An in-depth look at Security Operations in the Cloud. Join us as we discuss: Cloud Security, Secure Cloud Topology, Kill Chain and Threat actor motives.
2. Today’s Speakers
Jeff Schilling, CISM
Chief Security Officer
FireHost
• Former Director of the Global Incident Response practice for Dell SecureWorks
• Colonel, Retired – Former Director of the Global Security Operations Center for U.S. Army’s Cyber Command
• Former Director of the DOD’s Global NetOps Center for JTF-GNO
SECURITY OPERATIONS
3. Agenda
• The Security Landscape – Threats, Actors & Motives
• Why SecOps?
• SecOps Concept, Roles & Topology
• The OODA Loop
• Kill Chain
• Use Case
• Questions & Answers
6. THREAT MOTIVES
• Hacktivists / Cyber War
• Crime and Fraud
• Intellectual Property Theft
7. Why Security Operations?
• It’s about Risk Reduction
• It’s about reducing your attack surface area
• It’s not about the tools you use, it’s about how you use them
8. PEOPLE, PROCESS, & TECHNOLOGY
PEOPLE: The only cloud provider with a CSO, CISO, SecOps and InfoSec team protecting customers, not just internal operations.
PROCESS: A security-centric approach to everything we do – from customer onboarding and support to the most advanced security operations of any cloud provider around.
TECHNOLOGY: The industry’s only cloud built secure from day one with top security products orchestrated as one automated system unlike any on the market; no bolted-on, added-expense gimmicks.
13. TARGETING METHODOLOGY – OODA LOOP
THE OODA LOOP – CLOUD SECURITY FRAMEWORK
Military defense model created by the Air Force in the Korean War: OBSERVE → ORIENT → DECIDE → ACT
14. THE KILL CHAIN – THREAT TYPES
1 RECONNAISSANCE: Open source research; Social network research; Port scan, IP sweep; Google research
2 WEAPONIZATION: Combine the exploit tool with the method
3 DISTRIBUTION & STRATEGY: Phishing email; Website drive-by; SQL inject script
4 EXPLOITATION: Infected Word Doc or PDF is opened; JavaScript exploited in browser; Command line SQL inject
5 PERSIST/LATERAL MOVEMENT: Registry Key changed; Privilege Escalation; Look for open connections
6 COMMAND & CONTROL: Malware or compromised system reaches out for instructions
7 ACTION ON TARGET: Search the target; Destroy or disrupt; Package and prepare data for exfiltration
15. THE KILL CHAIN – THREAT TYPES
Controls mapped to each phase (slide diagram):
1 RECONNAISSANCE: IPRM, WAF, vGW, NIDS
2 WEAPONIZATION: Threat research (happens outside of our network boundaries)
3 DISTRIBUTION & STRATEGY: IPRM, WAF, vGW, NIDS, Malware Detection, VTM
4 EXPLOITATION: Malware Detection, WAF
5 PERSIST/LATERAL MOVEMENT: Malware Protection, VTM, vGW
6 COMMAND & CONTROL: IPRM, WAF, vGW, NIDS
7 ACTION ON TARGET: IPRM, WAF, vGW, NIDS
17. THREAT ACTOR USE CASE
A threat actor compromises a FireHost customer web server through a WordPress vulnerability and begins using the host to send spam email with malicious attachments outside of the environment. FireHost then receives abuse complaints following the attack.
• This type of attack requires intermediate (B) or more advanced skills, but is commonly seen at the intermediate level.
• Results of this type of attack could include FireHost reputation damage due to our IPs being blacklisted, as well as possible data loss to the customer through the mail sender.
• The SOC detects similar attacks weekly within our customer environment.
P-D-R KILL CHAIN MAPPING
Threat Scale Rating: 3-4
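As an added example (not FireHost's code or tooling), the Python script below shows one detection a SOC could run for the use case above: a host whose inventory role is "web" starting outbound SMTP connections to many distinct mail hosts, which is how a compromised WordPress server turned spam sender shows up in flow logs before abuse complaints arrive. The flow log lines, the asset inventory and the IP addresses are constructed for the example; the finding is labelled with the deck's kill chain phase 7, "Action on Target", and the legitimate mail relay is excluded by its role so it does not trigger.

```python
"""Flag web servers that begin originating SMTP traffic (constructed example, not FireHost code)."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed firewall/flow log lines: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_FLOW_LOG = """\
2014-05-01T10:00:01Z 10.1.2.10:44123 -> 203.0.113.25:25 tcp
2014-05-01T10:00:02Z 10.1.2.10:44124 -> 198.51.100.17:25 tcp
2014-05-01T10:00:02Z 10.1.2.10:44125 -> 192.0.2.77:25 tcp
2014-05-01T10:00:03Z 10.1.2.10:44126 -> 203.0.113.99:587 tcp
2014-05-01T10:00:04Z 10.1.2.10:44127 -> 198.51.100.44:25 tcp
2014-05-01T10:00:05Z 10.1.2.10:44128 -> 192.0.2.5:25 tcp
2014-05-01T10:00:06Z 10.1.2.10:44129 -> 192.0.2.6:25 tcp
2014-05-01T10:00:07Z 10.1.2.20:51000 -> 203.0.113.25:25 tcp
2014-05-01T10:00:08Z 10.1.2.20:51001 -> 198.51.100.17:25 tcp
2014-05-01T10:00:09Z 10.1.2.10:44130 -> 192.0.2.9:443 tcp
2014-05-01T10:00:10Z 10.1.2.30:40000 -> 203.0.113.25:25 tcp
"""

# Constructed asset inventory: only hosts with the "mail" role are expected to originate SMTP.
ASSET_ROLES = {
    "10.1.2.10": "web",   # customer WordPress web server
    "10.1.2.20": "mail",  # customer's legitimate outbound mail relay
    "10.1.2.30": "web",
}

SMTP_PORTS = {25, 465, 587}
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


@dataclass
class Finding:
    host: str
    role: str
    distinct_mail_hosts: int
    connections: int
    kill_chain_phase: str


def parse_flow_lines(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for every line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than crash the detection
        ts, src, _sport, dst, dport, _proto = m.groups()
        yield ts, src, dst, int(dport)


def detect_rogue_smtp_senders(flow_text, roles=ASSET_ROLES, min_distinct=3):
    """Return a Finding for each non-mail host that reached at least min_distinct SMTP destinations."""
    targets = defaultdict(set)   # src -> set of SMTP destinations
    counts = defaultdict(int)    # src -> number of SMTP connections
    for _ts, src, dst, dport in parse_flow_lines(flow_text):
        if dport not in SMTP_PORTS:
            continue
        targets[src].add(dst)
        counts[src] += 1
    findings = []
    for src, dsts in sorted(targets.items()):
        role = roles.get(src, "unknown")
        if role == "mail":
            continue  # a mail relay talking SMTP is expected behaviour
        if len(dsts) >= min_distinct:
            findings.append(Finding(src, role, len(dsts), counts[src], "Action on Target"))
    return findings


if __name__ == "__main__":
    for f in detect_rogue_smtp_senders(SAMPLE_FLOW_LOG):
        print(f"{f.host} ({f.role}): {f.connections} SMTP connections to "
              f"{f.distinct_mail_hosts} distinct hosts; kill chain phase: {f.kill_chain_phase}")
```

The threshold on distinct destinations, rather than raw connection count, is deliberate: a web server that e-mails one contact-form notification through a single relay is normal, while one fanning out to many external MTAs is the spam pattern described in the use case. Unknown hosts are not excluded, so an unregistered asset that starts sending mail is still surfaced.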
20. Thank You
Please visit us at firehost.com
Email sales@firehost.com
Phone (US) +1 877 262 3473
(UK) +44 800 500 3167
Editor’s notes
Neil: I’d like to introduce our speakers today. I’m Neil and I’ll be moderating our discussion. Jeff Schilling, FireHost’s new Chief Security Officer, will be leading today’s session on Security Operations in the cloud and why it matters to today’s enterprises. As you can see here, Jeff has a storied security career, both as a military leader and a civilian.
Jeff slide
With what we’re seeing from the threat and intent standpoints, we can see what trends look like.
Tools are similar, but attack methods change constantly
Parity in advanced skill level
Nation-state using modified or off-the-shelf malware as a hook
Tools ≠ sophisticated
Deployment methods = more sophisticated
Getting harder to find insiders
Criminals, nation-states blending attack methods
Commodity Threat
Phishing with Dynamite
Automated control for scale
Can be defended with good Signature based controls
Smash and grab
Advanced Persistent Threat
Playing chess
Human controlled (just for you)
Custom trade craft
Highly targeted efforts
Attempts to cover their tracks
Goal is to log on, become an insider
Insider Threat
Fly on the wall
Hardest to detect, tries to hide in normal activity
Usually has elevated privileges
In most cases, assumes not being monitored
May be some overlap in APT and Insider threat detection
Hacktivists/Revenge Cyber Warfare
Disrupt
Destroy
Deny
Revenge
Embarrass
Intimidate
Intellectual Property Theft
Competitive advantage
Fill in an innovation gap
Nation-state level espionage
Crime
Steal your Money
Steal your clients’ money
Identity Theft
Fraud
REMINDER – weave in compliance message, too.
Even the best technology requires proper SecOps
Teams buy security tools without understanding threats and vulnerabilities, don’t implement people & processes, and enjoy a false sense of protection
Insecure providers don’t focus on security operations in customer environments
FireHost uses the right technology, people and processes to build a wall of protection around the cloud.
Security Operations Center (SOC)
Front-line of security support for our customers.
The initial “Response” arm of the organization
Security Infrastructure (Devices)
Responsible for maintaining and tuning FireHost security infrastructure.
Escalation point for SOC.
Vulnerability Threat Management (VTM)
Working in concert with Intel and FNF, manage vulnerabilities to corrective action.
“Sledgehammer” approach to vulnerability scanning. (wide reaching scans)
Forensics (FOR)
Collect and analyze host-based and network-based forensic artifacts gathered as part of an incident in order to develop better protection, detection, or response mechanisms
Reconnaissance
Open source research
Social network research
Port scan, IP sweep
Google research
___________________
Vulnerability Weaponization
Combine the exploit tool with the method
e.g. combine a zero-day exploit with a PDF or Word Doc, or add the exploit to a vulnerable website
___________________
Distribution and Strategy
Phishing email
Website drive by
SQL inject script
___________________
Exploitation
Infected Word Doc or PDF is opened
JavaScript exploited in browser
Command line SQL inject
___________________
Persistence / Lateral Movement
Registry Key changed
Privilege Escalation
Look for open connections
Cover tracks
___________________
Command and Control
Malware or compromised system reaches out for instructions (automated or human controlled)
___________________
Action on Target
Search the target network for desired data
Destroy or disrupt service (e.g. CryptoLocker)
Package and prepare data for exfiltration
RECONNAISSANCE
IPRM
WAF
vGW
NIDS
__________________________
WEAPONIZATION
Threat research
(happens outside of our network boundaries)
__________________________
DISTRIBUTION & STRATEGY
WAF
IPRM
Malware Detection
NIDS
VTM
__________________________
EXPLOITATION
WAF
Malware Detection
VTM
__________________________
PERSIST/LATERAL MOVEMENT
Malware protection
VTM
vGW
__________________________
COMMAND & CONTROL
NIDS
IPRM
vGW
WAF
__________________________
ACTION ON TARGET
NIDS
IPRM
vGW
WAF
Neil:
That really tees us up for a discussion about risk reduction and what the cloud provider of tomorrow should look like. Jeff– I know you have some strong opinions on this topic. Can you share your perspective with us?
Jeff:
Well, Neil, they will look very different from the insecure providers of today that we’ve talked about.
One thing you can count on – cybercrime isn’t going away. It’s going to get more sophisticated and more relentless. That means the commodity, performance-driven cloud provider will become a relic of the past – these generalist providers who can only focus on cost and performance simply won’t survive. Any provider who wants to thrive in tomorrow’s landscape will make security the top priority AND deliver performance at the same time.
Now I want to be clear about this - FireHost is delivering this level of advanced security, compliance, performance and service right now. From our orchestration and increasing automation capabilities to our higher standard on service-level agreements, we know how to build the safest and highest-performing cloud around. We’re protecting our clients right now and we’re ready for the future too.
The provider of the future won’t resemble today’s provider
The commodity, performance-driven cloud provider is a relic of the past
Security threats and hackers will continue to become more sophisticated
Tomorrow’s provider will make security the top priority while delivering performance