Advanced IT security intelligence

Upload: quocirca

Post on 04-Apr-2018


  • 7/31/2019 Advanced IT security intelligence

    Slide 1 of 27

    Clive Longbottom, Service Director, Quocirca Ltd

    Bob Tarzey, Analyst and Director, Quocirca Ltd

    June 19th 2012

  • Slide 2 of 27

    The ability to monitor IT systems and their use in real time and observe events occurring that, when correlated with other information, amount to suspicious or unwanted activity

    Builds on the heritage of log management and security information and event management (SIEM) tools

    Supplements point security products

  • Slide 3 of 27

    Encryption

    IDS

    IPS


  • Slide 9 of 27

    Chart (axis ticks 2 to 3.5) with categories: Health care, Financial transparency, Credit card handling, Securities trading, Environmental, International trading, EU, Industry specific, National security, Data privacy, National government

    Scale from 1 = will decrease a lot to 5 = will increase a lot

    Source: Quocirca, You sent what?, 2010

    Many of the ASI examples that follow help drive compliance goals

  • Slide 10 of 27

    Source: McAfee Threats Report Q1 2012

  • Slide 11 of 27

    Diagram: infected server, at first undetected; attempts by infected server to contact many other servers; call home to unusual IP address

    Inputs: server activity logs, network data, IP geolocation data

    Alert: unusual server behaviour and network traffic

    Result: unknown malware identified and thwarted and deeper penetration of network prevented
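The slide's "infected server" case is a correlation of two weak signals: one internal host suddenly contacting many peers, and the same host calling out to an address in a country the estate never talks to. The following Python is an added example of that correlation and is not code from the Quocirca deck; the flow records, the geolocation table, the internal address range and the baseline of expected countries are all constructed for it, and "ZZ" is a placeholder country code.

```python
"""Fan-out plus call-home correlation over network flow records.

Added example for the 'infected server' use case; not code from the slides.
The flows, geolocation table and baseline countries below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (timestamp, source IP, destination IP, dest port).
# 10.0.1.15 sweeps eight internal hosts and then calls out to an external
# address; 10.0.1.30 shows ordinary traffic for comparison.
FLOWS = [
    ("2012-06-19T09:00:01", "10.0.1.15", "10.0.1.20", 445),
    ("2012-06-19T09:00:02", "10.0.1.15", "10.0.1.21", 445),
    ("2012-06-19T09:00:02", "10.0.1.15", "10.0.1.22", 445),
    ("2012-06-19T09:00:03", "10.0.1.15", "10.0.1.23", 445),
    ("2012-06-19T09:00:03", "10.0.1.15", "10.0.1.24", 445),
    ("2012-06-19T09:00:04", "10.0.1.15", "10.0.1.25", 445),
    ("2012-06-19T09:00:04", "10.0.1.15", "10.0.1.26", 445),
    ("2012-06-19T09:00:05", "10.0.1.15", "10.0.1.27", 445),
    ("2012-06-19T09:05:00", "10.0.1.15", "203.0.113.45", 443),
    ("2012-06-19T09:00:10", "10.0.1.30", "10.0.1.20", 445),
    ("2012-06-19T09:01:00", "10.0.1.30", "198.51.100.8", 443),
]

# Constructed geolocation table (TEST-NET addresses; "ZZ" is a placeholder).
GEO = {"203.0.113.45": "ZZ", "198.51.100.8": "GB"}

# Constructed baseline: countries this server estate normally talks to.
EXPECTED_COUNTRIES = {"GB", "US"}

# Assumed internal address space for the example.
INTERNAL = [ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def fan_out(flows):
    """Number of distinct internal destinations contacted by each internal source."""
    peers = defaultdict(set)
    for _, src, dst, _ in flows:
        if is_internal(src) and is_internal(dst):
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def call_home(flows, geo):
    """External destinations per internal source, tagged with the looked-up country."""
    calls = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):
            calls[src].append((ts, dst, port, geo.get(dst, "unknown")))
    return calls


def detect_beaconing(flows, geo, fan_out_threshold=5, expected=EXPECTED_COUNTRIES):
    """Alert when one source both sweeps many internal hosts and contacts an
    external address whose country is outside the baseline."""
    alerts = []
    counts = fan_out(flows)
    calls = call_home(flows, geo)
    for src, n in counts.items():
        if n < fan_out_threshold:
            continue
        unusual = [c for c in calls.get(src, []) if c[3] not in expected]
        if unusual:
            alerts.append({"source": src, "internal_peers": n,
                           "unusual_destinations": unusual})
    return alerts


if __name__ == "__main__":
    for alert in detect_beaconing(FLOWS, GEO):
        print(alert)
```

Neither signal alone is conclusive (a vulnerability scanner fans out, a CDN lookup may land in an unfamiliar country); the alert fires only when both hold for the same source, which is the point the slide makes about correlation. The fan-out threshold and the baseline are the tuning knobs an operator would derive from their own traffic.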


  • Slide 13 of 27

    Inputs: approved/restricted external resources, class of data

    Policy: classified data cannot be copied to certain locations

    Result: non-compliant storage of data prevented

  • Slide 14 of 27

    Data protection, the court of public opinion: In terms of keeping your records safe, how trustworthy do you feel the following organisations are?

    Source:

  • Slide 15 of 27

    Diagram: remote IP address, firewall

    Multiple access attempts from remote server repelled, single attempt is successful

    Later attempt to copy data to same IP address

    Inputs: server access logs, firewall log

    Alert: likely successful hack

    Result: data theft prevented
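The sequence on this slide (repeated attempts repelled, one success, later outbound copy to the same address) is a stateful rule over two logs keyed on the remote IP. The Python below is an added example of that rule, not code from the deck; the firewall and server log lines, their formats, the minimum-denies count and the 100 MiB outbound threshold are all constructed for the example.

```python
"""Repelled attempts, then a single success, then an outbound copy to the same
remote address: correlated across a firewall log and a server access log.

Added example for the 'likely successful hack' slide; not code from the slides.
Both logs and their line formats are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: inbound denies from one remote address, then an
# allowed outbound transfer back to that same address.
FIREWALL_LOG = """\
2012-06-19T22:01:05 DENY in src=203.0.113.9 dst=10.0.2.5 dport=22
2012-06-19T22:01:09 DENY in src=203.0.113.9 dst=10.0.2.5 dport=22
2012-06-19T22:01:14 DENY in src=203.0.113.9 dst=10.0.2.5 dport=22
2012-06-19T22:01:20 DENY in src=203.0.113.9 dst=10.0.2.5 dport=22
2012-06-19T22:01:26 ALLOW in src=203.0.113.9 dst=10.0.2.5 dport=22
2012-06-19T22:15:00 ALLOW out src=10.0.2.5 dst=198.51.100.20 dport=443 bytes=4096
2012-06-19T22:40:12 ALLOW out src=10.0.2.5 dst=203.0.113.9 dport=443 bytes=734003200
"""

# Constructed server access log: the attempt that finally succeeded, plus an
# unrelated internal login for contrast.
SERVER_LOG = """\
2012-06-19T22:01:26 sshd login OK user=svc_backup src=203.0.113.9
2012-06-19T22:30:00 sshd login OK user=alice src=10.0.9.4
"""

FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) (in|out) src=(\S+) dst=(\S+) dport=(\d+)(?: bytes=(\d+))?$")
SRV_RE = re.compile(r"^(\S+) sshd login (OK|FAILED) user=(\S+) src=(\S+)$")


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, direction, src, dst, dport, nbytes = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "action": action,
                           "dir": direction, "src": src, "dst": dst,
                           "dport": int(dport), "bytes": int(nbytes or 0)})
    return events


def parse_server(text):
    events = []
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "result": result,
                           "user": user, "src": src})
    return events


def detect_breach_sequence(fw_events, srv_events, min_denies=3, min_bytes=100 * 2**20):
    """Alert on: >= min_denies inbound denies from IP X, then a successful login
    from X, then an allowed outbound transfer of >= min_bytes to X."""
    denies = defaultdict(list)
    for e in fw_events:
        if e["action"] == "DENY" and e["dir"] == "in":
            denies[e["src"]].append(e["ts"])
    alerts = []
    for login in srv_events:
        if login["result"] != "OK":
            continue
        prior = [t for t in denies[login["src"]] if t <= login["ts"]]
        if len(prior) < min_denies:
            continue
        exfil = [e for e in fw_events
                 if e["dir"] == "out" and e["action"] == "ALLOW"
                 and e["dst"] == login["src"] and e["ts"] > login["ts"]
                 and e["bytes"] >= min_bytes]
        if exfil:
            alerts.append({"remote_ip": login["src"], "user": login["user"],
                           "denied_attempts": len(prior),
                           "login_at": login["ts"].isoformat(),
                           "outbound_bytes": sum(e["bytes"] for e in exfil)})
    return alerts


if __name__ == "__main__":
    for alert in detect_breach_sequence(parse_firewall(FIREWALL_LOG), parse_server(SERVER_LOG)):
        print(alert)
```

The ordering constraints matter as much as the counts: denies must precede the login and the transfer must follow it, otherwise an ordinary administrator who mistyped a password and later pulled a backup from the same address would trip the rule.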


  • Slide 17 of 27

    Request 1: 10:00 GMT

    Request 2: 11:30 CET

    Inputs: IP geolocation, mobile geolocation, time, user access logs

    Alert: inconsistent access request

    Result: hack prevented or uncovered
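The two requests on the slide are only 30 minutes apart once both clocks are normalised to UTC, so the check reduces to: could one person have covered the distance between the two geolocations in that time? The Python below is an added example of that impossible-travel check, not code from the deck. The zone-offset table, the coordinates and the request records are constructed; the slide's "CET" is taken literally as UTC+1, and the 900 km/h ceiling is an assumed cut-off.

```python
"""Impossible-travel check over two access requests for one account, each
timestamped in its own zone and geolocated by a different source.

Added example for the 'inconsistent access request' slide; not code from the
slides. Offsets, coordinates, requests and the speed ceiling are constructed."""
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Zone abbreviations as written on the slide, mapped to fixed UTC offsets
# (assumption: CET treated as UTC+1 exactly as labelled).
ZONES = {"GMT": timezone.utc, "CET": timezone(timedelta(hours=1))}

# Constructed requests. 'ip' stands for a lookup on the request's source IP,
# 'mobile' for the position reported by the user's registered mobile device.
REQUESTS = [
    {"user": "alice", "local_time": "2012-06-19 10:00", "zone": "GMT",
     "source": "ip", "lat": 51.5074, "lon": -0.1278},       # London
    {"user": "alice", "local_time": "2012-06-19 11:30", "zone": "CET",
     "source": "mobile", "lat": 40.7128, "lon": -74.0060},  # New York
]

MAX_SPEED_KMH = 900.0  # assumed ceiling; faster than this is not travel


def to_utc(local_time, zone):
    naive = datetime.strptime(local_time, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=ZONES[zone]).astimezone(timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a sphere of radius 6371 km."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def travel_between(r1, r2):
    """Distance (km) and elapsed time (hours, both clocks normalised to UTC)."""
    dist = haversine_km(r1["lat"], r1["lon"], r2["lat"], r2["lon"])
    delta = to_utc(r2["local_time"], r2["zone"]) - to_utc(r1["local_time"], r1["zone"])
    return dist, abs(delta.total_seconds()) / 3600.0


def detect_impossible_travel(requests, max_speed=MAX_SPEED_KMH):
    """Compare consecutive requests per user in UTC order and flag any pair
    that would require faster-than-max_speed travel."""
    alerts = []
    by_user = {}
    for r in requests:
        by_user.setdefault(r["user"], []).append(r)
    for user, reqs in by_user.items():
        reqs.sort(key=lambda r: to_utc(r["local_time"], r["zone"]))
        for a, b in zip(reqs, reqs[1:]):
            dist, hours = travel_between(a, b)
            if hours > 0:
                speed = dist / hours
            else:
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed:
                alerts.append({"user": user, "km": round(dist, 1),
                               "minutes": round(hours * 60, 1),
                               "required_kmh": round(speed),
                               "sources": (a["source"], b["source"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(REQUESTS):
        print(alert)
```

The normalisation step is the part that is easy to get wrong: read naively, "10:00" and "11:30" look 90 minutes apart, and a rule that compared wall-clock times would under-report the required speed by a factor of three.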

  • Slide 18 of 27

    Source: Quocirca 2011, The data sharing paradox

  • Slide 19 of 27

    Diagram: customers, e-commerce app, e-commerce transaction database; direct access request

    Inputs: database access logs, IDs of resources requesting access

    Policy: database only accessed via given application

    Result: hack prevented or uncovered


  • Slide 21 of 27

    Diagram: attempt to access SCADA

    Inputs: door entry system log, SCADA access log

    Policy: physical presence of individual required to access SCADA system

    Result: unauthorised attempt to change systems prevented (e.g. STUXNET)
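The SCADA case joins a physical log to a logical one: a control-system login is consistent with the policy only if the same person badged into the room beforehand and has not badged out since. The Python below is an added example of that join, not code from the deck; the door and SCADA log lines, their formats and the mapping from SCADA accounts to badge numbers are all constructed for it.

```python
"""Physical-presence check for SCADA access: a SCADA login must be preceded by
a badge-in for the same person with no badge-out in between.

Added example for the SCADA slide; not code from the slides. Both logs, their
formats and the account-to-badge mapping are constructed."""
from datetime import datetime

# Constructed door entry log: badge number and zone per event.
DOOR_LOG = """\
2012-06-19T07:55:10 BADGE_IN  badge=1042 zone=control-room
2012-06-19T06:58:00 BADGE_IN  badge=1077 zone=control-room
2012-06-19T07:45:30 BADGE_OUT badge=1077 zone=control-room
"""

# Constructed SCADA access log: alice is in the room, carol left before she
# logged in, bob never badged in at all.
SCADA_LOG = """\
2012-06-19T08:10:02 LOGIN user=alice host=hmi-01
2012-06-19T08:12:44 LOGIN user=carol host=hmi-02
2012-06-19T09:00:00 LOGIN user=bob host=hmi-01
"""

# Constructed identity mapping between SCADA accounts and badge numbers.
BADGES = {"alice": "1042", "carol": "1077", "bob": "1101"}


def parse_door(text):
    """-> list of (timestamp, action, badge)"""
    events = []
    for line in text.splitlines():
        ts, action, badge, _zone = line.split()
        events.append((datetime.fromisoformat(ts), action, badge.split("=", 1)[1]))
    return events


def parse_scada(text):
    """-> list of (timestamp, user, host)"""
    events = []
    for line in text.splitlines():
        ts, _login, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user.split("=", 1)[1], host.split("=", 1)[1]))
    return events


def present(badge, at, door_events):
    """True if the badge's most recent door event at or before 'at' is a BADGE_IN."""
    last = None
    for ts, action, b in sorted(door_events):
        if b == badge and ts <= at:
            last = action
    return last == "BADGE_IN"


def check_scada_access(scada_events, door_events, badges):
    """Flag every SCADA login whose user cannot be shown to be in the room."""
    alerts = []
    for ts, user, host in scada_events:
        badge = badges.get(user)
        if badge is None:
            reason = "no badge on record for account"
        elif not present(badge, ts, door_events):
            reason = "not badged into control room"
        else:
            continue
        alerts.append({"user": user, "host": host, "at": ts.isoformat(), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in check_scada_access(parse_scada(SCADA_LOG), parse_door(DOOR_LOG), BADGES):
        print(alert)
```

Two details decide whether this rule is usable in practice: the door log must be sorted before the last-event lookup (the constructed log is deliberately out of order), and an account with no badge mapping is treated as a finding rather than silently passed, since an unmapped account is exactly what a remotely operated login would look like.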

  • Slide 22 of 27

    Source: Quocirca 2011, Conquering the sys-admin challenge


  • Slide 24 of 27

    Source: Quocirca 2011, Conquering the sys-admin challenge

  • Slide 25 of 27

    Diagram: backup process started; not completed

    Inputs: server activity log, primary storage read log, backup storage write log

    Warning: scheduled backup failed

    Result: potential disaster recovery problem averted


  • Slide 27 of 27

    THANK YOU

    www.quocirca.com

    [email protected]