Infosec cert service


DESCRIPTION

From my journey to SK Telecom, Seoul, Korea - May 2013.


MSS


Company Summary

Name: Infosec
CEO: Shin Soojung
Domains: Security Consulting; Security System Integration; Security Monitoring & Management; Professional Service
Period: Jun, 2000 ~ Present (13 yrs)

Infosec is an affiliate company of SK C&C and a total security service provider, providing security consulting, security system integration, and security monitoring and management.

Organization

CEO
MSS Biz HQ
Sales HQ
Solution Biz HQ
Consulting Biz HQ
Management Support HQ
Security Lab.
860 employees (May 1st, 2013)

Products

Mobile Device Mgmt.
Private Information Scanner
Private Information Transfer Control

Sales (USD)

Years | 2012 | 2011 | 2010
Consulting | 14,575,000 | 13,048,000 | 10,792,000
SI | 53,190,000 | 53,449,000 | 37,631,000
MSS | 33,204,000 | 21,519,000 | 14,525,000
Total | 100,969,000 | 88,016,000 | 62,948,000
Growth (%) | 14.7 | 39.8 | 45.9


Prevention
Platforms: Windows, Linux, UNIX, CISCO S/W, Juniper, Cisco
- OS Configuration Check
- FW ACL Review
- Web Application Vulnerability Check
- Port Scanning w/ NMAP
- Scanners (IBM AppScan)
- Professionals

Management & Monitoring
Systems: Firewall, IPS, Anti-DDoS, WAF
- 24*7 Health Check
- ACL Control
- Report
- 24*7 Security Event Monitoring

Incident Analysis
- Infected System Investigation (File System, Registry / Log, Process, Memory)
- Malicious Code Review (Dynamic Analysis, Static Analysis)
- Security Audit Trail Review (Security Events, System/Web Log, IE Cache History, Registry)
- 24*7 Incident Handling (Alerting & Access Control)
- Dedicated Professionals

SK Infosec provides full coverage of managed security service in Korea: prevention, management, monitoring, and incident handling.


Organization (CERT Center) R&R

ITEM | R&R
PM | Project Management / Service Delivery
Top-CERT | Cyber Forensic
Site Manager | Follow up Customer Requirements; SPOC (Single Point Of Contact)
Dedicated CERT | Apply security policies; 1st line support when breaches occur; Periodic report about the security situation
CERT | 2nd line support when dedicated CERT failed; Veterans in analyzing incidents (at least 7 years' experience); Find zero-day exploits and figure out countermeasures
Monitoring | 24H*365D real-time monitoring; 4 teams / 2 teams a day
Penetration Tester | White-hat hackers; Simulated hacking and pointing out vulns.
Security Engineer | Install and maintain security systems; Technical review of network architecture from the viewpoint of security

CERT organization chart
MSS Biz HQ: Cho Raehyun
MSS Biz Team: Lee Jaewoo
CERT Team / PM: Son Youngwoo
Roles: Monitoring, Penetration Tester, System Manager, Security Engineer, Site Manager, Top-CERT, System Developer, Dedicated CERT


Incident handling flow
1. Detect incident (customer's suspicious event)
2. Prior attacker IP block
3. Send incident alerting message to customer
4. Attacker IP block
5. Send abuse notification to attacker-side ISP
6. Release blocked IP

Attacker IP block criteria
- IP address boundary (ex: from China)
- Event list (ex: /etc/passwd scanning)
- Time base (ex: night time, 18:00 ~ next day 09:00)
- No agreement of block and notice
- When the customer orders to block the attacker IP

Release blocked IP
- Release the blocked IP address one month later
- Because dynamic IP addresses are in use, the address may no longer be malicious and may belong to a customer

When an incident is detected and verified, SK Infosec alerts the customer via e-mail and SMS.

If the customer has agreed to the block-and-notice process, SK Infosec will block the attacker IP on the firewall prior


In-house ESM detects incidents from security events according to ISMM (Infosec Security Monitoring Methodology), SK Infosec's own monitoring methodology.

Security Incident | Detected incident with its event name, count, src IP, dest IP, and status
Detail Info. | Incident is expanded with its detail information to check whether it is a true or false positive
Response | Who deals with this incident and whether alerting was sent to the customer and the attacker's ISP

ISMM: Infosec Security Monitoring Methodology
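The two slides above describe the same pipeline from two sides: the ESM folds raw security events into incident rows (event name, count, src IP, dest IP, status), and the CERT then applies the attacker-IP block criteria and the one-month release rule. The following is an added example written for this page, not SK Infosec's ESM or any of its code; it generalizes the slides into a small rule engine. The event lines, the IP-to-country map, the country and event lists, and the reading that without a block-and-notice agreement only an explicit customer order leads to a block are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample security events: timestamp|event name|src IP|dst IP
# (documentation address ranges, not real customer data)
SAMPLE_EVENTS = """\
2013-05-10 02:14:05|/etc/passwd scanning|203.0.113.7|198.51.100.20
2013-05-10 02:14:09|/etc/passwd scanning|203.0.113.7|198.51.100.20
2013-05-10 02:15:30|/etc/passwd scanning|203.0.113.7|198.51.100.20
2013-05-10 11:02:11|HTTP GET|192.0.2.55|198.51.100.20
2013-05-10 23:40:00|SQL injection attempt|192.0.2.88|198.51.100.21
"""

# Constructed IP-to-country lookup standing in for a GeoIP database (assumption)
GEO = {"203.0.113.7": "CN", "192.0.2.55": "KR", "192.0.2.88": "US"}

# Block criteria named on the slide: IP address boundary, event list, time base
BLOCK_COUNTRIES = {"CN"}
BLOCK_EVENTS = {"/etc/passwd scanning"}
NIGHT_START, NIGHT_END = 18, 9          # night time: 18:00 ~ next day 09:00
RELEASE_AFTER = timedelta(days=30)      # "release blocked IP address one month later"


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


@dataclass
class Incident:
    """One ESM incident row: event name, count, src IP, dest IP, status."""
    event: str
    src: str
    dst: str
    count: int = 0
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    status: str = "new"


def aggregate(raw: str) -> list[Incident]:
    """ESM-style correlation: fold raw events into incidents keyed by (event, src, dst)."""
    table: dict[tuple[str, str, str], Incident] = {}
    for line in raw.strip().splitlines():
        ts, name, src, dst = line.split("|")
        when = parse_ts(ts)
        inc = table.setdefault((name, src, dst), Incident(name, src, dst))
        inc.count += 1
        inc.first_seen = when if inc.first_seen is None else min(inc.first_seen, when)
        inc.last_seen = when if inc.last_seen is None else max(inc.last_seen, when)
    return list(table.values())


def is_night(t: datetime) -> bool:
    return t.hour >= NIGHT_START or t.hour < NIGHT_END


def block_reasons(inc: Incident, customer_agreed: bool, customer_ordered: bool = False) -> list[str]:
    """Criteria from the slide that justify blocking inc.src; [] means monitor only.
    Assumption: without a block-and-notice agreement, only an explicit customer order blocks."""
    if not customer_agreed:
        return ["customer order"] if customer_ordered else []
    reasons = []
    if GEO.get(inc.src) in BLOCK_COUNTRIES:
        reasons.append("ip boundary")
    if inc.event in BLOCK_EVENTS:
        reasons.append("event list")
    if is_night(inc.last_seen):
        reasons.append("time base")
    if customer_ordered:
        reasons.append("customer order")
    return reasons


class BlockList:
    """Firewall block entries with the automatic one-month release from the slide."""

    def __init__(self) -> None:
        self.entries: dict[str, datetime] = {}  # ip -> release time

    def block(self, ip: str, now: datetime) -> None:
        self.entries[ip] = now + RELEASE_AFTER

    def release_due(self, now: datetime) -> list[str]:
        """Remove and return entries whose month has passed (the address may now be a customer's)."""
        due = [ip for ip, until in self.entries.items() if until <= now]
        for ip in due:
            del self.entries[ip]
        return due


def run(raw: str = SAMPLE_EVENTS, customer_agreed: bool = True):
    """One monitoring pass: incidents, the block decision per incident, and the resulting block list."""
    incidents = aggregate(raw)
    blocks = BlockList()
    decisions = {}
    for inc in incidents:
        reasons = block_reasons(inc, customer_agreed)
        decisions[(inc.event, inc.src)] = reasons
        if reasons:
            blocks.block(inc.src, inc.last_seen)
            inc.status = "blocked; customer alerted (e-mail/SMS); abuse notice to attacker-side ISP"
        else:
            inc.status = "monitoring"
    return incidents, decisions, blocks


if __name__ == "__main__":
    incidents, decisions, _ = run()
    for inc in incidents:
        print(inc.event, inc.src, inc.count, inc.status, decisions[(inc.event, inc.src)])
```

The release step matters operationally: a block list that only grows will eventually deny a legitimate customer whose ISP reassigned a previously abusive dynamic address, which is exactly the reason the slide gives for the one-month release.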


APT is one of the big trends in the security world. SK Infosec binds IPS signatures to a malware analyzing tool and provides zero-day exploit detection.

Collect Malicious Code: Event detected (IBM Proventia); URL collection; Malicious code download (from event URLs); File transfer
Store Malicious Code: Malicious code storage
Analyze Malicious Code: Multi-AV scan; Malicious code analysis & detection
Report Malicious Code: Reporting to ESM; Block in FW


Two types of service will be provided. For an IPS monitoring service customer, when an attack has occurred, SK Infosec checks the victim system to investigate the extent of damage. For a potential customer, SK Infosec checks whether the system is infected or not.

Step | Process | Investigation Item
1 | Initial stage | Environmental info.; System process; Network situation
2 | Victim system investigation | Attack scenario; Time-line analysis; Investigation tools; Infected files
3 | Log file analysis | Event log; System log; Web log; Security equipment log
4 | Report and feedback | Incident handling report; Root cause; Design countermeasure; Recommendation

Investigation items by category

Type | Category | Item
Volatile Data | System Info | Date, System Config, Environmental
Volatile Data | User | Login info, Users, User activity
Volatile Data | Network | Network connection, ARP, Interface info
Volatile Data | Process | Process List, Handle / dll, Services
Non-Volatile Data | File System | Event log, File attribute, MACTIME
Non-Volatile Data | Registry | Registry Dump, Autorun, Key creation time
Non-Volatile Data | Weblog | Web attack keyword, Webshell execution keyword
Non-Volatile Data | Webshell | Webshell keyword, Encoding keyword
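The last two non-volatile categories in the table, Weblog and Webshell, are keyword reviews: web-attack and webshell-execution keywords in the web server log, and webshell and encoding keywords in files under the web root. The following is an added example for this page, not SK Infosec's investigation tooling; the access-log lines, the web-root files and the keyword lists are constructed, and the keyword lists stand in for whatever in-house pattern a CERT maintains. It also cross-checks the two categories, reporting a flagged file only when the log shows it being requested with an execution keyword, which is the kind of evidence the step 2 attack scenario and time-line rest on.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log (documentation address ranges, not real data)
SAMPLE_WEB_LOG = """\
203.0.113.9 - - [10/May/2013:02:14:05 +0900] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512
192.0.2.10 - - [10/May/2013:09:31:12 +0900] "GET /news/list.php?id=12 HTTP/1.1" 200 8813
203.0.113.9 - - [10/May/2013:02:20:41 +0900] "POST /upload/img_20130510.php?cmd=whoami HTTP/1.1" 200 77
192.0.2.11 - - [10/May/2013:10:02:50 +0900] "GET /board/view.php?no=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0
"""

# Constructed web-root files: path -> content
SAMPLE_FILES = {
    "/var/www/html/news/list.php": "<?php include 'db.php'; $rows = query('SELECT title FROM news'); ?>",
    "/var/www/html/upload/img_20130510.php": "<?php eval(gzinflate(base64_decode($_REQUEST['z']))); ?>",
    "/var/www/html/board/view.php": "<?php echo htmlspecialchars($_GET['no']); ?>",
}

# Constructed keyword lists for the four items in the table (assumption: a CERT keeps its own)
KEYWORDS = {
    "web attack": [r"\.\./", r"/etc/passwd", r"union\s+select", r"<script"],
    "webshell execution": [r"[?&](cmd|exec|command)="],
    "webshell": [r"\beval\s*\(", r"\b(system|passthru|shell_exec|popen)\s*\("],
    "encoding": [r"base64_decode\s*\(", r"gzinflate\s*\(", r"str_rot13\s*\("],
}
COMPILED = {cat: [re.compile(p, re.I) for p in pats] for cat, pats in KEYWORDS.items()}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_web_log(raw: str) -> list[dict]:
    """Weblog category: URL-decode each request and match web-attack and webshell-execution keywords."""
    findings = []
    for line in raw.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: leave it for manual review
        url = unquote(m["url"])           # decode %27, %20 ... before matching
        hits = [cat for cat in ("web attack", "webshell execution")
                if any(p.search(url) for p in COMPILED[cat])]
        if hits:
            findings.append({"src": m["src"], "ts": m["ts"], "url": url, "categories": hits})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Webshell category: match webshell and encoding keywords in web-root file contents."""
    findings = []
    for path, content in files.items():
        hits = [cat for cat in ("webshell", "encoding")
                if any(p.search(content) for p in COMPILED[cat])]
        if hits:
            findings.append({"path": path, "categories": hits})
    return findings


def executed_webshells(log_findings: list[dict], file_findings: list[dict],
                       web_root: str = "/var/www/html") -> list[str]:
    """Cross-check: flagged files that the log also shows being requested with an execution keyword."""
    flagged = {f["path"][len(web_root):] for f in file_findings if f["path"].startswith(web_root)}
    executed = set()
    for f in log_findings:
        path = f["url"].split("?", 1)[0]
        if "webshell execution" in f["categories"] and path in flagged:
            executed.add(path)
    return sorted(executed)


if __name__ == "__main__":
    logs, files = scan_web_log(SAMPLE_WEB_LOG), scan_files(SAMPLE_FILES)
    for f in logs + files:
        print(f)
    print("executed webshells:", executed_webshells(logs, files))
```

Decoding the URL before matching is the part most often skipped: the UNION SELECT in the fourth log line is only visible after the percent-encoding is removed, and a review that matches on the raw line misses it.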


Availability Check

Coverage
- Security Systems
- IT Assets agreed on SOW

Checking Criteria
- 24H*365D Monitoring
- Basically, an ICMP health check is provided
- If needed, Infosec provides a service check based on ports

Tools
- Infosec develops an in-house NMS using an open source NMS (Nagios)

Function | Comments | Notes
Alive-Check | ICMP and service port check | Developed in Jun. 2011; internal test in Sept. 2011; applied on customer site in Oct. 2011
Threshold Mgmt. | Traffic, CPU, memory check via SNMP; provides warning | Network equipment
Log Analyze | Analyze error logs from security systems |
Customer Report | Monitoring tool and automated SMS report |
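The first two functions in the table, the alive-check and threshold management, are the core of any NMS cycle. The following is an added example for this page, not SK Infosec's in-house NMS and not Nagios code; it implements the service-port half of the alive-check as a TCP connect with a timeout and the threshold check as a Nagios-style OK / WARNING / CRITICAL grading. ICMP needs raw sockets, so it is left to the NMS itself (Nagios ships check_ping and check_tcp plugins for the two checks). The loopback listener, target names and metric values are constructed for the demo.

```python
import socket
import threading
from dataclasses import dataclass


@dataclass
class Target:
    name: str
    host: str
    port: int


def check_tcp_service(host: str, port: int, timeout: float = 2.0) -> bool:
    """Service-port check: True if a TCP handshake completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:               # refused, unreachable, or timed out
        return False


def check_threshold(value: float, warn: float, crit: float) -> str:
    """Threshold management: grade a utilisation value (e.g. CPU %, memory %, link %)."""
    if value >= crit:
        return "CRITICAL"
    if value >= warn:
        return "WARNING"
    return "OK"


def run_checks(targets: list[Target], metrics: dict[str, float],
               warn: float = 70.0, crit: float = 90.0) -> dict:
    """One monitoring cycle: alive state per target plus a threshold state per metric."""
    alive = {t.name: "UP" if check_tcp_service(t.host, t.port) else "DOWN" for t in targets}
    levels = {name: check_threshold(v, warn, crit) for name, v in metrics.items()}
    return {"alive": alive, "thresholds": levels}


def start_demo_listener():
    """Constructed stand-in for a monitored service: a TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:       # listener closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Check one live (constructed) service and one closed port, with constructed SNMP-style metrics."""
    srv, port = start_demo_listener()
    targets = [Target("fw-demo", "127.0.0.1", port), Target("ips-demo", "127.0.0.1", 1)]
    metrics = {"fw-demo cpu": 45.0, "fw-demo mem": 82.5, "ips-demo traffic": 97.0}
    try:
        return run_checks(targets, metrics)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

A port check only proves that something accepts connections; for a firewall or IPS that is enough to raise a DOWN alert quickly, while a missed SNMP poll or a CRITICAL threshold is the signal to look before the device actually fails.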


- Name of event (trouble)
- Who, when, how, and why the event was handled
- Detail information of the event
- Simple troubleshooting procedure


Web hacking occupies 90% of attacks. In order to get control of the victim, hackers use web-shells and then insert script code in web pages to dispense malware to clients.


W-MDS
- Monitoring the homepage and ad-pages for whether malware is inserted or not
- In-house pattern (our experience)
- Filter: obfuscation
- Appliance system
- At least 1 time per 2 hours
- Recursive checking
- Indicate actual link


SK Infosec provides a monthly report with an automated system to avoid human errors, but the executive summary is written by security experts.

Item | Content | Note
Executive summary | Security experts' opinion about the site situation and recommendations |
Event trend by day | Detected event count by day, diagram and table |
Event trend by severity | Detected event count by severity, diagram and table |
Top 10 events | By event name, attacker's IP, and victim's IP | Including event description


Intelligence Gathering

Industry cooperation: SK-NET, Mobile/Wireless, Financial Sector
BMT (analyzing and testing); Information sharing (back-line support)
u-CERT Center
ISP / IDC: Malware information gathering; Sharing analyzed information
Consulting HQ; China
ISCM, IVHM, IPPM
Site Manager / CISO: Security planning (proactive); Security trend support; Compliance issues; Provide security info.
Monitoring by ISMM: Prevention; Detection
Customer
SEOCHO T-Tower