Calgary security road show master deck final
Transcript of Calgary security road show master deck final
© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
Security Road Show - Calgary
9:00am – 9:15am Welcome
9:15am – 9:45am Palo Alto Networks
– You can’t control what you can’t see!
9:45am – 10:15am F5
– Protect your web applications
10:15am – 10:30am Break
10:30am – 11:00am Splunk
– Big data, next generation SIEM
11am – 11:30am Infoblox
– Are you fully prepared to withstand DNS attacks?
11:30am - 12:00pm Closing remarks, Q&A
12:00pm – 12:30pm Boxed Lunches
Today’s Speakers
– Geoff Shukin – Palo Alto Networks
– Clayton Sopel – F5
– Menno Vanderlist – Splunk
– Ed O’Connell- Infoblox
Background in architecting mission-critical data centre infrastructure
Founded in 2004
$125M in CY13 revenues
120 employees
Nationwide presence: Toronto | Vancouver | Ottawa | Calgary | London
25% growth YoY
Greater than 1:1 technical:sales ratio
The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools
Delivering infrastructure services which support core applications
Experience | Execution | Innovation
Top technical talent in Canada – Engineers average 15 years’ experience
We train the trainers – Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox
Our partners recognize we’re the best:
– Brocade Partner of the Year – Innovation
– Cisco Partner of the Year – Data Centre & Virtualization
– VMware Global Emerging Products Partner of the Year
– F5 Canadian Partner of the Year
– Palo Alto Networks Rookie of the Year
– NetApp Partner of the Year - Central
Unique infrastructure solutions designed to meet your needs – StudioCloud; HPC & Trading Systems
Testing Centre & Proving Grounds – Ensuring emerging technologies are hardened, up to the task of Enterprise workloads
Vendor Breadth – Our coverage spans Enterprise leaders and Emerging technologies for niche workloads & developing markets
“Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”
“We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”
“Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multi-disciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”
Palo Alto Networks
Controlling Threats
Geoff Shukin, Senior SE Palo Alto Networks
#netgun
context |ˈkänˌtekst| noun: the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed
©2014 Palo Alto Networks. Confidential and Proprietary.
context
intelligence
action
Context example 1 (the same session, with every attribute the firewall can attach to it):
application: slideshare
application function: slideshare-uploading
protocol: HTTP over SSL
destination port: tcp/443
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination country: canada
user: bjacobs
group: prodmgmt
file name: roadmap.pdf
file type: pdf
file size: 344 KB
URL category: file-sharing
Context example 2 (identical network 5-tuple, very different meaning once the context is known):
application: web-browsing
protocol: HTTP over SSL
destination port: tcp/443
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination country: china
user: fthomas
group: finance
file name: shipment.exe
file type: exe
file size: 344 KB
URL category: unknown
ZeroAccess attack chain, as diagrammed on the slide:
Exploit kit contact on a new domain; ZeroAccess delivered; C2 established; secondary payload; spread laterally; custom C2 & hacking; data stolen
Why each step slips past traditional controls (slide annotations): new domain, no reputation; hides within SSL; payload evades AV; C2 hides using non-standard ports; no signature for custom malware; hides in plain sight; payload evades C2 signatures; exfiltration via RDP & FTP
Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base
All Applications, All Attack Vectors, All Threats
Segmentation
• Isolate critical data, business functions
• Enable applications based on users
• Block known/unknown threats
Gateway
• Visibility into all traffic
• Enable apps to reduce exposure
• Block known/unknown threats
Datacenter
• Validate business applications & users
• Find rogue/misconfigured apps
• High speed threat prevention
Threat tiers (the "advanced threat" arrow on the slide runs from commodity to nation state):
Commodity threats (very common, easily identified): mostly addressed by traditional AV and IPS; low sophistication, slowly changing; machine vs. machine
Organized cybercrime (more customized exploits and malware): somewhat more sophisticated payloads; evasion techniques often employed; sandboxing and other smart detection often required
Nation state (very targeted, persistent, creative): intelligent and continuous monitoring of passive network-based and host-based sensors; comprehensive investigation after an indicator is found; highly coordinated response is required for effective prevention and remediation
Evolving from an incident response mindset to an intelligence mindset
No intelligence exists without visibility
Applying the intelligence and resulting IOCs to the kill chain
Sharing what you know
It’s a campaign, not just an attack: appreciate and utilize the intelligence cycle
Security stack (what individual controls do):
• Block an IP address
• Block a URL
• Block a session
• Block a known virus
• Heuristically block spam
• Block bad attachments
Intelligence cycle (what you learn about the adversary, indicators {A, B, C, D, E, F, G, H, I, J, K, L, M, N, O} mapped onto the kill chain):
• Recons by A, B and C
• Builds this kind of weapon: D
• Delivers the weapon by E, F and G
• Exploits the network by H and I
• Installs itself by J
• Establishes C2 by K, L and M
• Performs N and O on the objective
You don’t have intelligence if you don’t have visibility
Visibility required across the whole network
Ideally, you can see and understand applications, content, and users
Then make sense of what you see
1. Changes driven by “location”
– Where’s the user?
– Where’s the app?
– Where’s the server?
2. Changes driven by security evolution
– Who and where is the attacker?
– What is their level of sophistication?
– What are their motives?
Users are moving off the network
Apps are moving off the network
Servers are moving to private and public clouds
Traffic is moving off the network
Visibility provides intelligence around the indicators of compromise (IOC)
IOCs applied to the kill chain provide actionability
Highly automated kill chain
Traditional detection and sandbox-based detection feed automatic generation of:
• Anti-malware signatures
• IPS (C&C) signatures
• DNS (C&C) signatures
• Malware URL lists
In the cyber security battle, sharing is key
Three ways this is happening
1. External – industry initiatives
2. External – technology partnerships
3. Internal – your security technology should leverage the network
Automatic detection in real time in private or public cloud
Automatic generation of several defensive measures
Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection
Automatic installation of defensive measures provides full prevention immediately
You benefit from the threat intelligence of 2,500+ organizations across the industry
© F5 Networks, Inc. CONFIDENTIAL
F5 Provides Complete Visibility and Control Across Applications and Users
Intelligent Services Platform (TMOS): Network Firewall | Protocol Security | DDoS Protection | Dynamic Threat Defense | DNS | Web Access
Users: securing access to applications from anywhere
Resources: protecting your applications regardless of where they live
[Figure: two timelines of publicly reported security incidents, May to December 2012 and January to June 2013, each incident plotted by month and labelled with the victim’s sector (Bank, Gov, Online Services, News & Media, Telco, Edu, Non-Profit, Industrial, Auto, Software, Utility, Retail, DNS Provider, Consumer Electronics, Online Gaming, Airport, Food Service, Health, Entertainment). Attack types shown: Spear Phishing, Physical Access, XSS, Unknown. Size of circle estimates relative impact of incident in terms of cost to business.]
More sophisticated attacks are multi-layer: Application, SSL, DNS, Network
The business impact of DDoS: cost of corrective action; reputation management
OWASP Top 3 Application Security Risks (2013)
1 – Injection: Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.
2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume other users’ identities.
3 – Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.
Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
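To make risks 1 and 3 concrete, here is an added example (written for this page, not code from OWASP, F5 or the slide) that places an injectable query beside its parameterised form and an unescaped HTML reflection beside its escaped form. It uses Python’s standard sqlite3 and html modules; the customers table and its three rows are constructed for the demonstration, and the search term Acme's echoes the apostrophe in the slide’s sample request.

```python
import html
import sqlite3


def demo_db():
    """In-memory table with constructed sample rows (not data from the page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (name TEXT, is_admin INTEGER)")
    con.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Acme", 0), ("Acme's Widgets", 0), ("Globex", 1)],
    )
    return con


def search_vulnerable(con, name):
    """Untrusted input concatenated into the query text: the injection flaw above."""
    query = "SELECT name FROM customers WHERE name = '%s'" % name
    return [row[0] for row in con.execute(query)]


def search_fixed(con, name):
    """Same lookup with a bound parameter: the value can never become SQL syntax."""
    rows = con.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]


def vulnerable_query_errors(con, name):
    """True when the concatenated query fails to parse (a quote in the input broke it)."""
    try:
        search_vulnerable(con, name)
    except sqlite3.Error:
        return True
    return False


def render_vulnerable(name):
    """Reflects the search term into HTML unescaped: the XSS flaw above."""
    return "<p>Results for %s</p>" % name


def render_fixed(name):
    """Escapes the untrusted value so the browser treats it as text, not markup."""
    return "<p>Results for %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = demo_db()
    # The classic tautology: WHERE name = 'x' OR '1'='1' returns every row.
    print(search_vulnerable(db, "x' OR '1'='1"))
    print(search_fixed(db, "x' OR '1'='1"))            # []
    # A legitimate apostrophe breaks the concatenated query but not the bound one.
    print(vulnerable_query_errors(db, "Acme's Widgets"))  # True
    print(search_fixed(db, "Acme's Widgets"))
    print(render_fixed("<script>alert(1)</script>"))
```

Note that the same apostrophe that lets an attacker rewrite the query also breaks the vulnerable version on honest input (Acme's Widgets), which is why a WAF signature on quote characters produces false positives on such applications and why the parameterised query, not the signature, is the actual fix.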
Full Proxy Security
A full proxy terminates the client side and the server side separately at every layer (Physical, Network, Session, Application, Web application) and applies a control at each:
• Network: L4 firewall, full stateful policy enforcement and TCP DDoS mitigation
• Session: SSL inspection and SSL DDoS mitigation
• Application: HTTP proxy, HTTP DDoS and application security
• Web application: application health monitoring and performance anomaly detection
The F5 Application Delivery Firewall: bringing deep application fluency to firewall security
One platform: SSL inspection | Traffic management | DNS security | Access control | Application security | Network firewall | DDoS mitigation
Certification: EAL2+; EAL4+ (in process)
Positive vs Negative Security
• Positive security: known-good traffic. Permit only what is defined in the security policy (whitelisting) and block everything else.
• Negative security: known-bad traffic. Pattern matching for malicious content using regular expressions (attack signatures).
• Policy enforcement is based on positive security logic; negative security logic is used to complement it.
How Does It Work? Security at application, protocol and network level
Request flow: request made; security policy checked; enforcement (content scrubbing, application cloaking); server response; security policy applied; response delivered
Actions: log, block, allow
“BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”
Order in which the policy is applied to each request:
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP request
3. Then enforce valid file types for the application
4. Then enforce a list of valid URLs
5. Then check against a list of valid parameters
6. Then, for each parameter, check the maximum value length
7. Then scan each parameter, the URI and the headers for attack signatures
Sample request used on the slide (note the apostrophe in name=Acme’s and the extra admin=1 parameter):
GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: 172.29.44.44\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n
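The positive-vs-negative discussion and the seven-step check order above are easier to reason about as code. The following is an added example, written for this page rather than taken from F5 or the slide, of a positive-security request validator that applies those seven checks in order to the slide’s sample request. The policy values (allowed URLs, file types, parameters and length limits), the four attack signatures and the SAMPLE_REQUEST transcription are assumptions for illustration; F5 ASM’s real policy format and signature set are not reproduced here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the request shown on the slide, re-typed here (not a capture).
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme\u2019s&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n"
    "\r\n"
)

# Hypothetical positive-security policy for this one application (assumed values,
# not an F5 ASM policy): anything not listed here is a violation.
POLICY = {
    "max_request_len": 4096,
    "max_uri_len": 256,
    "max_header_len": 512,
    "allowed_file_types": {"php", "html", "css", "js"},
    "allowed_urls": {"/search.php", "/index.php"},
    "params": {"/search.php": {"q": 64}},  # URL -> {parameter: max value length}
}

# Negative-security complement: a few illustrative attack signatures (not exhaustive).
SIGNATURES = [
    ("sql-quote", re.compile("['\u2019\"]")),              # quotes break out of SQL strings
    ("sql-keyword", re.compile(r"(?i)\b(union|select|or)\b\s")),
    ("xss-tag", re.compile(r"(?i)<\s*script")),
    ("path-traversal", re.compile(r"\.\./")),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")


def check_request(raw, policy=POLICY):
    """Apply the seven checks in the slide's order; return the list of violations."""
    violations = []
    if len(raw) > policy["max_request_len"]:
        violations.append("length: request exceeds max_request_len")
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    # 1. RFC compliance: request-line shape, "Name: value" headers, Host present
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return violations + ["rfc: malformed request line"]
    target = m.group(2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            violations.append("rfc: malformed header %r" % line)
            continue
        headers[name.lower()] = value.strip()
    if "host" not in headers:
        violations.append("rfc: HTTP/1.1 request without Host header")
    # 2. length limits on the URI and on each header value
    if len(target) > policy["max_uri_len"]:
        violations.append("length: URI too long")
    for name, value in headers.items():
        if len(value) > policy["max_header_len"]:
            violations.append("length: header %s too long" % name)
    # 3. file-type allow-list (taken from the path extension)
    parts = urlsplit(target)
    ext = parts.path.rsplit(".", 1)[-1] if "." in parts.path else ""
    if ext not in policy["allowed_file_types"]:
        violations.append("filetype: '%s' not allowed" % (ext or "(none)"))
    # 4. URL allow-list
    if parts.path not in policy["allowed_urls"]:
        violations.append("url: %s not in policy" % parts.path)
    # 5. parameter allow-list, then 6. per-parameter maximum value length
    allowed = policy["params"].get(parts.path, {})
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:
            violations.append("param: unknown parameter '%s'" % name)
        elif len(value) > allowed[name]:
            violations.append("param: '%s' value too long" % name)
    # 7. attack-signature scan of the URI, every parameter value and every header
    surfaces = [("uri", target)]
    surfaces += [("param:" + n, v) for n, v in params]
    surfaces += [("header:" + n, v) for n, v in headers.items()]
    for where, text in surfaces:
        for sig_name, pattern in SIGNATURES:
            if pattern.search(text):
                violations.append("signature: %s in %s" % (sig_name, where))
    return violations


if __name__ == "__main__":
    for v in check_request(SAMPLE_REQUEST):
        print(v)
```

On the slide’s request the positive checks flag name and admin as parameters the policy never defined (steps 5 and 6 never reach a length check for them), and the negative check flags the apostrophe in Acme’s in both the URI and the parameter value. That is the complementary relationship the slide describes: the allow-list would have blocked the admin=1 tampering even without any signature, while the signature catches a hostile value inside a parameter the policy does allow.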
Automatic HTTP/S DoS Attack Detection and Protection
• Accurate detection technique, based on latency
• Three different mitigation techniques escalated serially
• Focus on higher-value productivity while automatic controls intervene
Detect a DoS condition; identify potential attackers; drop only the attackers
IP Intelligence
IP intelligence service: IP address feed updates every 5 min, combined with a geolocation database, placed in front of custom and financial applications
Source categories identified: botnet; attacker; anonymous requests; anonymous proxies; scanner; restricted region or country; internally infected devices and servers
Built for intelligence, speed and scale
Concurrent user sessions: 100K
Concurrent logins: 1,500/sec
Throughput: 640 Gbps
Concurrent connections: 288 M
Connections per second: 8 M
SSL TPS (2K keys): 240K/sec
DNS query response: 10 M/sec
Application Delivery Firewall: iRules extensibility everywhere
Products:
Advanced Firewall Manager: stateful full-proxy firewall; flexible logging and reporting; native TCP, SSL and HTTP proxies; network and session anti-DDoS
Access Policy Manager: dynamic, identity-based access control; simplified authentication infrastructure; endpoint security, secure remote access
Local Traffic Manager: #1 application delivery controller; application fluency; app-specific health monitoring
Application Security Manager: leading web application firewall; PCI compliance; virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection
Global Traffic Manager & DNSSEC: huge-scale DNS solution; global server load balancing; signed DNS responses; offload DNS crypto
Capabilities: SSL inspection | Traffic management | DNS security | Access control | Application security | Network firewall | DDoS mitigation
The F5 DDoS Protection Reference Architecture: f5.com/architectures
Summary
• Customers invest in network security, but most significant threats are at the application layer
• Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data
• A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges
• F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access
The Accelerating Pace of Data
Volume | Velocity | Variety | Variability
Sources: GPS, RFID, hypervisors, web servers, email, messaging, clickstreams, mobile, telephony, IVR, databases, sensors, telematics, storage, servers, security devices, desktops
Machine data is the fastest growing, most complex and most valuable area of big data
The Splunk Security Intelligence Platform
Machine data (online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID) is indexed on HA indexes and storage running on commodity servers
Security use cases: forensic investigation; security operations; compliance; fraud detection
Industry Accolades: Best SIEM Solution; Best Enterprise Security Solution; Best Security Product
Over 2,800 Global Security Customers
Splunk Security Intelligence Platform: 120+ security apps, including the Splunk App for Enterprise Security
Partner ecosystem (apps and add-ons): Palo Alto Networks, NetFlow Logic, FireEye, Blue Coat ProxySG, OSSEC, Cisco Security Suite, Active Directory, F5 Security, Juniper, Sourcefire
What is the Value Add to Existing Customers?
• Visibility and correlation of rich data
• Improved security posture
• Configurable dashboard views
All Data is Security Relevant = Big Data
Traditional SIEM sources: intrusion detection, firewall, data loss prevention, anti-malware, vulnerability scans, authentication
Beyond the traditional SIEM: servers, service desk, storage, desktops, email, web, call records, network flows, DHCP/DNS, hypervisor, custom apps, industrial control, badges, databases, mobile
Making Sound Security Decisions
Inputs: log data; binary data (flow and PCAP); context data; threat intelligence feeds
Characteristics: Volume | Velocity | Variety | Variability
Output: security decisions
Case #1 - Incident Investigation/Forensics
• Often initiated by alert in another product
• May be a “cold case” investigation requiring machine data going back months
• Need all the original data in one place and a fast way to search it to answer:
– What happened and was it a false positive?
– How did the threat get in, where have they gone, and did they steal any data?
– Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed
Case #2 – Real-time Monitoring of Known Threats
Example correlation – data loss: all three occurring within a 24-hour period, joined on source IP
Sources / time range:
• Intrusion detection: data loss (credit card number detected in clear text)
• Endpoint security: malware found
• Windows authentication: default admin account
Sample events shown on the slide:
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:
20130806041221.000000Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts

Case #3 – Real-time Monitoring of Unknown Threats
Example correlation – spearphishing: all three occurring within a 24-hour period, joined on user name
Sources / time range:
• Email server: rarely seen email domain
• Web proxy: rarely visited web site
• Endpoint logs: rarely seen service
Sample events shown on the slide:
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
08/09/2013 16:23:51.0128event_status="(0)The operation completed successfully. "pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type ="CreateKey"key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Printers Print\Providers\ John Doe-PC\Printers\{}\ NeverSeenbefore" data_type""
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected] , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z
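Case #2 is a three-way join on source IP inside a 24-hour window. As an added example (written for this page, not Splunk’s own code or SPL), the block below implements that correlation in Python over constructed log lines modelled on the slide’s three sources: a Symantec "Virus found" event, a Snort credit-card-in-clear-text alert and a WMI UserAccounts record for the built-in RID-500 Administrator. The log lines, the assumed year (syslog timestamps carry none), the field-extraction regexes and the source names are all assumptions; a decoy Snort alert from a second host and a DHCP noise line are included to show that the join only fires when every source is present for the same key.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events modelled on the slide's three sources (not real logs).
# Line 3 is unrelated noise; line 5 is a decoy from a host with only one source.
SAMPLE_LOGS = [
    "Aug 08 04:12:21 acme-wmi Caption=ACME-2975EB\\Administrator Description=Built-in account "
    "for administering the computer/domain IP: 10.11.36.20 Name=Administrator "
    "SID=S-1-5-21-1715567821-926492609-725345543-500 wmi_type=UserAccounts",
    "Aug 08 06:09:13 acmesep01.acmetech.com SymantecServer acmesep01: Virus found,"
    "Computer name: ACME-002,Risk name: Hackertool.rootkit,Actual action: Quarantined,"
    "User: smithe,Source IP: 10.11.36.20",
    "Aug 08 07:00:00 dhcp01 dhcpd: DHCPACK on 10.11.36.20 to 00:11:22:33:44:55 via eth0",
    "Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec "
    "snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] "
    "Credit Card Number Detected in Clear Text [Priority: 2]",
    "Aug 08 09:00:00 snort.acmetech.com {TCP} 10.11.36.40:5100 -> 10.11.36.26:443 itsec "
    "snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Priority: 2]",
]

YEAR = 2013  # syslog timestamps carry no year; assumed for the constructed sample
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Source name -> pattern that both recognises the event and extracts the join key (source IP).
SOURCES = {
    "endpoint_malware": re.compile(r"Virus found,.*Source IP: " + IP),
    "ids_data_loss": re.compile(IP + r":\d+ -> .*Credit Card Number Detected"),
    "default_admin_account": re.compile(r"IP: " + IP + r".*SID=S-1-5-21-[\d-]+-500\b"),
}
TIMESTAMP = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) ")


def parse_event(line):
    """Return (timestamp, source, ip) for a recognised line, or None for noise."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    stamp = "%d %s %s %s" % (YEAR, m["mon"], m["day"], m["time"])
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    for source, pattern in SOURCES.items():
        hit = pattern.search(line)
        if hit:
            return ts, source, hit["ip"]
    return None


def correlate(lines, required=None, window_hours=24):
    """Map each IP that produced an event from every required source inside one
    sliding window to the timestamp of the first event of that window."""
    required = set(SOURCES if required is None else required)
    window = timedelta(hours=window_hours)
    by_ip = {}
    for line in lines:
        ev = parse_event(line)
        if ev:
            ts, source, ip = ev
            by_ip.setdefault(ip, []).append((ts, source))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # sources seen in the window that opens at this event
            seen = {src for ts, src in events[i:] if ts - start <= window}
            if required <= seen:
                hits[ip] = start
                break
    return hits


if __name__ == "__main__":
    for ip, first_seen in correlate(SAMPLE_LOGS).items():
        print("ALERT data-loss pattern from %s, window starting %s" % (ip, first_seen))
```

The window is anchored on each event in turn, so a host whose three events are spread over 30 hours is not flagged, and narrowing window_hours to 1 makes the sample host disappear as well. The same structure serves Case #3 by swapping the join key to user name and the three regexes to the proxy, endpoint and mail-server formats; the "rarely seen" qualifier there needs a baseline of historical counts that this block does not model.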
$500k Security ROI @ Interac
• Challenges: manual, costly processes
– Significant people and days/weeks required for incident investigations. $10k+ per week.
– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
• Enter Splunk: fast investigations and stronger security
– Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
– Splunk reduced investigation time to hours. Reports can be created in minutes.
– Real-time correlations and alerting enables fast response to known and unknown threats
– ROI quantified at $500k a year. Splunk TCO is less than 10% of this.
“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.” – Josh Diakun, Security Specialist, Information Security Operations
Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize with reliance on pre-built rules which generated false positives
• Enter Splunk: flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered team
– 900 GB/day and searches take < a minute. 7 global data centers with 350TB stored data
– Estimate Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for ‘big data’ use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.” – Gavin Reid, Leader, Cisco Computer Security Incident Response Team
Security and Compliance @ Barclays
• Challenges: unable to meet demands of auditors
– Scale issues, hard to get data in, and impossible to get data out beyond summaries
– Not optimized for unplanned questions or historical searches
– Struggled to comply with global internal and external mandates, and to detect APTs
– Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
• Enter Splunk: stronger security and compliance posture
– Fines avoided as searches easily turned into visualizations for compliance reporting
– Faster investigations, threat alerting, better risk measurement, enrichment of old data
– Scale and speed: over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
– Other teams using Splunk for non-security use cases improves ROI
“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.” – Stephen Gailey, Head of Security Services
Splunk Key Differentiators (vs. traditional SIEM)
• Single product, UI, data store
• Software-only; install on commodity hardware
• Quick deployment + ease-of-use = fast time-to-value
• Can easily index any data type
• All original/raw data indexed and searchable
• Big data architecture enables scale and speed
• Flexible search and reporting enables better/faster threat investigations and detection, including finding outliers/anomalies
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance
Are you prepared to withstand DNS attacks?
Ed O’Connell, Senior Product Marketing Manager, Infoblox
Agenda:
Infoblox Overview
DNS Security Challenges
Securing the DNS Platform
Defending Against DNS Attacks
Preventing Malware from using DNS
Infoblox Overview
Founded in 1999; headquartered in Santa Clara, CA with global operations in 25 countries
Market leadership: Gartner “Strong Positive” rating; 40%+ market share (DDI)
6,900+ customers, 64,000+ systems shipped
38 patents, 25 pending
IPO April 2012: NYSE BLOX
Leader in technology for network control
Total Revenue ($MM, Fiscal Year Ending July 31):
FY2007 $35.0 | FY2008 $56.0 | FY2009 $61.7 | FY2010 $102.2 | FY2011 $132.8 | FY2012 $169.2 | FY2013 $225.0
Infrastructure Security
[Diagram: the Infoblox Grid with its real-time network database forms the control plane, sitting between the network infrastructure (firewalls, switches, routers, web proxy, load balancers) and the apps & end-points (end points, virtual machines, private cloud, applications), with historical / real-time reporting & control]
DNS is the cornerstone of the Internet, used by every business / government
DNS as a protocol is easy to exploit
DNS outage = business downtime
Traditional protection is ineffective against evolving threats
1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS
Infoblox Advanced DNS Protection
Defend Against DNS Attacks
Infoblox DNS Firewall
Prevents Malware/APT from Using DNS
Hardened Appliance & OS
Secure the DNS Platform
– Many open ports subject to attack
– Users have OS-level account privileges on the server
– No visibility into good vs. bad traffic
– Requires time-consuming manual updates
– Requires multiple applications for device management
Minimal attack surfaces
Active/Active HA & DR recovery
Tested & certified to highest industry standards
Secure inter-appliance communication
Centralized management with role-based control
Secured access, communication & API
Detailed audit logging
Fast/easy upgrades
No scripts / Auto-Resigning / 1-click
Central configuration of all DNSSEC parameters
Automatic maintenance of signed zones
Infoblox DNS Firewall
Prevents Malware/APT from Using DNS
Hardened Appliance & OS
Secure the DNS Platform
Infoblox Advanced DNS Protection
Defend Against DNS Attacks
Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013 (share of infrastructure-layer attacks by vector)
UDP FRAGMENT: 17.11% | SYN: 14.56% | UDP FLOODS: 13.15% | ICMP: 9.71% | DNS: 9.58% | CHARGEN: 6.39% | ACK: 2.81% | RESET: 1.4% | FIN PUSH: 1.28% | SYN PUSH: 0.38% | RP: 0.26% | TCP FRAGMENT: 0.13%
~10% of infrastructure attacks targeted DNS
Source: Arbor Networks (share of survey respondents reporting application-layer attacks, by targeted service)
HTTP: 82% | DNS: 77% | HTTPS: 54% | SMTP: 25% | SIP/VOIP: 20% | Other: 9% | IRC: 6%
~80% of organizations surveyed experienced application layer attacks on DNS
Distributed Reflection DoS Attack (DrDoS)
Combines reflection and amplification
How the attack works
– Uses third-party open resolvers on the Internet as unwitting accomplices
– The attacker sends small packets, with the source address spoofed to the victim’s IP, to the open recursive servers, requesting a large amount of data that is then sent to the victim
– Uses multiple such open resolvers, often thousands of servers
– Queries are specially crafted to result in a very large response (for example ANY queries, or queries for DNSSEC-signed records)
– Causes DDoS on the victim’s server
[Diagram: Attacker sends spoofed queries to open resolvers on the Internet, whose responses converge on the target victim]
[Diagram: Infoblox Advanced DNS Protection on the external and internal DNS blocks DNS attacks while passing legitimate traffic; the Infoblox Threat-rule Server pushes automatic updates to the appliances; data for reports flows to the Reporting Server, which reports on attack types and severity]
DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
DNS amplification: Using a specially crafted query to create an amplified response that floods the victim with traffic
DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
TCP/UDP/ICMP floods: Denial of service at layer 3, bringing a network or service down by flooding it with large amounts of traffic
DNS cache poisoning: Corruption of the DNS cache data with a rogue address
Protocol anomalies: Causing the server to crash by sending malformed packets and queries
Reconnaissance: Attempts by attackers to get information on the network environment before launching a DDoS or other type of attack
DNS tunneling: Tunneling of another protocol through DNS for data exfiltration (or command and control)
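The DrDoS walkthrough and the reflection/amplification and tunneling rows above describe what these attacks look like from the resolver’s side. The following added example (not Infoblox code, not part of the original deck) runs two plain heuristics over constructed resolver log lines: a source that keeps asking for responses many times larger than its queries, and a base domain receiving many unique, high-entropy subdomain labels. The key=value log format, the field names, the thresholds, and the “last two labels” rule for the base domain are assumptions chosen for illustration; a real deployment would use the public suffix list and its own log schema.

```python
"""Detection heuristics for DNS amplification abuse and DNS tunneling, run over
constructed resolver log lines. Added example, not Infoblox code: the log format,
field names and thresholds are assumptions chosen for illustration."""
import math
import re
from collections import defaultdict

# Assumed "key=value" resolver log format; qbytes/rbytes are wire sizes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) qbytes=(?P<qbytes>\d+) rbytes=(?P<rbytes>\d+)$"
)

# Constructed sample: one source repeating ANY queries for a large zone (the
# reflection pattern), two normal lookups, and a run of random-looking labels
# under t.example.net (the tunneling pattern). Addresses/names are documentation values.
SAMPLE_LOG = """
2014-03-12T10:15:01Z client=198.51.100.7 qname=example.com qtype=ANY qbytes=40 rbytes=3100
2014-03-12T10:15:01Z client=198.51.100.7 qname=example.com qtype=ANY qbytes=40 rbytes=3100
2014-03-12T10:15:02Z client=198.51.100.7 qname=example.com qtype=ANY qbytes=40 rbytes=3100
2014-03-12T10:15:02Z client=198.51.100.7 qname=example.com qtype=ANY qbytes=40 rbytes=3100
2014-03-12T10:15:03Z client=198.51.100.7 qname=example.com qtype=ANY qbytes=40 rbytes=3100
2014-03-12T10:15:03Z client=192.0.2.10 qname=www.example.com qtype=A qbytes=33 rbytes=49
2014-03-12T10:15:04Z client=192.0.2.11 qname=mail.example.com qtype=MX qbytes=34 rbytes=80
2014-03-12T10:15:05Z client=192.0.2.44 qname=x9k2mq7zp4vt8ra3.t.example.net qtype=TXT qbytes=58 rbytes=120
2014-03-12T10:15:05Z client=192.0.2.44 qname=b5n1wd6yc0hs4jl2.t.example.net qtype=TXT qbytes=58 rbytes=120
2014-03-12T10:15:06Z client=192.0.2.44 qname=g3e8ku9fo2ix7mv1.t.example.net qtype=TXT qbytes=58 rbytes=120
2014-03-12T10:15:06Z client=192.0.2.44 qname=t6a4rz0pq5yn8bw3.t.example.net qtype=TXT qbytes=58 rbytes=120
2014-03-12T10:15:07Z client=192.0.2.44 qname=c2h7vj1lk9sd5xm0.t.example.net qtype=TXT qbytes=58 rbytes=120
2014-03-12T10:15:07Z client=192.0.2.44 qname=m8f3oq6ze2wb4ru7.t.example.net qtype=TXT qbytes=58 rbytes=120
"""


def parse_log(text):
    """Parse key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["qbytes"], ev["rbytes"] = int(ev["qbytes"]), int(ev["rbytes"])
            ev["qname"] = ev["qname"].rstrip(".").lower()
            events.append(ev)
    return events


def find_amplification_abuse(events, min_ratio=20.0, min_queries=3):
    """Clients repeatedly receiving responses far larger than their queries.
    On an open resolver the 'client' address is the spoofed victim, so the
    result names who is being flooded through this server, not the attacker."""
    per_client = defaultdict(list)
    for ev in events:
        ratio = ev["rbytes"] / max(ev["qbytes"], 1)
        if ratio >= min_ratio:
            per_client[ev["client"]].append(ratio)
    return {
        client: {"queries": len(r), "mean_ratio": round(sum(r) / len(r), 1)}
        for client, r in per_client.items() if len(r) >= min_queries
    }


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_tunneling(events, min_unique=5, min_entropy=3.0):
    """Base domains that receive many distinct, high-entropy leftmost labels.
    Base domain = last two labels (a simplification; use the public suffix list
    in production). Names with only two labels carry no payload label and are skipped."""
    names = defaultdict(set)
    for ev in events:
        labels = ev["qname"].split(".")
        if len(labels) < 3:
            continue
        names[".".join(labels[-2:])].add(ev["qname"])
    flagged = {}
    for base, qnames in names.items():
        if len(qnames) < min_unique:
            continue
        mean = sum(shannon_entropy(q.split(".")[0]) for q in qnames) / len(qnames)
        if mean >= min_entropy:
            flagged[base] = {"unique_names": len(qnames), "mean_entropy": round(mean, 2)}
    return flagged


def run_detections(text):
    """Both heuristics over one log text."""
    events = parse_log(text)
    return {"amplification": find_amplification_abuse(events),
            "tunneling": find_tunneling(events)}


if __name__ == "__main__":
    print(run_detections(SAMPLE_LOG))
```

On the sample, the amplification check flags 198.51.100.7 (five ANY queries answered at roughly 77x their size) and the tunneling check flags example.net (six unique labels with about 4 bits of entropy per character). Two caveats a practitioner will want: a single large-response query is normal, so the rate and the repetition matter more than the ratio; and on a resolver the flagged “client” is the spoofed victim, which is why the durable fix is not blocking that address but closing open recursion to outside clients and applying response rate limiting.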
[Diagram: Advanced DNS Protection deployment. External: appliances in the DMZ facing the Internet, with a Grid Master and Candidate (HA). Internal: appliances in the datacenter and at campus/regional sites serving intranet endpoints, with a Grid Master and Candidate (HA)]
Hardened Appliance & OS
Secure the DNS Platform
Infoblox Advanced DNS Protection
Defend Against DNS Attacks
Infoblox DNS Firewall
Prevents Malware/APT from Using DNS
CryptoLocker “Ransomware”
Targets Windows-based computers
Appears as an attachment to a legitimate-looking email
Upon infection, encrypts files on the local hard drive & mapped network drives
Ransom: 72 hours to pay US$300
Fail to pay and the encryption key is deleted and the data is gone forever
Only way to stop it (after the executable has started) is to block the outbound connection to the encryption key server: CryptoLocker fetches its public key from that server (its C&C) before it encrypts anything, so denying that lookup denies it the key
1. An infected device is brought into the office; the malware / APT spreads to other devices on the network and calls home.
2. The malware makes a DNS query to find “home” (botnet / C&C).
3. Detect & disrupt: DNS Firewall detects & blocks the DNS query to the malicious domain; the blocked attempt is sent to syslog.
4. Pinpoint: Infoblox Reporting lists blocked attempts as well as the:
• IP address
• MAC address
• Device type (DHCP fingerprint)
• Host name
• DHCP lease history
DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Service (Infoblox Malware Data Feed Service).
[Diagram: Infoblox DDI with DNS Firewall between the intranet and the Internet, blocking queries for the malicious domains]
1. Detect: FireEye NX Series detonates and detects the malware (an endpoint attempting to download an infected file); alerts are sent to Infoblox.
2. Disrupt: Infoblox DNS Firewall disrupts the malware’s DNS communication; the blocked attempt is sent to syslog.
3. Pinpoint: Infoblox Reporting provides a list of blocked attempts as well as the:
• IP address
• MAC address
• Device type (DHCP fingerprint)
• DHCP lease (on/off network)
• Host name
[Diagram: FireEye NX Series alerts feed the malicious domains list in Infoblox DDI with DNS Firewall, which sits between the intranet and the Internet]
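Both flows above (DNS Firewall on its own feed, and DNS Firewall fed by FireEye alerts) reduce to the same three steps: match the queried name against a list of malicious domains, block and log the attempt, then tie the client IP back to a device using DHCP data. The following added example (not Infoblox code, not part of the original deck) implements that chain in plain Python. The blocklist entries, the DHCP lease table, the syslog line format and every name in it are constructed for illustration; a real DNS firewall also supports richer policy actions (NXDOMAIN, redirect to a walled garden, pass-through logging) than the single block/allow decision shown here.

```python
"""DNS Firewall style policy check with DHCP lease enrichment. Added example, not
Infoblox code: the blocklist, lease table, log format and all names are assumptions."""
from datetime import datetime, timezone


def _t(s):
    """Parse an ISO-8601 UTC timestamp such as 2014-03-12T10:15:01Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed blocklist standing in for the threat feed; hypothetical names.
BLOCKED_DOMAINS = {"c2.example-bad.test", "evil.example.test"}

# Constructed DHCP lease history. The same IP is handed to two devices in turn,
# which is why the lease active at query time, not the current one, is needed.
LEASES = [
    {"ip": "10.1.2.50", "mac": "00:11:22:33:44:55", "host": "LAPTOP-7Q",
     "fingerprint": "Windows 7", "start": _t("2014-03-12T08:00:00Z"),
     "end": _t("2014-03-12T09:30:00Z")},
    {"ip": "10.1.2.50", "mac": "66:77:88:99:aa:bb", "host": "android-3f",
     "fingerprint": "Android", "start": _t("2014-03-12T09:45:00Z"),
     "end": _t("2014-03-12T17:45:00Z")},
]


def policy_hit(qname, blocklist=BLOCKED_DOMAINS):
    """Return the blocklist entry covering qname, or None.
    Walks from the full name up through its parents so every subdomain of a
    listed domain is caught; the parent of a listed name is not blocked."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def pinpoint(ip, at, leases=LEASES):
    """Lease that covered ip at time `at`, taken from lease history rather than
    the current lease, so the device is identified even after the IP moved on."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= at <= lease["end"]:
            return lease
    return None


def handle_query(client_ip, qname, ts):
    """Return (action, syslog_line). Allowed queries produce no log line; blocked
    ones carry the DHCP context the Pinpoint step needs."""
    hit = policy_hit(qname)
    if hit is None:
        return "allow", None
    lease = pinpoint(client_ip, _t(ts)) or {}
    line = (f"{ts} dns-firewall action=block client={client_ip} qname={qname} "
            f"hit={hit} mac={lease.get('mac', '-')} host={lease.get('host', '-')} "
            f"fingerprint={lease.get('fingerprint', '-')}")
    return "block", line


if __name__ == "__main__":
    for ip, name, ts in [("10.1.2.50", "www.c2.example-bad.test", "2014-03-12T10:15:01Z"),
                         ("10.1.2.50", "www.example.com", "2014-03-12T10:15:02Z")]:
        print(handle_query(ip, name, ts))
```

Two details carry the practical weight. The parent-label walk means c2.example-bad.test on the list also blocks anything beneath it, while example-bad.test itself stays reachable, so feed entries should be as specific as the intelligence allows. And the lookup is against lease history keyed on the query time, because by the time an analyst reads the syslog line the address may belong to a different device; the example logs a dash when no lease covers the time, which is itself worth investigating (static address or a device outside DHCP).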
Fast flux: Rapidly changing domains & IP addresses used by malicious domains to obfuscate identity and location
APT / malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
DNS hacking: Hacking DNS registries & redirecting users to malicious domain(s)
Geo-blocking: Blocking access to geographies that have high rates of malicious domains or are subject to US Government economic sanctions
DNS is the cornerstone of the Internet
Unprotected DNS infrastructure
introduces security risks
Secure DNS Solution protects critical DNS
services
Infoblox Advanced DNS Protection
Defend Against DNS Attacks
Infoblox DNS Firewall
Prevents Malware/APT from Using DNS
Hardened Appliance & OS
Secure the DNS Platform
Thank you!
For more information
www.infoblox.com
Why Scalar for Security?
The Issues
Integration of Security
Technologies
Staffing
Vulnerabilities
Advanced threats
The Issues
Integration of Security
Technologies is Challenging
– Multiple formats of data
– Data timing issues
– Different types of security
controls
– Other data types
The Issues
InfoSecurity Staff
– Different skills requirements
  – Architects
  – Malware handling
  – Forensics
  – Vulnerability
  – Incident management
  – Risk and compliance
– HR costs
  – Premium technical personnel
  – Analysts, specialists
  – Training and certification
The Issues
Vulnerabilities
– Regular scheduled
disclosures
– Large volumes of ad-hoc
patches
– Many undisclosed zero days
– Remediation is a continuous
process
The Issues
Advanced Threats
– Advanced Persistent Threats
– Embedded threats
Who?
– State sponsored
– Hacktivism
– Hackers
– Organized crime
How to Secure It
State-of-the-art Security
Technologies
Skills on Demand
– Continuous Tuning of Rules
and Filters
– Cyber Intelligence,
Advanced Analytics
– Cyber Incident Response
– Code Review, Vulnerability
and Assessment Testing