
BayNewsletter_2


Bay Newsletter new1.pmd 14/3/2551, 9:59

2 l Bay Computing Newsletter l Issue 2

EDITOR’S NOTE & NEWS UPDATE


Bay Computing, in collaboration with RSA, held the "EMC & RSA Computer-Related Crime Act Seminar 2008" on February 19, 2008, demonstrating a log management system, Security Information & Event Management (SIEM) with RSA enVision, as well as sample threat reports, notification of possible attacks and network monitoring.


Lumension Security announced that the US Department of Veterans Affairs has chosen the Sanctuary endpoint security solution to enforce its central and local policies and to control portable devices. Sanctuary Device Control is being installed on 250,000 computers, including servers and laptops, to prevent data leakage and to control malware and unauthorized program installation.


PatchLink is a leading provider of network security and vulnerability management solutions for corporate customers and has been ranked as one of the leaders in the patching and remediation market for three consecutive years. Furthermore, IDC reports that the market for information security management and risk analysis solutions will continue to expand through 2011, with estimated growth of 18.4%.


Khun Avirut Liangsiri, Enterprise Solution Manager of Bay Computing, gave an interview on data leakage trends and case studies in corporate networks to the IT for Executive radio show on Chula Radio (101.5 MHz), covering the risks of data leakage and how to protect against it, both inside and outside the organization.


To comply with the Computer Crime Act B.E. 2550 (2007), a great number of organizations are now trying to acquire the perfect solution to help them store computer traffic data. But one question they would really like answered is "How are we going to measure the Return on Investment (ROI) for this solution?" Answering it with a simple statistical value or profit figure is not enough, and that is not what the solution is all about. Instead, it is about social responsibility, reputation and compliance with the Act. On the other hand, if they look at the value of implementing Security Information & Event Management (SIEM), they will see tangible outcomes: the system provides threat reports and notifies them of possible attacks, so organizations can reduce network administration and monitoring work and develop their network systems in the most effective way.

Meanwhile, organizations occupied with finding a solution to comply with the Computer Crime Act may see delays in other important projects. Therefore, in this issue, we pick up from the last one and provide more details on Data Leakage Protection solutions.

Bay's Newsletter is published quarterly to provide knowledge on new computer technologies and trends. To confirm or cancel your subscription, please send your name, address and telephone number to [email protected].

Nida Tangwongsiri, General Manager


SUCCESS STORY


Krieangsak Pramepornviput, System Administrator, University of the Thai Chamber of Commerce


The problem that the University of the Thai Chamber of Commerce faced with its internet system was insufficient bandwidth as the number of users grew.

To get to the bottom of the problem, the university analyzed its network traffic data and found that 80-90% of all traffic was BitTorrent traffic, which was unrelated to education and a waste of network bandwidth.

To limit BitTorrent use and preserve bandwidth for other purposes, the university tried various solutions, including router management software, without success. Finally, it brought in PacketLogic from Bay Computing, a bandwidth management system, and installed it between the firewall and the internal network.

PacketLogic lets the university enforce its internet policies, limit BitTorrent use and get more value from its internet connection. The system shows internet use in real time, so the university knows immediately if usage is abnormally high, possibly because of malware or viruses, and can deal with the problem almost right away. Furthermore, the university can study users' past behavior and adjust its internet system accordingly.
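The traffic analysis the story describes, as an added example that is not part of the original article and not PacketLogic's code: flows are classified by payload signature rather than by destination port, and the share of bandwidth per application is computed. The flow records, hosts and byte counts are constructed; the signatures (the BitTorrent handshake, the bencoded DHT query prefix, HTTP methods, the TLS record header) are the real ones.

```python
"""Signature-based traffic classification with bandwidth share per application.

Added example (not from the article or from PacketLogic). Flow records are
constructed inline; in practice they would come from a packet capture or a
flow exporter that keeps the first payload bytes of each flow.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    nbytes: int     # bytes carried by the flow
    payload: bytes  # first bytes of the first data segment


# Protocol signatures. BitTorrent clients pick arbitrary ports (and are often
# configured to use 80/443 to slip past port-based filters), so the handshake
# and the bencoded DHT query prefix are the reliable markers, not the port.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
BT_DHT_QUERY = b"d1:ad2:id20:"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")
TLS_CLIENT_HELLO = b"\x16\x03\x01"


def classify_by_signature(flow: Flow) -> str:
    p = flow.payload
    if p.startswith(BT_HANDSHAKE) or p.startswith(BT_DHT_QUERY):
        return "bittorrent"
    if flow.proto == "tcp" and p.startswith(HTTP_METHODS):
        return "http"
    if flow.proto == "tcp" and p.startswith(TLS_CLIENT_HELLO):
        return "tls"
    if flow.dport == 53:
        return "dns"
    return "other"


def classify_by_port(flow: Flow) -> str:
    """The naive approach a router ACL implements; shown for comparison."""
    if flow.dport == 80:
        return "http"
    if flow.dport == 443:
        return "tls"
    if flow.dport == 53:
        return "dns"
    if 6881 <= flow.dport <= 6889:
        return "bittorrent"
    return "other"


def bandwidth_share(flows: List[Flow], classify=classify_by_signature) -> Dict[str, float]:
    """Percentage of total bytes per application class, rounded to 0.1."""
    total = sum(f.nbytes for f in flows)
    by_class: Counter = Counter()
    for f in flows:
        by_class[classify(f)] += f.nbytes
    return {app: round(100.0 * n / total, 1) for app, n in by_class.items()}


def top_talkers(flows: List[Flow], app: str, limit: int = 3) -> List[Tuple[str, int]]:
    """Source hosts generating the most bytes for one application class."""
    per_host: Dict[str, int] = defaultdict(int)
    for f in flows:
        if classify_by_signature(f) == app:
            per_host[f.src] += f.nbytes
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


# Constructed sample; byte counts chosen so that peer-to-peer traffic dominates
# in the proportion the article describes.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "203.0.113.7", "tcp", 6881, 450, BT_HANDSHAKE + b"\x00" * 8),
    Flow("10.1.5.20", "198.51.100.9", "udp", 51413, 50, BT_DHT_QUERY + b"A" * 20),
    Flow("10.1.7.9", "203.0.113.40", "tcp", 40123, 350, BT_HANDSHAKE + b"\x00" * 8),
    Flow("10.1.7.9", "203.0.113.41", "tcp", 80, 50, BT_HANDSHAKE + b"\x00" * 8),  # BT on port 80
    Flow("10.1.2.3", "192.0.2.10", "tcp", 80, 60, b"GET /index.html HTTP/1.1\r\n"),
    Flow("10.1.2.3", "192.0.2.11", "tcp", 443, 70, TLS_CLIENT_HELLO + b"\x00\xc0\x01"),
    Flow("10.1.2.3", "192.0.2.53", "udp", 53, 5, b"\x12\x34\x01\x00"),
    Flow("10.1.9.1", "192.0.2.22", "tcp", 22, 15, b"SSH-2.0-OpenSSH_7.9\r\n"),
]

if __name__ == "__main__":
    print("by signature:", bandwidth_share(SAMPLE_FLOWS))
    print("by port     :", bandwidth_share(SAMPLE_FLOWS, classify_by_port))
    print("top BT hosts:", top_talkers(SAMPLE_FLOWS, "bittorrent"))
```

On the sample, the signature classifier attributes 85.7% of bytes to BitTorrent while the port-based one sees only 42.9% and counts the BitTorrent flow on port 80 as web traffic, which is one reason port-based controls on routers tend to under-count peer-to-peer traffic.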


COVER STORY

Data Leakage and its impact on business

By Avirut Liangsiri, Enterprise Solution Manager/Senior Security Consultant, and Pramote Uthayochat, Security Engineer, Bay Computing Co., Ltd.


It is reported that 68 percent of organizations experience six losses of sensitive data annually, while another 22 percent encounter more than 22 data-leak incidents per year. What's more, 75 percent of Fortune 1000 companies have fallen victim to accidental and/or malicious data leakage. Data leakage is a very common problem in IT; it is an accident waiting to happen. Organizational data loss occurs daily through common channels like e-mail, for example sending a message to an unintended recipient, or to someone with the same name at a different company. The level of impact if the message is disclosed depends on the sensitivity of the message.


Identity theft is a crime in which criminal organizations or hackers illegally use another individual's identity, and it has become one of the fastest-growing crimes. Several countries have passed laws, and the card industry has issued a standard, the Payment Card Industry (PCI) standard, a collaborative effort by Visa, MasterCard and other credit card associations to safeguard customer information by mandating that financial institutions meet certain minimum standards. Furthermore, Australia has a new law that punishes service providers who fail to safeguard their customers' information.

Examples of case studies

• In 2005, Australia's Westpac was banned from trading in the stock market for one day as a punishment, because one of its employees accidentally sent an Excel file containing annual financial and profit reports to a financial analyst. This violated the rule that a company must publicly report its profit before disclosing the profit report to anyone.

• In January 2006, more than 240,000 Boston Globe and Worcester Telegram & Gazette subscribers were shocked to find their credit card data printed on the back of routing slips, which had been printed on reused paper by mistake.

• In March 2006, a computer hard disk containing top-secret U.S. military data was sold at a second-hand market in Afghanistan for 20 U.S. dollars. The disk contained personal mail, military records naming the soldiers trained in the nuclear, biological and chemical weapons program, and intelligence reports and sources in Afghanistan.

• In September 2006, TD Ameritrade, an online brokerage, suffered a data breach that stemmed from unauthorized code that allowed hackers to access its customers' names, e-mail addresses, home addresses and telephone numbers.

• In February 2007, DuPont, a large chemical company, sued a former employee who had downloaded more than 22,000 confidential trade documents and taken them with him to a competitor after working for DuPont for 10 years.

• In March 2007, in Carson County, Nevada, U.S., unknown hackers installed a keylogger on the city treasurer's computer, captured user names and passwords, and used this access to the online savings accounts to steal 450,000 U.S. dollars.

Causes and Solutions

Based on research conducted by CSI/FBI in 2006, 74% of financial losses are caused by virus attacks, unauthorized network access, stolen laptops and portable devices, and violations of intellectual property. 53% of survey respondents did not know what was stored on their USB thumb drive before it was stolen. 98% of data-leakage incidents are caused by accidents or stupidity.

Data leakage is most commonly caused by malware, because there are new threats every day, making it hard for security vendors to create protection against every virus, worm and Trojan. The House of Lords in England recently released a document which said that, according to a study of underground traffic data, 6,200 new viruses are discovered every day, only 28% of which can be detected and quarantined by anti-virus software at the time; one month later, 70% can be detected and quarantined.

Malware is becoming more and more sophisticated. For example, the worm known as Stratio, Stration or Warezov can update itself every 30 minutes to evade detection by anti-virus software. Other tricks include the use of eVade o'Matic, which modifies viruses to reduce the detection rate to 10% without harming the virus' capabilities.

In addition, hackers compete with one another to find vulnerabilities in operating systems and applications using fuzzing programs. These programs help hackers find vulnerabilities, more than 50% of which are found in web applications. Hackers exploit these vulnerabilities to attack systems and access internal data for financial and personal gain.

Proper protection against data leakage requires setting up:

• Data classification

• Policy to prevent data leakage at the level of:

  • Desktop, by preventing users from copying data to portable devices

  • Gateway (Web, e-mail, FTP, instant messaging), by examining data uploaded via Web or FTP, or sent through e-mail and instant messaging such as MSN Messenger or Yahoo Messenger

• Policy to manage data according to user responsibilities and types of data

• Identity management

• Policy for change control management and document management

• Policy for data leakage response

• Policy for regular data discovery
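As an added example of the gateway control in the list above (not code from the article or from any product named on this page), the following check inspects an outbound message for a classification label and for payment card numbers, validates candidate numbers with the Luhn check to avoid false positives, and decides whether to allow, quarantine or block the message. The company domain, addresses and messages are constructed; 4111 1111 1111 1111 is a well-known test card number.

```python
"""Outbound e-mail gateway DLP check (added example; constructed data).

Combines two of the controls the list calls for: a classification label on
the message and a content check for payment card numbers. The domain,
addresses and messages are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import List

INTERNAL_DOMAINS = {"example.co.th"}                  # hypothetical company domain
LABELS = ("RESTRICTED", "CONFIDENTIAL", "INTERNAL")   # highest sensitivity first

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so timestamps and long order numbers are not candidates).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit; rejects most random digit runs that match PAN_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return masked card numbers (first 6 + last 4 digits) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


@dataclass
class Verdict:
    action: str            # "allow", "quarantine" or "block"
    reasons: List[str]


def classify(msg: Message) -> str:
    """Most sensitive label mentioned in the subject or body, else PUBLIC."""
    text = (msg.subject + "\n" + msg.body).upper()
    for label in LABELS:
        if label in text:
            return label
    return "PUBLIC"


def external_recipients(msg: Message) -> List[str]:
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def check_outbound(msg: Message) -> Verdict:
    reasons: List[str] = []
    ext = external_recipients(msg)
    pans = find_pans(msg.body)
    label = classify(msg)
    if pans:
        reasons.append("card number(s) in body: " + ", ".join(pans))
    if ext and label in ("RESTRICTED", "CONFIDENTIAL"):
        reasons.append(f"{label} message addressed outside the company: " + ", ".join(ext))
    if pans and ext:
        return Verdict("block", reasons)       # cardholder data leaving the company
    if reasons:
        return Verdict("quarantine", reasons)  # hold for a human to review
    return Verdict("allow", reasons)


# Constructed sample messages.
SAMPLE_MESSAGES = [
    # A support agent pastes a customer's card into a mail to an outside supplier.
    Message("agent@example.co.th", ["billing@supplier.example"], "Refund request",
            "Please refund card 4111 1111 1111 1111 (order 1234 5678 9012 3456)."),
    # Quarterly results sent to the wrong John Smith, at another company.
    Message("cfo@example.co.th", ["john.smith@other-company.example"],
            "CONFIDENTIAL: Q4 results", "Draft numbers attached, not yet announced.",
            ["q4_results.xlsx"]),
    # Ordinary internal mail.
    Message("it@example.co.th", ["staff@example.co.th"], "Patch window tonight",
            "Workstations reboot at 22:00."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.subject, "->", check_outbound(m))
```

The order number in the first message matches the digit pattern but fails the Luhn check, so only the real card number is reported, masked; the second message is held rather than blocked because a label-based rule cannot tell a mistaken recipient from an authorized one.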

Bay Computing has tested Sanctuary Device Control (SDC), a solution that prevents data leakage and is used by more than 2,000,000 people in 1,700 organizations around the world. A summary of the solution follows:


Sanctuary Device Control secures endpoints and eliminates data loss through I/O devices such as USB removable storage, CD-RW, DVD-RW, wireless, LAN and so on. Administrators can link device policies to users, user groups and computers easily and flexibly, and enforcement can be specified in fine detail: for example, an administrator can assign read/write permissions to different files, set a usage period for each device, and specify separate permissions for online and offline operation. Wireless connections and modems can, for instance, be disabled in the office and enabled when users work from home.

Features

1. File access filter that reads file contents: even if a file has been renamed or its extension changed, the system still recognizes it. This sets Sanctuary apart from competitors that check only the file extension and therefore cannot detect a file whose extension has been changed.

2. Policy permissions for users, groups and computers, based on the existing directory

3. Shadow files: copies of the data written to devices

4. Device encryption using AES-256

5. Easy-to-read logs with ready-made templates that can be configured and customized. The logs also show when users read and modify files stored on devices.
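How the content-based file filter in feature 1 can work, as an added example that is not Sanctuary's code: the file type is decided from magic bytes and, for Office Open XML documents, from the zip member names, then compared with what the extension claims before a write to removable media is allowed. The policy, the signature table and the sample files are constructed; a renamed document is detected even though a signature table this short is of course not exhaustive.

```python
"""Content-based file type detection versus trusting the extension (added example).

Not Sanctuary's code: it shows the technique the feature describes, using
magic bytes and, for OOXML documents, the zip member names. Sample files are
built in memory.
"""
import io
import zipfile
from typing import Tuple

# (signature, type), tried in order; more specific signatures first.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ms-office-legacy"),  # OLE2: .doc/.xls/.ppt
    (b"MZ", "executable"),
    (b"PK\x03\x04", "zip"),                                       # also .docx/.xlsx/.pptx/.jar
]

EXTENSION_KINDS = {
    "pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
    "doc": "ms-office-legacy", "xls": "ms-office-legacy", "ppt": "ms-office-legacy",
    "docx": "docx", "xlsx": "xlsx", "pptx": "pptx", "zip": "zip", "exe": "executable",
}

# Constructed policy for writes to removable media: only images may leave the machine.
ALLOWED_ON_REMOVABLE = {"png", "jpeg", "gif"}


def _sniff_zip(data: bytes) -> str:
    """Distinguish Office Open XML from a plain archive by its member names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"   # truncated or corrupt, but still a zip container
    if "[Content_Types].xml" not in names:
        return "zip"
    for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind
    return "ooxml"


def sniff(data: bytes) -> str:
    """Type from content only; the file name is never consulted."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return _sniff_zip(data) if kind == "zip" else kind
    return "unknown"


def kind_by_extension(name: str) -> str:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXTENSION_KINDS.get(ext, "unknown")


def copy_allowed(name: str, data: bytes) -> Tuple[bool, str]:
    """Decide a write to removable media from the content, and explain the decision."""
    actual = sniff(data)
    claimed = kind_by_extension(name)
    note = f"{name}: content={actual}, extension={claimed}"
    if actual != claimed:
        note += " (MISMATCH)"
    return actual in ALLOWED_ON_REMOVABLE, note


def make_fake_docx() -> bytes:
    """Minimal in-memory OOXML container, enough for the sniffer (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16    # header only; constructed
PDF_SAMPLE = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"      # header only; constructed

if __name__ == "__main__":
    for name, data in [("holiday.jpg", make_fake_docx()),  # document renamed to look like a photo
                       ("cat.png", PNG_SAMPLE),
                       ("report.pdf", PDF_SAMPLE)]:
        print(copy_allowed(name, data))
```

Note that a zip-based format needs the whole file (the central directory sits at the end), so a filter that only reads the first few bytes can tell "zip container" from "image" but not "docx" from "jar"; the code falls back to the generic "zip" class in that case rather than guessing.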


1. I/O device management lists the details of the devices supported by Sanctuary, together with program status and licences.


Example of searching for client devices


2. The Explorer menu helps manage devices, for example adding a device that is connected to a client without having to search for it in the logs.

3. Device permissions are assigned by right-clicking a device and selecting one of the following permission types:

• Add/Modify Permissions: main permissions

• Add/Modify Online Permissions: permissions that apply while the client is connected to the server

• Add/Modify Offline Permissions: permissions that apply while the client cannot connect to the server

• Add Schedule: defines the period during which the device may be used

• Add Temporary Permissions: grants temporary access to a device for a defined period (can be granted offline and pushed to the client as an update)

• Add Shadow: creates shadow files, recording either file names only or names and contents

• Add Copy Limit: limits the amount of data that may be copied per day

• Add Event Notification: sends notifications to clients


Available permissions are: Read, Write, Encrypt, Decrypt, Export to file, Export to media, and Import.


Examples of file type filters are: Microsoft Office, archive files, entertainment files (pictures, music, etc.), and other file types.


4. Logs specify which user read or modified which files, when, and on which device.


Sanctuary is a world-standard data leakage protection and control system with so many useful features that not all of them can be described here. It is useful for every type of organization, especially those with a wide variety of users. For further information, please contact Bay Computing, Tel. 0-2962-2223.


SOLUTION UPDATE

PatchLink and VMS (Vulnerability Management Solution)

By Chaivit Pongjaroenchai, Senior System Engineer, Bay Computing Co., Ltd.


To support business growth, many organizations have been expanding their network systems and the number of their computers. Each organization brings in new technologies to speed up its systems in order to gain a competitive advantage and lead its field. With a huge number of computers and complex network systems, it is quite difficult to manage the risks that result from software vulnerabilities.

A Vulnerability Management System (VM) is used to proactively manage the risks arising from system vulnerabilities in real time. To do that, the VM scans for security holes and notifies the system administrators so they can apply a remedy, such as a patch, before an attacker, virus or other malware can exploit them.

Since a network contains many computers, it is hard for system administrators to patch each machine manually and keep up with the new vulnerabilities discovered every day. With the Patch Management that comes with the VM, patches are distributed and installed on many machines simultaneously within a short time, and this can be done with only two or three IT staff.

A Vulnerability Management Solution (VMS) is the integration of Vulnerability Management (VM) and Patch Management, enabling system administrators to detect system vulnerabilities and manage patches easily. However, there are only a few good VMS products on the market. Lumension is proud to say that it is the only vendor whose VMS offers full-service vulnerability management. It contains:

• Patchlink Scan, which is a part of the Vulnerability Management (VM) and contains the most extensive and updated Vulnerability Set, certified to the Common Criteria EAL2 standard



• Patchlink Update, which is a part of Patch Management and has been widely known for a long time. With the help of various software providers in the industry, Patchlink Update is the first and a leader in bringing in patches from the providers quickly and effectively.

• Patchlink Security Management Console allows both Vulnerability Management (VM) and Patch Management to run in the same console. Users can access and use both applications quickly and easily.

This strong combination of VM and Patch Management makes the vulnerability and patch database well covered and widely acknowledged by many organizations. Furthermore, Lumension's Vulnerability Management (VM) is very easy to use, because it has an automatic mechanism that groups related vulnerabilities together and maps the appropriate remedial patches from each software vendor to those vulnerabilities. This is why Lumension's Vulnerability Management Solution (VMS) is much more effective than any other VM provider and is used by organizations that need high levels of security, such as NASA and the U.S. Department of Defense.

Lumension's Vulnerability Management System features include:

• SafeScan : system scan without interrupting other parts of the network

• Auto Updating : on-demand system scan which can be scheduled daily, weekly or monthly

• Adaptive Scanning : set the type of scanning and control the user access level

• Comprehensive Coverage : search for and identify system vulnerabilities in network devices, such as routers, switches or printers

• Accurate Identification and Remediation : monitor system vulnerabilities and accurately identify remedial patches

• Comprehensive and Compliance Report : create and show standard/customized reports

• Remediation Recommendations : provide advice on patches for detected system vulnerabilities for consideration

If your company is looking for a solution that has “scan and patch” capability, both in one system, Lumension's Vulnerability Management Solution is the one tool that helps you achieve that. It lets you effectively manage and control all the risks arising from current system vulnerabilities.


SOLUTION UPDATE


By Tada Kijmartsuvun, CISSP, CISA, CCSP, Security+ and Kong Chantem, Engineer, Bay Computing Co., Ltd.

SIEM - Log data analysis at its best


These days network connections are available almost everywhere, which accelerates communications between PCs and individuals. However, these network systems need to have controls and security systems in place to protect them from potential harm. Network security updates change very fast due to new damaging threats, such as computer virus attacks that affect all network computers.

As a consequence, network systems need to rely on other devices to check for irregular activities and respond to security incidents. Moreover, the new Computer Crime Act B.E. 2550, which has just come out, forces many organizations to manage system security and monitor security incidents more closely than before.

To comply with the Act, these organizations must keep their traffic data logs for analysis. For a large organization, this could cost millions to achieve. Aside from that, they have to invest time in studying the technology and implementing it. However, in real situations, the system brings little value to daily operations. This is because of the lack of log normalization, correlation, analysis and reporting tools. Seeing this, some organizations are reluctant to make the investment.

As a matter of fact, these logs are all useful at some point. Organizations should know how to retain log data that is useful for analysis, for correlating events in real time and for creating reports; all of this data is beneficial for business operations. Furthermore, SIEM can help organizations handle the alerts and events which occur millions of times per day. It can also filter and prioritize these incidents so that a proper incident response can be conducted.

In this newsletter, we present research on a SIEM utilization study. SIEM (Security Information and Event Management) is the latest technology that combines SIM (Security Information Management) and SEM (Security Event Management). SIM is a data analysis system and can be used to create management and audit reports and to measure compliance with standards such as ISO17799/27001, SOX, BASEL II and PCI. SEM is a log retention and analysis system and can be used to examine and collect information on unusual activity in the network or application system.

For SIEM to work effectively, it has to integrate with other security devices. Integration with firewalls, IDS sensors, user identity systems such as AAA, LDAP and AD, and vulnerability scan data makes the system most effective and lets it respond to security incidents properly.

The log data is an invaluable resource for computer forensic analysis and can also be used as evidence in legal proceedings. Furthermore, log data retention is useful for internal auditing as well as for producing reports to comply with the Act and procedures.

SIEM consists of:

1. Log Consolidation - Central log retention with encryption, authentication and compression features, using a specialized database, which can be programmed to collect data from any network device.

2. Threat Correlation - Artificial intelligence system that examines log data for possible attacks in real time

3. Incident Management - Including a workflow system which responds to detected threats

• Notification - Email, SMS, Pager or notifying the Enterprise Manager, e.g. MOM, HP OpenView


• Trouble Ticket Creation - working with other call center applications, such as Remedy

• Automated responses - activated by executing scripts

• Response and Remediation logging

4. Reporting - monitor and check events against all policies, such as security policies and change management tasks, including the configuration-change log, standards compliance, efficiency improvement and computer forensics.
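Added example, not from the newsletter or from any SIEM product: a toy Python pipeline for the steps listed above, normalizing lines from a firewall, an IDS and an authentication server into one schema, correlating them per source/target pair, and ranking the result against vulnerability scan data as the article recommends. The log formats, hosts, signature name and scan results are all constructed for illustration.

```python
# Added example (not code from the newsletter or any SIEM vendor): a toy
# consolidate -> correlate -> prioritize pipeline on constructed log lines.
import re
from collections import defaultdict

# Constructed lines in three device-specific formats (firewall, IDS, auth).
RAW_LOGS = [
    "FW: 2008-02-19T09:00:01 ACCEPT src=10.0.0.7 dst=192.168.1.20 dport=445",
    "IDS: 2008-02-19T09:00:02 ALERT sig=SMB-EXPLOIT src=10.0.0.7 dst=192.168.1.20",
    "AUTH: 2008-02-19T09:00:05 FAIL user=admin src=10.0.0.7 host=192.168.1.20",
    "AUTH: 2008-02-19T09:00:06 FAIL user=admin src=10.0.0.7 host=192.168.1.20",
    "AUTH: 2008-02-19T09:00:07 OK user=admin src=10.0.0.7 host=192.168.1.20",
    "IDS: 2008-02-19T09:10:00 ALERT sig=SMB-EXPLOIT src=10.0.0.9 dst=192.168.1.30",
]
# Constructed vulnerability-scan result: target host -> unpatched findings.
SCAN_DATA = {"192.168.1.20": {"SMB-EXPLOIT"}, "192.168.1.30": set()}

LINE_RE = re.compile(r"^(?P<dev>\w+): (?P<ts>\S+) (?P<action>\S+) (?P<rest>.*)$")

def normalize(line):
    """Log consolidation: map one device-specific line onto a common schema."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: kept raw for forensics, not correlated
    kv = dict(f.split("=", 1) for f in m["rest"].split() if "=" in f)
    return {"device": m["dev"], "ts": m["ts"], "action": m["action"],
            "src": kv.get("src"), "dst": kv.get("dst") or kv.get("host"),
            "sig": kv.get("sig"), "user": kv.get("user")}

def correlate(events, scan=SCAN_DATA):
    """Threat correlation: group events by (source, target), score each group
    and return the incidents worst-first for incident management."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"])].append(e)
    incidents = []
    for (src, dst), evs in groups.items():
        sigs = {e["sig"] for e in evs if e["device"] == "IDS"}
        fails = sum(1 for e in evs if e["device"] == "AUTH" and e["action"] == "FAIL")
        login = any(e["device"] == "AUTH" and e["action"] == "OK" for e in evs)
        severity = 0
        if sigs & scan.get(dst, set()):
            severity += 3  # IDS alert matches an unpatched finding on the target
        elif sigs:
            severity += 1  # alert against a host the scan shows is not vulnerable
        if fails >= 2 and login:
            severity += 2  # repeated failures followed by success from one source
        if severity:
            incidents.append({"src": src, "dst": dst, "severity": severity, "events": len(evs)})
    return sorted(incidents, key=lambda i: i["severity"], reverse=True)
```

With the constructed input, the pair attacking the unpatched host ranks first (severity 5) and the alert against the patched host is demoted to severity 1, which is the prioritization the article describes.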

Source : A Practical Application of SIM/SEM/SIEM Automating Threat Identification, SANS Institute.

[Figure: RSA enVision features]

[Figure: RSA enVision Dashboard]

[Figure: RSA enVision Enterprise Dashboard]

[Figure: Event Explorer, for the system administrator to monitor events more clearly and flexibly]
