Channel Partners: Where Ideas Get Real


Page 1: Channel Partners: Where Ideas Get Realfiles.informatandm.com/uploads/2017/4/4.3_Richter.pdf · 8 Inbound Sessions 15 Outbound Source and Destination with known malicious host and

Channel Partners: Where Ideas Get Real

Page 2

Assessing Customer Risk For Fun & Profit

Page 3

#CPExpo

TRACK CHAIR: Lorna Garey, Editor in Chief, Knowledge & Networking

Page 4

#CPExpo

SPEAKER: Chris Richter, SVP, Global Security Services

Page 5

© 2016 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential.

Assessing Customer Risk


Chris Richter

SVP, Global Security Services

@RichterOnCyber

Page 6


Level 3 Communications: A little about us…

© 2017 Level 3 Communications, LLC. All Rights Reserved. Level 3’s global network is made up of owned, leased access and IRU segments, which are not distinguished on this map. Level 3 engages in-region carriers to provide services in some markets.

• Over $8B in annual revenue

• ~12,600 employees

• Connecting 60+ countries and counting

• 212,000+ route miles of fiber globally

• More than 360 multi-tenant datacenters

Page 7


Security from Our Lens: 24 x 7 we track, monitor and manage


• We collect ~87 TB of data per day

• We identify and remove at least 25 C2 networks a month

• We monitor ~1.3 billion security events per day

• We respond to and mitigate ~100 DDoS attacks a day

• We monitor over 48 billion NetFlow sessions per day

• We collect ~357 million DNS queries per day

Page 8


Growing Threat Environment

Page 9


Security Landscape Continues to Evolve

Attacks Are Changing In Form, Complexity, Volume

• Malware: 75% of organizations studied were injected with malicious adware [1]

• Costs: Cybercrime damage costs to hit $6 trillion annually by 2021 [3]

• Breach: 47% of victims learn they are breached by a third party [2]

• Antivirus Signatures: 100 percent of victims had up-to-date anti-virus signatures [2]

• Compromised Systems: 46% of compromised systems had no malware on them [2]

1 Source: Cisco 2017 Annual Cybersecurity Report

2 Source: FireEye 2016 infographic fireeye-advanced-threat-protection.pdf

3 Source: Hackerpocalypse, a Cybercrime Revelation, Steve Morgan, Cybersecurity Ventures 2016 Crime Report

Page 10


Who Is Attacking?

Page 11

Who Is Attacking, and Using Which Strategies?

Top 10 countries seen hosting C2s in Q1, 2017 (Source: Level 3 Threat Research Labs, March 2017):

1. United States 2. Canada 3. Russia 4. Taiwan 5. Great Britain 6. France 7. Brazil 8. Germany 9. Netherlands 10. Mexico

[Chart: attacks by type (Scan, Phish, Malware, Bot, C2); percentages shown: 36%, 18%, 16%, 19%, 11%]

Page 12

Challenge: Securing the Evolving, Increasingly Complex Network

[Diagram of the enterprise attack surface. Elements shown: Public Internet; VPN; Mobile Workers; Mobile Connectivity; Email and Web Traffic; Web Properties; Headquarters; Munich Branch Office; Paris Branch Office; Remote Offices; Cloud Deployments: Amazon Web Services, Google, MS Azure; Partner, Contractor Access: Environmental Controls, POS, CRM; Third-Party Data Center Applications; Vendor Supply Chain; consumer and IoT devices: Mobile Phone, SmartWatch, Tablet, Appliances, Security Systems, Google TV, Apple TV, Netflix, Gaming Systems, Engine computer, Wi-Fi, Bluetooth, Computer, Lights, GPS, Entertainment]

Page 13

Exploiting Those Attack Vectors at Scale: IoT Vulnerabilities and Mirai Botnets

[Charts: Global Distribution of Mirai Bots; Volume of Attacks by Type. Source: Level 3 Threat Research Labs]

“How 1.5 million connected cameras were hijacked to make an unprecedented botnet” (Motherboard, September 29th, 2016)

“Hackers Release Botnet Code, Raising Specter of More Attacks” (WSJ, October 5th, 2016)

Page 14

Basics: What Is Risk?

Page 15

What Is Risk?

What’s at Stake? Examples of Risk Include:

• Income and revenue loss

• Lost reputation, brand damage

• Legal (compliance, contractual)

• Loss of assets (customer data, intellectual property)

• Liability of BOD and senior management

• Random expenses associated with risk

Publicly held companies (and board members) are especially under pressure to establish best practices to protect data, and can be held liable for failing to establish guidelines for adhering to regulatory requirements.

Page 16

What Is Risk?

What Are the Components of Risk?

Typical examples of threats include:

• Accidents

• Malicious attacks

• Theft and fraud

• System failure

• Network and power outages

• Employee or service provider errors

• Force majeure

The generally accepted theoretical formula used by risk managers is:

Risk = Σ (Threats × Vulnerabilities × Asset Values)

Page 17

What Is Risk?

Examples of Vulnerabilities to an

Organization Include:

• Poorly written software

• Configuration mistakes

• Poorly designed architecture

• Insufficient security controls

• Lack of redundancy

• Poor password control

• Lack of maintenance and patch mgt. process

• Lack of compliance enforcement

• Lack of security policies and procedures

• Lack of a business continuity program

• Poorly trained or inadequate staff

Page 18

What Is Risk?

There Are Four Key Methods of Mitigating Risk:

1. Organizations can transfer the risk, such as financial risk, to a third party – an insurance company, for example

2. They can cease the activity that causes the risk

3. They can accept the risk

4. Or, they can treat the risk with controls
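The formula on the earlier "What Is Risk?" slide (Risk = Sum of Threats × Vulnerabilities × Asset Values) and the four mitigation methods listed above can be worked through together in a small risk register. The Python below is an added example, not code from the slide deck or from Level 3: every asset name, likelihood and dollar figure is constructed, and modelling each method as a change to one term of the formula (transfer shrinks the exposure, cease zeroes it, accept leaves it, treat reduces the vulnerability) is a choice made for this example rather than something the deck prescribes.

```python
"""Risk register worked through with Risk = Sum(Threats x Vulnerabilities x Asset Values)
and the four mitigation methods from the slides (transfer, cease, accept, treat).

Added example, not code from the slide deck. Every asset, likelihood and dollar
figure below is constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    asset: str
    asset_value: float    # exposure if the asset is lost or breached, in USD (constructed)
    threat: float         # annual likelihood that a threat acts on the asset, 0..1
    vulnerability: float  # probability the threat succeeds when it acts, 0..1

    def risk(self) -> float:
        """Expected annual loss for one item: Threat x Vulnerability x Asset Value."""
        return self.threat * self.vulnerability * self.asset_value


def total_risk(register) -> float:
    """The slide's formula: sum of Threat x Vulnerability x Asset Value over all items."""
    return sum(item.risk() for item in register)


def prioritised(register):
    """Highest expected loss first: the order in which to spend treatment effort."""
    return sorted(register, key=lambda item: item.risk(), reverse=True)


# The four key methods of mitigating risk, each modelled as a change to one
# term of the formula (a modelling choice made for this example).
def transfer(item: RiskItem, insured_fraction: float) -> RiskItem:
    """Transfer (e.g. insurance): the exposure kept on the books shrinks."""
    return replace(item, asset_value=item.asset_value * (1 - insured_fraction))


def cease(item: RiskItem) -> RiskItem:
    """Cease the activity: the exposure disappears along with the asset."""
    return replace(item, asset_value=0.0)


def accept(item: RiskItem) -> RiskItem:
    """Accept: carry the risk knowingly; nothing in the formula changes."""
    return item


def treat(item: RiskItem, control_effectiveness: float) -> RiskItem:
    """Treat with controls: the vulnerability term is reduced."""
    return replace(item, vulnerability=item.vulnerability * (1 - control_effectiveness))


# Constructed register (not real figures).
REGISTER = [
    RiskItem("cardholder database", asset_value=5_000_000, threat=0.30, vulnerability=0.40),
    RiskItem("legacy test server", asset_value=50_000, threat=0.50, vulnerability=0.90),
    RiskItem("marketing site", asset_value=200_000, threat=0.60, vulnerability=0.10),
    RiskItem("ERP system", asset_value=2_000_000, threat=0.10, vulnerability=0.20),
]

# One treatment decision per asset (constructed plan).
PLAN = {
    "cardholder database": lambda i: treat(i, control_effectiveness=0.75),
    "legacy test server": cease,
    "marketing site": accept,
    "ERP system": lambda i: transfer(i, insured_fraction=0.50),
}


def apply_plan(register, plan=PLAN):
    """Return the residual register after applying one treatment per item."""
    return [plan.get(item.asset, accept)(item) for item in register]


if __name__ == "__main__":
    for item in prioritised(REGISTER):
        print(f"{item.asset:22s} expected annual loss {item.risk():>12,.0f}")
    print(f"inherent risk: {total_risk(REGISTER):,.0f}")
    print(f"residual risk: {total_risk(apply_plan(REGISTER)):,.0f}")
```

With the constructed figures the inherent risk is 674,500 and the residual risk after the plan is 182,000; the ranking produced by `prioritised` shows why the cardholder database, not the noisy test server, is where controls pay off most.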

Page 19

What Is the Right Approach?

FIRST STEP: Develop a formal risk-management program that begins with a comprehensive risk assessment. A solid risk-management program can improve a company’s business efficiency, reduce its risk exposure, and thus improve its performance and bottom line.

Benefits are real:

- Risks are treated and made manageable

- Risk exposure is reduced

- Number and cost of cybersecurity controls is usually reduced

- Operational efficiency can improve, while costs are reduced, improving the bottom line

According to industry research, cost of compliance is 70% lower on average for organizations with a formal risk management program in place.

Page 20

Risk Assessment Essentials – And More

Page 21

Key Elements of a Risk Assessment

The Steps Each Organization Should Take

1. Audit and Classify Enterprise Data

2. Evaluate the Applications

3. Audit and Evaluate the IT Infrastructure

4. Understand What Makes Enterprises a Target

5. Develop a Risk-Based (Not Compliance-Based) Approach

6. Collaborate

Automated Tools & Solutions

Page 22

1. Audit and Classify Enterprise Data

Understand the value and location of data assets. Data categories shown: Marketing, Financial, Newsfeeds/Blogs, Legal documents, Cardholder data, Healthcare/PHI

Page 23

2. Evaluate Applications

Understand the applications’ security and the data they control and access. Applications shown: e-Commerce, Test and Development, ERP, CRM, Payment processing

Page 24

3. Audit the IT Infrastructure

Audit systems, network and IT elements

Focus on Simplicity

• Complexity Is a Risk

• Segmentation

• APIs

• Orchestration

• Network Elements

• Storage and Backup

• Access Controls

• Patch management

Page 25

4. Teach Them What Makes Them a Target

Understand threats to data and what makes Enterprises a target

Threats:

• External

• Internal

• Physical

Targeting:

• Provocative actions

• Public announcements, contracts, and other public data

• Nature of the organization’s business and culture

Page 26

5. Governance, Risk and Compliance

They should fear the hacker, not the auditor

• Being compliant does not equal secure

• Help them look beyond standards and regulations

• Establishing and adhering to a governance, risk, and compliance (GRC) framework (many to choose from!)

• Developing a risk-based approach to managing threats and vulnerabilities

Page 27

6. Collaboration

Collaborate with service providers and peers

• Some controls are better suited for delivery by service providers (network, cloud, MSSPs, risk assessments, etc.)

• Collaboration with peer organizations is vital

• Take advantage of government resources: standards, programs, events, consortiums, services

• Take advantage of advanced tools to continually monitor threats

Page 28

Risk and Threat Management Tools: For More Comprehensive Analysis and Monitoring

Page 29

Risk Assessment & Management Tools

• Methodologies

• Controls

• Technologies

• Processes and Action Plans

• Continuous Monitoring

Page 30

Continuous Monitoring Through Threat Intelligence Tools

Threat intelligence tools provide correlated, actionable information so Enterprises can direct time and resources to mitigation and protection

Page 31

Predicting Attacks Before They Happen: The Backbone as The Sensor

[Diagram of the threat-intelligence pipeline, stages numbered 1 to 5. Components shown: Global Internet; Sampled Traffic Flows from the Network; Open Source and Private Threat Feeds; Threat Feeds and Proprietary Algorithms; Monitoring and Correlation For Identifying Malicious Traffic; Threat Analytics; Data Scientists; Threat Research Labs; Threat Intelligence Team; SOC; Network Security Systems; Alerting; DDoS, Customer SIEM & MSSPs]

Page 32

Threat Intelligence: Use Case, Major Motion Picture Studio

Customer: Major Motion Picture Studio

Situation: Customer experienced frequent compromises from temporary workforce introducing malware within their network, despite a large security equipment investment.

Solution: With Level 3’s Adaptive Threat Intelligence, the customer was able to identify external, malicious IP addresses and infected internal machines. The service blocked these addresses using specific rules and policies.

Page 33

Threat Intelligence: Use Case, A European Water Treatment Business

BEFORE: Q4 2016

61 Instances of C2 Communications

▪ 32 Inbound Sessions

▪ 29 Outbound Sessions

▪ Source and destination communication with known malicious host and IP

40 Instances of Malware Communications

▪ 0 Inbound Sessions

▪ 8 Outbound Sessions

▪ Source and destination communication with known malicious host and IP

AFTER: January 2017

▪ Five Threats in Total

▪ No C2

▪ No Malware

▪ 2 Bots

▪ 2 Scans, only 1 found to be possibly malicious

▪ 1 Phishing

▪ Three suspicious source locations

- Taiwan, Ukraine, Serbia

- Most likely blocked by firewall

Page 34

Threat Intelligence: Use Case, A US City

BEFORE: Q4 2016

226 Instances of C2 Communications

▪ 21 Inbound Sessions

▪ 205 Outbound Sessions

▪ Source and destination communication with known malicious host and IP

23 Instances of Malware Communication

▪ 8 Inbound Sessions

▪ 15 Outbound Sessions

▪ Source and destination with known malicious host and IP

AFTER: January 2017

2 Instances of a C2 Communication

▪ 0 inbound, non-malicious

▪ 2 outbound, same IP addresses, possible malicious IP

2 Instances of Malware

▪ 0 Inbound sessions

▪ 2 outbound sessions, only 1 malicious

▪ IP on 4 blacklist sites as well as Cymon
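The before/after tallies in the two use cases above (instances of C2 and malware communication, split into inbound and outbound sessions with known malicious hosts) are what you get when sampled flow records are matched against an indicator list. The Python below is an added example of that matching logic, not Level 3’s Adaptive Threat Intelligence service or any of its code: the indicator list, the customer address range (192.0.2.0/24, an RFC 5737 documentation prefix) and the flow records are all constructed, and the rule that an outbound session from a customer host to a C2 indicator marks that host as likely infected is this example's own heuristic.

```python
"""Match sampled flow records against a known-malicious indicator list and tally
C2 / malware communications by direction, the way the use-case slides count
inbound and outbound sessions with known malicious hosts.

Added example, not Level 3's Adaptive Threat Intelligence or its code. The
indicator list, the customer prefix and all flow records are constructed; the
addresses are RFC 5737 documentation ranges.
"""
import ipaddress
from collections import Counter

# Constructed indicator list: address -> category, as a threat feed would supply.
INDICATORS = {
    "203.0.113.10": "C2",
    "203.0.113.99": "C2",
    "198.51.100.7": "Malware",
}

# Constructed customer address space (RFC 5737 documentation prefix).
CUSTOMER = ipaddress.ip_network("192.0.2.0/24")

# Constructed sampled flows, one session each: (source ip, destination ip, destination port).
FLOWS = [
    ("192.0.2.15", "203.0.113.10", 443),   # internal host beaconing to a C2 indicator
    ("192.0.2.15", "203.0.113.10", 443),   # same host, second session
    ("203.0.113.99", "192.0.2.20", 22),    # C2 indicator initiating toward the customer
    ("192.0.2.30", "198.51.100.7", 80),    # internal host fetching from a malware host
    ("198.51.100.7", "192.0.2.40", 445),   # malware host initiating toward the customer
    ("192.0.2.31", "198.51.100.200", 53),  # no indicator on either side: not counted
    ("203.0.113.10", "203.0.113.50", 80),  # neither side is the customer: not counted
]


def classify_flow(src, dst, customer=CUSTOMER, indicators=INDICATORS):
    """Return (category, direction, indicator) when one end of the session is a
    known malicious host and the other end is a customer host, else None.

    'outbound' means the customer host initiated the session toward the
    indicator; 'inbound' means the indicator initiated toward the customer.
    """
    src_is_customer = ipaddress.ip_address(src) in customer
    dst_is_customer = ipaddress.ip_address(dst) in customer
    if src_is_customer and dst in indicators:
        return indicators[dst], "outbound", dst
    if dst_is_customer and src in indicators:
        return indicators[src], "inbound", src
    return None


def tally(flows):
    """Count matched sessions per (category, direction), e.g. ('C2', 'outbound')."""
    counts = Counter()
    for src, dst, _port in flows:
        hit = classify_flow(src, dst)
        if hit is not None:
            category, direction, _indicator = hit
            counts[(category, direction)] += 1
    return counts


def likely_infected_hosts(flows):
    """Customer hosts that initiated sessions toward a C2 indicator. Outbound
    beaconing is the strong signal that an internal machine is compromised,
    which is what the motion-picture use case needed to find (heuristic chosen
    for this example)."""
    hosts = set()
    for src, dst, _port in flows:
        hit = classify_flow(src, dst)
        if hit is not None and hit[0] == "C2" and hit[1] == "outbound":
            hosts.add(src)
    return hosts


def report(flows):
    """Render the tally in the same shape as the slides."""
    counts = tally(flows)
    lines = []
    for category in ("C2", "Malware"):
        inbound = counts[(category, "inbound")]
        outbound = counts[(category, "outbound")]
        lines.append(f"{inbound + outbound} Instances of {category} Communications")
        lines.append(f"  {inbound} Inbound Sessions")
        lines.append(f"  {outbound} Outbound Sessions")
    return lines


if __name__ == "__main__":
    print("\n".join(report(FLOWS)))
    print("likely infected:", sorted(likely_infected_hosts(FLOWS)))
```

Run against the constructed flows it reports 3 instances of C2 communications (1 inbound, 2 outbound) and 2 of malware (1 inbound, 1 outbound), and names 192.0.2.15 as the host to pull for investigation; a session with no indicator on either end, or with no customer host on either end, is never counted, which is why blocking the matched addresses at the edge (as the studio use case describes) drives the next period's counts toward zero without touching benign traffic.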

Page 35

Risk Assessments Require a Holistic View

[Diagram of the Level 3 service portfolio around a Multi-Service Port on the Level 3 IP Network. Elements shown: Connectivity (IP VPN, Internet, SIP, Mobile Users, Content Delivery, Global Reach); Cloud (AWS, Azure, Office 365, Blue Jeans, Public, Private); Security (DDoS, Network-Based Security, Adaptive Network Control); Application Management]

Page 36


Additional Resources

▪ NIST Cybersecurity Framework

▪ Center for the Protection of National Infrastructure (CPNI)

▪ Communications Electronic Security Group, UK (CESG)

▪ UK Computer Emergency Response Teams (CERT)

▪ Institute of Information Security Professionals (IISP)

▪ Cloud Security Alliance

▪ Action Fraud

▪ Information Commissioner’s Office (ICO)

▪ Cyber-security Information Sharing Partnership (CiSP)

▪ Information Sharing and Analysis Centers (ISACs)

- FS-ISAC

- NH-ISAC

- IT-ISAC

▪ ISACA

▪ WARP in Latin America

Page 37

Happy Birthday, World Wide Web

Risk Management Is a Journey!

Page 38

THANK YOU! Don’t forget to turn in your survey at the door!

Page 39

Channel Partners: Where Ideas Get Real