Amit Nath

Presentation given by Amit Nath, Country Manager, Trend Micro on August 1st, 2011 at eWorld Forum (www.eworldforum.net) in the session Information Management and Security

Speaker notes
  • As we speak, every 2.5 seconds a new malware is released. Stress that the current downloaded pattern file architecture is already stressed and will break for all vendors; this is an industry-wide problem.
  • [Highlight: when using the conventional method, as threats increase, the pattern files needed to stop them also increase, impacting PC performance over time.]

    1. Amit Nath - Country Manager, Trend Micro - India & SAARC. Rising State of Threat
    2. Last 7 Days……
       • Randy Vickers Resigns – Director US CERT
       • India Figures as High Infection Country…among top 3 behind Iran, Indonesia (Stuxnet Worm)
       • Online Skirmishes and Spying are escalating….at least 2000 hacking incidents
       Classification 08/29/11
    3. Attacks are increasing, and they target Web applications.
    4. Feb 2009: every 1.5 seconds new malware is released
    5. Complexity Factors - Patterns Deploy More Often
       [Chart: projected increase in unique threat samples PER HOUR; x-axis 2007, 2009, 2011, 2013, 2015; plotted values 57, 205, 799, 1,484, 2,397, 3,881, 6,279, 10,160, 16,438, 26,598]
    6. How did personal information get leaked?
       • Sniffing Web server information (hardware, OS and vulnerabilities) to prepare the attack.
       • Intruded into the servers by exploiting those vulnerabilities and placed an attack tool to establish a path into the whole system.
       • Used the attack tool to attack the database and obtain access privileges.
       • Retrieved user information from the databases.
       [Diagram: Internet → Firewall → Servers (server vulnerability, malware, user information); stages: sniffing and intrusion → placed attack tool → got access privilege → leak information to external network; Internet communication vs. internal communication]
    7. What the hackers get from sniffing. This information is easy to obtain, and it is easy to attack a server based on it:
       • Number of sites
       • OS and version of the Web servers used
       • IP address
       • Owner information of the servers
    8. Admin challenges and the blind spot in security
       • How do they avoid that from happening?
         • If they applied security patches…
         • Did they really understand these vulnerabilities?
         • No unusual events in the log files of the Firewall and IPS?
         • Did they change database administrators’ passwords periodically?
       • Too much confidence?
         • Did they think that traditional network security was enough?
         • Were customers’ personal information believed to be safe because they were stored deep inside the network?
         • Were mission-critical servers considered okay because they were in a closed network?
    9. South Korean Botnet Attack – July 4th 2009
       • Korean eBay Auction site shut down for 72 hours
       • Hackers tried to shut down the entire South Korean National Infra.
       • Several Government sites shut down or compromised. Data destroyed.
       • Cabinet Ministerial Level task force set up. Annual budget 25 M dollars.
       • 6 Government Ministries set up to adopt anti-botnet initiative.
       • Trend Micro chosen by Ministry of Education & Ministry of Public Administration
    10. Customized Client Security Portal (Korea Ministry of Education portal case)
       [Diagram: TDA info and TMTM info feed the Correlation Servers and TMSP DB; the Client Security Portal (standalone or in ESM) queries the TMSP DB; 3. Root-cause analysis; malicious activity detected → inform → cleanup → report back to TMTM]
       • Service Reports with
         • Incident Analysis
         • Executive Summary
    11. Customized Portal for MEST: DEMO
    12. Weekly report TMS in KR MEST (MEST: Korea Ministry of Education, Science and Technology)
       Columns A–O; F = E/D (installation rate), K = J/H (mitigation rate); columns L–O are the Mitigation Success Analysis.

| Category | No. | Site Name | User Numbers (D) | Agent Installed (E) | TMAgent Installation Rate (F) | Detection: Events (G) | Detection: Infected PCs (H) | Mitigation: Events (I) | Mitigation: Cleaned PCs (J) | Mitigation Rate (PCs) (K) | Success (L) | Automatic Cleanup (M) | Partial Cleanup (N) | Total (O) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Total | | | 127,439 | 40,255 | 32% | 40,262 | 5,589 | 4,245 | 1,676 | 30% | 1,007 | 240 | 429 | 1,676 |
| MEST HQ | 1 | MEST HQ | 1,000 | - | 0% | - | 0 | 0 | 0 | 0% | 0 | 0 | 0 | 0 |
| MEST IT Center | 2 | KERIS (Korea Education Research Institute & Science) | 300 | 300 | 100% | 37 | 13 | 7 | 6 | 46% | 3 | 1 | 2 | 6 |
| Regional Education Office (16 provincial Offices of Education) | 3 | Regional Office of Education 1 | 340 | 330 | 97% | 18 | 11 | 5 | 2 | 18% | 2 | 0 | 0 | 2 |
| | 4 | Regional Office of Education 2 | 350 | 94 | 27% | 37 | 22 | 2 | 2 | 9% | 0 | 2 | 0 | 2 |
| | 5 | Regional Office of Education 3 | 795 | 795 | 100% | 37 | 19 | 12 | 8 | 42% | 1 | 3 | 4 | 8 |
| | 6 | Regional Office of Education 4 | 400 | 282 | 71% | 306 | 45 | 53 | 22 | 49% | 12 | 6 | 4 | 22 |
| | 7 | Regional Office of Education 5 | 386 | 292 | 76% | 26 | 16 | 14 | 9 | 56% | 4 | 5 | 0 | 9 |
| | 8 | Regional Office of Education 6 | 322 | 317 | 98% | 70 | 18 | 32 | 10 | 56% | 4 | 5 | 1 | 10 |
| | 9 | Regional Office of Education 7 | 400 | 337 | 84% | 40 | 16 | 31 | 10 | 63% | 5 | 3 | 2 | 10 |
| | 10 | Regional Office of Education 8 | 426 | 426 | 100% | 27 | 17 | 15 | 12 | 71% | 5 | 3 | 4 | 12 |
| | 11 | Regional Office of Education 9 | 279 | 279 | 100% | 3 | 3 | 2 | 2 | 67% | 1 | 0 | 1 | 2 |
| | 12 | Regional Office of Education 10 | 300 | 266 | 89% | 5 | 4 | 3 | 3 | 75% | 3 | 0 | 0 | 3 |
| | 13 | Regional Office of Education 11 | 400 | 400 | 100% | 131 | 27 | 91 | 20 | 74% | 10 | 5 | 5 | 20 |
| | 14 | Regional Office of Education 12 | 740 | 718 | 97% | 52 | 22 | 31 | 18 | 82% | 8 | 4 | 6 | 18 |
| | 15 | Regional Office of Education 13 | 500 | 417 | 83% | 41 | 11 | 25 | 8 | 73% | 3 | 2 | 3 | 8 |
| | 16 | Regional Office of Education 14 | 357 | 357 | 100% | 72 | 23 | 56 | 17 | 74% | 8 | 6 | 3 | 17 |
| | 17 | Regional Office of Education 15 | 350 | 380 | 109% | 1 | 1 | 1 | 1 | 100% | 0 | 1 | 0 | 1 |
| | 18 | Regional Office of Education 16 | 300 | - | 0% | - | 0 | 0 | 0 | 0% | 0 | 0 | 0 | 0 |
| 10 National Universities | 19 | National University 1 | 20,000 | 275 | 1% | 12,996 | 789 | 0 | 0 | 0% | 0 | 0 | 0 | 0 |
| | 20 | National University 2 | 1,500 | 129 | 9% | 2,034 | 259 | 1 | 1 | 0% | 1 | 0 | 0 | 1 |
| | 21 | National University 3 | 6,000 | 134 | 2% | 2,882 | 128 | 0 | 0 | 0% | 0 | 0 | 0 | 0 |
| | 22 | National University 4 | 20,000 | 297 | 1% | 3,058 | 540 | 26 | 5 | 1% | 1 | 3 | 1 | 5 |
| | 23 | National University 5 | 20,000 | 162 | 1% | 5,197 | 325 | 236 | 17 | 5% | 13 | 0 | 4 | 17 |
| | 24 | National University 6 | 8,200 | 6,137 | 75% | - | 0 | 0 | 0 | 0% | 0 | 0 | 0 | 0 |
| | 25 | National University 7 | 10,000 | 3,089 | 31% | 3,628 | 905 | 1,025 | 313 | 35% | 220 | 21 | 72 | 313 |
| | 26 | National University 8 | 13,000 | 7,278 | 56% | 105 | 74 | 66 | 60 | 81% | 41 | 4 | 15 | 60 |
| | 27 | National University 9 | 7,800 | 8,113 | 104% | 3,760 | 853 | 842 | 349 | 41% | 180 | 88 | 81 | 349 |
| | 28 | National University 10 | 4,910 | 3,775 | 77% | 1,830 | 985 | 927 | 659 | 67% | 417 | 48 | 194 | 659 |
| 7 National R&D Centers | 29 | National R&D Center 1 | 1,300 | 51 | 4% | 940 | 118 | 0 | 0 | 0% | 0 | 0 | 0 | 0 |
| | 30 | National R&D Center 2 | 1,200 | 44 | 4% | 248 | 99 | 2 | 2 | 2% | 1 | 1 | 0 | 2 |
| | 31 | National R&D Center 3 | 300 | 300 | 100% | 13 | 5 | 3 | 2 | 40% | 2 | 0 | 0 | 2 |
| | 32 | National R&D Center 4 | 2,349 | 1,802 | 77% | 1,828 | 121 | 340 | 53 | 44% | 23 | 20 | 10 | 53 |
| | 33 | National R&D Center 5 | 1,200 | 1,053 | 88% | 830 | 117 | 391 | 62 | 53% | 37 | 8 | 17 | 62 |
| | 34 | National R&D Center 6 | 900 | 791 | 88% | 10 | 3 | 6 | 3 | 100% | 2 | 1 | 0 | 3 |
| | 35 | National R&D Center 7 | 835 | 835 | 100% | - | 0 | 0 | 0 | 0% | 0 | 0 | 0 | 0 |

       Key is how to increase TMAgent to mitigate.
    13. Trend Micro’s Recommendation (Trend Micro Deep Security + Trend Micro Threat Management Solution)
       No need to stop servers. No side effects on applications. Can detect unknown threats that pattern matching cannot detect.
       • Know the vulnerabilities
       • Flexible security patching
       • Pay attention to vulnerabilities of applications, not only those of the OS
       • Monitor installation of unexpected files and changes in configuration files
       • Correlation of OS event log and application log
       • Detect communications by attack tools
       • Identify servers which communicate abnormally
       • Monitor the communication from inside to outside
       • Detect vulnerabilities on servers automatically
       • Protect servers immediately by virtual patching
       Detect changes in files and registries and alert administrators. A sensor appliance will detect backdoors or bots.
       [Attack stages covered: sniffing and intrusion → place attack tool → get privilege → leak information to external network]
    14. Wrap up
       Q. What’s the ideal server security?
       • Prevent intrusion (Block)
         • Protecting vulnerabilities
       • Detect intrusion asap (Block)
         • Detect unexpected changes in files and registries asap
       • Detect information leakage (Block)
         • Detect communication from attack tools
       A. A security solution expecting intrusion: Trend Micro Deep Security + Threat Management Solution
    15. Food For Thought for Government?
       • Security Incident – Early Warning and Mitigation Centers
       • Industry Participation – Malware Labs, Training & Development, Certifications
       • Legal and Regulatory Framework
       • Cyber Security as a Doctrine in Indian Society
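Two of the detective controls that slides 13 and 14 recommend, detecting unexpected file changes on a server and detecting servers that initiate communication to the outside, as an added Python example; this is not code from the presentation or from any Trend Micro product, and the baseline files, server addresses, internal range and connection log lines are all constructed samples.

```python
import hashlib
import ipaddress

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed known-good baseline of server files (path -> SHA-256 of content).
BASELINE = {
    "/etc/httpd/httpd.conf": sha256(b"Listen 80\n"),
    "/var/www/app/index.php": sha256(b"<?php echo 'ok'; ?>\n"),
}
# Constructed current snapshot: one config unchanged, one page modified, one new file.
CURRENT_FILES = {
    "/etc/httpd/httpd.conf": b"Listen 80\n",
    "/var/www/app/index.php": b"<?php echo 'changed'; ?>\n",
    "/var/www/app/tool.php": b"<?php /* file not in baseline */ ?>\n",
}

def find_file_changes(baseline: dict, current: dict) -> dict:
    """Compare a snapshot of file contents against the baseline hashes and
    report files that are new or whose content no longer matches."""
    new, modified = [], []
    for path, content in current.items():
        if path not in baseline:
            new.append(path)
        elif baseline[path] != sha256(content):
            modified.append(path)
    return {"new": sorted(new), "modified": sorted(modified)}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
SERVERS = {"10.1.1.5", "10.1.1.20"}              # constructed web and database servers
# Constructed connection log: '<timestamp> <src_ip>:<port> -> <dst_ip>:<port>'.
CONNECTION_LOG = [
    "2011-08-01T10:00:01 10.2.0.7:51000 -> 10.1.1.5:443",       # user -> web server, normal
    "2011-08-01T10:00:02 10.1.1.5:39210 -> 10.1.1.20:3306",     # web -> db, internal, normal
    "2011-08-01T10:00:03 10.1.1.20:40112 -> 203.0.113.9:8080",  # db server -> outside: suspicious
    "2011-08-01T10:00:04 10.2.0.7:51002 -> 198.51.100.4:80",    # user browsing, not a server
]

def find_outbound_from_servers(log_lines, servers, internal=INTERNAL) -> list:
    """Flag connections that a server itself initiates to a destination outside
    the internal range; servers are expected to answer, not to call out."""
    alerts = []
    for line in log_lines:
        ts, src, _arrow, dst = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        if src_ip in servers and ipaddress.ip_address(dst_ip) not in internal:
            alerts.append((ts, src_ip, dst_ip, int(dst_port)))
    return alerts
```

Both checks only raise the alert; in the portal flow on slide 10 that alert is what triggers the inform, cleanup and report-back steps.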
