MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat Intelligence, Faster Detection & Automated Response

Bridging the Gap: Linking Business and Government Efforts to Defend Cyberspace

Dr. Jack Midgley

Agenda
• Global and MENA cyber environment?
• National policy challenges?
• Government and industry roles?

GLOBAL AND MENA CYBER ENVIRONMENT?

[Figure: Commercial Internet Exposure Index, selected countries, MENA and global; bar chart with the highest value at 296 and the remaining countries between <10 and 158]

[Figure: Internet of Things Exposure Index, selected countries, MENA and global; bar chart with values from 0 to 341]

[Figure: Social Media Exposure Index, selected countries, MENA and global; bar chart with values from 8 to 90]

NATIONAL POLICY CHALLENGES?

[Figure: matrix of the three functions (Detect, Block, Respond) against the three actors (civilian industry, civilian agencies, the defense establishment). The actors differ on four dimensions: technical capability, authority, decision rights and liability.]

GOVERNMENT AND INDUSTRY ROLES?

[Figure: the same Detect / Block / Respond matrix, with the military as the foundation, standards and regulations governing civilian industry and agencies, and a whole-of-nation approach spanning the defense establishment and civilian actors.]

Summary
• Global and MENA cyber environment
• National policy challenges
• Government and industry roles

THANK YOU

Value of Cybersecurity: Things You Might Not Know

Fahad Aljutaily, Cyber Security VP

We hear about threats, data breaches and phishing scams on a daily basis, but what does it all mean to your organization?

By 2021, cybercrime will cost $6 trillion per year worldwide
• The cost of cybercrime will double in the next 4 years: $3T in 2015 to $6T in 2021.
• Where the cost lands: stolen data, theft of money, lost productivity, intellectual property theft, business disruption, reputational harm and ransomware.

Businesses experience ransomware attacks every 40 seconds

Email becomes the weapon of choice
• Email remains a dangerous and effective threat to users: 1 in 131 emails contains malware, the highest rate in 5 years.
• Business Email Compromise, relying on spear-phishing, targeted over 400 businesses every day, draining $3 billion over the last 3 years.

Attackers reside within a network for an average of 146 days before being detected

Unfilled cybersecurity jobs will reach 3.5 million by 2021
• Cybersecurity is everyone's responsibility, from the help desk to the CIO and even non-IT employees.
• The number of jobs in cybersecurity will increase exponentially in the next 5 years.
• By 2021 every large company will have a Chief Information Security Officer (CISO) in seat, compared to the 65% that have one now and the 50% that did in 2016.

An IoT device can be attacked within 2 minutes
• By the end of 2017, the world will have 8.4 billion connected devices, up 31% from 2016.
• Cisco estimates that the number of IoT devices will be three times the global population by 2021.
• The biggest DDoS attack so far was powered by 150,000 hacked devices.
• Why is IoT a concern? Some IoT devices are put on the market so quickly that they ship with vulnerabilities. Consumers may not set them up securely, so when such a device is deployed in the network it exposes their employer to cyber-threats.

Conclusion
• Digital transformation will continue to increase cyber threats, demanding innovation and transformation of security management.
• The risk of huge economic loss is leading private organizations to increase their information-protection efforts in order to achieve business goals.
• No matter how robust the technologies and processes are, a single instance of human carelessness can bring them down.
• Cyber-security strategy should be part of the organization's strategy.

THANK YOU

Building a Secure Internet of Things World: How billions of connected devices are transforming the cyber security landscape
Andy Purdy, JD, CISSP, CIPP/US, CSO, Huawei Technologies USA

The Internet of Things refers to things, such as devices or sensors (other than computers, smartphones, or tablets), that connect, communicate or transmit information with or between each other through the Internet.

Agenda
• IoT and its benefits
• Modern cyber security threats and IoT
• IoT architecture and cyber security
• Huawei 3T+1M solution
• Appendix: use cases

The Future of IoT: IoE (Internet of Everything), a world of every thing connected

Vision of IoT:
• All things in the world will get connected
• It will significantly improve our quality of life
• It will transform what we do and how we do it
Estimated IoT market around 2020:
• 50 billion IoT devices
• 7 trillion in revenue

The Future of IoT: IoE benefits
• Healthcare: reduce healthcare costs while giving consumers the ability to record, track, and monitor their own vital signs
• Home automation: greater energy efficiency and reduced costs
• Transportation: safety and convenience benefits
• Societal benefits: aggregation of big data can lead to research and breakthroughs

Courtesy of U.S. Federal Trade Commission, www.business.ftc.gov.

IoT security issues exposed in the news
[Slides 5-10: news clippings on IoT security incidents; images not recoverable]
Mirai was a wake-up call; WannaCry touched thousands.

Traditional vs modern network security threats

Traditional networks        Modern all-IP networks
Single entry point          Multiple entry points
Perfect isolation           Chaotic interleaving
Strict access control       Loose access control
Predictable threats         Unexpected threats

IoT architecture (three layers plus vertical applications)
• Applications / verticals: retail, smart/safe city, transport, smart home, energy, security and surveillance, healthcare, manufacturing
• Cloud: reporting, AD/LDAP, big data analytics, monitoring, storage, private servers, core network control, SD-LAN, NFV
• Pipe: IoT gateway; 3G/4G/eLTE/5G, WLAN/Wi-Fi, satellite, industrial Ethernet
• Device: healthcare devices, connected vehicles, surveillance, mobile wearables, smart grid, fire detection, smart metering, manufacturing, connected home, emergency services

IoT architecture: threat categories and defenses

Major differences from traditional IT security
• Limited end-point resources: computing power, etc.
• No typical network protocols
• Harsh environments: dust, shock, humidity, electromagnetic fields, wide temperature limits
• Security risks of low-power devices
• Safety issues beyond security

Similar points
• The basic security protection principles: privacy, security, reliability, resilience
• The end-to-end (E2E) security protection architecture
• Both rely on strong security mechanisms based on "before, during, after" emergency response

Cloud layer
• Threats: user data and privacy; data intrusion and attacks; API and application attacks; credential disclosure; service penetration; data privacy risks
• Defenses: behaviour analytics and SIEM; cloud analytics and reporting; security policies and system hardening; access and rights management; certificates and keys; control/management-plane security; encryption; tenant isolation; application security; IDS/IPS; DLP

Pipe (network) layer
• Threats: eavesdropping on network transmission; hijacking and tampering; IoT protocol vulnerabilities; network attacks and intrusion risks
• Defenses: DDoS protection; VPN/VPDN; protocol filtering and management; session management; network security and control management; communication isolation; data security and privacy protection

Device layer
• Threats: identity theft and physical attack; lack of endpoint security protection; the resource and environment constraints listed above
• Defenses: dynamic cipher keys; secure local firmware; authentication management; access and credential management; local encryption; TPM/TEE; OS patches and updates; security and identity management

IoT security business architecture

IoT security involves multiple stakeholders:
• Suppliers: chipset manufacturers, component vendors, device manufacturers, middleware providers, system integrators
• Partners: application developers, communities, industry consortia, standards bodies
• Governments: standards and compliance; governance and auditing
• Customers: validation of security measures, solution security, service security, risk exposure, buyer's power

Security governance: traceability, auditing, compliance, certifications
Security knowledge management: best practices, knowledge sharing
Security processes: supplier security, procurement security, manufacturing security, delivery security, security monitoring
Security collaboration: joint initiatives (e.g., bug bounty, CERT), special interest groups (e.g., privacy); collaboration is essential

Huawei's 3T+1M IoT security architecture

• T: Platform and data protection
• T: Malicious device detection and isolation
• T: Configurable device defense capability
• M: Secure operations and management

IoT security (3T+1M): defense-in-depth solution providing E2E security

T: Platform and data protection
Data security across the whole lifecycle:
• API security
• Data security management
• Tenant isolation
• Data privacy protection
• Certificate and key management
• Big data / machine-learning dynamic security analysis and response

T: Malicious device detection and isolation
• Blacklists and whitelists
• Unexpected Internet access
• Abnormal location changes
• Defense against signaling storms
• Fast detection of malicious devices
• Invalid packets
• Abnormal data traffic
• Isolation rules and traffic policies
• IoT protocol identification and filtering

Malicious device detection and isolation: visible abnormal-behaviour detection
• Traffic detection: access at abnormal times, traffic flow, behaviour analysis
• Sandbox detection: invalid packets, files
• Log detection: abnormal data traffic, logs
Behaviour analysis and unknown-risk identification, including abnormal location and movement, feed device management (DM), which isolates the malicious device.
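The detection and isolation flow described above, as an added example that is not Huawei's code: a rule set run over constructed device telemetry applies the blacklist/whitelist, abnormal-time, abnormal-location, wrong-protocol and traffic-surge checks per device, a signaling-storm check per cell, and turns the verdicts into gateway policies. The device profiles, thresholds, cell names and telemetry records are all assumptions made for the demonstration.

```python
"""Behavioural detection and isolation of malicious IoT devices.

Added example (not Huawei code).  Each commissioned device has a profile:
allowed reporting hours, home cell, expected application protocol and a
traffic baseline.  Telemetry that breaks the profile, a device on the
blacklist, or an unregistered device is flagged, and an isolation action is
derived for the gateway.  Profiles, lists and telemetry are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Profile:
    allowed_hours: range   # hours of day in which the device may report
    home_cell: str         # cell/site where the device was commissioned
    protocol: str          # application protocol the device should speak
    baseline_bytes: int    # typical bytes per reporting interval


# Whitelist: only commissioned devices have a profile (assumed values).
PROFILES = {
    "meter-001": Profile(range(1, 5), "cell-A", "coap", 2_000),
    "meter-002": Profile(range(1, 5), "cell-A", "coap", 2_000),
    "cam-017": Profile(range(0, 24), "cell-B", "rtsp", 5_000_000),
}
BLACKLIST = {"meter-099"}   # devices already known to be compromised
SURGE_FACTOR = 10           # bytes above baseline * factor -> traffic surge
STORM_THRESHOLD = 50        # attach attempts per cell per window -> signaling storm
HARD_ISOLATE = {"blacklisted", "not-whitelisted", "invalid-packet"}


def inspect_record(rec):
    """Return the names of the per-device rules one telemetry record violates."""
    reasons = []
    dev = rec["device"]
    if dev in BLACKLIST:
        reasons.append("blacklisted")
    prof = PROFILES.get(dev)
    if prof is None:
        reasons.append("not-whitelisted")
        return reasons             # nothing to compare an unknown device against
    if rec["hour"] not in prof.allowed_hours:
        reasons.append("abnormal-time")
    if rec["cell"] != prof.home_cell:
        reasons.append("abnormal-location")   # a fixed meter should never move
    if rec["proto"] != prof.protocol:
        reasons.append("invalid-packet")      # wrong protocol for this device class
    if rec["bytes"] > prof.baseline_bytes * SURGE_FACTOR:
        reasons.append("traffic-surge")
    return reasons


def detect(records):
    """Apply per-device rules and the cross-device signaling-storm rule.

    Returns (verdicts, actions): verdicts maps device -> sorted reasons;
    actions lists (target, policy) pairs to push to the IoT gateway.
    """
    verdicts = {}
    for rec in records:
        reasons = inspect_record(rec)
        if reasons:
            verdicts.setdefault(rec["device"], set()).update(reasons)
    # Signaling storm: too many attach/registration attempts from one cell,
    # whether from a botnet or a mass reboot; rate-limit rather than isolate.
    attaches = Counter(r["cell"] for r in records if r["event"] == "attach")
    storm_cells = sorted(cell for cell, n in attaches.items() if n > STORM_THRESHOLD)
    actions = []
    for dev in sorted(verdicts):
        policy = "isolate" if verdicts[dev] & HARD_ISOLATE else "quarantine-vlan"
        actions.append((dev, policy))
    actions += [(cell, "rate-limit-attach") for cell in storm_cells]
    return {d: sorted(r) for d, r in verdicts.items()}, actions


# Constructed telemetry for one reporting window.
SAMPLE = [
    {"device": "meter-001", "hour": 2, "cell": "cell-A", "proto": "coap", "bytes": 1_800, "event": "report"},
    {"device": "meter-002", "hour": 14, "cell": "cell-C", "proto": "coap", "bytes": 1_900, "event": "report"},
    {"device": "cam-017", "hour": 9, "cell": "cell-B", "proto": "rtsp", "bytes": 80_000_000, "event": "report"},
    {"device": "meter-099", "hour": 3, "cell": "cell-A", "proto": "coap", "bytes": 1_500, "event": "report"},
    {"device": "bulb-x", "hour": 3, "cell": "cell-A", "proto": "http", "bytes": 100, "event": "report"},
]
# 60 attach attempts from the two commissioned meters in cell-A within one window.
SAMPLE += [
    {"device": "meter-00%d" % (1 + i % 2), "hour": 3, "cell": "cell-A", "proto": "coap", "bytes": 0, "event": "attach"}
    for i in range(60)
]

if __name__ == "__main__":
    verdicts, actions = detect(SAMPLE)
    for dev, reasons in verdicts.items():
        print(dev, reasons)
    print(actions)
```

The split between "isolate" and "quarantine-vlan" is deliberate: an unknown or blacklisted device, or one speaking a protocol it should not, gets cut off, while a known device that merely moved or surged is parked where it can still be inspected, since a benign firmware change or a relocated installer can explain those.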

Secure operations and management: providing operational guidance
• Management support: operator and vertical decision-making support, emergency assurance support
• Tools support: IoT platform background support, on-site O&M control tool, customized security development tool
• Security O&M: security situation awareness, routine security inspection, security evaluation and audit, O&M reports, installation and delivery, terminal authentication
To provide a basis for O&M personnel and decision makers.

Configurable device defense capability: LiteOS + chip security capabilities + SDK
• LiteOS system security on a lightweight kernel
• Open APIs and a security architecture for terminal security protection
• Sensing and connection architecture with DTLS and two-way authentication
• FOTA (firmware over the air) with secure update

Configurable device defense capability (2): the terminal device stack
• Application layer: application server over HTTPS; the value is provided by the industry
• Transport layer: DTLS/DTLS+ (DTLS: Datagram Transport Layer Security), DoS attack detection; DTLS+ adds security for NB-IoT towards the IoT platform
• Data link layer: 3GPP security, 4G security algorithms
• Device: Boudicca chip with AP (application processor), SP (security processor) and CP (general processor); LiteOS system security, encryption, software integrity check, SIM card security key

Big data analysis of IoT cybersecurity

Components: data-center big data analysis platform; sandbox; stream probes at the network, terminal, mobile device and IoT device; log collector; email server.
• Intelligent center of the whole network: network security situation awareness
• Collect all logs and traffic metadata; deep association and behaviour analysis identify APTs and other potential unknown threats
• Cooperate with the terminal security management system to clean up malware
• Identify and display APT attack paths and quickly investigate APT attacks

Cooperating with partners to build a harmonious, open, win-win IoT security ecosystem
• Developer community
• Security standards and certification
• Industrial IoT security alliance
• Open-source software
• Network security policies and regulations

Summary
• IoT is here and the threats are REAL
• Partnership and collaboration are key for success
• Best security practices and architectures must be followed, e.g., 3T+1M
• Effective governance and strict compliance are essential

THANK YOU

Case Study 1: Smart City

Network architecture: security plug-in | security camera, IoT security gateway, WAN/Internet, IoT platform, smart-city surveillance center.

Risks
1. Device risks: unmanaged devices, spoofing and intrusion
2. Network risks: IoT protocol attacks and DDoS attacks from millions of devices
3. Management risks: blind management areas and invisible risks

Security solution
1. Device: the security plug-in provides embedded security capabilities; device lifecycle management with periodic upgrade and maintenance; a PKI certificate management system ensures trusted access; encryption ensures the confidentiality and integrity of original data
2. Network: a lightweight tunnel encryption algorithm secures access at the IoT security gateway; a protocol whitelist filters IoT protocol traffic
3. Management: a big-data-analysis-based unified security monitoring platform gives awareness and display of the security posture; collaborative cloud protection and network collaboration defend against unknown threats

Case Study 2: Smart Metering

Network architecture: smart water meters (Huawei LiteOS | chip | module), NB-IoT network, IoT platform.

Risks
1. Device risks: water meters are closed unexpectedly by an attacker
2. Network risks: a large number of devices are compromised to launch DoS/DDoS attacks against the water company, causing a network breakdown
3. Data risks: attackers eavesdrop on and tamper with water meter data, affecting the company's earnings

Security solution
1. Device: comprehensive security mechanisms. External interface security: serial interface authentication to prevent external attacks. Internal protection: software signature verification to prevent malware implantation. LiteOS security: SafeArea and differential upgrade
2. Network: data transmission security and network anti-DDoS. E2E transmission security ensures the confidentiality and integrity of data in transit. Network anti-DDoS: beyond defense against traditional attacks, the core network and base stations work together in a new overload control mechanism against DoS attacks introduced by a large number of devices
3. Data: anti-attack protection for the IoT platform, data loss prevention, and privacy protection

Case Study 3: Internet of Elevators

Network architecture: elevator devices (elevator screen, elevator phone, smoke detection, video surveillance, advertising media) behind a convergent IoT gateway; agile controller; preventive maintenance and the property management company's systems (RESTful).

Risks
1. Device risks: elevator control is lost, endangering personal safety and causing service interruption
2. Cloud risks: commercially confidential information, such as el­evator location and customer information, is stolen

Security solution
1. Device: chip security supports TPM; OS security supports secure boot and software signatures; the IoT gateway determines whether elevator instructions are valid
2. Cloud: data is encrypted during transmission and storage; cloud platform security with anti-APT and anti-DDoS

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY

Defeating DDoS Needs a Precision Strategy

A10 Networks: Your Secure Application Services

Attack tools over time, evolved
[Figure: attack sophistication rising from 1980 to 2016 (password guessing, exploiting known vulnerabilities, hijacking sessions, password cracking, disabling audits, back doors, sniffers, packet spoofing, GUI tools, network management diagnostics, distributed attack tools, www attacks, denial of service, "stealth"/advanced scanning techniques, binary encryption tools) while the knowledge required of the intruder falls]

Hosting provider OVH hit by 1 Tbps DDoS attack
One of the world's largest hosting companies said its systems were hit by distributed denial-of-service (DDoS) attacks that reached nearly one terabit per second (Tbps).

77% of respondents agree: "Multi-vector attacks, which include volumetric and application layer attacks, will be most dangerous in the future."

Increased attacks, SecOps pressure (A10/IDG report, Sept. 2017)
• Frequency of attacks above 50 Gbps: 4x
• Growth: 307%
• Massive-scale multi-vector attacks (MVA): 1.2 Tbps+
• High-profile attacks are changing the economics of protection
• IoT-powered: Mirai, WireX, and today?
• 74% plan a budget increase in the next 6 months

Protecting high-profile networks worldwide
[Customer references: a top US cloud provider with 80+ A10 devices in 26 data centers; the largest mitigation platform in the UK (SecOps and performance); a global IaaS provider; gaming (1,800+ game titles protected, 35M active users); 3 mobile providers with a software VoLTE protection platform (100M+ users); 3-tier DDoS defense options; 237 countries; ...and many more]

Brawn to block multi-vector DDoS threats

• Thunder 14045 TPS: 300 Gbps, 440 Mpps; the highest mitigation capacity, for service providers and giants
• vThunder: turnkey NFV solutions for enterprises and service providers
• Thunder 840: enterprise
• Enhanced support with DSIRT and threat intel

Enhanced support: support with DSIRT and threat intel
• Augmented 24x7x365 support offering
• DSIRT (DDoS Security Incident Response Team) support included (new)
• Augmented by the dynamic A10 Threat Intelligence Service (now included)

Power of Thunder: A10 SYN cookie vs competitor SYN authentication

                    Rate       Rack units   Relative cost
Thunder 14045 TPS   440 Mpps   3 RU         1x
Competitor          440 Mpps   66 RU        15x
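How a SYN cookie lets a mitigator absorb a SYN flood without keeping a per-SYN queue entry, as an added example that is not A10's implementation: the server encodes a time counter, a keyed hash of the 4-tuple and the client's MSS class into its own initial sequence number, and only a returning ACK that acknowledges a cookie the server can recompute creates connection state. The secret, addresses, MSS table and counter values below are assumptions made for the demonstration.

```python
"""Stateless SYN cookies for a SYN-flood mitigator.

Added example; this is not A10's implementation.  It follows the classic
construction used by Linux: the server's initial sequence number carries an
8-bit time counter in the top bits and, in the low 24 bits, a keyed hash of
the 4-tuple and counter plus an index into a small MSS table, all offset by
the client's ISN.  No per-connection state is kept until the client's ACK
proves it can receive packets at its source address.  The secret and the
addresses below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values that fit in the cookie
COOKIE_BITS = 24
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MAX_COOKIE_AGE = 2                    # counter ticks an unanswered SYN/ACK stays valid
SECRET = b"constructed-demo-secret"   # assumption: a random per-host key in production


def _hash(saddr, daddr, sport, dport, count):
    """Keyed hash over the 4-tuple and time counter, truncated to 32 bits."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN/ACK; encodes everything needed to rebuild the connection."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    low = (_hash(saddr, daddr, sport, dport, count) + mss_idx) & COOKIE_MASK
    return (client_isn + ((count & 0xFF) << COOKIE_BITS) + low) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now_count):
    """Validate the cookie acknowledged by the client's ACK.

    Returns the negotiated MSS, or None if the cookie is stale or forged.
    """
    v = (cookie - client_isn) & 0xFFFFFFFF
    age = (now_count - (v >> COOKIE_BITS)) & 0xFF
    if age > MAX_COOKIE_AGE:
        return None                   # counter too old (or garbage): replay or forgery
    count = now_count - age
    diff = ((v & COOKIE_MASK) - _hash(saddr, daddr, sport, dport, count)) & COOKIE_MASK
    if diff >= len(MSS_TABLE):
        return None                   # hash mismatch: ACK was not derived from our SYN/ACK
    return MSS_TABLE[diff]


def simulate_handshake(saddr, daddr, sport, dport, client_isn, mss, syn_count, ack_count):
    """SYN seen at counter syn_count, ACK arriving at ack_count; returns accepted MSS or None."""
    server_isn = make_cookie(saddr, daddr, sport, dport, client_isn, mss, syn_count)
    # The ACK carries seq = client_isn + 1 and ack = server_isn + 1; the
    # mitigator recovers both from the packet and has stored nothing else.
    ack_seq = (client_isn + 1) & 0xFFFFFFFF
    ack_num = (server_isn + 1) & 0xFFFFFFFF
    return check_cookie(saddr, daddr, sport, dport,
                        (ack_seq - 1) & 0xFFFFFFFF, (ack_num - 1) & 0xFFFFFFFF, ack_count)


if __name__ == "__main__":
    client, server = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1])
    print(simulate_handshake(client, server, 40000, 443, 0x12345678, 1460, 7, 8))   # accepted
    print(simulate_handshake(client, server, 40000, 443, 0x12345678, 1460, 7, 11))  # too late
```

A flood of spoofed SYNs costs the mitigator one HMAC per SYN/ACK and no memory; a forged ACK fails the hash check and a late ACK fails the age check. The trade-off is visible in the MSS table: TCP options other than the MSS class are lost unless they are encoded somewhere else, which is the classic limitation of SYN cookies.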

A10 DDoS product differentiation: Thunder TPS at the perimeter, with BGP integration, for full network protection; the ADC in the data center for application protection.

A10 Networks winning recipe
• New team in the Middle East, strong technical team, training centers, spare parts depots
• Significant investment, professional services, multivendor support and integration
• Happy customers; we are winning business

Thank you

OBRELA SECURITY INDUSTRIES, ATHENS | LONDON

Threat Intelligence, The Power of Sharing
Charbel Sarkis

Dealing with today's issues
• Areas of greatest concern for security*: 1. cloud, 2. vulnerabilities in IT systems, 3. insider threats, 4. BYOD, 5. IoT
• Time to detect a breach*: [chart over minutes, hours and days; the percentages are not recoverable from the slide]
• Share of EMEA enterprises breached in the last 12 months*: [figure not recoverable]
• 3 billion new devices per year through 2020

And those of tomorrow

• Infrastructure evolution
• Evolving threat landscape
• Regulation, compliance and certification

The state of the enterprise network

Today's network is borderless, faster than ever, and more complex than ever.

Borderless
[Figure: endpoints, PoS, mobile, branch office, campus, data center, remote office and IoT: more ways in, more ways out, 0-day exposure]

Containing the borderless

• Perimeter and internal security in equal doses, with segmentation strategies
• Security extending outward from the core to the access layer
• Integration between the elements of the broader network security solution
[Figure: mobile, endpoint, campus, data center, branch office, PoS and IoT spanning internal and external zones]

Faster

Which compromise do you make? Business, security, infrastructure or speed.

Powering the solution
• Integration into the underlying network, not resting on top
• Scalability: in terms of size and function; current and projected performance requirements; and of the security model (the 3 P's)

Complex

Complexity decreases security effectiveness
[Figure: siloed products from vendors A through H across campus, branch office, data center and remote office, with no interaction and no integration]

Eliminating complexity
• Individual elements that work together, automatically
• Pervasive threat intelligence
• Single-pane-of-glass management
[Figure: email gateways, endpoint clients, firewalls and application security sharing threat intelligence]

Addressing today's security challenges

Today's network is borderless: security objective is to be broad
Today's network is faster than ever: security objective is to be powerful
Today's network is more complex than ever: security objective is to be automated

Broad: a fabric gives you complete visibility, coverage and flexibility across the entire dynamic attack surface
• Visibility, coverage, flexible/open
• Cloud security, application security, network security, access security, client/IoT security
Broad: a fabric allows flexible, open integration of multiple security technologies

Powerful: increasing performance reduces the burden on infrastructure
• Security processors (SPUs) and parallel-path processing
• Comprehensive range: high end accelerates 1 Tbps of network traffic; mid range accelerates content inspection; entry level is optimized for entry-level performance

Automated: a fast, coordinated response to threats
• Global and local intelligence; audit and recommend; coordinated response
• Known threats: FortiGuard; unknown threats: FortiSandbox

Rapid sharing of global and local threat intelligence
• Global threat intelligence (IoCs)
• Local threat intelligence (IoCs from traffic analysis across web, mail, firewall and client in the Security Fabric)
• Clustered networking: local intelligence distributed throughout the Security Fabric speeds mitigation
• Correlation of global IoCs and local logs pinpoints new threats

Threat intelligence sharing and IoCs
[Figure: fabric elements sharing intelligence: top-of-rack SDN/virtual firewall, database protection, identity, internal segmentation firewalls, web servers behind an application delivery controller and web application firewall, email server with email security, DC firewall / NGFW, DDoS protection, sandbox; asset, risk, threat, location, activity and data views]
What is shared:
• Attack telemetry from clients
• Malware samples
• Public and private information sources
• Monitoring
• Attack signatures
• Domain names
• Host names
• IP addresses
• File names
• Registry data
• Vulnerabilities
• Catalogued malware
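Putting the shared indicator types above to work, as an added example that is not Fortinet's code: a feed of defanged, expiring indicators (domains, IPs, URLs, file hashes) is normalised and correlated against constructed proxy, DNS and endpoint log lines, and each hit records the internal host involved so the correlation pinpoints affected assets rather than just matching strings. The feed format, the log format and every value in them are assumptions made for the demonstration.

```python
"""Correlating a shared indicator feed with local logs.

Added example, not Fortinet code.  The feed and the log lines are
constructed.  Indicators arrive defanged (hxxp://, [.]) and carry an expiry
date, the way shared intelligence usually does; log lines are key=value
records from a proxy, a DNS resolver and an endpoint agent.  Expired
indicators are dropped before matching so stale intelligence does not raise
false positives, and every hit records which internal host was involved.
"""
import ipaddress
import re
from datetime import date

MALWARE_SHA256 = "ab" * 32          # constructed digest of a catalogued sample
FEED = f"""\
# type,value,first_seen,expires,source
domain,evil-update[.]example,2017-09-01,2017-12-31,partner-cert
ip,198.51.100[.]23,2017-09-10,2017-12-01,sandbox
url,hxxp://cdn-files[.]example/loader.bin,2017-09-12,2017-12-31,sandbox
sha256,{MALWARE_SHA256},2017-08-20,2018-01-01,malware-catalog
ip,203.0.113.7,2017-01-01,2017-03-01,osint
"""
LOGS = rf"""
2017-10-14T09:12:03 proxy src=10.0.0.5 dst=198.51.100.23 url=http://cdn-files.example/loader.bin status=200
2017-10-14T09:12:05 dns client=10.0.0.5 query=EVIL-UPDATE.example. answer=198.51.100.23
2017-10-14T09:13:40 edr host=ws-042 file=C:\Users\a\loader.bin sha256={MALWARE_SHA256.upper()}
2017-10-14T09:20:11 proxy src=10.0.0.9 dst=93.184.216.34 url=http://www.example.com/ status=200
2017-10-14T09:21:00 dns client=10.0.0.9 query=www.example.com answer=93.184.216.34
2017-10-14T09:30:00 proxy src=10.0.0.9 dst=203.0.113.7 url=http://203.0.113.7/ status=404
"""
TODAY = date(2017, 10, 14)          # assumed "now" for the expiry check
KV = re.compile(r"(\w+)=(\S+)")


def refang(value):
    """Undo the common defanging conventions and normalise case."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v)


def load_feed(text, today=TODAY):
    """Parse the CSV feed into {type: {value: source}}, dropping expired indicators."""
    active = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        itype, value, _first_seen, expires, source = line.split(",")
        if date.fromisoformat(expires) < today:
            continue                                    # stale: keep out of matching
        value = refang(value)
        if itype == "ip":
            value = str(ipaddress.ip_address(value))    # validates and canonicalises
        active.setdefault(itype, {})[value] = source
    return active


def observables(fields):
    """Extract (type, value) observables from a parsed key=value log record."""
    out = set()
    for key, val in fields.items():
        v = val.lower()
        if key in ("src", "dst", "client", "answer"):
            out.add(("ip", str(ipaddress.ip_address(v))))
        elif key == "query":
            out.add(("domain", v.rstrip(".")))          # DNS names may carry a trailing dot
        elif key == "url":
            out.add(("url", v))
            host = re.sub(r"^https?://", "", v).split("/")[0]
            try:
                out.add(("ip", str(ipaddress.ip_address(host))))
            except ValueError:
                out.add(("domain", host))
        elif key == "sha256":
            out.add(("sha256", v))
    return sorted(out)


def correlate(feed, logs=LOGS):
    """Return (timestamp, internal host, type, value, source) for every indicator hit."""
    hits = []
    for line in logs.strip().splitlines():
        fields = dict(KV.findall(line))
        where = fields.get("src") or fields.get("client") or fields.get("host")
        for itype, value in observables(fields):
            source = feed.get(itype, {}).get(value)
            if source:
                hits.append((line.split()[0], where, itype, value, source))
    return hits


def run(today=TODAY):
    """Load the feed as of `today` and correlate it with the sample logs."""
    return correlate(load_feed(FEED, today))


if __name__ == "__main__":
    for hit in run():
        print(*hit)
```

Two details matter in practice and are easy to get wrong: indicators must be canonicalised on both sides (case, trailing dots, defanging, IP formatting) or the match silently fails, and expiry must be honoured, since the same feed that catches the loader on 10.0.0.5 would otherwise flag the long-expired 203.0.113.7 on 10.0.0.9.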

Takeout menu
• Broad: deeper visibility and control throughout a Security Fabric to reduce the attack surface from IoT to cloud
• Powerful: accelerated cloud-scale and security-processor-based appliances with coordinated logging, enabling maximum threat protection without affecting performance
• Automated: more efficient operations with Security Fabric audit/recommendations, intelligence sharing, and NOC views
• Multivendor integration for maximum ROI

THANK YOU

Adaptive Security Strategy for SOC
Ramy AlDamati, Principal Cybersecurity Solution Architect, Kaspersky Lab Middle East, Africa and Turkey

Global cyberthreat landscape

Malware evolution: looking back at 25 years of malware development
• 1994: 1 new virus every hour
• 2006: 1 new virus every minute
• 2011: 1 new virus every second
• 2017: 323,000 new samples every day

Threat evolution
[Figure: actors/targets and attacks/defenses over time, from nuisance to significant]

Trends and threats
Main goal: to understand global IT trends and the threats they bring.

IT trends: privacy and data protection challenge; connected cities; cars become smarter; consumerization and mobility; increasing online commerce; Internet of Things; cloud and virtualization; critical infrastructure at risk; big data; fragmentation of the Internet.

Threats: attacks on smart cities; malware for ATMs; IoT botnets; commercialization of APTs; merger of cybercrime and APTs; ransomware in targeted attacks; decreasing cost of APTs; hacktivism; supply chain attacks; targeted attacks; vulnerable connected cars; mobile threats; online banking at risk; massive data leaks; Internet of Things targeting; cyber-mercenaries; attacks on hotel networks; wipers and cyber-sabotage; ransomware; financial phishing attacks; attacks on PoS terminals; threats to smart cities.

The modern cyberthreat landscape
• Expanding attack surface: endpoints, network, cloud and SaaS, users, mobile devices, IoT
• Sophisticated attacks: spear-phishing, custom malware, zero-day exploits, social engineering, physical compromise
• Motivated and well-funded threat actors: malicious insiders, terrorists, organized crime, hacktivists, nation states

Cybersecurity challenges of the "nearest future"
• Endpoints: essential malware focus; compliance; skills demand
• Manual work; issues with multiple solutions; lack of integration; complexity of advanced security

Security expert yesterday, today, tomorrow
• 5-10 years ago: Security Engineer. Responsibility: building protection. Goal: prevent external threats.
• Today: Security Analyst. Responsibility: monitor and react. Goal: unify the processes and automate routine.
• Tomorrow (?): Threat Hunter. Responsibility: discover threats and manage advanced engines. Goal: protect the business.

Enterprise security trends

The average financial impact of a breach
(Results from Kaspersky Lab's Corporate IT Security Risks Survey, conducted worldwide by Kaspersky Lab. Base: 926 SMBs / 590 enterprises suffering at least one data breach.)

Cost item                                    SMB      Enterprise
Additional internal staff wages              $14K     $126K
Lost business                                $13K     $106K
Employing external professionals             $11K     $86K
Damage to credit rating/insurance premiums   $9K      $116K
Extra PR (to repair brand damage)            $8K      $91K
Compensation                                 $8K      $92K
Improving software and infrastructure        $10K     $119K
Training                                     $7K      $79K
New staff                                    $7K      $77K
Average total impact of a single breach      $86.5K   $891K

The reallocation of IT staff time represents the single largest source of additional cost for both SMBs and enterprises.

Financial impact of a security incident: recovery cost vs. time needed to discover the breach (enterprises)

Time to discovery                             Recovery cost
Almost instant (detection system in place)    $392,984
Within a few hours                            $555,274
Within a day                                  $864,214
Several days                                  $897,055
Over a week                                   $1,092,303

Headline: 200% growth of the recovery cost during the first week after discovering a security breach, for enterprises.

Enterprise security trends: external factors
• Most advanced threats use basic vulnerabilities and the human factor
• Availability and falling prices are leading to Cybercrime-as-a-Service
• Attacks on third parties: SMBs can become part of an attack chain

Enterprise security trends: internal factors
• Growing IT sophistication results in a visibility gap and a lack of operational information
• An average targeted attack stays undetected for more than 214 days
• Perimeter security is overestimated

The smallest percentage of threats creates the highest risk
• 0.1%: APTs, unique malware, 0-days; handled by machine learning, threat intelligence and advanced sandboxing
• 9.9%: targeted attacks, sophisticated malware; handled by heuristics, behaviour analysis and cloud reputation
• 90%: generic malware; handled by signature and rule-based protection

Targeted attack kill chain: theory vs reality
• In theory, pretty straightforward: Recon & Testing > Penetration > Propagation > Execution > Incident
• In reality, sophisticated and nonlinear: Recon & Testing > Penetration 1 (attached exploit) and Penetration 2 (watering hole) > Propagation 1 (e-mail) and Propagation 2 (network) > Execution (local and remote) > Incident

Targeted attack groups have rapidly increased
[Figure: timeline of campaigns 2010-2016, including Stuxnet, Duqu, Duqu 2.0, Flame, miniFlame, Gauss, RedOctober, Miniduke, CosmicDuke, Icefog, NetTraveler, Kimsuky, Darkhotel, Careto / The Mask, Regin, Turla, Epic Turla, Energetic Bear / Crouching Yeti, Carbanak, Naikon, MsnMM campaigns, Hellsing, Desert Falcons, Animal Farm, Equation, Wild Neutron, Winnti, Blue Termite, Satellite Turla, Sofacy, Metel, GCMan, Poseidon, Adwind, Lurk, Lazarus, Danti, ScarCruft, Dropping Elephant, Fruity Armor, Ghoul, StrongPity, ProjectSauron, TeamSpy part 2, Saguaro, Spring Dragon]

The new era of SOC

Traditional SOC: functionality
• Security device management and perimeter maintenance (proxy, firewall, IPS/IDS)
• Security event monitoring through SIEM (perimeter logs)
• Incident forensics and remediation
• Internal or regulatory compliance support (e.g. PCI DSS)

Traditional SOC: risk
• Lack of a comprehensive threat overview, impeding efficient security program development
• Poor prioritization of detected threats
• Undiscovered threats still active within the organization
• Lack of in-house expertise and shortage of skilled professionals on the market
• Inefficient incident response procedures leading to high recovery costs

The traditional SOC requires a redesign
Conventional SOC: log collection, aggregation and correlation, ticketing, reporting; unstructured processes.
Symptoms: reactive approach, no strategic overview, inefficient prioritization, lack of expertise.

Ice-climbing requires trusted teamwork and agility to continually detect and respond to hidden dangers in a challenging and ever-changing landscape, using the proper tools in harmony. So does your SOC.

Main four key elements for an intelligence-driven approach
• Threat intelligence from many different sources is essential to the timely detection of emerging threats
• Threat hunting proactively searches for threats remaining undetected by traditional security systems
• Knowledge management prevents and responds to increasingly sophisticated attacks
• An incident response framework limits damage and reduces remediation costs
These four map onto the CSOC/SIC cycle: predict, prevent, detect, respond.

The role of an adaptive security strategy

Predict: penetration testing service; application security assessment; Targeted Attack Discovery Service; Threat Intelligence Portal; customized APT reports; ...
Prevent: cybersecurity training; targeted enterprise solutions; endpoint security; datacenter security; embedded security; security awareness; industrial cybersecurity
Detect: global APT reports; threat data feeds; Threat Hunting Service; Advanced Threat Defense platform; Endpoint Detection & Response
Respond: premium support; dedicated security advisor; incident response service; digital forensics; malware analysis; Endpoint Detection & Response

The security operations framework relies on three key functions

People: formal training; internal on-the-job training and experience; vendor-specific training
Process: preparation, identification, containment, eradication, recovery, lessons learned
Technology: endpoint detection and management; NetFlow; network monitoring; incident management; forensics; threat intel

Kaspersky Adaptive Security Framework

Predict (threat intelligence sharing): security assessment, penetration testing, custom reports, Threat Intelligence Portal, APT reports, expert analysts, professional services
Prevent (defense strengthening, risk mitigation): embedded security, cybersecurity awareness, next-generation endpoint security, cloud security
Detect (multi-vector discovery, continuous monitoring): Endpoint Detection & Response, Anti Targeted Attack, managed protection, threat data feeds, targeted attack discovery, APT reports
Respond (effective countermeasures, security incident management): malware analysis, incident response, premium support, digital forensics, Endpoint Detection & Response
Core: threat intelligence, big data, machine learning and HuMachine™ expertise

Advanced detection with machine learning
• Global threat intelligence; customer-supplied and third-party TI; reputation
• Advanced anti-malware; Targeted Attack Analyzer (machine learning); sandboxing engine
• Standard signatures; YARA engine

Adaptive threat response: automation
• Prevent: prevention and advanced detection
• Respond: kill process, delete object, quarantine/recover, run a script/program
• Visibility and monitoring: collect forensic data
• Incident response and threat hunting

Empowering the process: from detection automation to response
• Driven by intelligence: APT and custom reports, threat data feeds, threat hunting, Threat Intelligence Portal, forensics training, incident response service
• Workflow: forensic data > discover > qualify > investigate > neutralize > recover
• Empowered by technologies: network traffic analysis, endpoint detection and response

It is the right time for an intelligence-driven SOC
Intelligence-driven SOC capabilities: advanced analytics, countermeasure capabilities, constant adaptation, operations automation
Added functions: knowledge management, research and development, threat intelligence, threat hunting
Retained foundation: log collection, aggregation and correlation, ticketing, reporting
Cycle: prevent, detect, respond, predict

Saving the world for 20 years. We protect what matters most.

THANK YOU