SECURITY ANALYTICS
My, what a lot of data!
Security Analytics
Over the next 30 minutes
• Who am I?
• Why do we need security as an IT Service?
• What does security analytics mean?
• How can it provide protection?
• Firewalls
• Where do we need them?
• When is lunch!
Who am I?
• Simon Bennett BSc MSc CISSP CEH ECSA LPT
• Networking and Information Security at Dundee University for the past 13 years
• Apart from a 6 month spell at Scottish Power
• Recently moved to Subsea 7 in Aberdeen
Why do we need security as an IT Service?
What are the threats at a high level?
Downtime
Loss of Reputation/Data/IP
Why do we need security?
Causes of downtime
• Distributed Denial of Service
• Spamhaus DDoS (DNS Amplification)
• Controls
• Malware infection/remediation
• Oil Rig hack
• Controls
• Driven by cybercrime
• CaaS
• Low Orbit ION Cannon
Why do we need security?
Loss of reputation
Sony
In 2011 Sony had a large amount of data copied from their PlayStation Network user database.
It has cost them at least $170 million, but some analysts have speculated it will cost them more than $1 billion.
What does security analytics mean?
It means different things to different people
What it means to me:
Examine all the possible data sources
• Technical – Logs
• Vast amounts of data
• Lots of possible sources
• Informational - Internet
• Blogs / RSS feeds / Google hacks
• Personal - people 'in the know'
• CERT functions
• Information sharing within industries
How does that look?
• Firewalls
• Analyse traffic by:
• Person, Time, Protocol, IP, TCP/UDP
• Log aggregation
• Intelligence gleaned from logs from:
• Authentication, DHCP/DNS, Firewalls, IDS, Signature sets/heuristics
• CDRs/Identity/ISP/Intelligence agencies
• AV/Web/eMail filtering in the cloud
• Use Sandbox technologies
• Analyse attachments / Files downloaded
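The "log aggregation" bullets above are the core of the analytics idea: a firewall only knows source addresses, so to analyse traffic by person you have to join it with the DHCP log (which host held that address at that moment) and the authentication log (who was logged on to that host). The script below is an added example written for this page, not code from the talk or from any product; the three log formats, the hostnames and the addresses are constructed placeholders.

```python
"""Attributing firewall log lines to people by joining them with DHCP
and authentication logs. Added example: the three log formats below are
constructed for illustration and do not match any vendor's real format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data). One line per event:
# '<timestamp> <event> key=value ...'
DHCP_LOG = """\
2013-05-01T08:01:10 lease ip=10.1.5.23 mac=aa:bb:cc:00:00:01 host=LAB-PC-07
2013-05-01T08:40:00 lease ip=10.1.5.23 mac=aa:bb:cc:00:00:02 host=LAB-PC-09
"""
AUTH_LOG = """\
2013-05-01T08:02:00 login user=alice host=LAB-PC-07
2013-05-01T08:41:30 login user=bob host=LAB-PC-09
"""
FW_LOG = """\
2013-05-01T08:05:12 ALLOW proto=tcp src=10.1.5.23 sport=51022 dst=192.0.2.10 dport=443
2013-05-01T08:06:40 ALLOW proto=udp src=10.1.5.23 sport=51023 dst=192.0.2.53 dport=53
2013-05-01T08:45:00 DENY proto=tcp src=10.1.5.23 sport=51200 dst=198.51.100.9 dport=22
"""


def parse_event(line):
    """Split '<ts> <event> k=v ...' into (datetime, event, {k: v})."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return ts, parts[1], fields


def build_timeline(text, key_field, value_field):
    """key -> time-sorted [(ts, value)], so we can ask what value a key
    (an IP address, a hostname) had at a given moment."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        ts, _event, fields = parse_event(line)
        timeline[fields[key_field]].append((ts, fields[value_field]))
    for entries in timeline.values():
        entries.sort()
    return timeline


def value_at(timeline, key, ts):
    """Most recent value recorded for key at or before ts (None if none).
    Taking the latest lease/login *before* the flow is what stops a
    re-issued DHCP lease being blamed on the previous user of the address."""
    current = None
    for when, value in timeline.get(key, []):
        if when > ts:
            break
        current = value
    return current


def attribute_flows(fw_log=FW_LOG, dhcp_log=DHCP_LOG, auth_log=AUTH_LOG):
    """Walk the firewall log and pin each flow to a host and a person."""
    leases = build_timeline(dhcp_log, "ip", "host")    # IP -> host over time
    logins = build_timeline(auth_log, "host", "user")  # host -> user over time
    rows = []
    for line in fw_log.splitlines():
        ts, action, f = parse_event(line)
        host = value_at(leases, f["src"], ts)
        user = value_at(logins, host, ts) if host else None
        rows.append({
            "time": ts, "user": user or "unknown", "host": host,
            "action": action, "proto": f["proto"],
            "dst": f["dst"], "dport": int(f["dport"]),
        })
    return rows


def summarise(rows):
    """Count flows per (person, protocol, verdict): the 'analyse traffic by
    person / protocol' view rather than by raw source address."""
    counts = defaultdict(int)
    for r in rows:
        counts[(r["user"], r["proto"], r["action"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in attribute_flows():
        print(r["time"], r["user"], r["host"], r["action"], r["proto"], r["dst"], r["dport"])
    print(summarise(attribute_flows()))
```

The same address (10.1.5.23) is held by two different machines on the same morning, so a per-IP view would lump alice's web browsing together with bob's denied SSH attempt; the time-aware join keeps them apart. In a real deployment the joins are the same, only the parsers change per source.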
Firewall history
• Routers
• Access control lists (non-stateful)
• Firewalls
• Stateful firewalls appeared mid 90s
• Fairly simple databases (state tables)
• NAT/PAT complicates things (state tables + src & dst ports)
• Work at Layer 4 in the OSI 7 layer model
3. Network (IP/ICMP)
4. Transport (host-to-host flow control TCP/UDP)
• From wikipedia (sorry!):
“Early attempts at producing firewalls operated at the Application Layer, which is the very top of the seven-layer OSI model. This method required exorbitant amounts of computing power and is rarely used in modern implementations.”
But what about???
• AKA functionality creep
• Intrusion Detection/Prevention Systems
• Virtual Private Networks (S2S, C2S)
• Application control
• Web Proxy
• Anti-virus/malware
• Identity awareness
Complexity creep
• All separate devices – creates problems…
• Network throughput
• Resilience
• Cost (Capital and Revenue)
• Complexity
• Troubleshooting
• Down-time
NG Firewalls
• Massively powerful switch/routers
• Massively powerful analysis engines
• Architected to analyse multiples of 10 Gigabits of traffic in real time
• The type of access-list is entirely different
• Instead of:
• [IP Address A] can access [IP Address B] on [Port Y]
• We can write:
• [Users] in the [Finance Group] can access [Finance systems] during [08.00 until 18.00]
• [All Students] on [IT Suite PCs] can only access [Social networking sites] between [17.00 and 09.00]
• [Anyone] using [bittorrent] can only [upload] at [50kbps]
• [Anyone] using [www] (if not previously known) must [authenticate]
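The four example rules above are expressed in terms of identity, device, application and time rather than address and port. The policy evaluator below is an added example for this page, not the talk's own code or any vendor's policy language; the group names, device names and application labels are constructed placeholders. It encodes all four rules with first-match-wins and a default deny, and handles the one awkward case, a time window such as 17.00 to 09.00 that crosses midnight.

```python
"""Evaluating NG-firewall style policy: rules written in terms of users,
groups, devices, applications and time windows instead of IP/port pairs.
Added example; the group, device and application names are constructed
placeholders, not a real product's policy language."""
from dataclasses import dataclass, field
from datetime import time
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                                   # allow / deny / limit / authenticate
    groups: set = field(default_factory=set)      # empty = anyone
    devices: set = field(default_factory=set)     # empty = any device
    apps: set = field(default_factory=set)        # empty = any application
    dests: set = field(default_factory=set)       # empty = any destination
    direction: Optional[str] = None               # "upload" / "download" / None = either
    start: Optional[time] = None                  # None = all day
    end: Optional[time] = None
    unknown_only: bool = False                    # match only unauthenticated sessions
    detail: str = ""                              # e.g. "50kbps" for a limit


@dataclass
class Request:
    user: Optional[str]        # None = not yet authenticated
    groups: set
    device: str
    app: str
    dest: str
    when: time
    direction: str = "download"


def in_window(start, end, t):
    """True if t lies in [start, end). A window may wrap past midnight
    (17:00 to 09:00), in which case it is 'after start OR before end'."""
    if start is None:
        return True
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def matches(rule, req):
    """Every populated field of the rule must agree with the request."""
    if rule.groups and not (rule.groups & req.groups):
        return False
    if rule.devices and req.device not in rule.devices:
        return False
    if rule.apps and req.app not in rule.apps:
        return False
    if rule.dests and req.dest not in rule.dests:
        return False
    if rule.direction and req.direction != rule.direction:
        return False
    if rule.unknown_only and req.user is not None:
        return False
    return in_window(rule.start, rule.end, req.when)


def evaluate(policy, req):
    """First matching rule wins; nothing matching is denied (least privilege)."""
    for rule in policy:
        if matches(rule, req):
            return rule.action, rule.name, rule.detail
    return "deny", "default", ""


# The four rules from the slide, plus the explicit denies they imply.
POLICY = [
    Rule("finance-hours", "allow", groups={"Finance"}, dests={"finance-systems"},
         start=time(8), end=time(18)),
    Rule("finance-out-of-hours", "deny", groups={"Finance"}, dests={"finance-systems"}),
    Rule("students-social-evening", "allow", groups={"Students"}, devices={"IT Suite PC"},
         apps={"social-networking"}, start=time(17), end=time(9)),
    Rule("students-social-daytime", "deny", groups={"Students"}, devices={"IT Suite PC"},
         apps={"social-networking"}),
    Rule("bittorrent-upload-cap", "limit", apps={"bittorrent"}, direction="upload",
         detail="50kbps"),
    Rule("www-must-authenticate", "authenticate", apps={"www"}, unknown_only=True),
    Rule("www-known-users", "allow", apps={"www"}),
]


if __name__ == "__main__":
    req = Request("s1", {"Students"}, "IT Suite PC", "social-networking", "example.org", time(23))
    print(evaluate(POLICY, req))
```

Contrast this with the old form, where `[IP Address A] can access [IP Address B] on [Port Y]` would be a single `dests`/port check and nothing else: the engine has to know who the user is (authentication log or identity agent), what device they are on and which application the flow carries before any of these rules can even be tested, which is exactly the data-gathering the earlier slides describe.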
Where do we need them?
Two basic tenets of information security –
Principle of least privilege
Defense in depth
Everywhere!
• Networks
• Clients
• Servers
• Applications
When is lunch!
NOW!
Thank you for listening
Any Questions?