
  • © Institute of Internal Auditors 2019 | CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI | #IIACHI | WWW.FACEBOOK.COM/IIACHICAGO | HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977

  • Auditing Cyber Defense Technologies

    Stephen Head | Experis Finance

    April 1, 2019

  • Agenda

    Cyber Risks

    Endpoint Protection

    Next-Generation Layer 7 Firewalls

    Multifactor Authentication

    Email Filtering

    Vulnerability Scanning

    Penetration Testing

    Security Information and Event Management (SIEM)

    Intrusion Detection (IDS)/Intrusion Prevention (IPS)

    Security Operations Center (SOC)

    Threat Intelligence

    Computer Forensics

    Cloud Security

    Summary

  • Headlines Highlight Increased Risk

  • Pundits extol the costs of breaches and cyber attacks, but few offer anything beyond anecdotal data collected through surveys. According to the Ponemon Institute, as of 2018:

    The only cost that truly matters is the one your organization must deal with!

    $3.86 million is the average total cost of a data breach

    6.4% increase in the total cost of a data breach since 2017

    $148 is the average cost per lost or stolen record

    Not IF, but WHEN You Will Be Attacked

    Source: Ponemon Institute

  • Data Losses Are Only One Aspect of a Broader Issue

    Organizations Are Dealing With Multiple Impacts

    Source: http://www.emc.com/collateral/other/emc-trust-curve-es.pdf

  • What Regulators are Saying

    • Cybercriminals can cause significant financial losses for regulated entities as well as for consumers whose private information may be revealed and/or stolen for illicit purposes.

    • The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.

    • Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted.

    Source: New York State DFS 23 NYCRR 500

  • Emerging Global Risk and Trends

    German Steel Mill – Hackers struck a steel mill in Germany by manipulating and disrupting control systems, resulting in “massive” damage

    Hollywood Presbyterian Medical Center – Ransomware locked doctors out of patient records for more than a week. Hackers demanded $3.6M

    “. . . we fully expect a business to fail due to the financial consequences of a cyber-attack.” [1]

    Cyber-attacks are costing businesses $400 - $500 billion a year [2]

    Cyber resiliency should be part of BCM efforts

    [1] Source: Lloyd’s insurer Aegis London
    [2] Source: Forbes, “The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment and Industry Statistics”, October 2015
    Source: https://www.secureworldexpo.com/industry-news/cyber-risk-is-business-risk

  • Attackers, Targets and Motivations are Evolving

    The slide is a table with one row per threat actor and columns for Motives, Attack Targets and Risks; the cells are listed here by column.

    Threat Actors:
    • Nation State
    • Hacktivists
    • Lone Wolves
    • Insiders
    • Criminal Underground

    Motives:
    • Political Agenda • Military Agenda • Economic Harm
    • Theft • Fraud • Ransom
    • Political Agenda • Personal Agenda • Social Change
    • Thrill Seeking • Personal Gain • Social Status
    • Financial Gain • Social/Political Gain • Revenge

    Attack Targets:
    • Intellectual Property • Sensationalism • Critical Infrastructure
    • Personal Information • Credit Card Data • Device Manipulation
    • Corporate Sensitive • Key Employee Information
    • Device Control • Vandalism • Harassment
    • Device Control • Vandalism • Harassment

    Risks:
    • Competitive Impact • Service Disruptions • Design Disclosure
    • Regulatory Sanctions • Lawsuits • Loss of Reputation
    • Brand Damage • Business Disruption • Loss of Reputation
    • Competitive Impact • Business Disruption • Loss of Reputation
    • Business Disruption • Brand Damage • Personal Safety

  • Anatomy of an Attack

    Each attack type is unique, but most have a similar structure. The right sensors, when monitored and acted upon, can prevent or detect attacks at each critical phase.

    Phases:
    • Planning/Information Gathering
    • Initial Attack and Breach
    • Establish Command and Control
    • Additional Exploitation
    • Data Exfiltration and Persistence

    Example (the activities the slide lists against the phases above):
    • Identify employees and contact information; information available on the internet; information coerced via various means
    • Create a spoofed web site; send malicious link; wait for results
    • Identify vulnerable systems, services, processes; gain access to internal network or systems
    • Establish a means of controlling a “base” for gathering more network details and exploitation; malware takes effect
    • Search for information sources; additional credentials/authorizations; attempt additional exploits
    • Remove or extract data obtained; avoid discovery
    • Test for access, connectivity; conduct scans; identify resources
    • Identify additional vulnerabilities; execute exploits; collect information
    • Identify additional vulnerabilities

  • Endpoint Protection

    This category consists of software designed to protect the endpoint (server, client, mobile device, etc.) from attacks by malware, bots, or intruders.

    Modern endpoint protection software uses multiple methods to determine the identity of hostile or unknown software packages.

    Symantec, for example, has a Host Intrusion Prevention System (HIPS) component.

    Cylance uses a proprietary database of malware attributes and blocks such software from executing when it detects it.

  • Endpoint Protection Examples:

    Symantec, McAfee, Cylance

    Audit Considerations:

    Distribution to all endpoints

    Endpoint detection settings

    Alerts generated from endpoint software


  • Next-Generation Layer 7 Firewalls

    “Layer 7” capabilities indicate that the device can efficiently examine application-layer traffic and report any anomalies or malicious indicators.

    According to Gartner, 75% of attacks now take place at the application layer.

    A majority of recent vulnerabilities affect web applications.

    Next-generation devices often incorporate features normally found in separate devices, such as intrusion detection, malware detection, sandboxing, etc.

  • Next-Generation Layer 7 Firewalls Examples:

    Palo Alto, Check Point, Cisco and Fortinet

    Audit Considerations:

    Failure to implement key features

    Proper sizing of hardware, features installed, and network throughput to ensure adequate capacity

    Lack of log retention or no aggregation and correlation of logs


  • Multifactor Authentication

    Multifactor Authentication (MFA) prevents identity theft by using two or more methods to confirm the identity of the user.

    Many of the solutions perform MFA by providing a secondary “check” of the user’s identity: the solution communicates some form of code to the user, which the user must enter after successfully submitting an ID/password combination. The user enters this code into a portal or application provided by the solution, and the code is verified on the backend to confirm the identity of the user.

  • Multifactor Authentication Examples:

    Google Authenticator, LastPass Authenticator, Microsoft Authenticator, Okta

    Audit Considerations:

    Exempting certain classes of users

    Access paths that bypass multifactor

    Authentication that pretends to be but is not truly multifactor


  • Email Filtering

    This involves filtering incoming mail, identifying whether such mail is part of a phishing campaign, and automatically removing email after the fact, even if it has already been received by users.

    This would occur if the email was not identified as malicious when it was initially received by the organization’s email server, but was later flagged by the security industry as part of a criminal effort.

    Filtering may also involve egress filtering of PII.

  • Email Filtering Example:

    Proofpoint

    Audit Considerations:

    Administra
