Using Effective Configuration Management to Detect & Respond to Zero-Day and APT Attacks
DESCRIPTION
As malware becomes more sophisticated and insider threats more persistent, the need to closely monitor systems is more important than ever. Good configuration management can provide vital insight into potentially dangerous changes in your environment.
TRANSCRIPT
USING EFFECTIVE CONFIGURATION MANAGEMENT TO DETECT AND RESPOND
TO ZERO-DAY AND APT ATTACKS
Presentation Overview
• Magic Trick
• The Problem
• Anatomy of an Attack
• Manage Change, Protect Systems
Speakers
Andrew Plato, President / CEO, Anitian Enterprise Security
Mark Kerrison, CEO, NNT Workplace Solutions
MAGIC!
Configuration Management
A Little Magic
Pick a Card – Any Card
Do you have it… Now watch in amazement as I make your card disappear!!!!
TAH DAH!
Tah Dah!
THE PROBLEM
Configuration Management
Current Defences are Inadequate
• Firewall & IPS – Zero day and APT style attacks can bypass signatures or hide inside encrypted tunnels
• Web & Email Filters – Rely on signatures and interception, which also can be bypassed
• Anti-virus – Even the base AV products are only about 90% effective
• Encryption – Can actually hide threats inside encrypted areas
• None of these can stop the most sinister threat – complacency
• “We’ve got security in place so we are secure...right?”
NSS Labs Correlation of Detection Failures
• http://bit.ly/nss-did
• 606 unique combinations of devices
• NGFW+IPS, IPS+endpoint, NGFW+endpoint, etc.
• Only 3% (19 combinations) could block all exploits
• Bypassed exploits were all vulnerabilities in common applications
• The message is clear: current defense in depth methods are flawed
• This is why APT-style attacks are successful
ANATOMY OF AN ATTACK
Configuration Management
Anatomy of a Hack
Step 1 – Gone Phishing – could be random spam, could be targeted ‘spear phishing’ attack on identified user
Anatomy of a Hack
This looks interesting – I’ll click on the link...
Step 2 – Sucker! – the user welcomes in the malware, and as an ‘authorized’ download the malware gets in
Anatomy of a Hack
Step 3 – Infiltrated, Infected and In Trouble – At worst, a rootkit infection provides a platform through which other malware can be introduced and protected from detection and removal
Anatomy of a Hack
Step 4 – A Victim of Crime – malware can spread itself to data stores and send back personal information, card data, intellectual property, financial data...
Anatomy of a Hack
Alternatively – Inside Man abuses Sys Admin rights to install malware or open up systems to infection...
Anatomy of a Hack
...or simply steals data directly
The Art of Layered Security
We need threats to follow the script...
The Art of Layered Security
When they don’t, we’re exposed!
Insider attacks, zero day and APT can bypass security controls
Insider Threats APT Zero Day
MANAGE CHANGE, PROTECT SYSTEMS
Configuration Management
You never know how they might get you!
• You have to know what good looks like first
What does good look like in our environment?
Spot the difference
Get Systems into a Known-Good State
Then Keep Them There!
Right...nobody move!
Monitor for Changes
Investigate Change
Review the Change
Pinpoint What Changed, When and by Whom
Gotcha!
• Now that you know what changed, you can change it back
• You also have data, valuable data on what really happened
• There is no guessing or conjecture: you know what changed, where, when, and who did it.
• You can also correlate this data with firewall, IDS/IPS, web filter, and AV logs to see if there are related events
• Armed with real data, you can make a real decision about security
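The known-good baseline, change monitoring and "what changed, where, and by whom" report that these slides describe, written out as a small file-integrity checker. This is an added example, not code from the presentation or from any NNT or Anitian product; the directory contents, file names and the three unplanned changes in run_demo are constructed for the demonstration.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Known-good baseline: hash, size, permissions, mtime and owner of every regular file under root."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue                       # symlinks and directories are out of scope for this demo
        st = path.stat()
        state[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.filemode(st.st_mode),
            "mtime": int(st.st_mtime),     # "when" the file last changed
            "uid": st.st_uid,              # "who" owns it (0 on platforms without POSIX uids)
        }
    return state

def diff_snapshots(baseline, current):
    """Compare a later snapshot against the baseline; 'modified' lists each changed attribute as (old, new)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        changes = {k: (baseline[name][k], current[name][k])
                   for k in baseline[name] if baseline[name][k] != current[name][k]}
        if changes:
            modified[name] = changes
    return {"added": added, "removed": removed, "modified": modified}

def run_demo():
    """Constructed scenario: baseline a config directory, then make three unplanned changes and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("debug = off\n")
        (root / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        baseline = snapshot(root)                              # the "nobody move!" point
        (root / "app.conf").write_text("debug = on\n")        # a setting silently changed
        (root / "hosts.allow").unlink()                        # an access control removed
        (root / "extra.conf").write_text("unexpected = yes\n")  # a file nobody planned
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the baseline would be stored off-host and signed, and the report fed to the same log correlation the slide describes so each change can be matched against an approved change ticket.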
Let’s plan changes – so we know about them
Wait for my instructions via email
Closed Loop Change Management!
• Planned changes are happy changes
• We did what we said we would do
Take-Aways
• Get IT systems into a known, good state (which is also a compliant state!)
• When you know what good looks like, it becomes easier to spot something bad
• Disclose monitoring practices to everybody to discourage insider attacks
• Reject unplanned changes
• Combine Change & Configuration Management, File Integrity Monitoring and System Hardening to detect all moving parts
• Add context with a Compliance Dashboard
QUESTIONS
?
Thank You
WEB: www.newnettechnologies.com
www.anitian.com
SLIDES: [email protected] for a copy of the presentation or visit www.slideshare.net/andrewplato
BLOG: blog.anitian.com