Fs isac fico and core presentation10222012
1. Predictive Security Intelligence – Driving a Productive Partnership between security, audit and risk
Tuesday October 23, 2012
FS-ISAC Fall Summit
Vickie Miller, Sr. Director, Information Security, FICO
Seema Sheth-Voss, Director, Solutions Marketing, Core Security
2. Agenda
• Overview of FICO and security organization
• Security analytics journey at FICO
• Parallel between FICO’s business & challenges with security data
• CORE Insight solution and value
• Building a resilient and predictive security architecture
3. A bit about FICO
• Founded in 1956, FICO is a leading provider of credit scoring, decision management, fraud detection and credit risk score services.
• The concepts that are of interest include:
− Multi-dimensional profiling capabilities
− Neural networks
− Adaptive analytics
− Self-calibrating outlier analytics
− Integration with man-made rules to detect anomalous activity
− Integration with man-made rules to determine courses of action based on the output of machine generated anomaly detection and output of man-made anomaly detection.
4. Security organization at FICO
• Application Security with static and dynamic code analysis
• Security Operations - logging, IDS/IPS, FIM, PVM
• Governance, Risk and Compliance – internal, external audits
Defense focused today; need to shift and evolve to Proactive and Predictive
5. Challenges at FICO
Need for operational efficiency
• Multiple IT Delivery Models
• Cloud
• Challenges with SLAs
• Cost of labor and lost opportunity cost
Need to protect our environment
• Risk and Compliance Pressure
• Need for scalability and automation in risk assessment but with the ability to react quickly
Challenge of internal communication
• Managing Up!
• Communicating across the matrix and the globe
6. Parallels between our business and my team
• FICO’s business uses advanced predictive analytics in the transaction stream to prevent fraud loss.
• Security uses Snort rules and packet inspection to detect anomalous activity.
• FICO uses consortium of data & real-time input to detect changing nature of fraud (Card Alert – Michaels).
• Millions and millions of log files looking for event correlations.
8. Predictive Security Intelligence - Taking a performance and analytics driven approach
• What is happening? Why? What is likely?
• What really matters and what doesn’t?
• What should we do about risks?
• How do we convey the risk to get action?
9. Layered controls at each part of technology stack but no correlation
• The vast majority at the management software layer are built to defend, react or monitor
• This model has inherent gaps:
− Overwhelming amounts of data
− Little correlation / communication between solutions
− By the time alerts go off, it’s too late
10. FICO’s solution
What is likely to happen? Understand security posture before a breach happens
11. Visualize the most likely attack paths to crown jewel assets or data
Focus on the most critical vulnerabilities which have business or reputation impact
12. What really matters?
Get above the noise of the security data.
Challenge: false positives and make sense of the noise.
The continuous cycle on the slide:
• Incident and scan data: discover assets, collect incident and other data and scan for vulnerabilities
• Simulate or test: identify and prove critical exposures
• Remediation: apply patches and other updates
• Validate fix effectiveness
• Repeat
13. Value of getting above the noise of data
Before
• Small security staff
• Needed to scale and enhance testing, understand risk to most critical assets
• Getting 82,000 vulnerability signatures from scanner
• Yet only working on 300 results due to resource constraints (hopefully the right 300?)
• Yearly vulnerability management cost: $144,000
• Yearly remediation/Patch management estimate at 300 tickets passed to IT: $700,000
After
• Proactively determine attack path across 1000 assets
• Identified the 30 most critical exploitable vulnerabilities of the 82,000 worth addressing first
• Prioritize & validate vulnerabilities
Savings
• VM costs per year: $43,200
• Trouble tickets passed ~ 30
14. Conveying risk & prompting action
A balancing act between risk reduction and making security “easier” and cost efficient. Voices from across business and technology roles:
• Compliance Officer: “Security needs to be an enabler, but checkbox mentality creates a divide.”
• Chief Risk Officer: “Security metrics need to be conveyed in language of enterprise risk.”
• Audit Officer: “We need security to let us know whether controls are in place and working.”
• CISO: “We’re spending a lot on tools, but I can’t say whether we’re improving our overall security posture …”
• VP of IT: “The business needs new functionality, but my team is fixing things that may not even be real.”
• Security Director: “Our security data log contains over X million records, but it’s difficult to determine what is truly most vulnerable.”
• Pen Test Team: “We have the best team, but we can’t scale and periodic assessments quickly become outdated.”
15. What should we do with security data?
Enabling Performance Management like best practices for security
• Security Metrics and Reporting with Continuous Assessment
− Status of the safeguards
− Trending
− Change management
− Hand-off to remediation systems
• Enterprise Risk Management
− Business continuity
− Reputation
16. Core Security – Our journey to Security Intelligence
• Leading provider of predictive security intelligence solutions
− Established: 1996, first commercial product: Core Impact 2001
− Headquartered in Boston, CoreLabs in Buenos Aires
− 1,400 customers, ~200 employees
• Diverse, experienced organization driving segment leadership
− Experienced management -- backgrounds include Sophos, CA, Symantec, Seagate, IBM
− Active Customer Advisory Board and Core Customer Community group
− Consistent award recognition from industry groups and media
• Groundbreaking research & product development
− Leading-edge consulting services brings field experience
− CoreLabs vulnerability research team world renowned
− 9 patents approved / 12 pending
17. CORE’s security intelligence solution in action
1. Environment Profiling and security data collection – Tell Insight about your environment.
2. Campaign Definition – You define critical IT assets (aka goals), scope and timing.
3. Threat Planning and Simulation – Insight calculates likely attack paths to your defined assets.
4. Threat Replication – Insight attempts to exploit vulnerabilities along the paths.
5. Adaptive Path Adjustment – Insight seeks new paths as systems are compromised.
6. Infrastructure Change – Campaigns can automatically adapt as you deploy new systems (new system added to environment, security verified).
7. Dashboard / Reporting – Insight presents findings in terms relevant to your organization.
18. CORE Insight: Start improving the effectiveness of your vulnerability management program
“Based on what I outlined above I see this type of dashboard capability as a real need for security officers. As I like to say: ‘You get what you measure.’ Metrics change behaviors; that’s their value. Sharing those measurements so people know the value of your efforts is a best practice.” – Ed Ferrara, Forrester blog in ComputerWorldUK, October 8, 2012
19. CORE Insight Platform tomorrow – Predictive Intelligence to your existing security ecosystem
• Security Suite: Firewall, IDS/IPS, Vuln Scan, DLP
• Security Data → SIEM → Alerts to be Validated
• CORE Insight Enterprise: Threat Path and Vector Analysis; Vulnerability Threat Validation
• GRC
20. Intelligence and Measurement drives cross-organizational partnership
• Audit and Compliance: Streamline workflow and correlate data across multiple vulnerability management tools
• Security Team: Validate vulnerabilities and test controls
• Operational Risk Officer: Convey cyber risk in operational terms
• VP of IT: Track remediation and fix the right things
Strike the Balance: Let’s Predict to keep bad guys out & Make better decisions and not ‘break the bank’
At CORE we’ve been working closely with clients on a different way of not just getting ahead of the threat but managing their security posture and helping them gain business-level commitment on security investments. I used to work in business intelligence, and the same performance management and predictive analytics framework can apply to security data and management.
Now here is the challenge and an unfortunate secret I hear from the CISOs that I meet: they buy technology out of fear and greed. Someone in the IT department hears about a new virus or vulnerability, downloads and installs the latest patch, and they’re done. Reactive big news gets a lot of attention. We go back to business as usual until the next time. WikiLeaks happened at the State Department and many US federal departments rushed out to get data leak prevention software. You are all in a similar boat. Whether you are the CIO, telecom network exec, business leader or the security leader, I think we all recognize that we need a different approach. Here is what happens with all that spending: we think we are doing a good job, but now we have ended up with a new problem. All the stuff is actually creating more noise and distracting us from the real threat. What we really need is a system or platform that is proactive and predictive, a system that helps us manage, validate and correlate our data and alerts.
What is happening and what is likely? Back to the interconnected nature of the attacks. We need to think like the attacker. CORE has been in business for 14 years and we were the early pioneers of the approach now widely known as pen testing. Pen testing is a systematic approach to identifying weaknesses in already deployed targets and exploiting those weaknesses. It is a vulnerability assessment followed by exploiting the vulnerabilities found during the assessment. “You are trying to break a system, without breaking the system.” What is unique about automated tools such as CORE Impact is that these are goal oriented and multi-vector. What they are after, your critical assets, isn’t just a web URL or a network; it is a business, data and process collection which has multiple types of IT assets underneath. Pen testing simulates the actions of the attacker who exploits the weak links in the management software, not the SCADA devices which you think are air gapped. And they think multi-surface across networks, web and endpoints, and use weak links like admin email and phishing to gain access to deeper privileges such as administrative, to burrow deeper into control systems or transmission layers.
That brings us to the next question in our framework: what really matters. Remember I talked about all the reactive and detective controls. So say you have an incident management system, or you went and invested in scanner or sniffing technology; pen testing is a great way to drill further and pivot in to figure out what is real. Here is what happens if you don’t: your security teams will spend precious time chasing false positives or noisy data while the attacks keep coming, and your downstream IT teams who are responsible for remediation will simply shut security out, because they don’t believe the threat is credible, plus they never have enough resources.
Here is an example from a lab under the Department of Energy: they were getting 82,000 signatures from their scanning technologies but only getting to 300. With a highly scalable and automated solution for security assessment and attack planning this agency was able to pinpoint the 30 most exploitable vulnerabilities, saving both cost and effort in their security team but also in the downstream IT remediation effort.
Finally to the final question in our framework: how do we convey risk to the board and management? CORE solutions have been critical in driving performance management like best practices for security. First, the CISO or director can continuously test and report the status of the safeguards and whether or not they’re working, and capture the trending. From a performance viewpoint these guys want to fix or remediate the most critical exposures, managing the workflow with IT on the most critical priorities. Also, the thing about vulnerability is that change in their IT environment is constant, so it is about keeping on top of what is most critical at any given time. Last, CISOs are eager to have something that they can take to their Monday morning meeting with their boss, whether it is the CIO or the chief compliance or audit team. We relate the technical language to the business systems or domains, e.g. network centers, operations, labs, enterprise systems such as call centers, and of course critical networks that form the support infrastructure of the transmission and power distribution. I.e. the basic discussion is what a vulnerability or red on the asset heat map means in terms of continuing operations, safety of personnel, impact to customer services, or potential disruptions, and having a clear pulse on that at all times.
Thanks Vickie. I’ll shift gears a little bit and tell you a little about Core Security, which is the solution Vickie talked about, and where we got started. We are an interesting company in that we are a 14-year-old start-up. We were founded in BA, actually the security team of the equivalent of the IRS of Argentina, and these are the guys that pioneered ethical hacking, and the first product, which is still a leading tool for red team and pen testing teams today, is CORE Impact. 3 years ago we decided to take the smarts of the tool, our vulnerability research and this entire notion of multi-vector attack planning and pivoting and develop an enterprise platform and solution for security vulnerability management; think about multiple or simulated ethical hacking that is really looking at the next attack window. The simplest analog is the game of chess: the rules of the game are known and normal players can follow the rules and make the moves play by play. What we are about is being the more strategic chess player; they can look at a board and predict not only their moves but their opponent’s moves, probably 8-9 plays in advance.
Step 1: Getting an understanding of your overall environment. This is both technical infrastructure and everything that is an asset: web app, email, and servers. We can take this from a configuration database or you might have this already as part of your security scans. We also collect the security scan information, and in subsequent steps I’ll show how we correlate that information in the analysis. Step 2: this is where the business requirements get introduced. Let’s define the goals of your campaign, i.e. defining the assets which are the crown jewels you think attackers want to get to. So for retailers, ecommerce and payments players this is typically credit card data, for HC patient records, and for you in fin services it is the critical perimeters of the money movement applications, web portals etc. You set up the campaign frequency (daily, weekly, 15 days), giving you the situational awareness. Step 3: here is where CORE’s IP really shines; we calculate the attack path, or the multi-point or multi-pivoted path of the attacker. The state of the art until recently was scanners, web and network, but we got a ton of data and it simply wasn’t even practical to patch even category 1, plus the criticality from a technical sense didn’t necessarily mean it was truly exploitable, or something that is not as critical from a technical perspective could actually be a gateway to the ultimate vulnerability on a machine with your crown jewels. Another thing we found is attackers don’t attack or exploit machines just because there is a vuln. They look for the window and easier paths. There are multiple paths and factors: chance of discovery, chance of being successful. Now try doing this at scale and automated; mathematically this is what they call an NP-hard problem in computer science, to actually find the optimal paths, because each decision point has multiple and unique factors: the least-cost cyclic route through all nodes of a weighted graph.
This is commonly known as the traveling salesman problem. We have developed AI algorithms which heuristically determine the most likely paths. Moving along, in cases where we can, we can actually test the exploit. Note that most banks and ecommerce clients don’t allow live exploits against production systems and they are happy with the simulation results. Finally, change management: people do silly things; someone in the Denver office puts up a new server with default password/admin credentials, and Insight will adjust to take the new environment into account. And then finally we have multiple levels of dashboards for directors, executives and IT to track the security and VM posture.
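The following is an added Python example, not code from Core Security, FICO or the Insight product, written to make concrete the idea that runs through slides 11, 12, 13 and 17 and the notes above: rank findings by whether they sit on the most likely route to a crown-jewel asset rather than by raw scanner severity, then re-plan after a fix to validate its effect. Every host name, edge, severity and success probability is constructed sample data, and the planning method (each hop costs -log of its success probability, so Dijkstra's shortest path is the highest-probability path) is an assumption chosen for the illustration, not a description of Insight's algorithm.

```python
"""Attack-path prioritisation over a weighted asset graph (added example,
not Core Insight's or FICO's code; all data below is constructed)."""
import heapq
import math
from typing import Dict, List, Tuple

Finding = Tuple[str, str, float]  # (vuln_id, scanner severity, p_success)

# Constructed findings: host -> weaknesses an attacker already holding an
# adjacent host could use to compromise this one.
FINDINGS: Dict[str, List[Finding]] = {
    "web-portal":  [("VULN-A", "high", 0.8)],
    "app-server":  [("VULN-B", "medium", 0.3), ("VULN-C", "critical", 0.05)],
    "file-server": [("VULN-D", "medium", 0.9)],
    "db-payments": [("VULN-E", "high", 0.6)],
    "hr-laptop":   [("VULN-F", "low", 0.95)],
}
# Constructed reachability between segments (directed edges).
EDGES: Dict[str, List[str]] = {
    "internet":    ["web-portal", "hr-laptop"],
    "web-portal":  ["app-server"],
    "hr-laptop":   ["file-server"],
    "file-server": ["app-server", "db-payments"],
    "app-server":  ["db-payments"],
    "db-payments": [],
}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def most_likely_path(findings, start, goal):
    """Dijkstra with hop cost -log(p): the lowest-cost route is the one with
    the highest product of per-hop success probabilities (an assumption of
    this example). Returns (probability, hosts on path, vuln_ids used)."""
    dist = {start: 0.0}
    prev = {}
    heap = [(0.0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                          # stale heap entry
        if node == goal:
            break
        for nxt in EDGES.get(node, []):
            if not findings.get(nxt):
                continue                      # no known way onto this host
            vid, _sev, p = max(findings[nxt], key=lambda f: f[2])
            nd = d - math.log(p)
            if nd < dist.get(nxt, math.inf):
                dist[nxt] = nd
                prev[nxt] = (node, vid)
                heapq.heappush(heap, (nd, nxt))
    if goal not in dist:
        return 0.0, [], []
    hosts, used, node = [goal], [], goal
    while node != start:
        node, vid = prev[node]
        hosts.append(node)
        used.append(vid)
    return math.exp(-dist[goal]), hosts[::-1], used[::-1]


def prioritise(findings, start, goals):
    """Findings on a most-likely path to any goal come first, in attack
    order; the remainder follow, ordered by scanner severity."""
    on_path: List[str] = []
    for goal in goals:
        _p, _hosts, used = most_likely_path(findings, start, goal)
        on_path.extend(v for v in used if v not in on_path)
    rest = sorted((f for fs in findings.values() for f in fs if f[0] not in on_path),
                  key=lambda f: (-SEVERITY_RANK[f[1]], f[0]))
    return on_path + [f[0] for f in rest]


def by_severity_only(findings):
    """What a plain scanner export would say to fix first."""
    allf = [f for fs in findings.values() for f in fs]
    return [f[0] for f in sorted(allf, key=lambda f: (-SEVERITY_RANK[f[1]], f[0]))]


def remediate(findings, vuln_id):
    """Copy of the findings with one weakness fixed, so the campaign can be
    re-run to validate the fix (the cycle on slide 12)."""
    return {h: [f for f in fs if f[0] != vuln_id] for h, fs in findings.items()}


if __name__ == "__main__":
    p, hosts, used = most_likely_path(FINDINGS, "internet", "db-payments")
    print(f"p={p:.3f} path={' -> '.join(hosts)} via {used}")
    print("severity order:", by_severity_only(FINDINGS))
    print("path order:    ", prioritise(FINDINGS, "internet", ["db-payments"]))
    fixed = remediate(FINDINGS, "VULN-D")
    p2, hosts2, used2 = most_likely_path(fixed, "internet", "db-payments")
    print(f"after fixing VULN-D: p={p2:.3f} path={' -> '.join(hosts2)} via {used2}")
```

In this constructed data the scanner's "critical" VULN-C is not on any likely route, while the "low" VULN-F on a laptop is the first hop of the most probable path to the payments database; fixing VULN-D on the file server does not make the database safe, it shifts the most likely path to the web portal, which is what re-running the campaign after a fix is meant to reveal.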
So what we have built today with the solution underpinning I just walked through are the complete aspects of an intelligent vulnerability management program, and what is critical is that there is intelligence, visualization and measurement at every step. Ed Ferrara actually called CORE’s dashboard out in his recent blog as one of many solutions out there. What I hear is the importance of measurement and alignment at every level, and the hierarchy from measurements: 1) let’s understand stuff down in the weeds in the CVEs, to understanding which are truly real and then prioritizing; 2) next let’s understand whether IT actually fixed these and whether there is a clear workflow and path. I used to work a lot with CIOs. So the value really starts to resonate outside the walls of security, with your audit and IT dev guys and ultimately back to the business lines, when you can translate the security risk for your guys.
Next coming up is the evolution of Insight as a platform that provides security intelligence into the rest of your infrastructure. I know GRC vendors like RSA and Agiliance are here, as is IBM Q1 Labs. What we get asked about is where and how Insight fits in the rest of the existing security architecture. So we have a number of deployments underway where your peers are tackling separate aspects. On one hand is your SOC with the SIEM as the center of the universe, collecting and correlating all that data. What even the state-of-the-art SIEM can’t do today is tell us what sophisticated attackers are thinking and what they’ll do before they do it. The data is also not relational, e.g. how does a Toronto incident on a file server lead to a compromise in the Boston office? Are they isolated incidents or part of a coordinated attack? We can integrate with a SIEM, and where people find most value is the attack paths and validation of alerts, proving what is real and then feeding that intelligence, really key factors such as exploitability, asset value and impact, in the form of a correlation rule back into the SIEM. These correlation rules complement either the manual analysis done or some kind of statistical engine like a Splunk, which simply looks for pattern anomalies but doesn’t have the security context or the think-like-the-attacker mentality. On the other hand is the audit and enterprise risk community, and their world is IT GRC systems. Many leading GRC systems have good VM modules, but again they can be quickly overwhelmed with data directly from a scanner. The AI engine allows you to spot gaps in the compliance framework and verify that controls and policies actually thwart the kinds of attacks they were designed to stop, and immediately provides documented proof. Vulnerability validation and proof of compliance or non-compliance against key controls makes it much easier to integrate and correlate ultimately to business impact and risk.
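The following is an added Python example, not code from Core Security, any SIEM vendor or the Insight product, illustrating the integration described in the note above and on slide 19: attack-path intelligence (validated paths with exploitability and asset value) fed back as a correlation rule over SIEM alerts. Alerts on hosts that lie on a validated path are scored up, alerts on hosts with no validated path sink to the bottom of the queue, and alerts that hit successive hops of one path in time order (the "Toronto file server, then Boston" question) are tagged as one campaign rather than isolated incidents. The alert line format, host names, paths and scoring formula are all constructed for this example.

```python
"""Feeding attack-path intelligence back into SIEM triage (added example;
not Core Insight's, a SIEM's or any vendor's code; all data constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed output of an attack-path engine: validated routes from an entry
# point to a crown-jewel asset, with overall exploitability (0..1) and the
# business value of the target asset (1..10).
VALIDATED_PATHS = [
    {"hosts": ["tor-fs-01", "bos-app-02", "bos-db-pay"],
     "exploitability": 0.5, "asset_value": 9},
    {"hosts": ["web-portal", "bos-db-pay"],
     "exploitability": 0.1, "asset_value": 9},
]

# Constructed SIEM alert lines: timestamp, host, source, key=value fields.
RAW_ALERTS = """\
2012-10-22T09:12:03Z tor-fs-01 ids sig=1001 msg="SMB brute force"
2012-10-22T09:40:51Z hr-printer ids sig=2002 msg="port scan"
2012-10-22T10:05:17Z bos-app-02 fim msg="binary changed /usr/sbin/sshd"
2012-10-22T10:07:44Z web-portal ids sig=3003 msg="SQL injection attempt"
2012-10-22T11:30:00Z bos-db-pay dlp msg="bulk export 40000 rows"
"""


@dataclass
class Alert:
    ts: str
    host: str
    source: str
    msg: str
    score: float = 0.0
    campaigns: List[str] = field(default_factory=list)


def parse_alerts(text: str) -> List[Alert]:
    """Minimal parser for the constructed line format above."""
    alerts = []
    for line in text.splitlines():
        ts, host, source, rest = line.split(" ", 3)
        msg = rest.split('msg="', 1)[1].rstrip('"')
        alerts.append(Alert(ts, host, source, msg))
    return alerts


def path_index() -> Dict[str, List[Tuple[int, int]]]:
    """host -> [(path number, hop number)] over every validated path."""
    idx: Dict[str, List[Tuple[int, int]]] = {}
    for n, p in enumerate(VALIDATED_PATHS):
        for hop, host in enumerate(p["hosts"]):
            idx.setdefault(host, []).append((n, hop))
    return idx


def score_alert(alert: Alert, idx) -> float:
    """Highest weight over the validated paths the host sits on (constructed
    formula: exploitability x asset value x depth along the path, so a hit
    on the crown jewel itself weighs most). Hosts on no path score 0."""
    best = 0.0
    for n, hop in idx.get(alert.host, []):
        p = VALIDATED_PATHS[n]
        depth = (hop + 1) / len(p["hosts"])
        best = max(best, p["exploitability"] * p["asset_value"] * depth)
    return round(best, 3)


def correlate(alerts: List[Alert]) -> List[Alert]:
    """The correlation rule: score every alert, then for each validated path
    collect alerts that hit its hops in increasing order over time; two or
    more such hits are tagged as one campaign on that path. Returns the
    alerts as a triage queue, highest score first."""
    idx = path_index()
    for a in alerts:
        a.score = score_alert(a, idx)
    for n, _p in enumerate(VALIDATED_PATHS):
        last_hop, members = -1, []
        for a in sorted(alerts, key=lambda x: x.ts):
            hops = [h for pn, h in idx.get(a.host, []) if pn == n]
            if hops and hops[0] > last_hop:
                last_hop = hops[0]
                members.append(a)
        if len(members) >= 2:
            for a in members:
                a.campaigns.append(f"path-{n}")
    return sorted(alerts, key=lambda a: -a.score)


if __name__ == "__main__":
    for a in correlate(parse_alerts(RAW_ALERTS)):
        print(f"{a.score:5.2f} {a.host:12} {a.source:4} {a.msg!r} {a.campaigns}")
```

With the constructed data the printer port scan, which a signature-only view would treat like any other IDS hit, lands last with a score of zero, while the file-server brute force, the changed sshd binary and the bulk export are grouped as one campaign along the validated Toronto-to-Boston path; in a real deployment the path list would come from the attack-path engine and the rule would run inside the SIEM.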
So in a nutshell, back to intelligence and the hierarchy of insights: driving common insights but in different contexts.