Advanced IT security intelligence
TRANSCRIPT
7/31/2019 Advanced IT security intelligence
Clive Longbottom, Service Director, Quocirca Ltd
Bob Tarzey, Analyst and Director, Quocirca Ltd
June 19th 2012

Quocirca 2012 Slide 2 of 27
The ability to monitor IT systems and their use in real time and observe events occurring that, when correlated with other information, amount to suspicious or unwanted activity.
Builds on the heritage of log management and security information and event management (SIEM) tools.
Supplements point security products.
Quocirca 2012 Slide 3 of 27
Figure labels: Encryption, IDS, IPS
Quocirca 2012 Slide 9 of 27
Chart (scale from 1 = will decrease a lot to 5 = will increase a lot; the visible axis ticks run from 2 to 3.5) for: Health care, Financial transparency, Credit card handling, Securities trading, Environmental, International trading/EU, Industry specific, National security, Data privacy, National government. Source: Quocirca, "You sent what?", 2010.
Many of the ASI examples that follow help drive compliance goals.
Quocirca 2012 Slide 10 of 27
Source: McAfee Threats Report Q1 2012
Quocirca 2012 Slide 11 of 27
Figure: infected server, at first undetected; attempts by infected server to contact many other servers; call home to unusual IP address.
Inputs: server activity logs, network data, IP geolocation data
Alert: unusual server behaviour and network traffic
Result: unknown malware identified and thwarted and deeper penetration of network prevented
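The slide lists three inputs and one correlated alert but no logic. The Python below is an added example, not code from the Quocirca deck, of how the two behaviours in the figure are combined: a fan-out detector over network flow records (a host suddenly contacting many distinct peers) and a call-home detector that geolocates destination addresses and flags repeated contact with a country the server never normally talks to. The flow records, the prefix-to-country table, the host name web-01 and the thresholds are all constructed for the example; a real deployment would feed in NetFlow or firewall data and a GeoIP database.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed network flow records for one web server: (timestamp, source host,
# destination IP). Before 10:00 the server only talks to its two usual peers;
# after 10:00 it starts probing many internal hosts and beacons to an outside IP.
FLOWS = [
    ("2012-06-19T09:00:00", "web-01", "10.0.0.5"),
    ("2012-06-19T09:20:00", "web-01", "10.0.0.6"),
    ("2012-06-19T09:40:00", "web-01", "10.0.0.5"),
    ("2012-06-19T10:00:10", "web-01", "10.0.1.1"),
    ("2012-06-19T10:00:11", "web-01", "10.0.1.2"),
    ("2012-06-19T10:00:12", "web-01", "10.0.1.3"),
    ("2012-06-19T10:00:13", "web-01", "10.0.1.4"),
    ("2012-06-19T10:00:14", "web-01", "10.0.1.5"),
    ("2012-06-19T10:00:15", "web-01", "10.0.1.6"),
    ("2012-06-19T10:00:16", "web-01", "10.0.1.7"),
    ("2012-06-19T10:00:17", "web-01", "10.0.1.8"),
    ("2012-06-19T10:05:00", "web-01", "203.0.113.7"),  # documentation range, constructed
    ("2012-06-19T10:10:00", "web-01", "203.0.113.7"),
    ("2012-06-19T10:15:00", "web-01", "203.0.113.7"),
]

# Constructed geolocation table keyed by prefix; a real deployment would query a
# GeoIP database. Private space is tagged INTERNAL so that it counts as "usual".
GEO = [
    (ipaddress.ip_network("10.0.0.0/8"), "INTERNAL"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("203.0.113.0/24"), "XX"),  # a country the business never trades with
]
USUAL_COUNTRIES = {"INTERNAL", "GB"}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, country in GEO:
        if addr in net:
            return country
    return "UNKNOWN"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def fanout_alerts(flows, host, window=timedelta(minutes=1), threshold=5):
    """Alert once when `host` contacts more than `threshold` distinct
    destinations inside a sliding `window`: the "contacts many other servers"
    behaviour of a server that normally talks to a handful of peers."""
    events = sorted((parse_ts(t), dst) for t, h, dst in flows if h == host)
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        peers = {dst for _, dst in events[start:end + 1]}
        if len(peers) > threshold:
            return [("FANOUT", host, events[end][0].isoformat(), len(peers))]
    return []


def callhome_alerts(flows, host, usual=USUAL_COUNTRIES, min_beacons=3):
    """Alert when `host` repeatedly contacts an address geolocated outside the
    countries it normally talks to: a call home to an unusual IP address."""
    counts = defaultdict(int)
    for _, h, dst in flows:
        if h == host and country_of(dst) not in usual:
            counts[dst] += 1
    return [("CALLHOME", host, dst, country_of(dst), n)
            for dst, n in counts.items() if n >= min_beacons]


def correlate(flows, host):
    """Either signal alone is noisy (a deployment fans out, an admin browses
    from abroad); both on the same host in the same window is a strong indicator."""
    alerts = fanout_alerts(flows, host) + callhome_alerts(flows, host)
    kinds = {a[0] for a in alerts}
    verdict = "LIKELY INFECTED" if {"FANOUT", "CALLHOME"} <= kinds else "MONITOR"
    return verdict, alerts


if __name__ == "__main__":
    verdict, alerts = correlate(FLOWS, "web-01")
    print(verdict)
    for alert in alerts:
        print(alert)
```

The verdict is deliberately two-stage: each detector on its own would page the on-call engineer for legitimate activity, while the combination on one host in one window is what the slide calls unusual server behaviour and network traffic.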
Quocirca 2012 Slide 13 of 27
Inputs: approved/restricted external resources, class of data
Policy: classified data cannot be copied to certain locations
Result: non-compliant storage of data prevented
Quocirca 2012 Slide 14 of 27
Data protection, the court of public opinion: in terms of keeping your records safe, how trustworthy do you feel the following organisations are?
Source:
Quocirca 2012 Slide 15 of 27
Figure: remote IP address, firewall. Multiple access attempts from remote server repelled, single attempt is successful; later attempt to copy data to same IP address.
Inputs: server access logs, firewall log
Alert: likely successful hack
Result: data theft prevented
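The correlation this slide describes has two stages, and the added example below (my code, not the deck's) implements both over the two inputs it names. The server access log gives the repeated failed logins followed by one success from the same remote address; the firewall log gives the later outbound transfer to that same address. The log lines, the host 10.0.0.20, the remote address 198.51.100.23, the regular expressions and the thresholds are constructed for the example and would need adapting to real sshd and firewall formats.

```python
import re
from datetime import datetime, timedelta

# Constructed server access log (sshd style) for the host 10.0.0.20.
ACCESS_LOG = """\
2012-06-19T01:00:01 sshd Failed password for root from 198.51.100.23
2012-06-19T01:00:03 sshd Failed password for root from 198.51.100.23
2012-06-19T01:00:05 sshd Failed password for admin from 198.51.100.23
2012-06-19T01:00:08 sshd Failed password for admin from 198.51.100.23
2012-06-19T01:00:12 sshd Failed password for backup from 198.51.100.23
2012-06-19T01:00:40 sshd Accepted password for backup from 198.51.100.23
2012-06-19T08:30:00 sshd Accepted publickey for alice from 10.0.0.77
"""

# Constructed firewall log: connections the host opened outward, with volume.
FIREWALL_LOG = """\
2012-06-19T01:12:00 fw ACCEPT out src=10.0.0.20 dst=198.51.100.23 dport=443 bytes=52428800
2012-06-19T08:45:00 fw ACCEPT out src=10.0.0.20 dst=10.0.0.5 dport=3306 bytes=4096
"""

ACCESS_RE = re.compile(r"^(\S+) sshd (Failed|Accepted) \S+ for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw ACCEPT out src=(\S+) dst=(\S+) dport=\d+ bytes=(\d+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_access(text):
    """Turn access-log lines into login events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m.group(1)), "outcome": m.group(2),
                           "user": m.group(3), "src": m.group(4)})
    return events


def parse_firewall(text):
    """Turn firewall lines into outbound flow records with byte counts."""
    flows = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            flows.append({"ts": parse_ts(m.group(1)), "src": m.group(2),
                          "dst": m.group(3), "bytes": int(m.group(4))})
    return flows


def correlate(access_text, fw_text, min_failures=3,
              failure_window=timedelta(minutes=5),
              exfil_window=timedelta(hours=2),
              min_bytes=10 * 1024 * 1024):
    """Stage 1: a successful login preceded by >= min_failures failed attempts
    from the same remote address within failure_window -> likely successful hack.
    Stage 2: a large outbound transfer from the server to that same address
    within exfil_window after the login -> raise the alert to CRITICAL."""
    access = parse_access(access_text)
    flows = parse_firewall(fw_text)
    alerts = []
    for login in (e for e in access if e["outcome"] == "Accepted"):
        failures = [e for e in access
                    if e["outcome"] == "Failed" and e["src"] == login["src"]
                    and login["ts"] - failure_window <= e["ts"] < login["ts"]]
        if len(failures) < min_failures:
            continue  # an ordinary login, or a user who mistyped once
        alert = {"severity": "HIGH", "src": login["src"], "user": login["user"],
                 "failures": len(failures), "login_at": login["ts"].isoformat(),
                 "exfil_bytes": 0}
        for flow in flows:
            if (flow["dst"] == login["src"] and flow["bytes"] >= min_bytes
                    and login["ts"] <= flow["ts"] <= login["ts"] + exfil_window):
                alert["severity"] = "CRITICAL"
                alert["exfil_bytes"] += flow["bytes"]
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(ACCESS_LOG, FIREWALL_LOG):
        print(alert)
```

Stage 1 on its own is what the slide calls "likely successful hack"; it is worth alerting on even when the firewall log shows nothing, because the outbound copy may come later or leave over a channel the firewall does not log. The second login in the constructed data, from an internal address with no failures in front of it, is ignored, which is the check that keeps this rule from firing on every ordinary login.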
Quocirca 2012 Slide 17 of 27
Figure: Request 1 at 10:00 GMT; Request 2 at 11:30 CET.
Inputs: IP geolocation, mobile geolocation, time, user access logs
Alert: inconsistent access request
Result: hack prevented or uncovered
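The figure's two timestamps are in different zones (10:00 GMT and 11:30 CET), which is the trap this kind of rule has to handle: on the wall clock they are 90 minutes apart, in UTC only 30. The Python below is an added example, not part of the deck, of an "impossible travel" check over the four inputs the slide names. It normalises every timestamp to UTC, locates each access either from an IP geolocation table or from a mobile device fix, and flags consecutive accesses by one user whose implied speed exceeds an airliner's. The user jsmith, the addresses, the London and Frankfurt coordinates and the 900 km/h limit are constructed for the example; the honour_offsets switch exists only to show what the naive comparison would have concluded.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed user access log. Each entry keeps the UTC offset the recording
# system wrote: request 1 was logged in GMT, request 2 in CET (UTC+1), as on
# the slide. The middle entry is a mobile device fix, not an IP lookup.
ACCESS_EVENTS = [
    {"user": "jsmith", "ts": "2012-06-19T10:00:00+00:00", "ip": "198.51.100.10", "source": "ip"},
    {"user": "jsmith", "ts": "2012-06-19T10:05:00+00:00", "lat": 51.52, "lon": -0.12, "source": "mobile"},
    {"user": "jsmith", "ts": "2012-06-19T11:30:00+01:00", "ip": "203.0.113.45", "source": "ip"},
]

# Constructed IP geolocation table: London and Frankfurt coordinates.
GEO = {"198.51.100.10": (51.5074, -0.1278), "203.0.113.45": (50.1109, 8.6821)}


def parse_ts(s, honour_offsets=True):
    """Normalise a timestamp to UTC. With honour_offsets=False the offset is
    thrown away and the wall-clock time is taken as UTC, which is the common
    mistake when logs from different regions are merged."""
    dt = datetime.fromisoformat(s)
    if not honour_offsets:
        return dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def locate(event):
    """Coordinates for an event: mobile fixes carry them, IP events are looked up."""
    if "lat" in event:
        return (event["lat"], event["lon"])
    return GEO[event["ip"]]


def distance_km(a, b):
    """Great-circle distance (haversine) between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_speed_kmh=900.0, honour_offsets=True):
    """Flag consecutive accesses by the same user whose implied travel speed
    exceeds max_speed_kmh; the access is inconsistent with the previous one."""
    alerts = []
    ordered = sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"], honour_offsets)))
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["user"] != cur["user"]:
            continue
        hours = (parse_ts(cur["ts"], honour_offsets)
                 - parse_ts(prev["ts"], honour_offsets)).total_seconds() / 3600
        km = distance_km(locate(prev), locate(cur))
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            alerts.append({"user": cur["user"], "from": prev["source"], "to": cur["source"],
                           "km": round(km), "hours": round(hours, 2),
                           "speed_kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    print("normalised:", impossible_travel(ACCESS_EVENTS))
    print("wall clock:", impossible_travel(ACCESS_EVENTS, honour_offsets=False))
```

With offsets honoured the London-to-Frankfurt hop takes 25 minutes of UTC time and is flagged; with the offsets discarded the same data looks like an unremarkable 85-minute journey and nothing fires. Mixing the phone's fix in as just another location source is what lets the rule catch a request whose IP geolocation is plausible but whose timing contradicts where the user's device says they are.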
Quocirca 2012 Slide 18 of 27
Source: Quocirca 2011, The data sharing paradox
Quocirca 2012 Slide 19 of 27
Figure labels: E-commerce transaction database; Customers; E-commerce app; Direct access request
Inputs: database access logs, IDs of resources requesting access
Policy: database only accessed via given application
Result: hack prevented or uncovered
Quocirca 2012 Slide 21 of 27
Figure labels: Attempt to access SCADA
Inputs: door entry system log, SCADA access log
Policy: physical presence of individual required to access SCADA system
Result: unauthorised attempt to change systems prevented (e.g. STUXNET)
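Slides 13, 19 and 21 share one shape: an event from one log is checked against a policy whose context comes from somewhere else (a data classification, an allow-list of applications, a door entry log). The Python below is an added example, not from the deck, of a small policy evaluator that expresses all three as rules over a single event stream. The file paths, destination names, client identifiers, the plc-turbine-1 system, the badge holders and every timestamp are constructed for the example.

```python
from datetime import datetime

# Constructed reference data: the context each policy is evaluated against.
DATA_CLASS = {"/finance/q2-forecast.xlsx": "confidential", "/marketing/brochure.pdf": "public"}
RESTRICTED_DESTINATIONS = ("consumer-cloud.example", "usb:")  # constructed names
APPROVED_DB_CLIENTS = {"ecommerce-app"}
PROTECTED_DB = "ecommerce-transactions"
SCADA_SYSTEMS = {"plc-turbine-1"}

# Constructed door entry system log: (timestamp, event, badge holder).
DOOR_LOG = [
    ("2012-06-19T07:55:00", "badge_in", "eng-ops"),
    ("2012-06-19T12:10:00", "badge_out", "eng-ops"),
]

# Constructed events from the other inputs: file copies, database access log
# entries and SCADA access log entries, deliberately not in time order.
EVENTS = [
    {"type": "copy", "ts": "2012-06-19T09:15:00", "user": "alice",
     "path": "/finance/q2-forecast.xlsx", "destination": "consumer-cloud.example/alice"},
    {"type": "copy", "ts": "2012-06-19T09:16:00", "user": "alice",
     "path": "/marketing/brochure.pdf", "destination": "consumer-cloud.example/alice"},
    {"type": "db_access", "ts": "2012-06-19T10:00:00", "client": "ecommerce-app", "db": PROTECTED_DB},
    {"type": "db_access", "ts": "2012-06-19T10:02:00", "client": "laptop-7f3a", "db": PROTECTED_DB},
    {"type": "scada_login", "ts": "2012-06-19T09:00:00", "user": "eng-ops", "system": "plc-turbine-1"},
    {"type": "scada_login", "ts": "2012-06-19T13:00:00", "user": "eng-ops", "system": "plc-turbine-1"},
    {"type": "scada_login", "ts": "2012-06-19T03:00:00", "user": "contractor-x", "system": "plc-turbine-1"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def rule_classified_copy(ev, door_log):
    """Slide 13: classified data cannot be copied to certain locations."""
    if ev["type"] != "copy":
        return None
    if (DATA_CLASS.get(ev["path"]) == "confidential"
            and ev["destination"].startswith(RESTRICTED_DESTINATIONS)):
        return f"confidential file {ev['path']} copied to restricted location {ev['destination']}"
    return None


def rule_db_via_app_only(ev, door_log):
    """Slide 19: the transaction database is only accessed via the given application."""
    if ev["type"] != "db_access" or ev["db"] != PROTECTED_DB:
        return None
    if ev["client"] not in APPROVED_DB_CLIENTS:
        return f"direct access to {ev['db']} from {ev['client']}"
    return None


def rule_scada_presence(ev, door_log):
    """Slide 21: SCADA access requires the individual to be physically present,
    i.e. their most recent door event before the login must be a badge-in."""
    if ev["type"] != "scada_login" or ev["system"] not in SCADA_SYSTEMS:
        return None
    when = parse_ts(ev["ts"])
    history = [(parse_ts(t), kind) for t, kind, who in door_log
               if who == ev["user"] and parse_ts(t) <= when]
    if not history or max(history)[1] != "badge_in":
        return f"{ev['user']} accessed {ev['system']} without being on site"
    return None


RULES = [rule_classified_copy, rule_db_via_app_only, rule_scada_presence]


def evaluate(events, door_log):
    """Run every policy over every event, in time order, and collect violations."""
    violations = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in RULES:
            detail = rule(ev, door_log)
            if detail:
                violations.append({"ts": ev["ts"], "rule": rule.__name__, "detail": detail})
    return violations


if __name__ == "__main__":
    for v in evaluate(EVENTS, DOOR_LOG):
        print(v["ts"], v["rule"], v["detail"])
```

The SCADA rule is the one that actually needs correlation across inputs: the login at 09:00 is fine because the engineer badged in at 07:55, the login at 13:00 is flagged because the latest door event by then is a badge-out, and the contractor who never appears in the door log is flagged regardless of credentials. Each rule returns None quickly for events it does not cover, so adding a fourth policy is a matter of appending a function to RULES.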
Quocirca 2012 Slide 22 of 27
Source: Quocirca 2011, Conquering the sys-admin challenge
7/31/2019 Advanced IT security intelligence
24/27
Quocirca 2012 Slide 24 of 27Source: Quocirca 2011, Conquering the sys-admin challenge
Quocirca 2012 Slide 25 of 27
Figure labels: Backup process started; Not completed
Inputs: server activity log, primary storage read log, backup storage write log
Warning: scheduled backup failed
Result: potential disaster recovery problem averted
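This is the one scenario in the deck where the signal is an event that did not happen, which needs a different shape of rule from the others: a "started" record with no "finished" partner once the expected duration has passed. The Python below is an added example, not the deck's, that checks the three inputs the slide names and also uses the two storage logs to catch the quieter failure of a job that reports completion but wrote far less than it read. The job name, the timestamps, the byte counts and the three-hour limit are constructed for the example.

```python
from datetime import datetime, timedelta

GB = 1024 ** 3

# Constructed server activity log: (timestamp, job, event).
SERVER_LOG = [
    ("2012-06-18T01:00:00", "nightly", "started"),
    ("2012-06-18T02:10:00", "nightly", "finished"),
    ("2012-06-19T01:00:00", "nightly", "started"),  # no matching "finished"
]

# Constructed storage logs, bytes per calendar day: what the backup read from
# primary storage and what actually landed on backup storage.
PRIMARY_READS = {"2012-06-18": 40 * GB, "2012-06-19": 41 * GB}
BACKUP_WRITES = {"2012-06-18": 40 * GB, "2012-06-19": 2 * GB}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def check_backups(server_log, reads, writes, now,
                  max_duration=timedelta(hours=3), min_ratio=0.95):
    """One verdict per backup run, evaluated as of `now` (ISO timestamp):
    - started, not finished, and max_duration has passed -> scheduled backup failed
    - finished, but bytes written fall short of bytes read -> backup incomplete
    - started and still inside max_duration -> nothing yet (don't page at 01:05)"""
    current = parse_ts(now)
    runs = {}
    for ts, job, event in server_log:
        day = ts[:10]
        runs.setdefault((job, day), {})[event] = parse_ts(ts)

    warnings = []
    for (job, day), marks in sorted(runs.items()):
        read = reads.get(day, 0)
        written = writes.get(day, 0)
        record = {"job": job, "day": day, "read_gb": read // GB, "written_gb": written // GB}
        started = marks.get("started")
        if "finished" not in marks:
            # Absence detection: the completion record never arrived.
            if started is not None and current - started > max_duration:
                warnings.append({**record, "warning": "scheduled backup failed"})
        elif read and written / read < min_ratio:
            warnings.append({**record, "warning": "backup incomplete"})
    return warnings


if __name__ == "__main__":
    for w in check_backups(SERVER_LOG, PRIMARY_READS, BACKUP_WRITES, "2012-06-19T06:00:00"):
        print(w)
```

The rule is keyed on the clock rather than on log events, so it has to be run on a schedule (after each backup window, not just when a line arrives), and it reports the bytes read and written alongside the failure so the operator can see whether the job hung at the start or part-way through.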
7/31/2019 Advanced IT security intelligence
27/27
THANKYOU
www.quocirca.com