The Most Common Failure With Today's Defences

DESCRIPTION
This talk looks at the challenges we face as defenders today by examining several recent, prominent breaches and one of their common causes. The first two thirds of this talk are the same as "Is That Normal?" (http://www.slideshare.net/marknca/is-that-normal-behaviour-modelling-on-the-cheap), but in the last third, instead of diving into the mechanics of behavioural analysis, this talk looks at what we should be doing with the results. Originally presented at the Gartner Security & Risk Management Summit in London, 08-Sep-2014

TRANSCRIPT
The Most Common Failure With Today's Defences
Mark Nunnikhoven Vice President, Cloud & Emerging Technologies @marknca
Just like you probably can’t see this, I can’t see the backchannel. Tweet me now @marknca, I’ll reply after the talk…
Recent attacks
The problem
What you can do?
Recently…
450 000 000
“Client record” is typically at least [username+password]
27-Nov-2013—15-Dec-2013
First real CEO “resignation” due primarily to information security incident
a/k/a “Target 2” …but worse
Early May-2014—Late Aug-2014
Nominated for “Worst Communications During An Incident”
Late Feb-2014—Mid May-2014
Real reputation risk & impact on ability to conduct business
17-Jun-2013—17-Oct-2014
Should have received more attention. More on this one later…
17-Sep-2013—Early Oct-2013
Amazing visualization from Information Is Beautiful “World’s Biggest Data Breaches & Hacks”
Breaches: more frequent, lasting longer, bigger impact on businesses
The Problem
Restrict inbound
Restrict outbound
Heavily monitor access
Data
Data space: servers, applications, infrastructure, etc.
Restrict inbound
Allow outbound
Little to no monitoring
User
User space: Where the users are ;-) Endpoints like laptops, desktops, tablets, etc.
Authentication Authorization
Yes, we typically only use 2 controls here
152 million records
40 GB of source code
~44 GB of data exfiltrated
What can you do?
Authentication Authorization
Authentication Authorization
3 is more than 2. That’s an immediate win when reporting up to your boss(es)
Behaviour analysis
What to look at
All traffic leaving user space
Most organizations have some controls between the user and the world
Need to start to address internal data flow & expand existing controls
What to look for
Malicious patterns
A service or appliance can help here
What to look for
Odd access patterns
In most breaches, data is accessed through authorized channels BUT with odd behavioural patterns
What to do about it
Vary the level of trust in the user*
Dynamically vary the level depending on specific criteria and indicators of trust
You may trust me to deliver a talk on security…
But would you trust me to look after your kids?
Trust is a spectrum
Varying trust
A quick example
Normal access
Have a confirmed finding (or high enough confidence)
Not sure what we’ve found
Take a deeper look
Not sure what we’ve found? Increase monitoring, block high value access temporarily
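The "odd access patterns" slide and the "varying trust" walkthrough above describe one loop: baseline what a user normally does, score new access against that baseline, and let the result move the user's trust level (normal access, unsure so monitor more and temporarily block high-value access, confirmed finding so block). The following is an added example written for this page, not code from the talk or its author. The access-log format, the three heuristics (never-seen host, outside usual hours, volume more than ten times the baseline), the score thresholds and the set of high-value hosts are all assumptions chosen to make the idea concrete; the log lines are constructed sample data.

```python
"""Toy behavioural-analysis loop: baseline per-user access, score new events,
and map the score to a trust level that gates high-value access.
Added example; log format, heuristics and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs, one event per line: "<ISO timestamp> <user> <host> <bytes_out>"
BASELINE_LOG = """\
2014-09-01T09:12:00 alice fileshare-01 120000
2014-09-01T10:03:00 alice fileshare-01 80000
2014-09-02T09:40:00 alice crm-app 45000
2014-09-02T14:15:00 alice fileshare-01 95000
2014-09-03T11:20:00 alice crm-app 52000
"""

NEW_EVENTS = """\
2014-09-08T09:30:00 alice fileshare-01 110000
2014-09-08T02:47:00 alice source-repo 9000000000
2014-09-08T13:05:00 alice fileshare-01 60000
2014-09-08T15:00:00 alice crm-app 50000
"""

# Hosts whose access is withheld while a user is under suspicion (assumption)
HIGH_VALUE_HOSTS = {"source-repo", "crm-app"}


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    bytes_out: int


def parse(log: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events = []
    for line in log.splitlines():
        ts, user, host, bytes_out = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, int(bytes_out)))
    return events


def build_baseline(events: list[Event]) -> dict:
    """Per-user profile: hosts seen, hours of day seen, largest single transfer."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_bytes": 0})
    for e in events:
        p = profile[e.user]
        p["hosts"].add(e.host)
        p["hours"].add(e.ts.hour)
        p["max_bytes"] = max(p["max_bytes"], e.bytes_out)
    return profile


def score(event: Event, profile: dict) -> tuple[int, list[str]]:
    """Count how many simple indicators fire; each one is a heuristic, not a verdict."""
    p = profile.get(event.user)
    if p is None:
        return 3, ["unknown user"]
    reasons = []
    if event.host not in p["hosts"]:
        reasons.append("never-seen host")
    if event.ts.hour not in p["hours"]:
        reasons.append("outside usual hours")
    if event.bytes_out > 10 * p["max_bytes"]:
        reasons.append("volume >10x baseline")
    return len(reasons), reasons


def trust_level(s: int) -> str:
    """0 indicators: normal; 1: not sure what we've found; 2+: treated as confirmed (threshold is an assumption)."""
    if s == 0:
        return "normal"
    if s >= 2:
        return "confirmed"
    return "unsure"


def decide(event: Event, profile: dict, high_value: set[str]) -> dict:
    """Map the trust level to an access decision, following the talk's three cases."""
    s, reasons = score(event, profile)
    level = trust_level(s)
    if level == "normal":
        action = "allow"                       # normal access
    elif level == "unsure":                    # increase monitoring, block high-value access temporarily
        action = "deny-temporarily+monitor" if event.host in high_value else "allow+monitor"
    else:
        action = "deny"                        # confirmed finding
    return {"user": event.user, "host": event.host, "level": level,
            "action": action, "reasons": reasons}


def run_example() -> list[dict]:
    """Baseline on BASELINE_LOG, then decide each event in NEW_EVENTS."""
    profile = build_baseline(parse(BASELINE_LOG))
    return [decide(e, profile, HIGH_VALUE_HOSTS) for e in parse(NEW_EVENTS)]


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['host']:<13} {r['level']:<9} {r['action']:<26} {', '.join(r['reasons'])}")
```

Run as a script, the four new events land in all three branches: the daytime file-share access is normal, the 02:47 bulk pull from a never-seen host trips every indicator and is denied, and the two single-indicator events are both "unsure", which monitors the file-share access but temporarily withholds the high-value CRM access. The point is the mapping, not the heuristics: a real deployment would replace the three indicators with whatever service or appliance produces the findings, and keep the decision logic that turns "not sure" into more monitoring rather than a hard allow or deny.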
Add behavioural analysis
Look for odd/malicious patterns
Vary the level of trust