Taking Control of the Advanced Threat Problem
Post on 24-Feb-2016
Taking Control of the Advanced Threat Problem
Adam Hogan, Security Engineer, Sourcefire
@adamwhogan | ahogan@sourcefire.com
Agenda
▸ Frame the Advanced Threat Problem
▸ Define “Next-Gen Security”
▸ Traditional Network-Based Solutions: NG-IPS and NGFW
▸ Endpoint Approach to Advanced Malware (Cloud Supported)
IT Environments are Changing Rapidly
▸ Virtualization
▸ Consumerization
▸ Mobilization
▸ Applications
▸ Networks
▸ Devices
▸ VoIP
Threats are Increasingly Complex
▸ Client-side Attacks
▸ Targeted | Organized | Relentless | Innovative
▸ Advanced Persistent Threats
▸ Malware Droppers
2010 Ponemon Institute Study
Published in March 2011; 51 U.S. companies interviewed with breaches that occurred in 2010
▸ 4,200 to 105,000 records stolen
▸ Breach costs ranged from $780,000 to $35.3 million
Report highlights:
▸ Average data breach cost: $7.2 million
▸ Average cost per stolen record: $214
▸ 31% of breaches were criminal attacks
▸ Breaches related to criminal attacks are the most expensive
▸ Customer turnover remains the main driver of data breach costs
“Once a deviant industry is professionalized, crackdowns merely promote innovation.”
Nils Gilman, 4th European Futurists Conference
“The criminal breaks the monotony and humdrum security of bourgeois life, he thereby insures it against stagnation, and he arouses that excitement and restlessness without which even the spur of competition would be blunted”
Karl Marx
Professionalization of Hacking
A Closer Look
Hacktivism
Targeted Attacks
Threats Change —Traditional Security Products Do Not
Static | Inflexible | Closed/Blind | Labor Intensive
“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.”
- Neil MacDonald, VP & Gartner Fellow
Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010
Next Gen Security is…
…a continuous process to respond to continuous change.
Agile Security
You Can’t Protect What You Can’t See
▸ Breadth: who, what, where, when
▸ Depth: as much detail as you need
▸ Real-time data
▸ See everything in one place
“Seeing” provides information superiority
Agile Security: visibility across OS, users, devices, threats, applications, files, vulnerabilities and the network
Block, alert, log, modify, quarantine, remediate
Respond via automation
Reduce the ‘noise’
Automatically optimize defenses
Lock down your network to policy
Leverage open architecture
Configure custom fit security
Gain insight into the reality of your IT and security posture
Get smarter by applying intelligence
Correlate, prioritize, decide
Key: intelligence & automation
Security Before, During & After the Attack
Before: Policy & Control
▸ Discover environment
▸ Implement access policy
▸ Harden assets
During: Identification & Block
▸ Detect
▸ Prevent
After: Analysis & Remediation
▸ Determine scope
▸ Contain
▸ Remediate
What is needed is a new approach to protect your organization
What Can You Do?
Assess your vendors by assuming you will be hacked
▸ p.s., you will be (or already have been).
Your security tools are tools.
▸ Forget about set-and-forget tech and think about how each process, program or product helps your analysts keep you safe.
Exploring Detection
There are some really useful rules not on by default
▸ INDICATOR-OBFUSCATION
▸ JavaScript obfuscation: fromCharCode, non-alphanumeric
▸ Hidden iframes
▸ Excessive queries for .cn/.ru
▸ HTTP POST to a JPG/GIF/PNG/BMP?
Java 0-Day
SIDs 25301, 25302
▸ Largely used by exploit kits (Blackhole, Cool Kit, Nuclear, Redkit) - covered
▸ Why is java.exe downloading calc.exe?
BTW, User Agents are telling
No, really:
▸ User-Agent: Malware
▸ (RFC 3514 anybody?)
Unless your proxy rewrites them all...
What can we do? Communication
Watch hackers. Many aren’t that sneaky. (L|H)OIC source code is public, for crying out loud.
▸ LOIC packet contains: “U dun goofed”
▸ HOIC botched protocol, used two spaces where one is allowed.
They recruit! Publicly. Get on Twitter. Watch pastebin.org. Scrape it. Use Google Alerts if you can’t script.
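The indicators on the last few slides (the not-on-by-default obfuscation rules, the POST-to-image and "User-Agent: Malware" oddities, and the LOIC/HOIC tells) can be reduced to a handful of byte-level checks. The following is an added example and not Sourcefire's or Snort's rule text: it does not reproduce SIDs 25301/25302 or the INDICATOR-OBFUSCATION rules, the numeric thresholds are assumptions, the sample payloads are constructed rather than captured, and the placement of HOIC's doubled space in the request line is an assumption the slide does not spell out.

```python
"""Heuristic indicator checks over raw payloads and DNS query names.
Added illustration; not Snort/Sourcefire rule text. Thresholds are assumed."""
import re
from collections import Counter

IMAGE_EXT = re.compile(r"\.(?:jpe?g|gif|png|bmp)(?:\?|$)", re.IGNORECASE)
# HTTP allows exactly one SP between method, target and version.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)(?P<sp> +)(?P<target>\S+)(?: +HTTP/\d\.\d)?$")
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden)",
    re.IGNORECASE)
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){8,}\d+", re.IGNORECASE)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
LOIC_MESSAGE = b"U dun goofed"  # LOIC's default TCP/UDP flood payload text


def parse_http(message):
    """Split an HTTP message into (start line, lowercased header dict, body);
    None when the text is neither an HTTP request nor a response."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    if not (REQUEST_LINE.match(start) or start.startswith("HTTP/")):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start, headers, body


def http_indicators(message):
    """Indicator names found in one HTTP request or response."""
    found = set()
    parsed = parse_http(message)
    if parsed is None:
        return found
    start, headers, body = parsed
    req = REQUEST_LINE.match(start)
    if req:
        if len(req.group("sp")) > 1:            # assumption: HOIC's extra space is here
            found.add("hoic-double-space")
        if req.group("method") == "POST" and IMAGE_EXT.search(req.group("target")):
            found.add("post-to-image")
        if "malware" in headers.get("user-agent", "").lower():
            found.add("user-agent-malware")
    else:
        if HIDDEN_IFRAME.search(body):
            found.add("hidden-iframe")
        if FROMCHARCODE.search(body):
            found.add("js-fromcharcode")
        for script in SCRIPT_BODY.findall(body):
            text = re.sub(r"\s", "", script)
            # assumed threshold: 40+ chars of script that is under 20% alphanumeric
            if len(text) >= 40 and sum(c.isalnum() for c in text) / len(text) < 0.2:
                found.add("js-non-alphanumeric")
    return found


def payload_indicators(payload):
    """Run every check over one raw TCP/UDP payload (bytes)."""
    found = set()
    if LOIC_MESSAGE in payload:
        found.add("loic-default-message")
    found |= http_indicators(payload.decode("latin-1"))
    return found


def excessive_tld_queries(qnames, tlds=(".cn", ".ru"), threshold=10):
    """TLDs among `tlds` queried at least `threshold` times (assumed threshold)."""
    counts = Counter()
    for name in qnames:
        name = name.rstrip(".").lower()
        for tld in tlds:
            if name.endswith(tld):
                counts[tld] += 1
    return {tld for tld, n in counts.items() if n >= threshold}


# Constructed sample payloads, not captured traffic.
SAMPLE_PAYLOADS = {
    "hoic": b"GET  / HTTP/1.0\r\nHost: victim.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "loic_tcp": b"U dun goofedU dun goofedU dun goofed",
    "malware_ua": b"GET /gate.php HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: Malware\r\n\r\n",
    "post_image": b"POST /images/logo.gif HTTP/1.1\r\nHost: drop.example\r\nContent-Length: 4\r\n\r\ndata",
    "clean": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "landing_page": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b'<html><iframe src="http://kit.example/x" width="0" height="0"></iframe>'
                     b"<script>eval(String.fromCharCode(118,97,114,32,97,61,49,59,97,43,43,59));</script></html>"),
    "jsfuck": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<script>"
               + "+".join(["[]+![]"] * 8).encode() + b"</script>"),
}
SAMPLE_QNAMES = [f"host{i}.example.cn" for i in range(12)] + ["a.example.ru", "b.example.ru", "www.example.com"]

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(f"{name:13s} {sorted(payload_indicators(payload))}")
    print("excessive TLD queries:", excessive_tld_queries(SAMPLE_QNAMES))
```

None of these checks is a verdict on its own; the point of the slide is that they are cheap enough to leave on and correlate, so the script returns indicator names rather than a block/allow decision, and the DNS check is deliberately a count over a window rather than a per-query match.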
What Can You Do?
Hire analysts
▸ It’s going to cost you.
▸ And if they aren’t trained they depreciate.
Example: “Agile Security” Fuels Automation in an IDS/IPS
IT Insight: spot rogue hosts, anomalies, policy violations, and more
Impact Assessment: threat correlation reduces actionable events by up to 99%
Automated Tuning: adjust IPS policies automatically based on network change
User Identification: associate users with security and compliance events
Reduce Risk with: Application Control – on the IPS!
Control access to Web-enabled apps and devices
▸ “Employees may view Facebook, but only Marketing may post to it”
▸ “No one may use peer-to-peer file sharing apps”
Over 1,000 apps, devices, and more!
Reduce Risk with: IP Reputation
Block and Alert on:
▸ Botnet C&C Traffic
▸ Known Attackers
▸ Malware, Phishing, and Spam Sources
▸ Open Proxies and Relays
Create Your Own Lists
Download from Sourcefire or Third Parties
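The two slides above describe two different controls that a flow has to pass: a reputation list keyed on the destination address, then an ordered application-control policy such as "only Marketing may post to Facebook". The following is an added example of how those compose, not Sourcefire's policy language or list format; the rule tuple shape, the category names, the block-versus-alert action per list and the constructed RFC 5737 addresses are all assumptions.

```python
"""First-match application control plus an IP reputation list.
Added illustration; rule and list formats are assumed, not a vendor's."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user_group: str   # group the user was resolved to, e.g. "Marketing"
    app: str          # identified application, e.g. "facebook", "bittorrent"
    action: str       # sub-application action, e.g. "view", "post"
    dst_ip: str


# Ordered (group, app, action, verdict); first match wins, "*" is a wildcard.
# Specific rules must precede the wildcard rule they carve an exception from.
APP_RULES = [
    ("Marketing", "facebook", "post", "allow"),
    ("*",         "facebook", "post", "block"),   # everyone else may not post
    ("*",         "facebook", "view", "allow"),   # but anyone may view
    ("*",         "bittorrent", "*",  "block"),   # no peer-to-peer file sharing
    ("*",         "edonkey",    "*",  "block"),
]
DEFAULT_VERDICT = "allow"

# Constructed reputation lists: category -> (action, IPs or CIDRs).
# "block" drops the flow; "alert" only logs the category and lets app control decide.
REPUTATION = {
    "botnet-c2":      ("block", ["198.51.100.0/24"]),
    "known-attacker": ("block", ["203.0.113.7"]),
    "open-proxy":     ("alert", ["192.0.2.128/25"]),
}


def load_reputation(lists):
    """Parse every entry once so per-flow lookups are plain containment tests."""
    return [(ipaddress.ip_network(entry, strict=False), category, action)
            for category, (action, entries) in lists.items() for entry in entries]


def reputation_hit(dst_ip, networks):
    addr = ipaddress.ip_address(dst_ip)
    for net, category, action in networks:
        if addr in net:
            return category, action
    return None


def app_verdict(flow, rules=APP_RULES):
    for group, app, action, verdict in rules:
        if (group in ("*", flow.user_group) and app in ("*", flow.app)
                and action in ("*", flow.action)):
            return verdict
    return DEFAULT_VERDICT


def evaluate(flow, networks):
    """Return (verdict, reasons). Reputation is consulted first because a
    blocklisted destination is blocked no matter what the application policy says."""
    reasons = []
    hit = reputation_hit(flow.dst_ip, networks)
    if hit:
        category, action = hit
        reasons.append(f"reputation:{category}")
        if action == "block":
            return "block", reasons
    verdict = app_verdict(flow)
    if verdict == "block":
        reasons.append("app-control")
    return verdict, reasons


if __name__ == "__main__":
    nets = load_reputation(REPUTATION)
    for f in (Flow("Marketing", "facebook", "post", "192.0.2.10"),
              Flow("Employees", "facebook", "post", "192.0.2.10"),
              Flow("Employees", "facebook", "view", "192.0.2.200"),
              Flow("Engineering", "bittorrent", "download", "192.0.2.10"),
              Flow("Marketing", "facebook", "post", "198.51.100.5")):
        print(f, "->", evaluate(f, nets))
```

The ordering in APP_RULES is the whole policy: swapping the first two lines silently blocks Marketing as well, which is why a first-match engine should be tested with the exception case and the default case side by side, as the usage at the bottom does.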
So, what is the difference between NG-IPS and NGFW?
Gartner Defines NGIPS & NGFW
Next-Gen IPS (NGIPS)
▸ Standard first-gen IPS
▸ Application awareness and full-stack visibility
▸ Context awareness
▸ Content awareness
▸ Agile engine
Next-Gen Firewall (NGFW)
▸ Standard first-gen firewall
▸ Application awareness and full-stack visibility
▸ Integrated network IPS
▸ Extrafirewall intelligence
Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011. “Defining the Next-Generation Firewall,” Gartner, October 12, 2009
“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.“
Next-Generation IPS Comparison
What is a Next-Generation Firewall?
Stateful First-Generation Firewall
▸ Stateful protocol inspection
▸ Switching, routing and NAT
Integrated Network Intrusion Prevention
▸ Not merely “co-located”
▸ Includes vulnerability- and threat-facing signatures
Application Awareness with Full-Stack Visibility
▸ Example: Allow Skype, but disable Skype file sharing
▸ Make Facebook “read-only”
Extrafirewall Intelligence
▸ User directory integration
▸ Automated threat prevention policy updates
Gartner on Next-Generation IPS
“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”
Available now on Sourcefire.com
Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011
▸ ✔ Application awareness
▸ ✔ Contextual awareness
▸ ✔ Content awareness
▸ ✔ Agile engine
Ponemon NGFW Survey Highlights
Survey conducted in October 2011; 2,561 responses
Key Results:
▸ Most NGFWs augment (not replace) existing firewalls
▸ IPS component rated “most important” for securing data
What about an Endpoint Approach to the Advanced Threat Problem?
Threats Continue to Evolve
“Nearly 60% of respondents were at least ‘fairly certain’ their company had been a target.” – Network World (11/2011)
The likelihood that you will be attacked by advanced malware has never been greater.
75% of attacks are seen on only one computer
Cost of Advanced Malware
Solve the Problem at the Endpoint
Action at point of entry
▸ Best place to stop client-side attacks is on the client
Awareness at source
▸ Focus where files are executed
▸ Do not miss threats due to encryption
Secure Endpoints - Wherever They Are.
Clients need better visibility to detect and assess advanced malware. Visibility answers questions like:
▸ Do we have an advanced malware problem?
▸ Which endpoint was infected first?
▸ How extensive is the outbreak?
▸ What does the malware do?
Clients also need help regaining control after the inevitable attack. Control answers questions like:
▸ What is needed to recover?
▸ How can we stop other attacks?
What is needed to fight advanced malware at the Endpoint?
Cloud-Based Advanced Malware Protection – Sample Architecture
Lightweight Agent
• Watches for move/copy/execute
• Traps fingerprint & attributes
Web-based Manager
Cloud Analytics & Processing
• Transaction Processing
• Analytics
• Intelligence
Agile Security for Advanced Malware – Endpoint Benefits
SEE
▸ Advanced malware at the source
▸ Patient 0 + propagation paths
▸ APT reporting
LEARN
▸ Real-time root cause analysis of threats
▸ Collective immunity & comparative reporting
▸ Data mining & machine learning
ADAPT
▸ Custom detections/signatures
▸ Application control
▸ Whitelisting
ACT
▸ Immediate & retrospective remediation
▸ Action at the point of entry
▸ Continuous scans in cloud
Regain Control of Your Environment
Outbreak control
▸ Custom Signatures for immediate response
▸ Whitelisting
▸ Application Control
Immediate & retrospective remediation
▸ Automatic remediation of damaged endpoints with Cloud Recall
▸ Collective Immunity
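The sample architecture and the "retrospective remediation" and "patient 0" bullets above rest on one mechanism: the agent reports a fingerprint on every move/copy/execute, the cloud answers with a disposition, and because every sighting is retained, a later change of verdict can be replayed against the full history. The following is an added model of that loop, not the Sourcefire agent, its cloud protocol or its "Cloud Recall" implementation; the class and method names, the event fields and the constructed file bytes, hosts and timestamps are all assumptions.

```python
"""Lookup-and-recall model for cloud-backed endpoint malware protection.
Added illustration; names, protocol and sample data are assumed."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    host: str
    path: str
    action: str      # "move", "copy" or "execute", as the agent slide lists
    sha256: str
    ts: int          # seconds; constructed timestamps


def fingerprint(data: bytes) -> str:
    """The agent ships a hash, not the file, so the cloud never needs the bytes."""
    return hashlib.sha256(data).hexdigest()


class DispositionService:
    def __init__(self, known=None):
        self.dispositions = dict(known or {})   # sha256 -> "clean" | "malicious"
        self.history = defaultdict(list)        # sha256 -> every sighting, all hosts

    def lookup(self, event):
        """Agent-side call at move/copy/execute time. The sighting is stored
        even when the answer is 'unknown'; that is what makes recall possible."""
        self.history[event.sha256].append(event)
        return self.dispositions.get(event.sha256, "unknown")

    def reclassify(self, sha256, disposition):
        """Change the verdict for a fingerprint. When a file turns malicious,
        return every past sighting, oldest first (index 0 is patient zero)."""
        previous = self.dispositions.get(sha256, "unknown")
        self.dispositions[sha256] = disposition
        if disposition == "malicious" and previous != "malicious":
            return sorted(self.history[sha256], key=lambda e: e.ts)
        return []


def propagation_path(events):
    """Hosts in the order they first saw the file."""
    seen, path = set(), []
    for e in events:
        if e.host not in seen:
            seen.add(e.host)
            path.append(e.host)
    return path


def run_scenario():
    """Constructed outbreak: one dropper seen on three hosts before anyone
    knew it was bad, then reclassified, then seen again on a fourth host."""
    dropper = b"MZ-constructed-dropper-bytes"        # not a real sample
    known_good = b"MZ-constructed-known-good-bytes"  # not a real binary
    h_drop, h_good = fingerprint(dropper), fingerprint(known_good)
    cloud = DispositionService(known={h_good: "clean"})
    sightings = [
        FileEvent("ws-07", r"C:\Users\a\Downloads\invoice.exe", "execute", h_drop, 100),
        FileEvent("ws-12", r"\\share\tools\invoice.exe", "copy", h_drop, 160),
        FileEvent("ws-03", r"C:\Temp\invoice.exe", "execute", h_drop, 220),
        FileEvent("ws-12", r"C:\Temp\invoice.exe", "execute", h_drop, 300),
    ]
    initial = [cloud.lookup(e) for e in sightings]          # all "unknown" at the time
    recalled = cloud.reclassify(h_drop, "malicious")        # verdict changes later
    return {
        "initial": initial,
        "patient_zero": recalled[0].host,
        "path": propagation_path(recalled),
        "hosts_to_remediate": sorted({e.host for e in recalled}),
        # collective immunity: the next host to run the same hash is told immediately
        "after": cloud.lookup(FileEvent("ws-21", r"C:\Temp\invoice.exe", "execute", h_drop, 400)),
        "clean_after": cloud.lookup(FileEvent("ws-21", r"C:\Windows\notepad.exe", "execute", h_good, 401)),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:20s} {v}")
```

The model makes the trade-off on the slide explicit: retaining every sighting, including the "unknown" ones, is what lets a verdict change answer "which endpoint was infected first?" and "how extensive is the outbreak?" without rescanning, and the cost is that the history store grows with every file event on every endpoint.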
Arm YOU to fight advanced malware
Thank You.