
Managing A Global Corporate Protection Infrastructure

Jeannette Jarvis, Association of Anti Virus Asia Researchers, November 26, 2004.


Presentation Transcript


  1. Managing A Global Corporate Protection Infrastructure
     Jeannette Jarvis, Association of Anti Virus Asia Researchers, November 26, 2004

  2. Agenda
     • Setting the scene
     • Objective
     • Threats
     • Challenges
     • Protection Strategy
     • Products
     • Processes
     • Critical reference links

  3. Company Objectives
     • Virus/worm/intrusion free environment
     • Immediate alerting notification
       • Security incidents
       • Suspicious activity
     • Well-defined processes
       • Normal operations
       • Events
     • Enterprise compliance
       • Security tools & update process

  4. Malware Threats
     • Denial of service
     • Execution of arbitrary code
     • Remote execution
     • Viewing sensitive company information
     • Manipulating data
     • Propagating data
     • Keylogging exploits
     • Phishing schemes
     • Spyware / Adware
     • Spoofing

  5. Software Vulnerabilities As reported by SEI CERT/CC: www.cert.org/stats/cert_stats.html

  6. Progression of Malware Transports (timeline)
     • 1987 – Viruses on floppy disks: Brain, Friday the 13th, Michelangelo
     • 1995 – Viruses in macros: Concept, Laroux, Wazzu
     • 1999 – Virus by e-mail: Melissa, Loveletter
     • 2001 > 2004 – Worms: Nimda, Code Red, SQL Slammer, Sasser

  7. Software Vulnerability Lifecycle

  8. Challenges
     • Security versus
       • Functionality
       • Usability
       • Scalability
       • Manageability
     • Vulnerability-to-exploit time is short

  9. Company Challenges
     • Limited resources
     • Outdated/mis-configured machines
     • Rogue servers
     • Acquisitions – conforming to your existing security policies and processes
     • Home users – lack of configuration control
     • Mobile employees – low bandwidth for security updates

  10. Risk Versus Cost
     (chart on slide: Budget Constraints, Critical Infrastructure)

  11. Protection Management Components
     • Products
       • Multi-tiered approach
       • Address all entry and exit points
     • People
       • Education / Awareness / Communication
       • Engagement
     • Policy
       • Consistent compliance across enterprise
       • Published security policy
     • Processes
       • Consistent enterprise solutions
       • Continuous process improvement

  12. Products – Defense in Depth
     • Port blocking
     • Firewall – desktop and network
     • Intrusion detection/prevention tools
     • Web proxy filtering
     • Content filtering – perimeter and internal
     • Anti-virus – multi-vendor approach
     • Spyware / Adware
     • Pop-up blocker
     • Event correlation tool

  13. Policy & Process Tools
     • Push tools – patches and configuration updates
     • Compliance tools – conform to company policies or be barred from entry
     • Centralized management tools
       • One site for enterprise visibility of activity and product disposition
       • Centrally manage product updates, signature detections & policy creation
     • Metrics and reporting
     • Encryption policy
     • Enterprise backup solution

  14. Visibility
     • Event correlation tool
       • Gather events of interest throughout the enterprise from ALL security tools
       • Into a well-structured database to enable efficient complex incident detection and response
       • Provide effective query for investigators
       • Reports based on trend analysis
       • Effective metrics to target detection strategy
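Slide 14 describes the event correlation tool only in outline: normalise events from every security tool into one well-structured database, then run queries that no single tool could answer. The following Python is an added illustration written for this transcript, not a tool from the presentation. The three log formats, the hosts and the detection names are constructed sample data, and the queries (a host reported by more than one tool; a source the firewall denied to many targets on one port; event volume per tool as a trend metric) are assumed examples of the kind of correlation the slide has in mind.

```python
import re
import sqlite3

# Constructed sample log lines from three separate tools (not real data). Each
# tool writes its own format; the correlation layer normalises them into one table.
FIREWALL_LOG = [
    "2004-11-20 08:01:12 DENY src=10.1.4.22 dst=10.1.9.5 dport=445",
    "2004-11-20 08:01:13 DENY src=10.1.4.22 dst=10.1.9.6 dport=445",
    "2004-11-20 08:01:14 DENY src=10.1.4.22 dst=10.1.9.7 dport=445",
    "2004-11-20 08:05:00 DENY src=10.1.7.3 dst=10.1.9.5 dport=80",
    "2004-11-20 08:06:00 <truncated line from collector>",  # deliberately malformed
]
IDS_LOG = [
    "2004-11-20T08:01:15 alert host=10.1.4.22 sig=Sasser propagation attempt",
]
AV_LOG = [
    "2004-11-20 08:02:40 host=10.1.4.22 detected=W32/Sasser action=quarantined",
    "2004-11-20 09:10:02 host=10.1.8.9 detected=EICAR-Test-File action=deleted",
]

FIREWALL_RE = re.compile(r"^(\S+ \S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) alert host=(\S+) sig=(.+)$")
AV_RE = re.compile(r"^(\S+ \S+) host=(\S+) detected=(\S+) action=(\S+)$")


# Every parser returns the same shape: (ts, tool, host, detail, dst, dport).
def parse_firewall(line):
    m = FIREWALL_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    return (ts, "firewall", src, f"{action} {dst}:{dport}", dst, int(dport))


def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    ts, host, sig = m.groups()
    return (ts.replace("T", " "), "ids", host, sig, None, None)  # unify timestamp style


def parse_av(line):
    m = AV_RE.match(line)
    if not m:
        return None
    ts, host, name, action = m.groups()
    return (ts, "av", host, f"{name} ({action})", None, None)


PARSERS = {"firewall": parse_firewall, "ids": parse_ids, "av": parse_av}


def load_events(conn, logs):
    """Normalise every tool's lines into one events table. Returns the number of
    lines that failed to parse, so collection gaps are visible rather than silent."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS events ("
        "ts TEXT, tool TEXT, host TEXT, detail TEXT, dst TEXT, dport INTEGER)"
    )
    skipped = 0
    for tool, lines in logs.items():
        for line in lines:
            row = PARSERS[tool](line)
            if row is None:
                skipped += 1
                continue
            conn.execute("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", row)
    conn.commit()
    return skipped


def hosts_seen_by_multiple_tools(conn, min_tools=2):
    """Hosts that appear in events from at least min_tools different tools:
    the cross-tool view a single product console cannot give an investigator."""
    seen = {}
    for host, tool in conn.execute("SELECT DISTINCT host, tool FROM events"):
        seen.setdefault(host, set()).add(tool)
    return sorted((h, sorted(t)) for h, t in seen.items() if len(t) >= min_tools)


def port_scan_suspects(conn, dport=445, min_targets=3):
    """Sources the firewall denied to min_targets or more distinct hosts on one port."""
    rows = conn.execute(
        "SELECT host, COUNT(DISTINCT dst) FROM events "
        "WHERE tool = 'firewall' AND dport = ? GROUP BY host "
        "HAVING COUNT(DISTINCT dst) >= ?",
        (dport, min_targets),
    ).fetchall()
    return [(host, n) for host, n in rows]


def events_per_tool(conn):
    """Simple metric for trend reporting: event volume by source tool."""
    return dict(conn.execute("SELECT tool, COUNT(*) FROM events GROUP BY tool").fetchall())


def build_sample_db():
    """Load the constructed logs into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    skipped = load_events(conn, {"firewall": FIREWALL_LOG, "ids": IDS_LOG, "av": AV_LOG})
    return conn, skipped


if __name__ == "__main__":
    conn, skipped = build_sample_db()
    print("unparsed lines:", skipped)
    print("hosts seen by several tools:", hosts_seen_by_multiple_tools(conn))
    print("port-scan suspects:", port_scan_suspects(conn))
    print("events per tool:", events_per_tool(conn))
```

The parse-failure counter matters as much as the queries: a correlation database that silently drops what it cannot parse gives investigators false confidence that nothing happened.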

  15. Consistent Enterprise Processes
     • Have established plans for prevention, detection and reaction
     • Know who does what, when
       • Backup personnel identified
     • Normal operations
       • Monitoring for malware activity
       • Who initiates mitigation for new threats
     • Communication process
       • When is information communicated?
       • How?
       • By whom?

  16. Process During an Event
     • Security event
       • Defined processes for how your company reacts to a security incident / outbreak
     • Notification
       • Those involved with the event
       • General employee population
     • Action
       • Who is empowered to take action
       • Locking down machines
       • Isolating network
       • Product updates

  17. Vulnerability Monitoring
     • Security monitoring and response team
       • Monitors new vulnerabilities
       • Triages security alerts
       • Assesses impact on infrastructure
       • Reports status
         • Criticality
         • Recommendation
         • Links to updates
       • Ensures that the responsible party is providing a solution in an appropriate timeframe
       • Prioritizes the threats
       • Continuous audits of enterprise
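The team on slide 17 triages each new advisory by its impact on this infrastructure, reports criticality with an owner and a link, and chases the responsible party against a timeframe. As an added example (not from the presentation), the Python below turns those bullets into a small triage routine: a priority score that combines vendor severity with whether the product is actually deployed, its scale, and public exploit availability; a due date derived from an assumed per-severity timeframe; and an overdue list grouped by owner for escalation. The advisory identifiers, inventory figures and SLA days are all constructed placeholders.

```python
from datetime import date, timedelta

# Constructed advisory records; the ids are placeholders, not real advisory numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "product": "Windows desktop", "severity": "critical",
     "exploit_public": True, "published": date(2004, 11, 1)},
    {"id": "ADV-PLACEHOLDER-2", "product": "Solaris", "severity": "high",
     "exploit_public": False, "published": date(2004, 11, 20)},
    {"id": "ADV-PLACEHOLDER-3", "product": "Windows desktop", "severity": "low",
     "exploit_public": False, "published": date(2004, 11, 15)},
    {"id": "ADV-PLACEHOLDER-4", "product": "Mainframe", "severity": "critical",
     "exploit_public": True, "published": date(2004, 11, 18)},
]

# Constructed asset inventory: which products are deployed and who owns patching them.
INVENTORY = {
    "Windows desktop": {"hosts": 12000, "owner": "desktop-engineering"},
    "Solaris": {"hosts": 40, "owner": "unix-operations"},
}

SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Remediation timeframe in days after publication, per severity (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

TALK_DATE = date(2004, 11, 26)  # "today" for the sample run


def priority(adv, inventory):
    """Impact on *this* infrastructure, not just the vendor's severity rating."""
    deployed = inventory.get(adv["product"])
    if deployed is None:
        return 0  # product not deployed: no exposure, track for awareness only
    score = SEVERITY_SCORE[adv["severity"]]
    if adv["exploit_public"]:
        score += 1  # the exploit window is already open
    if deployed["hosts"] >= 1000:
        score += 1  # wide deployment raises the blast radius
    return score


def triage(advisories, inventory, today):
    """Produce the status report: one row per advisory, highest priority first."""
    report = []
    for adv in advisories:
        deployed = inventory.get(adv["product"])
        due = adv["published"] + timedelta(days=SLA_DAYS[adv["severity"]])
        report.append({
            "id": adv["id"],
            "priority": priority(adv, inventory),
            "owner": deployed["owner"] if deployed else None,
            "due": due,
            # Only deployed products have a responsible party to hold to the date.
            "overdue": deployed is not None and today > due,
        })
    report.sort(key=lambda r: (-r["priority"], r["due"]))
    return report


def overdue_by_owner(report):
    """Which responsible parties are past their timeframe, for escalation."""
    out = {}
    for row in report:
        if row["overdue"]:
            out.setdefault(row["owner"], []).append(row["id"])
    return out


def sample_report():
    return triage(ADVISORIES, INVENTORY, TALK_DATE)


if __name__ == "__main__":
    report = sample_report()
    for row in report:
        print(row["id"], "priority", row["priority"], "owner", row["owner"],
              "due", row["due"], "OVERDUE" if row["overdue"] else "")
    print("escalate:", overdue_by_owner(report))
```

Note how the undeployed advisory sorts to the bottom with no owner even though the vendor rates it critical; that is the "assesses impact on infrastructure" step, and it is what keeps a small team from chasing advisories that do not apply to them.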

  18. Education
     • Yearly security awareness training is required
     • Interactive web-based training is mandated
     • Annual security video required to be reviewed by all
     • Internal web site for virus information
     • Company-wide information
       • Company web site when threat/issue warrants complete visibility
       • Email to all employees when their involvement is critical to containment of a threat

  19. Post Mortem
     • Tool to communicate lessons learned and improve your infrastructure
     • Immediately following closure of incident
     • All key organizations have representation
     • Attendance is mandatory
     • Establish root cause
     • Address perceptions and reality
     Continuous Process Improvement

  20. Home Users
     • Hardware firewall preferred
     • Software firewall at minimum
     • Policy compliance
       • Disable ability to log in to corporate network unless up-to-date
         • Patches
         • Anti-virus signature files
         • Personal firewall installed
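Slide 20 states the admission rule for home users but not how it is evaluated. The Python below is an added example for this transcript, not part of the presentation or of any product it mentions: a compliance gate that denies the corporate login unless patches and anti-virus signatures are within an assumed maximum age and a personal firewall is present, and that reports every failed check so the user knows what to remediate before retrying. The age thresholds and the sample fleet are constructed values.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds (placeholders, not values from the presentation).
MAX_PATCH_AGE_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 3


@dataclass
class Endpoint:
    hostname: str
    patch_date: date           # date of the last applied patch bundle
    signature_date: date       # date of the installed anti-virus signature file
    personal_firewall: bool    # software firewall installed and running
    hardware_firewall: bool = False


def check_compliance(ep, today):
    """Return every failed check, not just the first, so the user can fix all at once.
    An empty list means the host satisfies the policy."""
    failures = []
    if (today - ep.patch_date).days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if (today - ep.signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"anti-virus signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
    if not ep.personal_firewall:
        failures.append("personal firewall not installed")
    return failures


def admission_decision(ep, today):
    """('allow', [notes]) or ('deny', [reasons]) for one host."""
    failures = check_compliance(ep, today)
    if failures:
        return "deny", failures
    note = "hardware firewall" if ep.hardware_firewall else "software firewall only (minimum)"
    return "allow", [note]


def decide_all(endpoints, today):
    return {ep.hostname: admission_decision(ep, today) for ep in endpoints}


# Constructed sample fleet evaluated on the date of the talk.
TODAY = date(2004, 11, 26)
SAMPLE = [
    Endpoint("home-pc-01", date(2004, 11, 20), date(2004, 11, 25), True, True),
    Endpoint("home-pc-02", date(2004, 9, 1), date(2004, 11, 25), True),   # stale patches
    Endpoint("home-pc-03", date(2004, 11, 20), date(2004, 11, 10), False),  # stale AV, no firewall
]


if __name__ == "__main__":
    for host, (decision, details) in decide_all(SAMPLE, TODAY).items():
        print(host, decision, "; ".join(details))
```

The signature-age window is deliberately much tighter than the patch window: on the slide 6 timeline the transports moved from floppy to worm in a few years, and by 2004 a home machine with week-old signatures was effectively unprotected against the current outbreak.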

  21. IT Department Responsibility
     • Empowerment to make immediate high-impact decisions
     • Vulnerability assessments
     • "What if" scenarios
     • Isolated network / isolated lab environment
     • Fail-over architecture

  22. Event Disaster Plan
     • Critical contact phone lists available off-line
     • Processes to get needed security product updates when normal resources are unavailable
     • Teleconferences for management and technical staff to get needed information during crises
     • Business continuity plans established
     • Communication process when normal channels are eliminated

  23. Virus Industry Presence – Associations
     • AVAR – Association of Anti-virus Asia Researchers: http://www.aavar.org
     • AVIEN – Anti-virus Information Exchange Network: http://www.avien.org/
     • AVIEWS – Anti-virus Information Early Warning System: http://www.aviews.org
     • EICAR – European Institute for Computer Antivirus Research: http://www.eicar.org/
     • The WildList Organization – International forum on in-the-wild viruses: http://www.wildlist.org/

  24. Critical Information Links
     • CERT – Computer Emergency Response Team: http://www.cert.org/
     • Internet Storm Center: http://isc.sans.org//index.php
     • Virus Bulletin: http://www.virusbulletin.com/
     • Anti-Phishing Working Group: http://www.antiphishing.org/

  25. Closing
     • Managing your environment requires
       • Due diligence
       • Defensive tools
       • Monitoring & awareness
       • Notification and response
       • On-going user education
       • Consistent enterprise processes

  26. ??? Questions ???
