
Vancouver security road show master deck final

Information about Vancouver security road show master deck final

Published on March 7, 2014

Author: scalardecisions

Source: slideshare.net


Security Road Show - Vancouver © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience

• 9:00am – 9:15am Welcome
• 9:15am – 9:45am Palo Alto Networks – You can’t control what you can’t see!
• 9:45am – 10:15am F5 – Protect your web applications
• 10:15am – 10:30am Break
• 10:30am – 11:00am Splunk – Big data, next generation SIEM
• 11am – 11:30am Infoblox – Are you fully prepared to withstand DNS attacks?
• 11:30am – 12:00pm Closing remarks, Q&A
• 12:00pm – 12:30pm Boxed Lunches

Today’s Speakers
– Alon Goldberg – Palo Alto Networks
– Buu Lam – F5
– Menno Vanderlist – Splunk
– Ed O’Connell – Infoblox
– Rob Stonehouse – Scalar

• Founded in 2004
• $125M in CY13 Revenues
• Nationwide Presence – 120 Employees Nationwide
• 25% Growth YoY
• Toronto | Vancouver | Ottawa | Calgary | London
• Greater than 1:1 technical:sales ratio
• Background in architecting mission-critical data centre infrastructure

• Scalar is joining the TORONTO2015 Pan Am/Parapan Am Games as an Official Supplier
• Managing IT security, data centre integration, and managed storage services

• The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools
• Delivering infrastructure services which support core applications

WHY SCALAR?

Experience | Innovation | Execution

• Top technical talent in Canada – Engineers average 15 years’ experience
• We train the trainers – Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox
• Our partners recognize we’re the best
  – Brocade Partner of the Year – Innovation
  – Cisco Partner of the Year – Data Centre & Virtualization
  – VMware Global Emerging Products Partner of the Year
  – F5 Canadian Partner of the Year
  – Palo Alto Networks Rookie of the Year
  – NetApp Partner of the Year – Central

• Unique infrastructure solutions designed to meet your needs – StudioCloud – HPC & Trading Systems
• Testing Centre & Proving Grounds – Ensuring emerging technologies are hardened, up to the task of Enterprise workloads
• Vendor Breadth – Our coverage spans Enterprise leaders and Emerging technologies for niche workloads & developing markets

“Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”

“We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”

“Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multidisciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”


PALO ALTO NETWORKS

Next-Generation Protection for Advanced Threats – Alon Zvi Goldberg, SE, Palo Alto Networks

Attack stages shown on the slide: Exploit Kit; Malware From New Domain; ZeroAccess Delivered; C2 Established; Custom C2 & Hacking; Spread Laterally; Secondary Payload; Data Stolen.
Why each step evades detection:
• Hidden within SSL
• New domain has no reputation
• Payload designed to avoid AV
• Non-standard port use evades detection
• RDP & FTP allowed on the network
• Custom malware = no AV signature
• Internal traffic is not monitored
• Custom protocol avoids C2 signatures

1. Bait the end-user – End-user lured to a dangerous application or website containing malicious content
2. Exploit – Infected content exploits the end-user, often without their knowledge
3. Download Backdoor – Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel – Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal – Remote attacker has control inside the network and escalates the attack

Attacks are Blended
• Traffic and Malware
• Inbound and Outbound
Designed to Evade Security
• Encryption, strange ports, tunneling, polymorphic malware, etc.
Break Security Assumptions
• Exploits – Exploits are delivered over the network – Encryption, fragmentation
• Malware – Malware is delivered over the network – Re-encoded and targeted malware
• Spyware, C&C – Malware communicates over the network – Proxies, tunneling, encryption, custom traffic
When attackers control both ends of a connection they can hide their traffic in any way they want

1. Full Visibility of Traffic
   – Equal analysis of all traffic across all ports (no assumptions)
   – Control the applications that attackers use to hide
   – Decrypt, decompress and decode
2. Control the full attack lifecycle
   – Exploits, malware, and malicious traffic
   – Maintain context across disciplines
   – Maintain predictable performance
3. Expect the Unknown
   – Detect and stop unknown malware
   – Automatically manage unknown or anomalous traffic

Applications
• Visibility and control of all traffic, across all ports, all the time
• Reduce the attack surface
• Control the threat vector
• Control the methods that threats use to hide
Sources
• Control traffic sources and destinations based on risk
• Sites known to host malware
• SSL decrypt high-risk sites
• Find traffic to command and control servers
Known Threats
• Stop exploits, malware, spying tools, and dangerous files
• NSS tested and Recommended IPS
• Stream-based anti-malware based on millions of samples
• Control threats across any port
Unknown Threats
• Automatically identify and block new and evolving threats
• WildFire analysis of unknown files
• Visibility and automated management of unknown traffic
• Anomalous behaviors

Visibility Into All Traffic

• The Rule of All
  – All traffic, all ports, all the time
  – Mobile and roaming users
• Progressive Inspection
  – Decode – 200+ application and protocol decoders
  – Decrypt – based on policy
  – Decompress
• Stop the methods that attackers use to hide
  – Proxies
  – Encrypted tunnels
  – Peer-to-peer

Non-Standard Ports – Applications that can dynamically use non-standard ports
• Evasive Applications – Standard application behavior
• Security Best Practices – Moving internet facing protocols off of standard ports (e.g. RDP)
Tunneling Within Allowed Protocols – Applications that can tunnel other apps and protocols
• SSL and SSH
• HTTP
• DNS
Circumventors – Applications designed to avoid security
• Proxies
• Anonymizers (Tor)
• Custom Encrypted Tunnels (e.g. Freegate, Ultrasurf)

[Chart: number of distinct ports observed per application – SSL 4,740 ports; Skype 1,802 ports; Skype Probe 27,749 ports; BitTorrent 21,222 ports]

Based on a 3 month study of fully undetected malware collected by WildFire
– 26,000+ malware samples
– 1,000+ networks
FTP was the most evasive application observed*
– 95% of unknown samples delivered via FTP were never covered by antivirus.
– 97% of malware FTP sessions used non-standard ports, and used 237 different non-standard ports.
Web-browsing delivered more malware, but was less evasive.
– 10% of samples delivered over 90 different non-standard web ports

Example: Sample 0-Day Malware
• Unknown traffic traversing the DNS port
• HTTP using ephemeral ports


• Analysis of APT1 found:
  – RDP was the application of choice for ongoing management of the attack
  – Often proxied through intermediaries
  – Used custom applications built on MSN Messenger, Jabber, and Gmail Calendar
  – Often hidden within SSL
• Recommended Actions
  – Decrypt SSL
  – Tightly control RDP and proxy applications
  – Baseline instant messaging applications and investigate any unknowns

Controlling Remote Desktop and Instant Messaging – Potential URL Categories for Correlation
• Botnets
• Not-resolved
• Proxy-avoidance and anonymizers
• Open-http-proxies
• Peer-to-peer

Requirement: Expect the Unknowns

1. Unknown traffic becomes significant
   – Anything non-compliant or custom should be known and approved
   – When the vast majority of traffic is identified, the unknowns become manageable
2. Unknown traffic is common (99% of AVRs)
   – New publicly available commercial applications
   – Internally developed, custom applications
   – Rogue or malicious applications (malware)
3. Unknowns are manageable
   – Investigate unknowns
   – Customize App-ID to reduce the number of unknowns
   – Aggressively control or block remaining unknown traffic

Most Commonly Observed Unknown Malware Behaviors (share of unknown samples)
  Contained unknown TCP/UDP traffic               29.39%
  Visited an unregistered domain                  24.38%
  Sent out emails                                 20.46%
  Used the POST method in HTTP                    12.38%
  Triggered known IPS signature                    7.10%
  IP country different from HTTP host TLD          6.92%
  Communicated with new DNS server                 5.56%
  Downloaded files with an incorrect file extension 4.53%
  Connected to a non standard HTTP port            4.01%
  Produced unknown traffic over the HTTP port      2.33%
  Visited a recently registered domain             1.87%
  Visited a known dynamic DNS domain               0.56%
  Visited a fast-flux domain                       0.47%
40% of Unknown Malware Files Were Blockable on the Network – 40% of unknown samples were identifiable as sister samples that shared specific identifiers in the file header and payload
• Investigate and classify any unknown traffic
• No file downloads from unknown domains
• No HTTP posts to unknown domains
• No email traffic not to the corp email server
Source: Palo Alto Networks, WildFire Malware Report

Recent Sample of 0-Day Malware from WildFire
• Repeated pattern of DNS, HTTP and Unknown Traffic
• The “unknown” proved to be the most important traffic
The Unknown traffic marks the spot

A closer look at the unknown session

• Inspect all traffic
• Capture and execute any unknown files to observe real behavior
• Block malware, C2 traffic and variants


40% of Unknown Malware Files Were Variants
• Opportunity to Block Malware
  – In 40% of cases, a single signature matched multiple samples (variants)
  – 1 signature hit 1,500+ unique SHA values
  – Provides a way to block malware even when it is repackaged to avoid signatures
• 40% of Malware Samples Were Related
• WildFire Subscription – Delivers signatures within 30 to 60 minutes of new malware being detected anywhere in the world

• Detailed analysis of malware behaviors including
  – Malware actions
  – Domains visited
  – Registry changes
  – File changes

An Integrated Approach to Threat Prevention – Coordinated Threat Prevention
Lifecycle stages: Bait the end-user → Exploit → Download Backdoor → Establish Back-Channel → Explore & Steal
• App-ID – Block high-risk apps; Block C&C on non-standard ports
• URL – Block known malware sites; Block malware, fast-flux domains
• Threat License (IPS, AV, Spyware, Files) – Block the exploit; Block malware; Prevent drive-by downloads; Block spyware, C&C traffic
• WildFire – Detect unknown malware; Block new C&C traffic
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors

Thank you!

F5

F5 – Security for an application driven world

F5 Provides Complete Visibility and Control Across Applications and Users
• Users → Intelligent Services Platform (TMOS) → Resources
• Services: DNS, Web Access, Dynamic Threat Defense, DDoS Protection, Protocol Security, Network Firewall
• Securing access to applications from anywhere; protecting your applications regardless of where they live

Security Trends and Challenges

[Chart: security incidents May–Dec 2012 by attack type (Spear Phishing, Physical Access, XSS); size of circle estimates relative impact of incident in terms of cost to business]

[Chart: security incidents Jan–Jun 2013 by victim industry (banking, government, online services, education, telco, news & media, retail, DNS providers and others) and attack type; size of circle estimates relative impact of incident in terms of cost to business]

More sophisticated attacks are multi-layer: Application, SSL, DNS, Network

The business impact of DDoS: cost of corrective action; reputation management

OWASP Top 3 Application Security Risks
1 – Injection: Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.
2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity.
3 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.
Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

The F5 Approach

Full Proxy Security – the client-side and server-side stacks are terminated separately at each layer:
• Web application – HTTP proxy, HTTP DDoS and application security
• Application – Application health monitoring and performance anomaly detection
• SSL – SSL inspection and SSL DDoS mitigation
• Session / Network – L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
• Physical

The F5 Application Delivery Firewall – Bringing deep application fluency to firewall security
One platform: Network firewall, Traffic management, Application security, Access control, DDoS mitigation, SSL inspection, DNS security
EAL2+ certified; EAL4+ (in process)

Positive vs Negative
• Positive Security
  – Known good traffic
  – Permit only what is defined in the security policy (whitelisting)
  – Block everything else
• Negative Security
  – Known-bad traffic
  – Pattern matching for malicious content using regular expressions
• Policy enforcement is based on Positive security logic
• Negative security logic is used to complement Positive logic

How Does It Work? Security at application, protocol and network level
Request path: Request made → Security policy checked → Content scrubbing → Application cloaking → Enforcement → Response delivered
Response path: Server response → Security policy applied → Actions: Log, block, allow
“BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”

1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check max value length
7. Then scan each parameter, the URI, the headers
Sample request (each line CRLF-terminated):
    GET /search.php?name=Acme’s&admin=1 HTTP/1.1
    Host: 172.29.44.44
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1)
    Accept:text/html,application/xhtml+xml,application/xml;q=0.9
    Referer: http://172.29.44.44/search.php?q=data
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
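An added example (not F5 code and not from the deck) that applies the seven checks above, in that order, to the slide's sample request; the policy for /search.php, the length limits and the signature patterns are assumptions constructed for the example, and the request is abbreviated.

```python
"""Positive-security checks applied in the deck's order: RFC compliance,
length limits, file types, URLs, parameters, value lengths, then a
negative-security pattern scan (added example; policy values are assumed)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical policy for a small application (constructed for this example).
POLICY = {
    "allowed_methods": {"GET", "POST"},
    "max_uri_length": 256,
    "max_header_length": 1024,
    "allowed_file_types": {"php", "html", "css", "js", ""},  # "" = no extension
    # valid URL -> {valid parameter: max value length}
    "urls": {"/search.php": {"q": 64, "name": 32}, "/index.php": {}},
}

# Negative-security complement: content that should never appear.
BAD_PATTERNS = [
    ("script tag", re.compile(r"<\s*script", re.I)),
    ("quote + boolean", re.compile(r"'\s*(or|and)\s", re.I)),
    ("path traversal", re.compile(r"\.\./")),
]


def parse_request(raw):
    """Split a CRLF-delimited request into its request line and headers."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_request(raw, policy=POLICY):
    """Return the list of violations; an empty list means the request passes."""
    violations = []
    request_line, headers = parse_request(raw)

    # 1. RFC compliance: three-part request line, HTTP/1.x, Host present
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return ["rfc: malformed request line"]
    method, target, _ = parts
    if method not in policy["allowed_methods"]:
        violations.append(f"rfc: method {method} not allowed")
    if "host" not in headers:
        violations.append("rfc: missing Host header")

    # 2. Length limits on the URI and on each header value
    if len(target) > policy["max_uri_length"]:
        violations.append("length: request URI too long")
    for name, value in headers.items():
        if len(value) > policy["max_header_length"]:
            violations.append(f"length: header {name} too long")

    # 3. Valid file types, taken from the last path segment's extension
    url = urlsplit(target)
    last = url.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1] if "." in last else ""
    if ext not in policy["allowed_file_types"]:
        violations.append(f"filetype: .{ext} not allowed")

    # 4. Valid URLs: an unknown path stops here, nothing more is known about it
    if url.path not in policy["urls"]:
        violations.append(f"url: {url.path} not in policy")
        return violations

    # 5. Valid parameters and 6. per-parameter max value length
    allowed = policy["urls"][url.path]
    params = parse_qsl(url.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:
            violations.append(f"param: unexpected parameter {name!r}")
        elif len(value) > allowed[name]:
            violations.append(f"param: {name} value too long")

    # 7. Scan the URI, every header and every parameter value for bad patterns
    scan_targets = [("uri", target)]
    scan_targets += [(f"header {n}", v) for n, v in headers.items()]
    scan_targets += [(f"param {n}", v) for n, v in params]
    for where, text in scan_targets:
        for label, pattern in BAD_PATTERNS:
            if pattern.search(text):
                violations.append(f"signature: {label} in {where}")
    return violations


# The deck's sample request, abbreviated and rebuilt with CRLF line endings.
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # The undeclared "admin" parameter is the only violation in the sample.
    print(check_request(SAMPLE_REQUEST))
```

The apostrophe in name=Acme's passes the scan on its own because it is not followed by a boolean keyword; the undeclared admin parameter is what the positive policy rejects.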

Automatic HTTP/S DOS Attack Detection and Protection
• Accurate detection technique – based on latency
• Three different mitigation techniques escalated serially
• Focus on higher value productivity while automatic controls intervene
Detect a DOS condition → Identify potential attackers → Drop only the attackers

To Simplify: Application-Oriented Policies and Reports

IP INTELLIGENCE
• IP intelligence service – IP address feed updates every 5 min
• Geolocation database – restricted region or country
• Threat sources identified: Botnet, Attacker, Scanner, Anonymous proxies, Anonymous requests, Internally infected devices and servers
• Protected targets: Custom application, Financial application

Built for intelligence, speed and scale
• Concurrent user sessions: 100K
• Concurrent logins: 1,500/sec.
• Throughput: 640 Gbps
• Concurrent connections: 288 M
• DNS query response: 10 M/sec
• SSL TPS (2K keys): 240K/sec
• Connections per second: 8M

Application Delivery Firewall: Network firewall, Traffic management, Application security, Access control, DDoS mitigation, SSL inspection, DNS security
Products:
• Advanced Firewall Manager – Stateful full-proxy firewall; Flexible logging and reporting; Native TCP, SSL and HTTP proxies; Network and Session anti-DDoS
• Local Traffic Manager – #1 application delivery controller; Application fluency; App-specific health monitoring; HTTP anti-DDoS
• Application Security Manager – Leading web application firewall; PCI compliance; Virtual patching for vulnerabilities; IP protection
• Access Policy Manager – Dynamic, identity-based access control; Simplified authentication infrastructure; Endpoint security, secure remote access
• Global Traffic Manager & DNSSEC – Huge scale DNS solution; Global server load balancing; Signed DNS responses; Offload DNS crypto
iRules extensibility everywhere

Explore The F5 DDoS Protection Reference Architecture – f5.com/architectures

Summary
• Customers invest in network security, but most significant threats are at the application layer
• Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data
• A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges
• F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access

BREAK

SPLUNK

Splunk for Security Intelligence – Copyright © 2014 Splunk Inc.

Make machine data accessible, usable and valuable to everyone.

The Accelerating Pace of Data – Volume | Velocity | Variety | Variability
Machine data is the fastest growing, most complex, most valuable area of big data: GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops

The Splunk Security Intelligence Platform
• Security Use Cases: Forensic Investigation, Security Operations, Compliance, Fraud Detection
• Machine Data: Online Services, Web Services, Security, GPS Location, Servers, Packaged Applications, Networks, Desktops, Storage, Messaging, Telecoms, Custom Applications, RFID, Energy Meters, Online Shopping Cart, Databases, Web Clickstreams, Call Detail Records, Smartphones and Devices
• HA Indexes and Storage on Commodity Servers

Rapid Ascent in the Gartner SIEM Magic Quadrant (2011, 2012, 2013)

Industry Accolades: Best SIEM Solution; Best Enterprise Security Solution; Best Security Product

Over 2800 Global Security Customers

Splunk Security Intelligence Platform – 120+ security apps: Splunk App for Enterprise Security, Palo Alto Networks, Cisco Security Suite, OSSEC, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat Proxy SG, Sourcefire

Partner Ecosystem – What is the Value Add to Existing Customers?
• Visibility and Correlation of Rich Data
• Improved Security Posture
• Configurable Dashboard Views

All Data is Security Relevant = Big Data
• Traditional SIEM sources: Firewall, Authentication, Vulnerability Scans, Intrusion Detection/Prevention, Anti-Malware, Data Loss
• Beyond traditional SIEM: Databases, Email, Web, Desktops, Servers, DHCP/DNS, Network Flows, Custom Apps, Hypervisor, Badges, Storage, Mobile, Service Desk, Call Records, Industrial Control

Making Sound Security Decisions – inputs: Binary Data (flow and PCAP), Log Data, Threat Intelligence Feeds, Context Data; characterised by Volume, Velocity, Variety, Variability

Case #1 – Incident Investigation/Forensics
• Often initiated by alert in another product
• May be a “cold case” investigation requiring machine data going back months
• Need all the original data in one place and a fast way to search it to answer:
  – What happened and was it a false positive?
  – How did the threat get in, where have they gone, and did they steal any data?
  – Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed

Case #2 – Real-time Monitoring of Known Threats
Example Correlation – Data Loss (all three occurring within a 24-hour period, joined on Source IP)
• Windows Authentication – Default Admin Account:
    20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts   (IP: 10.11.36.20)
• Endpoint Security – Malware Found:
    Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
• Intrusion Detection – Data Loss:
    Aug 08 08:26:54 snort.acmetech.com itsec snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Classification: Potential Corporate Privacy Violation] [Priority: 2]: {TCP} 10.11.36.20:5072 -> 10.11.36.26:443

Case #3 – Real-time Monitoring of Unknown Threats
Example Correlation – Spearphishing (all three occurring within a 24-hour period, joined on User Name)
• Email Server – Rarely seen email domain:
    2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
• Web Proxy – Rarely visited web site:
    2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
• Endpoint Logs – Rarely seen service:
    08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
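An added example (not Splunk's, not from the deck) of the correlation logic behind Case #2 and Case #3: group events by a shared field (source IP or user name), and alert only when every required source type appears for one entity within a 24-hour span. The log lines are constructed in simplified key=value form modelled on the deck's excerpts, and the user-name normalisation is an assumption about how the three spellings of the same user are reconciled.

```python
"""Time-window correlation across heterogeneous sources: the logic behind
"all three occurring within a 24-hour period" in Case #2 (keyed by source
IP) and Case #3 (keyed by user name). Added example; the log lines are
constructed in simplified key=value form, modelled on the deck's excerpts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events: "<ISO timestamp> <source type> key=value ...".
RAW_LOGS = [
    # Case #2: default admin account, clear-text card data, rootkit, same host
    '2013-08-08T06:09:13 win_auth user=Administrator src_ip=10.11.36.20 sid_rid=500',
    '2013-08-08T08:26:54 ids src_ip=10.11.36.20 dst_ip=10.11.36.26 sig="Credit Card Number Detected in Clear Text"',
    '2013-08-09T05:17:24 av host=ACME-002 src_ip=10.11.36.20 risk=Hackertool.rootkit action=Quarantined',
    # Same three sources for another host, but the AV hit is days later: no alert
    '2013-08-08T09:00:00 win_auth user=bob src_ip=10.11.36.50 sid_rid=1104',
    '2013-08-08T09:05:00 ids src_ip=10.11.36.50 dst_ip=10.11.36.26 sig="Credit Card Number Detected in Clear Text"',
    '2013-08-11T12:00:00 av host=ACME-010 src_ip=10.11.36.50 risk=Hackertool.rootkit action=Quarantined',
    # Case #3: rare sender, rare site, new service, all tied to one user
    '2013-08-09T12:40:25 email user=johndoe@acme.com sender=hacker@neverseenbefore.com subject="Please open this attachment"',
    '2013-08-09T16:21:38 proxy src_ip=10.11.36.29 user="John Doe" url=www.neverbeenseenbefore.com',
    '2013-08-09T16:23:51 endpoint user="ACME\\John Doe" process_image=neverseenbefore.exe registry_type=CreateKey',
]

RULES = {
    "data_loss":     {"key": "src_ip", "sources": {"win_auth", "ids", "av"}},
    "spearphishing": {"key": "user",   "sources": {"email", "proxy", "endpoint"}},
}
WINDOW = timedelta(hours=24)


def parse_event(line):
    """Turn one constructed log line into a dict of fields plus _ts/_source."""
    ts, source, rest = line.split(" ", 2)
    event = {k: v.strip('"') for k, v in KV.findall(rest)}
    event["_ts"] = datetime.fromisoformat(ts)
    event["_source"] = source
    return event


def normalize_user(value):
    """Map 'John Doe', 'johndoe@acme.com' and 'ACME\\John Doe' to 'johndoe'
    so sources that spell the user differently still join (assumed rule)."""
    local = value.split("@")[0].split("\\")[-1]
    return re.sub(r"\s+", "", local).lower()


def entity_of(event, key):
    if key not in event:
        return None
    return normalize_user(event[key]) if key == "user" else event[key]


def correlate(events, key, sources, window=WINDOW):
    """Return (entity, first_ts, last_ts) for each entity that produced events
    from every required source within some span no longer than `window`."""
    by_entity = defaultdict(list)
    for e in events:
        if e["_source"] in sources:
            ent = entity_of(e, key)
            if ent:
                by_entity[ent].append(e)
    alerts = []
    for ent, evs in by_entity.items():
        evs.sort(key=lambda e: e["_ts"])
        fired = False
        for i, start in enumerate(evs):      # slide the window start forward
            seen = set()
            for e in evs[i:]:
                if e["_ts"] - start["_ts"] > window:
                    break                    # beyond the window: try next start
                seen.add(e["_source"])
                if sources <= seen:
                    alerts.append((ent, start["_ts"], e["_ts"]))
                    fired = True
                    break
            if fired:                        # one alert per entity is enough
                break
    return alerts


def run_rules(lines=RAW_LOGS, rules=RULES):
    events = [parse_event(line) for line in lines]
    return {name: correlate(events, r["key"], r["sources"]) for name, r in rules.items()}


if __name__ == "__main__":
    for name, alerts in run_rules().items():
        print(name, alerts)
```

Only 10.11.36.20 fires the data-loss rule: 10.11.36.50 has the same three sources, but its AV event falls outside the 24-hour span, which is what distinguishes a correlation from a plain OR of alerts.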

$500k Security ROI @ Interac
• Challenges: Manual, costly processes
  – Significant people and days/weeks required for incident investigations. $10k+ per week.
  – No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
  – Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
• Enter Splunk: Fast investigations and stronger security
  – Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
  – Splunk reduced investigation time to hours. Reports can be created in minutes.
  – Real-time correlations and alerting enables fast response to known and unknown threats
  – ROI quantified at $500k a year. Splunk TCO is less than 10% of this.
“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.” – Josh Diakun, Security Specialist, Information Security Operations

Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
  – Very difficult to index non-security or custom app log data
  – Serious scale and speed issues. 10GB/day and searches took > 6 minutes
  – Difficult to customize with reliance on pre-built rules which generated false positives
• Enter Splunk: Flexible SIEM and empowered team
  – Easy to index any type of machine data from any source
  – Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
  – All the data + flexible searches and reporting = empowered team
  – 900 GB/day and searches take < minute. 7 global data centers with 350TB stored data
  – Estimate Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.” – Gavin Reid, Leader, Cisco Computer Security Incident Response Team

Security and Compliance @ Barclays
• Challenges: Unable to meet demands of auditors
  – Scale issues, hard to get data in, and impossible to get data out beyond summaries
  – Not optimized for unplanned questions or historical searches
  – Struggled to comply with global internal and external mandates, and to detect APTs
  – Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
• Enter Splunk: Stronger security and compliance posture
  – Fines avoided as searches easily turned into visualizations for compliance reporting
  – Faster investigations, threat alerting, better risk measurement, enrichment of old data
  – Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
  – Other teams using Splunk for non-security use cases improves ROI
“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.” – Stephen Gailey, Head of Security Services

Splunk Key Differentiators (vs Traditional SIEM)
• Single product, UI, data store
• Software-only; install on commodity hardware
• Quick deployment + ease-of-use = fast time-to-value
• Can easily index any data type
• All original/raw data indexed and searchable
• Big data architecture enables scale and speed
• Flexible search and reporting enables better/faster threat investigations and detection, incl finding outliers/anomalies
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance

For your own AHA! moment, reach out to your Scalar and Splunk team for a demo. Thank you!

INFOBLOX © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience

Are you prepared to withstand DNS attacks? Ed O’Connell, Senior Product Marketing Manager

Agenda
• Infoblox Overview
• DNS Security Challenges
• Securing the DNS Platform
• Defending Against DNS Attacks
• Preventing Malware from using DNS

Infoblox Overview
• Founded in 1999; headquartered in Santa Clara, CA with global operations in 25 countries
• Leader in technology for network control
• Market leadership: Gartner “Strong Positive” rating; 40%+ market share (DDI)
• 6,900+ customers, 64,000+ systems shipped
• 38 patents, 25 pending
• IPO April 2012: NYSE BLOX
Total Revenue ($MM, fiscal year ending July 31): FY2007 $35.0 | FY2008 $56.0 | FY2009 $61.7 | FY2010 $102.2 | FY2011 $132.8 | FY2012 $169.2 | FY2013 $225.0

Diagram: the Infoblox Grid with its real-time network database as the network control plane, sitting between the network infrastructure (firewalls, switches, routers, web proxy, load balancers) and apps & end-points (virtual machines, private cloud, applications, end points), providing infrastructure security and historical/real-time reporting & control.

DNS Security Challenges
• DNS is the cornerstone of the Internet, used by every business/government
• DNS as a protocol is easy to exploit
• Traditional protection is ineffective against evolving threats
• DNS outage = business downtime

1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS

Infoblox Secure DNS Solution (three layers):
• Infoblox DNS Firewall – Prevents Malware/APT from Using DNS
• Infoblox Advanced DNS Protection – Defend Against DNS Attacks
• Hardened Appliance & OS – Secure the DNS Platform



Conventional DNS server platform (diagram label: Multiple Open Ports)
– Many open ports subject to attack
– Users have OS-level account privileges on server
– No visibility into good vs. bad traffic
– Requires time-consuming manual updates
– Requires multiple applications for device management

Hardened Appliance & OS
• Minimal attack surfaces
• Active/Active HA & DR recovery
• Centralized management with role-based control
• Tested & certified to highest industry standards
• Secured access, communication & API
• Secure inter-appliance communication
• Detailed audit logging
• Fast/easy upgrades

DNSSEC
• No scripts / auto-resigning / 1-click
• Central configuration of all DNSSEC parameters
• Automatic maintenance of signed zones


~10% of infrastructure attacks targeted DNS (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013): UDP FRAGMENT 17.11% | SYN 14.56% | UDP FLOODS 13.15% | ICMP 9.71% | DNS 9.58% | CHARGEN 6.39% | ACK 2.81% | RESET 1.4% | FIN PUSH 1.28% | SYN PUSH 0.38% | RP 0.26% | TCP FRAGMENT 0.13%
~80% of organizations surveyed experienced application layer attacks on DNS (Source: Arbor Networks; % of survey respondents): HTTP 82% | DNS 77% | HTTPS 54% | SMTP 25% | SIP/VoIP 20% | Other 9% | IRC 6%

Distributed Reflection DoS Attack (DrDoS) – How the attack works
• Combines reflection and amplification
• Uses third-party open resolvers in the Internet (unwitting accomplices)
• Attacker sends small spoofed packets to the open recursive servers, requesting a large amount of data to be sent to the victim’s IP address
• Uses multiple such open resolvers, often thousands of servers
• Queries specially crafted to result in a very large response
• Causes DDoS on the victim’s server
(Diagram: Attacker → open resolvers on the Internet → Target Victim)

Diagram: Infoblox Advanced DNS Protection on external and internal DNS servers blocks DNS attacks while passing legitimate traffic; the appliances receive automatic updates from the Infoblox Threat-rule Server and send data for reports to a Reporting Server, which reports on attack types and severity.

DNS attack types
– DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
– DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
– DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
– TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
– DNS cache poisoning: Corruption of the DNS cache data with a rogue address
– Protocol anomalies: Causing the server to crash by sending malformed packets and queries
– Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
– DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
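The reflection/amplification pattern from the DrDoS slide and the attack-type table above, seen from the resolver operator's side. This is an added example, not Infoblox code: it groups constructed query-log lines by client address and flags sources whose repeated queries draw responses far larger than the requests. The log format, thresholds and addresses are assumptions.

```python
"""Amplification/reflection suspect finder over constructed resolver log lines (added example)."""
from collections import defaultdict
import re

# Constructed log format (not Infoblox's): one line per answered query with byte counts.
LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"req_bytes=(?P<req>\d+) resp_bytes=(?P<resp>\d+)"
)

# Constructed sample: one source repeatedly pulling a large ANY answer, plus normal clients.
SAMPLE_LOG = """\
2014-03-07T10:00:01 client=198.51.100.7 qname=example.com qtype=ANY req_bytes=40 resp_bytes=3200
2014-03-07T10:00:01 client=198.51.100.7 qname=example.com qtype=ANY req_bytes=40 resp_bytes=3200
2014-03-07T10:00:01 client=198.51.100.7 qname=example.com qtype=ANY req_bytes=40 resp_bytes=3200
2014-03-07T10:00:02 client=198.51.100.7 qname=example.com qtype=ANY req_bytes=40 resp_bytes=3200
2014-03-07T10:00:02 client=192.0.2.10 qname=www.example.com qtype=A req_bytes=44 resp_bytes=60
2014-03-07T10:00:03 client=192.0.2.11 qname=mail.example.com qtype=MX req_bytes=45 resp_bytes=110
2014-03-07T10:00:03 client=192.0.2.11 qname=example.com qtype=TXT req_bytes=40 resp_bytes=1500
"""

def parse(lines):
    """Yield (client, qname, qtype, req_bytes, resp_bytes); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["qname"], m["qtype"], int(m["req"]), int(m["resp"])

def find_reflection_suspects(lines, min_ratio=20.0, min_queries=3):
    """Return {client: (query_count, mean_amplification)} for clients whose repeated
    queries produce responses at least min_ratio times larger than the requests.
    In a reflection attack the 'client' address is spoofed and is really the victim,
    so the fitting response is response rate limiting toward it, not an ACL block."""
    stats = defaultdict(lambda: [0, 0, 0])  # client -> [queries, req_bytes, resp_bytes]
    for client, _qname, _qtype, req, resp in parse(lines):
        s = stats[client]
        s[0] += 1; s[1] += req; s[2] += resp
    suspects = {}
    for client, (n, req, resp) in stats.items():
        ratio = resp / req if req else 0.0
        if n >= min_queries and ratio >= min_ratio:
            suspects[client] = (n, round(ratio, 1))
    return suspects

if __name__ == "__main__":
    for client, (n, ratio) in find_reflection_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {n} queries, mean amplification x{ratio}")
```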

Diagram: Advanced DNS Protection deployed on external DNS (Internet-facing DMZ) and on internal DNS (intranet: data center and campus/regional sites) serving endpoints, all managed by a Grid Master and Grid Master Candidate (HA).



Cryptolocker “Ransomware”
• Targets Windows-based computers
• Appears as an attachment to a legitimate-looking email
• Upon infection, encrypts files: local hard drive & mapped network drives
• Ransom: 72 hours to pay $300 US
• Fail to pay and the encryption key is deleted and data is gone forever
• Only way to stop it (after the executable has started) is to block the outbound connection to the encryption server

Infoblox DNS Firewall: Detect, Disrupt, Pinpoint
1. Malware / APT: An infected device is brought into the office. Malware spreads to other devices on the network and calls home.
2. Detect & Disrupt: Malware makes a DNS query to find “home” (botnet / C&C). DNS Firewall (on Infoblox DDI) detects & blocks the DNS query to the malicious domain; the blocked attempt is sent to Syslog.
3. Pinpoint: Infoblox Reporting lists blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history.
4. Infoblox Malware Data Feed Service: DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Svc.

Infoblox DNS Firewall with FireEye NX Series
1. Detect – FireEye detonates and detects malware (an endpoint attempting to download an infected file); alerts with the malicious domains are sent to Infoblox.
2. Disrupt – Infoblox DNS Firewall (on Infoblox DDI) disrupts malware DNS communication; the blocked attempt is sent to Syslog.
3. Pinpoint – Infoblox Reporting provides a list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), DHCP lease (on/off network) and host name.
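The detect/disrupt/pinpoint flow of the two DNS Firewall slides above, as an added example that is not Infoblox code: a simplified response-policy-zone (RPZ) style check returns NXDOMAIN for a listed domain or any subdomain of it, writes a syslog-style blocked event, and a report step joins those events with a DHCP lease table to name the device. The blocklist, lease table, log format and function names are all constructed assumptions.

```python
"""DNS firewall block-and-pinpoint flow, added example (not Infoblox's implementation)."""
from datetime import datetime, timezone

# Constructed threat feed: domains treated as malware / C&C infrastructure (placeholders).
BLOCKED_DOMAINS = {"bad-c2.example", "dropper.example.net"}

# Constructed DHCP lease table keyed by IP, as a reporting server might hold it.
DHCP_LEASES = {
    "10.1.5.23": {"mac": "00:11:22:33:44:55", "host": "LAPTOP-042", "fingerprint": "Windows 7"},
    "10.1.5.40": {"mac": "00:11:22:33:44:66", "host": "printer-3f", "fingerprint": "Printer"},
}

def is_blocked(qname):
    """RPZ-style match: the listed domain itself and every subdomain beneath it."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def resolve(qname, client_ip, events, now=None):
    """Disrupt step: return ('NXDOMAIN', None) for a blocked name and append a
    syslog-style event; otherwise ('PASS', qname) to hand off to normal recursion."""
    if is_blocked(qname):
        ts = (now or datetime.now(timezone.utc)).strftime("%b %d %H:%M:%S")
        events.append(f"{ts} dnsfw: rpz BLOCK client={client_ip} qname={qname}")
        return "NXDOMAIN", None
    return "PASS", qname

def pinpoint(events, leases):
    """Report step: join blocked-query events with DHCP lease data to identify the device."""
    report = []
    for line in events:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        lease = leases.get(fields["client"], {})
        report.append({"ip": fields["client"], "qname": fields["qname"],
                       "mac": lease.get("mac", "unknown"), "host": lease.get("host", "unknown"),
                       "fingerprint": lease.get("fingerprint", "unknown")})
    return report

if __name__ == "__main__":
    ev = []
    resolve("www.bad-c2.example", "10.1.5.23", ev)   # blocked, logged
    resolve("www.example.com", "10.1.5.40", ev)      # passes through
    for row in pinpoint(ev, DHCP_LEASES):
        print(row)
```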

– Fast Flux: Rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
– APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
– DNS Hacking: Hacking DNS registries & redirecting users to malicious domains
– Geo-Blocking: Blocking access to geographies that have high rates of malicious domains or are under economic sanctions by the US Government

• DNS is the cornerstone of the Internet
• Unprotected DNS infrastructure introduces security risks
• Secure DNS Solution protects critical DNS services:
– Infoblox DNS Firewall – Prevents Malware/APT from Using DNS
– Infoblox Advanced DNS Protection – Defend Against DNS Attacks
– Hardened Appliance & OS – Secure the DNS Platform

Thank you! For more information: www.infoblox.com

Why Scalar for Security?

The Issues
• Integration of Security Technologies
• Staffing
• Vulnerabilities
• Advanced threats

The Issues
• Integration of Security Technologies is Challenging
– Multiple formats of data
– Data timing issues
– Different types of security controls
– Other data types

The Issues
• InfoSecurity Staff
– Different skills requirements: Architects, Malware Handling, Forensics, Vulnerability, Incident Management, Risk and Compliance
– HR costs: Premium technical personnel; Analysts, Specialists; Training and certification

The Issues
• Vulnerabilities
– Regular scheduled disclosures
– Large volumes of ad-hoc patches
– Many undisclosed zero days
– Remediation is a continuous process

The Issues
• Advanced Threats
– Advanced Persistent Threats
– Embedded threats
• Who?
– State sponsored
– Hacktivism
– Hackers
– Organized crime

How to Secure It
• State-of-the-art Security Technologies
• Skills on Demand
– Continuous tuning of rules and filters
– Cyber intelligence, advanced analytics
– Cyber incident response
– Code review, vulnerability assessment and testing

WRAP/QUESTIONS?

THANK YOU.
