Managed Security Services from Symantec

Chris Collier, Presales Specialist – Security, Arrow ECS


Symantec Managed Security Services helps organisations anticipate and counteract the constantly changing threat environment.

Transcript of Managed Security Services from Symantec

Page 1: Managed Security Services from Symantec

Managed Security Services from Symantec

Chris Collier

Presales Specialist – Security

Arrow ECS

Page 2: Managed Security Services from Symantec

Agenda

• MSS high-level overview
• Industry Examples
• Things to think about
• Summary
• Q&A

Symantec Managed Services

Page 3: Managed Security Services from Symantec

Managed Security Services Mission Statement

Symantec Managed Security Services (MSS) helps organizations anticipate and counteract the constantly changing threat environment by providing:

• Unparalleled global threat visibility.

• Comprehensive edge-to-endpoint incident detection and analysis.

• 24/7 direct access to Symantec’s industry-leading security specialists.

Symantec Managed Security Services

Page 4: Managed Security Services from Symantec

Symantec Managed Security Services

Security Monitoring
– 24x7x365 global operation
– >300 staff dedicated to delivering MSS
– >50 GIAC-certified Intrusion Analysts
– 10min Severe Event Escalation Warranty
– High Accuracy, Low False-positive
– Collect, retain and analyse >400B logs per month
– Escalate >400 validated severe incidents per day across 1,200 Global customers
– Strong Service Governance (ITIL, ISO27001, SSAE 16)

Infrastructure Management
– Network IDS/IPS Management Services
– Firewall Management Services
– Symantec Endpoint Protection Management Services


Page 5: Managed Security Services from Symantec

Symantec Managed Security Services

The only Gartner recognised leader in ALL regions

Unparalleled Global Intelligence Network

Edge-to-Endpoint Security Monitoring

Enterprise-wide Pricing Model

[Diagram: NIDS, Firewall, Web App Firewall, HIDS, Web Proxy, Endpoint, OS & Apps, Network Infra., VA]


Page 6: Managed Security Services from Symantec

Evolving Threat Landscape

• Targeted attacks
• Social networking
• Zero-day vulnerabilities and rootkits
• Attack kits
• Mobile threats

Critical Protection Challenges

How MSS Can Help

• Stay ahead of threats
• Visibility
• Focus on top priorities
• Build a sustainable program
• Connect to Business


Page 7: Managed Security Services from Symantec

Where are the gaps?

• Complete coverage of surface area, Edge-to-Endpoint

• Standardise security monitoring across all sites, all geographies, all systems

• Where am I at risk of attack?


Page 8: Managed Security Services from Symantec

Actionable Incidents

• Focus on the most critical problems first
• Eliminate the risk of chasing irrelevant events
• Avoid over and under-reacting
• Report everything


Page 9: Managed Security Services from Symantec

Security Operation Demands

• 24x7, Global, Certified
• Scalable, Available
• Performing
• Future ‘proof’ architecture
• Recruitment


Page 10: Managed Security Services from Symantec

How to Demonstrate Value?

• Protect revenue
• Process improvement
• Predictable cost-base
• Measure and report on effectiveness and improvement
• Time-to-Benefit


Page 11: Managed Security Services from Symantec

Symantec MSS Portfolio

Log Collection, Retention and Access
• 2FA Portal Access, tamper proof, searchable, exportable
• PCI and ISO27001 reporting features

Real-time Security Monitoring and Analysis
• 24x7 security event monitoring and log analysis
• Global Intelligence Network correlation

Security Incident Notification and Reporting
• Incident Prioritisation, 10min Severe Event Notification
• Real-time security dashboard

Deepsight Global Threat Intelligence
• Unified threat Intelligence portal and XML Data Feeds
• Vulnerability, Threat and Risk content

Infrastructure Management
• Managed Network IDS/IPS, Managed Firewall, Managed SEP

[Diagram: Firewalls, IDS / IPS, Web Proxy, Endpoint, OS & Apps, Switches & Routers]

Page 12: Managed Security Services from Symantec

Monitoring Service Tiers

GIN
• Correlate Against GIN
• Anomalous Activity monitoring
• Protect against Emerging Threats

Analysis
• Enterprise Wide Security Analysis
• Expert Human Analysis
• Protect Information Assets

Correlation
• Internal Vulnerabilities
• Rate against Assets
• Analyze against log/alert data

Log Collection
• Collect Logs from Many Systems
• Store Logs Online
• Available for Download and Reporting

[Diagram labels: Essential; Advanced; Service Transition; Applicable to all Systems with Security Data; Applicable to Egress Points, such as FW’s; Applicable to ALL Systems; Applicable to ALL Systems]


Page 13: Managed Security Services from Symantec

Global Intelligence Network

Identifies more threats, takes action faster & prevents impact

[Diagram labels: Information Protection; Preemptive Security Alerts; Threat Triggered Actions; Global Scope and Scale; Worldwide Coverage; 24x7 Event Logging; Rapid Detection]

Attack Activity
• 240,000+ sensors
• 64M total internet sensors
• 200+ countries

Malware Intelligence
• 180M+ systems monitored
• 13 security response centers

Vulnerabilities
• 50,000+ vulnerabilities
• 15,000+ vendors
• 105,000+ technologies

Spam/Phishing
• 5M+ decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day

[Map locations: Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India]


Page 14: Managed Security Services from Symantec

Process - Symantec Security Monitoring

Industrial IT Security 2012

Identified threats

Known vulnerabilities

Business-critical IT assets

Risk-based Prioritization

Threat Determined

[Diagram labels: Firewalls/VPN; Intrusion Detection Systems; Vulnerability Assessment; Network Equipment; Server and Desktop OS; Anti-Virus; Applications; Databases]

[Diagram labels: User Activity Monitoring; Critical file modifications; Policy Changes; Malicious IP Traffic; Web Traffic]

• Tens of Millions: Raw Events
• Millions: Security Relevant Events
• Hundreds: Correlated Events

Page 15: Managed Security Services from Symantec


Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/38587

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/38678

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/10256

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/35877

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/20463

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/10256

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/35877

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/20463

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/38587

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/38678

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/10256

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/35877

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/20463

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/35877

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/20463

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/35877

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/20463

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/35877

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/20463

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/35877

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/20463

Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/35877

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Inbound UDP connection acc from 18.234.32.11 to 22.28.19.11/137

Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80

Outbound UDP connection acc from 10.235.22.11 to

198.28.22.5/53

[Slide 15 diagram: "Without MSS Service". Labels: Device Logs; LAN 1, LAN 2, Internet; Perimeter FW, LAN FW, IDS, Web Proxy; Web traffic, Windows SMB traffic, Email traffic.]

Page 16: Managed Security Services from Symantec

Example Stats, one Wednesday afternoon...

• Log lines analysed – 15,279,389,291

• Number of Incidents Created including Summaries – 7966

• Number of Real Time Incidents presented to analysts for validation – 3124

• Number of Real Time Published Incidents – 964

• Number of Summary Published Incidents – 1007

• Number of Real Time Critical Incidents – 244

Page 17: Managed Security Services from Symantec

Symantec MSS Portal

• Customizable modules for organizing data in different ways

• Trend graphs for visibility of incident trends

• New Incidents arrive in real time to the Home Page

• Modular elements customizable to each user

Page 18: Managed Security Services from Symantec

Symantec Managed Security Services

Reliability and Trust – Symantec Managed Security Services has been a Gartner Quadrant Leader for 11 consecutive years.

Scalable – Symantec MSS analyzes >12 Billion logs from 727,000 devices every day.

Detection – Symantec MSS identifies an average of 15,000 security events and escalates 200 critical incidents every day.

Flexible – Symantec has flexible pricing and service levels to deliver the right protection and compliance at the right price.

Personal – Symantec provides named personnel for transition, service management and security analysis duties to drive personal relationships and customer care.

Proven – Symantec Managed Services clients include 6 of Fortune 10, 44 of Fortune 100 and 117 of Fortune 500.

Page 19: Managed Security Services from Symantec

Questions?
