These are the talk slides from ISSA International - discussing the need to reboot Enterprise Security to facilitate better defensibility, more intelligent security, and better operational capabilities.
A debit card processing company was breached in India. To breach companies like this, it is likely that profiles were developed on key employees. There are experts who build profiles: I want to attack company X. I find out who the top execs are. I might go on LinkedIn. I look at their Facebook posts. I know his friends, the places he's been, the restaurants he checks into. I find out what he likes to do. It makes the victim easy to attack because the profiler knows things about him or her that not many people should know.

If you are an expert profiler, you can build these profiles and sell them on the black market, i.e., the internet, to the highest bidder. I have 10 profiles from company X. Who wants them? Hackers buy these profiles because it is more efficient than doing the profiling themselves. It takes far less time to buy them than to build them. These hackers then breached the company. They might have used a phishing attack and installed malware to break into the network and use the employee's credentials. They may build their own toolkits, or go online and rent botnet networks for $18/day, or buy a Zeus kit for $7K or so. They only had to be right once.

It is plausible that after these companies were breached, the hackers raised their hand and sold these breach points to the highest bidder. I have 50 access points. Who wants to buy that? After the breach, we don't know how long the adversary was there. It could have been months... years? Then the person who is really good at using those access points figures out where your sensitive data is, maps your environment, and works out your configurations. They create this map, raise their hand, and sell it on the Internet to the next person.

Eventually the criminals were able to access some critical databases and change the account profiles, including withdrawal limits and account codes. This information was taken out of the company and provided to their colleagues or sold to a third party.
And from there the cards were made and the teams hit the streets to withdraw cash from the ATMs. This information is monetized and feeds this entire ecosystem. Are there vertically integrated bad guys? Yes. Nation states, large criminal organizations. But if someone is more efficient and more effective at doing one of those stages, why wouldn't you just buy it? When talking about cyber security, we focus too much on the specific actors, whether state-sponsored, a "hacktivist" or a cyber criminal. We need to focus on the full marketplace in which these actors participate. The market organizes these actors around the market processes for breach, enabling disparate parties to collaborate. As actors specialize in this marketplace – in order to make more money – innovation is extraordinary. This criminal ecosystem is much more efficient at creating, sharing and acting on security intelligence than the ecosystem that exists to defend our customers. The standardization of security policies has done a great deal to raise the bar for our industry. But it will continue to fail to make us secure because it lacks a focus on the adversary. No framework discussed in committee will be able to evolve as fast as a marketplace. We need to build our response in a way that disrupts the adversary at every step of their process.
For us, we need to define a new defense in depth: build our capabilities at each stage of their value chain. Obviously we already do some of these things.

We teach people how to be less vulnerable: how to go on the internet without clicking on the links that will download the latest virus to your laptop. You are only as secure as the behavior of your employees. We need to do more work here.

We spend money building capabilities to keep the adversary out of the organization. We may stop 10,000 attacks, but they only have to be right one time. And they are extremely good at evading us.
We need to look at solutions that help us determine that something is afoot. In building out the capabilities for disrupting the discovery and capture stages, big data and the ability to process large data sets in real time and at scale are powerful. Look at the data you already have in your organization to find something that is unusual. If a verified employee, i.e., the individual whose profile was hacked, starts doing something uncharacteristic, like accessing file shares they haven't accessed before or changing database records, you should know about it. If data flows don't match predicted processes, alerts should be set off.

Now, what these criminals are looking for is your critical data: IP, customer information, etc. What are you doing to protect your critical data? Is it encrypted? You should know when it is being moved, accessed inappropriately, or sent outside the organization in an email, a post on a Facebook account, or stored on cloud storage. The increase in the types of information that can be correlated from all over the enterprise and from data outside the enterprise is phenomenal. Organizations are monitoring the cyber black markets for their enterprise's sensitive data and including data from cloud infrastructures in their security operations environment. We are working with companies to combine employee sentiment with abnormal access behavior to find malicious insiders.

Finally, the adversary will beat us at some point. What capabilities do we have for responding after they have won?
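As an added illustration of the two detections described above (a user touching a resource they have never touched before, and a database change that does not match the predicted process, such as the withdrawal-limit edits in the breach story), here is a small baseline-versus-new-activity check over constructed access-log lines. This is example code written for this page, not from the talk or any product; the log format, the share paths and the "expected writers" map are all assumptions.

```python
from collections import defaultdict

# Constructed sample logs in an assumed "timestamp user action resource" format.
BASELINE_LOG = """\
2013-01-02T09:01 alice read //fs01/finance/q4.xlsx
2013-01-02T09:05 alice read //fs01/finance/budget.xlsx
2013-01-03T10:12 bob read //fs01/eng/specs.docx
2013-01-03T11:40 dbadmin update accounts.withdrawal_limit
"""

NEW_LOG = """\
2013-02-10T02:14 alice read //fs01/hr/payroll.xlsx
2013-02-10T02:20 alice update accounts.withdrawal_limit
2013-02-10T09:00 bob read //fs01/eng/specs.docx
2013-02-10T09:30 dbadmin update accounts.withdrawal_limit
"""

# Assumed "predicted process": only these accounts are expected to change each sensitive table.
EXPECTED_WRITERS = {"accounts.withdrawal_limit": {"dbadmin"}}


def parse(log):
    """Yield (timestamp, user, action, resource) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, user, action, resource = line.split(maxsplit=3)
            yield ts, user, action, resource


def build_baseline(log):
    """Per-user set of resources seen during the learning window."""
    seen = defaultdict(set)
    for _, user, _, resource in parse(log):
        seen[user].add(resource)
    return dict(seen)


def detect(baseline, log, expected_writers=EXPECTED_WRITERS):
    """Return alerts as (rule, user, resource) tuples in log order."""
    alerts = []
    for _, user, action, resource in parse(log):
        # Rule 1: first-time access to a share path or table for this user.
        if resource not in baseline.get(user, set()):
            alerts.append(("new_resource", user, resource))
        # Rule 2: a sensitive table changed by someone outside the predicted process.
        if (action == "update" and resource in expected_writers
                and user not in expected_writers[resource]):
            alerts.append(("unexpected_change", user, resource))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print(alert)
```

Replaying the baseline window through `detect` yields no alerts, which is the sanity check to run before trusting the learned baseline on live data.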
How the SPR framework looks at your organization to analyze and devise a forward-moving plan for measurable improvement.