nzisf talk: six essential security services


Page 1: NZISF Talk: Six essential security services

The Six essential security services
Hinne Hettema
IT Security Team Leader
The University of Auckland
Email: [email protected]

PGP Key ID: B1EA7147 | PGP Key Fingerprint: AC12 2983 2EA1 B328 95BB B4AE EDA5 8E90 B1EA 7147

NZISF | 9 February 2017 | Auckland

Page 2: NZISF Talk: Six essential security services

root@myops:~# whoami

• Theoretical chemist and philosopher by training (PhD 1993 and 2012)
• Wrote DALTON program code [in FORTRAN]
• Played with supercomputers such as Cray Y-MP
• First got hacked in 1991
• Worked 15 years as IT Infrastructure architect for various NZ companies
• Now lead the IT Security team @UoA by day
• Public speaker and cybersecurity blogger, Gartner Research Circle
• Present at technical cyber security conferences

Page 3: NZISF Talk: Six essential security services

root@myops:~# whoami > graphic

Page 4: NZISF Talk: Six essential security services

My mission: Become a ‘second generation’ security leader, focusing on the security challenges of new technology for large organisations: the cloud, threat intelligence handling and sharing, and big data initiatives to drive an improved security posture for complex organisations.

Page 5: NZISF Talk: Six essential security services

Contents

1. The root of the problem
2. A conventional view: cyber security is a business problem
3. A maverick view: cyber security is a business problem
4. The six essential security services
5. A call to action

Page 6: NZISF Talk: Six essential security services

The root of the problem

Page 7: NZISF Talk: Six essential security services

Security train wreck: why the mess?

The IT industry creates and maintains eternal economic disincentives to build better security into anything:
1. Rapid consumerisation, hence feature driven development (security is not a feature)
2. Time and cost driven market model (lowering quality)
3. Security has to be relearned at each new phase of development (why, oh why is ‘telnet’ the most common IoT port?)
With IoT, to make it worse, these disincentives are meeting:
4. Long expected lifetimes

Page 8: NZISF Talk: Six essential security services

And the business response

Operational security dimension | Fear | Resilience
Security posture | Reactive | Proactive
Incident approach | Panic [denial, anger, bargaining] | Controlled chaos
Security team HR | “we need a fall guy” | “build the team”
Security monitoring | Haphazard; [worse] vendor driven | Controls based on attacker behaviour/movement, known exploit risks, known vulnerability/exposure
Predictability | None / little | Anticipated events
People impact | Burn-out | Busy
Security perception | IT problem; hackers are nerds doing bad things! | Business problem; hackers are people too
Defence focus | Border; fortress; defence in depth | “Assume breach”; immune system; resilience and antifragility

Page 9: NZISF Talk: Six essential security services

A conventional view: cyber security is a business problem

Page 10: NZISF Talk: Six essential security services

Cyber security as a risk exercise

• Cybersecurity usually seen as an area of tactical IT risk

• Risk treatment strategies
  • Accept (who accepts what risk on behalf of whom?)
  • Mitigate (what to put in place?)
  • Transfer (insurance?)

• Two notes
  • Trends cannot always be extrapolated
  • Cyber security risk is ‘black swan’ territory, so actuarial calculations are problematic

Page 11: NZISF Talk: Six essential security services

All your risks are belong to us

• Tactical IT risk hides cybersecurity risk safely somewhere in the realm of the ‘techies’

The four mistakes people make when looking to get security leadership:
1. Short-change how much risk is actually involved
2. Get the reporting structure wrong
3. Overemphasise the technical
4. Looking for five-legged unicorns (the ‘skill shortage’)

http://www.heidrick.com/Knowledge-Center/Publication/Four-mistakes-to-avoid-when-hiring-your-next-security-chief

Page 12: NZISF Talk: Six essential security services

Compliance focus

• Compliance is not a comprehensive answer to risk
• Rather than a baseline, compliance becomes the end-goal (understandable if the starting point is abject non-compliance…)
• Focus on compliance can lead to a ‘box-ticking’ exercise and poorly conceived or mis-scoped security solutions

Page 13: NZISF Talk: Six essential security services

Governance, Risk, Compliance

What can possibly go wrong…?
• Cybersecurity usually seen as an area of tactical IT risk (risk of mis-scoping)
• Struggle to get from the IT department up to board level
• Focus on compliance leads to box-ticking exercise
• Compliance concerns drive security solutions that don’t work
• This gives security a bad name
• Solution: disband your security team…

Page 14: NZISF Talk: Six essential security services

If all this works so badly, let’s just…

Page 15: NZISF Talk: Six essential security services

A maverick view: cyber security is a business problem

Page 16: NZISF Talk: Six essential security services

Recognise the true complexity

http://cyber-analysis.blogspot.co.nz/2014/10/cyber-terrain-model-for-increased.html

Page 17: NZISF Talk: Six essential security services


Crims and others on the cyber terrain…

• Unlike ‘acts of god’, attacks are intentional

Cyber attack is a very attractive mode of crime or espionage / sabotage
• Very large economies of scale
• Very low chance of getting caught
• Very easy to do in different jurisdictions, so low chance of conviction
• Methods and tools readily available
  • In large quantity and variety

Page 18: NZISF Talk: Six essential security services

Prospect theory and your cybers

• GRC models are based on ‘rational behaviour’
• We are evolutionarily primed to prefer fast solutions that help us survive (something rustles in the bushes…)
• Daniel Kahneman: Thinking, Fast and Slow
• Look at prospect theory
  • A loss feels 2.25 times as bad as a similar gain feels good
  • Overweight small probabilities, and underweight big ones
• Defenders: avoid a big loss (becoming the next Sony), overestimate small probabilities (APT); the easy attitude to adopt is to become big risk takers (spend megabucks on some flashing-lights automated kill chain mitigation device)

Page 19: NZISF Talk: Six essential security services

The ‘operations dilemma’

• Good cyber security depends on a lot of small things done well
  • Which each help to mitigate a ‘small loss’
  • Or have small gains

Operations?
• It’s ‘operational’, and hence it’s cost minimised
• Or it’s assumed ‘done already’
• Operational people outside security often have a ‘break fix’ attitude (they are incentivised to avoid outages), so no patching, no hygiene, ‘but it works’

Page 20: NZISF Talk: Six essential security services

Outcomes of the ‘operations dilemma’

1. Many criminally under-adopted (hard to get budget for) tools
  • 2FA or two-step verification
  • Canaries (thinkst or canary.tools)
  • Understanding the threats in your context – any logging and monitoring projects
  • Certificate health and maintenance

2. Overspending on high risk technical solutions
  • Non-contextualised threat intelligence feeds and tooling
  • Automated threat mitigation tools
  • ‘Prevention’ and DLP tools

Page 21: NZISF Talk: Six essential security services

‘Operations Dilemma’ restated

• We can get action if there are massive and costly breaches
• Otherwise it’s hard to get visibility and budget
• We don’t help ourselves: Department of ‘No’
• How many of us can
  • Provide instant and up to date metrics on small breaches and incidents?
  • Define the services that the security team provides to the rest of the organisation?
  • Work our people in virtual teams, devops, cloud?
  • Work with agencies and trust groups if required?

Page 22: NZISF Talk: Six essential security services

Strategic aspects of cyber security

Consider this
• Almost all ‘new’ business is heavily digital or has IT as a central component
• Existing and new customers need to trust you if they are to continue business with you
• We want to use ‘cloud’ to cut costs
• We’re rapidly re-engineering ‘IT’ from waterfall to DevOps
• ‘Cloud’ is a strategic choice and changes all security architectures we have so far been comfortable with (firewalls will become irrelevant)

Page 23: NZISF Talk: Six essential security services


Where to focus security operations?

‘Services’ help define ‘security’ in terms the rest of the business understands

• Compliance approach is still primarily preventive
• ‘Beyond compliance’ is proactive, predictive and corrective in each stage of the IT factory
• Step 1: What can we learn from actual breaches that happened to us?

Page 24: NZISF Talk: Six essential security services
Page 25: NZISF Talk: Six essential security services

The six essential security services: best practice, maturity, examples

Page 26: NZISF Talk: Six essential security services

The six essential security services

• Strategy
• Policies
• Architecture
• Penetration testing
• Monitoring and Alerting
• Incident response

Page 27: NZISF Talk: Six essential security services

Strategy: why

• Cyber security is now firmly a matter of boards, who need education themselves (a good strategy can help)
• No longer ‘just an IT issue’
• Security is becoming exponentially more complex: it’s about maintaining trust in the digital assets of an organization, understanding the threats to that trust, and sharing that intelligence with the community in a controlled fashion
• Security landscape changes incredibly quickly
• Strategy needs to be forward looking and anticipate changes

Page 28: NZISF Talk: Six essential security services

Strategy: how

• Strategy is narrative and contextual
• Focus on the two upper levels of the pyramid of pain in your business context
• The ‘why’ of the attack landscape is most important
• Build on existing strengths: reputation, mission, values, value chain

David Bianco: The pyramid of pain http://detect-respond.blogspot.co.nz/2013/03/the-pyramid-of-pain.html

Page 29: NZISF Talk: Six essential security services

Strategy: forward or backward looking

Recommended strategic settings:

• Assume breach
• Fully informed management
• Threat hunting, collection and intelligence program
• Address how to work with agencies – legal, organisational, reputational

Backward looking strategy is focusing on
• Compliance
• Anything with ‘ISO’
• Risk management

Forward looking strategy focuses on
• Antifragility
• Resilience
• Threat hunting and discovery
• Cloud enablement
• Trust and its implementation

Page 30: NZISF Talk: Six essential security services

Policies: how, why, maturity

• My least favourite area!
• Writing is easy, adoption is key
• Can plunder other sites, but no substitute for understanding your own business

Maturity
• Immature: Policies for each technology element
• Mature: Policies focusing on trust anchors, data classification, use

Page 31: NZISF Talk: Six essential security services

Architecture

Aim for Defensible Architecture

Understand and document the key elements driving security posture:
1. Security zones: geographic, legal, physical, logical (not just defence in depth!)
2. User, workload and data perimeters
3. Trust calculations for user / data access or data / data access
4. Controls and detection

Page 32: NZISF Talk: Six essential security services

Key architecture practices

• Trust modelling
• Threat modelling
• Mitigations integrated with a risk framework
• Monitoring and detection baked in from day 1

Page 33: NZISF Talk: Six essential security services

Penetration / security testing

• Works two ways:
  • Backward into the next design iteration
  • Forward into deploying operational protection
  • And bugs can get fixed

• Mix of manual and automated
• Works on application hardening
• Aspect of QA – integrate with QA service?

Page 34: NZISF Talk: Six essential security services

Penetration testing: maturity

Immature
• Run an automated scan across every web site

Mature
• Do your architects threat model? Great! You’ve just got yourself a test plan for penetration testing
• Don’t forget your buildings, access cards, shadow cloud
• For stuff that you can’t fix: implement deployment controls

Page 35: NZISF Talk: Six essential security services

Monitoring and Alerting

• Think along the threat chain
• Understand the various stages of an attack, at least conceptually and in the context of your business
• Select detection, mitigation and tooling techniques that suit your business
• Be wary of ‘automated kill chain mitigation’ tools

Page 36: NZISF Talk: Six essential security services

Attack stages: the ‘kill chain’

Source: A “Kill Chain” Analysis of the 2013 Target Data Breach: Majority Staff Report For Chairman Rockefeller, March 26, 2014, diagram attributed to Lockheed Martin

Page 37: NZISF Talk: Six essential security services

The kill chain as a detection tool

Source: A “Kill Chain” Analysis of the 2013 Target Data Breach: Majority Staff Report For Chairman Rockefeller, March 26, 2014

Page 38: NZISF Talk: Six essential security services

Tooling examples

• Ingress / egress at the border
• Flow data
• Packet captures
• IDS close to key services
• Logon / logoff intelligence
• System logs
• Host systems – HIDS / HIPS / system hardening

Page 39: NZISF Talk: Six essential security services

Kill chain derived tooling matrix

Columns on the original slide: Border | Hosts | Internal network | Storage | …

Discovery: NIDS; referrers; flows, patterns
Weaponisation: FW logs
Delivery: FW, flows; AV, EMET, HID[P]S
Exploitation: NIS; AV; internal IDS
Installation: HID[P]S, configuration, ports; files, changes
Lateral movement: FW, logs, flow data
Command and control: flows, egress traffic; file access
Actions on objectives: flows; destruction

Page 40: NZISF Talk: Six essential security services

Alerting strategy

Leading principle: Alerts are based on contextualised data

Example – automate this:
• IDS detects attack against a server [say, ssh brute forcing]
• When was the last vulnerability scan done?
• Where is the report?
• Should a report be run now?
• Is the server vulnerable to this attack? [Yes / Maybe / No]

Page 41: NZISF Talk: Six essential security services

Contextualisation

• This can drive the ‘big data threat intelligence’ strategy
• Can’t buy everything
• Your own logs and auth records are key components
• Consolidate on noSQL solution, with large storage
• Automate threat indicator collection
• Do not generate alerts if not necessary
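The alerting workflow from page 40 and the contextualisation points above (your own logs and auth records as the key component; no alert if not necessary), worked through as an added Python example. This is not code from the talk or from the University of Auckland: the sshd log lines, the scan inventory, the 5-failures-in-60-seconds threshold, the 30-day scan-age limit and the Yes / Maybe / No decision rule are all constructed for illustration. The raw signal comes from the logon intelligence listed under tooling examples rather than from a network IDS, which keeps the example self-contained.

```python
"""Contextualised alerting: detect an SSH brute-force burst in auth logs, then
enrich the alert with vulnerability-scan state before deciding what to do.
Added example; log lines, inventory and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2017                      # syslog lines carry no year; assumed here
WINDOW = timedelta(seconds=60)       # constructed policy: 5 failures per 60 s
THRESHOLD = 5
MAX_SCAN_AGE = timedelta(days=30)    # constructed policy: rescan if older

# Constructed sshd lines in classic syslog layout (RFC 5737 test addresses).
AUTH_LOG = """\
Feb  9 10:00:01 web01 sshd[4120]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb  9 10:00:02 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51235 ssh2
Feb  9 10:00:03 web01 sshd[4122]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Feb  9 10:00:04 web01 sshd[4123]: Failed password for root from 203.0.113.7 port 51237 ssh2
Feb  9 10:00:05 web01 sshd[4124]: Failed password for root from 203.0.113.7 port 51238 ssh2
Feb  9 10:00:06 web01 sshd[4125]: Failed password for oracle from 203.0.113.7 port 51239 ssh2
Feb  9 10:07:30 web01 sshd[4130]: Failed password for hinne from 198.51.100.5 port 40001 ssh2
Feb  9 10:07:41 web01 sshd[4131]: Accepted publickey for hinne from 198.51.100.5 port 40002 ssh2
"""

# Constructed scan inventory: last scan date, where the report lives, findings.
SCAN_INVENTORY = {
    "web01": {"last_scan": datetime(2017, 2, 1), "report": "scans/web01-2017-02-01.html",
              "findings": {"ssh-weak-password-policy": "medium"}},
    "db01": {"last_scan": datetime(2016, 11, 20), "report": "scans/db01-2016-11-20.html",
             "findings": {}},
}
# Which scanner findings make a given attack type credible (constructed ids).
ATTACK_FINDINGS = {"ssh-brute-force": {"ssh-password-auth-enabled", "ssh-weak-password-policy"}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse_failures(log_text):
    """Yield (time, host, src, user) for every failed-password line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["src"], m["user"]

def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Raw signal: one alert per (host, src) that reaches `threshold` failures
    inside any sliding `window`.  Returns a list of alert dicts."""
    by_key = defaultdict(list)
    for ts, host, src, user in parse_failures(log_text):
        by_key[(host, src)].append((ts, user))
    alerts = []
    for (host, src), events in by_key.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        for i, t in enumerate(times):
            while times[start] < t - window:     # slide the window's left edge
                start += 1
            if i - start + 1 >= threshold:
                alerts.append({"type": "ssh-brute-force", "host": host, "src": src,
                               "failures": len(events),
                               "users": sorted({u for _, u in events}),
                               "first": times[0], "last": times[-1]})
                break                             # one alert per key is enough
    return alerts

def assess(alert, inventory, now):
    """Answer the slide's questions: last scan, report location, rescan needed,
    and is the host vulnerable to this attack (Yes / Maybe / No)."""
    ctx = {"last_scan": None, "report": None, "rescan": True, "vulnerable": "Maybe"}
    entry = inventory.get(alert["host"])
    if entry is None:
        return ctx                                # never scanned: we do not know
    ctx["last_scan"], ctx["report"] = entry["last_scan"], entry["report"]
    ctx["rescan"] = now - entry["last_scan"] > MAX_SCAN_AGE
    if ctx["rescan"]:
        return ctx                                # stale evidence is still "Maybe"
    relevant = ATTACK_FINDINGS.get(alert["type"], set())
    ctx["vulnerable"] = "Yes" if relevant & set(entry["findings"]) else "No"
    return ctx

def contextualise(alert, inventory, now):
    """Attach scan context and choose an action: page on Yes, open a ticket and
    queue a rescan on Maybe, only log on No (no alert raised when not needed)."""
    ctx = assess(alert, inventory, now)
    action = {"Yes": "page", "Maybe": "ticket", "No": "log"}[ctx["vulnerable"]]
    return {**alert, **ctx, "action": action}

def run(log_text=AUTH_LOG, inventory=SCAN_INVENTORY, now=datetime(2017, 2, 9, 12)):
    """Detect, then contextualise every alert; returns the enriched alerts."""
    return [contextualise(a, inventory, now) for a in detect_brute_force(log_text)]

if __name__ == "__main__":
    for a in run():
        print(a["action"].upper(), a["host"], a["src"], a["vulnerable"], a["report"])
```

The single legitimate-user failure from 198.51.100.5 never becomes an alert, and the burst from 203.0.113.7 is paged only because the recent scan of web01 already recorded a relevant finding; the same burst against a host with a stale or missing scan would open a ticket and a rescan instead of paging anyone.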

Page 42: NZISF Talk: Six essential security services

Incident response: maturity

• No maturity: nothing or headless chicken
• Low maturity: SIEM
  • Lots of false positives
  • Analysts sit waiting for an alarm to go off
  • Passive activity, turning you into a victim
  • No capability to consume and use threat intelligence

• High maturity:
  • Contextualised TI, warning early in kill chain
  • Blue teaming
  • Active hunting

Page 43: NZISF Talk: Six essential security services

The elites: Threat Intelligence Sharing

• Open source feeds
• Sharing collectives / trust groups
• Commercial feeds
• Your own attack intelligence
  • Network
  • Memory
  • Antivirus
  • Logs
  • Enterprise data stores

Page 44: NZISF Talk: Six essential security services

A call to action

Page 45: NZISF Talk: Six essential security services

Where to from here?

• Start with an understanding of the business
• A full-fledged security strategy is not necessary on day 1, but executive support is required
• Start with incidents, monitoring and alerting and build out from there
• If that’s hard, think ‘logs’
• Architecture / threat modelling your processes is next
• Put monitoring and alerting around identified threats (past incidents)
• Investigate incidents in depth to understand your adversary

Page 46: NZISF Talk: Six essential security services

Key considerations in security leadership

1. Drive from tactical to strategic: know how to articulate the dimensions of ‘trust’ and ‘security’ for new business

2. Step out of tech: Understand ‘security’ in terms of the ‘cyber terrain’ (people, process, technology)

3. Drive the closure of the incident response loop (organisational learning)

4. Develop and contextualise threat intelligence by enriching logs and incident data before buying expensive platforms and feeds

5. Work with agencies and trust groups

http://www.heidrick.com/Knowledge-Center/Publication/Does_Your_Security_Chief_Have_Board_Level_Commercial_Savvy

Page 47: NZISF Talk: Six essential security services

Questions?