
Tech Day: Early Warning and Managed Security Services


1 Tech Day: Early Warning and Managed Security Services
Sean B. Murphy, CISSP, Senior Systems Engineer, 24 January 2006

2 Agenda
1. Your challenges
2. DeepSight Early Warning Services
3. Managed Security Services

3 Business drivers
Spam, spyware, adware affecting the bottom line
Increasing compliance demands
Challenge and risk of managing endpoints
Lack of integration in security solutions
Security trends
Clear shift to financially-motivated attacks
Rate and sheer number of new vulnerabilities
New and increasingly sophisticated threats
Mitigating risk and proactively protecting your business becomes more challenging every day.

4 Symantec Security Blueprint
Areas shown on the blueprint diagram: Perimeter Defense, Infrastructure Security, Storage Solutions, Network Components, Secure Builds & Host Hardening, Design, Partner & Third Party Integration, Authorization & Access Control, Operating Systems, Authentication, Product, Directory Services, Wireless, Virus Protection, Application Development Processes, Secure Programming, Cryptography & Encryption, Privacy, Confidentiality & Segmentation, Data Integrity, Digital Forensics, Operations, Corporate Security Policy, Configuration Management, Monitoring & Logging, Business Continuity, Incident Response & Readiness, Physical, Remote Access, System Administration, Assessment & Compliance, Provisioning & Implementation, Organization, Employee, Change, Organizational Security Maturity, Training & Awareness, Roles & Responsibility, Employee Exit, Hiring & Screening, Strategy, Internal Threat Profiling.

5 Malicious Code: Worms, Viruses, & Trojans More Targeted
The Threat Landscape. There are four points to drive home in the next four slides, summarized as follows:
There is an increase in malcode outbreaks.
The time between vulnerability disclosure and attack is substantially decreasing.
There is an increase in critical vulnerabilities.
IT and security professionals are spending too much time researching security information, indicating a need for tools to cope with the current threat landscape.
A Record Number of Malicious Code Outbreaks: 75% of 2004's Cat 3 and 4 viruses occurred in the first half of the year. Many said that the Beagle and Netsky authors were in a "war", trying to one-up each other. The pace was frantic and frustrating for administrators. There is a consistent increase in malicious code and the exploitation of new vulnerabilities.
Malware has grown 2.4x; 1H05 nearly equals all of 2004. There have been only 5 Cat. 3 events in '05. There have been only 7 Category 3 events in the last 9 months.

6 Faster, More Aggressive Attacks
More attacks are targeting new vulnerabilities. New vulnerabilities are being exploited more quickly. Faster exploitation requires better patch management policies.
Timeline shown on the slide:
January 2003: Slammer; vuln is 6 months old
August 2003: Blaster; vuln is 26 days old
May 2004: Sasser; vuln is 18 days old
August 2005: Zotob and Esbot; vuln is 5 days old
Faster, More Aggressive Attacks. Overall we've seen a reduction in the time between disclosure of a new vulnerability and exploitation of that vulnerability, continuing the trend of targeting vulnerabilities faster after disclosure. 18 days, even 26 days, is much shorter than the typical enterprise's test cycle for new patches. This presents a new challenge to administrators: they must now determine which vulnerabilities require them to abandon their normal operating procedures and apply an expedited test cycle for faster patch rollout. The reduction in time to react has created a critical need for a clear, actionable response from IT and security professionals. Between July 1 and December 31, 2004, the average time between the disclosure of a vulnerability and the publication of its associated exploit was 6.4 days (Symantec Internet Security Threat Report, released in March 2005).

7 New Vulnerabilities
Over 14,000 vulnerabilities documented in the Symantec vulnerability database
2664 new vulnerabilities discovered in 2004; in first half of 2005
70% of vulnerabilities can be exploited with little or no coding knowledge
Malicious code threats today are largely synonymous with software vulnerabilities and vice versa
New Vulnerabilities. Over the past 6 years, we have seen a consistent increase in the number of new vulnerabilities reported, moving from an average of 10 per week in 1999 to an average of 51 per week in 2004. It's good news that the rapid rate of increase has leveled off, but we still have not seen a decline. In fact, we are seeing an increase in the percentage of new vulnerabilities that are serious and require immediate attention. When faced with over 50 new vulnerabilities per week, plus even more information about known vulnerabilities, prioritization decisions become even more difficult to make. Administrators need reliable, consistent and timely information to make fast and accurate decisions. Implementing a patch in an enterprise can cost hundreds of thousands of dollars; administrators need more than a gut feel to justify this kind of expense. They need facts.
The number of newly reported vulnerabilities is not because we are seeing more bug-ridden products; it can be attributed to several causes:
A more positive attitude toward full disclosure. This is a double-edged sword: although we have more information available to secure our networks, the bad guys also have more information available with which to launch their attacks.
An increase in the awareness of vulnerabilities.
Tools used and knowledge about vulnerabilities have become more sophisticated. This has given the industry the ability to discover a greater number of new vulnerabilities.
So of the 10 new vulnerabilities reported yesterday, do you know which ones affect your network environment?
Source: Symantec Vulnerability Database

8 DeepSight Early Warning Services

9 Global Intelligence Network
Diagram shown on the slide: Customers; Consulting & Education; Unmatched Insight; 5 Symantec SOCs + 61 Symantec Monitored Countries + 11 Symantec Support Centers + 20,000 Registered Sensors in 180 Countries + 6 Symantec Security Response Labs; Calgary, Canada.
What is the Global Intelligence Network? Information from Symantec's global intelligence network is key to making sure your security and IT operations team can work quickly and efficiently. Symantec's Global Intelligence Network has an unparalleled view of global threat intelligence. The power of this global intelligence network goes far beyond simple physical and electronic presence in so many places around the world. This network represents a spectrum of information sources available to Symantec's customers, ranging from our five security operations centers, the 20,000 registered sensors in the DeepSight network, the millions of security systems reporting malicious code activity through the Digital Immune System, hundreds of security experts working in the field, and interaction with thousands of customers per day through our customer support centers. This infrastructure is backed by over 1800 analysts, engineers, product and security specialists, researchers, and technical experts who collaboratively share information and turn that information into actionable knowledge and insight, provided to Symantec customers through our content updates, research reports, early warning information, best practices for security, and many other mechanisms. We track vulnerabilities in more than 18,000 product versions from 2,200 vendors – more than three times our closest competitor. We deliver detailed intelligence on real-time security incidents gathered from more than 20,000 sensors in more than 180 countries. We have over 4,000 managed security devices and 120 million Symantec systems worldwide.
More than 500 companies around the world look to us to manage their security environment from one of our six Security Operations Centers—located in Alexandria, Virginia; Sydney, Australia; Tokyo, Japan; Munich, Germany; and London, England. 65 million customers have utilized the free Symantec Security Check feature. More than 318 million customers launch our Live Update sessions every day. During the unprecedented spate of worms in August 2003, Symantec was one of the Internet's most popular search terms. At the height of the Blaster worm's assault on worldwide Internet traffic, Yahoo's Buzz Index in the UK and Ireland listed Symantec in eighth place, beating out the BBC's hit reality TV show Fame Academy (10th), soccer star David Beckham (12th) and boy wizard Harry Potter (19th).
Locations shown on the map: Redwood City, CA; Santa Monica, CA; Dublin, Ireland; Newport News, VA; Waltham, MA; Orem, UT / American Fork, UT; Taipei, Taiwan; Springfield, OR; San Francisco, CA; Alexandria, VA; London, England; Munich, Germany; Tokyo, Japan; Sydney, Australia.

10 DeepSight Alert Services
Customized vulnerability and malicious code alerts
Version-specific alerting: over 4,600 products, over 18,000 versions, from over 2,200 vendors
Comprehensive, prioritized alerts
In-depth analysis and attack mitigation strategies
Patches and workarounds
Automated delivery of actionable information
Powerful research capabilities
What is DeepSight Alert Service? General points for emphasis:
Alert Services notifies customers of system vulnerabilities and malware relevant to their specific network environment. The service is customized to the customer's operating system, applications and network technologies. The reports are based solely on the customer's environment and what is relevant to them. This reduces information overload, allowing you to focus on security issues directly affecting your area of responsibility.
Delivery methods offer flexibility that enables customers to receive alerts when and where they need them. Elaborate on how customers can configure different Delivery Methods, Monitors and Technology Lists for escalation.
Frees the security administrator from doing hours of security research, allowing them to focus on the security of their organization. Alerts are configured by the customer, with varying priority levels, delivery options, etc.
Alerts deliver timely and actionable information on vulnerabilities and malicious code, along with countermeasures to defend against these attacks. Emphasize that the notifications include the problem and the solution, including links to patches when available.
Vulnerability and malicious code databases give customers a tool to use in addition to basic alerts that allows them to research historical vulnerabilities and malcode affecting their network.
Notes: Free services such as SANS or US-CERT are not free if you can't customize them. Time is money. Combing through free alerts to find relevant information costs money. Lack of a useful tool for querying the data costs customers money. Having to visit multiple sites to retrieve information costs money.
If customers ask, Alert Services data is provided via SecurityFocus Bugtraq, other vulnerability disclosure mailing lists, vendor information, hacker sites, government agencies, CERTs, and more. In addition, primary research is done in the analysis of malicious code samples.
As a customer's network environment grows they can create new technology lists. As new product versions are released we add them to our list of monitored products. Customers have complete control to monitor the exact systems and applications important to them. The benefit of DeepSight Alert Services to customers will never be rendered obsolete by growth or time.

11 DeepSight Threat Management System
Global threat landscape
View of global attack activity including source data
Early warning of global attacks, worms, blended threats
Notifications personalized to your industry, technologies and more
Automated alerting of emerging threats
Complete, credible analysis and risk assessment, including countermeasures to mitigate attacks
What is DeepSight Threat Management System? (This screen shows global events reporting from TMS sensors.) DeepSight TMS is where Symantec focuses on alerting the customer to actual attack activity. The goal of TMS is to provide the customer with early warning of new threats and worms as they develop. TMS gives our customers an intuitive and educated view of the global threat environment. We aim to provide the entire picture: not only how the attack works but also critical information on how the customer can protect themselves from it. The main goal of TMS is to help the customer reduce or completely avoid the damage associated with the next attack and any ongoing developments related to that attack. Symantec DeepSight Threat Management System tracks global security threats as they occur, providing early warning of attacks. TMS looks for patterns of attack activity that indicate a new attack developing, and alerts customers based on their preferences and configurations.
Meteorological Analogy for TMS: 100 years ago, there were no weather satellites and you had absolutely no warning that a hurricane was headed your way. Because you were surprised by the storm, you didn't have any time to protect yourself. The result was that you may have suffered serious harm. Today, with our sophisticated weather satellites, we can see a hurricane forming days or even weeks in advance. This early warning gives the local residents time to board up their windows and head to high ground. With early warning the risk of serious harm is greatly reduced.
But all too often today, IT administrators become aware of an information security threat when it hits their systems, just like the hurricane hitting the region 100 years ago. Symantec DeepSight Threat Management System provides the same type of early notice that today's weather satellites do, by monitoring the Internet for the next storm, or attack, that's developing and heading your way. The only difference is that information security threats move much faster than weather, so administrators must respond in hours or minutes instead of weeks or days. The result is a quick decision; the goal is a quick and informed decision. By knowing that a security threat is rapidly spreading right now and that the threat is targeting a specific vulnerability with a patch already available, administrators can make better decisions, quicker.

12 DeepSight Threat Management System Overview
Over 20,000 sensors in over 180 countries registered to upload IDS and firewall information
500 MSS customers
120 million AV systems
Attack Quarantine System
How is it that we have this insight into the global threat landscape? Main message: we have data partners around the world. This is why we have such a good view of Internet activity.
Data Partners: DeepSight Threat Management System is a suite of products and services that work together to identify network attacks. We normalize data coming from the industry-leading IDS systems, including ISS RealSecure, Cisco IDS, Enterasys Dragon, Symantec and Snort, and the leading firewalls, including Checkpoint, Cisco, ZoneAlarm and NetScreen. In addition, Symantec DeepSight Threat Management System also includes antivirus data from the Symantec Digital Immune System. This data provides another measure of outbreak severity.
Attack Correlation Engine & Database: the Symantec Event Database aggregates and correlates data from thousands of sensors around the world. By using machine intelligence the system can automatically aggregate data in the Symantec Event Database to provide a global view of attack information throughout the DeepSight Threat Management System. Through a secure, Web-based console, the Threat Management System creates automated threat analysis for each customer, including customizable alerts, reports, and triggers.
Symantec Security Response Threat Analysts: the expert team of Symantec Threat Analysts examines data collected from global data partners as well as dozens of public and confidential sources. The DeepSight Threat Management System continuously aggregates and correlates the data; the Threat Analysts identify imminent attacks and deliver comprehensive, detailed analysis based on your specific network configuration.
Notes: TMS gives customers a very specific, customizable view of the Global Intelligence Network. Customers can target a specific market segment, technology list, port, or attack category. Within each of these targets, thresholds can be used to establish the criticality of a specific monitor. For the customer this gives flexibility and control over a vast network of near-real-time attack intelligence data and technical security analyst reports from Symantec Security Response. No one else in our industry can match the size of our active security sensor data, our level of security expertise or this level of customization over their data. Customers do not need to be data contributors to use the system.
Diagram shown on the slide: DeepSight Data Partners; DeepSight Attack Correlation Engine & Database (almost 16 billion events, over 160 million attack source IP addresses); Symantec Security Response Threat Analysts (in-depth expert analysis and investigation).

13 Symantec DeepSight Customers on Alert: Zotob.E and Esbot
Symantec DeepSight Customers on Alert: Zotob.E and Esbot.A Worms
DeepSight Timeline:
Alert Services: Multiple Microsoft Vulns
TMS: ThreatCon raised to 2, Threat Alert MS PnP Buffer Overflow Vuln
Alert Services: Zotob.A worm alert
TMS: Threat Alert bot networks using PnP Vuln
Alert Services: Additional exploits available
Alert Services: Esbot.A worm alert Risk 2
TMS: Daily Report; TMS observed exploit activity in DeepSight Honeypot
Alert Services: Zotob.E & Esbot.A worms raised to Risk 3
TMS: ThreatCon raised to 2, alert on Worms
2+ Days Early Warning

14 Managed Security Services

15 Service Delivery Philosophy
Be a trusted extension of the client's security organization
Focus on the large enterprise's unique problems and service requirements
Extend world-class monitoring throughout the enterprise
Build trust through operational transparency
Security is becoming critical to maintaining brand reputation and business continuity
Number of incidents is continuing to rise
Cost of an incident has increased dramatically
Lack of security expertise
Threats are becoming more complex and fast
Staffing 24x7 security experts is expensive
Heterogeneous environment with security solutions from multiple vendors
Ineffective overall security due to conflicting priorities between IT organizations
Lack of corporate-wide security policy
Lengthens overall reaction time
Confusion when dealing with an outbreak

16 Critical Service Components
People, Process, Technology, Intelligence, Infrastructure, Audits & Certifications, Stability, Defense In Depth, Flexibility, Market Leadership, Return on Investment, Customer Service

17 Management & Monitoring Services
Security Management
Fault Management: monitor devices for fault, performance and availability; restore service availability; identify and eliminate the root cause of faults and outages.
Change Management: routine and emergency changes to business-critical security devices; performance-based SLA for changes; secure in-band and out-of-band management; configuration backup (for quick rebuilds).
Release/Lifecycle Management: routine product updates; emergency patches.
Security Monitoring
Incident Analysis: analyze security data to detect and respond to signs of malicious activity; perform data aggregation, normalization, data mining and correlation; validate and assess the impact of an incident on the enterprise.
Incident Escalation: escalate actionable incidents; industry-leading escalation SLA; flexible escalation procedures to fit with enterprise requirements.
Rapid Response to Outbreaks: update processes, technology and expertise for emerging threats and trends; provide early warning to the client of emerging threats.
Why is this distinction important? Because they are two distinct functions of effective security management. Security Monitoring is our competitive advantage.
What is our competitive advantage in our method of monitoring? Most MSSPs that claim to offer "security monitoring" are, in fact, only monitoring the security devices to make sure that they are operational. In contrast to the rudimentary capabilities of most MSSPs, the Symantec SOC technology platform enables Symantec to monitor hundreds of thousands of attacks per day, while ensuring that every attack is analyzed, investigated, and interpreted in REAL-TIME. We use a five-step process that involves the use of both technology and human analysis:
Stage #1: Import and normalization of security data
Stage #2: Data mining of normalized security data
Stage #3: Continuous security event correlation
Stage #4: Presentation of security events
Stage #5: Security event analysis and response
During this process a data mining engine, which resides in each client database, continuously queries normalized security data at a rate of thousands of mining operations per minute to identify occurrences and/or patterns of potential malicious activity. Currently, the data mining process includes thousands of traffic analysis queries, anomalous activity queries, intrusion signature queries, and hundreds of health and welfare checks.
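As an added illustration (not Symantec's code or material from the deck), the Python sketch below walks stages 1 to 3 of the five-step process on a handful of constructed firewall and IDS lines, and shows the log-to-event-to-incident reduction that slide 20 quantifies. The sensor log syntax, the thresholds and the severity rule are assumptions made for this example.

```python
"""Toy version of the five-stage SOC pipeline described above (stages 1-3),
plus the log -> event -> incident reduction of slide 20. Added example, not
Symantec's code; log syntax, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: import and normalization. Each sensor family has its own syntax
# (constructed here, not a real vendor format); one parser per family maps
# it onto a single common event record.
FW_RE = re.compile(r"^(?P<ts>\S+ \S+) fw=(?P<sensor>\S+) action=(?P<action>\w+) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r'^(?P<ts>\S+ \S+) ids=(?P<sensor>\S+) sig="(?P<sig>[^"]+)" '
                    r"(?P<src>\S+)->(?P<dst>\S+):(?P<dport>\d+)$")


def normalize(line):
    """Return a common event dict, or None for lines no parser understands."""
    for kind, rx in (("firewall", FW_RE), ("ids", IDS_RE)):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {"kind": kind,
                    "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
                    "sensor": d["sensor"], "src": d["src"], "dst": d["dst"],
                    "dport": int(d["dport"]), "sig": d.get("sig") or d["action"]}
    return None


# Stages 2 and 3: mine the normalized events and correlate across sensors.
# One example query: a single source touching several distinct ports, or seen
# by more than one sensor, inside a short window becomes a candidate incident.
# An IDS signature corroborating firewall hits from the same source is rated
# higher than either alone (constructed thresholds and severity rule).
def correlate(events, window=timedelta(minutes=5), port_threshold=5,
              sensor_threshold=2):
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]
        hits = [e for e in evs if e["ts"] - start <= window]
        ports = {e["dport"] for e in hits}
        sensors = {e["sensor"] for e in hits}
        if len(ports) >= port_threshold or len(sensors) >= sensor_threshold:
            corroborated = (any(e["kind"] == "ids" for e in hits)
                            and len(sensors) >= sensor_threshold)
            incidents.append({"src": src, "ports": sorted(ports),
                              "sensors": sorted(sensors), "events": len(hits),
                              "severity": "severe" if corroborated else "medium"})
    return incidents


def run_pipeline(lines):
    """Stages 1-3 end to end; returns counts at each reduction step plus incidents."""
    events = [e for e in (normalize(ln) for ln in lines) if e]
    incidents = correlate(events)
    return {"raw": len(lines), "events": len(events), "incidents": incidents}


# Constructed sample: one host probes ports on two firewalls and trips an IDS
# signature, another host is ordinary web traffic, and one line is junk that
# normalization drops.
SAMPLE_LOGS = [
    "2006-01-24 09:00:01 fw=fw-edge-1 action=drop src=10.9.8.7 dst=192.0.2.10 dport=135",
    "2006-01-24 09:00:02 fw=fw-edge-1 action=drop src=10.9.8.7 dst=192.0.2.10 dport=139",
    "2006-01-24 09:00:03 fw=fw-edge-1 action=drop src=10.9.8.7 dst=192.0.2.10 dport=445",
    "2006-01-24 09:00:04 fw=fw-edge-2 action=drop src=10.9.8.7 dst=192.0.2.20 dport=1025",
    '2006-01-24 09:00:05 ids=ids-dmz sig="PnP overflow attempt" 10.9.8.7->192.0.2.20:445',
    "2006-01-24 09:00:06 fw=fw-edge-1 action=accept src=10.1.1.5 dst=192.0.2.10 dport=80",
    "2006-01-24 09:00:07 fw=fw-edge-1 action=accept src=10.1.1.5 dst=192.0.2.10 dport=443",
    "garbage line the sensor emitted during restart",
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_LOGS))
```

Eight raw lines become seven normalized events and one incident (the probing host, rated severe because two firewalls and the IDS all saw it), while the ordinary web client produces nothing; that shrinking count is the same funnel slide 20 shows at production scale.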

18 Defense in Depth: Edge to Endpoint Protection
Diagram shown on the slide: Global Intelligence Data; Vulnerability Scan Data; Router; Firewall; Integrated Security Appliance; Network IDS/IPS; Host IDS/IPS.

19 Analysis Methodology
Incident assessment follows a mature assessment methodology: leverage intelligence on new threats; obtain a second opinion if required; follow internal published handling guidelines.
Context is critical for accurate validation and severity assessment: global trends, enterprise details, attack details.
Inputs shown on the slide: Critical Servers; Vulnerability Results; Global Trends; Client Vulnerabilities; Firewall & IDS Logs; Known False Positives.

20 Data Reduction and Expert Analysis
INFRASTRUCTURE: 950 million logs and alerts received
INTELLIGENCE: 650,000 potential events detected
TECHNOLOGY: 14,500 events created
PEOPLE: 3100 incidents validated
PROCESS: 65 severe events escalated

21 Return on Investment
Approximately 87% of clients with tenure of more than six months successfully avoided experiencing a severe attack.

22 Secure Internet Interface (the portal)

23 Unmatched Perspective & Insight
Note to presenter: use if going into specific discussion on Symantec's "Insight" capabilities. Information from Symantec's global intelligence network is key to making sure your security and IT operations team can work quickly and efficiently. Symantec's global intelligence network receives security advisories across the world at various locations, helping you understand the latest threats. We track vulnerabilities in more than 18,000 product versions from 2,200 vendors – more than three times our closest competitor. We deliver detailed intelligence on real-time security incidents gathered from more than 20,000 sensors in more than 180 countries. More than 500 companies around the world look to us to manage their security environment from one of our six Security Operations Centers—located in San Antonio, Texas; Alexandria, Virginia; Sydney, Australia; Tokyo, Japan; Berlin, Germany; and London, England. 65 million customers have utilized the free Symantec Security Check feature. More than 318 million customers launch our Live Update sessions every day. During the unprecedented spate of worms in August 2003, Symantec was one of the Internet's most popular search terms. At the height of the Blaster worm's assault on worldwide Internet traffic, Yahoo's Buzz Index in the UK and Ireland listed Symantec in eighth place, beating out the BBC's hit reality TV show Fame Academy (10th), soccer star David Beckham (12th) and boy wizard Harry Potter (19th).

24 Thank You!

