scot secure 2015

Post on 15-Jul-2015


TRANSCRIPT

Welcome To

Mark Stephen, BBC Scotland #scotsecure

Steve Mulhearn, Fortinet #scotsecure

© Copyright Fortinet Inc. All rights reserved.

Security Challenges and Emerging Threats

Steve Mulhearn - Business Solutions Development, April 2015

Challenges Today

COST

» Operational

» Capital

CONSOLIDATION

» Virtual

» Manpower

SECURITY

» Emerging Threat

» Advanced Threats


What We Used To Think


How We Think Today


The Anatomy Of An Attack

“Generic Threat”

Bot

Zero Day Threat

Trojan

Virus

Worm

Devices

Email

Web sites

Physical media


Advanced Targeted Attack Lifecycle

Timeline: Day 1 to 2 Years+

“Social Engineering”

“Bot net” Activation

Zero Day Exploit

The Threat is Worse Than Ever

*Akylus July 2014


With A Consistent Motivation

*Hackmageddon July 2014


Q2 2014 (IDC):

301.3M Smart Phones Shipped

Android 84.7% Market

February:

Drive-By Mobile

(DriveGenie)

June:

Pletor Mobile Ransom

(Doc Encryption)

July:

Dorkbot/Ngrbot

Kamikaze

2014 Threat Landscape Developments

Feb 13

IoT:

The Moon Worm

Linksys Routers

Heartbleed

Vulnerable OpenSSL

Apr 07

Apple iCloud

Ransomware

$100 EUR

Oleg Pliss

May 26 Jun 23

Havex RAT

OPC Server Spy

Aug 05

Cybervor

1.2B User & Pass

500M emails

Aug 15

Supervalu Data Breach,

200 Stores Affected

Evernote Hack

164,644 Forum

Members

Jun 10

Evernote Hack

50M Users

Mar 2013

No One Is Immune

Have you changed your password yet?


ebay – The Impact by the Numbers

262,800 Number of passwords changed in a year

(Average 2 minutes/password)

551 Man/years wasted changing passwords

145 M User accounts compromised

525,600 Minutes in a year


Follow The Acronym Trail


Is There A Silver Bullet For Defeating an ATA?


Collaborative Approach to Addressing Advanced Threats

http://www.networkworld.com/news/2013/103013-gartner-defense-attacks-275438.html?page=2


Focus on Three Key Actions

Step 1 - Mitigation

• Mitigate threats before they enter your network

• Proactive is key

Step 2 - Detection

• Discover threats that have entered, or tried to enter, the network

Step 3 - Remediation

• Respond to any threats that have breached the network

Mitigation / Detection / Remediation

A Structured Approach for Maximum Protection

• Access Control: Reduce attack surface

• Threat Prevention: Inspect and block threats

• Threat Detection: Identify new incidents

• Continuous Monitoring: Assess, audit, improve

• Incident Response: Validate and contain

Step 1 - Mitigation

Access Control

» Stateful Firewall

» 2 Factor Authentication

Threat Prevention

» Intrusion Prevention

» Application Control

» Web Filtering

» Email Filtering

» Anti-Virus


A Cornerstone of Mitigation

“The reports of my death have been greatly exaggerated.”

The Human Factor - Laziness

“Old Habits Die Hard”


Operating Systems and Software Require Constant Updates

Installed PC Operating Systems* (pie chart): Windows 8/8.1 12%, Windows 7 52%, Windows XP 24%, Windows Vista 3%, Other 9%

*Net Applications September 2014

Not All Anti-Virus Solutions are Equal

» Detection Technology

» Network Placement

» Operational Efficacy

Step 2 - Detection

Access Control

» Stateful Firewall

» 2 Factor Authentication

Threat Prevention

» Intrusion Prevention

» Application Control

» Web Filtering

» Email Filtering

» Deep Flow Anti-malware

Threat Detection

» Botnet detection

» Client reputation

» Network behavior analysis

» Sandboxing


Payload Analysis (aka “sandboxing”)

What is it?

» A virtual container, reflecting an end-user desktop, in which untrusted programs can be safely examined

What happens in it?

» Code is executed in a contained, virtual environment

» Activity is logged and analyzed for suspect characteristics

» A rating is determined based on system, file, web and traffic activity

Why is it important?

» Traditional security looks at static attributes (signature, heuristic, pattern, reputation, etc.) rather than dynamic activity

» In many cases, a site or code is just the first, small stage

Diagram: unsafe actions and escape attempts are blocked (X); communication out of the container is controlled and inspected.
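The slide describes sandbox output only in outline: activity is logged, checked for suspect characteristics, and turned into a rating across system, file, web and traffic activity. The following is an added example, not code from the deck or from Fortinet, showing one way such a rating can be derived from a log. The event format, the rule set and the weights are assumptions constructed for illustration; note that a virtual-machine check by the sample is itself treated as a suspect characteristic, which is the behaviour the later "word of caution" slide about sandbox evasion is concerned with.

```python
from collections import Counter

# Constructed sample sandbox log ("<category> <action> <detail>"), not real output.
SAMPLE_ACTIVITY = """\
system process_create C:\\Windows\\System32\\cmd.exe
file write C:\\Users\\user\\AppData\\Roaming\\svc.exe
system persistence HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
file delete C:\\Users\\user\\Documents\\report.docx
system vm_check cpuid_hypervisor_bit
web http_get hxxp://example.invalid/stage2.bin
traffic connect 203.0.113.7:4444
"""

# Suspect characteristics per activity category with assumed weights (illustrative,
# not a vendor's model). An escape attempt or VM check is itself a strong signal:
# benign software rarely cares whether it is sandboxed.
RULES = {
    "system": {"persistence": 3, "vm_check": 4, "escape_attempt": 5},
    "file": {"write": 1, "delete": 2, "encrypt": 4},
    "web": {"http_get": 2},
    "traffic": {"connect": 2},
}

def parse_events(text):
    """Turn logged activity lines into (category, action, detail) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        events.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return events

def score_activity(events):
    """Sum rule weights per category; return (total, per-category, findings)."""
    per_category = Counter()
    findings = []
    for category, action, detail in events:
        weight = RULES.get(category, {}).get(action, 0)
        if weight:
            per_category[category] += weight
            findings.append(f"{category}:{action} {detail}".strip())
    return sum(per_category.values()), dict(per_category), findings

def rating(total):
    """Map the summed score to the verdict reported for the sample."""
    if total >= 10:
        return "high"
    if total >= 6:
        return "medium"
    return "low" if total > 0 else "clean"
```

For the constructed log above the sample scores 14 (system 7, file 3, web 2, traffic 2) and is rated "high"; the per-category breakdown is what an analyst would read alongside the verdict.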

A Deeper Level of Analysis

» Network Behavior Analysis: Establish baselines of normal traffic patterns, look for anomalies

» Network Forensics: Capture and replay network traffic for incident response

» Payload Analysis: Execute code in a contained, “sandbox” environment

» Endpoint Behavior Analysis: Monitor the production system configuration for anomalies

» Endpoint Forensics: Collect data from endpoints to aid in incident response and forensics

Technology Hype and Hysteria

Hype cycle chart (visibility against time): Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity

A Word of Caution

http://www.darkreading.com/attacks-breaches/the-increasing-failure-of-malware-sandbo/240159977


Step 3 - Remediation

Access Control

» Stateful Firewall

» 2 Factor Authentication

Threat Prevention

» Intrusion Prevention

» Application Control

» Web Filtering

» Email Filtering

» Deep Flow Anti-malware

Threat Detection

» Sandboxing

» Botnet detection

» Client reputation

» Network behavior analysis

• Incident Response

» Consolidated logs and reports

» Professional Services

» User or Device Quarantine

» Threat Prevention Updates

• Continuous Monitoring

» Real-time Activity Views

» Security Reporting

» Threat Intelligence


Coordinated Defense Strategy

In-Network Defenses

Continuous Updates

Threat Research and Discovery

The Fortinet ATP Solution

FortiGuard Services

FortiGuard Lab


Protecting Today’s Network

Evolution, evolution, evolution

Wherever there is value, the cyber criminal will follow


Anticipate, React, Respond


Complexity

Tony Neate, Get Safe Online #scotsecure

Det Supt Stevie Wilson, Police Scotland #scotsecure

Brian Gibson, Scottish Business Resilience Centre #scotsecure

Brian Gibson, Chief Inspector, Deputy Director Scottish Business Resilience Centre

• We are a unique organisation comprising contributions and secondments from the Police, Scottish Government, Fire Services, Scottish Clearing Banks, investors and our membership.

• Vision: Creating a secure & resilient Scotland for business to flourish in

• Stakeholders: Scottish Government, Police Scotland, Members

Digital Security Support

• Online Footprint Assessment

• Cyber Supply Chain Test

• Cyber Security Assessment

Insider Threat

• Case Study 1 - Pet Shop

• Case Study 2 – Call Centre

Developing a Cyber Security Strategy

• Mind-set

• E – Trader Accreditation

• Cyber Essentials (CE) Cyber Essentials Plus (CE+)

• Innovation Voucher Scheme

• Get Safe Online (getsafeonline.org)

• Cyber Streetwise – (cyberstreetwise.com)

Thank You - QUESTIONS?

Questions & Discussion #scotsecure

Exhibition & Refreshments - Check badge for Breakouts #scotsecure

18th June Dynamic Earth

Limited spaces remain

www.scot-cloud.com

30th Sept Dynamic Earth

Registration open

www.iotscotland.com

Welcome Back

Prof. Bill Buchanan, Edinburgh Napier University #scotsecure

Glenn Attridge, Royal Bank of Scotland #scotsecure

Jiveen Lal, Risksmith #scotsecure

Risk, responsibility and contractual obligation

Jiveen Lal, Director

+44(0)77 1402 3912

ask@risksmith.com

@risksmithUK

Agenda

Contract obligations and cyber attacks

• Data loss

• Cyber attack

Responsibilities beyond contract obligation

Cyber insurance

• Identifying needs and testing your insurance

• Market update

Data Loss / Cyber Attack

Contract obligations

1. Data loss: You, your client, a client's customer

2. Business interruptions: Supplier, you, customer

Your Business

Responsibility beyond contracts

Intellectual property

Revenue

Bodily injury

Property damage

Shareholder/Due diligence

Regulations

Brand

Business Needs

Cyber insurance

Identifying business needs

• People

• Systems

• Internal processes

• External events

• Business model

Quick test

1. Where is data?

2. Who has access?

3. What happens when a vendor suffers?

4. What are the ramifications of internally-sourced breach?

5. What do you plan to do when you have a data breach?

Cyber insurance update

• Experienced an event

• Know someone

• Increased awareness

• Fines/penalties

• Contract obligations

• Technology companies

Jamie Graves, ZoneFox #scotsecure

Innovation & Cyber Security

Jamie Graves, CEO

j.graves@zonefox.com

Thanks

• j.graves@zonefox.com

• ZoneFox.com

• @ZoneFox

• @DrJamieGraves

Questions & Discussion #scotsecure


Post Conference Survey - Please complete to get slides #scotsecure

Drinks & Networking - Exhibition Area #scotsecure

Conference Close #scotsecure