Dynamic Threat Protection - PowerPoint PPT Presentation (63 slides)

Transcript and Presenter's Notes

1
Dynamic Threat Protection
  • Press Roundtable
  • Hilton City München, 10 April 2003

2
Agenda
  • Dynamic Threat Protection: Peter Stremus, Director EMEA Marketing
  • Product Update: Johan Beckers, EMEA Director of Technology Solutions
  • Enterprise Protection: Volker Pampus, Managing Director, Germany

3
Dynamic Threat Protection
  • Peter Stremus
  • EMEA Director of Marketing

4
The Environment: Ever-Changing Dynamic Threats
5
The Environment: Vulnerabilities Are Increasing
Source: Carnegie Mellon Software Engineering Institute, CERT Coordination Center
6
The Environment: Incidents Are Accelerating
Source: Carnegie Mellon Software Engineering Institute, CERT Coordination Center
7
The Environment: Your Increasingly Complex and Dynamic Infrastructure
8
The Risks and Costs are Real
  • 90% detected computer security breaches
  • 80% acknowledged financial losses
  • Average annual loss was just over US$2 million
  • The most serious losses were from theft of proprietary information or financial fraud
  • More respondents (74%) cited the Internet as the most frequent origin of attack than cited internal systems (33%)
  • Source: 2002 Computer Security Institute/FBI Computer Crime and Security Survey

9
The Costs are Real
  • Cost per incident is high and rising
  • SQL Slammer: damage estimates already around US$1 billion
  • Nimda: over US$500 million
  • Code Red: over US$2.5 billion
  • Network downtime: lost revenue and increased expense
  • Productivity loss in response and clean-up
  • Patching is too costly

10
Today's Firewalls and Anti-Virus Are Not Sufficient
  • Hybrid threats (SQL Slammer, Nimda, Code Red) blow right through firewalls
  • Desktop AV systems are ineffective and too late
  • 57% of attacks are through port 80
  • Web server threats: IIS (50%), Apache (20%), iPlanet (10%)
  • eCommerce: Cold Fusion, shopping carts
  • Port 443 (https)

[Diagram: Internet, a single firewall, and a row of internal hosts each relying on desktop AV]
11
Protection Across the Threat Spectrum
12
What Does ISS Do? ISS Keeps the Bad Guys Out
  • How?
  • Through a new approach: Dynamic Threat Protection.
  • Dynamic: always changing
  • Threat: the entire threat spectrum: hybrids, worms, DoS, viruses, malicious code, buffer overflows, unauthorized access, exploits
  • Protection: detection, prevention and response to the ever-changing threat across network, server and desktops.

13
What is Dynamic Threat Protection?
  • An approach enabling organizations to proactively
    protect against potential security risks when
    vulnerabilities are first discovered and before
    threats become active attacks.

14
Detect-Prevent-Respond Capabilities
15
Evolution of Protection
16
From Manual Protection
  • Resource Intensive
  • Prone To Error
  • Hostage to Patch Process

17
to a Dynamic Protection Process
18
Correlation Methods
  • Aggregation: group and count events by event name, by port, by severity, by source IP or by business asset being affected
  • Directional Correlation: categorize attacks as outbound or inbound
  • Event-to-Incident Mapping: group and display events by incident (e.g., 1000 events across a network are due to one intruder/incident, not 1000 intruders)
  • Event-to-Intruder Mapping: group events originating from specific intruders
  • FastAnalysis Correlation: guided navigation within the data, enabling an entry-level security analyst to research and identify security incidents
  • Exceptions and Incidents: custom categorization and prioritization of events for intervention (high priority) or for logging only (low priority)
  • Attack-to-Vulnerability Correlation: identify attack, attack type and likely outcome based on the vulnerability state of the target, using data collected via an integrated scan
  • Automated Attack Pattern Recognition: multiple-event pattern recognition
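As an added example (not ISS code and not part of the presentation), the following Python runs four of the correlation methods above over a handful of constructed IDS alerts: aggregation by field, directional correlation against an assumed internal address space, event-to-intruder/incident mapping, and a multi-event pattern check that also stands in for the cross-sensor attack pattern analysis described on slide 45. The event fields, sensor names, addresses, severities and the "three targets on two sensors" threshold are all assumptions made for the illustration.

```python
"""Event correlation over constructed IDS alerts: aggregation, directional
correlation, event-to-intruder/incident mapping and a simple multi-event
pattern check. Added example, not ISS code; the event layout is assumed."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space used for directional correlation.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample alerts (not real sensor output); field names are assumed.
EVENTS = [
    {"ts": 1, "sensor": "net-dmz",  "src": "203.0.113.5", "dst": "10.1.1.10",    "dport": 80,   "name": "HTTP_IIS_Unicode",  "sev": "high"},
    {"ts": 2, "sensor": "net-dmz",  "src": "203.0.113.5", "dst": "10.1.1.11",    "dport": 80,   "name": "HTTP_IIS_Unicode",  "sev": "high"},
    {"ts": 3, "sensor": "net-core", "src": "203.0.113.5", "dst": "10.2.0.7",     "dport": 80,   "name": "HTTP_IIS_Unicode",  "sev": "high"},
    {"ts": 4, "sensor": "net-core", "src": "203.0.113.5", "dst": "10.2.0.8",     "dport": 1434, "name": "SQL_SSRS_Overflow", "sev": "high"},
    {"ts": 5, "sensor": "net-core", "src": "10.2.0.8",    "dst": "198.51.100.9", "dport": 1434, "name": "SQL_SSRS_Overflow", "sev": "high"},
    {"ts": 6, "sensor": "net-dmz",  "src": "192.168.5.5", "dst": "10.1.1.10",    "dport": 80,   "name": "HTTP_GET_Long",     "sev": "low"},
]


def aggregate(events, field):
    """Aggregation: count events by one field (name, dport, sev, src, ...)."""
    return Counter(e[field] for e in events)


def direction(event):
    """Directional correlation: inbound, outbound or internal relative to our nets."""
    src_in = any(ip_address(event["src"]) in n for n in INTERNAL_NETS)
    dst_in = any(ip_address(event["dst"]) in n for n in INTERNAL_NETS)
    if src_in and dst_in:
        return "internal"
    return "outbound" if src_in else "inbound"


def events_to_incidents(events):
    """Event-to-intruder mapping: one incident per source IP, with the
    targets, sensors and signatures it touched and a priority for triage."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        incidents.append({
            "intruder": src,
            "events": len(evs),
            "targets": sorted({e["dst"] for e in evs}),
            "sensors": sorted({e["sensor"] for e in evs}),
            "names": sorted({e["name"] for e in evs}),
            "direction": direction(evs[0]),
            "priority": "high" if any(e["sev"] == "high" for e in evs) else "low",
        })
    return incidents


def attack_patterns(incidents, min_targets=3):
    """Multi-event pattern recognition. Two assumed patterns: one intruder
    hitting many targets as seen by more than one sensor (a sweep), and a host
    that was attacked and is now attacking outbound (worm-style propagation)."""
    findings = []
    victims = {t for i in incidents for t in i["targets"]}
    for i in incidents:
        if len(i["targets"]) >= min_targets and len(i["sensors"]) > 1:
            findings.append((i["intruder"], "multi-sensor sweep"))
        if i["direction"] == "outbound" and i["intruder"] in victims:
            findings.append((i["intruder"], "victim now attacking outbound"))
    return findings


if __name__ == "__main__":
    print(aggregate(EVENTS, "name"))
    for inc in events_to_incidents(EVENTS):
        print(inc)
    print(attack_patterns(events_to_incidents(EVENTS)))
```

Six raw events collapse to three incidents, and the pattern check singles out the one external source sweeping several hosts and the internal host that turned into an attacker after being hit; that is the "1000 events, one intruder" reduction the slide describes.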

19
Virtual Patch: Restore Customer Control
Dynamic threat protection provides a buffer of
time via the virtual patch whereby newly
discovered exposures are addressed before
scheduled patches and upgrades can be applied.
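To make the "buffer of time" concrete, here is an added example (not ISS code, not from the presentation) of a network-level virtual patch written as a packet-filter rule in Python. It models the UDP/1434 SQL Server Resolution Service overflow that SQL Slammer exploited (Microsoft bulletin MS02-039): exploit-shaped datagrams to hosts still waiting for the vendor patch are dropped, and once a host is recorded as patched the rule is retired for it and only alerts. The message-type byte, the 64-byte length threshold, the addresses and the sample traffic are assumptions for illustration, not the signature any product shipped.

```python
"""A network-level 'virtual patch' modelled as a packet-filter rule.
Added example, not ISS code. The rule models the UDP/1434 SQL Server
Resolution Service overflow exploited by SQL Slammer (MS02-039); the
message-type check, length threshold and asset list are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class VirtualPatch:
    name: str
    dport: int
    msg_type: int       # first payload byte; 0x04 = Resolution Service instance request (assumed)
    max_len: int        # longest payload a legitimate request needs (assumed)
    patched: set = field(default_factory=set)  # hosts where the vendor patch is installed

    def matches(self, d: Datagram) -> bool:
        """True when the datagram has the shape the overflow needs."""
        return (d.dport == self.dport
                and len(d.payload) > 0 and d.payload[0] == self.msg_type
                and len(d.payload) > self.max_len)

    def decide(self, d: Datagram) -> str:
        """'allow' for traffic the rule ignores, 'drop' for exploit-shaped
        traffic to a host still unpatched, 'alert' for the same traffic to a
        host already patched (record the attempt, no longer block)."""
        if not self.matches(d):
            return "allow"
        return "alert" if d.dst in self.patched else "drop"

    def apply_vendor_patch(self, host: str) -> None:
        """Retire the virtual patch for one host once the real fix is installed."""
        self.patched.add(host)


def filter_datagrams(datagrams, vp: VirtualPatch):
    """Run every datagram through the rule; returns (dst, decision) pairs."""
    return [(d.dst, vp.decide(d)) for d in datagrams]


# Constructed traffic (not a capture). A legitimate lookup is a short
# type-0x04 datagram naming the instance; the worm-shaped one is 376 bytes
# of type 0x04 followed by filler, far longer than any instance name.
SAMPLE = [
    Datagram("10.3.3.3",     "10.2.0.8", 1434, b"\x04MSSQLSERVER"),
    Datagram("198.51.100.9", "10.2.0.8", 1434, b"\x04" + b"\x01" * 375),
    Datagram("198.51.100.9", "10.2.0.9", 1434, b"\x04" + b"\x01" * 375),
    Datagram("10.3.3.3",     "10.2.0.8", 1434, b"\x02"),                # other request type
    Datagram("10.3.3.3",     "10.2.0.8", 53,   b"\x04" + b"A" * 300),   # not the protected port
]


def demo():
    """Decisions before and after one host receives the vendor patch."""
    rule = VirtualPatch("Resolution Service overflow (MS02-039)",
                        dport=1434, msg_type=0x04, max_len=64)
    before = filter_datagrams(SAMPLE, rule)
    rule.apply_vendor_patch("10.2.0.9")   # 10.2.0.9 is patched in the next maintenance window
    after = filter_datagrams(SAMPLE, rule)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before patch:", before)
    print("after patch: ", after)
```

The point of the per-host patched set is that the virtual patch is a bridge, not a replacement: it blocks only the exposure window, and blocking stops as soon as the real fix is in place, so a rule that keeps firing after that is a signal that patch status and inventory disagree.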
20
Savings Network Virtual Patch
21
Savings Host Virtual Patch
22
A Platform Starts with a System
23
How To Get There
Top risks determined by X-Force R&D, penetration tests, and MSS statistical attack data.
24
ISS: the Complete Solution
  • Up-to-date readiness: X-Force R&D and Protection Services
  • Best-in-class protection technology: RealSecure Protection Systems
  • Platform coverage: RealSecure Management
25
Summary
Dynamic Threat Protection
  • Best-in-class Technology
  • Complete Platform Coverage
  • Up-to-date readiness
  • Accuracy
  • Performance
  • Lower TCO

26
Product Update: Internet Scanner, SiteProtector, Fusion
  • Johan Beckers
  • EMEA Director of Technology Solutions

27
Agenda
  • Internet Scanner 7.0
  • RealSecure SiteProtector 2.0
  • RealSecure Fusion 2.0
  • What Else Is New ?

28
Internet Scanner 7.0
29
Internet Scanner 7.0
Available April 2003
  • Availability: April 2003 (beta is available now)
  • Internet Scanner 7.0 is one product with two customer types:
  • Network Assessment
  • Enterprise Assessment

30
Internet Scanner 7.0 - Network Assessment
Available April 2003
  • Problem: Organizations concerned about securing their critical network assets are challenged by the rapidly increasing number of threats, a lack of expertise, and limited resources for information security in their organization
  • Solution:
  • Automated vulnerability assessment solution
  • Easy to use, with features that compensate for the lack of security expertise of some users
  • Equipped with a comprehensive and frequently updated vulnerability catalog
  • Capable of quickly generating reports appropriate for different levels of the organization, including detailed fix information for platform owners and high-level overviews for managers

31
Internet Scanner 7.0 Enterprise Assessment
Available April 2003
  • Problem: Enterprises are overwhelmed by the challenge of managing host and vulnerability information for thousands of nodes in a distributed, multi-user organization
  • Solution:
  • Automated vulnerability assessment solution
  • Able to assess geographically and organizationally distributed networks via a single remote interface
  • Collects and analyzes large amounts of vulnerability information to provide high-level metrics and multi-dimensional analysis, both for a single scan and over time
  • Controls access to scanning capabilities and vulnerability information for a range of users within the organization

32
Internet Scanner 7.0: What's New
Available April 2003
33
RealSecure SiteProtector 2.0
34
RS SiteProtector & Fusion 2.0 Positioning
  • Problem: TCO is too high, there are more alerts than one can handle, too many different management applications are needed to protect my organization, and it does not scale
  • Solution: Centralized management platform that unifies the command & control, event management and analysis of network, server and desktop protection systems
  • Fusion: Automated impact analysis & attack pattern analysis
  • Scalability: Extends the three-tier architecture
  • Reduced TCO: Lower operational costs

35
RS SiteProtector Differentiators
  • Better security at lower cost of ownership
  • Ease of use
  • Deployment: Central Deployment Manager
  • Fully integrated: unifies command & control, event management and analysis of network, server and desktop protection systems
  • Architectural scalability: built on a 3-tier architecture
  • Accuracy
  • Promotes the accuracy of each sensor
  • Millions of events per day get aggregated, consolidated, correlated and analysed to become accurate and verified security incidents.

36
RealSecure SiteProtector 2.0 - Available January 2003
  • Deployment

Browser-based deployment
Additional SiteProtectors and components
Automatic registration and grouping of agents
Security agents: network, server, desktop, vulnerability assessment
37
RealSecure SiteProtector 2.0 - Available January 2003
  • Configuration Management

Custom grouping
Automatic asset grouping
38
RealSecure SiteProtector 2.0 - Available January 2003
  • Configuration Management

One click does a lot: vulnerability assessment, desktops, networks, servers
39
RealSecure SiteProtector 2.0 - Available January 2003
  • Analysis and Reporting

Create custom views
Each view can be exported (HTML, PDF, CSV) and scheduled (once, recurring, sliding window)
40
RealSecure SiteProtector 2.0 - Available January 2003
  • Analysis and Reporting

Built-in reporting dashboard at site level
Reports that show metrics, comparisons, trends, analysis and detail by day, month, quarter, year
41
RealSecure SiteProtector 2.0 - Available January 2003
  • Analysis and Reporting

Advanced analysis capabilities: right-click menus, security logic, fast navigation, filters, exceptions, incidents, detail
42
RealSecure SiteProtector 2.0 - Available January 2003
  • Analysis and Reporting

Needle-in-the-haystack analysis
43
RealSecure SiteProtector 2.0 - Available January 2003
  • Analysis and Reporting

Incident creation and tracking
44
RealSecure Security Fusion 2.0
45
RealSecure Security Fusion 2.0 - Available May 2003
  • Impact Analysis
  • Answers the question: "Was the attack successful?"
  • Correlates stored data about the target instantly
  • Estimates the impact on the target
  • Automatically responds
  • Attack Pattern Analysis
  • Answers the question: "Are there patterns of attack activity that indicate malicious intent?"
  • Instantly correlates incoming attacks across multiple security agents
  • Automatically identifies important security incidents.
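The impact-analysis step above, and the attack-to-vulnerability correlation named on slide 18, come down to joining each alert against what a scan already knows about the target. The following Python is an added example of that join (not ISS Fusion code and not from the presentation): it classifies every alert as likely successful, not vulnerable, aimed at the wrong product, aimed at a closed port, or unknown, and attaches an automatic response so that only probable successes reach the on-call queue. The scan-record and alert layouts, the signature-to-vulnerability mapping, the response policy and all hosts and addresses are assumptions.

```python
"""Attack-to-vulnerability correlation ('was the attack successful?') over
constructed data. Added example, not ISS Fusion code; the scan-record and
alert layouts and the signature-to-vulnerability mapping are assumptions."""

# Constructed scan results keyed by target host (not real scanner output).
SCAN = {
    "10.1.1.10": {"services": {80: "IIS 5.0"},      "vulns": {"iis-unicode-traversal"}},
    "10.1.1.11": {"services": {80: "IIS 5.0"},      "vulns": set()},   # same server, patched
    "10.2.0.7":  {"services": {80: "Apache 1.3"},   "vulns": set()},
    "10.2.0.8":  {"services": {1434: "MSSQL 2000"}, "vulns": {"mssql-resolution-overflow"}},
}

# Assumed: what each IDS signature needs in order to succeed on the target.
SIGNATURES = {
    "HTTP_IIS_Unicode":  {"port": 80,   "product": "IIS",   "vuln": "iis-unicode-traversal"},
    "SQL_SSRS_Overflow": {"port": 1434, "product": "MSSQL", "vuln": "mssql-resolution-overflow"},
}

# Assumed response policy per outcome: block and page only for probable successes.
RESPONSE = {
    "likely-success": "block-source+page-oncall",
    "unknown":        "open-ticket",
    "not-vulnerable": "log-only",
    "wrong-product":  "log-only",
    "no-service":     "log-only",
}


def impact(alert, scan=SCAN, sigs=SIGNATURES):
    """Estimate the outcome of one alert from stored data about its target."""
    sig = sigs.get(alert["name"])
    host = scan.get(alert["dst"])
    if sig is None or host is None:
        return "unknown"          # unmapped signature or never-scanned host: keep for an analyst
    svc = host["services"].get(sig["port"])
    if svc is None:
        return "no-service"       # nothing listens on the attacked port
    if not svc.startswith(sig["product"]):
        return "wrong-product"    # e.g. an IIS exploit fired at Apache
    if sig["vuln"] in host["vulns"]:
        return "likely-success"   # service present and the scan found it vulnerable
    return "not-vulnerable"       # service present but already patched


def triage(alerts):
    """Attach outcome and automatic response to every alert."""
    out = []
    for a in alerts:
        verdict = impact(a)
        out.append({**a, "impact": verdict, "response": RESPONSE[verdict]})
    return out


def noise_reduction(alerts):
    """Fraction of alerts demoted to log-only, i.e. removed from the analyst queue."""
    rows = triage(alerts)
    return sum(1 for r in rows if r["response"] == "log-only") / len(rows)


# Constructed alerts (not sensor output): one source trying the same exploits
# against several hosts, including one the scanner has never seen.
ALERTS = [
    {"src": "203.0.113.5", "dst": "10.1.1.10", "name": "HTTP_IIS_Unicode"},
    {"src": "203.0.113.5", "dst": "10.1.1.11", "name": "HTTP_IIS_Unicode"},
    {"src": "203.0.113.5", "dst": "10.2.0.7",  "name": "HTTP_IIS_Unicode"},
    {"src": "203.0.113.5", "dst": "10.2.0.8",  "name": "SQL_SSRS_Overflow"},
    {"src": "203.0.113.5", "dst": "10.1.1.10", "name": "SQL_SSRS_Overflow"},
    {"src": "203.0.113.5", "dst": "10.9.9.9",  "name": "HTTP_IIS_Unicode"},
]


if __name__ == "__main__":
    for row in triage(ALERTS):
        print(f'{row["dst"]:10} {row["name"]:18} {row["impact"]:15} {row["response"]}')
    print(f"log-only share: {noise_reduction(ALERTS):.0%}")
```

The "unknown" outcome is deliberate: an alert against a host the scanner has never inventoried is not noise, it is a gap in the scan coverage, and routing it to a ticket rather than to log-only is what keeps the correlation honest. The correlation is also only as fresh as the last scan, so a host patched since then still reads as vulnerable until it is rescanned.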

46
RealSecure Security Fusion 2.0 - Available May 2003
Attack Impact
47
RealSecure Security Fusion 2.0 - Available May 2003
Attack Pattern
48
RealSecure Security Fusion 2.0 - Available May 2003
  • Dramatically reduces the noise from false positives and unsuccessful attacks
  • Immediately augments overwhelmed security staff with deep knowledge of attack patterns, built and supported by X-Force
  • Provides a continuous feedback loop for measuring risk, detecting threats, and triggering appropriate levels of protection and response
  • Allows organizations to move security from panic to protection
  • Speed, accuracy, lower TCO

49
RealSecure SiteProtector & Fusion
50
What Else Is New ?
51
What Else Is New ?
  • RealSecure Desktop Protection 3.6
  • RealSecure Guard 3.6
  • RealSecure WorkGroup Manager 6.7
  • RealSecure for Crossbeam
  • RealSecure for Nokia
  • RealSecure Network Sensor for Solaris
  • RealSecure Server Sensor 7.0 on HPUX

52
What Else Is Coming Soon ?
  • RealSecure Network Sensor for Solaris
  • RealSecure Server Sensor 7.0 on HPUX

53
Enterprise Protection
  • Volker Pampus
  • Managing Director, Germany

54
Requirements and Objectives
Security management
Attack and defence management
Vulnerability management
Evolution toward integrated, dynamic security management solutions
Isolated product solution
Integrated security solution
55
Enterprise Protection
Audit
Laws / guidelines
CEO / management
Are we secure?! What do we have to do?
KonTraG, AktG, HGB, Basel II, BSI, BS 7799, ISO 17799, GSH
  • Definition of guidelines
  • Implementation
  • Compliance
  • Deviations

CIO / IT responsibility
  • Design
  • Solution
  • Protection

Operational security: specialist responsibility / expert
Security concept
56
CEO / Management
  • Information needs
  • Monthly report
  • Quarterly report
  • Half-year report
  • Annual report
  • Budget planning
  • Content
  • Simple, fast, understandable and comprehensive
  • Status and change
  • Compliance with laws and guidelines
  • Measures
  • Notable events

CEO report
57
Operational Security / Experts
  • Monitoring of systems
  • Vulnerability analysis
  • Attack/defence management
  • Correlation analysis
  • Critical systems
  • Automation
  • Continuous optimisation

58
Audit
  • Independent assessment of security
  • Access to the analysis, subject to authorisation
  • Individual options for analysis
  • Report
  • Recommendations
  • Continuous optimisation

59
Enterprise Protection - Phase Model
Attack detection and defence
Automation
Organisation
Correlation
[Questionnaire form: company, street, postcode, city]
Security management
Top 20 vulnerabilities
60
ISS Protection Solutions
61
Questions for a Security Management System
  • Which vulnerabilities exist in our IT infrastructure?
  • Which attacks are being made on our IT infrastructure?
  • Which attacks have been made on existing vulnerabilities in our IT infrastructure?

62
In Concrete Terms
Questionnaire (company, street, postcode, city)
Security Status Report (company, street, postcode, city)