SIEM - centralnervesystemet i indsamling og generering af it-indsigt

Transkript

1 SIEM - centralnervesystemet i indsamling og generering af it-indsigt Jacob Herbst, CTO, Dubex A/S Aarhus, den 8. maj 2014

2 Hvad skal vi have ud af dette indlæg? Mine tre mål med dette indlæg: 1. Forklare dele af det aktuelle trusselsbillede, hvordan hackere arbejder og give jer indsigt i nogle af de metoder de benytter 2. Formidle hvorfor overvågning er et krav for et ordentligt sikkerhedsniveau 3. Hvordan man kan komme i gang med overvågning Disclaimer: Sikkerhed er et meget stort emneområde som er i konstant forandring. I løbet af de næste 30 minutter når vi højst at skrabe en lille smule i overfladen.

3 Sikkerhedstendenser Udfordrende trusselsbillede APT-angreb Dag-0-angreb Polymorfisk angreb Målrettede angreb Avanceret infrastruktur Konvergens på IP-netværk Virtualisering Mobile enheder Organizations face an evolving threat scenario that they are ill-prepared to deal with.advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems. Øget kompleksitet Sikkerhed er komplekst Flere opgaver Manglende interne ressourcer og kompetencer Angreb bliver mere komplekse og hyppige Information er blevet strategisk Vores virksomheder bygger på information Kommunikation er vital Dataeksplosion Big data

4

5 Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It By Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack March 13, 2014 The biggest retail hack in U.S. history wasn t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target s (TGT) security and payments system designed to steal every credit card used at the company s 1,797 U.S. stores. At the critical moment when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe the malware would step in, capture the shopper s credit card number, and store it on a Target server commandeered by the hackers. It s a measure of how common these crimes have become, and how conventional the hackers approach in this case, that Target was prepared for such an attack. Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target s security operations center in Minneapolis would be notified. On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data s escape route. As they uploaded exfiltration malware to move stolen credit card numbers first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then Nothing happened. For some reason, Minneapolis didn t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information gushed out of its mainframes.

6 Target CEO Steinhafel to Step Down Following Data Breach By Lindsey Rupp and Lauren Coleman-Lochner - May 5, 2014 The data breach was the last straw for Target Corp. (TGT) Chief Executive Officer Gregg Steinhafel. After last year s hacker attack compromised the personal data of millions of shoppers and added to the retail chain s woes, the board replaced Steinhafel as chairman and CEO today, saying the time was right for new leadership. John Mulligan, Target s chief financial officer, will serve as interim CEO while the company seeks a permanent chief, according to a statement. Board member Roxanne Austin, a former DirecTV executive, will be interim chairwoman. Steinhafel, a 35-year Target employee, was already under scrutiny for lagging rivals in e-commerce and overseeing a Canadian expansion that lost almost $1 billion last year. The pressure mounted over the holiday season, when hackers overcame Target s defenses and stole shoppers personal information. Failure isn t one big mistake -- failure is lots of small mistakes that added up to a big mistake, said Les Berglass, founder and CEO of Berglass & Associates, a New York-based executive-search firm. Bloomberg Businessweek reported in March that Target had ignored warnings from its hacker-detection tools, missing an opportunity to stop the attack sooner. The breach compromised 40 million credit card numbers -- along with 70 million addresses, phone numbers and other pieces of information. Sales Decline After the attack became public in December, Target s reputation and foot traffic took a hit. The Minneapolis-based company s U.S. comparable-store sales decreased 2.5 percent in the fourth quarter. Target replaced its top technology executive in the wake of the breach.

7 APT Advanced Persistent Threats Typisk forløb for et APT-baseret angreb Phishing angreb Zero-day angreb Trojansk hest Interne sårbarheder Dataindsamling Dataudtræk En række brugere modtager målrettet phising-mail Bruger åbner vedlagt fil eller tilgår link Brugerens maskine inficeres med malware - Trojanskhest Angriberen udnytter sårbarheder til at få flere rettigheder Data samles sammen og gøres klar til at blive hentet Krypterede data sendes fx via ftp til et eksternt kompromitteret system

8 Hvorfor lykkes angreb? Angrebene anvender overbevisende social engineering-metoder Udnytter eksempelvis information fra sociale netværk Mangelfuld Endpoint-sikkerhed - værktøjer er ikke brugt effektivt Brugerne har for mange rettigheder De fleste angreb er baseret på udnyttelse af simple metoder Svage passwords, sårbarheder m.m. Angreb udnytter hullerne mellem sikkerhedsmekanismerne Manglende integration og intelligens på tværs af værktøjer Angrebstrafik minder om normal netværkstrafik Udnytter de åbninger til fx webtrafik, der er i vores infrastruktur

9 Tidslinje Advanced Persistent Threats Udfordringer - angreb og metoder Synlige Slørede Kompromittering er vanskeligt at detektere Sløringsteknikker til at undgå afsløring Angreb rettet gennem perimeter Truslerne er web-baserede Udbredelsen af netværk overalt gør opdagelse endnu vanskeligere Angreb rettet mod slutbrugere Indirekte angreb på klienter Angreb rettet mod sociale netværk Slutbrugeren bliver narret af social engineering Indirekte angreb via betroede eksterne tredjeparter Sårbarheder i software gør det bare endnu nemmere at narre slutbrugerne Sårbarheder og avancerede dag-0- angreb Hurtig udnyttelse af sårbarheder Misbrug af ukendte sårbarheder - dag-0 Tidligere Kendte sårbarheder Brede Engangsangreb APT Ukendte dag-0 sårbarheder Målrettede Vedholdende 66% af kompromitteringerne opdages først efter flere måneder Avancerede 36% af kompromitteringerne er først fjernet flere uger efter opdagelse

10 Angreb opdages langsomt og tilfældigt Opdagelse af angreb - hastighed Opdagelse af angreb - hvordan 82% 66% af alle organisationer var flere måneder eller år om at opdage det initiale indbrud af alle hændelser blev opdaget af eksterne 12% af alle hændelser blev tilfældigt opdaget internt Percent of breaches that remain undiscovered for months or more Kun 6% af alle hændelser blev aktivt opdaget internt så det normale er, at der efter nogle måneder kommer nogle eksterne og fortæller, at vi er blevet hacket

11 Reaktionstid Hvor lang tid skal det tage at opdage et succesfuldt angreb? Planlæg efter at succesfulde angreb vil finde sted også for dig! Behov for værktøjer, så vi med det samme selv kan opdage hændelserne Reducer risiko og omkostninger dramatisk ved at reducere den tid det tager at opdage et indbrud og den tid det tager for en effektiv respons Hvor lang tid tager det at handle fra det tidpunkt et problem opdages? Incident response er nødt til at være en del af processen HUSK - Beskyttelse er stadig vigtig - Fokus på de banale kontroller If not the most, this must be one of the most important challenges to the security industry. Prevention is crucial, and we can t lose sight of that goal. But we must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense. Let s stop treating it like a backup plan if things go wrong, and start making it a core part of the plan.

12 Overvågning - udfordringen med logning Server and Desktop OS Firewalls/ VPN Directory Services Physical Infrastructure IPS/IDS Identity Management System Health Information Network Equipment Vulnerability Assessment Alle hændelser bliver som regel logget et eller andet sted Overvældende antal logs Sikkerhedsfunktioner er oftest ø-opbygget Behov for logs fra alle typer systemer Ugelange manuelle undersøgelser ved hændelser Massive false positives Heterogene konsoller Mange forskellige formater De kritiske events går tabt og bliver overset i mængden og de fleste angreb eller fejlkonfigurationer går oftest fuldstændigt uset hen. Anti-Virus Databases Applications?

13 Security information and event management SIEM - Security Information and Event Management Udtrykket "SIEM" blev opfundet af Mark Nicolett og Amrit Williams (Gartner Analytikere) i 2005 SIEM-teknologien giver real-time overvågning af sikkerhedshændelser på netværksenheder, systemer og applikationer SIEM (Security information and event management ) is a combination of two different types of technologies: SIM (Security Information Management) Focuses on log collection and report generation Log management the collection, reporting and analysis of log data (primarily from host systems and applications, and secondarily from network and security devices) Regulatory compliance reporting, internal threat management and resource access monitoring. SIM supports the privileged user and resource access monitoring activities of the IT security organization, and the reporting needs of the internal audit and compliance organizations. SEM (Security Event Management) Analyzes events in real-time using event correlation and alerting mechanism Log and event data from security devices, network devices, systems and applications in real time, to provide security monitoring, event correlation and incident response. SEM supports the external and internal threat monitoring activities of the IT security organization, and improves incident management capabilities.

14 Grundlæggende funktioner i et SIEM-system Server and Desktop OS Firewalls/ VPN Directory Services Physical Infrastructure SIM (Security Information Management) SEM (Security Event Management) IPS/IDS Identity Management System Health Information Network Equipment Normalisering Kategorisering Rapportering Korrelering Alarmer Hundrede: Korrelerede events Vulnerability Assessment Anti-Virus Tusinder: Sikkerhedsrelevante events Databases Applications Millioner: Rå events

15 Udfordringer ved SIEM-systemer First, Second and Third Most Challenging Aspects of Log Management and Integration Kilde: Sorting Through the Noise, SANS

16 Udfordringer - Difficulties in Using Logs Kilde: Sorting Through the Noise, SANS

17 SIEM - udviklingen til Security Intelligence Security Intelligence Næste evolution Prediktive løsning Network Activity & Behavior Automatic Discovery Offense advisering Security Intelligence Forensics Adfærdsanalyse SIEM Det næste skridt Aktiv løsning Incident advisering Event korrellering Bruger kontekst Log Management Imødekomme minimum standarder for compliance Indsamling Storage Søgning Compliance Reporting Log Management

18 Fra reaktiv sikkerhed til proaktiv sikkerhed Revider, patch og bloker Tænk som en forsvarer, defense-in-depth mindset Beskyt alle aktiver Læg vægt på perimeteren Patch systemerne Brug signaturbaserede løsninger Scan endpoints for malware Hold dig opdateret Indsaml logfiler Foretag manuelle interviews Luk systemerne Spor, analyser og udbedr Tænk som en angriber, counter intelligence mindset Beskyt de mest værdifulde aktiver Læg vægt på beskyttelse af data Styrk potentielle mål og svage led Anvend sporing af uregelmæssigheder Baseline system adfærd Anvend threat feeds Indsaml alt Automatiser korrelation og analyse Indsaml og bevar beviser

19 Security Intelligence: Next-Generation SIEM Server and Desktop OS Firewalls/ VPN Directory Services Physical Infrastructure Security Intelligence Information Sårbarheder Geo-lokation Trusler IPS/IDS Identity Management System Health Information Network Equipment Vulnerability Assessment Normalisering Kategorisering Rapportering Enheder Sårbarheder Korrelering Baseline Troværdighed Lokation Threats Geo Alarmer Få mistænkelige hændelser Anti-Virus Databases Applications Inventory Brugere Konfiguration Netflow Analyse og Big Data

20 Modenhed i forhold til Security Intelligence Værdi Næsten realtidsmonitorering af sikkerhedsinformationer Security Intelligence Logs indsamles og gennemlæses dagligt (forsinket monitorering) Logs indsamles og rapporter gennemlæses hver måned Logs indsamles og læses I tilfælde af hændelser Logs indsamles og gemmes, men bliver aldrig brugt Logs bliver ikke indsamlet eller genoprettet Modenhed

21 Kom i gang med Security Intelligence Set Scope Compliance: Log management Compliance reporting Security Threat monitoring Incident response Define Requirements Data collection Data retention Reporting Event management Design Environmental assessment Determine audit levels Measure event rates Design collection and event management Incident response and remediation process design Select Develop RFI Evaluate vendors Select technology Deploy Proof of concept Deploy log management Enable logging Activity reports Incident response Real-time monitor Exception reports Broaden scope Kilde: Garnter - How to Deploy SIEM Technology

22 Konklusion Security Intelligence vil fungere og vil give værdi Men det kræver - både initialt og over tid - ressourcer, fokus og engagement Husk kravspecifikation Hold fokus på, hvilke problemer du forsøger at løse med et Security Intelligence-system Byg din EGEN sag og KPI er f.eks.: Hurtigere reaktion på hændelser Forbedret effektivitet Automatisering af compliance processer Trinvis tilgang med fokus på "quick wins Tænk stort start småt Løbende tilpasning til organisationen miljø og øvrige krav Teknikken er vigtig, men processerne er vigtigst for at det giver værdi Gør det operationelt vær klar til at reagere Systemet har ikke værdi før procedurerne for håndtering af hændelser er på plads

23 TAK! For mere information kontakt