
1

We all know the security market has changed. There are more threats than ever before.

DigiNotar went bankrupt.

Why?
DigiNotar was a Dutch certificate authority owned by VASCO Data Security International.[1]
On September 3, 2011, after it had become clear that a security breach had resulted in the
fraudulent issuing of certificates, the Dutch government took over operational
management of DigiNotar's systems.[2] That same month, the company was declared
bankrupt.
Hundreds of fraudulent certificates had been issued (the Fox-IT investigation counted 531).
The attackers breached the perimeter using malware.
They then moved laterally through the network to find servers holding privileged account names.
They used Cain & Abel to brute-force passwords and ultimately obtained privileged credentials.
They used a SQL injection attack to retrieve CA details.
The certificates were then passed on to others, who used them to set up phony websites that
looked like the real ones, to make money, steal identities, and so on.
ArcSight could have caught this chain while it was still unfolding. Each step left its own
trace: the perimeter breach, the spike in failed logins, the unusual logins (after hours and
from Iran), and the SQL injection attempts. Seen individually they are noise; correlated in
sequence they are unmistakable.
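The correlation the notes describe, written out as an added example (this is not ArcSight content or an ArcSight rule, and the log format, thresholds, business hours, expected geography and every host, user and address are assumptions constructed for the illustration). Four single-stage rules fire on the perimeter malware alert, the burst of failed logons, the after-hours login from an unexpected country and the SQL-injection request; a chain rule then checks that all four were seen in order within a window and raises one critical alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample events, one per line as "timestamp|source|key=value ...".
# Hosts, users, times and the geo= enrichment are invented for the example;
# 203.0.113.0/24 is an RFC 5737 documentation range.
SAMPLE_LOG = "\n".join(
    ["2011-06-17T09:12:01|av|host=ws-12 event=malware_detected name=Trojan.Downloader action=quarantine_failed"]
    + [f"2011-06-17T22:41:{s:02d}|ad|host=dc-01 event=logon_failure user=svc_backup src=10.0.5.17"
       for s in range(12)]
    + ["2011-06-17T23:05:10|vpn|event=logon_success user=svc_backup src=203.0.113.45 geo=IR",
       "2011-06-18T01:14:55|web|host=ca-web event=http_request src=203.0.113.45 "
       "uri=/cert.php?id=1'%20UNION%20SELECT%20name,pass%20FROM%20users--",
       "2011-06-18T08:30:00|ad|host=dc-01 event=logon_success user=alice src=10.0.7.3 geo=NL"]
)

# Tunables (assumed values for the example, not ArcSight defaults).
BUSINESS_HOURS = range(7, 20)                 # 07:00-19:59 local time
EXPECTED_GEO = {"NL"}                         # where the CA's administrators actually sit
BRUTE_FORCE_THRESHOLD = 10                    # failures per (user, source) ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)    # ... inside this sliding window
CHAIN_WINDOW = timedelta(hours=72)            # maximum span of the whole chain
SQLI_RE = re.compile(r"'\s*(or|union)\b|union\s+select|;\s*drop\b|--\s*$", re.I)
STAGES = ("malware", "brute_force", "unusual_login", "sqli")


def parse_event(line):
    """Split one log line into a dict of fields, with ts as a datetime."""
    ts, source, rest = line.split("|", 2)
    fields = {"ts": datetime.fromisoformat(ts), "source": source}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def correlate(log_text):
    """Run the four single-stage rules over the log; return the hits per stage."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    hits = defaultdict(list)
    failures = defaultdict(deque)       # (user, src) -> failure timestamps in window
    for e in events:
        kind = e.get("event")
        if kind == "malware_detected":
            hits["malware"].append(e)
        elif kind == "logon_failure":
            window = failures[(e.get("user"), e.get("src"))]
            window.append(e["ts"])
            while e["ts"] - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()
            if len(window) == BRUTE_FORCE_THRESHOLD:   # fire once, when the threshold is crossed
                hits["brute_force"].append(e)
        elif kind == "logon_success":
            reasons = []
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append("after_hours")
            if e.get("geo") and e["geo"] not in EXPECTED_GEO:
                reasons.append("geo=" + e["geo"])
            if reasons:
                hits["unusual_login"].append({**e, "reasons": reasons})
        elif kind == "http_request" and SQLI_RE.search(unquote(e.get("uri", ""))):
            hits["sqli"].append(e)
    return hits


def kill_chain(hits):
    """Chain rule: every stage seen, in order, within CHAIN_WINDOW -> one alert."""
    chosen, cursor = {}, None
    for stage in STAGES:
        cand = next((h for h in hits.get(stage, [])
                     if cursor is None or h["ts"] >= cursor), None)
        if cand is None:
            return None
        chosen[stage], cursor = cand, cand["ts"]
    span = chosen["sqli"]["ts"] - chosen["malware"]["ts"]
    if span > CHAIN_WINDOW:
        return None
    return {"severity": "critical",
            "src": chosen["sqli"]["src"],
            "user": chosen["unusual_login"]["user"],
            "span_hours": round(span.total_seconds() / 3600, 1),
            "timeline": [(s, chosen[s]["ts"].isoformat()) for s in STAGES]}


if __name__ == "__main__":
    print(kill_chain(correlate(SAMPLE_LOG)))
```

The point of the chain rule is that none of the four stages is worth a 3 a.m. phone call on its own (quarantine failures and bad passwords happen daily), but an ordered sequence from the same account and source within three days is. A real deployment would also key the brute-force and SQLi stages to the same source or account as the unusual login rather than, as here, simply taking the first hit after the previous stage.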

Cyber-crime is on the rise and the rewards for cyber-criminals are greater than ever
Likewise, the impact on corporations is greater than ever
In the news: Sony PlayStation, Epsilon, Citigroup
The new cyber-criminals are well funded, coordinated, and more sophisticated
Organized crime
Nation-state sponsored
Political hacktivists
Clearly, the traditional approach is not working

(Translated from the German notes)
Cyber-crime is on the rise and the profit for criminals has never been greater
Likewise, the pressure on companies has never been greater
We see companies such as Sony, Citigroup, RSA and others in the headlines, apparently
hunted down and picked off by a pack
Internet criminals are well equipped both financially and technically, and with every
crisis more well-trained people become available to them
We face organized crime as well as state-sponsored attacks and politically motivated attacks
It is obvious that the approach taken so far has failed and does not work this way

Customers struggle to manage the security challenge

Nature & motivation of attacks
(fame & fortune, hacker nations)
Attacks motivated by the information marketplace create a broader threat landscape:
"I will attack anything of value that's weaker than the peer group, because I know I can
sell it somewhere."

Explosion of attack surface: burgeoning IT complexity driven by demand for service
delivery and diverse devices
Transformation of enterprise IT
(mobility, cloud, information, social)

Regulatory pressures
(increasing cost and complexity)
Government-imposed compliance requirements
Using compliance to define your security strategy sets a low bar, the last place
you want to be in this environment

Applications: SDLC, testing, Fortify, WAF, vulnerability scans
Systems: OS patching, Opsware automation, vulnerability scans
Risk mapping: EnterpriseView, ArcSight
Visibility: EnterpriseView, ArcSight, TippingPoint, DVLabs
Blocking: TippingPoint, DVLabs
Internally: ArcSight, Autonomy, Atalla
Externally: ArcSight, Autonomy, Atalla

Your security effectiveness is only as good as the security research behind it, and DVLabs
has been the industry leader for years. In addition to our own in-house security
researchers, DVLabs manages the Zero Day Initiative (ZDI), a global organization of
researchers constantly looking for new application vulnerabilities:

1,500+ researchers registered

Typical profile: male, teen to mid-twenties, hobbyist

3,400+ zero-day vulnerabilities submitted by these researchers

1,100+ zero-day vulnerabilities purchased (over 30% of submissions)

Plus, over 2,000 customers leverage and contribute information to our ThreatLinQ security
portal. ThreatLinQ houses up-to-the-minute security information from around the globe
that customers can access 24 hours a day, 7 days a week.
We also partner with other leading research organizations such as SANS, CERT and NIST to
consolidate security intelligence, resulting in the most advanced intelligence network
anywhere in the world.

10

We package our software to meet the needs of our customers, recognizing that everyone's
starting place and journey may be different.
In 2011 HP pioneered the idea of the world's first Performance System for IT, the IT
Performance Suite. In just 12 months, HP's IT Performance Suite has helped IT departments
improve the performance of IT outcomes while lowering costs and increasing business
alignment.
With the acquisitions of Autonomy, ArcSight and Vertica we are now able to offer
performance systems tailored to the needs of Security, Legal and Marketing professionals, to
ensure that no matter what, your applications and information work for you.
These HP Performance Systems combine HP software and expertise to develop and run the
best applications and deliver insight in real time from 100% of your information, all while
ensuring your IT assets are secure, reliable and compliant.
All supported by the industry leader in customer satisfaction for enterprise software as well as
a global partner ecosystem.
And we're proud to have a portfolio that is open and flexible, enabling you to run our software in
diverse environments, on your infrastructure or in the cloud, easily integrating with your systems
and data sources, all while taking advantage of some of the most innovative computer science
and mathematics breakthroughs, covered by over 2,000 patents and patents pending.

11

12

Fortify gives you advanced technologies to ensure your applications are secure. Fortify
inspects applications at the source code level (static testing) and while they are running
(dynamic testing). Fortify supports more languages than any other application security
vendor, with significant strengths in the area of mobile application security. But it's not
just built for custom applications: Fortify can determine whether vulnerabilities exist in
commercial, custom and open-source components alike. And, even more differentiated, Fortify can
be delivered as software you purchase or as a service. With unmatched flexibility and
depth of coverage, Fortify ensures you have a world-class application security program in
place.

13

The ArcSight solution gives you the ability to collect information from any device, any time,
anywhere, to ensure you have complete enterprise security visibility. What's more,
ArcSight is supported by the CORR Engine, which delivers industry-leading
correlation speeds with significantly lower storage requirements than prior versions.
The ArcSight solution allows you to capture logs, correlate events, monitor applications,
check for fraud, and manage users and controls.
Focused on turning information into intelligence, the ArcSight solution stands apart in the
industry.

14

15

WebAppDV: scan a web application for vulnerabilities; based on the results, custom
signatures or filters can be created to protect the web application by blocking the
traffic passing through that is trying to exploit the vulnerability.
Good for in-house applications, where the code cannot always be fixed on the day the scan finds the problem.
It's a service.
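What "a filter created from the scan result" looks like in practice, as an added example (this is not WebAppDV or TippingPoint code, whose filter format is proprietary; the finding format, the two vulnerable endpoints and the request samples are constructed for the illustration). Each scanner finding becomes a filter scoped to exactly the path and parameter the scan proved exploitable. Where the application's expected value shape is known (a numeric product id) the filter is an allow-list; otherwise it falls back to a deny-list of attack tokens for that vulnerability class.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed scanner findings in an assumed format; a real WebAppDV report is
# vendor-specific. Each names the path and parameter the scan proved exploitable
# and, when known, the shape of value the application actually expects there.
FINDINGS = [
    {"id": "F-1", "path": "/product", "param": "id", "class": "sqli", "expected": r"\d{1,9}"},
    {"id": "F-2", "path": "/search", "param": "q", "class": "xss", "expected": None},
]

# Negative signatures, used only when no positive model of the value exists.
DENY_PATTERNS = {
    "sqli": re.compile(r"['\";]|--|\bunion\b|\bselect\b|\bor\s+\d+\s*=\s*\d+", re.I),
    "xss": re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.I),
}


def build_filters(findings):
    """Turn each finding into a scoped filter: prefer an allow-list of the
    expected value shape, fall back to a deny-list for the vulnerability class."""
    filters = []
    for f in findings:
        if f["expected"]:
            mode, regex = "allow", re.compile(rf"(?:{f['expected']})")
        else:
            mode, regex = "deny", DENY_PATTERNS[f["class"]]
        filters.append({"id": f["id"], "path": f["path"], "param": f["param"],
                        "mode": mode, "re": regex})
    return filters


def inspect(url, filters, body=""):
    """Return ("allow", None) or ("block", finding_id) for one request.
    Query-string and form-body parameters are decoded once and checked together."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    for flt in filters:
        if parts.path != flt["path"]:
            continue                        # the filter is scoped to the vulnerable path
        for value in params.get(flt["param"], []):
            if flt["mode"] == "allow" and not flt["re"].fullmatch(value):
                return "block", flt["id"]
            if flt["mode"] == "deny" and flt["re"].search(value):
                return "block", flt["id"]
    return "allow", None


if __name__ == "__main__":
    flts = build_filters(FINDINGS)
    for req in ("/product?id=42", "/product?id=42%27%20OR%201%3D1--",
                "/search?q=red+shoes", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"):
        print(req, "->", inspect(req, flts))
```

Two properties of this kind of virtual patch are worth knowing before relying on it. It only covers what the scan found: a parameter the scanner never exercised passes untouched, so the filter is a stopgap for the finding, not a replacement for fixing the code. And the allow-list form is far more robust than the deny-list form: a double-encoded payload (`%253C` decoded once to `%3C`) slips past the XSS deny-list, while anything that is not a plain integer is rejected by the product-id allow-list no matter how it is encoded.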

16

17

18

19

20

21

Adversaries collaborate with each other.

They form groups, specialize in different functions, share tools, and share both their attack
attempts and their successes among themselves.
So why don't companies collaborate too? Effectively telling your neighbours that you
have been attacked, by whom, and how they did it.
Of course you can maintain your privacy and remain anonymous in your threat exchange.

22

Slide 22, comment A1:
Philippa, this is Deb. Tomas says, "this is an image pulled from the Internet and may be copyrighted.
Philippa, could you put in some kind of image similar to this suggesting a hacking activity, but something
aesthetically pleasing?"
Author, 03/02/2014

The intelligence that comes into TC is normalized so that the relevant data, such as IP addresses
and file hashes, can be isolated and distributed to companies to feed, for example, their
ArcSight SIEM and TippingPoint devices.

23

24

25

Three companies. All three have different products and security profiles. Company A detects a new
zero-day and shares it with Threat Central. Companies B and C both receive an event
with the actionable indicators from Company A's submission.
Company B detects a malware variant that has not been seen at Company A or C, and shares that.
And so on.

26

STIX is a collaborative, community-driven effort to define and develop a
standardized language to represent structured cyber threat information.

HP has Threat Central, which is a Security Intelligence Platform.

Intelligence is sent to TC through various intelligence feeds, including HP Security
Research. Examples of intelligence are active malicious IP addresses, or file
hashes of dangerous files that have been used in recent attacks.
TC clients are subscribers, sending intel to TC and having intel sent to them via TC.
TC clients can choose to expose their intel to small private communities or to larger
communities.

E.g. one for UK government, one for US government, one for financial organisations, one for
telcos, or even smaller or larger communities.
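The normalization, anonymous sharing and community scoping described in the three Threat Central passages above (normalizing feeds into IPs and hashes, Company A's submission reaching B and C, and exposing intel to small or large communities), as one added example. It is not Threat Central code: the three submitters, their formats and data, the community names and the exchange-side key are all constructed for the illustration, and the indicator patterns use STIX 2.1 syntax, which postdates this deck.

```python
import hashlib
import hmac
import ipaddress
import json
import re

# Constructed submissions from three fictional participants, each in a different
# native format. Addresses are RFC 5737 / RFC 1918 ranges and the hashes are
# placeholders, all invented for the example.
RAW_FEED = [
    {"submitter": "company-a", "communities": {"finance", "all"}, "format": "csv",
     "data": "203.0.113.9,c2,2014-03-01\n198.51.100.7,scanner,2014-03-02\nnot-an-ip,c2,2014-03-02"},
    {"submitter": "company-b", "communities": {"finance"}, "format": "json",
     "data": json.dumps({"sha256": "a" * 64, "family": "Dropper.X"})},
    {"submitter": "hp-research", "communities": {"all"}, "format": "text",
     "data": "Sighting: 203.0.113.9 beaconing, dropped md5 0123456789abcdef0123456789abcdef "
             "on internal host 10.0.0.5"},
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
HASH_ALGOS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PSEUDONYM_KEY = b"exchange-side secret"   # assumed: known only to the exchange, never to subscribers


def extract_candidates(record):
    """Pull raw indicator strings out of one submission in its native format."""
    fmt, data = record["format"], record["data"]
    if fmt == "csv":
        return [line.split(",")[0].strip() for line in data.splitlines() if line.strip()]
    if fmt == "json":
        obj = json.loads(data)
        return [str(obj[k]) for k in ("ip", "md5", "sha1", "sha256") if k in obj]
    return IP_RE.findall(data) + HASH_RE.findall(data)      # free text


def classify(candidate):
    """Validate one candidate; return (stix_type, value, pattern) or None.
    Internal addresses are refused so that a submitter cannot poison every
    subscriber's SIEM block list with its own RFC 1918 space."""
    try:
        ip = ipaddress.IPv4Address(candidate)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in INTERNAL_NETS):
            return None
        return "ipv4-addr", str(ip), f"[ipv4-addr:value = '{ip}']"
    h = candidate.lower()
    if len(h) in HASH_ALGOS and re.fullmatch(r"[0-9a-f]+", h):
        algo = HASH_ALGOS[len(h)]
        return f"file:hashes.{algo}", h, f"[file:hashes.'{algo}' = '{h}']"
    return None


def normalize_feed(records):
    """Merge all submissions into de-duplicated indicators carrying a STIX 2.1 style
    pattern, the union of sharing communities and a sighting count. Submitters are
    replaced by a keyed pseudonym so that identity never leaves the exchange."""
    indicators = {}
    for rec in records:
        token = hmac.new(PSEUDONYM_KEY, rec["submitter"].encode(), hashlib.sha256).hexdigest()[:12]
        for cand in extract_candidates(rec):
            cls = classify(cand)
            if cls is None:
                continue
            stix_type, value, pattern = cls
            ind = indicators.setdefault((stix_type, value), {
                "type": stix_type, "value": value, "pattern": pattern,
                "communities": set(), "sources": set(), "sightings": 0})
            ind["communities"] |= rec["communities"]
            ind["sources"].add(token)
            ind["sightings"] += 1
    return list(indicators.values())


def visible_to(indicators, memberships):
    """What one subscriber receives: only indicators shared into a community it
    belongs to, with the source tokens reduced to a count."""
    out = []
    for ind in indicators:
        if ind["communities"] & memberships:
            public = {k: v for k, v in ind.items() if k != "sources"}
            out.append({**public, "distinct_sources": len(ind["sources"])})
    return out


if __name__ == "__main__":
    inds = normalize_feed(RAW_FEED)
    for ind in visible_to(inds, {"telco", "all"}):
        print(ind["pattern"], ind["sightings"], sorted(ind["communities"]))
```

A subscriber in the telco and general communities receives the two external addresses and the MD5, but not the SHA-256 that Company B shared only into the finance community, and it never sees who submitted anything, only that the C2 address was reported by two distinct sources. The validation step matters as much as the format conversion: a feed that forwards "not-an-ip" or a submitter's own 10.0.0.5 straight into a SIEM active list or an IPS block rule turns a sharing platform into a way for one member to disrupt all the others.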

27

28

29
