Selex ES at Le Bourget 2013 Cyber Partnership

  1. Multinational Cybersecurity Partnerships & Alliances: Building & Managing a Comprehensive Computer Incident Response Capability
  2. Outline of our talk
     - Introductions
     - Starting with Protection & Defence
     - Scope and ambition of CIRC
     - Approach to tooling
     - The need for collaboration
  3. February 2012: British-led consortium; 28 Nations; 22,000 users; October 2013: FOC
  4. We help clients that are key national organisations
  5. The risks our clients run from data loss, theft or cyber attack are serious to existential:
     - Ability to recover
     - Human Safety
     - Accreditation Status
     - Reputation
     - Financial control
     - Ability to perform
     - Intellectual Property
  6. Extent of security measures required = level of threat X level of vulnerability
     - Level of threat: understanding the threat actors, methods and history
     - Level of vulnerability: understanding the technical vulnerabilities and weaknesses in security governance and user habits
     - This product drives the nature and extent of measures required to achieve the desired security
     - The services we provide depend on the problem we find
  7. Selex ES cyber services are a coherent set, designed to address threats and resolve vulnerabilities
     - Diagram headline: Competitive Advantage. Information Superiority.
     - Goals: Aware, Deter, Detect & Resist, Defend
     - Service areas: Assess, Confirm, Protect, Implement, Assure, Respond
     - Services listed: Audit; Discovery; Health Checks; Policy; Training; Accreditation support; Design, build, operate secure systems; Protective Monitoring Services; Investigation; Forensics
  8. Northrop Grumman Approach to Cybersecurity: Full Dimensional Assurance Blueprint
     - Ensure: The Mission; Protect: The Data; Continuously monitor: The Network
     - People and Processes; Technology
     - Enhanced automation; Temporal improvement; Information protection strategy; Risk based approach; Data centric protection; Application integrity; Adaptive architecture; Continuous situation awareness & response
     - Integrated and Continual Improvements
     - It's how we view our job for our networks and our customer's networks
  9. The Northrop Grumman Cybersecurity Operations Center (CSOC). Computer Network Defense Activities:
     1. Monitoring: monitors the NGGN and related devices for signs of malicious activity
     2. Vulnerability Management: security risks and ensuring appropriate remediation
     3. Patch Management: rapid deployment of vendor provided fixes to identified vulnerabilities
     4. Forensics: information security post-incident analysis
     5. Incident Response: rapid response to malicious activity on the NGGN and related environments
     6. Cyber Threat: analysis of emerging threats to the NGGN and related environments
     7. Sector: sector-specific computer network defense requirements
     (LD-CA-BOK-004, Rev. 16, March 2013, ISHQ-2013-0024)
  10. Don't start by building a CIRC. Instead, analyse your enterprise vulnerabilities:
      - People: yours, your suppliers and partners and your customers
      - Processes
      - Organisation
      - Leadership and governance
      - Physical sites
      - Data
      - Applications
      - Information and telecoms infrastructure and bought-in services
      - Your security maturity (e.g. ISO 27001)
  11. Getting the house in order. Probably not enough: implementation of an appropriate defensive suite:
      - automated vulnerability scanning
      - ICT infrastructure and systems log collation and storage
      - IDS/IPS and associated log collection
      - potentially, a spectrum of active protective monitoring:
        - Security Information and Event Management
        - Full Packet Capture
        - Deep Packet Inspection
        - associated management, storage and alerting / reporting service level
      (Credit: Active Audit Agency: Ukraine)
  12. Scope and ambition. Assuming your vulnerabilities are managed, it depends on the threat you face and your freedom of movement.
  13. Typical Threat World (Offense). Timeline diagram along a Time axis.
      - Milestones: Attacker Surveillance; Target Analysis; Attack Set-up; Attack Begins; Access Probe; System Intrusion; Attack Complete; Packaging; Exfiltration; Modification; Cover-up Complete
      - Phase labels: Performing Reconnaissance; Affecting The Attack; Executing The Mission; Covering The Tracks
  14. Typical Threat World (Defense). Timeline diagram along a Time axis.
      - Milestones: Attack Forecast; Physical Security; Intrusion Detection; Analysis Begins; System Reaction; Damage Identification; Recovery
      - Phase labels: Defender Reconnaissance; Entry Monitoring & Control; Impact Analysis; Response; Threat Analysis; Attack Identified; Preparing the Defense; Monitoring For an Attack; Triage and Situation Assessment; After Action
  15. It Doesn't Always Line Up. The offense and defense timelines of slides 13 and 14 are drawn against the same Time axis. The gap between the attack beginning and the defender's action is marked "Attacker Free Time"; the defender's own span is marked "Defender Action Time". Annotation: "Reduce This By moving/shrinking this", i.e. shrink the attacker's free time by moving defender action earlier and shortening it.
  16. Factors affecting your response posture:
      - Your legal entitlement (you have heard this today!)
      - Cost of maintaining the capability
      - The return on investment you would expect (consider insurance!)
  17. Approach to tooling:
      - Detection
      - Incident management
      - Analysis
      - Active response or reporting to Authority
      - Evidence management
      - Not forgetting the people!
  18. Layered Cybersecurity Defense Framework: Computer Network Defense, Defense-In-Depth, The Fan™ (© 2013 Northrop Grumman Corporation; "The Fan™" - Layered Cybersecurity Defensive Reference Model). The diagram arranges the following controls in layers between the OUTSIDE THREAT / Inside Threats and the Mission Critical Assets:
      - Perimeter Firewall; Perimeter IDS/IPS; Advanced Sensor; Honeypot; Message Security (anti-virus, anti-malware); DLP; Secure DMZs
      - Application Security; Malware Analysis; NAC/Endpoint Profiler; Enclave Firewall; DLP; Wireless/Mobile Protection; Web Proxy Content Filtering; Enterprise IDS/IPS; VoIP Protection; Virtual Network Security; Enterprise Message Security; Enterprise Remote Access
      - Endpoint Security Enforcement; DLP; Desktop Firewall; Host IDS/IPS; Content Security (anti-virus, anti-malware); Patch Management; USGCB Compliance
      - SIEM; Digital Forensics; Security SLA/SLO Reporting; Escalation Management; Focused Ops; SOC/NOC Monitoring (24x7); Incident Reporting, Detection, Response (CIRT); Security Dashboard; Continuous Monitoring and Assessment; Situational Awareness; Vulnerability Assessment
      - Security Awareness Training; Continuous C&A; IT Security Governance; Security Policies & Compliance; Security Architecture & Design; Threat Modeling; Penetration Testing; Cyber Threat Intelligence; Security Technology Evaluation; Risk Management Framework
      - WAF; Static App Testing/Code Review; Database Secure Gateway (Shield); Database Monitoring / Scanning; Dynamic App Testing
      - DAR/DIM/DIU Protection; Data Wiping Cleansing; PKI; FICAM; Enterprise Right Management; DLP; Data Classification; Data/Drive Encryption; Data Integrity Monitoring
      - Acronyms & Abbreviations: DAR: Data At Rest; DIM: Data In Motion; DIU: Data In Use; DLP: Data Loss Prevention; IDP: Intrusion Detection and Prevention; FICAM: Federal Identity Credential and Access Management; NAC: Network Access Control; PKI: Public Key Infrastructure; SIEM: Security Information Event Management; USGCB: US Govt Configuration Baseline
  19. Why COTS Security Will Always Be a Step Behind. Well funded adversaries have access to the same technologies as the defenders: the Advanced Adversaries' Attack Tool Test Environment is built on the same products as the Defender's COTS-based Security Architecture.
  20. Good Guys Have Some Ways to Level the Field
      - Behavioral analytics (who talks and works with who)
      - Partnerships for threat information sharing
      - Threat intelligence team augmentation
      - Custom file analysis
      - Custom monitoring of network traffic for C2 channels
      - Organizational agility to respond to changing threat tactics
      (The Fan™ diagram from slide 18 is repeated, with the Mission Critical Assets at its centre.)
      Defenders Have to Be Right Every Time… The Field Can Be Leveled by Leveraging Information Available Only to the Defender
  21. The need for collaboration: the value of developing and sharing intelligence, securely. The common theme across EU, NATO, other nations and Industry bodies globally.
  22. Towards Cyber Systems Interoperability: STIX: Structured Threat Information eXpression Language
      - Diagram of the STIX v1.0 core constructs: Campaign, TTP, ThreatActor, ExploitTarget, COA, Incident, Observable, Indicator
      - Relationships drawn between them (each [*] denotes a multi-valued relationship): Associated Campaigns[*]; Historical Campaigns[*]; Associated Actors[*]; Related Incidents[*]; Related Threat Actors[*]; Potential COAs[*]; Exploit Targets[*]; Leveraged TTPs[*]; Related Indicators[*]; Related TTPs[*]; Observed TTPs[*]; Attribution[*]; Indicated TTPs[*]; Observables[*]; Sub-Observables[*]; COA Taken[*]; COA Requested[*]; Suggested COA[*]
      - Source: MITRE Structured Threat Information eXpression (STIX) v.1.0
      - Source: CJCS/NATO Joint Terminology for Cyberspace Operations