luncheon 2016-01-21 - emerging threats and strategies for defense by paul fletcher
TRANSCRIPT
EMERGING THREATS & STRATEGIES FOR DEFENSE
Paul Fletcher – Cyber Security Evangelist @_PaulFletcher
Threats by Customer Environment
Source: Alert Logic CSR 2015 (incident class, share of incidents per environment, as printed on the slide)

Incident class        Cloud Environment   On Premise Environment
application-attack    40.55%              40.79%
brute-force           28.01%              22.36%
suspicious-activity   18.75%               7.40%
recon                 10.60%               5.29%
trojan-activity        1.96%              15.67%
denial-of-service      0.13%               0.03%
other                  0.02%               0.02%
Threats by Customer Industry Vertical
Source: Alert Logic CSR 2015
[Chart: one bar per industry vertical on a 0% to 100% axis, broken down into Application Attack, Brute Force, Recon, Suspicious Activity and DoS; the per-vertical percentages are not recoverable from this transcript.]
Global Analysis
Internet of Things – Planes, Trains and Automobiles
Internet of Things – Keyfobs and Garage Doors
Latest “News”
Latest Activity
• Darkode taken down on July 15, 2015
• Arrests made in 20 countries
• Despite coordinated law enforcement efforts, botnet takedowns are more effective
HOW DO WE DEFEND AGAINST THESE ATTACKS
Security Architecture
[Diagram of the security architecture; components as labelled on the slide]
Network: Firewall/ACL, Intrusion Detection, Deep Packet Forensics, DDoS protection, Netflow Analysis, NAC, Scanner, Mail/Web Filter
Server/App: Backup, Patch Mgmt, Vulnerabilities, Log Mgmt, SDLC, Anti-Virus, Encryption (GPG/PGP), Host Anti-Malware, FIM, Scanner
Identity and data: IAM, Central Storage
Data Correlation is the Key
Enterprise Cyber Security Teams
24x7 Security Operations Center and Intelligence
• Monitor intrusion detection and vulnerability scan activity
• Search for industry trends and deliver intelligence on lost or stolen data
• Collect data from OSINT and underground sources to deliver intelligence and content
• Identify and implement required policy changes
• Escalate incidents and provide guidance to the response team to quickly mitigate incidents
• Monitor for zero-day and new and emerging attacks
• Cross-product correlate data sources to find anomalies
SECURITY BEST PRACTICES
10 Best Practices of Cloud Security
1. Secure your code
2. Create access management policies
3. Data classification
4. Adopt a patch management approach
5. Review logs regularly
6. Build a security toolkit
7. Stay informed of the latest vulnerabilities that may affect you
8. Understand your cloud service provider's security model
9. Understand the shared security responsibility
10. Know your adversaries
1. Secure Your Code
• Test inputs that are open to the Internet
• Add delays to your code to confuse bots
• Use encryption when you can
• Test libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• Stay informed
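Application attacks are the largest slice in both environment charts above, and "test inputs that are open to the Internet" is the bullet that catches most of them. The following is an added example, not code from the slides: one login lookup written the vulnerable way and the hardened way, plus the test you would run against it. The users table, the account, and the injection string are constructed for the example; the unsalted SHA-256 is a deliberate simplification so the two queries stay comparable (a real system uses a salted, slow password hash such as hashlib.pbkdf2_hmac or bcrypt).

```python
# Added example (not from the slides): vulnerable vs hardened login query.
# Table, account and payload are constructed; unsalted SHA-256 is a simplification.
import hashlib
import hmac
import sqlite3


def password_hash(password: str) -> str:
    # Simplified on purpose so the two queries stay comparable; use a salted,
    # slow hash (hashlib.pbkdf2_hmac, bcrypt, argon2) in real code.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", password_hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query text is assembled with string formatting, so the username is
    interpreted as SQL. The password check lives inside the WHERE clause,
    which is exactly the part an attacker comments out."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{password_hash(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver sends the username as data, never as SQL.
    The hash comparison happens in application code with a constant-time
    compare, and an unknown user takes the same code path as a wrong password."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    stored = row[0] if row else password_hash("")  # dummy value keeps timing uniform
    ok = hmac.compare_digest(stored, password_hash(password))
    return row is not None and ok


# The test an Internet-facing input should survive: closes the string literal
# and comments out the rest of the WHERE clause (SQLite treats "--" as a comment).
INJECTION_USERNAME = "alice' --"


def demo() -> dict:
    """Run both implementations against the payload and a valid login."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, INJECTION_USERNAME, "not the password"),
        "hardened_bypassed": login_hardened(conn, INJECTION_USERNAME, "not the password"),
        "hardened_valid_login": login_hardened(conn, "alice", "correct horse"),
        "hardened_wrong_password": login_hardened(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The same test belongs in CI for every handler that reads untrusted input: the payload must fail against the hardened version every time the code changes ("scan your code after every update").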
2. Create Access Management Policies
• Identify data infrastructure that requires access
• Define roles and responsibilities
• Simplify access controls (KISS)
• Continually audit access
• Start with a least privilege access model
3. Data Classification
• Identify data repositories and mobile backups
• Identify classification levels and requirements
• Analyze data to determine classification
• Build Access Management policy around classification
• Monitor file modifications and users
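"Monitor file modifications and users" is what the FIM entry in the toolkit later on the page delivers. Here is an added example, not code from the slides, of the core of a file-integrity check for a classified repository: take a baseline of content hashes and permission bits, then diff a later snapshot against it. The directory, its files and the simulated tampering are all constructed inside demo(); point baseline() at a real repository to use it.

```python
# Added example (not from the slides): minimal file-integrity baseline and diff.
# The repository and the changes made to it are constructed inside demo().
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """relative path -> {sha256, mode, size} for every regular file under root."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snapshot[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mode": st.st_mode & 0o777,
                "size": st.st_size,
            }
    return snapshot


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify changes the way a FIM alert would: new, deleted, content, permissions."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p]["sha256"] != after[p]["sha256"]),
        "mode_changed": sorted(p for p in common if before[p]["mode"] != after[p]["mode"]),
    }


def demo() -> dict:
    """Constructed repository: baseline, simulate tampering, report the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config").mkdir()
        secret = root / "config" / "db.ini"
        secret.write_text("password=constructed-example\n")
        secret.chmod(0o640)
        customers = root / "customers.csv"
        customers.write_text("id,name\n1,alice\n")
        before = baseline(root)

        # Simulated changes an attacker or a careless admin might make:
        customers.write_text("id,name\n1,alice\n2,mallory\n")  # content edited
        secret.chmod(0o666)                                      # made world-writable
        (root / "export.csv").write_text("bulk dump\n")          # unexpected new file
        after = baseline(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

In production the baseline is stored off the monitored host (otherwise whoever changes the files can also rewrite the baseline), the snapshot runs on a schedule, and the "who" part of the bullet comes from correlating each hit with the audit or login records for the same window.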
4. Adopt a Patch Management Approach
• Inventory all production systems
• Devise a plan for standardization, if possible
• Compare reported vulnerabilities to production infrastructure
• Classify the risk based on vulnerability and likelihood
• Test patches before you release into production
• Set up a regular patching schedule
• Keep informed, follow Bugtraq
• Follow an SDLC
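The middle three bullets (inventory, compare reported vulnerabilities to what is actually deployed, classify by vulnerability and likelihood) are a small program once the inventory exists. This is an added example, not from the slides: a constructed advisory feed is matched against a constructed inventory by package and version, and each hit is ranked by CVSS plus two likelihood modifiers (Internet exposure, public exploit code). The advisory identifiers, hosts, versions, scores and weights are all made up for the example; they are not real CVEs.

```python
# Added example (not from the slides): match advisories to inventory and rank.
# Hosts, versions, advisory IDs, CVSS values and the weights are constructed.
from dataclasses import dataclass


def version_key(s: str) -> tuple:
    """'1.8.0' -> (1, 8, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in s.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    package: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed identifier, not a real CVE
    package: str
    fixed_in: str         # first version that carries the fix
    cvss: float
    exploit_public: bool


INVENTORY = [
    Asset("web01", "openssh", "7.2.1", internet_facing=True),
    Asset("web01", "nginx", "1.8.0", internet_facing=True),
    Asset("db01", "openssh", "7.2.1", internet_facing=False),
    Asset("db01", "postgresql", "9.4.5", internet_facing=False),
    Asset("build01", "openssh", "7.4.0", internet_facing=False),
]

ADVISORIES = [
    Advisory("ADV-2016-001", "openssh", "7.3.0", cvss=7.5, exploit_public=True),
    Advisory("ADV-2016-002", "nginx", "1.9.0", cvss=5.3, exploit_public=False),
    Advisory("ADV-2016-003", "postgresql", "9.5.0", cvss=9.8, exploit_public=False),
]


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Same package and a version below the first fixed release."""
    return asset.package == adv.package and version_key(asset.version) < version_key(adv.fixed_in)


def risk_score(asset: Asset, adv: Advisory) -> float:
    """Severity (CVSS) plus likelihood modifiers; the +2.0 weights are this example's choice."""
    score = adv.cvss
    if asset.internet_facing:
        score += 2.0
    if adv.exploit_public:
        score += 2.0
    return score


def patch_plan(inventory, advisories) -> list:
    """Every (asset, advisory) match, highest risk first, then by host and package."""
    plan = [
        {"host": a.host, "package": a.package, "version": a.version,
         "advisory": v.advisory_id, "fixed_in": v.fixed_in, "risk": risk_score(a, v)}
        for a in inventory for v in advisories if is_affected(a, v)
    ]
    plan.sort(key=lambda row: (-row["risk"], row["host"], row["package"]))
    return plan


if __name__ == "__main__":
    for row in patch_plan(INVENTORY, ADVISORIES):
        print(f'{row["risk"]:5.1f}  {row["host"]:8} {row["package"]:12} {row["version"]:8} -> {row["fixed_in"]} ({row["advisory"]})')
```

The ordering is the point: the Internet-facing SSH host with public exploit code outranks the database with the higher raw CVSS, and build01, already on a fixed version, does not appear at all. Feeding the plan into the regular patching schedule (test first, then release) is the rest of the slide.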
5. Importance of Log Management and Review
Why log management matters:
• Monitoring for malicious activity
• Forensic investigations
• Compliance needs
• System performance
What a log management program needs:
• All sources of log data are collected
• Data types (Windows, Syslog)
• Review process
• Live monitoring
• Correlation logic
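"Correlation logic" and "live monitoring" here, and "cross-product correlate data sources to find anomalies" on the SOC slide, come down to the same thing: a rule that looks at more than one event. Brute force is the second-largest incident class in both environment charts, so the following added example (not code from the slides) runs that rule over sshd authentication lines: it raises a brute-force alert when one source address fails five times inside a minute, then escalates to a likely-compromise alert if the same address logs in successfully within ten minutes of being flagged. The log lines are constructed (RFC 5737 documentation addresses, no real hosts), the year is assumed to be 2016 because syslog timestamps carry none, and the thresholds are this example's choice.

```python
# Added example (not from the slides): brute-force detection plus correlation
# with a later successful login. Sample log lines are constructed; the year,
# thresholds and windows are assumptions for the example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 21 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jan 21 10:00:05 web01 sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 50124 ssh2
Jan 21 10:00:09 web01 sshd[1205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Jan 21 10:00:12 web01 sshd[1207]: Failed password for deploy from 198.51.100.9 port 41002 ssh2
Jan 21 10:00:14 web01 sshd[1209]: Failed password for root from 203.0.113.7 port 50128 ssh2
Jan 21 10:00:20 web01 sshd[1211]: Failed password for deploy from 203.0.113.7 port 50130 ssh2
Jan 21 10:00:26 web01 sshd[1213]: Failed password for deploy from 203.0.113.7 port 50132 ssh2
Jan 21 10:00:40 web01 sshd[1215]: Failed password for deploy from 198.51.100.9 port 41004 ssh2
Jan 21 10:00:55 web01 sshd[1230]: Accepted password for deploy from 203.0.113.7 port 50150 ssh2
Jan 21 10:03:10 web01 sshd[1244]: Accepted publickey for deploy from 192.0.2.10 port 39000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(line: str, year: int = 2016):
    """One sshd auth line -> event dict, or None for lines the rule does not care about."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60),
           dwell: timedelta = timedelta(minutes=10)) -> list:
    """Sliding-window failure count per source IP, then correlate with later successes."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}                    # ip -> time its brute-force alert fired
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"kind": "brute-force", "ip": ip, "host": ev["host"],
                               "failures": len(q), "at": ts})
        elif ip in flagged and ts - flagged[ip] <= dwell:
            # A success shortly after a flagged burst is the event worth escalating.
            alerts.append({"kind": "likely-compromise", "ip": ip, "host": ev["host"],
                           "user": ev["user"], "at": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the sample, 198.51.100.9 never reaches the threshold and the key-based login from 192.0.2.10 has no failures behind it, so neither produces noise; only 203.0.113.7 fires, and the second alert is the one that should go to the response team. Swapping the regex for a Windows 4625/4624 parser keeps the same correlation logic across both data types the slide mentions.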
6. Build a Security Toolkit • Recommended Security Solutions
• Antivirus
• IP tables/Firewall
• Backups
• FIM
• Intrusion Detection System
• Malware Detection
• Web Application Firewalls
• Forensic Image of hardware remotely
• Future: Deep Packet Forensics
• Web Filters
• Mail Filters
• Encryption Solutions
• Proxies
• Log collection
• SIEM Monitoring and Escalation
• Penetration Testing
7. Stay Informed of the Latest Vulnerabilities
• Websites to follow
- http://www.securityfocus.com
- http://www.exploit-db.com
- http://seclists.org/fulldisclosure/
- http://www.securitybloggersnetwork.com/
- http://cve.mitre.org/
- http://nvd.nist.gov/
- https://www.alertlogic.com/weekly-threat-report/
8. Understand Your Service Provider's Security Model
• Understand the security offerings from your provider
• Probe into the security vendors to find their prime service
• Hypervisor example
• Questions to use when evaluating cloud service providers
9. Service Provider & Customer Responsibility Summary

Layer     | Cloud Service Provider Responsibility                                                                    | Customer Responsibility
Apps      | (none)                                                                                                   | Secure coding and best practices; Software and virtual patching; Configuration management; Access management; Application level attack monitoring
Hosts     | Hardened hypervisor; System image library; Root access for customer                                      | Access management; Patch management; Configuration hardening; Security monitoring; Log analysis
Networks  | Logical network segmentation; Perimeter security services; External DDoS, spoofing, and scanning prevented | Network threat detection; Security monitoring
Provider services (Compute, Storage, DB, Network) | Operated by the provider                                                  | (none)
10. Understand your Adversaries
To Follow our Research
• Twitter: @AlertLogic, @StephenCoty, @_PaulFletcher
• Blog: https://www.alertlogic.com/resources/blog
• Newsletter: https://www.alertlogic.com/weekly-threat-report/
• Cloud Security Report: https://www.alertlogic.com/resources/cloud-security-report/
• Zero Day Magazine: http://www.alertlogic.com/zerodaymagazine/
Thank you.