Presentation of how to defend enterprise IT - how to get a realistic chance at beating the inherent assymetricality in this conflict.

2. World’s biggest Hack?
• They’ve lost...everything
• Was their security ”make believe”?
• Can they survive?

3. Defending enterprise IT
- Some best practices to mitigate
cyber attacks
Going Above
and Beyond Compliance
And staying away from Slide #1

4. About me
• Father of 3, happily married. I live in Luxembourg
• Head of IT for a Bank, and also independent IT/Infosec
consultant. Any opinions presented here are my own
and do not represent my employer.
• Contributor to @TheAnalogies project (making IT and
Infosec understandable to the masses)
• Member of the I am the Cavalry movement – trying to
make connected devices worthy of our trust
• @ClausHoumann
• Find my work on slideshare

5. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-content/
uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf

7. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-content/
uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying
to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist

8. Infosec Vendors

9. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-content/
uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying
to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
• It’s an assymetrical conflict

10. It’s an assymetrical conflict
X-wing

11. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-content/
uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying
to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
• It’s an assymetrical conflict
• A lot of companies fail to focus on the basics
• Train your people!

12. Train Harder
And smarter

13. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-content/
uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying
to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
• It’s an assymetrical conflict
• A lot of companies fail to focus on the basics
• Train your people!
• Do not rely on compliance for security

14. Compliance
• Is
• NOT
• Security
• Which any of you who ever attended a
Security conference will have already heard
• Compliance is preparing to fight yesteryears
war

15. Want to beat assymetricality?
Here’s how:
• A strategic approach to security leveraging
methods that work

16. Pyramids
- This one is Joshua Cormans.
Could be best definition of Defense-in-Depth
Counter-measures
Situational
Awareness
Operational Excellence
Defensible Infrastructure

17. The Foundation
Defensible Infrastructure
Software and Hardware built as
”secure by default” is ideal
here. Rugged DevOps.
Your choices of tech impacts
you ever after
You must assemble carefully,
like Lego
Without backdoors or Golden Keys!

18. Mastery
Master all aspects of your Development,
Operations and Outsourcing. Train like the
Ninjas!
DevOps (Rugged DevOps)
Change Management
Patch Management
Asset Management
Information classification & localization
Basically, all the cornerstones of ITIL
You name it. Master it.
Operational Excellence

19. Gain the ability to handle situations correctly – Floodlights ON
Are we affected by Poodle? Shellshock?
WinShock? Heartbleed? Should we patch now?
Next week? Are we under attack? Do we have
compromised endpoint? Are there anomalies
in our LAN traffic?
”People don’t write software anymore, they assemble it” Quote Joshua Corman.
-> Know which lego blocks you have in your infrastructure
-> Actionable threat intelligence
-> Automate as much as you can, example: IOC’s automatically fed from sources
into SIEM with alerting on matches
Situational
Awareness

20. Counter that which you profit from
countering
• Decrease attacker ROI below critical threshold
by applying countermeasures
• Most Security tools fall within this category
• Limit spending until you’re laid the
foundational levels of the pyramid
Counter-measures
Footnote: Cyber kill chain is patented by Lockheed Martin.

21. Mapping to other strategic approaches
Counter-measures
Situational
Awareness
Operational Excellence
Defensible Infrastructure
Nigel Wilson ->
@nigesecurityguy
Lockheed Martin patented

22. Defense-in-Depth

23. Defensible security posture via
@Nigethesecurityguy

24. Kill chain actions
Source: Nige the security guy =
Nigel Wilson

25. Defensive hot zones
• Basketball and
other sports
analysis ->
• – FIND the
HOT zones of
your
opponents.
• Defend there.

26. Hot zones!
• You need to secure:
– The (Mobile) user/
endpoints
– The networks
– Data in transit
– The Cloud
– Internal systems
Sample protections added only, not the
complete picture of course

27. Best Practices – High level
• Create awareness – Security awareness training
• Increase the security budget
– Justify investments BEFORE the breach.
– It’s easier when you’re actually being attacked. But
too late.
• Use the Cyber Kill Chain model or Nigel Wilsons
”Defensible Security Posture” to gain capability to
thwart attackers
• Training, skills and people!

28. Hot zone 1: Endpoints
A safe dreamworld PC
• Microsoft EMET 5.1
• No Java
• No Adobe Flash Player/Reader
• No AV (that one is for you @matalaz)
• Kill all executable files on the Proxy layer (.exe .msi
etc.)
• (Not even needed but works if something evades the
above):
– Adblocking extension in browser
– Invincea FreeSpace/Bromium
Vsentry/Malwarebytes/Crowdstrike Falcon

29. Hot zone 1:
A real world PC
• Microsoft EMET 5.1
• Java
• Adobe Flash Player/Reader
• AV
• Executable files kill you, so use:
– Adblocking extension in browser
– Invincea FreeSpace/Bromium
Vsentry/Malwarebytes/Crowdstrike Falcon
– Secure Web Gateway
– White listing, black listing
And then cross your fingers

30. Hot zone 1, more
• PC defense should include:
– Whitelisting
– Blacklisting
– Sandboxing
– Registry defenses
– Change roll-backs
– HIPS
– Domain policies
– Log collection and review
– MFA
– ACL’s/Firewall rules
– Heuristics detection/prevention
– DNS audit and protection

31. Hot zone 2:
The networks
• Baselining everything
• Spot anomalies
• Monitor, observe, record
• Advanced network level tools such as
Netwitness, FireEye, CounterAct
• Test your network resilience/security with fx
Ixia BreakingPoint
• Don’t forget the insider threat

32. Hot zone 3+4:
Data in Transit/Cloud
• Trust in encryption
• Great new mobile collaboration tools exist
• SaaS monitoring and DLP tools exist ->
”CloudWalls”
• Cloudcrypters
• And this for home study:
https://securosis.com/blog/security-best-practices-
for-amazon-web-services

33. Hot Zone 5

34. Best practices
• Use EMET
• Use advanced endpoint mitigation tools like
Bromium Vsentry, Invincea FreeSpace,
Malwarebytes, Crowdstrike Falcon
• Identify potential attackers and profile them

35. A safe(r) perimeter defense
• Avoid expense in depth
• Research and find the best counter measures
• Open Source tools can be awesome for
example Suricata
• Full packet capture and Deep packet
inspection/Proxies for visibility
• Watch and learn from attack patterns

36. Best practices - Mitigate risks
Source: Dave Sweigert

37. Automate Threat Intelligence IOC
• Use multiple IOC feeds
• Automate daily:
– IOC feed retrival,
– Insertion into SIEM,
– Correlation against all-time logfiles,
– Alerting on matches
• Example: Splunk Splice can do parts of this

38. Future threat trends
• 5G: The rise of the Android DDoS’er. 1 gbit/s
connections from phones easily hacked. Obvious
threat?
• IPv6 – network reconnainsance surprisingly easily
done: https://tools.ietf.org/html/draft-ietf-opsec-ipv6-
host-scanning-04. Damn, no security
through obscurity to get there
• Countering Nation State Actors becomes a MUST

39. And the unexpected extra win
• Real security will actually make you compliant
in many areas of compliance

40. Q & A
• Ask me question, or I’ll ask you questions

41. Sources used
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– Lockheed Martins ”Cyber Kill Chain”
– Joshua Corman and David Etue from RSAC 2014
”Not Go Quietly: Surprising Strategies and
Teammates to Adapt and Overcome”
– Lego