Information Security Management: Protecting IT Assets from Current and Future Threats John McCumber Strategic Program Manager

Key Information Security Challenges: Blurring lines: “securing” IT assets vs. “managing” them: who ultimately has the responsibility? Too much information: deluge of security news (i.e. viruses, new patches) must be custom formatted for my environment – takes time! Shortage of trained and experienced personnel Need to wrap protection around evolving architectures and business models (i.e. wireless LANs, remote access) Investment in new security tools necessitates a new console to manage, alerts to correlate “Undesired” ranks are expanding: blended threats, P2P, spam, “spyware,” insider threats – together require more than traditional server and desktop solutions

25,000 50,000 75, , , ,000 World-Wide Attack Trends Infection Attempts *Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2003 estimated **Source: CERT 100M 200M 300M 400M 500M 600M 700M 800M 900M Network Intrusion Attempts 0 Blended Threats (CodeRed, Nimda, Slammer) Denial of Service (Yahoo!, eBay) Mass Mailer Viruses (Love Letter/Melissa) Zombies Polymorphic Viruses (Tequila) Malicious Code Infection Attempts * Network Intrusion Attempts **

Source: Bugtraq Vulnerabilities Software Vulnerabilities Average number of new vulnerabilities discovered every week

Vulnerability Trend Highlights Newly discovered vulnerabilities are increasingly severe. Accordingly, the number of low severity vulnerabilities is decreasing. High-severity vulnerabilities give increased privileges and access to more prominent targets. Month New vulnerabilities Breakdown of Volume by Severity

Vulnerability Trend Highlights Symantec reports that 70% of the vulnerabilities found in 2003 could be easily exploited, due to the fact that an exploit was either not required or was readily available. This is a 10% increase over 2002, where only 60% were easily exploitable. Month Percentage of vulnerabilities Percentage of Easily Exploitable New Vulnerabilities

Attack Trend Highlights Almost one third of all attacking systems targeted the vulnerability exploited by Blaster and its successors. Other worms that surfaced in previous periods continue to survive and target Firewall and IDS systems globally. A sufficient number of unpatched systems remain to sustain them. RankPortDescription Percentage of Attackers 1TCP/135 Microsoft / DCE-Remote Procedure Call (Blaster) 32.9% 2TCP/80HTTP / Web19.7% 3TCP/4662E-donkey / Peer-to-peer file sharing9.8% 4TCP/6346Gnutella / Peer-to-peer file sharing8.9% 5TCP/445Microsoft CIFS Filesharing6.9% 6UDP/53DNS5.9% 7UDP/137Microsoft CIFS Filesharing4.7% 8UDP/41170Blubster / Peer-to-peer Filesharing3.2% 9TCP/7122Unknown2.5% 10UDP/1434Microsoft SQL Server (Slammer)2.4%

How do we achieve proactive security management to mitigate current and future risks? Focus on four key elements: Alert - gain early warning, take evasive action Protect – deploy defense-in-depth Respond – react in prioritized fashion Manage – applies to a 360-degree view of security and managing the secure lifecycles of our individual assets

 Early awareness of threats  “Listening posts”  Prevent unwanted attacks  Detect physical breaches  Security of information assets  Internal Workflow Auto-configuration Disaster recovery  External Hotline Signature updates Environment Policies and Vulnerabilities Device/Patch Configuration User Access Identity Management Information Events and incidents Alert Protect ManageRespond Proactive Control Security Fundamentals

Alert: Spotting the ‘Blaster’ worm early DeepSight Notification IP Addresses Infected With The Blaster Worm 7/16 - DeepSight Alerts & TMS initial alerts on the RPC DCOM attack 7/23 - DeepSight TMS warns of suspected exploit code in the wild. Advises to expedite patching. 7/25 - DeepSight TMS & Alerts update with a confirmation of exploit code in the wild. Clear text IDS signatures released. 8/5 - DeepSight TMS Weekly Summary, warns of impending worm. 8/7 TMS alerts stating activity is being seen in the wild. 8/11 - Blaster worm breaks out. ThreatCon is raised to level 3 Alert

The Convergence Imperative Assure security policy compliance Receive early awareness of threats Prevent & detect attacks & breaches Protect privacy of information Rapidly & easily recover from loss of critical systems & information Insure via policies that adequate storage available for applications & backup Create secure archives for preserving information assets Discover & track HW/SW assets Provision, update & configure systems via automated policies Instantly push security patches & signatures to all managed devices Assure software license compliance & remove unauthorized applications De-provision & repurpose systems securely

Threat, vulnerability & event-driven patch & configuration management Solving the Convergence Challenge Policy-driven backup Monitor storage resources & perform corrective action System & data recovery Threat, vulnerability & event-driven backup Recovery from attack

Normal Protect Depth & Frequency of backup Management in Action: Integrated Security, Systems & Storage Threat Vulnerabilities Attack SEA platform Rapid Recovery from Attack, Faulty Patch Adjust Protection Granularity High Risk Alert Normal ScanTestDeploy Remove Vulnerability Recover Alert Action Policie s

Summary Risk is escalating: Threats are more complex, exploiting more vulnerabilities in less time – requires more comprehensive strategies leveraging integrated capabilities and strengths In the public sector, there are additional strong catalysts driving the “A.P.R.M.” approach, such as compliance (i.e. FISMA) and safely enabling information-sharing. Take advantage of tools that serve multiple needs (i.e. asset inventory, policy compliance and patch management) Given the nature of threats, we need to play to natural strengths gained through merging security, system and storage functions – on both a technology and personnel level Knowing what we have, how it is configured, and how it can be restored – in the context of what is happening “in the wild” (exploits, vulnerabilities, patterns) is the best defense for what the future brings

Thank You!