
Anatomy of a CERT - Gordon Love, Symantec


Page 1

Anatomy of a CERT

Gordon Love, Regional Director for Africa

March 2010

Page 2

Agenda

• The African landscape is changing
• Why do we need a CERT – Threat Landscape
• Steps in building a CERT
• The role of a CSIRT
• Q&A

Page 3

Africa is Changing…

Broadband Capacity Increases (chart)

Page 4

Lessons Learned – increased broadband capacity

• Africa is currently updating its broadband infrastructure

• There is an increase in malicious activity in countries with rapidly emerging Internet infrastructures

• Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers

• With cheaper and faster Internet, more Africans will be “always-on” or continually connected

• There will be many “new” internet users that are not security-savvy

Page 5

What do we need to protect against…

Page 6

Symantec Security Response – How do we know?

Over 25,000 Registered Data Partners, From Over 180 Countries

(World map of Symantec Monitored Countries, with Symantec Secure Operations Centers and Symantec Response Labs at San Antonio, TX; Redwood City, CA; Calgary, Canada; American Fork, UT; Santa Monica, CA; Tokyo, Japan; Sydney, Australia; Newport News, VA; Berlin, Germany; London, England; Waltham, MA; Dublin, Ireland; Alexandria, VA)

Attack Activity
• 240,000 sensors
• 200+ countries

Malware Intelligence
• 130M client, server, gateways monitored
• Global coverage

Vulnerabilities
• 32,000+ vulnerabilities
• 11,000 vendors
• 72,000 technologies

Spam/Phishing
• 2.5M decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day

Rapid Detection

Page 7

IWECA Presence (map; legend: Symantec Resource, Distributor, Reseller)

IDC Adjusted Market Potential Ranking
1 Angola
2 Nigeria
3 Kenya
4 Uganda
5 Tanzania
6 Mauritius
7 Ethiopia
8 Botswana
9 Ghana
10 Namibia

Page 8

Country Ranking by Economic Growth (%) 2008
1 Angola 21.4
2 Ethiopia 8.4
3 Uganda 6.4
4 Tanzania 7.2
5 Kenya 4.4
6 Nigeria 7.5
7 Ghana 6.3
8 Mauritius 5.8
9 Namibia 5.5
10 Botswana 4.4

Page 9

Country Ranking by IT Spend ($m) Per Capita 2008
1 Mauritius 74.26
2 Botswana 66.02
3 Namibia 39.42
4 Angola 18.46
5 Kenya 9.14
6 Ghana 7.93
7 Nigeria 7.11
8 Tanzania 3.75
9 Uganda 2.74
10 Ethiopia 1.76

Page 10

IDC Predicted ICT Growth (chart)

Page 11

Kenya review

Analyst Opinion: In Kenya, the IT market reached a value of $352.7 million and is expected to grow, albeit slowly, at 6.1% in 2009 to reach $374.0 million. Over a five-year period, IDC forecasts that the market will increase at a CAGR of 14.6% to reach $615.9 million by 2012.

Page 12

Threat Landscape: ISTR XIV Key Trends

Cyber criminals want YOUR information
• Focus on exploits targeting end-users for financial gain

Web-based malicious activity has accelerated
• Primary vector for malicious activity
• Target reputable, high-traffic websites

Increased sophistication of the Underground Economy
• Well-established infrastructure for monetizing stolen information

Rapid adaptation to security measures
• Relocating operations to new geographic areas
• Evade traditional security protection

* Symantec Internet Security Threat Report, Volume XIV

Page 13

Key Trends – Global Activity Highlights

Threat Activity
• Data breaches can lead to identity theft
• Theft and loss top cause of data leakage for overall data breaches and identities exposed
• Threat activity increases with growth in Internet/Broadband usage

Vulnerabilities
• Documented vulnerabilities up 19% (5491)
• Top attacked vulnerability: exploits by Downadup
• 95% of vulnerabilities attacked were client-side

Malicious Code
• Trojans made up 68 percent of the volume of the top 50 malicious code
• 66% of potential malicious code infections propagated as shared executable files

Spam/Phishing
• 76% of phishing lures target financial services (up 24%)
• Detected 55,389 phishing website hosts (up 66%)
• Detected 192% increase in spam across the Internet with 349.6 billion messages
• 90% of spam email distributed by bot networks

* Symantec Internet Security Threat Report, Volume XIV

Pages 14–19

New Threat Landscape (chart of Number of New Threats by Period, built up over six slides with the following callouts)

• 1177% increase in malware since 2006
• 2/3 of malicious code created in 2008
• In 2000: 5 detections a day
• In 2007: 1431 detections a day
• In 2009: 15 000+ detections a day


Page 21

• 192% growth in spam from 2007 to 2008
• In 2008, Symantec documented 5,471 vulnerabilities, 80% of which were easily exploitable
• 90% of incidents would not have happened if systems had been patched
• In 2008 we found 75,000 active bot-infected computers per day, up 31% from 2007

Page 22

How do we respond at a Regional / National level…

Page 23

Objectives of a CERT

• Enhance information security awareness

• Build national expertise in information security, incident management and computer forensics

• Enhance the cyber security law and assist in the creation of new laws

• Provide a central trusted point of contact for cyber security incident reporting

• Establish a national centre to disseminate information about threats, vulnerabilities, and cyber security incidents

• Foster the establishment of and provide assistance to sector-based Computer Security Incident Response Teams (CSIRTs)

• Coordinate with domestic and international CSIRTs and related organizations

• Become an active member of recognized security organizations and forums

Page 24

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

CERTS across Europe


Page 26

Emerging FY '11 Planning

CERT Framework – Mandate, Charter & Constituents (diagram)

Elements: Cert Charter; Mandate; Constituent Identification & Classification; Service Offerings; Global Affiliations; Strategic Partnerships; Constituents & Strategic Partnerships

STRUCTURE: Constituent campaigning and Memberships
01 · Mutually beneficial alliances established

FUNCTIONALITY: Constituent database with defined roles & responsibilities in place and equipped to leverage strategic partnerships and affiliations
02 · Cert Framework designed & Implemented

DELIVERY: Phased delivery of services

Information Security Through Committed Partnership

Page 27

Constituent Tier System

• TIER 1 – damage to which would cause critical harm to the critical information infrastructure. For example: regulated electronic communications providers; federal ministries responsible for the critical national infrastructure; national security organizations
  – Government Departments with direct responsibility for an area of CNI
  – Providers of Communications Infrastructure
  – National Security
  – Must have incident response capability

• TIER 2 – damage to which would cause serious harm to the critical information infrastructure. For example: providers of utilities and other parts of the critical infrastructure such as banking
  – Providers of CNI Services
  – Government Departments not involved in CNI
  – Must have incident response capability

• TIER 3 – damage to which would cause some harm to the critical information infrastructure. For example: other government departments, agencies, councils and commissions; logistics and transport providers
  – General Commerce
  – Other Government Departments
  – Special Councils & Commissions

• PUBLIC – all other sectors and the wider public
  – General Public
  – Anyone not covered in Tier 1 - 3

Page 28

Emerging FY '11 Planning

CERT Framework – Develop Legal & Regulatory Framework
CERT Framework – Implement Global Best Practices / Policies / Procedures

Page 31

CERT Framework – Develop Legal & Regulatory Framework
CERT Framework – Employ and Develop Skilled Resources and Partners

Page 32

CERT Framework – Develop Legal & Regulatory Framework
CERT Framework – Achieve Operational Capability with fully functional SOC

Page 33

High Level CERT Process Summary

1. Build a Cert Framework
2. Develop Mandate, Charter and Constituents
3. Develop Legal & Regulatory Framework
4. Build required Infrastructure & Technology
5. Implement Global Best Practices, Policies and Procedures
6. Source and Develop skilled Resources, Capability and Partners
7. Achieve Operational Capability & fully Functional CSIRTS

Page 34

The role of a CSIRT

Page 35

Why is it important? Benefits of CSIRT

Objectives
• Relevant & timeous security data aggregated into one location
• 24 x 7 x 365 real-time response capability
• Coordination of preventative and response actions
• Reduced complexity/cost through standardisation / integration
• In-depth reporting at strategic, tactical and operational level
• Compliance with governance / regulatory requirements
• Business continuity
• Customer confidence & brand protection
• Improved accountability and management efficiencies

Page 36

Find the right information

• Millions of security alerts per day, only a few are relevant
  – Filtering, aggregation, prioritisation, …
• Find one needle in a needle stack!

Page 37

Aggregation and Correlation (funnel diagram: Security Data, then Events, then Incidents)

Security Data – 10 000 000's
• Raw log data

Events – 1 000 000's
• Aggregated event data
• Dispersed
• Heterogeneous

Incidents – 100's
• Prioritized lists
• Actionable items
• CIA Business Impact Ratings

Processing steps shown on the funnel:
1. Analytics – correlation, threat and business impact ratings
2. Event Detection – IDS, VA, FW, Policy & Vulnerability Scans

Page 38

Incident NOT Event!

Event: The smallest unit of security information. Can be positive, negative or informational.

Incident: A collection of events grouped together to form a single unit that requires actions from identification to closure.

Page 39

Incident Prioritisation and Allocation

Priorities:
• As Incidents are formed they are automatically prioritised.
• Prioritisation is based on the business impact of each encompassed event on the system.

Business impact is based on:
• Confidentiality
• Integrity
• Availability
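As an added illustration of the funnel on pages 37 to 39 (this is not Symantec's code or tooling), the following toy Python correlates raw events into incidents keyed by source and target, drops informational events, and ranks incidents by the highest CIA business-impact rating of the threatened asset; the asset ratings, event-type mapping and sample events are all constructed.

```python
"""Toy event-to-incident correlation with CIA-based prioritisation (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical business-impact ratings per asset on a 1-5 scale for
# Confidentiality, Integrity and Availability (constructed, not Symantec's).
ASSET_IMPACT = {
    "db-01": {"C": 5, "I": 5, "A": 4},   # customer database
    "web-01": {"C": 2, "I": 3, "A": 4},  # public web server
    "ws-17": {"C": 1, "I": 1, "A": 1},   # staff workstation
}
DEFAULT_IMPACT = {"C": 1, "I": 1, "A": 1}  # unknown assets get the lowest rating

# Which CIA property each event type threatens; None marks informational events.
EVENT_PROPERTY = {"sql_injection": "C", "port_scan": "C", "file_tamper": "I",
                  "syn_flood": "A", "login_ok": None}

# Constructed sample events, as a detector might emit them after normalisation.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst": "ws-17", "type": "port_scan"},
    {"src": "10.0.0.5", "dst": "ws-17", "type": "port_scan"},
    {"src": "10.0.0.5", "dst": "ws-17", "type": "port_scan"},
    {"src": "203.0.113.9", "dst": "web-01", "type": "syn_flood"},
    {"src": "203.0.113.9", "dst": "db-01", "type": "sql_injection"},
    {"src": "10.0.0.8", "dst": "db-01", "type": "login_ok"},  # informational
]

@dataclass
class Incident:
    source: str
    target: str
    events: list = field(default_factory=list)

    def impact(self) -> int:
        """Business impact: the highest CIA rating threatened by any member event."""
        rating = ASSET_IMPACT.get(self.target, DEFAULT_IMPACT)
        return max(rating[EVENT_PROPERTY[e["type"]]] for e in self.events)

def correlate(events):
    """Filter out informational events and group the rest by (source, target)."""
    buckets = defaultdict(list)
    for e in events:
        if EVENT_PROPERTY.get(e["type"]) is None:
            continue  # informational or unknown type: not part of any incident
        buckets[(e["src"], e["dst"])].append(e)
    return [Incident(s, d, evs) for (s, d), evs in buckets.items()]

def prioritise(incidents):
    """Rank incidents by business impact, then by event count, highest first."""
    return sorted(incidents, key=lambda i: (i.impact(), len(i.events)), reverse=True)

def triage(events=SAMPLE_EVENTS):
    """Return (target, impact, event_count) per incident in priority order."""
    return [(i.target, i.impact(), len(i.events)) for i in prioritise(correlate(events))]
```

Note that the noisy three-event scan against the workstation ranks last: the ordering follows business impact, not event volume.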

Page 40

A Comprehensive Solution

• Multi-vendor security systems generate overwhelming numbers of raw logs, events and alerts
• Security professionals analyze & evaluate the results
• Security Analysts, through the Secure Interface, keep in constant touch with their assigned Clients, with proactive commentary and recommendations on threats impacting their network.

(Diagram: Vulnerability Mgmt., AV/Filtering, IDS and Firewalls feeding the Security Analyst)

Page 41

Typical Design: What does it look like? (architecture diagram)

CSIRT Security Operations Centre
• SOC Central Processes: Monitoring and Analysis; Incident Management Escalation Process; Incident Management Mitigation Process; Problem Management; Change Management; Remediation; Remediation Specialist; Enterprise Reporting Dashboard
• Inputs and partners: Global Intelligence Service Feed; Vulnerability Assessment Service; Pentest / Audit Process; SOC Technology Platform; CIS Regions Data Feeds; Other Regions Data Feeds; Security Technology Specialist Resources; Strategic Security Partners
• Deployment chart: Phases 1–5 across Depts 1–6

Layers
• Security Control Layer: Network IPS; Firewall; Host IPS; Policy Compliance; Anti-Virus; Gateway Content; Endpoint Compliance
• Applications Layer: File; E-mail; Trading; DB; Web
• Infrastructure Layer: Routers; Hubs; Storage Group
• Server Layer
• IT Operations Layer: Business Intelligence Systems; Operational Support Systems; Business Support Systems; Identity Management; Messaging Security; Cabling
• Users / Stakeholders: Staff, Suppliers, Customers, Investors (Computer, Mobile, Laptop, PDA)
• External Stakeholders: Law Enforcement, Regulators, Intelligence, Government

Supporting Processes, Procedures and Standards across Infrastructure, Services, Users and Technologies required to deliver fully integrated Security Enterprise Management Function

Page 42

Requirements: What are the Key Success Factors?

Key Components for Building a CSIRT
• Infrastructure supporting Technologies
• Data and Intelligence Sources
• Specialist Skills and Capacity
• Best Practice Policies and Processes
• Partnership Stakeholder Management

Page 43

Security Operations Centre (SOC) (architecture diagram)

• Sources: Internet; Firewalls; VPN; IDS; AV/Content; Vulnerability Scanning; Policy Compliance
• Import Facilities: Authenticate; Encrypt; Verify; Normalize
• Relational DB Infrastructure
• Expert System & Anomaly Query Engine
• Continuous Data Mining Process
• Response Console
• Security Analysts / Analysis
• Secure Interface

Page 44

Implementation: Where do we start?

Decide on the basic delivery model
• In-Sourced
• Outsourced
• Co-Sourced
• Virtual Extension Model
• On-site Managed Security Support

Page 45

Deliverables: What will the CSIRT deliver?

Top-10 functions of the CSIRT SOC
• Proactive vulnerability scanning
• Analysis of Global Threat Intelligence
• Communication of Alerts/Advisories
• Compliance monitoring / management
• Incident response & remediation
• BCM / DR support & validation
• Vulnerability management
• Forensic support / Logging
• Collaboration & Awareness (Law/ISP)
• Report Generation & Dashboard

Page 46

Partnership: Who can help us achieve this?

Symantec Value Proposition

People
o World Class Engineering Staff
o Industry Leading Security Response Team
o Unparalleled SOC Expertise

Process
o Globally Consistent Operational Execution
o ITIL best practices
o Transparent, Measurable, Auditable Process for Continual Improvement

Technology
► Market Leading Correlation
► Proven scalability
► Breadth of device support
► Secure Web portal to provide clarity into your security posture

Page 47

Questions ?

Page 48

Q & A

Visit www.2010netthreat.com

Page 49

Thank you!


Gordon Love

[email protected]