Reorganizing Federal IT to Address Today’s Threats
New reports show U.S. government servers are faced with 1.8 billion cyber attacks every month. View this technical presentation on ‘Reorganizing Federal IT to Address Today’s Threats’ by Richard Stiennon, analyst with IT Harvest and author of Surviving Cyber War, and Paul Zimski, VP of Solution Strategy with Lumension, as they examine:

*Today’s threats targeting government IT systems
*How federal IT departments can be reorganized to improve security and operations
*What key endpoint security capabilities should be implemented

Get expert insight and recommendations on improving your approach to securing IT systems from today’s sophisticated threats.

Published in: Technology
  • © Copyright 2008 - Lumension Security
  • Defense in Depth Strategy: address the core IT risk with Patch & Configuration Management; stop unwanted / untrusted change with Application Control; protect against insider risk with Device Control; deploy a broad defensive perimeter with AntiVirus; reduce endpoint complexity with an Endpoint Management and Security Suite.
  • On top of defense-in-depth, it is time to shift from a threat-centric approach to one based on trust.
  • Application control or whitelisting provides a new layer in the foundation for endpoint protection. Whitelisting is about identifying the known good and, by default, not letting anything other than what is on the whitelist execute. Simply put, any executable – whether a business application, a video driver, or a web browser plug-in – not specified on the whitelist cannot load and run. It is the most effective security layer because it prevents execution at the kernel level.
  • Trust Engine. Challenge: organizations need an automated method to determine whether or not to allow changes to the code running on their network assets, particularly the endpoints, in order to make the promise of application whitelisting operationally feasible. Without this, changes to the whitelist would have to be made manually and often without any basis. The challenge is to implement a process by which changes can be automatically vetted and installed on network assets. Feature: LEMSS:AC allows any number of trust policies to be created and implemented, which automates the process of assessing the security and desirability of changes to programs running on network assets; these trust mechanisms allow automated or user-driven changes to the “known good” whitelist required in dynamic environments such as desktops and laptops without completely surrendering control over those changes. The trust mechanisms are Trusted Publisher, Trusted Updater, Trusted Path, and Local Authorization. Benefit: this lets the organization obtain the higher level of security against malware and other undesirable programs that a whitelisting / “default deny” approach provides, without the additional administrative burden sometimes associated with it.
    Some specific examples of how the Trust Engine might help operationalize whitelisting in a real IT network with dynamic environments such as desktops or laptops:
    Trusted Publisher (i.e., from a known good vendor with a signed certificate): the organization may have whitelisted a specific Microsoft Operating System (OS) and applications (e.g., Word, Excel and PowerPoint) but finds that some users want to add certain OS capabilities (such as additional drivers) or applications (such as Visio) from Microsoft; by implementing a policy that permits changes to the whitelist when those changes are accompanied by a valid, signed certificate from Microsoft, these changes can be made “on the fly” by the end user without additional work for the system administrators.
    Trusted Updater (i.e., from a known good process that updates existing software): the organization may be using an automated patching solution (such as Lumension Patch and Remediation) or have certain continuously updated programs (such as WebEx) on its whitelist. Here again, by implementing a policy that permits changes to the whitelist when those changes are made by these specific programs, the changes can be made automatically without adding to the administrative burden.
    Trusted Path (i.e., from a known good location, generally inside the network): it is not uncommon for IT administrators to create a library of known good applications that is used when installing or updating an endpoint; organizations might want to restrict all endpoint changes to only those that come from this “source repository.” By creating and using a trusted path policy (and carefully controlling access to this “source repository”), the whitelist can be updated as changes are made in the library of known good applications.
    Local Authorization (i.e., allow specific users to self-authorize applications): in some cases an organization might allow specific users to augment the whitelist of known good applications on their own say-so, be they administrators or even end users; for instance, perhaps a “well known” salesperson is on a customer call and needs to update her machine so her presentation works on the customer’s equipment. This trust mechanism provides a way to permit these ad hoc changes while providing the traceability and control needed to ensure that, should they prove unwise, they can be reversed.
  • Reorganizing Federal IT to Address Today's Threats

    1. Reorganizing Federal IT to Address Today’s Threats
    2. Today’s Speakers: Paul Zimski, VP of Solution Strategy, Lumension; Richard Stiennon, Analyst and Author, IT Harvest
    3. Today’s Agenda: Today’s Threats Targeting Government Systems; How to Reorganize Federal IT; Examining Key Security Strategies; Q&A
    4. New Threats to Federal IT Systems
    5. Dark and Stormy forecast for Federal networks
       • In March 2011 24,000 documents exfiltrated from Pentagon contractor
       • Elaborate attack against RSA results in loss of millions of secret seeds for tokens
       • Ensuing attacks against Lockheed Martin, Grumman and L3
       • IMF losses
       • Hacker attacks against Senate.gov, CIA.gov
    6. Something needs to change
       • Threat is there, now what do we do?
    7. How to Reorganize Federal IT
    8. Advocate bottom-up rather than top-down change
       • Pentagon’s just published Strategy for Operating in Cyberspace is yet another example of top down strategy documents.
       • Expect similar results to the Comprehensive National Cybersecurity Initiative, Presidential Directives, and Cyberspace Policy Review.
    9. Pentagon Strategy for Operating in Cyberspace, 15 July 2011
       • Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential.
       • Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems.
       • Strategic Initiative 3: Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy.
       • Strategic Initiative 4: Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity.
       • Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.
    10. Organizing for cyber defense
       • There is no strategy without responsibility
       • Create a separate unit to address targeted attacks
    11. Introducing the cyber defense team: Cyber Commander, Analysts, Operations, Red Team
    12. Cyber Commander
       • Assigns and directs roles
       • Makes sure the correct tools and defenses are deployed
       • Puts in place controls and audit processes
       • Reports to upper management on the results of those processes and audits
       • Primary point of contact for communicating to law enforcement and intelligence agencies
    13. Analysts
       • Cyber defense analysts study the threat landscape and gather intelligence on emerging threats.
       • Understanding the state of the art in attack methodologies.
       • Getting to know potential attackers and monitoring their activity.
       • Monitoring known attack sources.
       • Communicating the threat level to the rest of the cyber defense team.
       • Assisting in evaluating technology for internal deployment.
    14. Operations
       • Selecting and deploying tools
       • Discovering internal infections
       • Monitoring insider behavior
    15. Red Team
       • Attack and penetration
       • Internal audit
       • Operates outside the realm of operational vulnerability assessment. They thrive on social engineering.
    16. Next steps
       • Repeat cyber command structure in every agency / department
       • Create overarching cyber command
    17. Elements of a defensive strategy
       • Harden networks and end points against targeted attacks:
       • Complete packet inspection inbound and outbound
       • Whitelisting on servers, desktops, and embedded systems
       • Platform diversity (Do not, for instance, run Windows on control systems)
       • User behavior monitoring
    18. The attackers have changed their tools, targets, and goals. The defenders must change too.
    19. Richard Stiennon, Chief Research Analyst, IT-Harvest, [email_address], Blog: Forbes Cyber Domain, twitter.com/stiennon
    20. Examining Key Security Approaches
    21. Three Defensive Strategies
       • Implement Defense-in-Depth Endpoint Security
       • Shift from Threat-Centric to Trust-Based Security
       • Build a bottom up approach with operational excellence focused on “the basics”
    22. Strategy 1: Defense-in-Depth (diagram labels: Traditional Endpoint Security, Blacklisting As The Core, Defense-N-Depth, Zero Day, 3rd Party Application Risk, Malware As a Service, Volume of Malware, Patch & Configuration Mgmt.)
    23. Strategy 2: Trust-Based Security
    24. What is Application Whitelisting? (diagram)
       • Applications, Authorized: Operating Systems, Business Software
       • Applications, Unauthorized: Games, iTunes, Shareware, Unlicensed S/W
       • Malware, Known: Viruses, Worms, Trojans
       • Malware, Unknown: Viruses, Worms, Trojans, Keyloggers, Spyware
       • Un-Trusted (diagram label)
    25. Flexible Trust
       • Trusted Publisher: authorizes applications based on the vendor that “published” them, through the digital signing certificate.
       • Trusted Updater: authorizes select systems management solutions to “update” software, patches and custom remediations, while automatically adding them to the whitelist.
       • Trusted Path: authorizes applications to run based on their location.
       • Local Authorization: allows end-users to locally authorize applications that have not been otherwise trusted by the whitelist or any other trust rules.
    26. Strategy 3: Operational Excellence – “The Basics” (Source: Aberdeen Group, Managing Vulnerabilities and Threats (No, Anti-Virus is Not Enough), December 2010)
       • Assess: identify all IT assets (including platforms, operating systems, applications, network services); monitor external sources for vulnerabilities, threats and intelligence regarding remediation; scan all IT assets on a regular schedule for vulnerabilities, patches and configurations
       • Prioritize: maintain an inventory of IT assets; maintain a database of remediation intelligence; prioritize the order of remediation as a function of risk, compliance, audit and business value
       • Remediate: model / stage / test remediation before deployment; deploy remediation (automated, or manually); train administrators and end-users in vulnerability management best practices
       • Repeat: scan to verify success of previous remediation; report for audit and compliance; continue to assess, prioritize and remediate
    27. Stop Unwanted Applications
       • Immediate and simple risk mitigation
       • Denied Application Policy prevents unwanted applications even if they are already installed
       • Easily remove unwanted applications
    28. Reducing Local Administrator Risk
       • Limit Local Admin Usage
       • Monitor and Control existing Local Admins
    29. Q&A
    30. Next Steps
       • Resource Center: Putting Cyber Security Plans into Action
         http://www.lumension.com/Resources/Resource-Center/Putting-Cybersecurity-Plans-into-Action.aspx
       • Free Security Tools
         http://www.lumension.com/Resources/Premium-Security-Tools.aspx
       • Whitepapers
         • Infosecurity for Government Agencies: Checks, Balances & a More Secure Endpoint
           http://www.lumension.com/Resources/WhitePapers/Information-Security-for-Government-Agencies-Checks-Balances-and-a-More-Secure-Endpoint.aspx
         • Intelligent Whitelisting: An Introduction to More Effective and Efficient Security
           http://www.lumension.com/Resources/Whitepapers/Intelligent-Whitelisting-An-Introduction-to-More-Effective-and-Efficient-Endpoint-Security.aspx
    31. Global Headquarters, 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255, 1.888.725.7828, [email_address]
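As an added example (not the deck's or Lumension's code), the following Python sketch models the default-deny decision order that the Flexible Trust slide and the Trust Engine notes describe, plus the Denied Application Policy of slide 27: a request is blocked if its hash is on the denied list, allowed if already whitelisted, otherwise tested against the four trust rules in turn, and denied by default. All publisher names, process names, paths and hashes are constructed placeholders, and `revoke` is a hypothetical helper standing in for the reversibility the Local Authorization note calls for.

```python
from dataclasses import dataclass, field

@dataclass
class ExecRequest:
    path: str        # where the file lives on the endpoint
    sha256: str      # the whitelist keys on file hashes (constructed values below)
    publisher: str   # subject of a valid code-signing certificate, "" if unsigned
    parent: str      # process that launched or installed the file
    user: str        # interactive user asking to run it

@dataclass
class TrustPolicy:
    whitelist: set = field(default_factory=set)    # the "known good" hashes
    denied: set = field(default_factory=set)       # Denied Application Policy: blocked even if installed
    trusted_publishers: set = field(default_factory=set)
    trusted_updaters: set = field(default_factory=set)
    trusted_paths: tuple = ()                      # the controlled "source repository"
    local_authorizers: set = field(default_factory=set)
    audit: list = field(default_factory=list)      # traceability for ad hoc user authorizations

def decide(policy, req, user_authorized=False):
    if req.sha256 in policy.denied:                # a denial beats every trust rule
        return False, "denied-application-policy"
    if req.sha256 in policy.whitelist:
        return True, "whitelisted"
    if req.publisher in policy.trusted_publishers:
        rule = "trusted-publisher"
    elif req.parent in policy.trusted_updaters:
        rule = "trusted-updater"
    elif any(req.path.lower().startswith(p.lower()) for p in policy.trusted_paths):
        rule = "trusted-path"
    elif user_authorized and req.user in policy.local_authorizers:
        rule = "local-authorization"
        policy.audit.append((req.user, req.sha256, req.path))
    else:
        return False, "default-deny"               # nothing matched: default deny
    policy.whitelist.add(req.sha256)               # a matched trust rule extends the whitelist
    return True, rule

def revoke(policy, sha256):                        # reverse an authorization that proved unwise
    policy.whitelist.discard(sha256)
    policy.denied.add(sha256)

def demo():
    policy = TrustPolicy(denied={"h-game"}, trusted_publishers={"Microsoft Corporation"}, local_authorizers={"sales01"},
                         trusted_updaters={"patchagent.exe"}, trusted_paths=("\\\\fileserver\\approved\\",))
    reqs = [  # constructed requests, one per decision path
        ExecRequest("C:\\Office\\visio.exe", "h-visio", "Microsoft Corporation", "msiexec.exe", "sales01"),
        ExecRequest("C:\\WebEx\\atmgr.exe", "h-webex", "", "patchagent.exe", "sales01"),
        ExecRequest("\\\\fileserver\\approved\\7zip.exe", "h-7zip", "", "explorer.exe", "sales01"),
        ExecRequest("C:\\Users\\sales01\\demo.exe", "h-demo", "", "explorer.exe", "sales01"),
        ExecRequest("C:\\Games\\solitaire.exe", "h-game", "Microsoft Corporation", "explorer.exe", "sales01"),
    ]
    results = [decide(policy, r, user_authorized=(r.sha256 == "h-demo")) for r in reqs]
    return results, policy.audit
```

Note that the denied game is signed by a trusted publisher and is still blocked, which is the precedence a Denied Application Policy needs; the prefix match on `trusted_paths` is a toy and a production agent would canonicalize paths first.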