Cyber Defence through an organizational and technological model
Cap. tlm Valerio Visconti, Head of the Logical Security Unit (S.O.C.)
Comando Generale CC - III Rep. CESIT, Viale Romania, 45 - May 2015
AGENDA
- Evolution of threats
- Evolution of strategies
- New challenges for Cyber Security
- SOC Management System
- Incident Handling
- Security Intelligence
Evolution of threats - increasingly hostile scenarios
- Increased Volume: targeted threats increased by 91% in 2013
- New Threats: threats such as mobile botnets have emerged
- Evasion: threats are better designed to evade detection
- More Professional: well resourced, highly capable groups
Evolution of strategies
Comando Generale dell'Arma dei Carabinieri
Threat drivers: Increased Volume, New Threats, Evasion, More Professional
Goal: create an INTELLIGENCE-BASED decision making and response advantage
- Focus & prioritization
- Proactive actions
- New forms of protection
- Rapid & efficient response
New challenges for Cyber Security
- Escalating Threat Landscape: targeted attacks, more data at risk, Internet of everything, disguised attacks
- Large Complex Environments: multiple products, thousands of servers, multiple endpoints, lack of talent
- Advanced Adversaries: well funded, nation states, country sponsored, underground market
- Expanded Attack Surface: mobile protection, BYOD, cloud infrastructure, Internet of everything
HOW DO WE IDENTIFY AND PRIORITIZE THREATS THAT ARE CONSTANTLY INCREASING?
HOW DO WE MAKE THE BEST USE OF OUR OWN RESOURCES AND CAPABILITIES TO PROTECT THE ORGANIZATION?
HOW CAN I MEASURE AND DEMONSTRATE THE VALUE OF SECURITY SPENDING?
HOW DO WE RESPOND RAPIDLY TO AN INCIDENT IN ORDER TO CONTAIN ITS IMPACT AND PROCEED WITH RECOVERY?
SOC Management System - Security framework
- Technology Solutions
- Industry and best practices alignment
- First-in-class reference model
- DLP Program
- Training & Awareness
SOC Management System - Model based on best practices
SOC Standard & Best Practice, by area:
- Technology
- Services Catalog: CMU HB 001, CMU HB 002, CMU TR 001, RFC 2350, NIST SP 800-61, CMU TR 015, ISO 18044, ISF
- Organization: COBIT 4.0, ISO 27002:2006, ISO 1335:2004, ISO 18044, ITIL
- Processes: COBIT 4.0, ISO 27002:2006, NIST SP 800-61, CMU TR 015, ITIL
- Roles & Responsibilities: COBIT 4.0 (RACI), ISO 17799:2005
- Quality & Maturity: ISO 21827 (CMM), COBIT 4.0, ISM3
SOC Management System - Service catalog
- Incident Handling: Identification, Classification, Notification; Containment; Eradication; Incident Recovery; Post Mortem Analysis
- Proactive: Real-time monitoring, Security Audit, Security Intelligence, Reporting, Risk Assessment
- Governance: Training, Policy Definition
Incident Handling process
Preparation -> Identification -> Classification -> Notification -> Containment -> Eradication -> Incident Recovery -> Post Mortem Analysis
Source: Symantec SOC Management System
Technical Model Architecture
- Compliance and Risk Management
- Proactive Security
- Security Operation Center
- Vulnerabilities and Configurations
- Security Management
- Real Time Threat Monitoring
- Threat Monitoring
- Incident Handling
- Security Intelligence
Security Intelligence
New Investments: Global Data Collection, Big Data Analysis
Signals (Global Sensor Network): DeepSight, Attack Quarantine System, Malware Protection Gateways, Phishing Detections, 3rd Party Affiliates, Data Feeds
Data Fusion Warehouse -> Analytics -> Portal
Human / Online Operations: Social Media Monitoring, Open Source Mining, Liaisons, Sharing Forums, Intelligence Analysts, Directed Research
Global Intelligence Network
Security Intelligence - Emerging Threats
[Chart: IDS Threat Alert Trending]
Security Intelligence - Reputation metrics
Anomalous behaviours: Behavior Severity, Behavior Frequency, Data Confidence
History of malicious activity: consecutive malicious events, malicious activity in the last 90 days
[Chart: Attack Rating (combined) by day, Day 0 to 29; series: Behaviour Reputation, Total Reputation, Consecutive Listings, Historical Adjustment; left axis Ratings 1-8, right axis Historical Values 5-35]
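To make the metric concrete, here is an added illustration (not from the presentation or from any vendor product) of how a combined attack rating can be built from the components the slide names: a behaviour score from severity, frequency and data confidence, plus a historical adjustment from consecutive listings and activity in the last 90 days. The weights, caps, the 1-10 severity scale and the sample observations are all assumptions; the slide gives no formula.

```python
from dataclasses import dataclass

# Assumed weights and caps: the slide names the components but gives no
# formula, so these values are illustrative only.
W_SEVERITY, W_FREQUENCY, W_CONFIDENCE = 0.5, 0.3, 0.2
HISTORY_WINDOW_DAYS = 90
MAX_RATING = 10.0


@dataclass
class Observation:
    day: int            # day index on which the source was seen misbehaving
    severity: int       # assumed 1..10 scale of how harmful the behaviour was
    confidence: float   # assumed 0..1 confidence in the reporting sensor


def recent(obs, today):
    """Observations inside the trailing 90-day history window."""
    return [o for o in obs if today - HISTORY_WINDOW_DAYS < o.day <= today]


def behaviour_reputation(obs, today):
    """Anomalous-behaviour component: severity, frequency, data confidence."""
    window = recent(obs, today)
    if not window:
        return 0.0
    severity = max(o.severity for o in window) / 10      # worst behaviour seen
    frequency = min(len(window) / 10, 1.0)               # saturates at 10 events
    confidence = sum(o.confidence for o in window) / len(window)
    score = W_SEVERITY * severity + W_FREQUENCY * frequency + W_CONFIDENCE * confidence
    return round(MAX_RATING * score, 2)


def consecutive_listings(obs, today):
    """Consecutive days, ending today, on which the source was listed."""
    listed = {o.day for o in obs}
    streak = 0
    while today - streak in listed:
        streak += 1
    return streak


def historical_adjustment(obs, today):
    """History component: long streaks and many events in 90 days raise the rating."""
    streak_bonus = min(0.5 * consecutive_listings(obs, today), 2.0)
    volume_bonus = min(0.1 * len(recent(obs, today)), 1.0)
    return round(streak_bonus + volume_bonus, 2)


def attack_rating(obs, today):
    """Combined rating, capped so accumulated history cannot exceed the scale."""
    total = behaviour_reputation(obs, today) + historical_adjustment(obs, today)
    return round(min(MAX_RATING, total), 2)


# Constructed sample: one source seen on three consecutive days.
SAMPLE = [Observation(10, 6, 0.9), Observation(11, 8, 0.8), Observation(12, 7, 1.0)]
```

Evaluating `attack_rating(SAMPLE, day)` for day 12, 13 and 102 shows the streak bonus disappearing the first day the source is not listed and the whole rating decaying to zero once the observations age out of the 90-day window.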
Questions