The DNS Tunneling Blindspot

Stopping the bad guys and what you can do about it
Brian A. McHenry, Sr. Security Solutions Architect
[email protected]
@bamchenry

Upload: brian-a-mchenry

Post on 20-Mar-2017


TRANSCRIPT

Page 1: The DNS Tunneling Blindspot

Stopping the bad guys and what you can do about it
Brian A. McHenry, Sr. Security Solutions Architect
[email protected]
@bamchenry

Page 2: The DNS Tunneling Blindspot

Enterprise Blindspots in the Age of Malware & Insider Threats
Brian A. McHenry, Sr. Security Solutions Architect
[email protected]
@bamchenry

Page 3: The DNS Tunneling Blindspot

Who is this guy?

• Brian A. McHenry, Sr. Security Solutions Architect, F5 Networks
• 9 years at F5, focused on application security solutions
• Regular contributor on DevCentral.f5.com & InformationSecurityBuzz.com
• Follow me on Twitter @bamchenry

Page 4: The DNS Tunneling Blindspot

Greatest threats to data loss?

External
• Injection attacks
  • SQL, cmd, etc.
• Open TCP ports
  • SSH, Telnet, FTP, etc.
• Phishing

Internal
• Undetected malware
  • Servers, desktops, laptops, etc.
• Employees, contractors
  • Disgruntled or careless
• Unverified backup systems

Page 5: The DNS Tunneling Blindspot

Detecting Malware

Page 6: The DNS Tunneling Blindspot

Mitigate Malicious Communication - RPZ
Open Service DNS Query Filtering by Reputation

Prevent malware and sites hosting malicious content from ever communicating with a client.

Inhibit the threat at the earliest opportunity. Internet activity starts with a DNS request.

Mitigate DNS threats by blocking access to malicious IPs. Reduce malware and virus infections.

[Diagram: Response Policy Zone (RPZ) live feed (domain reputation, live updates) feeding a BIG-IP DNS server/proxy; "Select Your Service"]

Page 7: The DNS Tunneling Blindspot

Protecting the Client
The internet isn't an altogether safe place

MALICIOUS THREATS
• BotNets: Inadvertently downloaded and used to mount distributed attacks.
• Viruses: Once installed, causes malicious activity on the end-user device, sometimes for ransom.
• OS Vulnerabilities: Unprotected, unpatched devices are extremely vulnerable.

UNDESIRABLE CONTENT
• Offensive: Content may violate HR or local rules, violate decency standards, or be age inappropriate.
• Irrelevant: Distracting content incompatible with job function or policy.
• Illegal content: File sharing or sites identified as hosting banned material.

DUPING THE USER
• Phishing scams and Man in the Middle: Websites which impersonate real websites, often linked from email or a website. Scammers aim to capture credentials.
• Site redirection: DNS traffic is captured and sent to a malicious DNS server serving bad DNS results.

Page 8: The DNS Tunneling Blindspot

DNS IP and Name Reputation Choices

RESPONSE POLICY ZONES
• Screens a DNS request against domains with a bad reputation.
• INHIBITS THREATS BY FQDN

URL FILTERING
• Intercept a DNS request in iRules. Categorize & make a decision.
• INHIBITS THREATS BY FQDN
• POLICY CONTROL BY FQDN

IP REPUTATION
• Intercept a DNS response in iRules. Categorize & make a decision.
• INHIBITS THREATS BY IP

Page 9: The DNS Tunneling Blindspot

Technical Use Cases

http://www.badsite.com
• Threat type: Virus, malware etc. DNS lookup required.
• IP Reputation: Limited to IP address reputation.

http://194.71.107.15
• Threat type: Virus, malware etc. No DNS lookup issued.
• RPZ: No DNS lookup to filter.
• URL Filtering: No URL or FQDN to examine.

http://www.facebook.com
• Threat type: Social networking. Against corp policy.
• RPZ: Covers malicious content only.
• IP Reputation: Limited to IP address reputation.

Page 10: The DNS Tunneling Blindspot

Use Case – User Protection
Prevent subscribers from reaching known bad domains

Prevent malware and sites hosting malicious content from ever communicating with a client.

Internet activity starts with a DNS request. Inhibit the threat at the earliest opportunity.

[Diagram: DNS server or proxy with cache, resolver, protocol validation, scripting, IPv4/v6 listener, reputation database and special handling; RPZ live feed with live updates]

Page 11: The DNS Tunneling Blindspot

Use Case – ISP Layered Client Protection

[Diagram: QUERY: WWW.DOMAIN.COM enters the ingress DNS path; DNS Policy (cache, resolver, iControl, subscriber policy, RPZ, IP reputation, URL filtering) is applied; the egress DNS path returns the result. Inputs: RPZ feed, IP reputation feed, URL feed, policy]

• Response Policy Zones (RPZ) filter out known bad domains and provide an NXDOMAIN / redirect response.
• URL Filtering further provides granular policy controls using categories.
• IP Intelligence blocks based on the resolved IP.
• It can also be used in the data path for other protocols.
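The layered decision the slides describe (RPZ on the incoming query, URL-category policy on the query name, IP reputation on the resolved answer) can be followed in a small offline simulation. This is an added example, not F5 BIG-IP or iRules code; the RPZ feed, category list, reputation ranges and resolver answers are all constructed, and the function and field names are the example's own.

```python
"""
Layered DNS policy evaluation: RPZ -> URL-category policy -> IP reputation.
Added illustration; every feed and name below is constructed, not a real service.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed RPZ-style feed: name -> "NXDOMAIN" or a redirect target.
# A "*." entry covers every subdomain, mirroring RPZ wildcard rules.
RPZ_FEED = {
    "badsite.example": "NXDOMAIN",
    "*.badsite.example": "NXDOMAIN",
    "phish.example": "walledgarden.example",   # redirect to a notice page
}

# Constructed URL-filtering categories and the subscriber policy over them.
URL_CATEGORIES = {"social.example": "social-networking", "news.example": "news"}
BLOCKED_CATEGORIES = {"social-networking"}

# Constructed IP reputation feed (address blocks flagged as malicious).
IP_REPUTATION = [ip_network("194.71.107.0/24")]

# Constructed resolver answers so the example runs without network access.
FAKE_RESOLVER = {
    "www.badsite.example": ["203.0.113.10"],
    "phish.example": ["203.0.113.20"],
    "social.example": ["198.51.100.5"],
    "news.example": ["198.51.100.9"],
    "cdn.example": ["194.71.107.15"],   # clean name, bad resolved address
}


@dataclass
class Verdict:
    action: str                      # "NXDOMAIN", "REDIRECT", "BLOCK" or "ALLOW"
    layer: str                       # which layer made the decision
    answer: list = field(default_factory=list)
    target: Optional[str] = None     # redirect target or blocked category


def rpz_lookup(qname):
    """Exact RPZ match first, then wildcard matches on each parent domain."""
    name = qname.rstrip(".").lower()
    if name in RPZ_FEED:
        return RPZ_FEED[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        key = "*." + ".".join(labels[i:])
        if key in RPZ_FEED:
            return RPZ_FEED[key]
    return None


def url_category(qname):
    """Category of the name or of its closest categorized parent domain."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        cat = URL_CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def ip_is_bad(addr):
    a = ip_address(addr)
    return any(a in net for net in IP_REPUTATION)


def resolve_with_policy(qname, resolver=FAKE_RESOLVER):
    # Layer 1: RPZ on the ingress query; no upstream lookup is needed to decide.
    action = rpz_lookup(qname)
    if action == "NXDOMAIN":
        return Verdict("NXDOMAIN", "rpz")
    if action:
        return Verdict("REDIRECT", "rpz", target=action)
    # Layer 2: category policy on the query name.
    cat = url_category(qname)
    if cat in BLOCKED_CATEGORIES:
        return Verdict("BLOCK", "url-filtering", target=cat)
    # Upstream resolution (stubbed with the constructed table).
    answer = resolver.get(qname.rstrip(".").lower(), [])
    # Layer 3: IP reputation on the egress response.
    if any(ip_is_bad(ip) for ip in answer):
        return Verdict("BLOCK", "ip-reputation", answer=answer)
    return Verdict("ALLOW", "none", answer=answer)


if __name__ == "__main__":
    for q in FAKE_RESOLVER:
        print(q, resolve_with_policy(q))
```

The order of the layers matters for cost and coverage: RPZ and category checks run on the query name before any upstream resolution, while the reputation check needs the resolved addresses and so runs on the response. The example only covers the DNS path; as the use-case slide notes, a client that connects straight to an IP address never sends a query, which is why IP intelligence is also placed in the data path for other protocols.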
