BayNewsletter_2

Bay Newsletter new1.pmd, 14/3/2551, 9:59


EDITOR'S NOTE & NEWS UPDATE


To comply with the Computer Crime Act B.E. 2550 (2007), a great number of organizations are now trying to acquire the perfect solution that will help them store computer traffic data. But one question they really would like answered is "How are we going to measure the Return on Investment (ROI) for this solution?" To answer this with a simple statistical value or profit figure is not enough, and it is not what the solution is all about. Instead, it is more about social responsibility, reputation and compliance with the Act. On the other hand, if they look at the value of implementing Security Information & Event Management (SIEM), they will see tangible outcomes. This is because the system provides threat reports and notifies of possible attacks, so organizations can reduce network administration and monitoring tasks as well as develop their network systems in the most effective way. At the moment, organizations are looking for a solution to comply with the Computer Crime Act, which may cause delays in other important projects. Therefore, in this issue, we pick up from the last one and provide more details on Data Leakage Protection solutions. Bay's Newsletter is published quarterly to provide knowledge on new computer technologies and trends. To confirm or cancel your subscription, please send your name, address and telephone number to info@baycoms.com.

Nida Tangwongsiri, General Manager


PatchLink is a leading network security and vulnerability management solution provider for corporate customers and has been ranked as one of the leaders in the patching and remediation market for three consecutive years. Furthermore, IDC reported that the market for information security management and risk analysis solutions will continue to expand until 2011, with an estimated 18.4% growth.

Khun Avirut Liangsiri, Enterprise Solution Manager of Bay Computing, gave an interview on data leakage trends and case studies in corporate networks to the IT for Executive radio show aired on Chula Radio (101.5 MHz), to provide knowledge on the risks of data leakage and protection against it, both inside and outside organizations.


Lumension Security announced that the US Department of Veterans Affairs had chosen the Sanctuary endpoint security solution to enforce its main and subsidiary policies and to control portable devices. Sanctuary Device Control is installed on 250,000 computers, including servers and laptops, to protect against data leakage and to control malware and unauthorized program installation.


Bay Computing, in collaboration with RSA, arranged the EMC RSA Computer Related Crime Act Seminar 2008 on February 19, 2008, demonstrating a log management system, Security Information & Event Management (SIEM) with RSA enVision, and examples of threat reports, possible-attack notification and network monitoring.

2 | Bay Computing Newsletter | Issue 2


SUCCESS STORY

PacketLogic

Krieangsak Pramepornviput, System Administrator, University of the Thai Chamber of Commerce


The problem that the University of the Thai Chamber of Commerce faced with its Internet system was insufficient bandwidth due to a growing number of users. To address this, the university analyzed its network traffic data and found that 80-90% of all traffic went to or from BitTorrent sites, which was not education-related and wasted network bandwidth. To limit the use of BitTorrent and preserve bandwidth for other purposes, the university tried various solutions, including router management software, without success. Finally, it brought in PacketLogic from Bay Computing, a bandwidth management system, installed between the firewall and the internal network. PacketLogic helps the university enforce its Internet usage policies, limit BitTorrent traffic, and get more value from its Internet connection. The system shows Internet usage in real time, so the university knows immediately if usage is abnormally high, for example because of malware or computer viruses, and can control the problem almost right away. Furthermore, the university can study past user behaviour and adjust its Internet system accordingly.
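The traffic analysis described above, as an added example that is not part of the original article and not PacketLogic's own code: a small Python classifier that labels constructed flow records by payload signature first and by port number second, computes each category's share of bytes, and derives a shaping decision from that share. The flow records, hosts and byte counts are made up for the example. The BitTorrent handshake prefix (byte 0x13 followed by "BitTorrent protocol") is the real client handshake, and matching on it is what lets the classifier catch a peer on a non-standard port such as 8080 that a port-only rule would miss.

```python
import re
from collections import defaultdict

# Constructed flow records (not real captures):
# (src, dst, proto, dst_port, bytes, first payload bytes as a DPI engine would see them)
FLOWS = [
    ("10.1.5.23", "203.0.113.9", "tcp", 6881, 48_000_000, b"\x13BitTorrent protocol"),
    ("10.1.5.23", "198.51.100.4", "tcp", 51413, 31_000_000, b"\x13BitTorrent protocol"),
    ("10.1.7.10", "192.0.2.80", "tcp", 80, 2_500_000, b"GET /index.html HTTP/1.1\r\n"),
    ("10.1.7.11", "192.0.2.81", "tcp", 443, 4_000_000, b"\x16\x03\x01"),
    ("10.1.9.2", "192.0.2.25", "tcp", 25, 300_000, b"EHLO mail.example\r\n"),
    ("10.1.5.40", "203.0.113.77", "tcp", 8080, 19_000_000, b"\x13BitTorrent protocol"),
    ("10.1.6.5", "192.0.2.53", "udp", 53, 20_000, b"\x00\x01\x01\x00"),
]

BT_HANDSHAKE = b"\x13BitTorrent protocol"   # real BitTorrent peer handshake prefix
HTTP_METHODS = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) ")

def classify(flow):
    """Label a flow. Payload signatures come first; port numbers are only a
    fallback, because BitTorrent clients routinely move off 6881-6999."""
    _src, _dst, proto, dport, _nbytes, payload = flow
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if HTTP_METHODS.match(payload):
        return "http"
    if proto == "tcp" and dport == 443 and payload.startswith(b"\x16\x03"):
        return "https"          # TLS record header on the HTTPS port
    if proto == "tcp" and dport == 25:
        return "smtp"
    if proto == "udp" and dport == 53:
        return "dns"
    if proto == "tcp" and 6881 <= dport <= 6999:
        return "bittorrent"     # port-only fallback when no payload is visible
    return "other"

def traffic_share(flows):
    """Return {category: fraction of total bytes}, the figure the university
    looked at to discover that most bandwidth went to BitTorrent."""
    by_cat = defaultdict(int)
    for f in flows:
        by_cat[classify(f)] += f[4]
    total = sum(by_cat.values())
    return {cat: nbytes / total for cat, nbytes in by_cat.items()}

def shaping_policy(flows, cap_fraction=0.10):
    """Decide per category: anything not on the allow-list that consumes more
    than cap_fraction of total bytes gets rate-limited."""
    allowed = {"http", "https", "smtp", "dns"}
    return {cat: ("limit" if cat not in allowed and frac > cap_fraction else "allow")
            for cat, frac in traffic_share(flows).items()}

if __name__ == "__main__":
    for cat, frac in sorted(traffic_share(FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{cat:12s} {frac:6.1%}")
    print(shaping_policy(FLOWS))
```

On this sample the BitTorrent share is about 93%, in line with the 80-90% the university measured, and the 8080 flow is counted only because of the handshake signature.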



COVER STORY

Data Leakage and its impact on business

By Avirut Liangsiri, Enterprise Solution Manager/Senior Security Consultant, and Pramote Uthayochat, Security Engineer, Bay Computing Co., Ltd.


It is reported that 68 percent of organizations experience six losses of sensitive data annually, while another 22 percent encounter more than 22 data-leak incidents per year. What's more, 75 percent of Fortune 1000 companies have fallen victim to accidental or malicious data leakage. Data leakage is a very common problem in IT; it is an accident waiting to happen. Organizational data loss occurs daily through common channels such as e-mail, for example sending a message to an unintended recipient or to someone with the same name at a different company. The level of impact when a message is disclosed depends on the sensitivity of its contents.


Identity theft is a crime involving the illegal use of another individual's identity by criminal organizations or hackers, and it has become one of the fastest-growing crimes. Laws and standards have been issued in response; one example is PCI (the Payment Card Industry standard), a collaborative effort by Visa, MasterCard and other credit card associations to safeguard customer information by requiring financial institutions to meet certain minimum standards. Furthermore, Australia has a new law that punishes service providers who fail to safeguard their customers' information.

Examples of case studies

In 2005, Australia's Westpac was banned from trading on the stock market for one day as a punishment because one of its employees accidentally sent an Excel file containing the annual financial report and profit figures to a financial analyst. This violated the rule that a company must report its profit publicly before disclosing the profit report to anyone.

In January 2006, more than 240,000 subscribers of the Boston Globe and the Worcester Telegram & Gazette were shocked to find their credit card data printed on the back of routing slips, because the slips had been printed on reused paper.

In March 2006, a computer hard disk containing top-secret U.S. military data was sold at a second-hand market in Afghanistan for 20 U.S. dollars. The disk contained personal e-mails, military records naming the soldiers trained in the nuclear, biological and chemical weapons program, and intelligence reports and sources in Afghanistan.

In September 2006, TD Ameritrade, an online brokerage, suffered a data breach stemming from unauthorized code that allowed hackers to access customers' names, e-mail addresses, home addresses and telephone numbers.

In February 2007, DuPont, a large chemical company, sued a former employee who had downloaded more than 22,000 confidential documents and taken them to a competitor after working for DuPont for 10 years.

In March 2007, in Carson City, Nevada, unknown hackers installed a keylogger on the city treasurer's computer and captured user names and passwords. They used this access to reach online savings accounts and stole 450,000 U.S. dollars.

Causes and solutions

Based on research conducted by CSI/FBI in 2006, 74% of financial losses were caused by virus attacks, unauthorized network access, stolen laptops and portable devices, and intellectual property violations. 53% of the people surveyed did not know what they had kept on their USB thumb drive before it was stolen, and 98% of data-leakage incidents were caused by accidents or plain carelessness.

Data leakage is most commonly caused by malware, because new threats appear every day and security vendors cannot create protection against every virus, worm and Trojan in time. The House of Lords in England recently released a document stating that, according to a study of underground traffic data, 6,200 new viruses are discovered every day, of which only 28% can be detected and quarantined by anti-virus software; one month later the figure rises to 70%.

Malware is also becoming more sophisticated. For example, Stratio, Stration and Warezov are new worms that update themselves every 30 minutes to hide from anti-virus software. Other tricks include the use of eVade o'Matic, which modifies a virus to reduce its detection rate to 10% without harming its capabilities.

In addition, hackers compete with one another to find vulnerabilities in operating systems and applications using fuzzing tools; more than 50% of the vulnerabilities found this way are in web applications. Hackers exploit them to attack systems and reach internal data for financial and personal gain.

Proper protection against data leakage requires setting up:

- Data classification
- A policy to manage data according to user responsibilities and types of data
- Identity management
- A policy for change control management and document management
- A policy for responding to data leakage
- A policy for regular data discovery
- A policy to prevent data leakage at two levels: the desktop, by preventing users from copying data to portable devices; and the gateway (Web, e-mail, FTP, instant messaging), by inspecting data uploaded via Web or FTP or sent through e-mail and instant messaging such as MSN Messenger or Yahoo Messenger

Bay Computing has tested Sanctuary Device Control (SDC), a solution that prevents data leakage at the desktop level and is used by more than 2,000,000 users in 1,700 organizations worldwide. The solution is summarized below.

Sanctuary Device Control secures endpoints and eliminates data loss through I/O devices such as USB removable storage, CD-RW, DVD-RW, wireless and LAN adapters, and so on. Administrators can link device policies to users, user groups and computers easily and flexibly, and enforcement can be specified in detail: for example, read/write permission for different file types, a usage period for each device, and separate permissions for online and offline use. Wireless connections and modems can be disabled in the office and enabled when users work from home.

Features

1. File access filter that reads file contents. Even if a file has been renamed or its extension changed, the system still recognizes its real type. This sets Sanctuary apart from competitors that check only the file extension: if a user changes the extension, those systems no longer detect the file.
2. Policy permissions for users, groups and computers, organized by directory
3. Shadow file: a copy of files written to a device (file names only, or names and contents) is kept for auditing
4. Device encryption using AES-256
5. Easy-to-read logs with ready-made templates that can be configured and customized, showing when users read and modify files stored on devices
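To show why feature 1 matters, here is an added example in Python, not Sanctuary's code and not from the original article, that classifies a file by its leading bytes instead of by its extension. The signatures are the real on-disk magic numbers of PDF, legacy Office (OLE2), ZIP/OOXML, RAR, JPEG, PNG and MP3 files. The export policy (block documents and archives, allow entertainment files) and the sample files are assumptions constructed for the example.

```python
import os

# Real on-disk signatures ("magic numbers") for the file classes the text mentions.
SIGNATURES = [
    (b"%PDF-", "document/pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "document/ms-office-legacy"),  # OLE2 .doc/.xls/.ppt
    (b"PK\x03\x04", "archive/zip"),          # also the .docx/.xlsx/.pptx container
    (b"Rar!\x1a\x07", "archive/rar"),
    (b"\xff\xd8\xff", "entertainment/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "entertainment/png"),
    (b"ID3", "entertainment/mp3"),
]

# Assumed export policy for this example (not the product's defaults):
# documents and archives may not be written to removable media.
BLOCKED_PREFIXES = ("document/", "archive/")

EXT_MAP = {".pdf": "document/pdf", ".doc": "document/ms-office-legacy",
           ".docx": "archive/zip", ".zip": "archive/zip", ".rar": "archive/rar",
           ".jpg": "entertainment/jpeg", ".png": "entertainment/png",
           ".mp3": "entertainment/mp3", ".txt": "text/plain"}

# Constructed sample files: a .docx container renamed to .txt, a plain text file,
# and a JPEG. The bytes are truncated headers, enough for the signature check.
SAMPLES = [
    ("q4-forecast.txt", b"PK\x03\x04\x14\x00\x06\x00\x08\x00" + b"\x00" * 22),
    ("readme.txt", b"Nothing sensitive here.\n"),
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8),
]

def class_by_extension(name):
    """The weak check: trust whatever the file is called."""
    return EXT_MAP.get(os.path.splitext(name)[1].lower(), "unknown")

def class_by_content(data):
    """The strong check: look at the bytes; renaming does not change them."""
    for magic, cls in SIGNATURES:
        if data.startswith(magic):
            return cls
    head = data[:512]
    return "text/plain" if head and all(b < 0x80 for b in head) else "unknown"

def export_decision(name, data):
    """Return (allowed, content_class, extension_class) for a write to removable
    media. Only the content class drives the decision."""
    content_cls = class_by_content(data)
    ext_cls = class_by_extension(name)
    allowed = not content_cls.startswith(BLOCKED_PREFIXES)
    return allowed, content_cls, ext_cls

def audit(files):
    """Names of files whose extension disagrees with their content: the
    renaming trick an extension-only filter would fall for."""
    return [name for name, data in files
            if class_by_extension(name) != class_by_content(data)]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, export_decision(name, data))
    print("mismatched:", audit(SAMPLES))
```

The renamed spreadsheet is blocked because its bytes say ZIP container, even though its name says plain text; a product that checked only the extension would let it through.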

Screenshots (captions from the original page):

I/O device management: the various device types supported by Sanctuary, together with program status and licenses.

Explorer menu: manage devices, for example adding a device connected to a client without having to search the logs.

Example of a client device search.

Device permissions are assigned by right-clicking a device and selecting a permission type:

- Add/Modify Permissions: main permissions
- Add/Modify Online Permissions: permissions while the client is connected to the server
- Add/Modify Offline Permissions: permissions while the client cannot connect to the server
- Add Schedule: define the period during which a device may be used
- Add Temporary Permissions: grant temporary device access (can be issued offline and pushed to the client as an update)
- Add Shadow: create shadow files (file names only, or names and contents)
- Add Copy Limit: limit the amount of data copied per day
- Add Event Notification: send notifications to clients

Available permissions are Read, Write, Encrypt, Decrypt, Export to file, Export to media, and Import.

The file filter can be set by file type, for example Microsoft Office files, archive files, entertainment files (pictures, music, etc.) and other file types.

Logs record which user read or modified which file, when, and through which device.

Sanctuary is a world-class data leakage protection and control system with far more features than can be described here. It is useful for every type of organization, especially those with a wide variety of users. For further information, please contact Bay Computing, tel. 0-2962-2223.



SOLUTION UPDATE

PatchLink and VMS (Vulnerability Management Solution)

By Chaivit Pongjaroenchai, Senior System Engineer, Bay Computing Co., Ltd.

To support business growth, many organizations have expanded their networks and the number of computers in them, bringing in new technologies to gain speed, competitive advantage and leadership in their field. With a large number of computers and a complex network, it is difficult to manage the risk resulting from software vulnerabilities. A Vulnerability Management (VM) system is used to manage that risk proactively and in real time: it scans for security holes and notifies system administrators so they can remediate, for example by patching, before a cracker, virus or malware can exploit them.

With many computers in a network, it is hard for administrators to patch each machine by hand and keep up with the new vulnerabilities discovered daily. With the Patch Management that comes with VM, patches are distributed and installed on many machines simultaneously within a short time, using only two or three IT staff.

A Vulnerability Management Solution (VMS) integrates Vulnerability Management (VM) with Patch Management, so administrators can detect vulnerabilities and manage patches easily from one place. Only a few good VMS products are on the market; Lumension positions itself as the only vendor offering a full-service VMS. It contains:

- PatchLink Scan, the vulnerability management component, with the most extensive and up-to-date vulnerability set, certified to Common Criteria EAL2.
- PatchLink Update, the patch management component, well known for many years. With the cooperation of software vendors across the industry, PatchLink Update was the first, and remains a leader, in delivering vendor patches quickly and effectively.
- PatchLink Security Management Console, which runs both VM and Patch Management in the same console so users can reach both quickly and easily.

This combination of VM and Patch Management gives a vulnerability and patch database that is comprehensive and widely recognized by many organizations. Lumension's VM is also easy to use: an automatic mechanism groups related vulnerabilities together and maps the appropriate remedial patches from each software vendor to them. This is why Lumension's VMS is considered more effective than other VM products and is used by organizations that need high levels of security, such as NASA and the U.S. Department of Defense.

Lumension's Vulnerability Management features include:

- SafeScan: scans the system without interrupting other parts of the network
- Auto Updating: on-demand scans that can be scheduled daily, weekly or monthly
- Adaptive Scanning: set the type of scan and control user access levels
- Accurate Identification and Remediation: monitor vulnerabilities and accurately identify the remedial patches
- Comprehensive and Compliance Report: create and display standard or customized reports
- Remediation Recommendations: advise which patches address the detected vulnerabilities, for the administrator's consideration
- Comprehensive Coverage: find and identify vulnerabilities in network devices such as routers, switches and printers

If your company is looking for a solution with "scan and patch" capability in one system, Lumension's Vulnerability Management Solution is the tool that helps you achieve it, letting you manage and control the risks arising from current system vulnerabilities.
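The grouping and mapping step described above, as an added example that is neither Lumension's code nor part of the original article: a Python routine that takes constructed scanner findings and a constructed patch catalogue (hypothetical VULN-n and PATCH-x identifiers, not real advisories), resolves patch supersedence so each host gets the newest patch per product, flags findings that no patch covers, and then groups hosts per patch so one job can install it everywhere at once. Products, hosts and identifiers are all assumptions.

```python
from collections import defaultdict

# Constructed patch catalogue with hypothetical identifiers (not real vendor advisories).
# A patch fixes a set of findings for one product and may supersede an older patch.
PATCHES = {
    "PATCH-A-101": {"product": "webserverd", "fixes": {"VULN-1", "VULN-2"}, "supersedes": set()},
    "PATCH-A-102": {"product": "webserverd", "fixes": {"VULN-3"}, "supersedes": {"PATCH-A-101"}},
    "PATCH-B-007": {"product": "officesuite", "fixes": {"VULN-9"}, "supersedes": set()},
}

# Constructed scanner output: hypothetical finding IDs per host.
SCAN = {
    "srv-web-01": {"VULN-1", "VULN-3"},
    "srv-web-02": {"VULN-2"},
    "pc-fin-17": {"VULN-9", "VULN-1"},
    "pc-hr-03": {"VULN-42"},           # no patch in the catalogue
}

def patches_for(finding):
    """All patches whose own fix list names this finding."""
    return [pid for pid, p in PATCHES.items() if finding in p["fixes"]]

def effective_fixes(pid):
    """A superseding patch carries every fix of the patches it replaces."""
    p = PATCHES[pid]
    fixes = set(p["fixes"])
    for old in p["supersedes"]:
        fixes |= effective_fixes(old)
    return fixes

def remediation_plan(scan):
    """For each host pick the minimal patch set: one patch per product, always
    the newest (superseding) one, plus the findings that no patch covers.
    Supersedence is resolved one step deep, enough for this catalogue."""
    plan = {}
    for host, findings in scan.items():
        chosen = {}           # product -> patch id
        unfixed = set()
        for f in findings:
            cands = patches_for(f)
            if not cands:
                unfixed.add(f)
                continue
            for pid in cands:
                prod = PATCHES[pid]["product"]
                cur = chosen.get(prod)
                if cur is None or cur in PATCHES[pid]["supersedes"]:
                    chosen[prod] = pid    # newer patch replaces the earlier choice
        covered = set()
        for pid in chosen.values():
            covered |= effective_fixes(pid)
        unfixed |= findings - covered     # anything the chosen patches still miss
        plan[host] = {"patches": sorted(chosen.values()), "unfixed": sorted(unfixed)}
    return plan

def rollout_groups(plan):
    """Invert the plan: which hosts need each patch, for a single simultaneous job."""
    groups = defaultdict(list)
    for host, entry in plan.items():
        for pid in entry["patches"]:
            groups[pid].append(host)
    return {pid: sorted(hosts) for pid, hosts in groups.items()}

if __name__ == "__main__":
    plan = remediation_plan(SCAN)
    for host, entry in plan.items():
        print(host, entry)
    print(rollout_groups(plan))
```

Note that srv-web-01 receives only PATCH-A-102, because it supersedes PATCH-A-101 and therefore also closes VULN-1; the unfixed list for pc-hr-03 is the kind of item the "Remediation Recommendations" report would hand to an administrator for manual follow-up.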



SOLUTION UPDATE

SIEM - Log data analysis at its best

By Tada Kijmartsuvun, CISSP, CISA, CCSP, Security+, and Kong Chantem, Engineer, Bay Computing Co., Ltd.


These days network connections are available almost everywhere, which accelerates communication between computers and people. However, networks need controls and security systems in place to protect them from harm. Network security changes very fast because of new damaging threats, such as virus attacks that affect every computer on the network, so networks must rely on additional devices to detect irregular activity and respond to security incidents. Moreover, the new Computer Crime Act B.E. 2550 forces many organizations to manage system security and monitor security incidents more closely than before. To comply with the Act, they must keep their traffic data logs for analysis, and for a large organization this can cost millions. They also have to invest time in studying the technology and implementing it.

In practice, however, such a system brings little value to daily operations when it lacks log normalization, correlation, analysis and reporting tools, which makes some organizations reluctant to invest. Yet these logs are all useful at some point. Organizations should know how to retain log data in a form that supports analysis, real-time correlation and reporting, all of which benefit business operations. Furthermore, a SIEM can help handle the alerts and events that occur millions of times per day, filtering and prioritizing them so that a proper incident response can be carried out. In this newsletter we present a study of SIEM utilization.

SIEM (Security Information and Event Management) is the latest technology that combines SIM (Security Information Management) and SEM (Security Event Management). SIM is a data analysis system used to create management and audit reports and to measure compliance with standards such as ISO 17799/27001, SOX, Basel II and PCI. SEM is a log retention and analysis system used to collect and examine unusual activity in the network or in application systems.

Log data is an invaluable resource for computer forensics and can also be used as evidence in legal proceedings. Log retention is also useful for internal auditing and for producing the reports required by the Act and by internal procedures.

For a SIEM to work effectively, it has to integrate with other security devices. Integration with firewalls, IDS sensors, user identity systems such as AAA, LDAP and AD, and vulnerability scan data makes the system most effective at responding properly to security incidents.

A SIEM consists of:

1. Log Consolidation: central log retention with encryption, authentication and compression, using a specialized database, and able to collect data from any network device.
2. Threat Correlation: an artificial-intelligence component that examines log data for possible attacks in real time.
3. Incident Management: a workflow system that responds to detected threats, with
   - Notification by e-mail, SMS or pager, or forwarding to an enterprise manager such as MOM or HP OpenView
   - Trouble ticket creation, working with call-center applications such as Remedy
   - Automated responses triggered by running scripts
   - Response and remediation logging
4. Reporting: monitor and check events against all policies, such as security policies and change management (including configuration-change logs), for standards compliance, efficiency improvement and computer forensics.

RSA enVision features (screenshots in the original): Enterprise Dashboard; Dashboard; Event Explorer, which lets the system administrator monitor events more clearly and flexibly.

Source: A Practical Application of SIM/SEM/SIEM Automating Threat Identification, SANS Institute.
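The normalization and correlation steps described above, as an added example that is neither RSA enVision code nor part of the original article: a Python sketch that parses constructed firewall and sshd log lines (made up for the example, using documentation-range addresses) into one common event schema, applies a brute-force rule over a time window, and raises the alert severity when constructed vulnerability-scan data already flags the target host. The log formats, host map and scan data are assumptions; the technique is the normalize-then-correlate pipeline the text describes.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines in two different source formats (not real device output).
RAW_LOGS = [
    "2008-02-19T09:00:01 fw01 DENY tcp 203.0.113.5:41234 -> 10.0.0.15:22",
    "2008-02-19T09:00:05 fw01 ALLOW tcp 203.0.113.5:41235 -> 10.0.0.15:22",
    "Feb 19 09:00:06 srv15 sshd[812]: Failed password for admin from 203.0.113.5 port 41235 ssh2",
    "Feb 19 09:00:09 srv15 sshd[812]: Failed password for admin from 203.0.113.5 port 41236 ssh2",
    "Feb 19 09:00:12 srv15 sshd[812]: Failed password for admin from 203.0.113.5 port 41237 ssh2",
    "Feb 19 09:00:15 srv15 sshd[812]: Failed password for admin from 203.0.113.5 port 41238 ssh2",
    "Feb 19 09:00:20 srv15 sshd[813]: Accepted password for admin from 203.0.113.5 port 41239 ssh2",
    "Feb 19 09:30:00 srv15 sshd[900]: Failed password for bob from 10.0.0.77 port 50001 ssh2",
]
# Constructed context a SIEM pulls in from the vulnerability scanner and asset list.
VULN_SCAN = {"10.0.0.15": {"outdated-ssh-daemon"}}
HOSTS = {"srv15": "10.0.0.15"}

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
SSH_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) sshd\[\d+\]: "
                    r"(Failed|Accepted) password for (\S+) from ([\d.]+)")

def normalize(line, year=2008):
    """Map a raw line from either device onto one event schema. Syslog lines
    carry no year, so the collector supplies it."""
    m = FW_RE.match(line)
    if m:
        ts, dev, action, _proto, src, dst, _dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "type": "fw_" + action.lower(), "user": None, "dev": dev}
    m = SSH_RE.match(line)
    if m:
        ts, host, result, user, src = m.groups()
        return {"ts": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
                "src": src, "dst": HOSTS.get(host, host),
                "type": "auth_fail" if result == "Failed" else "auth_ok",
                "user": user, "dev": host}
    return None   # unknown format: would go to a parse-failure queue in a real SIEM

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logins from one source to one host inside
    `window`, followed by a success, is a probable brute-force compromise.
    Severity is raised when the scanner already flagged the target as vulnerable."""
    alerts = []
    fails = defaultdict(list)     # (src, dst) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["type"] == "auth_fail":
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= window] + [ev["ts"]]
        elif ev["type"] == "auth_ok" and len(fails[key]) >= threshold:
            sev = "high" if VULN_SCAN.get(ev["dst"]) else "medium"
            alerts.append({"rule": "brute_force_success", "src": ev["src"], "dst": ev["dst"],
                           "user": ev["user"], "failures": len(fails[key]), "severity": sev})
            fails[key] = []
    return alerts

def run(lines):
    """Normalize every line, then correlate; returns (events, alerts)."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return events, correlate(events)

if __name__ == "__main__":
    events, alerts = run(RAW_LOGS)
    print(Counter(e["type"] for e in events))   # the volume a filter would prioritize
    for a in alerts:
        print(a)
```

Eight raw lines in two formats collapse into one prioritized alert: four failures then a success from 203.0.113.5 against 10.0.0.15, rated high because the scan data says that host runs an outdated SSH daemon. The single failure for bob never reaches the threshold and produces nothing, which is the filtering the text refers to.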
