Threat Landscape Ryan Kane – SWAT Specialist - Secure Wireless, & Access Technologies Data Connectors ABQ December 2015

Trend: Device Growth Continues More devices and newer device types are entering the network 33 Billion endpoints projected to be connected by 2020 – Gartner New device types entering the network ‘headless’ IoT, wireless sensor nodes, beacons, wearables In total, Gartner arrives at 33 billion objects connected to the Internet by 2020. http://www.siemens.com/innovation/en/home/pictures-of-the-future/digitalization-and-software/internet-of-things-facts-and-forecasts.html Others predict similar figures.

A Global Leader and Innovator in Network Security Fortinet Quick Facts Revenue 2003 2014 Founded in 2000, 1st shipment 2002, IPO 2009 HQ: Sunnyvale… 80+ offices worldwide Employees: 3700+ 247,000+ customers Over 2 million devices shipped #1 unit share worldwide in network security (IDC) Market-leading tech… 243 patents, 215 pending Consistent , accelerating growth Strong positive cash flow Profitable Cash 2003 2014 Custom ASIC-based scalable architecture FortiASIC Custom, converged Networking + Security OS FortiOS Before I jump into what Fortinet does to address the challenge of these 33 billion devices, let me tell you a little bit about who we are at Fortinet. Founders story. Ramped quickly to about $1B in revenue. Fun fact, we also have about $1B in cash which allows to do some unique things in the marketplace. Industry-leading, validated Threat Research FortiGuard Global Infrastructure & Support FortiCare

A Global Leader and Innovator in Network Security Fortinet Quick Facts FortiGate Revenue By Segment Q2 2015 Founded in 2000, 1st shipment 2002, IPO 2009 HQ: Sunnyvale… 80+ offices worldwide Employees: 3700+ 247,000+ customers Over 2 million devices shipped #1 unit share worldwide in network security (IDC) Market-leading tech… 243 patents, 215 pending Balanced business across segments Balanced revenue and growth around the globe Fortinet Revenue By Region Q2 2015 Custom ASIC-based scalable architecture FortiASIC Custom, converged Networking + Security OS FortiOS If you’re not very familiar with Fortinet and want to know where we play and who our customers are you can see here that we are pretty evenly distributed from SMB and small branch offices all the way up to large enterprises and high end data centers where we actually have the fastest firewall in the world. Industry-leading, validated Threat Research FortiGuard Global Infrastructure & Support FortiCare

A Global Leader and Innovator in Network Security Balanced Revenue Across Product Segments 37% High-end Entry Level 26% Mid-range 9 of Top 10 Global 100 7 of Top 10 Global 100 Major Banks 7 of Top 10 Global 100 Computer Services 9 of Top 10 Global 100 Aerospace & Defense We’re in almost every carrier. AT&T, Verizon, etc. all use Fortinet firewalls in their datacenters. Billings by Product Segment Q2 2015

A Global Leader and Innovator in Network Security Fortinet Quick Facts Worldwide Network Security Appliance Shipments Cisco Check Point Juniper Palo Alto Founded in 2000, 1st shipment 2002, IPO 2009 HQ: Sunnyvale… 80+ offices worldwide Employees: 3700+ 247,000+ customers Over 2 million devices shipped #1 unit share worldwide in network security (IDC) Market-leading tech… 243 patents, 215 pending Gaining overall market share, pulling away Gaining share in higher-end markets Worldwide Data Center Firewall Unit Share Cisco Custom ASIC-based scalable architecture FortiASIC Custom, converged Networking + Security OS FortiOS World largest security company by unit volume. We have about 2MM Fortinet firewalls deployed today and what makes that even cooler is that everyone of those devices becomes part of the ecosystem reporting back to our threat research team to identify new threats and inform all of our core security services. We essentially have 2MM honeypots out there helping us increase our knowledge of the threat landscape. Check Point Industry-leading, validated Threat Research FortiGuard Global Infrastructure & Support FortiCare Juniper McAfee

Scalable, High Performance Security FortiASICs Dramatically Boost Performance 6Gbps 2Gbps 3.5Gbps FW VPN IPS CPU Baseline CP 8 NP 6 40Gbps 25Gbps 10Gbps 9Gbps Network Processor Content 10X data center firewall performance 5X NGFW performance Security that keeps up with growing bandwidth requirements (IPsec) (SSL) Here is what really makes our our technology so unique compared to the competition. Custom built ASIC = Application Integrated Specific Circuit Our founders found that if they built a custom ASIC network processor they could increase the throughput speed for things like routing, traffic shaping, etc. to dramatically improve performance versus just stacking off-the-shelf Intel CPU’s. And if they built custom ASIC content processors they accelerate processes like for things like application inspection, content filtering, scanning for AV, Spyware, Malware all at a substantially faster pace. That’s how we achieve such tremendous speed increases over the competition. And because we design and build our own chips we’re able to keep the price down so that we end up being one of the least expensive solutions as well as the highest performing.

Proven, Certified Security Unparalleled 3rd Party Validation Description Fortinet Check Point Cisco Palo Alto Networks Juniper FireEye NSS - Firewall NGFW Recommended & Neutral Caution x NSS - Firewall DC NSS - Breach Detection NSS - WAF NSS – Next Gen IPS Neutral NSS - IPS (DC) ✔ BreakingPoint Resiliency Record High - 95 Poor - 53 ICSA Firewall ICSA IPS ICSA Antivirus ICSA WAF VB 100 AV Comparative Common Criteria FIPS If you want to validate any of these performance numbers we aggressively participate in all the major independent 3rd party certification testing organizations like NSS labs. Fortinet aggressively certifies its products in all the major, independent certification organizations Fortinet aggressively tests and validates its solutions via truly independent, 3rd party testers like NSSLabs. We do not engage in “pay for play” test reports like our competition does. (i.e. Tolly, Miercom, etc., where you pay the vendor to run the test and write a report, and magically the sponsor always looks good) No other network security vendor achieves such a large set of successful certifications and “recommended” validations. Some analysts might speak highly of some of our competition, but when you actually plug the products in and test them in real-life scenarios, Fortinet shines while the competition often fails. Our competition often fails to live up to their own datasheet performance and effectiveness claims, while Fortinet meets or exceeds its claims. It is a part of Fortinet’s culture and a founding principle of the company, to build great products and certify/validate/test them rigorously to prove their value.

Security Advantage – FortiGuard Threat Research Labs IPS Anti-malware App Control Anti-spam FortiGuard Services Web Filtering Vulnerability IP Reputation Fortinet Development Roadmaps & Engines Threat Mitigation Technology FDN Services Customer Service FortiCare FortiGate Web Threat Research FortiClient Malicious Javascript Fortinet Devices FortiGuard Labs Consolidated Intelligence In addition to our industry leading hardware performance, the other advantage that Fortinet has is FortiGuard labs. I mentioned FortiGuard when I talked about the 2MM Fortinet devices reporting back to our in-house threat research team. Some vendors outsource some or all of their threat intel, use open source, or simply lack key tools needed to break the chain of an attack at any given link. This means they fail to stop the threat, or they react too slow to new threat information. ……Fortinet has a comprehensive set of IN-HOUSE tools that can be brought to bear against the threat lifecycle/kill chain. We control and own all these technologies, allowing us to respond quickly and in a coordinated manner to new information and threat behavior. Integrating them together inside FortiOS also allows for more coordination and rapid response to threats, with less admin burden. No more point solution sprawl when it comes to security technologies. FortiGuard is Fortinet’s threat research and intelligence services team. They are an experienced team (over 10 years in place) of nearly 200 strong (researchers + Supporting roles)… ~120 researchers estimated This team discovers new threats, creates the intelligence that informs all Fortinet products, and pushes out dynamic updates many times a day via a dedicated Distribution Network of nodes/servers strategically located around the world, to ensure the updates reach the devices as soon as possible. Distinct services have been created to push specific types of threat intelligence to Fortinet devices, based on the deployment scenario and activated features of that device. Fortinet’s FortiGuard team also participates in all major industry threat sharing initiatives. We even founded the Cyber Threat Alliance (with PAN), to share more advanced threat behavioral/pattern information. US President Barack Obama mentioned the CTA in his speech at the recent White House Cyber Security Summit in Stanford, California. FortiManager Security Research FortiSandbox Botnet Research FortiMail Mobile Research FortiWeb

Breaking the Kill Chain: Prevent, Detect, and Mitigate Threats Terry Zechman, Systems Engineer Name Position Intro Data Connectors ABQ December 2015

Common Attack Vectors Malicious Spam Email Web Filtering Web Site Malware Web Filtering Intrusion Prevention Antivirus App Ctrl / IP Rep Exploit Web Site Anatomy of an advanced attack Most common way malware enters a network – Email spam Why – it works! Users endlessly open email attachments and click on links. (I love you virus) Generic spam or sophisticated targeted spear fishing attacks on C-level or any individual within organization. It can be based on public info found on linkedin and facebook or other social media. Examples, golf/sports, contest site, enter info, download and complete pdf (malware), normal firewall rules will not block this! Free itunes, etc Legitimate websites can be exploited through compromised ad networks delivering malware to their visitors.

Signature Based Threat Prevention Spam Malicious Email Malware Anti-spam Intrusion Prevention Antivirus Exploit Web Site Adding a firewall gives us some basic protection against threats. However, hackers continue to adapt and improve their penetration methods. Darknet markets sell zero day software exploits, hacking services, denial of service attacks, credit card and counterfeiting services and complete transactions in internet currencies such as bitcoin.

Next Gen Firewall Spam Malicious Email Malware Bot Commands C&C Malicious Link Stolen Data Anti-spam Web Filtering Intrusion Prevention Antivirus App Ctrl / IP Rep Exploit Web Site Utilizing a next generation firewall inspects traffic in both directions. If the signature based inspection doesn’t catch the threat on the way in, we still have a second chance to reduce the impact of the compromise by stopping the traffic exiting the network.

Malware? Goodware? Idon’tknowware? The Continuum Known Good Probably Good Might be Good Completely Unknown Somewhat Suspicious Very Suspicious Known Bad Code Continuum Whitelists Reputation: File, IP, App, Email Signatures Digitally signed files Sandboxing Heuristics Reputation: File, IP, App, Email Generic Signatures Blacklists Signatures Security Technologies Signature based inspection can positively ID known threats. Application whitelisting can positively ID mission critical applications. Heuristics can give us a rating of a threat potential, but it’s a grey area. How can we protect against zero-day vulnerabilities? SANDBOXING!

Add Sandbox to make Unknowns Known Malicious Link Spam Malicious Email Malware Bot Commands C&C Stolen Data Anti-spam Web Filtering Intrusion Prevention Antivirus App Ctrl / IP Rep Exploit Web Site Sandbox Adding sandboxing technology to your layered security environment evaluates unknown executables and links to determine their behavior and make a determination on whether there is a threat or not. The sandbox will spin up a workstation vm in a secure environment and analyze activity - system changes, exploit efforts, site visits, subsequent downloads, and botnet communications to expose sophisticated threats. One caveat about Sandboxing, it is resource intensive and it can take time. This works well for store and forward technologies like email where a sandbox integrated with a secure email gateway can prevent malware attached to email from ever being delivered to the end user. However, in the case of network traffic, the sandbox, however fast, is not typically used as a blocking device. It is used as a detection and mitigation tool. Combining sandboxing with endpoint control can quickly quarantine a workstation until such time that the threat can be erradicated.

Attacks Hide Behind SSL Encryption 2- SSL connection to compromised web server and Trojan download 1- Downloader emailed to victim ENCRYPTION! Who has been personally or knows someone that has been hit by Cryptolocker? How does it get on your network? Typically it’s a download emailed to victim. Encrypted and compressed files gets past security. It can enter your network through a compromised USB. It comes in and out of your network on encrypted channels. Ransomware is paid in Bitcoin. 3- Credentials captured enabling unauthorized access https://blog.fortinet.com/post/the-stealthy-downloader

Just How Prevalent Is This? In 2017, more than 50% of the network attacks targeting enterprises will use encrypted traffic to bypass controls, up from less than 5% in 2013 -Gartner Encryption increase from 5% to 50%!!!

Sandbox SSL Inspection Add SSL Inspection Spam Malicious Email Malware Bot Commands C&C Malicious Link Stolen Data Anti-spam Web Filtering Intrusion Prevention Antivirus App Ctrl / IP Rep Exploit Web Site Sandbox SSL Inspection Add SSL Inspection! This creates a framework to protect the organization and the network. Decrypting and re-encrypting traffic flow exposes the traffic for traditional inspection.

Why Don’t Organizations Inspect SSL Traffic? Privacy laws Employees might not like it Performance impact on NGFWs Most organizations today do not inspect SSL traffic – even when their NGFW has the capability to do it. Why? If we know that attacks are hiding in SSL encrypted sessions, why are so few organizations inspecting this traffic? There are 3 main reasons: #1- regulatory complexity local privacy laws can prevent or restrict an organization from decrypting traffic that is considered private communications. #2- risk of conflict with employees Employees expect encrypted communications to be private. Data carried over the encrypted channel is more likely to include personal or confidential data #3- performance impact According to NSS Labs, decrypting SSL traffic on a firewall can reduce performance by 74%. These problems are surmountable through research, communication with users, and judicious used of SSL inspection. And you should get a NGFW that delivers better performance so it can handle SSL inspection and keep the throughput performance you need. They do exist. How to get around? Work with HR. Educate employees on what they should/shouldn’t be doing. Let them know what you are and are not inspecting. 39%

Advanced Threats Take Advantage of the “Flat Internal” Network Border Existing Firewalls focused on the Border Internal network no longer “trusted” Many ways into the network Once inside threats can spread quickly EXTERNAL INTERNAL Email (Phishing) Vulnerabilities Web Downloads Social Engineering Exploits (Zero Days) Threat Production + Recon 1 3 4 Disposal Package Encrypt Stage Hide, Spread, Disarm, Access, Contact Botnet CC, Update Threat Vector Infection Communication Extraction 2 Everything we looked at so far is focused at the Border. Should your Internal network be considered “trusted”? There are many ways into your network - Insiders - Guests/Contractors – Partners - Data Center DMZ - Infrastructure Cloud - Application Cloud Once, in the Internal Network is very flat and open.

Consider Segmenting Your Internal Network External Internal Segmentation Firewall (ISFW) Private Cloud ISFW Internet Data Center Edge Gateway Cloud Internal Network (100 Gbps+) Segment your network into distinct groups. You may choose to use full UTM or a subset depending on interzone traffic. Internal Segmentation Firewalls provide line speed routing and switching with low latency. Internal Branch Office Home Office WAN

Summary / Recommendations Make sure you have a good layered security defense to break the kill chain Next Generation Firewall, Secure Email Gateway, Endpoint Protection User/App/Device type ID & control, IPS, AV, Web Filtering, IP Reputation, AntiSpam, etc. Good solutions must have great security & great performance – Make sure your choice is validated by industry neutral third-party tests (such as NSS Labs) or do your own testing Build an Advanced Threat Protection Framework that includes sandboxing The best choice is a sandbox that integrates with your other security Start inspecting SSL traffic Your NGFW should have this capability; if not, make sure your next NGFW does Work with compliance & HR on privacy regulations Implement Internal Segmentation Firewalls Keep threats from running rampant throughout your internal network 3rd party certification / NSS labs Layered security protection.

DON’T GO UNPROTECTED