Enterprise Threat Management (ETM): Bringing Security Together Through Intelligence - PowerPoint PPT Presentation
Provided by: KellyW52
1
Enterprise Threat Management (ETM)
Bringing Security Together Through Intelligence
  • David Thomason
  • Director of Security Engineering

2
Look Familiar? The Agony of Today's
Network Security
  • Undetected Attacks: According to ComputerWorld
    Magazine, the TJX security breach, which was
    reported in mid-December of 2006 and could put
    the credit and debit card data of more than 40
    million customers at risk, was not detected for
    seven months.
  • Outsider Attacks: According to the 2006 Ponemon
    Data Breach Study, those surveyed who
    experienced data theft in the last year spent an
    average of $660,000 to notify customers, business
    partners, and regulators.
  • Insider Malicious Attacks: In a survey jointly
    done by ASIS International and the U.S. Chamber
    of Commerce, 138 executives of Fortune 1000
    companies reported losses between $53 billion and
    $59 billion due to insider attacks.
  • Insider Accidental Attacks: In an FBI Computer
    Crime Survey released on 1/11/07, 44% of
    participants said they were attacked from within
    their own organizations.
  • Unknown Connections: The most recent CSI/FBI
    Computer Crime and Security Survey reports that
    66% of the security incidents that caused the
    greatest organizational losses were unauthorized
    access and theft of proprietary information.
  • Compliance Enforcement: According to John Hagerty
    of AMR Research, "automated compliance also
    comes down to an issue of visibility. Where do
    I have problems? Where do I have exposure?
    That's when it starts to become a more strategic
    issue because management is asking for an
    overall view of this."
3
Current Security Spending Trends: Unsustainable
Growth
4
What's Going on Here?
  • The awareness of the problem is there
  • Billions of dollars have been spent on IT
    security
  • The security problem is getting worse as
    attackers become more motivated. Today's
    professional hacker does not want his work to be
    noticed. The TJX security breach (T.J. Maxx
    stores) disclosed in 12/06 was one of the
    largest in retail history and went undetected
    for seven months!
  • How is it possible for so many security
    technologies to be defeated?
  • The silo approach of "see a threat, buy a box"
    is no longer feasible.

5
Key Flaws in Current Network Security
  • Network security technology operates with
    virtually no knowledge about what it's
    protecting
  • Virtually all network security technology is
    driven solely by people
  • These factors combine to lead to network
    defenses that are misconfigured, porous, and
    static

6
Security Events Must Have Context
Is this guy a threat? Or a valued customer? Is
he holding a gun? Or an iPod? Is it summer in
Sydney? Or winter in New York? Do you reach to
set off the alarm? Or to shake his hand?


Unfortunately, the majority of network solutions
today lack the ability to integrate intelligence
into the real-time analysis of potential threats.
7
Introducing Enterprise Threat Management (ETM)
8
The Role of Intrusion Prevention
  • Vulnerability-based Intrusion Prevention
  • First line of ETM defense
  • IPS rules should address the vulnerability, not
    the exploit
  • Protection against zero-day attacks
  • IPS events should be correlated against endpoint
    intelligence
  • IPS is just one part of an effective ETM strategy

9
The Role of Vulnerability Assessment
  • Active Endpoint Intelligence
  • Popular source for obtaining endpoint and
    vulnerability intelligence
  • Provides a rich snapshot of endpoint assets and
    vulnerabilities
  • Intelligence degrades in between active scans
  • Active scanning can be harmful to some hosts

10
The Role of Network Behavior Analysis (NBA)
  • Passive Endpoint Intelligence
  • Complements the rich intelligence gained by
    active scanning
  • 24x7 monitoring for endpoint assets and
    vulnerabilities
  • Analogous to passive SONAR: learn by listening
  • Network Anomaly Detection
  • Create a baseline of normal network behavior
  • Identify propagation of attacks that walked
    through the front door

11
The Role of Network Access Control (NAC)
  • Pre-connect NAC
  • Dominated by the Cisco Network Admission Control
    (CNAC) and Microsoft Network Access Protection
    (MNAP) standards
  • Useful for determining who can get on the ride
  • Post-connect NAC
  • Useful for determining what you can do once
    you're on the ride
  • Set compliance policies related to usage of
    operating systems, services, apps, resources,
    etc.
  • Identifies policy and regulatory non-compliance

12
Tying It All Together
  • Integrated ETM Console
  • Monitor for security events originating from both
    inside and outside the organization
  • Correlate threat, endpoint, and network
    intelligence
  • Threat intelligence from IPS
  • Endpoint intelligence from VA and NBA
  • Network intelligence from NBA
  • Drastically reduce false positives and negatives
  • Monitor for compliance with IT policies related
    to company, industry and/or government regulatory
    compliance
  • Compliance monitoring through post-connect NAC
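As an added illustration of the correlation step described in slides 8 and 12 (example code written for this transcript, not code from the presentation or from Sourcefire), the function below rates an IPS event against an endpoint inventory built from VA and NBA data. Host records, vulnerability identifiers and alerts are all constructed placeholders; the staleness window models the "intelligence degrades between active scans" point from slide 9.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Host:
    """Endpoint intelligence record (constructed; fields are assumptions)."""
    ip: str
    services: set         # services observed by VA scan or passive NBA
    vulns: set            # vulnerability ids the host is known to carry
    last_seen: datetime   # last time a scan or passive observation refreshed it

@dataclass
class Alert:
    """Vulnerability-based IPS event: the rule names the vulnerability it covers."""
    src: str
    dst: str
    service: str
    vuln_id: str

def rate_alert(alert, inventory, now, max_age=timedelta(days=7)):
    """Attach endpoint context to a raw IPS event.

    Returns one of:
      unknown-host    no endpoint intelligence; cannot be suppressed, investigate
      stale-intel     record older than max_age, treat as if unknown
      vulnerable      target carries the vulnerability the rule addresses
      not-applicable  target does not even run the service; likely false positive
      not-vulnerable  service present but vulnerability not found; low priority
    """
    host = inventory.get(alert.dst)
    if host is None:
        return "unknown-host"
    if now - host.last_seen > max_age:
        return "stale-intel"
    if alert.vuln_id in host.vulns:
        return "vulnerable"
    if alert.service not in host.services:
        return "not-applicable"
    return "not-vulnerable"

def prioritize(alerts, inventory, now):
    """Return alerts needing a response first: real hits, then unknown context."""
    order = {"vulnerable": 0, "unknown-host": 1, "stale-intel": 1,
             "not-vulnerable": 2, "not-applicable": 3}
    rated = [(rate_alert(a, inventory, now), a) for a in alerts]
    return sorted(rated, key=lambda r: order[r[0]])
```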

13
ETM: Before, During and After the Attack
14
Sourcefire's Approach to ETM
Intelligence layer: Discover, Determine, Defend
15
ETM: a Better, More Efficient Process
  • Organizations need systems that can analyze
    security information and apply context
    automatically and holistically. Most security
    technologies are driven by a man-in-the-loop
    process.
  • How do you know when to update your access
    control configuration?
  • How do you know when a new vulnerability is
    relevant to your environment?
  • How do you know when there is an active, high
    priority security event occurring in your
    environment?
  • How do you know when the patch management system
    needs to address a new host?
  • This information is then turned into a response
    manually
  • Persistent, automatic intelligence generation and
    analysis driving network security to
    REAL-TIME, UNIFIED,
    NETWORK DEFENSE

16
ETM Benefits Summary
  • Enjoy continuous protection through an integrated
    approach. The whole truly is greater than the
    sum of the parts: reduce the number of vendors,
    reduce the cost of ownership
  • Get faster and more accurate response from
    threat, endpoint, and network intelligence, the
    keys to driving next-generation security
    technologies that are automated and adaptive
  • Take advantage of consolidated reporting and
    management views
  • Enforce compliance with security policies and
    industry regulations as part of overall network
    protection

17
ETM Take-away
  • ETM leverages real-time intelligence about the
    network environment and drives it into network
    security technologies for a more effective and
    efficient security solution.

18
Questions?