At CORE we’ve been working closely with clients on a different way to get ahead of the threat: not just getting ahead of it, but managing their security posture and helping them gain business-level commitment on security investments. I used to work in business intelligence, and the same performance management and predictive analytics framework can apply to security data and management.
Now here is the challenge, and an unfortunate secret I hear from the CISOs that I meet: they buy technology out of fear and greed. Someone in the IT department hears about a new virus or vulnerability, downloads and installs the latest patch, and they're done. Reactive big news gets a lot of attention. We go back to business as usual until the next time. Wikileaks happened at the State Department, and many US federal departments rushed out to get data leak prevention software. You are all in a similar boat. Whether you are the CIO, a telecom network exec, a business leader or the security leader, I think we all recognize that we need a different approach.

Here is what happens with all that spending. We think we are doing a good job, but now we have ended up with a new problem: all that stuff is actually creating more noise and distracting us from the real threat. What we really need is a system or platform that is proactive and predictive, a system that helps us manage, validate and correlate our data and alerts.
What is happening, and what is likely? Back to the interconnected nature of the attacks. We need to think like the attacker. CORE has been in business for 14 years, and we were the early pioneers of the approach now widely known as pen testing. Pen testing is a systematic approach to identifying weaknesses in already-deployed targets and exploiting those weaknesses. It is a vulnerability assessment followed by exploiting the vulnerabilities found during the assessment. “You are trying to break a system, without breaking the system.” What is unique about automated tools such as CORE Impact is that these are goal-oriented and multi-vector. After all, your critical assets aren’t just a web URL or a network; they are a collection of business, data and process which has multiple types of IT assets underneath. Pen testing simulates the actions of the attackers who exploit the weak links in the management software, not the SCADA devices which you think are air-gapped. And they think multi-surface across networks, web and endpoints, and use weak links like admin email and phishing to gain access to deeper privileges such as administrative, to burrow deeper into control systems or transmission layers.
That brings us to the next question in our framework: what really matters? Remember I talked about all the reactive and detective controls. So say you have an incident management system, or you went and invested in scanner or sniffing technology; pen testing is a great way to drill further and pivot in to figure out what is real. Here is what happens if you don’t: your security teams will spend precious time chasing false positives or noisy data while the attacks keep coming, and your downstream IT teams who are responsible for remediation will simply shut security out, because they don’t believe the threat is credible, plus they never have enough resources.
Here is an example from a lab under the Department of Energy. They were getting 82,000 signatures from their scanning technologies but only getting to 300. With a highly scalable and automated solution for security assessment and attack planning, this agency was able to pinpoint the 30 most exploitable vulnerabilities, saving both cost and effort in their security team and also the downstream IT remediation effort.
Finally, to the final question in our framework: how do we convey risk to the board and management? CORE solutions have been critical in driving performance-management-like best practices for security. First, the CISO or director can continuously test and report the status of the safeguards, whether or not they're working, and capture the trending. From a performance viewpoint these guys want to fix or remediate the most critical exposures, managing the workflow with IT on the most critical priorities. Also, the thing about vulnerability is that change in the IT environment is constant, so it is about keeping on top of what is most critical at any given time. Last, CISOs are eager to have something that they can take to their Monday morning meeting with their boss, whether it is the CIO or the chief compliance or audit team. We relate the technical language to the business systems or domains, e.g. network centers, operations, labs, enterprise systems such as call centers, and of course the critical networks that form the support infrastructure of the transmission and power distribution. I.e., the basic discussion is what a vulnerability, or red on the asset heat map, means in terms of continuing operations, safety of personnel, impact to customer services, or potential disruptions, and having a clear pulse on that at all times.
Thanks Vickie. I'll shift gears a little bit and tell you a little about Core Security, which is the solution Vickie talked about, and where we got started. We are an interesting company in that we are a 14-year-old start-up. We were founded in BA, actually by the security team of the equivalent of the IRS of Argentina, and these are the guys that pioneered ethical hacking; the first product, which is still a leading tool for red team and pen testing teams today, is CORE Impact. 3 years ago we decided to take the smarts of the tool, our vulnerability research and this entire notion of multi-vector attack planning and pivoting, and develop an enterprise platform and solution for security vulnerability management. Think about multiple or simulated ethical hacking that is really looking at the next attack window. The simplest analog is the game of chess: the rules of the game are known, and normal players can follow the rules and make the moves play by play. What we are about is being the more strategic chess player, who can look at a board and predict not only their moves but their opponent’s moves, probably 8-9 plays in advance.
Step 1: Getting an understanding of your overall environment. This is the technical infrastructure: everything is an asset, web app, email and servers. We can take this from a configuration database, or you might have this already as part of your security scans. We also collect the security scan information, and in subsequent steps I’ll show how we correlate that information in the analysis.

Step 2: This is where the business requirements get introduced. Let’s define the goals of your campaign, i.e. defining the assets which are the crown jewels you think attackers want to get to. So for retailers, ecommerce and payments players this is typically credit card data; for HC, patient records; and for you in financial services it is the critical perimeters of the money movement applications, web portals etc. You set up the campaign frequency (daily, weekly, 15 days), giving you the situational awareness.

Step 3: Here is where CORE’s IP really shines. We calculate the attack path, or the multi-point or multi-pivoted path of the attacker. The state of the art until recently was scanners, web and network, but we got a ton of data, and it simply wasn’t even practical to patch even the category 1 findings; plus the criticality from a technical sense didn’t necessarily mean it was truly exploitable, or something that is not as critical from a technical perspective could actually be a gateway to the ultimate vulnerability on a machine with your crown jewels. Another thing we found is attackers don’t attack or exploit machines just because there is a vuln. They look for the window and easier paths. There are multiple paths and factors: chance of discovery, chance of being successful. Now try doing this at scale and automated. Mathematically this is what they call an NP-hard problem in computer science, to actually find the optimal paths, because each decision point has multiple and unique factors: a least-cost cyclic route through all nodes of a weighted graph.
This is commonly known as the traveling salesman problem. We have developed AI algorithms which heuristically determine the most likely paths. Moving along, in cases where we can, we can actually test the exploit. Note that most banks and ecommerce clients don’t allow live exploits against production systems, and they are happy with the simulation results. Finally, change management: people do silly things; someone in the Denver office puts up a new server with default password/admin credentials, and Insight will adjust, taking the new environment into account. And then finally we have multiple levels of dashboards for directors, executives and IT to track the security and VM posture.
So what we have built today, with the solution underpinning I just walked through, are the complete aspects of an intelligent vulnerability management program, and what is critical is that there is intelligence, visualization and measurement at every step. Ed Ferrara actually called CORE’s dashboard out in his recent blog as one of many solutions out there. What I hear is the importance of measurement and alignment at every level, and the hierarchy of measurements: 1) let’s understand stuff down in the weeds in the CVEs, understanding which are truly real and then prioritizing; 2) next let’s understand whether IT actually fixed these and whether there is a clear workflow and path. I used to work a lot with CIOs, so the value really starts to resonate outside the walls of security, with your audit and IT dev guys and ultimately back to the business lines, when you can translate the security risk to your guys.
Next coming up is the evolution of Insight as a platform that provides security intelligence into the rest of your infrastructure. I know GRC vendors like RSA and Agiliance are here, as is IBM Q1 Labs. What we get asked about is where and how Insight fits in the rest of the existing security architecture. So we have a number of deployments underway where your peers are tackling separate aspects.

On one hand is your SOC, with the SIEM as the center of the universe collecting and correlating all that data. What even the state-of-the-art SIEM can’t do today is tell us what sophisticated attackers are thinking and what they’ll do before they do it. The data is also not relational, e.g. how does a Toronto incident on a file server lead to a compromise in the Boston office? Are they isolated incidents or part of a coordinated attack? We can integrate with a SIEM, and where people find the most value is the attack paths and validation of alerts: proving what is real and then feeding that intelligence, really key factors such as exploitability, asset value and impact, in the form of a correlation rule back into the SIEM. These correlation rules complement either the manual analysis done or some kind of statistical engine like a Splunk, which simply looks for pattern anomalies but doesn’t have the security context or the think-like-the-attacker mentality.

On the other hand is the audit and enterprise risk community, and their world is IT GRC systems. Many leading GRC systems have good VM modules, but again they can be quickly overwhelmed with data directly from a scanner. The AI engine allows you to spot gaps in the compliance framework and verify that controls and policies actually thwart the kinds of attacks they were designed to stop, and immediately provides documented proof. Vulnerability validation and proof of compliance or non-compliance against key controls makes it much easier to integrate and correlate, ultimately, to business impact and risk.
So in a nutshell, back to intelligence and the hierarchy of insights: driving common insights, but with different context.
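The attack-path calculation that Step 3 of the notes describes (a multi-pivot route from an attacker's foothold to a crown-jewel asset, weighted by how likely each step is, with the scanner's raw severity ranked behind what actually sits on a path) can be shown on a small graph model. The code below is an added example written for this page; it is not Core's code, not the Insight algorithm, and every asset name, vulnerability id, probability and asset value in it is constructed. It solves the simple exact case, the single most probable path to each goal, with Dijkstra's algorithm on -log(p); the heuristic search the notes mention for the general, harder problem is not reproduced here.

```python
import heapq
import math
from collections import defaultdict

# Constructed sample environment (hypothetical names and numbers, not from the
# page). Each edge means: with a foothold on `src`, exploiting `vuln` on `dst`
# gives the attacker a foothold on `dst` with probability `p`. The single
# probability folds together the two factors the notes mention, chance of
# discovery and chance of success.
EDGES = [
    ("internet",    "web-portal",  "V-1001", 0.7),
    ("internet",    "mail-gw",     "V-1002", 0.3),
    ("web-portal",  "app-server",  "V-1003", 0.6),
    ("mail-gw",     "workstation", "V-1004", 0.5),
    ("workstation", "app-server",  "V-1005", 0.4),
    ("workstation", "file-server", "V-1006", 0.9),
    ("app-server",  "card-db",     "V-1007", 0.5),
    ("file-server", "card-db",     "V-1008", 0.2),
    ("file-server", "hr-records",  "V-1009", 0.8),
]

# Scanner severity per finding (CVSS-style numbers, constructed). V-1010 is a
# "critical" finding on a host that no foothold can reach at all.
SEVERITY = {
    "V-1001": 7.5, "V-1002": 5.0, "V-1003": 6.5, "V-1004": 5.5, "V-1005": 6.0,
    "V-1006": 4.0, "V-1007": 8.0, "V-1008": 7.0, "V-1009": 5.0, "V-1010": 9.8,
}

# Crown-jewel assets (the campaign goals of Step 2) with a business value weight.
CROWN_JEWELS = {"card-db": 100, "hr-records": 40}


def most_likely_paths(edges, start):
    """Most probable multi-pivot path from `start` to every reachable asset.

    A path's probability is the product of its step probabilities, so
    maximising it is a shortest-path problem with edge cost -log(p).
    Returns {asset: (path_probability, [vuln ids exploited along the path])}.
    """
    adj = defaultdict(list)
    for src, dst, vuln, p in edges:
        adj[src].append((dst, vuln, p))
    best = {start: (0.0, [])}          # asset -> (cost so far, vulns used)
    heap = [(0.0, start, [])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                   # stale heap entry, a cheaper one won
        for dst, vuln, p in adj[node]:
            new_cost = cost - math.log(p)
            if dst not in best or new_cost < best[dst][0]:
                best[dst] = (new_cost, path + [vuln])
                heapq.heappush(heap, (new_cost, dst, path + [vuln]))
    return {a: (math.exp(-c), vulns) for a, (c, vulns) in best.items()}


def prioritise(edges, start, crown_jewels, severity):
    """Rank findings by the business exposure they sit on, not by raw severity.

    A finding's score is the sum, over crown jewels whose most likely path uses
    it, of path probability times asset value. Findings on no path score 0 and
    drop to the bottom whatever their severity number says; ties are broken by
    severity. Returns [(vuln id, score, severity), ...] in remediation order.
    """
    paths = most_likely_paths(edges, start)
    score = defaultdict(float)
    for asset, value in crown_jewels.items():
        if asset in paths:
            prob, vulns = paths[asset]
            for v in vulns:
                score[v] += prob * value
    ranked = sorted(severity, key=lambda v: (-score[v], -severity[v]))
    return [(v, round(score[v], 3), severity[v]) for v in ranked]


if __name__ == "__main__":
    for asset, (prob, vulns) in most_likely_paths(EDGES, "internet").items():
        print(f"{asset:12s} p={prob:.3f} via {' -> '.join(vulns) or '(start)'}")
    print("remediation order (score, scanner severity):")
    for v, s, sev in prioritise(EDGES, "internet", CROWN_JEWELS, SEVERITY):
        print(f"  {v}  score={s:<6}  severity={sev}")
```

Run as a script, it lists the most likely path to each asset and then the remediation order. On the constructed data the card database is reached with probability 0.21 through the portal and application server, so V-1001, V-1003 and V-1007 come first, while V-1010, the highest scanner severity of all, lands last because it is on no path to anything that matters; that is the "gateway versus technically critical" point the notes make. Changing the environment (a new edge for a newly deployed server, as in the change-management remark) is a matter of appending to `EDGES` and re-running.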
FS-ISAC, FICO and Core presentation 10222012
Predictive Security Intelligence – Driving a Productive Partnership between security, audit and risk
Tuesday October 23, 2012, FS-ISAC Fall Summit
Vickie Miller, Sr. Director, Information Security, FICO
Seema Sheth-Voss, Director, Solutions Marketing, Core Security
Agenda
• Overview of FICO and security organization
• Security analytics journey at FICO
• Parallel between FICO’s business & challenges with security data
• CORE Insight solution and value
• Building a resilient and predictive security architecture
A bit about FICO
• Founded in 1956, FICO is a leading provider of credit scoring, decision management, fraud detection and credit risk score services.
• The concepts that are of interest include:
  − Multi-dimensional profiling capabilities
  − Neural networks
  − Adaptive analytics
  − Self-calibrating outlier analytics
  − Integration with man-made rules to detect anomalous activity
  − Integration with man-made rules to determine courses of action based on the output of machine-generated anomaly detection and the output of man-made anomaly detection
Security organization at FICO
• Application Security with static and dynamic code analysis
• Security Operations: logging, IDS/IPS, FIM, PVM
• Governance, Risk and Compliance: internal, external audits
Defense focused. Need to shift and evolve to Proactive and Predictive.
Challenges at FICO
Need for operational efficiency
• Multiple IT Delivery Models
• Cloud
• Challenges with SLAs
Need to protect our environment
• Risk and Compliance Pressure
• Need for scalability and automation in risk assessment, but with the ability to react quickly
• Cost of labor and lost opportunity cost
Challenge of internal communication
• Managing Up!
• Communicating across the matrix and the globe
Parallels between our business and my team
• FICO’s business uses advanced predictive analytics in the transaction stream to prevent fraud loss.
• Security uses Snort rules and packet inspection to detect anomalous activity.
• FICO uses a consortium of data & real-time input to detect the changing nature of fraud (Card Alert – Michaels).
• Millions and millions of log files looking for event correlations.
Security organizations lack preventative or predictive tools that other businesses have.
Predictive Security Intelligence: taking a performance- and analytics-driven approach
• What is happening? Why?
• What is likely?
• What really matters, and what doesn’t?
• What should we do about risks?
• How do we convey the risk to get action?
Layered controls at each part of the technology stack, but no correlation
• The vast majority at the management software layer are built to defend, react or monitor
• This model has inherent gaps:
  − Overwhelming amounts of data
  − Little correlation / communication between solutions
  − By the time alerts go off, it’s too late
FICO’s solution: What is likely to happen? Understand security posture before a breach happens.
• Visualize the most likely attack paths to crown jewel assets or data
• Focus on the most critical vulnerabilities which have business or reputation impact
What really matters? Get above the noise of the security data. Challenge: false positives, and making sense of the noise.
The cycle:
• Incident and Scan data: discover assets, collect incident and other data, and scan for vulnerabilities
• Simulate or Test: identify and prove critical exposures
• Remediation: apply patches and scan for updates
• Repeat: validate fix effectiveness
Value of getting above the noise of data
Before:
• Small security staff
• Needed to scale and enhance testing, understand risk to most critical assets
• Getting 82,000 vulnerability signatures from scanner
• Yet only working on 300 results due to resource constraints (hopefully the right 300?)
• Yearly vulnerability management cost: $144,000
• Yearly remediation/patch management estimate at 300 tickets passed to IT: $700,000
After:
• Proactively determine attack path across 1000 assets
• Identified the 30 most critical exploitable vulnerabilities of the 82,000 worth addressing first
• Prioritize & validate vulnerabilities
Savings:
• VM costs per year: $43,200
• Trouble tickets passed: ~30
Conveying risk & prompting action: a balancing act between risk reduction and making security “easier” and cost efficient
• Compliance Officer: “Security needs to be an enabler, but checkbox mentality creates a divide.”
• Chief Risk Officer: “Security metrics need to be conveyed in language of enterprise risk.”
• Audit Officer: “We need security to let us know whether controls are in place and working.”
Business Technology:
• CISO: “We’re spending a lot on tools, but I can’t say whether we’re improving our overall security posture …”
• Security Director: “Our security data contains over X million records, but it’s difficult to determine what is truly most vulnerable.”
• VP of IT: “The business needs new functionality, but my team is fixing things that may not even be real.”
• Pen Test Team: “We have the best team, but we can’t scale, and periodic assessments quickly become outdated.”
What should we do with security data? Enabling performance-management-like best practices for security
• Security Metrics and Reporting with Continuous Assessment
  − Status of the safeguards
  − Trending
  − Change management
  − Hand-off to remediation systems
• Enterprise Risk Management
  − Business continuity
  − Reputation
Core Security – Our journey to Security Intelligence
• Leading provider of predictive security intelligence solutions
  − Established: 1996; first commercial product: Core Impact, 2001
  − Headquartered in Boston, CoreLabs in Buenos Aires
  − 1,400 customers, ~200 employees
• Diverse, experienced organization driving segment leadership
  − Experienced management; backgrounds include Sophos, CA, Symantec, Seagate, IBM
  − Active Customer Advisory Board and Core Customer Community group
  − Consistent award recognition from industry groups and media
• Groundbreaking research & product development
  − Leading-edge consulting services bring field experience
  − CoreLabs vulnerability research team world renowned
  − 9 patents approved / 12 pending
CORE’s security intelligence solution in action
1. Environment Profiling and security data collection: tell Insight about your environment.
2. Campaign Definition: you define critical IT assets (aka goals), scope and timing.
3. Threat Planning and Simulation: Insight calculates likely attack paths to your defined assets.
4. Threat Replication: Insight attempts to exploit vulnerabilities along the paths. Security Verified!
5. Adaptive Path Adjustment: Insight seeks new paths as systems are compromised.
6. Infrastructure Change: campaigns can automatically adapt as you deploy new systems. New system added to environment! Security Verified!
7. Dashboard / Reporting: Insight presents findings in terms relevant to your organization.
CORE Insight: Start improving the effectiveness of your vulnerability management program
“Based on what I outlined above I see this type of dashboard capability as a real need for security officers. As I like to say: ‘You get what you measure.’ Metrics change behaviors; that’s their value. Sharing those measurements so people know the value of your efforts is a best practice.” – Ed Ferrara, Forrester blog in ComputerWorldUK Blog, October 8, 2012
CORE Insight Platform tomorrow – Predictive Intelligence to your existing security ecosystem
• Security Suite (Firewall, Vuln Scan, IDS/IPS, DLP) feeds Security Data into CORE Insight Enterprise
• SIEM sends Alerts to be Validated to CORE Insight Enterprise
• CORE Insight Enterprise: Threat Path and Vector Analysis; Vulnerability Threat Validation
• Validated results flow on to GRC
Intelligence and Measurement drives cross-organizational partnership
• Security Team: streamline workflow and correlate data across multiple vulnerability management tools
• Audit and Compliance: validate vulnerabilities and test controls
• Operational Risk Officer: convey cyber risk in operational terms
• VP of IT: track remediation and fix the right things
Strike the Balance: let’s predict to keep bad guys out & make better decisions, and not ‘break the bank’.