A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response
•Télécharger en tant que PPTX, PDF•
1 j'aime•949 vues
Systematically combine network data and intelligence sources to create a working model of the attack surface. Perform attack simulation to easily identify weak points in your defenses. Target vulnerability concentrations with streamlined actions and fix risky firewall rules and changes with automated risk assessment. With comprehensive network data at your fingertips, SOC analysts and incident response teams can achieve same-day response to cyber attacks. Take your enterprise network security to the next level. Prevent, analyze, and respond to cyber attacks in real time.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response
Similaire à A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response (20)
Plus de Skybox Security
Plus de Skybox Security (20)
Dernier
Dernier (20)
A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response
- 1. A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response Gidi Cohen | CEO & Founder | Skybox Security
- 2. Sources: Spending-IDC & Gartner; Costs – Center for Strategic and Interational Studies; Chart - 2015 Verizon Data Breach Investigations Report The Defender Deficit £260B annual cost of cyber crime £45B annual spend on solutions NO CHANGE in “defender gap” In 10years! 80% of Attackers Compromise Network in Days 25% of Defenders Discover Attacks in Days
- 3. Peacetime From Peacetime to Wartime Mindset Process Focused Advanced Planning Compliance Driven Battlefield View Attack Detection Jump Teams Wartime
- 4. What’s your Incident Response Time? Sources: ISACA.org for Incident Response process, Ponemon 2014 Cost of Cyber Crime Study for IR times +45 days to resolve 170 days to detect Incident Response Process
- 5. What Takes So Long? Potential Exfiltration Suspicious outbound data Shut down unnecessary ports • Does this event match a possible attack vector? • What assets are exposed through that access path? • Which security controls can we leverage? • Will a firewall change disrupt necessary services?
- 6. Ongoing Visibility of the Battlefield Security Controls Firewalls IPS VPNs
- 7. Ongoing Visibility of the Battlefield Security Controls Firewalls IPS VPNs Network Topology Routers Load Balancers Switches
- 8. Ongoing Visibility of the Battlefield Security Controls Firewalls IPS VPNs Network Topology Routers Load Balancers Switches Assets Servers Workstations Networks
- 9. Ongoing Visibility of the Battlefield Security Controls Firewalls IPS VPNs Network Topology Routers Load Balancers Switches Assets Servers Workstations Networks Vulnerabilities Location Criticality
- 10. Ongoing Visibility of the Battlefield Network Topology Routers Load Balancers Switches Assets Servers Workstations Networks Vulnerabilities Location Criticality Threat Actors Hackers Insiders Worms Security Controls Firewalls IPS VPNs
- 11. Ongoing Visibility of the Battlefield Security Controls Firewalls IPS VPNs Network Topology Routers Load Balancers Switches Assets Servers Workstations Networks Vulnerabilities Location Criticality Threat Actors Hackers Insiders Worms The attack surface is the sum of all reachable and exploitable attack vectors against an organization.
- 12. Apply Understanding of the Attack Surface With Knowledge of the Attack Surface Improve planning Reduce mean time to detect Speed containment actions Verify resolution
- 13. Preparation: Reduce Attack Vectors • Target concentrations of vulnerabilities • Address zoning violations • Fix risky firewall rules
- 14. Preparation: Optimise SIEM Monitoring SIEMCreate a SIEM watch list • Watch specific servers with known vulnerabilities • Monitor access paths to high-value assets • Look for services used in recent threats
- 15. High volume to review False positives Detection: Confirm Real Attacks Fast Attack Detection SIEM Level 1 SOC Analysts Level 2 IR Team BEFORE
- 16. High volume to review False positives Detection: Confirm Real Attacks Fast Attack Detection SIEM Level 1 SOC Analysts Level 2 IR TeamBEFOREAFTER Get attack context Assets at risk Prioritisation
- 17. Analysis: Triage Based on Impact to Assets
- 18. Analysis: Triage Based on Impact to Assets
- 19. Analysis: Triage Based on Impact to Assets Flag high-risk vector Alert: anomalous behavior Low risk Alert: unexpected router change Multiple ways to compromise finance server
- 20. Contain: Fast Zero-Day Response Source: ISACA.org Attack Surface Model New Vulnerability Identified! CVE-2015-01234 • Which systems have the vulnerability? • Are they part of an attack vector? • Triage response Threat Vulnerability Asset
- 21. Contain: Understand Scope, Exfiltration Paths Exfiltration Path
- 22. Contain: Understand Scope, Exfiltration Paths Exfiltration Path
- 23. Contain: Understand Scope, Exfiltration Paths Recommended Actions • Generate firewall change requests to block exfil route • Switch advanced malware to block mode • Enable IPS signature Exfiltration Path
- 24. Post-Incident Activity Attack Surface Model Long term architectural changes Network segmentation Use of advanced controls Verify risk elimination
- 25. Summary: Using Attack Surface for IR Incident Response Process Incorporate broad set of data sources for full attack surface view Arm the IR team Tools to correlate, query, and monitor attack surface Speed detection and analysis Use contextual info on likely next steps Contain attacks and limit damage
- 26. Visit Skybox Security at Infosec • Powerful platform for visibility of the attack surface • Vulnerability and threat management • Firewall management • Network visibility and compliance Risk Analytics for Cyber Security
- 27. Thank you
Notes de l'éditeur
- Script: In 2014, a group called the Center for Strategic and International studies in Washington DC. Released a report estimating the annual cost of cyber crime at 260B GBP ($400B USD). According to IDC, Gartner and other analyst firms –the worldwide spending on information security solutions in 2014 was 45B GBP ($70B USD). Both of these numbers have been climbing at extraordinary rates, toward 15% per year growth over the most recent time period. In fact, this unchecked growth in spending on security products, and the continued cyber crime costs may now be having an impact on the global economy. Given all of this security spending and attention to the cyber problem, you would expect that defenders would have made substantial inroads into reducing the number of attacks, but this hasn’t shown to be true. Instead, in this graph you see the most recent Verizon Data Breach report, indicating that the gap the time to compromise and the time to discover an attack is largely unchanged over 10 years! So attackers are still able to compromise networks in minutes or days, while defenders require weeks or months to discover, an attack, and even more time to analyze the incident, contain, and devise an effective plan of response. Other notes from the source reports: A study that estimated the global cost of cybercrime at $400 billion also revealed information security market trend data from research firm IDC showing a burgeoning market for products associated with identifying threats, data protection and incident response activities. The report, issued this week by the Center For Strategic International Studies, a Washington, D.C., think tank, estimates the global cost of cybercrime at $400 billion and projects the figure to climb substantially until public- and private-sector organizations implement stronger measures to address intellectual property theft. The study, commissioned by Intel Security (formerly McAfee), also highlighted data from Framingham, Mass.-based research giant IDC, projecting a steep rise in spending on digital forensics tools, next-generation firewalls, and identity and access management software. The increased spending on security products may be having a negative impact on the global economy, the report found.
- Script: Over the past few years, with the continual onslaught of bad cyber news, we’ve seen a shift in mindset of security teams. You may see this in yourself, in your own organizations. Instead of focusing on security planning, operational efficiency, continuous monitoring, compliance auditing; organizations have shifted to a ‘wartime’ mindset. In fact, IDC’s 2014 security spending report is in line with this, predicting a fast-growing market for attack detection, incident response, and data protection technologies In ‘wartime’ – the focus is on fast response. You have to have the tools to detect the indicators of compromise that signal an attack in process. You need to develop situational awareness to understand the cyber battlefield and intelligence to triage incidents so you send the skilled jump teams in to fight the right issues. At least, that’s the concept.
- Script: I think it’s great that companies are shifting to this ‘wartime’ mindset, because clearly there is a lot of work to be done. Let’s take the incident response process, which is central to identifying and responding to cyber threats. We start with preparation – which can involve identifying areas of risk, developing the right response plans for different alerts, training individuals in your organization. Detection and analysis – to cull through the millions of different events that may be triggered through your SIEM, and the analysis to decide what to do about those events. Containment, eradication and recovery - the concrete steps to take action to block an attacker, keep data from leaving your organization, and remediating the root causes. And post-incident activity to document, learn from the attack, and introduce changes to policies, to segmentation, to incident response plans, so that you can respond more quickly next time. Ponemon’s 2014 Cost of Cyber Crime Study found that the average time to detect a malicious attack was 170 days. You may say ‘no way’, but in many of the most newsworthy breaches over the past year, after-the-fact analysis often shows that attackers were in the network for months, conducting reconnaissance, setting up command and control malware, and more. Ponemon also reported that the average time to resolve a cyber attack was 45 days, and this was a 33% INCREASE over the 32-days average from the global study in 2013. So with all the focus on better security management and incident management, we are heading in the wrong direction, fast. The Incident response processes so important to protecting our businesses are too long. How long should this process take? 50% of vulnerabilities are breached within 2 weeks of announcement of the vulnerability. 75% of attackers are able to take days to compromise a network. So the time frame we should be targeting is… a couple of days. Not weeks or months. So the next question is … WHY does this process take so long today? From the original sources: Cyber crimes require more time to resolve: The average time to detect a malicious or criminal attack by a global study sample of organizations was 170 days. The longest average time segmented by type of attack was 259 days, and involved incidents concerning malicious insiders. The average time to resolve a cyber attack once detected was 45 days, while the average cost incurred during this period was $1,593,627 – representing a 33-percent increase over last year’s estimated average cost of $1,035,769 for a 32-day period.(2)
- Script: As an example, let’s say that you have a suspicious incident – it appears that unauthorized outbound data is leaving the organization. There may be a defined containment protocol ‘Shut down unnecessary ports immediately’ followed by more investigation. But before you can do that, you need to check… is this a real attack? You had 100 other alerts today, what makes this one real? Does this match with a known attack vector? Are valuable assets exposed? Could they be if the attack continues? This may help me triage the different events and spend time on those that are truly a risk to critical assets. I need to find the security controls that I can use to contain the attack. Which firewalls, which IPS. And this is really, really hard to do if you have zero visibility of your attack surface. Today’s enterprises respond to cyber threats with almost no visibility of the battlefield that they are fighting on.
- Script: Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive
- Script: This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents.
- The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- Script: I think it’s great that companies are shifting to this ‘wartime’ mindset, because clearly there is a lot of work to be done. Let’s take the incident response process, which is central to identifying and responding to cyber threats. We start with preparation – which can involve identifying areas of risk, developing the right response plans for different alerts, training individuals in your organization. Detection and analysis – to cull through the millions of different events that may be triggered through your SIEM, and the analysis to decide what to do about those events. Containment, eradication and recovery - the concrete steps to take action to block an attacker, keep data from leaving your organization, and remediating the root causes. And post-incident activity to document, learn from the attack, and introduce changes to policies, to segmentation, to incident response plans, so that you can respond more quickly next time. Ponemon’s 2014 Cost of Cyber Crime Study found that the average time to detect a malicious attack was 170 days. You may say ‘no way’, but in many of the most newsworthy breaches over the past year, after-the-fact analysis often shows that attackers were in the network for months, conducting reconnaissance, setting up command and control malware, and more. Ponemon also reported that the average time to resolve a cyber attack was 45 days, and this was a 33% INCREASE over the 32-days average from the global study in 2013. So with all the focus on better security management and incident management, we are heading in the wrong direction, fast. The Incident response processes so important to protecting our businesses are too long. How long should this process take? 50% of vulnerabilities are breached within 2 weeks of announcement of the vulnerability. 75% of attackers are able to take days to compromise a network. So the time frame we should be targeting is… a couple of days. Not weeks or months. So the next question is … WHY does this process take so long today? From the original sources: Cyber crimes require more time to resolve: The average time to detect a malicious or criminal attack by a global study sample of organizations was 170 days. The longest average time segmented by type of attack was 259 days, and involved incidents concerning malicious insiders. The average time to resolve a cyber attack once detected was 45 days, while the average cost incurred during this period was $1,593,627 – representing a 33-percent increase over last year’s estimated average cost of $1,035,769 for a 32-day period.(2)
- Script: Vulnerability Exposure Vulnerability Density Remediation Latency New Vulnerabilities Violating Firewall Rules Configuration Violations Unused Firewall Rules Network Zoning Unauthorized Firewall Changes End point protection and patch management coverage
- Script: Focus the SIEM on the right information. The attack surface can be used to generate a watch list to optimize the correlation rules of the SIEM. Such as checking for unusual activity on particular servers that are known to be vulnerable Monitoring events along available access paths to high-value assets Or monitoring services or protocols that were implicated in the threat intelligence layered into the attack surface model. make more specific – soc team receiving events, queries the analytics engine If someone hacks that system, can they gain access to the important assets Are there other systems that can be attacked…
- SOC team receiving events, queries the analytics engine “If someone hacks that system, can they gain access to the important assets? Are there other systems that can be attacked?
- Script: When you take the attack surface model and add powerful analytics, like attack simulation, you can triage a potential threat quickly. Let’s say that there was an unexpected change at a router.
- Script: Is it a real attack vector? Let’s say we find a vector that we know could include a router change as a key step to compromised this financial systems. change. You could identify a real attack vector and flag it as a high risk vector, or spot a lower priority change because it can’t impact a critical system.
- Notes: start with prevention – using attack surface view to reduce attack vectors, Then detection – SIEM focused on right information Containment – verification, zoning changes, access controls to prevent exfiltration must have the info readily available Image on left -> identification of events – check to see if they are on the attack surface, reduce false positiives Then triage - achieve quick prioritization, identify actions Then containment – command and control, exp=filtration, malware control
- Isolation allows customers to block activity between threats and compromised assets Active traffic, potential traffic Disable command and control activity Link would generate a firewall change request Change Manager Mail
- Identify long terms architectural changes, network segmentation, next gen fw policies, IPS utilization
- Summary