dan gahafer cyber security ttd2016 - fedinsider.com

Cyber Security
Dan Gahafer, DHS Account Chief Technologist
Month day, year



Managing risk in today’s digital enterprise

Rapid transformation of enterprise IT
• Shift to hybrid
• Mobile connectivity
• Big data explosion

Cost and complexity of regulatory pressures
• Compliance
• Privacy
• Data protection

Increasingly sophisticated cyber attacks
• More sophisticated
• More frequent
• More damaging

© Copyright 2016 Hewlett Packard Enterprise Development LP

Worldwide security trends and implications

Key points
• Security is a Board of Directors’ concern.
• Security leadership is under immense pressure.
• There is a need for greater visibility of business risks and to make sound security investment choices.

New Threat Landscape
• 205 days: median time to detect a breach
• 46 days: time to respond to a breach*
• $7.7M: average cost of a breach*

Sources: Mandiant M-Trends 2015 Report, 2013 Ponemon Cost of Data Breach Study

Cyber Security Posture

Protect your digital enterprise

Protect: Build it in
Identify the threats you face, assess your organization’s capabilities to protect your enterprise, harden your applications, protect your users, and encrypt your most important data.

Detect & Respond: Proactively detect and manage breaches
Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration. Establish situational awareness to find and shut down threats at scale.

Recover: Safeguard continuity and compliance
Drive resilience and business continuity across your IT environments, systems, and applications. Reduce risk with enterprise-wide governance, risk & compliance strategies.

Today’s digital Enterprise needs a new style of protection

Traditional
• Ultimate State: Impregnable
• Messaging: Fear, Uncertainty, Doubt
• Business Proximity: None
• Accountability & Leadership: IT / Risk department
• Focus: Perimeter & Information
• Approach: Complicate, obstruct, say no
• SOC Focus: Regional. Isolated. Servers, network & security devices

Protect your digital enterprise (Users, Apps, Data)
• Assume a state of compromise. Digital Resilience. Stop exfiltration and business disruption. Detect early. Quick and effective response
• Confidence, assurance, visibility, prepared to respond
• Enabler. Provider of business outcomes.
• Board, CEO, business
• Protect your most critical assets and the interactions between them, regardless of device or location
• Use a risk based approach to address cyber maturity gaps.
• Includes value chain and value creation ecosystem
• Lean, agile. Maximize interaction opportunities at lowest risk
• Full cyber situational awareness. Global, sharing threat intelligence. All devices

Developing world class Digital Resilient solutions
• Unique experience in implementing and managing world-class solutions
• Leading Threat Research
• Infrastructure thru Applications
• Digital Resilient solutions ready to tackle emerging security challenges

HPE Cyber Reference Architecture - Structured in Domains

• Strategy, Leadership & Governance (SLG)
• Security Resilient Architecture (SRA)
• Risk & Compliance Management (RCM)
• Resilient Workforce (RW)
• Security & Operations Management (SOM)
• Cyber Defense (CD)
• Identity & Access Management (IAM)
• Infrastructure & Network Security (INS)
• Applications Security (AS)
• Data Protection & Privacy (DPP)
• Converged Security (CS)
• Physical Security (PS)
• Operational & Technical Security (OTS)

Highly Structured and Granular: Domain (12 in total), Sub-domain (63 in total), Capability (345 in total)

HPE Differentiator: Unique level of detail in the Operational & Technical Security (OTS) domain

Cyber Reference Architecture: Domains & Sub-Domains

Domains
• Strategy, Leadership & Governance (SLG)
• Security Resilient Architecture (SRA)
• Risk & Compliance Management (RCM)
• Security & Operations Management (SOM)
• Cyber Defense (CD)
• Resilient Workforce (RW)
• Identity & Access Management (IAM)
• Infrastructure & Network Security (INS)
• Physical Security (PS)
• Applications Security (AS)
• Data Protection & Privacy (DPP)
• Converged Security (CS)

Sub-domains (in slide order)
• Audit Management
• Business Objectives
• Critical Business Processes & Assets
• Key Business Risks
• Security Strategy
• Security Governance & Organization
• Security Policy
• Asset Management
• Information Security Management System
• Risk Management Framework
• Security Metrics
• Third Party Management Framework
• Legal & Regulatory Compliance
• Privacy Compliance
• Standard & Industry Compliance
• Enterprise Security Architecture
• Security Architecture Assurance
• Security Architecture Single Domain blueprints
• Security Architecture Multi Domain blueprints
• Security Standards
• Business Continuity
• Solution Architecture
• Security Awareness Program
• Communications & Marketing
• Embedded Security Culture
• Empowered Workforce
• Security Information & Event Management
• Security Incident Response & Remediation Mngt.
• Digital Investigation & Forensics
• Threat Intelligence & Profiling
• Vulnerability Management
• Security Analytics
• Forensic & Incident Response Tooling
• Security Process Measurement
• Security Operations Management
• Identity Lifecycle Management
• Authentication Management
• Strong Authentication
• Access Management
• Directory Management
• Privileged Account Management
• Rule-based Security Policy Enforcement
• Infrastructure Security Enforcement
• Known Threat Detection & Prevention
• Unknown Threat Detection & Prevention
• Software Assurance Lifecycle Maturity
• Application Security Requirements
• Security Architecture, Design & Development
• Application Security Testing
• Security Training for Software Development
• Application Maintenance
• Data Discovery & Classification
• Data Assurance
• Data Protection
• Data Security Lifecycle Management
• Certificate & Key Management
• Industrial Controls Systems Security
• Internet of Things Security
• Vehicle Security
• Datacenter Security
• Office Security

Cyber Defense

Cyber Defense Sub-Domains

Security Information & Event Management
Collecting, consolidating and correlating security event logs in order to automatically generate security alerts based on known attack scenarios / use cases. Monitor security alerts and incidents as they occur in the environment. Provide evidence in case of investigations and to support Incident Response management.

Security Incident Response & Remediation Management
Validate, classify and analyze security incidents (understand what happened, how and why) to ensure adequate and prompt remediation or recovery activities (Incident Response level 1 and 2).

Digital Investigation & Forensics
Identifying, processing and analyzing digital states and events to find evidence as to how, why and by whom a computing resource was compromised, and collecting, processing and reviewing data in the event of legal action (Incident Response level 3).

Threat Intelligence & Profiling
Changing the security model from reactive to proactive by understanding your adversaries and so developing tactics to combat current attacks and plan for future threats. Accurate, complete and actionable information allowing for threat modeling, planning and remediation activities to occur. Such information may come from inside sources such as a CMDB or from external providers. The key is to create “actionable” steps to further protect the enterprise.

Processes and plans for establishing, maintaining and testing resilient IT service capabilities in the event of environmental, man-made or technical failures in ICT infrastructure and applications.

Forensic & Incident Response Tooling
Endpoint and Network incident response and forensics tooling, with collecting, recording, detection, investigation, containment, remediation and threat disruption capabilities.

Vulnerability Management
The cyclical practice of policy definition, baselining, assessing, prioritizing, shielding, remediating and monitoring of exploitable security vulnerabilities in software and firmware in endpoints, infrastructure and other IP addressable assets, including root cause analysis and elimination.

Security Analytics
Analytics to allow processing of large volumes of unstructured and structured data in order to efficiently identify, detect and alert in real time on anomalies or other abnormal events or transactions that do not conform to expected patterns.

Cyber Defense Domains
• Security Information & Event Management
• Security Incident Response & Remediation Management
• Digital Investigation & Forensics
• Threat Intelligence & Profiling
• Vulnerability Management
• Security Analytics
• Forensic & Incident Response Tooling

Cyber Defense Capabilities

Security Information & Event Management
• Logs
  - Policy Definition, Generation, Collection, Consolidation, and Correlation
  - Storage, Retrieval, Retention, and Integrity
• Use Case Management
• Monitoring and Alerting
• Queries and Reporting
• Knowledge Management

Security Incident Response & Remediation Management
• Triage, Validation, Classification, and Analysis
• Communication
• Root Cause Analysis
• Remediation, Recovery, and Reporting
• Knowledge Management and Lessons Learned

Digital Investigation & Forensics
• Identifying, Processing and Analyzing States and Events to Find Evidence about How, Why, and by Whom
• Collecting, Preserving, Processing, and Reviewing Data Supporting Legal Processes

Threat Intelligence & Profiling
• Triage, Validation, Classification, and Analysis
• Investigate and Understand Security Trends
• Profile Threat Actors
• Remediation, Recovery, and Reporting
• Actively Hunt Threats

Vulnerability Management
• Static and Dynamic Code Analysis Focusing on Security Vulnerabilities
• “Gold Disks” – Hardened OS/Apps
• Penetration Testing/Red Teams
• Vulnerability Scanning and Remediation
• Patch Management
• Research and Vendor Notification
• Periodic Health Assessments (C&A, ST&E)

Security Analytics
• Big Data Security Analytics
• Baseline Normal Behavior (User, Application, System, Network)
• Anomaly Detection
• Behavior Analysis
• Privileged Threat Analytics – Malicious Activity and Actionable Intel to Disrupt/Respond to Attacks
• Social Media Analysis
• DNS Analytics – Anomalous DNS Communications, Known Bad Domains
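An added Python sketch (not from the deck or any HPE product) of how the SIEM use-case correlation and the Security Analytics capabilities listed above fit together: a query-volume baseline is learned from a quiet window, then a detection window is checked for known bad domains and anomalous DNS volume. The log format, host names, domains and blocklist are all constructed for the example.

```python
"""Toy SIEM-style DNS analytics: learn a per-host query-volume baseline from a
quiet window, then alert on known-bad domains and volume anomalies."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log format for this example (not a real product's format).
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")

# Constructed sample data: five workstations make ten queries each in the
# baseline window; in the detection window ws-105 also resolves a listed
# domain and ws-106 fires 60 TXT queries at unique subdomains.
BASELINE_LOG = [f"2016-03-01T09:{m:02d}:00Z host=ws-10{h} qname=www.example.com qtype=A"
                for m in range(10) for h in range(1, 6)]
DETECTION_LOG = (
    [f"2016-03-01T10:{m:02d}:00Z host=ws-10{h} qname=mail.example.com qtype=A"
     for m in range(10) for h in range(1, 6)]
    + ["2016-03-01T10:05:30Z host=ws-105 qname=evil-c2.example.org qtype=A"]
    + [f"2016-03-01T10:00:{s:02d}Z host=ws-106 qname=x{s:02d}.tunnel.example.org qtype=TXT"
       for s in range(60)])
KNOWN_BAD = {"evil-c2.example.org"}  # constructed placeholder blocklist

def parse(lines):
    """Parse log lines into dicts, silently skipping malformed ones."""
    matches = (LINE_RE.match(line) for line in lines)
    return [m.groupdict() for m in matches if m]

def baseline_threshold(events, k=3.0):
    """Per-host query counts in the baseline window define 'normal'. Anything
    above mean + k*stdev is anomalous, with a floor of twice the mean so a
    perfectly uniform baseline does not make every extra query an alert."""
    vals = list(Counter(e["host"] for e in events).values())
    return max(mean(vals) + k * pstdev(vals), 2 * mean(vals))

def detect(events, threshold, known_bad=KNOWN_BAD):
    """Two SIEM use cases: listed-domain match (high) and per-host volume
    anomaly (medium). Returns a list of (severity, host, detail) tuples."""
    alerts = [("high", e["host"], f"query to listed domain {e['qname']}")
              for e in events if e["qname"] in known_bad]
    for host, n in sorted(Counter(e["host"] for e in events).items()):
        if n > threshold:
            alerts.append(("medium", host,
                           f"{n} queries exceeds baseline threshold {threshold:.0f}"))
    return alerts

def run():
    """Baseline on the quiet window, then analyse the detection window."""
    return detect(parse(DETECTION_LOG), baseline_threshold(parse(BASELINE_LOG)))

if __name__ == "__main__":
    for sev, host, detail in run():
        print(f"[{sev}] {host}: {detail}")
```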

Forensic & Incident Response Tooling
• Full Packet Capture for Analytics and Forensics
• Endpoint Forensic Tooling – e.g. Disk, Processes, Memory, Registry
• Endpoint Containment for Isolation When Compromised
• Endpoint Remediation – Return to Known Good State
• Network Forensic Tooling to Perform Analytics and Forensics
• Graphical Case Deconstruction to Show Exactly What Happened
• Real-Time Query & Alerting
• Offline Malware Analysis

Cyber Defense Solutions

The adversary attack ecosystem

Attack lifecycle, from their ecosystem into your enterprise: Discovery, Research, Infiltration, Capture, Exfiltration

Build a capability to disrupt the market
• Protecting the target asset
• Finding them
• Educating users
• Counterintelligence
• Blocking access
• Planning damage mitigation

Security Technology Solutions: Disrupting the adversary

HPE Security Technology Solutions: Market-leading IP and global expertise in delivering services and support across a variety of security technologies from leading global security vendors to help you integrate your environment and optimize your investments.

• Network intelligence
• Security intelligence
• Application security

HPE teams with FireEye
• HPE EXPANDS ITS IT SECURITY ARSENAL
• 5 Ways HPE-FireEye Deal Will Raise Security Services Bar
• HPE Teams With FireEye To Mount Fortune 1000 Security Offensive
• HPE And FireEye Join Breach-Fighting Forces

HPE and FireEye/Mandiant

Advanced Compromise Assessment from HP and FireEye: Answers the most important question for every enterprise - whether or not they have been breached.

Global Incident Response from HP and FireEye: Investigate, assess, and resolve cyber-security events ranging from single-system compromises to enterprise-wide intrusions by advanced attack groups.

Managed Advanced Threat Protection Services from HP and FireEye: 24/7 security monitoring and management of cyber-attacks that bypassed traditional technology defenses, with expert threat investigation and proactive attacker hunting.

Advanced Compromise Assessment: Find and remove active and lurking threats

Features
• Leverages industry-leading technology from FireEye
• Local deployment, threat discovery, analysis and assessment
• Detailed report with major findings and next-step recommendations

Problems it solves
• Exposes current and past attacker activity within the network
• Uncovers evidence of compromised assets
• Validates security environment and highlights improvements

Benefits
• No capital expenditure
• Rapid deployment and minimized business disruption
• Gain understanding of current state of threat risk

Advanced threat detection 24/7: Threat visibility, confidence of protection, reduced risk

Features
• Leverages industry-leading technology from HP and FireEye
• 24/7/365 systems operational management and maintenance
• Rapid detection of threats, alert investigation, malware analysis, and mitigation recommendations from Federal SOC
• Proactive hunt of attackers and personalized threat intelligence

Problems it solves
• Alleviates internal resource constraints
• Optimizes threat detection, mitigation, and response capabilities
• Preempts attacks and minimizes exposure

Benefits
• Expanded operational support and expert threat analyst team
• Visibility and contextual awareness of active threats
• Reduced business risk of security compromise—faster containment
• Confidence of protection against targeted threats and advanced malware

Global Incident Response: Rapid response when threats become reality

Features
• Rapid deployment of industry leading incident response teams to client site
• Cleared resources when required
• Full enterprise visibility through proprietary tools and techniques purpose built for large scale incident response
• Expertise, methodologies and IP from HP and FireEye

Problems it solves
• Reduces the damage caused by advanced, targeted attacks
• Engages experienced teams with deep domain expertise
• Minimizes downtime and establishes ongoing response plans

Benefits
• Stops prolonged exposure to minimize financial and reputation damages
• Addresses legal and regulatory evidence requirements
• Relieves overburdened staff in reactive environments

While this may not suffice for US Federal customers, enough demand can facilitate standing up a dedicated federal response team.

HPE Security global footprint
Internal Use Only

• 1.8m+ Managed Security Devices
• 47m HPE Secured User Accounts
• 1000+ HPE MSS Customers
• 10k+ HPE Security Software Customers
• 5000+ HPE Security Professionals
• 10 Security Operations Centers

SOC locations (Global SOC / Regional SOC): Texas, Virginia, Toronto, Costa Rica, Germany, UK, Bulgaria, India, Malaysia, Australia

HPE next-gen SOCs provide 24*7*365 monitoring and management

Features of Security Operations Centers (SOCs) and HPE MSS
• 24*7*365 monitoring and management capability
• Local knowledge for regional regulatory support
• Integration into a global threat profile with collaboration and communication across SOCs
• Targeted Threat Intelligence via the HPE MSS Portal

Client benefits
• Alleviated burden on constrained resources
• Improved intelligence sharing and response to threats
• Better identification and faster response to incidents
• Quicker restoration time and reduced impact on the organization

HPE security research

Innovative research

Cyber Risk Report for 2016
• HPE researches and publishes the Cyber Risk Report annually.
• Report is shareable to HPE customers, partners, and others.
• Broad view of the threat landscape, from industry-wide data to a focused look at technologies, including open source, mobile, and Internet of Things.
• Provides vendor-agnostic information to better understand the threat landscape, and to identify resources that minimize security risk.

Cyber Risk Report for 2016: Highlights for 2015
• Mobile devices and broad inter-connectivity are attracting attackers and expanding the threat landscape.
• 10,000 new Android threats daily - 153 percent year-over-year.
• Malware attacks on Apple iOS grew 235 percent.
• 80% of OSS and commercial software contain security vulnerabilities.
• Windows remained the dominant attack target.
• The most exploited vulnerability in 2015 had patches available since 2014.

Thank you
[email protected]