Slide 1 - Information Security & Current Threat Landscape
Bobby M Varghese, Vice President, Enterprise Security Services
12th Sep 2014
© CSS Corp | Confidential | www.csscorp.com

Slide 2 - Information security has many challenges

Slide 3 - Threats accompany technology trends
• Web exploits: SQL injection, cross-site scripting
• Botnets: updating and modification of bot code
• BYOD: personal and professional usage on the same device
• Data loss: intellectual property protection, health data, compromises
• Failed trust: certificate system, authentication
• Big data: greater storage of data means greater liability
• Internet of Things: greater attack surface
• Cloud and virtualization
• Evolution of SCADA networks to IP
• Virtual / common currencies
• Targeted and persistent attacks
• Sponsored cyber operations: espionage, attacks, offensive security

Slide 4 - CIO's World of Security
1. Expanding boundaries of the enterprise
   a) Earlier: physical and defined
   b) Recent: physical and undefined (mobility)
   c) Now: cloud/virtual and undefined
2. Security imperatives
   a) Earlier: WAN and compliance
   b) Recent: breaches and lost money
   c) Now: loss of business and reputation
Security must integrate with the business transactions.

Slide 5 - Detection is key to Respond and Recover
[Figure; source: Cisco Threat Report]

Slide 6 - Market Snapshot
Threat intelligence
• 14% year-on-year increase in vulnerabilities and threats
• Spam volume down in 2013, but the proportion of maliciously intended spam remained constant
• Boston Marathon bombing-related spam represented 40% of worldwide spam on April 17, 2013
Mobile attacks
• An emerging, and logical, area of exploration for malware developers
• Increased attempts to monetize Android compromises
• Adware, SMB-related spyware

Slide 7 - Threat Flow Landscape
[Diagram] Components shown: Attacker, Desktop, Mobile, Users, Firewall (antispoofing), IDS/IPS, Web Server, Applications, Databases, Privileged users (DBAs, developers).
Attacks shown: cross-site scripting, known vulnerabilities, DoS, parameter tampering, port scanning, pattern-based attack, cookie poisoning, SQL injection.
Logs are forwarded to the SIEM for threat monitoring and alerting by the SOC team.

Slide 8 - Retail Chain Breach Notification Timeline
• Hackers break in using credentials from a PA HVAC contractor
• DOJ contacts RT to inform them of the breach
• RT retains investigators
• RT notifies payment processors and card brands and begins malware removal
• More malware removed from 25 disconnected terminals
• Public breach notification

Slide 9 - Retail Chain CC Data Security Breach: Researchers' View
[Figure]

Slide 10 - Impact of Breach at Retail Chain
Data breach
• 70 million people's personal information
• 40 million credit and debit cards stolen
• Customers' sensitive information
• Stolen cards sold for $20 - $100
Financial impact
• Sales decline of approximately 2.5 percent in the fourth quarter
• Fourth-quarter EPS guidance lowered from the previous estimate of $1.50 - $1.60 to $1.20 - $1.30
• It could not provide GAAP EPS numbers for the fourth quarter of 2013 but said they "may include charges related to the data breach"
• Cost of the breach estimated at about $1 billion

Slide 11 - SOC Requirement
• Compliance factors
• Reduce the impact of an incident
• Real-time threat monitoring
• Proactive reaction
• Centralized management and monitoring of network infrastructure for:
  – External threats
  – Internal threats
  – User activity
  – Data activity
• Provide evidence in investigations

Slide 12 - Security Operations Center
• A SOC is a centralized location where an organization's security, network, end-user devices and systems are monitored.
• Through people, processes and technology, a SOC is dedicated to the detection, investigation and response of log events triggered by security-related correlation logic.
• Delivers 24x7x365 security management, monitoring and reporting services.

Slide 13 - Attack Detection through SIEM
[Diagram] A cyber-attack hits the network; its logs reach the Security Operations Center, where the SIEM correlates them with blacklisted IPs and threat intelligence and presents the result through visual analytics.

Slide 14 - Attack Detection
Workflow:
1. Observed: botnet event activity.
2. Analyzed the impact.
3. Analyze and create incident ticket: an incident ticket is created for scanning the asset with updated AV signatures, together with the required recommendation.
4. Containment and eradication.
5. Continuous monitoring of logs for any further malware activity, then proceed to ticket closure.

Incident ticket:
Incident ID: IM570610
Priority: P3
Detection type: McAfee - IPS
Detector name/IP address: 10.9.15.16
Source IP | Port: 192.138.151.200 | 80
Destination IP | Port: 10.130.56.31 | 63468
Reason for escalating: BOT: Warbot Bot Activity Detected
Affected machine: IP address 10.130.56.31, hostname LAP-04-1235, location West Wing
User details: project name Aruba, user name Riyazuddin Mohammed, employee ID sl091306

Sample log (one line; extraction line breaks repaired):
May 30 09:51:03 10.9.15.16 SyslogAlertForwarder: |5840905297032758676|Signature|2013-05-30 09:51:02 IST|BOT: Warbot Bot Activity Detected|0x48809d00|High|warbot1|Medium|My Company|AMBIT_IPS_Secondary|1A1B|192.138.151.200|80|10.130.56.31|63468|Malware|botnet|Outbound|Inconclusive|signature|http|tcp|

Note that the ticket treats the internal host 10.130.56.31 as the affected machine even though the sensor lists it as the destination: the Outbound direction and the peer's port 80 indicate the laptop talking to an external web server, which is what a bot check-in looks like. The sensor's "source" is not automatically the victim.

Slide 15 - 10 Security Essentials Every CIO Needs to Know

Slide 16 - Best Practices
• Establish an information security policy
• Dedicate resources for the information security system
• Do risk assessments regularly
• Create awareness across the organisation
• Involve application development teams in implementation
• Conduct vulnerability assessments at periodic intervals
• Enable monitoring of your digital assets (security operations and management)
• Integrate vulnerability reports into security operations
• Regular reviews to measure control effectiveness

Slide 17 - Enterprise Security Services
Governance, risk and compliance: risk assessments, policies and controls, identity and access management
Security monitoring services
• 24x7x365 monitoring
• Monitoring and notification service from the SOC
• Reporting services
Device management services
• Firewall / IDS / IPS / WAF management
• Authentication server management
• End-point management
• Implementation services
• Anti-virus and malware management service
Vulnerability management services
• Vulnerability assessment
• Penetration testing
• Web application security assessment
• Secure configuration management
• Patch management
Mobile security services
• BYOD policy creation
• Mobile device (security) management
• Mobile security testing
Security Operations Center
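The ticket on the Attack Detection slide above (slide 14) is built by hand from a single IPS alert. The following Python is an added example, not CSS Corp's code, showing how a SOC can do that step mechanically: parse the McAfee SyslogAlertForwarder line from that slide, choose the internal host as the affected asset regardless of which side the sensor called the attacker, check the external peer against a threat-intelligence blacklist, and emit the ticket fields the slide lists. The names given to the 22 pipe-delimited fields, the P1 to P5 priority matrix, the blacklist and the asset inventory are assumptions constructed for this example (McAfee's syslog layout is template-driven, so verify it against your own sensor); the asset values are the ones shown on the slide.

```python
"""Added example (not CSS Corp code): triage one McAfee IPS syslog alert into a
SOC incident ticket. Field names, priority matrix, blacklist and asset
inventory are constructed assumptions; verify the field layout against your
sensor's syslog forwarder template before reuse."""
import ipaddress
import re

# The alert shown on the slide, with extraction line breaks repaired.
SAMPLE_ALERT = (
    "May 30 09:51:03 10.9.15.16 SyslogAlertForwarder: |5840905297032758676|Signature|"
    "2013-05-30 09:51:02 IST|BOT: Warbot Bot Activity Detected|0x48809d00|High|warbot1|"
    "Medium|My Company|AMBIT_IPS_Secondary|1A1B|192.138.151.200|80|10.130.56.31|63468|"
    "Malware|botnet|Outbound|Inconclusive|signature|http|tcp|"
)

# Assumed meaning of the 22 pipe-delimited fields; the forwarder template is configurable.
FIELDS = [
    "alert_id", "alert_type", "sensor_time", "attack_name", "attack_id", "severity",
    "attack_short_name", "confidence", "admin_domain", "sensor_name", "interface",
    "attacker_ip", "attacker_port", "target_ip", "target_port", "category",
    "subcategory", "direction", "result_status", "detection_mechanism",
    "app_protocol", "net_protocol",
]

ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<detector>\S+) "
    r"SyslogAlertForwarder: \|(?P<body>.*)\|$"
)

# Constructed threat-intelligence blacklist and asset inventory; the asset
# record carries the values printed in the slide's ticket.
THREAT_INTEL_BLACKLIST = {"192.138.151.200"}
ASSET_INVENTORY = {
    "10.130.56.31": {"hostname": "LAP-04-1235", "location": "West Wing", "project": "Aruba",
                     "user": "Riyazuddin Mohammed", "employee_id": "sl091306"},
}

# Constructed P1..P5 matrix: severity sets the base, weaker confidence demotes.
SEVERITY_RANK = {"High": 1, "Medium": 2, "Low": 3}
CONFIDENCE_PENALTY = {"High": 0, "Medium": 1, "Low": 2}


def parse_mcafee_alert(line: str) -> dict:
    """Split a SyslogAlertForwarder line into the syslog header plus named alert fields."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a McAfee SyslogAlertForwarder line")
    parts = m.group("body").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} alert fields, got {len(parts)}")
    alert = dict(zip(FIELDS, parts))
    alert["syslog_time"], alert["detector"] = m.group("ts"), m.group("detector")
    return alert


def priority_for(severity: str, confidence: str) -> str:
    level = 1 + SEVERITY_RANK.get(severity, 3) + CONFIDENCE_PENALTY.get(confidence, 2)
    return f"P{min(level, 5)}"


def triage(line: str, incident_id: str, blacklist=THREAT_INTEL_BLACKLIST,
           assets=ASSET_INVENTORY) -> dict:
    """Produce the ticket record the slide shows from one raw alert line."""
    alert = parse_mcafee_alert(line)
    # The sensor labels the server side of the flow as the attacker. For an
    # outbound bot check-in that is the C2 host, so choose the affected asset by
    # address range rather than by which side the sensor called "attacker".
    endpoints = [alert["attacker_ip"], alert["target_ip"]]
    internal = [ip for ip in endpoints if ipaddress.ip_address(ip).is_private]
    external = [ip for ip in endpoints if ip not in internal]
    affected_ip = internal[0] if internal else alert["target_ip"]

    reasons = [f"{alert['attack_name']} ({alert['category']}/{alert['subcategory']}) "
               f"on sensor {alert['sensor_name']}"]
    reasons += [f"peer {ip} is on the threat-intelligence blacklist"
                for ip in external if ip in blacklist]
    if alert["direction"] == "Outbound" and internal:
        reasons.append(f"outbound connection from {affected_ip}: possible C2 check-in")
    if alert["result_status"] == "Inconclusive":
        reasons.append("sensor result inconclusive: host scan needed to confirm infection")

    return {
        "incident_id": incident_id,
        "priority": priority_for(alert["severity"], alert["confidence"]),
        "detection_type": "McAfee - IPS",
        "detector": alert["detector"],
        "source": f"{alert['attacker_ip']} | {alert['attacker_port']}",
        "destination": f"{alert['target_ip']} | {alert['target_port']}",
        "reason_for_escalating": reasons,
        "affected_machine": {"ip_address": affected_ip, **assets.get(affected_ip, {})},
        "recommendation": "Scan the asset with updated AV signatures; isolate it if malware is confirmed",
        "sample_log": line.strip(),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ALERT, "IM570610"), indent=2))
```

Running the file prints the ticket for the slide's alert with priority P3, the same value the slide shows, because a High-severity signature at Medium confidence lands on P3 in the constructed matrix. The strict field-count check is deliberate: a forwarder template change silently shifts every column, and an analyst would rather see a parse error than a ticket whose "target" is really the attack ID.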
Slide 18 - SOC Architecture
[Figure]

Slide 19 - Vulnerability Management
• VM services cover four activities: vulnerability assessment of IT assets, validation of identified vulnerabilities, providing recommendations, and reporting
• Provides an independent baseline and validation of the organization's security posture
• Risk analysis and remediation plans tailored to the organization's unique business requirements and security needs
Vulnerability assessment
• Scanning of the target infrastructure, establishing a baseline and making compliance easier by validating external posture
Penetration testing
• Manual testing and exploitation, in addition to false-positive reduction of automated results
• Provides an overall security picture at a lower cost through repeatable exercises
• Verifies that defense in depth and response capabilities are working as designed, along with validation of security controls
• Periodically verifies that assets are properly protected; evaluates recurring differentials and manages vulnerabilities
• Required by many industry regulations and standards

Slide 20 - Thank You
© CSS Corp. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

Slide 21 - Network & Security Operations
The NOC's purpose has always been to ensure "power, ping, and pipe" to computing resources, and it is critically measured on uptime. Conversely, the SOC's purpose has been to "protect, detect, react, and recover", and it is critically measured on response time.

Network operations               | Security operations
Network monitoring & management  | Network behavior anomaly detection
Network fault tolerance          | Intrusion detection
Network device configuration     | Threat & log management
Sniffing and troubleshooting     | Network forensics

Slide 22 - SIEM Event Types
Event type      | Source                                      | Vendor/application                                   | Events
System activity | Server syslog                               | Windows, Linux                                       | Authentication/authorization; services starting/stopping; config changes; audit events
Web proxy logs  | Web proxies                                 | Websense                                             | Web malware downloads, command-and-control check-ins
Malware logs    | Antivirus; spam filter                      | McAfee ePO; Blue Coat                                | Malicious activity, malicious URLs, malicious attachments
Firewall logs   | Network firewall; web application firewall  | Cisco ASA, Check Point, Juniper; Trustwave, Imperva  | Accepted/denied connections
Web server logs | Web servers                                 | Apache, IIS                                          | Access logs, error logs

Slide 23 - Security Event Analysis
[Figure]

Slide 24 - Source / Target Analysis
[Figure]
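The SIEM Event Types table lists sources by vendor but not what the SIEM does with them once they arrive. As an added example that is not part of the original deck, the Python below normalises constructed log lines from three of those source types (OpenSSH server syslog, a Cisco ASA firewall, an Apache web server) into one event schema and runs a single correlation rule over the result: several failed SSH logins from one address inside a short window followed by a successful one, enriched with which other sources saw that address afterwards. The sample lines, the year assumed for the year-less syslog timestamps, and the rule's threshold and window are all constructed for this example.

```python
"""Added example (not CSS Corp code): normalise events from three SIEM source
types into one schema and run a correlation rule over them. The log lines are
constructed samples in the standard OpenSSH, Cisco ASA and Apache combined
formats; the syslog year, the threshold and the window are assumptions."""
import re
from datetime import datetime, timedelta

SYSLOG_YEAR = 2013  # BSD syslog carries no year; assumed for the constructed samples

SYSLOG_HDR = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
SSHD_RE = re.compile(
    SYSLOG_HDR + r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
ASA_RE = re.compile(
    SYSLOG_HDR + r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection \d+ "
    r"for \S+:(?P<src>[\d.]+)/\d+ \(\S+\) to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
APACHE_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) \S+"
)

# Constructed samples: an SSH brute force that succeeds, the firewall session that
# carried it, an unrelated key login, the attacker's first web request afterwards,
# and one line no parser understands.
SAMPLE_LINES = [
    "May 30 09:50:00 fw01 %ASA-6-302013: Built inbound TCP connection 11890 for "
    "outside:203.0.113.7/51022 (203.0.113.7/51022) to inside:10.0.0.5/22 (10.0.0.5/22)",
    "May 30 09:50:01 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "May 30 09:50:03 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "May 30 09:50:05 web01 sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2",
    "May 30 09:50:09 web01 sshd[2240]: Accepted password for root from 203.0.113.7 port 51030 ssh2",
    "May 30 09:50:10 web01 sshd[2250]: Accepted publickey for deploy from 10.0.0.9 port 40000 ssh2",
    '203.0.113.7 - - [30/May/2013:09:52:10 +0530] "GET /admin/ HTTP/1.1" 200 512 "-" "curl/7.30.0"',
    "May 30 09:52:11 web01 kernel: something the SIEM has no parser for",
]


def _syslog_time(ts: str) -> datetime:
    return datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def normalize(line: str):
    """Map one raw line onto the common schema; None means unparsed, which a SIEM
    must count and surface rather than silently drop."""
    if m := SSHD_RE.match(line):
        return {"time": _syslog_time(m["ts"]), "source_type": "server_syslog", "host": m["host"],
                "src_ip": m["src"], "dst_ip": None, "dst_port": 22, "user": m["user"],
                "action": "auth", "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    if m := ASA_RE.match(line):
        return {"time": _syslog_time(m["ts"]), "source_type": "network_firewall", "host": m["host"],
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]), "user": None,
                "action": f"connection_{m['direction']}", "outcome": "accepted"}
    if m := APACHE_RE.match(line):
        # The sample keeps one time zone; production code converts every source to UTC first.
        when = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        return {"time": when, "source_type": "web_server", "host": None, "src_ip": m["src"],
                "dst_ip": None, "dst_port": 80, "user": None, "action": f"http_{m['method'].lower()}",
                "outcome": "success" if m["status"][0] in "23" else "failure"}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logins from one source inside `window`, then a
    successful login from the same source. Each alert also records which source types
    saw that address afterwards, which is what the analyst pivots on next."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["action"] != "auth" or ev["outcome"] != "success":
            continue
        failures = [f for f in events[:i] if f["action"] == "auth" and f["outcome"] == "failure"
                    and f["src_ip"] == ev["src_ip"] and ev["time"] - f["time"] <= window]
        if len(failures) < threshold:
            continue
        later = sorted({e["source_type"] for e in events[i + 1:] if e["src_ip"] == ev["src_ip"]})
        alerts.append({"rule": "ssh_bruteforce_then_success", "time": ev["time"],
                       "src_ip": ev["src_ip"], "host": ev["host"], "user": ev["user"],
                       "failed_attempts": len(failures), "followed_by": later})
    return alerts


def run_demo():
    """Normalise SAMPLE_LINES, then correlate; returns (alerts, unparsed_lines)."""
    events, unparsed = [], []
    for line in SAMPLE_LINES:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return correlate(events), unparsed


if __name__ == "__main__":
    found, skipped = run_demo()
    for a in found:
        print(a)
    print(f"{len(skipped)} unparsed line(s)")
```

Run stand-alone it reports one alert: three failures then a successful root login from 203.0.113.7 on web01, followed by web-server activity from the same address, plus one unparsed line. The unparsed count matters as much as the alert: a SIEM that drops lines it cannot parse has a blind spot exactly where a new device or log format appears.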