Practical Defensive Security Discussions Jeff Fawcett Cisco Director Cybersecurity [email protected]

Posted on 14-Jul-2020

Page 1:

Practical Defensive Security Discussions

Jeff Fawcett

Cisco Director Cybersecurity

[email protected]

Page 2:

Agenda

What Makes You a Target?

You Need a Security Framework:

• NIST 800-53 and 800-171 (old reliable?)

• Forrester's Zero Trust (everyone is looking at)

Common Use Cases

Practical Suggestions

Q&A

Page 3:

Cisco Confidential. © 2015 Cisco and/or its affiliates. All rights reserved.

What Do You Have That Makes You a Target?

[Diagram. Asset classes named on the slide: PCI; PII and HIPAA; Research (grants). Controls named alongside them: specific encryption, 2FA, inventory; segmentation, DLP, multifactor authentication; NIST 800-171, continuity, testing. Side labels: "Who is your threat?" and "Zero Trust Network Model".]

Page 4:

Think: “My network infrastructure sits on the Internet.”

https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/

Are existing security standards failing to Protect You?

Has the perimeter been eroded?

Defense in depth is the common approach, but it may be too simplistic for today’s digital-enabled business.

Page 5:

Best Practices within NIST Framework

Page 6:

5 Guiding Principles for Zero Trust (assume your network is on the Internet) (strategy is outside the scope of today's presentation)

1. Identify and catalog your sensitive data

2. Map the data flows of your sensitive data

3. Architect your Zero Trust network

4. Create your automated rule base

5. Continuously monitor your trusted ecosystem
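The five steps above carried through in code, as an added example that is not part of the deck: a constructed catalog of sensitive-data zones (step 1), a constructed baseline of observed flows in an assumed NetFlow-style "src,dst,dport,proto" line format (step 2), a per-zone allow list derived from that baseline as the automated rule base with an implicit default deny (steps 3 and 4), and a check that reports any later flow into a sensitive zone that the rule base does not allow (step 5). The addresses, zone labels and flow format are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Step 1 (constructed catalog): which network zones hold sensitive data.
# The CIDRs and labels are assumptions for the example, not a real inventory.
SENSITIVE_ASSETS = {
    "10.20.0.0/24": "PCI cardholder DB",
    "10.30.0.0/24": "HIPAA records",
}

# Step 2 (constructed baseline): flows observed during a learning period,
# in an assumed NetFlow-style "src,dst,dport,proto" line format.
BASELINE_FLOWS = """\
10.10.5.11,10.20.0.5,5432,tcp
10.10.5.12,10.20.0.5,5432,tcp
10.10.7.3,10.30.0.9,443,tcp
10.10.7.3,10.30.0.9,443,tcp
10.10.9.9,10.30.0.9,22,tcp
10.10.7.3,10.99.0.1,80,tcp
"""


def parse_flows(text):
    """Parse 'src,dst,dport,proto' lines into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        flows.append((src, dst, int(dport), proto.lower()))
    return flows


def sensitive_zone(ip, assets=SENSITIVE_ASSETS):
    """Return the sensitive-zone label an address belongs to, or None."""
    addr = ip_address(ip)
    for cidr, label in assets.items():
        if addr in ip_network(cidr):
            return label
    return None


def build_rule_base(flows, assets=SENSITIVE_ASSETS):
    """Steps 3 and 4: per sensitive zone, allow only the (src, dport, proto)
    combinations seen in the baseline. Anything else into that zone is denied."""
    rules = defaultdict(set)
    for src, dst, dport, proto in flows:
        zone = sensitive_zone(dst, assets)
        if zone is not None:
            rules[zone].add((src, dport, proto))
    return dict(rules)


def evaluate(flow, rules, assets=SENSITIVE_ASSETS):
    """Step 5: decide one flow against the rule base. Returns (verdict, zone);
    zone is None for non-sensitive destinations, which this example does not police."""
    src, dst, dport, proto = flow
    zone = sensitive_zone(dst, assets)
    if zone is None:
        return "allow", None
    if (src, dport, proto) in rules.get(zone, set()):
        return "allow", zone
    return "deny", zone


def render_rules(rules):
    """Render the rule base as readable lines: explicit allows first, then the
    default deny for each zone, in the order a firewall would evaluate them."""
    lines = []
    for zone, entries in rules.items():
        for src, dport, proto in sorted(entries):
            lines.append(f"allow {proto} {src} -> [{zone}]:{dport}")
        lines.append(f"deny any -> [{zone}]")
    return lines


def audit(new_flows, rules, assets=SENSITIVE_ASSETS):
    """Continuous monitoring: return the flows the rule base would deny."""
    return [f for f in new_flows if evaluate(f, rules, assets)[0] == "deny"]


if __name__ == "__main__":
    baseline = parse_flows(BASELINE_FLOWS)
    rule_base = build_rule_base(baseline)
    print("\n".join(render_rules(rule_base)))
    # Constructed later traffic: a workstation trying SSH into the PCI DB zone.
    print(audit([("10.10.42.7", "10.20.0.5", 22, "tcp")], rule_base))
```

The rule base is only as trustworthy as the learning period: in the constructed data, 10.10.9.9 reaching the HIPAA zone over SSH was codified as allowed, so every derived allow must be reviewed before it is enforced. Real flow records carry more fields (bytes, direction, interface), and enforcement belongs in the firewall or policy engine rather than in a script; the block shows the logic of turning mapped flows into a default-deny rule base and monitoring against it.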

Page 7:

Ask Questions Please

Common Use Cases to Address:

• Ransomware bricked my servers or workstations: backups; block it coming in, block it going out

• Federal Grants are requiring a cybersecurity program explanation

• Healthcare Compliance HIPAA

• Compliance Issues - PII/PCI/NIST

• Infrastructure (Healthcare, Power, Water, Roads, Digital Signage, Buildings, IoT)

• Insider threat (east-west traffic)

• Need to control who gets on my network: NAC

• Protect my mobile users – lockdown your MDM Console

Page 8:

Common Use Cases to Address:

• Protecting the State’s brand name (affecting what businesses want to move to NY or stay)

• Moving to the Cloud securely (do you know your flows and dependencies? Those are the top 2 causes of failure)

• Encrypted traffic moving through and out of your network


• Application security targets: WordPress sites, Flash, JavaScript, etc.

• Protecting your email system and end users from Phishing, Ransomware, Miners

• Been Breached – IR; IR Prep; APT Hunting

Page 9:

Where and What is Your Risk at Your Agency? That Should Drive Your Priorities.

• Long term impact of stolen Research like loss of grants

• Infrastructure (Healthcare, Power, Water, Roads, Digital Signage, Buildings, IoT)

• Insider threat (east-west traffic)

• Election Security

Page 10:

Practical Holistic, Move the Needle Security Investments

• Attack probability (see the upside-down pyramid). Understand who is coming after you specifically. What are their capabilities? What is the potential loss? What do you need in order to address that?

• Use DNS protection; a large majority of breaches (90%) involve DNS, on ingress and on egress

• What are the best 5 things you can do with the time and $$$ you have? Maybe:

o A cybersecurity framework, leveraging cybersecurity analytics, that is fast to detect, block, and mitigate

o Incident response preparation, basic logical segmentation

o Remove admin rights (least privilege)

o MFA (multi-factor authentication): assume all your credentials are already stolen; MFA is the way to block attackers from using the admins' credentials

Page 11:

Some Best Practices Suggestions

• Logically Segment your network (by App, Data, Users) using visibility, Isolation, policy enforcement, and Identity

• Patch management done right will harden your security

• Monitor your DNS and use Netflow to improve security.

• Watch your outflow and inflows for unusual events, traffic, quantity.

• Require multi-factor authentication for your admins when they log in, and track their logs

• Lock down your MDM tool/dashboard

• CMMI baseline
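The DNS items on this and the previous slide (DNS protection on ingress and egress; monitor your DNS; watch inflows and outflows for unusual events, traffic and quantity) in working form, as an added example that is not from the deck. It parses a constructed resolver log in an assumed "<epoch> <client_ip> <qtype> <qname>" format, counts query volume per client, and flags the patterns that DNS tunnelling, exfiltration and DGA beacons leave behind: many long unique subdomains under one registered domain, queries that are all TXT/NULL, and high-entropy labels. The log lines, domains, addresses and thresholds are all assumptions for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log in an assumed "<epoch> <client_ip> <qtype> <qname>"
# format. The domains and addresses are made up for the example.
SAMPLE_LOG = """\
1594700000 10.1.1.20 A www.example.com
1594700001 10.1.1.20 A cdn.example.net
1594700002 10.1.1.20 AAAA mail.example.com
1594700003 10.1.1.57 TXT 4a6f686e2d736d6974682d7061.exfil-test.invalid
1594700004 10.1.1.57 TXT 7373776f72642d3132333435.exfil-test.invalid
1594700005 10.1.1.57 TXT 2d7365637265742d646f63.exfil-test.invalid
1594700006 10.1.1.57 TXT 756d656e742d636f6e74656e.exfil-test.invalid
1594700007 10.1.1.57 TXT 742d66696c652d6e616d6573.exfil-test.invalid
1594700008 10.1.1.57 TXT 2d616e642d736f6d652d6d6f.exfil-test.invalid
1594700009 10.1.1.88 A login.example.com
1594700010 10.1.1.88 A x9k2mz7q4ppl0v3hd8wq1zt6.bad-domain.invalid
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": int(ts), "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return records


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, real words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split into (registered domain, subdomain part). Assumption: the registered
    domain is the last two labels; a real deployment should use the Public Suffix
    List so that names such as example.co.uk are handled correctly."""
    labels = qname.split(".")
    if len(labels) < 3:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def queries_per_client(records):
    """Query volume per client; a jump against the client's normal baseline is
    the 'unusual quantity' signal the slide refers to."""
    return Counter(r["client"] for r in records)


def find_suspicious(records, min_unique=5, min_avg_len=20, entropy_threshold=3.8):
    """Group queries per (client, registered domain) and flag tunnelling, exfil
    and DGA-like patterns. The thresholds are assumptions; tune them against
    your own baseline traffic."""
    groups = defaultdict(list)
    for r in records:
        domain, sub = split_name(r["qname"])
        groups[(r["client"], domain)].append((r["qtype"], sub))

    findings = []
    for (client, domain), items in groups.items():
        subs = {s for _, s in items if s}
        reasons = []
        if subs:
            avg_len = sum(len(s) for s in subs) / len(subs)
            if len(subs) >= min_unique and avg_len >= min_avg_len:
                reasons.append("many long unique subdomains (tunnelling/exfil pattern)")
        payload_types = sum(1 for q, _ in items if q in ("TXT", "NULL"))
        if len(items) >= min_unique and payload_types == len(items):
            reasons.append("all queries are TXT/NULL (payload-carrying record types)")
        for s in subs:
            first = s.split(".")[0]
            if len(first) >= 20 and shannon_entropy(first) >= entropy_threshold:
                reasons.append(f"high-entropy label {first!r} (DGA-like)")
                break
        if reasons:
            findings.append({"client": client, "domain": domain,
                             "queries": len(items), "reasons": reasons})
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(queries_per_client(recs))
    for finding in find_suspicious(recs):
        print(finding)
```

On the constructed log, 10.1.1.57 is flagged for six long unique TXT queries under one domain, the shape of data leaving through DNS, and 10.1.1.88 for a single random-looking 24-character label. The same grouping works on egress flow records or a DNS-layer security product's logs; what matters is that the analysis is per client and per registered domain, since tunnelling looks normal one query at a time.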

Page 12:

Some Best Practices Suggestions

• Everything (firewalls, IDS/IPS, applications, security solutions, etc.) must tie into your threat intelligence. Start with a state focus, then national, then world. It cannot be emphasized enough: using the best intelligence is key, provided it is integrated with your solutions.

• Analytics is the new security approach. Pair with automation and integration

• Cyber Range Training, Education

• Pen Testing, Red Teaming

• Watch for grey-market hardware (equipment bought outside authorized channels)

• Streamline regulatory compliance with segmentation

Page 13:

Some Best Practices Suggestions

• Whitelisting to control a few key applications and sensitive data (not AD)

• Quick mean time to detection by using intel, integration and analytics

• IoT needs to be on its own network

• Privilege escalation management

• Limit Partner, vendor, contractor access

• Use NAC to inventory and spot new devices on the network

• Site to site VPN

• Reverse Proxy via Browser

Page 14:

Some of Jeff’s List – Practical Suggestions

• Integrity of data, configurations

• Baseline your security strategy program

• Use risk, threat and consequences to prioritize

• DNSSEC

• DMARC

• Lock down the MDM Console

• Education and awareness training

• Know what your top 50 items of IP (intellectual property) or sensitive data are and where they sit

• NAC to stop jailbroken devices
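The DMARC item above, and the "protect your email system and end users from phishing" use case on Page 8, as an added example that is not from the deck: a parser and grader for the _dmarc TXT record a domain publishes. It enforces the rules that trip people up in practice (v=DMARC1 must be the first tag, p= is mandatory, pct defaults to 100, p=none only monitors) and grades constructed records for made-up domains; no DNS lookups are performed, and the domains and addresses are assumptions for the example.

```python
import re

# Constructed _dmarc TXT records for made-up domains; nothing here is looked up.
SAMPLE_RECORDS = {
    "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; "
                      "ruf=mailto:forensic@strong.example; adkim=s; aspf=s; pct=100",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example",
    "broken.example": "p=reject; v=DMARC1",   # v= must be the first tag
    "missing.example": None,                  # no _dmarc record published at all
}

TAG_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict. Raises ValueError when the
    record is absent or malformed; receivers treat a malformed record as absent,
    so a syntax error silently turns the policy off."""
    if record is None:
        raise ValueError("no _dmarc TXT record published")
    parts = [p for p in record.split(";") if p.strip()]
    tags = {}
    for i, part in enumerate(parts):
        m = TAG_RE.match(part)
        if not m:
            raise ValueError(f"unparseable tag: {part!r}")
        key, value = m.group(1).lower(), m.group(2)
        if i == 0 and (key != "v" or value.upper() != "DMARC1"):
            raise ValueError("record must begin with v=DMARC1")
        tags[key] = value
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    if tags["p"].lower() not in VALID_POLICIES:
        raise ValueError(f"invalid policy {tags['p']!r}")
    return tags


def assess_dmarc(record):
    """Return (grade, findings). Grades, from worst to best:
    missing_or_invalid, monitor_only, partial_enforcement, enforcing."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "missing_or_invalid", [str(exc)]

    findings = []
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))  # the specification's default is 100
    except ValueError:
        pct = 100
        findings.append(f"pct={tags['pct']!r} is not numeric; treated as 100 here")

    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")

    if policy == "none":
        grade = "monitor_only"
    elif pct < 100:
        grade = "partial_enforcement"
    else:
        grade = "enforcing"
    return grade, findings


def audit(records):
    """Grade every domain in a {domain: record} mapping."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        grade, findings = assess_dmarc(record)
        print(f"{domain}: {grade}")
        for finding in findings:
            print(f"  - {finding}")
```

To check a real domain, fetch the TXT record at _dmarc.<domain> with your resolver tooling and pass the string to assess_dmarc. A p=none record is the usual starting point while the rua= reports are used to find legitimate senders that are not yet aligned; the point of the grader is that it stays visible as "monitor only" until the policy is actually moved to quarantine or reject at pct=100.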

Page 15:

Some of Jeff’s List – Practical Suggestions

• NAC Detect and inventory new devices coming onto your network

• DLP to stop accidental leakage

• Remove Windows XP

• Block Tor and I2P protocols

• Reduce use of Java and JavaScript

• Use encrypted gateway to handle PCI and sensitive data

• It is all about securing the data, not your network

• In certain cases use default deny all – white list

• Turn off every port and service not needed

Page 16:

In Review

Discussed What is Important to You

You Need a Security Framework:

• NIST 800-53 and 800-171

• Forrester's Zero Trust

Common Use Cases

Practical Suggestions

Q&A. Let's talk?

Page 17:

Q & A
