1. Anatomy of a CERT
Gordon Love
Regional Director for Africa
March 2010
2. Agenda
• The African landscape is changing
• Why do we need a CERT – Threat Landscape
• Steps in building a CERT
• The role of a CSIRT
• Q&A
Symantec DeepSight Early Warning Services 8.0
4. Lessons Learned – increased broadband capacity
• Africa is currently upgrading its broadband infrastructure
• Malicious activity increases in countries with rapidly emerging Internet infrastructures
• Malicious activity usually affects computers connected to high-speed broadband Internet, because such connections are attractive targets for attackers
• With cheaper and faster Internet, more Africans will be “always-on” or continually connected
• Many of these will be “new” Internet users who are not security-savvy
6. Symantec Security Response – How do we know?
Symantec Response Labs and Secure Operations Centers (map): Dublin, Ireland; Calgary, Canada; Waltham, MA; American Fork, UT; Alexandria, VA; Redwood City, CA; Newport News, VA; Santa Monica, CA; London, England; Tokyo, Japan; San Antonio, TX; Berlin, Germany; Sydney, Australia
Symantec monitored countries: over 25,000 registered data partners from over 180 countries
2002 Symantec Corporation, All Rights Reserved
Rapid Detection
• Attack Activity: 240,000 sensors; 200+ countries; global coverage
• Malware Intelligence: 130M client, server and gateway systems monitored
• Vulnerabilities: 32,000+ vulnerabilities; 11,000 vendors; 72,000 technologies
• Spam/Phishing: 2.5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
11. Kenya review
Analyst Opinion
In Kenya, the IT market reached a value of $352.7 million and is expected to grow, albeit slowly, at 6.1% in 2009 to reach $374.0 million. Over a five-year period, IDC forecasts that the market will increase at a CAGR of 14.6% to reach $615.9 million by 2012.
12. ISTR XIV Key Trends
Threat Landscape
• Web-based malicious activity has accelerated: the web is the primary vector for malicious activity; attackers target reputable, high-traffic websites
• Cyber criminals want YOUR information: focus on exploits targeting end-users for financial gain
• Increased sophistication of the Underground Economy: well-established infrastructure for monetizing stolen information
• Rapid adaptation to security measures: relocating operations to new geographic areas; evading traditional security protection
* Symantec Internet Security Threat Report, Volume XIV
13. Highlights
Key Trends – Global Activity
• Threat Activity: data breaches can lead to identity theft; theft and loss were the top cause of data leakage for overall data breaches and identities exposed; threat activity increases with growth in Internet/broadband usage
• Vulnerabilities: documented vulnerabilities up 19% (5,491); top attacked vulnerability: the one exploited by Downadup; 95% of vulnerabilities attacked were client-side
• Malicious Code: Trojans made up 68 percent of the volume of the top 50 malicious code samples; 66% of potential malicious code infections propagated as shared executable files
• Spam/Phishing: 76% of phishing lures target financial services (up 24%); 55,389 phishing website hosts detected (up 66%); a 192% increase in spam detected across the Internet, with 349.6 billion messages; 90% of spam email distributed by bot networks
* Symantec Internet Security Threat Report, Volume XIV
22. How do we respond at a Regional / National level…
23. Objectives of a CERT
• Enhance information security awareness
• Build national expertise in information security, incident management and computer forensics
• Enhance the cyber security law and assist in the creation of new laws
• Provide a central trusted point of contact for cyber security incident reporting
• Establish a national centre to disseminate information about threats, vulnerabilities, and cyber security incidents
• Foster the establishment of and provide assistance to sector-based Computer Security Incident Response Teams (CSIRTs)
• Coordinate with domestic and international CSIRTs and related organizations
• Become an active member of recognized security organizations and forums
26. CERT Framework – Mandate, Charter & Constituents
(Framework diagram; labels recovered from the slide)
FUNCTIONALITY – CERT framework designed and implemented:
• Mandate and charter
• Global CERT affiliations
• Constituents and strategic partnerships
• Constituent identification and classification
• Service offerings
STRUCTURE / DELIVERY:
• Constituent campaigning and memberships
• Phased delivery of services
• Mutually beneficial alliances established
Outcome: constituent database with defined roles and responsibilities in place, equipped to leverage strategic partnerships and affiliations
Emerging FY '11 Planning – Information Security Through Committed Partnership
27. Constituent Tier System
• TIER 1 – damage to which would cause critical harm to the critical information infrastructure. For example: regulated electronic communications providers; federal ministries responsible for the critical national infrastructure; national security organizations
  – Government departments with direct responsibility for an area of CNI
  – Providers of communications infrastructure
  – National security
  – Must have incident response capability
• TIER 2 – damage to which would cause serious harm to the critical information infrastructure. For example: providers of utilities and other parts of the critical infrastructure such as banking
  – Providers of CNI services
  – Government departments not involved in CNI
  – Must have incident response capability
• TIER 3 – damage to which would cause some harm to the critical information infrastructure. For example: other government departments, agencies, councils and commissions; logistics and transport providers
  – General commerce
  – Other government departments
  – Special councils & commissions
• PUBLIC – all other sectors and the wider public
  – General public
  – Anyone not covered in Tiers 1 – 3
35. Objectives
Why is it important ?
Benefits of CSIRT
• Relevant & timeous security data aggregated into one location
• 24 x 7 x 365 Real-time response capability
• Coordination of preventative and response actions
• Reduced complexity/cost through standardisation / integration
• In-depth reporting at strategic, tactical and operational level
• Compliance with governance / regulatory requirements
• Business continuity
• Customer confidence & brand protection
• Improved accountability and management efficiencies
36. Find the right information
• Millions of security alerts per day, only a few are relevant
– Filtering, aggregation, prioritisation, …
• Find one needle in a needle stack!
37. Aggregation and Correlation
(Pyramid diagram, bottom to top; labels recovered from the slide)
• Security Data – 10,000,000’s: raw log data
  2. Event detection: IDS, VA, firewall, policy and vulnerability scans
• Events – 1,000,000’s: aggregated event data; dispersed; heterogeneous
  1. Analytics: correlation, threat and business impact ratings
• Incidents – 100’s: prioritized lists; actionable items; CIA business impact ratings
38. Incident NOT Event!
Event: the smallest unit of security information. Can be positive, negative or informational.
Incident: a collection of events grouped together to form a single unit that requires actions from identification to closure.
39. Incident Prioritisation and Allocation
Priorities:
• As incidents are formed they are automatically prioritised.
• Prioritisation is based on the business impact of each encompassed event on the system.
Business impact is based on:
• Confidentiality
• Integrity
• Availability
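The pipeline described on slides 37 to 39, as an added example (not code from the original deck): a few constructed log lines are normalised into events, negative events on the same asset are correlated into incidents, and each incident is scored from the confidentiality, integrity and availability ratings of the asset it touches. Sensor names, log formats, the asset register and the scoring formula are assumptions made for this example.

```python
"""Raw security data -> events -> prioritised incidents (slides 37-39).

Added example, not code from the original deck. Sensor names, log formats,
asset ratings and the scoring formula are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed raw log lines from three hypothetical sensors: a firewall,
# a network IDS and an anti-virus agent. Addresses are documentation ranges.
RAW_LOGS = [
    "2010-03-01T10:00:01 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=445",
    "2010-03-01T10:00:03 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=139",
    "2010-03-01T10:00:05 ids01 ALERT sev=high src=198.51.100.7 dst=10.0.0.5 msg=SMB_EXPLOIT_ATTEMPT",
    "2010-03-01T10:00:09 av01 DETECT host=10.0.0.5 threat=W32.Downadup action=quarantined",
    "2010-03-01T10:02:00 fw01 ALLOW src=192.0.2.10 dst=10.0.0.9 dport=443",
    "2010-03-01T10:30:00 ids01 ALERT sev=low src=203.0.113.4 dst=10.0.0.9 msg=HTTP_SCANNER_UA",
]

# Constructed asset register: business impact per CIA dimension, 1 (low) to 5 (critical).
ASSETS = {
    "10.0.0.5": {"name": "payroll-db", "C": 5, "I": 5, "A": 3},
    "10.0.0.9": {"name": "public-web", "C": 2, "I": 3, "A": 4},
}
UNKNOWN_ASSET = {"name": "unregistered", "C": 1, "I": 1, "A": 1}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
KV = re.compile(r"(\w+)=(\S+)")


def normalise(line):
    """Step 2 (event detection): one raw record -> one uniform event dict.

    Each event is tagged informational or negative (slide 38); only negative
    events can become part of an incident.
    """
    ts, sensor, kind, rest = line.split(" ", 3)
    fields = dict(KV.findall(rest))
    event = {
        "ts": datetime.fromisoformat(ts),
        "sensor": sensor,
        "kind": kind,
        "src": fields.get("src"),
        "asset": fields.get("dst") or fields.get("host"),
        "detail": fields.get("msg") or fields.get("threat") or fields.get("dport"),
    }
    if kind == "ALLOW":
        event["polarity"], event["severity"] = "informational", 0
    elif kind == "DENY":
        event["polarity"], event["severity"] = "negative", SEVERITY["low"]
    elif kind == "ALERT":
        event["polarity"], event["severity"] = "negative", SEVERITY[fields["sev"]]
    elif kind == "DETECT":
        # Malware on the host is negative even though the AV action succeeded.
        event["polarity"], event["severity"] = "negative", SEVERITY["high"]
    else:
        raise ValueError(f"unknown record type {kind!r} from {sensor}")
    return event


def correlate(events, window=timedelta(minutes=5)):
    """Step 1 (analytics): negative events on the same asset, each within
    `window` of the previous one, form a single incident."""
    incidents, open_by_asset = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["polarity"] != "negative":
            continue
        inc = open_by_asset.get(ev["asset"])
        if inc is None or ev["ts"] - inc["events"][-1]["ts"] > window:
            inc = {"asset": ev["asset"], "events": []}
            incidents.append(inc)
            open_by_asset[ev["asset"]] = inc
        inc["events"].append(ev)
    return incidents


def prioritise(incidents, assets=ASSETS):
    """Slide 39: score = worst event severity x (C + I + A) of the asset."""
    for inc in incidents:
        asset = assets.get(inc["asset"], UNKNOWN_ASSET)
        inc["name"] = asset["name"]
        inc["cia"] = asset["C"] + asset["I"] + asset["A"]
        inc["priority"] = max(e["severity"] for e in inc["events"]) * inc["cia"]
        inc["sources"] = sorted({e["src"] for e in inc["events"] if e["src"]})
        inc["sensors"] = sorted({e["sensor"] for e in inc["events"]})
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


def run(lines=RAW_LOGS):
    """Whole pyramid: raw lines -> events -> correlated, prioritised incidents."""
    return prioritise(correlate([normalise(line) for line in lines]))


if __name__ == "__main__":
    for inc in run():
        print(f"P{inc['priority']:>3} {inc['name']:<12} {len(inc['events'])} events "
              f"via {','.join(inc['sensors'])} from {inc['sources'] or ['(local)']}")
```

Six raw lines collapse to two incidents: the port probes, IDS alert and AV detection against the payroll host become one high-priority incident with a single source address, the allowed HTTPS session stays an informational event and never reaches the incident layer, and the low-severity scanner signature against the web server lands at the bottom of the queue.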
40. A Comprehensive Solution
• Multi-vendor security systems generate overwhelming numbers of raw logs, events and alerts
• Security professionals analyze and evaluate the results
• Security analysts, through the Secure Interface, keep in constant touch with their assigned clients, with proactive commentary and recommendations on threats impacting their network
(Diagram: Vulnerability Mgmt., AV/Filtering, IDS and Firewalls feeding the Security Analyst)
41. Typical Design
What does it look like?
(Architecture diagram; labels recovered from the slide)
• CSIRT Security Operations Centre
• Users / stakeholders: staff, suppliers, customers, investors; endpoints: mobile, PDA, laptop, computer
• External stakeholders: law enforcement, regulators, intelligence, government, strategic security partners
• Inputs: vulnerability assessment service; global intelligence feed; pentest / audit process; business intelligence systems; regional data feeds; specialist resources; CIS
• Monitored infrastructure: storage, firewall, identity management, file, gateway, routers, other content, e-mail, network IPS, hubs, anti-virus, trading, host systems, DB, endpoint, web, messaging, security
• SOC technology platform and SOC central processes: monitoring and analysis; incident management; remediation; mitigation; escalation; analysis; reporting; change management; problem management; policy; compliance; operational support; business support; specialist process; process dashboard
• Layers: security control layer; enterprise infrastructure layer; applications layer; IT operations layer; server layer
• Deployment chart: phases 1 – 5 across departments 1 – 6 (cabling through host systems)
Supporting processes, procedures and standards across infrastructure, services, users and technologies are required to deliver a fully integrated security enterprise management function.
42. Requirements
What are the Key Success Factors?
Key Components for Building a CSIRT
• Infrastructure supporting technologies
• Data and intelligence sources
• Specialist skills and capacity
• Best practice policies and processes
• Partnership and stakeholder management
43. Security Operations Centre
(SOC architecture diagram; labels recovered from the slide)
• Response console
• Security Operations Centre (SOC): expert system and anomaly query engine; continuous data mining process; security analysts’ analysis
• Secure interface over relational DB infrastructure
• Import facilities: authenticate; encrypt; verify; normalize
• Connectivity: Internet / VPN
• Sources: firewalls; IDS; AV/content; vulnerability scanning; policy compliance
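The import facilities on the SOC diagram (authenticate, verify, normalize), as an added example that is not code from the original deck: each sensor tags its batch with an HMAC-SHA256 over a canonical encoding plus a per-sensor sequence number, and the SOC side drops batches from unknown sensors, batches modified in transit and replayed batches before vendor field names are mapped onto the common schema. The keyed-hash scheme, sensor IDs, secrets and record formats are assumptions; the encrypt step (the VPN link on the slide) is not reproduced here.

```python
"""Authenticate and verify sensor batches before they reach the SOC database.

Added example, not code from the original deck. The keyed-hash scheme,
sensor IDs, secrets and record formats are assumptions; transport
encryption (the VPN on the slide) is out of scope here.
"""
import hashlib
import hmac
import json

# Constructed per-sensor shared secrets, assumed to be provisioned out of band.
SENSOR_KEYS = {
    "fw01": b"constructed-secret-for-fw01",
    "ids01": b"constructed-secret-for-ids01",
}

# Vendor-specific field names mapped onto the SOC schema (assumed aliases).
FIELD_ALIASES = {"srcip": "src", "source": "src", "dstip": "dst", "dest": "dst",
                 "act": "action", "signature": "message"}


def canonical(batch):
    """Deterministic bytes for a batch so sender and receiver MAC identical input."""
    return json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()


def sign_batch(sensor, seq, records, keys=SENSOR_KEYS):
    """Sensor side: bind identity, sequence number and records under one tag."""
    batch = {"sensor": sensor, "seq": seq, "records": records}
    tag = hmac.new(keys[sensor], canonical(batch), hashlib.sha256).hexdigest()
    return {"batch": batch, "tag": tag}


class ImportFacility:
    """SOC side: authenticate, verify, then normalise; anything else is rejected."""

    def __init__(self, keys=SENSOR_KEYS):
        self.keys = keys
        self.last_seq = {}   # highest sequence number accepted per sensor
        self.rejected = []   # (sensor, seq, reason) audit trail

    def verify(self, message):
        batch, tag = message["batch"], message["tag"]
        sensor, seq = batch.get("sensor"), batch.get("seq")
        key = self.keys.get(sensor)
        if key is None:
            return self._reject(sensor, seq, "unknown sensor")
        expected = hmac.new(key, canonical(batch), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return self._reject(sensor, seq, "tag mismatch")
        # Sequence numbers must strictly increase, which blocks replay of an old batch.
        if not isinstance(seq, int) or seq <= self.last_seq.get(sensor, 0):
            return self._reject(sensor, seq, "replayed or stale sequence")
        self.last_seq[sensor] = seq
        return [self.normalise(sensor, record) for record in batch["records"]]

    def _reject(self, sensor, seq, reason):
        self.rejected.append((sensor, seq, reason))
        return None

    @staticmethod
    def normalise(sensor, record):
        """Rename vendor fields to the common schema and stamp the sensor identity."""
        out = {"sensor": sensor}
        for key, value in record.items():
            out[FIELD_ALIASES.get(key, key)] = value
        return out


def demo():
    """One accepted batch and three rejections; returns what the SOC saw."""
    soc = ImportFacility()
    rec = {"srcip": "198.51.100.7", "dstip": "10.0.0.5", "act": "deny"}
    good = sign_batch("fw01", 1, [rec])
    accepted = soc.verify(good)
    tampered = sign_batch("fw01", 2, [dict(rec)])
    tampered["batch"]["records"][0]["act"] = "allow"   # modified after signing
    tampered_result = soc.verify(tampered)
    replayed_result = soc.verify(good)                  # seq 1 presented again
    rogue = {"batch": {"sensor": "ids99", "seq": 1, "records": []}, "tag": "00"}
    rogue_result = soc.verify(rogue)
    return accepted, tampered_result, replayed_result, rogue_result, soc.rejected


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The tag is checked with a constant-time comparison before anything is trusted, the sequence check keeps a captured batch from being fed back in later, and the rejection list is kept as its own audit trail so that a sensor that starts failing verification is itself visible to the analysts.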
44. Implementation
Where do we start ?
Decide on the basic delivery model
In-Sourced
Outsourced
Co-Sourced
Virtual Extension Model
On-site Managed Security Support
45. Deliverables
What will the CSIRT deliver ?
Top-10 functions of the CSIRT SOC
Proactive vulnerability scanning
Analysis of Global Threat Intelligence
Communication of Alerts/Advisories
Compliance monitoring / management
Incident response & remediation
BCM / DR support & validation
Vulnerability management
Forensic support / Logging
Collaboration & Awareness (Law/ISP)
Report Generation & Dashboard
46. Partnership
Who can help us achieve this?
Symantec Value Proposition
• People: world-class engineering staff; industry-leading Security Response team; unparalleled SOC expertise
• Process: globally consistent operational execution; ITIL best practices; transparent, measurable, auditable process for continual improvement
• Technology: market-leading correlation; proven scalability; breadth of device support; secure web portal to provide clarity into your security posture