cybersecurity 5 road_blocks

Upload: cyphort

Post on 13-Apr-2017

TRANSCRIPT

Page 1: Cybersecurity 5 road_blocks
Page 2: Cybersecurity 5 road_blocks

Getting Down To Business: Implementing Effective & Sustainable Cybersecurity Postures

Page 3: Cybersecurity 5 road_blocks

Your speakers today

@FengminGong, Co-Founder & Chief Strategy Officer

Shel Sharma, Product Marketing Director

Page 4: Cybersecurity 5 road_blocks

Agenda

o Obama Executive Order
o Cybersecurity Framework 1.0
o Time To GSD
o Overcome 5 Top Road Blocks
o Q&A

[Image: Cyphort Labs T-shirt]

Page 5: Cybersecurity 5 road_blocks

We monitor threats & help customers

o 24x7 monitoring for malware events
o Assist customers with their forensics and Incident Response

We enhance malware detection accuracy

o False positives/negatives
o Deep-dive research & technology prototyping

We work with security ecosystem

o Best practice for cyber defense
o Actionable threat intelligence

Page 6: Cybersecurity 5 road_blocks

o Obama’s Executive Order 13636, February 12, 2013
o Call to action “Improving Critical Infrastructure Cybersecurity”
o Critical Infrastructure: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

Page 7: Cybersecurity 5 road_blocks

You Can Be The Weakest Link To Cybersecurity!

o With the connected world, everything is critical to threat penetration, from retail stores, to government, to IoT devices!

o RSA Secure Token breach via HR employee
o Target breach via HVAC contractor access
o OPM breach via contractors (USIS & KeyPoint)
o Jeep Cherokee via (Sprint cellular + Harman Kardon Uconnect 8.4N/RA4 radio)

Page 8: Cybersecurity 5 road_blocks

NIST Cybersecurity Framework 1.0

o NIST spear-headed joint government-private effort

o Framework meant for voluntary adoption

o Advocates the best approach to managing cybersecurity risks in the face of advanced threats and evolving IT & ICS infrastructure

Page 9: Cybersecurity 5 road_blocks

From Board Visibility 2 GSD!

Business risks

CEO/CISO accountability: “5 headcounts, take care of it for me!”

o What are our crown jewels, where?
o What’s the most urgent?
o Who/where are our threat sources?
o What tools are most effective for our needs?

“We need to implement a solution to manage the risks for today and ongoing, with grace!”

Process, tools, operations

Page 10: Cybersecurity 5 road_blocks

Clarity: Be Thoughtful, Be Logical

Page 11: Cybersecurity 5 road_blocks

Defensive Stake Holders And Roles

| Risk Mgmt Cycle       | Government                          | Businesses                                 | Tool Vendors                    | Netizens                     |
|-----------------------|-------------------------------------|--------------------------------------------|---------------------------------|------------------------------|
| Identify objectives   | Foster good behaviors               | Priority & Objective                       | Business asset & IT integration | Privacy & Security awareness |
| Protect assets        | Encourage best practices            | Proactive Posture                          | Kill chain & impact delineation | Practice security            |
| Detect incidents      | Promote sound approaches            | Visibility: attack surface & threat vector | Deployment flexibility & scale  | Follow policy                |
| Respond to incidents  | Compel business responsibility      | Time to containment & resolution           | Workflow automation, API        | Follow policy                |
| Recover from breaches | Compel stronger consumer protection | Time to restoration                        | Context aware & forensics       | Follow policy                |

Page 12: Cybersecurity 5 road_blocks

Top 5 Potential Road Blocks

1. Understand business specific risks
2. Plan for complete threat mitigation cycle
3. Anticipate to deal with consequences
4. Ask for ready-to-take mitigation options
5. Prepare for the worst-case recovery

Page 13: Cybersecurity 5 road_blocks

Understand Your Business Risks

o Different threats, different priorities
  o OPM – personnel records
  o Health care – patient records
  o Financial – client records, transaction system
  o Design house – blueprint, schematics
  o Internet service provider – customer account info
o Where others failed
  o Compliance as the ends instead of means

Page 14: Cybersecurity 5 road_blocks

Plan For Full Mitigation Cycle

o Watch for attacks at all stages of kill chain
o Monitor all access paths to your protected assets
o Spectacular failures
  o RSA attack combined flash 0day + spear-phishing
  o Mr. Snowden went directly for exfiltration
  o OPM attack used USIS & KeyPoint as stepping stones
  o Ashley Madison hack likely with insider involvement

Kill chain stages: Exploit → Download → Install → Exfiltrate

Page 15: Cybersecurity 5 road_blocks

Focus On Dealing With Consequences

o “Consequence Focus” forces clarity on objectives
o Stopping a BO (buffer overflow) exploit against the file server is neither sufficient nor necessary for stopping code theft on the server
o Need multi-pronged: protect, detect, respond, and recover
o Murphy’s law also holds for “prevention”
o Others’ failure, your gain
  o “Deploy and forget” IPS defense does not work
  o Think what you can protect, detect, respond, and recover!

Page 16: Cybersecurity 5 road_blocks

Your Plan, Your Choice

o What’s missing from your tools?
  o Timely, relevant and specific detection
  o Prioritized ready-to-take actions
  o Ecosystem friendly tools
o Some example failures
  o Firewalls will block IP/port/Apps, if you tell them “what exactly”
  o IPS/SWG will block a communication/URL, if you tell them so
  o AV will quarantine or even clean up an endpoint, if it were able to spot most malware
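The three preceding slides (watch every kill-chain stage, monitor every access path, focus on the consequence to the asset, and ask tools for prioritized ready-to-take actions) can be shown together in one small correlation routine. The following is an added example, not code from the Cyphort deck or from any Cyphort product: it groups constructed log lines by host, records which of the slide's four stages (Exploit, Download, Install, Exfiltrate) were observed, ranks hosts by the consequence weight of a hypothetical crown-jewel inventory times how far the chain has progressed, flags earlier stages that produced no event (a visibility gap, as in the "went directly for exfiltration" case), and attaches an assumed one-line defender action. The log format, host names, asset weights and action wording are all assumptions made for this illustration.

```python
"""
Added example, not code from the Cyphort deck: correlate per-host events
across the kill-chain stages the slide names (Exploit, Download, Install,
Exfiltrate), rank hosts by consequence rather than by event count, and
attach a ready-to-take action. The log format, the crown-jewel inventory,
the stage ordering and the action text are all assumptions made here.
"""
from collections import defaultdict
from dataclasses import dataclass, field

STAGES = ["Exploit", "Download", "Install", "Exfiltrate"]
STAGE_RANK = {s: i for i, s in enumerate(STAGES)}

# Hypothetical crown-jewel inventory: asset name -> consequence weight.
# Anything not listed defaults to weight 1.
CROWN_JEWELS = {"fileserver-01": 3, "src-repo": 3}

# Constructed log lines for the illustration: "<time> host=<h> stage=<s> detail=<d>"
SAMPLE_LOG = """\
09:01 host=hr-laptop-07 stage=Exploit detail=browser-plugin-crash
09:02 host=hr-laptop-07 stage=Download detail=exe-from-unknown-domain
09:05 host=hr-laptop-07 stage=Install detail=new-autorun-entry
09:40 host=fileserver-01 stage=Exfiltrate detail=5GB-to-external-ip
09:41 host=src-repo stage=Download detail=exe-from-unknown-domain
10:10 host=hr-laptop-07 stage=Exfiltrate detail=archive-upload
"""

# Defender actions per stage (assumed wording, one line each).
ACTIONS = {
    "Exploit": "patch the client, confirm no payload executed",
    "Download": "block the source domain at proxy/firewall, quarantine the file",
    "Install": "isolate the host, remove persistence, reimage if it is privileged",
    "Exfiltrate": "cut the destination at egress, preserve disk and network evidence",
}


@dataclass
class HostState:
    stages_seen: set = field(default_factory=set)
    events: list = field(default_factory=list)


def parse_line(line):
    """Turn one 'time k=v k=v' line into a dict (assumed log format)."""
    time, rest = line.split(" ", 1)
    ev = dict(part.split("=", 1) for part in rest.split(" "))
    ev["time"] = time
    return ev


def build_state(log_text):
    """Group events by host and record which kill-chain stages were observed."""
    state = defaultdict(HostState)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("stage") not in STAGE_RANK:
            continue  # ignore events that are not mapped to a stage
        state[ev["host"]].stages_seen.add(ev["stage"])
        state[ev["host"]].events.append(ev)
    return state


def furthest_stage(hs):
    return max(hs.stages_seen, key=STAGE_RANK.__getitem__)


def missing_earlier_stages(hs):
    """Stages before the furthest one that produced no event: a visibility gap
    (the slide's 'went directly for exfiltration' case) or an unmonitored path."""
    limit = STAGE_RANK[furthest_stage(hs)]
    return [s for s in STAGES[:limit] if s not in hs.stages_seen]


def priority(host, hs):
    """Consequence weight times chain progression, so a crown jewel at the
    Download stage outranks an ordinary laptop that already exfiltrated."""
    return CROWN_JEWELS.get(host, 1) * (1 + STAGE_RANK[furthest_stage(hs)])


def prioritized_actions(log_text):
    """Ranked list of hosts with the furthest stage, score, gaps and next action."""
    state = build_state(log_text)
    ranked = sorted(state.items(), key=lambda kv: priority(kv[0], kv[1]), reverse=True)
    return [
        {
            "host": host,
            "stage": furthest_stage(hs),
            "score": priority(host, hs),
            "gaps": missing_earlier_stages(hs),
            "action": ACTIONS[furthest_stage(hs)],
        }
        for host, hs in ranked
    ]


if __name__ == "__main__":
    for row in prioritized_actions(SAMPLE_LOG):
        print(f"{row['score']:>3} {row['host']:<14} {row['stage']:<10} "
              f"gaps={row['gaps']} -> {row['action']}")
```

On the constructed input the file server that was only ever seen exfiltrating comes first (score 12, with all three earlier stages missing, which is the monitoring gap to fix), the source repository at the Download stage comes second (score 6), and the laptop that walked through the whole chain comes last (score 4) despite generating the most events. That ordering is the "consequence focus" of the slide expressed as a sort key; the weights and the scoring formula are deliberately simple placeholders to swap for an organisation's own asset inventory.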

Page 17: Cybersecurity 5 road_blocks

Prepare For The Worst

o Don’t plan for “Armageddon” or “Singularity”
o Plan for the worst you can handle
  o Privileged user gets infected by RAT malware
  o Unauthorized access to your source repository
  o Cryptolocker infection on file share server
o Some well-known lessons
  o No worst-case consideration
  o No robust backup/restore practice for server or endpoints
  o No compartmentalization or isolation control
  o No least-privilege practice
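For the "Cryptolocker infection on file share server" scenario on this slide, the detect and recover halves of the cycle are concrete enough to sketch. The following is an added example, not code from the Cyphort deck or from any Cyphort product: it runs over a constructed file-server audit log in CSV form, raises an alert when one user renames a burst of files to an extension outside an allowlist inside a short window, raises a second alert when anything modifies a decoy "canary" folder, and produces the list of original paths that a restore from backup would need to cover (the "robust backup/restore practice" lesson). The CSV columns, the canary path, the allowlist, the threshold and window, and the action wording are all assumptions made here.

```python
"""
Added example, not code from the Cyphort deck: a detector for the slide's
"Cryptolocker infection on file share server" worst case, run over a
constructed file-server audit log, plus the list of files a restore from
backup would need to cover. The CSV columns, the canary path, the
extension allowlist and the burst threshold/window are assumptions.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (not from a real server). new_path is empty
# for operations other than rename.
AUDIT_CSV = """\
timestamp,user,op,path,new_path
2017-04-13T09:00:01,alice,write,/shares/finance/q1.xlsx,
2017-04-13T09:00:07,alice,rename,/shares/finance/q1.xlsx,/shares/finance/q1-final.xlsx
2017-04-13T09:15:00,bob,read,/shares/eng/spec.docx,
2017-04-13T09:15:02,bob,rename,/shares/eng/spec.docx,/shares/eng/spec.docx.locked
2017-04-13T09:15:03,bob,rename,/shares/eng/budget.xlsx,/shares/eng/budget.xlsx.locked
2017-04-13T09:15:03,bob,rename,/shares/eng/notes.txt,/shares/eng/notes.txt.locked
2017-04-13T09:15:04,bob,rename,/shares/eng/plan.pptx,/shares/eng/plan.pptx.locked
2017-04-13T09:15:05,bob,rename,/shares/eng/readme.md,/shares/eng/readme.md.locked
2017-04-13T09:15:06,bob,write,/shares/_canary/DO_NOT_TOUCH.txt,
2017-04-13T09:20:00,carol,rename,/shares/hr/draft.docx,/shares/hr/final.docx
"""

KNOWN_EXT = {".xlsx", ".docx", ".txt", ".pptx", ".md", ".pdf"}  # assumed allowlist
CANARY_PREFIX = "/shares/_canary/"      # assumed decoy folder nobody should modify
BURST_COUNT = 5                         # assumed: this many odd renames ...
BURST_WINDOW = timedelta(seconds=60)    # ... inside this window raises an alert
MODIFYING_OPS = {"write", "rename", "delete"}
CONTAIN = "disconnect the user's sessions, set the share read-only"  # assumed action


def ext_of(path):
    """Lower-cased extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def suspicious_rename(row):
    """A rename whose new extension is not one the share normally holds."""
    return row["op"] == "rename" and ext_of(row["new_path"]) not in KNOWN_EXT


def detect_ransomware(csv_text):
    """Return alerts in the order they fire: at most one rename-burst alert
    per user, and one alert for every modification inside the canary folder."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of suspicious renames
    burst_flagged = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user = row["user"]
        if row["op"] in MODIFYING_OPS and row["path"].startswith(CANARY_PREFIX):
            alerts.append({"time": ts, "user": user, "signal": "canary", "action": CONTAIN})
        if suspicious_rename(row):
            window = recent[user]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW:
                window.popleft()   # drop renames older than the window
            if len(window) >= BURST_COUNT and user not in burst_flagged:
                burst_flagged.add(user)
                alerts.append({"time": ts, "user": user, "signal": "rename_burst",
                               "action": CONTAIN})
    return alerts


def files_to_restore(csv_text, user):
    """Original paths the user renamed to an unknown extension: the restore
    scope for the backup/restore practice the slide calls out."""
    return [row["path"] for row in csv.DictReader(io.StringIO(csv_text))
            if row["user"] == user and suspicious_rename(row)]


if __name__ == "__main__":
    for a in detect_ransomware(AUDIT_CSV):
        print(f"{a['time']} {a['user']} {a['signal']}: {a['action']}")
    print("restore:", files_to_restore(AUDIT_CSV, "bob"))
```

On the constructed log, alice's and carol's renames keep a known extension and stay silent; bob's fifth rename to `.locked` within four seconds fires the burst alert, and his write into the canary folder fires the second one a second later. The restore list is the five original paths, which is the question the "worst you can handle" planning has to answer in advance: is there a known-good backup of exactly those files, and how long does putting them back take.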

Page 18: Cybersecurity 5 road_blocks

Any Questions?

Page 19: Cybersecurity 5 road_blocks

Thank You!

Previous MMW slides on http://cyphort.com/labs/malwares-wanted/