
Advanced IT security intelligence

Bob Tarzey, Analyst and Director, Quocirca Ltd
Clive Longbottom, Service Director, Quocirca Ltd


June 19th 2012

What is advanced IT security intelligence?


- The ability to monitor IT systems and their use in real time and observe events occurring that, when correlated with other information, amount to suspicious or unwanted activity
- Builds on the heritage of log management and security information and event management (SIEM) tools
- Supplements point security products
Quocirca 2012 Slide 2 of 27

Point security products

- DLP
- IDS/IPS
- Encryption

ASI capabilities
- Central policy and intelligence engine
- Long-term storage of IT intelligence data
- Access to/use of data from external data sources
- Real-time, big data processing capability
- Advanced correlation of data and events
- Clear association of events with users
- Timely intelligence and insight to act and/or warn
- Learn from past experience and improve future responses
- Intuitive interface

ASI sources 1
IT infrastructure:
- Network devices
- Security devices
- Servers
- User end-points
- SCADA

Access data:
- Databases
- Business applications
- Email records
- Web access data
- Other data access information

ASI sources 2
Vulnerability data:
- 3rd party feeds
- Software integrity information
- Known malware

User information:
- User records
- Access rights
- Privileged access rights
- Third party access rights
- Machine access rights

ASI sources 3
Other data:
- Change control systems
- Locational data
- Regulatory/standard information
- Industry bodies
- Social media feeds
- Weather
- Time

Some example GRC challenges


- Compliance
- Unknown malware
- Use of cloud storage
- Data theft
- User mobility
- Safe online transactions
- Control of privilege
- Reliable sys-admin

Compliance demands will not decrease


How do you see regulations in the following areas affecting your organisation over the next 5 years?
- National government
- Data privacy
- National security
- Industry specific
- EU
- International trading
- Environmental
- Securities trading
- Credit card handling
- Financial transparency
- Health care

Scale from 1 = will decrease a lot to 5 = will increase a lot

Source: Quocirca, You sent what?, 2010

Many of the ASI examples that follow help drive compliance goals

A lot of new malware around

Source: McAfee Threats Report Q1 2012



ASI example: zero day malware (e.g. Flame)


- Infected server, at first undetected
- Attempts by infected server to contact many other servers
- Call home to unusual IP address

Inputs: server activity logs, network data, IP geolocation data
Alert: unusual server behaviour and network traffic
Result: unknown malware identified and thwarted, and deeper penetration of network prevented

Cloud growth: the take off of DIY computing?


ASI example: the non-compliant copying of data

Inputs: approved/restricted external resources, class of data
Policy: classified data cannot be copied to certain locations
Result: non-compliant storage of data prevented

Data protection, the court of public opinion: In terms of keeping your records safe, how trustworthy do you feel the following organisations are?


ASI example: data protection (e.g. APTs)


- Multiple access attempts from remote server repelled; a single attempt is successful
- Later attempt to copy data to same IP address
(Diagram: remote IP address and firewall)

Inputs: server access logs, firewall log
Alert: likely successful hack
Result: data theft prevented
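The three-stage pattern on this slide (repelled attempts, one success, a later outbound copy to the same IP) as a correlation over the two named inputs. This is an added example, not code from the Quocirca deck; the log line formats and IP addresses are constructed, and the failure threshold is an assumed tuning parameter.

```python
from collections import defaultdict

# Constructed sample logs (not from the original deck). The server access log
# records authentication attempts by remote IP; the firewall log records outbound
# connections from the server with bytes sent.
SERVER_ACCESS_LOG = [
    "2012-06-19T02:01:10Z auth FAIL user=admin src=203.0.113.45",
    "2012-06-19T02:01:12Z auth FAIL user=admin src=203.0.113.45",
    "2012-06-19T02:01:15Z auth FAIL user=admin src=203.0.113.45",
    "2012-06-19T02:01:19Z auth FAIL user=admin src=203.0.113.45",
    "2012-06-19T02:01:23Z auth OK user=admin src=203.0.113.45",
    "2012-06-19T09:15:00Z auth OK user=jdoe src=198.51.100.7",
]
FIREWALL_LOG = [
    "2012-06-19T03:40:02Z OUT src=10.0.0.5 dst=203.0.113.45 dport=443 bytes=734003200",
    "2012-06-19T09:20:11Z OUT src=10.0.0.5 dst=198.51.100.7 dport=443 bytes=2048",
]

def _kv(line):
    """Parse the key=value tokens of a (constructed-format) log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def suspicious_sources(access_log, min_failures=3):
    """Remote IPs that were repelled at least min_failures times and then got in.
    Returns {ip: timestamp of the first success after the run of failures}."""
    failures = defaultdict(int)
    hits = {}
    for line in access_log:
        ts, _, outcome = line.split()[:3]
        src = _kv(line)["src"]
        if outcome == "FAIL":
            failures[src] += 1
        elif outcome == "OK" and failures[src] >= min_failures and src not in hits:
            hits[src] = ts
    return hits

def correlate(access_log, firewall_log, min_failures=3):
    """Stage 1: likely successful hack. Stage 2: a later outbound copy to the same
    IP in the firewall log. Timestamps share one UTC format, so strings order them."""
    hits = suspicious_sources(access_log, min_failures)
    findings = [{"ip": ip, "stage": "likely successful hack", "at": ts}
                for ip, ts in hits.items()]
    for line in firewall_log:
        ts, fw = line.split()[0], _kv(line)
        if fw["dst"] in hits and ts > hits[fw["dst"]]:
            findings.append({"ip": fw["dst"], "stage": "outbound copy to same IP",
                             "at": ts, "bytes": int(fw["bytes"])})
    return findings
```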

User mobility: the rise and rise of the smartphone

Source: Beyond the PC, Oct 2011

ASI example: user mobility, the impossible access request

- Request 1: 10:00 GMT
- Request 2: 11:30 CET

Inputs: IP geolocation, mobile geolocation, time, user access logs
Alert: inconsistent access request
Result: hack prevented or uncovered
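The impossible access request as an added check (not code from the original deck): the two timestamps are parsed with their UTC offsets before the implied travel speed between the two geolocated sources is computed. Cities, coordinates and the speed threshold are assumed values.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample access-log records for one user (not from the original deck).
# Each carries its own UTC offset: 11:30 CET (UTC+1) is 10:30 GMT, so the two
# requests are only 30 minutes apart once normalised. Coordinates are assumed to
# come from an IP/mobile geolocation lookup.
ACCESS_LOG = [
    {"user": "jdoe", "time": "2012-06-19T10:00:00+00:00",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "jdoe", "time": "2012-06-19T11:30:00+01:00",
     "city": "Berlin", "lat": 52.5200, "lon": 13.4050},
]
MAX_SPEED_KMH = 900.0  # about airliner speed; anything faster is implausible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(records, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive requests by the same user whose implied travel speed
    exceeds max_speed_kmh. Timestamps are parsed with their offsets, so
    requests logged in different local zones are compared on one clock."""
    by_user = {}
    for rec in records:
        by_user.setdefault(rec["user"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs = sorted(recs, key=lambda r: datetime.fromisoformat(r["time"]))
        for prev, cur in zip(recs, recs[1:]):
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0:
                speed = km / hours
            else:  # same instant: impossible only if the two places differ
                speed = float("inf") if km > 0 else 0.0
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "minutes": round(hours * 60),
                               "kmh": round(speed)})
    return alerts
```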

External access: the growing need to open up applications and data to outsiders
Do you have a requirement to share data stored on your IT infrastructure with outsiders/third parties?

Source: Quocirca 2011, The data sharing paradox



ASI example: the suspicious access route


- Customers access the e-commerce app
- The e-commerce app accesses the e-commerce transaction database
- Direct access request to the database, bypassing the app

Inputs: database access logs, IDs of resources requesting access
Policy: database only accessed via given application
Result: hack prevented or uncovered

The need to protect critical infrastructure


ASI Example: the non-event prior to access


- Attempt to access SCADA
- No corresponding door entry event (the non-event)

Inputs: door entry system log, SCADA access log
Policy: physical presence of individual required to access SCADA system
Result: unauthorised attempt to change systems prevented (e.g. Stuxnet)
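The non-event on this slide as an added correlation rule (not code from the original deck): a SCADA action is alerted when the door entry log holds no matching badge-in for the operator. Badge ids, timestamps and the 12-hour shift window are assumed.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the original deck), all timestamps UTC.
# Door entry log: badge-in/badge-out events at the control room door.
DOOR_LOG = [
    ("2012-06-19T07:55:00", "b-1001", "IN"),
    ("2012-06-19T12:05:00", "b-1001", "OUT"),
]
# SCADA access log: operator (same badge id) and the action attempted.
SCADA_LOG = [
    ("2012-06-19T08:30:00", "b-1001", "setpoint change"),   # badged in at 07:55
    ("2012-06-19T13:10:00", "b-1001", "setpoint change"),   # after badge-out at 12:05
    ("2012-06-19T09:00:00", "b-2002", "firmware upload"),   # no door event at all
]

def present_at(door_log, badge, when, max_shift=timedelta(hours=12)):
    """True only if the badge's most recent door event before `when` is an IN
    within max_shift. An OUT, or no event at all, means not physically present."""
    last = None
    for ts, b, event in door_log:
        t = datetime.fromisoformat(ts)
        if b == badge and t <= when and (last is None or t > last[0]):
            last = (t, event)
    return last is not None and last[1] == "IN" and when - last[0] <= max_shift

def non_event_alerts(door_log, scada_log):
    """Flag SCADA actions for which the required physical-entry event is absent.
    The alert condition is the absence of a record, not the presence of one."""
    alerts = []
    for ts, badge, action in scada_log:
        if not present_at(door_log, badge, datetime.fromisoformat(ts)):
            alerts.append({"badge": badge, "action": action, "at": ts})
    return alerts
```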

The need to monitor sys-admin activity


To what extent are you able to control the following issues when it comes to privileged user management?


Source: Quocirca 2011, Conquering the sys-admin challenge



ASI Example: suspicious sys-admin activity


- Attempt to change settings on server by sys-admin

Inputs: change control database, server activity log
Policy: sys-admin change only allowed if approved change control ticket in place
Result: unauthorised sys-admin change prevented

The need to check sys-admin activity


How often do you back up the configuration settings for the following types of devices/applications?


Source: Quocirca 2011, Conquering the sys-admin challenge



ASI example: spotting a sys-admin failure

- Backup process started
- Not completed

Inputs: server activity log, primary storage read log, backup storage write log
Warning: scheduled backup failed
Result: potential disaster recovery problem averted

Conclusions?
- A number of pressures mean it is harder and harder for IT staff to ensure the security of IT systems
- Point security products remain an essential part of achieving this
- The effectiveness of point products is enhanced by the use of ASI tools
- ASI tools also contribute to achieving broader GRC goals

Thank you
www.quocirca.com
bob.tarzey@quocirca.com
