Vancouver security road show master deck final

Security Road Show - Vancouver

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience



9:00am – 9:15am Welcome



9:15am – 9:45am Palo Alto Networks
–
You can’t control what you can’t see!



9:45am – 10:15am F5
–
Protect your web applications



10:15am – 10:30am Break



10:30am – 11:00am Splunk
–
Big data, next generation SIEM



11am – 11:30am Infoblox
–
Are you fully prepared to withstand DNS attacks?



11:30am - 12:00pm Closing remarks, Q&A



12:00pm – 12:30pm Boxed Lunches


 Today’s Speakers
– Alon Goldberg – Palo Alto
Networks
– Buu Lam – F5
– Menno Vanderlist – Splunk
– Ed O’Connell- Infoblox
– Rob Stonehouse - Scalar


Founded in 2004
$125M in CY13
Revenues

Nationwide Presence

120 Employees
Nationwide

25% Growth YoY

Toronto | Vancouver
Ottawa | Calgary | London

Greater than 1:1
technical:sales ratio

Background in architecting mission-critical
data centre infrastructure

 Scalar is joining the TORONTO2015 Pan Am/Parapan
Am Games as an Official Supplier
 Managing IT security, data centre integration, and
managed storage services

 The country’s most
skilled IT infrastructure
specialists, focused on
security, performance
and control tools

 Delivering
infrastructure services
which support core
applications


WHY SCALAR?


Experience

Innovation

Execution


 Top technical talent in Canada
– Engineers average 15 years’ experience

 We train the trainers
– Only Authorized Training Centre in Canada
for F5, Palo Alto Networks, and Infoblox

 Our partners recognize we’re
the best
– Brocade Partner of the Year – Innovation
– Cisco Partner of the Year – Data Centre &
Virtualization
– VMware Global Emerging Products Partner
of the Year
– F5 Canadian Partner of the Year
– Palo Alto Networks Rookie of the Year
– NetApp Partner of the Year - Central

 Unique infrastructure solutions
designed to meet your needs
– StudioCloud
– HPC & Trading Systems

 Testing Centre & Proving Grounds
– Ensuring emerging technologies are
hardened, up to the task of Enterprise
workloads

 Vendor Breadth
– Our coverage spans Enterprise leaders and
Emerging technologies for niche workloads
& developing markets


“Scalar […] has become our trusted
advisor for architecting and
implementing our storage, server and
network infrastructure across multiple
data centres”


“We’ve basically replaced our
infrastructure at a lower cost than
simply the maintenance on our prior
infrastructure […] At the same time,
we’ve improved performance and
reduced our provisioning time”


“Numerous technologies needed to
converge to make VDI a reality for us.
The fact that Scalar is multidisciplinary and has deep knowledge
around architecture, deployment and
management of all of these
technologies was key”


PALO ALTO NETWORKS


Next-Generation Protection for
Advanced Threats
Alon Zvi Goldberg, SE Palo Alto Networks


Hidden
within SSL

New domain
has no
reputation

Payload
designed to
avoid AV

Non-standard
port use evades
detection

Exploit Kit

Malware From
New Domain

ZeroAccess
Delivered

C2
Established

Data Stolen

Custom C2
& Hacking

Spread
Laterally

Secondary
Payload

RDP & FTP
allowed on the
network

Custom
malware = no
AV signature

Internal traffic is
not monitored

Custom protocol
avoids C2
signatures

15 | ©2012, Palo © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
Alto Networks.
Confidential and Proprietary.

1
Bait the
end-user
End-user
lured to a
dangerous
application
or website
containing
malicious
content

2

3

4

5

Exploit

Download
Backdoor

Establish
Back-Channel

Explore
& Steal

Infected
content
exploits the
end-user,
often
without
their
knowledge

Secondary
payload is
downloaded
in the
background.
Malware
installed

Malware
establishes
an outbound
connection
to the
attacker for
ongoing
control

Remote
attacker has
control inside
the network
and escalates
the attack

16 | ©2012, Palo Alto Networks. Decisions Inc. Not for distribution outside of intended audience
© 2014 Scalar

Attacks are Blended


Traffic and Malware



Inbound and Outbound

Designed to Evade Security


Encryption, strange ports,
tunneling, polymorphic malware,
etc.

Break Security Assumptions


Exploits

Malware

Spyware,
C&C

Exploits are
delivered
over the
network

Malware is
delivered
over the
network

Malware
communicates
over the
network

Encryp on,
fragmenta on

Re-encoded
and targeted
malware

Proxies,
tunneling,
encryp on,
custom traffic

When attackers control both
ends of a connection they can
hide their traffic in any way they
want
© 2014 Scalar

1. Full Visibility of Traffic
– Equal analysis of all traffic across
all ports (no assumptions)
– Control the applications that
attackers use to hide
– Decrypt, decompress and
decode

2. Control the full attack lifecycle

Exploits

Malware

Exploits are
delivered
over the
network

Malware is
delivered
over the
network

Malware
communicates
over the
network

Encryp on,
fragmenta on

Re-encoded
and targeted
malware

Proxies,
tunneling,
encryp on,
custom traffic

– Exploits, malware, and malicious
traffic
– Maintain context across disciplines
– Maintain predictable performance

3. Expect the Unknown
– Detect and stop unknown malware
– Automatically manage unknown or
anomalous traffic
© 2014 Scalar

Spyware,
C&C

Applications
•

Sources

Visibility and
•
control of all traffic,
across all ports, all
the time

Known Threats

Control traffic
sources and
destinations based
on risk

Unknown Threats

•

Stop exploits,
malware, spying
tools, and
dangerous files

•

Automatically
identify and block
new and evolving
threats

Reducing
Risk
•

Reduce the attack
surface

•

Sites known to host
malware

•

NSS tested and
Recommended IPS

•

WildFire analysis of
unknown files

•

Control the threat
vector

•

•

Control the methods
that threats use to
hide

•

SSL decrypt high-risk
sites

Stream-based
anti-malware based
on millions of
samples

•

•

Find traffic to
command and control
servers

Visibility and
automated
management of
unknown traffic

•

Control threats
across any port

•

Anomalous behaviors

© 2014 Scalar

Visibility Into All Traffic


• The Rule of All
-

All traffic, all ports, all the time

-

Mobile and roaming users

• Progressive Inspection
-

Decode – 200+ application
and protocol decoders

-

Decrypt – based on policy

-

Decompress

• Stop the methods that

attackers use to hide
-

Proxies

-

Encrypted tunnels

-

Peer-to-peer

© 2014 Scalar

Non-Standard Ports
Applications that can
dynamically use
non-standard ports.

Evasive Applications – Standard application behavior

-

Security Best Practices – Moving internet facing
protocols off of standard ports (e.g. RDP)

Tunneling Within Allowed Protocols
Applications that can
tunnel other apps
and protocols

SSL and SSH

-

HTTP

-

DNS

Circumventors
Proxies

-

Anonymizers (Tor)

-

Applications designed
to avoid security

-

Custom Encrypted Tunnels (e.g. Freegate, Ultrasurf)

© 2014 Scalar

SSL
-

4,740 ports

Skype
-

Skype

1,802 ports

Skype Probe
-

Skype Probe

27,749 ports

BitTorrent
-

SSL

BitTorrent

21,222 ports
0

Page 23 |

© 2012 Palo Alto Networks. Proprietary and Confidential.

5,000

10,000 15,000 20,000 25,000 30,000


Based on a 3 month study of fully undetected malware
collected by WildFire
– 26,000+ malware samples
– 1,000+ networks

FTP was the most evasive application observed*
– 95% of unknown samples delivered via FTP were never
covered by antivirus.
– 97% of malware FTP sessions used non-standard ports,
and used 237 different non-standard ports.

Web-browsing delivered more malware, but was less
evasive.
– 10% of samples delivered over 90 different non-standard
web ports

Example: Sample 0-Day Malware
 Unknown traffic traversing the DNS port
 HTTP using ephemeral ports


|

© 2012 Palo Alto Networks. Proprietary and Confidential.


 Analysis of APT1 found:
– RDP was the application of choice ongoing management of the
attack
– Often proxied through intermediaries
– Used custom applications built on MSN Messenger, Jabber, and
Gmail Calendar
– Often hidden within SSL

 Recommended Actions
– Decrypt SSL

– Tightly control RDP and proxy applications
– Baseline instant messaging applications and investigate any
unknowns

Controlling Remote Desktop and Instant Messaging

Potential URL Categories for
Correlation
• Botnets
• Not-resolved
• Proxy-avoidance and
anonymizers
• Open-http-proxies
• Peer-to-peer 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
©

Requirement:
Expect the Unknowns


1. Unknown traffic becomes significant
–
–

Anything non-compliant or custom should be known and
approved
When the vast majority of traffic is identified, the unknowns
become manageable

2. Unknown traffic is common (99% of AVRs)
–
–
–

New publicly available commercial applications
Internally developed, custom applications
Rogue or malicious applications (malware)

3. Unknowns are manageable
–
–
–

Investigate unknowns
Customize App-ID to reduce the number of unknowns
Aggressively control or block remaining unknown traffic

40% MostUnknownObserved Malware Behaviors Blockable
of Commonly Malware Files Were on the Network
0.00%

10.00%

20.00%

30.00%

40% of unknown samples were identifiable as sister samples that shared
29.39%
Contained unknown TCP/UDP traffic
specific identifiers in the file header and payload
24.38%

Visited an unregistered domain

20.46%

Sent out emails
12.38%

Used the POST method in HTTP
Triggered known IPS signature

7.10%

IP country different from HTTP host
TLD

6.92%

Communicated with new DNS server
Downloaded files with an incorrect
file extension
Connected to a non standard HTTP
port

5.56%
4.53%
4.01%

Produced unknown traffic over the
HTTP port

2.33%

Visited a recently registered domain

1.87%

Visited a known dynamic DNS
domain

0.56%

Visited a fast-flux domain

0.47%

• Investigate and classify any
unknown traffic
• No file downloads from unknown
domains
• No HTTP posts to unknown
domains
• No email traffic not to the corp
email server

Source: Palo Alto Networks, WildFire Malware Report


Recent Sample of 0-Day Malware from WildFire
• Repeated pattern of DNS, HTTP and Unknown Traffic
• The “unknown” proved to be the most important traffic

The Unknown
traffic marks the
spot


A closer look at the unknown session


Capture and execute any
unknown files to observe real
behavior

Inspect all traffic

Block malware, C2
traffic and variants

© 2014 Scalar

|

EPSPitchPalo Alto Networks -for distribution outside of intended audience
© 2014 Scalar Decisions Inc. Not 601955643© 2012 Palo

40% of Unknown Malware Files Were Variants
 Opportunity to Block Malware
 In 40% of cases, a single signatures matched multiple samples
(variants)
 1 signature hit 1,500+ unique
SHA values
 Provides a way to block malware
even when it is repackaged to
avoid signatures

40% of Malware
Samples Were Related

 WildFire Subscription
 Delivers signatures in 30 to 60 minutes of new malware being
detected anywhere in the world

• Detailed analysis of malware
behaviors including
• Malware actions
• Domains visited

• Registry changes
• File changes

© 2014 Scalar

An Integrated Approach to Threat Prevention
Coordinated Threat Prevention
Bait the
end-user
App-ID

Exploit

Download
Backdoor

Establish
Back-Channel

Block
high-risk apps

Spyware
AV
Files

Threat License

IPS

Block C&C on
non-standard
ports

Block
known malware
sites

URL

Block malware,
fast-flux domains
Block
the exploit
Block spyware,
C&C traffic
Block malware
Prevent drive-bydownloads

WildFire

Explore &
Steal

Detect unknown
malware

Block new C&C
traffic

© 2014 Scalar

Coordinated
intelligence to
detect and block
active attacks
based on
signatures,
sources and
behaviors

Thank you!


F5


CONFIDENTIAL

F5 Security for an application
driven world

F5 Provides Complete Visibility and Control
Across Applications and Users

Users

Resources

DNS

Web

Access

Intelligent
Dynamic Threat Defense
Services
DDoS Protection
Platform
Protocol Security
Network Firewall
TMOS

Securing access to applications
from anywhere

© F5 Networks, Inc

Protecting your applications
regardless of where they live

CONFIDENTIAL

43

CONFIDENTIAL

Security Trends and Challenges

Attack Type

Spear Phishing

Physical Access

XSS

Size of circle
estimates relative
impact of incident
in terms of cost to
business

May

June

July

Aug

Sep

Oct

Nov

Dec

2012

© F5 Networks, Inc

CONFIDENTIAL

45

Bank

Bank
Bank

Industrial

Non
Profit
Non
Profit

Bank

Bank

Auto

Gov

Online
Services

Gov

Industrial

Online
SVC

EDU
Bank
Bank

Gov

Online
SVC

Edu

Online
Services
News &
Media

Edu

News &
Media

Utility

Software
Edu

Online
Services
Cnsmr
Electric

Telco

Food
Service

Telco

Bank

Online
Services

Bank

Bank

Cnsmr
Electric

Jan

Feb

Mar

Bank

Cnsmr
Elec
Education

Online
Services
Online
Services

Software

Online
Services

DNS
Provider

Online
Services
Auto

Gov

Gov

DNS
Provider

Health

Gov
Software

Util

May

Global
Delivery

Unknown

Online
Services

Gov
Gov

Physical Access

Edu

DNS
Provider

Gov

Auto

DNS
Provider

Auto

Gov
Online
Services

Apr

Online
Services
Online
Services

Online
Svcs

DNS
Provider

News &
Media

Gov

Online
Services

Bank

Telco
Auto

Gaming

Retail

Online
Services

Spear Phishing

Retail

Industrial

Online
Services

Bank

Airport

Attack Type

Online
Services

Entnment

Gov

Bank

Telco

Gov

Gov

Banking

NonProfit

Bank

Online
Services

Online
Gaming

News &
Media

Edu

Gov

Bank

Software

News &
Media

Bank

News &
Media
News &
Media

Gov

Food E-comm
Svc

Online
Services

Bank

Online
Services

Bank

Online
Services

Gov
Gov

News &
Media

Telco

Bank

Software

News &
Media

Software

Bank

Edu

Utility

Bank

Online
Services

Online
Svc

Consumer
Electric

Online
SVC

Gov

Gove

News &
Media

Online
Svc

Non
Profit

Consumer
Electronics

News &
Media

Gov

Size of circle
estimates relative
impact of incident
in terms of cost to
business

Jun

2013

© F5 Networks, Inc

CONFIDENTIAL

46

More sophisticated attacks are multi-layer

Application

SSL
DNS
Network

© F5 Networks, Inc

CONFIDENTIAL

47

The business impact of DDoS

The business
impact of DDoS

© F5 Networks, Inc

Cost of
corrective action

CONFIDENTIAL

Reputation
management

48

OWASP Top 3 Application Security Risks
1 - Injection

Injection flaws, such as SQL and LDAP injection occur when untrusted data is
sent to an interpreter as part of a command or query. The attackers hostile data
can trick the interpreter into executing unintended commands or accessing
data.

2 – Broken
Authentication
and Session
Management

Application functions related to authentication and session management are
often not implemented correctly, allowing attackers to comprimise passwords,
keys or session tokens to assume another users’ identity.

3 – Cross Site
Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to
a web browser without proper validation or escaping. XSS allows attackers to
execute scripts in the victims browser to hijack user sessions, deface web sites
or redirect the user.

Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

© F5 Networks, Inc

CONFIDENTIAL

49

Full Proxy Security

Client / Server

Client / Server

Web application

Web application

Application

Application

SSL inspection and SSL DDoS mitigation

Session

Session

L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation

Network

Network

Physical

Physical

Application health monitoring and performance anomaly detection
HTTP proxy, HTTP DDoS and application security

© F5 Networks, Inc

CONFIDENTIAL

51

The F5 Application Delivery Firewall
Bringing deep application fluency to firewall security

One platform

Network
firewall

Traffic
management

Application
security

Access
control

DDoS
mitigation

SSL
inspection

DNS
security

EAL2+
EAL4+ (in process)

© F5 Networks, Inc

CONFIDENTIAL

52

Positive vs Negative
• Positive Security
• Known good traffic
• Permit only what is defined in the security policy (whitelisting).

• Block everything else

• Negative
• Known-bad traffic
• Pattern matching for malicious content using regular expressions.

• Policy enforcement is based on a Positive security logic
• Negative security logic is used to complement Positive logic.
© F5 Networks, Inc

CONFIDENTIAL

53

How Does It Work?

Security at application, protocol and network level

Request made

Security policy
checked

Content scrubbing
Application cloaking

Enforcement

Response
delivered

Server
response

Security policy
applied

Actions:
Log, block, allow

BIG-IP enabled us to improve security instead of having to
invest time and money to develop a new, more secure application.

© F5 Networks, Inc

CONFIDENTIAL

54

Start by checking RFC
compliance

2

Then check for various length
limits in the HTTP

3

Then we can enforce valid
types for the application

4

Then we can enforce a list of
valid URLs

5

Then we can check for a list of
valid parameters

6

Then for each parameter we will
check for for value length
will checkmaxmax value length

7

Then scan each parameter, the
URI, the headers

© F5 Networks, Inc

GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: 172.29.44.44rn
Connection: keep-alivern
User-Agent: Mozilla/5.0 (Windows NT 6.1)rn
Accept:text/html,application/xhtml+xml,application/xml;q=0.9rn
Referer: http://172.29.44.44/search.php?q=datarn
Accept-Encoding: gzip,deflate,sdchrn
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; rn

CONFIDENTIAL

55

Automatic HTTP/S DOS Attack
Detection and Protection

•

Accurate detection technique—based on latency

•

•

Three different mitigation techniques escalated
serially

Focus on higher value productivity while automatic
controls intervene

Detect a DOS condition
Identify potential attackers
Drop only the attackers

© F5 Networks, Inc

CONFIDENTIAL

56

To Simplify: Application-Oriented Policies and Reports

© F5 Networks, Inc

CONFIDENTIAL

57

IP INTELLIGENCE

Botnet

Restricted
region or
country

IP intelligence
service

IP address feed
updates every 5 min
Attacker

Custom
application

Financial
application

Anonymou
s requests

Anonymous
proxies

Scanner
Geolocation database
Internally infected devices
and servers

© F5 Networks, Inc

CONFIDENTIAL

58

Built for intelligence, speed and scale

Users

Resources

Concurrent user sessions

100K
Concurrent logins

1,500/sec.

Throughput

640 Gbps
Concurrent connections

288 M
DNS query response

10 M/sec

SSL TPS (2K keys)

240K/sec
Connections per second

8M

Application Delivery Firewall

Network
firewall

Traffic
management

Application
security

Access
control

DDoS
mitigation

SSL
inspection

DNS
security

Products
Advanced Firewall
Manager

Local Traffic
Manager

Application
Security Manager

•

Stateful full-proxy
firewall

•

#1 application
delivery controller

•

Leading web
application firewall

•

Flexible logging
and reporting

•

Application fluency

•

Access Policy
Manager

PCI compliance

•

Native TCP, SSL
and HTTP proxies

•

Network and
Session anti-DDoS

•

App-specific health
monitoring

•

Virtual patching for
vulnerabilities

•

HTTP anti-DDoS

•

•

Dynamic, identitybased access
control

•

Simplified
authentication
infrastructure

IP protection

•

Endpoint security,
secure remote
access

Global Traffic
Manager & DNSSEC
•

Huge scale DNS
solution

•

Global server load
balancing

•

Signed DNS
responses

•

Offload DNS crypto

iRules extensibility everywhere

© F5 Networks, Inc

CONFIDENTIAL

60

Explore

The F5 DDoS Protection
Reference Architecture
f5.com/architectures

© F5 Networks, Inc

CONFIDENTIAL

61

Summary
• Customers invest in network security, but most significant threats are
at the application layer
• Current security trends – BYOD, Webification – mean you need to be
even more aware of who and what can access application data
• A full proxy device is inherently secure, and coupled with high
performance can overcome many security challenges
• F5 Application Delivery Firewall brings together the traditional
network firewall with application centric security, and can
understand the context of users, devices and access

© F5 Networks, Inc

CONFIDENTIAL

62

BREAK


SPLUNK


Copyright © 2014 Splunk Inc.

Splunk for Security
Intelligence

Make machine data accessible, usable
and valuable to everyone.

68

The Accelerating Pace of Data
Volume | Velocity | Variety | Variability

GPS,
Machine data is fastest growing, most
RFID,
Hypervisor,
complex, most valuable area of big data
Web Servers,
Email, Messaging,
Clickstreams, Mobile,
Telephony, IVR, Databases,
Sensors, Telematics, Storage,
Servers, Security Devices, Desktops

69

The Splunk Security Intelligence Platform
Security Use Cases

Machine Data

Online
Services

Forensic
Investigation

Web
Services

Security

Security
Operations

Compliance

Fraud
Detection

GPS
Location

Servers

Packaged
Applications
Networks
Desktops
Storage

Messaging

Telecoms

Custom
Applications

RFID
Energy
Meters

Online
Shopping
Cart
Databases
Web
Clickstreams

Call Detail
Records

HA Indexes
and Storage

Smartphones
and Devices

4

Commodity
Servers

Rapid Ascent in the Gartner SIEM Magic Quadrant
2011

2012

71

2013

Industry Accolades
Best SIEM
Solution

Best Enterprise
Security Solution

72

Best Security
Product

Over 2800 Global Security Customers

73

Splunk Security Intelligence Platform
120+ security apps

Splunk App for Enterprise Security

Palo Alto
Networks
Cisco Security
Suite

OSSEC

F5 Security

FireEye

NetFlow Logic

Active
Directory

Juniper

74

Blue Coat
Proxy SG

Sourcefire

Partner Ecosystem

What is the Value Add to Existing Customers?
Visibility and Correlation of Rich Data
Improved Security Posture
Configurable Dashboard Views

All Data is Security Relevant = Big Data
Databases

Email

Web

Desktops

Servers DHCP/ DNS Network
Flows

Traditional SIEM

Custom
Apps
Hypervisor Badges Firewall Authentication Vulnerability
Scans

Storage

Mobile

Data Loss
Intrusion
Detection Prevention

AntiMalware

Service
Desk

Call
Industrial
Control Records

Making Sound Security Decisions
Binary Data (flow
and PCAP)

Log Data

Security
Decisions

Threat Intelligence
Feeds

Context Data
Volume

Velocity

Variety
77

Variability

Case #1 - Incident Investigation/Forensics
January

•

May be a “cold case” investigation requiring
machine data going back months

March

Often initiated by alert in another product

•

February

•

Need all the original data in one place and a
fast way to search it to answer:
–

What happened and was it a false positive?

–

How did the threat get in, where have they
gone, and did they steal any data?

–
•

client=unknown[
99.120.205.249]
<160>Jan
2616:27
(cJFFNMS

truncating
integer value >
32 bits
<46>Jan
ASCII from
client=unknow
n

Has this occurred elsewhere in the past?

Take results and turn them into a real-time
search/alert if needed

DHCPACK
=ASCII
from
host=85.19
6.82.110

78

April

Case #2 – Real-time Monitoring of Known Threats
Sources

Example Correlation – Data Loss
20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering
the computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20
TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1
Default Admin Account
Status=Degradedwmi_ type=UserAccounts
Source IP

Windows
Authentication
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer
name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and
Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time:
2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My
Malware Found
Source IP
CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Endpoint
Security
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]:
[1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text
Source IP
[Priority: 2]:

Data Loss

Intrusion
Detection

All three occurring within a 24-hour period
Time Range
79

Case #3 – Real-time Monitoring of Unknown Threats
Sources

Example Correlation - Spearphishing
User Name

2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1
,,, hacker@neverseenbefore.com , Please open this attachment with payroll information,, ,2013-0809T22:40:24.975Z
Email Server

Rarely seen email domain
Rarely visited web site

2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET
www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

User Name

Web Proxy

Endpoint
Logs

User Name
08/09/2013 16:23:51.0128event_status="(0)The operation completed successfully. "pid=1300
process_image="John DoeDeviceHarddiskVolume1WindowsSystem32neverseenbefore.exe“ registry_type
="CreateKey"key_path="REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersion Printers
PrintProviders John Doe-PCPrinters{} NeverSeenbefore" data_type""
Rarely seen service

All three occurring within a 24-hour period
Time Range
80

$500k Security ROI @ Interac
•

Challenges: Manual, costly processes
– Significant people and days/weeks required for incident investigations. $10k+ per week.
– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive

Enter Splunk: Fast investigations and stronger security
–
–
–
–

Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
Splunk reduced investigation time to hours. Reports can be created in minutes.
Real-time correlations and alerting enables fast response to known and unknown threats
ROI quantified at $500k a year. Splunk TCO is less than 10% of this.

“

“

•

Splunk is a product that provides a looking glass into our environment for things
we previously couldn’t see or would otherwise have taken days to see.
Josh Diakun, Security Specialist, Information Security Operations

8
1

Replacing a SIEM @ Cisco
•

Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize with reliance on pre-built rules which generated false positives

Enter Splunk: Flexible SIEM and empowered team
–
–
–
–
–

Easy to index any type of machine data from any source
Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
All the data + flexible searches and reporting = empowered team
900 GB/day and searches take < minute. 7 global data centers with 350TB stored data
Estimate Splunk is 25% the cost of a traditional SIEM

“

We moved to Splunk from traditional SIEM as Splunk is designed and
engineered for “big data” use cases. Our previous SIEM was not and simply
could not scale to the data volumes we have.

“

•

Gavin Reid, Leader, Cisco Computer Security Incident Response Team
8
2

Security and Compliance @ Barclays
Challenges: Unable to meet demands of auditors
–
–
–
–
•

Scale issues, hard to get data in, and impossible to get data out beyond summaries
Not optimized for unplanned questions or historical searches
Struggled to comply with global internal and external mandates, and to detect APTs
Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting

Enter Splunk: Stronger security and compliance posture
–
–
–
–

Fines avoided as searches easily turned into visualizations for compliance reporting
Faster investigations, threat alerting, better risk measurement, enrichment of old data
Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
Other teams using Splunk for non-security use cases improves ROI

“

We hit our ROI targets immediately. Our regulators are very aggressive, so if
they say we need to demonstrate or prove the effectiveness of a certain
control, the only way we can do these things is with Splunk.

“

•

Stephen Gailey, Head of Security Services
8
3

Splunk Key Differentiators
•
•
•
•
•
•
•

Splunk
Single product, UI, data store
Traditional SIEM
Software-only; install on commodity hardware
Quick deployment + ease-of-use = fast time-to-value
Can easily index any data type
All original/raw data indexed and searchable
Big data architecture enables scale and speed
Flexible search and reporting enables better/faster threat
investigations and detection, incl finding outliers/anomalies
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance

84

For your own AHA! Moment
Reach out to your Scalar and
Splunk team for a demo

Thank you!

INFOBLOX


Are you prepared to withstand DNS attacks?
Ed O’Connell, Senior Product Marketing Manager

Infoblox Overview
DNS Security Challenges
Securing the DNS Platform
Defending Against DNS Attacks
Preventing Malware from using DNS


Total Revenue

Founded in 1999

(Fiscal Year Ending July 31)

Headquartered in Santa Clara, CA
with global operations in 25 countries

$250

Leader in technology
for network control

$200

($MM)
$225.0

$169.2

Market leadership

$150

$132.8

• Gartner “Strong Positive” rating
• 40%+ Market Share (DDI)

$102.2
$100

6,900+ customers, 64,000+
systems shipped

$56.0
$50

$61.7

$35.0

38 patents, 25 pending
IPO April 2012: NYSE BLOX

$0

FY2007

FY2008

FY2009

FY2010


FY2011

FY2012

FY2013

VIRTUAL MACHINES

PRIVATE CLOUD

APPLICATIONS

NETWORK
INFRASTRUCTURE

CONTROL PLANE

APPS &
END-POINTS

END POINTS

Infrastructure
Security

Historical / Real-time
Reporting & Control
Infoblox GridTM w/ Real-time
Network Database

FIREWALLS

SWITCHES

ROUTERS

WEB PROXY


LOAD BALANCERS

DNS is the
cornerstone of the
Internet used by
every business/
Government

DNS as a Protocol
is easy to exploit

Traditional
protection is
ineffective against
evolving threats

DNS outage = business downtime

1

Securing the DNS Platform

2

Defending Against DNS Attacks

3

Preventing Malware from using DNS


Infoblox DNS Firewall
Prevents Malware/APT from Using DNS

Infoblox Advanced DNS Protection
Defend Against DNS Attacks
Hardened Appliance & OS
Secure the DNS Platform


– Many open ports subject to attack

– Users have OS-level account
privileges on server
– No visibility into good vs. bad
traffic
– Requires time-consuming manual
updates
– Requires multiple applications for
device management


Multiple
Open Ports

 Minimal attack surfaces
 Active/Active HA & DR recovery

 Centralized management
with role-based control

 Tested & certified to highest
Industry standards

 Secured Access,
communication & API

 Secure Inter-appliance
Communication

 Detailed audit logging
 Fast/easy upgrades


 No scripts / Auto-Resigning / 1-click
 Central configuration of all DNSSEC parameters

 Automatic maintenance of signed zones

~ 10% of infrastructure attacks targeted DNS
ACK: 2.81%

ICMP: 9.71%

RESET: 1.4%

CHARGEN: 6.39%

SYN: 14.56%

RP: 0.26%

FIN PUSH: 1.28%
DNS: 9.58%

SYN PUSH: 0.38%
TCP FRAGMENT: 0.13%

UDP FRAGMENT: 17.11%

UDP FLOODS: 13.15%

Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013

~ 80% of organizations surveyed experienced application layer attacks on DNS
HTTP

82%

DNS

77%

SMTP

25%

HTTPS

54%

SIP/VOIP

20%

IRC

6%

Other

9%
0%

20%

40%
60%
Survey Respondents

80%

100%


Source: Arbor Networks

Distributed Reflection DoS Attack (DrDoS)
How the attack works

 Combines Reflection and Amplification
 Use third-party open resolvers in the
Internet (unwitting accomplice)

Internet

 Attacker sends small spoofed packets
to the open recursive servers,
requesting a large amount of data to
be sent to the victim’s IP address
 Uses multiple such open resolvers,
often thousands of servers

Attacker

 Queries specially crafted to result in a
very large response
 Causes DDoS on the victim’s server
Target Victim


Legitimate Traffic
Block DNS
attacks
Infoblox Advanced
DNS Protection
(External DNS)

Data for
Reports

Infoblox
Threat-rule Server

Automatic
updates

Infoblox Advanced DNS
Protection
(Internal DNS)

Reporting
Server

Reports on attack types, severity


DNS reflection/DrDoS attacks
DNS amplification

Using third-party DNS servers(open resolvers) to propagate
a DOS or DDOS attack
Using a specially crafted query to create an amplified
response to flood the victim with traffic

DNS-based exploits

Attacks that exploit vulnerabilities in the DNS software

TCP/UDP/ICMP floods

Denial of service on layer 3 by bringing a network or
service down by flooding it with large amounts of traffic

DNS cache poisoning

Corruption of the DNS cache data with a rogue address

Protocol anomalies
Reconnaissance
DNS tunneling

Causing the server to crash by sending malformed packets
and queries
Attempts by hackers to get information on the network
environment before launching a DDoS or other type of
attack
Tunneling of another protocol through DNS for data
exfiltration


EXTERNAL

INTERNAL

INTRANET

INTERNET

Advanced DNS
Protection

Advanced DNS
Protection

GRID Master
and Candidate
(HA)

DATACENTER

Advanced DNS
Protection

CAMPUS/REGIONAL

Advanced DNS
Protection

DMZ
INTRANET
Grid Master
and Candidate (HA)

DATACENTER

CAMPUS/REGIONAL


Endpoints

2014

2013

Q2

Q3

Q4


Q1

Cryptolocker “Ransomware”


Targets Windows-based computers



Appears as an attachment to legitimate
looking email



Upon infection, encrypts files: local hard
drive & mapped network drives



Ransom: 72 hours to pay $300US



Fail to pay and the encryption key is
deleted and data is gone forever



Only way to stop (after executable has
started) is to block outbound connection
to encryption server


Infoblox Malware
Data Feed Service

1

4
2

Malicious
domains

IPs, Domains, etc.
of Bad Servers

2

Malware /
APT

An infected device brought
into the office. Malware
spreads to other devices on
network.
Malware makes a DNS query to
find “home.” (botnet / C&C).
Detect & Disrupt. DNS Firewall
detects & blocks DNS query to
malicious domain

Internet
Intranet

Infoblox DDI
with DNS
Firewall

Blocked attempt
sent to Syslog

1
2

3

Pinpoint. Infoblox Reporting lists

3 blocked attempts as well as the:
•
•
•
•
•

IP address
MAC address
Device type (DHCP fingerprint)
Host name
DHCP lease history

DNS Firewall is updated every 2

4 hours with blocking information
from Infoblox DNS Firewall
Subscription Svc

Malware / APT spreads
within network; Calls home

Malicious
Domains

1

Detect - FireEye detects APT,
alerts are sent to Infoblox.

Malware

Internet

2

2

Disrupt – Infoblox DNS
Firewall disrupts malware DNS
communication

Intranet
Infoblox DDI
with DNS
Firewall

3 Pin Point - Infoblox Reporting
3
Alerts

1

Endpoint Attempting
To Download
Infected File

Blocked attempt
sent to Syslog

provides list of blocked
attempts as well as the
•
•
•
•
•

IP address
MAC address
Device type (DHCP fingerprint)
DHCP Lease (on/off network)
Host Name

FireEye NX
Series
FireEye detonates
and detects malware


Fast Flux

Rapidly changing of domains & IP addresses by malicious
domains to obfuscate identity and location

APT / Malware

Malware designed to spread, morph and hide within IT
infrastructure to perpetrate a long term attack (FireEye)

DNS Hacking

Hacking DNS registry(s) & re-directing users to malicious
domain(s)

Geo-Blocking

Blocking access to geographies that have rates of malicious
domains or Economic Sanctions by US Government


DNS is the cornerstone
of the Internet

Unprotected DNS
infrastructure
introduces security
risks

Infoblox DNS Firewall
Prevents Malware/APT from Using DNS

Infoblox Advanced DNS Protection
Defend Against DNS Attacks
Hardened Appliance & OS
Secure the DNS Platform

Secure DNS Solution
protects critical DNS
services


Thank you!
For more information
www.infoblox.com


Why Scalar for Security?


The Issues
 Integration of Security
Technologies

 Staffing
 Vulnerabilities
 Advanced threats


The Issues
 Integration of Security
Technologies is Challenging
– Multiple formats of data
– Data timing issues
– Different types of security
controls
– Other data types


The Issues
 InfoSecurity Staff
– Different skills requirements
﹘ Architects
﹘ Malware Handling
﹘ Forensics
﹘ Vulnerability
﹘ Incident Management
﹘ Risk and Compliance

– HR Costs
﹘ Premium technical personnel
﹘ Analysts, Specialists
﹘ Training and certification

The Issues
 Vulnerabilities
– Regular scheduled
disclosures
– Large volumes of ad-hoc
patches
– Many undisclosed zero days
– Remediation is a continuous
process


The Issues
 Advanced Threats
– Advanced Persistent Threats
– Imbedded threats
 Who?
– State sponsored
– Hactivism
– Hackers
– Organized crime


How to Secure It
 State-of-the-art Security
Technologies

 Skills on Demand
– Continuous Tuning of Rules
and Filters
– Cyber Intelligence,
Advanced Analytics
– Cyber Incident Response
– Code Review, Vulnerability
and Assessment Testing

WRAP/QUESTIONS?


THANK YOU.


Vancouver security road show master deck final

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (11)

Destacado

Destacado (20)

Similar a Vancouver security road show master deck final

Similar a Vancouver security road show master deck final (20)

Más de Scalar Decisions

Más de Scalar Decisions (20)

Vancouver security road show master deck final

Notas del editor