Upstream intelligence: gaps and gap fillers
July 25 2011
Contact: Tyson Macaulay
613 781 0822
ISO standards driving “Upstream” intelligence
ISO 27032
ISO 27010
ISO 27032 – Cybersecurity
Security of the network “space” managed by shared resources of network owners.
Mitigates security challenges less addressable in enterprise networks, and virtually un-addressable in small/medium business or consumer.
Contains security guidance beyond that available in 27001 / 27002
The following services (at a minimum) will be affected by the ISO standard:
• Carrier (national) backbones
• WANs (ATM, MPLS, etc)
• MANs
ISO 27032 highlights
• Service providers are expected to observe the same roles and responsibilities as those of consumer organizations, as well as the following:
– providing safe and secure products and services;
– providing safety and security guidance for end-users; and
– providing security inputs to other providers and to consumers about trends and observations of traffic in their networks and services.
• Implement and support an ISMS and risk assessment processes
• Secure coding
• Sophisticated network monitoring and analytics (signature-less detection)
ISO 27010 – Info-sharing
Threat, vulnerability and risk information-sharing.
Seeks to facilitate and streamline information sharing
Contains security guidance beyond that available in 27001 / 27002
The following services (at a minimum) will be affected by the ISO standard:
• Critical Infrastructure
• Private Sector organizations
• Public Sector organizations
ISO 27010 highlights
• Provides further guidance on relevant ISO controls, i.e.
– Classification
– Exchange agreements
– Auditing
• Provides sample trust models
• Does not stipulate a technical solution:
– Business models (who owns the aggregation and correlation)
– Operational models (weighting and processing)
– Technical delivery structures
Bell security reference designs

Enterprise Information Management (EIM)
Benefits
• Improved risk management
• Compliance reporting
• Management and metrics
Opportunity
• Employee productivity
• Reduced storage and backup
• Reduced management

High Performance Secure Networks (HPSN)
Benefits
• Improved risk mitigation
• Compliance reporting
• Segregation of sensitive data
Opportunity
• Reduced incidents
• Efficient audit and reporting
• Reduced management

Upstream security (in the carrier cloud)
Benefits
• Compliance reporting
• Enhanced threat management
• Rapid deployment
Opportunity
• Improved Internet performance
• Reduced capital (HW/SW/network)
• Reduced management

Security of computing and storage clouds
Benefits
• Expanded business options
• Enhanced scalability
• Pre-hardened services
Opportunity
• Enable adoption of cloud services
• Reduced capital (HW/SW/network)
• Reduced management
Upstream security reference design
Bell confidential – do not distribute without permission
Cloud-computing security reference design
Anatomy of UI (Upstream Intelligence)
Inputs feeding correlation and aggregation:
• Messaging / Web analysis
• Open Source info (Spamhaus, MAAWG, CERT, SANS, Team Cymru DNS)
• Traffic shaping
• Domain Name Services
• Traffic flow analysis
• Closed source: Intra-carrier info share, Customer support, Product vendor subscriptions
Correlation and aggregation → Upstream Intelligence
Traffic Flow
Traffic flow in “darkspace” – a large event in 2010
Take 20,000+ unmanaged devices and put them on the same network. This is what you get.
[Chart: Dark IP hosts – force and velocity]
[Chart: Host profile by velocity]
Wireless traffic flow
The need for wireless access is real.
Increased access equals increased risk
Wireless traffic flow
Security story
Lessons must be learned.
There is a first time for everything
Wireless threat – Darkspace – 1 week
Wireless threat – Botnet C&C – 1 week
Wireless threat – Botnet C&C – 1 year
Expanded service area
Major security evolution
Wireless threat – Botnet C&C – 1 week
Domain Name Services (DNS)
Peer-to-peer (P2P)
Messaging
FI example 1 current
FI example 1 future
FI example 2 current
FI example 2 future
Delivery methods
Delivery methods
UI Algorithms
• Sample Rule 1: reputation scores are at first inherited from the seed source.
• Sample Rule 2: reputation scores will be impacted by the number of threat-detection elements / sources reporting activity (more sources is bad, no sources is good).
• Sample Rule 3: the number of discrete events will impact reputations.
• Sample Rule 4: traffic levels above measurable norms (inbound and outbound) are always bad, but the weight will depend on the detection source (P2P might be highest, Messaging second, Traffic last).
• Sample Rule 5: the amount of time since the last observed event is a “decay” factor. Reputation scores improve the longer it has been since the last logged event. Decay factors may vary by detection source (P2P highest rate of decay, Traffic patterns the lowest due to botnet beaconing).
• Sample Rule 6: all weights associated with seeds and threat-detection sources are configurable on a manual or automatic basis. “Decay” accelerates as time passes rather than proceeding linearly.
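The six sample rules above, carried through as one scoring function. This is an added example written for this transcript, not Bell's own algorithm; the source weights, decay rates, per-source and per-event penalties, the quadratic decay exponent and the decision to leave the seed score undecayed are all assumptions chosen only to satisfy the orderings the rules state.

```python
import math
from datetime import datetime, timedelta

# Assumed weights for Rule 4: P2P highest, Messaging second, Traffic last.
SOURCE_WEIGHT = {"p2p": 3.0, "messaging": 2.0, "traffic": 1.0}
# Assumed per-day decay rates for Rule 5: P2P decays fastest, Traffic slowest.
DECAY_RATE = {"p2p": 0.30, "messaging": 0.10, "traffic": 0.02}
PER_SOURCE_PENALTY = 10.0  # Rule 2: each reporting source adds this much
PER_EVENT_PENALTY = 2.0    # Rule 3: each discrete event adds this much


def decay(source, days_since_last):
    """Rules 5/6: fraction of a source's penalty that survives. The quadratic
    exponent makes decay accelerate as time passes instead of running linearly."""
    return math.exp(-DECAY_RATE[source] * days_since_last ** 2)


def reputation(seed_score, events, now):
    """Risk score, higher is worse. seed_score is inherited from the seed source
    (Rule 1) and, as an assumption here, is not decayed. Each event is a dict
    with keys source, time and traffic_ratio (observed level / measured norm)."""
    score = float(seed_score)
    by_source = {}
    for e in events:
        by_source.setdefault(e["source"], []).append(e)
    for source, evs in by_source.items():
        contrib = PER_SOURCE_PENALTY + PER_EVENT_PENALTY * len(evs)
        for e in evs:
            if e["traffic_ratio"] > 1.0:  # Rule 4: above norm is always bad
                contrib += SOURCE_WEIGHT[source] * (e["traffic_ratio"] - 1.0)
        newest = max(e["time"] for e in evs)
        age_days = (now - newest).total_seconds() / 86400.0
        score += contrib * decay(source, age_days)
    return min(100.0, score)


# Constructed sample: one host reported by two of the three detection sources.
NOW = datetime(2011, 7, 25)
SAMPLE_EVENTS = [
    {"source": "p2p", "time": NOW - timedelta(days=1), "traffic_ratio": 2.5},
    {"source": "p2p", "time": NOW - timedelta(days=3), "traffic_ratio": 1.0},
    {"source": "traffic", "time": NOW - timedelta(days=10), "traffic_ratio": 4.0},
]


def example_score():
    return reputation(20, SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    print(round(example_score(), 2))
```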
Back-up
Upstream intelligence and SIEM deployment options
[Diagram: log pipeline of Log source → Log aggregation → Correlation engine → Reporting interface, split between the Client site and the Bell SOC over an Internet or private link, fed by Upstream (cloud-based) threat intelligence]
Options: On site, Off-site, Hybrid A, Hybrid B
HPSN security reference design