Anatomy of a CERT
Gordon Love, Regional Director for Africa
March 2010
Agenda
• The African landscape is changing
• Why do we need a CERT – Threat Landscape
• Steps in building a CERT
• The role of a CSIRT
• Q&A
Symantec DeepSight Early Warning Services 8.0
Broadband Capacity Increases
Africa is Changing…
Lessons Learned – increased broadband capacity
• Africa is currently updating its broadband infrastructure
• There is an increase in malicious activity in countries with rapidly emerging Internet infrastructures
• Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers
• With cheaper and faster Internet, more Africans will be “always-on” or continually connected
• There will be many “new” internet users that are not security-savvy
What do we need to protect against…
2002 Symantec Corporation, All Rights Reserved
Symantec Security Response – How do we know?
Over 25,000 Registered Data Partners, From Over 180 Countries
[Map: Symantec Monitored Countries, showing Symantec Secure Operations Centers and Symantec Response Labs in San Antonio, TX; Redwood City, CA; Calgary, Canada; American Fork, UT; Santa Monica, CA; Tokyo, Japan; Sydney, Australia; Newport News, VA; Berlin, Germany; London, England; Waltham, MA; Dublin, Ireland; Alexandria, VA]
Attack Activity
• 240,000 sensors
• 200+ countries
Malware Intelligence
• 130M client, server, gateways monitored
• Global coverage
Vulnerabilities
• 32,000+ vulnerabilities
• 11,000 vendors
• 72,000 technologies
Spam/Phishing
• 2.5M decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day
Rapid Detection
IWECA Presence
[Map legend: Symantec Resource; Distributor; Reseller]
IDC Adjusted Market Potential Ranking
1 Angola
2 Nigeria
3 Kenya
4 Uganda
5 Tanzania
6 Mauritius
7 Ethiopia
8 Botswana
9 Ghana
10 Namibia
Country Ranking by Economic Growth (%) 2008
1 Angola 21.4
2 Ethiopia 8.4
3 Uganda 6.4
4 Tanzania 7.2
5 Kenya 4.4
6 Nigeria 7.5
7 Ghana 6.3
8 Mauritius 5.8
9 Namibia 5.5
10 Botswana 4.4
Country Ranking by IT Spend ($m) Per Capita 2008
1 Mauritius 74.26
2 Botswana 66.02
3 Namibia 39.42
4 Angola 18.46
5 Kenya 9.14
6 Ghana 7.93
7 Nigeria 7.11
8 Tanzania 3.75
9 Uganda 2.74
10 Ethiopia 1.76
IDC Predicted ICT Growth
Kenya review
Analyst Opinion
In Kenya, the IT market reached a value of $352.7 million and is expected to grow, albeit slowly, at 6.1% in 2009 to reach $374.0 million. Over a five-year period, IDC forecasts that the market will increase at a CAGR of 14.6% to reach $615.9 million by 2012.
ISTR XIV Key Trends
Cyber criminals want YOUR information
• Focus on exploits targeting end-users for financial gain
Web-based malicious activity has accelerated
• Primary vector for malicious activity
• Target reputable, high-traffic websites
Increased sophistication of the Underground Economy
• Well-established infrastructure for monetizing stolen information
Rapid adaptation to security measures
• Relocating operations to new geographic areas
• Evade traditional security protection
Threat Landscape
* Symantec Internet Security Threat Report, Volume XIV
Highlights: Key Trends – Global Activity
Threat Activity
• Data breaches can lead to identity theft
• Theft and loss top cause of data leakage for overall data breaches and identities exposed
• Threat activity increases with growth in Internet/Broadband usage
Vulnerabilities
• Documented vulnerabilities up 19% (5491)
• Top attacked vulnerability: Exploits by Downadup
• 95% vulnerabilities attacked were client-side
Malicious Code
• Trojans made up 68 percent of the volume of the top 50 malicious code
• 66% of potential malicious code infections propagated as shared executable files
Spam/Phishing
• 76% phishing lures target Financial services (up 24%)
• Detected 55,389 phishing website hosts (up 66%)
• Detected 192% increase in spam across the Internet with 349.6 billion messages
• 90% spam email distributed by Bot networks
* Symantec Internet Security Threat Report, Volume XIV
New Threat Landscape
[Chart: Number of New Threats per Period]
• 1177% increase in malware since 2006
• 2/3 of malicious code created in 2008
• In 2000: 5 detections a day
• In 2007: 1431 detections a day
• In 2009: 15 000+ detections a day
Copyright © 2009 Symantec Corporation. All rights reserved.
• 192% growth in spam from 2007 to 2008
• In 2008, Symantec documented 5,471 vulnerabilities, 80% of which were easily exploitable
• 90% of incidents would not have happened if systems had been patched
• In 2008 we found 75,000 active bot-infected computers per day, up 31% from 2007
How do we respond at a Regional / National level…
Objectives of a CERT
• Enhance information security awareness
• Build national expertise in information security, incident management and computer forensics
• Enhance the cyber security law and assist in the creation of new laws
• Provide a central trusted point of contact for cyber security incident reporting
• Establish a national centre to disseminate information about threats, vulnerabilities, and cyber security incidents
• Foster the establishment of and provide assistance to sector-based Computer Security Incident Response Teams (CSIRTs)
• Coordinate with domestic and international CSIRTs and related organizations
• Become an active member of recognized security organizations and forums
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
CERTS across Europe
Emerging FY '11 Planning
CERT Framework – Mandate, Charter & Constituents
[Diagram: Cert Framework designed & Implemented – Cert Charter; Mandate; Constituent Identification & Classification; Service Offerings; Global Affiliations; Strategic Partnerships; Constituents & Strategic Partnerships]
01 · STRUCTURE – Constituent campaigning and Memberships: mutually beneficial alliances established
02 · FUNCTIONALITY – Constituent database with defined roles & responsibilities in place and equipped to leverage strategic partnerships and affiliations
DELIVERY – Phased delivery of services
Information Security Through Committed Partnership
Constituent Tier System
• TIER 1 – damage to which would cause critical harm to the critical information infrastructure. For example: regulated electronic communications providers; federal ministries responsible for the critical national infrastructure; national security organizations
– Government Departments with direct responsibility for an area of CNI
– Providers of Communications Infrastructure
– National Security
– Must have incident response capability
• TIER 2 – damage to which would cause serious harm to the critical information infrastructure. For example: providers of utilities and other parts of the critical infrastructure such as banking
– Providers of CNI Services
– Government Departments not involved in CNI
– Must have incident response capability
• TIER 3 – damage to which would cause some harm to the critical information infrastructure. For example: other government departments, agencies, councils and commissions; logistics and transport providers
– General Commerce
– Other Government Departments
– Special Councils & Commissions
• PUBLIC – all other sectors and the wider public
– General Public
– Anyone not covered in Tier 1 - 3
Emerging FY '11 Planning
CERT Framework – Develop Legal & Regulatory Framework
CERT Framework – Implement Global Best Practices / Policies / Procedures
CERT Framework – Employ and Develop Skilled Resources and Partners
CERT Framework – Achieve Operational Capability with fully functional SOC
High Level CERT Process Summary
1. Build a Cert Framework
2. Develop Mandate, Charter and Constituents
3. Develop Legal & Regulatory Framework
4. Build required Infrastructure & Technology
5. Implement Global Best Practices, Policies and Procedures
6. Source and Develop skilled Resources, Capability and Partners
7. Achieve Operational Capability & fully Functional CSIRTS
The role of a CSIRT
Why is it important? Benefits of CSIRT
Objectives
• Relevant & timeous security data aggregated into one location
• 24 x 7 x 365 Real-time response capability
• Coordination of preventative and response actions
• Reduced complexity/cost through standardisation / integration
• In-depth reporting at strategic, tactical and operational level
• Compliance with governance / regulatory requirements
• Business continuity
• Customer confidence & brand protection
• Improved accountability and management efficiencies
Find the right information
• Millions of security alerts per day, only a few are relevant
– Filtering, aggregation, prioritisation, …
• Find one needle in a needle stack!
Aggregation and Correlation
[Funnel: Security Data → Events → Incidents]
Security Data (10 000 000's)
• Raw log Data
Events (1 000 000's)
• Aggregated event data
• Disbursed
• Heterogeneous
Incidents (100's)
• Prioritized lists
• Actionable Items
• CIA Business Impact Ratings
1. Analytics – Correlation, Threat and business impact ratings
2. Event Detection, IDS, VA, FW, Policy, & Vulnerability Scans
Incident Prioritisation and Allocation
Event: The smallest unit of security information. Can be positive, negative or informational.
Incident NOT Event!
Incident: A collection of events grouped together to form a single unit that requires actions from identification to closure.
Priorities:
• As Incidents are formed they are automatically prioritised.
• Prioritisation is based on the business impact of each encompassed event on the system.
Business impact is based on:
• Confidentiality
• Integrity
• Availability
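To make the funnel and the prioritisation rule concrete, here is a small worked example (added here; it is not code from the slides or from any Symantec product) that takes constructed log lines from several sensors, normalises and aggregates them into events, correlates events on the same asset into incidents, and scores each incident on the Confidentiality, Integrity and Availability impact of its worst event. The sensor names, signature names, asset CIA ratings, impact vectors, 60-minute correlation window and P1/P2/P3 thresholds are all assumptions chosen for illustration.

```python
"""Raw security data -> events -> prioritised incidents.

Added worked example for the aggregation/correlation funnel and the
CIA-based prioritisation described above. Not code from the slides or
from Symantec; every sensor, signature, asset rating and threshold here
is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed raw lines from heterogeneous sensors (IDS, firewall, AV, VA scanner).
RAW_LOGS = [
    "2010-03-01T09:00:01 ids src=10.0.0.5 dst=db01 sig=SQL-INJECTION",
    "2010-03-01T09:00:02 ids src=10.0.0.5 dst=db01 sig=SQL-INJECTION",
    "2010-03-01T09:00:03 ids src=10.0.0.5 dst=db01 sig=SQL-INJECTION",
    "2010-03-01T09:00:40 fw src=10.0.0.5 dst=db01 sig=OUTBOUND-DENY",
    "2010-03-01T09:05:00 av src=- dst=ws17 sig=TROJAN-DETECTED",
    "2010-03-01T09:30:00 vascan src=- dst=web02 sig=MISSING-PATCH",
    "2010-03-01T11:00:00 ids src=10.0.0.9 dst=web02 sig=PORT-SCAN",
]

# Assumed business-impact ratings, 0 (none) to 3 (high), as (C, I, A) tuples.
# In a real CERT these come from the constituent tier and the asset register.
ASSET_CIA = {"db01": (3, 3, 2), "web02": (2, 2, 3), "ws17": (1, 1, 1)}
SIG_IMPACT = {
    "SQL-INJECTION": (3, 2, 1),
    "OUTBOUND-DENY": (2, 0, 0),
    "TROJAN-DETECTED": (3, 3, 1),
    "MISSING-PATCH": (1, 1, 1),
    "PORT-SCAN": (1, 0, 0),
}
DEFAULT_CIA = (1, 1, 1)  # unknown asset or signature: assume low impact
CORRELATION_WINDOW = timedelta(minutes=60)  # assumed grouping window
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+src=(\S+)\s+dst=(\S+)\s+sig=(\S+)$")


@dataclass
class Event:
    """Smallest unit of security information; repeats are aggregated into one."""
    first_seen: datetime
    last_seen: datetime
    sensor: str
    src: str
    asset: str
    signature: str
    count: int = 1


@dataclass
class Incident:
    """Events on one asset grouped into a single unit that needs action."""
    asset: str
    events: list = field(default_factory=list)
    score: int = 0
    priority: str = "P3"

    @property
    def last_seen(self):
        return max(e.last_seen for e in self.events)


def parse_events(lines):
    """Normalise raw lines into events, aggregating exact repeats."""
    events = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable data is dropped here; count it in production
        ts = datetime.fromisoformat(m.group(1))
        key = (m.group(2), m.group(3), m.group(4), m.group(5))
        ev = events.get(key)
        if ev is None:
            events[key] = Event(ts, ts, *key)
        else:
            ev.count += 1
            ev.first_seen = min(ev.first_seen, ts)
            ev.last_seen = max(ev.last_seen, ts)
    return sorted(events.values(), key=lambda e: e.first_seen)


def event_impact(ev):
    """Business impact = signature CIA impact weighted by the asset's CIA rating."""
    asset = ASSET_CIA.get(ev.asset, DEFAULT_CIA)
    sig = SIG_IMPACT.get(ev.signature, DEFAULT_CIA)
    return sum(a * s for a, s in zip(asset, sig))


def correlate(events):
    """Group events on the same asset; a gap longer than the window opens a new incident."""
    open_incidents, incidents = {}, []
    for ev in events:
        inc = open_incidents.get(ev.asset)
        if inc is None or ev.first_seen - inc.last_seen > CORRELATION_WINDOW:
            inc = Incident(ev.asset)
            incidents.append(inc)
            open_incidents[ev.asset] = inc
        inc.events.append(ev)
    return incidents


def prioritise(incidents):
    """Score each incident on its worst event and order the actionable list."""
    for inc in incidents:
        inc.score = max(event_impact(e) for e in inc.events)
        inc.priority = "P1" if inc.score >= 15 else "P2" if inc.score >= 7 else "P3"
    return sorted(incidents, key=lambda i: (-i.score, i.events[0].first_seen))


def run_funnel(lines=RAW_LOGS):
    events = parse_events(lines)
    return events, prioritise(correlate(events))


if __name__ == "__main__":
    events, incidents = run_funnel()
    print(f"{len(RAW_LOGS)} raw lines -> {len(events)} events -> {len(incidents)} incidents")
    for inc in incidents:
        sigs = ", ".join(f"{e.signature} x{e.count}" for e in inc.events)
        print(f"{inc.priority} score={inc.score:2d} asset={inc.asset}: {sigs}")
```

Running it prints the 7 → 5 → 4 funnel and the prioritised list, with the database server's injection-plus-egress incident at the top. The two web02 incidents show the window rule: a scanner finding at 09:30 and an IDS event at 11:00 fall outside the 60-minute window and so become separate incidents. Scoring on the worst event, rather than summing, keeps a flood of low-impact events from outranking a single serious one; the thresholds and vectors are where a real CSIRT encodes its constituent tiers.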
Typical Design: What does it look like?
A Comprehensive Solution
• Multi-vendor security systems generate overwhelming numbers of raw logs, events and alerts
• Security professionals analyze & evaluate the results
• Security Analysts, through the Secure Interface, keep in constant touch with their assigned Clients, with proactive commentary and recommendations on threats impacting their network.
[Diagram: Vulnerability Mgmt., AV/Filtering, IDS and Firewalls feeding the Security Analyst]
[Architecture diagram: CSIRT Security Operations Centre]
Users / Stakeholders: Staff, Suppliers, Customers, Investors (Computer, Mobile, Laptop, PDA)
External Stakeholders: Law Enforcement, Regulators, Intelligence, Government
Security Control Layer: Endpoint Compliance, Network IPS, Firewall, Host IPS, Policy Compliance, Anti-Virus, Gateway Content, Identity Management, Messaging Security
Applications Layer: File, Trading, DB, Web
Infrastructure Layer: Routers, Hubs, Storage Group, Cabling
Server Layer
IT Operations Layer: Business Intelligence Systems, Operational Support Systems, Business Support Systems
Analysis
Inputs to the SOC: Pentest / Audit Process; Global Intelligence Service Feed; Vulnerability Assessment Service; SOC Technology Platform; CIS Regions Data Feeds; Other Regions Data Feeds; Security Technology Specialist Resources; Strategic Security Partners
SOC Central Processes: Monitoring and Analysis; Incident Management Escalation Process; Incident Management Mitigation Process; Problem Management; Change Management; Remediation; Remediation Specialist; Enterprise Reporting Dashboard
Deployment Chart: Phases 1–5 across Depts 1–6
Supporting Processes, Procedures and Standards across Infrastructure, Services, Users and Technologies required to deliver fully integrated Security Enterprise Management Function
Requirements: What are the Key Success Factors?
Key Components for Building a CSIRT
• Infrastructure supporting Technologies
• Data and Intelligence Sources
• Specialist Skills and Capacity
• Best Practice Policies and Processes
• Partnership Stakeholder Management
[Diagram: Security Operations Centre (SOC) components – Import Facilities (Authenticate, Encrypt, Verify, Normalize); Relational DB Infrastructure; Expert System & Anomaly Query Engine; Continuous Data Mining Process; Response Console; Security Analysts / Analysis; Secure Interface; monitored sources over the Internet: Firewalls, VPN, IDS, AV/Content, Vulnerability Scanning, Policy Compliance]
Implementation: Where do we start?
Decide on the basic delivery model
In-Sourced
Outsourced
Co-Sourced
Virtual Extension Model
On-site Managed Security Support
Deliverables: What will the CSIRT deliver?
Top-10 functions of the CSIRT SOC
Proactive vulnerability scanning
Analysis of Global Threat Intelligence
Communication of Alerts/Advisories
Compliance monitoring / management
Incident response & remediation
BCM / DR support & validation
Vulnerability management
Forensic support / Logging
Collaboration & Awareness (Law/ISP)
Report Generation & Dashboard
Partnership: Who can help us achieve this?
Symantec Value Proposition
People
o World Class Engineering Staff
o Industry Leading Security Response Team
o Unparalleled SOC Expertise
Process
o Globally Consistent Operational Execution
o ITIL best practices
o Transparent, Measurable, Auditable Process for Continual Improvement
Technology
► Market Leading Correlation
► Proven scalability
► Breadth of device support
► Secure Web portal to provide clarity into your security posture
Questions?
Q & A
Visit www.2010netthreat.com
Thank you!