The lessons we can take from the incredible Ghost Army underscore the need for new methods of preventing attackers. A recent study tested 40 anti-virus programs, and showed that out of 80 new viruses tested, only 5% were detected. How many of you would feel protected knowing your defense has a 95% failure rate? Perhaps in deception there is a better path forward?
As we discussed earlier, each successful exploit has three parts – the attacker, the threat type, and the target – and we continue to see change in each.
Attacker - In 2005, we saw a shift begin from attackers wanting notoriety to attackers wanting profitability. Today, cybercrime is fully organized and we see crime syndicates out to profit from attacks. These attackers are now well funded, use sophisticated and purpose-built tools and target organizations purely for profit. While this is nothing new, what we are seeing today is a move to attack not only “.gov/.com” but also “.me/.you”. Attackers are becoming increasingly sophisticated and are profiling not only companies but also individuals. They understand that we all have online identities but also “physical profiles” or “connection points” where we connect to the internet from a variety of places: work, internet café, airport lounge, home. They have realized that our security defenses are often down or weak at some of these connection points, and that penetrating individuals’ devices can work quite well outside of the workplace. If you can infect a business user at an internet café and then have them walk that device into the enterprise, you can infiltrate the enterprise infrastructure and bypass many of the defenses that are in place today. Attackers understand this and have adapted their behavior.
Threat - The threat landscape is also undergoing a change, both in the types of attacks and in the sophistication and maturation of existing attacks. As expected, we continue to see new types of attacks designed to bypass the latest technologies that enterprises deploy. Historically, the first large virus outbreak was on the Apple II in 1981. Since then there have been many well-documented outbreaks, including the “ILOVEYOU” worm in 2000, SQL Slammer and the Blaster worm in 2003, and countless worms, trojans and other forms of malware. Today, DoS has given way to DDoS, and newer threats such as rootkits and botnets have taken hold.
The most recent threat is APT, which is not only a new type of threat but also a new way to profile and attack networks, systems and organizations. While we see new types of attacks, we also see the morphing of existing attack types. As an example, a few years ago the majority of malware was in cleartext, which could often be detected by AV or IDP solutions. Today over 80% of malware uses encryption, compression or file packing to bypass traditional AV or IDP technologies.
Target - Finally, we also see significant changes in attack targets. Over the past few years there has been an explosion in the devices that attackers target, ranging from smartphones to tablets to cloud services. What is particularly interesting about these new targets is the variation in the architecture of these platforms, which ranges from more secure platforms such as the iPhone to more open platforms such as the Android OS. The other primary change we see is in the types of applications being attacked. Historically, most attacks have focused on traditional corporate application servers and productivity applications such as Office. Today, we have seen a significant shift to Web 2.0-type applications and social networking apps, where attackers take advantage of the trusted relationship that is built amongst online users. They understand that online users have a real tendency to trust links that other users send within these applications, and have used this vector as a target for malware.
Transition: The challenge for enterprises today is how to address new and emerging threats in a way that is both scalable and does not significantly drive up cost.
We start with a strong foundational technology that combines access control (our policy engine, Junos Pulse Secure Control Service) with advanced protection (perimeter protection from SRX Series Gateways). These technologies were designed with the same performance and scalability as our portfolio of switches and routers. Our heritage as a carrier-grade networking company influenced our security architecture. This foundation supports an extensive ecosystem in a consistent way:
First, easy access. A strong policy engine that provides context-aware policies for access and communication. This gives us broad coverage for any kind of device, so we can make automated access decisions based on who, what, where, when and how they are logging on.
Integrates with AD/LDAP or other directory stores
Endpoint profiling and behavior monitoring offer additional security for unmanaged endpoints
Second, advanced protection from modern attacks, which provides consistent policies for physical, virtual, on- and off-premises
Goes beyond IP- or signature-based security, which has become too easy for criminals to work around
We have a range of capabilities that leverage this central foundation, delivering better economics and a simpler, integrated approach.
Juniper’s data center solution is unique. Not only do we provide an incredible range of high-performance security gateways and firewalls, we provide virtual firewalls, threat intelligence, web app protection and DDoS protection.
High performance firewalls:
Leading high-end firewall; proven datacenter scale; integration with WebApp Secure
Scales to 200 (soon 300) GB/s, with capacity over 100 million sessions
Linear, incremental scaling: reduces forklift upgrades
In-service scaling: no down time, no business disruption for upgrades or capacity scaling
Software-based pricing (FY 14)
Juniper virtual firewalls are the first purpose-built virtual firewalls, designed to minimize the performance issues found in VLANs and other virtual solutions. 10x the performance of other solutions; tested at around 32GB/s on a VM running 36GB/s.
Binds and travels with the workload
Protects each VM instance from others that share the hypervisor (east-west) with micro-perimeters
Smart Groups ensure that no VMs are deployed without some level of protection.
Juniper is the first and only company to provide Intrusion Deception technology, designed to stop an attack at the earliest possible stage – the reconnaissance stage. Earlier I mentioned that most attacks aren’t even noticed until weeks or months after the damage is done. With our technology, we change that dynamic: we get more offensive, and we take the economic incentive away from the attacker. This is our WebApp Secure technology. Worth a deep dive session on its own.
Our DDoS prevention capabilities also stop attacks earlier, by employing a sophisticated behavioral analysis technology that can detect and divert network- and app-level DDoS attacks.
And across all of this environment, our SIEM capability lets you monitor for emerging threats, finding and correlating events so that you see emerging threats.
Similarly in the cloud, where virtualization is de rigueur, many of these capabilities are the same. We emphasize that zones and segmentation policies can be shared across physical and virtual environments, and our incredible performance metrics are enabled by the fact that we purpose-built our virtual solution – most of the competition has tried to retrofit traditional firewall technology. We wanted to make sure that VM policies had certain characteristics that match the pace of VMs, and the sometimes confusing ownership and control over them. For example, since you might have a lot of developers spinning up VMs, and they might not otherwise implement security controls, we have a feature called “Smart Groups” that assures VM policy containment as a default for any VM detected on the network. Our introspection capabilities ensure that policies are appropriate to the workload, because we can see into the workload type and configuration.
Policies bind and travel with each VM
Intra-VM protection
In the single greatest battle fought during World War 2, not a single shot was fired. It was 1943, and the war was well under way as American, British and Canadian troops were amassing in the UK in preparation for an attack into Northern Europe. The Germans knew an attack was imminent and began to prepare troops to defend. The intelligence and troop buildups said the attack was likely going to happen at the narrowest point on the English Channel, the Port of Calais. Unfortunately, the English Channel was the site of many failed crossings in history, including the Spanish Armada and Napoleon Bonaparte’s navy. The Allies were going to have to be perfect. On June 9th Hitler himself ordered his troops to stay at Calais, and even diverted troops heading for another potential site called Normandy to further reinforce Calais. Why did he send the troops to Calais?
They believed there were upwards of 50,000 soldiers on the other side of the Channel about to descend on Calais. What the Germans didn’t realize, though, is that they were fighting against a very different enemy. The greatest deception in history. This is an M4 Sherman tank, which weighs over 66,000 pounds, being carried by four men across the battlefield. No, these are not supermen built in a lab somewhere; these are four artists carrying a 93-pound rubber inflatable tank to the next spot in the “battle”.
The second story I want to share with you is about the challenge of tracking and identifying.
You are looking at a picture of what could be described as the very first mug shot. This is Alphonse Bertillon, a Frenchman whose concern about how hard it would be to record and track fingerprints led him to invent an alternative method. A type of anthropometry, the Bertillon method used 11 measurements of the body, including skull diameter and the length of the left arm from elbow to middle finger. It was a bit labor-intensive to sift through Bertillon measurements trying to find your bad guy. But… Bertillon’s math claimed incredible odds of better than 286 million to one against a duplicate. Remember, in 1878 there were only about 1.5 billion people in the world, so this was pretty good. Bertillon became famous for successfully identifying criminals using his new method, ended up heading the Paris Police Identification Bureau, and his system began to be used around the world. So why don’t any of you know Bertillon?
There, that’s better… because this was a case of two Will Wests. You are looking at two men, Will West and William West, who have similar features, are dressed similarly, have nearly the same name… and have IDENTICAL Bertillon measurements. Identical. William West was immediately pulled from his cell, and both men were brought into the same room. That was the beginning of the end of the Bertillon method. In Bertillon, there is a lesson that the IT security industry has yet to learn: relying on unspecific data to chase bad actors will never prevent attacks.
I can rent a 100,000-node botnet located in any country for a few hundred dollars over the Internet. The hackers are so convenient they even take PayPal. Plus, most companies and ISPs run proxy servers, so tens of thousands of users are often behind a single IP address. What’s the point of building databases around an unreliable and unspecific identifier?
Los Angeles not only has the worst traffic imaginable, but also has 1.7 million fingerprints on file. 1.7 million… imagine what it would take to sort through those cards manually trying to match a pair of fingerprints left at a crime scene. It would take roughly sixty-seven years to find a single one. If you are looking for a serial killer, they’ll die of natural causes before you find them.
Here’s a view into the AppSecure security suite for Branch SRX. As you can see, AppSecure is a security service offering a full range of security capabilities, from application tracking and monitoring to user-tailored enforcement to prioritization (a capability that will be available in 2H 2012). The AppSecure modules available with 11.4r1 on Branch SRX are AppTrack and AppFW, shown in dark blue. IPS, as you know, is already available on Branch SRX and works together with AppTrack and AppFW, as we will see in a minute. Shown in light blue is AppQoS, planned for release in the second half of 2012. Just as we saw in the IPS/IDS market, we’ve seen significant customer demand for visibility into the network – companies want to know what applications are running, who is using them, and what threats they could pose. That’s why we have rolled out AppTrack along with AppFW, a strategy that not only enforces security policies but also provides the visibility to help in planning those policies. Juniper’s long-term strategy is to continue to deliver AppSecure functionality in a scalable, network-ready way. The AppSecure vision is to deliver these multiple capabilities in one security service that shares intelligence and is scalable thanks to its integration with the underlying Junos and SRX. All of these AppSecure capabilities run on SRX branch platforms as part of the Junos feature set. All of this functionality is made available by a simple upgrade to Junos 11.4. An annual subscription then brings in over 850 application signatures, as well as daily IPS signatures developed by our Juniper Research Lab. As more signatures become available, you are provided timely updates. The AppSecure functionality requires the high-memory version of the SRX.
vGW is purpose-built for the virtual environment. The vGW solution relies on a few simple components that work in conjunction with one another to provide complete security. The entire solution is software-based and doesn’t rely on any other Juniper products, like SRX, STRM, etc. However, those other products can be integrated, and we will discuss that shortly. Let’s take a look at the first component of vGW. The first component is the Security Design vGW VM, which is similar to vCenter. It’s a VM that manages all of the solutions deployed and configured. It integrates heavily with vCenter so the security is as dynamic as the virtualized environment itself. After importing the OVA for the SD vGW virtual appliance and answering a few simple questions, an administrator can deploy the Security VMs on each of the physical ESX/ESXi hosts. These VMs are very lightweight. They serve a number of roles based on the product deployment type; examples are IDS, antivirus engine, etc. They are also responsible for load and for communicating with the third-party components the vGW engine integrates with. The kernel module is integrated directly into the hypervisor and allows you to completely isolate communication flows to and from each VM on a host that has been selected for protection. The firewall, which is logically attached via this engine between the VM NICs and the vSwitching layer, isolates connection information and policy information from all other VMs, and unique policies can be attached to each interface, such as a policy per vNIC. Let’s examine the integration with vCenter a bit closer, as this is key to a purpose-built solution.
In campus, branch, or remote offices, anywhere people work, we provide our next-gen firewall. It includes things like application visibility and control, IPS and other UTM capabilities. Bandwidth, app and network controls are easily managed. We have solutions that combine routing, switching and security within a single gateway, which is perfect for smaller offices or organizations. We provide DDoS and AppDoS protection, as well as management software to establish and enforce policies, and security information and event management, so within a single pane of glass you can identify potential threats before they become real problems. And, as with all of our solution areas, identity and context-based controls are in place through our policy engine.
The Branch office today has a plethora of devices, often from multiple vendors, to address the different components of networking, connectivity, and security. All of this adds up to high costs of managing disparate solutions, coupled with the complexity of integrating the different solutions, and making sure they work together to address security concerns.
Some of you are more networking-oriented and some may be security-focused. Many are new to SRX… It is a fully capable and yet highly flexible platform.
Firewall/VPN - a well-regarded, recognized leader and trusted vendor
Secure Router - proven routing and switching using the same rock-solid technology used by our M and T Series carrier-class routers. Based on Junos and the broadest set of WAN interfaces in the industry, the Branch SRX delivers secure wired and wireless LAN and 3G wireless connectivity options.
And UTM (unified threat management), which is the consolidation of security features such as anti-virus, anti-spam, web filtering and content filtering, for branch offices and small/medium businesses.
Leverage each of these highly flexible solution components to meet your customers’ business needs.
For mobility and access, our technologies help protect users from the device to the data center. It’s frightening to note that 41% of people use their personal mobile device for business purposes without company support. Downright dangerous, from a security and DLP perspective. BYOD, or any mobility initiative, needs to have access policies at the core of the system. We do this in our foundation technology, which we call the Junos Access Control Service (also known as user access control, UAC). You have to account for different classes of devices: corporate-owned, employee-owned and guest devices. You have to think about deploying client and clientless solutions, coverage across wired and wireless, remote secure connections. And most importantly, the seamless user experience. That’s why our focus is on context-based controls… the who, what, where, when, how of every session. Orchestrated by the policy engine in the foundation, with integration to any directory store you might use and enforcement points like routers, switches and firewalls. We use a protocol called IF-MAP to enable per-session authentication and context control. We even provide 802.1X device authentication. And we offer device profiling and integration with change management for all of those other devices on your network – like printers, fax machines, anything with an IP address. Our mobility and access solutions let you:
Onboard (and off-board) users/devices quickly and easily
Authenticate, control access, and secure connectivity
Protect sensitive apps and data (malware, loss/theft, misuse, etc.)
Manage enterprise user, device, data access and apps
Transcript of "eHaryana 2014 - Roadmap for CSCs & Basic... - Shri Puneet Ahuja, Sr Consultant..."
GOVT SITES HACKED
MTNL claims that only the webpage and server log files - created by the server of the activities performed by it - were damaged, but cyber experts do not rule out the possibility of hackers having obtained subscribers' addresses, phone numbers and other data.
"As per the information reported to and tracked by Indian Computer Response Team (CERT-In), a total number of 308, 371 and 78 government websites were hacked during the years 2011, 2012 and 2013 (up to June) respectively."
INVALUABLE CITIZEN INFORMATION
PAN card records
Critical personal data
WHAT ARE WE UP AGAINST?
THE COST OF AN ATTACK
PONEMON INSTITUTE | AVERAGE BREACH COSTS $214 PER RECORD STOLEN
Chart labels: Sony Stolen Records; Sony Direct Costs
of ALL threats are at the Web application layer.
of organizations have been hacked in the past two years through insecure Web apps.
.me / .you
Type of Attack
Internet Information Services
START WITH A
• Context-based access control for virtually any device, any user, any time
Who, what, where, when, how
• Consistent and advanced protection across physical, virtual, on- and off-premises
Beyond the IP address
• Better economics through leverageable foundation; improved efficiencies through centralized control
Data center security
Supporting app and network deployments…
• Flexible deployment models
• Policy sharing across virtual and physical
…while protecting from targeted attacks
• Intrusion Deception stops the attack, with no false
• Scale easily, incrementally
• DDoS behavioral analysis stops attacks earlier
• Security information and event management from a single pane of glass
Our industry needs to move beyond IP reputation databases
FINGERPRINT OF AN ATTACKER
attributes used to create
~ Real Time
availability of fingerprints
NEXT GENERATION DATACENTER SECURITY:
SPOTLIGHT SECURE ATTACKER DATABASE
Juniper’s Spotlight Secure, a global attacker intelligence service, is a one-of-a-kind, cloud-based security solution that identifies specific attackers and delivers that intelligence to Junos security
Spotlight Attacker Database
SRX Series Services Gateways
DDoS SECURE – How does it work
• Packet validated against pre-defined RFC filters
• Malformed and
• Individual IP addresses assigned CHARM value
• Value assigned based on IP behaviours
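The two stages this slide lists, as an added illustration that is not Juniper's code: fixed RFC-style header checks first, then a per-source-IP behaviour score that decides whether to forward. The scoring constants and the rule itself are assumptions standing in for the undisclosed CHARM computation; the packet records are constructed sample traffic.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits (RFC 793).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

@dataclass(frozen=True)
class Packet:
    src_ip: str
    ihl: int        # IPv4 header length in 32-bit words; RFC 791 minimum is 5
    total_len: int  # IPv4 total length in bytes
    flags: int      # TCP flag bits

def rfc_violations(pkt):
    """Stage 1: fixed RFC-style header checks. Returns the violated rules."""
    bad = []
    if pkt.ihl < 5:
        bad.append("ip-header-too-short")
    if pkt.total_len < pkt.ihl * 4:
        bad.append("ip-total-len-below-header")
    if pkt.flags & SYN and pkt.flags & FIN:
        bad.append("tcp-syn-and-fin")
    if pkt.flags & SYN and pkt.flags & RST:
        bad.append("tcp-syn-and-rst")
    if (pkt.flags & 0x3F) == 0:
        bad.append("tcp-no-flags")
    return bad

class CharmTable:
    """Stage 2: per-source-IP behaviour score (the slide's CHARM value). The
    rule is an assumption, not Juniper's: a malformed packet costs a lot, each
    SYN costs a little (a half-open attempt), each ACK earns credit back (a
    handshake completed). Cumulative, not a rate, so slow abuse also sinks."""
    MALFORMED_COST, SYN_COST, ACK_CREDIT = 25, 1, 2
    DROP_BELOW, CEILING = -20, 50

    def __init__(self):
        self.score = defaultdict(int)

    def observe(self, pkt):
        """Update the source's score and return 'forward' or 'drop'."""
        ip = pkt.src_ip
        if rfc_violations(pkt):
            self.score[ip] -= self.MALFORMED_COST
            return "drop"
        if pkt.flags & SYN:
            self.score[ip] -= self.SYN_COST
        elif pkt.flags & ACK:
            self.score[ip] = min(self.CEILING, self.score[ip] + self.ACK_CREDIT)
        return "forward" if self.score[ip] >= self.DROP_BELOW else "drop"

def run_sample():
    """Constructed traffic: a SYN flood, a clean client and a malformed sender.
    Returns {src_ip: {'forward': n, 'drop': n}}."""
    traffic = [Packet("198.51.100.7", 5, 40, SYN)] * 30     # SYN flood
    traffic += [Packet("203.0.113.5", 5, 40, SYN)]          # clean client
    traffic += [Packet("203.0.113.5", 5, 40, ACK)] * 3
    traffic += [Packet("192.0.2.9", 5, 40, SYN | FIN),      # malformed sender
                Packet("192.0.2.9", 5, 40, ACK)]
    table = CharmTable()
    verdicts = defaultdict(lambda: {"forward": 0, "drop": 0})
    for pkt in traffic:
        verdicts[pkt.src_ip][table.observe(pkt)] += 1
    return dict(verdicts)
```

Note that the malformed sender's later clean ACK is still dropped: the score persists per source, which is what lets a cumulative behaviour score catch low-and-slow abuse that a per-packet filter alone would pass.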
DATACENTER SECURITY: STOPPING THE UNKNOWN
• Global attacker fingerprint system
• Actionable – beyond IP address
• Low-and-slow and volumetric
• Intrusion Deception stops hacking
• Signature free: stops new attacks
• Near-zero false positives
• No tuning or thresholds
• No tuning or Web App changes
• Leading high-end firewall
• Proven datacenter scale
• Integration with WebApp Secure