Channel Partners: Where Ideas Get Real
Source: files.informatandm.com/uploads/2017/4/4.3_richter.pdf
TRANSCRIPT
Assessing Customer Risk For Fun & Profit
#CPExpo
TRACK CHAIR: Lorna Garey, Editor in Chief, Knowledge & Networking
SPEAKER: Chris Richter, SVP, Global Security Services
© 2016 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential.
Assessing Customer Risk
Chris Richter
SVP, Global Security Services
@RichterOnCyber
Level 3 Communications: A little about us…
© 2017 Level 3 Communications, LLC. All Rights Reserved. Level 3’s global network is made up of owned, leased access and
IRU segments, which are not distinguished on this map. Level 3 engages in-region carriers to provide services in some markets.
• Over $8B in annual revenue
• ~12,600 employees
• Connecting 60+ countries and counting
• 212,000+ route miles of fiber globally
• More than 360 multi-tenant datacenters
Security from Our Lens: 24 x 7 we track, monitor and manage
• We collect ~87 TB of data per day
• We identify and remove at least 25 C2 networks a month
• We monitor ~1.3 billion security events per day
• We respond to and mitigate ~100 DDoS attacks a day
• We monitor over 48 billion NetFlow sessions per day
• We collect ~357 million DNS queries per day
Growing Threat Environment
Security Landscape Continues to Evolve
Attacks Are Changing In Form, Complexity, Volume
• Malware: 75% of organizations studied were injected with malicious adware [1]
• Costs: Cybercrime damage costs to hit $6 trillion annually by 2021 [3]
• Breach: 47% of victims learn they are breached by a third party [2]
• Antivirus Signatures: 100 percent of victims had up-to-date anti-virus signatures [2]
• Compromised Systems: 46% of compromised systems had no malware on them [2]
1 Source: Cisco 2017 Annual Cybersecurity Report
2 Source: FireEye 2016 infographic fireeye-advanced-threat-protection.pdf
3 Source: Hackerpocalypse, a Cybercrime Revelation, Steve Morgan, Cybersecurity Ventures 2016 Crime Report
Who Is Attacking?
Who Is Attacking, and Using Which Strategies?
[Chart: share of observed attack activity by strategy: Scan, Phish, Malware, Bot, C2; values shown 36%, 18%, 16%, 19%, 11%]
Top 10 countries seen hosting C2s in Q1, 2017 (Source: Level 3 Threat Research Labs, March 2017):
1. United States
2. Canada
3. Russia
4. Taiwan
5. Great Britain
6. France
7. Brazil
8. Germany
9. Netherlands
10. Mexico
Challenge: Securing the Evolving, Increasingly Complex Network
[Diagram of the enterprise attack surface: Public Internet, VPN, Mobile Workers, Mobile Connectivity, Email and Web Traffic, Web Properties, Headquarters, Munich Branch Office, Paris Branch Office, Remote Offices, Cloud Deployments (Amazon Web Services, Google, MS Azure), Partner and Contractor Access (Environmental Controls, POS, CRM), Third-Party Data Center Applications, Vendor Supply Chain, and connected devices: Mobile Phone, SmartWatch, Tablet, Appliances, Security Systems, Google TV, Apple TV, Netflix, Gaming Systems, Engine computer, Wi-Fi, Bluetooth, Computer, Lights, GPS, Entertainment]
Exploiting Those Attack Vectors at Scale: IoT Vulnerabilities and Mirai Botnets
[Charts: Global Distribution of Mirai Bots; Volume of Attacks by Type. Source: Level 3 Threat Research Labs]
• "How 1.5 million connected cameras were hijacked to make an unprecedented botnet", Motherboard, September 29th, 2016
• "Hackers Release Botnet Code, Raising Specter of More Attacks", WSJ, October 5th, 2016
Basics: What Is Risk?
What Is Risk?
What’s at Stake? Examples of Risk Include:
• Income and revenue loss
• Lost reputation, brand damage
• Legal (compliance, contractual)
• Loss of assets (customer data, intellectual property)
• Liability of BOD and senior management
• Random expenses associated with risk
Publicly held companies (and board members) are especially under pressure to establish best practices to protect data, and can be held liable for failing to establish guidelines for adhering to regulatory requirements.
What Is Risk?
What Are the Components of Risk?
Typical examples of threats include:
• Accidents
• Malicious attacks
• Theft and fraud
• System failure
• Network and power outages
• Employee or service provider errors
• Force majeure
The generally accepted theoretical formula used by risk managers is:
Risk = Sum (Threats x Vulnerabilities x Asset Values)
What Is Risk?
Examples of Vulnerabilities to an
Organization Include:
• Poorly written software
• Configuration mistakes
• Poorly designed architecture
• Insufficient security controls
• Lack of redundancy
• Poor password control
• Lack of a maintenance and patch management process
• Lack of compliance enforcement
• Lack of security policies and procedures
• Lack of a business continuity program
• Poorly trained or inadequate staff
What Is Risk?
There Are Four Key Methods of Mitigating Risk:
1. Organizations can transfer the risk, such as financial risk, to a third party – an insurance company, for example
2. They can cease the activity that causes the risk
3. They can accept the risk
4. Or, they can treat the risk with controls
What Is the Right Approach?
FIRST STEP: Develop a formal risk-management program that begins with a
comprehensive risk assessment. A solid risk-management program can improve a
company’s business efficiency, reduce its risk exposure, and thus improve its
performance and bottom line.
Benefits are real:
- Risks are treated and made manageable
- Risk exposure is reduced
- Number and cost of cybersecurity controls is usually reduced
- Operational efficiency can improve, while costs are reduced, improving the bottom line
According to industry research, cost of compliance is 70% lower on average
for organizations with a formal risk management program in place.
Risk Assessment Essentials – And More
Key Elements of a Risk Assessment
The Steps Each Organization Should Take
1. Audit and Classify Enterprise Data
2. Evaluate the Applications
3. Audit and Evaluate the IT Infrastructure
4. Understand What Makes Enterprises a Target
5. Develop a Risk-Based (Not Compliance-Based) Approach
6. Collaborate
Automated Tools & Solutions
1. Audit and Classify Enterprise Data
Understand the value and location of data assets
[Diagram: data categories shown: Marketing, Financial, Newsfeeds/Blogs, Legal documents, Cardholder data, Healthcare/PHI]
2. Evaluate Applications
Understand the applications’ security and the data they control and access
[Diagram: application examples shown: e-Commerce, Test and Development, ERP, CRM, Payment processing]
3. Audit the IT Infrastructure
Audit systems, network and IT elements
Focus on Simplicity
• Complexity Is a Risk
• Segmentation
• APIs
• Orchestration
• Network Elements
• Storage and Backup
• Access Controls
• Patch management
4. Teach Them What Makes Them a Target
Understand threats to data and what makes Enterprises a target
Threats
• External
• Internal
• Physical
Targeting
• Provocative actions
• Public announcements, contracts, and other public data
• Nature of the organization’s business and culture
5. Governance, Risk and Compliance
They should fear the hacker, not the auditor
• Being compliant does not equal secure
• Help them look beyond standards and regulations
• Establishing and adhering to a governance, risk, and compliance (GRC) framework (many to choose from!)
• Developing a risk-based approach to managing threats and vulnerabilities
6. Collaboration
Collaborate with service providers and peers
• Some controls are better suited for delivery by service providers (network, cloud, MSSPs, risk assessments, etc.)
• Collaboration with peer organizations is vital
• Take advantage of government resources: standards, programs, events, consortiums, services
• Take advantage of advanced tools to continually monitor threats
Risk and Threat Management Tools: For More Comprehensive Analysis and Monitoring
Risk Assessment & Management Tools
• Methodologies
• Controls
• Technologies
• Processes and Action Plans
• Continuous Monitoring
Continuous Monitoring Through Threat Intelligence Tools
Threat intelligence tools provide correlated, actionable information so Enterprises can direct time and resources to mitigation and protection
Predicting Attacks Before They Happen: The Backbone as The Sensor
[Diagram, components: Sampled Traffic Flows from the Network; Open Source and Private Threat Feeds; Threat Feeds and Proprietary Algorithms; Monitoring and Correlation For Identifying Malicious Traffic; Threat Analytics; Threat Research Labs; Threat Intelligence Team; Data Scientists; SOC; Alerting; Network Security Systems; DDoS, Customer SIEM & MSSPs; Global Internet]
Threat Intelligence Use Case: Major Motion Picture Studio
Customer: Major Motion Picture Studio
Situation: Customer experienced frequent compromises from temporary workforce introducing malware within their network, despite a large security equipment investment.
Solution: With Level 3’s Adaptive Threat Intelligence, the customer was able to identify external, malicious IP addresses and infected internal machines. The service blocked these addresses using specific rules and policies.
Threat Intelligence Use Case: A European Water Treatment Business
BEFORE: Q4 2016
61 Instances of C2 Communications
▪ 32 Inbound Sessions
▪ 29 Outbound Sessions
▪ Source and destination communication with known malicious host and IP
40 Instances of Malware Communications
▪ 0 Inbound Sessions
▪ 8 Outbound Sessions
▪ Source and destination communication with known malicious host and IP
AFTER: January 2017
▪ Five Threats in Total
▪ No C2
▪ No Malware
▪ 2 Bots
▪ 2 Scans, only 1 found to be possibly malicious
▪ 1 Phishing
▪ Three suspicious source locations
- Taiwan, Ukraine, Serbia
- Most likely blocked by firewall
Threat Intelligence Use Case: A US City
BEFORE: Q4 2016
226 Instances of C2 Communications
▪ 21 Inbound Sessions
▪ 205 Outbound Sessions
▪ Source and destination communication with known malicious host and IP
23 Instances of Malware Communication
▪ 8 Inbound Sessions
▪ 15 Outbound Sessions
▪ Source and destination with known malicious host and IP
AFTER: January 2017
2 Instances of a C2 Communication
▪ 0 inbound, non malicious
▪ 2 outbound, same IP addresses, possible malicious IP
2 Instances of Malware
▪ 0 Inbound sessions
▪ 2 outbound sessions, only 1 malicious
▪ IP on 4 blacklist sites as well as Cymon
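The correlation step in the backbone-as-sensor pipeline and the before/after counts in these use cases, as an added example that is not from the original deck or Level 3's own service: it matches constructed sampled flow records against a constructed indicator feed and produces the same kind of per-category inbound/outbound summary, listing the customer hosts that initiated sessions to an indicator and flagging indicators seen on only one feed as possibly malicious. All IP addresses, feed names and the customer prefix are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed indicator feed (documentation-range IPs, not real indicators):
# IP -> (category, feeds listing it); agreement across feeds raises confidence.
THREAT_FEED = {
    "203.0.113.10": ("C2", {"feed-a", "feed-b", "feed-c"}),
    "203.0.113.77": ("Malware", {"feed-a"}),
    "198.51.100.5": ("Bot", {"feed-b", "feed-d"}),
}
# Constructed sampled flows (src, dst, bytes); 192.0.2.0/24 is the customer.
SAMPLE_FLOWS = [
    ("192.0.2.15", "203.0.113.10", 1200),   # internal host beaconing to C2
    ("192.0.2.15", "203.0.113.10", 900),
    ("203.0.113.10", "192.0.2.15", 400),    # C2 replying inbound
    ("192.0.2.40", "203.0.113.77", 5000),   # malware download
    ("198.51.100.5", "192.0.2.80", 60),     # bot probing inbound
    ("192.0.2.80", "192.0.2.81", 10),       # internal-only, ignored
    ("192.0.2.40", "198.51.100.200", 70),   # external, not in feed, ignored
]

def correlate(flows, feed, customer_cidr, min_sources=2):
    """Summarise per category: inbound/outbound session counts, customer hosts
    that initiated sessions to an indicator ("infected"), and indicators seen
    on fewer than min_sources feeds ("low_confidence": possibly malicious)."""
    net = ipaddress.ip_network(customer_cidr)
    report = defaultdict(lambda: {"inbound": 0, "outbound": 0,
                                  "infected": set(), "low_confidence": set()})
    for src, dst, _nbytes in flows:
        src_in = ipaddress.ip_address(src) in net
        dst_in = ipaddress.ip_address(dst) in net
        if src_in and not dst_in and dst in feed:       # outbound session
            direction, indicator, host = "outbound", dst, src
        elif dst_in and not src_in and src in feed:     # inbound session
            direction, indicator, host = "inbound", src, None
        else:
            continue                                    # nothing to correlate
        category, sources = feed[indicator]
        entry = report[category]
        entry[direction] += 1
        if host:
            entry["infected"].add(host)
        if len(sources) < min_sources:
            entry["low_confidence"].add(indicator)
    return dict(report)

if __name__ == "__main__":
    for cat, e in correlate(SAMPLE_FLOWS, THREAT_FEED, "192.0.2.0/24").items():
        print(cat, e["inbound"], "inbound,", e["outbound"], "outbound,",
              "infected", sorted(e["infected"]), "possible", sorted(e["low_confidence"]))
```

Run against a real sampled-flow export, the same summary gives the "N instances, X inbound, Y outbound" figures shown in the use cases, and the infected-host set is what the rules and policies in the studio case would block.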
Risk Assessments Require a Holistic View
[Diagram: Level 3 IP Network with Multi-Service Port, surrounded by Application Management, Cloud Connectivity, Security, Global Reach, Blue Jeans, IP VPN, Internet, AWS, DDoS, SIP, Mobile Users, Content Delivery, Azure, Office 365, Public and Private, Network-Based Security, Adaptive Network Control]
Additional Resources
▪ NIST Cybersecurity Framework
▪ Center for the Protection of National Infrastructure (CPNI)
▪ Communications Electronic Security Group, UK (CESG)
▪ UK Computer Emergency Response Teams (CERT)
▪ Institute of Information Security Professionals (IISP)
▪ Cloud Security Alliance
▪ Action Fraud
▪ Information Commissioner’s Office (ICO)
▪ Cyber-security Information Sharing Partnership (CiSP)
▪ Information Sharing and Analysis Centers (ISACs)
- FS-ISAC
- NH-ISAC
- IT-ISAC
▪ ISACA
▪ WARP in Latin America
Happy Birthday, World Wide Web
Risk Management Is a Journey!
THANK YOU! Don’t forget to turn in your survey at the door!
Channel Partners: Where Ideas Get Real