Karunia Wijaya - Proactive Incident Handling


Transcript of Karunia Wijaya - Proactive Incident Handling

Page 1: Karunia Wijaya - Proactive Incident Handling

CryptoRing PROACTIVE INCIDENT HANDLING

Page 2: Karunia Wijaya - Proactive Incident Handling

Karunia

Formal Education:
• Master's Degree, September 2003, University of Pelita Harapan, Jakarta
• Bachelor's Degree, January 1997, University of HKBP Nommensen, Medan
• Diploma, 1995, International Computer Studies Microskills Singapore - Medan

Certification:
• IBM eServer Certified Specialist, March 2002, iSeries Solution Sales V5R1
• Managed Security Specialist, December 2005, SIMCommander, Hong Kong
• Web Security Expert, September 2010, Armorize Technology, San Francisco
• MVCN Encryption Specialist, October 2010, Navayo Technologies Inc., Hungary
• IRM Specialist, August 2012, Seclore Technology, India
• Certified IRCA Lead Auditor ISO 27001, February 2013, BSI, United Kingdom
• NRPL MSSR Radar Specialist, May 2013, NRPL, Finland

Others:
• Executive Vipassana Meditation, Geulis Mountain, based on S.N. Goenka meditation courses
• Emotions Metabolism, by Mahadibya Nurcahyo Chakrasana
• Neuro Linguistic Programming, Jogja, Basic Principle of Life Expanding, 72 hours, by Clear Heart Foundation

Page 3: Karunia Wijaya - Proactive Incident Handling

International & National

Speaker for:
• Kemenkoinfo
• Kemenakertrans
• Kemenhan
• Kemenhub
• Lembaga Sandi Negara
• BP Batam
• BPPT
• BNN
• SGU
• Binus
• MIEL Academy (India, Vietnam, Macau, Singapore, Malaysia)

Owner of:
• PT. Adi Inti Mandiri – Tangerang Selatan
• PT. Adi Inti Mandiri Solusi – Jakarta
• PT. Global Network Security – Jakarta
• PT. Auto Technic Multimedia – Batam
• PT. Maxima Innovative Technology – Jakarta
• PT. Inti Wira Buana – Jakarta
• PT. Indo Mindstrom Wizzard – Jakarta
• BPR Pundi Dana Mandiri – Jambi
• Vivasoft Pte. Ltd. – Singapore
• IMWizz Pte. Ltd. – Singapore
• SIMCommander Inc. – Hong Kong
• GlobeNet Secure Sdn. Bhd. – Malaysia
• MIEL Pte. Ltd. – Singapore

Page 4: Karunia Wijaya - Proactive Incident Handling

Security Management Challenges

• Implementation
  – Tools to manage security cost millions
  – Integrating and deploying them is challenging
  – 24 x 365 management requires highly trained staff

• Business Imperative
  – Not core business: does not generate revenue
  – Investing in security management can be costly and may not produce the expected results

Page 5: Karunia Wijaya - Proactive Incident Handling

The Problems

• Too many consoles and different log formats
  – lack of a holistic view of the overall security posture
  – long learning cycle

• Huge amount of data
  – hard to manage and review

• Organizational challenges
  – different teams have different responsibilities
  – long response time

• Lack of security professionals in the organization
  – security experts are still expensive and scarce
  – lack of an incident response methodology

• Don't know what to do when an incident occurs
  – limited resources: budgets and staff are always limited

Page 6: Karunia Wijaya - Proactive Incident Handling

Customer Expectation

• Cost Effective Security
• Up-to-date Defense Mechanism
• 24x7 Monitoring and Alert
• Rapid Emergency Response
• Reporting and Analysis
• Technical Expertise

(Diagram: Business threats; Vulnerability; Capability for companies to respond)

Page 7: Karunia Wijaya - Proactive Incident Handling

How Managed Security Services Work

(Diagram: the following device and system groups feed the CryptotechnoSOC)

Security and Networking Devices:
• Firewall/VPN
• Network IDS/IPS
• Host IDS
• Unified Threat Management
• Routers/Switches
• NetFlow Analysis Devices
• MAC Address Information
• Vulnerability Scanning tools

Systems and Applications:
• Windows
• Unix
• Linux
• Mainframe
• Antivirus
• Applications
• Web Servers
• Database
• Email Servers
• Proprietary Applications

Page 8: Karunia Wijaya - Proactive Incident Handling

Efficiency of Correlation

Based on one month of actual customer data:

• 9,481,668 logs and alerts generated by firewalls and IDSs
• 620 security events
• 55 events provided for client review
• 2 events requiring immediate customer contact

Processing stages:

• Security threat pattern identification (normalize and input to Correlation Engine)

• Eliminate insignificant events and report valid events (Correlation Engine)

• Cryptotechno proactively contacts clients to warn of a serious security threat (SOC security experts)

Page 9: Karunia Wijaya - Proactive Incident Handling

Supported Devices

Page 10: Karunia Wijaya - Proactive Incident Handling

Attack Example

• Most attackers follow the same sequence: first they scan the network and systems for security holes, then they launch a buffer overflow and plant a backdoor on the victim machine to take remote control of it.
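Seen from the SOC side, this sequence is what the correlation engine (pages 8 and 10) has to recognise across devices: the scan shows up as firewall denies, the exploit as an IDS alert, and the backdoor as an outbound connection from the victim, none of which is conclusive alone. The following is an added illustration, not CryptoRing's engine; the log formats, hosts and field names are constructed for it.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines (not real customer data): a firewall and an IDS each
# see one stage of the sequence, so no single device can raise the incident alone.
SAMPLE_LOGS = [
    "2013-05-01T10:00:01 fw deny src=203.0.113.5 dst=10.0.0.7 dport=21",
    "2013-05-01T10:00:02 fw deny src=203.0.113.5 dst=10.0.0.7 dport=22",
    "2013-05-01T10:00:02 fw deny src=203.0.113.5 dst=10.0.0.7 dport=23",
    "2013-05-01T10:00:03 fw deny src=203.0.113.5 dst=10.0.0.7 dport=25",
    "2013-05-01T10:00:04 fw deny src=203.0.113.5 dst=10.0.0.7 dport=443",
    "2013-05-01T10:05:10 ids alert sig='BUFFER OVERFLOW attempt' src=203.0.113.5 dst=10.0.0.7",
    "2013-05-01T10:06:00 fw allow src=10.0.0.7 dst=203.0.113.5 dport=4444",
    "2013-05-01T11:00:00 ids alert sig='BUFFER OVERFLOW attempt' src=198.51.100.9 dst=10.0.0.8",
]
FW = re.compile(r"(\S+) fw (allow|deny) src=(\S+) dst=(\S+) dport=(\d+)")
IDS = re.compile(r"(\S+) ids alert sig='([^']*)' src=(\S+) dst=(\S+)")

def normalize(line):
    """Map a raw firewall or IDS line onto one common schema (None if unparsed)."""
    m = FW.match(line)
    if m:
        ts, action, src, dst, port = m.groups()
        return {"ts": datetime.fromisoformat(ts), "kind": action, "src": src, "dst": dst, "port": int(port), "sig": ""}
    m = IDS.match(line)
    if m:
        ts, sig, src, dst = m.groups()
        return {"ts": datetime.fromisoformat(ts), "kind": "ids", "src": src, "dst": dst, "port": None, "sig": sig}
    return None

def correlate(lines, scan_ports=5, window_s=3600):
    """One incident per (attacker, victim) pair that shows the whole sequence, in order:
    port scan (many denied ports) -> overflow exploit alert -> victim connecting back out."""
    stages, ports = defaultdict(dict), defaultdict(set)      # keyed by (attacker, victim)
    for e in sorted(filter(None, map(normalize, lines)), key=lambda e: e["ts"]):
        if e["kind"] == "deny":
            key = (e["src"], e["dst"])
            ports[key].add(e["port"])
            if len(ports[key]) >= scan_ports:                # many distinct ports = scan
                stages[key].setdefault("scan", e["ts"])
        elif e["kind"] == "ids" and "OVERFLOW" in e["sig"].upper():
            stages[(e["src"], e["dst"])].setdefault("exploit", e["ts"])
        elif e["kind"] == "allow" and "exploit" in stages.get((e["dst"], e["src"]), {}):
            stages[(e["dst"], e["src"])].setdefault("backdoor", e["ts"])   # victim calls back
    incidents = []
    for (attacker, victim), st in stages.items():
        order = [st.get(s) for s in ("scan", "exploit", "backdoor")]
        if all(order) and order == sorted(order) and (order[2] - order[0]).total_seconds() <= window_s:
            incidents.append({"attacker": attacker, "victim": victim})
    return incidents
```

The second overflow alert (against 10.0.0.8) never becomes an incident because no scan preceded it and no callback followed, which is the "eliminate insignificant events" step of page 8 in miniature.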

Page 11: Karunia Wijaya - Proactive Incident Handling

Without CryptoRing Solution

Page 12: Karunia Wijaya - Proactive Incident Handling

With CryptoRing Solution

Page 13: Karunia Wijaya - Proactive Incident Handling

CryptoRing Service Description

• Monitors device availability and collects security events from customers' devices

• Event correlation analysis to distill the true security incidents

• Real-time email alerting for detected security incidents

• Weekly scheduled security status and summary reports through email

• Easy-to-use reporting web portal that can be logged on to from anywhere

Page 14: Karunia Wijaya - Proactive Incident Handling

Benefits

• Device availability monitoring, identification of well-known attacks, and detection of advanced, organized attack sequences

• Integrated analysis with the other security devices in the network to accurately identify real threats

• Email alerting keeps the customer updated on security status in real time

• Easy-to-read summary and detail reports give an intuitive view of the security posture

• Works fully with UTM appliances (especially TippingPoint)

Page 15: Karunia Wijaya - Proactive Incident Handling

What Customer Will Get

• Weekly Standard Reports
  o Comprehensive reports in PDF format
  o Delivered to the customer automatically through email

• Web Portal
  o Login to generate ad-hoc reports
  o Anywhere and anytime

• Email Alert Messages
  o Notify the customer of security incidents in real time

Page 16: Karunia Wijaya - Proactive Incident Handling

Topology

Page 17: Karunia Wijaya - Proactive Incident Handling

Early Warning

Page 18: Karunia Wijaya - Proactive Incident Handling

Weekly Standard Reports

Type: Alerts
Report: Weekly Security Alert Summary
Details:
• Alert count by day
• Weekly Alert Trend
• Alert Count by Alert Category (CAT)
• Alert Count by Alert Rule
• Alert CAT 3 – Top 10 Destination (with source and Rule)
• Alert CAT 2 – Top 10 Destination (with source and Rule)
• Alert CAT 1 – Top 10 Destination (with source and Rule)
• Alert CAT 0 – Top 10 Destination (with source and Rule)

Type: Security Events
Report: Weekly Security Events Summary
Details:
• Security Event Count by Day (by Device)
• Weekly Security Event Trend
• Firewall: Top 10 Denied Source
• Anti-Virus: Top 10 Virus, Top 10 Infected Host, Top 10 Email Sender
• IDS/IPS: Top 10 Alert, Top 10 Attack Destination, Top 10 Attack Source
• Web Filtering: Top 10 Blocked Web Domain

Report: Weekly Device Status Summary
Details:
• Device Up/Down Status by Day
• Device Administrative Login by Day

Type: Usage
Report: Weekly Device Usage Summary
Details:
• Bandwidth: Inbound and Outbound, Top 10 Protocol, Top 10 Source, Top 10 Destination
• Web Proxy: Top 10 Web Access, Top 10 Source
• Email: Top 10 Sender, Top 10 Receiver

Page 19: Karunia Wijaya - Proactive Incident Handling

Web Portal Reports

Type: Alerts
Report Group: Alert Summary
Details:
• Last 24 Hours Alert Count by Alert Category (CAT)
• Last 24 Hours Alert Statistics

Type: Security Events
Report Group: Security Event Summary
Details:
• Last 24 Hours Security Event Statistics
• Last 24 Hours Security Event Statistics by Device
• Last 24 Hours Top 10 Source
• Last 24 Hours Top 10 Destination

Report Group: Firewall
Details:
• Last 24 Hours Firewall Denied Source IP
• Last 24 Hours Firewall Denied Destination IP
• Last 24 Hours Firewall Denied Destination Port
• Last 24 Hours Top 10 Source by Connection Count
• Last 24 Hours Top 10 Destination by Connection Count
• Last 24 Hours Top 10 Destination Port by Connection Count
• Last 24 Hours Top 10 Email Sender
• Last 24 Hours Top 10 Web Client
• Last 24 Hours User Login Success
• Last 24 Hours User Login Failure

Page 20: Karunia Wijaya - Proactive Incident Handling

Web Portal Report

Type: Security Events
Report Group: IDS/IPS
Details:
• Last 24 Hours Top 10 Source
• Last 24 Hours Top 10 Destination
• Last 24 Hours Top 10 Event

Report Group: Anti-Virus
Details:
• Last 24 Hours Top 10 Virus
• Last 24 Hours Top 10 Infected Host

Type: Usage
Report Groups: Web, FTP, Email, Telnet / SSH, VPN
Details:
• Last 24 Hours Top 10 Source
• Last 24 Hours Top 10 Destination
• Last 24 Hours Top Users

Page 21: Karunia Wijaya - Proactive Incident Handling

Each customer is assigned a login ID under which only that customer's own alerts and data are shown.

Customer Portal Login

Page 22: Karunia Wijaya - Proactive Incident Handling

Portal Dashboard

By default the dashboard is shown in the main display area after login, giving the customer an overview of the security posture. Customers can also select the reports they want displayed on the portal.

Main report display area

User selects individual reports from different groups

Page 23: Karunia Wijaya - Proactive Incident Handling

Alert Summary Reports

These reports display the alerts detected by the SIMC, so you can see the alert statistics and how alerts are distributed across the different severities.

Page 24: Karunia Wijaya - Proactive Incident Handling

Event Summary Reports

These reports show the event statistics within a day. The number of events received on working days should be roughly the same from day to day. If there is an abnormal rise in the event count, investigate further to find the cause.
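The rule in the paragraph above, "working days should look alike, so investigate a rise", can be turned into a check that runs over the daily counts before they reach the report. This is an added illustration, not part of the original slides or the CryptoRing portal; the daily counts below are constructed, and the median/MAD threshold is an assumption chosen so that one abnormal day does not distort the baseline for the days after it.

```python
from datetime import date
from statistics import median

# Constructed daily security-event counts for one device (not real customer data):
# steady working days, a quiet weekend, and one abnormal working-day spike on 15 May.
SAMPLE_COUNTS = {
    date(2013, 5, 6): 1210, date(2013, 5, 7): 1185, date(2013, 5, 8): 1240,
    date(2013, 5, 9): 1195, date(2013, 5, 10): 1225,
    date(2013, 5, 11): 310, date(2013, 5, 12): 295,      # Saturday, Sunday
    date(2013, 5, 13): 1205, date(2013, 5, 14): 1230, date(2013, 5, 15): 4350,
    date(2013, 5, 16): 1215,
}

def is_working_day(day):
    return day.weekday() < 5     # Monday..Friday; weekends have their own, lower baseline

def robust_z(value, history):
    """Robust z-score: median and MAD resist the very spike we are trying to catch,
    so one bad day does not inflate the baseline used for the following days."""
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0   # guard: identical history
    return 0.6745 * (value - med) / mad

def abnormal_days(counts, history_days=10, min_history=5, threshold=3.0):
    """Return [(day, count, z)] for working days whose event count rises well above
    the preceding working days. Only rises are flagged, as the slide describes;
    days with too little history are skipped rather than guessed at."""
    flagged, history = [], []
    for day in sorted(counts):
        if not is_working_day(day):
            continue
        if len(history) >= min_history:
            z = robust_z(counts[day], history[-history_days:])
            if z > threshold:
                flagged.append((day, counts[day], round(z, 1)))
        history.append(counts[day])
    return flagged
```

Running it on the sample flags only 15 May; 16 May is not flagged even though the spike is now in its history, because the median baseline ignores the outlier.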

Page 25: Karunia Wijaya - Proactive Incident Handling

Virus Reports

These reports display the virus activity detected on the firewalls, so the customer can see which viruses occur most often. The virus information can also be collected and distributed to all system owners so that they are aware of it.

Page 26: Karunia Wijaya - Proactive Incident Handling

Firewall Reports

These reports display the destination IP addresses with the highest bandwidth consumption. Usually the addresses listed are the enterprise's critical servers, such as the email and FTP servers; from these reports the customer can also spot any IP address that is abusing the Internet link.

Page 27: Karunia Wijaya - Proactive Incident Handling

IDS / IPS Reports

This report displays the top 10 events detected by the IDS/IPS, so the customer can see which IDS/IPS events occur most often and judge whether further investigation is required.

Page 28: Karunia Wijaya - Proactive Incident Handling

Incident Report Samples