The Critical Infrastructure Attack Surface – Assessing Its Breadth, Fragility, Threats and Defenses

The Critical Infrastructure Attack Surface - LogRhythm · 2016/12/5  · User and Entity Behavior Analytics Endpoint Behavior Analytics Network Behavior Analytics Healthcare Snapshot


Page 1

Page 2

Today’s Speakers

Sameer Bhalotra – Former Sr. Director of Cyber Security at the White House and Co-Founder/CEO at StackRox

James Carder – Vice President of LogRhythm Labs & CISO at LogRhythm, Inc.

Kennet Westby – President and Co-Founder of Coalfire Systems, a leader in cyber risk advisory and assessment services

Page 3

Critical Infrastructure: Traditional

Page 4

Critical Infrastructure: Emerging

Page 5

Cyber Threats

Page 6

Escalation Path

Page 7

IoT Devices

Page 8

CRITICAL INFRASTRUCTURE AND IoT RISK MANAGEMENT

Page 9

CI RISK MANAGEMENT – WHAT IS DIFFERENT?

• Requires expanded threat intelligence, analysis and data sharing

• Broader and more complex threat actors and scenarios

• Impact assessment extends beyond the organization's own CIA (confidentiality, integrity, availability)

• Response and recovery are as important as prevention

• The scope of assets is larger and more distributed than in a data-security-centric plan

Page 10

INCLUDING IoT IN YOUR PLAN

“IoT adoption will increase in both speed and scope, and [will] impact virtually all sectors of our society. The Nation’s challenge is ensuring that the IoT’s adoption does not create undue risk. Additionally…. there is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.” – President’s National Security Telecommunications Advisory Committee (NSTAC)

Things to include in your CI Cyber Assessment

• IoT is rapidly becoming our critical infrastructure

• Response and recovery planning must include the impact of IoT threats

• Expand impact analysis to include public and personal safety

• Require any acquisition, development and deployment of IoT to incorporate cyber risk assessment and security best practices

Page 11

FRAMEWORKS FOR CI CYBER RISK

• NIST CSF – Cyber Risk Assessment and Risk Management Framework
  – Supports expanded scope for critical infrastructure
  – Response and recovery key to CI
  – Partnership of industry and government – maps existing standards
  – CI sectors aligning guidance and assessment criteria to framework

• Expanded NIST guidance for IoT systems security engineering
  – NIST SP 800-160

• New CI regulatory or compliance expansion unlikely

Page 12

Critical Infrastructure | Detect & Monitor

Page 13

Critical Infrastructure Sectors

Page 14

Innovation vs. Security Timeline

[Timeline figure] Innovation track: Mainframe Computers (1950 - 1970), Personal Computers (1970 - 1990), Web (1990 - 2000), Mobile Computing (2000 - 2010), Internet of Things (2010 - Today). Security track: Birth of Information Security, Personal Computer Security (1985 - 1990), Web Security (1990 - 2000), Internet of Things Security (2000 - 2010), ? (2010 - Today).

Computers have gotten smaller and consume less power, expanding capabilities for consumers and critical infrastructure alike

Page 15

Simplifying Critical Infrastructure

• They’re just computers
• Operating system (most are known: Windows or Linux)
• User interface
• Network and Internet enabled
• Produce log data and other artifacts
• Protection
• Governance
• Monitor, detect, and respond

Page 16

The Modern Cyber Threat Pandemic

Source: Symantec, Underground black market: Thriving trade in stolen data, malware, and attack services, November 20, 2015; Medscape, Stolen EHR Charts Sell for $50 Each on Black Market, April 28, 2014

CRITICAL INFRASTRUCTURE MEANS GREATER RISK, GREATER IMPACT

Page 17

[Platform diagram]

Endpoint Monitoring & Forensics

Network Monitoring & Forensics

Security Intelligence & Analytics Fabric

Log Management / SIEM

Security Analytics: User and Entity Behavior Analytics, Endpoint Behavior Analytics, Network Behavior Analytics

Page 18

Healthcare Snapshot

Healthcare: Google Glass, smart watches, medical devices on wheels, virtual reality systems, proton laser beams to treat cancer, credit union and ATMs, 1,000 different ways to get money and process credit cards, drug and blood dispensers, a farm (yes, a farm), and even an airport! ALL WITH AN IP ADDRESS!

Enterprise Visibility

Page 19

• Can’t put an agent on it, can’t probe it, how do I see it?

• Can passively fingerprint the device using network-based communication
  – Protocol analysis (unencrypted vs. encrypted)
  – Communication pattern analysis (type, path, systems, frequency)
  – Other data points that can be used in correlation (headers, MAC, etc.)

• Monitor the management workstation or backend controller

• Anything that deviates from its normal operation (baseline) should trigger an alarm (technology deviation or user deviation)

Use Case: Industrial Control Systems

Page 20

What is Security Automation and Orchestration?

• Gartner’s Definition: “utilize machine-readable security data to provide analysis and management capabilities to support operational security teams”

Page 21

Why Security Automation and Orchestration (SAO)?

Problems Solved by SAO:

• Centralizes and safeguards security investigations
• Standardizes incident response processes
• Enables efficient collaboration
• Automates workflows and responses
• Profoundly reduces mean time to respond (MTTR)

Page 22

Benefits of LogRhythm Security Automation and Orchestration

• Minimize MTTR by standardizing and automating response

• Increase analyst efficiency and effectiveness
  – Work from a single pane of glass to avoid swivel-chair analysis
  – Streamline analyst workflows with a deeply integrated solution (e.g., smoothly pivot from Alarm to Case to PCAP)
  – Leverage automation for repeatable and predictable tasks

• Minimize total cost of ownership and realize faster ROI
  – Leverage your existing security tools with automation
  – Avoid adding another security tool to your stack
  – Eliminate costly API integration and maintenance

Page 23

Telnet / FTP / Web

Compromise
1. Default Credentials (”found on Internet”)
2. Manipulate drugs getting dispensed through admin interface
3. Kill patient

Detection and Response
• User, Endpoint, and Application access controls
• Maintenance windows and change management
• Remove unnecessary ports and protocols
• Network isolation
• Monitor and alert on suspicious activity and behaviors
• Take action

Prevention
• Threat Intelligence
• Vulnerability scan the patient floor
• Identify approved and not approved
• Tune audit and monitoring controls

All automatically and in alignment with Hospital processes

Case Study: Patient Harm
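The baseline-deviation alarm from the Enterprise Visibility slide and the "remove unnecessary ports / maintenance windows / alert on suspicious behavior" controls of this case study, as one added example (not code from the deck or from LogRhythm): passive flow records for an agentless dispenser are profiled into normal peers, ports and hourly frequency, and admin-protocol access (Telnet/FTP/web) is tolerated only from an approved management workstation inside the change window. The device address, hosts, ports, window and every flow record are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# All addresses, ports, windows and flow records below are constructed for the example.
DEVICE = "10.0.5.20"                 # drug dispenser: no agent, no active probing allowed
APPROVED_MGMT_HOSTS = {"10.0.9.5"}   # the one sanctioned management workstation
ADMIN_PORTS = {21, 23, 80}           # FTP, Telnet, cleartext web admin interface
CHANGE_WINDOW_HOURS = range(2, 4)    # 02:00-04:00 change-management window

# Learning-period flows observed passively: (timestamp, src, dst, dst_port)
BASELINE_FLOWS = [
    ("2016-12-01T08:00:00", DEVICE, "10.0.1.10", 443),   # dispenser -> backend controller
    ("2016-12-01T09:00:00", DEVICE, "10.0.1.10", 443),
    ("2016-12-02T02:15:00", "10.0.9.5", DEVICE, 23),     # sanctioned Telnet maintenance login
]

def build_baseline(flows):
    """Normal peers, ports and peak hourly flow count for DEVICE during learning."""
    peers, ports, per_hour = set(), set(), Counter()
    for ts, src, dst, port in flows:
        if DEVICE not in (src, dst):
            continue
        peers.add(dst if src == DEVICE else src)
        ports.add(port)
        per_hour[ts[:13]] += 1                     # bucket by YYYY-MM-DDTHH
    return {"peers": peers, "ports": ports, "max_per_hour": max(per_hour.values(), default=0)}

def detect(flows, baseline):
    """Return (timestamp, reason) alarms for flows that deviate from the baseline."""
    alarms, per_hour = [], Counter()
    for ts, src, dst, port in flows:
        if DEVICE not in (src, dst):
            continue
        peer = dst if src == DEVICE else src
        hour = datetime.fromisoformat(ts).hour
        if dst == DEVICE and port in ADMIN_PORTS:
            # Admin-interface access only from approved hosts inside the change window
            if peer not in APPROVED_MGMT_HOSTS or hour not in CHANGE_WINDOW_HOURS:
                alarms.append((ts, f"admin port {port} from {peer} outside approved host/window"))
        elif peer not in baseline["peers"] or port not in baseline["ports"]:
            alarms.append((ts, f"new communication path {peer}:{port}"))
        per_hour[ts[:13]] += 1
        if per_hour[ts[:13]] > 2 * baseline["max_per_hour"]:
            alarms.append((ts, "flow frequency exceeds twice the baseline peak"))
    return alarms

# Monitored flows: one normal report, then a midday Telnet login from an unknown host
MONITORED_FLOWS = [
    ("2016-12-05T08:00:00", DEVICE, "10.0.1.10", 443),
    ("2016-12-05T12:30:00", "192.168.77.4", DEVICE, 23),
]
```

Running `detect(MONITORED_FLOWS, build_baseline(BASELINE_FLOWS))` yields a single alarm for the Telnet login; a sanctioned login from the approved workstation at 02:30 produces none.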

Page 24

[Attack lifecycle diagram] Recon. and Planning → Initial Planning → Command and Control → Lateral Movement → Target Attainment → Exfiltration, Corruption, Disruption

Data Breaches Can Be Avoided

Early neutralization stops cyber incidents and data breaches

Security Analytics: User and Entity Behavior Analytics, Endpoint Behavior Analytics, Network Behavior Analytics

Page 25

THANK YOU!