Big Data is Old School – Endpoint Intelligence is the New Information Security
1. Big Data InfoSec Should Be Dead
David Frymier
Vice President and CISO, Unisys
2. Two Big Drivers
IT Environment
Consumerization of IT
• New devices are everywhere; employees will use them
– Consumer devices are not generally MS domain aware
• Not just about devices—new services on the Internet tunnel port 80
– gotomyPC, logmein
– Dropbox
• Organizational perimeter crumbling
© 2014 Unisys Corporation. All rights reserved.
3. Advanced Persistent Threat
• Enters through spam e-mail, bad websites
• “Beacons” back to command and control servers
– Reports in
– Obtains instructions/more malware
• Evades anti-malware software
• Low and slow
• Looks laterally and vertically in network for high value targets
• Can be found through beaconing activity
[Diagram: entry points (random spam, spear phishing, bad web site, botnet C&C) leading through departmental infrastructure and enterprise administration (Active Directory) to the corporate jewels.]
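The last bullet on this slide says an APT can be found through its beaconing. The following Python is an added example, not part of the Unisys deck, showing one way a defender can look for that signal in egress proxy logs: group connections by (internal host, destination) and flag pairs contacted at a near-constant cadence. The simplified log format, the sample lines and the thresholds (5 contacts, coefficient of variation at or below 0.1) are all constructed assumptions.

```python
"""Added example, not from the Unisys deck: flag possible C2 beaconing in
egress proxy logs by finding (source host, destination) pairs that are
contacted at near-constant intervals.  Log format and thresholds are assumed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified proxy format:
#   <ISO-8601 timestamp> <src_ip> <dst_host> <http_status>
# 10.1.2.15 polls one host every ~5 minutes with a second or two of jitter;
# 10.1.2.16 shows the bursty, irregular pattern of a person browsing.
SAMPLE_LOG = """\
2014-03-01T09:00:00 10.1.2.15 updates.example-vendor.test 200
2014-03-01T09:00:07 10.1.2.15 cdn.example-news.test 200
2014-03-01T09:05:01 10.1.2.15 updates.example-vendor.test 200
2014-03-01T09:10:00 10.1.2.15 updates.example-vendor.test 200
2014-03-01T09:11:42 10.1.2.15 mail.example-corp.test 200
2014-03-01T09:15:02 10.1.2.15 updates.example-vendor.test 200
2014-03-01T09:20:00 10.1.2.15 updates.example-vendor.test 200
2014-03-01T09:25:01 10.1.2.15 updates.example-vendor.test 200
2014-03-01T09:03:10 10.1.2.16 cdn.example-news.test 200
2014-03-01T09:04:55 10.1.2.16 cdn.example-news.test 200
2014-03-01T09:31:00 10.1.2.16 cdn.example-news.test 200
2014-03-01T09:33:12 10.1.2.16 cdn.example-news.test 200
2014-03-01T10:02:45 10.1.2.16 cdn.example-news.test 200
2014-03-01T10:40:00 10.1.2.16 cdn.example-news.test 200
"""

def parse_log(text):
    """Group event timestamps by (src_ip, dst_host)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair

def interval_stats(times):
    """Mean gap in seconds and coefficient of variation (stdev / mean) of the
    gaps between consecutive contacts.  A low CV means a regular cadence."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = statistics.mean(gaps)
    if mean <= 0:
        return mean, float("inf")
    return mean, statistics.pstdev(gaps) / mean

def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return [(src, dst, count, mean_gap_seconds)] for pairs contacted at
    least min_connections times with CV at or below max_cv.  Implants that
    add heavy jitter need a looser max_cv or a different feature (request
    size uniformity, for instance); this is a triage list, not proof."""
    flagged = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            flagged.append((src, dst, len(times), mean))
    return flagged

if __name__ == "__main__":
    for src, dst, n, mean in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {n} contacts, every {mean:.0f}s on average")
```

Run stand-alone it reports only the 10.1.2.15 pair. The point a practitioner should take from it is the one the slide makes: the detection needs per-endpoint connection timing, not a full copy of every log line in a central store, and the thresholds are the tunable that trades false positives against jittered implants.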
4. Security Monitoring Model – SIEM
Current countermeasures
[Diagram: managed security monitoring architecture. Element-specific agents collect security infrastructure, network device, OS, application and data logs from Unisys-monitored or managed security elements and from customer-managed security elements (network firewall and VPN, intrusion detection and prevention, web content security, endpoint security, secure remote access, web application security, email scanning, application security services scanner, asset inventory and vulnerability scanning). Element-specific log data is normalized into an event database and fed to an event correlation engine backed by a threat pattern database; resulting incidents flow to security incident management, a Unisys or customer ticketing system, and response and remediation. Portals expose dashboards and reports, assets and vulnerabilities, vulnerability management, threat and vulnerability alerting, security event monitoring and reporting.]
5. SIEM
• It’s mostly after-the-fact
• Protects everything the same way
• Getting more and more expensive—like big data
– Software costs
– Storage of all the log and traffic data/meta data
– Processing
– Network resources to move data from endpoint to SIEM
For advanced adversaries, the traditional approach just isn’t working.
The New York Times article retrieved from www.nytimes.com
6. How is this possible?
• The real world follows the laws of physics—the cyber world follows manmade rules that govern the transfer of data
• We forget how young the Internet is; it grew like a weed—without much change in the underlying protocols
• Standardization cuts both ways
• There are fundamental design flaws
– Anonymity and spoofing
• Software has bugs
This is not going to be fixed quickly.
7. SNOWDEN
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.
Edward Snowden
Interview with Guardian readers, June 2013
8. What is Unisys Stealth™?
• Software, running on Windows and Linux computers
• FIPS 140-2 AES-256 certified cryptography module
• Provides compartmentalized security by implementing virtual communities of interest (COI) for predetermined endpoint users
• Authenticates and authorizes users based on identity, not network topology
• Because it executes between the network and link protocol layers, it has no effect on applications or existing networks
• Makes systems undiscoverable by attackers
• Supports “clear COI” to allow for incremental integration into existing environments
[Diagram: OSI stack with the Stealth shim inserted between layer 3 and layer 2, above the NIC: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, Stealth shim, 2 Link, 1 Physical, NIC.]
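To make the three properties on this slide concrete (COI membership decides who may talk, the decision keys on identity rather than on IP address, and a clear COI admits unenrolled hosts in plaintext), here is a toy policy model in Python. It is an added illustration, not Unisys code and not a description of how Stealth implements these rules internally; the endpoint identities, addresses and COI labels are constructed.

```python
"""Added example, not Unisys code: a toy model of community-of-interest (COI)
authorization as the Stealth slide describes it.  Whether two endpoints may
talk depends only on their authenticated identities' COI membership, never on
IP address, and a 'clear COI' admits not-yet-enrolled hosts in plaintext."""
from dataclasses import dataclass, replace

ENCRYPT, CLEAR, DROP = "encrypt", "clear", "drop"

@dataclass(frozen=True)
class Endpoint:
    identity: str        # authenticated user or device identity (assumed attribute)
    ip: str              # current address; carried only to show it is ignored
    cois: frozenset      # COIs this identity has been provisioned into

def decide(src, dst, clear_coi):
    """Outcome for traffic from src to dst:
    ENCRYPT  both share a COI; traffic travels inside that community
    CLEAR    dst is listed in the clear COI (legacy, unenrolled); plaintext allowed
    DROP     nothing in common; the packet is discarded without any reply, so
             dst is undiscoverable from src's vantage point."""
    if src.cois & dst.cois:
        return ENCRYPT
    if dst.identity in clear_coi:
        return CLEAR
    return DROP

def move(endpoint, new_ip):
    """Same identity and COIs at a new address (a user roaming, for example)."""
    return replace(endpoint, ip=new_ip)

def reachability(src, fleet, clear_coi):
    """Map every other endpoint's identity to src's outcome toward it."""
    return {e.identity: decide(src, e, clear_coi) for e in fleet if e != src}

def sample_fleet():
    """Constructed endpoints: names, addresses and COI labels are made up."""
    return (
        Endpoint("alice@corp.test", "10.0.5.21", frozenset({"finance"})),
        Endpoint("findb01", "10.0.9.40", frozenset({"finance"})),
        Endpoint("bob@corp.test", "10.0.5.22", frozenset({"hr"})),
        Endpoint("printer-3f", "10.0.5.99", frozenset()),   # not yet enrolled
    )

if __name__ == "__main__":
    fleet = sample_fleet()
    alice, findb, bob, printer = fleet
    clear = frozenset({"printer-3f"})
    for who in (alice, bob):
        print(who.identity, reachability(who, fleet, clear))
```

Two things the model makes visible: bob sits on the same subnet as alice yet cannot reach the finance database, because the rule never consults addresses, and alice keeps her access after `move()` puts her on a different network. The clear COI is a rollout convenience; once the printer is enrolled into a community, removing it from that set turns its plaintext path into a drop.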
9. Stealth Application compartmentalization for a Web Application
• Because Stealth is software, it can be deployed with:
– no network changes (no cabling, no VLAN or LAN changes, no firewall rules)
– no application changes—either code or configuration
• … and if you choose to install just the data center components, it can be done with:
– no end-user impact—or even awareness