4 cyber security KPIs
TRANSCRIPT
by: Steven Aiello
ver: 2.0.1
Security KPIs
Steven Aiello
Introduction.
Security & Compliance Solutions Principal
SANS GCIH License 29615 – Mentor Status
SANS GSEC License 353652 – Mentor Status
OSCP – (In Progress)
CISSP
CISA
VCAP - DCA
VCAP - DCD
VCP
This is where I’ve been. It’s been a long road…
Compliance, I.R., A.D., Web Development, Network, Logging, Systems Admin., Endpoint
“Performance is the best way to shut people up.” - Marcus Lemonis
The Data: What does the data say about our efforts in cyber security?
[slide graphic, four panels: the results, the change, the money, the activity]
“In 2020, these organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research released Wednesday by the International Data Corporation. This equates to a 38% increase from the $73.7 billion that IDC projects organizations will spend on cybersecurity in 2016.”
fortune.com, Oct 12th 2016
“Employee notifications were the most common internal discovery method for the second straight year and there was also an uptick in identification through internal financial audits, associated with business email compromise (BEC). Third-party disclosure is up due to an increase in numbers of breaches disclosed by the affected customer or an external threat actor bragging or extorting their victims.”
Verizon DBIR 2017
Pull quote: “disclosed by the affected customer or an external threat actor bragging or extorting their victims.”
Broken down by industry: how likely you are to be breached if you’ve had an event
Accommodation 93%
Healthcare 65%
Finance 47%
Manufacturing 20%
Information 16%
Professional 4%
Public 1%
Attack vectors of confirmed breaches (top attack vectors of known breaches):
Email & Email Attachments 43%
Backdoor or C2 (Hacking) 24%
Web Application 19%
Direct Install 6%
LAN Access 4%
Partner Facility 4%
The top six threat action varieties
“Top six actions by threat actors that follow the well-traveled path of phishing users to install C2 and keylogging software in order to capture credentials that are used to authenticate into, and exfiltrate data out of, organizations.”
Verizon DBIR 2017
To recap what’s happening
81% of breaches leveraged weak or stolen passwords; this includes password hashes…
66% of malware was installed via malicious email attachments
24% of breaches involved backdoors or “hacking”
Top 6 actions threat actors use involve valid passwords to move laterally through the network
Top 6 actions threat actors use involve valid passwords to access data and exfiltrate it [within days] …
Four security KPIs
Data monitored for anomalous access
What data is important to the business? What are “normal” data access patterns by user account? How does the organization monitor for changes in data access patterns?
Minimization and monitoring of lateral movement
What percentage of systems have unilateral access to other hosts? What policies and technologies can organizations put in place to gain visibility?
Confidence in system control
What are our patch times for operating systems, COTS applications, internally developed applications? How do we reduce patching cycles? For systems that cannot be patched, leverage application whitelisting.
Confidence in account validity
What level of confidence does the organization have that user accounts authenticating to systems are being properly used?
KPI number one: Confidence in account validity
Account validity is possibly the most difficult KPI to score well in. No, your two factor authentication will not protect you…
Four security KPIs
Reference: Protection from Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory, CERT-EU Security 2014-07
KPI one: confidence in account validity
01 SMB is the problem: protection from PTH attacks
• psexec bypasses 2FA
02 Kerberos is the problem: creating the Golden Ticket
• KRBTGT password hash
• Domain admin. username
• Domain name
• Domain SID
03 2FA == local logon only
Two-factor authentication only protects user logon attempts from the Windows console or RDP
KPI one: confidence in account validity
01 If not possible… For mobile users:
\Security Settings
\Local Policies
\Security Options
Interactive Logon: Number of previous logons to cache (in case domain controller is not available)
02 Kerberos is still the problem: protection from the Golden Ticket
• KRBTGT password hash
• Domain admin. username
• Domain name
• Domain SID
If a golden ticket is created the only way to invalidate the ticket is to reset the KRBTGT two times
03 Disable cached creds
Within Active Directory Group Policy:
\Computer Configuration
\Windows Settings
\Security Settings
\Local Policies
\Security Options
Do not allow storage of passwords and credentials for network authentication
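A way to measure KPI one across a fleet is to read the two settings above back from each host and score them. The example below is added here and is not from the deck: it parses a constructed `reg export` dump and flags a host whose cached-logon count exceeds an assumed limit of 1 for mobile users (the slide names the setting but no number), or whose network-credential storage is still allowed. The registry values `Winlogon\CachedLogonsCount` and `Lsa\DisableDomainCreds` are the settings behind those two Group Policy items.

```python
# Constructed sample of a `reg export` dump (not from the deck). The two values are the
# registry settings behind the slide's Group Policy items:
#   Interactive logon: Number of previous logons to cache -> Winlogon\CachedLogonsCount (REG_SZ)
#   Do not allow storage of passwords and credentials for
#   network authentication                                -> Lsa\DisableDomainCreds (REG_DWORD)
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableDomainCreds"=dword:00000000
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from .reg-style text."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, raw = line.split("=", 1)
            result[current][name.strip('"')] = raw
    return result


def reg_int(raw):
    """Decode a quoted REG_SZ number ("10") or a REG_DWORD (dword:0000000a) to int."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return int(raw.strip('"'))


def cached_credential_findings(reg_text, mobile_cache_limit=1):
    """Score one host against KPI one. The limit of 1 cached logon for mobile
    users is an assumed value; the slide names the setting but not a number."""
    reg = parse_reg_export(reg_text)
    findings = []
    # Windows caches 10 logons by default when the value is absent.
    cached = reg_int(reg.get(WINLOGON, {}).get("CachedLogonsCount", '"10"'))
    if cached > mobile_cache_limit:
        findings.append(f"CachedLogonsCount={cached} exceeds the limit of {mobile_cache_limit}")
    if reg_int(reg.get(LSA, {}).get("DisableDomainCreds", "dword:00000000")) != 1:
        findings.append("DisableDomainCreds is 0: network credentials may still be stored")
    return findings
```

The share of hosts returning an empty findings list is the KPI figure to track over time.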
Confidence in system control
1 Document patch cycles
Not all systems can be patched, however, you should understand what those limitations are and seek to improve on them
2 Whitelist what you can’t rapidly patch
If systems are so sensitive they cannot be patched, by that merit they should not change. Application whitelisting should be used on systems that change infrequently
3 Isolate what you can’t patch or whitelist
Four security KPIs
[timeline graphic: 2017, 2018, 2019, 2020]
Are you patching your applications as fast as you patch your OS?
3/5 If your application vendors won’t let you patch, whitelist. Use it where needed – don’t overextend.
Understanding your current state and making progress towards your goal is key
“You can't manage what you can't measure.” Peter Drucker.
Can you patch 90% in 30 days?
90% Whitelist fixed use systems
Measure your progress
KPI two: confidence in system control
KPI two: confidence in system control
Apache Struts 2 is the perfect example…
Patch: step 1
Rebuild web applications: step 2
Potentially change code that calls Struts: step 3
Before someone with Metasploit attacks… https://github.com/rapid7/metasploit-framework/pull/8924
https://arstechnica.com/information-technology/2017/09/exploit-goes-public-for-severe-bug-affecting-high-impact-sites/
Sometimes isolation is your only option…
Four security KPIs
Minimize lateral movement [and monitor]
Minimizing lateral movement includes defining normal traffic patterns in the user LAN segment, and monitoring for policy violations.
KPI three: minimize and monitor lateral movement
If you implement the recommendations from KPI 1, the amount of credentials available will be greatly limited. The user will have to move across the network; this is your opportunity to discover their actions. Understanding valid network traffic is critical.
Users WILL open office documents, it’s part of their job. Security needs to protect users while they are doing their job.
[diagram: First: Attacking the User; Second: Harvesting Credentials; Third: Lateral Movement (figures shown: 81%, 66%, 100%)]
KPI three: minimize and monitor lateral movement
TCP/UDP port scans. Policy: don’t allow it on user LANs
PING scans. Policy: don’t allow it on user LANs
No SMB shares. All file sharing should go back to the datacenter
John Doe. Users should know company policy…
Attacks WILL come from the user LAN
The brunt of attacks will be focused on your users; this ends up being a “good thing” because it makes lateral movement easier to detect…
KPI three: minimize and monitor lateral movement
Visibility is key
Netflow monitoring: There are open source and commercially available packages for netflow monitoring; select one and master it.
Investment required: LAN & data center micro-segmentation. If you’re operating at a larger scale, you may require an investment in software to help you manage micro-segmentation
Our starting point: pVLANs & ACLs. pVLANs with port ACLs require zero capital investment as long as your switches are sized properly
Every company I’ve worked for has used pVLANs. I was shocked when I realized most companies were NOT using pVLANs in their user LANs.
[timeline graphic: ADP, 2003, SaaS Provider; OnlineTech, 2012, IaaS Provider]
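The three user-LAN policies (no port scans, no ping scans, file sharing only back to the datacenter) are exactly what netflow monitoring can check mechanically. The example below is added here and is not from the deck: it runs those policies over constructed flow records from an assumed user segment 10.20.0.0/16 and data center 10.100.0.0/16, with assumed scan thresholds, and returns the violations a SOC would review.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed segments (not from the deck).
USER_LAN = ip_network("10.20.0.0/16")
DATACENTER = ip_network("10.100.0.0/16")

# Constructed flow records as a netflow exporter would summarise them:
# (src, dst, proto, dst_port). Not real traffic.
FLOWS = [
    ("10.20.1.15", "10.100.5.10", "tcp", 445),  # file share in the data center: allowed
    ("10.20.1.15", "10.20.1.77", "tcp", 445),   # SMB between two user PCs: violation
    *[("10.20.1.42", "10.20.1.77", "tcp", p) for p in range(20, 45)],    # 25 ports on one host
    *[("10.20.1.42", f"10.20.2.{i}", "icmp", 0) for i in range(1, 40)],  # 39 hosts pinged
]


def lateral_movement_findings(flows, user_lan=USER_LAN, datacenter=DATACENTER,
                              scan_ports=20, scan_hosts=30):
    """Apply the slide's three user-LAN policies to flow records and return
    (policy, source, detail) tuples. Thresholds are assumed, not from the deck."""
    ports_per_pair = defaultdict(set)  # (src, dst) -> distinct TCP/UDP ports touched
    icmp_targets = defaultdict(set)    # src -> distinct hosts pinged
    findings = []
    for src, dst, proto, dport in flows:
        if ip_address(src) not in user_lan:
            continue  # only policing traffic that originates in the user segment
        if proto == "tcp" and dport == 445 and ip_address(dst) not in datacenter:
            findings.append(("smb_outside_datacenter", src, dst))
        if proto in ("tcp", "udp"):
            ports_per_pair[(src, dst)].add(dport)
        elif proto == "icmp":
            icmp_targets[src].add(dst)
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            findings.append(("port_scan", src, dst))
    for src, targets in icmp_targets.items():
        if len(targets) >= scan_hosts:
            findings.append(("ping_scan", src, f"{len(targets)} hosts"))
    return findings
```

Counting violations per week, and the number of user-LAN hosts that can reach each other at all, gives the KPI-three trend line.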
Four security KPIs
Data monitored for anomalous access
“Data is the new gold” Mark Cuban
KPI four: data monitored for anomalous access
most data is pyrite [fool’s gold]
some... data is gold
90% [most] of your data is probably fool’s gold
Good security doesn’t protect bad data…
Understanding what data you have, where it lives, and who can access it will be critical to successful GDPR compliance
Focus is what you say no to, let the 90% go…
10%: 90% of focus should be applied here!
The effort: To do this well you will most likely need a commercial product [unfortunately]…
KPI four: data monitored for anomalous access
Choices
Data center options: Some options are focused in the datacenter and are loaded on your SMB, NFS shares. They have access analysis capabilities but let endpoint options
Endpoint options: Endpoint options generally are provided from backup vendors. They don’t have analysis capabilities, but can identify and encrypt sensitive data at rest on endpoints
There are some primitive tools within Microsoft’s ecosystem, but no analysis of access patterns. Only access auditing, but it’s better than nothing
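The slide says Microsoft’s built-in tooling gives access auditing but no analysis of access patterns. The example below, added here and not from the deck, shows the minimum analysis KPI four asks for on top of such an audit trail: build each account’s “normal” per-share access from a week of constructed events, then flag a share the account has never used and a day whose volume is far above its mean. Share names, accounts and counts are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed file-share audit events (not from the deck): (day, account, share, files_read).
# The Finance share stands in for the 10% of data the slide says deserves the focus.
BASELINE = (
    [(d, "jdoe", "\\\\fs01\\Engineering", n) for d, n in enumerate([40, 55, 48, 60, 52, 45, 58], 1)]
    + [(d, "asmith", "\\\\fs01\\Finance", n) for d, n in enumerate([20, 25, 22, 18, 24, 21, 23], 1)]
)
TODAY = [
    (8, "jdoe", "\\\\fs01\\Engineering", 50),  # within jdoe's normal band
    (8, "jdoe", "\\\\fs01\\Finance", 3),       # a share this account has never touched
    (8, "asmith", "\\\\fs01\\Finance", 900),   # roughly 40x the usual daily volume
]


def build_profiles(events):
    """Per account, per share: the history of daily read counts ("normal" access)."""
    profiles = defaultdict(lambda: defaultdict(list))
    for _day, account, share, count in events:
        profiles[account][share].append(count)
    return profiles


def anomalous_access(profiles, events, sigma=3.0):
    """Flag access to a share the account has no history on, or a day whose volume
    sits more than `sigma` standard deviations above that account's mean."""
    findings = []
    for _day, account, share, count in events:
        history = profiles.get(account, {}).get(share)
        if not history:
            findings.append(("new_share", account, share))
            continue
        mu, sd = mean(history), pstdev(history)
        # Floor the deviation at 1 so a perfectly flat history still has a band.
        if count > mu + sigma * max(sd, 1.0):
            findings.append(("volume_spike", account, share))
    return findings
```

Restricting the events fed in to the 10% of shares that hold gold keeps the review queue to what matters.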
Four security KPIs
01 Confidence in account validity
02 Confidence in system control
03 Minimize and monitor lateral movement
04 Data monitored for anomalous access
https://www.ted.com/talks/bruce_schneier
Contact me: linkedin.com/in/stevenaiello/
overworkedadmin.com
twitter.com/smaiello