3. Me
• Father of 3, happily married.
• I work for a bank. Am also an independent IT/Infosec consultant. Any opinions presented here are my own and do not represent my employer.
• Contributor to the "@TheAnalogies project", making IT and Infosec understandable outside the echo chambers
• Member of the I Am The Cavalry movement, trying to make connected devices worthy of our trust
• @ClausHoumann
• I present on security a lot at conferences -> Find my work on slideshare
4. The big picture
• Existing tools, and even Next-Generation APT tools, have limits/are broken:
– Examples: https://blog.mrg-effitas.com/wp-content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– He created the stupidest malware imaginable. No one detected it.
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
– Paul Jung -> Present here today -> shows how easily malware can detect sandboxes
7. The Vendor threat
• No silver bullets exist. Beware of vendors using the phrases:
– "Counter any threat"
– "Detect any malware"
– "You only need our solution"
– > Proceed with caution
– VPT (vendor persistent threat)
11. Doing it right
• EURODNS in Luxembourg has just made it possible for each client to get an SSL certificate for their website for free
• This simple change makes a difference
12. The job of the enterprise defender:
• Trying to not purchase crappy products (Lemons -> Source: Haroon Meer @wearetroopers)
• While trying to build a real skilled defense
15. Compliance
• Is
• NOT
• Security
• Compliance is preparing to fight a war
– But using antiquated weapons
– And against enemies of decades past
16. BoD: Why worry now?
• Companies that get hacked are fine...look at Sony, Target, Apple etc. -> stock prices not affected, end users don't care.
– Breaches and lawyer expenses following these are an acceptable cost of doing business
– Right?
– No, maybe not anymore...next slide
17. Board Level Attention required, NOW!
Strategy! THINK!
• EU Data protection regulation:
– Mandatory breach reporting within 72 hours
– 5% of revenue as fine possible
• Threat level increasing sharply
• Attack surface increasing (think IoT, BYOD)
18. Pyramids
- This one is Joshua Corman's.
Defensible Infrastructure
Operational Excellence
Situational Awareness
Countermeasures
19. The Foundation
Defensible Infrastructure
Software and hardware built as "secure by default" is ideal here. Rugged DevOps.
Your choices of tech impact you ever after.
You must assemble carefully, like Lego.
Without backdoors or Golden Keys!
20. Mastery
Operational Excellence
Master all aspects of your Development,
Operations and Outsourcing. Train like the
Ninjas!
DevOps (Rugged DevOps)
Change Management
Patch Management
Asset Management
Information classification & localization
Basically, all the cornerstones of ITIL
You name it. Master it.
21. Gain the ability to handle situations correctly – Floodlights ON
Situational Awareness
"People don't write software anymore, they assemble it" – quote from Joshua Corman.
-> Know which lego blocks you have in your infrastructure
-> Actionable threat intelligence
-> Automate as much as you can, example: IOCs automatically fed from sources into SIEM with alerting on matches
Are we affected by Poodle? Shellshock? WinShock? Heartbleed? Should we patch now? Next week? Are we under attack? Do we have compromised endpoints? Are there anomalies in our LAN traffic?
22. Counter that which you profit from countering
• Decrease attacker ROI below critical threshold by applying countermeasures
• Most security tools fall within this category
Countermeasures
Footnote: Cyber kill chain is patented by Lockheed Martin.
23. Mapping to other strategic approaches
Defensible Infrastructure
Operational Excellence
Situational Awareness
Countermeasures
Lockheed Martin patented
Nigel Wilson -> @nigesecurityguy
24. Defensive hot zones
• Basketball and other sports analysis ->
• – FIND the HOT zones of your opponents.
• Defend there.
26. Hot zones!
• You need to secure:
– The (Mobile) user/endpoints
– The networks
– Data in transit
– The Cloud
– Internal systems
Sample protections added only, not the complete picture of course
27. Best Practices – High level
• Create awareness – Security awareness training
• Increase the security budget
– Justify investments BEFORE the breach.
– It's easier when you're actually being attacked. But too late.
• Use "Adversary mind-set" and threat modeling
• Training, skills and people!
28. Hot zone 1:
A real world PC
• Microsoft EMET 5.2
• Executable files kill you, so use:
– Adblocking extension in browser
– Advanced endpoint protection solutions
– No admin credentials left behind
And then cross your fingers
29. Hot zone 1
• PC defense should include:
– Whitelisting
– Blacklisting
– Sandboxing
– Registry defenses
– Change roll-backs
– HIPS
– Domain policies
– Log collection and review
– MFA
– ACLs/Firewall rules
– Heuristics detection/prevention
– DNS audit and protection
30. Hot zone 2:
The networks
• Baselining everything
• Spot anomalies
• Monitor, observe, record
• Advanced network level tools
– FireEye?
• Test your network resilience/security with Ixia BreakingPoint. Ask me for free test licenses.
• Network Security Monitoring (NSM)
– Suricata, SecurityOnion, BroIDS?
• Don't forget the insider threat
31. Hot zone 3+4:
Data in Transit/Cloud
• Trust in encryption
• Remember you secure what you put in the cloud. The Cloud provider doesn't
• Great new mobile collaboration tools exist
• SaaS monitoring and DLP tools exist -> "CloudWalls"
• Cloudcrypters
• CloudTrail, CloudWatch, Config-log/change-trackers, vuln.mgmt
• Story about the Vulnerability patched during Bash/Shellshock public confusion period
• And this for home study: https://securosis.com/blog/security-best-practices-for-amazon-web-services
33. Cloud
• Concentration risk
• Secure the administrative credentials and APIs
• ENISA:
– https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
– https://resilience.enisa.europa.eu/cloud-computing-certification
• A funny story about cloud certification providers hacking me
34. A more defensible infrastructure
• Avoid expense in depth
• Research and find the best counter measures
• Open Source tools can be awesome
• Full packet capture and Deep packet inspection/Proxies for visibility
• KNOW WHAT'S GOING ON IN YOUR NETWORKS
• Watch and learn from attack patterns
36. Automate Threat Intelligence IOC
• Use multiple IOC feeds
• Automate daily:
– IOC feed retrieval,
– Insertion into SIEM,
– Correlation against all-time logfiles,
– Alerting on matches
– Manual follow-up on alerts
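The daily pipeline above (and the "IOCs fed into SIEM with alerting on matches" point on slide 21) reduced to its core: merge several indicator feeds, normalize them, and correlate every stored log line against the set. This is an added example written for this page, not code from the talk; the feed format, the feed values and the log lines are all constructed placeholders, and the SIEM is represented by an in-memory list.

```python
import re
from collections import namedtuple

# Constructed sample IOC feeds (two sources) in a simple "type,value,source" form.
# The values are made up for the example and are not real indicators.
FEED_A = """ip,203.0.113.7,feed-a
domain,Update-Check.Example,feed-a
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,feed-a"""
FEED_B = """ip,198.51.100.23,feed-b
domain,update-check.example,feed-b"""

Alert = namedtuple("Alert", "kind value sources line")

def load_feeds(*feeds):
    """Steps 1-2: merge feeds into {(kind, normalized value): {sources}} so the
    same indicator seen in several feeds collapses into one entry."""
    iocs = {}
    for feed in feeds:
        for row in feed.splitlines():
            kind, value, source = (f.strip() for f in row.split(","))
            iocs.setdefault((kind, value.lower()), set()).add(source)
    return iocs

# Extractors pull candidate observables out of free-text log lines.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

def correlate(iocs, log_lines):
    """Steps 3-4: scan every stored log line and emit one Alert per indicator hit;
    the returned list is what an analyst follows up on manually (step 5)."""
    alerts = []
    for line in log_lines:
        for kind, pattern in EXTRACTORS.items():
            for value in {m.lower() for m in pattern.findall(line)}:
                sources = iocs.get((kind, value))
                if sources:
                    alerts.append(Alert(kind, value, sorted(sources), line))
    return alerts

# Constructed log lines standing in for the SIEM's all-time log store.
SAMPLE_LOGS = [
    "2015-03-12T10:01:02Z dns query=update-check.example client=10.0.0.5",
    "2015-03-12T10:01:03Z proxy dst=203.0.113.7 url=/a.exe status=200",
    "2015-03-12T10:02:00Z edr hash=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF host=pc-17",
    "2015-03-12T10:03:00Z dns query=intranet.corp.example client=10.0.0.9",
]

if __name__ == "__main__":
    for a in correlate(load_feeds(FEED_A, FEED_B), SAMPLE_LOGS):
        print(f"ALERT {a.kind}={a.value} feeds={','.join(a.sources)} :: {a.line}")
```

Case-folding both sides is what makes the mixed-case feed entry and the upper-case EDR hash still match; a real deployment would also expire stale indicators and de-duplicate alerts per host before paging anyone.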
37. You need to ally up!
• Security and Infrastructure aren't enemies
• Security and the office of the CIO aren't enemies
• Ally up & Bromance!
38. And the unexpected extra win
• Real security will actually make you compliant in many areas of compliance
39. Q & A
• Ask me questions, or I'll ask you questions
40. Sources used
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– Lockheed Martin's "Cyber Kill Chain"
– Joshua Corman and David Etue from RSAC 2014, "Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome"
– Lego
Editor's notes
Or join these
Paul Jung present & presenting
No, that's not a moon. Perspective matters. Things are not as they seem.
Also the Microsoft Stuxnet vuln patch failed. And signatures fail all the time also – my vendor didn't successfully create signatures for Shellshock for 1-2 weeks; the first few were insufficient.
The Egyptians built their pyramids from the bottom up. Because that's how you build pyramids. Start there!
Laying a secure foundation matters supremely. History proves this
As with any art, practice makes a master. So, practice!
Automation is key for threat intelligence, threat detection and threat remediation
Don't start by blindly buying tools; do the basics, master them and work from there.
In reality, you will have AV, Java and others. And you probably cannot enforce killing all executables