Core security utcpresentation962012
Download as PPTX, PDF1 like278 views
This document discusses proactive security intelligence for smart utilities. It covers the threat landscape including sophisticated malware like Stuxnet, targeted attacks using zero-days and social engineering, and high-volume attacks. It notes challenges in securing critical infrastructures due to their use of common operating systems and protocols. The document advocates taking a performance and analytics-driven approach to proactive security using network simulation, penetration testing, and predictive modeling to identify exposures before they can be exploited.
Core security utcpresentation962012
- 1. Proactive Security Intelligence for Smart Utilities September 11, 2012 Canadian Utility Telecom Conference, Vancouver, Canada Seema Sheth-Voss [email protected] CORE Security 1 PA G E
- 2. What is so difficult about cyber security?? PA G E 2
- 3. Let’s cover the threat Landscape Stuxnet: “Most Sophisticated Malware Ever” ● Artifact: autonomous, highly-targeted sabotage-oriented worm ● Adversary: Nation-state military / intelligence ● Most likely vector: compromised insider (USB drive!) ● Evaded: ● Firewalls ● AV ● Patching ● Host Hardening You can protect against the artifact, but not the adversary. If you are targeted, escalate. PA G E 3
- 4. Threat: High Tech, Targeted Attacks ● Flame: forged Microsoft update certificate ● DuQu: zero-day kernel exploit embedded in Word document ● Gauss: encrypted payload – can only be decrypted on target machine ● Nation-state adversaries, but still manual remote control Conventional ICS security guidance does not address targeted attacks PA G E 4
- 5. Threat: Low Tech, Targeted Attacks ● Night Dragon, Shady RAT ● Trick users into providing passwords, installing malware ● Custom malware, tested to evade anti-virus ● Remote control: steal credentials, propagate ● Steal administrator credentials, create own passwords ● Create accounts, don’t guess long passwords ● Firewalls allow connections with passwords Conventional ICS security guidance does not address targeted attacks PA G E 5
- 6. Threat: High-Volume Attacks ● Authors: organized crime ● Black market – stolen credit card number $0.25, stolen bank account / password $1.00 ● High volume, auto-propagating, indiscriminate attacks – compromise hundreds of thousands or millions of machines and extract pennies of value from each ● Target of conventional anti-virus solutions Viruses, worms and bot-nets are the pervasive “background noise” of the Internet. Any interaction with the Internet risks contamination. PA G E 6
- 7. Management understanding of cyber risk.. PA G E 7
- 8. Challenge in securing critical infrastructures.. Windows or Linux based (NOT as air-gapped as we think!!) Management Software Layer Hardware and Software Protocols H SCADA (Device level) PA G E 8
- 9. Layered controls at each part of technology stack but no correlation • The vast majority at the management software layer are built to defend, react or monitor • This model has inherent gaps: − Overwhelming amounts of data ? − Little correlation / communication between solutions − By the time alerts go off, it’s too late PA G E
- 10. Key standards and mandates provide a starting point Key standards and Guidance Description documents NERC Standards CIP-002-4 Cyber asset identification, security controls, physical, through CIP-009-4 security management, incident response and recovery planning NIST SP 800-137 Continuous Monitoring Framework FERC Approved NERC CIP rules in 2008 and in addition looks to NIST coordinates with NIST Canadian Standards Council Task force on Smart Grid Tech & standards created by National Committee of IEC promotes harmonization with NIST and NERC .. The non-technical “managerial and organizational process” controls (e.g. NIST) are just as important as the technical controls. PA G E 1 0
- 11. Findings of the ICS- CERT across 150 incidents People Process Technology • Failure to perform • Business siloes – IT • No risk assessment risk and and control systems and impact analysis consequence need to be analyses safeguarded as • Network ‘one” segmentation • Lack of situational awareness and • Policy on removable • Patch management training on cyber media and security in test bed threats such as maturity spear phishing • User access/log on • Lack of incident • Lack of minimum response planning • OS & Firmware standards Source: US Dept. of Homeland Security Industrial Control Systems Cyber Emergency Response PA G E 1 1 Team 2011 Summary report
- 12. Proactive Security Intelligence - Taking a performance and analytics driven approach What is happening? What really matters Why? What is likely? and what doesn’t? What should we do about risks? How do we convey the risk to get action? PA G E 1 2
- 13. What is happening? What is likely? Network Network operations simulation or center VM clone Alarm to monitor temp. Management software for PLC Penetration Testing Multi-vector, multi-surface and ‘what-if’ PA G E testing helps us think like an attacker
- 14. What is happening? What is likely.. Unique challenges across distribution and corporate monitoring networks - Local privilege escalation and spear phishing are examples PA G E 1 4
- 15. A predictive security architecture and process offers a risk-based approach for proactive insights. 1. Environment Profiling and security data collection Tell Insight about your 2. Campaign environment. Definition You define critical IT assets (aka goals), scope and timing. Security 6. Infrastructure Verified! 3. Threat Planning Change and Simulation Campaigns can Insight calculates likely automatically adapt as New system added to attack paths to your you deploy new environment! defined assets. systems. Security Verified! 5. Adaptive Path 4. Threat Adjustment Replication Insight seeks new Insight attempts to paths as systems are exploit vulnerabilities compromised. along the paths. PA G E 1 5
- 16. What really matters? Get above the noise of the security data.. (Exploit) Identify and prove critical exposures Incident and Scan data Remediation Discover assets , Apply patches collect incident and other data and scan for updates vulnerabilities Repeat Pen Testing (Exploit) Validate fix effectiveness Remove false positives and make sense of the noise.. PA G E
- 17. Value of getting above the noise of data Before After • Small security staff • Proactively determine attack path • Needed to scale and enhance across 1000 assets testing, understand risk to most • Identified the 30 most critical critical assets exploitable vulnerabilities of the • Getting 82,000 vulnerability 82,000 worth addressing first signatures from scanner • Prioritize & validate vulnerabilities • Yet only working on 300 results due to resource constraints (hopefully Savings the right 300?) • VM costs per year: $43,200 • Yearly vulnerability management • Trouble tickets passed ~ 30 cost: $144,000 • Yearly remediation/Patch management estimate at 300 tickets passed to IT: $700,000 PA G E 1 7
- 18. What should we do with security data? How do we convey risk and take action? Enabling Performance Management like best practices for security • Security Metrics and Reporting with Continuous Assessment • Status of the safeguards • Trending • Change management • Hand-off to remediation systems • Enterprise Risk Management • Safety, continuity, operational implications • Business asset tagging PA G E 1 8
- 19. Benefits of a proactive security intelligence approach Balancing risk mitigation with improved security ‘performance’ • Keep the bad guys out: Predict threats without disrupting operations • Don’t break the bank: Eliminating data overload drives actionable insight and improves efficiency • Demonstrate business impact: Convey implications of cyber risk – resiliency and operational continuity. PA G E 1 9
- 20. About Core Security • Leading provider of predictive security intelligence solutions − Established: 1996, first commercial product: Core Impact 2001 − Headquartered in Boston, CoreLabs in Buenos Aires − 1,400 customers, ~200 employees • Diverse, experienced organization driving segment leadership − Experienced management -- backgrounds include Sophos, CA, Symantec, Seagate, IBM − Active Customer Advisory Board and Core Customer Community group − Recognized by leading analysts in the emerging category of Security Intelligence − Consistent award recognition from industry groups and media • Groundbreaking research & product development − Leading-edge consulting services brings field experience − CoreLabs vulnerability research team world renowned – publish more than 200 exploits − High-profile research community involvement − 6 patents approved / 7 pending PA G E 2 0
- 21. PA G E 2 1
Editor's Notes
- #3: There is so much coverage of massive, costly attacks … and yet many warning from the experts. There is huge talk of cyber security legislation in US which got stalled but across the lines in this election year ppl know that a cyber war – where our utlities, water plants etc could be compromised.. Andrew has done a great job of covering the nature and classes of the threats.. Reason 1 – the threat is real and more complex. – the nature is stealth, internconnected and hidden. . Similar analog is For years, terrorist attacks occurred around the world. Each one tended to be viewed as a singular event. Until September 11th, 2001. Suddenly, a pattern appeared and the size of the threat became clearer.
- #8: Another reason why is this hard and not talked about enough – is our failure of communication.. This cartoon hits home.. The CEO seems okay or our communication is limited to explaining the risk of brand, reputation.or market position. In this case showing up in the news. In fact a CM survey of CEO showed that in spite of what is happening mainly a real danger to business continuity – cyber risk is not even a topic at the board level . What we really need is a way to talk about cyber risk in the language of risk management
- #9: Let’s talk about the technical challenge – for critical infrastructure particularly we need to think systematically at every layer of the technology and then holistically. A lot of attention gets paid to SCADA and right ly so. Here is an example of a vulnerability at the SCADA level but we need to think about the hw and software protocol and ultimately the management software – which ends up being a windows or linux machine connected to the big bad vulnerabile internet. So we have a double whammy – devices never designed with Cyber security in mind and need for the convenience of the public internet to monitor networks and manage the enterprise side of your business.
- #10: Now here is the challenge and an unfortunate secret I hear with CISO that I meet – they buy technology out of fear and greed. Someone in the IT department hears about a new virus or vulnerability … downloads and installs the latest patch … and they're done. Reactive big news gets a lot of attention.. We go back to business as usual until the next time. Wikileaks happened at the state department and many US federal depts rushed everyone rushed out to get Data leak prevention software.. Please you are all in the similar boat.. Whether you are the CIO, telecomm network execs, buisness leader or the security leader – I think we all recognize that we need a different approachHere is what happens with all that spending.. We think we are doing a good job – but now we have ended up with a new problem... All the stuff is actually creating more noise and distracting us from the real threat. What we really need is a system or platform that is proactive and predictive and system that helps us manage, validate and correlate our data and alerts.
- #11: Now shift gears.. Legislation and standards get the threat and have done a laudable job on offering framework and guidelines.. I am not going to read these – I am assuming you know that there is actually a lot of consensus across states, canada and even ENISA guidelines.. What is most important is the non-technical controls. I advocate the cont. monitoring framework – SP- 800-137 as a starting point.. In fact Ron Ross who is a NIST Fellow in a recent talk put up a slide for FS, Technology, CIP CISOs showing two list of control categories – technical such as encryption, vulnerability assessment which is CORE’s business, etc on in colum and then second was all about security traninging, management, awareness, analytics, operations. – Humans are the weak link and without the organizational and process oversight – no amount of investment in the technology is really enough
- #12: Here is another more post mortem view from the ICS-CERT specifically across critical infrastructure companies – water, energy and we see that the people and process gaps on standards, simple things like password updating, adherance to doing simple patch management and employee awareness were the root causes of incidents – more so than the technical
- #13: At CORE we’ve been working closely with clients on a different way to get and not just getting ahead of the threat but managing their security posture and helping them gain business level commitment on security investments.I used to work in Business intelligence and the same performance management and predictive analytics framework can apply to security data and management
- #14: What is happening and what is likely.?Back to the interconnected nature of the attacks. We need to think like the attacker. CORE has been business for 14 years and we were the early pioneers of the approach now widely known as pen testing. Pen testing is a systematicapproach to identifying weaknesses in alreadydeployed targets and exploiting thoseweaknesses. It is a vulnerability assessment followed byexploiting the vulnerabilities found during theassessment. “You are trying to break a system, withoutbreaking the system.”What is unique about automated tools such as CORE Impact – is that these are goal oriented and multi-vector.. After your critical assets – isn’t just a web url or a network it is a business and data and process collection which has multiple types ofIT assets underneath.. Pen testing simulates the actions of the attacker who exploit the weak links in the management software – not the scada devices which you think are air gapped.. And they think multi- surface across networks, web, endpoints and use weak links like admin email, phishing to gain access to deeper privileges such as adminstrative to burrow deeper into control systems or transmission layers.
- #15: This is what we call an attack path map – the target machine might be controls at your NOC or alarms system that manages the water temp.. What we are seeing is the web attacks on enterprise sites, call centers, or social engineering attacks are the common ways of entry
- #16: Now let’s imagine taking an army of pentesters and codifying their expertise into an scalable and automated platform essentially not testing a subset of goal machines but an entire division or corporate or network, web applications, end points collectively that form your smart grid infrastructure. . what we have done at CORE is taken all the expertise of humansand exploit algorithms from the tools and essentially created a engine or enterprise service bus for security. Here is how it works. CORE insight first gather information about all assets in the target test – and collects any existing security data say from IPS, Firewalls, scanners. The most important aspect is we allow the security director to prioritize assets based on business need and criticality.. So in our case it would be web applications or monitoring systems across a region.We then take that information and calculate the attack paths and probabilities of success via a simulation and threat replicationIf test is being conducted in live mode – Insight will attempt to exploit the possible vulnerabilities which are burrowed deep into your environment or the goal machineInsight doesn’t find anything it continues to find newer possible and probable paths and the test campaign adjusts as new servers, configurations etc are added into the environment. Note we can also eliminate certain assets in the subsequent run if there are no changes or the asset isn’t deemed as critical.
- #17: That brings us to the next question in our framework – what really mattersremember I talked about all the reactive and detective controls - so say you have an incident management system or you went and invested in scanner or sniffing technology – pen testing is a great way to drill further and pivot in to figure out what is real..Here is what happens if you don’t‘.. Your security teams will spend precious time chasing false positive or noisy data while the attacks keep coming and your downstream IT teams who are responsible for remediation will simply shut security out.. Because they don’t believe the threat is credible plus they have never enough resources
- #18: Here is an example from a lab under the dept of energy – they were getting 82000 signatures from their scanning technologies but only getting to 300..With a highly scalable and automated solution for security assessment and attack planning this agency was able to pinpoint the 30 most exploitable vulnerabilities saving both cost and effort in their security team but also the downstream IT remediation effort.
- #19: Finally to the final question in our framework – how do we convey risk to the board and management. CORE solutions have been critical is driving performance management like best practices for securtyFirst the CISO, director can continously test and report status of the safeguard and whether or not there working and capture the trending.From a performance viewpoint these guys want to fix or remediate the most critical exposures – managing the workflow with IT on the most critical priorities. Also the thing about vulnerability – is that change in their IT environment is constant so the keeping on top of what is most critical at any given time. Last CISO are eager to have something that they can take to their Monday morning meeting with their boss whether it is the CIO or chief compliance or audit team. We relate the technical language to the business systems or domains – e.g. network centers, operations, labs, enterprise systems such as call centers, and of course critical networks that form the support infrastructure of the transmission and power distribution. Ie. The basic discussion is what does a vulnerability or red on the asset heat map mean in terms of continuing operations, safety of personnel, impact to customers services, or potential disruptions and having a clear pulse on that at all times.
- #20: In summary the benefits of this approach and a platform We want to keep the bad guys out before they get in and at the same time achieve a good level of confidence in the risk we are taking at an reasonable cost. Security spending doesn’t need to be fear driven but should be treated like any other IT spend. I strongly believe that we need to different level in our security conversations and translate cyber risk into enterprise risk.