https://www.csiac.org/
Securing Your Company for Today’s Cyber War: A Three-Pronged Approach to a Comprehensive IT Security Strategy
Today’s Presenter: Peter Allor, IBM Security, Senior Cyber Security Strategist
March 30, 2016
Moderator: Steve Warzala, [email protected]
© 2016 IBM Corporation
Securing Your Company for Today’s Cyber War: Three-Pronged Approach to a Comprehensive IT Security Strategy
Peter Allor, Senior Security Strategist, Project Manager, Disclosures, IBM Security
March 30, 2016
Agenda
• Not prepared for Cyber War – it is war
• Make a security strategy your own
• Visibility of your operations, partners and vendors – know who is on your network, what they are running and how they are configured
• Adopt Security Intelligence / Situational Awareness – it is about integration, visibility and system feedback
IBM Security has global reach
IBM Security by the Numbers (figures shown graphically in the original): monitored countries (MSS); endpoints protected; service delivery experts; events managed per day
IBM X-Force monitors and analyzes the changing threat landscape
• 20,000+ devices under contract
• 25B+ analyzed web pages and images
• 15B+ events managed per day
• 12M+ spam and phishing attacks daily
• 133 monitored countries (MSS)
• 3,000+ security related patents
• 270M+ endpoints reporting malware
• 96K+ documented vulnerabilities
• 860K+ malicious IP addresses
• Millions of unique malware samples
We are not prepared for Cyber War – and it is Economic war now
Key Trends from 2015
CISOs face a shortage of skills, lack of metrics and strategy
(Diagram: Security Maturity, surrounded by Board of Directors, Stakeholders, Compliance Mandates and Industry Standards)
• 49% of IT executives have no measure of security effectiveness
• 31% of IT professionals have no risk strategy
• 83% of enterprises have difficulty finding the security skills they need
Sources: 2012 Forrester Research Study; 2013 Global Reputational Risk & IT Study, IBM; 2012 ESG Research
Attacks are focusing on higher value data targets
• 2013: 800,000,000+ records breached, while CISOs cite increasing risks from external threats
• 2014: 1,000,000,000 records breached, with no signs of decreasing in the future
• 2015: Healthcare mega-breaches set the trend for high value targets of sensitive information
Source: IBM X-Force Threat Intelligence Report - 2016
Highly regulated industries have the highest per-record data breach costs
(Bar chart, per-record cost in US dollars*: $359, $294, $227, $155, $141, $122 for Healthcare, Consumer, Education, Energy, Pharmaceutical, Hospitality; Financial $206; Retail $105)
*Currencies converted to US dollars
Source: 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, sponsored by IBM
Why do Breaches Happen?
Vulnerabilities
• Configuration Errors
• “Weak” defaults
• Easy passwords
• “Bugs”
• Input validation
Malware
• Installing suspect applications
• Clicking malicious links
• Phishing Emails
• Watering Hole attacks
Source: IBM Security Services 2013 Cyber Security Intelligence Index
Overlay malware on the mobile operating system is what web injections are to the PC
Mobile overlay malware offers a one-stop shop for blackhats
– Works with bank apps and other applications that use HTML/JS injections
– Enables credential collection
2015 brought X-Force the highest annual number of disclosed vulnerabilities recorded in our database
Source: IBM X-Force Threat Intelligence Report - 2016
Many organizations do not sufficiently monitor published vulnerabilities that may affect the technology protecting their data
Reasons could be:
• They don’t know all the sources of their data because they lack an asset inventory.
• They don’t understand how critical their vulnerabilities are or the danger they pose to effectively supporting and growing the business.
• They intend to do a vulnerability scan to identify risks and remediate vulnerabilities, but, lacking an understanding of the risks, they never get around to taking action.
Source: IBM X-Force Threat Intelligence Report - 2016
Make Security Strategy Your Own – Know your Risks (Protect)
Security leaders are more accountable than ever before
(Diagram mapping C-suite roles to the consequences they answer for)
C-suite roles: CEO, CFO/COO, CIO, CHRO, CMO
Consequences: Loss of market share and reputation; Audit failure; Loss of data confidentiality, integrity and/or availability; Violation of employee privacy; Loss of customer trust; Violation of customer privacy; Loss of brand reputation; Legal exposure; Fines and criminal charges; Financial loss
Your board and CEO demand a strategy
Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series
Questions CISOs Want to be Able to Answer…
The 2014 U.S. State of Cybercrime Survey
The survey identified eight common deficiencies where spending and efforts lag:
1. Most organizations do not take a strategic approach to cybersecurity spending
2. Organizations do not assess security capabilities of third-party providers
3. Supply chain risks are not understood or adequately assessed
4. Security for mobile devices is inadequate and has elevated risks
5. Cyber risks are not sufficiently assessed
6. Organizations do not collaborate to share intelligence on threats and responses
7. Insider threats are not sufficiently addressed
8. Employee training and awareness is very effective at deterring and responding to incidents, yet it is lacking at most organizations
http://www.pwc.com/us/en/increasing-it-effectiveness/publications/2014-us-state-of-cybercrime.jhtml
Co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March-April 2014
Executive Order 13636: Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
President Barack Obama, Executive Order 13636, Feb. 12, 2013
• The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
• Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work
• NIST is already reviewing the Framework for revisions (if required). Meeting April 6-7
Security Risk Framework Maturity Cycle
(Diagram: the IBM Security Framework set against the NIST Security Framework core functions Identify, Protect, Detect, Respond and Recover; framework types Domain, Sectoral, Process (Compliance), Smart, Architecture and Organizational, ranging from “No formal strategy” to “Periodic review and assessment”)
Characteristics of Organizational Frameworks
Base characteristics
• Generally uses portions of process, domain and sector frameworks
• Based on the organization’s business environment and conditions
• Based on evaluations from lines of business / operations, executives, auditors and Board of Directors
• Amends plans based on resources, changing conditions, and new information
• Commonly adopts a customized, organization-based framework based on multiple types
Approach to risk
• Special attention to a limited number of specific approaches for addressing risk and measuring the effectiveness of protection
• Sets the risks, priorities, and risk tolerances for cybersecurity and Information Technology in support of the enterprise
• Examines in even greater detail the overall risk the enterprise faces
  – Determines its unique security requirements
  – Ensures capabilities are in place to provide the necessary security
  – Aligns requirements and technologies with its internal policies and processes
Meets NIST and domain guidelines and Federal, State mandates
Security frameworks and risk-management strategies address
• Evolving threats: including the growing sophistication of threats, new attack methods, and adaptations to technologies or delivery methods
• Changing business needs: including evolving lines of business, acquisitions, mergers, the integration of operations, and the addition or elimination of business functions
• Volatile economics: including changes in business profitability, the market for the organization’s goods or services, national and international economic trends, or wholesale currency changes
• Increasing regulation: including changes and additions to regulation and compliance requirements, locally, nationally or internationally
• Technology and process changes: including adding new or removing existing technologies, or implementing a bring-your-own-device (BYOD) program
• Geographic and facilities changes: including moving to a new location or having data-center or cloud services added from another area
Map your Security to the NIST Framework
Security Intelligence – Situational Awareness (Detect)
Security Strategy – addresses…
Security trends: Advanced Threats; Cloud; Mobile and Internet of Things; Compliance Mandates; Skills Shortage
Security capabilities: Strategy, Risk and Compliance; Cybersecurity Assessment and Response; Security Intelligence and Operations; Advanced Fraud Protection; Identity and Access Management; Data Security; Application Security; Network, Mobile and Endpoint Protection; Advanced Threat and Security Research
Delivery models: Management Consulting; Systems Integration; Integrated Products; Security as a Service; Managed Security; Partner Ecosystem
Situational Awareness – CDM
Discovery and Verification
• Uncovers the weaknesses
• Daily vulnerability and missing patches
• Proven, certified scanning
• Endpoints, assets, device configuration
• Passive and active discovery
Intelligent Context Driven Prioritization
• What assets are important?
• Where are the threats?
• Who is talking to who?
• What is blocked and patched already?
• What is out of compliance?
Automatic Delegation and Assignments
• Who needs to action
• What needs to be done
  – Missing patch updates
  – Signatures
  – Configuration changes
Reporting and Alerting
• What needs escalation
• What is in and out of compliance
• Dashboards and reports
• APIs
Integrate your organization’s operations and security leaders (Respond)
IBM CISO Assessment – 2012
Frameworks rely on the CISO having Stakeholder Participation
Reaching security maturity – how to map your way there
Security Intelligence layer: Predictive Analytics, Big Data Workbench, Flow Analytics; SIEM and Vulnerability Management; Log Management; Advanced Fraud Protection
Domains: People, Data, Applications, Infrastructure
Maturity levels: Basic, Proficient, Optimized
Capabilities placed on the chart: Data governance; Fraud detection; Multi-faceted network protection; Encryption key management; Hybrid scanning and correlation; Anomaly detection; Identity governance; Fine-grained entitlements; Privileged user management; User provisioning; Access management; Strong authentication; Directory management; Data masking / redaction; Database activity monitoring; Virtualization security; Web application protection; Asset management; Source code scanning; Endpoint / network security management; Data loss prevention; Encryption; Database access control; Hardened; Perimeter security; Application scanning; Host security; Anti-virus
Many of the incidents we’ve seen could be avoided with a focus on security basics
• Instrument your environment with effective detection
• Keep up with threat intelligence
• Maintain a current and accurate asset inventory
• Maintain an identity governance practice to audit and enforce access rules and permissions
• Have a patching solution that covers your entire infrastructure
• Implement mitigating controls
• Create and practice a broad incident response plan
Focus on critical points in the attack chain with preemptive defenses on both the endpoint and network
On the Endpoint (Trusteer Apex Malware Protection)
Exploit Disruption – Prevent malware installs
• Verify the state of applications
• Block exploit attempts used to deliver malware
Malware Quarantine – Prevent control channels
• Stop direct outbound malware communications
• Protect against process hijacking
User Protection – Prevent credential loss
• Block keyloggers
• Stop credential use on phishing sites
• Limit reuse of passwords
On the Network (IBM Security Network Protection XGS)
Prevent mutated exploits
• Verify the state of network protocols
• Block unknown exploits with behavioral heuristics
Prevent active beaconing
• Stop malware and botnet control traffic with real-time reputation and SSL inspection
Prevent malicious apps
• Block access to malicious websites
• Protect against web application misuse
Network administrators can take a few basic steps to fend off malicious spam attachments
• Keep your spam and virus filters up to date.
• Block executable attachments. In regular business environments it is unusual to send executable attachments. Most spam filters can be configured to block executable files even when they are within zip attachments.
• Use mail client software that allows disabling automatic rendering of attachments and graphics, and preloading of links—and then disable them.
• Educate users on the potential danger of spam, and the actions to take.
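As an added example (not part of the presentation), a Python check that implements the attachment policy above: it flags executable attachments by extension and by file header, and looks inside zip attachments so a renamed executable in an archive is still caught. The policy lists, the depth limit and the sample message are constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed policy: extensions and file headers that mark executable content.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi"}
EXEC_MAGIC = (b"MZ", b"\x7fELF")   # Windows PE and Linux ELF headers
MAX_ZIP_DEPTH = 2                   # descend at most two zip levels (zip-bomb guard)

def is_executable(name: str, data: bytes) -> bool:
    """Flag by extension or by file header, so a renamed .exe is still caught."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    return ext in EXEC_EXTENSIONS or data[:4].startswith(EXEC_MAGIC)

def scan_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return paths of executable files in `data`, looking inside zip archives."""
    findings = [name] if is_executable(name, data) else []
    if depth < MAX_ZIP_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = zf.read(info)  # cap info.file_size before reading in production
                findings += scan_blob(f"{name}/{info.filename}", inner, depth + 1)
    return findings

def scan_message(raw: bytes) -> list:
    """Walk every MIME part that carries a filename and report executable attachments."""
    findings = []
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if part.get_content_maintype() == "multipart" or not filename:
            continue
        findings += scan_blob(filename, part.get_payload(decode=True) or b"")
    return findings

def build_sample() -> bytes:
    """Constructed message: a text note plus a zip hiding invoice.exe and a renamed PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ\x90\x00fake-pe-header")
        zf.writestr("report.pdf", b"MZ\x90\x00renamed-exe")   # wrong extension, real header
        zf.writestr("readme.txt", b"just text")
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # constructed addresses
    msg["To"] = "mailbox@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("see attached")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))  # ['invoice.zip/invoice.exe', 'invoice.zip/report.pdf']
```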
Every breach requires a plan of action
Forensic analytics can provide the insights to understand what is happening in the network and what steps are necessary to prevent threats.
Full Packet Capture
• Capture packets off the network
• Include other, related structured and unstructured content stored within the network
Retrieval & Session Reconstruction
• For a selected security incident, retrieve all the packets (time bounded)
• Re-assemble into searchable documents including full payload displayed in original form
Forensics Activity
• Navigate to uncover knowledge of threats
• Switch search criteria to see hidden relationships
Reconstruction enables organizations to view recorded network transactions in formats tailored for human consumption
Different types of reconstruction (from traffic capture):
• Web page
• Chat
• Social networking
• Webmail
• Blogging
• File transfers
• File attachments
• File metadata
• File flows (attached executables, JavaScript, macros, redirects)
What can you do to mitigate these threats?
• Keep up with threat intelligence
• Maintain a current and accurate asset inventory
• Have a patching solution that covers your entire infrastructure
• Implement mitigating controls
• Instrument your environment with effective detection
• Create and practice a broad incident response plan
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.