
Keynote Information Security days Luxembourg 2015



Keynote on why you should make Infosec a board level strategic item, how you should raise it to this level and how to approach Information Security strategically

  1. World’s biggest Hack?
     • Was their security ”make believe”?
  2. Me
     • Father of 3, happily married.
     • I work for a Bank. Am also independent IT/Infosec consultant. Any opinions presented here are my own and do not represent my employer.
     • Contributor to ”@TheAnalogies project”, making IT and Infosec understandable outside the echo chambers
     • Member of the I am the Cavalry movement – trying to make connected devices worthy of our trust
     • @ClausHoumann
     • I present on security a lot at conferences -> Find my work on slideshare
  3. What is a keynote?
     • Painting the big picture
     • Strategic views -> Not Tactical view
  4. The big picture
     • Existing tools, and even Next-Generation APT tools, have limits/are broken:
       – Examples: https://blog.mrg-effitas.com/wp-content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
       – He created the stupidest malware imaginable. No one detected it.
       – http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
       – Paul Jung -> Present here today -> shows how easily malware can detect sandboxes
  5. The big picture
     • No silver bullets exist. Beware of the phrases:
       – ”Counter any threat”
       – ”Detect any malware”
       – ”You only need our solution”
     • Proceed with caution – VPT (vendor persistent threat)
  6. The big picture
     • That being said, many awesome vendors and products are present today! There is no #Infosec without them
     • They have my respect
  7. Solar Eclipse?
  8. Doing it wrong (Source: Stefan Esser)
  9. Source: With permission from Daniel Miessler @danielmiessler
  10. And my own version
  11. Doing it right
     • EURODNS in Luxembourg has just made it possible for each client to get an SSL certificate for their website for free
     • This simple change makes a difference
  12. The job of the enterprise defender:
     • Trying to not purchase crappy products (Lemons -> Source: Haroon Meer @wearetroopers)
     • While trying to build a real skilled defense
  13. It’s an asymmetrical conflict (image: X-wing)
  14. Compliance Is NOT Security
     • Compliance is preparing to fight a war
     • Using antiquated weapons
     • Against enemies of decades past
  15. Why worry now?
     • Companies that get hacked are fine...look at Sony, Target, Apple etc. -> stock prices not affected, end users don’t care.
       – Breaches and lawyer expenses following these are an acceptable cost of doing business
       – Right?
       – No, maybe not anymore...next slide
  16. Board Level Attention required, NOW!
     • EU Data protection regulation:
       – Mandatory breach reporting within 72 hours
       – 5% of revenue as fine possible
     • Threat level increasing sharply
     • Attack surface increasing (think IoT, BYOD)
  17. Want to beat asymmetry? Here’s how:
     • A strategic approach to security leveraging methods that work
  18. Pyramids – This one is Joshua Corman’s.
     Pyramid layers, from the foundation up: Defensible Infrastructure, Operational Excellence, Situational Awareness, Countermeasures
  19. The Foundation: Defensible Infrastructure
     • Software and Hardware built as ”secure by default” is ideal here. Rugged DevOps.
     • Your choices of tech impact you ever after
     • You must assemble carefully, like Lego
     • Without backdoors or Golden Keys!
  20. Mastery: Operational Excellence
     • Master all aspects of your Development, Operations and Outsourcing. Train like the Ninjas!
     • DevOps (Rugged DevOps)
     • Change Management
     • Patch Management
     • Asset Management
     • Information classification & localization
     • Basically, all the cornerstones of ITIL. You name it. Master it.
  21. Gain the ability to handle situations correctly – Floodlights ON: Situational Awareness
     • ”People don’t write software anymore, they assemble it” – Quote Joshua Corman.
       -> Know which lego blocks you have in your infrastructure
       -> Actionable threat intelligence
       -> Automate as much as you can, example: IOCs automatically fed from sources into SIEM with alerting on matches
     • Are we affected by Poodle? Shellshock? WinShock? Heartbleed? Should we patch now? Next week? Are we under attack? Do we have compromised endpoints? Are there anomalies in our LAN traffic?
  22. Counter that which you profit from countering: Countermeasures
     • Decrease attacker ROI below critical threshold by applying countermeasures
     • Most Security tools fall within this category
     • Limit spending until you’ve laid the foundational levels of the pyramid
     Footnote: Cyber kill chain is patented by Lockheed Martin.
  23. Mapping to other strategic approaches
     Pyramid layers (Defensible Infrastructure, Operational Excellence, Situational Awareness, Countermeasures) mapped against Lockheed Martin’s patented Cyber Kill Chain and Nigel Wilson’s approach -> @nigesecurityguy
  24. Defensive hot zones
     • Basketball and other sports analysis ->
       – FIND the HOT zones of your opponents.
     • Defend there.
  25. Defensive hot zones
     • Basketball and other sports analysis ->
       – FIND the HOT zones of your opponents.
     • Defend there.
  26. Hot zones!
     • You need to secure:
       – The (Mobile) user/endpoints
       – The networks
       – Data in transit
       – The Cloud
       – Internal systems
     Sample protections added only, not the complete picture of course
  27. Best Practices – High level
     • Create awareness – Security awareness training
     • Increase the security budget
       – Justify investments BEFORE the breach.
       – It’s easier when you’re actually being attacked. But too late.
     • Use the Cyber Kill Chain model or Nigel Wilson’s ”Defensible Security Posture” to gain capability to thwart attackers
     • Training, skills and people!
  28. Hot zone 1: A real world PC
     • Microsoft EMET 5.2
     • Java
     • Adobe Flash Player/Reader
     • AV
     • Executable files kill you, so use:
       – Adblocking extension in browser
       – Advanced endpoint protection solutions
       – Secure Web Gateway
       – White listing, black listing
       – No admin credentials left behind
     And then cross your fingers
  29. Hot zone 1, more
     • PC defense should include:
       – Whitelisting
       – Blacklisting
       – Sandboxing
       – Registry defenses
       – Change roll-backs
       – HIPS
       – Domain policies
       – Log collection and review
       – MFA
       – ACLs/Firewall rules
       – Heuristics detection/prevention
       – DNS audit and protection
  30. Hot zone 2: The networks
     • Baselining everything
     • Spot anomalies
     • Monitor, observe, record
     • Advanced network level tools
     • Test your network resilience/security with Ixia BreakingPoint. Ask me for free test licenses.
     • Network Security Monitoring (NSM)
     • Don’t forget the insider threat
  31. Hot zone 3+4: Data in Transit/Cloud
     • Trust in encryption
     • Remember you secure what you put in the cloud. The Cloud provider doesn’t
     • Great new mobile collaboration tools exist
     • SaaS monitoring and DLP tools exist -> ”CloudWalls”
     • Cloudcrypters
     • CloudTrail, CloudWatch, Config-log/change-trackers, vuln.mgmt
     • Story about the Vulnerability patched during Bash/Shellshock public confusion period
     • And this for home study: https://securosis.com/blog/security-best-practices-for-amazon-web-services
  32. Cloud
     • Segmentation
     • Compartmentalisation
     • Need to know
  33. Cloud
     • Concentration risk
     • Secure the administrative credentials and APIs
     • ENISA:
       – https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
       – https://resilience.enisa.europa.eu/cloud-computing-certification
     • A funny story about cloud certification providers hacking me
  34. Best practices
     • Use EMET
     • Use ad-blockers
     • Use advanced endpoint threat prevention solutions
     • Use ”Adversary mind-set” and threat modeling
  35. A more defensible infrastructure
     • Avoid expense in depth
     • Research and find the best counter measures
     • Open Source tools can be awesome
     • Full packet capture and Deep packet inspection/Proxies for visibility
     • KNOW WHAT’S GOING ON IN YOUR NETWORKS
     • Watch and learn from attack patterns
  36. Best practices – Mitigate risks (Source: Dave Sweigert)
  37. Automate Threat Intelligence IOC
     • Use multiple IOC feeds
     • Automate daily:
       – IOC feed retrieval
       – Insertion into SIEM
       – Correlation against all-time logfiles
       – Alerting on matches
       – Manual follow-up on alerts
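The daily IOC loop the keynote sketches on slides 21 and 37 (pull several feeds, de-duplicate, correlate against logs, alert on matches, queue the rest for manual follow-up), written out as an added example that is not part of the keynote or of any product it names. It assumes a constructed feed format of `type,value,source` lines and constructed proxy, DNS and AV log lines in `key=value` form, all embedded so the script runs offline; a real pipeline would download the feeds and push the matches into the SIEM instead of returning them.

```python
"""Added example: correlate indicators from several IOC feeds against logs.

Not from the keynote. The feed format ('type,value,source' per line), the
log line shapes and every indicator value below are constructed for this demo.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed feeds. The same domain appears in both with different casing,
# so normalisation and de-duplication across feeds are exercised.
FEED_A = """\
# type,value,source
domain,evil-updates.example,feed-a
ip,198.51.100.23,feed-a
sha256,3f786850e387550fdab836ed7e6dc881de23001b0123456789abcdef01234567,feed-a
"""
FEED_B = """\
domain,EVIL-UPDATES.example,feed-b
ip,203.0.113.7,feed-b
domain,cdn.legit.example,feed-b
"""

# Constructed log lines in key=value form: proxy, DNS and AV events.
LOG_LINES = [
    "2015-03-10T08:01:02Z proxy client=10.0.0.5 dst=198.51.100.23 host=www.example.org status=200",
    "2015-03-10T08:01:09Z dns client=10.0.0.7 query=evil-updates.example. answer=203.0.113.7",
    "2015-03-10T08:02:11Z proxy client=10.0.0.9 dst=93.184.216.34 host=www.iana.org status=200",
    "2015-03-10T08:03:45Z av client=10.0.0.5 sha256=3F786850E387550FDAB836ED7E6DC881DE23001B0123456789ABCDEF01234567 verdict=clean",
]

# Which log fields carry which kind of observable (constructed schema).
FIELD_KINDS = {"dst": "ip", "answer": "ip", "host": "domain", "query": "domain", "sha256": "sha256"}
TOKEN_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "domain" or "sha256"
    value: str       # normalised value
    sources: tuple   # names of every feed that reported it


def normalise(kind, value):
    """Canonicalise a value so feed entries and log fields compare equal.
    Raises ValueError on malformed input so a bad feed line cannot poison
    the index silently."""
    value = value.strip().lower()
    if kind == "ip":
        value = str(ipaddress.ip_address(value))
    elif kind == "domain":
        value = value.rstrip(".")            # DNS logs often append the root dot
    elif kind == "sha256":
        if not re.fullmatch(r"[0-9a-f]{64}", value):
            raise ValueError(f"not a sha256: {value}")
    else:
        raise ValueError(f"unknown indicator kind: {kind}")
    return value


def load_feeds(feed_texts):
    """Merge several feeds into one de-duplicated set of Indicators."""
    merged = {}
    for text in feed_texts:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            kind, value, source = (p.strip() for p in line.split(",", 2))
            merged.setdefault((kind, normalise(kind, value)), set()).add(source)
    return {Indicator(k, v, tuple(sorted(s))) for (k, v), s in merged.items()}


def extract_observables(line):
    """Pull (kind, value) pairs out of one log line; unmapped fields are ignored."""
    found = set()
    for key, raw in TOKEN_RE.findall(line):
        kind = FIELD_KINDS.get(key)
        if kind is None:
            continue
        try:
            found.add((kind, normalise(kind, raw)))
        except ValueError:
            continue                         # garbage in a log field is not a match
    return found


def correlate(indicators, log_lines):
    """Return one alert per (indicator, log line) match, ready for SIEM alerting."""
    index = {(i.kind, i.value): i for i in indicators}
    alerts = []
    for line in log_lines:
        m = re.search(r"\bclient=(\S+)", line)
        client = m.group(1) if m else "unknown"
        for obs in sorted(extract_observables(line)):
            hit = index.get(obs)
            if hit is not None:
                alerts.append({"kind": hit.kind, "indicator": hit.value,
                               "sources": hit.sources, "client": client, "line": line})
    return alerts


def follow_up_queue(alerts):
    """Group alerts by client for the manual follow-up step, busiest client first."""
    by_client = {}
    for a in alerts:
        by_client.setdefault(a["client"], []).append(a)
    return sorted(by_client.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    found = correlate(load_feeds([FEED_A, FEED_B]), LOG_LINES)
    for client, hits in follow_up_queue(found):
        print(f"{client}: {len(hits)} hit(s)")
        for a in hits:
            print(f"  {a['kind']} {a['indicator']} (feeds: {', '.join(a['sources'])})")
```

Two details matter in practice: indicators are normalised before they go into the index (case, trailing dots, IP text form), since a SIEM match that is case-sensitive silently misses the AV line above; and an indicator reported by several feeds keeps every source, so the analyst doing the manual follow-up sees corroboration rather than four copies of the same alert.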
  38. You need to ally up!
     • Security and Infrastructure aren’t enemies
     • Security and the office of the CIO aren’t enemies
     • Ally up & Bromance!
  39. And the unexpected extra win
     • Real security will actually make you compliant in many areas of compliance
  40. Q & A
     • Ask me questions, or I’ll ask you questions
  41. Sources used
     – http://www.itbusinessedge.com
     – Heartbleed.com
     – https://nigesecurityguy.wordpress.com/
     – Lockheed Martin’s ”Cyber Kill Chain”
     – Joshua Corman and David Etue from RSAC 2014 ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome”
     – Lego

Editor's Notes

  • Or join these
  • Paul Jung present & presenting
  • Paul Jung present & presenting
  • Paul Jung present & presenting
  • No, that’s not a moon. Perspective matters. Things are not as they seem.
  • The Egyptians built their pyramids from the bottom up, because that’s how you build pyramids. Start there!
  • Laying a secure foundation matters supremely. History proves this.
  • As with any art, practice makes master. So, Practice!
  • Automation is key for threat intelligence, threat detection and threat remediation
  • Don’t start by blindly buying tools; do the basics, master them and work from there
  • In reality, you will have AV, Java and others. And you probably cannot enforce killing all executables
  • In reality, you will have AV, Java and others. And you probably cannot enforce killing all executables
  • In reality, you will have AV, Java and others. And you probably cannot enforce killing all executables
