Anomaly Detection and Vulnerability Management. Rolf Strehle, ditis Systeme Heidenheim

Transcription

1 Anomaly Detection and Vulnerability Management Rolf Strehle, ditis Systeme Heidenheim 1

2 The Driver IT Risks 2

3 Application Risks 3

4 Vulnerabilities The vulnerabilty scan detected more than 200 vulnerabilities that would give an attacker full control over the system (root access) 4

5 Findings Router/Switches with default Passwords weak SSL keys (Debian Bug) SNMP world-writable devices (printer, switches, UPS) databases w/o password (Oracle, MS-SQL, MySql) Client VNC server w/o password (desktop hijacking) missing Service Packs and Patches Open FTP Server (printer disks) Software vulnerabilities (Firefox, Acrobat...) 5

6 The Approach 6

7 Vulnerability Management Analysis of actual threats in our Corporate Network Requirement to measure our IT security process according to ISO27001 Identify IT risks and document the status on a regularly basis One central system to monitor ALL network devices (independent of O/S on a worldwide scope - Global Monitoring) We have to know our week points and threats before others do! 7

8 Use of Vulnerability Scans Scan of networks not yet connected to the network. Risks for the global network can be detected and resolved before integrating new locations. Immediately detect systems already infected (Conficker Virus). Audit tool for supporting ISO27000 security process. Validation of incidents detected through our Anomaly Detection System (identify brand-new viruses and malware - 0-Day exploits). Scan all kinds of hardware and OS (Cisco routers, VoIP phones, switches, WLAN access points, Linux systems) Scan of vulnerable applications (Oracle, Adobe, Sharepoint, Web) 8

9 3 Days After 9

10 Anomaly Detection 10

11 Network Monitoring Monitoring Team 11

12 Security KPI Dashboard 12

13 KPI Categories Account Management - AM - Mobile Hardware - MH - Network Infrastructur - NI - Awareness - AW - Compliance Controle - CC - Patch Management - PM - Financial Controlling - FC - Malware - MW - Vulnerability Management - VM - Group Description for example Account Management management of user related issues (e.g. user accounts and password quality) - Password-Quality - Idle AD Accounts Awareness awareness on information security - PGP Encryption - elearning Financial Controlling cost analysis - IT Costs Security Relation Compliance Controle requirements of applicable regulations and guidelines - IT-Security Checklist Mobile Hardware special needs for mobile hardware - Notebook-Encryption - Mobile Hardware Loss Malware containment of malicious software - Spam Filtered Network Infrastructur behavior and configuration regarding network issues - Device or Server Breakdown Patch Management review on timeliness of updates and upgrades - Server or Client Updates Vulnerability Management vulnerability-analysis of applications and devices - Vulnerabilities per system, OS or services 13

14 IT Security Dashboard IT Security Overview Global Antivirus Compliance Global Notebook Encryption IT Security Factor Global PC-Client Compliance IT Security Incidents 14

15 Conclusion Process to prove the correct behavior of already existing tools like Virus Scan (TrendMircro), Network-Management (Cisco Works), Windows Configuration Tools (MOM, SCCM) and others Detection of systems not managed or monitored by other tools (unknown systems, illegally installed devices) Detection of application and malware not found by other tools (viruses, unknown software). Important data source for other systems like global monitoring tools, ISO performance indicators Competence Center IT Security to share practice and know-how in our industry: Anomaly Detection and Vulnerability Management is needed to identify IT security risks for all network devices (independent of hardware and operating system). 15

16 Contact: Rolf Strehle Leiter Informationssicherheit ditis Systeme GmbH & Co.KG Tel