Francis deSouza
Symantec
Session ID: SPO1-107
Session Classification: Intermediate
Today’s IT Attacks: An IT Security Strategy To Protect Your Assets
Agenda
Sources of a Breach
Security Market Drivers
Breach Analysis
Security Strategy
SecureEndpoints
A CRIME IS COMMITTED EVERY ¼ OF A SECOND ON THE WEB
1 IN 5 WILL BE A VICTIM OF CYBER CRIME
100% OF ENTERPRISES HAVE EXPERIENCED CYBER LOSSES
CYBER ATTACKS COST COMPANIES AN AVERAGE OF $2 MILLION ANNUALLY
75% OF ALL ENTERPRISES HAVE EXPERIENCED CYBER ATTACKS IN THE PAST 12 MONTHS
43% OF COMPANIES LOST CONFIDENTIAL DATA IN 2009
ENTERPRISE SECURITY IS BECOMING MORE DIFFICULT
Sources Of A Breach
> Targeted Attackers
> Well-Meaning Insider
> Malicious Insider
History of Targeted Attacks
Timeline: 1998 to 2010
Solar Sunrise: Attacks stealing passwords from DoD systems, conducted by two Californian teenagers and one Israeli teenager
Moonlight Maze: Attacks targeting US military secrets, reported to be conducted by Russia
Titan Rain: Coordinated attacks on US government military installations and private contractors
US Government: Systems in the Departments of Defense, State, Commerce and Energy, and at NASA, all compromised, and terabytes of information confirmed stolen
Ghostnet: Attacks on Tibetan organizations, embassies of many EMEA countries, and NATO systems
January 12: Google announces it has been the victim of a targeted attack
Anatomy Of A Breach
> Incursion
> Discovery
> Capture
> Exfiltration
Mass Attack vs Targeted Attack
Incursion
  Mass Attack: Generic social engineering; by-chance infection
  Targeted Attack: Handcrafted and personalized methods of delivery
Discovery
  Mass Attack: Typically no discovery; assumes content is in a predefined and predictable location
  Targeted Attack: Examination of the infected resource, monitoring of the user to determine additional accessible resources, and network enumeration
Capture
  Mass Attack: Predefined specific data, or data which matches a predefined pattern such as a credit card number
  Targeted Attack: Manual analysis and inspection of the data
Exfiltration
  Mass Attack: Information sent to a dump site, often with little protection; the dump site serves as long-term storage
  Targeted Attack: Information sent back directly to the attacker and not stored in a known location for an extended period
Security Market Drivers: Incursion
> In 2009 spam accounted for 90% of all email traffic
> In 2008, Symantec documented 5,471 vulnerabilities, 80% of which were easily exploitable
> 90% of incidents wouldn’t have happened if systems were patched
> In 2009 we found 47,000 active bot-infected computers per day
Security Market Drivers: Discovery
> 91% of records compromised in 2008 involved organized crime targeting corporate information
> 81% of attacked companies were non-compliant with PCI
> 67% of breaches were aided by insider negligence
Security Market Drivers: Capture
> 285 million records were stolen in 2008, compared to 230 million between 2004 and 2007
> Credit card details account for 19% of all goods advertised on underground economy servers
> IP theft costs companies $600 billion globally
Security Market Drivers: Exfiltration
> “Hackers Targeted Source Code of More Than 30 Companies” (Jan 13, Wired.com)
> “SS Numbers Of Californians Accidentally Disclosed” (Feb 9, KTLA.com)
> “HSBC Bank Reports Lost Client Data From Swiss Private Bank” (Dec 9, Reuters)
> “Gov’t Posts Sensitive List of US Nuclear Sites” (Associated Press)
Dissecting Hydraq
Dissecting Hydraq: Incursion
Sample lure email: “Hi Francis, I met you at the Malware Conference last month. Wanted to let you know I got this great shot of you doing your presentation. I posted it here:”
Attacker breaks into the network by delivering targeted malware to vulnerable systems and employees.
Dissecting Hydraq: Discovery
Hacker maps the organization’s defenses from the inside and creates a battle plan.
Dissecting Hydraq: Capture
Attacker accesses data on unprotected systems and installs malware to secretly acquire crucial data.
Dissecting Hydraq: Exfiltration
Diagram: Victim running Hydraq, connecting out to the attacker at 72.3.224.71:443
Confidential data sent back to the enemy’s “home base” for exploitation and fraud.
Prelude to a Breach 1: Poorly Enforced IT Policies
Prelude to a Breach 2: Poorly Protected Information
Prelude to a Breach 3: Poorly Managed Systems
Prelude to a Breach 4: Poorly Protected Infrastructure
The Challenge
> Develop and Enforce IT Policies
> Protect The Information
> Manage Systems
> Protect The Infrastructure
A Comprehensive Security Strategy Is Required
> Risk Based and Policy Driven: IT Governance, Risk and Compliance
> Information-Centric: Information Risk Management
> Well Managed Infrastructure: Infrastructure Protection and Management
New Threats Require New Technologies
Pillars: Protect the Infrastructure; Develop & Enforce IT Policies; Protect the Information; Manage Systems
• Reputation Based Security
• Mobile and Server Security
• Encryption
• IT Risk Management
• Compliance Process Automation
• Information-Centric Policy
• Data Ownership
• Automated Content Classification
• Content Aware Endpoint Security
• Workflow
• Application Streaming
• Portable Personalities
Integrated Security Platform: Open Platform; Console Unification; Security Intelligence; Dynamic Protection
Symantec Focuses on Meeting These Challenges
> Develop and Enforce IT Policies: Control Compliance Suite
> Protect the Information: Data Loss Prevention Suite
> Manage Systems: IT Management Suite
> Protect the Infrastructure: Symantec Protection Suite
Addressing Important Security Questions
> Can you enforce IT policies and remediate deficiencies?
> Do you know where your sensitive information resides?
> Can you easily manage the lifecycle of your IT assets?
> Can you improve your security posture by rationalizing your security portfolio?
Thank You