Date post: | 18-Jul-2015 |
Category: |
Technology |
Upload: | claus-cramon-houmann |
View: | 509 times |
Download: | 1 times |
World’s biggest Hack?
• They’ve lost...everything
• Was their security ”make believe”?
• Can they survive?
Defending enterprise IT- Some best practices to mitigate
cyber attacks
Going Aboveand Beyond Compliance
And staying away from Slide #1
About me
• Father of 3, happily married. I live in Luxembourg
• Head of IT for a Bank, and also independent IT/Infosec consultant. Any opinions presented here are my own and do not represent my employer.
• Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses)
• Member of the I am the Cavalry movement – trying to make connected devices worthy of our trust
• @ClausHoumann
• Find my work on slideshare
Cyber Security:”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
Cyber Security:”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
Cyber Security:”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
• It’s an assymetrical conflict
Cyber Security:”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
• It’s an assymetrical conflict
• A lot of companies fail to focus on the basics
• Train your people!
Cyber Security:”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
• It’s an assymetrical conflict
• A lot of companies fail to focus on the basics
• Train your people!
• Do not rely on compliance for security
Compliance
• Is
• NOT
• Security
• Which any of you who ever attended a Security conference will have already heard
• Compliance is preparing to fight yesteryears war
Want to beat assymetricality?Here’s how:
• A strategic approach to security leveraging methods that work
Pyramids- This one is Joshua Cormans.
Could be best definition of Defense-in-Depth
Defensible Infrastructure
Operational Excellence
Situational Awareness
Counter-measures
The Foundation
Defensible Infrastructure
Software and Hardware built as ”secure by default” is ideal here. Rugged DevOps.
Your choices of tech impacts you ever after
You must assemble carefully, like Lego
Without backdoors or Golden Keys!
Mastery
Operational Excellence
Master all aspects of your Development, Operations and Outsourcing. Train like the Ninjas!
DevOps (Rugged DevOps)Change ManagementPatch ManagementAsset ManagementInformation classification & localizationBasically, all the cornerstones of ITILYou name it. Master it.
Gain the ability to handle situations correctly – Floodlights ON
Situational Awareness
”People don’t write software anymore, they assemble it” Quote Joshua Corman.-> Know which lego blocks you have in your infrastructure-> Actionable threat intelligence-> Automate as much as you can, example: IOC’s automatically fed from sources into SIEM with alerting on matches
Are we affected by Poodle? Shellshock? WinShock? Heartbleed? Should we patch now? Next week? Are we under attack? Do we have compromised endpoint? Are there anomalies in our LAN traffic?
Counter that which you profit from countering
• Decrease attacker ROI below critical threshold by applying countermeasures
• Most Security tools fall within this category
• Limit spending until you’re laid the foundational levels of the pyramid
Counter-measures
Footnote: Cyber kill chain is patented by Lockheed Martin.
Mapping to other strategic approaches
Defensible Infrastructure
Operational Excellence
Situational Awareness
Counter-measures
Lockheed Martin patented
Nigel Wilson -> @nigesecurityguy
Defensive hot zones
• Basketball and other sports analysis ->
• – FIND the HOT zones of your opponents.
• Defend there.
Hot zones!
• You need to secure:
– The (Mobile) user/endpoints
– The networks
– Data in transit
– The Cloud
– Internal systemsSample protections added only, not the complete picture of course
Best Practices – High level
• Create awareness – Security awareness training
• Increase the security budget
– Justify investments BEFORE the breach.
– It’s easier when you’re actually being attacked. But too late.
• Use the Cyber Kill Chain model or Nigel Wilsons ”Defensible Security Posture” to gain capability to thwart attackers
• Training, skills and people!
Hot zone 1: EndpointsA safe dreamworld PC
• Microsoft EMET 5.1• No Java• No Adobe Flash Player/Reader• No AV (that one is for you @matalaz)• Kill all executable files on the Proxy layer (.exe .msi
etc.)• (Not even needed but works if something evades the
above):– Adblocking extension in browser– Invincea FreeSpace/Bromium
Vsentry/Malwarebytes/Crowdstrike Falcon
Hot zone 1:A real world PC
• Microsoft EMET 5.1• Java• Adobe Flash Player/Reader• AV • Executable files kill you, so use:
– Adblocking extension in browser– Invincea FreeSpace/Bromium
Vsentry/Malwarebytes/Crowdstrike Falcon– Secure Web Gateway– White listing, black listing
And then cross your fingers
Hot zone 1, more
• PC defense should include:– Whitelisting– Blacklisting– Sandboxing– Registry defenses– Change roll-backs– HIPS– Domain policies– Log collection and review– MFA– ACL’s/Firewall rules– Heuristics detection/prevention– DNS audit and protection
Hot zone 2:The networks
• Baselining everything
• Spot anomalies
• Monitor, observe, record
• Advanced network level tools such as Netwitness, FireEye, CounterAct
• Test your network resilience/security with fx Ixia BreakingPoint
• Don’t forget the insider threat
Hot zone 3+4:Data in Transit/Cloud
• Trust in encryption
• Great new mobile collaboration tools exist
• SaaS monitoring and DLP tools exist -> ”CloudWalls”
• Cloudcrypters
• And this for home study: https://securosis.com/blog/security-best-practices-for-amazon-web-services
Best practices
• Use EMET
• Use advanced endpoint mitigation tools like Bromium Vsentry, Invincea FreeSpace, Malwarebytes, Crowdstrike Falcon
• Identify potential attackers and profile them
A safe(r) perimeter defense
• Avoid expense in depth
• Research and find the best counter measures
• Open Source tools can be awesome for example Suricata
• Full packet capture and Deep packet inspection/Proxies for visibility
• Watch and learn from attack patterns
Automate Threat Intelligence IOC
• Use multiple IOC feeds
• Automate daily:
– IOC feed retrival,
– Insertion into SIEM,
– Correlation against all-time logfiles,
– Alerting on matches
• Example: Splunk Splice can do parts of this
• 5G: The rise of the Android DDoS’er. 1 gbit/s connections from phones easily hacked. Obvious threat?
• IPv6 – network reconnainsance surprisingly easily done: https://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning-04. Damn, no security through obscurity to get there
• Countering Nation State Actors becomes a MUST
Future threat trends
And the unexpected extra win
• Real security will actually make you compliant in many areas of compliance
Sources used
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– Lockheed Martins ”Cyber Kill Chain”
– Joshua Corman and David Etue from RSAC 2014 ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome”
– Lego