Defending Against Cyber Attacks: Defense & Response Strategies
Tan Wei Ming, Senior Manager, Government Relations, APJ
2009 ITU Regional Cybersecurity Forum for Asia-Pacific
24 September 2009, Hyderabad

How Likely Are These?

Exponential Spike In Malicious Activities
More malicious programs were detected in the last 18 months than in all the previous years combined.
Source: Symantec Internet Security Threat Report (Trends for 2008), volume XIV, published April 2009

Cyber Defense – A Mission Impossible?
Scenarios:
• Disruption of critical infrastructure operations
• Large-scale DDoS attacks
• Defacing of government websites
• Malware outbreaks within the government network
• Stealthy ex-filtration or unintended loss of confidential data
Actors:
• Organized criminal
• Well-meaning insider
• Malicious insider

Effective Cyber Defense & Incident Response Strategy
> 4 important principles
1. Understand the threats
2. Establish a prioritised risk-based framework
3. Develop intelligence-in-depth
4. Develop strong defense capabilities

1. Understand The Threats: Threat Landscape
The Web is the focal point
• Primary vector for malicious activity
• Target reputable, high-traffic websites
Attackers want YOUR information
• Focus on exploits targeting end-users for financial gain
Increased sophistication of the underground economy
• Well-established infrastructure for monetizing stolen information
Rapid adaptation to security measures
• Relocating operations to new geographic areas
• Evade traditional security protection

Web As The New Focal Point
• Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts (site-specific vulnerabilities, Web application vulnerabilities).
• Once the site is compromised, attackers modify pages so malicious content is served to visitors.

Information At Risk
> The Education sector accounted for the majority of data breaches with 27%, followed by Government (20%) and Healthcare (15%).
> More than half of breaches (57%) were due to theft or loss, with insecure policy accounting for 21%.
> Many data breaches are related to loss of small, portable devices such as USB memory keys, portable hard drives, and smart phones.

Convergence Of Attack Methods
Attackers combine malicious code, phishing, spam, exploitation of vulnerabilities, and online attacks:
1. Spam containing a link to the compromised server
2. User visits the legitimate site
3. Redirection to the MPack server
4. Downloader installed through a browser vulnerability
5. Download and install additional threats from a server hosting additional threats

2. Establish Prioritised Risk-based Framework
• Multi-tier protection
• Endpoint protection & management
• Sensors & correlation
• Dashboard monitoring
• Maintain adequate staff levels
• Recruit, train, certify & retain security specialists
• Increase security awareness amongst users and the public
• Present & future threat analysis
• Incident response & recovery
• Pre-emptive protective measures
• Coordinate with international community & related bodies

Information Assurance Framework
National Information Assurance Policy Framework
• National Legislation & Regulations: Data Protection, Cyber Crime, Anti Spam, Online Child Safety
• Critical Information Infrastructure Protection Policies & Structures: identify CII assets/functions & interdependencies; identify CII owners & operators; establish trusted information sharing & analysis; establish public/private roles & responsibilities; plan & test emergency response plans
• Awareness Building & Threat Notification: increase awareness of small businesses & individuals; issue notifications of threats, vulnerabilities, security incidents
• Policy & Operational Coordination & Response: Military, Law Enforcement Agencies, CERT (Govt, National, Academic)
• Public-Private Partnerships & International Cooperation: Government; Private Sector (Research Institutes, Industry Experts); Other N-CERTs; Int'l Alliances & Associations; General Public

Fundamental Questions to Ask
> How do you prioritize events that occur at your end points today? How many malicious events do you experience per day? Per week?
> How long does it currently take to respond to those events? How are you keeping up? How do you manage the workflow of that process?
> How much time does your staff invest in researching effective remediation best practices?
> Do you have visibility to malicious activities before they occur?
> How do you invest your response resources today? How would you rather use these resources?
> What are your current requirements for providing security status, audit reports, and general information requests? How do you meet those requirements?
> Are you leveraging the information you have? Are you optimizing your responding resources? What are your biggest challenges in effectively responding to malicious activities that occur?

Prioritization: A Constant Challenge
Funnel, based on one month of actual customer data:
• 9,481,668 logs and alerts generated by firewalls and IDSs
• Security threat pattern identification
• 620 security events (insignificant events eliminated, valid events reported)
• 55 events provided for client review
• 2 events requiring immediate customer contact (identify and issue warning of serious security threat)
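The funnel on the prioritization slide, as an added Python example (not the deck's own code or any Symantec product logic): constructed firewall and IDS lines are collapsed into security events, filtered to critical assets for client review, and escalated to immediate contact only where an exploit alert is followed by the victim connecting back to the attacker. The log format, the benign-signature list and the critical-asset list are all assumptions.

```python
from collections import defaultdict

# Constructed sample of raw firewall/IDS output (not real customer data)
RAW_LOGS = """\
2009-09-01T10:00:01 fw DENY src=203.0.113.5 dst=192.0.2.10 dport=445
2009-09-01T10:00:02 fw DENY src=203.0.113.5 dst=192.0.2.11 dport=445
2009-09-01T10:00:03 fw DENY src=203.0.113.5 dst=192.0.2.12 dport=445
2009-09-01T10:00:04 fw ALLOW src=192.0.2.10 dst=198.51.100.7 dport=80
2009-09-01T10:00:05 ids ALERT sig=SMB-EXPLOIT src=203.0.113.5 dst=192.0.2.12
2009-09-01T10:00:06 fw ALLOW src=192.0.2.12 dst=203.0.113.5 dport=6667
2009-09-01T10:00:07 ids ALERT sig=ICMP-PING src=198.51.100.9 dst=192.0.2.20
2009-09-01T10:00:08 ids ALERT sig=WEB-SQLI src=198.51.100.9 dst=192.0.2.30
"""
BENIGN_SIGS = {"ICMP-PING"}                      # assumed tuning list of noisy signatures
CRITICAL_ASSETS = {"192.0.2.12", "192.0.2.30"}   # hypothetical high-criticality hosts

def parse(raw):
    """Turn each line into a dict with ts, sensor, action plus its key=value fields."""
    events = []
    for line in raw.splitlines():
        ts, sensor, action, *kv = line.split()
        rec = {"ts": ts, "sensor": sensor, "action": action}
        rec.update(f.split("=", 1) for f in kv)
        events.append(rec)
    return events

def triage(raw):
    """Return the funnel tiers: (raw logs, security events, client review, immediate contact)."""
    logs = parse(raw)
    # Tier 1 -> 2: pattern identification. Drop routine traffic and noisy signatures;
    # collapse repeated denies from one source against 3+ hosts into one "scan" event.
    denies = defaultdict(set)
    for e in logs:
        if e["action"] == "DENY":
            denies[e["src"]].add(e["dst"])
    events = [{"kind": "scan", "src": s, "targets": sorted(d)}
              for s, d in denies.items() if len(d) >= 3]
    events += [{"kind": "alert", "sig": e["sig"], "src": e["src"], "dst": e["dst"]}
               for e in logs if e["action"] == "ALERT" and e["sig"] not in BENIGN_SIGS]
    # Tier 2 -> 3: only alerts that touch critical assets go to the client for review.
    review = [e for e in events if e["kind"] == "alert" and e["dst"] in CRITICAL_ASSETS]
    # Tier 3 -> 4: an exploit alert followed by the victim connecting back to the
    # attacker is evidence of compromise and warrants immediate customer contact.
    outbound = {(e["src"], e["dst"]) for e in logs if e["action"] == "ALLOW"}
    immediate = [e for e in review if (e["dst"], e["src"]) in outbound]
    return logs, events, review, immediate
```

On the constructed sample the tiers shrink from 8 log lines to 3 events, 2 for review and 1 requiring immediate contact, which is the shape of the slide's 9.4M-to-2 funnel.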
Risk-Based Approach
Four functions, from proactive to reactive, with the response time available to each:
• Risk Management: weeks (proactive)
• Threat & Vulnerability Management: days/hours (proactive)
• Incident Response: hours/minutes (reactive)
• Audit & Recovery / Counterintelligence: weeks (reactive)
Supporting capabilities: C2 situational awareness, information risk management, comprehensive analysis, sensors & correlation, cyber intelligence.

3. Develop Intelligence-in-Depth
Strategic Intelligence: guidance and support in developing and maintaining IA policy
• Strategic threat trend reports (ISTR)
• Sector-specific reports
• Technology vulnerability assessments
• Penetration testing
• Environmental assessments
Operational Intelligence: delivery of situational awareness of IA activities
• In-depth analysis of targeted malware and attacks
• Monitoring of network-relevant vulnerabilities and exploits
• Ongoing behavioural anomaly baselining and detection
• Incident analysis and lessons learned
• War gaming of potential attack vectors
Tactical Intelligence: timely and relevant delivery of evaluated intelligence to enable real-time decisions in handling an incident
• Visual representation of suspicious activity and prediction of likely attack paths
• Prioritisation of threats based on information and infrastructure criticality
• Presentation of appropriate remediation methods to defeat attacks

Global Intelligence Network
Identifies more threats, takes action faster & prevents impact.
Locations: Calgary, Alberta; San Francisco, CA; Mountain View, CA; Culver City, CA; Dublin, Ireland; Reading, England; Tokyo, Japan; Alexandria, VA; Chengdu, China; Austin, TX; Taipei, Taiwan; Chennai, India; Pune, India; Sydney, AU
Worldwide coverage, global scope and scale, 24x7 event logging, rapid detection.
• Threat activity / attack activity: 240,000 sensors; 200+ countries
• Malcode intelligence: 130M client, server and gateway systems monitored; global coverage
• Vulnerabilities: 32,000+ vulnerabilities; 11,000 vendors; 72,000 technologies
• Spam/phishing: 2.5M decoy email accounts; 8B+ email messages/day; 1B+ web requests/day
Outputs: preemptive security alerts, information protection, threat-triggered actions.
Copyright © 2009 Symantec Corporation. All rights reserved.

Combining Global, Sector & Local Intelligence
• Global cyber intelligence
• Global real-world intelligence
• Trusted information sharing
• Local network information

Security Event Monitoring & Correlation
Dublin, Ireland; Calgary, Canada; San Francisco, CA; Springfield, OR; Redwood City, CA; Santa Monica, CA; Tokyo, Japan; London, England; Munich, Germany; Alexandria, VA; Sydney, Australia

4. Develop Strong Defense Capabilities
Prioritised risk-based visibility and actionable intelligence across:
• Protect Information: Data Loss Prevention, Encryption, Data Protection
• Protect Systems: Endpoint, Discovery, Network, Messaging, Web, Network Access Control
• Policy-Driven Compliance
• Symantec Management Platform: Discover, Inventory, Workflow, Configure, Provision, Patch, Report, CMDB

Multi-Tier Protection
• Gateway Protection (IM and SMTP gateways): Brightmail Gateway
• Groupware Protection (Microsoft Exchange, Lotus Domino): Mail Security for Exchange; Mail Security for Domino; Premium Antispam
• Endpoint Protection: Endpoint Protection; AntiVirus for Mac / Linux; AntiVirus for Windows Mobile
Messaging environment: SMTP and IM traffic from the Internet

Defending & Managing The Endpoints
Symantec Endpoint Protection (threat protection: keep the bad things out)
• Protect against malware
• Protect from known and unknown threats
• Manage multiple endpoint technologies
Symantec Network Access Control (network access control: trust, but verify)
• Enforce endpoint security policies
• Allow guest access to the network
• Provide access only to properly secured endpoints
Vontu DLP & Symantec Endpoint Encryption (data loss prevention & encryption: keep the good things in)
• Discover confidential data
• Enforce policies to prevent its loss
• Encrypt to prevent unauthorized access
• Monitor its use
Altiris Client Management Suite (endpoint management: keep the wheels on)
• Integrates security, data loss and management
• Provides automation
• Increases visibility and control
• Lowers total cost of ownership by managing multiple endpoint technologies

Sensor Deployment & Correlation
Symantec Security Information Manager (SSIM, SIM 4.0): monitor & correlate -> incident -> actionable alerts -> initiate remediation workflow, feeding helpdesk processes and security & IT compliance reports.

Executive Dashboard Monitoring, e.g. Vulnerability Assessment Module
Vulnerability information is collected and collated with organisation & asset info. The analyst team is able to monitor status at a glance and drill down by theatre to individual assets. They can view trends and search for the status of any system.

Thank You!
Tan Wei Ming
weiming_tan@symantec.com
+65 96236998

Copyright © 2009 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.