scalar security roadshow - toronto stop


Upload: scalar-decisions

Post on 08-May-2015



DESCRIPTION

Presentations from the Toronto Stop of the Scalar Security Roadshow on March 4, covering technologies from Palo Alto Networks, F5, Splunk, and Infoblox.

TRANSCRIPT

Page 1: Scalar Security Roadshow - Toronto Stop

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience

Security Road Show - Toronto

Page 2: Scalar Security Roadshow - Toronto Stop


•  9:00am – 9:15am Welcome
•  9:15am – 9:45am Palo Alto Networks – You can’t control what you can’t see!
•  9:45am – 10:15am F5 – Protect your web applications
•  10:15am – 10:30am Break
•  10:30am – 11:00am Splunk – Big data, next generation SIEM
•  11am – 11:30am Infoblox – Are you fully prepared to withstand DNS attacks?
•  11:30am – 12:00pm Closing remarks, Q&A
•  12:00pm – 12:30pm Boxed Lunches

Page 3: Scalar Security Roadshow - Toronto Stop


•  Today’s Speakers
   –  Gary Coldwell – Palo Alto Networks
   –  Peter Scheffler – F5
   –  Gilberto Castillo – Splunk
   –  Ben Shelston – Infoblox

Page 4: Scalar Security Roadshow - Toronto Stop


Background in architecting mission-critical data centre infrastructure

Founded in 2004
$125M in CY13 revenues
Nationwide presence: Toronto | Vancouver | Ottawa | Calgary | London
120 employees nationwide
25% growth YoY
Greater than 1:1 technical:sales ratio

Page 5: Scalar Security Roadshow - Toronto Stop


•  The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools

•  Delivering infrastructure services which support core applications

Page 6: Scalar Security Roadshow - Toronto Stop


WHY SCALAR?

Page 7: Scalar Security Roadshow - Toronto Stop


Experience Execution Innovation

Page 8: Scalar Security Roadshow - Toronto Stop


•  Top technical talent in Canada – Engineers average 15 years’ experience

•  We train the trainers – Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox

•  Our partners recognize we’re the best
   –  Brocade Partner of the Year – Innovation
   –  Cisco Partner of the Year – Data Centre & Virtualization
   –  VMware Global Emerging Products Partner of the Year
   –  F5 Canadian Partner of the Year
   –  Palo Alto Networks Rookie of the Year
   –  NetApp Partner of the Year – Central

Page 9: Scalar Security Roadshow - Toronto Stop


•  Unique infrastructure solutions designed to meet your needs
   –  StudioCloud
   –  HPC & Trading Systems

•  Testing Centre & Proving Grounds – Ensuring emerging technologies are hardened, up to the task of Enterprise workloads

•  Vendor Breadth – Our coverage spans Enterprise leaders and emerging technologies for niche workloads & developing markets

Page 10: Scalar Security Roadshow - Toronto Stop


“Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”

Page 11: Scalar Security Roadshow - Toronto Stop


“We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”

Page 12: Scalar Security Roadshow - Toronto Stop


“Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multi-disciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”

Page 13: Scalar Security Roadshow - Toronto Stop


Page 14: Scalar Security Roadshow - Toronto Stop


PALO ALTO NETWORKS

Page 15: Scalar Security Roadshow - Toronto Stop

Protecting Against Modern Malware and the Evolution of Cyber Security

Garry Coldwells Systems Engineer

March 2014

Page 16: Scalar Security Roadshow - Toronto Stop

Palo Alto Networks at a glance

Corporate highlights

Palo Alto Networks is the Network Security Company
Safely enabling applications and preventing cyber threats
Founded in 2005; first customer shipment in 2007
Exceptional ability to support global customers
Experienced team of 1,300+ employees
Q1FY14: $128.2M revenue; 16,000 customers

[Chart: Enterprise customers – Jul-11: 4,700; Jul-12: 9,000; Jul-13: 13,500. Revenues ($MM, FYE July) – FY09: $13; FY10: $49; FY11: $119; FY12: $255; FY13: $396.]

16 | ©2013, Palo Alto Networks. Confidential and Proprietary.

Page 17: Scalar Security Roadshow - Toronto Stop

How Time Has Changed


Page 18: Scalar Security Roadshow - Toronto Stop

1995  

Page 19: Scalar Security Roadshow - Toronto Stop
Page 20: Scalar Security Roadshow - Toronto Stop
Page 21: Scalar Security Roadshow - Toronto Stop

2012  

Page 22: Scalar Security Roadshow - Toronto Stop
Page 23: Scalar Security Roadshow - Toronto Stop
Page 24: Scalar Security Roadshow - Toronto Stop
Page 25: Scalar Security Roadshow - Toronto Stop
Page 26: Scalar Security Roadshow - Toronto Stop

Levelset


Page 27: Scalar Security Roadshow - Toronto Stop

The basics

Threat | What it is | What it does
Exploit | Bad application input, usually in the form of network traffic. | Targets a vulnerability to hijack control of the target application or machine.
Malware | Malicious application or code. | Anything – downloads, hacks, explores, steals…
Command-and-control (C2) | Network traffic generated by malware. | Keeps the remote attacker in control and coordinates the attack.
Indicators of compromise (IoC) | Indications that your network has been compromised. | Allows security teams to find and confirm breaches.

Page 28: Scalar Security Roadshow - Toronto Stop

Known vs. unknown threats


Known threats
•  Malware or exploits that have been seen before
•  Commonly available and recycled
•  Easily stopped by traditional security

Unknown threats
•  Malware or exploits that have never been seen before
•  Unique, and often custom-crafted
•  Easily bypass traditional security

Page 29: Scalar Security Roadshow - Toronto Stop

New Threat Landscape State of the Union


Page 30: Scalar Security Roadshow - Toronto Stop

Interests and motivations have also changed

From bored “geeks”

To nation states and organized crime

Page 31: Scalar Security Roadshow - Toronto Stop

The new threat landscape

Commodity threats (very common, easily identified)
§  Mostly addressed by traditional AV and IPS
§  Low sophistication, slowly changing
§  Machine vs. machine

Organized cybercrime (more customized exploits and malware)
§  Somewhat more sophisticated payloads
§  Evasion techniques often employed
§  Sandboxing and other smart detection often required

Nation state (very targeted, persistent, creative) – Advanced threat
§  Intelligent and continuous monitoring of passive network-based and host-based sensors
§  Comprehensive investigation after an indicator is found
§  Highly coordinated response is required for effective prevention and remediation

Page 32: Scalar Security Roadshow - Toronto Stop

By the Numbers

Days – Of malware data accumulation

Networks – Covering 1,000+ live enterprise networks

Antivirus Vendors – Tested against 6 fully-updated, industry-leading antivirus products

Unknown Malware (zero-day) – Resulted in finding 26,000+ malware that had NO coverage at the time they were detected in the live enterprise network

Page 33: Scalar Security Roadshow - Toronto Stop

Malware Delivery Vectors


90% Delivery via web-browsing/http

2% Delivery via eMail

Page 34: Scalar Security Roadshow - Toronto Stop

Malware Vectors and Traditional Detection Times

Top 5 sources of unknown malware highlighted. FTP was a leading source and rarely detected.


Page 35: Scalar Security Roadshow - Toronto Stop

Regaining Control

§  Bring the right anti-malware technologies into the network
   –  End-point antivirus is falling way short
   –  Need to look way beyond eMail and Web
      •  82 applications that are designed explicitly to avoid security (circumventors)
      •  260 applications designed to tunnel within allowed protocols (encryption, tunneling)

§  Expect unknowns
   –  Implement a mechanism to take a deeper look at the unknown

§  Real-time detection and blocking when possible
   –  Automate the kill chain to prevent manual response

§  Enforce user and application controls
   –  Minimize the attack surface by controlling who can transfer files, using which apps, in which direction and when

Page 36: Scalar Security Roadshow - Toronto Stop

Automated network effect of sharing

§  Automatic detection in real time in private or public cloud

§  10Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.)

§  Automatic generation of several defensive measures

§  Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection

§  Automatic installation of defensive measures provides full prevention immediately

§  Malware, DNS, URL, and C2 signatures automatically created based on WildFire intelligence and delivered to customers globally

§  You benefit from the threat intelligence of 2,500+ organizations across the industry

[Diagram: WildFire (with optional WildFire Appliance) takes input from soak sites, sinkholes and 3rd party sources, observing command-and-control, staged malware downloads, host ID and data exfil; it produces anti-malware signatures, DNS intelligence, a malware URL database and anti-C2 signatures, delivered as global intelligence and protection to all WildFire users.]

Page 37: Scalar Security Roadshow - Toronto Stop

Unique Identifiers

Samples – Of malware with unique SHA256

Unique Identifiers – Observed in multiple malware samples

Identifiable Samples – Contained unique identifiers

Potential – To be blocked by unique identifier rather than hash/URI

Page 38: Scalar Security Roadshow - Toronto Stop

Most Commonly Observed Malware Behaviours


Page 39: Scalar Security Roadshow - Toronto Stop

Regaining Control

§  Implement technology with stream-based analysis of headers and payloads
   –  Block polymorphic variants using identifiers rather than hash or URI

§  Establish a solid baseline of ‘normal’ behaviour
   –  Knowing what is normal allows the abnormal to become very apparent

§  Investigate and remediate unknowns
   –  Investigate unknowns and make it a goal to keep them below an acceptable threshold

§  Restrict access to unknown, newly registered and dynamic DNS domains
   –  The internet is dynamic, so restrict executables from these domains, implement SSL decryption and block HTTP-POST

§  Control eMail traffic flow
   –  Only allow email traffic in/out between the mail gateway and its destination, and never allow email bypassing the corporate mail gateway

Page 40: Scalar Security Roadshow - Toronto Stop

Malware Use of Non-Standard Ports by Application


Page 41: Scalar Security Roadshow - Toronto Stop

Regaining Control

§  Restrict applications to their standard ports
   –  Especially limit FTP to its well-known ports

Page 42: Scalar Security Roadshow - Toronto Stop

Regaining Control over Modern Threats


New Requirements for Threat Prevention

1. Visibility into all traffic regardless of port, protocol, evasive tactic or SSL

2. Stop all types of known network threats (IPS, Anti-malware, URL, etc.) while maintaining multi-gigabit performance

3. Find and stop new and unknown threats even without a pre-existing signature

Page 43: Scalar Security Roadshow - Toronto Stop

A Next-Generation Cybersecurity Strategy


Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

Page 44: Scalar Security Roadshow - Toronto Stop

The Bigger Picture


Page 45: Scalar Security Roadshow - Toronto Stop

Imperatives to be secure

§  Evolving from incident response mindset to intelligence mindset

§  No intelligence exists without visibility

§  Applying the intelligence and resulting IOCs to the kill chain

§  Sharing what you know

Page 46: Scalar Security Roadshow - Toronto Stop

Can’t understand what you don’t know

§  You don’t have intelligence if you don’t have visibility

§  Visibility required across the whole network

§  Ideally, you can see and understand applications, content, and users

§  Then make sense of what you see

Page 47: Scalar Security Roadshow - Toronto Stop

Share what you know

§  In the cyber security battle, sharing is key

§  Three ways this is happening
   1.  External – industry initiatives
   2.  External – technology partnerships
   3.  Internal – your security technology should leverage the network

Page 48: Scalar Security Roadshow - Toronto Stop

[Diagram: vSphere virtual firewall as a guest VM – Gateway Edition: VM-100, VM-200, VM-300; NSX virtual firewall as a hypervisor service – VM-1000-HV Edition, modeled from VM-300]

Page 49: Scalar Security Roadshow - Toronto Stop

Automated Deployment, via Panorama

Page 50: Scalar Security Roadshow - Toronto Stop
Page 51: Scalar Security Roadshow - Toronto Stop

Regaining Control


Page 52: Scalar Security Roadshow - Toronto Stop

A Next-Generation Cybersecurity Strategy (1)


Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  Inspect all traffic

•  35% of all applications use SSL

•  Non-standard ports and tunneled traffic

•  Make NO assumptions

Page 53: Scalar Security Roadshow - Toronto Stop

A Next-Generation Cybersecurity Strategy (2)


Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  High risk applications and features

•  Block files from unknown domains

•  Find and control custom traffic

•  Implement POSITIVE Security

Page 54: Scalar Security Roadshow - Toronto Stop

A Next-Generation Cybersecurity Strategy (3)


Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  Exploits, malware, C2

•  Variants and polymorphism

•  DNS, URLs, malicious clusters

•  Implement NEGATIVE Security

Page 55: Scalar Security Roadshow - Toronto Stop

Strategy for Modern Threat Prevention


Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  Static, behavioral and anomaly analysis

•  Automatically create and deliver protections

•  Share globally

•  Implement Zero-Day Security

Page 56: Scalar Security Roadshow - Toronto Stop

A Next-Generation Cybersecurity Strategy (5)


Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  Feed the SIEM

•  Share indicators of compromise

•  Integrate with end-point security

•  Evolve from Incident Response to Security Intelligence

Page 57: Scalar Security Roadshow - Toronto Stop


F5

Page 58: Scalar Security Roadshow - Toronto Stop


F5 Security for an application driven world

Page 59: Scalar Security Roadshow - Toronto Stop

© F5 Networks, Inc 59 CONFIDENTIAL

F5 Provides Complete Visibility and Control Across Applications and Users

[Diagram: Intelligent Services Platform (TMOS) – Users: securing access to applications from anywhere; Resources: protecting your applications regardless of where they live. Services: Network Firewall, Protocol Security, DDoS Protection, Dynamic Threat Defense, DNS, Web Access]

Page 60: Scalar Security Roadshow - Toronto Stop


Security Trends and Challenges

Page 61: Scalar Security Roadshow - Toronto Stop


[Chart: security incidents May to Dec 2012 by attack type (spear phishing, physical access, XSS); size of circle estimates relative impact of incident in terms of cost to business]

Page 62: Scalar Security Roadshow - Toronto Stop


[Chart: security incidents Jan to Jun 2013 across sectors (banks, government, online services, news & media, telco, education, software, DNS providers, utilities, retail, auto and others) by attack type (spear phishing, physical access, unknown); size of circle estimates relative impact of incident in terms of cost to business]

Page 63: Scalar Security Roadshow - Toronto Stop


More sophisticated attacks are multi-layer

Layers: Application, SSL, DNS, Network

Page 64: Scalar Security Roadshow - Toronto Stop


The business impact of DDoS

Cost of corrective action

Reputation management


Page 65: Scalar Security Roadshow - Toronto Stop


OWASP Top 3 Application Security Risks

1 – Injection

2 – Broken Authentication and Session Management

3 – Cross Site Scripting (XSS)

Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity.

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.

Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Page 66: Scalar Security Roadshow - Toronto Stop


The F5 Approach

Page 67: Scalar Security Roadshow - Toronto Stop


Full Proxy Security

[Diagram: full proxy – client-side and server-side stacks each show Physical, Network, Session, Application and Web application layers]

L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation

SSL inspection and SSL DDoS mitigation

HTTP proxy, HTTP DDoS and application security

Application health monitoring and performance anomaly detection

Page 68: Scalar Security Roadshow - Toronto Stop


The F5 Application Delivery Firewall – Bringing deep application fluency to firewall security

One platform: SSL inspection, Traffic management, DNS security, Access control, Application security, Network firewall, DDoS mitigation

EAL2+; EAL4+ (in process)

Page 69: Scalar Security Roadshow - Toronto Stop


Positive vs Negative

•  Positive security
   –  Known good traffic
   –  Permit only what is defined in the security policy (whitelisting)
   –  Block everything else

•  Negative security
   –  Known-bad traffic
   –  Pattern matching for malicious content using regular expressions

•  Policy enforcement is based on a Positive security logic

•  Negative security logic is used to complement Positive logic

Page 70: Scalar Security Roadshow - Toronto Stop


How Does It Work? Security at application, protocol and network level

[Diagram: Request made → Security policy checked → Enforcement (actions: log, block, allow) → Server response → Security policy applied (content scrubbing, application cloaking) → Response delivered]

BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.

Page 71: Scalar Security Roadshow - Toronto Stop


1 Start by checking RFC compliance
2 Then check for various length limits in the HTTP
3 Then we can enforce valid types for the application
4 Then we can enforce a list of valid URLs
5 Then we can check for a list of valid parameters
6 Then for each parameter we will check for max value length
7 Then scan each parameter, the URI, the headers

GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: 172.29.44.44\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n

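As an added example (not F5's code and not from the slides), here is the seven-step check sequence above, run in the positive-then-negative order from the Positive vs Negative slide, over the sample request shown on this slide. The policy values, the signature patterns and the function name check_request are constructed for illustration; the sample uses a straight quote in Acme's.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request shown on the slide, with CRLF line endings.
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Accept-Encoding: gzip,deflate,sdch\r\n"
    "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n"
    "\r\n"
)

# Hypothetical positive policy (what the app is known to accept); the per-URL
# parameter map is name -> maximum value length (steps 5 and 6).
POLICY = {
    "max_request_line": 2048,                   # step 2
    "max_headers": 32,                          # step 2
    "max_header_value": 1024,                   # step 2
    "allowed_file_types": {"php", "html", ""},  # step 3 ("" = no extension)
    "allowed_urls": {"/", "/search.php", "/login.php"},  # step 4
    "allowed_params": {"/search.php": {"q": 64},
                       "/login.php": {"user": 32, "pass": 64}},
}

# Negative signatures, applied last (step 7); deliberately coarse, for illustration.
ATTACK_SIGNATURES = {
    "sql-quote": re.compile(r"'"),
    "sql-comment": re.compile(r"--|/\*"),
    "xss-tag": re.compile(r"<\s*script", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (/\S*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")  # token ':' value


def check_request(raw, policy=POLICY):
    """Walk the seven checks in slide order; return violations (empty = allow)."""
    violations = []
    # Step 1: RFC compliance of the request line and header syntax.
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["rfc: malformed request line"]  # nothing further is parseable
    target = m.group(2)
    headers = []
    for line in lines[1:]:
        if line == "":
            break  # end of the header block
        h = HEADER_LINE.match(line)
        if not h:
            violations.append("rfc: malformed header %r" % line)
            continue
        headers.append((h.group(1), h.group(2)))
    # Step 2: length limits, before any deeper parsing of the content.
    if len(lines[0]) > policy["max_request_line"]:
        violations.append("length: request line too long")
    if len(headers) > policy["max_headers"]:
        violations.append("length: too many headers")
    for name, value in headers:
        if len(value) > policy["max_header_value"]:
            violations.append("length: header %s value too long" % name)
    # Step 3: file type allowlist, taken from the last path segment.
    parts = urlsplit(target)
    filename = parts.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext not in policy["allowed_file_types"]:
        violations.append("filetype: .%s not allowed" % ext)
    # Step 4: URL allowlist.
    if parts.path not in policy["allowed_urls"]:
        violations.append("url: %s not allowed" % parts.path)
    # Steps 5 and 6: parameter allowlist, then per-parameter value length.
    allowed = policy["allowed_params"].get(parts.path, {})
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:
            violations.append("param: %s not allowed on %s" % (name, parts.path))
        elif len(value) > allowed[name]:
            violations.append("param: %s value too long" % name)
    # Step 7: negative signatures over the URI, each parameter, each header.
    scan = ([("uri", target)] + [("param " + n, v) for n, v in params]
            + [("header " + n, v) for n, v in headers])
    for where, text in scan:
        for sig, pattern in ATTACK_SIGNATURES.items():
            if pattern.search(text):
                violations.append("signature: %s in %s" % (sig, where))
    return violations


if __name__ == "__main__":
    for v in check_request(SAMPLE_REQUEST):
        print("BLOCK:", v)
```

On the slide's request the positive checks already reject name and admin (the application only defines q, as its own Referer shows), and the negative scan then flags the quote in Acme's; a request that passes every positive check is the only one the signature step ever has to judge.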

Page 72: Scalar Security Roadshow - Toronto Stop


Automatic HTTP/S DOS Attack Detection and Protection

•  Accurate detection technique—based on latency

•  Three different mitigation techniques escalated serially

•  Focus on higher value productivity while automatic controls intervene

[Diagram: escalation – Detect a DOS condition → Identify potential attackers → Drop only the attackers]

Page 73: Scalar Security Roadshow - Toronto Stop


To Simplify: Application-Oriented Policies and Reports

Page 74: Scalar Security Roadshow - Toronto Stop


IP INTELLIGENCE

[Diagram: IP intelligence service – IP address feed updates every 5 min, plus a geolocation database; protects custom and financial applications against botnets, attackers, anonymous requests, anonymous proxies, scanners, restricted regions or countries, and internally infected devices and servers]

Page 75: Scalar Security Roadshow - Toronto Stop

Built for intelligence, speed and scale

Users
Concurrent user sessions: 100K
Concurrent logins: 1,500/sec.

Throughput: 640 Gbps
Concurrent connections: 288 M
Connections per second: 8 M
SSL TPS (2K keys): 240K/sec
DNS query response: 10 M/sec

Resources

Page 76: Scalar Security Roadshow - Toronto Stop


Application Delivery Firewall

iRules extensibility everywhere

Products

Advanced Firewall Manager

•  Stateful full-proxy firewall

•  Flexible logging and reporting

•  Native TCP, SSL and HTTP proxies

•  Network and Session anti-DDoS

Access Policy Manager

•  Dynamic, identity-based access control

•  Simplified authentication infrastructure

•  Endpoint security, secure remote access

Local Traffic Manager

•  #1 application delivery controller

•  Application fluency

•  App-specific health monitoring

Application Security Manager

•  Leading web application firewall

•  PCI compliance

•  Virtual patching for vulnerabilities

•  HTTP anti-DDoS

•  IP protection

Global Traffic Manager & DNSSEC

•  Huge scale DNS solution

•  Global server load balancing

•  Signed DNS responses

•  Offload DNS crypto


Page 77: Scalar Security Roadshow - Toronto Stop


The F5 DDoS Protection Reference Architecture f5.com/architectures

Explore

Page 78: Scalar Security Roadshow - Toronto Stop


Summary

•  Customers invest in network security, but most significant threats are at the application layer

•  Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data

•  A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges

•  F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access

Page 79: Scalar Security Roadshow - Toronto Stop
Page 80: Scalar Security Roadshow - Toronto Stop


BREAK

Page 81: Scalar Security Roadshow - Toronto Stop


SPLUNK

Page 82: Scalar Security Roadshow - Toronto Stop

Copyright © 2014 Splunk Inc.

Splunk for Security Intelligence

Page 83: Scalar Security Roadshow - Toronto Stop

Splunk Overview

Company (NASDAQ: SPLK)
•  Founded 2004, first software release in 2006
•  HQ: San Francisco / Regional HQ: London, Hong Kong
•  Over 1000 employees, based in 12 countries
•  2012 Revenue: $199M (YoY +60%)

Business Model / Products
•  Free download to massive scale
•  Splunk Enterprise, Splunk Cloud
•  Hunk: Splunk Analytics for Hadoop

6,400+ Customers
•  Customers in over 90 countries
•  60 of the Fortune 100
•  Largest license: Over 100 Terabytes per day


Page 84: Scalar Security Roadshow - Toronto Stop


Make machine data accessible, usable and valuable to everyone.

Page 85: Scalar Security Roadshow - Toronto Stop

The Accelerating Pace of Data

Volume | Velocity | Variety | Variability

[Figure: machine data sources: GPS, RFID, hypervisor, web servers, email, messaging, clickstreams, mobile, telephony, IVR, databases, sensors, telematics, storage, servers, security devices, desktops]

Machine data is the fastest growing, most complex, most valuable area of big data

Page 86: Scalar Security Roadshow - Toronto Stop

The Splunk Security Intelligence Platform

Security use cases: Security Operations, Compliance, Fraud, Forensic Investigation, Detection

Platform: HA indexes and storage on commodity servers

Machine data sources: online services, web services, servers, security devices, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID

Page 87: Scalar Security Roadshow - Toronto Stop

Rapid Ascent in the Gartner SIEM Magic Quadrant

[Figure: Splunk's position in the Gartner SIEM Magic Quadrant in 2011, 2012 and 2013]

Page 88: Scalar Security Roadshow - Toronto Stop

Industry Accolades

•  Best SIEM Solution
•  Best Enterprise Security Solution
•  Best Security Product

Page 89: Scalar Security Roadshow - Toronto Stop

Over 2800 Global Security Customers

Page 90: Scalar Security Roadshow - Toronto Stop

Splunk Security Intelligence Platform

120+ security apps, including the Splunk App for Enterprise Security and apps for Palo Alto Networks, NetFlow Logic, FireEye, Blue Coat ProxySG, OSSEC, Cisco Security Suite, Active Directory, F5 Security, Juniper and Sourcefire

Page 91: Scalar Security Roadshow - Toronto Stop

Partner Ecosystem

What is the Value Add to Existing Customers?
•  Visibility and correlation of rich data
•  Improved security posture
•  Configurable dashboard views

Page 92: Scalar Security Roadshow - Toronto Stop


All Data is Security Relevant = Big Data

Traditional SIEM sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication

Also security relevant: Servers, Service Desk, Storage, Desktops, Email, Web, Call Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Industrial Control, Badges, Databases, Mobile

Page 93: Scalar Security Roadshow - Toronto Stop

Making Sound Security Decisions

[Figure: log data, binary data (flow and PCAP), context data and threat intelligence feeds, each with volume, velocity, variety and variability, combine into security decisions]

Page 94: Scalar Security Roadshow - Toronto Stop

Case #1 - Incident Investigation/Forensics

•  Often initiated by an alert in another product
•  May be a "cold case" investigation requiring machine data going back months
•  Need all the original data in one place and a fast way to search it to answer:
   –  What happened and was it a false positive?
   –  How did the threat get in, where have they gone, and did they steal any data?
   –  Has this occurred elsewhere in the past?
•  Take results and turn them into a real-time search/alert if needed

[Figure: timeline from January to April linking Suspect A, B and C and Accomplice A and B through raw events such as "client=unknown[99.120.205.249]", "DHCPACK ... from host=85.196.82.110" and "truncating integer value > 32 bits"]

Page 95: Scalar Security Roadshow - Toronto Stop

Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20

Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:

20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True IP: 10.11.36.20 Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts


Case #2 – Real-time Monitoring of Known Threats

Sources: Intrusion Detection, Endpoint Security, Windows Authentication

Time Range: All three occurring within a 24-hour period

Example Correlation – Data Loss: the same Source IP appears in a Data Loss alert (intrusion detection), a Malware Found event (endpoint security) and a Default Admin Account event (Windows authentication)
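The Case #2 correlation above, pivoting three sources on one source IP inside a 24-hour window, written out in plain Python. This is an added example, not Splunk's code or the deck's own search; the log lines are constructed to mirror the Symantec, Snort and WMI samples on the slide, and the field names, the 24-hour window and the assumed year are illustration choices.

```python
"""Correlate IDS, endpoint and Windows authentication events on a shared source IP
inside a 24-hour window, as in the slide's Case #2 "data loss" correlation.

Added example, not Splunk's code or the deck's own search. The log lines are
constructed to mirror the Symantec, Snort and WMI samples on the slide; the
field names, the 24-hour window and the assumed year are illustration choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
YEAR = 2013  # syslog timestamps carry no year; assumed for the constructed data

# Constructed sample log lines: one hit per source for 10.11.36.20, plus noise
SAMPLE_LOGS = [
    "Aug 08 06:09:13 acmesep01 SymantecServer: Virus found,Computer name: ACME-002,"
    "Risk name: Hackertool.rootkit,Actual action: Quarantined,User: smithe,Source IP: 10.11.36.20",
    "Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 "
    "snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Priority: 2]",
    "Aug 08 04:12:21 wmi Caption=ACME-2975EB\\Administrator LocalAccount=True "
    "IP: 10.11.36.20 Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500",
    # Noise: same IDS signature from another host, and its malware hit three days later
    "Aug 08 09:00:00 snort.acmetech.com {TCP} 10.11.36.77:1234 -> 10.11.36.26:443 "
    "snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Priority: 2]",
    "Aug 11 06:09:13 acmesep01 SymantecServer: Virus found,Computer name: ACME-009,"
    "Risk name: Hackertool.rootkit,Actual action: Quarantined,User: jones,Source IP: 10.11.36.77",
]

# One (event_type, regex) per source; group 1 of each regex is the pivot field, the source IP
PARSERS = [
    ("malware_found", re.compile(r"SymantecServer: Virus found.*Source IP: (\d+\.\d+\.\d+\.\d+)")),
    ("data_loss", re.compile(r"\{TCP\} (\d+\.\d+\.\d+\.\d+):\d+ -> .*Credit Card Number Detected")),
    ("default_admin", re.compile(r"IP: (\d+\.\d+\.\d+\.\d+) Name=Administrator SID=\S+-500\b")),
]
TS_RE = re.compile(r"^([A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) ")
REQUIRED = {"malware_found", "data_loss", "default_admin"}


def parse(line):
    """Return (timestamp, event_type, source_ip), or None for lines this example does not model."""
    ts_match = TS_RE.match(line)
    if not ts_match:
        return None
    ts = datetime.strptime(f"{YEAR} {ts_match.group(1)}", "%Y %b %d %H:%M:%S")
    for event_type, rx in PARSERS:
        m = rx.search(line)
        if m:
            return ts, event_type, m.group(1)
    return None


def correlate(lines, window=WINDOW):
    """Map source_ip -> (first_ts, last_ts) for IPs that show all REQUIRED event types within `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ts, event_type, ip = parsed
            by_ip[ip].append((ts, event_type))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window over time-ordered events
        for i, (start, _) in enumerate(events):
            inside = [e for e in events[i:] if e[0] - start <= window]
            if {t for _, t in inside} >= REQUIRED:
                hits[ip] = (start, max(t for t, _ in inside))
                break
    return hits


if __name__ == "__main__":
    for ip, (first, last) in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {ip}: malware + default admin account + data loss between {first} and {last}")
```

The noise lines are the point: the same Snort signature from a second host, and a later malware hit on that host, never land in one 24-hour window with all three event types, so only 10.11.36.20 alerts. In a SIEM the pivot field and window are the two knobs that decide the false-positive rate of a rule like this.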

Page 96: Scalar Security Roadshow - Toronto Stop

2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; )" User John Doe

08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers Print\Providers\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""

2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,,[email protected],Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z


Case #3 – Real-time Monitoring of Unknown Threats

Sources: Endpoint Logs, Web Proxy, Email Server

Time Range: All three occurring within a 24-hour period

Example Correlation – Spearphishing: the same User Name appears in an email from a rarely seen email domain (email server), a visit to a rarely visited web site (web proxy) and a rarely seen service or process (endpoint logs)
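The Case #3 correlation differs from Case #2 in that none of the three events is an alert on its own; each is merely rare. The added example below (not Splunk's code) builds a rarity baseline from constructed history, then looks for a user whose rare email domain, rare web site and rare process fall inside one 24-hour window. The baseline, the rarity threshold (fewer than two prior sightings) and the event tuples are assumptions for illustration.

```python
"""Flag a user whose email, proxy and endpoint activity are all "rarely seen" within 24 hours.

Added example, not Splunk's code: it implements the Case #3 "unknown threat"
correlation from the slide in plain Python. Rarity is computed against a constructed
baseline; the threshold (seen fewer than 2 times before), the user key and the
event layout are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
RARE_THRESHOLD = 2  # a value with fewer than this many baseline sightings is "rare"

# Constructed baseline: what the organisation normally sees, as (source, user, value)
BASELINE = (
    [("email", f"user{i}", "acmetech.com") for i in range(40)]
    + [("web", f"user{i}", "www.acmetech.com") for i in range(40)]
    + [("web", f"user{i}", "www.microsoft.com") for i in range(25)]
    + [("endpoint", f"user{i}", "outlook.exe") for i in range(40)]
    + [("endpoint", f"user{i}", "chrome.exe") for i in range(30)]
    + [("email", "user3", "partner.example"), ("email", "user9", "partner.example")]
)

# Constructed detection-window events: (timestamp, source, user, value), mirroring the
# Exchange, proxy and registry samples on the slide
EVENTS = [
    (datetime(2013, 8, 9, 12, 40, 25), "email", "john.doe", "badsite.com"),
    (datetime(2013, 8, 9, 16, 21, 38), "web", "john.doe", "www.neverbeenseenbefore.com"),
    (datetime(2013, 8, 9, 16, 23, 51), "endpoint", "john.doe", "neverseenbefore.exe"),
    # user7: mail from a partner domain seen twice before (not rare) and normal activity
    (datetime(2013, 8, 9, 9, 0, 0), "email", "user7", "partner.example"),
    (datetime(2013, 8, 9, 9, 5, 0), "web", "user7", "www.microsoft.com"),
    (datetime(2013, 8, 9, 9, 6, 0), "endpoint", "user7", "outlook.exe"),
    # user12: rare site and rare process, but the rare mail was three days earlier
    (datetime(2013, 8, 6, 8, 0, 0), "email", "user12", "unknown-sender.example"),
    (datetime(2013, 8, 9, 10, 0, 0), "web", "user12", "www.obscure.example"),
    (datetime(2013, 8, 9, 10, 1, 0), "endpoint", "user12", "dropper.exe"),
]
REQUIRED = {"email", "web", "endpoint"}


def build_baseline(records):
    """Count how often each (source, value) pair has been seen historically."""
    return Counter((source, value) for source, _user, value in records)


def is_rare(baseline, source, value, threshold=RARE_THRESHOLD):
    """True when the value has fewer than `threshold` prior sightings for that source."""
    return baseline[(source, value)] < threshold


def correlate(events, baseline, window=WINDOW):
    """Map user -> [(ts, source, value), ...] when rare email, web and endpoint events cluster within `window`."""
    rare_by_user = defaultdict(list)
    for ts, source, user, value in events:
        if is_rare(baseline, source, value):
            rare_by_user[user].append((ts, source, value))
    hits = {}
    for user, rare in rare_by_user.items():
        rare.sort()
        for i, (start, _, _) in enumerate(rare):
            cluster = [r for r in rare[i:] if r[0] - start <= window]
            if {src for _, src, _ in cluster} >= REQUIRED:
                hits[user] = cluster
                break
    return hits


if __name__ == "__main__":
    for user, cluster in correlate(EVENTS, build_baseline(BASELINE)).items():
        print(f"ALERT {user}: {[(src, val) for _, src, val in cluster]}")
```

Only john.doe fires: user7's partner domain is already in the baseline, and user12's rare events are spread over more than a day. The weak spot of any "never seen before" rule is the baseline itself, so in production it should be rebuilt on a rolling window and excluded from the period under investigation, or an attacker who has been present for a while becomes "normal".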

Page 97: Scalar Security Roadshow - Toronto Stop

$500k Security ROI @ Interac

•  Challenges: Manual, costly processes
   –  Significant people and days/weeks required for incident investigations. $10k+ per week.
   –  No single repository or UI. Used multiple UIs, grep'd log files, reported in Excel
   –  Traditional SIEMs evaluated were too bloated, too much dev time, too expensive

•  Enter Splunk: Fast investigations and stronger security
   –  Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
   –  Splunk reduced investigation time to hours. Reports can be created in minutes.
   –  Real-time correlations and alerting enables fast response to known and unknown threats
   –  ROI quantified at $500k a year. Splunk TCO is less than 10% of this.

"Splunk is a product that provides a looking glass into our environment for things we previously couldn't see or would otherwise have taken days to see."
– Josh Diakun, Security Specialist, Information Security Operations

Page 98: Scalar Security Roadshow - Toronto Stop

Replacing a SIEM @ Cisco

•  Challenges: SIEM could not meet security needs
   –  Very difficult to index non-security or custom app log data
   –  Serious scale and speed issues. 10GB/day and searches took > 6 minutes
   –  Difficult to customize with reliance on pre-built rules which generated false positives

•  Enter Splunk: Flexible SIEM and empowered team
   –  Easy to index any type of machine data from any source
   –  Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
   –  All the data + flexible searches and reporting = empowered team
   –  900 GB/day and searches take < a minute. 7 global data centers with 350TB stored data
   –  Estimate Splunk is 25% the cost of a traditional SIEM

"We moved to Splunk from traditional SIEM as Splunk is designed and engineered for "big data" use cases. Our previous SIEM was not and simply could not scale to the data volumes we have."
– Gavin Reid, Leader, Cisco Computer Security Incident Response Team

Page 99: Scalar Security Roadshow - Toronto Stop

Security and Compliance @ Barclays

•  Challenges: Unable to meet demands of auditors
   –  Scale issues, hard to get data in, and impossible to get data out beyond summaries
   –  Not optimized for unplanned questions or historical searches
   –  Struggled to comply with global internal and external mandates, and to detect APTs
   –  Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting

•  Enter Splunk: Stronger security and compliance posture
   –  Fines avoided as searches easily turned into visualizations for compliance reporting
   –  Faster investigations, threat alerting, better risk measurement, enrichment of old data
   –  Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
   –  Other teams using Splunk for non-security use cases improves ROI

"We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk."
– Stephen Gailey, Head of Security Services

Page 100: Scalar Security Roadshow - Toronto Stop

Splunk Key Differentiators

Splunk vs. Traditional SIEM
•  Single product, UI, data store
•  Software-only; install on commodity hardware
•  Quick deployment + ease-of-use = fast time-to-value
•  Can easily index any data type
•  All original/raw data indexed and searchable
•  Big data architecture enables scale and speed
•  Flexible search and reporting enables better/faster threat investigations and detection, incl. finding outliers/anomalies
•  Open platform with API, SDKs, Apps
•  Use cases beyond security/compliance

Page 101: Scalar Security Roadshow - Toronto Stop

For your own AHA! moment, reach out to your Scalar and Splunk team for a demo. Thank you!

Page 102: Scalar Security Roadshow - Toronto Stop


INFOBLOX

Page 103: Scalar Security Roadshow - Toronto Stop

© 2013 Infoblox Inc. All Rights Reserved.

DNS as a Threat & Threats to DNS
Benoit Shelston, Senior Systems Engineer

Page 104: Scalar Security Roadshow - Toronto Stop


Agenda

Why is DNS a target? What types of attacks?

DNS Threats

Infoblox Overview

Infoblox Advanced DNS Protection

Page 105: Scalar Security Roadshow - Toronto Stop


Infoblox Overview

Founded in 1999

Headquartered in Santa Clara, CA with global operations in 25 countries

Market leadership
•  Gartner "Strong Positive" rating
•  40%+ Market Share (DDI)

7,000+ customers, 64,000+ systems shipped

35 patents, 29 pending

IPO April 2012: NYSE BLOX

Leader in DNS, DHCP, and IP Address Management

Page 106: Scalar Security Roadshow - Toronto Stop


Diverse Customer Base in All Key Verticals

[Figure: customer logos grouped by vertical (technology, manufacturing, telecom, government, retail, healthcare, financial services, other), recent new customers, and the number of each industry's top-10 leaders who are customers (7, 9, 8, 8, 7)]

Page 107: Scalar Security Roadshow - Toronto Stop


Why Is DNS an Ideal Target?
•  DNS is a bootstrap to networks and applications: nearly every connection starts with a lookup
•  DNS is easy to exploit: it runs over UDP, so source addresses can be spoofed, and small queries draw large answers
•  DNS can be both the threat (amplifier, command-and-control channel) and the target
•  No one is looking

DNS downtime means business downtime

Page 108: Scalar Security Roadshow - Toronto Stop


DNS Attacks up 216%

Source: Arbor Networks

[Chart: share of survey respondents reporting application-layer attacks, by service (Source: Arbor Networks): HTTP 82%, DNS 77%, HTTPS 54%, SMTP 25%, SIP/VoIP 20%, Other 9%, IRC 6%]

[Chart: DDoS attack vectors by share of attacks (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013): UDP FRAGMENT 17.11%, SYN 14.56%, UDP FLOODS 13.15%, ICMP 9.71%, DNS 9.58%, CHARGEN 6.39%, ACK 2.81%, RESET 1.4%, FIN PUSH 1.28%, SYN PUSH 0.38%, RP 0.26%, TCP FRAGMENT 0.13%]

Survey respondents:
•  ~ 10% of infrastructure attacks targeted DNS
•  ~ 80% of organizations experienced application layer attacks on DNS

Page 109: Scalar Security Roadshow - Toronto Stop


DNS Threats Landscape

•  Three types of DNS attacks
   –  Attack as Infrastructure: Attacks primarily focused on disruption of DNS services (and everything else with it)
   –  Protocol Exploitation: Attacks that use DNS as a vector for business exploitation
   –  Platform Hacks: Exploit the underlying DNS platform to take control of DNS (for defacement, or redirection)

Page 110: Scalar Security Roadshow - Toronto Stop


DNS Infrastructure Attacks Example

•  Traditional DoS
•  Distributed DoS
•  Amplification
•  Reflection
•  …and the dreaded combination: Distributed Reflection DoS (DRDoS)

[Figure: a Command & Control host directing a botnet's traffic at a DNS server]

Page 111: Scalar Security Roadshow - Toronto Stop


Most DDoS Attacks Use Name Servers

•  Why? Because name servers make surprisingly good amplifiers

This one goes to eleven…

Page 112: Scalar Security Roadshow - Toronto Stop


DDoS Illustrated

[Figure: an "evil resolver" sends spoofed queries, carrying the target's address as source, to open recursive name servers; each server's response goes to the spoofed address, i.e. the target]

Page 113: Scalar Security Roadshow - Toronto Stop


$ dig @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec ; <<>> DiG 9.9.1-P1 <<>> @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34036 ;; flags: qr aa; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 15 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;isc.org. IN ANY ;; ANSWER SECTION: isc.org. 7200 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013090300 7200 3600 24796800 3600 isc.org. 7200 IN RRSIG SOA 5 2 7200 20131002233248 20130902233248 50012 isc.org. hUfqnG5gKbygAeVRHjP5As31lsheMKNPD7g9MJlWZTrmD2de6Z/eCwUX kQxRT5TV0lFWjtGFuA0a4svbCZ1qHS9d/rhWc7IMziu2u+L9tbho+c4j szvGAJ9kYvalNbgpmkHdm+wmOHWmiY3cYKcl5Ps8gs5N0Q1JdkaCARPF HQs= isc.org. 7200 IN NS sfba.sns-pb.isc.org. isc.org. 7200 IN NS ns.isc.afilias-nst.info. isc.org. 7200 IN NS ams.sns-pb.isc.org. isc.org. 7200 IN NS ord.sns-pb.isc.org. isc.org. 7200 IN RRSIG NS 5 2 7200 20131002233248 20130902233248 50012 isc.org. Fdfb5ND2XUlnk/nPcPOaNBCK6307LdrhC/dqdS+TMtBjKMmXU2NJBl0h D8fOnOdKbzlwNk1JLPXq25znMNBw+ZdjMekctR2r2jTO2Xm9mT+su4ff 8r1pMcUGhpsq73V6NjIbgA3LT6zfv4gWyFdos60Ma/Bsq26SmpECQFNA RpI= isc.org. 60 IN A 149.20.64.69 isc.org. 60 IN RRSIG A 5 2 60 20131002233248 20130902233248 50012 isc.org. CkSV2VzLktJGH2PXEJl1QssxeyyUYM5pALjb06NMW0BC5vcFyuQYng2l NE/Z0J1XIHflWwGo9Gv1YZ0u/K6rGPXwgWmkl/6t0T8uNtk9u3XDhaMx QBg2P2ZAp1NEg6r3ccznGu9y+Q71g/IxcK+5Ok7gI8L18hBTi+vpCAKY q6A= isc.org. 7200 IN MX 10 mx.pao1.isc.org. isc.org. 7200 IN RRSIG MX 5 2 7200 20131002233248 20130902233248 50012 isc.org. fiALi/ebGauXvqfL4vHt5YzgIY/X0kh2WNE37wICVU6BYKkqDuWF2h5T 4ry2TmdcKj4pqVOJVSDF/A7zzRPkcpcwibTM8h5yDEMJzELAsSimj2mX BFsqTgFGtDXIGV9IU7qryFkVMrDlj9gcLkTlg1EZpyxwQH2y2XCT5BhA bQA= isc.org. 7200 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 7200 IN TXT "$Id: isc.org,v 1.1845 2013-08-16 16:16:50 dmahoney Exp $" isc.org. 
7200 IN RRSIG TXT 5 2 7200 20131002233248 20130902233248 50012 isc.org. J0UV7iIvQn7Pzu/itUN1JH4hLg8bjQo/73kBef/T/yzx/P8t6VX+MYDC ysyXNigSi1JPoWfYt7qu6eXcALQEwJ/Z156Rebefjls4R18wr+BttzWF ICb+zJ7K7o4meckc7ZQr12gIAXjij09dr9omYoObWo6/IH76S6N3Er4i xdg= isc.org. 60 IN AAAA 2001:4f8:0:2::69 isc.org. 60 IN RRSIG AAAA 5 2 60 20131002233248 20130902233248 50012 isc.org. OBWafw6hmgueTvaL06Q3zzpKODW3OIWKxHr3Z30mag1vJW5ECwlkK3xI lPr4A1Rg6SZiJp78yewBWkDB0436cY1uCJ0yzsk9YWlLW/5hScy1ueaH s2tfymZD7UdOh0FuLs05gunsxK2Of3DCG3Zh3cD4FMnu8ju1CuLD2+dU W1U= isc.org. 7200 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org. isc.org. 7200 IN RRSIG NAPTR 5 2 7200 20131002233248 20130902233248 50012 isc.org. s9cuc6O0e2kgBNffd6dyJyJH1Zm5Wd0pRO1q5aKMc7UsiKFUI7MI7Q8N VzTqwM/zWh2VzvtV/w1O3IHuSiXBN9k51Loy4WGHJSDcXs865PWjHJwJ jRqfz1bE+LsW/aZD2Ud/iGyhCoQPeZIOcqB6plB+keIf3mGR0bHkdjV+ Zw4= isc.org. 3600 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF isc.org. 3600 IN RRSIG NSEC 5 2 3600 20131002233248 20130902233248 50012 isc.org. K3/RL0nn54FkFvcPnaecG26JjQVCZL1g41zB02YssxZnE/3lX9X4O8uk DrONRdvKEeMq51YUy8NBljWAlPOIRYD0lWUMrXuSNHMyGIFwHFIZqNrN CuQUl+24oPQXi3/wWX0TGH5XW9XF2IB+Dc1zdP/5qRHiKCjAnYDNE384 PAQ= isc.org. 7200 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd isc.org. 7200 IN DNSKEY 256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU= isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 12892 isc.org. 
ioYDVytf4YoAHCVxdz6U/fuQCaH2f2XVUExEexo48e55vLVSre5GkBG1 Wyn/4FeWLOUVWm5HElbL/hK2QEResp0csAwTnllU7W8fM65aS7pIO9JZ QWMvkPxQjsTYzEP1P2GA8NVGRUhz17RMLLSFgAJS9aEI7xK0fMwsd9U4 Az+B9J8xVz5GGMb8FStEXMYauE9r8Z5G4ZzRZUv619lXYH+Uhha5QUfq IcVYvtOt+QLlwdWV4Kt3fp3m6KveBAnIiorPSjOd40PfWZD3CQ4GqVIc EyYai55bKN1hVgtFRhL8MqGexvbPvU49RKekeJihf7pzfM6nlo5+Xqvj WBe+EQ== isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 50012 isc.org. HFc6EpppK8DieQnYccCLEMuP3uhCFENhY9pwbqcwYh9fVOMMeEim/XSy QIk9FsVGZnXw2SgC946gSXnTkLdaogwibOZLq2oJ0UGbsF2+4SreLIx0 nv6EyJh1WSxfQrh7DCFtuMSBUMBleJjOfPC12zTzFetu2qgNM4hCov8p 3vA= isc.org. 7200 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 7200 IN RRSIG SPF 5 2 7200 20131002233248 20130902233248 50012 isc.org. enxTFXMYwtZW9rmS2eZ0svQwlaRJn3whFCblQ2mpqjtT3BxuqpGcvlbC jwjLxNhn89x2Y2//pkN1EPvgwr2yd7lIBoLV9X/VnGCH/sBlNaRtckk2 SE75cuH2L7jkR1D6JCHCwLnQHpiHbYeLWWzW18yifj33TOrRU7HwUrha aN0= ;; ADDITIONAL SECTION: ams.sns-pb.isc.org. 7200 IN A 199.6.1.30 ams.sns-pb.isc.org. 7200 IN AAAA 2001:500:60::30 ord.sns-pb.isc.org. 7200 IN A 199.6.0.30 ord.sns-pb.isc.org. 7200 IN AAAA 2001:500:71::30 sfba.sns-pb.isc.org. 7200 IN A 149.20.64.3 sfba.sns-pb.isc.org. 7200 IN AAAA 2001:4f8:0:2::19 mx.pao1.isc.org. 3600 IN A 149.20.64.53 mx.pao1.isc.org. 3600 IN AAAA 2001:4f8:0:2::2b asterisk.isc.org. 300 IN A 149.20.32.15 ams.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20131002233248 20130902233248 50012 isc.org. EyCDObCGhMVQeLsZEFsK6k72FT0Y0Ps3XhiZmusKDz/yl7K8eclF3+Zd y7u61A9nSEHbeLR7t3IbXuQgXOsBaYYEQBZ+YXwdpMQoSL02TbUsCa8t Qtap2EK9xJDajbfTR4kEYjCg6PtneOKGVCvQcC3Le2QEuM+aviEkWU6h Feo= ams.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20131002233248 20130902233248 50012 isc.org. RFpmtA/CAZOExrl8Pc6tDW38Eoc/xXxtuoS634xllKoM77zhGLx6vLRR wiH3Ny1gW++hyj6b6LMDVbBEm7vAMVxrOQVYM5fWtYCF/cN4IHVlti33 /Hgiuk2SSdsZEgeAu57FgxgZIMaO0TsB6YkpI3cgb1H6usISSEE3Cgng 6gU= ord.sns-pb.isc.org. 
7200 IN RRSIG A 5 4 7200 20131002233248 20130902233248 50012 isc.org. N/zYhIB9XSungjF+TaCdjtOnN5K8FCuRwMb3cjlr9DRU4hVJjFJOi8LP aNlBJQlWQKCirYsFqPw1/K0U9djvkEyU3W7JsdkE89Ep/4QX9M4Jt++w 9ZTFQO+e9SNPimQdjjEC5FbRYYfls7KX0V79gL9vG9dxqGMDNtGNJaFU NOE= ord.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20131002233248 20130902233248 50012 isc.org. H5eByfYUHm4c8V12auNIl1QhQL4UA9MV9w1wQPJiU/Rtxbfvvrl3rlVj ulUP6v4R5NVO3lad7bsNPb9xMou1qOC5FL9fn0MVFqU+qCwQ7GIRxyA6 fQaFKBNrOL6iiVbC6LbE+2uZPR6Z0HTD8L7pgAaNJ9YmrVZCU/F5pHy9 cso= sfba.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20131002233248 20130902233248 50012 isc.org. sr0nh5ZbxmbnGaduo4ri1tHpPR4+D0Mf4WpEjzu21+iEBkgc3M1XdYCT gCpd8JRCEcz+gIu8wXQI5+29mUrK3QwPCIWJNx/AKol7TbIPxrYoKCiv pZv7yTwO2bC1SGfcNXZAm5UuKU0jl7jeIe2oIkHMrlPVFd2E6XKG9iWL ngA= ;; Query time: 35 msec ;; SERVER: 2001:4f8:0:2::19#53(2001:4f8:0:2::19) ;; WHEN: Wed Sep 4 11:14:01 2013 ;; MSG SIZE rcvd: 4077!

Amplification: They Go Past Eleven…

Query for isc.org/ANY: 36 bytes sent, 4077 bytes received, ~113x amplification!

Page 114: Scalar Security Roadshow - Toronto Stop


A Little Math

•  Say each bot has a measly 1 Mbps connection to the Internet
   –  1 Mbps is 125,000 bytes per second, so it can send 125,000 B / 36 B ≈ 3,500 qps (dividing 1,000,000 bits by 36 bytes gives the often-quoted 28K qps, but that mixes units)
   –  That generates 3,500 × 4077 B ≈ 14 MB/s ≈ 113 Mbps of reflected traffic toward the victim

•  So about 90 such bots exceed 10 Gbps: with 113x amplification, the attack volume is simply the botnet's combined uplink times 113
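Where the 36-byte query and the 113x figure come from, and the bot arithmetic with bits and bytes kept straight. This is an added example, not Infoblox code: it assembles the exact DNS message that `dig ... any isc.org +norec +dnssec` sends (header, question, EDNS0 OPT record) using only the standard library, then redoes the estimate. The 4077-byte response size is taken from the slide's dig output, the 1 Mbps uplink is the slide's assumption, and the transaction ID is arbitrary.

```python
"""Build the isc.org/ANY query from the slide and redo the amplification arithmetic.

Added example, not Infoblox's code. The 4077-byte response is the slide's measured
size; the 1 Mbps bot uplink is the slide's assumption; the transaction ID is arbitrary.
"""
import math
import struct

QTYPE_ANY = 255
IPV4_UDP_HEADERS = 20 + 8  # bytes added on the wire to every unfragmented DNS payload


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x84F4, rd=False, edns_udp_size=4096, do_bit=True):
    """DNS query message: 12-byte header + question + EDNS0 OPT pseudo-record.

    rd=False matches dig's +norec; do_bit=True matches +dnssec (which is what makes
    the signed ANY answer so large).
    """
    flags = 0x0100 if rd else 0x0000                 # QR=0, opcode=QUERY, RD as requested
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, UDP payload size in the CLASS field, DO bit in the TTL field
    opt_ttl = 0x00008000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, opt_ttl, 0)
    return header + question + opt


def amplification(query_bytes, response_bytes, with_headers=False):
    """Bytes received per byte sent; optionally count IPv4+UDP headers on both packets.

    With headers the ratio drops, and a 4077-byte answer is really several fragments,
    each with its own IP header, so the payload ratio is an upper bound.
    """
    extra = IPV4_UDP_HEADERS if with_headers else 0
    return (response_bytes + extra) / (query_bytes + extra)


def bot_math(uplink_mbps, query_bytes, response_bytes):
    """Return (queries_per_second, reflected_mbps) for one bot saturating its uplink."""
    bytes_per_second = uplink_mbps * 1_000_000 / 8   # megabits to bytes: the step the slide skipped
    qps = bytes_per_second / query_bytes
    reflected_mbps = qps * response_bytes * 8 / 1_000_000
    return qps, reflected_mbps


def bots_needed(target_gbps, uplink_mbps, query_bytes, response_bytes):
    """Smallest number of bots whose reflected traffic reaches target_gbps."""
    _, per_bot_mbps = bot_math(uplink_mbps, query_bytes, response_bytes)
    return math.ceil(target_gbps * 1000 / per_bot_mbps)


if __name__ == "__main__":
    q = build_query("isc.org", QTYPE_ANY)
    print(len(q), "byte query on the wire (DNS payload only)")
    print(f"{amplification(len(q), 4077):.0f}x payload amplification, "
          f"{amplification(len(q), 4077, with_headers=True):.0f}x counting IPv4/UDP headers")
    qps, mbps = bot_math(1, len(q), 4077)
    print(f"one 1 Mbps bot: {qps:,.0f} qps -> {mbps:.0f} Mbps reflected")
    print(bots_needed(10, 1, len(q), 4077), "such bots for 10 Gbps")
```

The three things that make this attack work are all visible in the code: the query is tiny, the DO bit asks for the RRSIGs that bloat the answer, and nothing in the message authenticates the source address. Defences therefore target each part: response rate limiting and refusing ANY over UDP on authoritative servers, closing open recursion, and BCP 38 source-address filtering at the network edge.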

Page 115: Scalar Security Roadshow - Toronto Stop


Malware Enablement

•  Malware infects clients when they visit malicious web sites, whose names are resolved using DNS

•  Malware rendezvous with command-and-control channels using hardwired domain names and rapidly changing IP addresses

•  Malware tunnels new malicious code through DNS

Page 116: Scalar Security Roadshow - Toronto Stop


Anatomy of an Attack: CryptoLocker "Ransomware"

•  Targets Windows-based computers

•  Arrives as an attachment to a legitimate-looking email

•  Upon infection, contacts its command-and-control server (found by generating candidate domain names and resolving them, so the rendezvous depends on DNS), fetches a per-victim public key, and encrypts files on the local hard drive and mapped network drives

•  Ransom: 72 hours to pay US$300

•  Fail to pay and the attacker's matching private key is deleted, and the data is gone forever

•  Once the executable has started, the only way to stop it is to block the outbound connection to the command-and-control server before the key is fetched, for example by refusing to resolve its domains

Page 117: Scalar Security Roadshow - Toronto Stop


Platform Hack

Page 118: Scalar Security Roadshow - Toronto Stop


DNS Threats Spectrum Overview

Disruption of DNS Services
•  DNS Cache Poisoning: Illegitimate corruption of DNS cached records
•  DoS/DDoS Attacks: DNS flooding, amplification and reflection attacks; denial of service by exploiting vulnerabilities in the OS / applications
•  DNS Redirection: Response manipulation, man-in-the-middle (MITM) attacks
•  Geographic-based Threats: High percentage of threats originating from specific geographic locations
•  DNS Protocol Attacks: Malformed packets, vulnerabilities, buffer overflows, shellcode insertion

Use DNS as a Vector for Business Exploitation
•  DNS Tunneling Frauds: DNS tunneling (use of port 53 as an open communication channel); an attacker tunnels SSH traffic through DNS requests
•  Data Leakage: Using DNS to transport encrypted payloads
•  IP Fluxing: Fluxing of IPs at extremely high frequencies
•  Domain Fluxing / Domain Generation Algorithms (DGA): Domain generation / fluxing using dynamic algorithms that are hard to detect
•  Domain Phishing: DNS response manipulation; malware using DNS to redirect legitimate traffic to infected sites
•  Malicious Domains: Detect and drop known malicious domains or exploits
•  Advanced Persistent Threats (APTs): Machine-generated FQDNs that are stealthy and persistent

Page 119: Scalar Security Roadshow - Toronto Stop


Introducing Infoblox Advanced DNS Protection: The First DNS Server that Protects Itself

Unique Detection and Mitigation
§  Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling
§  Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests

Centralized Visibility
§  Centralized view of all attacks happening across the network through detailed reports
§  Intelligence needed to take action

Ongoing Protection Against Evolving Threats
§  Regular automatic threat-rule updates based on threat analysis and research
§  Helps mitigate attacks sooner vs. waiting for patch updates

Page 120: Scalar Security Roadshow - Toronto Stop


Dedicated Compute

•  Infoblox-designed network accelerator card
•  Performs deep packet inspection at wire speed
•  Purpose-built for analyzing DNS traffic
•  Blocks or rate-limits threats before they are processed by the standard operating system, on ingress and egress

Page 121: Scalar Security Roadshow - Toronto Stop


Threat detection – more than just DDoS

•  DNS reflection/DRDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
•  DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
•  DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
•  TCP/UDP/ICMP floods: Denial of service at layers 3 and 4, bringing a network or service down by flooding it with large amounts of traffic
•  DNS cache poisoning: Corruption of the DNS cache data with a rogue address
•  Protocol anomalies: Causing the server to crash by sending malformed packets and queries
•  Reconnaissance: Attempts by attackers to get information on the network environment before launching a DDoS or other type of attack
•  DNS tunneling: Tunneling of another protocol through DNS for data exfiltration

Page 122: Scalar Security Roadshow - Toronto Stop


DNS Content Based Filtering

•  Fast Flux: Rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
•  APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
•  Hacked Domains: Compromised DNS registrars or registries re-directing users to malicious domain(s)
•  Geo-Blocking: Blocking access to geographies that have high rates of malicious domains or are subject to economic sanctions by the US Government
•  FireEye: Block threats detected by your FireEye appliance

Page 123: Scalar Security Roadshow - Toronto Stop


Monitoring and Alerting

•  Alert on threats
   –  Send over syslog to any SIEM
•  Report and trend on threats
•  Report and trend on ALL DNS traffic
•  Capture and log all DNS queries, AND responses (optional)
•  Analyze and report on top patterns:
   –  Most frequently requested FQDN
   –  Top talkers
   –  Frequent queries ending in errors (NXDOMAIN, time out, SERVFAIL, etc.)
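The "top patterns" above, plus two cheap content checks for the tunneling and DGA rows of the threat table earlier in this talk, computed over a captured query-and-response log. This is an added example, not Infoblox code: the log format (one "timestamp client qname qtype rcode" line per query) is an assumed simplification, the sample lines are constructed, the "parent domain" guess is the last two labels (no public-suffix list), and the thresholds are illustrative.

```python
"""Top-N, error-rate and tunneling/DGA heuristics over DNS query+response logs.

Added example, not Infoblox code. It computes the "top patterns" the monitoring slide
lists (most requested FQDN, top talkers, clients with many NXDOMAIN/SERVFAIL answers)
and adds two content checks for the tunneling and DGA threat rows: many distinct,
failing children under one parent (DGA-like) and very long names under one parent
(tunnel-like). The log format is an assumed, simplified one-line-per-query layout,
the sample lines are constructed, and the thresholds are illustrative.
"""
import math
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$"
)
ERROR_RCODES = {"NXDOMAIN", "SERVFAIL"}

# Constructed sample log: normal traffic, one NXDOMAIN-heavy client, one tunnelling client
SAMPLE_LOG = """\
2014-03-04T10:00:01Z 10.1.1.5 www.example.com A NOERROR
2014-03-04T10:00:02Z 10.1.1.6 www.example.com A NOERROR
2014-03-04T10:00:03Z 10.1.1.5 mail.example.com MX NOERROR
2014-03-04T10:00:04Z 10.1.1.7 www.example.com AAAA NOERROR
2014-03-04T10:00:05Z 10.1.1.9 kq3xv7z2.evil.example A NXDOMAIN
2014-03-04T10:00:06Z 10.1.1.9 p0w8mcd1.evil.example A NXDOMAIN
2014-03-04T10:00:07Z 10.1.1.9 a9t4ll2q.evil.example A NXDOMAIN
2014-03-04T10:00:08Z 10.1.1.9 www.example.com A NOERROR
2014-03-04T10:00:09Z 10.1.1.12 mzxw6ytboi2dkmjrgaydcmrtgy4diojz.nbswy3dpeb3w64tmmq.t.example.net TXT NOERROR
2014-03-04T10:00:10Z 10.1.1.12 onswy3dpeb2gq2lteb2gs3tufzwg64rr.gezdgnbvgy3tqojq.t.example.net TXT NOERROR
2014-03-04T10:00:11Z 10.1.1.12 krugkidrovuwg2zamjzg653oebtg66bn.onxxk4dforsxg5a.t.example.net TXT NOERROR
"""


def parse(text):
    """Parse log lines into dicts; silently skip lines that do not match the assumed format."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
    return records


def top_fqdns(records, n=3):
    return Counter(r["qname"] for r in records).most_common(n)


def top_talkers(records, n=3):
    return Counter(r["client"] for r in records).most_common(n)


def error_rate_by_client(records):
    """Fraction of each client's queries that ended in NXDOMAIN/SERVFAIL."""
    total, errors = Counter(), Counter()
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] in ERROR_RCODES:
            errors[r["client"]] += 1
    return {client: errors[client] / total[client] for client in total}


def shannon_entropy(label):
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not label:
        return 0.0
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def parent_domain(qname):
    """Naive registrable-domain guess: the last two labels (assumption; no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])


def suspicious_parents(records, min_distinct=3, long_qname=50):
    """Flag (client, parent, reason, avg_label_entropy) for DGA-like or tunnel-like behaviour."""
    children, rcodes, lengths = defaultdict(set), defaultdict(list), defaultdict(list)
    for r in records:
        key = (r["client"], parent_domain(r["qname"]))
        children[key].add(r["qname"])
        rcodes[key].append(r["rcode"])
        lengths[key].append(len(r["qname"]))
    findings = []
    for key, names in children.items():
        if len(names) < min_distinct:
            continue
        avg_entropy = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if all(rc in ERROR_RCODES for rc in rcodes[key]):      # many distinct names, none exist
            findings.append((*key, "dga-like", round(avg_entropy, 2)))
        elif max(lengths[key]) > long_qname:                    # names stuffed with payload
            findings.append((*key, "tunnel-like", round(avg_entropy, 2)))
    return findings


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("top FQDNs:", top_fqdns(recs))
    print("top talkers:", top_talkers(recs))
    print("error rate:", error_rate_by_client(recs))
    for finding in suspicious_parents(recs):
        print("SUSPICIOUS:", finding)
```

Every one of these checks is a rate or a shape, not a signature, which is why they need a baseline: a CDN or a mail provider legitimately produces thousands of distinct children under one parent, and a content filter with the last-two-labels guess will lump "co.uk" style suffixes together. Tune the thresholds per environment and whitelist known-good parents before alerting on them.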

Page 124: Scalar Security Roadshow - Toronto Stop


Custom Rules

•  Block or rate limit by:
   –  Source IP
   –  FQDN
   –  UDP or TCP
•  Whitelists

Threat Update Service

•  Threats are analyzed by a security team at Infoblox
•  Appliances check for new signatures every hour

Page 125: Scalar Security Roadshow - Toronto Stop


ADP In Action

[Figure: the Infoblox threat-rule server pushes automatic rule updates through the Grid Master to the Advanced DNS Protection appliances; the appliances block or rate-limit DNS threats and answer legitimate traffic; a reporting server tracks and reports attack types and severity and sends them to a SIEM]

Page 126: Scalar Security Roadshow - Toronto Stop


Deployment Options

Page 127: Scalar Security Roadshow - Toronto Stop


External Protection against Internet-borne Attacks

[Figure: Advanced DNS Protection appliances in the DMZ between the Internet and the data center; the Grid Master and Candidate (HA) sit on the intranet, which also serves the campus office, regional office(s) and disaster recovery site(s)]

Advanced DNS Protection, when deployed as an external authoritative DNS server, can protect against cyberattacks

Page 128: Scalar Security Roadshow - Toronto Stop


Internal Protection against Internal Attacks, or misconfigured applications, on Recursive or Authoritative Servers

Advanced DNS Protection can secure internal DNS environments where internal user traffic is hostile

[Figure: Advanced DNS Protection appliances on the intranet between the endpoints and the Grid Master and Candidate (HA)]

Page 129: Scalar Security Roadshow - Toronto Stop


Advanced Appliances Come in Three Physical Platforms

Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation.

The appliances offer both AC and DC power supply options.

Page 130: Scalar Security Roadshow - Toronto Stop


Why QoS Matters

Settings


Page 131: Scalar Security Roadshow - Toronto Stop


Summary

•  DNS is a core strategic asset that is often left unprotected
•  The bad guys are going after your DNS servers
•  Internal DNS is just as exposed to failure
•  Infoblox can help
   –  Deep visibility
   –  Unique expertise in DNS
   –  Scales up to the largest networks

Page 132: Scalar Security Roadshow - Toronto Stop


Thank You www.infoblox.com

Page 133: Scalar Security Roadshow - Toronto Stop


WRAP/Q&A

Page 134: Scalar Security Roadshow - Toronto Stop


The Issues

}  Integration of Security Technologies

}  Staffing

}  Vulnerabilities

}  Advanced threats

Page 135: Scalar Security Roadshow - Toronto Stop


The Issues

}  Integration of Security Technologies is Challenging
   –  Multiple formats of data
   –  Data timing issues
   –  Different types of security controls
   –  Other data types

Page 136: Scalar Security Roadshow - Toronto Stop


The Issues

}  InfoSecurity Staff
   –  Different skills requirements
      ﹘  Architects
      ﹘  Malware Handling
      ﹘  Forensics
      ﹘  Vulnerability
      ﹘  Incident Management
      ﹘  Risk and Compliance
   –  HR Costs
      ﹘  Premium technical personnel
      ﹘  Analysts, Specialists
      ﹘  Training and certification

Page 137: Scalar Security Roadshow - Toronto Stop


The Issues

}  Vulnerabilities
   –  Regular scheduled disclosures
   –  Large volumes of ad-hoc patches
   –  Many undisclosed zero days
   –  Remediation is a continuous process

Page 138: Scalar Security Roadshow - Toronto Stop


The Issues

}  Advanced Threats
   –  Advanced Persistent Threats
   –  Embedded threats

}  Who?
   –  State sponsored
   –  Hacktivism
   –  Hackers
   –  Organized crime

Page 139: Scalar Security Roadshow - Toronto Stop


How to Secure It

}  State-of-the-art Security Technologies

}  Skills on Demand
   –  Continuous Tuning of Rules and Filters
   –  Cyber Intelligence, Advanced Analytics
   –  Cyber Incident Response
   –  Code Review, Vulnerability and Assessment Testing

Page 140: Scalar Security Roadshow - Toronto Stop


QUESTIONS?

Page 141: Scalar Security Roadshow - Toronto Stop


THANK YOU.