Information Security Management: Protecting IT Assets from Current and Future Threats
John McCumber, Strategic Program Manager
Key Information Security Challenges:
• Blurring lines: “securing” IT assets vs. “managing” them: who ultimately has the responsibility?
• Too much information: the deluge of security news (e.g. viruses, new patches) must be custom-formatted for my environment – that takes time!
• Shortage of trained and experienced personnel
• Need to wrap protection around evolving architectures and business models (e.g. wireless LANs, remote access)
• Each investment in new security tools brings a new console to manage and new alerts to correlate
• The ranks of the “undesired” are expanding: blended threats, P2P, spam, “spyware,” insider threats – together they require more than traditional server and desktop solutions
[Figure: World-Wide Attack Trends, 1996 to 2003. Left axis: Malicious Code Infection Attempts* (25,000 to 150,000); right axis: Network Intrusion Attempts** (0 to 900M). Labelled attack waves: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]
*Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2003 estimated. **Source: CERT
[Figure: Software Vulnerabilities. Average number of new vulnerabilities discovered every week, 1999 to 2003; y-axis 0 to 70. Bar labels as extracted: 10, 25, 30, 50, 60. Source: Bugtraq Vulnerabilities]
Vulnerability Trend Highlights
• Newly discovered vulnerabilities are increasingly severe, and the number of low-severity vulnerabilities is correspondingly decreasing. High-severity vulnerabilities give increased privileges and access to more prominent targets.
[Figure: Breakdown of Volume by Severity. x-axis: Month; y-axis: New vulnerabilities.]
Vulnerability Trend Highlights
• Symantec reports that 70% of the vulnerabilities found in 2003 could be easily exploited, because an exploit was either not required or was readily available. This is a 10% increase over 2002, when only 60% were easily exploitable.
[Figure: Percentage of Easily Exploitable New Vulnerabilities. x-axis: Month, Jan 2002 to Nov 2003; y-axis: Percentage of vulnerabilities, 0% to 100%.]
Attack Trend Highlights
• Almost one third of all attacking systems targeted the vulnerability exploited by Blaster and its successors. Other worms that surfaced in previous periods continue to survive and target Firewall and IDS systems globally. A sufficient number of unpatched systems remain to sustain them.
Rank  Port       Description                                       Percentage of Attackers
1     TCP/135    Microsoft / DCE-Remote Procedure Call (Blaster)   32.9%
2     TCP/80     HTTP / Web                                        19.7%
3     TCP/4662   E-donkey / Peer-to-peer file sharing              9.8%
4     TCP/6346   Gnutella / Peer-to-peer file sharing              8.9%
5     TCP/445    Microsoft CIFS Filesharing                        6.9%
6     UDP/53     DNS                                               5.9%
7     UDP/137    Microsoft CIFS Filesharing                        4.7%
8     UDP/41170  Blubster / Peer-to-peer Filesharing               3.2%
9     TCP/7122   Unknown                                           2.5%
10    UDP/1434   Microsoft SQL Server (Slammer)                    2.4%
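The statistic behind the table above is the share of distinct attacking sources that probed each port, and a single port drawing a third of all sources is what distinguishes a worm outbreak from background scanning. The script below is an added example, not code from the presentation or from Symantec: it computes that ranking from a constructed firewall drop log (the log format, the addresses and the 25% concentration threshold are all assumptions for the example).

```python
import re
from collections import defaultdict

# Constructed firewall drop log (not from the presentation). One line per blocked
# connection attempt; the same source address may appear many times.
SAMPLE_LOG = """\
2003-08-12T10:01:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=135
2003-08-12T10:01:04 DROP src=198.51.100.7 dst=192.0.2.11 proto=TCP dport=135
2003-08-12T10:01:09 DROP src=198.51.100.22 dst=192.0.2.10 proto=TCP dport=135
2003-08-12T10:02:15 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=80
2003-08-12T10:02:16 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=135
2003-08-12T10:03:40 DROP src=203.0.113.9 dst=192.0.2.12 proto=UDP dport=1434
2003-08-12T10:04:01 DROP src=198.51.100.40 dst=192.0.2.10 proto=TCP dport=4662
2003-08-12T10:04:02 DROP src=198.51.100.41 dst=192.0.2.10 proto=TCP dport=135
this line is deliberately malformed and must be skipped
"""

# Field layout of the constructed log; adapt the pattern to a real firewall's format.
LINE_RE = re.compile(
    r"\bsrc=(?P<src>\S+)\b.*?\bproto=(?P<proto>TCP|UDP)\b.*?\bdport=(?P<port>\d+)\b"
)


def parse_attempts(log_text):
    """Yield (source address, 'PROTO/port') per parseable line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), f"{m.group('proto')}/{m.group('port')}"


def rank_targeted_ports(log_text, top_n=10):
    """Rank services by the share of distinct attacking sources that probed them,
    the same statistic as the slide's 'Percentage of Attackers' column.
    Returns (rank, service, attacker_count, percent) tuples. Shares can sum to more
    than 100% because one source may probe several ports."""
    attackers_by_service = defaultdict(set)
    all_attackers = set()
    for src, service in parse_attempts(log_text):
        attackers_by_service[service].add(src)
        all_attackers.add(src)
    if not all_attackers:
        return []
    ranked = sorted(attackers_by_service.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [
        (rank, service, len(srcs), round(100.0 * len(srcs) / len(all_attackers), 1))
        for rank, (service, srcs) in enumerate(ranked[:top_n], start=1)
    ]


def concentrated_services(log_text, threshold_pct=25.0):
    """Services drawing at least threshold_pct of all attackers (threshold assumed).
    One port attracting a third of all sources, as TCP/135 did in the slide's table,
    is the footprint of a worm rather than of scattered scanning."""
    return [svc for _, svc, _, pct in rank_targeted_ports(log_text) if pct >= threshold_pct]


if __name__ == "__main__":
    print(f"{'Rank':<5}{'Service':<12}{'Attackers':<11}Percentage of Attackers")
    for rank, service, count, pct in rank_targeted_ports(SAMPLE_LOG):
        print(f"{rank:<5}{service:<12}{count:<11}{pct}%")
    print("concentrated:", concentrated_services(SAMPLE_LOG))
```

Counting distinct sources rather than raw packets is the important design choice: a single infected host retrying TCP/135 thousands of times would otherwise dominate the ranking, whereas the slide's question is how many attackers share a target.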
How do we achieve proactive security management to mitigate current and future risks?
Focus on four key elements:
• Alert – gain early warning, take evasive action
• Protect – deploy defense-in-depth
• Respond – react in prioritized fashion
• Manage – applies to a 360-degree view of security and managing the secure lifecycles of our individual assets
Security Fundamentals
[Diagram: the four elements Alert, Protect, Manage and Respond arranged around “Proactive Control”. Labels as extracted, grouped by the element they appear under:
Alert – early awareness of threats; “listening posts”.
Protect – prevent unwanted attacks; detect physical breaches; security of information assets.
Manage – Environment: policies and vulnerabilities, device/patch configuration, user access, identity management. Information: events and incidents.
Respond – Internal: workflow, auto-configuration, disaster recovery. External: hotline, signature updates.]
Alert: Spotting the ‘Blaster’ worm early
[Chart: DeepSight Notification dates plotted against IP addresses infected with the Blaster worm.]
• 7/16 – DeepSight Alerts & TMS initial alerts on the RPC DCOM attack
• 7/23 – DeepSight TMS warns of suspected exploit code in the wild. Advises to expedite patching.
• 7/25 – DeepSight TMS & Alerts update with a confirmation of exploit code in the wild. Clear-text IDS signatures released.
• 8/5 – DeepSight TMS Weekly Summary warns of impending worm.
• 8/7 – TMS alerts stating activity is being seen in the wild.
• 8/11 – Blaster worm breaks out. ThreatCon is raised to level 3.
The Convergence Imperative
• Assure security policy compliance
• Receive early awareness of threats
• Prevent & detect attacks & breaches
• Protect privacy of information
• Rapidly & easily recover from loss of critical systems & information
• Ensure via policies that adequate storage is available for applications & backup
• Create secure archives for preserving information assets
• Discover & track HW/SW assets
• Provision, update & configure systems via automated policies
• Instantly push security patches & signatures to all managed devices
• Assure software license compliance & remove unauthorized applications
• De-provision & repurpose systems securely
• Threat, vulnerability & event-driven patch & configuration management
Solving the Convergence Challenge
• Policy-driven backup
• Monitor storage resources & perform corrective action
• System & data recovery
• Threat, vulnerability & event-driven backup
• Recovery from attack
Management in Action: Integrated Security, Systems & Storage
[Diagram: inputs (Threat, Vulnerabilities, Attack) feed the SEA platform, which drives Alert Action Policies. The protection state moves between Normal, Alert and High Risk; the vertical axis is Depth & Frequency of backup, which is adjusted by state (“Adjust Protection Granularity”). In each state the patch workflow runs Scan → Test → Deploy → Remove Vulnerability, and Recover provides rapid recovery from an attack or a faulty patch.]
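The loop the diagram above describes, and the Blaster timeline earlier in the deck, come down to one join: what the alert feed says about the outside world against what the asset inventory says about our own systems. The following is an added worked example, not the presentation's or Symantec's code, showing that join as a small policy evaluator. The alert kinds, the state each implies, the backup settings, the deploy deadlines, the host names and the `KB-PLACEHOLDER`/`VULN-PLACEHOLDER` identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Alert kinds and the protection state each implies (assumed mapping; the states
# Normal / Alert / High Risk are the ones on the slide).
STATE_FOR_ALERT = {
    "advisory": "Normal",            # vulnerability announced, no exploit known
    "exploit_suspected": "Alert",    # like the 7/23 warning in the Blaster timeline
    "exploit_confirmed": "High Risk",
    "worm_in_the_wild": "High Risk",
}
SEVERITY = {"Normal": 0, "Alert": 1, "High Risk": 2}
# Depth & frequency of backup per state ("Adjust Protection Granularity"); assumed values.
BACKUP_POLICY = {
    "Normal": ("incremental", "daily"),
    "Alert": ("full", "daily"),
    "High Risk": ("full", "every 4 hours"),
}
# How quickly the patch must reach exposed hosts in each state; assumed values.
DEPLOY_DEADLINE_HOURS = {"Normal": 240, "Alert": 72, "High Risk": 8}


@dataclass
class Host:
    name: str
    internet_facing: bool
    installed_patches: set = field(default_factory=set)


@dataclass
class Alert:
    kind: str            # a key of STATE_FOR_ALERT
    vuln_id: str         # placeholder identifier in the sample data
    required_patch: str  # placeholder identifier in the sample data


def threat_state(alerts):
    """Highest state implied by the alerts received so far (unknown kinds count as Normal)."""
    state = "Normal"
    for a in alerts:
        candidate = STATE_FOR_ALERT.get(a.kind, "Normal")
        if SEVERITY[candidate] > SEVERITY[state]:
            state = candidate
    return state


def unpatched_hosts(inventory, alert):
    """Hosts still missing the patch for this alert, internet-facing ones first:
    the inventory is what turns a generic warning into a prioritized work list."""
    missing = [h for h in inventory if alert.required_patch not in h.installed_patches]
    return sorted(missing, key=lambda h: (not h.internet_facing, h.name))


def response_plan(inventory, alerts):
    """Combine threat state and inventory into the actions the slide lists: adjust
    backup granularity, run scan/test/deploy against exposed hosts, and take a
    restore point before deploying when the state is elevated (rapid recovery
    from a faulty patch)."""
    if not alerts:
        return {"state": "Normal", "vuln_id": None, "backup": BACKUP_POLICY["Normal"],
                "patch_targets": [], "steps": ["scan"], "deploy_within_hours": None}
    state = threat_state(alerts)
    latest = alerts[-1]
    targets = [h.name for h in unpatched_hosts(inventory, latest)]
    steps = ["scan", "test", "deploy", "remove vulnerability"]
    if state != "Normal" and targets:
        steps.insert(2, "backup before deploy")
    return {
        "state": state,
        "vuln_id": latest.vuln_id,
        "backup": BACKUP_POLICY[state],
        "patch_targets": targets,
        "steps": steps if targets else ["scan"],
        "deploy_within_hours": DEPLOY_DEADLINE_HOURS[state] if targets else None,
    }


# Constructed inventory and alert stream (hypothetical hosts, placeholder IDs).
INVENTORY = [
    Host("web01", internet_facing=True, installed_patches={"KB-OLD"}),
    Host("db01", internet_facing=False, installed_patches={"KB-OLD"}),
    Host("vpn01", internet_facing=True, installed_patches={"KB-OLD", "KB-PLACEHOLDER"}),
    Host("ws05", internet_facing=False, installed_patches={"KB-OLD", "KB-PLACEHOLDER"}),
]
ALERTS = [
    Alert("advisory", "VULN-PLACEHOLDER", "KB-PLACEHOLDER"),
    Alert("exploit_suspected", "VULN-PLACEHOLDER", "KB-PLACEHOLDER"),
    Alert("exploit_confirmed", "VULN-PLACEHOLDER", "KB-PLACEHOLDER"),
]

if __name__ == "__main__":
    # Replay the alert stream the way the DeepSight timeline unfolded.
    for i in range(1, len(ALERTS) + 1):
        plan = response_plan(INVENTORY, ALERTS[:i])
        print(ALERTS[i - 1].kind, "->", plan["state"], plan["backup"],
              plan["patch_targets"], plan["deploy_within_hours"])
```

Two properties are worth noting. The state only ratchets upward over the alert stream, so a later, milder bulletin never relaxes protection that an exploit confirmation already raised; and hosts that already carry the patch drop out of the work list entirely, which is the payoff of the “discover & track HW/SW assets” capability from the convergence list.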
Summary
• Risk is escalating: Threats are more complex, exploiting more vulnerabilities in less time – requires more comprehensive strategies leveraging integrated capabilities and strengths
• In the public sector, there are additional strong catalysts driving the “A.P.R.M.” approach, such as compliance (e.g. FISMA) and safely enabling information-sharing. Take advantage of tools that serve multiple needs (e.g. asset inventory, policy compliance and patch management)
• Given the nature of threats, we need to play to natural strengths gained through merging security, system and storage functions – on both a technology and personnel level
• Knowing what we have, how it is configured, and how it can be restored – in the context of what is happening “in the wild” (exploits, vulnerabilities, patterns) is the best defense for what the future brings