You Are Not Alone - TML Conference…
Free MS-ISAC Services for Local Governments
Kateri Gill
October 4, 2017
You Are Not Alone
2 TLP: WHITE
Center for Internet Security

Multi-State Information Sharing and Analysis Center
The MS-ISAC is the focal point for cyber threat prevention, protection, response and recovery for the nation's SLTT governments.

Who We Serve
State, Local, Tribal, and Territorial
Cities, counties, towns, airports, public education, police departments, ports, transit associations, and more
MS-ISAC Members include:
• All 56 US States and Territories
• All 79 federally recognized fusion centers
• More than 1,400 local governments and tribal nations

About MS-ISAC Membership
• Free and Voluntary
• No Mandated Information Sharing
• One Membership Document Required
To join or get more information:
https://msisac.cisecurity.org/members/register

ISACs
Information Sharing and Analysis Centers
Created via PDD 61, May 22, 1998, to allow the private sector to come together, share information, perform analysis, and respond to incidents
Legal Services
EMR-ISAC

Intelligence Sources
• 24 x 7 monitoring
• Analysis of ~750 billion logs/month
• Integration with federal agencies via the NCCIC, NCIJTF
• Trusted private companies
• Constant contact with all ISACs
Information Sharing and Analysis Centers
• Research and Education
• Oil and Gas
• Emergency Management and Response
• Healthcare Ready
• Communications
• Financial Services
• Information Technology
• Surface Transportation, Public Transportation, & Over-the-Road Bus
• Automotive
• Supply Chain
• Water Sector
• Maritime
• Downstream Natural Gas
• Defense Industrial Base
• ICS
• Real Estate
• Aviation
• Public Transit
• Electricity
• Multi-State
• Legal Services
• Defense Security Information Exchange
• National Health
• Retail

Why Government?
Criminals look for data... and governments have a lot of it!
“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”
- Robert S. Mueller III, Director of the FBI (2001-2013) March 2, 2012

24 x 7 Security Operations Center
Central location to report any cybersecurity incident
• Support:
  – Network Monitoring Services
  – Research and Analysis
• Analysis and Monitoring:
  – Threats
  – Vulnerabilities
  – Attacks
• Reporting:
  – Cyber Alerts & Advisories
  – Web Defacements
  – Account Compromises
  – Hacktivist Notifications
To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]

Computer Emergency Response Team
• Incident Response (includes on-site assistance)
• Network & Web Application Vulnerability Assessments
• Malware Analysis
• Computer & Network Forensics
• Log Analysis
• Statistical Data Analysis
• Penetration Testing
To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]

What is an “Incident”?
As defined by PPD41: An event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.
Examples:
• Phishing
• Network Intrusion
• DDoS
• Ransomware

After Action Review
• Who, What, Why, Where and How it Happened
• The Good, The Bad, and The Ugly
• Incident Response Plan
• Training
• Documentation
MS-ISAC Advisories

Monitoring of IP Range & Domain Space
IP Monitoring
• IPs connecting to malicious C&Cs
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus
Domain Monitoring
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)
Send domains, IP ranges, and contact info to:

Vulnerability Management Program
What Data Are We Collecting?
• Server type and version (IIS, Apache, etc.)
• Web programming language and version (PHP, ASP, etc.)
• Content Management System and version (WordPress, Joomla, Drupal, etc.)
Email notifications are sent with 2 attachments containing information on out-of-date and up-to-date systems:
• Out-of-Date systems should be patched/updated and could potentially have a vulnerability associated with them
• Up-to-Date systems have the most current patches

Time-to-Patch
[Chart: % of Patched WordPress Instances Following a New Version; Week 1 through Week 6; series: 2015 and 2016]
Data labels, Week 1 through Week 6, one series per line:
54.60%, 59.24%, 61.40%, 62.70%, 64.72%, 65.63%
78.65%, 80.72%, 81.63%, 81.69%, 81.98%, 82.02%

Malicious Code Analysis Platform
A web-based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion
• Executables
• DLLs
• Documents
• Quarantine files
• Archives
To gain an account contact:

MS-ISAC Cyber Alerts

MS-ISAC Intel Papers

National Webcasts
A collaborative effort between DHS and MS-ISAC to provide timely and relevant cybersecurity education and information
• The Working Cloud: Tackling the Security Risks (June 22, 2017)
• The Expanding Attack Surface (April 2017)
• Cybersecurity While Traveling (February 2017)
• Cybersecurity Year in Review and 2017 Preview (December 2016)
• National Cybersecurity Awareness Month – Be a Part of Something Big (October 2016)
• State and Local Roundtable – Effective Cyber Disruption Strategies (August 2016)
https://msisac.cisecurity.org/webcast/

Monthly Newsletter
Distributed in template form to allow for re-branding and redistribution by your agency

Cybersecurity Awareness Toolkit

HSIN Community of Interest
Access to:
• MS-ISAC Cyber Alert Map
• Archived webcasts & products
• Cyber table top exercises
• Guides and templates
• Message boards

Weekly Malware IPs and Domains

Anomali
Machine-to-Machine indicator transfer
To gain an account contact:

Nationwide Cyber Security Review (NCSR)
A voluntary self-assessment survey designed to evaluate cyber security management within SLTT governments
October 1 – November 30
All states (and agencies within), local government jurisdictions (and departments within), tribal and territorial governments can participate.
https://www.cisecurity.org/ms-isac/services/ncsr

Network Monitoring (Albert)
• SLTT focus
• 24x7x365 research, analysis, and support
• Signatures unique to SLTT governments
• Integration of research on specific attacks and actors, including nation-state actors (APT)
• Real-time information sharing with FSLTT partners
• Experienced cybersecurity analysts who review each event, minimizing the number of false-positive notifications

Additional Benefits
• Situational Awareness Resources
• Insider access to federal information
• Product and Training Discounts
• Cybersecurity Exercise Participation
• Workgroups
• Webcasts

Federal Resources Free to State and Locals
• Cyber Resiliency Review
• Stop.Think.Connect
• FedVTE and FedVTE Live!
Questions?
Kateri Gill
Program Specialist
518-880-0779
MS-ISAC 24x7 Security Operations Center
1-866-787-4722