Intel Security
Transcript Intel Security
2015 Security Conference
Ash Patel
Intel Security
McAfee Next Generation Firewall
and Security Connected Threat Ecosystem
~ Logicallis Security Conference 2015
Ashish Patel – Network Security Regional Director
.
Threats Are Getting Through
• 469,000 unique malware samples discovered weekly
• Subverting digital signatures is becoming more common
• 83% of organizations hit by Advanced Persistent Threats
• Fastest growing non-mobile malware is ransomware
• Mobile malware grew 30%, with 99% of it targeting Android
• Advanced Evasion Techniques: use growing to get old/new malware through legacy defenses
• Rootkit attacks return to growth
.
Firewall & NGFW Evolution (timeline: 1988, 2008, 2012, 2013, 2014)
Traditional FW
First NGFW
• Inspection
• Application and user awareness
Performance Enhanced NGFW
• Central management for large networks
• High availability
• Advanced evasion protection
“Connected” NGFW: Completeness of Security
• Connected to endpoint security
• Connected to SIEM
• Connected to advanced threat detection
• Connected to real-time global threat database
.
4
“INSANITY: doing the same thing over and over again and expecting different results.”
“We cannot solve our problems with the same thinking we used when we created them.”
– Albert Einstein
.
McAfee Differentiators
• Unified Software Core
• Strong Centralized Management
• Security Connected
• High Availability
• Advanced Evasion Prevention
.
7
Security Connected Integrations
McAfee NGFW part of the ecosystem
McAfee endpoint
• Visibility to endpoint
• Endpoint information use in policy enforcement
McAfee Global Threat Intelligence
• Comprehensive threat information for file reputations
McAfee ESM (SIEM)
• Continuous monitoring of the whole network security including NGFW
McAfee Advanced Threat Defense
• Superior malware detection against zero-day threats
Information exchange between network, endpoint and global threat information for superior protection
.
8
Global Threat Intelligence
[Diagram: threat reputation built from many activity sources and sensors]
Reputation outputs: Web Reputation, Sender Reputation, File Reputation
Reputation inputs: Network Activity, Affiliations, Geo-location, Application, Domain, Data Activity, Ports/Protocol, IP Address, URL, Web Activity, Mail Activity, Email Address, DNS Server
Contributing sensors: Network IPS, Firewall, Web Gateway, Mail Gateway, Host AV, Host IPS, 3rd Party Feed, Geo location feeds
Volumes: 300M IPS attacks/mo.; 2B botnet C&C IP reputation queries/mo.; 20B message reputation queries/mo.; 2.5B malware reputation queries/mo.
.
McAfee Differentiators
• Unified Software Core
• Strong Centralized Management
• Security Connected
• High Availability
• Advanced Evasion Prevention
.
11
Unified Software Core
Flexible Delivery
One McAfee software core delivered in several roles: Next Generation Firewall, Firewall, Layer 2 Firewall, IPS, VPN
Form factors: physical, virtual, software
Market segments: military, global enterprise, commercial, SMB
Adjustable security levels support a wide variety of deployment scenarios
Performance levels are maintained even with deep packet inspection enabled
.
12
McAfee Differentiators
• Unified Software Core
• Strong Centralized Management
• Security Connected
• High Availability
• Advanced Evasion Prevention
.
13
Single Pane of Glass for Security Management
Enabler for accuracy, efficiency and better use of time
McAfee Security Management Center (SMC) manages:
• NGFW roles on one unified appliance: FW / VPN, L2FW, IPS
• Locations and platforms: virtual (cloud), physical, hybrid
• Security Connected integrations: McAfee ESM, McAfee ePO, McAfee EIA
.
14
Efficient Centralized Management
Plug-and-Play Deployment for remote site rollouts
1 Initial configurations uploaded to McAfee SMC
2 Preconfigured McAfee NGFW connects to the Installation Cloud (call home)
3 Initial configuration pushed from the cloud
4 Policy push from the SMC
Cut deployment time from weeks and days to minutes
.
15
McAfee Differentiators
• Unified Software Core
• Strong Centralized Management
• Security Connected
• High Availability
• Advanced Evasion Prevention
.
16
WHY WORRY TODAY?
How do AETs score against leading next generation network security products?
7 test cases (Conficker worm): share of AET-borne attacks that succeeded (undetected)
• Divide exploit in IP fragments: 70%
• Divide exploit in TCP segments: 90%
• Using grey areas of protocols to hide the exploit: 90%
• Change byte encoding methods: 40%
• TCP segmentation and re-ordering: 80%
• TCP segmentation and re-ordering + urgent data: 90%
• Sending TCP payload with old timestamps (PAWS): 80%
.
DEFINITIONS
APT: Advanced Persistent Threat
“A highly motivated attacker implementing a targeted attack. Uses multiple hacking methods and advanced malware in order to penetrate, and stay stealthy, for a long period of time. Often uses AETs to improve the penetration success rate.”
Evasive & advanced malware: for host-based attacks
“Any kind of malware designed and developed to operate and stay undetected while it has penetrated end points and target hosts.”
AET: Network-based Advanced Evasion Techniques
“A specific hacking technique that has been developed to bypass all security devices and deliver a malicious code or exploit to its target undetected. AETs can be used to deliver known and unknown exploits and malicious content.”
.
AETs SUPPORT THE HACKER BUSINESS CASE
Improve ROI: When buying and developing new exploits hackers can improve ROI substantially by using AETs. They can also recycle existing malicious payloads by using AETs.
Access all areas: By using AETs hackers can penetrate deep into the network.
Do not get caught: … and they can do it undetected, with stealth.
.
Advanced Evasion Prevention
Fundamental Difference in Traffic Inspection
Traditional inspection architecture vs. McAfee NGFW stream-based full stack normalization
[Diagram: attack traffic passes through protocol agents; the evasion is stripped by normalization before the data stream is inspected]
Full-stack visibility: McAfee decodes and normalizes traffic on all protocol layers
Normalization-based evasion removal: The normalization process removes evasions before data stream inspection
Application data stream-based detection: Vulnerability-based fingerprints detect exploits in the normalized application-level data streams
In-house research and tools: Evasion-proof product quality assured with automated evasion fuzzing tests
Updates and upgrades: Anti-evasion technology automatically updated in NGFW
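To make the two slides above concrete (the AET test cases and the normalization architecture), here is an added example that is not McAfee code and not part of the original deck. It builds a constructed TCP exchange in which one HTTP request is split across segments, re-ordered, and shadowed by an insertion segment carrying a stale timestamp (three of the seven test categories), then compares three inspection strategies: matching each packet on its own, reassembling without modelling the host's PAWS check, and host-faithful normalization. The receiver model (PAWS discard, first-copy-wins on overlap) and the `SIGNATURE` marker are simplifying assumptions of this example; real stacks differ in the details, which is exactly why a normalizer has to be tuned to what the protected host does.

```python
"""Added example (not McAfee code): per-packet matching vs. host-faithful
stream normalization against segmentation, re-ordering and stale-timestamp
insertion. All traffic below is constructed."""
from dataclasses import dataclass

# Constructed stand-in for a vulnerability-based fingerprint; harmless text.
SIGNATURE = b"EXPLOIT-MARKER"


@dataclass
class Segment:
    seq: int      # relative TCP sequence number of the first payload byte
    data: bytes   # segment payload
    tsval: int    # TCP timestamp option (TSval) carried by the segment


def packet_match(segments):
    """Naive inspection: look for the fingerprint inside each segment on its own."""
    return any(SIGNATURE in s.data for s in segments)


def normalize(segments, isn=0, paws=True):
    """Reassemble the byte stream the receiving host will actually see.

    Simplified receiver model (an assumption of this example):
      * PAWS: a segment whose TSval is older than the TSval of the last
        in-order segment is discarded, as an RFC 7323 receiver would do.
      * Out-of-order segments are buffered and delivered in sequence order.
      * Overlapping bytes: the first accepted copy wins.
    With paws=False the stale segment is kept, which is the insertion
    mistake a non-normalizing inspector makes.
    """
    ts_recent = None   # TSval of the last accepted in-order segment
    nxt = isn          # next byte the host expects; everything below is delivered
    hole_buf = {}      # offset -> byte, accepted but not yet contiguous
    stream = bytearray()
    for s in segments:
        if paws and ts_recent is not None and s.tsval < ts_recent:
            continue                      # host drops it: PAWS failure
        if s.seq + len(s.data) <= nxt:
            continue                      # entirely old data, nothing new
        if s.seq <= nxt:
            ts_recent = s.tsval           # in-order segment advances TS.Recent
        for i, b in enumerate(s.data):
            hole_buf.setdefault(s.seq + i, b)   # first copy wins on overlap
        while nxt in hole_buf:            # deliver everything now contiguous
            stream.append(hole_buf.pop(nxt))
            nxt += 1
    return bytes(stream)


def stream_match(segments, paws=True):
    """Inspection on the normalized application data stream."""
    return SIGNATURE in normalize(segments, paws=paws)


def evasive_delivery():
    """Constructed sample: one HTTP request split, re-ordered, and shadowed by
    a stale-timestamp insertion segment."""
    request = b"GET /index.html?q=EXPLOIT-MARKER HTTP/1.0\r\n"
    assert request[18:32] == SIGNATURE
    return [
        Segment(seq=0,  data=request[:24],   tsval=100),  # "...q=EXPLOI"
        Segment(seq=24, data=b"XXXXXXXX",    tsval=50),   # stale TSval: host discards
        Segment(seq=36, data=request[36:],   tsval=102),  # arrives before its predecessor
        Segment(seq=24, data=request[24:36], tsval=101),  # "T-MARKER HTT" fills the gap
    ]


def run_comparison():
    """Returns the verdict of each inspection strategy on the same segments."""
    segs = evasive_delivery()
    return {
        "per_packet": packet_match(segs),                       # False: split across segments
        "reassembled_no_paws": stream_match(segs, paws=False),  # False: junk shadows the marker
        "normalized": stream_match(segs, paws=True),            # True: host's view is inspected
        "host_stream": normalize(segs),
    }


if __name__ == "__main__":
    for name, verdict in run_comparison().items():
        print(f"{name}: {verdict!r}")
```

The point to take away is the middle result: reassembly alone is not enough. An inspector that accepts a segment the host will reject ends up inspecting a different byte stream than the one the application receives, so the fingerprint never fires even though the exploit arrives intact. Normalization has to model the receiver's acceptance rules (timestamps, overlap policy, urgent data handling, fragment reassembly timeouts) for every layer it inspects.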
.
20
Advanced Evasion Prevention - evader.mcafee.com
Device Testing
With Evader getting access to the “protected” network is as simple as:
1 Select the Exploit
2 Identify Attack Target
3 Select the Evasion Technique
Vendors shown: Cisco, Palo Alto Networks, Check Point, Fortinet, Juniper, SourceFire, Tipping Point
.
21
McAfee Differentiators
• Unified Software Core
• Strong Centralized Management
• Security Connected
• High Availability
• Advanced Evasion Prevention
.
22
High Availability
Full Stack Resilience enabling business continuity
• Site resilience enabling in-service upgrades: clustering / load balancing
• Connectivity resilience: link / VPN failovers across multiple service providers
• Management resilience: management HA
Risk mitigation vs. resilience
.
23
High Availability
Native Active-Active Clustering
[Diagram: Internet in front of a cluster of Node 1 … 16; uptime shown as “99…”]
Mix of hardware and software versions
“I can upgrade a FW cluster without dropping a single packet”
– McAfee NGFW customer
.
24
High Availability
Augmented VPN for enterprise level site-to-site connectivity
[Diagram: Distant Site to HQ over 8Mbps MPLS + 8Mbps ISP A + 8Mbps ISP B (ADSL) = up to 24 Mbps]
Cost-effective alternative to MPLS with security included
.
25
McAfee Differentiators
• Unified Software Core
• Strong Centralized Management
• Security Connected
• High Availability
• Advanced Evasion Prevention
.
26
McAfee Next Generation Firewall Portfolio
Perfect fit for various locations and hybrid environments
Branch office
• Ruggedized appliance: wet, dust, shock proof design; temperature hardened
• Desktop appliances: modular and fixed designs; integration of access technologies
Rack installable appliances
• Modular and adaptable
• High speed interfaces
• High system performance
Virtual and software appliances
• Support for various platforms
Unified platform, full NGFW functionality
.
27
“McAfee Next Generation Firewall does 99% of our network configuration, reducing what used to take hours to minutes.”
– Julian Dyer, COBWEB, Chief Technical Officer
.
28
Certified and Validated by 3rd Parties
See more from www.mcafee.com/ngfw
Certifications
Validations
.
29
Extends the Connected Firewall capabilities by connecting the Firewall with End-Point Intelligence
Provides new flexibility to Virtualized Data Centers
.
31