
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

The Evolution of Defense in Depth
Robert Perciaccante, CISSP, Security Systems Engineer, Cisco Systems


Slide 1: The Evolution of Defense in Depth
Robert Perciaccante, CISSP
Security Systems Engineer – Cisco Systems
September 11, Pittsburgh, PA

Slide 2: Good Morning!
- Introductions
- Brief History of Internet Threats
- “Old School Thinking” – Security in the Beginning
- Changes in the Threat Model – ~2000 to Present
- Defense in Depth – What's mine is mine, and it's going to stay mine.

Slide 3: Quick Question
- How many of you are directly involved with the security and protection of your organization?
  - Technical team members?
  - Management?
- How many of you have been involved, in one way or another, in a security breach, such as a malicious action or a malware outbreak?
  - At your work?
  - At your home?

Slide 4: A Day In The Life of a Security Professional…

Slide 5: What is a Threat?
threat (thrět) n.* An expression of an intention to inflict pain, injury, evil, or punishment. An indication of impending danger or harm. One that is regarded as a possible danger; a menace.
* “threat.” The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, Jan
- A threat is any network-based attempt to compromise information, system, or network resources
- They can originate from anywhere, any time
- They take advantage of operating system, application, protocol, and psychological vulnerabilities
- They leverage all methods of entry to a system
- They can steal information, destroy data, deny access to servers, and shut down embedded devices
- They do not want to be found

Slide 6: Sources of Threats
- Application vulnerabilities allow hackers to gain access to underlying databases and improper levels of access to applications
- Improper data access through improperly configured firewalls and legacy firewall technology
- Operating system vulnerabilities allow hackers control of computers and enable information theft and improper system access
- E-mail can offer spoofed links (e.g. phishing) and attachments infected with spyware, viruses, and other malware
- Internet use introduces files through downloads, drive-by installations, and errant software installations
- User access to information and resources that they either shouldn’t have or don’t need
- Network system vulnerabilities can allow hackers to take over entire domains (pharming)

Slide 7: Fateful Words
“Why would someone bother to attack me? I have nothing that they would want.” – IT Manager, ~1998, during a firewall proposal meeting
FACT: You may not have something that anyone would want, but you can be used to get to something that they DO want, and where do you think the FBI will come when they start their investigation? Not only could this cause you to lose your operations center (frozen for investigation by authorities), but you are open to liability issues as a result of failure to perform due diligence.

Slide 8: Fateful Words – Example
- A datacenter was breached and used to amplify a DDoS network (Smurf attack)
- The target network reported the incident and the source network to the FBI.
- The FBI identified the datacenter network as a source of the traffic and seized control of the network to perform forensic analysis.
- In doing so, the FBI removed all the devices from the network, taking the company’s entire internet presence offline for 5 weeks.
- The datacenter network had to be rebuilt from scratch, with all new hardware, in order to maintain operations during the course of the investigation.
- The cause was determined to be a failure to implement appropriate security controls. The company that was the target of the DDoS sued the datacenter owner for lost revenue as a result of the attack and won $750,000 in damages.

Total cost to datacenter owner:
  $750,000.00    Punitive damages to victim
  $175,000.00    Legal resources due to legal action
  $400,000.00    Loss of revenue from downed datacenter and internal resources for its recreation
  $1,325,000.00  Total loss (and this does not include public image impact!)

Slide 9: The Old Security Model: ~1997
[Diagram: Public Internet > Corporate Network, with IDS\IPS (Maybe…)]

Slide 10: The Old Security Model: ~1997
Generalizations:
- Everyone on the Internet is untrustworthy
- Everyone within my organization is essentially trustworthy
- The model was “hard exterior, soft gooey center”
  - Security efforts were focused on keeping the outsiders out
  - Internal personnel and\or systems were essentially permitted to go wherever they needed: HTTP\S, FTP, P2P, IM all essentially permitted unchecked.
- Traffic headed to externally facing systems, such as webservers etc., was typically protected through a single layer of firewall protection
- Limited or no internal segregation of networks or personnel
- Hosts were protected with anti-virus, perhaps a hardened image, but typically were unprotected
- Enterprise event monitoring did not exist
  - There was no significant market uptake for centralized logging and\or monitoring of events – it simply was not done

Slide 11: Challenges with the “Old Model”
- Disparate security devices meant segregation of administrative controls
  - Firewall management
  - Domain management
  - User management
  - IDS\IPS management
  - Router\Switch management
- Too much data in too many different places
  - Inability to get the “Big Picture” because most personnel only had access to a piece of the puzzle
- Exterior-only protection meant insiders had free rein
  - No protection from the “Insider Threat”
  - Inability to reconstruct unauthorized access for investigative or prosecutorial processes

Slide 12: Changes in Internet Use and Abuse…
- As the Internet became more ingrained into the minds of business and personal users, the number of systems attached to the Internet increased.
- Increased complexity of networks and access
- With this increased attach rate, the importance of layered security grew from a nice-to-have to a MUST have:
  - Regulatory compliance
    - Demonstrability of “Due Diligence”
    - SOX, GLBA, PCI, etc.
  - Business needs for connectivity
    - Website\eCommerce
    - Vendor\Remote Access

Slide 13: … leads to an Increase in Complexity
- Forensics and investigations more complex
  - The complexity of networks makes the forensic reconstruction of events far more difficult to do accurately
- Resource diversification
  - Resources may be segmented (i.e. network admins and security admins), making communication and collaboration more difficult when determining root cause
- Intercommunications between companies and partners more complex
  - Application communications are more complex, requiring a much higher degree of network and application understanding to be able to determine what is right and wrong in terms of behaviors
- Monitoring and management more difficult
  - De-centralized monitoring, typically the case, makes recreation of event timelines very problematic

Slide 14: Unlimited Entry Points
- Virtually unlimited application, operating system, driver, and firmware updates annually
- Each has undiscovered vulnerabilities
- This creates virtually unlimited access by hackers

Slide 15: Evolution of Threats and Exploits
[Chart: Complexity / Expertise Required (Low to High) plotted over Time. Items shown: Packet Forging/Spoofing, Password Guessing, Self Replicating Code (WORM), Password Cracking, Vulnerability Scanning, Audit Disablement, Back Door Exploits, Session Hijacking, Sweepers, Sniffers, Stealth Diagnostics, Pulsing Zombies, Blended Threats, Self Installing Root Kits, Dynamic Capabilities, Intelligent Bots]

Slide 16: Evolution of Security Challenges
Rapidly escalating threat to businesses. Target and Scope of Damage axis: INDIVIDUAL Computer > INDIVIDUAL Networks > MULTIPLE Networks > REGIONAL Networks > GLOBAL Infrastructure Impact.
- First Gen (1980s): Boot viruses – time to impact: Weeks
- Second Gen (1990s): Macro viruses; Denial of Service – Days
- Third Gen (Today): Distributed Denial of Service; Blended threats – Minutes
- Next Gen (Future): Flash threats; Massive “bot”-driven DDoS; Damaging payload worms – Seconds

Slide 17: The Evolution of Intent – From Hobbyists to Professionals
Threats becoming increasingly difficult to detect and mitigate.
[Chart: THREAT SEVERITY rising over time: TESTING THE WATERS (Basic Intrusions and Viruses) > FAME (Viruses and Malware) > FINANCIAL (Theft & Damage) > WHAT’S NEXT?]

Slide 18: Emerging Threats
- More access, always on, from everywhere
  - Wireless networking density
  - SSL and other single-sided technologies
  - Allow for scaling and instant DR
- Corporate “Edge” becoming harder to define and control
  - Anonymous access to or through legitimate networks, data leakage, remote point of attack against endpoints
  - Loss of control over corporate assets significantly changes security posture

Slide 19: Viruses Aren’t Dead
- During January 2007, 19 new major viruses were released
- Average response time of 21 leading AV engines was 8 hours
- 40% of the virus attacks in January 2007 had peaked before the AV signature was released
- The trend is getting worse, not better. Signature-based solutions must be combined with day-zero protection to protect today’s networks.

Slide 20: Security Breach Example Costs
Cost of recent customer records breaches:
- $6.5 Million: DSW Warehouse costs from data theft
- $5.7 Million: BJ’s Wholesale Club from data breach
Additional impact/cost due to lost customers:
- 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
- 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident

Slide 21: Prevention Costs
- Prevention may be cheaper than reaction:
- Multiple independent studies have estimated the cost of customer record losses to be between $90 and $182 per record
- “A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined.” – Gartner analyst Avivah Litan

Slide 22: TJX Security Breach – Jan. 17, 2007
- NEW YORK, Jan 17 (Reuters) – TJX Cos Inc. (TJX), which operates the T.J. Maxx and Marshalls chains, said on Wednesday that its computer systems that process customer transactions had been breached, and customer information has been stolen.
- Trading of TJX stock was halted on the floor of the NY stock exchange as the news broke.
- TJX took a $5M charge to cover the investigation, legal fees and costs associated with explaining the problem to its customers

Slide 23: January 18, 2007 – Congress Responds
Washington, DC – House Financial Services Committee Chairman Barney Frank (D-MA) today issued the following statement regarding another major data breach potentially impacting millions of credit card holders:
“I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why. This is further evidence of the need for a provision over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility. Specifically, this means retailers or wholesalers must take responsibility for financial losses, contrary to what common practice is today.” – Barney Frank, House Financial Services Committee Chair

Slide 24: The TJX Saga Continues
- Feb 22: TJX indicates that data thefts could reach back into 2005
- March 21: TJX indicates that fraudulently obtained information was used in an $8M gift card scheme
- March 29: Company reports SEC filing with loss of 45.7M records, along with 455k return records containing SSNs, Military IDs, and other info
- April 22: Company clarifies records theft dates back to July 2005 (17 months)
- April 26: Class action lawsuit filed by MA, CT, ME
- May 4: WSJ reports TJX had outdated wireless security, had failed to install firewalls, and had not properly installed other layers of security
… lMyQjAxMDE3NzA4NDIwNDQ0Wj.html

Slide 25: Breaches occur more often than you think…
Reported records breached since 2005*: ,048,651 (leading digits lost in the transcript)
Source: privacyrights.org as of June 8, 2007
* “unknowns” not counted

Slide 26: Common Myths
- Only specific users have access to my systems
- We patch at every release and are therefore secure
- We air-gap the network and it’s therefore not exploitable
- Our firewall is bulletproof
- We use more than one vendor in each tier, so we are more secure.
  - This reduces visibility, increases resource requirements, and significantly increases the likelihood of human error!
- Repeat after me: it is vulnerable, it is exploitable, someone will access it

Slide 27: New Opportunity: Proliferation of Devices
The Challenge
- New types of devices are joining the network: hand-helds, smart phones, cameras, tools, physical security systems, etc.
- Diversity of OSs: more devices means more operating systems and custom applications
- Embedded OSs
  - Process controllers, kiosks, ATMs, lab tools, etc.
  - IT department often not involved in procurement – little attention paid to security
  - For example, one environment got hacked from an oscilloscope
- User expectations
  - Users want to use the technology they are used to using at home
  - Example: wireless networking, cellular network access
Opportunities for Attack
- Attacks on the back-end
  - All of these systems provide an ingress point into some form of back-end system
  - Both the method of communication and the device itself are targets
- Attacks on the device
  - Proliferation leaves many opportunities for taking control of a system
- Attacks on data
  - Sensitive data is becoming increasingly distributed and uncontrolled
- Attacks from “Trusted” Devices
  - Mobility of devices means devices move out of your protected network and then back in, possibly bringing malware with them. For example, a family member of an employee installs software onto a laptop that contains a virus.

Slide 28: True Layered Protection
[Diagram: Public Internet > Internet Gateway > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network (Internal Servers, Internal Clients, Internal Servers)]
In order to minimize an organization’s risk, it is IMPERATIVE that security be pervasive throughout every layer of the network and integrated into both technology and business processes. While the ROI on security has historically been difficult to calculate, many good ROI models have been published to help minimize overall risk (both operational and financial) as well as provide guidance on the appropriate level of protection.
EXCELLENT article on the US-CERT website: https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/677.html

Slide 29: Implement Concept of Security Domains
[Diagram: Literal Layer (Public Internet > Internet Gateway > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network with Internal Servers and Internal Clients) against Domain Affiliation (Wholly Untrusted, Partial Trust, Internal Trust)]
Domain definitions:
- Wholly Untrusted
  - No operational access or control over devices in this environment
- Partially Trusted
  - Operationally controlled by organization
  - Accessed by systems not controlled by organization
- Internal Trust
  - Operationally controlled by organization
  - NOT accessed by hosts not managed by organization
  - Individuals using these systems or devices have undergone administrative review

Slide 30: Security Domains in a Nutshell
- Define technical and administrative controls for communications from a higher trust-level domain to a lower trust-level domain
  - Example: Connections from an internal laptop to a DMZ system must be permitted only on FTP or SFTP
- Define technical and administrative controls for communications from a lower trust-level domain to a higher trust-level domain
  - Example: Information that is needed for a web-facing application cannot be fetched directly from an internal database. Instead a secure-DMZ database may receive replicated data from the internal source, and the web application may access the secondary database using strong authentication and secure communications.
- This will require a lot of thought and planning, but will result in a very strong security infrastructure and reduced overall costs!
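The two rules on this slide can be written down as a small default-deny policy engine, which makes them testable rather than a diagram. The following is an added example and is not code from the Cisco deck: the domain names, the trust ordering, the allow list and the sample flows are constructed assumptions chosen to mirror the slide's two examples (internal laptop to DMZ only over FTP/SFTP; the web tier reads a replicated secure-DMZ database with strong authentication instead of touching the internal source). The extra rule that a lower-trust source may only reach the adjacent domain is my modelling choice for "cannot be fetched directly from an internal database".

```python
"""Security-domain flow policy: default deny between trust levels.

Added example, not from the Cisco deck. Domain names, trust ordering, the
rule set and the sample flows are all constructed for illustration.
"""
from dataclasses import dataclass

# Constructed trust ordering: a higher number means a more trusted domain.
TRUST = {
    "public_internet": 0,  # wholly untrusted
    "dmz": 1,              # partially trusted, internet-facing
    "secure_dmz": 2,       # partially trusted, holds replicated data only
    "internal": 3,         # internal trust
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    strong_auth: bool = False  # when True the flow must present strong authentication


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str
    strong_auth: bool = False


# Explicit allow list (constructed); anything not listed is denied.
RULES = (
    Rule("internal", "dmz", "ftp"),                  # laptop -> DMZ system, FTP only
    Rule("internal", "dmz", "sftp"),                 # ... or SFTP
    Rule("public_internet", "dmz", "https"),         # anonymous users reach the web tier
    Rule("internal", "secure_dmz", "db-replication", strong_auth=True),  # internal -> S-DMZ copy
    Rule("dmz", "secure_dmz", "db-query", strong_auth=True),             # web app -> S-DMZ copy
)


def evaluate(flow, rules=RULES):
    """Return ("allow" | "deny", reason) for a single flow."""
    if flow.src not in TRUST or flow.dst not in TRUST:
        return "deny", "unknown security domain"
    climb = TRUST[flow.dst] - TRUST[flow.src]
    # Lower -> higher flows may only reach the adjacent domain. The public
    # internet never reaches the internal network directly; data crosses
    # DMZ -> secure DMZ -> internal one tier at a time.
    if climb > 1:
        return "deny", "lower-trust source skips an intermediate domain"
    for r in rules:
        if (r.src, r.dst, r.service) == (flow.src, flow.dst, flow.service):
            if r.strong_auth and not flow.strong_auth:
                return "deny", f"{r.service} to {r.dst} requires strong authentication"
            return "allow", f"matched {r.src}->{r.dst}:{r.service}"
    return "deny", "no matching rule (default deny)"


def lint_rules(rules=RULES):
    """Return any rule that would itself let a low-trust domain skip a tier."""
    return [r for r in rules if TRUST[r.dst] - TRUST[r.src] > 1]


if __name__ == "__main__":
    samples = [
        Flow("internal", "dmz", "sftp"),
        Flow("internal", "dmz", "ssh"),
        Flow("public_internet", "internal", "db-query"),
        Flow("dmz", "secure_dmz", "db-query"),
        Flow("dmz", "secure_dmz", "db-query", strong_auth=True),
    ]
    for f in samples:
        decision, why = evaluate(f)
        print(f"{f.src:>16} -> {f.dst:<11} {f.service:<15} {decision:<5} ({why})")
    print("tier-skipping rules:", lint_rules())
```

The lint function is the check worth running whenever the rule set changes: one rule that lets the public internet reach the internal network directly undoes the tiering the rest of the policy builds, and the engine above will happily enforce it unless someone looks.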

Slide 31: Implementing True Defense in Depth – Example: Anonymous Internet User
[Diagram: Public Internet > Internet Gateway > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network (Internal Servers, Internal Clients, Internal Devices)]
- Consider participants of the Public Internet as hostile: if they cannot be inherently trusted, then they must by default be treated as hostile.
- Minimize the number of services available to hosts that are not trusted
- Provide a means to authenticate or establish the trust of external hosts through VPN use, SSL certificate authentication, etc.
- Move everything that touches or is touched by the Public Internet behind a perimeter defense point

Slide 32: Implementing True Defense in Depth – Example: Perimeter Firewall
[Diagram: layered network, Public Internet > Internet Gateway(s) > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network]
- Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
- Implement an active defense methodology that will be flexible enough to respond to changing business needs and internet threats, such as the implementation of both firewall and intrusion prevention.
- Utilize best-of-breed technologies that maximize the value of capital expenditures, reduce internal resource requirements, and provide the greatest ability to identify and respond to threats

Slide 33: Implementing True Defense in Depth – Example: Webserver Farm
[Diagram: layered network, Public Internet > Internet Gateway(s) > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network]
- Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions.
- Provide a heightened level of security over standard hosts through formal lock-down procedures.
- Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
- Restrict access to these systems, even from your internal systems!

Slide 34: Implementing True Defense in Depth – Example: Firewall between DMZ and Secured DMZ
[Diagram: layered network, Public Internet > Internet Gateway(s) > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network]
- Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
- Protect higher-trust networks from potentially compromised hosts.
- Create a mid-tier for shared information between the DMZ and the internal network by creating a secure DMZ.
- Restrict both ingress and egress through this gateway!

Slide 35: Implementing True Defense in Depth – Example: Network used to replicate information from internal data sources to externally-facing systems
[Diagram: layered network, Public Internet > Internet Gateway(s) > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network]
- Establish formally accepted guidelines for specifically what data must go through the S-DMZ, and what hosts may pull from or push to hosts in this network.
- Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
- Restrict access to these systems, even from your internal systems!

Slide 36: Implementing True Defense in Depth – Example: Firewall between Internal network and Secured DMZ
[Diagram: layered network, Public Internet > Internet Gateway(s) > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network]
- Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
- Protect higher-trust networks from potentially compromised hosts.
- Very much like the controls in place for the DMZ and Perimeter gateways
- Restrict both ingress and egress through this gateway!

Slide 37: Implementing True Defense in Depth – Example: Internal routers and switches (access and distribution)
[Diagram: layered network, Public Internet > Internet Gateway(s) > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network]
- Define formal paths for traffic flows (assists in incident containment)
- Implement a layered approach through security applied on each device, switch, etc.
- Use VLANs as a means to segregate LIKE traffic, but not as a means to separate security domains
  - VLAN hopping is possible in certain situations
- Create internal segregation to further compartmentalize traffic and access (guests, vendors, etc.)
- Utilize strong authentication and encryption
  - WEP is not security; it can be cracked in under 3 minutes with a very low skill level
- Use Network Access Control to authenticate and assign additional restrictions as necessary
- Implement internal intrusion prevention to keep unauthorized traffic under control and to provide additional alerts for early warning of outbreaks, etc.

Slide 38: Implementing True Defense in Depth – Example: Infrastructure computational devices such as file\print servers, e-mail servers, etc.
[Diagram: layered network, Public Internet > Internet Gateway(s) > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network]
- Develop strong security lock-down and configuration standards for all hosts.
- Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
- Utilize centralized authentication (LDAP, etc.) to speed provisioning and respond to personnel changes.
- Restrict access to these systems, even from your internal systems!

Slide 39: Implementing True Defense in Depth – Example: End-user laptops, desktops, or terminals
[Diagram: layered network, Public Internet > Internet Gateway(s) > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network]
- Develop strong security lock-down and configuration standards for all hosts.
- Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
- Utilize centralized authentication (LDAP, etc.) to speed provisioning and respond to personnel changes.

Slide 40: Implementing True Defense in Depth – Example: Shared resources, such as network-enabled printers, IP-based controls, etc.
[Diagram: layered network, Public Internet > Internet Gateway(s) > DMZ > DMZ Gateway > Secure DMZ > S-DMZ Gateway > Internal Network]
- Develop standardized hardware, software, and configuration procedures, and secure where possible
- Minimize the number of these devices, and ensure that they are not accessible
- Remember: most network devices use an embedded operating system, and can be used as a jumping-off point for further attacks or infection!

Slide 41: Calculate the Value of your Data
- Use a deterministic approach to security
  - Apply the appropriate amount of protection based on business risk analysis, not FUD
- Calculate the ROI of security vs. “protect everything at any cost”
  - Ensure that you are reducing the overall risk of your organization through the application of appropriate controls
  - Don’t protect data worth $1,000 with a $100,000 device
  - Determine and document what is an acceptable loss, and prepare for it
- Create a “Risk Acceptance” process that will allow for documented exceptions, reducing the likelihood of undocumented changes being made in order to circumvent the formal procedure.

Slide 42: General Controls: Gateway Controls
- Utilize best-of-breed technology
- Create a policy that documents what is considered acceptable traffic, and publish these standards. Once published, they can be incorporated into your project management methodology, allowing for automated enforcement and more uniform adoption.
- Utilize both firewall and intrusion prevention technologies to maximize the effectiveness of your perimeter defense against known and unknown attempts.
- Define all points of ingress and egress, and apply these controls to all of these gateways uniformly
  - This reduces the complexity and chances for human error.

Slide 43: General Controls: Pervasive Network Controls
- Add security to every layer of your network
- Utilize the concept of security domains, even within your internal network
  - Segregate infrastructure servers from mission-critical systems from desktops from network printers etc…
- Implement Network Access Control to limit access to your network from personnel on the inside such as guests, vendors, etc.
- Use strong encryption and strong authentication everywhere – if you cannot secure it properly, don’t deploy it until you can!

Slide 44: General Controls: Host-Based
- Develop strong security configurations for hosts as appropriate
- Implement behavioral- and policy-based protection
  - Provides the flexibility to adapt to new threats, as well as support any application you may be running internally.
  - Removes the need for signature updates; prevents zero-day attacks based on how the attack behaves, not what its signature is.
  - Implementation of host-based firewalling technologies to prevent connections from occurring in the first place.

Slide 45: General Controls: Enterprise Visibility
- Implement a centralized logging and monitoring environment
  - Send all logs (or as many as practical based on business risk profile) to a centralized event correlation environment
  - Provides “instant” visibility into issues, potentially before they become widespread
  - Ensures that the forensic review of issues is concise, resource-group independent, and forensically sound
- If you do not already have one, prepare an incident response plan, and practice it often!
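Slide 13 notes that decentralized monitoring makes event timelines hard to recreate, and this slide proposes a central correlation environment as the fix. The following added example (not code from the Cisco deck) shows the mechanics that make the "Big Picture" possible: three constructed log formats with different timestamp conventions are normalized to UTC, merged into one timeline, and an address seen by two or more independent sources inside a short window is flagged. The log lines, the host-to-IP asset map, the UTC-4 zone assumed for the IDS sensor and the syslog year are all constructed assumptions.

```python
"""Centralized log correlation: one timeline from several sources.

Added example, not from the Cisco deck. The three log formats, the
time-zone assumptions, the asset map and every sample line are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed asset map: agent host names -> the address the network sees.
ASSETS = {"web01": "192.0.2.20"}

# Constructed sample lines, using RFC 5737 documentation addresses.
FIREWALL_LOG = [  # ISO 8601, already UTC
    "2007-06-08T14:02:11Z fw1 DENY tcp 203.0.113.10:44321 -> 192.0.2.20:1433",
    "2007-06-08T14:02:15Z fw1 PERMIT tcp 203.0.113.10:44322 -> 192.0.2.20:443",
]
IDS_LOG = [  # syslog style: no year, sensor local time (assumed UTC-4)
    'Jun  8 10:02:14 ids1 ALERT sid=1001 msg="SQL injection attempt" src=203.0.113.10 dst=192.0.2.20',
]
HOST_LOG = [  # host agent: dd/mm/yyyy, assumed UTC
    "08/06/2007 14:02:40 web01 agent: blocked outbound connection to 198.51.100.5:6667 by process w3wp.exe",
]

IDS_TZ = timezone(timedelta(hours=-4))  # assumed sensor zone
SYSLOG_YEAR = 2007                       # syslog carries no year; assumed for the sample


def parse_firewall(line):
    m = re.match(r"^(\S+)Z (\S+) (\w+) (\w+) (\S+):\d+ -> (\S+):\d+$", line)
    if not m:
        raise ValueError(f"unparsed firewall line: {line}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall", "ips": {m.group(5), m.group(6)},
            "msg": f"{m.group(3)} {m.group(4)} {m.group(5)} -> {m.group(6)}"}


def parse_ids(line):
    m = re.match(r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+\S+\s+(.*)$", line)
    if not m:
        raise ValueError(f"unparsed IDS line: {line}")
    local = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)} {m.group(2)} {m.group(3)}",
                              "%Y %b %d %H:%M:%S")
    ts = local.replace(tzinfo=IDS_TZ).astimezone(timezone.utc)  # normalize to UTC
    return {"ts": ts, "source": "ids", "ips": set(IP_RE.findall(m.group(4))), "msg": m.group(4)}


def parse_host(line):
    m = re.match(r"^(\d\d)/(\d\d)/(\d{4}) (\d\d:\d\d:\d\d) (\S+) agent: (.*)$", line)
    if not m:
        raise ValueError(f"unparsed host line: {line}")
    ts = datetime.strptime(f"{m.group(3)}-{m.group(2)}-{m.group(1)} {m.group(4)}",
                           "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    ips = set(IP_RE.findall(m.group(6)))
    if m.group(5) in ASSETS:          # tie the host name to the address other sources log
        ips.add(ASSETS[m.group(5)])
    return {"ts": ts, "source": "host", "host": m.group(5), "ips": ips, "msg": m.group(6)}


def build_timeline(fw=FIREWALL_LOG, ids=IDS_LOG, host=HOST_LOG):
    """Parse every source and return the events in one UTC-ordered list."""
    events = ([parse_firewall(l) for l in fw] + [parse_ids(l) for l in ids]
              + [parse_host(l) for l in host])
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(seconds=60)):
    """Map each IP seen by two or more independent sources within `window` to those sources."""
    seen = defaultdict(list)
    for e in events:
        for ip in e["ips"]:
            seen[ip].append((e["ts"], e["source"]))
    hits = {}
    for ip, obs in seen.items():
        sources = {s for _, s in obs}
        span = max(t for t, _ in obs) - min(t for t, _ in obs)
        if len(sources) >= 2 and span <= window:
            hits[ip] = sources
    return hits


if __name__ == "__main__":
    timeline = build_timeline()
    for e in timeline:
        print(e["ts"].isoformat(), e["source"].ljust(8), e["msg"])
    for ip, sources in correlate(timeline).items():
        print(f"{ip}: seen by {', '.join(sorted(sources))}")
```

Two details carry most of the value. The time-zone normalization is what lets a 10:02 IDS alert sit beside a 14:02 firewall entry, which is exactly the reconstruction slide 13 calls problematic when each team reads its own console. The asset map is what links the host agent's `web01` to the `192.0.2.20` the network devices log; without it the host event would never join the other two, and the web server's blocked outbound connection would look unrelated to the inbound injection attempt a few seconds earlier.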

Slide 46: Questions?

