© Lockheed Martin
Evolving Security in Process Control
4th Annual Cyber Security Summit – Energy & Utilities
Abu Dhabi, March 30, 2015
Not ‘If’ but ‘When’
Cyber Attack Impacts Whole Value Chain
(diagram: Business, Production, Control Systems, Customers; a Security Incident at any point has Impact across the whole chain)
Growth in Targeted Attacks
• Night Dragon - 2011
• Shamoon - 2012
• Energetic Bear - 2012
• Norwegian Oil & Gas - 2014
• German steel works - 2014
Just the Tip of the Iceberg
For every major incident that makes the news, many more smaller incidents go unreported.
Rapidly Changing Threat Landscape
• New vulnerabilities
• Readily available exploit kits
• Hacktivists
• State sponsored activities
• BYOD
• Mobile devices
• Cloud access from anywhere
• Growth in social media
• Internet of Things
• Advanced Persistent Threats (APT’s)
Top Threats
• Malicious Insider: 37%
• Criminal Syndicates: 26%
• Nation State Sponsored: 19%
Source: Intelligence Driven Cyber Defence, Ponemon Institute LLC, February 2015
Top Impacts
• Lost Intellectual Property
– Geoscience data
• Reputation Damage
– Joint Ventures
– Customers
– Government
• Business Disruption
– Lost production
– Incident investigation
• Damage to Critical Infrastructure
– HSE (health, safety & environment)
– Cost of repair
Source: Intelligence Driven Cyber Defence, Ponemon Institute LLC, February 2015
Internet Accessible Control Systems
241 locations, >52,000 IP addresses
Prevention is ideal but detection is a must.
However, detection without response has minimal value.
Would you know if your system was compromised?
Average time from compromise to detection: 14 months
The Need to Evolve
(process control architecture diagram, components: Engineering workstation, HMI, Manual shutdown, F&G / ESD, Shutdown signal, PI server, Remote monitoring, PI server, File server, Antivirus server, Patch server, Remote access server, Offline Malware Analysis, Privilege Access Management & Session Recording, SIEM/IDS server)
“We have a firewall and anti-virus software. We’re safe.”
NO! YOU ARE NOT SAFE
The insider is already the wrong side of your firewall – with your approval.
Security Evolution
Maturity stages (chart labels: Foundational Security, Technologies, 80% / 20%):
• Basic Security: compliance driven (ISO27001), COTS products, “set it and forget it”
• Compliant Security (Reactive): add good security practices, use SIEM to monitor & respond to alerts
• Sustainable Security (Proactive): integrate IT & OT security, use available intelligence
• Intelligence Driven Defense® (Predictive): see what’s coming at you, anticipate, generate & share intelligence
Steps between the stages: Procedures and Documentation; Automation and Efficient IT/OT Process Integration; Cyber Intelligence integrated in Operations
Foundational Security (Reactive)
End Point Security, Network Security
Looking inwards at vulnerability and managing impact to confidentiality, integrity and availability. This typically results in reactive actions after an intrusion has taken place.
Addresses the 80% threat
Intelligence Driven Defense® (Threat Focused)
This builds on foundational security. It looks outwards at the specific adversaries attacking your enterprise, intimately understanding and analysing their tactics, techniques and procedures. This allows you to proactively take a defensive course of action.
Proactively addresses the 20% and the 80% threat
Understand the Threat Landscape
Campaign analysis is used to determine the patterns and behaviours of the intruders (LM Cyber Kill Chain® Campaign Heat Map):
• Group intrusions together into “Campaigns”
• Prioritize and measure against each campaign
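The campaign analysis the slide describes, as an added example that is not part of the deck and not Lockheed Martin code: intrusion attempts are linked into campaigns through the indicators they share, tallied per Kill Chain® phase into a heat map, and ranked by how deep into the chain each campaign got before detection. Every intrusion record and indicator value below is constructed for illustration.

```python
"""Campaign analysis over the seven Cyber Kill Chain phases (added example).

All sample intrusions and indicator values are constructed; none are real IoCs.
"""
from collections import defaultdict
from dataclasses import dataclass

# The seven phases of the Lockheed Martin Cyber Kill Chain, in order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]


@dataclass
class Intrusion:
    ident: str
    detected_at: str        # phase at which defenders detected / blocked the attempt
    indicators: frozenset   # atomic, computed or behavioural indicators observed


# Constructed sample: eight attempts against a plant, some sharing indicators.
SAMPLE = [
    Intrusion("I-01", "Delivery", frozenset({"sender:hr-update.example", "doc:sha256:aaa"})),
    Intrusion("I-02", "Exploitation", frozenset({"doc:sha256:aaa", "c2:update-cdn.example"})),
    Intrusion("I-03", "Command and Control", frozenset({"c2:update-cdn.example", "mutex:GlobalPCS7"})),
    Intrusion("I-04", "Delivery", frozenset({"sender:vendor-portal.example", "url:/scada/patch.zip"})),
    Intrusion("I-05", "Installation", frozenset({"url:/scada/patch.zip", "svc:PiUpdater"})),
    Intrusion("I-06", "Actions on Objectives", frozenset({"svc:PiUpdater", "c2:telemetry-sync.example"})),
    Intrusion("I-07", "Delivery", frozenset({"sender:hr-update.example"})),
    Intrusion("I-08", "Reconnaissance", frozenset({"scanner:203.0.113.7"})),
]


def group_campaigns(intrusions):
    """Link intrusions that share any indicator (union-find); each connected set is a campaign."""
    parent = {i.ident: i.ident for i in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}                          # indicator -> first intrusion carrying it
    for intr in intrusions:
        for ind in intr.indicators:
            if ind in first_seen:
                union(first_seen[ind], intr.ident)
            else:
                first_seen[ind] = intr.ident
    groups = defaultdict(list)
    for intr in intrusions:
        groups[find(intr.ident)].append(intr)
    return sorted(groups.values(), key=lambda g: g[0].ident)


def heat_map(campaigns):
    """Campaign name -> {phase: number of intrusions detected at that phase}."""
    hm = {}
    for n, camp in enumerate(campaigns, 1):
        row = {p: 0 for p in KILL_CHAIN}
        for intr in camp:
            row[intr.detected_at] += 1
        hm[f"Campaign-{n}"] = row
    return hm


def campaign_metrics(campaigns):
    """Per campaign: size, deepest phase reached, fraction stopped before Installation."""
    install = KILL_CHAIN.index("Installation")
    out = {}
    for n, camp in enumerate(campaigns, 1):
        depths = [KILL_CHAIN.index(i.detected_at) for i in camp]
        early = sum(1 for d in depths if d < install)
        out[f"Campaign-{n}"] = {
            "intrusions": len(camp),
            "deepest_phase": KILL_CHAIN[max(depths)],
            "stopped_before_installation": early / len(camp),
        }
    return out


def prioritize(campaigns):
    """Campaign names ordered for attention: deepest phase reached first, then size."""
    m = campaign_metrics(campaigns)
    return sorted(m, key=lambda c: (-KILL_CHAIN.index(m[c]["deepest_phase"]),
                                    -m[c]["intrusions"]))


def render(hm):
    """Plain-text heat map: one row per campaign, one column per phase."""
    abbrev = ["Recon", "Weap", "Deliv", "Expl", "Inst", "C2", "AoO"]
    lines = ["{:<12}".format("") + "".join(f"{a:>7}" for a in abbrev)]
    for camp, row in hm.items():
        lines.append(f"{camp:<12}" + "".join(f"{row[p]:>7}" for p in KILL_CHAIN))
    return "\n".join(lines)


if __name__ == "__main__":
    camps = group_campaigns(SAMPLE)
    print(render(heat_map(camps)))
    for name in prioritize(camps):
        print(name, campaign_metrics(camps)[name])
```

The detection phase per campaign is the measurement the slide asks for: a campaign whose attempts are repeatedly caught only at Command and Control or later is the one to prioritise for new indicators earlier in the chain.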
Critical Success Factors
• Basic security measures essential
– Reduce attack surface
– Maintain signatures, patches, firewalls, etc.
• People
– End users are part of your defences – train & test them
– Your adversaries are people. You need people who understand their tactics, techniques & procedures (TTP) – train & test them
• Governance
– Management focus on security
– Ensure response capability is in place (you will need it) – train & test them
– Measure success
Remember…
Security is a journey, not a destination
Thank you

Andrew Wadsworth, GICSP, Head of Process Control Security, Lockheed Martin
andrew.wadsworth@civil.lmco.com
Johnstone House, 52-54 Rose Street, Aberdeen AB10 1UD, United Kingdom
Office +44 1224 611040, Mobile +44 7914 356962

Scott Keenon, Business Development Manager, Lockheed Martin
scott.keenon@civil.lmco.com
Johnstone House, 52-54 Rose Street, Aberdeen AB10 1UD, United Kingdom
Office +44 1224 611052, Mobile +44 7968 793353

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Evolving Security in Process Control

  • 1. © Lockheed Martin. Evolving Security in Process Control. 4th Annual Cyber Security Summit – Energy & Utilities, Abu Dhabi, March 30, 2015
  • 2. Not ‘If’ but ‘When’
  • 3. Cyber Attack Impacts Whole Value Chain (diagram labels: Security Incident; Impact; Control Systems; Production; Business; Customers)
  • 4. Growth in Targeted Attacks: Night Dragon - 2011; Shamoon - 2012; Energetic Bear - 2012; Norwegian Oil & Gas - 2014; German steel works - 2014
  • 5. Just the Tip of the Iceberg. For every major incident that makes the news, many more smaller incidents go unreported
  • 6. Rapidly Changing Threat Landscape
      • New vulnerabilities
      • Readily available exploit kits
      • Hacktivists
      • State sponsored activities
      • BYOD
      • Mobile devices
      • Cloud access from anywhere
      • Growth in social media
      • Internet of Things
      • Advanced Persistent Threats (APTs)
  • 7. Top Threats (source: Intelligence Driven Cyber Defence, Ponemon Institute LLC, February 2015)
      • Malicious Insider 37%
      • Criminal Syndicates 26%
      • Nation State Sponsored 19%
  • 8. Top Impacts (source: Intelligence Driven Cyber Defence, Ponemon Institute LLC, February 2015)
      • Lost Intellectual Property
        – Geoscience data
      • Reputation Damage
        – Joint Ventures
        – Customers
        – Government
      • Business Disruption
        – Lost production
        – Incident investigation
      • Damage to Critical Infrastructure
        – HSE
        – Cost of repair
  • 9. Internet Accessible Control Systems: 241 locations; >52,000 IP addresses
  • 10. Prevention is ideal but detection is a must. However, detection without response has minimal value
  • 11. Would you know if your system was compromised? Average time from compromise to detection: 14 months
  • 12. The Need to Evolve (architecture diagram labels: Engineering workstation; HMI; Manual shutdown; F&G; ESD; Shutdown signal; PI server; Remote monitoring; PI server; File server; Antivirus server; Patch server; Remote access server; Offline Malware Analysis; Privilege Access Management & Session Recording; SIEM/ID server). “We have a firewall and anti-virus software. We’re safe.”
  • 13. The Need to Evolve (same architecture diagram as slide 12). “We have a firewall and anti-virus software. We’re safe.” NO! YOU ARE NOT SAFE. The insider is already the wrong side of your firewall – with your approval
  • 14. Security Evolution (four maturity steps; the chart also carries 80% / 20% labels, cf. slides 15 and 16)
      • Basic Security – Foundational Security Technologies: compliance driven (ISO27001), COTS products, “set it and forget it”
      • Compliant Security (Reactive) – Procedures and Documentation: add good security practices, use SIEM to monitor & respond to alerts
      • Sustainable Security (Proactive) – Automation and Efficient IT/OT Process Integration: integrate IT & OT security, use available intelligence
      • Intelligence Driven Defense® (Predictive) – Cyber Intelligence integrated in Operations: see what’s coming at you, anticipate, generate & share intelligence
  • 15. Foundational Security (End Point Security, Network Security). Reactive: looking inwards at vulnerability and managing impact to confidentiality, integrity and availability. This typically results in reactive actions after an intrusion has taken place. Addresses 80% of the threat
  • 16. Intelligence Driven Defense®. Threat focused: this builds on foundational security. It looks outwards at the specific adversaries attacking your enterprise and intimately understanding/analysing their tactics, techniques and procedures. This allows you to proactively take a defensive course of action. Proactively addresses the 20% and the 80% of the threat
  • 17. Understand the Threat Landscape. Campaign analysis is used to determine the patterns and behaviours of the intruders (LM Cyber Kill Chain® Campaign Heat Map)
      • Group intrusions together into “Campaigns”
      • Prioritize and measure against each campaign
  • 18. Critical Success Factors
      • Basic security measures essential
        – Reduce attack surface
        – Maintain signatures, patches, firewalls, etc.
      • People
        – End users are part of your defences – train & test them
        – Your adversaries are people. You need people who understand their tactics, techniques & procedures (TTP) – train & test them
      • Governance
        – Management focus on security
        – Ensure response capability is in place (you will need it) – train & test them
        – Measure success
  • 19. Remember… Security is a journey, not a destination
  • 21. Thank you
      • Andrew Wadsworth, GICSP, Head of Process Control Security, Lockheed Martin, andrew.wadsworth@civil.lmco.com, Johnstone House, 52-54 Rose Street, Aberdeen AB10 1UD, United Kingdom. Office +44 1224 611040, Mobile +44 7914 356962
      • Scott Keenon, Business Development Manager, Lockheed Martin, scott.keenon@civil.lmco.com, Johnstone House, 52-54 Rose Street, Aberdeen AB10 1UD, United Kingdom. Office +44 1224 611052, Mobile +44 7968 793353

Editor's notes

  1. It is accepted by security professionals that any network can be compromised eventually. Trends: increasing number of attacks, with year-on-year increases; increasing sophistication of attacks (what was sophisticated yesterday is easy today, e.g. once integrated into Metasploit); multiple approaches; evading detection (average time from penetration of the PCE to detection = 18 months). Energy is a high-value target (59% of attacks reported to US DHS in 2013); energy is specifically targeted. Not if but when.
  2. Why are you here? BG Group’s customers depend on BG Group delivering consistently and reliably. In order to do that, BG Group needs its production operations to operate 24 x 7, and those production operations depend on automation systems operating 24 x 7. Process security focuses on ensuring safe, reliable and secure operations. The business that BG Group is in is, for many of the countries in which you operate, a part of those countries’ critical energy infrastructure and a major contributor to their economies. PCE security matters to BG Group’s success: a PCE security incident can impact BG’s customers and, potentially, has safety, environmental, financial and reputation impacts.
  3. People – Process – Technology Journey
  4. When we look at foundational security, this is typically fulfilled by organisations aligning to security good practice. At LM we are certified to ISO27001 at an enterprise level, and over 25 IS&GS programmes also have ISO27001 certification. There are many ways to represent foundational security; here I have broken it down into overarching security elements, which are the dark blue boxes, with end point security (left hand side) and network security (right hand side) shown inside. Foundational security is essential to manage risk from broad-based adversaries such as cyber criminals, hacktivists, hackers and less sophisticated adversaries. Essentially we are in a position where we can buy COTS products, supplemented by good security policies and education and awareness, to manage these threat actors. If only this were enough to manage the threat from the sophisticated top 20% of adversaries.
  5. Using intelligence to look for the needle in the haystack or needle in the needle stack. Cut through all of the noise to spot characteristics of sophisticated threats and insider threats.
  6. You want to identify potential threats early and plot your course accordingly! Using the Titanic analogy, there were plenty of warnings to avoid the iceberg before disaster struck.
     High-level talking point: tracking campaigns is enormously beneficial. We are not trying to stop 1s and 0s, we are trying to stop people, so I need to understand how and when people operate. The principal goal of campaign analysis is to determine the patterns and behaviors of the intruders, their tactics, techniques, and procedures (TTP), to detect “how” they operate rather than specifically “what” they do.
     The campaign heat map allows us to quickly hone in on which adversaries are active over a particular timeframe and understand when and how they attack. The use of the heat map has been important to understanding what triggers an APT attack (i.e. new zero-day vulnerabilities, or other significant events). This allows us to assess our defensive posture on a campaign-by-campaign basis and, based on the assessed risk of each, develop strategic courses of action to cover any gaps. We can also tell the difference between an adversary that targets us every month and one that targets us periodically. For example, if there are a number of consecutive months of activity but then a conspicuous gap, that might mean something was missed or the adversary changed their TTPs. The heat map allows us to identify periods during the year that are traditionally busy, or periods where multiple adversaries are all active at once. This enables us to ensure that staff are on hand at those times and/or to plan to deploy very aggressive mitigations, as there is little room for error.
     CYBER KILL CHAIN services become a model for actionable intelligence when defenders align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise. Typically, “Defense-in-Depth” just means “more is better than less”. With CYBER KILL CHAIN services we have a smarter measure of depth by having defensive options across the full spectrum of the defense lifecycle. If you're just "adding more", you could just be layering defense at one part of the defense lifecycle while deficiencies elsewhere go unnoticed.
     The Cyber Kill Chain™ courses-of-action matrix (Detect, Deny, Disrupt, Degrade, Deceive) depicts courses of action across all phases of the defense lifecycle. In the exploitation phase, for example, host intrusion detection systems (HIDS) can passively detect exploits, patching denies exploitation altogether, and data execution prevention (DEP) can disrupt the exploit once it initiates. Illustrating the spectrum of capabilities defenders can employ, the matrix includes traditional systems like network intrusion detection systems (NIDS) and firewall access control lists (ACL), system hardening best practices like audit logging, but also vigilant users themselves (THE I CAMPAIGN™) who can detect suspicious activity.
     The key here is resiliency. One mitigation breaks the chain, but 7 mitigations make you resilient. Even if the adversary changes 6 things, your one mitigation still wins. There is no inherent advantage to an aggressor in cyber; launching a successful intrusion requires a lot of things to happen just right. The problem is that most defenders don't know how to correctly control and defend their environment. If you have control of your environment, and understand your threats, you can build resilience.
     The reason we have multiple D's is that defenders can make intelligence gain vs. loss trade-offs. By blocking something (Deny), you may tip your hand to the adversary: they may know precisely what they need to adjust to bypass your defenses (i.e., you block my IP, I'll just use a different one). Instead, if you're able to Deceive them, you may be able to collect additional information from the adversary. All of this is new information for you to use for new defenses. The classic example is an IP address that sends malicious email. If you block it, the adversary knows immediately what mitigation you put in, because they can tell their connections are failing. However, what have you gained as a defender? All you can see is a bunch of dropped SYN packets on your firewall. Yes, you've gained the security that that particular IP can't send anything to you, but you know nothing further. If the adversary switches to a new IP, would you be able to detect it? Instead, by deceiving, allowing the full email to enter your network but blocking it before it goes to the user, you now know a tremendous amount of information.
     We measure success by framing metrics in the context of the cyber kill chain. Metrics of resiliency are generated by measuring the performance as well as the effectiveness of defensive actions against the intruders. This allows us to plan investment roadmaps to rectify any capability gaps. Fundamentally, this approach is the essence of intelligence-driven CND: basing security decisions and measurements on a keen understanding of the adversary. Because we always complete the kill chain, we can also show which capabilities further down were relevant. This is important because often, when leadership makes a big investment in a security tool, they might ask "what has it done for us?". Sometimes we're good at blocking activity before it reaches that new system, but if we can show that it is relevant to the problems we face, it enables us to demonstrate its value.
     LM’s unique Cyber Kill Chain approach drives the way we do analysis for incident response. Regardless of the stage to which the attack has progressed, our team of analysts works to recreate all steps of the attack. We use a combination of forensic images, host, and network logs to understand how the adversary initially gained access to the client’s environment and then progressed through the attack. Where others may encounter road blocks, our analysts will leverage our expansive knowledge bank of observed APT Tactics, Techniques, and Procedures (TTP) to identify additional areas for investigation. Our analysis methodology does not require the installation of any specific tools in a client’s computing environment. The LM team uses a combination of COTS and LM proprietary software to support the analysis of an incident. Once a client’s internal Incident Response (IR) team engages LM analysts, our analysis process is executed as follows:
     - Conduct a kickoff meeting (face-to-face or via conference call) with LM and the client to discuss the initial facts and decide any immediate remediation actions.
     - Pull forensic images of affected assets and provide them to LM analysts.
     - During the analysis, LM analysts will collaborate with the client’s Incident Response team for any additional data, recommendations, or suggested immediate remediations.
     The results of the analysis are packaged into a final report and presented to the client. By breaking an intrusion into multiple steps, we have multiple opportunities to recover from that threat. Our effort is best spent on three priorities: detection, additional visibility, and process improvement. Based on the TTP observed during a given incident, we work with the client’s incident response team to integrate new detections into the client’s current security architecture. This will ensure the client has the maximum amount of protection at all steps of the Cyber Kill Chain. This includes additional detections in current tools or enhancements to existing processes (e.g. patching). Our experience has shown that TTPs can shift slightly between attacks, but having defenses at multiple steps greatly reduces the chance that a future attack will be successful. We will also identify recommendations for tools or processes to provide additional visibility to remediate any information gaps observed during the previous incident. This includes identifying additional log sources that could be reconfigured to provide context into the progression of an attack. This information can be crucial in streamlining the next investigation or providing the visibility required to properly recreate an incident. Lastly, we treat each intrusion as a learning experience and an opportunity for improvement, to better understand and recognize the TTPs of an adversary. Each intrusion is also an opportunity to examine current client processes to seek improvement.
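A worked illustration of the two analysis tools this note describes, the campaign heat map (with its "consecutive months then a conspicuous gap" and "several adversaries active at once" readings) and the kill-chain courses-of-action matrix with its resiliency count and "which capabilities further down were relevant" question. It is an added example written for this page, not Lockheed Martin code and not taken from the deck. The intrusion records are constructed sample data; the matrix is filled only with the capabilities the note names (HIDS, patching and DEP at the exploitation phase as stated; the placement of NIDS, firewall ACL, audit logging and vigilant users at particular phases is an assumption made here); the seven phase names are the standard Cyber Kill Chain phases.

```python
from collections import defaultdict

# The seven Cyber Kill Chain phases, in order (standard phase names).
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
# The five courses of action ("the D's") from the note.
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive"]

# Courses-of-action matrix: phase -> action -> list of capabilities.
# HIDS / patching / DEP at Exploitation are as the note states; the phase
# placement of the other four capabilities is an assumption for this example.
# Every other cell is deliberately left empty (a visible capability gap).
COA_MATRIX = {phase: {action: [] for action in ACTIONS} for phase in PHASES}
COA_MATRIX["Delivery"]["Detect"] = ["Vigilant users", "NIDS"]      # placement assumed
COA_MATRIX["Delivery"]["Deny"] = ["Firewall ACL"]                   # placement assumed
COA_MATRIX["Exploitation"]["Detect"] = ["HIDS"]
COA_MATRIX["Exploitation"]["Deny"] = ["Patching"]
COA_MATRIX["Exploitation"]["Disrupt"] = ["DEP"]
COA_MATRIX["Actions on Objectives"]["Detect"] = ["Audit logging"]  # placement assumed

# Constructed sample intrusion records: the campaign each intrusion was
# attributed to, the month of the year, and the phase at which it was stopped.
INTRUSIONS = [
    {"campaign": "Campaign A", "month": 1, "blocked_at": "Delivery"},
    {"campaign": "Campaign A", "month": 2, "blocked_at": "Exploitation"},
    {"campaign": "Campaign A", "month": 3, "blocked_at": "Delivery"},
    {"campaign": "Campaign A", "month": 6, "blocked_at": "Delivery"},
    {"campaign": "Campaign B", "month": 3, "blocked_at": "Exploitation"},
    {"campaign": "Campaign B", "month": 7, "blocked_at": "Exploitation"},
    {"campaign": "Campaign B", "month": 11, "blocked_at": "Delivery"},
]


def resilience(matrix):
    """Number of phases with at least one mitigation of any kind.
    'One mitigation breaks the chain, but 7 mitigations make you resilient.'"""
    return sum(1 for phase in PHASES if any(matrix[phase][a] for a in ACTIONS))


def downstream_capabilities(matrix, blocked_at):
    """Capabilities at phases later than the one where an intrusion was stopped.
    Completing the kill chain shows these were still relevant to the intrusion
    even though they never had to fire (the 'what has it done for us?' answer)."""
    later = PHASES[PHASES.index(blocked_at) + 1:]
    return [(p, a, cap) for p in later for a in ACTIONS for cap in matrix[p][a]]


def campaign_heat_map(records):
    """campaign -> twelve monthly intrusion counts (index 0 is January)."""
    heat = defaultdict(lambda: [0] * 12)
    for r in records:
        heat[r["campaign"]][r["month"] - 1] += 1
    return dict(heat)


def render_heat_map(heat):
    """Text rendering: one row per campaign, '#' for an active month, '.' otherwise."""
    return "\n".join(f"{campaign:12} " + "".join("#" if n else "." for n in counts)
                     for campaign, counts in heat.items())


def conspicuous_gaps(heat, min_run=2):
    """Months in which a campaign goes quiet after at least `min_run` consecutive
    active months: something may have been missed, or the adversary changed TTPs."""
    gaps = []
    for campaign, counts in heat.items():
        run = 0
        for month, n in enumerate(counts, start=1):
            if n:
                run += 1
            else:
                if run >= min_run:
                    gaps.append((campaign, month))
                run = 0
    return gaps


def busy_months(heat, min_campaigns=2):
    """Months in which several adversaries are active at once, where staffing
    or aggressive mitigations have to be planned ahead."""
    return [m for m in range(1, 13)
            if sum(1 for counts in heat.values() if counts[m - 1]) >= min_campaigns]


if __name__ == "__main__":
    heat = campaign_heat_map(INTRUSIONS)
    print(render_heat_map(heat))
    print("conspicuous gaps:", conspicuous_gaps(heat))
    print("busy months:", busy_months(heat))
    print("phases with a mitigation:", resilience(COA_MATRIX), "of", len(PHASES))
    first = INTRUSIONS[0]["blocked_at"]
    print(f"still relevant downstream of {first}:",
          downstream_capabilities(COA_MATRIX, first))
```

On the sample data the heat map shows Campaign A active for three consecutive months and then silent in month 4, which `conspicuous_gaps` flags for review, and month 3 as the one month where both campaigns are active. The matrix as filled covers three of the seven phases, so `resilience` reports 3; filling the empty cells from your own capability inventory is exactly the gap analysis the note describes, and `downstream_capabilities` is the argument for a control that did not fire because an earlier phase already stopped the intrusion.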