SESSION ID: CIN-T06
#RSAC
Defeating Insider Threat with Cyber and Physical Security Convergence
Mark Weatherford, Chief Cybersecurity Strategist, vArmor, @vArmor
Jasvir Gill, Founder & CEO, AlertEnterprise, Inc., @AlertEnterprise
We’ve taken the legacy Internet infrastructure, with weak protocols that were never intended to be secure, and built our entire society and economy around it.
Didn’t we do this to ourselves?
Rapid Pace of Change
Change in the business climate today is largely being driven by technology, and if you think the pace is frantic now, wait until 2017.
Or 2020.
Or 2025.
The rate of change in business is going to be faster every year for the rest of your working life.
Every company today…is a software company
“The era of separating traditional industries and technology industries is over, and those who fail to adopt right now will soon find themselves obsolete.”
- Forbes.com
Industry 4.0: the Industrial Internet of Things (IIoT)
Vast global opportunities but…
1. Sensor and connected devices are being deployed with no security
2. New risks introduced with EVERYTHING as a Service
3. Almost no consistent implementation of security across mobility, virtual data centers and cloud environments
4. Security MUST be part of the strategic planning process.
The Internet of Things will be five to ten times more impactful in the next decade than the entire Internet has been to date.
- John Chambers, Former Cisco CEO
Understanding the Bad Guys
Unfortunately, the job of security professionals today is as much about understanding the businesses of the bad guys as it is about maintaining the businesses of the companies we work for.
The bad news…
• Most companies are out-matched in their ability to combat cyber-attacks from nation states, global criminals and malicious insiders.
• In no other arena are private organizations expected to do battle with the likes of:
  • Izz ad-Din al-Qassam Cyber Fighters
  • The Syrian Electronic Army
  • North Korea’s Bureau 121
  • Russia’s Sandstorm Crew
  • China’s 13638 group
  • Anonymous
  • Sandworm Team
  • Lizard Squad
  • Comment Crew
  • AnonGhost
Cyber Gestation
146 Days: The median time for an organization to detect a cyber intrusion is 146 days. That’s five months of someone you don’t know lurking in your network - watching, reading, copying, stealing…
53 Percent: Only 47 percent of organizations discovered their own data breach, which means that 53% were discovered by external entities, such as law enforcement, 3rd parties or customers.
- FireEye M-Trends 2016
The insider threat is serious…and incredibly under-estimated
When asked who posed the biggest internal threat to corporate data, 55% of the respondents to the 2015 Vormetric Insider Threat Report identified Privileged Users, followed by contractors, service providers, and business partners.
Who are they?
The Malicious Insider: Those trusted employees who intentionally steal and compromise
The Naïve and Ignorant Insider: Those employees who, despite awareness training and internal security controls, find a way to compromise the company
The Criminal: External attackers who establish unauthorized access and exploit gaps in visibility and security controls
Incident response and planning
“They came in the house, stole everything, then burned down the house. They destroyed servers, computers, wiped them clean of all the data and took all the data. We were so taken by surprise by the events…that we didn’t have a playbook or a plan at that moment to go forward.”
- CEO of Sony Pictures Entertainment
You can’t plan for everything
Vendor, third party, and partner risk
• Vendors don’t get better AFTER you sign a contract. If they stink before you've even committed, that's as good as it’s ever going to get…trust your gut.
• Cyber STD - a partner’s disease becomes your disease when your networks connect.
• Interdependencies – do you have a SPOF (single point of failure) you aren’t aware of?
Convergence
Cybersecurity convergence refers to the concept of bringing three security disciplines together to manage the threats facing the manufacturing industry.
• Physical security
• Cybersecurity (IT Security)
• Operational technology security (Industrial Control System and SCADA security)
- #BPOG | Best Practices for Oil & Gas
Companies typically organize in silos…
[Diagram: three silos, each with its own Access Management, Compliance and Security functions]
• IT: IT Resources, ERP
• PHYSICAL: Physical Access
• ICS/SCADA: Control Systems
…attackers don’t think that way!
Security Convergence As a Means to Safeguard Against Complex Threats Like Insider Threat
Jasvir Gill
Complex Threats are Hard to Detect: Too Much Data, Too Little Time
The report from Homeland Security recommended a series of common-sense steps: Make sure that outsiders accessing power systems or other networks that operate vital infrastructure can monitor the system, but not change it; close “back doors” — system flaws that can give an intruder unauthorized access; have a contingency plan to shut down systems that have been infected, or invaded, by outsiders.
Securing Our Critical Infrastructure is a Global Imperative
[Images: Command and Control, Pipeline Operations, Transmission Substation, Airport Security]
Organizations Respond to Threats in Silos. Attackers Don’t Think that Way.
Silos are Costly, Inefficient, Exposing Gaps to Attackers.
Security Convergence Delivers a Unified Solution for Linking IT Security, Physical Security and OT/ICS Security
Key Risk Indicators: Physical - Cyber
Physical Access Indicators
• Physical Access After-Hours, New Patterns
• HR Related Event – PIP or Notice
• Multiple Failed Attempts to Access Critical Areas
• Increased Number of Logins, Variation in Remote/Local
• Logging into Network at Odd Times
• Logging in Frequently During Vacation Times
• Trading Floor Access Patterns
Cyber/Logical Indicators
• Changes in Websites Visited, Work vs Personal
• Remote Logging Using Different Employee Credentials
• Increased Printer Usage Patterns
• Document Repository Download Patterns (Frequency & Quantity)
• Employee/Contractor File Download During Termination
• Export of Large Reports from Sensitive Systems
Key Risk Indicators – Human / Behavioral
• Security Warnings
• Security Citations
• Employee Comes to Work While Intoxicated
• Screening: Background Check / Drug Screening / Credit Score
• Employee Mitigates too Many Access Requests
• Employee Had Visitor(s) with Extremely Bad Behavior
• Department Watch List
• Expired Training
Holistic Approach: “Do you send a guy with a gun or a guy with a wrench?”
• Real-time alerts based on anomalies
• Monitoring of incidents such as cyber attacks, physical attacks and blended attacks. Examples are acts of terrorism, sabotage et al.
• Business friendly interface
Alert 231: Detected DCS Configuration Change without Work Order Authorization.
Cyber/Physical Security Convergence – Actionable Intelligence across IT/OT
Example: Aviation Security – Airport Insider Threat
The software has identified Zach as a person of concern.
Zach has been a baggage handler for three years. He had a higher rate of accidents and was written up for some negligent workplace behavior.
Zach has been accessing certain areas outside his normal shift hours and exhibiting non-standard behavior using a new sequence of doors never previously accessed.
Attempts to badge into a restricted area outside his normal shift hours, and contrary to the sequence of doors he normally uses, generate an alert to the TSA SOC.
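The airport scenario above rests on two per-employee baselines: usual badge hours and the door-to-door paths actually used. The following is an added illustration, not code from the presentation or from AlertEnterprise; the badge history, door names and the one-hour shift padding are constructed assumptions.

```python
from datetime import datetime

# Constructed PACS badge history for one employee (sample data, not from the presentation).
# Each event is (timestamp, door); the history covers two normal day shifts.
HISTORY = [
    ("2016-02-01 06:02", "staff-entrance"), ("2016-02-01 06:10", "baggage-hall"),
    ("2016-02-01 14:05", "staff-entrance"),
    ("2016-02-02 05:58", "staff-entrance"), ("2016-02-02 06:07", "baggage-hall"),
    ("2016-02-02 14:10", "staff-entrance"),
]
# New day: a normal morning, then an after-hours walk through doors never used before.
NEW_EVENTS = [
    ("2016-02-03 06:01", "staff-entrance"), ("2016-02-03 06:09", "baggage-hall"),
    ("2016-02-03 22:15", "staff-entrance"), ("2016-02-03 22:20", "cargo-corridor"),
    ("2016-02-03 22:31", "ramp-restricted"),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

class BadgeBaseline:
    """Per-employee baseline: usual badge hours plus the door-to-door paths seen in history."""
    def __init__(self, history, hour_pad=1):
        hours = [ts(t).hour for t, _ in history]
        # shift window padded by one hour either side to tolerate early/late arrivals (assumption)
        self.shift = (min(hours) - hour_pad, max(hours) + hour_pad)
        self.doors = {door for _, door in history}
        self.paths = set()
        for (t1, d1), (t2, d2) in zip(history, history[1:]):
            if ts(t1).date() == ts(t2).date():  # only same-day transitions form a path
                self.paths.add((d1, d2))

    def score(self, events):
        """Return one (time, door, reasons) tuple per event that deviates from the baseline."""
        alerts, prev = [], None
        for t, door in events:
            when, reasons = ts(t), []
            if not self.shift[0] <= when.hour <= self.shift[1]:
                reasons.append("outside normal shift hours")
            if door not in self.doors:
                reasons.append("door never previously accessed")
            elif prev and prev[1].date() == when.date() and (prev[0], door) not in self.paths:
                reasons.append("new door sequence %s -> %s" % (prev[0], door))
            if reasons:
                alerts.append((t, door, reasons))
            prev = (door, when)
        return alerts
```

BadgeBaseline(HISTORY).score(NEW_EVENTS) returns the three 22:xx events with their reasons and nothing for the normal morning badges; a real deployment would feed these into the SOC alert flow rather than stop at a list.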
NIST NCCoE Reference Deployment leverages Convergence
[Diagram: AlertEnterprise Guardian™ Converged IT-OT Identity Management]
• Core: Risk Engine, Policy Engine, Data Reconciliation, Rules, Workflows
• SCADA / OT targets, e.g. SEL Security Computer, Monarch EMS, Rugged-Com, etc.
• Physical targets, e.g. Lenel, Tyco Software House, Honeywell Pro-Watch, etc.
• IT targets, e.g. Oracle, SAP, Active Directory, Splunk, ArcSight, IBM Identity Manager
• Identity sources: Identity Store, HR, Self-Service, Visitor / Contractor
• Flows: Access Request Management; Directly Provision to Target System
NIST NCCoE Reference Deployment leverages AlertEnterprise Unique Ability to Manage IT, Physical and OT Identities
Copyright © 2015, AlertEnterprise, Inc.
PLOT (Physical Logical Operational Technology) Use Case: Potential Cyber Threat Scenario Animation
[Diagram: Remote Station with Card Reader and PLOT / PLAI Agent; Control Room; PLAI Controller (Kastle); Enterprise Network behind WAN and Firewall; Logs from Network Security Tools; Authorized User and Attacker]
EXPECTED BEHAVIOR
An authorized user swipes his access badge on the remote station door and changes the OT parameters during the planned maintenance window.
User information available in the PACS is fetched in real time by the PLAI agent. OT logs are correlated with the user information and found to be valid. The SIEM log does not show any unexpected behavior in the network security logs.
No unusual pattern is observed on PLOT and the events are treated as expected behavior by the system.
SUSPECTED CYBER THREAT
An unauthorized user logs in to the servers in the DMZ using a brute force method. On successful login the attacker attempts configuration changes on an OT system.
SIEM logs indicating an unusual pattern are correlated with user information available in the PLAI-compliant PACS and OT logs in Enterprise Sentry.
The unexpected pattern observed from the correlation of physical, logical and OT logs is flagged as a Potential Cyber Threat alarm, and the security analyst is provided with remediation scripts to acknowledge and process the alarm.
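The two PLOT scenarios above, and the earlier "Alert 231" (DCS change without work order authorization), are all the same correlation: an OT change is judged against the badge record at the door, the authorised maintenance window, and the SIEM login history. The following is an added example of that logic, not code from the presentation, AlertEnterprise or the NCCoE build; the log records, asset and user names, and the two-hour badge lookback and five-failure brute-force threshold are constructed assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample logs (not from the presentation); timestamps are "YYYY-MM-DD HH:MM".
PACS_EVENTS = [  # physical access control system: badge swipes at the remote station door
    {"time": "2016-03-01 09:58", "user": "alice", "door": "remote-station", "result": "granted"},
]
WORK_ORDERS = [  # authorised maintenance windows per user and OT asset
    {"user": "alice", "asset": "rtu-7", "start": "2016-03-01 09:00", "end": "2016-03-01 12:00"},
]
OT_CHANGES = [  # configuration/parameter changes reported by the OT system
    {"time": "2016-03-01 10:05", "user": "alice", "asset": "rtu-7", "door": "remote-station"},
    {"time": "2016-03-01 23:40", "user": "svc-dmz", "asset": "rtu-7", "door": "remote-station"},
]
SIEM_AUTH = [  # DMZ server logins as forwarded to the SIEM: six failures, then a success
    {"time": "2016-03-01 23:%02d" % m, "user": "svc-dmz", "result": "fail"} for m in range(20, 26)
] + [{"time": "2016-03-01 23:26", "user": "svc-dmz", "result": "success"}]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def badged_in(user, door, at, lookback=timedelta(hours=2)):
    """PLAI-style lookup: did this user badge through this door shortly before the change?"""
    return any(e["user"] == user and e["door"] == door and e["result"] == "granted"
               and at - lookback <= ts(e["time"]) <= at for e in PACS_EVENTS)

def in_work_order(user, asset, at):
    """Is the change covered by an authorised maintenance window for this user and asset?"""
    return any(w["user"] == user and w["asset"] == asset
               and ts(w["start"]) <= at <= ts(w["end"]) for w in WORK_ORDERS)

def brute_force_login(user, at, lookback=timedelta(minutes=30), threshold=5):
    """SIEM pattern: a successful login preceded by >= threshold failures in the lookback."""
    recent = [e for e in SIEM_AUTH if e["user"] == user and at - lookback <= ts(e["time"]) <= at]
    fails = sum(1 for e in recent if e["result"] == "fail")
    return fails >= threshold and any(e["result"] == "success" for e in recent)

def assess(change):
    """Correlate one OT change across physical, logical and OT logs; return (verdict, reasons)."""
    at, user, asset = ts(change["time"]), change["user"], change["asset"]
    reasons = []
    if not badged_in(user, change["door"], at):
        reasons.append("no badge-in at %s before the change" % change["door"])
    if not in_work_order(user, asset, at):
        reasons.append("no work order covering %s at %s" % (asset, change["time"]))
    if brute_force_login(user, at):
        reasons.append("brute-force login pattern for %s in SIEM" % user)
    return ("EXPECTED BEHAVIOR" if not reasons else "POTENTIAL CYBER THREAT", reasons)

if __name__ == "__main__":
    for change in OT_CHANGES:
        print(change["time"], change["user"], *assess(change))
```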
Final thought - have a security strategy
• Understand technical relationships between the Lines of Business
  • Data relationships
  • Align business risks and security controls
  • Regulatory requirements
• Understand your assets
  • Where are your crown jewels?
  • What could put you out of business tomorrow if you lost it?
• Without a security strategy, companies lurch from breach to breach and incident to incident
  • It’s inefficient
  • It’s not cost effective
  • It drives the IT and security staff crazy
Apply What You Have Learned Today
Next week you should:
• Create a Working Group with HR, Security and IT to Make a Plan for Linking Physical and Logical Identity Management
In the first three months following this presentation you should:
• Identify Key Pain Points such as Blended Threats between your silos of operation
• Create a Common Digital Identity to Unify Access Policies for IT, OT, Physical Security
• Create risk metrics for specific roles in the organization
Within six months you should:
• Automate Both Physical and Logical Identity and Access Management
• Implement a Risk Based Approach to Active Policy Enforcement
Don’t reinvent the wheel. Learn from NIST & others who have successfully solved the problem.