Cybersecurity Monitoring
Transcription
Cybersecurity Monitoring
Cybersecurity Monitoring Gib Sorebo AGENDA − Current State of Control System Cybersecurity Monitoring − Reasons for Concern − Options for Greater Visibility − Potential Ecosystem − Responding to Events 2 Why is Network Monitoring Needed? Today’s computing environment is extremely decentralized − Creates many, many entry points into your systems − Giving hackers tremendous advantages You can’t prevent everything − End user errors, time to patch systems, third parties, the internet, etc. Detection is the key step between prevention and corrective action − − − − Adds context to tools (IDS, Firewalls, Proxy, etc) Use cases alert on things tools will not see Gives metrics and trends Supports corrective and preventative actions The Undiscovered Breach 229 “Median number of days attackers were present on a victim’s network before being discovered” in 2013 Source: 2014 Mandiant Threat Report 4 Network Monitoring Reasons for Concern: The Kill Chain 5 Current State for Monitoring Operations Technology (OT) HMI = Human Machine Interface WAN = Wide Area Network SIEM = Security Information and Event Management SOC = Security Operations Center IDS = Intrusion Detection System 6 Network Monitoring Reasons for Concern: Supply Chain FBI: Counterfeit Cisco routers risk “IT subversion” ZDNet, May 12, 2008 Soviet Trans-Siberian Pipeline Sabotage (1982) Dell on Wednesday said that some replacement motherboards for PowerEdge servers may have contained the W32.Spybot worm in flash storage. PC Magazine, July 22, 2010 Stuxnet (2010) 7 Options for Greater Visibility on the Operations Side 8 The Enterprise Needs Better Coverage Too • Conceptually, resources should be segmented by function so that monitoring and traffic restrictions can be effective • Practically, organizations need to prioritize where to focus their efforts and start by isolating their DMZ, system administration functions, users, and operational technology (OT) DMZ = Demilitarized Zone Monitoring—Logistical Architecture Responding to Breaches Do you know what normal looks like? − Control system behavior − Electro-mechanical behavior (don’t forget to read the gauges and use all your senses) Can you operate without computers? If so, for how long? How will you know when you can trust your computers again? Are your business processes prioritized and staffed appropriately? − Outage management/customer service may need more staff without automation − What systems need to come back up first? − What are the dependencies? − Who gets to decide what’s most important? 11 Staffing Levels for Security Operations Center Alignment with Control Processes False Positives 12 Other Considerations Coverage of All Kill Chain Stages No Disruption to Operations Questions? For more information contact: Gib Sorebo Leidos Chief Cybersecurity Technologist phone: 703-676-0269 | email: [email protected]