Post on 24-Aug-2020
transcript
Malware vs. web protection
Warszawa, 21 June 2017
Sebastian Nowicki
Secure Web Gateway
LIST (WEB)
Copyright © 2016 Symantec Corporation3
Need: “I need a point of control over web and cloud access while satisfying the policy and governance requirements from SecOps and Info Risk / Compliance.”
Challenges: We need to connect to the web, but we need a fairly advanced set of policy controls and intelligence to do that safely.
Product: SWG (ProxySG, SWG, ASG, Web Security Service)
Capabilities: Terminate, emulate, decrypt, enforce policy, inspect content, orchestrate files
Proxy-based Secure Web Gateway
Blue Coat Proxy-based Secure Web Gateway (SWG): Critical Network Control Point for Security and Compliance
• Appliance (ProxySG)
• Virtual Appliance (vSWG)
• Web Security Service (WSS)
• Web Access Governance & Threat Protection
• File Extraction & Orchestration Services (ATP, DLP)
• Powerful, Open Policy Platform: In Cloud, On Prem, Virtual, AWS
• Plus Blue Coat Intelligence Services (BCIS) or Blue Coat Web Filter (BCWF) subscriptions
Proxy All Endpoints: Architecture for Content Extraction and Device Emulation
1. Authenticate Users: integrate identity management
2. Terminate & Emulate: secure all endpoint types
3. Decrypt Selectively: privacy compliance
4. Extract Content: enable ATP, DLP, forensics
Authentication realms supported by the proxy: SSL Auth, Windows SSO, Radius, IWA, SAML, LDAP, Kerberos, AD, Novell SSO, Oracle CoreID, CA SiteMinder, Cert Realm Auth, Local Realm Auth
Content extraction: the Stream Proxy hands files (e.g. .EXE) to analysis over ICAP / s-ICAP
Policy Select (decryption decision): High Risk, Suspicious and Unsanctioned traffic is decrypted; Low Risk, Healthcare and Sanctioned traffic bypasses decryption
Secure web gateway: data & workflow (diagram)
Elements shown: Global Intelligence Network; user request; ProxySG (SSL, Auth DB, Reporter) as the SWG core; Internet; Content Analysis System; Malware Analysis; DLP; Security Analytics Platform; integration interfaces ICAP and E-Tap.
Last Updated: 20.12.2013
Secure web gateway: functions
Connectivity: Proxy Forwarding; Transparent (Inline, WCCP, Load-balanced); Explicit Proxy / PAC / WPAD
Platform: Cloud, Virtual Appliance, Appliance, Hybrid
Policy / Enablement: SSL Inspection, Authentication, Authorization, Logging, Categorization, Anti-malware, App & Operation Controls, DLP, IDS, White & Blacklisting, Sandboxing, GEO Location
Services: ICAP & E-Tap Integration, Object Caching, Global Intelligence Network, Security Analytics Platform
Management: Local or Central; Reporting: On-Premise, Cloud or Unified; Unified Policy; Appliance Monitoring
Secure web gateway: topology (diagram)
Elements shown: users behind a switch; ProxySG as forward proxy between the firewall and the Internet; ProxySG as reverse proxy; Content Analysis and Malware Analysis; user directory; central management and admin; Global Intelligence Network; Cloud Security Service serving a remote office that goes direct to the Net and a remote user; a further ProxySG at a site connected over MPLS.
Prevent Threats & Orchestrate Content: Proxy Architecture Compared to Next Gen Firewall
Next Gen Firewall (with sandbox): malicious payload delivered to end user
Proxy (with sandbox): malicious payload detected by content analysis, blocked from delivery
Use Proxy to Build a Better Sandbox: Improve detection, reduce sandbox capacity requirements
Leverage proxy to feed the sandbox
• Decrypt SSL, ICAP documents to CAS
• Block web-based threats, C&C traffic
• High availability, inline, active blocking
• Enables centralized sandboxing
Pre-filter sandbox with content analysis
• Analyzes content before delivery to sandbox via SSL Tunnel (ICAP also available)
• Applies multiple AV engines, white list
• File code analysis with machine learning finds 0-day threats
(Diagram: ProxySG passes files such as .JAR and .EXE to Content Analysis.)
Content Analysis (CAS)
Multiple Engines Identify & Prevent Entry of Basic & Advanced Malware
• Hash Reputation: custom user whitelist/blacklist, file reputation
• Dual AV: signatures evaluated for known bad
• Predictive File Analysis: analyzes code for malicious character
• Passes acceptable files to user; brokers the rest to the sandbox
(Diagram: files such as .JAR and .EXE arrive from the proxy over ICAP; the sandbox is reached over an API.)
Content Inspection & Orchestration
Drastically Reduced Incident Response Queue (Customer Results)
Pipeline stages: Web Threats (URL Category & Risk Score) > White List / Hash Reputation > Dual AV / Malware Signature > File Analysis / Malicious Character > Behavioral Analysis / Sandbox > Incident Response
Volumes: 63M web requests; 12M files scanned; 18K files “detonated” (emulation); 3 alerts needing response
CAS Enables Better Sandbox Architecture
• 4x Better Detection
• Prevent delivery, dramatically reduce IR queues
• Reduce sandbox capacity requirements by 75%
Increases Protection, Decreases Alarms
Content Analysis + sandbox: 96.96% detected, 4599 files blocked (logged, not alarmed)
Comparison figure shown beside it: 24.22% detected, 1099 alarms
Content Analysis: Dramatically Reduce Costs
50% Reduced Sandbox Cost
• Reduce sandbox capacity 75%
• Dramatically fewer samples to process
• Centralized architecture “pools” sandbox
• Lower capital acquisition costs
90% Savings on Incident Response Costs
• 90%+ reduction in alerts
• More efficient use of staff time
Take Branches “Direct to Net”
Need: We need to re-architect our backhauled WAN so that remote sites have safe, direct internet access.
Challenges: Backhauled WAN architectures increase costs and decrease performance for cloud apps.
Product: Web Security Service (WSS)
Capabilities: Cloud-delivered proxy protection for any device, including authentication, access control and logging, and threat protection
Backhaul Network Architecture: Branch Connects to Internet Via Main Data Center
(Diagram: Branch Office > Main Data Center > Consumer Internet / Shadow Cloud IT)
Congested: recreational traffic mixes with critical enterprise apps
Expensive: MPLS links, pay for bandwidth multiple times
Poor Cloud App Performance: multiple hops, congested
Take Remote Sites Safely “Direct to Net”: Symantec Web Security Service
(Diagram: Branch Office > cloud Proxy > Consumer Internet / Shadow Cloud IT)
Better Performance for Cloud Apps
• Fewer hops for app access
• Less congested links
Lower Network Service Costs
• Lower cost Internet services
• Unburden MPLS links
Cloud-Delivered Threat Protection & Governance
• Same advanced technology
• Universal policy and reporting
Web Security Service with Malware Analysis Service Add-On
Web Security Service (WSS)
• ProxySG Secure Web Gateway
• Dual Anti-Virus Scanning
• Global Intelligence Network
• URL Filtering and Categorization
• Comprehensive Reporting
• SSL Interception / Policy-Based Decryption
• CASB Audit Integration
Malware Analysis Service (MAS)
• Static Code Analysis
• YARA Rules Analysis
• Behavioral Analysis
• Emulation of Windows Processes
• Inline, Real-Time Blocking
• File and URL Reputation
MAS prevents first-client infection from unknown malware
Copyright © Clearswift 2017 www.clearswift.com
Adaptive Web Security
SECURE Web Gateway / SECURE ICAP Gateway, Gateway 4.6.1
Delivery Methods and Evasiveness
• Delivery methods constantly evolving
• Ransomware designed to bypass traditional anti-virus and sandboxing technologies
(Diagram: Ransomware Payload (Malicious Scripts, Macros, PowerShell) and Evasion, delivered via Weaponized Emails, Spoofed Websites & Drive-by Downloads, and Malicious Cloud Files)
Clearswift Adaptive Web Security Family
• SECURE Web Gateway
– Full proxy solution
– HTTPS Inspection
– Adaptive Redaction
– Mobile Remote Users
• SECURE ICAP Gateway
– Integrates with third parties through ICAP
– Adaptive Redaction and Antivirus options
Clearswift SECURE ICAP Gateway
• The SECURE ICAP Gateway complements third-party proxy solutions, controlling web traffic to enforce corporate security policy without impacting business processes
• Provides protection for corporate browsing traffic as well as for corporate web servers
(Diagram: Internal Users and External Users reach External Web Servers and Corporate Web Servers through a proxy that calls the SECURE ICAP Gateway over ICAP)
Clearswift SECURE Web Gateway
Content Aware Policy Controls
• File signature
• Filename
• Lexical analysis
• Pattern match
• Encrypted data
• Granular policies
Deep Content Inspection
• Adaptive Redaction
• Document Sanitization
• HTTPS inspection
• File type controls
• Keyword search
• PCI/PII Templates
• Headers, footers and properties
Advanced Threat Prevention
• Dual Anti-Virus engine
• APT & zero-day protection
• Structural Sanitization
• Active Content stripping
• Accurate malware and phishing URL database
• Over 100 URL categories using machine learning categorization
Compliance Regulations
• GDPR
• IBAN
• HIPAA
• Credit Card
• National Insurance number
• Social Security number
• Custom regulations
Modifying Content to Reduce Disruption to Business: Adaptive Data Loss Prevention
Data Redaction: overwrites critical information (CONFIDENTIAL becomes *********) to prevent a breach; the communication is not blocked
Document Sanitization: strips out hidden information and metadata (e.g. change tracking, properties, comments, etc.)
Structural Sanitization: removes active content (e.g. scripts, code, etc.); information is left intact in the original file format
Encryption: secures data in transit; automated to avoid delays and mistakes
Structural Sanitization: formats and exploitable items
(y = item applies to the format, n/a = not applicable)

Format             VBA Macro  JavaScript  VBScript  ActiveX  OO Basic  Python  Beanshell
DocX               y          n/a         y         y        n/a       n/a     n/a
PptX               y          n/a         y         y        n/a       n/a     n/a
XlsX               y          n/a         y         y        n/a       n/a     n/a
HTML               n/a        y           n/a       y        n/a       n/a     n/a
RTF encoded HTML   n/a        y           n/a       y        n/a       n/a     n/a
PDF                n/a        y           n/a       n/a      n/a       n/a     n/a
RTF                n/a        n/a         n/a       y        n/a       n/a     n/a
Calc               n/a        y           n/a       n/a      y         y       y
Draw               n/a        y           n/a       n/a      y         y       y
Impress            n/a        y           n/a       n/a      y         y       y
Writer             n/a        y           n/a       n/a      y         y       y
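As an added illustration (not Clearswift's code) of the structural sanitization the table describes for the OOXML row (DocX/PptX/XlsX with VBA macros), the Python below strips the VBA project parts from a package together with the relationship and content-type entries that reference them, leaving the document content intact in its original format. The input it sanitizes is a constructed, minimal macro-enabled Word package built in memory; ActiveX controls, PDF JavaScript and the other formats in the table are outside its scope.

```python
import io
import re
import zipfile

MACRO_PART = re.compile(r"(^|/)vbaProject(Signature)?\.bin$")      # VBA storage parts
VBA_REL = re.compile(rb"<Relationship[^>]*vbaProject[^>]*/>")       # rels pointing at them
VBA_CTYPE = re.compile(rb"<(Default|Override)[^>]*vbaProject[^>]*/>")  # content-type entries
MACRO_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_sample_docm():
    """Constructed input: a minimal macro-enabled Word package, not a real file."""
    doc = (b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           b'<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>')
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            b'<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            b'</Relationships>')
    ctypes = (b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              b'<Default Extension="xml" ContentType="application/xml"/>'
              b'<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
              b'<Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN + b'"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake VBA project storage")
    return buf.getvalue()

def parts(package):
    """Return {part name: bytes} for every part in an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {n: z.read(n) for n in z.namelist()}

def sanitize_ooxml(package):
    """Drop VBA parts plus the entries referencing them and downgrade the macro-enabled
    main part; document content is untouched. Returns (sanitized bytes, removed names)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name, data in parts(package).items():
            if MACRO_PART.search(name):
                removed.append(name)           # active content: not copied over
                continue
            if name.endswith(".rels"):
                data = VBA_REL.sub(b"", data)  # no dangling relationship left behind
            elif name == "[Content_Types].xml":
                data = VBA_CTYPE.sub(b"", data).replace(MACRO_MAIN, PLAIN_MAIN)
            dst.writestr(name, data)
    return out.getvalue(), removed
```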
Thank you