Cyber Security Background and Context Prepared for the CAR MBS
CJ Dietzman, Principal HPE Enterprise Security Services August 3rd, 2016
Agenda Welcome & Introduction
Cyber Security Background & Context Cyber Risk Report 2016 – Key Findings and Observations
Cyber Threat & Risk Analysis
CJ Dietzman, CISSP, CISA Principal, Enterprise Security Services
• Over 15 years of front-line experience working in professional services within the domains of Cyber Security, Risk, Compliance, and Control
• Industry expertise includes Manufacturing, Hi-Tech, Financial Services, Retail, and Consumer Products
[email protected] M +1 203 810 7279
Cyber Security climate in today’s business environment
Automotive Industry Cyber Threat Universe
Advanced Malware
Supply Chain / Third Parties
Trojans
Phishing
Malicious Insiders
Ransomware
Negligent Employees
Application Attacks
10X increase in security vulnerabilities
146 median number of days attackers are present before being detected
44% of all data breaches involve third-party mistakes
56% of executives say their response to security is reactive, not proactive
46 days average time it takes to remove an attacker from an environment once discovered
HPE Cyber Risk Report 2016
Access the full report here: www.hpe.com/software/cyberrisk
2015 – “The Year of Collateral Damage”
If 2014 was the Year of the Breach, then 2015 was the Year of Collateral Damage.
United States Office of Personnel Management (OPM)
• Targets of the breach may be people who never themselves consented to inclusion in the OPM database.
Ashley Madison
• Personal information easily deduced from revealed data.
These example breaches affected those who never had direct contact with either entity, or whose information resided in their networks only as it related to someone else.
Shifting focus of Cyber Attacks
For the first time our research looks into the world of incident responders in the enterprise and found that many organizations are:
• Not keeping pace with attacker trends, including direct attacks on the systems on which enterprises rely.
• Unaware adversaries are taking excellent advantage of technologies enterprises have put in place to serve their customers.
Advanced Malware
Trojans
Ransomware
Application Attacks
Only by learning to treat applications as security entities/devices can defenders hope to adapt to the new adversary landscape.
Overreaching regulations push research underground Emerging legislation often incurs unwanted consequences to go along with the intended result. While the intent to protect from attack is apparent, the implications of these rules push legitimate security research underground, available only to those denizens who dwell there. Example:
Wassenaar Arrangement: Export Controls for Conventional Arms and Dual-Use Goods and Technologies
Amendments for Information Security: the 2013 Amendment added security systems to the scope – including intrusion software, in addition to an incredibly broad set of controls.
Undesirable consequences: the Amendment would make much of today’s defensive cybersecurity research untenable—if not criminal—under the revision. The outcry from the community is swaying the decision to implement the amendment.
To be effective, regulations impacting security must protect and encourage research that benefits everyone
Political pressures attempt to decouple privacy and security efforts
A difficult and violent year on the global scene combined with lingering distrust of tech initiatives:
• Revelations by Edward Snowden and other whistleblowers led to a fraught year for data privacy, encryption, and surveillance worldwide.
• Lawmakers in the US, UK, and elsewhere claimed that security was only possible if fundamental rights of privacy and due process were abridged.
• This is not the first time that legislators have agitated to abridge privacy rights in the name of “security.”
Those evaluating the security of their enterprises would do well to monitor government efforts such as adding “backdoors” to encryption and other security tools.
The industry learned nothing about patching in 2015
Applying patches in an enterprise is not trivial and can be costly—especially when other problems occur as a result. Software vendors must earn back the trust of users to help restore faith in automatic updates.
Top 10 vulnerabilities exploited in 2015
The most exploited bug from 2014 happened to be the most exploited bug in 2015 as well, and it’s now over five years old.
Evolution of the vulnerability market
• The white market has had a tremendous positive effect in securing the landscape by bringing researchers and vendors together and setting the standard for coordinated disclosure.
• We expect the vulnerability market will continue to evolve as more and more vendors announce their own programs to incentivize research.
• We also expect regulations and legislation to impact the nature of disclosure, and not necessarily in a positive manner.
It is in all of our best interest to continue to find and disclose security bugs in popular software so vendors can fix things in a timely manner.
Evolution of the vulnerability market (cont’d)
Timeline of notable bug-bounty programs, 1995-2015
Zero Day Initiative core principles
Automotive Industry Cyber Security
Where to begin? Where to focus?
Threat Intelligence
Product Security (Connected Car/IOT)
Security Operations
Advanced Security Architecture
Governance, Risk, and Compliance
Security Strategy
Policies & Standards
Security Awareness & Training
Threat & Vulnerability Management
Third Party Risk Management
Application Security
Cloud Security
Ongoing Security Monitoring and Testing
Data Protection
Identity & Access Management
Security Information & Event Monitoring (SIEM)
Cyber Resilience
Endpoint Protection
All are valid Security endeavors… …but what are the right priorities now for your organization?
ANSWER: It depends…let’s first focus on identifying and assessing your organization’s Cyber Threats & Risks
What are the real Cyber Threats facing your organization today?
Align your Security Program priorities with the Threats and Risks that are most relevant to your organization
Cyber Threats represent significant risks across industry sectors
─ High-profile Cyber Attacks focused on disrupting business operations are driving the need for a more holistic approach to Cyber Resilience
─ Cyber Criminals continue to target Personally Identifiable Information (PII) and other data of value, often leveraging multiple simultaneous attack methods
Cyber Threat & Risk Assessment
─ Rapid adoption of the New Style of Business and IT, including Cloud and Big Data technologies, must be coupled with integrated Security Architecture and Controls in order to mitigate Cyber Risk
─ Government agencies such as the Federal Trade Commission (FTC) and State Attorneys General continue to bring cases and actions against organizations across industry sectors related to Data Breaches that impact Consumer Privacy
─ Boards and Executive Leadership demand effective Security despite constrained resources and budgets
How can Enterprise Security Services help you?
HPE’s methodology of proven best practices, including our Cyber Reference Architecture, allows us to assist clients in identifying the Cyber Threats that are most relevant to the organization, enabling a more impactful approach to managing and mitigating Cyber Security Risks:
─ Enterprise Threat Assessment, identifying the Cyber Threats most likely to impact the organization
─ Analysis and optimization of current Cyber-capabilities, in the context of organizational Cyber Threats
─ Development and implementation of a holistic Cyber Security Strategy
─ Enhancement of existing Security Architecture and Controls to more effectively manage Cyber Risk
─ Transformation of organizational Cyber Security posture through the effective integration of Security Governance, Policies, Standards, Controls, Awareness, and Tools
Conclusion
In the coming years, the complexities of legislation and international events will have a greater impact in the realms of security and privacy. Network defenders need to understand the complexities of privacy issues as thoroughly as they understand the impact of security vulnerabilities. Instead of symmetric responses to threats, tomorrow’s network defender must understand how to respond asymmetrically to threats through automated analysis, wide-reaching fixes, and a community-based defense.
While the threat of cyberattack is unlikely to go away, thoughtful planning can continue to increase both the physical and intellectual price an attacker must pay to successfully exploit an enterprise. Start by using the information in the 2016 Cyber Risk Report to better understand the threat landscape, and to best deploy your resources to minimize security risk.
Access the full report here: www.hpe.com/software/cyberrisk
Thank You CJ Dietzman, CISSP, CISA Principal, Security Consulting, Americas Enterprise Security Services
[email protected] M +1 203 810 7279 Hewlett Packard Enterprise