NSI / Rook Security Lunch & Learn: Proactive Security October 27-29, 2015

"Securing Your Data... Wherever It Is" from Rook Security's Mike Patterson


Page 1: "Securing Your Data... Wherever It Is" from Rook Security's Mike Patterson

NSI / Rook Security Lunch & Learn: Proactive Security, October 27-29, 2015

Page 2

// What We’ll Discuss

■ Intro
■ Disclaimers and Promises
■ Proactive Security
■ Group Participation
■ Supply Chain
■ Hacker Communications and Dark Web
■ Wrap Up / Q&A

Page 3

// Who I am...

Mike Patterson is the Vice President, Strategy at Rook Security, an IT Security firm providing security strategy, crisis management, and next generation security operations services. Prior to Rook, Mike spent 2+ years as a strategy consultant at Monitor Group, a top-tier management consulting firm, where he advised on a number of projects ranging from market entry strategy for HIV medications for a large pharmaceutical company to market selection support for a large chemical company. After Monitor, Mike spent over six years inside the sales organization of Turner Broadcasting in a variety of capacities and was one of the few individuals to have represented all Turner brands by the time he left in 2013 to join Rook.

In addition to being responsible for many of Rook’s special projects, Mike’s area of expertise lies at the intersection of financial planning, internal strategy, sales operations and pricing. Mike has an undergraduate degree in Finance and Marketing from the Tippie School of Business at The University of Iowa and was a Hawkinson Scholar. He lives in Chicago with his wife and enjoys running, reading and competing in various strategy games, especially poker, chess and backgammon.

Page 4

// I work for Rook Security

Page 5

// Disclaimers and Promises

■ Disclaimers:
  ○ This advice is free - it does not come with guarantees. Use at your discretion...
  ○ I am a company officer, not a full-time security operations professional. I have my technical limits.
  ○ If I can’t answer something, follow up with me and I will find someone at Rook who can.
  ○ I focus on presentation content...not transitions and fancy clip art / visuals...

■ Promises:
  ○ I will not sell you anything
  ○ I will not pitch you anything
  ○ I will tell you how it is and what we see

Page 6

// Proactive Security

■ In a nutshell, this is everything you can do to improve your security and mitigate your chances of an incident originating from beyond your immediate network.
  ○ Don’t look this up in Webster’s...it’s not an official definition.
■ Many traditional technologies sit at the perimeter or monitor for intrusion, but they have their limits
■ There are many other ways to take security into your own hands, but time is precious...
■ So...let’s look at two use cases today:
  ○ Supply chain
  ○ Hacker communications and dark web

Page 7

// Group Participation

■ Where outside of your organization does your sensitive data reside?
  ○ PII, IP, financials, customer data, credentials...

Page 8

// Group Participation

■ Let’s see what the survey says…
■ Here’s a starting list:
  ○ Law firms
  ○ Accounting firms
  ○ Banks
  ○ Marketing services firms
  ○ Cloud-based providers
  ○ Outsourced printing partners
  ○ Contract manufacturers
  ○ Payroll services
  ○ Credit bureaus
  ○ Data mining organizations
  ○ Et al.

Page 9

// Group Participation

■ Here’s where counsel and risk officers smack their heads…

■ At which of those locations have you done the following?
  ○ Asked about their security capabilities?
  ○ Made them document details of their security program and provide third-party (3P) audits / assessments of their organization (SSAE16, NIST, ISO, etc.)?
  ○ Actually done a review / assessment of what they claim to be doing?
  ○ Reviewed their capabilities and progress annually?
  ○ Followed an onboarding process for these partners that involved IT?

■ Do your existing technologies monitor these locations? How about your people and processes?

Page 10

// Supply Chain Risk

■ Supply chain risk has been behind some damaging breaches:
  ○ Target (HVAC contractor)
  ○ BHP Billiton and Potash Corp. hostile takeover (7 law firms targeted)
  ○ T-Mobile (Experian)

■ 80% of breaches allegedly start in the supply chain

■ How to get started addressing this?

Page 11

// Supply Chain Risk - How to Mitigate

■ Insert the IT organization into the onboarding process for new vendors, especially those getting key data
■ New vendors should document their security capabilities before doing business with the company
■ Consider investing in assessments of key partners
  ○ Risk-based approach:
    ■ Cloud-based application hosting financial data for a public company
    ■ Law firm reviewing your new office lease
■ Look for clients who perform regular audits against standards such as SSAE16, ISO, NIST, but evidence of any security plan can be effective.
■ Trust but verify.
■ Build security reviews and a breach notification protocol into your MSAs
■ Regularly review and push your partners for answers on how they will secure your data...they should be prepared for and used to this. If they aren’t, I would suggest that you tread lightly.

Page 12

// Side Note on Supply Chain Risk - When the Shoe is on the Other Foot

■ If you can audit your downstream partners, your upstream partners can certainly audit you!
■ Consider:
  ○ Building a playbook of answers to common questions and communicating these to your partners
  ○ Investing in your security program and using it as a competitive advantage and differentiating point

Page 13

// Hacker Communications and Dark Web

■ First, a Dark Web “Definition”: area of the internet not commonly viewable by search engines. Hidden sites, and hidden by design.
  ○ Requires a special browser to navigate
  ○ Lots of shady and illegal activity
  ○ As Gollum would say in LOTR: “Very nasty place. Full of...enemies.”

■ Information on targets is frequently exchanged and traded, whether by contract or via publicly available pastes of data that can be used for new attacks
  ○ Think of the Ashley Madison attack - the list of customers was first shared across the dark web, then became publicly searchable on the common internet.
  ○ However, the public only sees a small number of the breached databases posted to the dark web. Many companies never know they have been breached and have their information floating across the dark web.

■ However, many successful breaches can have their breadcrumbs traced back to the dark web: initial venting and organizing of crowd-sourced attacks, attack recon, pastes of exfiltrated data, etc.

■ Knowing hackers are targeting you or have compromised you can greatly aid your response time

Evan Yaninek
Deep vs. dark web. The deep web is not necessarily hidden by design; the dark web is defined as the portion of the internet that is intentionally hidden from search engines, uses masked IP addresses, and is only accessible with a special browser. The deep web is defined as the 'portion of the internet that is hidden from conventional search engines, as by encryption; the aggregate of unindexed websites'.

Page 14

// What to Do

Start an open source intelligence program:

■ Easy
  ○ Start Google Alerts on your assets, domains, etc.
    ■ Examples: Acme + Sweatshop, [email protected], Acme + Tangodown
  ○ Utilize Twitter monitoring tools like Tweetdeck
    ■ Examples: Acme DoS, Acme TangoDown, etc.
  ○ Anonymous may conduct much of their operations in the dark, but they are active in broadcasting their targets and victims. Follow their activity along with other hacker groups.

■ Intermediate
  ○ Leverage open source tools for paste-site monitoring
    ■ DumpMon (GitHub), Pastemon (GitHub), etc.

■ Advanced
  ○ Write custom monitoring tools
    ■ Allows for monitoring sites beyond most open source solutions
  ○ Build and maintain dossiers on attackers known to have an interest in your company, whether by intent or by past attacks waged against you
    ■ Operations, associates, IP addresses, malware, etc.
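As an added example (not from the slides or from Rook Security), here is the core of a custom monitor of the kind the "Advanced" bullet describes: it scans tweet and paste text for the brand-plus-attack-term pairs used as examples above, for the organization's own e-mail addresses, and for credential-dump-style "user@domain:secret" lines. "Acme", the acme.example domains and the sample feed are all constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed watchlist for a hypothetical company "Acme" (placeholders, not real assets).
ORG_DOMAINS = {"acme.example", "acme-corp.example"}
BRAND_TERMS = {"acme"}
# Attack-signalling terms, modelled on the slide's Google Alerts / Twitter examples.
ATTACK_TERMS = {"tangodown", "dos", "ddos", "sweatshop", "leak", "dump", "pwned", "#opacme"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")
# A whole line shaped like "user@domain:secret" is typical of a credential dump.
CRED_RE = re.compile(r"^[\w.+-]+@[\w.-]+:\S+$", re.M)

@dataclass
class Hit:
    source: str
    reasons: list = field(default_factory=list)
    org_emails: list = field(default_factory=list)
    credential_lines: int = 0

def scan_text(source, text):
    """Return a Hit if the text touches the org's assets, else None."""
    hit = Hit(source)
    # Org e-mail addresses mentioned anywhere (deduplicated, order preserved).
    for m in EMAIL_RE.finditer(text):
        if m.group(1).lower() in ORG_DOMAINS and m.group(0) not in hit.org_emails:
            hit.org_emails.append(m.group(0))
    if hit.org_emails:
        hit.reasons.append("org-email")
    # Credential-style lines whose mailbox belongs to one of the org's domains.
    hit.credential_lines = sum(
        1 for line in CRED_RE.findall(text)
        if line.split("@", 1)[1].split(":", 1)[0].lower() in ORG_DOMAINS)
    if hit.credential_lines:
        hit.reasons.append("credential-dump")
    # Brand name co-occurring with an attack term ("Acme TangoDown", "#OpAcme").
    words = set(re.findall(r"[#\w]+", text.lower()))
    if words & BRAND_TERMS and words & ATTACK_TERMS:
        hit.reasons.append("brand+attack-term")
    return hit if hit.reasons else None

def scan_feed(items):
    """Run scan_text over (source, text) pairs and keep only the hits."""
    return [h for h in (scan_text(s, t) for s, t in items) if h]

# Constructed sample feed: two tweets and one paste (invented for this example).
SAMPLE_FEED = [
    ("tweet-1", "Great quarter for Acme, shares up 3%"),
    ("tweet-2", "#OpAcme begins tonight. acme.example TangoDown"),
    ("paste-1", "bob@acme.example:Winter2015!\nalice@acme.example:hunter2\ncarol@other.example:letmein"),
]
```

Feeding real paste-site or Twitter output into scan_feed is left to the caller; the hit's reasons and counts are what an analyst would triage before escalating to incident response.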

Page 15

// Thank You and Q/A