Michael Crosno (Security Landscape) Geekfest
TRANSCRIPT
CNET, 2013
Cyber Crime Market
Page 2 Click Security Confidential
Criminal Action | Estimated Costs
Global Cyber Activity | $300 billion – $1 trillion
Drug Trafficking | $600 billion
Piracy | $1 billion – $16 billion
Globally, we spend $70 billion per year to stop the bad guys
The bad guys are making $300+ billion a year
Why Security Systems are Failing
Attack Surfaces
Adversaries
Enterprise Defenses
Expanding Attack Surfaces
Humans: 78% of IT professionals consider employees as the biggest security threat
Networks: 5.2 is the average number of devices per knowledge worker connecting to a network
Software: 508 is the average number of applications in an enterprise
Sources: Citrix, 2013; Forbes, 2014; Ponemon Institute, 2015; AV-test.org, 2015
Evolution of Adversaries
Malware Explosion: 383,000 new malware variants every day
# Skilled Hackers: 400,000 hackers estimated in China alone & growing daily
Black Market: $1,300 is the average attacker payment for a banking Trojan
Sources: US Intelligence, infosecisland.com; darkreading.com, 2012; AV-test.org, 2015
Overwhelmed Defenses
Point Products Insufficient: 8% of incidents are detected by endpoint, firewall & network solutions
Workloads Increasing: 64% of US companies face 10,000+ alerts per month
Budgets Underfunded: 1-3 is the average number of headcount devoted to IT security
Sources: FireEye, 2015; FireEye, 2015; Verizon DBIR, 2013
Impact on your Enterprise
Escalating Costs: $8.9m is the cost of the average enterprise breach
Slow to Discover: 173 is the average number of days from infiltration to discovery
Long to Resolve: 32 is the average number of days to resolve & lockdown an attack
Sources: Verizon 2012 DBIR; Ponemon Institute, 2013; darkreading.com, 2012
D&B – Slow and Methodical
Event | Date | Time | Kill Chain | Description of Actor's Activities
Dave & Busters | Feb. 1 | 0 | 1 | Estonian and Ukrainian intruders scan/evaluate restaurant internet-facing connections
Dave & Busters | Mar. 1 | 28 | 2 | Estonian and Ukrainian intruders breached network security controls at a restaurant
Dave & Busters | Mar. 2 | 1 | 4 | Intruders breach a poorly secured retail system with internal network access, explore network
Dave & Busters | Mar. 15 | 13 | 3 | Yastremskiy and Suvorov contract Albert Gonzalez to customize sniffer for DB network
Dave & Busters | Apr. 1 | 17 | 4 | Intruders used network access to install packet sniffer designed to capture track 2 credit card data
Dave & Busters | Apr. 15 | 14 | 5 | The initial tests of the sniffer failed by crashing or failing to record data
Dave & Busters | Apr. 15 | 0 | 5 | Revised packet sniffer often failed to capture the intended information
Dave & Busters | Sept. 1 | 139 | 5 | Over 6 months intruders improved, tested and monitored their tools
Dave & Busters | Sept. 22 | 1 | 6 | Intruders establishing reliable and persistent control of the restaurant environments
Dave & Busters | Sept. 3 | 1 | 6 | Intruders prepare for breaching the corporate network in Dallas
Dave & Busters | Sept. 15 | 12 | 5 | Corporate servers breached, and admin passwords allow access to network devices
Dave & Busters | Sept. 16 | 1 | 7 | Intruders install the refined tools at 11 locations without detection
Dave & Busters | Sept. 17 | 1 | 8 | Packet capture tools return over 130,000 credit cards' full track data
Dave & Busters | Sept. 30 | 13 | 10 | The intruders were eventually blocked and identified by financial records
New Model for Security
The bad guys are going to get in – how do you find them before they do damage?
Transformational Changes
Current Security Practices
• Blocking & preventing attacks will work
• Big data produces better results
• Monitoring events will find bad actors
• Canned rules in SIEMs are enough
Future Solutions Focus
• Detection, profiling & lockdown
• Adversary monitoring & investigation
• Actor kill-chain visualization & analysis
• User created analytics & sharing
Focus on what they do, not what they use…