packetviper: addressing the hidden killer in network security

THE HIDDEN NETWORK KILLERFRANCESCO TRAMA / CO-FOUNDER

AGENDA▸ Traffic Volume, Velocity, and Variety

▸ How Traffic Volume Supports Threats

▸ Network Security Practices Today

▸ Decreasing Volume Improves Security

▸ Challenges in today’s security paradigm

▸ PacketViper

TRAFFIC VOLUME, VELOCITY, AND VARIETY

INTERNET WAS BUILT ON A SHARED PLATFORM

TRAFFIC TRENDS EST BY 2020 ‣ Global IP traffic will reach 2.3 ZB per year, or 194 EB

per month

‣ Global IP traffic will increase nearly threefold

‣ Smartphone traffic will exceed PC traffic

‣ IP traffic in North America will reach 59.1 EB per month

‣ IP traffic in Western Europe will reach 28.0 EB per month

‣ IP traffic in Asia Pacific will reach 67.8 EB per month

‣ IP traffic in Latin America will reach 11.6 EB per month

‣ Devices connected to IP networks will be 3X as high as the global population.

Reference: Cisco VNI™ Forecast June 2016

NETWORK SECURITY TODAY

THERE PLENTY OF SECURITY TOOLS. EACH PROVIDE THEIR OWN EXPERTISE TO SECURITY. NO ONE ALONE SOLVES THE SECURITY

PROBLEM!

EACH IMPROVED BY LESS TRAFFIC VOLUME

How Traffic Volume Supports Threats

THIS IS THE REALITY

‣ Protection has always been a short term fix ‣ Software has breadcrumbs to its origins ‣ Upgrades and Patching not equally done ‣ Short term memory ‣ We are all connected!

LET’S SAY IT OUT LOUD! THREATS WILL ALWAYS BE

A New Zero-Day Vulnerability Discovered Each Week In 2015, the number of zero-day vulnerabilities discovered more than doubled to 54, a 125 percent increase from the year before. Or put another way, a new zero-day vulnerability was found every week (on average) in 2015.

Source Symantec: 2016 Internet Security Threat Report

APPLICATION LAYER DDOS AND BOTS

▸ 18 BOTNET INFECTIONS PER SECOND According to the director of FBI’s cyber division, Joseph Demarest,

▸ 2016 perpetrators could slip through standard security challenges, commonly used to filter out attack traffic.

▸ In Q1 2016, the number of such bots mushroomed to 36.6 percent of total bot traffic

▸ Such capabilities, when combined with a legitimate looking HTTP fingerprint, make malicious bots impervious to most common detection methods.

Source: Q1 2016 Global DDoS Threat Landscape Report Mad Skills

500 MILLION Compromised computers per year.

196 COUNTRIESAs stated by the FBI in a recent Senate statement,

“Botnets have caused over $9 Billion in losses to US victims and over $110 Billion in losses globally. Approximately 500 Million computers are infected globally each year, translating into 18 Victims per second”

Source: Global Security, Safety, and Sustainability

DELIVERY PLATFORMS▸ 2 Million + Apple Apps

▸ 2.2 Million + Android Apps

▸ 669,000 Microsoft Apps

▸ 1.1 Billion Websites

▸ 130+ Billion Emails per day

▸ 3 + Billion Users

▸ 7.2 Billion Mobile Devices

▸ Billions Of USB sticks

▸ 6.4 Billion IoT Devices

Sources: Radicati, Windows Central, Statista, US Census

PITFALLS THAT HURT NETWORK SECURITY

‣ Failure to recognize security is about humans

‣ You believe your are seeing all threats

‣ Believing “Top Anything” reports is the complete picture.

‣ Believe Garbage in not Garbage Out

‣ You Have Clear Visibility

‣ You are prepared for the inevitable breach

‣ OPEX Budgets do not determine your network security strength, viability, and effectiveness.

ATTACKERS ARE AWARE OF YOUR NETWORK CHALLENGES!

Stay Small, Nimble, and Humble

NOT UNDERSTANDING OR OVER THINKING THE GLOBAL REACH OF NETWORKS

▸ CDN and ADN’s provide businesses with content and application everywhere capabilities

▸ Low rent cloud providers provide business and hackers global capabilities.

▸ Applications and business are borderless

Forces security teams to loosen perimeter security and nearly abandoned large scale IP prevention

Security devices do not consider the Business of the Internet, rather the Application of the Internet.

Windows Firewall and Port Settings for Client Computers in Configuration Manager

For the management point to notify client computers about an action that it must take when an administrative user selects a client action in the Configuration Manager console, such as download computer policy or initiate a malware scan, add the following as an exception to the Windows Firewall:

Outbound: TCP Port 10123

Remote Control: To use Configuration Manager remote control, allow the following port:

Inbound: TCP Port2701

Wake-Up Proxy: For System Center 2012 Configuration Manager SP1 and later:

Outbound: UDP Port 25536 Outbound: UDP Port 9

‣ Complexity of today’s internet business.

‣ Services provide live data of the latest malicious IP Traffic via cloud or other wise

‣ Management of such large list become cumbersome and weigh security devices down.

‣ Firewalls would reach their limits attempting to handle a large rule base.

ABANDONMENT OF LARGE SCALE IP PREVENTION FACTORS

‣ Softening perimeter rules, ‣ Exposure of portals (VPN, OWA, FTP, ETC) ‣ To restrictions could introduce latency and complexity ‣ Logging is vague and difficult to understand who or what ‣ Inspect everything cause drag on the team, systems, and

causes logging whiteouts

RESULTS

Network Security Practices Today


▸ Deep Packet Inspection ▸ Stateful Inspections ▸ Application Identification ▸ Protocol Analysis and Detection ▸ Blacklist, AutoShun, Honeypot ▸ Content Inspection ▸ Algorithmic Detection ▸ Operational Behavioral Detection ▸ Logging, Alerting

WWW

SSH

TELN

IMAP

FI

RE

WA

LL

IDS

IPS

SSL

APP

SPI

Rule

s

Con

tent

Insp

ectio

ns

Auth

APP

ID

RBL

ID

LOG

/

Aler

t

Mal

war

e In

spec

tions

LOG ANALYZE ALERTTRAFFIC

24X7X365Monitoring and Management Required

Limits Visibility, Accuracy, Dependability

Increases Latency

Hampers threat identification and remediation

Increases Logging, Alerting, False Positives

Increase costs

Adds Complexity, Management time, and Fatigue

VOLUMETRAFFIC

ITS EFFECT TO NETWORK SECURITY

Decreasing Volume Improves Security

REDUCING TRAFFIC VOLUME REDUCES NETWORK SECURITY INSPECTIONS

TSA▸ Less Deep Packet Inspection ▸ Less Stateful Inspections ▸ Less Application Identification ▸ Less Protocol Analysis and Detection ▸ Less Blacklist, AutoShun, Honeypot ▸ Less Content Inspection ▸ Less Algorithmic Detection ▸ Less Operational Behavioral Detection ▸ Less Logging, Alerting

COMMON SENSE APPLICATION USE

IDENTIFYING YOUR INTERNET BUSINESS

VPN

FTP

OWA

CONNECTION

ChinaItalyRussia

Canada


ChinaItalyRussia

Canada



Italy

Canada

AmazonBusiness AGoogle

Business DGoogle


APPLICATION LOCATION PROBABILITY

▸ Does traffic need to come from high risk areas of the world?

▸ What are your operating areas?

▸ Which businesses are within those high risk areas?

▸ What public services are being offered to customers and employees:

▸ VPN, FTP, WEB, MAILINSPECTION

COUNTRYPORT, PROBABILITY

BUSINESSPORT, PROBABILITY

APPLICATION USEPORT, PROBABILITY

LOCATION THREAT FACTORS

NETWORKPORT, PROBABILITY

BUSINESSKEY FACTORS TO REDUCING TRAFFIC

▸ Business Operating Space

▸ Country

▸ Business

▸Network

▸ Threat probability

COLOCATION CLOUD

CN

UK

IT

RU

AU

OPERATING NETWORK

PERMITTED SERVICES

SERVICES

Targeting probability areas of expected traffic vectors eliminates unwanted traffic and reduces perimeter noise.

WWW

VPN

SSH

TELN

IMAP

FTP

MAIL

HTTP

VPN

SSH

TELNET

IMAP

Less Activity

V

S

T

I

FTPMAIHTVPSSTELIMA

LOG ANALYZE ALERTTRAFFIC

Connections

Challenges in today’s security paradigm


UNFORTUNATELY SECURITY IS NOT ALL UNICORNS AND RAINBOWS

‣ The belief this can be done with existing firewalls (FW/NGFW)

‣ Rules and management efforts would be tremendous

‣ Can not effectively identify the business factors of the traffic

‣ firewalls have limited global sight

‣ There are limits to the amount of rules

‣ Firewalls have limits on the amount of objects and rules

‣ The effort needed within existing firewalls would make it latent

‣ Firewalls are great inspection point, but lack global business perspective

Nuts!

THREAT INTELLIGENCE CONUNDRUM! “WE MUST HAVE THREAT INTELLIGENCE!”▸ “Threat of the Day”

▸ Many threats go unannounced for months and years

▸ Threat intelligence can not look into the future. Many assumption lead to many false positives.

▸ To many threat intelligence sources can/will be overwhelming.

▸ Does your team understand proper key indicators to new or unannounced threats?

▸ Fact is: You have little control over threats

Coming

Off Radar

Cultivating

FRANCESCO TRAMA - CO-FOUNDER

PACKETVIPER - BASED IN PITTSBURGH PA

▸ Advanced IP-Filtering Solution

▸ Address traffic at the perimeter before it enters the security environment

▸ Inline device that replaces nothing, no latency

▸ 5 min install

▸ Patented Advanced IP filtering that addresses the country, company, network space, and threats bi-directionally by network port

WHAT IS PACKETVIPER?

Geo Location Data

Rules Management

Logging & Reporting Engine

REDUCE THE VOLUMEIMPROVE SECURITY

with

www.packetviper.com

855-758-4737