2010 Ponemon Institute Study
Published in March 2011
51 U.S. companies interviewed with breaches that occurred in 2010
▸ 4,200 to 105,000 records stolen
▸ Breach costs ranged from $780,000 to $35.3 million
Report highlights:
▸ Average data breach cost: $7.2 million
▸ Average cost per stolen record: $214
▸ 31% of breaches were criminal attacks
▸ Breaches related to criminal attacks are the most expensive
▸ Customer turnover remains the main driver of data breach costs
Professionalization of Hacking
“Once a deviant industry is professionalized, crackdowns merely promote innovation.” - Nils Gilman, 4th European Futurists Conference
“The criminal breaks the monotony and humdrum security of bourgeois life, he thereby insures it against stagnation, and he arouses that excitement and restlessness without which even the spur of competition would be blunted.” - Karl Marx
Threats Change — Traditional Security Products Do Not
Static | Inflexible | Closed/Blind | Labor Intensive
“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.” - Neil MacDonald, VP & Gartner Fellow
Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010
Agile Security
Next Gen Security is a continuous process to respond to continuous change.
Agile Security: You Can’t Protect What You Can’t See
▸ Breadth: who, what, where, when
▸ Depth: as much detail as you need
▸ Real-time data
▸ See everything in one place
“Seeing” provides information superiority
Visibility covers: OS, Users, Devices, Threats, Applications, Files, Vulnerabilities, Network
Key: intelligence & automation
Gain insight into the reality of your IT and security posture
Get smarter by applying intelligence
▸ Correlate, prioritize, decide
▸ Reduce the ‘noise’
Respond via automation
▸ Block, alert, log, modify, quarantine, remediate
▸ Automatically optimize defenses
▸ Lock down your network to policy
Leverage open architecture
▸ Configure custom-fit security
What is needed is a new approach to protect your organization: Security Before, During & After the Attack
Before: Policy & Control
▸ Discover environment
▸ Implement access policy
▸ Harden assets
During: Identification & Block
▸ Detect
▸ Prevent
After: Analysis & Remediation
▸ Determine scope
▸ Contain
▸ Remediate
What Can You Do?
Assess your vendors by assuming you will be hacked
▸ p.s., you will be. Or you already have been.
Your security tools are tools.
▸ Forget about set-and-forget tech and think about how each process, program or product helps your analysts keep you safe.
Java 0-Day
SIDs 25301, 25302
Largely used by exploit kits (Blackhole, Cool Kit, Nuclear, Redkit) - covered by the SIDs above
▸ Why is java.exe downloading calc.exe?
BTW, User Agents are telling
No, really:
▸ User-Agent: Malware
▸ (RFC 3514, the April 1st “evil bit”, anybody?)
Unless your proxy rewrites them all...
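The two slides above describe one check a proxy-log review can make mechanically: a Java client (the JRE sends “Java/<version>” as its User-Agent, so an exploited applet fetching its payload does not look like the browser) pulling down a Windows executable, and User-Agent strings that identify the client as a tool rather than a browser. The script below is an added example, not code from the original deck or from Sourcefire; the tab-separated log layout and the sample lines are constructed, and the list of “known bad” User-Agent strings is an assumption to be extended from your own proxy data.

```python
"""Flag proxy log lines where a Java client fetches a Windows executable or
where the User-Agent itself gives the client away.

Added example, not from the original deck. The tab-separated log format and
the sample lines are constructed; map the fields to your own proxy's log.
"""
from typing import List, Tuple

# Constructed sample log: client_ip, user_agent, method, url, status, content_type
SAMPLE_LOG = (
    "10.0.0.5\tMozilla/5.0 (Windows NT 6.1) Firefox/10.0\tGET\thttp://example.com/index.html\t200\ttext/html\n"
    "10.0.0.7\tJava/1.6.0_29\tGET\thttp://198.51.100.23/calc.exe\t200\tapplication/octet-stream\n"
    "10.0.0.7\tJava/1.6.0_29\tGET\thttp://example.com/lib/update.jar\t200\tapplication/java-archive\n"
    "10.0.0.9\tMalware\tPOST\thttp://203.0.113.8/gate.php\t200\ttext/html\n"
    "10.0.0.4\tJava/1.7.0_02\tGET\thttp://203.0.113.8/load.php?id=3\t200\tapplication/x-msdownload\n"
)

EXE_EXTENSIONS = (".exe", ".dll", ".scr", ".pif", ".com")
# Content types that name a PE file outright. application/octet-stream is left
# out on purpose: it is far too common on legitimate downloads to be a signal alone.
EXE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
# Self-identifying or empty User-Agent strings (assumption: extend from your own data).
KNOWN_BAD_USER_AGENTS = {"", "malware"}


def is_java_client(user_agent: str) -> bool:
    """The JRE's URL classes send 'Java/<version>'; a payload fetched by an
    exploited applet therefore carries this header, not the browser's."""
    return user_agent.startswith("Java/")


def looks_like_executable(url: str, content_type: str) -> bool:
    """True if the URL path or the declared content type says 'Windows executable'.
    The content-type check catches droppers served from .php URLs."""
    path = url.split("?", 1)[0].lower()
    return path.endswith(EXE_EXTENSIONS) or content_type.strip().lower() in EXE_CONTENT_TYPES


def suspicious_user_agent(user_agent: str) -> bool:
    """Heuristic: real browsers and SDKs send at least one product/version token
    ('Mozilla/5.0', 'Java/1.6.0_29'); a bare word such as 'Malware' does not."""
    ua = user_agent.strip()
    return ua.lower() in KNOWN_BAD_USER_AGENTS or "/" not in ua


def analyze(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, finding, detail) tuples for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, ua, _method, url, _status, ctype = line.split("\t")
        if is_java_client(ua) and looks_like_executable(url, ctype):
            findings.append((client, "java_exe_download", url))
        if suspicious_user_agent(ua):
            findings.append((client, "suspicious_user_agent", ua))
    return findings


if __name__ == "__main__":
    for client, finding, detail in analyze(SAMPLE_LOG):
        print(f"{client}\t{finding}\t{detail}")
```

Note what is not flagged: the Java client fetching a .jar is normal update traffic, and the Firefox line is clean. The caveat in the slide stands: if your proxy normalizes outbound User-Agent headers, the second check is blind and only the Java-fetches-executable rule remains useful.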
What can we do? Communication
Watch hackers. Many aren’t that sneaky. (L|H)OIC source code is public, for crying out loud.
▸ LOIC packet contains: “U dun goofed”
▸ HOIC botched the protocol: it used two spaces where only one is allowed.
They recruit! Publicly.
▸ Get on Twitter.
▸ Watch pastebin.org. Scrape it.
▸ Use Google Alerts if you can’t script.
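Both tool fingerprints named above are cheap to check in code: LOIC's flood modes send a fixed string (the slide quotes its default, “U dun goofed”), and the HOIC request line carries a double space where RFC 2616 allows exactly one SP between method, URI and version. The block below is an added example, not code from the deck or from Sourcefire; the payloads are constructed, and the per-source threshold is this example's own addition so that a single stray packet does not page anyone.

```python
"""Fingerprint LOIC and HOIC-style traffic from raw payloads.

Added example, not from the original deck. Sample payloads are constructed;
the LOIC marker is the default message quoted on the slide, and the HOIC check
follows the slide's observation about a double space in the request.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

LOIC_MARKER = b"U dun goofed"

# Constructed (source_ip, payload) pairs as a sensor would hand them over.
SAMPLE_PAYLOADS: List[Tuple[str, bytes]] = [
    ("198.51.100.10", b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("203.0.113.5", b"U dun goofed\r\n"),
    ("203.0.113.5", b"U dun goofed\r\n"),
    ("203.0.113.7", b"GET  / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("198.51.100.11", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello fragment
    ("198.51.100.12", b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 2\r\n\r\nab"),
]


def matches_loic(payload: bytes) -> bool:
    """LOIC's TCP/UDP flood sends a user-supplied string; the default is the marker.
    In Snort terms this is a plain content:"U dun goofed"; match."""
    return LOIC_MARKER in payload


def malformed_request_line(payload: bytes) -> bool:
    """RFC 2616 request line: Method SP Request-URI SP HTTP-Version, one space
    between tokens. Two consecutive spaces in something that otherwise ends in
    HTTP/1.x is a tool bug, not a browser."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")) and b"  " in first_line


def classify(payload: bytes) -> Optional[str]:
    """Return a tool label for the payload, or None if nothing matches."""
    if matches_loic(payload):
        return "loic"
    if malformed_request_line(payload):
        return "hoic-like"
    return None


def attackers(samples: List[Tuple[str, bytes]], threshold: int = 1) -> Dict[str, Counter]:
    """Group hits per source so an alert can require several sightings;
    threshold=1 alerts on first sight."""
    hits: Dict[str, Counter] = {}
    for src, payload in samples:
        label = classify(payload)
        if label:
            hits.setdefault(src, Counter())[label] += 1
    return {src: c for src, c in hits.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for src, counts in attackers(SAMPLE_PAYLOADS).items():
        print(src, dict(counts))
```

The binary TLS fragment and the well-formed POST fall through to None, which is the point: the match is on what the tools get wrong, not on traffic volume, so it stays useful even when the flood is small.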
What Can You Do?
Hire analysts
▸ It’s going to cost you.
▸ And if they aren’t trained they depreciate.
Example: “Agile Security” Fuels Automation in an IDS/IPS
IT Insight: Spot rogue hosts, anomalies, policy violations, and more
Impact Assessment: Threat correlation reduces actionable events by up to 99%
Automated Tuning: Adjust IPS policies automatically based on network change
User Identification: Associate users with security and compliance events
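Impact assessment and automated tuning both come down to joining an alert against what you know about the target: its OS, what it is listening on, and which vulnerabilities a scanner or agent has reported. The block below is an added example, not code from the deck or Sourcefire's implementation. The four-level impact scale is this example's own convention (1 = vulnerable, 2 = potentially vulnerable, 3 = not vulnerable, 4 = unknown target), the SIDs 1001 to 1003, the hosts and the alerts are constructed; CVE-2008-4250 (MS08-067) is a real identifier used only as inventory data.

```python
"""Correlate IDS alerts against a host inventory to rate impact, and find rules
the current network no longer needs.

Added example, not from the original deck and not Sourcefire's code. The impact
scale is this example's convention; inventory, rules and alerts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Host:
    ip: str
    os_family: str                 # e.g. "windows", "linux"
    listening_tcp: Set[int]        # ports seen open by passive discovery or a scan
    vulns: Set[str] = field(default_factory=set)   # CVE ids reported on this host


@dataclass
class Rule:
    sid: int
    msg: str
    target_os: Set[str]            # OS families the exploit can affect; empty = any
    cve: Optional[str] = None


@dataclass
class Alert:
    sid: int
    src: str
    dst: str
    dst_port: int


INVENTORY: Dict[str, Host] = {
    "10.0.1.10": Host("10.0.1.10", "windows", {135, 139, 445, 3389}, {"CVE-2008-4250"}),
    "10.0.1.20": Host("10.0.1.20", "linux", {22, 80}),
    "10.0.1.30": Host("10.0.1.30", "windows", {80, 443}),
}
RULES: Dict[int, Rule] = {   # SIDs are example numbers, not real rule ids
    1001: Rule(1001, "SMB exploit attempt (MS08-067)", {"windows"}, "CVE-2008-4250"),
    1002: Rule(1002, "Web server directory traversal attempt", set()),
    1003: Rule(1003, "Solaris telnet auth bypass attempt", {"solaris"}),
}
ALERTS: List[Alert] = [
    Alert(1001, "203.0.113.9", "10.0.1.10", 445),   # windows host, CVE present
    Alert(1001, "203.0.113.9", "10.0.1.30", 445),   # windows host, 445 not listening
    Alert(1001, "203.0.113.9", "10.0.1.20", 445),   # linux host
    Alert(1002, "203.0.113.9", "10.0.1.20", 80),    # any OS, 80 listening
    Alert(1002, "203.0.113.9", "10.0.1.10", 80),    # 80 not listening
    Alert(1003, "203.0.113.9", "10.0.1.20", 23),    # solaris-only exploit vs linux
    Alert(1003, "203.0.113.9", "10.0.9.99", 23),    # target not in inventory
]
IMPACT_LABELS = {1: "vulnerable", 2: "potentially vulnerable",
                 3: "not vulnerable", 4: "unknown target"}


def assess(alert: Alert, rules: Dict[int, Rule], inventory: Dict[str, Host]) -> int:
    """Rate one alert: known-vulnerable beats port-open beats everything else."""
    host = inventory.get(alert.dst)
    if host is None:
        return 4
    rule = rules[alert.sid]
    if rule.cve and rule.cve in host.vulns:
        return 1
    os_match = not rule.target_os or host.os_family in rule.target_os
    if os_match and alert.dst_port in host.listening_tcp:
        return 2
    return 3


def triage(alerts: List[Alert], rules, inventory, actionable_max: int = 2) -> List[Alert]:
    """Keep only alerts an analyst should look at (impact 1 or 2 by default)."""
    return [a for a in alerts if assess(a, rules, inventory) <= actionable_max]


def rules_to_disable(rules: Dict[int, Rule], inventory: Dict[str, Host]) -> Set[int]:
    """Automated tuning: a rule whose target OS is absent from the inventory can
    be switched off; re-run this whenever the inventory changes."""
    present = {h.os_family for h in inventory.values()}
    return {sid for sid, r in rules.items() if r.target_os and not (r.target_os & present)}


if __name__ == "__main__":
    for a in ALERTS:
        print(a.sid, a.dst, IMPACT_LABELS[assess(a, RULES, INVENTORY)])
    print("actionable:", len(triage(ALERTS, RULES, INVENTORY)), "of", len(ALERTS))
    print("disable:", sorted(rules_to_disable(RULES, INVENTORY)))
```

Seven alerts become two worth an analyst's time, which is the mechanism behind the slide's reduction claim. The caveat is the fourth impact level: an “unknown target” means the inventory is incomplete, and tuning off the Solaris rule is only safe if you trust that no unmapped Solaris host exists, so treat level-4 alerts as a discovery problem rather than noise.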
Reduce Risk with: Application Control – on the IPS!
Control access to Web-enabled apps and devices
▸ “Employees may view Facebook, but only Marketing may post to it”
▸ “No one may use peer-to-peer file sharing apps”
Over 1,000 apps, devices, and more!
Reduce Risk with: IP Reputation
Block and alert on:
▸ Botnet C&C traffic
▸ Known attackers
▸ Malware, phishing, and spam sources
▸ Open proxies and relays
Create your own lists, or download from Sourcefire or third parties
So, what is the difference between NG-IPS and NGFW?
Gartner Defines NGIPS & NGFW
Next-Gen IPS (NGIPS):
▸ Standard first-gen IPS
▸ Application awareness and full-stack visibility
▸ Context awareness
▸ Content awareness
▸ Agile engine
Next-Gen Firewall (NGFW):
▸ Standard first-gen firewall
▸ Application awareness and full-stack visibility
▸ Integrated network IPS
▸ Extrafirewall intelligence
“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”
Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011; “Defining the Next-Generation Firewall,” Gartner, October 12, 2009
What is a Next-Generation Firewall?
Stateful first-generation firewall
▸ Stateful protocol inspection
▸ Switching, routing and NAT
Integrated network intrusion prevention
▸ Not merely “co-located”
▸ Includes vulnerability- and threat-facing signatures
Application awareness with full-stack visibility
▸ Example: Allow Skype, but disable Skype file sharing
▸ Make Facebook “read-only”
Extrafirewall intelligence
▸ User directory integration
▸ Automated threat prevention policy updates
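The application-control policies quoted on this slide and on the earlier “Application Control – on the IPS!” slide (view Facebook but only Marketing may post; Skype yes but no file sharing; no peer-to-peer) share one shape: a rule keyed on application, action within the application, and the user's directory groups, evaluated first-match. The evaluator below is an added example, not code from the deck and not Sourcefire's policy syntax; the application and action names, the users and the directory lookup are constructed.

```python
"""First-match application-control policy with user-group awareness.

Added example, not from the original deck and not Sourcefire's policy format.
Application/action names, users and the directory stand-in are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    app: str
    action: Optional[str]               # None matches any action on the app
    groups: Optional[FrozenSet[str]]    # None matches any user, including unknown ones
    verdict: str                        # "allow" or "block"


# Ordered policy: the specific rule must come first, because evaluation stops
# at the first match. Swap the first two Facebook rules and nobody can post.
POLICY: List[Rule] = [
    Rule("facebook", "post", frozenset({"marketing"}), "allow"),  # only Marketing may post
    Rule("facebook", "post", None, "block"),                      # everyone else: read-only
    Rule("facebook", None, None, "allow"),                        # viewing is fine for all
    Rule("skype", "file-transfer", None, "block"),                # Skype yes, file sharing no
    Rule("skype", None, None, "allow"),
    Rule("bittorrent", None, None, "block"),                      # no peer-to-peer file sharing
]

# Constructed stand-in for the user directory: user identification on the sensor
# maps a connection to a user, and the directory maps the user to groups.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"marketing", "staff"},
    "bob": {"engineering", "staff"},
}


def evaluate(policy: List[Rule], user_groups: Set[str], app: str, action: str,
             default: str = "block") -> str:
    """Return the verdict of the first matching rule, or the default when none match.
    An unknown application falls to the default, so keep that 'block'."""
    for rule in policy:
        if rule.app != app:
            continue
        if rule.action is not None and rule.action != action:
            continue
        if rule.groups is not None and not (rule.groups & user_groups):
            continue
        return rule.verdict
    return default


def decide(user: Optional[str], app: str, action: str) -> str:
    """Resolve the user's groups (none for an unidentified user) and evaluate."""
    groups = DIRECTORY.get(user, set()) if user else set()
    return evaluate(POLICY, groups, app, action)


if __name__ == "__main__":
    for user, app, action in [("alice", "facebook", "post"), ("bob", "facebook", "post"),
                              ("bob", "facebook", "view"), (None, "facebook", "post"),
                              ("bob", "skype", "file-transfer"), ("bob", "skype", "call"),
                              ("alice", "bittorrent", "download"), ("bob", "dropbox", "upload")]:
        print(user, app, action, "->", decide(user, app, action))
```

Two details matter in practice. An unidentified user has no groups, so the “only Marketing may post” exception never fires for a connection the sensor could not tie to a directory user; that is the safe direction. And a group-specific allow placed after a general block is dead code, which is why the ordering test below checks the reversed pair.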
Gartner on Next-Generation IPS
“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”
Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011
Available now on Sourcefire.com:
✔ Application awareness
✔ Contextual awareness
✔ Content awareness
✔ Agile engine
Ponemon NGFW Survey Highlights
Survey conducted in October 2011; 2,561 responses
Key results:
▸ Most NGFWs augment (not replace) existing firewalls
▸ IPS component rated “most important” for securing data
What about an Endpoint Approach to the Advanced Threat Problem?
Threats Continue to Evolve
“Nearly 60% of respondents were at least ‘fairly certain’ their company had been a target.” – Network World (11/2011)
The likelihood that you will be attacked by advanced malware has never been greater.
75% of attacks are seen on only one computer
Solve the Problem at the Endpoint
Action at point of entry
▸ Best place to stop client-side attacks is on the client
Awareness at source
▸ Focus where files are executed
▸ Do not miss threats due to encryption
Secure endpoints, wherever they are.
What is needed to fight advanced malware at the endpoint?
Clients need better visibility to detect and assess advanced malware. Visibility answers questions like:
▸ Do we have an advanced malware problem?
▸ Which endpoint was infected first?
▸ How extensive is the outbreak?
▸ What does the malware do?
Clients also need help regaining control after the inevitable attack. Control answers questions like:
▸ What is needed to recover?
▸ How can we stop other attacks?
Agile Security for Advanced Malware – Endpoint Benefits
SEE
▸ Advanced malware at the source
▸ Patient 0 + propagation paths
▸ APT reporting
LEARN
▸ Real-time root cause analysis of threats
▸ Collective immunity & comparative reporting
▸ Data mining & machine learning
ADAPT
▸ Custom detections/signatures
▸ Application control
▸ Whitelisting
ACT
▸ Immediate & retrospective remediation
▸ Action at the point of entry
▸ Continuous scans in cloud
Regain Control of Your Environment
Arm YOU to fight advanced malware
Outbreak control
▸ Custom signatures for immediate response
▸ Whitelisting
▸ Application control
Immediate & retrospective remediation
▸ Automatic remediation of damaged endpoints with Cloud Recall
▸ Collective immunity
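The endpoint slides above keep returning to the same data: a record of which file hash appeared on which host, when, where it came from, and whether it ran. With that record, “which endpoint was infected first”, “how extensive is the outbreak” and “retrospective remediation” are all queries. The block below is an added example, not code from the deck and not Sourcefire's or Immunet's implementation; the event layout, the hosts, the shortened hashes and the timestamps are constructed, and “origin” values of the form host:<name> are an assumption standing in for whatever your agent records about where a file was copied from.

```python
"""File trajectory across endpoints: patient zero, propagation paths and
retrospective remediation once a hash is convicted after the fact.

Added example, not from the original deck and not Sourcefire/Immunet code.
The event format, hosts, shortened hashes and timestamps are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: int          # seconds since epoch (constructed values)
    host: str
    sha256: str
    origin: str      # "web:<url>", "host:<peer>" (copied from that host) or "unknown"
    kind: str        # "create" (file landed on disk) or "exec" (file was run)


MAL = "a1b2c3...dropper"       # constructed hash, convicted later
BENIGN = "9f9f9f...sshclient"  # constructed hash of an unrelated tool

EVENTS: List[FileEvent] = [
    FileEvent(100, "ws-01", MAL, "web:http://203.0.113.8/drop.exe", "create"),
    FileEvent(101, "ws-01", MAL, "web:http://203.0.113.8/drop.exe", "exec"),
    FileEvent(160, "ws-02", MAL, "host:ws-01", "create"),
    FileEvent(162, "ws-02", MAL, "host:ws-01", "exec"),
    FileEvent(200, "ws-03", BENIGN, "web:http://example.com/putty.exe", "exec"),
    FileEvent(240, "ws-05", MAL, "host:ws-02", "create"),
    FileEvent(241, "ws-05", MAL, "host:ws-02", "exec"),
    FileEvent(300, "ws-04", MAL, "host:ws-01", "create"),   # copied in, never executed
]


def patient_zero(events: List[FileEvent], sha256: str) -> Optional[Tuple[str, int]]:
    """Host and time of the earliest sighting of the hash, or None if never seen."""
    hits = [e for e in events if e.sha256 == sha256]
    if not hits:
        return None
    first = min(hits, key=lambda e: e.ts)
    return first.host, first.ts


def propagation_paths(events: List[FileEvent], sha256: str) -> List[Tuple[str, str]]:
    """Edges (from_host, to_host), one per newly reached host, in arrival order.
    Arrival from the web rather than a peer produces no edge (it is a root)."""
    seen: Set[str] = set()
    edges: List[Tuple[str, str]] = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.sha256 != sha256 or e.host in seen:
            continue
        seen.add(e.host)
        if e.origin.startswith("host:"):
            edges.append((e.origin[len("host:"):], e.host))
    return edges


def retrospective(events: List[FileEvent], sha256: str) -> Dict[str, Set[str]]:
    """When a hash is convicted after it was already allowed through, split the
    hosts: those that executed it need containment and cleanup, those merely
    holding the file only need it deleted."""
    executed = {e.host for e in events if e.sha256 == sha256 and e.kind == "exec"}
    holding = {e.host for e in events if e.sha256 == sha256} - executed
    return {"executed": executed, "holding_only": holding}


def outbreak_summary(events: List[FileEvent], sha256: str) -> Dict[str, object]:
    """Answers for the three visibility questions in one place."""
    hosts = {e.host for e in events if e.sha256 == sha256}
    return {
        "patient_zero": patient_zero(events, sha256),
        "hosts_affected": len(hosts),
        "paths": propagation_paths(events, sha256),
        **retrospective(events, sha256),
    }


if __name__ == "__main__":
    for key, value in outbreak_summary(EVENTS, MAL).items():
        print(f"{key}: {value}")
```

The split in retrospective() is what makes a late conviction actionable: ws-04 received the dropper over the network but never ran it, so it gets a file deletion, while ws-01, ws-02 and ws-05 executed it and need the full containment path. Propagation edges are taken from the first arrival on each host only, so a later re-copy does not create a second, misleading path.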