TRANSCRIPT
“Next Generation Security”
ISACA June Training Seminar
Philip Hurlston
6/20/14
Agenda
• Today’s threat landscape is next generation
• Definition of Next Generation Security
• What really makes it different
• 20 things your next generation security must do
• Closing & Questions
Today’s Threat Landscape
Attackers: organized, increasing volume, sophisticated
CSO challenges:
• Remediation is broken
• Must prevent attacks across perimeter, cloud and mobile
• Limited correlation across disjointed security technologies
• Limited security expertise
SaaS - Apps are moving off the network
CLOUD + VIRTUALIZATION - Servers are moving to private and public clouds
ENCRYPTION - Traffic is increasingly being encrypted
• Over 27% of applications can use SSL encryption
• Which represents nearly 25% of enterprise bandwidth
MOBILITY - Users are moving off the network
• Over 300 new malicious Android APKs discovered per week by our Threat Research Team
Enterprise Risk: BEFORE vs. TODAY’S APT
BEFORE - Known threats:
• Clear-text
• Limited or known protocols
• Known malware & exploits
• Known vulnerabilities
• Known command-and-control
TODAY’S APT:
• Sophisticated & multi-threaded
• SSL encryption
• Changing application environment
• Zero-day exploits/vulnerabilities
• Unknown & polymorphic malware
• Evasive command-and-control
• Lateral movement
COMMODITIZATION OF THREATS - Advanced tools available to all
Tectonic Shifts Create the Perfect Storm
• SOCIAL + CONSUMERIZATION
• SaaS
• CLOUD + VIRTUALIZATION
• MOBILITY + BYOD
• ENCRYPTION
• COMMODITIZATION OF THREATS
Massive opportunity for cyber attackers
Target data breach – APTs in action
1. Recon on companies Target works with
2. Spear phishing of a third-party HVAC contractor
3. Breached Target with stolen payment credentials
4. Moved laterally & installed POS malware
5. Compromised an internal server to collect customer data
6. Exfiltrated data to C&C servers over FTP
7. Maintained access throughout
Definition of a Next Generation Firewall (NGFW)
From the Gartner IT Glossary, an NGFW is a deep-packet inspection firewall that:
• Moves beyond port/protocol inspection and blocking,
• Adds application-level inspection,
• Adds intrusion prevention, and
• Brings intelligence from outside the firewall.
Definition of a Next Generation Firewall (NGFW)
Should not be confused with:
• A stand-alone network intrusion prevention system (IPS), which includes a commodity or non-enterprise firewall, or
• A firewall and IPS in the same appliance that are not closely integrated.
20 Years of Security Technology Sprawl
• Ports and IP addresses aren’t reliable anymore
• More stuff has become the problem
• Too many policies, limited integration
• Lacks context across individual products
[Diagram: Enterprise Network - URL filter, AV, IPS, DLP, Sandbox, Proxy and UTM stacked as separate boxes - Internet]
Sample of a True Next Generation Architecture
• Single Pass
• Identifies applications
• User/group mapping
• Threats, viruses, URLs, confidential data
• One policy to manage
• Correlates all security information to Apps and Users
Next Generation vs. Legacy Firewalls
App-ID firewall rule: ALLOW SMTP
• SMTP = SMTP: Allow
• Bittorrent ≠ SMTP: Deny
• Visibility: Bittorrent detected and blocked
Legacy firewall rule: ALLOW Port 25
• SMTP packet on Port 25: Allow
• Bittorrent packet on Port 25: Allow
• Visibility: Port 25 allowed

Next Generation vs. Legacy Firewall + App IPS
App-ID firewall rule: ALLOW SMTP
• SMTP = SMTP: Allow
• Bittorrent ≠ SMTP: Deny
• Visibility: Bittorrent detected and blocked
Legacy firewall rule: ALLOW Port 25, plus Application IPS rule: Block Bittorrent
• SMTP packet on Port 25: Allow
• Bittorrent: Deny (IPS signature)
• Visibility: Bittorrent detected and blocked

Next Generation vs. Legacy Firewall + App IPS - SSH, Skype and Ultrasurf on Port 25
App-ID firewall rule: ALLOW SMTP
• SSH ≠ SMTP: Deny
• Skype ≠ SMTP: Deny
• Ultrasurf ≠ SMTP: Deny
• Visibility: each app detected and blocked
Legacy firewall rule: ALLOW Port 25, plus Application IPS rule: Block Bittorrent
• Packet on Port 25: Allow
• Packet ≠ Bittorrent: Allow (SSH, Skype and Ultrasurf pass)
• Visibility: Packets on Port 25 allowed

Next Generation vs. Legacy Firewall + App IPS - Command & Control on Port 25
App-ID firewall rule: ALLOW SMTP
• Command & Control ≠ SMTP: Deny
• Visibility: Unknown traffic detected and blocked
Legacy firewall rule: ALLOW Port 25, plus Application IPS rule: Block Bittorrent
• Packet on Port 25: Allow
• C & C ≠ Bittorrent: Allow
• Visibility: Packet on Port 25 allowed
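The four slides above contrast three enforcement models: a port rule, a port rule with an IPS block-list bolted on, and an application allow-list. The following is an added example, not code from the seminar or from any vendor's product, that runs the same four flows (SMTP, Bittorrent, SSH, an unidentifiable C&C beacon, all on TCP/25) through all three models. The application-identification heuristics (a handful of first-bytes patterns), the sample payloads and the function names are assumptions made for illustration; a real App-ID engine uses far richer decoders and keeps classifying across the whole session.

```python
"""Toy comparison of three enforcement models on traffic arriving on TCP/25.

Added example, not code from the seminar or from any vendor's product.
The application-identification heuristics (first-bytes patterns) and the
sample flows below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client (constructed samples)


# --- Toy "App-ID": classify by what the flow carries, not by which port it uses.
# These patterns are an assumption; real products decode far more than this.
def identify_app(flow: Flow) -> str:
    p = flow.payload
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if p.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    if p.startswith((b"GET ", b"POST ")):
        return "web-browsing"
    return "unknown"  # anything we cannot name, e.g. a custom C&C protocol


# --- Model 1: legacy stateful firewall. Rule: ALLOW port 25.
def legacy_port_policy(flow: Flow) -> str:
    return "allow" if flow.dst_port == 25 else "deny"


# --- Model 2: legacy firewall + application IPS. Negative model: port 25 is
# open and a signature block-list removes only the apps it has signatures for.
IPS_BLOCKLIST = {"bittorrent"}


def legacy_plus_ips_policy(flow: Flow) -> str:
    if legacy_port_policy(flow) == "deny":
        return "deny"
    return "deny" if identify_app(flow) in IPS_BLOCKLIST else "allow"


# --- Model 3: next-generation firewall. Positive model: ALLOW app "smtp".
# Anything not positively identified as SMTP is denied, including traffic
# the firewall cannot identify at all (the "policy for unknown traffic").
ALLOWED_APPS = {"smtp"}


def ngfw_app_policy(flow: Flow) -> str:
    return "allow" if identify_app(flow) in ALLOWED_APPS else "deny"


# Constructed sample flows, all on port 25 as in the slides' scenario.
SAMPLE_FLOWS = {
    "smtp": Flow(25, b"EHLO mail.example.test\r\n"),
    "bittorrent": Flow(25, b"\x13BitTorrent protocol" + bytes(8) + bytes(40)),
    "ssh": Flow(25, b"SSH-2.0-OpenSSH_6.6\r\n"),
    "cnc": Flow(25, b"\x00\x17\x8a\x01beacon|host=wks-42|"),  # made-up C&C beacon
}


def evaluate(flows=SAMPLE_FLOWS) -> dict:
    """Return {flow_name: {model_name: verdict}} for every model."""
    models = {
        "legacy_port": legacy_port_policy,
        "legacy_plus_ips": legacy_plus_ips_policy,
        "ngfw_app": ngfw_app_policy,
    }
    return {name: {m: fn(f) for m, fn in models.items()} for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:10s} app={identify_app(SAMPLE_FLOWS[name]):12s} {verdicts}")
```

Two caveats a practitioner should keep in mind: identification needs to see payload, which is why the SSL decryption item later in this deck is a precondition rather than an optional feature; and an identifier that only looks at the first bytes can be fooled by a client that speaks valid SMTP for the opening exchange and then switches protocols, so the positive model only holds if classification continues for the life of the session.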
Next Generation Closes the Loop for Threats
• Scan ALL applications, including SSL – reduces the attack surface and provides context for forensics
• Prevent attacks across ALL attack vectors – exploits, malware, DNS, command & control, and URLs
• Detect zero-day malware – turn unknown into known, and update the firewall
Sandboxing for Turning Unknown into Known
Security Context from Next Generation
Policies:
• Allowing 10.1.2.4 to 148.62.45.6 on port 80 does not provide context.
• Allowing Sales users on the corporate LAN to access Salesforce.com, while looking for threats and malware inside the decrypted SSL tunnel, and easily seeing that you have done so, is context.
Threats:
• Seeing that you had 10 tunneling apps, 15 IPS hits, and 4 visits to malware sites is not context.
• Seeing that Dave Smith visited a malware site, downloaded 0-day malware, and that his device is now visiting other known malware sites and using tunneling apps, is context.
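The difference between the two "Threats" views above is correlation: the same events either summed into bare totals or attached to a user and put in time order. The following is an added example, not code from the seminar or from any product, that does both over a handful of constructed firewall log lines. The comma-separated layout, the category names (malware-site, sandbox-malicious, tunneling, ips-hit), the users and addresses are all assumptions made for illustration; real logs carry the same kinds of fields (user, source IP, application, URL or threat category) in other layouts.

```python
"""Correlating firewall events into per-user context.

Added example, not code from the seminar or from any product. The log layout,
category names and sample lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src_ip: str
    app: str        # application identified by the firewall
    category: str   # URL category or threat verdict
    detail: str


def parse_line(line: str) -> Event:
    ts, user, src_ip, app, category, detail = (f.strip() for f in line.split(",", 5))
    return Event(datetime.fromisoformat(ts), user, src_ip, app, category, detail)


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


# Constructed sample lines (hypothetical users and addresses), in the spirit of
# the slide's "Dave Smith" story: one user who is actually compromised and two
# others who produce the same kinds of events in isolation.
SAMPLE_LOG = """\
2014-06-20T09:01:05, dsmith,  10.1.2.4, web-browsing, malware-site,      http://bad.example/landing
2014-06-20T09:01:09, dsmith,  10.1.2.4, web-browsing, sandbox-malicious, invoice.exe
2014-06-20T09:03:40, dsmith,  10.1.2.4, web-browsing, malware-site,      http://cnc1.example/
2014-06-20T09:04:12, dsmith,  10.1.2.4, ultrasurf,    tunneling,         outbound
2014-06-20T09:10:00, jdoe,    10.1.2.9, ssh,          tunneling,         outbound
2014-06-20T09:12:00, jdoe,    10.1.2.9, web-browsing, ips-hit,           alert-only
2014-06-20T09:15:00, agarcia, 10.1.2.7, web-browsing, malware-site,      http://bad.example/other
"""

# Categories that, after a confirmed malicious download, indicate the host is live.
POST_INFECTION = {"malware-site", "tunneling"}


def count_view(events) -> dict:
    """The slide's "no context" view: bare totals per category."""
    counts = defaultdict(int)
    for e in events:
        counts[e.category] += 1
    return dict(counts)


def context_view(events) -> dict:
    """Per-user timeline: the same events correlated to a user, in time order.

    Returns {user: (severity, explanation)}. Severity comes from the sequence
    (malicious download followed by C&C-like behaviour), not from raw counts.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    findings = {}
    for user, evs in by_user.items():
        ip = evs[0].src_ip
        downloads = [e for e in evs if e.category == "sandbox-malicious"]
        if downloads:
            t0 = downloads[0].ts
            after = [e for e in evs if e.ts > t0 and e.category in POST_INFECTION]
            if after:
                what = ", ".join(f"{e.app}/{e.category}" for e in after)
                findings[user] = ("high", f"{user} ({ip}) downloaded {downloads[0].detail} "
                                          f"at {t0.time()} and then: {what}")
            else:
                findings[user] = ("medium", f"{user} ({ip}) downloaded {downloads[0].detail}; "
                                            "no post-infection activity seen yet")
        elif any(e.category == "malware-site" for e in evs):
            findings[user] = ("medium", f"{user} ({ip}) visited a malware site; no malicious download seen")
        elif any(e.category in ("tunneling", "ips-hit") for e in evs):
            apps = sorted({e.app for e in evs if e.category == "tunneling"})
            findings[user] = ("low", f"{user} ({ip}) policy noise: tunneling apps {apps}")
    return findings


def analyze(log_text: str = SAMPLE_LOG) -> tuple:
    """Return (count-only summary, per-user findings) for a log."""
    events = parse_log(log_text)
    return count_view(events), context_view(events)


if __name__ == "__main__":
    counts, findings = analyze()
    print("counts only:", counts)
    for user, (sev, why) in findings.items():
        print(f"[{sev}] {why}")
```

The count view reports three malware-site visits and two tunneling apps and cannot say whether that is one incident or three; the correlated view puts the download, the follow-on C&C-site visit and the tunneling app on the same user and host in order, which is what an analyst needs to act. The correlation only works because the firewall logs a user name (user/group mapping) and an application name rather than just an IP and a port.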
Next Generation and the Attack Kill-chain
Attack kill-chain:
1. BREACH PERIMETER - Initial compromise
2. DELIVER MALWARE - Deliver malware and communicate with attacker
3. ENDPOINT OPERATIONS - Move laterally and infect additional hosts
4. EXFILTRATE DATA - Steal intellectual property
Prevent attacks by stopping one step in the kill-chain
Agenda
• Today’s threat landscape is next generation
• Definition of Next Generation Security
• What really makes it different
• 20 things your next generation security must do
• Closing & Questions
ISACA June Training Seminar
20 Things Your Next Gen Security Must Do
1. Control applications and components regardless of port or IP
2. Identify users regardless of IP address
3. Protect in real time against threats and exploits
4. Identify circumventors (Tor, Ultrasurf, proxies, anonymizers)
5. Decrypt SSL traffic
6. Shape traffic to prioritize critical applications or de-prioritize unproductive applications
7. Visualize application traffic
8. Block zero-day malware, botnets, C&C and APTs
9. Block peer-to-peer
10. Manage bandwidth for a group of users
11. Prevent or monitor data leakage
12. Single-pass inspection
13. Same security at the mobile endpoint
14. Central management console that relays logs & events
15. Policy for unknown traffic
16. Be cost effective by combining multiple functionalities
17. Deliver protection today, tomorrow, and in the future by being firmware upgradeable
18. Interface with other endpoint solutions for consistent protection
19. DNS sinkhole capabilities
20. Block based on URL
Agenda
• Today’s threat landscape is next generation
• Definition of Next Generation Security
• What really makes it different
• 20 things your next generation security must do
• Closing & Questions