Protect & Defend Your Critical Infrastructure
SCADA, Smart Grid, and Compliance
Tom Turner – VP Marketing and Channels, Q1 Labs
Alex Tatistcheff – Senior Security Instructor, Sourcefire
Douglas Hurd – Director, Technology Alliances
Outline
● Introductions and Overviews
● Partnership Background
● Compliance Requirements
● Total Security Intelligence for Energy & Utilities
● Q&A
Sourcefire Overview
● Founded in 2001 by Snort creator Martin Roesch, CTO
● Headquarters: Columbia, MD
● Focus on enterprise and government customers
● Global Security Alliance ecosystem
● NASDAQ: FIRE
Mission: To be the leading provider of intelligent cybersecurity
solutions for the enterprise.
Q1 Labs - Overview
Who we are:
► Innovative Security Intelligence software company
► Largest independent SIEM vendor
► Leader in the Gartner 2011, 2010 and 2009 Magic Quadrant
Award-winning solutions:
► Family of next-generation Risk Management, Log Management, SIEM and security intelligence solutions
Executing, growing rapidly:
► 1600+ customers worldwide
► Five-year average revenue growth of 70%+
► North America, EMEA and Asia Pacific
Partnership Background 2010-2011
● Mutual customers asked for an integration
● Q1 Labs dev team built the integration using the Sourcefire API
● Q1 Labs completed the integration and made an eStreamer client available
Deployment Scenarios - Sourcefire
Deployment Scenarios – Q1 Labs
Sourcefire and NERC
NERC requirement and the relative Sourcefire 3D System compliance benefit:

CIP-002-R3 Critical Cyber Asset Identification; CIP-005-R1.6 Documentation for Perimeter Assets
  Generates profiles for all networked hosts, enabling automated identification of cyber assets associated with critical applications and systems.

CIP-003-R6 Change Control and Configuration Management
  Enables administrators to implement baseline configuration policies for endpoints, subnets, and networks. Automates monitoring and enforcement of configuration policy.

CIP-005-R2 Electronic Access Controls
  Detects and documents activity associated with unapproved ports and services. Alerts and corrective actions can easily be configured.

CIP-005-R3 Monitoring Electronic Access
  Applies intrusion detection and prevention capabilities to detect and alert on attempted or actual unauthorized access.

CIP-005-R4 Cyber Vulnerability Assessment; CIP-007-R8 Cyber Vulnerability Assessment
  Creates a real-time profile of the operating system, applications, services, ports, etc. for every host and maps it against a database of 13,000+ known vulnerabilities using passive, non-disruptive techniques.

CIP-007-R2 Ports and Services
  Compliance whitelists can be configured to monitor and automatically enforce acceptable ports and services lists.

CIP-007-R4 Malicious Software Prevention
  Anti-malware VRT rules meet the requirements for anti-malware prevention and can augment existing anti-virus tools.

CIP-007-R6 Security Status Monitoring
  IPS and RNA satisfy multiple security best practices for continuous 24x7 monitoring of security incidents and policy violations.

CIP-008-R1 Incident Response Plan
  Provides detailed flow and packet-capture information to reveal the anatomy of successful attacks and accelerate the recovery process.
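The CIP-005-R2 and CIP-007-R2 rows above describe detecting and enforcing an acceptable ports and services list inside an Electronic Security Perimeter. The Python below is an added example, not Sourcefire or Q1 Labs code: it runs that check over constructed passive host-profile records. The ESP subnets, the whitelist and the observations are all assumptions for the illustration, and the check also covers two cases a practitioner would want reported: a host that sits outside every documented perimeter segment (an asset-inventory gap) and a permitted port carrying a service other than the documented one.

```python
"""Ports-and-services whitelist check for an Electronic Security Perimeter (ESP).

Added example, not Sourcefire or Q1 Labs code. The records mimic what a passive
host profiler reports (host, protocol, port, service name); the ESP subnets,
whitelist and observations below are constructed for this illustration.
"""
import ipaddress
from collections import namedtuple

HostService = namedtuple("HostService", "host proto port service")

# Constructed whitelist: ESP segment -> {(proto, port): expected service name}.
ESP_POLICY = {
    "10.20.0.0/24": {("tcp", 502): "modbus", ("tcp", 20000): "dnp3", ("udp", 161): "snmp"},
    "10.20.1.0/24": {("tcp", 443): "https", ("tcp", 22): "ssh"},
}

# Constructed observations, as passive discovery would report them.
OBSERVED = [
    HostService("10.20.0.15", "tcp", 502, "modbus"),
    HostService("10.20.0.15", "tcp", 23, "telnet"),
    HostService("10.20.0.22", "tcp", 20000, "http"),
    HostService("10.20.1.5", "tcp", 443, "https"),
    HostService("10.20.1.5", "tcp", 3389, "rdp"),
    HostService("10.20.5.9", "tcp", 80, "http"),
]


def compile_policy(policy):
    """Parse the CIDR keys once so each observation is matched by containment."""
    return [(ipaddress.ip_network(cidr), rules) for cidr, rules in policy.items()]


def check_services(observed, policy):
    """Return one (host, proto, port, service, reason) tuple per violation.

    Three cases are reported:
      - host not inside any documented ESP segment (inventory gap, CIP-002);
      - port/protocol not on the segment's whitelist (CIP-007-R2);
      - whitelisted port carrying a service other than the documented one
        (for example something tunnelled over a permitted port).
    """
    nets = compile_policy(policy)
    violations = []
    for rec in observed:
        addr = ipaddress.ip_address(rec.host)
        allowed = next((rules for net, rules in nets if addr in net), None)
        key = (rec.proto.lower(), rec.port)
        if allowed is None:
            reason = "host outside every documented ESP segment"
        elif key not in allowed:
            reason = "port/protocol not on segment whitelist"
        elif allowed[key] != rec.service.lower():
            reason = f"expected {allowed[key]} on this port, saw {rec.service}"
        else:
            continue
        violations.append((rec.host, rec.proto, rec.port, rec.service, reason))
    return violations


def violations_by_host(violations):
    """Group violations per host so each asset owner gets a single work item."""
    grouped = {}
    for host, proto, port, service, reason in violations:
        grouped.setdefault(host, []).append(f"{proto}/{port} ({service}): {reason}")
    return grouped


if __name__ == "__main__":
    for host, items in violations_by_host(check_services(OBSERVED, ESP_POLICY)).items():
        print(host)
        for item in items:
            print("  ", item)
```

Matching the expected service name, not just the port, is what turns a port list into a services list: a permitted TCP/20000 that is answering HTTP is exactly the kind of change a pure port whitelist would miss.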
Total Security Intelligence for Energy & Utilities
Energy & Utilities – Security Challenges
● 72% of organizations are not getting the intelligence they need
► Only 39% of organizations are currently using a SIEM solution
● On average, it takes 22 days to detect unauthorized changes or malicious activity
● 69% of organizations feel a data breach is likely to occur in the next 12 months
● 76% of organizations have suffered one or more data breaches over the course of the last 12 months
Source: April 2011 Ponemon Research survey
Smart Networks
● Top IT security priority is to protect and secure SCADA networks
● QRadar monitors and correlates data from many sources, including SCADA
[Chart: mean priority rating per area on a 1 to 6 scale, lowest to highest: Securing smart meters 1.21; Protecting the nation's critical infrastructure 2.22; Securing information assets 3.91; Protecting endpoints to the network 4.03; Protecting enterprise systems 4.82; Protecting SCADA networks 5.06]
Source: April 2011 Ponemon Research survey
Solutions Across the Entire Compliance and Security Intelligence Lifecycle
[Diagram: timeline from Vulnerability (Pre-Exploit) through Exploit (Post-Exploit) to Remediation]
Prediction/Prevention Phase (pre-exploit): Risk Management, Compliance Management, Vulnerability Management, Configuration Management
Reaction/Remediation Phase (post-exploit): SIEM, Network/User Anomaly Detection, Log Management
Security Intelligence: SIEM with Behavior Anomaly Detection and Broadest Context
[Diagram: all collected events funnelled down to a small set of Suspected Incidents]
Consolidate Silos: 2 billion logs and events per day reduced to 25 high-priority offenses
Manage Risk: Content capture and user activity monitoring enabled fraud detection prior to exploit completion
Detect Threats Others Miss: Discovered 500 hosts with the "Here You Have" virus, which all other security products missed
QRadar Collects Sourcefire Event Data
● Smart meter devices and systems
● Snort alerts detected on SCADA networks
● Intrusion events and packet data
● Real-time user and network events
● Compliance and whitelist events
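The earlier callout about two billion logs and events per day reduced to 25 high-priority offenses, together with the CIP-008.R1 prioritization requirement, describes correlating raw intrusion events into a short ranked list of offenses. The Python below is an added example, not QRadar or eStreamer client code: it groups constructed IDS events per source address within a time window, weights each offense by how many critical cyber assets it touches, and suppresses low-magnitude noise. The events, the critical asset list, the weights and the suppression threshold are all assumptions for the illustration.

```python
"""Correlating intrusion events into prioritized offenses.

Added example, not QRadar or Sourcefire code. It sketches the reduction a SIEM
performs on intrusion events forwarded from an IDS: events from one source
within a time window merge into one offense, whose magnitude depends on Snort
priority, the number of distinct signatures, and how many targets appear on the
critical cyber asset list. Events, asset list, weights and threshold are all
constructed for this illustration.
"""
from datetime import datetime, timedelta

# Constructed events shaped like the fields an eStreamer client would forward:
# timestamp, source, destination, generator:signature id (made up), message,
# Snort priority (1 = highest).
EVENTS = [
    dict(ts="2011-06-01T09:00:00", src="192.0.2.10", dst="10.20.0.15", sid="1:2100", msg="Modbus write single coil", pri=1),
    dict(ts="2011-06-01T09:00:30", src="192.0.2.10", dst="10.20.0.15", sid="1:2101", msg="Modbus force listen only", pri=1),
    dict(ts="2011-06-01T09:01:00", src="192.0.2.10", dst="10.20.0.22", sid="1:2100", msg="Modbus write single coil", pri=1),
    dict(ts="2011-06-01T09:02:00", src="10.20.1.5", dst="10.20.1.7", sid="1:1000", msg="ICMP ping sweep", pri=3),
    dict(ts="2011-06-01T09:02:10", src="10.20.1.5", dst="10.20.1.7", sid="1:1000", msg="ICMP ping sweep", pri=3),
    dict(ts="2011-06-01T09:05:00", src="198.51.100.4", dst="10.20.1.5", sid="1:3000", msg="SSH brute force", pri=2),
    dict(ts="2011-06-01T09:05:05", src="198.51.100.4", dst="10.20.1.5", sid="1:3000", msg="SSH brute force", pri=2),
    dict(ts="2011-06-01T09:30:00", src="10.20.1.5", dst="10.20.1.7", sid="1:1000", msg="ICMP ping sweep", pri=3),
]

# Constructed CIP-002 style critical cyber asset list: address -> description.
CRITICAL_ASSETS = {"10.20.0.15": "RTU, substation 7", "10.20.0.22": "PLC, feeder 3"}

CRITICAL_WEIGHT = 3       # magnitude added per distinct critical asset targeted (assumed)
MAGNITUDE_THRESHOLD = 3   # offenses below this are suppressed as noise (assumed)


def severity(priority):
    """Map Snort priority 1..3 (1 highest) onto a score of 3..1."""
    return max(0, 4 - priority)


def correlate(events, critical_assets, window=timedelta(minutes=10)):
    """Merge events per source into offenses and return them ranked by magnitude.

    A new offense is opened for a source when the gap since its previous event
    exceeds the window, so a scanner that returns half an hour later is a new
    offense rather than an extension of the old one.
    """
    open_offenses = {}   # src -> offense currently being built
    closed = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        cur = open_offenses.get(ev["src"])
        if cur is not None and t - cur["last"] > window:
            closed.append(cur)
            cur = None
        if cur is None:
            cur = dict(src=ev["src"], first=t, last=t, events=0,
                       sigs=set(), targets=set(), max_sev=0)
            open_offenses[ev["src"]] = cur
        cur["last"] = t
        cur["events"] += 1
        cur["sigs"].add(ev["sid"])
        cur["targets"].add(ev["dst"])
        cur["max_sev"] = max(cur["max_sev"], severity(ev["pri"]))
    closed.extend(open_offenses.values())

    offenses = []
    for o in closed:
        o["critical_targets"] = sorted(d for d in o["targets"] if d in critical_assets)
        o["magnitude"] = (o["max_sev"]
                          + CRITICAL_WEIGHT * len(o["critical_targets"])
                          + len(o["sigs"]))
        if o["magnitude"] >= MAGNITUDE_THRESHOLD:
            offenses.append(o)
    return sorted(offenses, key=lambda o: (-o["magnitude"], o["first"]))


if __name__ == "__main__":
    for o in correlate(EVENTS, CRITICAL_ASSETS):
        print(f"magnitude {o['magnitude']:2d}  src {o['src']:<14} events {o['events']}"
              f"  critical targets {o['critical_targets']}")
```

With these constructed inputs, eight events become two offenses: the Modbus writes against two critical assets rank first, the SSH brute force against a non-critical host second, and the ping sweeps never reach the threshold. The asset list is what makes the ranking defensible under CIP-008: the same signature counts for more when it hits an asset the CIP-002 inventory calls critical.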
Compliance Validation and Information Overload
Information Overload
• Collecting and analyzing millions of daily logs can be overwhelming
• Data silos increase operational expenses
Compliance & Policy
• NERC CIP and FERC compliance validation requires logging and reporting
• Evolving regulations and Smart Energy solutions have implications across many networks
QRadar's integrated security management supports specific NERC-CIP requirements, with out-of-the-box NERC-CIP reporting such as CIP-005, Electronic Security Perimeter(s).
Fundamental NERC-CIP Requirements Supported by QRadar
NERC-CIP area and requirements:

CIP-002: Critical Asset Identification
  Provides automated discovery and classification of:
  • Cyber assets that use a routable protocol (CIP-002.R3.1-2)

CIP-003: Security Management Controls
  Enables effective monitoring and threat detection controls for critical infrastructure:
  • Protect information associated with critical assets (CIP-003.R4)
  • Detect inappropriate access to protected critical assets (CIP-003.R5)

CIP-005: Electronic Security Perimeters
  Provides log management and event monitoring of an electronic security perimeter:
  • Monitor electronic access to the perimeter (CIP-005.R2/R3)
  • Integrated vulnerability assessment monitoring and reporting (CIP-005.R4)

CIP-007: Systems Security Management
  Provides monitoring and event management for:
  • Rogue ports and services (CIP-007.R2)
  • Malicious software (CIP-007.R4)
  • Detection of cyber incidents (CIP-007.R6)
  • Detection of vulnerabilities (CIP-007.R8)

CIP-008: Incident Reporting & Response Planning
  Workflow to support incident reporting and response:
  • Prioritization of security incidents (CIP-008.R1)
  • Process for documenting incidents to cyber assets (CIP-008.R1)
Threat and Risk Management
Detecting Threats
• Without broad surveillance and integration, threats will be missed
• Combating fraud, targeted exploits and cyber warfare requires intelligent visibility
• Telemetry intelligence must be broadened for Smart Energy solutions (Smart Grid, etc.)
Unable to Predict Risk Impact
• Day-to-day security firefighting
• Unable to see the risk impact of network changes, including new applications and infrastructure
• Protecting legacy SCADA systems, which inherently lack security controls