Page 1: Protect & Defend Your Critical Infrastructure

Protect & Defend Your Critical Infrastructure

SCADA, Smart Grid, and Compliance

Tom Turner – VP Marketing and Channels, Q1 Labs
Alex Tatistcheff – Senior Security Instructor, Sourcefire
Douglas Hurd – Director, Technology Alliances

Page 2: Protect & Defend Your Critical Infrastructure

2

Outline

● Introductions and Overviews

● Partnership Background

● Compliance Requirements

● Total Security Intelligence for Energy & Utilities

● Q&A

Page 3: Protect & Defend Your Critical Infrastructure

3

Sourcefire Overview

● Founded in 2001 by Snort Creator, Martin Roesch, CTO

● Headquarters: Columbia, MD

● Focus on enterprise and government customers

● Global Security Alliance ecosystem

● NASDAQ: FIRE

Mission: To be the leading provider of intelligent cybersecurity solutions for the enterprise.

Page 4: Protect & Defend Your Critical Infrastructure

4

Q1 Labs – Overview

Who we are:
► Innovative Security Intelligence software company
► Largest independent SIEM vendor
► Leader in Gartner 2011, 2010, 2009 Magic Quadrant

Award winning solutions:
► Family of next-generation Risk Management, Log Management, SIEM, security intelligence solutions

Executing, growing rapidly:
► +1600 customers worldwide
► Five-year average revenue growth +70%
► North America, EMEA and Asia Pacific

Page 5: Protect & Defend Your Critical Infrastructure

5

Partnership Background 2010-2011

● Mutual customers asked for integration

● Q1 Dev team to build integration using Sourcefire API

● Q1 Labs completes integration, makes eStreamer Client available

Page 6: Protect & Defend Your Critical Infrastructure

6

Deployment Scenarios – Sourcefire

Page 7: Protect & Defend Your Critical Infrastructure

7

Deployment Scenarios – Q1 Labs

Page 8: Protect & Defend Your Critical Infrastructure

8

Sourcefire and NERC

NERC Requirement / Relative Sourcefire 3D System Compliance Benefits

CIP-002-R3 Critical Cyber Asset Identification; CIP-005-R1.6 Documentation for Perimeter Assets
Generates profiles for all networked hosts, enabling automated identification of cyber assets associated with critical applications and systems.

CIP-003-R6 Change Control and Configuration Management
Enables administrators to implement baseline configuration policies for endpoints, subnets, and networks. Automates monitoring and enforcement of configuration policy.

CIP-005-R2 Electronic Access Controls
Detects and documents activity associated with unapproved ports and services. Alerts and corrective actions can easily be configured.

CIP-005-R3 Monitoring Electronic Access
Applies state-of-the-art intrusion detection and prevention capabilities to detect and alert on attempted or actual unauthorized access.

CIP-005-R4 Cyber Vulnerability Assessment; CIP-007-R8 Cyber Vulnerability Assessment
Creates a real-time profile of the operating system, applications, services, ports, etc. for every host and maps it against a database of 13,000+ known vulnerabilities using passive, non-disruptive techniques.

CIP-007-R2 Ports and Services
Compliance white lists can be configured to monitor and automatically enforce acceptable ports and services lists.

CIP-007-R4 Malicious Software Prevention
Anti-malware VRT rules meet the requirements for anti-malware prevention and can augment existing anti-virus tools.

CIP-007-R6 Security Status Monitoring
IPS and RNA satisfy multiple security best practices for providing continuous 24x7 monitoring of security incidents and policy violations.

CIP-008-R1 Incident Response Plan
Provides detailed flow and packet-capture information to reveal the anatomy of successful attacks and accelerate the recovery process.

Page 9: Protect & Defend Your Critical Infrastructure

Total Security Intelligence for Energy & Utilities

Page 10: Protect & Defend Your Critical Infrastructure

10

Energy & Utilities – Security Challenges

● 72% of organizations are not getting the intelligence they need

► Only 39% of organizations are currently using a SIEM solution

● On average, it takes 22 days to detect unauthorized changes or malicious activity

● 69% of organizations feel a data breach is likely to occur in the next 12 months

● 76% of organizations have suffered one or more data breaches over the course of the last 12 months

Source: April 2011 Ponemon Research survey

Page 11: Protect & Defend Your Critical Infrastructure

11

Smart Networks

● Top IT Security priority is to protect and secure SCADA networks

● QRadar monitors and correlates data from many sources including SCADA

[Chart: IT security priorities rated on a 1.00–6.00 axis. Categories shown: Securing smart meters; Protecting the nation’s critical infrastructure; Securing information assets; Protecting endpoints to the network; Protecting enterprise systems; Protecting SCADA networks]

Source: April 2011 Ponemon Research survey

Page 12: Protect & Defend Your Critical Infrastructure

12

Solutions Across the Entire Compliance and Security Intelligence Lifecycle

[Diagram: lifecycle running Vulnerability → Pre-Exploit → Exploit → Post-Exploit → Remediation. Prediction/Prevention Phase: Risk Management, Compliance Management, Vulnerability Management, Configuration Management. Reaction/Remediation Phase: SIEM, Network/User Anomaly Detection, Log Management.]

Page 13: Protect & Defend Your Critical Infrastructure

13

Security Intelligence: SIEM with Behavior Anomaly Detection and Broadest Context

Suspected Incidents

Manage Risk

Content capture and user activity monitoring enabled fraud detection prior to exploit completion

Detect Threats Others Miss

Discovered 500 hosts with “Here You Have” virus, which all other security products missed

2 billion logs and events per day reduced to 25 high priority offenses

Consolidate Silos

Page 14: Protect & Defend Your Critical Infrastructure

14

QRadar Collects Sourcefire Event Data

● Smart meter devices and systems

● Detects Snort alerts from SCADA networks

● Intrusion events and packet data

● Real-time user and network events

● Compliance and white list events

Page 15: Protect & Defend Your Critical Infrastructure

15

Compliance Validation and Information Overload

Information Overload
• Collecting and analyzing millions of daily logs can be overwhelming
• Data silos increase operational expenses

Compliance & Policy
• NERC, CIP and FERC compliance validation requires logging and reporting
• Evolving regulations and Smart Energy solutions have implications across many networks

QRadar’s integrated security management supports specific NERC-CIP requirements, with out-of-the-box NERC-CIP reporting, such as CIP-005, Electronic Security Perimeter(s).

Page 16: Protect & Defend Your Critical Infrastructure

16

Fundamental NERC-CIP Requirements Supported by QRadar

NERC-CIP Area / Requirements

CIP-002: Critical Asset Identification
Provides automated discovery & classification of:
• Cyber assets that use a routable protocol (CIP-002.R3.1-2)

CIP-003: Security Management Controls
Enables effective monitoring and threat detection controls for critical infrastructure:
• Protecting information associated with critical assets (CIP-003.R4)
• Detecting inappropriate access to protected critical assets (CIP-003.R5)

CIP-005: Electronic Security Perimeters
Provides log management and event monitoring of an electronic cyber perimeter:
• Monitoring electronic access to the perimeter (CIP-005.R2/R3)
• Integrated vulnerability assessment monitoring and reporting (CIP-005.R4)

CIP-007: Systems Security Management
Provides monitoring and event management systems for:
• Rogue ports and services (CIP-007.R2)
• Malicious software (CIP-007.R4)
• Detection of cyber incidents (CIP-007.R6)
• Detection of vulnerabilities (CIP-007.R8)

CIP-008: Incident Reporting & Response Planning
Workflow to support incident reporting and response:
• Prioritization of security incidents (CIP-008.R1)
• Process for documenting incidents to cyber assets (CIP-008.R1)
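Both mapping tables (the Sourcefire CIP-007-R2 ports-and-services white list row on Page 8, and the QRadar rogue ports and services row here) describe the same control: compare the services a host is actually exposing against an acceptable list for its zone. The following is an added example, not Sourcefire or Q1 Labs code, showing that check over passively built host profiles; the zones, baselines and host profiles are constructed sample data, and reporting a host that falls in no defined zone under CIP-002-R3 is an assumption about how such a host would be triaged, not something the slides state.

```python
import ipaddress

# Constructed per-zone baselines (CIP-003-R6 style): the (protocol, port) pairs
# acceptable on hosts inside each part of the Electronic Security Perimeter.
ZONE_POLICY = {
    "control-center": {("tcp", 22), ("tcp", 443), ("tcp", 502)},  # SSH, HTTPS, Modbus/TCP
    "substation": {("tcp", 502), ("tcp", 20000)},                 # Modbus/TCP, DNP3
}
ZONES = {
    "control-center": ipaddress.ip_network("10.10.0.0/24"),
    "substation": ipaddress.ip_network("10.20.0.0/24"),
}
# Constructed passive host profiles: (ip, [(protocol, port, service name), ...]).
HOST_PROFILES = [
    ("10.10.0.5", [("tcp", 22, "ssh"), ("tcp", 443, "https"), ("tcp", 502, "modbus")]),
    ("10.10.0.9", [("tcp", 443, "https"), ("tcp", 23, "telnet")]),
    ("10.20.0.12", [("tcp", 20000, "dnp3"), ("udp", 161, "snmp")]),
    ("192.168.1.4", [("tcp", 80, "http")]),
]


def zone_for(ip, zones):
    """Map a host address to the zone whose network contains it, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in zones.items() if addr in net), None)


def evaluate(profiles, zones, policy):
    """One finding per deviation from the zone baseline. A service outside the
    baseline is a CIP-007-R2 ports-and-services violation; a host in no defined
    zone is reported under CIP-002-R3 as an asset that has not been classified
    (assumed triage, see lead-in) rather than as a policy breach."""
    findings = []
    for ip, services in profiles:
        zone = zone_for(ip, zones)
        if zone is None:
            findings.append({"host": ip, "zone": None, "service": None,
                             "cip": "CIP-002-R3", "reason": "host outside all defined zones"})
            continue
        for proto, port, name in services:
            if (proto, port) not in policy[zone]:
                findings.append({"host": ip, "zone": zone, "service": f"{name} {proto}/{port}",
                                 "cip": "CIP-007-R2", "reason": "service not in zone baseline"})
    return findings


if __name__ == "__main__":
    for f in evaluate(HOST_PROFILES, ZONES, ZONE_POLICY):
        print(f"{f['cip']:<11} {f['host']:<12} {f['zone'] or '-':<15} {f['service'] or '-':<18} {f['reason']}")
```

Run as a script it lists the telnet and SNMP listeners as CIP-007-R2 findings and the 192.168.1.4 host as a CIP-002-R3 finding; the findings feed whatever reporting or alerting layer sits on top.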

Page 17: Protect & Defend Your Critical Infrastructure

17

Threat and Risk Management

Detecting Threats
• Without broad surveillance and integration, threats will be missed
• Combating fraud, targeted exploits and cyber warfare requires intelligent visibility
• Telemetry intelligence must be broadened for Smart Energy solutions (Smart Grid, etc.)

Unable to Predict Risk Impact
• Day-to-day security firefighting
• Unable to see the risk impact of network changes, including new applications and infrastructure
• Protecting legacy SCADA systems, which inherently lack security controls