Building a culture of cybersecurity is critical to every organization no matter the size. Join Aaron Cohen, Director of Cyber Security Services, to learn more about how to strengthen your organization’s cyber resiliency.
Notes: Here’s what’s happened – this is why we are having the conversation today
Needs to be updated
LINDA Remove GDPR – put Equifax stuff in – change slant from
Consequences of attacks over the last 18 months are different from what we saw just a few years ago. We are seeing attacks at a pace that is truly astonishing
Mirai botnet – weaponization of IoT devices
The level of sophistication of threat actors is significant
And in a world where users are making choices and attacks are more sophisticated than ever – data and analytics matter
This is a big buzzword, but analytics can truly deliver
Analytics can make security predictive
Most security is forensic and looks to the past – but in the future, with analytics, we can learn whether something is about to happen
From a SOC perspective it dramatically reduces the workload, because it reduces false positives
Analytics lets us interrupt the analyst only when we need to, so employees do not get overwhelmed
With Mirai, scanning the internet for exposed IoT devices still using default credentials could have revealed the vulnerable population before it was recruited into the botnet
Ransomware by Destination – Top 5 for Asia, Pacific, and Japan
Source: Symantec ISTR

Regional Rank | Global Rank | Country   | % of Global Detections
1             | 2           | Japan     | 9.2%
2             | 5           | India     | 3.8%
3             | 9           | Australia | 2.8%
4             | 14          | Indonesia | 1.3%
5             | 16          | China     | 1.0%

Highlighted on the slide: Australia – regional rank 3, global rank 9, 2.8% of all global detections.
Here’s the threat landscape – taking a quick step back, here’s where we were – walk people through this slide
Have to learn from the past – a lot of these build on each other – what’s old always comes back as new again (ex: Kevin Mitnick and his social engineering from 25 years ago)
Cyber Collaboration?
Adversaries are professionalized – have teams
Nation states are collaborating
Underground marketplaces –
Need to collaborate as an industry
Collaboration > Today’s Adversaries (transition from previous slide)
This is the WHO slide – who are they?
WHY? Adversaries are motivated by different things/reasons
WHAT DOES OUR EXPERIENCE TELL US - BATTLE FIELD HAS SHIFTED AND THE MOTIVATIONS HAVE EVOLVED.
Adversary motivated by: Money, Power, Information
We are focused on the what, when, where and how in addition to the who and why
Motivations (from previous slides)
Money (Hacking/Crime)
Lucrative Industry for Hackers
Attackers Follow the Money
Power (cyber espionage and cyber warfare)
Control or Leverage
Safety of Citizens and Nations
Information > leads you in lots of different directions
Trade Secrets & Intellectual Property
Digital Value of Assets
It isn’t that our users are stupid. Here are the common reasons behind the mistakes we blame on “stupid” users:
Poor training
Not motivated
Malicious
Reasons 1 and 2 are by far the most common.
Give the story of the USCG. People are inherently good and don’t want bad things to happen to the organization. After all, that’s how they get paid.
Examples:
How do we
Since most successful attacks involve people > Security training isn’t a one-size-fits-all concept.
C-level executives don’t need the same things on their radar as IT managers. You need to offer content specifically tailored to the different roles in your organization.
By approaching security awareness this way, you can move past minimum requirements and into meaningful change. Identify key roles within your organization, and provide those roles with the training courses they need.
By doing this, you can concentrate on the areas that present the biggest threat to any given role, allowing you to target risks with focused content. When you mix these specialized modules with basic best-practice modules, such as building a strong password, you promote meaningful behavior change and increase your organization’s overall security.
You assess the major roles within your organization, determine what they need to know, and provide training they can begin to use immediately. My example could be anything from the C-level executives to the HR department. Since time is short today, I am going to talk about the technical users: developers, administrators, security professionals. Remember them? They need awareness as well, just a different type of awareness. They don’t need literacy training; they need real-world training, using the latest threats and vulnerabilities…
Make it easy for people to not compromise the organization – technical controls that remove the chance to make a mistake:
Adding an [EXT] tag to the subject of emails that originate outside the organization
Available in Office 365 for enterprise tenants at no extra cost (a drop-down option)
Ex: Healthcare company
Adding special colors/fonts to email signatures
Password expiration (90 days) (note: NIST SP 800-63B now advises against forced periodic rotation unless compromise is suspected)
Password strength enforcement (alphanumeric, mixed case, 9+ characters, etc.)
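The external-email tagging control above, as an added example that is not part of the presentation: the two ways Exchange Online exposes it, the built-in Outlook “External” tag and a mail flow rule that prepends [EXT] to the subject. It assumes the ExchangeOnlineManagement PowerShell module is installed, the account running it holds an Exchange administrator role, and the rule name and the partner domain `partner.example.com` are placeholders.

```powershell
# Added example (not from the presentation): make mail from outside the
# organization visibly different so staff can spot it at a glance.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# Option 1: the native "External" tag rendered by supported Outlook clients on
# messages from outside the tenant. Trusted partner domains that should not be
# flagged go in -AllowList (partner.example.com is a placeholder).
Set-ExternalInOutlook -Enabled $true -AllowList @("partner.example.com")

# Option 2: a mail flow (transport) rule that prepends "[EXT] " to the subject
# of every message sent from outside the organization to someone inside it.
# This works in any mail client, not only Outlook. The exception stops a
# long external reply chain from collecting "[EXT] RE: [EXT] RE: ..." tags.
New-TransportRule -Name "Tag external senders" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectContainsWords "[EXT]" `
    -PrependSubject "[EXT] " `
    -Comments "Phishing awareness control: external mail is tagged in the subject"

# Check: confirm the rule exists and is enabled before telling users to rely on it.
Get-TransportRule -Identity "Tag external senders" |
    Format-List Name, State, FromScope, SentToScope, PrependSubject
```

Pick one mechanism per tenant rather than both, otherwise users see two markers on the same message and learn to ignore them. Whichever you choose, pair it with the awareness message that the tag means “treat links and attachments with suspicion”, not “this mail is safe if the tag is absent”: a compromised internal mailbox sends untagged mail.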
And how do you do this? Provide interesting content.
Transition > Great that we can put technical controls in place, but we need better content
Thinking outside the box and using better techniques to get users to do what we want them to do.
Gamification and Making it personal.
Security is not an exciting topic unless you’re in the field. This means that training should be more personal, so employees understand the implications and understand the impact they have on data protection.
Instead of talking to users about protecting corporate data, try talking about how to protect their own financial data – what two-factor authentication looks like, how it should be done, how you know what your kids are talking about on SnapChat… While they work on the personal side, the behavior carries over to the corporate side.
Ex: Executive briefing on how to keep families safe at home – changing passwords, not clicking on links, recognizing phishing emails > This makes it personal to executives
Ex: Teach them how to protect own financial data at home
Everyone needs basic training – technical employees need that basic training plus more – a whole other layer of training
Technical staff need more to make sure they are protecting information and systems
Ex: Next slide
Example of how Symantec prepares our technical audience
Talk them through this – we
We eat our own dog food:
Here is a really good example. Before my company was acquired by Symantec, they ran an internal Wargames event – FOR EVERYONE! One attractive reason we joined Symantec.
So why do this? In theory,
Simulation based training can:
Enhance technical and functional skills
Problem solving and decision making skills
Interpersonal and communication skills- team based competencies
Find hidden talent
Retention
In this case you not only engage employees with something interesting and different – you identify and keep good talent. This leads to addressing the ever-looming skills gap.
Notes on the three-letter agency example
Are you capable of defending your network?
Have you thought about ways to find the right people?
Do you need outside help? (go to next slide – evolution)
Key Message:
As security operations mature, the need for an MSSP or third party doesn’t go away – internal capabilities may shift – leave the things that are hard to do internally (like incident response) to a third party
It’s okay to offload things to third parties – focus on the things your team/org is best at – and offload those other things to outside parties
You may not have resources, etc.
Everything I’ve talked about is for one reason – so you are more prepared for the attacks of tomorrow, which are getting more sophisticated
Learn from the past – it can be leveraged in the attacks of tomorrow – we are always looking for the next attack horizon – we train our people on these types of attacks in CyberWar Games
We need to collaborate with each other – like the adversaries do – internally and externally with third parties
If we educate people, we are prepared for what’s next
Seeded Questions:
I don’t have budget – what can I do?
We don’t have enough people to do all the work – how do we find the right people to fill the gaps?
If it’s everyone’s responsibility … Who’s most important? Where would you start?