Eric Mc Gee – Associate Director Cybersecurity
Look Everywhere – Prepare for Anything

Look Everywhere Prepare for Anything · 2019-11-20 · correlate data across applications, cyber, physical, process and fraud • Harness the best engineering and data science expertise

Mar 25, 2020

Transcript

Page 1:

Eric Mc Gee – Associate Director Cybersecurity

Look Everywhere – Prepare for Anything

Page 2:

Eric Mc Gee – Associate Director Cybersecurity

• B.Eng Electronics (Hons) from the University of Pretoria
• CISSP, CISA, and CRISC professional certifications
• Started as an integrated circuit designer and embedded system developer
• Joined BCX Group in 1998 at Nanoteq managing security product development
• Was Managing Executive for the Communications and Security Business Unit at BCX
• Joined Deloitte as an Associate Director – Cybersecurity Leader

Page 3:

Cyber Strategy re-Think

Look Everywhere – Prepare for Anything

Page 4:

Cyber messaging proof points. © 2019. For information, contact Deloitte Touche Tohmatsu Limited.

Delusion

Page 5:

Reality

Page 6:

Source: Verizon Data Breach Investigations Report 2019

Gap between compromise and exfiltration on the one hand and discovery and containment on the other

Page 7:

Case study: TalkTalk

• Telco in UK
• Data breach of 150k users
• Vulnerability on a system in the infrastructure of an acquired entity
• Lost 100k users
• Cost 77 million pounds
• At worst lost 34% of share value

Page 8:

These days are really over – we need a different strategy

Page 9:

Page 10:

DATA LAKE

Look Everywhere

Page 11:

It will still happen

Page 12:

• Preparation for incidents

• Consistent guidance required in crisis

• Comprehensive response required:
  – Legal and law enforcement
  – Regulatory requirements
  – Forensic investigations
  – Containment and eradication
  – Public relations
  – Impacted parties and remedies

Prepare for Anything

Page 13:

• Utilise the same incident response system that automates and orchestrates the technical response

• Ensure consistent response, even for unfamiliar parties involved

• Integrated communication and reporting

• Evidence and audit trail linked

Page 14:

DATA LAKE

Look Everywhere

Prepare for Anything

Page 15:

Cyber-Crime Fusion

Look Everywhere – Prepare for Anything

Page 16:

Look everywhere: connect more, to see more, to act better

An overarching data and capability model for more effective detection and response

Model components (diagram labels): Data model; Scenario analysis; Control implementation; Stress testing; Threat intelligence; Detection & analytics; Response & investigation

Cross-domain Threat Intel

Correlate cross-domain cyber, fraud and crime intelligence, instead of focusing on individual items of intelligence within each domain

Unified Capability Model

• Scenario analysis to identify and prioritise all cyber, fraud and crime threat scenarios with a uniform approach, using an extended chain of attack

• Control implementation aligned across AML, cyber, crime and fraud to better prevent, detect and respond to threats, remove duplicate efforts and reduce blind spots across the extended attack chain

• Integral stress testing to validate control effectiveness and drive continuous improvement – focusing risk reduction efforts where it really matters

• Integrated Detection, Response & Investigation team as a central nerve centre to connect more, see more and act better

Unified Data & Analytics

• Develop an overarching data structure to collect, classify and correlate data across applications, cyber, physical, process and fraud

• Harness the best engineering and data science expertise to build more effective detection & analytics tooling

Example scenarios across the Identify / Prevent / Detect / Respond lifecycle:

1. Compromised healthcare data used to create mule accounts
   Scenario: Criminals steal healthcare data to create accounts for money mules
   Detection: Intel team flags discovered compromised PII to trigger alerts during CDD

2. Synthetic identities to create fake accounts and steal money
   Scenario: Criminals combine PII from data breaches for account take-over or to take out loans
   Detection: Data correlation between CDD, transactions and compromised PII reveals anomalies

3. Large scale money theft by APT
   Scenario: APT gains access to payment system through targeted phishing attack and lateral movement
   Detection: Suspicious privileged account behaviour occurs simultaneously with unusual transaction patterns

Data attributes correlated in the model (diagram labels, listed once; the diagram repeats them per scenario): Account holder; Transaction patterns; Client risk rating; Account number; Sanction list; Address; Background information; Transaction risk score; Contra account; Device biometrics; Device IP address; Transaction; User risk score; FTI; Device location; Peer group; IP address; IoC; Dark Web Intel; CTI; Threat scenarios; Alerts; Proxy data; System data; Privileged account usage
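The third scenario above (privileged account misuse coinciding with unusual transactions) and the first two (compromised PII surfacing during CDD) are the kind of cross-domain joins the data model is meant to support. The following Python is an added example, not code from the deck or from Deloitte: it correlates constructed privileged-account events, transaction-monitoring records and a dark-web PII feed over a time window. The action weights, the 30-minute window, the 500 000 amount threshold and the per-domain alert threshold are illustrative assumptions.

```python
"""Cross-domain correlation over constructed telemetry (added example, not from the deck).

Four feeds stand in for four silos:
  - dark-web intel         -> COMPROMISED_PII   (threat-intel domain)
  - CDD onboarding         -> CDD_ONBOARDING    (fraud / KYC domain)
  - PAM / Windows logs     -> PRIVILEGED_EVENTS (cyber domain)
  - transaction monitoring -> TRANSACTIONS      (fraud domain)
All records below are constructed sample data; the weights and thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Privileged-account actions the cyber domain treats as suspicious, with illustrative weights.
SUSPICIOUS_PRIV_ACTIONS = {"logon_outside_hours": 0.4, "new_rdp_session": 0.3, "privilege_grant": 0.5}
# Score a single domain would need before raising an alert on its own (assumed).
DOMAIN_THRESHOLD = 0.8

# Identifiers seen in a breach dump (constructed).
COMPROMISED_PII = {"j.doe@example.org", "ZA-8001015009087"}

# New account applications seen by customer due diligence (constructed).
CDD_ONBOARDING = [
    {"ts": "2019-11-20T09:00:00", "account": "ACC-1001", "email": "a.smith@example.org", "national_id": "ZA-7505055555088"},
    {"ts": "2019-11-20T09:05:00", "account": "ACC-1002", "email": "j.doe@example.org", "national_id": "ZA-9001011234567"},
]

# Privileged account usage from the cyber side (constructed).
PRIVILEGED_EVENTS = [
    {"ts": "2019-11-20T02:10:00", "user": "svc_swift_admin", "host": "SWIFT-GW-01", "action": "logon_outside_hours"},
    {"ts": "2019-11-20T02:12:00", "user": "svc_swift_admin", "host": "SWIFT-GW-01", "action": "new_rdp_session"},
    {"ts": "2019-11-20T14:00:00", "user": "backup_admin", "host": "FS-02", "action": "scheduled_job"},
]

# Transaction monitoring records from the fraud side (constructed); "risk" is that system's own score.
TRANSACTIONS = [
    {"ts": "2019-11-20T02:25:00", "account": "ACC-0007", "amount": 950000.0, "contra": "EXT-LT-4411", "risk": 0.6},
    {"ts": "2019-11-20T02:31:00", "account": "ACC-0007", "amount": 920000.0, "contra": "EXT-LT-4411", "risk": 0.6},
    {"ts": "2019-11-20T14:05:00", "account": "ACC-0042", "amount": 120.0, "contra": "ACC-0043", "risk": 0.1},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def cdd_alerts(onboarding, compromised=COMPROMISED_PII):
    """Scenarios 1 and 2: flag applications whose identifiers appear in compromised-PII intel."""
    hits = []
    for app in onboarding:
        matched = [app[k] for k in ("email", "national_id") if app[k] in compromised]
        if matched:
            hits.append({"account": app["account"], "matched_pii": matched})
    return hits


def fused_alerts(priv_events, txns, window=timedelta(minutes=30), min_amount=500000.0):
    """Scenario 3: join suspicious privileged activity with large transfers that follow it
    within `window`, and score the pair as one fused alert."""
    by_actor = {}
    for ev in priv_events:
        if ev["action"] in SUSPICIOUS_PRIV_ACTIONS:
            by_actor.setdefault((ev["user"], ev["host"]), []).append(ev)

    alerts = []
    for (user, host), events in by_actor.items():
        start = min(parse_ts(e["ts"]) for e in events)
        cyber_score = min(1.0, sum(SUSPICIOUS_PRIV_ACTIONS[e["action"]] for e in events))
        linked = [t for t in txns
                  if start <= parse_ts(t["ts"]) <= start + window and t["amount"] >= min_amount]
        if not linked:
            continue
        fraud_score = max(t["risk"] for t in linked)
        alerts.append({
            "user": user,
            "host": host,
            "window_start": start.isoformat(),
            "cyber_score": round(cyber_score, 2),
            "fraud_score": fraud_score,
            "fused_score": round(min(1.0, cyber_score + fraud_score), 2),
            "fires_alone": {"cyber": cyber_score >= DOMAIN_THRESHOLD,
                            "fraud": fraud_score >= DOMAIN_THRESHOLD},
            "transactions": [f'{t["account"]}->{t["contra"]} {t["amount"]:.0f}' for t in linked],
            "total_amount": sum(t["amount"] for t in linked),
        })
    return alerts


if __name__ == "__main__":
    for hit in cdd_alerts(CDD_ONBOARDING):
        print("CDD alert:", hit)
    for alert in fused_alerts(PRIVILEGED_EVENTS, TRANSACTIONS):
        print("Fused alert:", alert)
```

The point to notice is that neither the privileged-account activity (0.7) nor the transfers (0.6) reach the per-domain alert threshold on their own; only the join does. In practice the join keys and window come from the threat scenario (here: an actor on the SWIFT gateway, then large external transfers), and the fused alert should carry the evidence from both domains so an investigator can act without re-querying each silo.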

Page 17:

Benefits of an integrated Cyber-Crime fusion ecosystem

Breaking silos to enable consolidation, convergence and operational efficiencies

Benefit areas (diagram): Reduce Cost; Holistic; Exceed Compliance Obligations; Interoperate; Increase Productivity; Reduce Impacts

• Facilitate and enable collaboration

• Common taxonomy, speak same language

• Create a standardised data model for consistent, reliable and complete analytics

• Share intelligence easier between organisations, and with other stakeholders (LE, Regulators, industry bodies)

• Use data to benefit business process automation, ITSM, BI etc

• Detect earlier, prevent earlier, predict more, minimise impact

• Shift left in attack lifecycle, move from reactive to proactive

• Agile response to detected known malicious events to preempt and prevent downstream incidents and crises

• Focus on real threats and reduce false positives

• Emerging principles (GDPR & NIS) of “state of the art controls”, “secure by design and default”, etc.

• Recent regulator encouragement to do better than standard compliance for tackling fraud and AML

• Increase collaboration between operations via a more effective capability framework (governance, people, process, tech, facilities)

• Improve efficiency to investigate and respond

• Reduce resource constraints

• Improve efficacy – higher true positive rates – reduced false positives

• More sustainable approach, leveraging automation

• Consolidate spending on operations, technology & resources

• Simplify approach and remove complexity

• Provide a more holistic perspective on risk (global and informed by ALL threats) to see the complete picture

• Enhanced visibility to see suspicious activity across the entire end-to-end attack path

© 2019 Deloitte LLP. All rights reserved.

Page 18:

Cyber-Crime Fusion – How

Look Everywhere – Prepare for Anything

Page 19:

Preparing for a different strategy - shape, define and deliver

Page 20:

Example integrated attack framework development: holistic threat scenario analysis to inform data sources

Attack narrative (diagram):
1. CYBER CRIME – Hacker develops malware and sends spear-phishing emails to bank employees to infect the system (BANK EMPLOYEES → INFECTED INFRASTRUCTURE). SWIFT messages are intercepted and modified to redirect funds. ACCOUNT BALANCES are inflated and money is collected. ATMs are infected and spit out cash.
2. FRAUD – STOLEN FUNDS are converted into CRYPTOCURRENCIES. STOLEN FUNDS are laundered through SHELL COMPANIES.

Threat actor operation (TTP description):
• Initial Access: Spear Phishing Attachment
• Execution: PowerShell
• Persistence: Process Injection
• Privilege Escalation: Bypass User Account Control
• Credential Access: Hooking
• Lateral Movement: RDP
• C&C: Remote Access Tools
• SWIFT: Message tampering
• Funds misappropriation: external accounts
• Card misuse: inflated balance
• ATM cash withdrawal
• Mule networks
• Virtual Currencies
• Shell Company Networks

Data types to detect TTPs (in the order of the table; the last two rows are marked "Out of scope"):
• Email gateway
• Process command-line parameter
• Windows event logs
• System calls
• Loaded DLLs
• Netflow
• Packet capture
• SWIFT messages
• Transaction data
• Account details
• Out of scope
• Out of scope

Data sources requirement:
• Endpoint logs
• Email logs
• Firewall logs
• Intrusion Detection Systems
• Intrusion Prevention Systems
• SWIFT server logs
• Transaction monitoring
• KYC platform

© 2019 Deloitte The Netherlands
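A practical way to make "holistic threat scenario analysis to inform data sources" concrete is to keep the attack chain, the data types that detect each TTP and the sources that supply each data type as one model and compute coverage from it. The Python below is an added example, not the deck's own framework: the TTPs, data types and data sources are the slide's, but the pairings between them (which data type detects which TTP, which source supplies which data type) are assumptions made for illustration, and the any-of rule (a TTP is covered when at least one of its data types has an onboarded source) is a design choice.

```python
"""Attack-chain coverage check (added example, not the deck's framework).

The TTPs, data types and data sources are the ones listed on the slide; which data type
detects which TTP and which source supplies which data type are assumptions made here for
illustration. A TTP counts as covered when at least one of its data types has an onboarded source.
"""

# (domain, TTP, data types that can detect it). Empty list = marked out of scope on the slide.
ATTACK_CHAIN = [
    ("cyber", "Initial Access: Spear Phishing Attachment", ["email gateway"]),
    ("cyber", "Execution: PowerShell", ["process command-line parameter"]),
    ("cyber", "Persistence: Process Injection", ["windows event logs", "loaded DLLs"]),
    ("cyber", "Privilege Escalation: Bypass User Account Control", ["windows event logs", "system calls"]),
    ("cyber", "Credential Access: Hooking", ["loaded DLLs", "system calls"]),
    ("cyber", "Lateral Movement: RDP", ["netflow", "windows event logs"]),
    ("cyber", "C&C: Remote Access Tools", ["netflow", "packet capture"]),
    ("fraud", "SWIFT: Message tampering", ["SWIFT messages"]),
    ("fraud", "Funds misappropriation: external accounts", ["transaction data"]),
    ("fraud", "Card misuse: inflated balance", ["account details", "transaction data"]),
    ("fraud", "ATM cash withdrawal", ["transaction data"]),
    ("fraud", "Mule networks", ["account details", "transaction data"]),
    ("fraud", "Virtual Currencies", []),
    ("fraud", "Shell Company Networks", []),
]

# Data type -> data sources (from the slide's "data sources requirement") that can supply it; assumed.
DATA_TYPE_SOURCES = {
    "email gateway": ["email logs"],
    "process command-line parameter": ["endpoint logs"],
    "windows event logs": ["endpoint logs"],
    "system calls": ["endpoint logs"],
    "loaded DLLs": ["endpoint logs"],
    "netflow": ["firewall logs", "intrusion detection systems"],
    "packet capture": ["intrusion detection systems", "intrusion prevention systems"],
    "SWIFT messages": ["SWIFT server logs"],
    "transaction data": ["transaction monitoring"],
    "account details": ["KYC platform"],
}


def coverage(available_sources):
    """Map each TTP to 'covered', 'blind spot' or 'out of scope' for the onboarded sources."""
    available = set(available_sources)
    status = {}
    for _domain, ttp, data_types in ATTACK_CHAIN:
        if not data_types:
            status[ttp] = "out of scope"
            continue
        detectable = any(src in available
                         for dt in data_types for src in DATA_TYPE_SOURCES[dt])
        status[ttp] = "covered" if detectable else "blind spot"
    return status


def blind_spots(available_sources):
    """TTPs in the chain that no onboarded source can see."""
    return [ttp for ttp, s in coverage(available_sources).items() if s == "blind spot"]


def source_value(available_sources):
    """Rank sources not yet onboarded by how many blind spots each one would close,
    which is the prioritisation the scenario analysis is meant to produce."""
    available = set(available_sources)
    current_gaps = len(blind_spots(available))
    all_sources = {src for srcs in DATA_TYPE_SOURCES.values() for src in srcs}
    ranking = [(src, current_gaps - len(blind_spots(available | {src})))
               for src in all_sources - available]
    return sorted(ranking, key=lambda item: (-item[1], item[0]))


def coverage_by_domain(available_sources):
    """Per-domain view: (covered, total) for the cyber chain and the fraud chain."""
    status = coverage(available_sources)
    summary = {}
    for domain, ttp, data_types in ATTACK_CHAIN:
        if not data_types:
            continue
        seen, total = summary.get(domain, (0, 0))
        summary[domain] = (seen + (status[ttp] == "covered"), total + 1)
    return summary


if __name__ == "__main__":
    onboarded = {"email logs", "firewall logs", "transaction monitoring"}
    print("Blind spots:", blind_spots(onboarded))
    print("Coverage by domain (covered, total):", coverage_by_domain(onboarded))
    print("Next sources to onboard:", source_value(onboarded))
```

Run against a typical starting point (mail, perimeter and transaction monitoring only) the check shows the whole post-phishing endpoint chain and the SWIFT tampering step as blind spots, and ranks endpoint logs as the single onboarding that closes the most of them. Extending the model with control mappings (which control prevents which TTP) gives the same kind of gap analysis for prevention.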

Page 21:

Cyber-Crime Fusion – Technology Solution

Look Everywhere – Prepare for Anything

Page 22:

Core data and technology components and existing accelerators

High-level Cyber-Crime fusion reference architecture (diagram, summarised by component):

Data Sources: cyber systems logs; transactional data; contextual data; unconventional data.

Log Management Systems: log aggregators; data hubs/lakes; buffered logs and batch logs; HDFS, NoSQL and graph DB storage.

Unified Data Virtualisation Layer (Connect, Combine, Consume): data enrichment to improve data quality; data prioritisation to keep the attributes that matter.

AI Engine: classification, segmentation and pattern recognition; AI model automation; graph-based learning.

Knowledge Graph: retaining connected data and insights; temporal and connected risks.

Risk Engine: integrated assurance scoring (rule and non-rule-based); integrated risk scores; generated risk scores.

Available Insights: SIEM and fraud alerts; tagged data; use-case insights; generated insights; visual analysis.

Consumers: Executives (executive dashboards); Analysts (interactive dashboards for quick alert management); Investigators (case management: assurance calculation flow, graphs, historical trends, what-if, correlation, predictive and simulation analysis).

Feedback loops (diagram labels): feedback, active learning, reinforcement learning, learning feedback.

Automation Engine: SOAR and RPA.

Dashboard Data Ecosystem.
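The knowledge-graph and risk-engine components are where the connected-risk idea lives: an account that looks clean in isolation becomes risky once it shares a device with a confirmed mule or logs in from an IP on a CTI indicator list. The Python below is an added example, not an implementation from the deck: it links constructed entities (accounts, devices, IPs, persons, e-mail addresses) and propagates seed risk from intelligence feeds over the graph with a per-hop decay, combining contributions with a noisy-OR. The edge set, the seed scores, the decay factor of 0.5 and the three-hop limit are all illustrative assumptions.

```python
"""Connected risk over a small entity graph (added example, not from the deck).

Nodes are typed labels ("account:ACC-0042", "ip:203.0.113.9"). Seed risk comes from
intelligence feeds; it propagates across relationships with a per-hop decay and is
combined per account with a noisy-OR. All data, scores and parameters are constructed.
"""
from collections import deque

# Relationships observed across domains (constructed): transaction monitoring knows the
# accounts, the web/device layer knows devices and IPs, KYC knows persons and e-mail.
EDGES = [
    ("account:ACC-0042", "used_device", "device:DEV-77"),
    ("account:ACC-0099", "used_device", "device:DEV-77"),   # shares a device with ACC-0042
    ("account:ACC-0042", "logged_in_from", "ip:203.0.113.9"),
    ("account:ACC-0042", "owned_by", "person:P-1"),
    ("person:P-1", "has_email", "email:j.doe@example.org"),
    ("account:ACC-0500", "logged_in_from", "ip:198.51.100.4"),
    ("account:ACC-0500", "used_device", "device:DEV-12"),
]

# Seed risk from intelligence (constructed): node -> (reason, score in [0, 1]).
SEED_RISK = {
    "ip:203.0.113.9": ("CTI indicator of compromise", 0.9),
    "email:j.doe@example.org": ("dark-web compromised PII", 0.7),
    "account:ACC-0099": ("confirmed mule account", 1.0),
}


def build_adjacency(edges):
    """Undirected adjacency list: risk is allowed to flow either way along a relationship."""
    adj = {}
    for a, rel, b in edges:
        adj.setdefault(a, []).append((b, rel))
        adj.setdefault(b, []).append((a, rel))
    return adj


def connected_risk(node, edges=EDGES, seeds=SEED_RISK, max_hops=3, decay=0.5):
    """Breadth-first search out to `max_hops`; each reachable seed contributes
    score * decay**hops, and contributions are combined as 1 - prod(1 - c_i)."""
    adj = build_adjacency(edges)
    hops = {node: 0}
    queue = deque([node])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt, _rel in adj.get(cur, []):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)

    evidence = []
    survival = 1.0   # probability that none of the linked risks applies
    for reached, distance in hops.items():
        if reached in seeds:
            reason, score = seeds[reached]
            contribution = score * decay ** distance
            survival *= 1.0 - contribution
            evidence.append({"node": reached, "reason": reason, "hops": distance,
                             "contribution": round(contribution, 3)})
    evidence.sort(key=lambda e: -e["contribution"])
    return {"node": node, "score": round(1.0 - survival, 2), "evidence": evidence}


def rank_accounts(edges=EDGES, seeds=SEED_RISK):
    """Score every account node in the graph, highest connected risk first."""
    accounts = sorted({n for a, _rel, b in edges for n in (a, b) if n.startswith("account:")})
    return sorted((connected_risk(acc, edges, seeds) for acc in accounts),
                  key=lambda r: -r["score"])


if __name__ == "__main__":
    for result in rank_accounts():
        print(result["node"], result["score"], [e["node"] for e in result["evidence"]])
```

ACC-0042 carries no seed risk of its own but ends up with a score of 0.66 from three independent links (a CTI IP one hop away, a mule account and a breached e-mail address two hops away), and the evidence list is what the case-management view would show an investigator. Keeping the contributions per seed rather than a single number matters for the feedback loop: an analyst closing the alert as benign can down-weight one relationship type or one feed without retraining everything.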

Page 23:

These days are really over – we need a different strategy

Page 24:

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245 000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2019. For information, contact Deloitte Touche Tohmatsu Limited