C4I cyber security by Eric Eifert - Keynote 9.pptx
- 1. Keynote 9: Cyber Security in Emerging C4I Systems: Deployment and Implementation Perspectives
By Eric J. Eifert, Sr. VP of DarkMatter’s Managed Security Services
- 3. My Background
• 20+ years of experience in cyber security
– Special Agent investigating cyber crime and computer intrusions
– Programme Manager for large U.S. Cyber Security Operations Centres
– Executive running a cyber security line of business (US$125+M)
– Adjunct professor teaching graduate cyber investigations
– Relocated to the UAE for DarkMatter
- 4. Who are the Threat Actors
• World Trade / Globalisation Activists
• Environmental Groups
• Regional Political Activism
• Non-State Sponsored Terrorism
• Organised Crime
• Nation States / Governments
• Insider Threats
• Information Hacktivists
• General Attacker Threats
• Illegal Information Brokers and Freelance Agents
• Trusted 3rd Parties
• Corporate Intelligence Investigation Companies
• Competitors, Contractors, Corporations
• Untrained Personnel
- 5. What are the cyber risks
• Theft of sensitive and valuable information
• Manipulation of mission-critical data
• Disruption to operations
• Impact to successful execution of mission priorities
• Destruction of C4I systems via non-kinetic attacks
- 6. Knowledge is power
• C4I systems are complex and targets of sophisticated cyber attacks
• What type of information are adversaries looking for?
– C4I capabilities
– Operational information
– Vulnerabilities
– Plans and strategy
– Research and development
- 7. Well-orchestrated cyber attack against the Ukrainian power grid
• 23 Dec 2015: “Prykarpattyaoblenergo” reported disruption of power supply because of an “accident”
• Ukrainian CERT reported 8 different power companies across 8 different regions were affected by cyber attacks
• One affected company linked the attack to a subnetwork belonging to an ISP operated in Russia
- 9. C4I Systems
• Deployable C4I capabilities
• Mission-critical systems
• Long-haul communications
• Mission impact
• Lessons learned
- 10. Assessing the risk
• Understand your assets
– Sensors
– Communications
– Network environment
– Data storage
– Analytics
• Understand the threats
– Which threat actors are targeting you and why
– Know their capabilities
• Understand your vulnerabilities
– People, process, and technology
- 11. Assessing the risk
• Identify standards to measure yourself against
• Leverage guidance from your country and others
– International Organisation for Standardisation (ISO)
– US National Institute of Standards and Technology (NIST)
– Industry-specific documentation
- 12. Assessing the risk
• What to assess?
– Risk Management
– Asset, Change, and Configuration Management
– Identity and Access Management
– Threat and Vulnerability Management
– Situational Awareness
– Information Sharing and Communication
– Event and Incident Response, Continuity of Operations (COOP)
– Supply Chain and External Dependencies
– Workforce Management
– Cybersecurity Program Management
Figure: NIST’s model of security information and decision flows within an organization (Source: NIST Preliminary Cybersecurity Framework, page 9)
- 13. Mitigating the risk
At the most basic level it is having true visibility across your own environment:
– Knowing what is on your network
– Knowing how your network is configured
– Knowing who is on your network
At an intermediate level it is understanding external influences and their relevance to your environment.
At an advanced level it is the integration of all this information to allow continuous monitoring and rapid decision making.
Maturity pillars: Visibility, Intelligence, Integration
- 14. Why Visibility
Visibility type: Rationale
Hardware: Knowing what hardware is in the environment, and when new hardware is introduced, lets you confirm that each device is authorised and conforms to your secure baseline.
Software: Software vulnerabilities, bugs and security updates are common. Knowing whether you are vulnerable, and rapidly resolving that state, is critical.
Configuration: Maintaining a secure configuration baseline prevents unauthorised access and the subversion of defences.
Identity and Access: Confirming the identity of authorised users, and ensuring they have access only to the resources and data sources appropriate to them.
Data: Knowing which data within your organisation is sensitive lets you focus your resources on what matters most.
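The basic-level questions of slides 13 and 14 (what hardware and software is on the network, how it is configured, who is on it) reduce to comparing an observed snapshot against an authorised baseline. The following is an added example written for this page, not code from the original deck or from DarkMatter: every MAC address, asset tag, setting, account and advisory in it is constructed, and the snapshot layout is an assumed shape rather than any product's export format.

```python
"""Baseline visibility checks over a constructed inventory snapshot.

Added example: the four questions of slides 13 and 14 (what hardware and software
is on the network, how it is configured, who is on it) expressed as checks against
an authorised baseline. Every value below is constructed for illustration; the
snapshot layout is an assumption, not any product's export format.
"""

# Constructed secure baseline: what the organisation has authorised.
AUTHORISED_HARDWARE = {            # MAC address -> asset tag
    "00:1a:2b:3c:4d:01": "C4I-SRV-01",
    "00:1a:2b:3c:4d:02": "C4I-WS-07",
    "00:1a:2b:3c:4d:03": "C4I-RADIO-GW",
}
SECURE_CONFIG = {                  # setting -> required value
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "audit.enabled": "yes",
    "ntp.server": "ntp.c4i.example",
}
AUTHORISED_USERS = {"ops_alice", "ops_bob", "svc_backup"}
# Hypothetical advisories (constructed, not real CVEs): package -> first fixed version.
ADVISORIES = {"openssl": "1.1.1w", "sshd": "9.6"}

# Constructed snapshot, as an agent or a DHCP/ARP feed might report it.
SNAPSHOT = {"hosts": [
    {"mac": "00:1a:2b:3c:4d:01",
     "software": {"openssl": "1.1.1w", "sshd": "9.6"},
     "config": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
                "audit.enabled": "yes", "ntp.server": "ntp.c4i.example"},
     "logins": ["ops_alice"]},
    {"mac": "00:1a:2b:3c:4d:02",
     "software": {"openssl": "1.1.1k", "sshd": "9.6"},
     "config": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
                "audit.enabled": "yes", "ntp.server": "ntp.c4i.example"},
     "logins": ["ops_bob", "tmpadmin"]},
    # A device nobody registered: no agent data, only its MAC was seen.
    {"mac": "00:1a:2b:3c:4d:99", "software": {}, "config": {}, "logins": []},
]}


def version_tuple(version):
    """Split '1.1.1k' into ((1,''),(1,''),(1,'k')) so versions compare in order."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


def unauthorised_hardware(snapshot, authorised=AUTHORISED_HARDWARE):
    """Hardware: MACs seen on the network that are not in the authorised list."""
    return sorted(h["mac"] for h in snapshot["hosts"] if h["mac"] not in authorised)


def vulnerable_software(snapshot, advisories=ADVISORIES):
    """Software: (asset, package, installed, fixed) where installed is older than fixed."""
    findings = []
    for host in snapshot["hosts"]:
        asset = AUTHORISED_HARDWARE.get(host["mac"], host["mac"])
        for pkg, installed in host["software"].items():
            fixed = advisories.get(pkg)
            if fixed and version_tuple(installed) < version_tuple(fixed):
                findings.append((asset, pkg, installed, fixed))
    return findings


def config_drift(snapshot, baseline=SECURE_CONFIG):
    """Configuration: per authorised asset, settings that differ from the baseline."""
    drift = {}
    for host in snapshot["hosts"]:
        if host["mac"] not in AUTHORISED_HARDWARE:
            continue                      # unknown devices are already flagged above
        wrong = {key: host["config"].get(key, "<missing>")
                 for key, want in baseline.items() if host["config"].get(key) != want}
        if wrong:
            drift[AUTHORISED_HARDWARE[host["mac"]]] = wrong
    return drift


def unknown_accounts(snapshot, authorised=AUTHORISED_USERS):
    """Identity: accounts that logged in but are not known to identity management."""
    seen = {user for host in snapshot["hosts"] for user in host["logins"]}
    return sorted(seen - authorised)


def visibility_report(snapshot=SNAPSHOT):
    """Run all four checks and return the findings keyed by visibility type."""
    return {
        "unauthorised_hardware": unauthorised_hardware(snapshot),
        "vulnerable_software": vulnerable_software(snapshot),
        "config_drift": config_drift(snapshot),
        "unknown_accounts": unknown_accounts(snapshot),
    }


if __name__ == "__main__":
    for section, findings in visibility_report().items():
        print(f"{section}: {findings}")
```

On the constructed snapshot the report flags one unregistered MAC, one workstation running an OpenSSL build older than the advisory's fixed version, one workstation allowing SSH password authentication against the baseline, and one account (`tmpadmin`) that identity management does not know about. The same four loops work unchanged on a real feed once the collector fills in the same fields.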
- 15. Why Intelligence
Intelligence type: Rationale
Vulnerabilities: Understanding which vulnerabilities exist in your environment, and learning promptly when new ones are disclosed, allows rapid remediation.
Threat Actors: Understanding the types of adversaries targeting you and their motivation helps focus resources and security investment.
Adversarial Capabilities: Up-to-date knowledge of the specific tactics, techniques, procedures and technologies an adversary uses allows better detection.
Government: Government agencies hold rich threat intelligence that can be leveraged for better insight into the threat landscape.
Industry: Industry peer groups provide insight into sector-specific cyber threats and share lessons learned that improve your security posture.
- 16. Why Integration
Integration type: Rationale
Diverse Technology: Proper integration of diverse technologies reduces the chance of introducing security weaknesses at the seams between them.
Legacy Technology: Legacy applications running on insecure hardware and software must be identified and mitigated by other means (isolation, monitoring, compensating controls).
Logs and Diagnostics: Diverse log and diagnostic formats make it difficult to use their content for decision making until they are normalised into a common schema.
Visualization: Aggregating information into a dashboard for decision makers helps prioritise and speed up the decision-making process.
Automation: Acting at machine speed to mitigate issues shortens the window in which an event can cause harm.
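The "Logs and Diagnostics" row above is the integration problem most teams hit first: three sensors describing the same intrusion in three formats cannot be correlated until they share a schema. The following is an added example written for this page, not code from the original deck or from DarkMatter. It parses a classic sshd syslog line, a JSON firewall record and a CSV identity-provider export into one event shape and runs a single correlation rule over the merged stream. The sample lines, field names, sensor names and the year supplied for the syslog timestamps are all constructed assumptions.

```python
"""Normalising diverse log formats into one schema and correlating across them.

Added example for the "Logs and Diagnostics" row above. Three constructed
sources, a classic syslog sshd line, a JSON firewall record and a CSV export
from an identity provider, are parsed into one event shape and then one
correlation rule is run over the merged stream. Field names, the sample
lines and the year assumed for syslog timestamps are all illustrative.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOGS = [
    "Dec 23 14:02:11 c4i-gw sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "Dec 23 14:02:15 c4i-gw sshd[4121]: Failed password for root from 198.51.100.7 port 51030 ssh2",
    '{"ts":"2015-12-23T14:02:38Z","sensor":"fw-edge","event":"allow","src":"198.51.100.7","dst":"10.10.5.20","dport":22}',
    "Dec 23 14:02:40 c4i-gw sshd[4188]: Accepted publickey for ops_bob from 198.51.100.7 port 51044 ssh2",
    "2015-12-23T14:01:00Z,idp-01,login_success,ops_alice,10.10.9.4",
]

SYSLOG_YEAR = 2015   # assumption: classic syslog lines carry no year, so one is supplied
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?(?P<fail_user>\S+)"
    r"|Accepted \w+ for (?P<ok_user>\S+)) from (?P<ip>\S+) port"
)


def _utc(iso):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_syslog(line):
    """sshd syslog line -> common event, or None if the line is not one we understand."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": m["host"],
            "kind": "auth_ok" if m["ok_user"] else "auth_fail",
            "user": m["ok_user"] or m["fail_user"], "src_ip": m["ip"]}


def parse_json(line):
    """JSON firewall record -> common event (kind becomes net_<action>)."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or "sensor" not in rec:
        return None
    return {"ts": _utc(rec["ts"]), "source": rec["sensor"],
            "kind": f"net_{rec['event']}", "user": None, "src_ip": rec["src"]}


def parse_csv(line):
    """CSV identity-provider export: ts,sensor,event,user,ip -> common event."""
    parts = line.split(",")
    if len(parts) != 5 or "T" not in parts[0]:
        return None
    ts, sensor, event, user, ip = parts
    kind = {"login_success": "auth_ok", "login_failure": "auth_fail"}.get(event, event)
    return {"ts": _utc(ts), "source": sensor, "kind": kind, "user": user, "src_ip": ip}


def normalise(lines):
    """Try each parser in turn; return the recognised events in time order."""
    events = []
    for line in lines:
        for parser in (parse_json, parse_csv, parse_syslog):
            event = parser(line)
            if event:
                events.append(event)
                break
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, threshold=2, window=timedelta(minutes=10)):
    """One correlation rule: a source IP that fails at least `threshold` times and
    then authenticates successfully within `window` is flagged, whichever
    sensor saw each step. This only works because the kinds were normalised."""
    failures, alerts = {}, []
    for event in events:
        if event["kind"] == "auth_fail":
            failures.setdefault(event["src_ip"], []).append(event["ts"])
        elif event["kind"] == "auth_ok":
            recent = [t for t in failures.get(event["src_ip"], [])
                      if event["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src_ip": event["src_ip"], "user": event["user"],
                               "failures": len(recent), "ts": event["ts"],
                               "source": event["source"]})
    return alerts


if __name__ == "__main__":
    for alert in brute_force_then_success(normalise(SAMPLE_LOGS)):
        print(alert)
```

Once every source lands in the same five fields, the rule itself is a dozen lines and does not care which product produced each event; that is the practical payoff of the integration layer. The dashboard and automation rows of the table consume the same normalised stream.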
- 17. Mitigating the risk - Increase your visibility
• Deploy technology to provide visibility across all assets
– Remote locations
– Non-IP based systems
– Mobile and wireless
• Understand your critical assets, technology, and data
• Correlate and analyse data to detect anomalous and suspicious events
• Conduct continuous monitoring and rapid remediation/mitigation activities
- 18. Mitigating the risk - Increase your intelligence
• Develop a threat intelligence programme
• Obtain threat intelligence feeds
• Develop partnerships with government information sharing programmes
• Develop partnerships with industry peers to share threat intelligence
• Interface with all stakeholders to understand critical components
- 19. Mitigating the risk - Facilitate better integration
• Understand the technical landscape within the organisation and influence the roadmap with a focus on better integration and security
• Attend user conferences to learn about best practices from other organisations with similar environments
• Develop a secure reference architecture that is flexible and adaptable
• Understand the Application Programming Interfaces (APIs) of the technologies in use and how to leverage them for security orchestration and automated remediation
• Develop an integration lab to test secure configurations and integrations prior to deployment
- 20. Summary
• C4I systems are complex and a target for cyber attackers and insiders
• To assess your cyber risk you need to understand your assets, the threats to those assets, and your vulnerabilities
• Leverage national and international standards, guidelines, and frameworks
• Evaluate your organisation’s cyber maturity across visibility, intelligence, and integration
• Develop a plan to mitigate the highest-risk areas and build towards a continuous monitoring and mitigation capability supported by intelligence and securely integrated technology
Editor's Notes
- What is on your network includes hardware, software, and information.