target breach analysis - itag · stealth core is not your typical firewall, vlan, or vpn approach...

© 2016 Unisys Corporation. All rights reserved. Tech 360 CyberSecurity Risks and Mitigations November 11, 2016 Rob Johnson Distinguished Engineer, Unisys Corp.


Page 1


Tech 360 – CyberSecurity Risks and Mitigations

November 11, 2016

Rob Johnson, Distinguished Engineer, Unisys Corp.

Page 2


Tech360 – CyberSecurity Risks and Mitigations

• Scope of Today’s Talk

– Breadth v. Depth

– Definitions

– Common Risks

– Emerging Mitigation Technologies

• Q&A

Page 3


Tech360 – CyberSecurity Definitions

• Information Security Attributes

– Confidentiality – keep private things private

– Integrity – ensure information can’t be altered, or detected if altered

– Availability – make sure information can be used when needed

– Non-repudiation – don’t allow deniability, plausible or otherwise

• There Is No Perfect Security

– No “magic bullet”

– There are always vulnerabilities

– Good security = Layers of compensating controls

• Security is an Onion

Page 4


Tech360 – CyberSecurity Risks

• Lockheed Martin’s Cyber Kill Chain Model

1) Reconnaissance: Stalk your target

2) Weaponization: Customize your malware

3) Delivery: Infect a device with access to target

4) Exploitation: Leverage target’s vulnerability

5) Installation: Transfer your malware to target

6) Command & Control: Send commands (keyboard, scripts, triggers) to target

7) Action on Objectives: Malware does its job (exfiltrate data, DDOS, self-destruct)

Page 5


Tech360 – CyberSecurity Risks

• Distributed Cyber Kill Chain Model

1) Reconnaissance: Stalk your target

2) Weaponization: Customize your malware

3) Delivery: Infect a device with access to target network

4) East/West Replication: Infect neighbors

1) Search for target and clean up

2) Build a botnet

5) Exploitation: Leverage target’s vulnerability

6) Installation: Transfer your malware to target

7) Command & Control: Send commands (keyboard, scripts, triggers) to target

8) Action on Objectives: Malware does its job (exfiltrate data, DDOS, self-destruct)

Page 6


Tech360 – Risks

• Advanced Persistent Threats (APTs)

– Highly-specific targeting (e.g. a particular server or application)

– Low-and-slow attacks spread unnoticed “below the radar”, i.e. below alerting thresholds, and can infect networks for months before they are detected

– Well-known examples

• STUXNET – State-developed malware attack against Iran’s nuclear processing centrifuges

• Target breach – Exfiltration of millions of customers’ credit card data on Black Friday

[Diagram: Target breach attack path, steps numbered 1–7, with nodes HVAC Svr and POS Mgmt Svr]

Page 7


Tech360 – CyberSecurity Risks

• Botnets – general-purpose, massively deployed

– Millions of IoT devices infected by various malware – Mirai, Anime, Bashlite

• Bots: CCTV cameras, DVRs, home routers, basically any Linux-based device

– Spreads by scanning IP addresses and guessing (default) passwords

• Recent attacks: Brian Krebs website (Sept. 2016), Dyn DNS Services (Oct. 21, 2016)

Page 8


Tech360 – CyberSecurity Risks

• Botnet Types

– Command & Controlled – bots controlled remotely

• APTs (similar to Target but more wide-spread)

• Distributed Denial of Service (DDOS) – effects range from annoying, through revenue loss, to loss of critical services such as 911

– Self-destructive – bots kill their hosts

• Cyber Warfare (power grids, financial systems, military C&C)

• Cyber Terrorism (in-flight systems, air traffic control, public transit, power/water infrastructure, medical devices)

Page 9


Tech360 – CyberSecurity Risks

• Insider Threats

– Edward Snowden – malicious actor

– Typical employees – working at/from home

– Risks

• Improper access to information

• Exfiltration of that information to public/private servers

Page 10


Tech360 – CyberSecurity Mitigations

• Tried and True Approaches

– Strong passwords

– Application layer ACLs

– Perimeter firewalls, intrusion detection, etc.

• Emerging Approaches

– Behavioral analysis by Security Information and Event Management (SIEM) systems

• Pattern recognition of anomalous activity – Joe logs on at 3:00 AM from China!!!

• Autonomic mitigation – quarantine Joe
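The SIEM behavioural-analysis bullets above, worked as an added example that is not part of the deck or of any Unisys product: a per-user baseline (countries and logon hours seen before) is built from constructed logon records, and a new logon is scored against it; the log format, the three-hour drift threshold and the rule that two independent anomalies trigger quarantine while one only alerts are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample logon records (hypothetical format): timestamp, user, country.
HISTORY = """2016-11-01T13:02:11Z logon user=joe country=US
2016-11-02T14:10:45Z logon user=joe country=US
2016-11-03T12:55:09Z logon user=joe country=US
2016-11-01T09:30:00Z logon user=ann country=DE
2016-11-02T22:15:00Z logon user=ann country=DE""".splitlines()

LOG_RE = re.compile(r"\S+T(?P<hour>\d{2}):\d{2}:\d{2}Z logon user=(?P<user>\w+) country=(?P<country>[A-Z]{2})")

def parse(line):
    """Return {'user', 'hour', 'country'} or None for a line that does not match."""
    m = LOG_RE.match(line)
    return None if m is None else {"user": m["user"], "hour": int(m["hour"]), "country": m["country"]}

def build_baseline(lines):
    """Per-user set of countries and logon hours seen in the history."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ev in filter(None, map(parse, lines)):
        base[ev["user"]]["countries"].add(ev["country"])
        base[ev["user"]]["hours"].add(ev["hour"])
    return base

def hour_distance(h, hours):
    """Smallest circular distance on a 24h clock from h to any baseline hour."""
    return min(min(abs(h - b), 24 - abs(h - b)) for b in hours)

def assess(line, base, max_hour_drift=3):
    """Return (action, reason). Two independent anomalies (new country AND unusual
    hour) trigger autonomic quarantine; a single anomaly only raises an alert."""
    ev = parse(line)
    if ev is None:
        return "ignore", "unparsed line"
    b = base.get(ev["user"])
    if b is None:
        return "alert", "no baseline for user"  # first-seen user: alert, never auto-quarantine
    reasons = []
    if ev["country"] not in b["countries"]:
        reasons.append(f"new country {ev['country']}")
    if hour_distance(ev["hour"], b["hours"]) > max_hour_drift:
        reasons.append(f"unusual hour {ev['hour']:02d}:00")
    if len(reasons) == 2:
        return "quarantine", "; ".join(reasons)
    if reasons:
        return "alert", reasons[0]
    return "allow", "matches baseline"

BASELINE = build_baseline(HISTORY)
```

Joe's 3:00 AM logon from a new country scores two anomalies and is quarantined; Ann's 2:00 AM logon from her usual country scores one and only alerts.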

Page 11


Tech360 – CyberSecurity Mitigations

• Emerging Approaches (cont.)

– Micro-segmentation

• Software Defined Networks (SDNs)

– Controlled traffic flows

– Integrated into infrastructure

Page 12


Tech360 – CyberSecurity Mitigations

• Emerging Approaches (cont.)

– Micro-segmentation

• Software Defined Networks (SDNs)

– Controlled traffic flows

– Integrated into infrastructure

• Identity/Role-based policy enforcement

• Discover

Page 13


Tech360 – CyberSecurity Mitigations

• Emerging Approaches (cont.)

– Micro-segmentation

• Software Defined Networks (SDNs)

– Controlled traffic flows

– Integrated into infrastructure

• Identity/Role-based policy enforcement

• Discover, Affinitize

Page 14


Tech360 – CyberSecurity Mitigations

• Emerging Approaches (cont.)

– Micro-segmentation

• Software Defined Networks (SDNs)

– Controlled traffic flows

– Integrated into infrastructure

• Identity/Role-based policy enforcement

– Departmental, regulatory, organizational roles i.e. Communities of Interest (COIs)

• Discover, Affinitize, Model

Page 15


Tech360 – CyberSecurity Mitigations

• Emerging Approaches (cont.)

– Micro-segmentation

• Software Defined Networks (SDNs)

– Controlled traffic flows

– Integrated into infrastructure

• Identity/Role-based policy enforcement

– Departmental, regulatory, organizational roles i.e. Communities of Interest (COIs)

– Control traffic into, within, and out of COIs based on user’s/server’s identity

• Discover, Affinitize, Model, Deploy

Page 16


Tech360 – CyberSecurity Mitigations

• Emerging Approaches (cont.)

– Micro-segmentation

• Software Defined Networks (SDNs)

– Controlled traffic flows

– Integrated into infrastructure

• Identity/Role-based policy enforcement

– Departmental, regulatory, organizational roles i.e. Communities of Interest (COIs)

– Control traffic into, within, and out of COIs based on user’s/server’s identity

• Data encryption (compliance requirements)

– In-motion

– At-rest

• Discover, Affinitize, Model, Deploy

Page 17


Tech 360

November 11, 2016

The Unisys Stealth program is a suite of security products spanning network security, identity management, physical security, and analytics.

Page 18


Tech360 – Stealth(core): Proven Technology

Achieve Unified Security Policy for Datacenter, Remote Office, Cloud, and Mobile

Streamline provision of resources with “Baked-In” agile security

Achieve Network Segmentation without “Rip and Replace” or Network Redesign

Certified through NSA for NIAP and CSfC Certifications

Integrate Stealth into Defense in Depth Architecture to provide a means to Rapidly React to Security Events: Quarantine and Remediate

Leverage existing Identity Store (ICAM) to drive RBAC to define level of Access and Privilege. Mitigate risk of Insider Threat by enforcing “Least Privilege” and “Need to know”

Easily create a well-defined Security Boundary (as per FIPS and NIST) to meet many controls outlined in PCI-DSS, IRS Pub 1075, and HIPAA

Tech 10 Security Products: Advanced Threat Protection

Frost & Sullivan 2015 New Product Innovation Award

[Timeline figure, 2005–2016, “Encrypted Network Security Crypto-Module”: JFCOM JIL Testbed IO Range (2005); CWID-05 USAF; Network Risk Assessment, AF Comm Agency, CWID-05; DIACAP MAC-1 Certification, JFCOM; CWID-08 DISA; CWID-09 DISA; JUICE-09 CECOM; Combined Endeavour EUCOM; CWID-10 SOCOM; DIACAP MAC-1 Certification, CWID-10; GTRI DJC2 PMO; SPAWAR; SOCOM R&D Prototype; Emerald Warrior SIPRNet IATT; Private Lab SSVT Validation; Large Integrator Stealth Tests; IV&V, National Center for Counter-terrorism and Cybercrime; Export License, Dept. of Commerce; FIPS 140-2 Certification, NIST; EAL4+ Certification, NIAP; Independent Testing by 3rd Party (and again, different client, different tester); Commercial & Public Sector; InterOp 2012 “Hot New Product”; 2015 3rd Party QSA/PEN Testing (PCI Compliance), and again; 2016 Certified for NSA-CSfC validation]

CECOM – Communications Electronics Command (US Army)

CSfC – Commercial Solutions for Classified

CWID – Coalition Warrior Interoperability Demonstration

DIACAP – DoD Information Assurance Certification and Accreditation Process

DISA – Defense Systems Information Agency

DJC2 – Deployable Joint Command and Control

EUCOM – European Command

GTRI – Georgia Tech Research Institute

JFCOM – Joint Forces Command

JIL – Joint Intelligence Laboratory

JUICE – Joint User Interoperability Communications Exercise

MAC – Mission Assurance Category (Level 1 is Highest)

NIAP – National Information Assurance Partnership

NIST – National Institute of Standards and Technology

SOCOM – Special Operations Command

Page 19


Tech360 – Stealth(core): What It Is

Stealth Core is a set of products and technologies that microsegment any IP network into identity-based virtualized networks with customized security policies.

Stealth Core is NOT your typical firewall, VLAN, or VPN approach to network security, although it has aspects of all of those technologies.

Implementing the principle that endpoints (servers and workstations) should protect themselves, Stealth creates cryptographically-enforced microsegment perimeters within your corporate enterprise network.

Through simple policies that are integrated with your Identity Management infrastructure, Stealth protects critical assets from both internal and external threats.

Page 20


Tech360 – Stealth(core): What It Does

Stealth Core automatically virtualizes any IP network into isolated, user/role-based Communities of Interest

• Stealth endpoint (server and workstation) operations are automatic without end user intervention or app changes

• Stealth virtualizes networks by establishing endpoint-to-endpoint IPsec tunnels on top of physical or virtual networks

• Any IP network, including WANs, LANs, VLANs, WiFi, 3G/4G, and clouds, can be Stealth-enabled

•Virtual networks are isolated from each other through the use of very strong (Suite B) cryptography

•Stealth policies are applied based on the user’s role in an organization, not by device, VLAN, switch port, etc.

•Membership in a mutual Community of Interest determines whether endpoints can communicate. To non-members, endpoints are “dark”

FIPS certified crypto: AES-256 GCM/CBC+SHA-1, Elliptic Curve DH and DSA, …

[Diagram: example Communities of Interest – Finance, Legal, Customer Support, Engineering]
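The mutual-COI rule on this slide and the identity-based traffic control on the micro-segmentation slides, modelled as an added example that is not Stealth code or any Unisys product: endpoints carry COI memberships, two endpoints may talk only when they share a COI, non-members see the peer as dark, and a reachability audit (the Model step) finds multi-homed endpoints that bridge COIs; the endpoint names, COI names and inventory are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    cois: frozenset = frozenset()  # COI memberships, derived from the identity store

def decide(src, dst):
    """'allow' when src and dst share a COI (mutual membership). Otherwise 'dark':
    the packet is dropped silently, so the non-member learns nothing about dst."""
    return "allow" if src.cois & dst.cois else "dark"

def reachability(endpoints):
    """Name -> names each endpoint may reach. Run over the modelled inventory
    before deployment (the Model step) to expose unintended east/west paths."""
    return {e.name: {o.name for o in endpoints if o is not e and decide(e, o) == "allow"}
            for e in endpoints}

def hop_path(endpoints, start, goal):
    """Shortest chain of allowed hops from start to goal, or None. Any intermediate
    node is a multi-homed endpoint bridging two COIs: the audit finding to act on."""
    graph = reachability(endpoints)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

# Constructed sample inventory (hypothetical names). hvac-srv and pos-mgmt-srv echo
# the Target breach diagram: with no mutual COI the HVAC server cannot reach the
# POS server directly, but it-admin-ws, a member of both COIs, would bridge them.
INVENTORY = [
    Endpoint("hvac-srv", frozenset({"facilities"})),
    Endpoint("facilities-ws", frozenset({"facilities"})),
    Endpoint("it-admin-ws", frozenset({"facilities", "finance"})),
    Endpoint("pos-mgmt-srv", frozenset({"finance", "retail-ops"})),
    Endpoint("finance-ws", frozenset({"finance"})),
    Endpoint("legal-ws", frozenset({"legal"})),
    Endpoint("eng-build-srv", frozenset({"engineering"})),
]
BY_NAME = {e.name: e for e in INVENTORY}
```

The audit output for the constructed inventory is that the HVAC server is dark to the POS server directly, yet a two-hop path exists through the dual-COI admin workstation, which is exactly the kind of membership to tighten before deploying the policy.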

Page 21


Tech360 – CyberSecurity Summary

• Best Practices

– Strong passwords

– Perimeter firewalls

– Endpoint protection

• New Stuff

– SIEM tools

– Micro-segmentation

– Encryption

Page 22


Tech360 – CyberSecurity Q&A

Thank-You

Questions?