Successfully reported this slideshow.
Your SlideShare is downloading. ×

Presentation infra and_datacentrre_dialogue_v2

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Loading in …3
×

Check these out next

1 of 44 Ad
Advertisement

More Related Content

Slideshows for you (20)

Viewers also liked (11)

Advertisement

Similar to Presentation infra and_datacentrre_dialogue_v2 (20)

Recently uploaded (20)

Advertisement

Presentation infra and_datacentrre_dialogue_v2

  1. 1. World’s biggest Hack? • They’ve lost...everything • Was their security ”make believe”? • Can they survive?
  2. 2. Defending enterprise IT - Some best practices to mitigate cyber attacks Going Above and Beyond Compliance And staying away from Slide #1
  3. 3. About me • Father of 3, happily married. I live in Luxembourg • Head of IT for a Bank, and also independent IT/Infosec consultant. Any opinions presented here are my own and do not represent my employer. • CISO-as-a-service, CIO-as-a-service • Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses) • Member of the I am the Cavalry movement – trying to make connected devices worthy of our trust • @ClausHoumann • Find my work on slideshare
  4. 4. Cyber Security: ”State of the (European) Union” • Threats are abundant and on the rise • http://map.ipviking.com/ is a good way to illustrate/visualize this • Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp- content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf – http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
  5. 5. Cyber Security: ”State of the (European) Union” • Threats are abundant and on the rise • http://map.ipviking.com/ is a good way to illustrate/visualize this • Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp- content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf – http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf • The job of Enterprise-Defender is as much sorting through vendor bullshit, trying to not purchase crappy products while trying to build some actual skills • Tools are not the solution • No silver bullets exist
  6. 6. Infosec Vendors
  7. 7. Cyber Security: ”State of the (European) Union” • Threats are abundant and on the rise • http://map.ipviking.com/ is a good way to illustrate/visualize this • Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp- content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf – http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf • The job of Enterprise-Defender is as much sorting through vendor bullshit, trying to not purchase crappy products while trying to build some actual skills • Tools are not the solution • No silver bullets exist • It’s an assymetrical conflict
  8. 8. It’s an assymetrical conflict X-wing
  9. 9. Cyber Security: ”State of the (European) Union” • Threats are abundant and on the rise • http://map.ipviking.com/ is a good way to illustrate/visualize this • Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp- content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf – http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf • The job of Enterprise-Defender is as much sorting through vendor bullshit, trying to not purchase crappy products while trying to build some actual skills • Tools are not the solution • No silver bullets exist • It’s an assymetrical conflict • A lot of companies fail to focus on the basics • Train your people!
  10. 10. Train Harder And smarter
  11. 11. Cyber Security: ”State of the (European) Union” • Threats are abundant and on the rise • http://map.ipviking.com/ is a good way to illustrate/visualize this • Existing tools, and even Next-Generation APT tools dont work: – Examples: https://blog.mrg-effitas.com/wp- content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf – http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf • The job of Enterprise-Defender is as much sorting through vendor bullshit, trying to not purchase crappy products while trying to build some actual skills • Tools are not the solution • No silver bullets exist • It’s an assymetrical conflict • A lot of companies fail to focus on the basics • Train your people! • Do not rely on compliance for security
  12. 12. Compliance • Is • NOT • Security • Which any of you who ever attended a Security conference will have already heard • Compliance is preparing to fight yesteryears war
  13. 13. Want to beat assymetricality? Here’s how: • A strategic approach to security leveraging methods that work
  14. 14. Pyramids - This one is Joshua Cormans. Could be best definition of Defense-in-Depth Defensible Infrastructure Operational Excellence Situational Awareness Counter- measures
  15. 15. The Foundation Defensible Infrastructure Software and Hardware built as ”secure by default” is ideal here. Rugged DevOps. Your choices of tech impacts you ever after You must assemble carefully, like Lego Without backdoors or Golden Keys!
  16. 16. Mastery Operational Excellence Master all aspects of your Development, Operations and Outsourcing. Train like the Ninjas! DevOps (Rugged DevOps) Change Management Patch Management Asset Management Information classification & localization Basically, all the cornerstones of ITIL You name it. Master it.
  17. 17. Gain the ability to handle situations correctly – Floodlights ON Situational Awareness ”People don’t write software anymore, they assemble it” Quote Joshua Corman. -> Know which lego blocks you have in your infrastructure -> Actionable threat intelligence -> Automate as much as you can, example: IOC’s automatically fed from sources into SIEM with alerting on matches Are we affected by Poodle? Shellshock? WinShock? Heartbleed? Should we patch now? Next week? Are we under attack? Do we have compromised endpoint? Are there anomalies in our LAN traffic?
  18. 18. Counter that which you profit from countering • Decrease attacker ROI below critical threshold by applying countermeasures • Most Security tools fall within this category • Limit spending until you’re laid the foundational levels of the pyramid Counter- measures Footnote: Cyber kill chain is patented by Lockheed Martin.
  19. 19. Mapping to other strategic approaches Defensible Infrastructure Operational Excellence Situational Awareness Counter- measures Lockheed Martin patented Nigel Wilson -> @nigesecurityguy
  20. 20. Defense-in-Depth
  21. 21. Kill chain actions Source: Nige the security guy = Nigel Wilson
  22. 22. Defensive hot zones • Basketball and other sports analysis -> • – FIND the HOT zones of your opponents. • Defend there.
  23. 23. Defensive hot zones • Basketball and other sports analysis -> • – FIND the HOT zones of your opponents. • Defend there.
  24. 24. Hot zones! • You need to secure: – The (Mobile) user/ endpoints – The networks – Data in transit – The Cloud – Internal systems Sample protections added only, not the complete picture of course
  25. 25. Best Practices – High level • Create awareness – Security awareness training • Increase the security budget – Justify investments BEFORE the breach. – It’s easier when you’re actually being attacked. But too late. • Use the Cyber Kill Chain model or Nigel Wilsons ”Defensible Security Posture” to gain capability to thwart attackers • Training, skills and people!
  26. 26. Hot zone 1: Endpoints A safe dreamworld PC • Microsoft EMET 5.1 • No Java • No Adobe Flash Player/Reader • No AV (that one is for you @matalaz) • Kill all executable files on the Proxy layer (.exe .msi etc.) • (Not even needed but works if something evades the above): – Adblocking extension in browser – Invincea FreeSpace/Bromium Vsentry/Malwarebytes/Crowdstrike Falcon
  27. 27. Hot zone 1: A real world PC • Microsoft EMET 5.1 • Java • Adobe Flash Player/Reader • AV • Executable files kill you, so use: – Adblocking extension in browser – Invincea FreeSpace/Bromium Vsentry/Malwarebytes/Crowdstrike Falcon – Secure Web Gateway – White listing, black listing – No admin credentials left behind And then cross your fingers
  28. 28. Hot zone 1, more • PC defense should include: – Whitelisting – Blacklisting – Sandboxing – Registry defenses – Change roll-backs – HIPS – Domain policies – Log collection and review – MFA – ACL’s/Firewall rules – Heuristics detection/prevention – DNS audit and protection
  29. 29. Hot zone 2: The networks • Baselining everything • Spot anomalies • Monitor, observe, record • Advanced network level tools such as Netwitness, FireEye, CounterAct • Test your network resilience/security with fx Ixia BreakingPoint • Network Security Monitoring (NSM) • Don’t forget the insider threat
  30. 30. Hot zone 3+4: Data in Transit/Cloud • Trust in encryption • Remember you secure what you put in the cloud. The Cloud provider doesn’t • Great new mobile collaboration tools exist • SaaS monitoring and DLP tools exist -> ”CloudWalls” • Cloudcrypters • CloudTrail, CloudWatch, Config-log/change-trackers, vuln.mgmt • Story about the Vulnerability patched during Bash/Shellshock public confusion period • And this for home study: https://securosis.com/blog/security-best- practices-for-amazon-web-services
  31. 31. Cloud • Segmentation • Compartmentalisation • Need to know
  32. 32. Cloud • Concentration risk • Secure the administrative credentials and APIs • ENISA: – https://www.enisa.europa.eu/activities/risk- management/files/deliverables/cloud-computing-risk- assessment – https://resilience.enisa.europa.eu/cloud-computing- certification • A funny story about cloud certification providers hacking me
  33. 33. Hot Zone 5
  34. 34. Best practices • Use EMET • Use ad-blockers • Use advanced endpoint mitigation tools like Bromium Vsentry, Invincea FreeSpace, Malwarebytes, Crowdstrike Falcon • Identify potential attackers and profile them
  35. 35. A more defensible infrastructure • Avoid expense in depth • Research and find the best counter measures • Open Source tools can be awesome for example Suricata & Bro_IDS • Full packet capture and Deep packet inspection/Proxies for visibility • KNOW WHAT’S GOING ON IN YOUR NETWORKS • Watch and learn from attack patterns
  36. 36. Best practices - Mitigate risks Source: Dave Sweigert
  37. 37. Automate Threat Intelligence IOC • Use multiple IOC feeds • Automate daily: – IOC feed retrival, – Insertion into SIEM, – Correlation against all-time logfiles, – Alerting on matches • Example: Splunk Splice can do parts of this
  38. 38. You need to ally up! • Security and Infrastructure aren’t enemies • Security and the office of the CIO aren’t enemies • Ally up & Bromance! • Together, you can make things more defensible and retain usability
  39. 39. • 5G: The rise of the Android DDoS’er. 1 gbit/s connections from phones easily hacked. Obvious threat? • IPv6 – network reconnainsance surprisingly easily done: https://tools.ietf.org/html/draft-ietf-opsec-ipv6- host-scanning-04. Damn, no security through obscurity to get there • Countering Nation State Actors -> or more specifically their TTP’s becomes a MUST. Because the bad guys will learn from them & adapt their offense Future threat trends
  40. 40. And the unexpected extra win • Real security will actually make you compliant in many areas of compliance
  41. 41. Q & A • Ask me question, or I’ll ask you questions
  42. 42. Sources used – http://www.itbusinessedge.com – Heartbleed.com – https://nigesecurityguy.wordpress.com/ – Lockheed Martins ”Cyber Kill Chain” – Joshua Corman and David Etue from RSAC 2014 ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome” – Lego

Editor's Notes

  • Or join these
  • The Egyptians built their pyramids from the bottom up. Because, that’s how you build pyramids. Start there!
  • Laying a secure foundation matters supremely. History proves this
  • As with any art, practice makes master. So, Practice!
  • Automation is key for threat intelligence, threat detection and threat remediation
  • Dont start by blindly buying tools, do the basics, master it and work from there
  • In reality, you will have AV, Java and others. And you probably cannot enforce killing all executables
  • In reality, you will have AV, Java and others. And you probably cannot enforce killing all executables
  • In reality, you will have AV, Java and others. And you probably cannot enforce killing all executables
  • In reality, you will have AV, Java and others. And you probably cannot enforce killing all executables

×