Anatomy of a CERT
Gordon Love
Regional Director for Africa
March 2010
Agenda
• The African landscape is changing
• Why do we need a CERT – Threat Landscape
• Steps in building a CERT
• The role of a CSIRT
• Q&A

Symantec DeepSight Early Warning Services 8.0
Africa is Changing….
Broadband Capacity Increases
[Figure: map of broadband capacity increases across Africa]
Lessons Learned – increased broadband capacity
• Africa is currently updating its broadband infrastructure
• There is an increase in malicious activity in countries with rapidly emerging Internet infrastructures
• Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers
• With cheaper and faster Internet, more Africans will be “always-on” or continually connected
• There will be many “new” internet users that are not security-savvy
What do we need to protect against…
Symantec Security Response – How do we know?
[Figure: world map of Symantec Response Labs, Secure Operations Centers and monitored countries]
Symantec Response Lab / Symantec Secure Operations Center locations: Dublin, Ireland; Calgary, Canada; Waltham, MA; American Fork, UT; Alexandria, VA; Redwood City, CA; Newport News, VA; Santa Monica, CA; London, England; Tokyo, Japan; San Antonio, TX; Berlin, Germany; Sydney, Australia
Symantec Monitored Countries: over 25,000 registered data partners, from over 180 countries
2002 Symantec Corporation, All Rights Reserved

Rapid Detection
Attack Activity
• 240,000 sensors
• 200+ countries
Malware Intelligence
• 130M client, server, gateways monitored
• Global coverage
Vulnerabilities
• 32,000+ vulnerabilities
• 11,000 vendors
• 72,000 technologies
Spam/Phishing
• 2.5M decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day
IWECA Presence
[Figure: map of Symantec presence in IWECA; legend: Symantec Resource, Distributor, Reseller]
IDC Adjusted Market Potential Ranking
1. Angola
2. Nigeria
3. Kenya
4. Uganda
5. Tanzania
6. Mauritius
7. Ethiopia
8. Botswana
9. Ghana
10. Namibia
Economic Growth 2008
Country Ranking by Economic Growth (%) 2008
1. Angola: 21.4
2. Ethiopia: 8.4
3. Uganda: 6.4
4. Tanzania: 7.2
5. Kenya: 4.4
6. Nigeria: 7.5
7. Ghana: 6.3
8. Mauritius: 5.8
9. Namibia: 5.5
10. Botswana: 4.4
Ranking by IT Spend PC 2008
Country Ranking by IT Spend ($m) Per Capita 2008
1. Mauritius: 74.26
2. Botswana: 66.02
3. Namibia: 39.42
4. Angola: 18.46
5. Kenya: 9.14
6. Ghana: 7.93
7. Nigeria: 7.11
8. Tanzania: 3.75
9. Uganda: 2.74
10. Ethiopia: 1.76
IDC Predicted ICT Growth
[Figure: IDC predicted ICT growth chart]
Kenya review
[Figure: Kenya IT market chart]
Analyst Opinion
In Kenya, the IT market reached a value of $352.7 million and is expected to grow, albeit slowly, at 6.1% in 2009 to reach $374.0 million. Over a five-year period, IDC forecasts that the market will increase at a CAGR of 14.6% to reach $615.9 million by 2012.
ISTR XIV Key Trends
Threat Landscape
Web-based malicious activity has accelerated
• Primary vector for malicious activity
• Target reputable, high-traffic websites
Cyber criminals want YOUR information
• Focus on exploits targeting end-users for financial gain
Increased sophistication of the Underground Economy
• Well-established infrastructure for monetizing stolen information
Rapid adaptation to security measures
• Relocating operations to new geographic areas
• Evade traditional security protection

* Symantec Internet Security Threat Report, Volume XIV
Highlights
Key Trends – Global Activity
Threat Activity
• Data breaches can lead to identity theft
• Theft and loss top cause of data leakage for overall data breaches and identities exposed
• Threat activity increases with growth in Internet/Broadband usage
Vulnerabilities
• Documented vulnerabilities up 19% (5491)
• Top attacked vulnerability: Exploits by Downadup
• 95% vulnerabilities attacked were client-side
Malicious Code
• Trojans made up 68 percent of the volume of the top 50 malicious code
• 66% of potential malicious code infections propagated as shared executable files
Spam/Phishing
• 76% phishing lures target Financial services (up 24%)
• Detected 55,389 phishing website hosts (up 66%)
• Detected 192% increase in spam across the Internet with 349.6 billion messages
• 90% spam email distributed by Bot networks

* Symantec Internet Security Threat Report, Volume XIV
New Threat Landscape
[Figure: chart of Number of New Threats (y-axis) against Period (x-axis)]
• 1177% increase in malware since 2006
• 2/3 of malicious code created in 2008
• In 2000: 5 detections a day; in 2007: 1431 detections a day; in 2009: 15 000+ detections a day
• 192% growth in spam from 2007 to 2008
• In 2008, Symantec documented 5,471 vulnerabilities, 80% of which were easily exploitable
• 90% of incidents would not have happened if systems had been patched
• In 2008 we found 75,000 active bot-infected computers per day, up 31% from 2007
Copyright © 2009 Symantec Corporation. All rights reserved.
How do we respond at a Regional / National level…
Objectives of a CERT
• Enhance information security awareness
• Build national expertise in information security, incident management and computer forensics
• Enhance the cyber security law and assist in the creation of new laws
• Provide a central trusted point of contact for cyber security incident reporting
• Establish a national centre to disseminate information about threats, vulnerabilities, and cyber security incidents
• Foster the establishment of and provide assistance to sector-based Computer Security Incident Response Teams (CSIRTs)
• Coordinate with domestic and international CSIRTs and related organizations
• Become an active member of recognized security organizations and forums
CERTS across Europe
[Figure: map of CERTs across Europe]

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
CERT Framework – Mandate, Charter & Constituents
[Figure: framework diagram, phases 01 and 02 – Cert Framework designed & Implemented]
Mandate
• Global Affiliations
• Cert Charter
• Constituents & Strategic Partnerships
• Strategic Partnerships
• Constituent Identification & Classification
• Service Offerings
FUNCTIONALITY
• Constituent database with defined roles & responsibilities in place and equipped to leverage strategic partnerships and affiliations
STRUCTURE
• Constituent campaigning and Memberships
DELIVERY
• Phased delivery of services
• Mutually beneficial alliances established

Emerging FY '11 Planning – Information Security Through Committed Partnership
Constituent Tier System
[Figure: tier pyramid – Public at the base, then Tier 3, Tier 2, Tier 1 at the top]
• TIER 1 – damage to which would cause critical harm to the critical information infrastructure. For example: regulated electronic communications providers; federal ministries responsible for the critical national infrastructure; national security organizations
  • Government Departments with direct responsibility for an area of CNI
  • Providers of Communications Infrastructure
  • National Security
  • Must have incident response capability
• TIER 2 – damage to which would cause serious harm to the critical information infrastructure. For example: providers of utilities and other parts of the critical infrastructure such as banking
  • Providers of CNI Services
  • Government Departments not involved in CNI
  • Must have incident response capability
• TIER 3 – damage to which would cause some harm to the critical information infrastructure. For example: other government departments, agencies, councils and commissions; logistics and transport providers
  • General Commerce
  • Other Government Departments
  • Special Councils & Commissions
• PUBLIC – all other sectors and the wider public
  • General Public
  • Anyone not covered in Tier 1 - 3
CERT Framework – Develop Legal & Regulatory Framework
[Figure: framework diagram]
CERT Framework – Implement Global Best Practices / Policies / Procedures
[Figure: framework diagram]
CERT Framework – Employ and Develop Skilled Resources and Partners
[Figure: framework diagram]
CERT Framework – Achieve Operational Capability with fully functional SOC
[Figure: framework diagram]

Emerging FY '11 Planning
High Level CERT Process Summary
1. Build a Cert Framework
2. Develop Mandate, Charter and Constituents
3. Develop Legal & Regulatory Framework
4. Build required Infrastructure & Technology
5. Implement Global Best Practices, Policies and Procedures
6. Source and Develop skilled Resources, Capability and Partners
7. Achieve Operational Capability & fully Functional CSIRTS
The role of a CSIRT
Objectives
Why is it important?
Benefits of CSIRT
• Relevant & timeous security data aggregated into one location
• 24 x 7 x 365 Real-time response capability
• Coordination of preventative and response actions
• Reduced complexity/cost through standardisation / integration
• In-depth reporting at strategic, tactical and operational level
• Compliance with governance / regulatory requirements
• Business continuity
• Customer confidence & brand protection
• Improved accountability and management efficiencies
Find the right information
• Millions of security alerts per day, only a few are relevant
  – Filtering, aggregation, prioritisation, …
• Find one needle in a needle stack!
Aggregation and Correlation
[Figure: pyramid – Security Data at the base, Events in the middle, Incidents at the top]
Security Data (10 000 000’s)
• Raw log data
2. Event Detection: IDS, VA, FW, Policy & Vulnerability Scans
Events (1 000 000’s)
• Aggregated event data
• Dispersed
• Heterogeneous
1. Analytics: Correlation, Threat and business impact ratings
Incidents (100’s)
• Prioritized lists
• Actionable Items
• CIA Business Impact Ratings
Incident NOT Event!
Event: The smallest unit of security information. Can be positive, negative or informational.
Incident: A collection of events grouped together to form a single unit that requires actions from identification to closure.
Incident Prioritisation and Allocation
Priorities:
• As Incidents are formed they are automatically prioritised.
• Prioritisation is based on the business impact of each encompassed event on the system.
Business impact is based on:
• Confidentiality
• Integrity
• Availability
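The slides on aggregation and correlation, the event-versus-incident distinction, and incident prioritisation describe a pipeline (raw security data, then events, then a short prioritised list of incidents rated by Confidentiality, Integrity and Availability impact) without showing its mechanics. The Python below is an added example written for this page; it is not code from the presentation or from any Symantec product. The log format, sensor map, asset register, severity values and priority thresholds are all constructed assumptions, and the sample log lines are made up.

```python
# Toy event-to-incident pipeline (an added illustration, not Symantec's product
# logic): raw security data -> events -> correlated incidents -> CIA-based
# business-impact prioritisation, as sketched on the slides above.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample sensor output (firewall, IDS, anti-virus) in one shared
# "timestamp sensor verdict key=value ..." format invented for this example.
RAW_LOGS = """\
2010-03-01T08:00:01 fw deny src=10.1.1.5 dst=10.0.0.20 dport=445
2010-03-01T08:00:02 fw deny src=10.1.1.5 dst=10.0.0.20 dport=139
2010-03-01T08:00:03 fw deny src=10.1.1.5 dst=10.0.0.20 dport=135
2010-03-01T08:00:09 ids alert sig=SMB_EXPLOIT_ATTEMPT src=10.1.1.5 dst=10.0.0.20
2010-03-01T08:00:40 av detected name=W32.Downadup host=10.0.0.20
2010-03-01T08:03:00 fw allow src=10.0.0.20 dst=10.0.0.21 dport=445
2010-03-01T09:30:00 fw deny src=172.16.5.9 dst=10.0.0.50 dport=22
2010-03-01T09:30:01 fw deny src=172.16.5.9 dst=10.0.0.50 dport=22
2010-03-01T09:30:02 fw deny src=172.16.5.9 dst=10.0.0.50 dport=22
2010-03-01T09:30:05 ids alert sig=SSH_BRUTE_FORCE src=172.16.5.9 dst=10.0.0.50
2010-03-01T12:00:00 fw allow src=10.0.0.7 dst=192.0.2.53 dport=53
"""

# Constructed asset register: Confidentiality/Integrity/Availability rating
# per host (1 = low, 3 = critical); hosts not listed default to 1/1/1.
ASSET_CIA = {
    "10.0.0.20": {"C": 3, "I": 3, "A": 3},  # e.g. a payroll database
    "10.0.0.50": {"C": 2, "I": 1, "A": 2},  # e.g. a developer jump host
}
DEFAULT_CIA = {"C": 1, "I": 1, "A": 1}
# Constructed sensor dictionary: (sensor, verdict) -> (severity, polarity),
# polarity following the slide's positive / negative / informational split.
SENSOR_MAP = {
    ("fw", "allow"): (0, "positive"),
    ("fw", "deny"): (1, "informational"),
    ("ids", "alert"): (3, "negative"),
    ("av", "detected"): (4, "negative"),
}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<verdict>\S+)(?P<rest>.*)$")

@dataclass
class Event:  # the smallest unit of security information: one parsed log line
    ts: datetime
    kind: str  # "sensor:verdict"
    attrs: Dict[str, str]
    severity: int
    polarity: str

    @property
    def target(self) -> str:
        return self.attrs.get("dst") or self.attrs.get("host") or "unknown"

@dataclass
class Incident:  # events on one target grouped into a single actionable unit
    target: str
    events: List[Event]

    def impact(self) -> Dict[str, int]:
        """Worst event severity scaled by the asset's C/I/A ratings."""
        asset = ASSET_CIA.get(self.target, DEFAULT_CIA)
        worst = max(e.severity for e in self.events)
        return {k: worst * v for k, v in asset.items()}

    @property
    def score(self) -> int:
        return sum(self.impact().values())

    @property
    def priority(self) -> str:
        return "High" if self.score >= 24 else "Medium" if self.score >= 9 else "Low"

def parse_events(text: str) -> List[Event]:
    """Security data -> events: parse each line, tag severity and polarity."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines outside the shared format are dropped, not guessed
        sev, pol = SENSOR_MAP.get((m["sensor"], m["verdict"]), (0, "informational"))
        attrs = dict(kv.split("=", 1) for kv in m["rest"].split())
        events.append(Event(datetime.fromisoformat(m["ts"]),
                            f"{m['sensor']}:{m['verdict']}", attrs, sev, pol))
    return sorted(events, key=lambda e: e.ts)

def correlate(events: List[Event], window: timedelta = timedelta(minutes=5)) -> List[Incident]:
    """Events -> incidents: group by target within a time window; a group becomes
    an incident if it holds a negative event or three or more informational ones."""
    runs: Dict[str, List[List[Event]]] = defaultdict(list)
    for ev in events:  # already time-ordered
        r = runs[ev.target]
        if r and ev.ts - r[-1][-1].ts <= window:
            r[-1].append(ev)
        else:
            r.append([ev])
    incidents = []
    for target, groups in runs.items():
        for grp in groups:
            if (any(e.polarity == "negative" for e in grp)
                    or sum(e.polarity == "informational" for e in grp) >= 3):
                incidents.append(Incident(target, grp))
    return incidents

def run_pipeline(text: str = RAW_LOGS) -> List[Incident]:
    """Full chain; returns incidents as a prioritised list, highest score first."""
    return sorted(correlate(parse_events(text)), key=lambda i: i.score, reverse=True)

if __name__ == "__main__":
    for inc in run_pipeline():
        print(inc.priority, inc.score, inc.target, len(inc.events), inc.impact())
```

Run as a script it reduces the eleven sample lines to two incidents: the scan, IDS alert and Downadup detection against 10.0.0.20 score 36 (High), the SSH noise against 10.0.0.50 scores 15 (Medium), and the lone permitted connections never become incidents at all, which is the "needle in a needle stack" filtering the earlier slide asks for. The asset register is what turns a generic sensor severity into a business-impact rating: the same Downadup detection on an unlisted 1/1/1 workstation would score 12 (Medium) rather than 36, so the analyst's queue is ordered by what the affected system means to the organisation, not by how loud the sensor was.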
A Comprehensive Solution
• Multi-vendor security systems generate overwhelming numbers of raw logs, events and alerts
• Security professionals analyze & evaluate the results
• Security Analysts, through the Secure Interface, keep in constant touch with their assigned Clients, with proactive commentary and recommendations on threats impacting their network.
[Figure: IDS, Firewalls, AV/Filtering and Vulnerability Mgmt. feeding the Security Analyst]
Typical Design
What does it look like? CSIRT Security Operations Centre
[Figure: SOC architecture diagram; recoverable labels listed below]
Users / Stakeholders: Staff, Suppliers, Customers, Investors (via Mobile, PDA, Laptop, Computer)
External Stakeholders: Law Enforcement, Regulators, Intelligence, Government, Strategic Security Partners
External inputs: Vulnerability Assessment Service, Global Intelligence Service Feed, Pentest / Audit Process; Other Regions Data Feeds; CIS Regions Data Feeds
Applications Layer: Business Intelligence Systems, Operational Support Systems, Business Support Systems
Infrastructure Layer: Storage Group, File, Routers, E-mail, Hubs, Trading, Cabling, DB
Security Control Layer: Firewall, Identity Management, Gateway, Content, Network IPS, Anti-Virus, Policy, Compliance, Host IPS
IT Operations Layer: Remediation, Change Management, Problem Management, Incident Management
SOC Central Processes (steps 1–5): SOC Technology Platform, Monitoring and Analysis, Security Technology, Specialist Resources
Enterprise: Incident Management, Remediation
Deployment Chart: PHASE1–PHASE5 across DEPT1–DEPT6




                                                                                                                                                                                 Mitigation                              Escalation                                                                      Analysis         Reporting
                                                                                                                               Endpoint                                                                                                                             Specialist
                                                                                                                                                                                 Process                                  Process                                                                                        Dashboard
                                                                                                                              Compliance
                                       Server Layer




                         Web


                                                                                                                              Messaging
                                                                                                                               Security

                                                                                                                          Supporting Processes, Procedures and Standards across Infrastructure, Services, Users and Technologies
                                                                                                                                        required to deliver fully integrated Security Enterprise Management Function
Requirements
What are the Key Success Factors ?
Key Components for Building a CSIRT
• Infrastructure supporting Technologies
• Data and Intelligence Sources
• Specialist Skills and Capacity
• Best Practice Policies and Processes
• Partnership Stakeholder Management
Security Operations Centre
[Diagram (text recovered from the slide): Security Operations Centre (SOC) with a Response Console, an Expert System & Anomaly Query Engine, a Continuous Data Mining Process and Security Analysts performing Analysis, all built on a Relational DB Infrastructure. A Secure Interface with Import Facilities (Authenticate, Encrypt, Verify, Normalize) receives feeds over the Internet via VPN from Firewalls, IDS, AV/Content, Vulnerability Scanning and Policy Compliance sources.]
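The import facility in the SOC diagram (Verify, Normalize, then a Relational DB queried by the anomaly engine) can be shown end to end in a few dozen lines. The following is an added example, not code from the slide deck or from Symantec: the three record formats, the sensor names and the sample lines are constructed assumptions, and authentication and encryption of the feeds (the VPN in the diagram) are assumed to happen on the transport before this code runs.

```python
"""Added example (not from the slide deck): a minimal SOC import facility.

Raw records from several security devices are verified, normalized into one
relational schema and then queried for anomalies. Transport authentication
and encryption of the feeds are assumed to be handled by the VPN and are
not shown here.
"""
import ipaddress
import re
import sqlite3
from datetime import datetime

# Constructed sample records (not real data). The three record shapes are
# assumptions loosely modelled on firewall, IDS and antivirus output.
SAMPLE_LOGS = [
    "fw01 2010-03-01T10:00:01Z DENY src=10.1.1.5 dst=192.0.2.10 dport=445",
    "fw01 2010-03-01T10:00:02Z DENY src=10.1.1.5 dst=192.0.2.11 dport=445",
    "fw01 2010-03-01T10:00:03Z DENY src=10.1.1.5 dst=192.0.2.12 dport=445",
    "fw01 2010-03-01T10:00:04Z ALLOW src=10.1.1.7 dst=192.0.2.20 dport=80",
    "ids01 2010-03-01T10:00:05Z [1:1000001:1] Constructed test signature "
    "[Priority: 2] 10.1.1.5 -> 192.0.2.13",
    "av01 2010-03-01T10:00:06Z host=PC-22 user=alice threat=Test.Sample action=quarantined",
    # Malformed record: the verify step must reject it rather than store it.
    "fw01 not-a-timestamp DENY src=bad dst=bad dport=x",
]

FW_RE = re.compile(r"^(?P<sensor>\S+) (?P<ts>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\S+)$")
IDS_RE = re.compile(r"^(?P<sensor>\S+) (?P<ts>\S+) \[(?P<sid>[\d:]+)\] (?P<msg>.+?) "
                    r"\[Priority: (?P<prio>\d)\] (?P<src>\S+) -> (?P<dst>\S+)$")
AV_RE = re.compile(r"^(?P<sensor>\S+) (?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                   r"threat=(?P<threat>\S+) action=(?P<action>\S+)$")


def parse_line(line):
    """Map one raw record onto the common event schema; None if no parser matches."""
    m = FW_RE.match(line)
    if m:
        return {"ts": m["ts"], "sensor": m["sensor"], "source_type": "firewall",
                "severity": 1 if m["action"] == "DENY" else 0,
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": m["dport"],
                "summary": f"{m['action']} to port {m['dport']}"}
    m = IDS_RE.match(line)
    if m:
        return {"ts": m["ts"], "sensor": m["sensor"], "source_type": "ids",
                "severity": 4 - int(m["prio"]),  # priority 1 is the most severe
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": None,
                "summary": f"{m['sid']} {m['msg']}"}
    m = AV_RE.match(line)
    if m:
        return {"ts": m["ts"], "sensor": m["sensor"], "source_type": "antivirus",
                "severity": 3, "src_ip": None, "dst_ip": None, "dst_port": None,
                "summary": f"{m['threat']} on {m['host']} ({m['action']})"}
    return None


def verify(event):
    """Verify step: reject records whose timestamp, addresses or port are not well formed."""
    try:
        datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for key in ("src_ip", "dst_ip"):
            if event[key] is not None:
                ipaddress.ip_address(event[key])
        if event["dst_port"] is not None and not 0 <= int(event["dst_port"]) <= 65535:
            return False
    except ValueError:
        return False
    return True


def normalize(lines):
    """Import facility: returns (accepted normalized events, rejected raw lines)."""
    accepted, rejected = [], []
    for line in lines:
        event = parse_line(line)
        if event is None or not verify(event):
            rejected.append(line)
            continue
        if event["dst_port"] is not None:
            event["dst_port"] = int(event["dst_port"])
        accepted.append(event)
    return accepted, rejected


def load_db(events):
    """Relational store for the normalized events (in-memory SQLite for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT NOT NULL, sensor TEXT NOT NULL, "
                 "source_type TEXT NOT NULL, severity INTEGER NOT NULL, src_ip TEXT, "
                 "dst_ip TEXT, dst_port INTEGER, summary TEXT NOT NULL)")
    conn.executemany("INSERT INTO events VALUES (:ts, :sensor, :source_type, :severity, "
                     ":src_ip, :dst_ip, :dst_port, :summary)", events)
    conn.commit()
    return conn


def scan_like_sources(conn, min_targets=3):
    """Anomaly query: one source denied by the firewall against many distinct hosts."""
    return conn.execute(
        "SELECT src_ip, COUNT(DISTINCT dst_ip) FROM events "
        "WHERE source_type = 'firewall' AND severity >= 1 "
        "GROUP BY src_ip HAVING COUNT(DISTINCT dst_ip) >= ?", (min_targets,)).fetchall()


def multi_source_hits(conn):
    """Correlation query: sources reported by two or more different device types."""
    return conn.execute(
        "SELECT src_ip, COUNT(DISTINCT source_type) FROM events WHERE src_ip IS NOT NULL "
        "GROUP BY src_ip HAVING COUNT(DISTINCT source_type) >= 2").fetchall()


if __name__ == "__main__":
    accepted, rejected = normalize(SAMPLE_LOGS)
    db = load_db(accepted)
    print(f"accepted={len(accepted)} rejected={rejected}")
    print("scan-like sources:", scan_like_sources(db))
    print("seen by several device types:", multi_source_hits(db))
```

The verify step runs before anything touches the database, so a malformed or hostile record is dropped at the interface instead of being stored and later fed to the query engine; the two queries stand in for the expert system, which in a real SOC would hold many such rules.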
Implementation
Where do we start ?
Decide on the basic delivery model
• In-Sourced
• Outsourced
• Co-Sourced
  • Virtual Extension Model
  • On-site Managed Security Support
Deliverables
What will the CSIRT deliver ?
Top-10 functions of the CSIRT SOC
• Proactive vulnerability scanning
• Analysis of Global Threat Intelligence
• Communication of Alerts/Advisories
• Compliance monitoring / management
• Incident response & remediation
• BCM / DR support & validation
• Vulnerability management
• Forensic support / Logging
• Collaboration & Awareness (Law/ISP)
• Report Generation & Dashboard
Partnership
Who can help us achieve this ?
Symantec Value Proposition

People
o World Class Engineering Staff
o Industry Leading Security Response Team
o Unparalleled SOC Expertise

Process
o Globally Consistent Operational Execution
o ITIL best practices
o Transparent, Measurable, Auditable Process for Continual Improvement

Technology
► Market Leading Correlation
► Proven scalability
► Breadth of device support
► Secure Web portal to provide clarity into your security posture
Questions ?
Visit www.2010netthreat.com




Q&A
Thank you!
    Gordon Love
    Gordon_Love@symantec.com




    Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
    the U.S. and other countries. Other names may be trademarks of their respective owners.

    This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
    are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Symantec DeepSight Early Warning Services 8.0                                                                                                                                               49

Más contenido relacionado

Similar a Anatomy of a CERT - Gordon Love, Symantec

Introduction - The Smart Protection Network
Introduction - The Smart Protection NetworkIntroduction - The Smart Protection Network
Introduction - The Smart Protection NetworkAndrew Wong
 
Windstream Webinar: Debunking Network Security Myths
Windstream Webinar: Debunking Network Security MythsWindstream Webinar: Debunking Network Security Myths
Windstream Webinar: Debunking Network Security MythsWindstream Enterprise
 
Next2 Investor Slide Deck
Next2 Investor Slide DeckNext2 Investor Slide Deck
Next2 Investor Slide DeckBrian Puckett
 
Opening Keynote and Welcome
Opening Keynote and WelcomeOpening Keynote and Welcome
Opening Keynote and WelcomeCarahsoft
 
Cloud pamoja presentation final 11-3-2013
Cloud pamoja presentation final 11-3-2013Cloud pamoja presentation final 11-3-2013
Cloud pamoja presentation final 11-3-2013ambio
 
Finpro report market study nigeria
Finpro report market study nigeriaFinpro report market study nigeria
Finpro report market study nigeriaBusiness Finland
 
Cassis international's pitch
Cassis international's pitchCassis international's pitch
Cassis international's pitchi7
 
5G & Edge: High Performance with Zero-Trust Security
5G & Edge: High Performance with Zero-Trust Security5G & Edge: High Performance with Zero-Trust Security
5G & Edge: High Performance with Zero-Trust SecurityRebekah Rodriguez
 
Building eastern european champions (final)
Building eastern european champions (final)Building eastern european champions (final)
Building eastern european champions (final)Philippe Botteri
 
The Internet of Things - beyond the hype and towards ROI
The Internet of Things - beyond the hype and towards ROIThe Internet of Things - beyond the hype and towards ROI
The Internet of Things - beyond the hype and towards ROIPerry Lea
 
Ireland - The location of choice for International Payments firms
Ireland - The location of choice for International Payments firmsIreland - The location of choice for International Payments firms
Ireland - The location of choice for International Payments firmsMartina Naughton
 
Using Graphs to Take Down Fraudsters in Real Time
Using Graphs to Take Down Fraudsters in Real TimeUsing Graphs to Take Down Fraudsters in Real Time
Using Graphs to Take Down Fraudsters in Real TimeNeo4j
 
3 - AVG Presentation Noah 2011
3 - AVG Presentation Noah 20113 - AVG Presentation Noah 2011
3 - AVG Presentation Noah 2011NOAH Advisors
 
Indian Information Technology Act
Indian Information Technology ActIndian Information Technology Act
Indian Information Technology ActKaran Bhagatwala
 
IDC Corporate Cverview 12/2011
IDC Corporate Cverview 12/2011IDC Corporate Cverview 12/2011
IDC Corporate Cverview 12/2011kimidc
 
IDC Corporate Overview 12/2012
IDC Corporate Overview 12/2012IDC Corporate Overview 12/2012
IDC Corporate Overview 12/2012kimidc
 
Idc Corporate Overview Dec 2011
Idc Corporate Overview Dec 2011Idc Corporate Overview Dec 2011
Idc Corporate Overview Dec 2011Miaricci
 

Similar a Anatomy of a CERT - Gordon Love, Symantec (20)

Introduction - The Smart Protection Network
Introduction - The Smart Protection NetworkIntroduction - The Smart Protection Network
Introduction - The Smart Protection Network
 
Windstream Webinar: Debunking Network Security Myths
Windstream Webinar: Debunking Network Security MythsWindstream Webinar: Debunking Network Security Myths
Windstream Webinar: Debunking Network Security Myths
 
Next2 Investor Slide Deck
Next2 Investor Slide DeckNext2 Investor Slide Deck
Next2 Investor Slide Deck
 
Opening Keynote and Welcome
Opening Keynote and WelcomeOpening Keynote and Welcome
Opening Keynote and Welcome
 
Taveau cartes2012 speaker
Taveau cartes2012 speakerTaveau cartes2012 speaker
Taveau cartes2012 speaker
 
Cloud pamoja presentation final 11-3-2013
Cloud pamoja presentation final 11-3-2013Cloud pamoja presentation final 11-3-2013
Cloud pamoja presentation final 11-3-2013
 
Finpro report market study nigeria
Finpro report market study nigeriaFinpro report market study nigeria
Finpro report market study nigeria
 
Cassis international's pitch
Cassis international's pitchCassis international's pitch
Cassis international's pitch
 
5G & Edge: High Performance with Zero-Trust Security
5G & Edge: High Performance with Zero-Trust Security5G & Edge: High Performance with Zero-Trust Security
5G & Edge: High Performance with Zero-Trust Security
 
Building eastern european champions (final)
Building eastern european champions (final)Building eastern european champions (final)
Building eastern european champions (final)
 
The Internet of Things - beyond the hype and towards ROI
The Internet of Things - beyond the hype and towards ROIThe Internet of Things - beyond the hype and towards ROI
The Internet of Things - beyond the hype and towards ROI
 
Ireland - The location of choice for International Payments firms
Ireland - The location of choice for International Payments firmsIreland - The location of choice for International Payments firms
Ireland - The location of choice for International Payments firms
 
Using Graphs to Take Down Fraudsters in Real Time
Using Graphs to Take Down Fraudsters in Real TimeUsing Graphs to Take Down Fraudsters in Real Time
Using Graphs to Take Down Fraudsters in Real Time
 
iScan Online - PCI DSS Mobile Task Force
iScan Online - PCI DSS Mobile Task ForceiScan Online - PCI DSS Mobile Task Force
iScan Online - PCI DSS Mobile Task Force
 
3 - AVG Presentation Noah 2011
3 - AVG Presentation Noah 20113 - AVG Presentation Noah 2011
3 - AVG Presentation Noah 2011
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Indian Information Technology Act
Indian Information Technology ActIndian Information Technology Act
Indian Information Technology Act
 
IDC Corporate Cverview 12/2011
IDC Corporate Cverview 12/2011IDC Corporate Cverview 12/2011
IDC Corporate Cverview 12/2011
 
IDC Corporate Overview 12/2012
IDC Corporate Overview 12/2012IDC Corporate Overview 12/2012
IDC Corporate Overview 12/2012
 
Idc Corporate Overview Dec 2011
Idc Corporate Overview Dec 2011Idc Corporate Overview Dec 2011
Idc Corporate Overview Dec 2011
 

Más de vngundi

Dealing With Security Threats
Dealing With Security ThreatsDealing With Security Threats
Dealing With Security Threatsvngundi
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approachesvngundi
 
Day 2 Dns Cert 4 Scenarios
Day 2   Dns Cert 4 ScenariosDay 2   Dns Cert 4 Scenarios
Day 2 Dns Cert 4 Scenariosvngundi
 
Day 2 Dns Cert 4c Malicious Use
Day 2   Dns Cert 4c Malicious UseDay 2   Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
Day 2 Dns Cert 4b Name Server Redirection
Day 2   Dns Cert 4b Name Server RedirectionDay 2   Dns Cert 4b Name Server Redirection
Day 2 Dns Cert 4b Name Server Redirectionvngundi
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2   Dns Cert 4a Cache PoisoningDay 2   Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoningvngundi
 
Day 2 Dns Cert 3 Dns Organizations
Day 2   Dns Cert 3 Dns OrganizationsDay 2   Dns Cert 3 Dns Organizations
Day 2 Dns Cert 3 Dns Organizationsvngundi
 
Day 1 Large Scale Attacks
Day 1   Large Scale AttacksDay 1   Large Scale Attacks
Day 1 Large Scale Attacksvngundi
 
Day 1 From CERT To NCSC
Day 1   From CERT To NCSCDay 1   From CERT To NCSC
Day 1 From CERT To NCSCvngundi
 
Day 1 Enisa Setting Up A Csirt
Day 1   Enisa   Setting Up A CsirtDay 1   Enisa   Setting Up A Csirt
Day 1 Enisa Setting Up A Csirtvngundi
 
Day 1 Coop Banks
Day 1   Coop BanksDay 1   Coop Banks
Day 1 Coop Banksvngundi
 

Más de vngundi (11)

Dealing With Security Threats
Dealing With Security ThreatsDealing With Security Threats
Dealing With Security Threats
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approaches
 
Day 2 Dns Cert 4 Scenarios
Day 2   Dns Cert 4 ScenariosDay 2   Dns Cert 4 Scenarios
Day 2 Dns Cert 4 Scenarios
 
Day 2 Dns Cert 4c Malicious Use
Day 2   Dns Cert 4c Malicious UseDay 2   Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
Day 2 Dns Cert 4b Name Server Redirection
Day 2   Dns Cert 4b Name Server RedirectionDay 2   Dns Cert 4b Name Server Redirection
Day 2 Dns Cert 4b Name Server Redirection
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2   Dns Cert 4a Cache PoisoningDay 2   Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoning
 
Day 2 Dns Cert 3 Dns Organizations
Day 2   Dns Cert 3 Dns OrganizationsDay 2   Dns Cert 3 Dns Organizations
Day 2 Dns Cert 3 Dns Organizations
 
Day 1 Large Scale Attacks
Day 1   Large Scale AttacksDay 1   Large Scale Attacks
Day 1 Large Scale Attacks
 
Day 1 From CERT To NCSC
Day 1   From CERT To NCSCDay 1   From CERT To NCSC
Day 1 From CERT To NCSC
 
Day 1 Enisa Setting Up A Csirt
Day 1   Enisa   Setting Up A CsirtDay 1   Enisa   Setting Up A Csirt
Day 1 Enisa Setting Up A Csirt
 
Day 1 Coop Banks
Day 1   Coop BanksDay 1   Coop Banks
Day 1 Coop Banks
 

Último

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 

Último (20)

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 

Anatomy of a CERT - Gordon Love, Symantec

  • 1. Anatomy of a CERT Gordon Love Regional Director for Africa March 2010 1
  • 2. Agenda • The African landscape is changing • Why do we need a CERT – Threat Landscape • Steps in building a CERT • The role of a CSIRT • Q&A Symantec DeepSight Early Warning Services 8.0 2
  • 3. Africa is Changing…. Broadband Capacity Increases 3
  • 4. Lessons Learned – increased broadband capacity • Africa is currently updating its broadband infrastructure • There is an increase in malicious activity in countries with rapidly emerging Internet infrastructures • Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers • With cheaper and faster Internet, more Africans will be “always- on” or continually connected • There will be many “new” internet users that are not security- savvy
  • 5. What do we need to protect against… 5
  • 6. Symantec Security Response – How do we know? Symantec Response Lab Symantec Monitored Countries Symantec Secure Operations Center Over 25,000 Registered Data Partners, From Over 180 Countries Dublin, Ireland Calgary, Canada Waltham, MA American Fork, UT Alexandria, VA Redwood City, CA Newport News, VA Santa Monica, CA London, England Tokyo, Japan San Antonio, TX Berlin, Germany Sydney, Australia 6 – 2002 Symantec Corporation, All Rights Reserved Rapid Detection Attack Activity Malware Intelligence Vulnerabilities Spam/Phishing • 240,000 sensors • 130M client, server, • 32,000+ vulnerabilities • 2.5M decoy accounts • 200+ countries gateways monitored • 11,000 vendors • 8B+ email messages/day • Global coverage • 72,000 technologies • 1B+ web requests/day
  • 7. IWECA Presence Legend: Symantec Resource Distributor Reseller IDC Adjusted Market Potential Ranking 1 Angola 2 Nigeria 3 Kenya 4 Uganda 5 Tanzania 6 Mauritius 7 Ethiopia 8 Botswana 9 Ghana 10 Namibia 7
  • 8. Economic Growth 2008 Country Ranking by Economic Growth (%) 2008 1 Angola 21.4 2 Ethiopia 8.4 3 Uganda 6.4 4 Tanzania 7.2 5 Kenya 4.4 6 Nigeria 7.5 7 Ghana 6.3 8 Mauritius 5.8 9 Namibia 5.5 10 Botswana 4.4 8
  • 9. Ranking by IT Spend PC 2008 Country Ranking by IT Spend ($m) Per Capita 2008 1 Mauritius 74.26 2 Botswana 66.02 3 Namibia 39.42 4 Angola 18.46 5 Kenya 9.14 6 Ghana 7.93 7 Nigeria 7.11 8 Tanzania 3.75 9 Uganda 2.74 10 Ethiopia 1.76 9
  • 10. IDC Predicted ICT Growth 10
  • 11. Kenya review Analyst Opinion In Kenya, the IT market reached a value of $ 352.7 million and is expected to grow albeit slowly at 6.1% in 2009 to reach $ 374.0 million. Over a five-year period, IDC forecasts that the market will increase at a CAGR of 14.6% to reach $ 615.9 million by 2012. 11
  • 12. ISTR XIV Key Trends Threat Landscape Web-based Cyber criminals Increased Rapid adaptation to malicious activity want YOUR sophistication of the security measures has accelerated information Underground Economy • Primary vector for • Focus on exploits • Well-established • Relocating operations malicious activity targeting end- infrastructure for to new geographic • Target reputable, users for financial monetizing stolen areas high-traffic websites gain information • Evade traditional security protection * Symantec Internet Security Threat Report, Volume X!V
  • 13. Highlights Key Trends – Global Activity Threat Activity Vulnerabilities Malicious Code Spam/Phishing • Data breaches can • Documented • Trojans made up 68 • 76% phishing lures target lead to identity theft vulnerabilities up percent of the Financial services (up • Theft and loss top 19% (5491) volume of the top 50 24%) cause of data • Top attacked malicious code • Detected 55,389 phishing leakage for overall vulnerability: • 66% of potential website hosts (up 66%) data breaches and Exploits by malicious code • Detected 192% increase identities exposed Downadup infections in spam across the • Threat activity • 95% vulnerabilities propagated as Internet with 349.6 billion increases with attacked were client- shared executable messages growth in side files • 90% spam email Internet/Broadband distributed by Bot usage networks * Symantec Internet Security Threat Report, Volume XIV
  • 14. New Threat Landscape Number of New Threats Period
  • 15. New Threat Landscape Number of New Threats Period
  • 16. New Threat Landscape 1177% Number of New Threats increase in malware since 2006 Period
  • 17. New Threat Landscape 2/3 Number of New Threats of malicious code created in 2008 Period
  • 18. New Threat Landscape Number of New Threats In 2000 In 2007 5 1431 detections a day detections a day Period
  • 19. New Threat Landscape Number of New Threats In 2000 In 2009 5 15 000+ detections a day detections a day Period
  • 20. 20
  • 21. 192% growth in spam from 2007 to 2008 In 2008, Symantec documented 5,471 vulnerabilities, 80% of which were easily exploitable 90% of incidents would not have happened if systems had been patched In 2008 we found 75,000 active bot-infected computers per day, up 31% from 2007 21 Copyright © 2009 Symantec Corporation. All rights reserved. 21
  • 22. How do we respond at a Regional / National level… 22
  • 23. Objectives of a CERT • Enhance information security awareness • Build national expertise in information security, incident management and computer forensics • Enhance the cyber security law and assist in the creation of new laws • Provide a central trusted point of contact for cyber security incident reporting • Establish a national centre to disseminate information about threats, vulnerabilities, and cyber security incidents • Foster the establishment of and provide assistance to sector- based Computer Security Incident Response Teams (CSIRTs) • Coordinate with domestic and international CSIRTs and related organizations • Become an active member of recognized security organizations and forums
• 24. CERTs across Europe
  Thank you! Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
• 26. CERT Framework – Mandate, Charter & Constituents [diagram]
  STRUCTURE: Mandate & Charter; Constituents & Strategic Partnerships
  FUNCTIONALITY: Global Cert Affiliations; Strategic Partnerships; Constituent Identification & Classification; Service Offerings
  DELIVERY: Constituent campaigning and Memberships; Phased delivery of services; Mutually beneficial alliances established
  02 – Cert Framework designed & Implemented: Constituent database with defined roles & responsibilities in place and equipped to leverage strategic partnerships and affiliations
  Emerging FY '11 Planning – Information Security Through Committed Partnership
• 27. Constituent Tier System
  • TIER 1 – damage to which would cause critical harm to the critical information infrastructure. For example: regulated electronic communications providers; federal ministries responsible for the critical national infrastructure; national security organizations
    – Government Departments with direct responsibility for an area of CNI
    – Providers of Communications Infrastructure
    – National Security
    – Must have incident response capability
  • TIER 2 – damage to which would cause serious harm to the critical information infrastructure. For example: providers of utilities and other parts of the critical infrastructure such as banking
    – Providers of CNI Services
    – Government Departments not involved in CNI
    – Must have incident response capability
  • TIER 3 – damage to which would cause some harm to the critical information infrastructure. For example: other government departments, agencies, councils and commissions; logistics and transport providers
    – General Commerce
    – Other Government Departments
    – Special Councils & Commissions
  • PUBLIC – all other sectors and the wider public
    – General Public
    – Anyone not covered in Tier 1 - 3
• 28–30. CERT Framework – Develop Legal & Regulatory Framework; CERT Framework – Implement Global Best Practices / Policies / Procedures (Emerging FY '11 Planning)
• 31. CERT Framework – Employ and Develop Skilled Resources and Partners
• 32. CERT Framework – Achieve Operational Capability with fully functional SOC
• 33. High Level CERT Process Summary
  1. Build a Cert Framework
  2. Develop Mandate, Charter and Constituents
  3. Develop Legal & Regulatory Framework
  4. Build required Infrastructure & Technology
  5. Implement Global Best Practices, Policies and Procedures
  6. Source and Develop skilled Resources, Capability and Partners
  7. Achieve Operational Capability & fully Functional CSIRTs
• 34. The role of a CSIRT
• 35. Objectives – Why is it important? Benefits of CSIRT
  • Relevant & timeous security data aggregated into one location
  • 24 x 7 x 365 Real-time response capability
  • Coordination of preventative and response actions
  • Reduced complexity/cost through standardisation / integration
  • In-depth reporting at strategic, tactical and operational level
  • Compliance with governance / regulatory requirements
  • Business continuity
  • Customer confidence & brand protection
  • Improved accountability and management efficiencies
• 36. Find the right information
  • Millions of security alerts per day, only a few are relevant
    – Filtering, aggregation, prioritisation, …
  • Find one needle in a needle stack!
• 37. Aggregation and Correlation [pyramid]
  10 000 000's – Security Data: Raw log Data (FW, IDS, VA, Policy & Vulnerability Scans)
    ↓ 2. Event Detection
  1 000 000's – Events: Aggregated event data; Dispersed; Heterogeneous
    ↓ 1. Analytics – Correlation, Threat and business impact ratings
  100's – Incidents: Prioritized lists; Actionable Items; CIA Business Impact Ratings
• 38. Incident NOT Event!
  Event: The smallest unit of security information. Can be positive, negative or informational.
  Incident: A collection of events grouped together to form a single unit that requires actions from identification to closure.
• 39. Incident Prioritisation and Allocation
  Priorities:
  • As Incidents are formed they are automatically prioritised.
  • Prioritisation is based on the business impact of each encompassed event on the system.
  Business impact is based on:
  • Confidentiality
  • Integrity
  • Availability
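The pipeline of slides 36 to 39 (millions of raw records filtered and aggregated into events, events correlated into a few hundred incidents, incidents prioritised by the Confidentiality/Integrity/Availability impact on the affected system), as an added Python example that is not part of the presentation and not code from any Symantec product. The asset register with its CIA ratings, the mapping of event categories to CIA dimensions, the severity weights for the three event outcomes of slide 38, the ten-minute correlation window and the raw records from three tools are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed asset register with Confidentiality/Integrity/Availability
# business-impact ratings (1 = low, 3 = high). An assumption for this example.
ASSET_CIA = {
    "db-01":  {"C": 3, "I": 3, "A": 2},   # customer database
    "web-01": {"C": 1, "I": 2, "A": 3},   # public web front end
    "ws-042": {"C": 1, "I": 1, "A": 1},   # staff workstation
}
CATEGORY_CIA = {"intrusion": ("C", "I"), "malware": ("I", "A"), "network": ("A",)}  # assumed
SEVERITY = {"negative": 2, "positive": 1, "informational": 0}  # slide 38 outcomes, assumed weights
WINDOW = timedelta(minutes=10)  # correlation window, assumed

@dataclass
class Event:          # smallest unit of security information (slide 38)
    ts: datetime
    source: str
    asset: str
    category: str
    outcome: str      # "negative", "positive" or "informational"

@dataclass
class Incident:       # events grouped into one unit that needs action through to closure
    asset: str
    category: str
    events: list = field(default_factory=list)
    priority: int = 0

def normalize(raw: dict) -> Event:
    """Map heterogeneous raw records (firewall, IDS, AV) onto one Event schema."""
    src = raw["source"]
    if src == "firewall":   # a deny means the control worked; an allow is informational
        outcome = "positive" if raw["action"] == "deny" else "informational"
        return Event(datetime.fromisoformat(raw["time"]), src, raw["dst"], "network", outcome)
    if src == "ids":        # only medium/high signatures count as negative
        outcome = "negative" if raw["severity"] in ("high", "medium") else "informational"
        return Event(datetime.fromisoformat(raw["ts"]), src, raw["target_host"], "intrusion", outcome)
    if src == "av":         # quarantined = contained; detected but not cleaned = negative
        outcome = "positive" if raw["verdict"] == "quarantined" else "negative"
        return Event(datetime.fromisoformat(raw["time"]), src, raw["host"], "malware", outcome)
    raise ValueError(f"unknown source {src!r}")

def _form(asset: str, category: str, evs: list) -> list:
    # A run of events becomes an incident only if it holds at least one negative event;
    # positive/informational-only runs are filtered out (slide 36), otherwise kept as context.
    return [Incident(asset, category, list(evs))] if any(e.outcome == "negative" for e in evs) else []

def correlate(events: list) -> list:
    """Group events per (asset, category) and split each group into WINDOW-sized runs."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        buckets[(e.asset, e.category)].append(e)
    incidents = []
    for (asset, category), evs in buckets.items():
        run = []
        for e in evs:
            if run and e.ts - run[0].ts > WINDOW:      # start a new run after the window
                incidents.extend(_form(asset, category, run))
                run = []
            run.append(e)
        incidents.extend(_form(asset, category, run))
    return incidents

def prioritise(incident: Incident) -> int:
    """Priority = summed severity of the negative events x CIA impact of the asset."""
    cia = ASSET_CIA.get(incident.asset, {"C": 1, "I": 1, "A": 1})  # unknown asset: assume low
    impact = sum(cia[d] for d in CATEGORY_CIA[incident.category])
    severity = sum(SEVERITY[e.outcome] for e in incident.events if e.outcome == "negative")
    incident.priority = severity * impact
    return incident.priority

def prioritised_incidents(raw_records: list) -> list:
    """Whole pipeline: raw security data -> events -> incidents -> prioritised list."""
    incidents = correlate([normalize(r) for r in raw_records])
    for inc in incidents:
        prioritise(inc)
    return sorted(incidents, key=lambda i: i.priority, reverse=True)

# Constructed sample records from three tools, deliberately using different
# field names so that the normalisation step has something to do.
RAW_RECORDS = [
    {"source": "ids", "ts": "2010-03-01T09:00:05", "target_host": "db-01", "severity": "high"},
    {"source": "ids", "ts": "2010-03-01T09:01:10", "target_host": "db-01", "severity": "high"},
    {"source": "ids", "ts": "2010-03-01T09:04:30", "target_host": "db-01", "severity": "medium"},
    {"source": "av", "time": "2010-03-01T09:02:00", "host": "ws-042", "verdict": "quarantined"},
    {"source": "av", "time": "2010-03-01T09:03:00", "host": "ws-042", "verdict": "detected"},
    {"source": "firewall", "time": "2010-03-01T09:00:00", "dst": "web-01", "action": "deny"},
    {"source": "firewall", "time": "2010-03-01T09:00:45", "dst": "web-01", "action": "allow"},
    {"source": "ids", "ts": "2010-03-01T09:05:00", "target_host": "web-01", "severity": "low"},
]
```

Running prioritised_incidents(RAW_RECORDS) on the eight constructed records yields two incidents: the three IDS alerts against db-01 form one intrusion incident whose priority (36) is driven by the database's high Confidentiality and Integrity ratings, and the uncleaned detection on ws-042 forms a low-priority malware incident (4). The firewall denies and the low-severity IDS signature on web-01 never become incidents, which is the filtering the slides describe. In a live SOC the window, weights and asset register would come from the constituent database and the business-impact assessment rather than from constants.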
• 40. A Comprehensive Solution
  • Multi-vendor security systems generate overwhelming numbers of raw logs, events and alerts
  • Security professionals analyze & evaluate the results
  • Security Analysts, through the Secure Interface, keep in constant touch with their assigned Clients, with proactive commentary and recommendations on threats impacting their network.
  [diagram: Vulnerability Mgmt., AV/Filtering, IDS, Firewalls → Security Analyst]
• 41. Typical Design – What does it look like? [CSIRT Security Operations Centre architecture diagram]
  Users / Stakeholders: Staff, Suppliers, Customers, Investors (Mobile, PDA, Laptop, Computer)
  External Stakeholders: Law Enforcement, Regulators, Intelligence, Government, Strategic Security Partners
  External services and feeds: Vulnerability Assessment Service, Global Intelligence Feed, Pentest / Audit Service, Data Feeds, CIS Hubs
  SOC Central processes and functions: Security Monitoring and Analysis, Specialist Resources, Operational Support, Incident Management, Remediation, Mitigation, Escalation, Analysis, Reporting, Dashboard, Problem Management, Change Management, Compliance, Business Support
  Layers: Security Control Layer, Enterprise Infrastructure Layer, Applications Layer, IT Operations Layer, Server Layer
  Technology and systems shown: Firewall, IPS, Anti-Virus, Gateway, Routers, Network, Cabling, E-mail, Messaging, Web, Content, Endpoint, Host Systems, DB, Storage, Identity Management, File, Platform, Policy, Business Systems, Business Intelligence, Trading, Regions
  Deployment chart: Phase 1 to Phase 5 across Dept 1 to Dept 6
  Supporting Processes, Procedures and Standards across Infrastructure, Services, Users and Technologies required to deliver fully integrated Security Enterprise Management Function
• 42. Requirements – What are the Key Success Factors? Key Components for Building a CSIRT
  • Infrastructure and supporting Technologies
  • Data and Intelligence Sources
  • Specialist Skills and Capacity
  • Best Practice Policies and Processes
  • Partnership and Stakeholder Management
• 43. Security Operations Centre [diagram]
  Security Operations Centre (SOC): Response Console; Expert System & Anomaly Query Engine; Continuous Data Mining Process; Security Analysts Analysis; Secure Interface; Relational DB Infrastructure
  Import Facilities: • Authenticate • Encrypt • Verify • Normalize
  Monitored sources (over Internet VPN): Firewalls, IDS, AV/Content, Vulnerability Scanning, Policy Compliance
• 44. Implementation – Where do we start? Decide on the basic delivery model: In-Sourced; Outsourced; Co-Sourced; Virtual Extension Model; On-site Managed Security Support
• 45. Deliverables – What will the CSIRT deliver? Top-10 functions of the CSIRT SOC
  • Proactive vulnerability scanning
  • Analysis of Global Threat Intelligence
  • Communication of Alerts/Advisories
  • Compliance monitoring / management
  • Incident response & remediation
  • BCM / DR support & validation
  • Vulnerability management
  • Forensic support / Logging
  • Collaboration & Awareness (Law/ISP)
  • Report Generation & Dashboard
• 46. Partnership – Who can help us achieve this? Symantec Value Proposition
  People: World Class Engineering Staff; Industry Leading Security Response Team; Unparalleled SOC Expertise
  Process: Globally Consistent Operational Execution; ITIL best practices; Transparent, Measurable, Auditable Process for Continual Improvement
  Technology: Market Leading Correlation; Proven scalability; Breadth of device support; Secure Web portal to provide clarity into your security posture
• 49. Thank you! Gordon Love Gordon_Love@symantec.com