Fewer Breaches Instead of Bigger Data: Thwarting Attacks, Enabling the Fully Connected Business
John Pescatore, SANS, Director - Emerging Security Trends
Opening Stipulations
• It's Dangerous Out There
• Security Is Hard, Will Continue to Be Hard
• Business Goes On, With or Without Security
How To Tell When It Will Get Easier
1. When "software engineering" is no longer an oxymoron (software and SaaS come with warranties)
2. When users no longer fall for scams (Atlantic City and Las Vegas shut down)
Probability of Attack = 100%
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Breach Statistics
Source: Verizon Data Breach Investigations Report, 2013
Real World Risk Equation
Risk = Threat x Vulnerability + Action
• Avoid old vulnerabilities, shield new ones
  – People
  – Process
  – Technology
• Remove barriers
  – Automate the easy, because the next hard is just around the corner
• Simultaneous evolution and mutation
How to Prioritize Security Spending
• Advanced targeted attacks are happening now
• Focus on protecting the business first: effectively, efficiently and quickly
• Compliance must follow security
Is It Safe??
Do you know where you are starting from? OK, are you really sure?
  NO – Need to establish a baseline
  YES – We are secure and compliant
  YES – We are pretty squishy
  YES – We are on fire!
Can you do the necessary triage?
Compliant and Fairly Secure – Really
• Focus on getting faster
• What coming business/technology trend will cause breakage?
• Threat monitoring and preparedness
On Fire!
• Not unusual to find evidence of an active compromise
• Activate incident response
• Protect the crown jewels
• Shield, replace, enhance
• Forensics
Most Enterprises Are Squishy
• Controls may have been implemented but are not mature or repeatable
• Typical problem areas:
  – Lack of vulnerability/configuration management basics
  – No advanced threat visibility
  – No real application security
• Common barriers to progress:
  – Cloud/BYOD/compliance treated as more important than the basics
  – "The users will never..., management will never..."
Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Device Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Loss Prevention
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
Goals
• Overcome barriers for quick wins on the "easy" ones
• Reduce cost of operations for the easy ones
• Address the next level, repeat
© 2013 The SANS™ Institute – www.sans.org
Getting to Continuous Security Monitoring
Diagram: a cycle driven by Threats, Regulations, Requirements and OTT Dictates
• Policy → Assess Risk
• Baseline: Discovery/Inventory, Vulnerability Assessment/Pen Test, Security Configuration
• Shield (Mitigate): FW/IPS, Anti-malware, NAC
• Eliminate Root Cause: Patch Management, Config Management, Change Management, Software Vulnerability Test, Training, Network Architecture, Privilege Management
• Monitor/Report: SIEM, Security Analytics, Incident Response
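The "establish a baseline, then monitor for drift" loop above, together with the first three Critical Security Controls (authorized devices, authorized software, secure configurations), is small enough to demonstrate in code. The following is an added example, not code from the SANS slides: it parses a made-up discovery-scan format, diffs it against a constructed authorized baseline, and reports unknown devices, devices that have gone missing, unauthorized software and configuration drift. Every MAC address, hostname, package name and setting is invented for illustration.

```python
"""Baseline-versus-discovery drift check (added example, not the slides' own code).
All MACs, hostnames, software names and settings are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Device:
    host: str
    software: set
    config: dict


@dataclass
class Findings:
    unauthorized_devices: list = field(default_factory=list)   # CSC 1
    missing_devices: list = field(default_factory=list)        # CSC 1
    unauthorized_software: list = field(default_factory=list)  # CSC 2
    config_drift: list = field(default_factory=list)           # CSC 3

    def is_clean(self) -> bool:
        return not (self.unauthorized_devices or self.missing_devices
                    or self.unauthorized_software or self.config_drift)


# Constructed baseline: what is authorized, keyed by (made-up) MAC address.
BASELINE = {
    "00:11:22:33:44:01": Device("web-01", {"nginx", "openssh"},
                                {"ssh_root_login": "no", "telnet": "disabled"}),
    "00:11:22:33:44:02": Device("db-01", {"postgres", "openssh"},
                                {"ssh_root_login": "no", "telnet": "disabled"}),
    "00:11:22:33:44:03": Device("jump-01", {"openssh"},
                                {"ssh_root_login": "no", "telnet": "disabled"}),
}

# Constructed discovery output, one record per line, in a made-up scanner format:
#   <mac> <host> software=<a,b,...> cfg:<key>=<value> ...
DISCOVERY = """\
00:11:22:33:44:01 web-01 software=nginx,openssh cfg:ssh_root_login=no cfg:telnet=disabled
00:11:22:33:44:02 db-01 software=postgres,openssh,netcat cfg:ssh_root_login=yes cfg:telnet=disabled
00:11:22:33:44:99 unknown-laptop software=chrome cfg:ssh_root_login=yes cfg:telnet=enabled
"""


def parse_discovery(text: str) -> dict:
    """Parse scanner lines into {mac: Device}; malformed lines are skipped."""
    devices = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        mac, host = parts[0].lower(), parts[1]
        software, config = set(), {}
        for token in parts[2:]:
            if token.startswith("software="):
                software = {s for s in token[len("software="):].split(",") if s}
            elif token.startswith("cfg:") and "=" in token:
                key, value = token[len("cfg:"):].split("=", 1)
                config[key] = value
        devices[mac] = Device(host, software, config)
    return devices


def compare(baseline: dict, observed: dict) -> Findings:
    """Diff an observed inventory against the authorized baseline."""
    f = Findings()
    for mac, dev in observed.items():
        if mac not in baseline:
            f.unauthorized_devices.append((mac, dev.host))
            continue  # an unknown box is reported as a whole, not per setting
        expected = baseline[mac]
        for sw in sorted(dev.software - expected.software):
            f.unauthorized_software.append((expected.host, sw))
        for key, want in expected.config.items():
            got = dev.config.get(key)  # None when the scanner saw no such setting
            if got != want:
                f.config_drift.append((expected.host, key, want, got))
    for mac, dev in baseline.items():
        if mac not in observed:
            f.missing_devices.append((mac, dev.host))
    return f


def run_check(baseline=BASELINE, discovery=DISCOVERY) -> Findings:
    """One monitoring pass: parse the latest discovery and diff it against the baseline."""
    return compare(baseline, parse_discovery(discovery))


if __name__ == "__main__":
    findings = run_check()
    for name, items in vars(findings).items():
        for item in items:
            print(f"{name}: {item}")
```

Run on the constructed input it reports the unknown laptop, the jump host that no longer answers, the extra `netcat` on the database server, and root SSH login re-enabled on that same server. In a real deployment the discovery text would come from the inventory or configuration-management tool on a schedule, and each non-empty `Findings` would feed the Monitor/Report stage (SIEM, ticketing) rather than stdout; the point of the structure is that the baseline, not the scanner, defines what "authorized" means.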
Things to Remember
• Don't fight the next war with the previous battle's weapons
  – PCs weren't bigger dumb terminals; smartphones/tablets aren't small PCs
• Make advances and fortify
  – Whitelisting on servers
  – App stores/MDM on mobile devices
Resources
• SANS Reading Room: http://www.sans.org/reading_room/
• Blog: www.sans.org/security-trends/
• The Critical Security Controls: http://www.counciloncybersecurity.org/practice-areas/technology/
• Questions: [email protected], @John_Pescatore