Vital Threat Management for Enterprise / Carrier
In a Digitally Integrated World
Derek Manky
Project Manager, Cyber Security & Threat Research
CMMA: June 17th, 2009
Presentation Overview
Vital Threat Management For:
Enterprise & APAC
Malware Trends
Cost Effective, Next Generation Security
The Threatscape Today
Layered Security
Mobile Threats
Q&A
Fortinet Confidental 2
Enterprise & APAC
Targeted Attacks
Documents Favored
Various Exploits Used
PDF, XLS, DOC
Common Malware Dropped
Social Engineering 2.0
Location Based Services
Profiling
UPS / DHL Attacks
Salesforce Snow-Ball Effect
January 31, 2007: 29,800 Customers
September 2007: Phishing attacks compromise sensitive data
November 2007: FTC spoofed attacks with compromised data
Enterprise & APAC
Targeted Attacks
GhostNet[1]
1,295 unique infections in 103 countries
Ministry of Foreign Affairs, Embassies
Concentration in Asia
Spoofed Email (i.e.: [email protected])
Malicious MS Word document – exploit
Drops trojan (Ghost RAT), and innocent document
HTTP Communication Used for C&C
GhostNet Source
[1] Information Warfare: http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
Enterprise & APAC
Targeted Attacks
XLS, DOC, PDF Exploits
January - May 2009
[Chart: Detected Activity (0 to 25,000) by month, Jan-09 to May-09; series: AMER, APAC, EMEA]
Enterprise & APAC
W32/Virut.A
Dominant in Asia
Prevalent for 1+ Years in Korea
Parasitic File Infector
Newly Discovered Hybrids
Especially Nasty to Clean
Hybrid Effect
Blended Threats
MyDoom, Netsky, Scareware
Botnets & Control
Polymorphic
Enterprise & APAC: Volume & Infection Rate Increase Over 1.5 Years
Source: Fortinet’s FortiGate and Worldwide Intelligence Systems
Netsky vs. Virut
[Chart: Detected Activity (0 to 1,200,000) by month, Oct 07 to May 09; series: W32/Netsky!similar, W32/Virut.A]
Cost Effective
Next Generation Security
Vital Threat Management
Cost Effective, Next Gen Security: Volume & Infection Rate Increase Over 2 Years
Source: Fortinet’s FortiGate and Worldwide Intelligence Systems
Malware Received (Annual)
[Chart: Received Samples for 2007 and 2008, bars for Infected and Totals per year; growth annotations: +52.6%, +31.8%]
Cost Effective, Next Gen Security: Volume & Infection Rate Increase Over 3 Quarters
Source: Fortinet’s FortiGate and Worldwide Intelligence Systems
Malware Received (Q1)
[Chart: Received Samples for 2007-Q1, 2008-Q1 and 2009-Q1, bars for Infected and Totals per quarter; growth annotations: +54.9%, +92.0%, +54.0%, +54.9%]
Cost Effective, Next Gen Security: APAC Leading 2009 Malware Detections
Source: Fortinet’s FortiGate and Worldwide Intelligence Systems
Global Malware Volume
January - May 2009
[Chart: Detected Activity (0 to 6,000,000) by month, 2009/01 to 2009/05; series: AMER, APAC, EMEA]
Ringfence corporate security networks
[Chart: axes labelled "Protection versus Threatscape" and "Competitive Outcome over time", with a Blended Threatscape curve and the gaps Y2, Z1, Z2, Z3 annotated as follows]
Y2 – Point solutions: costly, patchy security.
Z1 – Perceived competitive gap over time (when the economy recovers) if enterprises adopt a UTM security approach. Z1 can be reduced if IT managers are trained and FortiGuard updates are applied with due diligence.
Z2 – Perceived gap when companies attempt to patch security holes with costly point services. Creates a greater gap for enterprises, which indirectly causes enterprises to be less competitive over time.
Z3 – Greatest perceived gap, if enterprises are unfocused in spending and approach. Worst case scenario: a big attack takes place and enterprises' assets are compromised. Will need to play a catch-up game over time to bridge the competitive gap.
Next Gen Threats
Platforms++ == Vulnerabilities
Bridged Threats
Public Internet
Social Networks: Koobface
Web: XSS, CSRF, SQL Injections, Exploit Kits
Search Engines / Cloud Services: SEO Attacks, Data Breaches
Financial / Auction: Phishing, Scams
IM/Games
Telecomm Bridge: SymbOS/Yxes
Legacy: Mass Mailers, File Infectors
Portable: USB, Bluetooth, MP3, Cameras, Laptops
Digital Underground
Layered Security
UTM vs. End Point Approach
[Diagram: point solutions (Solution A: AntiVirus, Solution B: WCF, Solution C: IPS, Solution D: AntiSpam) compared with a single UTM Solution, each facing a threat sequence numbered 1 to 5 from the Public side: Mass Mail with Attached Variant #1, Hosted Variant #2, Fresh Web 0-Day Exploit]
The Big Picture
Layered Security
[Diagram: Security Function layered across Gateway, End Points, Servers (Web, Database), Mobile and Employees, facing the Threatscape; supported by Updates, Monitoring and Administration]
Security functions: IPS, AntiVirus, WebFiltering, AntiSpam, DLP, Firewall
Consolidated Approach (UTM)
Consolidates Management and Deployment
Operating Expenses Smoothed
Fewer Licenses
Smaller Footprint
Capital Expenditures Reduced
Scalable to Address:
Threat Growth
Growing Operations
Manageable
Monitored View of all Threat Vectors
Increased Incident Response
Layered Security
In Summary
Modern Threats Require Layered Solution
Too Complex a Challenge
Defense in Depth
UTM
Cost Effective; Security != $$
Provides Enhanced Security
Both Client & Server Side
Policies & Education
Scalable Solution Required for Threatscape
Security is Essential
Huge Losses Possible
Breaches Damage Reputation
Layered Security
Mobile Threats
Vital Threat Management
Mobile Threats on the Rise
Past and Present
2004:
• SymbOS/Cabir (PoC) – Bluetooth
• SymbOS/Skulls (DoS)
2005:
• SymbOS/CommWarrior – Bluetooth, MMS, MMC
2008/2009:
• SymbOS/Flocker
• SymbOS/BeSeLo – File Extension Tricks
• SymbOS/CurseSMS (DoS)
• SymbOS/Yxes, SymbOS/BeSeLo – Propagation on S60 Phones
Trend: Destruction & Defacement → Monetization
Mobile Threats on the Rise
A Growing Trend
Statistics from Fortinet’s network security appliances worldwide
Mobile Threat Detections
January 2008 - May 2009
[Chart: Detected Mobile Threats (20,000 to 120,000) by month, Jan-08 to May-09; series: SymbOS Threats]
Moving Forward: Securing The Future
Active Threat Ingredients
• Plethora of smart devices
• Increased complexity / functionality: bridges created, security holes introduced
• New platforms introduced
• Roaming insider threat
• Adoption of 3G, roadmap to 4G: Traffic == Cold Hard Cash
On The Horizon
• Increased integration: smart devices & cloud services
• Digital underground invests: custom malware / targeted attacks, zero-days, roaming botnets
Moving Forward: Securing The Future
Protecting Against Attacks
• Enterprise Security: Endpoint Solution (Roaming), Gateway Solution (Bridged), Policies & Education
• Carrier Security: Gateway Solution (MMS), Monitoring & Alerts
• Vendor Security: Safe Coding / R&D Practices, Responsible Disclosure
FortiCarrier
FortiClient Mobile
FortiGuard Global Security Research Team
Questions
Thank You!