Key Innovations in Cybersecurity
THE SHIFT TO DETECTION AND RESPONSE
SESSION MT117
BEN SMITH CISSP CRISC @BEN_SMITH
Dell - Internal Use - Confidential
Who here is an IT security professional?
What you will NOT hear from me today…
• “It’s not about if you get breached; it's when you get breached.”
• “Even large enterprises that have millions of dollars to spend on
security got breached, so everyone is at risk.”
• “The breaches we have seen so far are just the beginning – bigger
breaches are coming.”
• “Legacy security technologies are of limited value in the face of
advanced persistent threats.”
• “Security incidents can put you out of business.”
Gartner, “The Future of Security Sales Revolves Around Digital Risk” (May 2015) [G00278090]
Material gaps in detecting, investigating cyber-attacks
24%
Organizations satisfied with their current ability to detect and investigate
Organizations unable to investigate attacks very quickly using their current data & toolsets
92%
Organizations unable to detect attacks very quickly using their current data and toolsets
89%
RSA, “Threat Detection Effectiveness Survey” (2016) https://www.rsa.com/en-us/perspectives/resources/threat-detection-effectiveness
Material gaps in detecting, investigating cyber-attacks
< 5%
Organizations who know their split of investment between prevention and detection/response
Cybersecurity budget allocation for rapid detection and response approaches [2015]
60%
Cybersecurity budget allocation for rapid detection and response approaches [2020 prediction]
< 20%
Gartner, “Shift Cybersecurity Investment to Detection and Response” (Tirosh & Proctor, 2016) [G00292536]
Agenda
• On the Offense: Cybercrime = a modern business model!
• On the Defense: Legacy tools and approaches
• The mandatory shift from prevention ► detection & response
• Innovation in cybersecurity: technology, processes, procedures
• “Business-Driven Security” and the RSA NetWitness Suite
The Scrap Value of a Hacked PC
Brian Krebs, “The Scrap Value of a Hacked PC, Revisited” (2012), http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
Attack sophistication vs. intruder technical knowledge
CERT Software Engineering Institute (SEI) at Carnegie Mellon University (2011) [via INSA report: http://www.oss-institute.org/storage/documents/Resources/studies/insa_cyber_intelligence_2011.pdf]
Attack Surface
• Individual computers (corporate, personal)
• Mobile devices
• Internet of Things (IoT)
• Virtualization
• Cloud computing
Cybercrime market: not easy to size, but BIG!
“The black market can be more profitable than the illegal drug trade: Links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements are negligible. This is because a majority of players, goods, and services are online-based and can be accessed, harnessed, or controlled remotely, instantaneously. ‘Shipping’ digital goods may only require an email or download, or a username and password to a locked site. This enables greater profitability.”
RAND, “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar” (2014), http://www.rand.org/pubs/research_reports/RR610.html; World Economic Forum, “The Global Risks Report” (2016), https://www.weforum.org/reports/the-global-risks-report-2016/;
RSA, “Current State of Cybercrime” (2016), https://www.rsa.com/en-us/perspectives/resources/2016-current-state-of-cybercrime
"The Internet of Things is a growing reality, introducing new efficiencies as well as new vulnerabilities and interconnected consequences. Recent technological advances have been beneficial in many respects, but have also opened the door to a growing wave of cyberattacks – including economic espionage, cybercrime, and even state-sponsored exploits – that are increasingly perpetrated against businesses."
In a six month study, RSA uncovered more than 500 fraud-dedicated social media groups around the world with an estimated total of more than 220,000 members. More than 60 percent, or approximately 133,000 members, were found on Facebook alone. The types of information openly shared in social media include live compromised financial information such as credit card numbers with PII and authorization codes, cybercrime tutorials, malware and hacking tools, and cash out and muling services.
The industrialization of cybercrime
Specialization
Division of Labor
Cybercrime…is a business!
Sophos, “TeslaCrypt ransomware attacks gamers – ‘all your files are belong to us!’” https://nakedsecurity.sophos.com/2015/03/16/teslacrypt-ransomware-attacks-gamers-all-your-files-are-belong-to-us/
Different levels of participants in the underground market
RAND, “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar” (2014), http://www.rand.org/pubs/research_reports/RR610.html
Everything you might need is available “on the market”
• Web infrastructure & core applications
• Multi-lingual call centers ready to impersonate / support
• Application development tools & technical services
• Rentable cybercrime infrastructure (including ready-to-use botnets)
• Anonymized payment systems (BTC)
• Research & development (zero-day research)
Organizations face difficult security challenges
A real scarcity of skilled security analysts
forces enterprises to get creative to combat
threats and protect the enterprise.
GROWING SHORTAGE OF
SKILLED SECURITY STAFF
More endpoints in the enterprise, in the field,
and in the cloud means more potential entry
points for attacks.
A GREATLY EXPANDING
ATTACK SURFACE
The days of simple malware or APTs are
gone. Today’s attacks are targeted, lengthy,
and multifaceted.
MORE SOPHISTICATED
ATTACK CAMPAIGNS
So they take preventive steps to protect themselves
[Diagram labels: Confidential Data, Endpoints; NGFW, IDS / IPS, SIEM, NGFW]
80% of security staff, budget, and activity is generally dedicated to preventive action
But breaches still occur…what’s happening?
[Diagram labels: Confidential Data, Endpoints; NGFW, IDS / IPS, SIEM, NGFW]
• NGAV misses UNKNOWN, NEW threat
• NGFW has no rule for / against threat traffic
• IPS has no signature for the threat packets
• SIEM captures logs, but will it trigger an alert?
• NGFW has no rule for / against threat traffic
How big is the compromise? How long has it been there? Just how bad is this? What did the attacker do?
Missing the little things rapidly adds up to one bigger problem
SECURITY DETAIL
• Account lockouts
• Failed user access attempts
• Web shell deletions
• Buffer overflows
• SQL injections
• Cross-site scripting
• Denial-of-service
• IDS/IPS events
• Incident-level fixes
BUSINESS RISK
• How bad is it?
• Who was it?
• How did they get in?
• What information was taken?
• What are the legal implications?
• Is it under control?
• What are the damages?
• What do we tell people?
Why does the gap exist?
• Lack of context & ability to prioritize
• Alert fatigue
• Multiple disconnected point solutions
SECURITY EXCLUSION: FW, A/V, IDS / IPS, SIEM, NGFW, SANDBOX, GW
SECURITY INCLUSION: 2FA, ACCESS MGMT, PROV, SSO, PAM, FEDERATION
BUSINESS / IT RISK MANAGEMENT: GRC, SPREADSHEETS, VULN MGMT, CMDB
Moving from purely prevention ► monitoring & response
A more balanced approach is needed!
[Chart: Today’s investment mix – Prevention, Response, Monitoring; Ideal mix – Prevention, Response, Monitoring]
Organizing the innovations
Preventive Detective Investigative Response
Multi-factor authentication & biometrics hits mainstream
Innovation: Preventive
The coming maturation of the cyberinsurance industry
Innovation: Preventive
• ~$3.25B annual premiums
– Dominated by AIG, ACE, Chubb, Zurich, and Beazley Group
CIAB, “Cyber Insurance Market Watch Survey’” (2016), https://www.ciab.com/uploadedFiles/Resources/Cyber_Survey/2ndCyberMarketWatch_ExecutiveSummary_FINAL.pdf;
Insurance Journal, “Where Cyber Insurance Underwriting Stands Today” (2015), http://www.insurancejournal.com/news/national/2015/06/12/371591.htm
NIST’s Cybersecurity Framework (CSF)
Increase visibility and situational awareness by leveraging more data – not just logs
Innovation: Detective
[Diagram: Secondary Sources – Logs (Events, IDS); Primary Sources & Context – Full Network Traffic, Endpoint/Host, Asset Information, Threat Intelligence]
Behavioral analytics (UBA / UEBA) versus static rules
Innovation: Detective
LEADING INDICATORS OF A PLANNED C2 (COMMAND AND CONTROL) EXPLOIT
• Beaconing Behavior
• Rare Domains
• Rare User Agents
• Missing Referrers
• Domain Age (Whois)
• Real-time Analytics
– Data Science algorithms
– Scores on multiple C2 behavior indicators
– Uses streaming HTTP activity
• Low False Positives
– Learns from ongoing and historical activity
– Supervised whitelisting option
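The five indicators on this slide can be combined into a single per-host score over HTTP proxy records, which is what lets an analyst rank hosts instead of chasing one static rule at a time. The following Python is an added example written for this page, not RSA's or NetWitness's code: the log records and the domain-age table are constructed stand-ins (a production version would query Whois and read a real proxy feed), and the weights, thresholds and the allowlist parameter that stands in for the slide's "supervised whitelisting" are assumptions.

```python
"""Score HTTP proxy records for leading indicators of C2 beaconing (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample proxy log: (timestamp, src_host, domain, user_agent, referrer)
BASE = datetime(2016, 10, 3, 9, 0, 0)
SAMPLE_LOG = []
# ws-17 calls cdn-upd4te.example every 60 s with a bare UA and no referrer (constructed beacon)
for i in range(8):
    SAMPLE_LOG.append((BASE + timedelta(seconds=60 * i), "ws-17", "cdn-upd4te.example",
                       "Mozilla/4.0 (compatible)", None))
# Ordinary, irregular browsing from three workstations (constructed)
COMMON_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"
for n, host in enumerate(["ws-17", "ws-22", "ws-31"]):
    for secs in (0, 13, 95, 311, 702):
        SAMPLE_LOG.append((BASE + timedelta(seconds=secs + n * 7), host, "www.example.com",
                           COMMON_UA, "https://www.example.com/"))
        SAMPLE_LOG.append((BASE + timedelta(seconds=secs + n * 7 + 5), host, "mail.example.org",
                           COMMON_UA, "https://www.example.com/"))

# Constructed stand-in for a Whois registration lookup: domain -> age in days
DOMAIN_AGE_DAYS = {"cdn-upd4te.example": 3, "www.example.com": 5000, "mail.example.org": 4200}

# Assumed weights; tune to the environment
WEIGHTS = {"beaconing": 3, "rare_domain": 2, "rare_user_agent": 2,
           "missing_referrer": 1, "young_domain": 2}


def is_beaconing(timestamps, min_hits=4, max_cv=0.1):
    """Regular request intervals (low coefficient of variation) over enough hits."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv


def score_c2_indicators(log, domain_age_days, weights=WEIGHTS, allowlist=frozenset()):
    """Return {(host, domain): {"score": int, "indicators": [...]}} for every pair seen."""
    hosts = {r[1] for r in log}
    hosts_per_domain = defaultdict(set)
    hosts_per_ua = defaultdict(set)
    pair_times = defaultdict(list)
    pair_no_ref = defaultdict(int)
    pair_uas = defaultdict(set)
    for ts, host, domain, ua, referrer in log:
        if domain in allowlist:          # analyst-supervised allowlist: skip known-good domains
            continue
        hosts_per_domain[domain].add(host)
        hosts_per_ua[ua].add(host)
        pair_times[(host, domain)].append(ts)
        pair_uas[(host, domain)].add(ua)
        if not referrer:
            pair_no_ref[(host, domain)] += 1
    results = {}
    for (host, domain), times in pair_times.items():
        hits = []
        if is_beaconing(times):
            hits.append("beaconing")
        # "Rare" means seen from a single host while the population has several
        if len(hosts) >= 3 and len(hosts_per_domain[domain]) == 1:
            hits.append("rare_domain")
        if len(hosts) >= 3 and any(len(hosts_per_ua[ua]) == 1 for ua in pair_uas[(host, domain)]):
            hits.append("rare_user_agent")
        if pair_no_ref[(host, domain)] / len(times) >= 0.9:
            hits.append("missing_referrer")
        if domain_age_days.get(domain, 10**6) < 30:
            hits.append("young_domain")
        results[(host, domain)] = {"score": sum(weights[h] for h in hits), "indicators": hits}
    return results


def top_suspects(results, threshold=5):
    """Pairs at or above the threshold, highest score first."""
    return sorted([k for k, v in results.items() if v["score"] >= threshold],
                  key=lambda k: -results[k]["score"])


if __name__ == "__main__":
    res = score_c2_indicators(SAMPLE_LOG, DOMAIN_AGE_DAYS)
    for pair in top_suspects(res):
        print(pair, res[pair])
```

Each indicator is weak on its own (a legitimate software updater also beacons, and a new marketing site is also a young domain); the point of the scoring is that several weak signals on the same host/domain pair are what rises above the noise, and the allowlist is where an analyst feeds confirmed-benign domains back into the model.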
Humans are great anomaly detectors…people catch people!
Innovation: Detective
Increasing visibility via public cloud security APIs
Innovation: Detective / Investigative
AWS CloudTrail; Microsoft Azure Management API
Speed & scope of sharing of community-oriented threat intelligence
Innovation: Detective / Investigative
• Information Sharing and Analysis Center (ISAC) model
Security monitoring teams; virtual MSSP SOCs
Innovation: Response
SOC Manager
Tier 2 Analyst
Security Architect
Tier 1 Analyst
Threat Intelligence Analyst
RSA is very active innovating across all of these areas
Preventive Detective Investigative Response
• Authentication capabilities incorporating software tokens &
biometrics (more secure and more convenient)
• Collaborating with cyber-insurance underwriters to mitigate risk
• Behavior-based analytics for smarter detection
• Tooling for human hunters
• Creating & consuming community threat intelligence
• Providing a set of products & services to build SOCs
• Security monitoring technology = comprehensive visibility
– Logs/event, network traffic, endpoint, threat intelligence,
public cloud APIs…
Under attack: your data, your endpoints, your network
RSA NetWitness Suite [ packets + logs + endpoint ]
• NetWitness Server – master console
• NetWitness Endpoint – agent console
• NetWitness Logs – ingestion & indexing
• NetWitness Packets – ingestion & indexing
• RSA Live – threat intelligence
• NetWitness SecOps Manager – response workflow, orchestration
Business-Driven Security
[Diagram labels: CONTEXTUAL INTELLIGENCE; SECURITY EXCLUSION; SECURITY INCLUSION; ANALYTICS; ORCHESTRATION & RESPONSE; POWER & SPEED OF INSIGHT; RIGHT PICTURE; RIGHT ACTIONS; BUSINESS CONTEXT; RSA SECURID SUITE; RSA CYBER ANALYTICS PLATFORM; RSA NETWITNESS SUITE; RSA ARCHER SUITE; RSA FRAUD & RISK INTELLIGENCE SUITE]
PORTFOLIO
• Respond in minutes, not months – NetWitness Suite
• Reimagine your identity strategy – SecurID Suite
• Take command of risk – Archer Suite
• Take command of your evolving security posture – Risk & Cybersecurity Practice
• Expose cybercriminals, protect customers – Fraud & Risk Intelligence Suite