STORIES FROM THE PRODUCTION LINE
HAVARO AUTOREPORTER + STORIES FROM THE PRODUCTION LINE
The last 6 hours
2012-10-28 11:00
Jani Kenttälä, Clarified Networks Oy, part of Codenomicon Group

• “Ability, motivation and attitude” - a pragmatic approach
• “Get as much as possible out of scarce resources” - innovation
• Public/Private partnership (including universities) - HAVARO is one culmination point

PREVIOUS EPISODES
1. Howard Smidt briefing Mr. Bush about Finnish Security Research Group findings
2. Analyzer used in the Bredolab botnet takedown; Dutch TV channel covers the Mikko Hyppönen (F-Secure) and Bob Burls (eCrime unit in the UK) keynote, where Analyzer was used to visualize evidence against the m00p gang.
3. Critical Infra SA deployment for the Estonian Government
4. Situation rooms for NATO CCDCOE cyber exercises.
5. Clarified Visualization in Mikko Hyppönen’s TED talk, 500 000 views as of 2011-09
6. News coverage of CERT.be fighting against website hacks, TV premiere for our abuse handling tools.

RESULTS - CASE FINLAND
OTHERS SAW IT TOO
Finland is known as having networks with the fewest malicious software (malware) infections, and within Finland, the telecommunications company TeliaSonera prides itself in being the “cleanest of the clean.” -- Microsoft Case Study
“The infection rates and other metrics for Finland have consistently been below the world-wide averages, and we have often wondered ourselves what the reason is for this” - Kimmo Bergius, Microsoft’s Chief Security Advisor

WORLD IS FOLLOWING, NEXT STEP
WE ARE NOT STANDING STILL
Don’t try this on national level
CASE EINSTEIN (BASED ON PUBLIC INFORMATION)
2008: budget addition: $0.37 per US citizen
2011: 38-page article by Bellovin, Diffie et al. about fundamental issues in using EINSTEIN in a Critical Infra context.
FOR US IT STARTED 2010
2010-12-08 01:19:44 Marko Laakso • with Sauli we sketched out a model where AH would send IP addresses to the sensors along with a type telling why it is suspicious; per critical sensor customer there could then be a list of types (or *) that they accept to trigger the sensor; the IPs would go into the capture filter, the sensor stores the pcaps of the triggering addresses and sends flow data from them back to vivi, where they are fed as observations back into AH, on top of which the situation picture is on vsr

ROUGH IDEA
BUILD ON TOP OF EXISTING CAPABILITY
2011 - WARP 9
Timeline labels: Production pilot, Pilot 2011, Sensor integration, Contracts, Procurement process

END OF 2011
• Within half a year CERT-FI has executed the plan,
• the system is operational,
• integrating CERT-FI’s existing processes and tools,
• adding new capability with a minimum impact on resourcing and required tool know-how.
• 2012 will continue; the focus will be on scaling internal know-how, coverage of CIP organizations and potentially adding new capabilities.

HAVARO - IN NUMBERS
KEEPING HUMAN EFFORT BEARABLE
6 640 000 events
49 822 IP addresses in observations
20 000 suspected malicious events
Challenge for automation
Challenge for people
259 reports
49 reports with severity mediocre
16 reports with severity high

HAVARO CAPABILITIES
• Abuse Alerts: netflow monitoring, raise an alert if there is traffic to a known malicious identity
• Abuse Records: record all traffic to known malicious identities
• IDS alerts: observe also malicious behavior
• Real-time situation awareness
• Computer assisted reporting

AUTOREPORTER + HAVARO
Architecture diagram: CIP1-CIP5 with sensors, Enterprise1, ISP1-ISP4, CERT, Feeders
• ISPs: Best in cleaning. Get alerts and records.
• CERT: Best in aggregating and reporting. Analyze & report. Feed malicious identities.
• Feeders: Best in monitoring.
• Blogs, mailing lists: Add discoveries from the daily media follow-ups into the mix.

PRESIDENT OF ESTONIA 2012-06-08