7/31/2019 2011 11 16 Larry Clinton SC Magazine Keynote Presentation About APT Economic Misalignment and Regulation
1/41
Larry Clinton, President & CEO
Internet Security Alliance
[email protected]
703-907-7028 / 202-236-0001
www.isalliance.org
During the Last Minute
45 new viruses
200 new malicious web sites
180 personal identities stolen
5,000 new versions of malware created
2 million dollars lost
Presentation Outline
The evolved cyber threat
What drives the evolved cyber threat
Economics and cyber security
Ineffective corporate strategy
Ineffective Government Policy
Promising corporate approaches to the new threats
Promising Public Policy to deal with cyber security
Advanced Persistent Threat: What is it?
Well funded
Well organized: state supported
Highly sophisticated: NOT hackers
Thousands of custom versions of malware
Escalate sophistication to respond to defenses
Maintain their presence and call home
They target vulnerable people more than vulnerable systems
APT
"The most revealing difference is that when you combat the APT, your prevention efforts will eventually fail. APT successfully compromises any target it desires." (M-Trends Reports)
The APT: Average Persistent Threat
"The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event. APT is no longer just a threat to the public sector and the defense establishment; this year significant percentages of respondents across industries agreed that APT drives their organization's security spending."
PricewaterhouseCoopers Global Information Security Survey, September 2011
% Who Say APT Drives Their Spending
43% Consumer Products
45% Financial Services
49% Entertainment and Media
64% Industrial and Manufacturing sector
49% of Utilities
PWC 2011 Global Information Security Survey
Are We Thinking of APT All Wrong?
"Companies are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%)." PWC 2011
"Conventional information security defenses don't work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target's network while the target believes they have been eradicated." M-Trends Reports 2011
We Are Not Winning
"Only 16% of respondents say their organization's security policies address APT. In addition, more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat."
ISAlliance Mission Statement
ISA seeks to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.
The Cyber Security Economic Equation
Technological analysis tells us HOW cyber attacks occur. Economics tells us WHY they occur.
All the economic incentives favor the attackers.
Attacks are cheap, easy, profitable, and the chances of getting caught are small.
Defense is a generation behind the attacker, the perimeter to defend is endless, and ROI is hard to show.
Until we solve the cyber economics equation we will not have cyber security.
Technology or Economics?
"We find that misplaced incentives are as important as technical design: security failure is caused at least as often by bad incentives as by bad technological design."
Anderson and Moore, The Economics of Information Security
Misaligned Incentives
"Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly: people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code."
Anderson and Moore, Economics of Information Security
Efficiency and Security
The National Strategy to Secure Cyber Space (2002) held that business efficiency would drive cyber security investment.
The DHS Eco-system Paper (2011) holds the same view.
Business efficiency demands LESS secure systems (VOIP, international supply chains, Cloud).
Why China and the APT?
"Countries that grow by 8-13% can only do this by copying. Copying is easy at first (you copy simple factories), but to grow by more than 8% you need serious know-how. There are only 2 ways to get this: partnering and theft. China cannot afford NOT to grow 8% yearly. Partnering won't transfer enough know-how to sustain 8%+, so all that's left is theft, and almost all the theft is electronic." Scott Borg, US Cyber Consequences Unit
Gov and Industry Economics are Different
We must have public private partnership.
Gov and industry goals are aligned, not identical.
Lack of trust impedes partnership.
Economics are different for gov and industry.
Difficult issues with respect to risk management, information sharing, roles and responsibilities.
Administration Legislative Proposal
DHS defines covered critical infrastructure.
DHS sets regulations for the private sector via rulemaking establishing frameworks.
Private sector corps must submit plans to meet the regs.
DHS certifies evaluators, which companies must hire to review DHS-approved cyber plans.
Companies DHS decides are not meeting the regs must face public disclosure (name and shame).
Why It Won't Work
General plans don't tell us anything (but do increase cost and take away from real security).
Most successful attacks are difficult and expensive to find; often you don't know.
Disclosure requirements penalize good companies.
Name and shame provides incentives NOT to invest in the expensive tools we need, or even to look.
Name and shame incentivizes attacks.
Why It Won't Work
"As I study these pieces of legislation, the one thing that concerns me is the potential negative implications and unintended consequences of creating more security compliance requirements. Regulation and the consequent compliance requirements could boost costs and misallocate resources without necessarily increasing security due to placing too much emphasis on the wrong things." Mark Weatherford, now DHS Deputy Under Secretary for Cybersecurity
Why Admin Legislative Plan Won't Work
"It is critical that any legislation avoids diverting resources from accomplishing real security by driving it further down the chief security officer's (CSO's) stack of priorities."
Mark Weatherford, Government Technology magazine, July 28, 2011
ISA and APT
Roach Motel Model, 2008 (Jeff Brown, Raytheon, Chair)
Expanded APT Best Practices (Rick Howard, VeriSign; Tom Kelly, Boeing; and Jeff Brown, Raytheon; co-chairs)
Roach Motel: Bugs Get In, Not Out
No way to stop determined intruders.
Stop them from getting back out (with data) by disrupting the attackers' command and control path back out of our networks.
Identify web sites and IP addresses used to communicate with malicious code.
Cut down on the dwell time in the network.
Don't stop attacks; make them less useful.
New Model (Based on AV Model)
Focus is NOT on perimeter vulnerability.
Focus IS ON disseminating info on attacker C2 URLs and IP addresses and automatically blocking OUTBOUND TRAFFIC to them.
Threat Reporters (report malicious C2 channels)
National Center (clearing house)
Firewall Vendors (push info into the field of devices, as AV vendors do now)
APT Best Practices 1) Corp. Due Diligence
Physical separation between the corporate network, the secret sauce, any Merger & Acquisition (M&A) groups and any contract deals.
Enforce the "Need to Know" rule.
Encrypt everything in transit and at rest, e.g. smartphones.
Foreign travel: use throw-away laptops.
Label all documents and e-mail with the appropriate data classification.
Upgrade to the latest operating systems.
2) Preventing and Identifying Exploitation
Identify vulnerable software.
Prevent exploitation by enumerating applications with Microsoft EMET.
Train and maintain vigilance of employees regarding the sophistication of spoofed and technical social engineering attacks.
Apply email filters and translation tools for common attack file types like PDF and Office documents.
Install and test unknown URLs with client honeypots before delivering email and allowing users to visit them.
3) Outgoing Data and Exfiltration
Monitor all points of communication (DNS, HTTP, HTTPS) looking for anomalies.
Limit access to unknown communication types.
Utilize a proxy to enforce known communication and prevent all unknown communication types.
Monitor netflow data to track volume and destination.
Monitor free and paid services like webhosting.
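The Roach Motel model (stop intruders calling home or carrying data back out by blocking outbound traffic to shared C2 indicators) and the egress controls on this slide (proxy allowlist of known communication types, netflow volume and destination monitoring) come down to one triage routine over outbound flows. The Python below is an added illustration, not ISA's or the speakers' code; the indicator feed, flow records, protocol allowlist and volume threshold are all constructed placeholders.

```python
"""Egress triage in the 'Roach Motel' spirit: block outbound flows to known
C2 indicators, flag communication types the proxy does not recognise, and
flag hosts whose outbound volume stands out. Added example; every value
below is constructed, none is a real indicator."""
import ipaddress
from collections import defaultdict

# Constructed indicator feed, standing in for the clearing-house feed that
# threat reporters would populate and firewall vendors would push out.
C2_DOMAINS = {"c2.example.invalid", "update.example.invalid"}
C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 TEST-NET-3

# Communication types the proxy is allowed to pass; everything else is
# "unknown" and gets reviewed rather than silently permitted.
KNOWN_PROTOCOLS = {"dns", "http", "https"}

# Constructed outbound flow records: (source host, destination, protocol, bytes out)
FLOWS = [
    ("ws-17", "www.example.com", "https", 12_000),
    ("ws-17", "cdn.c2.example.invalid", "https", 900),        # subdomain of a C2 domain
    ("ws-22", "203.0.113.45", "tcp/4444", 5_000_000),         # C2 range, unknown protocol
    ("ws-22", "mail.example.com", "https", 30_000),
    ("ws-09", "files.example.org", "https", 450_000_000),     # unusually large transfer
]

def is_c2(destination):
    """True if destination is a listed domain (or any subdomain of one),
    or an IP literal inside a listed network."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:  # not an IP literal, so treat it as a hostname
        labels = destination.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in C2_DOMAINS for i in range(len(labels)))
    return any(addr in net for net in C2_NETWORKS)

def triage(flows, volume_threshold=100_000_000):
    """Return (blocked, unknown_protocol, high_volume_hosts).

    Blocked flows go to known C2 and are dropped outright; the other two
    lists are what an analyst reviews to find C2 the feed does not yet know."""
    blocked = [f for f in flows if is_c2(f[1])]
    unknown = [f for f in flows if f[2] not in KNOWN_PROTOCOLS]
    per_host = defaultdict(int)
    for src, _dst, _proto, nbytes in flows:
        per_host[src] += nbytes
    high_volume = sorted(h for h, total in per_host.items() if total > volume_threshold)
    return blocked, unknown, high_volume

if __name__ == "__main__":
    blocked, unknown, high_volume = triage(FLOWS)
    for f in blocked:
        print("BLOCK  ", f)
    for f in unknown:
        print("UNKNOWN", f)
    print("HIGH-VOLUME HOSTS:", high_volume)
```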
4) Understand Why You Are an APT Target
Collection Requirements typically focus on 3 areas:
a) Economic Development
b) National Security
c) Foreign Policy
Identify what assets are strategically important according to APT Collection Requirements.
Focus Enterprise IT Security resources on securing and monitoring these assets.
Cost-Benefit Chart
50 Questions Every CFO Should Ask (2008)
"It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." President's Cyber Space Policy Review, May 30, 2009, page 15
ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask, including what they ought to be asking their General Counsel and outside counsel. Also HR, Bus Ops, Public and Investor Communications, and Compliance.
Financial Management of Cyber Risk (2010)
Growth Toward Enterprise-wide Cyber Risk Management
In 2008 only 15% of companies had enterprise-wide risk management teams for privacy/cyber.
In 2011 87% of companies had cross-organizational cyber/privacy teams.
Major firms (E & Y) are now including ISA Financial Risk Management in their Enterprise Programs.
Even govt. (e.g. DOE) has now adopted these principles for their sector risk management.
DOE Risk Management Framework
"Senior executives are responsible for how cyber security risk impacts the organization's mission and business functions. As part of governance, each organization establishes a risk executive function that develops an organization-wide strategy to address risks and set direction from the top. The risk executive is a functional role established within organizations to provide a more comprehensive, organization-wide approach."
ISA Social Contract
Broad Industry and Civil Liberties Support
Two Types of Attacks
Basic attacks: vast majority; can be very damaging; can be managed.
Ultra-sophisticated attacks (e.g., APT): well-organized, well-funded, multiple methods, probably state-supported. They will get in.
Best Practices Do Work
PWC/Gl Inform Study 2006: best practices 100%
CIA 2007: 90% can be stopped
Verizon 2008: 87% can be stopped
NSA 2009: 80% can be prevented
Secret Service/Verizon 2010: 94% can be stopped or mitigated by adopting inexpensive best practices and standards already existing
ISA-House Legislative Proposals