Optimizing Cyber Threat Intel across your organization
TRANSCRIPT
12/7/2010
Peter Van Eeckhout
SE Belux
Outline
• Why we need to change today
• Gaining smart Intel before we go into battle
• Using Intel dynamically to win the war
• Sharing Intel between countermeasures
• How do we federate the model?
By the end of 2010…

                                        1997         End of 2007    End of 2010
Vulnerabilities                          440              28,700         62,600
Password Stealers ("main variants")      400              85,000        400,000
Potentially Unwanted Programs              1              24,000        200,900
Malware (families, DAT related)       17,000             358,000      2,000,000
Malware Zoo (collection)              30,000 (?)       8,600,000     40,000,000
Malware Growth Still Healthy, Curve Flattening
(Chart: number of samples in our database, by quarter from Q1 2008 to Q3 2010; y-axis 0 to 40,000,000)
The Top Five Worldwide Malware
1) Generic!Atr: generic removable-device malware
2) Generic.dx: generic downloaders and Trojans
3) W32/Conficker.worm!inf: removable-device Conficker worm detection
4) Generic PUP: general-purpose potentially unwanted programs
5) GameVance: online gaming software that collects stats anonymously
Two of the top five are AutoRun malware (no user action required), while the others are password-stealing Trojans.
Packers keep us up at night…
Public trading of Exploits
Why you need to change your thinking
How many of you were monitoring – Nirbot.worm?
Exploits:
• Microsoft Windows Server Service Buffer Overflow (MS06-040)
• Symantec Client Security and Symantec Antivirus Elevation of privilege vulnerability (SYM06-010)
Can:
• Gather system information (CPU, RAM, OS version, IP address, username, uptime)
• Scan network for machines to infect
• Launch a TFTP, HTTP server and SOCKS4 proxy
• Download and execute files
• Update bot
• Uninstall bot
How many of you were monitoring Conficker.worm?
• Worm – We see new worms each day
• Used Microsoft vulnerability – Nothing new!
• Starts HTTP service - Common BOT behaviour
• Scans subnets for other systems – Typical worm behaviour!
• Connects to Web for updates/more malware – Typical BOT behaviour!
• Utilises Autorun.inf & scheduled tasks – Becoming more common!
• Tries to block security updates – Nothing new!
Threat Intel – When and what to share?
• When is the right time to engage?
  – On industry/vendor advisory?
  – On business incident?
  – On technology alerts?
• Real time events
• Log analytics
• Reactive or proactive
  – On vulnerability?
  – On exploit?
  – On threat?
  – On data breach?
You receive alerts/advisories like these…
What is it?
Today’s IT Security landscape drives fragmentation
(Figure: a wall of vendor logos grouped by product category (IPS, DLP, Encryption, Web, Firewall, Endpoint, Risk Mgmt, Whitelisting) around a central “Security Interlock?”.)
Which should lead to questions like these…
• What is the threat?
• Is it real or theoretical?
• What could the threat do?
• What would it actually do to my business?
• How would that impact my business?
• How likely is it to happen?
• What countermeasures do I have in place?
• Which countermeasures should I enable?
• What order should I enable them in?
• What impact will these have on my business?
“50% of respondents cited poor documentation of systems, a lack of metadata, diverse and uncontrolled data sources, and poor data quality as significant problems” (Bloor)
To summarise the issues
When does a threat become an incident?
• No single point of threat/risk measurement
• Lack of correlation to the business risk
• Lack of correlation between risk and mitigation tools
  – Have I already solved the problem?
How do I decide when to act?
• Often many, if not all, security solutions can have some involvement
  – What is the right solution to apply?
• Should I apply the same solution across the business?
• How do I validate the problem is solved?
  – Too many security consoles
• Have I already solved the problem?
Time to change our approach! Multi-Correlated: Centralized Intelligence
(100 billion queries, 100’s of millions of nodes)
How do I get Real Time Global Intel?
Queries
• 2.5B Malware Reputation Queries/Month
• 20B Email Reputation Queries/Month
• 75B Web Reputation Queries/Month
• 2B IP Reputation Queries/Month
• 300M IPS Attacks/Month
• 100M Network Connection Reputation Queries/Month
• 100+ BILLION QUERIES/Month
Nodes
• Malware: 40M Endpoints
• Email: 30M Nodes
• Web: 45M Endpoint and Gateway Users
• Intrusions: 4M Nodes
• 100+ MILLION NODES, 120 COUNTRIES
How real time Intel manages risk
1. User receives new file via e-mail or Web
2. No detection with existing DATs, but the file is “suspicious”
3. Fingerprint of file is created and sent using Artemis
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5. Artemis identifies threat and notifies client
6. VirusScan processes information and removes threat
Artemis is enabled on the endpoint without any additional client side install.
Real-time malware protection leveraging Collective Threat Intelligence
1. Researcher notes new suspicious fingerprint
2. Researcher looks up prevalence of fingerprint
3. Researcher marks as malicious
4. Subsequent customers protected before malware is widespread. Protection provided in minutes
Is it from a Trusted Source?
Inputs (Firewall, Web, Messaging):
• General Messages: 100 Billion per month
• Enterprise Messages: 10 Billion per month
• Millions of URLs per month
Analytics Engine produces a Reputation Score:
• Analyze Behavior: volume, social network, persistence, longevity
• Verify Identities: IP, domain, URL, image, message
Data Store: Monitor, Analyze, Protect
GTI Server Deployment Options
Owning my own Intel
Can I have the same Intel in a closed network?
Converting Intel to Action
Security Management Platform (ePO): real time threat feeds (GTI), protection, actionable information, security metrics
Managed products: Endpoint, DLP, Web, IPS, SIA, Whitelisting, Encryption, Risk Mgmt, Email, Firewall
Audiences: Executive, Security Admin, IT Architect
Real Business Risk Assessment
• “3,000 to 30” – Countermeasure aware risk management correlates MTIS threat feeds with discovered vulnerabilities, assets, and deployed countermeasures (intrusion protection, anti-virus, buffer overflow)
• Leverages AVERT threat advisory information, delivered by MTIS feed
• Risk = (Threat × Vulnerability × Asset) / Detailed Countermeasure
Smarter Security through integration (1+1=3)
Vul Mgmt, Clients, Network IPS, Security Manager: intelligence between solutions
Q: Traffic from X going to Y contains a potential Web server threat? What should I do?
Q: Traffic from the INTERNET going to YOUR WEBSERVER contains a RELEVANT Web ATTACK, but the SERVER HAS LOCAL PROTECTION TO STOP IT, I don’t need to do anything!
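The countermeasure-aware formula from the risk assessment slide and the IPS question above, worked through as an added example (not McAfee or ePO code): a small Python triage that scores an IPS alert against vulnerability-management findings and deployed controls and decides whether anyone needs to act. All names, weights, thresholds and the alert shape are assumptions.

```python
# Countermeasure-aware risk triage, an added example for this deck (not McAfee or ePO
# code). Applies the slide's formula Risk = (Threat x Vulnerability x Asset) / Countermeasure
# to a constructed inventory; all names, weights and the alert shape are assumptions.
from dataclasses import dataclass, field

COUNTERMEASURE_WEIGHT = 10  # assumption: each covering control divides risk by 10
ACT_THRESHOLD = 5.0         # assumption: residual risk at or above this needs action

@dataclass
class Advisory:
    advisory_id: str
    threat: int             # 1..5 severity from the threat feed

@dataclass
class Asset:
    name: str
    criticality: int        # 1 (lab box) .. 5 (revenue-critical)
    vulns: set = field(default_factory=set)              # advisory ids vuln mgmt found here
    countermeasures: dict = field(default_factory=dict)  # control -> advisory ids it stops

def risk_score(adv, asset):
    """Vulnerability is 1 if the flaw was found on this asset, else 0; every deployed
    control that covers the advisory divides the result by COUNTERMEASURE_WEIGHT."""
    vulnerability = 1 if adv.advisory_id in asset.vulns else 0
    covering = sum(adv.advisory_id in ids for ids in asset.countermeasures.values())
    return adv.threat * vulnerability * asset.criticality / COUNTERMEASURE_WEIGHT ** covering

def triage(alert, advisories, assets):
    """Answer the slide's question for one IPS alert: act, or rely on what is deployed."""
    score = risk_score(advisories[alert["advisory"]], assets[alert["dst"]])
    if score == 0:
        return "ignore: asset not vulnerable", score
    if score < ACT_THRESHOLD:
        return "monitor: residual risk below threshold", score
    return "act: exposed and unmitigated", score

def prioritise(advisories, assets):
    """The '3,000 to 30' step: advisories with residual risk on some asset, highest first."""
    ranked = [(max(risk_score(a, x) for x in assets.values()), a.advisory_id)
              for a in advisories.values()]
    return [aid for score, aid in sorted(ranked, reverse=True) if score > 0]

# Constructed sample feed, inventory and IPS alerts (no real products or advisories).
ADVISORIES = {a.advisory_id: a for a in (Advisory("ADV-WEB-1", 5), Advisory("ADV-WEB-2", 3),
                                         Advisory("ADV-DB-1", 4), Advisory("ADV-OLD-1", 2))}
ASSETS = {a.name: a for a in (
    Asset("webserver", 5, {"ADV-WEB-1", "ADV-WEB-2"}, {"host_ips": {"ADV-WEB-1"}}),
    Asset("dbserver", 5, {"ADV-DB-1"}), Asset("kiosk", 1, {"ADV-WEB-2"}))}
ALERTS = [{"src": "internet", "dst": "webserver", "advisory": "ADV-WEB-1"},
          {"src": "internet", "dst": "webserver", "advisory": "ADV-WEB-2"}]
```

The first alert matches the slide's scenario (host IPS already covers the flaw, so the residual risk drops below the action threshold), while the second hits an exposed, unmitigated flaw and is the one the operator should act on.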
Open Platform for Security Risk Management: Industry Leadership to Drive Better Protection, Greater Compliance and Lower TCO
SIA Associate Partner / SIA Technology Partner (McAfee Compatible)
Cost Model of Enterprise Security (chart: risk versus security spend, “risk optimization”)
• Reactive: spend ~3% of IT budget on security, high risk
• Compliant/Proactive: spend ~8% of IT budget on security, medium risk
• Optimized: spend ~4% with very low risk
Why has it been so challenging to reduce risk?
Maturity model:
DYNAMIC: Predictive and agile, the enterprise instantiates policy, illuminates events and helps the operators find, fix and target for response.
TOOLS BASED: Applying tools and technologies to assist people in reacting faster.
REACTIVE & MANUAL: People only. No tools or processes. “Putting out fires”.
Product tiers shown alongside: McAfee ePO managed products plus GRC and GTI; point products for system, network and data.
Looking to the future… Advanced Persistent Threat: Operation Aurora (zero-day targeted attack)
1. A targeted user receives a link in email or instant message from a “trusted” source
2. User clicks on the link; the website (hosted in Taiwan) contained a JavaScript payload
3. Browser downloads and executes the JavaScript, which includes the exploit
4. Exploit downloads a binary disguised as an image (from Taiwan servers) and executes the malicious payload
5. Sets up a backdoor and connects to C&C servers in Taiwan
6. Attackers had complete access to internal systems. They targeted sources of intellectual property, including software configuration management (SCM).
New Era of Malware: Stuxnet Attacks Critical Infrastructure
Protestors made their mark in the Middle East by holding virtual protests and defacing websites and Facebook accounts.
• Intelligently targeted at disrupting energy infrastructure running Siemens WinCC and Step7/PCS7 products – pure sabotage
• Compromise initially occurs via USB or network share (disabling autorun does not protect) – further compromise via network
• Compromised machines attempt outbound connectivity to command and control infrastructure
• Complexity implies nation state origin
  – Forged digital signatures to pass digital application checks
  – Leverages a number of previously unknown exploits
  – Expert level knowledge of Siemens PLC devices (internal database and code modification)
  – Pinpoint accuracy in searching for and identifying Siemens devices
• More interesting potential details:
  – Reportedly targeted at Iranian nuclear facilities
  – Required insider to perform the initial compromise
  – Fear over broader attention toward the weak global energy infrastructure