Quocirca 2012
Slide 3 of 27
Figure: DLP, IDS/IPS, Encryption
ASI capabilities
Central policy and intelligence engine
Long-term storage of IT intelligence data
Access to/use of data from external data sources
Real-time, big data processing capability
Advanced correlation of data and events
Clear association of events with users
Timely intelligence and insight to act and/or warn
Learn from past experience and improve future responses
Intuitive interface
ASI sources 1
IT infrastructure: network devices, security devices, servers, user end-points, SCADA
Access data: databases, business applications, email records, web access data, other data access information
ASI sources 2
Vulnerability data: 3rd party feeds, software integrity information, known malware
User information: user records, access rights, privileged access rights, third party access rights, machine access rights
ASI sources 3
Other data: change control systems, locational data, regulatory/standard information, industry bodies, social media feeds, weather, time
Many of the ASI examples that follow help drive compliance goals
Inputs: server activity logs, network data, IP geolocation data
Alert: unusual server behaviour and network traffic
Result: unknown malware identified and thwarted; deeper penetration of network prevented
Inputs: approved/restricted external resources, class of data
Policy: classified data cannot be copied to certain locations
Result: non-compliant storage of data prevented
Data protection, the court of public opinion: In terms of keeping your records safe, how trustworthy do you feel the following organisations are?
Figure: remote IP address; later attempt to copy data to same IP address
Inputs: server access logs, firewall log
Alert: likely successful hack
Result: data theft prevented
Inputs: IP geolocation, mobile geolocation, time, user access logs
Alert: inconsistent access request
Result: hack prevented or uncovered
External access: the growing need to open up applications and data to outsiders
Do you have a requirement to share data stored on your IT infrastructure with outsiders/third parties?
Inputs: database access logs, IDs of resources requesting access
Policy: database only accessed via given application
Result: hack prevented or uncovered
Inputs: door entry system log, SCADA access log
Policy: physical presence of individual required to access SCADA system
Result: unauthorised attempt to change systems prevented (e.g. STUXNET)
Inputs: change control database, server activity log
Policy: sys-admin change only allowed if approved change control ticket in place
Result: unauthorised sys-admin change prevented
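The two policy-driven correlations above (SCADA access requires a badge-in to the control room; sys-admin changes require an approved change-control ticket) can be expressed as simple rules over the named log sources. The following is an added example, not code from the Quocirca deck; the log records, field names, host names and the 4-hour presence window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the slides). Times are ISO-8601, same clock.
BADGE_LOG = [   # door entry system log: who badged into which zone, and when
    {"user": "alice", "zone": "control-room", "time": "2012-06-01T08:55:00"},
]
SCADA_LOG = [   # SCADA access log: logins to the control system
    {"user": "alice", "time": "2012-06-01T09:02:00"},  # badged in 7 minutes earlier
    {"user": "bob",   "time": "2012-06-01T09:10:00"},  # no badge-in on record
]
TICKETS = [     # change control database: approved change windows per host
    {"host": "db01", "approved": True,
     "start": "2012-06-01T22:00:00", "end": "2012-06-02T02:00:00"},
]
ADMIN_CHANGES = [   # server activity log: privileged configuration changes
    {"host": "db01", "user": "carol", "time": "2012-06-01T23:15:00", "action": "service restart"},
    {"host": "db01", "user": "dave",  "time": "2012-06-01T14:30:00", "action": "edit sshd_config"},
]

def _t(s):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(s)

def scada_without_presence(scada_log, badge_log, window=timedelta(hours=4), zone="control-room"):
    """Policy: physical presence required. Return SCADA logins for which the same
    user has no badge-in to `zone` within `window` before the login."""
    alerts = []
    for ev in scada_log:
        t = _t(ev["time"])
        present = any(
            b["user"] == ev["user"] and b["zone"] == zone
            and t - window <= _t(b["time"]) <= t
            for b in badge_log
        )
        if not present:
            alerts.append(ev)
    return alerts

def changes_without_ticket(changes, tickets):
    """Policy: approved ticket required. Return sys-admin changes with no approved
    change-control ticket covering that host at the time of the change."""
    alerts = []
    for ch in changes:
        t = _t(ch["time"])
        covered = any(
            tk["host"] == ch["host"] and tk["approved"]
            and _t(tk["start"]) <= t <= _t(tk["end"])
            for tk in tickets
        )
        if not covered:
            alerts.append(ch)
    return alerts
```

Run against the constructed records, the first rule flags bob's SCADA login and the second flags dave's mid-afternoon change; alice and carol pass because a badge-in and an approved window respectively cover them.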
Figure: backup not completed
Inputs: server activity log, primary storage read log, backup storage write log
Warning: scheduled backup failed
Result: potential disaster recovery problem averted
Conclusions?
A number of pressures mean it is harder and harder for IT staff to ensure the security of IT systems
Point security products remain an essential part of achieving this
The effectiveness of point products is enhanced by the use of ASI tools
ASI tools also contribute to achieving broader GRC goals