Rebooting the Enterprise Security Program for Defensibility - ISSA International 2013

These are the talk slides from ISSA International - discussing the need to reboot Enterprise Security to facilitate better defensibility, more intelligent security, and better operational capabilities.

Published in: Technology, Business
Notes for slides:
  • A debit card processing company was breached in India. To breach these companies, it is likely that profiles were developed on key employees. There are experts who build profiles: I want to attack company X. I find out who the top execs are. I might go on LinkedIn. I look at their Facebook posts. I know his friends, places he’s been, restaurants he checks into. I find out what he likes to do. It makes the victim easy to attack because the profiler knows things about him or her that not many people should know. If you are an expert profiler, you can build these profiles and sell them on the black market, i.e., the internet, to the highest bidder. I have 10 profiles from company X. Who wants them? Hackers buy these profiles because it is more efficient than doing the profiling themselves. It takes way less time to buy them than to build them myself. These hackers then breached the company. They might have used a phishing attack and installed malware to break into the network and use the employee’s credentials. They may build their own toolkits, or go online and rent botnet networks for $18/day, or buy a Zeus kit for $7K or so. They only had to be right once. It is likely that after these companies were breached, these hackers raised their hand and sold these breach points to the highest bidder. I have 50 access points. Who wants to buy that? After the breach, we don’t know how long the adversary was there. It could have been months… years? Then the person who’s really good at using those access points, figuring out where your sensitive data is, mapping your environment and figuring out your configurations, creates this map. They raise their hand, put it on the Internet and sell it to the next person. Eventually the criminals were able to access some critical databases and change the account profile, including withdrawal limits and account codes.
This information was taken out of the company and provided to their colleagues or sold to a third party. From there the cards were made and the teams hit the streets to withdraw cash from the ATMs. This information is monetized and feeds this entire ecosystem. Are there vertically integrated bad guys? Yes: nation states, large criminal organizations. But if someone is more efficient and more effective at doing one of those stages, why wouldn’t you just buy it? When talking about cyber security, we focus too much on the specific actors, whether state-sponsored, a “hacktivist” or a cyber criminal. We need to focus on the full marketplace in which these actors participate. The market organizes these actors around the market processes for breach, enabling disparate parties to collaborate. As actors specialize in this marketplace – in order to make more money – innovation is extraordinary. This criminal ecosystem is much more efficient at creating, sharing and acting on security intelligence than the ecosystem that exists to defend our customers. The standardization of security policies has done a great deal to raise the bar for our industry. But it will continue to fail to make us secure because it lacks the focus on the adversary. No framework discussed in committee will be able to evolve as fast as a marketplace. We need to build our response in a way that disrupts the adversary at every step of their process.
  • For us, we need to define a new defense in depth: build our capabilities at each stage of their value chain. Obviously we already do some of these things. We teach people how to be less vulnerable: how to go on the internet without clicking on the links that will download the latest virus to your laptop. You are only as secure as the behavior of your employees, and we need to do more work here. We spend money building capabilities trying to keep the adversary out of the organization. We may stop 10,000 attacks, but they only have to be right one time, and they are extremely good at evading us.
  • We need to look at solutions that help us determine that something is afoot. In building out the capabilities for disrupting the discovery and capture stages, big data and the ability to process large data sets in real time and at scale is powerful. We need to look at the data you have in your organization to find something that is unusual. If a verified employee, i.e., the individual whose profile was hacked, starts doing something uncharacteristic like accessing file shares they haven’t accessed before or changing database records, you should know about it. If data flows don’t match predicted processes, alerts should be set off. Now, what these criminals are looking for is your critical data: IP, customer information, etc. What are you doing to protect your critical data? Is it encrypted? You should know when it is being moved, accessed inappropriately, or sent outside the organization in an email, a post on a Facebook account, or stored on cloud storage. The increase in the types of information that can be correlated from all over the enterprise and from data outside the enterprise is phenomenal. Organizations are monitoring the cyber black markets for your enterprise’s sensitive data and including data from cloud infrastructures in your security operations environment. We are working with companies to combine employee sentiment with abnormal access behavior to find malicious insiders. Finally, the adversary will beat us at some point. What capabilities do we have for responding after they have won?
  • How the SPR framework looks at your organization, to analyze and devise a forward-moving plan for measurable improvement.
  • Transcript of "Rebooting the Enterprise Security Program for Defensibility - ISSA International 2013"

    1. Inconceivable! Rebooting the Enterprise Security Program for Defensibility. Rafal M. Los – Principal, Strategic Security Services. ISSA International 2013. © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com
    2. . whoami: Rafal Los, Principal, Strategic Security Services, HP Enterprise Security Services. Advisory group delivering on strategy, operationalization, and tactical response. Detect, Respond, Resolve in a meaningful way. Rafal@HP.com, +1 (404) 606-6056. Rafal Los, Principal, Strategic Security Services, with HP Enterprise Security Services, brings a pragmatic approach to enterprise security. Combining nearly 15 years of technical, consulting and management skills in Information Security, Rafal draws on his extensive experience to help organizations build intelligent, defensible and operationally efficient security programs. He is an advocate for focus on sound security fundamentals and for the principles of "right defenses, right place, right reason". He is also a contributor to open standards and organizations, volunteering his time to groups such as OWASP and the Cloud Security Alliance. His blog, Following the White Rabbit, is his unique perspective on the various aspects of enterprise security, emerging technologies, and current events and can be found at http://hp.com/go/white-rabbit. Prior to joining HP, Los defined what became the software security program and served as a regional security lead at a Global Fortune 100, contributing to the global organization's security and risk management strategy internally and externally. Rafal prides himself on being able to add a 'tint of corporate realism' to information security. Rafal received his B.S. in Computer Information Systems from Concordia University, River Forest, Ill.
    3. Security. Risk. Defensibility.
    4. To quote Inigo Montoya: “You keep using that word, I do not think it means what you think it means.”
    5. Security of yesterday
    6. Security of today
    7. your current security is the equivalent of the Maginot Line
    8. (image-only slide)
    9. your enemy will attack where you are weak
    10. meanwhile …
    11. security must enable the enterprise
    12. security must maximize enterprise resources
    13. security must adjust to adversaries
    14. HOW?!
    15. let’s start with adjusting goals
    16. we know secure is a myth
    17. (image-only slide)
    18. so what is more realistic?
    19. Detect the incident. Respond to the threat. Resolve the issue.
    20. disrupt the attack(ers)
    21. The adversary attack ecosystem: Research, Infiltration, Discovery, Capture, Exfiltration, spanning their ecosystem and our enterprise.
    22. Disrupting the adversary (progressive build, 1 of 5): Research is countered by educating users and counter-intelligence.
    23. Disrupting the adversary (2 of 5): adds Infiltration, countered by blocking access.
    24. Disrupting the adversary (3 of 5): adds Discovery, countered by identifying attacks.
    25. Disrupting the adversary (4 of 5): adds Capture, countered by protecting the target asset.
    26. Disrupting the adversary (5 of 5), the full mapping of attack stage to countermeasure: Research – educating users, counter-intelligence; Infiltration – blocking access; Discovery – identifying attacks; Capture – protecting the target asset; Exfiltration – planning damage mitigation.
    27. I know what you’re thinking!
    28. “Oh, great, more products?”
    29. maybe?
    30. Products (alone) don’t solve this: security products don’t get fully implemented; processes and operational capabilities need to be developed; resources are primarily spent on prevent; need to detect, respond, resolve.
    31. How well do you do BASICS?
    32. assets in your environment
    33. changes to your environment
    34. situational awareness and context
    35. let’s do “security intelligence”
    36. Structured + unstructured data sets → raw data → refined, analyzed data → intelligence.
    37. Your logs are raw data
    38. data analysis means…
    39. finding this:
    40. in this:
    41. NON-TRIVIAL ACTIVITY
    42. so now what?
    43. now you make decisions
    44. in ‘real time’
    45. Developing a scoring methodology (one way). Tiered scoring process: (1) applicability; (2) potential impact; (3) Threat Index (1~5), a human-based analysis of the threat: Severity 1 – Severe; Severity 2 – Urgent; Severity 3 – Important; Severity 4 – Low; Severity 5 – Inconsequential.
    46. The SPR Framework (Measure & Improve cycle, developed by Rafal Los). Part 1, Baseline: assessment of business ‘criticals’; define ‘what’, ‘why’, ‘from whom’ for defensibility. Part 2, Triage: mitigate immediate deficiencies; identify and triage active threats. Part 3, Strategy: define strategic ‘how’; align to organizational goals, needs, resources. Part 4, Tactics: define tactical feedback; strengthen tactical response.
    47. Measurably improving enterprise security, a 12-month plan to get you there: understand your current operational state; develop a goal-oriented strategy; implement strategy and measure effectiveness; improve ability to detect, respond, resolve.
    48. Thank you
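The speaker notes argue that detection means spotting a verified user doing something uncharacteristic: reading file shares they never touched before, changing database records outside their pattern, or moving data in volumes that do not match the normal flow. The check below is an added example of that baseline-versus-observed logic, not the author's code; the log format, the user `jdoe`, the resource names and the 5x volume threshold are all constructed for the demo.

```python
"""Baseline-vs-observed access check for 'uncharacteristic behaviour': first-time
file-share access, unexpected database changes, and read volumes far above the
user's normal daily pattern. Added example; log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: timestamp|user|action|target|bytes
SAMPLE_LOG = """\
2013-10-01T09:02:11|jdoe|share_read|finance-share|120000
2013-10-01T09:40:03|jdoe|share_read|finance-share|80000
2013-10-02T10:12:45|jdoe|db_update|accounts.profile|0
2013-10-02T11:05:00|jdoe|share_read|finance-share|95000
2013-10-03T14:22:10|jdoe|share_read|finance-share|110000
2013-10-08T02:14:33|jdoe|share_read|engineering-share|9000000
2013-10-08T02:20:41|jdoe|db_update|cards.withdrawal_limits|0
2013-10-08T02:31:09|jdoe|share_read|finance-share|100000
"""

BASELINE_END = datetime(2013, 10, 7)  # events before this date form the "normal" baseline
VOLUME_FACTOR = 5.0                    # flag a day whose read volume exceeds 5x the baseline daily max


def parse(log_text):
    """Turn the pipe-separated log (assumed format) into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per user: which targets each action has touched before, and the largest
    share-read volume seen on any single baseline day."""
    seen = defaultdict(lambda: defaultdict(set))
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["ts"] >= BASELINE_END:
            continue
        seen[e["user"]][e["action"]].add(e["target"])
        if e["action"] == "share_read":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
    max_daily = {u: max(days.values()) for u, days in daily.items()}
    return seen, max_daily


def find_anomalies(events):
    """Return (timestamp, user, reason) for post-baseline events that do not fit the
    user's history. A user with no baseline history is flagged on everything; in
    production you would require a minimum history before trusting the baseline."""
    seen, max_daily = build_baseline(events)
    alerts, day_volume, flagged_days = [], defaultdict(int), set()
    for e in events:
        if e["ts"] < BASELINE_END:
            continue
        u, a, t = e["user"], e["action"], e["target"]
        if t not in seen[u][a]:  # share or table this user has never touched before
            alerts.append((e["ts"].isoformat(), u, f"first-time {a} of {t}"))
        if a == "share_read":
            key = (u, e["ts"].date())
            day_volume[key] += e["bytes"]
            limit = VOLUME_FACTOR * max_daily.get(u, 0)
            if day_volume[key] > limit and key not in flagged_days:
                flagged_days.add(key)  # one volume alert per user per day
                alerts.append((e["ts"].isoformat(), u,
                               f"daily read volume {day_volume[key]} exceeds "
                               f"{VOLUME_FACTOR}x baseline max {max_daily.get(u, 0)}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in find_anomalies(parse(SAMPLE_LOG)):
        print(ts, user, reason)
```

On the constructed log the baseline week is quiet and the 8 October events produce three alerts: a first-time share, a read volume far above the user's normal day, and a change to a table the user has never updated.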
