Brought Our Own Enterprise - Lessons Integrating the IACD Framework
Anthony Ramos, Lead – Technology Security, AT&T Chief Security Office
Michael Stair, Lead Member of Technical Staff, AT&T Chief Security Office
May 2, 2019
© 2019 AT&T Intellectual Property. AT&T, Globe logo, and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks are the property of their respective owners.
IACD Readiness Framework: Adopt, Pilot, Deploy, Upgrade, Sustain
IACD Baseline Architecture
• Sensors / Sensing Sources
• Sensor/Actuator Interface
• Sense-Making Analytic Framework
• Orchestration Manager
• Decision-Making Engine
• Response Action Controller
• Actuators / Action Points
IACD Readiness Framework: Adopt, Pilot, Deploy, Upgrade, Sustain (this section: Adopt)
Adoption
• Leadership Buy-in
  • Executive
  • Organizational
• Identify Candidate Business Cases
• Identify Adoption Strategy/Key Partners
  • Actuator Owners/Policy Management
  • Threat Analytics
  • Cyber Threat Information (CTI)
  • SOC/Incident Response
  • Operations Liaison
Candidate Business Case
• Low Regret/High Benefit
  • Align with existing capabilities
  • Utilize cross-organizational roles/expertise
• Malicious IP Address Blocking
  • Indicators of Compromise (IOC) from CTI
  • Multi-Vendor/Virtualized Actuators
    • Considerations for technology-based support/scale
  • Proactive/traditional inline blocking
  • Reactive/observation-based blocking
  • Ingress/Egress
Reference: https://www.iacdautomate.org/orchestration
Functional Ownership
• Sensors/Sensing Sources (Multiple)
• Sensor/Actuator Interface (Multiple)
• Sense-Making Analytic Framework (Threat Analytics)
• Orchestration Manager (Multiple)
• Decision-Making Engine (Multiple)
• Response Action Controller (Cloud Security)
• Actuators/Action Points (Multiple)
IACD Readiness Framework: Adopt, Pilot, Deploy, Upgrade, Sustain (this section: Pilot)
The New Enterprise Security Perimeter
• Hybrid Clouds
• Data Centers
• Network
• Private Clouds
• Endpoint/Devices
• VPN
• Compute
• Public Clouds
Micro-Perimeters (example topology)
• Inbound to the Web tier: tcp/443
• Web tier to App tier (App A, App B, App C): tcp/8443
• App tier to DB: tcp/3306
Platforms and Interface Standards
• SOAR
  • Already evaluated/identified by earlier PoC efforts
  • Decision-Making/CoA Function
• In-House Response Orchestrator
  • Focus on virtualized security technologies
  • Hierarchical security policy engine
• OpenC2 – Open Command and Control
  • Vendor-agnostic response action
• STIX 2 – Structured Threat Information eXpression
  • IOC Sightings/Observations
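As an added example (not code from the AT&T deck or its orchestrator), the two interface standards named above built for a single IP IOC: an OpenC2 "deny" command for a packet-filter actuator, and a STIX 2.1 Sighting that reports the observation back to CTI. Field names follow the OpenC2 Language Specification v1.0 with the Stateless Packet Filtering (SLPF) actuator profile and STIX 2.1; the Indicator object, its ID, the timestamps, the IP address and the "named_group" value (used here to address a SecZone) are all constructed.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# The only STIX pattern shape this example handles: one IPv4 equality comparison.
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value\s*=\s*'([0-9.]+)'\]$")

# Constructed STIX 2.1 Indicator, as a CTI platform might deliver it.
INDICATOR = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--7d9a4b1c-3e2f-4c5a-9b8d-1f2e3d4c5b6a",
    "created": "2019-05-02T09:00:00.000Z", "modified": "2019-05-02T09:00:00.000Z",
    "indicator_types": ["malicious-activity"],
    "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
    "valid_from": "2019-05-02T09:00:00.000Z",
}
# Constructed observation time for the sighting.
OBSERVED = datetime(2019, 5, 2, 10, 0, 0, 250000, tzinfo=timezone.utc)


def stix_time(t):
    """STIX timestamp format: UTC, millisecond precision, trailing 'Z'."""
    u = t.astimezone(timezone.utc)
    return u.strftime("%Y-%m-%dT%H:%M:%S.") + f"{u.microsecond // 1000:03d}Z"


def indicator_ip(indicator):
    """Extract the IPv4 IOC from an Indicator pattern; None for any other pattern."""
    m = IPV4_PATTERN.match(indicator.get("pattern", ""))
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:      # e.g. '999.1.1.1' matches the regex but is not an address
        return None


def openc2_deny(ip, direction, group, duration_s=0):
    """OpenC2 'deny' of one IPv4 host, addressed to an SLPF actuator group (here a SecZone name)."""
    if direction not in ("ingress", "egress", "both"):
        raise ValueError("direction must be ingress, egress or both")
    cmd = {
        "action": "deny",
        "target": {"ipv4_net": f"{ipaddress.IPv4Address(ip)}/32"},
        "args": {"response_requested": "complete", "slpf": {"direction": direction}},
        "actuator": {"slpf": {"named_group": group}},
    }
    if duration_s:
        cmd["args"]["duration"] = duration_s * 1000   # OpenC2 durations are in milliseconds
    return cmd


def stix_sighting(indicator_id, observed, count=1):
    """STIX 2.1 Sighting: the referenced Indicator was seen 'count' times at 'observed'."""
    ts = stix_time(observed)
    return {
        "type": "sighting", "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "sighting_of_ref": indicator_id,
        "first_seen": ts, "last_seen": ts, "count": count,
    }


def ioc_to_messages(indicator, observed, zone):
    """One reactive step: Indicator in, (Sighting back to CTI, OpenC2 deny to the actuator) out."""
    ip = indicator_ip(indicator)
    if ip is None:
        return None     # not an IP IOC; nothing for a packet-filter actuator to do with it
    return stix_sighting(indicator["id"], observed), openc2_deny(ip, "ingress", zone)


if __name__ == "__main__":
    sighting, command = ioc_to_messages(INDICATOR, OBSERVED, "App:Web")
    print(json.dumps(sighting, indent=2))
    print(json.dumps(command, indent=2))
```

The command carries no vendor-specific rule syntax: the same "deny ipv4_net" goes to whichever firewall, cloud security group or virtual appliance implements the SLPF profile for that group, which is the "vendor-agnostic response action" point on the slide.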
Policy Hierarchy - Security Zones
• SecZone: global (Global Security Zone)
• SecZone: att (Platform-wide / AT&T-wide policies)
• SecZone: ZZZ (Customer Tenant/Cloud Partition, tenant-specific policies)
• SecZone: App (Application policies)
• SecZone: App:Web (Sub-application policies)
Effective Firewall Policy = Proactive Blocklist + Firewall Policy + Reactive Blocklist
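An added example, not the deck's own policy engine, of the hierarchical security policy engine the slide draws and the micro-perimeter rules from the earlier slide: zones nest global > att > tenant > app > sub-application; each zone carries a proactive blocklist (from CTI) and a reactive blocklist (from observed IOC traffic); and a leaf zone's effective firewall policy is every ancestor's deny rules, top down, followed by that zone's micro-perimeter allow rules and an implicit default deny. The zone names follow the slide's SecZone labels; the blocklisted prefixes, the tier subnets and the ports (tcp/443, tcp/8443, tcp/3306 from the micro-perimeter slide) are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Allow:
    src: str            # CIDR permitted to reach this zone
    dport: int
    proto: str = "tcp"


@dataclass
class SecZone:
    name: str
    parent: Optional["SecZone"] = None
    proactive: set = field(default_factory=set)   # CIDRs blocked from CTI
    reactive: set = field(default_factory=set)    # CIDRs blocked after an observation
    allows: list = field(default_factory=list)    # this zone's micro-perimeter allow rules

    def lineage(self):
        """Zones from global down to self: the order in which denies are applied."""
        chain, zone = [], self
        while zone is not None:
            chain.append(zone)
            zone = zone.parent
        return chain[::-1]

    def effective_policy(self):
        """Ordered rules (action, src CIDR, service, deciding zone, kind): every
        ancestor's proactive then reactive denies, this zone's allows, default deny."""
        rules = []
        for zone in self.lineage():
            for kind in ("proactive", "reactive"):
                for cidr in sorted(getattr(zone, kind)):
                    rules.append(("deny", cidr, "any", zone.name, kind))
        for a in self.allows:
            rules.append(("allow", a.src, f"{a.proto}/{a.dport}", self.name, "allow"))
        rules.append(("deny", "0.0.0.0/0", "any", self.name, "default"))
        rules.append(("deny", "::/0", "any", self.name, "default"))   # IPv6 sources fall through too
        return rules

    def verdict(self, src, dport, proto="tcp"):
        """First-match evaluation of a flow into this zone -> (action, deciding zone, kind)."""
        addr = ipaddress.ip_address(src)
        for action, cidr, service, zone, kind in self.effective_policy():
            if addr in ipaddress.ip_network(cidr) and service in ("any", f"{proto}/{dport}"):
                return action, zone, kind
        raise AssertionError("unreachable: a default deny matches every address family")


def build_hierarchy():
    """Constructed zone tree using the slide's SecZone labels; blocklists and prefixes are made up."""
    g = SecZone("global", proactive={"198.51.100.0/24"})           # CTI-driven global block
    att = SecZone("att", parent=g, reactive={"192.0.2.44/32"})    # platform-wide reactive block
    tenant = SecZone("ZZZ", parent=att)
    app = SecZone("App", parent=tenant)
    web = SecZone("App:Web", parent=app, allows=[Allow("0.0.0.0/0", 443)])      # tcp/443 from anywhere
    mid = SecZone("App:App", parent=app, allows=[Allow("10.20.0.0/24", 8443)])  # tcp/8443 from Web tier only
    db = SecZone("App:DB", parent=app, allows=[Allow("10.20.1.0/24", 3306)])    # tcp/3306 from App tier only
    return {z.name: z for z in (g, att, tenant, app, web, mid, db)}
```

Because ancestor denies are emitted before the leaf's allows, a block placed at SecZone: global or SecZone: att wins over an application's own "allow tcp/443 from anywhere" rule, and an application owner cannot undo it locally; lifting it is the reversal workflow's job at the zone that placed it.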
Reference Architecture
• Sensors/Actuators: Cyber Events in (Sensing), Actions out (Response)
• Sense-Making Services: Threat Analytics, Cyber Threat Information, Context Enrichment, Enterprise Inventory
• Response Orchestration: Topic Alerts, Response Actions, Course of Action (CoA) Workflows, Case Management, Change Notification, Reversibility
• Open-loop Sense-Making
Workflow – Proactive Blocks
Start Workflow → Query CTI for actionable IP IOCs → Update Global Proactive Blocklist → Derive Effective FW Policies → Deploy FW Policy Updates → Exit Workflow
Workflow – Reactive Blocks
Trigger: IOC traffic allow observation in log data
Is IP Blockable? If not: Exit Workflow
If yes: Open Case → Determine Associated µ-perimeter → Update Effective FW Policy → Deploy FW Policy Updates → Notify Application/Ops → Update/Close Case → Exit Workflow
Reversibility
• False positives are inevitable
• Exception requests are inevitable
• Autoimmunity: malicious CTI
  • Restrictive CTI queries
  • Require IOC corroboration from multiple sources
• Extended workflows to support removal trigger
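An added example, not the deck's orchestrator, that runs the two workflows above (proactive and reactive blocks) with the Reversibility controls layered in: a restrictive never-block filter and multi-source corroboration before a CTI IOC becomes actionable for the global blocklist, a removal trigger for false positives and exception requests, and counters for the metrics the Deploy slide lists (policy updates, reverse workflows, reactive MTTR, allows to denies). The CTI feed contents, the enterprise prefix, the micro-perimeter inventory, the firewall log format and lines, and the case IDs are all constructed; documentation ranges stand in for attacker addresses. One design assumption of this example: an IOC reported by a single source is not blocked globally, but if it is actually observed being allowed into an application it gets a targeted block at that micro-perimeter with a case attached.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed CTI feeds; feed_c is "poisoned" with one of the enterprise's own
# addresses, the autoimmunity case from the Reversibility slide.
CTI_FEEDS = {
    "feed_a": {"198.51.100.7", "192.0.2.44", "192.0.2.99"},
    "feed_b": {"198.51.100.7", "192.0.2.44", "203.0.113.10"},
    "feed_c": {"203.0.113.10"},
}
# Constructed never-block list: RFC1918/special-use plus the enterprise's public prefix.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8", "203.0.113.0/24")]
# Constructed inventory (subnet -> owning micro-perimeter) and firewall log lines.
INVENTORY = {ipaddress.ip_network("10.20.0.0/24"): "App:Web",
             ipaddress.ip_network("10.20.1.0/24"): "App:App"}
LOG_LINES = [
    "2019-05-02T10:00:00Z allow src=192.0.2.99 dst=10.20.0.5 dport=443",
    "2019-05-02T10:00:05Z allow src=198.51.100.7 dst=10.20.0.5 dport=443",
    "2019-05-02T10:00:09Z allow src=203.0.113.10 dst=10.20.1.7 dport=8443",
    "2019-05-02T10:00:20Z allow src=192.0.2.99 dst=10.20.1.7 dport=8443",
]
NOW = datetime(2019, 5, 2, 10, 1, tzinfo=timezone.utc)   # time of the reactive run
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<verdict>allow|deny) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def blockable(ip):
    """Restrictive CTI filter: unparsable input or anything in NEVER_BLOCK is rejected."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NEVER_BLOCK)


def corroborated_iocs(feeds, min_sources=2):
    """IOCs reported by at least min_sources independent feeds that pass blockable()."""
    seen = {}
    for feed, ips in feeds.items():
        for ip in ips:
            seen.setdefault(ip, set()).add(feed)
    return {ip: f for ip, f in seen.items() if len(f) >= min_sources and blockable(ip)}


class Orchestrator:
    def __init__(self):
        self.proactive = {}       # ip -> corroborating feeds (global proactive blocklist)
        self.reactive = {}        # (ip, micro-perimeter) -> case record
        self.metrics = Counter()
        self.mttr_samples = []    # seconds from log observation to reactive block

    def run_proactive(self, feeds):
        """Proactive workflow: CTI -> global proactive blocklist -> deployed policy updates."""
        updates = []
        for ip, sources in corroborated_iocs(feeds).items():
            if ip not in self.proactive:
                self.proactive[ip] = sources
                updates.append({"zone": "global", "action": "deny", "ip": ip})
        self.metrics["policy_updates"] += len(updates)
        return updates

    def run_reactive(self, feeds, log_lines, now):
        """Reactive workflow: allowed IOC traffic in logs -> case -> micro-perimeter deny."""
        known_iocs = set().union(*feeds.values())   # any reported IOC counts as a sighting
        updates = []
        for line in log_lines:
            m = LOG_RE.match(line)
            if not m or m["verdict"] != "allow" or m["src"] not in known_iocs:
                continue                                  # not allowed IOC traffic
            ip, dst = m["src"], ipaddress.ip_address(m["dst"])
            zone = next((z for net, z in INVENTORY.items() if dst in net), None)
            if (ip in self.proactive or not blockable(ip) or zone is None
                    or (ip, zone) in self.reactive):
                continue    # globally blocked already, never-block, unknown asset, or duplicate
            case = {"id": f"CASE-{len(self.reactive) + 1}", "observed": m["ts"], "status": "closed"}
            self.reactive[(ip, zone)] = case
            updates.append({"zone": zone, "action": "deny", "ip": ip, "case": case["id"]})
            observed = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            self.mttr_samples.append((now - observed).total_seconds())
            self.metrics["allows_to_denies"] += 1
        self.metrics["policy_updates"] += len(updates)
        return updates

    def reverse(self, ip, reason):
        """Removal trigger: false positive or approved exception request for one IP."""
        removed = []
        if self.proactive.pop(ip, None) is not None:
            removed.append({"zone": "global", "action": "remove", "ip": ip, "reason": reason})
        for key in [k for k in self.reactive if k[0] == ip]:
            del self.reactive[key]
            removed.append({"zone": key[1], "action": "remove", "ip": ip, "reason": reason})
        if removed:
            self.metrics["reverse_workflows"] += 1
            self.metrics["policy_updates"] += len(removed)
        return removed

    def report(self):
        """Deploy-slide metrics: policy updates, reverse workflows, reactive MTTR, allows -> denies."""
        mttr = sum(self.mttr_samples) / len(self.mttr_samples) if self.mttr_samples else 0.0
        return {**self.metrics, "reactive_mttr_s": mttr}
```

With the constructed feeds, 203.0.113.10 is corroborated by two sources but never blocked because it sits in the enterprise's own prefix, which is the point of the never-block list: corroboration alone does not protect against feeds that agree on a bad IOC. Every reversal emits its own policy updates and is counted separately, so the "Number of Reverse Workflows Executed" metric is a direct read on false-positive and exception load.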
IACD Readiness Framework: Adopt, Pilot, Deploy, Upgrade, Sustain (this section: Deploy)
Deploy
• Embed in SDLC
• Audit
  • SOC/IR Teams
  • Case Management
  • Operations/Application Owners
  • Change Notifications
• Metrics
  • Number of Security Policy Updates
  • Number of Reverse Workflows Executed
  • Reactive MTTR
  • Allows -> Denies
IACD Readiness Framework: Adopt, Pilot, Deploy, Upgrade, Sustain (this section: Upgrade)
Upgrade
• E2E Performance
• Iterative improvements to Business Case
  • Effectiveness
  • Expand coverage
  • ML/AI opportunities
• Additional Use/Business Cases
• Champion in other environments/business units
IACD Readiness Framework: Adopt, Pilot, Deploy, Upgrade, Sustain (this section: Sustain)
Sustain
• Funding/Budget Plans
• Platform Upgrades
• Revisit SOAR Capabilities/Options
• New/Evolved Standards