Rajiv Shah - BAE Systems Australia - Industry Address

1 Copyright © 2016 BAE Systems. All Rights Reserved. BAE Systems is a trade mark of BAE Systems plc

|

Defending Nations from Cyber Attacks

ADM Cybersecurity summit

20 June 2016

BAE SYSTEMS PROPRIETARY



|



Agenda

Introductions1

The cyber threat2

What can we do about it?3

Bringing it together – roadmaps and challenges4

Conclusions5


|



• Dr Rajiv Shah – Director, Australia & New Zealand• Cyber, intelligence and security industry executive

• 20 years experience with BAE Systems Applied Intelligence

• Worked in UK, USA and Australia

• Relationships with commercial and government clients

Introduction


|



We are BAE Systems

“BAE Systems has been

helping nations,

governments, and

leading financial and

business organisations

counter cyber threats for

over forty years.”

It’s not just security, it’s defence


|



˃ Our cyber security division - applying intelligence to all forms of data

Applied Intelligence: A BAE Systems Company

KEVIN TAYLOR

MANAGING DIRECTOR

40+ OFFICES

GLOBALLY

4,500 +

EMPLOYEES

CORE HERITAGE

IN SECURE

GOVERNMENT

AND AGENCIES

CLOUD & DIGITALTHREAT &

COMMUNICATIONS INTELLIGENCE

FINANCIAL CRIMECYBER DEFENCE

Trusted suppliers and partners strengthen our solutions


|



Agenda

Introductions1

The cyber threat2



Conclusions5


|



Cyberspace: ‘an interactive domain made up of digital networks that is used to store, modify and communicate information. It includes the Internet, but also the other information systems that support our businesses, infrastructure and services’

Definition of Cyber Security

Information Security:‘the theory and practice of defending data or information (including systems for the processing and storage of these) against unauthorised or unintended access, destruction, disruption or tampering’

Cyber Security:‘preservation of confidentiality, integrity and availability of information in the Cyberspace’


|



The World is Changing

Advanced threats against governments, nations and businesses used to be purely physical

Battles would take place in the air, on land, or in the sea— the battlefield has now extended to cyberspace

Digital threats can now move beyond borders quickly and this interconnected world leaves organisations porous and vulnerable to threats

Governments and businesses have an urgent requirement to comply with increasing regulation, whilst transforming and meeting the customer’s needs


|



We all know about the external threat

69% of large organisations were attacked by an unauthorised

outsider in the last year (up from 55% a year ago).

Information Security Breaches Survey 2015

In November 2014 the Guardians of Peace wiped the IT infrastructure of Sony

Pictures and leaked embarrassing confidential information. Release of “The

Interview” was cancelled.

"Last year our cyber defences blocked around 400,000 advanced malicious cyber threats against the Government's secure

internet alone, so the threat is real."

Defence Secretary Philip Hammond, Conservative Party Conference 2013

In June 2010 the Stuxnet computer worm infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant, reportedly destroying roughly a fifth of Iran’s nuclear centrifuges by causing them to

spin out of control.


|



But don’t forget the Insider Threat!

75% of large organisations suffered staff-related security breaches in the last year

Extracts from Information Security Breaches Survey (ISBS) 2013

13% of large organisations had a security or data breach in the last year relating to social networking

sites

50% of the worst breaches in the year were caused by inadvertent human error.

57% of breaches in the last year were caused by staff breaking data protection regulations

65% of breaches involved unauthorised access to data by staff


|



THE TRADITIONAL RESPONSE TO THE CYBER THREAT…

…attempt to reduce “risky”

employee behaviour.

Build higher perimeters

and seek greater isolation

from the threat…

… add new protection at

the perimeter, and…


|



… but there are problems with this approach

• Perimeter is hard to define

• “Risky” activities can drive business

• Threat is not always external

• Enterprise perimeter hard to protect

Mobile SalesTeam

Cyber Threat

OutsourceSupplier

ChannelPartner

Customer


|



Agenda

Introductions1

The cyber threat2



Conclusions5


|



˃ Cyber attacks are increasingly sophisticated and prevalent

The growing problem

Deal with the huge volume of data flowing across their networks

Operationalise threat data quickly so they can spot and shut down attacks fast

Analyse Tactics, Training, Tools and Procedures to quickly adapt and get ahead of the threat

Step back and create situational awareness to see the bigger national and international picture

Nations are finding it increasingly difficult to:


|



BAE Systems approach for cyber defence˃ Cyber defence is organised into 4 areas…

Predict

DetectRespond

PreventUnderstand the

cyber risks

Protect information and IT

Monitor networks for attacks

Managing the consequences of

attacks

The threats an organisation faces should determine the tools, methods and systems used


|



Mid Space CyberNational level monitoring

A model for national cyber defense

Departm

ent

Netw

ork

Departm

ent

Netw

ork

Departm

ent

Netw

ork

Departm

ent

Netw

ork

“Bad guy”

Departm

ent

Netw

ork

Govt executive branchNational level policy and standard setting

SOCSectorCERT

SOCSector CERT

ASOCMOD CERT

ASOCSectorCERT

ASOCSector CERT

National CERTOrchestrating and sharing policy, threat intelligence and training across nation,


|



What is a Security Operations Centre

ProbesProbesConnectorsEvent

CorrelationRules Engine

Event Archive

Anti-Virus

Firewalls

Web Proxies

AD / DHCP / DNS

Host Agents

Network Probes

IPS

Threat Intel

Sensors

Centralised location(s) where key organisational IT assets are monitored and defended from cyber attacks


|



˃ Pros and cons

Traditional SOCs

• Capable of ingesting a wide range of data and offering real time detection

• Ideally utilized to address immediate security posture and support real time activity

• BUT

• Limited ability to apply sophisticated algorithms to identify longer term traits

• Poor understanding of high-risk behaviours

• So the sophisticated enemy has adapted and can go undetected


|



The Advanced Security Operations Centre

Videos/ASOC_long_FINAL 03.wmv

Videos/ASOC_long_FINAL 03.wmv


|



WHAT IS THREAT INTELLIGENCE

“Threat Intelligence is defined as the output of a process that combines threat data with additional context that is

relevant to your organisation.”


|



˃ We track of over 100 sophisticated attack groups

The evolving threat

Malware feeds

SOC Threat

Intelligence

Active & passive

tracking

Incident Response

Team

Social media &

hacker forums

Open Source &

security research

communities

Intelligence

exchange with

trusted partners

We are the greatest industrial contributor of Threat Intelligence to US Department of Defense and UK Gov-CERT

Example trends- Adverse publicity for China caused

some groups to disband but new groups have emerged and attacks are increasingly sophisticated and more targeted

- Multiple reports of reports of alleged Russian cyber-espionage emerged in 2014 but all groups are undeterred and still active


|



Organisations recognise the benefits threat intelligence (TI) can bring

Process is largely manualTechnology needed to automate and optimize

workflow to turn information into intelligence which powers defense

… but they struggle to adequately processand review TI with limited resources

MANAGING THREAT INTELLIGENCE ISN’T EASY

OUTINTHREAT

INFORMATIONDEFENSIVE POWERANALYZE ACTIONACQUIRE PROCESS STORE


|



Advanced threat analytics to discover the new threats

23

Collects full breadth of data

Maximum efficiency at point of investigation

Proven, behavioral analytics across full

context of data

Massively scalable, parallelized data

processing platform

1 Billion events 10 investigations


|



ADVANCED SOC – DETECTING NEW ATTACK METHODS

Example – Periodic Beaconing

• Purpose – Detection of structured malware beaconing to C2 infrastructure

• Scale – Every unique combination of IP Address / Hostname on the network

• Complexity – Autocorrelation function run over every IP / Hostname pair

• Performance – Addition of entity risk scoring to prioritise‘bad’ beaconing

1010

0101

Monitor

ProtectiveMonitoring

Advanced ThreatDetection

Analytics & RulesDevelopment


|



INSIDER THREATS REQUIRE A DIFFERENT APPROACH

Performance degradation

Policy violations

Escalated privileges

Attempted exfiltration

Suspect social network

1

2

3

4

5

Attack stage: Achieve effect

Attack technique: Exfiltration

Data source: Network data

Alert type: Suspicious social network

Analytic technique: Graph scoring

Analysis of email relationships between employees and external recipients establishes trusted social network

Suspicious webmail communication channel in receipt of an archive (.zip) document

Fuzzy matching entities highlights alternative, legitimate comms. channel


|



Incident Response highlights

Founding member and CESG certified

incident response provider.

We leverage our threat intelligence team to provide a real-time overview of the

latest threats.

Our experience is based on nearly a decade defending clients against

advanced cyber attacks.

We provide incident readiness and advanced training for organisations.

Experienced in handling cases from espionage to financial fraud.

We deliver global incident response to deal with the increasingly

international threats our clients face.

Incident management, digital forensics, malware reverse

engineering, network traffic analysis and SCADA expertise.

Our experts work with companies to ensure they can react rapidly to major

attacks.


|



MID-SPACE CONCEPT OF OPERATIONS

National Telecommunications Infrastructure

Existing tap points in CSP networks

Multi-mission / LI network probes

Comms. Intel Mission

• Signature-based / “IDS-like” alerting• Anti-virus / malware scanning• Blacklisting known bad domains / URLs• Statistical DDoS detection and mitigation• Metadata generation / content capture

Threat Intelligence

• Threat indicator management• Threat actor campaign tracking• National-level situational awareness

Mid-space Monitoring

• Mid-space “known-bad” alert triage• National scale DDoS monitoring• Attack proliferation monitoring• Mid-space tasking and management Alerts to subscribing

organisations

Qualified threat intelligence

SelectedContent

BulkMetadata

Verified Alerts

Departmental Perimeter


|



National Cyber Security Operations Centre

Providing advanced cross-organisation cyber security monitoring and detection of cyber campaigns against the State.

Creating and sharing situational awareness of cyber threats facing the State through the use of big data and analytics.

Orchestrating national cyber protection, and supporting recovery activities, for both government and critical organisations.

Strengthening the future of the State by developing local skills and experience in cyber security specialist subjects.

Co-operating with international law enforcement,cyber security partners and other nations’ cyber response teams.


|



Bringing the mission to life

National Cyber Security Operations

Centre (NCSOC)

Departm

ent

Netw

ork

Departm

ent

Netw

ork

Departm

ent

Netw

ork

Departm

ent

Netw

ork

Departm

ent

Netw

ork

“Bad guy”

ASOCDept.ASOC

ASOCDept.ASOC

CERTDept.CERT

ASOCDept.ASOC

ASOCDept.ASOC

(1) ASOC detects a phishing email, raises an alert and related

information sent to the NCSOC

(2) NCSOC reviews data, links it to other incidents in two other ASOC and issues alerts

(4) NCSOC extracts new intelligence on the

attacker’s malware and infrastructure. This is

exchanged with international partners as part of the global fight

against cyber-crime

(3) Response teams carry out recommended

actions and close the security Incidents


|



Agenda

Introductions1

The cyber threat2



Conclusions5


|



A roadmap for building National Cyber Defence

Year 3

Year 1Q1 Q2 Q3 Q4

Year 2Q5 Q6 Q7 Q8

Year 3Q9 Q10

Phase 1Prepare and enhance

Phase 2Build and transition

Phase 3Optimise and improve

Businessas usual

So

ph

isti

ca

ted

A

tta

ck

Pro

tecti

on

Fa

ste

r re

me

dia

tio

n

& r

esp

on

se

Th

rea

t In

tell

ige

nce

Policy &Processes

DisasterRecovery

Capacity & Capability Building

Support & Maintenance

Infrastructure

Build

Vulnerability

Assessment Rollout

Initial Mid-Space

Capability

Pen-testing

Equipment

In-house Threat

Intelligence

Management

BAE Systems

Incident Response

Service Go-live

In-house

Incident

Response

BAE Systems AI

Threat Intel

Service Go-live

Threat

Intelligence

SharingASOC Target

Operating Model

Policy

Audit

ASOC Policy

Rollout

Business

Continuity

Training

development

Training Range

Operational

Pen- testers

Ready

Incident

Responders+

ASOC

Support

Integrated

National cyber

defences

Threat

Intelligence

platform

Security Assessment

Capability

National cyber

awareness

programme

In-house

Development

Programme

Develop DR

strategy


|



Case study 1: Delivering national cyber defence

The cyber challenges:

1. Cyber crime and terrorism

2. Cross-border cyber threats

3. Managing cyber crises

4. Collation, analysis and sharing of cyber threat intelligence

5. National cyber security

6. Capability and capacitydevelopment


|



Case Study 2: Improving the SOC…

C Y B E R A T T A C K

Multiple systems

providing multiple

defensive layers

Open architecture with

best in class

technology

Continuous learning to

create world-class cyber

security practitioners

Efficient integrated

processes – Target

Operating Model


|



Case study 3: National Cyber training programmeEthical hacking

Web app hacking

Wireless security

Implementing ISO27001

Awareness: end user

Awareness: senior

Cyber behavioural

analysis

Monitoring system design &

build

Penetration testing

Cyber data science

SOC operations

Forensic investigation

Malware investigation

Computer security incident

investigation

Security architecture

Secure coding

ICS/SCADA security

Cyber threat intelligence

Cyber strategy and governance

Cyber Fundamentals

Implementing PCI-DSS

Cyber wargaming

SOC incident response

Information assurance and accreditation

Mobile device security

Cloud security

Malware reverse engineering

Cryptosystems

Highly classified networks

Specialist forensics


|



Agenda

Introductions1

The cyber threat2



Conclusions5


|



Why we are different

We are a security innovator

We take a consulting approach

We are a systems integrator

We build sovereign capability

We think local and act global

Researching threats and building world class tools

To understand customers problems and build effective solutions

Building and delivering successful large scale programmes

Using locally security cleared companies and staff and building links with universities

Culture, language and local knowledge are key to success

Questions


|

Conclusions

• Threats are growing – and will continue

• Effective national cyber defencerequires a layered approach

• Key success factors will be:• Threat intelligence

• Advanced analytics

• Collaboration and skills development


|

BAE Systems14 Childers StCanberraACT 2601Australia

T: +61 (0)2 6245 [email protected]

Unpublished Work Copyright © 2016 BAE Systems. All Rights Reserved.

BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc.

The information in this document contains proprietary information of BAE Systems. Neither this document nor any of the proprietary information contained therein shall be (in whole or in part) published, reproduced, disclosed, adapted, displayed, used or otherwise made available or accessible (in each case, in any form or by any means) outside of BAE Systems without the express written consent from the document originator or an approved representative of BAE Systems.



Date post:	14-Feb-2017
Category:	Internet
Upload:	informa-australia
View:	488 times
Download:	0 times