
Page 1: Network Security Missing Gapa-1.pdf · –ASERT has seen 2.63B unique IPv4 addresses (~71% theoretical) –(2^32 – 588,514,304) public addresses –ASERT monitors 1.76M “dark”

Network Security Missing Gap

Tony Teo

Regional SE Director – APAC

[email protected]

Page 2

Existing Solutions Have Critical Gaps

Diagram: service providers (CDNs, mobile carriers, SaaS, cloud providers) on one side and the enterprise (perimeter, mobile/WiFi employees, remote offices, internal apps, corporate servers) on the other, facing two threat types (DDoS, advanced threat), with three gap callouts:

• Never see the external threat traffic
• Can’t withstand a direct attack
• Never see the threat already inside the enterprise

Page 3

DDoS Challenges

Page 4

Weak in DDoS

Countermeasure can be DDoSed

• Firewalls, IPS, WAFs and load balancers have a stateful architecture
• Small-packet traffic can spike CPU resources

Not optimized for DDoS protection

• Add-on DDoS features are not effective against complex application-layer DDoS attacks.
• Signature-based detection is effective against flood attacks
• Cannot protect against DDoS of the upstream ISP link.

Page 5

Modern DDoS Attacks Are Complex & Diverse

Today’s DDoS attacks can cause (1) saturation upstream, (2) state exhaustion, or (3) service outages – many times a single attack can result in all three – and all with the same end result: critical services are no longer available!

Diagram (The Broad Impact of DDoS Attacks): attack traffic and good traffic arriving at the data center through the IPS and load balancer.

Page 6

Total DDoS Protection

Diagram: the service-provider and enterprise topology from page 2, with Arbor Cloud (ATLAS), Peakflow SP/TMS and Cloud Signaling on the service-provider side (“stop the threat”), the Pravail Availability Protection System at the enterprise perimeter (“see and stop the threat anywhere”) and a Threat Dashboard. The remaining gap callout is “Never see the threat already inside enterprise”.

Page 7

MAINTAINS LEAD IN OVERALL MARKET AND HIGH-GROWTH SEGMENTS

In 1Q14 total DDoS prevention appliance revenue, Arbor ranks first with 48.8%; they maintain a strong leadership position despite having a wide range of challengers.

Chart: DDoS Prevention Worldwide Quarterly Revenue Market Share, 3Q13

Source: DDoS Prevention Appliances Biannual Worldwide and Regional Market Share, Size, and Forecasts: 1st Edition, Report Excerpts, June 2014, by analyst Jeff Wilson

Page 8

Competitive Landscape

Chart: Competitive Landscape, Total DDoS Mitigation Market: Global, 2013 (axes: Market Penetration vs. Meets Market Demands; quadrants: Emerging Competitor, Market Contender, Market Challenger, Market Leader). Vendors plotted: Arbor Networks, Black Lotus, Corero Network Security, Prolexic, Radware, Huawei, Verisign, Juniper Networks, Neustar, NSFOCUS, Fortinet, Imperva (Incapsula), Rio Rey, Akamai.

Key takeaway: Changing technologies and customer requirements leave significant potential for advancement in the competitive landscape.

Source: A custom excerpt from Frost & Sullivan’s Global DDoS Mitigation Market Research Report (NDD2-72), July 2014

Page 9

ASERT Datasets: ATLAS Sensors

1. ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity.

2. This information is sent to an ATLAS central repository where it is combined with Arbor Peakflow, third-party, and vulnerability data.

3. ASERT analyzes the combined data and converts it into actionable intelligence, which is posted on the ATLAS public portal.

Page 10

The Arbor ATLAS Initiative

290+ ISPs sharing real-time data
– Automated hourly export of XML file to Arbor server (HTTPS)
– File is anonymous, only tagged with
  – User Specified Region, e.g. Europe
  – Provider Type (self categorized), e.g. Tier 1

Arbor has an extensive sharing network
– Over a hundred national CERT teams (~50% coverage)
– Large cross-section of the security industry, through various sharing groups
– ATLAS portal has 711 unique users, registering 6,006 ASNs for reporting

ATLAS Factoids
– ASERT has data for 44,570 ASNs of 45,369 ASNs total (~98%)
– ASERT has seen 2.63B unique IPv4 addresses (~71% of theoretical)
  – (2^32 – 588,514,304) public addresses
– ASERT monitors 1.76M “dark” IPv4 addresses
– The 6,006 ASNs provided ASERT intelligence maps to 1.25B IPv4 hosts (48%)

120+ TB (approx. 1/3 of daily world Internet traffic)

Page 11

Did you know?

Arbor Networks collaborated with Google Ideas to create the Digital Attack Map (www.digitalattackmap.com), a data visualization that maps global distributed denial of service (DDoS) attacks.

This Attack Map leverages Arbor’s ATLAS data, allowing users to explore historical trends in DDoS attacks and make the connections to related news on any given day.

Page 12

Global Intelligence. Local Protection.

We see things others can’t

Page 13

DDoS campaigns & Advanced Threats

• IP reputation feed for active DDoS campaigns
• IP & DNS reputation for advanced threats

Diagram: ASERT publishes the AIF Reputation Feed; attack traffic and good traffic from ISP 1, ISP 2 … ISP n reach the data center (IPS, load balancer) in front of the target applications & services.

Page 14

ATLAS Intelligence Feeds: DDoS & Malware Detection

AIF Standard Feed Support Capabilities: DDoS Threats, IP Geo-Location, Web Crawler Identification, Command and Control, Malware

AIF Advanced Feed Support Capabilities: Location-Based Threats, Email Threats, Targeted Attacks, Mobile

• Incorporates Domain & IP Reputation data to expand breadth of coverage
• Improves accuracy of attack detection
• Establishes confidence levels based on real-time Internet activities
• Provides continuous research on known threats

Page 15

Multi-Tier DDoS: The Cloud Signaling

Unite the Enterprise and Service & Cloud Providers via Arbor’s Cloud Signaling Coalition

Diagram: the Arbor Peakflow SP / TMS-based DDoS service (Arbor Cloud) at the Internet Service Provider, Arbor Pravail APS in the data center network in front of the Firewall / IPS / WAF and the public-facing servers, subscriber networks on either side, and a Cloud Signaling Status indicator.

1. Service Operating Normally
2. Attack Begins & Blocked by Pravail
3. Attack Grows Exceeding Bandwidth
4. Cloud Signal Launched
5. Customer Fully Protected!
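The five-step sequence above, as an added illustration that is not code from the slides or from Arbor’s products: a small model of the decision the on-premise device has to make (block locally while the link and its own scrubbing capacity suffice, signal upstream once the attack exceeds them). Link size, scrubbing capacity and the traffic series are constructed figures.

```python
from dataclasses import dataclass, field

@dataclass
class CloudSignalingModel:
    """Tracks which of the five slide stages the protected site is in."""
    link_capacity_mbps: float        # upstream ISP link size (assumed figure)
    local_mitigation_mbps: float     # attack volume the premise device can scrub (assumed)
    signal_raised: bool = False
    log: list = field(default_factory=list)

    def observe(self, t, good_mbps, attack_mbps):
        """Classify one measurement interval and decide whether to signal upstream."""
        if self.signal_raised:
            # Once the provider scrubs upstream, the premise device only sees clean traffic.
            status = "5. Customer Fully Protected!"
        elif attack_mbps == 0:
            status = "1. Service Operating Normally"
        elif (good_mbps + attack_mbps <= self.link_capacity_mbps
              and attack_mbps <= self.local_mitigation_mbps):
            # The premise device can absorb this: block locally, no signal needed.
            status = "2. Attack Begins & Blocked by Pravail"
        else:
            # Link saturated or local scrubbing capacity exceeded: blocking at the
            # premise cannot free the pipe, so mitigation must move upstream.
            status = "3. Attack Grows Exceeding Bandwidth"
            self.log.append((t, status))
            status = "4. Cloud Signal Launched"
            self.signal_raised = True
        self.log.append((t, status))
        return status

def run_demo():
    """Constructed traffic series (Mbps per interval) ramping past a 1 Gbps link."""
    model = CloudSignalingModel(link_capacity_mbps=1000, local_mitigation_mbps=600)
    series = [(0, 200, 0), (1, 200, 300), (2, 200, 500), (3, 200, 1500), (4, 200, 3000)]
    for t, good, attack in series:
        model.observe(t, good, attack)
    return model.log
```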

Page 16

Advanced Threat Challenges

Page 17

What is dwell time?

Dwell time refers to how much time attackers have spent inside your system before discovery and mitigation.

Attacks in the later stages of the kill chain are taking up residence in your network. Once inside the network, attacks get more difficult to track and identify.

Page 18

Time Lapsed Detecting An Advanced Threat

Diagram: threat detected after 291 days; stages 1. Recon, 2. Gets in, 3. Spreads, 4. Command out, 5. Steals/acts.

Page 19

APT Operation – Long Term Objective

Page 20

Why Pravail Security Analytics

Purpose-built “hunting” solution to empower your security teams

1. Easy to deploy
2. Full context of an attack in minutes
3. See attacks as they happen
4. Loops data to reveal undetected attacks
5. ATLAS delivers high-fidelity security intelligence based on global attack traffic.

Page 21

Pravail Security Analytics Operation

Pipeline: Packet Capture → Security Intelligence → Big Data Engine → Data Looping → Security Report

Page 22

Pravail Security Analytics Data Looping

Pipeline: Packet Capture → Security Intelligence → Big Data Engine → Data Looping → Security Report

Page 23

Pravail Security Analytics for 0 Day Exploit Hunting

Diagram: Month 1, Month 2 and Month 3 Traffic/PCAP accumulate into the total analytics data after 1, 2 and 3 months; the Zero Day attack sits within the captured traffic. Two passes loop all traffic with a detection capability update that has no signature for the Zero Day attack: Zero Day not found. A later pass loops all traffic with a detection capability update INCLUDING the signature for the Zero Day attack: Zero Day FOUND. Now that the Zero Day attack has been identified, the attack timeline can be established.

Page 24

Hunting 0-Day Attack

Page 25

0 Day Vulnerabilities / Attack Challenges

t=0: 0 Day Vulnerability Discovered by Hacker

Page 26

0 Day Vulnerabilities / Attack Challenges

t=0: Good guy UNAWARE of New 0 Day Vulnerability

Page 27

0 Day Vulnerabilities / Attack Challenges

t=0 … t=3: 0 Day Exploit Launched

Page 28

0 Day Vulnerabilities / Attack Challenges

t=3 … t=5: CnC

Page 29

0 Day Vulnerabilities / Exploits Challenges

• What do you do when you receive a vulnerability disclosure?
• Patch affected system

t=0 … t=50

Page 30

0 Day Vulnerabilities / Attack Challenges

Timeline: t=0, t=3, t=50, t=53 (PROTECTED); NO PROTECTION before that.

Page 31

Traditional Security Solution for 0 Day Exploit Hunting

Mean time to detect 0 Day Attack timeline = Never ?

Diagram: perimeter (FW, IPS, WAF, SandBox) and internal network (AV, hosts, logs, packet capture, SIEM); each control produces Block / Alert, and the SIEM produces a correlated Block / Alert only at t > 50. Timeline: t=0, t=3, t=50.

Page 32

Pravail Security Analytics for 0 Day Exploit Hunting

Diagram: Month 1, Month 2 and Month 3 Traffic/PCAP accumulate into the total analytics data after 1, 2 and 3 months; the Zero Day attack sits within the captured traffic. Two passes loop all traffic: Zero Day not found. A later pass loops all traffic: Zero Day FOUND. Now that the Zero Day attack has been identified, the attack timeline can be established.

Timeline: t=0, t=3, t=50

Attack Dwell Time

Mean time to detect a 0 Day attack timeline = Minutes
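The data looping idea on pages 23 and 32, as an added illustration that is not code from the slides or from Arbor’s products: retained traffic records are re-scanned every time the detection capability is updated, so an exploit that had no signature when it was captured is found once a signature exists, and the first hit gives the infection point and the dwell time. The records, the `ZD-PATTERN-7731` / `beacon id=7731` markers and the two signature sets are constructed; days follow the slides’ t=3 (exploit), t=5 (CnC), t=50 (disclosure) timeline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    t: int           # capture day on the slides' timeline (t=0, t=3, t=50 ...)
    src: str
    dst: str
    payload: bytes

# Constructed retained traffic: benign flows plus the 0-day exploit at t=3 and
# its command-and-control beacon at t=5, matching the slide timeline.
RETAINED = [
    Record(1, "10.0.0.5", "10.0.1.20", b"GET /index.html"),
    Record(3, "203.0.113.9", "10.0.1.20", b"POST /upload ZD-PATTERN-7731"),
    Record(5, "10.0.1.20", "198.51.100.4", b"beacon id=7731"),
    Record(12, "10.0.0.8", "10.0.1.20", b"GET /login"),
]

def loop_all(records, signatures):
    """Re-scan every retained record with the current signature set (the 'loop')."""
    hits = []
    for rec in records:
        for name, pattern in signatures.items():
            if pattern in rec.payload:
                hits.append((rec.t, name, rec.src, rec.dst))
    return sorted(hits)

def timeline(hits, detected_at):
    """Infection point = earliest hit; dwell time = detection day - infection day."""
    if not hits:
        return None
    first = hits[0][0]
    return {"infection_day": first, "stages": hits, "dwell_days": detected_at - first}

# Detection capability update at t=30: no signature for the 0-day yet.
V1 = {"known-worm": b"OLD-WORM-MARKER"}
# Detection capability update at t=50 (after disclosure): 0-day signatures added.
V2 = dict(V1, zero_day_7731=b"ZD-PATTERN-7731", cnc_7731=b"beacon id=7731")

def hunt():
    """Loop the same retained data with each capability update as it arrives."""
    before = timeline(loop_all(RETAINED, V1), detected_at=30)   # None: not found
    after = timeline(loop_all(RETAINED, V2), detected_at=50)    # found, dwell 47 days
    return before, after
```

The point the slides make is the second half: with the records retained, the t=50 update does not start the clock at t=50 but reaches back to the t=3 infection and the t=5 beacon.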

Page 33

0 Day Vulnerabilities / Attack Challenges

t=0 … t=3: 0 Day Exploit Launched – Attack Infection Point !!

Page 34

0 Day Vulnerabilities / Attack Challenges

t=3 … t=5: CnC

Page 35

Arbor’s Solution Bridges the Gaps

Pravail: Detect, Play, Pause & Rewind the threat / attack lurking inside the enterprise

Diagram: the service-provider and enterprise topology from page 2 (CDNs, mobile carriers, SaaS, cloud providers; enterprise perimeter, mobile/WiFi employees, remote offices, internal apps, corporate servers) with a Threat Dashboard and Security Analytics inside the enterprise, next to the gap callouts “Can’t withstand a direct attack” and “Never see the external threat traffic”.

Page 36

Page 37

Arbor Overview

Arbor Networks-Wide Product Portfolio: DDoS, Advanced Threats, Arbor Cloud, Cloud Signaling

Diagram: ~100 Tbps visibility across public clouds, corporate networks, mobile carriers, private clouds and service providers, distinguishing good traffic from malicious traffic & malware originating from a mobile user/attacker or an internal employee; products placed: NSI, Mobile SP, SP/TMS, ATLAS/ASERT, APS, SA.

• 40% of global internet traffic monitored by ATLAS
• 90% of Tier 1 and 70% of Tier 2 Service Providers
• 13+ years of experience delivering innovative security technologies

Page 38

Thank You