Stay Ahead of Threats with Advanced Security Protection - Fortinet
1. Stay Ahead of Threats with Advanced Security Protection
John Gleason – CISSP
2. Risk - The common driver
Stay ahead… Have a goal and a plan!
• Threat Landscape
• Cyber Security finally reaches #1 in C-Level concerns
• Security Program vs. Compliance checkboxes
• Definitions are important
• Security basics – blocking and tackling before technology
• The end goal – Lower residual risk = Acceptable level of risk
5. Cyber Security finally reaches #1 in C-level concerns:
Top 5 Business Risks - according to World Economic Forum (US, Japan, Germany, Netherlands & others)
• #1 Cyber attacks
• #2 Data fraud and theft
• #3 Terrorist attack
• #4 Fiscal crisis
• #5 Asset bubble
This underscores the significance of understanding the cyber threat
landscape and associated insights related to intruder detection.
7. Security Programs address the 360-degree view
• Controls – Require People, Process, and Technology
  • Administrative
  • Technical
  • Physical
  • ISO 27002 defines information security policy in section 5
  • COBIT defines it in the section "Plan and Organize"
  • Sarbanes-Oxley defines it as "Internal Environment"
  • HIPAA defines it as "Assigned Security Responsibility"
  • PCI DSS defines it as "Maintain an Information Security Policy"
8. Definitions are important
Understanding can only come through common terminology and definitions
• Security Triad
• Roles & Responsibilities
• Data Classification
• Asset Value
• Threat, Threat Agent, Vulnerability, Risk, Counter measure
• Controls
• Residual Risk
10. • Confidentiality – Access Control
  • Identification, Authentication, Authorization (Authenticity)
  • Least Privilege / Need to know
• Integrity
  • Assurance, Accuracy, Reliability
• Availability
  • Perform in a predictable manner, at an acceptable level of performance
  • Recover securely from disruption so productivity is not negatively impacted
  • Single points of failure? (BC/DR)
12. Roles and Responsibilities
Where do you identify? Owner, GM, Coach, Lineman, Linebacker, Safety?
• Data Owner
  • Concerned with terms like legal, regulatory, compliance, due care & due diligence, negligence, reasonable and expected. Generally not IT.
• Data Custodian
  • Typically IT. Responsible for implementing the policies and guidelines established by the Data Owner. Responsibilities include physical data storage, back-up and recovery, and the operation of security and data management systems.
13. Data Classification
How do you view and categorize your assets?
Public / Private Business & Organizations    Military / Government
Restricted/Confidential/Proprietary          Top Secret
Private                                      Secret
Sensitive                                    Confidential
Public                                       Sensitive but Unclassified
                                             Unclassified
14. Asset Value
Quantitative or Qualitative?
• Cost – to Acquire or develop? Maintain & protect? Replace?
• Value – to Adversaries, Intellectual Property
• Operational and productivity loss when unavailable
• Liability if asset is compromised – Compliance, Legal
• Value of knowing your values – cost/benefit analysis, wise selection of
countermeasures, risk awareness, due diligence
15. Risk Management – What (NIST Cyber Security Framework)
• Risk management is the ongoing process of identifying, assessing, and
responding to risk. To manage risk, organizations should understand the
likelihood that an event will occur and the resulting impact. With this
information, organizations can determine the acceptable level of risk for
delivery of services and can express this as their risk tolerance.
• Organizations may choose to handle risk in different ways, including
mitigating the risk, transferring the risk, avoiding the risk, or accepting
the risk, depending on the potential impact to the delivery of critical
services.
16. Risk Management – Why (NIST Cyber Security Framework)
• With an understanding of risk tolerance, organizations can prioritize
cybersecurity activities, enabling organizations to make informed decisions
about cybersecurity expenditures.
• Implementation of risk management programs offers organizations the ability to
quantify and communicate adjustments to their cybersecurity programs.
• Organizations may choose to handle risk in different ways, including mitigating
the risk, transferring the risk, avoiding the risk, or accepting the risk, depending
on the potential impact to the delivery of critical services.
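A worked quantitative version of slides 14 to 16 (asset value, residual risk, risk tolerance, and the four NIST CSF treatments), added here as an illustration rather than anything from the deck. Every asset value, exposure factor, rate and control cost is constructed sample data, and the rules that turn the numbers into accept/mitigate/transfer/avoid are this example's own simplification.

```python
"""Quantitative risk check: does a planned control bring residual risk inside the
organisation's risk tolerance, and does it pay for itself?  Added illustration, not from
the slides; all values below are constructed sample data and the treatment rules are the example's own."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float       # cost to replace / liability if compromised (slide 14)
    exposure_factor: float   # fraction of the asset value lost in one incident (0..1)
    aro: float               # annualised rate of occurrence: incidents per year

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # cost to acquire, maintain and operate, per year
    aro_reduction: float     # fraction of incidents the control stops (0..1)

def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO, where SLE (single loss expectancy) = asset value x EF."""
    return s.asset_value * s.exposure_factor * s.aro

def residual_ale(s: Scenario, c: Control) -> float:
    """Risk left after the control is applied (the slides' 'Residual Risk')."""
    return annual_loss_expectancy(s) * (1.0 - c.aro_reduction)

def control_benefit(s: Scenario, c: Control) -> float:
    """Cost/benefit: annual loss avoided minus the control's annual cost (<0 = not worth it)."""
    return annual_loss_expectancy(s) - residual_ale(s, c) - c.annual_cost

def recommend(s: Scenario, c: Control, tolerance: float) -> str:
    """Treatment in NIST CSF terms; tolerance = largest accepted expected loss per year."""
    if annual_loss_expectancy(s) <= tolerance:
        return "accept"      # already inside tolerance; a control here is wasted spend
    if residual_ale(s, c) > tolerance:
        return "avoid"       # this treatment leaves you above tolerance: stronger control, or avoid the activity
    if control_benefit(s, c) < 0:
        return "transfer"    # control works but costs more than it saves; insure instead
    return "mitigate"        # control gets inside tolerance and pays for itself

# Constructed sample register: a phishing-led mailbox compromise and a website defacement.
PHISHING = Scenario("staff mailboxes", "phishing e-mail", 500_000.0, 0.2, 2.0)
DEFACEMENT = Scenario("marketing website", "defacement", 100_000.0, 0.1, 0.5)
MAIL_GATEWAY = Control("anti-spam + sandbox", 40_000.0, 0.8)
WEB_WAF = Control("web application firewall", 12_000.0, 0.9)
RISK_TOLERANCE = 50_000.0    # constructed: the most the organisation accepts losing per year
```

Run `recommend(PHISHING, MAIL_GATEWAY, RISK_TOLERANCE)` to see the phishing scenario fall from an ALE of 200,000 to a residual 40,000 and come out as "mitigate", while the defacement scenario is already inside tolerance and is simply accepted.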
22. Turning traditional risk analysis upside down
• Threats of today have increased in frequency and impact
• 75-90% enter via e-mail
• 10-20% via a compromised website
• Avoiding the activity is not an option
23. Did You Know…
79,790 – Number of incidents investigated by Verizon in 2015
229 – Average number of days attackers were on a network before detection
70-90% – Percent of time unique malware was found
Gartner: All organizations should assume they are in a state of continuous compromise
25. Breaking the Kill Chain of Advanced Threats
[Figure: the attack chain and the layer that breaks each link]
Chain: Spam → Malicious Email → Malicious Link → Exploit → Malicious Web Site → Malware → Command & Control Center → Bot Commands & Stolen Data
Layers: Anti-spam → Web Filtering → Intrusion Prevention → Antivirus → App Control/IP Reputation → Sandbox
26. Layered Defense + Shared Intelligence
[Figure: layers sharing intelligence – Web Filter, IP Reputation, Intrusion Prevention, Anti-Virus/Malware; annotated findings: known malicious site (Web Filter), botnet site (IP Reputation), sandbox candidate (Intrusion Prevention)]
34. 3:00 – 3:45 PM BREAKOUT SESSIONS
KONICA MINOLTA – Breakout Room: Guest Locker Room
“What is your Print Transformation Strategy?”
Emil Enstrom, Vice President of Enterprise Accounts
BARRACUDA – Breakout Room: Delta 360 Club
“Protecting Data Everywhere”
Rod Mathews, Senior Vice President and General Manager
MARCO – Breakout Room: Main Field
“Uncovering the Cloud: Is it Right for You?”
Steve Knutson, Chief Technology Officer and Vice President of Service
MITEL – Breakout Room: Interview Room
“Deliver a Flexible, Engaging Customer Contact Center Experience”
Brian Spencer, General Manager – Contact Center
Editor's Notes
CISSP – back story and reason for publicly speaking – Advance the cause/awareness of security – Commercial… I mean visibility for Fortinet
Questions to the Audience – get idea of demographics:
Size of organization?
How many Network Admins? Department heads? Security or compliance leaders, C-Level = President, owner?
Stay Ahead – Simple Version – Define your Assets, Threats, Vulnerabilities and Risks – Implement a counter measure which best fits into your overall strategy, and provides the highest levels of protection where appropriate.
Risk directly relates to advanced threats - Identifying assets and making decisions to protect according to your risk tolerance. Having thorough & informed input is critical to the equation.
Entry points to the network have exploded. Borders have extended far beyond the data center and internet edge: data center, branch office, remote client, cell phones & tablets (BYOD), private cloud, public cloud (AWS & Azure), IoT (HVAC, CC readers, thermostats, printer/MFP), healthcare (blood pump, IV drip, heart monitor, etc.).
Example: Continuing on the reactive and volume problem
Rapid Spread: We live in such a connected world and with advancements in technology the Internet is becoming faster and faster. This enables the rapid spread of viruses/malware around the Globe.
Morphing Malware: When a new virus/malware is released into the wild it will continuously change or morph its appearance, making it very difficult for AV/malware vendors to detect.
* Within 1 hour of a new virus/malware being released into the wild we could have 120 different variants/versions of that virus/malware. And again vendors just can’t react fast enough. At the end of that hour vendors are still building protection for the first variant.
Why? Why is this new found level of concern the case for only a subset of countries? The answer to this question lies in being able to understand the dependencies and interconnections of the physical and digital world.
Compliance is more about security for a specific risk – business model. Can be short-sighted on
NIST – again bigger overall umbrella view.
Examples of people, processes and technology – emphasize the importance of process – not can we make the change, but SHOULD we make the change.
NIST Cyber Security - created for Critical Infrastructure, but I love it because it combines creation of a security program and a game plan for starting and tracking progress in the program creation itself and success milestones and maturity.
Validation
Team needed
Knowing your role – and gathering & providing information to proper channels.
Admins – Inventory, diagrams, identification of virtual vs. physical assets. Document single points of failure. Document & validate back-up process. Communicate with the data owner regularly.
Department heads – document and prioritize your resources, or those used most by your team. Identify threats and work with BC/DR
Less about the level and more about identifying data, where it lives and matching for good decision making.
Let them read - Main point Knowing your assets and values will drive solid decision making and awareness.
Follow the links
Advanced threats are not just about entry and prevention. Detective controls and segmented zones allow for the identification upon movement.
Controls are all in place to reduce the impact.
Admin – Policy, procedure, guidelines, best practices
Technical – Cyber/data communications – Firewall (App Ctrl/WF/DLP/IP reputation/Botnet) preventative; IPS preventative/detective; IDS detective; reloading a system OS as a corrective control
Physical controls include locks, fences, mantraps and even geographic-specific controls
Compensating controls – in lieu of those requested. Alternate controls which address the same risk.
Activity phase controls can be either technical or administrative and are classified as follows:
• Preventative controls exist to prevent the threat from coming in contact with the weakness.
• Detective controls exist to identify that the threat has landed in our systems.
• Corrective controls exist to mitigate or lessen the effects of the threat being manifested.
Residual risk needs to equal or exceed acceptable risk – otherwise the control was not worth it. Organization needs to know exactly whether the planned treatment is enough or not.
Normally, risks with high likelihood and high impact were activities to be avoided.
I don’t agree with Gartner on this one, but I do anticipate more internal segmentation inspection will occur.
The technology and power are now available to inspect at the necessary speeds.
Consider the way advanced threats typically operate:
They generally start with an email seeking to entice users, through social engineering, to click on a malicious link. Ideally, your antispam/phishing technology will block the message. But if just one slips through and the recipient is fooled, that link will redirect them out to a malicious site.
That malicious site will typically try to insert malware by exploiting vulnerabilities. Ideally, your web filter will prevent the site visit, IPS will stop the exploit or antimalware will block the code. But if not, you have active malware in your network that can do many things, usually at the behest of an external command and control.
It’s at this stage that having measures in place like IP Reputation or other call-back detection methods is critical, to ensure that communication channel is severed and data can’t be exfiltrated. Otherwise you are breached…
Unless you have deployed a sandbox as a deeper method of inspection, to do things like follow URLs, analyze objects and inspect traffic or communications, and to do so based on actual observed activity rather than static attribute or reputation checking.
The primary value of a sandbox is to take the time for more advanced analysis that’s generally not possible on production systems and identify those things that have evaded traditional defenses… before the endgame of a breach occurs.
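The chain just described (anti-spam, web filter, IPS, antivirus, IP reputation, sandbox) can be turned into a simple detection-gap check: per host, how far down the kill chain did the activity get, which layers let it through, and which layer finally stopped it. This is an added example, not code from the deck or from Fortinet; the log format, stage names and hostnames are invented for the illustration.

```python
"""Kill-chain progress check over constructed security log lines: per host, how far the
attack got, which layers let it through and which layer stopped it.  Added example, not
from the slides; the log format, event names and hostnames are invented."""
import re
from collections import defaultdict
# Stage order follows slide 25; each stage is paired with the layer meant to break it.
STAGES = [("spam_email", "Anti-spam"), ("link_visit", "Web Filtering"),
          ("exploit", "Intrusion Prevention"), ("malware_drop", "Antivirus"),
          ("c2_callback", "App Control/IP Reputation")]
ORDER, LAYER = {s: i for i, (s, _) in enumerate(STAGES)}, dict(STAGES)
LINE = re.compile(r"^\S+ host=(?P<host>\S+) stage=(?P<stage>\w+) action=(?P<action>allow|block)$")

def parse(lines):
    # One dict per well-formed line; junk lines and unknown stages are skipped.
    for m in map(LINE.match, lines):
        if m and m["stage"] in ORDER:
            yield m.groupdict()

def verdict(reached, stopped_by):
    # Responder action given the furthest allowed stage and any blocking layer.
    if reached is not None and ORDER[reached] >= ORDER["c2_callback"]:
        return "breached: sever the C2 channel and submit the sample to the sandbox"
    if stopped_by:
        return f"contained by {stopped_by}"
    return f"unresolved: passed {LAYER[reached]} with no later block; sandbox candidate"

def assess(lines):
    """Return {host: {reached, bypassed, stopped_by, verdict}} from raw log lines."""
    per_host = defaultdict(lambda: {"allowed": set(), "stopped_by": None})
    for ev in parse(lines):
        if ev["action"] == "block":
            per_host[ev["host"]]["stopped_by"] = LAYER[ev["stage"]]
        else:
            per_host[ev["host"]]["allowed"].add(ev["stage"])
    report = {}
    for host, rec in per_host.items():
        passed = sorted(rec["allowed"], key=ORDER.get)   # stages some layer let through
        reached = passed[-1] if passed else None
        report[host] = {"reached": reached, "bypassed": [LAYER[s] for s in passed],
                        "stopped_by": rec["stopped_by"], "verdict": verdict(reached, rec["stopped_by"])}
    return report

# Constructed sample: ws-17 goes all the way to C2, ws-22 is stopped by the web filter.
SAMPLE_LOG = """\
2016-05-10T09:01:22 host=ws-17 stage=spam_email action=allow
2016-05-10T09:03:05 host=ws-17 stage=link_visit action=allow
2016-05-10T09:04:41 host=ws-17 stage=c2_callback action=allow
2016-05-10T09:01:24 host=ws-22 stage=spam_email action=allow
2016-05-10T09:05:13 host=ws-22 stage=link_visit action=block
""".splitlines()
```

`assess(SAMPLE_LOG)` reports ws-17 as breached with three layers bypassed and ws-22 as contained by Web Filtering; a host that drops malware with no later block or callback is flagged as a sandbox candidate.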
Threat intelligence – Fortiguard Labs one of the largest Threat research groups in the world. Leader of Zero-day discoveries.
How the fabric works
In fact, organizations looking to take a coordinated approach to combating advanced threats benefit from NSS Labs Recommended components including:
FortiGate as NGFW and NGIPS in the data center and at the edge
FortiWeb in front of external-facing web servers that often serve as entry points to the network
FortiClient for Enterprise Endpoint Protection covering users on and off the network
FortiSandbox for continuous analysis of seemingly benign objects and sites to detect the most sophisticated attacks that might slip through your defenses.
Security Fabric – Peer-to-peer communication between nodes. Sandbox & FortiGuard Labs provide the highest levels of protection possible.