大資料裡的秘密 從使用者、網路和應用程式的稽核監控談起 Extreme技術顧問 蘇俊銘

Agenda 前言 資訊安全的近況與趨勢 解決方案 結論

前言 巨量資料的價值之一，在於提供快速正確的決策依據，無論採用何種資料儲存處理與分析技術，須要有充足廣泛的來源資料作為依據，用於資安分析亦是如此。 大數據選內衣True & Co 網路上的資訊，企業每天好幾10G, 100G的流量，不同設備上的事件，如何從這上面發現資安問題，亦是大數據分析的應用之一 © 2011 Extreme Networks, Inc. All rights reserved.

物聯網裝置成長與資訊洪流下企業面臨高資安風險 1.加密傳輸成為竊取資料與個資的危機 2.惡意廣告的茲擾 3.物聯網裝置/行動裝置上惡意軟體的威脅(舊OS行動裝置存在的漏洞) 4.資料勒索 5.社交網站、部落格的漏洞成為駭客散播惡意程式的平台 IoT, 企業大頻寬 Open SSL – Heartbleed Bash – ShellShock SSL 3.0 – POODLE 行動裝置3G上網不受內網資安政策的控管 資料勒索-synology 惡意程式透過加密規避檢查 © 2011 Extreme Networks, Inc. All rights reserved.

Increasing Attack Surface & Threat Sophistication

DDoS攻擊流量成長 端點防護能力有限，駭客容易入侵導致DDoS流量暴增，最高峰的DDoS流量可以接近500Gbps是十年前的60倍。 The growing number of DDoS attacks shows no sign of slowing. The attacks on Xbox Live and PlayStation Network are less than two months behind us. Today, the number is more than 60-times greater at roughly 500Gbps. The new record is 25% higher than the previous record of 400Gbps, set in Feb. 2014 only nine months earlier. CloudFlare NTP Flooding. This, combined with the continued lack of security in home routers and steady discovery of widespread vulnerabilities, is expected to give hackers more firepower to harvest botnets and launch stronger DDoS attacks in 2015. 資料來源 http://www.calyptix.com © 2011 Extreme Networks, Inc. All rights reserved.

資安外洩事件近況 資料來源：Gemalto Breach-Level-Index-Annual-Report-2014 1541次的資料外洩事件中，有10億筆的資料外洩 外洩事件的種類 個資竊取54% 現今企業的責任不僅在保護企業資產，也必須保護客戶和員工的資訊。違反這樣的情況可能會嚴重危及企業經營。 資料來源：Gemalto Breach-Level-Index-Annual-Report-2014 © 2011 Extreme Networks, Inc. All rights reserved.

物聯網裝置爆炸性成長 Gardner的預測資料預估2020年時會有超過250億的物連網(IoT)裝置 資料來源Gartner 個資訊息 數量眾多，入侵後獲得的攻擊效果佳 資料來源Gartner © 2011 Extreme Networks, Inc. All rights reserved.

物聯網設備的風險與控管 風險 控管 產用開放源與新的通訊協定，相較舊協定有較多的缺點及漏洞 製造商設計時並未考慮安全性，設備無防毒防駭機制 設備的數量與多樣性造成管理的複雜度 爆炸性的成長數量也成為駭客偵測與覬覦的目標 控管 現階段可整合BYOD解決方案，於該設備的接入層設備進行網路存取控管，僅允許特定的服務（TCP/UDP），降低被入侵與成為攻擊跳台的風險 透過弱點評估設備定期掃描檢視物聯網設備的漏洞 透過SIEM偵測與分析來預警與聯防

Today’s Point Products Defend Yesterday’s Attacks Broad Attacks Multi-faceted Targeted Attacks Tactical Approach Compliance-driven, Reactionary Strategic Approach Intelligence-driven, Continuous Rely on pattern matching to find specific instances of attacks Rely on other add-on products like proxies and application firewalls Targets only certain types of broad attacks Solution provider obtains their research from third parties Piece-part solution Block entire classes of attacks, including mutations Protect against user-focused & application-level attacks Protect against advanced malware & persistent threats Offer industry-leading security research and development Seamlessly integrate with an entire portfolio of industry-leading security solutions Broad Attacks: Indiscriminate malware, spam and DoS activity Multifacetaed attacks: Advanced, persistent, organized, and politically or financially motivated Traditional security technologies and detection/prevention approaches are really struggling As attacks have become more sophisticated and mutate regularly, static technologies can’t keep up Similar to how signature-based antivirus is no longer sufficient, intrusion prevention needs to be smarter and more dynamic This means adapting quickly to attacks as they change, and dealing with things like custom malware, APTs, etc. This also means taking a much more proactive approach to threat detection and prevention, vs. reactive

Security Analytics Market Potential Security Analytics Market Growth Source: Worldwide Security & Vulnerability Assessment (VA) 2014-2018 - IDC Many of us are new to the security market; can you give us an overview of the security market and tell us about some of the trends you’re seeing? Security market remains strong due to sophistication of cyber threats & security attacks

解決方案：SIEM＋IAM（NAC） 資安事件預防 資安事件偵測 資安事件稽核 資安聯防 弱點掃描（主動掃描內網設備的漏洞及提供修復方式報告） 風險管理（主動察覺網路和系統設定上的漏洞與風險及模擬攻擊行為） 威脅情資（從雲端資料庫主動更新外部威脅情資） 資安事件偵測 資安事件警告（依優先權排序） 不同平台事件記錄與分析（防火牆、IPS、Router、Switch、Server…） 網路封包資料分析（Flow） 資安事件稽核 資安事件查詢、追蹤、鑑識、舉證 資安聯防 Firewall、IPS、Switch、IAM（NAC） 資安事件一定會發生的前提下，透過偵測機制見微知著，資安設備聯防，並建立快速回復機制與事後稽核舉證 © 2011 Extreme Networks, Inc. All rights reserved.

Identity and Access Management (IAM) Solution Ensures health and compliance both prior to and after allowing access Provides appropriate access (to assets and QoS) based on organizational role, authenticated identity and security posture Supports IoT end-system / user tracking Automatically contains detected threats Stored Centrally Enforced Globally

Security Analytics Solution Log Management Centralized log collection data base (Firewalls, Server, Switches, Anti virus, etc.) Normalization of logs – translates into human language SIEM Correlates disparate log data and security information Prioritization of actionable offenses Risk Manager Monitors risk profile of devices (password, configuration, patches) Maintains network topology and provides risk correlation of devices Vulnerability Manager Scans devices for known vulnerabilities as defined by the CVE database Provides exposure reports and help prioritize mitigation efforts X-Force IP Reputation Day zero prevention service via proactive vulnerability monitoring of Internet activity Updated security signatures pushed automatically © 2011 Extreme Networks, Inc. All rights reserved.

Advanced Security Analytics Pinpoint Highest Offense 日誌管理是事後稽核使用 SIEM是事前預警 Research Geo-Location Internet Threats Vulnerabilities Contextual Intelligence feeds

Risk Manager 視覺化的拓樸呈現高風險的系統，如系統上有不正確的設定、系統有漏洞 © 2011 Extreme Networks, Inc. All rights reserved.

Risk Manager 可定期蒐集防火牆, Router, Switch, IPS的設定，並檢視該設定與觸發的事件，確保法則設定的正確性與有效性，可儲存多份設定擋進行設稽核比對 © 2011 Extreme Networks, Inc. All rights reserved.

Risk Manager 模擬攻擊，讓企業能夠及早發覺高風險系統，提前強化資安系統設定，並可整合弱點掃描結果呈現有漏洞的系統及最有可能被入侵的系統。 © 2011 Extreme Networks, Inc. All rights reserved.

Vulnerability Manager 提供主動與被動的掃描方式 除定期掃描外，會主動對新連網的設備進行掃描 透過持續性的監控方能有效預防APT的攻擊 © 2011 Extreme Networks, Inc. All rights reserved.

Identify high-priority Vulnerabilities

Incident Forensics 藉由事件追蹤與回溯，協助企業快速找到問題及原因 當資安事件發生時可以提供結構性與非結構性的資如郵件附檔，社群軟體上的夾擋，VoIP Call，，不僅僅提供警告，還提供事件內容與歷史資訊 類搜群引擎的介面提供Big data的分析能力，包括Digital impressions, suspect content, Content Categorization. © 2011 Extreme Networks, Inc. All rights reserved.

Dynamic Update Threat Intelligence DB X-Force提供威脅情資，如動態的更新IP黑名單，最新駭客手法，可利用的弱點資訊。增加SIEM的辨識能力。 © 2011 Extreme Networks, Inc. All rights reserved.

Extreme SIEM: Offense Management Clear & concise delivery of the most relevant information … What was the attack? Was it successful? Who was responsible? Where do I find them? How valuable are they to the business? How many targets involved? Are any of them vulnerable? Where is all the evidence?

Flow Analytics For Better Threat Detection Potential Botnet Detected? This is as far as ArcSight can go. IRC on port 80? QRadar QFlow enables detection of a covert channel. Irrefutable Botnet Communication Layer 7 data contains botnet command and control instructions.

Innovation Integration Intelligence Total Solution Complete Network, Policy And Compliance Management Solution Transforming logs, events, flows, risk and vulnerability management Network Visibility, Control and Automation using NetSight Security Analytics Portfolio Network Management Identity & Access Management via NAC App Visibility & Analytics via Purview Threat Protection Portfolio People Applications Network 4. How do these products fit into the Extreme portfolio of products?  Innovation Integration Intelligence

Integrated with Hadoop for Big Data Security Analytics 針對安全與網路資料的APT分析，可分析長期的的歷史資料 快速查詢資安資料 分析非結構化資料如社群軟體, e-mail, domain資訊 Big Data的可視化 網路行為取證 Hadoop是一個能夠儲存並管理大量資料的雲端平台 Hadoop是一個叢集系統，HDFS © 2011 Extreme Networks, Inc. All rights reserved.

結論 從企業角度來看，IT人員其首要任務乃是維持系統的安全與穩定，因此只要發現任何異常，就應立即根據大量系統日誌進行根本原因分析（RCA），預測可能損害系統維運的因素，以發揮防微杜漸之效，大數據資料分析技術及是應用在此。 透過SIEM整合多樣資安設備所提供的事件與網路流量情報，並結合資產設備的弱點評估與風險管理來進行關連性分析，辨識異常的資安行為，進一步與入侵防禦系統，防火牆，交換器等聯防機制，才足以因應潛藏於內部的危機。 類搜尋引擎介面能提供快速簡易查詢事後資安事件的記錄、鑑識、稽核與事後舉證，甚至還原資安事件的檔案與歷史資料。