2. Agenda
• MSS high-level overview
• Industry Examples
• Things to think about
• Summary
• Q&A
Symantec Managed Services
3. Managed Security Services Mission Statement
Symantec Managed Security Services (MSS) helps organizations
anticipate and counteract the constantly changing threat
environment by providing:
• Unparalleled global threat visibility.
• Comprehensive edge-to-endpoint incident detection and analysis.
• 24/7 direct access to Symantec’s industry-leading security specialists.
Symantec Managed Security Services
4. Symantec Managed Security Services
Security Monitoring
– 24x7x365 global operation
– >300 staff dedicated to delivering MSS
– >50 GIAC-certified Intrusion Analysts
– 10min Severe Event Escalation Warranty
– High Accuracy, Low False-positive
– Collect, retain and analyse >400B logs per month
– Escalate >400 validated severe incidents per day across 1,200 Global customers
– Strong Service Governance (ITIL, ISO27001, SSAE 16)
Infrastructure Management
– Network IDS/IPS Management Services
– Firewall Management Services
– Symantec Endpoint Protection Management Services
5. Symantec Managed Security Services
The only Gartner recognised leader in ALL regions
• Unparalleled Global Intelligence Network
• Edge-to-Endpoint Security Monitoring
• Enterprise-wide Pricing Model
Edge-to-Endpoint coverage diagram: NIDS, HIDS, Web Proxy, Firewall, Endpoint OS & Apps, WebApp Firewall, Network Infra., VA
6. Critical Protection Challenges
How MSS Can Help
Challenges: Visibility; Focus on top priorities; Stay ahead of threats; Build a sustainable program; Connect to Business
Evolving Threat Landscape
• Targeted attacks
• Social networking
• Zero-day vulnerabilities and rootkits
• Attack kits
• Mobile threats
7. Critical Protection Challenges
How MSS Can Help
Where are the gaps?
• Complete coverage of surface area, Edge-to-Endpoint
• Standardise security monitoring across all sites, all geographies, all systems
• Where am I at risk of attack?
Coverage diagram: NIDS, HIDS, Web Proxy, Firewall, Endpoint OS & Apps, WebApp Firewall, Network Infra., VA
8. Critical Protection Challenges
How MSS Can Help
Actionable Incidents
• Focus on the most critical problems first
• Eliminate the risk of chasing irrelevant events
• Avoid over and under-reacting
• Report everything
9. Critical Protection Challenges
How MSS Can Help
Security Operation Demands
• 24x7, Global, Certified
• Scalable, Available
• Performing
• Future ‘proof’ architecture
• Recruitment
10. Critical Protection Challenges
How MSS Can Help
How to Demonstrate Value?
• Protect revenue
• Process improvement
• Predictable cost-base
• Measure and report on effectiveness and improvement
• Time-to-Benefit
11. Symantec MSS Portfolio
Monitored sources: Firewalls, IDS / IPS, Web Proxy, Endpoint, OS & Apps, Switches & Routers
Deepsight Global Threat Intelligence
• Unified threat Intelligence portal and XML Data Feeds
• Vulnerability, Threat and Risk content
Log Collection, Retention and Access
• 2FA Portal Access, tamper proof, searchable, exportable
• PCI and ISO27001 reporting features
Real-time Security Monitoring and Analysis
• 24x7 security event monitoring and log analysis
• Global Intelligence Network correlation
Security Incident Notification and Reporting
• Incident Prioritisation, 10min Severe Event Notification
• Real-time security dashboard
Infrastructure Management
• Managed Network IDS/IPS, Managed Firewall, Managed SEP
12. Monitoring Service Tiers
Tiers: Service Transition, Essential, Advanced
Log Collection (applicable to ALL systems)
• Collect Logs from Managed Systems
• Store Logs Online
• Available for Download and Reporting
Correlation (applicable to ALL systems)
• Internal Vulnerabilities
• Rate against Assets
• Analyze against log/alert data
Analysis (applicable to all systems with security data)
• Enterprise Wide Security Analysis
• Expert Human Analysis
• Protect Information Assets
GIN (applicable to egress points, such as FW’s)
• Correlate Against GIN
• Anomalous Activity monitoring
• Protect against Emerging Threats
13. Global Intelligence Network
Identifies more threats, takes action faster & prevents impact
Locations: Calgary, Alberta; San Francisco, CA; Mountain View, CA; Culver City, CA; Dublin, Ireland; Tokyo, Japan; Chengdu, China; Austin, TX; Taipei, Taiwan; Chennai, India; Pune, India
Worldwide Coverage / Global Scope and Scale
• 240,000+ sensors
• 64M total internet sensors
• 200+ countries
• 180M+ systems monitored
• 13 security response centers
Vulnerabilities
• 50,000+ vulnerabilities
• 15,000+ vendors
• 105,000+ technologies
Spam/Phishing
• 5M+ decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day
Capabilities shown: 24x7 Event Logging, Rapid Detection, Attack Activity, Malware Intelligence, Preemptive Security Alerts, Information Protection, Threat Triggered Actions
14. Process - Symantec Security Monitoring
Industrial IT Security 2012
Log sources: Firewalls/VPN; Intrusion Detection Systems; Server and Desktop OS; User Activity Monitoring; Network Equipment; Critical file modifications; Vulnerability Assessment; Anti-Virus; Policy Changes; Malicious IP Traffic; Applications; Web Traffic; Databases
Risk-based Prioritization combines: Identified threats; Known vulnerabilities; Business-critical IT assets
Event funnel:
Tens of Millions: Raw Events
Millions: Security Relevant Events
Hundreds: Correlated Events
Threat Determined
15. Without MSS Service
Device Logs: Perimeter FW, LAN FW, IDS, Web Proxy (diagram zones: Internet, LAN, LAN 2; traffic labels: Email traffic, Web traffic, Windows SMB)
Firewall log lines:
Outbound TCP connection acc from 10.1.25.1 to 98.77.1.11/80 (x5)
Inbound TCP connection acc from 14.28.75.64 to 12.55.26.85/80 (x6)
Inbound TCP connection acc from 10.2.75.64 to 10.1.26.85/445 (x2)
Outbound TCP connection acc from 10.1.22.7 to 55.10.17.22/80 (x4)
Outbound TCP connection acc from 10.1.25.1 to 10.2.55.17/445 (x2)
Outbound TCP connection acc from 10.2.14.1 to 10.1.14.1/445
Outbound TCP connection drop from 10.1.25.1 to 98.77.1.11/25
Outbound TCP connection drop from 10.1.25.1 to 14.231.5.16/25
Outbound UDP connection acc from 10.235.22.11 to 198.28.22.5/53
Inbound UDP connection acc from 198.28.22.5 to 10.235.22.11/10256
Outbound UDP connection acc from 10.2.32.11 to 10.1.19.11/137
Outbound TCP connection acc from 10.1.17.4 to 18.7.13.2/80
Outbound ICMP ping acc from 10.1.25.1 to 10.2.1.11/ 00-08
Outbound TCP connection acc from (truncated)
IDS alert lines:
10.1.25.1 --> 98.77.1.11 - Overnet Client Scan (x2)
10.2.1.58 --> 44.75.26.88 - POLICY Yahoo Webmail client chat
10.2.1.58 --> 44.75.26.88 - POLICY
10.1.22.7 --> 16.1.82.9 SHELLCODE base64 x86 NOOP
10.1.11.4 --> 64.99.57.12 SHELLCODE x86 NOOP
10.2.64.27 --> 18.197.26.177 SNMP trap udp
10.2.64.27 --> 18.197.26.177 SNMP request udp
10.2.64.27 --> 18.197.26.177 SNMP public access udp
19.11.157.22 --> 45.4.55.1 - SQL Query in HTTP Request
48.45.66.99 --> 48.77.88.11 - UDP eDonkey Activity
10.2.1.58 --> 44.75.26.88 - WEBMISC cat%20 access
10.1.11.4 --> 64.99.57.12 - WEBtraffic PHP test.php access
10.2.1.58 --> 27.192.26.88 IRC_Rogue_Session
Web Proxy URL lines:
http://paypay.co/vv/config.bin
http://121.242.39.105/www.paypal.us/account.limited.us/cgi.bin/webscr.htm
http://yeeshiedot.ru/bin/xingaepa.bin
http://zsbiz.in/php/cfg002.bin
http://ww3.irs.gov.binnet11.net/refund/form
http://johgheejae.ru/bin/laangiet.bin
http://push.bbc.co.uk/http-bind/
http://scores.espn.go.com/ncf/caster/snapshot?sessionId=CFBGamecast9
http://money.cnn.com/.element/ssi/main/2.0/content_ssi.exclude.html
http://www.sunshinelive.de/typo3temp/JS_playlistfeed_hash.txt?
...9140000/newsid_9141700/ (truncated URL)
http://cdnedge.bbc.co.uk/sport/hi/english/static/football/statistics
http://jskit.com/api/echo/subscribe?existingRenderers=%5B0%2C1%5D&
http://www.youtube.com/set_awe (truncated URL)
16. Example Stats, one Wednesday afternoon...
• Log lines analysed - 15,279,389,291
• Number of Incidents Created including Summaries - 7966
• Number of Real Time Incidents presented to analysts for validation - 3124
• Number of Real Time Published Incidents - 964
• Number of Summary Published Incidents - 1007
• Number of Real Time Critical Incidents - 244
17. Symantec MSS Portal
• Customizable modules for organizing data in different ways
• Trend graphs for visibility of incident trends
• New Incidents arrive in real time to the Home Page
• Modular elements customizable to each user
18. Symantec Managed Security Services
Reliability and Trust - Symantec Managed Security Services has been a Gartner Quadrant Leader for 11 consecutive years
Proven - Symantec Managed Services clients include 6 of Fortune 10, 44 of Fortune 100 and 117 of Fortune 500
Scalable - Symantec MSS analyzes >12 Billion logs from 727,000 devices every day
Detection - Symantec MSS identifies an average of 15,000 security events and escalates 200 critical incidents every day
Flexible - Symantec has flexible pricing and service levels to deliver the right protection and compliance at the right price.
Personal - Symantec provides named personnel for transition, service management and security analysis duties to drive personal relationships and customer care
Symantec detected over 286 million new malware variants and recorded over 3 billion malware attacks in 2010. Average cost of U.S. data breach: $7.2 million [1]
Advanced Security Monitoring: Symantec MSS Advanced Security Monitoring Service provides enterprise-wide, intelligence-driven security analysis to identify known and emerging threats to critical infrastructure, enabling clients to protect their information assets and demonstrate compliance with industry regulations.
Essential Security Monitoring: Symantec MSS Essential Security Monitoring Service provides enterprise-wide security analysis to identify threats to critical infrastructure, enabling clients to protect their information assets and demonstrate compliance with industry regulations.
Talk about HLR for some systems, and how this relates.
NOTE ESSENTIAL
SOC writes own signatures
Emerging Threats
NOTE ADVANCED
Don’t need to do day one
Due Diligence for choice of systems to uplift
Slide Objective: Describe the strength of the Global Intelligence Network, which is truly a differentiator for Symantec.
Script: At the heart of all of our products is the Symantec Global Intelligence Network. We are incredibly proud of this Network, and it just gets more and more powerful all the time.
We have a 95% detection rate, that’s the highest of any security vendor, and the lowest number of false positives (0.0001%).
***KM: This is just the anti-spam stat. What stat do we have for our overall effectiveness?***
This is, by far, the largest, most sophisticated intelligence network on the planet. It processes over 8 billion email messages daily and gathers malicious code data from 130 million systems. The Network updates every 5-10 minutes from 240,000 sensors in over 200 countries. There are more than 35,000 vulnerabilities in the Symantec vulnerability database. There are 5 million decoy accounts in the Symantec Probe Network. There are 4 Symantec Security Operations Centers located in Australia, UK, USA, India. There are 11 Security Response Centers in the USA, Australia, Canada, India, China, Ireland.
What all of this means is that if there is a malicious attack about to hit you, we know about it first. We block it, we keep it from affecting your business, and we tell you how to take action. It’s about prioritized risk and response, and our intelligence network keeps you protected and tells you what to do first. There simply is no approach that’s faster or more thorough than ours. This Network is the main reason that 99% of the Fortune 500 & 1000 utilize our products. This is what makes all the difference between having security software and knowing that your information is protected 24/7.
The theme of this slide is “There are five things wrong with this network that are invisible with your current monitoring”:
• Host infected with Botnet malware via browser attack
• TCP 445 worm on the LAN
• SMTP spambot infection
• SMTP server being used as open relay
• Web server being targeted by vulnerability scan
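The five conditions listed in this note are exactly what slide 14's funnel (raw events, security-relevant events, correlated events, risk-based prioritisation against business-critical assets) is meant to surface from the kind of device logs shown on slide 15. The following Python script is an added example and is not Symantec's code or part of the presentation: it parses constructed firewall, IDS and proxy lines in the slide's format, applies one simple cross-device rule per condition, and ranks the findings by a constructed asset-criticality table. The FW/IDS/PROXY prefixes, the IP addresses and host names (documentation ranges and .example names), the thresholds, the severity and criticality values, and the function names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample device-log lines in the style of the slide (documentation IP
# ranges and .example host names; none of these values come from the presentation).
# The leading FW/IDS/PROXY tag is a constructed convention naming the emitting device.
SAMPLE_LOGS = """\
FW Outbound TCP connection acc from 10.1.25.1 to 203.0.113.11/80
PROXY 10.1.25.1 GET http://payload.example/vv/config.bin
FW Outbound TCP connection acc from 10.1.25.1 to 203.0.113.11/80
IDS 10.1.25.1 --> 203.0.113.11 - Overnet Client Scan
FW Outbound TCP connection acc from 10.1.25.1 to 203.0.113.11/80
FW Outbound TCP connection acc from 10.2.75.64 to 10.1.26.85/445
FW Outbound TCP connection acc from 10.2.75.64 to 10.1.26.86/445
FW Outbound TCP connection acc from 10.2.75.64 to 10.1.26.87/445
FW Outbound TCP connection drop from 10.1.25.1 to 203.0.113.5/25
FW Outbound TCP connection drop from 10.1.25.1 to 198.51.100.16/25
FW Inbound TCP connection acc from 198.51.100.40 to 10.1.3.25/25
FW Outbound TCP connection acc from 10.1.3.25 to 203.0.113.70/25
FW Outbound TCP connection acc from 10.1.3.25 to 203.0.113.71/25
FW Outbound TCP connection acc from 10.1.3.25 to 203.0.113.72/25
IDS 192.0.2.22 --> 10.1.11.4 - WEBtraffic PHP test.php access
IDS 192.0.2.22 --> 10.1.11.4 - WEBMISC cat%20 access
IDS 192.0.2.22 --> 10.1.11.4 - SQL Query in HTTP Request
FW Outbound TCP connection acc from 10.1.17.4 to 203.0.113.90/80
PROXY 10.1.17.4 GET http://news.example/sport/statistics
"""

FW_RE = re.compile(r"^FW (Inbound|Outbound) (TCP|UDP|ICMP) \S+ (acc|drop) from (\S+) to (\S+)/(\d+)$")
IDS_RE = re.compile(r"^IDS (\S+) --> (\S+) - (.+)$")
PROXY_RE = re.compile(r"^PROXY (\S+) GET (\S+)$")
WEB_ATTACK_MARKERS = ("WEB", "SQL", "PHP")   # substrings of IDS signatures treated as web attacks

def is_internal(ip):
    """Constructed site convention: the LAN is 10.0.0.0/8, everything else is the Internet."""
    return ip.startswith("10.")

def parse(lines):
    """Normalise raw lines from the three devices into event dicts; unknown lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if (m := FW_RE.match(line)):
            direction, proto, action, src, dst, port = m.groups()
            events.append({"kind": "fw", "direction": direction, "proto": proto,
                           "action": action, "src": src, "dst": dst, "port": int(port)})
        elif (m := IDS_RE.match(line)):
            src, dst, sig = m.groups()
            events.append({"kind": "ids", "src": src, "dst": dst, "sig": sig})
        elif (m := PROXY_RE.match(line)):
            src, url = m.groups()
            events.append({"kind": "proxy", "src": src, "url": url})
    return events

def correlate(lines, beacon_min=3, worm_min=3, spam_min=2, relay_min=3, scan_min=2):
    """Cross-device rules for the five conditions named in the slide notes.
    Returns {condition: sorted list of affected internal hosts}. Thresholds are assumptions."""
    out_conn = defaultdict(lambda: defaultdict(int))  # src -> (ext dst, port) -> count
    smb_targets = defaultdict(set)                     # src -> distinct internal dsts on 445
    smtp_dsts = defaultdict(set)                       # src -> distinct external dsts on 25
    mail_servers = set()                               # internal hosts accepting inbound 25
    bin_downloads = set()                              # hosts fetching a .bin through the proxy
    web_sigs = defaultdict(set)                        # (ext src, int dst) -> web-attack signatures
    for e in parse(lines):
        if e["kind"] == "fw":
            src, dst, port = e["src"], e["dst"], e["port"]
            if e["direction"] == "Outbound" and not is_internal(dst):
                out_conn[src][(dst, port)] += 1
            if port == 445 and e["action"] == "acc" and is_internal(src) and is_internal(dst):
                smb_targets[src].add(dst)
            if port == 25 and is_internal(src) and not is_internal(dst):
                smtp_dsts[src].add(dst)  # accepted or dropped: the attempt itself is the signal
            if port == 25 and e["direction"] == "Inbound" and e["action"] == "acc" and is_internal(dst):
                mail_servers.add(dst)
        elif e["kind"] == "proxy" and e["url"].lower().endswith(".bin"):
            bin_downloads.add(e["src"])
        elif e["kind"] == "ids" and not is_internal(e["src"]) and is_internal(e["dst"]) \
                and any(k in e["sig"] for k in WEB_ATTACK_MARKERS):
            web_sigs[(e["src"], e["dst"])].add(e["sig"])
    findings = defaultdict(set)
    for host, conns in out_conn.items():       # payload download + repeated beacon to one host:port
        if host in bin_downloads and any(n >= beacon_min for n in conns.values()):
            findings["botnet_browser_infection"].add(host)
    for host, targets in smb_targets.items():  # one LAN host fanning out on TCP 445
        if len(targets) >= worm_min:
            findings["smb_worm_lan"].add(host)
    for host, dsts in smtp_dsts.items():       # direct-to-MX mail from a non-mail host vs. a relay
        if host in mail_servers:
            if len(dsts) >= relay_min:
                findings["smtp_open_relay"].add(host)   # heuristic: confirm relay config by hand
        elif len(dsts) >= spam_min:
            findings["smtp_spambot"].add(host)
    for (_, server), sigs in web_sigs.items():  # several distinct web-attack signatures, one source
        if len(sigs) >= scan_min:
            findings["web_vuln_scan"].add(server)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed asset register and per-condition severity (illustrative values only).
ASSET_CRITICALITY = {"10.1.3.25": 5, "10.1.11.4": 4}   # mail server, public web server; default 1
SEVERITY = {"botnet_browser_infection": 5, "smb_worm_lan": 4, "smtp_open_relay": 3,
            "smtp_spambot": 3, "web_vuln_scan": 2}

def prioritize(findings):
    """Rank (score, condition, host) by severity x asset criticality, highest first."""
    ranked = [(SEVERITY[c] * ASSET_CRITICALITY.get(h, 1), c, h)
              for c, hosts in findings.items() for h in hosts]
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for score, cond, host in prioritize(correlate(SAMPLE_LOGS.splitlines())):
        print(f"{score:>3}  {cond:<26} {host}")
```

Each rule only fires when two devices, or two distinct signatures, agree about the same host, which is the point of the "correlated events" stage: any single firewall line above is unremarkable on its own. What the script leaves out is what the deck's later tiers add, namely time windows, the vulnerability-assessment data that would confirm whether the scanned web server is actually exposed, and external reputation for the beacon destination.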
• Endpoint Security (#1 market position [2], Positioned in Leader’s Quadrant in Gartner Magic Quadrant [3])
• Messaging Security (#1 market position [4], Positioned in Leader’s Quadrant in Gartner Magic Quadrant [5])
• Policy & Compliance (#1 market position [6])
• Email Archiving (#1 market position [7], Positioned in Leader’s Quadrant in Gartner Magic Quadrant [8], Forrester Wave leader [9])
• Data Loss Prevention (#1 market position, Positioned in Leader’s Quadrant in Gartner Magic Quadrant [10] and Forrester Wave leader [11])
• Security Management (#1 market position [12])
• Security Information & Event Management (SIEM) (Positioned in Leader’s Quadrant in Gartner Magic Quadrant [13])
• Network Access Control (Positioned in Leader’s Quadrant in Gartner Magic Quadrant [14])
• Endpoint Management (Positioned in Leader’s Quadrant in Gartner Magic Quadrant [15])