A viable SIEM approach for Android

Similar documents
A viable SIEM approach for Android

Using Extensible Metadata Definitions to Create a Vendor-Independent SIEM System

Security concept for gateway integrity protection within German smart grids

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Orchestrated Security Network. Automated, Event Driven Network Security. Ralph Wanders Consulting Systems Engineer

Security Coordination with IF-MAP

SIEM approach for a higher level of IT security in enterprise networks

Trusted Network Connect (TNC)

Security Orchestration with IF-MAP

State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

- IF-MAP Research Projects and Open Source Software

Network Access Control (NAC) and Network Security Standards

ESUKOM: Smartphone Security for Enterprise

How Attackers are Targeting Your Mobile Devices. Wade Williamson

Active Network Defense: Real time Network Situational Awareness and a Single Source of Integrated, Comprehensive Network Knowledge

OneFabric Connect. Overview. Extend the OneFabric architecture to 3rd party applications DATA SHEET BENEFITS BUSINESS ALIGNMENT

Norton Mobile Privacy Notice

Contextual Security with IF-MAP

Security concept for gateway integrity protection within German smart grids

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

FIDO Modern Authentication Rolf Lindemann, Nok Nok Labs

Bridging the gap between COTS tool alerting and raw data analysis

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

Intro to Firewalls. Summary

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Frequently asked questions

DYNAMIC DNS: DATA EXFILTRATION

» WHITE PAPER X and NAC: Best Practices for Effective Network Access Control.

IBM QRadar Security Intelligence April 2013

(U)SimMonitor: A New Malware that Compromises the Security of Cellular Technology and Allows Security Evaluation

End-user Security Analytics Strengthens Protection with ArcSight

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

RFI Template for Enterprise MDM Solutions

Fidelis XPS Power Tools. Gaining Visibility Into Your Cloud: Cloud Services Security. February 2012 PAGE 1 PAGE 1

Sophos Mobile Control Technical guide

NTT R&D s anti-malware technologies

Kaspersky Fraud Prevention platform: a comprehensive solution for secure payment processing

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1

Onegini Token server / Web API Platform

The Cloud App Visibility Blindspot

How we keep harmful apps out of Google Play and keep your Android device safe

Windows Server 2003 End of Support. What does it mean? What are my options?

Network Visiblity and Performance Solutions Online Demo Guide

HP Insight Management Agents architecture for Windows servers

State of Security Monitoring of Public Cloud

Course Outline. Managing Enterprise Devices and Apps using System Center Configuration ManagerCourse 20696B: 5 days Instructor Led

How To Create An Integrated Visualization For A Network Security System (For A Free Download)

Leveraging Trusted Network Connect for Secure Connection of Mobile Devices to Corporate Networks

Endpoint protection for physical and virtual desktops

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

Concierge SIEM Reporting Overview

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

Endpoint protection for physical and virtual desktops

Load Testing Essentials

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology

IF-MAP Use Cases: Real-Time CMDB, and More

Average annual cost of security incidents

KASPERSKY FRAUD PREVENTION PLATFORM COVERING ONLINE AND MOBILE BANKING RISKS

IBM Advanced Threat Protection Solution

Intrusion Detection in AlienVault

Analyzing HTTP/HTTPS Traffic Logs

Monitor network traffic in the Dashboard tab

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

U.S. Cellular Mobile Data Security. User Guide Version 00.01

ClearSkies SIEM Security-as-a-Service (SecaaS) Infocom Security Athens April 2014

ESET ENDPOINT SECURITY FOR ANDROID

Ecom Infotech. Page 1 of 6

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

DDoS-blocker: Detection and Blocking of Distributed Denial of Service Attack

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Security Intelligenece: tracking obfuscated and unrecognized attacks Check Point Software Technologies Ltd.

Compliance Guide: PCI DSS

Trust: When Physical and Logical Security Worlds Collide

High-performance VoIP Traffic Optimizer Client Solution

The Secure Web Access Solution Includes:

Cisco Advanced Malware Protection for Endpoints

Transcription:

IDAACS 2015, 24.-26.09.15 A viable SIEM approach for Android Kai-Oliver Detken Evren Eren Markus Schölzel DECOIT GmbH Fahrenheitstraße 9 D-28359 Bremen https://www.decoit.de detken@decoit.de

Outline Introduction Motivation TNC IF-MAP Data model MAP graph Android SIEM without IF-MAP DECOmap for Android Conclusion and Outlook

Introduction (1) The term SIEM is divided into: Security Event Management (SEM) Security Information Management (SIM) SEM security management includes: Real-time monitoring Event correlation Event messaging Security management of SIM includes: Long-term capturing Analyze of log data Reporting of log data Basically SIEM systems are able by collecting sensor information and events to recognize anomalies and prevent threats

Introduction (2) imonitor project (www.imonitor-project.de) of BMWi started in July 2013 and ended in June 2015 successfully Partner of the Bremer project were: DECOIT GmbH (coordination, development, exploitation) University of Bremen, TZI (development) neusta GmbH (development, exploitation) The project developed a new form of event correlation, which recognize new attack variants automatically (with artificial intelligence) Exchange rules through a central knowledge server An event overview is presented in one SIEM-GUI centrally

Motivation (1) Tech Pro Research's latest survey (January 2015) shows that the Bring Your Own Device (BYOD) movement is booming: 74% of organizations either already using or planning to allow employees to bring their own devices to work BYOD will drive Android into the enterprise despite security concerns: The bring your own device (BYOD) movement [...] will continue to grow despite security risk, according to Ernst & Young In case of a malicious event monitoring systems need to respond immediately!

Motivation (2) Proposed solution: user authentication (credentials or certificate) + collection of status reports These data could contain traffic, load and usage stats, system, platform and app version information Based on this information mobile devices can be treated differently in real-time to restrict access and scope for devices with known bugs or suspicious behavior TNC IF-MAP can be used to allow an integration of multiple tools and an efficient database a SIEM system can rely on

TNC IF-MAP (1) Trusted Network Connect (TNC) is an open architecture developed by the Trusted Computing Group (TCG) to enforce policies regarding endpoint integrity IF-MAP, as part of TNC, is a client/server protocol for accessing a Metadata Access Point (MAP) and storing/reading information about network-/securityrelevant real-time metadata Based on IEEE 802.1x (AR, PEP and PDP) IF-MAP Clients and a MAP-Server (not TPM required) XML/SOAP over HTTPS (CBOR protocol optionally)

TNC IF-MAP (2)

TNC IF-MAP data model The data model includes: Original and extended identifiers Links Standard metadata and vendor-specific metadata Android device in a MAP graph:

TNC IF-MAP graph

Android platform Metadata used to identify devices and their state: Device specific data (IMEI, IMSI, ) Platform (build number, firmware version, ) System state (cpu load, traffic, ) Communication (bluetooth, sms, nfc, ) Apps (installed, permissions)

SIEM without IF-MAP Data collected by IF-MAP Clients can be re-used to generate events for various types of monitoring systems and statistics Icinga-based approach accepting Android events via NSCA InfoEvent, MonitorEvent and AppEvent:

DECOmap for Android DECOmap for Android is an Open Source tool which has been developed by DECOIT GmbH in two research projects The App Version 0.2 has been extended in cooperation with the University of Applied Science of Dortmund It can be used without license costs with or without IF-MAP protocol Currently an integrity check is not available, because of missing TPM modules on mobile platforms Download is available at project websites: www.imonitor-project.de www.simu-project.de

Conclusion and Outlook Collecting data of Android for SIEM environments with and without IF-MAP protocol has been working out Concept to treat mobile devices depending on their status (not only authenticating of the user) DECOmap allows real-time actions on specific events Future work can be: Developing more clients for multiple platforms using the same or an extended data model (e.g. ios) Provide usable interfaces for communication between monitoring systems and mobile devices Evaluation and incorporation of metadata to allow an assessment of mobile devices Implement an integrity check on mobile devices with TPM support

Thank you for your attention! DECOIT GmbH Fahrenheitstraße 9 D-28359 Bremen https://www.decoit.de info@decoit.de

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information