Who are you, customer? – Zbigniew Szmigiero
© 2013 IBM Corporation
Who are you …?
Zbigniew Szmigiero, Customer Technical Professional – IBM Security Systems.
IPS
• Operate on signatures and rules up to layer 4
• Insufficient to identify APTs, fraud and data leaks
• Vulnerable to DDoS attacks
• False positives vs. false negatives
• Still important, but something more is needed
NG IPS
Data protection
• Identify sensitive data (including during migration)
• Monitor access to it
• Use encryption wherever possible
Guardium 9.1
Integration with LDAP, IAM, SIEM, TSM, Remedy, …
[Figure: supported Big Data environments – InfoSphere BigInsights, CouchDB, GreenPlum, SAP HANA, Amazon RDS, Cassandra, HBase]
Anomaly detection in DAM
[Screenshot: anomaly hours are marked in red or yellow; clicking on a bubble navigates to the Outlier View]
Data encryption
[Figure: encryption points in the stack – applications, databases, file systems, volume managers, storage (SAN, NAS, DAS); agents and manager linked over HTTPS]
Data Security Manager
• FIPS Level 3 key management
• Centralized, automated key management
• High-availability cluster
• Robust role separation
Encryption Expert Agent
• File system or volume manager
• Transparent and agnostic
• Supports Linux, Unix and Windows
• Privileged user control and separation
• Software-based encryption
Data encryption
[Figure: the same file shown three ways. Clear text: file data (Name: J Smith, CCN: 60115793892, Exp Date: 04/04, Bal: $5,145,789, SSN: 514-73-8970) and file system metadata (Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02). MetaClear: file data encrypted, metadata left in the clear so data management tools keep working. Block-level: file data and metadata both encrypted.]
• Protects sensitive information without disrupting data management
• High-performance encryption
• Root access control
• Data access as an intended privilege
Application code quality
• Who writes your applications?
• How do you check code quality?
• How do you control changes and fixes?
Full-scope application analysis – AppScan
[Figure: analysis coverage. Server-side app: SAST (source code) and DAST (web interfaces). Client-side app in the browser: JavaScript / HTML5 hybrid analysis. Native apps (Android, iOS) and JavaScript: static analysis.]
How do you manage endpoints?
• Asset management
• Patches
• Defining roles and enforcing their use
• Monitoring access to data (DLP)
• Isolating malware and neutralising it
Full endpoint lifecycle – TEM
[Figure: platforms – Windows/Mac, Unix/Linux, Windows Mobile, kiosk, POS, Android/iOS/Symbian/Windows Phone. Functions – MDM, software usage, OS deployment, remote control, protection, energy management, patch management, inventory, CCM.]
How does it work?
[Figure: TEM topology – sites connected over the Internet; functions: license, remote, asset, install, mobile, software distribution, patch, compliance, security, DLP]
How does it work?
[Figure: TEM server and TEM agent; assignment flows from the server to the agent, data flows back]
How does an exploit work?
[Figure: exploitation – the application reaches the file system, the WWW and external content through legitimate access; a vulnerability gives the exploit a way in]
An exploit is a piece of software that uses an application vulnerability to cause unintended application behavior.
Application state verification
Allow application actions with an approved state.
[Figure: application state – external content, file system, legitimate access; approved triggers: user initiated, app update]
Application state verification
Stop application actions with an unknown state.
[Figure: file system access by an exploit vs. a user-initiated action or app update; Trusteer Apex stops execution when the state is unknown]
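The two slides above describe the idea in one line each: a sensitive action is allowed when the application is in an approved state (the action was triggered by the user or by an application update) and stopped when the state is unknown. The following is an added illustration of that rule as a small event replay, written for this page; it is not Trusteer Apex code and the event names, the per-process state model and the sample trace are all assumptions constructed for the example.

```python
"""Toy application-state check in the spirit of the Apex slides: a sensitive
action (writing an executable, spawning a process) is allowed only while the
process is in an approved state, i.e. its most recent trigger was a user action
or an application update. A sensitive action that follows the parsing of
external content, with no trusted trigger in between, has an unknown state and
is stopped. Event names and the sample trace are constructed for this example;
they are not Trusteer's own telemetry."""
from dataclasses import dataclass, field

TRUSTED_TRIGGERS = {"user_initiated", "app_update"}
UNTRUSTED_INPUT = {"external_content"}
SENSITIVE_ACTIONS = {"write_executable", "spawn_process"}


@dataclass
class ProcessState:
    state: str = "unknown"                      # "approved" or "unknown"
    trail: list = field(default_factory=list)   # events seen so far, for the analyst


def evaluate(events):
    """Replay a per-process event trace and return (pid, action, state, verdict)
    for every sensitive action in the order it was attempted."""
    processes = {}
    decisions = []
    for evt in events:
        pid, kind = evt["pid"], evt["kind"]
        ps = processes.setdefault(pid, ProcessState())
        ps.trail.append(kind)
        if kind in TRUSTED_TRIGGERS:
            ps.state = "approved"
        elif kind in UNTRUSTED_INPUT:
            # Rendering a page or opening a document is normal, but nothing the
            # process does after that has an approved origin until the user or
            # an update triggers it again.
            ps.state = "unknown"
        elif kind in SENSITIVE_ACTIONS:
            verdict = "allow" if ps.state == "approved" else "stop"
            decisions.append((pid, kind, ps.state, verdict))
    return decisions


# Constructed trace: pid 100 saves a file the user asked for, pid 200 renders
# external content and then tries to drop and run an executable, pid 300 is an
# updater applying an application update.
SAMPLE_EVENTS = [
    {"pid": 100, "kind": "user_initiated"},
    {"pid": 100, "kind": "write_executable"},
    {"pid": 200, "kind": "external_content"},
    {"pid": 200, "kind": "write_executable"},
    {"pid": 200, "kind": "spawn_process"},
    {"pid": 300, "kind": "app_update"},
    {"pid": 300, "kind": "spawn_process"},
]

if __name__ == "__main__":
    for pid, action, state, verdict in evaluate(SAMPLE_EVENTS):
        print(f"pid={pid} {action:17} state={state:8} -> {verdict}")
```

The point of the replay is that the decision never looks at what the executable is; it looks only at how the process got to the point of writing it. That is what lets the check stop a previously unseen payload without a signature, and it is also why a real implementation needs reliable trigger attribution (which user click, which signed update) rather than the flat event names assumed here.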
Blocking malware communication
[Figure: information-stealing malware (from a direct user download or a pre-existing infection) reaching an external network; exfiltration prevention applied at two points]
• Direct communication is highly visible
• Evasion #1: compromise an application process so the traffic looks like legitimate communication
• Evasion #2: communicate over legitimate websites
Block suspicious executables that open malicious communication channels.
Protection against identity theft (ATO)
[Figure: credential theft paths – keylogging, phishing, using corporate passwords on public sites; grabbing credentials from websites; grabbing credentials from the user's machine. Countermeasures: password protection, keystroke obfuscation.]
The never-ending story
[Figure: phishing and malware fraud; advanced threats (employees); online banking (wire, ACH, internal apps); account takeover and new-account fraud; mobile fraud risk]
The never-ending story
The never-ending story
Global: hundreds of customers, 100,000,000 endpoints
Solutions: financial fraud prevention, advanced threat protection
Leader: intelligence, technology, expertise
Leading global organizations put their TRUST in us
• 7/10 top US banks
• 9/10 top UK banks
• 4/5 top Canadian banks
• Major European banks
Malware
[Figure: Trusteer Rapport sitting between the user's browser and online banking (TRX, WWW)]
1 • Removes existing infection • Prevents new infection • Secures the browser
2 • Alerts the user on phishing sites • Notifies the bank for takedown
4 Prevents credential and data theft that enable ATO and cross-channel fraud
• Retail and commercial • Scales to millions • No end-user impact
Trusteer Rapport: kills the attack before it even starts.
Eliminating malware
[Figure: Trusteer Rapport and Trusteer Pinpoint Malware Detection protecting online banking (TRX, WWW) against malware-generated fraudulent transactions and credential theft via malware and phishing]
Anomaly identification
[Figure: login to online banking covered by Trusteer Pinpoint Malware Detection, Trusteer Rapport and Trusteer Pinpoint ATO / Mobile Risk Engine. Responses (3): monitor the account (re-credential the user), hand off to a 3rd-party risk engine, restrict the web app (add payee), remediate and immunize the customer; out-of-band authentication via Trusteer Mobile OOB.]
Identity theft and ATO
[Figure: login with credentials to online banking; Trusteer Pinpoint Malware Detection (1) and Trusteer Pinpoint Account Takeover (ATO) Detection (2)]
Complex device fingerprinting
• Device attributes: new device, spoofed device, criminal device
• User attributes: interaction patterns, geo location, time of access
• Account compromise history: phished credentials (1), malware infections / stolen credentials (2)
1 + 2 → Access denied
Phishing and ATO
[Figure: login with credentials to online banking from the office or from home, or through a phishing site; Trusteer Rapport (1) and Trusteer Pinpoint Account Takeover (ATO) Detection (2)]
Complex device fingerprinting
• Device attributes: new device, spoofed device, criminal device
• User attributes: interaction patterns, geo location, time of access
• Account compromise history: phished credentials (1), malware infections / stolen credentials (2)
1 + 2 → Access denied
Identity theft
[Figure: new account creation at online banking following PII data theft; Trusteer Pinpoint Malware Detection (1), Trusteer Pinpoint Account Takeover (ATO) Detection (2), Trusteer Rapport; outcome: tag as fraudster]
Account and device risk
• Credential / PII theft via malware or phishing
• Same device -> multiple Trusteer-protected FIs
• Same device -> multiple accounts, single FI
Independent authentication channel
[Figure: login to online banking; Trusteer Pinpoint ATO Detection + OOB Service detects ATO risk and denies access; Trusteer Mobile App used for the out-of-band step]
Secure OOB access authorization: approve access via the registered device (SMS or data).
ATO and mobile fraud
[Figure: login with credentials to online banking and, through the bank's mobile banking app with the Trusteer Mobile SDK, to the Trusteer Mobile Risk Engine; Trusteer Pinpoint Malware Detection and Trusteer Rapport; credential theft leads to restricted access]
Mobile device risk factors
• Device attributes: jailbroken / rooted device, malware infection, new device ID, unpatched OS, unsecure Wi-Fi connection, rogue app
• Account compromise history: phished credentials, malware infections, phishing incident (stolen credentials) (1, 2)
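The ATO slides above list the inputs of the risk decision (device attributes, user attributes, account compromise history, and for the mobile app a further set of device factors) and show two outcomes: access denied, or an out-of-band approval on the registered device. The following is an added illustration of how such inputs combine into a decision, written for this page; it is not the Trusteer Pinpoint or Mobile Risk Engine code, and the factor weights, the two thresholds, the data classes and the sample histories are all assumptions. It goes slightly beyond any single slide by handling the web and mobile factors in one engine.

```python
"""Toy account-takeover (ATO) risk engine modelled on the risk factors listed in
the slides. Weights and thresholds are assumptions chosen for illustration: a
single piece of evidence is enough to step up authentication, while a
compromised credential combined with an unknown device is denied outright."""
from dataclasses import dataclass, field

WEIGHTS = {
    # device attributes
    "new_device": 25,
    "spoofed_device": 40,
    "criminal_device": 60,
    # user attributes
    "unusual_geo": 15,
    "unusual_hour": 10,
    # account compromise history
    "phished_credentials": 35,
    "malware_infection": 35,
    # mobile-only device factors
    "jailbroken_or_rooted": 30,
    "unpatched_os": 10,
    "unsecure_wifi": 10,
    "rogue_app": 30,
}
STEP_UP_THRESHOLD = 25   # ask for out-of-band approval on the registered device
DENY_THRESHOLD = 60      # refuse the login


@dataclass
class AccountHistory:
    """What the bank already knows about the account (constructed fields)."""
    known_devices: set = field(default_factory=set)
    usual_geos: set = field(default_factory=set)
    usual_hours: range = range(7, 23)
    phished_credentials: bool = False   # credentials were entered on a phishing site
    malware_infection: bool = False     # credentials were stolen by endpoint malware


@dataclass
class LoginAttempt:
    """One login as seen by the fingerprinting layer (constructed fields)."""
    device_id: str
    geo: str
    hour: int
    spoofed_device: bool = False    # fingerprint inconsistent with the claimed device
    criminal_device: bool = False   # fingerprint already seen in earlier fraud
    mobile: dict = field(default_factory=dict)   # mobile factor name -> bool


def risk_factors(attempt, history):
    """Return the names of the risk factors that fire for this attempt."""
    fired = []
    if attempt.device_id not in history.known_devices:
        fired.append("new_device")
    if attempt.spoofed_device:
        fired.append("spoofed_device")
    if attempt.criminal_device:
        fired.append("criminal_device")
    if attempt.geo not in history.usual_geos:
        fired.append("unusual_geo")
    if attempt.hour not in history.usual_hours:
        fired.append("unusual_hour")
    if history.phished_credentials:
        fired.append("phished_credentials")
    if history.malware_infection:
        fired.append("malware_infection")
    fired += [name for name, present in attempt.mobile.items()
              if present and name in WEIGHTS]
    return fired


def decide(attempt, history):
    """Return (verdict, score, fired factors); verdict is allow, step_up or deny."""
    fired = risk_factors(attempt, history)
    score = sum(WEIGHTS[f] for f in fired)
    if score >= DENY_THRESHOLD:
        verdict = "deny"
    elif score >= STEP_UP_THRESHOLD:
        verdict = "step_up"   # out-of-band approval via the registered mobile device
    else:
        verdict = "allow"
    return verdict, score, fired


if __name__ == "__main__":
    # Constructed account: one known device, logins from Poland in working hours.
    clean = AccountHistory(known_devices={"dev-A"}, usual_geos={"PL"})
    phished = AccountHistory(known_devices={"dev-A"}, usual_geos={"PL"},
                             phished_credentials=True)
    print(decide(LoginAttempt("dev-A", "PL", 10), clean))          # allow
    print(decide(LoginAttempt("dev-B", "PL", 10), clean))          # step_up
    print(decide(LoginAttempt("dev-B", "PL", 10), phished))        # deny: new device + phished
    print(decide(LoginAttempt("dev-A", "PL", 10,
                              mobile={"jailbroken_or_rooted": True,
                                      "unsecure_wifi": True}), clean))   # step_up
```

The shape to notice is that the compromise-history factors are account-level facts learned earlier (from the endpoint agent or the phishing feed), while the device and user factors are per-login observations; neither set alone has to be conclusive, because the combination that the slides mark as 1 + 2 is what crosses the deny threshold, and anything weaker falls back to the out-of-band channel rather than to a hard refusal.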
What next? Or where to start?
• Many solutions, many consoles, lots of data, limited resources
• SIEM – a platform for integrating security-related events
• How many incidents does the SIEM generate?
• Incident vs. risk
• QRadar – a risk analysis platform (NG SIEM)
QRadar
"Never fly in airplanes designed by optimists."
At your service with advice: the positively pessimistic IBM Security Systems team.