Information Security Management: Protecting IT Assets from Current and Future Threats John McCumber Strategic Program Manager

Upload: jerome-carson

Post on 29-Dec-2015


TRANSCRIPT

Information Security Management: Protecting IT Assets from Current and Future Threats
John McCumber, Strategic Program Manager

Key Information Security Challenges:

• Blurring lines: “securing” IT assets vs. “managing” them: who ultimately has the responsibility?

• Too much information: the deluge of security news (e.g. viruses, new patches) must be custom formatted for my environment – takes time!

• Shortage of trained and experienced personnel

• Need to wrap protection around evolving architectures and business models (e.g. wireless LANs, remote access)

• Investment in new security tools necessitates a new console to manage, alerts to correlate

• “Undesired” ranks are expanding: blended threats, P2P, spam, “spyware,” insider threats – together require more than traditional server and desktop solutions

World-Wide Attack Trends (chart; image not recoverable)

• X axis: 1996–2003 (2003 estimated)
• Series: Malicious Code Infection Attempts* and Network Intrusion Attempts**
• Two Y axes, with tick ranges 25,000–150,000 and 100M–900M (which series belongs to which axis is not recoverable from the extraction)
• Annotated milestones: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer)

*Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2003 estimated. **Source: CERT

Software Vulnerabilities (chart; source: Bugtraq vulnerabilities)

• Average number of new vulnerabilities discovered every week, by year
• X axis: 1999, 2000, 2001, 2002, 2003
• Y axis: 0–70
• Bar labels, in year order: 10, 25, 30, 50, 60

Vulnerability Trend Highlights

• Newly discovered vulnerabilities are increasingly severe. Accordingly, the number of low severity vulnerabilities is decreasing. High-severity vulnerabilities give increased privileges and access to more prominent targets.

Breakdown of Volume by Severity (chart; image not recoverable)

• X axis: Month
• Y axis: New vulnerabilities

Vulnerability Trend Highlights

• Symantec reports that 70% of the vulnerabilities found in 2003 could be easily exploited, due to the fact that an exploit was either not required or was readily available. This is a 10% increase over 2002, where only 60% were easily exploitable.

Percentage of Easily Exploitable New Vulnerabilities (chart; image not recoverable)

• X axis: Month, Jan02 through Nov03 in two-month steps (Jan02, Mar02, May02, Jul02, Sep02, Nov02, Jan03, Mar03, May03, Jul03, Sep03, Nov03)
• Y axis: Percentage of vulnerabilities, 0%–100%

Attack Trend Highlights

• Almost one third of all attacking systems targeted the vulnerability exploited by Blaster and its successors. Other worms that surfaced in previous periods continue to survive and target Firewall and IDS systems globally. A sufficient number of unpatched systems remain to sustain them.

Rank  Port       Description                                       Percentage of Attackers
1     TCP/135    Microsoft / DCE-Remote Procedure Call (Blaster)   32.9%
2     TCP/80     HTTP / Web                                        19.7%
3     TCP/4662   E-donkey / Peer-to-peer file sharing              9.8%
4     TCP/6346   Gnutella / Peer-to-peer file sharing              8.9%
5     TCP/445    Microsoft CIFS Filesharing                        6.9%
6     UDP/53     DNS                                               5.9%
7     UDP/137    Microsoft CIFS Filesharing                        4.7%
8     UDP/41170  Blubster / Peer-to-peer Filesharing               3.2%
9     TCP/7122   Unknown                                           2.5%
10    UDP/1434   Microsoft SQL Server (Slammer)                    2.4%
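The table above is the output of a simple aggregation: for each destination port, the share of distinct attacking hosts that probed it. The script below is an added example, not part of the presentation, that produces the same kind of ranking from firewall-style drop logs. The log line format, the sample lines (RFC 5737 documentation addresses) and the function names are assumptions made for this example; the port descriptions it knows about are copied from the table above, everything else is reported as "Unknown".

```python
"""Rank targeted ports by the percentage of distinct attacking hosts.

Added example, not code from the presentation. The log format below is an
assumption: "<timestamp> DROP <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>".
"""
from collections import defaultdict
import re

# Constructed sample log (documentation address ranges, not real attackers).
SAMPLE_LOG = """\
2003-08-11T00:01:02 DROP TCP 198.51.100.10:1025 -> 192.0.2.5:135
2003-08-11T00:01:03 DROP TCP 198.51.100.10:1026 -> 192.0.2.6:135
2003-08-11T00:01:05 DROP TCP 198.51.100.11:3210 -> 192.0.2.5:135
2003-08-11T00:01:07 DROP TCP 198.51.100.12:4455 -> 192.0.2.7:80
2003-08-11T00:01:09 DROP UDP 198.51.100.13:1434 -> 192.0.2.8:1434
2003-08-11T00:01:11 DROP TCP 198.51.100.14:2222 -> 192.0.2.5:135
2003-08-11T00:01:12 DROP TCP 198.51.100.14:2223 -> 192.0.2.9:445
2003-08-11T00:01:15 DROP TCP 198.51.100.15:5555 -> 192.0.2.5:80
2003-08-11T00:01:16 garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):\d+\s+->\s+[\d.]+:(?P<dport>\d+)$"
)

# Descriptions taken from the presentation's table; anything else is "Unknown".
PORT_DESCRIPTIONS = {
    "TCP/135": "Microsoft / DCE-Remote Procedure Call (Blaster)",
    "TCP/80": "HTTP / Web",
    "TCP/445": "Microsoft CIFS Filesharing",
    "UDP/1434": "Microsoft SQL Server (Slammer)",
}


def attackers_by_port(log_text):
    """Return {'PROTO/port': set of source IPs} from the log, skipping unparsable lines."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line: ignore rather than abort
        targets[f"{m['proto']}/{m['dport']}"].add(m["src"])
    return targets


def rank_ports(log_text):
    """Rank ports by the percentage of distinct attacking hosts that probed them.

    Returns a list of (rank, port, description, attacker_count, percentage).
    A host that probes several ports is counted once per port, so the
    percentages can sum to more than 100%, just as a "percentage of
    attackers" column in a threat report can.
    """
    targets = attackers_by_port(log_text)
    all_attackers = set().union(*targets.values()) if targets else set()
    total = len(all_attackers)
    rows = []
    for port, ips in targets.items():
        pct = round(100.0 * len(ips) / total, 1) if total else 0.0
        rows.append((port, PORT_DESCRIPTIONS.get(port, "Unknown"), len(ips), pct))
    # Most attackers first; tie-break on port name so the order is deterministic.
    rows.sort(key=lambda r: (-r[2], r[0]))
    return [(i + 1, *r) for i, r in enumerate(rows)]


if __name__ == "__main__":
    print(f"{'Rank':<5}{'Port':<10}{'Description':<50}{'Attackers':>10}{'Pct':>8}")
    for rank, port, desc, n, pct in rank_ports(SAMPLE_LOG):
        print(f"{rank:<5}{port:<10}{desc:<50}{n:>10}{pct:>7.1f}%")
```

Counting distinct source addresses rather than raw packets is what makes the figure comparable across ports: a single noisy host hammering TCP/135 would otherwise dominate the table. On the constructed sample, TCP/135 comes out at 50.0% of the six attacking hosts and TCP/80 at 33.3%.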

How do we achieve proactive security management to mitigate current and future risks?

Focus on four key elements:

• Alert – gain early warning, take evasive action

• Protect – deploy defense-in-depth

• Respond – react in prioritized fashion

• Manage – applies to a 360-degree view of security and managing the secure lifecycles of our individual assets

Security Fundamentals (diagram; image not recoverable)

Four quadrants, Alert / Protect / Respond / Manage, laid out on a Proactive–Control axis. Items shown, in the order they appear:

• Early awareness of threats; "listening posts"
• Prevent unwanted attacks; detect physical breaches; security of information assets
• Internal: workflow, auto-configuration, disaster recovery
• External: hotline, signature updates
• Environment: policies and vulnerabilities; device/patch configuration; user access; identity management
• Information: events and incidents

Alert: Spotting the ‘Blaster’ worm early

DeepSight Notification

IP Addresses Infected With The Blaster Worm

7/16 - DeepSight Alerts & TMS initial alerts on the RPC DCOM attack

7/23 - DeepSight TMS warns of suspected exploit code in the wild. Advises to expedite patching.

7/25 - DeepSight TMS & Alerts update with a confirmation of exploit code in the wild. Clear text IDS signatures released.

8/5 - DeepSight TMS Weekly Summary warns of impending worm.

8/7 - TMS alerts stating activity is being seen in the wild.

8/11 - Blaster worm breaks out. ThreatCon is raised to level 3.

The Convergence Imperative

• Assure security policy compliance

• Receive early awareness of threats

• Prevent & detect attacks & breaches

• Protect privacy of information

• Rapidly & easily recover from loss of critical systems & information

• Ensure via policies that adequate storage is available for applications & backup

• Create secure archives for preserving information assets

• Discover & track HW/SW assets

• Provision, update & configure systems via automated policies

• Instantly push security patches & signatures to all managed devices

• Assure software license compliance & remove unauthorized applications

• De-provision & repurpose systems securely

• Threat, vulnerability & event-driven patch & configuration management

Solving the Convergence Challenge

• Policy-driven backup

• Monitor storage resources & perform corrective action

• System & data recovery

• Threat, vulnerability & event-driven backup

• Recovery from attack

Management in Action: Integrated Security, Systems & Storage (diagram; image not recoverable)

• Inputs: Threat, Vulnerabilities, Attack (via the SEA platform)
• Risk states: Normal → Alert → High Risk → Normal
• Patch workflow: Scan → Test → Deploy → Remove Vulnerability
• Protect: adjust protection granularity (depth & frequency of backup) to the current risk state
• Recover: rapid recovery from attack or faulty patch
• Driven by Alert Action Policies

Summary

• Risk is escalating: Threats are more complex, exploiting more vulnerabilities in less time – requires more comprehensive strategies leveraging integrated capabilities and strengths

• In the public sector, there are additional strong catalysts driving the "A.P.R.M." approach, such as compliance (e.g. FISMA) and safely enabling information-sharing. Take advantage of tools that serve multiple needs (e.g. asset inventory, policy compliance and patch management)

• Given the nature of threats, we need to play to natural strengths gained through merging security, system and storage functions – on both a technology and personnel level

• Knowing what we have, how it is configured, and how it can be restored – in the context of what is happening “in the wild” (exploits, vulnerabilities, patterns) is the best defense for what the future brings

Thank You!