Exposing APT

Jason Brevnik, Vice President, Security Strategy

Uploaded by junius, posted on 23-Feb-2016

TRANSCRIPT

Page 1: Exposing APT

Exposing APT

Jason Brevnik, Vice President, Security Strategy

Page 2: Exposing APT

Exposing APT level threats requires

● Intelligent and diligent people
● Cloud to Core coverage
● Constant visibility and awareness
● Healthy distrust in operational state and compensating controls
● Personalized protections that are tested and audited
● Visibility at all levels

Page 3: Exposing APT

Then.

Page 4: Exposing APT

The Virus!

● In 1949 John von Neumann began lecturing about “Theory and Organization of Complicated Automata”; his Theory of Self-Reproducing Automata was published in 1966
● The Creeper virus was unleashed on ARPANET in 1971
● Elk Cloner appeared in the wild in 1981, affecting Apple DOS 3.3
● 1986 brought the Brain virus to your PC
● ... And we installed AV

Page 5: Exposing APT

The worm!

● Morris
  ► And we installed the firewall
● Melissa
● ExploreWorm
● I Love You
● CodeRed
● Slammer
● Blaster
● Sobig
● Stuxnet
● ...

Page 6: Exposing APT


Page 7: Exposing APT


Page 8: Exposing APT


Classic firewall and AV is not enough

Page 9: Exposing APT

Now

Page 10: Exposing APT


It is not just in Software!

Page 11: Exposing APT

Hacker

Advanced Persistent Threat

Script Kiddie

Cybercriminal

Page 12: Exposing APT


Page 13: Exposing APT


Page 14: Exposing APT


Page 15: Exposing APT


Page 16: Exposing APT


Page 17: Exposing APT


Page 18: Exposing APT

The reality

Page 19: Exposing APT


Stop APT Now!

Page 20: Exposing APT


Page 21: Exposing APT


Easy Picking

Page 22: Exposing APT


Two factor auth won’t keep them out

Page 23: Exposing APT

Today’s Reality

Dynamic Threats
● Organized attackers
● Sophisticated threats
● Multiple attack vectors

Static Defenses
● Ineffective defenses
● Black box limits flexibility
● Set-and-forget doesn’t work

“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.”

Neil MacDonald, VP & Gartner Fellow
Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010

Page 24: Exposing APT

What then?

Page 25: Exposing APT

Awareness

Behavior: Detect anomalies in configuration, connections and data flow

Network: Know what’s there, what’s vulnerable, and what’s under attack

Application: Identify change and enforce policy on hundreds of applications

Identity: Know who is doing what, with what, and where
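The Awareness slide above names four things to watch but not how. The following is an added example, not code from the deck or from Sourcefire: a minimal awareness check that learns a baseline from a "known good" window and then flags the kinds of drift the slide lists: a connection never seen before, a data-flow volume far outside its history, a user acting from a host they never used, and a configuration file whose fingerprint changed. The flow records, hosts, users and configuration text are all constructed for the example; the z-score threshold and the SHA-256 fingerprinting are assumptions, not anything the slide prescribes.

```python
"""Added example (not from the Exposing APT deck): baseline-and-drift checks for
behaviour, data flow, identity and configuration.  All inputs are constructed."""
import hashlib
import statistics
from collections import defaultdict

# Constructed baseline window: (src, dst, dport, bytes, user) for normal activity.
BASELINE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 12000, "alice"),
    ("10.0.1.5", "10.0.2.10", 443, 11500, "alice"),
    ("10.0.1.5", "10.0.2.10", 443, 12800, "alice"),
    ("10.0.1.7", "10.0.2.20", 3306, 5000, "app-svc"),
    ("10.0.1.7", "10.0.2.20", 3306, 5200, "app-svc"),
    ("10.0.1.7", "10.0.2.20", 3306, 4900, "app-svc"),
]

# Constructed observation window, checked against the baseline.
OBSERVED_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 12100, "alice"),       # normal
    ("10.0.1.7", "10.0.2.20", 3306, 950000, "app-svc"),   # data-flow spike on a known path
    ("10.0.1.7", "203.0.113.9", 4444, 2000, "app-svc"),   # destination never seen before
    ("10.0.1.9", "10.0.2.10", 443, 12000, "alice"),       # alice from a host she never used
]


def learn_baseline(flows):
    """Per-connection byte statistics plus a user -> source-hosts map."""
    by_conn = defaultdict(list)
    user_hosts = defaultdict(set)
    for src, dst, port, nbytes, user in flows:
        by_conn[(src, dst, port)].append(nbytes)
        user_hosts[user].add(src)
    stats = {}
    for conn, sizes in by_conn.items():
        mean = statistics.mean(sizes)
        stdev = statistics.pstdev(sizes) or 1.0   # constant history: avoid a zero threshold
        stats[conn] = (mean, stdev)
    return stats, user_hosts


def detect_flow_anomalies(baseline, observed, z_limit=3.0):
    """Return (kind, detail) findings for each observed flow that drifts from the baseline."""
    stats, user_hosts = baseline
    findings = []
    for src, dst, port, nbytes, user in observed:
        conn = (src, dst, port)
        if conn not in stats:
            findings.append(("new-connection", conn))
        else:
            mean, stdev = stats[conn]
            if abs(nbytes - mean) / stdev > z_limit:      # assumed z-score rule
                findings.append(("data-flow-outlier", conn))
        if src not in user_hosts.get(user, set()):
            findings.append(("identity-new-host", (user, src)))
    return findings


def config_fingerprint(config_text):
    """SHA-256 of a configuration file's text; store these when the state is known good."""
    return hashlib.sha256(config_text.encode()).hexdigest()


def detect_config_drift(known_hashes, current_configs):
    """Hosts whose current configuration no longer matches the recorded fingerprint."""
    return [host for host, text in current_configs.items()
            if config_fingerprint(text) != known_hashes.get(host)]


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for kind, detail in detect_flow_anomalies(baseline, OBSERVED_FLOWS):
        print(f"{kind:20s} {detail}")
    known = {"web1": config_fingerprint("PermitRootLogin no\n")}   # constructed known-good state
    current = {"web1": "PermitRootLogin yes\n", "web2": "PermitRootLogin no\n"}
    print("config drift on:", detect_config_drift(known, current))
```

The baseline is the "operational state" the slide says to distrust: learning from a window that already contains the intruder's traffic would teach the detector that the intrusion is normal, so the window has to be chosen and reviewed, not simply the last thirty days. A host with no recorded fingerprint (like web2 above) is reported as drift on purpose, because "no baseline" is itself a visibility gap.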

Page 26: Exposing APT

Intelligence

Threat Intelligence (Security Event)

Endpoint Intelligence (Context)

User Intelligence (Context)

Endpoint Relevance

End-user Relevance

Forensic Analysis: Who accessed what, when, and where?

Page 27: Exposing APT


Knowledge

Page 28: Exposing APT

Tuning

NSS – Q4 Independent Test Results
Key Findings: Protection varied widely between 31% and 98%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous “catchable” attacks.

Graphic by Sourcefire, Inc. Source data from NSS Labs “Network IPS 2010 Comparative Test Results plus 3D8260 NSS test”

Chart series: Default Detection vs. Tuned Detection
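The NSS finding above says what tuning buys but not what it consists of. Here is an added example, not from the deck, from Sourcefire or from NSS Labs, of the mechanism in miniature: a toy rule set where server-side rules ship disabled, an asset inventory that says which server services really exist on the segment, and a tuning step that enables exactly the rules the inventory justifies. Coverage against a small labelled traffic sample is then computed for the shipped ("default") policy and the tuned one. Rule ids, patterns, inventory and traffic are all constructed; the rule fields are plain regexes, not any IPS's rule syntax.

```python
"""Added example (not the deck's or any vendor's code): inventory-driven IPS tuning
compared with the shipped default policy.  Every rule, host and payload is constructed."""
import re

# Constructed rule set.  Client-side rules are on by default, server-side rules are
# off by default, mirroring a product shipped conservatively to limit load.
RULES = [
    {"id": "R-1001", "service": "http-client", "pattern": r"\.exe\s*$",     "default": True},
    {"id": "R-2001", "service": "http-server", "pattern": r"(\.\./){2,}",    "default": False},
    {"id": "R-3001", "service": "smb-server",  "pattern": r"\\PIPE\\srvsvc", "default": False},
    {"id": "R-4001", "service": "ftp-server",  "pattern": r"^SITE\s+EXEC",   "default": False},
]

# Constructed inventory from the "know what's there" step: host -> services it runs.
INVENTORY = {"10.0.2.10": {"http-server"}, "10.0.2.20": {"smb-server"}}

# Constructed traffic sample with ground truth ("attack" marks the test-attack set).
TRAFFIC = [
    {"service": "http-client", "payload": "GET /update.exe",             "attack": True},
    {"service": "http-server", "payload": "GET /../../../../etc/passwd", "attack": True},
    {"service": "smb-server",  "payload": "\\PIPE\\srvsvc",              "attack": True},
    {"service": "http-server", "payload": "GET /index.html",             "attack": False},
]


def default_policy(rules):
    """Rule ids enabled when the product is deployed as shipped."""
    return {r["id"] for r in rules if r["default"]}


def tuned_policy(rules, inventory):
    """Default rules plus every server-side rule for a service the inventory shows."""
    present = set().union(*inventory.values())
    return {r["id"] for r in rules if r["default"] or r["service"] in present}


def detect(rules, enabled, event):
    """Ids of enabled rules for the event's service whose pattern hits the payload."""
    return [r["id"] for r in rules
            if r["id"] in enabled
            and r["service"] == event["service"]
            and re.search(r["pattern"], event["payload"])]


def coverage(rules, enabled, traffic):
    """Fraction of ground-truth attacks caught by at least one enabled rule."""
    attacks = [e for e in traffic if e["attack"]]
    caught = sum(1 for e in attacks if detect(rules, enabled, e))
    return caught / len(attacks)


def false_positives(rules, enabled, traffic):
    """Benign payloads that an enabled rule fired on; tuning must not inflate this."""
    return [e["payload"] for e in traffic if not e["attack"] and detect(rules, enabled, e)]


if __name__ == "__main__":
    for name, policy in (("default", default_policy(RULES)),
                         ("tuned", tuned_policy(RULES, INVENTORY))):
        print(f"{name:8s} rules={sorted(policy)} "
              f"coverage={coverage(RULES, policy, TRAFFIC):.0%} "
              f"false_positives={false_positives(RULES, policy, TRAFFIC)}")
```

Two points the numbers make: the shipped policy catches only the client-side sample, which is the "remote attacks against servers" gap the finding describes, and the tuned policy still leaves the FTP rule off because the inventory shows no FTP server, so tuning is selection driven by knowledge of the network rather than "enable everything". A stale inventory therefore reappears as a detection gap, which is why the inventory itself needs the same audit the slides call for.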

Page 29: Exposing APT

Personalization

Privilege

Content

Purpose

Your applications

Your Users

Your network

Should it travel?

Is access normal?

Forensic Analysis: Who accessed what, when, and where?

Page 30: Exposing APT


Is that enough?

Page 31: Exposing APT


We have to learn and share

Page 32: Exposing APT


Intelligent Protection: Cloud to Core

Page 33: Exposing APT

Cloud to Core protection requires

● Comprehensive Audit (Logs/IDS/Test)
● Comprehensive Control (AAA/IPS/FW/NG*)
● Pervasive Awareness Platform
● Coordinated Endpoint Control
● Look-back forensics capability
● Physical, virtual and cloud deployment
● Mobile and Consumer integration
● Visibility and Openness
● Depth and Personalization

Page 34: Exposing APT


Page 35: Exposing APT


Questions