Today’s IT Attacks: An IT Security Strategy To Protect Your Assets
Francis deSouza, Symantec. Session ID: SPO1-107. Session Classification: Intermediate
RSA 2010 Francis De Souza

Jan 12, 2015

Technology

Symantec

Francis De Souza's presentation at RSA 2010. Session ID: SPO1-107; Session Classification: Intermediate
Transcript
Page 1: RSA 2010 Francis De Souza

Francis deSouza

Symantec

Session ID: SPO1-107

Session Classification: Intermediate

Today’s IT Attacks: An IT Security Strategy To Protect Your Assets

Page 2: RSA 2010 Francis De Souza

Agenda

Sources of a Breach

Security Market Drivers

Breach Analysis

Security Strategy

Page 3: RSA 2010 Francis De Souza

A CRIME IS COMMITTED EVERY ¼ OF A SECOND ON THE WEB

Page 4: RSA 2010 Francis De Souza

1 IN 5 WILL BE A VICTIM OF CYBER CRIME

Page 5: RSA 2010 Francis De Souza

100% OF ENTERPRISES HAVE EXPERIENCED CYBER LOSSES

Page 6: RSA 2010 Francis De Souza

CYBER ATTACKS COST COMPANIES AN AVERAGE OF $2 MILLION ANNUALLY

Page 7: RSA 2010 Francis De Souza

75% OF ALL ENTERPRISES HAVE EXPERIENCED CYBER ATTACKS IN THE PAST 12 MONTHS

Page 8: RSA 2010 Francis De Souza

43% OF COMPANIES LOST CONFIDENTIAL DATA IN 2009

Page 9: RSA 2010 Francis De Souza

ENTERPRISE SECURITY IS BECOMING MORE DIFFICULT

Page 10: RSA 2010 Francis De Souza

Sources Of A Breach

Organized Criminal

Targeted Attackers

Well Meaning Insider

Malicious Insider

Page 11: RSA 2010 Francis De Souza

History of Targeted Attacks

1998|1999|2000|2001|2002|2003|2004|2005|2006|2007|2008|2009|2010

Solar Sunrise: Attacks stealing passwords from DoD systems conducted by 2 Californian and 1 Israeli teenager

US Government: Systems in the Department of Defense, State, Commerce, Energy, and NASA all compromised and terabytes of information confirmed stolen.

January 12: Google announces they have been a victim of a targeted attack

Moonlight Maze: Attacks targeting US military secrets reported to be conducted by Russia

Titan Rain: Coordinated attacks on US government military installations and private contractors

Ghostnet: Attacks on Tibetan organizations and embassies of many EMEA countries, and NATO systems.

Page 12: RSA 2010 Francis De Souza

Anatomy Of A Breach

> Incursion

> Discovery

> Capture

> Exfiltration

Page 13: RSA 2010 Francis De Souza

Mass Attack vs Targeted Attack

Phase | Mass Attack | Targeted Attack
Incursion | Generic social engineering; by-chance infection | Handcrafted and personalized methods of delivery
Discovery | Typically no discovery, assumes content is in a predefined and predictable location | Examination of the infected resource, monitoring of the user to determine additional accessible resources, and network enumeration
Capture | Predefined specific data or data which matches a predefined pattern such as a credit card number | Manual analysis and inspection of the data
Exfiltration | Information sent to a dump site often with little protection and dump site serves as long term storage | Information sent back directly to the attacker and not stored in a known location for an extended period

Page 14: RSA 2010 Francis De Souza

Security Market Drivers: Incursion

In 2009 spam accounted for 90% of all email traffic

In 2008, Symantec documented 5,471 vulnerabilities, 80% of which were easily exploitable

90% of incidents wouldn’t have happened if systems were patched

In 2009 we found 47,000 active bot-infected computers per day

Page 15: RSA 2010 Francis De Souza

Security Market Drivers: Discovery

91% of records compromised in 2008 involved organized crime targeting corporate information

81% of attacked companies were non-compliant in PCI

67% of breaches were aided by insider negligence

Page 16: RSA 2010 Francis De Souza

Security Market Drivers: Capture

285 million records were stolen in 2008, compared to 230 million between 2004 and 2007

Credit card detail accounts for 19% of all goods advertised on underground economy servers

IP theft costs companies $600 billion globally

Page 17: RSA 2010 Francis De Souza

Security Market Drivers: Exfiltration

“Hackers Targeted Source Code of More Than 30 Companies” Jan 13, Wired.com

“SS Numbers Of Californians Accidently Disclosed” Feb 9, KTLA.com

“HSBC Bank Reports Lost Client Data From Swiss Private Bank” Dec 9, Reuters

“Gov’t Posts Sensitive List of US Nuclear Sites” Associated Press

Page 18: RSA 2010 Francis De Souza

Dissecting Hydraq

Page 19: RSA 2010 Francis De Souza

Dissecting Hydraq

Hi Francis,

I met you at the Malware Conference last month. Wanted to let you know I got this great shot of you doing your presentation. I posted it here:

Incursion: Attacker Breaks into the network by delivering targeted malware to vulnerable systems and employees

Page 20: RSA 2010 Francis De Souza

Dissecting Hydraq

Discovery: Hacker Maps Organization’s Defenses From the Inside and Creates a Battle Plan

Page 21: RSA 2010 Francis De Souza

Dissecting Hydraq

Capture: Attacker Accesses Data on Unprotected Systems and Installs Malware to Secretly Acquire Crucial Data

Page 22: RSA 2010 Francis De Souza

Dissecting Hydraq

[Diagram labels: Victim, Hydraq, 72.3.224.71:443, Attacker]

Exfiltration: Confidential Data Sent Back to Enemy’s “Home Base” for Exploitation and Fraud

Page 23: RSA 2010 Francis De Souza

Prelude to a Breach

1. Poorly Enforced IT Policies

Page 24: RSA 2010 Francis De Souza

Prelude to a Breach

2. Poorly Protected Information

Page 25: RSA 2010 Francis De Souza

Prelude to a Breach

3. Poorly Managed Systems

Page 26: RSA 2010 Francis De Souza

Prelude to a Breach

4. Poorly Protected Infrastructure

Page 27: RSA 2010 Francis De Souza

The Challenge

Develop and Enforce IT Policies

Protect The Information

Manage Systems

Protect The Infrastructure

Page 28: RSA 2010 Francis De Souza

A Comprehensive Security Strategy Is Required

Risk Based and Policy Driven

Information-Centric

Well Managed Infrastructure

IT Governance, Risk and Compliance

Information Risk Management

Infrastructure Protection and Management

Page 29: RSA 2010 Francis De Souza

New Threats Require New Technologies

Protect the Infrastructure

Develop & Enforce IT Policies

Protect the Information

Manage Systems

• Reputation Based Security

• Mobile and Server Security

• Encryption

• IT Risk Management

• Compliance Process Automation

• Information-Centric Policy

• Data Ownership

• Automated Content Classification

• Content Aware Endpoint Security

• Workflow

• Application Streaming

• Portable Personalities

Integrated Security Platform

• Open Platform

• Console Unification

• Security Intelligence

• Dynamic Protection

Page 30: RSA 2010 Francis De Souza

Symantec Focuses on Meeting These Challenges

Protect the Information

Manage Systems

Develop and Enforce IT Policies

Protect the Infrastructure

> Control Compliance Suite

> Data Loss Prevention Suite

> IT Management Suite

> Symantec Protection Suite

Page 31: RSA 2010 Francis De Souza

Addressing Important Security Questions

> Can you enforce IT policies and remediate deficiencies?

> Do you know where your sensitive information resides?

> Can you easily manage the lifecycle of your IT assets?

> Can you improve your security posture by rationalizing your security portfolio?

Page 32: RSA 2010 Francis De Souza

Thank You