“Next Generation Security” ISACA June Training Seminar Philip Hurlston 6/20/14


Page 1

“Next Generation Security”

ISACA June Training Seminar

Philip Hurlston

6/20/14

Page 2

Agenda

• Today’s threat landscape is next generation

• Definition of Next Generation Security

• What really makes it different

• 20 things your next generation security must do

• Closing & Questions

Page 3

Today’s Threat Landscape

Organized attackers

Increasing volume

Sophisticated

CSO challenges:

• Remediation is broken

• Must prevent attacks across perimeter, cloud and mobile

• Limited correlation across disjointed security technologies

• Limited security expertise

Page 4

SaaS - Apps are moving off the network

Page 5

CLOUD + VIRTUALIZATION: Servers are moving to private and public clouds

(Slide shows cloud provider logos, including Verizon Cloud beta)

Page 6

ENCRYPTION: Traffic is increasingly being encrypted

• Over 27% of applications can use SSL encryption

• Which represents nearly 25% of enterprise bandwidth

Page 7

MOBILITY: Users are moving off the network

Over 300 new malicious Android APKs discovered per week by our Threat Research Team

Page 8

BEFORE vs. TODAY’S APT (enterprise risk rises from left to right)

BEFORE:

• Clear-text

• Limited or known protocols

• Known malware & exploits

• Known vulnerabilities

• Known command-and-control

• Known threats

TODAY’S APT:

• Sophisticated & multi-threaded

• SSL encryption

• Changing application environment

• Zero-day exploits/vulnerabilities

• Unknown & polymorphic malware

• Evasive command-and-control

• Lateral movement

COMMODITIZATION OF THREATS: Advanced tools available to all

Page 9

Tectonic Shifts Create the Perfect Storm

• SOCIAL + CONSUMERIZATION

• SaaS

• CLOUD + VIRTUALIZATION

• MOBILITY + BYOD

• ENCRYPTION

• COMMODITIZATION OF THREATS

Massive opportunity for cyber attackers

Page 10

Target data breach – APTs in action

1. Recon on companies Target works with

2. Spear phishing of a third-party HVAC contractor

3. Breached Target with the contractor’s stolen vendor credentials

4. Moved laterally & installed POS malware

5. Compromised an internal server to collect customer data

6. Exfiltrated data to C&C servers over FTP

7. Maintain access throughout

Page 11

Agenda

• Today’s threat landscape is next generation

• Definition of Next Generation Security

• What really makes it different

• 20 things your next generation security must do

• Closing & Questions

Page 12

Definition of a Next Generation Firewall (NGFW)

From the Gartner IT Glossary, a NGFW is a:

• Deep-packet inspection firewall,

• Moves beyond port/protocol inspection and blocking,

• Adds application-level inspection,

• Adds intrusion prevention, and

• Brings intelligence from outside the firewall.

Page 13

Definition of a Next Generation Firewall (NGFW)

Should not be confused with:

• A stand-alone network intrusion prevention system (IPS), which includes a commodity or non-enterprise firewall, or

• A firewall and IPS in the same appliance that are not closely integrated.

Page 14

Agenda

• Today’s threat landscape is next generation

• Definition of Next Generation Security

• What really makes it different

• 20 things your next generation security must do

• Closing & Questions

Page 15

20 Years of Security Technology Sprawl

Enterprise Network

• Ports and IP addresses aren’t reliable anymore

• More stuff has become the problem

• Too many policies, limited integration

• Lacks context across individual products

(Diagram: the Enterprise Network reaches the Internet through a chain of separate point products: URL filter, AV, IPS, DLP, sandbox, proxy and UTM)

Page 16

Sample of a True Next Generation Architecture

• Single Pass

• Identifies applications

• User/group mapping

• Threats, viruses, URLs, confidential data

• One policy to manage

• Correlates all security information to Apps and Users

Page 17

Next Generation vs. Legacy Firewalls

App-ID firewall:

• Firewall rule: ALLOW SMTP

• SMTP = SMTP: Allow

• Bittorrent ≠ SMTP: Deny

• Visibility: Bittorrent detected and blocked

Legacy firewall:

• Firewall rule: ALLOW Port 25

• Packet on port 25: Allow (SMTP gets through, but so does Bittorrent running on port 25)

• Visibility: Port 25 allowed

Page 18

Next Generation vs. Legacy Firewall + App IPS

App-ID firewall:

• Firewall rule: ALLOW SMTP

• SMTP = SMTP: Allow

• Bittorrent ≠ SMTP: Deny

• Visibility: Bittorrent detected and blocked

Legacy firewall + application IPS:

• Firewall rule: ALLOW Port 25; Application IPS rule: Block Bittorrent

• Packet on port 25: Allow (SMTP gets through)

• Bittorrent: Deny, because the IPS has a signature for it

• Visibility: Bittorrent detected and blocked

Page 19

Next Generation vs. Legacy Firewall + App IPS (SSH, Skype and Ultrasurf on port 25)

App-ID firewall:

• Firewall rule: ALLOW SMTP

• SMTP = SMTP: Allow

• SSH ≠ SMTP: Deny; Skype ≠ SMTP: Deny; Ultrasurf ≠ SMTP: Deny

• Visibility: each app detected and blocked

Legacy firewall + application IPS:

• Firewall rule: ALLOW Port 25; Application IPS rule: Block Bittorrent

• Packet on port 25: Allow

• Bittorrent: Deny (matches the IPS signature)

• Packet ≠ Bittorrent: Allow, so SSH, Skype and Ultrasurf all get through

• Visibility: packets on port 25 allowed

Page 20

Next Generation vs. Legacy Firewall + App IPS (command-and-control on port 25)

App-ID firewall:

• Firewall rule: ALLOW SMTP

• SMTP = SMTP: Allow

• Command & Control ≠ SMTP: Deny

• Visibility: unknown traffic detected and blocked

Legacy firewall + application IPS:

• Firewall rule: ALLOW Port 25; Application IPS rule: Block Bittorrent

• Packet on port 25: Allow

• Bittorrent: Deny (matches the IPS signature)

• C & C ≠ Bittorrent: Allow, because the IPS has no signature for an evasive, unknown protocol

• Visibility: packet on port 25 allowed
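The four comparisons above reduce to one design difference: a port-based rule followed by an IPS block list stops only what the IPS has a signature for, while an application-based allow list denies anything it cannot positively identify, including traffic it can only label "unknown". The Python below is an added example written for this page, not code from the deck or from any firewall vendor; the flows, the application labels, both policy tables and the zone name are constructed, and application identification is assumed to have already been done by some inspection engine.

```python
"""Port-based allow list + IPS block list versus application-identity allow list.

Added example for this page (not from the slide deck or any vendor). The flows,
the App-ID labels and both policy tables are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str  # what application-layer inspection identified; "unknown" if nothing matched


# Legacy model: port-based firewall rule, then an application IPS that blocks a
# list of known-bad application signatures (negative enumeration).
LEGACY_ALLOWED_PORTS = {25, 443}
APP_IPS_BLOCKLIST = {"bittorrent"}


def legacy_plus_app_ips(flow: Flow) -> tuple[str, str]:
    """Return (verdict, visibility) the way slides 17-20 describe the legacy stack."""
    if flow.dport not in LEGACY_ALLOWED_PORTS:
        return "deny", f"port {flow.dport} denied"
    if flow.app in APP_IPS_BLOCKLIST:
        return "deny", f"{flow.app} detected and blocked by IPS signature"
    # Anything without a signature passes: SSH, Ultrasurf and C2 on port 25 included.
    return "allow", f"port {flow.dport} allowed"


# Next-generation model: rules name applications, not ports, the policy is an
# allow list, and unmatched traffic (including "unknown") is denied by default.
APPID_POLICY = [
    # (source zone, application, action); zone name is constructed
    ("corp-lan", "smtp", "allow"),
    ("corp-lan", "ssl", "allow"),
]


def app_id_firewall(flow: Flow, src_zone: str = "corp-lan") -> tuple[str, str]:
    for zone, app, action in APPID_POLICY:
        if zone == src_zone and app == flow.app:
            return action, f"{flow.app} = {app}: {action}"
    label = "unknown traffic" if flow.app == "unknown" else flow.app
    return "deny", f"{label} detected and blocked (no matching application rule)"


# Constructed flows mirroring the slides: legitimate mail plus four things that
# do not belong on port 25.
SAMPLE_FLOWS = [
    Flow("10.1.2.4", "198.51.100.10", 25, "smtp"),
    Flow("10.1.2.5", "198.51.100.11", 25, "bittorrent"),
    Flow("10.1.2.6", "198.51.100.12", 25, "ssh"),
    Flow("10.1.2.7", "198.51.100.13", 25, "ultrasurf"),
    Flow("10.1.2.8", "198.51.100.14", 25, "unknown"),  # evasive C2 speaking a custom protocol
]


def compare(flows=SAMPLE_FLOWS) -> dict[str, tuple[str, str]]:
    """Map each flow's application to (legacy verdict, App-ID verdict)."""
    return {f.app: (legacy_plus_app_ips(f)[0], app_id_firewall(f)[0]) for f in flows}


def leaked_by_legacy(flows=SAMPLE_FLOWS) -> list[str]:
    """Applications the legacy stack allows but the App-ID policy denies."""
    return [f.app for f in flows
            if legacy_plus_app_ips(f)[0] == "allow" and app_id_firewall(f)[0] == "deny"]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.app:11s} legacy+IPS: {legacy_plus_app_ips(f)[1]:45s} App-ID: {app_id_firewall(f)[1]}")
    print("passes legacy, denied by App-ID:", leaked_by_legacy())
```

Run it and the legacy column allows ssh, ultrasurf and unknown on port 25 while the App-ID column denies them. The remaining dependency in the App-ID model is the classifier itself: whatever it cannot identify arrives as "unknown", which is why an explicit rule for unknown traffic (item 15 of the list later in the deck) matters more than the length of the allow list.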

Page 21

Next Generation Closes the Loop for Threats

• Scan ALL applications, including SSL: reduces the attack surface and provides context for forensics

• Prevent attacks across ALL attack vectors: exploits, malware, DNS, command & control, and URLs

• Detect zero-day malware: turn unknown into known, and update the firewall

Page 22

Sandboxing for Turning Unknown into Known

Page 23

Security Context from Next Generation

Policies:

• Allowing 10.1.2.4 to 148.62.45.6 on port 80 does not provide context.

• Allowing Sales users on the corporate LAN to access Salesforce.com while looking for threats and malware inside the decrypted SSL tunnel, and easily seeing that you have done so, is context.

Threats:

• Seeing that you had 10 tunneling apps, 15 IPS hits, and 4 visits to malware sites is no context.

• Seeing that Dave Smith visited a malware site, downloaded 0-day malware, and that his device is visiting other known malware sites and using tunneling apps is context.
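The difference between the two "Threats" lines is a join: IP-keyed counters become context only when each event is attributed to the user who held that address at the time and the signals for that user are read together. The Python below is an added example written for this page, not the deck's or any product's code; the address leases, the events, the tunneling-app list and the two-signal rule are all constructed.

```python
"""Correlating firewall events to a user instead of an IP address.

Added example for this page (not from the deck or any vendor). Leases, events,
the tunneling-app list and the detection rule are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    user: str
    ip: str
    start: int  # constructed timestamp, inclusive
    end: int    # exclusive; the address may be re-issued afterwards


@dataclass(frozen=True)
class Event:
    ts: int
    src_ip: str
    kind: str    # "url", "file" or "app"
    detail: str  # URL category, file verdict or application name


# Constructed user/IP mapping. 10.1.2.4 is held by Dave Smith, then re-issued to
# Jane Doe; an IP-keyed report would blend their activity together.
LEASES = [
    Lease("dave.smith", "10.1.2.4", 1000, 2000),
    Lease("jane.doe", "10.1.2.4", 2000, 3000),
    Lease("jane.doe", "10.1.2.9", 1000, 2000),
]

# Constructed events in the shape of the slide's narrative.
EVENTS = [
    Event(1100, "10.1.2.4", "url", "malware-site"),
    Event(1110, "10.1.2.4", "file", "sandbox:malicious"),  # unknown file judged malicious
    Event(1200, "10.1.2.4", "url", "malware-site"),
    Event(1300, "10.1.2.4", "app", "ultrasurf"),           # tunneling app
    Event(2100, "10.1.2.4", "url", "business"),            # Jane, on the recycled address
    Event(1500, "10.1.2.9", "app", "tor"),                 # one signal alone is not enough
]

TUNNELING_APPS = {"ultrasurf", "tor", "ssh-tunnel"}


def resolve_user(ip: str, ts: int, leases=LEASES) -> str | None:
    """User holding `ip` at time `ts`; None when no lease covers it (a gap, not a guess)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.user
    return None


def correlate(events=EVENTS, leases=LEASES) -> dict[str, dict[str, int]]:
    """Count, per user, the three signals the slide combines into context."""
    per_user = defaultdict(lambda: {"malware_site": 0, "malicious_file": 0, "tunneling": 0})
    for e in events:
        user = resolve_user(e.src_ip, e.ts, leases) or f"unmapped:{e.src_ip}"
        sig = per_user[user]
        if e.kind == "url" and e.detail == "malware-site":
            sig["malware_site"] += 1
        elif e.kind == "file" and e.detail.endswith(":malicious"):
            sig["malicious_file"] += 1
        elif e.kind == "app" and e.detail in TUNNELING_APPS:
            sig["tunneling"] += 1
    return dict(per_user)


def likely_compromised(events=EVENTS, leases=LEASES) -> list[str]:
    """Users with a malicious download plus post-infection behaviour (repeat malware sites or tunneling)."""
    return sorted(u for u, s in correlate(events, leases).items()
                  if s["malicious_file"] >= 1 and (s["malware_site"] >= 2 or s["tunneling"] >= 1))


if __name__ == "__main__":
    for user, sig in correlate().items():
        print(user, sig)
    print("likely compromised:", likely_compromised())
```

Lease boundaries matter: the same address is re-issued to a second user at t=2000, and an IP-keyed report would have charged Jane's browsing to Dave's incident. The per-user view reaches the slide's conclusion (Dave Smith: malware site, malicious download, repeat visits, tunneling app) while a single Tor hit from Jane stays below the bar.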

Page 24

Next Generation and the Attack Kill-chain

Attack kill-chain:

1. BREACH PERIMETER – Initial compromise

2. DELIVER MALWARE – Deliver malware and communicate with the attacker

3. ENDPOINT OPERATIONS – Move laterally and infect additional hosts

4. EXFILTRATE DATA – Steal intellectual property

Prevent attacks by stopping any one step in the kill-chain

Page 25

Agenda

• Today’s threat landscape is next generation

• Definition of Next Generation Security

• What really makes it different

• 20 things your next generation security must do

• Closing & Questions

Page 26

20 Things Your Next Gen Security Must Do

1. Control applications and components regardless of port or IP

2. Identify users regardless of IP address

3. Protect in real time against threats and exploits

4. Identify circumventors (Tor, Ultrasurf, proxies, anonymizers)

5. Decrypt SSL traffic

6. Traffic-shape to prioritize critical applications or de-prioritize unproductive applications

7. Visualize application traffic

8. Block zero-day malware, botnets, C&C and APTs

9. Block peer-to-peer

10. Manage bandwidth for a group of users

Page 27

20 Things Your Next Gen Security Must Do

11. Prevent or monitor data leakage

12. Single-pass inspection

13. Same security at the mobile endpoint

14. Central management console that collects relayed logs & events

15. Policy for unknown traffic

16. Be cost effective by combining multiple functionalities

17. Deliver protection today, tomorrow, and in the future by being firmware upgradeable

18. Interface with other endpoint solutions for consistent protection

19. DNS sinkhole capability

20. Block based on URL
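Item 19 is the one capability on this list whose mechanism is easy to get slightly wrong. A DNS sinkhole answers queries for known command-and-control domains with an address the defender controls, so the infected host reveals itself when it resolves or connects to that address. The Python below is an added example written for this page, not the deck's or any vendor's code; the blocklist, the sinkhole address, the client addresses and the queries are constructed, and no real resolver library is involved.

```python
"""DNS sinkhole: answer queries for known-bad domains with an internal sinkhole
address so that the infected host identifies itself.

Added example for this page (not from the deck or any vendor). The blocklist,
sinkhole address, clients and queries are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SINKHOLE_IP = "10.255.255.254"                       # constructed: internal, nothing legitimate listens here
BLOCKED_DOMAINS = {"evil.example", "c2.badnet.test"}  # constructed C2 domains


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'update.EVIL.example.' matches 'evil.example'."""
    return name.rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """Match on label boundaries: sub.evil.example is blocked, notevil.example is not."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class Sinkhole:
    log: list = field(default_factory=list)  # (client_ip, normalized qname) pairs

    def answer(self, client_ip: str, qname: str, upstream_answer: str) -> str:
        """Return the A record the client should receive; record sinkholed clients."""
        if is_blocked(qname):
            self.log.append((client_ip, normalize(qname)))
            return SINKHOLE_IP
        return upstream_answer

    def infected_hosts(self) -> set[str]:
        return {ip for ip, _ in self.log}


# Constructed queries. The third arrives via an internal recursive resolver, which
# is the caveat: the sinkhole then logs the resolver's address, not the real
# client, so the resolver's own query log or the later connection to SINKHOLE_IP
# is what names the infected host.
QUERIES = [
    ("10.1.2.4", "update.EVIL.example.", "203.0.113.5"),
    ("10.1.2.9", "notevil.example", "203.0.113.6"),
    ("10.1.0.53", "c2.badnet.test", "203.0.113.7"),   # internal recursive resolver
    ("10.1.2.4", "www.example.org", "203.0.113.8"),
]


def run(queries=QUERIES) -> tuple[dict[str, str], set[str]]:
    """Answer every query and return (answers by qname, set of sinkholed client addresses)."""
    sh = Sinkhole()
    answers = {q: sh.answer(ip, q, a) for ip, q, a in queries}
    return answers, sh.infected_hosts()


if __name__ == "__main__":
    answers, infected = run()
    for q, a in answers.items():
        print(f"{q:24s} -> {a}")
    print("sinkholed clients:", sorted(infected))
```

Two details worth keeping: matching is done on label boundaries, so notevil.example is not caught by a rule for evil.example while update.evil.example is; and when the query reaches the sinkhole through an internal recursive resolver, the logged client is the resolver (10.1.0.53 in the sample), so the host has to be identified from that resolver's own query log or from the later TCP connection to the sinkhole address, not from the sinkhole's DNS log alone.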

Page 28

Agenda

• Today’s threat landscape is next generation

• Definition of Next Generation Security

• What really makes it different

• 20 things your next generation security must do

• Closing & Questions