Information Security: Assume you’ve been breached


1 Information Security: Assume you’ve been breached
Tuesday, February 20, 2018 Michael Reineck

2 A little about me
Professional
- Over 17 years in IT, all in security, all in financial services
- Master's Degree in Computer Science
- CISSP certification
Personal
- Married with 3 children
- Lived in WI my whole life (almost)
- Packers, Brewers and Badgers fan

3 Agenda
- Background
- NIST Cybersecurity Framework
- Case Study

4 Background

5 How security has been done forever:

6 And how an attack typically works:

7 An old security axiom: There’s no such thing as perfect security.

8 And the odds are against you…
As a defender, you need to be right every time.
As an attacker, you only need to be right once.

9 NSA Quote
“We have to build our systems on the assumption that adversaries will get in.”
Debora Plunkett, Director of the U.S. National Security Agency (NSA) Information Assurance Directorate, December 2010

10 We’re getting better at detecting breaches, but we’re still not great
Source: FireEye 2017 M-Trends report

11 And it takes us a long time to detect a breach:
Source: 2017 Verizon DBIR

12 We need better balance from our security programs
“Security is a combination of protection, detection and response. You need protection to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.” Bruce Schneier

13 NIST Cybersecurity Framework

14 NIST Cybersecurity Framework
NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The framework was developed via a collaborative process involving industry, academia and government agencies. It is a superset of other existing standards, such as COBIT 5 (Control Objectives for Information and Related Technology), ISO (International Organization for Standardization) and NIST SP (National Institute of Standards & Technology Special Publications). A draft of version 1.1 was released last year.

15 The NIST Cybersecurity Framework consists of five core functions and 22 categories that encompass all cybersecurity activities
Function: Categories
- Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
- Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
- Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
- Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
- Recover: Recovery Planning; Improvements; Communications

16 Details on the Detect function
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
- A baseline of network operations and expected data flows for users and systems is established and managed
- Event data are aggregated and correlated from multiple sources and sensors
- Incident alert thresholds are established
- The network is monitored to detect potential cybersecurity events
- Malicious code is detected
- Vulnerability scans are performed

17 Case Study

18 Case Study: Equifax
Personal data of 145 million people exposed
The breach used a vulnerability in a common web application framework. The breach was discovered on July 29 and publicly reported on September 7, 2017.
[March 2017 calendar; legend: Equifax notified of the vulnerability; Equifax alerts other internal teams of the vulnerability; Equifax was breached]

19 Case Study: Equifax (cont.)
- Intruders installed backdoors on Equifax's systems
- By the time they were done, there were over 30 backdoors installed
- The intruders collected so much data that it needed to be broken into smaller pieces to get it out
- All this data needs to be sent out of a company via its network

20 Detect technologies: what you can do with existing tools
Know your environment
- Make sure your current technologies are configured and logging properly
- Understand what's normal (baseline) in your environment
- Run daily or weekly reports from those systems to see when you deviate from normal
Training
- Your employees make good sensors
Outside information
- There's a lot of information you can pull in, even for free, including US-CERT, SANS and InfraGard
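The baseline-and-deviation report this slide describes, as an added example that is not part of the presentation: it aggregates a constructed outbound flow log per host and day, builds each host's baseline from its own prior days, and flags the day on which a host's outbound bytes or connection count jumps, which is what a large data set being broken into smaller pieces and pushed out over the network (slide 19) looks like in flow data. The log format, host names, thresholds and function names are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample log (not from the presentation), rows of "date,host,destination,bytes_out".
# Both hosts are steady for a week; on 2017-03-17 web01 pushes ~45 MB in five equal
# chunks to a new destination, the "broken into smaller pieces" pattern from the case study.
def build_sample_log():
    rows = []
    for day in range(10, 17):
        rows.append(f"2017-03-{day},web01,203.0.113.5,{1_200_000 + (day % 3) * 50_000}")
        rows.append(f"2017-03-{day},db01,10.0.0.8,{400_000 + (day % 2) * 20_000}")
    rows += ["2017-03-17,web01,198.51.100.9,9000000"] * 5
    rows.append("2017-03-17,db01,10.0.0.8,410000")
    return rows

def daily_totals(rows):
    """Return {host: {date: {"bytes_out": n, "flows": n}}} from CSV flow rows."""
    totals = defaultdict(lambda: defaultdict(lambda: {"bytes_out": 0, "flows": 0}))
    for row in rows:
        date, host, _dest, nbytes = row.strip().split(",")
        totals[host][date]["bytes_out"] += int(nbytes)
        totals[host][date]["flows"] += 1
    return totals

def deviation_report(rows, report_date, k=3.0, min_rel=0.5, min_days=3):
    """Flag hosts whose report_date totals exceed their own prior-day baseline.
    Threshold = mean + max(k * stdev, min_rel * mean); the second term keeps a
    perfectly flat baseline (stdev 0) from alerting on a trivial change."""
    findings = []
    for host, days in daily_totals(rows).items():
        today = days.get(report_date)
        if today is None:
            continue
        for metric in ("bytes_out", "flows"):
            history = [v[metric] for d, v in days.items() if d < report_date]
            if len(history) < min_days:
                continue  # not enough history to call anything abnormal
            mean = statistics.mean(history)
            threshold = mean + max(k * statistics.stdev(history), min_rel * mean)
            if today[metric] > threshold:
                findings.append({"host": host, "metric": metric, "observed": today[metric],
                                 "baseline_mean": round(mean), "threshold": round(threshold)})
    return findings

if __name__ == "__main__":
    for finding in deviation_report(build_sample_log(), "2017-03-17"):
        print(finding)
```

Run daily against real flow or proxy logs, the same report answers the slide's "when do we deviate from normal" question per host; the thresholds are a starting point to tune against your own baseline.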

21 Detect technologies: if you have budget
Technology                              Vendor examples            Cost
Log analysis and correlation (SIEM)     IBM, LogRhythm             $$$
Vulnerability scanner                   Qualys, Rapid7, Nessus     $$
User behavior based                     Microsoft ATA, Exabeam     $ / $$
Anomaly detection                       Darktrace
Decoys (honeypots and honey tokens)     Thinkst Canary             $
Sandbox technologies                    FireEye, Cisco AMP         $$$$

22 Details on the Respond function
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
- Response plan is executed during or after an event
- Personnel know their roles and order of operations when a response is needed
- Notifications from detection systems are investigated
- Incidents are mitigated
- Response plans incorporate lessons learned
- Response strategies are updated

23 Case study: Equifax response

24 What can you do?
Have a plan:
- Determine your incident response plan ahead of time, documenting roles and responsibilities
- Include all groups in your plan, including IT, legal, marketing, business continuity
- Determine your PR strategy
Work with outside organizations ahead of time:
- Put an incident response firm on retainer
- Work with your law firm to maintain attorney/client privilege
- Make contacts with the FBI
Practice makes perfect:
- Do a tabletop exercise with an experienced vendor to test your plan
- Review your plan on a regular basis and make adjustments using lessons learned

25 What's in store for the future
- Move to the cloud changes the paradigm
- New technology concepts: zero trust networks, crypto-anchors
- Increased importance of identity
- Digital rights management

26 Q&A
