Anatomy of a CERT - Gordon Love, Symantec
Transcript

  • 1. Anatomy of a CERT – Gordon Love, Regional Director for Africa, March 2010
  • 2. Agenda • The African landscape is changing • Why do we need a CERT – Threat Landscape • Steps in building a CERT • The role of a CSIRT • Q&A
  • 3. Africa is Changing… Broadband Capacity Increases
  • 4. Lessons Learned – increased broadband capacity • Africa is currently updating its broadband infrastructure • There is an increase in malicious activity in countries with rapidly emerging Internet infrastructures • Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers • With cheaper and faster Internet, more Africans will be “always-on” or continually connected • There will be many “new” Internet users that are not security-savvy
  • 5. What do we need to protect against…
  • 6. Symantec Security Response – How do we know? Symantec Response Lab, Symantec Monitored Countries, Symantec Secure Operations Center. Over 25,000 Registered Data Partners, From Over 180 Countries. Locations: Dublin, Ireland; Calgary, Canada; Waltham, MA; American Fork, UT; Alexandria, VA; Redwood City, CA; Newport News, VA; Santa Monica, CA; London, England; Tokyo, Japan; San Antonio, TX; Berlin, Germany; Sydney, Australia. Rapid Detection: Attack Activity • 240,000 sensors • 200+ countries | Malware Intelligence • 130M client, server, gateways monitored • Global coverage | Vulnerabilities • 32,000+ vulnerabilities • 11,000 vendors • 72,000 technologies | Spam/Phishing • 2.5M decoy accounts • 8B+ email messages/day • 1B+ web requests/day
  • 7. IWECA Presence. Legend: Symantec Resource, Distributor, Reseller. IDC Adjusted Market Potential Ranking: 1 Angola; 2 Nigeria; 3 Kenya; 4 Uganda; 5 Tanzania; 6 Mauritius; 7 Ethiopia; 8 Botswana; 9 Ghana; 10 Namibia
  • 8. Economic Growth 2008 – Country Ranking by Economic Growth (%) 2008: 1 Angola 21.4; 2 Ethiopia 8.4; 3 Uganda 6.4; 4 Tanzania 7.2; 5 Kenya 4.4; 6 Nigeria 7.5; 7 Ghana 6.3; 8 Mauritius 5.8; 9 Namibia 5.5; 10 Botswana 4.4
  • 9. Ranking by IT Spend Per Capita – Country Ranking by IT Spend ($m) Per Capita 2008: 1 Mauritius 74.26; 2 Botswana 66.02; 3 Namibia 39.42; 4 Angola 18.46; 5 Kenya 9.14; 6 Ghana 7.93; 7 Nigeria 7.11; 8 Tanzania 3.75; 9 Uganda 2.74; 10 Ethiopia 1.76
  • 10. IDC Predicted ICT Growth
  • 11. Kenya review – Analyst Opinion: In Kenya, the IT market reached a value of $352.7 million and is expected to grow, albeit slowly, at 6.1% in 2009 to reach $374.0 million. Over a five-year period, IDC forecasts that the market will increase at a CAGR of 14.6% to reach $615.9 million by 2012.
  • 12. ISTR XIV Key Trends – Threat Landscape. Web-based malicious activity: • Primary vector for malicious activity • Target reputable, high-traffic websites | Cyber criminals want YOUR information: • Focus on exploits targeting end-users for financial gain | Increased sophistication of the Underground Economy: • Well-established infrastructure for monetizing stolen information | Rapid adaptation to security measures has accelerated: • Relocating operations to new geographic areas • Evade traditional security protection. * Symantec Internet Security Threat Report, Volume XIV
  • 13. Highlights – Key Trends – Global Activity. Threat Activity: • Data breaches can lead to identity theft • Theft and loss top cause of data leakage for overall data breaches and identities exposed • Threat activity increases with growth in Internet/Broadband usage | Vulnerabilities: • Documented vulnerabilities up 19% (5491) • Top attacked vulnerability: Exploits by Downadup • 95% vulnerabilities attacked were client-side | Malicious Code: • Trojans made up 68 percent of the volume of the top 50 malicious code • 66% of potential malicious code infections propagated as shared executable files | Spam/Phishing: • 76% phishing lures target Financial services (up 24%) • Detected 55,389 phishing website hosts (up 66%) • Detected 192% increase in spam across the Internet with 349.6 billion messages • 90% spam email distributed by Bot networks. * Symantec Internet Security Threat Report, Volume XIV
  • 14. New Threat Landscape (chart: Number of New Threats vs Period)
  • 15. New Threat Landscape (chart: Number of New Threats vs Period)
  • 16. New Threat Landscape (chart: Number of New Threats vs Period) – 1177% increase in malware since 2006
  • 17. New Threat Landscape (chart: Number of New Threats vs Period) – 2/3 of malicious code created in 2008
  • 18. New Threat Landscape (chart: Number of New Threats vs Period) – In 2000: 5 detections a day; In 2007: 1431 detections a day
  • 19. New Threat Landscape (chart: Number of New Threats vs Period) – In 2000: 5 detections a day; In 2009: 15 000+ detections a day
  • 20. (image-only slide)
  • 21. 192% growth in spam from 2007 to 2008. In 2008, Symantec documented 5,471 vulnerabilities, 80% of which were easily exploitable. 90% of incidents would not have happened if systems had been patched. In 2008 we found 75,000 active bot-infected computers per day, up 31% from 2007.
  • 22. How do we respond at a Regional / National level…
  • 23. Objectives of a CERT • Enhance information security awareness • Build national expertise in information security, incident management and computer forensics • Enhance the cyber security law and assist in the creation of new laws • Provide a central trusted point of contact for cyber security incident reporting • Establish a national centre to disseminate information about threats, vulnerabilities, and cyber security incidents • Foster the establishment of and provide assistance to sector-based Computer Security Incident Response Teams (CSIRTs) • Coordinate with domestic and international CSIRTs and related organizations • Become an active member of recognized security organizations and forums
  • 24. CERTs across Europe. Thank you! Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
  • 26. CERT Framework – Mandate, Charter & Constituents (diagram). 01 STRUCTURE: Mandate; Charter; Constituents & Strategic Partnerships; Global CERT Affiliations; Strategic Partnerships; Constituent Identification & Classification; Service Offerings; Memberships. 02 FUNCTIONALITY: CERT Framework designed & implemented; constituent database with defined roles & responsibilities in place and equipped to leverage strategic partnerships and affiliations. DELIVERY: Constituent campaigning and alliances established; Phased delivery of services; Mutually beneficial. Emerging FY '11 Planning – Information Security Through Committed Partnership
  • 27. Constituent Tier System • TIER 1 – damage to which would cause critical harm to the critical information infrastructure. For example: regulated electronic communications providers; federal ministries responsible for the critical national infrastructure; national security organizations. Members: Government Departments with direct responsibility for an area of CNI; Providers of Communications Infrastructure; National Security. Must have incident response capability. • TIER 2 – damage to which would cause serious harm to the critical information infrastructure. For example: providers of utilities and other parts of the critical infrastructure such as banking. Members: Providers of CNI Services; Government Departments not involved in CNI. Must have incident response capability. • TIER 3 – damage to which would cause some harm to the critical information infrastructure. For example: other government departments, agencies, councils and commissions; logistics and transport providers. Members: General Commerce; Other Government Departments; Special Councils & Commissions. • PUBLIC – all other sectors and the wider public. Members: General Public; Anyone not covered in Tier 1–3
  • 28. CERT Framework – Develop Legal & Regulatory Framework; CERT Framework – Implement Global Best Practices / Policies / Procedures. Emerging FY '11 Planning
  • 29. CERT Framework – Develop Legal & Regulatory Framework; CERT Framework – Implement Global Best Practices / Policies / Procedures. Emerging FY '11 Planning
  • 30. CERT Framework – Develop Legal & Regulatory Framework; CERT Framework – Implement Global Best Practices / Policies / Procedures. Emerging FY '11 Planning
  • 31. CERT Framework – Employ and Develop Skilled Resources and Partners; CERT Framework – Develop Legal & Regulatory Framework
  • 32. CERT Framework – Achieve Operational Capability with fully functional SOC; CERT Framework – Develop Legal & Regulatory Framework
  • 33. High Level CERT Process Summary 1. Build a CERT Framework 2. Develop Mandate, Charter and Constituents 3. Develop Legal & Regulatory Framework 4. Build required Infrastructure & Technology 5. Implement Global Best Practices, Policies and Procedures 6. Source and Develop skilled Resources, Capability and Partners 7. Achieve Operational Capability & fully Functional CSIRTs
  • 34. The role of a CSIRT
  • 35. Objectives – Why is it important? Benefits of CSIRT • Relevant & timeous security data aggregated into one location • 24 x 7 x 365 real-time response capability • Coordination of preventative and response actions • Reduced complexity/cost through standardisation / integration • In-depth reporting at strategic, tactical and operational level • Compliance with governance / regulatory requirements • Business continuity • Customer confidence & brand protection • Improved accountability and management efficiencies
  • 36. Find the right information • Millions of security alerts per day, only a few are relevant – Filtering, aggregation, prioritisation, … • Find one needle in a needle stack!
  • 37. Aggregation and Correlation (pyramid). Top – 100’s Incidents, produced by 1. Analytics (Correlation, Threat and business impact ratings): • Prioritized lists • Actionable Items • CIA Business Impact Ratings. Middle – 1 000 000’s Events, produced by 2. Event Detection (IDS, VA Scans, FW, Policy & Vulnerability): • Aggregated event data • Disbursed • Heterogeneous. Bottom – 10 000 000’s Security Data: • Raw log Data
  • 38. Incident NOT Event! Event: The smallest unit of security information. Can be positive, negative or informational. Incident: A collection of events grouped together to form a single unit that requires actions from identification to closure.
  • 39. Incident Prioritisation and Allocation. Priorities: • As Incidents are formed they are automatically prioritised. • Prioritisation is based on the business impact of each encompassed event on the system. Business impact is based on: • Confidentiality • Integrity • Availability
  • 40. A Comprehensive Solution • Multi-vendor security systems generate overwhelming numbers of raw logs, events and alerts • Security professionals analyze & evaluate the results • Security Analysts, through the Secure Interface, keep in constant touch with their assigned Clients, with proactive commentary and recommendations on threats impacting their network. (diagram: Vulnerability Mgmt., AV/Filtering, IDS, Firewalls → Security Analyst)
  • 41. Typical Design – What does it look like? (diagram: CSIRT Security Operations Centre. Users / Stakeholders: Staff, Suppliers, Customers, Investors. External Stakeholders: Law Enforcement, Regulators, Intelligence, Government, Strategic Security Partners. Inputs: Vulnerability Assessment Service, Global Intelligence Feed, Pentest / Audit Service, Business Intelligence, Specialist Resources, CIS Hubs, Data Feeds. SOC Central Processes and Operational Support: Incident Management, Remediation, Mitigation, Escalation, Analysis, Reporting, Monitoring and Analysis, Problem Management, Change Management, Policy, Compliance, Dashboard. Layers: Security Control Layer, Enterprise Infrastructure Layer, Applications Layer, IT Operations Layer, Server Layer. Technology: Firewall, IPS, Anti-Virus, Identity Management, Content, Gateway, Routers, E-mail, Network, Web, Messaging, Endpoint, Storage, Host Systems, DB. Phased deployment chart across departments. Supporting Processes, Procedures and Standards across Infrastructure, Services, Users and Technologies required to deliver fully integrated Security Enterprise Management Function)
  • 42. Requirements – What are the Key Success Factors? Key Components for Building a CSIRT: • Infrastructure and supporting Technologies • Data and Intelligence Sources • Specialist Skills and Capacity • Best Practice Policies and Processes • Partnership and Stakeholder Management
  • 43. Security Operations Centre (SOC) (diagram): Response Console; Expert System & Anomaly Query Engine; Continuous Data Mining Process; Security Analysts; Analysis; Secure Interface; Relational DB Infrastructure; Import Facilities (Authenticate, Encrypt, Verify, Normalize). Sources over Internet VPN: Firewalls, IDS, AV/Content, Vulnerability Scanning, Policy Compliance
  • 44. Implementation – Where do we start? Decide on the basic delivery model: In-Sourced; Outsourced; Co-Sourced; Virtual Extension Model; On-site Managed Security Support
  • 45. Deliverables – What will the CSIRT deliver? Top-10 functions of the CSIRT SOC • Proactive vulnerability scanning • Analysis of Global Threat Intelligence • Communication of Alerts/Advisories • Compliance monitoring / management • Incident response & remediation • BCM / DR support & validation • Vulnerability management • Forensic support / Logging • Collaboration & Awareness (Law/ISP) • Report Generation & Dashboard
  • 46. Partnership – Who can help us achieve this? Symantec Value Proposition. People: • World Class Engineering Staff • Industry Leading Security Response Team • Unparalleled SOC Expertise | Process: • Globally Consistent Operational Execution • ITIL best practices • Transparent, Measurable, Auditable Process for Continual Improvement | Technology: • Market Leading Correlation • Proven scalability • Breadth of device support • Secure Web portal to provide clarity into your security posture
  • 47. Questions?
  • 48. Visit www.2010netthreat.com – Q&A
  • 49. Thank you! Gordon Love, Gordon_Love@symantec.com
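Slides 37–39 describe the SOC pipeline in outline only: raw events are aggregated into incidents, and each incident is automatically prioritised by the business impact (Confidentiality, Integrity, Availability) of the affected system. The following is an added illustration of that pipeline, not code from the deck or from Symantec; the event records, the asset CIA ratings, the grouping key (source, asset) and the scoring rule are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed CIA business-impact ratings per asset (0 = none .. 3 = critical).
# Assumption: the SOC maintains such a table for its constituents.
ASSET_IMPACT = {
    "web-01": {"C": 3, "I": 2, "A": 3},
    "hr-db":  {"C": 3, "I": 3, "A": 1},
    "kiosk":  {"C": 0, "I": 1, "A": 1},
}

# Constructed raw events as a detection tier (IDS, firewall, AV) might emit them.
# Per slide 38 an event is positive, negative or informational.
EVENTS = [
    {"src": "10.0.0.5", "asset": "web-01", "type": "ids_sqli",  "severity": "negative"},
    {"src": "10.0.0.5", "asset": "web-01", "type": "fw_block",  "severity": "informational"},
    {"src": "10.0.0.5", "asset": "web-01", "type": "ids_sqli",  "severity": "negative"},
    {"src": "10.0.0.9", "asset": "kiosk",  "type": "av_detect", "severity": "negative"},
    {"src": "10.0.0.7", "asset": "hr-db",  "type": "auth_ok",   "severity": "positive"},
]

@dataclass
class Incident:
    key: tuple                      # (source address, asset) the events share
    events: list = field(default_factory=list)
    priority: int = 0

def business_impact(inc):
    """Assumed scoring rule: (C + I + A) of the asset, weighted by the number
    of negative events the incident encompasses."""
    cia = ASSET_IMPACT[inc.key[1]]
    negatives = sum(1 for e in inc.events if e["severity"] == "negative")
    return (cia["C"] + cia["I"] + cia["A"]) * negatives

def correlate(events):
    """Aggregate events into incidents (slide 37) and prioritise them (slide 39).
    Informational and positive events are kept as context, but a bucket only
    becomes an incident if it contains at least one negative event."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["src"], e["asset"])].append(e)
    incidents = []
    for key, evs in buckets.items():
        if not any(e["severity"] == "negative" for e in evs):
            continue                # nothing requiring action: no incident
        inc = Incident(key=key, events=evs)
        inc.priority = business_impact(inc)
        incidents.append(inc)
    # Highest business impact first: this is the "prioritized list" analysts work from.
    return sorted(incidents, key=lambda i: i.priority, reverse=True)
```

Running `correlate(EVENTS)` yields two incidents: the repeated IDS hits against the high-impact web server rank first, the single AV detection on the low-impact kiosk second, and the successful login on the HR database produces no incident at all.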