Corero Network Security


Corero Network Security First Line of Defense Introduction © 2014 Corero www.corero.com

DDoS attacks making headlines

DDoS Attacks, 2013-2014
[Chart: Total Attack Bandwidth (Gbps), vertical axis marked 100 to 400, horizontal axis in monthly ticks from JUN 1 through JAN 1 2014 to JUL 1. Data shown represents the top ~2% of reported attacks. Dates marked on the chart: JUNE 21 2013, AUG 9 2013, DEC 4 2013, DEC 31 2013, MAR 17 2014, MAR 29 2014, JUNE 23 2014. Callouts: MAJOR HOSTING SITES, HONG KONG VOTING SITES. Source: Digital Attack Map - DDoS attacks around the globe]
€700K per incident is the average cost of a DDoS outage
20% of data center downtime is caused by a DDoS attack
86 minutes is the average data center downtime due to DDoS attacks
€8K per minute is the average cost of this downtime
Source: Network Computing/Ponemon Institute
DDoS attacks have been increasing in frequency, capacity and overall effectiveness in recent months. This is just a sampling. You will notice a variety of spikes on this chart that indicate single attacks that neared or exceeded 300Gbps per second. 100Gbps attacks are no longer uncommon, and there are very few environments that can withstand that class of attack. 20% of datacenter downtime is attributed to DDoS attacks. Average downtime is 86 min, translating to an average of 86k in costs, with total outage damage averaging 700k. This is a sophisticated problem that requires a First Line of Defense.

Businesses need protection from the Internet
With a first line of defense that:
PREVENTS network/service outages by blocking attacks in real time
ASSURES customers can access online services
PROVIDES insight into attacks and evolving threats
EXTENDS the effective life of your existing security investments
In an era where more bandwidth is required, and more bandwidth is being purchased, organizations are increasing their attack surface from a volumetric DDoS attack perspective. Corero provides a First Line of Defense (FLoD) that prevents network and service outages by blocking attacks in real time, unlike most competitive offerings, which provide strictly scrubbing center solutions. Our solution ensures that customers’ online services are maintained even while under attack. We block all attack traffic while allowing the good traffic to transit into your environment. We provide robust analytics and reporting to gain insight into the attacks and threats against your network. The FLoD extends the effective life of your security investments (your firewalls, IPSs, etc.) by protecting those security solutions from attacks, allowing them to operate as intended without forcing you into costly upgrades to support the expanded bandwidth requirements associated with the peak of attacks.

Solution - Corero’s First Line of Defense
Corero protects your IT infrastructure by removing broad based attacks
[Diagram labels: Attackers, Good Users, Customer Traffic, First Line of Defense, Router, IPS, SLB, WAF. Traffic removed: DDoS Attacks, Undesired Users & Services, AETs & Protocol Abuse, Server Side Exploits. Outcomes: Efficient Firewalls, Effective IT Infrastructure, High Performing Applications]
© 2013 Corero www.corero.com

Attack Detection to Prevention Process
The hybrid approach
[Diagram labels: Service Provider Defenses (L3-L4), On-Premises Defenses (L3-L7), Protected Critical Infrastructure, Users, Attackers, Good Traffic, Attack Traffic, Attack Traffic Leakage. Timeline: Attack Begins, Attack Detected, Rerouted to Scrubbing Center, Time to Reroute, with marks at 10 Mins., 20 Mins. and 30 Mins. Cloud Service Pricing scale: $, $$, $$$, $$$$]

What categories do I need to defend against?
THREAT LANDSCAPE: ATTACKS & TECHNIQUES
Network Level DDoS: SYN, TCP, UDP, ICMP Floods
Reflective Amplified DDoS: DNS, NTP, SNMP, QOTD Floods
Fragmented Packet DDoS: Overlapping, Missing, Too Many
Application Layer DDoS: Low and Slow, App Scripts
Specially Crafted Packet: Stack, Protocol, Buffer
The industry separates these categories into L3/L4 and L7.
There are a variety of DDoS attacks and techniques used today. The Corero FLoD is architected to deal with the entire landscape of DDoS attacks: from network level attacks, like SYN, ICMP and UDP floods, to reflective and amplified attacks, like NTP and DNS, to fragmented packet attacks intended to take down traditional security infrastructure, like firewalls and routers, by utilizing overlapping, missing or copied fragments that totally occupy the state tables of that infrastructure equipment and force CPU rates to grow or be completely pegged. We also offer application layer DDoS protection, as previously mentioned, to mitigate against Slowloris, slow read and other connection-oriented attack vectors. Additionally, we can mitigate against specially crafted packets, which are intended to exploit well-known vulnerabilities in an infrastructure utilizing stack, protocol and buffer overflow techniques. Our systems can remove those and allow those systems to remain threat free.
The FLoD defends your traditional border infrastructure. DDoS is intended to take your outer layers down. The FLoD is architected at line rate to deal with any volume of DDoS attack and protect the layers of your security infrastructure and environment behind it. In doing so, we keep your critical network service up and operational. We allow you to maximize the efficacy of your other security technologies. We protect your online business integrity. We know that outages result in brand damage; we mitigate against that by taking the attacks out at the first possible point in your environment. We also mitigate against costly total system failures, where your infrastructure is so compromised that it requires a reboot, patch or complete swap-out. The Corero FLoD maximizes your investment by offering a cost-effective solution that is best in the market in terms of cost per GB, rack utilization, footprint space and even power. Your investment in FLoD will pay real dividends. We also enhance the productivity of your environment by keeping your systems up, and the productivity of your IT staff, who are no longer tasked with dealing with volumetric DDoS attacks using legacy systems and solutions that are simply not up to the task. Protecting your business and allowing it to remain up protects your public image. Incidentally, many organizations with lots of bandwidth find themselves under attack because they are ideal environments to be exploited for DDoS attacks. Particularly in the hosting and service provider space, those datacenters are targeted because if an attacker can gain access to vulnerable, unpatched servers, they can be utilized as an attack launch point. This clearly can damage the brand of any entity that is used to attack someone else. We protect your lines of business (LOB) and keep them up and running. We allow transactions to take place in the face of an attack. We alert you instantaneously in the event of an attack. Finally, the FLoD protects against escalating costs. Utilizing legacy security equipment, like firewalls and IPSs, to try to deal with this new and volumetric attack landscape (which they were not intended for) will only result in escalating costs. We protect you from that and allow your investments in that class of products a much longer lifecycle.

Corero First Line of Defense
THREAT LANDSCAPE: ATTACKS & TECHNIQUES
Network Level DDoS: SYN, TCP, UDP, ICMP Floods
Reflective Amplified DDoS: DNS, NTP, SNMP, QOTD Floods
Fragmented Packet DDoS: Overlapping, Missing, Too Many
Application Layer DDoS: Low and Slow, App Scripts
Specially Crafted Packet: Stack, Protocol, Buffer
CORERO FIRST LINE OF DEFENSE: PROTECTION
Traditional Border Infrastructure
Critical Network Services
Other Security Technologies
Online Business Integrity
Total System Failures
Productivity
Investment
Public Image
Lines of Business
Escalating Costs

Existing security layers can’t handle the onslaught
Corero’s attack observations:
Bandwidth Saturation
Connection Saturation
Spoofed Connections
Reflections/Amplifications
Fragments
Partial Saturation

Real concerns with partial saturation attacks
They’re beyond small attacks exhausting a particular resource
Worse than traditional attacks targeting infrastructure
Designed to consume time, attention, resources, and storage
Attacks are a diversion for much larger threats
Enable persistent backdoors, planting malware, data exfiltration
Expect password-guessing attacks on SSH, HTTPS, FTP, and others

Corero First Line of Defense Product Family
SmartWall® Threat Defense System (TDS)
The Corero First Line of Defense Solution Includes:
The Corero SmartWall TDS
Tech support, software maintenance, threat updates
SecureWatch server for 24x7 monitoring by Corero SOC
Monitoring of system faults and security events
Automatic support case creation for incident escalations
Alerting/notification to customer within 1 business day
Access to SecureWatch Analytics dashboards
Available Services (additional):
SecureWatch PLUS
Advance Hardware Replacement
Enterprises & Service/Hosting Providers
On Premises or Cloud deployments
Protection in modular increments of 1-10 Gbps
In-line or scrubbing topologies
KEY COMPONENTS
ADVANCED DDOS & CYBERTHREAT TECHNOLOGY
NEW GENERATION ARCHITECTURE
COMPREHENSIVE ATTACK VISIBILITY & NETWORK FORENSICS

SmartWall TDS – Power in a Small Package
Scalable Deployment
Increments of 10 Gbps, 30M PPS
¼ rack width

Next Gen - First Line of Defense
Modular Security Appliances (each 4 x 10Gb ports)
Network Threat Defense (DDoS)
Network Forensics (PCAP)
Network Bypass (ZPB, TAP)
Corero Management Server
Single Management View
1RU Rack Width

Connection: Bypass-Forensics-Threat Defense
[Diagram labels: Service Providers (Internet), Network Bypass Appliance, Threat Defense, Forensics, Packet Capture Storage, 10 Gig (iSCSI), Data Center, Corero Management Server, SmartWall Mgmt VLAN, 1 RU, Packet Flow (10 Gbps). Management interfaces: CLI, Web UI, REST API, SNMP, Syslog. Legend: internal side packet flow, external side packet flow]

Example 10G HA Deployment with Bypass
[Diagram labels: Peers (Internet), SERVICE PROVIDER, HOSTING PROVIDERS & DATA CENTERS, Central Management Server, Splunk Analytics/Reporting, two NB/NTD pairs each carrying Packet Flow (10 Gbps), OSPF or 802.1d (layer 2). Legend: internal side packet flow, external side packet flow, NB = Network Bypass, NTD = Network Threat Defense]

SmartWall – Solution Architecture
[Diagram labels: ANALYTICS AND REPORTING ENGINE (Real-time Alerting, Historical Reporting, Behavioral Analysis); Corero CMS AUTOMATION AND PROVISIONING SYSTEM (Automated Provisioning: REST API, CLI; Event and Alert Reporting: Syslog, SNMP; Web User Interface: Browser); Unified Threat Defense Appliance, DO-NO-HARM DETECTION AND PROTECTION; Management; TECHNOLOGY PARTNERS; links marked n x 1/10G and 1G/10G]

Advanced DDoS/Cyber Threat Protection
Comprehensive Visibility
Next Generation Architecture
The Corero FLoD employs a Next Generation architecture that delivers advanced DDoS and cyber threat protection, as well as comprehensive visibility into the attack landscape associated with your network. We will dig into each of these key areas in the following slides.

Next Generation Architecture
Industry Leading DDoS Protection and Performance
DO-NO-HARM PROTECTION
MODULAR AND SCALABLE
PURPOSE-BUILT MULTI-CORE PLATFORM
AUTOMATED PROVISIONING
NFV/SDN AND CLOUD READY
Corero offers industry leading DDoS protection and performance. The Corero FLoD solution is line-rate 10Gbps (both directions) and 30 million packets per second. The system provides do-no-harm protection, meaning that we do not tolerate false positives, and the system cannot be DDoS’d itself. Our system is the only one in the marketplace that operates at full line rate with full visibility and protection against DDoS attacks. The system is modular and scalable, recognizing that protection solutions must be purchased in right-size components today that allow you to grow accordingly, scaling with the needs of your business in the future. It is a purpose-built multi-core network processing platform, optimized for dealing with high volume DDoS attacks. Automated provisioning comes with a single management console that contains all the policy and provisioning constructs and manages multiple appliances from a single pane of glass. The architecture was designed to be incorporated into NFV, SDN and cloud environments. We’ve employed REST APIs and the ability to federate with multiple service provider and enterprise SDNs.

Advanced DDoS/Cyber Threat Protection
FLEXIBLE POLICY CONTROLS: Inspect / Analyze / Respond / Mitigate; Multiple Protection Groups; IP Reputation / Whitelists / Blacklists; Configurable Rate Limits
PRECISE ENFORCEMENT: Do No Harm Philosophy; Volumetric DDoS attack mitigation; Reflective / Amplification DDoS attack mitigation; Application Layer DDoS attack mitigation
INFRASTRUCTURE PROTECTION: Protect firewalls, IPSs, routers, switches, servers; Bandwidth Optimization; Service Availability / Optimization
Policies can be deployed in a highly flexible manner, allowing you to determine whether you want to inspect and analyze, respond with alerts, or mitigate and remove attack traffic from your network in real time. The Corero FLoD is the only realistically deployable appliance for in-line DDoS defense in your environment. Competitors resort to out-of-band scrubbing scenarios. We can support that model as well, if needed, but the Corero FLoD in-line model allows for real-time mitigation as opposed to waiting up to hours for an out-of-band scrubbing solution to become effective. We allow you to define multiple protection groups, such as a group of IP addresses, servers or tenants in a multitenant environment. We support whitelists, blacklists and IP reputation, which allow you to determine before inspection whether something should never be allowed on your network, and drop it, or conversely, determine that something is clearly allowed on your network and not force it to go through inspection. This allows for minimum latency with sufficient protection. We also allow you to have configurable rate limits associated with a variety of services and end points. We employ a do-no-harm philosophy. We provide precise enforcement without false positives.
Our solution is designed to handle volumetric network-based DDoS attacks or floods, reflective amplified spoof attacks, like DNS and NTP attacks, as well as application layer attacks that are typically too low to be detected by out-of-band solutions, such as Slowloris, slow read, etc. These are the attacks that are intended to occupy connections on your web-facing properties to starve out legitimate connections and transactions. We also offer infrastructure protection by protecting your firewalls, IPSs, routers, switches and servers from being overwhelmed by volumetric attacks. All of these devices can be susceptible to DDoS attack. Furthermore, it is unnecessary to scale these devices to meet the absolute peak of your bandwidth just to protect against an attack. We provide bandwidth optimization by removing attack traffic from your environment at the earliest possible point. We ensure service availability and optimization by making sure those services are not compromised or exploited to be used in DDoS attacks themselves.

Comprehensive Visibility
REAL-TIME SECURITY EVENT VISUALIZATION
ADVANCED SYSLOG EVENT DATA
BUILT-IN REPORTS & CUSTOM QUERY CAPABILITIES
ARCHIVED EVENT & PACKET CAPTURE
ANALYTICS, REPORTING AND FORENSICS
Additionally, the FLoD provides comprehensive visibility. We provide real-time security event visualization. As soon as an attack enters your network, we detect it and notify you. Typical scrubbing center applications rely on sample data from the routing infrastructure, which looks simply for peaks in the flow data in your environment. This is not sufficient to detect early probes or the ramp-up of an attack. An inline solution like FLoD discovers the attack in the very first packets. We can then provide detailed visibility into the attack utilizing advanced syslog event data that is integrated with Splunk for rich analytics, with packaged dashboards and drill-down screens that allow your IT and security operations teams to see exactly what is happening in real time as well as historically. There are built-in security dashboards as well as custom query capabilities to look at your environment and see the full magnitude of the threats against you. All of this data is archived, and we also support line-rate packet capture at 10Gbps, which allows real forensics capability to correlate the attack information with all of the data, in real time, so you can determine what class of threat is being utilized against you. These analytics, forensics and reporting tools are integrated with Splunk today, but can be integrated with any log management tool.

Comprehensive Visibility and Analytics using the Corero SmartWall
[Diagram labels: Corero First Line of Defense®; VALUABLE RAW DATA (Security Events, Threat Intelligence, System Health Data, Forensics Data, Network Statistics); Powerful Analytics Engine; Virtual SOC Portal; ACTIONABLE SECURITY ANALYTICS & VISUALIZATION (Real-time Dashboards, Historical Reporting, Forensic Analysis, Behavioral Analysis)]

Network & Security Level Visibility
Provide complete traffic visibility
Bandwidth
Flows & Setups
Packets
Security Events
Monitor all connections
Monitor all requests
Block all unwanted traffic
Allow all good traffic
We also provide network as well as security level visibility in terms of bandwidth, flows and setup rates, packet rates, and top security events in your environment. This screen shows a security event as it is happening: the spike indicates a massive volumetric attack happening at this point in time. We show which clients are participating in the attacks. We allow you to drill down to view which of your services or servers are being targeted. We provide all of this visibility in an instantaneous fashion, as well as a historical view into your attack data.
© 2015 Corero www.corero.com

Network & Security Level Visibility
Provide in-depth security information
Bandwidth
Blocked clients
Targeted Servers & Ports
Log all security policy violations
Record attack traffic – PCAP
Gather attack intelligence
INSTANTANEOUS attack VISIBILITY and HISTORICAL view into your environment

Who is Corero Network Security?
HQ Boston, MA, USA
Publicly traded CNS:LN
Sales through channels
EMEA sales office in F, D, CH, UK, Spain
500+ active customers across many verticals world-wide: E-commerce, Finance, Admin, Hosting, ISP, Insurance, etc.
First Line of Defense® against DDoS attacks and cyber threats
Corero products and services PROTECT AND OPTIMIZE your critical infrastructure and online services
HOSTING PROVIDERS & DATA CENTERS
SERVICE PROVIDERS
ENTERPRISE
Corero is headquartered in Hudson, MA, with offices worldwide and 500 active customers worldwide across a number of verticals. Corero provides the First Line of Defense against DDoS attacks and cyber threats. Our products and services protect and optimize your critical infrastructure and online services. Our First Line of Defense solutions are appropriate for hosting providers and data centers, Internet service providers, and medium to large enterprises.

First Line of Defense Applications
In the Cloud: Service providers, IT hosting and Cloud providers
On Premises: Enterprises – financial services, e-commerce providers, gaming, education
[Diagram labels: Internet, SP, Peering Points, DDOS Cloud Service, Hosting, On Premise, DDOS Protection, IPS/APT, SLB/ADC, WAF, Protected Critical Infrastructure and Services]

Integration with the Provider’s Customer Portal
[Diagram labels: Corero Management Server & Splunk Enabled Analytics App; DASHBOARD 1 through DASHBOARD 6; Customer A, Customer B, Customer C]
Provider’s Customer: CUSTOMERS CAN VIEW DASHBOARDS OF THEIR OWN DATA
Corero Secure Operations Center: CORERO SOC CAN REMOTELY ASSIST THE PROVIDER
Provider: PROVIDERS CAN PROVISION AND CUSTOMIZE DASHBOARDS PER CUSTOMER
Providers get a single point of provisioning and analytics reporting. Corero’s Analytics Splunk app can integrate with the provider’s customer portal for customer-accessible reporting.

First Line of Defense
[Quadrant diagram with axes STRATEGIC / OPERATIONAL and TECHNOLOGY / BUSINESS]
Infrastructure Optimization: Broad protection at all layers protects critical infrastructure & optimizes its performance.
Actionable Intelligence: Real-time visibility and historical analysis provide actionable intelligence so you can not only stop threats today but also be better prepared for the future.
Operational Uptime: Service availability protects business integrity, increases productivity, and reduces costs.
Extensible Platform: Modular and scalable architecture makes your DDoS protection investment timeless. And it evolves with industry trends (NFV/SDN) so you can utilize off-the-shelf hardware that best fits your needs.
This diagram outlines the First Line of Defense value from a four-quadrant point of view. The quadrant is intended to show the benefit of any IT component in terms of its technology and business value on the lower axis, and its operational and strategic value on the upper axis. From an operational/technology benefit perspective, we provide infrastructure optimization. We protect all of the layers of your infrastructure, mitigate against DDoS attacks and allow good traffic to flow as intended. By optimizing your infrastructure you can delay upgrades intended to deal with peak utilization associated with attacks. You can protect with a targeted solution in FLoD that is cost optimized for this function. From a strategic technological advantage perspective, we have delivered an extensible platform in our FLoD. It is modular and scalable, and the performance will grow with virtually any environment. It is architected to integrate with NFV, SDN and cloud environments. It also allows you to pick and utilize the hardware and bandwidth that best fits your need. From a business and operational perspective, we are focused on maximizing operational uptime.
This is our number one objective because DDoS, as Denial of Service would indicate, is intended to create NO operational uptime: to deny service. Our solutions are architected to focus explicitly on this problem, and they are optimized to remove volumetric, reflective or amplified and even layer 7 application attacks. Finally, from a business strategy perspective, any IT organization requires actionable intelligence as well as visibility into its environment so that it can be better prepared for the future, better understand the attacks against its systems, have full visibility for its auditors and other regulatory compliance initiatives, and evolve into the future with a solution that is able to grow with it.

NEXT STEPS
Arrange for a proof of concept
Learn more at: www.corero.com
Adrian Bisaz, VP of Sales EMEA, adrian.bisaz@corero.com, +41 79 540 2420
Connect with your local sales personnel to discuss a POC. Why? Because if you deploy the Corero First Line of Defense in your environment, you will be amazed at the amount of attacks that are already occurring in your environment, whether initial probes looking for vulnerable surfaces or significant attacks that you are not aware of. Our systems can be deployed in under an hour, up and running and providing benefit.