HP ESP Proactive Approach to Security

  • 1

  • We all know the security market has changed. There are more threats than ever before.

    2

  • DigiNotar went bankrupt.

    Why?

    DigiNotar was a Dutch certificate authority owned by VASCO Data Security International.[1]

    On September 3, 2011, after it had become clear that a security breach had resulted in the

    fraudulent issuing of certificates, the Dutch government took over operational

    management of DigiNotar's systems.[2] That same month, the company was declared

    bankrupt.

    Dozens of fraudulent certificates had been created.

    The attackers had breached the perimeter using malware.

    They then moved through the network to find servers holding privileged account names.

    They used Cain & Abel to brute-force passwords and ultimately obtain privileged access credentials.

    They used a SQL injection attack to retrieve CA details.

    They then sold these to rogue individuals, who used them to set up phony websites that looked like

    real ones, used to make money, steal identities, etc.

    ArcSight could have prevented this from happening by correlating the signals at each stage:

    the perimeter breach, high login activity, unusual login activity (after hours and from Iran), and the SQL

    injection attacks.
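As an added illustration (not HP's code or an ArcSight rule set), the Python below runs the four signals named above as toy correlation rules over constructed log events; the business-hours window, home country and failure threshold are assumed policy values, and the events are constructed, not DigiNotar's real logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (timestamp, source, user, country, outcome, detail).
# Illustrative only, not DigiNotar's real logs.
EVENTS = [
    ("2011-06-17 01:58:10", "ids",  "-",     "-",  "ALERT",   "malware beacon from dmz-web01"),
    ("2011-06-17 02:03:01", "auth", "admin", "IR", "FAIL",    ""),
    ("2011-06-17 02:03:02", "auth", "admin", "IR", "FAIL",    ""),
    ("2011-06-17 02:03:02", "auth", "admin", "IR", "FAIL",    ""),
    ("2011-06-17 02:03:03", "auth", "admin", "IR", "FAIL",    ""),
    ("2011-06-17 02:03:04", "auth", "admin", "IR", "FAIL",    ""),
    ("2011-06-17 02:03:09", "auth", "admin", "IR", "SUCCESS", ""),
    ("2011-06-17 02:10:44", "web",  "-",     "IR", "200",     "GET /ca/lookup?id=1' OR '1'='1"),
    ("2011-06-17 09:15:00", "auth", "jdoe",  "NL", "SUCCESS", ""),
    ("2011-06-17 09:20:00", "web",  "-",     "NL", "200",     "GET /ca/lookup?id=42"),
]

BUSINESS_HOURS = range(8, 18)   # assumed policy: 08:00-17:59 local time
HOME_COUNTRIES = {"NL"}         # assumed: staff log in from the Netherlands only
FAIL_THRESHOLD = 5              # assumed brute-force threshold per account
SQLI = re.compile(r"'\s*(or|and)\s*'|union\s+select|;\s*drop\s", re.I)

def correlate(events):
    """Return {rule_name: [event, ...]} for the four signals in the notes."""
    alerts = defaultdict(list)
    fails = defaultdict(int)
    for ev in events:
        ts, src, user, country, outcome, detail = ev
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if src == "ids" and outcome == "ALERT":            # perimeter breach
            alerts["perimeter_breach"].append(ev)
        elif src == "auth" and outcome == "FAIL":          # high login activity
            fails[user] += 1
            if fails[user] == FAIL_THRESHOLD:
                alerts["high_login_activity"].append(ev)
        elif src == "auth" and outcome == "SUCCESS":       # unusual login
            if hour not in BUSINESS_HOURS or country not in HOME_COUNTRIES:
                alerts["unusual_login"].append(ev)
        elif src == "web" and SQLI.search(detail):         # SQL injection
            alerts["sql_injection"].append(ev)
    return dict(alerts)

def kill_chain_complete(alerts):
    """True when all four stages fired: the combination worth escalating."""
    return {"perimeter_breach", "high_login_activity",
            "unusual_login", "sql_injection"} <= set(alerts)
```

Any single rule on its own is noisy; the point of the example is that the four firing together on the same night is what a SIEM would escalate.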

  • Cyber-crime is on the rise and the rewards for cyber-criminals are greater than ever.

    Likewise, the impact on corporations is greater than ever.

    In the news: Sony PlayStation, Epsilon, Citigroup.

    The new cyber-criminals are well funded, coordinated, and more sophisticated:

    Organized crime

    Nation-state sponsored

    Political hacktivists

    Clearly, the traditional approach is not working.

    Cybercrime is on the rise and the profit for criminals has never been greater. Likewise, the pressure on companies has never been greater.

    We see companies like Sony, Citigroup, RSA and so on in the headlines, apparently

    being hunted down and taken out by a pack.

    Internet criminals are well equipped both financially and technically, and with every crisis more well-trained people become available. We face organized crime as well as state-sponsored attacks and politically motivated attacks.

    It is obvious that the previous approach has failed and does not work like this.

    4

  • Customers struggle to manage the security challenge

    Nature and motivation of attacks (fame, fortune, hacker nations)

    Attacks motivated by the information marketplace are creating a broader threat

    landscape: "I will attack anything of value

    that's weaker than the peer group because I know I can sell it somewhere."

    5

  • Explosion of the attack surface: burgeoning IT complexity driven by demand for service

    delivery and diverse devices

    Transformation of enterprise IT (mobility, cloud, information, social)

    6

  • Regulatory pressures (increasing cost and complexity)

    Government-imposed compliance requirements

    Using compliance to define your security strategy sets a low bar, the last place you want to be in this environment.

    7

  • Applications: SDLC, testing, Fortify, WAF, vulnerability scans

    Systems: OS patching, Opsware automation, vulnerability scans

    Risk mapping: EnterpriseView, ArcSight

    Visibility: EnterpriseView, ArcSight, TippingPoint, DVLabs

    Blocking: TippingPoint, DVLabs

    Internally: ArcSight, Autonomy, Atalla

    Externally: ArcSight, Autonomy, Atalla

    8

  • 9

  • Your security effectiveness is only as good as the security research behind it and DVLabs

    has been the industry leader for years. In addition to our own in-house security

    researchers, DVLabs manages Zero Day Initiative (ZDI) which is a global organization of

    researchers constantly looking for new application vulnerabilities:

    1,500+ researchers registered

    Typical profile: male, teen to mid twenties, hobbyist

    3,400+ 0-day vulnerabilities submitted by these researchers

    1100+ 0-day vulnerabilities purchased (30+%)

    Plus, over 2000 customers leverage and contribute information to our ThreatLinQ security

    portal. ThreatLinQ houses up-to-the-minute security information from around the globe

    that customers have access to 24 hours a day, 7 days a week.

    We also partner with other leading research organizations like SANS, CERT and NIST to

    consolidate security intelligence resulting in the most advanced intelligence network

    anywhere in the world.

    10

  • We package our software to meet the needs of our customers, recognizing that everyone's

    starting place and journey may be different.

    In 2011 HP pioneered the idea of the world's first Performance System for IT: the IT

    Performance Suite. In just 12 months, HP's IT Performance Suite has helped IT departments

    improve the performance of IT outcomes while lowering costs and increasing business

    alignment.

    With the acquisitions of Autonomy, ArcSight and Vertica we're now ready to offer

    performance systems tailored to the needs of Security, Legal and Marketing professionals, to

    ensure that no matter what, your applications and information work for you.

    These HP Performance Systems combine HP software and expertise to develop and run the

    best applications and deliver insight in real time from 100% of your information, all while

    ensuring your IT assets are secure, reliable and compliant.

    All supported by the industry leader in customer satisfaction for enterprise software as well as

    a global partner ecosystem.

    And we're proud to have a portfolio that is open and flexible, enabling you to run our software in

    diverse environments, on your infrastructure or in the cloud, easily integrating with your systems

    and data sources, all while taking advantage of some of the most innovative computer science

    and mathematics breakthroughs, covered by over 2000 patents and patents pending.

    11

  • 12

  • Fortify gives you advanced technologies to ensure your applications are secure. Fortify

    inspects applications at the source code level (static testing) and while they are running

    (dynamic testing). Fortify supports more languages than any other application security

    vendor, with significant strengths in the area of mobile application security. But it's not

    just built for custom applications: Fortify can determine whether vulnerabilities exist in

    commercial, custom and open source applications. And even more differentiated, Fortify can

    be delivered as software you purchase or as a service. With unmatched flexibility and

    depth of coverage, Fortify ensures you have a world-class application security program in

    place.

    13

  • The ArcSight solution gives you the ability to collect information from any device, anytime,

    anywhere, to ensure you have complete enterprise security visibility. What's more,

    ArcSight is supported by the revolutionary CORR Engine, which delivers industry-leading

    correlation speeds with significantly lower storage requirements than prior versions.

    The ArcSight solution allows you to capture logs, correlate events, monitor applications,

    check for fraud, and manage users and controls.

    Focusing on turning information into intelligence, the ArcSight solution stands apart in the

    industry.

    14

  • 15

  • WebAppDV: scan a web application for vulnerabilities; based on the results, custom

    signatures or filters can be created to protect the web application by blocking traffic

    that is trying to exploit the vulnerability.

    Good for in-house applications.

    It's a service.

    16

  • 17

  • 18

  • 19

  • 20

  • 21

  • Adversaries collaborate with each other.

    They form groups, specialize in different functions, share tools, and share their attack attempts and

    successes with one another.

    So why don't companies also collaborate? Effectively, telling your neighbours that you

    have been attacked, by whom, and how they did it.

    Of course you can maintain your privacy and remain anonymous in your threat exchange.

    22


  • The intelligence that comes to TC is normalized so that relevant data such as IP addresses

    and file hashes can be isolated and distributed to companies to feed, for example, their

    ArcSight SIEM and TippingPoint devices.

    23

  • 24

  • 25

  • Three companies, all with different products and security profiles. Company A detects a new

    zero-day and shares it with Threat Central. Companies B and C both receive an event

    with the actionable indicators from company A's submission.

    Company B detects a malware variant that is not discovered in company A or C, and so on.

    26

  • STIX is a collaborative, community-driven effort to define and develop a

    standardized language to represent structured cyber threat information.

    HP has Threat Central, which is a Security Intelligence Platform.

    Intelligence is sent to TC through various intelligence feeds, including HP Security

    Research. Examples of intelligence information are active malicious IP addresses or file

    hashes of dangerous files that have been used in recent attacks.

    TC clients are subscribers who send intel to TC and have intel sent to them via TC.

    TC clients can choose to expose their intel to small private communities or larger

    communities.

    E.g. one for UK Gov, one for US Gov, one for financial organisations, one for

    telcos, or even smaller or larger communities.

    27
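An added toy model (not Threat Central's code or API) of the normalization described for slide 23 and the community exchange of slides 26 and 27: loosely formatted submissions are reduced to IP and file-hash indicators, then fanned out to the other members of the chosen community without the submitter's identity. The input formats, company letters and community names are constructed.

```python
import re
from collections import defaultdict

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
FILE_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # md5/sha1/sha256

def normalize(raw_items):
    """Turn one submitter's loosely formatted indicators into (type, value) pairs.
    Accepts forms like 'ip=203.0.113.5', 'IP: 203.0.113.5', 'sha256 <hex>'; drops junk."""
    indicators = set()
    for item in raw_items:
        m = re.match(r"^\s*(\w+)\s*[:= ]\s*(\S+)\s*$", item)
        if not m:
            continue
        value = m.group(2).lower()
        if IPV4.match(value) and all(int(o) < 256 for o in value.split(".")):
            indicators.add(("ipv4", value))
        elif FILE_HASH.match(value):
            indicators.add(("file_hash", value))
    return indicators

class ThreatCentral:
    """Toy model of the exchange: a member's submission is normalized and fanned out to
    the other members of the chosen community; the submitter's identity is not forwarded."""
    def __init__(self):
        self.members = defaultdict(set)   # community -> {company, ...}
        self.inbox = defaultdict(list)    # company -> [(community, indicator), ...]

    def join(self, company, community):
        self.members[community].add(company)

    def submit(self, company, community, raw_items):
        """Share indicators with one community; returns how many were accepted."""
        if company not in self.members[community]:
            raise PermissionError(f"{company} is not a member of {community}")
        indicators = normalize(raw_items)
        for peer in self.members[community] - {company}:   # never echo back to the source
            for ind in sorted(indicators):
                if (community, ind) not in self.inbox[peer]:   # de-duplicate per recipient
                    self.inbox[peer].append((community, ind))
        return len(indicators)
```

Each recipient's inbox holds only (community, indicator) pairs, so a consumer can route them to a SIEM or IPS without learning which peer reported them.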

  • 28

  • 29