Alert Logic - PowerPoint PPT Presentation
Presentation Transcript
Alert Logic

The Path to Compliance

September 2011

Agenda
  • State of the security market
    • Organized Cybercrime
    • Common Attack Methodology
  • Compliance defined
    • The Compliance Two-Step
    • The Obligatory Response
  • A Security First Approach
  • Real World Examples
Recent Attacks

May 4, 2009 Virginia Prescription Monitoring Program, Richmond Virginia

Compromised Records: 531,400

Type of Attack: Outside Hacker

Outcome: Attacker is still at large. The State notified 531,400 people of the breach by letter.

November 10, 2010 Holy Cross Hospital, Ft. Lauderdale Florida

Compromised Records: 44,000 (1500 Confirmed)

Type of Attack: Internal Employee gained access to server

Outcome: Employee was fired and arrested. 5 other suspects have been charged.

February 10, 2011 Texas Children’s Hospital, Houston Texas

Compromised Records: 19,264

Type of Attack: Malware

Outcome: Attacker is still at large. All patients were notified by letter.

2010 Data Breaches

*Statistics from 2010 Verizon Business Data Breach Investigation Report

Cybercrime Market

The Numbers

  • Global computer crime market estimated to be $7B in 2010 [1]
  • Russia responsible for $2.5B
  • Growing ~35% per year overall

Interesting Trends

  • Increase of specialization of participants
  • On-Demand and Pay-Per-Use services
  • Developing C2C market

[1] Group-IB Report, 2010

How it Works – The Business Model

[Diagram from the slide: the actors are the Cybercrime Group, the Distributor, the Victims and the Black Market; the numbered steps between them are]

  1. Purchase Malware Pack
  2. Register With Cybercrime Group
  3. Infect Users, P2P seeding, XSS
  4. Infected Users Send Data to Group
  5. Data Sold Wholesale
  6. Payment Made

Traditional Attacks

Hacker Profile

  • Talented individual
  • Young, bored

Motivation

  • To prove a point
  • Curiosity
  • Credibility

Attack Methods

  • Worms targeting memory vulns in network services
  • Attack payload not usually customized
Modern Attack Profile

Hacker Profile

  • Organized Crime (84%)
  • Dedicated teams who are paid
  • Teams often work for criminal organizations as a career

Motivation

  • Targeted attack for financial gain
  • Desire anonymity

Attack Methods

  • Vulnerable web applications
  • Client side applications
  • Malware used to keep control
Delivery/Attack Surface
  • Cross Site Scripting
    • Most sites are vulnerable
    • Easy to find and users trust the websites
  • SQL Injection
    • Easy to find
    • Very common

Source: Veracode State of Software Security Report, April 2011

Security and Compliance Management is Becoming More Difficult Every Day

Increasing number and sophistication in security threats

  • Improved organization and sophistication of attackers
  • Prolonged and persistent targeting with compressed timelines to react
  • Rise of contaminated spam, botnets, and social engineering for malicious breaches

Increasing complexity in maintaining compliance

  • Continuous updates in requirements and reporting standards
  • Adoption of new regulatory compliance standards
  • Manual and laborious processes

Increasing cost to support and maintain (HW, SW, FTEs)

  • Training on the latest compliance requirements and security threats
  • Updating, patching, and maintaining software, scripts, and processes
  • Rollout of new HW/SW to keep up with increased demand
Complicated and Costly Compliance Picture for Healthcare
  • Implement People, Process, & Technology for Compliance
    • HIPAA §164.308 Administrative safeguards
    • HIPAA §164.312 Technical safeguards
  • Penalties for EMR Non-Compliance Coming into Effect
    • Penalties and Fees up to $1.5M for neglect
    • Data Breach Notification to HHS and Local Media for breaches >500 patients
  • What about PCI compliance?
    • PCI applies to every entity that stores, processes, or transmits cardholder information
    • Patient billing, pharmacy, etc.
The Ugly Truth
  • Compliance is the output of post-mortem
    • Some organization did not secure their data, and now everyone else must deploy solutions, software, policies, and guidelines
  • Compliance will always be a step behind the latest threat
  • Compliance will NEVER mean you are secure
  • Compliance mandates will continually be expanded, as hospitals, insurance companies, and other health care resources experience breaches, privacy violations, and security issues
The Compliance Two-Step
  • Organizations continue to check the compliance box and then struggle to maintain compliance
  • IDS, Log Management and Vulnerability Scanning are the most expensive and resource intensive – and also the most difficult for organizations to implement and maintain
  • Attacks are not being detected in an acceptable time
  • Organizations that achieve compliance are able to protect their patient data
  • Companies will continue to fail to achieve compliance due to lack of time, budget, and technical resources
The Obligatory Response

Protective Technical Controls

  • Firewalls
  • Routers
  • Antivirus
  • System Patching
  • Complex Passwords
  • Data Access Controls
  • Whole Disk Encryption
  • VPNs
Analyzing the Facts
  • Companies aren't detecting attacks in an effective way
    • Why? Chasing false alarms, other priorities, etc…
  • Companies are not focusing on continuous security
    • Too many companies check a box and move on
  • Companies must review log data
    • Companies need to be more vigilant in this area
  • Most of the 99% of breaches could have been caught
    • With effective intrusion detection systems, log management and vulnerability assessment
Common Trends
  • Strong push towards SaaS and MSSPs to augment their staff
  • Some are looking towards cloud-based technologies to reduce technology expenditures
  • Moving away from general standards like HIPAA and SOX towards PCI and DISA Standards
  • Deploying centralization solutions to tie together their compliance efforts
  • Using GRC tools
Defending Users

AV Isn’t Enough

  • Malware evolves ahead of AV signatures

Education

  • At least half of the executables on P2P networks are infected
  • Don’t install software from untrusted sources
  • Safe browsing
  • Flash drives
Infrastructure Defense

Close your Perimeter (egress too!)

Patch your systems

Vulnerability scanning

  • Automated vuln scans & review them regularly

IDS

  • Attempted botnet communication, network scans
  • Propagation over RPC exploits, brute forcing Windows shares

Log Management

  • Account lockouts due to brute force
  • Proxy logs

WAF

Use Case #1: Security Issues and Identity Theft
  • Scenario
      • One of your system administrators returned from a two-week vacation and was unable to login
      • He believes his account has been locked out, but he’s not sure why
  • Key Questions to Answer:
      • Why is the account locked out?
      • Where did the lock out occur?
      • When did it occur?
      • How did it occur?
Effective Log Management Can Prevent Breaches and Provide Compliance
  • Breached customer records cost businesses an average of $202 per record in 2009 [1]
  • “86% of victims had evidence of the breach in their logs…”
    • “in most attacks, the victim has several days or more before data was compromised.” [2]

[Flow diagram from the slide] Breach or Malicious Activity -> Suspicious Log Activity -> Intrusion or Penetration -> IT alerted

Without Log Management: IT is alerted too late.

With Log Management: Log collection and monitoring detects the activity and sends an alert; the SOC is alerted and security containment steps are executed; the breach is avoided.

Compliance and Security Simplified: Security Issues and Identity Theft

Key Compliance and Security Activities: Monitoring, Investigating, Alerting

Without Log Management (Issues: Manual & Timely, Expensive, Reactive)

  • Log in to a domain controller. Examine the AD object for the user to determine the time of lock-out. Review the logs on each domain controller manually.
  • Log in to a domain controller daily. Create a filter on the username every day, and review the logs. Repeat the process for every domain controller.
  • Wait for the System Admin to call if their account is locked out again.

With Log Management

  • Common index with search capabilities.
  • Automated alerting and notification.
  • Regular reporting and forensics.
Use Case #2: Audit Resolution Challenges
  • Scenario
      • A new policy is initiated to require any new Domain Administrators to only be added by the Security Department
      • A few weeks later, a routine audit discovers some new members in the Domain Admin Group
  • Key Questions to Answer:
      • When were these users added?
      • Who added them?
      • Who was added?
Compliance and Security Simplified: Audit Resolution Challenges

Key Compliance and Security Activities: Monitoring, Investigating, Alerting

Without Log Management (Issues: Manual & Timely, Expensive, Reactive)

  • Log in to a domain controller. Review the logs for group changes. Hope the logs are still on the system and have not rolled over. Repeat for each DC.
  • Log in to a domain controller daily. Review the Domain Admins group and verify no one has been added or removed since the last review.
  • Wait for the System Admin to call if their account is locked out again.

With Log Management

  • Search on the Group Member Added event and filter on Domain Admins.
  • Save the view and have the report emailed on a regular basis.
  • Build an automated alert to notify when users are added, removed, or changed.
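The two use cases above both come down to pulling one Security-log event from every domain controller, because a lockout or a group change is recorded only on the DC that processed it. The following script is an added example, not Alert Logic's code or anything from the deck; it assumes the RSAT ActiveDirectory module, remote read access to each DC's Security log, the Account Lockout and Security Group Management audit subcategories enabled, and a constructed sample user name.

```powershell
# Added example (not from the Alert Logic deck). Answers the use-case questions directly from
# the Windows Security log on every DC:
#   4740 = "A user account was locked out"  (use case #1: where, when, from which machine)
#   4728 = "A member was added to a security-enabled global group" (use case #2; Domain Admins is global)
# Assumptions: RSAT ActiveDirectory module, rights to read each DC's Security log remotely,
# and the relevant audit subcategories enabled. The sample user name is constructed.
param(
    [string]$User  = 'jdoe',            # constructed sample account (use case #1)
    [string]$Group = 'Domain Admins',   # group watched in use case #2
    [int]$Days     = 14                 # the admin was away for two weeks
)
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-$Days)

function Get-DcEvents {
    # Query one event ID on every DC and flatten the EventData fields into named properties,
    # which is safer than relying on Properties[] positions that differ between event IDs.
    param([int]$Id)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $since }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
          ForEach-Object {
            $data = @{ DC = $dc; Time = $_.TimeCreated }
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]$data
          }
    }
}

# Use case #1: why/where/when was the account locked out? In event 4740 the TargetDomainName
# field carries the "Caller Computer Name", i.e. the host the bad passwords came from.
Get-DcEvents -Id 4740 | Where-Object TargetUserName -eq $User |
    Select-Object Time, DC, @{ n = 'CallerComputer'; e = { $_.TargetDomainName } } |
    Sort-Object Time | Format-Table -AutoSize

# Use case #2: who was added to Domain Admins, by whom, and when?
Get-DcEvents -Id 4728 | Where-Object TargetUserName -eq $Group |
    Select-Object Time, DC, @{ n = 'AddedBy'; e = { $_.SubjectUserName } },
                            @{ n = 'Member';  e = { $_.MemberName } } |
    Sort-Object Time | Format-Table -AutoSize
```

Scheduling this script (or the equivalent saved search in a log manager) and alerting on any row returned by the 4728 query is the automated form of the "With Log Management" column.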
Use Case #3: Hacker/Attacker
  • Scenario
      • For several weeks your network has been running slow
      • Some systems have been performing abnormally and there are new user accounts that cannot be tied back to a particular user
      • Suddenly, you receive an odd e-mail from an alleged hacker who claims to have access to sensitive patient files
  • Key Questions to Answer:
      • Have you been hacked?
      • If so, when did it begin?
      • How would you respond?
      • Should you notify the media?
Compliance and Security Simplified: Business Critical Applications

Key Compliance and Security Activities: Monitoring, Investigating, Alerting

Without Intrusion Detection (Issues: Manual & Timely, Expensive, Reactive)

  • Log in to the firewall/VPN gateway and look through the logs (if it can store the logs). Look for disconnect messages, errors, etc.
  • Log in to the VPN. Search inside the VPN disconnect messages. See what time the disconnect occurred and all errors related to the VPN session.
  • Wait for the Network Engineer to log in and discover it is down.

With Intrusion Detection

  • Use logs to search for suspicious messages, account creation, and firewall messages.
  • Use IDS to look for attack attempts.
  • Focus efforts on actionable security incidents.
With Complicated Threats, There is a Need for Security Expertise

Lots of point solutions, but difficult to consume all the data

It is nearly impossible to be aware of all forms of attacks and attack-responses, and perform all the other functions expected relating to daily operations

[Flow diagram from the slide] Breach or Malicious Activity -> Suspicious Log Activity -> Intrusion or Penetration -> IT alerted

Without IDS: IT is alerted too late.

With IDS: Log collection and monitoring detects the activity and sends an alert; security containment steps are executed; the breach is avoided.

Meeting the Challenges Head On
  • Move from manual to automated log management
    • Keys to success: effective and sustainable log management and review
  • Choose a vulnerability assessment solution that aligns with your network
    • Keys to success: centralized view and remediation knowledge
  • Select an intrusion protection solution that doesn’t require costly implementation, configuration and management
    • Keys to success: Implement a solution that adapts to your network security policies and minimizes the work load of your resources
Who is Alert Logic?

Founded: 2002

Customers: 1,200+, spanning 3 continents

Staff: 100+

Service Renewal Rate: ~99%

Experienced Management

Profitable w/ Strong Balance Sheet

Patented SaaS Products

Integrated Services

Log Manager

Threat Manager

LogReview

ActiveWatch

  • Easy to implement and deploy
  • Flexible and Scalable
  • 24x7 Security Operations Center
  • GIAC-certified security analysts
  • Improve security and threat visibility
  • Meet compliance requirements
  • Lower, more predictable costs
  • Quicker Time-to-Value

Delivering measurable customer benefits

Contact
  • Mark Brooks
  • mbrooks@alertlogic.com