https://www.csiac.

org/

Securing Your Company for Today’s Cyber War:

A Three-Pronged Approach to a Comprehensive IT
Security Strategy

Today’s Presenter:
Peter Allor
IBM Security, Senior Cyber Security Strategist
March 30, 2016
Moderator:
Steve Warzala
swarzala@quanterion.com
© 2016 IBM Corporation 1
 Securing Your Company for
Today’s Cyber War:
Three-Pronged Approach to a Comprehensive
IT Security Strategy
Peter Allor
Senior Security Strategist,
Project Manager, Disclosures
IBM Security

March 30, 2016

© 2016 IBM Corporation

Agenda

 Not prepared for Cyber War – it is war

 Make a security strategy your own

 Visibility of your operations, partners and vendors – know who is on your

network, what they are running and how they are configured

 Adopt Security Intelligence / Situational Awareness – it is about

integration, visibility and system feedback

© 2016 IBM Corporation 3

IBM Security has global reach

IBM Security by the Numbers

+ +
monitored countries (MSS) endpoints protected
+ +
service delivery experts events managed per day

© 2016 IBM Corporation 4

IBM X-Force monitors and analyzes the changing threat
landscape

20,000+ devices 25B+ analyzed

under contract web pages and images

15B+ events 12M+ spam and

managed per day phishing attacks daily

133 monitored 96K+ documented

countries (MSS) vulnerabilities

3,000+ security 860K+ malicious

related patents IP addresses

270M+ endpoints Millions of unique

reporting malware malware samples

© 2016 IBM Corporation 5

 We are not prepared for Cyber
War – and it is Economic war now

© 2016 IBM Corporation

(Photo: Shutterstock/Andrey Armyagov) © 2016 IBM Corporation 7
Key Trends from 2015

8 © 2016 IBM Corporation 8

CISOs face a shortage of skills, lack of metrics and strategy

Security Maturity
Board of
Directors

Stakeholders

Compliance
Mandates

Industry
Standards

49%
of IT executives have no measure
of security effectiveness
2012 Forrester Research Study
31%
of IT professionals
83%
of enterprises have difficulty finding
have no risk strategy the security skills they need
2013 Global Reputational Risk & IT Study, IBM 2012 ESG Research

© 2016 IBM Corporation 9

 Attacks are focusing on higher value data targets

2013 2014 2015

800,000,000+ records 1,000,000,000 records Healthcare mega-breaches
breached, with no signs of breached, while CISOs cite increasing set the trend for high value targets of
decreasing in the future risks from external threats sensitive information

Source: IBM X-Force Threat Intelligence Report - 2016

© 2016 IBM Corporation 10

(Photo: Shutterstoc/pichetw) © 2016 IBM Corporation 11
Highly regulated industries have the highest per-record data breach
costs

$359
Healthcare
$294
Education
$227
Pharmaceutical
$206
Financial

$155
Consumer
$141
Energy
$122
Hospitality
$105
Retail

*Currencies converted to US dollars

Source: 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, sponsored by IBM

© 2016 IBM Corporation 12

Why do Breaches Happen?

Vulnerabilities Malware

 Configuration Errors
 “Weak” defaults  Installing suspect
 Easy passwords applications
 Clicking malicious
 “Bugs” links
 Input validation
 Phishing Emails
 Watering Hole attacks

Source: IBM Security Services 2013 Cyber Security Intelligence Index

© 2016 IBM Corporation 13

Overlay malware on the mobile operating system is what web
injections are to the PC
Mobile overlay malware offers a one-stop shop for blackhats
– Works with bank apps and other applications that use HTML/JS injections
– Enable credential collection

© 2016 IBM Corporation 14

 2015 brought X-Force the highest annual number of disclosed
vulnerabilities recorded in our database

Source: IBM X-Force Threat Intelligence Report - 2016

© 2016 IBM Corporation 15

 Many organizations do not sufficiently monitor published
vulnerabilities that may affect the technology protecting their data

Reasons could be:

 They don’t know all the sources of their
data because they lack an asset
inventory.
 They don’t understand how critical their
vulnerabilities are or the danger they
pose to effectively supporting and
growing the business.
 They intend to do a vulnerability scan to
identify risks and remediate
vulnerabilities, but, lacking an
understanding of the risks, they never
get around to taking action.

Source: IBM X-Force Threat Intelligence Report - 2016

© 2016 IBM Corporation 16

 Make Security Strategy Your Own–
Know your Risks

Protect

© 2016 IBM Corporation

Security leaders are more accountable than ever before

CEO CFO/COO CIO CHRO CMO

Loss of market Audit failure Loss of data Violation of Loss of

share and confidentiality, employee privacy customer trust
reputation Fines and integrity and/or
criminal charges availability Violation of Loss of brand
Legal exposure customer privacy reputation
Financial loss

Your board and CEO demand a strategy

Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series

© 2016 IBM Corporation 18

Questions CISO Want to be Able to Answer…

© 2016 IBM Corporation 19

The 2014 U.S. State of Cybercrime Survey

The survey identified eight common deficiencies where spending and efforts lag:
1. Most organizations do not take a strategic approach to cybersecurity spending
2. Organizations do not assess security capabilities of third-party providers
3. Supply chain risks are not understood or adequately assessed
4. Security for mobile devices is inadequate and has elevated risks
5. Cyber risks are not sufficiently assessed
6. Organizations do not collaborate to share intelligence on threats and responses
7. Insider threats are not sufficiently addressed
8. Employee training and awareness is very effective at deterring and responding to
incidents, yet it is lacking at most organizations

http://www.pwc.com/us/en/increasing-it-effectiveness/publications/2014-us-state-of-cybercrime.jhtml
Co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC,
and the US Secret Service, March-April 2014

© 2016 IBM Corporation 20

Executive Order 13636:
Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of
the Nation’s critical infrastructure and to maintain a cyber environment that
encourages efficiency, innovation, and economic prosperity while promoting
safety, security, business confidentiality, privacy, and civil liberties”
President Barack Obama
Executive Order 13636, Feb. 12, 2013

• The National Institute of Standards and Technology (NIST) was directed to work with
stakeholders to develop a voluntary framework for reducing cyber risks to critical
infrastructure
• Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for
future work
• NIST is already reviewing the Framework for revisions (if required). Meeting April 6-7

21
© 2016 IBM Corporation 21
 Security Risk Framework Maturity Cycle
IBM Security Framework
NIST Security Framework
Core Function

Identify

Protect
DOMAIN
Detect

Respond

Recover
SECTORAL
PROCESS (Compliance)

No formal strategy

SMART
ORGANIZATIONAL
ARCHITECTURE

Period review and assessment

© 2016 IBM Corporation 22

Characteristics of Organizational Frameworks
Base characteristics
 Generally uses portions of process,
domain and sector frameworks
 Based on the organization’s business
environment and conditions
 Based on evaluations from lines of
business / operations, executives,
auditors and Board of Directors
 Amends plans based on resources,
changing conditions, and new
information
 Commonly adopts a customized,
organization-based framework based
on multiple types
Meets NIST and domain guidelines and Federal, State mandates
Approach to risk
 Special attention to a limited number of
specific approaches for addressing risk
and measuring the effectiveness of
protection
 Sets the risks, priorities, and risk
tolerances for cybersecurity and
Information Technology in support of
the enterprise
 Examines in even greater detail the
overall risk the enterprise faces
– Determines its unique security
requirements
– Ensures capabilities are in place to
provide the necessary security
– Aligns requirements and technologies with
its internal policies and processes
© 2016 IBM Corporation 23
Security frameworks and risk-management strategies address

Evolving Including the growing sophistication of threats, new attack

threats methods, and adaptations to technologies or delivery methods

Including evolving lines of business, acquisitions, mergers, the

Changing
integration of operations, and the addition or elimination of
business needs
business functions

Including changes in business profitability, the market for the

Volatile
organization’s goods or services, national and international
economics
economic trends, or wholesale currency changes

Increasing Including changes and additions to regulation and compliance

regulation requirements, locally, nationally or internationally

Technology and Including adding new or removing existing technologies, or

process changes implementing a bring-your-own-device (BYOD) program

Geographic and Including moving to a new location or having data-center or cloud

facilities changes services added from another area

© 2016 IBM Corporation 24

Map your Security to the NIST Framework

© 2016 IBM Corporation 25

Map your Security to the NIST Framework

© 2016 IBM Corporation 26

 Security Intelligence –
Situational Awareness

Detect

© 2016 IBM Corporation

Security Strategy – addresses…..

SECURITY Advanced Mobile and Compliance Skills

Cloud
TRENDS Threats Internet of Things Mandates Shortage

Strategy, Risk and Compliance Cybersecurity Assessment and Response

Security Intelligence and Operations

Advanced Identity Network, Mobile

Data Application
Fraud and Access and Endpoint
Security Security
Protection Management Protection

Advanced Threat and Security Research

DELIVERY Management Systems Integrated Security Managed Partner

MODELS Consulting Integration Products as a Service Security Ecosystem

© 2016 IBM Corporation 28

Situational Awareness – CDM

• Uncovers the weaknesses

Discovery • Daily vulnerability and missing patches
and • Proven, certified scanning
Verification • Endpoints, assets, device configuration
• Passive and active discovery

• What assets are important ?

Intelligent
• Where are the threats ?
Context
• Who is talking to who ?
Driven
• What is blocked and patched already ?
Prioritization
• What is out of compliance ?

Automatic • Who needs to action

Delegation • What needs to be done
and •Missing patch updates
Assignments •Signatures
•Configuration changes

• What needs escalation

Reporting
• What is in and out of compliance
and
• Dashboards and reports
Alerting
• APIs

© 2016 IBM Corporation 29

 Integrate your organization’s
operations and security leaders

Respond

© 2016 IBM Corporation

IBM CISO Assessment – 2012
Frameworks rely on the CISO having Stakeholder Participation

© 2016 IBM Corporation 31

Reaching security maturity – how to map your way there

Security Intelligence
Predictive Analytics, Big Data Workbench, Flow Analytics
SIEM and Vulnerability Management
Log Management

Advanced Fraud Protection

People Data Applications Infrastructure

Identity governance
Multi-faceted
Fine-grained Data governance Fraud detection network protection
entitlements Encryption key Hybrid scanning
Optimized Anomaly detection
Privileged user management and correlation
Hardened
management

Data masking / redaction Virtualization security

User provisioning
Database activity Web application protection Asset management
Proficient Access management
monitoring Source code scanning Endpoint / network
Strong authentication
Data loss prevention security management

Perimeter security
Directory Encryption Application
Basic Host security
management Database access control scanning
Anti-virus

13-09-17
© 2016 IBM Corporation 32
Many of the incidents we’ve seen could be avoided with a focus on
security basics

Instrument your environment with effective detection

Keep up with threat intelligence

Maintain a current and accurate asset inventory

Maintain an identity governance practice to audit and enforce access rules and
permissions

Have a patching solution that covers your entire infrastructure

Implement mitigating controls

Create and practice a broad incident response plan

© 2016 IBM Corporation 33

Focus on critical points in the attack chain with preemptive defenses
on both the endpoint and network

Prevent Prevent Prevent

malware installs control channels credential loss
ENDPOINT

• Verify the state of • Stop direct outbound • Block keyloggers

applications malware • Stop credential use
• Block exploit attempts communications on phishing sites
used to deliver malware • Protect against process • Limit reuse of
hijacking passwords

Exploit Disruption Malware Quarantine User Protection

Prevent Prevent Prevent

mutated exploits active beaconing malicious apps
NETWORK

• Verify the state of • Stop malware and • Block access to

network protocols botnet control traffic malicious websites
• Block unknown exploits with real-time reputation • Protect against web
with behavioral and SSL inspection application misuse
heuristics

On the Endpoint On the Network

Trusteer Apex Malware Protection IBM Security Network Protection XGS

© 2016 IBM Corporation 34

Network administrators can take a few basic steps to fend off
malicious spam attachments

Keep your spam and virus filters up to date.

Block executable attachments. In regular business

environments it is unusual to send executable attachments.

Most spam filters can be configured to block executable files

even when they are within zip attachments.

Use mail client software that allows disabling automatic

rendering of attachments and graphics, and preloading of
links—and then disable them.

Educate users on potential danger of spam, and actions to

take

© 2016 IBM Corporation 35

(Photo: Shutterstoc/pichetw) © 2016 IBM Corporation 36
Every breach requires a plan of action

Forensic analytics can provide the insights to understand what is happening in the
network and what steps are necessary to prevent threats.

Full Packet Capture

• Capture packets off the network
• Include other, related structured and unstructured content stored
within the network

Retrieval & Session Reconstruction

• For a selected security incident, retrieve all the packets (time
bounded)
• Re-assemble into searchable documents including full payload
displayed in original form

Forensics Activity
• Navigate to uncover knowledge of threats
• Switch search criteria to see hidden relationships

© 2016 IBM Corporation 37

Reconstruction enables organizations to view recorded
network transactions in formats tailored for human
consumption

Traffic
Different types of reconstruction:
Capture
• Web page
• Chat
• Social networking
• Webmail
• Blogging
• File transfers
• File attachments
• File metadata
• File flows (attached executables,
JavaScript, macros, redirects)

© 2016 IBM Corporation 38

What can you do to mitigate these threats?

Keep up with threat intelligence

Maintain a current and accurate asset inventory

Have a patching solution that covers your entire

infrastructure

Implement mitigating controls

Instrument your environment with effective

detection

Create and practice a broad incident response

plan

© 2016 IBM Corporation 39

© 2016 IBM Corporation 40
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.