2009 10 22 Jeff Brown Raytheon ISA AIA Raytheon Information Sharing Webinar Entitled Information...
7/31/2019 2009 10 22 Jeff Brown Raytheon ISA AIA Raytheon Information Sharing Webinar Entitled Information Assurance Strategy for the Rest of Us
Page 1
Jeff Brown
CISO
22 October, 2009
An Information Assurance Strategy for the Rest of Us
Copyright 2009 Raytheon Company. All rights reserved.
"Customer Success Is Our Mission" is a registered trademark of Raytheon Company.
Sponsored by Aero Webinar Series
Page 2
Upcoming AIA/ISA Webinars
n Testing In A Real Environment Leads to Faster Cyber Security Innovationfeaturing General (Ret.) Charles Charlie Croom, Vice President of CyberSecurity Solutions, Lockheed Martin Information Systems & Global Services andCurt Aubley, Chief Technology Officer CTO, Lockheed Martin Operations &Next Generation Solutions. To be presented on 11/5/09
n Supply Chain Issues in Cyber Security A Framework for Moving Forwardfeaturing Scott Borg, Director and Chief Economist (CEO) at the U.S.Cyberconsequences Unit. To be presented on 11/19/09
n Legal Framework for Securing Unified Communications featuring JeffreyRitter, President, Waters Edge Consulting.
Page 3
Roadmap
- The Environment
- A Strategy Beyond Defense in Depth
- 3 Affordable Ways to Implement the Strategy
Page 4
The Advanced Persistent Threat
- Increasingly sophisticated cyber threats by hostile entities designed to gain control of your network for the long term
- Intellectual property theft on a grand scale
- Not just one particular country or group
- Aerospace companies are target #1!
Page 5
None of us, big or small, can stop a determined cyber attack from succeeding!
We can't rely on traditional defenses (good patching, firewalls, IDS, AV, etc.) in the age of social engineering and zero-day exploits.
Page 6
But how much can you invest in cyber security?
Likely not a fraction of what DoD and the Big Primes are investing.
Page 7
So where does that leave us?
We can't stop e-mail or web browsing.
Page 8
It would be easy to be pessimistic. But you'd be wrong.
There is a strategy that can give you a lot of lift.
Page 9
A Strategy for the Rest of Us
- Recognize they will get in.
- Work to detect and disrupt outbound command and control channels.
If intruders get in, but can't get back out, we win!
Page 10
If your infrastructure addresses the fact that intruders will get in, the number of intrusions becomes much less relevant.
Which has less risk?
- If 100 get in and can't get out, or only last a day before C2 monitoring finds them
- If 10 get in and have free rein for 3 months before a sys admin finds them
Page 11
The primary metric becomes Dwell Time
How long were you exposed?
Page 12
Your Goal
- Your goal should be to drive down Dwell Time any way you can.
- If Dwell Time trends down, your cyber security is improving.
[Chart: days between compromise and discovery, plotted per incident/date]
Page 13
So Focus on Outbound Traffic
- It's easier and the highest payoff!
- There is far less noise on outbound traffic
- It decouples malware detection from the vulnerability
Disrupt and Deny the Adversary's Command and Control Traffic
Page 15
Blocking the Known
Discover and block C2 sites any way you can
You can use other people's money! Collaboration is cheap. The return on investment is high.
Page 17
You Don't Have to Share Much
- You're not admitting you were compromised, just that you found something
Share the outbound traffic info! "We saw malware beaconing or communicating to www.badsite.org or 123.45.67.211"
Page 18
Collaboration Opportunities
Measure of merit: is it near-real time?
- ISACs
- Amongst yourselves
- Defense Industry Base Cyber Task Force
- Law Enforcement (InfraGard)
- Defense Security Information Exchange
Page 19
3 Ways to Make This Strategy Real
- Collaboration: Block the known C2
- Server Segregation: Channel the Unknown
- Web Authentication: Challenge the Unknown
Page 20
Servers - It's where the money is
- Servers are where the adversary wants to live: on 24x7, and they contain the most valuable data
- Limit unknown traffic to and from them
Page 21
Channeling the Unknown
- Most servers have no business initiating traffic to the Internet except for very specific sites (updates, etc.)
- It is easy to enumerate valid destinations
"I'm sorry, file server, I can't connect you with www.badguy.com"
Page 22
Channel all Server Traffic
- Servers should only talk to the Internet through a known choke point to known sites
  - Put them in a separate subnet(s)
  - Point all to a separate proxy
  - Permit only mission essential sites
    - Proxy denies become meaningful
    - Allow sys admin 2-factor authentication overrides
- Above all, prohibit sys admin e-mail and surfing
Page 23
What Does That Do For You?
- No way for malware to beacon to its owner
- To access a server, they must compromise a client and move laterally
  - Much noisier
  - Combine with two factor authentication for servers and you really have something
- Experience shows that all malicious traffic moves to clients overnight
- And it costs nothing except the labor to consolidate server subnets and identify valid sites
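The server choke-point policy from the two preceding slides, as an added example that is not the webinar's or Raytheon's code: server subnets, per-server mission-essential destinations, the sys admin 2-factor override, and a constructed proxy log are all assumptions; www.badguy.com is the destination from the slide's own illustration.

```python
import ipaddress

# Constructed policy (not from the webinar): consolidated server subnets and the short,
# enumerated list of destinations each server has a legitimate reason to reach.
SERVER_SUBNETS = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.20.1.0/24")]
MISSION_ESSENTIAL = {
    "10.20.0.15": {"update.example-vendor.test"},                         # file server: patch mirror only
    "10.20.1.7": {"update.example-vendor.test", "crl.example-ca.test"},  # web server: patches and CRL checks
}
# Constructed proxy log lines: source IP, destination host, sys admin 2-factor override (yes/no).
PROXY_LOG = """\
10.20.0.15 update.example-vendor.test no
10.20.0.15 www.badguy.com no
10.20.1.7 crl.example-ca.test no
10.20.1.7 support.example-vendor.test yes
10.20.1.7 support.example-vendor.test no
10.50.3.21 www.example-news.test no
"""

def is_server(src):
    return any(ipaddress.ip_address(src) in net for net in SERVER_SUBNETS)

def decide(src, dst, admin_2fa):
    """Verdict for one request at the server choke-point proxy. Clients are not subject to
    this policy and are passed on to the ordinary client proxy rules."""
    if not is_server(src):
        return "PASS", "client; client proxy policy applies"
    if dst in MISSION_ESSENTIAL.get(src, set()):
        return "ALLOW", "enumerated mission-essential destination"
    if admin_2fa:
        return "ALLOW", "sys admin 2-factor override"
    # Servers have no business initiating anything else to the Internet, so this deny is
    # not noise: it is either a policy gap to fix or something on the server trying to beacon.
    return "DENY+ALERT", "server initiated traffic to an unlisted destination"

def process_log(text):
    """Apply the policy to every log line; returns (src, dst, verdict, reason) tuples."""
    rows = []
    for line in text.splitlines():
        src, dst, override = line.split()
        rows.append((src, dst) + decide(src, dst, override == "yes"))
    return rows

def alerts(text):
    """Only the server denies: the short list an analyst should actually look at."""
    return [(src, dst) for src, dst, verdict, _ in process_log(text) if verdict == "DENY+ALERT"]

if __name__ == "__main__":
    for row in process_log(PROXY_LOG):
        print(*row, sep="  ")
    print("alerts:", alerts(PROXY_LOG))
```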
Page 24
3 Ways to Make This Strategy Real
- Collaboration: Block the known C2
- Server Segregation: Channel the Unknown
- Web Authentication: Challenge the Unknown
Page 25
Challenge the Unknown
- All web proxy vendors categorize sites and update like AV
- The majority of malware C2 sites are new and therefore fall into the default uncategorized bin
- This presents us with an opportunity
"You want to go where?!!!"
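The opportunity this slide describes, as an added example that is not the webinar's or any proxy vendor's code: a constructed category feed, a constructed client request stream, and the rule that uncategorized destinations are allowed only after a human answers the proxy's authentication challenge. Beaconing malware has nobody at the keyboard, so its repeated unanswered challenges also become a detection signal in the proxy log.

```python
from collections import Counter

# Constructed category feed (not any vendor's real database). The webinar's point is that
# brand-new C2 sites are usually absent from such feeds and land in the uncategorized bin.
CATEGORY_FEED = {
    "www.example-news.test": "news",
    "update.example-vendor.test": "software-updates",
    "www.badsite.org": "malware",   # the host from the webinar's information-sharing example
}
BLOCKED_CATEGORIES = {"malware"}

def categorize(host):
    return CATEGORY_FEED.get(host, "uncategorized")

def decide(host, challenge_answered):
    """Proxy verdict for one client request. Categorized sites pass, known-bad ones are
    blocked, and uncategorized ones are allowed only after a human answers the challenge."""
    category = categorize(host)
    if category in BLOCKED_CATEGORIES:
        return "BLOCK", category
    if category == "uncategorized" and not challenge_answered:
        return "CHALLENGE", category
    return "ALLOW", category

def simulate(requests):
    """requests: (src, host, has_human). A human answers the challenge; background malware
    has no one at the keyboard, so its request never gets past CHALLENGE."""
    outcomes = []
    for src, host, has_human in requests:
        verdict, category = decide(host, challenge_answered=False)
        if verdict == "CHALLENGE" and has_human:
            verdict, category = decide(host, challenge_answered=True)
        outcomes.append((src, host, verdict, category))
    return outcomes

def unanswered_challenges(outcomes, threshold=3):
    """(src, host) pairs challenged `threshold` or more times and never answered: repeated
    attempts to reach the same new site with nobody to answer is what a beacon looks like."""
    counts = Counter((src, host) for src, host, verdict, _ in outcomes if verdict == "CHALLENGE")
    return sorted(pair for pair, n in counts.items() if n >= threshold)

# Constructed request stream: one user session and one compromised client beaconing.
REQUESTS = [
    ("10.50.3.21", "www.example-news.test", True),
    ("10.50.3.21", "new-startup.example.test", True),   # new but legitimate site; the user answers
    ("10.50.3.21", "www.badsite.org", True),            # already shared and categorized
] + [("10.50.3.44", "c2-7f3a.example.test", False)] * 3  # beacon retries; nobody to answer

if __name__ == "__main__":
    results = simulate(REQUESTS)
    for row in results:
        print(*row, sep="  ")
    print("beacon candidates:", unanswered_challenges(results))
```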
Page 27
The Bottom Line: Don't Despair
Set yourselves up for success
By adding a C2 Denial Strategy to your existing Defense in Depth you can improve your cyber security greatly without breaking the bank.