1. Upgrade to a Machine Gun: Automate Your Defenses
Session ID: TECH-R35
Session Classification: Intermediate
Stephen Hanna, Juniper Networks
David Waltermire, National Institute of Standards and Technology
10. Attackers Inside Our OODA Loops
► > 60% of Data Breach Attacks Exfiltrate Data in < 1 Day
  ► > 46% Exfiltrate Data in < 1 Hour
► > 56% of Attacks Are Not Discovered for > 1 Month
► 92% of Attacks Discovered by External Parties
  ► 49% for Large Organizations
Source: Verizon 2012 Data Breach Investigations Report
11. How Do Attackers Do It?
► 61% of Attacks Use Automated Attack Toolkits
  ► Searching for Unpatched Vulnerabilities
  ► Searching for Default Passwords
  ► Searching for Guessable Passwords
► Broadcast Attacks with Notification of Infection
  ► Phishing, Malicious & Compromised Web Sites
► Targeted Attacks with Notification of Infection
  ► Spearphishing, Social Media
Source: Symantec 2011 Internet Security Threat Report
13. What Are Our Options?
► Shortage of InfoSec Experts
  ► U.S. Government Needs 10K InfoSec Experts, Has 1K [1]
► InfoSec Budgets Flat to Up 5% [2]
[1] Source: CSIS Commission on Cybersecurity
[2] Source: ESG Annual Survey on IT Spending Intentions
15. Security Automation Is Not
► A single product or technology
► A magic bullet
► Going to solve all your problems
Security Automation Is
► A set of technologies and processes
  ► Handle routine tasks automatically
  ► Detect and remediate vulnerabilities
  ► Expedite response to known threats
  ► Deliver essential information when needed
► Allow InfoSec professionals to focus on hard problems
► Automate previously manual tasks
17. Security Techniques (grouped by phase: Prepare / Detect / Analyze / Respond)
Prepare: Risk Analysis, Training, Controls, Policies
Detect: Intrusion Detection, Anomaly Detection, Configuration Monitoring, Threat Information Sharing
Analyze: Security Event Management, Correlation, Threat Information Sharing, Human Analysis
Respond: Containment, Evidence Gathering, Recovery, Prevention, Forensics
18. Security Automation in Action (the same Prepare / Detect / Analyze / Respond grid as slide 17)
19. Security Automation Benefits
► Obtain accurate and timely situational awareness
  ► Assets, controls, threats, events, responses, measurements
  ► Supports informed decision-making
  ► Share info with other defenders
► For speed, must be machine-readable and actionable
  ► Enable manual or autonomous response
► Plug in new sensors and capabilities as needed
  ► Requires open architecture and standards
20. Security Automation Challenges
► Security automation is new technology
► Automated responses can be used against you
► Defenders can become complacent
► Sophisticated attacks can go unnoticed
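The second challenge bullet is the one practitioners most often learn the hard way. The following Python is an added example (not from the slides): an automated blocking rule that trusts a client address the application copied from a request header, beside a guarded version with the checks a defender would want. The log format, the addresses and the infrastructure allowlist are constructed for the example.

```python
"""Added example (not from the slides): how an automated response can be
turned against the defender, and one way to bound the damage.

Constructed scenario: a web tier logs failed logins as
    <timestamp> auth_fail client=<ip>
where client= is copied from an X-Forwarded-For header. An attacker who
controls that header can make the log name any address, so a naive
"block the client after N failures" rule lets the attacker choose who
gets blocked, including the site's own reverse proxy.
"""
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: five failures attributed to 10.0.0.5 (assumed to be
# the organisation's own reverse proxy) and two from a real attacker address.
SAMPLE_LOG = """\
2012-02-28T10:00:01Z auth_fail client=10.0.0.5
2012-02-28T10:00:02Z auth_fail client=10.0.0.5
2012-02-28T10:00:03Z auth_fail client=10.0.0.5
2012-02-28T10:00:04Z auth_fail client=10.0.0.5
2012-02-28T10:00:05Z auth_fail client=10.0.0.5
2012-02-28T10:00:06Z auth_fail client=203.0.113.77
2012-02-28T10:00:07Z auth_fail client=203.0.113.77
"""

# Assumed infrastructure ranges that must never be auto-blocked (proxies,
# DNS, the NAC components themselves). Hits here go to a human instead.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/24")]


def parse_failures(log_text):
    """Return a list of (timestamp, client_ip) for each auth_fail line."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "auth_fail" and parts[2].startswith("client="):
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, parts[2][len("client="):]))
    return events


def naive_autoblock(log_text, threshold=5):
    """Block any address with >= threshold failures. Trusts the log blindly,
    so a forged client= value gets the proxy blocked and the site goes dark."""
    counts = Counter(ip for _, ip in parse_failures(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def guarded_autoblock(log_text, threshold=5, window=timedelta(minutes=10), max_blocks=100):
    """Same trigger, with guards on the response itself:
    - an allowlist of infrastructure that is never auto-blocked,
    - a sliding time window so stale events cannot accumulate,
    - a cap on how many addresses one pass may block,
    - an expiry so a bad decision is not permanent.
    Returns a list of (ip, expires_at) decisions."""
    events = parse_failures(log_text)
    if not events:
        return []
    newest = max(ts for ts, _ in events)
    recent = Counter(ip for ts, ip in events if newest - ts <= window)
    decisions = []
    for ip, n in sorted(recent.items()):
        if n < threshold:
            continue
        if any(ipaddress.ip_address(ip) in net for net in NEVER_BLOCK):
            continue  # escalate to a person rather than blocking infrastructure
        decisions.append((ip, newest + timedelta(hours=1)))
        if len(decisions) >= max_blocks:
            break
    return decisions
```

With the sample log the naive rule blocks 10.0.0.5, the proxy, while the guarded rule blocks nothing at the default threshold and only the attacker's address at a lower one. The real fix for the forged header is upstream (only trust X-Forwarded-For from known proxies), but the guards stay valuable because any sensor the response loop trusts can be fed bad data.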
23. BYOD Case Study: Naperville School District, Naperville, Illinois (2011)
► 18,000 students
► 2,500 staff over 25 locations
► Number of computing devices doubled in 3 years
► In 2011, 17,000 laptops, tablets, PCs, projectors, and other computing devices
► Technology in the classroom is critical to keep students engaged and to prepare them for the future
24. Goals
► One-to-one computing for students
  ► Enable students to bring their own devices to school
  ► Integrate BYOD technologies into the curriculum
► Provide classroom benefit
► Reduce the need to purchase end-user devices
► Provide seamless access, strong security, and operational efficiency
► Avoid disruption to classroom instruction and district operation
► Reduce costs
25. Deployment Strategy
► Step 1: Offer secure guest access via wireless LAN
► Step 2: Roll out campus-wide network access control (NAC)
  ► Check for patches
  ► Enforce security policies
26. Naperville Schools: NAC architecture (diagram)
Components shown: Access Requestor (the connecting device), Policy Enforcement Point, Policy Decision Point, Metadata Access Point, Sensors and Flow Controllers, and a Remediation Network for non-compliant devices.
Policy applied to personally owned devices:
• Place BYODs on BYOD network
• Limit access
• Monitor behavior
27. Results
► Teachers can teach from tablets
► Students can use computer-based learning on their own devices
► Reduction in risk that student computing behavior at home
29. Endpoint Compliance Case Study: U.S. Federal Government
► Premise: Improved network hygiene reduces attack surface
► Of the CFO Act reporting agencies, 75% need improvement in the area of configuration management
  ► 13 of 23 agencies do not have a fully developed configuration management policy
  ► 9 of 23 agencies do not have fully developed configuration management procedures
  ► 9 of 23 agencies do not have standard baseline configurations for all identified hardware components
  ► Use of USGCB (the United States Government Configuration Baseline) is not fully implemented in 8 of 23 agencies
Source: FY11 FISMA Report to Congress
30. Goals
► Create security configuration baselines for common products
► Use XML expressions to enable content portability between tools
► Enable automated collection of compliance results using standardized data formats and network protocols
31. SCAP 1.2 Data Architecture (diagram)
Languages:
  ► Extensible Configuration Checklist Description Format (XCCDF): Profiles, Groups, Rules, Checks, Results; role: policy evaluation
  ► Open Vulnerability & Assessment Language (OVAL): Definitions, Objects, States, System Characteristics, Results; roles: data collection and state evaluation
  ► Open Checklist Interactive Language (OCIL): Questionnaires, Questions, Test Actions, Results
Enumerations & Identifiers:
  ► Common Vulnerabilities & Exposures (CVE)
  ► Common Configuration Enumeration (CCE)
  ► Common Platform Enumeration (CPE); used in applicability statements
Reporting:
  ► Asset Identification: attributes that identify the assessed assets
  ► Asset Reporting Format (ARF): report requests, identified assets, reports
32. Deployment Strategy
1. Develop a validation testing program based on the Security Content Automation Protocol
2. Validate commercial products
  ► 50 products
  ► 32 vendors
3. Develop Government configuration checklists in SCAP
4. Require Federal agencies to report compliance
  ► CyberScope
  ► FISMA reporting
34. Endpoint Assessment & Quarantine Using TNC (Trusted Network Connect) & SCAP (diagram)
Access Requestor reports its state: Windows 7, SP1, AV: Symantec AV 10.1, Firewall
Policy Enforcement Point: sits between the Access Requestor and the network, enforces the decision
Policy Decision Point policy: Windows 7 • SP1 • AV up-to-date • Firewall
Compliant system → Production Network
35. Results
► Scanners use the same SCAP-based content.
► SCAP results can be used to collect endpoint state using TNC as a secure transport.
► SCAP content and results can be used for network access control.
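To make the slide-31 data architecture and the slide-34 NAC decision concrete, here is an added Python example (not from the slides, from NIST, or from any SCAP tool). It builds a small XCCDF 1.2 benchmark with two profiles whose rules point at OVAL definitions, reads a constructed OVAL results document for one endpoint, maps OVAL definition results to XCCDF rule results as the XCCDF 1.2 specification prescribes, and derives an access decision. The XCCDF and OVAL namespaces are the real ones; the benchmark, profile, rule and definition ids, the endpoint state, and the "every selected rule must pass" policy are assumptions for the example.

```python
"""Added example (not from the slides or any SCAP tool): XCCDF benchmark +
profile + OVAL results -> per-rule XCCDF results -> NAC access decision."""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_RES = "http://oval.mitre.org/XMLSchema/oval-results-5"

# Constructed benchmark modelled on the slide-34 policy: Windows 7 SP1, AV
# signatures current, host firewall on. Each rule points at one OVAL
# definition; the BYOD profile deselects the AV rule.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF}" id="xccdf_org.example_benchmark_win7-nac">
  <Profile id="xccdf_org.example_profile_production">
    <title>Required for the production network</title>
    <select idref="xccdf_org.example_rule_win7-sp1" selected="true"/>
    <select idref="xccdf_org.example_rule_av-current" selected="true"/>
    <select idref="xccdf_org.example_rule_firewall-on" selected="true"/>
  </Profile>
  <Profile id="xccdf_org.example_profile_byod">
    <title>Relaxed policy for the BYOD network</title>
    <select idref="xccdf_org.example_rule_av-current" selected="false"/>
  </Profile>
  <Rule id="xccdf_org.example_rule_win7-sp1" selected="true">
    <check system="{OVAL_DEF}"><check-content-ref href="oval.xml" name="oval:org.example:def:1"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_av-current" selected="true">
    <check system="{OVAL_DEF}"><check-content-ref href="oval.xml" name="oval:org.example:def:2"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_firewall-on" selected="true">
    <check system="{OVAL_DEF}"><check-content-ref href="oval.xml" name="oval:org.example:def:3"/></check>
  </Rule>
</Benchmark>"""

# Constructed OVAL results as a scanner would report them for one endpoint:
# SP1 present, AV signatures stale, firewall on.
OVAL_RESULTS_XML = f"""<oval_results xmlns="{OVAL_RES}">
  <results><system><definitions>
    <definition definition_id="oval:org.example:def:1" version="1" result="true"/>
    <definition definition_id="oval:org.example:def:2" version="1" result="false"/>
    <definition definition_id="oval:org.example:def:3" version="1" result="true"/>
  </definitions></system></results>
</oval_results>"""

# XCCDF 1.2 mapping from an OVAL definition result to an XCCDF rule result.
OVAL_TO_XCCDF = {
    "true": "pass", "false": "fail", "error": "error", "unknown": "unknown",
    "not applicable": "notapplicable", "not evaluated": "notchecked",
}


def oval_results(results_xml):
    """Return {definition_id: oval_result} from an OVAL results document."""
    root = ET.fromstring(results_xml)
    return {d.get("definition_id"): d.get("result")
            for d in root.iter(f"{{{OVAL_RES}}}definition")}


def evaluate_profile(benchmark_xml, profile_id, definition_results):
    """Return {rule_id: xccdf_result} for the rules as selected by one profile."""
    root = ET.fromstring(benchmark_xml)
    selected, checks = {}, {}
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        rid = rule.get("id")
        selected[rid] = rule.get("selected", "true") == "true"  # Rule default is selected
        ref = rule.find(f"{{{XCCDF}}}check/{{{XCCDF}}}check-content-ref")
        checks[rid] = ref.get("name") if ref is not None else None
    profile = root.find(f"{{{XCCDF}}}Profile[@id='{profile_id}']")
    if profile is None:
        raise ValueError(f"no profile {profile_id}")
    for sel in profile.findall(f"{{{XCCDF}}}select"):  # profile overrides rule defaults
        selected[sel.get("idref")] = sel.get("selected") == "true"
    results = {}
    for rid, is_selected in selected.items():
        if not is_selected:
            results[rid] = "notselected"
        elif checks[rid] is None:
            results[rid] = "notchecked"
        else:  # a definition the scanner never reported is treated as unknown
            oval = definition_results.get(checks[rid], "unknown")
            results[rid] = OVAL_TO_XCCDF.get(oval, "unknown")
    return results


def access_decision(rule_results):
    """Assumed PDP policy: grant only if every selected rule passed; anything
    else (fail, error, unknown, notchecked) sends the endpoint to remediation."""
    if all(r in ("pass", "notselected") for r in rule_results.values()):
        return "grant"
    return "quarantine"


if __name__ == "__main__":
    state = oval_results(OVAL_RESULTS_XML)
    for profile in ("xccdf_org.example_profile_production", "xccdf_org.example_profile_byod"):
        rules = evaluate_profile(BENCHMARK_XML, profile, state)
        print(profile, rules, "->", access_decision(rules))
```

Run as written, the same endpoint state is quarantined under the production profile (the AV rule fails) and granted under the BYOD profile (the AV rule is not selected), which is the point of slide 35: one set of SCAP content and results serves both the scanner and the access-control decision, and the profile, not the scanner, decides which rules matter on which network. Note that an unknown or unevaluated check is treated as non-compliant rather than ignored; silently passing endpoints the scanner could not assess is the kind of complacency slide 20 warns about.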