Vancouver security road show master deck final

  • Key Message – Our Security Portfolio is focused on the question of how to secure core infrastructure. We deliver security by focusing on next-generation technologies & adaptive defensive techniques. Our experience in this space has shown us that threats are evolving very rapidly, and our approach emphasizes using leading next-gen technologies rather than large, monolithic architectures, allowing you to react quickly to changes as they evolve. We back that up with industry-leading expertise: we are the only authorized training centre in Canada for next-gen security technologies like Palo Alto Networks, F5 and Infoblox, leaders in their respective spaces. And we maintain technical & sales certifications with leading security companies including McAfee and Cisco.
    Key Partners & Technologies – Palo Alto, Fortinet, FireEye, McAfee, Cisco, F5, Infoblox
    Protection & Defence – The first line of defence is to stop unwanted intrusions & attacks so that they never penetrate your network. Scalar can design and deliver solutions to protect your network and applications, control your DNS & IP address properties and control user activity while ensuring speed and performance are maintained.
    Incident & Event Management – While protection is critical, it is equally important to deliver a rapid, effective & coordinated response to any intrusion or attack. That requires processes, discipline and tools, including a 24/7 Security Operations Centre with the staff & training to operate it. That is how Scalar helps customers secure hundreds of endpoints, devices and networks.
    Threat Assessment & Penetration Testing – Improving your security posture means you need to understand where your vulnerabilities are. A vulnerability assessment can not only identify vulnerabilities in a system, but can help prioritize & rank the order in which they should be fixed, and educate internal stakeholders about the potential risks that exist. And while online tools exist, interpreting the results and developing a plan can be overwhelming for IT departments that lack staff with the necessary skills. Scalar can conduct the assessments, and our analysts can work with you to develop a plan to close potential threats.
  • Growth – Recognized on the PROFIT list of the fastest-growing companies in Canada for the last four years (since we became eligible in year 5 of our business). In 2013, we were 94 on the overall list, but 15 within the IT industry, and one of the highest-revenue companies overall.
    Canadian company with nationwide presence
    Number 15 on the CDN List of Top 100 Solution Providers
    Also named #46 on Branham300 of Canada’s leading ICT companies
    We have a deep technical bench; we are not a call centre shipping product. We position ourselves as an extension of your business, and have the team in place to back this up.
    Though Scalar is in its 10th fiscal year, our founders have been doing this since 1990 when they were running Enterprise Technology Group (ETG). Since then that team has delivered over $1BN in mission-critical infrastructure.
  • Core infrastructure is our background, our experience, and the primary focus of what we do – it underpins our business.
    As infrastructure has changed with the industry to be spread across public, private, hybrid etc., our customers' needs have changed, and therefore so have our portfolio and focus. Today, we focus on building core infrastructure and then assisting our clients in securing it, ensuring it is running well (performance), and managing it (control).
    Though core infrastructure is the delivery vehicle for all applications, we do not deal at the application layer – we deal with security, performance, and control only as they relate to core infrastructure. This focus allows us to be the very best at what we do.
    We answer the questions:
    Core Infrastructure – How to build it?
    Security – How to secure it?
    Performance – How is it running?
    Control – How to manage it?
  • Feel free to remove these section cover-slides
  • Also: dedicated PMO, finance, inside sales and operations teams. Every team in our organization is the best at what they do.
    It’s difficult to prove experience on a PowerPoint slide. Take a meeting with us and we’ll show you how our technical team is world-class.
  • Unique infrastructure solutions designed to meet your needs – A great example is StudioCloud. When our media customers came to us with a problem, we developed an entirely new way for them to do business. We didn’t attempt to sell them more compute, or optimize their individual environments – we helped them form a coalition and a community cloud that allows them to pay for servers on an as-needed basis, and sub-lease to other companies in our cloud when they have excess capacity. Whether it’s a product-based solution, a professional service, or a managed service, we deliver the solution.
    Testing Centre & Proving Grounds – We train our engineers to be constantly evaluating and testing emerging vendors in our in-house testing centre. We offer fresh, cutting-edge technologies to our customers, while at the same time ensuring we have vetted, tested, and trained in those technologies. We offer leading-edge technologies that we KNOW are up to the task of enterprise environments.
    Vendor Breadth – We offer both current and future market leaders in our portfolio.
  • Execution is difficult to demonstrate on a slide, so instead we’ve decided to show you what some of our customers have said about us.
    Our tagline says it all – We Deliver. This is not “marketing speak” but the foundation of our business. Our commitment is first and foremost to our customers and we strive to become a trusted advisor and an extension of your business. This does not happen overnight, but rather through proving ourselves again and again. We are dedicated to finding the right solution for your business needs and delivering it to you efficiently and effectively.
  • You may wish to switch some of these out depending on the specific messaging of your presentation. See appendix slides for more logos that you can copy and paste in. Please try not to have more than 12-15 logos on the slide overall.
  • The most significant risk of social media and video is the enticement factor. Awwww, so cute, I must click – then bam… look what I got. This is how the ZeroAccess bot is delivered – it is one of the most commonly found bots these days.
    Real cyberattacks are considerably more sophisticated than the attacks one would have expected to see even a few years ago. Most of these attacks leverage multiple steps, in which each step builds on the previous one toward a strategic goal. Multiple techniques are coordinated to work together, and the attackers attempt to hide their traffic and infrastructure whenever possible. This example walks through the very common steps of a modern data breach.
    Step 1 – Many attacks today begin by using a compromised website to deliver an exploit and malware to an end user. This process is called a drive-by download and it often begins with something called an exploit kit. For example, Blackhole is a very well-known exploit kit. An attacker can craft a website that uses the exploit kit or simply find a vulnerable website where the attacker can add his exploit kit code. Either way, once the exploit kit code is running on the target website, the exploit kit will automatically identify vulnerable visitors to the site and exploit the end-user machine.
    Step 2 – Once the exploit has been delivered to the target, the user is compromised, and the attacker can deliver malware to the compromised user. The malware is typically not delivered from the same site hosting the exploit kit, as this would very quickly make it obvious that the site was infected. Instead the attacker will redirect traffic to a new or unknown domain to deliver the malware. The attacker can constantly cycle through these domains to keep his operation a secret.
    Step 3 – Once malware is delivered to the target, it is often the job of the first-stage malware to establish persistence and communication on the infected host. In many cases this is done via a rootkit and downloader. ZeroAccess is a very common rootkit that meets this requirement, but there are many others.
    Step 4 – Once the rootkit is installed, it needs to set up a command-and-control channel with the remote attacker. This link is one of the most important in the attack lifecycle because it provides the attacker with remote control over his attack, and a control point inside the target network. This traffic tends to be highly evasive because the attacker is in control of both ends of the connection (both the malware sending the traffic and the server it is communicating with). This gives the attacker a great deal of freedom in terms of ports, protocols, encryption and tunneling.
    Step 5 – Once the attacker is inside the network and can communicate back out, he can download a second wave of malware that is more geared to the actual goal of the attack, such as stealing information. These payloads can be customized to a particular attack and often give a more unique view into the attacker and the ultimate goal of an attack.
    Step 6 – Often it is the goal of the secondary payload to dig deeper into the network to access protected data. To do this the attacker will attempt to spread to other nodes in the network, and to escalate his privilege in the network. For example, the attacker may have initially compromised a low-level employee with limited rights on the network. The attacker may try to use that initial compromise to steal credentials for a network administrator, which in turn would provide free rein over the network.
    Step 7 – As part of digging deeper into the network, attackers will often leverage a variety of hacking tools to enumerate the internal environment, find weaknesses and steal data. Furthermore, the attackers will use a variety of techniques to quietly communicate from inside the network. This can include custom protocols that have been designed by the attackers, or traffic and covert communications that are tunneled within allowed traffic.
    Step 8 – Of course the ultimate goal of most attacks is to steal data. What this data is will of course vary depending on the target, but can include everything from credit card numbers to personally identifiable information, to trade secrets and intellectual property. This often requires using applications that are effective at transferring large volumes of data such as FTP, peer-to-peer applications or other web-based file transfer applications.
  • FTP was the most interesting application observed in the review. Most samples appeared to be targeted, were never covered by AV, were rarely seen in more than one location and were almost always evasive in terms of port usage. 97% of the FTP sessions never touched port 20 or 21. This is a stark reminder that even some of the old network standards can be a real source of threats.
  • Commonly observed network traffic behaviors in malware-generated traffic. Unknown or custom traffic was the most common identifier in malware traffic. Unknowns can be blocked proactively or investigated by IT to determine whether or not they are malware.
    Unknown or newly registered domains were also very common. Customers may not want to block all unknown domains, but it is very easy to create a rule to never accept files or executables from these unknown sites. The next 3 slides show how to do this.
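The traffic behaviours called out above (FTP sessions that never touch port 20 or 21, unknown or custom application traffic, and executables fetched from unknown or newly registered domains) worked through as a small triage script over constructed firewall log lines. This is an added example, not code from the deck or from any vendor: the log format, the domain-category table and the rule thresholds are all assumptions made for the example.

```python
"""Triage of constructed firewall log lines for three of the malware-traffic
behaviours the deck calls out.  Added example: the log format, field names,
domain-category table and rules are assumptions, not any vendor's real schema."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed log lines, one per session:
#   ts  src  dst  dport  app  domain  file_type   ("none" = no file transferred)
SAMPLE_LOGS = """\
2013-06-01T10:00:01 10.1.2.3 203.0.113.10 443 ssl crm.example.com none
2013-06-01T10:00:05 10.1.2.3 203.0.113.20 8080 ftp 203.0.113.20 none
2013-06-01T10:00:09 10.1.2.4 203.0.113.30 21 ftp files.example.org none
2013-06-01T10:00:12 10.1.2.5 203.0.113.40 443 web-browsing cdn-7f3a.example pe
2013-06-01T10:00:15 10.1.2.6 203.0.113.50 6000 unknown-tcp 203.0.113.50 none
2013-06-01T10:00:20 10.1.2.7 203.0.113.60 80 web-browsing news.example.net pe
2013-06-01T10:00:25 10.1.2.8 203.0.113.70 80 web-browsing dl-9x2q.example pe
"""

# Constructed stand-in for a URL-filtering / domain-reputation feed.
# Anything not listed here is treated as "unknown".
DOMAIN_CATEGORY: Dict[str, str] = {
    "crm.example.com": "business",
    "files.example.org": "business",
    "news.example.net": "news",
    "cdn-7f3a.example": "newly-registered",
}

FTP_PORTS = {20, 21}                              # where FTP is expected
EXECUTABLE_TYPES = {"pe", "dll", "msi", "elf"}    # file types refused from unvetted sites
RISKY_CATEGORIES = {"unknown", "newly-registered"}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def domain_category(domain: str) -> str:
    return DOMAIN_CATEGORY.get(domain, "unknown")


def triage_line(line: str) -> List[Finding]:
    """Apply the three rules to one log line; returns zero or more findings."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"malformed log line: {line!r}")
    ts, src, dst, dport, app, domain, file_type = fields
    port = int(dport)
    findings: List[Finding] = []
    # Rule 1: FTP that avoids the standard control/data ports (97% did in the study).
    if app == "ftp" and port not in FTP_PORTS:
        findings.append(Finding(ts, src, dst, "ftp-on-nonstandard-port"))
    # Rule 2: traffic the application classifier could not identify.
    if app.startswith("unknown-"):
        findings.append(Finding(ts, src, dst, "unknown-application"))
    # Rule 3: never accept executables from unknown or newly registered domains.
    if file_type in EXECUTABLE_TYPES and domain_category(domain) in RISKY_CATEGORIES:
        findings.append(Finding(ts, src, dst, "executable-from-unvetted-domain"))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every non-empty line, preserving log order."""
    return [f for line in log_text.splitlines() if line.strip() for f in triage_line(line)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, e.g. for a dashboard tile."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for f in results:
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
    print(summarize(results))
```

Only the session on port 21 and the executable from a categorised news site pass clean; the other four sessions each trip exactly one rule.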
  • Now that we have seen some information about the malware that is getting through our defenses, let’s shift gears and talk about what we can do about it. One of the most interesting aspects of the study was that a large percentage of seemingly unique malware was actually not unique after all. Our stream-based malware engine looks into the header and body of malware to find unique identifiers for blocking. These signatures were able to detect that 40% of samples (with unique hash values) were actually just repackaged versions of malware that we were seeing earlier in the day. This directly shows the value of the WildFire subscription, because 40% of the malware that is leaking into the network can be blocked proactively if signatures are delivered on time.
  • Attackers have changed – why does it matter? Because nation states and organized crime know what to do with stolen property. Previously a hacker may have been able to break into a network. But what will they really do with RSA source code?
  • Want to touch on:
    You’ve heard about ISP
    The purpose of this preso is to provide more info on the security services
    Before we do that let’s talk about some technology trends
    Mobility and elasticity of data centers (consolidation, webification, private & public clouds… data centers have changed)
    Before IP we had SNA, IPX
    Each app had its own port
    Now consolidating all these apps down to HTTPS
    Complexity resides over HTTP
    Impacting overall infrastructure
  • {NOTE TO SPEAKER: The key points to get across on this slide are around one fact, and this can be conveyed and leveraged in multiple different ways. What I like to articulate here is that if you look at the major attack types that exist here, they are application-type attacks and web attacks. In addition to that, the key thing is that every single one of these customers had a firewall, and it was most likely a next-generation firewall. The reality of the situation is, once again, that because they leveraged a piece of technology that was not designed to protect their data center, the resulting effect was that they weren't protected and they were exploited. It's important that the individual conveying the slide, if you're talking to a partner, can articulate that you do not want your customers to be one of the next large bubbles on this eye chart. Or if you happen to be a customer, the last thing that you want is for the company that you're working for or protecting to be on this eye chart.}
  • Loss of business/customer base
    Loss of intellectual property
    Regulatory fines/legal costs
    Cost of corrective action
    Cost of volumetric flood service
    Changing methods of doing business – drives new processes
    Partners’ loss of trust in working with your company
    Scrubbing service
    Reputation management
  • Leveraging its expertise in application delivery and its deep fluency with applications, F5 introduces the Application Delivery Firewall, a new solution that integrates multiple networking and security components onto a single platform. The F5 Application Delivery Firewall runs across the entire product platform line, from virtual editions to the BIG-IP hardware line to the VIPRION. The F5 Application Delivery Firewall includes an integrated native network firewall, which is ICSA Labs certified, traffic management, industry-leading application security, access control, DDoS mitigation, SSL inspection, and DNS security. It's also important to note that the F5 ADF, besides the ICSA firewall certification, is also certified for IPsec, SSL VPN, and web application firewall. On top of that the F5 Application Delivery Firewall has EAL2+ Common Criteria certification, and EAL4+ is currently in progress.
  • When you’re delivering an application, you also have to worry about security. Again you have a few options – you can try to modify the application, you can put in point solutions, or you can use your ADC as a strategic point of control to secure both your applications and your data. BIG-IP LTM has a number of features that provide security at the application level.
    Resource cloaking and content security – Prevent error codes and sensitive content from being presented to hackers
    Customized application attack filtering – Search for and apply rules to block known application-level attacks
    Packet filtering – L4-based filtering rules to protect at the network level
    Network attack prevention – Protect against DoS, SYN floods, and other network attacks while delivering uninterrupted service for legitimate connections
    Message Security Module (add-on module)
    Protocol Security Module (add-on module)
    Application Security Manager (add-on module)
  • One of the key use cases of the application security solution is to provide defense and mitigation against HTTP- and HTTPS-based DoS attacks, and we achieve this in a couple of ways. Here what we have is a screenshot of the configuration. At the base level we are able to detect a DoS condition based on certain conditions; what we're highlighting here are the configurable parameters for latency. If the latency falls outside of the bounds, then it looks like a potential denial-of-service condition. Added to that, we are able to identify potential attackers by layering some additional criteria on top; in this case what we're seeing here is the TPS metrics, and if that falls outside the specified bounds, then it looks additionally suspicious. Finally, we drop only the attackers, and we are able to distinguish them based on a couple of parameters, namely some source IP based and some URL based parameters. The idea is that we want to block the malicious attackers but at the same time allow through valid users, because denial-of-service mitigation is more than just blocking all connections, right? We want to make sure that the availability of the application is maintained.
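The layered approach just described (a latency bound that raises the DoS condition, then per-source-IP and per-URL TPS bounds that single out the attackers, then dropping only those sources while valid users keep being served) worked through in Python on constructed traffic. This is an added example, not F5's code or BIG-IP ASM's actual algorithm; the window, the thresholds and the URL-focus heuristic are assumptions made for the example.

```python
"""Layered HTTP DoS detection and mitigation on constructed traffic.
Added example: the window, thresholds and the URL-focus heuristic are
assumptions for illustration, not BIG-IP ASM's actual defaults or algorithm."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    ts: float          # seconds since the start of the observation window
    src_ip: str
    url: str
    latency_ms: float  # server-side response latency for this request


WINDOW_S = 10.0               # observation window
LATENCY_THRESHOLD_MS = 500.0  # detection: average latency above this => DoS condition
SOURCE_TPS_THRESHOLD = 10.0   # identification: a source IP above this TPS is an attacker
URL_TPS_THRESHOLD = 30.0      # identification: a URL above this TPS is being hammered
URL_FOCUS_SHARE = 0.9         # a source sending >= 90% of its requests to a hammered URL
                              # at more than half the source threshold is an attacker too


def in_window(requests: List[Request]) -> List[Request]:
    """Keep only requests from the last WINDOW_S seconds of the sample."""
    if not requests:
        return []
    end = max(r.ts for r in requests)
    return [r for r in requests if r.ts >= end - WINDOW_S]


def average_latency_ms(requests: List[Request]) -> float:
    reqs = in_window(requests)
    return sum(r.latency_ms for r in reqs) / len(reqs) if reqs else 0.0


def dos_condition(requests: List[Request]) -> bool:
    """Stage 1: latency outside its configured bound signals a possible DoS."""
    return average_latency_ms(requests) > LATENCY_THRESHOLD_MS


def source_tps(requests: List[Request]) -> Dict[str, float]:
    return {ip: n / WINDOW_S for ip, n in Counter(r.src_ip for r in in_window(requests)).items()}


def url_tps(requests: List[Request]) -> Dict[str, float]:
    return {u: n / WINDOW_S for u, n in Counter(r.url for r in in_window(requests)).items()}


def identify_attackers(requests: List[Request]) -> Set[str]:
    """Stage 2: layer source-IP and URL based TPS criteria on top of the latency alarm."""
    reqs = in_window(requests)
    by_src = source_tps(reqs)
    hot_urls = {u for u, tps in url_tps(reqs).items() if tps > URL_TPS_THRESHOLD}
    attackers = {ip for ip, tps in by_src.items() if tps > SOURCE_TPS_THRESHOLD}
    total = Counter(r.src_ip for r in reqs)
    on_hot = Counter(r.src_ip for r in reqs if r.url in hot_urls)
    for ip, n in total.items():
        focused = on_hot[ip] / n >= URL_FOCUS_SHARE
        if focused and by_src[ip] > SOURCE_TPS_THRESHOLD / 2:
            attackers.add(ip)
    return attackers


def mitigate(requests: List[Request]) -> Tuple[Set[str], Set[str]]:
    """Stage 3: drop only the attackers.  Returns (dropped sources, sources still served)."""
    all_ips = {r.src_ip for r in in_window(requests)}
    if not dos_condition(requests):
        return set(), all_ips
    attackers = identify_attackers(requests)
    return attackers, all_ips - attackers


# Constructed traffic: five light users, one busy but legitimate health-check
# client spread over many URLs, and (optionally) two sources flooding /login.
LEGIT_IPS = ["198.51.100.%d" % i for i in range(1, 6)]
MONITOR_IP = "198.51.100.50"
FLOOD_IPS = ["203.0.113.7", "203.0.113.8"]


def build_sample(under_attack: bool) -> List[Request]:
    latency = 900.0 if under_attack else 60.0   # the flood drives latency up
    reqs: List[Request] = []
    for i, ip in enumerate(LEGIT_IPS):
        for k in range(3):                       # 0.3 TPS per user
            reqs.append(Request(float(i + 3 * k), ip, f"/page{k}", latency))
    for k in range(60):                          # 6 TPS, spread across 12 URLs
        reqs.append(Request(k / 6.0, MONITOR_IP, f"/health/{k % 12}", latency))
    if under_attack:
        for ip in FLOOD_IPS:
            for k in range(200):                 # 20 TPS each, all on one URL
                reqs.append(Request(k * 0.05, ip, "/login", latency))
    return reqs


if __name__ == "__main__":
    for label, sample in (("normal", build_sample(False)), ("attack", build_sample(True))):
        dropped, served = mitigate(sample)
        print(f"{label}: avg latency {average_latency_ms(sample):.0f} ms, "
              f"dropped {sorted(dropped)}, still served {len(served)} sources")
```

The busy health-check client is the point of the second stage: it is above half the source threshold, but it is not concentrated on the hammered URL, so it is still served while the two flooders are dropped.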
  • Unable to secure dispersed web apps
    No virtual WAF option for private cloud apps
    Replication of production environment complicated and cost-prohibitive
    Need to block app requests from countries or regions due to compliance restrictions
    Limiting app access based on location is a good practice to quickly reduce the attack sources
    Scanner scans applications to identify vulnerabilities and directly configures BIG-IP ASM policies to implement a virtual patch that blocks web app attacks
    BIG-IP ASM is now importing vulnerabilities – not patches – (in v11), so it effectively becomes a vulnerability management tool along with being a WAF. Obviously, the net effect is enabling very rapid response, particularly in the instance where you're waiting for the third-party vendor to patch the vulnerability.
  • {NOTE TO SPEAKER: At this point in the presentation we should have already built the premise that we have an intelligent service platform, that we are discussing the security services portion of that platform, that a huge advantage of our security offering is our full proxy architecture, and that since we have custom-built hardware we are able to achieve speeds and feeds that are far superior to anyone else's. The other thing that we really need to convey in this slide is that our technology has been designed for data center customers, and our requirements have always been driven by service providers and very, very large customers with very, very significant demands. I don't normally name Facebook specifically, but I talk about the fact that we have customers with a billion unique users that are actually traversing our particular technology. These advantages have really enabled us to build a security technology that is far superior to our competition's. I like to convey that I've worked with customers that have load balanced firewalls, that have load balanced logs coming from firewalls, and even just recently I talked to a customer that was actually load balancing Juniper SSL VPNs. I asked him how many users they had, and they had 20,000 users. What was interesting is that our largest box can do 5x of what that box can do, and they were having to load balance I think six or seven other devices.
    So we really need to tie specific use cases into this slide, tie this back to our custom-built technology, and also ensure that they understand other elements such as the fact that DDoS requires connections per second, it requires the ability to ramp connections, it requires the ability to sustain connections, but in addition to that, beyond just malicious DDoS, a traditional increase in traffic for good purposes also requires a significant increase in connections per second. All of our customers should have the capacity to withstand that, whether it's malicious or non-malicious. So it's very critical that we're able to not just give these numbers as a bunch of blah but actually articulate and correlate and tie these back to why each of these stats will provide them significant value. One more element here, on the access side, is that as more users and more things become mobile, and as more applications are moved out to the cloud, the demand on remote access devices is significantly increasing. So we've spent a lot of time talking about our data center firewall or the ADF, and we've spent a lot of time talking about the needs and speeds and feeds in other areas, but it's also very critical that the demand on our customers around remote access has just as much of a need for these performance requirements.}
  • Here we have a view of the Application Delivery Firewall solution as it maps to the constituent software modules in the BIG-IP family. It's important to note that ADF is an umbrella solution with various software modules that can be licensed, depending upon the exact requirements and the deployment scenario for the customer. What this means is that there is extensibility and investment protection in the BIG-IP system, meaning that at its core the Application Delivery Firewall, which has the Advanced Firewall Manager as its base, is extendable, and customers can add on additional modules as they need, depending on what their network demands.
    So as I mentioned, BIG-IP AFM is the base, the foundation of the ADF solution. AFM is the integrated, native stateful full proxy firewall upon which the rest of the security modules are oriented. AFM has integrated UIs, so the configuration of security policy is oriented around applications. It has flexible and detailed logging and reporting, which enables security teams to do analysis on what is going on with their security posture in the network. It natively supports, of course, layer four up through layer seven, so native TCP, SSL and HTTP full proxies, and the SSL, of course, includes SSL visibility. It also includes network and session DDoS mitigation.
    Aside from AFM, there is BIG-IP LTM, and this is, of course, the traffic management or application delivery controller functionality that F5 excels at. This is the industry's number one, the leading application delivery controller, which really brings with it the application fluency and the per-application, app-specific health monitoring.
    Aside from that, the rest of the modules that are available are BIG-IP ASM. This is our web application firewall product, which is a no-brainer for PCI compliance needs. PCI compliance requires at a minimum a web application firewall, or the alternative to that would be very expensive annual security audits. ASM also has virtual patching for newfound vulnerabilities. It also has HTTP DDoS mitigation, and IP detection, where IP is intellectual property: this is the ability to detect bots that would basically do screen scraping. So imagine you have a website... actually, strike that, because there is going to be another slide that talks about IP protection specifically.
    So let's move to BIG-IP Access Policy Manager. This is APM, and it has not only identity access control but also includes the SSL VPN component. This is really what does the unified access management for applications.
    Additionally we have GTM and DNSSEC. GTM is the Global Traffic Manager, which is essentially an extremely scalable DNS solution, but at the same time can also offload DNS queries and even sign DNS responses.
    Beyond this, we also have IP intelligence and geolocation. These are licensable add-ons, not licensable modules, which provide context-aware security. IP intelligence, for instance, provides reputation information based on the source IP address. So the source IP address comes in and... well, again, strike this, because there is an additional slide covering this. Geolocation is the ability to tie an IP address to a specific region in the world. With both IP intelligence and geolocation what we are able to do is make more intelligent decisions. This is the context-aware intelligence that we speak about.
    Of course, supporting all of this we have iRules, which is the extensibility piece of the BIG-IP family. iRules is a scripting language which allows the BIG-IP system to take customizable actions in the data plane depending on characteristics within the traffic itself that is transiting the system.
  • Splunk now has more than 850 employees worldwide, with headquarters in San Francisco and 14 offices around the world.
    Since first shipping its software in 2006, Splunk now has over 6,000 customers in 90+ countries. These organizations are using Splunk software to improve service levels, reduce operations costs, mitigate security risks, enable compliance, enhance DevOps collaboration and create new product and service offerings. Please always refer to the latest company data found here: http://www.splunk.com/company.
  • At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
  • Data is growing and embodies new characteristics not found in traditional structured data: Volume, Velocity, Variety, Variability/Veracity.
    Machine data is one of the fastest-growing, most complex and most valuable segments of big data.
    All the web servers, applications, network devices – all of the technology infrastructure running an enterprise or organization – generate massive streams of data, in an array of unpredictable formats that are difficult to process and analyze by traditional methods or in a timely manner. Why is this “machine data” valuable? Because it contains a trace – a categorical record – of user behavior, cyber-security risks, application behavior, service levels, fraudulent activity and customer experience.
  • Our rapid ascent reflects the customer traction we have and value we deliver to customers – with over 2800 security customers and 50% year-over-year growth, we are the fastest growing SIEM vendor in the market. In 2 short years we raced up to the top quadrant in the MQ.
  • The SC Magazine award was determined by the readers of SC Magazine, who are IT security professionals. We beat out:
    HP for ArcSight Express
    IBM Software Group for QRadar SIEM
    LogRhythm for LogRhythm
    NetIQ for NetIQ Sentinel 7
    SolarWinds for SolarWinds Log & Event Manager (LEM)
  • Over 2,800 security/compliance customers worldwide, covering all sizes and verticals, all over the world. While not listed here, hundreds of SMBs and individuals also use Splunk for security/compliance.
    - Over 2,800 customers use Splunk for security and/or compliance use cases
    - Approx. 400 use the Splunk App for Enterprise Security, first introduced in 2009 with v1.0
    - Customers were using Splunk to build their own SIEM as early as 2007
    - Leader in the Gartner MQ in 2013
    - Splunk is used for adjacent use cases such as fraud, compliance and insider threats
    - Widely used across many verticals for security
    - Flexibility, scalability, speed (time-to-answer), search and analytics are why customers use Splunk for security
  • 1 solution for Splunk for Security, but 3 offerings. At the bottom is Splunk Enterprise, our core product. Every Splunk deployment includes it, as this is where the core indexing and searching resides; many customers build their own searches, reports and dashboards on top of it. On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards and searches purpose-built for a specific use case or product. They can be built by Splunk, customers or partners, and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content, do not want to build it themselves, and want to extend point solutions. One key App is the Splunk-built Enterprise Security app, with the arrow pointing at it: basically an out-of-the-box SIEM with reports, dashboards, correlation rules and workflow for security use cases (it does have a cost, though). Besides this app there are over 80 security-centric free Apps on Splunkbase; these are offering 3. The majority of Splunk security customers run Splunk Enterprise plus the free apps. Customers also leverage the API and SDKs that come with Splunk to extend the platform further.
  • A key part of IT security is protecting confidential data, which means detecting advanced threats, such as cybercriminals or malicious insiders, before they can steal it. To detect or investigate them you need both security and non-security data: advanced threats evade signature-based security products, so their fingerprints are often found only in the "non-security" data. Most traditional SIEMs focus on gathering alerts from signature-based products, which do *not* carry the fingerprints of advanced threats. The situation is worse still with no SIEM at all: point UIs and grep are used instead, and aggregating data is manual and time consuming.
  • To make sound security decisions, 4 data types are required:
    - Traditional structured and unstructured log data
    - Binary data: flow data for machine-to-machine communications, and packet captures for analysis of packet payloads, looking for malicious code in PDFs, TIFFs or PNGs, or in email, for example
    - Context data: the data locked in business systems that gives clues to employee behaviour, for example is Joe on vacation, has he not taken a vacation in the last 24 months, who is being laid off, etc.
    - Threat intelligence data that can tell us in near real time about new IPs and domains that may be malicious
    The sheer volume, velocity, variety and variability of this data make it a big data problem.
  • Use case 1. An alert from a point product UI or a traditional SIEM. The pin board image on the right indicates the "cold case/CSI" sort of investigation that Splunk can enable. (FYI: the papers on the pin board image do not tell a "real" investigation story, so do not try to read them.) From a forensics perspective, things like endpoint OS logs or packet captures can be put into Splunk at the time of the investigation to get deeper into the details. Existing SIEMs struggle with incident investigations because they cannot:
    - Retain all the original, unmodified data (because they normalize/reduce it)
    - Pivot easily among the data, because it sits in different data stores (logger/SIEM/Hadoop/etc.) with no common UI
    - Quickly return search results (because their database causes scale/speed issues)
    - Do external lookups with much flexibility
  • Use case 3. This is about taking thousands of security events that are low severity in isolation and connecting the dots in an automated, policy-driven manner, to see when a combination of seemingly low-severity events is, once correlated, actually a high-severity incident that needs immediate attention. There are hundreds of possible cross-product correlations. The one above tells the story of a data loss event detected by signature-based security products:
    - For a specific internal IP address running Windows, someone logs in using the default administrative user name "Administrator", which is not good. All users should have a unique user name (not root or Administrator) so you know exactly who is doing what in the IT environment. The OS logs record this logon.
    - Endpoint anti-malware sees known, bad malware running on that machine. Malware ("malicious software") is a red flag because it may lead to data being stolen by a hacker.
    - A network sensor (in this case the Snort intrusion detection/prevention system, acting here as the data loss prevention control) sees unencrypted credit card numbers leaving the organization from that same machine. This loss of card data is a major red flag.
    Why these 3 events are bad: happening on the same machine in a short period, they indicate that a hacker logged into the machine inappropriately, probably with stolen credentials, put malware on it (perhaps a backdoor to connect back later), then exfiltrated stolen credit card numbers. The cards may then have been used for fraud, ultimately costing the organization card re-issuance, bad publicity, unhappy customers taking their business elsewhere, customer lawsuits and fines for PCI non-compliance.
    Splunk correlates on these 3 events happening on the same machine within a short period. It has connected the dots to find the proverbial needle in the haystack. Splunk can detect and/or alert on these sorts of correlations in real time or on a scheduled basis.
    Two other sample correlations:
    - The host firewall on an internal PC reports that it is being port scanned from an internal IP address; the network firewall reports that it is being port scanned from the same internal address; important settings have been changed on that suspicious internal machine. Why: the machine behind that IP address may have been compromised by a threat that is doing internal reconnaissance.
    - A vulnerability scanner shows that an internal server has an unpatched OS; the intrusion detection system sees an external attack on that specific server that exploits the vulnerability in that OS. Why: the server is likely to be successfully compromised.
  • Use case 4. Like the prior slide, so see the notes there. In this case, however, all the events being correlated come from "non-security" data sources, because the threats are "unknown" to traditional security products: no signature exists for them. Each of these events in isolation would raise no alarm. Only when combined can you see that they are risky, because they are outliers/anomalies that could be advanced threats such as a sophisticated cybercriminal or a nation-state. There are hundreds of possible cross-product correlations. The one above tells the story of a spear-phishing attack carried out to obtain and steal confidential data; more sample correlations are on the next slide. In this scenario Splunk keeps track of all the external email domains sending mail into the company, all external web sites visited by internal employees, and all the services and executables running on internal machines. It automatically counts things like the number of emails received from each external domain and the number of times employees visit each external web domain, so the rarely seen items stand out as outliers. In the scenario above:
    - Splunk sees an email reach an internal employee from an external email domain that has never or rarely been seen before
    - That same employee then visits a web site that is never or rarely visited by internal employees
    - A service starts up on the employee's machine that is never or rarely seen in the organization
    Why these 3 events are bad: happening on the same machine in a short period, they indicate that a hacker has performed a spear-phishing attack. They sent a realistic-looking email to an internal employee that compelled the employee to click on a link or open an executable, and the web site then dropped malware on the machine.
    Splunk correlates on these 3 events happening on the same machine within a short period. It has connected the dots to find the proverbial needle in the haystack. Splunk can detect and/or alert on these sorts of correlations in real time or on a scheduled basis.
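The two correlations above, use case 3 (three signature-based events on one host) and use case 4 (three "never/rarely seen" events on one host), share one mechanism: an ordered chain of conditions that must all fire for the same host inside a short time window. The following is an added example in plain Python, not Splunk's code or SPL from the deck. The event schema (source names os/av/ids/mail/proxy and their attribute names), the hosts and timestamps, and the rarity threshold are all constructed assumptions; it runs offline on the embedded events.

```python
"""Time-window, cross-source correlation for use cases 3 and 4 above.
Added example in plain Python; the events below are constructed, not real
logs, and the field names (source, action, user, ...) are an assumed schema."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, source, attributes).
SAMPLE_EVENTS = [
    # Use case 3: three signature-based events on one Windows host
    ("2014-03-03T09:00:00", "10.1.1.50", "os",  {"action": "logon", "user": "Administrator"}),
    ("2014-03-03T09:04:00", "10.1.1.50", "av",  {"action": "malware_detected", "name": "Trojan.Generic"}),
    ("2014-03-03T09:15:00", "10.1.1.50", "ids", {"signature": "policy: unencrypted credit card number outbound"}),
    # Use case 4: three "non-security" events on another host
    ("2014-03-03T10:00:00", "10.1.1.77", "mail",  {"sender_domain": "payroll-update.example"}),
    ("2014-03-03T10:03:00", "10.1.1.77", "proxy", {"dest_domain": "cdn-static-files.example"}),
    ("2014-03-03T10:04:00", "10.1.1.77", "os",    {"action": "service_start", "service": "svchost_helper.exe"}),
    # Baseline noise: domains and services seen on several hosts are not outliers
    ("2014-03-03T08:00:00", "10.1.1.10", "mail",  {"sender_domain": "corp.example"}),
    ("2014-03-03T08:01:00", "10.1.1.11", "mail",  {"sender_domain": "corp.example"}),
    ("2014-03-03T08:02:00", "10.1.1.12", "proxy", {"dest_domain": "intranet.example"}),
    ("2014-03-03T08:03:00", "10.1.1.13", "proxy", {"dest_domain": "intranet.example"}),
    ("2014-03-03T08:04:00", "10.1.1.14", "os",    {"action": "service_start", "service": "spooler"}),
    ("2014-03-03T08:05:00", "10.1.1.15", "os",    {"action": "service_start", "service": "spooler"}),
    # A lone default-account logon with no follow-up: low severity on its own, no incident
    ("2014-03-03T11:00:00", "10.1.1.90", "os",  {"action": "logon", "user": "Administrator"}),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def baseline(events, source, attr):
    """How often each value of `attr` occurs in events from `source`; low counts
    are the "never/rarely seen" outliers of use case 4."""
    return Counter(a[attr] for _, _, src, a in events if src == source and attr in a)

def correlate(events, rule_chain, window_minutes=30):
    """rule_chain is an ordered list of (label, predicate). An incident is raised
    when every predicate matches an event on the same host, in order, with all
    events inside `window_minutes` of the first one."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for ev in sorted(events, key=lambda e: e[0]):   # ISO timestamps sort lexically
        by_host.setdefault(ev[1], []).append(ev)
    incidents = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            if not rule_chain[0][1](first):
                continue
            t0 = parse_ts(first[0])
            chain, cursor = [(rule_chain[0][0], first)], i + 1
            for label, pred in rule_chain[1:]:
                hit = next((j for j in range(cursor, len(evs))
                            if parse_ts(evs[j][0]) - t0 <= window and pred(evs[j])), None)
                if hit is None:
                    break                       # chain broken: no incident from this start event
                chain.append((label, evs[hit]))
                cursor = hit + 1
            if len(chain) == len(rule_chain):
                incidents.append({"host": host, "start": first[0], "end": chain[-1][1][0], "chain": chain})
    return incidents

def signature_chain():
    """Use case 3: shared default-account logon, then known malware, then card data leaving."""
    return [
        ("logon with shared default account",
         lambda e: e[2] == "os" and e[3].get("action") == "logon" and e[3].get("user") in ("Administrator", "root")),
        ("known malware detected", lambda e: e[2] == "av" and e[3].get("action") == "malware_detected"),
        ("card numbers leaving host", lambda e: e[2] == "ids" and "credit card" in e[3].get("signature", "")),
    ]

def outlier_chain(events, rare=1):
    """Use case 4: each step only matches values seen at most `rare` times in the whole data set."""
    senders = baseline(events, "mail", "sender_domain")
    sites = baseline(events, "proxy", "dest_domain")
    services = baseline(events, "os", "service")
    return [
        ("mail from rarely seen domain", lambda e: e[2] == "mail" and senders[e[3]["sender_domain"]] <= rare),
        ("visit to rarely seen web site", lambda e: e[2] == "proxy" and sites[e[3]["dest_domain"]] <= rare),
        ("rarely seen service started",
         lambda e: e[2] == "os" and e[3].get("action") == "service_start" and services[e[3]["service"]] <= rare),
    ]

if __name__ == "__main__":
    for name, chain in (("signature", signature_chain()), ("outlier", outlier_chain(SAMPLE_EVENTS))):
        for inc in correlate(SAMPLE_EVENTS, chain):
            print(name, inc["host"], inc["start"], "->", inc["end"], [lbl for lbl, _ in inc["chain"]])
```

Run as a script it reports exactly two incidents, one per use case; the lone Administrator logon on 10.1.1.90 and the common domains and services never reach incident status. Shrinking the window to 10 minutes makes the use case 3 chain fall apart because the exfiltration event is 15 minutes after the logon, which is the knob a real rule tunes against its false-positive budget.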
  • Interac, a leader in debit and electronic payment services out of Canada. On Splunk.com we have an ROI story for them, and they have presented at Splunk events several times. Before Splunk, they used point UIs and grep to do security investigations and run daily security reports, which was time consuming and inefficient. Many different personnel were involved in security-related data collection, analysis and correlation. It was a very involved, manual process of reviewing a variety of log formats from a mixture of devices and interfaces. No single tool or interface existed for incident and root cause analysis, which led to more time spent researching issues and building reports for senior management. A security investigation could take days for a low-severity event and weeks if any events were deemed medium to high severity. They looked at traditional SIEMs and found them too bloated, requiring extensive resources and development time, and too expensive. They now have over 15 data sources going into Splunk and have created 3 custom Apps with over 80 reports driven through 8 menus and 26 individual dashboards, making it very easy for IT Security and others to use Splunk for security use cases. They also do real-time alerting on things like user privileges being escalated, possible data loss and anomalous database activity. The end result is the ROI listed here. Not listed here, but IT also uses Splunk for root cause analysis on key business applications and underlying storage systems, and developers can access the log data to help with troubleshooting. See the ROI study at http://www.splunk.com/web_assets/pdfs/secure/Splunk_at_Interac.pdf
  • Cisco, the global networking company. Their internal security team uses us: 7 clusters around the globe, 900 GB a day, 350 TB of stored data. (Note: while Cisco has presented this information at numerous public events and blogged about it, please limit it to the customer you are presenting to; do not make it public.)
    In Cisco's own words:
    - Some logging and SIEM solutions we have used or evaluated required considerable effort to process custom formats (custom parsers, etc.)
    - In our experience with SIEM 1 we found it to be rigid, inflexible, and difficult to customize
    - Modifying how
    - We like the ability to throw data of virtually any format/structure at our logging system
    - No API/CLI
    - Fat Java-based clients
    - Only direct database access or worse, no alternative access
    - Making scripting and automation more challenging
    - In the past, it wasn't uncommon for regular reports and ad-hoc queries run against the SIEMs to take hours to complete
    - CSIRT undertook a reevaluation of the logging/SIEM project in mid-2010, running a number of trials and proof of concepts, wrapping up in early 2011
    - In CY12Q1 we retired the SIEM that had been in use since CY03 (NetIQ)
    - Extensive migration project to replicate all existing playbook reports from the SIEM in Splunk logging has been successful
    - Moved over 400 regularly scheduled reports from our SIEM into the new logging solution
    - Global logging solution deployed by end of CY11
    Also see: http://blogs.cisco.com/security/security-logging-in-an-enterprise-part-2-of-2/
    - Based on sheer cost of deployment, we estimate that the investment for a global logging solution was roughly 25% of what deploying a full SIEM would have cost us
    - Began mid-2010, completed early 2011
    - Evaluated, trialed, ran PoCs: Splunk and three other loggers; SIEM 1 and six other SIEMs
    - Strategy moving forward: retire current SIEM; undertake global logging; estimated 25% of SIEM cost
    - Over 90% of the team is using the tool (whereas before we primarily had analysts running reports)
    - It is a great fit for the brand new analyst all the way up to the most seasoned investigators
    - Much higher percentage than SIEM 1 (which required logging in via a fat client or using direct DB access)
    - With our revamped event collection deployment we are: indexing over 35x the volume of data we were previously; querying on average 20x faster
    - Long queries: with SIEM 1, 2% over 1 hour; with Splunk, <0.5% over 1 hour
  • Barclays, the large financial services firm out of Europe. They use us for incident investigations, security dashboards (top malware sites employees visit, potentially infected endpoints) and IT ops use cases as well. They needed a security logging and monitoring solution that could scale and was flexible for historical searches. (Note: while Barclays has presented this information at numerous public events and discussed it in the media, please limit it to the customer you are presenting to; do not make it public.) Also see:
    http://www.computing.co.uk/ctg/news/2262548/without-splunk-we-might-be-taken-out-of-the-market-says-barclays
    http://www.computerweekly.com/news/2240183238/Barclays-indexes-machine-data-to-meet-complex-regulation
    http://www.computerworlduk.com/in-depth/applications/3442941/barclays-tackles-complex-regulatory-environment-with-splunk/
  • Infoblox is not a start-up. The company was started more than a dozen years ago; our technology is mature and field proven. The company HQ is in the heart of Silicon Valley, with global operations in all major geographies. We do business in 3 regions (Americas, EMEA, APJ), have sales, support and development operations in 25 countries, and do business in over 70 countries around the world. Infoblox makes essential technology to control networks; we'll dig into that a bit later in the
    We are a market leader in the space we serve, with Strong Positive ratings from Gartner (3 years in a row) and 40% market share (note: the Gartner MarketScope and market share stat are specific to DDI). Infoblox has a massive customer base: our latest count is 6,900 different companies, and we have shipped 64,000 systems. We are innovative, with a formal patent program for our employees; as of right now we own 32 patents with 25 more pending. Last but not least, the company did a successful IPO in April 2012. We now share our financial results publicly, which can be seen on the right.
  • Infoblox can help organizations deal with the risks and expenses associated with key trends in the world of networks. Let's take a look at how:
    Click: The modern network is made up of the infrastructure layer, which is all the devices you are very familiar with (switches, routers, firewalls, load balancers, web proxies, etc.).
    Click: These devices exist to support this layer: your apps and endpoints, ranging from VoIP phones, tablets and smart phones to all the VMs and private clouds, all serving the applications that drive the business.
    Click: Infoblox plays in the middle, in the control plane. We put our technology on a high-performance, highly available and secure platform (we call this the Grid). The Grid has a very powerful, distributed network database that keeps all the information in one place.
    So what does Infoblox do?
    Click: We deliver discovery, real-time configuration and change management, and compliance for this layer.
    Click: And we deliver essential network control functions, DNS, DHCP and IPAM (known as DDI), for this layer.
    Click: Since new threat vectors target the network, especially the DNS architecture, we offer security solutions for risk mitigation.
    And since we touch all these devices and capture real-time data in a single place...
    Click: we can do some amazing real-time and historical reporting as well as advanced control.
  • Networks are constantly being exploited through DNS for a variety of criminal purposes. DNS is the cornerstone of the internet, and attackers know it is a high-value target: without functioning DNS an enterprise cannot do business online. DNS normally runs over UDP, which is connectionless; a server has no way to verify the source address of a query, so attackers can spoof it and are hard to trace. The protocol is easy to abuse: it is easy to craft queries that crash a DNS server, or that elicit a response many times larger than the query and congest bandwidth. Because queries can be spoofed, attackers can direct huge amounts of traffic at a victim with the help of unsuspecting accomplices (open resolvers on the internet). All these reasons make DNS an ideal attack target.
  • We are a critical component of the customer's infrastructure and a target for many of these attacks. The big issue is that DNS is used as an open, global communication channel that is neither well secured nor well protected; malware, for example, uses DNS to resolve the names of its command-and-control hosts. Customers can use our purpose-built hardware and best practices to keep the infrastructure safe:
    - Purpose-built secure hardware
    - Common Criteria certified
    - Rate limiting
    - Best practices
  • Hacking of DNS infrastructure is becoming more prevalent every day. For bad actors with extensive skills it is a quick path to inflicting damage and getting hold of large amounts of traffic and users quickly. In the last 15 months alone there have been DNS hijacks affecting LinkedIn, Google Malaysia and MIT. Traffic to such sites, in the thousands of visitors per hour, provides hackers with a rich source of unwilling participants.
  • Security: purpose-built appliances. Infoblox has designed, built and delivered hardened appliances from which secured DNS, DHCP and IP address management applications are delivered. For the appliances Infoblox has delivered:
    - Minimal attack surface (task-specific hardware): no extra or unused ports that could be used to access the OS or power external devices (e.g. a USB port for a Wi-Fi access point)
    - Active/active HA and DR recovery: simple VRRP-based HA setup with fail-over and fail-back to ensure availability; active/active DR recovery to ensure operations during a disaster
    - Tested and certified to the highest industry standards: Common Criteria EAL2 certification (hardware, software and manufacturing processes verified); FIPS 140-2 certification
    - Secure inter-appliance communication: 128-bit AES Grid VPN, so all cross-appliance traffic is encrypted in transit
    - Centralized management with role-based control: central view of all appliances/processes and management; role-based admin controls to segment access, control and management of applications or networks
    - Secured access, communication and API: 6 authentication methods; two-factor authentication (CAC/PKI); HTTPS web access; SSL-based REST/Perl API; GSS-TSIG and TSIG (signed dynamic updates and zone transfers)
    - Detailed audit logging for tracking changes and enabling undo of incorrect changes
    - Fast/easy upgrades to reduce downtime and the risk of upgrades
    ** NOT ON SLIDE **
    - Restrictive/hardened Linux OS: non-essential processes not enabled
    - Root access disabled: no root shell through which the underlying OS could be taken over
  • DNSSEC in 1 click: no scripts, automatic re-signing, central configuration of all DNSSEC parameters, and automatic maintenance of signed zones.
  • Arbor survey: This year Arbor collected 220 responses to the Infrastructure Security Survey, November 2012 to October 2013
  • The Advanced Appliance can sit on the Grid. Now let's see Advanced DNS Protection in action. Regular Grid appliances, like the Grid Master and the reporting server, sit on the Grid. Let's assume we have two Advanced Appliances, one an external authoritative server and the other an internal recursive server.
    1. DNS attacks arrive interspersed with legitimate DNS traffic at the external authoritative server.
    2. Advanced DNS Protection pre-processes the requests to filter out the attacks.
    3. It responds to the legitimate DNS requests.
    4. The attack types and patterns are sent to the Infoblox Reporting server.
    5. When Infoblox detects new threats, it creates rules and updates the Advanced Appliance; the rule updates are propagated to the other Advanced Appliances on the Grid.
  • Here is a high-level categorization of the attacks that Advanced DNS Protection protects against. These are only categories; several rules are created for each attack type. Some of the attacks we have seen growing in number in the last year or so are the DrDoS attacks, which combine reflection off multiple open recursive servers on the internet with amplification to flood the victim's server. Reflection, amplification and floods all send huge amounts of traffic at the target, overwhelming it and resulting in a denial of service (DoS).
    Detailed explanation of the attacks (if more info is needed):
    - DNS reflection / DrDoS: reflection attacks use a third-party DNS server on the internet, usually an open resolver, to relay a DDoS attack onto the victim's server. An open recursive server answers queries from any IP address. The attacker spoofs the source address of the queries he sends to it, putting the victim's IP address in the packets, so the recursive server sends all its responses to the victim. Distributed Reflection Denial of Service (DrDoS) uses many such "host" machines or open resolvers, often thousands of them, against one target. Amplification (next item) can be combined with this to increase the impact. A high volume of "reflected" traffic overwhelms the victim server and brings down the victim's site, creating a denial of service.
    - DNS amplification: small, specially crafted queries (an ANY query against a large or DNSSEC-signed zone, for example) trigger responses that can be up to 70 times the size of the request. Because DNS relies on the User Datagram Protocol (UDP), the sender's address is never verified, so the attacker can use a small volume of outbound traffic to make the DNS server generate a much larger volume, either reflected onto a spoofed victim or simply congesting the DNS server's own outbound bandwidth. Either way the result is a denial of service.
    - DNS-based exploits: attacks that exploit vulnerabilities in the DNS software itself, causing it to terminate abnormally so the server stops responding or crashes.
    - TCP/UDP/ICMP floods: volumetric attacks with massive numbers of packets that consume a network's bandwidth and resources. TCP SYN floods consist of large volumes of half-open TCP connections, abusing the way TCP establishes connections: the attacking software generates spoofed packets that look to the server like valid new connections, which enter the queue but are never completed, leaving them there until they time out. The system under attack stops accepting new connections until the attack stops, so legitimate clients cannot connect. UDP floods send large numbers of UDP packets to random ports on a remote server, which checks for an application listening on each port, finds none, and is forced to return large numbers of ICMP Destination Unreachable packets; the attacker can also spoof the source address so the replies go elsewhere. Generating the replies exhausts the victim server's resources and makes it unreachable. ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached; examples include ping floods, ping of death and smurf attacks, which overwhelm the victim server or crash it through buffer overflows.
    - DNS cache poisoning: corruption of the data in a resolver's cache. The attacker answers an outstanding query with a forged response carrying a false address record for a domain; if it arrives before the legitimate answer and matches the query's transaction ID, the resolver accepts it, and for as long as the false entry is cached, subsequent requests for that domain are answered with the address of a server controlled by the attacker, so incoming web requests and email go to the attacker. Newer "birthday paradox" attacks use brute force, flooding the resolver with queries and forged responses at the same time and hoping that one response matches one outstanding query. Cache poisoning prevents access or redirects clients to a rogue address, keeping legitimate users from reaching the company's site. Inducing a name server to cache bogus resource records can redirect web browsers to bogus replicas of web sites, where logins, passwords and credit card numbers are captured, and email to hostile mail servers, where mail can be recorded or modified.
    - Protocol anomalies: malformed DNS packets, including unexpected header and payload values, sent to the targeted server to trigger bugs in its protocol parsing and processing. The victim server stops responding, goes into an infinite loop or crashes.
    - Reconnaissance: attempts to gather information on the network environment before launching a large DDoS or other attack, including port scanning and probing for software versions and authors. These attempts show abnormal behaviour patterns that, if identified, give early warning. No direct effect on the server, but they indicate an impending attack.
    - DNS tunneling: tunneling another protocol through DNS (port 53) for data exfiltration or command and control. Port 53 is almost always permitted outbound, and a firewall that does not check that the payload is genuine DNS will pass the tunneled traffic. A free, ISC-licensed tunneling application for forwarding IPv4 traffic through DNS servers is widely used in this kind of attack.
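The reflection and amplification items above turn on two numbers, the amplification factor of a query and the per-destination response rate a server is willing to sustain, which is what the "rate limiting" on the earlier slide controls. The following is an added example in plain Python, not Infoblox code: it replays a constructed one-second burst of ANY queries whose source address is spoofed to a victim, with and without a simplified response rate limiter. The response sizes, query size, addresses and RRL parameters are assumptions for illustration; real RRL implementations key on a client prefix (for example a /24) and on the response rather than on the raw query name.

```python
"""Reflection/amplification arithmetic and response rate limiting (RRL) over a
constructed one-second burst. Added example, not Infoblox code: the response
sizes, the query size and the RRL parameters are assumptions for illustration."""
from collections import Counter, defaultdict

# Constructed answer table of our authoritative server: bytes on the wire per (qname, qtype).
RESPONSE_BYTES = {
    ("example.com", "A"): 60,
    ("example.com", "TXT"): 900,
    ("example.com", "ANY"): 3200,   # DNSSEC-signed zone: every RRset plus signatures (assumed)
}
QUERY_BYTES = 64       # a small UDP query with an EDNS0 OPT record (assumed)
TC_REPLY_BYTES = 64    # a minimal truncated (TC=1) reply (assumed)

def amplification(qname, qtype, query_bytes=QUERY_BYTES):
    """Bytes the server sends per byte the attacker sends for this query."""
    return RESPONSE_BYTES[(qname, qtype)] / query_bytes

class ResponseRateLimiter:
    """Simplified RRL: at most `limit` identical responses per second to one
    source address. Beyond that, every `slip`-th excess response is sent as a
    truncated reply so a real client retries over TCP (which a spoofed source
    cannot complete), and the remaining excess responses are dropped."""
    def __init__(self, limit=5, slip=2):
        self.limit, self.slip = limit, slip
        self.counts = Counter()

    def decide(self, second, src_ip, qname, qtype):
        key = (second, src_ip, qname, qtype)
        self.counts[key] += 1
        excess = self.counts[key] - self.limit
        if excess <= 0:
            return "answer"
        if self.slip and excess % self.slip == 0:
            return "truncate"
        return "drop"

def replay(queries, limiter=None):
    """queries: (time_seconds, src_ip, qname, qtype). Returns bytes delivered to
    each source address (the reflected load) and a tally of decisions."""
    delivered, tally = defaultdict(int), Counter()
    for t, src, qname, qtype in queries:
        action = limiter.decide(int(t), src, qname, qtype) if limiter else "answer"
        tally[action] += 1
        if action == "answer":
            delivered[src] += RESPONSE_BYTES[(qname, qtype)]
        elif action == "truncate":
            delivered[src] += TC_REPLY_BYTES
    return dict(delivered), tally

VICTIM = "203.0.113.9"       # spoofed source address (documentation range, constructed)
RESOLVER = "198.51.100.2"    # a legitimate recursive resolver (constructed)

def constructed_burst():
    """One second of traffic: 500 ANY queries spoofed from the victim plus three
    ordinary A queries from a real resolver."""
    qs = [(i / 500, VICTIM, "example.com", "ANY") for i in range(500)]
    qs += [(0.1, RESOLVER, "example.com", "A"), (0.5, RESOLVER, "example.com", "A"),
           (0.9, RESOLVER, "example.com", "A")]
    return qs

def attacker_cost(queries, query_bytes=QUERY_BYTES):
    """Bytes the attacker had to send to produce the spoofed queries."""
    return sum(query_bytes for _, src, _, _ in queries if src == VICTIM)

if __name__ == "__main__":
    burst = constructed_burst()
    print("amplification for ANY: %.0fx" % amplification("example.com", "ANY"))
    for label, lim in (("no RRL", None), ("RRL", ResponseRateLimiter())):
        delivered, tally = replay(burst, lim)
        print(label, "victim gets", delivered[VICTIM], "bytes for", attacker_cost(burst),
              "bytes sent; resolver gets", delivered[RESOLVER], dict(tally))
```

Without RRL the 32,000 bytes of spoofed queries become 1,600,000 bytes aimed at the victim, the 50x leverage the amplification factor predicts. With the limiter the victim receives 5 full answers plus small truncated replies, roughly what the attacker spent, while the legitimate resolver's three queries are all answered in full; a real client that did get a truncated reply would simply retry over TCP, which a spoofed source cannot do.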
  • Enterprises can deploy Advanced DNS Protection either as an external authoritative server or as a recursive/caching server inside their network. This diagram shows a typical deployment for the external case and for the internal case. The first scenario protects the network from internet-borne attacks that target the authoritative DNS. The second scenario is more common in the education vertical, where traffic on the university network can be as hostile as internet traffic, so university IT departments use Advanced DNS Protection on their internal DNS servers to protect the internal network from attacks launched from within it.
  • Before we talk about disrupting malware, which may be random or targeted, we need to understand the problem first: malware is used to drive security breaches around sensitive information or to steal money. On the screen right now are just some of the breaches from CQ1 2013 into CQ1 2014 that used malware extensively. Let me go through a couple of examples. In the 1st quarter, the NY Times was hacked and information was exfiltrated over a period of 4 months. An outside company was brought in at great expense to clean up the NY Times infrastructure; it found 45 different malware instances, only 1 of which was caught by anti-virus. Another 1st-quarter example is Facebook, which was infected via Java-based malware that several employees accidentally downloaded outside the Facebook network and brought back in. Facebook found it because a DNS administrator noticed a sudden burst of DNS requests for domains in Russia. In the 2nd quarter it was announced that malware had been used to steal credit card numbers and other information from the likes of Visa, JCPenney, NASDAQ and Carrefour, totalling $300 million. In the 3rd quarter Adobe was hacked using malware, and an outside security researcher discovered the breach when he found source code for 4 of Adobe's products on a known hacker website. Finally, retail was a big target in late CQ4 2013 and early CQ1 2014. Neiman Marcus, Target and several others were breached and credit card information for tens of millions of customers was stolen. Target, Neiman Marcus and URM Stores (Washington State) found that their Windows-based point-of-sale computers had been breached and customer card data stolen, and each had to announce it publicly. The impact on their business was threefold: (1) customers shopped elsewhere because they lost faith in the retailers; (2) they had to hire a 3rd-party vendor to do forensics on their environment to find out what happened; (3) IT lost productivity because all servers and POS systems had to be checked, updated and cleaned.
  • Here is one more example of malware that DNS Firewall is effective against. CryptoLocker is a new name for a piece of ransomware that has been updated and is back in distribution. CryptoLocker is a Windows trojan spread via "pay per infection" schemes, that is, crooks pay other crooks to infect you. Currently it spreads in at least two ways: by email, where the attached malware is disguised as a PDF or a voice-mail audio file, and via trojans already present on the machine that are commanded to download CryptoLocker. Once on a Windows machine it contacts a server on the internet to obtain a 2048-bit RSA public key and then encrypts the files on the local hard drive and on shared drives (each file with a symmetric key that is itself encrypted to the RSA key, so the data cannot be recovered without the attacker's private key). As you can see on the screen, a pop-up window informs you that your files are encrypted and that you have 72 or 100 hours to pay 300 dollars or euros to get access to your data. Because encryption does not start until the malware has reached its key server, blocking access to those servers stops the damage. Infoblox DNS Firewall disrupts CryptoLocker by blocking the DNS queries for the key servers' domains.
  • Infoblox DNS Firewall: how does it work?
    1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
    2. The malware makes a DNS query for a "bad" domain to find "home". The DNS Firewall has the "bad" domain in its table and blocks the connection.
    3. The DNS server is continually updated by a reputation data feed service to reflect the rapidly changing list of malicious domains.
    4. Infoblox Reporting provides the list of blocked attempts along with the client's IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history (on/off network).
    5. Reputation data comes from:
       - Infoblox DNS Firewall Subscription Service: blocking data on domains and IP addresses from 35+ sources throughout the world; geo-blocking is also part of the service
       - Infoblox DNS Firewall FireEye Adapter: APT malware domains and IP addresses to be blocked are communicated to DNS Firewall from FireEye NX Series appliances
  • What protection does DNS Firewall provide?
    - DGA (domain generation algorithm): malware that generates pseudo-random domain names to reach malicious networks or botnets, typically an initial infection seeking to connect and download more software.
    - Fast flux: rapid changing of the domains and IP addresses behind malicious sites to obfuscate identity and location.
    - APT/malware: targeted malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack. Integration with FireEye enables DNS Firewall to protect against APTs.
    - DNS hijacking: taking over DNS records at the registrar or registry and redirecting users to malicious domains. An example is the Syrian Electronic Army's hijack of records through an Australian registrar, directing NY Times and Twitter users to its malicious domains.
    - Geo-blocking: blocking access to geographies that have high rates of malicious domains or are under US government economic sanctions. Ideal for governments and small businesses that do not do business overseas, whose users would therefore have no legitimate reason to visit a domain hosted in those countries. Examples given of regions with a high ratio of malicious domains: Russia, Moldova, Lithuania, most countries in Africa, etc. A good example of how geo-blocking helps: DNS Firewall with the Subscription Service and geo-blocks for Eastern Europe provides zero-day protection against CryptoLocker.
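Two of the behaviours on this slide and the tunneling item on the attack slide leave distinctive traces in a resolver's query log: tunneling encodes data into many unique, long, high-entropy subdomains of one domain, and a DGA-driven infection asks for many pseudo-random domains that mostly do not exist. The following is an added example in plain Python, not Infoblox code, of the kind of analysis a DNS firewall or its reporting layer performs over query logs: a reputation-list lookup that also matches parent domains, a tunneling detector and a DGA detector. The log format (timestamp, client, qname, qtype, rcode), the log itself, the block list and every threshold are constructed assumptions; the two-label rule for the registrable domain is a simplification that production code would replace with the public suffix list.

```python
"""DNS query-log analysis for tunneling, DGA beaconing and reputation-list hits.
Added example; the log below is constructed, not real traffic, and the
thresholds are assumptions chosen to illustrate the technique."""
import hashlib
import math
from collections import defaultdict

def _build_sample_log():
    """Constructed query log, one record per line: ts client qname qtype rcode."""
    lines = []
    for i in range(30):   # tunnel client: encoded payload chunks sent as TXT lookups
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:28]
        lines.append(f"2014-03-03T10:00:{i:02d} 10.1.1.77 {chunk}.t.tunnel.example TXT NOERROR")
    for i in range(12):   # DGA client: pseudo-random domains, almost all unregistered
        name = hashlib.sha256(f"dga-seed{i}".encode()).hexdigest()[:12]
        lines.append(f"2014-03-03T10:01:{i:02d} 10.1.1.50 {name}.net A NXDOMAIN")
    for i in range(8):    # benign client: the same internal names over and over
        lines.append(f"2014-03-03T10:02:{i:02d} 10.1.1.10 www.corp.example A NOERROR")
    lines.append("2014-03-03T10:03:00 10.1.1.10 mail.corp.example MX NOERROR")
    lines.append("2014-03-03T10:03:01 10.1.1.42 update.bad-c2.example A NOERROR")
    return "\n".join(lines)

SAMPLE_LOG = _build_sample_log()
BLOCKLIST = {"bad-c2.example"}   # constructed stand-in for a reputation feed

def parse_log(text):
    for line in text.splitlines():
        ts, client, qname, qtype, rcode = line.split()
        yield ts, client, qname.lower().rstrip("."), qtype, rcode

def registered_domain(qname):
    # Assumption: the registrable domain is the last two labels (public suffix list in real code).
    return ".".join(qname.split(".")[-2:])

def blocklisted(qname, blocklist=BLOCKLIST):
    """Return the matching entry if qname or any parent of it is on the list."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def entropy(s):
    """Shannon entropy in bits per character; hex or base32 payload scores high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyse(log_text, min_unique_subdomains=20, min_label_len=16, min_entropy=3.0, min_nx_domains=10):
    """Return findings as (kind, client, detail, extra) tuples."""
    findings = []
    leftmost = defaultdict(list)    # (client, registered domain) -> leftmost label of each unique qname
    seen = defaultdict(set)         # (client, registered domain) -> unique qnames
    nx_domains = defaultdict(set)   # client -> registered domains that came back NXDOMAIN
    for ts, client, qname, qtype, rcode in parse_log(log_text):
        hit = blocklisted(qname)
        if hit:
            findings.append(("blocklist", client, qname, hit))
        dom = registered_domain(qname)
        if rcode == "NXDOMAIN":
            nx_domains[client].add(dom)
        if qname not in seen[(client, dom)]:
            seen[(client, dom)].add(qname)
            leftmost[(client, dom)].append(qname.split(".")[0])
    # Tunneling: many unique, long, high-entropy subdomains under one domain from one client.
    for (client, dom), labels in leftmost.items():
        if len(labels) >= min_unique_subdomains:
            mean_len = sum(map(len, labels)) / len(labels)
            mean_ent = sum(map(entropy, labels)) / len(labels)
            if mean_len >= min_label_len and mean_ent >= min_entropy:
                findings.append(("tunneling", client, dom, round(mean_ent, 2)))
    # DGA: one client asking for many distinct domains that do not resolve.
    for client, doms in nx_domains.items():
        if len(doms) >= min_nx_domains:
            findings.append(("dga", client, len(doms), None))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

On the constructed log this flags 10.1.1.77 for tunneling to tunnel.example, 10.1.1.50 for DGA-style lookups (12 distinct non-existent domains), and 10.1.1.42 for querying a child of a blocklisted domain, while the benign client querying www and mail under corp.example produces nothing. The parent-walking lookup in `blocklisted` is what lets one feed entry cover every hostname an attacker registers beneath it; the NXDOMAIN counter is the cheap first signal for a DGA because most generated names are never registered.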
  • DNSSEC enablement with automated key maintenance simplifies implementation and reduces risk
  • This concludes the Infoblox Webinar – Protect DNS from Being an Accomplice to Malware. We hope it has been informative for you. If you’d like to find out more you can contact Infoblox Sales at sales@infoblox.com or go to the Infoblox website at www.infoblox.com
  • SIEM is only as good as the people that deploy it and the processes that manage it.
    – URL Filtering data typically shows up late
    – Different types: multiple vendors or similar technologies (firewalls from different vendors)
    – Other data types: vulnerability data, physical security systems
  • InfoSec staff are expensive.
    – They are smart and ambitious; as soon as they are trained they leave…
    – They have, in some cases, very granular skills
    – Facilities costs: labs, tools (IDA Pro, Responder Pro, EnCase)
  • Vulnerability Management is a continuous process that must have measurable results. It is not solely about patching or fixing vulnerabilities. It is about managing part of your business. It is about auditable results.
    – Needs to be a continuous process
    – Requires an advanced knowledge of vulnerabilities and patching as well as server hardening. Not all vulnerabilities are patch related.
    – Compliance and other types of issues
    – Dealing with zero days
    – Assessing risk
  • APT is a very overused term these days. It is THE problem but does not explain how to resolve it. It is resolved with state-of-the-art technology deployed in the right place and managed by the right people who understand how to interpret the results and action them in the correct priority.
    – Infected devices, video cables, etc.
    – Who?
    – Neiman Marcus: 60K events triggered, but these were probably just noise inside millions of events.
    – NSA ANT / TAO (Tailored Access Operations)

Transcript

  • 1. Security Road Show - Vancouver © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 2. 9:00am – 9:15am Welcome
    9:15am – 9:45am Palo Alto Networks – You can’t control what you can’t see!
    9:45am – 10:15am F5 – Protect your web applications
    10:15am – 10:30am Break
    10:30am – 11:00am Splunk – Big data, next generation SIEM
    11am – 11:30am Infoblox – Are you fully prepared to withstand DNS attacks?
    11:30am – 12:00pm Closing remarks, Q&A
    12:00pm – 12:30pm Boxed Lunches
  • 3. Today’s Speakers
    – Alon Goldberg – Palo Alto Networks
    – Buu Lam – F5
    – Menno Vanderlist – Splunk
    – Ed O’Connell – Infoblox
    – Rob Stonehouse – Scalar
  • 4. Founded in 2004 – $125M in CY13 Revenues – Nationwide Presence – 120 Employees Nationwide – 25% Growth YoY – Toronto | Vancouver | Ottawa | Calgary | London – Greater than 1:1 technical:sales ratio – Background in architecting mission-critical data centre infrastructure
  • 5. Scalar is joining the TORONTO2015 Pan Am/Parapan Am Games as an Official Supplier – Managing IT security, data centre integration, and managed storage services
  • 6. The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools – Delivering infrastructure services which support core applications
  • 7. WHY SCALAR?
  • 8. Experience – Innovation – Execution
  • 9. Top technical talent in Canada – Engineers average 15 years’ experience
    We train the trainers – Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox
    Our partners recognize we’re the best:
    – Brocade Partner of the Year – Innovation
    – Cisco Partner of the Year – Data Centre & Virtualization
    – VMware Global Emerging Products Partner of the Year
    – F5 Canadian Partner of the Year
    – Palo Alto Networks Rookie of the Year
    – NetApp Partner of the Year – Central
  • 10. Unique infrastructure solutions designed to meet your needs – StudioCloud – HPC & Trading Systems
    Testing Centre & Proving Grounds – Ensuring emerging technologies are hardened, up to the task of Enterprise workloads
    Vendor Breadth – Our coverage spans Enterprise leaders and Emerging technologies for niche workloads & developing markets
  • 11. “Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”
  • 12. “We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”
  • 13. “Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multidisciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”
  • 14.
  • 15. PALO ALTO NETWORKS
  • 16. Next-Generation Protection for Advanced Threats – Alon Zvi Goldberg, SE, Palo Alto Networks
  • 17. Attack lifecycle diagram: Exploit Kit → Malware From New Domain → ZeroAccess Delivered → C2 Established → Data Stolen → Custom C2 & Hacking → Spread Laterally → Secondary Payload
    Why each step goes unnoticed: Hidden within SSL – New domain has no reputation – Payload designed to avoid AV – Non-standard port use evades detection – RDP & FTP allowed on the network – Custom malware = no AV signature – Internal traffic is not monitored – Custom protocol avoids C2 signatures
    ©2012, Palo Alto Networks. Confidential and Proprietary.
  • 18. 1. Bait the end-user – End-user lured to a dangerous application or website containing malicious content
    2. Exploit – Infected content exploits the end-user, often without their knowledge
    3. Download Backdoor – Secondary payload is downloaded in the background. Malware installed
    4. Establish Back-Channel – Malware establishes an outbound connection to the attacker for ongoing control
    5. Explore & Steal – Remote attacker has control inside the network and escalates the attack
  • 19. Attacks are Blended – Traffic and Malware – Inbound and Outbound
    Designed to Evade Security – Encryption, strange ports, tunneling, polymorphic malware, etc.
    Break Security Assumptions
    – Exploits: delivered over the network; hidden by encryption, fragmentation
    – Malware: delivered over the network; hidden by re-encoded and targeted malware
    – Spyware, C&C: malware communicates over the network; hidden by proxies, tunneling, encryption, custom traffic
    When attackers control both ends of a connection they can hide their traffic in any way they want
  • 20. 1. Full Visibility of Traffic – Equal analysis of all traffic across all ports (no assumptions) – Control the applications that attackers use to hide – Decrypt, decompress and decode
    2. Control the full attack lifecycle – Exploits, malware, and malicious traffic – Maintain context across disciplines – Maintain predictable performance (same diagram as slide 19: exploits and malware delivered over the network, malware communicating over the network; hidden by encryption, fragmentation, re-encoded and targeted malware, proxies, tunneling, custom traffic)
    3. Expect the Unknown – Detect and stop unknown malware – Automatically manage unknown or anomalous traffic
  • 21. Reducing Risk across four columns:
    – Applications: Visibility and control of all traffic, across all ports, all the time – Reduce the attack surface – Control the threat vector – Control the methods that threats use to hide – SSL decrypt high-risk sites
    – Sources: Control traffic sources and destinations based on risk – Sites known to host malware – Find traffic to command and control servers
    – Known Threats: Stop exploits, malware, spying tools, and dangerous files – NSS tested and Recommended IPS – Stream-based anti-malware based on millions of samples – Control threats across any port
    – Unknown Threats: Automatically identify and block new and evolving threats – WildFire analysis of unknown files – Visibility and automated management of unknown traffic – Anomalous behaviors
  • 22. Visibility Into All Traffic
  • 23. The Rule of All – All traffic, all ports, all the time – Mobile and roaming users
    Progressive Inspection – Decode – 200+ application and protocol decoders – Decrypt – based on policy – Decompress
    Stop the methods that attackers use to hide – Proxies – Encrypted tunnels – Peer-to-peer
  • 24. Non-Standard Ports – Applications that can dynamically use non-standard ports – Evasive Applications – Standard application behavior – Security Best Practices – Moving internet facing protocols off of standard ports (e.g. RDP)
    Tunneling Within Allowed Protocols – Applications that can tunnel other apps and protocols – SSL and SSH – HTTP – DNS
    Circumventors – Proxies – Anonymizers (Tor) – Applications designed to avoid security – Custom Encrypted Tunnels (e.g. Freegate, Ultrasurf)
  • 25. Number of distinct ports observed per application (bar chart, 0 to 30,000): SSL – 4,740 ports; Skype – 1,802 ports; Skype Probe – 27,749 ports; BitTorrent – 21,222 ports
  • 26. Based on a 3 month study of fully undetected malware collected by WildFire – 26,000+ malware samples – 1,000+ networks
    FTP was the most evasive application observed – 95% of unknown samples delivered via FTP were never covered by antivirus – 97% of malware FTP sessions used non-standard ports, and used 237 different non-standard ports
    Web-browsing delivered more malware, but was less evasive – 10% of samples delivered over 90 different non-standard web ports
  • 27. Example: Sample 0-Day Malware – Unknown traffic traversing the DNS port – HTTP using ephemeral ports
  • 28.
  • 29. Analysis of APT1 found: – RDP was the application of choice for ongoing management of the attack – Often proxied through intermediaries – Used custom applications built on MSN Messenger, Jabber, and Gmail Calendar – Often hidden within SSL
    Recommended Actions – Decrypt SSL – Tightly control RDP and proxy applications – Baseline instant messaging applications and investigate any unknowns
  • 30. Controlling Remote Desktop and Instant Messaging – Potential URL Categories for Correlation: Botnets – Not-resolved – Proxy-avoidance and anonymizers – Open-http-proxies – Peer-to-peer
  • 31. Requirement: Expect the Unknowns
  • 32. 1. Unknown traffic becomes significant – Anything non-compliant or custom should be known and approved – When the vast majority of traffic is identified, the unknowns become manageable
    2. Unknown traffic is common (99% of AVRs) – New publicly available commercial applications – Internally developed, custom applications – Rogue or malicious applications (malware)
    3. Unknowns are manageable – Investigate unknowns – Customize App-ID to reduce the number of unknowns – Aggressively control or block remaining unknown traffic
  • 33. Most Commonly Observed Malware Behaviors – 40% of Unknown Malware Files Were Blockable on the Network
    40% of unknown samples were identifiable as sister samples that shared specific identifiers in the file header and payload.
    Behaviors observed (share of samples, bar chart 0–30%):
    – Contained unknown TCP/UDP traffic – 29.39%
    – Visited an unregistered domain – 24.38%
    – Sent out emails – 20.46%
    – Used the POST method in HTTP – 12.38%
    – Triggered known IPS signature – 7.10%
    – IP country different from HTTP host TLD – 6.92%
    – Communicated with new DNS server – 5.56%
    – Downloaded files with an incorrect file extension – 4.53%
    – Connected to a non standard HTTP port – 4.01%
    – Produced unknown traffic over the HTTP port – 2.33%
    – Visited a recently registered domain – 1.87%
    – Visited a known dynamic DNS domain – 0.56%
    – Visited a fast-flux domain – 0.47%
    Recommendations: Investigate and classify any unknown traffic – No file downloads from unknown domains – No HTTP posts to unknown domains – No email traffic not to the corp email server
    Source: Palo Alto Networks, WildFire Malware Report
  • 34. Recent Sample of 0-Day Malware from WildFire – Repeated pattern of DNS, HTTP and Unknown Traffic – The “unknown” proved to be the most important traffic – The Unknown traffic marks the spot
  • 35. A closer look at the unknown session
  • 36. Capture and execute any unknown files to observe real behavior – Inspect all traffic – Block malware, C2 traffic and variants
  • 37.
  • 38. 40% of Unknown Malware Files Were Variants – Opportunity to Block Malware – In 40% of cases, a single signature matched multiple samples (variants) – 1 signature hit 1,500+ unique SHA values – Provides a way to block malware even when it is repackaged to avoid signatures
    40% of Malware Samples Were Related – WildFire Subscription – Delivers signatures within 30 to 60 minutes of new malware being detected anywhere in the world
  • 39. Detailed analysis of malware behaviors including – Malware actions – Domains visited – Registry changes – File changes
  • 40. An Integrated Approach to Threat Prevention – Coordinated Threat Prevention across the attack stages (Bait the end-user → Exploit → Download Backdoor → Establish Back-Channel → Explore & Steal):
    – App-ID: Block high-risk apps – Block C&C on non-standard ports
    – URL: Block known malware sites – Block malware, fast-flux domains
    – Threat License (IPS, AV, Spyware, Files): Block the exploit – Block malware – Block spyware, C&C traffic – Prevent drive-by downloads
    – WildFire: Detect unknown malware – Block new C&C traffic
    Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors
  • 41. Thank you!
  • 42. F5
  • 43. CONFIDENTIAL F5 Security for an application driven world
  • 44. F5 Provides Complete Visibility and Control Across Applications and Users – Users ↔ Resources – Services: DNS, Web Access, Intelligent Dynamic Threat Defense, DDoS Protection, Protocol Security, Network Firewall – Platform: TMOS – Securing access to applications from anywhere; protecting your applications regardless of where they live © F5 Networks, Inc
  • 45. Security Trends and Challenges
  • 46. [Chart: security incidents May–December 2012 by attack type (Spear Phishing, Physical Access, XSS); size of circle estimates relative impact of incident in terms of cost to business]
  • 47. [Chart: security incidents January–June 2013 by attack type (Spear Phishing, Physical Access, …) and industry (banks, government, online services, news & media, education, telcos, DNS providers, software, utilities, retail, gaming, auto, non-profit, etc.); size of circle estimates relative impact of incident in terms of cost to business]
  • 48. More sophisticated attacks are multi-layer: Application – SSL – DNS – Network
  • 49. The business impact of DDoS – Cost of corrective action – Reputation management
  • 50. OWASP Top 3 Application Security Risks
    1 – Injection: Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.
    2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity.
    3 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.
    Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  • 51. The F5 Approach
  • 52. Full Proxy Security – separate Client and Server sides at every layer (Physical – Network – Session – Application – Web application):
    – Network / Session: L4 Firewall – full stateful policy enforcement and TCP DDoS mitigation
    – SSL: SSL inspection and SSL DDoS mitigation
    – Application: HTTP proxy, HTTP DDoS and application security
    – Web application: application health monitoring and performance anomaly detection
  • 53. The F5 Application Delivery Firewall – Bringing deep application fluency to firewall security – One platform: Network firewall, Traffic management, Application security, Access control, DDoS mitigation, SSL inspection, DNS security – EAL2+; EAL4+ (in process)
  • 54. Positive vs Negative
    – Positive Security: known good traffic; permit only what is defined in the security policy (whitelisting); block everything else
    – Negative Security: known-bad traffic; pattern matching for malicious content using regular expressions
    – Policy enforcement is based on Positive security logic; Negative security logic is used to complement Positive logic
  • 55. How Does It Work? Security at application, protocol and network level – Request made → Security policy checked → Content scrubbing → Application cloaking → Enforcement → Response delivered; Server response → Security policy applied → Actions: Log, block, allow. “BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”
  • 56. 1. Start by checking RFC compliance
    2. Then check for various length limits in the HTTP
    3. Then we can enforce valid types for the application
    4. Then we can enforce a list of valid URLs
    5. Then we can check for a list of valid parameters
    6. Then for each parameter we will check for max value length
    7. Then scan each parameter, the URI, the headers
    Example request shown on the slide (each line ends in \r\n):
    GET /search.php?name=Acme’s&admin=1 HTTP/1.1
    Host: 172.29.44.44
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1)
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9
    Referer: http://172.29.44.44/search.php?q=data
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
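Slides 54 and 56 describe a positive security model: the request must match a policy of allowed methods, lengths, file types, URLs and parameters, and only then are negative signatures applied. The following is an added example written for this page, not F5 code and not how BIG-IP ASM is implemented: the seven checks from slide 56, in that order, run against the slide's sample request. The policy table (allowed URLs, parameters and limits), the three signatures and the second request are constructed for the example; note that the sample request's `admin=1` parameter is caught by the positive check (step 5) without any signature having to recognise it.

```python
"""Added example: a positive-security policy applied in the seven steps of slide 56.
Not F5/BIG-IP code; the policy, signatures and requests are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical positive-security policy for one application (constructed).
POLICY = {
    "methods": {"GET", "POST"},
    "versions": {"HTTP/1.0", "HTTP/1.1"},
    "max_uri_len": 256,
    "max_header_len": 512,
    "max_request_len": 4096,
    "file_types": {"php", "html", "css", "js", ""},   # "" = no extension
    # allowed URL -> allowed parameters and their max value length
    "urls": {"/search.php": {"q": 64, "name": 64}, "/index.php": {}},
}

# Negative-security signatures used only in step 7 (a tiny constructed set).
SIGNATURES = [
    (re.compile(r"(?i)\b(or|and)\b\s+[\w']+\s*=\s*[\w']+"), "boolean SQL tautology"),
    (re.compile(r"(?i)<\s*script"), "script tag"),
    (re.compile(r"\.\./"), "path traversal"),
]

# The slide's sample request, with CRLF line endings restored.
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Accept-Encoding: gzip,deflate,sdch\r\n"
    "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n"
    "\r\n"
)
# Constructed second request: an allowed parameter carrying a tautology (%27 = ', %3D = =).
TAUTOLOGY_REQUEST = "GET /search.php?q=x%27+or+1%3D1 HTTP/1.1\r\nHost: 172.29.44.44\r\n\r\n"


def parse_request(raw):
    """Step 1 helper: split a raw request, raising ValueError when it is not
    well-formed (three-token request line, 'Name: value' header lines)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return {"method": parts[0], "target": parts[1], "version": parts[2], "headers": headers}


def check_request(raw, policy=POLICY):
    """Apply the seven checks in the slide's order.
    Returns a list of (step, reason); an empty list means the request passed."""
    violations = []
    try:                                                   # 1. RFC compliance
        req = parse_request(raw)
    except ValueError as err:
        return [(1, str(err))]
    if req["method"] not in policy["methods"] or req["version"] not in policy["versions"]:
        return [(1, "method or HTTP version not allowed")]
    if len(req["target"]) > policy["max_uri_len"]:        # 2. length limits
        violations.append((2, "URI exceeds max length"))
    if any(len(n) + len(v) > policy["max_header_len"] for n, v in req["headers"]):
        violations.append((2, "header exceeds max length"))
    if len(raw) > policy["max_request_len"]:
        violations.append((2, "request exceeds max length"))
    url = urlsplit(req["target"])                           # 3. file type
    last = url.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    if ext not in policy["file_types"]:
        violations.append((3, f"file type {ext!r} not allowed"))
    allowed = policy["urls"].get(url.path)                  # 4. valid URL
    if allowed is None:
        violations.append((4, f"URL {url.path!r} not in policy"))
        allowed = {}
    params = parse_qsl(url.query, keep_blank_values=True)   # 5./6. parameters
    for name, value in params:
        if name not in allowed:
            violations.append((5, f"parameter {name!r} not in policy"))
        elif len(value) > allowed[name]:
            violations.append((6, f"parameter {name!r} value exceeds {allowed[name]}"))
    fields = [v for _, v in params] + [req["target"]] + [v for _, v in req["headers"]]
    for field in fields:                                    # 7. signature scan
        for rx, label in SIGNATURES:
            if rx.search(field):
                violations.append((7, f"{label} in {field[:40]!r}"))
    return violations


if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST))      # admin parameter is not in the policy
    print(check_request(TAUTOLOGY_REQUEST))   # allowed parameter, but a signature hits
```

The ordering matters for cost and for false positives: the cheap structural checks (steps 1 to 6) reject most malformed or out-of-policy requests before the comparatively expensive regular-expression scan of step 7 runs, which is the point slide 54 makes about negative logic complementing positive logic rather than replacing it.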
  • 57. Automatic HTTP/S DOS Attack Detection and Protection – Accurate detection technique – based on latency – Three different mitigation techniques escalated serially – Focus on higher value productivity while automatic controls intervene: Detect a DOS condition → Identify potential attackers → Drop only the attackers
  • 58. To Simplify: Application-Oriented Policies and Reports
  • 59. IP INTELLIGENCE – IP intelligence service (IP address feed updates every 5 min) and geolocation database in front of a custom application and a financial application, screening: Botnet – Restricted region or country – Attacker – Anonymous requests / Anonymous proxies – Scanner – Internally infected devices and servers
  • 60. Built for intelligence, speed and scale (Users ↔ Resources)
    – Concurrent user sessions: 100K
    – Concurrent logins: 1,500/sec.
    – Throughput: 640 Gbps
    – Concurrent connections: 288 M
    – DNS query response: 10 M/sec
    – SSL TPS (2K keys): 240K/sec
    – Connections per second: 8M
  • 61. Application Delivery Firewall – Network firewall, Traffic management, Application security, Access control, DDoS mitigation, SSL inspection, DNS security. Products:
    – Advanced Firewall Manager – Stateful full-proxy firewall – Flexible logging and reporting – Network and Session anti-DDoS – IP protection
    – Local Traffic Manager – #1 application delivery controller – Application fluency – Native TCP, SSL and HTTP proxies – App-specific health monitoring
    – Application Security Manager – Leading web application firewall – PCI compliance – Virtual patching for vulnerabilities – HTTP anti-DDoS
    – Access Policy Manager – Dynamic, identity-based access control – Simplified authentication infrastructure – Endpoint security, secure remote access
    – Global Traffic Manager & DNSSEC – Huge scale DNS solution – Global server load balancing – Signed DNS responses – Offload DNS crypto
    iRules extensibility everywhere
  • 62. Explore The F5 DDoS Protection Reference Architecture – f5.com/architectures
  • 63. Summary
    – Customers invest in network security, but most significant threats are at the application layer
    – Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data
    – A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges
    – F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access
  • 64. BREAK
  • 65. SPLUNK
  • 66. Copyright © 2014 Splunk Inc. Splunk for Security Intelligence
  • 67. Make machine data accessible, usable and valuable to everyone.
  • 68. The Accelerating Pace of Data – Volume | Velocity | Variety | Variability – Machine data is the fastest growing, most complex, most valuable area of big data: GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops
  • 69. The Splunk Security Intelligence Platform – Security Use Cases: Forensic Investigation, Security Operations, Compliance, Fraud Detection – Machine Data sources: Online Services, Web Services, Security, GPS Location, Servers, Packaged Applications, Networks, Desktops, Storage, Messaging, Telecoms, Custom Applications, RFID, Energy Meters, Online Shopping Cart, Databases, Web Clickstreams, Call Detail Records, Smartphones and Devices – HA Indexes and Storage on Commodity Servers
  • 70. Rapid Ascent in the Gartner SIEM Magic Quadrant – 2011, 2012, 2013
  • 71. Industry Accolades – Best SIEM Solution – Best Enterprise Security Solution – Best Security Product
  • 72. Over 2800 Global Security Customers
  • 73. Splunk Security Intelligence Platform – 120+ security apps: Splunk App for Enterprise Security, Palo Alto Networks, Cisco Security Suite, OSSEC, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat Proxy SG, Sourcefire
  • 74. Partner Ecosystem – What is the Value Add to Existing Customers? – Visibility and Correlation of Rich Data – Improved Security Posture – Configurable Dashboard Views
  • 75. All Data is Security Relevant = Big Data – A traditional SIEM covers Firewall, Authentication, Vulnerability Scans, Intrusion Detection/Prevention, Anti-Malware and Data Loss; the wider set also includes Databases, Email, Web, Desktops, Servers, DHCP/DNS, Network Flows, Custom Apps, Hypervisor, Badges, Storage, Mobile, Service Desk, Call Records, Industrial Control
  • 76. Making Sound Security Decisions – Inputs: Binary Data (flow and PCAP), Log Data, Threat Intelligence Feeds, Context Data → Security Decisions – Volume | Velocity | Variety | Variability
  • 77. Case #1 – Incident Investigation/Forensics
    – May be a "cold case" investigation requiring machine data going back months
    – Often initiated by an alert in another product
    – Need all the original data in one place and a fast way to search it to answer:
    ﹘ What happened and was it a false positive?
    ﹘ How did the threat get in, where have they gone, and did they steal any data?
    ﹘ Has this occurred elsewhere in the past?
    – Take results and turn them into a real-time search/alert if needed
    [Figure: timeline (January to May) of raw events such as mail-server and DHCPACK log lines]
  • 78. Case #2 – Real-time Monitoring of Known Threats. Example correlation – Data Loss: three sources tied together by the same Source IP (10.11.36.20), all occurring within a 24-hour period (Time Range).
    – Windows Authentication (Default Admin Account): 20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts
    – Endpoint Security (Malware Found): Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
    – Intrusion Detection (Data Loss): Aug 08 08:26:54 snort.acmetech.com itsec snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Classification: Potential Corporate Privacy Violation] [Priority: 2]: {TCP} 10.11.36.20:5072 -> 10.11.36.26:443
  • 79. Case #3 – Real-time Monitoring of Unknown Threats. Example correlation – Spearphishing: three sources tied together by the same User Name (John Doe), all occurring within a 24-hour period (Time Range).
    – Email Server (rarely seen email domain): 2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
    – Web Proxy (rarely visited web site): 2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; )" John Doe
    – Endpoint Logs (rarely seen service): 08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
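The 24-hour correlation in Case #2 and Case #3, as an added example that is not part of the original deck: a small Python detector that extracts the shared entity (the source IP, as in Case #2; keying on user name as in Case #3 works the same way) from three log sources and alerts only when all three fire within one 24-hour window. The log lines are constructed and simplified from the slide's sources; the field names and the assumed year 2013 are mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the three sources in Case #2
# (Windows authentication, Symantec endpoint protection, Snort IDS).
# Formats are simplified; the syslog year is assumed to be 2013.
SAMPLE_LOGS = [
    "Aug 08 04:12:21 acmedc01 wmi_type=UserAccounts Name=Administrator Status=Degraded src_ip=10.11.36.20",
    "Aug 08 06:17:24 acmesep01 SymantecServer acmesep01: Virus found,Risk name: Hackertool.rootkit,User: smithe,Source IP: 10.11.36.20",
    "Aug 08 08:26:54 snort.acmetech.com snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Priority: 2]: {TCP} 10.11.36.20:5072 -> 10.11.36.26:443",
    # Same three signals from another host, but the IDS hit lands three days later:
    # the 24-hour rule must not fire for 10.11.36.77.
    "Aug 01 09:00:00 acmedc01 wmi_type=UserAccounts Name=Administrator Status=Degraded src_ip=10.11.36.77",
    "Aug 01 10:00:00 acmesep01 SymantecServer acmesep01: Virus found,Risk name: Hackertool.rootkit,User: jones,Source IP: 10.11.36.77",
    "Aug 04 11:00:00 snort.acmetech.com snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Priority: 2]: {TCP} 10.11.36.77:5072 -> 10.11.36.26:443",
]

# One regex per source; the capture group is the entity we correlate on (source IP).
SOURCE_PATTERNS = {
    "windows_auth": re.compile(r"wmi_type=UserAccounts.*\bsrc_ip=(\d+\.\d+\.\d+\.\d+)"),
    "endpoint_av": re.compile(r"Virus found,.*Source IP: (\d+\.\d+\.\d+\.\d+)"),
    "ids": re.compile(r"snort\[\d+\]:.*\{TCP\} (\d+\.\d+\.\d+\.\d+):\d+ ->"),
}
SYSLOG_TS = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")
WINDOW = timedelta(hours=24)


def parse_event(line, year=2013):
    """Return (timestamp, source, src_ip), or None if the line is not one of ours."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    for source, pattern in SOURCE_PATTERNS.items():
        hit = pattern.search(line)
        if hit:
            return ts, source, hit.group(1)
    return None


def correlate(lines, required=frozenset(SOURCE_PATTERNS), window=WINDOW):
    """Return the source IPs for which every required source produced an event
    inside some single window (the slide's 'all three within 24 hours')."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event:
            by_ip[event[2]].append((event[0], event[1]))
    alerts = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (t_end, _) in enumerate(events):
            # Sources seen in the window that ends at this event.
            seen = {src for t, src in events[: i + 1] if t_end - t <= window}
            if required <= seen:
                alerts.add(ip)
                break
    return sorted(alerts)


if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS))  # ['10.11.36.20']
```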
  • 80. $500k Security ROI @ Interac
    – Challenges: Manual, costly processes
    ﹘ Significant people and days/weeks required for incident investigations. $10k+ per week.
    ﹘ No single repository or UI. Used multiple UIs, grep'd log files, reported in Excel
    ﹘ Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
    – Enter Splunk: Fast investigations and stronger security
    ﹘ Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
    ﹘ Splunk reduced investigation time to hours. Reports can be created in minutes.
    ﹘ Real-time correlations and alerting enables fast response to known and unknown threats
    ﹘ ROI quantified at $500k a year. Splunk TCO is less than 10% of this.
    "Splunk is a product that provides a looking glass into our environment for things we previously couldn't see or would otherwise have taken days to see." – Josh Diakun, Security Specialist, Information Security Operations
  • 81. Replacing a SIEM @ Cisco
    – Challenges: SIEM could not meet security needs
    ﹘ Very difficult to index non-security or custom app log data
    ﹘ Serious scale and speed issues. 10GB/day and searches took > 6 minutes
    ﹘ Difficult to customize with reliance on pre-built rules which generated false positives
    – Enter Splunk: Flexible SIEM and empowered team
    ﹘ Easy to index any type of machine data from any source
    ﹘ Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
    ﹘ All the data + flexible searches and reporting = empowered team
    ﹘ 900 GB/day and searches take under a minute. 7 global data centers with 350TB stored data
    ﹘ Estimate Splunk is 25% the cost of a traditional SIEM
    "We moved to Splunk from traditional SIEM as Splunk is designed and engineered for "big data" use cases. Our previous SIEM was not and simply could not scale to the data volumes we have." – Gavin Reid, Leader, Cisco Computer Security Incident Response Team
  • 82. Security and Compliance @ Barclays
    – Challenges: Unable to meet demands of auditors
    ﹘ Scale issues, hard to get data in, and impossible to get data out beyond summaries
    ﹘ Not optimized for unplanned questions or historical searches
    ﹘ Struggled to comply with global internal and external mandates, and to detect APTs
    ﹘ Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
    – Enter Splunk: Stronger security and compliance posture
    ﹘ Fines avoided as searches easily turned into visualizations for compliance reporting
    ﹘ Faster investigations, threat alerting, better risk measurement, enrichment of old data
    ﹘ Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
    ﹘ Other teams using Splunk for non-security use cases improves ROI
    "We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk." – Stephen Gailey, Head of Security Services
  • 83. Splunk Key Differentiators (Splunk vs. Traditional SIEM)
    – Single product, UI, data store
    – Software-only; install on commodity hardware
    – Quick deployment + ease-of-use = fast time-to-value
    – Can easily index any data type
    – All original/raw data indexed and searchable
    – Big data architecture enables scale and speed
    – Flexible search and reporting enables better/faster threat investigations and detection, incl. finding outliers/anomalies
    – Open platform with API, SDKs, Apps
    – Use cases beyond security/compliance
  • 84. For your own AHA! Moment Reach out to your Scalar and Splunk team for a demo Thank you!
  • 85. INFOBLOX © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 86. Are you prepared to withstand DNS attacks? Ed O'Connell, Senior Product Marketing Manager
  • 87. Infoblox Overview; DNS Security Challenges; Securing the DNS Platform; Defending Against DNS Attacks; Preventing Malware from using DNS
  • 88. Infoblox: Founded in 1999. Headquartered in Santa Clara, CA with global operations in 25 countries. Leader in technology for network control. Market leadership: Gartner "Strong Positive" rating; 40%+ Market Share (DDI). 6,900+ customers, 64,000+ systems shipped. 38 patents, 25 pending. IPO April 2012: NYSE BLOX. [Chart: Total Revenue ($MM), fiscal year ending July 31, FY2007 to FY2013; bar labels $35.0, $56.0, $61.7, $102.2, $132.8, $169.2, $225.0]
  • 89. [Diagram: Infoblox Grid™ with Real-time Network Database as the control plane, providing Infrastructure Security and Historical / Real-time Reporting & Control between Network Infrastructure (firewalls, switches, routers, web proxy, load balancers) and Apps & End-points (virtual machines, private cloud, applications, end points)]
  • 90. DNS is the cornerstone of the Internet, used by every business and government. DNS as a protocol is easy to exploit. Traditional protection is ineffective against evolving threats. DNS outage = business downtime.
  • 91. 1. Securing the DNS Platform; 2. Defending Against DNS Attacks; 3. Preventing Malware from using DNS
  • 92. Infoblox DNS Firewall – Prevents Malware/APT from Using DNS; Infoblox Advanced DNS Protection – Defend Against DNS Attacks; Hardened Appliance & OS – Secure the DNS Platform
  • 95. Multiple Open Ports – Many open ports subject to attack – Users have OS-level account privileges on server – No visibility into good vs. bad traffic – Requires time-consuming manual updates – Requires multiple applications for device management
  • 96.  Minimal attack surfaces  Active/Active HA & DR recovery  Centralized management with role-based control  Tested & certified to highest Industry standards  Secured Access, communication & API  Secure Inter-appliance Communication  Detailed audit logging  Fast/easy upgrades
  • 97.  No scripts / Auto-Resigning / 1-click  Central configuration of all DNSSEC parameters  Automatic maintenance of signed zones
  • 98. Infoblox DNS Firewall – Prevents Malware/APT from Using DNS; Infoblox Advanced DNS Protection – Defend Against DNS Attacks; Hardened Appliance & OS – Secure the DNS Platform
  • 99. ~10% of infrastructure attacks targeted DNS (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013): UDP FRAGMENT 17.11%, SYN 14.56%, UDP FLOODS 13.15%, ICMP 9.71%, DNS 9.58%, CHARGEN 6.39%, ACK 2.81%, RESET 1.4%, FIN PUSH 1.28%, SYN PUSH 0.38%, RP 0.26%, TCP FRAGMENT 0.13%. ~80% of organizations surveyed experienced application layer attacks on DNS (Source: Arbor Networks; % of survey respondents): HTTP 82%, DNS 77%, HTTPS 54%, SMTP 25%, SIP/VoIP 20%, Other 9%, IRC 6%.
  • 100. Distributed Reflection DoS Attack (DrDoS) – How the attack works
     Combines Reflection and Amplification
     Uses third-party open resolvers on the Internet (unwitting accomplices)
     Attacker sends small spoofed packets to the open recursive servers, requesting a large amount of data to be sent to the victim's IP address
     Uses multiple such open resolvers, often thousands of servers
     Queries specially crafted to result in a very large response
     Causes DDoS on the victim's server
    [Diagram: Attacker → open resolvers on the Internet → Target Victim]
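A resolver-side detector for the reflection pattern described above, added here as an example and not taken from the deck or from Infoblox: per client and per minute it compares the bytes the resolver sent back with the bytes it received, so a spoofed victim address that is "receiving" many large answers for tiny queries stands out. The records, thresholds and addresses (RFC 5737 documentation ranges) are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_records():
    """Constructed resolver query-log tuples (time, client_ip, req_bytes, resp_bytes).

    192.0.2.10 plays the spoofed 'client' that is really the victim in the slide's
    scenario; 203.0.113.5 and 203.0.113.6 are ordinary clients."""
    t0 = datetime(2014, 3, 1, 12, 0, 0)
    records = []
    for i in range(90):  # 90 tiny queries in 90 s, each answered with 3 KB: 48x amplification
        records.append((t0 + timedelta(seconds=i), "192.0.2.10", 64, 3072))
    for i in range(0, 90, 10):  # normal clients: small answers, low rate
        records.append((t0 + timedelta(seconds=i), "203.0.113.5", 60, 140))
        records.append((t0 + timedelta(seconds=i + 3), "203.0.113.6", 58, 120))
    return records


def find_reflection_targets(records, min_queries=50, min_amplification=10.0):
    """Flag (client_ip, minute) buckets where the resolver sent back both many
    answers and far more bytes than it received. A real client rarely asks for
    dozens of maximal answers per minute; a spoofed victim address does, because
    the attacker picks the queries. Returns {ip: (queries, amplification)} for the
    worst bucket of each flagged address."""
    buckets = defaultdict(lambda: [0, 0, 0])  # (ip, minute) -> [count, req_bytes, resp_bytes]
    for ts, ip, req, resp in records:
        bucket = buckets[(ip, ts.replace(second=0, microsecond=0))]
        bucket[0] += 1
        bucket[1] += req
        bucket[2] += resp
    flagged = {}
    for (ip, _), (count, req, resp) in buckets.items():
        amplification = resp / req if req else 0.0
        if count >= min_queries and amplification >= min_amplification:
            if ip not in flagged or count > flagged[ip][0]:
                flagged[ip] = (count, round(amplification, 1))
    return flagged


if __name__ == "__main__":
    print(find_reflection_targets(make_sample_records()))  # {'192.0.2.10': (60, 48.0)}
```

The flagged address is the victim, not the attacker, so the fitting response is to rate-limit answers to it and to close open recursion, not to treat it as a hostile client.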
  • 101. [Diagram: Infoblox Advanced DNS Protection (External DNS) and Infoblox Advanced DNS Protection (Internal DNS) block DNS attacks while passing legitimate traffic; the Infoblox Threat-rule Server delivers automatic updates; data for reports flows to the Reporting Server, which reports on attack types and severity]
  • 102. DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
    – DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
    – DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
    – TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
    – DNS cache poisoning: Corruption of the DNS cache data with a rogue address
    – Protocol anomalies: Causing the server to crash by sending malformed packets and queries
    – Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
    – DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
  • 103. [Diagram: Advanced DNS Protection deployed on External DNS (Internet-facing, DMZ) and Internal DNS (Intranet) at Datacenter and Campus/Regional sites, with Grid Master and Candidate (HA) and Endpoints]
  • 104. Infoblox DNS Firewall – Prevents Malware/APT from Using DNS; Infoblox Advanced DNS Protection – Defend Against DNS Attacks; Hardened Appliance & OS – Secure the DNS Platform
  • 105. [Timeline chart: 2013 Q2, Q3, Q4; 2014 Q1]
  • 106. Cryptolocker "Ransomware"  Targets Windows-based computers  Appears as an attachment to legitimate looking email  Upon infection, encrypts files: local hard drive & mapped network drives  Ransom: 72 hours to pay $300 US  Fail to pay and the encryption key is deleted and data is gone forever  Only way to stop (after executable has started) is to block outbound connection to encryption server
  • 107. Infoblox Malware Data Feed Service supplies malicious domains (IPs, domains, etc. of bad servers); DNS Firewall is updated every 2 hours with blocking information from the Infoblox DNS Firewall Subscription Svc.
    1. Malware / APT: An infected device brought into the office. Malware spreads to other devices on the network. Malware makes a DNS query to find "home" (botnet / C&C). Malware / APT spreads within network; calls home.
    2. Detect & Disrupt: DNS Firewall (Infoblox DDI with DNS Firewall) detects & blocks the DNS query to the malicious domain. Blocked attempt sent to Syslog.
    3. Pinpoint: Infoblox Reporting lists blocked attempts as well as the IP address, MAC address, Device type (DHCP fingerprint), Host name and DHCP lease history.
  • 108. 1. Detect – FireEye NX Series detonates and detects malware (endpoint attempting to download infected file); FireEye detects APT and alerts (malicious domains) are sent to Infoblox.
    2. Disrupt – Infoblox DNS Firewall (Infoblox DDI with DNS Firewall) disrupts malware DNS communication. Blocked attempt sent to Syslog.
    3. Pin Point – Infoblox Reporting provides a list of blocked attempts as well as the IP address, MAC address, Device type (DHCP fingerprint), DHCP Lease (on/off network) and Host Name.
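The "Pinpoint" step in the two flows above, as an added example that is not from the deck or from Infoblox: blocked-query syslog lines are joined with DHCP lease history to attribute each attempt to the MAC address, host name and device type that actually held the IP at that moment, which matters once an address has been re-leased to another device. The syslog format, lease records and names are all constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed syslog lines from a DNS firewall; the format is invented for this
# example and is not any vendor's real log format.
BLOCKED_LOG = [
    "Mar 01 12:05:10 dns01 dnsfw: BLOCKED client=10.11.36.29 qname=neverseenbefore.example feed=malware-domains",
    "Mar 01 12:05:11 dns01 dnsfw: BLOCKED client=10.11.36.29 qname=cnc.neverseenbefore.example feed=malware-domains",
    "Mar 01 18:40:02 dns01 dnsfw: BLOCKED client=10.11.36.29 qname=neverseenbefore.example feed=malware-domains",
    "Mar 01 12:06:00 dns01 dnsfw: PASSED client=10.11.36.30 qname=www.example.com",
]

# Constructed DHCP lease history: (ip, mac, hostname, fingerprint, start, end).
# 10.11.36.29 changes hands at 15:00, so the event time decides which device is blamed.
LEASES = [
    ("10.11.36.29", "00:11:22:33:44:55", "JOHNDOE-PC", "Windows 7", datetime(2014, 3, 1, 8, 0), datetime(2014, 3, 1, 15, 0)),
    ("10.11.36.29", "66:77:88:99:aa:bb", "visitor-phone", "Android", datetime(2014, 3, 1, 15, 0), datetime(2014, 3, 1, 23, 0)),
    ("10.11.36.30", "cc:dd:ee:ff:00:11", "JSMITH-PC", "Windows 7", datetime(2014, 3, 1, 8, 0), datetime(2014, 3, 1, 23, 0)),
]

BLOCKED_LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dnsfw: BLOCKED client=(\S+) qname=(\S+)")


def lease_at(ip, when, leases=LEASES):
    """Return the lease that held `ip` at `when` (end is exclusive), or None."""
    for lease_ip, mac, host, fingerprint, start, end in leases:
        if lease_ip == ip and start <= when < end:
            return {"mac": mac, "host": host, "device_type": fingerprint}
    return None


def pinpoint(lines, leases=LEASES, year=2014):
    """Join each blocked attempt with the lease active at that moment and return
    {mac: {"host", "device_type", "attempts", "qnames"}}. Attempts whose IP has
    no lease on record are kept under an 'unknown-lease:<ip>' key, not dropped."""
    devices = {}
    for line in lines:
        m = BLOCKED_LINE.match(line)
        if not m:
            continue  # PASSED lines and anything we cannot parse
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        lease = lease_at(m.group(2), when, leases)
        key = lease["mac"] if lease else f"unknown-lease:{m.group(2)}"
        record = devices.setdefault(key, {
            "host": lease["host"] if lease else None,
            "device_type": lease["device_type"] if lease else None,
            "attempts": 0,
            "qnames": Counter(),
        })
        record["attempts"] += 1
        record["qnames"][m.group(3)] += 1
    return devices


if __name__ == "__main__":
    for mac, info in pinpoint(BLOCKED_LOG).items():
        print(mac, info["host"], info["device_type"], info["attempts"], dict(info["qnames"]))
```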
  • 109. Fast Flux: Rapidly changing domains & IP addresses used by malicious domains to obfuscate identity and location
    – APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)
    – DNS Hacking: Hacking DNS registry(s) & re-directing users to malicious domain(s)
    – Geo-Blocking: Blocking access to geographies that have high rates of malicious domains or are under Economic Sanctions by the US Government
  • 110. DNS is the cornerstone of the Internet. Unprotected DNS infrastructure introduces security risks. Secure DNS Solution protects critical DNS services: Infoblox DNS Firewall – Prevents Malware/APT from Using DNS; Infoblox Advanced DNS Protection – Defend Against DNS Attacks; Hardened Appliance & OS – Secure the DNS Platform
  • 111. Thank you! For more information: www.infoblox.com
  • 112. Why Scalar for Security?
  • 113. The Issues  Integration of Security Technologies  Staffing  Vulnerabilities  Advanced threats
  • 114. The Issues  Integration of Security Technologies is Challenging – Multiple formats of data – Data timing issues – Different types of security controls – Other data types
  • 115. The Issues  InfoSecurity Staff – Different skill requirements ﹘ Architects ﹘ Malware Handling ﹘ Forensics ﹘ Vulnerability ﹘ Incident Management ﹘ Risk and Compliance – HR Costs ﹘ Premium technical personnel ﹘ Analysts, Specialists ﹘ Training and certification
  • 116. The Issues  Vulnerabilities – Regular scheduled disclosures – Large volumes of ad-hoc patches – Many undisclosed zero days – Remediation is a continuous process
  • 117. The Issues  Advanced Threats – Advanced Persistent Threats – Embedded threats  Who? – State sponsored – Hacktivism – Hackers – Organized crime
  • 118. How to Secure It  State-of-the-art Security Technologies  Skills on Demand – Continuous Tuning of Rules and Filters – Cyber Intelligence, Advanced Analytics – Cyber Incident Response – Code Review, Vulnerability and Assessment Testing
  • 119. WRAP/QUESTIONS?
  • 120. THANK YOU.