Calgary security road show master deck final


Published on March 7, 2014

Author: scalardecisions

Source: slideshare.net

Security Road Show - Calgary © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience

• 9:00am – 9:15am Welcome
• 9:15am – 9:45am Palo Alto Networks – You can’t control what you can’t see!
• 9:45am – 10:15am F5 – Protect your web applications
• 10:15am – 10:30am Break
• 10:30am – 11:00am Splunk – Big data, next generation SIEM
• 11:00am – 11:30am Infoblox – Are you fully prepared to withstand DNS attacks?
• 11:30am – 12:00pm Closing remarks, Q&A
• 12:00pm – 12:30pm Boxed Lunches

Today’s Speakers
– Geoff Shukin – Palo Alto Networks
– Clayton Sopel – F5
– Menno Vanderlist – Splunk
– Ed O’Connell – Infoblox

• Founded in 2004
• $125M in CY13 Revenues
• Nationwide Presence: Toronto | Vancouver | Ottawa | Calgary | London
• 120 Employees Nationwide
• 25% Growth YoY
• Greater than 1:1 technical:sales ratio
• Background in architecting mission-critical data centre infrastructure

• The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools
• Delivering infrastructure services which support core applications

WHY SCALAR?

Experience, Innovation, Execution

• Top technical talent in Canada
– Engineers average 15 years’ experience
• We train the trainers
– Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox
• Our partners recognize we’re the best
– Brocade Partner of the Year – Innovation
– Cisco Partner of the Year – Data Centre & Virtualization
– VMware Global Emerging Products Partner of the Year
– F5 Canadian Partner of the Year
– Palo Alto Networks Rookie of the Year
– NetApp Partner of the Year – Central

• Unique infrastructure solutions designed to meet your needs
– StudioCloud
– HPC & Trading Systems
• Testing Centre & Proving Grounds
– Ensuring emerging technologies are hardened, up to the task of Enterprise workloads
• Vendor Breadth
– Our coverage spans Enterprise leaders and Emerging technologies for niche workloads & developing markets

“Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”

“We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”

“Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multidisciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”


PALO ALTO NETWORKS

Palo Alto Networks – Controlling Threats
Geoff Shukin, Senior SE, Palo Alto Networks #netgun

context |ˈkänˌtekst| noun: the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed

action, intelligence, context

Session context fields, first example (slide figure):
– application: slideshare; application function: slideshare-uploading
– file name: roadmap.pdf; file type: pdf; size: 344 KB
– protocol: HTTP over SSL; URL category: file-sharing
– source IP: 172.16.1.10; destination IP: 64.81.2.23; destination port: tcp/443; destination country: canada
– user: bjacobs; group: prodmgmt

Session context fields, second example (slide figure):
– application: web-browsing
– file name: shipment.exe; file type: exe; size: 344 KB
– protocol: HTTP over SSL; URL category: unknown
– source IP: 172.16.1.10; destination IP: 64.81.2.23; destination port: tcp/443; destination country: china
– user: fthomas; group: finance

Attack chain (slide figure): Exploit Kit Contact → New Domain → ZeroAccess Delivered → C2 Established → Custom C2 & Hacking → Spread Laterally → Secondary Payload → Data Stolen → Exfiltration via RDP & FTP
How each stage evades traditional controls: hides within SSL; new domain, no reputation; payload evades AV; C2 hides using nonstandard ports; no signature for custom malware; hides in plain sight; payload evades C2 signatures

• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base

All Applications, All Attack Vectors, All Threats
Datacenter
• Validate business applications & users
• Find rogue/misconfigured apps
• High speed threat prevention
Gateway
• Visibility into all traffic
• Enable apps to reduce exposure
• Block known/unknown threats
Segmentation
• Isolate critical data, business functions
• Enable applications based on users
• Block known/unknown threats

Threat spectrum (slide figure), from commodity to advanced threat:
• Commodity threats (very common, easily identified)
• Organized cybercrime (more customized exploits and malware)
• Nation state (very targeted, persistent, creative)
Characteristics along that spectrum:
– Mostly addressed by traditional AV and IPS
– Low sophistication, slowly changing
– Machine vs. machine
– Somewhat more sophisticated payloads
– Evasion techniques often employed
– Sandboxing and other smart detection often required
– Comprehensive investigation after an indicator is found
– Intelligent and continuous monitoring of passive network-based and host-based sensors
– Highly coordinated response is required for effective prevention and remediation

• Evolving from incident response mindset to intelligence mindset
• No intelligence exists without visibility
• Applying the intelligence and resulting IOCs to the kill chain
• Sharing what you know

• It’s a campaign, not just an attack
• Appreciate and utilize the intelligence cycle
Security stack:
– Block an IP address
– Block a URL
– Block a session
– Block a known virus
– Heuristically block spam
– Block bad attachments
Intelligence cycle, indicators {A, B, C, D, E, F, G, H, I, J, K, L, M, N, O}:
– Recons by A, B and C
– Builds this kind of weapon: D
– Delivers the weapon by E, F and G
– Exploits the network by H and I
– Installs itself by J
– Establishes C2 by K, L and M
– Performs N and O on the objective

• You don’t have intelligence if you don’t have visibility
• Visibility required across the whole network
• Ideally, you can see and understand applications, content, and users
• Then make sense of what you see

1. Changes driven by “location”
– Where’s the user?
– Where’s the app?
– Where’s the server?
2. Changes driven by security evolution
– Who and where is the attacker?
– What is their level of sophistication?
– What are their motives?

Users are moving off the network

Apps are moving off the network

Servers are moving to private and public clouds

Traffic is moving off the network


• Visibility provides intelligence around the indicators of compromise (IOC)
• IOCs applied to the kill chain provide actionability
• Highly automated kill chain

Automated defensive measures (slide figure): traditional anti-malware signature generation; sandbox-based detection; IPS (C&C) signature generation; DNS (C&C) signature generation; malware URL list generation

• In the cyber security battle, sharing is key
• Three ways this is happening
1. External – industry initiatives
2. External – technology partnerships
3. Internal – your security technology should leverage the network

• Automatic detection in real time in private or public cloud
• Automatic generation of several defensive measures
• Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection
• Automatic installation of defensive measures provides full prevention immediately
• You benefit from the threat intelligence of 2,500+ organizations across the industry

F5

F5 Security for an application driven world

F5 Provides Complete Visibility and Control Across Applications and Users
Securing access to applications from anywhere; protecting your applications regardless of where they live.
Platform (slide figure): Users – DNS, Web Access, Intelligent Services – Resources; Dynamic Threat Defense; DDoS Protection; Protocol Security; Network Firewall; TMOS platform

Security Trends and Challenges

[Chart: security incidents May 2012 – Jun 2013, plotted by month, affected industry (bank, government, online services, education, news & media, telco, DNS provider, retail, utility and others) and attack type (spear phishing, physical access, XSS and others); size of circle estimates relative impact of incident in terms of cost to business. Source: F5 Networks]

More sophisticated attacks are multi-layer: Application, SSL, DNS, Network

The business impact of DDoS: cost of corrective action; reputation management

OWASP Top 3 Application Security Risks
1 – Injection: Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.
2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity.
3 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.
Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

The F5 Approach

Full Proxy Security (slide figure): separate client-side and server-side stacks (Physical, Network, Session, Application, Web application) with: SSL inspection and SSL DDoS mitigation; L4 firewall: full stateful policy enforcement and TCP DDoS mitigation; application health monitoring and performance anomaly detection; HTTP proxy, HTTP DDoS and application security

The F5 Application Delivery Firewall – bringing deep application fluency to firewall security
One platform: Network firewall | Traffic management | Application security | Access control | DDoS mitigation | SSL inspection | DNS security
Certification: EAL2+; EAL4+ (in process)

Positive vs Negative
• Positive security
– Known-good traffic
– Permit only what is defined in the security policy (whitelisting)
– Block everything else
• Negative security
– Known-bad traffic
– Pattern matching for malicious content using regular expressions
• Policy enforcement is based on positive security logic
• Negative security logic is used to complement positive logic

How Does It Work? Security at application, protocol and network level
Flow (slide figure): request made; security policy checked; content scrubbing; application cloaking; enforcement; server response; security policy applied; response delivered
Actions: log, block, allow
“BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”

Policy checks, in order:
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check max value length
7. Then scan each parameter, the URI, the headers
Example request (each line ends in CRLF):
GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: 172.29.44.44
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://172.29.44.44/search.php?q=data
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
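The positive-versus-negative model and the seven-step check order above are easiest to see in code. The following is an added example, not F5 code or the BIG-IP policy engine: a small Python checker that walks the slide's sample request through the steps in order, permitting only what a constructed allow-list policy (POLICY) defines and then running constructed negative-security signatures (SIGNATURES) over the URI, parameters and headers. The request is adapted from the slide with its CRLF terminators restored; the policy, the signature patterns and the file-type list are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qsl

# Positive-security policy (constructed for this example): only what is listed here is permitted.
# Each allowed URL maps to its allowed parameters, and each parameter to its maximum value length.
POLICY = {
    "methods": {"GET", "POST"},
    "versions": {"HTTP/1.0", "HTTP/1.1"},
    "max_request_line": 2048,
    "max_headers": 64,
    "max_header_value": 4096,
    "file_types": {".php", ".html", ""},      # step 3: valid types for the application
    "urls": {                                 # steps 4-6: valid URLs, parameters, max lengths
        "/search.php": {"q": 64, "name": 64},
        "/index.html": {},
    },
}

# Negative-security signatures (constructed): known-bad patterns that complement the positive checks.
SIGNATURES = [
    ("sql-meta", re.compile(r"'|--|/\*")),
    ("script-tag", re.compile(r"<\s*script", re.IGNORECASE)),
]

# Sample request adapted from the slide, with CRLF line endings restored (constructed input).
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body.

    Raises ValueError on anything not well-formed; that is the RFC-compliance step.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # ValueError unless exactly three tokens
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line %r" % line)
        headers.append((name.strip(), value.strip()))
    return {"line": lines[0], "method": method, "target": target,
            "version": version, "headers": headers, "body": body}


def check_request(raw, policy=POLICY, signatures=SIGNATURES):
    """Apply the checks in the slide's order and return every violation found (empty = allowed)."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return ["rfc: %s" % exc]
    violations = []
    # 1. RFC compliance: only methods and versions the policy knows how to proxy.
    if req["method"] not in policy["methods"]:
        violations.append("rfc: method %s not allowed" % req["method"])
    if req["version"] not in policy["versions"]:
        violations.append("rfc: version %s not allowed" % req["version"])
    # 2. Length limits on the request line and the headers.
    if len(req["line"]) > policy["max_request_line"]:
        violations.append("length: request line too long")
    if len(req["headers"]) > policy["max_headers"]:
        violations.append("length: too many headers")
    for name, value in req["headers"]:
        if len(value) > policy["max_header_value"]:
            violations.append("length: header %s too long" % name)
    parts = urlsplit(req["target"])
    # 3. Valid file types for the application.
    if posixpath.splitext(parts.path)[1] not in policy["file_types"]:
        violations.append("type: %s not allowed" % parts.path)
    # 4. Valid URLs: anything not listed is denied (whitelisting).
    allowed_params = policy["urls"].get(parts.path)
    if allowed_params is None:
        violations.append("url: %s not in policy" % parts.path)
        allowed_params = {}
    # 5-6. Valid parameters and their maximum value lengths.
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed_params:
            violations.append("param: %s not allowed on %s" % (name, parts.path))
        elif len(value) > allowed_params[name]:
            violations.append("length: param %s value too long" % name)
    # 7. Negative-security scan of the URI path, each parameter value and each header value.
    fields = [("uri", parts.path)]
    fields += [("param " + n, v) for n, v in params]
    fields += [("header " + n, v) for n, v in req["headers"]]
    for label, text in fields:
        for sig_name, pattern in signatures:
            if pattern.search(text):
                violations.append("signature %s in %s" % (sig_name, label))
    return violations


if __name__ == "__main__":
    for violation in check_request(SAMPLE_REQUEST):
        print(violation)
```

Run against the sample request, the positive checks reject the undeclared admin parameter before any signature is consulted, and the negative scan then flags the quote character in the name value; a request that uses only declared URLs and parameters returns an empty list. The positive policy does the enforcement, and the signatures only add detections on top, which is the relationship the slide describes.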

Automatic HTTP/S DoS Attack Detection and Protection
• Accurate detection technique, based on latency
• Three different mitigation techniques escalated serially
• Focus on higher value productivity while automatic controls intervene
Detect a DoS condition → identify potential attackers → drop only the attackers

To Simplify: Application-Oriented Policies and Reports

IP Intelligence (slide figure): IP intelligence service backed by a geolocation database, with IP address feed updates every 5 min. Source categories identified: botnet; restricted region or country; anonymous proxies and anonymous requests; scanner; internally infected devices and servers. Protected: custom application, financial application.

Built for intelligence, speed and scale
– Concurrent user sessions: 100K
– Concurrent logins: 1,500/sec
– Throughput: 640 Gbps
– Concurrent connections: 288 M
– DNS query response: 10 M/sec
– SSL TPS (2K keys): 240K/sec
– Connections per second: 8M

Application Delivery Firewall: Network firewall | Traffic management | Application security | Access control | DDoS mitigation | SSL inspection | DNS security
Products:
• Advanced Firewall Manager
– Stateful full-proxy firewall
– Flexible logging and reporting
– Network and Session anti-DDoS
– IP protection
• Local Traffic Manager
– #1 application delivery controller
– Application fluency
– Native TCP, SSL and HTTP proxies
– App-specific health monitoring
• Application Security Manager
– Leading web application firewall
– PCI compliance
– Virtual patching for vulnerabilities
– HTTP anti-DDoS
• Access Policy Manager
– Dynamic, identity-based access control
– Simplified authentication infrastructure
– Endpoint security, secure remote access
• Global Traffic Manager & DNSSEC
– Huge scale DNS solution
– Global server load balancing
– Signed DNS responses
– Offload DNS crypto
iRules extensibility everywhere

Explore The F5 DDoS Protection Reference Architecture: f5.com/architectures

Summary
• Customers invest in network security, but most significant threats are at the application layer
• Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data
• A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges
• F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access

BREAK

SPLUNK

Copyright © 2014 Splunk Inc. Splunk for Security Intelligence

Make machine data accessible, usable and valuable to everyone.

The Accelerating Pace of Data: Volume | Velocity | Variety | Variability
Machine data is the fastest growing, most complex, most valuable area of big data: GPS, RFID, hypervisor, web servers, email, messaging, clickstreams, mobile, telephony, IVR, databases, sensors, telematics, storage, servers, security devices, desktops

The Splunk Security Intelligence Platform (slide figure)
– Security use cases: forensic investigation, security operations, compliance, fraud detection
– Machine data sources: online services, web services, security, GPS location, servers, packaged applications, networks, desktops, storage, messaging, telecoms, custom applications, RFID, energy meters, online shopping cart, databases, web clickstreams, call detail records, smartphones and devices
– Platform: HA indexes and storage on commodity servers

Rapid Ascent in the Gartner SIEM Magic Quadrant: 2011, 2012, 2013

Industry Accolades: Best SIEM Solution; Best Enterprise Security Solution; Best Security Product

Over 2800 Global Security Customers

Splunk Security Intelligence Platform: 120+ security apps, including Splunk App for Enterprise Security, Palo Alto Networks, Cisco Security Suite, OSSEC, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat Proxy SG, Sourcefire

Partner Ecosystem – What is the Value Add to Existing Customers?
• Visibility and correlation of rich data
• Improved security posture
• Configurable dashboard views

All Data is Security Relevant = Big Data (slide figure)
– Traditional SIEM sources: firewall, authentication, vulnerability scans, intrusion detection/prevention, anti-malware, data loss
– Beyond traditional SIEM: databases, email, web, desktops, servers, DHCP/DNS, network flows, custom apps, hypervisor, badges, storage, mobile, service desk, call records, industrial control

Making Sound Security Decisions (slide figure): security decisions draw on log data, binary data (flow and PCAP), threat intelligence feeds and context data, across volume, velocity, variety and variability

Case #1 – Incident Investigation/Forensics
• May be a “cold case” investigation requiring machine data going back months
• Often initiated by alert in another product
• Need all the original data in one place and a fast way to search it to answer:
– What happened and was it a false positive?
– How did the threat get in, where have they gone, and did they steal any data?
– Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed

Case #2 – Real-time Monitoring of Known Threats
Example correlation – data loss: three events from different sources, all carrying the same source IP (10.11.36.20), occurring within a 24-hour period
– Windows authentication (default admin account): 20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts IP: 10.11.36.20
– Endpoint security (malware found): Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
– Intrusion detection (data loss): Aug 08 08:26:54 snort.acmetech.com itsec snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Classification: Potential Corporate Privacy Violation] [Priority: 2]: {TCP} 10.11.36.20:5072 -> 10.11.36.26:443

Case #3 – Real-time Monitoring of Unknown Threats
Example correlation – spearphishing: three events from different sources, all tied to the same user name, occurring within a 24-hour period
– Email server (rarely seen email domain): 2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
– Web proxy (rarely visited web site): 2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; )" User John Doe
– Endpoint logs (rarely seen service): 08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
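Both correlation cases above share one mechanism: extract a pivot key (source IP in Case #2, user name in Case #3) from events of several sources and alert when enough distinct sources agree on that key inside a time window. The following Python is an added example, not Splunk code or a Splunk search: it parses constructed syslog-style lines modelled on the Case #2 sources (a Windows logon, an endpoint anti-virus detection and an IDS alert), keys them on source IP and applies a sliding 24-hour window. The line formats, host names, the extractor regexes and the assumed year are all constructed for the example; keying on user name for the Case #3 pattern only needs a different set of extractors.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not the deck's own data), modelled on the "Case #2" sources.
# Syslog timestamps carry no year, so one is assumed when parsing.
ASSUMED_YEAR = 2013
SAMPLE_LINES = [
    "Aug 08 06:09:13 dc01.acmetech.com WindowsAuth: logon user=smithe src_ip=10.11.36.20 account=Administrator",
    "Aug 08 07:17:24 acmesep01.acmetech.com SymantecServer: Virus found,Computer name: ACME-002,"
    "Risk name: Hackertool.rootkit,User: smithe,Source IP: 10.11.36.20",
    "Aug 08 08:26:54 snort.acmetech.com snort[18774]: [1:100000:3] Credit Card Number Detected in "
    "Clear Text {TCP} 10.11.36.20:5072 -> 10.11.36.26:443",
    # A second host that only ever shows up in one source: no alert expected.
    "Aug 09 09:00:00 snort.acmetech.com snort[18774]: [1:100000:3] Credit Card Number Detected in "
    "Clear Text {TCP} 10.11.36.77:5072 -> 10.11.36.26:443",
    "Aug 12 10:00:00 dc01.acmetech.com WindowsAuth: logon user=jdoe src_ip=10.11.36.77 account=jdoe",
]

# One extractor per source: (source name, regex whose first group is the correlation key).
# These are hypothetical formats chosen for the example.
EXTRACTORS = [
    ("windows_auth", re.compile(r"WindowsAuth: .*?src_ip=(\d+\.\d+\.\d+\.\d+)")),
    ("endpoint_security", re.compile(r"Virus found,.*?Source IP: (\d+\.\d+\.\d+\.\d+)")),
    ("ids", re.compile(r"snort\[\d+\]: .*?\{TCP\} (\d+\.\d+\.\d+\.\d+):\d+ ->")),
]


def parse_line(line, year=ASSUMED_YEAR):
    """Return {"ts", "source", "key"} for a recognised line, or None for anything else."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
    for source, pattern in EXTRACTORS:
        match = pattern.search(line)
        if match:
            return {"ts": ts, "source": source, "key": match.group(1)}
    return None


def correlate(events, window=timedelta(hours=24), min_sources=3):
    """Alert on every key seen in at least min_sources distinct sources inside one window."""
    by_key = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key.setdefault(ev["key"], []).append(ev)
    alerts = []
    for key, evs in by_key.items():
        for i, start in enumerate(evs):
            seen = {}  # source -> first timestamp inside the window that opens at `start`
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                seen.setdefault(ev["source"], ev["ts"])
            if len(seen) >= min_sources:
                alerts.append({"key": key, "first_seen": start["ts"], "sources": sorted(seen)})
                break  # one alert per key; later windows would only repeat it
    return alerts


def run_detection(lines):
    """Parse raw lines, drop the unrecognised ones and correlate the rest."""
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LINES):
        print(alert)
```

On the sample, 10.11.36.20 appears in all three sources within about two hours and raises one alert, while 10.11.36.77 appears in only two sources days apart and does not. Requiring several independent sources is what keeps any single noisy feed from paging the on-call engineer on its own.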

$500k Security ROI @ Interac
• Challenges: manual, costly processes
– Significant people and days/weeks required for incident investigations. $10k+ per week.
– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
• Enter Splunk: fast investigations and stronger security
– Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
– Splunk reduced investigation time to hours. Reports can be created in minutes.
– Real-time correlations and alerting enables fast response to known and unknown threats
– ROI quantified at $500k a year. Splunk TCO is less than 10% of this.
“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.” – Josh Diakun, Security Specialist, Information Security Operations

Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize with reliance on pre-built rules which generated false positives
• Enter Splunk: flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered team
– 900 GB/day and searches take under a minute. 7 global data centers with 350TB stored data
– Estimate Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for ‘big data’ use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.” – Gavin Reid, Leader, Cisco Computer Security Incident Response Team

Security and Compliance @ Barclays
• Challenges: unable to meet demands of auditors
– Scale issues, hard to get data in, and impossible to get data out beyond summaries
– Not optimized for unplanned questions or historical searches
– Struggled to comply with global internal and external mandates, and to detect APTs
– Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
• Enter Splunk: stronger security and compliance posture
– Fines avoided as searches easily turned into visualizations for compliance reporting
– Faster investigations, threat alerting, better risk measurement, enrichment of old data
– Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
– Other teams using Splunk for non-security use cases improves ROI
“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.” – Stephen Gailey, Head of Security Services

Splunk Key Differentiators (Splunk vs. traditional SIEM)
• Single product, UI, data store
• Software-only; install on commodity hardware
• Quick deployment + ease-of-use = fast time-to-value
• Can easily index any data type
• All original/raw data indexed and searchable
• Big data architecture enables scale and speed
• Flexible search and reporting enables better/faster threat investigations and detection, incl. finding outliers/anomalies
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance

For your own AHA! Moment Reach out to your Scalar and Splunk team for a demo Thank you!

INFOBLOX

Are you prepared to withstand DNS attacks?
Ed O’Connell, Senior Product Marketing Manager

• Infoblox Overview
• DNS Security Challenges
• Securing the DNS Platform
• Defending Against DNS Attacks
• Preventing Malware from using DNS

Infoblox Overview
• Founded in 1999; headquartered in Santa Clara, CA with global operations in 25 countries
• Leader in technology for network control
• Market leadership: Gartner “Strong Positive” rating; 40%+ market share (DDI)
• 6,900+ customers, 64,000+ systems shipped
• 38 patents, 25 pending
• IPO April 2012: NYSE BLOX
Total revenue ($MM, fiscal year ending July 31): FY2007 $35.0; FY2008 $56.0; FY2009 $61.7; FY2010 $102.2; FY2011 $132.8; FY2012 $169.2; FY2013 $225.0

[Figure: Infoblox Grid with real-time network database as the control plane, providing historical/real-time reporting & control and infrastructure security across virtual machines, private cloud, applications, network infrastructure (firewalls, switches, routers, web proxy, load balancers), and apps & end points]

• DNS is the cornerstone of the Internet, used by every business and government
• DNS as a protocol is easy to exploit
• Traditional protection is ineffective against evolving threats
• DNS outage = business downtime

1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS

Infoblox DNS security layers:
– Hardened Appliance & OS: secure the DNS platform
– Infoblox Advanced DNS Protection: defend against DNS attacks
– Infoblox DNS Firewall: prevents malware/APT from using DNS



Multiple open ports (slide figure):
– Many open ports subject to attack
– Users have OS-level account privileges on server
– No visibility into good vs. bad traffic
– Requires time-consuming manual updates
– Requires multiple applications for device management

• Minimal attack surfaces
• Active/Active HA & DR recovery
• Centralized management with role-based control
• Tested & certified to highest industry standards
• Secured access, communication & API
• Secure inter-appliance communication
• Detailed audit logging
• Fast/easy upgrades

• No scripts / auto-resigning / 1-click
• Central configuration of all DNSSEC parameters
• Automatic maintenance of signed zones


~10% of infrastructure attacks targeted DNS (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013): UDP fragment 17.11%; SYN 14.56%; UDP floods 13.15%; ICMP 9.71%; DNS 9.58%; CHARGEN 6.39%; ACK 2.81%; RESET 1.4%; FIN PUSH 1.28%; SYN PUSH 0.38%; RP 0.26%; TCP fragment 0.13%
~80% of organizations surveyed experienced application layer attacks on DNS (Source: Arbor Networks; share of survey respondents): HTTP 82%; DNS 77%; HTTPS 54%; SMTP 25%; SIP/VoIP 20%; other 9%; IRC 6%

Distributed Reflection DoS Attack (DrDoS)
How the attack works
 Combines reflection and amplification
 Uses third-party open resolvers in the Internet (unwitting accomplices)
 Attacker sends small spoofed packets to the open recursive servers, requesting a large amount of data to be sent to the victim’s IP address
 Uses multiple such open resolvers, often thousands of servers
 Queries specially crafted to result in a very large response
 Causes DDoS on the victim’s server
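Added example, not from the deck or from Infoblox: a Python check a resolver operator could run over a query log to spot the two ingredients of the attack above from the defender's side, recursion being answered for clients outside the networks the resolver is meant to serve (open-resolver symptom) and answers many times larger than the queries that produced them (amplification). The log format, network ranges and addresses are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample resolver log (hypothetical simplified format, not a real BIND log):
# "<client_ip> <qname> <qtype> <query_bytes> <response_bytes>"
SAMPLE_LOG = """\
10.1.5.22 intranet.example.com A 45 61
10.1.5.23 www.example.com AAAA 49 77
198.51.100.7 example.net ANY 36 3150
198.51.100.7 example.net ANY 36 3150
198.51.100.7 example.net ANY 36 3150
203.0.113.9 example.org TXT 41 2900
10.1.5.22 mail.example.com MX 48 130
"""

# Networks this resolver is meant to serve (assumption for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn the sample log into (client_ip, qname, qtype, query_bytes, response_bytes) tuples."""
    records = []
    for line in text.splitlines():
        ip, qname, qtype, qlen, rlen = line.split()
        records.append((ip, qname, qtype, int(qlen), int(rlen)))
    return records


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_reflection_abuse(records, amp_threshold=10.0, min_queries=2):
    """Report external clients (open-resolver symptom) and, among them, probable reflection cases.

    In a DrDoS the source address is spoofed, so a flagged 'client' is the victim receiving
    the amplified answers; the remedy is to stop recursing for outsiders, not to blocklist it.
    """
    by_client = defaultdict(list)
    for ip, qname, qtype, qlen, rlen in records:
        if not is_internal(ip):
            by_client[ip].append((qname, qtype, rlen / qlen))  # amplification per query

    reflection = []
    for ip, rows in sorted(by_client.items()):
        avg_amp = sum(amp for _, _, amp in rows) / len(rows)
        if len(rows) >= min_queries and avg_amp >= amp_threshold:
            reflection.append({"client": ip, "queries": len(rows),
                               "avg_amplification": round(avg_amp, 1),
                               "qtypes": sorted({qtype for _, qtype, _ in rows})})
    return {"external_clients": sorted(by_client), "reflection_sources": reflection}
```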

Infoblox Advanced DNS Protection architecture (diagram): the external DNS and internal DNS appliances block DNS attacks and pass legitimate traffic; the Infoblox Threat-rule Server pushes automatic rule updates to them; the appliances send data to a Reporting Server, which reports on attack types and severity.

DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
DNS cache poisoning: Corruption of the DNS cache data with a rogue address
Protocol anomalies: Causing the server to crash by sending malformed packets and queries
Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
DNS tunneling: Tunneling of another protocol through DNS for data exfiltration

Deployment diagram: Advanced DNS Protection on the external, Internet-facing DNS in the DMZ and on the internal DNS in the datacenter and campus/regional sites, with the Grid Master and Grid Master Candidate (HA) and endpoints on the intranet.

 Infoblox DNS Firewall – Prevents Malware/APT from Using DNS
 Infoblox Advanced DNS Protection – Defend Against DNS Attacks
 Hardened Appliance & OS – Secure the DNS Platform


Cryptolocker “Ransomware”
 Targets Windows-based computers
 Appears as an attachment to a legitimate-looking email
 Upon infection, encrypts files: local hard drive & mapped network drives
 Ransom: 72 hours to pay $300US
 Fail to pay and the encryption key is deleted and the data is gone forever
 Only way to stop it (after the executable has started) is to block the outbound connection to the encryption server

Infoblox DNS Firewall: Malware / APT spreads within the network and calls home
 An infected device is brought into the office. Malware spreads to other devices on the network. Malware makes a DNS query to find “home” (botnet / C&C).
 Detect & Disrupt: DNS Firewall detects & blocks the DNS query to the malicious domain. The blocked attempt is sent to Syslog.
 Pinpoint: Infoblox Reporting lists blocked attempts as well as the:
• IP address
• MAC address
• Device type (DHCP fingerprint)
• Host name
• DHCP lease history
 Infoblox Malware Data Feed Service: DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Svc.
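Added example, not Infoblox's code: a Python sketch of the detect, disrupt and pinpoint flow above, matching each query against a malicious-domain feed the way a DNS firewall (RPZ) rule does, where an entry also covers its subdomains, and enriching every blocked attempt with DHCP lease data for pinpointing. The feed entries, lease table and query stream are constructed; the syslog line format is an assumption.

```python
# Constructed malicious-domain feed (hypothetical names, not real indicators). An entry covers
# the name itself and every subdomain, the way a DNS firewall / RPZ QNAME rule does.
FEED = {"badcnc.example", "evil-updates.test"}

# Constructed DHCP lease table: client IP -> (MAC address, host name, DHCP fingerprint)
LEASES = {
    "10.1.5.22": ("00:11:22:33:44:55", "LAPTOP-AB12", "Windows 7"),
    "10.1.5.40": ("66:77:88:99:aa:bb", "PRINTER-3F", "Embedded"),
}

# Constructed query stream: (timestamp, client IP, queried name)
QUERIES = [
    ("2014-03-07T09:01:02", "10.1.5.22", "www.example.com"),
    ("2014-03-07T09:01:05", "10.1.5.22", "UPDATE.badcnc.example."),
    ("2014-03-07T09:02:10", "10.1.5.40", "notbadcnc.example"),
    ("2014-03-07T09:02:11", "10.1.5.77", "evil-updates.test"),
]

def normalize(name):
    """Lower-case and strip the trailing dot so feed lookups are case- and FQDN-insensitive."""
    return name.rstrip(".").lower()

def matched_feed_entry(qname, feed):
    """Return the feed entry covering qname (exact name or any parent label), else None."""
    # Walking parent labels, not substring matching, keeps 'notbadcnc.example' from matching.
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None

def firewall(queries, feed, leases):
    """Split queries into allowed names and blocked attempts enriched for pinpointing."""
    allowed, blocked = [], []
    for ts, ip, qname in queries:
        entry = matched_feed_entry(qname, feed)
        if entry is None:
            allowed.append(qname)
            continue
        mac, host, fingerprint = leases.get(ip, ("unknown", "unknown", "unknown"))
        blocked.append({
            "time": ts, "client": ip, "qname": normalize(qname), "rule": entry,
            "mac": mac, "hostname": host, "device_type": fingerprint,
            # constructed syslog-style record of the blocked attempt (assumed format)
            "syslog": f"{ts} dns-firewall BLOCK client={ip} qname={normalize(qname)} rule={entry}",
        })
    return allowed, blocked
```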

FireEye NX Series integration
 1 Detect – FireEye detonates and detects malware (an endpoint attempting to download an infected file); alerts are sent to Infoblox.
 2 Disrupt – Infoblox DNS Firewall disrupts the malware’s DNS communication; the blocked attempt is sent to Syslog.
 3 Pin Point – Infoblox Reporting provides a list of blocked attempts as well as the:
• IP address
• MAC address
• Device type (DHCP fingerprint)
• DHCP Lease (on/off network)
• Host Name

Fast Flux: Rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
DNS Hacking: Hacking DNS registry(s) & re-directing users to malicious domain(s)
Geo-Blocking: Blocking access to geographies that have high rates of malicious domains or are under economic sanctions by the US Government

DNS is the cornerstone of the Internet; unprotected DNS infrastructure introduces security risks
 Infoblox DNS Firewall – Prevents Malware/APT from Using DNS
 Infoblox Advanced DNS Protection – Defend Against DNS Attacks
 Hardened Appliance & OS – Secure the DNS Platform
Secure DNS Solution protects critical DNS services

Thank you! For more information: www.infoblox.com

Why Scalar for Security?

The Issues
 Integration of Security Technologies
 Staffing
 Vulnerabilities
 Advanced threats

The Issues
 Integration of Security Technologies is Challenging
– Multiple formats of data
– Data timing issues
– Different types of security controls
– Other data types

The Issues
 InfoSecurity Staff
– Different skills requirements
﹘ Architects
﹘ Malware Handling
﹘ Forensics
﹘ Vulnerability
﹘ Incident Management
﹘ Risk and Compliance
– HR Costs
﹘ Premium technical personnel
﹘ Analysts, Specialists
﹘ Training and certification

The Issues
 Vulnerabilities
– Regularly scheduled disclosures
– Large volumes of ad-hoc patches
– Many undisclosed zero days
– Remediation is a continuous process

The Issues
 Advanced Threats
– Advanced Persistent Threats
– Embedded threats
 Who?
– State sponsored
– Hacktivism
– Hackers
– Organized crime

How to Secure It
 State-of-the-art Security Technologies
 Skills on Demand
– Continuous Tuning of Rules and Filters
– Cyber Intelligence, Advanced Analytics
– Cyber Incident Response
– Code Review, Vulnerability and Assessment Testing

WRAP/QUESTIONS?

THANK YOU.
