What you can't see can hurt you! Addressing the modern day cyber threat
Arun George, CRISC, CISM, CISSP, GCIH, ITIL-F, 7799LA
Regional Manager – Solution Architects, MEMA
May 29, 2013
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Agenda
• The security market has changed
• A risk-based, adversary-centric approach is needed
• HP ESP security solutions
• Solution demo

The security market has changed
HP's perspective on the evolution of the security and risk landscape

Customers struggle to manage the security challenge
Today, security is a board-level agenda item. Primary challenges:
1. Nature and motivation of attacks (fame, fortune, a market adversary). The new market adversary works in stages: Research, Infiltration, Discovery, Capture, Exfiltration.
2. Transformation of enterprise IT (delivery and consumption changes). Delivery: traditional DC, private cloud, managed cloud, public cloud (network, storage, servers). Consumption: virtual desktops, notebooks, tablets, smart phones.
3. Regulatory pressures (increasing cost and complexity): policies and regulations such as Basel III and DoD 8500.1.

A new approach is needed
A risk-based, adversary-centric approach

Back to the Basics
Risk = Asset value × Vulnerability × Threat/Exploit

Term: Definition
Vulnerability: a security flaw in a software program (or, more generally, in a system)
Exploit: an attack on a vulnerability, used to gain unauthorized access or to create a denial of service

On a timeline, the vulnerability comes first; an exploit is released to abuse an already existing vulnerability.

Attack Timeline
1) The vulnerability is discovered first; exploits are released later.
2) The ratio of vulnerabilities to exploits is one-to-many (1:n, n > 1): once a vulnerability is known, several exploit variants typically follow (though some vulnerabilities are never exploited in the wild at all).
The 0-day period is the window in which the vulnerability can be exploited but no fix has been deployed. Being proactive (removing the vulnerability before an exploit exists) is better than being reactive (blocking exploits after they appear).

Classifying Security Technologies
The technologies are placed on a Luxury-to-Must scale: Firewall/UTM, NGFW, IDS, Antivirus, URL filtering, Malware protection, IPS, NGIPS, PT/VM (penetration testing / vulnerability management), Event monitoring, Software assurance, SSO, IPAM.
Classifying Security Technologies (continued)
On the same Must-to-Luxury scale, the technologies split by posture:
• Reactive: Firewall/UTM, NGFW, IDS, Antivirus, URL filtering, Malware protection, IPS, NGIPS, PT/VM
• Proactive: Event monitoring, Software assurance

Our strategy is to focus solutions around three areas
1. Harden the attack surface: Build it in.
2. Improve risk management and response: Make it intelligent.
3. Proactively protect information assets: Protect what matters.

How do we do this?
• Harden the attack surface: identify, improve and reduce the vulnerability profile of enterprise applications and systems.
• Improve risk management: turn information into intelligence and more quickly see, find and stop known and unknown threats.
• Proactively protect information: proactively find, understand and protect sensitive information across the enterprise.

HP Enterprise Security Products (ESP)
Market-leading products and services. One Team, One Vision: ArcSight, Fortify, TippingPoint, Atalla.
• Security Information and Event Management
• Log Management
• Application Security
• Network Security
• Data Protection
• Threat Research
• Security Services
• 1,400 security professionals from the ArcSight, Fortify and TippingPoint teams
• 1,500 security professionals in HP Enterprise Security Services
• Top three security company by market share (leader in SIEM, log management, AppSec and network security)

ESP security solutions
HP Fortify Software Security Center
Identifies and eliminates risk in existing applications and prevents the introduction of risk during application development, whether the software is in-house, outsourced, commercial or open source.
• Protect business-critical applications from advanced cyber attacks by removing security vulnerabilities from software
• Accelerate time-to-value for achieving secure applications
• Increase development productivity by enabling security to be built into software, rather than added on after it is deployed
• Deliver risk intelligence from application development to improve operational security

HP TippingPoint Network Defense System
A complete set of network security solutions that address today's advanced threats: next-gen IPS, next-gen management, reputation feeds and DVLabs research.
• Scalable infrastructure to address current and future security deployment models (NGIPS)
• Dynamic analytics and policy deployment with real-time management (NG Mgmt)
• Predictive intelligence to proactively address current and future threat activity (DVLabs)

HP ArcSight Security Intelligence
A comprehensive platform for monitoring modern threats and risks, augmented by services expertise and the most advanced security user community, Protect724. Capabilities: event correlation, user monitoring, data capture, fraud monitoring, controls monitoring, application monitoring, log management.
• Analyze events in real time to deliver insight
• Respond quickly to prevent loss
• Establish complete visibility
• Measure security effectiveness across people, process and technology
Security innovations

Web Application Protection
Adaptive Web Application Firewall (WAF) technology
What does it provide?
• Advanced web application scanning (HP WebInspect) to uncover vulnerabilities, combined with an adaptive IPS response
• WebInspect findings are passed to WebAppDV, which auto-generates IPS filters: a virtual patch for each vulnerability
The diagram shows the loop: WebInspect scans the application and produces a vulnerability report that identifies the vulnerable page and parameter; a vulnerability filter is generated and activated on the IPS; the IPS then blocks exploit attempts arriving from the Internet, including over SSL.
Features
• Inspection of encrypted and non-encrypted traffic (ideal for web commerce apps)
• Detailed vulnerability report of web applications
• Quick activation of vulnerability filters
Customer benefits
• Protection for custom and commercial web applications
• Elimination of the tuning required by legacy WAFs

Runtime Application Security
HP Application Security Monitor (AppSM)
What does it provide?
• AppSM Runtime: default RTA rules pre-configured in the connector detect "standard" security threats and forward them to ArcSight ESM
• Detection of standard threats, quickly integrated with HP ArcSight ESM
• AppSM Content: a simple default ArcSight ESM dashboard and reports for viewing standard threats in applications
Architecture: each web application (Web-App #1, Web-App #2) runs the AppSM Runtime (Fortify Runtime plus the AppSM rule-pack, instrumenting the target API); events flow through the HP ArcSight Syslog Connector to HP ArcSight ESM, where the AppSM Content is installed.
Features
• Malicious user behavior detected
• Events sent to the real-time correlation engine
• Active response taken
Customer benefits
• Application monitoring for applications not instrumented to create security logs
• Leverage the ESM investment to receive additional threat intelligence
• Default RTA rules pre-configured in the connector
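As an added example (not code from HP, WebInspect, TippingPoint or AppSM), the following Python sketches the two mechanisms on the slides above: a scanner finding at page-and-parameter granularity becomes a virtual-patch filter scoped to exactly that page and parameter, and a hit is reported to the SIEM as an ArcSight CEF event with the header and extension escaping the format requires. The Finding and VirtualPatch names, the SIGNATURES patterns, the sample findings and requests, and the vendor/product strings are assumptions.

```python
"""Added example, not WebInspect/TippingPoint/AppSM code: turn a scanner's
page-and-parameter finding into a virtual-patch filter, apply it to requests,
and report a hit to the SIEM in ArcSight CEF format.  The Finding/VirtualPatch
names, the signature patterns and the vendor/product strings are assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Illustrative per-class payload patterns (assumption: a product filter set is
# far richer).  They are only ever applied to the flagged page and parameter,
# which is why a virtual patch needs none of the tuning a generic WAF rule does.
SIGNATURES = {
    "sqli": re.compile(r"""['"]\s*(or|and)\s+[\w'"]+\s*=|union\s+select|;\s*drop\s""", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}


@dataclass(frozen=True)
class Finding:
    """One row of a scanner's vulnerability report."""
    vuln_class: str  # "sqli" or "xss"
    path: str        # vulnerable page, e.g. "/login"
    parameter: str   # vulnerable parameter name


@dataclass(frozen=True)
class VirtualPatch:
    finding: Finding
    pattern: re.Pattern


def build_virtual_patches(findings):
    """Auto-generate one filter per finding, scoped to that page and parameter."""
    return [VirtualPatch(f, SIGNATURES[f.vuln_class]) for f in findings]


def match_patch(patches, url, body=""):
    """Return the first patch whose page/parameter carries a matching payload,
    checking query-string and form-body values; None if the request is clean."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    for patch in patches:
        if patch.finding.path != parts.path:
            continue  # the filter is not global; other pages are untouched
        if any(patch.pattern.search(v) for v in params.get(patch.finding.parameter, [])):
            return patch
    return None


def _cef_header(field):
    """CEF header fields escape backslash and the pipe delimiter."""
    return field.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    """CEF extension values escape backslash, '=' and newlines."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(patch, src_ip, method, url, severity=8):
    """Build the CEF:0 line a syslog connector would forward to the SIEM."""
    f = patch.finding
    header = "|".join(_cef_header(x) for x in (
        "Example", "VirtualPatch", "1.0", f"vpatch-{f.vuln_class}",
        f"Blocked {f.vuln_class} against {f.path}", str(severity)))
    ext = {"act": "block", "src": src_ip, "requestMethod": method, "request": url,
           "cs1Label": "parameter", "cs1": f.parameter}
    return "CEF:0|" + header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())


# Constructed scan findings (not real scanner output).
FINDINGS = [Finding("sqli", "/login", "user"), Finding("xss", "/search", "q")]
PATCHES = build_virtual_patches(FINDINGS)


def classify(method, url, body=""):
    """Return the CEF event for a blocked request, or None if it passes."""
    patch = match_patch(PATCHES, url, body)
    return to_cef(patch, "203.0.113.7", method, url) if patch else None


if __name__ == "__main__":
    for req in [("GET", "/login?user=admin'%20or%20'1'%3D'1", ""),
                ("GET", "/login?user=alice", ""),
                ("POST", "/search", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
                ("GET", "/search?user=admin'%20or%20'1'%3D'1", "")]:
        print(req[0], req[1], "->", classify(*req) or "pass")
```

The fourth request carries the same injection string but against a page/parameter the scanner did not flag, so the virtual patch lets it through: that scoping is what keeps false positives (and the tuning) down compared with a generic WAF signature, and it is also why the patch must be regenerated after every rescan.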
Reputation-based Threat Intelligence
HP Reputation Security Monitor (RepSM)
What does it provide?
• Enables security operations to leverage global threat intelligence to detect and protect against APTs
Reputation data (bad IPs and DNS names) comes from submissions by the global security community and from HP TippingPoint RepDV, and is fed to the SIEM for real-time correlation.
Features
• Intelligence fed to the SIEM for real-time correlation
• Active response taken in response to malicious activity
• Detects and prioritizes advanced persistent threats (APTs) through correlation of suspicious enterprise-wide activity
• Enables security operations to respond to unknown attacks with manual or automated actions
Customer benefits
• Identifies APTs that go undetected by signature-based security controls
• Improves SOC efficiency by reducing false positives through correlation

HP ArcSight and Operations Management
360º view of security and IT events
What it is
• Bi-directional integration between OM/OMi/NNMi and HP ArcSight ESM/Logger via SmartConnectors: security events (FW, VPN, IPS, AV, OS, database, application, etc.) from apps, laptops, servers, databases and networks on one side, and operational metrics (CPU, memory, I/O, storage, latency, fan speed, temperature, HA, etc.) on the other
Benefits
• Complete visibility into anomalies and threats
• Single pane of glass view of security, compliance and IT operations
• Reduced gap between NOC and SOC
• Security and compliance related KPIs in IT operations service health dashboards
• Automate business processes and workflows to enable effective business risk management
The secret sauce: security and threat research

Security solutions backed by global security research
• Ecosystem partners: SANS, CERT, NIST, OSVDB, software and reputation vendors
• 1,650+ researchers
• 2,000+ customers sharing data
• Leading security research: continuously finds more vulnerabilities than the rest of the market combined
• Collaborative effort of market-leading teams: DVLabs, ArcSight, Fortify, HP Labs, Application Security Center, ESS, FSRG
• Collects network and security data from around the globe

HP Global Research
• Collect network and security data from around the globe
• Specific research within TippingPoint, Fortify and ArcSight

Leading Security Research

Recognized security research leader
Frost & Sullivan Market Share Leadership Award for Vulnerability Research: analysis of vulnerabilities by severity. Key takeaway: HP TippingPoint continues to lead in critical-severity vulnerability disclosures, three years in a row. At any time, 200 to 300 zero-day vulnerabilities are known only to HP.
Note: All figures are rounded. The base year is CY 2011. Source: Frost & Sullivan analysis.

Leading Security Research
Discovers 4-6 times more software vulnerabilities than other IPS and NGFW vendors.
[Charts: "2011 Adobe & Microsoft Vulnerability Acknowledgements" and "2007-2011 Adobe & Microsoft Vulnerability Acknowledgements", bar charts by vendor (Adobe, MSFT), compiled from publicly available data on the Adobe and Microsoft advisory pages; a third chart survives only as its axis ticks and the label "2013".]
Focused on security research with real-world application.

Taking a look at a real world example

APT: Definition
Advanced Persistent Threat (APT): a well-funded and skilled attacker (or team) with profound knowledge of the target and a long-term infiltration strategy. Once the target is infiltrated, the highest priority is to stay covert and exfiltrate as much sensitive and valuable data as possible, or to damage the target organization effectively and sustainably. Because the stakes are high, the attackers keep trying until they succeed.

APT: Use Case Overview
1. The attacker identifies target individuals on social network web sites for a spear phishing attack.
2. The attacker crafts a malicious PDF document carrying an Adobe 0-day exploit and links it into the spear phishing email(s).
3. The victim clicks on the PDF link and the application/host gets infected. The attacker uploads more tools to the owned host.
4. The attacker searches for "waypoints" or "jump hosts" for privilege escalation and to obscure the source of the activity.
5. The attacker exploits vulnerabilities on the waypoint host and/or uses gathered privileged credentials to make it the main platform.
6. Via the waypoint host, the attacker gathers sensitive data from the backend databases.
7. The attacker compresses, encrypts and segments the data and exfiltrates it via a covert channel over a long period of time ("slow and low").
(Diagram: Attacker, Victim, Corp. network, Critical asset.)

Solution Demo

Why HP Enterprise Security
• Build it in: harden the attack surface to improve and reduce the vulnerability profile of enterprise applications and systems
• Make it intelligent: improve risk management and response by turning information into intelligence to more quickly see, find and stop known and unknown threats
• Protect what matters: proactively protect information by finding, understanding and protecting sensitive information across the enterprise
Delivered through security technology, security consulting, managed security services, and security research and intelligence.

Thank you
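The RepSM slide (reputation data correlated in the SIEM) and step 7 of this use case (segmented data leaving over a covert channel, slow and low) call for the same detection logic, so here is one added example serving both. It is Python written for this page, not ArcSight or RepSM code: it parses a constructed connection log, matches destinations against a constructed reputation feed (CIDR-aware), looks for many small, evenly spaced flows from one host to one destination over a long span, and ranks internal hosts by how many rules fired. The log format, the feed entries, the thresholds and the scoring are all assumptions.

```python
"""Added example, not HP ArcSight/RepSM code: correlate connection logs
against a reputation feed and look for the slow-and-low exfiltration pattern
from the APT use case.  The log format, the feed contents, the thresholds and
the scoring are all assumptions."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reputation feed (bad IPs and ranges); not RepDV data.
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.66/32")]

# Constructed connection log: one line per outbound flow.
BASE = datetime(2013, 5, 20, 9, 0)
LOG = [  # host .3 beacons every 10 minutes, ~4 KB per flow, to a listed address
    f"{(BASE + timedelta(minutes=10 * i)).isoformat()} src=10.1.2.3 "
    f"dst=198.51.100.20 dport=443 bytes_out={4000 + (i % 3) * 50}"
    for i in range(8)
] + [
    "2013-05-20T09:05:00 src=10.1.2.9 dst=203.0.113.5 dport=443 bytes_out=52428800",  # one big backup
    "2013-05-20T09:07:00 src=10.1.2.7 dst=203.0.113.66 dport=80 bytes_out=900",       # single listed-IP hit
    "2013-05-20T09:12:00 src=10.1.2.4 dst=93.184.216.34 dport=443 bytes_out=3100",    # ordinary browsing
    "2013-05-20T11:40:00 src=10.1.2.4 dst=93.184.216.34 dport=443 bytes_out=2800",
]

LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)")


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return events


def reputation_hits(events):
    """Rule 1: any flow to an address in the feed (CIDR-aware match)."""
    return [e for e in events
            if any(ipaddress.ip_address(e["dst"]) in net for net in BAD_NETWORKS)]


def slow_and_low(events, min_flows=6, max_bytes=8192, min_hours=1.0, max_jitter=0.25):
    """Rule 2: (src, dst) pairs with many small, evenly spaced flows over a long span.
    A single large transfer is not flagged; neither is a short burst."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    flagged = {}
    for pair, flows in by_pair.items():
        flows.sort(key=lambda e: e["ts"])
        if len(flows) < min_flows or max(e["bytes"] for e in flows) > max_bytes:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(flows, flows[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap   # 0.0 means perfectly periodic
        span_hours = (flows[-1]["ts"] - flows[0]["ts"]).total_seconds() / 3600
        if span_hours >= min_hours and jitter <= max_jitter:
            flagged[pair] = {"flows": len(flows), "total_bytes": sum(e["bytes"] for e in flows),
                             "span_hours": round(span_hours, 2), "jitter": round(jitter, 3)}
    return flagged


def prioritise(events):
    """Correlate: one point per rule that fired for an internal host, so a host
    that both talks to a listed address and beacons to it ranks above a host
    that merely touched a listed address once."""
    reasons = defaultdict(list)
    for e in reputation_hits(events):
        if "reputation" not in reasons[e["src"]]:
            reasons[e["src"]].append("reputation")
    for (src, _dst) in slow_and_low(events):
        if "slow_and_low" not in reasons[src]:
            reasons[src].append("slow_and_low")
    return sorted(reasons.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    for host, why in prioritise(parse(LOG)):
        print(host, why)
```

Neither rule alone is a good alert: a single contact with a listed address is often a false positive, and periodic small flows are also what software updaters and monitoring agents produce. Requiring both on the same host is the correlation the slide is describing; in practice the jitter and volume thresholds would be tuned per environment and the "ordinary browsing" destinations whitelisted.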