Managing the Integrity of Employee Devices and Data

1. Managing the Integrity of Employee Devices and Data
"Security Life Cycle Best Practices"
Pacific NW Digital Gov't. Summit
David Cantey, CISSP, SCSP, Principal Systems Engineer, Symantec Corporation

2. Agenda
- Key Security Challenges
- Current risk perspective
- Customer Scenario: Homeland Security = Client Security
- Security best practices in the larger management picture

3. Common Public Sector Security Requirements
- Customer/citizen trust: safeguard privacy and sensitive data
- Continuity of operations: smooth recovery during crises
- Demonstrate preparedness: ability to spot new dangers
- Security management: is security actually "happening"?
- Create/maintain a safe IT environment: resolve vulnerabilities
- Comply with applicable regulatory measures: HIPAA, FISMA
- Obtain some tangible measure of security benefit to the organization

4. As applied to end users and their devices
- Perimeters are disappearing: Tablet PCs, laptops, handhelds, etc. must be able to operate securely outside the office defenses
- Hardening devices with disparate firewall, antivirus, intrusion prevention, etc. is complex and/or degrades device performance
- With mobile assets accompanying individuals into new, joint environments, trust depends on consistent standards
- The "undesired" ranks are expanding: solutions must also cover relatively recent threats via P2P sharing, adware, spyware, etc. without undue burden
- The lines are blurring between "securing" IT assets across the board and assuming "management" of those assets
- What do we own? Asset management is a significant security impediment in large organizations
- Beyond users' credentials, how safe are their machines and data?

5. World-Wide Attack Trends
[Chart: Malicious Code Infection Attempts* (100M to 900M) and Network Intrusion Attempts** (25,000 to 150,000) per year, 1996 to 2003, annotated with Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay) and Blended Threats (CodeRed, Nimda, Slammer)]
*Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2003 estimated
**Source: CERT

6. Attack Trend Highlights
- Security Focus: almost one third of all attacking systems targeted the vulnerability exploited by Blaster and its successors. Other worms that surfaced in previous periods continue to survive and target firewall and IDS systems globally. A sufficient number of unpatched systems remain to sustain them.

Rank  Port        Description                                        Percentage of Attackers
 1    TCP/135     Microsoft / DCE-Remote Procedure Call (Blaster)    32.9%
 2    TCP/80      HTTP / Web                                         19.7%
 3    TCP/4662    E-donkey / Peer-to-peer file sharing                9.8%
 4    TCP/6346    Gnutella / Peer-to-peer file sharing                8.9%
 5    TCP/445     Microsoft CIFS Filesharing                          6.9%
 6    UDP/53      DNS                                                 5.9%
 7    UDP/137     Microsoft CIFS Filesharing                          4.7%
 8    UDP/41170   Blubster / Peer-to-peer Filesharing                 3.2%
 9    TCP/7122    Unknown                                             2.5%
10    UDP/1434    Microsoft SQL Server (Slammer)                      2.4%

7. Software Vulnerabilities
[Chart: average number of new vulnerabilities discovered every week. Source: Bugtraq]

8. Vulnerability Trend Highlights
- Security Focus reports that 70% of the vulnerabilities found in 2003 could be easily exploited, because an exploit was either not required or was readily available. This is a 10% increase over 2002, when only 60% were easily exploitable.
[Chart: Percentage of Easily Exploitable New Vulnerabilities, by month]

9. Current Vulnerability Management Expenditure
[Timeline diagram: vulnerability activity over time]
- T0: Vulnerability discovered
- T1: Vulnerability signature issued / safeguard posted
- T2: Major vulnerability exposure / outbreak
- T3: Vulnerability safeguard applied
Spending currently occurs at the end of this timeline, which is TOO LATE; the BEST ROI lies earlier.

10. Vulnerability Management: Best ROI (T0-T2)
[Timeline diagram as on slide 9, with the "Maltrend" curve overlaid]
- T0: Vulnerability discovered
- T1: Vulnerability signature issued / safeguard posted
- T2: Major vulnerability exposure / outbreak
- T3: Vulnerability safeguard applied (TOO LATE)
Spending needs to occur pre T2, where the ROI is best.

11. Malicious Code Trend Highlights
- Two and a half times the number of Win32 viruses and worms were released in 2003 than over the same period in 2002. Over the second half of 2003, more than 1702 new Win32 viruses and worms were documented, a 250% increase over the 687 documented in the second half of 2002.
[Chart: New Win32 Viruses and Worms per period: Jan 1 - Jun 30, 2001; Jul 1 - Dec 31, 2001; Jan 1 - Jun 30, 2002; Jul 1 - Dec 31, 2002; Jan 1 - Jun 30, 2003; Jul 1 - Dec 31, 2003]

12. Malicious Code Trend Highlights
- Blended threats make up 54% of the top ten submissions over the past six months.
- Blended threats have begun targeting core operating system component vulnerabilities:
  - More widespread than the server software targeted by previous network-based worms
  - Much higher density of vulnerable systems
- These worms are also driven by two other factors:
  - The decrease in time between vulnerability disclosure and release of exploit code
  - The overall increase in exploit code development
- Within the top ten malicious code submissions, the number of mass-mailer worms with their own mail engine increased by 61% over the first half of 2003.

13. What do these statistics mean?
- Users' devices are increasingly targeted for attack
- More vulnerabilities in:
  - Core operating system components
  - Common desktop applications (e.g. browsers)
  - Threats growing around instant messaging apps, P2P, etc.
  - E-mail remains a troubling attack avenue. Example: one out of every 12 messages carried MyDoom in Jan. 2004
- With computing power and applications pushed to new locations (border checkpoints, vehicles, etc.), protections need to be in place to prevent widespread compromise

14. One Mid-Atlantic county's experience
- A new crisis command center forced client system access across fire, police and rescue agencies, plus transportation, FEMA, and others
  - No consistent security tools/configurations in place, even among same-jurisdiction agencies
  - Significant fears of infection, cleanup, re-infection...
- Rapid proliferation of computers in multiple locations and vehicles
  - "Workstations" in police cruisers, command vans, etc.
  - Many with no OEM security
  - Need to permit only trusted devices to connect, as security is pushed to all machines
- IT staffs under the CIO's office and those supporting first responders had different perspectives on priorities, including security
- The need to share data rapidly helped define the security challenges
15. County Deploys Client Firewall with Antivirus
- Client antivirus, firewall and intrusion protection
- Centrally managed
- Resource-efficient footprint
- Easy, transparent updates
- Blocks numerous attacks by default
- Stops outbound activity that is suspect or malicious, containing damage
- VPN compliance: permits VPN access only when policies are correct (e.g. IDS enabled, AV definitions current)
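The VPN compliance check on this slide, as an added example (not the deck's or Symantec's code): the gateway evaluates the client's posture and grants access only when every policy item is correct. The posture fields, the three-day definition-age threshold and the sample devices are assumptions for illustration.

```python
"""Added example: endpoint posture check gating VPN access.
Policy fields, thresholds and sample devices are assumed, not from the deck."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DevicePosture:
    hostname: str
    ids_enabled: bool
    firewall_enabled: bool
    av_running: bool
    av_defs_date: date  # date of the antivirus signature set on the client


# Assumed policy: signatures older than this are "not current".
MAX_DEF_AGE = timedelta(days=3)


def check_posture(p: DevicePosture, today: date) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if not p.ids_enabled:
        violations.append("IDS disabled")
    if not p.firewall_enabled:
        violations.append("client firewall disabled")
    if not p.av_running:
        violations.append("antivirus not running")
    elif today - p.av_defs_date > MAX_DEF_AGE:
        age = (today - p.av_defs_date).days
        violations.append(f"AV definitions stale ({age} days old)")
    return violations


def vpn_decision(p: DevicePosture, today: date) -> str:
    """Gateway action: allow, or quarantine with the reasons to remediate."""
    v = check_posture(p, today)
    return "allow" if not v else "quarantine: " + "; ".join(v)


# Constructed sample postures for the examples below.
TODAY = date(2004, 1, 15)
GOOD = DevicePosture("cruiser-07", True, True, True, date(2004, 1, 14))
STALE = DevicePosture("cmdvan-02", True, True, True, date(2003, 12, 20))
BARE = DevicePosture("laptop-19", False, True, False, date(2004, 1, 15))

if __name__ == "__main__":
    for device in (GOOD, STALE, BARE):
        print(f"{device.hostname}: {vpn_decision(device, TODAY)}")
```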
16. Place Users & Devices Within Core Security Functions
[Diagram: the four core functions Alert, Protect, Respond and Manage, arranged around Proactive Control]

17. Core Security Functions in Detail
[Diagram: items grouped under the four functions]
Alert:
- Early awareness of threats
- Listening posts
Protect:
- Prevent unwanted attacks
- Detect physical breaches
- Security of information assets
Respond:
- Internal
  - Workflow
  - Auto-configuration
  - Disaster recovery
- External
  - Hotline
  - Signature updates
Manage:
- Environment
  - Policies and vulnerabilities
  - Device/patch configuration
  - User access
  - Identity management
- Information
  - Events and incidents

18. Alert: Spotting the 'Blaster' worm early
[Chart: IP addresses infected with the Blaster worm, with notification dates]
- 7/16: initial alerts on the RPC DCOM attack
- 7/23: warnings of suspected exploit code in the wild; advice to expedite patching
- 7/25: exploit code confirmed in the wild; clear-text IDS signatures released
- 8/5: warnings of an impending worm
- 8/7: activity being seen in the wild
- 8/11: Blaster worm breaks out

19. Protect: multi-tier, multi-layer, integrated
Gateway Security:
- Virus protection
- Content filtering
- Firewall
- Intrusion detection
- Common install, management and content update
Client Security:
- Virus protection
- Content filtering
- Firewall
- Intrusion detection
- Common install, management and content update
Server Security:
- Virus protection
- Content filtering
- Vulnerability mgmt.
- Intrusion detection
- Common install, management and content update

20. Respond
- Combine technology with proactive and reactive intelligence...
  - Anticipate new threats
  - Develop and practice emergency response teams
  - Respond to security outbreaks with intelligence and fix tools from your security partner
- ...and minimize damage:
  - Lost revenue
  - Repair costs to bring systems back online
  - Lost productivity
  - Damage to reputation/brand
21. Manage
- Collect and log security events from all sources of input
- Correlate (real-time and statistical), analyze, identify and report incidents
- Execute a continuous vulnerability assessment
- Ensure policy compliance
- Recommend action and track workflow
- Present a real-time dashboard
- Link to other management systems
- Apply automated remediation
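The "collect, correlate, report" steps above, as an added example (not the deck's or Symantec's code) that also produces the shape of the attackers-by-port table on slide 6: constructed firewall deny events are parsed, distinct attacking sources are counted per destination port, and the ports are ranked. The log format and the sample lines are assumptions for illustration.

```python
"""Added example: correlate firewall deny events into a ranked
attackers-by-port report. Log format and sample lines are constructed."""
import re
from collections import defaultdict

# Assumed format: "<date> <time> DENY <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"DENY (?P<proto>TCP|UDP) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"-> \d+\.\d+\.\d+\.\d+:(?P<dport>\d+)"
)

# Constructed sample events using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2003-08-11 10:01:02 DENY TCP 198.51.100.7:3421 -> 192.0.2.10:135
2003-08-11 10:01:05 DENY TCP 198.51.100.7:3422 -> 192.0.2.11:135
2003-08-11 10:01:09 DENY TCP 203.0.113.4:1044 -> 192.0.2.10:135
2003-08-11 10:02:11 DENY TCP 203.0.113.9:2210 -> 192.0.2.10:80
2003-08-11 10:02:40 DENY UDP 198.51.100.22:1035 -> 192.0.2.10:1434
2003-08-11 10:03:01 DENY TCP 203.0.113.9:2211 -> 192.0.2.12:135
malformed line that the parser must skip rather than abort on
"""


def attackers_by_port(log_text: str) -> dict[str, set[str]]:
    """Correlate: map 'proto/port' to the set of distinct source addresses."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # unparseable lines are skipped, never fatal to the collector
            sources[f"{m['proto']}/{m['dport']}"].add(m["src"])
    return dict(sources)


def rank_ports(log_text: str) -> list[tuple[str, int, float]]:
    """Report: (proto/port, distinct attackers, % of all distinct attackers).
    A source hitting several ports counts toward each, so percentages
    need not sum to 100 (as on the slide 6 table)."""
    by_port = attackers_by_port(log_text)
    total = len(set().union(*by_port.values())) if by_port else 0
    ranked = sorted(by_port.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(port, len(s), round(100 * len(s) / total, 1)) for port, s in ranked]


if __name__ == "__main__":
    for rank, (port, n, pct) in enumerate(rank_ports(SAMPLE_LOG), 1):
        print(f"{rank:>2}  {port:<9} {n:>3} attackers  {pct:>5}%")
```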
22. The Reality of Converging Management Requirements: Central
- Assure security policy compliance
- Receive early awareness of threats
- Prevent & detect attacks & breaches
- Protect privacy of information
- Rapidly & easily recover from loss of critical systems & information
- Ensure via policies that adequate storage is available for applications & backup
- Create secure archives for preserving information assets
- Discover & track HW/SW assets
- Provision, update & configure systems via automated policies
- Instantly push security patches & signatures to all managed devices
- Assure software license compliance & remove unauthorized applications
- De-provision & repurpose systems securely

23. Ensuring the security and availability of end users and their client systems
- Threat-, vulnerability- & event-driven patch & configuration management
- Policy-driven backup
- Monitor storage resources & perform corrective action
- System & data recovery
- Threat-, vulnerability- & event-driven backup
- Recovery from attack

24. Summary
- Public and private IT innovation hinges on trust
- Consider mission requirements in fielding protection for end users and their devices
- Consider integrated solutions as a means of simplifying security across portable assets
- View the APRM model (Alert, Protect, Respond, Manage) as the means to give each device (and its user profile) a secure lifespan from installation through replacement
- Eliminate security/storage/system silos; they are all integrity-relevant. The only secure IT assets are managed IT assets.

25. Thank You! Questions?