Anticipate and Prevent Cyber Attack Scenarios, Before They Occur
1. Gidi Cohen
CEO, Founder
Skybox Security, Inc.
Presenter - Gidi Cohen – Content Copyright ©2012 Skybox Security, Inc. 1
2. Why can’t we curb the threat?
3. The Network Complexity Challenge
Enterprise network
• 55,000 nodes
• 300 firewalls
• 25,000 rules
• 65 network changes/day
• 10,000 daily reported vulnerabilities
5. Vulnerabilities and Threats Abound
[Word cloud: buffer attack, blocked rules, misconfigured firewall, USBs, policy violation, access violation, access policy violations, social networks, missing IPS signature, asset vulnerabilities, default password, threat origins]
6. Every Organization Feels the Pain
88% of organizations experienced significant damage or disruption due to attacks or data breaches in the past six months.
[Pie chart: type of damage experienced; respondents could report more than one type, so the percentages sum to more than 100%]
• Service down: 60.0%
• Misuse or unauthorized access to information: 35.0%
• Data breach of customer or confidential records: 20.0%
• Damage to information systems or data: 18.3%
• Damage to brand (e.g. hacktivism): 6.7%
• Minor Web DoS attack: 1.7%
• None: 10.0%
7. Vulnerability Management Program: Key for Risk Reduction
• Most respondents see their VM program as a key to reduce risk level and respond to threats
[Bar chart: reasons for running a VM program, rated on a 0 to 4.5 scale]
• To reduce our security risk level
• To proactively prevent threats before they happen
• To respond to new threats
• To provide an accurate assessment of our security status
• To meet compliance requirements
• To prioritize and minimize patching costs
8. Vulnerability Scans: Too Little, Too Late
[Chart: scan frequency (times per year, 0 to 350) against % of network scanned (10% to 90%)]
• Where you need to be: daily updates, 90%+ of hosts
• Critical systems, DMZ: avg. scan every 30 days, 50-75% of hosts
• Partner/external networks: avg. scan every 60-90 days, <50% of hosts
9. Vulnerability Scanning: Not Effective
Reasons given for not scanning more often or more broadly (survey responses):
• We are concerned about disruptions from scanning: 59%
• We don’t have the resources to analyze more frequent scan data: 58%
• We don’t have the resources to deal with broader patching activity: 41%
• Some hosts are not scannable due to their use: 34%
• The cost of licenses is prohibitive: 29%
• Unable to gain credentialed access to scan portions of the network: 12%
• We just don’t need to scan more: 5%
10. Old Gen Tech: Can’t Keep Up
Vulnerability Scanners: too much data
• Disruptive to the network
• Not suitable for daily operations
• Irrelevant for the Internet of Things
Security Information & Event Management (SIEM): reactive
• Real-time is too late
• Lacks context to deal with incidents
Network Configuration Management: limited view
• Config management, not security
• No holistic view of network security
11. Security is Unmanageable: Painful, Costly, Reactive
• Unable to keep pace with network changes, new services
• Damaging attacks, business disruption, loss of IP
• Compliance reporting consumes scarce resources
• Inefficient processes, escalating management costs
12. It’s going to get a lot worse (Mobile, Virtualization, Clouds)
13. The Security Management Gap is Widening Fast
[Chart, 2009 to 2014: “Security challenges” rising steeply while “Ability to execute” stays nearly flat]
• BYOD and BYOC the new norm
• Virtual servers now 50% of deployments
• Security programs can’t keep up
• Can you achieve a 16X improvement in 4 years? How?
14. Many Attacks, Similar Root Causes
Scenario: Data Breach, Cyber Theft, Hacktivism
  Attack technique: Buffer overflow; SQL injection, RFI, XSS; DDoS; Client-side attack
  Contributing factors: Known vulnerabilities; Policy compliance; Device misconfigurations; Insiders
Scenario: APT, Espionage, Cyber Crime
  Attack technique: Combining techniques; Known and zero-day vulnerabilities; Custom malware
  Contributing factors: Vulnerabilities; Policy compliance; Social engineering
Scenario: Unauthorized Access
  Attack technique: Firewall bypass; Stolen credentials; Stepping stone
  Contributing factors: Firewall misconfiguration; Vulnerabilities; Policy compliance
15. The Missing Piece: Security Risk Management
Holistic Visibility of the IT Infrastructure
• Networks, routers, firewalls, …
• End points: servers, desktops, virtual machines, mobile
• Cloud and virtualization infrastructure
Predictive Security Analytics
• Cyber attack simulation: APT, malicious code
• Network security analysis: firewalls, network path analysis
• Security metrics
Cost Saving: Integrated into Daily Operations
• Proactive, automated operation
• Scale to any environment
• Integrated with existing infrastructure
16. Future Architecture of Security Management
SOC Console
Security Risk Management (SRM): proactive, pre-attack exposure management
• Inputs: Patch Management, Vulnerability Scanners, Asset Management, Threat Intelligence, Network & Security Configs, Mobile Device Management
Security Information & Event Management (SIEM): post-attack incident management
• Inputs: a lot of logs, events, network traffic
18. Elements of a Predictive Approach
Situational Awareness: Where are we right now?
• Contextual and current data
• Network context: configuration, controls, policies
• Vulnerability data
• Threat data
Analytics: Where are the biggest risks?
• Network modeling
• Access paths
• Risk analysis
• Threat impact
Operational: What should we do to prevent?
• Must improve and simplify daily security activities, or why bother
• Actionable intelligence
• Secure change management process
19. Situational Awareness Using a Network Model
[Diagram: the model is fed from Firewall, Router, Load Balancer, IPS, Vulnerability Scanner and Patch data]
20. How is the Model Created?
1. Gather info on network topology: import topology data, device configs, routing tables
2. Automatically create a hierarchical model tree, grouping hosts by TCP/IP network
3. Add function, location, type
4. Analyze the model to detect missing info: hosts, ACLs, routing rules for gateways
21. Network Model Enables Analytics
• Normalized view of the network security situation
• Visualize entire network
• Updated continuously
• Multiple models (sandboxes): Live, Forensic, and What-if
22. Network Path Analysis
• Complete end-to-end path analysis
• Highlighting ACLs and routing rules
• Supports NAT, VPN, dynamic routing and authenticated rules
23. Find Exploitable Vulnerabilities
Vulnerabilities
• CVE 2009-203
• CVE 2006-722
• CVE 2006-490
[Diagram: threat origins Rogue Admin, Internet Hacker, Compromised Partner]
24. Simulate all Possible Attacks
Vulnerabilities
• CVE 2009-203
• CVE 2006-722
• CVE 2006-490
[Diagram: attack simulations from the threat origins Rogue Admin, Internet Hacker, Compromised Partner]
25. Proactive Intelligence to Prevent Attack
Connectivity path: probable attack vector to the Finance servers asset group. This attack is a “multi-step” attack, crossing several network zones.
Business Impact
Attack Vector
How to block the potential attack?
26. Quantify and Prioritize Risks
Risk = Vulnerability (CVSS score & CIA impact) x Exposure (threat origins & network) x Business Impact (CIA impact and asset importance)
Attack simulation supplies the inputs to this calculation.
27. Plan Defensive Strategy
[Diagram: Most Critical Actions, Vulnerabilities, Threats]
29. Attack Vector w/ Network Propagation: Remote Code Execution
1. Buffer overflow vulnerability MS11-004 on FTP server in DMZ
2. Exploit to gain root control on the FTP server
3. FTP server trust relations with DNS server in core network
4. DNS server running FreeBSD has BIND vulnerability, enabling control of the DNS server
5. Finance server compromised. Significant damage or data loss
30. Prevent a Buffer Overflow Attack
• Identifies all potential attack paths
• Attack simulation reveals a small number of exposed vulnerabilities
• Issue an urgent request to patch the FTP server
• Security team patches a single vulnerability to block the potential attack and reduce the high risk of Finance server compromise
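Taking slides 23 through 26 and 29 and 30 together, the following Python is an added example of the attack simulation and risk scoring they describe; it is not Skybox code. The zones, the zone-to-zone access the firewalls permit, the CVSS values, the 1-to-5 asset importance scale and the reused credentials that let the DNS server reach the finance server are constructed assumptions. MS11-004 is the FTP server vulnerability named on slide 29; the slide does not name the BIND issue, so "BIND-RCE" is a placeholder.

```python
"""Attack simulation and risk scoring over a small network model (constructed example)."""
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Vuln:
    name: str     # identifier as it appears on the slide, or a labelled placeholder
    port: int     # TCP port the exploit must reach
    cvss: float   # base score; the values below are assumptions, not from the page

@dataclass
class Host:
    name: str
    zone: str
    importance: int                   # business importance 1..5 (assumed scale)
    vulns: list = field(default_factory=list)
    trusts: list = field(default_factory=list)  # hosts reachable with this host's credentials

# Reachability the model derived from firewall configs: (src_zone, dst_zone, tcp_port).
ALLOWED = {
    ("internet", "dmz", 21),   # FTP published to the Internet
    ("partner", "dmz", 21),    # partners upload files to the same server
    ("dmz", "core", 53),       # the "trust relation": DMZ hosts may query the core DNS server
}
HOSTS = {
    "ftp-dmz":  Host("ftp-dmz", "dmz", 2, [Vuln("MS11-004", 21, 9.3)]),
    "dns-core": Host("dns-core", "core", 3, [Vuln("BIND-RCE", 53, 8.5)],   # CVE not named on slide
                     trusts=["fin-srv"]),  # assumption: admin credentials reused on the finance server
    "fin-srv":  Host("fin-srv", "finance", 5),
}
THREAT_ORIGINS = ["internet", "partner"]

def simulate(hosts, allowed, origin, patched=frozenset()):
    """Breadth-first attack simulation. `origin` is a threat-origin zone or an already
    held host. Returns {host: [steps]} for every host the attacker can take over."""
    if origin in hosts:
        taken, frontier = {origin: []}, deque([(hosts[origin].zone, origin)])
    else:
        taken, frontier = {}, deque([(origin, None)])
    while frontier:
        zone, via = frontier.popleft()
        for h in hosts.values():
            if h.name in taken:
                continue
            if via is not None and h.name in hosts[via].trusts:
                step = f"{via} -> {h.name}: stepping stone via trust relation"
            else:
                # Same-zone traffic is unfiltered; cross-zone traffic needs a permitting rule.
                hit = next((v for v in h.vulns if v.name not in patched
                            and (zone == h.zone or (zone, h.zone, v.port) in allowed)), None)
                if hit is None:
                    continue
                step = f"{via or zone} -> {h.name}: exploit {hit.name} over tcp/{hit.port}"
            taken[h.name] = (taken[via] if via else []) + [step]
            frontier.append((h.zone, h.name))
    return taken

def exposed_hosts(hosts, allowed, origins, patched=frozenset()):
    """Union of everything any threat origin can reach."""
    out = set()
    for o in origins:
        out |= simulate(hosts, allowed, o, patched).keys()
    return out

def risk_scores(hosts, allowed, origins, patched=frozenset()):
    """Risk = Vulnerability (CVSS/10) x Exposure (share of threat origins whose simulated
    attack reaches the host) x Business Impact (importance of the most valuable asset the
    attacker can go on to reach, scaled to 1). Returns (risk, host, vuln), highest first."""
    sims = {o: simulate(hosts, allowed, o, patched) for o in origins}
    scores = []
    for h in hosts.values():
        exposure = sum(h.name in sims[o] for o in origins) / len(origins)
        downstream = simulate(hosts, allowed, h.name, patched)
        impact = max(hosts[n].importance for n in downstream) / 5
        for v in h.vulns:
            if v.name not in patched:
                scores.append((round(v.cvss / 10 * exposure * impact, 3), h.name, v.name))
    return sorted(scores, reverse=True)

if __name__ == "__main__":
    for host, steps in simulate(HOSTS, ALLOWED, "internet").items():
        print(host, "<=", " | ".join(steps))
    print(risk_scores(HOSTS, ALLOWED, THREAT_ORIGINS))
    # What-if sandbox: patch the top-ranked vulnerability and re-run the simulation.
    print("finance exposed after patch:",
          "fin-srv" in exposed_hosts(HOSTS, ALLOWED, THREAT_ORIGINS, {"MS11-004"}))
```

Run stand-alone, it prints the three-step path from the Internet to fin-srv (FTP exploit, BIND exploit, trust hop), ranks MS11-004 on the FTP server above the BIND issue, and shows that patching that one vulnerability leaves no host reachable from either threat origin, which is the slide 30 outcome. Patching only BIND would also protect the finance server but would leave the FTP server compromised from both origins; that difference is what the exposure factor is there to surface.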
31. Attack Vector w/ Network Propagation: Firewall Bypass
Attack steps
1. DMZ firewall allowed access through TCP port 443 to the internal network (which might be okay)
2. A misconfigured load balancer rule performed NAT to TCP port 80
3. Allowing port 80 access to the development network: a very risky situation
32. Preventing a Firewall Bypass Attack
• Automatically assess configurations of firewalls, load balancers, IPS devices, and routers
• Create an up-to-date network model
• Check policy rules such as: “No access from Internet to Internal except …”
• End-to-end access path analysis: every possible path
• Issue tickets to address violations in order of impact to business
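The model-building and path-analysis steps of slides 20 through 22 and the firewall-bypass case of slides 31 and 32 fit in one small Python model. This is an added example, not Skybox code: the zones, address ranges, VIPs, ACL and NAT rules are constructed, and the policy exception (HTTPS to an internal application tier) is a hypothetical stand-in for the "except …" the slide leaves open.

```python
"""Network-model path analysis with ACLs and destination NAT (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address space each modelled zone owns (constructed).
ZONES = {
    "dmz":      ipaddress.ip_network("203.0.113.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/16"),
    "dev":      ipaddress.ip_network("10.20.0.0/16"),
}
INTERNAL_ZONES = {"internal", "dev"}

def zone_of(ip):
    # None means the model has no network for this address: missing topology info.
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst: str
    dport: int

@dataclass(frozen=True)
class AclRule:
    action: str              # "permit" or "deny"
    src_zone: str            # zone name or "any"
    dst_net: str             # CIDR
    dport: Optional[int]     # None = any port

@dataclass
class Firewall:
    name: str
    rules: list

    def process(self, flow):
        """First-match ACL evaluation; returns (forwarded, log line, flow unchanged)."""
        dst = ipaddress.ip_address(flow.dst)
        for n, r in enumerate(self.rules, 1):
            if (r.src_zone in ("any", flow.src_zone)
                    and dst in ipaddress.ip_network(r.dst_net)
                    and r.dport in (None, flow.dport)):
                return r.action == "permit", f"{self.name} rule {n}: {r.action} tcp/{flow.dport} to {flow.dst}", flow
        return False, f"{self.name}: implicit deny", flow

@dataclass
class LoadBalancer:
    name: str
    nat: dict   # {(vip, port): (real_ip, real_port)}

    def process(self, flow):
        """Destination NAT: the flow that leaves may differ from the one that arrived."""
        target = self.nat.get((flow.dst, flow.dport))
        if target is None:
            return True, f"{self.name}: no VIP match, forwarded unchanged", flow
        rip, rport = target
        return True, f"{self.name}: NAT {flow.dst}:{flow.dport} -> {rip}:{rport}", Flow(flow.src_zone, rip, rport)

def trace(flow, hops):
    """End-to-end path analysis: walk the devices in order, following NAT rewrites.
    Returns (reached, final flow, final zone, per-hop log)."""
    log = []
    for hop in hops:
        ok, msg, flow = hop.process(flow)
        log.append(msg)
        if not ok:
            return False, flow, None, log
    return True, flow, zone_of(flow.dst), log

def policy_violations(flows, hops, exceptions):
    """Policy 'No access from Internet to Internal except ...', judged on the
    post-NAT destination. `exceptions` holds (zone, port) pairs that are allowed."""
    findings = []
    for f in flows:
        reached, final, zone, log = trace(f, hops)
        if not reached or f.src_zone != "internet":
            continue
        if zone is None:
            findings.append(("missing-info", final, log))   # NAT target in no modelled network
        elif zone in INTERNAL_ZONES and (zone, final.dport) not in exceptions:
            findings.append(("violation", final, log))
    return findings

# Slide 31: the firewall permits HTTPS to the published VIPs ("might be okay") ...
DMZ_FW = Firewall("dmz-fw", [
    AclRule("permit", "internet", "203.0.113.0/24", 443),
    AclRule("deny", "any", "0.0.0.0/0", None),
])
# ... but one load-balancer rule NATs a VIP to tcp/80 on a host in the development network.
LB_MISCONFIGURED = LoadBalancer("lb-1", {
    ("203.0.113.10", 443): ("10.20.0.5", 80),       # the misconfiguration
    ("203.0.113.11", 443): ("10.0.5.20", 443),      # internal app tier, covered by the exception
    ("203.0.113.12", 443): ("10.99.0.5", 80),       # target the model knows nothing about
})
LB_FIXED = LoadBalancer("lb-1", {
    ("203.0.113.10", 443): ("203.0.113.20", 443),   # corrected: VIP serves the DMZ web tier
    ("203.0.113.11", 443): ("10.0.5.20", 443),
})
EXCEPTIONS = {("internal", 443)}   # hypothetical content of the slide's "except ..."
CANDIDATE_FLOWS = [Flow("internet", vip, port)
                   for vip in ("203.0.113.10", "203.0.113.11", "203.0.113.12")
                   for port in (80, 443)]

def audit(lb):
    """Run every candidate Internet flow through the firewall and then the load balancer."""
    return policy_violations(CANDIDATE_FLOWS, [DMZ_FW, lb], EXCEPTIONS)
```

trace() applies the firewall and then the load balancer, so the policy is judged on the post-NAT destination: the firewall log line reads "permit tcp/443 to 203.0.113.10", but the path ends at 10.20.0.5:80 in the dev zone, and audit(LB_MISCONFIGURED) reports it as a violation while audit(LB_FIXED) reports nothing. The third VIP exercises the slide 20 "detect missing info" step: its NAT target lies in no modelled network, so it is reported as a gap rather than silently passed.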
33. Wide Attack Surface Exposed: Client-Side Attack Vectors
1. User opens an infected email attachment or clicks a link to a malicious or hacked website
2. A vulnerability or misconfiguration on the desktop is exploited and malware is installed
3. Malware enables the attacker to collect data from the machine, continue the attack within the network, and send data back to the attacker
Source: SANS Tutorial: HTTP Client-side Exploit
34. Preventing a Client-Side Attack
• EMEA region at highest risk
• Adobe Reader 9.x and 8.x contribute the majority of the risk (76%)
• Retrieve exact list of vulnerable hosts
• Remediate in order of risk impact
35. Reinvent your Security Program
Add Proactive Security Tools Now
• Situational awareness
• Predictive
• Risk-based analytics
• Decision support
Set the bar really high
• Unbelievable scale
• Adapt to new architectures
Use the Force, Luke!
36. Thank you
Gidi Cohen
CEO, Founder
info@skyboxsecurity.com
+1 (408) 441-8060
Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.