Karunia Wijaya - Proactive Incident Handling


2. Karunia
Formal Education:
• Master's Degree, September 2003, University of Pelita Harapan, Jakarta
• Bachelor's Degree, January 1997, University of HKBP Nommensen, Medan
• Diploma, 1995, International Computer Studies Microskills Singapore - Medan
Certification:
• IBM eServer Certified Specialist, March 2002, iSeries Solution Sales V5R1
• Managed Security Specialist, Dec 2005, SIMCommander, Hong Kong
• Web Security Expert, September 2010, Armorize Technology, San Francisco
• MVCN Encryption Specialist, October 2010, Navayo Technologies Inc., Hungary
• IRM Specialist, August 2012, Seclore Technology, India
• Certified IRCA Lead Auditor ISO 27001, February 2013, BSI, United Kingdom
• NRPL MSSR Radar Specialist, May 2013, NRPL, Finland
Others:
• Executive Vipassana Meditation, Geulis Mountain, based on S.N. Goenka meditation courses
• Emotions Metabolism, by Mahadibya Nurcahyo Chakrasana
• Neuro Linguistic Programming, Jogja, Basic Principle of Life Expanding, 72 hours, by Clear Heart Foundation
3. International & National
Speaker for:
• Kemenkoinfo
• Kemenakertrans
• Kemenhan
• Kemenhub
• Lembaga Sandi Negara
• BP Batam
• BPPT
• BNN
• SGU
• Binus
• MIEL Academy (India, Vietnam, Macau, Singapore, Malaysia)
Owner of:
• PT. Adi Inti Mandiri - Tangerang Selatan
• PT. Adi Inti Mandiri Solusi - Jakarta
• PT. Global Network Security - Jakarta
• PT. Auto Technic Multimedia - Batam
• PT. Maxima Innovative Technology - Jakarta
• PT. Inti Wira Buana - Jakarta
• PT. Indo Mindstrom Wizzard - Jakarta
• BPR Pundi Dana Mandiri - Jambi
• Vivasoft Pte. Ltd. - Singapore
• IMWizz Pte. Ltd. - Singapore
• SIMCommander Inc. - Hong Kong
• GlobeNet Secure Sdn. Bhd. - Malaysia
• MIEL Pte. Ltd. - Singapore
4. Security Management Challenges
• Implementation
  – Tools to manage security cost millions
  – Integrating and deploying them is challenging
  – 24 x 365 management requires highly trained staff
• Business Imperative
  – Not core business: it does not generate revenue
  – Investing in security management can be costly and still not produce the expected results
5. The Problems
• Too many consoles and different log formats
  - lack of a holistic view of the overall security posture
  - long learning cycle
• Huge amount of data
  - hard to manage and review
• Organizational challenges
  - different teams have different responsibilities
  - long response time
• Lack of security professionals in the organization
  - security experts are still expensive and scary
  - lack of an incident response methodology
• Don't know what to do when an incident occurs
  - limited resources
  - budgets and resources are always limited
6. Customer Expectation
• Cost-effective security
• Up-to-date defense mechanisms
• 24x7 monitoring and alerting
• Rapid emergency response
• Reporting and analysis
• Technical expertise
(Diagram: business threats, vulnerability, and the capability of companies to respond)
7. How Managed Security Services Work
(Diagram: customer devices feeding the Cryptotechno SOC)
Security and Networking Devices:
• Firewall/VPN
• Network IDS/IPS
• Host IDS
• Unified Threat Management
• Routers/Switches
• NetFlow Analysis Devices
• MAC Address Information
• Vulnerability Scanning Tools
Systems and Applications:
• Windows, Unix, Linux, Mainframe
• Antivirus
• Applications: Web Servers, Database, Email Servers, Proprietary Applications
8. Efficiency of Correlation
Based on one month of actual customer data:
• 559,481,668 logs and alerts generated by firewalls and IDSs
  – Security threat pattern identification (normalize and feed into the Correlation Engine)
• 620 security events provided for client review
  – Eliminate insignificant events and report valid events (Correlation Engine)
• 2 events requiring immediate customer contact
  – Cryptotechno proactively contacts clients to warn of a serious security threat (SOC security experts)
9. Supported Devices
10. Attack Example
• Most attackers follow the same sequence:
  – first, scan the network and systems for security holes;
  – then launch a buffer overflow exploit and plant a backdoor on the victim machine to take remote control of it.
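The funnel on slide 8 and the scan-then-exploit sequence on slide 10 are what a correlation engine exists to connect. The following is an added example, not CryptoRing or Cryptotechno code: it normalizes two constructed log formats (a firewall line with DENY/ACCEPT and an IDS alert line; the formats, device names, addresses and the `scan_ports`/`window` thresholds are all assumptions for illustration), tracks each attacker-to-victim pair through scan, buffer-overflow alert and backdoor alert, and reports only a pair that completes all three stages inside the window. Everything else stays an ordinary event for client review, which is how a few hundred million raw lines shrink to a handful of incidents.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real customer data): a firewall format and an
# IDS format interleaved, plus one switch syslog line the parser ignores.
SAMPLE_LOGS = [
    "2013-05-06T09:00:01 fw1 DENY src=203.0.113.5 dst=10.0.0.7 dport=22",
    "2013-05-06T09:00:02 fw1 DENY src=203.0.113.5 dst=10.0.0.7 dport=23",
    "2013-05-06T09:00:02 fw1 DENY src=198.51.100.9 dst=10.0.0.8 dport=445",
    "2013-05-06T09:00:03 fw1 DENY src=203.0.113.5 dst=10.0.0.7 dport=25",
    "2013-05-06T09:00:03 fw1 DENY src=203.0.113.5 dst=10.0.0.7 dport=80",
    "2013-05-06T09:00:04 fw1 DENY src=203.0.113.5 dst=10.0.0.7 dport=110",
    "2013-05-06T09:00:04 fw1 DENY src=203.0.113.5 dst=10.0.0.7 dport=143",
    "2013-05-06T09:00:06 fw1 ACCEPT src=203.0.113.5 dst=10.0.0.7 dport=21",
    "<189>May  6 09:00:07 sw1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
    '2013-05-06T09:02:10 ids1 ALERT sig="FTP USER buffer overflow attempt" src=203.0.113.5 dst=10.0.0.7',
    '2013-05-06T09:03:30 ids1 ALERT sig="Backdoor reverse shell connection" src=10.0.0.7 dst=203.0.113.5',
    '2013-05-06T09:05:00 ids1 ALERT sig="Backdoor probe" src=198.51.100.9 dst=10.0.0.9',
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>DENY|ACCEPT) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
IDS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<dev>\S+) ALERT sig="(?P<sig>[^"]+)" '
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def normalize(line):
    """Map one raw line onto a common event schema; None if the format is unknown."""
    m = FW_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": datetime.fromisoformat(d["ts"]), "device": d["dev"],
                "type": "fw_" + d["action"].lower(),  # fw_deny / fw_accept
                "src": d["src"], "dst": d["dst"],
                "dport": int(d["dport"]), "sig": None}
    m = IDS_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": datetime.fromisoformat(d["ts"]), "device": d["dev"],
                "type": "ids_alert", "src": d["src"], "dst": d["dst"],
                "dport": None, "sig": d["sig"]}
    return None


def correlate(events, scan_ports=5, window=timedelta(minutes=30)):
    """Walk each attacker->victim pair through scan -> exploit -> backdoor.

    Only a pair that completes all three stages within `window` becomes an
    incident; everything else stays an ordinary event for client review.
    """
    denies = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
    state = {}                   # (src, dst) -> progress record
    incidents = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        pair = (e["src"], e["dst"])
        if e["type"] == "fw_deny":
            denies[pair].append((e["ts"], e["dport"]))
            recent = [(t, p) for t, p in denies[pair] if e["ts"] - t <= window]
            ports = sorted({p for _, p in recent})
            if len(ports) >= scan_ports:
                st = state.setdefault(pair, {"stage": "scan", "since": recent[0][0]})
                if st["stage"] == "scan":
                    st["ports"] = ports
        elif e["type"] == "ids_alert":
            sig = e["sig"].lower()
            # The exploit travels attacker -> victim, same direction as the scan.
            st = state.get(pair)
            if "overflow" in sig and st and st["stage"] == "scan" \
                    and e["ts"] - st["since"] <= window:
                st.update(stage="exploit", exploit_sig=e["sig"])
                continue
            if "backdoor" not in sig:
                continue
            # A reverse shell travels victim -> attacker, a bind shell the
            # other way, so accept either direction for the final stage.
            for key in (pair, (e["dst"], e["src"])):
                st = state.get(key)
                if st and st["stage"] == "exploit" and e["ts"] - st["since"] <= window:
                    st["stage"] = "backdoor"
                    incidents.append({
                        "attacker": key[0], "victim": key[1],
                        "ports_scanned": st["ports"],
                        "exploit": st["exploit_sig"], "backdoor": e["sig"],
                        "first_seen": st["since"], "last_seen": e["ts"],
                    })
                    break
    return incidents


def triage(lines):
    """The funnel from the slide: raw logs -> parsed events -> real incidents."""
    events = [ev for ev in (normalize(l) for l in lines) if ev is not None]
    incidents = correlate(events)
    return {"logs": len(lines), "events": len(events),
            "incidents": len(incidents), "detail": incidents}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOGS)
    print(f"{summary['logs']} logs -> {summary['events']} events "
          f"-> {summary['incidents']} incident(s)")
    for inc in summary["detail"]:
        print(inc)
```

The single deny from 198.51.100.9 and the lone "Backdoor probe" alert never reach the customer: the first has no scan behind it and the second has no exploit stage to attach to, so neither passes the stage check. Tuning `scan_ports` and `window` per customer is where most of the false-positive reduction on slide 8 actually happens.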
11. Without CryptoRing Solution
12. With CryptoRing Solution
13. CryptoRing Service Description
• Monitors device availability and collects security events from customers' devices
• Event correlation analysis to distill the true security incidents
• Real-time email alerting when a security incident is detected
• Weekly scheduled security status and summary reports through email
• Easy-to-use reporting web portal, accessible from anywhere
14. Benefits
• Protection through device availability monitoring, best-practice attack identification and detection of advanced, organized attack sequences
• Integrated analysis with the other security devices in the network to accurately identify real threats
• Email alerting to keep the customer updated on security status in real time
• Easy-to-read summary and detail reports for an intuitive view of security posture
• Fully integrated with UTM appliances (TippingPoint in particular)
15. What the Customer Will Get
• Weekly Standard Reports
  o Comprehensive reports in PDF format
  o Delivered to the customer automatically through email
• Web Portal
  o Log in to generate ad-hoc reports
  o Anywhere and anytime
• Email Alert Messages
  o Notify the customer of security incidents in real time
16. Topology
17. Early Warning
18. Weekly Standard Reports
Type: Alerts
  Report: Weekly Security Alert Summary
  • Alert count by day
  • Weekly alert trend
  • Alert count by alert category (CAT)
  • Alert count by alert rule
  • Alert CAT 3 – Top 10 destination (with source and rule)
  • Alert CAT 2 – Top 10 destination (with source and rule)
  • Alert CAT 1 – Top 10 destination (with source and rule)
  • Alert CAT 0 – Top 10 destination (with source and rule)
Type: Security Events
  Report: Weekly Security Events Summary
  • Security event count by day (by device)
  • Weekly security event trend
  • Firewall: Top 10 denied source
  • Anti-Virus: Top 10 virus, Top 10 infected host, Top 10 email sender
  • IDS/IPS: Top 10 alert, Top 10 attack destination, Top 10 attack source
  • Web Filtering: Top 10 blocked web domain
  Report: Weekly Device Status Summary
  • Device up/down status by day
  • Device administrative login by day
Type: Usage
  Report: Weekly Device Usage Summary
  • Bandwidth: inbound and outbound, Top 10 protocol, Top 10 source, Top 10 destination
  • Web Proxy: Top 10 web access, Top 10 source
  • Email: Top 10 sender, Top 10 receiver
19. Web Portal Reports
Type: Alerts
  Report Group: Alert Summary
  • Last 24 hours alert count by alert category (CAT)
  • Last 24 hours alert statistics
Type: Security Events
  Report Group: Security Event Summary
  • Last 24 hours security event statistics
  • Last 24 hours security event statistics by device
  • Last 24 hours Top 10 source
  • Last 24 hours Top 10 destination
  Report Group: Firewall
  • Last 24 hours firewall denied source IP
  • Last 24 hours firewall denied destination IP
  • Last 24 hours firewall denied destination port
  • Last 24 hours Top 10 source by connection count
  • Last 24 hours Top 10 destination by connection count
  • Last 24 hours Top 10 destination port by connection count
  • Last 24 hours Top 10 email sender
  • Last 24 hours Top 10 web client
  • Last 24 hours user login success
  • Last 24 hours user login failure
20. Web Portal Reports (continued)
Type: Security Events
  Report Group: IDS/IPS
  • Last 24 hours Top 10 source
  • Last 24 hours Top 10 destination
  • Last 24 hours Top 10 event
  Report Group: Anti-Virus
  • Last 24 hours Top 10 virus
  • Last 24 hours Top 10 infected host
Type: Usage
  Report Groups: Web, FTP, Email, Telnet/SSH, VPN
  • Last 24 hours Top 10 source
  • Last 24 hours Top 10 destination
  • Last 24 hours top users
21. Customer Portal Login
Each customer is assigned a login ID under which only that customer's own alerts and data are shown.
22. Portal Dashboard
The dashboard is shown in the main display area after login by default, giving customers their security posture information. Customers can also select the reports they want on the portal display.
(Screenshot callouts: main report display area; user selects individual reports from different groups)
23. Alert Summary Reports
These reports display the alerts detected by the SIMC, so you can see the alert statistics and the distribution across severities.
24. Event Summary Reports
These reports show the event statistics within a day. The number of events received on working days should be roughly the same from day to day. If there is an abnormal rise in the event count, investigate further to find the cause.
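One way to turn the rule above into a check, as an added example rather than the portal's own logic: compare each working day's count against the trailing baseline of earlier working days and flag both spikes and drops. A count that collapses to zero usually means the device or its log feed is down, which is as worth investigating as a rise, and weekends are kept out of the baseline because their volume is normally much lower. The daily counts, the 3-sigma threshold, the five-day minimum history and the 5% floor on the deviation are constructed assumptions for illustration.

```python
from datetime import date
from statistics import mean, pstdev

# Constructed daily security-event counts for one device (not real data).
SAMPLE_COUNTS = {
    date(2013, 5, 6): 41_200,    # Mon
    date(2013, 5, 7): 39_800,
    date(2013, 5, 8): 42_100,
    date(2013, 5, 9): 40_500,
    date(2013, 5, 10): 41_900,
    date(2013, 5, 11): 8_300,    # Sat: weekend volume is normally much lower
    date(2013, 5, 12): 7_900,    # Sun
    date(2013, 5, 13): 40_700,
    date(2013, 5, 14): 41_300,
    date(2013, 5, 15): 0,        # Wed: device silent, log feed probably down
    date(2013, 5, 16): 40_900,
    date(2013, 5, 17): 118_400,  # Fri: roughly 3x the working-day baseline
}


def working_days(counts):
    """Keep Monday..Friday only; weekend days would drag the baseline down."""
    return {d: c for d, c in counts.items() if d.weekday() < 5}


def abnormal_days(counts, k=3.0, min_history=5, floor=0.05):
    """Flag working days more than k sigma away from the trailing baseline.

    Both directions are reported: a spike is the slide's case, a drop to
    near zero usually means the device or its log feed stopped. Flagged
    days are not fed back into the baseline, and sigma is floored at
    `floor` * mean so a very flat week does not flag ordinary jitter.
    """
    findings, history = [], []
    for day in sorted(working_days(counts)):
        count = counts[day]
        if len(history) >= min_history:
            mu = mean(history)
            sigma = max(pstdev(history), floor * mu)
            if abs(count - mu) > k * sigma:
                findings.append({
                    "day": day, "count": count, "baseline": round(mu),
                    "direction": "spike" if count > mu else "drop",
                })
                continue
        history.append(count)
    return findings


if __name__ == "__main__":
    for f in abnormal_days(SAMPLE_COUNTS):
        print(f"{f['day']}: {f['count']} events vs baseline "
              f"{f['baseline']} ({f['direction']})")
```

Run per device rather than on the customer-wide total: a single firewall going quiet disappears inside the aggregate, which is why the weekly report on slide 18 breaks the event count down by device.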
25. Virus Reports
These reports display the virus activity detected on the firewalls. Customers can see which viruses occur most frequently at the firewall, and can collect that virus information and distribute it to all system owners so they are aware of it.
26. Firewall Reports
These reports display the destination IP addresses with the highest bandwidth consumption. Usually the IP addresses listed are the enterprise's critical servers, such as the email server or FTP server. From these reports customers can spot any IP address that is abusing the Internet link.
27. IDS / IPS Reports
This report displays the top 10 events detected by the IDS/IPS. Customers can see which IDS/IPS events occur most frequently and judge whether further investigation is required.
28. Incident Report Samples