This document discusses implementing effective cybersecurity postures. It outlines an agenda for a presentation including discussing Obama's 2013 executive order on critical infrastructure cybersecurity and the NIST Cybersecurity Framework. It identifies that everything is now critical infrastructure and weaknesses can be exploited. It discusses overcoming potential roadblocks like understanding business risks, planning for the full threat mitigation cycle, dealing with consequences, getting options for mitigation, and preparing for worst-case recovery scenarios. The presentation aims to provide clarity and help audiences be thoughtful and logical in their cybersecurity approaches.
4. Agenda
o Obama Executive Order
o Cybersecurity Framework 1.0
o Time To GSD
o Overcome 5 Top Road Blocks
o Q&A
5. We monitor threats & help customers
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research & technology prototyping
We work with the security ecosystem
o Best practice for cyber defense
o Actionable threat intelligence
6. o Obama’s Executive Order 13636, February 12, 2013
o Call to action “Improving Critical Infrastructure Cybersecurity”
o Critical Infrastructure: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
7. You Can Be The Weakest Link To Cybersecurity!
o With the connected world, everything is critical to threat penetration, from retail stores, to government, to IoT devices!
o RSA Secure Token breach via HR employee
o Target breach via HVAC contractor access
o OPM breach via contractors (USIS & KeyPoint)
o Jeep Cherokee via (Sprint cellular + Harman Kardon Uconnect 8.4N/RA4 radio)
8. NIST Cybersecurity Framework 1.0
o NIST spearheaded a joint government-private effort
o Framework meant for voluntary adoption
o Advocates the best approach to managing cybersecurity risks in the face of advanced threats and evolving IT & ICS infrastructure
9. From Board Visibility 2 GSD!
Business risks: CEO/CISO accountability
“5 headcounts, take care of it for me!”
What are our crown jewels, where?
What’s the most urgent?
Who/where are our threat sources?
What tools are most effective for our needs?
“We need to implement a solution to manage the risks for today and ongoing, with grace!”
Process, tools, operations
11. Defensive Stake Holders And Roles

| Risk Mgmt Cycle | Government | Businesses | Tool Vendors | Netizens |
|---|---|---|---|---|
| Identify objectives | Foster good behaviors | Priority & objective | Business asset & IT integration | Privacy & security awareness |
| Protect assets | Encourage best practices | Proactive posture | Kill chain & impact delineation | Practice security |
| Detect incidents | Promote sound approaches | Visibility: attack surface & threat vector | Deployment flexibility & scale | Follow policy |
| Respond to incidents | Compel business responsibility | Time to containment & resolution | Workflow automation, API | Follow policy |
| Recover from breaches | Compel stronger consumer protection | Time to restoration | Context aware & forensics | Follow policy |
12. Top 5 Potential Road Blocks
1. Understand business-specific risks
2. Plan for the complete threat mitigation cycle
3. Anticipate and deal with consequences
4. Ask for ready-to-take mitigation options
5. Prepare for the worst-case recovery
13. Understand Your Business Risks
o Different threats, different priorities
o OPM – personnel records
o Health care – patient records
o Financial – client records, transaction system
o Design house – blueprint, schematics
o Internet service provider – customer account info
o Where others failed
o Compliance as the ends instead of means
14. Plan For Full Mitigation Cycle
o Watch for attacks at all stages of the kill chain
o Monitor all access paths to your protected assets
o Spectacular failures
o RSA attack combined a Flash 0day with spear-phishing
o Mr. Snowden went directly for exfiltration
o OPM attack used USIS & KeyPoint as stepping stones
o Ashley Madison hack likely involved an insider
Kill chain: Exploit → Download → Install → Exfiltrate
15. Focus On Dealing With Consequences
o “Consequence focus” forces clarity on objectives
o Stopping a buffer-overflow (BO) exploit against the file server is neither sufficient nor necessary for stopping code theft from the server
o Need a multi-pronged approach: protect, detect, respond, and recover
o Murphy’s law also holds for “prevention”
o Others’ failure, your gain
o “Deploy and forget” IPS defense does not work
o Think about what you can protect, detect, respond to, and recover from!
16. Your Plan, Your Choice
o What’s missing from your tools?
o Timely, relevant and specific detection
o Prioritized ready-to-take actions
o Ecosystem-friendly tools
o Some example failures
o Firewalls will block IP/port/apps, if you tell them “what exactly”
o IPS/SWG will block a communication/URL, if you tell them so
o AV will quarantine or even clean up an endpoint, if it were able to spot most malware
17. Prepare For The Worst
o Don’t plan for “Armageddon” or “Singularity”
o Plan for the worst you can handle
o Privileged user gets infected by RAT malware
o Unauthorized access to your source repository
o Cryptolocker infection on a file share server
o Some well-known lessons
o No worst-case consideration
o No robust backup/restore practice for servers or endpoints
o No compartmentalization or isolation control
o No least-privilege practice
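As an added illustration (not from the deck or its authors), a small Python check that combines the consequence focus of slide 15 with the worst-case scenarios of slide 17: each scenario names a crown jewel and the kill-chain stages an attacker must cross, and the report lists, per protect/detect/respond/recover function, the stages no deployed control covers. The controls, scenarios and the stages assigned to each tool are constructed assumptions for the example.

```python
"""Consequence-focused coverage check (constructed example)."""
from dataclasses import dataclass

STAGES = ("exploit", "download", "install", "exfiltrate")  # kill chain from slide 14
FUNCTIONS = ("protect", "detect", "respond", "recover")     # from slide 15

@dataclass(frozen=True)
class Control:
    name: str
    function: str        # one of FUNCTIONS
    stages: frozenset    # kill-chain stages this control acts on
    assets: frozenset    # assets it applies to; {"*"} means any asset

@dataclass(frozen=True)
class Scenario:
    name: str
    asset: str           # the crown jewel whose loss is the consequence
    stages: tuple        # stages the attacker must traverse to cause it

def coverage_gaps(scenario: Scenario, controls: list) -> dict:
    """Map each function to the scenario stages no applicable control covers."""
    gaps = {}
    for fn in FUNCTIONS:
        covered = set()
        for c in controls:
            if c.function == fn and (c.assets == {"*"} or scenario.asset in c.assets):
                covered |= c.stages
        missing = [s for s in scenario.stages if s not in covered]
        if missing:
            gaps[fn] = missing
    return gaps

# Constructed inventory: a "deploy and forget" perimeter stack plus backups for one asset.
ANY = frozenset({"*"})
ALL_STAGES = frozenset(STAGES)
CONTROLS = [
    Control("perimeter IPS", "protect", frozenset({"exploit"}), ANY),
    Control("endpoint AV", "detect", frozenset({"install"}), ANY),
    Control("egress firewall allow-list", "protect", frozenset({"exfiltrate"}), ANY),
    Control("file-share backups", "recover", ALL_STAGES, frozenset({"file share"})),
]
# Constructed worst cases, taken from the scenarios named on slide 17.
SCENARIOS = [
    Scenario("RAT on privileged user", "source repository", ("exploit", "install", "exfiltrate")),
    Scenario("cryptolocker on file share", "file share", ("download", "install")),
]

def worst_case_report(scenarios=SCENARIOS, controls=CONTROLS) -> dict:
    """Scenario name -> {function: uncovered stages}; an empty dict means full coverage."""
    return {s.name: coverage_gaps(s, controls) for s in scenarios}
```

With this inventory the RAT scenario has no respond or recover coverage at all, and the cryptolocker scenario is recoverable only because backups exist for that one asset.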
There is a new defense paradigm, justifiably learned from traditional warfare: focusing on attack consequences
Two main reasons behind this paradigm shift, …
When you pay attention, others’ failure is your gain, …