
The Role of Security Monitoring & SIEM in Risk Management

Jeff Kopec, MS, CISSP Cyber Security Architect

Oakwood Healthcare

DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

Jeff Bell, CISSP, GSLC, CPHIMS, ACHE Director, IT Security & Risk Services

CareTech Solutions @JeffBell_CTS #HIMSS15

Conflict of Interest

Jeff Kopec, MS and Jeff Bell, BS have no real or apparent conflicts of interest to report.

© HIMSS 2015

2

Learning Objectives

1. Assess the readiness of healthcare providers and business associates to respond to current cybersecurity threats.

2. Evaluate the barriers to successful Security Information and Event Management (SIEM) implementation including solutions and alternatives.

3. Describe the people and process changes needed to successfully use SIEM technology to identify and respond to cybersecurity incidents.

3

An Introduction to the Benefits Realized for the Value of Health IT

http://www.himss.org/ValueSuite

Breaches are expensive (Savings)

• Data breaches cost healthcare organizations millions of dollars every year. Cost is ~$2M per institution over two years.

• Security Monitoring reduces the likelihood and severity of breaches, resulting in savings.

Patient satisfaction is affected by breaches (Satisfaction)

• Loss of business due to customer dissatisfaction is the largest factor in the cost of a data breach, estimated in 2013 at $188 per record.

• 30% of patients said they would find a new healthcare provider if their provider’s office was breached.

The Fourth Annual Benchmark Study on Patient Privacy & Data Security, sponsored by ID Experts and conducted by the Ponemon Institute, March 2014

2013 Cost of Data Breach Study, by the Ponemon Institute, sponsored by Symantec, May 2013

Avoidable Collateral Damage from Corporate Data Breaches, sponsored by Identity Finder and conducted by Javelin Strategy & Research, May 2014

4

A Day in the Life of an IT Security Officer

Gotham City General Hospital

5

Need: Robust / Effective / Risk-based Cybersecurity Programs

§ 164.306 Security standards: General rules. (a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

6

What We Have: Inadequate Cybersecurity Programs

To receive FBI industry notices apply for InfraGard membership at www.InfraGard.org

7

Verizon, Data Breach Investigation Report, 2014

“…the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.”

“…attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade. This doesn’t scale well, people.”

http://www.verizonenterprise.com/DBIR/2014/

Chart: Percent of breaches where time to compromise (red) / time to discovery (blue) was days or less

8

Cybersecurity Framework (NIST)

Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy

Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures

Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes

Respond: Response Planning, Communications, Analysis, Mitigation, Improvements

Recover: Recovery Planning, Improvements, Communications

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

9

Council on Cybersecurity - Critical Security Controls

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Malware Defenses
CSC 6: Application Software Security
CSC 7: Wireless Access Control
CSC 8: Data Recovery Capability
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 11: Limitation and Control of Network Ports, Protocols, and Services
CSC 12: Controlled Use of Administrative Privileges
CSC 13: Boundary Defense
CSC 14: Maintenance, Monitoring, & Analysis of Audit Logs
CSC 15: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control
CSC 17: Data Protection
CSC 18: Incident Response & Mgmt
CSC 19: Secure Network Engineering
CSC 20: Penetration Tests and Red Team Exercises

http://www.counciloncybersecurity.org/critical-controls/

10

CSC 14-8: Deploy a SIEM (Security Incident and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

11

Security: People, Processes, Technologies

Skilled Staff

ESSENTIAL PROCESSES

Change Mgmt, Vulnerability Mgmt, Configuration Mgmt, Access Mgmt, Incident Response, Security Monitoring, Asset Mgmt, Awareness Training, DR/BCP, Governance, Risk Mgmt, Audit

Security Policies

FOUNDATIONAL TECHNOLOGIES

Firewall, Security Gateway (Web, eMail), Network Segmentation, Endpoint Protection, Mobile Device Mgmt, IPS, Log Consolidation, Patch Mgmt, Encryption

ADVANCED TECHNOLOGIES

App Control (Whitelisting), SIEM, NGFW / NGIPS, HIPS, User Monitoring, Vulnerability Scan, Forensic Tools, NAC

Security Framework

CUTTING EDGE TECHNOLOGIES

Data Loss Prevention, Database Activity Monitoring, Threat Intelligence, Network Behavior Analysis, etc.

Benefits of Security Monitoring

• More rapid detection of security incidents
• More rapid incident response
• Ensure data is available for incident response
• Reduce impact from security incidents
• Meet regulatory requirements
• Demonstrate Due Care / Due Diligence
• Reporting / Metrics / Transparency
• Operational benefits

“By preparing for cyberthreats before an attack, organizations can potentially limit both data loss and the reactive, post-incident expenses … The longer a breach stays undetected, the further it spreads and the more it costs organizations…”

Be Ready for a Breach with Intelligent Response, James Tarala, SANS, November 2014

12

SIEM Functionality

Definition: Security Information and Event Management

• Log collection, storage (raw data, then parsed / normalized data)
• Data enrichment
• Data correlation / anomaly detection
• Alerts
• Console displays
• Query tools to support investigation / analysis

13

POLLING QUESTION

Describe your use of SIEM technology:

a. SIEM not installed

b. Not used effectively

c. Use third-party to monitor

d. Have an effective process

e. I don’t know

SIEM Functionality: Log Collection / Storage

Logs are critical to protect, detect and respond to security incidents.

Logs should be collected in a central location and monitored continuously.

Security incidents almost always leave Indicators of Compromise (IOCs) in logs.

The trick is to find them!

14

SIEM Functionality: Log Collection / Storage

Difficulties with analyzing logs:

• No one may look at the logs
• Log analysis takes specialized skills and tools
• Logs may be stored only on local devices
• Log retention may be too short
• Logs may contain too much information, or too little information

15

SIEM Functionality: Log Collection / Storage

Examples of events that can generate log messages:

• System changes (new account, elevation of privilege)
• Authentication and authorization (successful & failed)
• Security alerts (malware detection, IDS detection, anomalous behavior such as a new traffic flow)
• User activity: access to devices, files, records
• System shutdown, startup

Logging and Log Management, Dr. Anton Chuvakin et al., 2013, pp. 44-45

16

SIEM Functionality: Log Collection / Storage

Raw data
• SIEM receives raw data
• Raw data format varies by log source
• Raw data is not useful for analytics

Parsed / normalized data
• SIEM parses data & transforms it to a normalized data structure
• Normalized data is stored in a database
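As an added illustration of the parsing and normalization stage (example code written for this edit, not from the presentation or either presenter's organization), the following Python takes constructed raw lines in two source formats and maps them onto one common event schema; the formats, field names and sample values are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed raw log lines in two source formats (not from the presentation):
# Linux sshd syslog lines and a Windows-style key=value security event. The
# last line is deliberately unparseable to show how unknown formats are handled.
RAW_LINES = [
    "Feb  4 02:14:07 db01 sshd[2231]: Failed password for dba from 198.51.100.7 port 51022 ssh2",
    "Feb  4 02:14:19 db01 sshd[2231]: Accepted password for dba from 198.51.100.7 port 51022 ssh2",
    "EventTime=2015-02-04T02:15:02Z EventID=4624 Computer=APP02 TargetUserName=jdoe IpAddress=10.0.0.5",
    "<<corrupt record from an unknown device>>",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
WIN_LOGON_IDS = {"4624": "success", "4625": "failure"}   # Windows logon success / failure event IDs

def parse_syslog(line, year=2015):
    """sshd auth line -> normalized dict, or None. Syslog omits the year, so it is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc).isoformat(), "host": m["host"],
            "user": m["user"], "src_ip": m["ip"], "event": "auth",
            "outcome": "success" if m["result"] == "Accepted" else "failure", "source": "sshd"}

def parse_windows_kv(line):
    """Windows-style key=value logon event -> normalized dict, or None."""
    kv = dict(KV_RE.findall(line))
    if kv.get("EventID") not in WIN_LOGON_IDS:
        return None
    ts = datetime.fromisoformat(kv["EventTime"].replace("Z", "+00:00"))
    return {"ts": ts.isoformat(), "host": kv["Computer"].lower(), "user": kv["TargetUserName"],
            "src_ip": kv["IpAddress"], "event": "auth",
            "outcome": WIN_LOGON_IDS[kv["EventID"]], "source": "windows"}

PARSERS = (parse_syslog, parse_windows_kv)

def normalize(raw_lines):
    """Run each parser until one accepts the line. Unparsed lines are counted, not
    silently dropped, so gaps in log coverage stay visible to the analyst."""
    events, unparsed = [], 0
    for line in raw_lines:
        parsed = next(filter(None, (p(line) for p in PARSERS)), None)
        if parsed is None:
            unparsed += 1
        else:
            events.append(parsed)
    return events, unparsed
```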

17

SIEM Functionality: Log Collection / Storage

What retention period is appropriate?

• Retain logs for “as long as it might be useful” [1]
• Based on business requirements
• PCI requires at least one year of log retention, with a minimum of three months immediately available
• NIST recommends 3-12 months for high-impact systems [2]
• Tiered storage can be used

[1] Logging and Log Management, Dr. Anton Chuvakin et al., 2013, p. 232
[2] Guide to Computer Security Log Management, SP 800-92, NIST, 2006

18

POLLING QUESTION

What is your data retention of security logs?

a. Less than 3 months

b. 3 – 12 months

c. 1 – 2 years

d. 2+ years

e. We do not manage

SIEM Functionality: Data Enrichment

Log data can be made more useful by enriching it. Examples:

• Add host name from DHCP server
• Add a risk level by identifying hosts that are vulnerable to a detected exploit
• Threat intelligence: IOC or black lists of malicious URLs or IP addresses
• Data on users and assets from Active Directory or other sources
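An added example (not from the presentation) of the four enrichment steps listed above in Python: the DHCP, vulnerability scan, threat intelligence and directory lookups are constructed in-memory tables, and the field names and risk levels are assumptions.

```python
# Constructed reference data standing in for the DHCP server, vulnerability
# scanner, threat-intelligence feed and Active Directory (all values made up;
# the external address comes from a reserved documentation range).
DHCP_LEASES = {"10.0.0.5": "WS-RADIOLOGY-07", "10.0.0.9": "WS-BILLING-02"}
VULN_SCAN = {"WS-BILLING-02": {"smbv1_remote_code_exec"}}   # host -> weaknesses the scanner found
THREAT_INTEL_IPS = {"203.0.113.44"}                          # IOC list of known-bad addresses
AD_USERS = {"dba": {"dept": "IT", "privileged": True},
            "jdoe": {"dept": "Billing", "privileged": False}}
RISK_ORDER = ["low", "medium", "high"]

def enrich(event):
    """Return a copy of a normalized event with context fields and a risk level added."""
    e = dict(event)
    # 1. Host names from DHCP leases for whichever address fields the event carries.
    for field in ("src_ip", "dst_ip"):
        if field in e:
            e[field.replace("_ip", "_host")] = DHCP_LEASES.get(e[field], "unknown")
    # 2. User context from the directory (department, privileged or not).
    user = AD_USERS.get(e.get("user"), {})
    e["user_dept"] = user.get("dept", "unknown")
    e["user_privileged"] = user.get("privileged", False)
    # 3. Threat intelligence: is either address on the IOC list?
    e["threat_intel_match"] = any(e.get(f) in THREAT_INTEL_IPS for f in ("src_ip", "dst_ip"))
    # 4. Vulnerability context: does a detected exploit target a weakness found on the host?
    weaknesses = VULN_SCAN.get(e.get("dst_host"), set())
    e["target_vulnerable"] = e.get("event") == "ids_alert" and e.get("exploit") in weaknesses
    # 5. Risk level: the most serious reason that applies wins.
    reasons = []
    if e["target_vulnerable"] or e["threat_intel_match"]:
        reasons.append("high")
    if e["user_privileged"]:
        reasons.append("medium")
    e["risk"] = max(reasons, key=RISK_ORDER.index) if reasons else "low"
    return e

# Constructed normalized events, as they would arrive from the parsing stage.
SAMPLE_EVENTS = [
    {"event": "ids_alert", "exploit": "smbv1_remote_code_exec", "src_ip": "203.0.113.44", "dst_ip": "10.0.0.9"},
    {"event": "auth", "outcome": "success", "user": "jdoe", "src_ip": "10.0.0.5"},
    {"event": "auth", "outcome": "success", "user": "dba", "src_ip": "10.0.0.9"},
]

def enrich_all(events):
    return [enrich(e) for e in events]
```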

19

SIEM Functionality: Data Correlation

Correlation: Relationship between multiple events.

• Correlate a threat with a vulnerability
• Failed login attempts followed by successful login
• Logins by multiple users on the same endpoint
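The two event-sequence correlations above, worked as an added Python example (not from the presentation): the event schema, thresholds and time windows are assumptions, and the authentication events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalized authentication events (not from the presentation).
# ISO timestamps in one time zone; "host" is the endpoint that was logged in to.
AUTH_EVENTS = [
    {"ts": "2015-02-04T02:10:00", "host": "db01", "user": "dba", "src_ip": "198.51.100.7", "outcome": "failure"},
    {"ts": "2015-02-04T02:11:00", "host": "db01", "user": "dba", "src_ip": "198.51.100.7", "outcome": "failure"},
    {"ts": "2015-02-04T02:12:00", "host": "db01", "user": "dba", "src_ip": "198.51.100.7", "outcome": "failure"},
    {"ts": "2015-02-04T02:14:19", "host": "db01", "user": "dba", "src_ip": "198.51.100.7", "outcome": "success"},
    {"ts": "2015-02-04T08:00:00", "host": "app02", "user": "jdoe", "src_ip": "10.0.0.5", "outcome": "success"},
    {"ts": "2015-02-04T09:00:00", "host": "ws07", "user": "jdoe", "src_ip": "10.0.0.5", "outcome": "success"},
    {"ts": "2015-02-04T09:05:00", "host": "ws07", "user": "asmith", "src_ip": "10.0.0.5", "outcome": "success"},
    {"ts": "2015-02-04T09:10:00", "host": "ws07", "user": "bjones", "src_ip": "10.0.0.5", "outcome": "success"},
]

def _t(event):
    return datetime.fromisoformat(event["ts"])

def failed_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Rule 1: a success for an account preceded by >= min_failures failures within `window`."""
    alerts, failures = [], defaultdict(list)   # (user, host) -> timestamps of recent failures
    for e in sorted(events, key=_t):
        key = (e["user"], e["host"])
        if e["outcome"] == "failure":
            failures[key].append(_t(e))
            continue
        recent = [f for f in failures.pop(key, []) if _t(e) - f <= window]
        if len(recent) >= min_failures:
            alerts.append({"rule": "failed_then_success", "user": e["user"], "host": e["host"],
                           "src_ip": e["src_ip"], "failures": len(recent)})
    return alerts

def multi_user_endpoint(events, min_users=3, window=timedelta(minutes=30)):
    """Rule 2: >= min_users distinct accounts log in successfully to one endpoint within `window`."""
    alerts, by_host = [], defaultdict(list)
    for e in sorted(events, key=_t):
        if e["outcome"] == "success":
            by_host[e["host"]].append(e)
    for host, logins in by_host.items():
        for i, first in enumerate(logins):
            users = {x["user"] for x in logins[i:] if _t(x) - _t(first) <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "multi_user_endpoint", "host": host, "users": sorted(users)})
                break   # one alert per endpoint is enough for the analyst
    return alerts

def correlate(events):
    return failed_then_success(events) + multi_user_endpoint(events)
```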

20

SIEM Functionality: Anomaly Detection

Anomalies: Establish baselines. What varies from the baseline is an anomaly.

• Privileged account logs in from new IP address
• New process not running on any other device
• New device on the network (unauthorized device)
• Unusually large data extract

21

SIEM Functionality: Alerts, Queries and Console Display

Real-time Alerts: Based on correlation rules. Alerts go to the SIEM console and to external systems such as email or an ITSM.

Console displays: Many types of real-time data including risk-rated alerts.

Queries / Drill Down: Used to analyze an alert. Clicking an IP address or device name may display other events related to that IP address. This can greatly expedite incident investigation.

22

23

24

Real World Example: Anthem Breach

February 4, 2015 Anthem breach, about 80 million affected. What has been reported:

• Discovered by a DBA who noticed a query running under the DBA’s ID
• Signs the breach was committed by a Chinese cyber espionage group known as Deep Panda
• ScanBox Framework

http://www.beckershospitalreview.com/healthcare-information-technology/hackers-break-into-anthem-8-thing-to-know.html
http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/00

25

Real World Example: Anthem Breach

February 4, 2015 Anthem breach, about 80 million affected. What has been reported:

• Trojan named Derbusi
• IP address: 198.200.45[.]112
• URL: We11point[.]com
• Backdoor program masquerading as Citrix VPN software, digitally signed by a certificate issued to DTOPTOOLZ Co., a calling card of Deep Panda

http://www.beckershospitalreview.com/healthcare-information-technology/hackers-break-into-anthem-8-thing-to-know.html
http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/00

26

Real World Example: Anthem Breach

In retrospect, how might this breach have been prevented or detected?

DBA credentials were compromised and used. Possible anomalies related to the credentials:

• First time the ID logged in from that IP address
• Multiple simultaneous logins
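An added Python example (not from the presentation) that covers both the baseline-driven anomalies on the Anomaly Detection slide and the credential anomalies listed here: a privileged account seen from an address absent from its history, overlapping sessions for one account from different addresses, and a data extract far above the account's usual volume. The accounts, addresses and sizes are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

PRIVILEGED_ACCOUNTS = {"dba"}
# Constructed 30-day history used as the baseline (not from the presentation).
BASELINE_LOGINS = [{"user": "dba", "src_ip": "10.0.0.21"}, {"user": "dba", "src_ip": "10.0.0.22"},
                   {"user": "dba", "src_ip": "10.0.0.21"}, {"user": "jdoe", "src_ip": "10.0.0.5"}]
BASELINE_EXTRACT_BYTES = {"dba": [12_000_000, 15_000_000, 9_000_000, 14_000_000, 11_000_000]}
# Constructed new activity to check against the baseline; session timestamps share
# one ISO format, so they can be compared as strings.
NEW_SESSIONS = [
    {"user": "dba",  "src_ip": "198.51.100.7", "start": "2015-02-04T02:14:19", "end": "2015-02-04T03:40:00"},
    {"user": "dba",  "src_ip": "10.0.0.21",    "start": "2015-02-04T02:30:00", "end": "2015-02-04T02:45:00"},
    {"user": "jdoe", "src_ip": "10.0.0.5",     "start": "2015-02-04T08:00:00", "end": "2015-02-04T17:00:00"},
]
NEW_EXTRACTS = [{"user": "dba", "bytes": 4_800_000_000}, {"user": "dba", "bytes": 13_000_000}]

def build_ip_baseline(logins):
    """user -> set of source IPs seen in the history."""
    seen = defaultdict(set)
    for e in logins:
        seen[e["user"]].add(e["src_ip"])
    return seen

def privileged_new_ip(sessions, baseline):
    """Anomaly 1: a privileged account logs in from an address never seen for it before."""
    return [{"rule": "priv_new_ip", "user": s["user"], "src_ip": s["src_ip"]} for s in sessions
            if s["user"] in PRIVILEGED_ACCOUNTS and s["src_ip"] not in baseline.get(s["user"], set())]

def simultaneous_sessions(sessions):
    """Anomaly 2: overlapping sessions for one account from different addresses."""
    alerts, by_user = [], defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    for user, sess in by_user.items():
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a["start"] < b["end"] and b["start"] < a["end"] and a["src_ip"] != b["src_ip"]:
                    alerts.append({"rule": "simultaneous_sessions", "user": user,
                                   "src_ips": sorted({a["src_ip"], b["src_ip"]})})
    return alerts

def large_extracts(extracts, history, k=3.0):
    """Anomaly 3: an extract larger than mean + k standard deviations of the account's history."""
    alerts = []
    for x in extracts:
        hist = history.get(x["user"], [])
        if len(hist) < 2:
            continue   # no usable baseline for this account yet
        if x["bytes"] > mean(hist) + k * pstdev(hist):
            alerts.append({"rule": "large_extract", "user": x["user"], "bytes": x["bytes"]})
    return alerts
```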

27

Real World Example: Anthem Breach

In retrospect, how might this breach have been prevented or detected?

Access to a look-alike domain name: we11point[.]com. Possibly used in a phishing campaign to obtain credentials.

• Some security firms identify we11point[.]com as malicious.
• Threat intelligence may have caught it in the web or email security gateway or in the SIEM.

28

Real World Example: Anthem Breach

In retrospect, how might this breach have been prevented or detected?

The malware masquerading as Citrix VPN software could have been detected by:

• Advanced endpoint protection tools
• First time this software has ever been seen on the network (unique hash value)

29

Real World Example: Anthem Breach

In retrospect, how might this breach have been prevented or detected?

Unusual network traffic flow (Anomaly):

• Exfiltration traffic: Large outbound transfer to an IP with a bad reputation or in a location where you don’t do business
• Command and Control traffic
• VPN connection from outside the country

30

SIEM Architecture

• Collectors

• Logging of raw data

• Parsing / normalizing of data

• Storage of normalized data

• Analytics engine

• Platform to support query, drill-down for investigation / analysis

31

32 SIEM Overview, CareTech Solutions

33 SIEM Overview, CareTech Solutions

SIEM Implementation Plan

Some firewall logs fed in 2010

Do we really need a SIEM? Are we really ready?

• Understand organization’s assets (critical vs. non-critical)
• The “map” of our network
• Are the logs you want being captured?
• Involve data-owners early on and provide access to improve data-owner cooperation

34

We Bought it — Now What?

Perimeter System Integration
• Focus on familiar systems
• Network authentication / authorization logs (Active Directory)
• Remote access system, firewalls
• Anti-virus integration

Internal Systems
• “Tell me again why I should give you my logs?”
• Raw, unmodified log data please…
• Routers, switches
• Critical system logs (e.g. interface engine)

35

Which Logs?

Do we know what we’re looking for? Do we understand all the functionality?

• Have a plan to collect data
• Ensure logs can be incorporated
• Too many logs leads to hardware, processing and storage issues

36

Oakwood SIEM Problems & Solutions

37

Problem: Failure to gather business requirements
Solution: Identify & work with key stakeholders upfront. Determine what’s important to the organization.

Problem: Lack of understanding of SIEM functionality
Solution: Training is a must!!! Consultant with SIEM expertise helped “tune” SIEM & train staff.

Problem: SIEM improperly architected & deployed (ran slow, not enough storage)
Solution: Partner with Network & Storage teams early in the process.

Problem: Insufficient resources to monitor & respond to events
Solution: Managed Service Provider contracted to monitor, train & create new rules.

Staffing

Staffing is critical… ideally an incident response team:
• To review potential incidents and events captured
• To respond to the identified incidents and events

Death by logs
• Failure to review and respond

Many Organizations Recently Breached

38

Staffing Options

Outsource: Managed Services

Pros:
• Knowledge of product
• Expedite deployment and deliver quick wins
• Perception: “We spent money on consulting; I better provide what they’re asking for.”

Cons:
• Staff must still be dedicated
• They don’t know your network

39

Staffing Options

In-house

Pros:
• Less expensive upfront
• A better understanding of “why” … sometimes

Cons:
• Learning curve can cause delays
• Resource availability

40

SIEM Staffing - Key Tasks & Resources

41

Planning
• Security team or Project Manager to identify business requirements and key stakeholders

Architecture & Log Integration
• Partnership with key stakeholders to appropriately integrate logs and interpret them

Monitoring for Incidents & Events
• Security Operations Center (SOC) or Managed Services Provider

Responding to Incidents & Events
• Security Incident Response Team

Conclusions & Recommendations

• Security incidents and breaches will occur in each of our organizations. Be Prepared!
• SIEM technology, skilled resources and effective processes are needed to prevent, detect and respond to security incidents.
• Process and skilled analysts trump technology.
• Determine the scope and objectives for your SIEM in order to right-size the technology and staff.
• The SIEM will get more and more useful and will become the go-to source for security monitoring.

42


Questions?

Jeff Kopec, MS, CISSP

Cyber Security Architect Oakwood Healthcare

Jeff Bell, CISSP, GSLC, CPHIMS, ACHE

Director, IT Security & Risk Services @JeffBell_CTS #HIMSS15

CareTech Solutions

44
