Business Overview - SSR (에스에스알) Information Security (source: ssrinc.co.kr/upload/ssrinc2015_en.pdf)
Business Overview
INDEX
I. Business Area
II. Milestone
III. Organization
IV. Consulting
  1. Penetration Test Service
  2. Security Assessment Service
  3. Security Management Consulting
V. Solutions
  1. SolidStep™
  2. MetiEye™
I. Business Area

SSR Inc. specializes in providing integrated information security services, including consulting and IT solution development and maintenance, for government, education, healthcare, finance and enterprise customers.

Highlights:
• LG CNS special consulting partner
• Information sharing partner of KISA
• More than 84% of employees are technically skilled
• 60% of consultants are MENSA members
• 100% success rate in penetration tests

Consulting
- Technical Consulting
  - Penetration Test: web, mobile and C/S vulnerability assessment; security assessment of infrastructure systems; assessment of smart home devices such as TVs; annual enterprise security assessment
  - Security Assessment for IT Service
- Administrative Consulting
  - I.S.M.S.: information security management
  - P.I.M.S.: management of private information; internal information leakage prevention
- Security Assessment for Information Assets: server / WAS / DBMS / network assessment; PC assessment

Solutions
- SolidStep: solution configuration assessment
- MetiEye: webshell detection and protection; intrusion activity detection; web page change audit

※ Asst. = Assessment (abbreviation used on the slides)
II. Milestone

Milestones (the slide places them at 2010.8, 2010.9, 2011.12, 2012.9, 2012.10, 2013.4, 2014.3, 2014.5 and 2014.11):
- Established SSR Inc.
- Became an LG CNS consulting partner
- Constituted the Technical Lab.
- Certified to ISO 9001
- Launched SolidStep and MetiEye
- Certified to ISO/IEC 27001
- Certified as a National Consulting Firm
- Signed an information sharing agreement with KISA
- Won the Korea S/W Technology Award
- 2014.8: CC (Common Criteria) certification for MetiEye
- 2014.12: CC (Common Criteria) certification for SolidStep

Growth 2010-2014 (revenue in Korean won):
  Year   Revenue   Employees
  2010   0.2B       5
  2011   1.2B      11
  2012   3.6B      42
  2013   4.2B      50
  2014   5B        69
Revenue increased 25x and headcount 14x over four years.

Revenue from the security consulting business has grown remarkably every year since 2010, and in 2013 we also began investing strategically in the security solution business.
III. Organization

Units shown on the organization chart: the Solution Division and the Consulting Division under the C.E.O., with a C.T.O. and an Administration unit; Technical Consulting, Administrative Consulting and the Lab.; product teams for SolidStep, MetiEye, Design and Advancement; consulting teams Consulting 1 to Consulting 7; Strategic Planning, Business Planning, Sales and System Engineer.

Headcount by role:
  Director            1
  Administration      2
  Sales               8
  Technical Support   4
  R&D                14
  Consultants        38
  Total              67
16 MENSA members.
IV. Consulting
1. Penetration Test Service

A penetration test is the practice of testing a system, network and application to find vulnerabilities that an attacker could exploit. SSR's penetration tests are performed manually, with market-leading techniques, by professional consultants rather than by tools alone.

SSR expert roles: Mobile Specialist, Code Assessment Professional, Reverse Engineer, System Specialist, Penetration Tester.

Attack scenario shown on the slide: starting from normal access, service points (mobile, web application, mail) are attacked through application attacks; internal systems (HR system, MES system, R&D system) are attacked through O.S. and network attacks; a backdoor is planted along the way; the end goal is to obtain the information assets.

Assessment types:
- Reverse engineering: discover security threats that can arise from evasion, and provide countermeasures to the related vulnerabilities, by reverse engineering the program's essential functions.
- Source code assessment: determine vulnerabilities in the source and suggest countermeasures:
  - check for proper input value validation
  - check for secure coding practice
  - check for leaks of important information
- Web service vulnerability analysis: carried out against the client's web service checklist; each vulnerability and its effect on related systems is analysed.
- Web application source code: determine the vulnerabilities within the web application source code and suggest proper countermeasures.
- Server hardening analysis: analysis aimed at hardening the server OS settings, the WEB/WAS server settings, the DBMS server settings and the network transmission equipment settings.
- Smart Office / mobile: analyse the Smart Office environments of public institutions and conglomerates, divided into the application side and the client mobile app transmission process, and suggest proper countermeasures to the vulnerabilities found.
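The three source-review checks listed above (input validation, secure coding practice, and leakage of important information), shown in working code as an added illustration that is not SSR's own code or checklist: a user-lookup function that fails all three beside a hardened form that passes them. The in-memory users table, the usernames, the allowlist pattern and the function names are all constructed for this example.

```python
"""Added illustration (not SSR's code or checklist): the three source-review
checks above, as a vulnerable user lookup beside a hardened one. The users
table, the usernames and all function names are constructed."""
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")  # allowlist for the name parameter


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user whose SSN must never leave the server."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, ssn TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "123-45-6789"))
    return db


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> dict:
    """Fails all three checks:
    1. no input validation: any string reaches the query;
    2. insecure coding: the query is built by string concatenation (SQL injection);
    3. information leak: the SSN column and raw DB errors are returned to the caller."""
    try:
        row = db.execute(
            "SELECT name, ssn FROM users WHERE name = '" + name + "'").fetchone()
    except sqlite3.Error as exc:
        return {"ok": False, "error": f"DB error: {exc} (query for {name!r})"}
    return {"ok": True, "user": row}


def lookup_hardened(db: sqlite3.Connection, name: str, log: list) -> dict:
    """Passes the same three checks:
    1. the name is validated against an allowlist before any use;
    2. the query is parameterised, so input can never change its structure;
    3. only non-sensitive fields are returned, and error detail goes to the
       server log, never to the caller."""
    if not USERNAME_RE.fullmatch(name):
        return {"ok": False, "error": "invalid request"}
    try:
        row = db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    except sqlite3.Error as exc:
        log.append(f"db error during lookup: {exc}")
        return {"ok": False, "error": "internal error"}
    if row is None:
        return {"ok": False, "error": "not found"}
    return {"ok": True, "user": {"name": row[0]}}


def demo() -> dict:
    """Run both versions against an injection payload and a malformed input."""
    db, log = make_db(), []
    injection = "' OR '1'='1"
    return {
        "vuln_injection": lookup_vulnerable(db, injection),   # returns alice's SSN
        "vuln_malformed": lookup_vulnerable(db, "x'"),        # leaks the DB error text
        "hard_injection": lookup_hardened(db, injection, log),
        "hard_valid": lookup_hardened(db, "alice", log),
        "hard_missing": lookup_hardened(db, "bob", log),
        "server_log": log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injection string makes the concatenated WHERE clause always true, so the vulnerable lookup hands back the first row including the SSN, and a single stray quote returns the SQLite error text to the caller; the hardened version rejects both at the allowlist and would log, not return, any database error.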
IV. Consulting
2. Security Assessment Service

SSR's technical consulting, covering web, mobile, server and network, delivers the best quality of service by tailoring the work to the customer's requirements.

Assessment scope
Service assets:
- Web Application: web vulnerability; web penetration test; source code
- C/S Application: reverse engineering; source code
- Mobile Application: mobile vulnerability; data leakage vulnerability; source code
Information assets:
- Security System: policy; operation; authorization
- Server: OS vulnerability; web vulnerability; WAS vulnerability; DBMS vulnerability
- Network: configuration security; appliance vulnerability

Customers
- On-site resident assessment: DOOSAN Group, NEXON Korea, LG U+, SK planet, eBay Korea
- Project-based assessment: Auction, LG Electronics, G market, BC card, HYUNDAI autoever, POSCO, DAUM, DAERIM industry, National Rehabilitation Center, KERIS, HMC Investment Securities, Yeungnam University, Korea Centers for Disease Control and Prevention, etc.
IV. Consulting
3. Security Management Consulting

To counter security threats to valuable IT assets, SSR's information security consulting proposes key solutions that make security management more effective and raise security awareness.

Goals for information security: security operation, security policies, security processes, information security management, personal information management, internal information leakage prevention.

Strategies: key solutions based on IT security infrastructure and security awareness.
- Information security certification: I.S.M.S., ISO/IEC 27001
- Private information security certification: P.I.M.S., P.I.P.L.
Expected results: improved reliability; employees' active participation in the security campaign; system enhancement.

Consulting services
- KISA ISMS consulting
  Details: help ensure systematic and effective management of important security administration according to the KISA ISMS standard.
  Certification criteria: 5 administrative procedures, 12 control items; 13 domains, 92 countermeasures.
  Issuing institution: KISA (Korea Internet & Security Agency).
- ISO/IEC 27001 consulting
  Details: support systematic and effective management of information security according to the ISO/IEC 27001 standard.
  Certification criteria: 11 domains, 133 controls.
  Issuing institution: I.R.C.A.
- KISA PIMS consulting
  Details: assist in establishing a system that safely manages private data according to the PIMS standard.
  Certification criteria: 5 personal information administrative procedures, 11 controls; 3 life-cycle procedures, 28 controls; 9 domains, 79 countermeasures.
  Issuing institution: KISA (Korea Internet & Security Agency).
V. Solutions
1. SolidStep™ – Security Configuration Assessment System

SolidStep™ is an automated security assessment system that performs fast security scans across the entire IT asset base (servers (O.S., web), network devices, DBMS and PCs/endpoints) and audits configuration changes in real time. It is the first SCA (Security Configuration Assessment)/VA system to improve on what manual scanning work has achieved.

- 100% applicable report: by scanning and analysing against the client company's own security policy, SolidStep produces a report on which a system manager can act directly.
- Broad scanning spectrum of 1,000 items: 1,000 inspection items developed and refined by 50 experts satisfy both domestic and overseas standards.
- 300 times faster scanning: SSR's own optimized automation boasts a checking speed 300 times faster than the existing manual method.
- Total inspection: know-how in a faster agent structure puts less load on servers during comprehensive, large-scale inspection.
- 1/3 cost: only one third of the cost of existing (manual) vulnerability assessment consulting is needed, thanks to broad, swift and comprehensive scans with actionable results.

Features
- Server security assessment; DBMS security assessment; web configuration security assessment; PC security assessment
- Account audit; customized assessment rules; statistics report; change audit
- Offline assessment: manually assess the encrypted collection files gathered with the agent
- Online assessment with the agent ("4-free"):
  • Install-free: portable program, no reboot needed
  • OS-free: Windows, Linux, AIX, HP-UX, Solaris, etc. (11 platforms supported)
  • Resource-free: CPU consumption below 1%
  • ACL-free: no agent port listening; communicates over HTTPS
- Agentless online assessment (via SSH or Winexec), compared with the agent:
  • zero agent installation and operation issues; guarantees the same results the agent produces
  • requires server access credentials and a network ACL
  • add-ons (resource monitoring, etc.) not available; assessment scheduling not available

Architecture (as drawn on the slide): the SolidStep Manager (H/W) contains the Analyzer, Templates, Collector and Reporter together with a password crack module (3 ways); through the firewall it assesses Windows, Unix, DBMS, WEB and WAS servers, PCs and network devices, and it is reachable from the Internet.

[Dashboard for security manager (screenshot)]
[Assessment baseline and analysis reports (screenshots)]
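What a security configuration assessment of this kind does at its core, as an added example that is not SolidStep's own code, rule format or inspection items: a customized rule set is applied to the configuration files collected from a host, an account audit runs over the password database, and a change audit compares a fresh collection against a stored baseline of digests. The rule IDs, patterns, thresholds, file paths and sample host files below are constructed for illustration.

```python
"""Added example, not SolidStep's own code or rule set: rule-based
configuration assessment, account audit and change audit over collected
files. Rules, IDs, paths and sample files are constructed."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    path: str      # collected file the rule applies to
    pattern: str   # regex tested line by line
    expect: bool   # True: some line must match; False: no line may match
    fix: str       # countermeasure printed in the report


# Constructed rule set (illustrative IDs; a real baseline carries far more items).
RULES = (
    Rule("SSH-01", "/etc/ssh/sshd_config", r"^\s*PermitRootLogin\s+no\b", True,
         "set 'PermitRootLogin no'"),
    Rule("SSH-02", "/etc/ssh/sshd_config", r"^\s*Protocol\s+1\b", False,
         "remove 'Protocol 1'"),
    Rule("SSH-03", "/etc/ssh/sshd_config", r"^\s*PasswordAuthentication\s+no\b", True,
         "set 'PasswordAuthentication no'"),
    Rule("SVC-01", "/etc/inetd.conf", r"^\s*(telnet|ftp|rsh|rlogin)\b", False,
         "disable clear-text services in inetd.conf"),
)

# Constructed collection from one sample host, keyed by path (what an agent
# or an SSH-based collector would gather).
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": "Port 22\nProtocol 1\nPermitRootLogin yes\nPasswordAuthentication yes\n",
    "/etc/inetd.conf": "telnet stream tcp nowait root /usr/sbin/in.telnetd\n",
    "/etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                    "toor:x:0:0:backup admin:/root:/bin/bash\n"
                    "app:x:1001:1001::/srv/app:/bin/bash\n"),
    "/etc/shadow": ("root:$6$salt$hash:18000:0:99999:7:::\n"
                    "toor::18000:0:99999:7:::\n"
                    "app:$1$salt$hash:18000:0:99999:7:::\n"),
}


def assess(files: dict, rules=RULES) -> list:
    """Apply every rule to the collected files; return the failed ones with their fix."""
    failed = []
    for r in rules:
        lines = files.get(r.path, "").splitlines()
        matched = any(re.search(r.pattern, line) for line in lines)
        if matched != r.expect:
            failed.append({"rule": r.rule_id, "path": r.path, "fix": r.fix})
    return failed


def audit_accounts(files: dict) -> list:
    """Account audit: extra UID-0 accounts, empty passwords and weak (md5crypt) hashes."""
    findings = []
    for line in files.get("/etc/passwd", "").splitlines():
        name, _pw, uid, _gid, _gecos, _home, _shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append((name, "additional UID 0 account"))
    for line in files.get("/etc/shadow", "").splitlines():
        name, pw_hash = line.split(":")[:2]
        if pw_hash == "":
            findings.append((name, "empty password"))
        elif pw_hash.startswith("$1$"):
            findings.append((name, "weak md5crypt password hash"))
    return findings


def snapshot(files: dict) -> dict:
    """Per-file SHA-256 digests: the baseline the change audit compares against."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def change_audit(baseline: dict, current: dict) -> dict:
    """Report files created, modified or deleted since the baseline snapshot."""
    return {
        "created": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    print("failed rules:", assess(SAMPLE_FILES))
    print("account findings:", audit_accounts(SAMPLE_FILES))
    hardened = {**SAMPLE_FILES, "/etc/ssh/sshd_config":
                "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"}
    print("changes since baseline:", change_audit(snapshot(SAMPLE_FILES), snapshot(hardened)))
```

Keeping the collected files as plain text keyed by path is what makes the same rules usable for both the agent and the agentless (SSH/Winexec) collection modes described above, and for offline assessment of a stored collection; the digests in the snapshot are also what a real-time change audit watches between scheduled scans.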
V. Solutions
2. MetiEye™ – Webshell Protection System

Product overview: MetiEye™'s edge is its webshell pattern DB, which consultants have collected and developed over numerous consulting engagements since the company was founded. Its heuristic detection algorithm for ETDR (Endpoint Threat Detection & Response) is patent pending.

Monitoring system (as shown on the slide):
- Threats, whether from an external hacker or an internal developer: information-leaking code injection, webshell upload, insertion of a malicious backdoor, leftover test and backup files.
- Response: detect the malicious behaviour; isolate the webshell and block the source IP; generate a report for the administrator.

Key features: webshell / malicious URL detection; web source change management; file creation/upload control; remote management; flexible UI.
Special features: massive pattern DB; heuristic detection engine; hash DB of known webshells; no reboot after updating; algorithm optimization.
Support: Lab and consulting teams; developers with pen-test careers; continuous gathering of new webshell patterns.

[Dashboard for security manager (screenshot)]
[Detection details and monthly/daily detection reports (screenshots)]
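How the detection layers named above fit together, as an added example that is not MetiEye's engine, pattern DB or patented algorithm: a hash DB of known webshells is consulted first, then a pattern DB, then a heuristic score, and a separate web source change check flags files created or modified since deployment as well as leftover test and backup files. Every sample file, pattern, weight, threshold and digest below is constructed for illustration; the one "known" hash is derived from an inline sample only because there is no real hash DB to load.

```python
"""Added example, not MetiEye's code or pattern DB: hash DB, pattern DB and
heuristic scoring for webshell detection, plus web source change management.
Samples, patterns, weights and thresholds are constructed."""
import hashlib
import math
import re

# Constructed pattern DB: (regex, description, weight). Real DBs hold thousands of entries.
PATTERNS = (
    (r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", "eval of request input", 10),
    (r"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)\b",
     "command execution of request input", 10),
    (r"\beval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(",
     "eval of decoded payload", 8),
    (r"Runtime\.getRuntime\(\)\.exec\s*\(", "Java Runtime.exec (JSP)", 8),
    (r"\b(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", "obfuscation decoder", 3),
    (r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", "request parameter access", 1),
)
SCORE_WEBSHELL, SCORE_SUSPICIOUS = 8, 4
LEFTOVER_RE = re.compile(r"\.(bak|old|orig|swp|tmp|zip|tar|gz)$|(^|/)test[^/]*\.(php|jsp|asp)$", re.I)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; packed or encoded payloads score high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def analyze(path: str, data: bytes, known_hashes: set) -> dict:
    """Hash DB first (cheap and exact), then the pattern DB, then heuristics."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_hashes:
        return {"path": path, "verdict": "known webshell", "score": 100,
                "reasons": ["sha256 in hash DB"]}
    text = data.decode("utf-8", "replace")
    score, reasons = 0, []
    for rx, why, weight in PATTERNS:
        if re.search(rx, text):
            score += weight
            reasons.append(why)
    # Heuristic: a long, high-entropy string literal usually hides an encoded payload.
    literals = re.findall(r"[\"']([A-Za-z0-9+/=]{40,})[\"']", text)
    if literals and max(entropy(lit) for lit in literals) > 4.5:
        score += 4
        reasons.append("high-entropy string literal")
    if LEFTOVER_RE.search(path):
        score += SCORE_SUSPICIOUS
        reasons.append("leftover test/backup file in web root")
    verdict = ("webshell" if score >= SCORE_WEBSHELL else
               "suspicious" if score >= SCORE_SUSPICIOUS else "clean")
    return {"path": path, "verdict": verdict, "score": score, "reasons": reasons}


def scan(webroot: dict, known_hashes: set) -> dict:
    """Analyze every file under the web root, keyed by relative path."""
    return {p: analyze(p, d, known_hashes) for p, d in webroot.items()}


def source_changes(baseline: dict, webroot: dict) -> dict:
    """Web source change management: compare current digests with the deployed baseline."""
    current = {p: hashlib.sha256(d).hexdigest() for p, d in webroot.items()}
    return {
        "created": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(set(baseline) - set(current)),
    }


# Constructed web root: the deployed files, then the same root after an intrusion
# (a known shell sample, an obfuscated shell, a plain eval shell, a leftover backup
# and a modified index.php that includes the shell).
DEPLOYED = {
    "index.php": b"<?php echo 'welcome'; ?>\n",
    "form.php": b"<?php $name = htmlspecialchars($_POST['name']); echo $name; ?>\n",
}
KNOWN_SAMPLE = b"<?php /* constructed stand-in for a known webshell */ $x = 'c99'; ?>\n"
WEBROOT = {
    "index.php": b"<?php echo 'welcome'; include 'upload/img.php'; ?>\n",
    "form.php": DEPLOYED["form.php"],
    "upload/c99.php": KNOWN_SAMPLE,
    "upload/shell.php": b"<?php @eval($_POST['cmd']); ?>\n",
    "upload/img.php": b'<?php eval(gzinflate(base64_decode("eJxLy0/OzkzNS0lVSEzKSS3KzFMoSc1NLCpJLVKoNDAwUEjOzy1ILSpJLM5QSAIA"))); ?>\n',
    "index.php.bak": b"<?php echo 'welcome'; ?>\n",
}
# A real hash DB is a stored list of digests; derived here only because the sample is inline.
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
BASELINE = {p: hashlib.sha256(d).hexdigest() for p, d in DEPLOYED.items()}

if __name__ == "__main__":
    for path, result in scan(WEBROOT, KNOWN_HASHES).items():
        print(f"{result['verdict']:14} {result['score']:3} {path} {result['reasons']}")
    print(source_changes(BASELINE, WEBROOT))
```

The benign form handler touches `$_POST` too, which is why request-parameter access alone carries a low weight: the score only crosses the webshell threshold when input flows into eval or command execution, or when a decoder wraps an encoded payload. The change audit is what catches the modified index.php, which contains nothing a content scanner would flag on its own.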
THANK YOU
www.ssrinc.co.kr
Tel. 02-6124-6690 Fax. 02-6124-6693