Managing A Global Corporate Protection Infrastructure
Jeannette Jarvis
Association of Anti Virus Asia Researchers
November 26, 2004
Agenda
Setting the scene
  Objective
  Threats
  Challenges
Protection Strategy
  Products
  Processes
Critical reference links
Company Objectives
Virus/worm/intrusion free environment
Immediate alerting notification
  Security incidents
  Suspicious activity
Well-defined processes
  Normal operations
  Events
Enterprise compliance
  Security tools & update process
Malware Threats
Denial of service
Execution of arbitrary code
Remote execution
Viewing sensitive company information
Manipulating data
Propagating data
Keylogging exploits
Phishing schemes
Spyware / Adware
Spoofing
Software Vulnerabilities
[Chart: vulnerabilities reported per year, as reported by SEI CERT/CC: www.cert.org/stats/cert_stats.html]
  1998: 262
  1999: 417
  2000: 1090
  2001: 2437
  2002: 4129
  2003: 3784
Malicious Code Growth
[Chart: Known Virus Variants per year, 1990 to 2003; y-axis 0 to 100,000]
Progression of Malware Transports
1987: Viruses on floppy disks (Brain, Friday the 13th, Michelangelo)
1995: Viruses in Macros (Concept, Laroux, Wazzu)
1999: Virus by e-mail (Melissa, Loveletter)
2001: Worms (Nimda, Code Red, SQL Slammer, Sasser)
> 2004
Software Vulnerability Lifecycle
Challenges
Security versus
  Functionality
  Usability
  Scalability
  Manageability
Vulnerability-to-exploit time is short
Company Challenges
Limited resources
Outdated/mis-configured machines
Rogue servers
Acquisitions – conforming to your existing security policies and processes
Home users – lack of configuration control
Mobile employees – low bandwidth for security updates
Risk Versus Cost
Critical Infrastructure
Budget Constraints
Protection Management Components
Products
  Multi-tiered approach
  Address all entry and exit points
Processes
  Consistent enterprise solutions
  Continuous process improvement
Policy
  Consistent compliance across enterprise
  Published security policy
People
  Education / Awareness / Communication
  Engagement
Products – Defense in Depth
Port blocking
Firewall – desktop and network
Intrusion detection/prevention tools
Web proxy filtering
Content filtering – perimeter and internal
Anti-virus – multi-vendor approach
Spyware / Adware
Pop-up blocker
Event correlation tool
Policy & Process Tools
Push tools – patches and configuration updates
Compliance tools – conform to company policies or be barred from entry
Centralized management tools
  One site for enterprise visibility of activity and product disposition
  Centrally manage product updates, signature detections & policy creation
  Metrics and reporting
Encryption policy
Enterprise backup solution
Visibility
Event correlation tool
  Gather events of interest throughout the enterprise from ALL security tools
  Into a well-structured database to enable efficient complex incident detection and response
  Provide effective query for investigators
  Reports based on trend analysis
  Effective metrics to target detection strategy
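The event correlation tool this slide describes, as an added example that is not part of the presentation or of any product it names: a short Python script that normalizes log lines from three tools (anti-virus, IDS and web proxy) into one well-structured SQLite table, then runs the three kinds of query the slide asks for: a correlation rule that flags a host reported by more than one tool inside a short window, an investigator lookup for one host, and a per-tool volume metric for trend reporting. The log formats, host names, IP-to-host inventory and every event below are constructed assumptions.

```python
"""Added example (not from the presentation): a minimal event-correlation store.
Events from three tools, each logging in its own layout, are normalized into one
table and queried for hosts that more than one tool reported within a window.
All log lines, host names and field layouts are constructed assumptions."""
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample lines: (tool, raw line). Each tool uses a different layout.
RAW_EVENTS = [
    ("antivirus", "2004-11-26 09:12:04 host=WS-0412 action=quarantine threat=Sasser.B"),
    ("ids", "2004-11-26 09:12:40 src=10.20.4.12 dst=10.20.7.5 sig=worm-propagation-attempt"),
    ("proxy", "2004-11-26 09:13:10 client=10.20.4.12 url=http://example.invalid/x.exe status=403"),
    ("antivirus", "2004-11-26 11:40:00 host=WS-0099 action=clean threat=Eicar-Test-File"),
    ("ids", "2004-11-26 14:02:13 src=10.20.9.30 dst=10.20.7.5 sig=port-scan"),
]

# Assumed asset inventory so IP-keyed events join with host-keyed ones.
INVENTORY = {"10.20.4.12": "WS-0412", "10.20.9.30": "WS-0930"}

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_fields(rest):
    """Split 'k=v k=v ...' into a dict (first '=' only, so URLs survive)."""
    return dict(token.split("=", 1) for token in rest.split())


def normalize(tool, line):
    """Map one raw line to the common (ts, tool, host, detail) record."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"unparseable {tool} line: {line!r}")
    ts, fields = m.group(1), parse_fields(m.group(2))
    if tool == "antivirus":
        host, detail = fields["host"], fields["threat"]
    elif tool == "ids":
        host, detail = INVENTORY.get(fields["src"], fields["src"]), fields["sig"]
    elif tool == "proxy":
        host, detail = INVENTORY.get(fields["client"], fields["client"]), fields["url"]
    else:
        raise ValueError(f"unknown tool {tool!r}")
    return ts, tool, host, detail


def build_store(raw_events=RAW_EVENTS):
    """Load normalized events into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts TEXT, tool TEXT, host TEXT, detail TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)",
                   [normalize(tool, line) for tool, line in raw_events])
    db.commit()
    return db


def correlated_hosts(db, window_minutes=10, min_tools=2):
    """Hosts reported by at least min_tools distinct tools inside one window.

    One anti-virus hit is routine; the same host also tripping the IDS and
    the proxy within minutes is the kind of complex incident worth paging on.
    """
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for ts, tool, host in db.execute("SELECT ts, tool, host FROM events ORDER BY ts"):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), tool))
    flagged = {}
    for host, events in by_host.items():
        for i, (start, _) in enumerate(events):
            tools = {tool for t, tool in events[i:] if t - start <= window}
            if len(tools) >= min_tools:
                flagged[host] = sorted(tools)
                break
    return flagged


def events_for_host(db, host):
    """Investigator query: everything known about one host, in time order."""
    return db.execute(
        "SELECT ts, tool, detail FROM events WHERE host = ? ORDER BY ts", (host,)
    ).fetchall()


def counts_by_tool(db):
    """Trend/metrics query: event volume per source tool."""
    return dict(db.execute("SELECT tool, COUNT(*) FROM events GROUP BY tool ORDER BY tool"))


if __name__ == "__main__":
    store = build_store()
    print("correlated:", correlated_hosts(store))
    print("WS-0412 timeline:", events_for_host(store, "WS-0412"))
    print("volume by tool:", counts_by_tool(store))
```

The normalization step is where the value lies: once every tool's record carries the same host key, the correlation rule is a few lines, and the same table answers the investigator's "what else happened on this machine" and the monthly volume metric without re-parsing any vendor format.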
Consistent Enterprise Processes
Have established plans for prevention, detection and reaction
  Know who does what, when
  Backup personnel identified
Normal operations
  Monitoring for malware activity
  Who initiates mitigation for new threats
Communication Process
  When is information communicated
  How? By whom?
Process during an event
Security event
  Defined processes for how your company reacts to a security incident / outbreak
Notification
  Those involved with the event
  General employee population
Action
  Who is empowered to take action
  Locking down machines
  Isolating network
  Product updates
Vulnerability Monitoring
Security monitoring and response team
  Monitors new vulnerabilities
  Triages security alerts
  Assesses impact on infrastructure
  Reports status: criticality, recommendation, links to updates
  Ensures that the responsible party is providing a solution in an appropriate timeframe
  Prioritizes the threats
  Continuous audits of enterprise
Education
Yearly security awareness training is required
  Interactive web-based training is mandated
  Annual security video required to be reviewed by all
Internal web site for virus information
  Company-wide information
  Company web site when threat/issue warrants complete visibility
  Email to all employees when their involvement is critical to containment of a threat
Post Mortem
Tool to communicate lessons learned and improve your infrastructure
Immediately following closure of incident
All key organizations have representation
  Attendance is mandatory
Establish root cause
Address perceptions and reality
Continuous Process Improvement
Home Users
Hardware firewall preferred
  Software firewall at minimum
Policy Compliance
  Disable ability to login to corporate network unless up-to-date
    Patches
    Anti-virus signature files
    Personal firewall installed
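The compliance gate described on the Policy & Process Tools slide ("conform to company policies or be barred from entry") and spelled out here for home users, as an added example that is not part of the presentation or of any compliance product: each host submits a posture report, and a host whose patches or anti-virus signatures are stale, or whose personal firewall is off, is refused the corporate network and handed the list of what to fix. The report field names, the policy thresholds and the sample reports are assumptions constructed for this example; a host that cannot produce a record at all is treated as non-compliant rather than admitted by default.

```python
"""Added example (not from the presentation): a compliance gate. Hosts whose
patches or anti-virus signatures are out of policy, or whose personal firewall
is off, are denied entry and told what to remediate. Field names, thresholds
and the sample reports are constructed assumptions."""
from datetime import date

# Assumed policy thresholds: how stale patches and signatures may be.
POLICY = {
    "max_patch_age_days": 30,
    "max_signature_age_days": 7,
    "require_firewall": True,
}

# Evaluation date for the constructed sample reports below.
AS_OF = date(2004, 11, 26)


def _age_days(report, field, today):
    """Days since the dated field, or None when the host has no record at all."""
    value = report.get(field)
    return None if value is None else (today - value).days


def check_compliance(report, today, policy=POLICY):
    """Return (admitted, failures) for one host posture report.

    A missing record counts as a failure: a host that cannot prove its patch
    or signature state is treated like one that is out of date.
    """
    failures = []
    patch_age = _age_days(report, "last_patch_date", today)
    if patch_age is None:
        failures.append("no patch record")
    elif patch_age > policy["max_patch_age_days"]:
        failures.append(f"patches {patch_age} days old (limit {policy['max_patch_age_days']})")
    sig_age = _age_days(report, "signature_date", today)
    if sig_age is None:
        failures.append("no anti-virus signature record")
    elif sig_age > policy["max_signature_age_days"]:
        failures.append(f"signatures {sig_age} days old (limit {policy['max_signature_age_days']})")
    if policy["require_firewall"] and not report.get("firewall_enabled", False):
        failures.append("personal firewall not enabled")
    return (not failures, failures)


def gate(reports, today, policy=POLICY):
    """Decide admission for every host; denied hosts get their remediation list."""
    return {host: check_compliance(r, today, policy) for host, r in reports.items()}


# Constructed posture reports, as a compliance agent on each host would submit them.
SAMPLE_REPORTS = {
    "WS-0412": {"last_patch_date": date(2004, 11, 10), "signature_date": date(2004, 11, 24),
                "firewall_enabled": True},
    "WS-0099": {"last_patch_date": date(2004, 9, 1), "signature_date": date(2004, 11, 25),
                "firewall_enabled": True},
    "WS-0777": {"last_patch_date": date(2004, 11, 20), "signature_date": date(2004, 11, 1),
                "firewall_enabled": False},
    "LAPTOP-3": {"signature_date": date(2004, 11, 25), "firewall_enabled": True},
}


if __name__ == "__main__":
    for host, (admitted, failures) in gate(SAMPLE_REPORTS, AS_OF).items():
        print(host, "ADMIT" if admitted else "DENY", "; ".join(failures))
```

Returning the failure list alongside the verdict matters for the low-bandwidth remote users the Company Challenges slide mentions: the denial message tells them exactly which update to fetch instead of leaving them locked out with no explanation.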
IT Department Responsibility
Empowerment to make immediate high-impact decisions
Vulnerability assessments
"What if" scenarios
Isolated network / Isolated lab environment
Fail-over architecture
Event Disaster Plan
Critical contact phone lists available off-line
Processes to get needed security product updates when normal resources are unavailable
Teleconferences for management and technical staff to get needed information during crises
Business continuity plans established
Communication process when normal channels are eliminated
Virus Industry Presence Associations
AVAR – Association of Anti-virus Asia Researchers: http://www.aavar.org
AVIEN – Anti-virus Information Exchange Network: http://www.avien.org/
AVIEWS – Anti-virus Information Early Warning System: http://www.aviews.org
EICAR – European Institute for Computer Antivirus Research: http://www.eicar.org/
The WildList Organization – International forum on in-the-wild viruses: http://www.wildlist.org/
Critical Information Links
CERT – Computer Emergency Response Team: http://www.cert.org/
Internet Storm Center: http://isc.sans.org//index.php
Virus Bulletin: http://www.virusbulletin.com/
Anti-Phishing Working Group: http://www.antiphishing.org/
Closing
Managing your environment requires
  Due diligence
  Defensive tools
  Monitoring & Awareness
  Notification and response
  On-going user education
  Consistent enterprise processes
??? Questions ???