vancouver security road show master deck final

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience Security Road Show - Vancouver

Upload: scalar-decisions

Post on 15-Jan-2015


Page 1

Security Road Show - Vancouver

Page 2

9:00am – 9:15am Welcome

9:15am – 9:45am Palo Alto Networks – You can’t control what you can’t see!

9:45am – 10:15am F5 – Protect your web applications

10:15am – 10:30am Break

10:30am – 11:00am Splunk – Big data, next generation SIEM

11am – 11:30am Infoblox – Are you fully prepared to withstand DNS attacks?

11:30am – 12:00pm Closing remarks, Q&A

12:00pm – 12:30pm Boxed Lunches

Page 3

Today’s Speakers

– Alon Goldberg – Palo Alto Networks

– Buu Lam – F5

– Menno Vanderlist – Splunk

– Ed O’Connell – Infoblox

– Rob Stonehouse – Scalar

Page 4

Background in architecting mission-critical data centre infrastructure

Founded in 2004

$125M in CY13 revenues

120 employees

Nationwide presence: Toronto | Vancouver | Ottawa | Calgary | London

25% growth YoY

Greater than 1:1 technical:sales ratio

Page 5

Scalar is joining the TORONTO2015 Pan Am/Parapan Am Games as an Official Supplier

Managing IT security, data centre integration, and managed storage services

Page 6

The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools

Delivering infrastructure services which support core applications

Page 7

WHY SCALAR?

Page 8

Experience | Execution | Innovation

Page 9

Top technical talent in Canada

– Engineers average 15 years’ experience

We train the trainers

– Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox

Our partners recognize we’re the best

– Brocade Partner of the Year – Innovation

– Cisco Partner of the Year – Data Centre & Virtualization

– VMware Global Emerging Products Partner of the Year

– F5 Canadian Partner of the Year

– Palo Alto Networks Rookie of the Year

– NetApp Partner of the Year – Central

Page 10

Unique infrastructure solutions designed to meet your needs

– StudioCloud

– HPC & Trading Systems

Testing Centre & Proving Grounds

– Ensuring emerging technologies are hardened, up to the task of Enterprise workloads

Vendor Breadth

– Our coverage spans Enterprise leaders and Emerging technologies for niche workloads & developing markets

Page 11

“Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”

Page 12

“We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”

Page 13

“Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multi-disciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”

Page 14

Page 15

PALO ALTO NETWORKS

Page 16

Next-Generation Protection for

Advanced Threats

Alon Zvi Goldberg, SE Palo Alto Networks

Page 17

©2012, Palo Alto Networks. Confidential and Proprietary.

Attack chain shown on the slide:

Exploit Kit Malware From New Domain → ZeroAccess Delivered → C2 Established → Secondary Payload → Spread Laterally → Custom C2 & Hacking → Data Stolen

Evasion annotations shown alongside the chain:

– New domain has no reputation

– Payload designed to avoid AV

– Hidden within SSL

– Non-standard port use evades detection

– Custom malware = no AV signature

– Internal traffic is not monitored

– Custom protocol avoids C2 signatures

– RDP & FTP allowed on the network

Page 18

1. Bait the end-user – End-user lured to a dangerous application or website containing malicious content

2. Exploit – Infected content exploits the end-user, often without their knowledge

3. Download Backdoor – Secondary payload is downloaded in the background. Malware installed

4. Establish Back-Channel – Malware establishes an outbound connection to the attacker for ongoing control

5. Explore & Steal – Remote attacker has control inside the network and escalates the attack

Page 19

Exploits are delivered over the network

Malware is delivered over the network

Malware communicates over the network

Exploits | Malware | Spyware, C&C

Encryption, fragmentation | Proxies, tunneling, encryption, custom traffic | Re-encoded and targeted malware

Attacks are Blended – Traffic and Malware; Inbound and Outbound

Designed to Evade Security – Encryption, strange ports, tunneling, polymorphic malware, etc.

Break Security Assumptions – When attackers control both ends of a connection they can hide their traffic in any way they want

Page 20

1. Full Visibility of Traffic

– Equal analysis of all traffic across all ports (no assumptions)

– Control the applications that attackers use to hide

– Decrypt, decompress and decode

2. Control the full attack lifecycle

– Exploits, malware, and malicious traffic

– Maintain context across disciplines

– Maintain predictable performance

3. Expect the Unknown

– Detect and stop unknown malware

– Automatically manage unknown or anomalous traffic

Page 21

Reducing Risk

Applications

• Visibility and control of all traffic, across all ports, all the time

• Reduce the attack surface

• Control the threat vector

• Control the methods that threats use to hide

Sources

• Control traffic sources and destinations based on risk

• Sites known to host malware

• Find traffic to command and control servers

• SSL decrypt high-risk sites

Known Threats

• Stop exploits, malware, spying tools, and dangerous files

• NSS tested and Recommended IPS

• Stream-based anti-malware based on millions of samples

• Control threats across any port

Unknown Threats

• Automatically identify and block new and evolving threats

• WildFire analysis of unknown files

• Visibility and automated management of unknown traffic

• Anomalous behaviors

Page 22

Visibility Into All Traffic

Page 23

• The Rule of All

- All traffic, all ports, all the time

- Mobile and roaming users

• Progressive Inspection

- Decode – 200+ application and protocol decoders

- Decrypt – based on policy

- Decompress

• Stop the methods that attackers use to hide

- Proxies

- Encrypted tunnels

- Peer-to-peer


Page 24

Non-Standard Ports – Applications that can dynamically use non-standard ports

- Evasive Applications – Standard application behavior

- Security Best Practices – Moving internet facing protocols off of standard ports (e.g. RDP)

Tunneling Within Allowed Protocols – Applications that can tunnel other apps and protocols

- SSL and SSH

- HTTP

- DNS

Circumventors – Applications designed to avoid security

- Proxies

- Anonymizers (Tor)

- Custom Encrypted Tunnels (e.g. Freegate, Ultrasurf)

Page 25

[Chart: number of ports observed per application]

SSL - 4,740 ports

Skype - 1,802 ports

Skype Probe - 27,749 ports

BitTorrent - 21,222 ports

Page 26

Based on a 3 month study of fully undetected malware collected by WildFire

– 26,000+ malware samples

– 1,000+ networks

FTP was the most evasive application observed*

– 95% of unknown samples delivered via FTP were never covered by antivirus.

– 97% of malware FTP sessions used non-standard ports, and used 237 different non-standard ports.

Web-browsing delivered more malware, but was less evasive.

– 10% of samples delivered over 90 different non-standard web ports

Page 27

Unknown traffic traversing the DNS port

HTTP using ephemeral ports

Example: Sample 0-Day Malware

Page 28

Page 29

Analysis of APT1 found:

– RDP was the application of choice for ongoing management of the attack

– Often proxied through intermediaries

– Used custom applications built on MSN Messenger, Jabber, and Gmail Calendar

– Often hidden within SSL

Recommended Actions

– Decrypt SSL

– Tightly control RDP and proxy applications

– Baseline instant messaging applications and investigate any unknowns

Page 30

Controlling Remote Desktop and Instant Messaging

Potential URL Categories for Correlation

• Botnets

• Not-resolved

• Proxy-avoidance and anonymizers

• Open-http-proxies

• Peer-to-peer

• Spyware

Page 31

Requirement: Expect the Unknowns

Page 32

1. Unknown traffic becomes significant

– Anything non-compliant or custom should be known and approved

– When the vast majority of traffic is identified, the unknowns become manageable

2. Unknown traffic is common (99% of AVRs)

– New publicly available commercial applications

– Internally developed, custom applications

– Rogue or malicious applications (malware)

3. Unknowns are manageable

– Investigate unknowns

– Customize App-ID to reduce the number of unknowns

– Aggressively control or block remaining unknown traffic

Page 33

40% of Unknown Malware Files Were Blockable

40% of unknown samples were identifiable as sister samples that shared specific identifiers in the file header and payload

Most Commonly Observed Malware Behaviors on the Network

– Contained unknown TCP/UDP traffic: 29.39%

– Visited an unregistered domain: 24.38%

– Sent out emails: 20.46%

– Used the POST method in HTTP: 12.38%

– Triggered known IPS signature: 7.10%

– IP country different from HTTP host TLD: 6.92%

– Communicated with new DNS server: 5.56%

– Downloaded files with an incorrect file extension: 4.53%

– Connected to a non standard HTTP port: 4.01%

– Produced unknown traffic over the HTTP port: 2.33%

– Visited a recently registered domain: 1.87%

– Visited a known dynamic DNS domain: 0.56%

– Visited a fast-flux domain: 0.47%

Source: Palo Alto Networks, WildFire Malware Report

• Investigate and classify any unknown traffic

• No file downloads from unknown domains

• No HTTP posts to unknown domains

• No email traffic not to the corp email server
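As an added example (not Palo Alto Networks code), the behaviours in the chart above and the three rules beneath it applied as detection logic over constructed session records; the reputation table, the corporate mail server address and the `Session` field names are assumptions standing in for URL-category and domain-registration feeds.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed reputation data: stands in for URL-category and WHOIS age feeds.
KNOWN_DOMAINS = {"corp.example", "update.vendor.example", "cdn.example"}
DOMAIN_AGE_DAYS = {"corp.example": 3650, "update.vendor.example": 1500,
                   "cdn.example": 900, "x7q-promo.example": 3}
CORP_MAIL_SERVER = "10.0.0.25"          # assumed address of the corporate mail relay
STANDARD_HTTP_PORTS = {80, 8080, 443}


@dataclass
class Session:
    src: str
    app: str          # App-ID style label; "unknown-tcp"/"unknown-udp" if unidentified
    dst_ip: str
    dst_port: int
    domain: str = ""  # empty if the session carried no hostname
    method: str = ""  # HTTP method, if any
    downloaded_file: bool = False


def is_unknown_domain(domain):
    """A domain is unknown unless it is on the constructed known list."""
    return bool(domain) and domain not in KNOWN_DOMAINS


def flag_session(s):
    """Return the behaviour labels a single session exhibits."""
    flags = []
    if s.app in ("unknown-tcp", "unknown-udp"):
        flags.append("unknown TCP/UDP traffic")
    if s.app == "web-browsing":
        if s.dst_port not in STANDARD_HTTP_PORTS:
            flags.append("non-standard HTTP port")
        if s.method == "POST" and is_unknown_domain(s.domain):
            flags.append("HTTP POST to unknown domain")
        if s.downloaded_file and is_unknown_domain(s.domain):
            flags.append("file download from unknown domain")
    if s.app == "smtp" and s.dst_ip != CORP_MAIL_SERVER:
        flags.append("email not to corporate mail server")
    if s.domain:
        age = DOMAIN_AGE_DAYS.get(s.domain)   # None = no registration record
        if age is None:
            flags.append("unregistered domain")
        elif age < 30:
            flags.append("recently registered domain")
    return flags


def triage(sessions):
    """Group flags by source host; any host with a flag is a candidate for investigation."""
    by_host = {}
    for s in sessions:
        for f in flag_session(s):
            by_host.setdefault(s.src, Counter())[f] += 1
    return by_host


# Constructed sample sessions: one clean host, one showing the DNS/HTTP/unknown pattern.
SAMPLE_SESSIONS = [
    Session("10.1.1.10", "web-browsing", "93.184.216.34", 443, "cdn.example"),
    Session("10.1.1.10", "smtp", CORP_MAIL_SERVER, 25),
    Session("10.1.1.42", "dns", "10.0.0.53", 53, "x7q-promo.example"),
    Session("10.1.1.42", "web-browsing", "198.51.100.7", 8000, "x7q-promo.example",
            "GET", downloaded_file=True),
    Session("10.1.1.42", "web-browsing", "198.51.100.7", 8000, "x7q-promo.example", "POST"),
    Session("10.1.1.42", "unknown-tcp", "198.51.100.9", 4433),
    Session("10.1.1.42", "smtp", "203.0.113.5", 25),
]

if __name__ == "__main__":
    for host, flags in triage(SAMPLE_SESSIONS).items():
        print(host, dict(flags))
```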

Page 34

Recent Sample of 0-Day Malware from WildFire

• Repeated pattern of DNS, HTTP and Unknown Traffic

• The “unknown” proved to be the most important traffic

The Unknown traffic marks the spot

Page 35

A closer look at the unknown session

Page 36

Inspect all traffic

Capture and execute any unknown files to observe real behavior

Block malware, C2 traffic and variants

Page 37

Page 38

40% of Unknown Malware Files Were Variants

Opportunity to Block Malware

In 40% of cases, a single signature matched multiple samples (variants)

1 signature hit 1,500+ unique SHA values

Provides a way to block malware even when it is repackaged to avoid signatures

WildFire Subscription

Delivers signatures within 30 to 60 minutes of new malware being detected anywhere in the world

40% of Malware Samples Were Related

Page 39

• Detailed analysis of malware behaviors including

• Malware actions

• Domains visited

• Registry changes

• File changes

Page 40

Coordinated Threat Prevention – An Integrated Approach to Threat Prevention

Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors

Attack stages: Bait the end-user → Exploit → Download Backdoor → Establish Back-Channel → Explore & Steal

Protection layers: App-ID | URL | IPS | Threat License | Spyware | AV | Files | WildFire

Controls shown against the attack stages:

– Block high-risk apps

– Block known malware sites

– Block the exploit

– Prevent drive-by-downloads

– Detect unknown malware

– Block malware

– Block spyware, C&C traffic

– Block C&C on non-standard ports

– Block malware, fast-flux domains

– Block new C&C traffic

Page 41

Thank you!

Page 42

F5

Page 43

F5 Security for an application driven world

Page 44

© F5 Networks, Inc. CONFIDENTIAL

F5 Provides Complete Visibility and Control Across Applications and Users

Intelligent Services Platform

Users – Securing access to applications from anywhere

Resources – Protecting your applications regardless of where they live

TMOS

Network Firewall | Protocol Security | DDoS Protection | Dynamic Threat Defense | DNS | Web Access

Page 45

Security Trends and Challenges

Page 46

[Chart: security incidents May–Dec 2012 by attack type (Spear Phishing, Physical Access, XSS). Size of circle estimates relative impact of incident in terms of cost to business.]

Page 47

[Chart: security incidents Jan–Jun 2013 across industries (banks, government, online services, telco, education, news & media, DNS providers and others) by attack type (Spear Phishing, Physical Access, Unknown). Size of circle estimates relative impact of incident in terms of cost to business.]

Page 48

More sophisticated attacks are multi-layer

Application | SSL | DNS | Network

Page 49

The business impact of DDoS

– Cost of corrective action

– Reputation management

Page 50

OWASP Top 3 Application Security Risks

1 – Injection: Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.

2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity.

3 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.

Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Page 51

The F5 Approach

Page 52

Full Proxy Security

Client / Server – Physical | Network | Session | Application | Web application

L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation

SSL inspection and SSL DDoS mitigation

HTTP proxy, HTTP DDoS and application security

Application health monitoring and performance anomaly detection

Page 53

The F5 Application Delivery Firewall – Bringing deep application fluency to firewall security

One platform: SSL inspection | Traffic management | DNS security | Access control | Application security | Network firewall | DDoS mitigation

EAL2+; EAL4+ (in process)

Page 54

Positive vs Negative

• Positive Security

- Known good traffic

- Permit only what is defined in the security policy (whitelisting).

- Block everything else

• Negative

- Known-bad traffic

- Pattern matching for malicious content using regular expressions.

• Policy enforcement is based on a Positive security logic

• Negative security logic is used to complement Positive logic.

Page 55

How Does It Work? Security at application, protocol and network level

Request made → Security policy checked → Enforcement (content scrubbing, application cloaking) → Server response → Security policy applied → Response delivered

Actions: Log, block, allow

BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.

Page 56

1 Start by checking RFC compliance

2 Then check for various length limits in the HTTP

3 Then we can enforce valid types for the application

4 Then we can enforce a list of valid URLs

5 Then we can check for a list of valid parameters

6 Then for each parameter we will check for max value length

7 Then scan each parameter, the URI, the headers

Sample request:

GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: 172.29.44.44\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n
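As an added example (not F5 code), the seven-step positive-security sequence above, with the regular-expression signature scan from the Positive vs Negative slide serving as step 7, modelled in Python against the sample request; the policy values, the signatures and the function names are constructed for illustration, and the sample request is re-typed with a few headers trimmed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed positive-security policy: only what is listed here is permitted.
POLICY = {
    "max_uri_len": 256,
    "max_header_len": 512,
    "max_headers": 20,
    "allowed_types": {"php", "html", "css", "js", ""},  # "" = no extension
    "urls": {                                         # URL -> param -> max value length
        "/search.php": {"q": 64, "name": 32},
        "/index.php": {},
    },
}

# Constructed negative-security signatures that complement the positive policy.
SIGNATURES = [
    ("sql-quote", re.compile(r"['\u2019\"].*(--|#|\bor\b|\bunion\b)", re.I)),
    ("xss-tag", re.compile(r"<\s*script", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):\s*(.*)$")


def parse_request(raw):
    """Split a raw request (CRLF or LF separated) into method, target and headers."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = []
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        h = HEADER_LINE.match(line)
        if not h:
            return None
        headers.append((h.group(1), h.group(2)))
    return {"method": m.group(1), "target": m.group(2), "headers": headers}


def check_request(raw, policy=POLICY):
    """Run the seven checks in order; return (step, reason) tuples, empty if clean."""
    violations = []
    req = parse_request(raw)
    # 1. RFC compliance: well-formed request line and headers, Host present.
    if req is None:
        return [(1, "malformed request line or header")]
    if not any(n.lower() == "host" for n, _ in req["headers"]):
        violations.append((1, "missing Host header"))
    # 2. Length limits on the URI, the header count and each header.
    if len(req["target"]) > policy["max_uri_len"]:
        violations.append((2, "URI too long"))
    if len(req["headers"]) > policy["max_headers"]:
        violations.append((2, "too many headers"))
    for name, value in req["headers"]:
        if len(name) + len(value) > policy["max_header_len"]:
            violations.append((2, f"header {name} too long"))
    # 3. File type: only extensions the application actually serves.
    parts = urlsplit(req["target"])
    last = parts.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    if ext not in policy["allowed_types"]:
        violations.append((3, f"file type .{ext} not allowed"))
    # 4. URL allow-list.
    url_policy = policy["urls"].get(parts.path)
    if url_policy is None:
        violations.append((4, f"URL {parts.path} not in policy"))
        url_policy = {}
    # 5. Parameter allow-list for that URL; 6. maximum value length per parameter.
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        if name not in url_policy:
            violations.append((5, f"parameter {name} not allowed on {parts.path}"))
        elif len(value) > url_policy[name]:
            violations.append((6, f"parameter {name} exceeds {url_policy[name]} chars"))
    # 7. Signature scan of every parameter value, the URI and the headers.
    surfaces = [("uri", req["target"])]
    surfaces += [(f"param:{n}", v) for n, v in params]
    surfaces += [(f"header:{n}", v) for n, v in req["headers"]]
    for where, text in surfaces:
        for sig_name, pattern in SIGNATURES:
            if pattern.search(text):
                violations.append((7, f"{sig_name} matched in {where}"))
    return violations


# The request on the slide, re-typed here as a constructed sample (some headers trimmed).
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme\u2019s&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for step, why in check_request(SAMPLE_REQUEST):
        print(f"step {step}: {why}")
```

On the slide's request the positive policy stops at step 5: `admin` is not a declared parameter of `/search.php`, so the request is rejected before any signature is consulted.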

Page 57

Automatic HTTP/S DOS Attack Detection and Protection

• Accurate detection technique – based on latency

• Three different mitigation techniques escalated serially

• Focus on higher value productivity while automatic controls intervene

Detect a DOS condition → Identify potential attackers → Drop only the attackers

Page 58

To Simplify: Application-Oriented Policies and Reports

Page 59

IP INTELLIGENCE

IP intelligence service – IP address feed updates every 5 min

Custom application | Financial application

Internally infected devices and servers

Geolocation database

Botnet | Attacker | Anonymous requests | Anonymous proxies | Scanner | Restricted region or country

Page 60

Built for intelligence, speed and scale

Users

– Concurrent user sessions: 100K

– Concurrent logins: 1,500/sec.

Throughput: 640 Gbps

Concurrent connections: 288 M

Connections per second: 8 M

SSL TPS (2K keys): 240K/sec

DNS query response: 10 M/sec

Resources

Page 61

Application Delivery Firewall – iRules extensibility everywhere

Products

Advanced Firewall Manager

• Stateful full-proxy firewall

• Flexible logging and reporting

• Native TCP, SSL and HTTP proxies

• Network and Session anti-DDoS

Access Policy Manager

• Dynamic, identity-based access control

• Simplified authentication infrastructure

• Endpoint security, secure remote access

Local Traffic Manager

• #1 application delivery controller

• Application fluency

• App-specific health monitoring

Application Security Manager

• Leading web application firewall

• PCI compliance

• Virtual patching for vulnerabilities

• HTTP anti-DDoS

• IP protection

Global Traffic Manager & DNSSEC

• Huge scale DNS solution

• Global server load balancing

• Signed DNS responses

• Offload DNS crypto

SSL inspection | Traffic management | DNS security | Access control | Application security | Network firewall | DDoS mitigation

Page 62: Vancouver   security road show master deck final


The F5 DDoS Protection

Reference Architecture

f5.com/architectures

Explore

Page 63: Vancouver   security road show master deck final


Summary

• Customers invest in network security, but most significant threats are at the application layer

• Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data

• A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges

• F5 Application Delivery Firewall brings together the traditional network firewall with application-centric security, and can understand the context of users, devices and access

Page 64: Vancouver   security road show master deck final
Page 65: Vancouver   security road show master deck final


BREAK

Page 66: Vancouver   security road show master deck final


SPLUNK

Page 67: Vancouver   security road show master deck final

Copyright © 2014 Splunk Inc.

Splunk for Security Intelligence

Page 68: Vancouver   security road show master deck final


Make machine data accessible, usable and valuable to everyone.

Page 69: Vancouver   security road show master deck final

The Accelerating Pace of Data


Volume | Velocity | Variety | Variability

GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops

Machine data is fastest growing, most complex, most valuable area of big data

Page 70: Vancouver   security road show master deck final

The Splunk Security Intelligence Platform (figure)

Security use cases: Forensic Investigation, Security Operations, Compliance, Fraud Detection

Platform: HA Indexes and Storage on Commodity Servers

Machine data sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID

Page 71: Vancouver   security road show master deck final

Rapid Ascent in the Gartner SIEM Magic Quadrant (chart: positions for 2011, 2012 and 2013)

Page 73: Vancouver   security road show master deck final

Over 2800 Global Security Customers


Page 75: Vancouver   security road show master deck final

Partner Ecosystem

What is the Value Add to Existing Customers?

Visibility and Correlation of Rich Data

Improved Security Posture

Configurable Dashboard Views

Page 76: Vancouver   security road show master deck final

All Data is Security Relevant = Big Data

Traditional SIEM sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication

Additional security-relevant data: Servers, Service Desk, Storage, Desktops, Email, Web, Call Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Industrial Control, Badges, Databases, Mobile

Page 77: Vancouver   security road show master deck final

Making Sound Security Decisions

Inputs: Log Data; Binary Data (flow and PCAP); Context Data; Threat Intelligence Feeds

Output: Security Decisions

Volume | Velocity | Variety | Variability

Page 78: Vancouver   security road show master deck final

Case #1 - Incident Investigation/Forensics

• Often initiated by alert in another product

• May be a “cold case” investigation requiring machine data going back months

• Need all the original data in one place and a fast way to search it to answer:

– What happened and was it a false positive?

– How did the threat get in, where have they gone, and did they steal any data?

– Has this occurred elsewhere in the past?

• Take results and turn them into a real-time search/alert if needed

(figure: fragments of raw machine data, e.g. syslog DHCPACK and mail-server lines such as client=unknown[99.120.205.249], host=85.196.82.110, "truncating integer value > 32 bits"; timeline January to April)

Page 79: Vancouver   security road show master deck final

Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20

Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:

20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts (highlighted in the slide: IP: 10.11.36.20)

Case #2 – Real-time Monitoring of Known Threats

Example Correlation – Data Loss

Sources (joined on Source IP):
• Intrusion Detection: Data Loss
• Endpoint Security: Malware Found
• Windows Authentication: Default Admin Account

Time Range: all three occurring within a 24-hour period
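The Case #2 correlation above, written out as an added Python example (not code from the deck or from Splunk): three sources are parsed into (source, Source IP, timestamp), and an IP is alerted on only when the IDS data-loss alert, the endpoint "Virus found" record and a built-in Administrator (RID 500) account record all fall inside one 24-hour window. The event lines are constructed for this example in the same shapes as the slide's samples; the year 2013 for the year-less syslog headers and the RID-500 test for "Default Admin Account" are assumptions.

```python
"""Case #2 correlation: three sources tied to one Source IP inside 24 hours.

Added example (not from the deck or from Splunk). The events below are
constructed for this example in the same shapes as the slide's samples:
a Snort alert, a Symantec 'Virus found' record and a WMI UserAccounts
record for the built-in Administrator (RID 500).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2013  # syslog headers carry no year; assumed to match the deck's data

EVENTS = [
    "Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: "
    "[1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:",
    "Aug 08 06:09:13 acmesep01.acmetech.com SymantecServer acmesep01: Virus found,Computer name: ACME-002,"
    "Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,Actual action: Quarantined,User: smithe,Source IP: 10.11.36.20",
    "20130808041221.000000 Caption=ACME-2975EB\\Administrator Domain=ACME-2975EB LocalAccount=True "
    "Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 Status=Degraded IP=10.11.36.20 wmi_type=UserAccounts",
    # Decoy host: IDS and AV hits on Aug 08, but its Administrator record is from Aug 05 (outside the window)
    "Aug 08 09:00:00 snort.acmetech.com {TCP} 10.11.36.31:51022 -> 10.11.36.26:443 itsec snort[18774]: "
    "[1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:",
    "Aug 08 10:15:00 acmesep01.acmetech.com SymantecServer acmesep01: Virus found,Computer name: ACME-007,"
    "Source: Real Time Scan,Risk name: Trojan.Gen,Occurrences: 1,Actual action: Quarantined,User: jdoe,Source IP: 10.11.36.31",
    "20130805020000.000000 Caption=ACME-3101AA\\Administrator Domain=ACME-3101AA LocalAccount=True "
    "Name=Administrator SID=S-1-5-21-2233445566-1122334455-998877665-500 Status=OK IP=10.11.36.31 wmi_type=UserAccounts",
]

SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) ")
WMI_TS = re.compile(r"^(?P<ts>\d{14})\.\d+")
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# (source name, line selector, where the source IP sits in that source's format)
SOURCES = [
    ("ids", re.compile(r"snort\[\d+\]: .*\[Classification:"), re.compile(r"\{TCP\} " + IP + r":\d+ ->")),
    ("endpoint", re.compile(r"Virus found"), re.compile(r"Source IP: " + IP)),
    ("winauth", re.compile(r"wmi_type=UserAccounts"), re.compile(r"\bIP=" + IP)),
]
BUILTIN_ADMIN = re.compile(r"SID=S-1-5-21-[\d-]+-500\b")  # RID 500 = built-in Administrator


def parse(line):
    """Return (source, ip, timestamp) for a recognised line, else None."""
    if m := SYSLOG_TS.match(line):
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    elif m := WMI_TS.match(line):
        ts = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
    else:
        return None
    for source, selector, ip_re in SOURCES:
        if not selector.search(line):
            continue
        if source == "winauth" and not BUILTIN_ADMIN.search(line):
            return None  # some other local account; not the "Default Admin Account" condition
        if ip_m := ip_re.search(line):
            return source, ip_m["ip"], ts
    return None


def correlate(lines, window=timedelta(hours=24)):
    """Map each Source IP to the window in which all three sources fired."""
    seen = defaultdict(lambda: defaultdict(list))  # ip -> source -> [timestamps]
    for line in lines:
        if parsed := parse(line):
            source, ip, ts = parsed
            seen[ip][source].append(ts)
    hits = {}
    for ip, per_source in seen.items():
        if len(per_source) < len(SOURCES):
            continue  # a source never fired for this IP
        # Try each observed timestamp as the start of the window.
        for start in sorted(t for stamps in per_source.values() for t in stamps):
            end = start + window
            if all(any(start <= t <= end for t in stamps) for stamps in per_source.values()):
                hits[ip] = (start, end)
                break
    return hits


if __name__ == "__main__":
    for ip, (start, end) in correlate(EVENTS).items():
        print(f"ALERT data-loss pattern from {ip}: all three sources between {start} and {end}")
```

Only 10.11.36.20 is alerted on: the decoy 10.11.36.31 has all three sources, but its Administrator record is three days older than its IDS and AV hits, so no 24-hour window covers all of them. In a SIEM the same rule is a scheduled search whose output is a notable event; the window check is the part that separates "three unrelated facts about a host" from a sequence worth an analyst's time.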

Page 80: Vancouver   security road show master deck final

2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. " pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers Print\Providers\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""

2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected] , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z

Case #3 – Real-time Monitoring of Unknown Threats

Example Correlation – Spearphishing

Sources (joined on User Name):
• Email Server: rarely seen email domain
• Web Proxy: rarely visited web site
• Endpoint Logs: rarely seen service

Time Range: all three occurring within a 24-hour period
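The Case #3 correlation above differs from Case #2 in that nothing is on a blocklist: each source contributes a value that is merely rare against a historical baseline, and the three rare values are joined on User Name within 24 hours. The following added Python example (not code from the deck or from Splunk) shows that logic end to end. The log lines are constructed in simplified versions of the slide's proxy, endpoint-registry and Exchange message-tracking formats, and the baseline counts and the "fewer than 5 sightings" threshold are assumptions.

```python
"""Case #3 correlation: rarely seen values from three sources, joined on User Name
inside 24 hours.

Added example (not from the deck or from Splunk). Log lines and the baseline
counts are constructed; the line formats are simplified versions of the
slide's proxy, endpoint-registry and Exchange message-tracking samples.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed 30-day baseline: how often each value has been seen per source.
BASELINE = {
    "proxy": Counter({"www.acmetech.com": 1800, "mail.google.com": 950, "cdn.example.net": 420}),
    "endpoint": Counter({"explorer.exe": 5000, "outlook.exe": 3100, "chrome.exe": 2700}),
    "email": Counter({"acmetech.com": 9000, "partner.example": 310, "gmail.com": 120}),
}
RARE_BELOW = 5  # a value seen fewer than this many times is "rarely seen"

EVENTS = [
    # user jdoe: unknown sender domain, never-visited site, never-run binary, all within hours
    "2013-08-09T12:40:25Z,DELIVER,payroll@never-seen-domain.example,jdoe@acmetech.com,Please open this attachment with payroll information",
    "2013-08-09 16:21:38 10.11.36.29 jdoe GET www.neverbeenseenbefore.com 200",
    '08/09/2013 16:23:51 user="jdoe" process_image="C:\\Windows\\System32\\neverseenbefore.exe" registry_type="CreateKey"',
    # user asmith: only well-known values, must not fire
    "2013-08-09T13:02:10Z,DELIVER,hr@acmetech.com,asmith@acmetech.com,Benefits enrollment reminder",
    "2013-08-09 13:10:00 10.11.36.40 asmith GET www.acmetech.com 200",
    '08/09/2013 13:12:00 user="asmith" process_image="C:\\Windows\\explorer.exe" registry_type="CreateKey"',
]

PROXY = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<user>\S+) \S+ (?P<host>\S+) \d+$")
ENDPOINT = re.compile(r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) user="(?P<user>[^"]+)" process_image="(?P<image>[^"]+)"')
EMAIL = re.compile(r"^(?P<ts>\S+),DELIVER,(?P<sender>[^,]+),(?P<rcpt>[^,]+),")


def parse(line):
    """Return (source, user, value, timestamp); the value is what rarity is judged on."""
    if m := PROXY.match(line):
        return "proxy", m["user"], m["host"].lower(), datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    if m := ENDPOINT.match(line):
        image = m["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()  # basename only
        return "endpoint", m["user"], image, datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
    if m := EMAIL.match(line):
        user = m["rcpt"].split("@", 1)[0]                # recipient's account name
        domain = m["sender"].rsplit("@", 1)[-1].lower()   # sender's domain
        return "email", user, domain, datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return None


def is_rare(source, value):
    return BASELINE[source][value] < RARE_BELOW


def rare_triples(lines, window=timedelta(hours=24)):
    """Users with a rare value from every source inside one window: user -> events."""
    per_user = defaultdict(list)
    for line in lines:
        if (p := parse(line)) and is_rare(p[0], p[2]):
            source, user, value, ts = p
            per_user[user].append((ts, source, value))
    hits = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            inside = [e for e in events[i:] if e[0] - start <= window]
            if {e[1] for e in inside} == set(BASELINE):
                hits[user] = inside
                break
    return hits


if __name__ == "__main__":
    for user, events in rare_triples(EVENTS).items():
        print(f"ALERT possible spearphishing chain for {user}:")
        for ts, source, value in events:
            print(f"  {ts}  {source:8s} {value}")
```

The baseline is what makes this a detection for unknown threats: no indicator is needed, only the fact that a sender domain, a web site and a process name have each been seen almost never before and all attach to the same user within a day. In production the counters would be maintained from the same data over a rolling period, and the threshold tuned so that a handful of genuinely new but benign values per day does not fire on its own.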

Page 81: Vancouver   security road show master deck final

$500k Security ROI @ Interac

• Challenges: Manual, costly processes
– Significant people and days/weeks required for incident investigations. $10k+ per week.
– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive

• Enter Splunk: Fast investigations and stronger security
– Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
– Splunk reduced investigation time to hours. Reports can be created in minutes.
– Real-time correlations and alerting enables fast response to known and unknown threats
– ROI quantified at $500k a year. Splunk TCO is less than 10% of this.

“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.”
Josh Diakun, Security Specialist, Information Security Operations

Page 82: Vancouver   security road show master deck final

Replacing a SIEM @ Cisco

• Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize with reliance on pre-built rules which generated false positives

• Enter Splunk: Flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered team
– 900 GB/day and searches take < minute. 7 global data centers with 350TB stored data
– Estimate Splunk is 25% the cost of a traditional SIEM

“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.”
Gavin Reid, Leader, Cisco Computer Security Incident Response Team

Page 83: Vancouver   security road show master deck final

Security and Compliance @ Barclays

• Challenges: Unable to meet demands of auditors
– Scale issues, hard to get data in, and impossible to get data out beyond summaries
– Not optimized for unplanned questions or historical searches
– Struggled to comply with global internal and external mandates, and to detect APTs
– Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting

• Enter Splunk: Stronger security and compliance posture
– Fines avoided as searches easily turned into visualizations for compliance reporting
– Faster investigations, threat alerting, better risk measurement, enrichment of old data
– Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
– Other teams using Splunk for non-security use cases improves ROI

“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.”
Stephen Gailey, Head of Security Services

Page 84: Vancouver   security road show master deck final

Splunk Key Differentiators

Splunk vs. Traditional SIEM

• Single product, UI, data store

• Software-only; install on commodity hardware

• Quick deployment + ease-of-use = fast time-to-value

• Can easily index any data type

• All original/raw data indexed and searchable

• Big data architecture enables scale and speed

• Flexible search and reporting enables better/faster threat investigations and detection, incl finding outliers/anomalies

• Open platform with API, SDKs, Apps

• Use cases beyond security/compliance

Page 85: Vancouver   security road show master deck final

For your own AHA! Moment

Reach out to your Scalar and Splunk team for a demo

Thank you!

Page 86: Vancouver   security road show master deck final


INFOBLOX

Page 87: Vancouver   security road show master deck final

Are you prepared to withstand DNS attacks?

Ed O’Connell, Senior Product Marketing Manager

Page 88: Vancouver   security road show master deck final


Securing the DNS Platform

Defending Against DNS Attacks

Preventing Malware from using DNS

DNS Security Challenges

Infoblox Overview

Page 89: Vancouver   security road show master deck final

Founded in 1999; headquartered in Santa Clara, CA, with global operations in 25 countries

Leader in technology for network control

Market leadership
• Gartner “Strong Positive” rating
• 40%+ Market Share (DDI)
• 6,900+ customers, 64,000+ systems shipped
• 38 patents, 25 pending
• IPO April 2012: NYSE BLOX

Total Revenue ($MM, Fiscal Year Ending July 31)
FY2007: $35.0 | FY2008: $56.0 | FY2009: $61.7 | FY2010: $102.2 | FY2011: $132.8 | FY2012: $169.2 | FY2013: $225.0

Page 90: Vancouver   security road show master deck final

(figure: Infoblox Grid™ with Real-time Network Database as the control plane, providing historical / real-time reporting & control across Infrastructure Security; Network Infrastructure: firewalls, switches, routers, web proxy, load balancers; Apps & End-points: end points, virtual machines, private cloud, applications)

Page 91: Vancouver   security road show master deck final

DNS is the cornerstone of the Internet, used by every business/government

DNS as a protocol is easy to exploit

DNS outage = business downtime

Traditional protection is ineffective against evolving threats

Page 92: Vancouver   security road show master deck final

1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS

Page 93: Vancouver   security road show master deck final


Infoblox Advanced DNS Protection

Defend Against DNS Attacks

Infoblox DNS Firewall

Prevents Malware/APT from Using DNS

Hardened Appliance & OS

Secure the DNS Platform


Page 95: Vancouver   security road show master deck final


Page 96: Vancouver   security road show master deck final

(figure label: Multiple Open Ports)

– Many open ports subject to attack
– Users have OS-level account privileges on server
– No visibility into good vs. bad traffic
– Requires time-consuming manual updates
– Requires multiple applications for device management

Page 97: Vancouver   security road show master deck final

• Minimal attack surfaces
• Active/Active HA & DR recovery
• Tested & certified to highest industry standards
• Secure inter-appliance communication
• Centralized management with role-based control
• Secured access, communication & API
• Detailed audit logging
• Fast/easy upgrades

Page 98: Vancouver   security road show master deck final


No scripts / Auto-Resigning / 1-click

Central configuration of all DNSSEC parameters

Automatic maintenance of signed zones

Page 99: Vancouver   security road show master deck final


Infoblox DNS Firewall

Prevents Malware/APT from Using DNS

Hardened Appliance & OS

Secure the DNS Platform

Infoblox Advanced DNS Protection

Defend Against DNS Attacks

Page 100: Vancouver   security road show master deck final

Attack vectors by type (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013)
• UDP FRAGMENT: 17.11%
• SYN: 14.56%
• UDP FLOODS: 13.15%
• ICMP: 9.71%
• DNS: 9.58%
• CHARGEN: 6.39%
• ACK: 2.81%
• RESET: 1.4%
• FIN PUSH: 1.28%
• SYN PUSH: 0.38%
• RP: 0.26%
• TCP FRAGMENT: 0.13%

~ 10% of infrastructure attacks targeted DNS

Application layer attacks seen by survey respondents (Source: Arbor Networks)
• HTTP: 82%
• DNS: 77%
• HTTPS: 54%
• SMTP: 25%
• SIP/VOIP: 20%
• IRC: 6%
• Other: 9%

~ 80% of organizations surveyed experienced application layer attacks on DNS

Page 101: Vancouver   security road show master deck final

Distributed Reflection DoS Attack (DrDoS)

How the attack works
• Combines Reflection and Amplification
• Uses third-party open resolvers in the Internet (unwitting accomplices)
• Attacker sends small spoofed packets to the open recursive servers, requesting a large amount of data to be sent to the victim’s IP address
• Uses multiple such open resolvers, often thousands of servers
• Queries specially crafted to result in a very large response
• Causes DDoS on the victim’s server

(figure: Attacker, via open resolvers on the Internet, to Target Victim)
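From the operator's side, the pattern described above shows up in the server's own query log as a burst of small queries, apparently from one address, whose answers are many times larger than the questions. The added Python example below (not code from the deck or from Infoblox) flags such a "client" as a likely spoofed victim and then applies response rate limiting, the mitigation resolvers use: once a (client, name) pair exceeds a per-second budget, further answers go out truncated so that a genuine client retries over TCP while a spoofed source gets almost nothing reflected at it. The query log, the thresholds and the per-second budget are constructed assumptions for this example.

```python
"""Spotting reflection/amplification abuse in a DNS server's query log and
applying response rate limiting (RRL).

Added example, not from the deck or from Infoblox. The query log is constructed:
one victim address appears as the "client" of a burst of ANY queries whose
responses are 50x the request size, next to a handful of ordinary resolvers.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    ts: float        # seconds since start of capture
    client: str      # source address of the query (the spoofed victim in a DrDoS)
    qname: str
    qtype: str
    req_bytes: int   # size of the query packet
    resp_bytes: int  # size of the response the server would send


def build_log():
    """Constructed log: 200 ANY queries/sec for 3 s from one address, plus normal traffic."""
    log = [Query(i / 200.0, "203.0.113.7", "example.com", "ANY", 64, 3200) for i in range(600)]
    for i in range(30):
        log.append(Query(i * 0.1, f"198.51.100.{10 + i % 5}", "www.example.com", "A", 60, 90))
    return sorted(log, key=lambda q: q.ts)


def find_reflection_targets(log, min_queries=100, min_amplification=10.0, window=1.0):
    """Clients sent >= min_queries responses within `window` seconds whose total
    response/request byte ratio is >= min_amplification. Such a 'client' is most
    likely a victim whose address is being spoofed."""
    by_client = defaultdict(list)
    for q in log:
        by_client[q.client].append(q)
    flagged = {}
    for client, qs in by_client.items():
        qs.sort(key=lambda q: q.ts)
        lo = 0
        for hi in range(len(qs)):
            while qs[hi].ts - qs[lo].ts > window:
                lo += 1
            span = qs[lo:hi + 1]
            if len(span) < min_queries:
                continue
            amp = sum(q.resp_bytes for q in span) / sum(q.req_bytes for q in span)
            if amp >= min_amplification:
                flagged[client] = {
                    "queries": len(span),
                    "amplification": round(amp, 1),
                    "any_share": sum(q.qtype == "ANY" for q in span) / len(span),
                }
                break
    return flagged


def rate_limit(log, responses_per_sec=5):
    """Response rate limiting per (client, qname, second): answers beyond the budget
    are sent truncated (TC=1) instead of in full. A real resolver retries over TCP,
    which a spoofed source cannot complete, so the reflected volume collapses.
    Returns (full_responses, truncated_responses, bytes_not_reflected)."""
    buckets = defaultdict(int)
    full = truncated = saved = 0
    for q in log:
        key = (q.client, q.qname, int(q.ts))
        buckets[key] += 1
        if buckets[key] <= responses_per_sec:
            full += 1
        else:
            truncated += 1
            saved += q.resp_bytes - q.req_bytes  # a TC reply is about the size of the query
    return full, truncated, saved


if __name__ == "__main__":
    log = build_log()
    for client, stats in find_reflection_targets(log).items():
        print(f"possible reflection victim {client}: {stats}")
    print("RRL full/truncated/bytes saved:", rate_limit(log))
```

On the constructed log only 203.0.113.7 is flagged (amplification 50, every query an ANY), and rate limiting turns 585 of its 600 full answers into truncated ones while the five ordinary resolvers, which never exceed two queries per second, are answered in full. The detection is worth running even on a server that is not an open resolver: an authoritative server reflects too, which is why the slide's "open resolver" caveat and rate limiting go together.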

Page 102: Vancouver   security road show master deck final

(figure: Infoblox Advanced DNS Protection on external and internal DNS; the Infoblox Threat-rule Server pushes automatic updates; legitimate traffic passes while DNS attacks are blocked; data for reports goes to a Reporting Server, which reports on attack types and severity)

Page 103: Vancouver   security road show master deck final

• DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
• DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
• DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
• TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
• DNS cache poisoning: Corruption of the DNS cache data with a rogue address
• Protocol anomalies: Causing the server to crash by sending malformed packets and queries
• Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
• DNS tunneling: Tunneling of another protocol through DNS for data exfiltration

Page 104: Vancouver   security road show master deck final

(figure: deployment topology. External: Advanced DNS Protection appliances in the DMZ facing the Internet, with Grid Master and Candidate (HA). Internal: Advanced DNS Protection appliances serving datacenter and campus/regional intranet endpoints, with Grid Master and Candidate (HA).)

Page 105: Vancouver   security road show master deck final


Hardened Appliance & OS

Secure the DNS Platform

Infoblox Advanced DNS Protection

Defend Against DNS Attacks

Infoblox DNS Firewall

Prevents Malware/APT from Using DNS

Page 106: Vancouver   security road show master deck final


Page 107: Vancouver   security road show master deck final


Cryptolocker “Ransomware”

Targets Windows-based computers

Appears as an attachment to legitimate looking email

Upon infection, encrypts files: local hard drive & mapped network drives

Ransom: 72 hours to pay $300US

Fail to pay and the encryption key is deleted and data is gone forever

Only way to stop (after executable has started) is to block outbound connection to encryption server

Page 108: Vancouver   security road show master deck final

(figure: DNS Firewall workflow)

1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find “home” (botnet / C&C). Malware / APT spreads within the network; calls home.
3. Detect & Disrupt: DNS Firewall detects & blocks the DNS query to the malicious domain. Blocked attempt sent to Syslog.
4. Pinpoint: Infoblox Reporting lists blocked attempts as well as the:
• IP address
• MAC address
• Device type (DHCP fingerprint)
• Host name
• DHCP lease history

DNS Firewall is updated every 2 hours with blocking information from the Infoblox DNS Firewall Subscription Svc (Infoblox Malware Data Feed Service: IPs, domains, etc. of bad servers)

(figure labels: Internet, Intranet, Malicious domains, Infoblox DDI with DNS Firewall, Malware / APT)
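The detect, disrupt and pinpoint steps above, and the Cryptolocker point two slides earlier that the only stop after execution is blocking the outbound connection to the encryption server, come down to one mechanism: a DNS policy zone. The added Python example below (not code from the deck or from Infoblox) shows a minimal RPZ-style firewall: listed domains and their subdomains are answered with NXDOMAIN or a walled-garden address, every blocked attempt is written to a syslog-style line carrying the client's IP, MAC, host name and DHCP fingerprint, and a report function rolls those lines up per device. The threat feed, the DHCP lease table, the policy actions and the queries are all constructed for this example.

```python
"""RPZ-style DNS firewall: block lookups of feed-listed domains, log each blocked
attempt with the client's DHCP details, and summarise blocked attempts per device.

Added example, not from the deck or from Infoblox. The threat feed, the DHCP
lease table and the queries are all constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed feed: domain -> policy action. Real feeds refresh on a schedule
# (the deck says every 2 hours); this one is static.
FEED = {
    "c2-node.example": "nxdomain",            # answer NXDOMAIN
    "badfeed.example": "nxdomain",
    "walled.example": "redirect:10.0.0.250",  # answer with a walled-garden address
}

# Constructed DHCP lease table used to pinpoint the device behind a client IP.
LEASES = {
    "10.0.5.23": {"mac": "00:1a:2b:3c:4d:5e", "host": "LAPTOP-042", "fingerprint": "Windows 7"},
    "10.0.5.77": {"mac": "00:1a:2b:aa:bb:cc", "host": "PHONE-019", "fingerprint": "Android"},
}


def policy_for(qname):
    """Return (matched_rule, action) for qname or any parent domain in the feed
    (RPZ wildcard semantics: listing c2-node.example also covers its subdomains)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in FEED:
            return candidate, FEED[candidate]
    return None


def resolve(client_ip, qname, now, syslog):
    """Apply the policy to one query. Blocked attempts are appended to `syslog`
    as one line carrying the client's IP, MAC, host name and DHCP fingerprint."""
    hit = policy_for(qname)
    if hit is None:
        return "ALLOW", None
    rule, action = hit
    lease = LEASES.get(client_ip, {})
    syslog.append(
        f"{now.isoformat()} dns-firewall: client {client_ip} "
        f"mac={lease.get('mac', '?')} host={lease.get('host', '?')} "
        f"type={lease.get('fingerprint', '?')!r} qname={qname} rule={rule} action={action}"
    )
    return "BLOCK", action


LOG_RE = re.compile(
    r"client (?P<ip>\S+) mac=(?P<mac>\S+) host=(?P<host>\S+) type='(?P<type>[^']*)' "
    r"qname=(?P<qname>\S+) rule=(?P<rule>\S+) action=(?P<action>\S+)$"
)


def report(syslog):
    """Pinpoint: blocked attempts per client with device details and rules hit."""
    summary = defaultdict(lambda: {"mac": "?", "host": "?", "count": 0, "rules": set()})
    for line in syslog:
        if m := LOG_RE.search(line):
            entry = summary[m["ip"]]
            entry["mac"], entry["host"] = m["mac"], m["host"]
            entry["count"] += 1
            entry["rules"].add(m["rule"])
    return dict(summary)


def simulate():
    """Run a few constructed queries through the firewall; returns (results, syslog)."""
    syslog = []
    now = datetime(2014, 5, 1, 9, 0, tzinfo=timezone.utc)
    queries = [
        ("10.0.5.23", "www.example.com"),         # not listed: allowed
        ("10.0.5.23", "update.c2-node.example"),  # subdomain of a listed C&C domain
        ("10.0.5.23", "c2-node.example"),
        ("10.0.5.77", "badfeed.example"),
        ("10.0.5.99", "walled.example"),          # client with no lease on record
    ]
    results = [resolve(ip, name, now, syslog) for ip, name in queries]
    return results, syslog


if __name__ == "__main__":
    results, syslog = simulate()
    print("\n".join(syslog))
    for ip, entry in report(syslog).items():
        print(ip, entry)
```

Two details carry the operational value. The parent-domain walk in policy_for is what lets a single feed entry cover the throwaway subdomains malware generates, and the lease lookup at block time, rather than at report time, is what keeps the MAC and host name correct for a device whose IP has since been handed to someone else; the 10.0.5.99 query shows what the report looks like when no lease is on record.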

Page 109: Vancouver   security road show master deck final

(figure: DNS Firewall with FireEye integration)

1. Detect: FireEye NX Series detonates and detects malware (an endpoint attempting to download an infected file); FireEye detects APT, alerts are sent to Infoblox.
2. Disrupt: Infoblox DNS Firewall disrupts malware DNS communication.
3. Pinpoint: Infoblox Reporting provides list of blocked attempts as well as the
• IP address
• MAC address
• Device type (DHCP fingerprint)
• DHCP Lease (on/off network)
• Host Name

(figure labels: Internet, Intranet, Malicious Domains, Infoblox DDI with DNS Firewall, Blocked attempt sent to Syslog, Malware, Alerts)

Page 110: Vancouver   security road show master deck final

• Fast Flux: Rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
• APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)
• DNS Hacking: Hacking DNS registry(s) & re-directing users to malicious domain(s)
• Geo-Blocking: Blocking access to geographies that have rates of malicious domains or Economic Sanctions by US Government

Page 111: Vancouver   security road show master deck final

DNS is the cornerstone of the Internet

Unprotected DNS infrastructure introduces security risks

Secure DNS Solution protects critical DNS services

Infoblox Advanced DNS Protection

Defend Against DNS Attacks

Infoblox DNS Firewall

Prevents Malware/APT from Using DNS

Hardened Appliance & OS

Secure the DNS Platform

Page 112: Vancouver   security road show master deck final


Thank you!

For more information

www.infoblox.com

Page 113: Vancouver   security road show master deck final


Why Scalar for Security?

Page 114: Vancouver   security road show master deck final


The Issues

Integration of Security

Technologies

Staffing

Vulnerabilities

Advanced threats

Page 115: Vancouver   security road show master deck final

The Issues

Integration of Security Technologies is Challenging
– Multiple formats of data
– Data timing issues
– Different types of security controls
– Other data types

Page 116: Vancouver   security road show master deck final

The Issues

InfoSecurity Staff
– Different skills requirements
  – Architects
  – Malware Handling
  – Forensics
  – Vulnerability
  – Incident Management
  – Risk and Compliance
– HR Costs
  – Premium technical personnel
  – Analysts, Specialists
  – Training and certification

Page 117: Vancouver   security road show master deck final

The Issues

Vulnerabilities
– Regular scheduled disclosures
– Large volumes of ad-hoc patches
– Many undisclosed zero days
– Remediation is a continuous process

Page 118: Vancouver   security road show master deck final

The Issues

Advanced Threats
– Advanced Persistent Threats
– Embedded threats

Who?
– State sponsored
– Hacktivism
– Hackers
– Organized crime

Page 119: Vancouver   security road show master deck final

How to Secure It

State-of-the-art Security Technologies

Skills on Demand
– Continuous Tuning of Rules and Filters
– Cyber Intelligence, Advanced Analytics
– Cyber Incident Response
– Code Review, Vulnerability and Assessment Testing

Page 120: Vancouver   security road show master deck final


WRAP/QUESTIONS?

Page 121: Vancouver   security road show master deck final


THANK YOU.