Session Presentation

#CLUS Security for the Rest of Us: Tips, Tricks, and Open Source for the Non-Enterprise
Mike McPhee, Systems Engineer, @mikey_mcphee
BRKSEC-1346

Slide 3: Abstract
• 62% of all cyber-attacks target small and medium businesses, and more than half of those breached won't last 6 months due to remediation costs and lost production or reputation. The same security approaches that work for global enterprises with dedicated SOCs and budgets can't work everywhere. The "little guys" deserve to operate securely too. This session will help participants find a more compact, integrated set of security tools and processes that work for their non-Enterprise businesses. Participants will see how to refine requirements, design streamlined security architectures, and fill holes with integrated tools that enhance visibility and enable automation. The session will also introduce simple integration steps that can reduce workloads while improving detection and protection. Participants will then see how Cisco's products like Firepower NGFW, Meraki, ESA, WSA, Threat Response and endpoint products can be used alongside open-source tools & information for a more secure but right-sized architecture.

#CLUS BRKSEC-1346 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Slide 4: What is this session about?
• Goal: Defend more effectively, reduce workload
• Constraints/Considerations:
  • Impossible without tight integration and openness
  • Integration & openness exist in two primary focus areas:
    • Intelligence feeds
    • Solution-to-Solution
• Solution:
  • Holistic requirement analysis unveils opportunities
  • Easy, quick-hit integrations blend solutions, reduce workloads, and improve efficacy.

Slide 5: About me
• 6 year Systems Engineer with Cisco
• Security focus with 200-2500 user & SMB coverage
• 12+ years designing C2 systems
• 6 years in US Navy (bubblehead)
• CCIE #41663 (R&S, Security)
• CCDE 20180018
• GSEC
• Weezer and Foo Fighters fan, so let’s get going!

Slide 6: Important: Reference Materials Embedded!
• Focus on awareness of integrations and benefits/effort around them
• Meant to be a leaping-off point, not an exhaustive walkthrough – pointers to other sessions for depth (slides marked "For Your Reference" and "Session worth visiting!")
• Download slides! Includes lots of hidden how-to’s
• We cannot cover:
  • Basic standup or inherent capabilities of each product
  • Detailed configuration – this is an introductory session
  • Programming – we have great DevNet sessions to assist!

Slide 7: Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#BRKRST-1346

Slide 8: Agenda
• What’s in your threat picture?
• A typical small or midmarket security architecture
• Beginning with the easy stuff
• Building a smarter perimeter
• Automating the Interior
• Conclusion

Slide 9: What are you afraid of?

Slide 10: What threats are trending for security?
• Sophisticated, high-impact threats:
  • Ransomware cryptoworms
  • Self-propagating malware
  • Campaigns launched from single domain
• Using technology to avoid detection:
  • Encrypted threats
  • C2 channels that use legitimate internet services
• Exploitation of security gaps in endpoints and cloud:
  • Unpatched, unmonitored endpoints
  • Lack of speedy remediation
From the Cisco 2018 Annual Cybersecurity Report

Slide 11: What have the last few years taught us?
We all have much to protect. Attackers don’t care about size.
• Attackers target your organization’s:
  • Customer data
  • Intellectual property
  • Company secrets
• Victims suffer huge costs & degraded reputation:
  • 54% of all attacks result in financial damages of >$500k, including lost revenue, customers, opportunities, and out-of-pocket costs (Cisco 2018 Security Capabilities Benchmark Study)
  • 60% of small businesses are unable to sustain their business more than six months following a cyberattack (October 2016, The National Cyber Security Alliance (NCSA))
  • 53% of midmarket companies have experienced a breach (2018 Cisco SMB Cybersecurity Report)

Slide 12: It isn’t popular to view threats through a small business lens
• Lots of awesome reports! But…
• Poor representation of small/medium (non-enterprise) environments
• Change is happening…
  • Cisco SMB Cybersecurity Report (2018): http://cs.co/9009Eeqa5
  • Verizon DBIR Report: https://vz.to/2KSHAC0
  • SANS 2018 IR Survey: https://bit.ly/2IBBzrh

Slide 13: Malicious Binaries and Encryption hamper visibility
Attackers embrace encryption to conceal their command-and-control activity.
[Chart, November 2016 to October 2017: Global Encrypted Web Traffic rose from 38% to 50% (12% increase); Malicious Sandbox Binaries with Encryption rose from 19% to 70% (268% increase)]

Slide 14: Recent events have exposed a focus on multi-vendor silos and lack of adherence to simple best practices
• WannaCry and Nyetya: rapid-moving, self-propagating network-based attacks (network-based ransomware worms)
• Poor patch hygiene: old vulnerabilities and tricks will happen again

Slide 15: Visibility and analytics can help expose malicious use of legitimate resources
• Cybercriminals adopting C2 channels that use legitimate Internet services:
  • PowerShell & WMI
  • SMB
  • DNS
[Figure (source: Anomali), why legitimate services appeal to attackers: Easy setup; IP address leverage; Encryption for C2; Reduce burning infrastructure; Subverts domain and certificate intelligence; Whitelisted; Adaptability]

Slide 16: Better focus on the fundamentals can make a big impact
• 86% of malicious payloads are delivered through email (73%) and web (13%)
[Chart residue: a second figure of 81% whose caption was not recovered]

Slide 17: A typical small or midmarket security architecture

Slide 18: Agenda
• What’s in your threat picture?
• A typical small or midmarket security architecture
  • Identifying the gaps in typical architectures
  • So how can we fix this?
  • Using models to chart a path
• Beginning with the easy stuff
• Building a Smarter Perimeter
• Automating the Interior
• Conclusion

Slide 19: Defenders still favor perceived “best of breed” to provide “defense in depth”
• 72% use best-of-breed vs. 28% use a single vendor solution

Slide 20: But is it possible we are in over our head?

Slide 21: Fragmented architectures generate noise and alert fatigue
[Funnel: 100% of Security Events; 92% of Events Cause Alerts, 8% Experienced No Alert; 44% of Alerts are Investigated, 56% of Alerts are NOT Investigated; 34% of Investigated Alerts are Legitimate, 66% of Alerts Prove Benign; 51% of Legitimate Alerts are Remediated, 49% of Legitimate Alerts are NOT Remediated]
• Uninvestigated alerts still create huge business risk
• Cluttered Visibility – plenty of opportunities to miss something
• More tools usually = more places to work, less time to remediate

Slide 22: Focus on protection products alone spawns strategic, operational, and tactical Issues
• Focus on single-product protection (inbound) at expense of system-wide detection (outbound)
• Overemphasis on products leaves openings for attackers
• Too much reliance on neglected staff to hold it all together
[Chart (People, Products, Policies): 26% of issues can be addressed by products alone; 74% might also require people and/or processes to address]

Slide 23: So how can we fix this? Borrow the USAF OODA Loop!
• Step 1: Observe
  • Understand mission
  • Assess threats/risks
• Step 2: Orient
  • Select model or methodology
  • Prioritize goals & establish success metrics
• Step 3: Decide
  • Select cost-effective solutions to achieve goals/mitigate risks
  • Look for quick-wins to buy time for longer-term projects
• Step 4: Act
  • Implement
  • Train and dedicate resources
  • Continually monitor success

Slide 24: Observe: Know yourself! (and your mission) (Sun Tzu’s most important lesson)
• What are the priorities?
• Evaluating the balance of Confidentiality, Integrity, and Availability is important
• Risk priorities & mitigation options vary by industry/geo/org.
• Examples (notional): [Figure: stacked C/I/A priority rankings (Confidentiality, Integrity, Availability) for a Utility, Healthcare, and a Credit Union]

Slide 25: Cybersecurity’s cold truth – risk is unavoidable

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    115 Page
