Cyber Preparedness
1. Cyber Preparedness
A Proactive Response to Infiltration
Colin McKinty
Vice President, Cyber Strategy for the Americas
[email protected]
April 2016
1 | Copyright © 2015 BAE Systems. All Rights Reserved.
BAE Systems is a trade mark of BAE Systems plc
2. Cyber Preparedness
How To Get Started
Take A Proactive Stance
Be Ready to Respond
4. Where Does Cyber Preparedness Begin?
Technology?
Security team?
Processes?
5. It starts with The Board.
It is driven by a culture where cyber risk is addressed as part of operational risk.
6. Why Should They Care?
7. The Obvious
8. Reducing Risk. Enables Growth.
9. Cyber Preparedness
How To Get Started
Take A Proactive Stance
Be Ready to Respond
10. A fire started in a NJ home last year
• A driver saw the fire and banged on the front door until someone answered
• The alarms went off -- afterward
• The family inside escaped
• Firemen eventually got control
• Happy ending … but what if the driver did not stop?
• Also, almost one year later, reconstruction is just starting
11. Effective Smoke Detection
• Consider where you replace them
• Ensure the batteries work
• Monitor and maintain
12. Have a Plan for When the Alarm Goes Off
Think of this as Incident Response.
The value of knowing someone is looking after you … ready to bang on your door when fire starts.
13. What if there’s a “fire” in your network?
• What if the alarms don’t go off right away or if you don’t have the right alarms in place?
• What kind of damage could that do if your business took a year to get back to normal?
• Also, consider the scenario where your entire operation “burns to the ground”
14. Hierarchy of Security Needs
To be fully prepared and avoid disasters:
• Detect new, hidden threats
• Effectively and efficiently respond
• Reduce the time & resources required in the detection to resolution phase
15. Prevention: Still Important
16. Balancing Spend Allocations
Prevention
Detection
Response
17. The ability to respond to an incident is only as good as an organization’s ability to … detect the incident.
18. Detection
Why It’s Challenging
• Too many bad guys/attacks
• Bad guys don’t want to be found
• Attacks take new forms every day
• Sophisticated APT and targeted attacks routinely circumvent existing security defenses
• The longer they stay undetected, the greater the financial damage and sensitive data loss
19. Analytics Techniques
Detection techniques matched to the threat landscape they address. Rows are ordered by increasing risk, highest at the top:
• Anomaly Detection Analytics (unsupervised machine learning) -- New, unknown attacker techniques. Nation state, targeted attacks.
• Anomaly Detection Analytics + Behavioural Analytics (unsupervised machine learning) -- Known attacker techniques. Beaconing, watering hole etc.
• Anomaly Detection Analytics + Behavioural Analytics + Supervised machine learning -- Known attacker methods. Exploit kits, evolving malware strains, e.g. key loggers, browser clashes.
• Signatures; Rules -- Previously seen threat. Exact malware match, known bad end points.
20. Characteristics of Behavioral Analytics
• Potentially bad vs known bad
• Risk based vs binary
• Enduring vs brittle
• Time range vs point in time
• General vs specific case
21. Detection needs to be driven by a threat model
Analytics are categorised by ‘attack technique’. These are the stages an attacker has to go through to successfully complete a targeted attack on a network:
• Delivery -- Delivering malware on to the user’s machine via email, USB, web etc.
• Exploitation -- Exploiting a vulnerability to execute code on the user estate
• Installation -- Installing malware on the asset
• Command & Control -- Setting up a command channel for remote manipulation of the victim
• Action on Intent -- With access to the estate, the attacker can accomplish their original goal
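The three detection layers of slide 19, the risk-based (not binary) output of slide 20 and the stage labels of slide 21 can be seen together on a small set of connection-log lines. The following is an added example written for this page, not code from the BAE Systems deck or any BAE product: the log format, host names, addresses, byte counts, the "known bad" list and the thresholds are all constructed, and the mapping of each detection to a kill-chain stage is an assumption made for illustration.

```python
"""
Added example (not part of the BAE Systems deck). Three detection layers from
slide 19 run over constructed connection-log lines. Each alert carries a risk
score in (0, 1] rather than a yes/no verdict (slide 20) and the kill-chain
stage from slide 21 that it evidences (an assumed mapping).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "timestamp host dest_ip bytes_out" per line.
# ws-01 contacts one address every 600 s (beaconing), ws-02 touches a
# listed address once, ws-03 makes a single unusually large transfer.
SAMPLE_LOG = """\
1000 ws-01 203.0.113.9 512
1600 ws-01 203.0.113.9 510
2200 ws-01 203.0.113.9 515
2800 ws-01 203.0.113.9 511
3400 ws-01 203.0.113.9 514
1010 ws-02 198.51.100.20 2048
1900 ws-02 198.51.100.7 1024
2500 ws-02 192.0.2.44 900
3300 ws-02 198.51.100.20 1800
1005 ws-03 198.51.100.7 750
2200 ws-03 203.0.113.77 98000
"""

# Constructed stand-in for a threat-intel feed of known bad end points.
KNOWN_BAD_ENDPOINTS = {"192.0.2.44"}


def parse_log(text):
    """Parse lines into (timestamp, host, dest, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            events.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return sorted(events)


def signature_layer(events):
    """Signatures/rules: exact match against a known-bad list (previously seen threat only)."""
    return [{"host": host, "technique": "signature", "stage": "Command & Control", "score": 1.0,
             "detail": f"{dest} is on the known-bad list at t={ts}"}
            for ts, host, dest, _ in events if dest in KNOWN_BAD_ENDPOINTS]


def beaconing_layer(events, min_connections=4, max_jitter=0.1):
    """Behavioural analytics: a known attacker technique (beaconing) with no known IoC.
    Flags host->dest pairs whose connection intervals are nearly constant; the score
    falls as the interval jitter rises, so the output is a risk rather than a verdict."""
    by_pair = defaultdict(list)
    for ts, host, dest, _ in events:
        by_pair[(host, dest)].append(ts)
    alerts = []
    for (host, dest), times in by_pair.items():
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps)  # coefficient of variation of the interval
        if jitter <= max_jitter:
            alerts.append({"host": host, "technique": "behavioural", "stage": "Command & Control",
                           "score": round(1.0 - jitter / max_jitter, 2),
                           "detail": f"{len(times)} connections to {dest} every ~{mean(gaps):.0f}s"})
    return alerts


def anomaly_layer(events, z_threshold=2.0):
    """Anomaly detection: no prior knowledge of the technique. Flags outbound transfers
    that are statistical outliers against the estate-wide baseline of transfer sizes."""
    sizes = [size for _, _, _, size in events]
    if len(sizes) < 2 or pstdev(sizes) == 0:
        return []
    baseline, spread = mean(sizes), pstdev(sizes)
    alerts = []
    for ts, host, dest, size in events:
        z = (size - baseline) / spread
        if z > z_threshold:
            alerts.append({"host": host, "technique": "anomaly", "stage": "Action on Intent",
                           "score": round(min(1.0, (z - z_threshold) / z_threshold), 2),
                           "detail": f"{size} bytes to {dest} at t={ts} (z={z:.2f})"})
    return alerts


def run_detections(text):
    """Run all three layers over the log text and return the combined alert list."""
    events = parse_log(text)
    return signature_layer(events) + beaconing_layer(events) + anomaly_layer(events)


def rank_hosts(alerts):
    """Reduce alerts to a per-host risk ranking (highest score first) for triage."""
    best = defaultdict(float)
    for a in alerts:
        best[a["host"]] = max(best[a["host"]], a["score"])
    return sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = run_detections(SAMPLE_LOG)
    for a in found:
        print(f"{a['host']:6} {a['technique']:11} {a['stage']:18} risk={a['score']:.2f}  {a['detail']}")
    print("triage order:", rank_hosts(found))
```

The signature layer catches only what is already on a list; the beaconing layer needs several connections over a time range before it can say anything, which is the "time range vs point in time" trade-off of slide 20; the anomaly layer needs no prior knowledge at all but produces the least specific alert. Running the script prints one alert per host and the triage order that results.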
22. Cyber Preparedness
How To Get Started
Take A Proactive Stance
Be Ready to Respond
23. Response
24. Having proper analysis capabilities requires both trained personnel and the proper tools to perform the analysis.
25. A PLAN vs A FRAMEWORK
"No plan of operations extends with certainty beyond the first encounter with the enemy's main strength"
-- Helmuth Karl Bernhard Graf von Moltke
26. FRAMEWORK
• Authority and Scope
• Team Members and Responsibilities
• Logistics
• Process to determine severity and escalation
• Post-Incident Activities
• Supporting Documentation
27. The most critical component in any Incident Response Practice … Authority and backing from executive management.
28. IR Team
• Primary team
• Extended team
• Third parties
29. Primary
• Security Team
• IR Lead
• Operations Team
• Service Desk Team
30. Extended
• Executives
• Legal
• Communications
• Human Resources
• Compliance
• Physical Security
31. 3rd Parties
• Outsourced IT (help desk, server support)
• Forensic Firms
• ISPs
• Legal Counsel
• Law Enforcement
• Public Relations Teams
32. LOGISTICS
• E-Mail Distro / Call bridge for communication
• War Room
• Computing equipment
• Evidence Locker
Often overlooked items:
• Succession of Command
• Catering
• Shipment of Evidence
• OpTempo
33. Testing Incident Response
• High Level Audit
• Objective Based Assessment
• Table top Exercise
• War Game
34. Cyber Preparedness – Key Takeaways
• Begins With Preparedness Culture
• Balancing Act; Varied Techniques
• Turn IR Plan Into an IR Framework
35. Thank You
36. Q&A
37. BAE Systems
Surrey Research Park
Guildford
Surrey
GU2 7YP
United Kingdom
T: +44 (0)1483 816000
F: +44 (0)1483 816144
Unpublished Work Copyright © 2015 BAE Systems. All Rights Reserved.
BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc.
The information in this document contains proprietary information of BAE Systems. Neither this document nor any of the proprietary information contained therein shall be (in whole or in part) published, reproduced, disclosed, adapted, displayed, used or otherwise made available or accessible (in each case, in any form or by any means) outside of BAE Systems without the express written consent from the document originator or an approved representative of BAE Systems.
BAE Systems Applied Intelligence Limited registered in England and Wales Company No. 1337451 with its registered office at Surrey Research Park, Guildford, England, GU2 7YP.
38. FREEDOM OF INFORMATION ACT
This document (<projectreference><documentnumber>) contains confidential and commercially sensitive material which is provided for the Authority’s internal use only and is not intended for general dissemination.
The information contained herein pertains to bodies dealing with security, national security and/or defence matters that would be exempt under Sections 23, 24 and 26 of the Freedom of Information Act 2000 (FOIA). It also consists of information which describes our methodologies, processes and commercial arrangements all of which would be exempt from disclosure under Sections 41 and 43 of the Act.
Should the Authority receive any request for disclosure of the information provided in this document, the Authority is requested to notify BAE Systems Applied Intelligence. BAE Systems Applied Intelligence shall provide every assistance to the Authority in complying with its obligations under the Act.
BAE Systems Applied Intelligence’s point of contact for FOIA requests is:
Chief Counsel
Legal Department
BAE Systems Applied Intelligence
Surrey Research Park
Guildford GU2 7YP
Telephone 01483 816082