In military doctrine from Sun Tzu to Clausewitz, defenders had the advantage over attackers. But in the cyberspace realm, we’ve lost our edge. What can we do? As security breaches proliferate, this question becomes critical. This webinar covers how organizations can prevent large-scale breaches to core IT environments, delay or confuse cyberattackers, and improve situational awareness and rapid response capabilities.
2. About Us
• We are a consulting firm dedicated to helping organizations plan, specify and develop security programs, policies and technology solutions.
• Clients
– Enterprise Security Teams
– Cloud service providers (CSPs)
– Other Audiences
• Areas of Expertise
– Cloud Security
– Identity and Privacy
– Endpoint Security
– Cyber Security
Copyright (c) 2015 Security Architects, LLC
4. Special Guests
• Doug Simmons (Security Architects): Prevention
• Fred Cohen (Fearless Security): Deception
• Chris Blask (Fearless Security, ICS ISAC): Situational awareness
Link to recorded webinar: http://security-architect.com/webinars
5. Problem Statement
Cyber-attackers have been successful. Organizations are being told they’re in a state of “continuous compromise” and that “prevention is futile.”
Does this have to become “the new normal” or should security architects buck the trend?
6. Metaphors for the Cybersecurity Problem
• Military: Advantage goes to the defense, if it’s in a fortified position
• NFL football: Advantage goes to the offense, because it knows what it is going to do
• Immunology: Advantage goes to the world of diseases, but can be mitigated by good personal and public health practices
7. Questions to Consider
• How can we raise overall assurance to minimize “statistical” likelihood of compromised users and devices?
• How can we prevent large-scale breaches from striking our core IT environments?
• How can we slow down attackers using innovative but practical techniques?
• How can we improve situational awareness and rapid response capabilities?
8. Raising Overall Assurance
• Table stakes
– Maintain some minimum security baseline (e.g. SANS Critical Controls)
• No brainer?
– Two factor authentication for general authentication, remote access and wherever risk-appropriate or convenient
9. Protecting the Core
• If it’s true that some level of “continuous compromise” is unavoidable, how do we cope?
Attack chain shown on the slide:
1. Intelligence gathering: trawl LinkedIn and social media to find key staff
2. Social engineering: send phishing messages to key staff
3. Compromise credentials: plant malware on devices, or capture data
4. Dump database: access database using super-user credentials
5. Exfiltrate data: via pwned PC or staging system
10. Protecting the Core
RECOMMENDED PREVENTION TECHNIQUES
• Privileged account management (PAM)
• Network segmentation, or zoning
• Data masking
• Database audit and protection (DAP)
• Server-based change monitoring
• Audience-supplied answer
OTHER IDEAS
• Risk disaggregation
• Risk transfer or avoidance
• Audience-supplied answers
11. Confusing and Delaying Attackers
“Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
– Sun Tzu
12. Deception Concepts
(Diagram: deception techniques applied to the human attacker and to the attacker’s program)
DECEPTION TECHNIQUE
• Induce false signal
• Suppress true signal
• Manipulate signal
INTENDED RESULT
• Human attacker: confused, misdirected; delayed; discouraged; detected / understood
• Program: misdirected; delayed; detected / understood
14. Confusing and Delaying Attackers
RECOMMENDED TECHNIQUES
• Information hiding
• Honey pots
• Use of non-standard ports or protocols
• Specialized response services
OTHER IDEAS
• Information substitution
• Audience-supplied answers
Source: Fred Cohen
15. How Can We Improve Situational Awareness and Response?
• Tactical
– Understanding inventory and identity
– Monitoring the IT environment
– Detecting yesterday’s (known) threats
• Strategic
– Correlating events with context to detect incidents, attacks or risk indicators
– Anticipating tomorrow’s threats and attacks
– Plugging into shared knowledge across the industry, leveraging the power of many
Source: https://km4meu.wordpress.com/2014/03/03/scaling-pacing-staging-and-patterning-navigating-fractal-change-through-space-and-time/
16. Situational Awareness: Industry Timeline
• 2014: The Year of the Pipes
– How do we automate sharing?
• 2015: The Year of Sources/Policies/Analytics
– Where from? Who to? How to?
• 2016: The Year of Intel Application
– Automation in defensive systems
Source: Chris Blask
18. Promoting Situational Awareness
RECOMMENDED FOR SITUATION AWARENESS
• Develop monitoring policies and technologies
• Consume STIX/TAXII feeds (share if appropriate)
• Integrate monitoring with local context: assets, identities, behaviors and transactions
• Integrate monitoring with global context: threat intelligence and knowledge
• Deploy security analytics
• Join your industry ISAC(s)
• Favor security solutions that support STIX/TAXII, usable integration points and taxonomies
OTHER IDEAS
• Emerging cyber-insurance ecosystem for actuarial learning and risk management
• Audience-supplied answers
19. Putting this All Together
• How can we raise overall assurance to minimize “statistical” likelihood of compromised users and devices? Metaphor: Immunological. Security posture: Preventive.
• How can we prevent large-scale breaches from striking our core IT environments? Metaphor: Military. Security posture: Preventive.
• How can we slow down attackers using innovative but practical techniques? Metaphor: NFL football. Security posture: Deterrence.
• How can we improve situational awareness and rapid response capabilities? Metaphor: NFL football. Security posture: Detective.
20. Final Thought from the Master
Security is a people challenge, as much as a technology challenge.
“The Way means inducing the people to have the same aims as the leadership, so that they will share death and share life, without fear of danger.”
• Security is about governance as well as technology
• Security is everyone’s business
• Security should be baked into products