IT-security in the Ubiquitous Computing World. Chris Kuo, CISSP, CISA, [email protected], Acer eDC (e-Enabling Data Center), Acer Inc. 2007/3/27
IT-security in the Ubiquitous Computing World
Goals of Information Security
Target of Protection: Data
Goals of Protection: Confidentiality, Integrity and Availability of Data
– Confidentiality: ensure the data is not disclosed improperly
– Integrity: ensure the data is correct
– Availability: ensure the data is available and timely
Attacks on availability of PC Grid
Enterprises may use a PC grid to run complicated and critical applications that the business relies on
A PC grid relies on the health of the underlying PCs
[Diagram: the grid built from many individual PCs]
A virtualized computer using security mechanisms such as authentication, digital signatures, encryption, etc.
New malware cannot be detected by AV or IDS
Phenomena:
– network congestion or system overload
– un-noticed information leak by backdoor
– devices can be illegally controlled remotely
Solution:
– monitor network behavior to catch malware activities
– identify malware hosts
– perform forensics on hosts
Malware Detection Example (I)
Set filtering rules and get the events of interest
– Outbound connections to hosts in China that were denied by the firewall
Malware Detection Example (II)
The Event Diagram shows suspicious hosts
Inspect the hosts to get suspicious files
Malware Monitoring
Information Source: Firewall
– The firewall holds logs of all traffic transactions, permitted or denied
– Considerable resources and capabilities are required to analyze firewall logs effectively, "in real-time!"
• In Acer SOC, about 100M events per day!
Network Behavior Model
– From firewall logs, the legal/illegal network behavior model of a site may be constructed
– Rules to allow, or to detect and alert on, network behavior must be established
– Illegal behavior, once identified, must be alerted in the form of "security incidents"
– The response team must address security incidents within the specified time (under SLA) and perform forensic actions to understand the intrusion
In 2006, Acer SOC uncovered >200 new malware!
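To make the filtering rule from the detection example and the incident flow from this slide concrete, here is an added Python example (not code from the slides or from Acer SOC) that runs the rule over constructed firewall log lines. The log field layout, the internal address prefix and the alert threshold are assumptions.

```python
"""Filter constructed firewall log lines for denied outbound connections to a
watched country, then turn repeated hits per source host into security incidents."""
from collections import defaultdict

# Constructed sample log lines (not real SOC data). Assumed field order:
# timestamp action src_ip dst_ip dst_port dst_country
SAMPLE_LOG = """\
2007-03-27T10:00:01 DENY 10.1.1.5 203.0.113.10 6667 CN
2007-03-27T10:00:02 DENY 10.1.1.5 203.0.113.11 6667 CN
2007-03-27T10:00:03 DENY 10.1.1.5 203.0.113.12 6667 CN
2007-03-27T10:00:04 PERMIT 10.1.1.5 198.51.100.7 80 US
2007-03-27T10:00:05 DENY 10.1.1.9 203.0.113.10 80 CN
2007-03-27T10:00:06 PERMIT 10.1.1.20 198.51.100.9 443 US
2007-03-27T10:00:07 DENY 10.1.1.20 203.0.113.20 25 DE
"""
INTERNAL_PREFIX = "10."  # assumption: the site's internal address space


def parse_line(line):
    ts, action, src, dst, dport, country = line.split()
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "dport": int(dport), "country": country}


def filter_events(log_text, country="CN"):
    """Filtering rule: outbound connections to the watched country that the firewall denied."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        outbound = ev["src"].startswith(INTERNAL_PREFIX) and not ev["dst"].startswith(INTERNAL_PREFIX)
        if outbound and ev["action"] == "DENY" and ev["country"] == country:
            events.append(ev)
    return events


def suspicious_hosts(events, threshold=3):
    """Count distinct denied destinations per source host (the 'event diagram' view)
    and flag hosts that reach the threshold."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["src"]].add((ev["dst"], ev["dport"]))
    return {src: sorted(dsts) for src, dsts in per_host.items() if len(dsts) >= threshold}


def raise_incidents(hosts):
    """Turn flagged hosts into security-incident records for the response team to work under SLA."""
    return [{"host": h, "hits": len(d), "status": "open",
             "action": "inspect host for suspicious files"} for h, d in sorted(hosts.items())]
```

A single denied connection is left below the threshold on purpose: one blocked packet is noise at 100M events per day, while a host repeatedly reaching for several blocked destinations is the pattern the event diagram is meant to surface.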
Security Management Flow
[Diagram: Event Sources feed the Workflow Layer: Case Assignment, Trouble Shooting, Resolution and Tracking]
Security Management Platform
A system to monitor/manage 1000+ customers
A system worth 2M~3M US dollars
A distributed PC grid may save money and management effort
Summary
Ubiquitous computing (like the PC grid) has raised the importance of client devices
The network behavior of client devices must be modelled to allow a comprehensive view of security
– Firewall logs are the sole source for understanding comprehensive network behavior
– Network behavior is monitored in real-time via SOC operations
Existing AV systems, along with the SOC, are part of the defense infrastructure
Defense weaponry
– AV system: to detect any known virus events
– AV monitoring: collecting AV event messages from the AV server
Grid computing has the potential to be used in security information management