2015 Security Conference: Ash Patel, Intel Security
TRANSCRIPT
2015 Security Conference
Ash Patel, Intel Security
.
McAfee Next Generation Firewall and Security Connected Threat Ecosystem ~ Logicallis Security Conference 2015
Ashish Patel – Network Security Regional Director
.
Threats Are Getting Through
469,000 unique malware samples discovered weekly
83% of organizations hit by Advanced Persistent Threats
Mobile malware grew 30%, with 99% of it targeting Android
Rootkit attacks return to growth
Subverting digital signatures becoming more common
Fastest growing non-mobile malware is ransomware
Use of Advanced Evasion Techniques growing to get old and new malware through legacy defenses
.
Firewall & NGFW Evolution (chart: completeness of security over time, 1988 to 2014)
Traditional FW: inspection
First NGFW: application and user awareness
Performance Enhanced NGFW: central management for large networks; high availability; advanced evasion protection
"Connected" NGFW: connected to endpoint security; connected to SIEM; connected to advanced threat detection; connected to real-time global threat database
.
"Insanity: doing the same thing over and over again and expecting different results."
"We cannot solve our problems with the same thinking we used when we created them."
– Albert Einstein
.
McAfee Differentiators
Unified Software Core
Strong Centralized Management
High Availability
Advanced Evasion Prevention
Security Connected
.
McAfee NGFW as part of the ecosystem: Security Connected Integrations
Information exchange between network, endpoint and global threat information for superior protection
McAfee Advanced Threat Defense: superior malware detection against zero-day threats
McAfee ESM (SIEM): continuous monitoring of the whole network security, including NGFW
McAfee endpoint: visibility to the endpoint; endpoint information used in policy enforcement
McAfee Global Threat Intelligence: comprehensive threat information for file reputations
McAfee NGFW
.
Global Threat Intelligence (GTI): Threat Reputation
Volumes: 300M IPS attacks/mo.; 2B botnet C&C IP reputation queries/mo.; 20B message reputation queries/mo.; 2.5B malware reputation queries/mo.
Sources: Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS, 3rd party feeds, geolocation feeds
Reputation dimensions: network activity, affiliations, ports/protocol, IP address, web reputation, URL, web activity, sender reputation, mail activity, email address, file reputation, DNS server, application, domain, data activity, geo-location
.
Unified Software Core: Flexible Delivery
Adjustable security levels support a wide variety of deployment scenarios
Performance levels are maintained even with deep packet inspection enabled
Roles: Next Generation Firewall, Firewall, Layer 2 Firewall, IPS, VPN
Segments: Military, Global, Enterprise, Commercial, SMB
Form factors: software, virtual, physical
.
Single Pane of Glass for Security Management: enabler for accuracy, efficiency and better use of time
McAfee Security Management Center (SMC)
One unified appliance: FW/VPN, IPS, L2FW, NGFW
Platforms and locations: virtual (cloud), physical, hybrid
Security Connected: McAfee ESM, McAfee EIA, McAfee ePO
.
Efficient Centralized Management: Plug-and-Play Deployment for remote site rollouts
1. Initial configurations are uploaded from the McAfee SMC to the Installation Cloud
2. The preconfigured McAfee NGFW connects to the Installation Cloud and calls home
3. Initial configuration is pushed from the cloud; policy is pushed from the SMC
Cut deployment time from weeks and days to minutes
.
WHY WORRY TODAY? How do AETs score against leading next generation network security products?
7 test cases (Conficker worm): share of AET-borne attacks that succeeded (undetected)
Divide exploit in IP fragments: 70%
Divide exploit in TCP segments: 90%
Using grey areas of protocols to hide the exploit: 90%
Change byte encoding methods: 40%
TCP segmentation and re-ordering: 80%
TCP segmentation and re-ordering + urgent data: 90%
Sending TCP payload with old timestamps (PAWS): 80%
.
DEFINITIONS
APT (Advanced Persistent Threat): "A highly motivated attacker implementing a targeted attack. Uses multiple hacking methods and advanced malware in order to penetrate, and stay stealthy, for a long period of time. Often uses AETs to improve the penetration success rate."
Evasive & advanced malware (for host-based attacks): "Any kind of malware designed and developed to operate and stay undetected while it has penetrated end points and target hosts."
AET (network-based Advanced Evasion Technique): "A specific hacking technique that has been developed to bypass all security devices and deliver a malicious code or exploit to its target undetected. AETs can be used to deliver known and unknown exploits and malicious content."
.
AETs SUPPORT THE HACKER BUSINESS CASE
Improve ROI: when buying and developing new exploits, hackers can improve ROI substantially by using AETs. They can also recycle existing malicious payloads by using AETs.
Access all areas: by using AETs hackers can penetrate deep into the network.
Do not get caught: ... and they can do it undetected, with stealth.
.
Advanced Evasion Prevention: Fundamental Difference in Traffic Inspection
Traditional inspection architecture: the exploit arrives split across packets ("ta", "t a", ...) and per-packet inspection never sees the whole string: ?
McAfee NGFW stream-based full stack normalization: protocol agents reassemble the pieces ("tack at", "ck") into one data stream, where "attack" is visible: !
Full-stack visibility: McAfee decodes and normalizes traffic on all protocol layers
Normalization-based evasion removal: the normalization process removes evasions before data stream inspection
Application data stream-based detection: vulnerability-based fingerprints detect exploits in the normalized application-level data streams
In-house research and tools: evasion-proof product quality assured with automated evasion fuzzing tests
Updates and upgrades: anti-evasion technology automatically updated in NGFW
.
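To make the difference between the two inspection architectures concrete, here is an added illustration covering both the AET test-case slide above (TCP segmentation, re-ordering, stale timestamps / PAWS) and this normalization slide. It is not McAfee or Intel code and not taken from the deck. A naive per-packet matcher is compared with a small reassembler that rebuilds the stream the way the receiving host will, applying the PAWS rule from RFC 7323 and refusing to bridge holes. The Segment model, sequence numbers, timestamp values and the marker string "attack" (standing in for a vulnerability fingerprint) are all constructed so the script runs offline.

```python
"""Stream normalization vs. per-packet inspection against AET-style splitting.

Added illustration only (not McAfee/Intel code).  Segments, sequence numbers,
timestamp values and the marker string "attack" are all constructed so the
script runs offline; "attack" stands in for a vulnerability fingerprint.
"""
from dataclasses import dataclass

SIGNATURE = b"attack"


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    tsval: int      # TCP timestamp option value (RFC 7323)
    payload: bytes


def packet_inspector(segments):
    """Legacy approach: match the fingerprint against each segment on its own.
    Misses any exploit that is split across segment boundaries."""
    return any(SIGNATURE in s.payload for s in segments)


def normalize_stream(segments, isn, paws=True):
    """Rebuild the byte stream as the receiving host will see it.

    Segments are processed in arrival order.
    - PAWS (paws=True): a segment whose tsval is older than the newest tsval
      already accepted is discarded, as RFC 7323 requires; the host drops it,
      so the inspector must drop it too or it reassembles decoy bytes.
    - Overlaps: the first accepted byte at a position wins, later data only
      fills holes (real stacks differ; an NGFW should follow the target's
      policy, this is one reasonable choice).
    - Reassembly stops at the first hole so no unseen bytes are invented.
    """
    ts_recent = None
    byte_at = {}
    for s in segments:
        if paws and ts_recent is not None and s.tsval < ts_recent:
            continue  # stale timestamp: the host would discard this segment
        ts_recent = s.tsval
        for i, b in enumerate(s.payload):
            byte_at.setdefault(s.seq + i, b)
    out = bytearray()
    pos = isn
    while pos in byte_at:
        out.append(byte_at[pos])
        pos += 1
    return bytes(out)


def stream_inspector(segments, isn, paws=True):
    """NGFW-style approach: normalize first, then match on the stream."""
    return SIGNATURE in normalize_stream(segments, isn, paws)


ISN = 1000  # constructed initial sequence number of the client's data

# Case A: "divide exploit in TCP segments" plus re-ordering: the tail arrives
# before the head, and neither segment contains the whole fingerprint.
CASE_SPLIT = [Segment(1003, 50, b"ack\r\n"), Segment(1000, 50, b"att")]

# Case B: "TCP payload with old timestamps (PAWS)": a decoy segment with a
# stale tsval (10 < 40) overlaps the real data.  The host discards it; an
# inspector that ignores PAWS keeps the decoy and never sees "attack".
CASE_PAWS = [
    Segment(1000, 40, b"GET "),
    Segment(1004, 10, b"xxx"),   # stale decoy, dropped by the host
    Segment(1004, 41, b"att"),
    Segment(1007, 41, b"ack"),
]

# Case C: a hole in the stream; reassembly must not bridge it.
CASE_HOLE = [Segment(1000, 60, b"att"), Segment(1005, 60, b"ck")]

if __name__ == "__main__":
    for name, segs in (("split", CASE_SPLIT), ("paws", CASE_PAWS), ("hole", CASE_HOLE)):
        print(f"{name:5} packet={packet_inspector(segs)!s:5} "
              f"stream={stream_inspector(segs, ISN)!s:5} "
              f"stream_no_paws={stream_inspector(segs, ISN, paws=False)!s:5} "
              f"bytes={normalize_stream(segs, ISN)!r}")
```

The PAWS case is the one worth studying: an inspector that reassembles faithfully but does not model the host's timestamp check ends up with the decoy bytes and reports nothing, which is exactly the "sending TCP payload with old timestamps" row on the test slide. The overlap policy is the other place where inspector and target can disagree; a production normalizer has to know which stack it is protecting.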
Advanced Evasion Prevention: evader.mcafee.com Device Testing
With Evader, getting access to the "protected" network is as simple as:
1. Select the exploit
2. Identify the attack target (Cisco, Palo Alto Networks, Check Point, Fortinet, Juniper, Sourcefire, TippingPoint)
3. Select the evasion technique
.
High Availability: Risk Mitigation vs. Resilience
Full stack resilience enabling business continuity
Clustering / load balancing: site resilience enabling in-service upgrades
Link / VPN failovers across service providers: connectivity resilience
Management HA: management resilience
.
High Availability: Native Active-Active Clustering
99.999% uptime
Up to 16 nodes (Node 1, Node 2, ... Node 16) in one cluster behind the Internet link, running a mix of hardware and software versions
"I can upgrade a FW cluster without dropping a single packet" – McAfee NGFW customer
.
High Availability: Augmented VPN for enterprise-level site-to-site connectivity
Cost-effective alternative to MPLS with security included
Diagram: HQ to distant sites over three 8 Mbps links (MPLS, ADSL, ISP A / ISP B) aggregated: 8 Mbps + 8 Mbps + 8 Mbps = up to 24 Mbps
.
McAfee Next Generation Firewall Portfolio: perfect fit for various locations and hybrid environments
Branch office, ruggedized appliance: wet, dust and shock proof design; temperature hardened
Desktop appliances: modular and fixed designs; integration of access technologies
Rack installable appliances: modular and adaptable; high speed interfaces
Virtual and software appliances: high system performance; support for various platforms
Unified platform, full NGFW functionality
.
"McAfee Next Generation Firewall does 99% of our network configuration, reducing what used to take hours to minutes."
– Julian Dyer, Chief Technical Officer, COBWEB
.
Certified and Validated by 3rd Parties (see more at www.mcafee.com/ngfw)
Certifications
Validations
.
Extends the Connected Firewall capabilities by connecting the Firewall with End-Point Intelligence
Provides new flexibility to Virtualized Data Centers
.