Detecting a Hacking Attempt

Transcription

1 Detecting a Hacking Attempt Speaker: Isaac Thompson Director of Sales Engineering and Training

2 About Prism Microsystems Founded in 1999, headquartered Columbia, Maryland Current Version EventTracker 6 Over 750 Customers Worldwide Both Government and Private Sector Clients Worldwide Presence Customers in 50+ Countries Globally Staffed Professional Services

3 Representative Customer List

4 Reported cyberattacks on U.S. government computer networks climbed 40% DOD, State, Homeland Security and Commerce all have suffered "major intrusions" in which sensitive data were stolen or compromised. Just 1% of federal agencies have fully developed tracking systems* *Source: 16-cyber-attacks_N.htm?loc=interstitialskip

5 Why Log Management? Many machines, many logs, all different Windows, Syslog, SNMP, more Manual collection is hard, understanding even harder Many scenarios require correlation to detect Event on Box 1 + Event on Box 2 + Firewall Event = Hack

6 Hack Attempt

7

8

9

10

11 How It Works

12 Enterprise Class Solution Compliance Operations Security Can receive 40,000 Events/Seconds Compressed and secured transmission Compressed and tamper-proof data store (SHA-1) Powerful Reporting and Analytics engine Over 850 pre-built reports Virtually no impact on monitored clients <0.01% CPU utilization 0.01% network utilization

13 Multiple Platform Support Support events from hundreds of sources Windows Systems Any Unix Flavor (Syslog and Syslog-NG) SNMP V1/V2 (Network Devices) Flat Files (application specific log files) CISCO Systems Checkpoint Firewall Solaris BSM Legacy Platforms

14 Enterprise Wide Support (Not Limited to) Operating Systems: Critical Products: Vendors: Log Formats: WINDOWS SERVER 2008 MICROSOFT CLUSTERS NORTEL EVT/EVTX WINDOWS SERVER 2003 MICROSOFT OFFICE CHECKPOINT SYSLOG WINDOWS XP CITRIX WINDOWS VISTA RESILIENCE SYSLOG NG WINDOWS 2000 MICROSOFT EXCHANGE MICROSOFT SQL SERVER SECUREGUARD SNMP WINDOWS NT SERVER WINDOWS 98 ORACLE SONICWALL IIS/IISW3C/IISMSID AIX MICROSOFT IIS JUNIPER LOG HP-UX MICROSOFT ISA SUN SOLARIS - BSM NORTON ANTIVIRUS SYMANTEC W3C I-SERIES OS/400 V5R2 * TREND MICRO ANTIVIRUS WATCHGUARD TEXTLINE LINUX MCAFEE ANTIVIRUS MAC OS X VMWARE NETSCREEN TEXTWORD NETWARE 6.5 NOKIA URLSCAN WINDOWS DHCP SERVER RED HAT LINUX WINDOWS DNS TIPPINGPOINT BIN SOLARIS 8, 9, 10 IBM Z/OS * WINDOWS TERMINAL SERVER HP NCSA NOVELL SNORT SYMANTEC HTTPERR * Partnership

15 Functional Areas Secure Event Log Consolidation Real Time Event Correlation User Activity Tracking Network Connection Monitoring USB Monitoring System Administrative Activity Tracking Configuration Control Change Control Performance Monitoring

16 What is Change Management? Ever wonder why the PC that was working perfectly before is suddenly misbehaving? Ever wonder what changed? Who changed it? Was it accidental or malicious? The file system/registry of every Windows system is constantly changing This change may be voluntary or involuntary, the changes happen quickly and often without the user s knowledge Under current Windows OS architecture there is no easy way for the user to understand change, identify change and recover from change. EventTracker Change Management Compares the configuration of multiple systems with the master configuration. This plug-in provides a much needed assurance for the security team that critical files (critical web pages, sensitive documents, legal contracts, critical financial spreadsheets, critical EXE and DLL) have not been modified.

17 Disk Space Requirements Disk space utilization depends on two parameters: Event Traffic Number of events received/day How long do the events need to be retained? General rules for storage planning: 1G per Window or Unix server for one year archive 3G per firewall/year 100 MB per workstation/year Storage Requirement 500 servers/1 year = 50 GB* * (approximately 1 Billion events )

18 Event Vault (Archiving) Disk Space requirements Disk space requirements when EventTracker archives: 1M events (1,000,000 events) 5M events 100M events 1000M (approx. 500 servers, 5,000 average events day for 365 days) 5000M Event Vault 50MB 250MB 5GB 50GB 250GB

19

20

21

22 Further Information Corporate Headquarters 8815 Centre Park Drive Columbia, MD Phone: Toll Free: (877) Local: (410) Fax: (410)