Effective Security at the Core

Presentation on theme: "Effective Security at the Core"— Presentation transcript:

1 Effective Security at the Core
Ashraf Sheet | Infoblox Regional Manager MEA

2 Agenda
Security Landscape and the Disconnect
Security Challenges
Operational Challenges
DNS: The Malware Control Plane
DNS Attacks Affecting Availability
Infoblox Security at the Core
Summary and Next Steps

3 Today’s Security Landscape
400+ VENDORS

4 The Disconnect: Security You Want vs. Security You Often Get

5 Security Challenges and What They Lead To
Operational Challenges lead to: difficult, manual processes of trying to assemble data from disparate sources and take effective action
Malware using DNS as a Control Plane leads to: malware using DNS to call home and spread, and data exfiltration via DNS leading to financial and legal implications and loss of trust
Lack of Availability leads to: DDoS attacks disrupting service availability, leading to lost productivity and revenue

6 Operational Challenges
Silos, Lack of Visibility, Lack of Context, Lack of Automation
These challenges lead to rising costs of security operations, in addition to a poor security posture.
Making sure systems are operational. Examples: Is my logging system collecting all the data? Is the newly connected user compliant relative to my security devices?
Monitoring and visibility of the overall security situation: floods of alerts, way more than teams can handle; very hard to prioritize based on actual risk.
Incident handling and response: trying to decide the scope, severity and veracity of the threat; assembling data from disparate sources to decide what to do; the actual response: what actions to take and where?
Keeping up with the general threat landscape: trying to make sense of vendor and "expert" claims and advice.

7 Gartner’s View on Silos
Silos between network, edge, endpoint and data security systems and processes can restrict an organization's ability to prevent, detect and respond to advanced attacks.
Gartner, Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update, 29 March 2016

8 DNS The Malware Control Plane

APT/Malware
91% of malware uses DNS to carry out campaigns (1)
431M new unique pieces of malware in 2015 (2)
#1: Malware C&C is the #1 responsible vector for crimeware (3)
Intruders rely on DNS to infect devices, propagate malware and exfiltrate data. Malware is designed to spread, morph and hide within your IT infrastructure. The longer it takes to discover, the higher the cost of the damage.
Sources: 1. Cisco 2016 Annual Security Report; 2. Symantec 2016 Internet Security Threat Report; 3. Verizon 2016 Data Breach Investigations Report

10 Why is DNS a threat?
Diagram: INTERNET, Firewall/NGFW, IPS/IDS, Web Proxy/SPAM, APT/Sandbox, and your SIEM solution (e.g. Splunk) for centralized logging and reporting, in front of Biz IP/Data, DNS and DHCP.
DNS communicates via Port 53 and is NOT protected by these tools.

11 Motion of Malware through Networks: "PIE"
APT/malware uses DNS at every stage:
P, Penetration: query malicious domains and report to C&C
I, Infection: download malware to the infected host
E, Exfiltration: transport the data offsite
Malware uses DNS at various stages of the cyber kill chain to penetrate the network, infect devices and subsequently, through C&C callbacks, propagate malware laterally inside the network and even exfiltrate data. Hence, DNS security should be part of your defense-in-depth strategy.
"100% of malware uses DNS at some point in the infection process" - SANS Institute
Infection: malware can be delivered over DNS, HTTP, FTP, SMTP, or other methods. All of these methods require DNS lookups.
Exfiltration: "Almost 90 percent of firms have suffered an attack against their domain-name system infrastructure, and nearly half have detected data leaving their network through DNS." - Cloudmark 2014 report

12 Exfiltrating Data via DNS Tunneling
Uses DNS as a covert communication channel to bypass firewalls
Attacker tunnels other protocols like SSH or web within DNS
Enables attackers to easily insert malware, pass stolen data or tunnel IP traffic without detection
A DNS tunnel can be used as a full remote-control channel for a compromised internal host
Examples: Iodine, OzymanDNS, SplitBrain, DNS2TCP
Diagram: a client-side tunnel program inside the ENTERPRISE encodes IP traffic/data in DNS queries, which pass through the DNS server out to the INTERNET.

13 Data Exfiltration over DNS Queries
Sophisticated (zero-day):
Infected endpoint gets access to a file containing sensitive data
It encrypts and converts the info into an encoded format
Text is broken into chunks and sent via DNS using hostname.subdomain or TXT records
Exfiltrated data is reconstructed at the other end
Can use spoofed addresses to avoid detection
Simplified/unencrypted example (data exfiltration via host/subdomain): the infected endpoint inside the ENTERPRISE queries names such as NameMarySmith.foo.thief.com, <SSN>.foo.thief.com, <DOB>.foo.thief.com and <MRN>.foo.thief.com through the enterprise DNS server; the attacker-controlled server for thief.com (C&C) on the INTERNET receives the data and returns C&C commands.
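The hostname/subdomain pattern described on this slide (record fields encoded as the leftmost label under an attacker-controlled domain) shows up in resolver query logs as statistics a defender can compute per base domain. The following is an added example, not code from the presentation or from Infoblox; the log format, field names and thresholds are assumptions, and the query lines are constructed to mirror the slide's thief.com illustration.

```python
from collections import defaultdict

# Constructed sample resolver log (not from the presentation): "<client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
10.1.1.5 www.example.com A
10.1.1.5 mail.example.com MX
10.1.1.7 NameMarySmith.foo.thief.com A
10.1.1.7 SSN123456789.foo.thief.com A
10.1.1.7 DOB19800101.foo.thief.com TXT
10.1.1.7 MRN00442211.foo.thief.com TXT
10.1.1.7 4a6f686e446f652d.foo.thief.com TXT
10.1.1.9 cdn.example.com A
10.1.1.9 updates.vendor-example.net A
"""

def parse_log(text):
    # Skip malformed lines; normalise names so case or a trailing dot does not split a group.
    rows = [line.split() for line in text.splitlines()]
    return [{"client": c, "qname": q.rstrip(".").lower(), "qtype": t.upper()}
            for c, q, t in (r for r in rows if len(r) == 3)]

def base_domain(qname):
    # Last two labels; a real deployment would use the Public Suffix List instead.
    return ".".join(qname.split(".")[-2:])

def domain_stats(records):
    # Per base domain, the features a tunnel inflates: many distinct names,
    # long leftmost labels carrying the chunks, and a large share of TXT queries.
    groups = defaultdict(list)
    for r in records:
        groups[base_domain(r["qname"])].append(r)
    stats = {}
    for dom, recs in groups.items():
        leftmost = [r["qname"].split(".")[0] for r in recs]
        n = len(recs)
        stats[dom] = {"queries": n,
                      "unique_ratio": len({r["qname"] for r in recs}) / n,
                      "mean_label_len": sum(map(len, leftmost)) / n,
                      "txt_share": sum(r["qtype"] == "TXT" for r in recs) / n}
    return stats

def suspicious_domains(records, min_queries=3, min_label_len=10.0, min_unique=0.8, min_txt=0.5):
    # Flag domains whose query names look like chunked data rather than hostnames;
    # the thresholds are assumptions to be tuned against a site's own baseline.
    flagged = []
    for dom, s in domain_stats(records).items():
        chunked = s["mean_label_len"] >= min_label_len and s["unique_ratio"] >= min_unique
        if s["queries"] >= min_queries and (chunked or s["txt_share"] >= min_txt):
            flagged.append(dom)
    return sorted(flagged)
```

On the constructed log, `suspicious_domains(parse_log(SAMPLE_LOG))` flags only thief.com; example.com has enough queries but short, ordinary hostnames, and vendor-example.net is never judged because it has too few queries.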

14 DNS Attacks Affecting Availability

15 DNS Attacks Are Making Your Infrastructure Work Against You
78%: the most common service targeted by application layer attacks is now, for the first time, DNS (1)
84% of reflection/amplification attacks use DNS (1)
>$500: per-minute cost of internet downtime due to a DDoS attack (2)
$1.5M: average total cost per year to deal with denial of service attacks (2)
DDoS attacks can significantly affect service and application availability. Recovery is often complex and labor intensive.
Sources: 1. Arbor WISR 2016 Report; 2. Ponemon Institute Study, The Cost of Denial-of-Service Attacks, March 2015

16 DNS DDoS: Latest Attacks
Now let's take a closer look at what constitutes the DDoS attacks. 75% of the DDoS traffic consists of basic layer 3-4 infrastructure-based attacks, and DNS-based DDoS has quadrupled in just one year. Also, if you look at the stats for the top services targeted by application-layer attacks, DNS is at the top, only below HTTP.

17 Infoblox Security at the CORE

18 Ideal Security Solution
An ideal solution provides the following:
Reduced risk from malicious activity
Business and network context to help in prioritization of threats
Tight ecosystem integrations and APIs to share rich network data with existing security systems
Enhanced visibility of threats across diverse infrastructure: physical, virtual or cloud
Advanced threat intelligence with context
Automatic blocking of malicious activities at network control points (DNS)
Overcoming silos

19 Why Focus on DNS/DHCP/IPAM (DDI)?
Ubiquitous network infrastructure that can be used as enforcement points
Provides rich network data and device inventory info that can be leveraged by existing security solutions for incident response, quarantine and compliance
Provides context, which is important for prioritization
"Seek solutions with cross-product integration that enables improvements towards context-based decision making." Gartner, Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update

20 The DDI Data Gold Mine: IPAM, DHCP, DNS
DHCP, Device Audit Trail and Fingerprinting:
A DHCP assignment signals the insertion of a device on to the network
Includes context: device info, MAC, lease history
DHCP is an audit trail of devices on the network
IPAM, Application and Business Context:
Fixed IP addresses are typically assigned to high-value devices: data center servers, network devices, etc.
IPAM provides "metadata" via Extended Attributes: owner, app, security level, location, ticket number
Context for accurate risk assessment and event prioritization
DNS, Activity Audit Trail:
DNS query data provides a "client-centric" record of activity
Includes internal activity inside the security perimeter
Includes BYOD and IoT devices
This provides an excellent basis to profile device and user activity

21 Security Ecosystem Integration

22 Summary: Key Takeaways
Address security challenges starting at the CORE
Infoblox Security Solutions provide:
DNS Data Exfiltration Prevention
Malware Containment & Control
DNS Infrastructure Protection
Threat Intel with ActiveTrust

23 Next Steps: Path to Engagement
Security Assessment (PCAP)
DNS Data Exfiltration Assessment

24 Q&A

