Slide 1: SIT Mazagan 2014
Frederic Fleurat, ffleurat@arbor.net
Slide 2: Arbor - a Trusted & Proven Vendor Securing the World's Largest and Most Demanding Networks
90%: percentage of the world's Tier 1 service providers who are Arbor customers
107: number of countries with Arbor products deployed
79.1 Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative right now, 25% of global Internet traffic
13: number of years Arbor has been delivering innovative security and network visibility technologies and products
#1: Arbor market position in the Carrier, Enterprise and Mobile DDoS equipment market segments, 61% of total market [Infonetics Research, Dec 2011]
$16B: 2011 GAAP revenues (USD) of Danaher, Arbor's parent company, providing deep financial backing
Slide 3: Global Coverage and Visibility
Map figures by region: Canada 28, UK 49, Russia 11, USA 266, EU 86, Asia 21, Middle East 9, Africa 29, Malaysia 24, LATAM 28
Global Coverage
Offices: 13 offices on 4 continents
SOC: Sterling, VA
Scrubbing Centers: Ashburn, VA; Amsterdam, NL; Singapore; San Jose, CA
Customer Service and Support: 50+ globally; 7x24 follow-the-sun support model; 3 operation centers: Burlington, Ann Arbor, Bangalore; in-region post-sales support: UK, Germany, Hong Kong, India, Brazil
Global Visibility: 270+ worldwide sensors; analyzing over 70 TB of data per second; monitoring over 110K malware families
Slide 4: ATLAS/ASERT Global Attack Intelligence
Slide 5: Datacenter Problems
Global Traffic Visibility: can't see global external attack traffic
Availability Protection: can't withstand a direct attack
Internal Traffic Visibility: need to understand and stop internal attack traffic
Solutions lack specialized attack intelligence that can span pre- to post-attack.
Need to find indicators of attack that are hard to distinguish.
Current solutions cannot see all external and internal traffic.
Drowning in alerts and combing through logs.
Security teams have no single place to investigate and view the most critical attacks.
Diagram labels: Mobile Carriers, Internal Apps, CDNs, Remote Offices, Service Providers, Corporate Servers, Employees, SaaS, Mobile WiFi, Cloud Providers, Enterprise Perimeter
Slide 6: Arbor Solutions Overview
Arbor network-wide product portfolio: SP/TMS, APS, NSI, SA, ATLAS/ASERT, Arbor Cloud with Cloud Signaling, ~70 Tbps visibility; covering DDoS and Advanced Threats
Diagram labels: Mobile User/Attacker, Mobile Carrier, Service Provider, Public Clouds, Private Clouds, Corporate Networks, Internal Employee; good traffic vs. malicious traffic & malware
80% of Tier 1 and 60% of Tier 2 Service Providers
90% of Gartner Cloud and Web Hoster MQ Providers
9/10 of Nielsen's Top Online Brands
Slide 7: Data Center DDoS Attacks & Impact (2014 WISR)
71% reported DDoS attacks, up from only 45% last year
Among those who saw attacks, 71% reported 1-10 per month (coincidentally the same figure as the 71% who reported seeing any attacks)
While data center infrastructure continues to be heavily targeted, the proportion of respondents who saw attacks against data center customers declined this year, from over three-quarters to slightly over half
36% see attacks exceed total Internet bandwidth, 2x last year
Nearly 10 percent see more than 100 attacks per month
81% reported operational expenses as a business impact
35% reported customer churn and 27% cited revenue loss
Slide 8: Multi-Stage & Multi-Vector
"Operation Ababil": a highly targeted, complex, multi-stage and multi-vector attack (diagram labels: Cyber Fighters of Izz ad-din Al Qassam, BadBank.com, ISP, Corporate Servers)
Attack vectors:
GET and POST application-layer attacks on HTTP and HTTP/S
DNS query application-layer attack, mainly against ISP authoritative DNS servers
Floods on UDP, TCP SYN floods on TCP/53 against ISP authoritative DNS servers and the target organization's Web properties
Phase 1 (Sep 2012): 1-2 banks concurrently attacked, mainly HTTP & HTTP/S combined with malformed DNS flooding attacks; targeting only the largest institutions
Phase 2 (Dec 2012): 3-5 banks concurrently attacked, some HTTP but more SSL, combined with malformed DNS flooding attacks; targeting regional and mid-size institutions
Phase 3 (Feb 2013): 6+ organizations attacked simultaneously, different characteristics for each target, application attacks mostly HTTP/S & malformed DNS; targeting additional institutions such as credit unions and non-customer-facing financial services; expanded target base to Europe
Phase 4 (Jul/Aug 2013): a few hours of attacks targeting 2-3 institutions simultaneously, then nothing until mid-August; 1 institution targeted the week of 11 Aug 13; somewhat improved attack methodology, UDP/53 traffic directed towards authoritative DNS servers for targeted organizations
Volumetric Attacks: classic DDoS attack method; attempt to consume bandwidth, within target networks and between the Internet and the network
TCP State Exhausting Attacks: attempt to consume connection state tables (load balancers, firewalls, application servers); target the traditional security infrastructure itself
Application Layer Attacks: stealthy and hard to detect; target some aspect of an application or service on layer 7
Slide 9: Today's Techniques For Advanced Threats
Where: Cloud/Perimeter Attack Mitigation; Network Forensics / Traffic Analysis; Payload Analysis; Endpoint Behavior Analysis
When: Real-time vs. Post-compromise
Arbor Today (marker on the chart)
Slide 10: An Attack Coming To A Retail Store Near You...
Target has found that the hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and addresses.
"Target's problems point to the difficulties of defending large, Internet-connected networks. It's literally impossible to prevent unauthorized access to the network"
Slide 11: The Target Attack: Operation Kaptoxa
Advanced Threats Are...
Attacks planned for a specific organization
Multi-stage, and traverse in and out of the network bypassing existing controls
Hard to detect from regular patterns
Attack stages (diagram callouts spanning Global Network, Internet/Cloud, Perimeter Defenses, Local Network and Enterprise Assets):
Enters via a vulnerable web server.
Malware infiltrates POS servers and sets up an internal server to collect data.
After 6 days, exfiltrated data from the Target server is sent to an external FTP server on a hijacked site.
Uses a VPS in Russia to download the data for 2 weeks.
Online malware kit customized for Target.
Why are they different
Applications on Non-Standard Ports: non-HTTP traffic going over port 80 or non-FTP traffic going over port 21 can often indicate someone trying to go unnoticed.
Encrypted Communications on Non-Standard Ports: any time there is encrypted traffic on ports that aren't SSH, HTTPS or a slew of other known encrypted services, it can be a red flag.
Communications to Foreign Countries: communications out of the network to foreign countries where you don't do much business, particularly countries that are known for high infection rates: China, Russia and foreign embargoed nations.
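As an added example (not from the slides), the three "why are they different" indicators applied to constructed flow records in Python; the known-encrypted port set and the list of countries where the organization does business are assumptions, and the "looks encrypted" test is a simple printable-byte ratio.

```python
import re

KNOWN_ENCRYPTED_PORTS = {22, 443, 465, 636, 993, 995, 8443}  # assumed "known encrypted" list
BUSINESS_COUNTRIES = {"US", "CA", "DE"}  # assumed: where the organization does business
HTTP_START = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|HTTP/)")
FTP_START = re.compile(rb"^(\d{3}[ -]|[A-Z]{3,4}[ \r])")  # FTP reply code or command

# Constructed flow records: destination port, first payload bytes, GeoIP country.
FLOWS = [
    {"id": 1, "port": 80, "country": "US",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"},
    {"id": 2, "port": 80, "country": "US",  # binary blob on the web port
     "payload": bytes.fromhex("8f02d3771aee419cb56007fa2c93c85d17ab")},
    {"id": 3, "port": 21, "country": "RU",  # real FTP, but to an unexpected country
     "payload": b"USER dumper\r\n"},
    {"id": 4, "port": 6667, "country": "BR",  # TLS-looking bytes on a non-TLS port
     "payload": bytes.fromhex("1603010200010001fc0303a3e4")},
    {"id": 5, "port": 443, "country": "DE",  # TLS on 443 to a business country: benign
     "payload": bytes.fromhex("160303005a0100005603")},
]


def printable_ratio(payload: bytes) -> float:
    """Share of printable-ASCII bytes; encrypted or compressed data scores low."""
    if not payload:
        return 1.0
    ok = sum(1 for b in payload if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(payload)


def indicators(flow: dict) -> list:
    """Apply the slide's three heuristics to one flow and return the hits."""
    hits, port, payload = [], flow["port"], flow["payload"]
    # 1. Applications on non-standard ports: port 80 without HTTP, port 21 without FTP.
    if port == 80 and not HTTP_START.match(payload):
        hits.append("non-http-on-80")
    if port == 21 and not FTP_START.match(payload):
        hits.append("non-ftp-on-21")
    # 2. Encrypted-looking bytes on a port that is not a known encrypted service.
    if port not in KNOWN_ENCRYPTED_PORTS and printable_ratio(payload) < 0.6:
        hits.append("encrypted-on-nonstandard-port")
    # 3. Outbound communication to a country where little business is done.
    if flow["country"] not in BUSINESS_COUNTRIES:
        hits.append("unexpected-country:" + flow["country"])
    return hits


def scan(flows: list) -> dict:
    """Map flow id -> indicators, keeping only flows that raised at least one."""
    return {f["id"]: hits for f in flows if (hits := indicators(f))}
```

Flows 1 and 5 raise nothing; flow 2 trips both the port-80 protocol check and the encrypted-bytes check, which is the combination the slide says should draw an analyst's attention.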
Slide 12: How Could Arbor Help Customers With Kaptoxa?
Matrix columns: Before Compromise / Near-Real Time / After Compromise / Post-Compromise; rows: APS, NSI, SA
APS:
Block inbound and outbound if an identified campaign with the new AIF feed in 2014 (5.6)
Block outbound communication of Target IP addresses if an alert within NSI is detected (5.7)
Block within APS if the attack is identified within SA (H2 2014)
NSI:
Alert if identified campaign with AIF feed (Today)
Should be alerted if irregular activity based on tracked communications between infected servers and POS terminals (Today)
Alert if irregular activity is detected between the server and the hijacked website in Russia collecting data (Updated Feed in Q2)
SA:
Use published attack signatures (Snort) to examine segments of the network to understand if and when attacked (Today)
Use AIF or other attack intelligence to determine whether you have been attacked and when, at various stages of the kill chain (Q1)
Slide 13: View of Internal & External Traffic & Attack Risk
The Solution Layers: APS, NSI, SA (attack traffic vs. legitimate traffic)
Looking externally before the threats hit the network
Bring together a view of what's happening externally as well as everything happening internally on the network
Connected two traffic viewpoints: top fan (red to light green) is internal, bottom fan (dark green to light green) is external
External Attacks: RATs, C&Cs, DDoS, Botnets, Exfiltration
Data Carriers
Perimeter Defenses: Firewall, IPS, Secure Web Gateways
Enterprise Assets: User Devices, Servers, Databases
Internal Attacks: Insider Fraud, RATs, Nation State Campaigns
Security Operations & Incident Response
Slide 14: Integrating Layers of Response
1. Identify (NSI): detect abnormal traffic or patterns, signs and intelligence, and where you are compromised.
2. Act (APS & Arbor Cloud): block the attack at the network edge or in the cloud.
3. Understand (SA): quickly explore and understand the attack in detail and the extent of the compromise.
Slide 15: Internal Traffic View with NSI
Slide 16: Indicator Of Potential Attack
Slide 17: External Traffic View With APS
Slide 18: Geo Policies with APS
Slide 19: Security Analytics User View
Slide 20: Detailed User View
Slide 21: Arbor's Layered Solution for Targeted Attacks
Arbor's winning solution components: Arbor Cloud, APS, Arbor NSI, Arbor Security Analytics (Identify, Act, Understand)
Current solutions cannot see all external and internal traffic.
Current solutions only deal with attacks after the event.
Sec Ops and IR teams have no single place to investigate and view the most critical attacks.
Diagram labels: Global Internet Threats, Global Network, Servers, Enterprise Perimeter, Internal Network, Enterprise Assets; Files, Packets & Flow (collected at the enterprise perimeter and on the internal network)