Utility Networks Agile Response Capabilities - New Context at EnergySec 2019

New Context protects data and the movement of data in
highly regulated industries
PREPARED FOR:
Using Security Orchestration in Utility Networks to create
an Agile Threat Response and Enhance Resiliency
EnergySec Security and Compliance Summit 2019
August 19-21, 2019

20+ years security & product experience.
Advocacy on security appears in CNBC, Forbes, and NYT.
Previously CloudPassage, nCircle, and Tripwire.
San Francisco
Andrew Storms, CISSP
VP, Product at New Context
@St0rmz
New Context Services, Inc.
EnergySec Security & Compliance Summit 2019

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
The time from the attacker’s
first action in an event chain to
the initial compromise of an
asset is typically measured in
minutes
Breach
00:00:00
56% of breaches took months
or longer to discover
Detection
56%
53 % have no idea how well the
tools and software
implemented in corporate
networks are performing.Functional
53%
https://go.attackiq.com/PR-2019-PONEMON-REPORT_LP.html
63% said they have experienced
a security control reporting a
threat blocked when in reality,
the tool failed to stop malicious
behavior.Failure
63%
Speed Measure and Learn
Speed to assess and react is key
Humans may take too long to analyze the situation
Humans don’t scale well against machines
Trust but verify

Agile Response System System Components Response Types Risks Metrics
TOPICS

TERMINOLOGY
• Indicators
Things I’m looking for
Egress traffic on port 666
• Observables
Things I saw
Traffic on port 666 src myIP
dest outsideIP
• Actuator
Component that is responsible for taking action
Block traffic at firewall on
port 666
STOTS
FIT
STIG
TMA

AGILE RESPONSE SYSTEM COMPONETS
Automation
Machine to machine
communications
Interoperate
Common data
structures
Adapt behaviors
Contextual awareness
Secure and trusted
Confidentiality, integrity,
and availability
Measure and improve
Feedback loops
Take action
Actuators

• Structured Threat Observable Tool Set (STOTS)
• Structured Threat Information Expression (STIX)
• STOTS focus on surgical detection and response
for a specific threat, enabling cyber defenders to
be more agile in defense against cyber
adversaries.
• Detection and monitoring that can be used by
the most advanced and the most basic cyber
personnel to find IOCs for configuration specific
systems.
Common data
structures
Creative Destruction and Agnostic Detection
using a Structured Threat Observable Tool Set
Bryce McClurg | Idaho National Laboratory
Machine to machine
communications

• Use of STIX and ELK to quickly discover potentially
malicious activity.
• Vendor agnostic means to achieve these goals in
addition to providing a means to share these findings.
• Leveraging off the shelf big data tools
such as Elasticsearch.
• Facilitate rapid querying of complex STIX observables.
STIX and Big Data
Christian O. Hunt | New Context Services
Common data
structures
Machine to machine
communications

• Threat Monitoring Appliance (TMA)
• Test harness toolset for STIX based observables and
indicators.
• Runs inside OT networks and executes the responses
• Developed by New Context as part of the California
Energy for the 21st Century (CES-21) project.
Actuators Feedback loops

• Address the asset entire
lifecycle with automation
• 3/4ths of the PF curve
happen prior to failure
• Take an automation-first
approach
• Capture metrics from day 1
AGILE RESPONSE AREAS Actuators Feedback loops

AGILE RESPONSE EXAMPLES
• Failover
• File integrity monitoring
• Information capture
• Long term heuristics
• Maintenance
• State estimation
• Tuning
• While listing
• ARP correction
• Block IP, protocol, session, application
• Failover
• File integrity monitoring
• Long term heuristics
• Scale up/down
Proactive Reactive
BOOM

AGILE RESPONSE RISK TYPES
• Risk associated with the threat and
risk associated with the response
• Some response actions pose risk
regardless if it is run by a human or a
machine
• We likely already know how to assess
the risk, but require modifications to
existing tools or processes.

AGILE RESPONSE RISK METRICS
• There is an inherent risk
with automation.
• Many types of metrics
should be considered

Effectiveness
59%
Does the response work?
Trustworthy
90
75
80
Can I trust source?
Does the response work?
Was it tested in our lab?
Was it tested by the vendor or other 3rd party?
What is the source of the info?
Was it digitally signed?
Reputation factor

Must I act now?
If I don’t act now, will the opportunity close?
Will the response action be different later?
Can I roll back if this breaks?
Window of Opportunity
00:00:10
Must I act now?
Reversibility
Yes
Can I roll back?
Cost of Operational Degradation
$1M Loss of revenue or decline in company value
Are there fines or loss revenue?

Is safety compromised?
Magic smoke?
Affects to health or human welfare?
Are networks affected?
Will this delete data?
Does this expose our network to other risks?
Physical Impact
Is safety compromised?
Digital Impact
95%
Is my network affected?

Is reliability compromised?
Diversity of systems?
Can the backup system handle the entire load?
Will I have to report this to NERC?
Will I be fined?
Do we have enough data to prove this is the best option?
Redundancy Impact
N+1
Will it affect reliability?
Regulatory Impact
No
Will I have to report to NERC?

SUMMARY
• What is an agile response system
• Uses for an Agile response system
• Don’t solely focus on right of boom
• Plenty of opportunity for automation in the asset lifecycle
Common data
structures
Machine to machine
communications Contextual awareness

SUMMARY
• Categorize response types
• Use your individual comfort level with automated responses
• Use metrics to determine the risk of the agile response
• Measure effectiveness of system and learn
Common data
structures
Machine to machine
communications Contextual awareness

REFERENCES
2019 Data Breach Investigations Report
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
California Energy Systems for the 21st Century
https://www.llnl.gov/news/california-utilities-partner-lawrence-livermore-improve-states-energy-
grid
CIS Control 1. Inventory and Control of Hardware Assets
https://www.cisecurity.org/controls/inventory-and-control-of-hardware-assets/
The Cybersecurity Illusion: The Emperor Has No Clothes
https://go.attackiq.com/PR-2019-PONEMON-REPORT_LP.html
Identifying Critical Cyber Assets
https://www.nerc.com/docs/cip/sgwg/Critcal_Cyber_Asset_ID_V1_Final.pdf
Machine Actionable Indicators of Compromise
Doug Rhoades, Southern California Edison
The new Department of Defense (DOD) guide for achieving and assessing RAM
(reliability, availability, and maintainability)
Y. Jackson ; P. Tabbagh ; P. Gibson ; E. Seglie
https://ieeexplore.ieee.org/document/1408329
NIST Special Publication 800-37: Risk Management Frameworks for Information
Systems and Organizations
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
Sharable & Implementable Threat Intelligence
Rita Foster and Jed Haile, Idaho National Laboratory
John Tran, Southern California Edison
Andrew Storms, New Context
Structured Threat Information Expression
https://oasis-open.github.io/cti-documentation/
Structured Threat Information Graph
https://github.com/idaholab/STIG

Utility Networks Agile Response Capabilities - New Context at EnergySec 2019

More Related Content

What's hot (18)

Similar to Utility Networks Agile Response Capabilities - New Context at EnergySec 2019 (20)

Recently uploaded (20)

Utility Networks Agile Response Capabilities - New Context at EnergySec 2019