1

Managing A Global Corporate Protection Infrastructure

Jeannette Jarvis
Association of Anti Virus Asia Researchers

November 26, 2004

2

Agenda

Setting the scene
  Objective
  Threats
  Challenges

Protection Strategy
  Products
  Processes

Critical reference links

3

Company Objectives

Virus/worm/intrusion-free environment

Immediate alerting notification
  Security incidents
  Suspicious activity

Well-defined processes
  Normal operations
  Events

Enterprise compliance
  Security tools & update process

4

Malware Threats

Denial of service
Execution of arbitrary code
Remote execution
Viewing sensitive company information
Manipulating data
Propagating data
Keylogging exploits
Phishing schemes
Spyware / Adware
Spoofing

Software Vulnerabilities

Vulnerabilities reported per year (chart):

  1998:   262
  1999:   417
  2000: 1,090
  2001: 2,437
  2002: 4,129
  2003: 3,784

As reported by SEI CERT/CC: www.cert.org/stats/cert_stats.html

Malicious Code Growth

(Chart: known virus variants, 1990 to 2003; y-axis 0 to 100,000. Individual values not recoverable from the slide.)

7

Progression of Malware Transports

(Timeline)

  1987:   Viruses on floppy disks (Brain, Friday the 13th, Michelangelo)
  1995:   Viruses in macros (Concept, Laroux, Wazzu)
  1999:   Virus by e-mail (Melissa, Loveletter)
  2001:   Worms (Nimda, Code Red, SQL Slammer, Sasser)
  > 2004

Software Vulnerability Lifecycle

9

Challenges

Security versus
  Functionality
  Usability
  Scalability
  Manageability

Vulnerability-to-exploit time is short

10

Company Challenges

Limited resources
Outdated/mis-configured machines
Rogue servers
Acquisitions – conforming to your existing security policies and processes
Home users – lack of configuration control
Mobile employees – low bandwidth for security updates

11

Risk Versus Cost

Critical Infrastructure

Budget Constraints

12

Protection Management Components

Products
  Multi-tiered approach
  Address all entry and exit points

Processes
  Consistent enterprise solutions
  Continuous process improvement

Policy
  Consistent compliance across enterprise
  Published security policy

People
  Education / Awareness / Communication
  Engagement

13

Products – Defense in Depth

Port blocking
Firewall – desktop and network
Intrusion detection/prevention tools
Web proxy filtering
Content filtering – perimeter and internal
Anti-virus – multi-vendor approach
Spyware / Adware
Pop-up blocker
Event correlation tool

14

Policy & Process Tools

Push tools – patches and configuration updates

Compliance tools – conform to company policies or be barred from entry

Centralized management tools
  One site for enterprise visibility of activity and product disposition
  Centrally manage product updates, signature detections & policy creation
  Metrics and reporting

Encryption policy

Enterprise backup solution

15

Visibility

Event correlation tool
  Gather events of interest throughout the enterprise from ALL security tools
  Into a well-structured database to enable efficient complex incident detection and response
  Provide effective query for investigators
  Reports based on trend analysis
  Effective metrics to target detection strategy
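The slide describes the correlation tool but does not show one. The following is an added example, not code from the presentation: it takes constructed log lines from three tools (desktop anti-virus, perimeter firewall, network IDS, all in invented formats), normalizes them into one SQLite table, and runs a single query that flags hosts whose anti-virus detection is followed within a short window by blocked outbound connections or IDS alerts from the same address. The host-to-IP inventory, the 10-minute window and the threshold of three follow-up events are assumptions chosen for illustration; the point is that the join key between host-based and network tools is the asset inventory, and that the normalized timestamps must be comparable across tools (the syslog lines carry no year, so one is supplied).

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample log lines in invented formats (not real product output).
AV_LOG = """\
2004-11-20 09:12:03 host=WS-0412 user=jsmith action=detected threat=W32/Sasser.B
2004-11-20 09:40:51 host=WS-0519 user=kchen action=cleaned threat=W97M/Concept
"""
FW_LOG = """\
Nov 20 09:13:10 fw01 DROP src=10.1.4.12 dst=192.168.7.5 proto=tcp dport=445
Nov 20 09:13:11 fw01 DROP src=10.1.4.12 dst=192.168.7.6 proto=tcp dport=445
Nov 20 09:13:12 fw01 DROP src=10.1.4.12 dst=192.168.7.7 proto=tcp dport=445
Nov 20 11:02:00 fw01 DROP src=10.1.5.19 dst=10.1.0.3 proto=tcp dport=25
"""
IDS_LOG = """\
2004-11-20T09:14:02 ids01 alert sid=900001 msg="LSASS overflow attempt" src=10.1.4.12 dst=192.168.7.9
"""

# Assumed asset inventory: the join key between host-based and network tools.
INVENTORY = {"WS-0412": "10.1.4.12", "WS-0519": "10.1.5.19"}
IP_TO_HOST = {ip: host for host, ip in INVENTORY.items()}

AV_RE = re.compile(r"^(\S+ \S+) host=(\S+) user=\S+ action=(\S+) threat=(\S+)")
FW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+) src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)")
IDS_RE = re.compile(r'^(\S+) \S+ alert sid=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+)')


def _iso(dt):
    # One sortable text form so SQLite's datetime() can compare across tools.
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def normalize(av_log, fw_log, ids_log, year=2004):
    """Parse each tool's lines into one record shape:
    (ts, tool, host, src_ip, dst_ip, category, detail)."""
    rows = []
    for line in av_log.splitlines():
        m = AV_RE.match(line)
        if m:
            ts, host, action, threat = m.groups()
            rows.append((ts, "av", host, INVENTORY.get(host), None, action, threat))
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")  # syslog has no year
            rows.append((_iso(dt), "fw", IP_TO_HOST.get(src), src, dst, action.lower(), f"tcp/{dport}"))
    for line in ids_log.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, sid, msg, src, dst = m.groups()
            rows.append((_iso(datetime.fromisoformat(ts)), "ids", IP_TO_HOST.get(src), src, dst, "alert", f"sid={sid} {msg}"))
    return rows


def load(rows):
    """The 'well-structured database' of the slide, here in-memory SQLite."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE events (
        ts TEXT NOT NULL, tool TEXT NOT NULL, host TEXT, src_ip TEXT,
        dst_ip TEXT, category TEXT, detail TEXT)""")
    db.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?)", rows)
    db.execute("CREATE INDEX idx_src_ts ON events(src_ip, ts)")
    return db


# An anti-virus detection followed by network-side activity from the same
# address within the window is a stronger signal than either event alone.
CORRELATION_SQL = """
SELECT a.host, a.detail AS threat, COUNT(*) AS followups, MIN(f.ts), MAX(f.ts)
FROM events a
JOIN events f
  ON f.src_ip = a.src_ip AND f.tool != 'av'
 AND f.ts > a.ts AND f.ts <= datetime(a.ts, ?)
WHERE a.tool = 'av'
GROUP BY a.rowid
HAVING followups >= ?
ORDER BY followups DESC
"""


def correlate(db, window_minutes=10, min_followups=3):
    rows = db.execute(CORRELATION_SQL, (f"+{window_minutes} minutes", min_followups)).fetchall()
    return [dict(host=h, threat=t, followups=n, first=f, last=l) for h, t, n, f, l in rows]


def run(av_log=AV_LOG, fw_log=FW_LOG, ids_log=IDS_LOG):
    return correlate(load(normalize(av_log, fw_log, ids_log)))


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

With the constructed input, WS-0412 is flagged (one detection followed by three firewall drops and one IDS alert within the window) while WS-0519's cleaned macro virus, whose only later network event is nearly an hour away, is not. The same table also serves the investigator queries and trend reports the slide lists, since every tool's events are already in one schema.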

16

Consistent Enterprise Processes

Have established plans for prevention, detection and reaction
  Know who does what, when
  Backup personnel identified

Normal operations
  Monitoring for malware activity
  Who initiates mitigation for new threats

Communication process
  When is information communicated?
  How? By whom?

17

Process during an event

Security event
  Defined processes for how your company reacts to a security incident / outbreak

Notification
  Those involved with the event
  General employee population

Action
  Who is empowered to take action
  Locking down machines
  Isolating network
  Product updates

18

Vulnerability Monitoring

Security monitoring and response team
  Monitors new vulnerabilities
  Triages security alerts
  Assesses impact on infrastructure
  Reports status
    Criticality
    Recommendation
    Links to updates
  Ensures that the responsible party is providing a solution in an appropriate timeframe
  Prioritizes the threats
  Continuous audits of enterprise

19

Education

Yearly security awareness training is required
  Interactive web-based training is mandated
  Annual security video required to be reviewed by all

Internal web site for virus information
  Company-wide information

Company web site when threat/issue warrants complete visibility

Email to all employees when their involvement is critical to containment of a threat

20

Post Mortem

Tool to communicate lessons learned and improve your infrastructure

Immediately following closure of incident

All key organizations have representation
  Attendance is mandatory

Establish root cause

Address perceptions and reality

Continuous process improvement

21

Home Users

Hardware firewall preferred
  Software firewall at minimum

Policy compliance
  Disable ability to log in to corporate network unless up-to-date:
    Patches
    Anti-virus signature files
    Personal firewall installed
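Slide 14 ("Compliance tools – conform to company policies or be barred from entry") and this slide both describe an admission check without showing one. The following is an added example, not code from the presentation: a policy evaluator that checks a host's self-reported posture (installed patches, anti-virus product and signature age, personal firewall) against a policy and returns the reasons for refusal, so the user and the push tools know what to fix. The policy values, the bulletin identifiers, the vendor names, the posture records and the "quarantine" action (a network that reaches only the update servers) are all assumptions chosen for illustration. The design point a practitioner wants is that the check fails closed: a host that cannot report a field is treated as non-compliant rather than waved through.

```python
from datetime import date

# Constructed policy; bulletin IDs, vendor names and the signature-age
# limit are assumptions for this example, not values from the presentation.
POLICY = {
    "required_patches": {"MS04-011", "MS04-028", "MS04-038"},
    "max_signature_age_days": 3,
    "approved_av": {"vendor-a", "vendor-b"},  # multi-vendor: either product is acceptable
    "firewall_required": True,
}

# Constructed posture reports, as a client agent might submit them at logon.
HOSTS = {
    "laptop-ok": {
        "patches": ["MS04-011", "MS04-028", "MS04-032", "MS04-038"],
        "av_vendor": "vendor-a",
        "av_signature_date": date(2004, 11, 25),
        "firewall_enabled": True,
    },
    "laptop-stale": {
        "patches": ["MS04-011"],
        "av_vendor": "vendor-b",
        "av_signature_date": date(2004, 11, 10),
        "firewall_enabled": True,
    },
    "home-pc-unknown": {
        "patches": ["MS04-011", "MS04-028", "MS04-038"],
        "av_vendor": "vendor-a",
        "av_signature_date": date(2004, 11, 26),
        "firewall_enabled": None,  # agent could not determine the firewall state
    },
}


def evaluate(posture, policy=POLICY, today=date(2004, 11, 26)):
    """Return (allowed, reasons). Missing or unknown data fails closed:
    a host that cannot prove compliance is treated as non-compliant."""
    reasons = []
    missing = policy["required_patches"] - set(posture.get("patches", []))
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    sig = posture.get("av_signature_date")
    if sig is None:
        reasons.append("anti-virus signature date not reported")
    elif (today - sig).days > policy["max_signature_age_days"]:
        reasons.append(f"anti-virus signatures {(today - sig).days} days old")
    if posture.get("av_vendor") not in policy["approved_av"]:
        reasons.append("no approved anti-virus product reported")
    if policy["firewall_required"] and posture.get("firewall_enabled") is not True:
        reasons.append("personal firewall not confirmed enabled")
    return (not reasons, reasons)


def decide(name, posture, policy=POLICY):
    """Map the evaluation to an admission decision. 'quarantine' stands for
    a restricted network from which only the patch and signature push
    servers are reachable (an assumption of this example)."""
    allowed, reasons = evaluate(posture, policy)
    return {"host": name, "action": "allow" if allowed else "quarantine", "reasons": reasons}


if __name__ == "__main__":
    for name, posture in HOSTS.items():
        print(decide(name, posture))
```

Reporting every failing check at once, rather than stopping at the first, matters for the mobile and home users the deck mentions: a laptop on a slow link should learn in one round trip that it needs both patches and fresh signatures before it is re-evaluated.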

22

IT Department Responsibility

Empowerment to make immediate high-impact decisions

Vulnerability assessments

"What if" scenarios

Isolated network / isolated lab environment

Fail-over architecture

23

Event Disaster Plan

Critical contact phone lists available off-line

Processes to get needed security product updates when normal resources are unavailable

Teleconferences for management and technical staff to get needed information during crises

Business continuity plans established

Communication process when normal channels are eliminated

24

Virus Industry Presence Associations

AVAR – Association of Anti-virus Asia Researchers
  http://www.aavar.org

AVIEN – Anti-virus Information Exchange Network
  http://www.avien.org/

AVIEWS – Anti-virus Information Early Warning System
  http://www.aviews.org

EICAR – European Institute for Computer Antivirus Research
  http://www.eicar.org/

The Wildlist Organization – International forum on in-the-wild viruses
  http://www.wildlist.org/

25

Critical Information Links

CERT – Computer Emergency Response Team
  http://www.cert.org/

Internet Storm Center
  http://isc.sans.org//index.php

Virus Bulletin
  http://www.virusbulletin.com/

Anti-Phishing Working Group
  http://www.antiphishing.org/

26

Closing

Managing your environment requires
  Due diligence
  Defensive tools
  Monitoring & awareness
  Notification and response
  On-going user education
  Consistent enterprise processes

27

??? Questions ???