TRANSCRIPT
© Leidos. All rights reserved.
Extending Cyber Security Beyond the Network Perimeter
Robert Zitz, Senior Vice President and Chief Systems Architect, National Security Sector
October 20, 2015
Slide 31: Hacking Is Not that Hard
• More than 90% of successful breaches required only the most basic techniques
• Only 3% of breaches were unavoidable without difficult or expensive actions
• Outsiders were responsible for most breaches
• 85% of breaches took months to be discovered; the average time is five months
• 96% of successful breaches could have been avoided if the victim had put in place simple or intermediate controls
• 75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching
• One study found that antivirus software missed as much as 95% of malware in the first few days after its introduction
• Another study found that 25% of malware is not detected by current techniques
Source: James A. Lewis, “Raising the Bar for Cybersecurity”, CSIS, February 12, 2013
©2013 LEIDOS. ALL RIGHTS RESERVED.
Slide 32: The New World of Data Ubiquity
Source: “NSTAC Report to the President on Secure Government Communications”, NSTAC, August 20, 2013
Slide 33: Adequate Defense Requires a Unified Approach
Extending the Traditional Network Perimeter
Slide 34: Organizational Approach Evolves
Traditional
− Decentralized
  • Largely developed and implemented by individual organizations based on their own unique risk and management approaches
− “IT” Driven
  • Seen as an information technology problem rather than a mission or business risk
Modern
− Cyber security is a C-suite concern that impacts the bottom line
  • Profit/losses, fiduciary and due diligence responsibility
− Centralized, focused risk management
− Increasing attention to consequence management
− Leadership infuses awareness and makes continuous cyber security integral to the culture and behavior of the organization
Slide 35: Behavioral Approach Evolves
Traditional
− Information Security experts confined to the IT Department
− Limited training and education for the workforce
− Rules Based
− Controlled access, networks, devices
− Silo effect can limit cross-organizational information sharing, including best practices and threat warnings
Modern
− Everyone is an active member of the cyber team
− Deeper understanding of threats, risks & consequences
  • ‘Own’ the problem, build security in
− Sophisticated monitoring of everyone in the organization for adherence to policy
− Continual review and revision of training programs
− Cross-organizational training to build trust and sharing
Slide 36: Technological Approach Evolves
Traditional
− Rigid network perimeters
− Limit
  • Administrative privileges
  • Access points
  • Platforms, operating systems and applications
− Patch applications and operating systems
− Use Virtual Private Networks
− Concern over Bring Your Own Device
− Intrusion detection and forensics heavily signature-based (reactive)
Modern (Defense-In-Depth)
− Maintain and update basics
  • Firewalls, anti-virus, strong passwords, signature-based detection
− Employ Mitigation Strategies
  • White Listing, prompt patching, policy tuning
− Continuous Diagnostics
  • Real time comparison of network performance and trends, real time risk assessment
− Big Data (Large Scale Analytics) (proactive)
Slide 37: Continuous Diagnostics and Mitigation
CDM is continuously checking for
− Rogue processes
− Unknown services
− Code injection and Rootkit behaviors
− Unusual Operating System artifacts
− Suspicious network activity
− Evidence of persistence
− Unauthorized use of valid accounts
− Anomalous employee behaviors
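As an added illustration (not Leidos' code and not drawn from the slides), a minimal Python diagnostic pass over a constructed host snapshot that exercises four of the CDM check categories above: rogue processes, unknown services, evidence of persistence, and unauthorized use of valid accounts. The allow-listed process paths, service names, autorun entries and account profiles are made-up baseline values, and the snapshot is constructed to trip each check once.

```python
# Constructed baseline (allow-list) for one host; every value here is illustrative.
BASELINE = {
    "processes": {"sshd": "/usr/sbin/sshd", "cron": "/usr/sbin/cron", "nginx": "/usr/sbin/nginx"},
    "services": {"ssh", "cron", "nginx"},
    "autoruns": {"/etc/cron.d/logrotate"},
    "accounts": {"alice": {"hosts": {"10.0.0.5"}, "hours": range(8, 19)},
                 "svc-backup": {"hosts": {"10.0.0.9"}, "hours": range(1, 4)}},
}

def check_processes(running, baseline):
    """Rogue processes: names not on the allow-list, or allow-listed names run from an unexpected path."""
    findings = []
    for name, path in running:
        expected = baseline["processes"].get(name)
        if expected is None:
            findings.append(("rogue_process", f"{name} ({path})"))
        elif path != expected:
            findings.append(("rogue_process", f"{name} from {path}, expected {expected}"))
    return findings

def check_services(active, baseline):
    # Unknown services: anything listening that the baseline never recorded.
    return [("unknown_service", s) for s in sorted(set(active) - baseline["services"])]

def check_persistence(autoruns, baseline):
    # Evidence of persistence: new autorun / scheduled-task entries since the baseline.
    return [("persistence", a) for a in sorted(set(autoruns) - baseline["autoruns"])]

def check_logins(logins, baseline):
    """Unauthorized use of valid accounts: the credential is real, but source host or hour is off-profile."""
    findings = []
    for user, src, hour in logins:
        profile = baseline["accounts"].get(user)
        if profile is None:
            findings.append(("unknown_account", user))
        elif src not in profile["hosts"] or hour not in profile["hours"]:
            findings.append(("account_misuse", f"{user} from {src} at {hour:02d}:00"))
    return findings

def run_cdm_cycle(snapshot, baseline=BASELINE):
    # One diagnostic pass; in a real deployment this runs on every fresh snapshot.
    return (check_processes(snapshot["processes"], baseline)
            + check_services(snapshot["services"], baseline)
            + check_persistence(snapshot["autoruns"], baseline)
            + check_logins(snapshot["logins"], baseline))

# Constructed snapshot: looks healthy at a glance, but four checks should fire.
SNAPSHOT = {
    "processes": [("sshd", "/usr/sbin/sshd"), ("cron", "/tmp/.x/cron"),
                  ("nginx", "/usr/sbin/nginx"), ("kworkerd", "/dev/shm/kworkerd")],
    "services": ["ssh", "cron", "nginx", "telnet"],
    "autoruns": ["/etc/cron.d/logrotate", "/etc/rc.local"],
    "logins": [("alice", "10.0.0.5", 9), ("svc-backup", "203.0.113.7", 14)],
}
```

Calling `run_cdm_cycle(SNAPSHOT)` yields five findings: the masquerading `cron`, the unlisted `kworkerd`, the `telnet` service, the new `/etc/rc.local` autorun, and the backup account used from an off-profile host at an off-profile hour.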
Slide 38: How Big Data Techniques Help
Takes a page from the Intelligence Community
− Indications and Warning
− Adversary tactics, techniques and procedures
  • Know the enemy's intentions, capabilities and motivations
− Use All Source, Multi-INT, Open Sources
  • “Activity Based Intelligence” (ABI)
− Looking for
  • Distributed social network that enables them
  • Support and sustainment structure
  • Their technical and financial platforms
  • Their messaging
− Determine the intent
− ID the actors
− Prioritize targets (theirs and ours)
Slide 39: Modern Technological Approaches: Next Steps
Networks don’t attack networks: people do
• Decades of clinical psychology prove that behavior occurs in response to environmental antecedents and is maintained by the consequences of the behavior
• Modifying and automating applied behavior analysis to include prediction, influence, pattern classification, and analysis of situations
• Big data techniques for ingest, correlation, change detection
Slide 40: Modern Technological Approaches: Next Steps (continued)
• Identifies and differentiates between malicious and non-malicious intent in real time, including zero day attacks
• Predicts unknown as well as known patterns of threat behavior
• Increases true positives and true negatives (accuracy) while decreasing false positives and false negatives (errors)
• Uniquely assesses the behavior of all IP/Users every 1/10th of a second on two dimensions:
  Expertise: the combined knowledge and skills of network use and misuse represented by a visitor
  Deception: the degree to which a visitor attempts to avoid detection or masks true malicious intent while entering a network
By assessing the degree of Expertise and Deception present for each IP/User, not signatures, Automating Behavioral Analysis can identify new unknown threats and predict attacks
Slide 41: Modern Technological Approaches: Next Steps (continued)
• Predictive: predicts threats based on the presence of precursors that precede an attack, as opposed to identifying attacks
• Proactive: as a preventative measure, the system is trained on known and unknown constellations of attack precursors
Intent-based: predicts the attack
Slide 42: Summary
• The threats, risks and consequences dictate a unified approach to extending cyber security beyond the perimeter
• Organizational, Behavioral and Technological advances are needed simultaneously
• Use of more automated applications and continuous monitoring offers the potential for greater defense-in-depth
• We must greatly expand our use of Big Data analytics to move to a more proactive stance
Robert Zitz, Senior Vice President & Chief Systems Architect