Effective Methods to Detect Current Security Threats

Transcription:

terreactive AG. Swiss Cyber Storm 2015.
Effective Methods to Detect Current Security Threats
Enrico Petrov, Director Managed Security Services, terreactive
October 21st, 2015

terreactive Background. About us.
Facts:
- 20 years of experience in IT security
- Swiss company with 45 employees
Profile:
- Trusted partner for comprehensive and sustainable IT security solutions
- Strong focus on Security Monitoring
- Independent and solution-oriented
- Services across the IT security lifecycle
- Pioneer for MSS (Managed Security Services), 60% of company revenues
- 360° Security

terreactive Background. Who trusts us: our customers.

Overview Current Threats. Security Threat Detection.
- Trojan Horse
- Advanced Persistent Threats (APTs)
- Vulnerable Applications
- Denial of Service
- Data Leakage
- Malware
- Compromised Accounts

Overview Current Threats. Security Threat Detection.
- Spending on information security continues to grow (8% in 2014). (Gartner)
- Cyber attacks are within the top 5 risks in terms of likelihood. (WEF: 2014 Global Risk Report)
- The number of reported security incidents has grown 66% year-over-year since 2013. (PWC: The Global State of Information Security Survey 2015)
- The number of organizations reporting cybersecurity incidents with costs exceeding 20 million increased by 92% since 2013. (PWC: The Global State of Information Security Survey 2015)
- Many organizations recognize only after 6-9 months that they have been compromised. (Dr. Eric Cole, Advanced Persistent Threat)

Overview Current Threats. Security Threat Detection.
Security is not absolute protection: an incident will happen, no matter what protection is in place.
Security threats are like a bad disease:
- They can stay hidden and grow
- They can cause serious damage
- They can be hard to get rid of
Solution: border protection? Better: a strong immune system, i.e. IT Security Monitoring.

Overview Current Threats. Security Threat Detection: IT Security Monitoring
IT Security Monitoring is not just tools or processes: it is a discipline providing assurance of an organization's capability to continuously and efficiently detect and respond to disruptive information security events.
It works like the human body's immune system:
- Differentiated
- Sophisticated detection
- Works from the inside
- Learning
- Adaptive
- Always-on

Tools and Methods. Security Threat Detection: IT Security Monitoring
Security Monitoring Cycle:
- Concept: identify targets, define priorities and strategies
- Collect: systematically collect evidence of security-relevant events
- Analyse: normalize security events, define key metrics, apply correlation and base-lining
- Detect: detect incidents, policy violations and anomalies
- React: incident handling, mitigation, escalation, report
- Review: test / assessment, gap analysis, tuning, management summary, compliance, security status tracking

Details and Examples. Security Threat Detection: «Collect»
Log messages
- Security logs: firewall, VPN, remote access, mail/web gateways
  - Log ALL connections entering / leaving the corporate network, not only the denies ("Accepted connections are bad")
  - Break encryption and collect logs from the SSL reverse proxy, SSL intercept, web surfing and transfer gateways ("Encryption is bad")
- Application logs: web, application server
- Intrusion detection: network IDS, host IDS, anti-virus, anti-malware

Details and Examples. Security Threat Detection: «Collect»
Log messages
- Audit logs: DBs, AAA, DLP, privileged access log / sessions
  - Trust your administrators, but no blind trust: full action logging
- Log DNS requests / responses on the internal network: malware needs to call home

Details and Examples. Security Threat Detection: «Collect»
Monitoring data
- System and network monitoring information (availability, performance, system load for hosts, gateways and network links)
- Real-time and trend traffic statistics (e.g. bit/s, packets/s)
- Application monitoring (end-to-end performance, fingerprint)
Netflow data
- Application flow streams at network layer
- Break down by protocol / hosts / duration / transfer rates and volume

Details and Examples. Security Threat Detection: «Collect»
Log, Monitoring, Netflow

Details and Examples. Security Threat Detection: «Collect»
Log, Monitoring, Netflow
- Collect & store on a central dedicated system
  - Read-only, cannot be tampered with
  - Role-based access control (operator, security analyst, CISO)
- Enable long retention time: forensics, trend analysis ("learn from the past")
- Make collected data available online: live search, visual statistics
- Enable dashboards: aggregation, key metrics, drilldown

Details and Examples. Security Threat Detection: «Analyse»
Analyse data (sample)
- "The enemy is outside, the enemy is inside": assume a security breach has already happened
- Focus on outbound accepted/denied connections (that is where malware covert channels often lie)
- Keep an eye on long-lasting connections (they are "invisible")
- Check reputation scoring of accessed external IPs / domains: periodically fetch IP blacklists (e.g. www.abuse.ch, MELANI, ...) and match them against relevant logs

Details and Examples. Security Threat Detection: «Detect»
Scenario: malware on a bank / eShop client's PC [DNS spoofing, JScript injection, fake CA certificate], e.g. Dridex
Path: Customer PC, Internet, Firewall, WAF, Web Server
Attack steps: spoofed proxy server, steal credentials / CC info, unauthorized transactions
Log correlation on firewall / WAF / web server:
- HTTP 404 responses for stray .js files
- Too many / too fast web requests per session
- Poor IP reputation of the client IP
- Geo IP distance between logins
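As an added illustration of the «Analyse» and «Detect» slides (not code from the talk or from terreactive), the following Python applies three of the listed correlation rules, stray .js 404s, request rate per client IP and blacklist reputation match, to constructed web-server log lines; the log lines, the blacklist and the rate threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed web-server access log (Apache combined style); not data from the slides.
ACCESS_LOG = """\
203.0.113.5 - - [21/Oct/2015:10:00:01 +0200] "GET /login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Oct/2015:10:00:02 +0200] "GET /static/stray.js HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Oct/2015:10:00:02 +0200] "GET /inject.js HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Oct/2015:10:00:03 +0200] "POST /transfer HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2015:10:05:00 +0200] "GET /login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2015:10:05:30 +0200] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed reputation list standing in for a periodically fetched blacklist feed.
BLACKLIST = {"203.0.113.5"}

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(log_text):
    """Turn raw access-log lines into dicts with client IP, timestamp, path and status."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        events.append({"ip": m.group("ip"), "path": m.group("path"),
                       "status": int(m.group("status")),
                       "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")})
    return events

def correlate(events, blacklist, max_rps=1.5):
    """Apply the slide's log-based indicators per client IP; returns {ip: sorted indicator names}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        hits = set()
        if ip in blacklist:                      # poor IP reputation of the client
            hits.add("poor_ip_reputation")
        if any(e["status"] == 404 and e["path"].endswith(".js") for e in evs):
            hits.add("stray_js_404")             # injected script the site does not serve
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
        if len(evs) > 1 and len(evs) / max(span, 1.0) > max_rps:
            hits.add("request_rate_too_high")    # too many / too fast requests per client
        if hits:
            findings[ip] = sorted(hits)
    return findings
```

Several indicators firing for one client IP within a short window is the correlation signal the slide describes; a single 404 or a single blacklist hit on its own would be weaker evidence.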

Details and Examples. Security Threat Detection: «Detect»
Scenario: covert (reverse) tunnel
Path: Remote Target PC, Internet, RAS, Jump Server, Admin PC, internal network
Netflow analysis (FLOW): long-lasting SSH connection via the jump host bypassing enforced idle / absolute timeouts
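As an added example for the covert-tunnel scenario (not code from the talk or from terreactive), this Python checks constructed NetFlow-style records for SSH flows through the jump host that outlive the enforced absolute timeout, and pairs each such inbound flow with outbound SSH flows the jump host opened while it was alive; the jump-host address, the 8-hour limit and the flow records are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

JUMP_HOST = "10.0.0.10"                  # assumed address of the jump server
ABSOLUTE_TIMEOUT = timedelta(hours=8)    # assumed enforced absolute session limit

# Constructed NetFlow-style records (one row per flow); not data from the slides.
FLOWS_CSV = """\
start,end,src,dst,dport,bytes
2015-10-21T08:00:00,2015-10-21T08:20:00,198.51.100.20,10.0.0.10,22,4096
2015-10-21T09:00:00,2015-10-22T01:30:00,198.51.100.21,10.0.0.10,22,9000000
2015-10-21T09:00:05,2015-10-22T01:29:00,10.0.0.10,10.0.0.55,22,8800000
2015-10-21T10:00:00,2015-10-21T10:05:00,10.0.0.10,10.0.0.56,443,20000
"""

def load_flows(text):
    """Parse the CSV export into dicts with datetime start/end and integer dport."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["end"] = datetime.fromisoformat(row["end"])
        row["dport"] = int(row["dport"])
        flows.append(row)
    return flows

def long_ssh_flows(flows, jump_host=JUMP_HOST, limit=ABSOLUTE_TIMEOUT):
    """SSH flows touching the jump host that outlive the enforced absolute timeout."""
    return [f for f in flows
            if f["dport"] == 22 and jump_host in (f["src"], f["dst"])
            and f["end"] - f["start"] > limit]

def tunnel_chains(flows, jump_host=JUMP_HOST, limit=ABSOLUTE_TIMEOUT):
    """Pair each over-long inbound SSH flow with outbound SSH flows the jump host
    started while that session was alive: the signature of a session relayed onward."""
    inbound = [f for f in long_ssh_flows(flows, jump_host, limit) if f["dst"] == jump_host]
    outbound = [f for f in flows if f["src"] == jump_host and f["dport"] == 22]
    chains = []
    for i in inbound:
        for o in outbound:
            if i["start"] <= o["start"] <= i["end"]:
                chains.append((i["src"], jump_host, o["dst"]))
    return chains
```

A flow that exceeds the configured absolute timeout means the timeout is not being enforced on that path, which is the finding to escalate regardless of whether the session turns out to be malicious.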

Organization and processes to make it work. Security Threat Detection: Methodology
Log, Monitoring, Netflow -> Security Analyst (the "security doctor")
1. Collect vitals
2. Apply advanced diagnostics
3. Consult the expert

terreactive AG. Swiss Cyber Storm 2015. Thank you!
terreactive AG, Kasinostrasse 30, 5001 Aarau, Switzerland
www.security.ch, info@terreactive.ch