Effective Methods to Detect Current Security Threats

Similar documents
Effective Methods to Detect Current Security Threats

Cyber Security Metrics Dashboards & Analytics

Additional Security Considerations and Controls for Virtual Private Networks

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Enabling Security Operations with RSA envision. August, 2009

Enterprise Cybersecurity: Building an Effective Defense

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Inspection of Encrypted HTTPS Traffic

FISMA / NIST REVISION 3 COMPLIANCE

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Software that provides secure access to technology, everywhere.

Unified Security, ATP and more

Networking for Caribbean Development

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Cyber Security for SCADA/ICS Networks

Jort Kollerie SonicWALL

The Hillstone and Trend Micro Joint Solution

Security Analytics The Beginning of the End(Point)

Advanced approach to network security and performance monitoring

How To Protect A Web Application From Attack From A Trusted Environment

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

All Information is derived from Mandiant consulting in a non-classified environment.

Redefining SIEM to Real Time Security Intelligence

Firewalls, Tunnels, and Network Intrusion Detection

Protect Your Business and Customers from Online Fraud

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Using SIEM for Real- Time Threat Detection

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

REVIEW ON RISING RISKS AND THREATS IN NETWORK SECURITY

CyberArk Privileged Threat Analytics. Solution Brief

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

How To Manage Security On A Networked Computer System

The Benefits of SSL Content Inspection ABSTRACT

Into the cybersecurity breach

Guideline on Firewall

5 Steps to Advanced Threat Protection

High End Information Security Services

How To Create Situational Awareness

Operationalizing Information Security: Top 10 SIEM Implementer s Checklist

Penetration Testing Service. By Comsec Information Security Consulting

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

End-user Security Analytics Strengthens Protection with ArcSight

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

DDoS Overview and Incident Response Guide. July 2014

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Security Information & Event Management (SIEM)

Defending Against Data Beaches: Internal Controls for Cybersecurity

isheriff CLOUD SECURITY

CDW-G Federal Cybersecurity Report: Danger on the Front Lines. November CDW Government, Inc.

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

24/7 Visibility into Advanced Malware on Networks and Endpoints

WHAT S NEW IN WEBSENSE TRITON RELEASE 7.8

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Cyber Situational Awareness for Enterprise Security

REVOLUTIONIZING ADVANCED THREAT PROTECTION

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

SIEM is only as good as the data it consumes

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

RSA Security Analytics

The Cloud App Visibility Blindspot

I D C A N A L Y S T C O N N E C T I O N

Rashmi Knowles Chief Security Architect EMEA

Detecting Threats Via Network Anomalies. Paul Martini Cofounder and CEO iboss Cybersecurity

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

External Supplier Control Requirements

On-Premises DDoS Mitigation for the Enterprise

CISCO IOS NETWORK SECURITY (IINS)

Healthcare Security and HIPAA Compliance with A10

The Key to Secure Online Financial Transactions

Top 10 SIEM Implementer s Checklist

Securing Remote Vendor Access with Privileged Account Security

McAfee Network Security Platform

Advanced Threats: The New World Order

Evolution Of Cyber Threats & Defense Approaches

Protecting Your Organisation from Targeted Cyber Intrusion

Defending Against Cyber Attacks with SessionLevel Network Security

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

BlackRidge Technology Transport Access Control: Overview

Guideline on Auditing and Log Management

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

Gateway Security at Stateful Inspection/Application Proxy

Security strategies to stay off the Børsen front page

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Security and Privacy

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Building A Secure Microsoft Exchange Continuity Appliance

CONTINUOUS MONITORING THE MISSING PIECE TO SECURITY OPERATION (SOC) TODAY

Transcription:

terreactive AG. Swiss Cyber Storm 2015. Effective Methods to Detect Current Security Threats Taking your IT security to the next level, you have to consider a paradigm shift. In the past companies mostly invested resources to try to avoid security violations. Nowadays you have to face the inevitable: a security breach can t be fully prevented. You need to detect it as fast as possible to be able to stop the breach in its early stages. A multi-layer defense strategy is needed to detect attacks and secure your company with a combination of various sensors to improve transparency. Based on our experience managing Security Monitoring for various Swiss companies terreactive we will share insights with you how to tackle this.

terreactive AG. Swiss Cyber Storm 2015. Effective Methods to Detect Current Security Threats Enrico Petrov Director Managed Security Services terreactive October 21 st, 2015

Overview Current Threats. Security Threat Detection. Trojan Horse Advanced Persistent Threats (APTs) Vulnerable Applications Denial of Service Data Leakage Malware Compromised Accounts

Overview Current Threats. Security Threat Detection. Spending in Information Security continues to grow (8% in 2014). Gartner Cyber attacks are within the top 5 risks in terms of likelihood. WEF: 2014 Global Risk Report The number of reported security incidents has grown 66% year-over-year since 2013. PWC: The Global State of Information Security Survey 2015 Number of organizations reporting cybersecurity incidents with costs exceeding 20 Mio increased by 92% since 2013. PWC: The Global State of Information Security Survey 2015 Many organizations recognize only after 6-9 months that they have been compromised Dr. Eric Cole Advanced Persistent Threat

Overview Current Threats. Security Threat Detection. Security absolute protection: Incident will happen, no matter what protection is in place Security threats are like a bad disease: It can stay hidden and grow Can cause serious damage Can be hard to get rid of Solution: Border protection? Better: strong Immune System IT Security Monitoring

Overview Current Threats. Security Threat Detection: IT Security Monitoring IT Security Monitoring It s not a just tools, or processes: it s a discipline providing assurance on the capability of an organization in continuously and efficiently detect and respond to disruptive information security events Works like the human body Immune System : Differentiated Sophisticated detection Works from the inside Learning Adaptive Always-on

Tools and Methods. Security Threat Detection: IT Security Monitoring Test / Assessment Gap analysis Tuning Mgt. Summary Compliance Security Status Tracking Incident Handling Mitigation Escalation Report React Review Security Monitoring Cycle Detect Concept Analyse Collect Identify targets, define priorities and strategies Systematically collect evidence of security relevant events Normalize security events, define key metrics, apply correlation and base-lining Detect incidents, policy violations and anomalies

Details and Examples. Security Threat Detection: «Collect» Log messages Security logs: Firewall, VPN, Remote Access, Mail/Web Gateways Protocol ALL connections entering / leaving corporate network - not only the denies ( Accepted connections are bad ) Break encryption and collect logs from SSL reverse proxy, SSL intercept Web surfing, Transfer Gateways ( Encryption is bad ) Application logs: Web, Application Server Intrusion detection: Network-IDS, Host-IDS, Anti Virus, Anti Malware

Details and Examples. Security Threat Detection: «Collect» Log messages Audit logs: DBs, AAA, DLP, Privileged Access Log / Sessions Trust your administrators but no blind trust full action logging Log DNS requests / responses on internal network Malware needs to call-home

Details and Examples. Security Threat Detection: «Collect» Monitoring data System and network monitoring information (availability, performance, system load for host, gateways and network links) Real-time and trend traffic statistics (e.g. bit/s, packets/s) Application monitoring (end-to-end performance, fingerprint) Netflow data Application flow streams at network layer Break down by protocol / hosts / duration / transfer rates and volume

Details and Examples. Security Threat Detection: «Collect» Log Monitoring Netflow

Details and Examples. Security Threat Detection: «Collect» Log Monitoring Netflow Collect & store on central dedicated system Read-only, cannot be tampered with Role based access control (operator, security analyst, CISO) Enable long retention time Forensics, trend analysis ( learn from the past ) Make collected data available online Live search Visual statistics Enable dashboards Aggregation key metrics, drilldown

Details and Examples. Security Threat Detection: «Analyse» Analyse data (sample) The enemy is outside, the enemy is inside : assume a security breach has already happened focus on outbound accepted/denied connections (that s where often malware covert channels lie) Keep an eye on long lasting connections (they are invisible ) Check reputation scoring of accessed external IP / domains: periodically fetch IP blacklists (e.g. www.abuse.ch, MELANI,..) match them against relevant logs

Details and Examples. Security Threat Detection: «Detect» Scenario: Malware on Bank/eShop client s PC [DNS spoofing, JScript injection, fake CA Certiticate] Dridex Customer PC Internet Firewall WAF Web Server Log correlation on FW/-WAF-Web Server: Spoofed Proxy Server Steal credential / CC info Unauthorized transactions HTTP 404 response for stray.js files Too many / fast Web requests per session Poor IP reputation of client IP Geo IP distance between logins

Details and Examples. Security Threat Detection: «Detect» Scenario: Covert (reverse) tunnel Remote Target PC Internet RAS Jump Server Admin PC Network Netflow analysis: FLOW Long lasting SSH connection via Jump Host bypassing enforced idle / absolute timeouts

Organization and processes to make it work. Security Threat Detection: Methodology Log Monitoring Netflow Security Analyst 1. Collect vitals 2. Apply advanced diagnostics 3. Consult the expert

terreactive Background. About us. Facts 20 years experience in IT-security Swiss company with 45 employees Profile Trusted partner for comprehensive and sustainable IT-security solutions Strong focus on Security Monitoring Independent and solution-oriented Services in the IT-security-lifecycle Pioneer for MSS Managed Security Services (60% of company revenues) 360 Security

terreactive AG. Swiss Cyber Storm 2015. Thank you! terreactive AG Kasinostrasse 30 5001 Aarau Switzerland www.security.ch info@terreactive.ch

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information