Page 1
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
HP ArcSight: information security incident monitoring and SIEM systems in industrial networks
Igor Bazhin
Commercial representative, HP ESP
16 June 2015, Yekaterinburg
Page 2
Agenda
Tactics
Strategy
Examples from practice
Page 5
Section: Tactics
Tactics
Strategy
Examples from practice
Page 6
Information protection measures (FSTEC Order No. 31)
identification and authentication of access subjects and access objects;
access control of access subjects to access objects;
restriction of the software environment;
protection of machine-readable storage media;
security event logging;
anti-virus protection;
intrusion detection (prevention);
control (analysis) of information security;
integrity of the automated control system and of information;
availability of technical means and information;
protection of the virtualization environment;
protection of technical means and equipment;
protection of the automated system and its components;
secure development of application and special-purpose software;
software update management;
planning of information protection activities;
ensuring actions in emergency situations;
informing and training of personnel;
analysis of threats to information security and of the risks of their realization;
incident detection and response;
configuration management of the automated control system and of its protection system
Page 7
How to live with this?
7 to 15 different security tools (SZI)
3 to 5 people in the information security department
Points of presence across the whole of Russia
Constant staff turnover
Page 8
Make all systems speak the same language
Windows
Failed Login Event
Oracle
Failed Login Event
UNIX
Failed Login Event
Badge Reader
Entry Denied
OS/390
Failed Login Event
Page 9
Make all systems speak the same language
Page 10
Section: Strategy
Tactics
Strategy
Examples from practice
Page 11
Incident investigation
Page 12
Compliance assurance
Page 13
Use cases
Compliance Monitoring - NERC CIP 002-009, PCI, and SOX (for large investor owned utilities)
Critical Asset Monitoring – specifically those that can impact the reliability of electric supply
User Activity Monitoring – Insider Threat, Privileged User Monitoring, User Monitoring, Shared Account Detection
SCADA Infrastructure Monitoring
Perimeter Security, Physical Security
Log Management – efficient long term storage, retention policies, compliance reporting, forensics
Page 14
The whole is greater than the sum of its parts
• Monitoring of privilege granting
• Separation of duties
• HR information
• Fraud prevention
• Internal audit controls
• NERC
• ISA/IEC
• Security Council of the Russian Federation / FSTEC
• Internal requirements
• Event collection and analysis
• Configuration standards
• Incident monitoring
• Vulnerability management
Incident management
Compliance with standards
Access rights control
Business process protection
Page 15
Comprehensive protection project
Incident management
Event collection and analysis
Configuration standards
Vulnerability management
Incident monitoring
Compliance with standards
NIST, NERC, FSTEC
Access rights control
Monitoring of privilege granting
HR information
Separation of duties
Business process protection
Fraud prevention
Page 16
Section: Examples from practice
Tactics
Strategy
Examples from practice
Page 17
Reputation analysis
Diagram labels: firewall, proxy; botnet command-and-control servers; stolen information; command and control; infected PC; theft of passwords and information; spread of infection; destructive actions.
Page 18
Reputation analysis
DVLabs analysts
DVLabs sensors around the world
Customers' TippingPoint IDS/IPS sensors
Third-party analyst teams
Analyst communities (eSoft, SANS...)
Your own data
Page 19
Reputation analysis
Page 20
Activity profiling
Page 21
SCADA Protocols - TippingPoint IPS
Modbus
Distributed Network Protocol 3 (DNP3)
Inter-Control Center Communications Protocol (ICCP)
Utility Communications Architecture 2.0 (UCA 2.0) and International Electrotechnical Commission (IEC) 61850 Standards
Controller Area Network (CAN)
Control Information Protocol (CIP)
DeviceNet
ControlNet
OLE for Process Control (OPC)
Profibus
Fieldbus
Page 22
Modbus Filters - TippingPoint IPS
MODBUS: Force Listen Mode Only
MODBUS: Encapsulated Interface Read Device Identification
MODBUS: Restart Communication
MODBUS: Clear Counters and Diagnostic Registers
MODBUS: Unauthorized Read Request
MODBUS: Unauthorized Write Request
MODBUS: Report Slave ID
MODBUS: Fragmented Modbus Query TCP Packet
MODBUS: Automated Solutions Heap Corruption Vulnerability (TSRT-07-10)
MODBUS: Encapsulated Interface CANopen General Request *
MODBUS: Unauthorized Write Response*
MODBUS: Unauthorized Write Mask*
MODBUS: Unauthorized Read FIFO Queue*
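Most of the filter names above are not signatures of a specific exploit but policy decisions about the Modbus function code: a write or a diagnostic sub-function arriving from a host that is only supposed to poll values is itself the event. The Python example below is added here and is not TippingPoint's or the presentation's code; it decodes the Modbus/TCP MBAP header and function code (public protocol fields), checks the declared length against what actually arrived (the "fragmented query" case), and evaluates each request against a hypothetical per-client allowlist. The client addresses, the allowlist and the sample frames are constructed. It also labels the diagnostics sub-functions that several of the filters name (Force Listen Only Mode, Restart Communications, Clear Counters and Diagnostic Registers) and the Report Server ID and Encapsulated Interface requests.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Modbus function codes grouped by their effect on the device (values from the public Modbus spec).
READ_FC = {1, 2, 3, 4, 7, 20, 24}        # 24 = Read FIFO Queue
WRITE_FC = {5, 6, 15, 16, 21, 22, 23}    # 22 = Mask Write Register, 23 = Read/Write Multiple Registers
DIAG_FC = {8}
MGMT_FC = {17, 43}                       # 17 = Report Server ID, 43 = Encapsulated Interface Transport
DIAG_SUBFUNCTIONS = {
    0x0001: "Restart Communications Option",
    0x0004: "Force Listen Only Mode",
    0x000A: "Clear Counters and Diagnostic Registers",
}

# Hypothetical allowlist: the request classes each client is expected to send.
ALLOWED = {
    "10.0.0.5": {"read"},            # HMI: polls values only
    "10.0.0.7": {"read", "write"},   # engineering workstation
}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes
    problem: Optional[str] = None    # set when the frame could not be decoded cleanly

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and verify the PDU length it declares."""
    if len(frame) < 8:
        return ModbusRequest(0, 0, 0, b"", "truncated: shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0:
        return ModbusRequest(tid, unit, pdu[0], pdu[1:], f"protocol id {proto} is not Modbus (0)")
    if len(pdu) != length - 1:   # length field counts unit id + PDU
        return ModbusRequest(tid, unit, pdu[0], pdu[1:],
                             f"fragmented or inconsistent length: header declares {length - 1} PDU bytes, got {len(pdu)}")
    return ModbusRequest(tid, unit, pdu[0], pdu[1:])

def classify(req: ModbusRequest) -> Tuple[str, str]:
    """Return (request class, human-readable detail) for a parsed request."""
    fc = req.function_code
    if fc in READ_FC:
        return "read", f"read request fc={fc}"
    if fc in WRITE_FC:
        return "write", f"write request fc={fc}"
    if fc in DIAG_FC:
        sub = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
        name = DIAG_SUBFUNCTIONS.get(sub, f"sub-function 0x{sub:04X}" if sub is not None else "missing sub-function")
        return "diagnostic", f"diagnostics: {name}"
    if fc in MGMT_FC:
        return "management", "Report Server ID" if fc == 17 else "Encapsulated Interface Transport"
    return "unknown", f"unknown function code {fc}"

def evaluate(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Policy decision for one frame: ('ok' | 'alert', reason)."""
    req = parse_modbus_tcp(frame)
    if req.problem:
        return "alert", f"MODBUS: {req.problem} from {src_ip}"
    kind, detail = classify(req)
    if kind in ("diagnostic", "management"):
        # Not part of normal polling or control traffic; always surface for review.
        return "alert", f"MODBUS: {detail} from {src_ip}"
    if kind not in ALLOWED.get(src_ip, set()):
        return "alert", f"MODBUS: Unauthorized {kind} request (fc={req.function_code}) from {src_ip}"
    return "ok", f"MODBUS: {detail} from {src_ip} (unit {req.unit_id})"

# Constructed sample frames: MBAP header (tid, proto=0, length, unit) followed by the PDU.
SAMPLE_TRAFFIC = [
    ("10.0.0.5",  bytes.fromhex("00010000000601030000000a")),   # Read Holding Registers, 10 registers
    ("10.0.0.7",  bytes.fromhex("0002000000060106001000ff")),   # Write Single Register from the workstation
    ("10.0.0.99", bytes.fromhex("0003000000060106001000ff")),   # same write from a host not in the allowlist
    ("10.0.0.5",  bytes.fromhex("000400000006010800040000")),   # Diagnostics, sub-function Force Listen Only Mode
    ("10.0.0.5",  bytes.fromhex("00050000000601030000")),       # header declares 5 PDU bytes, only 3 present
    ("10.0.0.5",  bytes.fromhex("0006000000020111")),           # Report Server ID
]

def run_samples():
    return [(src, *evaluate(src, frame)) for src, frame in SAMPLE_TRAFFIC]

if __name__ == "__main__":
    for src, verdict, reason in run_samples():
        print(f"{verdict.upper():5} {reason}")
```

Note that the allowlist is keyed on the client address and the request class, not on register addresses; a production rule set would normally narrow writes further to the registers each workstation is expected to touch.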
Page 23
DNP3 Filters - TippingPoint IPS
DNP3: Disable Unsolicited Responses
DNP3: Cold Restart from Un/Authorized Client
DNP3: Unauthorized Read Request to a PLC
DNP3: Unauthorized Write Request to a PLC
DNP3: Unauthorized Miscellaneous Request to a PLC
DNP3: Stop Applications
DNP3: Warm Restart
DNP3: Broadcast Request from Un/Authorized Client
DNP3: Fragmented DNP3 Query TCP packet
DNP3: Request Link Status
Page 24
Event collection in physically isolated (air-gapped) networks
Page 25
Your questions
Page 26
RISI Online Incident Database
It includes: incidents of a cyber security nature that directly affect industrial Supervisory Control and Data Acquisition (SCADA) and process control systems, accidental cyber-related incidents, as well as deliberate events such as external hacks, Denial of Service (DoS) attacks, and virus/worm infiltrations, plus much more!
http://www.risidata.com/
Page 27
Operational Guidelines for Industrial Security
Proposals and recommendations for technical and organizational measures for the secure operation of plant and machinery.
Defense-in-depth architecture to protect automated production plants, an overview of security measures, etc.
https://www.industry.siemens.com/topics/global/en/industrial-security/Documents/operational_guidelines_industrial_security_en.pdf
Page 28
Security Concept PCS 7 and WinCC
The "Security Concept PCS 7 and WinCC" is intended to ensure that only authenticated users can perform authorized (permitted) operations through the operating options assigned to them on authenticated devices. These operations should only be performed via defined and planned access routes to ensure safe production or coordination of a job without danger to humans, the environment, the product, the goods to be coordinated and the business of the enterprise.
http://w3.siemens.com/topics/mea/en/industrial-security/documents/wp_sec_en.pdf