Cybersecurity Monitoring

Cybersecurity Monitoring
Gib Sorebo
AGENDA
− Current State of Control System
Cybersecurity Monitoring
− Reasons for Concern
− Options for Greater Visibility
− Potential Ecosystem
− Responding to Events
2
Why is Network Monitoring Needed?

Today’s computing environment is extremely decentralized
− Creates many, many entry points into your systems
− Giving hackers tremendous advantages

You can’t prevent everything
− End user errors, time to patch systems, third parties, the internet, etc.

Detection is the key step between prevention and corrective action
−
−
−
−
Adds context to tools (IDS, Firewalls, Proxy, etc)
Use cases alert on things tools will not see
Gives metrics and trends
Supports corrective and preventative actions
The Undiscovered Breach
229
“Median number of days attackers were present on a victim’s network before
being discovered” in 2013
Source: 2014 Mandiant Threat Report
4
Network Monitoring
Reasons for Concern: The Kill Chain
5
Current State for Monitoring Operations Technology (OT)
HMI = Human Machine Interface WAN = Wide Area Network SIEM = Security Information and Event Management SOC = Security
Operations Center IDS = Intrusion Detection System
6
Network Monitoring
Reasons for Concern: Supply Chain
FBI: Counterfeit Cisco
routers risk “IT subversion”
ZDNet, May 12, 2008
Soviet Trans-Siberian
Pipeline Sabotage (1982)
Dell on Wednesday said that some
replacement motherboards for
PowerEdge servers may have contained
the W32.Spybot worm in flash storage.
PC Magazine, July 22, 2010
Stuxnet (2010)
7
Options for Greater Visibility on the Operations Side
8
The Enterprise Needs Better Coverage Too
• Conceptually, resources should
be segmented by function so
that monitoring and traffic
restrictions can be effective
• Practically, organizations need
to prioritize where to focus their
efforts and start by isolating
their DMZ, system
administration functions, users,
and operational technology (OT)
DMZ = Demilitarized Zone
Monitoring—Logistical Architecture
Responding to Breaches

Do you know what normal looks like?
− Control system behavior
− Electro-mechanical behavior (don’t forget to read the gauges and use all
your senses)

Can you operate without computers? If so, for how long?

How will you know when you can trust your computers again?

Are your business processes prioritized and staffed appropriately?
− Outage management/customer service may need more staff without
automation
− What systems need to come back up first?
− What are the dependencies?
− Who gets to decide what’s most important?
11
Staffing Levels
for Security
Operations
Center
Alignment with
Control
Processes
False Positives
12
Other
Considerations
Coverage of
All Kill Chain
Stages
No Disruption
to Operations
Questions?
For more information
contact:
Gib Sorebo
Leidos Chief Cybersecurity Technologist
phone: 703-676-0269 | email: sorebog@leidos.com