Optimizing Cyber threat Intel across your organization Peter Van Eeckhout SE Belux
Outline • Why we need to change today • Gaining smart Intel before we go into battle • Using Intel dynamically to win the war • Sharing Intel between countermeasures • How do we federate the model?
By the end of 2010…
Malware Growth Still Healthy, Curve Flattening (chart: number of samples in our database, 0 to 40,000,000, plotted by quarter from Q1 2008 through Q4 2010)
The Top Five Worldwide Malware
• Generic!Atr: generic removable-device malware
• Generic.dx: generic downloaders and Trojans
• W32/Conficker.worm!inf: removable-device Conficker worm detection
• Generic PUP: general-purpose potentially unwanted programs
• GameVance: online gaming software that collects stats anonymously
Two of the top five are AutoRun malware (no user action required), while the others are password-stealing Trojans.
How many of you were monitoring Nirbot.worm?
Exploits:
• Microsoft Windows Server Service Buffer Overflow (MS06-040)
• Symantec Client Security and Symantec AntiVirus elevation of privilege vulnerability (SYM06-010)
Can:
• Gather system information (CPU, RAM, OS version, IP address, username, uptime)
• Scan the network for machines to infect
• Launch a TFTP server, an HTTP server and a SOCKS4 proxy
• Download and execute files
• Update the bot
• Uninstall the bot
How many of you were monitoring Conficker.worm?
• Worm: we see new worms each day. Nothing new!
• Used a Microsoft vulnerability
• Starts an HTTP service. Common bot behaviour!
• Scans subnets for other systems. Typical worm behaviour!
• Connects to the Web for updates/more malware. Typical bot behaviour!
• Utilises Autorun.inf and scheduled tasks. Becoming more common!
• Tries to block security updates. Nothing new!
Threat Intel – When and what to share?
• When is the right time to engage?
  • On industry/vendor advisory?
  • On business incident?
  • On technology alerts? (real-time events, log analytics)
• Reactive or proactive?
  • On vulnerability?
  • On exploit?
  • On threat?
  • On data breach?
Today’s IT Security landscape drives fragmentation
(slide: a vendor logo wall with dozens of vendors in each category; the categories are Security Interlock?, Risk Mgmt, WhiteListing, Encryption, Endpoint, Firewall, eMail, Web, DLP and IPS)
November 24, 2010
Which should lead to questions like these…
• What is the threat?
• Is it real or theoretical?
• What could the threat do?
• What would it actually do to my business?
• How would that impact my business?
• How likely is it to happen?
• What countermeasures do I have in place?
• Which countermeasures should I enable?
• What order should I enable them in?
• What impact will these have on my business?
“50% of respondents cited poor documentation of systems, a lack of metadata, diverse and uncontrolled data sources, and poor data quality as significant problems” Bloor
To summarise the issues
When does a threat become an incident?
• No single point of threat/risk measurement
• Lack of correlation to the business risk
• Lack of correlation between risk and mitigation tools
• Have I already solved the problem?
How do I decide when to act?
• Often many, if not all, security solutions can have some involvement
• What is the right solution to apply?
• Should I apply the same solution across the business?
• How do I validate the problem is solved?
• Too many security consoles
• Have I already solved the problem?
Time to change our approach! Multi-Correlated: Centralized Intelligence
How do I get Real Time Global Intel?
Queries:
• 2.5B malware reputation queries/month
• 20B email reputation queries/month
• 75B web reputation queries/month
• 2B IP reputation queries/month
• 300M IPS attacks/month
• 100M network connection reputation queries/month
• 100+ BILLION queries/month
Nodes:
• Malware: 40M endpoints
• Email: 30M nodes
• Web: 45M endpoint and gateway users
• Intrusions: 4M nodes
• 100+ MILLION NODES, 120 COUNTRIES
How real time Intel manages risk (Global Threat Intelligence)
1. User receives a new file via e-mail or Web (from the Internet)
2. No detection with existing DATs, but the file is “suspicious”
3. A fingerprint of the file is created and sent using Artemis
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5. Artemis identifies the threat and notifies the client
6. VirusScan processes the information and removes the threat
Artemis is enabled on the endpoint without any additional client-side install.
Real-time malware protection leveraging Collective Threat Intelligence
1. Researcher notes a new suspicious fingerprint
2. Researcher looks up the prevalence of the fingerprint
3. Researcher marks it as malicious
4. Subsequent customers are protected before the malware is widespread; protection provided in minutes
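The two flows above (endpoint fingerprints a suspicious file and asks the cloud; a researcher checks prevalence, marks it, and later endpoints are protected) are easy to misread as "the cloud has a signature". The following is an added toy model written for this page, not McAfee or Artemis code: the endpoint ships only a SHA-256, the service answers from prevalence and age when no verdict exists yet, and a single researcher verdict changes the answer for every later query. The thresholds, verdict strings, the simulated clock and the sample bytes are all constructed assumptions.

```python
"""Toy model of cloud-assisted file reputation (the Artemis/GTI flow above).

Added illustration, not vendor code. Thresholds, verdict strings and the
sample bytes are constructed assumptions; a real service keys on far more
than prevalence and age.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Record:
    """What the cloud side keeps per fingerprint."""
    first_seen: int                      # seconds on the service's simulated clock
    endpoints: Set[str] = field(default_factory=set)
    verdict: Optional[str] = None        # set by a researcher: "malicious" / "clean"


class ReputationService:
    """Cloud side: counts prevalence per fingerprint and serves verdicts."""

    LOW_PREVALENCE = 10      # assumed: fewer distinct reporters than this is 'rare'
    NEW_FILE_AGE = 3600      # assumed: younger than this many seconds is 'new'

    def __init__(self) -> None:
        self.db: Dict[str, Record] = {}
        self.now = 0

    def tick(self, seconds: int) -> None:
        self.now += seconds

    def lookup(self, fingerprint: str, endpoint_id: str) -> str:
        rec = self.db.setdefault(fingerprint, Record(first_seen=self.now))
        rec.endpoints.add(endpoint_id)          # every query adds to prevalence
        if rec.verdict is not None:
            return rec.verdict
        rare = len(rec.endpoints) < self.LOW_PREVALENCE
        new = self.now - rec.first_seen < self.NEW_FILE_AGE
        return "unknown-rare" if (rare and new) else "unknown-common"

    def prevalence(self, fingerprint: str) -> int:
        rec = self.db.get(fingerprint)
        return len(rec.endpoints) if rec else 0

    def mark(self, fingerprint: str, verdict: str) -> None:
        """Researcher step: the verdict applies to every later query."""
        self.db.setdefault(fingerprint, Record(first_seen=self.now)).verdict = verdict


def fingerprint(data: bytes) -> str:
    """Only the hash leaves the endpoint, never the file itself."""
    return hashlib.sha256(data).hexdigest()


class Endpoint:
    """Endpoint side: local DATs first, the cloud only for heuristically suspicious files."""

    def __init__(self, endpoint_id: str, service: ReputationService,
                 local_signatures: Optional[Set[str]] = None) -> None:
        self.id = endpoint_id
        self.service = service
        self.local_signatures = set(local_signatures or ())

    def scan(self, data: bytes, heuristically_suspicious: bool) -> str:
        fp = fingerprint(data)
        if fp in self.local_signatures:
            return "blocked-local-dat"
        if not heuristically_suspicious:
            return "allowed"                      # no cloud round trip for ordinary files
        verdict = self.service.lookup(fp, self.id)
        if verdict == "malicious":
            return "blocked-cloud-verdict"
        if verdict == "unknown-rare":
            return "quarantined-pending-verdict"  # rare + new + suspicious: hold it
        return "allowed"


# Constructed sample bytes standing in for an unknown dropper.
SAMPLE = b"MZ\x90\x00constructed-sample-not-real-malware"


def run_demo() -> list:
    """Walk the four steps: note, look up prevalence, mark, protect later customers."""
    svc = ReputationService()
    outcomes = [Endpoint("ep-1", svc).scan(SAMPLE, heuristically_suspicious=True)]
    fp = fingerprint(SAMPLE)
    if svc.prevalence(fp) < ReputationService.LOW_PREVALENCE:   # researcher sees a rare new file
        svc.mark(fp, "malicious")
    outcomes.append(Endpoint("ep-2", svc).scan(SAMPLE, heuristically_suspicious=True))
    outcomes.append(Endpoint("ep-3", svc).scan(b"known-good", heuristically_suspicious=False))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Note the two ways a query can come back "unknown-common": enough distinct endpoints have reported the hash, or the hash has simply been around long enough. Both are only weak evidence of benignity, which is why the endpoint still needs the local heuristic and the researcher verdict rather than trusting prevalence alone.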
Is it from a Trusted Source?
Monitor:
• Enterprise messages: 10 billion per month
• General messages: 100 billion per month
• Millions of URLs per month
Analyze (data store, verify identities, analyze behavior, analytics engine):
• Volume
• Social network
• Persistence
• Longevity
• IP
• Domain
• URL
• Image
• Message
Output: reputation score
Protect: Web, Messaging, Firewall
GTI Server Deployment Options: Owning my own Intel
Can I have the same Intel in a closed network?
Converting Intel to Action
Real time threat feeds (GTI) → Security metrics → Actionable information → Protection
Security Management Platform (ePO) serving the Executive, the Security Admin and the IT Architect
Managed products: Risk Mgmt, WhiteListing, Endpoint, Web, DLP, IPS, SIA, Encryption, Email, Firewall
Real Business Risk Assessment
• “3,000 to 30”: countermeasure-aware risk management correlates MTIS threat feeds with discovered vulnerabilities, assets, and deployed countermeasures (intrusion protection, anti-virus, buffer overflow protection)
• Leverages AVERT threat advisory information, delivered by the MTIS feed
• Risk = (Threat × Vulnerability × Asset) / Detailed Countermeasure
Smarter Security through integration (1+1=3): intelligence between solutions
Components: Internet, clients, Network IPS, Vulnerability Management, Security Manager
Q: Traffic from X going to Y contains a potential Web server threat. What should I do?
A: Traffic from the INTERNET going to YOUR WEBSERVER contains a RELEVANT Web ATTACK, but the SERVER HAS LOCAL PROTECTION TO STOP IT, so I don’t need to do anything.
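The risk formula on the previous slide and the IPS question on this one are the same idea: an alert or advisory only becomes work when the target is actually vulnerable and nothing already deployed covers it. The block below is an added worked example written for this page, not ePO, MTIS or any McAfee code. It scores (Threat × Vulnerability × Asset) / Countermeasure over a small constructed inventory, turns an IPS alert into a decision the way the Q/A above describes, and runs the same scoring over a constructed 1,000-host fleet to show the "3,000 to 30" style reduction. The countermeasure weights, advisory ids, CVE labels, host names and fleet pattern are all assumptions.

```python
"""Countermeasure-aware risk: Risk = (Threat x Vulnerability x Asset) / Countermeasure.

Added illustration, not vendor code. Weights, advisory ids, CVE labels,
hosts and the generated fleet are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed discount applied per deployed countermeasure that covers a given CVE.
COUNTERMEASURE_WEIGHT = {"host_ips": 5.0, "ips_signature": 5.0, "av_dat": 2.0}


@dataclass
class Threat:
    advisory: str        # feed item id (constructed)
    cve: str
    severity: float      # 1..10 taken from the advisory


@dataclass
class Asset:
    name: str
    criticality: float                     # 1..5 business value of the asset
    vulns: Set[str]                        # CVEs the vulnerability scanner actually found
    countermeasures: Dict[str, Set[str]] = field(default_factory=dict)  # cve -> controls covering it


def countermeasure_factor(asset: Asset, cve: str) -> float:
    factor = 1.0
    for control in asset.countermeasures.get(cve, set()):
        factor *= COUNTERMEASURE_WEIGHT.get(control, 1.0)
    return factor


def risk_score(threat: Threat, asset: Asset) -> float:
    vulnerability = 1.0 if threat.cve in asset.vulns else 0.0   # not vulnerable -> zero risk
    return threat.severity * vulnerability * asset.criticality / countermeasure_factor(asset, threat.cve)


def prioritize(threats: List[Threat], assets: List[Asset],
               threshold: float = 5.0) -> List[Tuple[str, str, float]]:
    """Every (asset, CVE) pair whose residual risk clears the threshold, highest first."""
    rows = [(a.name, t.cve, risk_score(t, a)) for t in threats for a in assets]
    return sorted((r for r in rows if r[2] >= threshold), key=lambda r: -r[2])


def handle_ips_alert(target: str, cve: str, assets: Dict[str, Asset]) -> str:
    """Network IPS saw an attack for `cve` aimed at `target`: is it worth acting on?"""
    a = assets[target]
    if cve not in a.vulns:
        return "no-action: target not vulnerable"
    if "host_ips" in a.countermeasures.get(cve, set()):
        return "no-action: blocked by local protection"
    return "escalate: target exposed"


# Constructed sample inventory and feed.
THREATS = [Threat("ADV-1", "CVE-A", 9.0), Threat("ADV-2", "CVE-B", 6.0)]
ASSETS = {
    "web-1": Asset("web-1", 4.0, {"CVE-A"}, {"CVE-A": {"host_ips"}}),
    "web-2": Asset("web-2", 4.0, {"CVE-A", "CVE-B"}),
    "db-1": Asset("db-1", 5.0, {"CVE-B"}, {"CVE-B": {"ips_signature", "av_dat"}}),
}


def build_fleet(n: int = 1000) -> List[Asset]:
    """Constructed fleet: even hosts are vulnerable; most run host IPS, a few have only a network IPS signature."""
    fleet = []
    for i in range(n):
        vulns = {"CVE-A"} if i % 2 == 0 else set()
        controls: Dict[str, Set[str]] = {}
        if i % 10 != 0:
            controls["CVE-A"] = {"host_ips"}
        elif i % 20 == 0:
            controls["CVE-A"] = {"ips_signature"}
        fleet.append(Asset(f"host-{i:04d}", 2.0 + i % 3, vulns, controls))
    return fleet


def fleet_reduction(n: int = 1000, threshold: float = 10.0) -> Tuple[int, int]:
    """(hosts the scanner flags as vulnerable, hosts that still need action after countermeasures)."""
    fleet = build_fleet(n)
    threat = Threat("ADV-3", "CVE-A", 8.0)
    vulnerable = sum(1 for a in fleet if threat.cve in a.vulns)
    return vulnerable, len(prioritize([threat], fleet, threshold))


if __name__ == "__main__":
    print(prioritize(THREATS, list(ASSETS.values())))
    print(handle_ips_alert("web-1", "CVE-A", ASSETS))
    print(fleet_reduction())
```

The division by the countermeasure factor is what makes the two data sources cooperate: the scanner supplies the Vulnerability term, the endpoint and network consoles supply the divisor, and an IPS signature on the wire plus a host IPS on the box compound rather than double-count. The weights are the part a real deployment must calibrate against its own incident history.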
Open Platform for Security Risk Management: Industry Leadership to Drive Better Protection, Greater Compliance and Lower TCO (SIA Associate Partner; SIA Technology Partner, McAfee Compatible)
Cost Model of Enterprise Security: Risk Optimization
Why has it been so challenging to reduce risk?
• REACTIVE & Manual: people only, no tools or processes, “putting out fires”. Reactive spend of ~3% of IT budget on security; high risk.
• Tools Based: applying tools and technologies to assist people in reacting faster; point products for system, network and data. Compliant/proactive spend of ~8% of IT budget on security; medium risk.
• DYNAMIC: predictive and agile; the enterprise instantiates policy, illuminates events and helps the operators find, fix and target for response. McAfee ePO managed products plus GRC and GTI. Optimized spend of ~4% with very low risk.
Looking to the future… Advanced Persistent Threat
Operation Aurora (zero-day targeted attack)
1. A targeted user receives a link in e-mail or instant message from a “trusted” source
2. The user clicks the link to a website hosted in Taiwan that contains a JavaScript payload
3. The browser downloads and executes the JavaScript, which includes the exploit
4. The exploit downloads a binary disguised as an image (from servers in Taiwan) and executes the malicious payload
5. The payload sets up a backdoor and connects to C&C servers in Taiwan
6. The attackers had complete access to internal systems; they targeted sources of intellectual property, including software configuration management (SCM) systems
New Era of Malware: Stuxnet Attacks Critical Infrastructure
• Protestors made their mark in the Middle East by holding virtual protests and defacing websites and Facebook accounts
• Intelligently targeted at disrupting energy infrastructure running Siemens WinCC and Step7/PCS7 products: pure sabotage
• Compromise initially occurs via USB or network share (disabling AutoRun does not protect); further compromise via the network
• Compromised machines attempt outbound connectivity to command and control infrastructure
• Complexity implies nation-state origin
• Drivers signed with stolen, legitimate code-signing certificates so that they pass driver-signature checks
• Leverages a number of previously unknown exploits
• Expert-level knowledge of Siemens PLC devices (internal database and code modification)
• Pinpoint accuracy in searching for and identifying Siemens devices
• More interesting potential details:
  • Reportedly targeted at Iranian nuclear facilities
  • Required an insider to perform the initial compromise
  • Fear over broader attention toward the weak global energy infrastructure