Information Security & Threat Landscape

Information Security &
Current Threat Landscape
Bobby M Varghese
Vice President
Enterprise Security Services
12th Sep 2014
© CSS Corp | Confidential | www.csscorp.com
Information security has many challenges
Threats accompany technology trends
• Web Exploits: SQL Injection / Cross-site Scripting
• Botnets: Updating and Modifications
• BYOD: Personal and Professional usage
• Data Loss: Intellectual Property Protection, Health data, Compromises
• Failed Trust: Certificate system, authentication
• Big data: Greater storage of data = greater liability
• Internet of things: greater attack surface
• Cloud & Virtualization
• Evolution of SCADA networks to IP
• Virtual / common currencies
• Targeted and Persistent Attacks
• Sponsored Cyber Operations: espionage, attacks, offensive security
CIO’s World of Security
1. Expanding boundaries of the Enterprise
a) Earlier: Physical and defined
b) Recent: Physical and un-defined (mobility)
c) Now: Cloud/Virtual and un-defined
2. Security Imperatives
a) Earlier: WAN and Compliance
b) Recent: Breaches and lost money
c) Now: Loss of Business and Reputation
Security must integrate with the business transactions.
Detection is key to Respond and Recover
Source: Cisco Threat Report
Market Snapshot
Threat Intelligence
• 14% YoY increase in vulnerabilities and threats
• Spam volume down in 2013, but the proportion of maliciously intended spam remained constant
• Boston Marathon bombing-related spam represented 40% of worldwide spam on April 17, 2013
Mobile Attacks
• Emerging, and logical, area of exploration for malware developers
• Increased attempts to monetize
• Android compromises
• Adware, SMB-related spyware
Threat flow Landscape
[Diagram: the enterprise threat flow. Endpoints shown: attacker, desktop, mobile, users and privileged users (DBAs, developers). Controls in the path: firewall, IDS/IPS, antispoofing. Targets: web server, applications, databases. Attack types shown: cross-site scripting, known vulnerabilities, DoS, parameter tampering, port scanning, pattern-based attack, cookie poisoning, SQL injection.]
Logs are forwarded to SIEM for Threat Monitoring and Alerting by SOC Team
Retail Chain Breach Notification Timeline
[Timeline figure; events in order:]
1. Hackers break in using credentials from a PA HVAC contractor
2. DOJ contacts RT to inform them of the breach
3. RT retains investigators
4. RT notifies payment processors and card brands and begins malware removal
5. More malware removed from 25 disconnected terminals
6. Public breach notification
Retail Chain CC Data Security Breach
Researchers view
Impact of breach at Retail Chain
Data Breach
• 70 Million people's personal information
• 40 Million Credit and Debit cards stolen
• Customers' sensitive information
• Stolen cards sold for $20 - $100
Financial Impact
• Sales decline of approximately 2.5 percent in the fourth quarter
• Lower EPS: from the previous estimate of $1.50 to $1.60, down to $1.20 to $1.30
• It couldn't provide GAAP EPS numbers for the fourth quarter of 2013 but said they "may include charges related to the data breach."
• Cost of the breach is estimated at about $1 Billion
SOC Requirement
• Compliance factors
• Reduce the impact of an incident
• Real Time Threat Monitoring
• Proactive reaction
• Centralized Management and Monitoring of Network Infrastructure for:
  – External Threats
  – Internal Threats
  – User Activity
  – Data Activity
  – Provide evidence in investigations
Security Operations Center
• A SOC is a centralized location where an organization's security, network, end-user devices and systems are monitored.
• Through people, processes and technology, a SOC is dedicated to the detection of, investigation of, and response to log events triggered through security-related correlation logic.
• Delivers 24x7x365 security management, monitoring and reporting services.
Attack Detection through SIEM
[Diagram: a cyber-attack on the network is detected by the Security Operations Center using the SIEM together with blacklisted-IP lists, threat intelligence and visual analytics.]
Attack Detection
Workflow:
1. Observed botnet event activity
2. Analyzed the impact
3. Analyze and create incident ticket: an incident ticket would be created for scanning the asset with updated AV signatures and the required recommendation
4. Containment and eradication
5. Continuous monitoring of logs for any further malware activity, then proceed to ticket closure

Incident Ticket
Incident ID: IM570610
Detection
  Priority: P3
  Detector: McAfee - IPS
  Name/IP Address: 10.9.15.16
  Source IP | Port: 192.138.151.200 | 80
  Destination IP | Port: 10.130.56.31 | 63468
  Type / Reason for Escalating: BOT: Warbot Bot Activity Detected
Affected Machine
  IP Address: 10.130.56.31
  Hostname: LAP-04-1235
  Location: West Wing
  Project Name: Aruba
User Details
  User Name: Riyazuddin Mohammed
  Employee ID: sl091306
Sample Log
May 30 09:51:03 10.9.15.16 SyslogAlertForwarder: |5840905297032758676|Signature|2013-0530 09:51:02 IST|BOT: Warbot Bot Activity Detected|0x48809d00|High|warbot1|Medium|My Company|AMBIT_IPS_Secondary|1A1B|192.138.151.200|80|10.130.56.31|63468|Malware|botnet|Outbound|Inconclusive|signature|http|tcp|
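As an added example (not tooling from the deck or from CSS Corp), the following Python parser takes the SyslogAlertForwarder line shown on the slide, fills the Detection section of the incident ticket, and performs the closure check from the last workflow step over later log lines. The pipe-field positions, the RFC 1918 rule for picking the affected machine, and the "McAfee - IPS" detector label are assumptions; the slide only confirms the signature text, the sensor name and the IP:port pairs.

```python
import ipaddress
import re

# The slide's sample McAfee IPS alert (via SyslogAlertForwarder), joined onto one line.
SAMPLE_LOG = (
    "May 30 09:51:03 10.9.15.16 SyslogAlertForwarder: |5840905297032758676|Signature"
    "|2013-0530 09:51:02 IST|BOT: Warbot Bot Activity Detected|0x48809d00|High|warbot1"
    "|Medium|My Company|AMBIT_IPS_Secondary|1A1B|192.138.151.200|80|10.130.56.31|63468"
    "|Malware|botnet|Outbound|Inconclusive|signature|http|tcp|"
)
# Field positions are an assumption read off the sample; the slide itself only confirms
# the signature text, the sensor name and the source/destination IP:port pairs.
FIELD_INDEX = {"signature": 3, "severity": 5, "risk": 7, "sensor": 9, "src_ip": 11,
               "src_port": 12, "dst_ip": 13, "dst_port": 14, "direction": 17}
HEADER_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) SyslogAlertForwarder: \|(.*)$")

def parse_ips_alert(line):
    """Split the syslog header and the pipe-delimited body into named fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a SyslogAlertForwarder line")
    fields = m.group(3).split("|")
    rec = {name: fields[i] for name, i in FIELD_INDEX.items()}
    rec["relay_ip"] = m.group(2)  # host that forwarded the alert to the SIEM
    return rec

def affected_host(rec):
    """Treat the RFC 1918 endpoint as the asset to scan (assumed heuristic)."""
    for ip in (rec["dst_ip"], rec["src_ip"]):
        if ipaddress.ip_address(ip).is_private:
            return ip
    return rec["dst_ip"]

def build_ticket(line, detector="McAfee - IPS"):
    """Fill the Detection section of the incident ticket as laid out on the slide."""
    rec = parse_ips_alert(line)
    return {
        "Detector": detector,
        "Name/IP Address": rec["relay_ip"],
        "Source IP | Port": f'{rec["src_ip"]} | {rec["src_port"]}',
        "Destination IP | Port": f'{rec["dst_ip"]} | {rec["dst_port"]}',
        "Type": rec["signature"],
        "Affected Machine": affected_host(rec),
    }

def further_activity(lines, host):
    """Closure check: later alerts that still name the host keep the ticket open."""
    recs = (parse_ips_alert(l) for l in lines if HEADER_RE.match(l.strip()))
    return [r["signature"] for r in recs if host in (r["src_ip"], r["dst_ip"])]
```

An empty result from further_activity over the post-remediation log window is the condition under which the ticket proceeds to closure.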
10 Security Essentials Every CIO Needs to Know
Best Practices
• Establish an Information Security Policy
• Dedicate resource/s for the Information Security System
• Do Risk Assessments regularly
• Create Awareness across the Organisation
• Involve App Development Teams in implementation
• Conduct Vulnerability Assessments at periodic intervals
• Enable Monitoring of your Digital Assets (Security Operations & Management)
• Integrate Vulnerability reports into Security Operations
• Regular reviews to measure control effectiveness
Enterprise Security Services
Governance, Risk and Compliance: Risk Assessments, Policies & Controls, and Identity and Access Management
Security Monitoring Services
• 24x7x365 Monitoring
• Monitoring & Notification Service from SOC
• Reporting Services
Device Management Services
• Firewall / IDS / IPS / WAF Management
• Authentication Server Management
• End-Points Management
• Implementation Services
• Anti Virus and malware management service
Vulnerability Management Services
• Vulnerability Assessment
• Penetration Testing
• Web Application Security Assessment
• Secure Configuration Management
• Patch Management
Mobile Security Services
• BYOD Policy Creation
• Mobile Devices (Security) Management
• Mobile Security Testing
Security Operations Center
SOC Architecture
Vulnerability Management
• VM services cover four activities: Vulnerability Assessment of IT assets, validation of identified vulnerabilities, providing recommendations, and reporting.
• Provides an independent baseline and validation of the organization's security posture.
• Risk analysis and development of remediation plans that are tailored to unique business requirements and security needs.
Vulnerability Assessment
• Scanning of the target infrastructure, establishing a baseline and making compliance easier by validating external posture
Penetration Testing
• Manual testing and exploits, in addition to false positive reduction of automated results
• Providing an overall security picture at a lower cost with repeatable exercises
• Verifying that defense in depth and response capabilities are working as designed, along with security controls validation
• Periodically verifying assets are properly protected; evaluating recurring differentials and managing vulnerabilities
• Required by many industry regulations and standards
Thank You
© CSS Corp
The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
Network & Security Operations
The NOC's purpose has always been to ensure "power, ping, and pipe" to computing resources and is critically measured on uptime. Conversely, the SOC's purpose has been to "protect, detect, react, and recover" and is critically measured on response time.
Network Operations
• Network Monitoring & Management
• Network fault tolerance
• Network device configuration
• Sniffing / Troubleshooting
Security Operations
• Network Behavior Anomaly
• Intrusion Detection
• Threat & Log Management
• Network Forensics
SIEM Event Types
Event Type      | Source                                     | Vendor/Application                                 | Events
System activity | Server syslog                              | Windows, Linux                                     | Authentication/authorization; Services starting/stopping; Config changes; Audit events
Web proxy logs  | Web proxies                                | Websense, Blue Coat                                | Web malware downloads, Command & Control check-ins
Malware logs    | Antivirus, Spam filter                     | McAfee ePO                                         | Malicious activity, Malicious URLs, malicious attachments
Firewall logs   | Network firewall, Web Application Firewall | Cisco ASA, Checkpoint, Juniper; Trustwave, Imperva | Accepted/denied connections
Web server logs | Web servers                                | Apache, IIS                                        | Access logs, Error logs
Security Event Analysis
Source / Target Analysis