The Critical Infrastructure Attack Surface – Assessing Its Breadth, Fragility, Threats and Defenses
Today’s Speakers
Sameer Bhalotra, Former Sr. Director of Cyber Security at the White House and Co-Founder/CEO at StackRox
James Carder, Vice President of LogRhythm Labs & CISO at LogRhythm, Inc.
Kennet Westby, President and Co-Founder of Coalfire Systems, a leader in cyber risk advisory and assessment services
Critical Infrastructure: Traditional
Critical Infrastructure: Emerging
Cyber Threats
Escalation Path
IoT Devices
CRITICAL INFRASTRUCTURE AND IoT RISK MANAGEMENT
CI RISK MANAGEMENT –WHAT IS DIFFERENT?
• Requires expanded threat intelligence, analysis and data sharing
• Broader and more complex threat actors and scenarios
• Impact assessment extends beyond organizational CIA
• Response and recovery as important as prevention
• The scope of assets is larger and more distributed than in a data-security-centric plan
INCLUDING IoT IN YOUR PLAN
“IoT adoption will increase in both speed and scope, and [will] impact virtually all sectors of our society. The Nation’s challenge is ensuring that the IoT’s adoption does not create undue risk. Additionally… there is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.”
President’s National Security Telecommunications Advisory Committee (NSTAC)
Things to include in your CI Cyber Assessment
• IoT is rapidly becoming our critical infrastructure
• Response and recovery planning must include the impact of IoT threats
• Expand impact analysis to include public and personal safety
• Require any acquisition, development and deployment of IoT to incorporate cyber risk assessment and security best practices
FRAMEWORKS FOR CI CYBER RISK
• NIST CSF – Cyber Risk Assessment and Risk Management Framework
  – Supports expanded scope for critical infrastructure
  – Response and recovery key to CI
  – Partnership of industry and government – maps existing standards
  – CI sectors aligning guidance and assessment criteria to framework
• Expanded NIST guidance for IoT systems security engineering
  – NIST SP 800-160
• New CI regulatory or compliance expansion unlikely
Critical Infrastructure | Detect & Monitor
Critical Infrastructure Sectors
Innovation vs. Security Timeline
[Timeline figure. Innovation eras: Mainframe Computers, Personal Computers, Web, Mobile Computing, Internet of Things, across 1950 - 1970, 1970 - 1990, 1990 - 2000, 2000 - 2010, 2010 - Today. Security eras: Birth of Information Security; Personal Computer Security (1985 - 1990); Web Security (1990 - 2000); Internet of Things Security (2000 - 2010); then “?” for the current period.]
Computers have become smaller and consume less power, expanding their capabilities for consumers and for critical infrastructure.
Simplifying Critical Infrastructure
• They’re just computers
• Operating system (most are known: Windows or Linux)
• User interface
• Network and Internet enabled
• Product log data and other artifacts
• Protection
• Governance
• Monitor, detect, and respond
The Modern Cyber Threat Pandemic
Source: Symantec, Underground black market: Thriving trade in stolen data, malware, and attack services, November 20, 2015; Medscape, Stolen EHR Charts Sell for $50 Each on Black Market, April 28, 2014
CRITICAL INFRASTRUCTURE MEANS GREATER RISK, GREATER IMPACT
• Endpoint Monitoring & Forensics
• Network Monitoring & Forensics
• Security Intelligence & Analytics Fabric
• Log Management / SIEM
• Security Analytics
• User and Entity Behavior Analytics
• Endpoint Behavior Analytics
• Network Behavior Analytics
Healthcare Snapshot
Healthcare: Google Glass, smart watches, medical devices on wheels, virtual reality systems, proton laser beams to treat cancer, credit union and ATMs, 1,000 different ways to get money and process credit cards, drug and blood dispensers, a farm (yes, a farm), and even an airport! ALL WITH AN IP ADDRESS!
Enterprise Visibility
• Can’t put an agent on it, can’t probe it, so how do I see it?
• Can passively fingerprint the device using network-based communication
  – Protocol analysis (unencrypted vs. encrypted)
  – Communication pattern analysis (type, path, systems, frequency)
  – Other data points that can be used in correlation (headers, MAC address, etc.)
• Monitor the management workstation or backend controller
• Anything that deviates from its normal operation (baseline) should trigger an alarm (technology deviation or user deviation)
Use Case: Industrial Control Systems
What is Security Automation and Orchestration?
• Gartner’s Definition: “utilize machine-readable security data to provide analysis and management capabilities to support operational security teams”
Why Security Automation and Orchestration (SAO)?
Problems Solved by SAO:
• Centralizes and safeguards security investigations
• Standardizes incident response processes
• Enables efficient collaboration
• Automates workflows and responses
• Profoundly reduces mean time to respond (MTTR)
Benefits of LogRhythm Security Automation and Orchestration
• Minimize MTTR by standardizing and automating response
• Increase analyst efficiency and effectiveness
  – Work from a single pane of glass to avoid swivel-chair analysis
  – Streamline analyst workflows with a deeply integrated solution (e.g., smoothly pivot from Alarm to Case to PCAP)
  – Leverage automation for repeatable and predictable tasks
• Minimize total cost of ownership and realize faster ROI
  – Leverage your existing security tools with automation
  – Avoid adding another security tool to your stack
  – Eliminate costly API integration and maintenance
Case Study: Patient Harm
Telnet / FTP / Web
Compromise
1. Default credentials (“found on Internet”)
2. Manipulate drugs getting dispensed through admin interface
3. Kill patient
Detection and Response
• User, endpoint, and application access controls
• Maintenance windows and change management
• Remove unnecessary ports and protocols
• Network isolation
• Monitor and alert on suspicious activity and behaviors
• Take action
Prevention
• Threat intelligence
• Vulnerability scan the patient floor
• Identify approved and not approved
• Tune audit and monitoring controls
All automatically and in alignment with hospital processes
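The following Python script is an added example, not code from the deck or from any product it names. It ties together the agentless visibility approach of the Enterprise Visibility slide (passively fingerprint the device from its network communication, learn a baseline, alarm on deviation) and the detection and response controls of this case study (access controls on the admin interface, maintenance windows and change management, unnecessary ports). The flow-record format, the addresses, the monitored device, the approved management workstation and the maintenance window are all constructed assumptions and do not come from the slides.

```python
"""Agentless baseline-and-deviation monitoring for devices that cannot run an agent.

Added example (not part of the deck or of any vendor product): learn each
monitored device's normal communication pattern from flow records, derive a
passive fingerprint from it, then alert on deviations in a later window.
All addresses, ports, hosts and log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
BASELINE_LOG = """
2024-03-01T02:10:00 10.20.5.10 10.20.9.40 23 tcp
2024-03-01T02:12:00 10.20.5.10 10.20.9.40 21 tcp
2024-03-01T09:00:00 10.20.9.40 10.20.7.100 443 tcp
2024-03-01T09:30:00 10.20.9.40 10.20.7.100 443 tcp
2024-03-02T02:05:00 10.20.5.10 10.20.9.40 23 tcp
2024-03-02T09:00:00 10.20.9.40 10.20.7.100 443 tcp
""".strip().splitlines()

DETECT_LOG = """
2024-03-03T02:15:00 10.20.5.10 10.20.9.40 23 tcp
2024-03-03T09:00:00 10.20.9.40 10.20.7.100 443 tcp
2024-03-03T14:20:00 10.20.3.77 10.20.9.40 23 tcp
2024-03-03T14:21:00 10.20.3.77 10.20.9.40 80 tcp
2024-03-03T14:25:00 10.20.9.40 10.20.7.100 443 tcp
""".strip().splitlines()

MONITORED_DEVICES = {"10.20.9.40"}    # hypothetical drug dispenser on the patient floor
APPROVED_MGMT_HOSTS = {"10.20.5.10"}  # hypothetical backend controller / management workstation
MGMT_PORTS = {21, 23, 80}             # FTP, Telnet and web admin interfaces named on the slide
MAINTENANCE_HOURS = range(1, 4)       # hypothetical change window, 01:00-03:59


def parse_flows(lines):
    """Parse the constructed flow format into dicts; one record per line."""
    flows = []
    for line in lines:
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def build_baseline(flows, devices):
    """Per device, the set of (direction, peer, dst_port) tuples seen while learning."""
    baseline = defaultdict(set)
    for f in flows:
        if f["dst"] in devices:
            baseline[f["dst"]].add(("in", f["src"], f["dport"]))
        if f["src"] in devices:
            baseline[f["src"]].add(("out", f["dst"], f["dport"]))
    return baseline


def fingerprint(baseline, device):
    """Passive fingerprint: which ports the device accepts and whom it talks to."""
    listens_on = sorted({p for d, _, p in baseline[device] if d == "in"})
    talks_to = sorted({(peer, p) for d, peer, p in baseline[device] if d == "out"})
    return {"listens_on": listens_on, "talks_to": talks_to}


def detect(flows, baseline, devices, approved_hosts, maint_hours):
    """Return (alert_type, device, peer, port) tuples for baseline deviations and for
    management-interface access that violates the access-control or change-window rules."""
    alerts = []
    for f in flows:
        if f["dst"] in devices:
            dev, key = f["dst"], ("in", f["src"], f["dport"])
            if key not in baseline[dev]:
                alerts.append(("new-inbound-pair", dev, f["src"], f["dport"]))
            if f["dport"] in MGMT_PORTS:
                if f["src"] not in approved_hosts:
                    alerts.append(("mgmt-access-from-unapproved-host", dev, f["src"], f["dport"]))
                if f["ts"].hour not in maint_hours:
                    alerts.append(("mgmt-access-outside-maintenance-window", dev, f["src"], f["dport"]))
        if f["src"] in devices:
            dev, key = f["src"], ("out", f["dst"], f["dport"])
            if key not in baseline[dev]:
                alerts.append(("new-outbound-pair", dev, f["dst"], f["dport"]))
    return alerts


def run_example():
    """Learn from BASELINE_LOG, then evaluate DETECT_LOG; returns (fingerprint, alerts)."""
    baseline = build_baseline(parse_flows(BASELINE_LOG), MONITORED_DEVICES)
    alerts = detect(parse_flows(DETECT_LOG), baseline, MONITORED_DEVICES,
                    APPROVED_MGMT_HOSTS, MAINTENANCE_HOURS)
    return fingerprint(baseline, "10.20.9.40"), alerts


if __name__ == "__main__":
    fp, found = run_example()
    print("fingerprint:", fp)
    for a in found:
        print("ALERT", *a)
```

Run as a script it prints the learned fingerprint (the device accepts FTP and Telnet from the management host and only talks outbound to its backend over 443) and six alerts, all for the unapproved host reaching the Telnet and web admin ports in the afternoon; the approved host's Telnet session inside the change window raises nothing. The baseline is only as trustworthy as the learning window, so in practice it is reviewed against the approved device inventory before it is enforced, and a frequency dimension (connections per hour per pair) is added so that a flood from an already-known peer is also a deviation.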
• Recon. and Planning
• Initial Planning
• Command and Control
• Lateral Movement
• Target Attainment
• Exfiltration, Corruption, Disruption
Data Breaches Can Be Avoided
Early neutralization stops cyber incidents and data breaches
THANK YOU!