Taking Control of the Advanced Threat Problem
Adam Hogan, Security Engineer, Sourcefire
@adamwhogan email@example.com
Agenda
• Frame the Advanced Threat Problem
• Define “Next-Gen Security”
• Traditional Network-Based Solutions: NG-IPS and NGFW
• Endpoint Approach to Advanced Malware (Cloud Supported)
IT Environments are Changing Rapidly
Devices | Networks | Applications
VoIP | Virtualization | Mobilization | Consumerization
Threats are Increasingly Complex
Targeted | Organized | Relentless | Innovative
Client-side Attacks | Malware Droppers | Advanced Persistent Threats
2010 Ponemon Institute Study
• Published in March 2011
• 51 U.S. companies interviewed with breaches that occurred in 2010
• 4,200 to 105,000 records stolen
• Breach costs ranged from $780,000 to $35.3 million
• Report highlights:
  • Average data breach cost: $7.2 million
  • Average cost per stolen record: $214
  • 31% of breaches were criminal attacks
  • Breaches related to criminal attacks are the most expensive
  • Customer turnover remains the main driver of data breach costs
Professionalization of Hacking
“Once a deviant industry is professionalized, crackdowns merely promote innovation.”
– Nils Gilman, 4th European Futurists Conference
“The criminal breaks the monotony and humdrum security of bourgeois life, he thereby insures it against stagnation, and he arouses that excitement and restlessness without which even the spur of competition would be blunted”
– Karl Marx
Threats Change — Traditional Security Products Do Not
Static | Inflexible | Closed/Blind | Labor Intensive
“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.”
– Neil MacDonald, VP & Gartner Fellow
Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010
Next Gen Security is… Agile Security
…a continuous process to respond to continuous change.
You Can’t Protect What You Can’t See
Agile Security
• Breadth: who, what, where, when
• Depth: as much detail as you need
• Real-time data
• See everything in one place
Threats | Devices | Applications | Network | Vulnerabilities | OS | Users | Files
“Seeing” provides information superiority
Block, alert, log, modify, quarantine, remediate
• Respond via automation
• Reduce the ‘noise’
• Gain insight into the reality of your IT and security posture
• Get smarter by applying intelligence
• Correlate, prioritize, decide
• Automatically optimize defenses
• Lock down your network to policy
• Leverage open architecture
• Configure custom-fit security
Key: intelligence & automation
Security Before, During & After the Attack
Before – Policy & Control: Discover environment, Implement access policy, Harden assets
During – Identification & Block: Detect, Prevent
After – Analysis & Remediation: Determine Scope, Contain, Remediate
What is needed is a new approach to protect your organization
What Can You Do?
• Assess your vendors by assuming you will be hacked
  • p.s., you will be. You already have been.
• Your security tools are tools.
• Forget about set-and-forget tech and think about how each process, program or product helps your analysts keep you safe.
Java 0-Day
• SIDs 25301, 25302
• Largely used by exploit kits (Blackhole, Cool Kit, Nuclear, Redkit) - covered
• Why is java.exe downloading calc.exe?
BTW, User Agents are telling
• No, really:
  • User-Agent: Malware
  • (RFC 3514 anybody?)
• Unless your proxy rewrites them all...
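The two observations above (a JVM pulling down an executable, and a User-Agent that no browser would send) are both visible in ordinary proxy logs. The following is an added example, not code from the talk or from Sourcefire: it scans constructed proxy log lines and flags a `Java/` client fetching an executable and any agent string outside a small allowlist of known browser and updater families. The log field layout, the allowlist of User-Agent prefixes and the content-type list are assumptions made for the example.

```python
"""Flag suspicious HTTP downloads in proxy logs: a Java client fetching an
executable, or a User-Agent outside the known browser/updater families.

Added example, not from the talk. Log layout, allowlist and sample lines are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample lines: client_ip method url status content_type "user-agent"
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://intranet.example/news.html 200 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
10.0.0.7 GET http://203.0.113.9/x/calc.exe 200 application/x-msdownload "Java/1.7.0_10"
10.0.0.7 GET http://203.0.113.9/x/gate.php 200 text/plain "Malware"
10.0.0.9 GET http://cdn.example/jquery.js 200 application/javascript "Mozilla/5.0 (Windows NT 6.1) Chrome/24.0"
10.0.0.9 GET http://update.example/setup.exe 200 application/x-msdownload "Mozilla/5.0 (Windows NT 6.1) Chrome/24.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')

# Assumed allowlist: agent prefixes we treat as "a normal browser or OS updater".
KNOWN_UA_PREFIXES = ("Mozilla/", "Opera/", "Microsoft-CryptoAPI/", "Windows-Update-Agent")

# Content types that indicate a Windows executable body (assumed list).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


@dataclass
class Finding:
    client: str
    url: str
    reason: str


def parse_line(line):
    """Split one log line into a record, or return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, url, status, ctype, ua = m.groups()
    return {"client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype, "ua": ua}


def is_executable_download(rec):
    return rec["ctype"] in EXECUTABLE_TYPES or rec["url"].lower().endswith(".exe")


def check_record(rec):
    findings = []
    ua = rec["ua"]
    # Java's URL connection identifies itself as "Java/<version>"; a JVM fetching an
    # .exe is the "java.exe downloading calc.exe" pattern of an exploit-kit drive-by.
    if ua.startswith("Java/") and is_executable_download(rec):
        findings.append(Finding(rec["client"], rec["url"], "java-client-downloaded-executable"))
    # Anything outside the known families deserves a look; "Malware" is the blatant
    # case, but one-off or empty agent strings are just as telling.
    if not ua.startswith(KNOWN_UA_PREFIXES):
        findings.append(Finding(rec["client"], rec["url"], f"unusual-user-agent:{ua or '<empty>'}"))
    return findings


def scan_proxy_log(text):
    """Return every Finding produced by the log text, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            findings.extend(check_record(rec))
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f.client, f.reason, f.url)
```

On the constructed lines only 10.0.0.7 is flagged: once for the Java download and once each for the `Java/1.7.0_10` and `Malware` agents; the Chrome download of `setup.exe` passes. As the slide warns, this only works when the proxy forwards the client's original User-Agent rather than rewriting it, so check that before building an alert on the field.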
What can we do? Communication
• Watch hackers.
  • Many aren’t that sneaky. (L|H)OIC source code is public, for crying out loud.
  • LOIC packet contains: “U dun goofed”
  • HOIC botched protocol, used two spaces where one is allowed.
• They recruit! Publicly. Get on Twitter. Watch pastebin.org. Scrape it. Use Google Alerts if you can’t script.
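Both tool artifacts named on the slide are plain content signatures. As an added example (not from the talk and not a Sourcefire rule), the code below checks raw TCP payloads for LOIC's default message and for an HTTP request line with two consecutive spaces where the request-line grammar allows one, then tallies hits per source address. Treating the double space as sitting in the request line, and the packet samples themselves, are assumptions made for the example.

```python
"""Content signatures for the two DDoS tools named on the slide, tallied per source.

Added example, not from the talk. Sample packets are constructed; the placement
of HOIC's double space in the request line is an assumption.
"""
import re
from collections import Counter

LOIC_MARKER = b"U dun goofed"
# RFC 7230 request-line: method SP request-target SP HTTP-version, each SP one space.
REQUEST_LINE_RE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")


def classify_payload(payload: bytes):
    """Return the signature names that match one TCP payload."""
    hits = []
    if LOIC_MARKER in payload:
        hits.append("loic-default-message")
    first_line = payload.split(b"\r\n", 1)[0]
    if b" HTTP/" in first_line:                     # looks like an HTTP request line
        if b"  " in first_line:
            hits.append("hoic-double-space-request-line")
        elif not REQUEST_LINE_RE.match(first_line):
            hits.append("malformed-request-line")  # other grammar violations, for review
    return hits


# Constructed samples: (seconds, source address, payload)
SAMPLE_PACKETS = [
    (0.0, "198.51.100.4", b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (0.1, "198.51.100.77", b"U dun goofed"),        # LOIC TCP flood, default message
    (0.2, "198.51.100.77", b"U dun goofed"),
    (0.3, "203.0.113.5", b"GET  / HTTP/1.0\r\nHost: www.example\r\n\r\n"),  # two spaces
    (0.4, "203.0.113.5", b"GET  / HTTP/1.0\r\nHost: www.example\r\n\r\n"),
    (0.5, "203.0.113.5", b"GET  / HTTP/1.0\r\nHost: www.example\r\n\r\n"),
    (0.6, "198.51.100.4", b"POST /login HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]


def scan(packets):
    """Map source address -> Counter of signature hits; clean sources are absent."""
    per_source = {}
    for _, src, payload in packets:
        for sig in classify_payload(payload):
            per_source.setdefault(src, Counter())[sig] += 1
    return per_source


if __name__ == "__main__":
    for src, hits in scan(SAMPLE_PACKETS).items():
        print(src, dict(hits))
```

In an IDS the first check is a one-keyword content match (`content:"U dun goofed";`), and the second is a check on the request line that a stock HTTP preprocessor may already report as a protocol violation; the value of writing it out is seeing that neither tool bothers to look like a browser.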
What Can You Do?
• Hire analysts
  • It’s going to cost you.
  • And if they aren’t trained they depreciate.
Example: “Agile Security” Fuels Automation in an IDS/IPS
• IT Insight: Spot rogue hosts, anomalies, policy violations, and more
• Impact Assessment: Threat correlation reduces actionable events by up to 99%
• User Identification: Associate users with security and compliance events
• Automated Tuning: Adjust IPS policies automatically based on network change
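The "Impact Assessment" point rests on a simple idea: an IPS alert is only actionable if the target can actually be affected by the attack. As an added example (not Sourcefire's code), the block below scores constructed alerts against a constructed host inventory of the kind passive discovery produces, and groups them into four impact levels so the analyst queue holds only levels 1 and 2. The level numbering, the `Host`/`Alert` fields and the `CVE-0000-000x` placeholders are assumptions for the example, not product data.

```python
"""Impact assessment: score IPS alerts against what is known about the target host.

Added example, not Sourcefire's code. Inventory, alerts, CVE placeholders and the
four-level scale are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Host:
    ip: str
    os_family: str                               # learned by passive discovery, e.g. "windows"
    services: Dict[int, str]                     # listening port -> product
    cves: Set[str] = field(default_factory=set)  # vulnerabilities mapped to this host


@dataclass
class Alert:
    sid: int
    msg: str
    dst_ip: str
    dst_port: int
    target_os: Set[str]                          # OS families the exploit affects; empty = any
    target_service: Optional[str] = None         # product the exploit targets, if any
    cve: Optional[str] = None                    # vulnerability the rule covers, if known


IMPACT = {1: "vulnerable", 2: "potentially vulnerable", 3: "not vulnerable", 4: "unknown target"}


def assess(alert: Alert, inventory: Dict[str, Host]) -> int:
    host = inventory.get(alert.dst_ip)
    if host is None:
        return 4                                             # never seen this host
    if alert.target_os and host.os_family not in alert.target_os:
        return 3                                             # wrong OS for this exploit
    if alert.target_service and host.services.get(alert.dst_port) != alert.target_service:
        return 3                                             # nothing matching listens there
    if alert.cve and alert.cve in host.cves:
        return 1                                             # host carries that very vulnerability
    return 2                                                 # right platform, vuln not confirmed


# Constructed inventory and alert stream.
INVENTORY = {
    "10.1.1.10": Host("10.1.1.10", "windows", {80: "iis", 445: "smb"}, {"CVE-0000-0001"}),
    "10.1.1.20": Host("10.1.1.20", "linux", {22: "openssh", 80: "apache"}),
}

ALERTS = [
    Alert(1, "IIS overflow attempt", "10.1.1.20", 80, {"windows"}, "iis", "CVE-0000-0001"),
    Alert(2, "IIS overflow attempt", "10.1.1.10", 80, {"windows"}, "iis", "CVE-0000-0001"),
    Alert(3, "Apache module exploit", "10.1.1.20", 80, {"linux"}, "apache", "CVE-0000-0002"),
    Alert(4, "Generic scanner probe", "10.1.1.99", 80, set()),
    Alert(5, "SMB exploit attempt", "10.1.1.20", 445, set(), "smb", "CVE-0000-0003"),
]


def triage(alerts, inventory):
    """Group alert SIDs by impact level and report the share removed from the queue."""
    by_level = {lvl: [] for lvl in IMPACT}
    for a in alerts:
        by_level[assess(a, inventory)].append(a.sid)
    actionable = len(by_level[1]) + len(by_level[2])
    reduction = 1 - actionable / len(alerts) if alerts else 0.0
    return by_level, reduction


if __name__ == "__main__":
    levels, reduction = triage(ALERTS, INVENTORY)
    for lvl, sids in levels.items():
        print(lvl, IMPACT[lvl], sids)
    print(f"{reduction:.0%} of alerts dropped from the actionable queue")
```

The reduction figure the slide quotes comes from the same mechanism at scale: most alerts fire against hosts that cannot be exploited by the rule that matched, and those are the ones the correlation removes. The quality of the answer is bounded by the inventory, so the passive discovery that feeds it needs the same care as the rule set.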
Reduce Risk with: Application Control – on the IPS!
Control access to Web-enabled apps and devices
“Employees may view Facebook, but only Marketing may post to it”
“No one may use peer-to-peer file sharing apps”
Over 1,000 apps, devices, and more!
Reduce Risk with: IP Reputation
• Block and Alert on:
  • Botnet C&C Traffic
  • Known Attackers
  • Malware, Phishing, and Spam Sources
  • Open Proxies and Relays
• Create Your Own Lists
• Download from Sourcefire or Third Parties
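The slide lists the reputation categories and the two sources of lists (vendor and your own). As an added example, not from the talk or any Sourcefire feed, the block below loads a constructed vendor feed and a constructed custom list (addresses or CIDR ranges tagged with a category), looks up both ends of a connection, and returns block/alert/allow according to an assumed per-category policy, with a custom `whitelist` entry overriding vendor data. The feed format, the category names and the policy table are assumptions for the example.

```python
"""IP reputation matching with vendor and custom lists.

Added example, not from the talk. Feed contents, connection records and the
category-to-action policy are constructed for illustration.
"""
import ipaddress

# Constructed feed text: "network,category,source"
VENDOR_FEED = """\
203.0.113.0/24,botnet-cnc,vendor
198.51.100.7,known-attacker,vendor
192.0.2.128/25,open-proxy,vendor
"""

CUSTOM_FEED = """\
# our own additions and exceptions
198.51.100.7,whitelist,custom
10.9.9.9,known-attacker,custom
"""

# Assumed policy: action per category; unknown categories default to alert.
ACTIONS = {"botnet-cnc": "block", "known-attacker": "block", "malware-source": "block",
           "phishing": "block", "spam-source": "alert", "open-proxy": "alert"}


class ReputationList:
    def __init__(self):
        self.entries = []  # (ip_network, category, source)

    def load(self, text):
        """Parse one feed; single addresses become /32 (or /128) networks."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            net, cat, src = (x.strip() for x in line.split(","))
            self.entries.append((ipaddress.ip_network(net, strict=False), cat, src))
        return self

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        return [(cat, src) for net, cat, src in self.entries if addr in net]


def decide(rep, src_ip, dst_ip):
    """Return (action, sorted categories hit) for one connection."""
    hits = rep.lookup(src_ip) + rep.lookup(dst_ip)
    cats = {cat for cat, _ in hits}
    if "whitelist" in cats:                       # local exception beats every feed
        return "allow", sorted(cats)
    actions = {ACTIONS.get(c, "alert") for c in cats}
    if "block" in actions:
        return "block", sorted(cats)
    if actions:
        return "alert", sorted(cats)
    return "allow", []


def decide_all(rep, connections):
    return [(s, d) + decide(rep, s, d) for s, d in connections]


if __name__ == "__main__":
    rep = ReputationList().load(VENDOR_FEED).load(CUSTOM_FEED)
    conns = [("10.0.0.5", "203.0.113.44"), ("10.0.0.5", "198.51.100.7"),
             ("192.0.2.200", "10.0.0.5"), ("10.9.9.9", "10.0.0.5"), ("10.0.0.5", "192.0.2.1")]
    for row in decide_all(rep, conns):
        print(*row)
```

A linear scan over the entries is fine for a demonstration; a production list of a few hundred thousand networks needs a prefix tree or a sorted-range lookup, and feed updates should be treated as a policy change and logged as one, since a bad feed entry blocks traffic just as a bad rule does.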
Gartner Defines NGIPS & NGFW
Next-Gen IPS (NGIPS):
• Standard first-gen IPS
• Application awareness and full-stack visibility
• Context awareness
• Content awareness
• Agile engine
Next-Gen Firewall (NGFW):
• Standard first-gen firewall
• Application awareness and full-stack visibility
• Integrated network IPS
• Extrafirewall intelligence
“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”
Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011. “Defining the Next-Generation Firewall,” Gartner, October 12, 2009
What is a Next-Generation Firewall?
• Stateful First-Generation Firewall
  • Stateful protocol inspection
  • Switching, routing and NAT
• Integrated Network Intrusion Prevention
  • Not merely “co-located”
  • Includes vulnerability- and threat-facing signatures
• Application Awareness with Full-Stack Visibility
  • Example: Allow Skype, but disable Skype file sharing
  • Make Facebook “read-only”
• Extrafirewall Intelligence
  • User directory integration
  • Automated threat prevention policy updates
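The application-control policies quoted on the two slides above ("Employees may view Facebook, but only Marketing may post", "no one may use peer-to-peer apps", "allow Skype but not Skype file sharing") all have the same shape: a rule matches on user group, application and the function inside the application, and the first match wins. The following is an added example, not from the talk or a Sourcefire product, of that evaluation over constructed sessions; the rule fields, the group and category names and the default-block choice are assumptions for the example. Identifying the application and its sub-function from traffic is the hard part the product does and is out of scope here: the sessions arrive already labelled.

```python
"""First-match application-control policy over (group, app, function, category).

Added example, not from the talk. Rules, groups and sessions are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    app: str               # application name, or "*"
    function: str = "*"    # sub-function within the app (post, file-transfer), or "*"
    group: str = "*"       # user group the rule applies to, or "*"
    category: str = "*"    # application category (p2p, social, business), or "*"


@dataclass
class Session:
    user: str
    groups: set
    app: str
    function: str
    category: str


def _match(pattern, value):
    return pattern == "*" or pattern == value


def evaluate(rules, session, default="block"):
    """Return (action, matched rule or None) for the first rule that fits the session."""
    for r in rules:
        if not (_match(r.app, session.app) and _match(r.function, session.function)
                and _match(r.category, session.category)):
            continue
        if r.group != "*" and r.group not in session.groups:
            continue
        return r.action, r
    return default, None


# The slides' policy, written as ordered rules (constructed).
POLICY = [
    Rule("block", "*", category="p2p"),                            # no one may use P2P file sharing
    Rule("allow", "facebook", function="post", group="marketing"),  # only Marketing may post
    Rule("block", "facebook", function="post"),                     # everyone else: read-only
    Rule("allow", "facebook"),                                      # viewing is fine
    Rule("block", "skype", function="file-transfer"),               # Skype yes, file sharing no
    Rule("allow", "skype"),
    Rule("allow", "*", category="business"),
]

SESSIONS = [  # constructed, already labelled by application identification
    Session("alice", {"engineering"}, "facebook", "browse", "social"),
    Session("alice", {"engineering"}, "facebook", "post", "social"),
    Session("bob", {"marketing"}, "facebook", "post", "social"),
    Session("alice", {"engineering"}, "bittorrent", "transfer", "p2p"),
    Session("alice", {"engineering"}, "skype", "call", "collaboration"),
    Session("alice", {"engineering"}, "skype", "file-transfer", "collaboration"),
    Session("alice", {"engineering"}, "salesforce", "browse", "business"),
    Session("alice", {"engineering"}, "unknown-app", "browse", "unknown"),
]


def decisions(rules, sessions):
    return [(s.user, s.app, s.function, evaluate(rules, s)[0]) for s in sessions]


if __name__ == "__main__":
    for row in decisions(POLICY, SESSIONS):
        print(*row)
```

Rule order carries the policy: the Marketing allow must precede the general Facebook-post block, and the P2P block sits first so that no later allow can shadow it. The unknown application falls to the default, which is where the "read-only" and "block" intent of the slides is either honoured or quietly lost, so the default is worth deciding explicitly.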
Gartner on Next-Generation IPS
“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”
Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011
• Application awareness ✔
• Contextual awareness ✔
• Content awareness ✔
• Agile engine ✔
Available now on Sourcefire.com
Ponemon NGFW Survey Highlights
• Survey conducted in October 2011
• 2,561 responses
• Key Results:
  • Most NGFWs augment (not replace) existing firewalls
  • IPS component rated “most important” for securing data
Threats Continue to Evolve
The likelihood that you will be attacked by advanced malware has never been greater.
• 75% of attacks are seen on only one computer
“Nearly 60% of respondents were at least ‘fairly certain’ their company had been a target.” – Network World (11/2011)
Solve the Problem at the Endpoint
• Action at point of entry
  • Best place to stop client-side attacks is on the client
• Awareness at source
  • Focus where files are executed
  • Do not miss threats due to encryption
Secure Endpoints – Wherever They Are.
What is needed to fight advanced malware at the Endpoint?
• Clients need better visibility to detect and assess advanced malware. Visibility answers questions like:
  • Do we have an advanced malware problem?
  • Which endpoint was infected first?
  • How extensive is the outbreak?
  • What does the malware do?
• Clients also need help regaining control after the inevitable attack. Control answers questions like:
  • What is needed to recover?
  • How can we stop other attacks?
Cloud-Based Advanced Malware Protection – Sample Architecture
Lightweight Agent
• Watches for move/copy/execute
• Traps fingerprint & attributes
Cloud Analytics & Processing
• Transaction Processing
• Analytics
• Intelligence
Web-based Manager
Agile Security for Advanced Malware – Endpoint Benefits
• SEE
  • Advanced malware at the source
  • Patient 0 + propagation paths
  • APT reporting
• LEARN
  • Real-time root cause analysis of threats
  • Collective immunity & comparative reporting
  • Data mining & machine learning
• ADAPT
  • Custom detections/signatures
  • Application control
  • Whitelisting
• ACT
  • Immediate & retrospective remediation
  • Action at the point of entry
  • Continuous scans in cloud
Regain Control of Your Environment
• Outbreak control
• Custom Signatures for immediate response
• Whitelisting
• Application Control
• Immediate & retrospective remediation
• Automatic remediation of damaged endpoints with Cloud Recall
• Collective Immunity
Arm YOU to fight advanced malware
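The last three slides describe one mechanism from three angles: the agent fingerprints every file it sees moved, copied or executed and reports that to the cloud; the cloud's verdict for a hash can change later; and because the trajectory was kept, a changed verdict answers "which endpoint was infected first?" and "how extensive is the outbreak?" and drives remediation on every host that still holds the file. The block below is an added example of that flow, not Sourcefire's agent, cloud or Cloud Recall: it keeps the trajectory and verdict store in memory, simulates a verdict flipping from unknown to malicious, and computes patient zero, the propagation order and the retrospective quarantine set from constructed events. Event fields, host names, paths and the sample bytes that are hashed are all constructed.

```python
"""Endpoint file trajectory with retrospective detection.

Added example, not Sourcefire's code. Events, hashes and the verdict store are
constructed and simulated in memory.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    t: int          # constructed timestamp (seconds)
    host: str
    action: str     # "copy", "move" or "execute"
    path: str
    sha256: str


def fingerprint(content: bytes) -> str:
    """What the agent 'traps' on each event: a SHA-256 of the file body."""
    return hashlib.sha256(content).hexdigest()


class CloudVerdicts:
    """Stand-in for the cloud lookup: hash -> verdict, and verdicts can change."""
    def __init__(self):
        self.verdicts = {}

    def lookup(self, sha256):
        return self.verdicts.get(sha256, "unknown")

    def update(self, sha256, verdict):
        self.verdicts[sha256] = verdict


class Manager:
    def __init__(self, cloud):
        self.cloud = cloud
        self.trajectory = []        # every event ever reported, in arrival order
        self.quarantined = set()    # (host, path) pairs told to quarantine

    def report(self, event):
        """Agent-side path: record the event, act on the verdict known right now."""
        self.trajectory.append(event)
        if self.cloud.lookup(event.sha256) == "malicious":
            self.quarantined.add((event.host, event.path))
            return "quarantine"
        return "allow"

    def retrospective(self, sha256):
        """After a verdict flips to malicious, revisit everything already seen."""
        seen = [e for e in self.trajectory if e.sha256 == sha256]
        if not seen or self.cloud.lookup(sha256) != "malicious":
            return None
        ordered = sorted(seen, key=lambda e: e.t)
        hosts = []
        for e in ordered:                       # propagation path in first-seen order
            if e.host not in hosts:
                hosts.append(e.host)
        for e in seen:                          # remediate wherever the file landed
            self.quarantined.add((e.host, e.path))
        return {"patient_zero": ordered[0].host, "propagation": hosts,
                "executed_on": sorted({e.host for e in seen if e.action == "execute"})}


def run_scenario():
    """Constructed outbreak: the file is clean as far as the cloud knows, spreads, then gets convicted."""
    cloud = CloudVerdicts()
    mgr = Manager(cloud)
    bad = fingerprint(b"constructed dropper bytes")          # hash of a constructed sample
    good = fingerprint(b"constructed clean document")
    events = [
        FileEvent(1, "host-a", "copy", r"C:\Users\a\Downloads\invoice.exe", bad),
        FileEvent(2, "host-a", "execute", r"C:\Users\a\Downloads\invoice.exe", bad),
        FileEvent(3, "host-a", "copy", r"C:\Users\a\Documents\q3.docx", good),
        FileEvent(5, "host-b", "copy", r"\\fileshare\public\invoice.exe", bad),
        FileEvent(9, "host-c", "copy", r"C:\Temp\invoice.exe", bad),
        FileEvent(10, "host-c", "execute", r"C:\Temp\invoice.exe", bad),
    ]
    decisions = [mgr.report(e) for e in events]             # all "allow": verdict still unknown
    cloud.update(bad, "malicious")                          # cloud analytics convict the hash
    decisions.append(mgr.report(FileEvent(12, "host-d", "copy", r"C:\Temp\invoice.exe", bad)))
    recall = mgr.retrospective(bad)
    return {**recall, "initial_decisions": decisions, "quarantined": len(mgr.quarantined)}


if __name__ == "__main__":
    print(run_scenario())
```

The point the slides make, and the example shows, is that the agent's first answer was "allow" six times and was not wrong given what was known; what makes the outbreak recoverable is that every one of those decisions left a record keyed by hash, so a single changed verdict reaches host-a through host-d without anyone rescanning disks. The same trajectory is what a custom signature or whitelist entry would be checked against before it is pushed, to see how many hosts it would touch.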