Scalar Security Roadshow - Toronto Stop
Presentations from the Toronto Stop of the Scalar Security Roadshow on March 4, covering technologies from Palo Alto Networks, F5, Splunk, and Infoblox.

Presentation Transcript

  • Security Road Show - Toronto © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • Agenda
    9:00am – 9:15am Welcome
    9:15am – 9:45am Palo Alto Networks: You can’t control what you can’t see!
    9:45am – 10:15am F5: Protect your web applications
    10:15am – 10:30am Break
    10:30am – 11:00am Splunk: Big data, next generation SIEM
    11:00am – 11:30am Infoblox: Are you fully prepared to withstand DNS attacks?
    11:30am – 12:00pm Closing remarks, Q&A
    12:00pm – 12:30pm Boxed Lunches
  • Today’s Speakers: Gary Coldwell (Palo Alto Networks), Peter Scheffler (F5), Gilberto Castillo (Splunk), Ben Shelston (Infoblox)
  • Scalar at a glance: founded in 2004; $125M in CY13 revenues; 25% growth YoY; 120 employees nationwide; offices in Toronto, Vancouver, Ottawa, Calgary and London; greater than 1:1 technical:sales ratio; background in architecting mission-critical data centre infrastructure
  • The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools; delivering infrastructure services which support core applications
  • WHY SCALAR?
  • Experience, Innovation, Execution
  • Top technical talent in Canada: engineers average 15 years’ experience. We train the trainers: the only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox. Our partners recognize we’re the best: Brocade Partner of the Year (Innovation); Cisco Partner of the Year (Data Centre & Virtualization); VMware Global Emerging Products Partner of the Year; F5 Canadian Partner of the Year; Palo Alto Networks Rookie of the Year; NetApp Partner of the Year (Central)
  • Unique infrastructure solutions designed to meet your needs: StudioCloud; HPC & Trading Systems. Testing Centre & Proving Grounds: ensuring emerging technologies are hardened and up to the task of Enterprise workloads. Vendor breadth: our coverage spans Enterprise leaders and emerging technologies for niche workloads & developing markets
  • “Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”
  • “We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”
  • “Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multidisciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”
  • PALO ALTO NETWORKS
  • Protecting Against Modern Malware and the Evolution of Cyber Security. Garry Coldwells, Systems Engineer, March 2014
  • Palo Alto Networks at a glance ©2013, Palo Alto Networks. Confidential and Proprietary.
    – Palo Alto Networks is the Network Security Company: safely enabling applications and preventing cyber threats
    – Founded in 2005; first customer shipment in 2007
    – Experienced team of 1,300+ employees; exceptional ability to support global customers
    – Q1FY14: $128.2M revenue; 16,000 customers
    – (Charts) Revenues in $MM, FYE July, FY09 to FY13: $13, $49, $119, $255, $396. Enterprise customers, Jul-11 to Jul-13: 4,700, 9,000, 13,500.
  • How Time Has Changed: 1995 vs. 2012 (figure)
  • Levelset
  • The basics
    – Exploit. What it is: bad application input, usually in the form of network traffic. What it does: targets a vulnerability to hijack control of the target application or machine.
    – Malware. What it is: malicious application or code. What it does: anything: downloads, hacks, explores, steals…
    – Command-and-control (C2). What it is: network traffic generated by malware. What it does: keeps the remote attacker in control and coordinates the attack.
    – Indicators of compromise (IoC). What it is: indications that your network has been compromised. What it does: allows security teams to find and confirm breaches.
  • Known vs. unknown threats
    – Known threats: malware or exploits that have been seen before; commonly available and recycled; easily stopped by traditional security
    – Unknown threats: malware or exploits that have never been seen before; unique, and often custom-crafted; easily bypass traditional security
  • New Threat Landscape: State of the Union
  • Interests and motivations have also changed: from bored “geeks” to nation states and organized crime
  • The new threat landscape
    – Commodity threats (very common, easily identified): mostly addressed by traditional AV and IPS; low sophistication, slowly changing
    – Organized cybercrime, advanced threat (more customized exploits and malware): somewhat more sophisticated payloads; evasion techniques often employed; sandboxing and other smart detection often required
    – Nation state (very targeted, persistent, creative): intelligent and continuous monitoring of passive network-based and host-based sensors; comprehensive investigation after an indicator is found; highly coordinated response is required for effective prevention and remediation
    – Machine vs. machine
  • By the Numbers
    – [count not recovered from the slide] days of malware data accumulation
    – Networks: covering 1,000+ live enterprise networks
    – Antivirus vendors: tested against 6 fully-updated, industry-leading antivirus products
    – Unknown malware (zero-day): resulted in finding 26,000+ malware that had NO coverage at the time they were detected in the live enterprise network
  • Malware Delivery Vectors: 90% delivery via web-browsing/HTTP; 2% delivery via email
  • Malware Vectors and Traditional Detection Times (figure): top 5 sources of unknown malware highlighted. FTP was a leading source and rarely detected.
  • Regaining Control
    – Bring the right anti-malware technologies into the network: end-point antivirus is falling way short; need to look way beyond email and web; 82 applications are designed explicitly to avoid security (circumventors); 260 applications are designed to tunnel within allowed protocols (encryption, tunneling)
    – Expect unknowns: implement a mechanism to take a deeper look at the unknown; real-time detection and blocking when possible; automate the kill chain to prevent manual response
    – Enforce user and application controls: minimize the attack surface by controlling who can transfer files, using which apps, in which direction and when
  • Automated network effect of sharing (WildFire)
    – Automatic detection in real time in private or public cloud: 10Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.); WildFire Appliance (optional)
    – Automatic generation of several defensive measures: anti-malware signatures, DNS intelligence, malware URL database, anti-C2 signatures, covering command-and-control, staged malware downloads, host ID and data exfil
    – Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection: malware, DNS, URL, and C2 signatures automatically created based on WildFire intelligence and delivered to customers globally
    – Automatic installation of defensive measures provides full prevention immediately
    – Global intelligence and protection delivered to all users: you benefit from the threat intelligence of 2,500+ organizations across the industry, plus soak sites, sinkholes and 3rd party sources
  • Unique Identifiers (figure; counts not recovered from the slide): samples of malware with unique SHA256; unique identifiers observed in multiple malware samples; identifiable samples contained unique identifiers; potential to be blocked by unique identifier rather than hash/URI
  • Most Commonly Observed Malware Behaviours (figure)
  • Regaining Control
    – Implement technology with stream-based analysis of headers and payloads: block polymorphic variants using identifiers rather than hash or URI
    – Establish a solid baseline of ‘normal’ behaviour: knowing what is normal allows the abnormal to become very apparent
    – Investigate and remediate unknowns: investigate unknown and make it a goal to keep it below an acceptable threshold
    – Restrict access to unknown, newly registered and dynamic DNS domains: the internet is dynamic, so restrict executables from these, implement SSL decryption and block HTTP-POST
    – Control email traffic flow: only allow email traffic in/out between the mail gateway and the destination and never allow email bypassing the corporate mail gateway
  • Malware Use of Non-Standard Ports by Application (figure)
  • Regaining Control: restrict applications to their standard ports; especially limit FTP to its well-known ports
  • Regaining Control over Modern Threats: new requirements for threat prevention. 1. Visibility into all traffic regardless of port, protocol, evasive tactic or SSL. 2. Stop all types of known network threats (IPS, anti-malware, URL, etc.) while maintaining multi-gigabit performance. 3. Find and stop new and unknown threats even without a pre-existing signature.
  • A Next-Generation Cybersecurity Strategy (the funnel): everything must go in the funnel; reduce the attack surface; block everything you can; test and adapt to unknowns; investigate and cleanup
  • The Bigger Picture
  • Imperatives to be secure §  Evolving from incident response mindset to intelligence mindset §  No intelligence exists without visibility §  Applying the intelligence and resulting IOCs to the kill chain §  Sharing what you know
  • Can’t understand what you don’t know §  You don’t have intelligence if you don’t have visibility §  Visibility required across the whole network §  Ideally, you can see and understand applications, content, and users §  Then make sense of what you see
  • Share what you know §  In the cyber security battle, sharing is key §  Three ways this is happening 1.  External – industry initiatives 2.  External – technology partnerships 3.  Internal – your security technology should leverage the network
  • VM-Series: virtual firewall as a guest VM on vSphere (Gateway Edition: VM-100, VM-200, VM-300); virtual firewall as a hypervisor service on NSX (VM-1000-HV Edition, modeled from VM-300)
  • Automated Deployment, via Panorama
  • Regaining Control
  • A Next-Generation Cybersecurity Strategy (1): Everything must go in the funnel. Inspect all traffic; 35% of all applications use SSL; non-standard ports and tunneled traffic; make NO assumptions.
  • A Next-Generation Cybersecurity Strategy (2): Reduce the attack surface. High risk applications and features; block files from unknown domains; find and control custom traffic; implement POSITIVE security.
  • A Next-Generation Cybersecurity Strategy (3): Block everything you can. Exploits, malware, C2; variants and polymorphism; DNS, URLs, malicious clusters; implement NEGATIVE security.
  • Strategy for Modern Threat Prevention: Test and adapt to unknowns. Static, behavioral and anomaly analysis; automatically create and deliver protections; share globally; implement zero-day security.
  • A Next-Generation Cybersecurity Strategy (5): Investigate and cleanup. Feed the SIEM; share indicators of compromise; integrate with end-point security; evolve from Incident Response to Security Intelligence.
  • F5
  • F5: Security for an application driven world
  • F5 provides complete visibility and control across applications and users: intelligent dynamic threat defense services (DNS, web access, DDoS protection, protocol security, network firewall) on the TMOS platform, securing access to applications from anywhere and protecting your applications regardless of where they live. © F5 Networks, Inc
  • Security Trends and Challenges
  • Attack timeline, May to December 2012 (figure): incidents by attack type (spear phishing, physical access, XSS); the size of each circle estimates the relative impact of the incident in terms of cost to business.
  • Attack timeline, January to June 2013 (figure): incidents at banks, government, online services, education, news & media, telcos, software, DNS providers, utilities, retail, gaming, automotive, health, industrial and non-profit organizations, by attack type (spear phishing, physical access, unknown); the size of each circle estimates the relative impact of the incident in terms of cost to business.
  • More sophisticated attacks are multi-layer: application, SSL, DNS, network
  • The business impact of DDoS: cost of corrective action; reputation management
  • OWASP Top 3 Application Security Risks. 1 – Injection: injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data. 2 – Broken Authentication and Session Management: application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity. 3 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user. Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  • The F5 Approach
  • Full Proxy Security: the full proxy terminates both the client-side and the server-side stacks (physical, network, session, application, web application), which allows an L4 firewall with full stateful policy enforcement and TCP DDoS mitigation; SSL inspection and SSL DDoS mitigation; an HTTP proxy with HTTP DDoS and application security; and application health monitoring and performance anomaly detection.
  • The F5 Application Delivery Firewall: bringing deep application fluency to firewall security. One platform: network firewall, traffic management, application security, access control, DDoS mitigation, SSL inspection, DNS security. Certified EAL2+; EAL4+ in process.
  • Positive vs Negative
    – Positive security: known good traffic; permit only what is defined in the security policy (whitelisting); block everything else
    – Negative security: known-bad traffic; pattern matching for malicious content using regular expressions
    – Policy enforcement is based on positive security logic; negative security logic is used to complement positive logic
  • How Does It Work? Security at application, protocol and network level. Request path: request made; security policy checked; enforcement (actions: log, block, allow). Response path: server response; security policy applied; content scrubbing; application cloaking; response delivered. Customer quote: “BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”
  • How the policy is checked, step by step:
    1. Start by checking RFC compliance
    2. Then check for various length limits in the HTTP
    3. Then we can enforce valid types for the application
    4. Then we can enforce a list of valid URLs
    5. Then we can check for a list of valid parameters
    6. Then for each parameter we will check for max value length
    7. Then scan each parameter, the URI, the headers
    Sample request from the slide (the “rn” remnants were CRLF line endings):
        GET /search.php?name=Acme’s&admin=1 HTTP/1.1
        Host: 172.29.44.44
        Connection: keep-alive
        User-Agent: Mozilla/5.0 (Windows NT 6.1)
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9
        Referer: http://172.29.44.44/search.php?q=data
        Accept-Encoding: gzip,deflate,sdch
        Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
        Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
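An added example, not F5’s code or the slide’s, of the seven-step positive-security check above combined with the regular-expression negative-security complement from the Positive vs Negative slide, run over a request constructed after the slide’s sample. The policy values, the two signatures and the violation strings are assumptions made for this example.

```python
"""Positive-security enforcement of one HTTP request, in the order the slide lists
the checks, with a small negative-security (signature) scan as the final step."""
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed policy: the application's known-good definition (whitelisting).
POLICY = {
    "max_request_length": 4096,
    "max_uri_length": 256,
    "max_header_length": 512,
    "allowed_file_types": {".php", ".html", ".css", ".js", ".png", ""},
    "allowed_urls": {"/search.php", "/index.html"},
    # Per-URL parameter list, each with the maximum length of its value.
    "parameters": {"/search.php": {"name": 64, "q": 64, "page": 3}},
}

# Negative-security complement: two illustrative attack-pattern signatures
# (constructed for this example, not a real signature set).
SIGNATURES = {
    "sql-meta": re.compile(r"'|--|/\*"),
    "script-tag": re.compile(r"<\s*script", re.I),
}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")


def parse_request(raw):
    """Step 1: RFC-shaped parse; raises ValueError for anything malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if m.group(3) == "1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return m.group(1), m.group(2), headers


def check_request(raw, policy=POLICY):
    """Return the list of policy violations; an empty list means the request is allowed."""
    try:
        _method, target, headers = parse_request(raw)
    except ValueError as err:
        return [f"step1 rfc: {err}"]
    v = []
    # Step 2: length limits on the whole request, the URI and every header value.
    if len(raw) > policy["max_request_length"]:
        v.append("step2 length: request too long")
    if len(target) > policy["max_uri_length"]:
        v.append("step2 length: uri too long")
    for name, value in headers.items():
        if len(value) > policy["max_header_length"]:
            v.append(f"step2 length: header {name} too long")
    parts = urlsplit(target)
    # Step 3: the requested file type must be one the application serves.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext not in policy["allowed_file_types"]:
        v.append(f"step3 filetype: {ext!r} not allowed")
    # Step 4: the URL itself must be on the allowed list.
    if parts.path not in policy["allowed_urls"]:
        v.append(f"step4 url: {parts.path} not allowed")
    # Steps 5 and 6: each parameter must be defined for this URL and within its max length.
    allowed = policy["parameters"].get(parts.path, {})
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:
            v.append(f"step5 param: {name} not defined")
        elif len(value) > allowed[name]:
            v.append(f"step6 param: {name} value too long")
    # Step 7: scan the URI, each parameter value and each header for attack patterns.
    fields = ([("uri", target)] + [(f"param {n}", val) for n, val in params]
              + [(f"header {n}", val) for n, val in headers.items()])
    for label, text in fields:
        for sig, rx in SIGNATURES.items():
            if rx.search(text):
                v.append(f"step7 signature {sig} in {label}")
    return v


# Constructed sample modelled on the slide's request (CRLF line endings restored).
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for violation in check_request(SAMPLE_REQUEST):
        print(violation)
```

The sample request fails the positive policy on the undefined `admin` parameter (step 5) and is also caught by the negative signature on the apostrophe in `name` (step 7), which is the whitelist-first, blacklist-as-complement ordering the slides describe.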
  • Automatic HTTP/S DoS Attack Detection and Protection: accurate detection technique based on latency; three different mitigation techniques escalated serially; focus on higher value productivity while automatic controls intervene. Detect a DoS condition, identify potential attackers, drop only the attackers.
  • To Simplify: Application-Oriented Policies and Reports
  • IP Intelligence: an IP intelligence service (IP address feed updated every 5 min, plus a geolocation database) in front of custom and financial applications identifies traffic from botnets, restricted regions or countries, attackers, anonymous requests and anonymous proxies, scanners, and internally infected devices and servers.
  • Built for intelligence, speed and scale: concurrent user sessions 100K; concurrent logins 1,500/sec; throughput 640 Gbps; concurrent connections 288 M; DNS query response 10 M/sec; SSL TPS (2K keys) 240K/sec; connections per second 8M
  • Application Delivery Firewall products (network firewall, traffic management, application security, access control, DDoS mitigation, SSL inspection, DNS security), with iRules extensibility everywhere:
    – Advanced Firewall Manager: stateful full-proxy firewall; flexible logging and reporting; native TCP, SSL and HTTP proxies; network and session anti-DDoS
    – Local Traffic Manager: #1 application delivery controller; application fluency; app-specific health monitoring
    – Application Security Manager: leading web application firewall; PCI compliance; virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection
    – Access Policy Manager: dynamic, identity-based access control; simplified authentication infrastructure; endpoint security, secure remote access
    – Global Traffic Manager & DNSSEC: huge scale DNS solution; global server load balancing; signed DNS responses; offload DNS crypto
  • Explore The F5 DDoS Protection Reference Architecture: f5.com/architectures
  • Summary
    – Customers invest in network security, but the most significant threats are at the application layer
    – Current security trends (BYOD, webification) mean you need to be even more aware of who and what can access application data
    – A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges
    – F5 Application Delivery Firewall brings together the traditional network firewall with application-centric security, and can understand the context of users, devices and access
  • BREAK
  • SPLUNK
  • Splunk for Security Intelligence. Copyright © 2014 Splunk Inc.
  • Splunk Overview
    – Company (NASDAQ: SPLK): founded 2004, first software release in 2006; HQ: San Francisco, regional HQ: London, Hong Kong; over 1000 employees, based in 12 countries; 2012 revenue: $199M (YoY +60%)
    – Business model / products: free download to massive scale; Splunk Enterprise, Splunk Cloud, Hunk: Splunk Analytics for Hadoop
    – 6,400+ customers; customers in over 90 countries; 60 of the Fortune 100; largest license: over 100 Terabytes per day
  • Make machine data accessible, usable and valuable to everyone.
  • The Accelerating Pace of Data: volume, velocity, variety, variability. Machine data is the fastest growing, most complex, most valuable area of big data: GPS, RFID, hypervisor, web servers, email, messaging, clickstreams, mobile, telephony, IVR, databases, sensors, telematics, storage, servers, security devices, desktops.
  • The Splunk Security Intelligence Platform: machine data from online services, web services, security servers, GPS location, networks, packaged applications, desktops, storage, messaging, telecoms, custom applications, RFID, energy meters, online shopping cart, databases, web clickstreams, call detail records, smartphones and devices, held in HA indexes and storage on commodity servers. Security use cases: forensic investigation, security operations, compliance, fraud detection.
  • Rapid Ascent in the Gartner SIEM Magic Quadrant (figure: 2011, 2012, 2013)
  • Industry Accolades: Best SIEM Solution; Best Enterprise Security Solution; Best Security Product
  • Over 2800 Global Security Customers
  • Splunk Security Intelligence Platform: 120+ security apps, including the Splunk App for Enterprise Security and apps for Palo Alto Networks, Cisco Security Suite, OSSEC, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat ProxySG and Sourcefire
  • Partner Ecosystem. What is the value add to existing customers? Visibility and correlation of rich data; improved security posture; configurable dashboard views
  • All Data is Security Relevant = Big Data. Traditional SIEM sources: firewall, authentication, vulnerability scans, anti-malware, intrusion detection, data loss prevention. Beyond those: databases, email, web, desktops, servers, DHCP/DNS, network flows, custom apps, hypervisor, badges, storage, mobile, service desk, industrial control, call records.
  • Making Sound Security Decisions: binary data (flow and PCAP), log data, threat intelligence feeds and context data, across volume, velocity, variety and variability.
  • Case #1 – Incident Investigation/Forensics
    – Often initiated by an alert in another product
    – May be a “cold case” investigation requiring machine data going back months
    – Need all the original data in one place and a fast way to search it to answer: What happened and was it a false positive? How did the threat get in, where have they gone, and did they steal any data? Has this occurred elsewhere in the past?
    – Take results and turn them into a real-time search/alert if needed
    (Figure: January to April timeline linking Suspect A, B and C and Accomplice A and B through log events)
  • Case #2 – Real-time Monitoring of Known Threats. Example correlation (data loss): all three events occur within a 24-hour period and share the source IP 10.11.36.20.
    – Windows authentication (default admin account; source IP):
        20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount = IP: 10.11.36.20 TrueName=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts
    – Endpoint security (malware found; source IP):
        Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
    – Intrusion detection (data loss; source IP):
        Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:
  • Case #3 – Real-time Monitoring of Unknown Threats: Spearphishing. Example correlation: all three events occur within a 24-hour period and share the user name (John Doe).
    – Email server (rarely seen email domain; user name):
        2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z
    – Web proxy (rarely visited web site; user name):
        2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; )" User John Doe,"
    – Endpoint logs (rarely seen service; user name):
        08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. " pid=1300 process_image="John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
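An added example, not Splunk’s code or the slides’, of the correlation logic behind Case #2 and Case #3: events from several data sources are pivoted on a shared field (source IP for the data-loss case, user name for the spearphishing case) and an alert fires when every required source appears within a 24-hour window. The event records are constructed to mirror the slides’ logs; the sourcetype and field names are assumptions.

```python
"""Cross-source correlation: alert when every required sourcetype reports the same
pivot value (source IP or user name) inside a time window, as on the two case slides."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events mirroring the slides' three sources per case (not real logs).
EVENTS = [
    {"time": "2013-08-08 06:09:13", "sourcetype": "windows_auth", "src_ip": "10.11.36.20",
     "user": "Administrator", "msg": "default admin account in use"},
    {"time": "2013-08-08 06:17:24", "sourcetype": "endpoint_av", "src_ip": "10.11.36.20",
     "user": "smithe", "msg": "Virus found, Risk name: Hackertool.rootkit"},
    {"time": "2013-08-08 08:26:54", "sourcetype": "ids", "src_ip": "10.11.36.20",
     "user": None, "msg": "Credit Card Number Detected in Clear Text"},
    {"time": "2013-08-09 12:40:25", "sourcetype": "email", "src_ip": None,
     "user": "johndoe", "msg": "mail from rarely seen domain neverseenbefore.com"},
    {"time": "2013-08-09 16:21:38", "sourcetype": "web_proxy", "src_ip": "10.11.36.29",
     "user": "johndoe", "msg": "GET www.neverbeenseenbefore.com"},
    {"time": "2013-08-09 16:23:51", "sourcetype": "endpoint_logs", "src_ip": "10.11.36.29",
     "user": "johndoe", "msg": "neverseenbefore.exe CreateKey"},
    # Same IP as Case #2 but days later: must not be pulled into that alert.
    {"time": "2013-08-12 09:00:00", "sourcetype": "ids", "src_ip": "10.11.36.20",
     "user": None, "msg": "Credit Card Number Detected in Clear Text"},
]

# Required sourcetypes for each case, as the slides list them.
DATA_LOSS_SOURCES = ["windows_auth", "endpoint_av", "ids"]      # Case #2, pivot on src_ip
SPEARPHISH_SOURCES = ["email", "web_proxy", "endpoint_logs"]    # Case #3, pivot on user


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(events, pivot, required, window_hours=24):
    """Return one alert per pivot value whose events cover every required
    sourcetype within the window, measured from the earliest event in the group."""
    required = list(required)
    window = timedelta(hours=window_hours)
    groups = defaultdict(list)
    for ev in events:
        if ev.get(pivot):                    # events without the pivot field cannot be joined
            groups[ev[pivot]].append(ev)
    alerts = []
    for key, group in groups.items():
        group.sort(key=lambda e: parse_time(e["time"]))
        for i, first in enumerate(group):    # slide the window start over each event
            start = parse_time(first["time"])
            seen = {}
            for ev in group[i:]:
                if parse_time(ev["time"]) - start > window:
                    break
                if ev["sourcetype"] in required:
                    seen.setdefault(ev["sourcetype"], ev)   # keep the earliest per sourcetype
                if len(seen) == len(required):
                    alerts.append({
                        "pivot": pivot, "key": key,
                        "first": first["time"], "last": ev["time"],
                        "events": [seen[s] for s in required],
                    })
                    break
            if alerts and alerts[-1]["key"] == key:
                break                        # one alert per pivot value is enough
    return alerts


if __name__ == "__main__":
    for alert in (correlate(EVENTS, "src_ip", DATA_LOSS_SOURCES)
                  + correlate(EVENTS, "user", SPEARPHISH_SOURCES)):
        print(alert["pivot"], alert["key"], alert["first"], "->", alert["last"])
        for ev in alert["events"]:
            print("   ", ev["sourcetype"], ev["msg"])
```

The same three events would not correlate with a one-hour window, which is the tuning trade-off behind the slides' "all three occurring within a 24-hour period" time range.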
  • $500k  Security  ROI  @  Interac   •  Challenges:  Manual,  costly  processes   –  Significant    people  and  days/weeks  required  for  incident  inves8ga8ons.  $10k+  per  week.   –  No  single  repository  or  UI.  Used  mul8ple  UIs,  grep’d  log  files,  reported  in  Excel   –  Tradi8onal  SIEMs  evaluated  were  too  bloated,  too  much  dev  8me,  too  expensive   Enter  Splunk:  Fast  inves8ga8ons  and  stronger  security   –  –  –  –  Feed  15+  data  sources  into  Splunk  for  incident  inves8ga8ons,  reports,  real-­‐8me  alerts   Splunk  reduced  inves8ga8on  8me  to  hours.  Reports  can  be  created  in  minutes.   Real-­‐8me  correla8ons  and  aler8ng  enables  fast  response  to  known  and  unknown  threats   ROI  quan8fied  at  $500k  a  year.  Splunk  TCO  is  less  than  10%  of  this.   “   “   •  Splunk  is  a  product  that  provides  a  looking  glass  into  our  environment  for  things   we  previously  couldn’t  see  or  would  otherwise  have  taken  days  to  see.       Josh  Diakun,  Security  Specialist,  Informa8on  Security  Opera8ons   97  
  • Replacing  a  SIEM  @  Cisco   •  Challenges:  SIEM  could  not  meet  security  needs   –  Very  difficult  to  index  non-­‐security  or  custom  app  log  data   –  Serious  scale  and  speed  issues.  10GB/day  and  searches  took  >  6  minutes   –  Difficult  to  customize  with  reliance  on  pre-­‐built  rules  which  generated  false  posi8ves   Enter  Splunk:  Flexible  SIEM  and  empowered  team   –  –  –  –  –  Easy  to  index  any  type  of  machine  data  from  any  source   Over  60  users  doing  inves8ga8ons,  RT  correla8ons,  repor8ng,  advanced  threat  detec8on   All  the  data  +  flexible  searches  and  repor8ng  =  empowered  team   900  GB/day  and  searches  take  <  minute.    7  global  data  centers  with  350TB  stored  data   Es8mate  Splunk  is  25%  the  cost  of  a  tradi8onal  SIEM     “   We  moved  to  Splunk  from  tradi8onal  SIEM  as  Splunk  is  designed  and   engineered  for  “big  data”  use  cases.  Our  previous  SIEM  was  not  and  simply   could  not  scale  to  the  data  volumes  we  have.       Gavin  Reid,  Leader,  Cisco  Computer  Security  Incident  Response  Team   “   •  98  
  • Security and Compliance @ Barclays
    •  Challenges: Unable to meet demands of auditors
      –  Scale issues, hard to get data in, and impossible to get data out beyond summaries
      –  Not optimized for unplanned questions or historical searches
      –  Struggled to comply with global internal and external mandates, and to detect APTs
      –  Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
    •  Enter Splunk: Stronger security and compliance posture
      –  Fines avoided as searches easily turned into visualizations for compliance reporting
      –  Faster investigations, threat alerting, better risk measurement, enrichment of old data
      –  Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
      –  Other teams using Splunk for non-security use cases improves ROI
    “We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.”
    Stephen Gailey, Head of Security Services
  • Splunk Key Differentiators (comparison table: Splunk vs. Traditional SIEM)
    •  Single product, UI, data store
    •  Software-only; install on commodity hardware
    •  Quick deployment + ease-of-use = fast time-to-value
    •  Can easily index any data type
    •  All original/raw data indexed and searchable
    •  Big data architecture enables scale and speed
    •  Flexible search and reporting enables better/faster threat investigations and detection, incl finding outliers/anomalies
    •  Open platform with API, SDKs, Apps
    •  Use cases beyond security/compliance
  • For your own AHA! Moment
    Reach out to your Scalar and Splunk team for a demo
    Thank you!
  • INFOBLOX
  • DNS as a Threat & Threats to DNS Benoit Shelston, Senior Systems Engineer 103 | © 2013 Infoblox Inc. All Rights Reserved.
  • Agenda
    –  Infoblox Overview
    –  DNS Threats
      –  Why is DNS a target?
      –  What types of attacks?
    –  Infoblox Advanced DNS Protection
  • Infoblox Overview
    –  Founded in 1999
    –  Headquartered in Santa Clara, CA with global operations in 25 countries
    –  Leader in DNS, DHCP, and IP Address Management
    –  Market leadership
      •  Gartner “Strong Positive” rating
      •  40%+ Market Share (DDI)
    –  7,000+ customers, 64,000+ systems shipped
    –  35 patents, 29 pending
    –  IPO April 2012: NYSE BLOX
  • Diverse Customer Base in All Key Verticals
    Chart: exposure to industry top 10 leaders across Healthcare, Retail, Financial Services, Manufacturing, Telecom, Technology, Government and Other; panel of recent new customers
  • Why is DNS an Ideal Target?
    •  DNS is a bootstrap to networks and applications
    •  DNS is easy to exploit
    •  DNS can be both the threat, and the target
    •  No one is looking
    •  DNS downtime means business downtime
  • DNS Attacks up 216%
    ~10% of infrastructure attacks targeted DNS (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013)
      Attack vector breakdown: ACK 2.81%, ICMP 9.71%, RESET 1.4%, CHARGEN 6.39%, RP 0.26%, FIN PUSH 1.28%, DNS 9.58%, SYN 14.56%, SYN PUSH 0.38%, TCP FRAGMENT 0.13%, UDP FRAGMENT 17.11%, UDP FLOODS 13.15%
    ~80% of organizations experienced application layer attacks on DNS (Source: Arbor Networks, survey respondents)
      Application layer attack targets: HTTP 82%, DNS 77%, HTTPS 54%, SMTP 25%, SIP/VOIP 20%, Other 9%, IRC 6%
  • DNS Threats Landscape
    •  Three types of DNS attacks
      ̶  Attack as Infrastructure: Attacks primarily focused on disruption of DNS services (and everything else with it)
      ̶  Protocol Exploitation: Attacks that use DNS as a vector for business exploitation
      ̶  Platform Hacks: Exploit the underlying DNS platform to take control of DNS (for defacement, or redirection)
  • DNS Infrastructure Attacks Example
    •  Traditional DOS
    •  Distributed DOS
    •  Amplification
    •  Reflection
    •  …and the dreaded combination: Distributed Reflection DOS (DrDOS)
    Diagram: Command & Control, DNS Server
  • Most DDoS Attacks Use Name Servers
    •  Why?
      ̶  Because name servers make surprisingly good amplifiers
    This one goes to eleven…
  • DDoS Illustrated
    Diagram: Evil resolver → spoofed query → open recursive name servers → response to spoofed address → Target
  • Amplification: They Go Past Eleven…
    Query for isc.org/ANY: 36 bytes sent, 4077 bytes received, ~113x amplification!

    $ dig @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec
    ; <<>> DiG 9.9.1-P1 <<>> @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34036
    ;; flags: qr aa; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 15

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;isc.org. IN ANY

    ;; ANSWER SECTION:
    isc.org. 7200 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013090300 7200 3600 24796800 3600
    isc.org. 7200 IN RRSIG SOA 5 2 7200 20131002233248 20130902233248 50012 isc.org. hUfqnG5gKbygAeVRHjP5As31lsheMKNPD7g9MJlWZTrmD2de6Z/eCwUX kQxRT5TV0lFWjtGFuA0a4svbCZ1qHS9d/rhWc7IMziu2u+L9tbho+c4j szvGAJ9kYvalNbgpmkHdm+wmOHWmiY3cYKcl5Ps8gs5N0Q1JdkaCARPF HQs=
    isc.org. 7200 IN NS sfba.sns-pb.isc.org.
    isc.org. 7200 IN NS ns.isc.afilias-nst.info.
    isc.org. 7200 IN NS ams.sns-pb.isc.org.
    isc.org. 7200 IN NS ord.sns-pb.isc.org.
    isc.org. 7200 IN RRSIG NS 5 2 7200 20131002233248 20130902233248 50012 isc.org. Fdfb5ND2XUlnk/nPcPOaNBCK6307LdrhC/dqdS+TMtBjKMmXU2NJBl0h D8fOnOdKbzlwNk1JLPXq25znMNBw+ZdjMekctR2r2jTO2Xm9mT+su4ff 8r1pMcUGhpsq73V6NjIbgA3LT6zfv4gWyFdos60Ma/Bsq26SmpECQFNA RpI=
    isc.org. 60 IN A 149.20.64.69
    isc.org. 60 IN RRSIG A 5 2 60 20131002233248 20130902233248 50012 isc.org. CkSV2VzLktJGH2PXEJl1QssxeyyUYM5pALjb06NMW0BC5vcFyuQYng2l NE/Z0J1XIHflWwGo9Gv1YZ0u/K6rGPXwgWmkl/6t0T8uNtk9u3XDhaMx QBg2P2ZAp1NEg6r3ccznGu9y+Q71g/IxcK+5Ok7gI8L18hBTi+vpCAKY q6A=
    isc.org. 7200 IN MX 10 mx.pao1.isc.org.
    isc.org. 7200 IN RRSIG MX 5 2 7200 20131002233248 20130902233248 50012 isc.org. fiALi/ebGauXvqfL4vHt5YzgIY/X0kh2WNE37wICVU6BYKkqDuWF2h5T 4ry2TmdcKj4pqVOJVSDF/A7zzRPkcpcwibTM8h5yDEMJzELAsSimj2mX BFsqTgFGtDXIGV9IU7qryFkVMrDlj9gcLkTlg1EZpyxwQH2y2XCT5BhA bQA=
    isc.org. 7200 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
    isc.org. 7200 IN TXT "$Id: isc.org,v 1.1845 2013-08-16 16:16:50 dmahoney Exp $"
    isc.org. 7200 IN RRSIG TXT 5 2 7200 20131002233248 20130902233248 50012 isc.org. J0UV7iIvQn7Pzu/itUN1JH4hLg8bjQo/73kBef/T/yzx/P8t6VX+MYDC ysyXNigSi1JPoWfYt7qu6eXcALQEwJ/Z156Rebefjls4R18wr+BttzWF ICb+zJ7K7o4meckc7ZQr12gIAXjij09dr9omYoObWo6/IH76S6N3Er4i xdg=
    isc.org. 60 IN AAAA 2001:4f8:0:2::69
    isc.org. 60 IN RRSIG AAAA 5 2 60 20131002233248 20130902233248 50012 isc.org. OBWafw6hmgueTvaL06Q3zzpKODW3OIWKxHr3Z30mag1vJW5ECwlkK3xI lPr4A1Rg6SZiJp78yewBWkDB0436cY1uCJ0yzsk9YWlLW/5hScy1ueaH s2tfymZD7UdOh0FuLs05gunsxK2Of3DCG3Zh3cD4FMnu8ju1CuLD2+dU W1U=
    isc.org. 7200 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
    isc.org. 7200 IN RRSIG NAPTR 5 2 7200 20131002233248 20130902233248 50012 isc.org. s9cuc6O0e2kgBNffd6dyJyJH1Zm5Wd0pRO1q5aKMc7UsiKFUI7MI7Q8N VzTqwM/zWh2VzvtV/w1O3IHuSiXBN9k51Loy4WGHJSDcXs865PWjHJwJ jRqfz1bE+LsW/aZD2Ud/iGyhCoQPeZIOcqB6plB+keIf3mGR0bHkdjV+ Zw4=
    isc.org. 3600 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
    isc.org. 3600 IN RRSIG NSEC 5 2 3600 20131002233248 20130902233248 50012 isc.org. K3/RL0nn54FkFvcPnaecG26JjQVCZL1g41zB02YssxZnE/3lX9X4O8uk DrONRdvKEeMq51YUy8NBljWAlPOIRYD0lWUMrXuSNHMyGIFwHFIZqNrN CuQUl+24oPQXi3/wWX0TGH5XW9XF2IB+Dc1zdP/5qRHiKCjAnYDNE384 PAQ=
    isc.org. 7200 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
    isc.org. 7200 IN DNSKEY 256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=
    isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 12892 isc.org. ioYDVytf4YoAHCVxdz6U/fuQCaH2f2XVUExEexo48e55vLVSre5GkBG1 Wyn/4FeWLOUVWm5HElbL/hK2QEResp0csAwTnllU7W8fM65aS7pIO9JZ QWMvkPxQjsTYzEP1P2GA8NVGRUhz17RMLLSFgAJS9aEI7xK0fMwsd9U4 Az
  • A Little Math
    •  Say each bot has a measly 1 Mbps connection to the Internet
      ̶  It can send 1Mbps/36B =~ 28K qps
      ̶  That generates 28K * 4077B =~ 913 Mbps
    •  So 11 bots > 10 Gbps
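The arithmetic on the two slides above, carried through as an added example that is not part of the Infoblox deck. It takes the slide's own figures (36-byte query, 4077-byte response, 1 Mbps per bot) and computes everything at 8 bits per byte. Done that way a 1 Mbps sender gets about 3.5K queries per second onto the wire rather than 28K, because 36 bytes is 288 bits, and draws about 113 Mbps of responses out of the name server (the amplification factor times its uplink); reaching 10 Gbps then takes about 89 such senders rather than 11. The slide's second step (28K qps times 4077 bytes is about 913 Mbps) is reproduced as stated. For a defender the outputs that matter are the amplification factor of a record set and the reflected bandwidth one saturated client can extract, which are the numbers that justify response rate limiting and closing open recursion.

```python
"""Amplification arithmetic for the isc.org/ANY query shown on the slides.

Added example, not Infoblox code. The query/response sizes and the 1 Mbps
uplink are the slide's figures; every step here converts bytes to bits.
"""
import math

QUERY_BYTES = 36          # slide: "36 bytes sent"
RESPONSE_BYTES = 4077     # slide: "4077 bytes received"
BOT_UPLINK_BPS = 1_000_000  # slide: "a measly 1 Mbps connection"
BITS_PER_BYTE = 8


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: response bytes per query byte."""
    return response_bytes / query_bytes


def queries_per_second(uplink_bps: float, query_bytes: int) -> float:
    """Queries one sender can emit per second with its uplink saturated.
    The query size is in bytes, so it is converted to bits before dividing."""
    return uplink_bps / (query_bytes * BITS_PER_BYTE)


def reflected_bps_from_qps(qps: float, response_bytes: int) -> float:
    """Response traffic, in bits per second, produced by a given query rate."""
    return qps * response_bytes * BITS_PER_BYTE


def reflected_bps(uplink_bps: float, query_bytes: int, response_bytes: int) -> float:
    """Response traffic one saturated sender can draw out of the reflector."""
    return reflected_bps_from_qps(queries_per_second(uplink_bps, query_bytes),
                                  response_bytes)


def senders_needed(target_bps: float, uplink_bps: float,
                   query_bytes: int, response_bytes: int) -> int:
    """Smallest sender population whose reflected traffic reaches target_bps;
    a sizing figure for deciding whether a record set needs rate limiting."""
    per_sender = reflected_bps(uplink_bps, query_bytes, response_bytes)
    return math.ceil(target_bps / per_sender)


if __name__ == "__main__":
    print(f"amplification factor: {amplification_factor(QUERY_BYTES, RESPONSE_BYTES):.2f}x")
    print(f"queries/s per 1 Mbps sender: {queries_per_second(BOT_UPLINK_BPS, QUERY_BYTES):.0f}")
    print(f"reflected traffic per sender: "
          f"{reflected_bps(BOT_UPLINK_BPS, QUERY_BYTES, RESPONSE_BYTES) / 1e6:.1f} Mbps")
    print(f"senders for 10 Gbps: {senders_needed(10e9, BOT_UPLINK_BPS, QUERY_BYTES, RESPONSE_BYTES)}")
    # The slide's second step (28K qps x 4077 B), reproduced exactly as stated
    print(f"slide's 28K qps step: {reflected_bps_from_qps(28_000, RESPONSE_BYTES) / 1e6:.0f} Mbps")
```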
  • Malware Enablement
    •  Malware infects clients when they visit malicious web sites, whose names are resolved using DNS
    •  Malware rendezvous with command-and-control channels using hardwired domain names and rapidly changing IP addresses
    •  Malware tunnels new malicious code through DNS
  • Anatomy of an Attack: Cryptolocker “Ransomware”
    •  Targets Windows-based computers
    •  Appears as an attachment to legitimate looking email
    •  Upon infection, encrypts files: local hard drive & mapped network drives
    •  Ransom: 72 hours to pay $300US
    •  Fail to pay and the encryption key is deleted and data is gone forever
    •  Only way to stop (after executable has started) is to block outbound connection to encryption server
  • Platform Hack
  • DNS Threats Spectrum Overview (threat category / threat / description)
    Disruption of DNS Services
      –  DNS Cache Poisoning: Illegitimate corruption of DNS cached records
      –  DoS/DDoS Attacks: DNS Flooding, Amplification, Reflection attacks; Denial of service by exploiting vulnerabilities in OS / Applications
      –  DNS Redirection: Response manipulation, Man-in-the-Middle (MITM) Attacks
      –  Geographic based Threats: High percentage of threats originating from specific geographic locations
      –  DNS Protocol Attacks: Malformed Packets, Vulnerabilities, Buffer overflows, shell code insertion
    Frauds
      –  DNS Tunneling: DNS tunneling (use of port 53 as an open communication channel); Attacker tunnels SSH traffic through DNS requests
      –  Data Leakage: Use DNS as a vector for business exploitation; Using DNS to transport encrypted payloads
    Malicious Domains
      –  IP Fluxing: Fluxing of IPs at extremely high frequencies
      –  Domain Fluxing / Domain Generation Algorithms (DGA): Domain Generation / Fluxing using dynamic algorithms that are hard to detect
      –  Domain Phishing: DNS response manipulation; Malware using DNS to re-direct legitimate traffic to infected sites
      –  Advanced Persistent Threats (APTs): Detect and drop known malicious domains or exploits; Machine generated FQDNs that are stealthy and persistent
  • Introducing Infoblox Advanced DNS Protection: The First DNS Server that Protects Itself
    Unique Detection and Mitigation
      §  Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling
      §  Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests.
    Centralized Visibility
      §  Centralized view of all attacks happening across the network through detailed reports
      §  Intelligence needed to take action
    Ongoing Protection Against Evolving Threats
      §  Regular automatic threat-rule updates based on threat analysis and research
      §  Helps mitigate attacks sooner vs. waiting for patch updates
  • Dedicated Compute
    •  Infoblox designed network accelerator card
    •  Performs deep packet inspection at wire-speed
    •  Purpose built for analyzing DNS traffic
    •  Blocks or Rate Limits threats before being processed by standard operating system
      ̶  Ingress and Egress
  • Threat detection – more than just DDOS
    –  DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DOS or DDOS attack
    –  DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
    –  DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
    –  TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
    –  DNS cache poisoning: Corruption of the DNS cache data with a rogue address
    –  Protocol anomalies: Causing the server to crash by sending malformed packets and queries
    –  Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
    –  DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
  • DNS Content Based Filtering
    –  Fast Flux: Rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
    –  APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)
    –  Hacked Domains: Hacking DNS registry(s) & re-directing users to malicious domain(s)
    –  Geo-Blocking: Blocking access to geographies that have rates of malicious domains or Economic Sanctions by US Government
    –  FireEye: Block threats detected by your FireEye
  • Monitoring and Alerting
    •  Alert on threats
      ̶  Send over syslog to any SIEM
    •  Report and trend on threats
    •  Report and trend on ALL DNS traffic
    •  Capture and log all DNS queries, AND responses (optional)
    •  Analyze and report on top patterns:
      ̶  Most frequently requested FQDN
      ̶  Top talkers
      ̶  Frequent queries ending in errors (NXDOMAIN, time out, SERVFAIL, etc)
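A small log-triage script, added here as an example (not Infoblox or Splunk code), that produces the reports this slide lists and two of the indicators from the threat-detection slide: the most frequently requested FQDNs, the top talkers, clients whose queries mostly end in NXDOMAIN or SERVFAIL (the footprint of a host working through a domain generation algorithm), and client/zone pairs emitting many distinct, long or high-entropy labels (the footprint of DNS tunneling). The one-line-per-query log format and every sample line are constructed for the example; query logs exported over syslog would need their own parser in `parse_log`.

```python
"""DNS query-log triage: top FQDNs, top talkers, error-heavy clients and
tunneling-style names. Added example, not Infoblox or Splunk code."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample (not real traffic). The client=/qname=/qtype=/rcode=
# field layout is an assumption of this example, not a vendor log format.
SAMPLE_LOG = """\
2014-03-04T09:00:01 client=10.0.0.5 qname=www.example.com qtype=A rcode=NOERROR
2014-03-04T09:00:02 client=10.0.0.5 qname=mail.example.com qtype=MX rcode=NOERROR
2014-03-04T09:00:03 client=10.0.0.6 qname=www.example.com qtype=A rcode=NOERROR
2014-03-04T09:00:04 client=10.0.0.6 qname=www.example.com qtype=AAAA rcode=NOERROR
2014-03-04T09:00:05 client=10.0.0.7 qname=kq3x9vbd.biz qtype=A rcode=NXDOMAIN
2014-03-04T09:00:06 client=10.0.0.7 qname=p0zt7wme.biz qtype=A rcode=NXDOMAIN
2014-03-04T09:00:07 client=10.0.0.7 qname=x8fj2qlr.biz qtype=A rcode=NXDOMAIN
2014-03-04T09:00:08 client=10.0.0.7 qname=www.example.com qtype=A rcode=NOERROR
2014-03-04T09:00:09 client=10.0.0.9 qname=5f3a9c1e2b7d4a6f8091c2d3e4f5a6b7.t.example.net qtype=TXT rcode=NOERROR
2014-03-04T09:00:10 client=10.0.0.9 qname=8e2d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.example.net qtype=TXT rcode=NOERROR
2014-03-04T09:00:11 client=10.0.0.9 qname=0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.example.net qtype=TXT rcode=NOERROR
2014-03-04T09:00:12 client=10.0.0.9 qname=c4d5e6f708192a3b4c5d6e7f80912a3b.t.example.net qtype=TXT rcode=NOERROR
"""

LINE_RE = re.compile(r"client=(\S+) qname=(\S+) qtype=(\S+) rcode=(\S+)")


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            client, qname, qtype, rcode = m.groups()
            records.append({"client": client, "qname": qname.lower().rstrip("."),
                            "qtype": qtype.upper(), "rcode": rcode.upper()})
    return records


def top_fqdns(records, n=5):
    """Most frequently requested names (the slide's first report)."""
    return Counter(r["qname"] for r in records).most_common(n)


def top_talkers(records, n=5):
    """Clients sending the most queries (the slide's second report)."""
    return Counter(r["client"] for r in records).most_common(n)


def error_heavy_clients(records, min_queries=3, min_ratio=0.5,
                        error_rcodes=("NXDOMAIN", "SERVFAIL")):
    """Clients whose queries mostly end in errors. A DGA-infected host burns
    through many non-existent names, so a high NXDOMAIN share per client is
    a cheap first-pass indicator (the slide's third report, per client)."""
    total, errors = Counter(), Counter()
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] in error_rcodes:
            errors[r["client"]] += 1
    return {c: errors[c] / total[c] for c in total
            if total[c] >= min_queries and errors[c] / total[c] >= min_ratio}


def shannon_entropy(label):
    """Bits of entropy per character; hex or base32 payloads score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def tunneling_candidates(records, min_names=3, min_label_len=20, min_entropy=3.5):
    """(client, zone, distinct-name count) for clients sending many distinct,
    long or high-entropy leftmost labels under one zone: the shape of data
    carried inside query names."""
    labels_seen = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) < 3:
            continue                      # nothing below the registered zone
        zone = ".".join(labels[-2:])
        labels_seen[(r["client"], zone)].add(labels[0])
    flagged = []
    for (client, zone), labels in labels_seen.items():
        if len(labels) < min_names:
            continue
        mean_len = sum(len(lab) for lab in labels) / len(labels)
        mean_ent = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if mean_len >= min_label_len or mean_ent >= min_entropy:
            flagged.append((client, zone, len(labels)))
    return flagged


def triage(text):
    """Run every report over a log text and return them in one dict."""
    records = parse_log(text)
    return {"top_fqdns": top_fqdns(records, 3), "top_talkers": top_talkers(records, 3),
            "error_heavy": error_heavy_clients(records),
            "tunneling": tunneling_candidates(records)}


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The thresholds (three distinct names, 20-character labels, 3.5 bits of entropy, 50% error share) are starting points for the constructed sample; on a real network the legitimate outliers (CDN hostnames, anti-spam lookups, DNSBL clients) set where they belong.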
  • Custom Rules / Threat Update Service
    Custom Rules
      •  Block or Rate Limit by:
        ̶  Source IP
        ̶  FQDN
        ̶  UDP or TCP
      •  Whitelists
    Threat Update Service
      •  Threats are analyzed by a security team at Infoblox
      •  Appliances check for new signatures every hour
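A policy engine in the shape of the Custom Rules slide, added as an example and not Infoblox code: rules that block or rate limit by source range, FQDN pattern or transport, a per-client token bucket behind each rate-limit rule, and a whitelist that exempts a source from every rule. The whitelist semantics, the rule syntax, and the names and ranges in `demo_policy` are assumptions of the example (198.51.100.0/24 and 192.0.2.0/24 are documentation ranges and `c2.invalid` is a reserved example name).

```python
"""Block / rate-limit / whitelist policy for DNS queries, in the shape of
the Custom Rules slide. Added example, not Infoblox code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW, BLOCK, RATE_LIMIT = "allow", "block", "rate_limit"


def _name_matches(pattern: str, qname: str) -> bool:
    """Exact match, or "*.zone" matching the zone and everything below it."""
    qname, pattern = qname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        zone = pattern[2:]
        return qname == zone or qname.endswith("." + zone)
    return qname == pattern


@dataclass
class Rule:
    action: str                       # BLOCK or RATE_LIMIT
    source: Optional[str] = None      # CIDR the client must fall inside
    fqdn: Optional[str] = None        # exact name or "*.zone"
    transport: Optional[str] = None   # "udp" or "tcp"
    qps: float = 0.0                  # RATE_LIMIT only: sustained rate per client
    burst: int = 0                    # RATE_LIMIT only: bucket depth

    def matches(self, client: str, qname: str, transport: str) -> bool:
        if self.source and ipaddress.ip_address(client) not in ipaddress.ip_network(self.source):
            return False
        if self.fqdn and not _name_matches(self.fqdn, qname):
            return False
        if self.transport and self.transport != transport.lower():
            return False
        return True


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, refilled up to `burst`."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def take(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class DnsPolicy:
    def __init__(self, rules: List[Rule], whitelist: List[str]):
        self.rules = rules
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.buckets: Dict[Tuple[int, str], TokenBucket] = {}

    def decide(self, client: str, qname: str, transport: str, now: float) -> str:
        """ALLOW, BLOCK or RATE_LIMIT for one query; first matching rule wins."""
        addr = ipaddress.ip_address(client)
        if any(addr in net for net in self.whitelist):
            return ALLOW                       # whitelisted sources skip every rule
        for i, rule in enumerate(self.rules):
            if not rule.matches(client, qname, transport):
                continue
            if rule.action == BLOCK:
                return BLOCK
            # one bucket per (rule, client) so a noisy client cannot starve the rest
            bucket = self.buckets.setdefault((i, client), TokenBucket(rule.qps, rule.burst))
            return ALLOW if bucket.take(now) else RATE_LIMIT
        return ALLOW


def demo_policy() -> DnsPolicy:
    """Constructed rule set; the zone, the ranges and the limits are example values."""
    return DnsPolicy(
        rules=[
            Rule(BLOCK, fqdn="*.c2.invalid"),                     # known-bad zone
            Rule(BLOCK, source="198.51.100.0/24"),                # abusive source range
            Rule(RATE_LIMIT, transport="udp", qps=2.0, burst=2),  # per-client UDP cap
        ],
        whitelist=["10.0.0.0/8"],                                 # internal resolvers
    )


if __name__ == "__main__":
    policy = demo_policy()
    for t in (0.0, 0.0, 0.0, 0.25, 1.0):
        print(t, policy.decide("192.0.2.7", "www.example.com", "udp", t))
```

A query from 192.0.2.7 over UDP is allowed twice at t=0 (the burst), then rate limited until the bucket has refilled at 2 tokens per second; the same client over TCP is never limited, and anything under the blocked zone or from the blocked range is dropped regardless of rate.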
  • ADP In Action
    Diagram: Infoblox Threat-rule Server → automatic updates → Grid Master → rule distribution → Infoblox Advanced DNS Protection appliances, which block or rate limit DNS threats and pass legitimate traffic; the Reporting Server tracks and reports on attack types and severity, and sends to a SIEM
  • Deployment Options
  • External Protection against Internet-borne Attacks
    Diagram: INTERNET → Advanced DNS Protection (DMZ) → INTRANET: Grid Master and Candidate (HA); Data Center, Campus office, Regional office(s), Disaster recovery site(s)
    Advanced DNS Protection, when deployed as an external authoritative DNS server, can protect against cyberattacks
  • Internal Protection against Internal Attacks, or misconfigured applications, on Recursive or Authoritative Servers
    Diagram: INTRANET: Grid Master and Candidate (HA) → Advanced DNS Protection → Endpoints
    Advanced DNS Protection can secure internal DNS environments where internal user traffic is hostile
  • Advanced Appliances Come in Three Physical Platforms
    Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation. The appliances offer both AC and DC power supply options.
  • Why QoS Matters: Settings
  • Summary
    •  DNS is a core strategic asset that is often left unprotected
    •  The bad guys are going after your DNS servers
    •  Internal DNS is as exposed to failure
    •  Infoblox can help
      ̶  Deep visibility
      ̶  Unique expertise in DNS
      ̶  Scales up to the largest networks
  • Thank You www.infoblox.com
  • WRAP/Q&A
  • The Issues
    }  Integration of Security Technologies
    }  Staffing
    }  Vulnerabilities
    }  Advanced threats
  • The Issues
    }  Integration of Security Technologies is Challenging
      –  Multiple formats of data
      –  Data timing issues
      –  Different types of security controls
      –  Other data types
  • The Issues
    }  InfoSecurity Staff
      –  Different skills requirements
        ﹘  Architects
        ﹘  Malware Handling
        ﹘  Forensics
        ﹘  Vulnerability
        ﹘  Incident Management
        ﹘  Risk and Compliance
      –  HR Costs
        ﹘  Premium technical personnel
        ﹘  Analysts, Specialists
        ﹘  Training and certification
  • The Issues
    }  Vulnerabilities
      –  Regular scheduled disclosures
      –  Large volumes of ad-hoc patches
      –  Many undisclosed zero days
      –  Remediation is a continuous process
  • The Issues
    }  Advanced Threats
      –  Advanced Persistent Threats
      –  Embedded threats
    }  Who?
      –  State sponsored
      –  Hacktivism
      –  Hackers
      –  Organized crime
  • How to Secure It
    }  State-of-the-art Security Technologies
    }  Skills on Demand
      –  Continuous Tuning of Rules and Filters
      –  Cyber Intelligence, Advanced Analytics
      –  Cyber Incident Response
      –  Code Review, Vulnerability and Assessment Testing
  • QUESTIONS?
  • THANK YOU.