CXO-T07 Model-Driven Security: It's Closer Than You Think

2020-03-01

  • 1. #RSAC SESSION ID: CXO-T07. MODEL-DRIVEN SECURITY: IT'S CLOSER THAN YOU THINK. Jim Routh, CSO, Aetna, @jmrouth1
  • 2. Session objectives: 1. Share some examples of model-driven security; 2. Introduce you to the world of unconventional controls; 3. Identify talent development challenges.
  • 3. Evolution from conventional to unconventional controls. Conventional: NIST CSF, 800-53, ISO 27001, HiTrust. Un-Conventional: Cyber Security.
  • 4. The #1 Threat Vector today. #1 CYBER THREAT VECTOR: "This is the reason that phishing, spear-phishing, and whaling attacks are directed against individuals. ... Almost all national and industry phishing laws and regulations include a stipulation that businesses and organizations must create, implement, and maintain a security awareness training program." (CONVENTIONAL CONTROL; source: http://resources.infosecinstitute.com/category/enterprise/phishing/phishingcountermeasures/anti-phishing-laws-regulations). NIST SP 800-177, September 2016 (UNCONVENTIONAL CONTROL EVOLVING TO CONVENTIONAL): "Domain-based Message Authentication, Reporting and Conformance (DMARC) was conceived to allow email senders to specify policy on how their mail should be handled, the types of security reports that receivers can send back, and the frequency those reports should be sent. Standardized handling of SPF and DKIM removes guesswork about whether a given message is authentic, benefitting receivers by allowing more certainty in quarantining and rejecting unauthorized mail."
  • 5. Phishing: Different tactics require different controls. Tactics: Impostor (Sender Spoof, Look-Alike Domain, Authentic Display Name Deception); Compromised Account (Account Owner). Controls: DMARC; Sinkhole newly registered domains; Apply domain attributes to inbound filters; Brand protection services; End user education; TBD.
  • 6. Phishing: Inbound email protection - Domain Attributes. Using email traffic data, the system learns the unique fingerprint of all email senders into your enterprise. This durable identity trust model is used to stop all messages that do not prove they should be trusted. 29,231 servers sent email for an enterprise on a single day: 312 servers for the enterprise; 4,641 servers owned by service providers; 9,732 benign email forwarders; 14,526 malicious senders.
  • 7. Phishing: Enabled by models. Comparing Aetna in-bound email and correlating it with billions of emails every day from the largest email providers, using machine learning models applied in real time, enables filtering of email based on sending domain attributes to divide the mail stream into trusted and untrusted streams.
  • 8. Privilege User: Privilege user & activity management. 1. Reduce the number of privilege users (chart: Active vs. Removed, Non-Person IDs vs. Person IDs, scale 0 to 1000). 2. Provide context to monitoring and change admin tool choice. 3. Implement data analytic techniques to determine behavioral patterns (Level of access, Ability to modify; Access, Activity, Alerts).
  • 9. Identity: Behavioral analysis is the cornerstone. Identity & Access: Departing User, Excess Access/Outlier, Orphan Accounts, Entitlements, High Privilege Accounts / Access (HPA), Dormant Accounts, Roles, Inactive Accounts. Identity Access Intelligence (IAI); User Behavior Analytics (UBA); Privilege User Activity & Alerts; Accounts (On-Prem, Cloud / SaaS). Signals: Activity Volumes, Geo-location, Log Activity, Access Patterns, Device Fingerprinting, Physical Access, Transaction Patterns, Security Alerts Patterns, DLP Alerts.
  • 10. Privilege User: Example of an event email. Privileged Access Management (PAM): Implement and consolidate access monitoring, alerting, and response utilizing all available access and identity data (policy and event) to identify anomalies. Event email is sent when unusual activity is detected within a 24-hour period, goes to the employee's manager, and contains an attachment of the Anomalous Activity Report. Goals: provide clear understanding of privileged access; ensure appropriate access is not being misused; target investigations & follow up. This results in a substantial 'false-positive' reduction, as well as an increased business awareness of privileged access.
  • 11. Over 3 billion user IDs and passwords were stolen in 2016. Source: Shape Security
  • 12. Credentials: Criminals use credentials for account takeover. In 2016, data breaches increased by 40%; 51% of consumers suffered some kind of security incident in 2016, including a stolen password or breached account; 3 Billion in one breach (Yahoo 2013); 81% of hacking related breaches leveraged stolen or weak passwords. Sources: 2017 Verizon DBIR Report; Identity Theft Resource Center (ITRC) and CyberScout
  • 13. Credentials: The trouble with passwords... Most people use less than 5 passwords for all accounts; reuse makes them easy to compromise; they are difficult to remember. 50% of those haven't changed their password in the last 5 years; 39% of adults use the same password for many of their online accounts; 25% of adults admit to using less secure passwords, because they are easier to remember. Sources: Pew research; Telesign research
  • 14. Credentials: If I were a criminal... (https://www.youtube.com/watch?v=Z8AbGDOv2dc) I would use Sentry MBA for credential stuffing. I'd take log in credentials and try them on different domains. I'd get a 2% hit, meaning 2% of the credentials I use will give me control of the account. I can get a 4% return by using the domain name in front of the password. 10,000 credentials = 200 or 400 accounts that I own. https://sentry.mba/ Sources: https://krebsonsecurity.com/tag/sentry-mba/ ; https://blog.shapesecurity.com/2016/03/09/a-look-at-sentry-mba/
  • 15. Credentials: It's time for something better. A simpler and more secure experience. Aetna is leading the way in introducing advanced authentication methods into the health care sector. Our consumers no longer need to rely on traditional usernames and passwords when logging into Aetna applications. Authentication, once a single event, is now integrated into the application transparently and continuously. We're adjusting controls and analytic capabilities to create friction for the threat adversaries while reducing friction for our users.
  • 16. Credentials: Continuous risk-based authentication. Continual authentication; risk score calculated without impacting the user experience; 30-60 user attributes assessed; risk score determines how much and what access to provide.
  • 17. Phishing / Credentials: Authentication framework for mobile & web. One framework; multiple authentication tools; change controls without changing applications; across mobile and web; policy-driven authentication model.
  • 18. Model-driven security controls have arrived: Inbound email protection; Continuous behavioral based authentication; Privileged User Monitoring (Access, Activity, Alerts); High risk user protection; Endpoint management using Machine Learning models; Fraud monitoring; Dynamic access provisioning; Voice biometrics for fraud detection.
  • 19. The Models are driving security: Security Controls → Data Aggregation → Data Analysis → Results
  • 20. The Models are driving security: Data Aggregation → Data Analysis → Security Controls
  • 21. Model Inventory (Model/Policy Name: Description; Effects):
      • High Risk user - Departing User Sending self email: Users with future term date in UltiPro sending email to personal email accounts; Workforce
      • Restrict SSN email for High Risk users: Provide a daily list of all users with a risk score over 80 so they are restricted from sending email with SSN data; Workforce
      • Events By Restricted Users: High volumes of privileged activity; Workforce
      • Off hours activities: Unusual evening privileged activity; Workforce
      • Week end login events: Unusual weekend privileged activity; Workforce
      • Unauthorized password changes: Vaulted accounts that have passwords changed by an unauthorized ID; Workforce
      • Self-Privilege Escalation: Admin granting privileges to themselves; Workforce
      • Account Compromise: Multiple Failed Logins / Possible Configuration Issue: Multiple Failed Logins / Possible Configuration Issue; Workforce
      • Unusual amount of password reset events: Unusual amount of password reset events; Workforce
      • Unusual amount of Failed Password changes: Unusual amount of Failed Password changes; Workforce
      • Purging of Audit Logs: A user purges an audit log from a server; Workforce
  • 22. Models to be scheduled (Order. Model/Policy Name: Description; Effects):
      • 1. Register new bank followed by transaction over threshold: If a person changes banking information and performs a financial transaction same day; Consumer
      • 2. Account email address changed followed by password reset request: Account email address changed followed by password reset request; Consumer
      • 3. Financial Activity greater than threshold: Financial Activity greater than threshold; Consumer
      • 4. Brute Force Attack: high number of failed login attempts; Consumer
      • 5. Prevent Vault Checkout for High Risk Users: Require additional verification before allowing a vaulted ID to be checked out by a high risk user; Workforce
      • 6. Geographic Activity without Physical Access: Logical Account activity at Geo location where there is no Physical Account activity; Workforce
      • 7. Physical/Geographic Location Mismatch: Logical Account Geo location not matching Physical Account Geo location; Workforce
      • 8. Accounts Creation and deletion in a day: Accounts created by the admin, used and then deleted in the same day; Workforce
      • 9. Accounts Enable and Disable in a day: Accounts enabled by the admin, used and then disabled in the same day; Workforce
      • 10. Potential Access Misuse Attempt (Wanderer) - Badge: User is getting failed access at multiple access points; Workforce
      • 11. Abnormal Access using Multiple Cards - Badge: Person is using temporary badge and permanent badge in short timeframe; Workforce
      • 12. Rare Badge Access Anomaly: User accesses badge outside his normal historical behavior; Workforce
      • 13. Potential Access Breach Attempt - Badge Stats model: User is getting high number of failed access; Workforce
  • 23. Model Inventory Management
  • 24. What are Models? $e^{x} = 1 + \frac{x}{1!} + \frac{x^{2}}{2!} + \frac{x^{3}}{3!} + \cdots$; $\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^{s}} = \prod_{p} \frac{1}{1 - p^{-s}}$; (neural network diagram: Input, Hidden, Output). Mathematical formulation of observed events.
  • 25. Vendor Analytics Ecosystem: BRO. Various models in production from a variety of vendors.
  • 26. Custom Fraud Analytic Models: HSA Burst Model; FSA Burst Model; HSA Employer Breach; FSA Employer Breach; HSA Individual Fraud; FSA Individual Fraud; Merchant Spike; Cardholder Fraud; Targeted Merchant. Daily Report.
  • 27. Model Data and Workflow: NGA Threat Detection Storage & Analytics; Fraud; Network Events & Security Logs; Dataflow Analytics; Workflow Orchestration; BRO Storage & Analytics. 36 production flows; 6+ Billion events/day. Analytics: Alerts, Playbooks, Auto Bots.
  • 28. Data Scientist meet Security Professional
  • 29. QUESTIONS? routhj@aetna.com https://www.linkedin.com/in/jmrouth/
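Slide 4 quotes NIST SP 800-177 on DMARC letting a sender publish how receivers should treat mail that fails SPF and DKIM. The following is an added example, not code from the deck, from Aetna or from NIST: it parses a DMARC TXT record and applies the RFC 7489 rules for identifier alignment and policy selection to one message's authentication results. The record string, the domain names and the tiny `PUBLIC_SUFFIXES` set standing in for the real Public Suffix List are all constructed assumptions.

```python
"""Added example: evaluate a DMARC policy decision for one message.

Illustrative code written for this page, not Aetna's or any vendor's product.
Follows RFC 7489 identifier-alignment and policy-selection rules, using a
hard-coded suffix list (an assumption) instead of the real Public Suffix List.
"""
from __future__ import annotations

# Assumption: minimal stand-in for the Public Suffix List, enough for the
# constructed sample domains below. Real receivers use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed sample record (not a real published record).
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")


def organizational_domain(domain: str) -> str:
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, filling RFC 7489 defaults."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p=
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same
    organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(record: dict[str, str], from_domain: str,
                      spf_pass_domain: str | None,
                      dkim_pass_domains: list[str]) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    spf_pass_domain: the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domains: d= domains of DKIM signatures that verified.
    """
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, record["aspf"])
    dkim_ok = any(aligned(d, from_domain, record["adkim"])
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    # The record is published at the organizational domain; mail from a
    # subdomain of it is governed by sp= rather than p=.
    org = organizational_domain(from_domain)
    return record["p"] if from_domain.lower() == org else record["sp"]


if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_RECORD)
    # Aligned SPF pass on a bounce subdomain (relaxed aspf): pass.
    print(dmarc_disposition(rec, "example.com", "bounce.example.com", []))
    # DKIM signed by a subdomain under strict adkim, no SPF: reject.
    print(dmarc_disposition(rec, "example.com", None, ["mail.example.com"]))
    # Unauthenticated mail from a subdomain: sp=quarantine applies.
    print(dmarc_disposition(rec, "news.example.com", None, []))
```

The three calls under `__main__` show why receivers gain "more certainty", as the NIST text puts it: a pass requires not just a valid SPF or DKIM result but one whose domain aligns with the visible From domain, and a failure lands on the policy the domain owner published rather than on a receiver's guess.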
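Slides 21 and 22 list the model inventory as one-line rule descriptions (a departing user mailing a personal account, an email-address change followed by a password reset, an account created, used and deleted in a day, a brute-force login burst). To make concrete what such a rule looks like when run over event data, here is an added example written for this page; it is not Aetna's implementation and it does not come from the deck. The event records, the HR term-date table, the 24-hour correlation window, the 10-failure brute-force threshold and the list of webmail domains treated as "personal" are all constructed assumptions.

```python
"""Added example: four rules from the slide 21/22 model inventory run over
constructed events. Illustrative code written for this page, not Aetna's;
window, threshold, personal-domain list and sample events are assumptions."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)          # assumed correlation window
BRUTE_FORCE_THRESHOLD = 10            # assumed failed-login threshold
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed


def departing_user_self_email(events, term_dates):
    """Slide 21: a user with a future term date in HR mails a personal account."""
    alerts = []
    for e in events:
        if e["type"] != "email_sent":
            continue
        term = term_dates.get(e["user"])
        personal = e["to"].split("@")[-1].lower() in PERSONAL_DOMAINS
        if term is not None and term > e["ts"] and personal:
            alerts.append({"rule": "departing_user_self_email",
                           "user": e["user"], "ts": e["ts"]})
    return alerts


def email_change_then_reset(events):
    """Slide 22 #2: address change followed by a password reset request for
    the same account inside the window."""
    changes, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "email_address_changed":
            changes[e["account"]].append(e["ts"])
        elif e["type"] == "password_reset_requested":
            if any(timedelta(0) <= e["ts"] - t <= WINDOW
                   for t in changes[e["account"]]):
                alerts.append({"rule": "email_change_then_reset",
                               "account": e["account"], "ts": e["ts"]})
    return alerts


def create_use_delete_same_day(events):
    """Slide 22 #8: account created by an admin, used, then deleted on the
    same calendar day."""
    by_account = defaultdict(list)
    for e in events:
        if e["type"] in ("account_created", "login", "account_deleted"):
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        for c in (x for x in evs if x["type"] == "account_created"):
            for d in (x for x in evs if x["type"] == "account_deleted"):
                same_day = c["ts"].date() == d["ts"].date() and c["ts"] < d["ts"]
                used = any(x["type"] == "login" and c["ts"] < x["ts"] < d["ts"]
                           for x in evs)
                if same_day and used:
                    alerts.append({"rule": "create_use_delete_same_day",
                                   "account": account, "admin": c["actor"]})
    return alerts


def brute_force(events):
    """Slide 22 #4: failed logins against one account reach the threshold
    inside a sliding window; one alert per account."""
    fails, alerted, alerts = defaultdict(list), set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "login_failed" or e["account"] in alerted:
            continue
        q = fails[e["account"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > WINDOW:   # drop failures outside the window
            q.pop(0)
        if len(q) >= BRUTE_FORCE_THRESHOLD:
            alerted.add(e["account"])
            alerts.append({"rule": "brute_force", "account": e["account"],
                           "failures": len(q), "ts": e["ts"]})
    return alerts


def run_all(events, term_dates):
    return (departing_user_self_email(events, term_dates)
            + email_change_then_reset(events)
            + create_use_delete_same_day(events) + brute_force(events))


# Constructed sample data: one true positive per rule plus benign decoys.
T0 = datetime(2017, 2, 13, 9, 0)
at = lambda h: T0 + timedelta(hours=h)
SAMPLE_TERM_DATES = {"jdoe": datetime(2017, 2, 28)}   # jdoe leaves on the 28th
SAMPLE_EVENTS = [
    {"type": "email_sent", "ts": at(0), "user": "jdoe", "to": "jdoe.home@gmail.com"},
    {"type": "email_sent", "ts": at(0.5), "user": "asmith", "to": "pal@gmail.com"},
    {"type": "email_address_changed", "ts": at(1), "account": "member-1001"},
    {"type": "password_reset_requested", "ts": at(3), "account": "member-1001"},
    {"type": "password_reset_requested", "ts": at(3), "account": "member-2002"},
    {"type": "account_created", "ts": at(2), "account": "svc-temp", "actor": "admin7"},
    {"type": "login", "ts": at(4), "account": "svc-temp"},
    {"type": "account_deleted", "ts": at(6), "account": "svc-temp", "actor": "admin7"},
] + [{"type": "login_failed", "ts": at(5) + timedelta(minutes=i),
      "account": "member-3003"} for i in range(12)]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS, SAMPLE_TERM_DATES):
        print(alert)
```

Each rule is a small function over the same event stream with a tunable window or threshold, which is the shape the deck's "Model/Policy Name, Description, Effects" inventory implies: the description is the predicate, and the Workforce/Consumer effect is the population the predicate is run against. The decoys (a non-departing user mailing Gmail, a reset with no preceding address change) show the rule firing only on the correlated pattern rather than on either event alone.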