Eric Mc Gee – Associate Director Cybersecurity
Look Everywhere – Prepare for Anything
Eric Mc Gee – Associate Director Cybersecurity
• B.Eng Electronics (Hons) from the University of Pretoria
• CISSP, CISA, and CRISC professional certifications
• Started as an integrated circuit designer & embedded system developer
• Joined BCX Group in 1998 at Nanoteq managing Security product development
• Was Managing Executive for Communications and Security Business Unit at BCX
• Joined Deloitte as an Associate Director – Cybersecurity Leader
Cyber Strategy re-Think
Cyber messaging proof points© 2019. For information, contact Deloitte Touche Tohmatsu Limited. 4
Delusion
Cyber messaging proof points© 2019. For information, contact Deloitte Touche Tohmatsu Limited. 5
Reality
Source: Verizon Data Breach Threat Report 2019
Gap between Compromise, Exfiltration and Discovery, Containment
Cyber messaging proof points© 2019. For information, contact Deloitte Touche Tohmatsu Limited. 7
Case study
Talk Talk
• Telco in UK
• Data breach of 150k users
• Vulnerability on system in infrastructure of acquired entity
• Lost 100k users
• Cost 77 million pounds
• At worst lost 34% of share value
These days are really over – we need a different strategy
[Figure: data lake]
Look Everywhere
It will still happen
• Preparation for incidents
• Consistent guidance required in crisis
• Comprehensive response required
Legal and law enforcement
Regulatory requirements
Forensic investigations
Containment and eradication
Public relations
Impacted parties and remedies
Prepare for Anything
• Utilise the same incident response system that automates and orchestrates the technical response
• Ensure consistent response, even for unfamiliar parties involved
• Integrated communication and reporting
• Evidence and audit trail linked
[Figure: data lake – Look Everywhere / Prepare for Anything]
Cyber-Crime Fusion
Look everywhere: connect more, to see more, to act better
An overarching data and capability model for more effective detection and response
[Figure: capability model – Stress testing; Control implementation; Data model; Scenario analysis; Response & investigation; Threat intelligence; Detection & analytics]
Cross-domain Threat Intel
Correlate cross-domain cyber, fraud and crime intelligence, instead of focusing on individual items of intelligence within each domain
Unified Capability Model
• Scenario analysis to identify and prioritise all cyber, fraud and crime threat scenarios with a uniform approach, using an extended chain of attack
• Control implementation aligned across AML, cyber, crime and fraud to better prevent, detect and respond to threats, remove duplicate efforts and reduce blind spots across the extended attack chain
• Integral stress testing to validate control effectiveness and drive continuous improvement – focusing risk reduction efforts where it really matters
• Integrated Detection, Response & Investigation team as a central nerve centre to connect more, see more and act better
Unified Data & Analytics
• Develop an overarching data structure to collect, classify and correlate data across applications, cyber, physical, process and fraud
• Harness the best engineering and data science expertise to build more effective detection & analytics tooling
[Figure: Identify – Prevent – Detect – Respond]
Compromised healthcare data used to create mule accounts
  Criminals steal healthcare data to create accounts for money mules
  Intel team flags discovered compromised PII to trigger alerts during CDD
Synthetic identities to create fake accounts and steal money
  Criminals combine PII from data breaches for account take-over or to take out loans
  Data correlation between CDD, transactions and compromised PII reveals anomalies
Large scale money theft by APT
  APT gains access to payment system through targeted phishing attack and lateral movement
  Suspicious privileged account behaviour occurs simultaneously with unusual transaction patterns
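The three scenarios above share one pattern: a signal from one domain (threat intelligence, cyber telemetry) only becomes an alert when joined to data from another (CDD, transactions). The following is an added example, not code from the deck or from Deloitte, that encodes each scenario as a fusion rule over constructed sample records. The record fields, the out-of-hours definition, the 10x-baseline threshold and the 30-minute correlation window are assumptions of the example, not figures from the slides.

```python
"""Fusion rules for the three threat scenarios on the slide (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (not real intel, customers or transactions) ---

# Threat-intel set of PII known to be compromised, e.g. from a healthcare breach.
COMPROMISED_PII = {"SSN-111-22-3333", "SSN-444-55-6666"}

# Customer due diligence (CDD) records for new-account applications.
CDD_APPLICATIONS = [
    {"applicant": "A1", "ssn": "SSN-111-22-3333", "dob": "1980-01-01", "address": "1 Main St"},
    {"applicant": "A2", "ssn": "SSN-777-88-9999", "dob": "1975-05-05", "address": "2 High St"},
    {"applicant": "A3", "ssn": "SSN-777-88-9999", "dob": "1990-09-09", "address": "3 Low Rd"},
    {"applicant": "A4", "ssn": "SSN-000-11-2222", "dob": "1975-05-05", "address": "2 High St"},
]

# Cyber domain: privileged-account usage on the payment system.
PRIV_EVENTS = [
    {"ts": "2019-03-01T02:13:00", "user": "svc_pay_admin", "host": "PAY-APP-01", "action": "logon"},
    {"ts": "2019-03-01T09:30:00", "user": "svc_pay_admin", "host": "PAY-APP-01", "action": "logon"},
]
BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59 local time

# Fraud domain: payment transactions plus a per-account baseline.
TRANSACTIONS = [
    {"ts": "2019-03-01T02:20:00", "account": "ACC-100", "contra": "ACC-NEW-1", "amount": 950000},
    {"ts": "2019-03-01T09:40:00", "account": "ACC-100", "contra": "ACC-OLD-7", "amount": 1200},
]
BASELINE = {"ACC-100": {"avg_amount": 1500, "known_contras": {"ACC-OLD-7"}}}


def parse_ts(s):
    return datetime.fromisoformat(s)


def rule_compromised_pii_at_cdd(applications, intel):
    """Scenario 1: an application whose PII is in the compromised-PII set."""
    return [a["applicant"] for a in applications if a["ssn"] in intel]


def rule_synthetic_identity(applications):
    """Scenario 2: the same SSN, or the same (dob, address) pair, reused across
    different applicants suggests identities assembled from breached PII."""
    by_key = defaultdict(set)
    for a in applications:
        by_key[("ssn", a["ssn"])].add(a["applicant"])
        by_key[("dob_addr", a["dob"], a["address"])].add(a["applicant"])
    flagged = set()
    for members in by_key.values():
        if len(members) > 1:
            flagged |= members
    return sorted(flagged)


def rule_priv_plus_transaction(priv_events, txns, baseline, window=timedelta(minutes=30)):
    """Scenario 3: an out-of-hours privileged logon followed within `window` by a
    transaction far above the account baseline to a contra account never seen before.
    Neither signal alone is conclusive; the join across domains is the alert."""
    alerts = []
    for p in priv_events:
        t0 = parse_ts(p["ts"])
        if t0.hour in BUSINESS_HOURS:
            continue
        for x in txns:
            t1 = parse_ts(x["ts"])
            b = baseline.get(x["account"])
            if b is None or not (t0 <= t1 <= t0 + window):
                continue
            if x["amount"] > 10 * b["avg_amount"] and x["contra"] not in b["known_contras"]:
                alerts.append((p["user"], p["host"], x["account"], x["contra"]))
    return alerts


if __name__ == "__main__":
    print("compromised PII at CDD:", rule_compromised_pii_at_cdd(CDD_APPLICATIONS, COMPROMISED_PII))
    print("synthetic identities:  ", rule_synthetic_identity(CDD_APPLICATIONS))
    print("priv + transaction:    ", rule_priv_plus_transaction(PRIV_EVENTS, TRANSACTIONS, BASELINE))
```

In the sample data only the 02:13 logon pairs with an anomalous transaction; the 09:30 logon is inside business hours and the 09:40 payment is within baseline, so the second pair is silent even though both signals exist in their own domains.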
[Figure: unified data model – elements: Account holder; Transaction patterns; Client risk rating; Account number; Sanction list; Address; Background information; Transaction risk score; Contra account; Device biometrics; Device IP address; Transaction; User risk score; FTI; Device location; Peer group; IP address; IoC; Dark Web Intel; CTI; Threat scenarios; Alerts; Proxy data; System data; Privileged account usage]
Benefits of an integrated Cyber-Crime fusion ecosystem
Breaking silos to enable consolidation, convergence and operational efficiencies
Interoperate
• Facilitate and enable collaboration
• Common taxonomy, speak the same language
• Create a standardised data model for consistent, reliable and complete analytics
• Share intelligence more easily between organisations, and with other stakeholders (LE, Regulators, industry bodies)
• Use data to benefit business process automation, ITSM, BI etc.
Reduce Impacts
• Detect earlier, prevent earlier, predict more, minimise impact
• Shift left in the attack lifecycle, move from reactive to proactive
• Agile response to detected known malicious events to preempt and prevent downstream incidents and crises
• Focus on real threats and reduce false positives
Exceed Compliance Obligations
• Emerging principles (GDPR & NIS) of “state of the art controls”, “secure by design and default”, etc.
• Recent regulator encouragement to do better than standard compliance for tackling fraud and AML
Increase Productivity
• Increase collaboration between operations via a more effective capability framework (governance, people, process, tech, facilities)
• Improve efficiency to investigate and respond
• Reduce resource constraints
• Improve efficacy – higher true positive rates – reduced false positives
• More sustainable approach, leveraging automation
Reduce Cost
• Consolidate spending on operations, technology & resources
• Simplify approach and remove complexity
Holistic
• Provide a more holistic perspective on risk (global and informed by ALL threats) to see the complete picture
• Enhanced visibility to see suspicious activity across the entire end-to-end attack path
© 2019 Deloitte LLP. All rights reserved.
Cyber-Crime Fusion – How
Preparing for a different strategy - shape, define and deliver
Example integrated attack framework development
Holistic threat scenario analysis to inform data sources

Attack chain:
1 CYBER CRIME
HACKER develops malware and sends spear-phishing emails to bank employees to infect the system
BANK EMPLOYEES / INFECTED INFRASTRUCTURE
SWIFT messages are intercepted and modified to redirect funds
2 FRAUD
ACCOUNT BALANCES are inflated and money is collected
ATMs are infected and spit out cash
STOLEN FUNDS are converted into CRYPTOCURRENCIES
STOLEN FUNDS are laundered through SHELL COMPANIES

Threat actors operation – TTP description:
Initial Access: Spear Phishing Attachment
Execution: PowerShell
Persistence: Process Injection
Privilege Escalation: Bypass User Access Control
Credential Access: Hooking
Lateral Movement: RDP
C&C: Remote Access Tools
SWIFT: Message tampering
Funds misappropriation: external accounts
Card misuse: inflated balance
ATM cash withdrawal
Mule networks
Virtual Currencies
Shell Company Networks

Data types to detect TTPs:
Email gateway
Process command-line parameter
Windows event logs
System calls
Loaded DLLs
Netflow
Packet capture
SWIFT messages
Transaction data
Account details
Out of scope

Data sources requirement:
Endpoint Logs
Email logs
Firewall logs
Intrusion Detection Systems
Intrusion Prevention Systems
SWIFT servers logs
Transaction monitoring
KYC platform

© 2019 Deloitte The Netherlands
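As an added example (not the deck's or Deloitte's code), the following correlates events from the data types listed above into one extended attack chain per victim, and reports which chain stages the available data sources cannot observe, i.e. the blind spots the framework is meant to expose. The stage-to-data-type pairing, the six-hour gap limit and the sample events are assumptions of the example; it generalises the slide's point by joining cyber and fraud stages on the entities they share (user, host, SWIFT reference, account) rather than by domain.

```python
"""Extended attack chain correlator with blind-spot report (added example)."""
from datetime import datetime, timedelta

# Chain stages in order, each paired with the data type assumed to observe it.
# The pairing is this example's assumption, not the deck's table; None marks a
# stage the listed data types do not cover.
STAGES = [
    ("Initial Access: Spear Phishing Attachment", "email_gateway"),
    ("Execution: PowerShell", "process_cmdline"),
    ("Lateral Movement: RDP", "netflow"),
    ("SWIFT: Message tampering", "swift_messages"),
    ("Funds misappropriation: external accounts", "transaction_data"),
    ("ATM cash withdrawal", None),
    ("Mule networks", None),
]
STAGE_OF = {src: stage for stage, src in STAGES if src}
STAGE_ORDER = {stage: i for i, (stage, _) in enumerate(STAGES)}

# Constructed events. `entities` are the join keys that let a cyber event be
# linked to a fraud event; `detail` is descriptive only.
EVENTS = [
    {"ts": "2019-03-01T08:00:00", "src": "email_gateway", "entities": {"user:jdoe"},
     "detail": "attachment quarantined then released"},
    {"ts": "2019-03-01T08:05:00", "src": "process_cmdline", "entities": {"user:jdoe", "host:WS-17"},
     "detail": "encoded PowerShell command line"},
    {"ts": "2019-03-01T10:00:00", "src": "netflow", "entities": {"host:WS-17", "host:SWIFT-GW"},
     "detail": "tcp/3389 WS-17 -> SWIFT-GW"},
    {"ts": "2019-03-01T10:30:00", "src": "swift_messages", "entities": {"host:SWIFT-GW", "swift:REF-42"},
     "detail": "MT103 beneficiary field modified"},
    {"ts": "2019-03-01T10:35:00", "src": "transaction_data", "entities": {"swift:REF-42", "acct:ACC-9"},
     "detail": "outbound 4,000,000"},
    {"ts": "2019-03-02T12:00:00", "src": "transaction_data", "entities": {"acct:ACC-3"},
     "detail": "unrelated payment"},
]


def chains(events, max_gap=timedelta(hours=6)):
    """Walk events in time order and attach each to an open chain when it shares
    an entity with that chain, belongs to a later stage, and falls within max_gap
    of the chain's last event; otherwise it opens a new chain."""
    open_chains = []
    for e in sorted(events, key=lambda x: x["ts"]):
        stage = STAGE_OF.get(e["src"])
        if stage is None:
            continue  # data type not mapped to a stage
        t = datetime.fromisoformat(e["ts"])
        for c in open_chains:
            if (e["entities"] & c["entities"]
                    and STAGE_ORDER[stage] > STAGE_ORDER[c["stages"][-1]]
                    and t - c["last"] <= max_gap):
                c["stages"].append(stage)
                c["entities"] |= e["entities"]
                c["last"] = t
                break
        else:
            open_chains.append({"stages": [stage], "entities": set(e["entities"]), "last": t})
    return open_chains


def fused_incidents(events, min_stages=3):
    """A chain spanning at least min_stages stages is raised as one incident,
    so the SWIFT/transaction analyst and the SOC see the same case."""
    return [c for c in chains(events) if len(c["stages"]) >= min_stages]


def blind_spots(available_sources):
    """Stages no available data type can observe: where the framework says to
    add a source, or to declare the stage out of scope explicitly."""
    return [stage for stage, src in STAGES if src is None or src not in available_sources]


if __name__ == "__main__":
    for inc in fused_incidents(EVENTS):
        print("incident:", " -> ".join(inc["stages"]), "|", sorted(inc["entities"]))
    print("blind spots:", blind_spots({"email_gateway", "process_cmdline", "swift_messages", "transaction_data"}))
```

With the sample events the first five link into a single five-stage incident, while the next-day payment on an unrelated account stays a one-event chain and is not raised. Dropping `netflow` from the available sources moves the RDP stage into the blind-spot list, which is the "reduce blind spots" check the scenario analysis is meant to drive.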
Cyber-Crime Fusion – Technology Solution
Core data and technology components and existing accelerators
High-level Cyber-Crime fusion reference architecture
[Figure: high-level Cyber-Crime fusion reference architecture]
Users: Executives; Analysts; Investigators
Data Sources: Cyber systems logs; Transactional data; Contextual data; Unconventional data
Log Mgt Systems: Log aggregators; Data hubs/lakes (buffered logs, batch logs; HDFS, NoSQL, Graph DB)
Unified Data Virtualisation Layer: Connect – Data Enrichment (improving data quality); Combine – Attributes that matter (data prioritisation); Consume – Dashboard Data Ecosystem
AI Engine / Knowledge Graph: Classification, segmentation and pattern recognition; AI models automation; Tagged data; Reinforced learning; Graph-based learning; Temporal and connected risks
Risk Engine: Integrated assurance scoring (rule and non-rule-based); Retaining connected data and insights; Visual analysis; Generated risk scores; Use case insights
Available Insights: SIEM; Fraud alerts; Integrated risk scores; Generated insights
Executive Dashboards: Case management – assurance calculation flow, graphs, historical trends, what-if, correlation, predictive, simulation analysis; Interactive dashboards for quick alert management
Automation Engine: SOAR and RPA; Feedback loops – active learning, reinforced learning, learning feedback
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.
Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245 000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.
© 2019. For information, contact Deloitte Touche Tohmatsu Limited