© 2016 Unisys Corporation. All rights reserved. FOR INTERNAL USE ONLY.
Tech 360 – CyberSecurity Risks and Mitigations
November 11, 2016
Rob Johnson, Distinguished Engineer, Unisys Corp.
Tech360 – CyberSecurity Risks and Mitigations
• Scope of Today’s Talk
– Breadth v. Depth
– Definitions
– Common Risks
– Emerging Mitigation Technologies
• Q&A
Tech360 – CyberSecurity Definitions
• Information Security Attributes
– Confidentiality – keep private things private
– Integrity – ensure information can’t be altered, or detected if altered
– Availability – make sure information can be used when needed
– Non-repudiation – don’t allow deniability, plausible or otherwise
• There Is No Perfect Security
– No “magic bullet”
– There are always vulnerabilities
– Good security = Layers of compensating controls
• Security is an Onion
Tech360 – CyberSecurity Risks
• Lockheed Martin’s Cyber Kill Chain Model
1) Reconnaissance: Stalk your target
2) Weaponization: Customize your malware
3) Delivery: Infect a device with access to target
4) Exploitation: Leverage target’s vulnerability
5) Installation: Transfer your malware to target
6) Command & Control: Send commands (keyboard, scripts, triggers) to target
7) Action on Objectives: Malware does its job (exfiltrate data, DDOS, self-destruct)
Tech360 – CyberSecurity Risks
• Distributed Cyber Kill Chain Model
1) Reconnaissance: Stalk your target
2) Weaponization: Customize your malware
3) Delivery: Infect a device with access to target network
4) East/West Replication: Infect neighbors
   a) Search for target and clean up
   b) Build a botnet
5) Exploitation: Leverage target’s vulnerability
6) Installation: Transfer your malware to target
7) Command & Control: Send commands (keyboard, scripts, triggers) to target
8) Action on Objectives: Malware does its job (exfiltrate data, DDOS, self-destruct)
• Advanced Persistent Threats (APTs)
– Highly-specific targeting (e.g. a particular server or application)
– Low-and-slow attacks spread unnoticed “below the radar”, i.e. below alerting thresholds, and can infect networks for months before being detected
– Well-known examples
• STUXNET – State-developed malware attack against Iran’s nuclear processing centrifuges
• Target breach – Exfiltration of millions of customers’ credit card data on Black Friday
[Figure: Tech360 – Risks – Target breach diagram, with numbered steps 1 through 7 tracing the attack path from the HVAC Svr to the POS Mgmt Svr]
Tech360 – CyberSecurity Risks
• Botnets – general-purpose, massively deployed
– Millions of IoT devices infected by various malware – Mirai, Anime, Bashlight
• Bots: CCTV cameras, DVRs, home routers, basically any Linux-based device
– Spreads by scanning IP addresses and guessing (default) passwords
• Recent attacks: Brian Krebs website (Sept. 2016), Dyn DNS Services (Oct. 21, 2016)
Tech360 – CyberSecurity Risks
• Botnet Types
– Command & Controlled – bots controlled remotely
• APTs (similar to Target but more widespread)
• Distributed Denial of Service (DDOS) – effects range from annoying, through revenue loss, to loss of critical services such as 911
– Self-destructive – bots kill their hosts
• Cyber Warfare (power grids, financial systems, military C&C)
• Cyber Terrorism (in-flight systems, air traffic control, public transit, power/water infrastructure, medical devices)
Tech360 – CyberSecurity Risks
• Insider Threats
– Edward Snowden – malicious actor
– Typical employees – working at/from home
– Risks
• Improper access to information
• Exfiltration of that information to public/private servers
Tech360 – CyberSecurity Mitigations
• Tried and True Approaches
– Strong passwords
– Application layer ACLs
– Perimeter firewalls, intrusion detection, etc.
• Emerging Approaches
– Behavioral analysis by Security Information and Event Management (SIEM) systems
• Pattern recognition of anomalous activity – Joe logs on at 3:00 AM from China!!!
• Autonomic mitigation – quarantine Joe
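The “Joe logs on at 3:00 AM from China” pattern above, as an added example (not Unisys or any SIEM vendor’s code): a per-user baseline of login hours and source countries is built from a constructed event stream, a login that is both at an unusual hour and from a never-seen country is flagged, and the autonomic action (quarantine) is emitted. The log format, user names and thresholds are assumptions for the example.

```python
# Added example (not Unisys or SIEM vendor code): per-user login baseline of
# hours and source countries, flagging a login that is both at an unusual hour
# and from a never-seen country, and emitting the autonomic action (quarantine).
from collections import defaultdict
from datetime import datetime

# Constructed sample events, oldest first: timestamp,user,source_country,result
LOG_LINES = """\
2016-11-01T09:02:11,joe,US,success
2016-11-02T08:47:30,joe,US,success
2016-11-03T09:15:02,joe,US,success
2016-11-04T17:58:44,joe,US,success
2016-11-05T03:00:09,joe,CN,success
2016-11-01T10:10:10,ann,US,success
2016-11-02T22:30:00,ann,DE,success""".splitlines()

def parse(line):
    """One CSV-style event -> dict; only the timestamp needs real parsing."""
    ts, user, country, result = line.strip().split(",")
    return {"time": datetime.fromisoformat(ts), "user": user,
            "country": country, "result": result}

def hour_distance(a, b):
    """Circular hour-of-day distance, so 23:00 and 00:00 are 1 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def detect(lines, min_history=3, hour_slack=2):
    """Return the mitigation actions a SIEM would raise for this event stream.

    An event is anomalous only when the user already has min_history events
    (a new hire with no baseline is not quarantined on day one), its hour is
    more than hour_slack from every hour seen before for that user, and its
    source country has never been seen for that user.
    """
    hours, countries = defaultdict(set), defaultdict(set)
    history, actions = defaultdict(int), []
    for ev in map(parse, lines):
        user, hour, country = ev["user"], ev["time"].hour, ev["country"]
        odd_hour = all(hour_distance(hour, h) > hour_slack for h in hours[user])
        new_country = country not in countries[user]
        if history[user] >= min_history and odd_hour and new_country:
            actions.append({"user": user, "action": "quarantine",
                            "reason": f"login at {hour:02d}:00 from {country}"})
        # The event joins the baseline either way; a real SIEM would hold
        # quarantined logins out of the baseline pending analyst review.
        history[user] += 1
        hours[user].add(hour)
        countries[user].add(country)
    return actions
```

Requiring both an odd hour and a new country is what keeps a late night from a known location, or travel during office hours, below the alerting threshold.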
Tech360 – CyberSecurity Mitigations
• Emerging Approaches (cont.)
– Micro-segmentation
• Software Defined Networks (SDNs)
– Controlled traffic flows
– Integrated into infrastructure
• Identity/Role-based policy enforcement
– Departmental, regulatory, organizational roles, i.e. Communities of Interest (COIs)
– Control traffic into, within, and out of COIs based on user’s/server’s identity
• Data encryption (compliance requirements)
– In-motion
– At-rest
• Discover, Affinitize, Model, Deploy
The Unisys Stealth program is a suite of security products spanning network security, identity management, physical security, and analytics.
Tech360 – Stealth(core): Proven Technology
• Achieve Unified Security Policy for Datacenter, Remote Office, Cloud, and Mobile
• Streamline provision of resources with “Baked-In” agile security
• Achieve Network Segmentation without “Rip and Replace” or Network Redesign
• Certified through NSA for NIAP and CSfC Certifications
• Integrate Stealth into Defense in Depth Architecture to provide a means to Rapidly React to Security Events: Quarantine and Remediate
• Leverage existing Identity Store (ICAM) to drive RBAC to define level of Access and Privilege. Mitigate risk of Insider Threat by enforcing “Least Privilege” and “Need to know”
• Easily create a well-defined Security Boundary (as per FIPS and NIST) to meet many controls outlined in PCI-DSS, IRS Pub 1075, and HIPAA
[Figure: Stealth certification and testing timeline, 2005–2016. Milestones legible in the graphic: Encrypted Network Security Crypto-Module; JFCOM JIL Testbed IO Range (2005); CWID-05 (USAF; Network Risk Assessment, AF Comm Agency); CWID-08 (DISA); CWID-09 (DISA); JUICE 09 (CECOM); Combined Endeavour (EUCOM); CWID-10 (SOCOM; DIACAP MAC-1 Certification); GTRI DJC2 PMO; SPAWAR; Private Lab SSVT Validation; Large Integrator Stealth Tests IV&V; National Center for Counter-terrorism and Cybercrime; SOCOM R&D Prototype; Emerald Warrior SIPRNet IATT; DIACAP MAC-1 Certification (JFCOM); Export License (Dept. of Commerce); FIPS 140-2 Certification (NIST); EAL4+ Certification (NIAP); Independent 3rd Party Testing, and again with a different client and different tester, Commercial & Public Sector; InterOp 2012 “Hot New Product”; Tech 10 Security Products: Advanced Threat Protection; Frost & Sullivan 2015 New Product Innovation Award; 3rd Party QSA / PEN Testing (PCI Compliance), 2015, and again; Certified for NSA-CSfC validation (2016).]
Abbreviations:
CECOM – Communications Electronics Command (US Army)
CSfC – Commercial Solutions for Classified
CWID – Coalition Warrior Interoperability Demonstration
DIACAP – DoD Information Assurance Certification and Accreditation Process
DISA – Defense Systems Information Agency
DJC2 – Deployable Joint Command and Control
EUCOM – European Command
GTRI – Georgia Tech Research Institute
JFCOM – Joint Forces Command
JIL – Joint Intelligence Laboratory
JUICE – Joint User Interoperability Communications Exercise
MAC – Mission Assurance Category (Level 1 is Highest)
NIAP – National Information Assurance Partnership
NIST – National Institute of Standards and Technology
SOCOM – Special Operations Command
Tech360 – Stealth(core): What It Is
Stealth Core is a set of products and technologies that microsegment any IP network into identity-based virtualized networks with customized security policies.
Stealth Core is NOT your typical firewall, VLAN, or VPN approach to network security, although it has aspects of all of those technologies.
Implementing the principle that endpoints (servers and workstations) should protect themselves, Stealth creates cryptographically-enforced microsegment perimeters within your corporate enterprise network.
Through simple policies that are integrated with your Identity Management infrastructure, Stealth protects critical assets from both internal and external threats.
Tech360 – Stealth(core): What It Does
Stealth Core automatically virtualizes any IP network into isolated, user/role-based Communities of Interest
• Stealth endpoint (server and workstation) operations are automatic without end user intervention or app changes
• Stealth virtualizes networks by establishing endpoint-to-endpoint IPsec tunnels on top of physical or virtual networks
• Any IP network, including WANs, LANs, VLANs, WiFi, 3G/4G, and clouds, can be Stealth-enabled
• Virtual networks are isolated from each other through the use of very strong (Suite B) cryptography
• Stealth policies are applied based on the user’s role in an organization, not by device, VLAN, switch port, etc.
• Membership in a mutual Community of Interest determines whether endpoints can communicate. To non-members, endpoints are “dark”
• FIPS certified crypto: AES-256 GCM/CBC+SHA-1, Elliptic Curve DH and DSA, …
[Figure: example Communities of Interest – Finance, Legal, Customer Support, Engineering]
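The COI rule above (and the “control traffic into, within, and out of COIs based on identity” bullet on the micro-segmentation slide), as an added example that is not Stealth’s own code or API: roles resolved from an identity store map to COIs, two endpoints may talk only when they share a COI, cross-COI traffic needs an explicit directional ingress rule, and everything else is dropped with no reply, which is what makes a non-member see the endpoint as dark. The role names, COIs, rules and addresses are all constructed for the example.

```python
# Added example (not Stealth's code or API): an identity-based Community of
# Interest (COI) policy check. Roles come from the identity store; two endpoints
# may talk only when they share a COI, non-members get no reply at all (the
# endpoint is "dark"), and cross-COI traffic needs an explicit ingress rule.
# All role names, COIs, rules and addresses below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str                 # present only to stress that policy ignores address
    roles: frozenset        # what the identity store says about this user/server

# Role -> COIs granted. A user with several roles is in several COIs.
ROLE_TO_COI = {
    "finance-user": {"Finance"},
    "cfo": {"Finance", "Legal"},
    "lawyer": {"Legal"},
    "support-agent": {"Customer Support"},
    "engineer": {"Engineering"},
}
# Directed cross-COI rules: destination COI -> source COIs allowed *into* it.
# Nothing lets Legal initiate toward Finance, so that direction stays dark.
INGRESS_ALLOWED = {"Legal": {"Finance"}}

def cois_for(endpoint):
    """Resolve an endpoint's COIs from its roles; unknown roles grant nothing."""
    return set().union(*(ROLE_TO_COI.get(r, set()) for r in endpoint.roles))

def decide(src, dst):
    """'allow' or 'drop' for traffic src -> dst.

    'drop' means no SYN/ACK and no RST: the destination does not exist as far
    as a non-member is concerned, which is the "dark" property on the slide.
    """
    src_cois, dst_cois = cois_for(src), cois_for(dst)
    if src_cois & dst_cois:
        return "allow"                       # within a mutual COI
    for coi in dst_cois:
        if src_cois & INGRESS_ALLOWED.get(coi, set()):
            return "allow"                   # explicitly permitted into this COI
    return "drop"

def reachability(endpoints):
    """Matrix {src: {dst: decision}} for every ordered pair, self excluded."""
    return {a.name: {b.name: decide(a, b) for b in endpoints if b is not a}
            for a in endpoints}
```

Note that two endpoints on the same subnet get different answers in each direction purely from their roles; the IP address never enters the decision.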
Tech360 – CyberSecurity Summary
• Best Practices
– Strong passwords
– Perimeter firewalls
– Endpoint protection
• New Stuff
– SIEM tools
– Micro-segmentation
– Encryption
Tech360 – CyberSecurity Q&A
Thank You
Questions?