S4 ICS Security Conference 2015
Accelerating OT Cyber Security - Case Study
Craig Heilmann, CISSP, CRISC
Global Lead, Critical Infrastructure Security Services
IBM Security Services
January 2015
Sticky Bombs
Takeaway
Note to S4 slide reviewers: The reference is an attention-getter. Saving Private Ryan sticky bombs. This will carve a
takeaway into memory. “If you remember only one thing from this session, remember sticky bombs.” Explosives +
socks, coated with grease. A blunt response, but when used at the right time was effective against a high tech,
sophisticated attack. This is the theme really of the entire session … using our IT and OT capabilities we have today,
low tech and high tech, in rapid and effective ways to counter the high volume of persistent and sophisticated attacks
… and a case study to show how it is done.
Regardless of industry, the shift in security paradigm needed to
“fight the fight” today boils down to fundamental themes:
Security Requirements
Capability
•  All about visibility and control
•  More about process than technology
•  Objective to disrupt the attack chain (not to be 100% breach-free)
Capacity
•  More leverage for skilled resources
•  Greater reach and scalability
•  Working smarter not harder
Acceleration
•  Reducing the time to detect
•  Reducing the time to respond, contain and recover
•  Reducing the time, effort or cost to transform
Through this lens, let’s look at a recent and typical case study:
Case Study: Introduction
Client
•  Multi-billion dollar manufacturer with global operations
•  Long history of acquisitions leading to fairly autonomous business units
•  Highly automated via extensive industrial control systems on the plant floor
•  Considered critical infrastructure due to strategic nature of products and processes
Capability
•  No SOC, heavily reliant on static perimeter defenses (firewall, IDS, …)
•  Just beginning to deploy IT security and event monitoring (SIEM)
•  Disconnected from OT (as well as telecom and physical)
•  Ad hoc incident response and no IR Plan (heroic efforts of a few)
Capacity
•  Few security resources; sharp troops but bogged down in daily manual tasks
•  Limited security budget (historically 1~2% IT spend)
•  No strategic partners (various local small players depending on geography)
Acceleration
•  Desire to mature and transform but not clear where to begin
•  Pressure from Board to show “results” quickly
The client in this case study created a vision behind a 5-year plan
that would transform and modernize their security organization.
Case Study: Future State
| Area | Old Paradigm | New Paradigm |
| Security Model | Based on Defense in Depth | Based on Rapid Detection + Rapid Response |
| Security Operations | Steady State and Reactive | Elastic and Agile |
| Governance, Risk & Compliance | IT and Compliance Focused | Enterprise Risk Management |
| Functional Domains | IT, OT, Telecom, Physical Silos | Converged |
| Security Analysis | Manual and Fragmented | Analytics and Intelligence |
Great vision, but the constraints seemed likely to stall out the plan
before it even got started.
Case Study: Constraints
§  Very limited budget
§  Culture resistant to security controls
§  Must show impact and results quickly
§  Only a small increase in headcount approved
§  Fighting tight market for security skills (unable to fill open reqs)
§  Directive to accelerate improvements in OT security
§  Pressure to pull forward much of the 5-year plan into a 3-year plan
The solution was to develop an incremental plan, beginning with a
focus on operations where the most impact could be achieved with
the least amount of upfront spend:
Case Study: Solution Step One
Capability
•  Inventory existing technologies and processes and optimize against attack chain
•  Deploy one new technology (password vaulting) to enable rapid password changes
•  Leverage NOC in short term with plan to outsource SOC long-term
•  More SIEM logging and extend into OT environments (and protocols)
•  Select global strategic partner for IR; co-develop IR plan
Capacity
•  Dedicate strongest security resources to strategy, policy and oversight
•  Retool and cross-train where possible; staff aug and outsource others
•  Invest in external security intelligence and early warning providers
•  Managed device administration with long-term transition to MSS
Acceleration
•  Culture change management via governance restructuring, training and communication program
•  Optimize technology and processes to detect faster and respond faster (and more effectively)
•  Analytics and automation in the area of SIEM (correlation and behavioral analysis)
This new “Elastic and Agile” operating model looks like a
stair-stepped response plan, throwing “big levers” that involve processes,
operations and technology.
Case Study: New Security Operating Model
More than incident response and threat management, this approach
moves much bigger security levers designed to more substantially
disrupt, frustrate or stop modern attacks.
Case Study: New Security Operating Model
WHY – because most attacks need credentials
§  Identity and valid user credentials are crucial to most attacks.
§  Changing passwords is one of the top three remediation activities during and
after a breach, and often a wise precautionary activity to preclude an attack.
WHAT – all passwords for all accounts, everything
§  All passwords; users, administrators and service accounts in IT and OT
§  For many organizations this can be 100,000+ accounts.
§  Service accounts because attackers love them; ideally several of them that
have domain privileges and are hard-coded into custom critical business
applications.
HOW – in one 36-hour event
§  Must be done in one swift blow, typically over a weekend within a 36-hour
period
§  It takes most medium to large organizations 3 to 4 months to prepare for, plan
and finally execute this task.
§  A lot of house cleaning in Active Directory must occur. A lot of custom code
and even some vendor proprietary code must change to remove hard-coded
service account names and passwords.
§  Users must be notified. Business application owners and partners and
vendors are impacted.
§  And then the actual event, scheduling downtime and bringing down the entire
environment, changing passwords, and bringing it all back up – similar to a
DR exercise.
New Approach – turn a weakness into strength
§  Don’t wait for a breach that causes you to coexist with an attacker for 3-4
months.
§  Do the house cleaning today.
§  Work with the business to clean up the application portfolio today.
§  Develop a procedure for an enterprise-wide password change.
§  Understand what criteria might trigger this response.
§  Train the business and train the users.
BENEFIT – disrupt and stop attacks in their tracks
§  Attackers are counting on your inability to respond in this fashion.
§  Creating levels of lockdown that package this capability with others like more
restrictive physical security access control, throttling the number of SOC
analysts’ “eyes-on-glass”, throttling the sensitivity of what constitutes
“suspicious” activity and so on disrupts and stops attacks.
§  By “operationalizing” these kinds of capabilities, you are involving the
business from the beginning; working out issues with validated systems, legal,
compliance, change control and a myriad of other related issues and
concerns well ahead of a crisis.
§  Everyone understands their part, understands the impact to them, and
understands the criteria that dictate the response.
§  Security becomes the responsibility of everyone, not just the security
organization.
Example: Consider an enterprise-wide password change …
As designed, the new operating model is more of a program with a
framework and lifecycle, enabling continuous adaptability and
maturation.
Case Study: New Security Operating Model
Lifecycle along the timeline (diagram): Initial Program Setup; Security Model; Gap Record; Test Results; Program Refresh; Security Model; Gap Record; Test Results; . . .
Initial Program Setup (Levels 0-2)
•  Treat as POC
•  Use existing inventory
•  No net-new deployments
•  Focus on optimization
•  Focus on change and education
Might only have two alert levels at first – that’s okay … and MANY gaps identified, programmed for future mitigation
Program Refresh (Levels 0-3)
•  Deploy some new tech
•  Fill high priority gaps
•  Fix high-priority test findings
•  Implement budgeted and planned changes
•  Adapt model with new attack scenarios
More maturity, capability and flexibility may warrant more alert levels over time … but gaps should reduce, ideally to zero backlog
A collateral benefit of the approach enabled a quantifiable and more
predictable method for cost modeling and budget allocations,
rationalizing spend and pulling investments forward.
Case Study: Cost Modeling
Steady State / Level-Zero Cost
Level-Dependent Variable Cost
Operating Budget = Level Zero “annual cost of business as usual”
+ (# of Level 1 events) x (Level 1 run rate) x (average duration)
+ (# of Level 2 events) x (Level 2 run rate) x (average duration)
+ (# of Level 3 events) x (Level 3 run rate) x (average duration)
+ (# of Level 4 events) x (Level 4 run rate) x (average duration)
A post-deployment analysis identified several additional benefits of
the approach:
Case Study: Additional Benefits
§  More confidence at executive levels in ability to defend against attacks
§  Highly visible to the Board, the business and users
§  Security training more relevant and taken more seriously
§  Tighter integration between IR, DR, Safety, and other response plans
§  Clarification of security governance and responsibilities
Question and Answer
Q&A
Capability
Capacity
Acceleration
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
Enumerating software security design flaws throughout the ssdlc cosac - 201...
Enumerating software security design flaws throughout the ssdlc   cosac - 201...Enumerating software security design flaws throughout the ssdlc   cosac - 201...
Enumerating software security design flaws throughout the ssdlc cosac - 201...
 
Enumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLCEnumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLC
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
Security Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif GhauriSecurity Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif Ghauri
 
Ccie security 01
Ccie security 01Ccie security 01
Ccie security 01
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 

More from Digital Bond

The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security ProductsDigital Bond
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)Digital Bond
 
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Digital Bond
 
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Digital Bond
 
Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Digital Bond
 
Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Digital Bond
 
S4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItS4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItDigital Bond
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisDigital Bond
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack VectorDigital Bond
 
PLC Code Protection
PLC Code ProtectionPLC Code Protection
PLC Code ProtectionDigital Bond
 

More from Digital Bond (10)

The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security Products
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)
 
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
 
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
 
Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)
 
Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)
 
S4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItS4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze It
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability Analysis
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack Vector
 
PLC Code Protection
PLC Code ProtectionPLC Code Protection
PLC Code Protection
 

Accelerating OT - A Case Study

  • 1. S4 ICS Security Conference 2015 Accelerating OT Cyber Security - Case Study Craig Heilmann, CISSP, CRISC Global Lead, Critical Infrastructure Security Services IBM Security Services January 2015
  • 2. Takeaway: Sticky Bombs
    Note to S4 slide reviewers: The reference is an attention-getter. Saving Private Ryan sticky bombs. This will carve a takeaway into memory. “If you remember only one thing from this session, remember sticky bombs.” Explosives + socks, coated with grease. A blunt response, but one that, when used at the right time, was effective against a high-tech, sophisticated attack. This is really the theme of the entire session … using the IT and OT capabilities we have today, low tech and high tech, in rapid and effective ways to counter the high volume of persistent and sophisticated attacks … and a case study to show how it is done.
  • 3. Security Requirements. Regardless of industry, the shift in security paradigm needed to “fight the fight” today boils down to fundamental themes:
    Capability
      •  All about visibility and control
      •  More about process than technology
      •  Objective to disrupt the attack chain (not to be 100% breach-free)
    Capacity
      •  More leverage for skilled resources
      •  Greater reach and scalability
      •  Working smarter not harder
    Acceleration
      •  Reducing the time to detect
      •  Reducing the time to respond, contain and recover
      •  Reducing the time, effort or cost to transform
  • 4. Case Study: Introduction. Through this lens, let’s look at a recent and typical case study:
    Client
      •  Multi-billion dollar manufacturer with global operations
      •  Long history of acquisitions leading to fairly autonomous business units
      •  Highly automated via extensive industrial control systems on the plant floor
      •  Considered critical infrastructure due to strategic nature of products and processes
    Capability
      •  No SOC, heavily reliant on static perimeter defenses (firewall, IDS, …)
      •  Just beginning to deploy IT security and event monitoring (SIEM)
      •  Disconnected from OT (as well as telecom and physical)
      •  Ad hoc incident response and no IR Plan (heroic efforts of a few)
    Capacity
      •  Few security resources; sharp troops but bogged down in daily manual tasks
      •  Limited security budget (historically 1~2% IT spend)
      •  No strategic partners (various local small players depending on geography)
    Acceleration
      •  Desire to mature and transform but not clear where to begin
      •  Pressure from Board to show “results” quickly
  • 5. Case Study: Future State. The client in this case study created a vision behind a 5 year plan that would transform and modernize their security organization.
    Old Paradigm → New Paradigm
      •  Security Model: based on Defense in Depth → based on Rapid Detection + Rapid Response
      •  Security Operations: Steady State and Reactive → Elastic and Agile
      •  Governance, Risk & Compliance: IT and Compliance Focused → Enterprise Risk Management
      •  Functional Domains: IT, OT, Telecom, Physical Silos → Converged
      •  Security Analysis: Manual and Fragmented → Analytics and Intelligence
  • 6. Case Study: Constraints. Great vision, but the constraints seemed likely to stall out the plan before it even got started.
      §  Very limited budget
      §  Culture resistant to security controls
      §  Must show impact and results quickly
      §  Only a small increase in headcount approved
      §  Fighting tight market for security skills (unable to fill open reqs)
      §  Directive to accelerate improvements in OT security
      §  Pressure to pull forward much of the 5 year plan into a 3 year plan
  • 7. Case Study: Solution Step One. The solution was to develop an incremental plan, beginning with a focus on operations where the most impact could be achieved with the least amount of upfront spend:
    Capability
      •  Inventory existing technologies and processes and optimize against attack chain
      •  Deploy one new technology (password vaulting) to enable rapid password changes
      •  Leverage NOC in short term with plan to outsource SOC long-term
      •  More SIEM logging and extend into OT environments (and protocols)
      •  Select global strategic partner for IR; co-develop IR plan
    Capacity
      •  Dedicate strongest security resources to strategy, policy and oversight
      •  Retool and cross-train where possible; staff aug and outsource others
      •  Invest in external security intelligence and early warning providers
      •  Managed device administration with long-term transition to MSS
    Acceleration
      •  Culture change management via governance restructuring, training and communication program
      •  Optimize technology and processes to detect faster and respond faster (and more effectively)
      •  Analytics and automation in the area of SIEM (correlation and behavioral analysis)
  • 8. Case Study: New Security Operating Model. This new “Elastic and Agile” operating model looks like a stair-stepped response plan, throwing “big levers” that involve processes, operations and technology.
  • 9. Case Study: New Security Operating Model. More than incident response and threat management, this approach moves much bigger security levers designed to more substantially disrupt, frustrate or stop modern attacks.
    Example: Consider an enterprise-wide password change …
    WHY – because most attacks need credentials
      §  Identity and valid user credentials are crucial to most attacks.
      §  Changing passwords is one of the top three remediation activities during and after a breach, and often a wise precautionary activity to preclude an attack.
    WHAT – all passwords for all accounts, everything
      §  All passwords; users, administrators and service accounts in IT and OT
      §  For many organizations this can be 100,000+ accounts.
      §  Service accounts because attackers love them; ideally several of them that have domain privileges and are hard-coded into custom critical business applications.
    HOW – in one 36 hour event
      §  Must be done in one swift blow, typically over a weekend within a 36 hour period
      §  It takes most medium to large organizations 3 to 4 months to prepare for, plan and finally execute this task.
      §  A lot of house cleaning in Active Directory must occur. A lot of custom code and even some vendor proprietary code must change to remove hard-coded service account names and passwords.
      §  Users must be notified. Business application owners and partners and vendors are impacted.
      §  And then the actual event, scheduling downtime and bringing down the entire environment, changing passwords, and bringing it all back up – similar to a DR exercise.
    New Approach – turn a weakness into strength
      §  Don’t wait for a breach that causes you to coexist with an attacker for 3-4 months.
      §  Do the house cleaning today.
      §  Work with the business to clean up the application portfolio today.
      §  Develop a procedure for an enterprise-wide password change.
      §  Understand what criteria might trigger this response.
      §  Train the business and train the users.
    BENEFIT – disrupt and stop attacks in their tracks
      §  Attackers are counting on your inability to respond in this fashion.
      §  Creating levels of lockdown that package this capability with others, like more restrictive physical security access control, throttling the number of SOC analysts’ “eyes-on-glass”, throttling the sensitivity of what constitutes “suspicious” activity and so on, disrupts and stops attacks.
      §  By “operationalizing” these kinds of capabilities, you are involving the business from the beginning; working out issues with validated systems, legal, compliance, change control and a myriad of other related issues and concerns well ahead of a crisis.
      §  Everyone understands their part, understands the impact to them, and understands the criteria that dictate the response.
      §  Security becomes the responsibility of everyone, not just the security organization.
  • 10. Case Study: New Security Operating Model. As designed, the new operating model is more of a program with a framework and lifecycle, enabling continuous adaptability and maturation.
    [Figure: program lifecycle along a timeline]
    Initial Program Setup (Security Model, Gap Record, Test Results) – Levels 0-2
      •  Treat as POC
      •  Use existing inventory
      •  No net-new deployments
      •  Focus on optimization
      •  Focus on change and education
      Might only have two alert levels at first – that’s okay … and MANY gaps identified, programmed for future mitigation
    Program Refresh (Security Model, Gap Record, Test Results) . . . – Levels 0-3
      •  Deploy some new tech
      •  Fill high priority gaps
      •  Fix high-priority test findings
      •  Implement budgeted and planned changes
      •  Adapt model with new attack scenarios
      More maturity, capability and flexibility may warrant more alert levels over time … but gaps should reduce, ideally to zero backlog
  • 11. Case Study: Cost Modeling. A collateral benefit of the approach was a quantifiable and more predictable method for cost modeling and budget allocations, rationalizing spend and pulling investments forward.
    Operating Budget =
        Level Zero “annual cost of business as usual”                        (Steady State / Level-Zero Cost)
      + (# of Level 1 events) x (Level 1 run rate) x (average duration)      (Level-Dependent Variable Cost)
      + (# of Level 2 events) x (Level 2 run rate) x (average duration)
      + (# of Level 3 events) x (Level 3 run rate) x (average duration)
      + (# of Level 4 events) x (Level 4 run rate) x (average duration)
  • 12. Case Study: Additional Benefits. A post-deployment analysis identified several additional benefits of the approach:
      §  More confidence at executive levels in ability to defend against attacks
      §  Highly visible to the Board, the business and users
      §  Security training more relevant and taken more seriously
      §  Tighter integration between IR, DR, Safety, and other response plans
      §  Clarification of security governance and responsibilities
  • 13. Question and Answer (Q&A): Capability, Capacity, Acceleration
  • 14. www.ibm.com/security © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
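Added example, not part of the original deck: slide 9 says custom code must change to remove hard-coded service account names and passwords before the 36 hour event, and that preparation starts with knowing where they are. This Python check takes a service account inventory, finds every reference in application files, and separates references that sit next to a literal password (the code must change before rotation) from references that only name the account. The account names, file paths, file contents and function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory, standing in for an export of service accounts.
SERVICE_ACCOUNTS = ["svc_historian", "svc_mes_batch", "svc_backup"]

# Constructed file contents keyed by path, so the example runs offline.
SAMPLE_FILES = {
    "mes/app.config": '<add key="User" value="PLANT\\svc_mes_batch"/>\n'
                      '<add key="Password" value="Spring2014!"/>\n',
    "historian/collector.ini": "user = svc_historian\n"
                               "password = ${VAULT:historian}\n",
    "reports/db.py": 'CONN = "Server=hist01;User Id=svc_historian;Password=Hist0rian#1;"\n',
    "scripts/nightly.sh": "# runs as svc_backup via scheduled task\n"
                          "run_backup --target /srv/backup\n",
}

# A password key followed by an assignment; group 1 is the assigned value.
ASSIGN = re.compile(
    r"""(?i)\b(?:password|passwd|pwd)\b["']?\s*(?:[:=]|value\s*=)\s*["']?([^"'\s;/>]*)"""
)
# Values resolved at run time (vault or environment references) or left empty.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|%.*%|\{\{.*\}\}|)$")
WINDOW = 2  # lines either side of an account reference to search


def literal_password_lines(lines):
    """Return 0-based indexes of lines that assign a literal password."""
    hits = set()
    for i, line in enumerate(lines):
        m = ASSIGN.search(line)
        if m and not PLACEHOLDER.match(m.group(1)):
            hits.add(i)
    return hits


def scan(files, accounts):
    """Map each account to (path, line_no, status) findings."""
    findings = defaultdict(list)
    for path, text in files.items():
        lines = text.splitlines()
        literals = literal_password_lines(lines)
        for acct in accounts:
            # Match the whole account name, not a longer name containing it.
            pat = re.compile(r"(?<!\w)" + re.escape(acct) + r"(?!\w)", re.I)
            for i, line in enumerate(lines):
                if pat.search(line):
                    near = any(abs(i - j) <= WINDOW for j in literals)
                    status = "blocking" if near else "review"
                    findings[acct].append((path, i + 1, status))
    return findings


def readiness_report(files, accounts):
    """Per account: references that block rotation and references to review."""
    findings = scan(files, accounts)
    return {
        acct: {
            "blocking": [(p, n) for p, n, s in findings[acct] if s == "blocking"],
            "review": [(p, n) for p, n, s in findings[acct] if s == "review"],
        }
        for acct in accounts
    }


def rotation_blockers(report):
    """Accounts whose password cannot be changed until code is fixed."""
    return sorted(a for a, r in report.items() if r["blocking"])


if __name__ == "__main__":
    report = readiness_report(SAMPLE_FILES, SERVICE_ACCOUNTS)
    for acct, result in report.items():
        print(acct, result)
    print("fix before the event:", rotation_blockers(report))
```

A "review" finding still needs an owner to confirm where the credential comes from; the check only proves that no literal password sits within the search window.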