
Taking Control of the Advanced Threat Problem Adam Hogan, Security Engineer,


1 Taking Control of the Advanced Threat Problem
Adam Hogan, Security Engineer, Sourcefire
@adamwhogan

2 Agenda
• Frame the Advanced Threat Problem
• Define “Next-Gen Security”
• Traditional Network-Based Solutions: NG-IPS and NGFW
• Endpoint Approach to Advanced Malware (Cloud Supported)

3 IT Environments are Changing Rapidly
Virtualization | Consumerization | Mobilization
Applications | Networks | Devices | VoIP

4 Threats are Increasingly Complex
Client-side Attacks | Advanced Persistent Threats | Malware Droppers
Targeted | Organized | Relentless | Innovative

5 2010 Ponemon Institute Study
• Published in March 2011
• 51 U.S. companies interviewed with breaches that occurred in 2010
  ▸ 4,200 to 105,000 records stolen
  ▸ Breach costs ranged from $780,000 to $35.3 million
• Report highlights:
  ▸ Average data breach cost: $7.2 million
  ▸ Average cost per stolen record: $214
  ▸ 31% of breaches were criminal attacks
  ▸ Breaches related to criminal attacks are the most expensive
  ▸ Customer turnover remains the main driver of data breach costs

6 Professionalization of Hacking
“Once a deviant industry is professionalized, crackdowns merely promote innovation.” (Nils Gilman, 4th European Futurists Conference)
“The criminal breaks the monotony and humdrum security of bourgeois life, he thereby insures it against stagnation, and he arouses that excitement and restlessness without which even the spur of competition would be blunted.” (Karl Marx)

7 A Closer Look

8 Hacktivism

9 Targeted Attacks

10 Threats Change — Traditional Security Products Do Not
Static | Inflexible | Closed/Blind | Labor Intensive
“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.” - Neil MacDonald, VP & Gartner Fellow
Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010

11 Next Gen Security is…
…a continuous process to respond to continuous change.
Agile Security

12 You Can’t Protect What You Can’t See
• Breadth: who, what, where, when
• Depth: as much detail as you need
• Real-time data
• See everything in one place
“Seeing” provides information superiority
Agile Security
[Figure: visibility across OS, Users, Devices, Threats, Applications, Files, Vulnerabilities, Network]

13 Key: intelligence & automation
• Block, alert, log, modify, quarantine, remediate
• Respond via automation
• Reduce the ‘noise’
• Automatically optimize defenses
• Lock down your network to policy
• Leverage open architecture
• Configure custom-fit security
• Gain insight into the reality of your IT and security posture
• Get smarter by applying intelligence
• Correlate, prioritize, decide

14 Security Before, During & After the Attack
Before (Policy & Control): Discover environment; Implement access policy; Harden assets
During (Identification & Block): Detect; Prevent
After (Analysis & Remediation): Determine scope; Contain; Remediate
What is needed is a new approach to protect your organization.

15 What Can You Do?
• Assess your vendors by assuming you will be hacked
  ▸ p.s., you will be (have been).
• Your security tools are tools.
  ▸ Forget about set-and-forget tech and think about how each process, program or product helps your analysts keep you safe.

16 Exploring Detection
• There are some really useful rules not on by default
  ▸ INDICATOR-OBFUSCATION
  ▸ JavaScript obfuscation: fromCharCode, non-alphanumeric
  ▸ Hidden iFrames
  ▸ Excessive queries
  ▸ HTTP POST to a JPG/GIF/PNG/BMP?

17 Java 0-Day
• SIDs 25301, 25302
• Largely used by exploit kits (Blackhole, Cool Kit, Nuclear, Redkit) - covered
  ▸ Why is java.exe downloading calc.exe?

18 BTW, User Agents are telling
• No, really:
  ▸ User-Agent: Malware
  ▸ (RFC 3514 anybody?)
• Unless your proxy rewrites them all...
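As an added example that is not from the talk or from Sourcefire's rule set, here is a small Python detector that applies the heuristics from slides 16 and 18 (POST to an image URI, a self-declared "Malware" User-Agent, hidden iframes, fromCharCode-heavy JavaScript) to constructed proxy log records; the thresholds and field names are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Constructed sample HTTP/proxy records (not real traffic): method, URI,
# User-Agent header, and a snippet of the request or response body.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"method": "GET", "uri": "/index.html",
     "ua": "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/17.0",
     "body": "<html><body><p>hello</p></body></html>"},
    {"method": "POST", "uri": "/images/banner.gif",        # POST to an image
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0)", "body": "id=1234&data=..."},
    {"method": "GET", "uri": "/update.php", "ua": "Malware", "body": ""},
    {"method": "GET", "uri": "/landing.html", "ua": "Mozilla/5.0",
     "body": "<iframe src='x.php' width=0 height=0></iframe>"
             "<script>eval(String.fromCharCode(118,97,114,32,97)"
             "+String.fromCharCode(61,49));</script>"},
]

IMAGE_EXT = re.compile(r"\.(?:jpe?g|gif|png|bmp)(?:\?|$)", re.I)
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:width\s*=\s*['\"]?0|height\s*=\s*['\"]?0|display\s*:\s*none)", re.I)
FROMCHARCODE = re.compile(r"fromCharCode", re.I)

def non_alnum_ratio(text: str) -> float:
    """Share of non-alphanumeric characters (whitespace ignored); 0.0 for empty input."""
    stripped = "".join(text.split())
    if not stripped:
        return 0.0
    return sum(1 for c in stripped if not c.isalnum()) / len(stripped)

def inspect(record: Dict[str, str]) -> List[str]:
    """Return the list of heuristic findings for one record (empty list = clean)."""
    findings = []
    if record["method"].upper() == "POST" and IMAGE_EXT.search(record["uri"]):
        findings.append("POST to image resource")
    if "malware" in record["ua"].lower():
        findings.append("suspicious User-Agent")
    body = record["body"]
    if HIDDEN_IFRAME.search(body):
        findings.append("hidden iframe")
    # Repeated fromCharCode calls, or a script body dominated by symbols, suggest obfuscation.
    if len(FROMCHARCODE.findall(body)) >= 2 or (
            "<script" in body.lower() and non_alnum_ratio(body) > 0.45):
        findings.append("obfuscated JavaScript")
    return findings

def scan(records: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map record index -> findings, keeping only records that triggered something."""
    report = {}
    for i, rec in enumerate(records):
        hits = inspect(rec)
        if hits:
            report[i] = hits
    return report
```

These are indicator heuristics, so a hit is a reason to look, not a verdict; a legitimate upload endpoint ending in .png will trigger the POST check.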

19 What can we do? Communication
• Watch hackers.
• Many aren’t that sneaky. (L|H)OIC source code is public, for crying out loud.
  ▸ LOIC packet contains: “U dun goofed”
  ▸ HOIC botched protocol, used two spaces where one is allowed.
• They recruit! Publicly. Get on Twitter. Watch (scrape) it. Use Google Alerts if you can’t script.

20 What Can You Do?
• Hire analysts
  ▸ It’s going to cost you.
  ▸ And if they aren’t trained they depreciate.

21 Example: “Agile Security” Fuels Automation in an IDS/IPS
• IT Insight: Spot rogue hosts, anomalies, policy violations, and more
• Impact Assessment: Threat correlation reduces actionable events by up to 99%
• Automated Tuning: Adjust IPS policies automatically based on network change
• User Identification: Associate users with security and compliance events

22 Reduce Risk with: Application Control – on the IPS!
• Control access to Web-enabled apps and devices
  ▸ “Employees may view Facebook, but only Marketing may post to it”
  ▸ “No one may use peer-to-peer file sharing apps”
Over 1,000 apps, devices, and more!

23 Reduce Risk with: IP Reputation
• Block and Alert on:
  ▸ Botnet C&C Traffic
  ▸ Known Attackers
  ▸ Malware, Phishing, and Spam Sources
  ▸ Open Proxies and Relays
• Create Your Own Lists
• Download from Sourcefire or Third Parties

24 So, what is the difference between NG-IPS and NGFW?

25 Gartner Defines NGIPS & NGFW
Next-Gen IPS (NGIPS)
• Standard first-gen IPS
• Application awareness and full-stack visibility
• Context awareness
• Content awareness
• Agile engine
Next-Gen Firewall (NGFW)
• Standard first-gen firewall
• Application awareness and full-stack visibility
• Integrated network IPS
• Extrafirewall intelligence
“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”
Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011; “Defining the Next-Generation Firewall,” Gartner, October 12, 2009

26 Next-Generation IPS Comparison

27 What is a Next-Generation Firewall?
• Stateful First-Generation Firewall
  ▸ Stateful protocol inspection
  ▸ Switching, routing and NAT
• Integrated Network Intrusion Prevention
  ▸ Not merely “co-located”
  ▸ Includes vulnerability- and threat-facing signatures
• Application Awareness with Full-Stack Visibility
  ▸ Example: Allow Skype, but disable Skype file sharing
  ▸ Make Facebook “read-only”
• Extrafirewall Intelligence
  ▸ User directory integration
  ▸ Automated threat prevention policy updates

28 Gartner on Next-Generation IPS
“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”
Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011
Available now on:
✔ Application awareness
✔ Contextual awareness
✔ Content awareness
✔ Agile engine

29 Ponemon NGFW Survey Highlights
• Survey conducted in October 2011
• 2,561 responses
• Key Results:
  ▸ Most NGFWs augment (not replace) existing firewalls
  ▸ IPS component rated “most important” for securing data

30 What about an Endpoint Approach to the Advanced Threat Problem?

31 Threats Continue to Evolve
“Nearly 60% of respondents were at least ‘fairly certain’ their company had been a target.” – Network World (11/2011)
The likelihood that you will be attacked by advanced malware has never been greater.
75% of attacks are seen on only one computer.

32 Cost of Advanced Malware

33 Solve the Problem at the Endpoint
• Action at point of entry
  ▸ Best place to stop client-side attacks is on the client
• Awareness at source
  ▸ Focus where files are executed
  ▸ Do not miss threats due to encryption
Secure Endpoints - Wherever They Are.

34 What is needed to fight advanced malware at the Endpoint?
• Clients need better visibility to detect and assess advanced malware. Visibility answers questions like:
  ▸ Do we have an advanced malware problem?
  ▸ Which endpoint was infected first?
  ▸ How extensive is the outbreak?
  ▸ What does the malware do?
• Clients also need help regaining control after the inevitable attack. Control answers questions like:
  ▸ What is needed to recover?
  ▸ How can we stop other attacks?

35 Cloud-Based Advanced Malware Protection – Sample Architecture
[Diagram: Lightweight Agent (watches for move/copy/execute; traps fingerprint & attributes); Web-based Manager; Cloud Analytics & Processing (transaction processing, analytics, intelligence)]

36 Agile Security for Advanced Malware – Endpoint Benefits
• SEE
  ▸ Advanced malware at the source
  ▸ Patient 0 + propagation paths
  ▸ APT reporting
• LEARN
  ▸ Real-time root cause analysis of threats
  ▸ Collective immunity & comparative reporting
  ▸ Data mining & machine learning
• ADAPT
  ▸ Custom detections/signatures
  ▸ Application control
  ▸ Whitelisting
• ACT
  ▸ Immediate & retrospective remediation
  ▸ Action at the point of entry
  ▸ Continuous scans in cloud

37 Regain Control of Your Environment
• Outbreak control
  ▸ Custom Signatures for immediate response
  ▸ Whitelisting
  ▸ Application Control
• Immediate & retrospective remediation
  ▸ Automatic remediation of damaged endpoints with Cloud Recall
  ▸ Collective Immunity
Arm YOU to fight advanced malware

38 Thank You.
