.

Sophistication of attack methods resulting in a data breach (510 attributable data breaches; counts in parentheses):
  Very Low   10%  (50)
  Low        67%  (343)
  Moderate   23%  (116)
  High        0%  (1)
Source: 2013 Data Breach Investigations Report, Verizon

The difficulty rating of attacks:
  VERY LOW: the average person could have done it.
  LOW: basic methods, little or no customization or resources required.
  MODERATE: some skilled techniques and customization required.
  HIGH: advanced skills, significant customizations, and/or extensive resources required.

What about attacks or data thefts that go undetected? We have to address the most significant risk, but be wary of the existence and the typical evolutionary path of these threats.
APTS ARE PERSISTENT & TARGETED
Targeted persistent attacks utilize multiple techniques and tools of varying levels of sophistication. "Advanced" is a moving standard, but focused attackers have deeper toolkits.

APT characteristics (as listed on the slide): Targeted, Persistent, Well-funded, Control Targeted, Malware, Coordinated, Sophisticated Code, Data Exfiltration, Circumvents Firewall, Multi-Vector, Sophisticated Hacking, Sustained, Social Engineering, Clandestine, Internally Supported, Focused
RENEW FOCUS ON WHAT'S IMPORTANT
It's important to understand the threat landscape, but an effective defense must always come back to the protection of what's important.

Chart: "The impact of advanced threats are" (title cut off on the slide)
  Exposure of sensitive data                66%
  Theft of data or intellectual property    62%
  Introduction of malware                   61%
  Trusted/privileged user abuse             54%
  Compromised user accounts                 54%
  System sabotage                           45%
  Advanced persistent threats               43%
  Lack of forensics                         31%
Source: The Insider Threat, Vormetric
2013 ENTERPRISE THREAT LANDSCAPE OVERVIEW
Regulatory compliance, threats, and malicious actors are the greatest sources of risk.

Threat rankings by level of information-executive concern (chart labels in the order extracted, apparently from lowest to highest concern; the slide gives no values):
  Denial of Service
  Environmental
  Vulnerabilities in Domain Controllers
  Third Party Risk: IaaS
  Other Social Engineering
  Use of Employee-Owned Mobile Devices
  Hacktivism
  Third Party Risk: Non-Cloud
  Unintentional User Behavior, Employee Carelessness
  Regulatory Non-Compliance: Employee Owned Devices
  Regulatory Non-Compliance: Big Data and Customer…
  Web Application Vulnerabilities
  Organized Crime and Fraud
  Privilege Abuse
  Third Party Risk: SaaS
  Malicious Insiders
  Targeted Phishing
  State-Sponsored Attacks
  Regulatory Non-Compliance: All Types
Source: CEB 2013 Threat Landscape Survey, N=69
CURRENT DEFENSES ARE INCOMPLETE, NOT OBSOLETE
Current outward-looking, network-layer security "walls" are being subverted, requiring an inward-looking complement.

What happens between checkpoints, and what happens between devices?
• Checkpoints are often asymmetric and provide inadequate data capture.
• What happens in between checkpoints, or even once an attacker is past all of them?
• What are the network-layer data ingress points that bypass the checkpoints?

Checkpoints shown on the slide: Perimeter, Core, Edge, Datacenter, Virtual Network, Point-in-Time Assessment
RELATIVE SUCCESS AGAINST THE MOST PROLIFIC ATTACKS
Source: 2013 Cost of Cyber Crime Study, Ponemon Institute, 10/2013 (2013, n = 234 separate companies)

Types of cyber attacks experienced (percentage of companies):
  Malware                     99%
  Viruses, worms, trojans     98%
  Web-based attacks           57%
  Denial of service           57%
  Botnets                     55%
  Phishing & SE               52%
  Stolen devices              50%
  Malicious code              48%
  Malicious insiders          38%

Average days to resolve an attack:
  Viruses, worms & trojans     2.6
  Botnets                      2.7
  Malware                      5.0
  Stolen devices              13.3
  Denial of service           19.2
  Phishing & SE               19.3
  Web-based attacks           28.9
  Malicious code              42.4
  Malicious insiders          53.0
CYBER CRIME COSTS DRIVEN BY SOME OF THE LEAST TECHNICAL MEANS
Sources: 2013 Cost of Cyber Crime Study, Ponemon Institute, 10/2013 (n = 234 companies; size measured by number of enterprise seats in the organization); 2013 Data Breach Investigations Report, Verizon

Average annualized cyber crime cost, weighted by attack frequency:
  Malicious insiders          $154,453
  Denial of service           $139,931
  Web-based attacks            $80,995
  Malicious code               $80,847
  Phishing & SE                $31,059
  Stolen devices               $26,249
  Botnets                         $899
  Viruses, worms, trojans         $630
  Malware                         $491

Cost mix of attacks by organizational size (series assigned in the legend order shown on the slide):
                             Large organizations   Small organizations
  Botnets                           4%                    8%
  Malware                           4%                   10%
  Phishing & SE                     7%                   12%
  Malicious code                   13%                    8%
  Stolen devices                   13%                    9%
  Viruses, worms, trojans           9%                   15%
  Malicious insiders               15%                    9%
  Web-based attacks                14%                   13%
  Denial of service                22%                   16%
RECOGNIZING ANTI-MALWARE BENEFITS AND CONSTRAINTS
Malware protection has successfully relied on blacklisting recognized code for years, but has always had a blind spot with zero-day attacks. Signature-based threat detection isn't a silver bullet, nor is it completely outdated.

PROS                                       CONS
Unobtrusive to users                       Needs to have seen the threat at least once
Definitive (not based on probability)      Needs a fingerprint
Easy to manage                             Expanding signature set / unmanageable blacklist size
Effective against many known threats       Asymmetric

Complement: expansion of checkpoints and user-attributable monitoring.
Source: 2013 Data Breach Investigations Report, Verizon
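The three cons in the table are easy to see on a constructed sample. The Python below is an added example, not code from the CEB or BAE Systems slides or from any vendor product: it blacklists the SHA-256 of a fake dropper, shows that a one-byte variant is missed until it too has been seen and fingerprinted (so the blacklist grows by one entry per variant), and contrasts that with a simple content rule standing in for the user-attributable monitoring the slide recommends as a complement. The sample bytes, the rule and the "one sighting per entry" workflow are all assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for a dropper: a fake header followed by the command
# it would launch. Only its bytes matter here; it is not a real executable.
SAMPLE = (b"MZ\x90\x00"
          + b"powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"
          + b"\x00" * 16)

# A one-byte change (a re-packed build, appended padding) is a fresh variant
# at zero cost to the attacker.
VARIANT = SAMPLE + b"\x00"


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest: the kind of 'fingerprint' a blacklist entry stores."""
    return hashlib.sha256(data).hexdigest()


def signature_scan(data: bytes, blacklist: set) -> bool:
    """Signature detection: definitive and cheap, but it only hits what it has seen."""
    return fingerprint(data) in blacklist


def behaviour_scan(data: bytes) -> bool:
    """Content rule (an assumed, illustrative substitute for behavioural monitoring):
    flags a hidden, encoded PowerShell launch regardless of the file's hash.
    The price of not needing a prior sighting is rule authoring and false positives."""
    lowered = data.lower()
    return b"powershell" in lowered and b"-enc" in lowered and b"hidden" in lowered


def compare(blacklist: set) -> dict:
    """Run both detectors over the original sample and its one-byte variant."""
    return {
        "signature": (signature_scan(SAMPLE, blacklist), signature_scan(VARIANT, blacklist)),
        "behaviour": (behaviour_scan(SAMPLE), behaviour_scan(VARIANT)),
    }


def learn(blacklist: set, *samples: bytes) -> int:
    """Add the fingerprint of each newly seen sample; returns the blacklist size,
    which grows by one entry for every near-identical variant."""
    for sample in samples:
        blacklist.add(fingerprint(sample))
    return len(blacklist)


if __name__ == "__main__":
    seen = {fingerprint(SAMPLE)}          # the vendor has seen the original once
    print(compare(seen))                  # signature misses the variant, the rule catches both
    print(learn(seen, VARIANT, VARIANT + b"\x00"))   # three entries for three near-identical files
```

The point of the comparison is the asymmetry the slide names: the defender pays one blacklist entry per variant and only after a sighting, while the attacker pays one byte per variant.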
INFORMATION SECURITY: ALIGNING 2014 EFFORTS
CISOs' strategic priorities for 2014 stress an analytics-driven, risk-aware, modern-technology-focused enterprise approach to security.

CISOs' priorities for 2014 (percentage of respondents identifying the topic as a top-three concern):
  48%  Leveraging security analytics to understand attacks and make control/incident response decisions
  38%  Improving security staff's business engagement skills
  34%  Formalizing the interfaces with other risk functions (ERM, Legal, etc.)
  32%  Bringing rigor to the selection of defenses from advanced threats/sophisticated attackers
  31%  Maturing application security processes as mobile development increases
  30%  Upgrading risk assessments as the "cloud" portion of the portfolio increases
  30%  Updating processes around privileged access and superusers
  28%  Driving the business to create an official statement of risk appetite
  22%  Building staff technical skills to deal with advanced threats
  18%  Presenting information about advanced attacks to the Board of Directors
Source: CEB 2013 Agenda Survey
KEY TENETS OF AN APT STRATEGY

Kill chain phases (Source: Lockheed Martin Kill Chain Model): Delivery → Exploitation → Installation → Command and Control → Action on Objectives
Detection based on scanning may be too late: move detection up to the Delivery phase, using indexing, log activity and network visualization.

1. Monitoring Along the Entire Threat Lifecycle
2. End-User Awareness
• Newsletters, training, posters, and other materials are commonplace
• Internal drills oriented to user type and risk
3. Access Control
• Ongoing privileged-user audits
• User-based profiling, including risk-based controls
• Data classification, tracking and reporting
4. Incident Response
• Proactive role and responsibility definition, including communication and response protocols
• Post-incident learning plans
• Documentation and reporting is a challenge
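As an added example (not from the CEB or BAE Systems slides, and not from any vendor product), the Python below shows what "monitoring along the entire threat lifecycle" and "move detection up to the Delivery phase" look like in code. It correlates constructed log lines from three assumed sources (a mail gateway, an endpoint agent and a web proxy) into the kill-chain phases listed on the slide, keyed by user, and measures how much earlier a compromise is flagged when the first observed phase raises the alert rather than waiting for the command-and-control beacon. The key=value log format, the field names, the rule thresholds, the user names and the timestamps are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Phase order from the Lockheed Martin kill chain as listed on the slide.
PHASES = ["Delivery", "Exploitation", "Installation",
          "Command and Control", "Action on Objectives"]

# Constructed sample telemetry in a simple key=value line format (an assumption
# for this example; real gateway, EDR and proxy formats differ). Values contain
# no spaces by construction.
SAMPLE_LOGS = """\
ts=2013-11-04T08:01:10 source=mailgw user=jdoe sender=billing@example.net attachment=invoice_2013.exe
ts=2013-11-04T08:03:42 source=edr user=jdoe host=ws-0142 parent=outlook.exe child=powershell.exe
ts=2013-11-04T08:03:50 source=edr user=jdoe host=ws-0142 event=persistence path=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
ts=2013-11-04T08:05:00 source=proxy user=jdoe host=ws-0142 dst=203.0.113.7 beacon=true bytes_out=512
ts=2013-11-04T09:10:00 source=proxy user=asmith host=ws-0211 dst=198.51.100.9 beacon=false bytes_out=1024
ts=2013-11-04T11:40:00 source=proxy user=jdoe host=ws-0142 dst=203.0.113.7 beacon=false bytes_out=73400320
"""

# Rule parameters; every one of these is an illustrative assumption.
RISKY_EXTENSIONS = {"exe", "scr", "js", "jar", "docm"}
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
EXFIL_BYTES = 50 * 1024 * 1024   # one session moving 50 MiB or more out


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def classify(ev: dict):
    """Map one parsed event to a kill-chain phase, or None if no rule matches."""
    src = ev.get("source")
    if src == "mailgw":
        ext = ev.get("attachment", "").rsplit(".", 1)[-1].lower()
        if ext in RISKY_EXTENSIONS:
            return "Delivery"
    elif src == "edr":
        if ev.get("parent") in OFFICE_PARENTS and ev.get("child") in SHELL_CHILDREN:
            return "Exploitation"
        if ev.get("event") == "persistence":
            return "Installation"
    elif src == "proxy":
        if ev.get("beacon") == "true":
            return "Command and Control"
        if int(ev.get("bytes_out", "0")) >= EXFIL_BYTES:
            return "Action on Objectives"
    return None


def correlate(log_text: str) -> dict:
    """Return {user: {phase: first_timestamp}} for every user with at least one hit."""
    timeline = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        phase = classify(ev)
        if phase is not None:
            timeline[ev.get("user", "unknown")].setdefault(phase, ev["ts"])
    return dict(timeline)


def earliest_phase(log_text: str) -> dict:
    """Detection point when the whole lifecycle is monitored: first phase seen per user."""
    return {user: min(phases.items(), key=lambda kv: kv[1])
            for user, phases in correlate(log_text).items()}


def detection_lag(log_text: str, late_phase: str = "Command and Control") -> dict:
    """Seconds lost per user if the first alert only fires at `late_phase`
    (the late, scan-style posture the slide warns against) instead of at the
    earliest observed phase. Users never seen at `late_phase` are omitted."""
    lag = {}
    for user, phases in correlate(log_text).items():
        late = phases.get(late_phase)
        if late is None:
            continue
        first = min(phases.values())   # ISO-8601 strings sort chronologically
        delta = datetime.fromisoformat(late) - datetime.fromisoformat(first)
        lag[user] = int(delta.total_seconds())
    return lag


if __name__ == "__main__":
    for user, phases in correlate(SAMPLE_LOGS).items():
        chain = " -> ".join(f"{p}@{phases[p]}" for p in PHASES if p in phases)
        print(f"{user}: {chain}")
    print("earliest:", earliest_phase(SAMPLE_LOGS))
    print("lag if alerting only at C2 (s):", detection_lag(SAMPLE_LOGS))
```

The design choice worth noting is that each source is tagged with a phase independently and only then joined: the Delivery hit from the mail gateway is actionable on its own, and the later endpoint and proxy hits confirm it rather than being required before anyone is told. In the sample, waiting for the beacon costs 230 seconds; waiting for the exfiltration volume costs several hours.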
TALENT IS THE BIGGEST OBSTACLE TO EFFECTIVE USAGE OF SECURITY ANALYTICS
CEB Information Risk Leadership Council. The highest number of executives cited the mindset and skills of employees as the largest obstacle to improved security analytics usage.

What is the biggest obstacle to increasing the effectiveness of security analytics for your information security function? (percentage of information risk executives, n = 37)
• People: we don't have people with the mindset and skills needed to analyze complex security datasets, 38%
• Process: we don't have mature rules and processes about what to look for in the data we collect and how to use that information in decision-making, 30%
• Technology: we don't have the tools and technologies needed to gather, store, or analyze security data, 16%
• Other, 16%
Source: CEB Information Risk Peer Perspectives, 09/2013
COMPLEMENT LONG-STANDING STRATEGIES WITH ENHANCED INTELLIGENCE
Return on investment expectations are highest for advanced intelligence systems.

Estimated ROI for seven categories of enabling security technologies (2013, n = 234 separate companies):
  21%  Security intelligence systems
  19%  Advanced perimeter controls and firewall technologies
  19%  Extensive deployment of encryption technologies
  14%  Enterprise deployment of GRC tools
  14%  Access governance tools
  14%  Extensive use of data loss prevention tools
   6%  Automated policy management tools
Source as printed on the slide: 2013 Data Breach Investigations Report, Verizon. (The n = 234 sample is that of the Ponemon Institute 2013 Cost of Cyber Crime Study cited on the preceding slides.)
• Notice this is oriented to "intelligence", not "big data".
BAE Systems Applied Intelligence (Company Confidential)

ADDRESSING YOUR CHALLENGES: ANALYTICS, THREAT INTELLIGENCE, WORKFLOW & ANALYST PRODUCTIVITY
(The following slides are screenshots; only their titles survive in the text.)
• View … How We Protect and Enhance
• CyberReveal™ Solution Overview
• Large Volumes, Lots of Formats … CyberReveal™ Threat Analyst
• How to Focus on 10 Threats … among Billions?
• How Do You Make it Actionable?
• INVESTIGATOR: VIEW AND ANALYZE
• INVESTIGATOR: SECURITY ANALYST VIEW
• INVESTIGATOR: REQUESTING MORE CONTEXT
• INVESTIGATOR: WHAT TO DO WITH THE ALERT
THANK YOU.
© BAE Systems 2014, unpublished, copyright BAE Systems all rights reserved. Proprietary: no use, disclosure or reproduction without the written permission of BAE Systems plc.
For more information:
• Visit www.baesystems.com/ai
• Contact us at [email protected]