Taking Control of the Advanced Threat Problem

Adam Hogan, Security Engineer, Sourcefire (@adamwhogan, [email protected])


Transcript of Taking Control of the Advanced Threat Problem

Page 1

Taking Control of the Advanced Threat Problem
Adam Hogan, Security Engineer, Sourcefire
@adamwhogan
[email protected]

Page 2

Agenda

▸ Frame the Advanced Threat Problem
▸ Define “Next-Gen Security”
▸ Traditional Network-Based Solutions: NG-IPS and NGFW
▸ Endpoint Approach to Advanced Malware (Cloud Supported)

Page 4

Threats are Increasingly Complex

Client-side Attacks

Targeted | Organized | Relentless | Innovative

Advanced Persistent Threats

Malware Droppers

Page 5

2010 Ponemon Institute Study

Published in March 2011. 51 U.S. companies interviewed with breaches that occurred in 2010
▸ 4,200 to 105,000 records stolen
▸ Breach costs ranged from $780,000 to $35.3 million

Report highlights:
▸ Average data breach cost: $7.2 million
▸ Average cost per stolen record: $214
▸ 31% of breaches were criminal attacks
▸ Breaches related to criminal attacks are the most expensive
▸ Customer turnover remains the main driver of data breach costs

Page 6

Professionalization of Hacking

“Once a deviant industry is professionalized, crackdowns merely promote innovation.”

Nils Gilman, 4th European Futurists Conference

“The criminal breaks the monotony and humdrum security of bourgeois life, he thereby insures it against stagnation, and he arouses that excitement and restlessness without which even the spur of competition would be blunted”

Karl Marx

Page 7

A Closer Look

Page 8

Hacktivism

Page 9

Targeted Attacks

Page 10

Threats Change — Traditional Security Products Do Not

Static | Inflexible | Closed/Blind | Labor Intensive

“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.”

- Neil MacDonald, VP & Gartner Fellow

Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010

Page 11

Next Gen Security is…

…a continuous process to respond to continuous change.

Agile Security

Page 12

You Can’t Protect What You Can’t See
▸ Breadth: who, what, where, when
▸ Depth: as much detail as you need
▸ Real-time data
▸ See everything in one place

“Seeing” provides information superiority

Agile Security (figure labels): OS, Users, Devices, Threats, Applications, Files, Vulnerabilities, Network

Page 13

Block, alert, log, modify, quarantine, remediate

Respond via automation

Reduce the ‘noise’

Automatically optimize defenses

Lock down your network to policy

Leverage open architecture

Configure custom fit security

Gain insight into the reality of your IT and security posture

Get smarter by applying intelligence

Correlate, prioritize, decide

Key: intelligence & automation

Page 14

Security Before, During & After the Attack

Before: Policy & Control
▸ Discover environment
▸ Implement access policy
▸ Harden assets

During: Identification & Block
▸ Detect
▸ Prevent

After: Analysis & Remediation
▸ Determine Scope
▸ Contain
▸ Remediate

What is needed is a new approach to protect your organization

Page 15

What Can You Do?

Assess your vendors by assuming you will be hacked
▸ p.s., you will be (have been).

Your security tools are tools.
▸ Forget about set-and-forget tech and think about how each process, program or product helps your analysts keep you safe.

Page 16

Exploring Detection

There are some really useful rules not on by default
▸ INDICATOR-OBFUSCATION
▸ Javascript obfuscation: fromCharCode, non-alphanumeric
▸ Hidden iFrames
▸ Excessive queries for .cn/.ru
▸ HTTP POST to a JPG/GIF/PNG/BMP?

Page 17

Java 0-Day

SIDs 25301, 25302. Largely used by exploit kits (Blackhole, Cool Kit, Nuclear, Redkit) - covered
▸ Why is java.exe downloading calc.exe?

Page 18

BTW, User Agents are telling

No, really:
▸ User-Agent: Malware
▸ (RFC 3514 anybody?)

Unless your proxy rewrites them all...

Page 19

What can we do? Communication

Watch hackers. Many aren’t that sneaky. (L|H)OIC source code is public, for crying out loud.
▸ LOIC packet contains: “U dun goofed”
▸ HOIC botched protocol, used two spaces where one is allowed.

They recruit! Publicly. Get on twitter. Watch pastebin.org. Scrape it. Use google alerts if you can’t script.
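The detection indicators named on the Exploring Detection, User Agents and Communication slides, as an added Python example (not Sourcefire's rules or any code from the deck) that runs the checks over constructed, tab-separated proxy-log lines; the log format, the indicator names and the .cn/.ru alert threshold are assumptions made for this example.

```python
"""Heuristic checks from the slides, run over constructed proxy-log lines.
Log format (src, method, url, user_agent, payload; tab-separated) and the
.cn/.ru threshold are assumptions made for this example."""
from collections import Counter
from urllib.parse import urlparse

IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")
SUSPECT_TLDS = (".cn", ".ru")
LOIC_MARKER = "U dun goofed"   # string the slides note in LOIC packets
CN_RU_THRESHOLD = 3            # lookups per source before alerting (assumed)

# Constructed sample log: src  method  url  user-agent  payload
SAMPLE_LOG = [
    "10.0.0.5\tGET\thttp://www.example.com/index.html\tMozilla/5.0\t",
    "10.0.0.5\tPOST\thttp://img.example.net/up/photo.jpg?x=1\tMozilla/5.0\tblob",
    "10.0.0.7\tGET\thttp://update.example.org/\tMalware\t",
    "10.0.0.9\tGET\thttp://a.example.cn/\tMozilla/5.0\t",
    "10.0.0.9\tGET\thttp://b.example.ru:8080/\tMozilla/5.0\t",
    "10.0.0.9\tGET\thttp://c.example.cn/x\tMozilla/5.0\t",
    "10.0.0.11\tPOST\thttp://www.example.com/\tMozilla/5.0\tU dun goofed",
]

def parse_line(line):
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        return None                      # malformed line: skip, don't crash
    src, method, url, ua, payload = parts
    return {"src": src, "method": method.upper(), "url": url,
            "ua": ua.strip(), "payload": payload}

def detect(lines):
    """Return (src, indicator) pairs in the order they fire."""
    hits, tld_counts = [], Counter()
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        u = urlparse(r["url"])
        host, path = (u.hostname or "").lower(), u.path.lower()
        if r["ua"].lower() == "malware":               # self-labelled client
            hits.append((r["src"], "user-agent-malware"))
        if r["method"] == "POST" and path.endswith(IMAGE_EXTS):
            hits.append((r["src"], "post-to-image"))   # data sent to an "image"
        if LOIC_MARKER in r["payload"]:
            hits.append((r["src"], "loic-payload"))
        if host.endswith(SUSPECT_TLDS):
            tld_counts[r["src"]] += 1
            if tld_counts[r["src"]] == CN_RU_THRESHOLD:  # alert once per source
                hits.append((r["src"], "excessive-cn-ru"))
    return hits
```

Running `detect(SAMPLE_LOG)` flags one hit per indicator; the .cn/.ru check only fires once a single source crosses the threshold, so a lone lookup stays quiet.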

Page 20

What Can You Do?

Hire analysts
▸ It’s going to cost you.
▸ And if they aren’t trained they depreciate.

Page 21

Example: “Agile Security” Fuels Automation in an IDS/IPS

IT Insight: Spot rogue hosts, anomalies, policy violations, and more

Impact Assessment: Threat correlation reduces actionable events by up to 99%

Automated Tuning: Adjust IPS policies automatically based on network change

User Identification: Associate users with security and compliance events

Page 22

Reduce Risk with: Application Control – on the IPS!

Control access to Web-enabled apps and devices

▸ “Employees may view Facebook, but only Marketing may post to it”

▸ “No one may use peer-to-peer file sharing apps”

Over 1,000 apps, devices, and more!

Page 23

Reduce Risk with: IP Reputation

Block and Alert on:
▸ Botnet C&C Traffic
▸ Known Attackers
▸ Malware, Phishing, and Spam Sources
▸ Open Proxies and Relays

Create Your Own Lists
Download from Sourcefire or Third Parties

Page 24

So, what is the difference between NG-IPS and NGFW?

Page 25

Gartner Defines NGIPS & NGFW

Next-Gen IPS (NGIPS)
▸ Standard first-gen IPS
▸ Application awareness and full-stack visibility
▸ Context awareness
▸ Content awareness
▸ Agile engine

Next-Gen Firewall (NGFW)
▸ Standard first-gen firewall
▸ Application awareness and full-stack visibility
▸ Integrated network IPS
▸ Extrafirewall intelligence

Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011. “Defining the Next-Generation Firewall,” Gartner, October 12, 2009

“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.“

Page 26

Next-Generation IPS Comparison

Page 27

What is a Next-Generation Firewall?

Stateful First-Generation Firewall
▸ Stateful protocol inspection
▸ Switching, routing and NAT

Integrated Network Intrusion Prevention
▸ Not merely “co-located”
▸ Includes vulnerability- and threat-facing signatures

Application Awareness with Full-Stack Visibility
▸ Example: Allow Skype, but disable Skype file sharing
▸ Make Facebook “read-only”

Extrafirewall Intelligence
▸ User directory integration
▸ Automated threat prevention policy updates

Page 28

Gartner on Next-Generation IPS

“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”

Available now on Sourcefire.com

Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011

✔ Application awareness
✔ Contextual awareness
✔ Content awareness
✔ Agile engine

Page 29

Ponemon NGFW Survey Highlights

Survey conducted in October 2011; 2,561 responses

Key Results:
▸ Most NGFWs augment (not replace) existing firewalls
▸ IPS component rated “most important” for securing data

Page 30

What about an Endpoint Approach to the Advanced Threat Problem?

Page 31

Threats Continue to Evolve

“Nearly 60% of respondents were at least ‘fairly certain’ their company had been a target.” – Network World (11/2011)

The likelihood that you will be attacked by advanced malware has never been greater.

75% of attacks are seen on only one computer

Page 32

Cost of Advanced Malware

Page 33

Solve the Problem at the Endpoint

Action at point of entry
▸ Best place to stop client-side attacks is on the client

Awareness at source
▸ Focus where files are executed
▸ Do not miss threats due to encryption

Secure Endpoints - Wherever They Are.

Page 34

What is needed to fight advanced malware at the Endpoint?

Clients need better visibility to detect and assess advanced malware. Visibility answers questions like:
▸ Do we have an advanced malware problem?
▸ Which endpoint was infected first?
▸ How extensive is the outbreak?
▸ What does the malware do?

Clients also need help regaining control after the inevitable attack. Control answers questions like:
▸ What is needed to recover?
▸ How can we stop other attacks?

Page 35

Cloud-Based Advanced Malware Protection – Sample Architecture

Lightweight Agent
• Watches for move/copy/execute
• Traps fingerprint & attributes

Web-based Manager

Cloud Analytics & Processing
• Transaction Processing
• Analytics
• Intelligence

Page 36

Agile Security for Advanced Malware – Endpoint Benefits

SEE
▸ Advanced malware at the source
▸ Patient 0 + propagation paths
▸ APT reporting

LEARN
▸ Real-time root cause analysis of threats
▸ Collective immunity & comparative reporting
▸ Data mining & machine learning

ADAPT
▸ Custom detections/signatures
▸ Application control
▸ Whitelisting

ACT
▸ Immediate & retrospective remediation
▸ Action at the point of entry
▸ Continuous scans in cloud

Page 37

Regain Control of Your Environment

Outbreak control
▸ Custom Signatures for immediate response
▸ Whitelisting
▸ Application Control

Immediate & retrospective remediation
▸ Automatic remediation of damaged endpoints with Cloud Recall
▸ Collective Immunity

Arm YOU to fight advanced malware

Page 38

Thank You.