Designing a Security Intelligence Architecture

Daniel Wiley
Senior Security Consultant

©2013 Check Point Software Technologies Ltd.
Published in: Technology
Slide 1: Designing a Security Intelligence Architecture
Daniel Wiley, Senior Security Consultant
©2013 Check Point Software Technologies Ltd.

Slide 2: You have been told that you have an infected machine in your network…
You have seconds to make a difference. Now what?

Slide 3: Threats are always changing
Attackers are using any method available to infiltrate networks
Attacks are moving up the network stack, which means more information is needed to deal with them
Scaling tools and architecture is not simple as you move up the threat landscape
If you have something worth stealing, someone will try

Slide 4: Need architecture that adapts
• Can’t limit yourself to one function anymore
• Need versatility: the ability to find the right tool quickly
• Ability to layer capabilities on existing architectures

Slide 5: What does that really all mean?
You need features that can adapt to changing environments
Ability to react to attacks needs to be in real time
Need to think outside of the box sometimes
The more data the better
Sometimes you have to make the hard decisions

Slide 6: What does it take?
1. Know your environment
2. You need context
3. Build visibility into your network
4. Don’t forget Layer 7 and 8

Slide 7: This doesn’t help
(Diagram: a single box labelled “Internet” beside a single box labelled “Internal”; a network map at this level of detail gives no visibility.)

Slide 8: Sounds simple but isn’t
Understand the whole network topology
Application architecture is vital to defense
Network design is vital to get the visibility you need
What do users normally do?
Can you answer the basic questions about core data flows and business drivers?
Who are your partners?

Slide 9: What does it take?
1. Know your environment
2. You need context to the data
3. Build visibility into your network
4. Don’t forget Layer 7 and 8

Slide 10: What does this all mean?
Context
• Having an IP address alone does not help
• What does the log really mean to my environment?
• It’s hard to see who is actually attacking you
• Layering context is great, but what do you do with the data?

Slide 11: How do you build context
Automated:
• Geo Location
• Identity Awareness
• Application Intelligence
• DLP
• URL Filtering/Logging
• Hit count
• SmartMonitor/SmartLog
• Header Identification
• Machine Identification
Manual:
• Past Experiences
• Application Flows
• Business Goals and Direction
• Relationships
• Third party information
• Network Architecture
• Compliance Requirements
• Change Control
• Lessons Learned

Slide 12: Some examples
What we used to see in a log:
Source: 1.1.1.1  Destination: 2.2.2.2  Service: TCP/80  Action: Allow
What we see now:
Source: 1.1.1.1
Destination: 2.2.2.2
Service: TCP/80
User: Bob Barker
Machine: PriceIsRight
OS: WinXP
Browser: Chrome
Server: Apache
URL: www.hackme.org/malware.exe
URL Category: Hacking Site
IPS: Binary Download
Country: US
Anti-Bot: reallybadstuff.v52
Packet Capture: onaplatter.exe
Action: Block
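The enrichment that turns the “old” five-field log on slide 12 into the “new” one is the automated half of slide 11: identity, geo, URL category, IPS and Anti-Bot context layered onto a bare 5-tuple, with the block decision driven by that context. The following Python is an added illustration and not code from the deck or from Check Point; the lookup tables are constructed sample data standing in for the real Identity Awareness, Geo Location, URL Filtering, IPS and Anti-Bot sources, and the `url` argument assumes URL logging has recorded the application-layer request for the connection.

```python
import re

# Constructed context sources (sample data, not real intelligence feeds).
IDENTITY = {"1.1.1.1": {"User": "Bob Barker", "Machine": "PriceIsRight", "OS": "WinXP"}}
GEO = {"2.2.2.2": "US"}
URL_CATEGORY = {"www.hackme.org/malware.exe": "Hacking Site"}
IPS_SIGNATURES = {"www.hackme.org/malware.exe": "Binary Download"}
ANTIBOT_SIGNATURES = {"www.hackme.org/malware.exe": "reallybadstuff.v52"}
# URL categories the policy blocks outright (constructed policy choice).
BLOCK_CATEGORIES = {"Hacking Site"}

# "Field: value" pairs as they appear in the slide's log line.
FIELD_RE = re.compile(r"(\w[\w-]*):\s*(\S+)")


def parse_log(line):
    """Turn 'Source: 1.1.1.1 Destination: 2.2.2.2 ...' into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def enrich(event, url=None):
    """Layer automated context onto a bare 5-tuple event.

    `url` is the application-layer URL assumed to come from URL logging;
    the bare firewall log has no such field.
    """
    enriched = dict(event)
    enriched.update(IDENTITY.get(event.get("Source"), {}))          # who / which machine
    if event.get("Destination") in GEO:
        enriched["Country"] = GEO[event["Destination"]]             # where it went
    if url:
        enriched["URL"] = url
        if url in URL_CATEGORY:
            enriched["URL Category"] = URL_CATEGORY[url]
        if url in IPS_SIGNATURES:
            enriched["IPS"] = IPS_SIGNATURES[url]
        if url in ANTIBOT_SIGNATURES:
            enriched["Anti-Bot"] = ANTIBOT_SIGNATURES[url]
    return enriched


def decide(enriched):
    """Return (action, reasons): block when any layered context flags the flow,
    otherwise keep the action the original rule produced."""
    reasons = []
    if enriched.get("URL Category") in BLOCK_CATEGORIES:
        reasons.append("URL Category: " + enriched["URL Category"])
    if "IPS" in enriched:
        reasons.append("IPS: " + enriched["IPS"])
    if "Anti-Bot" in enriched:
        reasons.append("Anti-Bot: " + enriched["Anti-Bot"])
    action = "Block" if reasons else enriched.get("Action", "Allow")
    return action, reasons


# Constructed input: the "what we used to see" line from the slide.
OLD_LOG = "Source: 1.1.1.1 Destination: 2.2.2.2 Service: TCP/80 Action: Allow"


def demo():
    """Run the slide's example end to end and return the enriched event."""
    event = parse_log(OLD_LOG)
    enriched = enrich(event, url="www.hackme.org/malware.exe")
    enriched["Action"], reasons = decide(enriched)
    return enriched, reasons


if __name__ == "__main__":
    enriched, reasons = demo()
    for key, value in enriched.items():
        print(f"{key}: {value}")
    print("Blocked because:", "; ".join(reasons))
```

The point of keeping `decide` separate from `enrich` is the question slide 10 ends on: context only helps if something acts on it. The same bare log that the old rule allowed is blocked once the URL category, IPS and Anti-Bot verdicts are attached, and the reasons list is what an analyst reads later.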
Slide 13: What does it take?
1. Know your environment
2. You need context to the data
3. Build visibility into your network
4. Don’t forget Layer 7 and 8

Slide 14: I can’t see anything
Engineer with logging in mind – the more you log, the more you can see
Ensure you are capturing all key metrics (SmartMonitor/SNMP) at gateway and network
Learn tcpdump/Wireshark/fw monitor
Utilize Packet Capture mode within IPS and Anti-Bot
Understand what you are capturing and why
Everything creates a log – learn them

Slide 15: Advanced Visibility
When you identify the really nasty stuff you need to know how to deal with it.
• Threat Emulation
• Malware Reversing
• Locating infected hosts
• Having control over the network means blocking hostile code

Slide 16: What does it take?
1. Know your environment
2. You need context to the data
3. Build visibility into your network
4. Don’t forget Layer 7 and 8

Slide 17: Layer 7
Without application layer data, finding the golden nugget is almost impossible
(Diagram, top to bottom: Email, Data Exfil, Web; Anti-Bot/DLP; Application Control/URL Filtering; IPS; IP Addresses / Services / Time / Direction)

Slide 18: Layer 7
Once you know the attack vectors you can trace the risk to your network and maybe the actual attacker
(Diagram: Fraud Event, Corp Espionage, Hacking Event, CEO)

Slide 19: Layer 8 – Man, humans are difficult
Without management on board, having all the information in the world won’t help
Incident Response is vital – Plan, Test, Evaluate, Repeat
Do you have a plan for interacting with law enforcement?
Who is really attacking you and why?
Know your gaps and try to address them

Slide 20: Core Items Needed
As many blades as possible with advanced features (Packet Capture/URL Logging/SMTP Information)
Large logging infrastructure
A network map
An org chart
SmartEvent
SmartLog
Enough resources to generate higher level data

Slide 21: Putting it all together
For any intelligence system try to answer the following questions:
Who: Financial officer was targeted
What: Installation of malware on PC, attempted to upload Excel spreadsheet to C&C
Where: PC location within executive zone, C&C located in Brazil
When: Over a 5 month period, multiple spear-phishing emails
Why: After full analysis, determined that the Excel spreadsheet would give competitive advantage to the competition
Infrastructure – DLP, Anti-Bot, Anti-Virus, Endpoint, Logging, SmartEvent
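Slide 21 is the consumer side of the context from slides 11 and 20: events from several blades, joined to the org chart (who) and to what the business says about the data (why), collapsed into one who/what/where/when/why incident record. The Python below is an added worked example, not code from the deck or from any Check Point product; the event list, the org chart and the data-sensitivity table are constructed sample data shaped like the scenario on the slide, and the `blade`, `user`, `dst_country` and `data_type` field names are assumptions about how already-enriched events are stored.

```python
from collections import Counter
from datetime import datetime

# Manual context (constructed): the org chart and what the business says
# about each data type. Both come from people, not from a blade.
ORG_CHART = {"bbarker": {"role": "Financial officer", "zone": "Executive"}}
DATA_SENSITIVITY = {
    "Excel spreadsheet": "financial planning data; competitive advantage to a competitor",
}

# Constructed, already-enriched events over several months. Field names are
# assumptions for this example. The last event is unrelated noise.
EVENTS = [
    {"time": "2013-01-03T09:02", "blade": "Anti-Spam", "user": "bbarker",
     "detail": "spear-phishing email delivered"},
    {"time": "2013-02-11T08:47", "blade": "Anti-Spam", "user": "bbarker",
     "detail": "spear-phishing email delivered"},
    {"time": "2013-03-19T13:30", "blade": "Anti-Spam", "user": "bbarker",
     "detail": "spear-phishing email delivered"},
    {"time": "2013-05-30T14:11", "blade": "Anti-Virus", "user": "bbarker",
     "detail": "malware installed on PC"},
    {"time": "2013-05-30T14:12", "blade": "Anti-Bot", "user": "bbarker",
     "detail": "C&C callback", "dst_country": "BR"},
    {"time": "2013-05-30T14:13", "blade": "DLP", "user": "bbarker",
     "detail": "attempted upload blocked", "dst_country": "BR",
     "data_type": "Excel spreadsheet"},
    {"time": "2013-05-30T15:00", "blade": "Firewall", "user": "jdoe",
     "detail": "allowed web browsing"},
]


def build_incident(events, user):
    """Collapse one user's events into the who/what/where/when/why record
    slide 21 asks for. Returns None when the user has no events."""
    mine = sorted((e for e in events if e["user"] == user), key=lambda e: e["time"])
    if not mine:
        return None
    first = datetime.fromisoformat(mine[0]["time"])
    last = datetime.fromisoformat(mine[-1]["time"])
    countries = sorted({e["dst_country"] for e in mine if "dst_country" in e})
    data_types = sorted({e["data_type"] for e in mine if "data_type" in e})
    person = ORG_CHART.get(user, {"role": "unknown role", "zone": "unknown zone"})
    return {
        # Who: identity joined to the org chart, not just a source IP.
        "who": f"{user} ({person['role']})",
        # What: the blade-by-blade timeline in order.
        "what": [f"{e['blade']}: {e['detail']}" for e in mine],
        # Where: the internal zone plus every external country seen.
        "where": {"zone": person["zone"], "external": countries},
        # When: first and last sighting, the span, and how many events.
        "when": {"first": mine[0]["time"], "last": mine[-1]["time"],
                 "span_days": (last - first).days, "events": len(mine)},
        # Why: what the business says the exposed data is worth.
        "why": [DATA_SENSITIVITY.get(d, "unknown sensitivity") for d in data_types],
        # Which blades contributed; the slide's "Infrastructure" line.
        "blades": dict(Counter(e["blade"] for e in mine)),
    }


if __name__ == "__main__":
    incident = build_incident(EVENTS, "bbarker")
    for key, value in incident.items():
        print(f"{key}: {value}")
```

The `span_days` value is what separates a single blocked download from the months-long campaign the slide describes: three phishing deliveries long before the malware install only line up once the events are keyed by user rather than by IP, which is why the identity join on slide 12 matters before any of this correlation can work.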
Slide 22: What’s the point of all of this?
Time for analysis and full understanding of an event is greatly decreased
Ability to identify who is targeted and what the risk really is
You need to make blocking decisions quickly
Talking about it over 5 days isn’t going to help
If you can react to malware events in minutes or seconds you are doing as well as the best

Slide 23: How can you use Check Point – Gateway
• Firewall
  - Advanced logging options such as URL logging
  - Log all rules
• Utilize Application Control and URL Filtering
• Identity Awareness
• Anti-Bot/Anti-Virus
  - Utilize packet capture ability
• IPS
  - Utilize packet capture ability
  - Ensure advanced features are enabled on the IPS blade
  - GeoLocation

Slide 24: How can you use Check Point – Management
• SmartLog
  - Create predefined searches for specific events, such as logon/logoff events for Identity logs
• SmartEvent
• Endpoint
  - Compliance checks
  - MD5/OS checks
  - AV events
  - Firewall logs

Slide 25: Summary
Visibility: advanced blades, log everything, network map, full team involvement
Context: know your environment, understand the network, overlay business requirements
Control: create areas of control, management on board, builds intelligence

Slide 26: Thank You!
Daniel Wiley, Senior Security Consultant