Facing Security Monitoring: Hype, Challenges, Solutions
Alexios Fakos, Johannes Schö[email protected]@owasp.org
Agenda
1. Hype
2. Solutions
3. Challenges
4. Summary
22nd May 2015 Facing Security Monitoring: Hype, Challenges, Solutions 2
Hype
Hype or just your threat landscape?
• % of global CEOs worried about Cyber Security: 48% (2014), 61% (2015). Source: Annual CEO Survey, PwC
• % of global CEOs saying Cyber Security is strategically important: 78% (2015)
Sources: Verizon, 2015 Data Breach Investigations Report; Mandiant, M-Trends® 2015: A View From the Front Lines
Median number of days before detection? (figure shown on the slide, not reproduced here)
Source: Mandiant, M-Trends® 2015: A View From the Front Lines
5 Questions CEOs Should Ask About Cyber Risks
(audience: CFO, CISO, CEO, CIO)
Source: https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf
1. How Is Our Executive Leadership Informed about the Current Level and Business Impact of Cyber Risks to Our Company?
2. What Is the Current Level and Business Impact of Cyber Risks to Our Company? What Is Our Plan to Address Identified Risks?
3. How Does Our Cybersecurity Program Apply Industry Standards and Best Practices?
4. How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What Is the Threshold for Notifying Our Executive Leadership?
5. How Comprehensive Is Our Cyber Incident Response Plan? How Often Is It Tested?
Solution
Risk Assessment Methodology
• Goals
– Provide a quantitative view of risk
– Align with the tools and capabilities that exist today
– Provide specific and actionable mitigation recommendations
– Align with industry standards
– Utilize fewer resources
– Standardize the results
Source: http://www.nist.gov/cyberframework/upload/cybersecurityframework_6thworkshop_chevron.pdf
NIST Cybersecurity Framework
Building from standards, guidelines and best practices, the Framework provides a common taxonomy and mechanism for organizations to:
1. Describe their current cybersecurity posture.
2. Describe their target state for cybersecurity.
3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
4. Assess progress toward the target state.
5. Communicate among internal and external stakeholders about cybersecurity risk.
Source: http://www.dhs.gov/using-cybersecurity-framework
The three parts and a rising question
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
[Framework diagram, not reproduced; slide text over it: Threat Profile]
The ability to respond quickly and effectively to potential cyber attacks, but how to start?
The Critical Security Controls for Effective Cyber Defense
• Council on CyberSecurity was established in 2013 as an independent, expert, not-for-profit organization.
• Controls are in alignment with security standards and best practices.
• 20 Critical Security Controls focusing on
– Prioritization (quick wins)
– Procedures and tools that enable implementation and automation
– Metrics and tests to assess implementation status and effectiveness
– Guidance (how to)
Source: http://www.counciloncybersecurity.org/
Example CSC 12: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
• Effectiveness Metrics
– Does the system provide an inventory of all administrative accounts?
– Does the system report on the addition of new administrative accounts?
– How long does it take for administrators to be notified about user accounts being added to super user groups (time in minutes)? (example figure on the slide: 612 minutes)
• Automation Metrics
– What percentage of the organization’s elevated accounts do not currently adhere to the organization’s password standard (by business unit)? (example figure on the slide: 44%)
– How many unauthorized elevated application accounts are currently configured on the organization’s systems (by business unit)? (example figure on the slide: 44%)
• Effectiveness Test
– Attempt to configure weak administrator passwords that are non-compliant with established policy. Verify that the system does not allow weak passwords to be used.
Source: http://www.counciloncybersecurity.org/
Dependencies
• Relevant Critical Controls for Continuous Monitoring
– CSC 1: Inventory Of Authorized And Unauthorized Devices
– CSC 2: Inventory Of Authorized And Unauthorized Software
– CSC 4: Continuous Vulnerability Assessment And Remediation
– CSC 12: Controlled Use Of Administrative Privileges
– CSC 13: Boundary Defense (flow of information)
– CSC 14: Maintenance, Monitoring, And Analysis Of Audit Logs
– CSC 15: Controlled Access Based On The Need To Know
– CSC 16: Account Monitoring And Control
Target picture
[Diagram: Various Data Sources → Log Management → SIEM (Events, Correlation) → Reporting (your defined metrics)]
• Various Data Sources
• Log Management
• SIEM: Events, Correlation
• Reporting: your defined metrics
Goal: maturity and the capability to detect and respond to threats and targeted attacks
Challenges
Target picture (the same diagram again, now as the starting point for the challenges)
[Diagram: Various Data Sources → Log Management → SIEM (Events, Correlation) → Reporting (your defined metrics)]
Goal: maturity and the capability to detect and respond to threats and targeted attacks
Example CSC 12: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Source: http://www.counciloncybersecurity.org/
Solution Path – Logging
• Administrative Privileges in applications:
– Does your application log these?
– How does your application log these?
• Who
• What
• Where
• When
– Does the logging provide (near) real time monitoring? Or do you get application logs once every six hours?
Source: http://www.counciloncybersecurity.org/
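The CSC 12 metrics from the earlier slide (does the system report additions to super user groups, and how many minutes pass until an administrator is notified) and the Who/What/Where/When questions on the logging slide can be checked mechanically once the application emits structured audit events. The Python below is an added example, not material from the slides or from the Council on CyberSecurity: the event layout, the group names app_superusers and Domain Admins, the host and account names, and the sample events and notification records are all constructed here.

```python
"""Added example (not from the slides): check application audit events for the
Who/What/Where/When fields, flag additions to privileged groups (CSC 12), and
compute the notification-latency metric in minutes.  All names and data below
are constructed for the example."""
from datetime import datetime, timezone

REQUIRED_FIELDS = ("who", "what", "where", "when")        # the four questions on the slide
PRIVILEGED_GROUPS = {"Domain Admins", "app_superusers"}   # assumed names, not from the deck

# Constructed sample audit events: two from a custom application, one from a directory.
AUDIT_EVENTS = [
    {"who": "jdoe", "what": "group_add", "target": "jsmith", "group": "app_superusers",
     "where": "appsrv01", "when": "2015-05-20T09:12:00Z"},
    {"who": "svc_deploy", "what": "group_add", "target": "build", "group": "developers",
     "where": "appsrv02", "when": "2015-05-20T09:15:00Z"},
    {"who": "admin7", "what": "group_add", "target": "tmp_consultant", "group": "Domain Admins",
     "when": "2015-05-20T10:01:00Z"},          # 'where' missing: an incomplete audit record
]

# Constructed notification records from the monitoring system: (target, group) -> time sent.
NOTIFICATIONS = {
    ("jsmith", "app_superusers"): "2015-05-20T09:20:00Z",
    # nothing was ever sent for tmp_consultant -> Domain Admins
}


def parse_when(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def missing_fields(event):
    """Return the Who/What/Where/When fields the event does not answer."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]


def privileged_additions(events, groups=PRIVILEGED_GROUPS):
    """CSC 12 'does the system report on new administrative accounts?': select
    group-membership additions whose target group is privileged."""
    return [e for e in events if e.get("what") == "group_add" and e.get("group") in groups]


def notification_latency_minutes(additions, notifications):
    """Minutes from each privileged addition to the administrator notification;
    None when no notification was ever sent, the worst case for the metric."""
    result = {}
    for e in additions:
        key = (e["target"], e["group"])
        sent = notifications.get(key)
        if sent is None:
            result[key] = None
        else:
            result[key] = (parse_when(sent) - parse_when(e["when"])).total_seconds() / 60
    return result


def audit_quality(events):
    """Missing fields per event, keyed by (who, when); empty lists mean the
    record answers all four questions."""
    return {(e.get("who"), e.get("when")): missing_fields(e) for e in events}


if __name__ == "__main__":
    adds = privileged_additions(AUDIT_EVENTS)
    for key, minutes in notification_latency_minutes(adds, NOTIFICATIONS).items():
        if minutes is None:
            print(key, "was never notified")
        else:
            print(key, f"notified after {minutes:.0f} min")
    for key, missing in audit_quality(AUDIT_EVENTS).items():
        if missing:
            print("incomplete audit event", key, "missing", missing)
```

Two things the run makes visible that the metric alone hides: an addition that never triggers a notification shows up as None rather than as a large number, and the directory event that lacks a "where" field fails the logging question before it ever reaches a metric. Both belong in the readiness assessment of a data source before it is connected to log management.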
Our target picture again
[Diagram: the same pipeline, now with concrete data sources]
• Data sources: SAP Business, MainFrame Applications, Active Directory, Custom Java Application Logs
• Log Management
• SIEM: Events, Correlation
• Reporting: your defined metrics
CSC 12 question to answer with it: Does the system provide an inventory of all administrative accounts?
Source: http://www.counciloncybersecurity.org/
Use Case Approach
• Use Cases
– Business Use Case vs System Use Case
– Create Business Use Cases for existing controls if applicable
• System Use Case: Track successful logins
• Business Use Case: Track successful logins that are not automated scripts etc. and correlate against existing business processes
Use Case Approach
Objective: CSC12: Controlled Use Of Administrative Privileges
Details:
• Successful Admin Login
• Collect existing Support Tickets for Admin
• Prevent false positives:
– Automated scripts
– Logins from machines XYZ
– Logins from service ZYX
– Logins around 3.30 am each Wednesday night
Output:
• Reports
• Alerts
• KPI
Data Sources:
• OS
• Databases
• Applications
• Network Devices
• Ticketing Systems
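The business use case in the table above (successful admin logins, correlated against support tickets, with the listed false-positive sources removed) can be run as a small correlation rule. The Python below is an added example, not code from the presenters or from any SIEM product: the login and ticket record layouts, the account and host names standing in for the slide's "machines XYZ" and "service ZYX" placeholders, the ticket CHG-1001 and the 15-minute tolerance around the Wednesday 3:30 am job are all constructed here.

```python
"""Added example (not from the slides): a CSC 12 business use case.  Successful
admin logins are suppressed when they match a known benign pattern from the
slide, otherwise matched against a ticket; unmatched logins become alerts and
the share of ticket-backed logins is the KPI.  All data is constructed."""
from datetime import datetime, timedelta

# Constructed suppression rules (the slide's XYZ/ZYX placeholders made concrete).
SCRIPT_ACCOUNTS = {"svc_backup", "svc_deploy"}     # automated scripts
KNOWN_MACHINES = {"jumphost01"}                   # "logins from machines XYZ"
SERVICE_ACCOUNTS = {"svc_monitoring"}             # "logins from service ZYX"
MAINTENANCE = {"weekday": 2, "hour": 3, "minute": 30, "tolerance_min": 15}  # Wednesday ~3:30 am

# Constructed successful admin logins from OS, database and application sources.
# 2015-05-20 is a Wednesday, so the sapprd login falls into the maintenance window.
LOGINS = [
    {"user": "jdoe", "host": "dbsrv01", "src": "wks-1042", "ts": "2015-05-20 10:05"},
    {"user": "svc_backup", "host": "filesrv", "src": "backup01", "ts": "2015-05-20 01:00"},
    {"user": "admin7", "host": "appsrv01", "src": "jumphost01", "ts": "2015-05-20 11:30"},
    {"user": "batchadmin", "host": "sapprd", "src": "sched01", "ts": "2015-05-20 03:33"},
    {"user": "mroe", "host": "dc01", "src": "wks-2210", "ts": "2015-05-21 22:47"},
]

# Constructed ticketing-system export: who is allowed on which host, and when.
TICKETS = [
    {"id": "CHG-1001", "assignee": "jdoe", "host": "dbsrv01",
     "start": "2015-05-20 09:00", "end": "2015-05-20 12:00"},
]


def ts(s):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def in_maintenance_window(when, rule=MAINTENANCE):
    """True when the login lies within the tolerance of the recurring job
    (weekday 2 is Wednesday in Python's Monday-based numbering)."""
    if when.weekday() != rule["weekday"]:
        return False
    anchor = when.replace(hour=rule["hour"], minute=rule["minute"], second=0, microsecond=0)
    return abs(when - anchor) <= timedelta(minutes=rule["tolerance_min"])


def suppression_reason(login):
    """Return why the login is a known false positive, or None if it needs review."""
    if login["user"] in SCRIPT_ACCOUNTS:
        return "automated script"
    if login["user"] in SERVICE_ACCOUNTS:
        return "service account"
    if login["src"] in KNOWN_MACHINES:
        return "known machine"
    if in_maintenance_window(ts(login["ts"])):
        return "scheduled maintenance job"
    return None


def matching_ticket(login, tickets=TICKETS):
    """A ticket covers the login when assignee and host match and the login
    time lies inside the ticket's validity window."""
    when = ts(login["ts"])
    for t in tickets:
        if (t["assignee"] == login["user"] and t["host"] == login["host"]
                and ts(t["start"]) <= when <= ts(t["end"])):
            return t["id"]
    return None


def evaluate(logins=LOGINS, tickets=TICKETS):
    """Produce the slide's three outputs: a report of every login with its
    disposition, alerts for unexplained interactive logins, and the KPI
    (fraction of interactive admin logins backed by a ticket)."""
    report, alerts = [], []
    interactive = covered = 0
    for login in logins:
        reason = suppression_reason(login)
        ticket = None if reason else matching_ticket(login, tickets)
        if reason is None:
            interactive += 1
            if ticket:
                covered += 1
            else:
                alerts.append(login)
        report.append({**login, "suppressed": reason, "ticket": ticket})
    kpi = covered / interactive if interactive else 1.0
    return report, alerts, kpi


if __name__ == "__main__":
    report, alerts, kpi = evaluate()
    for row in report:
        print(row["ts"], row["user"], "on", row["host"], "->", row["suppressed"] or row["ticket"] or "ALERT")
    print(f"KPI: {kpi:.0%} of interactive admin logins covered by a ticket")
```

Suppressed logins stay in the report rather than being dropped, so the "known machine" and maintenance-window rules can be audited later; a source-host rule in particular hides anything done from that host, so it should be reviewed together with the host's own logs rather than treated as a permanent exception.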
Summary
Summary
• Use your Risk Assessment Methodology to identify
– Capability and maturity regarding your appropriate security controls
– Take your time with metrics and with how to evaluate security controls
• Think big but start smart and small
– Identify the KPIs you need for your desired maturity level
– Identify the applications and infrastructure that need to deliver information into your LM/SIEM for evaluating these KPIs
– Assess the readiness of these components to actually deliver this information
Questions?
Thank you for your attention!