Uncover Threats in SSL Traffic with SSL Insight
November 2015
Stephen Shapiro, Regional Sales Director, NY Metro
02242015
World's Largest Data Breaches
  Impact of a breach: investigation and notification costs, brand damage, lost revenue, regulatory fines, lawsuits
  Source: Information Is Beautiful, http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Cyber Threats Hidden in SSL Traffic
  67% of Internet traffic will be encrypted by 2016
  50% of attacks will use encryption to bypass controls by 2017
  80% of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
  Sources: Sandvine Internet Phenomena Report; "Security Leaders Must Address Threats From Rising SSL Traffic," 2013
SSL Traffic Is Increasing
  In 2013: 25-35%
  In 2016: 67%
  100%?
  Source: Sandvine
Reasons Why More Organizations Are Encrypting Traffic
  Snowden revelations of NSA snooping
  Disclosures in 2014 that governments were injecting surveillance software into web traffic: YouTube and Microsoft Live were used as conduits to inject malware; both now encrypt traffic. As a result, "Google and Microsoft executives said they are accelerating previous plans to encrypt" traffic (Source: Washington Post)
  Google ranks SSL sites higher for SEO: application owners are adding SSL support to improve Google search engine ranking
  Source for picture: https://www.washingtonpost.com/world/national-security/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtube-videos-microsoft-pages/2014/08/15/31c5696c-249c-11e4-8593-da634b334390_story.html
Solutions Are Failing Despite $71.1B Investment in Security
  Next Gen Firewall, Network Forensics, Secure Web Gateway, Data Loss Prevention, Intrusion Detection & Prevention, Network Access Control, Advanced Threat Prevention, Unified Threat Management, SIEM
  Source: Information Security, Worldwide, 2012-2018, 2Q14 Update, Gartner
Attacks that Can Hide in SSL Traffic
Infiltration and Attacks
  Malvertising delivered over SSL-encrypted adtech networks (Yahoo malvertising attack)
  Malware distributed via social media (Facebook, Twitter, LinkedIn use SSL; Koobface was a multimillion malware campaign that used Facebook)
  Malware sent as attachments in email and instant messaging apps (Skype, WhatsApp, Snapchat encrypt IM)
  DDoS and web app attacks (attackers can use SSL to bypass controls or overwhelm servers)
Data Exfiltration Hidden in SSL
  Insider abuse: insiders can send sensitive data through web-based email (Gmail, Yahoo Mail, MS Live encrypt); insiders can upload sensitive files to file sharing services (Box, Dropbox, iCloud, OneDrive encrypt data)
  C&C communications: malware-infected machines communicate with command & control servers via SSL (China's APT1, Zeus, Shylock, KINS and CryptoWall malware use SSL)
How Malware Developers Exploit Encrypted Traffic
  Bot infection hidden in SSL traffic: malicious attachment sent over SMTPS; malicious file in instant messaging; drive-by download from an HTTPS site
  Data exfiltration over SSL: command and control server communication; stolen data sent via email or to cloud storage sites; malware receiving C&C updates from social media sites
  C&C = Command and Control
Security Infrastructure Inspects Traffic to Stop Attacks
  [Diagram: security devices (ATP, IPS, Firewall, DLP, Network Forensics) inspecting clear traffic between the Accounting, Engineering, and Sales & Marketing segments; the devices raise Alert and Block actions]
Encryption Makes Security Devices Blind to Attacks
  [Diagram: the same devices (IPS, ATP, Firewall, DLP, Network Forensics) with encrypted traffic between the Accounting, Engineering, and Sales & Marketing segments; anomalous activity, data exfiltration, and malware go undetected and the attack succeeds]
SSL Insight
  Uncover Threats in SSL Traffic
SSL Insight Difference
  Flexible transparent and explicit proxy deployment modes
  10x more performance
  Scale security performance with load balancing
Eliminate the SSL Blind Spot without Compromising Performance
  SSL Insight benefit: detect encrypted malware, insider abuse, and attacks in SSL/TLS traffic
  [Diagram: Client <-> A10 Thunder ADC <-> Security Device <-> Internet Server; traffic is encrypted on the client and server sides and decrypted only while it passes through the security device]
  SSL Insight features: full SSL visibility including ECDHE ciphers; 10x more performance (40 Gbps max compared to 4 Gbps); load balancing to scale security infrastructure; transparent proxy or explicit proxy deployment; ICAP support to decrypt traffic for DLP or AV scanners; dynamic port intercept of SSL traffic
URL Classification Service Powered by Webroot
  Meet compliance by keeping sensitive data encrypted
  Block malicious sites with URL filtering*
  460+ million domains, 83+ website categories
  [Diagram: Thunder ADC queries the Web Classification Cloud for URL category validation and passes the user's traffic through the Security Device for inspection and protection before forwarding it to the Internet Server]
  * URL filtering supported in ACOS 4.1.0
Case Study: Fortune 500 Healthcare Company
  Customer challenge: needed a high-performance solution that would enable FireEye, IronPort, Palo Alto and other vendors to inspect SSL traffic. Competitors: F5 and Blue Coat.
  Solution: A10 Thunder appliances with SSL Insight; URL Classification subscription
  Why A10: scalability and reliability (A10 was the only vendor that could meet the customer's performance requirements); product expertise (A10 was the only company that answered the company's technical questions completely; the customer required advanced SSL inspection features like URL classification and explicit forward proxy deployment)
Government Case Study: Impact of Not Inspecting SSL
  Background: the organization had deployed security devices from many leading security vendors; SSL traffic was not inspected due to performance, scale, and complexity
  Result of attack: attackers infiltrated the network, installed malware, and stole data across multiple end-points; the organization dropped internet connectivity for days and performed lengthy forensics and remediation
  Findings: network security tools could have prevented this attack if the tools had had visibility into SSL traffic
  Estimated financial costs: lost productivity and forensic investigation = medium cost; loss of intellectual property = high cost
Ironclad Protection from the A10 Security Alliance
  SSL Inspection and Scaling; Advanced Detection & Analysis; Programmatic Security Control; Certificate Management; Intelligence; Authentication
SSL Inspection and Scaling Partners
  A10 has validated and documented SSL Insight integration with leading security vendors:
  FireEye NX; IBM QRadar Incident Forensics; RSA Security Analytics; Trend Micro Deep Discovery; Check Point Next Generation Firewall; Cisco ASA and FirePOWER; Cyphort Threat Defense; Vectra S-series & X-series
Why Customers Choose A10
  Best-in-class performance
  Advanced security & networking features
  All-inclusive licensing and support
  Flexible cloud deployment & APIs
  Data center efficient design
  Gold standard for reliability and support
SSL Insight Provides the Visibility You Need
  Escalating risks from SSL traffic: data breaches are costly; SSL traffic renders security devices ineffective, and decrypting SSL traffic slows down firewalls; to ensure you're not the next victim, deploy an SSL inspection platform
  SSL Insight value: full SSL visibility to uncover attacks and prevent breaches; 10x more performance; decrypt once and inspect many times with load balancing and flexible explicit and transparent proxy deployment
Thank you
Reference Architectures
SSL Insight – Inline Single Appliance Deployment
  [Diagram: Client --SSL (secure traffic)--> ADP 1 --HTTP (clear traffic)--> Firewall or Inline Security Device --> ADP 2 --SSL--> Server]
  This deployment mode provides SSL visibility to an inline security device
  One partition (ADP 1) decrypts SSL traffic and forwards it to the security devices
  A second partition (ADP 2) re-encrypts the traffic
  L2 deployment
SSL Insight – Inline and Passive Mode Security Devices
  [Diagram: Client --SSL (secure traffic)--> decrypted HTTP (clear traffic) through the SWG (Secure Web Gateway) and IPS/Firewall inline, with ATP / SIEM receiving a copy on a passive tap; traffic is re-encrypted to SSL before leaving]
  Open once and inspect multiple times
  Multiple security devices
  Inline (Layer 2) and passive (TAP) mode devices supported on a SPAN/mirror port
SSL Insight – Network and Passive Mode Security Devices
  [Diagram: Client --SSL--> decrypted HTTP through the SWG (Secure Web Gateway) and IPS/Firewall, with ATP / SIEM on a passive tap; HTTP is re-encrypted to SSL toward the server]
  Open once and inspect multiple times
  Multiple security devices
  Network (Layer 3) and passive (TAP) mode devices supported on a SPAN/mirror port
  High availability (HA) support
SSL Insight Inline Mode with Explicit Proxy
  [Diagram: Client --HTTP/SSL (explicit proxy)--> ADP 1 --SSL--> ADP 2 --HTTP--> Firewall or Inline Security Device --> ADP 3 --SSL--> destination]
  First A10 partition: forwards the explicit proxy traffic to SSL; the CONNECT header is removed and the destination IP is changed
  Second A10 partition: forwards SSL traffic to HTTP and sends the traffic to the firewall for inspection
  Third A10 partition: converts HTTP back to SSL; the HTTPS traffic is forwarded to the destination
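The first partition's job in the explicit-proxy deployment above, written out as an added example (not ACOS code; the function and class names are this example's own): read the browser's HTTP CONNECT request, recover the real destination that becomes the flow's new destination host and port, strip the CONNECT head, and hand whatever bytes follow it, the beginning of the tunnelled TLS session, to the decrypting partition.

```python
"""Parse an explicit-proxy CONNECT request (constructed illustration).

Not A10/ACOS code. The proxy needs three things from the client's first
bytes: the target host and port (the new destination), confirmation that the
request really is a CONNECT, and the remainder of the stream after the head,
which is the start of the TLS handshake the decrypting partition will see."""
import re
from dataclasses import dataclass
from typing import Tuple

# authority-form target: host:port or [ipv6]:port (the port is mandatory for CONNECT)
_AUTHORITY = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^\s:\[\]/]+)):(?P<port>\d{1,5})$")


@dataclass(frozen=True)
class ConnectTarget:
    host: str
    port: int


class ConnectError(ValueError):
    """Anything that is not a well-formed CONNECT; the proxy answers 400 instead of tunnelling."""


def parse_connect(stream: bytes) -> Tuple[ConnectTarget, bytes]:
    """Split the client's initial bytes into the CONNECT target and the remainder
    (the first bytes of the tunnelled TLS session, if the client already sent them)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ConnectError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ConnectError("not a CONNECT request line")
    match = _AUTHORITY.match(parts[1])
    if not match:
        raise ConnectError("target must be host:port")
    port = int(match.group("port"))
    if not 1 <= port <= 65535:
        raise ConnectError("port out of range")
    host = (match.group("v6") or match.group("host")).lower()
    return ConnectTarget(host, port), rest


def is_connect_request(stream: bytes) -> bool:
    """True only for a well-formed CONNECT head (used to pick the explicit-proxy path)."""
    try:
        parse_connect(stream)
        return True
    except ConnectError:
        return False


def connect_established() -> bytes:
    """Reply that lets the client start its TLS handshake through the tunnel."""
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


if __name__ == "__main__":
    # constructed client input: CONNECT head followed by the first bytes of a TLS record
    sample = b"CONNECT www.example.test:443 HTTP/1.1\r\nHost: www.example.test:443\r\n\r\n\x16\x03\x01"
    target, tls_start = parse_connect(sample)
    print(target, tls_start)
```

The port check and the IPv6 literal handling are where home-grown proxies usually go wrong; once the target is known, the partition rewrites the flow's destination to `target.host:target.port`, sends `connect_established()` back to the client, and passes `rest` plus everything that follows to the SSL partition as an ordinary TLS stream.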
SSL Insight – ICAP Topology
  [Diagram: SSL --> ADP 1 --> Firewall or Inline Security Device --> ADP 2 --> SSL; ADP 1 exchanges REQMOD/RESPMOD messages with the Data Loss Prevention (DLP) server]
  This deployment mode provides SSL visibility to an ICAP-enabled DLP
  Requires an ICAP template bound to a vPort
  The ICAP solution is based on the RFC standard 3507
  Configurable to work with internal and external Thunder devices
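The REQMOD exchange behind the ICAP topology above, as an added example that is not ACOS or any DLP vendor's code: the decrypting partition wraps each clear-text HTTP request in an ICAP request per RFC 3507 section 4.4 and then acts on the status the DLP server returns. The ICAP URI, host names and sample messages are constructed for the example.

```python
"""ICAP REQMOD client side for a decrypting proxy (constructed illustration)."""
from typing import Dict, Tuple
from urllib.parse import urlsplit


def build_reqmod(icap_uri: str, http_head: bytes, body: bytes = b"") -> bytes:
    """Encapsulate an HTTP request for REQMOD (RFC 3507 section 4.4).
    The Encapsulated header lists the byte offset of each section measured from
    the start of the encapsulated data; a body, if present, goes in HTTP chunked form."""
    if not http_head.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP head must end with an empty line")
    if body:
        sections = f"req-hdr=0, req-body={len(http_head)}"
        enc_body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        sections = f"req-hdr=0, null-body={len(http_head)}"
        enc_body = b""
    icap_head = (
        f"REQMOD {icap_uri} ICAP/1.0\r\n"
        f"Host: {urlsplit(icap_uri).netloc}\r\n"
        "Allow: 204\r\n"                      # we accept "204 No Content" = forward unmodified
        f"Encapsulated: {sections}\r\n\r\n"
    ).encode("ascii")
    return icap_head + http_head + enc_body


def parse_encapsulated(value: str) -> Dict[str, int]:
    """'req-hdr=0, req-body=69' -> {'req-hdr': 0, 'req-body': 69}"""
    out: Dict[str, int] = {}
    if not value.strip():
        return out
    for item in value.split(","):
        name, _, offset = item.strip().partition("=")
        out[name] = int(offset)
    return out


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, int], bytes]:
    """Return (status code, Encapsulated offsets, encapsulated payload)."""
    head, sep, payload = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response")
    lines = head.decode("ascii").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError("unexpected ICAP status line")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return int(parts[1]), parse_encapsulated(headers.get("encapsulated", "")), payload


def act_on_response(original_head: bytes, original_body: bytes, raw: bytes) -> Tuple[str, bytes]:
    """Map the DLP server's answer to what the proxy forwards next."""
    status, sections, payload = parse_icap_response(raw)
    if status == 204:
        return "forward-original", original_head + original_body
    if status == 200 and "req-hdr" in sections:
        # DLP rewrote the request; payload is the modified HTTP request (body chunked, if any)
        return "forward-modified", payload
    if status == 200 and "res-hdr" in sections:
        # DLP answered with an HTTP response of its own (e.g. a block page) for the client
        return "reply-to-client", payload
    raise ValueError(f"unhandled ICAP status {status}")


if __name__ == "__main__":
    # constructed clear-text request as the decrypting partition would see it
    head = b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\nContent-Length: 5\r\n\r\n"
    print(build_reqmod("icap://dlp.example.test:1344/reqmod", head, b"hello").decode())
```

The offsets are the part worth getting right: `req-body` must equal the exact byte length of the HTTP head, and a request without a body still needs `null-body` so the DLP server knows where the encapsulated data ends. The three outcomes in `act_on_response` are the ones a proxy has to handle for every inspected request.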
SSL Insight in Passive Inline with Explicit Proxy
  [Diagram: Client --HTTP/SSL (explicit proxy)--> ADP 1 --> ADP 2 --> Firewall/IPS --> ADP 3 --SSL-->, with ATP / SIEM on a passive tap]
  This deployment mode offers explicit proxy configuration and supports multiple inline and passive (TAP) security devices
  Customers deploy in explicit proxy mode when they are replacing an existing explicit proxy or prefer it over our standard SSL proxy
Inline Mode with Bypass Switch/AFO
  [Diagram: Client --SSL--> ADP 1 --HTTP--> Firewall or Inline Security Device --> ADP 2 --SSL-->, with a bypass switch that carries bypass traffic around the appliance]
  This deployment is standard inline mode with the option to deploy a bypass switch
  AFO (Active Failover Open) utilizes network traffic as a heartbeat. If the network heartbeat fails, the traffic will switch to bypass mode with network interruptions
Inline Mode with Bypass Switch/AFO (Multi-Device)
  [Diagram: Client --SSL--> decrypted HTTP through the Firewall or Inline Security Device --> SSL, with a bypass switch that carries bypass traffic around the appliances]
  This deployment is standard inline (L2) mode in a multi-device deployment with a bypass switch option
  AFO (Active Failover Open) utilizes network traffic as a heartbeat. If the network heartbeat fails, the traffic will switch to bypass mode with network interruptions
Additional Slides
Top Causes of Large-Scale Breaches
  Advanced Persistent Threats: 66% believe their organization will be the target of an APT
  Insider Abuse: 55% of abuse caused by users with legitimate access
  Malware: 225,000 new malware strains detected per day
  Sources: PandaLabs Report Q1 2015 | 2015 Verizon Data Breach Investigation Report | Mandiant, a FireEye company
SSL Insight Benefits
  1. Security: uncover threats concealed in inbound and outbound SSL traffic
  2. Performance: relieves the security gateway and server of SSL tasks
  3. Availability: faster server response time and automatic redundancy
  4. Scalability: scale server and security gateway capacity with integrated load balancing
Advanced SSL Insight Features
  URL Classification for Bypass and Filtering: selective bypass of sensitive sites; URL filtering to block malicious or undesirable sites (in 4.1.0)
  Explicit Proxy and ICAP: explicit proxy is commonly used by Secure Web Gateways; ICAP connectivity offers inline inspection for DLP & AV scanners
  SSL Insight for vThunder: Lab Edition available in 4.0.3; general availability in 4.1.0
  Bypass Traffic that Can't Be Decrypted: dynamic SSL Insight bypass for client certificate traffic; auto-bypass and white lists
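How the bypass and intercept features listed above fit together in one decision per flow, as an added example that is not ACOS code: a white list (auto-bypass) check, selective bypass of sensitive URL categories for compliance, a dynamic bypass when the server demands a client certificate (the proxy cannot complete that handshake without the client's private key), and dynamic port intercept, where the first bytes of the connection rather than the destination port decide whether there is TLS to decrypt. The category names, white-list entries and the in-memory classifier are constructed stand-ins for the URL classification service; the ClientHello builder exists only to produce test input.

```python
"""Bypass/decrypt policy for an SSL inspection proxy (constructed illustration)."""
import struct
from dataclasses import dataclass
from typing import Optional


def build_client_hello(sni: str) -> bytes:
    """Build a bare TLS ClientHello carrying only an SNI extension (test input only)."""
    name = sni.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_body)) + sni_body
    body = (b"\x03\x03" + bytes(32)                    # client_version, random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                               # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def looks_like_tls(data: bytes) -> bool:
    """Handshake record, TLS major version 3, first handshake message is a ClientHello."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def extract_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello, or None if absent or malformed."""
    if not looks_like_tls(data):
        return None
    try:
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        p = 4 + 2 + 32                                     # type+length, version, random
        p += 1 + hs[p]                                     # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher suites
        p += 1 + hs[p]                                     # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]  # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                 # server_name extension
                q = p + 2                                  # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                         # host_name
                        return hs[q:q + nlen].decode("ascii").lower()
                    q += nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


# Constructed stand-ins for the URL classification cloud and the administrator's lists.
CATEGORY_OF = {"portal.example-health.test": "healthcare",
               "www.example-bank.test": "financial",
               "www.example.test": "business"}
SENSITIVE_CATEGORIES = {"healthcare", "financial"}   # stay encrypted for compliance
WHITELIST = {"updates.example-vendor.test"}           # auto-bypass entries


@dataclass(frozen=True)
class Flow:
    dst_port: int
    first_bytes: bytes
    # assumption: set once the server's CertificateRequest is seen during the handshake
    client_cert_requested: bool = False


@dataclass(frozen=True)
class Decision:
    action: str            # "pass" (not TLS), "bypass" (forward still encrypted) or "decrypt"
    reason: str
    sni: Optional[str] = None


def decide(flow: Flow) -> Decision:
    """Dynamic port intercept first, then the bypass rules, then decrypt."""
    if not looks_like_tls(flow.first_bytes):
        return Decision("pass", "not-tls")
    sni = extract_sni(flow.first_bytes)
    if sni in WHITELIST:
        return Decision("bypass", "whitelist", sni)
    if flow.client_cert_requested:
        return Decision("bypass", "client-certificate", sni)
    if CATEGORY_OF.get(sni) in SENSITIVE_CATEGORIES:
        return Decision("bypass", "sensitive-category", sni)
    return Decision("decrypt", f"intercept-port-{flow.dst_port}", sni)
```

Two points the ordering encodes: the white list wins before any classification lookup, and a flow with no SNI at all falls through to decrypt, which is the safer default for a corporate egress point where unknown destinations are exactly what the inspection devices exist to see.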