SlideShare a Scribd company logo
ANATOMY OF A HIGH
PROFILE ATTACK
Modern Lessons
for Security Monitoring


HP Protect 2011




Prepared for
Anton Goncharov, CISSP           Prepared by
Partner, Solutions Architect
anton.goncharov@metanetivs.com

Dragos Lungu, CISSP, CISA
Security Consultant
dragos.lungu@metanetivs.com
METANET IVS
•  SIEM and Event Management Group
•  Heavy focus on HP/ArcSight solutions
                                                           EXPERIENCE
•  Based in New York with team
   members world-wide
                                                           EXPERTISE
•  Services: Infrastructure Management,
   Monitoring and Support                                  QUALITY
                                                           OUR TOP 3 STRENGTHS*
•  ArcSight Tools (RR, NMI)
•  Technical Forum
   (answers.metanetivs.com)




                                      PROPRIETARY AND CONFIDENTIAL     * Source: MetaNet Customer Survey, 6/2011
Agenda
1.  Discuss attacks against Sony, HBGary, and RSA
2.  Review the weaknesses and vulnerabilities which allowed
    attacks to succeed
3.  Look at the practices and solutions which could have helped
    prevent the breaches
4.  Discuss integration of prevention and monitoring
5.  Discuss how ArcSight ESM can combat new threats by
    improving infrastructure visibility




                                  PROPRIETARY AND CONFIDENTIAL
ATTACKS
Detailed Review
SONY: Brief Intro
ü  April and May 2011
ü  PlayStation Network
ü  Followed by:
  •    Qriocity
  •    Sony Online Entertainment
  •    Regional (Thailand, Greece, Indonesia)

ü  100M+ PSN accounts stolen
ü  $173M+ direct costs




                                       PROPRIETARY AND CONFIDENTIAL
                                                                      (Source: eWeek)
SONY: Attack Dissection


                                      1. Inject Exploit in
                                      Application Server




                Web Server
                                                             2. Gain DB Access



                3. Phone Home &
                   Upload Data
                                               Application
                                                Servers



                                                                   Database
                                                                    Servers




                     PROPRIETARY AND CONFIDENTIAL
SONY: Weaknesses
ü Inefficient Vulnerability Management
ü Lack of compensating security controls
ü SPOF in SSL tunneling
ü PII Security Policy unenforced
ü Poor network segregation




                               PROPRIETARY AND CONFIDENTIAL
HBGary: Brief Intro
•  On February 7 2011, HBGary Federal and rootkit.com are
   compromised
•  Over 71,000 corporate emails leaked triggering PR disaster
•  Intellectual Property stolen or destroyed (including a decompiled
   copy of Stuxnet)
•  hbgaryfederal.com is still offline 6 months later*




                                PROPRIETARY AND CONFIDENTIAL
                                                               * As of July 2011
HBGary: Attack Dissection



          Phase 1          Phase 2                             Phase 3




                                              Mail


       hbgaryfederal.com    HBGary Email
                                                               Corporate
                                                                Firewall
           SQL Injection
                            Social Engineering               Forged Inbound
                                                                 Access




        CMS Database        Firewall Admin                    Rootkit.com




                              PROPRIETARY AND CONFIDENTIAL
HBGary: Weaknesses
ü Insecure web application programming
ü Weak password encryption and hashing policies
ü Repeated violations of password reuse policy
ü Single factor authentication throughout critical systems
ü Weak vulnerability management program
ü Lack of security training and awareness among critical staff




                               PROPRIETARY AND CONFIDENTIAL
RSA: Brief Intro
•  On March 17, RSA suffers an APT attack targeting the RSA SecurID®
   product
•  Customers exposed to new security risks: RSA ACE server attacks, brute force
   attacks, phishing attacks to reveal PINs, token serial numbers
•  On June 2, data stolen in March is used against Lockheed Martin
•  No dollar figure or details on compromised data were given.




                                   “…this information could potentially be used to reduce
                                the effectiveness of a current two-factor authentication”
                                                 (Art Coviello, Executive Chairman, RSA)




                                   PROPRIETARY AND CONFIDENTIAL
RSA: Attack Dissection

                                                                                          Compromised FTP
                                                                                              Server




     Phase 1            Phase 2                  Phase 3                Phase 4                      Phase 5




   Spear Phishing         Backdoor       Privilege Escalation
  With 0-day payload     Infestation      Deeper Scanning                                          Data Exfiltration
   CVE-02011-0609                                                      Data Acquisition
                       Poison Ivy RAT
                                                                       And Encryption




                                        PROPRIETARY AND CONFIDENTIAL
RSA: Weaknesses
ü Poor security awareness
ü Lax local security policies facilitating privilege escalation
ü No segregation of assets based on business role which allowed
   access to critical systems
ü No effective data loss prevention system




                                 PROPRIETARY AND CONFIDENTIAL
REASONS
Threats and Practices
Common Areas of Concern
ü Security Awareness
ü Ineffective vulnerability and patch management
ü Endpoint security policy
ü Password management issues
ü Egress content filtering
ü DLP for critical networks / systems




                                Nothing new here.


                                   PROPRIETARY AND CONFIDENTIAL
Now Back to 2011
ü  New vectors:
    •  Virtual social engineering, spear phishing, zero-day malware, covert channels,
       commercialization of attack tools
ü  Higher levels of impact:
    •  IP Theft, Cyber Espionage / Sabotage, Market Manipulation, Vendetta, Social Riots
ü  Vulnerability Management is more challenging:
    •  Undisclosed zero-day, weak preventative & compensating security controls, limited
       security practices in SDLC, ubiquity of critical business data




                   Targeted attacks, zero-days vulns, and custom malware
                                   are brutally efficient.

                                           PROPRIETARY AND CONFIDENTIAL
Targeted Attacks



1 in 1,000,000EMAILS IS A TARGETED ATTACK


                                                                                                  57%




                 60.4%                                          INDIVIDUALS WITH MANAGEMENT
     INCREASE IN TARGETED ATTACKS in 2010
                                                                RESPONSIBILITIES




                                 PROPRIETARY AND CONFIDENTIAL           Source: Symantec MessageLabs 2011
Zero-Day Vulnerabilities Rise
ü  One Tell-Tale: More Out of Band Patches
ü  Vulnerability Disclosure Changed:
  •  Vendor Bounty Programs
  •  Responsible Disclosure vs. Full Disclosure
  •  Underground Market
ü  New attack vectors are leveraged as technologies mature




                                 This means we don’t know
                    what we’ll be defending against same time next year.



                                        PROPRIETARY AND CONFIDENTIAL
Custom Malware
•    AV avoidance is a part of the Q&A
•    Sandbox and VM detection
•    Small distribution helps avoid detection:
     •  no packing or polymorphic functions
     •  code signing using forged certificates




                                    63%                                                             79%




           MALWARE UNDETECTABLE BY AV                                     COMPROMISED RECORDS WHERE
                                                                          MALWARE WAS USED

                                           PROPRIETARY AND CONFIDENTIAL            Source: Verizon Data Breach Report 2011
SO WHAT DO WE DO
 Prevention and Assurance
Low Hanging Fruit
ü You can leverage traditional event sources to detect attacks:
 •  Geo/IP data
 •  Port numbers
 •  AD auth logs
ü The attackers know this
ü The attacks on SONY and others bypassed detection easily




                    Successful defense requires a bit more effort




                                    PROPRIETARY AND CONFIDENTIAL    21
Addressing Modern Threats
Targeted Attacks / Spear Phishing:
-  User training, bi-directional message screening, digital signatures, message encryption,
   layered anti-spam, browser protection

Zero Day Vulnerabilities:
-  Layered security, critical process isolation, compensating security controls, application-
   aware IPS (which do not rely on signatures), complete infrastructure visibility

Custom Malware:
-  Behavior monitoring, security policy facilitating incident containment, risk based security
   management, layered security controls



                However, deploying solutions without monitoring them
                              is a waste of resources.

                                        PROPRIETARY AND CONFIDENTIAL
So How Do We...
…Assess the effectiveness of the security controls?
…Define a security baseline?
…Recognize internal threats?
…Monitor critical business processes?
…Assess immediate impact in case of a security breach?




                       The answer is infrastructure visibility.




                                    PROPRIETARY AND CONFIDENTIAL   23
ArcSight ESM Delivers
ü  FlexConnectors for emerging security technologies
ü  FlexConnectors for custom, business-critical applications
ü  Identity Activity Monitoring
ü  Infrastructure Mapping across the Business Units and Roles
ü  Enforcing Corporate Security Policy
ü  KPI-based Information Security Program tracking
ü  Scalability and flexibility to address future threats and undiscovered use cases




                                          PROPRIETARY AND CONFIDENTIAL
Example: Business Infrastructure Mapping
Requirements:
             Business Units               America                                             EMEA                                   APAC
              Applications    HR      Accounting     Payroll             HR          Accounting            Payroll      HR      Accounting          Payroll
                     Server       -       -              -                 -                  -               -             -        -                 -
 IT Groups




               Application        -       -              -                 -                  -               -             -        -                 -
                   Database       -       -              -                 -                  -               -             -        -                 -



Asset Import File:
 Asset Name*           Hostname         IP          Description*                            Asset Group*          Asset Category         Asset Category

 APAC HR Server        hrserver         1.1.1.1     File server hosting HR                  Insurance             HR                     Server
                                                    data
 America Payroll       payrolldb        2.2.2.2     Payroll Oracle DBMS                     Credit                Payroll                Database
 DB
 EMEA Acct App         acctapp          3.3.3.3     Accounting                              Investments           Accounting             Application
 Server                                             application server for
                                                    EMEA



                                                             PROPRIETARY AND CONFIDENTIAL            * - supported by MetaNet NMI (Network Model Importer)
Example: Business Infrastructure Reporting
Trend Table:
 Date       Event Name           Hostname       IP             BU                        Group         App            Event Count
 12-09-11   Malware Infection    payrolldb      2.2.2.2        Credit                    Database      Payroll        16

 13-09-11   Policy Violation     acctapp        3.3.3.3        Investments               Application   Accounting     42

 14-09-11   Failed Admin Login   hrserver       1.1.1.1        Insurance                 Server        HR             25




Trend Based Report:
                                            Failed Admin Logins
120
100
 80
                                                                                                                              Accounting
 60
                                                                                                                              HR
 40                                                                                                                           Payroll
 20
  0
  Week 1          Week 2          Week 3             Week 4                   Week 5                Week 6          Week 7

                                                          PROPRIETARY AND CONFIDENTIAL
Example: Security Program Monitoring
KPI                          Data Sources               ESM Content Description

# failed administrative      OS, Applications,          Line chart Reports based on event counts grouped by
logins                       Network & Security         business units, applications, or groups.
                             Devices
# IT policy violations       Security Event             Correlated events with ‘/Policy/Violation’ Event
                             Management                 Category based on Policy Violation Rules (IT Gov., and
                                                        custom).

% systems where              Vulnerability              Area-based graphs showing the percentage of Assets
security req’s are not met   Management                 tagged with ‘Vulnerability’ Asset Category, mapped
                                                        across time periods

# average time lag           Issue Tracking             Reports based on averaged time-to-resolve values
between detection,           Systems,                   provided by ITS or SIEM. Case-based Reports in
reporting and action         Security Event             ArcSight ESM.
upon security incidents      Management




                                              PROPRIETARY AND CONFIDENTIAL
CONCLUSIONS
(only 20 slides left)
Conclusions
1.  Higher awareness of modern security threats
2. Seek and deploy tools specifically designed to combat modern attacks
3.  Solid security policy, procedures and user training
4. No single security control is 100% effective; compensating controls are key
5. On-going monitoring of technical and procedural controls is a must




                        ArcSight ESM provides the framework
                      to deliver complete infrastructure visibility
                           to enforce your security controls




                                      PROPRIETARY AND CONFIDENTIAL
Questions?
                  We Have Answers:




             http://answers.metanetivs.com

                      PROPRIETARY AND CONFIDENTIAL
References
1.    eWeek
      http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/

2.    Ars Technica
      http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

3.    RSA Open Letters
      http://www.rsa.com/node.aspx?id=3891

4.    Verizon Breach Report 2011
      http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/

5.    Symantec MessageLabs Intelligence Reports
      http://www.symanteccloud.com/globalthreats/overview/r_mli_reports

6.    The VeriSign iDefense Intelligence Report
      http://www.verisigninc.com/assets/whitepaper-idefense-trends-2011.pdf




                                                   PROPRIETARY AND CONFIDENTIAL
THANK YOU


MetaNetIVS.com/P2011



Anton Goncharov, CISSP
 Prepared for                    Prepared by
Partner, Solutions Architect
anton.goncharov@metanetivs.com

Dragos Lungu, CISSP, CISA
Security Consultant
dragos.lungu@metanetivs.com

More Related Content

What's hot

Navigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceNavigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere Workplace
Ivanti
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
frcarlson
 
Vfm security with aruba wireless
Vfm security with aruba wirelessVfm security with aruba wireless
Vfm security with aruba wirelessvfmindia
 
CSF18 - For Your Ears Only - Sasha Kranjac
CSF18 - For Your Ears Only - Sasha KranjacCSF18 - For Your Ears Only - Sasha Kranjac
CSF18 - For Your Ears Only - Sasha Kranjac
NCCOMMS
 
8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't Stop8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't Stop
Sophos
 
Как автоматизировать, то что находит аналитик SOC
Как автоматизировать, то что находит аналитик SOCКак автоматизировать, то что находит аналитик SOC
Как автоматизировать, то что находит аналитик SOC
Denis Batrankov, CISSP
 
Advanced Persistent Threat
Advanced Persistent ThreatAdvanced Persistent Threat
Advanced Persistent Threat
Ammar WK
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
 
Top Tactics For Endpoint Security
Top Tactics For Endpoint SecurityTop Tactics For Endpoint Security
Top Tactics For Endpoint Security
Ben Rothke
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Cyber Attack Analysis : Part I DDoS
Cyber Attack Analysis : Part I DDoSCyber Attack Analysis : Part I DDoS
Cyber Attack Analysis : Part I DDoS
Kenny Huang Ph.D.
 
Cyber Security for Critical Infrastructure
Cyber Security for Critical InfrastructureCyber Security for Critical Infrastructure
Cyber Security for Critical InfrastructureMohit Rampal
 
CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1
ShivamSharma909
 
Case Study of RSA Data Breach
Case Study of RSA Data BreachCase Study of RSA Data Breach
Case Study of RSA Data BreachKunal Sharma
 
(Pdf) yury chemerkin _ita_2013 proceedings
(Pdf) yury chemerkin _ita_2013 proceedings(Pdf) yury chemerkin _ita_2013 proceedings
(Pdf) yury chemerkin _ita_2013 proceedingsSTO STRATEGY
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010Andris Soroka
 
Palo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-shortPalo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-short
Ten Sistemas e Redes
 

What's hot (20)

Navigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceNavigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere Workplace
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Vfm security with aruba wireless
Vfm security with aruba wirelessVfm security with aruba wireless
Vfm security with aruba wireless
 
CSF18 - For Your Ears Only - Sasha Kranjac
CSF18 - For Your Ears Only - Sasha KranjacCSF18 - For Your Ears Only - Sasha Kranjac
CSF18 - For Your Ears Only - Sasha Kranjac
 
8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't Stop8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't Stop
 
Как автоматизировать, то что находит аналитик SOC
Как автоматизировать, то что находит аналитик SOCКак автоматизировать, то что находит аналитик SOC
Как автоматизировать, то что находит аналитик SOC
 
Advanced Persistent Threat
Advanced Persistent ThreatAdvanced Persistent Threat
Advanced Persistent Threat
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
 
Top Tactics For Endpoint Security
Top Tactics For Endpoint SecurityTop Tactics For Endpoint Security
Top Tactics For Endpoint Security
 
Avila 3 b
Avila 3 bAvila 3 b
Avila 3 b
 
NGFW Brochure 08 08
NGFW Brochure 08 08NGFW Brochure 08 08
NGFW Brochure 08 08
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Cyber Attack Analysis : Part I DDoS
Cyber Attack Analysis : Part I DDoSCyber Attack Analysis : Part I DDoS
Cyber Attack Analysis : Part I DDoS
 
Cyber Security for Critical Infrastructure
Cyber Security for Critical InfrastructureCyber Security for Critical Infrastructure
Cyber Security for Critical Infrastructure
 
CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1
 
Case Study of RSA Data Breach
Case Study of RSA Data BreachCase Study of RSA Data Breach
Case Study of RSA Data Breach
 
(Pdf) yury chemerkin _ita_2013 proceedings
(Pdf) yury chemerkin _ita_2013 proceedings(Pdf) yury chemerkin _ita_2013 proceedings
(Pdf) yury chemerkin _ita_2013 proceedings
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
 
Palo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-shortPalo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-short
 

Viewers also liked

Ww Web Projects
Ww Web ProjectsWw Web Projects
Ww Web Projects
WWhazlett
 
Stress Free- Financially secure.
 Stress Free- Financially secure. Stress Free- Financially secure.
Stress Free- Financially secure.
Peter Wheaton
 
Madagascan food
Madagascan foodMadagascan food
Madagascan foodosamfl
 
Manjo's Story Part I
Manjo's Story Part IManjo's Story Part I
Manjo's Story Part I
unicefmadagascar
 
Pr in the Age of Social Media
 Pr in the Age of Social Media Pr in the Age of Social Media
Pr in the Age of Social Media
Marla Lowenthal
 

Viewers also liked (6)

Ww Web Projects
Ww Web ProjectsWw Web Projects
Ww Web Projects
 
Madagagyubku blty.
Madagagyubku blty.Madagagyubku blty.
Madagagyubku blty.
 
Stress Free- Financially secure.
 Stress Free- Financially secure. Stress Free- Financially secure.
Stress Free- Financially secure.
 
Madagascan food
Madagascan foodMadagascan food
Madagascan food
 
Manjo's Story Part I
Manjo's Story Part IManjo's Story Part I
Manjo's Story Part I
 
Pr in the Age of Social Media
 Pr in the Age of Social Media Pr in the Age of Social Media
Pr in the Age of Social Media
 

Similar to Modern Lessons in Security Monitoring

F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence Service
F5 Networks
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutions
frontone
 
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonPCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
IBM Danmark
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
IBM Danmark
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Alert Logic
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
justinkallhoff
 
Spiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout sessionSpiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout session
Shane Rice
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
Black Duck by Synopsys
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStack
Tim Mackey
 
Novinky F5
Novinky F5Novinky F5
Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security Products
DaveEdwards12
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
Bill Ross
 
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAmazon Web Services
 
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan RowcliffeNo More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
Core Security
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
Andris Soroka
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formulaOracleIDM
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554TISA
 

Similar to Modern Lessons in Security Monitoring (20)

F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence Service
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutions
 
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonPCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 
S series presentation
S series presentationS series presentation
S series presentation
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Spiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout sessionSpiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout session
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStack
 
Unit 08: Security for Web Applications
Unit 08: Security for Web ApplicationsUnit 08: Security for Web Applications
Unit 08: Security for Web Applications
 
Novinky F5
Novinky F5Novinky F5
Novinky F5
 
Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security Products
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
 
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
 
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan RowcliffeNo More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formula
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554
 

Recently uploaded

Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 

Recently uploaded (20)

Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 

Modern Lessons in Security Monitoring

  • 1. ANATOMY OF A HIGH PROFILE ATTACK Modern Lessons for Security Monitoring HP Protect 2011 Prepared for Anton Goncharov, CISSP Prepared by Partner, Solutions Architect anton.goncharov@metanetivs.com Dragos Lungu, CISSP, CISA Security Consultant dragos.lungu@metanetivs.com
  • 2. METANET IVS •  SIEM and Event Management Group •  Heavy focus on HP/ArcSight solutions EXPERIENCE •  Based in New York with team members world-wide EXPERTISE •  Services: Infrastructure Management, Monitoring and Support QUALITY OUR TOP 3 STRENGTHS* •  ArcSight Tools (RR, NMI) •  Technical Forum (answers.metanetivs.com) PROPRIETARY AND CONFIDENTIAL * Source: MetaNet Customer Survey, 6/2011
  • 3. Agenda 1.  Discuss attacks against Sony, HBGary, and RSA 2.  Review the weaknesses and vulnerabilities which allowed attacks to succeed 3.  Look at the practices and solutions which could have helped prevent the breaches 4.  Discuss integration of prevention and monitoring 5.  Discuss how ArcSight ESM can combat new threats by improving infrastructure visibility PROPRIETARY AND CONFIDENTIAL
  • 5. SONY: Brief Intro ü  April and May 2011 ü  PlayStation Network ü  Followed by: •  Qriocity •  Sony Online Entertainment •  Regional (Thailand, Greece, Indonesia) ü  100M+ PSN accounts stolen ü  $173M+ direct costs PROPRIETARY AND CONFIDENTIAL (Source: eWeek)
  • 6. SONY: Attack Dissection 1. Inject Exploit in Application Server Web Server 2. Gain DB Access 3. Phone Home & Upload Data Application Servers Database Servers PROPRIETARY AND CONFIDENTIAL
  • 7. SONY: Weaknesses ü Inefficient Vulnerability Management ü Lack of compensating security controls ü SPOF in SSL tunneling ü PII Security Policy unenforced ü Poor network segregation PROPRIETARY AND CONFIDENTIAL
  • 8. HBGary: Brief Intro •  On February 7 2011, HBGary Federal and rootkit.com are compromised •  Over 71,000 corporate emails leaked triggering PR disaster •  Intellectual Property stolen or destroyed (including a decompiled copy of Stuxnet) •  hbgaryfederal.com is still offline 6 months later* PROPRIETARY AND CONFIDENTIAL * As of July 2011
  • 9. HBGary: Attack Dissection Phase 1 Phase 2 Phase 3 Mail hbgaryfederal.com HBGary Email Corporate Firewall SQL Injection Social Engineering Forged Inbound Access CMS Database Firewall Admin Rootkit.com PROPRIETARY AND CONFIDENTIAL
  • 10. HBGary: Weaknesses ü Insecure web application programming ü Weak password encryption and hashing policies ü Repeated violations of password reuse policy ü Single factor authentication throughout critical systems ü Weak vulnerability management program ü Lack of security training and awareness among critical staff PROPRIETARY AND CONFIDENTIAL
  • 11. RSA: Brief Intro •  On March 17, RSA suffers an APT attack targeting the RSA SecurID® product •  Customers exposed to new security risks: RSA ACE server attacks, brute force attacks, phishing attacks to reveal PINs, token serial numbers •  On June 2, data stolen in March is used against Lockheed Martin •  No dollar figure or details on compromised data were given. “…this information could potentially be used to reduce the effectiveness of a current two-factor authentication” (Art Coviello, Executive Chairman, RSA) PROPRIETARY AND CONFIDENTIAL
  • 12. RSA: Attack Dissection Compromised FTP Server Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Spear Phishing Backdoor Privilege Escalation With 0-day payload Infestation Deeper Scanning Data Exfiltration CVE-02011-0609 Data Acquisition Poison Ivy RAT And Encryption PROPRIETARY AND CONFIDENTIAL
  • 13. RSA: Weaknesses ü Poor security awareness ü Lax local security policies facilitating privilege escalation ü No segregation of assets based on business role which allowed access to critical systems ü No effective data loss prevention system PROPRIETARY AND CONFIDENTIAL
  • 15. Common Areas of Concern ü Security Awareness ü Ineffective vulnerability and patch management ü Endpoint security policy ü Password management issues ü Egress content filtering ü DLP for critical networks / systems Nothing new here. PROPRIETARY AND CONFIDENTIAL
  • 16. Now Back to 2011 ü  New vectors: •  Virtual social engineering, spear phishing, zero-day malware, covert channels, commercialization of attack tools ü  Higher levels of impact: •  IP Theft, Cyber Espionage / Sabotage, Market Manipulation, Vendetta, Social Riots ü  Vulnerability Management is more challenging: •  Undisclosed zero-day, weak preventative & compensating security controls, limited security practices in SDLC, ubiquity of critical business data Targeted attacks, zero-days vulns, and custom malware are brutally efficient. PROPRIETARY AND CONFIDENTIAL
  • 17. Targeted Attacks 1 in 1,000,000EMAILS IS A TARGETED ATTACK 57% 60.4% INDIVIDUALS WITH MANAGEMENT INCREASE IN TARGETED ATTACKS in 2010 RESPONSIBILITIES PROPRIETARY AND CONFIDENTIAL Source: Symantec MessageLabs 2011
  • 18. Zero-Day Vulnerabilities Rise ü  One Tell-Tale: More Out of Band Patches ü  Vulnerability Disclosure Changed: •  Vendor Bounty Programs •  Responsible Disclosure vs. Full Disclosure •  Underground Market ü  New attack vectors are leveraged as technologies mature This means we don’t know what we’ll be defending against same time next year. PROPRIETARY AND CONFIDENTIAL
  • 19. Custom Malware •  AV avoidance is a part of the Q&A •  Sandbox and VM detection •  Small distribution helps avoid detection: •  no packing or polymorphic functions •  code signing using forged certificates 63% 79% MALWARE UNDETECTABLE BY AV COMPROMISED RECORDS WHERE MALWARE WAS USED PROPRIETARY AND CONFIDENTIAL Source: Verizon Data Breach Report 2011
  • 20. SO WHAT DO WE DO Prevention and Assurance
  • 21. Low Hanging Fruit ü You can leverage traditional event sources to detect attacks: •  Geo/IP data •  Port numbers •  AD auth logs ü The attackers know this ü The attacks on SONY and others bypassed detection easily Successful defense requires a bit more effort PROPRIETARY AND CONFIDENTIAL 21
  • 22. Addressing Modern Threats Targeted Attacks / Spear Phishing: -  User training, bi-directional message screening, digital signatures, message encryption, layered anti-spam, browser protection Zero Day Vulnerabilities: -  Layered security, critical process isolation, compensating security controls, application- aware IPS (which do not rely on signatures), complete infrastructure visibility Custom Malware: -  Behavior monitoring, security policy facilitating incident containment, risk based security management, layered security controls However, deploying solutions without monitoring them is a waste of resources. PROPRIETARY AND CONFIDENTIAL
  • 23. So How Do We... …Assess the effectiveness of the security controls? …Define a security baseline? …Recognize internal threats? …Monitor critical business processes? …Assess immediate impact in case of a security breach? The answer is infrastructure visibility. PROPRIETARY AND CONFIDENTIAL 23
  • 24. ArcSight ESM Delivers ü  FlexConnectors for emerging security technologies ü  FlexConnectors for custom, business-critical applications ü  Identity Activity Monitoring ü  Infrastructure Mapping across the Business Units and Roles ü  Enforcing Corporate Security Policy ü  KPI-based Information Security Program tracking ü  Scalability and flexibility to address future threats and undiscovered use cases PROPRIETARY AND CONFIDENTIAL
  • 25. Example: Business Infrastructure Mapping Requirements: Business Units America EMEA APAC Applications HR Accounting Payroll HR Accounting Payroll HR Accounting Payroll Server - - - - - - - - - IT Groups Application - - - - - - - - - Database - - - - - - - - - Asset Import File: Asset Name* Hostname IP Description* Asset Group* Asset Category Asset Category APAC HR Server hrserver 1.1.1.1 File server hosting HR Insurance HR Server data America Payroll payrolldb 2.2.2.2 Payroll Oracle DBMS Credit Payroll Database DB EMEA Acct App acctapp 3.3.3.3 Accounting Investments Accounting Application Server application server for EMEA PROPRIETARY AND CONFIDENTIAL * - supported by MetaNet NMI (Network Model Importer)
  • 26. Example: Business Infrastructure Reporting Trend Table: Date Event Name Hostname IP BU Group App Event Count 12-09-11 Malware Infection payrolldb 2.2.2.2 Credit Database Payroll 16 13-09-11 Policy Violation acctapp 3.3.3.3 Investments Application Accounting 42 14-09-11 Failed Admin Login hrserver 1.1.1.1 Insurance Server HR 25 Trend Based Report: Failed Admin Logins 120 100 80 Accounting 60 HR 40 Payroll 20 0 Week 1 Week 2 Week 3 Week 4 Week 5 Week 6 Week 7 PROPRIETARY AND CONFIDENTIAL
  • 27. Example: Security Program Monitoring KPI Data Sources ESM Content Description # failed administrative OS, Applications, Line chart Reports based on event counts grouped by logins Network & Security business units, applications, or groups. Devices # IT policy violations Security Event Correlated events with ‘/Policy/Violation’ Event Management Category based on Policy Violation Rules (IT Gov., and custom). % systems where Vulnerability Area-based graphs showing the percentage of Assets security req’s are not met Management tagged with ‘Vulnerability’ Asset Category, mapped across time periods # average time lag Issue Tracking Reports based on averaged time-to-resolve values between detection, Systems, provided by ITS or SIEM. Case-based Reports in reporting and action Security Event ArcSight ESM. upon security incidents Management PROPRIETARY AND CONFIDENTIAL
  • 29. Conclusions 1.  Higher awareness of modern security threats 2. Seek and deploy tools specifically designed to combat modern attacks 3.  Solid security policy, procedures and user training 4. No single security control is 100% effective; compensating controls are key 5. On-going monitoring of technical and procedural controls is a must ArcSight ESM provides the framework to deliver complete infrastructure visibility to enforce your security controls PROPRIETARY AND CONFIDENTIAL
  • 30. Questions? We Have Answers: http://answers.metanetivs.com PROPRIETARY AND CONFIDENTIAL
  • 31. References 1.  eWeek http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/ 2.  Ars Technica http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars 3.  RSA Open Letters http://www.rsa.com/node.aspx?id=3891 4.  Verizon Breach Report 2011 http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/ 5.  Symantec MessageLabs Intelligence Reports http://www.symanteccloud.com/globalthreats/overview/r_mli_reports 6.  The VeriSign iDefense Intelligence Report http://www.verisigninc.com/assets/whitepaper-idefense-trends-2011.pdf PROPRIETARY AND CONFIDENTIAL
  • 32. THANK YOU MetaNetIVS.com/P2011 Anton Goncharov, CISSP Prepared for Prepared by Partner, Solutions Architect anton.goncharov@metanetivs.com Dragos Lungu, CISSP, CISA Security Consultant dragos.lungu@metanetivs.com