35. Botnet Detection
A botnet comprises a large number of malware-infected client computers that are controlled by a remote server to perform malicious acts
– Denial-of-service attacks
– Sending spam and viruses
– Stealing private data from clients
Botnets are now finding other paths to control infected botnet clients, using non-traditional network ports, social networks, and P2P networks
37. Botnet Detection
The new Botnet Detection Subscription Service uses a feed of known botnet site IP addresses from Kaspersky and adds these addresses to the Blocked Sites List
– Note: The Botnet Sites list is too large to display in the Blocked Sites List
Enables your Firebox to block botnet activity at the packet filter level
Botnet Detection is enabled with the RED feature key, available e.g. with Security Suite
38. Botnet Detection — Configuration
Botnet Detection is enabled by default
You can create exceptions to the Botnet Detection Sites list
40. What does Dutch legislation say?
• Use no more data than necessary
• Keep the data no longer than necessary or permitted (retention period)
• Restrict access to data
• Store data only within the EU or in a country with an adequate level of protection
• Use modern security techniques
• Ensure monitoring through logging data
• Report the data breach
European legislation adopted on 14 April 2016, introduction now in preparation
Source: https://cbpweb.nl/nl/over-privacy/persoonsgegevens/beveiliging-van-persoonsgegevens
41. Use modern security techniques
The organisation must secure your personal data in line with the state of the art.
This means that the organisation does not use outdated technology to secure your data.
As a result, hackers, for example, get little or no chance to gain access to your personal data.
42. WatchGuard Data Leak Prevention
Over 200 predefined rules for sensitive and personally identifiable information, including government ID numbers (e.g. SSN), bank account numbers, health care records and confidential document markers
• Predefined sensors for PCI and HIPAA compliance mandates
• Personally Identifiable Information (PII) detection
43. Detection of country-specific identifiers
Personally Identifiable Information (PII) detection including Netherlands, Belgium and other European specific identifiers
Coverage shown: The Netherlands; Belgium; global and European specific (e.g. IBAN)
45. Cryptolocker & the fight against IT’s biggest new enemy
Martijn Nielen
Sr. Sales Engineer WatchGuard
46. Houston, we have a problem!
• « My antivirus and IPS are updated but I got infected anyway »
47. First reason: « Zero Day »
• The vulnerability is still unknown
• Or the fix is still not available
48. Second reason: Technology changes, including hackers…
• “Antivirus is Dead” – Brian Dye, Senior VP of Symantec
49. Antivirus can’t keep up
Nearly 88% of malware morphs to evade signature-based antivirus solutions*
* Malwise – An Effective and Efficient Classification System for Packed and Polymorphic Malware, Deakin University, Victoria, June 2013
50. AV Vendor Review
http://labs.lastline.com/lastline-labs-av-isnt-dead-it-just-cant-keep-up
• Average of 2 days for at least one AV scanner to detect what was not detected on day 0
• Detection rates increase to 61% after two weeks
• After a year 10% of scanners still do not detect some malware
• The 1st percentile of malware least likely to be detected was undetected by a majority of AV scanners for months
• In some cases the malware was never detected
51. Advanced Persistent Threat (APT)
• Nation-state techniques now used for financial gain
• Antivirus can’t keep up. New malware has been created as a variant of existing malware to avoid detection by classic techniques
52. Evolution of APTs
Today, normal criminal malware exploits the same advanced tactics as nation-state APTs.
Every organization is at risk of advanced threats!
Zeus copies Stuxnet 0day
Criminals use 0day malware (Cryptolocker)
Zeus uses stolen certificates
Criminal spear phishing
Criminal watering hole attacks
57. AV / OS / Application Sandbox
Malware and Virus Detection
Zero Day Threat Curve
58. Sandbox
Diagram comparing three approaches to advanced malware analysis:
– 1st: Sandbox – OS (XP / Win 7) on a hypervisor on a server: high fidelity, low visibility
– 2nd: Process emulation – emulated XP / Win 7 functions on a server: low fidelity, high visibility
– 3rd: System emulation – emulated CPU / memory running the OS (XP / Win 7) on a server: high fidelity, high visibility
Advanced Malware Analysis
59. APT Blocker with Code Emulation
• Evasion detection is critical
60. Dynamic evasions
Diagram: Stalling / Looping; Malware?; Exploit; Key logger; C&C Network Traffic; Inaction
• Malware checks the environment
• Multi-path execution
• Next step based on results
• Stalling / looping
• Wait long enough for analysis to time out
66. Did you get Locky?
http://watchguardsecuritycenter.com
Once I verified that many of our UTM’s security services could detect Locky, I ran through one last test… I personally tried to download the malicious file “Rechnung-263-0779.xls” from my webmail.
I’ve configured my WatchGuard Firebox with HTTPS Deep Inspection. This feature allows WatchGuard’s security services, such as GAV and Intrusion Prevention Service (IPS), to run security scans even on encrypted web traffic, like the webmail I was using to download this ransomware.
Despite the encrypted webmail connection, our Firebox detected and blocked the Locky invoice file with the GAV service. It was unable to reach my workstation.
As you can see, WatchGuard XTM and Firebox appliances have several features that can help prevent ransomware like Locky. However, these protections only work if you turn them on and configure them properly. If you want to keep Locky off your network, I highly recommend you read the Knowledgebase Article “How to prevent ransomware and other malicious malware with your Firebox” — Jonas Spieckermann
You need to enable HTTPS DPI on your Firebox!
67. An APT solution should
• not be dependent on (AV) signatures
• not depend on traditional sandbox technology
• detect evasions
• take prompt actions in real-time
68. True APTs – even obvious from the Dutch file names
• Advanced: trigger interest
• Targeted, e.g. containing the name of the organization
• Threats: true APTs
• Watering holes – “Eucharistieviering”, Dutch
• Chain-of-trust: by using ‘religious activities’ and social engineering based factors
• Non-profit organizations targeted
75. Network Visibility — Scan Details
Several scan stages to determine host details
– Quick Host Discover
– TCP and OS
– UDP and Service Version
The UDP and Service Version scan stage takes the longest time
A full scan for a x.x.x.x/24 network with 100 active hosts can take several hours
76. Network Visibility — View Devices
From the Network Map tab, you can:
– Select a device
– View the address in FireWatch or Traffic Monitor
– Remember Device — Add descriptive details for the Firebox and save the description in the map configuration
77. Network Visibility — Device List
Select System Status > Network Visibility > Device List tab
79. Mobile Network Access
• Set policy by device type
• Enforce OS level
• Limit access to clean devices
• No malware
• No jailbroken devices
• No rooted devices
• Approved download sources
• License required
80. Mobile Security Overview
1. Enable and configure Mobile Security
2. The Android or iOS device connects to the network
3. The user runs the FireClient app to check compliance
4. The Firebox allows traffic from compliant devices
The Firebox drops traffic from mobile devices that are not compliant
81. Mobile Security — Device Compliance
FireClient downloads the device-specific compliance settings to use as criteria for mobile device compliance
– Android and iOS devices have different available settings
Screenshot labels: reconnection settings; settings for Android or iOS devices
83. Allowed Google Apps Domains
Inserts an X-GoogApps-Allowed-Domains HTTP header, followed by a domain name list, into all requests for *.google.com
Google services that do not require authentication, such as Google Search or YouTube, cannot be blocked
85. Guest Services – what it is
Enables hotels, restaurants, and shops to provide wireless access to their customers
– Custom hotspot splash pages
– Company logos and styles
– Custom Terms and Conditions
Flexible Account Options
– Configurable time limits
– Batch generated guest usernames and passwords
– Password only (voucher) option
Guest Administrator Role (ideal for Hotel Manager or Receptionist)
– Non-IT staff can generate accounts
– Printed vouchers with Guest Account details (customizable)
Temporary User Accounts
90. Multiple Hotspots Overview
You can now configure multiple hotspots
You can enable each hotspot for one or more interfaces
– Interfaces can be physical or virtual (VLAN, bridge, link aggregation, wireless)
Each hotspot can use a different authentication type
– Connect without credentials
– Require users to authenticate with generated credentials (user name and passphrase or passphrase only)
External Guest Authentication
– There is still only one external guest hotspot
– You can now enable it for multiple interfaces
91. 3rd Party Captive Portal: Turn hotspots into marketing tools
Uses WatchGuard’s external hotspot API
Cloud hosted, fully customizable captive portal
– SMS, Email, Token (thermal printer)
– Facebook Login: Coming soon
– Add advertisements and offers with the web page editor using pictures and text
– Form fields can easily be added & removed for additional data collection
Contact:
http://guestair.net
Email: guestair@guestair.net
Phone: +354 519 0300
93. RADIUS SSO — Overview
RADIUS SSO (RSSO) enables single sign-on for users who have already authenticated to a RADIUS server with 802.1x authentication
– Targeted primarily at wireless users
• Many universities and large schools have existing wireless networks that use RADIUS for user authentication
– Can also work for a wired network
• Switch must have 802.1x enabled and must be used for NAC (network access control) with the RADIUS server
94. RADIUS SSO — Overview
– Requirements for RSSO
• The wireless access point (AP), switch, or access controller (AC) that users connect to must support 802.1x authentication and RADIUS accounting
• The AP or AC switch must send RADIUS accounting messages that include the user’s IP address to the RADIUS server
95. RSSO — How it Works
1. Client authenticates to the AP with WPA/WPA2 Enterprise
2. AP interacts with RADIUS server to authenticate the user
3. AP sends RADIUS accounting messages with user name and IP address through RADIUS proxy server to the Firebox
4. Firebox creates a firewall session for the authenticated user
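Steps 3 and 4 as an added example (not WatchGuard's code): a minimal parser for a RADIUS Accounting-Request that reads User-Name and Framed-IP-Address from Start/Stop messages and keeps the per-IP session table a firewall would build from them. The packet builder, the zeroed authenticator and the omitted shared-secret check are assumptions made for the demo; a real receiver must verify the Request Authenticator before trusting the message.

```python
import struct
from ipaddress import IPv4Address

# RADIUS packet code and attribute types (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2
HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator

def parse_attributes(payload):
    """Walk the (type, length, value) list that follows the header."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs

def build_acct_request(username, ip, status, ident=1):
    """Constructed Accounting-Request for the demo; authenticator left zeroed (assumption)."""
    body = (bytes([USER_NAME, 2 + len(username)]) + username.encode()
            + bytes([FRAMED_IP_ADDRESS, 6]) + IPv4Address(ip).packed
            + bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body

def apply_accounting(sessions, packet):
    """Step 4: map the user's IP to the user on Start, drop it on Stop. Returns the table."""
    if len(packet) < HEADER_LEN:
        return sessions
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return sessions  # wrong message type or truncated/oversized datagram
    attrs = parse_attributes(packet[HEADER_LEN:length])
    if not all(t in attrs for t in (USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE)):
        return sessions  # without user name and IP there is nothing to map (slide 94)
    user = attrs[USER_NAME].decode()
    ip = str(IPv4Address(attrs[FRAMED_IP_ADDRESS]))
    status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
    if status == ACCT_START:
        sessions[ip] = user
    elif status == ACCT_STOP and sessions.get(ip) == user:
        del sessions[ip]
    return sessions
```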
97. Dimension 2.1
Subscription Services Dashboard
Policy Usage report
Admin auditing on report generation
Anonymized Mode for reports
Administration with RADIUS users
98. Policy Usage report
Get more detail on Policy Usage information for a managed device over a specified time range.
• Gain awareness of which policies are most active.
• Learn which policies are least used.
99. Anonymized Mode for reports
Meet key privacy requirements for many European countries
• New Anonymization Officer role.
• Each session has a unique, randomized key.
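The two properties named on this slide, as an added example that is not Dimension's own implementation: a per-session random key drives keyed pseudonyms, so a user is consistent within one report session, uncorrelatable across sessions, and only a holder of the key (the officer role) can map a pseudonym back. The class and function names, the field list and the log records are constructed for the demo.

```python
import hashlib
import hmac
import secrets

PII_FIELDS = ("user", "src_ip")  # assumption: which report columns count as PII

class AnonymizedReport:
    """One report session. A fresh random key means pseudonyms are stable inside
    the session but cannot be correlated across sessions or rebuilt without the key."""

    def __init__(self, session_key=None):
        self.session_key = session_key if session_key is not None else secrets.token_bytes(32)

    def pseudonym(self, field, value):
        # Keyed HMAC, domain-separated by field name: an unkeyed hash could be
        # reversed from a list of known users, and the field prefix keeps a user
        # name and a host with the same string from colliding.
        tag = hmac.new(self.session_key, f"{field}\x00{value}".encode(), hashlib.sha256)
        return f"{field}-{tag.hexdigest()[:16]}"

    def anonymize(self, record):
        return {k: (self.pseudonym(k, v) if k in PII_FIELDS else v) for k, v in record.items()}

def anonymize_all(records, report):
    return [report.anonymize(r) for r in records]

def resolve(session_key, field, pseudonym, candidates):
    """Anonymization Officer role: with the session key, recompute over the known
    population to find who a pseudonym belongs to; without the key this fails."""
    report = AnonymizedReport(session_key)
    for value in candidates:
        if hmac.compare_digest(report.pseudonym(field, value), pseudonym):
            return value
    return None

# Constructed sample log records
SAMPLE_RECORDS = [
    {"user": "alice", "src_ip": "10.0.1.20", "policy": "HTTPS-proxy", "bytes": 5120},
    {"user": "alice", "src_ip": "10.0.1.20", "policy": "DNS", "bytes": 128},
    {"user": "bob", "src_ip": "10.0.1.21", "policy": "HTTPS-proxy", "bytes": 900},
]
```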
101. Roadmap ahead
It will cover more cloud support including IKEv2, AWS & Azure amongst many others.
WatchGuard Confidential.
102. Acquisition of HawkEye G security technology
Hexis’s HawkEye G platform makes threats visible and gives organisations the tools to respond quickly and effectively to cyber incidents.
Thanks to passive and active heuristics for detecting unknown threats and a refined scoring model, HawkEye G offers unmatched network visibility, making it the most advanced detection and response product on the market.
103. New Secure Wireless solution
Many new security features
Choice between on-premise and cloud controller
New authentication methods
Versatile management control options
Tracking of visitors, e.g. behaviour in shops
Etc. etc. etc.