Fewer Breaches Instead of Bigger Data: Thwarting Attacks, Enabling the Fully Connected Business

John Pescatore
SANS, Director - Emerging Security Trends


Post on 25-Jun-2020



Opening Stipulations

• It’s Dangerous Out There
• Security Is Hard, Will Continue to Be Hard
• Business Goes On, With or Without Security


How To Tell When It Will Get Easier

1. When Software Engineering is no longer an oxymoron (software and SaaS come with warranties)
2. Users no longer fall for scams (Atlantic City and Las Vegas shut down)


Probability of Attack = 100%


http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Breach Statistics


Verizon Data Breach Incident Report, 2013


Real World Risk Equation

Risk = Threat x Vulnerability + Action

• Avoid old vulnerabilities, shield new ones
  – People
  – Process
  – Technology
• Remove barriers
  – Automate the easy, because the next hard is just around the corner
• Simultaneous evolution and mutation


Focus on protecting the business first

Effectively and efficiently and quickly

Advanced targeted attacks are happening now

How to Prioritize Security Spending

Compliance must follow security


Is It Safe??


Do you know from where you are starting? OK, are you really sure?
• NO – Need to establish baseline
• YES – We are secure and compliant
• YES – We are pretty squishy
• YES – We are on fire!

Can you do the necessary triage?


Compliant and fairly secure - really
Focus on getting faster
What coming business/technology trend will cause breakage?
Threat monitoring and preparedness


Not unusual to find evidence of an active compromise – ON FIRE!
Activate incident response
Protect the crown jewels
Shield, replace, enhance
Forensics


Most Enterprises Are Squishy

Controls may have been implemented but are not mature or repeatable

Typical Problem Areas:
• Lack of Vulnerability/Config Management basics
• No Advanced Threat visibility
• No real application security

Common barriers to progress:
• Cloud/BYOD/compliance more important
• “The users will never, management will never…”


Critical Security Controls


1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Device Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Loss Prevention
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises


Goals

• Overcome barriers for quick wins on “easy” ones
• Reduce cost of ops for easy ones
• Address the next level, repeat

© 2013 The SANS™ Institute – www.sans.org


Getting to Continuous Security Monitoring

Shield

Eliminate Root Cause

Monitor/Report

Policy Assess Risk

Baseline Vuln Assessment/Pen Test
Security Configuration

Mitigate

• FW/IPS
• Anti-malware
• NAC

• Patch Management
• Config Management
• Change Management

• Software Vuln Test
• Training
• Network Arch
• Privilege Mgmt

Discovery/Inventory

• SIEM
• Security Analytics
• Incident Response

Threats
Regulations
Requirements
OTT Dictates


Things to Remember

• Don’t fight the next war with the previous battle’s weapons
  – PCs weren’t bigger dumb terminals, smartphones/tablets aren’t small PCs
• Make advances and fortify
  – Whitelisting on servers
  – App stores/MDM on mobile devices


Resources

• SANS Reading Room: http://www.sans.org/reading_room/

• Blog – www.sans.org/security-trends/

• The Critical Security Controls: http://www.counciloncybersecurity.org/practice-areas/technology/

• Questions: [email protected], @John_Pescatore
