LMTE & Cyber Security Special Spring Summit
Fact, fiction, foe or fortune?
May 20th, 2015 at 3.30pm – 5.30pm
followed by networking drinks

WELCOME

•  LMTE – Who are we?
•  Membership is free
•  Our aim is to help educate, inform and allow for the exchange of concepts and practices
•  Experience new ideas and products from leading suppliers and professional services firms from across the globe
•  New membership cards
•  They are yours to take away – bring them to future events
•  Keep them safe
•  They can be replaced, for a small admin charge
•  We’re delighted to see you – tell your colleagues – spread the word

Today’s running order
London%Insurance%Market%
Threat%vs%Opportunity%
Cyber Security Summit
Foreword
Adrian Rands
CEO, QuanTemplate
For data-driven decisions
Bank Muscat, 2013 – ATM Loss – $39m
Sony, 2011 – Data Theft – 77m customers
2010/Stuxnet
Internet of Things
LSW983/Lloyd’s Electronic and Computer Crime policy
2015/Autopilot systems
2018/First self-driving cars
Professor Roy Isbell
Principal Fellow of the University of
Warwick, WMG Cyber Security Centre
Rashmi Knowles
Chief Security Architect at RSA,
The Security Division of EMC
Daniel Beazer
Senior Consulting Analyst,
Peer1 Hosting
For data-driven decisions
Adrian Rands
CEO, QuanTemplate
adrian.rands@quantemplate.com
@quantemplate
quantemplate.com/insights
“Cyber Hardening & the Future Enterprise”
(Exploring the Current & Future Limits of the Cyber
Environment)
Roy Isbell (Prof.) FIET FBCS CITP
LMTE
Cyber Security Special Spring Summit
Current Trends
(Symantec Internet Security Threat Report – 2015)
Targeted Attacks Increasing Across
All Sectors
Industry Sectors Breached
(Guide to Who is Under Threat)
•  Healthcare, retail, and education were ranked
highest for the number of data breach incidents
in 2014; the top three accounted for 58 percent
of all data breaches.
•  The retail, computer software, and financial
sectors accounted for 92 percent of all the
identities exposed in 2014.
•  This highlights that sectors involved in the
majority of data breaches don’t necessarily
result in the largest caches of stolen
identities, with the exception of retail.
Beyond the Information System
(New Attack Vectors – Vectors of the Future)
Tertiary
• The Service Sector or Service Industry
Secondary
• Manufacturing or Goods Production
Primary
• Raw Materials – Agriculture, Fishing & Extraction (Mining)
TRANSPORT
COMMUNICATIONS
BUSINESS DRIVERS:
•  Cost Reduction
•  Improved Performance / Productivity
•  Increased Safety
Product Lifecycle
Human Control
Semi-Autonomous
Autonomous
Source: Wikipedia
Source: Roy Isbell
Business Sectors Getting Smarter
(Business Drivers)
Primary Sector
(Raw Materials – Agriculture, Fishing & Extraction Mining)
Water
Mining Raw Materials
Oil & Gas Drilling/Collection
Aquaculture
Agriculture
Livestock Farming
Source: unknown
Unusual Cyber
(Modulated Water)
140Bps - 100Gbs - 1Mbs - 1Mbs - 100Gbs
(Data Rates 35bps to 140bps)
PROCESS
•  Modulated Water
•  Electrical Pulses
•  Data
•  Network Data
•  Processing
•  Satellite Communications
•  Network Data
•  Processing
Secondary Sector
(Manufacturing or Goods Production)
Food Supply & Demand Chain
Automated Manufacturing
Water Management
Utility Supply Management
Automated Food Processing/Production
Retail Management
Source: unknown
Tertiary Sector
(The Service Sector or Service Industry)
Integrated Health
Integrated Emergency Services
Integrated Waste Management
Source: unknown
Integrated Transport
Source: ETSI
SPECTRUM
Source: Lumeta
Source: Beecham Research
The Internet of Things
What is needed?
• Human:
• Understanding how cyber influences/impacts the human or how the human influences/impacts cyber.
• Situational Awareness:
• Understanding and awareness of how all aspects of Cyber are related.
• Information/Data:
• Identification of all sources of data & information used, the data flows and inter-dependencies.
• Spectrum:
• Multiple use of the spectrum from DC to Light and beyond, mobility.
• Systems:
• Identify all the connected cyber systems, their relationships and the relative importance to the overall operation.
• Infrastructure:
• Knowledge of the Physical Infrastructure as well as data and information infrastructure.
• Environment:
• Understanding the impact of the external environment – PESTEL.
CONTEXT
The set of circumstances or facts that surround a
particular event or situation.
Source: Roy Isbell
Source: Dictionary.Com
Cyberspace & Context
(CyberSpace Through a Context PRISM)
Environment
Human
Awareness/Understanding
Information/Data
Systems
Spectrum
Infrastructure
Internet
+++
WorldWideWeb
The Internet
A Communications Channel that we connect
to in order to pass information
The World Wide Web
A Trading Platform Where Information Is
Exchanged
Source: Roy Isbell
Understanding Where We Are
Source: Unknown
Cyber–Physical Engineered Systems
(Adding Sensing & Actuation)
Cyber–Physical Engineered Systems
1.  Effectively command and control systems that are
networked or distributed (i.e. employ networking
and/or communications).
2.  Incorporate a degree of intelligence (adaptive or
predictive).
3.  Work in real time to influence or actuate outcomes in
the physical world.
Cyber–Physical Engineered Systems
4.  Found in transportation, utilities, buildings,
infrastructure & health care.
5.  Use sensors to detect and measure physical
parameters and actuators to control physical
processes.
6.  Utilise feedback loops for monitoring allowing
degrees of autonomy.
Integrated Transport
(Autonomous Vehicles)
Autonomous Shipping
Source: Rolls Royce Holdings
Autonomous Road Trains
Source: Volvo
Autonomous Planes
Source: Northrop Grumman
Autonomous Trains
Transport for London is considering plans to roll out driverless tube trains across the Underground network by 2020
Source: Transport For London
The first commercially available semi autonomous cars will be available in 2014 (E&Y Report)
Complex System of Systems
(WHAT? – Complex Cyber Physical Engineered System)
List of Technologies to Create a Self-driving Vehicle:
•  Collision Avoidance (Steering)
•  Vehicle-to-Vehicle Communication
•  Vehicle-to-Infrastructure Communication
•  Steer-by-Wire
•  Lane Keeping
•  Forward Collision Avoidance (Braking)
•  Driver Performance Monitor
•  Lane Sensing/Warning
•  Active Roll Control
•  Forward Collision Warning
•  Adaptive Cruise Control
•  Vision Enhancement
•  Near Obstacle Detection
•  Electronic Stability Control
•  Adaptive Variable-Effort Steering
•  Semi-Active Suspension
•  Traction Control
•  Anti-Lock Braking Systems
Source: Byron Shaw, GM MD of Advanced Technology
Sensor Systems
Connecting Systems
Complex System of Systems
(HOW? – External Remote Access)
Sensor Systems – Constantly monitor the external
environment to build a 360° picture that provides
information to the command and control environment of
the vehicle. (Influence, Jamming & Spoofing)
Infotainment – a combination of information and
entertainment. (Access to vehicle subsystems for
information, disruption, modification & control).
Telematics – the integrated use of
telecommunications and informatics for control of
vehicles on the move. (Access for information,
disruption, modification & control).
Network Based Connectivity
(HOW? – Expansion of the Attack Vectors)
Mobile Phone App – Sync with Head
Unit. Head Unit OS – Windows,
Android or Linux Variants
Laptop Access – Through Vehicle WiFi
Hotspot
4G Access – Via Mobile
Device
New Vehicle Apps –
Access via Head Unit &
Mobile Device
5G Access – Via Mobile
Device
The Cloud –
Dedicated Cloud
Services or Generic
Web Access
All the Security Issues Associated With
Information Systems, Now Apply to
Connected Vehicles
Bluetooth – Device
Connect
Design & Manufacture
Sales & Distribution
Consumer / Owner
Disposal
Maintenance – (Maintainer / Valet)
Fuel – (Fossil / Gas / Bio / Electrical)
Vehicle Lifecycle
Analysis of the vehicle lifecycle provides for identification of
those who are permitted to come into contact with the vehicle
and the level of access. These individuals provide identification
of the ‘Insiders’ for consideration of the ‘Insider Threat’
Vehicle Lifecycle
(HOW? – The Insider Threat)
Maintainers – Have physical access to the vehicle via technical equipment. Both the equipment and the personnel may be an attack vector.
In addition the vehicle software updating process needs to be considered as an attack vector.
The use of Power Line Carrier technology to
communicate between the vehicle, off-board
charger, and smart grid.
Access Control: (As a function of)
•  Role – Role based access control is not
enough.
•  Function – Consider adding function as an
additional factor.
•  Time – Consider using time to achieve
removal of legacy access.
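Added example, not part of the original slides: one way to make an access decision depend on role, function and time, using a vehicle maintenance visit. The role table, the names `issue_grant` and `check_access`, the 8-hour cap and the sample dates are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical role table: the most each role could ever be given.
ROLE_FUNCTIONS = {
    "maintainer": {"read_diagnostics", "flash_firmware", "reset_service_light"},
    "valet": {"move_vehicle"},
}
MAX_GRANT = timedelta(hours=8)  # assumed upper bound for a single job


@dataclass(frozen=True)
class Grant:
    subject: str
    role: str
    functions: frozenset   # only what this job needs, not all the role allows
    not_before: datetime
    not_after: datetime    # hard expiry, so legacy access lapses by itself


def issue_grant(subject, role, functions, start, duration):
    """Create a time-boxed grant for a subset of the role's functions."""
    requested = frozenset(functions)
    if not requested or not requested <= ROLE_FUNCTIONS.get(role, set()):
        raise ValueError(f"role {role!r} cannot be granted {sorted(requested)}")
    if not timedelta(0) < duration <= MAX_GRANT:
        raise ValueError("grant duration must be positive and at most MAX_GRANT")
    return Grant(subject, role, requested, start, start + duration)


def rbac_only(role, function):
    """Role-based check on its own, for comparison."""
    return function in ROLE_FUNCTIONS.get(role, set())


def check_access(grant, subject, function, now):
    """Decide on role AND function AND time; returns (allowed, reason)."""
    if grant.subject != subject:
        return False, "grant issued to a different subject"
    if not rbac_only(grant.role, function):
        return False, "role does not include function"
    if function not in grant.functions:
        return False, "function not part of this job"
    if not grant.not_before <= now < grant.not_after:
        return False, "outside grant window"
    return True, "ok"


def demo():
    """Constructed scenario: a diagnostics-only job booked for four hours."""
    start = datetime(2015, 5, 20, 9, 0, tzinfo=timezone.utc)  # constructed date
    grant = issue_grant("tech-42", "maintainer", {"read_diagnostics"},
                        start, timedelta(hours=4))
    attempts = [
        ("read_diagnostics", start + timedelta(hours=1)),  # the booked job
        ("flash_firmware", start + timedelta(hours=1)),    # role allows, job does not
        ("read_diagnostics", start + timedelta(days=7)),   # legacy access a week later
        ("move_vehicle", start + timedelta(hours=1)),      # not a maintainer function
    ]
    # Each row: (function, role-only decision, combined decision, reason)
    return [
        (fn, rbac_only(grant.role, fn), *check_access(grant, "tech-42", fn, when))
        for fn, when in attempts
    ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The second and third attempts are the ones a role-only check lets through: the role column is true in both, while the combined decision denies them.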
Integrated Transport
(The Movement of Goods and/or People)
Air
Maritime
Road
Rail
Metro/Underground
People
Goods
Source: Hitachi.com
Source: Digital Age Transportation – The Future of Urban Mobility - Tiffany Dovey
Fishman – Deloitte University Press.
Source: Roy Isbell DFM
1950 – 2050 Rise in Urban Population Source: WHO
Statistics
1.  60% World population urbanised by 2030
2.  Urban population in developing countries will
more than double
3.  New development often on coastal plains,
increasing risk from severe weather & global
warming.
Challenges
1.  Developed countries’ existing infrastructures
already stretched.
2.  Proactive management required for costly
and scarce resources.
3.  Technological advances allowing
development of SMARTer cities.
4.  Evolving systems of systems of systems(n)
with complex and/or cascading failure.
5.  Greater automation and system autonomy
for cost reduction and improved productivity.
Research:
•  The City as a Platform
•  Understanding Cyber–Physical Engineered Systems
•  Data & Systems Context
•  Resilience of Systems & Services
•  Deriving Cyber Security Needs
Urbanisation
(The Move to the City)
SMART Buildings
(Where we Live, Work & Play)
Source: Hasibat Information Technologies
Source: Arup Foresight & Innovation
Future SMART(er) Cities
(A Complex Interconnected Environment)
Source: Unknown
Built Environment
•  Commercial Buildings
•  Living Accommodation
•  Industrial Complex
•  Utility Provision
Infrastructure & Services:
•  Medical
•  Transport
•  Refuse Collection
•  Utility Delivery
•  Food Supply Chain
•  Emergency Services
Access
Information
CIA Cyber Attack Triangle
Capability
CIA – Cyber Attack Triangle
Access – In order for any attack to even be contemplated
some form of access to the target is required. Access may be
physical or remote.
Capability – To effect a successful attack the attacker requires
the correct tools and techniques to interact with the target and
influence or affect the changes required to achieve the desired
outcome.
Information – Before either access or capability may be
achieved or determined, information (intelligence) on the target
is required. The level of detailed information will determine the
risk associated with any attack scenario being considered.
Like any three legged stool, absence of any leg renders
the stool useless.
Attack Anatomy
Attack Anatomy – Each attack follows a sequence of activities with each activity, once completed providing either information, access or a capability related to the target system.
The Cyber Attack Triangle
(WHEN? – Understanding the Pre-requisites for an Attack)
Attack Motivators
CRIME (Including Financial)
(H)Acktivism
Warfare
Terrorism (Including Corporate Blackmail)
Espionage (Including Industrial Espionage)
Espionage – seeking unauthorised access to sensitive information
(intellectual property, commercial information, corporate strategies, personal
data, pattern of life) or using the vehicle as a reconnaissance tool:
•  State
•  Commercial
(H)Acktivism – seeking publicity or creating pressure on behalf of a specific
objective or cause:
•  Disruption of specific businesses/organisations (supplier or end
user)
•  Disruption of specific geographic areas (cities, routes)
Criminal – largely driven by financial gain, but may include gang related
violence:
•  Theft of a vehicle
•  Theft from a vehicle
•  Hijack of a vehicle
•  Kidnap of a vehicle’s occupant(s)
•  Criminal damage
Terrorism:
•  Use of vehicle as a weapon
•  Attacks on vehicle and/or vehicle’s occupants
•  Disruption of transport systems/infrastructure
Warfare – conflict between nation states
•  Disruption of transport systems/infrastructure to deny operational
use
•  Disable specific modes of transport or vehicle types
•  Destruction of vehicles
Attack Motivators
(Examples Related to Autonomous/Connected Vehicles)
New Models for Evaluating Cyber Security & Safety
Parkerian Hexad (Parker DB; 2002): Possession / Control, Integrity, Availability, Utility, Authenticity, Confidentiality
CIA Triad (Bishop M. 2004): Confidentiality, Integrity, Availability
Cyber Security for Autonomous Systems (Boyes H. 2014): Confidentiality, Possession/Control, Integrity, Authenticity, Availability, Utility, Safety
Element – Relevance to CPES
Confidentiality – Protection of personal & other sensitive data
Possession/Control – Prevent unauthorised manipulation or control of systems
Integrity – Prevent unauthorised changes to or deletion of data & maintenance of system configuration
Authenticity – Prevention of fraud or tampering with data
Availability – Autonomous Infrastructure able to operate without disruption or impairment
Utility – Maintaining data & systems in a useful state throughout their lifecycle
Safety – Prevention of harm to individuals, assets and the environment
Autonomous Systems Defence Capability Strategies
Prevent – the prevention of unauthorised users gaining access
to subsystems, prevention of unauthorised modifications or
changes to a system’s configuration, prevention of a system
going into an unsafe and unsecure mode of operation.
Protect – the protection of any data or information at rest, in
transit or in operation using strong cryptographic and hashing
techniques, the protection of the access portals from
unauthorised connection through strong authentication.
Detect – the detection of hardware, software modification
outside of operating parameters, the detection of unauthorised
activity within the system, the detection of anomalous activity
within operating parameters.
Deny – the denial of access either physical or remote, the denial
of code or hardware modification without approval, the denial of
an attack using active defence measures.
Respond – the ability to respond (automatically or otherwise) to
events before safety or security countermeasures are activated,
the ability to respond after safety or security countermeasures
have been activated.
Prevent
Protect
Detect
Deny
Respond
Managing Enterprise Cyberspace
(Cyber Operations)
Source: Roy Isbell DFM
The Edge Connected Human
(Thoughts for Consideration)
Wearable Technology
Prosthetics & Implants
Senses As Sensors
Interaction
Source: unknown
Source: ETSI
Thank You for Listening
Questions?
LMTE
Cyber Security Special Spring Summit
Where every interaction matters.
Risks and new technology
Presented by
Daniel Beazer
Senior Consulting Analyst
20th May 2015
Today’s Agenda
•  Introduction to Peer1
•  Changing face of risk in IT
•  Traditional IT vs Agile
•  A closer look at risk in two areas, one over exaggerated the other under exaggerated
•  Conclusions for the market
•  A takeaway slide and Q&A
We are not good at assessing risk
“If you both own a gun and a
swimming pool in your
backyard, the swimming pool
is about 100 times more likely
to kill a child than the gun is.”
Us in a nutshell
We are a global web infrastructure and cloud
hosting company specializing in customized
solutions for eCommerce, SaaS applications and
content publishing.
We use innovative technology to deliver
exceptionally responsive, reliable and secure
hosting experiences – we are obsessed with
customer experience.
Most importantly, we care.
Our Services
Managed Hosting Services
Secure Datacenters
Scalable Infrastructure
Cloud Hosting Services
Massive disruption in IT creates new risk
The state of IT
A threatened species
IT spend is no longer exclusively with IT
▪  21% of spend is now outside IT (Gartner CIO Survey Feb 2015)
▪  Mostly in marketing, where predictive analytics and other digital
tools can give enterprises competitive advantage
▪  All C-levels now make IT decisions (eg to buy iPads for sales)
▪  IT struggles to meet this demand
▪  AWS’s Stephen Schmidt ‘we don’t talk to IT’
▪  Many private (and public) clouds have been built and are unused
Traditional IT
•  Top down command and control, everyone has to live with their
decisions
•  Black box: no one outside the function can understand (even less
criticise) what they do
•  Not aligned with any +ve business objectives, only negative
(keeping the lights on, stopping security breaches)
•  The customers, ie groups within the business have no choice but
to use what IT offers
•  Uses monolithic proprietary applications hosted in house with
strategic vendor, lead times, SLA, all below market
Traditional IT project
•  Instructions received from another department
•  Scope and specifications issued via RFP to vendors
•  Plans are for maximum capacity
•  Lengthy procurement process
•  Monolithic hardware and software
•  Long contract periods
•  Testing staging and then live
•  Up to a year for a new project
An agile IT project
Lead times < 1hour, no procurement
Usage based, automated, no contracts
Open source software (no time to negotiate)
No longer in house, distributed
Continuous live development
Tied to business outcomes
On Demand
Use cases… from a cost of $20mn to $5m and a lead time of a year to three months
Security and risk
Quis custodiet ipsos custodes?
The security industry
•  Generate most of the data in the
industry and create most of the noise
•  True 3rd party advice hard to find:
industry analysts and consultants
have no incentive to doubt the
prevailing ethos
•  Traditional ‘cleverest man in the room’
and FUD sales tactics
•  MO consists of finding more problems
and defects so customers have to
spend more
•  $76bn industry (Gartner 2015
estimate) vs Microsoft $86bn, IBM
$92bn
A security vendor slide and a layer cake
The security group in enterprise
Perverse incentives
•  Rain dance argument
•  The group in the business where
failure is rewarded
•  More breaches = more budget if
politics are handled correctly
•  Infosec/CISO group has little influence
•  Buying a wall and a guard is enough
From the Annual Fraud Indicator
▪  67% of fraud is insider fraud
▪  Of the companies polled not one was able to recover the funds
▪  Online banking fraud £40mn
▪  Plastic card fraud £338mn
▪  Identity fraud £3.3bn
▪  Private sector fraud £15.5bn (40% of total)
Risks in the cloud
Where we think the risks lie
▪  27% lack of visibility into who
can access data
▪  18% lack of confidence in the
cloud providers security abilities
▪  12% unclear liability if there is
an attack/loss of data
Source Gartner Survey December
2014
Where the risks really lie
▪  Cloud collapse
-  Brittle businesses often go bust (Nirvanix)
-  Outages common
-  No cover for outages/business risk in contracts
▪  But.. many back/up security advantages (see next slide)
▪  Complacency: security incidents mostly caused by customer usage, eg sloppy code, old OSS, allowing ghost accounts from ex-employees to proliferate
▪  Regulatory breaches: rogue cloud usage, uncontrolled SaaS is universal
Source Gartner Survey December
2014
‘Cloud may be more secure than client server’
•  Ability to reimage/remove software and transfer it to another makes it harder to carry out attacks
•  Organisations can secure end to end using encryption
•  IT depts find it hard to compete with cloud providers’ scale
•  Thousands of customers versus one, 100Gbps vs 100Mbps of traffic
•  Benefits of pooled resources, scaled security, DDOS
•  The more physical the more insecure, paper, USBs (60% are lost containing corporate data)
•  Poorly maintained legacy equipment proliferates in enterprise
Gus Hunt CTO, CIA
Conclusion
▪  Opportunity for the market to drive best practices through genuine third
party advice / consulting
▪  Lower premiums for organisations with lower risk
▪  Test and monitor! … and use the cloud to analyse all that big data
Ten questions your cloud provider doesn’t want
you to ask
▪  Can you give us your three year availability history?
▪  Can you prove to us you will be in business in three years’ time?
▪  Can we audit your data centre? Can our auditors?
▪  If your cloud node goes down just before Xmas how much will you pay me?
▪  Can you guarantee performance? How?
▪  Can you walk me through what happens if I suffer a security breach?
▪  Or I decide to leave?
▪  Can you guarantee my data will not remain on your platform once I am gone?
Q&A
Early Warning
Systems For
Advanced Threat
Rashmi Knowles CISSP
Chief Security Architect EMEA
© Copyright 2015 EMC Corporation. All rights reserved.
CYBER THREAT LANDSCAPE
SOURCE M-TRENDS 2015
more advanced
more mobile
diStrUcTive
METHODS (timeline labels: 2001, 2007, Today, 2020)
Worms/Viruses
Simple DDoS
Phishing
Pharming
APTs
Multi-Stage
Hacker Collaboration
Disruptive Attacks
Destructive Attacks
Intrusive Attacks
Advanced DDoS
Sophisticated Mobile Attacks
The Unknown??
The RSA Research & Threat Intelligence Outputs
RSA Research & Threat Intelligence
Threat Intelligence Feeds via Live
Public Releases and Blogs via Speaking of Security Portal
Reports & White Papers via Community Forums
Features and Functionality Built Into RSA Products & Services
Formal Threat Intel Exchange Groups
RSA RESEARCH AND THREAT INTELLIGENCE
•  150 Analysts, 100+ languages
•  16,000 ISPs and hosting authorities
•  6,000,000,000 URLs/day
•  800,000 attacks shut down
•  5hrs time to shut down
•  50-150K samples per week
•  Static and dynamic analysis
•  Credential recovery
•  Mule accounts
•  Military-trained intel agents
•  Tap fraud communication channels
•  Passive & proactive monitoring
•  Report on emerging threats and attack vectors
AFCC
RESEARCH LAB
INTEL TEAM
AS THE WORLD GOES MOBILE
CYBERCRIME WILL FOLLOW
AS THE WORLD GOES MOBILE – SO
DOES FRAUD
40% of all fraudulent transactions came from Mobile Device
Source: RSA Adaptive Authentication
CYBERCRIME AS A SERVICE
Cybercriminals increase effectiveness of
attacks even leverage big data principles
•  Exploit Kits
•  Botnet Infrastructures
•  Call Centre service
•  Facebook accounts/Ads
•  Bitcoin stealer
•  DDos attacks
CYBERCRIME AS A SERVICE
DARKNET PRICE LIST
Item | Price | Notes
Infections | $11 p/1000 | There are "multi-tenancy" (multiple variants on 1 machine) plans that reduce cost
Hosting | $50-$100 | Bullet proof; server only
Exploit kit hosting | ~$100 | per week, ~12% guaranteed infection rate
Malware development | $2,500 | The average cost of commercial malware
Exploits | $1000-$300,000 | Varies greatly based on the exploit…
Turnkey banking trojan service | $700 - $1000 |
Credit card data | $0.25 - $60 | Depending on the amount of data being sold (front-of-plastic vs full track data); exotic geo's, such as China, can fetch up to $300 per card.
Phishing kit | $0-$50 |
Spam | $50 | to ~500,000 emails
DDOS As a service | ~$7 p/hour |
Proxy/RDP/SOCKS/VPN access | $5-$12 | Price per IP or for period of access
Call service | $10-$15 | Depending on the required language/accent
Source: http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html
Ransomware – customized for legitimacy
•  Malware variants – RAM scraping
•  70-90% malware unique to an organisation
•  70% attacks were trusted third-party
•  Phishing associated with 95% of state sponsored attacks
•  50% open emails and click on link within an hour
•  99.9% of exploited vulnerabilities compromised more than a
year after CVE published
THREAT LANDSCAPE
SOURCE VERIZON DBIR2014
DEFENDER-DETECTION DEFICIT
Source Verizon DBIR2014
COUNT OF MALWARE EVENTS
SOURCE VERIZON DBIR2014
Responding to
Cyber Threats
Advanced Threats Are Different
1 TARGETED: SPECIFIC OBJECTIVE
2 INTERACTIVE: HUMAN INVOLVEMENT
3 STEALTHY: LOW AND SLOW
Figure labels (TIME axis): Attack Identified, Response, System Intrusion, Attack Begins, Cover-Up Complete, Cover-Up Discovery, Leap Frog Attacks, Dwell Time, Response Time
1 Decrease Dwell Time
2 Speed Response Time
205 days – Average number of days threat groups
were on a victim’s network without detection. The
longest presence was 2,982 days.
Source M-Trends 2015
It Will Become Increasingly Difficult To Secure Infrastructure
SECURITY MUST EVOLVE
We must focus on people, transactions,
and the flow of data
Static, Perimeter-Centric
& Compliance Oriented
Risk-based, Agile, &
Contextual Visibility
ORGANIZATIONS MUST GET CREATIVE TO
DETECT AND DISRUPT ATTACKS
•  Focus on early detection of breaches to minimize your window of vulnerability.
•  Move backward in the ‘Kill chain’
•  The key is actively preserving, aggregating and reviewing data to detect a potential intrusion but also for post-event forensics.
Recon Weaponise Deliver Exploit Install C2 Action
STRATEGIC SECURITY INVESTMENT SHIFT NEEDED NOW!
Today’s Priorities: Prevention 80%, Monitoring 15%, Response 5%
Intelligence-Driven Security: Prevention 33%, Monitoring 33%, Response 33%
BUILDING BLOCKS OF INTELLIGENCE DRIVEN
SECURITY
Cloud
On Prem
ANALYTICS
IDENTITY & ACCESS
DATA
Threat Fraud Compliance Identity
GOVERNANCE, RISK, & COMPLIANCE
INTELLIGENCE DRIVEN SECURITY IN ACTION
LOGS, PACKETS, NETFLOW,
ENDPOINT, ID, VULNS,
THREAT (INT & EXT)
•  Risk-driven
–  Prioritize activity and resources appropriately
•  Incremental and achievable
–  New capabilities improve your maturity over time
•  Future proof
–  Enables response to changes in landscape not based on adding new products
•  Agile
–  Enables the business to take advantage of new technology and IT-driven opportunities
BENEFITS OF THIS APPROACH
CUSTOMER MATURITY MODEL
Advanced Threats Become the Major Spend Driver as Customers Mature
Row labels: Catalyst, Approach, Scope, Technology
Security Level 1, Naïve/Cost-based | Security is “necessary evil” | Reactive and de-centralized monitoring | Tactical threat defenses
Security Level 2, Compliance-driven | Check-box mentality | Implement security to be compliant | Tactical threat defenses with tracking and reporting tools | Regulatory Environment
Security Level 3, IT risk-driven | Proactive and assessment-based | Assess risks and detect threats for organization | Security tools integrated with common data and mgmt platform | New leadership
Security Level 4, Business risk-driven | Security fully embedded in enterprise processes | Assess business risks to drive security implementation | Security tools integrated with business tools e.g. eGRC | Security breaches; customer demand
CHARACTERISTICS OF SECURITY MATURITY
Step 1: Threat Defense
Step 2: Compliance and Defense-in-Depth
Step 3: Risk-Based Security
Step 4: Business-Oriented
VISIBILITY
COLLABORATION
RISK
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

LMTE Cyber Security Spring Summit 20 May 2015 - Presenters' slides

  • 2. % % •  LMTE%–%Who%are%we?% •  Membership%is%free% •  Our%aim%is%to%help%educate,%inform%and%allow%for%the%exchange%of%concepts%and%prac:ces% •  Experience%new%ideas%and%products%from%leading%suppliers%and%professional%services%firms% from%across%the%globe% •  New%membership%cards% •  They%are%yours%to%take%away%–%bring%them%to%future%events% •  Keep%them%safe% •  They%can%be%replaced,%for%a%small%admin%charge% •  We’re%delighted%to%see%you%–%tell%your%colleagues%–%spread%the%word% % %
  • 5. Cyber Security Summit Foreword Adrian Rands CEO, QuanTemplate For data-driven decisions
  • 6. Bank Muscat 2013 ATM Loss Data Theft Sony customers 2011 $39m 77m
  • 9. LSW983/Lloyd’s Electronic and Computer Crime policy
  • 12. Professor Roy Isbell Principal Fellow of the University of Warwick, WMG Cyber Security Centre Rashmi Knowles Chief Security Architect at RSA, The Security Division on EMC Daniel Beazer Senior Consulting Analyst, Peer1 Hosting
  • 13. For data-driven decisions Adrian Rands CEO, QuanTemplate adrian.rands@quantemplate.com @quantemplate quantemplate.com/insights
  • 14. “Cyber Hardening & the Future Enterprise” (Exploring the Current & Future Limits of the Cyber Environment) Roy Isbell (Prof.) FIET FBCS CITP LMTE Cyber Security Special Spring Summit
  • 15. Current'Trends' (Symantec'Internet'Security'Threat'Report'–'2015)' Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment) Targeted Attacks Increasing Across All Sectors
  • 16. Industry'Sectors'Breached' (Guide'to'Who'is'Under'Threat)' Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment) •  Healthcare, retail, and education were ranked highest for the number of data breach incidents in 2014; the top three accounted for 58 percent of all data breaches. •  The retail, computer software, and financial sectors accounted for 92 percent of all the identities exposed in 2014. •  This highlights that sectors involved in the majority of data breaches don’t necessarily result in the largest caches of stolen identities, with the exception of retail.
  • 17. Beyond'the'InformaBon'System' (New'AFack'Vectors'–'Vectors'of'the'Future)' Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 18. TerBary' • The'Service'Sector'or'Service'Industry' Secondary' • Manufacturing'or'Goods'ProducBon' Primary' • Raw'Materials'–'Agriculture,'Fishing'&' ExtracBon'(Mining)' T R A N S P O R T C O M M U N I C A T I O N S COMMUNICATIONS BUSINESS DRIVERS: •  Cost Reduction •  Improved Performance / Productivity •  Increased Safety Product Lifecycle Human'Control' SemiU Autonomous' Autonomous' Source: Wikipedia Source: Roy Isbell Business'Sectors'GeVng'Smarter' (Business'Drivers)' Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 19. Primary'Sector' (Raw'Materials'–'Agriculture,'Fishing'&'ExtracBon'Mining)' Water Mining Raw Materials Oil & Gas Drilling/CollectionAquaculture Agriculture Livestock Farming Source: unknown Source: unknown Source: unknown Source: unknown Source: unknown Source: unknown Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 20. Unusual'Cyber' (Modulated'Water)' 140Bps - 100Gbs - 1Mbs - 1Mbs - 100Gbs (Data Rates 35bps to 140bps) PROCESS •  Modulated Water •  Electrical Pulses •  Data •  Network Data •  Processing •  Satellite Communications •  Network Data •  Processing Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 21. Secondary'Sector' (Manufacturing'or'Goods'ProducBon)' Food Supply & Demand Chain Automated Manufacturing Water Management Utility Supply Management Automated Food Processing/Production Retail Management Source: unknown Source: unknown Source: unknown Source: unknown Source: unknown Source: unknown Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 22. TerBary'Sector' (The'Service'Sector'or'Service'Industry)' Integrated'Health' Integrated' Emergency'Services' Integrated'Waste' Management' Source: unknown Source: unknown Source: unknown Integrated'Transport' Source: ETSI SPECTRUM) Source: Lumeta Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 23. Source: Beecham Research The'Internet'of'Things' Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 24. What)is)needed?) • Human:) • Understanding'how'cyber'influences/impacts'the' human'or'how'the'human'influences/impacts'cyber.' • SituaBonal'Awareness:) • Understand'and'Awareness'of'how'all'aspects'of' Cyber'are'related.'' • Informa>on/Data:) • IdenBficaBon'of'all'sources'of'data'&'informaBon' used,'the'data'flows'and'interUdependencies.' • Spectrum:) • MulBple'use'of'the'spectrum'from'DC'to'Light'and' beyond,'mobility.' • Systems:) • IdenBfy'all'the'connected'cyber'systems,'their' relaBonships'and'the'relaBve'importance'to'the' overall'operaBon.' • Infrastructure:) • Knowledge'of'the'Physical'Infrastructure'as'well'as' data'and'informaBon'infrastructure.' • Environment:) • Understanding'the'impact'of'the'external' environment'–'PESTEL.' CONTEXT The set of circumstances or facts that surround a particular event or situation. Source: Roy Isbell Source: Dictionary.Com Cyberspace'&'Context' (CyberSpace'Through'a'Context'PRISM)' Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 25. Environment' Human' Awareness/Understanding' InformaBon/Data' Systems' Spectrum' Infrastructure' Internet +++ WorldWideWeb The Internet A Communications Channel that we connect to in order to pass information The World Wide Web A Trading Platform Where Information Is Exchanged Source: Roy Isbell Understanding'Where'We'Are' Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 26. Source: Unknown Cyber–Physical Engineered Systems Cyber–Physical'Engineered'Systems' (Adding'Sensing'&'ActuaBon)' Cyber–Physical Engineered Systems 1.  Effectively command and control systems that are networked or distributed (i.e. employ networking and/or communications). 2.  Incorporate a degree of intelligence (adaptive or predictive). 3.  Work in real time to influence or actuate outcomes in the physical world. Cyber–Physical Engineered Systems 4.  Found in transportation, utilities, buildings, infrastructure & health care. 5.  Use sensors to detect and measure physical parameters and actuators to control physical processes. 6.  Utilise feedback loops for monitoring allowing degrees of autonomy. Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 27. Integrated'Transport' (Autonomous'Vehicles)' Source: Rolls Royce Holdings Autonomous Shipping Autonomous Road Trains Source: Volvo Autonomous Planes Source: Northrop Grumman Transport for London is considering plans to roll out driverless tube trains across the Underground network by 2020 Source: Transport For London Autonomous Trains The first commercially available semi autonomous cars will be available in 2014 (E&Y Report) Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 28. Complex'System'of'Systems' (WHAT?'–'Complex'Cyber'Physical'Engineered'System)' List of Technologies to Create a Self-driving Vehicle: •  Collision Avoidance (Steering) •  Vehicle-to-Vehicle Communication •  Vehicle-to-Infrastructure Communication •  Steer-by-Wire •  Lane Keeping •  Forward Collision Avoidance (Braking) •  Driver Performance Monitor •  Lane Sensing/Warning •  Active Roll Control •  Forward Collision Warning •  Adaptive Cruise Control •  Vision Enhancement •  Near Obstacle Detection •  Electronic Stability Control •  Adaptive Variable-Effort Steering •  Semi-Active Suspension •  Traction Control •  Anti-Lock Braking Systems Source: Byron Shaw, GM MD of Advanced Technology Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 29. Sensor Systems Connecting Systems Complex'System'of'Systems' (HOW?'–'External'Remote'Access)' Sensor Systems – Constantly monitor the external environment to build a 360 o picture that provides information to the command and control environment of the vehicle. (Influence, Jamming & Spoofing) Infotainment – a combination of information and entertainment. (Access to vehicle subsystems for information, disruption, modification & control). Telematics – the integrated use of telecommunications and informatics for control of vehicles on the move. (Access for information, disruption, modification & control). Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 30. Network'Based'ConnecBvity' (HOW?'–'Expansion'of'the'AFack'Vectors)' Mobile Phone App – Sync with Head Unit. Head Unit OS – Windows, Android or Linux Variants Laptop Access – Through Vehicle WiFi Hotspot 4G Access – Via Mobile Device New Vehicle Apps – Access via Head Unit & Mobile Device 5G Access – Via Mobile Device The Cloud – Dedicated Cloud Services or Generic Web Access All the Security Issues Associated With Information Systems, Now Apply to Connected Vehicles Bluetooth – Device Connect Cyber Hardening & the Future Enterprise (Exploring the Current & Future Limits of the Cyber Environment)
  • 31. Vehicle Lifecycle (HOW? – The Insider Threat) Lifecycle stages: Design & Manufacture, Sales & Distribution, Consumer / Owner, Disposal. Maintenance – (Maintainer / Valet). Fuel – (Fossil / Gas / Bio / Electrical). Analysis of the vehicle lifecycle provides for identification of those who are permitted to come into contact with the vehicle and the level of access. These individuals provide identification of the ‘Insiders’ for consideration of the ‘Insider Threat’. Maintainers – Have physical access to the vehicle via technical equipment. Both the equipment and the personnel may be an attack vector. In addition, the vehicle software updating process needs to be considered as an attack vector. The use of Power Line Carrier technology to communicate between the vehicle, off-board charger, and smart grid. Access Control: (As a function of) • Role – Role based access control is not enough. • Function – Consider adding function as an additional factor. • Time – Consider using time to achieve removal of legacy access.
  • 32. Integrated Transport (The Movement of Goods and/or People) Diagram labels: Air, Maritime, Road, Rail, Metro/Underground; People, Goods. Source: Hitachi.com Source: Digital Age Transportation – The Future of Urban Mobility - Tiffany Dovey Fishman – Deloitte University Press. Source: Roy Isbell DFM
  • 33. Urbanisation (The Move to the City) 1950 – 2050 Rise in Urban Population (Source: WHO Statistics) 1. 60% World population urbanised by 2030 2. Urban population in developing countries will more than double 3. New development often on coastal plains, increasing risk from severe weather & global warming. Challenges 1. Developed countries' existing infrastructures already stretched. 2. Proactive management required for costly and scarce resources. 3. Technological advances allowing development of SMARTer cities. 4. Evolving systems of systems of systems(n) with complex and/or cascading failure. 5. Greater automation and system autonomy for cost reduction and improved productivity. Research: • The City as a Platform • Understanding Cyber–Physical Engineered Systems • Data & Systems Context • Resilience of Systems & Services • Deriving Cyber Security Needs
  • 34. SMART Buildings (Where we Live, Work & Play) Source: Hasibat Information Technologies Source: Arup Foresight & Innovation
  • 35. Future SMART(er) Cities (A Complex Interconnected Environment) Source: Unknown. Built Environment: • Commercial Buildings • Living Accommodation • Industrial Complex • Utility Provision. Infrastructure & Services: • Medical • Transport • Refuse Collection • Utility Delivery • Food Supply Chain • Emergency Services
  • 36. The Cyber Attack Triangle (WHEN? – Understanding the Pre-requisites for an Attack) Triangle vertices: Access, Information, Capability. CIA – Cyber Attack Triangle. Access – In order for any attack to even be contemplated, some form of access to the target is required. Access may be physical or remote. Capability – To effect a successful attack the attacker requires the correct tools and techniques to interact with the target and influence or affect the changes required to achieve the desired outcome. Information – Before either access or capability may be achieved or determined, information (intelligence) on the target is required. The level of detailed information will determine the risk associated with any attack scenario being considered. Like any three-legged stool, absence of any leg renders the stool useless. Attack Anatomy – Each attack follows a sequence of activities with each activity, once completed, providing either information, access or a capability related to the target system.
  • 37. Attack Motivators (Examples Related to Autonomous/Connected Vehicles) Diagram labels: Crime (Including Financial), (H)Acktivism, Warfare, Terrorism (Including Corporate Blackmail), Espionage (Including Industrial Espionage). Espionage – seeking unauthorised access to sensitive information (intellectual property, commercial information, corporate strategies, personal data, pattern of life) or using the vehicle as a reconnaissance tool: • State • Commercial. (H)Acktivism – seeking publicity or creating pressure on behalf of a specific objective or cause: • Disruption of specific businesses/organisations (supplier or end user) • Disruption of specific geographic areas (cities, routes). Criminal – largely driven by financial gain, but may include gang related violence: • Theft of a vehicle • Theft from a vehicle • Hijack of a vehicle • Kidnap of a vehicle’s occupant(s) • Criminal damage. Terrorism: • Use of vehicle as a weapon • Attacks on vehicle and/or vehicle’s occupants • Disruption of transport systems/infrastructure. Warfare – conflict between nation states: • Disruption of transport systems/infrastructure to deny operational use • Disable specific modes of transport or vehicle types • Destruction of vehicles
  • 38. New Models for Evaluating Cyber Security & Safety. Parkerian Hexad (Parker DB; 2002): Possession/Control, Integrity, Availability, Utility, Authenticity, Confidentiality. CIA Triad (Bishop M. 2004): Confidentiality, Integrity, Availability. Cyber Security for Autonomous Systems (Boyes H. 2014): Confidentiality, Possession/Control, Integrity, Authenticity, Availability, Utility, Safety. Element – Relevance to CPES: • Confidentiality – Protection of personal & other sensitive data • Possession/Control – Prevent unauthorised manipulation or control of systems • Integrity – Prevent unauthorised changes to or deletion of data & maintenance of system configuration • Authenticity – Prevention of fraud or tampering with data • Availability – Autonomous Infrastructure able to operate without disruption or impairment • Utility – Maintaining data & systems in a useful state throughout their lifecycle • Safety – Prevention of harm to individuals, assets and the environment
  • 39. Autonomous Systems Defence Capability Strategies (Prevent, Protect, Detect, Deny, Respond). Prevent – the prevention of unauthorised users gaining access to subsystems, prevention of unauthorised modifications or changes to a system's configuration, prevention of a system going into an unsafe and insecure mode of operation. Protect – the protection of any data or information at rest, in transit or in operation using strong cryptographic and hashing techniques, the protection of the access portals from unauthorised connection through strong authentication. Detect – the detection of hardware, software modification outside of operating parameters, the detection of unauthorised activity within the system, the detection of anomalous activity within operating parameters. Deny – the denial of access either physical or remote, the denial of code or hardware modification without approval, the denial of an attack using active defence measures. Respond – the ability to respond (automatically or otherwise) to events before safety or security countermeasures are activated, the ability to respond after safety or security countermeasures have been activated.
  • 40. Managing Enterprise Cyberspace (Cyber Operations) Source: Roy Isbell DFM
  • 41. The Edge Connected Human (Thoughts for Consideration) Wearable Technology; Prosthetics & Implants; Senses As Sensors; Interaction. Image sources: unknown; ETSI
  • 42. Thank You for Listening Questions? LMTE Cyber Security Special Spring Summit
  • 43. Where every interaction matters. Risks and new technology Presented by Daniel Beazer Senior Consulting Analyst 20th May 2015
  • 44. Today’s Agenda • Introduction to Peer1 • Changing face of risk in IT • Traditional IT vs Agile • A closer look at risk in two areas, one over-exaggerated, the other under-exaggerated • Conclusions for the market • A takeaway slide and Q&A
  • 45. We are not good at assessing risk: “If you both own a gun and a swimming pool in your backyard, the swimming pool is about 100 times more likely to kill a child than the gun is.”
  • 46. Us in a nutshell We are a global web infrastructure and cloud hosting company specializing in customized solutions for eCommerce, SaaS applications and content publishing. We use innovative technology to deliver exceptionally responsive, reliable and secure hosting experiences – we are obsessed with customer experience. Most importantly, we care.
  • 47. Our Services: Managed Hosting Services; Secure Datacenters; Scalable Infrastructure; Cloud Hosting Services
  • 48. Massive disruption in IT creates new risk
  • 49. The state of IT
  • 51. IT spend is no longer exclusively with IT ▪ 21% of spend is now outside IT (Gartner CIO Survey Feb 2015) ▪ Mostly in marketing, where predictive analytics and other digital tools can give enterprises competitive advantage ▪ All C-levels now make IT decisions (e.g. to buy iPads for sales) ▪ IT struggles to meet this demand ▪ AWS’s Stephen Schmidt: ‘we don’t talk to IT’ ▪ Many private (and public) clouds have been built and are unused
  • 52. Traditional IT • Top down command and control, everyone has to live with their decisions • Black box: no one outside the function can understand (even less criticise) what they do • Not aligned with any positive business objectives, only negative (keeping the lights on, stopping security breaches) • The customers, i.e. groups within the business, have no choice but to use what IT offers • Uses monolithic proprietary applications hosted in house with strategic vendor, lead times, SLA, all below market
  • 53. Traditional IT project • Instructions received from another department • Scope and specifications issued via RFP to vendors • Plans are for maximum capacity • Lengthy procurement process • Monolithic hardware and software • Long contract periods • Testing, staging and then live • Up to a year for a new project
  • 54. An agile IT project (On Demand) • Lead times < 1 hour, no procurement • Usage based, automated, no contracts • Open source software (no time to negotiate) • No longer in house, distributed • Continuous live development • Tied to business outcomes
  • 55. Use cases… from a cost of $20mn to $5m and a lead time of a year to three months
  • 56. Security and risk
  • 57. Quis custodiet ipsos custodes? (Who will guard the guards themselves?)
  • 58. The security industry • Generate most of the data in the industry and create most of the noise • True 3rd party advice hard to find: industry analysts and consultants have no incentive to doubt the prevailing ethos • Traditional ‘cleverest man in the room’ and FUD sales tactics • MO consists of finding more problems and defects so customers have to spend more • $76bn industry (Gartner 2015 estimate) vs Microsoft $86bn, IBM $92bn
  • 59. A security vendor slide and a layer cake
  • 60. The security group in enterprise: Perverse incentives • Rain dance argument • The group in the business where failure is rewarded • More breaches = more budget if politics are handled correctly • Infosec/CISO group has little influence • Buying a wall and a guard is enough
  • 61. From the Annual Fraud Indicator ▪ 67% of fraud is insider fraud ▪ Of the companies polled not one was able to recover the funds ▪ Online banking fraud £40mn ▪ Plastic card fraud £338mn ▪ Identity fraud £3.3bn ▪ Private sector fraud £15.5bn (40% of total)
  • 62. Risks in the cloud
  • 63. Where we think the risks lie ▪ 27% lack of visibility into who can access data ▪ 18% lack of confidence in the cloud provider's security abilities ▪ 12% unclear liability if there is an attack/loss of data. Source: Gartner Survey December 2014
  • 64. Where the risks really lie ▪ Cloud collapse - Brittle businesses often go bust (Nirvanix) - Outages common - No cover for outages/business risk in contracts ▪ But... many backup/security advantages (see next slide) ▪ Complacency: Security incidents mostly caused by customer usage, e.g. sloppy code, old OSS, allowing ghost accounts from ex-employees to proliferate ▪ Regulatory breaches: Rogue cloud usage, uncontrolled SaaS is universal. Source: Gartner Survey December 2014
  • 65. ‘Cloud may be more secure than client server’ (Gus Hunt, CTO, CIA) • Ability to reimage/remove software and transfer it to another makes it harder to carry out attacks • Organisations can secure end to end using encryption • IT depts find it hard to compete with cloud providers' scale • Thousands of customers versus one, 100Gbps vs 100Mbps of traffic • Benefits of pooled resources, scaled security, DDoS • The more physical the more insecure, paper, USBs (60% are lost containing corporate data) • Poorly maintained legacy equipment proliferates in enterprise
  • 66. Conclusion ▪ Opportunity for the market to drive best practices through genuine third party advice / consulting ▪ Lower premiums for organisations with lower risk ▪ Test and monitor! … and use the cloud to analyse all that big data
  • 67. Ten questions your cloud provider doesn’t want you to ask ▪ Can you give us your three year availability history? ▪ Can you prove to us you will be in business in three years' time? ▪ Can we audit your data centre? Can our auditors? ▪ If your cloud node goes down just before Xmas how much will you pay me? ▪ Can you guarantee performance? How? ▪ Can you walk me through what happens if I suffer a security breach? ▪ Or I decide to leave? ▪ Can you guarantee my data will not remain on your platform once I am gone?
  • 69. Early Warning Systems For Advanced Threat Rashmi Knowles CISSP Chief Security Architect EMEA
  • 70. CYBER THREAT LANDSCAPE (Source: M-Trends 2015) © Copyright 2015 EMC Corporation. All rights reserved.
  • 71. more advanced, more mobile, diStrUcTive
  • 73. The RSA Research & Threat Intelligence Outputs: Threat Intelligence Feeds via Live; Public Releases and Blogs via Speaking of Security Portal Reports & White Papers via Community Forums; Features and Functionality Built Into RSA Products & Services; Formal Threat Intel Exchange Groups
  • 74. RSA RESEARCH AND THREAT INTELLIGENCE (AFCC, RESEARCH LAB, INTEL TEAM) • 150 Analysts, 100+ languages • 16,000 ISPs and hosting authorities • 6,000,000,000 URLs/day • 800,000 attacks shutdown • 5hrs time to shut down • 50-150K samples per week • Static and dynamic analysis • Credential recovery • Mule accounts • Military-trained intel agents • Tap fraud communication channels • Passive & proactive monitoring • Report on emerging threats and attack vectors
  • 75. AS THE WORLD GOES MOBILE CYBERCRIME WILL FOLLOW
  • 76. AS THE WORLD GOES MOBILE – SO DOES FRAUD
  • 77. 40% of all fraudulent transactions came from Mobile Devices. Source: RSA Adaptive Authentication
  • 78. CYBERCRIME AS A SERVICE: Cybercriminals increase the effectiveness of attacks and even leverage big data principles
  • 79. CYBERCRIME AS A SERVICE • Exploit Kits • Botnet Infrastructures • Call Centre service • Facebook accounts/Ads • Bitcoin stealer • DDoS attacks
  • 80. DARKNET PRICE LIST • Infections: $11 p/1000. There are "multi-tenancy" (multiple variants on 1 machine) plans that reduce cost • Hosting: $50-$100. Bullet proof; server only • Exploit kit hosting: ~$100 per week, ~12% guaranteed infection rate • Malware development: $2,500. The average cost of commercial malware • Exploits: $1000-$300,000. Varies greatly based on the exploit… • Turnkey banking trojan service: $700 - $1000 • Credit card data: $0.25 - $60. Depending on the amount of data being sold (front-of-plastic vs full track data); exotic geo's, such as China, can fetch up to $300 per card. • Phishing kit: $0-$50 • Spam: $50 to ~500,000 emails • DDoS as a service: ~$7 p/hour • Proxy/RDP/SOCKS/VPN access: $5-$12. Price per IP or for period of access • Call service: $10-$15. Depending on the required language/accent
  • 81. Ransomware – customized for legitimacy. Source: http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html
  • 82. THREAT LANDSCAPE (Source: Verizon DBIR2014) • Malware variants – RAM scraping • 70-90% malware unique to an organisation • 70% attacks were trusted third-party • Phishing associated with 95% of state sponsored attacks • 50% open emails and click on link within an hour • 99.9% of exploited vulnerabilities compromised more than a year after CVE published
  • 83. DEFENDER-DETECTION DEFICIT (Source: Verizon DBIR2014)
  • 84. COUNT OF MALWARE EVENTS (Source: Verizon DBIR2014)
  • 86. Advanced Threats Are Different: 1. Targeted – specific objective 2. Interactive – human involvement 3. Stealthy – low and slow. Timeline diagram labels: Attack Begins, System Intrusion, Cover-Up Discovery, Leap Frog Attacks, Cover-Up Complete, Attack Identified, Response; Dwell Time, Response Time. Goals: 1. Decrease Dwell Time 2. Speed Response Time
  • 87. 205 days – Average number of days threat groups were on a victim's network without detection. The longest presence was 2,982 days. Source: M-Trends 2015
  • 88. SECURITY MUST EVOLVE. It Will Become Increasingly Difficult To Secure Infrastructure. We must focus on people, transactions, and the flow of data. Static, Perimeter-Centric & Compliance Oriented. Risk-based, Agile, & Contextual Visibility.
  • 89. ORGANIZATIONS MUST GET CREATIVE TO DETECT AND DISRUPT ATTACKS • Focus on early detection of breaches to minimize your window of vulnerability. • Move backward in the ‘Kill chain’ • The key is actively preserving, aggregating and reviewing data to detect a potential intrusion but also for post-event forensics. Kill chain stages: Recon, Weaponise, Deliver, Exploit, Install, C2, Action
  • 90. STRATEGIC SECURITY INVESTMENT SHIFT NEEDED NOW! Today’s Priorities: Prevention 80%, Monitoring 15%, Response 5%. Intelligence-Driven Security: Prevention 33%, Monitoring 33%, Response 33%
  • 91. BUILDING BLOCKS OF INTELLIGENCE DRIVEN SECURITY
  • 92. INTELLIGENCE DRIVEN SECURITY IN ACTION. Diagram labels: Cloud, On Prem; ANALYTICS; IDENTITY & ACCESS; DATA; Threat, Fraud, Compliance, Identity; GOVERNANCE, RISK, & COMPLIANCE; LOGS, PACKETS, NETFLOW, ENDPOINT, ID, VULNS, THREAT (INT & EXT)
  • 93. BENEFITS OF THIS APPROACH • Risk-driven – Prioritize activity and resources appropriately • Incremental and achievable – New capabilities improve your maturity over time • Future proof – Enables response to changes in landscape not based on adding new products • Agile – Enables the business to take advantage of new technology and IT-driven opportunities
  • 94. CUSTOMER MATURITY MODEL: Advanced Threats Become the Major Spend Driver as Customers Mature (rows: Catalyst, Approach, Scope, Technology) • Security Level 1, Naïve/Cost-based: Security is “necessary evil”; Reactive and decentralized monitoring; Tactical threat defenses • Security Level 2, Compliance-driven: Check-box mentality; Implement security to be compliant; Tactical threat defenses with tracking and reporting tools; Regulatory Environment • Security Level 3, IT risk-driven: Proactive and assessment-based; Assess risks and detect threats for organization; Security tools integrated with common data and mgmt platform; New leadership • Security Level 4, Business risk-driven: Security fully embedded in enterprise processes; Assess business risks to drive security implementation; Security tools integrated with business tools e.g. eGRC; Security breaches, customer demand
  • 95. CHARACTERISTICS OF SECURITY MATURITY. Step 1: Threat Defense. Step 2: Compliance and Defense-in-Depth. Step 3: Risk-Based Security. Step 4: Business-Oriented. Diagram labels: VISIBILITY, COLLABORATION, RISK
  • 96. EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.