Infosec cert service

From my journey to SK Telecom, Seoul, Korea - May 2013.

Published in: Technology
  1. Cover: Infosec CERT Service
  2. Company Summary
     Name: Infosec
     CEO: Shin Soojung
     Domains: Security Consulting; Security System Integration; Security Monitoring & Management
     Professional Service Period: Jun. 2000 ~ Present (13 yrs)
     Infosec is an affiliate company of SK C&C and a total security service provider, offering security consulting, security system integration, and security monitoring and management.
     Organization: CEO; MSS Biz HQ; Sales HQ; Solution Biz HQ; Consulting Biz HQ; Management Support HQ; Security Lab.
     Employees: 860 (May 1st, 2013)
     Products: Mobile Device Mgmt.; Private Information Scanner; Private Information Transfer Control
     Sales (USD)
     Years          2012          2011          2010
     Consulting     14,575,000    13,048,000    10,792,000
     SI             53,190,000    53,449,000    37,631,000
     MSS            33,204,000    21,519,000    14,525,000
     Total         100,969,000    88,016,000    62,948,000
     Growth (%)           14.7          39.8          45.9
  3. Service Coverage: Prevention / Management & Monitoring / Incident Analysis
     Prevention
     - OS Configuration Check: Windows, Linux, UNIX, CISCO S/W
     - FW ACL Review: Juniper, Cisco
     - Web Application Vulnerability Check: port scanning w/ NMAP, scanners (IBM AppScan), professionals
     Management & Monitoring
     - Managed systems: Firewall, IPS, Anti-DDoS, WAF
     - 24*7 Health Check, ACL Control, Report
     - 24*7 Security Event Monitoring
     - 24*7 Incident Handling (Alerting & Access Control)
     - Dedicated Professionals
     Incident Analysis
     - Infected System Investigation: File System, Registry / Log, Process, Memory
     - Malicious Code Review: Dynamic Analysis, Static Analysis
     - Security Audit Trail Review: Security Events, System/Web Log, IE Cache History, Registry
     SK Infosec provides full coverage of managed security service in Korea: prevention, management, monitoring, and incident handling.
  4. Organization (CERT Center) and R&R
     ITEM                R&R
     PM                  • Project Management / Service Delivery
     Top-CERT            • Cyber Forensic
     Site Manager        • Follow up customer requirements
                         • SPOC (Single Point Of Contact)
     Dedicated CERT      • Apply security policies
                         • 1st line support when breaches occur
                         • Periodic report about the security situation
     CERT                • 2nd line support when the dedicated CERT fails
                         • Veterans in analyzing incidents (at least 7 years' experience)
                         • Find zero-day exploits and figure out countermeasures
     Monitoring          • 24H*365D real-time monitoring
                         • 4 teams / 2 teams a day
     Penetration Tester  • White-hat hackers
                         • Simulated hacking; point out vulns.
     Security Engineer   • Install and maintain security systems
                         • Technical review of network architecture from a security viewpoint
     Org chart: MSS Biz HQ (Cho Raehyun); CERT MSS Biz Team (Lee Jaewoo); CERT Team / PM (Son Youngwoo); roles: Monitoring, Penetration Tester, System Manager, Security Engineer, Site Manager, Top-CERT, System Developer, Dedicated CERT
  5. Incident Handling Process
     Flow: Detect incident (customer's suspicious [traffic]) -> Prior attacker IP block -> Send incident alerting message to customer -> Attacker IP block -> Send abuse notification to attacker-side ISP -> Release blocked IP
     Prior attacker IP block, criteria:
     - IP address boundary (ex: from China)
     - Event list (ex: /etc/passwd scanning)
     - Time base (ex: night time / 18:00 ~ next day 09:00)
     Attacker IP block:
     - No agreement of "block and notice"
     - When the customer orders to block the attacker IP
     Release blocked IP:
     - Release the blocked IP address one month later
     - Because dynamic IP addresses are used, the address may no longer be malicious; it may even belong to a customer
     When an incident is detected and verified, SK Infosec alerts the customer via e-mail and SMS. If the customer has agreed to the "block and notice" process, SK Infosec blocks the attacker IP at the firewall beforehand.
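The "block and notice" decision above, written out as an added example (not code from the slides or from SK Infosec): the country, event-name and time-window criteria, the agreement/order distinction and the one-month release are encoded as constructed policy values, and the sample incident is constructed.

```python
from datetime import datetime, timedelta

# Constructed policy values standing in for the slide's examples; they are
# assumptions for this demo, not SK Infosec's real monitoring configuration.
BLOCK_COUNTRIES = {"CN"}                  # "IP address boundary (ex: from China)"
BLOCK_EVENTS = {"/etc/passwd scanning"}   # "Event list (ex: /etc/passwd scanning)"
NIGHT_START, NIGHT_END = 18, 9            # "Time base: 18:00 ~ next day 09:00"
RELEASE_AFTER = timedelta(days=30)        # "one month later", taken as 30 days here

def is_night(ts: datetime) -> bool:
    """The night window crosses midnight: 18:00 through 08:59 the next day."""
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END

def prior_block_reasons(event: dict) -> list:
    """Criteria that permit blocking the attacker IP before the customer is alerted."""
    reasons = []
    if event["src_country"] in BLOCK_COUNTRIES:
        reasons.append("ip_boundary")
    if event["name"] in BLOCK_EVENTS:
        reasons.append("event_list")
    if is_night(event["time"]):
        reasons.append("time_base")
    return reasons

def triage(event: dict, agreed_block_and_notice: bool,
           customer_orders_block: bool = False) -> dict:
    """Handling steps for one verified incident: the customer is always alerted;
    a block precedes the alert only under a "block and notice" agreement with a
    matching criterion, otherwise only on the customer's order; every block gets
    an ISP abuse notification and a release date (dynamic IPs change hands)."""
    reasons = prior_block_reasons(event)
    actions = ["alert_customer_email_sms"]
    blocked = False
    if agreed_block_and_notice and reasons:
        actions.insert(0, "prior_block_fw")      # block first, then alert
        blocked = True
    elif customer_orders_block:
        actions.append("block_fw_on_order")      # block after the customer asks
        blocked = True
    if blocked:
        actions.append("abuse_notify_attacker_isp")
    release = event["time"] + RELEASE_AFTER if blocked else None
    return {"src_ip": event["src_ip"], "actions": actions,
            "reasons": reasons, "release_due": release}

# Constructed sample incident (203.0.113.7 is a documentation address, not a real attacker).
SAMPLE = {"src_ip": "203.0.113.7", "src_country": "CN",
          "name": "/etc/passwd scanning", "time": datetime(2013, 5, 10, 23, 30)}
RESULT = triage(SAMPLE, agreed_block_and_notice=True)
```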
  6. ESM Incident Screens
     The in-house ESM detects incidents from security events according to ISMM, SK Infosec's own monitoring methodology.
     - Security Incident: the detected incident with its event name, count, src IP, dest IP, and status
     - Detail Info.: the incident expanded with its detail information, to check whether it is true or false
     - Response: who handles this incident and whether alerts were sent to the customer and the attacker's ISP
     ISMM: Infosec Security Monitoring Methodology
  7. APT / Zero-day Exploit Detection
     APT is one of the big trends in the security world. SK Infosec binds IPS signatures to a malware analysis tool and provides zero-day exploit detection.
     Pipeline: Event detected (IBM Proventia) -> URL collection -> Malicious code download (from event URLs) -> File transfer -> Malicious code storage -> Multi-AV scan -> Reporting (ESM) -> Block in FW
     Stages: Collect malicious code; Store malicious code; Analyze malicious code; Report malicious code
  8. Incident Investigation Service
     Two types of service will be provided. For an IPS monitoring customer, when an attack occurs, SK Infosec checks the victim system to investigate the extent of the damage. For a potential customer, SK Infosec checks whether the system is infected or not.
     Step  Process                       Investigation Item
     1     Initial Stage                 - Environmental info.  - System process  - Network situation
     2     Victim system investigation   - Attack scenario  - Time-line analysis  - Investigation tools  - Infected files
     3     Log file analysis             - Event log  - System log  - Web log  - Security equipment log
     4     Report and Feedback           - Incident handling report  - Root cause  - Design countermeasure  - Recommendation
     Category           Item
     Volatile Data
       System Info      Date; System Config; Environmental
       User             Login info; Users; User activity
       Network          Network connection; ARP; Interface info
       Process          Process List; Handle, dll; Services
     Non-Volatile Data
       File System      Event log; File attribute; MACTIME
       Registry         Registry Dump; Autorun; Key creation time
       Weblog           Web attack Keyword; Webshell execution Keyword
       Webshell         Webshell Keyword; Encoding Keyword
  9. Availability Check
     Coverage
     - Security Systems
     - IT Assets agreed on SOW
     Checking Criteria
     - 24H*365D Monitoring
     - Basically, an ICMP health-check is provided
     - If needed, Infosec provides a service check based on ports
     Tools
     - Infosec develops an in-house NMS using an open source NMS (Nagios)
     Function         Comments                                               Notes
     Alive-Check      ICMP and service port check                            Developed in Jun. 2011; internal test in Sept. 2011; applied on customer site in Oct. 2011
     Threshold Mgmt.  Traffic, CPU, memory check via SNMP provides warning   Network equipment
     Log Analyze      Analyze error logs from security systems
     Customer Report  Monitoring tool and automated SMS report
 10. Trouble Ticket Fields
     - Name of Event (Trouble)
     - Who, When, How, Why handle the Event
     - Detail Information of Event
     - Simple Trouble Shooting Procedure
 11. Web Malware Monitoring (W-MDS)
     Web hacking accounts for 90% of attacks. To take control of victims, hackers use web shells and then insert script code into web pages to distribute malware to clients.
     W-MDS monitors homepages and ad pages for inserted malware:
     - In-house pattern (our experience)
     - Filter
     - Obfuscation
     - Appliance system
     - At least once per 2 hours
     - Recursive checking
     - Indicate the actual link
 12. Monthly Report
     SK Infosec provides a monthly report produced by an automated system to avoid human errors, but the executive summary is written by security experts.
     Item                     Content                                                         Note
     Executive summary        Security expert's opinion about the site situation and recommendation
     Event trend by day       Detected event count by day                                     Diagram and table
     Event trend by severity  Detected event count by severity                                Diagram and table
     Top 10 event             By event name, attacker's IP, and victim's IP                   Including event description
 13. Intelligence Gathering (diagram; labels recovered from the slide)
     - Sources: SK-NET; Mobile/Wireless; Financial Sector; Industry (Cooperation, BMT, Analyzing and Testing, Information Sharing (Back-Line Support)); u-CERT Center; ISP / IDC
     - Flows: Malware Information Gathering; Sharing Analyzed Information; Provide Security Info.
     - Infosec: Consulting HQ; CHINA; ISCM, IVHM, IPPM; Site Manager; Security Planning; Proactive Security Trend Support; Compliance issues; Monitoring by ISMM (Prevention, Detection)
     - Customer: CISO; HR, Finance, Law; IT Infra/System, NW; sites SEOCHO, T-Tower, SUNAE
     - Legend
 14. Service on China & Japan
     - China: Beijing Security Center (安全中心)
     - Japan: Audio Technica; Dwango; TOKAI Communication; Tobu Train; Nexway (Intec Cloud); Planet (Intec Cloud); DCJ (Intec Cloud)
     Cloud Service Security
     - SKTelecom T-Cloud Service
     - Japan Intec Cloud Service (Intec Center)
     Japan IDC Security Service
     - Canon-ITS IDC (T-Cloud Service)
 15. Security Operation / Security Consulting / Security SI