CI Security - Mike Hamilton, Founder and CISO - April 19, 2019 - PowerPoint PPT Presentation

SLIDE 1

CI Security

Mike Hamilton Founder and CISO

Our stuff keeps your stuff from becoming their stuff

SLIDE 2

Surviving 2019 and Beyond

SCITDA September 24, 2019

SLIDE 3

Your Presenter

  • Founder, CI Security
  • Policy Advisor, Washington State
  • CISO, City of Seattle
  • Managing Consultant, VeriSign
  • Senior Principal Consultant, Guardent

  • Independent Consultant
  • CEO, Network Commerce, Inc.
  • Ocean Scientist, NASA/JPL

SLIDE 4

You Are Here

You will recognize

  • Water
  • Traffic
  • Communications
  • Emergency Management
  • Public Health
  • Government

And in some cases

  • Energy
  • Dams
  • Elections
  • 9-1-1

SLIDE 5

Meanwhile…

What could possibly go wrong?

SLIDE 6

Leaning Into OSINT

Trends emerge, which lend themselves to prediction, or at least noticing which way the wind is starting to blow

SLIDE 7

Recent Public Sector Events

SLIDE 8

Ransomware

SLIDE 9

MSPs – A One-Stop Shop (for compromise)

SLIDE 10

SLIDE 11

SLIDE 12

BEC

Toyota Subsidiary Loses $37 Million Due to BEC Scam

SLIDE 13

Phishing Sites are Eclipsing Malware

Data from Microsoft “safe browsing” identification of unsafe sites

SLIDE 14

Credential Stuffing

SLIDE 15

Cryptocurrency Mining

  • Low-Risk for organized crime
  • Uses existing botnets
  • Becoming legitimized as an alternative to ads
  • Operational Continuity Threat
  • Not as disruptive as ransomware

NOTE that the problem waxes and wanes due to the value of the cryptocurrency and power costs

SLIDE 16

SIM Swapping

SLIDE 17

IoT Weaponization

  • Not secured when deployed
  • If exposed to the Internet, immediate takeover
  • Mirai, Reaper, DoubleDoor
  • Used for DDOS, and TBD

SLIDE 18

Gigantic DDOS

Arbor believes that we’ve entered a new era in which Tb/s DDoS attacks will be common, whether it’s through memcached server vulnerabilities or through other vulnerabilities attackers may be able to find later.

Memcached Amplification Attack Breaks New DDoS Record At 1.7 Tb/s

SLIDE 19

Nation-State Collateral Damage

SLIDE 20

AI – Friend or Foe?

SLIDE 21

The Third Party Microscope

SLIDE 22

Commercial Malware Companies

SLIDE 23

A Spyware Company Audaciously Offers ‘Cyber Nukes’

“This ability enables an agency to instantly disable or destroy a target. Cyber strike capability is an ‘always online weapon’ that can be fired at any IP connected terminal with power to disable or destroy a target permanently. This weapon is comparable to a Nuclear Strike that can destroy city wide Cyber infrastructure or render a county wide IP communications ineffective,” the brochure adds.

source: https://motherboard.vice.com/en_us/article/59weqb/a-spyware-company-audaciously-offers-cyber-nukes

SLIDE 24

Hardware Vulnerabilities

"One of the problems with Spectre is that it's completely silent," Evtyushkin said. "You don't see anything happening. Compared to traditional attacks, where an application usually crashes and you can see the damage, with microarchitecture attacks you won't see it or know it happened."

Meltdown-Spectre: Now the class action suits against Intel are starting to mount up

SLIDE 25

So… What Should We Do?

SLIDE 26

Outcomes to Avoid, Financial Impacts

  • Records Disclosure: ~$150/record
  • Theft: $75K-$1.2M in our region, multiple millions elsewhere
  • Disruption: Loss of business continuity or operating capacity, loss of life for critical services

SLIDE 27

Assume Breach

  • Government must manage security as a business risk rather than an IT problem
  • 20th Century: Prevent compromises and security events
  • 21st Century: Manage the risk of this foreseeable event

We now recognize we cannot eliminate the likelihood of security events

SLIDE 28

The Mathematics of Risk

R = P(TV) * I

Risk (R) is the product of two terms: the likelihood, P(TV), and the impact, I.

The likelihood, or probability that a threat is realized against a vulnerability

  • Preventive controls reduce that likelihood

The impact (usually financial) of that realized threat

  • Detection and rapid, effective response address the impact term

SLIDE 29

Detective Controls (reduce the impact term, I)

  • Intrusion Detection System
  • SIEM
  • Log Aggregation and Analysis
  • Packet capture and analysis
  • Human investigators

Preventive Controls (reduce the likelihood term, P(TV))

  • Firewall
  • Intrusion Prevention System / Application Firewall
  • URL filtering
  • E-mail security
  • Vulnerability management
  • Anti-Virus
  • Employee training

R = P(TV) * I

SLIDE 30

Detection & Response is a gap

Most organizations suffer and then deal with the fallout

  • average days until a compromised asset is detected
  • of victims are notified by a third party such as the FBI
  • of victims were not compliant with regulatory requirements

205 89% 69%

SLIDE 31

Key Metrics

Minimize:

  • The time from initial compromise to detection
  • The time to reach full recovery after detection
  • The sum of these two is known as the ‘dwell time’

https://www.armor.com/blog/dwell-time-cyber-security-metric/
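As an added worked example (not part of the presentation), the script below computes the two intervals the slide asks you to minimize, their sum as dwell time, and the share of incidents first reported by an outside party, over a small set of constructed incident records; the field names and dates are assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample incident records (not from the presentation): dates of
# initial compromise, detection and full recovery, plus who first detected it.
INCIDENTS = [
    {"id": "inc-1", "compromised": "2019-01-03", "detected": "2019-04-02",
     "recovered": "2019-04-09", "detected_by": "third_party"},
    {"id": "inc-2", "compromised": "2019-02-10", "detected": "2019-02-12",
     "recovered": "2019-02-14", "detected_by": "internal"},
    {"id": "inc-3", "compromised": "2018-11-20", "detected": "2019-06-13",
     "recovered": "2019-06-20", "detected_by": "third_party"},
]


def incident_metrics(inc):
    """Per-incident time to detect, time to recover and dwell time, in days."""
    c, d, r = (date.fromisoformat(inc[k]) for k in ("compromised", "detected", "recovered"))
    if not c <= d <= r:
        raise ValueError(f"{inc['id']}: compromise, detection and recovery must be in order")
    time_to_detect = (d - c).days
    time_to_recover = (r - d).days
    return {
        "id": inc["id"],
        "time_to_detect_days": time_to_detect,
        "time_to_recover_days": time_to_recover,
        # Dwell time as defined on the slide: detection delay plus recovery time.
        "dwell_days": time_to_detect + time_to_recover,
    }


def summarize(incidents):
    """Median of each metric across incidents, plus the share found by outsiders."""
    rows = [incident_metrics(i) for i in incidents]
    external = sum(1 for i in incidents if i["detected_by"] == "third_party")
    return {
        "median_time_to_detect_days": median(r["time_to_detect_days"] for r in rows),
        "median_time_to_recover_days": median(r["time_to_recover_days"] for r in rows),
        "median_dwell_days": median(r["dwell_days"] for r in rows),
        "third_party_notification_share": external / len(incidents),
        "per_incident": rows,
    }


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(key, value)
```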

SLIDE 32

Improving Detection and Response

  • Make it IT’s job
  • Designate authority and set standards to federate incident response

  • Use the help/service desk
  • Make use of Interns
  • Outsource it

SLIDE 33

Not Everything is Bad… We Think

AI, ML, and Security Automation

SLIDE 34

Let’s Talk about AI & ML

https://www.legalcheek.com/2019/03/40-of-ai-start-ups-dont-use-ai/
https://www.csoonline.com/article/3378201/11-questions-to-ask-before-buying-ai-enabled-security-software.html

SLIDE 35

Intelligence That’s More Than Artificial

Threat Intelligence Firms Look to AI, but Still Require Humans

Machine learning and artificial intelligence are helping threat-intelligence firms cover a greater area of the darknet, but human analysts will always be necessary, experts say. Threat intelligence firms are racing to expand their machine-learning capabilities to capture more of the un-indexed parts of the internet, but somewhat ironically, human analysts and experts remain critical to the effort.

https://www.darkreading.com/risk/threat-intelligence-firms-look-to-ai-but-still-require-humans/d/d-id/1334570

https://www.ttnews.com/articles/ai-will-boost-productivity-needs-human-guidance
https://www.extremetech.com/extreme/291952-google-duplex-still-needs-a-lot-of-help-from-humans

SLIDE 36

This Was PRISEM

  • Public
  • Regional
  • Information
  • Security
  • Event
  • Monitoring

SLIDE 37

Public Infrastructure Security Cyber Education System (PISCES)

Diagram labels (the slide shows the PISCES arrangement as a figure):

  • The PISCES Nonprofit
  • City and County Governments
  • Data Sharing Agreements
  • Real-Time Network Security Data
  • CI Security Provides the Monitoring Stack, Collectors, and Maintenance
  • 5-year contract for technology and maintenance services
  • Technology Hosting Agreement
  • Curriculum Agreements
  • Data Access for Cyber Analyst Curriculum
  • Incident Reporting and Response

SLIDE 38

Wrapping…

You still don't have to run faster than the bear, but you might be collateral damage

  • Service disruption for the purpose of extortion is the largest emerging threat – monitor, including your control systems (water/waste/traffic/etc.)

  • Use the Microsoft controls with O365
  • Be prepared to rapidly and effectively respond
  • Hold your vendors to a security standard
  • Procurement and policy are your best friends

SLIDE 39

I’ll Leave You With This

Rescinding the policy of de minimis use can reduce compromises by 40%

SLIDE 40

THANK YOU

Mike Hamilton

mkh@ci.security
@detectrespond – Company Tweets
@seattlemkh – Unvarnished Opinions
Sign up for the IT Security News Blast: https://ci.security/news/daily-news

SLIDE 41

CI Security

Our stuff keeps your stuff from becoming their stuff