© Institute of Internal Auditors 2019
CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI | #IIACHI | WWW.FACEBOOK.COM/IIACHICAGO | HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977

Auditing Cyber Defense Technologies

Stephen Head | Experis Finance

APRIL 1, 2019


Agenda

Cyber Risks

Endpoint Protection

Next-Generation Layer 7 Firewalls

Multifactor Authentication

Email Filtering

Vulnerability Scanning

Penetration Testing


Security Information and Event Management (SIEM)

Intrusion Detection (IDS)/Intrusion Prevention (IPS)

Security Operations Center (SOC)

Threat Intelligence

Computer Forensics

Cloud Security

Summary


Headlines Highlight Increased Risk


Pundits extol the costs of breaches and cyber attacks, but few offer anything beyond anecdotal data collected through surveys. According to the Ponemon Institute, as of 2018:

• $3.86 million is the average total cost of a data breach
• 6.4% increase in the total cost of a data breach since 2017
• $148 is the average cost per lost or stolen record

The only cost that truly matters is the one your organization must deal with!

Not IF, but WHEN You Will Be Attacked

Source: Ponemon Institute


Data Losses Are Only One Aspect of a Broader Issue

Organizations Are Dealing With Multiple Impacts

Source: http://www.emc.com/collateral/other/emc-trust-curve-es.pdf


What Regulators are Saying

• Cybercriminals can cause significant financial losses for regulated entities as well as for consumers whose private information may be revealed and/or stolen for illicit purposes.

• The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.

• Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted.

Source: New York State DFS 23 NYCRR 500


Emerging Global Risk and Trends

• German Steel Mill – Hackers struck a steel mill in Germany by manipulating and disrupting control systems, resulting in “massive” damage
• Hollywood Presbyterian Medical Center – Ransomware locked doctors out of patient records for more than a week. Hackers demanded $3.6M
• “. . . we fully expect a business to fail due to the financial consequences of a cyber-attack.”¹
• Cyber-attacks are costing businesses $400 to $500 billion a year²
• Cyber resiliency should be part of BCM (business continuity management) efforts

¹ Source: Lloyd’s insurer Aegis London
² Source: Forbes, “The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment and Industry Statistics,” October 2015


Source: https://www.secureworldexpo.com/industry-news/cyber-risk-is-business-risk


Attackers, Targets and Motivations are Evolving

Threat Actors:
• Nation State
• Hacktivists
• Lone Wolves
• Insiders
• Criminal Underground

Motives (one cell per actor, as laid out on the slide):
• Political Agenda • Military Agenda • Economic Harm
• Theft • Fraud • Ransom
• Political Agenda • Personal Agenda • Social Change
• Thrill Seeking • Personal Gain • Social Status
• Financial Gain • Social/Political Gain • Revenge

Attack Targets (one cell per actor):
• Intellectual Property • Sensationalism • Critical Infrastructure
• Personal Information • Credit Card Data • Device Manipulation
• Corporate Sensitive • Key Employee Information
• Device Control • Vandalism • Harassment
• Device Control • Vandalism • Harassment

Risks (one cell per actor):
• Competitive Impact • Service Disruptions • Design Disclosure
• Regulatory Sanctions • Lawsuits • Loss of Reputation
• Brand Damage • Business Disruption • Loss of Reputation
• Competitive Impact • Business Disruption • Loss of Reputation
• Business Disruption • Brand Damage • Personal Safety


Anatomy of an Attack

Each attack type is unique, but most have a similar structure. The right sensors, when monitored and acted upon, can prevent or detect attacks at each critical phase.

Phases, with an example of each:

• Planning / Information Gathering – Identify employees and contact information; use information available on the internet or information coerced via various means
• Initial Attack and Breach – Create a spoofed web site; send a malicious link; wait for results; identify vulnerable systems, services and processes; gain access to the internal network or systems
• Establish Command and Control – Establish a means of controlling a “base” for gathering more network details and exploitation; malware takes effect; test for access and connectivity, conduct scans, identify resources
• Additional Exploitation – Search for information sources; obtain additional credentials/authorizations; attempt additional exploits; identify additional vulnerabilities, execute exploits, collect information
• Data Exfiltration and Persistence – Remove or extract the data obtained; avoid discovery; identify additional vulnerabilities


Endpoint Protection

This category consists of software designed to protect the endpoint (server, client, mobile device, etc.) from attacks by malware, bots, or intruders.

Modern endpoint protection software uses multiple methods to identify hostile or unknown software packages.

Symantec, for example, includes a Host Intrusion Prevention System (HIPS) component.

Cylance uses a proprietary database of malware attributes and blocks software that matches them from executing.


Endpoint Protection

Examples: Symantec, McAfee, Cylance

Audit Considerations:
• Distribution to all endpoints
• Endpoint detection settings
• Alerts generated from endpoint software


Next-Generation Layer 7 Firewalls

“Layer 7” capabilities indicate that the device can inspect application-layer traffic (for example, HTTP requests and their payloads) rather than only ports and addresses, and report anomalies or malicious indicators.

According to Gartner, 75% of attacks now take place at the application layer.

A majority of recent vulnerabilities affect web applications.

Next-generation devices often incorporate features normally found in separate devices, such as intrusion detection, malware detection, sandboxing, etc.


Next-Generation Layer 7 Firewalls

Examples: Palo Alto, Check Point, Cisco and Fortinet

Audit Considerations:
• Failure to implement key features
• Proper sizing of hardware, features installed, and network throughput to ensure adequate capacity
• Lack of log retention, or no aggregation and correlation of logs


Multifactor Authentication

Multifactor Authentication (MFA) reduces the risk of account takeover through stolen or guessed passwords by requiring two or more independent methods (for example, something the user knows and something the user has) to confirm the identity of the user.

Many solutions perform MFA by providing a secondary “check” of the user’s identity: after the user successfully submits an ID/password combination, the solution communicates some form of one-time code to the user (or the user’s registered device generates it), and the user must enter that code into a portal or application provided by the solution. The code is verified on the backend to confirm the identity of the user.
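The backend verification step described above, as an added example that is not part of the presentation: a time-based one-time password (TOTP, RFC 6238) check of the kind most authenticator apps rely on. The server derives the same six-digit code from a shared secret and the current 30-second time step, compares in constant time, tolerates one step of clock drift, and refuses to accept a code for a time step it has already consumed. The shared secret is the RFC 6238 reference-vector secret, used here only so the output can be checked; the class and function names are this example’s own.

```python
"""TOTP second-factor check on the backend (RFC 6238), with replay protection.

Added example; not from the presentation. The shared secret below is the
RFC 6238 reference-vector secret, used here only so the output is checkable.
"""
import hashlib
import hmac
import struct

# Demo secret (ASCII "12345678901234567890"). In a real deployment it is
# per-user, random, stored encrypted and never shared between users.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is derived from time, so client and server agree without shared state."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the 'code is verified on the backend' step.

    Accepts a code for the current step or one step either side (clock drift),
    compares in constant time, and never accepts the same time step twice.
    """

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - self.drift_steps, now_step + self.drift_steps + 1):
            if step <= self.last_accepted_step:
                continue  # replay of an already-used code, or an older one
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET, now)          # what the user's authenticator app would show
    server = TotpVerifier(DEMO_SECRET)
    print("first use accepted:", server.verify(code, now))   # True
    print("replay accepted:   ", server.verify(code, now))   # False
```

Two points this makes concrete for the audit considerations that follow: a code derived from something the user possesses is a genuinely different factor, whereas a second password or a security question is not; and the check only protects the paths on which it is enforced, so a legacy protocol or API that skips the verifier is a bypass regardless of how strong the verifier is.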


Multifactor Authentication

Examples: Google Authenticator, LastPass Authenticator, Microsoft Authenticator, Okta

Audit Considerations:
• Exempting certain classes of users
• Access paths that bypass multifactor
• Authentication that pretends to be but is not truly multifactor


Email Filtering

This involves filtering incoming mail, identifying whether such mail is part of a phishing campaign, and automatically removing email after the fact, even if users have already received it.

This would occur if the email was not identified as malicious when it was initially received by the organization’s email server, but was later flagged by the security industry as part of a criminal effort.

Filtering may also involve egress filtering of PII.


Email Filtering

Example: Proofpoint

Audit Considerations:
• Administration procedures should be formalized
• Filtering should encompass the entire enterprise and not just certain business units
• Filtering is tuned to minimize type 1 and type 2 errors (false positives that block legitimate mail, and false negatives that let malicious mail through)
• Is PII subject to filtering?
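The two mechanics described on these slides, as an added example that is not from the presentation or any vendor: retroactive removal of already-delivered mail once a domain is later flagged, and egress filtering for PII. The card check is Luhn-validated, which is the usual way to cut type 1 errors on digit strings that merely look like card numbers. The delivery log, domains, addresses and numbers are constructed test data, and the function names are this example’s own.

```python
"""Two email-filtering mechanics as an added example (not from the presentation).

(1) Retroactive removal: a domain the gateway let through is later published
as malicious, so the filter finds already-delivered messages linking to it
and queues them for recall.
(2) Egress PII filtering: outbound text is checked for payment-card numbers
(Luhn-validated) and US SSN patterns.
Message records, domains, addresses and numbers are constructed test data.
"""
import re

# Constructed delivery log: what the gateway already let through.
DELIVERED = [
    {"id": "m1", "to": "cfo@example.com", "unit": "finance",
     "urls": ["https://login-example.invalid/reset"]},
    {"id": "m2", "to": "eng@example.com", "unit": "engineering",
     "urls": ["https://docs.example.com/spec"]},
    {"id": "m3", "to": "hr@example.com", "unit": "hr",
     "urls": ["http://LOGIN-example.invalid:8080/hr"]},
]

# Indicator that arrives after delivery (constructed).
LATER_FLAGGED_DOMAINS = {"login-example.invalid"}

DOMAIN_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)


def domain_of(url: str) -> str:
    """Host part of a URL, lower-cased; ports and paths are ignored."""
    m = DOMAIN_RE.match(url)
    return m.group(1).lower() if m else ""


def recall_candidates(delivered, flagged_domains):
    """Message ids to pull back from mailboxes once an indicator is published."""
    return [m["id"] for m in delivered
            if any(domain_of(u) in flagged_domains for u in m["urls"])]


# --- egress PII ---------------------------------------------------------------
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812), used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(body: str):
    """Return (kind, last four digits) for each probable card number or SSN in the text."""
    hits = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits[-4:]))
    for m in SSN_RE.finditer(body):
        hits.append(("ssn", m.group(0)[-4:]))
    return hits


def egress_decision(body: str) -> str:
    """Block outbound mail that carries PII; a real gateway would quarantine and notify."""
    return "block" if find_pii(body) else "allow"


if __name__ == "__main__":
    print("recall:", recall_candidates(DELIVERED, LATER_FLAGGED_DOMAINS))
    print("outbound:", egress_decision("Card 4111 1111 1111 1111 exp 12/22"))
```

The recall query runs over every delivered message regardless of business unit, which is the point of the “entire enterprise” consideration: a filter scoped to one unit cannot claw back the copy that landed in another.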


Vulnerability Scanning

There are many commercial vulnerability scanners. Most of these are well designed and have robust research organizations supporting them. The best scanners not only indicate what vulnerabilities exist, but also provide guidance regarding the vendor’s recommended fix for these issues.

Vulnerability scanning software allows the user to mark certain findings as either false positives or as accepted risk. Unfortunately, this feature is sometimes used to mask vulnerabilities that should be remediated.


Vulnerability Scanning

Examples: Nessus, Qualys, Nmap

Audit Considerations:
• Scans should not omit key infrastructure components
• Incorrectly designating vulnerabilities as “false positive” or “accepted risk” without proper vetting
• Scans should be periodically conducted (at least quarterly) and actionable items acted upon promptly
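The three audit considerations above, turned into checks an auditor can run over a scan export. This is an added example and not part of the presentation or of any scanner: the CSV layout, column names, the “HYP-” plugin identifiers, the asset inventory and the remediation deadlines are all assumptions, and a real Nessus or Qualys export would have its columns mapped onto these names first.

```python
"""Audit checks over a vulnerability-scan export (added example, not from the presentation).

Checks: (1) key assets missing from the scan, (2) findings suppressed as
"false positive"/"accepted risk" without documented justification and
approver, (3) scans older than the quarterly cadence and open findings past
their remediation deadline. Field names, ids and deadlines are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed inventory of key infrastructure that every scan must cover.
KEY_ASSETS = {"fw-edge-01", "dc-01", "db-payments-01", "web-portal-01", "vpn-01"}

# Constructed scan export; "HYP-" plugin ids are hypothetical, not a vendor's.
SCAN_CSV = """host,scan_date,plugin_id,severity,status,justification,approver
fw-edge-01,2019-03-04,HYP-1001,critical,open,,
dc-01,2019-03-04,HYP-1002,high,accepted_risk,,
dc-01,2019-03-04,HYP-1003,medium,false_positive,Service not exposed; verified by netstat,jsmith
db-payments-01,2018-11-20,HYP-1004,high,open,,
web-portal-01,2019-03-04,HYP-1005,low,accepted_risk,Legacy app; compensating WAF rule,jsmith
"""

MAX_SCAN_AGE = timedelta(days=90)                            # "at least quarterly"
REMEDIATION_SLA = {"critical": 15, "high": 30, "medium": 90}  # days; assumed policy


def load_findings(text: str):
    return list(csv.DictReader(io.StringIO(text)))


def coverage_gaps(findings, key_assets):
    """Key assets that appear in the inventory but in no scan result."""
    scanned = {f["host"] for f in findings}
    return sorted(key_assets - scanned)


def unvetted_exceptions(findings):
    """Suppressed findings with no recorded justification or approver."""
    return [f for f in findings
            if f["status"] in ("false_positive", "accepted_risk")
            and not (f["justification"].strip() and f["approver"].strip())]


def stale_or_overdue(findings, as_of: date):
    """Findings from scans older than MAX_SCAN_AGE, and open findings past their SLA."""
    stale, overdue = [], []
    for f in findings:
        age = as_of - date.fromisoformat(f["scan_date"])
        if age > MAX_SCAN_AGE:
            stale.append(f)
        sla = REMEDIATION_SLA.get(f["severity"])
        if f["status"] == "open" and sla is not None and age.days > sla:
            overdue.append(f)
    return stale, overdue


def audit(text: str = SCAN_CSV, key_assets=KEY_ASSETS, as_of: date = date(2019, 4, 1)):
    findings = load_findings(text)
    stale, overdue = stale_or_overdue(findings, as_of)
    return {
        "coverage_gaps": coverage_gaps(findings, key_assets),
        "unvetted_exceptions": [f["plugin_id"] for f in unvetted_exceptions(findings)],
        "stale_scans": sorted({f["host"] for f in stale}),
        "overdue_open": [f["plugin_id"] for f in overdue],
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Each list in the result maps to one audit consideration: an unscanned key asset, an exception nobody signed off on, and a host whose last scan predates the quarterly window or whose critical finding has sat open past the agreed deadline.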


Penetration Testing

Penetration Testing, also called Ethical Hacking, is the process of testing whether adequate security controls have been applied to the technological components of a system by attempting to subvert those controls.

With some of the newer pen testing tools, the user is not required to have any skills beyond learning the commands that must be run from the user interface; no programming, system administration, network administration, or other skills are needed. This may oversell their capabilities.

Testers should hold a Certified Ethical Hacker (CEH) certification or have equivalent real-world experience.


Penetration Testing

Examples: Metasploit, Rapid7, Kali Linux

Audit Considerations:
• Sufficient time should be provided to perform the testing; otherwise it is not a true test
• Designating parts of the infrastructure as out of scope results in a less than complete pen test (usually omitting the worst offenders)
• Pen tests should be performed at least annually


Security Information and Event Management (SIEM)

Typically, log data is collected from every kind of technology possible in order to accumulate the maximum amount of data: firewalls, routers, smart switches, wireless access points, intrusion detection/prevention systems, antivirus/endpoint protection solutions, etc.

The result is:
• Real-time monitoring of all IT infrastructure
• Correlation of events
• Analysis and reporting of security incidents
• Integration with threat intelligence
• Centralized storage of logs


Security Information and Event Management (SIEM)

Examples: AlienVault, Splunk

Audit Considerations:
• The SIEM needs to be connected to all key infrastructure elements in order to be effective.
• The SIEM needs to be tuned, with proper rules or “use cases” set up that instruct the SIEM on what to do with the data and how to label it with regard to the degree of risk.
• Lack of log retention or aggregation.
• Escalation procedures for notifications from the SIEM should be formalized.
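The first two considerations above, as an added example that is not from the presentation or from any SIEM product: a log-source coverage check (a key element that is “connected” but has gone silent is not feeding the SIEM) and one correlation “use case” (repeated logon failures followed by a success for the same account and source, labelled with a severity for escalation). The event format, hostnames, IP addresses, thresholds and the fixed “current time” are constructed for the demo.

```python
"""Two SIEM audit checks over constructed log events (added example, not from the presentation).

(1) Log-source coverage: every key infrastructure element in the inventory
must have sent an event recently, otherwise the SIEM is "connected" on paper only.
(2) A use case / correlation rule: N failed logons followed by a success for
the same account from the same source within a window, labelled with a severity.
Event format, hostnames, addresses, thresholds and the demo clock are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of sources that must feed the SIEM.
EXPECTED_SOURCES = {"fw-edge-01", "dc-01", "ids-01", "vpn-01", "epp-console"}
HEARTBEAT_MAX_GAP = timedelta(minutes=15)  # assumed: silent if no event in 15 min

# Constructed normalized events: (timestamp, source host, event type, account, src_ip)
EVENTS = [
    ("2019-04-01T09:00:01", "fw-edge-01", "allow", "", "203.0.113.9"),
    ("2019-04-01T09:00:05", "dc-01", "logon_fail", "jdoe", "203.0.113.9"),
    ("2019-04-01T09:00:07", "dc-01", "logon_fail", "jdoe", "203.0.113.9"),
    ("2019-04-01T09:00:09", "dc-01", "logon_fail", "jdoe", "203.0.113.9"),
    ("2019-04-01T09:00:11", "dc-01", "logon_fail", "jdoe", "203.0.113.9"),
    ("2019-04-01T09:00:14", "dc-01", "logon_fail", "jdoe", "203.0.113.9"),
    ("2019-04-01T09:00:20", "dc-01", "logon_ok", "jdoe", "203.0.113.9"),
    ("2019-04-01T09:01:00", "dc-01", "logon_fail", "asmith", "198.51.100.4"),
    ("2019-04-01T09:02:00", "dc-01", "logon_ok", "asmith", "198.51.100.4"),
    ("2019-04-01T08:30:00", "vpn-01", "tunnel_up", "bwong", "192.0.2.77"),
    ("2019-04-01T09:03:00", "epp-console", "malware_blocked", "", "10.0.0.23"),
]

FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=2)


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def silent_sources(events, expected, now: datetime):
    """Expected sources that never reported, or whose last event is older than HEARTBEAT_MAX_GAP."""
    last_seen = {}
    for ts, host, *_ in events:
        t = parse(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    return sorted(h for h in expected
                  if h not in last_seen or now - last_seen[h] > HEARTBEAT_MAX_GAP)


def brute_force_then_success(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Use case: >= threshold failures then a success for the same (account, src_ip) within window."""
    fails = defaultdict(list)
    alerts = []
    for ts, host, kind, account, ip in sorted(events, key=lambda e: e[0]):
        t = parse(ts)
        key = (account, ip)
        if kind == "logon_fail":
            fails[key].append(t)
        elif kind == "logon_ok":
            recent = [f for f in fails[key] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"severity": "high", "account": account, "src_ip": ip,
                               "failures": len(recent), "host": host, "at": ts})
            fails[key].clear()  # a success closes the sequence either way
    return alerts


def run_checks(now: datetime = None):
    """Both checks against the constructed data; `now` defaults to the demo clock."""
    now = now or datetime(2019, 4, 1, 9, 5, 0)
    return {"silent_sources": silent_sources(EVENTS, EXPECTED_SOURCES, now),
            "alerts": brute_force_then_success(EVENTS)}


if __name__ == "__main__":
    result = run_checks()
    print("silent sources:", result["silent_sources"])
    for alert in result["alerts"]:
        print("ALERT", alert)
```

The silent-source list is what makes the “connected to all key elements” consideration testable day to day, and the severity label on the alert is the hook the escalation procedure in the last consideration keys on.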


Intrusion Detection (IDS) / Intrusion Prevention (IPS)

These devices have grown significantly in capability and complexity over the years, to the point where they can no longer be considered simply technology that detects and/or blocks traffic based on certain attributes; they also have many other features that allow for prevention and analysis.

Modern deployments in this area are often categorized as “IDPS”, since they are intended to meet both the detection and prevention requirements. The value-add of IDS/IPS is the richness of the data that it can send to the SIEM.


Intrusion Detection (IDS) / Intrusion Prevention (IPS)

Examples: Products offered by McAfee, Darktrace, Trend Micro, Cisco

Audit Considerations:
• Sensors are not appropriately placed
• IDS/IPS is not being updated regularly
• IDS/IPS is not properly tuned (i.e., too many false positives caused the system administrator to turn down the sensitivity, thereby negating the usefulness of the detective component)
• Lack of log retention or aggregation


Security Operations Center (SOC)

The focus of a SOC is to monitor for security incidents as they occur and react to them in a timely manner.

Often, the SOC receives alerts about incidents from the SIEM, although there may be other channels through which data flows.

Once they receive a notification, the SOC analysts will examine the data received and try to determine a cause for the incident.

SOCs can be staffed in a number of ways. In many cases, a third-party security company is hired to provide coverage from a professional SOC facility.


Security Operations Center (SOC)

Examples: Can be internal or outsourced

Audit Considerations:
• Processes for triaging alerts and potential incidents, and for handling escalation of communications, should be formalized
• Since this is a 24x7 operation, formal procedures for handoff of issues during shift changes are important
• Service Level Agreements (SLAs) should be in place, with escalation depending on the severity of the event


Threat Intelligence

Threat intelligence provides access to technical and adversary intelligence collected by a vendor through thousands of monitored sensors and other proprietary mechanisms, to give early warning of potential attacks.

It may also be integrated with sensors deployed at the perimeter of the organization’s own network, to provide a more complete picture of what is happening to other organizations and how that correlates with early signs that may be showing up in IDS/IPS alerts and firewall messages.


Threat Intelligence

Examples: FireEye, DeepSight, LookingGlass

Audit Considerations:
• Threat intelligence should be integrated into the SIEM and SOC in order to be useful
• Intelligence should be updated continuously, as attacks often appear first in time zones where the business day is just getting started
• The provider should have a sufficiently large footprint for its information to be useful


Computer Forensics

Computer forensics is the practice of using digital data and records to support an investigation into behavior, be it criminal, civil, or corporate.

There are many categories of computer forensics. What they have in common is the gathering and correlation of evidence without destroying or otherwise tainting its usefulness if law enforcement is brought into the investigation.


Computer Forensics

Examples: EnCase, FTK

Audit Considerations:
• Users should have proper training in how to handle evidence and exercise proper chain of custody.
• In reviewing digital evidence, one must take special care not to taint the original. Often this means reviews should be performed against a copy of the media and never against the original.
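The “work from a copy, never the original” consideration is enforced in practice with hashes and a chain-of-custody record, shown here as an added example that is not from the presentation or from EnCase or FTK. The original is hashed once at acquisition and sealed; the working copy is hashed before and after examination, and a mismatch at either point means the copy (or the original it was taken from) no longer matches the sealed evidence. The “image” is a constructed byte string standing in for a disk image, and the item labels, actor names and log layout are assumptions.

```python
"""Verify a working copy of a forensic image against the sealed original hash and
record each step in a chain-of-custody log (added example, not from the presentation).

The "image" is a constructed byte string; item labels and log layout are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed evidence: a small byte string standing in for a disk image.
ORIGINAL_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"\x55\xAA"
CHUNK = 65536


def sha256_of(data: bytes) -> str:
    """Hash in fixed-size chunks, as you would stream a multi-GB image from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what to which item, when, with the hash observed."""

    def __init__(self):
        self.entries = []

    def record(self, item: str, action: str, actor: str, digest: str, when: str = None):
        when = when or datetime.now(timezone.utc).isoformat()
        self.entries.append({"item": item, "action": action, "actor": actor,
                             "sha256": digest, "time": when})

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


def acquire(original: bytes, log: CustodyLog, actor: str) -> str:
    """Hash the original once at acquisition and seal it; all review happens on copies."""
    digest = sha256_of(original)
    log.record("evidence-001 (original)", "acquired+hashed", actor, digest)
    return digest


def verify_copy(copy: bytes, sealed_digest: str, log: CustodyLog, actor: str, stage: str) -> bool:
    """True only if the working copy still matches the sealed original hash; the result is logged either way."""
    digest = sha256_of(copy)
    ok = digest == sealed_digest
    log.record("evidence-001 (working copy)",
               f"{stage}: {'verified' if ok else 'MISMATCH'}", actor, digest)
    return ok


def demo():
    """Acquire, verify a bit-for-bit copy, then show what a tampered copy looks like."""
    log = CustodyLog()
    sealed = acquire(ORIGINAL_IMAGE, log, "examiner-a")
    working_copy = bytes(ORIGINAL_IMAGE)                       # bit-for-bit copy
    before = verify_copy(working_copy, sealed, log, "examiner-a", "before-review")
    tampered = working_copy[:10] + b"X" + working_copy[11:]    # simulated alteration of one byte
    after = verify_copy(tampered, sealed, log, "examiner-a", "after-review")
    return before, after, log


if __name__ == "__main__":
    before, after, log = demo()
    print("copy verified before review:", before)
    print("copy verified after review: ", after)
    print(log.dump())
```

The log entries, not the examiner’s memory, are what survives into a legal proceeding: each one ties a hash to an item, an actor and a time, which is what “exercising proper chain of custody” means in auditable terms.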


Cloud Security

Cloud providers will often have security services that are either included as part of the agreement or can be purchased separately.

Some of the areas that should be focused on when setting up service agreements include:
• Governance
• Compliance
• Availability
• Data Security
• Identity and Access Management
• Disaster Recovery and Business Continuity Planning


Cloud Security

Examples: AWS, Azure

Audit Considerations:
• What type of SOC report (the service organization controls attestation, e.g. SOC 1 or SOC 2, not the operations center) is available?
• What optional security features have been included in the contract (or omitted)?
• Have all contracted-for security features been implemented?
• How are cloud security features integrated into the SIEM and SOC?


Questions and Answers?

END OF PRESENTATION

Stephen Head
Director, IT Risk Advisory Services
Experis Finance
704.953.6688
[email protected]


Thank you for your time and attention!

IIA CHAPTER CHICAGO | 59TH ANNUAL SEMINAR
