CYBER RISK: THERE IS HELP OUT THERE (financialmutuals.org, "13th cyber final.pdf", January 2019)

Post on 10-Aug-2019


TRANSCRIPT

CYBER RISK: THERE IS HELP OUT THERE

CYBER RISK

QUESTION 1: How big is your IT team?

SECURE | SIMPLIFY | AUTOMATE | TRANSFORM

LENS. RISK


Threat actors and what drives them (slide diagram, four quadrants around YOUR DATA):

CRIMINAL: Economically motivated; Phishing; Malvertising; Ransomware

TERRORIST: Disruption; Political; Socio Cultural; Physical Destruction

INSIDER: Corporate Espionage; Trust Abuse; Existing access; Disgruntled employee

NATION STATE: Advanced Persistent Threats; Intelligence Driven; Low, Slow, Careful, Targeted; The Big Boys™

At the centre of all four: YOUR DATA

LENS. RISK

January 2019

Attack Surface

More Users × Wider Variety of user × More discovered and exploitable Vulnerabilities × More connected, thus Cascaded errors (Networked failings) = BOOM!

LENS. RISK

LENS. POSTURE

QUESTION 2: Have you heard of these people?

1. How do we defend our organisation against phishing attacks?

2. How does our organisation control the use of privileged IT accounts?

3. How do we ensure that our software and devices are up to date?

4. How do we make sure our partners and suppliers protect the information we share with them?

5. What authentication methods are used to control access to systems and data?

LENS. POSTURE

‘Are We Doing The Basics Right?’


LENS. POSTURE


QUESTION 3: Got one of these?

• NCSC 10 Steps
• Cyber Essentials (CE)
• Cyber Essentials Plus
• NIST
• ISO 27001
• Hybrid
• Other (home grown)
• Never heard of them


LENS. POSTURE

RISK CONSIDERATIONS


LENS. POSTURE


QUESTION 4: How often do you audit your Cyber Security Posture?

• Annually
• Bi-Annually
• Monthly
• Weekly or more frequently
• Not really considered / Not sure
• What's a Cyber Security Posture?

LENS. PREVENTION


Defence-in-depth capability map (slide diagram), from Outside Threats in to Mission Critical Assets; labels in the order they appear, joined where the extraction split them:

Engineering & Infrastructure: Vulnerability Assessment, Security Awareness Training, Penetration Testing, Threat Modeling, Risk Management, Continuous Controls Assessment, Security Architecture & Design, IT Security Governance, Cyber Threat Intelligence

SIEM, Escalation Management, Focused Ops, Digital Forensics, Continuous Monitoring and Assessment, Situational Awareness, SOC/NOC Monitoring (24x7), Incident Reporting, Detection, Response (CIRT), Security Dashboard, Security SLA/SLO Reporting

PKI, DAR/DIM/DIU Protection, Identity & Access Management, Data Classification, Data Integrity Monitoring, DLP, Enterprise Rights Management, Data Wiping / Cleansing

Static App Testing / Code Review, Dynamic App Testing, WAF, Database Monitoring/Scanning, Database Secure Gateway (Shield), DLP

DHS Einstein, Patch Management, FDCC Compliance, Endpoint Security Enhancement, Content Security (anti-virus, anti-malware), Host IDS/IPS, Desktop Firewall

Enclave / Data Center Firewall, Enterprise IDS/IPS, VoIP Protection, Inline Patching, Web Proxy Content Filtering, NAC, Enterprise Message Security, Enterprise Wireless Security, Enterprise Remote Access, DLP

Message Security (anti-virus, anti-malware), Honeypot, Secure DMZs, Perimeter IDS/IPS, Perimeter Firewall, Mobile NAC

Enforce AV, DLP, Desktop Core Configuration, Enforce Firewall, Vulnerability Management, Configuration Management, Patch Update, Automated Policy Enforcement, Automated Compliance Enforcement

Server Virtualization, Virtual Infrastructure, Virtual Desktop, Virtual Application, Managed Security Services, Virtual Security, SaaS, Storage Services, Perimeter IDS/IPS

Security Tech Evaluation, Security Policies & Compliance, Red Teaming, Data Segmentation, Encryption

Simplification, Automation, Optimization

▪ Multi-layered problem to solve
▪ Layers have multiple components
▪ Threats & assets are finite, but attacks and vulnerabilities are infinite
▪ Arms race: hackers have huge, evolving resources
▪ 10,000 products
▪ Tech language into Risk?
▪ Resource shortage!

LENS. PREVENTION


BAS Follows Hacker Approach - Typical APT

LENS. PREVENTION

QUESTION 5: What's your Breach Attack Simulation (BAS) Enterprise score prediction? (100 is Weak and 0 is Strong)

• 0 to 9 (Strong)
• 10 to 39
• 40 to 69
• 70 to 89
• 90 to 100 (Weak)
• Prefer not to know ☺

LENS. PREVENTION


TRAINING YOUR BARISTA

Apps Pool | Audit | Policy | NCSC Cyber Ess + | ISO / NIST | MSSP

✓ BASIC

Notes:
• Engage powerful BAS and Vulnerability Management solutions to automate posture testing to the highest standards available:
  • Hygiene (through vastly improved patching efficiency)
  • Assurance
  • Benchmarking
  • Insider Fallibility 'Spark'

LENS. PREVENTION

TRAINING YOUR BARISTA

Apps Pool | Audit | Policy | NCSC Cyber Ess + | ISO / NIST | MSSP

✓ ✓ 10 STEPS

Notes:
• As a natural next step, a lean, dedicated audit party can bring efficient and experienced eyes on glass to Apps Pool findings that then extend to the wider:
  • IT Systems
  • Processes
  • People

LENS. PREVENTION

TRAINING YOUR BARISTA

Apps Pool | Audit | Policy | NCSC Cyber Ess + | ISO / NIST | MSSP

✓ ✓ ✓ 10 STEPS

Notes:
• With sufficient support, a consensus policy or set of policies emerges that ought to clear the Cyber Essentials Plus framework. The implementation support and maintenance of such a policy can be very economical (it can be expensive too!).

LENS. PREVENTION

TRAINING YOUR BARISTA

Apps Pool | Audit | Policy | NCSC Cyber Ess + | ISO / NIST | MSSP

✓ ✓ ✓ 10 STEPS
✓ ✓ ✓

Notes:
• BELT & BRACES: Beyond Cyber Essentials lie more extensive frameworks, along with significant automation opportunities from an extended Applications set:
  • SIEM (Security Information and Event Management)
  • Federated SOC (Eyes on glass)
  • Extended cultural transformation + DLP
• Raising the bar in this way ought to be seen as a catalyst for the digital transformation of the business: Security first makes digital real!

LENS. PREVENTION

QUESTION 6: When an Association member is breached, would it be useful to have:

• Bat phone alert to other members
• Rapid response team to assist
• Virtual SOC / SIEM oversight
• Post-incident analysis sharing policy

LENS. PREVENTION

Summary

LENS. PREVENTION

Optimum/max spend on security: 37% of possible loss (Gordon-Loeb model)

Where to invest? How much?

• Short Term: ROI review current spend and justify new. Nail down the 5 x NCSC questions.
• Medium Term: Build an ROI-tuned plan for progressive enhancement.

Figure: Benefits and costs of an investment in cyber / information security (Gordon-Loeb model).


LENS. PREVENTION


Minimum 10 days to maximum 20 days of CSO and technical consultancy to:

- Specify phishing filtering and oversee implementation
- Review Active Directory

New:

95% of breaches began as phishing attacks

100% of missed phish pass through existing defences


LENS. PREVENTION

2 270870580655 eni-6d25f24c 172.31.100.49 178.137.87.242 80 57379 6 15 1843 1496697675 1496697715 ACCEPT OK

The VPC Flow Log record above, field by field (in record order):

• VPC Flow Log version: 2
• AWS Account: 270870580655
• Elastic Network Interface: eni-6d25f24c
• Source IP: 172.31.100.49
• Destination IP: 178.137.87.242
• Source Port: 80
• Destination Port: 57379
• IP Protocol: 6
• Number of Packets: 15
• Bytes: 1843
• Timeframe (in seconds): 1496697675 to 1496697715
• SG or NACL action: ACCEPT
• Log Status: OK

Lambda function is talking to a known malicious destination: the Lambda function is sending outbound traffic over port 80 to a malicious IP address, 178.137.87.242.
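To show how the field walk-through above turns into a detection, here is an added example (not code from the slides or from Check Point): a parser for default-format VPC Flow Log version 2 records that flags accepted flows to a watch-listed destination, using the slide's own record plus two constructed records (a rejected flow and a NODATA record) as input. The watch list and port are assumptions taken from the slide's annotation.

```python
from typing import Dict, List, Optional, Set

# Field order of a default-format (version 2) VPC Flow Log record, as walked through on the slide.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Return the named fields of one record, or None if the line is malformed
    or is a NODATA/SKIPDATA record (those carry '-' instead of traffic data)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    rec["duration_s"] = rec["end"] - rec["start"]  # the slide's "Timeframe"
    return rec


def flag_flows(lines: List[str], watchlist: Set[str], port: int = 80) -> List[Dict[str, object]]:
    """Accepted flows whose destination is on the watch list and which use
    `port` on either side (in the slide's record, 80 is the *source* port)."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # rejected by SG/NACL, or nothing to analyse
        if rec["dstaddr"] in watchlist and port in (rec["srcport"], rec["dstport"]):
            hits.append(rec)
    return hits


# Constructed sample input: the record shown on the slide, plus a REJECTed flow
# to the same address and a NODATA record (both made up for this example).
SAMPLE_LINES = [
    "2 270870580655 eni-6d25f24c 172.31.100.49 178.137.87.242 80 57379 6 15 1843 1496697675 1496697715 ACCEPT OK",
    "2 270870580655 eni-6d25f24c 172.31.100.49 178.137.87.242 80 57380 6 3 180 1496697700 1496697720 REJECT OK",
    "2 270870580655 eni-6d25f24c - - - - - - - 1496697700 1496697760 - NODATA",
]
WATCHLIST = {"178.137.87.242"}  # the "known malicious destination" from the slide

if __name__ == "__main__":
    for hit in flag_flows(SAMPLE_LINES, WATCHLIST):
        print(f"{hit['interface_id']}: {hit['srcaddr']}:{hit['srcport']} -> {hit['dstaddr']}:{hit['dstport']}, "
              f"{hit['bytes']} bytes over {hit['duration_s']} s")
```

Only the slide's ACCEPT record is reported; the REJECT record never reached the destination and the NODATA record carries no addresses to match.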


LENS. PREVENTION

[Internal Use] for Check Point employees

Enriched Flow Logs: Visual Traffic Map, Detailed Properties, Canned & Custom Queries

LENS. PREVENTION