Information Security done right - Defending enterprise IT in 2015. Cloudified.

2. World’s biggest Hack?
• They’ve lost...everything
• Was their security ”make believe”?
• Can they survive?

3. Defending enterprise IT
- Some best practices to mitigate
cyber attacks
Going Above
and Beyond Compliance
And staying away from Slide #1

4. About me
• Father of 3, happily married. I live in Luxembourg
• Head of IT for a Bank, and also independent IT/Infosec
consultant. Any opinions presented here are my own
and do not represent my employer.
• CISO-as-a-service, CIO-as-a-service
• Contributor to @TheAnalogies project (making IT and
Infosec understandable to the masses)
• Member of the I am the Cavalry movement – trying to
make connected devices worthy of our trust
• @ClausHoumann
• Find my work on slideshare

5. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf

7. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying
to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist

8. Infosec Vendors

9. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying
to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
• It’s an assymetrical conflict

10. It’s an assymetrical conflict
X-wing

11. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying
to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
• It’s an assymetrical conflict
• A lot of companies fail to focus on the basics
• Train your people!

12. Train Harder
And smarter

13. Cyber Security:
”State of the (European) Union”
• Threats are abundant and on the rise
• http://map.ipviking.com/ is a good way to illustrate/visualize this
• Existing tools, and even Next-Generation APT tools dont work:
– Examples: https://blog.mrg-effitas.com/wp-
content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf
– http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
• The job of Enterprise-Defender is as much sorting through vendor bullshit, trying
to not purchase crappy products while trying to build some actual skills
• Tools are not the solution
• No silver bullets exist
• It’s an assymetrical conflict
• A lot of companies fail to focus on the basics
• Train your people!
• Do not rely on compliance for security

14. Compliance
• Is
• NOT
• Security
• Which any of you who ever attended a
Security conference will have already heard
• Compliance is preparing to fight yesteryears
war

15. Want to beat assymetricality?
Here’s how:
• A strategic approach to security leveraging
methods that work

16. Pyramids
- This one is Joshua Cormans.
Could be best definition of Defense-in-Depth
Defensible Infrastructure
Operational Excellence
Situational
Awareness
Counter-
measures

17. The Foundation
Defensible Infrastructure
Software and Hardware built as
”secure by default” is ideal
here. Rugged DevOps.
Your choices of tech impacts
you ever after
You must assemble carefully,
like Lego
Without backdoors or Golden Keys!

18. Mastery
Operational Excellence
Master all aspects of your Development,
Operations and Outsourcing. Train like the
Ninjas!
DevOps (Rugged DevOps)
Change Management
Patch Management
Asset Management
Information classification & localization
Basically, all the cornerstones of ITIL
You name it. Master it.

19. Gain the ability to handle situations correctly – Floodlights ON
Situational
Awareness
”People don’t write software anymore, they assemble it” Quote Joshua Corman.
-> Know which lego blocks you have in your infrastructure
-> Actionable threat intelligence
-> Automate as much as you can, example: IOC’s automatically fed from sources
into SIEM with alerting on matches
Are we affected by Poodle? Shellshock?
WinShock? Heartbleed? Should we patch now?
Next week? Are we under attack? Do we have
compromised endpoint? Are there anomalies
in our LAN traffic?

20. Counter that which you profit from
countering
• Decrease attacker ROI below critical threshold
by applying countermeasures
• Most Security tools fall within this category
• Limit spending until you’re laid the
foundational levels of the pyramid
Counter-
measures
Footnote: Cyber kill chain is patented by Lockheed Martin.

21. Mapping to other strategic approaches
Defensible Infrastructure
Operational Excellence
Situational
Awareness
Counter-
measures
Lockheed Martin patented
Nigel Wilson ->
@nigesecurityguy

22. Defense-in-Depth

23. Kill chain actions
Source: Nige the security guy =
Nigel Wilson

24. Defensive hot zones
• Basketball and
other sports
analysis ->
• – FIND the
HOT zones of
your
opponents.
• Defend there.

25. Defensive hot zones
• Basketball and
other sports
analysis ->
• – FIND the
HOT zones of
your
opponents.
• Defend there.

26. Hot zones!
• You need to secure:
– The (Mobile) user/
endpoints
– The networks
– Data in transit
– The Cloud
– Internal systems
Sample protections added only, not the
complete picture of course

27. Best Practices – High level
• Create awareness – Security awareness training
• Increase the security budget
– Justify investments BEFORE the breach.
– It’s easier when you’re actually being attacked. But
too late.
• Use the Cyber Kill Chain model or Nigel Wilsons
”Defensible Security Posture” to gain capability to
thwart attackers
• Training, skills and people!

28. Hot zone 1: Endpoints
A safe dreamworld PC
• Microsoft EMET 5.1
• No Java
• No Adobe Flash Player/Reader
• No AV (that one is for you @matalaz)
• Kill all executable files on the Proxy layer (.exe .msi
etc.)
• (Not even needed but works if something evades the
above):
– Adblocking extension in browser
– Invincea FreeSpace/Bromium
Vsentry/Malwarebytes/Crowdstrike Falcon

29. Hot zone 1:
A real world PC
• Microsoft EMET 5.1
• Java
• Adobe Flash Player/Reader
• AV
• Executable files kill you, so use:
– Adblocking extension in browser
– Invincea FreeSpace/Bromium Vsentry/Malwarebytes/Crowdstrike
Falcon
– Secure Web Gateway
– White listing, black listing
– No admin credentials left behind
And then cross your fingers

30. Hot zone 1, more
• PC defense should include:
– Whitelisting
– Blacklisting
– Sandboxing
– Registry defenses
– Change roll-backs
– HIPS
– Domain policies
– Log collection and review
– MFA
– ACL’s/Firewall rules
– Heuristics detection/prevention
– DNS audit and protection

31. Hot zone 2:
The networks
• Baselining everything
• Spot anomalies
• Monitor, observe, record
• Advanced network level tools such as Netwitness,
FireEye, CounterAct
• Test your network resilience/security with fx Ixia
BreakingPoint
• Network Security Monitoring (NSM)
• Don’t forget the insider threat

32. Hot zone 3+4:
Data in Transit/Cloud
• Trust in encryption
• Remember you secure what you put in the cloud. The Cloud
provider doesn’t
• Great new mobile collaboration tools exist
• SaaS monitoring and DLP tools exist -> ”CloudWalls”
• Cloudcrypters
• CloudTrail, CloudWatch, Config-log/change-trackers, vuln.mgmt
• Story about the Vulnerability patched during Bash/Shellshock public
confusion period
• And this for home study: https://securosis.com/blog/security-best-
practices-for-amazon-web-services

33. Cloud
• Segmentation
• Compartmentalisation
• Need to know

34. Cloud
• Concentration risk
• Secure the administrative credentials and APIs
• ENISA:
– https://www.enisa.europa.eu/activities/risk-
management/files/deliverables/cloud-computing-risk-
assessment
– https://resilience.enisa.europa.eu/cloud-computing-
certification
• A funny story about cloud certification providers
hacking me

35. Hot Zone 5

36. Best practices
• Use EMET
• Use ad-blockers
• Use advanced endpoint mitigation tools like
Bromium Vsentry, Invincea FreeSpace,
Malwarebytes, Crowdstrike Falcon
• Identify potential attackers and profile them

37. A more defensible infrastructure
• Avoid expense in depth
• Research and find the best counter measures
• Open Source tools can be awesome for example
Suricata & Bro_IDS
• Full packet capture and Deep packet
inspection/Proxies for visibility
• KNOW WHAT’S GOING ON IN YOUR NETWORKS
• Watch and learn from attack patterns

38. Best practices - Mitigate risks
Source: Dave Sweigert

39. Automate Threat Intelligence IOC
• Use multiple IOC feeds
• Automate daily:
– IOC feed retrival,
– Insertion into SIEM,
– Correlation against all-time logfiles,
– Alerting on matches
• Example: Splunk Splice can do parts of this

40. You need to ally up!
• Security and Infrastructure aren’t enemies
• Security and the office of the CIO aren’t
enemies
• Ally up & Bromance!
• Together, you can
make things more
defensible and
retain usability

41. • 5G: The rise of the Android DDoS’er. 1 gbit/s
connections from phones easily hacked. Obvious
threat?
• IPv6 – network reconnainsance surprisingly easily
done: https://tools.ietf.org/html/draft-ietf-opsec-ipv6-
host-scanning-04. Damn, no security through obscurity
to get there
• Countering Nation State Actors -> or more specifically
their TTP’s becomes a MUST. Because the bad guys will
learn from them & adapt their offense
Future threat trends

42. And the unexpected extra win
• Real security will actually make you compliant
in many areas of compliance

43. Q & A
• Ask me question, or I’ll ask you questions

44. Sources used
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– Lockheed Martins ”Cyber Kill Chain”
– Joshua Corman and David Etue from RSAC 2014
”Not Go Quietly: Surprising Strategies and
Teammates to Adapt and Overcome”
– Lego