Jason A. Wessel AVP Security Services Network Security: A Defense-in-Depth Approach.
Jason A. Wessel, AVP Security Services
Network Security:
A Defense-in-Depth Approach

Agenda
• Origin of Defense-in-Depth
• Defense-in-Depth: Information Security
  – Strategies
  – Security Models / Frameworks
• Attackers & the evolving threats on Information Security
• Network Defenses
• Additional Defenses
• Question & Answer

Origin of Defense-in-Depth
“A military strategy sometimes called elastic defense. Defense in depth seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space.”
http://en.wikipedia.org/wiki/Defense_in_depth

Defense-in-Depth: Information Security
“…the practice of layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack. This system places multiple barriers between an attacker and your business critical information resources: the deeper an attacker tries to go, the harder it gets.”
Brooke Paul, Jul 01, Security Workshop at Network Computing

Defense-in-Depth Strategy
Information Assurance Strategy
Ensuring confidentiality, integrity, and availability of data
People: Hire talented people, train and reward them
Technology: Evaluate, Implement, Test and Assess
Operations: Maintain vigilance, respond to intrusions, and be prepared to restore critical services
IAS Thomas E. Anderson Briefing Slides

Defense-in-Depth Security Model
• Perimeter
• Internal
• Hosts
• Applications
• Data

Defense-in-Depth
• Framework for Information Security
  – “Security is a process, not a product” (Bruce Schneier)
• Ongoing process
  – Can’t be implemented over a weekend
• Assume control points will fail
  – Architecture to protect from failures

The Attackers
• The Script Kiddies
  – Do not target specific information or companies
  – Hold a small number of exploits and search for victims to use them against
• The Skilled Hacker
  – Targets specific information and companies
  – Performs comprehensive research on victims using multiple exploits and social engineering techniques
  – Typically out for personal gain (money, glory, etc.)
• The Insider
  – Trusted employee who knows where business critical information is located
  – Typically out to harm business reputation, commit fraud, or obtain financial gain

Attack Landscape is Evolving
• Viruses, Worms, Trojans, Root Kits
• Shift from “Glory-Motivated-Vandals” to “Financially-Politically-&-Fraud-Motivated-Cyber-Crime”
• “Designer Worms” and “Designer Trojans”
• Shift from Worms to Bot-Networks
From IBM Internet Security Systems

Attack Evolution Example
• Welchia Worm
  – Infected devices
  – Sprayed 20K UDP packets per second
  – Impacted services and network performance based on increased traffic volume
• Zotob/Esbot
  – Owned devices, restricted range, local traffic
  – Assess first, fire only when vulnerable
From IBM Internet Security Systems

Network Defenses
• Network Segmentation
• Access Points
• Routers and Switches
• Firewalls
• Content Filtering
• IDS / IPS
• Remote Access
• Event Management
• Vulnerability Management

Network Segmentation
• Create a logical security view of a network infrastructure
• Identify critical resources and information assets
• Apply security and business risk classifications
• Building block for the other network defenses

[Figure: Network Segmentation]

Network Access / Entry Points
• Entry points into the network infrastructure
• Classify the access points
• Develop a security risk profile for each access point
• Each access point presents a threat for unauthorized and malicious access to the network infrastructure.

[Figure: Network Access Points]

Routers and Switches
• Typically responsible for transporting data to all areas of the network
• Sometimes overlooked as being able to provide a defense layer
• Capable of providing an efficient and effective security role in a Defense-in-Depth strategy

[Figure: Simple Router & Switch Network]

Firewalls
• First defenses thought of when working on a Defense-in-Depth strategy
• Provide granular access controls for a network infrastructure
• Firewall Types:
  – Packet filtering
  – Proxy based
  – Stateful Inspection
• Continuing to increase their role by performing application layer defenses on the network

[Figure: Firewalls]

Content Filtering
• Protection of application and data content being delivered across the network
• Content filtering looks for:
  – Virus
  – File attachments
  – SPAM
  – Erroneous Web Surfing
  – Proprietary / Intellectual Property
• Commonly used network protocols:
  – SMTP, HTTP, FTP, and instant messaging

[Figure: Content Filtering]

IDS / IPS
• Detect malicious network traffic and unauthorized computer usage
• Detection Strategies
  – Signature-based
  – Anomaly-based
  – Heuristic-based
  – Behavioral-based
• View of traffic from a single point
• Similar technologies are applied at the host and network layers

[Figure: IDS/IPS]

Remote Access
• Identify all remote access points into the network infrastructure.
• Driven by the need to promote business productivity
• Expanding the perimeter
• Requires strict access controls and continuous activity monitoring

[Figure: Remote Access]

Security Event Management
• The collection and correlation of events on all devices attached to the network infrastructure.
• Provides insight into events which would go unnoticed at other individual defense layers
• Provides automated alerts of suspicious activity
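
An added example (not part of the original slides) of the cross-layer correlation described above: constructed firewall, IDS and VPN events are grouped by source address, and an alert is raised only when several layers report the same source within a short window. The event tuple format, layer names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): (timestamp, reporting layer, source IP, message)
EVENTS = [
    ("2024-05-01T10:00:05", "firewall", "198.51.100.7", "deny tcp/445"),
    ("2024-05-01T10:01:40", "ids",      "198.51.100.7", "low-severity SMB probe signature"),
    ("2024-05-01T10:03:10", "vpn",      "198.51.100.7", "failed login"),
    ("2024-05-01T10:02:00", "firewall", "203.0.113.9",  "deny tcp/23"),
    ("2024-05-01T10:30:00", "firewall", "203.0.113.9",  "deny tcp/23"),
    ("2024-05-01T11:00:00", "ids",      "192.0.2.44",   "low-severity scan signature"),
    ("2024-05-01T12:30:00", "vpn",      "192.0.2.44",   "failed login"),
]

def correlate(events, window=timedelta(minutes=5), min_layers=2):
    """Alert on sources reported by >= min_layers distinct layers within `window`."""
    by_source = defaultdict(list)
    for ts, layer, src, msg in events:
        by_source[src].append((datetime.fromisoformat(ts), layer, msg))

    alerts = []
    for src, seen in by_source.items():
        seen.sort()
        start, best = 0, None
        for end in range(len(seen)):
            # Advance the left edge until the span fits inside the window
            while seen[end][0] - seen[start][0] > window:
                start += 1
            layers = {layer for _, layer, _ in seen[start:end + 1]}
            # Keep the window in which the most layers agree on this source
            if len(layers) >= min_layers and (best is None or len(layers) > len(best["layers"])):
                best = {"source": src, "layers": sorted(layers),
                        "first": seen[start][0], "last": seen[end][0]}
        if best:
            alerts.append(best)
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT {a['source']}: seen by {', '.join(a['layers'])} "
              f"within {a['last'] - a['first']}")
```

Each constructed event is unremarkable at the layer that logged it; only the source seen by the firewall, the IDS and the VPN gateway inside five minutes produces an alert.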

[Figure: Security Event Management]

Vulnerability Management
• Continuous process of assessing and evaluating the network infrastructure
• Multiple views / perspectives
• Integration with Patch Management and ticketing systems
• Configuration & maintenance validation

[Figure: Vulnerability Management]

Additional Defenses: Connecting the Hosts & Network
• Security Policies
• Network Admission Control (NAC)
• Authentication Services
• Data Encryption
• Patch Management
• Application Layer Gateway

Network Security: A Defense-in-Depth Approach
Jason A. Wessel, AVP Security Services
CADRE – Information Security
[email protected]
888-TO-CADRE