
So You Thought You Were Secure! What Has Changed?

Presentation Transcript


  1. So You Thought You Were Secure! What Has Changed?

  2. Agenda
   • Define the Problem
   • What Has Changed
   • The Barrier Solution
   • Conclusion: Industry
   • Conclusion: Barrier
   • Contact Information

  3. So You Thought You Were Secure?
   • Independent perimeter security consisting of firewall, IDS/IDP, anti-spam/anti-virus, and web content filtering
   • 87% of survey respondents had either a virus or spyware incident in the past 12 months; over 5,000 incidents
   • What security technology was in production?
      - 98.2% anti-virus
      - 90.7% firewall
      - 76.2% anti-spam
      - 24.5% web content filtering
      - 23% IDS/IDP
   • Source: FBI 2005 survey with 2,066 respondents
   • WMF virus discovered on 12-27-05, delivered via web sites and/or email. Within 3 days there were 50 variants
   • Vulnerabilities in router code, OS, etc.

  4. Are You Prepared to Protect New and Present Applications?
   • Data
   • VoIP
   • IM (Instant Messenger)
   • P2P (Point to Point) applications
   • IP Video
   • The Barrier1 Appliance is doing it TODAY

  5. The Landscape Has Changed
   • The rules of the game have changed: security is no longer about protecting the wire but about protecting mission-critical business data
   • The problems and the available solutions are at a point where NEW TECHNOLOGY will cause change
   • People
      - The thrill and excitement
      - Money
      - Organized, sophisticated, intelligent
   • 1998: 32 attack types
      - Denial of service, remote to local, user to root, probing/surveillance
      - Only 75% could be detected
   • 2005: 291 variants of the MyTob virus alone
      - 5,00 samples of malicious code are received each month, DOUBLE what they received 1 year ago
      - Source: Eugene Kaspersky, a Russian research lab
   • Blended attacks
   • Zero day
   • Monetary gain

  6. Malicious Economy, e.g. Spyware
   • CoolWebSearch
      - 6 cents per install
      - $11,000 per week in commissions
      - 175,000 new installs per week
   • FlowBy botnet
      - 32,000 unique IPs installing adware
      - $584.99 per day
   • Recent Trojan infection
      - Arrived disguised as a business proposal
      - Customized for each target to evade scanners
      - Compromised machines were generating 17,000 per month
      - 150+ companies in the UK and Israel have been attacked so far

  7. What Are Industry Experts Saying?
   • "New threats don't make anti-virus technology irrelevant, but they do change its role within enterprises"
      - Source: Mr. Hogan, Symantec, eWeek, Oct. 17, 2005
   • "Signature-based detection is still valuable for protecting email and detection of the network perimeter. It's a technology that's necessary but not sufficient."
      - Source: John Pescatore, analyst at Gartner Group

  8. Market Shift
   • Software
   • General purpose appliance: VPN/VPN firewall servers, web content servers
   • Specialty appliances: firewall, intrusion protection, anti-virus, anti-spam, web content filtering
   • Unified Threat Management (UTM), static environment
   • Unified Threat Management (UTM), intelligent environment: Listen, Learn, Predict and React

  9. Point Solutions Are Not Enough
   • VPN/Firewall
      - Only stops traffic to and from designated ports; they are either always open or always closed
      - Cannot determine the type of request or its intent
      - Does not handle application layer protocols
   • IDS/IDP
      - Only generates log packets
      - Alerts send email or call a pager
      - Limited capturing features
   • Anti-Spam/Virus
      - Only searches for the KNOWN: valid recipient, black list, email body/header test
   • Web Content Filtering
      - Only stops known, designated sites, based on a list
   • Barrier1
      - Listen, Learn, Predict, React

  10. Latest Blended Attack: WMF
   • What is it? A vulnerability in Microsoft ME, XP, 2000, 2003
   • When did it appear? 12-27-05, originally on 10 sites
   • Who issued the alert? CERT.org along with several others
   • How do you get it?
      - Visit a web site with an image file and WMF files
      - Open an email containing the WMF files
   • Why is it vulnerable?
      - The metafile format allows image files to contain actual code
      - The Trojan opens a backdoor. It unregisters a .dll, then calls GDI32.dll, which does the work
      - Microsoft claims it is a feature, needed to stop print runs if cancelled mid-stream
      - Other vulnerabilities as well
   • Microsoft response?
      - Block access to all WMF files
      - Designed a patch in a few days
      - Released the patch on Jan. 10, 06
   • As of Jan. 3, 2006, most major anti-virus, anti-spam, and web content companies did not have a solution

  11. Why Point Solutions Would Not Work
   • Firewall: open port and not intelligent; could not limit web sites
   • Anti-Virus: dependent on a list; signatures were not released; the WMF virus has a web content component
   • Web Content: helps, but WMF has an email component
   • IDS/IDP: can create signatures that look at email and network traffic and then block. Issue: the attachment has to be clear text, not encrypted, i.e. zip files and SSL connections
   • UTM: not intelligent and doesn't learn from other technology
   • General: no single technology learned from the other technologies
   • Source: eWeek Magazine, 1-2-06 edition, Larry Seltzer, author
   • Summary: none of the major security vendors could respond to the problem at all. When they did, it took over 5 days.
   • The Barrier Group was the only vendor to protect against the WMF virus on Day 0 in all 4 quadrants.

  12. How Barrier1 Solved the Problem
   • 12-27-05: appliance and human intervention
   • Appliance: due to profiling, unusual traffic was noted and an alert was sent to the administrator and the GTC
   • Human: the Global Threat Center
      - Received notification from 1 of 70 monitored virus definition suppliers
      - Began blocking the source address
      - Created an IDS, anti-virus, and web content rule to exclude WMF files
      - Verified virus definitions
      - Pushed it out to all of our customers
   • Elapsed time: 1.5 hrs
   • Long term: Barrier1 learns all attributes and behavior and will block mutations. A mutation could keep the file structure but rename the WMF extension to a more traditional naming convention
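Slides 10 and 12 make the point that a block rule keyed on the ".wmf" extension is defeated by a file that keeps the metafile structure under another name. The check below, added here as an example and not code from the presentation or from The Barrier Group, identifies a Windows Metafile by its header bytes (the placeable-header key 0x9AC6CDD7 and the standard META_HEADER fields: type 1 or 2, header size of 9 words, version 0x0100 or 0x0300) so the filename no longer matters; the sample files are constructed inline and the policy strings are assumptions.

```python
import struct

# Placeable WMF header key, stored little-endian on disk as D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
# Standard META_HEADER: Type (1 memory, 2 disk), HeaderSize (9 words), Version.
META_HEADER_LEN = 18
META_HEADER_WORDS = 9
VALID_TYPES = {1, 2}
VALID_VERSIONS = {0x0100, 0x0300}


def looks_like_wmf(data: bytes) -> bool:
    """Return True when the bytes carry a WMF header, whatever the filename says."""
    if len(data) >= PLACEABLE_HEADER_LEN and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # A placeable header is 22 bytes; the standard header follows it.
        data = data[PLACEABLE_HEADER_LEN:]
    if len(data) < META_HEADER_LEN:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mtype in VALID_TYPES and header_size == META_HEADER_WORDS and version in VALID_VERSIONS


def classify(filename: str, data: bytes) -> str:
    """Apply a 'block all WMF' rule (slide 10) by structure rather than by extension."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if not looks_like_wmf(data):
        return "allow"
    if ext != "wmf":
        return "block: WMF structure under a disguised extension"
    return "block: WMF file"


# Constructed sample headers (not real malware): a disk WMF, a placeable WMF, and a JPEG.
WMF_STANDARD = struct.pack("<HHHIHIH", 2, META_HEADER_WORDS, 0x0300, 0, 0, 0, 0)
WMF_PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + WMF_STANDARD
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in (("chart.wmf", WMF_PLACEABLE), ("photo.jpg", WMF_STANDARD), ("photo.jpg", JPEG_SAMPLE)):
        print(f"{name}: {classify(name, blob)}")
```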

  13. Security Needs Effective / Affordable Protection
   • What does it take to deliver secure, effective protection? Intelligence + Automation + Speed + Support = Effectiveness
   • Barrier Solution
      - Intelligence: math + list + learning ability
      - Automation: ability to react to anomalies and block
      - Speed: analyze, predict, react within a microsecond
      - Support: monitoring; public, private, and remote sensors for learning

  14. The Solution
   • The Barrier Group is the first to market with an effective, cost-efficient, single-source IT security solution. A solution that evolves.

  15. Feature Set by Function
   • Firewall/VPN
      - Stateful Firewall
      - Multiple DMZ
      - VPN
      - Traffic Shaping
   • Anti-Virus / Anti-Spam
      - Anti-Virus
      - Anti-Spam
      - E-mail Filtering
      - E-mail Forwarding w/ masking
   • Web Content
      - Web Content Filtering
      - Cache Server
      - Proxy Server
      - Web Forwarding w/ masking
   • IDS/IDP
      - Intrusion Detection
      - Intrusion Prevention
      - Honey Pot
      - Anomaly Detection

  16. Firewall Feature Set
   • Stateful Inspection
   • Multiple DMZ
   • VPN Gateway
   • Concurrent VPN Tunnels
   • IPSec, PPTP, L2TP, GRE, SSL-VPN
   • SNMP, SNMPv2c, SNMPv3, SSHv2 (secure Telnet and FTP)
   • SSH/TLS, Secure HTTP
   • Traffic Shaping
   • Network Monitoring

  17. IDS/IDP Feature Set
   • Signature updates 2 times per hour
   • Anomaly detection
   • Full IP defragmentation
   • Pattern matching
   • Protocol decoding
   • 802.1Q detection
   • Dynamic proactive protection

  18. Anti-Virus / Anti-Spam Feature Set
   • Header inspection and analysis
   • Full text inspection and analysis
   • Attachment inspection and analysis
   • 19 different test criteria
   • Black list updates
   • Virus definition updates 2 times per hour
   • Spam definition by domain
   • Learns and adapts
   • LDAP authentication
   • Malware and adware protection

  19. Web Content Feature Set
   • List-based filtering
      - Domain
      - URL
      - Expression
   • Web Proxy Server
   • Web Cache Server
   • HTTP, HTTPS, FTP, VPN filtering
   • LDAP authentication
   • Time/space filtering

  20. The Solution: W32.Sobig.F@mm

  21. The Barrier Solution: AARE Engine
   • Inbound traffic passes through the Web Content Filter, Firewall Rules, IDS Rules, and Anti-Virus System; approved packets continue to the AARE Engine
   • Denied packet information is loaded into the AARE database
   • Analysis of packet information is shared with the other technologies
   • If a packet is infected, the message is thrown out and the source IP address is loaded into the AARE engine

  22. What Does the AARE Engine Capture?
   • 19 data elements at 9 different inspection points
      - e.g. source IP address, packet structure, good host, bad host
   • Each inspection point could have thousands of additional inspection elements
      - e.g. firewall rules, anti-virus definitions, etc.
   • Individual network profile
      - Normal volume
      - Time of day
      - Normal destination address

  23. Global Threat Management Center
   • Good security solutions require good process
   • At The Barrier Group, the Global Threat Management Center supports the process of security through:
      - 24/7 monitoring of the Barrier1 install base
      - 24/7 monitoring of global security events
      - Reviewing findings in AARE from all Barrier1 appliances
      - Ensuring all Barrier1 appliances are current and are protecting our customers' environments
      - Notifying customers of any suspicious activities

  24. Case Study
   • County
   • Presently using firewalls, anti-spam, anti-virus
   • Was infected by a rootkit
   • Events observed:
      - 637,185 Priority 1: VERY high probability that servers and PCs have been compromised
      - 1,375,116 Priority 2
      - 5,163,434 Priority 3
   • Priority definitions:
      - Priority 0: an attempt to compromise the Barrier1 appliance itself
      - Priority 1 (HIGH): a high-risk external attack or possibly a compromised internal computer
      - Priority 2 (MEDIUM): attacks against known vulnerabilities that you may or may not be susceptible to
      - Priority 3 (LOW): reconnaissance-type attacks, used to gather information about your network and computers

  25. Industry and Barrier Conclusion
   • Industry conclusion
      - Flexibility and a nimble, proactive approach are required
      - Any organization can be compromised
   • Barrier conclusion
      - New technologies and methods for attacks are being developed
      - Correlation and anomaly detection are being improved
      - Human-driven protections are too slow today
      - Risk is growing
      - The Barrier1 Appliance has you protected

  26. Contact Information
   • Doug Hermanson 612-390-9252
   • Jim Libersky 763-230-1041
   • Rob Demopoulos 763-422-3776
   • Kip Farrington 773-580-8630
   • Wendell Norton (Federal) 866-861-0808
   • Visit us at: www.thebarriergroup.com