Modern Lessons in Security Monitoring


  1. ANATOMY OF A HIGH-PROFILE ATTACK: Modern Lessons for Security Monitoring
     Prepared for: HP Protect 2011
     Prepared by: Anton Goncharov, CISSP, Partner, Solutions Architect (anton.goncharov@metanetivs.com); Dragos Lungu, CISSP, CISA, Security Consultant (dragos.lungu@metanetivs.com)

  2. METANET IVS
     • SIEM and Event Management Group
     • Heavy focus on HP/ArcSight solutions
     • Based in New York with team members world-wide
     • Services: Infrastructure Management, Monitoring and Support
     • ArcSight Tools (RR, NMI)
     • Technical Forum (answers.metanetivs.com)
     Our top 3 strengths*: Experience, Expertise, Quality
     * Source: MetaNet Customer Survey, 6/2011
     PROPRIETARY AND CONFIDENTIAL

  3. Agenda
     1. Discuss the attacks against Sony, HBGary, and RSA
     2. Review the weaknesses and vulnerabilities that allowed the attacks to succeed
     3. Look at the practices and solutions that could have helped prevent the breaches
     4. Discuss the integration of prevention and monitoring
     5. Discuss how ArcSight ESM can combat new threats by improving infrastructure visibility
  4. ATTACKS: Detailed Review

  5. SONY: Brief Intro
     • April and May 2011
     • PlayStation Network
     • Followed by: Qriocity; Sony Online Entertainment; regional sites (Thailand, Greece, Indonesia)
     • 100M+ PSN accounts stolen
     • $173M+ direct costs (Source: eWeek)

  6. SONY: Attack Dissection (diagram: Web Server -> Application Servers -> Database Servers)
     1. Inject exploit in application server (via the web server)
     2. Gain DB access
     3. Phone home & upload data

  7. SONY: Weaknesses
     • Inefficient vulnerability management
     • Lack of compensating security controls
     • SPOF in SSL tunneling
     • PII security policy unenforced
     • Poor network segregation
  8. HBGary: Brief Intro
     • On February 7 2011, HBGary Federal and rootkit.com are compromised
     • Over 71,000 corporate emails leaked, triggering a PR disaster
     • Intellectual property stolen or destroyed (including a decompiled copy of Stuxnet)
     • hbgaryfederal.com is still offline 6 months later*
     * As of July 2011

  9. HBGary: Attack Dissection (diagram)
     • Phase 1: SQL injection against the hbgaryfederal.com CMS database
     • Phase 2: Social engineering: forged email to the corporate firewall admin, yielding inbound access through the HBGary corporate firewall
     • Phase 3: Rootkit.com

  10. HBGary: Weaknesses
     • Insecure web application programming
     • Weak password encryption and hashing policies
     • Repeated violations of the password reuse policy
     • Single-factor authentication throughout critical systems
     • Weak vulnerability management program
     • Lack of security training and awareness among critical staff
  11. RSA: Brief Intro
     • On March 17, RSA suffers an APT attack targeting the RSA SecurID® product
     • Customers exposed to new security risks: RSA ACE server attacks, brute-force attacks, phishing attacks to reveal PINs, token serial numbers
     • On June 2, data stolen in March is used against Lockheed Martin
     • No dollar figure or details on compromised data were given. “…this information could potentially be used to reduce the effectiveness of a current two-factor authentication” (Art Coviello, Executive Chairman, RSA)

  12. RSA: Attack Dissection (diagram)
     • Phase 1: Spear phishing with 0-day payload (CVE-2011-0609)
     • Phase 2: Backdoor infestation (Poison Ivy RAT)
     • Phase 3: Privilege escalation, deeper scanning
     • Phase 4: Data acquisition and encryption
     • Phase 5: Data exfiltration via a compromised FTP server

  13. RSA: Weaknesses
     • Poor security awareness
     • Lax local security policies facilitating privilege escalation
     • No segregation of assets based on business role, which allowed access to critical systems
     • No effective data loss prevention system
  14. REASONS: Threats and Practices

  15. Common Areas of Concern
     • Security awareness
     • Ineffective vulnerability and patch management
     • Endpoint security policy
     • Password management issues
     • Egress content filtering
     • DLP for critical networks / systems
     Nothing new here.

  16. Now Back to 2011
     • New vectors: virtual social engineering, spear phishing, zero-day malware, covert channels, commercialization of attack tools
     • Higher levels of impact: IP theft, cyber espionage / sabotage, market manipulation, vendetta, social riots
     • Vulnerability management is more challenging: undisclosed zero-days, weak preventative & compensating security controls, limited security practices in the SDLC, ubiquity of critical business data
     Targeted attacks, zero-day vulns, and custom malware are brutally efficient.

  17. Targeted Attacks
     • 1 in 1,000,000 emails is a targeted attack
     • 57%: individuals with management responsibilities
     • 60.4%: increase in targeted attacks in 2010
     Source: Symantec MessageLabs 2011

  18. Zero-Day Vulnerabilities Rise
     • One tell-tale: more out-of-band patches
     • Vulnerability disclosure changed: vendor bounty programs; responsible disclosure vs. full disclosure; underground market
     • New attack vectors are leveraged as technologies mature
     This means we don’t know what we’ll be defending against at the same time next year.

  19. Custom Malware
     • AV evasion is part of the malware's QA
     • Sandbox and VM detection
     • Small distribution helps avoid detection: no packing or polymorphic functions; code signing using forged certificates
     • 63%: malware undetectable by AV
     • 79%: compromised records where malware was used
     Source: Verizon Data Breach Report 2011
  20. SO WHAT DO WE DO: Prevention and Assurance

  21. Low Hanging Fruit
     • You can leverage traditional event sources to detect attacks: Geo/IP data; port numbers; AD auth logs
     • The attackers know this
     • The attacks on SONY and others bypassed detection easily
     Successful defense requires a bit more effort.

  22. Addressing Modern Threats
     • Targeted attacks / spear phishing: user training, bi-directional message screening, digital signatures, message encryption, layered anti-spam, browser protection
     • Zero-day vulnerabilities: layered security, critical process isolation, compensating security controls, application-aware IPS (which do not rely on signatures), complete infrastructure visibility
     • Custom malware: behavior monitoring, security policy facilitating incident containment, risk-based security management, layered security controls
     However, deploying solutions without monitoring them is a waste of resources.

  23. So How Do We...
     • ...assess the effectiveness of the security controls?
     • ...define a security baseline?
     • ...recognize internal threats?
     • ...monitor critical business processes?
     • ...assess the immediate impact in case of a security breach?
     The answer is infrastructure visibility.

  24. ArcSight ESM Delivers
     • FlexConnectors for emerging security technologies
     • FlexConnectors for custom, business-critical applications
     • Identity Activity Monitoring
     • Infrastructure mapping across the business units and roles
     • Enforcing corporate security policy
     • KPI-based information security program tracking
     • Scalability and flexibility to address future threats and undiscovered use cases
  25. Example: Business Infrastructure Mapping
     Requirements: a mapping matrix of Business Units (America, EMEA, APAC) × Applications (HR, Accounting, Payroll) × IT Groups (Server, Application, Database), to be filled in for each asset.

     Asset Import File:

     | Asset Name*        | Hostname  | IP      | Description*                           | Asset Group* | Asset Category                |
     |--------------------|-----------|---------|----------------------------------------|--------------|-------------------------------|
     | APAC HR Server     | hrserver  | 1.1.1.1 | File server hosting HR data            | Insurance    | HR Server                     |
     | America Payroll DB | payrolldb | 2.2.2.2 | Payroll Oracle DBMS                    | Credit       | Payroll Database              |
     | EMEA Acct App      | acctapp   | 3.3.3.3 | Accounting application server for EMEA | Investments  | Accounting Application Server |

     * supported by MetaNet NMI (Network Model Importer)

  26. Example: Business Infrastructure Reporting
     Trend Table:

     | Date     | Event Name         | Hostname  | IP      | BU          | Group       | App        | Event Count |
     |----------|--------------------|-----------|---------|-------------|-------------|------------|-------------|
     | 12-09-11 | Malware Infection  | payrolldb | 2.2.2.2 | Credit      | Database    | Payroll    | 16          |
     | 13-09-11 | Policy Violation   | acctapp   | 3.3.3.3 | Investments | Application | Accounting | 42          |
     | 14-09-11 | Failed Admin Login | hrserver  | 1.1.1.1 | Insurance   | Server      | HR         | 25          |

     Trend Based Report (chart): Failed Admin Logins per week, Week 1 to Week 7, one series each for Accounting, HR and Payroll (y-axis 0 to 120).

  27. Example: Security Program Monitoring

     | KPI                                                                          | Data Sources                                      | ESM Content                                                     | Description                                                                                                           |
     |------------------------------------------------------------------------------|---------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
     | # failed administrative logins                                               | OS, Applications, Network & Security Devices      | Line chart                                                      | Reports based on event counts grouped by business units, applications, or groups.                                     |
     | # IT policy violations                                                       | Security Event Management                         | Correlated events with ‘/Policy/Violation’ Event Category       | Based on Policy Violation Rules (IT Gov., and custom).                                                                |
     | % systems where security req’s are not met                                   | Vulnerability Management                          | Area-based graphs                                               | Percentage of assets tagged with the ‘Vulnerability’ Asset Category, mapped across time periods.                      |
     | # average time lag between detection, reporting and action upon security incidents | Issue Tracking Systems, Security Event Management | Reports                                                   | Based on averaged time-to-resolve values provided by ITS or SIEM. Case-based reports in ArcSight ESM.                 |
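To make the mapping-to-KPI chain of slides 25 to 27 concrete, here is an added example (not ArcSight's format or API, and not from the presentation): it reads a constructed asset import file with the slide's sample hosts, tags raw events with BU/App/Group from it, and then computes the "# failed administrative logins" KPI grouped by business dimension. The event list, the `Unmapped` tag for hosts missing from the model and the split of the Asset Category into app and IT group are assumptions of this example.

```python
import csv
import io
from collections import defaultdict

# Constructed asset import file in the column layout of slide 25 (host names and IPs are the slide's own samples).
ASSET_IMPORT = """\
Asset Name,Hostname,IP,Description,Asset Group,Asset Category
APAC HR Server,hrserver,1.1.1.1,File server hosting HR data,Insurance,HR Server
America Payroll DB,payrolldb,2.2.2.2,Payroll Oracle DBMS,Credit,Payroll Database
EMEA Acct App,acctapp,3.3.3.3,Accounting application server for EMEA,Investments,Accounting Application Server
"""

# Constructed raw events (date, event name, hostname, IP, count); collectors only know host/IP.
EVENTS = [
    ("12-09-11", "Malware Infection", "payrolldb", "2.2.2.2", 16),
    ("13-09-11", "Policy Violation", "acctapp", "3.3.3.3", 42),
    ("14-09-11", "Failed Admin Login", "hrserver", "1.1.1.1", 25),
    ("14-09-11", "Failed Admin Login", "PAYROLLDB", "2.2.2.2", 7),
    ("15-09-11", "Failed Admin Login", "buildbox", "9.9.9.9", 3),  # host absent from the asset model
]

UNMAPPED = {"bu": "Unmapped", "app": "Unmapped", "group": "Unmapped"}


def load_asset_model(text):
    """Index assets by hostname and IP; 'Payroll Database' becomes app 'Payroll', IT group 'Database'."""
    model = {}
    for row in csv.DictReader(io.StringIO(text)):
        app, group = row["Asset Category"].split()[:2]  # assumed convention: '<App> <IT Group> ...'
        tags = {"bu": row["Asset Group"], "app": app, "group": group}
        model[row["Hostname"].lower()] = tags
        model[row["IP"]] = tags
    return model


def enrich(events, model):
    """Tag each event with BU/App/Group; hosts outside the model are kept and flagged, never dropped."""
    enriched = []
    for date, name, host, ip, count in events:
        tags = model.get(host.lower()) or model.get(ip) or UNMAPPED
        enriched.append({"date": date, "event": name, "host": host, "ip": ip, "count": count, **tags})
    return enriched


def kpi_counts(enriched, event_name, dimension):
    """Slide 27 KPI: event counts for one event name grouped by 'bu', 'app' or 'group'."""
    totals = defaultdict(int)
    for e in enriched:
        if e["event"] == event_name:
            totals[e[dimension]] += e["count"]
    return dict(totals)
```

A non-empty `Unmapped` bucket in the KPI output is itself a finding: it shows critical systems that the asset model does not yet cover.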
  28. CONCLUSIONS (only 20 slides left)

  29. Conclusions
     1. Higher awareness of modern security threats
     2. Seek and deploy tools specifically designed to combat modern attacks
     3. Solid security policy, procedures and user training
     4. No single security control is 100% effective; compensating controls are key
     5. On-going monitoring of technical and procedural controls is a must
     ArcSight ESM provides the framework to deliver complete infrastructure visibility to enforce your security controls.

  30. Questions? We Have Answers: http://answers.metanetivs.com

  31. References
     1. eWeek: http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/
     2. Ars Technica: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
     3. RSA Open Letters: http://www.rsa.com/node.aspx?id=3891
     4. Verizon Breach Report 2011: http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/
     5. Symantec MessageLabs Intelligence Reports: http://www.symanteccloud.com/globalthreats/overview/r_mli_reports
     6. The VeriSign iDefense Intelligence Report: http://www.verisigninc.com/assets/whitepaper-idefense-trends-2011.pdf

  32. THANK YOU
     MetaNetIVS.com/P2011
     Prepared for: HP Protect 2011
     Prepared by: Anton Goncharov, CISSP, Partner, Solutions Architect (anton.goncharov@metanetivs.com); Dragos Lungu, CISSP, CISA, Security Consultant (dragos.lungu@metanetivs.com)
