“Next Generation Security” ISACA June Training Seminar Philip Hurlston 6/20/14.

Agenda
- Today’s threat landscape is next generation
- Definition of Next Generation Security
- What really makes it different
- 20 things your next generation security must do
- Closing & Questions

Today’s Threat Landscape
- Organized Attackers
- Increasing Volume
- Sophisticated
- Remediation is broken
- Must prevent attacks across perimeter, cloud and mobile
- Limited correlation across disjointed security technologies
- Limited security expertise
- CSO challenges

SaaS: Apps are moving off the network

CLOUD + VIRTUALIZATION: Servers are moving to private and public clouds

ENCRYPTION: Traffic is increasingly being encrypted. Over 27% of applications can use SSL encryption, which represents nearly 25% of enterprise bandwidth.

MOBILITY: Users are moving off the network. Over 300 new malicious Android APKs discovered per week by our Threat Research Team.

COMMODITIZATION OF THREATS: Advanced tools available to all
BEFORE:
- Clear-text
- Limited or known protocols
- Known malware & exploits
- Known vulnerabilities
- Known command-and-control
TODAY’S APT:
- Sophisticated & multi-threaded
- SSL encryption
- Changing application environment
- Zero-day exploits/vulnerabilities
- Unknown & polymorphic malware
- Evasive command-and-control
- Lateral movement
Chart labels: Known threats, Enterprise risk

Tectonic Shifts Create the Perfect Storm: Massive opportunity for cyber attackers
- SOCIAL + CONSUMERIZATION
- SaaS
- CLOUD + VIRTUALIZATION
- MOBILITY + BYOD
- ENCRYPTION
- COMMODITIZATION OF THREATS

Target data breach – APTs in action
- Recon on companies Target works with
- Spear phishing third-party HVAC contractor
- Breached Target with stolen payment credentials
- Moved laterally & installed POS Malware
- Exfiltrated data
- C&C servers over FTP
- Maintain access

Definition of a Next Generation Firewall (NGFW)
From the Gartner IT Glossary, a NGFW is a:
- Deep-packet inspection firewall,
- Moves beyond port/protocol inspection and blocking,
- Adds application-level inspection,
- Adds intrusion prevention, and
- Brings intelligence from outside the firewall.

Definition of a Next Generation Firewall (NGFW)
Should not be confused with:
- A stand-alone network intrusion prevention system (IPS), which includes a commodity or non-enterprise firewall, or
- A firewall and IPS in the same appliance that are not closely integrated.

20 Years of Security Technology Sprawl
- Ports and IP addresses aren’t reliable anymore
- More stuff has become the problem
- Too many policies, limited integration
- Lacks context across individual products
Diagram labels: Enterprise Network, Internet, URL, AV, IPS, DLP, Sandbox, Proxy, UTM

Sample of a True Next Generation Architecture
Single Pass:
- Identifies applications
- User/group mapping
- Threats, viruses, URLs, confidential data
- One policy to manage
- Correlates all security information to Apps and Users

Next Generation vs. Legacy Firewalls
App-ID (next generation firewall). Firewall Rule: ALLOW SMTP
- SMTP = SMTP: Allow ✔
- Bittorrent ≠ SMTP: Deny ✗
- Visibility: Bittorrent detected and blocked
Legacy Firewalls. Firewall Rule: ALLOW Port 25
- SMTP: Packet on Port 25: Allow ✔
- Bittorrent: Packet on Port 25: Allow ✔
- Visibility: Port 25 allowed

Next Generation vs. Legacy Firewall + App IPS
App-ID (next generation firewall). Firewall Rule: ALLOW SMTP
- SMTP = SMTP: Allow ✔
- Bittorrent ≠ SMTP: Deny ✗
- Visibility: Bittorrent detected and blocked
Legacy Firewall + App IPS. Firewall Rule: ALLOW Port 25. Application IPS Rule: Block Bittorrent
- SMTP: Packet on Port 25: Allow ✔
- Bittorrent: Deny ✗
- Visibility: Bittorrent detected and blocked

Next Generation vs. Legacy Firewall + App IPS (SSH, Skype, Ultrasurf)
App-ID (next generation firewall). Firewall Rule: ALLOW SMTP
- SMTP = SMTP: Allow ✔
- Skype ≠ SMTP: Deny ✗
- SSH ≠ SMTP: Deny ✗
- Ultrasurf ≠ SMTP: Deny ✗
- Visibility: each app detected and blocked
Legacy Firewall + App IPS. Firewall Rule: ALLOW Port 25. Application IPS Rule: Block Bittorrent
- SMTP: Packet on Port 25: Allow ✔
- Bittorrent ✗
- SSH, Skype, Ultrasurf: Packet ≠ Bittorrent: Allow ✔
- Visibility: Packets on Port 25 allowed

Next Generation vs. Legacy Firewall + App IPS (Command & Control)
App-ID (next generation firewall). Firewall Rule: ALLOW SMTP
- SMTP = SMTP: Allow ✔
- Command & Control ≠ SMTP: Deny ✗
- Visibility: Unknown traffic detected and blocked
Legacy Firewall + App IPS. Firewall Rule: ALLOW Port 25. Application IPS Rule: Block Bittorrent
- SMTP: Packet on Port 25: Allow ✔
- Bittorrent ✗
- C & C ≠ Bittorrent: Allow ✔
- Visibility: Packet on Port 25 allowed
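
The four comparison slides above reduce to three policy models judged on the same traffic to port 25. The sketch below is an added example, not part of the original presentation and not any vendor's engine: the flows are constructed, and `identify` is a hypothetical prefix matcher standing in for real application identification.

```python
from dataclasses import dataclass

# Opening bytes of each protocol; a toy stand-in for an application-ID engine.
SIGNATURES = {
    "smtp": (b"220 ", b"EHLO ", b"HELO "),
    "bittorrent": (b"\x13BitTorrent protocol",),
    "ssh": (b"SSH-2.0-",),
}

@dataclass
class Flow:
    label: str          # ground truth, used only for reporting
    dst_port: int
    first_bytes: bytes  # first payload bytes seen on the connection

def identify(flow):
    """Classify by payload, never by port; anything unmatched is 'unknown'."""
    for app, prefixes in SIGNATURES.items():
        if flow.first_bytes.startswith(prefixes):
            return app
    return "unknown"

def legacy_port_rule(flow):
    """Firewall Rule: ALLOW Port 25."""
    return "allow" if flow.dst_port == 25 else "deny"

def legacy_plus_app_ips(flow, blocked=("bittorrent",)):
    """Port rule first, then a blocklist: only named applications are denied."""
    if legacy_port_rule(flow) == "deny":
        return "deny"
    return "deny" if identify(flow) in blocked else "allow"

def app_id_rule(flow, allowed=("smtp",)):
    """Firewall Rule: ALLOW SMTP. Allowlist: everything else, unknown included, is denied."""
    return "allow" if identify(flow) in allowed else "deny"

# Constructed sample flows, all sent to TCP port 25.
FLOWS = [
    Flow("SMTP", 25, b"220 mail.example.test ESMTP\r\n"),
    Flow("Bittorrent", 25, b"\x13BitTorrent protocol" + bytes(8)),
    Flow("SSH", 25, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("C&C", 25, bytes.fromhex("a7f3019c44be")),  # matches no signature
]

def compare(flows=FLOWS):
    """Map each flow label to (port rule, port rule + app IPS, App-ID rule) verdicts."""
    return {f.label: (legacy_port_rule(f), legacy_plus_app_ips(f), app_id_rule(f))
            for f in flows}

if __name__ == "__main__":
    for label, v in compare().items():
        print(f"{label:10} port={v[0]:5} port+ips={v[1]:5} app-id={v[2]}")
```

The blocklist model only denies what it has been told to name, so SSH and the unrecognized flow pass on port 25, while the allowlist model denies them by default.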

Next Generation Closes the Loop for Threats
- Scan ALL applications, including SSL – Reduces attack surface, and provides context for forensics
- Prevent attacks across ALL attack vectors – Exploits, Malware, DNS, Command & Control, and URLs
- Detect zero day malware – Turn unknown into known, and update the firewall

Sandboxing for Turning Unknown into Known

Security Context from Next Generation
Policies:
- Allowing to on port 80 → does not provide context.
- Allowing Sales Users on Corporate LAN to access Salesforce.com but look for threats and malware inside the decrypted SSL tunnel, and easily seeing you have done so → is context.
Threats:
- Seeing you had 10 tunneling apps, 15 IPS hits, and 4 visits to malware sites → no context.
- Seeing Dave Smith visited a malware site, downloaded 0-day Malware, and his device is visiting other known malware sites, and using tunneling apps → that is context.

Next Generation and the Attack Kill-chain
Attack kill-chain:
1. Initial compromise
2. Deliver malware and communicate with attacker
3. Move laterally and infect additional hosts
4. Steal intellectual property
Prevent attacks by stopping one step in the kill-chain.
Stage labels: BREACH PERIMETER, DELIVER MALWARE, ENDPOINT OPERATIONS, EXFILTRATE DATA

Security Use Cases for Next Generation Security
- Mobile/BYOD Devices
- Internet Offload
- Identify & Control Violators
- Zero Day Protection
- Securing Microsoft Apps
- Audit & Compliance
- Zero Trust Networks
- Flexible HR Policies
- Virtual Desktops & Apps
- Application Visibility
- DNS Sinkhole
- Data Center Virtualization
- Targeted Attacks
- Emergency Networks
- SCADA Networks
- Windows & Mac Laptops
- Contractors / Partners
- Denial of Service Attacks
- Network Segmentation
- Windows XP Protection
- M&A / Divestitures / JV’s
- Traffic Control/QoS

20 Things Your Next Gen Security Must Do
1. Control applications and components regardless of Port or IP
2. Identify users regardless of IP address
3. Protect real-time against threats and exploits
4. Identify Circumventors (Tor, Ultrasurf, proxy, anonymizers)
5. Decrypt SSL Traffic
6. Packet shape traffic to Prioritize Critical Applications or De-Prioritize Unproductive applications
7. Visualize Application Traffic
8. Block Zero Day Malware, Botnets, C&C and APTs
9. Block Peer-to-Peer
10. Manage Bandwidth for a group of Users

20 Things Your Next Gen Security Must Do (continued)
11. Prevent or Monitor Data Leakage
12. Single Pass Inspection
13. Same security at mobile end-point
14. Central management console with relay logs & events
15. Policy for unknown traffic
16. Be cost effective by combining multiple functionalities
17. Deliver protection today, tomorrow, and in the future by being firmware upgradeable
18. Interface with other end-point solutions to have a consistent protection
19. Sinkhole DNS capabilities
20. Block based on URL
