빅데이터로풀어보는보안전략 - Cuvix Information 1-2.pdf (Security Strategy Through Big Data; slide deck, 26 pages)
Kim Chang-oh | Consulting/Technical Director

Page 1 (cover)

Page 2

Security Strategy Through Big Data

Kim Chang-oh | Consulting/Technical Director, Blue Coat

Page 3

Growing complexity of what has to be managed

Business growth > more systems > more complex security configuration > new systems appear > more attack targets > more vulnerable targets

Page 4

Characteristics of modern security attacks

Intelligent strategy; financial motives and targets; attacks that persist over time rather than ending with a single event

Page 5

APT defence: myths and realities

Page 6

Web security threat trends – malware networks (malnets)

240%   year-on-year increase in malware
40%    of malware infections arrive through social networking sites
2/3    of all web attacks are delivered through malware networks (malnets)
1/142  search-engine results contain a link to malware
5,000  security threats faced by an enterprise every month

Page 7

How vulnerabilities are attacked

E-mail / messenger / SNS

Attacks on public web sites
* Social-engineering methods are used to create the vulnerability in the first place.

Page 8

Enterprise information security response measures

Security-hardened design
  Security by Design
  Privacy by Design
  Secure Coding / SDLC

Prior impact assessment
  Security Impact Assessment
  Privacy Impact Assessment
  Technology Impact Assessment

Continuous security management
  Risk Management, Governance, Compliance

Continuous development of security capability
  Education / Training
  Awareness / Campaign
  Security Team / Recruiting

Incident response readiness / strengthening the evidence base
  Forensic Readiness / Digital Forensics
  Business Continuity Plan, Disaster Recovery Plan

Stronger risk prediction and identification
  Breach Notification / Report
  Monitoring / Audit, Public Notice on Security Level

Intended outcomes: stronger predictability and accuracy; established security governance; stronger real-time response capability; stronger risk management and information assurance capability; stronger after-the-fact accountability (traceability).

Presenter notes: Information security response is essential from a risk-management standpoint. Security must be considered from the design stage, and response measures covering technology, policy and people must be prepared.
Page 9

Trends in the domestic (Korean) security market – share by category, 2011–2016 (percentages as charted)

Category                                               2011   2012   2013   2014   2015   2016
Communication                                          0.4%   0.4%   0.4%   0.5%   0.5%   0.5%
Governance & Compliance                                7.1%   7.5%   8.4%   9.3%  10.2%  11.0%
Auditing and Analyzing                                21.7%  21.6%  22.3%  23.0%  23.6%  24.1%
Technical (Network, System and Application) Security  70.8%  70.5%  68.9%  67.2%  65.7%  64.3%

Page 10

The golden time for security activity

Initial attack to compromise (84% within hours or less):
  Seconds 11%, Minutes 13%, Hours 60%, Days 13%, Weeks 2%

Initial compromise to discovery (78% take weeks or longer):
  Hours 9%, Days 11%, Weeks 12%, Months 62%, Years 4%

Attackers need hours; defenders typically need weeks or months to notice. The gap between the two timelines is the window in which monitoring and analytics have to act.

Page 11

What CISOs are thinking

Who did this to us?

How did they do it?

What systems and data were affected?

Can we be sure it is over?

Can it happen again?

Page 12

Responding to modern threats

TODAY'S ADVANCED THREAT LANDSCAPE

Page 13

2014 security keywords & ATP: Advanced Threat Protection

INTELLIGENT  VISIBILITY  ANALYTICS

Page 14

Big Data Security Analytics for Advanced Threat Protection

Integration Layer: Threat Intelligence | Big Data Security Analytics | Security Visibility

Security Visibility: full packet capture; Layer 2–7 indexing & classification
Big Data Security Analytics: visual insight; context, real-time awareness, alerts
Threat Intelligence: advanced malware detection; white/blacklists, sandboxing, feeds

Presenter notes:
Network Visibility – full packet capture; Layers 2–7 indexing; deep packet inspection; user-configurable, flexible parsing; session/app reconstruction; physical and virtual.
Big Data Security Analytics – situational awareness; context: normal/anomalous/dangerous; heuristic detection and correlation; inferential reporting; data-/behaviour-based predictive alerts; exception reporting; visual insight.
Threat Intelligence – real-time whitelists/blacklists across social/mobile/cloud/BYOD; Solera Cloud (proxied hash and IP/URL lookup); sandbox detonation, on-premises or cloud; user-defined external data sources; Solera Intelligence Community; automatic signature generation.
Page 15

Security Analytics and Advanced Threat Protection

Security Visibility
• Full packet capture
• Layers 2–7 indexing
• Deep packet inspection
• Session reconstruction
• Scalability and performance
• Single pane of glass

Presenter notes:
Network visibility:
• Full packet capture – you can only analyse what you have at your disposal.
• Layers 2–7 indexing – partial analysis, and metadata alone, isn't sufficient.
• Deep packet inspection – identifying which applications are active, and in what way, across your network.
• User-configurable, flexible parsing – you may have custom apps or protocols that you need to analyse.
• Session/app reconstruction – being able to turn the data into something you recognise.
• Physical and virtual – what's happening on the physical and on the virtual network.
Page 16

Security Analytics and Advanced Threat Protection

Security Visibility · Big Data Security Analytics

Big Data Security Analytics
• Heuristic detection
• Statistical analysis
• Inferential reporting
• Context-aware analysis
• IOCs & TTPs
• Visual insight

Presenter notes:
Big Data Security Analytics:
• Situational awareness – with analysis of the data you expand your awareness of what's going on.
• Context: normal/anomalous/dangerous – what happened before, during or after an alert? Is it normal, abnormal, or potentially dangerous?
• Inferential reporting – with added context, can you easily report on what is inferred?
• Visual insight – does it visually make sense? Would your pointy-haired boss get it?
• Data-/behaviour-based predictive alerts – with what we now know, can we make better decisions about what might happen?
• Exception reporting – if there are exceptions to the norm, we need to know.
• Heuristic detection and correlation – are we learning from our past and getting better at detecting in the future?
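Behaviour-based alerting of the kind the notes describe (is this normal, anomalous or dangerous?) can be shown with one statistical check over connection records. The following is an added example, not code from this deck or from Blue Coat/Solera: it runs over a constructed connection log and flags a source/destination pair whose inter-arrival times are frequent enough and regular enough to look like malware calling home. The log, the threshold values and the host names are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log for the example: (timestamp in seconds, source host,
# destination IP, bytes sent). host-a contacts 203.0.113.10 roughly every 60 s (a beacon
# with small jitter); host-b browses several destinations at irregular intervals.
CONNECTIONS = [
    (0, "host-a", "203.0.113.10", 512), (61, "host-a", "203.0.113.10", 520),
    (119, "host-a", "203.0.113.10", 508), (181, "host-a", "203.0.113.10", 515),
    (240, "host-a", "203.0.113.10", 511), (300, "host-a", "203.0.113.10", 509),
    (5, "host-b", "198.51.100.7", 4100), (9, "host-b", "198.51.100.8", 2200),
    (140, "host-b", "198.51.100.7", 9800), (141, "host-b", "198.51.100.9", 300),
    (290, "host-b", "198.51.100.7", 1200), (291, "host-b", "198.51.100.8", 800),
    (295, "host-b", "198.51.100.7", 700), (340, "host-b", "198.51.100.7", 650),
]


def interarrival_stats(timestamps):
    """Return (event count, mean gap, coefficient of variation) for a list of timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None      # too few events to say anything about regularity
    avg = mean(gaps)
    if avg <= 0:
        return len(ts), avg, None       # all events share one timestamp; no period exists
    return len(ts), avg, pstdev(gaps) / avg


def find_beacons(connections, min_events=5, max_cv=0.2):
    """Flag (src, dst) pairs with at least min_events connections whose gaps vary by
    less than max_cv (standard deviation / mean). Human browsing is bursty (high CV);
    a scheduled call-home is regular (low CV). Returns one dict per suspicious pair,
    most regular first."""
    by_pair = defaultdict(list)
    for ts, src, dst, _bytes in connections:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        count, period, cv = interarrival_stats(stamps)
        if count >= min_events and cv is not None and cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": count,
                             "period_s": round(period, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(CONNECTIONS):
        print(f"beacon candidate: {f['src']} -> {f['dst']} every ~{f['period_s']}s "
              f"({f['count']} connections, cv={f['cv']})")
```

Legitimate scheduled traffic (time sync, update checks) is just as regular as a beacon, so a low CV is an exception to report, not a verdict; the notes' "normal/anomalous/dangerous" distinction comes from adding context such as destination reputation and what the host did before and after.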
Page 17

Security Analytics and Advanced Threat Protection

Security Visibility · Big Data Security Analytics · Threat Intelligence

Threat Intelligence
• Real-time white/black lists
• Sandbox detonation
• On-premises or cloud-based
• External data enrichment
• Dynamic Intelligence Cloud
• Machine-learning architecture

Presenter notes:
Threat Intelligence – utilising what we know or have access to:
• Real-time whitelists/blacklists – if we know what it looks like, we should be able to safely let it in or protect against it.
• Across social/mobile/cloud/BYOD – intelligence is needed across all environments.
• Sandbox detonation – if we are not sure, let's blow it up and see what it looks like.
• On-premises/cloud – threat intelligence should support your security environment, whether on-premises or in the cloud.
• Automatic signature generation – if we find out something is bad, let's automate against it.
• External data enrichment – to be effective, we should be able to enrich our own data with outside threat intelligence.
Page 18

Integrated Advanced Threat Protection

Integration Layer: Threat Intelligence | Big Data Security Analytics | Security Visibility

Security ecosystem: context-aware security; adaptive security; enhance existing investments; integrated workflow automation

Presenter notes: Integrated Advanced Threat Protection doesn't replace what you've invested in; it actually makes those tools better, enhancing them, giving them the context they lack and the evidence they can't provide. As Gartner has indicated, context-aware security will be the only way to securely support our changing business and infrastructure during the next 10 years.
Page 19

Network forensics solution

[Diagram] Packet security tools 1–4 each report "Check", yet an unknown packet passes through all of them. When? Where? What? How? How long? Who? Target(s)? Nobody knows.

Network forensics: full packet capture → classify / extract / index → monitor / analyse → report / store. The raw data is stored as-is (the original packets), so any suspicious point or anomaly (for example malware) can be replayed later.

A network forensics solution makes it possible to examine packets that the existing security solutions did not detect or identify.
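The pipeline above (capture, classify/extract/index, keep the raw bytes, answer who/when/where/what, replay) can be made concrete with a small Layer 2–7 indexer. This is an added example, not code from this deck or from Blue Coat/Solera: it builds a few constructed Ethernet/IPv4/TCP frames (checksums deliberately left at zero), decodes the Layer 3/4 fields and the HTTP method, URI and Host where present, stores the raw frame next to its metadata, and answers attribute queries such as "who talked to data-drop.example and what did they send". The frames, addresses and host names are assumptions.

```python
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the example (IP and TCP checksums left at 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_http_request(payload):
    """Layer 7: pull method, URI and Host out of an HTTP/1.x request, or None if not HTTP."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), None)
    return {"method": parts[0], "uri": parts[1], "host": host}


def parse_frame(frame):
    """Layers 2-7: decode Ethernet, IPv4 and TCP headers and, where present, the HTTP request."""
    meta = {"l2": "ethernet", "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if meta["ethertype"] != ETHERTYPE_IPV4:
        return meta
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    meta.update(l3="ipv4", src_ip=socket.inet_ntoa(frame[26:30]),
                dst_ip=socket.inet_ntoa(frame[30:34]), proto=frame[23])
    if meta["proto"] != 6:
        return meta
    t = 14 + ihl                                      # start of the TCP header
    meta["sport"], meta["dport"] = struct.unpack("!HH", frame[t:t + 4])
    meta["l4"] = "tcp"
    payload = frame[t + (frame[t + 12] >> 4) * 4:]    # skip TCP header (data offset field)
    http = parse_http_request(payload)
    if http:
        meta.update(l7="http", **http)
    return meta


class PacketIndex:
    """Keeps every frame as raw bytes (for replay) plus an inverted index of its attributes."""
    def __init__(self):
        self.records = []                    # [(timestamp, metadata, raw frame)]
        self.postings = defaultdict(set)     # (attribute, value) -> set of record ids

    def add(self, ts, frame):
        meta = parse_frame(frame)
        rid = len(self.records)
        self.records.append((ts, meta, frame))
        for key, value in meta.items():
            self.postings[(key, value)].add(rid)
        return meta

    def query(self, **attrs):
        """Attribute-based access: records matching every given attribute, oldest first."""
        hits = None
        for key, value in attrs.items():
            ids = self.postings.get((key, value), set())
            hits = ids if hits is None else hits & ids
        return [self.records[i] for i in sorted(hits or ())]

    def sessions(self):
        """Flows seen so far, keyed by 5-tuple, with packet counts."""
        flows = defaultdict(int)
        for _ts, m, _raw in self.records:
            if m.get("l4") == "tcp":
                flows[(m["src_ip"], m["sport"], m["dst_ip"], m["dport"], "tcp")] += 1
        return dict(flows)


def build_demo_index():
    """Constructed traffic: a normal GET, an upload to a suspicious host, and a non-HTTP flow."""
    idx = PacketIndex()
    idx.add(1000, build_frame("10.0.0.5", "198.51.100.20", 51000, 80,
                              b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    idx.add(1001, build_frame("10.0.0.5", "203.0.113.44", 51001, 80,
                              b"POST /upload HTTP/1.1\r\nHost: data-drop.example\r\n\r\nSECRET"))
    idx.add(1002, build_frame("10.0.0.9", "198.51.100.21", 51002, 443,
                              b"\x16\x03\x01\x00\x05hello"))
    return idx


if __name__ == "__main__":
    idx = build_demo_index()
    for ts, meta, raw in idx.query(host="data-drop.example"):
        print(ts, meta["src_ip"], meta["method"], meta["uri"], "raw bytes kept for replay:", len(raw))
```

The third frame shows the practical limit: a session that is not plaintext yields only Layer 2–4 attributes, so Layer 7 indexing of what crossed the wire depends on the capture point seeing the application data in the clear.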

Page 20

Network forensics – SA (Security Analytics)

Integration: suspicious activity has to be picked out of millions of data elements, and the important incidents distilled from the many merely suspicious ones. In security breach cases, enterprises failed to find the evidence because of data overload, even though clear evidence of the intrusion existed.

Analytics / Security Intelligence:
• Analyse all related data
• Intelligently capture the signs of a problem
• Use the analysed information for proactive prevention

Capabilities: real-time monitoring; root-cause analysis; Layer 2–7 analysis; application classification; correlation analysis; coverage of both pre-exploit and post-exploit activity.

Page 21

Blue Coat's network forensics solution – SAP

Page 22

Blue Coat's network forensics solution (SAP: Security Analytics Platform)

1. The WebThreat BLADE inspects all web traffic and identifies malicious communications.
2. The FileThreat BLADE identifies known-good and known-bad files.
3. If there is no clear verdict, the suspicious file is delivered to the MalwareAnalysis BLADE.

Page 23

Solera is the Security Camera for your Network

• DPI classification of over 1,800 applications and thousands of meta attributes
• On-the-wire, file-level visibility and analysis of data exfiltration and malware infiltration
• Context enrichment, including reputation, user and social personas
• Attribute-based packet, report and artifact access
• Real-time navigation of 100s of GBs of data in seconds, 100s of TBs in minutes
• Records, classifies and indexes all packets and flows at up to 10 Gbps per instance

Providing real-time analysis and full visibility of everything going in and out of your network.

How do we do what we do?

Presenter notes: So how do we do what we do? Think of Solera Networks as a security camera for your network. It is very similar to how a bank works. A bank has lots of locks and lots of safes. It has doors with sophisticated entry and locking systems. It even has armed guards. But at the end of the day, the bank knows that, despite all of that, robbery attempts will be made, and it doesn't know how an attempt will be made. So the bank has cameras everywhere, and when something happens it can replay the tape and see the details of the robbery. We are similar to that. We let you play back the tape and show everything that has happened going in and out of your network, because you have a 24/7, full-fidelity recording of everything. So that you have clear answers to all those tough questions, we record, classify, index and replay all packets, flows, files and applications, from layer 2 to layer 7. We give you visibility of malicious infiltration, advanced malware, data exfiltration, all the bad things going in and out of your network. We leverage very actionable, context-aware intelligence and forensics capabilities. We provide comprehensive situational awareness, enrichment and context for data flows, and warehousing of all the raw network data for clear evidence when it is needed. Of course, none of this would be worth much to you if it wasn't accessible, flexible and cost-effective. That's why we've focused on making the technology easy to deploy and easy to operate.
Page 24

Multi-layer malware analysis flow

1. ProxySG consults the WebPulse Global Intelligence Network for every request to the Internet.
   Known malicious site / malnet / malware: BLOCK.
   Not from a known malicious site / malnet: ALLOW, with further inspection.
2. The Content Analysis System checks the downloaded content against the application whitelist.
   On the whitelist: ALLOW DELIVERY.
   Not on the whitelist: send to the malware signature databases.
3. Malware signature databases.
   Malicious: ALERT and block.
   Not in the malware signature databases: allow further inspection.
4. Sandbox (Blue Coat Malware Sandbox or a non-Blue Coat sandbox) detonates the unknown file.
   Malicious: UPDATE & ALERT (the verdict feeds back to the signature databases so the next copy is caught at step 3).
   Not malicious: delivered.
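The flow on pages 22 and 24 (reputation check, whitelist, signature match, sandbox detonation, then alert and update) as an added example, not code from this deck or from Blue Coat. The malnet list, hash whitelist, signature database and file contents are constructed; `toy_detonate` is a stand-in for a real sandbox, which would execute the sample and observe its behaviour rather than match strings; feeding the sandbox verdict back into the signature database is this example's reading of the diagram's UPDATE & ALERT path.

```python
import hashlib

# Constructed intelligence for the example (stand-ins for WebPulse, the CAS application
# whitelist and the malware signature databases in the diagram).
KNOWN_MALNETS = {"malnet.example", "203.0.113.66"}
KNOWN_GOOD = b"MZ" + b"\x00" * 14 + b"trusted-installer-v1"
KNOWN_BAD = b"MZ" + b"\x00" * 14 + b"cmd.exe /c del /q /s C:\\"
SUSPICIOUS_STRINGS = (b"powershell -enc", b"cmd.exe /c", b"vssadmin delete shadows")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def toy_detonate(content):
    """Stand-in for sandbox detonation; a real sandbox runs the sample and watches what it does."""
    for marker in SUSPICIOUS_STRINGS:
        if marker in content:
            return f"suspicious behaviour: {marker.decode()}"
    return None


class MalwareAnalysisFlow:
    def __init__(self, malnets, whitelist, signatures, sandbox=toy_detonate):
        self.malnets = set(malnets)
        self.whitelist = set(whitelist)        # sha256 digests of known-good content
        self.signatures = dict(signatures)     # sha256 digest -> signature name
        self.sandbox = sandbox
        self.alerts = []

    def inspect(self, source_host, content):
        """Run one download through the four stages; report which stage decided, and why."""
        # Stage 1: proxy reputation check (ProxySG / WebPulse). Known-bad origin: block outright.
        if source_host in self.malnets:
            return self._verdict("BLOCK", "reputation", f"known malicious site/malnet: {source_host}")
        digest = sha256(content)
        # Stage 2: Content Analysis System whitelist. Known-good hash: deliver, no further work.
        if digest in self.whitelist:
            return self._verdict("ALLOW", "whitelist", "hash on application whitelist")
        # Stage 3: signature databases.
        if digest in self.signatures:
            return self._verdict("BLOCK", "signature", self.signatures[digest], alert=True)
        # Stage 4: no clear verdict, so detonate in the sandbox.
        reason = self.sandbox(content)
        if reason:
            # UPDATE & ALERT: remember the hash so the next copy is stopped at stage 3.
            self.signatures[digest] = f"Sandbox:{reason}"
            return self._verdict("BLOCK", "sandbox", reason, alert=True)
        return self._verdict("ALLOW", "sandbox", "no malicious behaviour observed")

    def _verdict(self, verdict, stage, reason, alert=False):
        result = {"verdict": verdict, "stage": stage, "reason": reason}
        if alert:
            self.alerts.append(result)
        return result


def build_demo_flow():
    return MalwareAnalysisFlow(KNOWN_MALNETS, {sha256(KNOWN_GOOD)}, {sha256(KNOWN_BAD): "Trojan.Demo"})


if __name__ == "__main__":
    flow = build_demo_flow()
    unknown = b"MZ" + b"\x00" * 14 + b"powershell -enc SQBFAFgA"
    for host, data in [("malnet.example", b""), ("cdn.example", KNOWN_GOOD),
                       ("cdn.example", KNOWN_BAD), ("cdn.example", unknown),
                       ("mirror.example", unknown)]:
        r = flow.inspect(host, data)
        print(f"{host:16} {r['verdict']:5} at stage {r['stage']:10} ({r['reason']})")
    print(len(flow.alerts), "alerts raised")
```

Running the same unknown file twice shows the point of the update path: the first copy costs a detonation, the second is stopped by the cheaper signature lookup. The whitelist is checked before the signatures so that content already trusted never reaches the expensive stages, which is also why whitelist entries must be exact hashes rather than names.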

Page 25

ATP (Advanced Threat Protection) strategy

CAS

Page 26

Advanced Threat Protection that unifies Big Data Security Analytics, Threat Intelligence and Security Visibility

What we deliver

Presenter notes: What we deliver, we believe, is Advanced Persistent Security. It's always there. It's always on. It's always looking. It's always capturing, indexing and giving you context, insight and visibility to help you see and understand what to look for and what to look at.