Managing Threats and Vulnerabilities
Threat Management Services for security monitoring and incident response
Frederic MARTINEZ
February, 2008
Agenda • Why security matters • Why security monitoring and incident response matters • Threat Management Services • Lessons Learned • TMS Next steps • Key takeaways
The Dynamic Enterprise … interconnects • … for continuous and transformative growth
1 Why Security Matters
Our Customers' Security Challenges: why security matters to our customers
Day-to-day concerns: viruses, worms, spyware and spam; protecting customer and partner privacy; managing internal and external threats; regulatory requirements; security management; patch management and operations challenges; homeland security and critical infrastructure protection; business continuity planning; business consolidation; migrating to complex technologies.
Regulatory and legal drivers
• Strengthened privacy protection
• Strengthened security requirements for telecom operators
• Increased protection of critical infrastructures
• Sarbanes-Oxley Act
• Basel II for the financial sector
• A company's top management becoming liable for the security of business assets
Technology and business drivers
• IP everywhere
• Network convergence
• Open, shared multi-application networks
• Decreasing technological diversity (the same basic technologies and middleware everywhere), so a single flaw affects many systems
• Increased complexity of systems
• New services such as VoIP, Triple Play and xOD, built on high-value content delivery with contractual requirements
• Deeper interactions with partners and customers in the ecosystem: no more clear, static border to protect
• The network is critical to the business or mission, and failures can have a malicious origin
Some real cases …
• Mobile phones belonging to top Greek military and government officials, including the prime minister, and the U.S. Embassy were tapped for nearly a year beginning in the weeks before the 2004 Olympic games. The surveillance was carried out through spy software installed in the central system of Vodafone, the mobile telephony provider that served the targets. Vodafone was fined EUR 76 million by the Greek authorities. (July '07)
• Two US fraudsters routed calls through unprotected network ports at VoIP vendors onto providers. Over three weeks, the two routed half a million phone calls to a VoIP provider in Newark via a company based in Rye Brook. Federal investigators believe the two made as much as $1m from the scam. (July '06)
• A sophisticated computer hacker had access to servers at US wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities. (Jan '05)
• A federal grand jury indicted a 20-year-old California man on charges that, in January 2005, his botnet hijacked thousands of computers and crippled a hospital network, leaving intensive care systems paralysed and doctors' pagers useless, Associated Press reports. (Feb '06)
• The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall. (Aug '03)
Our customers' security challenges: why security matters to us
Four design principles: Integrated Security Eco-System, System Hardening (standards based), End-to-End Security Design of networks and services, Embedded Integrity Attestation.
• System Hardening, standards based: our products must be developed to a consistent security and reliability framework, built "trustworthy" so that they inter-operate within both a solution and an integrated security system where security information is exchanged. A standards-based approach leads to interoperability, certification, etc.
• Integrated Security Eco-System: security must be designed as a system of defenses that are integrated to exchange information and that tie the three elements of prevention, detection and response into closer cooperation. Isolated point appliances are no longer viable.
• Embedded Integrity Attestation: everything is built on IP-based components and the cloud extends into customer premises, so the threat increases. Rootkits (stealthy threats) raise the bar on how systems can be compromised without being detected. These trends drive the need to measure the state of integrity and validate configuration from creation through operation.
• Design Security End-to-End: a differentiator for solutions such as VoIP competing in convergence is the security design, one that works end to end and is architected consistently for all implementations.
2 Why security monitoring and incident response matters
The impact of compliance & regulations
9 | Presentation Title | Month 2008
Last year's slides on trends and our positioning: every day we see and face attacks that move faster and faster.
Latest example: Storm Worm. Not just a "point release", an active, on-going investment!
How does Storm spread? Constant updates:
• Keep the spam topic current
• Exploit new vulnerabilities, even adapting to the end user's web browser
• New spreading techniques, like blog-comment spam
• Active updates to adapt to the latest OS upgrades, anti-virus signatures and other security patches
• Payload morphs every 30 minutes or so, so signatures cannot catch up
Difficult for a telco to detect in the cloud:
• Obfuscated command-and-control protocol overlaid on P2P, hiding behind fast flux (using DNS)
• Few packets sent for a P2P network: on average under one packet per second
• Active defense: analysis of the obfuscated code may trigger a DDoS attack against the analyst
• Stays undetected: patient, and does not hurt its hosts
Robust design with separation of duties:
• Redundancy through the P2P network for C2 (command and control)
• Only a fraction of hosts are C2 servers and only a fraction of infected hosts spread the worm; the rest stand by to receive orders
(Chart: packet count for the P2P data plane over 7 hours)
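The fast-flux trait above (many rotating A records behind a low TTL, spread across unrelated networks) is one of the few things a telco can observe from the cloud without decoding the C2 protocol. The following is an added example, not code from the original presentation or from Alcatel-Lucent: it scores a series of DNS answers for one name on four indicators and only fires when all of them hold, because a CDN also returns low TTLs and many addresses. The sample answers are constructed; the /16 prefix stands in for the ASN lookup a real deployment would perform, and the thresholds are assumptions.

```python
"""Fast-flux DNS heuristic (added example, constructed data)."""
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Lookup:
    ttl: int                   # TTL (seconds) returned in the answer
    addresses: Sequence[str]   # A records returned in that answer


def network_prefix(ip: str) -> str:
    """Crude network key: the /16 of an IPv4 address (assumption: ASN would be used in practice)."""
    return ".".join(ip.split(".")[:2])


def flux_features(lookups: Iterable[Lookup]) -> dict:
    """Summarise successive answers for one name into flux indicators."""
    lookups = list(lookups)
    seen: set = set()
    churn = 0                  # addresses new in answer i+1 relative to answer i
    prev = None
    for lk in lookups:
        cur = set(lk.addresses)
        if prev is not None:
            churn += len(cur - prev)
        seen |= cur
        prev = cur
    return {
        "min_ttl": min(lk.ttl for lk in lookups),
        "distinct_ips": len(seen),
        "distinct_nets": len({network_prefix(ip) for ip in seen}),
        "churn_per_lookup": churn / max(len(lookups) - 1, 1),
    }


def is_fast_flux(lookups, max_ttl=300, min_ips=10, min_nets=5, min_churn=2.0) -> bool:
    """All four indicators must fire: a low TTL alone also describes a CDN."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips
            and f["distinct_nets"] >= min_nets
            and f["churn_per_lookup"] >= min_churn)


# Constructed sample 1: a botnet name whose answers rotate through a pool of
# compromised hosts spread over many networks, five at a time, TTL 60 s.
FLUX_POOL = [f"{100 + i}.{i}.0.{i + 1}" for i in range(20)]
FLUX_LOOKUPS = [Lookup(60, FLUX_POOL[3 * i:3 * i + 5]) for i in range(6)]

# Constructed sample 2: a CDN-style name, also low TTL and several addresses,
# but all in one network and the same set every time (only the order rotates).
CDN_POOL = [f"203.0.113.{i}" for i in range(1, 9)]
CDN_LOOKUPS = [Lookup(20, CDN_POOL[i:] + CDN_POOL[:i]) for i in range(6)]

if __name__ == "__main__":
    for name, lookups in (("botnet-name", FLUX_LOOKUPS), ("cdn-name", CDN_LOOKUPS)):
        verdict = "fast-flux" if is_fast_flux(lookups) else "ok"
        print(name, flux_features(lookups), verdict)
```

The thresholds need tuning per network, and this heuristic does not cover the other cloud-visible trait on the slide, the very low packet rate of the P2P data plane, which would be a separate flow-level check.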
The Challenge: difficult, multi-dimensional, and in flux
• Blacklist defenses ineffective: reacting to an infinite number of possible sources (e.g. polymorphism)
• Security unmanageable, with no single situational awareness
• Point products, point roles: inconsistent security applied to network components; untrusted pieces make weak links prevalent
• Increasing network complexity: increased vulnerability (e.g. firewalling VoIP sessions)
• Lack of a universal standard that addresses security in a comprehensive way, so integrating security is very difficult
• Zero-day exploitation window: threats occur faster than we can detect and respond, before they impact the business
• Data control and integrity, data leakage: data exchange requires better security controls; more personal data is online with uncertain protection
• Sophisticated cyber crime: from phishing and spyware to DDoS and network penetration attacks
• Data flooding: spam, SPIT (spam over Internet telephony) and SPASMS (spam over SMS) make wanted information tough to separate
Source: Bell Labs Research
Business needs and drivers for security monitoring and control: what is the customer value of our Threat Management Services?
Business imperatives (end-user needs) and our point of view on security:
• "Conduct business anytime": minimize downtime and enhance productivity. 24x7 monitoring is important in reducing the risk of a security breach.
• "Sensitive data and traffic protected": provide a trustworthy service. Governance regulations require organizations to be stricter in enforcing segregation of duties, which requires separating security administration from control activities.
• "Enhanced staff productivity and lower operating expenses": operate cost-effectively. The lack of appropriately skilled resources at customer organizations leads to increased demand for outsourced security services.
Proven benefits:
• Over USD 1 million in increased productivity (by reducing downtime)
• Avoidance of fines (due to QoS, SLA, compliance or regulatory violations); one incident could cost USD 500K
• Concentrate on the core business and avoid the risks of building and maintaining a full in-house security operations team
Plus:
• Increased end-user trust
• Fewer security incidents
• Prevent rather than cure where possible
• Quicker response to, and recovery from, attacks
5 top reasons to monitor your information systems security (and your ICT environment after deployment)
1. Vulnerabilities (and exploits) are found for the products you have deployed
2. No network is totally isolated, hence you can get hacked or hit by viruses and the like
3. Beware of insider abuse
4. The customer's organisation and systems are evolving and changing
5. Regulations and legal compliance require a constant assessment of the situation (SOX, NERC CIP, Basel II, …)
"Security Is a Process Not a Product… Is Anyone Paying Attention?" (Bruce Schneier)
Sectors concerned: operators, health care, financial, government, utilities. Regulations cited: GLBA, Basel II, SAS 70 Type II, CICA 5900; Critical Infrastructure Protection; NERC CIP; HIPAA, FDA 21 CFR Part 11; CSE; SOX regulation impacting financial data.
ISO/IEC 17799:2005 – a critical common reference
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. Its control areas:
• Information security policy (document and review)
• Organization of assets and resources (internal organization and external parties)
• Asset classification and control
• Personnel security (prior to, during and after change or termination of employment)
• Physical and environmental security (secure areas and environmental security)
• Communications and operations management (includes risk assessment on assets and exchanges, network security management and monitoring)
• Access control (to information) at user, network, OS and application level
• Systems development and maintenance (includes technical vulnerability management)
• Information security incident management: reporting information security events and weaknesses; management of information security incidents
• Business continuity management
• Compliance
Three of these areas are singled out as critical to controlling stealth attacks.
3 Threat Management Services: description and background (i.e. the link with audit, consulting, etc.)
Alcatel-Lucent Services: our approach to security. Where do Threat Management Services stand in the lifecycle?
Threat Management Services cover the operational phase:
• Threat Prevention & Management
• Security Monitoring
• Crisis & Incident Management
Security Consulting & Integration Services around them:
• Risk Assessment
• Business Impact Analysis
• Gap Analysis
• Vulnerability Assessment
• Penetration testing
• Secure Architecture Review
• Compliance Readiness
• Security Policy & Program Development
• Security Architecture & Design
• Security Policy & Integration
• Business Continuity Planning
• Hardening & Remediation
• Deploy Security Systems/Elements
• Business Continuity Plan Testing
Threat Management: solution components
• Threat & vulnerability management: vulnerability feed and database; vulnerability assessment/scan; risk management and modelling
• Events monitoring and analysis: malicious activity detection
• Threat reporting: statistical reporting; operational reporting; strategic reporting for compliance
• Crisis & incident management
Threat Management Services – Prevention
• Knowledge of vulnerabilities that could impact systems within the monitored environment
• Knowledge of current and forthcoming threats
• Assessment of vulnerabilities within the monitored environment
• Risk management based on modelling with business/service impact
• Identification of countermeasures; output for the Operations Team
Three questions drive the prevention cycle:
• Inventory of flaws (vulnerability assessment): where am I vulnerable?
• Threat watch (daily follow-up of new vulnerabilities and threats): what might happen in my environment?
• Impact analysis (identification of the risks): what if an attack is successful?
Followed by patch-management follow-up and analysis of the residual risk (tracked action plan).
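The prevention loop above (inventory, vulnerability match, impact analysis, patch follow-up, residual risk) can be carried through in code. This is an added example and not part of the original presentation or of the TMS tooling: it matches a constructed inventory against a constructed advisory feed, weights each finding by business criticality and exposure so that the same flaw ranks differently on a revenue-critical Internet-facing box and on a lab box, and recomputes the residual risk after a patch plan. Advisory identifiers, product names, hosts, version ranges and the scoring weights are all hypothetical.

```python
"""Vulnerability-to-asset matching with business-impact weighting (added example)."""
from dataclasses import dataclass, replace


def parse_version(v: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); tuples compare component by component."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first fixed version (exclusive upper bound)
    severity: float      # CVSS-like base score, 0-10


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    criticality: int     # business impact, 1 (lab) .. 5 (revenue-critical service)
    internet_facing: bool


def is_affected(asset: Asset, adv: Advisory) -> bool:
    if asset.product != adv.product:
        return False
    v = parse_version(asset.version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def risk_score(asset: Asset, adv: Advisory) -> float:
    """Severity weighted by what the asset is worth and how reachable it is (assumed weights)."""
    exposure = 1.0 if asset.internet_facing else 0.5
    return adv.severity * asset.criticality * exposure


def assess(assets, feed):
    """Findings (host, advisory, risk), highest risk first: this is the patch order."""
    findings = [(a.host, adv.advisory_id, risk_score(a, adv))
                for a in assets for adv in feed if is_affected(a, adv)]
    return sorted(findings, key=lambda f: -f[2])


def apply_patch_plan(assets, plan):
    """plan maps host -> version it will be upgraded to; returns the new inventory."""
    return [replace(a, version=plan.get(a.host, a.version)) for a in assets]


def total_risk(findings) -> float:
    return sum(f[2] for f in findings)


# Constructed vulnerability feed (hypothetical identifiers and products).
FEED = [
    Advisory("ADV-2008-0001", "examplevoip-sbc", "3.0", "3.2.1", 9.3),
    Advisory("ADV-2008-0002", "exampledb", "5.0", "5.0.45", 6.5),
]

# Constructed inventory of the monitored environment.
ASSETS = [
    Asset("sbc-paris", "examplevoip-sbc", "3.1.4", 5, True),    # exposed and critical
    Asset("sbc-lab", "examplevoip-sbc", "3.1.4", 1, False),      # same flaw, lab box
    Asset("db-core", "exampledb", "5.0.22", 4, False),
    Asset("db-new", "exampledb", "5.0.51", 4, False),            # already on a fixed version
]

if __name__ == "__main__":
    before = assess(ASSETS, FEED)
    after = assess(apply_patch_plan(ASSETS, {"sbc-paris": "3.2.1"}), FEED)
    for host, adv, risk in before:
        print(f"{host:10} {adv} risk={risk:.2f}")
    print(f"risk before {total_risk(before):.2f}, residual after patching sbc-paris {total_risk(after):.2f}")
```

The residual figure is what the "followed action plan" tracks: patching one exposed host removes most of the risk even though three hosts remain technically vulnerable, which is the argument for ranking by business impact rather than by raw CVSS score.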
Threat Management Services – Beyond Prevention: real-time monitoring and off-line log review
• Two operational modes: real-time monitoring of infrastructure activity to detect abnormal behavior; off-line log review for usage control and compliance control
• Solution proposals by the TMC (Threat Management Center) analyst are sent to pre-defined contact points
• Possibility of (initial) forensic analysis
Dashboard and Reporting
What: reports generated and provided to the customer's stakeholders; key security indicators showing the customer's security status; key performance indicators of the TMC; an instrument for SLA monitoring.
How: a web-based portal for direct communication; electronic reports with different levels of detail.
Key security and performance indicators:
• Volume of incidents
• Backlog with breakdown of severity per incident
• Events/alerts per category: port scans, port sweeps, authentication events including failed logins, …
• Events/alerts per location, per time zone, per source IP, per nature (success/failure), …
• Top source IP addresses generating events/alerts, top target device IP addresses, protocols used, …
• Number of incidents closed within SLA
• …
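Several of the indicators listed above (port scans, port sweeps, failed logins, top source addresses, incidents closed within SLA) can be derived directly from raw events, and the off-line log review mode described earlier is exactly this kind of batch computation. The following is an added example, not the TMC's own tooling: it computes those indicators over a constructed log extract in an assumed `timestamp host EVENT key=value ...` format. The event names, the detection thresholds and the SLA thresholds are assumptions for the illustration.

```python
"""Key Security Indicators from a constructed log extract (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp>Z <host> <EVENT> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                                    # unparsable lines are dropped
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "event": m["event"], **fields}


def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e]


def port_scans(events, min_ports=5):
    """One source probing many ports on one target -> (src, dst, ports)."""
    ports = defaultdict(set)
    for e in events:
        if e["event"] == "DENY":
            ports[(e["src"], e["dst"])].add(e["dport"])
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


def port_sweeps(events, min_hosts=5):
    """One source probing one port across many targets -> (src, dport, hosts)."""
    hosts = defaultdict(set)
    for e in events:
        if e["event"] == "DENY":
            hosts[(e["src"], e["dport"])].add(e["dst"])
    return sorted((s, p, len(h)) for (s, p), h in hosts.items() if len(h) >= min_hosts)


def failed_login_bursts(events, min_failures=3, window=timedelta(minutes=5)):
    """Failed-login bursts per (user, source); also flags a success right after the burst."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] in ("AUTH_FAIL", "AUTH_OK"):
            by_key[(e["user"], e["src"])].append(e)
    bursts = []
    for (user, src), evs in sorted(by_key.items()):
        fails = sorted(e["ts"] for e in evs if e["event"] == "AUTH_FAIL")
        best, last = 0, None
        for i, start in enumerate(fails):              # sliding window over failures
            n = sum(1 for t in fails[i:] if t - start <= window)
            if n > best:
                best, last = n, fails[i + n - 1]
        if best >= min_failures:
            success_after = any(e["event"] == "AUTH_OK" and last < e["ts"] <= last + window
                                for e in evs)
            bursts.append((user, src, best, success_after))
    return bursts


def top_sources(events, n=3):
    return Counter(e["src"] for e in events if "src" in e).most_common(n)


def sla_closure(incidents, sla_hours):
    """Per severity: (closed within SLA, total) from (severity, opened, closed) records."""
    stats = {}
    for sev, opened, closed in incidents:
        within, total = stats.get(sev, (0, 0))
        ok = closed - opened <= timedelta(hours=sla_hours[sev])
        stats[sev] = (within + int(ok), total + 1)
    return stats


# Constructed log extract: a port scan, a port sweep, a brute-force burst that
# ends in a successful login, and a little background noise.
LOG = """\
2008-02-11T10:00:01Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=21
2008-02-11T10:00:02Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=22
2008-02-11T10:00:02Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=23
2008-02-11T10:00:03Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=25
2008-02-11T10:00:04Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=80
2008-02-11T10:05:00Z fw01 DENY src=203.0.113.9 dst=192.0.2.1 dport=445
2008-02-11T10:05:00Z fw01 DENY src=203.0.113.9 dst=192.0.2.2 dport=445
2008-02-11T10:05:01Z fw01 DENY src=203.0.113.9 dst=192.0.2.3 dport=445
2008-02-11T10:05:01Z fw01 DENY src=203.0.113.9 dst=192.0.2.4 dport=445
2008-02-11T10:05:02Z fw01 DENY src=203.0.113.9 dst=192.0.2.5 dport=445
2008-02-11T10:07:10Z fw01 DENY src=192.0.2.50 dst=192.0.2.10 dport=22
2008-02-11T10:12:00Z srv01 AUTH_FAIL user=admin src=198.51.100.7
2008-02-11T10:12:20Z srv01 AUTH_FAIL user=admin src=198.51.100.7
2008-02-11T10:12:41Z srv01 AUTH_FAIL user=admin src=198.51.100.7
2008-02-11T10:12:44Z srv01 AUTH_OK user=admin src=198.51.100.7
2008-02-11T11:00:00Z srv01 AUTH_FAIL user=jsmith src=192.0.2.50
"""

# Constructed incident records (severity, opened, closed) and assumed SLA targets.
INCIDENTS = [
    ("high", datetime(2008, 2, 11, 10, 0), datetime(2008, 2, 11, 13, 0)),
    ("high", datetime(2008, 2, 11, 10, 30), datetime(2008, 2, 11, 17, 0)),
    ("low", datetime(2008, 2, 11, 9, 0), datetime(2008, 2, 12, 9, 0)),
    ("low", datetime(2008, 2, 11, 12, 0), datetime(2008, 2, 12, 18, 0)),
]
SLA_HOURS = {"high": 4, "low": 48}

if __name__ == "__main__":
    ev = parse_log(LOG)
    print("scans:", port_scans(ev), "sweeps:", port_sweeps(ev))
    print("login bursts:", failed_login_bursts(ev), "top sources:", top_sources(ev))
    print("closed within SLA:", sla_closure(INCIDENTS, SLA_HOURS))
```

The burst indicator carries a flag for a success immediately after the failures; that is the case an analyst wants escalated rather than counted, since it is the difference between noise and a probable account compromise.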
Threat Management and Management of Security: separation of duties
Three centers: the Alcatel-Lucent Network Operation Center, the Alcatel-Lucent Threat Management Center (TMC), and a third-party Network Operation Center.
Monitoring and control activities (Threat Management Center):
• Security event monitoring
• Dashboard management & reporting
• Policy compliance control
• Incident & crisis management
Operational activities (Network Operation Centers, following ITIL-based processes: incident, change, problem and configuration management):
• Security resource management
• Maintenance and patch management
• Events and alarms management
• Deployment, change management and security rules configuration
• Operational incident management (hands-on corrective measures)
A basic security principle: whoever monitors an action should not be the one who performs the action (this benefits both the customer and the provider).
4 Lessons learnt End-user profiles
Threat Management Services: more than 1.6 billion events per month across 60 countries
All TMS customers have a wide international network: France; Mediterranean (Morocco, Algeria, Libya, …); Africa (Gabon, Nigeria, Angola, …); Middle East and South Asia (Saudi Arabia, Iran, …); worldwide (Canada, Venezuela, Indonesia, …).
CERT expertise expansion: raising the (Tunisian) National Agency for Information Security and the Cert-TCC
History: the Tunisian government decided in 2003 to deploy a national cyber-security plan. A National Information Security Agency (ANSI) was created under the authority of the Ministry of New Communication Technologies. This agency was charged with implementing a mandatory national plan for the security audit and assessment of many companies, and with creating a Computer Emergency Response Team, the Cert-TCC, with funding from the World Bank.
Relations with ALU and the Cert-IST: the Alcatel-Lucent experts of the Cert-IST have audited and trained the Cert-TCC structure. The Cert-IST sponsored its FIRST membership (17 May 2007). The ANSI/Cert-TCC is the only national and legitimate Tunisian CERT. It is responsible for cyber-security for government and private companies (including ISPs), and has an excellent track record of awareness activities towards citizens and families.
Lessons Learned: the issue for the customer is not technical
• Fact: the security resources deployed by the customer are used at 30% of their capacity, which slows the adoption of additional technologies and resources
• Need: the customer simultaneously faces pressure for more control and for compliance
• Feedback: security resource management is often limited to an extension of network management
TMS deliverables flow from the monitored network in two directions: externally, to the control authority, to satisfy compliance requirements; and internally, to management, through the board and through operations.
Lessons Learned 1/5: the "Intrusion Protection" customer
Context: the customer's security resource management strategy includes deploying Intrusion Protection Systems.
Dimensioning: 30 sites (NA: US, Canada; Europe: France, UK; Africa: Angola, Nigeria, Cameroon; Asia: Thailand, Indonesia; CALA: Argentina, Venezuela; ME: Iran, …)
Needs: a response strategy to detected malicious activity
Added value of the TMS: centralization and consistency; a single point of contact towards the vendors through the Cert-IST; escalation capability for recommendations (on blocking rules)
TMS deliverables: dashboards (daily and monthly), reports (monthly)
Lessons learnt: questionable fit of the security resources solution to the needs; organizational issues between integration, operation, control and the diverse providers
Lessons Learned 2/5: the "Secured Services" customer
Context: the customer's strategy includes a secured hosting center for critical applications.
Dimensioning: a wide variety of technical resources: firewalls (two types), SSL VPN, HIDS, NIDS, routers, LDAP, switches, DBMS, anti-virus, web and other applications/servers, AAA, …
Needs: monitoring; a crisis response strategy to detected malicious activity; proof of compliance efforts
Added value of the TMC: real-time monitoring and control; escalation capability
Lessons learnt: high visibility to the board; each event is important/critical
Lessons Learned 3/5: the "Secured Web Presence" customer
Context: the customer's strategy includes a secured DMZ center for critical web applications plus intensive usage of Intranet/Extranet/Internet.
Dimensioning: 50,000 people around the globe
Needs: monitoring; a crisis response strategy to detected malicious activity
Added value of the TMC: real-time monitoring and control; escalation capability
Lessons learnt: high volumes of logs (about 500 million per month); a lot of end-user "suspicious activity" (webmail, WebEx, …) that is really noise; high Internet exposure (direct connectivity for attackers)
Lessons Learned 4/5: the "Secured Worldwide Intranet" customer
Context: the customer's strategy includes a secured network for intensive usage of Intranet/Extranet/Internet.
Dimensioning: 8/20/250 sites around the globe
Needs: monitoring; an operational response strategy to detected malicious activity; support for remote un(der)-staffed sites
Added value of the TMC: real-time monitoring and control; response recommendations; escalation capability
Lessons learnt: heterogeneity and organizational issues across a variety of remote sites; a lot of end-user "suspicious activity" (webmail, WebEx, …) that is really noise; high Internet exposure
Lessons Learned 5/5: the "Security Compliant" customer
Context: the customer's strategy includes a threat management service covering critical servers (250, then 900).
Dimensioning: a wide variety of technical resources: routers, DBMS, web and other applications/servers, AAA, …
Needs: monitoring; a crisis response strategy to detected malicious activity; proof of compliance efforts
Added value of the TMC: real-time monitoring and control; escalation capability
Lessons learnt: high visibility to the board; heterogeneity and organizational issues across a variety of structures/regions
5 Threat Management Services: next steps (i.e. Safer or BUGYO, DPI, Aware)
BUGYO: BUildinG security assurance in Open infrastructures
• European collaborative project under the Eureka framework and the Celtic cluster
• Project ID: CP2-002 (June 2005 to June 2007), www.celtic-initiative.org/projects/bugyo
Companies involved: Alcatel CIT (France), EADS-DCS (France), ENST (France), Oppida (France), TELINDUS (Luxembourg), Public Research Center Henri Tudor (Luxembourg), Karlstad University (Sweden), OnePutt Solutions (Sweden), TeliaSonera (Sweden), Acotec (Spain), Telefónica (Spain)
"In network infrastructures, security assurance should be addressed as a tool/process that checks (assures) that the security features deployed in products/systems are working at the exact level customers paid for."
Security assurance is related to what some analysts call security compliance and control (the Security Assurance Cockpit).
BUGYO learnings are integrated into the Threat Management Services.
Deep Packet Inspection: intelligent components for Threat Management Services
(Diagram: DPI probes at the core, at Internet and peering points, and in front of the enterprise IS feed security alerts and reports to the TMC; monitoring & management is shared between the TMC and the NOC; security monitoring is either in-house or managed. Telco case and corporate case.)
DPI solutions are intelligent agents for TMCs, providing a place to define new or extended services. A less intrusive architecture and enlarged inspection capabilities for:
• Business and ROI protection
• Limiting abuse of network resources
• Defense against malware and attacks
3G/4G Security and Network Awareness: protecting wireless network resources and performance from threats
Drivers: wireless 3G broadband subscribers are increasing; 3G applications are on the rise; the mobile data network has unique limits (limited signaling, limited battery, limited air resources).
(Diagram: WiMax (BTS, ASN, HA), EV-DO (BTS, RNC, PDSN, HA) and W-CDMA (Node-B, RNC, SGSN, GGSN) access networks towards the Internet, monitored by the Alcatel-Lucent 9900.)
Alcatel-Lucent 9900:
• Monitors and classifies wireless traffic
• Wireless behavioral anomaly detection
• Translates subscriber behaviors into loads throughout the network
Feeds security planning, subscriber billing and network performance.
Key takeaways
Alcatel-Lucent helps you protect your network and system infrastructures and address security and compliance requirements to achieve your business goals. By improving your security policies, practices and use of technologies, you can identify vulnerabilities, reduce risks and leverage industry best practices. This translates into business insurance: you avoid financial losses from network/system downtime, lost productivity, lost revenue, customer satisfaction issues, fines or investigative costs. Alcatel-Lucent understands the complexity of the security requirements and issues inherent in new technologies and services, and proposes the appropriate solutions and services.
Alcatel-Lucent: Partner to the Dynamic Enterprise Enabling the Dynamic Enterprise
www.alcatel-lucent.com
Backup slides