Cybersecurity - Sam Maccherola

1,822 views

Published on

Palestra do evento "Cybersecurity: a nova era em resposta a incidentes e auditoria de dados"

Sam Maccherola - VP and General Manager Public Sector Guidance Software Inc.

Brasília, 04 de agosto de 2010

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,822
On SlideShare
0
From Embeds
0
Number of Embeds
32
Actions
Shares
0
Downloads
65
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Cybersecurity - Sam Maccherola

  1. 1. A New Era in Incident Response and Data Auditing<br />The Case for Cyberforensics<br />
  2. 2. Speaker <br />Sam Maccherola<br /><ul><li>Vice President and General Manager, Public Sector for Guidance Software Inc.Contact Info: sam.maccherola@GuidanceSoftware.com , (703) 657-7230
  3. 3. Bio</li></ul>20+ years of government management and program development experience within the information technology and systems integration industry, <br />At Guidance Software, manages strategic direction, as well as operational, sales, and business development for a growing global Government practice.<br />Prior to Guidance Software:<br />Vice President of Federal at ProSight Inc., responsible for overall strategic direction, as well as operations, sales and marketing components for the federal business unit. <br />President of Tenix America and VP of Public Sector Sales for Tripwire, Inc.  <br />Senior positions with Tumbleweed, Entrust Technologies, Inc., PLATINUM Technologies, and Legent Corp.<br />Recognized as one of the 100 people in Government and Industry that made a positive difference in Government IT by a panel of Government and Industry leaders. <br />Active participant in many associations that promote public-private sector information sharing and partnerships: AFCEA, ACT/IAC and ITAA <br />
  4. 4. Guidance Software, Inc.The World Leader in Digital Investigations<br />Enterprise Ready, Market Proven Solutions<br />Over 150 customers of EnCase® eDiscovery<br />Over 650 customers of EnCase® Enterprise including:<br />More than 100 of the Fortune 500 and over half of the Fortune 50<br />Deployed on over 10 million desktops, laptops and servers<br />The Leading Court-Validated Technology<br />Used in thousands of cases worldwide<br />Authenticated in over 50 published court cases and EnCase technology validated under Daubert/Frye<br />Courts have taken “judicial notice” of the validity of EnCase software<br />Top-ranked Software by Industry Analysts <br />Gartner’s highest rating for eDiscovery Software<br />Socha-Gelbmann’s Top 5 (highest category) for eDiscovery software<br />Forrester calls it “The de-facto industry standard for remote desktop collection” <br />Committed to Support your On-going Success<br />World-Class Training and Certification Program <br />Top-Ranked Professional Services Organization<br />
  5. 5. Government Agencies of AllSizes Rely on EnCase® Solutions<br />
  6. 6. Evolving Threats<br />Perimeter defense is never enough<br />With new technologies come new exploits<br />Threats can also be internal and/or inadvertent<br />A determined hacker will find a way (high end)<br />Hacking has become “Productized” (low end)<br />
  7. 7. Key Trends<br /><ul><li>Per a recent Cisco Annual Security Report, statistics found included:
  8. 8. the overall number of disclosed vulnerabilities grew by 11.5%.
  9. 9. Vulnerabilities in virtualization technology nearly tripled - from 35 to 103 year-over-year
  10. 10. attacks are becoming increasingly blended, cross-vector and targeted.
  11. 11. Cisco says its researchers saw 90% growth in threats originating from legitimate domains,
  12. 12. This year, numerous legitimate websites were infected with IFrames, malicious code injected by botnets that redirects visitors to malware-downloading sites, the company says.</li></li></ul><li>2008 Intelligence Community Statistics<br /><ul><li>55% Increase in Remote Access Cyber Intrusions
  13. 13. 52% Increase in Insider Cyber Intrusions
  14. 14. 22% Increase in Credit Card Fraud</li></li></ul><li>Verizon Data Breach Report<br />Analysis of over 500 e-forensics audits:<br /><ul><li>73% resulted from external sources
  15. 15. 18% by insiders
  16. 16. 39% implicated business partners</li></li></ul><li>Blackhats: Threat Actors<br /><ul><li>Nation States
  17. 17. 108 countries with dedicated cyber-attack organizations
  18. 18. Dragon Bytes: Chinese Information War Theory & Practice
  19. 19. Terrorists
  20. 20. Growing sophistication
  21. 21. Hamas and Al Qaeda
  22. 22. Ibrahim Samudra and Irhabi 007
  23. 23. Organized Crime
  24. 24. Cybercrime is big business aka RBN
  25. 25. FBI: #1 criminal priority is cybercrime</li></li></ul><li>Trends in Attacks Against .GOV<br /><ul><li>SQL Injection and Cross-site Scripting
  26. 26. Island Hopping-Unisys/DHS
  27. 27. Remote User Compromise-VPN Attacks-Client Side Attacks
  28. 28. PKI Compromise--Private Key Theft
  29. 29. Zero-Day Attacks
  30. 30. Automated Attack Tools
  31. 31. Digital Insider Attacks</li></li></ul><li>Data is the Lifeblood of Government<br />Vulnerabilities & Assessments<br />ClassifiedInformation<br />PII & Medical Records<br />Government Data<br />Sensitive Projects & Schematics<br />Epicenter of Risk<br />Troop <br />Movements<br />Budgetary/ Procurement<br />Defense Contracts<br />
  32. 32. Let the Blood Loss Begin…<br />25 July 2010<br />U.S. National Security Advisor on Wikileaks Report on Afghanistan<br />Says disclosure of classified information threatens U.S. national security<br />
  33. 33. On a Normal Day, an AgencyGets Hit by upwards of 2.4M Attacks<br />How effective is your security? 99.9%?<br />99% 12,000 - 24,000 attacks<br />99.9% 1200 - 2400 attacks through each day<br />99.99% 120 - 240 attacks<br /> Multiple technologies must be layered to get near 99.9% effective<br /> It is impossible to achieve impenetrability<br />Even if you pulled the plug, they can take the hard drive…<br />
  34. 34. Traditional Security is for Traditional Threats<br />“Traditional security solutions are obsolete…the signature approach and other traditional methods of security are not keeping pace with the number of threats being created by online criminals.”<br />“The days of traditional URL filtering are dead, we care about where users go and they all use the top 500 websites. We care about enforcing capable policy security and the content on pages is dynamic.”<br />“It often takes up to 24- to 72-hours from the time a threat is identified, analyzed, and its signature is developed to the time it is finally delivered to the endpoint. While consumers and enterprises are playing the waiting game; their endpoints are exposed and vulnerable.”<br />“The degree of difficulty for identifying malware targeting data is outpacing the innovation of traditional security vendors.”<br />
  35. 35. The CISO Knows this more than anyone<br />“…there needs to be a continuing and stronger emphasis on protection and management of data, distinct from focusing too heavily on threats and attacks.”<br />— Recommendations from the 2010 State of Cybersecurity from the Federal CISO’s Perspective — An (ISC)2 Report<br />“Perimeter defenses are no longer effective, if they ever were. It’s harder to fight a war from the inside than maintaining the perimeter. It requires additional resources.”<br />— John Wang, Security Architect,<br />NASA<br />
  36. 36. Over $40B Spent on FISMA since 2002 … not enough<br />More checklists and standards<br />Consensus Audit Guideline; CVE/OVAL; DISA GOLD/STIG; NSA/NIST NIAP (CCEVS EAL); DIACAP; FIPS; FISMA; ISO 17799; IEC 27002; GLBA; SOX; HIPAA; FDCC; SCAP; NERC’s CIP 009-2; and so on…<br />Compliance is not an insurance policy against the unknown threat.<br />Heartland Payment Systems<br />Breach cost at $12.5M+<br />
  37. 37. History Repeats Itself<br />Hannibal using the Roman Roads to cross the Alps<br />40% Increase in Major Intrusions (US-CERT)<br />
  38. 38. The Challenge – The Starting Line<br />You Are Here<br />
  39. 39. The Challenge – 1st Hour<br />You Are Here<br />
  40. 40. The Challenge – 2nd Hour<br />You Are Here<br />
  41. 41. The Challenge – 3rd Hour<br />You Are Here<br />
  42. 42. The Challenge – Owned<br />You Are Here<br />
  43. 43. Hosting Companies = Watering Holes<br />
  44. 44. Current Challenges in Cyber Defense<br />Regardless of what you do…<br />Attacks will continue 24/7/365<br />Enemy at the Gates will continue to recon/infiltrate/exfiltrate<br />Anonymity will challenge attribution<br />Malware will be custom designed and used against you<br />They live in 0-day environment<br />Polymorphic Code is on the rise<br />You need to be right 100% of the time<br />How do you learn to defend if you never learn what happened or who you’re dealing with?<br />
  45. 45. Cyber Forensics is the Spear Tipof any Cybersecurity Initiative<br />Identify covert/undiscovered threats: dynamically adaptive patented technology gives InfoSec the advantage against new threats:<br />Polymorphic Malware<br />Packed files<br />Other advanced hacking techniques<br />Attribute new attacks to older attacks, invaluable in attributing malware to an attacker<br />Complete visibility into endpoint risk with the ability to target static and live data to locate sensitive information<br />Find and remediate malware: risk mitigation by wiping sensitive information, malware and malware artifacts from hard drives, RAM and the Windows Registry<br />Powerful investigative capabilities allow organizations to audit for PII (e.g., credit card numbers, account numbers, etc.), and perform internal investigations such as those dealing with fraud or HR matters<br />
  46. 46. 2010 Cybersecurity Survey (Continued)<br /><ul><li>Endpoint was used in all of the top 3 insider theft mechanisms
  47. 47. 44% Laptops
  48. 48. 42% Copied information to mobile device
  49. 49. 38% Downloaded information to home computer)</li></ul>38%<br />42%<br />44%<br />
  50. 50. 2010 Cybersecurity Survey (Continued)<br />Incident response and internal forensics can make a difference<br />28% of events resulted in legal or law enforcement action<br />35% could not pursue legal action due to lack of evidence<br />29% could not identify the individuals responsible<br />
  51. 51. The Endpoint Needs Comprehensive Visibility<br /> Endpoint<br /> Visibility<br />CyberPreparedness<br />Multiple OS and File Systems;<br />See through Data at rest solutions;<br />Packed and compressed; Data<br />Universe is ever expanding<br />Speed,<br />Mobility,<br />Adaptability<br /> Data<br /> Protection<br />Targeted search &remediation; DLP;<br />Encryption, etc<br />Infinite digital reach;<br />Speed of cyber, not<br />UPS/FedEx; Adaptivemalware identification& recovery<br />
  52. 52. The Missing Layer in Defense in Depth …<br />Incident Response at the Forensic Level with Endpoint Visibility<br />EnCase Cybersecurity provides…<br />Enterprise-wide incident response<br />Cyberforensic triage and in-depth analysis, attack attribution analysis, and remediation<br />System deviation assessments<br />Expose system integrity issues caused by unknown threats<br />Data policy enforcement<br />Identify and wipe PII/Classified data from unauthorized endpoints<br />
  53. 53. Information Security Challenges<br />Proactively identifying and addressing covert/unknown threats<br />Determining the capabilities and purpose of unknown files or running processes<br />Identifying and recovering from known malware and/or polymorphic malware<br />Signature-based detection tools are insufficient when faced with code that morphs to evade detection<br />Quickly triaging and containing an identified threat<br />Locating and rapidly responding to data leakage (PII, IP, etc.)<br />Compliance with data protection and breach notification laws<br />Determining the “State of the Network” by comparing known profiles to data on systems<br />
  54. 54. The Past<br />One Computer at a time<br />Days, weeks, and monthsto get the data<br />Costly & Time Consuming<br />The gathered intelligencewas valuable, but useless<br />
  55. 55. The Past<br />EnCase Field Intelligence Module (FIM)<br />One computer over the network. (2004)<br />
  56. 56. The Past<br />Searching only onetarget at a time.<br />?<br />?<br />
  57. 57. EnCase Cybersecurity provides…<br />Network-enabled incident response<br />Cyberforensic triage and analysis, attack attribution analysis, and remediation<br />System deviation assessments<br />Expose system integrity issues caused by anomalous or unknown threats<br />Data policy enforcement<br />Identify and wipe PII/IP/Classified data from unauthorized endpoints<br /> A Cyber Forensics Approach<br />
  58. 58. The Present<br />Enterprise Forensics<br />
  59. 59. The Present<br />Automation of searchingmultiple targets in parallel.<br />Pre-defined Critera<br />
  60. 60. The Present<br />Automation of searching forcompromises and malware.<br />
  61. 61. Benefits & Features of Cyber Forensics <br />
  62. 62. Questions/Thoughts<br />Today, how do you…<br />Identify unknown or covert threats?<br />Limit the risk exposure presented by sensitive information?<br />Respond to a suspected threat? <br />Limit the scope of a data breach?<br />Ensure endpoints remain in a trusted state?<br />Address and scale technologyand processes to include file servers, email servers,semi-structured data repositories?<br />
  63. 63. Thank you<br />

×