3. THE CHALLENGE OF CYBER THREATS
Companies are continuously transforming, feeding an ever-expanding cyber attack surface.
Today's cyber threats are outpacing the response capacity of most companies.
6. OT MODERNIZATION
[Figure: Industry 4.0 corporate network. Information Technology ("IT"), Operational Technology ("OT") and Industrial IoT. Remote station / shop floor: PLCs / RTUs, HMI. Control center: control servers, SCADA master / HMI. IT-OT integration over Internet / WAN; industrial examples such as digital oil wells.]
Drivers of OT modernization:
• Unification of the IP network
• More external connectivity
• "Technology refresh" of OT & IT
• Virtualization, cloud, mobile, 4G/5G
8. BASIC PILLARS FOR OT CYBERSECURITY
IEC-62443 standard
• Architecture: segmentation, Zero Trust, remote access
• Access control: use of MFA, user-based security policies
• SecOps: endpoint security, event correlation
• Management: process definition, incident response procedures
13. ACCESS CONTROL
User-based security policies
BEFORE: access lists keyed on IP addresses
access-list 102 permit udp 126.183.90.85 0.0.0.255 eq 3256 114.53.254.245 255.255.255.255 lt 1780
access-list 102 deny icmp 203.36.110.37 255.255.255.255 lt 999 229.216.9.232 0.0.0.127 gt 3611
access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606
access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005
access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199
access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782
access-list 102 deny ip 193.250.210.122 0.0.1.255 lt 2297 130.113.139.130 0.255.255.255 gt 526
AFTER: policy rules keyed on users, zones and applications
SOURCE ZONE         USER                  DESTINATION ZONE       APPLICATION
HQ Zone, GP Zone    Employee              Internet Zone          Sanctioned SaaS
HQ Zone, GP Zone    NY-Finance-Analysts   Financial Servers-NY   Internal Financial Apps
User-ID enables security teams to define policy rules on firewalls to safely enable applications and control access based on users or groups of users.
Using IP addresses to identify users is inefficient and cannot determine users accurately, as IP addresses change.
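The contrast between the BEFORE and AFTER tables, as an added example that is not part of the slide deck: a small user-based policy evaluator that resolves the source IP to a user and its groups through a constructed User-ID style mapping, next to an IP-bound ACL entry, so that the effect of an address change on each approach can be exercised. All names, addresses and group memberships are constructed.

```python
# Added example (not from the slide deck): user-based policy evaluation in the
# style of the AFTER table above. The source IP is first resolved to a user and
# its groups through a constructed User-ID style mapping; rules then match on
# identity, zone and application rather than on the address itself.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zones: frozenset
    user_or_group: str      # user name or group name
    dst_zone: str
    application: str

# Rule table modelled on the slide's AFTER example.
RULES = [
    Rule(frozenset({"HQ Zone", "GP Zone"}), "Employee", "Internet Zone", "Sanctioned SaaS"),
    Rule(frozenset({"HQ Zone", "GP Zone"}), "NY-Finance-Analysts", "Financial Servers-NY",
         "Internal Financial Apps"),
]

# Constructed User-ID mapping (which user currently holds which IP) and group membership.
IP_TO_USER = {"10.1.5.20": "alice", "10.1.5.21": "bob"}
USER_GROUPS = {"alice": {"Employee", "NY-Finance-Analysts"}, "bob": {"Employee"}}

# An IP-bound ACL entry written for alice's original address, shown for contrast.
IP_ACL = {("10.1.5.20", "Financial Servers-NY")}

def ip_acl_permits(src_ip, dst_zone):
    """BEFORE style: the decision is tied to the address, not to who is using it."""
    return (src_ip, dst_zone) in IP_ACL

def evaluate(src_zone, src_ip, dst_zone, application):
    """AFTER style: return the matching rule, or None (no match means deny)."""
    user = IP_TO_USER.get(src_ip)
    if user is None:
        return None  # unknown identity: deny instead of trusting the address
    groups = USER_GROUPS.get(user, set())
    for rule in RULES:
        if (src_zone in rule.src_zones and rule.dst_zone == dst_zone
                and rule.application == application
                and (rule.user_or_group == user or rule.user_or_group in groups)):
            return rule
    return None

def rebind(user, new_ip):
    """Simulate the user's address changing (e.g. a new DHCP lease)."""
    for ip in [ip for ip, u in IP_TO_USER.items() if u == user]:
        del IP_TO_USER[ip]
    IP_TO_USER[new_ip] = user
```

After `rebind("alice", "10.1.5.99")`, the user-based rule still matches alice at her new address, while the IP-bound entry no longer matches her and keeps permitting the old address regardless of who holds it next.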
14. ACCESS CONTROL
MFA – Multi-Factor Authentication
Multi-Factor Authentication: always know that the user is who they claim to be.
[Figure: attacker, Historian and Engineer Station, legitimate user with MFA.]
1. Attacker uses stolen credentials
2. User receives MFA request
3. User denies request to access sensitive data
4. Attacker fails to gain access, attempt recorded
15. SECOPS
Endpoint Security
[Figure: security analyst responding to a compromised host.]
• Isolate endpoints, quarantine, block files, kill processes
• Block network access via firewall integration
• Orchestrate with SOAR tools
• Access endpoints through a terminal
• Restore compromised hosts with one click
• Endpoint script execution
16. SECOPS
Endpoint Security
[Figure: endpoint agents communicating with the XDR service through a communication broker.]
Protect endpoints that cannot connect directly to the Internet.
17. SECOPS
Event Correlation
Data sources correlated (App, User & Host, Network, Threat Intel, Endpoint):
• App: app name, protocol, URL and domain, response size, response code, referrer
• Network: TCP port, source IP, country, destination IP, sent bytes, received bytes
• Threat Intelligence: malware hashes, malicious IPs, phishing URLs, URL categories
• User & Host: user name, hostname, organizational unit, operating system, MAC address
• Endpoint: file update, process name, MD5/SHA hash, file path, registry change, malware verdict, CLI arguments
Collect rich data for behavioral analytics & AI.
Automatically correlate data to gain context for investigations.
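The correlation described above, as an added example that is not part of the slide deck: constructed events shaped after the fields listed for the network, endpoint, app and threat-intelligence sources are matched against indicators and grouped per host, with user and organizational-unit context attached from the user & host inventory. All indicators, hosts, users and addresses are constructed placeholders.

```python
# Added example (not from the slide deck): correlates constructed events from
# several of the slide's data sources into per-host incidents, so one alert
# carries the user, organizational unit, process and the indicator that matched.
from collections import defaultdict

# Constructed threat intelligence (placeholder values, not real indicators).
THREAT_INTEL = {
    "malicious_ips": {"203.0.113.45"},
    "malware_hashes": {"deadbeef" * 4},
    "phishing_urls": {"http://login-example.invalid/verify"},
}
# Constructed user & host inventory: hostname -> (user name, organizational unit).
USER_HOST = {"eng-ws-07": ("alice", "OT-Engineering"), "hist-01": ("svc_hist", "OT-Servers")}
# Constructed IP -> hostname mapping from the network layer.
HOST_IP = {"10.20.1.7": "eng-ws-07", "10.20.1.9": "hist-01"}

# Constructed sample events, shaped after the fields listed on the slide.
EVENTS = [
    {"src": "network", "source_ip": "10.20.1.7", "dest_ip": "203.0.113.45",
     "tcp_port": 443, "sent_bytes": 5_200_000},
    {"src": "endpoint", "hostname": "eng-ws-07", "process_name": "updater.exe",
     "sha256": "deadbeef" * 4, "cli_arguments": "-q"},
    {"src": "app", "source_ip": "10.20.1.9", "url": "http://login-example.invalid/verify",
     "response_code": 200},
    {"src": "network", "source_ip": "10.20.1.9", "dest_ip": "10.20.1.7",
     "tcp_port": 445, "sent_bytes": 1024},  # internal traffic, no indicator hit
]

def host_for(event):
    """Resolve an event to a hostname via its endpoint field or the IP mapping."""
    return event.get("hostname") or HOST_IP.get(event.get("source_ip"))

def match_intel(event):
    """Return (indicator_type, value) pairs from threat intelligence that the event hits."""
    hits = []
    if event.get("dest_ip") in THREAT_INTEL["malicious_ips"]:
        hits.append(("malicious_ip", event["dest_ip"]))
    if event.get("sha256") in THREAT_INTEL["malware_hashes"]:
        hits.append(("malware_hash", event["sha256"]))
    if event.get("url") in THREAT_INTEL["phishing_urls"]:
        hits.append(("phishing_url", event["url"]))
    return hits

def correlate(events):
    """Group indicator hits by host and attach user/OU context; hosts without hits get no incident."""
    incidents = defaultdict(lambda: {"user": None, "ou": None, "hits": [], "evidence": []})
    for ev in events:
        hits = match_intel(ev)
        if not hits:
            continue
        inc = incidents[host_for(ev)]
        inc["user"], inc["ou"] = USER_HOST.get(host_for(ev), (None, None))
        inc["hits"].extend(hits)
        inc["evidence"].append(ev)
    return dict(incidents)
```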
18. MANAGEMENT
Process Definition
[Figure: Respond, Transform, and "Assess and test your security controls against the right threats with Proactive Assessments"; services shown: Incident Response, Cyber Risk Management; foundations: Threat Intelligence, Tools, Expertise & Experience.]
19. MANAGEMENT
Incident Response Procedures
SENSE
● Detect and prevent
● Critical security layers
AUTOMATE
● Automated detections, correlations, prioritization, root cause, timelining, and workflows
INTEGRATE
● Stories: native data stitching with built-in logic to understand incidents and artifacts
● Data correlation
ANALYZE
● Large set of ML models
● Post-exploit detection
● Lateral movement detection
● Data exfiltration detection
[Figure: HOST, NETWORK and IDENTITY data feeding four numbered stages: BEHAVIOR MODELS, STORY, AUTOMATED ROOT CAUSE, AUTOMATED WORKFLOWS.]
Multi-extortion techniques, where attackers not only encrypt the files of an organization but also name and shame the victims and/or threaten to launch additional attacks (e.g., distributed denial of service, known as DDoS) to encourage victims to pay more quickly. In 2021, the names and proof of compromise for 2,566 victims were publicly posted on ransomware leak sites, marking an 85% increase compared to 2020.
Extremely prolific ransomware-as-a-service (RaaS) business models, which offer "startup kits" and "support services" to would-be cybercriminals, significantly lowering the technical barrier to entry and accelerating the speed with which attacks can be introduced and spread.
Rapid weaponization of vulnerabilities. For example, major ransomware gangs quickly exploited CVE-2021-44228, commonly referred to as Log4Shell. It is highly likely that as long as organizations fail to patch known critical vulnerabilities, attackers will exploit them to their advantage.
With the convergence of IT and OT at an accelerated pace and the integrations being more profound and more complex, the need for organizations to adopt a cybersecurity framework designed for OT, such as ISA/IEC 62443, is no longer optional (see figure 3). ISA/IEC 62443 is a flexible framework that addresses and mitigates current and future security vulnerabilities in IACS regardless of industry, making it an integral component of the U.S. Cybersecurity Framework.