
Tech Day: Early Warning and Managed Security Services



Presentation Transcript


  1. Tech Day: Early Warning and Managed Security Services. Sean B. Murphy, CISSP, Senior Systems Engineer. 24 January 2006

  2. Agenda
  • 1. Your challenges
  • 2. DeepSight Early Warning Services
  • 3. Managed Security Services

  3. Mitigating risk and proactively protecting your business becomes more challenging every day.

  4. Symantec Security Blueprint (diagram). Domains shown: Application Development Processes, Perimeter Defense, Wireless, Authorization & Access Control, Network Design, Network Components, Authentication Solutions, Virus Protection, Secure Programming, Infrastructure Security, Directory Services, Product Security, Application Security, Operating Systems, Data Integrity, Privacy, Confidentiality & Segmentation, Secure Builds & Host Hardening, Partner & Third Party Integration, Cryptography & Encryption, Storage Solutions, Monitoring & Logging, Provisioning & Implementation, Digital Forensics, Secure Operations, System Administration, Incident Response & Readiness, Configuration Management, Assessment & Compliance, Physical Security, Business Continuity, Corporate Security Policy, Remote Access Services, Security Strategy, Training & Awareness, Roles & Responsibility, Employee Exit Processes, Internal Threat Profiling, Secure Organization, Hiring & Screening, Organizational Security Maturity, Employee Change Management

  5. Malicious Code: Worms, Viruses & Trojans
  • More targeted
  • Malware has grown 2.4x; 1H05 nearly equals all of 2004
  • There have been only 5 Category 3 events in '05
  • There have been only 7 Category 3 events in the last 9 months

  6. Faster, More Aggressive Attacks
  • New vulnerabilities are being exploited more quickly
  • Faster exploitation requires better patch management policies
  • More attacks are targeting new vulnerabilities
  Time from vulnerability disclosure to worm:
  • January 2003: Slammer, vulnerability 6 months old
  • August 2003: Blaster, vulnerability 26 days old
  • May 2004: Sasser, vulnerability 18 days old
  • August 2005: Zotob and Esbot, vulnerability 5 days old

  7. New Vulnerabilities • Over 14,000 vulnerabilities documented in the Symantec vulnerability database • 2664 new vulnerabilities discovered in 2004; 1869 in first half of 2005 • 70% of vulnerabilities can be exploited with little or no coding knowledge • Malicious code threats today are largely synonymous with software vulnerabilities and vice versa Source: Symantec Vulnerability Database

  8. DeepSight Early Warning Services

  9. Global Intelligence Network: Unmatched Insight
  • 5 Symantec SOCs
  • 11 Symantec Support Centers
  • 6 Symantec Security Response Labs
  • 61 Symantec Monitored Countries
  • 20,000 Registered Sensors in 180 Countries
  • Customers + Consulting & Education
  Locations shown on the map: Calgary, Canada; Dublin, Ireland; Springfield, OR; Tokyo, Japan; Waltham, MA; San Francisco, CA; London, England; Redwood City, CA; Munich, Germany; Alexandria, VA; Taipei, Taiwan; Santa Monica, CA; Newport News, VA; Orem, UT / American Fork, UT; Sydney, Australia

  10. DeepSight Alert Services • Customized vulnerability and malicious code alerts • Version-specific alerting • Over 4,600 products • Over 18,000 versions • From over 2,200 vendors • Comprehensive, prioritized alerts • In-depth analysis and attack mitigation strategies • Patches and workarounds • Automated delivery of actionable information • Powerful Research Capabilities

  11. DeepSight Threat Management System • Global threat landscape • View of global attack activity including source data • Early warning of global attacks, worms, blended threats • Notifications personalized to your industry, technologies and more • Automated alerting of emerging threats • Complete, credible analysis and risk assessment, including countermeasures to mitigate attacks

  12. DeepSight Threat Management System Overview
  DeepSight Attack Correlation Engine & Database, fed by Symantec Security Response threat analysts and DeepSight data partners:
  • Over 20,000 sensors in over 180 countries registered to upload IDS and firewall information
  • 500 MSS customers
  • 120 million AV systems
  • Attack Quarantine System
  • Almost 16 billion events
  • Over 160 million attack source IP addresses
  • In-depth expert analysis and investigation

  13. 2+ Days Early Warning: Symantec DeepSight Customers on Alert for the Zotob.E and Esbot.A Worms
  DeepSight timeline:
  • 2005.08.09: Alert Services: Multiple Microsoft vulnerabilities. TMS: ThreatCon raised to 2; Threat Alert on the MS PnP buffer overflow vulnerability
  • 2005.08.12: Alert Services: Additional exploits available
  • 2005.08.13: TMS: Daily Report; TMS observed exploit activity in the DeepSight honeypot
  • 2005.08.14: Alert Services: Zotob.A worm alert. TMS: Threat Alert on bot networks using the PnP vulnerability
  • 2005.08.15: Alert Services: Esbot.A worm alert, Risk 2
  • 2005.08.16: Alert Services: Zotob.E and Esbot.A worms raised to Risk 3. TMS: ThreatCon raised to 2; alert on the worms

  14. Managed Security Services

  15. Service Delivery Philosophy
  • Be a trusted extension of the client's security organization
  • Focus on the large enterprise's unique problems and service requirements
  • Extend world-class monitoring throughout the enterprise
  • Build trust through operational transparency

  16. Critical Service Components: Audits & Certifications, People, Stability, Technology, Defense In Depth, Customer Service, Process, Intelligence, Market Leadership, Return on Investment, Infrastructure, Flexibility

  17. Management & Monitoring Services
  Security Monitoring
  • Incident Analysis: Analyze security data to detect and respond to signs of malicious activity. Perform data aggregation, normalization, data mining and correlation. Validate incidents and assess their impact on the enterprise.
  • Incident Escalation: Escalate actionable incidents. Industry-leading escalation SLA. Flexible escalation procedures to fit enterprise requirements.
  • Rapid Response to Outbreaks: Update processes, technology and expertise for emerging threats and trends. Provide early warning to the client of emerging threats.
  Security Management
  • Fault Management: Monitor devices for faults, performance and availability. Restore service availability. Identify and eliminate the root cause of faults and outages.
  • Change Management: Routine and emergency changes to business-critical security devices. Performance-based SLA for changes. Secure in-band and out-of-band management. Configuration backup (for quick rebuilds).
  • Release/Lifecycle Management: Routine product updates. Emergency patches.

  18. Defense in Depth: Edge to Endpoint Protection
  Inputs: global intelligence data, vulnerability scan data
  Monitored layers: Router, Firewall, Integrated Security Appliance, Network IDS/IPS, Host IDS/IPS

  19. Analysis Methodology
  • Incident assessment follows a mature assessment methodology
  • Leverage intelligence on new threats
  • Obtain a second opinion if required
  • Follow internal published handling guidelines
  • Context is critical for accurate validation and severity assessment: global trends, enterprise details, attack details, vulnerability results
  Inputs to the analysis: Critical Servers, Global Trends, Client Vulnerabilities, Firewall & IDS Logs, Known False Positives

  20. Data Reduction and Expert Analysis (funnel)
  • INFRASTRUCTURE: 950 million logs and alerts received
  • INTELLIGENCE: 650,000 potential events detected
  • TECHNOLOGY: 14,500 events created
  • PEOPLE: 3,100 incidents validated
  • PROCESS: 65 severe events escalated
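The pipeline that slides 17, 19 and 20 describe (normalize, aggregate, validate against known false positives, enrich with client vulnerabilities, critical-server inventory and global threat intelligence, then escalate by severity) can be sketched end to end. The following is an added illustration written for this transcript, not Symantec code and not a description of how DeepSight or the Symantec SOC actually implemented it. The log format, the hostnames and addresses, the signature names, the context tables and the 0-4 severity scale are all constructed for the example.

```python
"""Toy SOC triage pipeline: normalize -> aggregate -> validate -> enrich -> escalate.

Added example; the log format and all context data below are constructed.
"""
import re
from collections import defaultdict

# --- Constructed raw telemetry (firewall denies and IDS alerts) ---------------
RAW_LOGS = [
    'FW 2005-08-14T03:12:01 DENY src=203.0.113.5 dst=10.0.0.20 dport=445',
    'FW 2005-08-14T03:12:02 DENY src=203.0.113.5 dst=10.0.0.21 dport=445',
    'FW 2005-08-14T03:12:03 DENY src=203.0.113.5 dst=10.0.0.22 dport=445',
    'IDS 2005-08-14T03:12:05 sig="MS PnP buffer overflow" src=203.0.113.5 dst=10.0.0.22 dport=445',
    'IDS 2005-08-14T03:15:00 sig="SMB null session" src=10.0.0.99 dst=10.0.0.22 dport=445',
    'IDS 2005-08-14T03:20:00 sig="MS PnP buffer overflow" src=198.51.100.7 dst=10.0.0.50 dport=445',
    'garbage line that does not parse',
]

# --- Constructed enterprise and global context (the "inputs" on slide 19) ----
CRITICAL_SERVERS = {"10.0.0.22"}                              # asset inventory
CLIENT_VULNS = {"10.0.0.22": {"MS PnP buffer overflow"}}      # vuln scan; 10.0.0.50 is patched
KNOWN_FALSE_POSITIVES = {("10.0.0.99", "SMB null session")}  # authorised internal scanner
GLOBAL_ACTIVE_EXPLOITS = {"MS PnP buffer overflow"}           # global intel: exploit seen in the wild

LOG_RE = re.compile(
    r'^(?P<kind>FW|IDS) (?P<ts>\S+) (?:DENY |sig="(?P<sig>[^"]+)" )'
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$')


def normalize(line):
    """Parse one raw line into a common schema; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    if ev["sig"] is None:                      # firewall denies carry no signature
        ev["sig"] = f"firewall deny tcp/{ev['dport']}"
    return ev


def aggregate(events):
    """Data reduction: collapse events into (source, signature) groups with counts and targets."""
    groups = defaultdict(lambda: {"count": 0, "targets": set()})
    for ev in events:
        g = groups[(ev["src"], ev["sig"])]
        g["count"] += 1
        g["targets"].add(ev["dst"])
    return groups


def assess(src, sig, group):
    """Validate one group against context. Returns (severity 0-4, reason); 0 = suppressed."""
    if (src, sig) in KNOWN_FALSE_POSITIVES:
        return 0, "known false positive"
    if sig.startswith("firewall deny"):
        return 1, f"blocked probe of {len(group['targets'])} hosts"   # recon, not an incident
    vulnerable = sorted(t for t in group["targets"] if sig in CLIENT_VULNS.get(t, set()))
    if not vulnerable:
        return 1, "targets not vulnerable per scan data"
    sev, reason = 2, f"vulnerable targets {vulnerable}"
    if any(t in CRITICAL_SERVERS for t in vulnerable):
        sev, reason = sev + 1, reason + "; critical server"
    if sig in GLOBAL_ACTIVE_EXPLOITS:
        sev, reason = sev + 1, reason + "; exploit active globally"
    return sev, reason


def triage(raw_lines, escalate_at=3):
    """Run the pipeline; return incidents sorted by severity plus the funnel counts."""
    events = [ev for ev in map(normalize, raw_lines) if ev]
    incidents = []
    for (src, sig), g in aggregate(events).items():
        sev, reason = assess(src, sig, g)
        if sev == 0:
            continue
        incidents.append({"src": src, "sig": sig, "count": g["count"], "severity": sev,
                          "reason": reason, "escalate": sev >= escalate_at})
    incidents.sort(key=lambda i: -i["severity"])
    funnel = {"logs": len(raw_lines), "events": len(events),
              "incidents": len(incidents), "escalated": sum(i["escalate"] for i in incidents)}
    return incidents, funnel


if __name__ == "__main__":
    incidents, funnel = triage(RAW_LOGS)
    print(funnel)
    for i in incidents:
        print(i["severity"], i["src"], i["sig"], i["reason"], "ESCALATE" if i["escalate"] else "")
```

The point the example makes is the one on slide 19: the same IDS signature is a severity-4 escalation when it hits an unpatched critical server while the exploit is known to be active globally, an informational note when scan data says the target is patched, and nothing at all when the source is a known internal scanner. The funnel counts returned by triage() are the seven-line analogue of the 950 million-to-65 reduction on slide 20.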

  21. Return on Investment Approximately 87% of clients with tenure of more than six months successfully avoided experiencing a severe attack.

  22. Secure Internet Interface (the portal)

  23. Unmatched Perspective & Insight

  24. Thank You! sean_murphy@symantec.com
