A Long Time Ago... Security Was Simpler

- Wired employees, on-premise data center
- Apps in one place
- Users in one place
- Data in one place
- Devices controlled; devices "dumb"
- Network simple
- IT controls it all

Complexity Has Grown... A Lot

(Diagram: cloud, Internet content/tools, modern threats (targeted, multi-vector, persistent), wireless, VPN, VDI, guest, mobile employee, partner/contractor, wired employee, the network, on-premise)

- Apps all over the place
- Users all over the place
- Data all over the place
- Devices not controlled; devices smart
- Network is complex
- IT controls only some of it; users' control has increased
- Risks are FAR higher

Modern Attacks Are Targeted, Stealthy and Multi-Step

What has changed / what is the same:

- The attacker has changed: nation-states, criminal organizations, political groups
- Attack strategy has evolved: patient, multi-step process; compromise a user, then expand
- Attack techniques have evolved: new applications as the threat vector; avoidance of traditional AV signatures; hiding malware communications

Target             Date            Motive
NY Times           Jan 31, 2013    State-sponsored
CIA                Feb 10, 2012    Hacktivism
Symantec           Feb 8, 2012     Extortion
Zappos             Jan 15, 2012    Cybercrime
Danish Government  Aug 22, 2011    Government practices
Sony PSN           April 19, 2011  Hacktivism
Epsilon            April 1, 2011   Financial
RSA                March 17, 2011  State-sponsored

Real Attacks Employ Multiple Techniques

1. Bait the end-user: the end-user is lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download backdoor: a secondary payload is downloaded in the background; malware is installed
4. Establish back-channel: the malware establishes an outbound connection to the attacker for ongoing control
5. Explore and steal: the remote attacker has control inside the network and escalates the attack

The Gaps in Traditional Antivirus Protection

- Targeted and custom malware
- Polymorphic malware
- Newly released malware
- Highly variable time to protection

Modern malware is increasingly able to:
- Avoid falling into traditional AV honey-pots
- Evolve before protection can be delivered

(Note: WildFire finds 200 - 400 unique new malware samples undetectable by leading antivirus software every day.)

Requirements for Security in a Brave New World

1. See all traffic: reduce or eliminate blind spots
2. Safe application enablement
   - Identify applications by deep inspection, not by port filtering
   - Control application use by user/group-based policies
   - Inspect the traffic you allow: protect against known and unknown threats
3. Segment all parts of the network
4. Be nimble: address the moving parts
   - Tie security policies to VM orchestration (VM creation / movement)
   - Give mobile users controlled access
   - Rapidly deploy protections against new threats

Identify Unknowns

1. Known traffic is controlled using positive enforcement
   - Allow the good, block everything else
   - Positive control ends the endless whack-a-mole of finding and stopping unwanted apps
2. Identify unknown applications
   - Anything non-compliant or custom should be known and approved
   - When the vast majority of traffic is identified, the unknowns become manageable
3. Unknown traffic is common; every network has some
   - New publicly available commercial applications
   - Internally developed, custom applications
   - Rogue or malicious applications (malware)
4. Unknowns are manageable
   - Investigate unknowns
   - Aggressively control or block remaining unknown traffic

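The positive-enforcement model above, as an added example that is not part of the original deck: flows are matched against an allow-list keyed on user group and identified application, unknown traffic is routed to an "investigate" bucket rather than silently passed, and a legacy port filter is evaluated alongside for contrast. Application names, groups and the sample flows are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional
# Positive-enforcement policy: only the (user group, application) pairs listed
# here are allowed; anything else is denied by default. The application name is
# assumed to come from content inspection of the session, not from the port.
ALLOW_RULES = {
    "finance": {"web-browsing", "ssl", "banking-portal"},
    "engineering": {"web-browsing", "ssl", "ssh", "git"},
    "*": {"dns"},                    # allowed for every group
}
TRUSTED_PORTS = {53, 80, 443}        # what a legacy port filter would trust

@dataclass(frozen=True)
class Flow:
    user_group: str
    dst_port: int
    app: Optional[str]               # identified application, None if unknown

def decide(flow: Flow) -> str:
    """Positive enforcement: 'allow', 'deny', or 'investigate' for unknowns."""
    if flow.app is None:
        # Unknown traffic is flagged for classification (custom, new, or malicious).
        return "investigate"
    allowed = ALLOW_RULES.get(flow.user_group, set()) | ALLOW_RULES["*"]
    return "allow" if flow.app in allowed else "deny"

def port_filter(flow: Flow) -> str:
    """Legacy negative control for contrast: trusts well-known ports blindly."""
    return "allow" if flow.dst_port in TRUSTED_PORTS else "deny"

def summarize(flows):
    """Count decisions under both models and measure how much traffic is unknown."""
    unknown = sum(1 for f in flows if f.app is None)
    return {
        "app_id": dict(Counter(decide(f) for f in flows)),
        "port_filter": dict(Counter(port_filter(f) for f in flows)),
        "unknown_fraction": unknown / len(flows),
    }

# Constructed sample flows (not real traffic): an evasive P2P app and an
# unidentified session both ride port 443, which a port filter waves through.
SAMPLE_FLOWS = [
    Flow("finance", 443, "banking-portal"),
    Flow("engineering", 22, "ssh"),
    Flow("finance", 22, "ssh"),              # app not allowed for this group
    Flow("engineering", 443, "bittorrent"),  # evasive app on a trusted port
    Flow("engineering", 443, None),          # unknown: custom app or malware
    Flow("finance", 53, "dns"),
]
```

The unknown_fraction figure is the quantity the deck says makes unknowns manageable once it is small; in practice it is the queue for investigation.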
Behavioral Analysis of Potential Malware

(Diagram: malware analysis pipeline)

- Potentially malicious files arrive from the Internet
- Unknown files are forwarded for deeper analysis
- Sandbox-based analysis finds malware based on its behaviors
- A detailed forensics report is generated
- Malware and C&C signatures are created
- Protection is delivered to all customer firewalls
