Sourcefire Network Security Presentation - ISSA: Pittsburgh Chapter

decisioncrunch, Networks and Communications

20 Nov 2013


Taking Control of the Advanced Threat Problem

Adam Hogan, Security Engineer, Sourcefire

@adamwhogan

ahogan@sourcefire.com


Agenda

Frame the Advanced Threat Problem

Define “Next-Gen Security”

Traditional Network-Based Solutions: NG-IPS and NGFW

Endpoint Approach to Advanced Malware (Cloud Supported)

IT Environments are Changing Rapidly

Virtualization

Consumerization

Mobilization

Applications

Networks

Devices

VoIP

Threats are Increasingly Complex

Client-side Attacks

Targeted | Organized

Relentless | Innovative

Advanced Persistent Threats

Malware Droppers


2010 Ponemon Institute Study

Published in March 2011

51 U.S. companies interviewed with breaches that occurred in 2010

4,200 to 105,000 records stolen

Breach costs ranged from $780,000 to $35.3 million

Report highlights:

Average data breach cost: $7.2 million

Average cost per stolen record: $214

31% of breaches were criminal attacks

Breaches related to criminal attacks are the most expensive

Customer turnover remains the main driver of data breach costs


“Once a deviant industry is professionalized, crackdowns merely promote innovation.”

Nils Gilman, 4th European Futurists Conference

“The criminal breaks the monotony and humdrum security of bourgeois life, he thereby insures it against stagnation, and he arouses that excitement and restlessness without which even the spur of competition would be blunted”

Karl Marx

Professionalization of Hacking

A Closer Look

Hacktivism

Targeted Attacks

Threats Change


Traditional Security Products Do Not

Static | Inflexible

Closed/Blind | Labor Intensive


“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.”

Neil MacDonald, VP & Gartner Fellow

Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010

Next Gen Security is…

…a continuous process to respond to continuous change.

Agile Security

You Can’t Protect What You Can’t See


Breadth: who, what, where, when

Depth: as much detail as you need

Real-time data

See everything in one place

“Seeing” provides information superiority

Agile Security

OS

Users

Devices

Threats

Applications

Files

Vulnerabilities

Network


Block, alert, log, modify, quarantine, remediate

Respond via automation

Reduce the ‘noise’

Automatically optimize defenses

Lock down your network to policy

Leverage open architecture

Configure custom-fit security

Gain insight into the reality of your IT and security posture

Get smarter by applying intelligence

Correlate, prioritize, decide

Key: intelligence & automation

Security Before, During & After the Attack

Before

Policy & Control


Discover
environment

Implement access
policy

Harden assets

During

Identification & Block


Detect

Prevent

After

Analysis & Remediation


Determine Scope

Contain

Remediate

What is needed is a new approach to protect your organization

What Can You Do?


Assess your vendors by assuming you will be hacked

p.s., you will be... have been.

Your security tools are tools.

Forget about set-and-forget tech and think about how each process, program or product helps your analysts keep you safe.

Exploring Detection


There are some really useful rules not on by default

INDICATOR-OBFUSCATION

Javascript obfuscation: fromCharCode, non alpha-numeric

Hidden iFrames

Excessive queries for .cn/.ru

HTTP POST to a JPG/GIF/PNG/BMP?

Java 0-Day

SIDs 25301, 25302

Largely used by exploit kits (Blackhole, Cool Kit, Nuclear, Redkit): covered

Why is java.exe downloading calc.exe?

BTW, User Agents are telling


No, really:

User-Agent: Malware

(RFC 3514 anybody?)

Unless your proxy rewrites them all...

What can we do? Communication


Watch hackers.

Many aren’t that sneaky. (L|H)OIC source code is public, for crying out loud.

LOIC packet contains: “U dun goofed”

HOIC botched protocol, used two spaces where one is allowed.

They recruit! Publicly. Get on Twitter. Watch pastebin.org. Scrape it. Use Google Alerts if you can’t script.
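The detection ideas on the last three slides (rules that are off by default, the literal “User-Agent: Malware”, and the LOIC marker string) can be checked against plain proxy, DNS and packet data without an IPS. The script below is an added example, not Sourcefire code or a Snort rule; the log lines, the client addresses, the process names and the per-client threshold for .cn/.ru lookups are all constructed for illustration. It generalizes the user-agent slide slightly: instead of matching the string “Malware”, it flags any User-Agent that does not begin with a prefix the organization expects to see from its managed clients.

```python
from collections import Counter

# Constructed sample proxy log (not from the presentation).
# Fields: timestamp | client IP | process | method | URL | User-Agent
PROXY_LOG = """\
2013-11-20T09:00:01|10.0.0.5|chrome.exe|GET|http://intranet.example/index.html|Mozilla/5.0 (Windows NT 6.1) Chrome/30.0
2013-11-20T09:00:07|10.0.0.5|java.exe|GET|http://cdn.example.net/jre/update.jar|Mozilla/4.0 (Windows 7) Java/1.7.0_25
2013-11-20T09:00:09|10.0.0.7|java.exe|GET|http://198.51.100.23/load/calc.exe|Mozilla/4.0 (Windows 7) Java/1.7.0_25
2013-11-20T09:00:12|10.0.0.9|svchost.exe|POST|http://203.0.113.8/images/logo.gif|Malware
2013-11-20T09:00:15|10.0.0.5|firefox.exe|POST|http://forum.example/upload.php|Mozilla/5.0 (Windows NT 6.1) Firefox/25.0
"""

# Constructed DNS query log: (client IP, queried name).
DNS_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "a1.example.cn"), ("10.0.0.7", "b2.example.ru"),
    ("10.0.0.7", "c3.example.cn"), ("10.0.0.7", "d4.example.ru"),
    ("10.0.0.9", "mail.example.ru"),
]

# Constructed HTTP flood request carrying the marker string the slide mentions.
SAMPLE_LOIC_PACKET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\nU dun goofed"
LOIC_MARKER = b"U dun goofed"

# Assumed allow-list: User-Agent prefixes managed clients are expected to send.
EXPECTED_UA_PREFIXES = ("Mozilla/",)
IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png", ".bmp")
EXE_EXT = (".exe", ".dll", ".scr")
WATCHED_TLDS = (".cn", ".ru")


def parse_proxy_log(text):
    """Split the pipe-delimited log into dicts; the User-Agent is the last field."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, proc, method, url, ua = line.split("|", 5)
        rows.append({"ts": ts, "client": client, "proc": proc,
                     "method": method, "url": url, "ua": ua})
    return rows


def check_http(rows):
    """Return (client, indicator, detail) for rows matching the slide heuristics."""
    hits = []
    for r in rows:
        path = r["url"].split("?", 1)[0].lower()   # drop the query string
        if not r["ua"].startswith(EXPECTED_UA_PREFIXES):
            hits.append((r["client"], "unexpected-user-agent", r["ua"]))
        if r["method"] == "POST" and path.endswith(IMAGE_EXT):
            hits.append((r["client"], "post-to-image", r["url"]))
        if r["proc"].lower() == "java.exe" and path.endswith(EXE_EXT):
            hits.append((r["client"], "java-downloads-executable", r["url"]))
    return hits


def excessive_tld_queries(dns_log, threshold=3):
    """Clients that looked up at least `threshold` names under the watched TLDs."""
    counts = Counter(client for client, name in dns_log
                     if name.lower().endswith(WATCHED_TLDS))
    return {client: n for client, n in counts.items() if n >= threshold}


def is_loic_payload(payload: bytes) -> bool:
    """Content match for the LOIC marker string, the way an IDS content rule would."""
    return LOIC_MARKER in payload


if __name__ == "__main__":
    for hit in check_http(parse_proxy_log(PROXY_LOG)):
        print("HTTP:", hit)
    print("DNS:", excessive_tld_queries(DNS_LOG))
    print("LOIC marker present:", is_loic_payload(SAMPLE_LOIC_PACKET))
```

On the constructed log the script flags the java.exe download of calc.exe from 10.0.0.7, the “Malware” user agent and the POST to a .gif from 10.0.0.9, and 10.0.0.7 for four .cn/.ru lookups; the Firefox POST to upload.php and the Java runtime fetching a .jar are left alone. The process column is the part a proxy log usually lacks, which is why the slide frames the java.exe question as something the endpoint, not the network, is best placed to answer.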

What Can You Do?


Hire analysts


It’s going to cost you.


And if they aren’t trained they depreciate.

Example: “Agile Security” Fuels Automation in an IDS/IPS

IT Insight

Spot rogue hosts, anomalies, policy violations, and more

Impact Assessment

Threat correlation reduces actionable events by up to 99%

Automated Tuning

Adjust IPS policies automatically based on network change

User Identification

Associate users with security and compliance events

Reduce Risk with: Application Control on the IPS!

Control access to Web-enabled apps and devices

“Employees may view Facebook, but only Marketing may post to it”

“No one may use peer-to-peer file sharing apps”

Over 1,000 apps, devices, and more!

Reduce Risk with: IP Reputation


Block and Alert on:

Botnet C&C Traffic

Known Attackers

Malware, Phishing, and Spam Sources

Open Proxies and Relays

Create Your Own Lists

Download from Sourcefire or Third Parties
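What an IP reputation lookup actually has to do, once a downloaded feed and a locally maintained list are both in play, is shown by the added example below. It is not Sourcefire’s implementation or feed format; the list entries, addresses, categories and the rule that the local list overrides the downloaded one are all constructed assumptions. Each list is a set of CIDR prefixes with a category and an action (block, alert or allow); within a list the most specific prefix wins, and an earlier list wins over a later one, so a local “allow” exception can carve a partner’s scanner out of a feed’s open-proxy range.

```python
import ipaddress
from collections import namedtuple

# Constructed reputation feed (not a Sourcefire or third-party feed).
# Fields: network, category, default action
FEED = """\
# network,category,action
198.51.100.0/24,botnet-cc,block
203.0.113.8/32,known-attacker,block
192.0.2.0/25,open-proxy,alert
192.0.2.200/32,spam-source,alert
"""

# Constructed local list ("create your own lists"); consulted before the feed.
CUSTOM = """\
192.0.2.77/32,partner-scanner,allow
203.0.113.0/24,phishing-source,block
"""

# Constructed outbound connection records: (client, destination IP)
CONNECTIONS = [
    ("10.0.0.5", "198.51.100.23"),
    ("10.0.0.7", "192.0.2.5"),
    ("10.0.0.9", "192.0.2.77"),
    ("10.0.0.9", "10.1.1.1"),
]

Entry = namedtuple("Entry", "network category action")


def parse_list(text):
    """Parse 'network,category,action' lines; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, category, action = (f.strip() for f in line.split(","))
        entries.append(Entry(ipaddress.ip_network(net, strict=False), category, action))
    return entries


def build_reputation(*lists):
    """Lists are kept in priority order: the first list that matches decides."""
    return [parse_list(text) for text in lists]


def lookup(rep, ip):
    """Return the winning Entry for `ip`, or None if no list covers it."""
    addr = ipaddress.ip_address(ip)
    for entries in rep:
        matches = [e for e in entries if addr in e.network]
        if matches:
            # Longest prefix wins inside a list (a /32 beats the /25 around it).
            return max(matches, key=lambda e: e.network.prefixlen)
    return None


def verdict(rep, ip):
    """(action, category) for an address; unlisted addresses are allowed."""
    entry = lookup(rep, ip)
    if entry is None:
        return ("allow", "unlisted")
    return (entry.action, entry.category)


def triage(rep, connections):
    """Group connections by the action the reputation data calls for."""
    out = {"block": [], "alert": [], "allow": []}
    for client, dst in connections:
        action, category = verdict(rep, dst)
        out.setdefault(action, []).append((client, dst, category))
    return out


if __name__ == "__main__":
    rep = build_reputation(CUSTOM, FEED)   # local list first, then the feed
    for action, items in triage(rep, CONNECTIONS).items():
        print(action, items)
```

With the constructed data the connection to 198.51.100.23 is blocked as botnet C&C, 192.0.2.5 raises an alert as an open proxy, and 192.0.2.77 is allowed because the local /32 exception outranks the feed’s /25. A real deployment should log the category and list that produced each verdict, since that is what the analyst needs when a feed entry turns out to be stale.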

So, what is the difference between NG-IPS and NGFW?

Gartner Defines NGIPS & NGFW

Next-Gen IPS (NGIPS)

Standard first-gen IPS

Application awareness and full-stack visibility

Context awareness

Content awareness

Agile engine

Next-Gen Firewall (NGFW)

Standard first-gen firewall

Application awareness and full-stack visibility

Integrated network IPS

Extrafirewall intelligence

Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011. “Defining the Next-Generation Firewall,” Gartner, October 12, 2009

“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”

Next-Generation IPS Comparison

What is a Next-Generation Firewall?


Stateful First-Generation Firewall

Stateful protocol inspection

Switching, routing and NAT

Integrated Network Intrusion Prevention

Not merely “co-located”

Includes vulnerability- and threat-facing signatures

Application Awareness with Full-Stack Visibility

Example: Allow Skype, but disable Skype file sharing

Make Facebook “read-only”

Extrafirewall Intelligence

User directory integration

Automated threat prevention policy updates


Gartner on Next-Generation IPS

“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”

Available now on Sourcefire.com

Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011

Application awareness

Contextual awareness

Content awareness

Agile engine








Ponemon NGFW Survey Highlights

Survey conducted in October 2011

2,561 responses

Key Results:

Most NGFWs augment (not replace) existing firewalls

IPS component rated “most important” for securing data

What about an Endpoint Approach to the Advanced Threat Problem?

Threats Continue to Evolve

“Nearly 60% of respondents were at least ‘fairly certain’ their company had been a target.”

Network World (11/2011)

The likelihood that you will be attacked by advanced malware has never been greater.

Cost of Advanced Malware

75% of attacks are seen on only one computer

Solve the Problem at the Endpoint


Action at point of entry

Best place to stop client-side attacks is on the client

Awareness at source

Focus where files are executed

Do not miss threats due to encryption

Secure Endpoints, Wherever They Are.


Clients need better visibility to detect and assess advanced malware. Visibility answers questions like:

Do we have an advanced malware problem?

Which endpoint was infected first?

How extensive is the outbreak?

What does the malware do?

Clients also need help regaining control after the inevitable attack. Control answers questions like:

What is needed to recover?

How can we stop other attacks?

What is needed to fight advanced malware at the Endpoint?

Cloud-Based Advanced Malware Protection

Sample Architecture

Lightweight Agent

Watches for move/copy/execute

Traps fingerprint & attributes

Web-based Manager

Cloud Analytics & Processing

Transaction Processing

Analytics

Intelligence

Agile Security for Advanced Malware

Endpoint Benefits

SEE

Advanced malware at the source

Patient 0 + propagation paths

APT reporting

LEARN

Real-time root cause analysis of threats

Collective immunity & comparative reporting

Data mining & machine learning

ADAPT

Custom detections/signatures

Application control

Whitelisting

ACT

Immediate & retrospective remediation

Action at the point of entry

Continuous scans in cloud



Regain Control of Your Environment

Outbreak control

Custom Signatures for immediate response

Whitelisting

Application Control

Immediate & retrospective remediation

Automatic remediation of damaged endpoints with Cloud Recall

Collective Immunity
Arm YOU to fight advanced malware

Thank You.