Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Transcription

1 Effective Threat Management Building a complete lifecycle to manage enterprise threats.

2 Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive and Reactive Processes Enhanced Security Posture Efficient Security Operations LURHQ Confidential 2

3 One System, Two Roles Proactive Processes Discover & Assessment Early Warning Reactive Processes Detection & Response Prevention Security Trending and Analysis Feeds Improving Lifecycle LURHQ Confidential 3

4 Threat Management Foundation People Dedicated Threat Management team Threat Research and Vulnerability Assessment Monitoring and Response Credentials Certifications (GIAC and others) Experience Processes Enterprise Remediation Threat/Vulnerability Prioritization, Accountability, etc. Incident, Vulnerability & Threat Handling Incident Categorization, Assessment, Response Vulnerability & Threat Identification and Response Technologies Best-of-Breed Security Infrastructure Vulnerability Management Encompassing Intelligence and Scanning Security Monitoring and Analysis Platform Real Time, Centralized Repository for Events, Threat Research, Vulnerabilities, etc Event to Event and Event to Vulnerability/Threat Research Capabilities Reporting LURHQ Confidential 4

5 Early Warning Threat Research Is A System to Discover, Prioritize and Respond to Emerging Threats Streamline Currently Inefficient Process by Integrating: Vulnerability Alerts from Vendors, BugTraq, etc. Internet-Wide Trending Analyses from DShield, etc. In-Depth Security Intelligence from Service Providers Aggregate and Prioritize Assign Accountability Workflow System to Track Remediation Efforts Result = Better Visibility into Threats Targeting the Enterprise LURHQ Confidential 5

6 Prevention 24X7 & Immediate Security Infrastructure Management Leverage Threat Research, Vulnerability Management and Monitoring Proactively Block Threats at the Firewall Tune IDS/IPS to Detect/Block Emerging Threats Properly Manage the Technology Lifecycle Replace Outdated Solutions Have Proper Procedures Around Updates Centrally Store Configuration Changes Result = A Dynamic Security Infrastructure Capable of Deflecting Constantly Evolving Threats LURHQ Confidential 6

7 Discovery and Assessment Continuous Vulnerability Scanning Conduct Vulnerability Scans At Least Once/Qtr for Critical Systems, Annually for Others Preferably Using Multiple Scanners Schedule Scans on Remote Hosts Aggregate and Prioritize Assign Accountability Workflow System to Track Remediation Effort Result = Snapshot of Enterprise s Risk Exposure LURHQ Confidential 7

8 Detection and Response Real-Time 24X7 Security Event Monitoring and Analysis Encompass Security Infrastructure and Critical IT Assets Discovery of Known and Unknown Threats Gain Complete Context Leverage Security Intelligence Platform s Event to Event and Event to Vulnerability/Threat Research Correlation Capabilities All Information At Your Fingertips Invoke Incident Handling Process Categorize, Assess and Respond Result = Seamless View of Enterprise-Wide Security Status and the Ability to Stop Attacks Before Damage is Done LURHQ Confidential 8

9 Trending and Analysis Reporting Across All Segments Based on Aggregated Threat Research, Vulnerability Scanning, Security Monitoring and Security Management Data Better Decision Making Improves All Other Segments Discover Over- and Under-Funded Areas of the Environment Provable Security On-Demand Reports for Management/Auditors/Others Result = Comprehensive Security Information for Constantly Improving Threat Management LURHQ Confidential 9

10 Technology Platform: Integration in Action Enterprise Security Monitoring, Threat Intelligence, Managed Intrusion Detection and Managed Firewall Technology People & Process firewall Negative Filter 4,989,950 firewall Non-Security Event No Action Required 75 IPS NIDS HIDS 5,000,000 events Sherlock Inspector and Inspector Agent Remaining Events of Interest Event Consolidation Positive Filter 10, Anomaly 10, Automated Analysis 200 Incident Handling Process: Aggregate, Correlate, Categorize, Assess Threat, and Respond Incident is logged for future correlation and reported, but no further action required. Low Threat Security Event Worm - Customer Not Vulnerable 75 Security Event Information Gathering 50 Incident requires near term intervention by LURHQ and/or the customer to prevent availability or security issue. Medium Threat server Non-Security Actionable 3 per week server server Security Event Human Controlled Exploit Attempt 1 per week Incident requires immediate intervention by LURHQ and the customer to prevent and/or remediate availability or security issue in progress. High Threat Process for Auditing, Trending, Scanning & Threat Intelligence LURHQ Confidential 10

11 Sasser Case Study: Integration in Action Vulnerability Released to Public Threat Research Rates the Threat High and Assigns Responsibility Vulnerability Management Illustrates the Extent of the Vulnerability s Presence Internally Threat Management Team Aware of Threat and Enterprise Exposure Exploit Released to Public Threat Research Analyzes Exploit Code Security Management Updates IDS Signatures to Look for Attacks Using the Exploit and Adds FW Rules to Block Incoming Traffic, if possible Security Monitoring Highlights Increasing Scan Attempts Worm Propagating Security Monitoring Enables Real-Time Detection Security Management Facilitates Immediate Protection Worm Threat Passed Trending Analyses Illustrates Most Infections Occurred Through VPN Trending Analyses Also Demonstrates Effectiveness of Enterprise s Security LURHQ Confidential 11

12 Benefits to Your Enterprise Threat Management s Bottom Line: Enhanced Security Posture More Efficient Use of Security Resources Better Visibility Into Enterprise-Wide Security Status On-Demand Reporting for Decision Support, Management and Auditors LURHQ Confidential 12

13 Conclusion Effective Threat Management Truly Integrates Proactive and Reactive Operational Processes Protection Discovery & Assessment Detection & Response Early Warning Aggregated Security Data Facilitates Trending and Analysis Constantly Improving Threat Management Lifecycle Results in Better Overall Security, Enhanced Operational Efficiency and Improved Decision Making LURHQ Confidential 13