RSA NetWitness: A Practical Answer to the Latest Attack Techniques and Insider Data Leakage

Emerging Threat
Changing Threat Environment
- Financially motivated cybercrime poses a massive threat to the foundations of a business.
- Sophistication, scope of damage and speed of attack are all rising sharply.
- Advanced Persistent Threats (APTs) have a significant impact on the business bottom line.
[Figure: threats plotted by scope of damage / sophistication (vertical axis) against attack motivation (horizontal axis, from "minor annoyance: hobby-based malware, cyber vandalism" through "financial" to "significant impact on business bottom line: financially motivated cybercrime"). Labels in the figure: APTs, targeted malware, rootkits, hybrid worms, web-application attacks, coordinated attacks, service/resource disruption, botnets, DoS/DDoS, worms, spyware, spam, backdoor trojans, viruses, phishing.]
Advanced Persistent Threats: a new attack direction from 2010
- 1980-2010: direct attacks against the target network.
- 2010-2020: intrusion by attacking specific individuals who belong to the organization.
Advanced Persistent Threats: typical attack stages
Attack characteristics:
- Combines technical hacking with social-engineering attacks.
- Carried out covertly over a long period.
- Targets employees through social engineering rather than attacking systems directly.
Stages:
1. Target identification: individuals who hold the access rights the attacker needs are selected as targets.
2. Spear-phishing: a forged e-mail carrying malware or a malicious link is sent to specific employees of value to the attacker.
3. Organization mapping: once the intrusion succeeds, the organization's IT infrastructure is surveyed to identify strategic assets, key servers and employees with administrator rights.
4. Privilege escalation: administrator rights are obtained through further spear-phishing or by stealing privileged accounts.
5. Stealth fighters: malware is installed on the compromised systems, backdoors are created, and a back-connection to the command-and-control server is activated.
6. D-day: the command-and-control infrastructure is activated and the stolen information is compressed, encrypted and exfiltrated.
Advanced Persistent Threats: bypassing existing security systems
Firewall
- Most firewalls control connections from outside to inside; connections from inside to outside are mostly allowed.
- Recent malware uses a back-connection: it connects from inside the network out to the command-and-control server.
IDS/IPS and anti-virus
- IDS/IPS and anti-virus rely on signature-based detection.
- Attackers use new or variant malware for which no signature is known yet.
Security monitoring (SOC)
- Covert activity spread over a long period until the desired information is obtained.
- It is not caught by the usual worm and attack detection patterns.
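The outbound back-connection described above is visible from inside the firewall as a timer-driven pattern: the same internal host contacting the same external address at a steady interval, which is something signature-free session analysis can pick up even when the malware itself is unknown. The following Python is an added example written for this page, not NetWitness code. It runs over a constructed list of outbound flow records, and its thresholds (at least six connections, coefficient of variation of the gaps at most 0.15) are assumptions chosen for the sample, not vendor defaults.

```python
"""Added example: spot periodic outbound back-connections in flow records.

Illustrative code for this page, not NetWitness code. Works on a constructed
list of outbound flows (timestamp_seconds, src, dst, dport) as a firewall's
outbound log would give them, and flags peers contacted at a steady cadence,
which is how a compromised host checking in with its C2 server looks from
inside. Thresholds are assumptions, not vendor defaults.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.15 beacons to 203.0.113.7:443 every ~60 s, while
# the same host also browses 198.51.100.20:80 at irregular, bursty times.
SAMPLE_FLOWS = [
    (t, "10.0.0.15", "203.0.113.7", 443) for t in (0, 61, 120, 181, 240, 299, 360, 420)
] + [
    (t, "10.0.0.15", "198.51.100.20", 80) for t in (5, 7, 8, 130, 131, 300, 301, 302)
]


def beacon_candidates(flows, min_flows=6, max_cv=0.15):
    """Return [(src, dst, dport, mean_gap_seconds)] for peers contacted at a
    regular interval.

    cv = stdev / mean of the gaps between consecutive connections to the same
    peer. Human browsing is bursty (high cv); a timer-driven beacon is regular
    (low cv), even when the attacker adds a little jitter.
    """
    by_peer = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_peer[(src, dst, dport)].append(ts)

    hits = []
    for peer, times in by_peer.items():
        if len(times) < min_flows:          # too few samples to call a cadence
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:                        # all in the same second: not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((*peer, round(float(avg), 1)))
    return hits


if __name__ == "__main__":
    for src, dst, dport, gap in beacon_candidates(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} every ~{gap}s: possible C2 check-in")
```

On the constructed data only the 203.0.113.7:443 peer is reported (mean gap 60 s); the browsing flows to 198.51.100.20 have a coefficient of variation above 1 and are ignored. On real traffic the same logic needs a longer window and a whitelist for legitimate pollers (NTP, update checks, monitoring agents), which also beacon.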
NetWitness Overview

NetWitness is
- An innovative network monitoring solution.
- Broad visibility into network behavior and content.
- An accurate and actionable response framework.
Know Everything. Answer Anything.
NetWitness Network Security Analysis Platform
- Real-time capture and indexing of all network traffic.
- Automated malware analysis and risk scoring.
- Automated threat reports and alerts.
- Immediate root-cause identification and analysis.
- Rapid content review through revolutionary visualization.
NetWitness: an innovative change in how networks are monitored and analyzed
AS-IS
- Packet-level network analysis.
- High complexity; recognizing threats in real time is difficult.
- Analysis and root-cause identification take a lot of time and staff.
TO-BE
- Session- and content-level network analysis.
- Immediate recognition of threats in real time.
- Detection of sophisticated external attacks and insider leak attempts.
- Efficient situational analysis and immediate response.

NetWitness Key Features
NetWitness NextGen Platform: session-based network analysis platform
NextGen Platform
- Stores all traffic on the network.
- Indexes network traffic per session: Source IP / Port, Destination IP / Port, Protocol (HTTP / MSN IM / POP3 / SSH), Action (login / get / sendto / attach), File Type (exe / pdf / jpg), etc.
- Real-time index generation.
- Index-based high-speed search.
- Detailed content lookup driven by the indexed network traffic information.
- Various applications are built on the NextGen platform: Spectrum / Informer / Investigator / Visualize.
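To make the session index concrete, here is an added example of the idea in Python: an inverted index over per-session metadata keys of the kind listed above, with a drill-down that counts the values of one key among the sessions matching a set of filters, and a final lookup of one session's full record. It is illustrative code written for this page, not the NextGen platform's implementation; the session records are constructed, and the key names (ip.src, ip.dst, service, action, filetype) are labels chosen for the example.

```python
"""Added example: a toy session-metadata index with filter / drill-down.
Illustrative only, not NetWitness code. Session records are constructed."""
from collections import Counter, defaultdict

SESSIONS = [
    # Constructed metadata, one dict per reassembled session
    {"id": 1, "ip.src": "10.0.0.15", "ip.dst": "203.0.113.7", "service": "HTTP", "action": "get", "filetype": "exe"},
    {"id": 2, "ip.src": "10.0.0.15", "ip.dst": "203.0.113.7", "service": "HTTP", "action": "get", "filetype": "exe"},
    {"id": 3, "ip.src": "10.0.0.22", "ip.dst": "198.51.100.20", "service": "HTTP", "action": "get", "filetype": "jpg"},
    {"id": 4, "ip.src": "10.0.0.22", "ip.dst": "198.51.100.9", "service": "POP3", "action": "login"},
    {"id": 5, "ip.src": "10.0.0.31", "ip.dst": "203.0.113.7", "service": "SSH", "action": "login"},
    {"id": 6, "ip.src": "10.0.0.31", "ip.dst": "198.51.100.20", "service": "HTTP", "action": "get", "filetype": "pdf"},
]


class SessionIndex:
    """Inverted index: metadata key -> value -> set of session ids."""

    def __init__(self, sessions):
        self.sessions = {s["id"]: s for s in sessions}
        self.postings = defaultdict(lambda: defaultdict(set))
        for s in sessions:
            for key, value in s.items():
                if key != "id":
                    self.postings[key][value].add(s["id"])

    def select(self, filters):
        """Session ids matching every key=value in `filters` (AND of posting lists)."""
        ids = set(self.sessions)
        for key, value in filters.items():
            ids &= self.postings[key].get(value, set())
        return ids

    def pivot(self, key, filters=None):
        """Drill-down: distribution of `key` among sessions matching `filters`.
        This is the step an analyst repeats: filter, look at the values of the
        next key, pick one, narrow again."""
        ids = self.select(filters or {})
        return Counter(self.sessions[i][key] for i in ids if key in self.sessions[i])

    def session_detail(self, session_id):
        """Last step: the full record for one session, before pulling its content."""
        return self.sessions[session_id]


if __name__ == "__main__":
    idx = SessionIndex(SESSIONS)
    # Who downloaded executables, and from where?
    print("exe sources:", dict(idx.pivot("ip.dst", {"filetype": "exe"})))
    print("exe downloaders:", dict(idx.pivot("ip.src", {"filetype": "exe"})))
    # What else talks to that destination?
    print("services to 203.0.113.7:", dict(idx.pivot("service", {"ip.dst": "203.0.113.7"})))
    print(idx.session_detail(5))
```

Because every key is indexed, each pivot is a set intersection plus a count rather than a pass over raw packets; that is what lets the same question be asked again with one more filter without re-reading the capture.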
NetWitness Investigator: network session-based interactive analysis solution
Investigator
- Session-based interactive analysis of Layer 2-7 content.
- Port-independent session-based analysis (patented / award-winning).
- User-friendly data presentation (Web, Voice, Files, Emails, Chats, etc.).
- High-speed search over large data volumes: index-based search across terabytes of data.
- Rapid analysis.
- Over 50,000 security professionals worldwide use the freeware edition.
NetWitness Investigator: step-by-step drill-down
- Search and detailed lookup through metadata.
- Right-click actions.

NetWitness Investigator
- Session content preview.
- Session detail view.
NetWitness Spectrum: signature-free malware detection solution
Spectrum
- Analyzes every executable file seen on the network for malware from several perspectives:
- File: the file's intrinsic attributes and file header information.
- NextGen: network information about where the file came from.
- Community: queries online communities about the file's signature.
- Sandbox: tests the functionality the executable actually has.

NetWitness Spectrum: multidimensional malware analysis
- Each analysis method converts the file's similarity to malware into a score.
- Detects both known and unknown malware.
- A practical answer to sophisticated current attack techniques such as zero-day attacks and APTs.
NetWitness Spectrum
File
- Analyzes file header information and attributes and checks for similarity to malware.
NextGen
- Infers the likelihood of malware from the file's origin and the network session information captured by the NextGen platform.

NetWitness Spectrum
Community
- Checks with the malware community whether the file's signature is that of known malware.
Sandbox
- Runs the executable in a sandbox and tests whether its behavior resembles malware.
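How the four views (File, NextGen, Community, Sandbox) can be folded into one score is easiest to see in code. The following Python is an added example, not Spectrum's implementation: it parses a constructed minimal PE header for the File view, looks at the delivery session for the NextGen view, checks a SHA-256 against a constructed known-bad set standing in for the community lookup, and takes a set of sandbox observations as input because the sandbox run itself cannot be shown offline. The weights, thresholds and risk bands are assumptions.

```python
"""Added example: multi-perspective malware scoring in the style of the four
Spectrum views above. Illustrative only, not NetWitness code; all weights,
thresholds and sample data are assumptions / constructed."""
import hashlib
import ipaddress
import struct

PE_MAGIC = b"PE\0\0"
EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr"}

KNOWN_BAD_SHA256 = set()          # constructed stand-in for a community hash lookup

# Constructed sandbox behaviours and the weight each contributes (assumed values).
SANDBOX_WEIGHTS = {"outbound_connect": 0.4, "autorun_registry": 0.4,
                   "process_injection": 0.5, "drops_executable": 0.3}

VIEW_WEIGHTS = {"file": 0.2, "nextgen": 0.2, "community": 0.3, "sandbox": 0.3}


def build_pe_stub(num_sections=3, characteristics=0x0102):
    """Constructed minimal PE: DOS header whose e_lfanew (offset 0x3C) points at
    the 'PE\\0\\0' signature, followed by a 20-byte COFF file header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0xE0, characteristics)
    return dos + PE_MAGIC + coff


def file_view(data, claimed_name):
    """File perspective: is this really a PE, and does the header agree with
    the name it was delivered under?"""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return 0.0
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return 0.0
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    ext = claimed_name.rsplit(".", 1)[-1].lower()
    score = 0.2                                  # an executable on the wire is worth a look
    if ext not in EXECUTABLE_EXTENSIONS:
        score = 0.8                              # executable disguised as a document
    if num_sections == 0 or num_sections > 16:   # odd section table, often packers
        score = max(score, 0.6)
    return score


def nextgen_view(session):
    """Network perspective: where did the file come from?"""
    try:
        ipaddress.ip_address(session.get("host", ""))
        return 0.7                               # fetched from a bare IP, no hostname
    except ValueError:
        return 0.2


def community_view(data):
    """Community perspective: a known-bad hash is decisive; unknown is not 'clean'."""
    return 1.0 if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256 else 0.0


def mark_known_bad(data):
    """Constructed stand-in for the community answering 'this hash is malware'."""
    KNOWN_BAD_SHA256.add(hashlib.sha256(data).hexdigest())


def sandbox_view(behaviours):
    """Sandbox perspective: sum of weighted observed behaviours, capped at 1."""
    return min(1.0, sum(SANDBOX_WEIGHTS.get(b, 0.0) for b in behaviours))


def assess(data, claimed_name, session, behaviours):
    """Combine the four views into (score, level, per-view breakdown)."""
    views = {"file": file_view(data, claimed_name),
             "nextgen": nextgen_view(session),
             "community": community_view(data),
             "sandbox": sandbox_view(behaviours)}
    score = round(sum(VIEW_WEIGHTS[v] * s for v, s in views.items()), 2)
    level = "high" if score >= 0.7 else "medium" if score >= 0.4 else "low"
    return score, level, views


if __name__ == "__main__":
    sample = build_pe_stub()
    session = {"service": "HTTP", "action": "get", "host": "203.0.113.7"}
    print(assess(sample, "invoice.pdf", session, {"outbound_connect", "autorun_registry"}))
```

For the constructed sample (a PE delivered as "invoice.pdf" from a bare IP, that connects out and sets an autorun key) the file, network and sandbox views alone give 0.54, "medium"; once the community view knows the hash the score rises to 0.84, "high". The point of weighting rather than any single veto is exactly the one the slides make: an unknown hash contributes nothing either way, so the other views still carry a zero-day.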
NetWitness Informer: Monitoring & Alerting
Informer
- Flexible dashboards that give a comprehensive picture of the threat situation.
- Used by various departments: network security; internal security / HR; legal / R&D / audit; IT operations.
- Reports in HTML, PDF and other formats.
- Multiple log-forwarding methods for full SIEM integration: CEF, SNMP, syslog, SMTP.

NetWitness Informer
- Alerts from real-time traffic analysis.
- Real-time dashboard.
- Various statistics and reports.
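The CEF-over-syslog path listed above is easy to get wrong on escaping, so here is an added example in Python of formatting an alert as a CEF record and wrapping it in a syslog header. It is illustrative code for this page, not NetWitness Informer or SIEMLink code; the vendor / product / version strings, the alert contents and the CEF-to-syslog severity mapping are assumptions.

```python
"""Added example: format an alert as ArcSight CEF and frame it as a syslog line.
Illustrative only, not NetWitness code. Field values are constructed."""

CEF_VERSION = 0


def _escape_header(value):
    # Header fields are pipe-delimited: backslash and pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # Extension values: backslash and '=' are escaped, newlines encoded.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, signature_id, name, severity, extension):
    """Build one CEF record. `extension` is an ordered mapping of CEF keys."""
    severity = int(severity)
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0-10")
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def syslog_line(cef, cef_severity, hostname, timestamp, facility=20):
    """RFC 3164-style framing: <PRI>TIMESTAMP HOSTNAME MSG. facility 20 = local4.
    The syslog severity is derived from the CEF severity (assumed mapping);
    it is passed in rather than re-parsed because the message may contain
    escaped pipes."""
    s = int(cef_severity)
    sys_sev = 6 if s <= 3 else 4 if s <= 6 else 3 if s <= 8 else 2
    return f"<{facility * 8 + sys_sev}>{timestamp} {hostname} {cef}"


# Constructed alert, matching the back-connection scenario earlier in this deck.
ALERT = {
    "signature_id": "beacon-01",
    "name": "Periodic back-connection | C2 suspected",
    "severity": 7,
    "extension": {"src": "10.0.0.15", "dst": "203.0.113.7", "dpt": 443,
                  "msg": "interval=60s", "cs1Label": "service", "cs1": "HTTP"},
}


def alert_to_syslog(alert=ALERT, hostname="nw-informer", timestamp="Mar  1 12:00:00"):
    """Assumed vendor/product/version strings; not taken from the product."""
    cef = to_cef("RSA", "NetWitness Informer", "1.0", alert["signature_id"],
                 alert["name"], alert["severity"], alert["extension"])
    return syslog_line(cef, alert["severity"], hostname, timestamp)


if __name__ == "__main__":
    print(alert_to_syslog())
```

The pipe in the alert name and the "=" inside the msg value are the two places an unescaped formatter breaks the receiving SIEM's parser; the example escapes both, and keeps the severity out of band so the syslog priority does not depend on re-splitting the message.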
NetWitness Visualize: innovative visualization of network content
Visualize
- An innovative interface that gives visibility into network content.
- Extracts all images, files, objects, audio and voice from network traffic and presents them in an interactive interface.
- Multi-touch, drill-down, timeline and auto-play functions.
- Rapid review of network content.

NetWitness Visualize
- Zoom in: show details and play back.
- Sort by various metadata (Source IP, time, protocol, etc.).
- Demo URL: http://visualize.netwitness.com
NetWitness Live: real-time updates of the latest detection policies
- Feeds, custom actions, flex parsers, rules, reports.
- Analysis methods are updated automatically from the NetWitness community.
- Global threat intelligence.
- Solutions to problem sets: advanced threats, malware, botnets, policy/audit, enterprise monitoring, fraud, user attribution, risk prioritization.

NetWitness Live Offering
BASIC (free)
- Open-source threat intelligence.
- Advanced threat content: Informer threat/security reports; BOT/C&C reports; exploit kit identification; zero-day indicators; compromise indicators; prioritized risk levels.
- Intelligence sources: ZeuS Tracker.
ENHANCED (subscription)
- User identity.
- Spam/phish/threat intelligence: trend intelligence; anonymous proxies; website classification; spam/phish/threat intelligence; NetWitness Identity (AD integration).
PREMIUM (subscription)
- Fraud intelligence.
- Financial services intelligence.
NetWitness Product Information

NetWitness product composition
APPLICATIONS
- Informer: real-time alerting, reporting, Visualize.
- Investigator Enterprise: interactive detailed traffic analysis.
- Live: real-time updates of the latest analysis rules and intelligence.
- Spectrum: automated malware analysis / detection.
- SIEMLink: integration with SIEM solutions.
- SDK/API: API for querying and searching NetWitness traffic data.
APPLIANCES
- Decoder: real-time full-packet capture appliance.
- Concentrator and Broker: index search, and federated search across multiple collection points and sites.
- Eagle: hybrid appliance that combines the key functions in a single small device.
NetWitness Appliances

Portable (Tactical)
- Usage: incident response, tactical operations, small security teams.
- Appliance: NWA50 Eagle.
- Features: briefcase form-factor; encrypted / removable drives; 2 TB retention.

Branch (Fixed Capacity)
- Usage: remote office, managed services.
- Appliance: NWA200 Hybrid.
- Features: 1U form-factor; fixed capacity; distributed visibility; 8 TB retention.

Data Center (High Performance)
- Usage: enterprise monitoring, SOC operations.
- Appliances: NWA1200/2400 Decoder, NWA1200/2400 Concentrator, NWA100 Broker.
- Features: 1U and 2U form-factors; bandwidth scalable; distributed visibility; 12 or 24 TB retention; DAS and SAN storage available.

Service Provider (Unlimited Scalability)
- Usage: national monitoring, large SOC operations.
- Appliances: NWA1200/2400 Decoder, NWA1200/2400 Concentrator, NWA100 Broker; indefinite retention.
- Features: 1U and 2U form-factors; bandwidth scalable; distributed visibility; 12 or 24 TB retention; DAS and SAN storage available.

Throughput scale across the range: 100 Mbps, 250 Mbps, 1 Gbps, 10 Gbps, 40 Gbps.
Saturated storage at those rates: 1 TB/day, 2.5 TB/day, 10 TB/day, 100 TB/day, 400 TB/day.
NetWitness configuration example
Security Leaders Leverage NetWitness
Security teams in high-threat environments:
- 6 of the Fortune 10
- 70% of US Federal agencies
- Over 50,000 security experts around the world

"NetWitness is a cutting edge vendor for Network Analysis and Visibility." (John Kindervag, Forrester Research)
"NetWitness is the last security appliance you will ever need to buy." (Josh Corman, 451 Group)

Recognized for outstanding performance:
- #21 in the 2010 Inc. 500, including #1 in the U.S. among enterprise software companies
- Winner of the SC People's Choice Award and numerous other industry achievements

"Traditional security measures like firewalls, intrusion detection, patch management, anti-virus, single tier DMZs are not enough to stop the new threats." (CISO, major U.S. Federal agency)
"I rely upon NetWitness to detect and analyze malware that no other product can find." (Director of Incident Response, NY health care provider)
Know Everything. Answer Anything.

DEMO

THANK YOU