2. Outline of our talk
Introductions
Starting with Protection & Defence
Scope and ambition of CIRC
Approach to tooling
The need for collaboration
5. The risks our clients run from data loss, theft or cyber attack are serious to existential
Ability to recover
Human Safety
Accreditation Status
Reputation
Financial control
Ability to perform
Intellectual Property
6. Drives the nature and extent of measures required to achieve desired security
The services we provide depend on the problem we find:
Level of threat (understanding the threat: actors, methods and history)
x
Level of vulnerability (understanding the technical vulnerabilities and weaknesses in security governance and user habits)
=
Extent of security measures required
7. Assess, Implement, Protect, Respond, Confirm
Competitive Advantage. Information Superiority.
Aware, Deter, Detect & Resist, Defend, Assure
[Diagram: Selex ES cyber services arranged around the lifecycle above]
Audit, Discovery, Health Checks, Policy, Training, Accreditation support
Design, build, operate secure systems
Protective Monitoring Services
Investigation, Forensics
Selex ES cyber services are a coherent set, designed to address threats and resolve vulnerabilities
8. Northrop Grumman Approach to Cybersecurity
Ensure: the Mission
Protect: the Data
Continuously monitor: the Network
Full Dimensional Assurance Blueprint
People and Processes / Technology:
Enhanced automation
Temporal improvement
Information protection strategy
Risk based approach
Data centric protection
Application integrity
Adaptive architecture
Continuous situation awareness & response
Integrated and Continual Improvements
It's how we view our job for our networks and our customers' networks
9. The Northrop Grumman Cybersecurity Operations Center (CSOC)
Computer Network Defense Activities:
1. Monitoring
o Monitors the NGGN and related devices for signs of malicious activity
2. Vulnerability Management
o Security risks and ensuring appropriate remediation
3. Patch Management
o Rapid deployment of vendor provided fixes to identified vulnerabilities
4. Forensics
o Information security post-incident analysis
5. Incident Response
o Rapid response to malicious activity on the NGGN and related environments
6. Cyber Threat
o Analysis of emerging threats to the NGGN and related environments
7. Sector
o Sector-specific computer network defense requirements
LD-CA-BOK-004, Rev. 16, March 2013, ISHQ-2013-0024
10. Don't start by building a CIRC
Instead, analyse your enterprise vulnerabilities:
People: yours, your suppliers and partners, and your customers
Processes
Organisation
Leadership and governance
Physical sites
Data
Applications
Information and telecoms infrastructure and bought-in services
Your security maturity (e.g. ISO 27001)
11. Getting the house in order
Probably not enough:
Implementation of an appropriate defensive suite:
automated vulnerability scanning
ICT infrastructure and systems log collation and storage
IDS/IPS and associated log collection
potentially, a spectrum of active protective monitoring:
o Security Information and Event Management
o Full Packet Capture
o Deep Packet Inspection
o associated management, storage and alerting / reporting service level
Credit: Active Audit Agency: Ukraine
12. Scope and ambition
Assuming your vulnerabilities are managed, it depends on the threat you face and your freedom of movement
13. Typical Threat World (Offense)
[Diagram: attacker timeline, left to right over Time]
Milestones: Attacker Surveillance, Access Probe, Target Analysis, Attack Set-up, Attack Begins, System Intrusion, Attack Complete, Packaging, Exfiltration, Modification, Cover-up Complete
Phases: Performing Reconnaissance; Affecting the Attack; Executing the Mission; Covering the Tracks
15. It Doesn't Always Line Up
[Diagram: attacker and defender timelines side by side over Time]
Attacker timeline: Attacker Surveillance, Access Probe, Target Analysis, Attack Set-up, Attack Begins, System Intrusion, Attack Complete, Packaging, Exfiltration, Modification, Cover-up Complete
Defender timeline: Physical Security, Intrusion Detection, Analysis Begins, System Reaction, Damage Identification, Recovery
Defender phases: Monitoring & Control, Impact Analysis, Response, Threat Analysis, Attack Forecast, Attack Identified, Defender Reconnaissance, Entry, Defender Action
Attacker Free Time: Reduce this by moving/shrinking this
16. Factors affecting your response posture:
Your legal entitlement – you have heard this today!
Cost of maintaining the capability
The return on investment you would expect (consider insurance!)
19. Why COTS Security Will Always Be a Step Behind
Well-funded adversaries have access to the same technologies as the defenders
[Diagram: Advanced Adversaries' Attack Tool Test Environment shown alongside the Defender's COTS-based Security Architecture]
20. Good Guys Have Some Ways to Level the Field
Behavioral analytics (who talks and works with whom)
Partnerships for threat information sharing
Threat intelligence team augmentation
Custom file analysis
Custom monitoring of network traffic for C2 channels
Organizational agility to respond to changing threat tactics
[Diagram: layered defence around Mission Critical Assets; control labels as shown]
Perimeter: Perimeter Firewall, Perimeter IDS/IPS, Advanced Sensor, Honeypot, Message Security (anti-virus, anti-malware), DLP, Secure DMZs, Application Security, Malware Analysis, NAC/Endpoint Profiler
Enclave: Enclave Firewall, DLP, Wireless/Mobile Protection, Web Proxy, Content Filtering, Enterprise IDS/IPS, VoIP Protection, Virtual Network Security, Enterprise Message Security, Enterprise Remote Access
Endpoint Security Enforcement: DLP, Desktop Firewall, Host IDS/IPS, Content Security (anti-virus, anti-malware), Patch Management, USGCB Compliance
Operations and governance controls: SIEM, Digital Forensics, Security SLA/SLO Reporting, Escalation Management, Focused Ops, SOC/NOC Monitoring (24x7), Incident Reporting, Detection, Response (CIRT), Security Dashboard, Continuous Monitoring and Assessment, Situational Awareness, Vulnerability Assessment, Security Awareness Training, Continuous C&A, IT Security Governance, Security Policies & Compliance, Security Architecture & Design, Threat Modeling, Penetration Testing, Cyber Threat Intelligence, Security Technology Evaluation, Risk Management Framework
Application and data controls: WAF, Static App Testing/Code Review, Database Secure Gateway (Shield), Database Monitoring/Scanning, Dynamic App Testing, DAR/DIM/DIU Protection, Data Wiping/Cleansing, PKI, FICAM, Enterprise Rights Management, DLP, Data Classification, Data/Drive Encryption, Data Integrity Monitoring
Mission Critical Assets (centre of the diagram)
Defenders Have to Be Right Every Time... The Field Can Be Leveled by Leveraging Information Available Only to the Defender
21. The need for collaboration
The value of developing and sharing intelligence, securely
The common theme across EU, NATO, other nations and Industry bodies globally
22. Towards Cyber Systems Interoperability:
STIX: Structured Threat Information eXpression Language
[Diagram: STIX 1.0 core constructs and the relationships between them]
Constructs: Campaign, TTP, Threat Actor, Exploit Target, COA, Incident, Observable, Indicator
Relationship fields shown ([*] denotes a list): AssociatedCampaigns[*], HistoricalCampaigns[*], AssociatedActors[*], RelatedIncidents[*], RelatedThreatActors[*], PotentialCOAs[*], ExploitTargets[*], LeveragedTTPs[*], RelatedIndicators[*], RelatedTTPs[*], ObservedTTPs[*], Attribution[*], IndicatedTTPs[*], Observables[*], Sub-Observables[*], COATaken[*], COARequested[*], SuggestedCOA[*]
Source: MITRE Structured Threat Information eXpression (STIX) v.1.0
Source: CJCS/NATO Joint Terminology for Cyberspace Operations
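To show how the relationship fields on the STIX diagram chain together for an analyst, here is an added example (not from the slides and not MITRE's STIX schema) that models a few constructs as a small graph and pivots from one sighted observable to indicators, TTPs, threat actors, campaigns and courses of action. Node, GRAPH, pivot and every id and value are constructed for illustration; only the relationship field names are taken from the slide.

```python
"""Toy STIX 1.0-style relationship graph (constructed example, not MITRE's STIX schema)."""
from dataclasses import dataclass, field

@dataclass
class Node:
    """One STIX construct; rels maps a relationship field name from the slide to a list of ids."""
    kind: str          # Observable, Indicator, TTP, ExploitTarget, ThreatActor or Campaign
    id: str
    value: str = ""    # Observables only: the thing a sensor actually sees
    rels: dict = field(default_factory=dict)

def of(kind, graph):
    return [n for n in graph.values() if n.kind == kind]

# Constructed sample graph (ids and values are illustrative, not real indicators).
GRAPH = {n.id: n for n in [
    Node("Observable", "obs-1", "c2.example.invalid"),
    Node("Observable", "obs-2", "sha256:constructed-sample-hash"),
    Node("Indicator", "ind-1", rels={"Observables": ["obs-1"], "IndicatedTTPs": ["ttp-1"],
                                     "SuggestedCOAs": ["coa-sinkhole"]}),
    Node("Indicator", "ind-2", rels={"Observables": ["obs-2"], "IndicatedTTPs": ["ttp-2"]}),
    Node("TTP", "ttp-1", rels={"ExploitTargets": ["et-1"]}),
    Node("TTP", "ttp-2"),
    Node("ExploitTarget", "et-1", rels={"PotentialCOAs": ["coa-patch"]}),
    Node("ThreatActor", "actor-1", rels={"ObservedTTPs": ["ttp-1", "ttp-2"]}),
    Node("Campaign", "camp-1", rels={"Attribution": ["actor-1"], "RelatedTTPs": ["ttp-1"]}),
]}

def linked(node, rel):
    return set(node.rels.get(rel, []))

def pivot(sighting, graph=GRAPH):
    """Follow the slide's edges from one sighted value: Observable -> Indicator -> TTP ->
    ThreatActor/Campaign, gathering every COA the graph offers on the way."""
    obs = {o.id for o in of("Observable", graph) if o.value == sighting}
    inds = [i for i in of("Indicator", graph) if linked(i, "Observables") & obs]
    ttps = set().union(*(linked(i, "IndicatedTTPs") for i in inds))
    actors = {a.id for a in of("ThreatActor", graph) if linked(a, "ObservedTTPs") & ttps}
    camps = {c.id for c in of("Campaign", graph)
             if linked(c, "RelatedTTPs") & ttps or linked(c, "Attribution") & actors}
    coas = set().union(*(linked(i, "SuggestedCOAs") for i in inds))
    for t in ttps:                                   # ExploitTarget.PotentialCOAs reached via TTP
        for et in linked(graph[t], "ExploitTargets"):
            coas |= linked(graph[et], "PotentialCOAs")
    return {"indicators": sorted(i.id for i in inds), "ttps": sorted(ttps),
            "threat_actors": sorted(actors), "campaigns": sorted(camps), "coas": sorted(coas)}

if __name__ == "__main__":
    print(pivot("c2.example.invalid"))
```

A sighting that matches no Observable returns empty lists throughout, which is the cue that the graph holds nothing to share about it yet.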