Cyber Security: Vision, Strategy and Roadmap
Antonio Forzieri, EMEA Cyber Security Practice Lead
Cyber Security – Vision, Strategy and Roadmap
Slide 2: Agenda
1 Market Trends
2 Targeted attacks – how they work
3 Integrating Network and Endpoint Activity

Slide 3: Market Trends (VISION DUBAI 2014)

Slide 4: Cyber… It's all about perspective
“WE EXIST IN A HYPER CONNECTED AND COMPLEX WORLD”
“TRANSFORMING CONSUMER CYBERCRIME”
“CYBER IS MOVING UP THE BUSINESS RISK REGISTER”
“NATIONAL CYBER STRATEGIES & DATA PROTECTION LEGISLATION ARE GAINING SPEED”
“ATTACKERS ARE EXPLOITING THE SHIFTING LANDSCAPE”

Slide 5: IoT – A new platform for malicious actors?

Slide 6: What Drives the Modern Day Attacks?
Drivers: Hacktivism, Money, Espionage, Sabotage
Attack types shown: DDoS, Banking Trojan, Defacement, Extortion, Scam, Targeted Attacks

Slide 7: Cyber – A complex set of business & technical challenges
Cyber Risk Challenges:
• Business Sponsorship
• Requirements for Cyber Security
• Business ownership for competitive differentiation
• People & Process
• Evolving Technologies
Three dimensions (PEOPLE, PROCESS, TECHNOLOGY) against three themes: Data Governance, Security Architecture, Visibility & Agility.
We Need Better Intelligence to be Cyber Resilient.

Slide 8: Today's security approach needs to be REIMAGINED
CYBER SECURITY: THERE IS NO….

Slide 9: Organisations already have security controls, policies and processes in place. Some are better at Security than others.

Slide 10: MOST ARE FOCUSED ON ‘PREVENT’
• PREPARE: understand my security & risk posture
• PREVENT: protect company information from malicious attack and misuse
• DETECT & RESPOND: provide rapid detection and response to security incidents
• RECOVER: reduce time to recovery to maintain business continuity

Slide 11: HOW ALIGNED TO BUSINESS ARE WE?
Functional maturity levels, with increasing benefits and influence:
1 INITIAL: Reactive Mode. Respond to incidents and requests; transactional; IT NOT VALUED.
2 REPEATABLE: Awareness Mode. More view of the threat landscape; IT controls and infrastructure integrated in silos; IT seen as a COMMODITY.
3 DEFINED: Informed Mode. Measurable & auditable; security proactive, preventative, risk-based approach; IT seen as a TACTICAL resource.
4 MANAGED: Innovative Mode. More holistic and comprehensive; IT partnering and beginning to anticipate issues, looking for efficiencies; IT seen as a PARTNER.
5 OPTIMISED: Strategic Mode. Innovative offerings, business alignment, dynamic IT; IT seen as a TRUSTED ALLY.
Distribution shown on the slide: 19% (At Risk), 43%, 35%, 3%.

Slide 12: CYBER SECURITY GROUP OFFERINGS
Offering | Value | Phase
Security Intelligence | Security intelligence collection, analysis and sharing through customer portals, data feeds, multi-level briefs and security intelligence services; provide access to intelligence, knowledge and skill sets needed for security intelligence programs and strategic security planning | PREPARE
Security Simulation and Development Program | Cyber War Games and LiveFire Exercises; expertise, skill set development and cyber readiness through real-life simulations; sets teams up for success | PREPARE
Advanced Threat Protection | Advanced Threat Protection across the enterprise; enable enterprises to rapidly and effectively contain, investigate and remediate advanced threats | DETECT & RESPOND
Monitoring and Intelligence (MSS) | Comprehensive 24x7 security monitoring & intelligence; identify, prioritize, and respond to incidents and fill critical skill set gaps | DETECT & RESPOND
Incident Response | Advanced Incident Response & Forensics support; immediate access to critical knowledge and skill sets during incident response | DETECT & RESPOND

Slide 13: Targeted attacks – how they work (VISION DUBAI 2014)

Slide 14: Anatomy of a breach

Slide 15: How bots infect PCs – Drive-by download (Watering hole)
1. The attacker compromises a web application and inserts a hidden link inside the legitimate app.
2. A legitimate user visits the compromised app. Usually users are redirected to these apps via SEO poisoning attacks.
3. The user is silently redirected to a server under the attacker's control and a first-stage payload is installed on the user's PC by exploiting a vulnerability.
4. The first stage is executed on the user's endpoint and downloads a second stage. The multi-stage approach helps bypass security controls.
5. The installed malware collects information and sends it back to the drop zone server.
6. The attacker downloads the information stolen from the drop zone, eventually connecting through an anonymous proxy.

Slide 16: How bots infect PCs – Spear phishing
1. The attacker sends an e-mail to targeted users with a malicious attachment (usually a PDF or Office document).
2. The user receives the e-mail and opens the attachment. Usually social engineering techniques are used to mimic a legitimate e-mail.
3. The malicious attachment connects to a malicious system to download the first stage of the malicious code.
4. The first stage is executed on the user's endpoint and downloads a second stage. The multi-stage approach helps bypass security controls.
5. The installed malware collects information and sends it back to the drop zone server.
6. The attacker downloads the information stolen from the drop zone, eventually connecting through an anonymous proxy.

Slide 17: Integrating Network and Endpoint Activity (VISION DUBAI 2014)

Slide 18: Evolution of Firewall Technology
Traditional → UTM or ISA → Next Gen FW → STAP
• Traditional firewalls determine who can talk to whom, but they can't hear what's being said.
• UTM and Next Gen FW are limited to catching what's known.
• STAP analyzes files to detect unknown & zero-day malware.
Capabilities listed on the slide, progressing from Traditional to STAP:
• Port & protocol based
• IP-based detection
• Some IPS capabilities
• Signature-based IPS & AV
• URL filtering
• Application control
• Virtual Execution
• Sandboxing
• File hash lookups

Slide 19: Life Before and After MSS-ATP
TODAY (manual correlation & remediation):
• NetSec VX detects suspected malware.
• The Network Security Group determines whether the malware is known and SEP has blocked it; verifies whether endpoints are compromised; understands if / where the infection has spread.
• The Endpoint Security Group launches corrective actions.
• Symantec Endpoint Protection Manager initiates endpoint actions (clean, block, quarantine, gather forensics, …).
TOMORROW (automated correlation & remediation):
• NetSec VX detects suspected malware and alerts Symantec Advanced Threat Protection.
• Symantec Advanced Threat Protection correlates automatically.
• Symantec Endpoint Protection Manager initiates endpoint actions (clean, block, quarantine, gather forensics, …).

Slide 20: Advanced Threat Protection Alliance
Partner 1:
• NGFW Market Leader (Vision, Execution)
• Disruptive to FireEye by offering ATP as an add-on
Partner 2:
• NGFW market share leader (shipped 90k appliances in 2012)
Partner 3:
• Strongest on post-detection response capabilities
• Now part of Cisco, so 20k sales people to sell AMP

Slide 21: Rapid assessment of advanced threats – Release 1 (H1 CY2014)
Components: NetSec device (AV, IPS, VX), Managed Security Services (rapid relay of detection alerts), SEP Client, SEP Manager.
1. The NetSec device detects a suspected malware file or attack attempt (such as a remote exploit) in transit to specific internal endpoint(s).
2. The NetSec device sends detection events to MSS (including target IP, source IP, file hash, user and other useful context data such as VX output). In parallel, the SEP Client reports to the SEP Manager, which sends malware detection details and endpoint infection state to MSS.
3. MSS confirms the infection state of the target endpoint, with auto-prioritization of the associated incident and the option of Symantec threat analyst expert assistance. If the endpoint is not reported as infected, or to aid further investigation, it is possible to review contextual intel on the attack (reputation of the involved files & domains, behavior of the malware including VX output, remediation and mitigation best practice guidance).

Slide 22: MSS-ATP Accelerates Detection and Response
TOMORROW (automated correlation & remediation):
• Network Security technology detects suspected malware and alerts MSS-ATP.
• MSS-ATP analyzes the endpoints to:
  • determine whether the malware is known and SEP has blocked it
  • verify whether endpoints are compromised
  • understand if / where the infection has spread
  • identify the malware & block the IP address
• Symantec Endpoint Protection Manager initiates endpoint actions (clean, block, quarantine, gather forensics).

Slide 23: Increased Efficacy of Threat Investigations
Sources: Network, SEP Recognition, File Reputation.
Figure: a Potential Threat List made up of network alerts, each labelled “Malicious File Downloaded”. As SEP recognition and file reputation are applied, most entries are relabelled “Malware Download, Endpoint Protected” and the list collapses to the two files that still need investigation, FILE A and FILE B.
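The correlation that slides 19, 21 and 22 describe and the relabelling shown on slide 23, as an added example that is not Symantec's or the presenter's code: each network detection (target IP, source IP, file hash, VX verdict) is matched against SEP endpoint telemetry for the same host and hash, labelled “Malware Download, Endpoint Protected” when SEP blocked it, and otherwise prioritized for analyst confirmation. The event field names, the “Endpoint Infected” label, the priority scheme and the placeholder hashes are all assumptions.

```python
# Added example (not Symantec's code): MSS-ATP-style correlation of network-sensor
# detections with endpoint telemetry. Field names and the "infected" label are assumed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class NetDetection:   # what the NetSec device relays to MSS
    target_ip: str
    source_ip: str
    file_hash: str
    vx_verdict: str   # sandbox (VX) output, assumed values: "malicious" or "suspicious"

@dataclass(frozen=True)
class EndpointEvent:  # what SEP Manager relays to MSS
    host_ip: str
    file_hash: str
    action: str       # assumed values: "blocked" (SEP stopped it) or "infected" (it ran)

PROTECTED = "Malware Download, Endpoint Protected"
UNCONFIRMED = "Malicious File Downloaded"
INFECTED = "Endpoint Infected"

def correlate(net_events, ep_events):
    """Group alerts by file hash; return {file_hash: [(target_ip, status, priority)]}."""
    ep_index = {(e.host_ip, e.file_hash): e.action for e in ep_events}
    grouped = defaultdict(list)
    for n in net_events:
        action = ep_index.get((n.target_ip, n.file_hash))
        if action == "blocked":
            status, prio = PROTECTED, "low"        # SEP already handled it
        elif action == "infected":
            status, prio = INFECTED, "critical"    # clean / quarantine / forensics
        else:  # no SEP event for this host+hash: infection state unknown, analyst confirms
            status, prio = UNCONFIRMED, ("high" if n.vx_verdict == "malicious" else "medium")
        grouped[n.file_hash].append((n.target_ip, status, prio))
    return dict(grouped)

def infection_spread(grouped, file_hash):
    """Hosts where the file was not confirmed blocked, i.e. where it may have spread."""
    return sorted(ip for ip, status, _ in grouped.get(file_hash, []) if status != PROTECTED)

# Constructed sample telemetry: hashes are placeholders, not real indicators.
NET = [NetDetection("10.0.0.5", "203.0.113.9", "FILE_A", "malicious"),
       NetDetection("10.0.0.6", "203.0.113.9", "FILE_A", "malicious"),
       NetDetection("10.0.0.7", "203.0.113.9", "FILE_A", "malicious"),
       NetDetection("10.0.0.8", "198.51.100.4", "FILE_B", "suspicious")]
EP = [EndpointEvent("10.0.0.5", "FILE_A", "blocked"),
      EndpointEvent("10.0.0.6", "FILE_A", "infected")]
TRIAGE = correlate(NET, EP)
```

With this sample, three FILE_A alerts collapse to one file entry in which one host is protected, one is infected and one still needs confirmation; infection_spread() lists the latter two for the endpoint team.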
Slide 24: Thank you!
Antonio Forzieri, [email protected], +39 347 7819020
Copyright © 2014 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.