1.
Moving Security Model
From Content To Context
Quick Random Thoughts on
Security Trends and Technologies for 2012
Paolo Passeri
paulsparrows.wordpress.com

2.
Why Next Generation Technologies Are Needed
Malware is getting more and more sophisticated and capable to
circumvent traditional security technologies
paulsparrows.wordpress.com

3.
APTs Are Changing The Rules Of The Game
APTs threaten Organizations on different levels (from users to application) and
heterogeneous time scales, redefining the information security landscape. Firewalls, Next
Generation Firewalls and Intrusion Prevention Systems are converging to a new breed
of security devices capable of moving the security enforcement paradigm to context, taking
over the old model based on “IP Address, Protocol and Access Control” to a new model
focused on “user, application and anomaly”.
paulsparrows.wordpress.com

4.
The Next Level: From Content to Context
Context-aware security is the use of supplemental information to improve security
decisions at the time the decision is made. Supplemental Information include: Geo
Location, Reputation, and the interaction of the user with the environment (applications,
directory, etc.). This class of devices is called Next Generation IPS:
http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-
prevention/
paulsparrows.wordpress.com

5.
NG-IPS Vs The Rest Of The World
Firewall IPS NGF NG-IPS
Works At Layer 3-4 Layer 4-7 Layer 7 Layer 4-7
Security Paradigm • IP Address • Protocol • User • User
• Port • Vulnerability • Application • Application
• Protocol • Vulnerability
Scans All Traffic All Traffic Classified Applications All Traffic including classified Applications
Deployed as • Layer 3 Gateway • Transparent Mode • Layer 3 Gateway • Layer 3 Gateway
• Transparent Mode • Connected to TAP • Transparent Mode • Transparent Mode
• Connected to Span Port
Defends Against • Intrusions by • Intrusions by everyone • Misuse of applications by Users; • Intrusions by everyone exploiting
unauthorized users exploiting vulnerabilities at • Intrusions by unauthorized users application and server vulnerabilities,
exploiting known ports; Layer 4-7; exploiting classified applications; • Misuse of applications by users
Performs Access Yes No Yes Yes
Control
Access Control By • IP Address - • User • User
• Port • Application • Application
• Protocol • IP address
• Port
• Protocol
Detection Algorithms • Packet Filter • Deep Packet Inspection • Application Classification via • Stateful Inspection
• Application Proxy • Signatures proprietary methods • Deep Packet Inspection
• Stateful Inspection • Pattern Matching • Application Classification
• Protocol-Based • Signatures
• Anomaly Detection • Pattern Matching
• Heuristics • Anomaly Detection (ApplAnd Protocol)
• Heuristics
Use cloud based No Yes for updating signatures Yes for updating application Yes for updating signatures and
services from data received from other fingerprints and dynamically classify application fingerprints
sensors unknown applications
Use reputation and No Partially No Yes
Geo-location
Dedicated Device Yes May exist as a dedicated device Once existed as a dedicated device, Yes, Will replace traditional Firewalls, NG
or as a security feature on a now is a security feature on top of a Firewalls, IPSs
UTM “traditional firewall”
Deployed at Perimeter On perimeter firewall or behind Perimeter, focused to protect Perimeter
it and in front of Key Asset s outbound traffic
May Scan SSL No Yes No Yes
paulsparrows.wordpress.com

6.
Web Application Firewalls
The growing number of vulnerabilities targeting Web Applications and cyber attacks
carried on against banks together with the need to be compliant with strict requirements
and regulations are pushing the adoption of Web Application Firewalls. Although
Technology tends to consolidate traditional security solutions, WAFs are destined to
remain standalone dedicated devices in front of key web assets to protect.
These devices are required by PCI-DSS and most of all by the growing attention by
Cybercrookers for exploiting vulnerabilities in banking web applications. Only this year,
famous victims included CitiGroup and Samsung Card. In particular attackers were able
to subtract $2.7 million to Citigroup.
http://spectrum.ieee.org/riskfactor/telecom/security/citigroup-admits-being-hacked-in-
may-coy-about-extent-of-impact
http://www.databreaches.net/?p=20522
paulsparrows.wordpress.com

7.
WAFs Against The Rest Of The World
paulsparrows.wordpress.com

8.
So Which Is The Most Revolutionary Technology?
Avoid to invest in new technologies without first patching the user!
APT Holds only for 1%, (human) vulnerabilities for the
remaining 99%
paulsparrows.wordpress.com

9.
References
Oct 5, 2011: Information, The Next Battlefield
http://paulsparrows.wordpress.com/2011/10/05/information-the-
next-battlefield/
Oct 7, 2011: Next Generation Firewalls and Web Applications Firewall Q&A
http://paulsparrows.wordpress.com/2011/10/07/next-generation-
firewalls-and-web-applications-firewall-qa/
Oct 13, 2011: Advanced Persistent Threats and Security Information Management
http://paulsparrows.wordpress.com/2011/10/13/apts-and-
security-information-management/
Oct 27, 2011: Are You Ready For The Next Generation IPS?
http://paulsparrows.wordpress.com/2011/10/27/are-you-ready-
for-the-next-generation-ips/
Nov 20, 2011: Advanced Persistent Threats and Human Errors
http://paulsparrows.wordpress.com/2011/11/20/advanced-
persistent-threats-and-human-errors/