Title: Enterprise Threat Management (ETM): Bringing Security Together Through Intelligence
1. Enterprise Threat Management (ETM)
Bringing Security Together Through Intelligence
- David Thomason
- Director of Security Engineering
2. Look Familiar? The Agony of Today's Network Security
- Undetected Attacks: According to ComputerWorld Magazine, the TJX security breach, which was reported in mid-December of 2006 and could put the credit and debit card data of more than 40 million customers at risk, was not detected for seven months.
- Outsider Attacks: According to the 2006 Ponemon Data Breach Study, those surveyed who experienced data theft in the last year spent an average of $660,000 to notify customers, business partners, and regulators.
- Insider Malicious Attacks: In a survey jointly done by ASIS International and the U.S. Chamber of Commerce, 138 executives of Fortune 1000 companies reported losses between $53 billion and $59 billion due to insider attacks.
- Insider Accidental Attacks: In an FBI Computer Crime Survey released on 1/11/07, 44% of participants said they were attacked from within their own organizations.
- Unknown Connections: The most recent CSI/FBI Computer Crime and Security Survey reports that 66% of the security incidents that caused the greatest organizational losses were unauthorized access and theft of proprietary information.
- Compliance Enforcement: According to John Hagerty of AMR Research, "It [automated compliance] also comes down to an issue of visibility. Where do I have problems? Where do I have exposure? That's when it starts to become a more strategic issue because management is asking for an overall view of this."
3. Current Security Spending Trends: Unsustainable Growth
4. What's Going on Here?
- The awareness of the problem is there
- Billions of dollars have been spent on IT security
- The security problem is getting worse as attackers become more motivated.
  - Today's professional hacker does not want his work to be noticed. The TJX security breach (T.J. Maxx stores) disclosed in 12/06 was one of the largest in retail history and went undetected for seven months!
- How is it possible for so many security technologies to be defeated?
- The silo approach of "see a threat, buy a box" is no longer feasible.
5. Key Flaws in Current Network Security
- Network security technology operates with virtually no knowledge about what it's protecting
- Virtually all network security technology is driven solely by people
- These factors combine to lead to network defenses that are misconfigured, porous, and static
6. Security Events Must Have Context
Is this guy a threat? Or a valued customer? Is
he holding a gun? Or an iPod? Is it summer in
Sydney? Or winter in New York? Do you reach to
set off the alarm? Or to shake his hand?
Unfortunately, the majority of network solutions
today lack the ability to integrate intelligence
into the real-time analysis of potential threats.
7. Introducing Enterprise Threat Management (ETM)
8. The Role of Intrusion Prevention
- Vulnerability-based Intrusion Prevention
  - First line of ETM defense
  - IPS rules should address the vulnerability, not the exploit
  - Protection against zero-day attacks
  - IPS events should be correlated against endpoint intelligence
  - IPS is just one part of an effective ETM strategy
9. The Role of Vulnerability Assessment
- Active Endpoint Intelligence
  - Popular source for obtaining endpoint and vulnerability intelligence
  - Provides a rich snapshot of endpoint assets and vulnerabilities
  - Intelligence degrades in between active scans
  - Active scanning can be harmful to some hosts
10. The Role of Network Behavior Analysis (NBA)
- Passive Endpoint Intelligence
  - Complements the rich intelligence gained by active scanning
  - 24x7 monitoring for endpoint assets and vulnerabilities
  - Analogous to passive SONAR: learn by listening
- Network Anomaly Detection
  - Create a baseline of normal network behavior
  - Identify propagation of attacks that walked through the front door
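An added example of the anomaly-detection idea on this slide (not Sourcefire's code and not from the deck): a peer baseline is learned per host from one window of flow records, and the next window is checked for hosts fanning out to many never-before-seen internal peers, the propagation pattern of an attack that is already inside. The flow records, addresses and the new-peer threshold are constructed.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dport) for a hypothetical internal network:
# the first window is used to learn normal behaviour, the second is the window being checked.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445), ("10.0.0.5", "10.0.0.21", 445),
    ("10.0.0.6", "10.0.0.30", 80), ("10.0.0.6", "10.0.0.31", 80),
    ("10.0.0.7", "10.0.0.40", 22),
]
CURRENT_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445), ("10.0.0.5", "10.0.0.22", 445), ("10.0.0.5", "10.0.0.23", 445),
    ("10.0.0.5", "10.0.0.24", 445), ("10.0.0.5", "10.0.0.25", 445), ("10.0.0.5", "10.0.0.26", 445),
    ("10.0.0.6", "10.0.0.30", 80), ("10.0.0.6", "10.0.0.33", 80),
    ("10.0.0.7", "10.0.0.40", 22),
]

def peer_profile(flows):
    """Per-source set of (dst, dport) pairs: who each host talks to, and on which service."""
    profile = defaultdict(set)
    for src, dst, dport in flows:
        profile[src].add((dst, dport))
    return profile

def find_propagation(baseline, flows, new_peer_limit=2):
    """Flag hosts that reach more never-before-seen peers than the baseline allows.
    A host already inside the network fanning out to many new peers on one service is the
    propagation pattern of a worm, or of a compromised host that walked in the front door."""
    alerts = []
    for src, peers in peer_profile(flows).items():
        new_peers = peers - baseline.get(src, set())   # unknown hosts have an empty baseline
        if len(new_peers) > new_peer_limit:
            ports = sorted({dport for _, dport in new_peers})
            alerts.append((src, len(new_peers), ports))
    return alerts

def detect(baseline_flows=BASELINE_FLOWS, current_flows=CURRENT_FLOWS):
    """Learn the baseline from one window and check the next one."""
    return find_propagation(peer_profile(baseline_flows), current_flows)
```

Only 10.0.0.5 is flagged: it contacts five new hosts on port 445 while 10.0.0.6 adds a single new web peer, which stays within the threshold.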
11. The Role of Network Access Control (NAC)
- Pre-connect NAC
  - Dominated by the Cisco Network Admission Control (CNAC) and Microsoft Network Access Protection (MNAP) standards
  - Useful for determining who can get on the ride
- Post-connect NAC
  - Useful for determining what you can do once you're on the ride
  - Set compliance policies related to usage of operating systems, services, apps, resources, etc.
  - Identifies policy and regulatory non-compliance
12. Tying It All Together
- Integrated ETM Console
  - Monitor for security events originating from both inside and outside the organization
  - Correlate threat, endpoint, and network intelligence
    - Threat intelligence from IPS
    - Endpoint intelligence from VA and NBA
    - Network intelligence from NBA
  - Drastically reduce false positives and negatives
  - Monitor for compliance with IT policies related to company, industry and/or government regulatory compliance
  - Compliance monitoring through post-connect NAC
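An added example (not Sourcefire's code and not from the deck) of the correlation this slide and the IPS slide describe: an IPS event, whose rule covers a vulnerability rather than one exploit, is scored against endpoint intelligence from an active VA scan, topped up with passive NBA observations so that hosts and services the last scan missed still count. The host addresses, vulnerability ids and the priority scheme are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    ip: str
    os: str
    services: set = field(default_factory=set)  # listening services seen by scan or on the wire
    vuln_ids: set = field(default_factory=set)  # findings from the last active VA scan

@dataclass
class IpsEvent:
    src: str
    dst: str
    vuln_id: str            # the vulnerability the rule covers, not one specific exploit
    affects_os: frozenset   # platforms the vulnerability applies to
    affects_service: str    # service that must be exposed for the vulnerability to matter
    base_priority: int      # 1 (low) .. 5 (critical), as assigned by the IPS rule

def merge_passive(inventory, observations):
    """Fold passive NBA observations (ip, os_guess, service) into the active-scan snapshot."""
    for ip, os_guess, service in observations:
        host = inventory.setdefault(ip, Endpoint(ip=ip, os=os_guess))  # new host: add it
        host.services.add(service)                                      # known host: add service
    return inventory

def correlate(event, inventory):
    """Return (disposition, priority) for one IPS event given endpoint intelligence."""
    host = inventory.get(event.dst)
    if host is None:
        return "unknown-host", event.base_priority  # discovery gap: keep the rule's priority
    if event.affects_service not in host.services or host.os not in event.affects_os:
        return "not-applicable", 0                  # target cannot be affected: false positive
    if event.vuln_id in host.vuln_ids:
        return "confirmed-vulnerable", min(5, event.base_priority + 2)
    return "possible", event.base_priority

# Constructed sample data (hypothetical hosts, addresses and vulnerability ids).
ACTIVE_SCAN = {
    "10.0.0.5": Endpoint("10.0.0.5", "windows", {"smb"}, {"VULN-SMB-1"}),
    "10.0.0.6": Endpoint("10.0.0.6", "linux", {"http"}),
}
PASSIVE_NBA = [("10.0.0.7", "linux", "http"), ("10.0.0.5", "windows", "rdp")]
EVENTS = [
    IpsEvent("203.0.113.9", "10.0.0.5", "VULN-SMB-1", frozenset({"windows"}), "smb", 3),
    IpsEvent("203.0.113.9", "10.0.0.6", "VULN-IIS-1", frozenset({"windows"}), "http", 4),
    IpsEvent("203.0.113.9", "10.0.0.7", "VULN-HTTP-2", frozenset({"linux"}), "http", 2),
    IpsEvent("203.0.113.9", "10.0.0.9", "VULN-SMB-1", frozenset({"windows"}), "smb", 3),
]

def triage(events=EVENTS):
    inventory = merge_passive(dict(ACTIVE_SCAN), PASSIVE_NBA)
    return [(e.dst, *correlate(e, inventory)) for e in events]
```

The Windows-only IIS event against the Linux web server drops to priority 0, the SMB event against the host the scan already found vulnerable is raised, and the event against an address neither source knows about is left at its rule priority and flagged as a discovery gap.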
13. ETM: Before, During & After the Attack
14. Sourcefire's Approach to ETM
[Diagram: an Intelligence Layer feeding three stages, Discover, Determine, Defend]
15. ETM: a Better, More Efficient Process
- Organizations need systems that can analyze security information and apply context automatically and holistically. Most security technologies are driven by a man-in-the-loop process.
  - How do you know when to update your access control configuration?
  - How do you know when a new vulnerability is relevant to your environment?
  - How do you know when there is an active, high priority security event occurring in your environment?
  - How do you know when the patch management system needs to address a new host?
  - This information is then turned into response manually
- Persistent, automatic intelligence generation and analysis driving network security to REAL-TIME, UNIFIED NETWORK DEFENSE
16. ETM Benefits Summary
- Enjoy continuous protection through an integrated approach. The whole truly is greater than the sum of the parts: reduce the number of vendors, reduce the cost of ownership
- Get faster and more accurate response from threat, endpoint, and network intelligence: the keys to driving next-generation security technologies that are automated and adaptive
- Take advantage of consolidated reporting and management views
- Enforce compliance with security policies and industry regulations as part of overall network protection
17. ETM Take-away
- ETM leverages real-time intelligence about the network environment and drives it into network security technologies for a more effective and efficient security solution.
18. Questions?