Belgacom Security Convention. Tuesday 15 October 2013, Aula Magna, Louvain-la-Neuve

Transcription

1 Belgacom Security Convention Tuesday 15 October 2013, Aula Magna, Louvain-la-Neuve

2 Belgacom Security Convention The new, continuous security model Hans De Raeve Product Manager Belgacom Sean Newman Product Manager Sourcefire 10/17/2013 Slide 2

3 Agenda The Core elements of ICT Security The new, continuous security model The perfect blend Sourcefire within the continuous security model Q&A Slide 3

4 Attackers, Focused on YOUR Data! Hacktivists Organised crime Nation States 25% of attacks targeted at a specific individual or company Verizon Data Breach report 2013

5 Why? The Underground Economy is Booming The Underground Embraces the Cloud Business Model Exploit-as-a-Service, Malware-as-a-Service, Botnet as a Service, Source : McAfee Threat report Q4 2012

6 Today s Reality Today s Reality: 621 breaches in % stemmed from external agents 52% utilized some form of hacking 40% incorporated malware 78% of attacks not highly difficult 1 in 5 attributed to Cyber Espionage 2013 Verizon Data Breach Investigation Report All were smart, all had security. All were compromised.

7 Confidentiality Integrity Availability New Security model The goal of ICT Security ICT Security Focus Shift Slide 7

8 Customer Feedback Feedback Approval End User ROC * Event Management Operations Analyst Security Analyst Management New Service Call Identification & Logging Categorization & Prioritization Investigation & Diagnosis Solve on this Level? Yes Resolution & Recovery Closure Service Call Closed No Record Escalation End User Agrees? Yes No SDK 1st Line Agent 1st Line Support Engineer 2nd Line Support Engineer Customer Care Officer Threshold Exceeded Configuration Issue Problem Candidate Change Request Monitoring & Escalation CMDB Maintain Configuration Management Problem Management Change Management Confidentiality Integrity Availability New Security Model The Core Elements of any organisation ICT Security Your People Focus Shift Remote Operations Center * Your Processes Your Technologies Slide 8

9 Customer Feedback Feedback Approval End User ROC * Event Management Operations Analyst Security Analyst Management New Service Call Identification & Logging Categorization & Prioritization Investigation & Diagnosis Solve on this Level? Yes Resolution & Recovery Closure Service Call Closed No Record Escalation End User Agrees? Yes No SDK 1st Line Agent 1st Line Support Engineer 2nd Line Support Engineer Customer Care Officer Threshold Exceeded Configuration Issue Problem Candidate Change Request Monitoring & Escalation CMDB Maintain Configuration Management Problem Management Change Management Confidentiality Before Integrity During Availability After New Security Model The Core Elements of any organisation Security ICT Security Threats Your People Remote Operations Center * Your Processes Your Technologies Prevent & Reduce Detect & Reduce React Detect Impact & Remediate Slide 9

10 The Core Elements of ICT Security People People are NOT your most important asset.

11 The Core Elements of ICT Security People People are NOT your most important asset. The right people are!

12 The Core Elements of ICT Security People They are difficult to find and hard to keep Treat them well Training Challenging work environment Salary Bonus Job Rotation Career path

13 Sensitivity : "Unrestricted", "Internal Use Only" or "Confidential" 10/17/2013 Slide 13

14 The Core Elements of ICT Security People & There Roles Security Threats Before During After Business Analysts IT Architects Sec. Officers CIO HR Process managers Policy managers Engineering End users Prevent & Reduce IT Engineering Sec. Analysts Service Desk End users Detect & Reduce React Forensics Specialists Sec. Engineering CxO End users Business Analysts PR Detect Impact & Remediate

15 Customer Feedback Feedback Approval End User ROC * Event Management Operations Analyst Security Analyst Management New Service Call Identification & Logging Categorization & Prioritization Investigation & Diagnosis Solve on this Level? Yes Resolution & Recovery Closure Service Call Closed No Record Escalation End User Agrees? Yes No SDK 1st Line Agent 1st Line Support Engineer 2nd Line Support Engineer Customer Care Officer Threshold Exceeded Configuration Issue Problem Candidate Change Request Monitoring & Escalation CMDB Maintain Configuration Management Problem Management Change Management Confidentiality Before Integrity During Availability After The Core Elements of ICT Security Security Cyber Security Threats Remote Operations Center * Prevent & Reduce Detect & Reduce React Detect Impact & Remediate Slide 15

16 The Core Elements of ICT Security Processes Security Threats Before During After ISO Focus IT Governance on IT Service IT Management ITILv3 IT Service Continuity Management IT Management = good shepherding of assets & resources (operational BS Focus on Business Continuity Management level) ISO 27k Focus on Information Security Risk IT Management Governance = good Operations shepherding + vision and Problem leadership Man. Risk Assessment (strategic BCM and tactical level) Man. BCM Man. BCM Awareness Communication Policies Training Prevent & Reduce Detect & Reduce React Detect Impact & Remediate

17 The Core Elements of ICT Security Processes at Belgacom

18 Customer Feedback Feedback Approval End User ROC * Event Management Operations Analyst Security Analyst Management New Service Call Identification & Logging Categorization & Prioritization Investigation & Diagnosis Solve on this Level? Yes Resolution & Recovery Closure Service Call Closed No Record Escalation End User Agrees? Yes No SDK 1st Line Agent 1st Line Support Engineer 2nd Line Support Engineer Customer Care Officer Threshold Exceeded Configuration Issue Problem Candidate Change Request Monitoring & Escalation CMDB Maintain Configuration Management Problem Management Change Management Confidentiality Before Integrity During Availability After The Core Elements of ICT Security Security Cyber Security Threats Remote Operations Center * Prevent & Reduce Detect & Reduce React Detect Impact & Remediate Slide 18

19 The Core Elements of ICT Security Technologies FW/VPN AV Block or Allow PKI IDS / IPS UTM It matches the pattern NAC No key, no access Application Control Self Defending Network No false positives, no false negatives. Fix the Firewall

20 The Core Elements of ICT Security Technologies

21 Security Technologies at Belgacom ICT Security

22 The Core Elements of ICT Security Technologies Security Threats Before During After Patch management Firewall DLP VAM Proxy NAC DNSSEC SSL IAM (N) (H) IPS AVAS DDOS NBA Botnet Detect (N) (H) IPS SIEM Forensics Full Packet Capturing Anti-Phishing & Brand Protection Prevent & Reduce Detect & Reduce React Detect Impact & Remediate

23 Customer Feedback Feedback Approval End User ROC * Event Management Operations Analyst Security Analyst Management New Service Call Identification & Logging Categorization & Prioritization Investigation & Diagnosis Solve on this Level? Yes Resolution & Recovery Closure Service Call Closed No Record Escalation End User Agrees? Yes No SDK 1st Line Agent 1st Line Support Engineer 2nd Line Support Engineer Customer Care Officer Threshold Exceeded Configuration Issue Problem Candidate Change Request Monitoring & Escalation CMDB Maintain Configuration Management Problem Management Change Management Security Threats Before During After Business Analysts, IT Architects Sec. Officers, CIO, HR Process mgr., Policy mgr., Engineering, End users IT Engineering Sec. Analysts Service Desk End users Forensics Specialists Sec. Engineering CxO, End users Business Analysts, PR Remote Operations Center * Risk Management Risk Assessment BCM, Awareness Policies, Training 80% 20% Operations BCM Management Problem Man. Man. BCM Communication Patch man, FW, DLP VAM, Proxy, NAC DNSSEC SSL IAM Prevent & Reduce (N) (H) IPS AVAS DDOS NBA Botnet Detect Detect & Reduce React (N) (H) IPS SIEM Forensics Full Packet Capturing Anti-Phishing & Brand Protection Detect Impact & Remediate

24 Sensitivity : "Unrestricted", "Internal Use Only" or "Confidential" 10/17/2013 Slide 24

25 Sensitivity : "Unrestricted", "Internal Use Only" or "Confidential" 10/17/ Slide 25

26

27 Belgacom Flashlight Sensitivity : "Unrestricted", "Internal Use Only" or "Confidential" 10/17/2013 Slide 27

28 Combine The Core Elements of ICT Security Flashlight Managed Security Services

29 Flashlight Supported Technologies DNS/DHCP IPS/IDS FW/UTM N.Forensics WAF SSL Sec. Remote Access Sec. Internet Access Strong Auth. AVAS Server OS Web Proxy AVAS DDOS WLAN Contr. 17/10/2013 Slide 29 Confidential - Belgacom

30 Flashlight Service Portfolio Confidential - Belgacom 17/10/2013 Slide 30

31 Flashlight Remote Operation Centre (ROC) International Customer base +60 customers +400 milion Sec. Event Day ROC Build to Nato Specs mgd devices Security Analysts Confidential - Belgacom 24/7 17/10/2013 Slide 31 17/10/2013 Slide 31

32 ICT (Security) Solutions Automatic Syslog, SNMP, Flow, CEF, Log Management Reporting Dashboard Manual Content Rules Topology info Normalisation Correlation Security Analysts Analysis and Forensics Confidential - Belgacom 17/10/2013 Slide 32 Security

33 Belgacom Flashlight The Value of Managed Security Services Cost Saving: No big investments -> OPEX You can benefit from High-end shared and specialised Tools, People and Processes You can count on highly skilled and certified security specialists 70+ Customer oriented security experts 24/7 redundant ROC Trusted advisor, supporting multiple vendors and technologies Centralised visibility and control. Benefit from trends we detect over multiple customers Tools Processes People 17/10/2013

34 Customer Feedback Feedback Approval End User ROC * Event Management Operations Analyst Security Analyst Management New Service Call Identification & Logging Categorization & Prioritization Investigation & Diagnosis Solve on this Level? Yes Resolution & Recovery Closure Service Call Closed No Record Escalation End User Agrees? Yes No SDK 1st Line Agent 1st Line Support Engineer 2nd Line Support Engineer Customer Care Officer Threshold Exceeded Configuration Issue Problem Candidate Change Request Monitoring & Escalation CMDB Maintain Configuration Management Problem Management Change Management Security Threats Before During After Business Analysts, IT Architects Sec. Officers, CIO, HR Process mgr., Policy mgr., Engineering, End users IT Engineering Sec. Analysts Service Desk End users Forensics Specialists Sec. Engineering CxO, End users Business Analysts, PR Remote Operations Center * Risk Management Risk Assessment BCM, Awareness Policies, Training Operations BCM Management Problem Man. Man. BCM Communication Patch man, FW, DLP VAM, Proxy, NAC DNSSEC SSL IAM Prevent & Reduce (N) (H) IPS AVAS DDOS NBA Botnet Detect Detect & Reduce React (N) (H) IPS SIEM Forensics Full Packet Capturing Anti-Phishing & Brand Protection Detect Impact & Remediate

35 A New Model for Security A T T A C K C O N T I N U U M BEFORE DURING AFTER See it, Control it Intelligent & Context Aware Retrospective Security Network Endpoint Mobile Virtual Point-in-Time Continuous 35

36 Before Pre-Emptive Security Discover everything - continuously Harden assets most at risk Implement Access Policy to reduce attack surface Threats Devices Applications Network Vulnerabilities OS Users Information Superiority Files 36

37 During Intelligent Security Identify and Block known malware Detect and Prevent conventional hacking In the Network and at the End Point Contextual Intelligence 37

38 After Retrospective Security Sees Everything Never Forgets Turns Back Time Track all network activity Track all file, process and application activity Big data analysis to correlate weak signals for Indicators of Compromise Scope, Contain and Remediate threats Turn back the clock on advanced malware 38

39 Sourcefire Agile Security Solutions Management Center APPLIANCES VIRTUAL APPLICATION & ACCESS CONTROL NEXT- GENERATION INTRUSION PREVENTION ADVANCED MALWARE PROTECTION COLLECTIVE SECURITY INTELLIGENCE CONTEXTUAL AWARENESS HOSTS VIRTUAL MOBILE APPLIANCES VIRTUAL 39

40 Independent Validation Leadership* Class leader in detection Class leader in performance Class leader in vulnerability coverage Completely evasion free Ratings* 99% detection & protection 34 Gbps inspected throughput 60M concurrent connections $15 TCO / protected Mbps "For the past five years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities. Vikram Phatak, CTO NSS Labs, Inc. it is Sourcefire s dedication to understanding, detecting, and blocking the most advanced threats facing enterprise networks that enables these products to stand out amongst the competition. Frost & Sullivan.** Leading Threat Prevention Best-in-Class Performance Advanced Malware Protection Scalable FirePOWER platform Flexibile NGIPS/App/Access Ctrl * NSS Labs, Network IPS Product Analysis Sourcefire 3D8260 v4.10, April 2012 ** Frost & Sullivan 2013 Global Intrusion Prevention Systems Product Leadership Award May

41 FireSIGHT is built into all Sourcefire next-generation security solutions delivering the network intelligence and context you need to respond to changing conditions and threats.

42 FireSIGHT Sees Everything Categories Examples Sourcefire FireSIGHT Typical IPS Threats Attacks, Anomalies Users AD, LDAP, POP3 Web Applications Facebook Chat, Ebay Application Protocols HTTP, SMTP, SSH File Transfers PDF, Office, EXE, JAR Malware Conficker, Flame Command & Control Servers C&C Security Intelligence Client Applications Firefox, IE6, BitTorrent Network Servers Apache 2.3.1, IIS4 Operating Systems Windows, Linux Routers & Switches Cisco, Nortel, Wireless Mobile Devices iphone, Android, Jail Printers HP, Xerox, Canon Sensitive Data Credit Cards, SSNs, Custom VoIP Phones Avaya, Polycom Virtual Machines VMware, Xen, RHEV Typical NGFW

43 FireSIGHT Contextual Awareness Improves Security and Saves Money IT Insight Spot rogue hosts, traffic anomalies, policy violations, and more Impact Assessment Threat correlation reduces actionable events by up to 99% Automated Tuning Adjust IPS policies automatically based on network change User Identification Associate users with security and compliance events 43

44 FireSIGHT Context Explorer All application traffic Risky applications Who is sending the most data? Where is data coming from/going to? Which file types? What does User traffic look like over time?

45 FireSIGHT Awareness Who is at the host OS & version Identified What other systems / IPs did user have, when? Server applications and version Client Applications Client Version Web Application

46 Reduce Risk Through Granular Control Control access for applications, users and devices Employees may view Facebook, but only Marketing may post to it No one may use peer-to-peer file sharing apps 2,000+ apps, devices, and more! 46

47 Web URL Filtering Block non-business-related sites by category Based on user and user group Block access to know bad site 47

48 Sourcefire Advanced Malware Protection with Retrospective Security Comprehensive Monitoring Continuous Analysis Big Data Analytics Integrated Response Control & Remediation Collective Security Intelligence 48

49 File Trajectory Which systems are affected? File introducing threat Rate of Propagation Point of entry root cause Time of entry how long? Retrospective action Trajectory acts as a flight recorder 49

50 Device Trajectory Is it infected and how? Trajectory acts as a flight recorder 50

51 Device Flow Correlation Is there a connection to a known bad location? Associate applications with network connections Detect weak signals in application network traffic Link files to known bad sites Link sites to known bad files Cloud scalability for advanced analysis and detection Network Tracking Custom Blacklists Cloud Intelligence Dropper Detection Multiple ways to stop threats and eliminate root causes 51

52 Indicators of Compromise Spotlight high-risk systems Automated compromise analysis & determination Prioritized list of compromised devices Drill down for quick root cause analysis and remediation 52

53 Assume you will be Compromised Sourcefire s New Continuous Security Model A T T A C K C O N T I N U U M BEFORE DURING AFTER See it, Control it Intelligent & Context Aware Retrospective Security Network Endpoint Mobile Virtual Point-in-Time Continuous 53

54 World s Leading Security Team #1 Market Share in Network Security & Data Center Security Leader in Magic Quadrants for IPS, Security, Web Security, NAC, & SSL VPN NSS Labs Security Value Map Leadership for NGIPS & NGFW World-class security research team & threat data Open source projects: Snort, ClamAV, Razorback 54

55 Industry Analysts Weigh in The deal will allow Sourcefire to leverage Cisco's deep market penetration and expand its technology footprint. In return, Cisco has obtained technology that helps bolster not only its network security offering, but also its credentials in the wider antimalware space. 451 Group "Cisco/Sourcefire: A Potential Game Changer for Cisco and the Cybersecurity Industry. ESG Cisco will reap advanced threat prevention technology within FireAMP and obtain well-respected security research talent from Sourcefire's VRT. FireAMP will give Cisco malware- detection technology that could enable it to develop an advanced threat platform, helping malware mitigation teams fight complex threats. Gartner 55

56 Sean Newman Hans De Raeve Sensitivity : "Unrestricted", "Internal Use Only" or "Confidential" 10/17/2013 Slide 56

57 Thank you Do not forget the evaluation form and the contest! The winners will be designated at on the Belgacom booth. Win tickets for Belgium-Wales or a free hacking training