Check Point designing a security
11 likes5,584 views
The document discusses the key elements needed to design an effective security intelligence architecture. It emphasizes the importance of visibility into the network through extensive logging, context about the environment, and control over network flows. Specifically, it recommends mapping the network topology, understanding application architecture and business goals, logging at all layers including layer 7 applications, and ensuring the security team has resources to generate higher level threat intelligence from the data. The end goal is to reduce the time needed to analyze security incidents and enable real-time response capabilities.
Check Point designing a security
- 1. Designing a Security Intelligence Architecture Daniel Wiley Senior Security Consultant ©2013 Check Point Software Technologies Ltd.
- 2. You have been told that you have an infected machine in your network… You have seconds to make a difference Now what? ©2013 Check Point Software Technologies Ltd. 2
- 3. Threats are always changing Attackers are using any method available to infiltrate networks Attacks are moving up the network stack means more information is needed to deal with them Scaling tools and architecture is not simple as you move up to threat landscape If you have something worth stealing someone will try ©2013 Check Point Software Technologies Ltd. 3
- 4. Need architecture that adapts • Can’t limit yourself to one function anymore • Need versatility ability to find the right tool quickly • Ability to layer capabilities on existing architectures ©2013 Check Point Software Technologies Ltd. 4
- 5. What does that really all mean You need features that can adapt to changing environments Ability to react to attacks needs to be in real time Need to think outside of the box sometimes The more data the better Sometimes you have to make the hard decisions ©2013 Check Point Software Technologies Ltd. 5
- 6. What does it take? 1 Know your environment 2 You need context 3 Build visibility into your network 4 Don’t forget Layer 7 and 8 ©2013 Check Point Software Technologies Ltd. 6
- 7. This doesn’t help Internet Internal ©2013 Check Point Software Technologies Ltd. 7
- 8. Sounds simple but isn’t Understand the whole Network Topology Application Architecture is vital to defense Network Design is vital to get the visibility you need What do users normally do? Can you answer the basic questions about core data flows and business drivers? Who are your partners ©2013 Check Point Software Technologies Ltd. 8
- 9. What does it take? 1 Know your environment 2 You need context to the data 3 Build visibility into your network 4 Don’t forget Layer 7 and 8 ©2013 Check Point Software Technologies Ltd. 9
- 10. What does this all mean! Context • Having an IP address alone does not help • What does the log really mean to my environment • It’s hard to see who is actually attacking you • Layering context is great but what do you with the data ©2013 Check Point Software Technologies Ltd. 10
- 11. How do you build context Automated Manual • Geo Location • Past Experiences • Identity Awareness • Application Flows • Application Intelligence • Business Goals and Direction • DLP • Relationships • URL Filtering/Logging • Third party information • Hit count • Network Architecture • Smart Monitor/Smart Log • Compliance Requirements • Header Identification • Change Control • Machine Identification • Lessons Learned ©2013 Check Point Software Technologies Ltd. 11
- 12. Some examples What we used to see in a log: Source: 1.1.1.1 Destination: 2.2.2.2 Service: TCP/80 Action: Allow What we see now: Source: 1.1.1.1 Destination 2.2.2.2 Service: TCP/80 User: Bob Barker Machine: PriceIsRight OS: WinXP Browser: Chrome Server: Apache URL: www.hackme.org/malware.exe URL Category: Hacking Site IPS: Binary Download Country: US Anti-Bot: reallybadstuff.v52 Packet Capture: onaplatter.exe Action: Block ©2013 Check Point Software Technologies Ltd. 12
- 13. What does it take? 1 Know your environment 2 You need context to the data 3 Build visibility into your network 4 Don’t forget Layer 7 and 8 ©2013 Check Point Software Technologies Ltd. 13
- 14. I can’t see anything Engineer with logging in mind – The more you log the more you can see Ensure you are capturing all key metrics (SmartMonitor/SNMP) at gateway and network Learn TCPDUMP/WireShark/fw monitor Utilize Packet Capture mode within IPS and Anti-Bot Understand what you are capturing and why Everything creates a log – Learn them ©2013 Check Point Software Technologies Ltd. 14
- 15. Advanced Visibility When you identify the really nasty stuff you need to know how to deal with it. • Threat Emulation • Malware Reversing • Locating infected hosts • Having control over network means blocking hostile code ©2013 Check Point Software Technologies Ltd. 15
- 16. What does it take? 1 Know your environment 2 You need context to the data 3 Build visibility into your network 4 Don’t forget Layer 7 and 8 ©2013 Check Point Software Technologies Ltd. 16
- 17. Layer 7 Without application layer data finding golden nugget is almost impossible Email Data Exfil Web Anti-Bot/DLP Application Control/URL Filtering IPS IP Addresses / Services / Time / Direction ©2013 Check Point Software Technologies Ltd. 17
- 18. Layer 7 Once you know the attack vectors you can trace the risk to your network and maybe the actual attacker Fraud Event Corp Espionage Hacking Event CEO ©2013 Check Point Software Technologies Ltd. 18
- 19. Layer 8 – Man humans are difficult Without management on board having all the information in the world won’t help Incident Response is vital – Plan, Test, Evaluate, Repeat Do you have a plan for interacting with law enforcement Who is really attacking you and why Know your gaps and try and address them ©2013 Check Point Software Technologies Ltd. 19
- 20. Core Items Need As many blades as possible with advanced features (Packet Capture/URL Logging/SMTP Information) Large logging infrastructure A Network Map A Org Chart SmartEvent SmartLog Enough resources to generate higher level data ©2013 Check Point Software Technologies Ltd. 20
- 21. Putting it all together For any intelligence system try to answer the following questions: Who: Financial officer was targeted What: Installation of malware on PC, attempted to upload Excel spreadsheet to C&C Where: PC location within executive zone, C&C located in Brazil When: Over 5 month period multiple spear fishing emails Why: After full analysis determined that excel spreadsheet would give completive advantage to competition Infrastructure – DLP, Anti-Bot, Anti-Virus, Endpoint, Logging, SmartEvent ©2013 Check Point Software Technologies Ltd. 21
- 22. What’s the point of all of this Time for analysis and full understand of an event is greatly decreased Ability to identify who is targeted and what the risk really is You need to make blocking decisions quickly Talking about it over 5 days isn’t going to help If you can react to malware events in minutes or seconds you are doing as good as the best ©2013 Check Point Software Technologies Ltd. 22
- 23. How can you use Check Point - Gateway • Firewall - Advanced Logging Options such as URL logging Log all rules • Utilize Application Control and URL Filtering • Identity Awareness • Anti-Bot/Anti-Virus - Utilize Packet Capture Ability • IPS - Utilize Packet Capture Ability - Ensure advanced features are enabled on the IPS Blade - GeoLocation ©2013 Check Point Software Technologies Ltd. 23
- 24. How can you use Check Point Management • SmartLog - Create predefined searches for specific events – Such as Logon / Logoff events for Identity logs • SmartEvent • Endpoint - Compliance Checks - MD5/OS Checks - AV Events - Firewall Logs ©2013 Check Point Software Technologies Ltd. 24
- 25. Summary Visibility Advanced Blades Log everything Network Map Full Team Envolvement Context Known your environment Understand network Overlay business requirements Control Create areas of control Management Onboard Builds Intelligence ©2013 Check Point Software Technologies Ltd. 25
- 26. Thank You! Daniel Wiley Senior Security Consultant ©2013 Check Point Software Technologies Ltd.