Stay Ahead of Threats with Advanced Security Protection - Fortinet

John Gleason, Systems Engineer


  1. Stay Ahead of Threats with Advanced Security Protection – John Gleason, CISSP
  2. Risk – The common driver. Stay ahead… have a goal and a plan!
     • Threat Landscape
     • Cyber Security finally reaches #1 in C-Level concerns
     • Security Program vs. Compliance checkboxes
     • Definitions are important
     • Security basics – blocking and tackling before technology
     • The end goal – Lower residual risk = Acceptable level of risk
  3. Virus Lifecycle to Scale (timeline of variants after release)
     • Virus.A (#1) – +0
     • Virus.B (#2) – +30 Sec
     • Virus.AA (#27) – +13 Min
     • Virus.BL (#120) – +1 Hour
     • VendorUpdate(Virus.A)
  4. Cyber Security finally reaches #1 in C-level concerns: Top 5 Business Risks – according to World Economic Forum (US, Japan, Germany, Netherlands & others)
     • #1 Cyber attacks
     • #2 Data fraud and theft
     • #3 Terrorist attack
     • #4 Fiscal crisis
     • #5 Asset bubble
     This underscores the significance of understanding the cyber threat landscape and associated insights related to intruder detection.
  5. Security Program vs. Compliance checkboxes
     • Security/Governance Frameworks: NIST (Multiple), COBIT, ISO 27000, ITIL, SIGMA6
     • Compliance: HIPAA / HITECH, PCI DSS, CIPA / FERPA, GLBA, Sarbanes Oxley (SOX)
  6. Security Programs address the 360 degree view
     • Controls – Require People, Process, and Technology: Administrative, Technical, Physical
     • ISO 27002 defines information security policy in section 5
     • COBIT defines it in the section "Plan and Organize"
     • Sarbanes Oxley defines it as "Internal Environment"
     • HIPAA defines it as "Assigned Security Responsibility"
     • PCI DSS defines it as "Maintain an Information Security Policy"
  7. Definitions are important – Understanding can only come through common terminology and definitions
     • Security Triad
     • Roles & Responsibilities
     • Data Classification
     • Asset Value
     • Threat, Threat Agent, Vulnerability, Risk, Counter measure
     • Controls
     • Residual Risk
  8. Security triad – Like a three legged stool. Possible fourth = Authenticity
  9. The triad in detail
     • Confidentiality – Access Control
       • Identification, Authentication, Authorization (Authenticity)
       • Least Privilege / Need to know
     • Integrity
       • Assurance, Accuracy, Reliability
     • Availability
       • Perform in a predictable manner, acceptable level of performance
       • Recover securely from disruption so productivity will not be negatively impacted
       • Single points of failure ???? (BC/DR)
  10. Roles & Responsibilities
  11. Roles and Responsibilities – Where do you identify? Owner, GM, Coach, Lineman, Linebacker, Safety?
     • Data Owner – Concerned about terms like legal, regulatory, compliance, due care & due diligence, negligence, reasonable and expected. Generally not IT.
     • Data Custodian – Typically IT. Responsible for implementing the policies and guidelines established by the Data Owner. Responsibilities include physical data storage, back-up and recovery, and the operation of security and data management systems.
  12. Data Classification – How do you view and categorize your assets? Public / Private
     • Business & Organizations: Restricted/Confidential/Proprietary, Private, Sensitive, Public
     • Military/Government: Top Secret, Secret, Confidential, Sensitive but Unclassified, Unclassified
  13. Asset Value – Quantitative or Qualitative?
     • Cost – to Acquire or develop? Maintain & protect? Replace?
     • Value – to Adversaries, Intellectual Property
     • Operational and productivity loss when unavailable
     • Liability if asset is compromised – Compliance, Legal
     • Value of knowing your values – cost/benefit analysis, wise selection of countermeasures, risk awareness, due diligence
  14. Risk Management – What (NIST Cyber Security Framework)
     • Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact. With this information, organizations can determine the acceptable level of risk for delivery of services and can express this as their risk tolerance.
     • Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.
  15. Risk Management – Why (NIST Cyber Security Framework)
     • With an understanding of risk tolerance, organizations can prioritize cybersecurity activities, enabling organizations to make informed decisions about cybersecurity expenditures.
     • Implementation of risk management programs offers organizations the ability to quantify and communicate adjustments to their cybersecurity programs.
     • Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.
  16. Threat, Threat Agent, Vulnerability, Risk, Counter measure
  17. Controls – Compensating Controls
     • Administrative
     • Technical
     • Physical
     • Preventative / Protective
     • Detective
     • Corrective / Reactive
  18. Residual risk – According to ISO 27001, residual risk is “the risk remaining after risk treatment”.
  19. Turning traditional risk analysis upside down
     • Threats of today have increased in frequency and impact
     • 75-90% enter via E-mail
     • 10-20% compromised website
     • Avoiding the activity is not an option
  20. Did You Know…
     • 79,790 – Number of incidents investigated by Verizon in 2015
     • 229 – Average number of days attackers were on a network before detection
     • 70-90% – Percent of time unique malware was found
     • Gartner: All organizations should assume they are in a state of continuous compromise
  21. New world strategies
  22. Breaking the Kill Chain of Advanced Threats
     • Attack stages: Spam → Malicious Email → Malicious Link → Exploit → Malicious Web Site → Malware → Command & Control Center → Bot Commands & Stolen Data
     • Matching controls: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control / IP Reputation, Sandbox
  23. Layered Defense + Shared Intelligence
     • Web Filter – Known malicious site
     • IP Reputation – Botnet site
     • Intrusion Prevention
     • Anti-Virus/Malware
     • Sandbox candidate
  24. Sandbox = Isolation
  25. FortiGuard Labs – Augment your security staff. Nearly 300 threat researchers
  26. FortiGuard Labs Statistics
  27. Shared threat intelligence
  28. Only ATP Solution NSS Recommended Edge to Endpoint
  29. Fortinet Security Fabric – Shared threat intelligence
  30. Questions ?? Thank you
  31. 3:00 – 3:45 PM BREAKOUT SESSIONS
     • KONICA MINOLTA – Breakout Room: Guest Locker Room – “What is your Print Transformation Strategy?” – Emil Enstrom, Vice President of Enterprise Accounts
     • BARRACUDA – Breakout Room: Delta 360 Club – “Protecting Data Everywhere” – Rod Mathews, Senior Vice President and General Manager
     • MARCO – Breakout Room: Main Field – “Uncovering the Cloud: Is it Right for You?” – Steve Knutson, Chief Technology Officer and Vice President of Service
     • MITEL – Breakout Room: Interview Room – “Deliver a Flexible, Engaging Customer Contact Center Experience” – Brian Spencer, General Manager – Contact Center
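Slides 13, 14 and 18 describe the chain from asset value to risk tolerance to residual risk without showing the arithmetic. The following is an added worked example, not code from the presentation or from Fortinet: it values a few constructed scenarios, applies a countermeasure, computes the residual annual loss, and picks one of the four NIST CSF responses (mitigate, transfer, avoid, accept) against a stated risk tolerance. Every figure, asset, control and premium in it is hypothetical.

```python
"""Quantitative risk treatment worked through end to end (added example; constructed figures)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    """The four risk responses named in the NIST CSF text on slide 14."""
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass(frozen=True)
class Scenario:
    """One asset / threat pairing, valued along the lines of slide 13."""
    name: str
    asset_value: float      # cost to replace plus liability if compromised, in dollars
    exposure_factor: float  # fraction of the asset value lost in one incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: inherent risk per year, before any control."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A countermeasure and the share of likelihood / impact it removes."""
    name: str
    annual_cost: float
    rate_reduction: float    # fraction of incidents prevented (0..1)
    impact_reduction: float  # fraction of per-incident loss avoided (0..1)


def residual_ale(s: Scenario, c: Control) -> float:
    """Residual risk (ISO 27001): expected annual loss remaining after the treatment."""
    remaining_loss = s.sle() * (1.0 - c.impact_reduction)
    remaining_rate = s.annual_rate * (1.0 - c.rate_reduction)
    return remaining_loss * remaining_rate


def net_benefit(s: Scenario, c: Control) -> float:
    """Cost/benefit of the control: risk removed per year minus what the control costs."""
    return s.ale() - residual_ale(s, c) - c.annual_cost


def choose_treatment(s: Scenario, c: Control, tolerance: float,
                     insurance_premium: Optional[float] = None) -> Treatment:
    """Pick accept / mitigate / transfer / avoid against the stated risk tolerance."""
    if s.ale() <= tolerance:
        return Treatment.ACCEPT        # already within tolerance: no spend justified
    if residual_ale(s, c) <= tolerance and net_benefit(s, c) >= 0.0:
        return Treatment.MITIGATE      # control reaches tolerance and pays for itself
    if insurance_premium is not None and insurance_premium <= c.annual_cost:
        return Treatment.TRANSFER      # insuring the loss is cheaper than the control
    return Treatment.AVOID             # nothing brings it into tolerance: stop the activity


# Constructed scenarios and controls (hypothetical figures, not from the deck).
EHR_DB = Scenario("patient records database", asset_value=2_000_000, exposure_factor=0.25, annual_rate=0.4)
BROCHURE_SITE = Scenario("public brochure web server", asset_value=20_000, exposure_factor=1.0, annual_rate=0.5)
FLAT_NETWORK = Scenario("legacy flat plant network", asset_value=5_000_000, exposure_factor=0.5, annual_rate=0.3)

EMAIL_SANDBOX = Control("e-mail attachment sandboxing", annual_cost=40_000, rate_reduction=0.8, impact_reduction=0.0)
SEGMENTATION = Control("internal segmentation firewall", annual_cost=100_000, rate_reduction=0.5, impact_reduction=0.6)

RISK_TOLERANCE = 50_000  # acceptable annual loss per scenario (constructed)


def treatment_table(tolerance: float = RISK_TOLERANCE) -> dict:
    """Map each scenario name to (inherent ALE, residual ALE, chosen treatment)."""
    plan = {
        EHR_DB: (EMAIL_SANDBOX, None),
        BROCHURE_SITE: (EMAIL_SANDBOX, None),
        FLAT_NETWORK: (SEGMENTATION, 80_000),   # hypothetical insurance quote for this one
    }
    return {
        s.name: (s.ale(), residual_ale(s, c), choose_treatment(s, c, tolerance, premium).value)
        for s, (c, premium) in plan.items()
    }


if __name__ == "__main__":
    for name, (inherent, residual, decision) in treatment_table().items():
        print(f"{name:30} ALE ${inherent:>10,.0f}  residual ${residual:>10,.0f}  -> {decision}")
```

The interesting row is the flat network: segmentation cuts the expected loss from $750k to $150k a year, yet that is still above the $50k tolerance, so the model falls through to transfer (the quoted premium is cheaper than the control) and, with no quote, to avoid. That is the decision the slide 14 text describes, made visible as numbers rather than adjectives.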

Editor's Notes

  • CISSP – back story and reason for publicly speaking – Advance the cause/awareness of security – Commercial… I mean visibility for Fortinet

    Questions to the Audience – get idea of demographics:
    Size or organization?
    How many Network Admins? Department heads? Security or compliance leaders, C-Level = President, owner?

    Stay Ahead – Simple Version – Define your Assets, Threats, Vulnerabilities and Risks – Implement a counter measure which best fits into your overall strategy, and provides the highest levels of protection where appropriate.

  • Risk directly relates to advanced threats - Identifying assets and making decisions to protect according to your risk tolerance. Having thorough & informed input is critical to the equation.
  • Entry points to the network have exploded. Borders have extended far beyond the data center and internet edge: Data Center, branch office, remote client, cell phones & tablets – BYOD, Private cloud, Public Cloud – AWS & Azure. IoT – HVAC, CC readers, thermostats, printer/MFP. Healthcare – blood pump, IV drip, heart monitor, etc.
  • Example: Continuing on the reactive and volume problem

    Rapid Spread: We live in such a connected world and with advancements in technology the Internet is becoming faster and faster. This enables the rapid spread of viruses/malware around the Globe.

    Morphing Malware: When a new virus/malware is released into the wild it will continuously change or morph its appearance, making it very difficult for AV/malware vendors to detect.

    * Within 1 hour of a new virus/malware being released into the wild we could have 120 different variants/versions of that virus/malware. And again vendors just can’t react fast enough. At the end of that hour vendors are still building protection for the first variant.
  • Why? Why is this newfound level of concern the case for only a subset of countries? The answer to this question lies in being able to understand the dependencies and interconnections of the physical and digital world.
  • Compliance is more about security for specific risk - Business Model. Can be short sighted on

    NIST – again bigger overall umbrella view.
  • Examples of people processes and technology – emphasize the importance of process – not can we make the change, but SHOULD we make the change.

    NIST Cyber Security - created for Critical Infrastructure, but I love it because it combines creation of a security program and a game plan for starting and tracking progress in the program creation itself and success milestones and maturity.
  • Validation
  • Team needed
  • Knowing your role – and gathering & providing information to proper channels.

    Admins – Inventory, diagrams, identification of virtual vs. physical assets. Document single points of failure. Document & validate back-up process. Communicate with the data owner regularly.

    Department heads – document and prioritize your resources, or those used most by your team. Identify threats and work with BC/DR
  • Less about the level and more about identifying data, where it lives and matching for good decision making.
  • Let them read - Main point Knowing your assets and values will drive solid decision making and awareness.
  • Follow the links
  • Advanced threats are not just about entry and prevention. Detective controls and segmented zones allow for the identification upon movement.
  • Controls are all in place to reduce the impact.
  • Admin- Policy, procedure, guidelines, best practices
    Technical – Cyber/Data communications – Firewall-App Ctrl/WF/DLP/ IP reputation/Botnet preventative, IPS preventative/detective IDS detective, reloading a system OS as a corrective control
    Physical controls include locks, fences, mantraps and even geographic-specific controls.
    Compensating controls – in lieu of requested. Alternate controls which address the same risk.
    Activity phase controls can be either technical or administrative and are classified as follows:
    • Preventative controls exist to prevent the threat from coming in contact with the weakness.
    • Detective controls exist to identify that the threat has landed in our systems.
    • Corrective controls exist to mitigate or lessen the effects of the threat being manifested.
  • Residual risk needs to equal or exceed acceptable risk – otherwise the control was not worth it. The organization needs to know exactly whether the planned treatment is enough or not.
  • Normally, risks with high likelihood and high impact were activities to be avoided.
  • I don’t agree with Gartner on this one, but I do anticipate more internal segmentation inspection will occur.
  • The technology and power are now available to inspect at the necessary speeds.
  • Consider the way advanced threats typically operate:
    They generally start with an email seeking to entice users through social engineering to click on a malicious link. Ideally, your antispam/phishing technology will block the message. But if just one slips through and the recipient is fooled, that link will redirect them out to a malicious site.
    That malicious site will typically try to insert malware by exploiting vulnerabilities. Ideally, your web filter will prevent the site visit, IPS will stop the exploit or antimalware will block the code. But if not, you have active malware in your network that can do many things – usually at the behest of an external command and control.
    It’s at this stage that having measures in place like IP Reputation or other call-back detection methods is critical – to ensure that communication channel is severed and data can’t be exfiltrated. Otherwise you are breached…
    Unless you have deployed a sandbox as a deeper method of inspection, to do things like follow URLs, analyze objects and inspect traffic or communications, and to do so based on actual observed activity rather than static attribute or reputation checking.

    The primary value of a sandbox is to take the time for more advanced analysis that’s generally not possible on production systems and identify those things that have evaded traditional defenses…before the endgame of a breach occurs.
  • Threat intelligence – Fortiguard Labs one of the largest Threat research groups in the world. Leader of Zero-day discoveries.
  • How the fabric works
  • In fact, organizations looking to take a coordinated approach to combating advanced threats benefit from NSS Labs Recommended components including:
    FortiGate as NGFW and NGIPS in the data center and at the edge
    FortiWeb in front of external-facing web servers that often serve as entry points to the network
    FortiClient for Enterprise Endpoint Protection covering users on and off the network
    FortiSandbox for continuous analysis of seemingly benign objects and sites to detect the most sophisticated attacks that might slip through your defenses.

  • Security Fabric – Peer-to-peer communication between nodes. Sandbox & FortiGuard Labs provide the highest levels of protection possible.
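Slides 22 and 23 and the speaker notes above walk through the kill chain and the control that should break it at each stage, and the later slides stress that sandbox verdicts are shared back to the other layers. The following is an added example, not code from the presentation or from Fortinet: each control is a small function consulting shared blocklists, the controls run in the order the slide lists them, and a sandbox verdict on an unrecognised object is written back so the next copy is stopped by a cheaper, earlier layer. The domains, URLs, hashes, signature name and addresses are all constructed (example.net names and TEST-NET addresses), not real indicators.

```python
"""Layered defense with shared intelligence as a detection pipeline (added example; constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Event:
    """What the controls can see about one message or connection (all fields constructed)."""
    label: str
    sender_domain: Optional[str] = None
    url: Optional[str] = None
    exploit_signature: Optional[str] = None  # IPS signature that fires on the request, if any
    file_hash: Optional[str] = None          # hash of a delivered object, if any
    callback_ip: Optional[str] = None        # destination the delivered object tries to reach
    sandbox_behaviour: Optional[str] = None  # what dynamic analysis of the object observes


@dataclass
class SharedIntel:
    """Blocklists every layer consults; sandbox verdicts are written back here."""
    spam_domains: Set[str] = field(default_factory=set)
    malicious_urls: Set[str] = field(default_factory=set)
    ips_signatures: Set[str] = field(default_factory=set)
    av_hashes: Set[str] = field(default_factory=set)
    c2_ips: Set[str] = field(default_factory=set)


SUSPICIOUS_BEHAVIOURS = {"beacons to external host", "drops executable", "disables backups"}


# Each control returns its layer name when it blocks, or None to pass the event on.
def anti_spam(ev: Event, intel: SharedIntel) -> Optional[str]:
    return "anti-spam" if ev.sender_domain in intel.spam_domains else None

def web_filter(ev: Event, intel: SharedIntel) -> Optional[str]:
    return "web filter" if ev.url in intel.malicious_urls else None

def intrusion_prevention(ev: Event, intel: SharedIntel) -> Optional[str]:
    return "intrusion prevention" if ev.exploit_signature in intel.ips_signatures else None

def antivirus(ev: Event, intel: SharedIntel) -> Optional[str]:
    return "antivirus" if ev.file_hash in intel.av_hashes else None

def ip_reputation(ev: Event, intel: SharedIntel) -> Optional[str]:
    return "ip reputation" if ev.callback_ip in intel.c2_ips else None

def sandbox(ev: Event, intel: SharedIntel) -> Optional[str]:
    """Deeper analysis of an object no static layer recognised; the verdict is shared back."""
    if ev.file_hash is None or ev.sandbox_behaviour not in SUSPICIOUS_BEHAVIOURS:
        return None
    intel.av_hashes.add(ev.file_hash)          # later copies of the object: blocked by antivirus
    if ev.url:
        intel.malicious_urls.add(ev.url)       # later clicks on the link: blocked by the web filter
    if ev.callback_ip:
        intel.c2_ips.add(ev.callback_ip)       # later beacons: blocked by IP reputation
    return "sandbox"

LAYERS = [anti_spam, web_filter, intrusion_prevention, antivirus, ip_reputation, sandbox]


def inspect(ev: Event, intel: SharedIntel) -> str:
    """Run the event down the chain; return the layer that broke it, or 'allowed'."""
    for layer in LAYERS:
        verdict = layer(ev, intel)
        if verdict:
            return verdict
    return "allowed"


def seeded_intel() -> SharedIntel:
    """Starting blocklists (constructed indicators only)."""
    return SharedIntel(
        spam_domains={"bulk-offers.example.net"},
        malicious_urls={"http://invoice-update.example.net/view"},
        ips_signatures={"EXAMPLE.Browser.Overflow"},   # hypothetical signature name
        av_hashes={"0" * 64},
        c2_ips={"203.0.113.5"},
    )

DROPPER_HASH = "a1" * 32  # constructed, not a real sample
EVENTS: List[Event] = [
    Event("bulk spam", sender_domain="bulk-offers.example.net", url="http://bulk-offers.example.net/deal"),
    Event("phish, known bad link", sender_domain="partner.example.org", url="http://invoice-update.example.net/view"),
    Event("drive-by exploit, unknown site", url="http://cdn-assets.example.net/player", exploit_signature="EXAMPLE.Browser.Overflow"),
    Event("phish, unknown dropper", sender_domain="partner.example.org", url="http://files.example.net/q3.zip",
          file_hash=DROPPER_HASH, callback_ip="203.0.113.10", sandbox_behaviour="beacons to external host"),
    Event("same dropper via mirror", url="http://mirror.example.net/q3.zip", file_hash=DROPPER_HASH, callback_ip="203.0.113.10"),
    Event("infected host beacon", callback_ip="203.0.113.10"),
    Event("benign newsletter", sender_domain="news.example.com", url="http://news.example.com/weekly"),
]


def run_chain(events: List[Event] = EVENTS) -> List[Tuple[str, str]]:
    """Process the events in order against one shared intel store; return (label, verdict) pairs."""
    intel = seeded_intel()
    return [(ev.label, inspect(ev, intel)) for ev in events]


if __name__ == "__main__":
    for label, verdict in run_chain():
        print(f"{label:32} -> {verdict}")
```

Run against a fresh intel store, the mirror copy of the dropper and the later beacon are both allowed, which is the "breached…" ending in the notes; run after the sandbox has seen the first copy, they are stopped by antivirus and IP reputation respectively. That before/after difference is the whole argument for sharing intelligence between layers rather than operating them as independent products.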