the most common failure with today's defences
DESCRIPTION
This talk looks at the challenges we face as a defender today by examining several recent, prominent breaches and one of their common causes. The first 2/3 of this talk are the same as "Is That Normal?" (http://www.slideshare.net/marknca/is-that-normal-behaviour-modelling-on-the-cheap) but in the last 3rd, instead of diving in the the mechanics of behavioural analysis, this talk looks at what we should be doing with the results. Originally presented at the Gartner Security & Risk Management Summit in London, 08-Sep-2014TRANSCRIPT
The Most Common Failure With Today's Defences
Mark Nunnikhoven Vice President, Cloud & Emerging Technologies @marknca
Just like you probably can’t see this, I can’t see the backchannel Tweet me now @marknca, I’ll reply after the talk…
Recent attacks The problem What you can do?
Recently…
450 000 000
“Client record” is typically at least [username+password]
27-Nov-2013—15-Dec-2013
First real CEO “resignation” due primarily to information security incident
a/k/a “Target 2” …but worse
Early May-2014—Late Aug-2014
Nominated for “Worst Communications During An Incident”
Late Feb-2014—Mid May-2014
Real reputation risk & impact on ability to conduct business
17-Jun-2013—17-Oct-2014
Should have received more attention More on this one later…
17-Sep-2013—Early Oct-2013
Amazing visualization from Information Is Beautiful “World’s Biggest Data Breaches & Hacks”
Breaches: more frequent, lasting longer, bigger impact on businesses
The Problem
Restrict inbound Restrict outbound Heavily monitor access
Data
Data space: servers, applications, infrastructure, etc.
Restrict inbound Allow outbound Little to no monitoring
User
User space: Where the users are ;-) Endpoints like laptops, desktops, tablets, etc.
Authentication Authorization
Yes, we typically only use 2 controls here
152 million records 40 GB of source code
~44 GB of data exfiltrated
What can you do?
Authentication Authorization
Authentication Authorization
3 is more than 2. That’s an immediate win when reporting up to your boss(es)
Behaviour analysis
What to look at
All traffic leaving user spaceMost organizations have some controls between the user and the world
Need to start to address internal data flow & expand existing controls
What to look for
Malicious patterns
A service or appliance can help here
What to look for
Odd access patterns
Most breaches are access data through authorized channels BUT using odd behavioural patterns
What to do about it
Vary the level of trust in the user* Dynamically vary the level depending on specific criteria and indicators of trust
You may trust me to deliver a talk on security…
But would you trust me to look after your kids?
Trust is a spectrum
Varying trust
A quick example
Normal access
Have a confirmed finding (or high enough confidence)
Not sure what we’ve found
Not sure what we’ve found
Take a deeper look
Not sure what we’ve found? Increase monitoring, block high value access temporarily
Add behavioural analysis Look for odd/malicious patterns Vary the level of trust
