
Exposing APT
Jason Brevnik, Vice President, Security Strategy

Exposing APT level threats requires
● Intelligent and diligent people
● Cloud to Core coverage
● Constant visibility and awareness
● Healthy distrust in operational state and compensating controls
● Personalized protections that are tested and audited
● Visibility at all levels

Then.

The Virus!
● In 1949 John von Neumann began lecturing about “Theory and Organization of Complicated Automata”; his Theory of Self-Reproducing Automata was published in 1966
● The Creeper virus was unleashed on ARPANET in 1971
● Elk Cloner appeared in the wild in 1981, affecting Apple DOS 3.3
● 1986 brought the Brain virus to your PC
● ... And we installed AV

The worm!
● Morris
  ► And we installed the firewall
● Melissa
● ExploreWorm
● I Love You
● CodeRed
● Slammer
● Blaster
● Sobig
● Stuxnet
● ...

Classic firewall and AV is not enough

Now

It is not just in Software!

Hacker
Advanced Persistent Threat
Script Kiddie
Cybercriminal

The reality

Stop APT Now!

Easy Picking

Two factor auth won’t keep them out

Today’s Reality
Dynamic Threats
● Organized attackers
● Sophisticated threats
● Multiple attack vectors
Static Defenses
● Ineffective defenses
● Black box limits flexibility
● Set-and-forget doesn’t work
“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.”
Neil MacDonald, VP & Gartner Fellow
Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010

What then?

Awareness
● Behavior: Detect anomalies in configuration, connections and data flow
● Network: Know what’s there, what’s vulnerable, and what’s under attack
● Application: Identify change and enforce policy on hundreds of applications
● Identity: Know who is doing what, with what, and where

Intelligence
● Threat Intelligence (Security Event)
● Endpoint Intelligence (Context)
● User Intelligence (Context)
● Endpoint Relevance
● End-user Relevance
Forensic Analysis: Who accessed what, when, and where?

Knowledge

Tuning
NSS – Q4 Independent Test Results
Key Findings: Protection varied widely between 31% and 98%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous “catchable” attacks.
Graphic by Sourcefire, Inc. Source data from NSS Labs “Network IPS 2010 Comparative Test Results plus 3D8260 NSS test”
[Chart: Default Detection vs. Tuned Detection]

Personalization
● Privilege, Content, Purpose
● Your applications, your users, your network
● Should it travel? Is access normal?
Forensic Analysis: Who accessed what, when, and where?

Is that enough?

We have to learn and share

Intelligent Protection: Cloud to Core

Cloud to Core protection requires
● Comprehensive Audit (Logs/IDS/Test)
● Comprehensive Control (AAA/IPS/FW/NG*)
● Pervasive Awareness Platform
● Coordinated Endpoint Control
● Look-back forensics capability
● Physical, virtual and cloud deployment
● Mobile and Consumer integration
● Visibility and Openness
● Depth and Personalization

Questions