Systematically combine network data and intelligence sources to create a working model of the attack surface. Perform attack simulation to easily identify weak points in your defenses. Target vulnerability concentrations with streamlined actions and fix risky firewall rules and changes with automated risk assessment. With comprehensive network data at your fingertips, SOC analysts and incident response teams can achieve same-day response to cyber attacks.
Take your enterprise network security to the next level. Prevent, analyze, and respond to cyber attacks in real time.
A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response
1. A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response
Gidi Cohen | CEO & Founder | Skybox Security
2. Sources: Spending - IDC & Gartner; Costs - Center for Strategic and International Studies; Chart - 2015 Verizon Data Breach Investigations Report
The Defender Deficit
£260B annual cost of cyber crime
£45B annual spend on solutions
NO CHANGE in “defender gap” in 10 years!
80% of Attackers Compromise Network in Days
25% of Defenders Discover Attacks in Days
3. From Peacetime to Wartime Mindset
Peacetime: Process Focused; Advanced Planning; Compliance Driven
Wartime: Battlefield View; Attack Detection; Jump Teams
4. What’s your Incident Response Time?
Sources: ISACA.org for Incident Response process, Ponemon 2014 Cost of Cyber Crime Study for IR times
170 days to detect
+45 days to resolve
Incident Response Process
5. What Takes So Long?
Potential Exfiltration: Suspicious outbound data -> Shut down unnecessary ports
• Does this event match a possible attack vector?
• What assets are exposed through that access path?
• Which security controls can we leverage?
• Will a firewall change disrupt necessary services?
11. Ongoing Visibility of the Battlefield
Security Controls: Firewalls, IPS, VPNs
Network Topology: Routers, Load Balancers, Switches
Assets: Servers, Workstations, Networks
Vulnerabilities: Location, Criticality
Threat Actors: Hackers, Insiders, Worms
The attack surface is the sum of all reachable and exploitable attack vectors against an organization.
12. Apply Understanding of the Attack Surface
With Knowledge of the Attack Surface: Improve planning; Reduce mean time to detect; Speed containment actions; Verify resolution
14. Preparation: Optimise SIEM Monitoring
SIEM: Create a SIEM watch list
• Watch specific servers with known vulnerabilities
• Monitor access paths to high-value assets
• Look for services used in recent threats
15. Detection: Confirm Real Attacks Fast (BEFORE)
Attack Detection: SIEM -> Level 1 SOC Analysts -> Level 2 IR Team
BEFORE: High volume to review; False positives
16. Detection: Confirm Real Attacks Fast (BEFORE / AFTER)
Attack Detection: SIEM -> Level 1 SOC Analysts -> Level 2 IR Team
BEFORE: High volume to review; False positives
AFTER: Get attack context; Assets at risk; Prioritisation
19. Analysis: Triage Based on Impact to Assets
Alert: anomalous behavior -> Low risk
Alert: unexpected router change -> Flag high-risk vector: multiple ways to compromise finance server
20. Contain: Fast Zero-Day Response
Source: ISACA.org
Attack Surface Model (Threat, Vulnerability, Asset)
New Vulnerability Identified! CVE-2015-01234
• Which systems have the vulnerability?
• Are they part of an attack vector?
• Triage response
25. Summary: Using Attack Surface for IR
Incident Response Process
Incorporate broad set of data sources for full attack surface view
Arm the IR team: tools to correlate, query, and monitor attack surface
Speed detection and analysis
Use contextual info on likely next steps
Contain attacks and limit damage
26. Visit Skybox Security at Infosec
• Powerful platform for visibility of the attack surface
• Vulnerability and threat management
• Firewall management
• Network visibility and compliance
Risk Analytics for Cyber Security
Script:
In 2014, a group called the Center for Strategic and International Studies in Washington DC released a report estimating the annual cost of cyber crime at 260B GBP ($400B USD). According to IDC, Gartner and other analyst firms, the worldwide spending on information security solutions in 2014 was 45B GBP ($70B USD). Both of these numbers have been climbing at extraordinary rates, toward 15% per year growth over the most recent time period. In fact, this unchecked growth in spending on security products, together with the continued costs of cyber crime, may now be having an impact on the global economy.
Given all of this security spending and attention to the cyber problem, you would expect that defenders would have made substantial inroads into reducing the number of attacks, but this has not proven to be true.
Instead, in this graph you see the most recent Verizon Data Breach report, indicating that the gap between the time to compromise and the time to discover an attack is largely unchanged over 10 years! So attackers are still able to compromise networks in minutes or days, while defenders require weeks or months to discover an attack, and even more time to analyze the incident, contain it, and devise an effective plan of response.
Other notes from the source reports:
A study that estimated the global cost of cybercrime at $400 billion also revealed information security market trend data from research firm IDC showing a burgeoning market for products associated with identifying threats, data protection and incident response activities.
The report, issued this week by the Center For Strategic International Studies, a Washington, D.C., think tank, estimates the global cost of cybercrime at $400 billion and projects the figure to climb substantially until public- and private-sector organizations implement stronger measures to address intellectual property theft. The study, commissioned by Intel Security (formerly McAfee), also highlighted data from Framingham, Mass.-based research giant IDC, projecting a steep rise in spending on digital forensics tools, next-generation firewalls, and identity and access management software. The increased spending on security products may be having a negative impact on the global economy, the report found.
Script:
Over the past few years, with the continual onslaught of bad cyber news, we’ve seen a shift in mindset of security teams.
You may see this in yourself and in your own organizations. Instead of focusing on security planning, operational efficiency, continuous monitoring and compliance auditing, organizations have shifted to a ‘wartime’ mindset. In fact, IDC’s 2014 security spending report is in line with this, predicting a fast-growing market for attack detection, incident response, and data protection technologies.
In ‘wartime’ the focus is on fast response. You have to have the tools to detect the indicators of compromise that signal an attack in progress. You need to develop situational awareness to understand the cyber battlefield, and intelligence to triage incidents so you send the skilled jump teams in to fight the right issues.
At least, that’s the concept.
Script:
I think it’s great that companies are shifting to this ‘wartime’ mindset, because clearly there is a lot of work to be done.
Let’s take the incident response process, which is central to identifying and responding to cyber threats. We start with preparation – which can involve identifying areas of risk, developing the right response plans for different alerts, training individuals in your organization. Detection and analysis – to cull through the millions of different events that may be triggered through your SIEM, and the analysis to decide what to do about those events. Containment, eradication and recovery - the concrete steps to take action to block an attacker, keep data from leaving your organization, and remediating the root causes. And post-incident activity to document, learn from the attack, and introduce changes to policies, to segmentation, to incident response plans, so that you can respond more quickly next time.
Ponemon’s 2014 Cost of Cyber Crime Study found that the average time to detect a malicious attack was 170 days. You may say ‘no way’, but in many of the most newsworthy breaches over the past year, after-the-fact analysis often shows that attackers were in the network for months, conducting reconnaissance, setting up command and control malware, and more.
Ponemon also reported that the average time to resolve a cyber attack was 45 days, and this was a 33% INCREASE over the 32-day average from the global study in 2013. So with all the focus on better security management and incident management, we are heading in the wrong direction, fast. The incident response processes that are so important to protecting our businesses are too long.
How long should this process take? 50% of vulnerabilities are breached within 2 weeks of announcement of the vulnerability. 75% of attackers are able to take days to compromise a network. So the time frame we should be targeting is… a couple of days. Not weeks or months.
So the next question is … WHY does this process take so long today?
From the original sources:
Cyber crimes require more time to resolve: The average time to detect a malicious or criminal attack by a global study sample of organizations was 170 days. The longest average time segmented by type of attack was 259 days, and involved incidents concerning malicious insiders. The average time to resolve a cyber attack once detected was 45 days, while the average cost incurred during this period was $1,593,627 – representing a 33-percent increase over last year’s estimated average cost of $1,035,769 for a 32-day period.(2)
Script:
As an example, let’s say that you have a suspicious incident – it appears that unauthorized outbound data is leaving the organization. There may be a defined containment protocol ‘Shut down unnecessary ports immediately’ followed by more investigation.
But before you can do that, you need to check… is this a real attack?
You had 100 other alerts today, what makes this one real? Does this match with a known attack vector?
Are valuable assets exposed? Could they be if the attack continues? This may help me triage the different events and spend time on those that are truly a risk to critical assets.
I need to find the security controls that I can use to contain the attack. Which firewalls, which IPS.
And this is really, really hard to do if you have zero visibility of your attack surface. Today’s enterprises respond to cyber threats with almost no visibility of the battlefield that they are fighting on.
Script:
Massive amount of data to correlate and combinations of factors to consider
Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface
Fast-changing
Network context sensitive
Time context sensitive
Script:
This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents.
The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network.
Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
Script:
Vulnerability Exposure
Vulnerability Density
Remediation Latency
New Vulnerabilities
Violating Firewall Rules
Configuration Violations
Unused Firewall Rules
Network Zoning
Unauthorized Firewall Changes
End point protection and patch management coverage
Script:
Focus the SIEM on the right information. The attack surface can be used to generate a watch list to optimize the correlation rules of the SIEM.
Such as checking for unusual activity on particular servers that are known to be vulnerable
Monitoring events along available access paths to high-value assets
Or monitoring services or protocols that were implicated in the threat intelligence layered into the attack surface model.
SOC team receiving events queries the analytics engine:
“If someone hacks that system, can they gain access to the important assets?
Are there other systems that can be attacked?”
Script:
When you take the attack surface model and add powerful analytics, like attack simulation, you can triage a potential threat quickly. Let’s say that there was an unexpected change at a router.
Script:
Is it a real attack vector? Let’s say we find a vector that we know could include a router change as a key step to compromising this financial system.
You could identify a real attack vector and flag it as a high risk vector, or spot a lower priority change because it can’t impact a critical system.
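As an added illustration of the attack surface model (slide 11), the SIEM watch list (slide 14), impact-based triage (slide 19) and zero-day scoping (slide 20), here is a minimal model in Python. It is not Skybox code; the hosts, the reachability table standing in for firewall rules and topology, and the CVE identifiers are all constructed for the example.

```python
from collections import deque

# Constructed sample model (hypothetical hosts and CVE ids, not a real network).
HOSTS = {
    "internet":   {"vulns": set(),             "critical": False},
    "web-dmz":    {"vulns": {"CVE-0000-0001"}, "critical": False},
    "app-01":     {"vulns": {"CVE-0000-0002"}, "critical": False},
    "finance-db": {"vulns": set(),             "critical": True},
    "hr-wiki":    {"vulns": {"CVE-0000-0001"}, "critical": False},
}
# Reachability as modelled from firewall rules and topology: src -> reachable dsts.
ACCESS = {
    "internet": {"web-dmz", "hr-wiki"},
    "web-dmz":  {"app-01"},
    "app-01":   {"finance-db"},
    "hr-wiki":  set(),
}

def attack_vectors(hosts, access, origin):
    """Enumerate attack vectors: paths from `origin` to a critical asset in which
    every intermediate hop is reachable AND carries an exploitable vulnerability."""
    vectors, queue = [], deque([(origin,)])
    while queue:
        path = queue.popleft()
        for nxt in sorted(access.get(path[-1], ())):
            if nxt in path:                      # no loops
                continue
            if hosts[nxt]["critical"]:
                vectors.append(path + (nxt,))    # reached a critical asset
            elif hosts[nxt]["vulns"]:            # exploitable stepping stone
                queue.append(path + (nxt,))
    return vectors

def watch_list(vectors):
    """Slide 14: hosts on any vector form the SIEM watch list."""
    return {h for v in vectors for h in v[1:]}

def triage(alert_host, vectors):
    """Slide 19: an event on a host that lies on a vector to a critical asset is
    high risk; one on a host that cannot reach a critical asset is low risk."""
    hits = [v for v in vectors if alert_host in v[1:]]
    return ("high", hits) if hits else ("low", [])

def zero_day_impact(cve, hosts, vectors):
    """Slide 20: which systems carry the new vulnerability, and which of those
    are part of an attack vector and so get triaged first."""
    affected = {h for h, d in hosts.items() if cve in d["vulns"]}
    return affected, {h for h in affected if any(h in v[1:] for v in vectors)}
```

With this data the only vector is internet -> web-dmz -> app-01 -> finance-db, so an alert on hr-wiki triages as low risk even though it carries the same CVE as web-dmz.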
Notes: start with prevention – using attack surface view to reduce attack vectors,
Then detection – SIEM focused on right information
Containment – verification, zoning changes, access controls to prevent exfiltration must have the info readily available
Image on left -> identification of events – check to see if they are on the attack surface, reduce false positives
Then triage - achieve quick prioritization, identify actions
Then containment – command and control, exfiltration, malware control
Isolation allows customers to block activity between threats and compromised assets
Active traffic, potential traffic
Disable command and control activity
Link would generate a firewall change request
Change Manager
Mail
Identify long terms architectural changes, network segmentation, next gen fw policies, IPS utilization