
Infosec cert service



From my journey to SK Telecom, Seoul, Korea - May 2013.

Published in: Technology

  1. Infosec cert service (title slide)
  2. Company summary
     - Name: Infosec
     - CEO: Shin Soojung
     - Domains: Security Consulting, Security System Integration, Security Monitoring & Management, Professional Service
     - Period: Jun. 2000 ~ present (13 years)
     - Infosec is an affiliate company of SK C&C and a total security service provider, providing security consulting, security system integration, and security monitoring and management.
     - Organization: CEO; MSS Biz HQ, Sales HQ, Solution Biz HQ, Consulting Biz HQ, Management Support HQ, Security Lab. 860 employees (May 1st, 2013)
     - Products: Mobile Device Mgmt., Private Information Scanner, Private Information Transfer Control
     - Sales (USD):
         Year           2012          2011          2010
         Consulting     14,575,000    13,048,000    10,792,000
         SI             53,190,000    53,449,000    37,631,000
         MSS            33,204,000    21,519,000    14,525,000
         Total         100,969,000    88,016,000    62,948,000
         Growth (%)           14.7          39.8          45.9
  3. Managed security service coverage
     SK Infosec provides full coverage of managed security service in Korea: prevention, management, monitoring, and incident handling.
     - Prevention
         • OS Configuration Check (Windows, Linux, UNIX, Cisco S/W)
         • FW ACL Review (Juniper, Cisco)
         • Web Application Vulnerability Check (scanners: IBM AppScan)
         • Port Scanning with NMAP
         • Professionals
     - Management & Monitoring (Firewall, IPS, Anti-DDoS, WAF)
         • 24*7 Health Check
         • ACL Control Report
         • 24*7 Security Event Monitoring
         • 24*7 Incident Handling (Alerting & Access Control)
         • Dedicated Professionals
     - Incident Analysis
         • Infected System Investigation: File System, Registry / Log, Process Memory
         • Malicious Code Review: Dynamic Analysis, Static Analysis
         • Security Audit Trail Review: Security Events, System/Web Log, IE Cache History, Registry
  4. Organization (CERT Center)
     R&R:
         Item                R&R
         PM                  • Project Management / Service Delivery
         Top-CERT            • Cyber Forensic
         Site Manager        • Follow up Customer Requirements
                             • SPOC (Single Point Of Contact)
         Dedicated CERT      • Apply security policies
                             • 1st line support when breaches occur
                             • Periodic report about the security situation
         CERT                • 2nd line support when the dedicated CERT fails
                             • Veterans in analyzing incidents (at least 7 years' experience)
                             • Find zero-day exploits and figure out countermeasures
         Monitoring          • 24H*365D real-time monitoring
                             • 4 teams / 2 teams a day
         Penetration Tester  • White-hat hackers
                             • Simulated hacking and pointing out vulns.
         Security Engineer   • Install and maintain security systems
                             • Technical review of the network architecture from the security point of view
     Organization chart: MSS Biz HQ (Cho Raehyun); MSS Biz Team (Lee Jaewoo); CERT Team / PM (Son Youngwoo); CERT roles: Monitoring, Penetration Tester, System Manager, Security Engineer, Site Manager, Top-CERT, System Developer, Dedicated CERT
  5. Incident handling flow
     When an incident is detected and verified, SK Infosec alerts the customer via e-mail and SMS. If the customer has agreed to the "block and notice" process, SK Infosec blocks the attacker IP on the firewall beforehand.
     Flow: Detect incident (or the customer's own suspicion) → Prior attacker IP block → Send incident alerting message to customer → Attacker IP block → Send abuse notification to attacker-side ISP → Release blocked IP
     - Prior attacker IP block, criteria:
         • IP address boundary (ex: from China)
         • Event list (ex: /etc/passwd scanning)
         • Time base (ex: night time, 18:00 ~ next day 09:00)
     - Attacker IP block without a "block and notice" agreement:
         • Only when the customer orders to block the attacker IP
     - Release blocked IP:
         • Release the blocked IP address one month later
         • Because dynamic IP addresses are used, the address may no longer be malicious; it may even be a customer's
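The "block and notice" decision above, written out as an added example (not SK Infosec's code): the policy shape, field names, the 30-day approximation of "one month" and the RFC 5737 sample addresses are assumptions; the three criteria and the always-alert, block-then-notice, abuse-notice and release steps come from the slide.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class BlockPolicy:
    """Assumed shape of a customer agreement; criteria mirror the slide."""
    block_and_notice: bool                                   # agreed to "block first, then notice"
    ip_boundaries: list[str] = field(default_factory=list)   # CIDRs treated as out-of-boundary sources
    event_list: set[str] = field(default_factory=set)        # event names that justify an immediate block
    night_start: int = 18                                    # time base: 18:00 ~ next day 09:00
    night_end: int = 9
    release_after: timedelta = timedelta(days=30)            # "one month later", approximated as 30 days


def in_night_window(ts: datetime, policy: BlockPolicy) -> bool:
    return ts.hour >= policy.night_start or ts.hour < policy.night_end   # window wraps past midnight


def meets_prior_block_criteria(event: dict, policy: BlockPolicy) -> bool:
    src = ipaddress.ip_address(event["src_ip"])
    in_boundary = any(src in ipaddress.ip_network(cidr) for cidr in policy.ip_boundaries)
    return in_boundary or event["name"] in policy.event_list or in_night_window(event["time"], policy)


def decide(event: dict, policy: BlockPolicy, customer_ordered_block: bool = False) -> dict:
    """Actions for one verified incident. The customer is always alerted (e-mail/SMS).
    With "block and notice" the block precedes the alert when a criterion is met; without
    it the IP is blocked only on the customer's order. ISP notice and release follow a block."""
    block = meets_prior_block_criteria(event, policy) if policy.block_and_notice else customer_ordered_block
    return {
        "alert_customer": True,
        "block_attacker_ip": block,
        "notify_attacker_isp": block,
        "release_at": event["time"] + policy.release_after if block else None,
    }


def due_for_release(blocked_at: datetime, now: datetime, policy: BlockPolicy) -> bool:
    return now >= blocked_at + policy.release_after   # dynamic address may no longer be malicious


# Constructed sample (RFC 5737 documentation addresses, not real attackers).
SAMPLE_POLICY = BlockPolicy(True, ["203.0.113.0/24"], {"/etc/passwd scanning"})
SAMPLE_EVENT = {"name": "/etc/passwd scanning", "src_ip": "198.51.100.9",
                "time": datetime(2013, 5, 7, 14, 30)}
```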
  6. The in-house ESM detects incidents from security events according to ISMM (Infosec Security Monitoring Methodology), SK Infosec's own monitoring methodology.
     - Security Incident: the detected incident with its event name, count, source IP, destination IP, and status
     - Detail Info.: the incident is expanded with its detailed information to check whether it is a true or false positive
     - Response: who handles this incident and whether alerts were sent to the customer and the attacker's ISP
  7. APT is one of the big trends in the security world. SK Infosec binds IPS signatures to a malware analysis tool and provides zero-day exploit detection.
     Malicious code analysis & detection: Collect Malicious Code → Store Malicious Code → Analyze Malicious Code → Report Malicious Code
     Flow: Event detected (IBM Proventia) → URL collection → Malicious code download (from event URLs) → File transfer → Malicious code storage → Multi-AV scan → Reporting (ESM) → Block in FW
  8. Incident investigation service
     Two types of service are provided. For an IPS monitoring service customer, when an attack occurs, SK Infosec checks the victim system to investigate the extent of damage. For a potential customer, SK Infosec checks whether the system is infected or not.
         Step  Process                      Investigation Item
         1     Initial Stage                - Environmental info.  - System process  - Network situation
         2     Victim system investigation  - Attack scenario  - Time-line analysis  - Investigation tools  - Infected files
         3     Log file analysis            - Event log  - System log  - Web log  - Security equipment log
         4     Report and Feedback          - Incident handling report  - Root cause  - Design countermeasure  - Recommendation
     Investigation items by category:
         Volatile Data
           System Info:  Date, System Config, Environmental, Login info
           User:         Users, User activity
           Network:      Network connection, ARP, Interface info
           Process:      Process List, Handle, dll, Services
         Non-Volatile Data
           Event log
           File System:  File attribute, MACTIME
           Registry:     Registry Dump, Autorun, Key creation time
           Weblog:       Web attack keyword, Webshell execution keyword
           Webshell:     Webshell keyword, Encoding keyword
  9. Availability Check
     - Coverage: Security Systems; IT assets agreed on in the SOW
     - Checking criteria: 24H*365D monitoring; basically an ICMP health check is provided; if needed, Infosec provides a service check based on ports
     - Tools: Infosec develops an in-house NMS using an open source NMS (Nagios)
         Function         Comments                                                Notes
         Alive-Check      ICMP and Service Port Check                             Developed in Jun. 2011; internal test in Sept. 2011; applied on customer site in Oct. 2011
         Threshold Mgmt.  Traffic, CPU, Memory check via SNMP provides a warning  Network equipment
         Log Analyze      Analyze error logs from Security Systems
         Customer Report  Monitoring tool and automated SMS report
  10. Event (trouble) record: Name of Event (Trouble); who, when, how, and why the event was handled; detail information of the event; simple troubleshooting procedure
  11. Web malware distribution monitoring (W-MDS)
     Web hacking accounts for 90% of attacks. In order to gain control of victims, hackers use web-shells and then insert script code into web pages to dispense malware to clients.
     - Monitoring the homepage and ad-pages for whether malware has been inserted or not
     - In-house patterns (our experience)
     - Filter obfuscation
     - Appliance system
     - At least once per 2 hours
     - Recursive checking
     - Indicate actual link
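The recursive check, obfuscation filter and actual-link resolution listed above, as an added example that is not W-MDS itself: the site contents, the hidden-iframe heuristic and the stand-in obfuscation patterns are constructed for the example, and a real monitor would replace `fetch` with an HTTP client run on the 2-hour schedule.

```python
import re
from urllib.parse import urljoin

# Constructed site: URL -> HTML that the monitor would fetch on each 2-hour pass.
SITE = {
    "http://shop.example/": '<a href="/ad">ads</a><script src="/js/app.js"></script>',
    "http://shop.example/ad": ('<iframe src="//203.0.113.5/x.html" width="0" height="0"></iframe>'
                              '<script>eval(unescape("%3c%73..."))</script>'),  # constructed, truncated
    "http://shop.example/js/app.js": "/* clean */",
}
# Assumed stand-ins for the slide's "in-house pattern (our experience)".
OBFUSCATION_PATTERNS = [r"eval\(unescape\(", r"document\.write\(unescape\(", r"(?:%[0-9a-fA-F]{2}){16,}"]
REF_RE = re.compile(r'<(?:a|script|iframe)\b[^>]*?\b(?:href|src)="([^"]+)"', re.I)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def _attr(attrs, name):
    m = re.search(r'\b%s="([^"]*)"' % name, attrs, re.I)
    return m.group(1) if m else None


def inspect_page(url, html):
    """Findings for one page; the third field is the actual (absolute) link of the injected object."""
    findings = []
    for attrs in IFRAME_RE.findall(html):          # zero-size frame: a common malware drop point
        if _attr(attrs, "width") == "0" and _attr(attrs, "height") == "0":
            findings.append((url, "hidden iframe", urljoin(url, _attr(attrs, "src") or "")))
    for code in INLINE_SCRIPT_RE.findall(html):    # obfuscation filter over inline script
        if code.strip() and any(re.search(p, code) for p in OBFUSCATION_PATTERNS):
            findings.append((url, "obfuscated script", url))
    return findings


def check_site(start, fetch=SITE.get, max_depth=3):
    """Recursive checking: walk every same-site link/src from the homepage, breadth first."""
    seen, findings, queue = set(), [], [(start, 0)]
    while queue:
        url, depth = queue.pop(0)
        if url in seen or depth > max_depth:
            continue
        seen.add(url)
        html = fetch(url) or ""
        findings += inspect_page(url, html)
        for ref in REF_RE.findall(html):
            nxt = urljoin(url, ref)
            if nxt.startswith(start):              # external targets are reported above, not crawled
                queue.append((nxt, depth + 1))
    return findings
```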
  12. SK Infosec provides a monthly report generated by an automated system to avoid human errors, but the executive summary is written by security experts.
         Item                     Content                                                               Note
         Executive summary        Security expert's opinion about the site situation and recommendation
         Event trend by day       Detected event count by day                                           Diagram and table
         Event trend by severity  Detected event count by severity                                      Diagram and table
         Top 10 events            By event name, attacker's IP, and victim's IP                         Including event description
  13. Cooperation and intelligence sharing (diagram)
     - Intelligence Gathering: SK-NET, Mobile/Wireless, Financial Sector, Industry Cooperation, BMT Analyzing and Testing, Information Sharing (Back-Line Support), u-CERT Center, ISP / IDC, Malware Information Gathering, Sharing Analyzed Information
     - Legend: Consulting HQ; CHINA; ISCM, IVHM, IPPM
     - Site Manager ↔ CISO: Security Planning, Proactive Security Trend Support, Compliance issues, Provide Security Info.
     - Monitoring by ISMM: Prevention, Detection
     - Customer sites: SEOCHO, T-Tower, SUNAE (HR, Finance, Law; IT Infra/System, NW)
  14. Service in China & Japan
     - China: Beijing 安全中心 (Security Center)
     - Japan: Audio Technica, Dwango, TOKAI Communication, Tobu Train, Nexway (Intec Cloud), Planet (Intec Cloud), DCJ (Intec Cloud)
     - Cloud Service Security: SK Telecom T-Cloud Service; Japan Intec Cloud Service (Intec Center)
     - Japan IDC Security Service: Canon-ITS IDC (T-Cloud Service)
  15. Security Operation, Security Consulting, Security SI