2011 11 16 Larry Clinton SC Magazine Keynote Presentation About APT Economic Misalignment and...

Date post: 05-Apr-2018
Upload: isalliance

Transcript
  • 7/31/2019 2011 11 16 Larry Clinton SC Magazine Keynote Presentation About APT Economic Misalignment and Regulation

Slide 1/41

Larry Clinton, President & CEO
Internet Security Alliance, [email protected]
703-907-7028 / 202-236-0001
www.isalliance.org

Slide 2/41: During the Last Minute

- 45 new viruses
- 200 new malicious web sites
- 180 personal identities stolen
- 5,000 new versions of malware created
- 2 million dollars lost

Slide 3/41: Presentation Outline

- The evolved cyber threat
- What drives the evolved cyber threat
- Economics and cyber security
- Ineffective corporate strategy
- Ineffective Government Policy
- Promising corporate approaches to the new threats
- Promising Public Policy to deal with cyber security

Slide 4/41: Advanced Persistent Threat: What is it?

- Well funded
- Well organized, state supported
- Highly sophisticated, NOT hackers
- Thousands of custom versions of malware
- Escalate sophistication to respond to defenses
- Maintain their presence and call home
- They target vulnerable people more than vulnerable systems

Slide 5/41: APT

"The most revealing difference is that when you combat the APT, your prevention efforts will eventually fail. APT successfully compromises any target it desires."
Source: M-Trend Reports

Slide 6/41: The APT: Average Persistent Threat

"The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event. APT is no longer just a threat to the public sector and the defense establishment; this year significant percentages of respondents across industries agreed that APT drives their organization's security spending."
Source: PricewaterhouseCoopers Global Information Security Survey, September 2011

Slide 7/41: % Who Say APT Drives Their Spending

- 43% Consumer Products
- 45% Financial services
- 49% Entertainment and media
- 64% Industrial and manufacturing sector
- 49% Utilities
Source: PWC 2011 Global Information Security Survey

Slide 8/41: Are We Thinking of APT All Wrong?

"Companies are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%)."
Source: PWC 2011

"Conventional information security defenses don't work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target's network while the target believes they have been eradicated."
Source: M-Trend Reports 2011

Slide 9/41: We Are Not Winning

"Only 16% of respondents say their organization's security policies address APT. In addition, more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat."

Slide 10/41: ISAlliance Mission Statement

ISA seeks to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.

Slide 11/41: The Cyber Security Economic Equation

- Technological analysis tells us HOW cyber attacks occur. Economics tells us WHY they occur.
- All the economic incentives favor the attackers.
- Attacks are cheap, easy, profitable, and the chances of getting caught are small.
- Defense is a generation behind the attacker, the perimeter to defend is endless, and ROI is hard to show.
- Until we solve the cyber economics equation we will not have cyber security.

Slide 12/41: Technology or Economics?

"We find that misplaced incentives are as important as technical design; security failure is caused at least as often by bad incentives as by bad technological design."
Source: Anderson and Moore, The Economics of Information Security

Slide 13/41: Misaligned Incentives

"Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly; people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code."
Source: Anderson and Moore, Economics of Information Security

Slide 14/41: Efficiency and Security

- National Strategy to Secure Cyber Space (2002) held that business efficiency would drive cyber security investment.
- DHS Eco-system Paper (2011) holds the same view.
- Business efficiency demands LESS secure systems (VOIP / international supply chains / Cloud).

Slide 15/41: Why China and the APT?

"Countries that grow by 8-13% can only do this by copying. Copying is easy at first; you copy simple factories, but to grow by more than 8% you need serious know-how. There are only 2 ways to get this: partnering and theft. China cannot afford NOT to grow 8% yearly. Partnering won't transfer enough know-how to sustain 8%+, so all that's left is theft, and almost all the theft is electronic."
Source: Scott Borg, US Cyber Consequences Unit

Slide 16/41: Gov and Industry Economics are Different

- We must have public-private partnership.
- Gov and industry goals are aligned, not identical.
- Lack of trust impedes partnership.
- Economics are different for gov and industry.
- Difficult issues with respect to risk management, information sharing, roles and responsibilities.

Slide 17/41: Administration Legislative Proposal

- DHS defines covered critical infrastructure.
- DHS sets regulations for the private sector via rulemaking establishing frameworks.
- Private-sector corporations must submit plans to meet the regulations.
- DHS certifies evaluators, which companies must hire to review DHS-approved cyber plans.
- Companies DHS decides are not meeting the regulations must face public disclosure (name and shame).

Slide 18/41: Why It Won't Work

- General plans don't tell us anything (but do increase cost and take away from real security).
- Most successful attacks are difficult and expensive to find; often you don't know.
- Disclosure requirements penalize good companies.
- Name and shame provides incentives NOT to invest in the expensive tools we need, or even to look.
- Name and shame incentivizes attacks.

Slide 19/41: Why it won't work

"As I study these pieces of legislation, the one thing that concerns me is the potential negative implications and unintended consequences of creating more security compliance requirements. Regulation and the consequent compliance requirements could boost costs and misallocate resources without necessarily increasing security due to placing too much emphasis on the wrong things."
Source: Mark Weatherford, now DHS Deputy Under Secretary for Cybersecurity

Slide 20/41: Why Admin Legislative Plan won't work

"It is critical that any legislation avoids diverting resources from accomplishing real security by driving it further down the chief security officer's (CSO's) stack of priorities."
Source: Mark Weatherford, Government Technology magazine, July 28, 2011

Slide 21/41: ISA and APT

- Roach Motel Model, 2008 (Jeff Brown, Raytheon, Chair)
- Expanded APT Best Practices (Rick Howard, VeriSign; Tom Kelly, Boeing; and Jeff Brown, Raytheon; co-chairs)

Slide 22/41: Roach Motel: Bugs Get In, Not Out

- No way to stop determined intruders.
- Stop them from getting back out (with data) by disrupting the attackers' command and control back out of our networks.
- Identify web sites and IP addresses used to communicate with malicious code.
- Cut down on the dwell time in the network.
- Don't stop attacks; make them less useful.

Slide 23/41: New Model (Based on AV Model)

- Focus is NOT on perimeter vulnerability.
- Focus IS ON disseminating info on attacker C2 URLs and IP addresses, and automatically blocking OUTBOUND TRAFFIC to them.
- Threat Reporters (report malicious C2 channels)
- National Center (clearing house)
- Firewall Vendors (push info into the field of devices, like AV vendors do now)

Slide 24/41: APT Best Practices 1) Corp. Due Diligence

- Physical separation between the corporate network, the "secret sauce", any Merger & Acquisition (M&A) groups and any contract deals.
- Enforce the "Need to Know" rule.
- Encrypt everything in transit and at rest, e.g. smartphones.
- Foreign travel: use throw-away laptops.
- Label all documents and e-mail with the appropriate data classification.
- Upgrade to the latest operating systems.

Slide 25/41: 2) Preventing and Identifying Exploitation

- Identify vulnerable software.
- Prevent exploitation by enumerating applications with Microsoft EMET.
- Train and maintain vigilance of employees regarding the sophistication of spoofed and technical social engineering attacks.
- Apply email filters and translation tools for common attack file types like PDF and Office documents.
- Install and test unknown URLs with client honeypots before delivering email and allowing users to visit them.

Slide 26/41: 3) Outgoing Data and Exfiltration

- Monitor all points of communication (DNS, HTTP, HTTPS), looking for anomalies.
- Limit access to unknown communication types.
- Utilize a proxy to enforce known communication and prevent all unknown communication types.
- Monitor netflow data to track volume, destination.
- Monitor free and paid services like webhosting.
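The outbound-focused controls of slides 22, 23 and 26 (block traffic to C2 IPs and URLs distributed by a clearing house, let only known communication types through the proxy, and watch netflow volume per destination) put into code as an added example; this is not code from the presentation or from ISA. The indicator feed, the allowed-channel table and the flow records are all constructed here, using documentation IP ranges and example.* names only.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# Constructed C2 indicator feed, standing in for the "National Center" clearing-house
# feed of slide 23. Documentation ranges and example names only.
C2_FEED = [
    "203.0.113.0/24",            # CIDR indicator
    "198.51.100.7",              # single-host indicator
    "update-check.example.net",  # domain indicator; subdomains match too
]
# Communication types the egress proxy knows; anything else is "unknown".
ALLOWED_CHANNELS = {("dns", 53), ("http", 80), ("https", 443)}
# Netflow-style record; dst_name is the resolved name if known, else "".
Flow = namedtuple("Flow", "src dst_ip dst_name proto port bytes_out")

def load_feed(entries):
    """Split feed entries into IP networks and lower-cased domains."""
    nets, domains = [], set()
    for entry in entries:
        try:
            nets.append(ip_network(entry, strict=False))
        except ValueError:  # not an IP or CIDR, so treat it as a domain
            domains.add(entry.lower().rstrip("."))
    return nets, domains

def domain_matches(name, domains):
    name = name.lower().rstrip(".")
    return bool(name) and any(name == d or name.endswith("." + d) for d in domains)

def classify(flow, nets, domains):
    """BLOCK known C2 destinations, ALERT on unknown channel types, else ALLOW."""
    if any(ip_address(flow.dst_ip) in n for n in nets) or domain_matches(flow.dst_name, domains):
        return "BLOCK"
    if (flow.proto, flow.port) not in ALLOWED_CHANNELS:
        return "ALERT"
    return "ALLOW"

def evaluate(flows, feed=C2_FEED):
    """Return (flow, verdict) pairs and bytes per destination for volume review."""
    nets, domains = load_feed(feed)
    egress = defaultdict(int)
    for f in flows:
        egress[f.dst_ip] += f.bytes_out
    return [(f, classify(f, nets, domains)) for f in flows], dict(egress)

# Constructed outbound flows from internal hosts (10.0.0.0/8).
FLOWS = [
    Flow("10.0.0.5", "192.0.2.20", "www.example.com", "https", 443, 4_200),
    Flow("10.0.0.5", "203.0.113.45", "", "https", 443, 850_000),  # in blocked range
    Flow("10.0.0.9", "198.51.100.7", "cdn.example.org", "http", 80, 1_200),  # blocked host
    Flow("10.0.0.9", "192.0.2.10", "update-check.example.net", "https", 443, 300),
    Flow("10.0.0.9", "192.0.2.10", "stats.update-check.example.net", "https", 443, 300),
    Flow("10.0.0.12", "192.0.2.77", "", "tcp", 4444, 56_000),  # unknown channel
    Flow("10.0.0.12", "192.0.2.53", "", "dns", 53, 120),
]
```

The per-destination byte totals make the 850 KB sent to the blocked range stand out even before the indicator match, which is the "volume, destination" signal slide 26 asks for.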

Slide 27/41: 4) Understand Why You Are an APT Target

- Collection requirements typically focus on 3 areas:
  a) Economic Development
  b) National Security
  c) Foreign Policy
- Identify what assets are strategically important according to APT collection requirements.
- Focus enterprise IT security resources on securing and monitoring these assets.

Slide 28/41: Cost-Benefit Chart

Slide 29/41: 50 Questions Every CFO Should Ask (2008)

"It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts."
Source: President's Cyber Space Policy Review, May 30, 2009, page 15

ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask, including what they ought to be asking their General Counsel and outside counsel. Also HR, Business Operations, Public and Investor Communications, and Compliance.

Slide 30/41: Financial Management of Cyber Risk (2010)

Slide 31/41: Growth Toward Enterprise-wide Cyber Risk Management

- In 2008 only 15% of companies had enterprise-wide risk management teams for privacy/cyber.
- In 2011 87% of companies had cross-organizational cyber/privacy teams.
- Major firms (E & Y) are now including ISA Financial Risk Management in their Enterprise Programs.
- Even govt. (e.g. DOE) has now adopted these principles for their sector risk management.

Slide 32/41: DOE Risk Management Framework

"Senior executives are responsible for how cyber security risk impacts the organization's mission and business functions. As part of governance, each organization establishes a risk executive function that develops an organization-wide strategy to address risks and set direction from the top. The risk executive is a functional role established within organizations to provide a more comprehensive, organization-wide approach."

Slide 33/41: ISA Social Contract

Slide 34/41: Broad Industry and Civil Liberties Support

Slide 35/41: Two Types of Attacks

- Basic attacks: the vast majority; can be very damaging; can be managed.
- Ultra-Sophisticated Attacks (e.g., APT): well-organized, well-funded, multiple methods, probably state-supported. They will get in.

Slide 36/41: Best Practices Do Work

- PWC/Gl Inform Study 2006: best practices 100%
- CIA 2007: 90% can be stopped
- Verizon 2008: 87% can be stopped
- NSA 2009: 80% can be prevented
- Secret Service/Verizon 2010: 94% can be stopped or mitigated by adopting inexpensive best practices and standards already existing

Slides 37/41 through 40/41: ISA-House Legislative Proposals

Slide 41/41

Larry Clinton, President & CEO
Internet Security Alliance, [email protected]
703-907-7028 / 202-236-0001
www.isalliance.org