View/Download Presentation
Download
Report
Transcript View/Download Presentation
“Next Generation Security”
ISACA June Training Seminar
Philip Hurlston
6/20/14
Agenda
• Today’s threat landscape is next generation
• Definition of Next Generation Security
• What really makes it different
• 20 things your next generation security must do
• Closing & Questions
ISACA June Training Seminar
Today’s Threat Landscape
Organized
Attackers
Remediation is
broken
Must prevent
attacks across
perimeter, cloud
and mobile
Limited correlation
across disjointed
security
technologies.
Limited security
expertise
Increasing
Volume
Sophisticated
CSO challenges
ISACA June Training Seminar
SaaS - Apps are moving off the network
ISACA June Training Seminar
CLOUD + VIRTUALIZATION
Servers are moving to private and public clouds
Verizon Cloud
ISACA June Training Seminar
BETA
ENCRYPTION
Traffic is increasingly being encrypted
Over 27% of applications can use
SSL encryption
Which represents nearly
25% of enterprise bandwidth
ISACA June Training Seminar
MOBILITY
Users are moving off the network
Over 300 new malicious
Android APKs discovered per
week by our Threat Research
Team
ISACA June Training Seminar
COMMODIZATION OF THREATS
Advanced tools available to all
Sophisticated & multi-threaded
Changing application environment
SSL encryption
Zero-day exploits/Vulnerabilities
Lateral movement
Clear-text
Evasive command-and-control
Limited or known protocols
Known malware & exploits
Known threats
Known vulnerabilities
Known command-and-control
BEFORE
TODAY’S APT
ISACA June Training Seminar
Enterprise risk
Unknown & polymorphic malware
Tectonic Shifts Create the Perfect Storm
SaaS
ENCRYPTION
SOCIAL +
CONSUMERIZATION
CLOUD +
VIRTUALIZATION
MOBILITY + BYOD
Massive opportunity
for cyber attackers
COMMODIZATION OF THREATS
ISACA June Training Seminar
Target data breach – APTs in action
Recon on
companies
Target works
with
Spear
phishing
third-party
HVAC
contractor
Breached
Target with
stolen
payment
credentials
Moved
laterally &
installed POS
Malware
Maintain access
ISACA June Training Seminar
Compromised
internal
server to
collect
customer
data
Exfiltrated
data C&C
servers over
FTP
Agenda
• Today’s threat landscape is next generation
• Definition of Next Generation Security
• What really makes it different
• 20 things your next generation security must do
• Closing & Questions
ISACA June Training Seminar
Definition of a Next Generation Firewall (NGFW)
From the Gartner IT Glossary, a NGFW is a:
• Deep-packet inspection firewall,
• Moves beyond port/protocol inspection and
blocking,
• Adds application-level inspection,
• Adds intrusion prevention, and
• Brings intelligence from outside the firewall.
ISACA June Training Seminar
Definition of a Next Generation Firewall (NGFW)
Should not be confused with:
• A stand-alone network intrusion prevention system
(IPS), which includes a commodity or nonenterprise firewall, or
• A firewall and IPS in the same appliance that are
not closely integrated.
ISACA June Training Seminar
Agenda
• Today’s threat landscape is next generation
• Definition of Next Generation Security
• What really makes it different
• 20 things your next generation security must do
• Closing & Questions
ISACA June Training Seminar
20 Years of Security Technology Sprawl
•
Ports and IP addresses aren’t reliable anymore
•
More stuff has become the problem
•
Too many policies, limited integration
•
Lacks context across individual products
UTM
Internet
IPS
AV
URL
Proxy
Sandbox
DLP
Enterprise
Network
ISACA June Training Seminar
Sample of a True Next Generation Architecture
• Single Pass
• Identifies applications
• User/group mapping
• Threats, viruses,
URLs, confidential
data
• One policy to manage
• Correlates all security
information to Apps
and Users
ISACA June Training Seminar
Next Generation vs. Legacy Firewalls
App-ID
Legacy Firewalls
Firewall Rule: ALLOW SMTP
SMTP
✔
SMTP
Firewall Rule: ALLOW Port 25
SMTP
Firewall
Bittorrent
✔
SMTP
Firewall
✗
Bittorrent
SMTP=SMTP: Allow
Bittorrent≠SMTP: Deny
✔
Bittorrent
Packet on Port 25: Allow
Visibility: Bittorrent detected and blocked
Packet on Port 25: Allow
Visibility: Port 25 allowed
ISACA June Training Seminar
Next Generation vs. Legacy Firewall + App IPS
App-ID
Legacy Firewalls
Firewall Rule: ALLOW SMTP
SMTP
✔
SMTP
Firewall Rule: ALLOW Port 25
Application IPS Rule: Block Bittorrent
SMTP
Firewall
Bittorrent
✔
Bittorrent
SMTP=SMTP: Allow
✔
SMTP
App IPS
Firewall
✗
✔
SMTP
Bittorrent
✗
Packet on Port 25: Allow
Bittorrent ≠ SMTP: Deny
Bittorrent: Deny
Visibility: Bittorrent detected and blocked
Visibility: Bittorrent detected and blocked
ISACA June Training Seminar
Next Generation vs. Legacy Firewall + App IPS
App-ID
Legacy Firewalls
Firewall Rule: ALLOW SMTP
Firewall Rule: ALLOW Port 25
Application IPS Rule: Block Bittorrent
Firewall
SMTP
Bittorrent
SSH, Skype,
Ultrasurf
✔
✗
✗
✔
✔
✔
App IPS
Firewall
SMTP
SMTP
Bittorrent
SSH, Skype,
Ultrasurf
SMTP=SMTP: Allow
Skype≠SMTP: Deny
SSH≠SMTP: Deny
Ultrasurf≠SMTP: Deny
Visibility: each app detected and blocked
SMTP
Bittorrent
SSH, Skype,
Ultrasurf
✔
✗
✔
Packet on Port 25: Allow
Packet ≠ Bittorrent: Allow
Visibility: Packets on Port 25 allowed
ISACA June Training Seminar
SMTP
SSH, Skype,
Ultrasurf
Next Generation vs. Legacy Firewall + App IPS
App-ID
Legacy Firewalls
Firewall Rule: ALLOW SMTP
Firewall Rule: ALLOW Port 25
Application IPS Rule: Block Bittorrent
Firewall
SMTP
Bittorrent
C&C
✔
✗
✗
✔
✔
✔
App IPS
Firewall
SMTP
SMTP
Bittorrent
C&C
SMTP=SMTP: Allow
Bittorrent
C&C
✔
✗
✔
Packet on Port 25: Allow
Command & Control ≠ SMTP: Deny
Visibility: Unknown traffic
detected and blocked
SMTP
C & C ≠ Bittorrent: Allow
Visibility: Packet on Port 25 allowed
ISACA June Training Seminar
SMTP
C&C
Next Generation Closes the Loop for Threats
• Scan ALL applications, including SSL – Reduces attack surface,
and Provides context for forensics
• Prevent attacks across ALL attack vectors – Exploits, Malwares,
DNS, Command & Control, and URLs
• Detect zero day malware – Turn unknown into known, and update the
firewall
ISACA June Training Seminar
Sandboxing for Turning Unknown into Known
ISACA June Training Seminar
Security Context from Next Generation
Policies:
•
Allowing 10.1.2.4 to 148.62.45.6 on port 80 does not provide context.
Allowing Sales Users on Corporate LAN to access Salesforce.com but
look for threats and malware inside the decrypted SSL tunnel, and easily
seeing you have done so is context.
Threats:
•
Seeing you had 10 tunneling apps, 15 IPS hits, and 4 visits to malware
sites no context.
Seeing Dave Smith visited a malware site, downloaded 0-day Malware,
and his device is visiting other known malware sites, and using tunneling
apps that is context.
ISACA June Training Seminar
Next Generation and the Attack Kill-chain
Attack kill-chain
BREACH
PERIMETER
DELIVER
MALWARE
ENDPOINT
OPERATIONS
EXFILTRATE
DATA
Initial compromise
Deliver malware
and communicate
with attacker
Move laterally
and infect
additional hosts
Steal intellectual
property
Prevent attacks by stopping one step in the kill-chain
ISACA June Training Seminar
Agenda
• Today’s threat landscape is next generation
• Definition of Next Generation Security
• What really makes it different
• 20 things your next generation security must do
• Closing & Questions
ISACA June Training Seminar
20 Things Your Next Gen Security Must Do
1. Control applications and components regardless of Port or IP
2. Identify users regardless of IP address
3. Protect real-time against threats and exploits
4. Identify Circumventors (Tor, Ultrasurf, proxy, anonymizers)
5. Decrypt SSL Traffic
6. Packet shape traffic to Prioritize Critical Applications or De-
Prioritize Unproductive applications
7. Visualize Application Traffic
8. Block Zero Day Malware, Botnets, C&C and APT’s
9. Block Peer-to-Peer
10. Manage Bandwidth for a group of Users
ISACA June Training Seminar
20 Things Your Next Gen Security Must Do
11. Prevent or Monitor Data Leakage
12. Single Pass Inspection
13. Same security at mobile end-point
14. Central management console with relay logs & events
15. Policy for unknown traffic
16. Be cost effective by combining multiple functionalities
17. Deliver protection today, tomorrow, and in the future by
being firmware upgradeable
18. Interface with other end-point solutions to have a
consistent protection
19. Sinkhole DNS capabilities
20. Block base on URL
ISACA June Training Seminar
Agenda
• Today’s threat landscape is next generation
• Definition of Next Generation Security
• What really makes it different
• 20 things your next generation security must do
• Closing & Questions
ISACA June Training Seminar