Jeannette Jarvis
Association of Anti Virus Asia Researchers
November 26, 2004
Managing A Global Corporate Protection Infrastructure
Agenda
• Setting the scene
• Objective
• Threats
• Challenges
• Protection Strategy
• Products
• Processes
• Critical reference links
Company Objectives
• Virus/worm/intrusion free environment
• Immediate alerting notification
  • Security incidents
  • Suspicious activity
• Well-defined processes
  • Normal operations
  • Events
• Enterprise compliance
  • Security tools & update process
Malware Threats
• Denial of service
• Execution of arbitrary code
• Remote execution
• Viewing sensitive company information
• Manipulating data
• Propagating data
• Keylogging exploits
• Phishing schemes
• Spyware / Adware
• Spoofing
Software Vulnerabilities
As reported by SEI CERT/CC: www.cert.org/stats/cert_stats.html
Progression of Malware Transports
• 1987 – Viruses on floppy disks: Brain, Friday the 13th, Michelangelo
• 1995 – Viruses in macros: Concept, Laroux, Wazzu
• 1999 – Viruses by e-mail: Melissa, Loveletter
• 2001 to 2004 and beyond – Worms: Nimda, Code Red, SQL Slammer, Sasser
Challenges
• Security versus
  • Functionality
  • Usability
  • Scalability
  • Manageability
• Time from vulnerability disclosure to exploit is short
Company Challenges
• Limited resources
• Outdated/misconfigured machines
• Rogue servers
• Acquisitions – conforming to your existing security policies and processes
• Home users – lack of configuration control
• Mobile employees – low bandwidth for security updates
Risk Versus Cost
• Budget constraints
• Critical infrastructure
Protection Management Components
Products
• Multi-tiered approach
• Address all entry and exit points
People
• Education / Awareness / Communication
• Engagement
Policy
• Consistent compliance across enterprise
• Published security policy
Processes
• Consistent enterprise solutions
• Continuous process improvement
Products – Defense in Depth
• Port blocking
• Firewall – desktop and network
• Intrusion detection/prevention tools
• Web proxy filtering
• Content filtering – perimeter and internal
• Anti-virus – multi-vendor approach
• Spyware / Adware
• Pop-up blocker
• Event correlation tool
Policy & Process Tools
• Push tools – patches and configuration updates
• Compliance tools – conform to company policies or be barred from entry
• Centralized management tools
  • One site for enterprise visibility of activity and product disposition
  • Centrally manage product updates, signature detections and policy creation
• Metrics and reporting
• Encryption policy
• Enterprise backup solution
Visibility
• Event correlation tool
  • Gathers events of interest from ALL security tools throughout the enterprise
  • Stores them in a well-structured database to enable efficient detection of, and response to, complex incidents
  • Provides effective queries for investigators
  • Reports based on trend analysis
  • Effective metrics to target detection strategy
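As an added illustration of what the event correlation tool on this slide does (example code, not part of the original talk), the script below normalises constructed log lines from three hypothetical tools (anti-virus, firewall, IDS) into one SQLite table, then queries it for hosts reported by more than one tool within a short window and for a per-tool event count usable in trend reports; the log formats, hostnames, addresses and the asset table are all made up.

```python
import sqlite3
from datetime import datetime

# Constructed sample lines (hypothetical formats/hosts/addresses, not vendor output).
AV_LOG = [
    "2004-11-20 09:02:11 host=WS-0142 action=quarantined threat=W32/Sasser.worm",
    "2004-11-20 09:40:55 host=WS-0377 action=cleaned threat=W32/Netsky",
]
FW_LOG = [
    "2004-11-20 09:03:40 src=10.20.4.142 dport=445 action=deny hits=311",
    "2004-11-20 10:15:02 src=10.20.7.12 dport=80 action=allow hits=4",
]
IDS_LOG = ["2004-11-20 09:05:27 sensor=dmz-1 host=WS-0142 sig=lsass_overflow_attempt"]
# Constructed asset inventory: maps firewall source addresses to the host key other tools use.
ASSETS = {"10.20.4.142": "WS-0142", "10.20.7.12": "WS-0377"}

def parse(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into (timestamp, fields)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return ts, dict(tok.split("=", 1) for tok in line[20:].split())

def load_events():
    """Normalise every tool's lines into one events table (in-memory DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, host TEXT, tool TEXT, detail TEXT)")
    rows = []
    for line in AV_LOG:
        ts, f = parse(line)
        rows.append((ts.isoformat(), f["host"], "antivirus", f["threat"]))
    for line in FW_LOG:
        ts, f = parse(line)
        host = ASSETS.get(f["src"], f["src"])  # fall back to the raw address
        rows.append((ts.isoformat(), host, "firewall", f["action"] + ":" + f["dport"]))
    for line in IDS_LOG:
        ts, f = parse(line)
        rows.append((ts.isoformat(), f["host"], "ids", f["sig"]))
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    return conn

def correlated_pairs(conn, window_minutes=10):
    """(host, tool_a, tool_b) for same-host events from two tools within the window."""
    sql = """SELECT a.host, a.tool, b.tool FROM events a JOIN events b
               ON a.host = b.host AND a.tool < b.tool
              AND ABS(julianday(b.ts) - julianday(a.ts)) * 1440 <= ?
             ORDER BY a.host, a.tool, b.tool"""  # 1440 converts days to minutes
    return conn.execute(sql, (window_minutes,)).fetchall()

def events_per_tool(conn):
    """Trend metric for reporting: how many events each tool contributed."""
    return dict(conn.execute("SELECT tool, COUNT(*) FROM events GROUP BY tool"))
```

With the default ten-minute window only WS-0142 (anti-virus, firewall and IDS all within four minutes) is returned; widening the window to an hour also pairs WS-0377's anti-virus event with its later firewall entry.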
Consistent Enterprise Processes
• Have established plans for prevention, detection and reaction
• Know who does what, when
  • Backup personnel identified
• Normal operations
  • Monitoring for malware activity
  • Who initiates mitigation for new threats
• Communication process
  • When is information communicated?
  • How?
  • By whom?
Process during an event
• Security event
  • Defined processes for how your company reacts to a security incident / outbreak
• Notification
  • Those involved with the event
  • General employee population
• Action
  • Who is empowered to take action
  • Locking down machines
  • Isolating network
  • Product updates
Vulnerability Monitoring
• Security monitoring and response team
  • Monitors new vulnerabilities
  • Triages security alerts
  • Assesses impact on infrastructure
  • Reports status
    • Criticality
    • Recommendation
    • Links to updates
  • Ensures that the responsible party is providing a solution in an appropriate timeframe
  • Prioritizes the threats
• Continuous audits of enterprise
Education
• Yearly security awareness training is required
  • Interactive web-based training is mandated
  • Annual security video required to be reviewed by all
• Internal web site for virus information
  • Company-wide information
• Company web site when threat/issue warrants complete visibility
• Email to all employees when their involvement is critical to containment of a threat
Post Mortem
• Tool to communicate lessons learned and improve your infrastructure
• Immediately following closure of incident
• All key organizations have representation
  • Attendance is mandatory
• Establish root cause
• Address perceptions and reality
Continuous Process Improvement
Home Users
• Hardware firewall preferred
• Software firewall at minimum
• Policy compliance
  • Disable ability to log in to corporate network unless up-to-date
    • Patches
    • Anti-virus signature files
    • Personal firewall installed
IT Department Responsibility
• Empowerment to make immediate high-impact decisions
• Vulnerability assessments
  • “What if” scenarios
• Isolated network / Isolated lab environment
• Fail-over architecture
Event Disaster Plan
• Critical contact phone lists available off-line
• Processes to get needed security product updates when normal resources are unavailable
• Teleconferences for management and technical staff to get needed information during crises
• Business continuity plans established
• Communication process when normal channels are eliminated
Virus Industry Presence – Associations
• AVAR – Association of Anti-virus Asia Researchers: http://www.aavar.org
• AVIEN – Anti-virus Information Exchange Network: http://www.avien.org/
• AVIEWS – Anti-virus Information Early Warning System: http://www.aviews.org
• EICAR – European Institute for Computer Antivirus Research: http://www.eicar.org/
• The WildList Organization – International forum on in-the-wild viruses: http://www.wildlist.org/
Critical Information Links
• CERT – Computer Emergency Response Team: http://www.cert.org/
• Internet Storm Center: http://isc.sans.org//index.php
• Virus Bulletin: http://www.virusbulletin.com/
• Anti-Phishing Working Group: http://www.antiphishing.org/
Closing
• Managing your environment requires
  • Due diligence
  • Defensive tools
  • Monitoring & awareness
  • Notification and response
  • On-going user education
  • Consistent enterprise processes