Presentations from the Toronto Stop of the Scalar Security Roadshow on March 4, covering technologies from Palo Alto Networks, F5, Splunk, and Infoblox.
27. The basics
Threat | What it is | What it does
Exploit | Bad application input, usually in the form of network traffic. | Targets a vulnerability to hijack control of the target application or machine.
Malware | Malicious application or code. | Anything – downloads, hacks, explores, steals…
Command-and-control (C2) | Network traffic generated by malware. | Keeps the remote attacker in control and coordinates the attack.
Indicators of compromise (IoC) | Indications that your network has been compromised. | Allows security teams to find and confirm breaches.
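The IoC row above states that indicators let a security team find and confirm breaches. The script below is an added illustration of those mechanics, not code from the deck or from any vendor presented on it: it refangs a small indicator feed, pulls candidate IPs, SHA-256 hashes and host names out of log lines, and reports which lines hit. Every feed entry, host name, address and log line is constructed for the example.

```python
import re

# Added example, not code from the deck or any vendor on it: match an
# indicator-of-compromise feed against log lines to confirm a suspected
# breach. Every feed value and log line below is constructed.

# Feeds are commonly "defanged" (evil[.]test, hxxp://) so indicators cannot
# be clicked by accident; they must be refanged before comparison.
IOC_FEED = [
    {"type": "domain", "value": "c2.bad-example[.]test"},
    {"type": "ipv4", "value": "203.0.113.45"},
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
]

SAMPLE_LOGS = [
    "Aug 08 06:09:13 proxy01 GET http://c2.bad-example.test/beacon?id=42 status=200",
    "Aug 08 06:10:02 fw01 allow tcp 10.11.36.20:51234 -> 203.0.113.45:443",
    "Aug 08 06:11:44 edr01 file_created path=C:\\Temp\\a.tmp sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "Aug 08 06:12:00 proxy01 GET http://www.example.test/ status=200",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value):
    """Undo common defanging and lower-case so feed and log values compare equal."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return "http" + v[4:] if v.startswith("hxxp") else v


def extract_indicators(line):
    """Every candidate IP, SHA-256 and host name in one log line, as (type, value)."""
    text = line.lower()
    found = {("ipv4", m) for m in IPV4_RE.findall(text)}
    found |= {("sha256", m) for m in SHA256_RE.findall(text)}
    found |= {("domain", m) for m in HOST_RE.findall(text)}
    return found


def indicator_matches(kind, candidate, ioc):
    """IPs and hashes match exactly; a domain IoC also covers its subdomains."""
    if kind == "domain":
        return candidate == ioc or candidate.endswith("." + ioc)
    return candidate == ioc


def match_logs(lines, feed):
    """(line_index, ioc_type, ioc_value) for every hit, in log order."""
    normalised = [(entry["type"], refang(entry["value"])) for entry in feed]
    hits = []
    for index, line in enumerate(lines):
        for kind, candidate in sorted(extract_indicators(line)):
            for ioc_type, ioc_value in normalised:
                if kind == ioc_type and indicator_matches(kind, candidate, ioc_value):
                    hits.append((index, ioc_type, ioc_value))
    return hits


if __name__ == "__main__":
    for index, ioc_type, ioc_value in match_logs(SAMPLE_LOGS, IOC_FEED):
        print(f"line {index}: {ioc_type} {ioc_value} -> {SAMPLE_LOGS[index]}")
```

The host-name regex deliberately over-collects (a file name such as a.tmp is pulled out as a candidate); that is harmless because only candidates present in the feed are reported, and it avoids missing a host that appears outside a URL. Subdomain matching on domain IoCs is the one place the comparison is not exact, because C2 infrastructure is routinely rotated underneath a known parent domain.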
31. The new threat landscape
Advanced threat
Commodity threats (very common, easily identified):
§ Low sophistication, slowly changing
§ Mostly addressed by traditional AV and IPS
Organized cybercrime (more customized exploits and malware):
§ Somewhat more sophisticated payloads
§ Evasion techniques often employed
§ Sandboxing and other smart detection often required
Machine vs. machine
Nation state (very targeted, persistent, creative):
§ Intelligent and continuous monitoring of passive network-based and host-based sensors
§ Comprehensive investigation after an indicator is found
§ Highly coordinated response is required for effective prevention and remediation
34. Malware Vectors and Traditional Detection Times
Top 5 sources of unknown malware highlighted. FTP was a leading source and rarely detected.
36. Automated network effect of sharing
§ 10Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.)
§ Automatic detection in real time in private or public cloud
§ Automatic generation of several defensive measures
§ Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection
§ Automatic installation of defensive measures provides full prevention immediately
§ Global intelligence and protection delivered to all users
Diagram labels: WildFire (TM); WildFire Appliance (optional); WildFire Users; Command-and-control; Staged malware downloads; Host ID and data exfil; Anti-malware signatures; DNS intelligence; Malware URL database; Anti-C2 signatures; Soak sites, sinkholes, 3rd party sources.
Malware, DNS, URL, and C2 signatures automatically created based on WildFire intelligence and delivered to customers globally. You benefit from the threat intelligence of 2,500+ organizations across the industry.
42. Regaining Control over Modern Threats
New Requirements for Threat Prevention
1. Visibility into all traffic regardless of port, protocol, evasive tactic or SSL
2. Stop all types of known network threats (IPS, anti-malware, URL, etc.) while maintaining multi-gigabit performance
3. Find and stop new and unknown threats even without a pre-existing signature
45. Imperatives to be secure
§ Evolving from an incident response mindset to an intelligence mindset
§ No intelligence exists without visibility
§ Applying the intelligence and resulting IOCs to the kill chain
§ Sharing what you know
46. Can’t understand what you don’t know
§ You don’t have intelligence if you don’t have visibility
§ Visibility required across the whole network
§ Ideally, you can see and understand applications, content, and users
§ Then make sense of what you see
47. Share what you know
§ In the cyber security battle, sharing is key
§ Three ways this is happening:
1. External – industry initiatives
2. External – technology partnerships
3. Internal – your security technology should leverage the network
48. vSphere | NSX
vSphere: Virtual Firewall as a Guest VM – Gateway Edition: VM-100, VM-200, VM-300
NSX: Virtual Firewall as a Hypervisor Service – VM-1000-HV Edition, modeled from VM-300
75. Built for intelligence, speed and scale
Users | Resources
Concurrent user sessions: 100K
Concurrent logins: 1,500/sec.
Throughput: 640 Gbps
Concurrent connections: 288 M
DNS query response: 10 M/sec
SSL TPS (2K keys): 240K/sec
Connections per second: 8M
83. Splunk Overview
Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Regional HQ: London, Hong Kong
• Over 1000 employees, based in 12 countries
• 2012 Revenue: $199M (YoY +60%)
Business Model / Products
• Free download to massive scale
• Splunk Enterprise, Splunk Cloud
• Hunk: Splunk Analytics for Hadoop
6,400+ Customers
• Customers in over 90 countries
• 60 of the Fortune 100
• Largest license: Over 100 Terabytes per day
85. The Accelerating Pace of Data
Volume | Velocity | Variety | Variability
Machine data is the fastest growing, most complex, most valuable area of big data.
Sources: GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops
86. The Splunk Security Intelligence Platform
Security Use Cases: Forensic Investigation, Security Operations, Compliance, Fraud Detection
Machine Data: Online Services, Web Services, Security Servers, GPS Location, Networks, Packaged Applications, Desktops, Storage, Messaging, Telecoms, Custom Applications, RFID, Energy Meters, Online Shopping Cart, Databases, Web Clickstreams, Call Detail Records, Smartphones and Devices
Platform: HA Indexes and Storage on Commodity Servers
87. Rapid Ascent in the Gartner SIEM Magic Quadrant
[Chart: Splunk’s position in the Gartner SIEM Magic Quadrant in 2011, 2012 and 2013]
88. Industry Accolades
Best SIEM Solution; Best Enterprise Security Solution; Best Security Product
91. Partner Ecosystem
What is the Value Add to Existing Customers?
• Visibility and Correlation of Rich Data
• Improved Security Posture
• Configurable Dashboard Views
92. All Data is Security Relevant = Big Data
Traditional SIEM sources: Firewall, Authentication, Vulnerability Scans, Intrusion Detection, Data Loss Prevention, Anti-Malware
Additional sources: Databases, Email, Web, Desktops, Servers, DHCP/DNS, Network Flows, Custom Apps, Hypervisor, Badges, Storage, Mobile, Service Desk, Industrial Control, Call Records
93. Making Sound Security Decisions
Inputs: Binary Data (flow and PCAP), Log Data, Threat Intelligence Feeds, Context Data -> Security Decisions
Volume | Velocity | Variety | Variability
94. Case #1 – Incident Investigation/Forensics
• Often initiated by alert in another product
• May be a “cold case” investigation requiring machine data going back months
• Need all the original data in one place and a fast way to search it to answer:
– What happened and was it a false positive?
– How did the threat get in, where have they gone, and did they steal any data?
– Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed
[Diagram: timeline from January to April linking Suspect A, Suspect B, Suspect C, Accomplice A and Accomplice B through raw log fragments such as “client=unknown[99.120.205.249]”, “<160>Jan 26 16:27 (cJFFNMS”, “truncating integer value > 32 bits”, “<46>Jan ASCII from client=unknown” and “DHCPACK =ASCII from host=85.196.82.110”]
95. Case #2 – Real-time Monitoring of Known Threats
Sources | Example Correlation – Data Loss
Windows Authentication (Default Admin Account; Source IP: 10.11.36.20):
20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts
Endpoint Security (Malware Found; Source IP):
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Intrusion Detection (Data Loss; Source IP):
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]
Time Range: All three occurring within a 24-hour period
96. Case #3 – Real-time Monitoring of Unknown Threats – Spearphishing
Sources | Example Correlation
Email Server (Rarely seen email domain; User Name):
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
Web Proxy (Rarely visited web site; User Name: John Doe):
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; )"
Endpoint Logs (Rarely seen service; User Name: John Doe):
08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
Time Range: All three occurring within a 24-hour period
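Cases #2 and #3 above are the same detection pattern: events from three different sources tied to one key (a source IP in case #2, a user name in case #3) inside a 24-hour window, with case #3 additionally requiring each event to involve a rarely seen value. The script below is an added example, not Splunk’s code or a correlation search from the deck, and generalises that pattern: constructed log lines modelled on (not copied from) the slides’ samples are parsed into normalised events, a sliding 24-hour window looks for at least three distinct sources per key, and a constructed 30-day baseline decides what counts as rarely seen. The source names, field layouts, baseline counts and the year assumed for year-less syslog timestamps are all assumptions of the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example, not Splunk's code: the "three sources within 24 hours"
# correlations from cases #2 and #3, run over constructed log lines that are
# modelled on (not copied from) the slides. Source names, field layouts, the
# baseline counts and the assumed year are all assumptions of this example.

ASSUMED_YEAR = 2013  # syslog timestamps carry no year

# Case #2 (known threats): events keyed by source IP. The last line is a
# single IDS hit on another host that must not correlate on its own.
CASE2_LOGS = [
    ("windows_auth", "Aug 08 04:12:21 dc01 EventCode=4624 Account_Name=Administrator Source_Network_Address=10.11.36.20"),
    ("endpoint_av", "Aug 08 06:09:13 acmesep01 Virus found,Computer name: ACME-002,Risk name: Hackertool.rootkit,User: smithe,Source IP: 10.11.36.20"),
    ("ids", "Aug 08 08:26:54 snort01 {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 snort[18774]: Credit Card Number Detected in Clear Text"),
    ("ids", "Aug 11 09:00:00 snort01 {TCP} 10.11.36.77:4000 -> 10.11.36.26:443 snort[18774]: Credit Card Number Detected in Clear Text"),
]

# Case #3 (unknown threats): events keyed by user name; each must involve a
# rarely seen value. The intranet request is common and must be filtered out.
CASE3_LOGS = [
    ("email", "2013-08-09T12:40:25Z STOREDRIVER DELIVER rcpt=johndoe@acme.com sender=hacker@neverseenbefore.com"),
    ("proxy", "2013-08-09T15:02:10Z 10.11.36.29 TCP_HIT GET www.intranet.acme.com user=johndoe"),
    ("proxy", "2013-08-09T16:21:38Z 10.11.36.29 TCP_HIT GET www.neverbeenseenbefore.com user=johndoe"),
    ("endpoint", "2013-08-09T16:23:51Z user=johndoe process_image=C:\\Windows\\System32\\neverseenbefore.exe registry_type=CreateKey"),
]

# Constructed 30-day baseline: how many times each value has been seen before.
BASELINE = Counter({"acme.com": 5000, "www.intranet.acme.com": 9000, "outlook.exe": 12000})

SYSLOG_TS = (r"^(\w{3} \d\d \d\d:\d\d:\d\d)", "%b %d %H:%M:%S")
ISO_TS = (r"^(\S+Z)", "%Y-%m-%dT%H:%M:%SZ")

# source -> (timestamp pattern, key pattern, rarity-candidate pattern, label)
PARSERS = {
    "windows_auth": (SYSLOG_TS, r"Source_Network_Address=(\S+)", None, "Admin logon"),
    "endpoint_av": (SYSLOG_TS, r"Source IP: (\S+)", None, "Malware found"),
    "ids": (SYSLOG_TS, r"\{TCP\} (\d+\.\d+\.\d+\.\d+):\d+ ->", None, "Data loss"),
    "email": (ISO_TS, r"rcpt=(\w+)@", r"sender=\w+@(\S+)", "Rare sender domain"),
    "proxy": (ISO_TS, r"user=(\w+)", r"GET (\S+)", "Rare web site"),
    "endpoint": (ISO_TS, r"user=(\w+)", r"process_image=\S*\\([^\\\s]+)", "Rare process"),
}


def parse(source, line):
    """Normalise one raw line into {ts, source, key, label, rare_value}."""
    (ts_re, ts_fmt), key_re, rare_re, label = PARSERS[source]
    ts = datetime.strptime(re.match(ts_re, line).group(1), ts_fmt)
    if ts.year == 1900:  # strptime default when the format has no year
        ts = ts.replace(year=ASSUMED_YEAR)
    rare_value = re.search(rare_re, line).group(1) if rare_re else None
    return {"ts": ts, "source": source, "key": re.search(key_re, line).group(1),
            "label": label, "rare_value": rare_value}


def is_rare(value, baseline, max_seen=1):
    """'Rarely seen' means the baseline has recorded the value at most max_seen times."""
    return value is not None and baseline[value.lower()] <= max_seen


def correlate(events, window_hours=24, min_sources=3):
    """One hit per key whose events cover >= min_sources distinct sources
    inside some sliding window of window_hours."""
    window = timedelta(hours=window_hours)
    by_key = defaultdict(list)
    for event in events:
        by_key[event["key"]].append(event)
    hits = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in in_window}
            if len(sources) >= min_sources:
                hits.append({"key": key, "sources": sorted(sources),
                             "labels": sorted({e["label"] for e in in_window}),
                             "start": first["ts"], "end": in_window[-1]["ts"]})
                break  # report the earliest qualifying window only
    return hits


def run_case2():
    """Known threats: admin logon + malware found + data loss from one IP."""
    return correlate([parse(src, line) for src, line in CASE2_LOGS])


def run_case3():
    """Unknown threats: keep only rarely seen events, then correlate by user."""
    events = [parse(src, line) for src, line in CASE3_LOGS]
    return correlate([e for e in events if is_rare(e["rare_value"], BASELINE)])


if __name__ == "__main__":
    for hit in run_case2() + run_case3():
        print(f"{hit['key']}: {', '.join(hit['labels'])} between {hit['start']} and {hit['end']}")
```

In Splunk terms this is the logic a scheduled correlation search carries: the parse step corresponds to search-time field extraction, the rarity check to a lookup against a baseline summary, and the window to the search’s time range. The rarity filter is what separates case #3 from case #2: without it, a common intranet request would count as one of the three sources and the alert would fire on ordinary activity.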
97. $500k Security ROI @ Interac
• Challenges: Manual, costly processes
– Significant people and days/weeks required for incident investigations. $10k+ per week.
– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
• Enter Splunk: Fast investigations and stronger security
– Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
– Splunk reduced investigation time to hours. Reports can be created in minutes.
– Real-time correlations and alerting enables fast response to known and unknown threats
– ROI quantified at $500k a year. Splunk TCO is less than 10% of this.
“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.” – Josh Diakun, Security Specialist, Information Security Operations
98. Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize with reliance on pre-built rules which generated false positives
• Enter Splunk: Flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered team
– 900 GB/day and searches take under a minute. 7 global data centers with 350TB stored data
– Estimate Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.” – Gavin Reid, Leader, Cisco Computer Security Incident Response Team
99. Security and Compliance @ Barclays
• Challenges: Unable to meet demands of auditors
– Scale issues, hard to get data in, and impossible to get data out beyond summaries
– Not optimized for unplanned questions or historical searches
– Struggled to comply with global internal and external mandates, and to detect APTs
– Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
• Enter Splunk: Stronger security and compliance posture
– Fines avoided as searches easily turned into visualizations for compliance reporting
– Faster investigations, threat alerting, better risk measurement, enrichment of old data
– Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
– Other teams using Splunk for non-security use cases improves ROI
“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.” – Stephen Gailey, Head of Security Services
100. Splunk Key Differentiators
Splunk vs. Traditional SIEM
• Single product, UI, data store
• Software-only; install on commodity hardware
• Quick deployment + ease-of-use = fast time-to-value
• Can easily index any data type
• All original/raw data indexed and searchable
• Big data architecture enables scale and speed
• Flexible search and reporting enables better/faster threat investigations and detection, incl. finding outliers/anomalies
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance
101. For your own AHA! Moment
Reach out to your Scalar and Splunk team for a demo
Thank you!