
Security Intelligence and Risk Management: can what you can't see hurt you?


DESCRIPTION

Presentation by Simon Leech, Pre-Sales Director EMEA for Hewlett-Packard Enterprise Security. Summer Course CIGTR/URJC 2012.


Page 1

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

The Value of Security Intelligence What you can’t see, can hurt you

Simon Leech CISSP CISM CRISC PreSales Director EMEA, HP Enterprise Security

[email protected]

Page 2

HP Enterprise Security

Market leading products and services:

• Security Information and Event Management
• Log Management
• Application Security
• Network Security
• Data Protection
• Threat Research
• Security Services

One Team, One Vision

Atalla

Page 3

Global security research

Partner ecosystem:

• e.g. SANS, CERT, NIST, OSVDB, software & reputation vendors
• 1600+ researchers
• 2000+ customers

FSRG (Fortify Security Research Group):

• Leading security research
• Continuously finds more vulnerabilities than the rest of the market combined
• Collaborative effort of market leading teams: DV Labs, ArcSight, Fortify, HP Labs, Application Security Center
• Collects network and security data from around the globe

Page 4

Disruptive technology trends

Future of security: proactive risk management (collaborative, open & extended; devices, data & infrastructure)

• Cloud: public, private, adoption
• Big Data: content, context, unstructured
• Fortress: reactive perimeter security
• Consumerization: mobility, device & social media

Page 5

The enterprise security problem

• Breaches continue… even though enterprises have hundreds of security solutions available
• Siloed security products… don't learn from or share information with each other
• Limited context… a gap between IT operations and security constrains the actions that can be taken
• No effective way… to understand and prioritize risk

Page 6

Rise Of The Cyber Threat

Enterprises and Governments are experiencing the most AGGRESSIVE THREAT ENVIRONMENT in the history of information.

Page 7

…and becoming more costly

[Chart: Ponemon Institute, 2nd Annual Cost of Cybercrime Study 2011 (marked "Private and Confidential"). Annualised cost of cybercrime per organisation, FY 2010 versus FY 2011, plotted for the minimum value, quartile 1, quartile 2, median, quartile 3, grand mean, quartile 4 and maximum value on an axis from $0 to $60,000,000. Bar values as extracted, first series: $1,530,568; $2,872,913; $5,167,657; $5,895,065; $7,576,693; $8,389,828; $17,455,124; $36,470,889. Second series: $1,037,277; $1,650,976; $3,180,182; $3,788,468; $4,611,172; $6,459,362; $15,567,136; $51,925,510. The mapping of each value to its statistic and fiscal year is not recoverable from the extracted text.]


Page 9

Advanced Persistent Threats

[Timeline figure, 1997 to 2011 (tick marks at 1997, 1998, 1999, 2004, 2007, 2009, 2010, 2011), grouping incidents as "The Classics" and "The Subversives": Eligible Receiver, Solar Sunrise, Moonlight Maze, Titan Rain, Byzantine Foothold, Aurora, Exxon, US Power Grid, Operation Shockwave, Night Dragon, Stuxnet, RSA, Lockheed Martin.]


Page 12

What do these three organisations have in common?

Page 13

Modern Breaches Share a Pattern

Acquire target, sneak in, hop around (Zero Day? Perimeter won’t always help)

Get privileged access to critical assets (Impact takes time)

Conduct the crime for an extended time (Early detection matters)

“The success or failure of an attack will depend on the attacker’s ability to go undetected”

Page 14

The unlucky CISO?

1. At 5pm on Friday evening, a security administrator receives an email from US-CERT notifying him of a critical vulnerability in the database system he manages. It's home time, so he does nothing.

2. Sometime over the weekend, a high-ranking user receives an email from an MTA in China. It comes from a known bad IP address and triggers an alert, but the IP isn't rated highly enough for the email to be blocked.

3. Monday morning at 9am the user opens the email and double-clicks the attachment he has been sent. It appears to be a harmless PDF from a colleague, but unknown to him it installs a RAT and sends a "hello" back to the same IP address that sent the email.

4. A couple of hours later, at 12:30pm, the CPU on a server in the application server farm spikes, triggering an alert on the app monitoring dashboard. After a couple of minutes it goes away, and the server admin ignores it.

Page 15

The unlucky CISO?

5. At the same time, the database admin notices activity deviating 10x from the norm for this time of day. The number of data sets being accessed is also higher than normal, but the database remains up, so the admin doesn't worry.

6. Also at 12:30pm, the network admin notices a significant increase in traffic between the app server and the database server, and then out to the Internet (coincidentally to the same IP address that sent the email and installed the RAT, but no one notices this).

7. Later that day, as part of a weekly vulnerability scan, the security team identify that the database server has the newly discovered vulnerability and create a trouble ticket to get it patched.

8. The following morning the security team patch the vulnerability, and a couple of days later a dump of the entire database, including gigabytes of PII, appears on Pastebin…
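Every one of the eight steps above was seen by somebody, and every one was below the threshold at which that person was expected to act. What was missing is correlation: the mail gateway, the proxy and the network monitor all saw the same external IP address, and the database that went noisy was the one with an open critical advisory. The Python below is an added example, not code from the deck or from any HP product; it replays constructed events modelled on the scenario (all source names, host names and the 203.0.113.7 address are hypothetical placeholders) and shows that pivoting on the shared indicator and on the exposed asset lifts the incident above the action threshold while no single event ever reaches it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events modelled on the "unlucky CISO" scenario. Every source
# name, host name and IP address is a hypothetical placeholder (203.0.113.0/24
# is the RFC 5737 documentation range). Severity runs 1 (info) to 5 (critical);
# ACT_THRESHOLD is the level at which an admin is expected to respond.
ACT_THRESHOLD = 4
WINDOW = timedelta(days=3)   # how long an unpatched critical advisory stays "hot"

EVENTS = [
    {"ts": "2012-06-15T17:00", "source": "us-cert-feed", "sev": 3, "asset": "db01",
     "kind": "critical_vuln_advisory", "ip": None},                      # step 1
    {"ts": "2012-06-16T22:10", "source": "mail-gateway", "sev": 2, "asset": "user-ws",
     "kind": "inbound_mail_bad_reputation", "ip": "203.0.113.7"},        # step 2
    {"ts": "2012-06-18T09:02", "source": "proxy", "sev": 2, "asset": "user-ws",
     "kind": "outbound_connection", "ip": "203.0.113.7"},                # step 3
    {"ts": "2012-06-18T12:30", "source": "app-monitor", "sev": 1, "asset": "app03",
     "kind": "cpu_spike", "ip": None},                                   # step 4
    {"ts": "2012-06-18T12:31", "source": "db-audit", "sev": 2, "asset": "db01",
     "kind": "query_volume_10x", "ip": None},                            # step 5
    {"ts": "2012-06-18T12:33", "source": "netflow", "sev": 1, "asset": "db01",
     "kind": "outbound_transfer", "ip": "203.0.113.7"},                  # step 6
    {"ts": "2012-06-18T17:00", "source": "vuln-scanner", "sev": 3, "asset": "db01",
     "kind": "critical_vuln_confirmed", "ip": None},                     # step 7
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def exposed_assets(events, window=WINDOW):
    """Assets with an open critical advisory AND anomalous activity inside the
    window. Returns {asset: [kinds of anomalous activity seen]}."""
    hits = defaultdict(list)
    for adv in (e for e in events if e["kind"] == "critical_vuln_advisory"):
        t0 = parse_ts(adv["ts"])
        for e in events:
            # skip the advisory itself and the scanner's confirmation of it
            if e["asset"] != adv["asset"] or e["kind"].startswith("critical_vuln"):
                continue
            if t0 <= parse_ts(e["ts"]) <= t0 + window:
                hits[adv["asset"]].append(e["kind"])
    return dict(hits)


def correlate_by_indicator(events, min_sources=2):
    """Pivot on the external IP: one address reported by at least min_sources
    independent sensors becomes an incident, whatever each event's own severity."""
    by_ip = defaultdict(list)
    for e in events:
        if e["ip"]:
            by_ip[e["ip"]].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        sources = sorted({e["source"] for e in evs})
        if len(sources) >= min_sources:
            incidents.append({
                "indicator": ip,
                "sources": sources,
                "assets": sorted({e["asset"] for e in evs}),
                "max_sev": max(e["sev"] for e in evs),
                "first_seen": min(e["ts"] for e in evs),
                "last_seen": max(e["ts"] for e in evs),
            })
    return incidents


def triage(events):
    """Compare per-event severity with correlated severity.
    score = highest single severity in the group
            + 1 per additional corroborating sensor
            + 1 if a touched asset also has an open critical vulnerability."""
    exposed = exposed_assets(events)
    incidents = correlate_by_indicator(events)
    for inc in incidents:
        score = inc["max_sev"] + (len(inc["sources"]) - 1)
        if any(a in exposed for a in inc["assets"]):
            score += 1
        inc["score"] = min(score, 5)
        inc["actionable"] = inc["score"] >= ACT_THRESHOLD
    return {
        "max_single_severity": max(e["sev"] for e in events),
        "any_single_actionable": any(e["sev"] >= ACT_THRESHOLD for e in events),
        "incidents": incidents,
    }


if __name__ == "__main__":
    result = triage(EVENTS)
    print("highest single-event severity:", result["max_single_severity"],
          "(actionable:", result["any_single_actionable"], ")")
    for inc in result["incidents"]:
        print(f"indicator {inc['indicator']} seen by {inc['sources']} on {inc['assets']}"
              f" -> correlated score {inc['score']} (actionable: {inc['actionable']})")
```

Run stand-alone, the script reports that the highest single-event severity is 3 and nothing was actionable on its own, then prints one incident on 203.0.113.7 seen by three sensors across the workstation and the database server with a correlated score of 5. The scoring is deliberately simple; what matters is the two pivots, a shared indicator across independent sensors and anomalous activity on an asset already known to be exposed, because those are exactly the joins the admins in the story never made.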

Page 16

Main areas to focus on

• Understand the weaknesses that you have inherited

• Understand the weaknesses that you have created

• (Understand the weaknesses that you can use)

• Make your security intelligence work

Page 17

Understand the weaknesses that you have inherited

• You will have vulnerabilities in your third party applications!
• But do you have the time to find them?
• Is it even your job to find them?

Vulnerabilities entered in OSVDB annually


• A recent study by Forrester concluded:
  • Independent and original vulnerability research is important to security organisations
  • Companies want to leverage relationships with vulnerability researchers in order to make decisions
  • Quality vulnerability information helps improve security

Page 19

Vulnerability Bounty Programs – Good or Bad?


Page 21

Understand the weaknesses that you have created

• You will have vulnerabilities in your self-developed applications!
• You need to make the time to find them
• You owe it to your customers, and to your own cyber reputation

Source: HP DVLabs Threatlinq


• A recent study by Ponemon Institute showed:
  • 73% of respondents were hacked at least once in the past 2 years
  • 72% actually test less than 10% of their web applications for security
• Investments in awareness around secure software development best practices will help here

Page 23

Understand the weaknesses that you can use

• Probably outside the realm of most information security policies
• But definitely becoming a usable tactic in the art of cyber warfare

Articles from Andy Greenberg, Forbes.com

Page 24

Making Your Security Intelligence Work

[Diagram: security intelligence as Technology, Process and People. The process flow is numbered 1 to 6 across the Level 1 and Level 2 engineers, the incident handler, escalation to the network & system owners, and "case closed".]

Risk Management Solution Focus Areas:

• Advanced Persistent Threat (APT) Detection
• Compliance Reporting
• High-risk User Monitoring
• Privacy Breach Detection
• Data Leakage Monitoring
• Critical Business Transaction Monitoring
• Perimeter Security Monitoring
• Universal Log Management

Page 25

Conclusions

• There are no good neighborhoods on the Internet – they’re all some kind of bad

• Legacy controls will not be able to keep up – but keep security technologies up to date to stay ahead of the changing threat

• Vulnerability research is critical to provide insight into potential future cyber attacks – align with security operations and change management

• Actionable security intelligence is as important as any security product – and make your risk position a board room topic

Page 26

HP Enterprise Security vision

• Must be driven by business priorities

• Must “see everything” in the context of business processes and enable fast, efficient resource prioritization

• Must deliver standalone and intelligently integrated solutions

• Must achieve compliance goals and manage security costs

Page 27

Security Intelligence and Risk Management Platform: HP EnterpriseView

[Platform diagram: Compliance and Policy, Vulnerability Management, Asset Profiling and Risk Management, layered over Security Intelligence, Network Security, Application Security and FSRG Threat Research.]

A Security Intelligence and Risk Management platform

Page 28

HP EnterpriseView: see everything and prioritize response

Page 29

Thank you [email protected]

http://www.hpenterprisesecurity.com/solutions/2011-cyber-security-risk-report