cyber security overview - · pdf filecyber security overview ... cyber security fusion center...
TRANSCRIPT
Cyber Security Overview
Charles Blauner
Managing Director – Global Head of Information
Security
+1 908 563-3589
Treasury and Trade Solutions
Overview: 2014 Significant Attacks
2
Overview: The Cyber Threat Landscape—Actors and Methods
Motivation: make money
Methods: spear-phishing and other
techniques; mature underground
economy supporting
criminal activity
Threat Actors
Motivation: theft of trade or craft
secrets or support of military
capabilities and
nationalized industries
Methods: advanced operations to
establish a foothold into
infrastructure
Motivation: instill fear to have
targets comply with demands
or ideology
Methods: using Cyber to “enable”
their programs (recruit, incite, train,
plan and finance)
Motivation: seek publicity for their
geopolitical agenda
Methods: disruption (i.e.,
Distributed Denial of Service)
and defacement
Motivation: emotional or
sometimes financial needs
Methods: uses insider knowledge
to steal data, conduct fraud, etc.
Nation-State Actors Organized Criminals Cyber Terrorists Hacktivists Insiders
Methods
3
It’s All About Speed
The Bad Actors move at the speed of light, while the victims learn of it well after the attack
43%
29%
4%
11%
7% 7%
0%
8%
38%
14%
25%
8% 8%
0% 0% 0% 0%
27% 24%
39%
9%
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
50%
Seconds Minutes Hours Days Weeks Months Years
Initial Attack to Initial Compromise Initial Compromise to Data Exfiltration Initial Compromise to Discovery
Conclusions
The efficacy of attacks is high and, once a network is infiltrated, adversaries are difficult to
detect and are often able to operate undetected for long periods of time
– Aggravating the issue of slow speed of detection, is the fact that in the majority of
cases, the victim discovers the breach by being notified by third-party
A key objective remains prevention but we can NOT assume we will be successful 100%
of the time and need to enhance our ability to detect and respond to the adversary at each
stage of the kill chain
External Party 49%
Internal Active 16%
Internal Passive
28%
Not Documented
7%
Source: 2012 Data Breach Investigations Report from Verizon / http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf.
4
IS Capabilities Assessment
Information Security Priorities
IS Talent/Operating Model IS Capabilities Maturity
Metrics/ Measures
Threats IS
Challenges
Business
Direction
External/Internal
Perspectives
Drivers
Talent/Operating Model Review
Strategic Planning Process
The strategic planning process must reassess key drivers versus current capabilities on a quarterly basis to define a set of
Information Security priorities
Situational Analysis
IS Strategy/Plan
5
Prevention is not Enough
For the Bad Actor to “win” they can succeed on 1 out of 100 attempts
For Citi to be successful they must prevent 100 out of 100 attempts
– Given time, the Bad Actor will eventually succeed
The ability to detect and respond to events are critical to a successful cyber defense
Intelligence about our adversaries and about ourselves must be used to inform all three phases of our defense system
Prevention
Detection Response
Intelligence Led Ecosystem
6
The Cyber Kill ChainTM
Cyber Red Zone
The Cyber Kill Chain is a Trademark of Lockhead Martin
Attacker must expose tools, techniques and processes as attacker moves through each phase of
the intrusion chain
7
Malicious Attack—Disrupting the Kill ChainTM
Gathering Initial Information
Creating Malware
Delivering the Malware
Exploiting a vulnerability to
gain access to an asset
Installing malware on
the asset
Creating a channel of
communication back to
the attacker
Adversary performing
their objectives
Reconnaissance
Prepare
Delivery
Exploitation
Installation
Command and Control
Actions on Objective
Protect sensitive data, stronger
access controls,
Intelligence gathering on
up-coming malware
Secure email protections, spam
filters, “Be Safe, Be Secure”
training
More secure code, firewalls,
Silvertail, IDS/IPS,
vulnerability testing,
EERS, privileged account controls
Malware analysis, investigation
support, network tools that capture
suspicious traffic
Reactive Proactive
Intelligence gathering on new targets
Predictive analysis that identifies
potentially malicious URLs; Streamlined
technologies/process for SOC alerting
Tools that leverage analytics to identify
attacks in progress
Ability to know who is on the network
with what credentials
Real time network tools that can isolate
suspicious traffic and identify source
Simulate real world threats; identify and
remediate process gaps
8
Cyber Defense Starts with Strong Intelligence Capabilities
1. Understand the threat: gain knowledge of the adversary and their
tradecraft; know ourselves, valuable assets and challenges
2. Integrate cyber threat intelligence and analysis into decision-making:
Deliver tactical and strategic intelligence products
3. Build a Foundation of Information Sharing: Increase internal and
external information sharing in a trusted environment
4. Strong Execution of Program Management: Support an enterprise
approach to integrated processes while conducting incident
response in a learning cycle environment
5. Maximize Collaboration: Promote collaboration and partnerships
both internal and external; sharing best practices and benchmarking
6. Promote Team Success: Hiring top talent, providing the best
available training and experiences, focused on enterprise solutions
7. Leverage Technology: Identify and develop innovative technologies
that enhance safety and security
Principles of an Intelligence-led Organization
9
IS Architecture—Defense in Depth IS architecture is one of layered security—deploying the latest technologies at the network layers as well as within the strategic
data centers.
10
Cyber Kill ChainTM and a Layered Defenses Strategy (by Capability)
Phase Protection Detection
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and
Control
Actions on Objectives
Cyber Security Fusion Center
Cyber Intelligence Center
Proxies
Firewalls
Proxies Intrusion
Detection
Antivirus
Antivirus
Proxies
Data Leakage
Protection
Anomaly
Detection
Proxies
Malware
Analysis
Anomaly
Detection
Network Application ID
Network Malware Analysis Sandboxing Internet SSL Decryption
Malware Analysis
Sandboxing End Point Monitoring
End Point Monitoring
End Point Monitoring Anomaly
Detection
End Point Monitoring
Next Gen Firewalls
Forensic Analysis
Malware Analysis
A
n
a
l
y
t
i
c
s
11
Cyber Kill ChainTM and Building a Detection Capability The Security Operations Center (SOC) follows standard processes for detecting potential attacks
IS Event Alert SOC L1
Detection IS Event Triage
Data Collection Event
Annotation Case Creation
Case Escalation
Firewalls
Identified
threats
Known vulnerabilities
Business-critical IT assets
Intrusion Detection Systems
External Threat Data Damballa VPN McAfee Applications Databases
SafeWord Entrust Symantec DLP SiteMinder
Raw Events
Security Relevant Events
Correlated Events
Arbor
Windows UNIX
Risk-based Prioritization Threat Determined
Damballa
ForeScout
ArcSight
Netwitness
12
Why Focus on War Games?
“The more you sweat in peace, the
less you bleed in war”
(1939—Chinese Generalissimo Chiang Kai-shek)
13
War Games Overview
Execute internal and external cyber based exercises/workshops to ensure
Citigroup is prepared to react to cyber incidents of all levels. It is structured to
simulate the experience of a real attack and involves representation from
information security, technology, business, legal, and
communication organizations
Overarching Program Objectives
Identify opportunities for Citi to enhance its cyber threat
preparedness with a focus on three areas
Effectiveness of existing cyber incident protocols,
processes and procedures
Cross-functional coordination and command and control
Coordination and communication with internal/
external parties
14
Citi believes that sustainability is good business practice. We work closely with our clients, peer financial institutions, NGOs and other partners to finance solutions to climate change, develop industry standards, reduce our own
environmental footprint, and engage with stakeholders to advance shared learning and solutions. Highlights of Citi’s unique role in promoting sustainability include: (a) releasing in 2007 a Climate Change Position Statement, the
first US financial institution to do so; (b) targeting $50 billion over 10 years to address global climate change: includes significant increases in investment and financing of renewable energy, clean technology, and other carbon-
emission reduction activities; (c) committing to an absolute reduction in GHG emissions of all Citi owned and leased properties around the world by 10% by 2011; (d) purchasing more than 234,000 MWh of carbon neutral power for
our operations over the last three years; (e) establishing in 2008 the Carbon Principles; a framework for banks and their U.S. power clients to evaluate and address carbon risks in the financing of electric power projects; (f)
producing equity research related to climate issues that helps to inform investors on risks and opportunities associated with the issue; and (g) engaging with a broad range of stakeholders on the issue of climate change to help
advance understanding and solutions.
Citi works with its clients in greenhouse gas intensive industries to evaluate emerging risks from climate change and, where appropriate, to mitigate those risks.
efficiency, renewable energy and mitigation
© 2015 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.
IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or
relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of any transaction contemplated hereby ("Transaction").
Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.
In any instance where distribution of this communication is subject to the rules of the US Commodity Futures Trading Commission (“CFTC”), this communication constitutes an invitation to consider entering
into a derivatives transaction under U.S. CFTC Regulations §§ 1.71 and 23.605, where applicable, but is not a binding offer to buy/sell any financial instrument.
Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment to lend, syndicate a
financing, underwrite or purchase securities, or commit capital nor does it obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or
regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction.
Prior to entering into any Transaction, you should determine, without reliance upon us or our affiliates, the economic risks and merits (and independently determine that you are able to assume these risks) as well as the legal,
tax and accounting characterizations and consequences of any such Transaction. In this regard, by accepting this presentation, you acknowledge that (a) we are not in the business of providing (and you are not relying on us
for) legal, tax or accounting advice, (b) there may be legal, tax or accounting risks associated with any Transaction, (c) you should receive (and rely on) separate and qualified legal, tax and accounting advice and (d) you
should apprise senior management in your organization as to such legal, tax and accounting advice (and any risks associated with any Transaction) and our disclaimer as to these matters. By acceptance of these materials,
you and we hereby agree that from the commencement of discussions with respect to any Transaction, and notwithstanding any other provision in this presentation, we hereby confirm that no participant in any Transaction
shall be limited from disclosing the U.S. tax treatment or U.S. tax structure of such Transaction.
We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number.
We may also request corporate formation documents, or other forms of identification, to verify information provided.
Any prices or levels contained herein are preliminary and indicative only and do not represent bids or offers. These indications are provided solely for your information and consideration, are subject to change at any time
without notice and are not intended as a solicitation with respect to the purchase or sale of any instrument. The information contained in this presentation may include results of analyses from a quantitative model which
represent potential future events that may or may not be realized, and is not a complete analysis of every material fact representing any product. Any estimates included herein constitute our judgment as of the date hereof
and are subject to change without any notice. We and/or our affiliates may make a market in these instruments for our customers and for our own account. Accordingly, we may have a position in any such instrument at
any time.
Although this material may contain publicly available information about Citi corporate bond research, fixed income strategy or economic and market analysis, Citi policy (i) prohibits employees from offering, directly or indirectly,
a favorable or negative research opinion or offering to change an opinion as consideration or inducement for the receipt of business or for compensation; and (ii) prohibits analysts from being compensated for specific
recommendations or views contained in research reports. So as to reduce the potential for conflicts of interest, as well as to reduce any appearance of conflicts of interest, Citi has enacted policies and procedures designed to
limit communications between its investment banking and research personnel to specifically prescribed circumstances.