Know More About Threats, Risks and Regulations Ken Pappas CEO True North Security Prepared for:

Page 1:

Know More About Threats, Risks and Regulations

Ken Pappas, CEO

True North Security

Prepared for:

Page 2:

Professional Career

Personal

Ken Pappas BIO

• Founder and CEO of True North Security
• VP Marketing and Security Strategist at Top Layer Security
• Security Strategist at TippingPoint
• Director of Product Management at 3Com
  • Acquired TippingPoint “IPS technology”
• General Manager Security Division Enterasys Networks
  • Acquired Security Wizards “Dragon IDS technology”
  • Acquired Indus River “Remote VPN technology”

• Security Clearance, Department Of Homeland Security
• Computer Forensics
• CISM
• InfraGard, Boston Chapter sponsored by the FBI and DHS
• Appearance in Wall Street Journal, Fortune, etc.
• BLOG> http://secsystems.wordpress.com
• Twitter> TruNorthSec

Page 3:

Agenda

Today’s Reality

Future Threats & Challenges

About Sourcefire

About True North Security

Page 4:

Today’s Reality

Page 5:

Security Highlights

• Over 285 million records stolen in 2008 vs. 230 million between the years 2004 – 2007 with Education being the highest.

• WHY?

• Who do you think will be #1 in the next two years?

• 31% more bot-infected computers per day in 2008 vs 2007

• 90% of breaches from organized crime targeting corporate information

• Cyber crime cost companies more than $650 million worldwide

• Majority of breaches caused by insider negligence

• Users blurring their social life, personal life and work life with regards to Internet Usage

www.idtheftcenter.org

Page 6:

Recent Scams

Haiti Relief email

IRS Form W2 Spoof contains malware

Mortgage Fraud

Pop up Anti-Virus Advertisement contains virus

H1N1 email alert contains malware

FDIC email stating bank merger or that your bank is a failed bank. Click here? Get a surprise

2010 Census by email. SURPRISE: the Census Bureau does not use email

Page 7:

[Figure: Attack Sophistication vs. Intruder Knowledge, 1980 to 2000+, both scaled Low to High. Techniques plotted: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged, auto coordinated. Source: Carnegie Mellon University]

Motivation

Page 8:

Recession

Social Media Sites

Younger/Older generation using computers

Availability of Sophisticated tools

Trickery & Foolery

What’s Causing Rise In Cyber Crime

Page 9:

Increase in specialized threats

Toolkits used to create virus attacks, making specialization of participants a lucrative shadow economy.

Sophistication of high end threats is evolving rapidly

Targeted threats attack specific companies, persons and systems.

Blended threats becoming more common

Carefully targeted attack may go unnoticed for an undetermined amount of time.

“Zero Hour” Threats Rising

Page 10:

Harnessing The Power of Botnets

Source: Symantec

Page 11:

Industrial Espionage Targeted Attacks

Source: MessageLabs Intelligence

60% of recipients were of a high or medium-level ranking

• 42% of recipients of targeted attacks were sent to high ranking individuals
• 18% of recipients were of medium-level seniority
• 5% of recipients were of a lower-ranking security
• 19% of targeted attacks were directed at general mailboxes such as “info@”

Individually Targeted Attacks Blocked Per Day (Average)

Source: Symantec

Page 12:

Targeted Trojans

Targeted trojans are specialized pieces of malware written to extract high value information from known subjects.

Source: http://www.nypost.com/p/news/business/hackers_targeting_UquyMBhuVAyl6wAn413lGJ

Page 13:

Targeted Trojans

Source: MessageLabs Intelligence

Frequency:

• 2005: 2 per week
• 2006: 1 per day (avg)
• 2007: 10 per day (avg)
• 2008: 50 per day (avg)
• 2009: 60 per day (avg)
• Recent peaks: 357 per day

Payload:

Source: Symantec

Page 14:

Website Security Trends

Source: MessageLabs Intelligence

New sites with malware in 2009: 2,465/day

Unique domains hosting malware: 30,000

Source: Symantec

Page 15:

Web 2.0

Page 16:

Multitude of Threat Vectors

Social Media
• Facebook, MySpace, LinkedIn

Rogue 3rd Party Apps

Tiny URL’s

Translations

RogueWare

Page 17:

No Industry Is Being Left Behind

• Financial
  • Heartland
• Retail
  • Hannaford's
• Education
  • Harvard University
  • Oklahoma State University
• Medical
  • Department of Veterans
  • Cedars-Sinai Medical Center
• Government
  • North Korea Attacks American Networks
  • China hacking into NASA
  • Israel Attacking Iran

The cyber warfare HAS begun!

Page 18:

Space Programs

USA RUSSIA

Page 19:

Easy Availability of Exploit Tools

Page 20:

Multitude of Regulations

• PCI (Payment Card Industry)

• GLBA (Gramm-Leach Bliley Act)

• HIPAA (Health Insurance Portability and Accountability Act)

• FISMA (Federal Information Security Management Act)

• HITECH

• MA 201 CMR 17

• NERC

Page 21:

Perimeter Protection Is Not Enough

Communications between machines inside the corporate LAN and between choke-points are not filtered or protected by a perimeter firewall in front of each machine.

Servers in the DMZ, Kiosks, workstations used by temporary employees, and other “hot spots”

• Mobile users are becoming the back door to the house
• Telecommuters are becoming more popular, more risks being brought inside

Page 22:

FTP-21

HTTP-80

Sub 7-6776

Quake-26000

SMTP-25

From: 66.121.11.7

To: 115.13.73.1

Historical Firewall Configuration

Page 23:

HTTP-80

FTP-21

SMTP-25

BackOrifice-31337

Today’s Firewall Configurations

Page 24:

The Complacency of Fools Will Destroy Us

Future Threats & Challenges

Page 25:

IT resources and services that are abstracted from the underlying infrastructure and provided “On-Demand” and “At Scale” in a multi-tenant environment

CLOUD COMPUTING

Next Inflection Point

Page 26:

Where does your data go when the cloud blows away?

When data is breached, who will be at fault?

Waiting for first court battle

Looks like, feels like SNA?

Make sure you have a solid SLA!

Clouds Blow Away

Page 27:

Next Generation Threats

Next Generation Threats Will Use Stealth Methods vs. Today’s Threats
• User Error will be the way of malware
• Information Leakage due to negligence and theft
• Domestic and International Terrorist stealing company technology and secrets

New Methods Will Evolve to Adapt to User Behavior
• Tempt-to-Click Email
• Tempt-to-Click IM
• False pop-ups

New Computing Environments and Applications will be targets
• VoIP
• Cloud Computing
• SaaS (Software as a Service)
• Social Media

Protection Will Require Education And Technology

Page 28:

Protect Dysfunctional Users Against Themselves

How Do We Best Protect Ourselves and Our Data

Page 29:

What Companies Are Thinking About

Virtualizing

Security

Securing

Virtualization

Page 30:

SANS Recommends - Deploy IPS

Page 31:

Strategies To Defeat Threats

Anti-Virus Updates

Deploy an IPS Today!
• IPS Filters Turned on and Updated

Encrypt Hard Drive Data

Operating System Security Updates

Educate Users

Institute Company Wide Security Policy

Implement Defense In Depth
• IPS, Anti-Virus, Encryption, Multiple Passwords, Other

There is no silver bullet

Page 32:

About Sourcefire

Stop Threats and Start Partying!

Page 33:

About Sourcefire

Founded in 2001 by Snort Creator, Martin Roesch, CTO

Headquarters: Columbia, MD

Fastest-growing IPS vendor

Global Security Alliance partner network

NASDAQ: FIRE

Open Source Community

+Sourcefire Development

Best of Both Worlds

Mission:

To deliver intelligent security infrastructure for the most efficient, effective risk management.

Page 34:

Powered by Snort

• 270,000 Users
• 3.7 Million Downloads
• 80% of Fortune 500
• 40% of Global 2000
• 100+ Snort Integrators
• 9,000+ Snort Rules
• World’s Largest Threat Response Community

Most Widely Used IPS Engine Worldwide

Page 35:

Problems With a Traditional IPS

Traditional IPS

• Closed Architecture
• Exploit-Based
• None or Limited
• Manual Operation

Architecture

Operation

Intelligence

Accuracy

Page 36:

A New Approach

Traditional IPS

• Closed Architecture
• Exploit-Based
• None or Limited
• Manual Operation

Architecture

Operation

Intelligence

Accuracy

Sourcefire IPS

• Open Rules & IPS Engine
• Vulnerability-Based
• Real-time, All-the-time
• Highly Automated

Page 37:

Backed by Sourcefire Vulnerability Research Team VRT

Comprehensive Protection

Private & Public Threat Feeds

Snort Community Insight

300 New Threats per Month

20,000 Malware Samples per Day

VRT Research & Analysis

VRT LAB

>150 million performance & regression tests

1000s of software packages

100s of hardware platforms

Advanced Microsoft Disclosure

Unrivalled Protection Against Advanced Persistent Threats

Page 38:

Best-in-Class Detection

• Based on Snort, the de facto IPS standard
• Vulnerability-based, zero-day protection
• Open architecture
• Flexible custom rules
• Ranked #1 in detection by NSS Labs*

* “Network Intrusion Prevention Systems Comparative Test Results,” December 2009. Comparison using a tuned policy.

Page 39:

NSS Labs Group IPS Test

Block Rate Comparison

Source: Graphic used with permission by NSS Labs. “Network Intrusion Prevention Systems Comparative Test Results,” December 2009.

Page 40:

Sourcefire Appliance Product Lines

Sourcefire Defense Center®

Sourcefire 3D®

Sensor

DC1000

DC3000

PERFORMANCE

DC500

3D500 5 Mbps

3D1000 45 Mbps

3D2000 100 Mbps

3D2100 250 Mbps

3D2500 500 Mbps

3D3500 1 Gbps

3D6500 4 Gbps

3D4500 2 Gbps

3D9900 10 Gbps

VMware Virtual Appliances
• Virtual Defense Center™
• Virtual 3D Sensor™

Page 41:

Why Sourcefire?

• Powered by Snort
• Driven by Intelligence
• Best-in-Class Detection
• Open Architecture
• Highly Automated

Stop Doing Things the “Old” Way!

Leverage the Only “Intelligent” IPS.

Page 42:

True North Security

Vulnerability Audits

Create / Enhance Security Policies

Network & Data Protection Solutions

Security Awareness Training

PCI Compliance

Video Monitoring and Surveillance Solutions

[email protected]

978.846.1175

Page 43:

Summary

• Cyber security attacks are common and costly
• Attackers are sophisticated, well-financed and highly motivated
• You have limited IT resources
• Traditional security products can’t keep up

“Not knowing what’s on your network is going to continue to be the biggest problem for most security practitioners.”

Marcus Ranum, CSO Magazine

Page 44:

Thank You

Ken Pappas, CEO

True North Security

Prepared for:

[email protected]