Transcript of Enterprise Threat Management (ETM): Bringing Security Together Through Intelligence, by David Thomason, Director of Security Engineering (18 pages).

Page 1:

Enterprise Threat Management (ETM): Bringing Security Together Through Intelligence

David Thomason, Director of Security Engineering

Page 2:

Look Familiar? The Agony of Today’s Network Security

Insider Accidental Attacks: In an FBI Computer Crime Survey released on 1/11/07, 44% of participants said they were attacked from within their own organizations.

Outsider Attacks: According to the 2006 Ponemon Data Breach Study, those surveyed who experienced data theft in the last year spent an average of $660,000 to notify customers, business partners, and regulators.

Compliance Enforcement: According to John Hagerty of AMR Research, “…it [automated compliance] also comes down to an issue of visibility. Where do I have problems? Where do I have exposure? That’s when it starts to become a more strategic issue because management is asking for an overall view of this.”

Insider Malicious Attacks: In a survey jointly done by ASIS International and the U.S. Chamber of Commerce, 138 executives of Fortune 1000 companies reported losses between $53 billion and $59 billion due to insider attacks.

Undetected Attacks: According to ComputerWorld Magazine, the TJX security breach, which was reported in mid-December of 2006 and could put the credit and debit card data of more than 40 million customers at risk, was not detected for seven months.

Unknown Connections: The most recent CSI/FBI Computer Crime and Security Survey reports that 66% of the security incidents that caused the greatest organizational losses were unauthorized access and theft of proprietary information.

Page 3:

Current Security Spending Trends: Unsustainable Growth

Security spending is dramatically growing as a percentage of the overall IT budget…

[Chart: security spending as a percentage of the overall IT budget for '03, '04, '05 and '06; data labels shown: 17%, 13%, 11%, 11%. Source: 2006 CIO/CSO/PWC State of Info Security Survey]

In fact, it is growing twice as fast as overall IT spending (12% vs. 6%)…

Yet the threats and vulnerabilities keep coming!

[Chart: Incidents (0 to 160,000) and Security Software Revenue ($0 to $9,000, in millions), 1995 through 2003]

Page 4:

What’s Going on Here?

The awareness of the problem is there

Billions of dollars have been spent on IT security

The security problem is getting worse as attackers become more motivated. Today’s professional hacker does not want his work to be noticed. The TJX security breach (T.J. Maxx stores) – disclosed in 12/06 – was one of the largest in retail history and went undetected for seven months!

How is it possible for so many security technologies to be defeated?

The silo approach of “see a threat, buy a box” is no longer feasible.

Page 5:

Key Flaws in Current Network Security

Network security technology operates with virtually no knowledge about what it’s protecting

Virtually all network security technology is driven solely by people

These factors combine to lead to network defenses that are misconfigured, porous, and static

“By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses. The threat environment is changing — financially motivated, targeted attacks are increasing, and automated malware-generation kits allow simple creation of thousands of variants quickly — but our security processes and technologies haven't kept up.”

Source: Gartner's Top Predictions for IT Organizations and Users, 2007 and Beyond

Page 6:

Security Events Must Have Context

Is this guy a threat? Or a valued customer?

Is he holding a gun? Or an iPod?

Is it summer in Sydney? Or winter in New York?

Do you reach to set off the alarm? Or to shake his hand?

Unfortunately, the majority of network solutions today lack the ability to integrate intelligence into the real-time analysis of potential threats.

Page 7:

Introducing Enterprise Threat Management (ETM)

[Diagram: Intrusion Prevention, Vulnerability Assessment, Network Behavior Analysis (NBA) and Network Access Control (NAC), tied together by Threat, Endpoint and Network Intelligence]

Page 8:

The Role of Intrusion Prevention

Protection Against: Worms, Trojans, Port scans, Buffer overflow attacks, Spyware, Protocol anomalies, Malformed traffic, Invalid headers, Zero-day attacks

Vulnerability-based Intrusion Prevention

• First line of ETM defense

• IPS rules should address the “vulnerability”—not the “exploit”

• Protection against zero-day attacks

• IPS events should be correlated against endpoint intelligence

• IPS is just one part of an effective ETM strategy
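To make the “vulnerability, not exploit” point concrete, here is an added example (not Sourcefire’s code or rule syntax): two detectors for the same hypothetical flaw, a “USER <name>” command copied into a fixed 64-byte buffer. The protocol, the buffer size, the marker string and the sample packets are all constructed for illustration.

```python
# Added example (not from the presentation): an exploit-based signature versus a
# vulnerability-based rule for the same hypothetical flaw. The protocol, the buffer
# size, the marker string and the sample packets are all constructed.
import re

# Hypothetical service: the argument of "USER <name>\r\n" is copied into a
# 64-byte buffer, so any argument longer than that triggers the flaw.
VULN_FIELD_LIMIT = 64

# Exploit-based rule: memorises one attack tool's fixed marker string.
# Any variant that changes those bytes slips straight past it.
KNOWN_PAYLOAD_MARKER = b"XPL01T-v1"

def exploit_rule(packet: bytes) -> bool:
    """Fires only when the payload contains the memorised exploit bytes."""
    return packet.startswith(b"USER ") and KNOWN_PAYLOAD_MARKER in packet

def vulnerability_rule(packet: bytes) -> bool:
    """Fires when the condition that triggers the flaw is present: the USER
    argument is longer than the buffer can hold, whatever the bytes are."""
    m = re.match(rb"USER ([^\r\n]*)\r\n", packet)
    return m is not None and len(m.group(1)) > VULN_FIELD_LIMIT

def evaluate(packets: dict) -> dict:
    """Return {sample_name: (exploit_rule_fired, vulnerability_rule_fired)}."""
    return {name: (exploit_rule(p), vulnerability_rule(p)) for name, p in packets.items()}

# Constructed samples: a benign login, the payload the signature was written
# for, and a variant that the signature author never saw.
SAMPLES = {
    "benign": b"USER alice\r\n",
    "known_exploit": b"USER " + KNOWN_PAYLOAD_MARKER + b"A" * 80 + b"\r\n",
    "variant": b"USER " + b"B" * 100 + b"\r\n",
}

if __name__ == "__main__":
    for name, (exp, vuln) in evaluate(SAMPLES).items():
        print(f"{name:14s} exploit_rule={exp!s:5s} vulnerability_rule={vuln}")
```

The vulnerability rule catches the variant the signature misses, which is the zero-day protection the slide refers to; its own false positives (hosts that do not run the flawed service) are what the endpoint-intelligence correlation on the same slide addresses.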

Page 9:

The Role of Vulnerability Assessment

“Active” Endpoint Intelligence

• Popular source for obtaining endpoint and vulnerability intelligence

• Provides a rich “snapshot” of endpoint assets and vulnerabilities

• Intelligence degrades in between active scans

• Active scanning can be “harmful” to some hosts

[Chart: Quality of intelligence vs. Time; quality peaks when a scan occurs, then shows accuracy decay until the next scan; t - coherence time]

Page 10:

The Role of Network Behavior Analysis (NBA)

“Passive” Endpoint Intelligence

• Complements “rich” intelligence gained by active scanning

• 24x7 monitoring for endpoint assets and vulnerabilities

• Analogous to passive SONAR—learn by listening

Network Anomaly Detection

• Create a baseline of “normal” network behavior

• Identify propagation of attacks that “walked” through the front door

Page 11:

The Role of Network Access Control (NAC)

Pre-connect NAC

• Dominated by Cisco Network Admission Control (CNAC) & Microsoft Network Access Protection (MNAP) standards

• Useful for determining “who” can get on the ride

Post-connect NAC

• Useful for determining “what” you can do once you’re on the ride

• Set compliance policies related to usage of operating systems, services, apps, resources, etc.

• Identifies policy and regulatory non-compliance

Page 12:

Tying It All Together

Integrated ETM Console

• Monitor for security events originating from both inside and outside the organization

• Correlate threat, endpoint, and network intelligence

  • Threat intelligence from IPS

  • Endpoint intelligence from VA & NBA

  • Network intelligence from NBA

• Drastically reduce false positives and negatives

• Monitor for compliance with IT policies related to company, industry and/or government regulatory compliance

• Compliance monitoring through post-connect NAC
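The correlation described on this slide, together with the accuracy decay between active scans (page 9) and the passive refresh from NBA (page 10), as one added example (not Sourcefire’s code): host profiles carry a confidence that decays over a coherence time, a passive sighting restarts the clock, and an IPS event is rated against the target’s actual OS and services. The hosts, event, coherence time and timestamps are constructed.

```python
# Added example (not from the presentation): correlate an IPS event with endpoint
# intelligence whose confidence decays between active scans (page 9) and is
# refreshed by passive observation (page 10). Hosts, events and times are constructed.
from dataclasses import dataclass, field

COHERENCE_TIME = 24.0  # hours; scan intelligence is treated as stale after this

@dataclass
class HostProfile:
    ip: str
    os: str
    services: set = field(default_factory=set)
    last_active_scan: float = 0.0   # hours: time of the last VA scan
    last_passive_seen: float = 0.0  # hours: time of the last NBA observation

    def confidence(self, now: float) -> float:
        """Confidence decays linearly to 0 over COHERENCE_TIME, measured from
        whichever source (active scan or passive sighting) is freshest."""
        freshest = max(self.last_active_scan, self.last_passive_seen)
        return max(0.0, 1.0 - (now - freshest) / COHERENCE_TIME)

def passive_observe(profiles, ip, os, service, now):
    """NBA saw the host talking: refresh (or create) its profile without a scan."""
    p = profiles.setdefault(ip, HostProfile(ip=ip, os=os))
    p.os, p.last_passive_seen = os, now
    p.services.add(service)

def assess(profiles, event, now):
    """Rate an IPS event against what the endpoint intelligence says about the
    target. event = {"dst": ip, "affects_os": str, "affects_service": str}."""
    p = profiles.get(event["dst"])
    if p is None or p.confidence(now) <= 0.0:
        return "unknown"  # no usable intelligence: investigate, never suppress
    hit = p.os == event["affects_os"] and event["affects_service"] in p.services
    return "vulnerable" if hit else "not_vulnerable"

def scenario():
    """Constructed walk-through: fresh scan, wrong platform, stale scan, passive refresh."""
    profiles = {
        "10.0.0.5": HostProfile("10.0.0.5", "Windows", {"smb"}, last_active_scan=0.0),
        "10.0.0.9": HostProfile("10.0.0.9", "Linux", {"http"}, last_active_scan=0.0),
    }
    evt = {"dst": "10.0.0.5", "affects_os": "Windows", "affects_service": "smb"}
    fresh = assess(profiles, evt, now=6.0)
    wrong_platform = assess(profiles, {**evt, "dst": "10.0.0.9"}, now=6.0)
    stale = assess(profiles, evt, now=30.0)
    passive_observe(profiles, "10.0.0.5", "Windows", "smb", now=29.0)
    refreshed = assess(profiles, evt, now=30.0)
    return fresh, wrong_platform, stale, refreshed
```

Only the "not_vulnerable" verdict is a candidate for de-prioritising the alert; a stale profile yields "unknown" rather than a suppression, which is the point of tracking the coherence time.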

Page 13:

ETM—Before, During & After the Attack

Before an attack: Everything on the network; Policy Violations and Vulnerabilities; By Hardening Assets

During an attack: The Attack; The Impact; By Blocking and Alerting

After an attack: Where the Attack Occurred; What Action to Take; By Minimizing the Impact

Page 14:

Sourcefire’s Approach to ETM

Sourcefire 3D System™

[Diagram: an Intelligence Layer feeding the Discover, Determine and Defend columns across the attack timeline]

Before an attack: Discover everything on the network; Determine policy violations and vulnerabilities; Defend by hardening assets

During an attack: Discover the attack; Determine the impact; Defend by blocking and alerting

After an attack: Discover where the attack occurred; Determine what action to take; Defend by minimizing the impact

“Providing endpoint and network intelligence to network security products significantly improves their capabilities...”

Source: Use Endpoint Intelligence to Improve Security Defenses report

Page 15:

ETM—a Better, More Efficient Process

Organizations need systems that can analyze security information and apply context automatically and holistically. Most security technologies are driven by a man-in-the-loop process.

• How do you know when to update your access control configuration?

• How do you know when a new vulnerability is relevant to your environment?

• How do you know when there is an active, high priority security event occurring in your environment?

• How do you know when the patch management system needs to address a new host?

• This information is then turned into response manually

Persistent, automatic intelligence generation and analysis driving network security to: REAL-TIME, UNIFIED, NETWORK DEFENSE

Page 16:

ETM Benefits Summary

Enjoy continuous protection through an integrated approach. The whole truly is greater than the sum of the parts—reduce number of vendors, reduce cost of ownership

Get faster and more accurate response from threat, endpoint, and network intelligence—the keys to driving next-generation security technologies that are automated and adaptive

Take advantage of consolidated reporting and management views

Enforce compliance of security policies and industry regulations as part of overall network protection

Page 17:

ETM Take-away

ETM leverages real-time intelligence about the network environment and drives it into network security technologies for a more effective and efficient security solution.

Page 18:

Questions?