Scot Secure 2019 Edinburgh (Day 1)


The national Scot-Secure Summit is the largest annual Cyber Security Conference in Scotland: the event brings together senior IT leaders and Information Security personnel, providing a unique forum for knowledge exchange, discussion and high-level networking.

The conference programme is focused on promoting best-practice cyber security; looking at the current trends, the key threats - and offering practical advice on improving resilience and implementing effective security measures.

Published in: Technology


  1. Welcome to ScotSecure 2019 #scotsecure
  2. Mark Stephen, BBC Scotland @bbcscotland #scotsecure
  3. Ray Bugg, DIGIT @digitfyi #scotsecure
  4. Steven Wilson, Europol @europol #scotsecure
  5. International Challenges of Cybercrime Investigation. Europol Unclassified - Basic Protection Level. Steven Wilson, Head of EC3, 27 March 2019
  6. Europol Classified – EU RESTRICTED. Europol's Mandate: "Europol shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy" (Europol Regulation). Headquarters: The Hague, Netherlands
  7. Liaison Bureaux Network. Europol Liaison Officers in: Interpol IGCI; Interpol IPSG; Washington DC
  8. EC3's Core Areas of Responsibility. Decryption Facility
  9. Multi-Faceted Approach to Countering Cybercrime: Internet Security; Financial Services; Academic Advisory Network; Cybercrime Prevention Network; Communication Providers; Forensic Expert Forum. SOCTA, IOCTA, Strategic Plans, Operational Actions, Evaluation
  10. IOCTA 2018 – Key Threats & Trends: Card-not-present fraud dominates payment fraud, but skimming continues. DDoS continues to plague public and private organisations. Ransomware retains its dominance. Social engineering still the engine of many cybercrimes.
  11. Major Cross-Border Cyber-Attacks: WannaCry Ransomware Attacks (May 2017); NotPetya Malware Attacks (June 2017)
  12. Avalanche: 5 arrests in 4 countries; 37 searches in 7 countries; 39 servers seized in 13 countries; 221 servers taken offline; 64 TLDs; 800,000 domains in 26 countries; victim remediation in 189 countries; awareness raising and prevention
  13. Cyber Attacks in the News
  14. Convergence of Criminality: Script Kiddies; Serious Organised Crime; Nation States; Cyber Criminals
  15. Joint Cybercrime Action Taskforce (J-CAT): Identification of priorities; Investigative opportunities; Investigation. Chairmanship: Netherlands; Vice-Chairmanship: US FBI. 24/7 Permanent Taskforce operating from Europol HQ together with EC3. Taskforce Members: 17 LEA Agencies from 15 Member Countries (9 EU MS, 6 TP) + Europol's EC3
  16. EU Law Enforcement Emergency Response Protocol (LE ERP): To support the EU MS LEA in providing immediate response to major cyber-attacks (in line with nation-level crisis management mechanisms); To facilitate collaboration and coordination with other key players (public & private); To provide the law enforcement contribution to the EU crisis management structures
  17. European Money Mule Action IV (Sep - Nov 2018): Cooperation with Eurojust, 30 countries, the EBF, 300+ banks and other private-sector partners; Money muling awareness campaign #DontBeaMule to alert the public; 26,376 money mule transactions reported (preventing losses of more than 36 million Euros); 168 arrested, 1504 money mules and 140 money mule organisers identified
  18. No More Ransom: 136 partners; website available in 36 languages; 68 tools capable of decrypting 99 ransomware families; > 72,000 devices successfully decrypted; 2017 SC Magazine Editor's Choice Award
  19. Scot in Europe – Perspective: Single Police Force; SBRC; University/LE Cooperation; Developing Industry
  20. What can Scotland do? Scottish Business Resilience Centre; Police Scotland Cyber Hubs; Cyber Scotland: education, skills & awareness
  21. Thank you
  22. Alison Vincent, Valiha Consultancy @draliv #scotsecure
  23. THE HUMAN FIREWALL. Dr Alison Vincent @draliv
  24. THE FUTURE IS CLOSER THAN WE THINK
  25. INTERNET OF THINGS (IOT)
  26. INTERNET OF THINGS (IOT)
  27. POLITICAL LANDSCAPE CHANGING. Headlines: "En garde! 'Cyber-war has begun' – and France will hack first, its defence sec declares"; "Poland unveils details of plan for new cyber defence force"
  28. 90% of malware infections; Tuesday versus Friday 1 : 20; 72% of data breaches
  29. Malicious – acts intentionally; Negligent – is sloppy; Compromised – acts unintentionally. 77%
  30. $30+
  31. Process. Technology. People. IMPACTS ON AN ORGANISATIONAL STRATEGY
  32. Audiences: The Board; The Executive; Employees/Leaders; Customers/Supply Chain
  33. Audiences: The Board; The Executive; Employees/Leaders; Customers/Supply Chain. Cyber Awareness Training; Video sound bites
  34. Audiences: The Board; The Executive; Employees/Leaders; Customers/Supply Chain. Cyber Awareness Training; Video sound bites
  35. Audiences: The Board; The Executive; Employees/Leaders; Customers/Supply Chain. Cyber Awareness Training; Video sound bites; Internal Phishing Campaigns; Secure SDLC tooling; Gamification for apps developers
  36. Audiences: The Board; The Executive; Employees/Leaders; Customers/Supply Chain. Cyber Awareness Training; Include Executive Assistants; Target internal Phishing Campaigns; Digital Footprinting
  37. Audiences: The Board; The Executive; Employees/Leaders; Customers/Supply Chain. Cyber Awareness Training; Cyber Simulation Walk-throughs; Balanced Board reporting
  38. FOCUS ON RISKS (NOT THREATS)
  39. Summary by audience. The Board: Cyber Awareness Training; Cyber Simulation Walk-throughs; Balanced Board reporting. The Executive: Cyber Awareness Training; Include Executive Assistants; Target internal Phishing Campaigns; Digital Footprinting. Employees/Leaders: Cyber Awareness Training; internal Phishing Campaigns; Video sound bites; Secure SDLC tooling; Gamification for apps developers. Customers/Supply Chain: Cyber Awareness Training; Video sound bites
  40. THE HUMAN FIREWALL. Dr Alison Vincent @draliv
  41. Mark Mitchell, Check Point @draliv #scotsecure
  42. ©2019 Check Point Software Technologies Ltd. SWITCHING SIDES: Transitioning from Consumption to Supply. Mark Mitchell, Security Engineer
  43. Agenda: Background; Walls: Disrupt and Prevent; Turning up for the wrong war; Solutions
  44. Me: Background in both Commercial and Academic Sectors; Trained Archaeologist; Old enough to remember people being excited by Windows 95
  45. WALLS: DISRUPT AND PREVENT
  46. A History of Walls
  47. A History of Walls
  48. A History of Walls
  49. What happens when the thinking gets stale?
  50. TURNING UP FOR THE WRONG WAR
  51. 2018
  52. The Global Risks Report 2018
  53. Where are we? Timeline 1990–2017: Gen I Virus; Gen II Networks; Gen III Applications; Gen IV Payload; Gen V Mega. Enterprises are between Gen 2-3 (2.8)
  54. Only 3% of IT Security Professionals Are at Gen V. Cyber Security Generations Analysis: Gen 1 (AV only) 89%; Gen 2 (FW+AV) 97%; Gen 3 (FW+AV+IPS) 98%; Gen 4 (All+Sandboxing+Anti Bot) 10%; Gen 5 (All+Sandboxing in prevention mode+mobile+cloud) 3%. Source: Cyber Security Generations Survey among IT Professionals, March 2018, N=300
  55. 76% Experienced Attacks In Multiple Vectors (more than one vector). Number of different attack vectors: One 24%; Two 29%; Three 33%; Four 10%; Five 4%. Vectors: PC, On-premise data Center, Cloud, Mobile, IoT. Source: Cyber Security Generations Survey among IT Professionals, March 2018, N=300
  56. LET'S LOOK AT WHAT ORGANIZATIONS USE TODAY. Chart of protected vs not protected, 2016 vs 2017, for Network Sandboxing, Mobile Security and Cloud Security (93%, 99%, 98%; 87%, 96%, 91%). Dramatic increase in protection: 86% more, 300% more, 350% more. BUT WE ARE STILL NOT USING THE MOST EFFECTIVE SECURITY!
  57. HOW ARE WE APPROACHING CYBER SECURITY TODAY? ARE WE READY FOR THE FUTURE OF CYBER THREATS?
  58. ARCHITECTURE A: MULTI-VENDOR, ATTACK DETECTION AND MITIGATION USING POINT SOLUTIONS… (Technology B, Technology C, Mitigation Tools, Breach Detection and Remediation). "Attacks are inevitable, so we might as well mitigate the damage." POINT SOLUTIONS: too many disparate technologies. INHERENT GAPS: incomplete coverage between solutions. POST BREACH: detection & mitigation tools to minimize the damage
  59. We All Need Protection. ARCHITECTURE A: multi-vendor, attack detection and mitigation (Technology B, Technology C, Mitigation Tools, Breach Detection and Remediation). ARCHITECTURE B: UNIFIED ARCHITECTURE, FOCUS ON PREVENTION (Next Generation Firewall; Threat Prevention (AV, IPS); Advanced Threat Prevention; Cloud, Mobile, Networks)
  60. SOLUTIONS
  61. Possible Solution: Internal Communication; Read Communication; Read and Research; Policy and Process; Collaborate; Think like a bad Guy; Detect and Prevent; And remember…
  63. THANK YOU
  64. Jon Hope, Sophos @JonHope_Sophos #scotsecure
  65. See The Future…. Jon Hope, Senior Sales Engineer – UK&I
  68. Today's Approach to IT security is falling behind
  69. Rogue/Fake Antivirus
  70. Locker Ransomware
  71. Crypto-Ransomware (Cryptolocker) (2013)
  72. Crypto-worms (2017)
  73. 200+ Crypto-Ransomware Families: .CryptoHasYou., 777, 7ev3n, 7h9r, 8lock8, Alfa Ransomware, Alma Ransomware, Alpha Ransomware, AMBA, Apocalypse, ApocalypseVM, AutoLocky, BadBlock, BaksoCrypt, Bandarchor, Bart, BitCryptor, BitStak, BlackShades Crypter, Blocatto, Booyah, Brazilian, BrLock, Browlock, Bucbi, BuyUnlockCode, Cerber, Chimera, CoinVault, Coverton, Cryaki, Crybola, CryFile, CryLocker, CrypMIC, Crypren, Crypt38, Cryptear, CryptFile2, CryptInfinite, CryptoBit, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoGraphic Locker, CryptoHost, CryptoJoker, CryptoLocker, Cryptolocker 2.0, CryptoMix, CryptoRoger, CryptoShocker, CryptoTorLocker2015, CryptoWall 1, CryptoWall 2, CryptoWall 3, CryptoWall 4, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 3.1, CTB-Faker, CTB-Locker, CTB-Locker WEB, CuteRansomware, DeCrypt Protect, DEDCryptor, DetoxCrypto, DirtyDecrypt, DMALocker, DMALocker 3.0, Domino, EDA2 / HiddenTear, EduCrypt, El-Polocker, Enigma, FairWare, Fakben, Fantom, Fonco, Fsociety, Fury, GhostCrypt, Globe, GNL Locker, Gomasom, Goopic, Gopher, Harasom, Herbst, Hi Buddy!, Hitler, HolyCrypt, HydraCrypt, iLock, iLockLight, International Police Association, JagerDecryptor, Jeiphoos, Jigsaw, Job Crypter, KeRanger, KeyBTC, KEYHolder, KimcilWare, Korean, Kozy.Jozy, KratosCrypt, KryptoLocker, LeChiffre, Linux.Encoder, Locker, Locky, Lortok, LowLevel04, Mabouia, Magic, MaktubLocker, MIRCOP, MireWare, Mischa, MM Locker, Mobef, NanoLocker, Nemucod, NoobCrypt, Nullbyte, ODCODC, Offline ransomware, OMG! Ransomware, Operation Global III, PadCrypt, Pclock, Petya, PizzaCrypts, PokemonGO, PowerWare, PowerWorm, PRISM, R980, RAA encryptor, Radamant, Rakhni, Rannoh, Ransom32, RansomLock, Rector, RektLocker, RemindMe, Rokku, Samas-Samsam, Sanction, Satana, Scraper, Serpico, Shark, ShinoLocker, Shujin, Simple_Encoder, SkidLocker / Pompous, Smrss32, SNSLocker, Sport, Stampado, Strictor, Surprise, SynoLocker, SZFLocker, TeslaCrypt 0.x - 2.2.0, TeslaCrypt 3.0+, TeslaCrypt 4.1A, TeslaCrypt 4.2, Threat Finder, TorrentLocker, TowerWeb, Toxcrypt, Troldesh, TrueCrypter, Turkish Ransom, UmbreCrypt, Ungluk, Unlock92, VaultCrypt, VenusLocker, Virlock, Virus-Encoder, WildFire Locker, Xorist, XRTN, Zcrypt, Zepto, Zimbra, Zlader / Russian, Zyklon
  74. "You can't solve a problem on the same level that it was created. You have to rise above it to the next level." – Albert Einstein
  75. Synchronized Security is Better Security. Nick Ross, Sales Engineering UKI
  76. Sophos History – Evolution to Synchronized Security (timeline c1985–2019): Founded in Abingdon (Oxford), UK by Peter Lammer and Jan Hruska (c1985); first checksum-based antivirus software; first signature-based antivirus software; US presence established in Boston; voted best small/medium-sized company in UK; acquired ENDFORCE; acquired Utimaco Safeware AG; divested non-core Cyber business; acquired Astaro; acquired DIALOGS; acquired Cyberoam; acquired Mojave Networks; acquired Barricade; acquired Reflexion; acquired Surfright; IPO on the London Stock Exchange; launched Synchronized Security; acquired Invincea; acquired PhishThreat; acquired Avid Secure; acquired DarkBytes. Years shown on the slide: 1985, 1988, 1989, 1996, 2007, 2008, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2019
  77. Synchronized Security: Better Security. Wireless; Web; Email; UTM; Next-Gen Firewall; File Encryption; Disk Encryption; Endpoint; Next-Gen Endpoint; Mobile; Server; Analytics; User Training. Unparalleled protection against advanced threats. Significantly reduced incident response time
  78. "No other company is close to delivering this type of communication between endpoint and network security products." – Chris Christianson, vice president of security programs, IDC
  79. Proven Technology in Key Areas: Gartner Magic Quadrant, Unified Threat Management; Gartner Magic Quadrant, Endpoint Protection Platforms; The Forrester Wave™, Endpoint Encryption. Sources: The Forrester Wave: Endpoint Encryption, Chris Sherman, 16 Jan 2015 Update; Magic Quadrant for Unified Threat Management, Jeremy D'Hoinne, Rajpreet Kaur, Adam Hils, 20 June 2017; Magic Quadrant for Endpoint Protection Platforms, Ian McShane, Avivah Litan, Eric Ouellet, Prajeet Bhajanka, 24 January 2018
  81. Survey Report on News.Sophos.com
  82. Customer expectations are NOT being met. What Network Admins say are their top 3 complaints with their current firewall… Visibility: 45% of traffic is going unidentified on average. Response: 7 days every month spent responding to and fixing infected systems. Protection: 16 infections per month on average. Source: Survey conducted by Vanson Bourne, November 2017, of 2,700 IT decision makers in organizations from 100-5000 users in 10 countries across 5 continents
  83. So what are these Expectations? What REALLY scares the admin? Visibility: Cloud Apps Visibility; Unknown Apps; Reporting. Protection: Ransomware Defence; Zero-day Exploits; Lateral Movement. Response: Response Time; Co-ordinated Threat Defence. Source: Presenter's own suppositions and musings
  84. The Solution – Synchronized Security. Visibility, key advantages: Synchronized Application Control; CASB Cloud App and Data Visibility; IoT Discovery and Classification (coming soon). Protection, key advantages: Deep Learning in Sophos Sandstorm; Top-rated IPS Engine by NSS Labs; IPS & App Control SmartLists. New Networking, VPN and Management Features: Firewall Rule Management; Policy Test Simulator; Unified Log Viewer; IKEv2 VPN Support and Template; Wildcard FQDN Support; Azure High Availability; DUO Multi-factor Authentication; Airgap Support (coming soon); Chromebook SSO (coming soon); Management of XG Firewall in Sophos Central. Response, key advantages: Security Heartbeat; Lateral Movement Prevention (coming soon)
  85. Visibility: The App Control Problem
  86. On Average… IT Managers cannot account for how 45% of their bandwidth is consumed
  87. Firewall app control is signature based; The app world is constantly evolving; Some apps intentionally change to avoid detection; Some app traffic is too generic (HTTP/HTTPS)
  88. An Elegant Solution: Security Heartbeat™ Synchronized App Control. (1) Unknown Application: XG Firewall sees app traffic that does not match a signature. (2) Endpoint Shares App Info: Sophos Endpoint passes app name, path and even category to XG Firewall for classification. (3) Application is Classified & Controlled: automatically categorize and control where possible, or admin can manually set category or policy to apply. (Diagram: Internet – XG Firewall – Sophos Endpoints)
  90. Visibility: CASB – Cloud App Visibility
  91. CASB = Cloud Access Security Broker. Security Heartbeat™. Provides visibility, control and protection to Cloud Applications & Data in the Cloud
  92. Control Center Widget: Quick view on the dashboard; Block unsanctioned apps; Guarantee service to critical apps via QoS; Report on app usage
  94. Response: Security Heartbeat
  95. Synchronized Security – Automatic Response. Security Heartbeat™ links Endpoints with the firewall to monitor health and immediately share the presence of threats. Instant Identification: Security Heartbeat can instantly share telemetry about the user, systems and process responsible. Automated Response: automatically isolate, or limit network access and encryption keys, for compromised systems until they are cleaned up. (Diagram: Internet – XG Firewall – Endpoints; Sophos Central; Servers)
  96. Lateral Movement Protection. Security Heartbeat™ links Endpoints with the firewall to monitor health and immediately share the presence of threats. Lateral Movement Protection: firewall instantly informs all other endpoints to ignore any traffic from the compromised device. Automated Response: automatically isolate, or limit network access and encryption keys, for compromised systems until they are cleaned up. (Diagram: Internet – XG Firewall – Endpoints; Sophos Central; Servers)
  98. All Avenues Closed. Disable Sophos Security: Red Health sent through HB, system isolates endpoint. Disable Heartbeat: FW detects missing Heartbeat, system isolates endpoint. Leave Sophos Security alone: Sync Security detects everything they do and cuts the communication stream
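The isolation flow described on the Security Heartbeat slides (a red health report, a heartbeat that stops arriving, and every other endpoint being told to drop the compromised device's traffic) modelled as an added Python example; this is not Sophos code, and the endpoint ids, health states, timeout value and event names are assumptions made for the illustration.

```python
"""Model of heartbeat-driven endpoint isolation, as described on the slides:
a red health report or a missing heartbeat isolates the endpoint, and peers
are told to drop its traffic until it is cleaned up. All names and the
timeout are assumptions for this illustration, not the vendor's design."""
from dataclasses import dataclass, field


@dataclass
class EndpointState:
    last_seen: float                 # timestamp of the last heartbeat received
    health: str                      # "green", "yellow" or "red" (assumed states)
    details: dict = field(default_factory=dict)  # user/process telemetry sent with the heartbeat


class Firewall:
    """Keeps one record per endpoint and decides which endpoints are isolated."""

    def __init__(self, heartbeat_timeout: float):
        self.heartbeat_timeout = heartbeat_timeout
        self.endpoints = {}   # endpoint id -> EndpointState
        self.isolated = {}    # endpoint id -> reason for isolation
        self.events = []      # audit trail of decisions, as (time, kind, subject, extra)

    def receive_heartbeat(self, endpoint_id, health, now, **telemetry):
        """Record a heartbeat; a red health report isolates the sender at once."""
        if health not in ("green", "yellow", "red"):
            raise ValueError(f"unknown health state {health!r}")
        self.endpoints[endpoint_id] = EndpointState(now, health, dict(telemetry))
        if health == "red":
            self._isolate(endpoint_id, "red-health", now)

    def tick(self, now):
        """Periodic check: an endpoint silent for longer than the timeout is isolated."""
        for endpoint_id, state in self.endpoints.items():
            if now - state.last_seen > self.heartbeat_timeout:
                self._isolate(endpoint_id, "missing-heartbeat", now)
        return sorted(self.isolated)

    def _isolate(self, endpoint_id, reason, now):
        if endpoint_id in self.isolated:
            return  # already isolated; do not log the decision twice
        self.isolated[endpoint_id] = reason
        self.events.append((now, "isolate", endpoint_id, reason))
        # lateral movement protection: every other endpoint learns to drop its traffic
        for peer in self.endpoints:
            if peer != endpoint_id:
                self.events.append((now, "notify-drop", peer, endpoint_id))

    def mark_cleaned(self, endpoint_id, now):
        """Lift isolation only after clean-up confirmed by a fresh green heartbeat."""
        state = self.endpoints.get(endpoint_id)
        fresh = state is not None and now - state.last_seen <= self.heartbeat_timeout
        if endpoint_id in self.isolated and fresh and state.health == "green":
            del self.isolated[endpoint_id]
            self.events.append((now, "release", endpoint_id, "cleaned"))
            return True
        return False

    def is_isolated(self, endpoint_id):
        return endpoint_id in self.isolated

    def drop_list_for(self, endpoint_id):
        """Endpoint ids that this endpoint should refuse traffic from."""
        return {e for e in self.isolated if e != endpoint_id}


def demo():
    """Constructed scenario: one endpoint reports red, another goes silent."""
    fw = Firewall(heartbeat_timeout=30)
    fw.receive_heartbeat("laptop-1", "green", now=0, user="alice")
    fw.receive_heartbeat("laptop-2", "green", now=0, user="bob")
    fw.receive_heartbeat("server-1", "green", now=0)
    # laptop-2's agent detects a threat and reports red together with the process
    fw.receive_heartbeat("laptop-2", "red", now=10, user="bob", process="dropper.exe")
    # laptop-1's agent was disabled: no further heartbeat, so the timeout expires
    fw.receive_heartbeat("server-1", "green", now=25)
    fw.tick(now=31)
    return fw


if __name__ == "__main__":
    for event in demo().events:
        print(event)
```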
  99. "It only took 2 minutes to find out that everything was under control. Sophos XG Firewall detected the threat and Security Heartbeat allowed the infected host to be immediately identified, isolated and cleaned up. Instead of going into fire drill mode, we were able to relax and finish our lunch." – DJ Anderson, CTO, Iron Cloud. It Just Works!
  100. It's Flexible! Security Heartbeat™ & Synchronized App Control in each deployment mode: Firewall Replacement; Inline; Discover Mode
  101. Questions?
  102. Dr Kami Vaniea, University of Edinburgh @draliv #scotsecure
  103. The Human Factors. Dr Kami Vaniea @kaniea kvaniea@inf.ed.ac.uk University of Edinburgh
  105. How do I get the scissors out?
  106. "Easy" to dismiss by hitting X … Except that hitting X means "I accept"
  107. If you want to find usability problems, look for signs.
  108. First reaction: Pull. Sign says: Push
  109. Context matters
  110. Why do we involve users in decisions?
  111. Because they have contextual knowledge the computer doesn't have.
  112. Good security decisions involve balancing many contextual factors with risks.
  114. My Point: Good security decisions are contextual and require balancing risks with benefits.
  115. Encryption; Usability; Trust; User focus; Habituation; Effectiveness (image: Flickr, SalFalko)
  116. Unexpected security threats
  117. Three reasons people don't use security or privacy technologies: 1. They do not care about security and privacy; 2. They do not know about security or privacy issues; 3. They cannot use security and privacy technologies
  118. Perceptions of online threats (Kaspersky)
  119. Folk Models of Hackers: Digital graffiti artists; Burglars who break into computers for criminal purposes; Criminals who target big fish; Contractors who support criminals. Wash, Rick. "Folk models of home computer security." Proceedings of the Sixth Symposium on Usable Privacy and Security. ACM, 2010.
  122. Which of these URLs goes to Facebook? https://profile.facebook.com ✓; https://facebook.profile.com ✘ (April 1, 2019)
  123. profile.facebook.com vs facebook.profile.com (April 1, 2019)
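As an added illustration of the question on the "Which of these URLs goes to Facebook?" slide (not part of the original talk): the owner of a host name is decided by its right-most labels, not by any familiar word further left. The public-suffix table is a small constructed subset of the real list, and every URL other than the two from the slide is a constructed look-alike.

```python
"""Which registrable domain does a URL actually go to?
Illustrates the profile.facebook.com vs facebook.profile.com point from the
slide. PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List."""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List: labels under which anyone can register a name.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk", "ac.uk", "scot"}


def hostname_of(url: str) -> str:
    """Return the lower-cased host the browser would connect to, or '' if there is none."""
    if "://" not in url:
        url = "https://" + url            # bare host names, as printed on the slide
    host = urlsplit(url).hostname or ""   # discards scheme, userinfo, port, path
    return host.lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """The part of the host that was registered with a registrar, e.g. 'facebook.com'.
    Returns '' when the host is itself a public suffix or the suffix is unknown."""
    labels = hostname_of(url).split(".")
    # Walk from the left so the longest matching public suffix wins (co.uk before uk).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ""                 # nobody owns a bare public suffix
            return ".".join(labels[i - 1:])
    return ""


def goes_to(url: str, expected_domain: str) -> bool:
    """True only if the URL's registrable domain is exactly the expected one."""
    return registrable_domain(url) == expected_domain.lower()


# Constructed look-alikes; the first two are the URLs shown on the slide.
LOOKALIKES = [
    "https://profile.facebook.com",
    "https://facebook.profile.com",
    "https://facebook.com@profile.com/login",   # 'facebook.com' here is userinfo, not the host
    "https://facebook.com.profile.com/login",   # familiar name buried as a sub-label
    "https://www.facebook.com:443/",            # port and path do not change the owner
]


def check_all(urls=LOOKALIKES, expected="facebook.com"):
    """Map each URL to whether it really goes to the expected registrable domain."""
    return {u: goes_to(u, expected) for u in urls}


if __name__ == "__main__":
    for url, ok in check_all().items():
        print("OK " if ok else "NO ", url, "->", registrable_domain(url) or "(unknown)")
```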
  125. Mix of approaches. Security champions: find and encourage people who are already in teams and already believe in security. Actionable guidance for users: provide guidance that users are able to follow; consider lost work, not just security; think through what following guidance requires. Express trust in employees: rules are there so you think before breaking them. Embedded training: put the "training" in the environment; VERY challenging because it requires the tech people to do this right ☺
  126. Questions? Dr Kami Vaniea @kaniea kvaniea@inf.ed.ac.uk University of Edinburgh
  127. Bridget Kenyon, Thales e-Security @bridgetkenyon #scotsecure
  128. It's Alive!! Realising an Effective Information Security Risk Framework. Bridget Kenyon, Global CISO, Thales eSecurity
  129. Anatomy: A. Setting your risk objectives, strategy and vision; B. Designing a framework that delivers for your environment; C. Planning, implementation and testing; D. Key challenges and obstacles; E. Evaluating progress
  130. "Nothing is so painful to the human mind as a great and sudden change." – Mary Shelley, Frankenstein
  131. A. Risk objectives, strategy and vision: Who are your stakeholders? What do they value? How and when is their performance measured? Why?; Pin down context: business objectives and strategy; Derive security objectives (SMART); Write strategy to deliver these objectives; Use objectives and strategy to define vision
  132. Sample objectives: Comply with legal, contractual and regulatory obligations; Maintain/improve reputation with stakeholders; Balance risk against opportunity; Operate ethically
  133. Sample strategy statements: Treat information/cyber risk as part of our business risk; Use security as a competitive differentiator; Build on what we already have; Design in security from the beginning; Prioritise investment according to risk, requirements and potential rewards
  134. Sample vision statements: We show respect for customers and staff by protecting their information; Cyber security is an enabler for our business; We are resilient in a challenging online world; We care about, respect and protect information
  135. B. Designing a framework / B. Identifying a framework
  136. C. Plan, implement, test: Use project and change management methodologies; Keep it lightweight: adapt existing processes, make security part of BAU; Budget for ongoing management of security; Measure business outcomes
  137. D. Challenges and obstacles (issue: suggestion). Decision making shortcuts, behavioural economics, System 1 thinking ("IT should do this", "It hasn't happened to us yet"): do not demonise; nudge techniques. Supply chains: transparency; join up the links. Personal vs organisational risk appetite: focus on business priorities; use a structured risk assessment approach. Re-scoping of projects: monitor outcomes and reinforce expectations
  138. E. Evaluating progress. Top level metrics should: Map to business requirements; Be amenable to "drill down" questions; Use case studies and anecdotes; Be actionable
  139. Sample metrics: Gap analysis vs key requirements (project, burn-down); Percentage of business processes with information risk management integrated (project, burn-down); Value At Risk (BAU, against target); Running costs vs costs avoided (BAU, comparison); Revenue derived from security improvements
  140. Benchmarking: Find comparable organisations; Look at longitudinal (historical) data as well as right now; What worked for the other organisation, and why?; What did NOT work, and why?; Beware of pet topics
  141. Conclusion: Focus on the business and its direction; Build on what you already have; Identify the best existing framework for your current situation; Take account of behavioural drivers; Learn from others
  142. Thank you for your time! Any questions?
  143. Prof Bill Buchanan, Napier Uni @billatnapier #scotsecure
  144. Panel Discussion: Dr Kami Vaniea – Uni of Edinburgh; Prof Bill Buchanan – Napier; Bridget Kenyon – Thales e-Security; Steve Johnson – Orion Health #scotsecure
  145. Drinks & Networking #scotsecure
  146. 146. TAKETHEREDPILL STEVE JOHNSON | MARCH 2019
  147. 147. What’s all the fuss about?
  148. 148. Primary Care & Out of Hours Social Care & Council Hospice & Third Sector PharmacyAmbulanceHospital Community & Mental Health Citizen & Carer Access Role-based Access Single Citizen Record Contributing to the Record Managing Care Contributing to the Record Engaging in Care
  149. 149. ACLOSERLOOK…
  150. 150. Collect Detect Predict Control Smart systems | The evolutionary path
  151. 151. Device software Device hardware
  152. 152. Device software Device hardware Device software Device hardware
  153. 153. Device software Device hardware Device software Device hardware Smart product applications Rules / analytics engine Application platform Service database (data lake)
  154. 154. Device software Device hardware Device software Device hardware Externaldataservices Macrosystemintegration Smart product applications Rules / analytics engine Application platform Service database (data lake)
  155. 155. Device software Device hardware Device software Device hardware Administration& security Externaldataservices Macrosystemintegration Smart product applications Rules / analytics engine Application platform Service database (data lake)
  156. 156. Device software Device hardware Device software Device hardware Administration& security Externaldataservices Macrosystemintegration Smart product applications Rules / analytics engine Application platform Service database (data lake)
  157. 157. Now it’s your turn…
  158. 158. Device software Device hardware Device software Device hardware Administration& security Externaldataservices Macrosystemintegration Smart product applications Rules / analytics engine Application platform Service database (data lake)
  159. 159. Device software Device hardware Device software Device hardware Administration& security Externaldataservices Macrosystemintegration Smart product applications Rules / analytics engine Application platform Service database (data lake)
  160. 160. Device software Device hardware Device software Device hardware Administration& security Externaldataservices Macrosystemintegration Smart product applications Rules / analytics engine Application platform Service database (data lake)
  161. 161. Device software Device hardware Device software Device hardware Administration& security Externaldataservices Macrosystemintegration Smart product applications Rules / analytics engine Application platform Service database (data lake)
  162. 162. Data Hygiene
  163. 163. Abraham Wald 1902 - 1950
  164. 164. The take-away…
  165. 165. My mind is like my internet browser: I have 19 tabs open, 3 are frozen, and I’ve no idea where the music is coming from…
  166. 166. Page 195 • 2018 © Orion Health™ group of companies
  167. 167. Page 196 • 2018 © Orion Health™ group of companies Blue Team Operations: Hunting for the 1% Ian McGowan Managing Consultant
  168. 168. Page 197 • 2018 © Orion Health™ group of companies CHALLENGES BLUE TEAM OPERATIONS THREAT ACTORS CYBER THREAT INTELLIGENCE ACTIONABLE INTELLIGENCE
  169. 169. Page 198 • 2018 © Orion Health™ group of companies
  170. 170. Page 199 • 2018 © Orion Health™ group of companies Modern threats take their time and leverage the holistic attack surface The Cyber Attack Lifecycle Environmental Awareness Reconnaissance & Probing Delivery & Attack Exploitation & Installation System Compromise
  171. 171. Page 200 • 2018 © Orion Health™ group of companies Challenging Attack Surface • Digital Transformation • Complex Systems • ‘Protect’ Focused Budgets • False Positives
  172. 172. Page 201 • 2018 © Orion Health™ group of companies
  173. 173. Page 202 • 2018 © Orion Health™ group of companies Blue Team Operations
  174. 174. Page 203 • 2018 © Orion Health™ group of companies Detection & Response Times High Vulnerability Low Vulnerability Months Days Hours Minutes Weeks MTTD&MTTR Exposed to Threats Resilient to Threats
  175. 175. Page 204 • 2018 © Orion Health™ group of companies Defensive Monitoring
  176. 176. Page 205 • 2018 © Orion Health™ group of companies Detection to Response TIME TO DETECT TIME TO RESPOND Logging RespondTriageAnalysis RecoverDefend Point Solutions Central Database Log & Event Correlation Threat Hunting Assess Threat Determine Priority Threat Analysis Chain of Evidence Orchestration and Automation Contain and Eradicate Lessons Learned Reporting
  177. 177. Page 206 • 2018 © Orion Health™ group of companies
  178. 178. Page 207 • 2018 © Orion Health™ group of companies
  179. 179. Page 208 • 2018 © Orion Health™ group of companies
  180. 180. Page 209 • 2018 © Orion Health™ group of companies Threat Hunting • Methodology • Technology • Skilled People • Threat Intelligence
  181. 181. Page 210 • 2018 © Orion Health™ group of companies Incident Response
  182. 182. Page 211 • 2018 © Orion Health™ group of companies
  183. 183. Page 212 • 2018 © Orion Health™ group of companies VPNFilter Malware • Advanced Modular Malware • Code Reuse from APT28 • ~500K SOHO Devices • 54 countries • Destructive Capability
  184. 184. Page 214 • 2018 © Orion Health™ group of companies Threat Intelligence
  185. 185. Page 215 • 2018 © Orion Health™ group of companies Intelligence Lifecycle COLLECTION ANALYSIS PROCESSING DISSEMINATION
  186. 186. Page 216 • 2018 © Orion Health™ group of companies Intelligence Lifecycle Ouput COLLECTION Feeds, Incidents, Notifications ANALYSIS Intel Quality, Validity, Life PROCESSING Intel packages, indicators, TTPs DISSEMINATION Endpoints, NetFlow, NGFW
187. Threat intelligence capability (figures as shown on the slide): 300+ full-time threat intel researchers • millions of telemetry agents • 4 global data centres • 1100+ threat traps • 100+ threat intelligence partners • 20 billion threats blocked. Threat intel sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, internet-wide scanning. Intel sharing: customer data sharing programs, provider coordination program, open source intel sharing, 3rd-party programs (MAPP), industry sharing partnerships (ISACs), 500+ participants. Daily intelligence flow: 3.4 billion AMP queries, 130 billion DNS requests, 16 billion daily web requests (CWS/WSA)
188. Threat Intelligence Dissemination: actionable intelligence delivered to network, endpoint and cloud controls • Next-Gen IPS • NetFlow • IOC Sharing • EPP • EDR • Email Security • Web Security • Cloud Access Brokering • Cloud Workload Protection • Intrusion Detection • Firewalls
189. Actionable Intelligence
190. Pre-Positioning Defences. Augmenting your strategy, tactics and operations with a high-fidelity threat intelligence feed will improve your intrusion detection by preparing you for the most likely attack scenarios.
191. Attack Surface
192. Cyber Kill Chain by Lockheed Martin
193. MITRE ATT&CK Framework • Adversary TTPs • Threat Modelling • Identify Gaps • Prioritise Risk Mitigation • Adversary Emulation
195. Addressing the Overlap (diagram): Attack Surface ∩ Threat Intelligence
196. Blue Team Operations • Silver Bullets • Strong Fundamentals • Kill Chain & ATT&CK • Threat Model • Actionable Intelligence
197. Thank you!
198. Fight the Good Fight Against the Bad Bots. Scot-Secure, 27 March 2019. Presented by: David Warburton, Senior Threat Research Evangelist, F5 Networks
199. Attack Automation Is the Single Biggest Threat. $2.3 billion in account takeover losses (2016). Traffic breakdown: 48.2% humans, 28.9% bad bots, 22.9% good bots. Good bots: 1.2% monitoring bots, 2.9% commercial crawlers, 6.6% search engine bots, 12.2% feed fetchers. Bad bots: 24.3% impersonators, 1.7% scrapers, 0.3% spammers, 2.6% hacker tools. 229 | © F5 NETWORKS
200. Humans vs Good Bots vs Bad Bots, % of traffic by industry (bad bots / good bots / humans). Source: GlobalDots Bad Bot Report 2018.
Ecommerce and Travel (incl. Airlines) (two rows; which row is which cannot be recovered from the extracted slide): 21.45% / 16.49% / 62.05% and 19.24% / 2.51% / 78.25%
Tickets: 22.97% / 7.82% / 69.21%
Healthcare: 24.37% / 57.58% / 18.04%
Financial: 24.66% / 4.35% / 70.99%
Airlines: 43.90% / 0.93% / 55.18%
Gambling: 53.08% / 0.09% / 46.80%
Travel (no Airlines): 4.50% / 3.46% / 92.04%
Real Estate: 12.44% / 37.21% / 50.35%
Insurance: 12.88% / 18.65% / 68.47%
Adult Entertainment: 17.57% / 0.47% / 81.95%
201. Ratio of Bad Bots to Good Bots by Site Size (bad bots / good bots): Large sites 38.1% / 61.9% • Medium sites 44.4% / 55.6% • Small sites 65.3% / 34.7% • Tiny sites 56.1% / 38.9%. Source: GlobalDots Bad Bot Report 2018
202. Bot Attack Tools • Headless Chrome • Sentry MBA
203. Thingbots: Multi-purpose Attack Bots (timeline chart, 2008–2018; the per-year assignment is not recoverable from the extracted text). Bot groups as shown: Hydra • Psyb0t • Aidra • Darlloz, Marcher • Moon • Gafgyt family • Remaiten • Mirai, BigBrother, Rediation • Hajime, Trickbot, IRC Telnet, Annie • Brickerbot • Crash Override • Satori family, Amnesia, Persirai • WireX, Reaper • Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor • SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter. Shifting from primarily DDoS to multi-purpose. Thingbot attack types: crypto-miner, DDoS, PDoS, proxy servers, rent-a-bot, credential collector, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer, DNS hijack, unknown
204. Top 50 Attacked Credentials, Q3 2017 and Q4 2017 (username / password), observed in active attacks. Defaults not changed; username = password for 87% of credentials. Source: The Hunt for IoT: The Growth and Evolution of Thingbots Ensures Chaos, F5 Labs, March 2018. Credential pairs as extracted from the slide (the two quarterly columns are interleaved): support support 10101 10101 root root tomcat tomcat root root dbadmin admin support support PlcmSpIp PlcmSpIp admin admin123 butter xuelp123 admin admin123 sshd sshd ubnt ubnt ftpuser asteriskftp ubnt ubnt monitor monitor usuario usuario PlcmSpIp PlcmSpIp service service butter xuelp123 service service tomcat tomcat usuario usuario mysql mysql pi raspberry hadoop hadoop pi raspberry hadoop hadoop user user mysql mysql user user user1 user1 guest guest vagrant vagrant test test cisco cisco test test jenkins jenkins guest guest vagrant vagrant mother f***** www www mother f***** 101 101 supervisor supervisor a a oracle oracle ts3 ts3 git git apache apache operator operator FILTER**** FILTER**** 0 0 minecraft minecraft supervisor supervisor apache apache ftp ftp testuser testuser ftp ftp telnet telnet operator operator ts3 ts3 git git jenkins jenkins oracle oracle backup backup ubuntu ubuntu Management TestingR2 osmc osmc vnc vnc nagios nagios www www ubuntu ubuntu deploy deploy postgres postgres zabbix zabbix default 1 odoo odoo uucp uucp backup backup monitor monitor user1 user1 Admin admin anonymous any@ postgres nagios postgres nagios alex zabbix alex zabbix ftpuser Root asteriskftp a osmc a osmc 1111 1111 10101 10101 1234 <Any Pass> tomcat tomcat api api dbadmin admin PlcmSpIp PlcmSpIp
205. Attacks Targeting Europe (last 90 days), by protocol (port): SIP (5060) • SMB (445) • ICS (2222) • HTTPS (443) • RDP (3389) • SQL (1433) • SSH (22) • HTTP (80) • MySQL (3306) • Telnet (23) • SIP-TLS (5061) • Port 54184 • Remote Framebuffer (5900) • Port 8291 • DSL Forum CWMP (7547) • Port 5902 • HTTP Alternate (8080) • Simple Mail Transfer (25) • NETBIOS (139) • Port 8545
206. Shifting Sources (chart, axis 80%–100%): previously unseen IP addresses • previously unseen networks (ASN)
207. What Do Malicious Bots Do? • Attack web and mobile apps • Launch denial of service • Scan for vulnerabilities (reconnaissance) • Infect users with malware • Account takeover and fraud • Web scraping and theft. 77% of web app attacks start from botnets
208. How Do Bots Attack the App Layer? Account Takeover: credential stuffing, credential cracking, account aggregation, account creation • Payment Card Data: carding, card cracking, cashing out • Vulnerability Scanning: vulnerability scanning, footprinting, fingerprinting • DoS / Resource Hoarding: scalping, denial of inventory, denial of service (DoS), sniping, expediting • Content Theft: content scraping • Other Attacks: ad fraud, CAPTCHA defeat, skewing, spamming, token cracking
209. Credential Stuffing (breach sizes shown on the slide: 70 million, 427 million, 150 million, 3 billion, 117 million). In the last 8 years more than 7.1 billion identities have been exposed in data breaches [1]. 3 out of 4: “Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more.” [2] Sources: 1) Symantec Internet Security Threat Report, April 2017; 2) Password Statistics: The Bad, the Worse and the Ugly, Entrepreneur Europe
210. Account Takeover – Credential Stuffing (diagram): credentials from previous breaches replayed against accounts holding credit card data, intellectual property, healthcare data, passport data and financial data
211. Vulnerability Scanning. Attackers must automate to find weaknesses for manual probing. Bots allow attackers to scale their operations. Many reconnaissance tools available: • Shodan, publicwww.com, BuiltWith.com, etc. • Network mappers (Nmap) • WGET, SQLMap, etc. • Headless browsers (Phantom.js, Selenium)
212. Shortcomings of Today’s Approach. Code-level security: difficulty differentiating between humans and modern bots; lags behind the rapid pace of bot evolution • IP blocking: sheer volume of IPs difficult to track and block; ineffective at blocking Tor-based bots • Traditional WAF: designed to protect against the OWASP Top 10; relies solely on CAPTCHA for bot protection
213. What Is Required for Accurate Bot Detection? • Bot signatures + DNS checks • JS challenge + browser fingerprinting • Browser capabilities • Human detection • Optional CAPTCHA • Anomalies. The server should not receive the bot traffic
214. Behavioural Analysis and Fingerprinting • Detect GET flood attacks against heavy URIs • Identify non-human surfing patterns • Fingerprint to identify beyond IP address: operating system, geolocation, browser (screen size and colour depth, plugin details, time zone, HTTP_ACCEPT headers, language, system fonts, touch support, extensions)
215. JavaScript Based Bot Detection – Legitimate Browser Verification (diagram: customer, Internet, WAF, server). First-time request to the web server: the WAF responds with injected JS and the request is not passed to the server. The WAF verifies the authenticity of the response; the cookie is signed, time-stamped and fingerprinted; a valid response is sent on to the server. No challenge response from bots: bots are dropped
216. Bot Management Solution – Deployment Models (diagram): Appliances • Virtual Edition • Managed Services • Cloud Edition • Managed Rules. Advanced WAF: behaviour analytics + bot protection + app-level encryption + anti-bot mobile SDK. Traffic sources shown: mobile users, desktop users, attackers, bots
217. Reduce Cloud Costs (diagram): WAF filtering stages in front of the application • Network Floods • Malformed Requests • Scanners and Bots • Known Bad Hosts • Workflow Enforcement
218. AI and Future Bots
219. Key Takeaways • Classify and control increasingly automated traffic • Eliminating 30–40% of web traffic has a big impact • Bot detection requires less per-application tuning
220. Read more about these and other threats. Stay up to date: sign up for F5 Labs at https://interact.f5.com/AppProtectLibrary and F5labs.com