This document provides an overview of Europol and its role in combating cybercrime. Some key points:
- Europol supports cooperation between member states to prevent and combat serious crimes affecting two or more countries, including terrorism and cybercrimes.
- Europol's EC3 division focuses on areas like decryption, financial cybercrime, and working with partners in law enforcement, industry, and academia.
- Recent Europol operations highlighted include Avalanche against botnets, and actions against major ransomware like WannaCry and NotPetya.
- Emerging threats discussed include the convergence of criminal groups from script kiddies to nation states in cyber space, as well as challenges of
8. Europol Classified – EU RESTRICTED
Europol’s Mandate
Headquarters: The Hague, Netherlands
“Europol shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy” (Europol Regulation)
9. Liaison Bureaux Network
Europol Liaison Officers in:
• Interpol IGCI
• Interpol IPSG
• Washington DC
10. EC3’s Core Areas of Responsibility
Decryption Facility
11. Multi-Faceted Approach to Countering Cybercrime
❖ Internet Security
❖ Financial Services
❖ Academic Advisory Network
❖ Cybercrime Prevention Network
❖ Communication Providers
❖ Forensic Expert Forum
SOCTA, IOCTA, Strategic Plans, Operational Actions, Evaluation
12. IOCTA 2018 – Key Threats & Trends
• Card-not-present fraud dominates payment fraud, but skimming continues
• DDoS continues to plague public and private organisations
• Ransomware retains its dominance
• Social engineering still the engine of many cybercrimes
13. Major Cross-Border Cyber-Attacks
• WannaCry Ransomware Attacks (May 2017)
• NotPetya Malware Attacks (June 2017)
14. Avalanche
• 5 arrests in 4 countries
• 37 searches in 7 countries
• 39 servers seized in 13 countries
• 221 servers taken offline
• 64 TLDs
• 800,000 domains in 26 countries
• Victim remediation in 189 countries
• Awareness raising and prevention
16. Convergence of Criminality
Script Kiddies, Serious Organised Crime, Nation States, Cyber Criminals
17. Joint Cybercrime Action Taskforce (J-CAT)
Identification of priorities, investigative opportunities, investigation
• 24/7 Permanent Taskforce
• Operating from Europol HQ together with EC3
• Chairmanship: Netherlands; Vice-Chairmanship: US FBI
• Taskforce Members: 17 LEA Agencies from 15 Member Countries (9 EU MS, 6 TP) + Europol’s EC3
18. EU Law Enforcement Emergency Response Protocol (LE ERP)
• To support the EU MS LEA in providing immediate response to major cyber-attacks (in line with nation-level crisis management mechanisms)
• To facilitate collaboration and coordination with other key players (public & private)
• To provide the law enforcement contribution to the EU crisis management structures
19. European Money Mule Action IV (Sep - Nov 2018)
❖ Cooperation with Eurojust, 30 countries, the EBF, 300+ banks and other private-sector partners
❖ Money muling awareness campaign #DontBeaMule to alert the public
❖ 26,376 money mule transactions reported (preventing losses of more than 36 million Euros)
❖ 168 arrested, 1504 money mules and 140 money mule organisers identified
20. No More Ransom
• 136 Partners
• Website available in 36 languages
• 68 tools capable of decrypting 99 ransomware families
• > 72,000 devices successfully decrypted
• 2017 SC Magazine Editor’s Choice Award
21. Scot in Europe – Perspective
• Single Police Force
• SBRC
• University/LE Cooperation
• Developing Industry
22. What can Scotland do?
• Scottish Business Resilience Centre
• Police Scotland Cyber Hubs
• Cyber Scotland: education, skills & awareness
29. POLITICAL LANDSCAPE CHANGING
• En garde! 'Cyber-war has begun' – and France will hack first, its defence sec declares
• Poland unveils details of plan for new cyber defence force
31. 90% of malware infections
Tuesday Versus Friday
1 : 20
72% of data breaches
44.
The Board: Cyber Awareness Training; Cyber Simulation Walk-throughs; Balanced Board reporting
The Executive: Cyber Awareness Training; Include Executive Assistants; Target internal Phishing Campaigns; Digital Footprinting
Employees/Leaders: Cyber Awareness Training; internal Phishing Campaigns; Video sound bites
Secure SDLC tooling; Gamification for apps developers
Customers/Supply Chain: Cyber Awareness Training; Video sound bites
83. Sophos History: Evolution to Synchronized Security
Years marked on the timeline: 1985, 1988, 1989, 1996, 2007, 2008, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2019
• Founded in Abingdon (Oxford), UK by Peter Lammer and Jan Hruska (c1985)
• First checksum-based antivirus software
• First signature-based antivirus software
• US presence established in Boston (1996)
• Voted best small/medium-sized company in UK
• Acquired ENDFORCE
• Acquired Utimaco Safeware AG (2008)
• Acquired Astaro
• Acquired DIALOGS
• Divested non-core Cyber business
• Acquired Cyberoam
• Acquired Mojave Networks
• Acquired Barricade
• IPO London Stock Exchange
• Launched Synchronized Security
• Acquired Surfright
• Acquired Invincea
• Acquired PhishThreat
• Acquired Reflexion
• Acquired Avid Secure
• Acquired DarkBytes
84. Synchronized Security: Better Security
Products: Wireless, Web, Email, UTM, Next-Gen Firewall, File Encryption, Disk Encryption, Endpoint, Next-Gen Endpoint, Mobile, Server, Analytics, User Training
• Unparalleled protection against advanced threats
• Significantly reduced incident response time
85. “No other company is close to delivering this type of communication between endpoint and network security products.”
– Chris Christianson, vice president of security programs, IDC
86. Proven Technology in Key Areas
• Gartner Magic Quadrant: Unified Threat Management (Magic Quadrant for Unified Threat Management, Jeremy D'Hoinne, Rajpreet Kaur, Adam Hils, 20 June 2017)
• Gartner Magic Quadrant: Endpoint Protection Platforms (Magic Quadrant for Endpoint Protection Platforms, Ian McShane, Avivah Litan, Eric Ouellet, Prajeet Bhajanka; 24 January 2018)
• The Forrester Wave™: Endpoint Encryption (The Forrester Wave: Endpoint Encryption, Chris Sherman, 16 Jan 2015)
89. Customer expectations are NOT being met
What Network Admins say are their top 3 complaints with their current firewall…
• Visibility: 45% of traffic is going unidentified on average
• Response: 7 days every month spent responding to and fixing infected systems
• Protection: 16 infections per month on average
Source: Survey conducted by Vanson Bourne, November 2017, of 2,700 IT decision makers in organizations from 100-5000 users in 10 countries across 5 continents
90. So what are these Expectations?
What REALLY scares the admin?
• Visibility: Cloud Apps Visibility, Unknown Apps, Reporting
• Protection: Ransomware Defence, Zero-day Exploits, Lateral Movement
• Response: Response Time, Co-ordinated Threat Defence
Source: Presenter’s own suppositions and musings
91. The Solution – Synchronized Security
Visibility – Key Advantages
✓ Synchronized Application Control
✓ CASB Cloud App and Data Visibility
✓ IoT Discovery and Classification (coming soon)
Protection – Key Advantages
✓ Deep Learning in Sophos Sandstorm
✓ Top-rated IPS Engine by NSS Labs
✓ IPS & App Control Smart Lists
New Networking, VPN, and Management Features
✓ Firewall Rule Management
✓ Policy Test Simulator
✓ Unified Log Viewer
✓ IKEv2 VPN Support and Template
✓ Wildcard FQDN Support
✓ Azure High Availability
✓ DUO Multi-factor Authentication
✓ Airgap Support (coming soon)
✓ Chromebook SSO (coming soon)
✓ Management of XG Firewall in Sophos Central
Response – Key Advantages
✓ Security Heartbeat
✓ Lateral Movement Prevention (coming soon)
94.
• Firewall app control is signature based
• The app world is constantly evolving
• Some apps intentionally change to avoid detection
• Some app traffic is too generic (HTTP/HTTPS)
95. An Elegant Solution: Security Heartbeat™ Synchronized App Control
(Diagram: Internet, XG Firewall, Sophos Endpoints)
1. Unknown Application: XG Firewall sees app traffic that does not match a signature
2. Endpoint Shares App Info: Sophos Endpoint passes app name, path and even category to XG Firewall for classification
3. Application is Classified & Controlled: Automatically categorize and control where possible, or admin can manually set category or policy to apply.
102. Synchronized Security - Automatic Response
(Diagram: Security Heartbeat™ between XG Firewall, Sophos Central, Servers, Endpoints and the Internet)
Security Heartbeat™ links Endpoints with the firewall to monitor health and immediately share the presence of threats.
• Instant Identification: Security Heartbeat can instantly share telemetry about the user, systems and process responsible
• Automated Response: Automatically isolate, or limit network access, and encryption keys for compromised systems until they are cleaned up
103. Lateral Movement Protection
(Diagram: Security Heartbeat™ between XG Firewall, Sophos Central, Servers, Endpoints and the Internet)
• Lateral Movement Protection: Firewall instantly informs all other endpoints to ignore any traffic from compromised device.
• Automated Response: Automatically isolate, or limit network access, and encryption keys for compromised systems until they are cleaned up
105. All Avenues Closed
• Disable Sophos Security: Red Health sent through Heartbeat; System isolates Endpoint
• Disable Heartbeat: Firewall detects missing Heartbeat; System isolates Endpoint
• Leave Sophos Security alone: Sync Security detects everything they do and cuts the communication stream
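The three cases on the slides above (red health, a heartbeat that stops, and a healthy endpoint that keeps reporting) as an added illustration, not Sophos code: a firewall-side monitor that isolates an endpoint on red health or on a missing heartbeat, shares the block list with peers for lateral movement protection, and releases the host once it reports green again. The timeout, host names and timeline are constructed assumptions.

```python
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 30.0  # assumed: seconds of silence before a heartbeat counts as missing

@dataclass
class EndpointState:
    health: str = "green"   # last reported health: green, yellow or red
    last_seen: float = 0.0  # time of the last heartbeat received
    isolated: bool = False

@dataclass
class HeartbeatMonitor:
    """Firewall-side view: tracks endpoint health and decides isolation."""
    endpoints: dict = field(default_factory=dict)
    blocklist: set = field(default_factory=set)  # pushed to peers: lateral movement protection
    events: list = field(default_factory=list)

    def heartbeat(self, host: str, health: str, now: float) -> None:
        st = self.endpoints.setdefault(host, EndpointState())
        st.health, st.last_seen = health, now
        if health == "red" and not st.isolated:
            self._isolate(host, "red health", now)
        elif health == "green" and st.isolated:
            self._release(host, now)

    def tick(self, now: float) -> None:
        # Periodic check: an endpoint that stopped reporting is isolated too.
        for host, st in self.endpoints.items():
            if not st.isolated and now - st.last_seen > HEARTBEAT_TIMEOUT:
                self._isolate(host, "missing heartbeat", now)

    def _isolate(self, host, reason, now):
        self.endpoints[host].isolated = True
        self.blocklist.add(host)  # other endpoints drop traffic from this device
        self.events.append((now, host, "isolate", reason))

    def _release(self, host, now):
        self.endpoints[host].isolated = False
        self.blocklist.discard(host)
        self.events.append((now, host, "release", "green health"))

def run_scenarios() -> HeartbeatMonitor:
    # Constructed timeline: pc-a goes red, pc-b goes silent, pc-c stays healthy, pc-a is cleaned.
    m = HeartbeatMonitor()
    for now in (0.0, 5.0):
        for host in ("pc-a", "pc-b", "pc-c"):
            m.heartbeat(host, "green", now)
    m.heartbeat("pc-a", "red", 10.0)    # security disabled: red health -> isolate
    m.heartbeat("pc-c", "green", 35.0)  # pc-c keeps reporting; pc-b has gone silent
    m.tick(40.0)                        # pc-b silent for 35 s > timeout -> isolate
    m.heartbeat("pc-a", "green", 60.0)  # pc-a cleaned up -> released
    return m
```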
106. It Just Works!
“It only took 2 minutes to find out that everything was under control. Sophos XG Firewall detected the threat and Security Heartbeat allowed the infected host to be immediately identified, isolated and cleaned up. Instead of going into fire drill mode, we were able to relax and finish our lunch.”
– DJ Anderson, CTO, Iron Cloud
108. It’s Flexible!
Security Heartbeat™ & Synchronized App Control, shown for each deployment mode:
• Firewall Replacement
• Inline
• Discover Mode
126. Three reasons people don’t use security or privacy technologies
1. They do not care about security and privacy
2. They do not know about security or privacy issues
3. They cannot use security and privacy technologies
KAMI VANIEA
128. Folk Models of Hackers
• Digital graffiti artists
• Burglars who break into computers for criminal purposes
• Criminals who target big fish
• Contractors who support criminals
Wash, Rick. "Folk models of home computer security." Proceedings of the Sixth Symposium on Usable Privacy and Security. ACM, 2010.
134. Mix of approaches
• Security champions: find and encourage people who are already in teams and already believe in security
• Actionable guidance for users: provide guidance that users are able to follow; consider lost work, not just security; think through what following guidance requires
• Express trust in employees: rules are there so you think before breaking them
• Embedded training: put the “training” in the environment; VERY challenging because it requires the tech people to do this right ☺
137. It’s Alive!! Realising an Effective Information Security Risk Framework
Bridget Kenyon, Global CISO, Thales eSecurity
138. Anatomy
A. Setting your risk objectives, strategy and vision
B. Designing a framework that delivers for your environment
C. Planning, implementation and testing
D. Key challenges and obstacles
E. Evaluating progress
139. “Nothing is so painful to the human mind as a great and sudden change.”
– Mary Shelley, Frankenstein
140. A. Risk objectives, strategy and vision
• Who are your stakeholders? What do they value? How and when is their performance measured? Why?
• Pin down context: business objectives and strategy
• Derive security objectives (SMART)
• Write strategy to deliver these objectives
• Use objectives and strategy to define vision
141. Sample objectives
• Comply with legal, contractual and regulatory obligations
• Maintain/improve reputation with stakeholders
• Balance risk against opportunity
• Operate ethically
142. Sample strategy statements
• Treat information/cyber risk as part of our business risk
• Use security as a competitive differentiator
• Build on what we already have
• Design in security from the beginning
• Prioritise investment according to risk, requirements and potential rewards
143. Sample vision statements
• We show respect for customers and staff by protecting their information
• Cyber security is an enabler for our business
• We are resilient in a challenging online world
• We care about, respect and protect information
145. C. Plan, implement, test
• Use project and change management methodologies
• Keep it lightweight:
• Adapt existing processes, make security part of BAU
• Budget for ongoing management of security
• Measure business outcomes
146. D. Challenges and obstacles (Issue: Suggestion)
• Decision making shortcuts (behavioural economics, System 1 thinking: “IT should do this”, “It hasn’t happened to us yet”): Do not demonise; nudge techniques
• Supply chains: Transparency; join up the links
• Personal vs organisational risk appetite: Focus on business priorities; use structured risk assessment approach
• Re-scoping of projects: Monitor outcomes and reinforce expectations
147. E. Evaluating progress
Top level metrics should:
• Map to business requirements
• Be amenable to “drill down” questions
• Use case studies and anecdotes
• Be actionable
148. Sample metrics
• Gap analysis vs key requirements (project, burn-down)
• Percentage of business processes with information risk management integrated (project, burn-down)
• Value At Risk (BAU, against target)
• Running costs vs costs avoided (BAU, comparison)
• Revenue derived from security improvements
149. Benchmarking
• Find comparable organisations
• Look at longitudinal (historical) data as well as right now
• What worked for the other organisation, and why?
• What did NOT work, and why?
• Beware of pet topics
150. Conclusion
• Focus on the business and its direction
• Build on what you already have
• Identify the best existing framework for your current situation
• Take account of behavioural drivers
• Learn from others
153. Panel Discussion
Dr Kami Vaniea – Uni of Edinburgh
Prof Bill Buchanan – Napier
Bridget Kenyon – Thales e-Security
Steve Johnson – Orion Health
#scotsecure
159. Single Citizen Record
• Primary Care & Out of Hours; Social Care & Council; Hospice & Third Sector; Pharmacy; Ambulance; Hospital; Community & Mental Health
• Citizen & Carer Access; Role-based Access
• Contributing to the Record; Managing Care; Engaging in Care