BigData and (in)security Considerations
Technology Trends Reshaping Business
- Cloud computing
- Amazing applications that change our world
- Fast, widespread wireless/wireline IP networks
- Powerful mobile computing devices
Most organizations are reengineering the way they do business.
Government/Education Interactions
[Diagram: Your Organization (Marketing, Legal, Security, Logistics & Facilities) at the center, surrounded by its Finance, Compliance, Demand and Logistics communities, with flows labelled Compliance, Payment & Settlement, Fulfillment and Revenue. Parties shown: Service Providers, Brokers, Carriers, Suppliers/Distributors, Banks & Credit, Escrow/Endowments, Agents, Student Finance, Regulatory Authorities, Government Authorities, Industry Standards Organizations, Retailers, Consumers, Parents/Students, Constituents, Education Distributors, Vendors, Partners, IT/Software, IT Standards Community, Financial Investment Management, Industry/Education/Government Organizations.]
Cloud & Hosting Services: Technology Diversity
- Security
- Managed Hosting
- Utility Computing
- Replication & Storage
- Computing Power On Demand
- Application Platform On Demand
- Global Geographic Diversity
- Domestic Geographic Diversity
- Smartphone & Laptop Back-up
- Virtual Cloud
- Private Cloud
- Colocation
Application Services: Vendor and Partner Choices
- Security
- Application Hosting & Pro Services
- Business Application Mobilization
- Middleware
- Software as a Service Enablement
- Application Management
- Video Management
- ecommerce
- WebSphere Hosting & Services
- Content Delivery Network
- Digital Signage
- Content Acceleration
Network Services: Access and Communications Choices
- Security
- Remote Access
- Domestic MPLS
- Global MPLS
- Web & Audio Conferencing
- Unified Communications
- Wireless WAN
- Telepresence
- Legacy Data Networking
- Web & Email Security
- Integrated Voice & Data
- Internet Access
- Local & Long Distance
- Network Sourcing
- Firewall, Bandwidth, & Mobile Security as a Service
Mobility Services: Mobility Explosion
- Security
- Mobile Device Management
- Mobile Messaging
- Global Mobile Compatibility
- Simultaneous Voice & Data
- Business Applications
- Mobile Commerce
- Mobile Resource Management
- Mobile Productivity Solutions
- Tablets, Machine-to-Machine, Laptops & Netbooks, SmartPhones, Legacy Cell Phones
- Global Wi-Fi Access
- Fixed Mobile Convergence
Mandates and More
- Security
- Custom Application Development
- Software Implementation, Enhancements & Upgrades
- ecommerce Strategy
- SAS 70 / SSAE 16 / ISAE 3402, PCI, Regulatory Compliance, GLB, Sarbanes-Oxley, ISO 27001/2
- RFID Supply Chain Logistics
- WWWAN Architecture Assistance
- Assess Security Risk of Evolving Application-based Mobile Technologies
- Systems Integration
- Data Warehouse
- Application Consulting
- Disaster Recovery Strategy
- Cloud & Hosting Consulting
- Mobility Consulting
- Telemetry Solution Development
- Network Consulting
- Network Architecture Assistance
- Firewall Assessments
- Customer Data Protection
- Cloud Strategy
- Application Acceleration
- Network Integration
- Custom Hardware Solutions
- 3rd Party Mobile Apps
- Equipment Staging, Cabling, and Wiring
- Incident Response & Forensics
- Security Event Management
Taglines: Unlock Your Applications; Rise Above the Cloud; Protecting Interests; Your GovEd Organization; Putting All of the Pieces Together; Mobilize Everything; Connect To Your World.
The Threat Landscape Is Changing
Concerns are real, not FUD
- Alaska Department of Health and Social Services, the state Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,700,000 to settle possible HIPAA violations. Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries.
- Utah Department of Health: on March 30, approximately 780,000 Medicaid patients and recipients of the Children's Health Insurance Plan had personal information stolen after a hacker from Eastern Europe accessed the Utah Department of Technology Service's server.
- South Carolina Department of Revenue breach: $25M and climbing. An employee opened a phishing email on a personal machine, which infected a thumb drive; the thumb drive was then inserted in a DOR PC, followed by low and slow extraction of data from the DOR database. SC DOR no longer allows employees to use state machines for personal use; they cannot do so during lunch or after work.
Concerns are seen early by BigData
- BigData Advisory / Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) and Cisco Catalyst 6500 Series ASA Services Module (Cisco ASASM) contain a vulnerability that may allow an unauthenticated, remote attacker to cause the reload of the affected device.
- Protect Alert: Increased scan sources on port 135/TCP. Port 135/TCP is commonly associated with epmap, used to manage services like Exchange, AD, DHCP, DNS and WINS. The current scanning activity appears to be an attempt to identify open DCE/RPC Locator Services to target vulnerable systems for malicious purposes. Several malware families (Randex, Spybot, Sdbot and Ircbot) are known to use 135/TCP.
With BigData
BigData resources that benefit Gov/Ed organizations:
- Extremely large (elastic) network resources
- Teams and organizations with expertise
- Full-time/part-time security professionals with training and credentials
- Benefit from a real-time knowledge base and tools
What BigData Sees/Monitors
- 46 72 petabytes of data traffic per day on average (peta = 1 million gigabytes)
- Wireless subscribers >156M: not simply cell phones but hand-held computers
- BigData may have a large Wi-Fi network view, with hundreds of thousands of Wi-Fi hotspots around the world
- BD may have more than one billion (BILLIONS) of devices connected to its network at any given time
- Billions of IP flows go through a BigData analysis DB per hour on average
With BigData behind you:
- Correlation of your events with some of the largest threat intelligence databases in the world
- Proactive signatures
- Custom tools for early detection
- Resources for mitigation
BigData offers a unique global view of traffic & threats that cannot be replicated.
SCREEN SHOT - LAST NIGHT
2010 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
DDoS Defense Diversion Overview
[Chart: relative rank of UDP port 2002 relative to other UDP traffic, by date 9/10 to 9/16, log scale 1 to 10000, series # flows, # packets, # bytes; plotted ranks include 2842, 17, 20, 5, 2, 2, 8.]
[Diagram: IP Network, Scrubbing Complex, targeted servers 1.2.3.4/24, non-targeted servers.]
1. BigData Partner detects DDoS attack; BGP announcement 1.2.3.4/32
2. Activate Scrubbing Complex
3. Withdraw routes to alternate ISP
3. Divert only the target's traffic to Scrubber
4. Scrubber identifies and filters the malicious traffic
6. Scrubbed legitimate traffic flows back to targeted devices
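The detection step of the diversion flow above (step 1: spotting the port whose relative rank suddenly jumps) worked through as an added Python example; this is not AT&T's or BigData's tooling, and it runs on constructed NetFlow-style records with the port, dates and the top-10 threshold chosen for illustration.

```python
from collections import defaultdict

DATES = ("9/10", "9/11", "9/12", "9/13", "9/14", "9/15", "9/16")
MEASURES = ("flows", "packets", "bytes")

def build_sample():
    """Constructed sample flows (date, proto, dst_port, packets, bytes), not
    captured data: 40 busy background UDP ports every day plus a normally
    quiet port 2002 that is flooded on 9/13 and 9/14 (hypothetical dates)."""
    flows = []
    for date in DATES:
        for i in range(40):  # background ports 10000..10039, busiest first
            flows += [(date, "udp", 10000 + i, 10, 800)] * (41 - i)
        attack = date in ("9/13", "9/14")
        rec = (date, "udp", 2002, 1000 if attack else 2, 60000 if attack else 100)
        flows += [rec] * (500 if attack else 1)
        flows.append((date, "tcp", 443, 50, 70000))  # non-UDP, ignored by the ranker
    return flows

def rank_port(flows, port, proto="udp"):
    """Per day, the 1-based rank of `port` among all `proto` destination ports
    by flows, packets and bytes (1 = busiest port); None if the port was not seen."""
    per_day = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for date, p, dport, pkts, byts in flows:
        if p == proto:
            agg = per_day[date][dport]
            agg[0] += 1
            agg[1] += pkts
            agg[2] += byts
    ranks = {}
    for date, ports in per_day.items():
        ranks[date] = {}
        for i, m in enumerate(MEASURES):
            order = sorted(ports, key=lambda d: ports[d][i], reverse=True)
            ranks[date][m] = order.index(port) + 1 if port in ports else None
    return ranks

def rank_jumps(ranks, top=10):
    """Dates on which the port breaks into the top `top` by some measure after
    being outside it the day before: the step-1 detection signal that would
    precede the /32 diversion announcement and scrubbing."""
    alerts = []
    dates = sorted(ranks)  # "9/10".."9/16" sort correctly as strings
    for prev, cur in zip(dates, dates[1:]):
        for m in MEASURES:
            before, after = ranks[prev][m], ranks[cur][m]
            if after is not None and after <= top and (before is None or before > top):
                alerts.append((cur, m))
    return alerts
```

On the constructed data port 2002 sits at rank 41 on quiet days and rank 1 on the flood days, so the only alert fires on 9/13, the day the diversion would be triggered.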
THREAT MANAGERS: Service Support Model / Flow
[Diagram, built up over three slides:]
- Inputs: IDS alarms, firewall logs, DLP alarms, NetFlow, proxy logs, server alarms, Internet alarms, DDoS detection, VPN logs, honey pots
- Processing: monitoring engines, correlation engines, flow analysis
- Output: real-time alerts & alarms with severity & likely source
- Security professionals: security analysis (profile/anomaly based), BigData Global Network Security GNOC
- Delivered to the customer: security information, mitigation plan, security support
Security Event Threat Management System
BigData Security Solutions: A Defense-in-Depth Approach
Many types of data share the same cable:
- Application data traffic: business applications
- FTP: file transfer
- Telnet: data connections
- HTTP / HTTPS: web browsers and secure web pages
- SMTP: e-mail
- VPN: site-to-site and users; IPSec, NAT-T, SSL, etc.; token (hard or soft)
Security: protecting different data in different ways. E-mail concerns are different from denial-of-service concerns. Data requirements and exposure can affect all parts of your organization.
Protection where needed: a defense-in-depth approach to securely protect your business. Passing packets, or augmenting your team through services, is defense-in-depth. Protection where you need it, when you need it.
24x7: always on, always available. BigData Network Operating Center and Security Solution teams are there when you need them.
Secure E-Mail Gateway (SEG)
Protecting against inbound threats while delivering outbound policy enforcement, disaster recovery, and archiving of e-mail data. Put the moat outside your business, where it belongs.
BigData network-based solution blocking spam, viruses, and other inbound e-mail malware threats, with an additional layer of protection against loss of sensitive information and services.
- DLP: Data Loss Protection
- PII: Personal Identifiable Information
- Disaster recovery: support for months with mail-bagging in the event of expected or unexpected e-mail downtime, with access to these e-mails during the outage
- Multi-layered e-mail filtering protection
- Encryption features to support your data loss prevention strategies
BigData Web Security
URL filtering, company policy enforcement and protection
- Stop new and known malware at the Internet level
- Inbound / outbound real-time scanning across multiple, correlated detection technologies
- Zero-day concerns dynamically identified by working with massive amounts of web data
- Processes Outbreak Intelligence using proprietary, proactive heuristics technology: proactively identify threats, rapidly develop heuristics, and test these against real data, ensuring accuracy, effectiveness and immediate protection
- Anywhere+: the same protection / enforcement for roaming assets (laptops) when away from the office
BigData = World Class Security Operations
World Class Security NOC
- Physical redundancy
- Documented operational security procedures
- 24x7 monitoring and management
- State of the art systems that monitor and manage thousands of devices, collect terabytes of data, and correlate thousands of security events
Top Notch Security Expertise
- CCNP, CCIE, GCIA, CISSP, MCSE, and Unix certified professionals
- Strong security skills: incident handling and intrusion detection, in-depth understanding of TCP/IP, years of experience
Lead in Industry Standards of Excellence
- AT&T Network Security GNOC: industry thought leaders
BigData offers A Defense-in-Depth Approach to Security
- Security Consulting
- Security Event & Threat Analysis
- Network-Based Firewall Solutions
- Intrusion Detection and Intrusion Protection Solutions
- Email and/or Web Filtering Protection
- Internet BigView & DDoS Defense
SOLUTION: Move the Moat Outside the Castle.
Michael Light, Emerging Technologies Consultant, Michael.Light@att.com, 843.814.7935
AT&T Proprietary (Internal Use Only)