
Page 1: Upstream intelligence: gaps and gap fillers · Traffic shaping Domain Name Services Traffic flow Closed source analysis Intra-carrier Info share Customer support Product vendor subscriptions

Upstream intelligence: gaps and gap fillers

July 25 2011

Contact: Tyson Macaulay, [email protected], 613 781 0822

Page 2: ISO standards driving “Upstream” intelligence

ISO 27032

ISO 27010

Page 3: ISO 27032 – Cybersecurity

Security of the network “space” managed by the shared resources of network owners.

Mitigates security challenges that are less addressable in enterprise networks, and virtually un-addressable in small/medium business or consumer networks.

Contains security guidance beyond that available in 27001 / 27002.

The following services (at a minimum) will be affected by the ISO standard:

• Carrier (national) backbones
• WANs (ATM, MPLS, etc.)
• MANs

Page 4: ISO 27032 highlights

• Service providers are expected to observe the same roles and responsibilities as consumer organizations, as well as the following:
  – providing safe and secure products and services;
    • Implement and support an ISMS and risk assessment processes
    • Secure coding
  – providing safety and security guidance for end-users; and
  – providing security inputs to other providers and to consumers about trends and observations of traffic in their networks and services.
    • Sophisticated network monitoring and analytics (signature-less detection)

Page 5: ISO 27010 – Info-sharing

Threat, vulnerability and risk information-sharing.

Seeks to facilitate and streamline information sharing.

Contains security guidance beyond that available in 27001 / 27002.

The following sectors (at a minimum) will be affected by the ISO standard:

• Critical Infrastructure
• Private Sector organizations
• Public Sector organizations

Page 6: ISO 27010 highlights

• Provides further guidance on relevant ISO controls, i.e.
  – Classification
  – Exchange agreements
  – Auditing
• Provides sample trust models
• Does not stipulate a technical solution:
  – Business models (who owns the aggregation and correlation)
  – Operational models (weighting and processing)
  – Technical delivery structures

Page 7: Bell security reference designs

Enterprise Information Management (EIM)
  Benefits: Improved risk management; Compliance reporting; Management and metrics
  Opportunity: Employee productivity; Reduced storage and backup; Reduced management

High Performance Secure Networks (HPSN)
  Benefits: Improved risk mitigation; Compliance reporting; Segregation of sensitive data
  Opportunity: Reduced incidents; Efficient audit and reporting; Reduced management

Upstream security (in the carrier cloud)
  Benefits: Compliance reporting; Enhanced threat management; Rapid deployment
  Opportunity: Improved Internet performance; Reduced capital (HW/SW/network); Reduced management

Security of computing and storage clouds
  Benefits: Expanded business options; Enhanced scalability; Pre-hardened services
  Opportunity: Enable adoption of cloud services; Reduced capital (HW/SW/network); Reduced management


Page 9: Upstream security reference design

Bell confidential – do not distribute without permission

Page 10: Cloud-computing security reference design

Page 11: Anatomy of UI

Inputs feeding correlation and aggregation:

• Messaging / Web analysis
• Open Source info (Spamhaus, MAAWG, CERT, SANS, Team Cymru DNS)
• Traffic shaping
• Domain Name Services
• Traffic flow analysis
• Closed source
• Intra-carrier Info share
• Customer support
• Product vendor subscriptions

Correlation and aggregation → Upstream Intelligence

Page 12: Traffic Flow

Page 13: Traffic flow in “darkspace” – a large event in 2010

Take 20,000+ unmanaged devices and put them on the same network. This is what you get.

Page 14: Dark IP hosts – force and velocity

Host profile by velocity

Page 15: Wireless traffic flow

The need for wireless access is real.

Increased access equals increased risk.

Page 16: Wireless traffic flow – Security story

Lessons must be learned.

There is a first time for everything.

Page 17: Wireless threat – Darkspace – 1 week

Page 18: Wireless threat – Botnet C&C – 1 week

Page 19: Wireless threat – Botnet C&C – 1 year

Expanded service area

Major security evolution

Page 20: Wireless threat – Botnet C&C – 1 week

Page 21: Domain Name Services (DNS)

Page 22: Peer-to-peer (P2P)

Page 23: Messaging

Page 24: FI example 1 current

Page 25: FI example 1 future

Page 26: FI example 2 current

Page 27: FI example 2 future

Page 28: Delivery methods

Page 29: Delivery methods

Page 30: UI Algorithms

• Sample Rule 1: reputation scores are at first inherited from the seed source.
• Sample Rule 2: reputation scores will be impacted by the number of threat-detection elements / sources reporting activity (more sources is bad, no sources is good).
• Sample Rule 3: the number of discrete events will impact reputations.
• Sample Rule 4: traffic levels above measurable norms (inbound and outbound) are always bad, but the weight will depend on the detection source (P2P might be highest, Messaging second, Traffic last).
• Sample Rule 5: the amount of time since the last observed event is a “decay” factor. Reputation scores improve the longer it has been since the last logged event. Decay factors may vary by detection source (P2P highest rate of decay, Traffic patterns the lowest due to Botnet beaconing).
• Sample Rule 6: all weights associated with seeds and threat detection sources are configurable on a manual or automatic basis. “Decay” accelerates as time passes rather than proceeding linearly.
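As an added illustration (not code from the presentation or from Bell), the six sample rules expressed as one reputation-scoring function in Python. The 0..100 scale (100 = clean), the per-source weights, the per-day decay rates and the point values are all assumed, constructed parameters; the host observations at the bottom are constructed as well.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Weights:
    """Rule 6: every weight and decay rate is tunable (values here are constructed)."""
    source_weight: Dict[str, float] = field(
        default_factory=lambda: {"p2p": 3.0, "messaging": 2.0, "traffic": 1.0})   # Rule 4 ordering
    decay_rate: Dict[str, float] = field(
        default_factory=lambda: {"p2p": 0.20, "messaging": 0.10, "traffic": 0.05})  # Rule 5, per day
    event_points: float = 5.0   # reputation points lost per discrete event (Rule 3)
    source_step: float = 0.5    # extra multiplier for each additional reporting source (Rule 2)


@dataclass
class Event:
    source: str        # detection source: "p2p", "messaging" or "traffic"
    age_days: float    # time since the event was last observed
    above_norm: bool   # traffic level exceeded the measured inbound/outbound norm


def retained(age_days: float, rate: float) -> float:
    """Fraction of an event's penalty still in force. Quadratic in age, so the
    forgetting speeds up as time passes instead of running linearly (Rules 5 and 6)."""
    return max(0.0, 1.0 - (rate * age_days) ** 2)


def reputation(seed_score: float, events: List[Event], w: Weights = Weights()) -> float:
    """Score on 0..100 (100 = clean), starting from the seed source's score (Rule 1)."""
    penalty = 0.0
    active_sources = set()
    for ev in events:
        r = retained(ev.age_days, w.decay_rate[ev.source])
        if r == 0.0:
            continue  # fully decayed: no longer counts, not even as a reporting source
        active_sources.add(ev.source)
        points = w.event_points                                     # Rule 3: each discrete event costs
        if ev.above_norm:
            points += w.event_points * w.source_weight[ev.source]   # Rule 4: above-norm traffic, by source
        penalty += points * r
    if active_sources:
        penalty *= 1.0 + w.source_step * (len(active_sources) - 1)  # Rule 2: more sources is worse
    return max(0.0, min(100.0, seed_score - penalty))


if __name__ == "__main__":
    # Constructed observations for one host seeded at 80 by an external reputation list.
    observed = [Event("p2p", 1.0, True), Event("traffic", 10.0, False), Event("messaging", 30.0, True)]
    print(round(reputation(80.0, observed), 3))  # 45.575
```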


Page 31: Back-up

Page 32: Upstream intelligence and SIEM deployment options

Components: Log source → Log aggregation → Correlation engine → Reporting interface

Locations: Client site; Bell SOC (reached over the Internet or a private link); Upstream (cloud-based) threat intelligence

Options: On site, Hybrid A, Hybrid B, Off-site

Page 33: HPSN security reference design