Cyber Security Challenges: A Law Enforcement Perspective - PowerPoint PPT Presentation

About This Presentation
Title:

Cyber Security Challenges: A Law Enforcement Perspective

Description:

we face a long-term challenge in cyberspace from foreign ... Post-mortem / lessons learned. Work proactively when we can to identify threat activity ... – PowerPoint PPT presentation

Number of Views:172
Avg rating:3.0/5.0
Slides: 14
Provided by: b54133

Transcript and Presenter's Notes

Title: Cyber Security Challenges: A Law Enforcement Perspective


1
Cyber Security Challenges: A Law Enforcement Perspective
  • CS Jennifer Kolde / jennifer.kolde_at_ic.fbi.gov, San
    Diego FBI National Security Cyber Squad
  • Conference on Innovation Support for National
    Security
  • June 9, 2009

2
The Problem
  • "...we face a long-term challenge in cyberspace
    from foreign intelligence agencies and
    militaries, criminals, and others... losing this
    struggle will wreak serious damage on the
    economic health and national security of the
    United States... we are currently running behind,
    and the ability to operate in cyberspace and to
    defend against the operations of others will be
    crucial for our nation to prosper."
  • Source: Center for Strategic and International
    Studies, Securing Cyberspace for the 44th
    Presidency, December 2008
  • http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf

3
The Potential Loss
  • Survey examined where intellectual property
    originates, where it is stored globally, how it
    is transferred and lost
  • Companies surveyed estimated:
    • They lost a combined $4.6 billion worth of
      intellectual property last year alone
    • They spent approximately $600 million repairing
      damage from data breaches
  • Based on these numbers, McAfee projects that
    companies worldwide lost more than $1 trillion
    last year.
  • Responses from > 800 CIOs worldwide
  • How do you measure national security losses?
  • Source: Purdue CERIAS / McAfee, 01/29/2009
  • http://www.mcafee.com/us/about/press/corporate/2009/20090129_063500_j.html

4
Perspective
  • FBI San Diego
    • National Security Cyber Squad
    • Cyber counterterrorism / cyber counterintelligence
    • Technical analysis support to case agents
  • Prior experience defending Navy networks
  • We deal primarily with victim companies
    • Compromise / data loss has already occurred
    • Post-mortem / lessons learned
    • Work proactively when we can to identify threat
      activity

5
How Security Works
  • (Diagram) Effective Security depends on three
    factors together: Right Personnel, Right Tools,
    Sufficient Time

6
Personnel / Time Tradeoffs
  • Security products have become increasingly
    complex
  • Problematic with unskilled or less-skilled
    personnel and / or lack of sufficient time
    dedicated to security tasks
  • For personnel: outsource the smart person to
    the vendor (built-in in-depth analysis,
    vendor-provided templates)
  • For time: increased efficiency, simpler user
    interface, ease of customization, plenty of
    canned reports

7
Where Can We Intervene?
  • Initial Compromise
    • Host (AV, firewall, HIDS / HIPS, host / device
      logs)
    • Network (IDS / IPS)
    • Application (logs)
  • Ongoing Intrusion
    • Host (as above)
    • Network (internal IDS / IPS, netflow data)
    • Application (logs)
  • Backchannel / Outbound Communications
    • Network (IDS / IPS, analysis of outbound traffic,
      network logs e.g., DNS)
  • Combination of the above
    • SIM / SIEM

8
Where Tools Fail
  • Signature-based
    • Most effective, but always retroactive
    • Relatively easy to defeat
    • Known good / known bad are hard to define
    • Best bet: simplify the ability for users to add
      custom signatures
  • Heuristic
    • Moderately effective
    • Risk of false positives
    • Who reviews / deconflicts?

9
Where Tools Fail
  • Anomaly Detection
    • Less effective
    • Hard to train (relies on a well-defined set of
      normal behavior)
    • Assumes bad traffic will not look normal
  • Statistical Analysis
    • Moderately effective
    • Limited use
    • Often limited to canned reports (Top 10)

10
Improvements for Tools
  • What is the new model for antivirus?
    • Alert on file characteristics?
    • Automatic unpacking?
    • Sandbox execution?
    • Memory monitoring / protection?
  • Simplify the ability to add signatures once
    identified
  • Incorporate WHOIS lookup into detection /
    protection

11
Improvements for Tools
  • Write signatures for anomalies
    • Non-RFC protocols
  • Incorporate better reporting and analysis
    • Improved statistics
    • Anomaly detection per host / device
      • Changes / differences since last report:
        DNS lookups, traffic volume, destination IPs
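As an added example (not from the presentation), the per-host "changes since last report" idea above sketched in Python: each host's DNS names, destination IPs and traffic volume from the current period are compared against the previous period, and the host is flagged when something new appears or volume jumps. The record format, the sample records and the volume threshold are constructed for this example.

```python
# Per-host "changes since last report" check; constructed sample data, hypothetical record format.
from collections import defaultdict

# Constructed sample records: (host, kind, value, bytes), kind is "dns" (value = name)
# or "flow" (value = destination IP). Bytes are only meaningful for flows.
LAST_PERIOD = [
    ("ws-101", "dns", "mail.example.com", 0),
    ("ws-101", "flow", "203.0.113.10", 40_000),
    ("ws-101", "flow", "203.0.113.11", 55_000),
    ("ws-102", "dns", "mail.example.com", 0),
    ("ws-102", "flow", "203.0.113.10", 30_000),
]
THIS_PERIOD = [
    ("ws-101", "dns", "mail.example.com", 0),
    ("ws-101", "dns", "update-cdn.example.net", 0),   # name not seen last period
    ("ws-101", "flow", "203.0.113.10", 42_000),
    ("ws-101", "flow", "198.51.100.7", 900_000),      # new destination, large volume
    ("ws-102", "dns", "mail.example.com", 0),
    ("ws-102", "flow", "203.0.113.10", 31_000),
]

def profile(records):
    """Summarise one reporting period per host: DNS names, destination IPs, total bytes."""
    hosts = defaultdict(lambda: {"dns": set(), "dst": set(), "bytes": 0})
    for host, kind, value, nbytes in records:
        p = hosts[host]
        if kind == "dns":
            p["dns"].add(value)
        else:
            p["dst"].add(value)
            p["bytes"] += nbytes
    return hosts

def diff_since_last(last, current, volume_ratio=3.0):
    """Per host: names and destinations first seen this period, and the volume change
    versus last period (None when the host has no baseline). Flag on any of these."""
    prev, cur = profile(last), profile(current)
    report = {}
    for host, p in cur.items():
        base = prev.get(host, {"dns": set(), "dst": set(), "bytes": 0})
        findings = {
            "new_dns": sorted(p["dns"] - base["dns"]),
            "new_dst": sorted(p["dst"] - base["dst"]),
            "volume_ratio": round(p["bytes"] / base["bytes"], 2) if base["bytes"] else None,
        }
        findings["flag"] = bool(findings["new_dns"] or findings["new_dst"]
                                or (findings["volume_ratio"] or 0) >= volume_ratio)
        report[host] = findings
    return report
```

With the sample data, ws-101 is flagged for one new DNS name, one new destination IP and a roughly tenfold volume increase, while ws-102 shows no change.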

12
Key Features (Wish List)
  • Improve existing tools (reduce noise to focus
    on the really important stuff)
  • Incorporate novel detection methods
  • Improve existing detection methods
    • Canned templates for common apps / protocols
    • Statistical analysis / reporting
  • Tools based on real world incident data
    • Instead of (or in addition to) compliance with
      an arbitrary list
  • Simplify tool customization
    • Simplify all aspects of the tool lifecycle for less
      experienced or time-pressed staff

13
Questions?