Calgary security road show master deck final

Date posted: 15-Jan-2015
Uploaded by: scalar-decisions

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience

Transcript

Security Road Show - Calgary


9:00am – 9:15am Welcome

9:15am – 9:45am Palo Alto Networks: You can’t control what you can’t see!

9:45am – 10:15am F5: Protect your web applications

10:15am – 10:30am Break

10:30am – 11:00am Splunk: Big data, next generation SIEM

11:00am – 11:30am Infoblox: Are you fully prepared to withstand DNS attacks?

11:30am – 12:00pm Closing remarks, Q&A

12:00pm – 12:30pm Boxed Lunches

Today’s Speakers

– Geoff Shukin – Palo Alto Networks

– Clayton Sopel – F5

– Menno Vanderlist – Splunk

– Ed O’Connell – Infoblox

Background in architecting mission-critical data centre infrastructure

Founded in 2004

$125M in CY13 revenues

25% growth YoY

120 employees

Nationwide presence: Toronto | Vancouver | Ottawa | Calgary | London

Greater than 1:1 technical:sales ratio

The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools

Delivering infrastructure services which support core applications

WHY SCALAR?

Experience | Execution | Innovation

Top technical talent in Canada

– Engineers average 15 years’ experience

We train the trainers

– Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox

Our partners recognize we’re the best

– Brocade Partner of the Year – Innovation

– Cisco Partner of the Year – Data Centre & Virtualization

– VMware Global Emerging Products Partner of the Year

– F5 Canadian Partner of the Year

– Palo Alto Networks Rookie of the Year

– NetApp Partner of the Year – Central

Unique infrastructure solutions designed to meet your needs

– StudioCloud

– HPC & Trading Systems

Testing Centre & Proving Grounds

– Ensuring emerging technologies are hardened, up to the task of Enterprise workloads

Vendor Breadth

– Our coverage spans Enterprise leaders and Emerging technologies for niche workloads & developing markets

“Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”


“We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”


“Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multi-disciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”

PALO ALTO NETWORKS

Palo Alto Networks

Controlling Threats

Geoff Shukin, Senior SE Palo Alto Networks

#netgun

context |ˈkänˌtekst| noun: the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed

context → intelligence → action

Session context example 1 (field: value)

application: slideshare
application function: slideshare-uploading
protocol: SSL, HTTP
destination port: tcp/443
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination country: canada
user: bjacobs
group: prodmgmt
file name: roadmap.pdf
file type: pdf
file size: 344 KB
URL category: file-sharing

Session context example 2 (field: value), same addresses and port, different context

application: web-browsing
protocol: SSL, HTTP
destination port: tcp/443
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination country: china
user: fthomas
group: finance
file name: shipment.exe
file type: exe
file size: 344 KB
URL category: unknown
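The two session records above share every field a port-based firewall can see and differ only in the context fields. The following is an added example, not Palo Alto Networks or Scalar code, of a policy that keys on those context fields. The two records are built from the slide values; the rule set, the per-group country allow-list, the executable and document type sets, and the block/alert actions are assumptions made for illustration.

```python
"""Context-based policy over firewall session records (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    application: str
    app_function: str
    protocols: tuple[str, ...]
    dst_port: str
    src_ip: str
    dst_ip: str
    dst_country: str
    user: str
    group: str
    file_name: str
    file_type: str
    size_kb: int
    url_category: str


# Assumed policy data (not from the slides).
ALLOWED_COUNTRIES = {"prodmgmt": {"canada", "usa"}, "finance": {"canada"}}
EXEC_TYPES = {"exe", "dll", "scr", "msi"}
DOC_TYPES = {"pdf", "docx", "xlsx", "pptx"}


def five_tuple(s: Session) -> tuple:
    """All a port-based firewall sees; identical for both slide sessions."""
    return (s.src_ip, s.dst_ip, s.dst_port, s.protocols)


def evaluate(s: Session) -> list[tuple[str, str]]:
    """Return (rule, action) pairs the session trips; an empty list means allow."""
    findings: list[tuple[str, str]] = []
    if s.file_type in EXEC_TYPES and s.url_category == "unknown":
        # Executable served from a URL with no category: the drive-by/phishing download pattern.
        findings.append(("executable from uncategorised URL", "block"))
    if s.application == "web-browsing" and s.file_type in EXEC_TYPES:
        # App identification fell back to generic web-browsing, so nothing vouches for the app.
        findings.append(("executable over unidentified web-browsing", "block"))
    if s.dst_country not in ALLOWED_COUNTRIES.get(s.group, set()):
        findings.append((f"{s.group} group to {s.dst_country} not permitted", "block"))
    if (s.app_function.endswith("uploading") and s.url_category == "file-sharing"
            and s.file_type in DOC_TYPES):
        # Not malware but a possible data leak: raise for review rather than block outright.
        findings.append((f"{s.file_type} upload to file-sharing by {s.user}", "alert"))
    return findings


def action(s: Session) -> str:
    """Most severe action across the tripped rules."""
    actions = {a for _, a in evaluate(s)}
    return "block" if "block" in actions else "alert" if "alert" in actions else "allow"


# Both records are taken from the slide tables above.
ROADMAP_UPLOAD = Session("slideshare", "slideshare-uploading", ("SSL", "HTTP"), "tcp/443",
                         "172.16.1.10", "64.81.2.23", "canada", "bjacobs", "prodmgmt",
                         "roadmap.pdf", "pdf", 344, "file-sharing")
EXE_DOWNLOAD = Session("web-browsing", "", ("SSL", "HTTP"), "tcp/443",
                       "172.16.1.10", "64.81.2.23", "china", "fthomas", "finance",
                       "shipment.exe", "exe", 344, "unknown")

if __name__ == "__main__":
    for s in (ROADMAP_UPLOAD, EXE_DOWNLOAD):
        print(five_tuple(s), s.file_name, "->", action(s), evaluate(s))
```

Run it and the two sessions print the same five-tuple but different verdicts: the roadmap upload raises a data-handling alert, the executable download trips three block rules. The point is that the decision is made on user, group, application, file and URL category, none of which exist in the five-tuple.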

Campaign example (ZeroAccess): each stage and how it evades traditional controls

1. Exploit kit contact: hides within SSL
2. New domain: no reputation
3. ZeroAccess delivered: payload evades AV
4. C2 established: C2 hides using non-standard ports
5. Secondary payload: no signature for custom malware
6. Spread laterally: hides in plain sight
7. Custom C2 & hacking: payload evades C2 signatures
8. Data stolen: exfiltration via RDP & FTP

Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics

Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures

Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base


All Applications, All Attack Vectors, All Threats

Segmentation

• Isolate critical data, business functions

• Enable applications based on users

• Block known/unknown threats

Gateway

• Visibility into all traffic

• Enable apps to reduce exposure

• Block known/unknown threats

Datacenter

• Validate business applications & users

• Find rogue/misconfigured apps

• High speed threat prevention


Commodity threats (very common, easily identified)

– Mostly addressed by traditional AV and IPS

– Low sophistication, slowly changing

Advanced threat:

Organized cybercrime (more customized exploits and malware)

– Machine vs. machine

– Somewhat more sophisticated payloads

– Evasion techniques often employed

– Sandboxing and other smart detection often required

Nation state (very targeted, persistent, creative)

– Intelligent and continuous monitoring of passive network-based and host-based sensors

– Comprehensive investigation after an indicator is found

– Highly coordinated response is required for effective prevention and remediation

Evolving from incident response mindset to intelligence mindset

No intelligence exists without visibility

Applying the intelligence and resulting IOCs to the kill chain

Sharing what you know

It’s a campaign, not just an attack

Appreciate and utilize the intelligence cycle

Security stack:

• Block an IP address

• Block a URL

• Block a session

• Block a known virus

• Heuristically block spam

• Block bad attachments

Intelligence cycle: {A, B, C, D, E, F, G, H, I, J, K, L, M, N, O}

• Recons by A, B and C

• Builds this kind of weapon: D

• Delivers the weapon by E, F and G

• Exploits the network by H and I

• Installs itself by J

• Establishes C2 by K, L and M

• Performs N and O on the objective

You don’t have intelligence if you don’t have visibility

Visibility required across the whole network

Ideally, you can see and understand applications, content, and users

Then make sense of what you see

1. Changes driven by “location”

– Where’s the user?

– Where’s the app?

– Where’s the server?

2. Changes driven by security evolution

– Who and where is the attacker?

– What is their level of sophistication?

– What are their motives?

Users are moving off the network

Apps are moving off the network

Servers are moving to private and public clouds

Traffic is moving off the network

Visibility provides intelligence around the indicators of compromise (IOC)

IOCs applied to the kill chain provide actionability

Highly automated kill chain

Traditional detection → Sandbox-based detection → automatic generation of:

• Anti-malware signatures

• IPS (C&C) signatures

• DNS (C&C) signatures

• Malware URL lists

In the cyber security battle, sharing is key

Three ways this is happening

1. External – industry initiatives

2. External – technology partnerships

3. Internal – your security technology should leverage the network


Automatic detection in real time in private or public cloud

Automatic generation of several defensive measures

Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection

Automatic installation of defensive measures provides full prevention immediately

You benefit from the threat intelligence of 2,500+ organizations across the industry

F5

F5 Security for an application driven world

F5 Provides Complete Visibility and Control Across Applications and Users

Intelligent Services Platform (TMOS)

Users: securing access to applications from anywhere

Resources: protecting your applications regardless of where they live

Network Firewall | Protocol Security | DDoS Protection | Dynamic Threat Defense | DNS | Web Access

Security Trends and Challenges

[Chart: security incidents from May 2012 to June 2013, plotted by month and by victim industry (banks, government, online services, telcos, software, DNS providers, education, news & media, utilities, retail and others). Attack types shown: spear phishing, physical access, XSS, unknown. Size of circle estimates relative impact of incident in terms of cost to business.]

More sophisticated attacks are multi-layer: Application, SSL, DNS, Network

The business impact of DDoS: cost of corrective action, reputation management

OWASP Top 3 Application Security Risks

1 – Injection: Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume other users’ identities.

3 – Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.

Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

The F5 Approach

Full Proxy Security

A full proxy terminates the client-side connection and opens a separate server-side connection, so each layer (physical, network, session, application, web application) is handled on both sides:

Network: L4 firewall, full stateful policy enforcement and TCP DDoS mitigation

Session: SSL inspection and SSL DDoS mitigation

Application: HTTP proxy, HTTP DDoS and application security

Web application: application health monitoring and performance anomaly detection

The F5 Application Delivery Firewall: bringing deep application fluency to firewall security

One platform: SSL inspection | Traffic management | DNS security | Access control | Application security | Network firewall (EAL2+, EAL4+ in process) | DDoS mitigation

Positive vs Negative

• Positive security

  • Known-good traffic

  • Permit only what is defined in the security policy (whitelisting)

  • Block everything else

• Negative security

  • Known-bad traffic

  • Pattern matching for malicious content using regular expressions

• Policy enforcement is based on positive security logic

• Negative security logic is used to complement positive logic

How Does It Work? Security at application, protocol and network level

Request made → security policy checked → enforcement (content scrubbing, application cloaking) → server response → security policy applied → response delivered

Actions: log, block, allow

“BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”

1 Start by checking RFC compliance

2 Then check for various length limits in the HTTP

3 Then we can enforce valid types for the application

4 Then we can enforce a list of valid URLs

5 Then we can check for a list of valid parameters

6 Then for each parameter we will check for max value length

7 Then scan each parameter, the URI, the headers

GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: 172.29.44.44\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n
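The seven checks above, run in that order over the slide’s request, as an added example; this is not F5 code and not a description of how BIG-IP ASM is built. The policy (allowed file types, URLs, parameters and their maximum lengths, header limits) and the three negative-security signatures are assumptions, and the request is re-typed with a straight apostrophe and real CRLF terminators. It also shows why the slide makes positive logic the base: the undefined `admin` parameter is caught by the positive model, while the apostrophe in `Acme's` does not trip a narrow signature, so a legitimate value is not blocked.

```python
"""Ordered positive-security checks over a raw HTTP request (added example)."""
from __future__ import annotations
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# --- Assumed positive-security policy for one application ---------------------
POLICY = {
    "file_types": {"php", "html", "css", "js", "png", ""},               # step 3
    "urls": {"/search.php": {"q": 64, "name": 32}, "/index.php": {}},    # steps 4-6: url -> {param: max len}
    "max_request_line": 2048, "max_header_count": 32, "max_header_len": 1024,  # step 2
}
METHODS = {"GET", "POST", "HEAD"}
# --- Assumed negative-security signatures for step 7 (deliberately narrow) -----
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\b|'\s*(--|;)|\bunion\s+select\b", re.I),
    "xss": re.compile(r"<\s*script|javascript:|onerror\s*=", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e", re.I),
}


def parse(raw: bytes) -> dict:
    """Step 1, RFC compliance: request line, CRLF framing, header syntax, Host present."""
    if not raw.endswith(b"\r\n\r\n"):
        raise ValueError("request not terminated by CRLF CRLF")
    lines = raw[:-4].decode("ascii").split("\r\n")   # non-ASCII header bytes raise too
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError(f"bad request line {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip() or "\n" in value:
            raise ValueError(f"bad header {line!r}")
        headers[name.lower()] = value.strip()
    if parts[2] == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host")
    return {"line": lines[0], "method": parts[0], "target": parts[1], "headers": headers}


def inspect(raw: bytes) -> list[str]:
    """Run the seven checks in order; returns violations tagged by step (empty = allow)."""
    try:
        req = parse(raw)                                                  # 1
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"1:rfc:{exc}"]
    v: list[str] = []
    h = req["headers"]
    if len(req["line"]) > POLICY["max_request_line"]:                    # 2
        v.append("2:length:request-line")
    if len(h) > POLICY["max_header_count"] or any(len(x) > POLICY["max_header_len"] for x in h.values()):
        v.append("2:length:headers")
    url = urlsplit(req["target"])
    fname = url.path.rsplit("/", 1)[-1]
    ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    if ext not in POLICY["file_types"]:                                  # 3
        v.append(f"3:filetype:{ext}")
    allowed = POLICY["urls"].get(url.path)
    if allowed is None:                                                  # 4
        v.append(f"4:url:{url.path}")
        allowed = {}
    params = parse_qsl(url.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:                                          # 5
            v.append(f"5:param:{name}")
        elif len(value) > allowed[name]:                                 # 6
            v.append(f"6:length:{name}")
    surfaces = ([("uri", unquote(req["target"]))] + [(f"param:{n}", val) for n, val in params]
                + [(f"header:{n}", val) for n, val in h.items()])
    for where, text in surfaces:                                         # 7
        for sig, rx in SIGNATURES.items():
            if rx.search(text):
                v.append(f"7:{sig}:{where}")
    return v


# Constructed inputs: the slide's request re-typed with a straight apostrophe and real CRLFs,
# plus three variants.
SLIDE_REQUEST = (
    b"GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    b"Host: 172.29.44.44\r\nConnection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    b"Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    b"Referer: http://172.29.44.44/search.php?q=data\r\n"
    b"Accept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    b"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    b"Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n\r\n"
)
CLEAN_REQUEST = b"GET /search.php?q=data HTTP/1.1\r\nHost: 172.29.44.44\r\n\r\n"
SQLI_REQUEST = b"GET /search.php?q=x'%20OR%20'1'='1 HTTP/1.1\r\nHost: 172.29.44.44\r\n\r\n"
BARE_LF_REQUEST = b"GET /search.php HTTP/1.1\nHost: 172.29.44.44\n\n"

if __name__ == "__main__":
    for name, raw in [("slide", SLIDE_REQUEST), ("clean", CLEAN_REQUEST),
                      ("sqli", SQLI_REQUEST), ("bare-lf", BARE_LF_REQUEST)]:
        print(name, inspect(raw) or "allow")
```

Each violation is tagged with the step that fired, so a result like 5:param:admin is tuned in the positive policy (add or refuse the parameter for that URL) rather than by loosening a regex, and a signature hit is reported per surface (URI, parameter, header) so the scan in step 7 shows where the payload sat.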


Automatic HTTP/S DoS Attack Detection and Protection

• Accurate detection technique, based on latency

• Three different mitigation techniques escalated serially

• Focus on higher value productivity while automatic controls intervene

Detect a DoS condition → identify potential attackers → drop only the attackers
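The slide gives only the outline: detect a DoS condition from latency, identify the likely attackers, drop only them. The example below is added here and is not F5 code or a description of how the BIG-IP detector is built; it implements the detection and the final drop stage only, not the three serially escalated mitigations. The baseline-and-factor thresholds, the request window, the per-source share heuristic and the constructed traffic pattern are all assumptions.

```python
"""Latency-triggered HTTP DoS detection that drops only the flooding sources (added example)."""
from __future__ import annotations
from collections import Counter, deque
from statistics import median


class DosGuard:
    """Assumed design: a DoS condition is declared when the median latency of the last
    `window` requests exceeds `latency_factor` x a learned baseline; sources whose share of
    that window exceeds `rate_factor` x the typical source's share are then dropped."""

    def __init__(self, window: int = 200, latency_factor: float = 3.0, rate_factor: float = 10.0):
        self.window = window
        self.latency_factor = latency_factor
        self.rate_factor = rate_factor
        self.baseline_ms: float | None = None
        self.recent: deque[tuple[str, float]] = deque(maxlen=window)
        self.blocked: set[str] = set()
        self.dropped = 0

    def learn_baseline(self, latencies_ms: list[float]) -> None:
        """Baseline latency is learned during a known-good period."""
        self.baseline_ms = median(latencies_ms)

    def dos_condition(self) -> bool:
        if self.baseline_ms is None or len(self.recent) < self.window:
            return False
        return median(lat for _, lat in self.recent) > self.latency_factor * self.baseline_ms

    def suspects(self) -> set[str]:
        """Sources hogging the window; needs a mix of sources so the median share is meaningful."""
        counts = Counter(src for src, _ in self.recent)
        typical = median(counts.values())
        return {src for src, n in counts.items() if n > self.rate_factor * typical}

    def handle(self, src: str, latency_ms: float) -> str:
        """Decide one request: 'drop' for blocked sources, otherwise 'serve' and re-evaluate."""
        if src in self.blocked:
            self.dropped += 1
            return "drop"
        self.recent.append((src, latency_ms))
        if self.dos_condition():
            self.blocked |= self.suspects()
        return "serve"


def simulate() -> dict:
    """Constructed traffic: 50 legitimate clients, then one source flooding 3:1 on top of them."""
    guard = DosGuard()
    guard.learn_baseline([40.0 + (i % 5) for i in range(100)])   # ~42 ms baseline
    legit = [f"10.0.0.{i}" for i in range(1, 51)]
    attacker = "203.0.113.7"
    result = {"legit_dropped": 0, "attacker_dropped": 0}
    for i in range(300):                                            # normal period
        guard.handle(legit[i % 50], 42.0)
    for i in range(600):                                            # flood period
        src = attacker if i % 4 else legit[i % 50]
        # Server latency is high for everyone until the flood is being dropped.
        latency = 400.0 if guard.dropped == 0 else 45.0
        if guard.handle(src, latency) == "drop":
            result["attacker_dropped" if src == attacker else "legit_dropped"] += 1
    result["blocked"] = sorted(guard.blocked)
    return result


if __name__ == "__main__":
    print(simulate())
```

The detector trips once half of the window is slow, names only the source whose share of requests is an order of magnitude above the typical client, and never drops a legitimate client even though their latency was just as bad. Latency is used because it measures the condition the business cares about (the server is struggling) rather than raw request volume, which a flash crowd can also produce.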

To Simplify: Application-Oriented Policies and Reports


IP INTELLIGENCE

IP intelligence service: IP address feed updates every 5 min, plus a geolocation database

Source categories: botnet | attacker | anonymous requests | anonymous proxies | scanner | restricted region or country | internally infected devices and servers

Protected: custom application, financial application

Built for intelligence, speed and scale

Concurrent user sessions: 100K
Concurrent logins: 1,500/sec
Throughput: 640 Gbps
Concurrent connections: 288 M
Connections per second: 8 M
SSL TPS (2K keys): 240K/sec
DNS query response: 10 M/sec

Application Delivery Firewall: iRules extensibility everywhere

Products:

Advanced Firewall Manager
• Stateful full-proxy firewall
• Flexible logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and session anti-DDoS

Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication infrastructure
• Endpoint security, secure remote access

Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring

Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection

Global Traffic Manager & DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto

SSL inspection | Traffic management | DNS security | Access control | Application security | Network firewall | DDoS mitigation

The F5 DDoS Protection Reference Architecture: explore at f5.com/architectures

Summary

• Customers invest in network security, but most significant threats are at the application layer

• Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data

• A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges

• F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access

BREAK

SPLUNK

Copyright © 2014 Splunk Inc.

Splunk for Security Intelligence


Make machine data accessible, usable and valuable to everyone.

The Accelerating Pace of Data

Volume | Velocity | Variety | Variability

GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops

Machine data is the fastest growing, most complex, most valuable area of big data

The Splunk Security Intelligence Platform

Security use cases: Forensic Investigation | Security Operations | Compliance | Fraud Detection

HA indexes and storage on commodity servers

Machine data sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID

Rapid Ascent in the Gartner SIEM Magic Quadrant (2011, 2012, 2013)

Over 2800 Global Security Customers

Partner Ecosystem

What is the Value Add to Existing Customers?

Visibility and Correlation of Rich Data

Improved Security Posture

Configurable Dashboard Views

All Data is Security Relevant = Big Data

Traditional SIEM sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication

Everything else: Servers, Service Desk, Storage, Desktops, Email, Web, Call Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Industrial Control, Badges, Databases, Mobile

Making Sound Security Decisions

Log data + binary data (flow and PCAP) + context data + threat intelligence feeds → security decisions

Volume | Velocity | Variety | Variability

Case #1 - Incident Investigation/Forensics

• Often initiated by alert in another product

• May be a “cold case” investigation requiring machine data going back months

• Need all the original data in one place and a fast way to search it to answer:

– What happened and was it a false positive?

– How did the threat get in, where have they gone, and did they steal any data?

– Has this occurred elsewhere in the past?

• Take results and turn them into a real-time search/alert if needed


[Figure: fragments of raw machine data (syslog, DHCP and mail server logs) across a January to April timeline.]

Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20

Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:

20130806041221.000000Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts


Case #2 – Real-time Monitoring of Known Threats

Example correlation – Data Loss

Sources: Intrusion Detection (Data Loss), Endpoint Security (Malware Found), Windows Authentication (Default Admin Account)

Join field: Source IP

Time range: all three occurring within a 24-hour period

2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

08/09/2013 16:23:51.0128event_status="(0)The operation completed successfully. "pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe“ registry_type ="CreateKey"key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Printers Print\Providers\ John Doe-PC\Printers\{}\ NeverSeenbefore" data_type""

2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected] , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z


Case #3 – Real-time Monitoring of Unknown Threats

Example correlation – Spearphishing

Sources: Email Server (rarely seen email domain), Web Proxy (rarely visited web site), Endpoint Logs (rarely seen service)

Join field: User Name

Time range: all three occurring within a 24-hour period
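The two correlations above, Case #2 keyed on source IP and Case #3 keyed on user name with a rarity filter in front of it, as one added example; this is not Splunk code or SPL. The events are constructed to resemble the sample lines on the slides, and the timestamps, the user names, the history counts in the baseline and the “seen at most once before” threshold are assumptions.

```python
"""Cross-source correlation: every required source fires for one key inside a window (added example)."""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which log source produced it
    key: str      # field the correlation joins on (source IP, user name, ...)
    detail: str   # value the rule cares about (signature, domain, process, ...)


def correlate(events: list[Event], required: set[str], window: timedelta) -> list[tuple[str, tuple[Event, ...]]]:
    """Return (key, events) for each key where all `required` sources fire within `window`."""
    by_key: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.source in required:
            by_key[e.key].append(e)
    hits = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):            # window anchored at each event in turn
            inside = tuple(e for e in evs[i:] if e.ts - first.ts <= window)
            if {e.source for e in inside} >= required:
                hits.append((key, inside))
                break                              # one hit per key is enough
    return hits


def rarely_seen(events: list[Event], baseline: Counter, max_prior: int = 1) -> list[Event]:
    """Case #3 pre-filter: keep events whose value was seen at most `max_prior` times before.
    A value absent from the baseline counts as never seen."""
    return [e for e in events if baseline[e.detail] <= max_prior]


def t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Case #2 (constructed, modelled on the Symantec, snort and WMI lines above; join on source IP).
CASE2 = [
    Event(t("2013-08-08 04:12:21"), "winauth",  "10.11.36.20", "Built-in Administrator account used"),
    Event(t("2013-08-08 06:09:13"), "endpoint", "10.11.36.20", "Hackertool.rootkit quarantined"),
    Event(t("2013-08-08 08:26:54"), "ids",      "10.11.36.20", "Credit Card Number Detected in Clear Text"),
    Event(t("2013-08-08 09:00:00"), "ids",      "10.11.36.99", "Credit Card Number Detected in Clear Text"),
    Event(t("2013-08-01 10:00:00"), "endpoint", "10.11.36.50", "Hackertool.rootkit quarantined"),
    Event(t("2013-08-05 10:00:00"), "winauth",  "10.11.36.50", "Built-in Administrator account used"),
    Event(t("2013-08-05 11:00:00"), "ids",      "10.11.36.50", "Credit Card Number Detected in Clear Text"),
]
# Case #3 (constructed; join on user name, each event must be rarely seen against a history count).
BASELINE = Counter({"www.google.com": 5000, "svchost.exe": 20000, "corp.example": 800,
                    "payroll-notice.example": 1})
CASE3 = [
    Event(t("2013-08-09 12:40:25"), "email",    "jdoe",   "payroll-notice.example"),      # sender domain
    Event(t("2013-08-09 16:21:38"), "proxy",    "jdoe",   "www.neverbeenseenbefore.com"), # site visited
    Event(t("2013-08-09 16:23:51"), "endpoint", "jdoe",   "neverseenbefore.exe"),         # new process
    Event(t("2013-08-09 16:25:00"), "proxy",    "jdoe",   "www.google.com"),
    Event(t("2013-08-09 10:00:00"), "email",    "asmith", "payroll-notice.example"),
    Event(t("2013-08-09 10:05:00"), "proxy",    "asmith", "www.google.com"),
    Event(t("2013-08-09 10:06:00"), "endpoint", "asmith", "svchost.exe"),
]


def run() -> tuple[dict, dict]:
    day = timedelta(hours=24)
    case2 = correlate(CASE2, {"ids", "endpoint", "winauth"}, day)
    case3 = correlate(rarely_seen(CASE3, BASELINE), {"endpoint", "proxy", "email"}, day)
    return ({k: [e.source for e in evs] for k, evs in case2},
            {k: [e.detail for e in evs] for k, evs in case3})


if __name__ == "__main__":
    known, unknown = run()
    print("case 2 hits:", known)
    print("case 3 hits:", unknown)
```

Only 10.11.36.20 satisfies Case #2: 10.11.36.99 has a single source and 10.11.36.50 has all three but spread over four days. For Case #3 the rarity filter is what turns ordinary proxy, endpoint and mail events into a signal; asmith receives the same rare sender but then does nothing unusual, so no alert fires for that user.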

$500k Security ROI @ Interac

• Challenges: Manual, costly processes

– Significant people and days/weeks required for incident investigations. $10k+ per week.

– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel

– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive

• Enter Splunk: Fast investigations and stronger security

– Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts

– Splunk reduced investigation time to hours. Reports can be created in minutes.

– Real-time correlations and alerting enables fast response to known and unknown threats

– ROI quantified at $500k a year. Splunk TCO is less than 10% of this.

“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.”

– Josh Diakun, Security Specialist, Information Security Operations

Replacing a SIEM @ Cisco

• Challenges: SIEM could not meet security needs

– Very difficult to index non-security or custom app log data

– Serious scale and speed issues. 10GB/day and searches took > 6 minutes

– Difficult to customize with reliance on pre-built rules which generated false positives

• Enter Splunk: Flexible SIEM and empowered team

– Easy to index any type of machine data from any source

– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection

– All the data + flexible searches and reporting = empowered team

– 900 GB/day and searches take < a minute. 7 global data centers with 350TB stored data

– Estimate Splunk is 25% the cost of a traditional SIEM

“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for ‘big data’ use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.”

– Gavin Reid, Leader, Cisco Computer Security Incident Response Team

Security and Compliance @ Barclays

• Challenges: unable to meet the demands of auditors
– Scale issues: hard to get data in, and impossible to get data out beyond summaries
– Not optimized for unplanned questions or historical searches
– Struggled to comply with global internal and external mandates, and to detect APTs
– Other SIEMs evaluated were poor at complex correlations, data enrichment and reporting

• Enter Splunk: stronger security and compliance posture
– Fines avoided, as searches are easily turned into visualizations for compliance reporting
– Faster investigations, threat alerting, better risk measurement, enrichment of old data
– Scale and speed: over 1 TB/day, 44 B events per minute, 460 data sources, 12 data centres
– Other teams using Splunk for non-security use cases improves ROI


"We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk."
– Stephen Gailey, Head of Security Services

Splunk Key Differentiators (versus a traditional SIEM)

• Single product, UI, data store

• Software-only; install on commodity hardware

• Quick deployment + ease-of-use = fast time-to-value

• Can easily index any data type

• All original/raw data indexed and searchable

• Big data architecture enables scale and speed

• Flexible search and reporting enables better and faster threat investigation and detection, including finding outliers and anomalies

• Open platform with API, SDKs, Apps

• Use cases beyond security/compliance

For your own AHA! Moment

Reach out to your Scalar and Splunk team for a demo

Thank you!


INFOBLOX


Are you prepared to withstand DNS attacks?
Ed O'Connell, Senior Product Marketing Manager, Infoblox


Agenda
• Infoblox Overview
• DNS Security Challenges
• Securing the DNS Platform
• Defending Against DNS Attacks
• Preventing Malware from using DNS


Infoblox Overview

Founded in 1999; headquartered in Santa Clara, CA, with global operations in 25 countries
Leader in technology for network control

Market leadership
• Gartner "Strong Positive" rating
• 40%+ market share (DDI)
• 6,900+ customers, 64,000+ systems shipped
• 38 patents, 25 pending
• IPO April 2012: NYSE BLOX

Total revenue ($MM), fiscal year ending July 31:
FY2007  $35.0
FY2008  $56.0
FY2009  $61.7
FY2010  $102.2
FY2011  $132.8
FY2012  $169.2
FY2013  $225.0


Infrastructure Security

[Diagram: the Infoblox Grid™ with its real-time network database forms the control plane, providing historical and real-time reporting and control over the network infrastructure layer (firewalls, switches, routers, web proxy, load balancers) and the apps and endpoints layer (end points, virtual machines, private cloud, applications).]


DNS Security Challenges

• DNS is the cornerstone of the Internet, used by every business and government
• DNS as a protocol is easy to exploit
• DNS outage = business downtime
• Traditional protection is ineffective against evolving threats


1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS


1. Securing the DNS Platform: Hardened Appliance & OS



A conventional DNS server on a general-purpose OS:
– Many open ports subject to attack
– Users have OS-level account privileges on the server
– No visibility into good vs. bad traffic
– Requires time-consuming manual updates
– Requires multiple applications for device management


Hardened appliance & OS:
• Minimal attack surface
• Active/active HA and DR recovery
• Tested and certified to the highest industry standards
• Secure inter-appliance communication
• Centralized management with role-based access control
• Secured access, communication and API
• Detailed audit logging
• Fast, easy upgrades
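The first point of contrast between the two slides above (many open ports versus a minimal attack surface) is something you can check on any DNS host you run. The following is an added example, not Infoblox code and not part of the deck: it parses the output of `ss -lntu`, diffs every listener against a baseline of what a DNS server should expose, and separates loopback-bound services (unreachable from the network) from those bound to all interfaces. The embedded `ss` output is a constructed sample, and the baseline (53/udp, 53/tcp, plus SSH and HTTPS for management) is an assumption for illustration; `audit_host()` runs the same check against the live machine.

```python
"""Listening-port audit for a DNS server host (added example; baseline is an assumption)."""
import subprocess
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")

# Assumed baseline for a DNS appliance: DNS itself plus SSH and HTTPS management.
BASELINE = {("udp", 53), ("tcp", 53), ("tcp", 22), ("tcp", 443)}

# Constructed `ss -lntu` output standing in for a general-purpose server running named.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0          0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0        127.0.0.1:323        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      10         0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      5        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      10            [::]:53            [::]:*
"""


def parse_ss(output: str):
    """Parse `ss -lntu` lines into Listener tuples; skips the header and malformed lines."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles both 0.0.0.0:53 and [::]:53
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def audit(listeners, baseline=BASELINE):
    """Return findings for every listener outside the baseline, rated by network reachability."""
    findings = []
    for l in listeners:
        if (l.proto, l.port) in baseline:
            continue
        severity = "info" if is_loopback(l.addr) else "high"
        detail = ("loopback-only, unreachable from the network" if severity == "info"
                  else "bound to all interfaces, exposed to the network")
        findings.append({"proto": l.proto, "port": l.port, "addr": l.addr,
                         "severity": severity, "detail": detail})
    return findings


def audit_host():
    """Run the audit against the live host (requires iproute2's `ss`)."""
    out = subprocess.run(["ss", "-lntu"], capture_output=True, text=True, check=True).stdout
    return audit(parse_ss(out))


if __name__ == "__main__":
    for f in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"[{f['severity']}] {f['proto']}/{f['port']} on {f['addr']}: {f['detail']}")
```

On the sample, rpcbind (111), a web listener on 8080 and chrony/CUPS on loopback all show up; the loopback ones are still worth removing on a dedicated resolver, but the "high" findings are the ones an attacker on the network can reach.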


DNSSEC automation:
• No scripts, automatic re-signing, 1-click
• Central configuration of all DNSSEC parameters
• Automatic maintenance of signed zones


2. Defending Against DNS Attacks: Infoblox Advanced DNS Protection


Infrastructure-layer DDoS attack vectors, Q4 2013 (source: Prolexic Quarterly Global DDoS Attack Report Q4 2013):

UDP fragment   17.11%
SYN            14.56%
UDP floods     13.15%
ICMP            9.71%
DNS             9.58%
CHARGEN         6.39%
ACK             2.81%
RESET           1.40%
FIN PUSH        1.28%
SYN PUSH        0.38%
RP              0.26%
TCP fragment    0.13%

~10% of infrastructure attacks targeted DNS.

Share of surveyed organizations that experienced application-layer attacks, by target service (source: Arbor Networks):

HTTP       82%
DNS        77%
HTTPS      54%
SMTP       25%
SIP/VoIP   20%
Other       9%
IRC         6%

~80% of organizations surveyed experienced application-layer attacks on DNS.


Distributed Reflection DoS Attack (DrDoS)

How the attack works: it combines reflection and amplification.
• Uses third-party open resolvers on the Internet as unwitting accomplices
• The attacker sends small packets with a spoofed source address to the open recursive servers, requesting a large amount of data that is sent to the victim's IP address
• Uses many such open resolvers, often thousands of servers
• Queries are specially crafted to produce a very large response
• The result is a DDoS on the victim's server

[Diagram: Attacker, sending spoofed queries through open resolvers on the Internet, to the target victim.]
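The two levers in the description above, a small spoofed query and a large response, can be made concrete at the wire level. The following is an added example, not code from the deck or from Infoblox: it builds a minimal DNS query for type ANY carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload, builds a constructed oversized response such as an open resolver would return, and computes the bandwidth amplification the victim absorbs per byte the attacker sends. It also shows the resolver-side behaviour when the client has not advertised EDNS0: the answer is truncated to the 512-byte RFC 1035 limit with the TC bit set, which caps the amplification at roughly 1x. The domain name, record contents and the 28-byte IPv4+UDP overhead figure are assumptions for the example; nothing is sent on the network.

```python
"""DNS reflection/amplification at the wire level (added example, constructed data)."""
import struct

IP_UDP_OVERHEAD = 28  # assumed IPv4 (20) + UDP (8) header bytes, counted on both sides


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels, terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_question(msg: bytes, pos: int, qdcount: int) -> int:
    """Return the offset just past `qdcount` question entries that start at `pos`."""
    for _ in range(qdcount):
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        pos += 1 + 4  # root label + QTYPE + QCLASS
    return pos


def build_query(qname: str, qtype: int = 255, edns_udp_size=4096, txid: int = 0x1234) -> bytes:
    """RFC 1035 query (QTYPE 255 = ANY). With edns_udp_size set, append an RFC 6891 OPT RR."""
    arcount = 0 if edns_udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    opt = b""
    if edns_udp_size is not None:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = requestor's UDP payload size, TTL 0, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(query: bytes) -> int:
    """UDP payload size the client advertises in its OPT RR; 512 if it has none (RFC 1035 limit)."""
    hdr = parse_header(query)
    if hdr["arcount"] == 0:
        return 512
    pos = _skip_question(query, 12, hdr["qdcount"])
    if query[pos] != 0:          # OPT owner name must be the root label
        return 512
    rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])
    return rclass if rtype == 41 else 512


def build_txt_response(query: bytes, txt_records: list) -> bytes:
    """Constructed resolver response: echoes the question, answers with TXT RRs via a name pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_question(query, 12, 1)]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)  # QR=1, RD=1, RA=1
    answers = b""
    for txt in txt_records:
        chunks = [txt[i:i + 255] for i in range(0, len(txt), 255)]  # TXT strings are <= 255 bytes
        rdata = b"".join(bytes([len(c)]) + c for c in chunks)
        # 0xC00C = compression pointer to the question name at offset 12; TYPE TXT, IN, TTL 3600
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + answers


def cap_for_udp(response: bytes, max_size: int) -> bytes:
    """Resolver behaviour when a reply exceeds the client's UDP limit: header + question only, TC=1."""
    if len(response) <= max_size:
        return response
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", response[:12])
    qend = _skip_question(response, 12, qd)
    return struct.pack("!HHHHHH", txid, flags | 0x0200, qd, 0, 0, 0) + response[12:qend]


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker sends, IP/UDP headers included."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


def reflected_bandwidth_bps(attacker_bps: float, query: bytes, response: bytes) -> float:
    """Traffic the victim receives if the attacker sustains `attacker_bps` of spoofed queries."""
    return attacker_bps * amplification_factor(query, response)


if __name__ == "__main__":
    big_txt = [b"x" * 255] * 8  # constructed bloated record set standing in for a large ANY answer
    q_edns = build_query("example.com", edns_udp_size=4096)
    q_plain = build_query("example.com", edns_udp_size=None)
    resp = build_txt_response(q_edns, big_txt)
    print("query bytes:", len(q_edns), "response bytes:", len(resp))
    print("amplification with EDNS0 4096:", round(amplification_factor(q_edns, resp), 1))
    capped = cap_for_udp(resp, advertised_udp_size(q_plain))
    print("amplification without EDNS0 (TC=1):", round(amplification_factor(q_plain, capped), 1))
    print("10 Mbit/s of spoofed queries becomes",
          round(reflected_bandwidth_bps(10e6, q_edns, resp) / 1e6), "Mbit/s at the victim")
```

The 40-byte query and 2173-byte response give a factor of roughly 32x here; real ANY responses for DNSSEC-signed zones have been larger. The defensive corollary is the same for every reflector: never run an open recursive resolver, rate-limit identical responses per client, and filter spoofed source addresses at the network edge (BCP 38).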


[Diagram: Infoblox Advanced DNS Protection deployed on both external and internal DNS. The Infoblox Threat-rule Server pushes automatic updates to each appliance; the appliances block DNS attacks while passing legitimate traffic, and send data to the Reporting Server, which reports on attack types and severity.]


DNS attack types

DNS reflection/DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
DNS amplification: using a specially crafted query to create an amplified response that floods the victim with traffic
DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
TCP/UDP/ICMP floods: layer-3 denial of service, bringing a network or service down by flooding it with large amounts of traffic
DNS cache poisoning: corruption of the DNS cache data with a rogue address
Protocol anomalies: causing the server to crash by sending malformed packets and queries
Reconnaissance: attempts by attackers to gather information on the network environment before launching a DDoS or other attack
DNS tunneling: tunneling another protocol through DNS for data exfiltration
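The last entry in the table, DNS tunneling, is the one a resolver's own query log can reveal, because encoded payload in query names looks nothing like ordinary hostnames. The following detector is an added example, not Infoblox code and not from the deck: it parses BIND-style query-log lines, groups queries by registered domain, and flags a domain only when several independent signals line up (almost every query is a never-before-seen subdomain, the leading label is long and high-entropy, and the record types are those tunnels favour such as TXT and NULL). The log lines are constructed, including a CDN-like domain that has many subdomains but is benign, and the "registered domain is the last two labels" rule is a simplification that a real deployment would replace with the public-suffix list.

```python
"""DNS-tunneling detector over resolver query logs (added example; constructed log lines)."""
import collections
import hashlib
import math
import re

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)\b"
)
TUNNEL_TYPES = {"TXT", "NULL", "CNAME", "MX", "KEY"}  # record types commonly carrying tunnel payload


def parse_query_log(lines):
    """Yield (client_ip, qname, qtype) for each line in BIND query-log format."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["ip"], m["qname"].rstrip(".").lower(), m["qtype"]


def shannon_entropy(s: str) -> float:
    """Bits per character: hex payload tends toward 4, base32 toward 5, real words toward ~3."""
    if not s:
        return 0.0
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Simplifying assumption for this example: the registrable domain is the last two labels.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_domains(records, min_queries: int = 20) -> dict:
    """Aggregate per registered domain; return stats with a 'flagged' verdict and the reasons."""
    agg = collections.defaultdict(lambda: {"n": 0, "names": set(), "lens": [], "ents": [], "tt": 0, "clients": set()})
    for ip, qname, qtype in records:
        s = agg[registered_domain(qname)]
        first = qname.split(".")[0]
        s["n"] += 1
        s["names"].add(qname)
        s["lens"].append(len(first))
        s["ents"].append(shannon_entropy(first))
        s["tt"] += qtype in TUNNEL_TYPES
        s["clients"].add(ip)
    out = {}
    for domain, s in agg.items():
        n = s["n"]
        stats = {"queries": n, "unique_ratio": len(s["names"]) / n, "mean_label_len": sum(s["lens"]) / n,
                 "mean_entropy": sum(s["ents"]) / n, "tunnel_type_ratio": s["tt"] / n,
                 "clients": sorted(s["clients"])}
        reasons = []
        if n >= min_queries:
            if stats["unique_ratio"] > 0.9:
                reasons.append("nearly every query is a new subdomain")
            if stats["mean_label_len"] > 30:
                reasons.append("leading label unusually long")
            if stats["mean_entropy"] > 3.5:
                reasons.append("leading label high-entropy")
            if stats["tunnel_type_ratio"] > 0.5:
                reasons.append("record types favoured by tunnels")
        stats["reasons"] = reasons
        stats["flagged"] = len(reasons) >= 3  # several independent signals, to keep CDNs and the like out
        out[domain] = stats
    return out


def constructed_log():
    """Constructed sample: ordinary traffic, a CDN with many short subdomains, one tunnel."""
    lines = []
    for i in range(60):
        lines.append(f"client 10.1.2.{i % 5 + 10}#5{i:04d}: query: www.example.com IN A + (10.0.0.53)")
        lines.append(f"client 10.1.2.{i % 5 + 10}#5{i:04d}: query: img{i}.cdn-example.org IN A + (10.0.0.53)")
    for i in range(40):
        payload = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]  # stands in for encoded exfil data
        lines.append(f"client 10.1.2.77#4{i:04d}: query: {payload}.t.exfil-example.net IN TXT + (10.0.0.53)")
    return lines


def flagged_domains(lines):
    return sorted(d for d, s in score_domains(parse_query_log(lines)).items() if s["flagged"])


if __name__ == "__main__":
    for d, s in score_domains(parse_query_log(constructed_log())).items():
        print(f"{d:20s} q={s['queries']:3d} uniq={s['unique_ratio']:.2f} len={s['mean_label_len']:5.1f} "
              f"H={s['mean_entropy']:.2f} types={s['tunnel_type_ratio']:.2f} flagged={s['flagged']}")
```

Requiring three of the four signals is what keeps `cdn-example.org` (unique subdomains, but short and low-entropy names, all type A) off the list while `exfil-example.net` trips every check; the `clients` field then gives the address to take to the DHCP lease history.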


[Diagram: deployment. External: Advanced DNS Protection appliances in the DMZ facing the Internet, in the datacenter and at campus/regional sites. Internal: Advanced DNS Protection appliances on the intranet serving endpoints in the datacenter and at campus/regional sites. Both tiers are managed by a Grid Master and Grid Master Candidate in an HA pair.]


3. Preventing Malware from Using DNS: Infoblox DNS Firewall


Cryptolocker "ransomware"
• Targets Windows-based computers
• Arrives as an attachment to a legitimate-looking email
• Upon infection, encrypts files on the local hard drive and on mapped network drives
• Ransom: 72 hours to pay US$300
• Fail to pay and the decryption key is deleted; the data is unrecoverable
• Once the executable has started, the only way to stop it is to block its outbound connection to the key server, which it locates through DNS and contacts to fetch the encryption key before it starts encrypting


How DNS Firewall works

1. An infected device is brought into the office; the malware/APT spreads to other devices on the network.
2. The malware makes a DNS query to find "home" (botnet / C&C).
3. Detect and disrupt: Infoblox DDI with DNS Firewall detects and blocks the DNS query to the malicious domain; the blocked attempt is sent to syslog.
4. Pinpoint: Infoblox Reporting lists blocked attempts along with the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history.

The DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Service (Infoblox Malware Data Feed Service).
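The four steps above are a response-policy lookup in the resolver plus a join against DHCP data. The following is an added example of that mechanism, not Infoblox code and not the product's feed format: a small DNS firewall that checks each query against a feed of malicious domains (a listed domain covers its subdomains, as in RPZ), blocks a match by returning NXDOMAIN or by redirecting to a walled-garden address, writes a syslog-style line naming the client, and a `pinpoint` step that resolves the client IP to the device holding that lease at query time. The second lease in the sample shows why the timestamp matters: the same address is handed to a different device later the same day. Feed entries, leases, hostnames, timestamps and the upstream answers are all constructed.

```python
"""DNS firewall (response policy) with DHCP-lease pinpointing (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str
    fingerprint: str          # device type derived from the DHCP fingerprint
    start: datetime
    end: datetime


@dataclass
class DnsFirewall:
    walled_garden_ip: str = "192.0.2.1"                      # RFC 5737 documentation address
    policy: Dict[str, str] = field(default_factory=dict)     # domain -> "nxdomain" | "redirect"
    log: List[str] = field(default_factory=list)             # syslog-style lines, one per block

    def update_feed(self, entries: List[Tuple[str, str]]) -> None:
        """Merge a feed delivery (the deck's model pushes one every two hours)."""
        for domain, action in entries:
            self.policy[domain.lower().rstrip(".")] = action

    def match(self, qname: str) -> Optional[Tuple[str, str]]:
        """RPZ-style suffix match: a listed domain covers all of its subdomains."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.policy:
                return candidate, self.policy[candidate]
        return None

    def resolve(self, client_ip: str, qname: str, qtype: str, now: datetime,
                upstream: Callable[[str, str], List[str]]) -> dict:
        """Answer normally unless the name matches policy; then block, log, and answer per policy."""
        hit = self.match(qname)
        if hit is None:
            return {"rcode": "NOERROR", "answer": upstream(qname, qtype), "blocked": False}
        domain, action = hit
        self.log.append(f"{now:%b %d %H:%M:%S} dns-fw named[1]: client {client_ip} query {qname}/{qtype} "
                        f"blocked: matched {domain} action={action}")
        if action == "redirect":
            return {"rcode": "NOERROR", "answer": [self.walled_garden_ip], "blocked": True, "matched": domain}
        return {"rcode": "NXDOMAIN", "answer": [], "blocked": True, "matched": domain}


def pinpoint(leases: List[Lease], ip: str, at: datetime) -> Optional[Lease]:
    """Which device held `ip` at time `at`: the lease whose window covers that instant."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease
    return None


def upstream_stub(qname: str, qtype: str) -> List[str]:
    """Stand-in for ordinary recursion; returns a constructed answer."""
    return ["198.51.100.10"] if qtype == "A" else []


def ts(hour: int, minute: int = 0) -> datetime:
    """Timestamps for the sample day (constructed)."""
    return datetime(2014, 3, 13, hour, minute)


def demo() -> Tuple[DnsFirewall, List[Lease]]:
    fw = DnsFirewall()
    fw.update_feed([("evil-c2-example.net", "nxdomain"), ("malware-dl-example.org", "redirect")])
    leases = [  # the same address handed to two devices on the same day
        Lease("10.1.2.77", "00:11:22:33:44:55", "LT-FINANCE-07", "Windows 7", ts(9), ts(13)),
        Lease("10.1.2.77", "66:77:88:99:aa:bb", "android-9f3c", "Android", ts(13), ts(17)),
    ]
    return fw, leases


def investigate(fw: DnsFirewall, leases: List[Lease], client_ip: str, qname: str, qtype: str, at: datetime) -> dict:
    """Detect and disrupt, then pinpoint: the response plus the device that held the client IP."""
    result = fw.resolve(client_ip, qname, qtype, at, upstream_stub)
    device = pinpoint(leases, client_ip, at) if result["blocked"] else None
    result["device"] = None if device is None else {"mac": device.mac, "hostname": device.hostname,
                                                      "type": device.fingerprint}
    return result


if __name__ == "__main__":
    fw, leases = demo()
    for qname, at in [("www.example.com", ts(10, 15)), ("x7.evil-c2-example.net", ts(10, 15)),
                      ("x7.evil-c2-example.net", ts(14, 30)), ("cdn.malware-dl-example.org", ts(10, 15))]:
        print(qname, "@", at.time(), "->", investigate(fw, leases, "10.1.2.77", qname, "A", at))
    print("\n".join(fw.log))
```

The redirect action is what lets a blocked host land on an internal "walled garden" page instead of silently failing; the NXDOMAIN action is the quieter choice for C&C domains. Either way the log line, not the DNS answer, is what feeds the reporting step.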


DNS Firewall with FireEye integration

1. Detect: an endpoint attempts to download an infected file; the FireEye NX Series detonates and detects the malware (APT) and sends alerts to Infoblox.
2. Disrupt: Infoblox DDI with DNS Firewall disrupts the malware's DNS communication with the malicious domains; the blocked attempt is sent to syslog.
3. Pinpoint: Infoblox Reporting provides the list of blocked attempts along with the IP address, MAC address, device type (DHCP fingerprint), DHCP lease (on/off network) and host name.


Fast flux: rapid changing of the domains and IP addresses used by malicious domains to obfuscate identity and location
APT / malware: malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
DNS hacking: hacking DNS registries and redirecting users to malicious domains
Geo-blocking: blocking access to geographies that have high rates of malicious domains, or that are under economic sanctions by the US government


Summary
• DNS is the cornerstone of the Internet
• Unprotected DNS infrastructure introduces security risks
• The Secure DNS solution protects critical DNS services:
  – Hardened Appliance & OS: secure the DNS platform
  – Infoblox Advanced DNS Protection: defend against DNS attacks
  – Infoblox DNS Firewall: prevent malware/APT from using DNS


Thank you!

For more information

www.infoblox.com


Why Scalar for Security?


The Issues
• Integration of security technologies
• Staffing
• Vulnerabilities
• Advanced threats


The Issues: integration of security technologies is challenging
– Multiple formats of data
– Data timing issues
– Different types of security controls
– Other data types


The Issues: InfoSec staff
– Different skills requirements: architects, malware handling, forensics, vulnerability, incident management, risk and compliance
– HR costs: premium technical personnel (analysts, specialists), training and certification


The Issues: vulnerabilities
– Regularly scheduled disclosures
– Large volumes of ad-hoc patches
– Many undisclosed zero-days
– Remediation is a continuous process


The Issues: advanced threats
– Advanced persistent threats
– Embedded threats

Who?
– State sponsored
– Hacktivism
– Hackers
– Organized crime


How to Secure It
• State-of-the-art security technologies
• Skills on demand:
  – Continuous tuning of rules and filters
  – Cyber intelligence, advanced analytics
  – Cyber incident response
  – Code review, vulnerability and assessment testing


WRAP/QUESTIONS?


THANK YOU.

