Who are you, customer? Zbigniew Szmigiero
Published in: Technology
  • Identification at the network edge
    I know who it is, but what can it do?
    Decryption requires knowledge of the keys and introduces latency
    DDoS against the IDS
  • An exploit is a piece of software that takes advantage of a vulnerability in order to cause unintended application behavior.
    In this slide we see how external content can carry an exploit. When the content is opened by a viewer application (for example, a PDF file in Adobe Acrobat Reader) there can be legitimate access to the file system. An exploit, however, creates a different type of access: it uses a vulnerability to download a malicious piece of code to the file system. That code can be a ‘downloader’ or the payload itself.
    Apex protects applications that open or render external content and can therefore be exploited. These applications are:
    Adobe Acrobat Reader
    Flash viewer
    MS-Office applications: Outlook (mail), Excel, Word, PowerPoint
    Browsers: Chrome, IE and FF
  • How does Apex work?
    Apex verifies the memory state of the application, against Whitelisted, Legitimate application states.
    When an application accesses the file system, Apex is triggered to check the memory state. If, as in this case, the memory state matches a whitelisted state, Apex allows the action to go through.
  • However, if the action is caused by an exploit, known or zero-day, the access to the file system will create an unknown memory state, so Apex will prevent the execution of the file the application created. As long as Apex is installed on the endpoint, that code will not execute, so the threat is mitigated.
    [Note that in the first version Apex will not remove the malicious file from the file system. This functionality is planned for the next release which is due in H1 2013.]
  • If malware has infected the machine, it is very important to mitigate the infection. It does not matter whether the machine was infected before or after the installation.
    If the malware communicates directly with the attacker, that communication is very visible and can easily be blocked. So advanced malware uses a few evasion techniques to bypass detection.
    For example, it will compromise another legitimate application process, and/or communicate with the attacker over legitimate websites (like Forums and Google Docs).
    Trusteer Apex uses a few different techniques to identify unauthorized exfiltration states and malicious communication channels and blocks them.
    Because Trusteer Apex monitors the activity on the host itself, it has better visibility and can accurately detect and block these exfiltration states.
  • Apex specifically protects employee credentials, which are a prime target for cyber criminals. If compromised, a hacker can use these credentials to log in and access sensitive business information.
    Key loggers are often used for stealing user credentials. They often target VPN clients used by remote employees to access the enterprise network or specific enterprise applications. Trusteer Apex encrypts the keystrokes the user enters into applications such as VPN clients (for example Citrix Receiver), browsers and Outlook, and can be configured to protect custom applications [needs to be approved by PM].
    Trusteer Apex prevents users from submitting credentials to phishing sites by validating the site to which they connect and blocking attempts to submit corporate credentials to unapproved sites.
    In addition, Apex will prevent users from reusing enterprise passwords on public sites like Facebook: public sites are constantly targeted by hackers attempting to steal lists of user credentials. Since users do not want to remember many passwords, they tend to reuse them. But using enterprise passwords on public sites may expose your enterprise, because public sites are also under attack.
    Apex detects and blocks enterprise password submission to an unauthorized web site and alerts the user and the enterprise.
    How is it done?
    The admin configures in the Trusteer Management Application (TMA) a list of approved URLs for enterprise application login. The agent keeps a one-way hash of the passwords locally and compares against it when the user tries to log in to a web app. If the login is to an approved URL, it is allowed. If the URL is not on the approved list, the user will not be allowed to use that password.
    Note that this feature is optional and does not have to be enabled.
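The password-reuse check described in the notes above, as an added example (not Trusteer's or IBM's code): the endpoint keeps only a one-way hash of the enterprise password and blocks a submission when the password matches but the login URL is not on the approved list. Assumptions not stated on the page: the hash is salted PBKDF2-HMAC-SHA256, an "approved URL" matches on scheme and host only, and the approved list and passwords below are constructed sample values.

```python
# Added example modelling the enterprise password-reuse check; not Trusteer's code.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample of the approved-login list an admin would configure in TMA.
APPROVED_LOGIN_URLS = [
    "https://vpn.example-corp.com/login",
    "https://mail.example-corp.com/owa/auth",
]
PBKDF2_ROUNDS = 200_000  # assumption: page only says "one-way hash"


def enroll_password(password, salt=None):
    """Keep only a salted one-way hash of the enterprise password on the endpoint."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_enterprise_password(candidate, salt, digest):
    """Constant-time comparison of a submitted password against the stored hash."""
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)


def _origin(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def is_approved(url, approved=APPROVED_LOGIN_URLS):
    """Assumption: approved means same scheme and host as a listed login URL."""
    return _origin(url) in {_origin(u) for u in approved}


def check_submission(url, password, salt, digest, approved=APPROVED_LOGIN_URLS):
    """Return (allow, reason); block and alert on reuse at an unapproved site."""
    if not is_enterprise_password(password, salt, digest):
        return True, "not the enterprise password; policy does not apply"
    if is_approved(url, approved):
        return True, "enterprise password submitted to an approved login URL"
    host = _origin(url)[1]
    return False, f"blocked: enterprise password sent to unapproved site {host}; alert user and enterprise"
```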

    1. Who are you …? Zbigniew Szmigiero, Customer Technical Professional – IBM Security Systems. © 2013 IBM Corporation
    2. IPS • Operate on signatures and rules up to layer 4 • Insufficient for identifying APTs, fraud and data leaks • Vulnerable to DDoS attacks • False positive vs. false negative • Still important, but something more is needed
    3. NG IPS (diagram slide)
    4. Data protection • Identify sensitive data (including during migration) • Monitor access to it • Use encryption wherever possible
    5. Guardium 9.1 (diagram): data sources shown include Big Data environments (InfoSphere BigInsights, GreenPlum, CouchDB, Cassandra, HBase), SAP HANA and Amazon RDS; integration with LDAP, IAM, SIEM, TSM, Remedy, …
    6. Anomaly detection in DAM (screenshot): anomaly hours are marked in red or yellow; clicking a bubble navigates to the Outlier View
    7. Data encryption (diagram): Data Security Manager • FIPS Level 3 key management • Centralized, automated key management • High-availability cluster • Robust role separation; Encryption Expert Agent • File system or volume manager • Transparent and agnostic • Supports Linux, Unix and Windows • Privileged user control and separation • Software-based encryption; layers shown: applications, databases, file systems, volume managers, DAS/NAS/SAN storage, HTTPS link to the Data Security Manager
    8. Data encryption (diagram): comparison of clear text, block-level encryption and MetaClear encryption; with MetaClear the file system metadata (name, created, modified) stays readable while the file data (a sample record with name, card number, expiry date, balance and SSN) is encrypted. Captions: Protects sensitive information without disrupting data management; High-performance encryption; Root access control; Data access as an intended privilege
    9. Application code quality • Who writes your applications? • How do you check code quality? • How do you control changes and fixes?
    10. Full-scope application analysis with AppScan (diagram): client-side app (browser: JavaScript/HTML5 hybrid analysis; native Android/iOS app: static analysis), server-side app (static analysis); SAST on source code, DAST on web interfaces
    11. How do you manage endpoints? • Asset management • Patches • Defining roles and enforcing them • Monitoring access to data (DLP) • Isolating malware and neutralizing it
    12. Full endpoint lifecycle with TEM (diagram): platforms Windows/Mac, Unix/Linux, Windows Mobile, kiosk, POS, Android/iOS/Symbian/Windows Phone; functions: inventory, patch management, protection, CCM, energy management, software usage, MDM, OS deployment, remote control
    13. How does it work? (diagram): sites, patch, license, compliance, remote, Internet, security/DLP, software distribution, asset, install, mobile
    14. How does it work? (diagram): TEM Agent and TEM server; assignment, data
    15. How does an exploit work? (diagram): external content from the web carries an exploit that triggers a vulnerability and reaches the file system alongside the legitimate access. An exploit is a piece of software that uses an application vulnerability to cause unintended application behavior
    16. Application state verification (diagram): allow an application action with an approved state. States shown: user initiated, external content, app update; legitimate access to the file system
    17. Application state verification (diagram): stop application actions with an unknown state. States shown: user initiated, exploit, app update; Trusteer Apex stops execution before the file system
    18. Blocking malware communication (diagram): block suspicious executables that open malicious communication channels. Information-stealing malware (pre-existing infection or direct user download) reaches the external network; exfiltration prevention 1 and 2. Direct communication is highly visible; Evasion #1: compromise an application process; Evasion #2: communicate over legitimate websites, which looks like legitimate communication
    19. Protection against identity theft (ATO) (diagram): grabbing credentials from websites (phishing, using corporate passwords on public sites) and from the user's machine (key logging); countermeasures: keystroke obfuscation and password protection
    20. The never-ending story (diagram): phishing and malware fraud against online banking (account takeover, new account fraud), mobile fraud risk, advanced threats against employees (wire, ACH, internal apps)
    21. The never-ending story (image slide)
    22. The never-ending story: hundreds of customers, 100,000,000 endpoints; figures 7/10, 9/10 and 4/5 for top US, UK and Canadian banks, plus European banks; leading global organizations put their trust in us; financial fraud prevention solutions, advanced threat protection, intelligence; technology leader, expertise
    23. Malware (diagram): Trusteer Rapport between the user's browser and online banking transactions • Removes existing infection • Prevents new infection • Secures the browser • Alerts the user on phishing sites • Notifies the bank for takedown • Retail and commercial • Scales to millions • No end-user impact; prevents credential and data theft that enable ATO and cross-channel fraud; kills the attack before it even starts
    24. Eliminating malware (diagram): Trusteer Pinpoint Malware Detection and Trusteer Rapport against malware-generated fraudulent transactions and credential theft via malware and phishing
    25. Anomaly identification (diagram): at login to online banking, Trusteer Pinpoint Malware Detection, Trusteer Pinpoint ATO, the Mobile Risk Engine and a 3rd-party risk engine drive the responses: restrict web app (add payee), monitor account (re-credential user), out-of-band authentication (Trusteer Mobile OOB), remediate and immunize the customer (Trusteer Rapport)
    26. Identity theft and ATO (diagram): Trusteer Pinpoint Malware Detection records stolen credentials (malware infections, phished credentials) in the account compromise history; at login, Trusteer Pinpoint Account Takeover (ATO) Detection combines that history with complex device fingerprinting (device attributes: new device, spoofed device, criminal device; user attributes: interaction patterns, geo location, time of access) and denies access
    27. Phishing and ATO (diagram): Trusteer Rapport reports credentials entered at a phishing site (from the office or from home) as phished; Trusteer Pinpoint Account Takeover (ATO) Detection combines the account compromise history with complex device fingerprinting (the same device and user attributes as on slide 26) and denies access
    28. Identity theft (diagram): credential/PII theft via malware or phishing (Trusteer Pinpoint Malware Detection, Trusteer Rapport) followed by new account creation; Trusteer Pinpoint ATO Detection evaluates account and device risk (same device -> multiple Trusteer-protected FIs; same device -> multiple accounts at a single FI) and tags the device as a fraudster
    29. Independent authentication channel (diagram): when Trusteer Pinpoint ATO Detection with the OOB service detects ATO risk at login, access is denied until approved via the registered device (Trusteer Mobile app, secure OOB access authorization over SMS or data)
    30. ATO and mobile fraud (diagram): credential theft (phished credentials and malware infections recorded by Trusteer Pinpoint Malware Detection and Trusteer Rapport in the account compromise history) and mobile device risk factors collected by the Trusteer Mobile SDK inside the bank's mobile banking app • Jailbroken/rooted device • Malware infection • New device ID • Unpatched OS • Unsecure Wi-Fi connection • Rogue app; the Trusteer Mobile Risk Engine restricts access at app login
    31. What next? Or: where to start? • Many solutions, consoles, masses of data, limited resources • SIEM – a platform for integrating security-related events • How many incidents does a SIEM generate? • Incident vs. risk • QRadar – a risk analysis platform (NG SIEM)
    32. QRadar (screenshot slide)
    33. "Never fly in aircraft designed by optimists." The positively pessimistic IBM Security Systems team is at your service with advice