Moving Security Model From Content to Context

1. Moving Security ModelFrom Content To Context Quick Random Thoughts on Security Trends and Technologies for 2012 Paolo Passeri paulsparrows.wordpress.com

2. Why Next Generation Technologies Are Needed Malware is getting more and more sophisticated and capable to circumvent traditional security technologies paulsparrows.wordpress.com

3. APTs Are Changing The Rules Of The Game APTs threaten Organizations on different levels (from users to application) and heterogeneous time scales, redefining the information security landscape. Firewalls, Next Generation Firewalls and Intrusion Prevention Systems are converging to a new breed of security devices capable of moving the security enforcement paradigm to context, taking over the old model based on “IP Address, Protocol and Access Control” to a new model focused on “user, application and anomaly”. paulsparrows.wordpress.com

4. The Next Level: From Content to Context Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. Supplemental Information include: Geo Location, Reputation, and the interaction of the user with the environment (applications, directory, etc.). This class of devices is called Next Generation IPS: http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion- prevention/ paulsparrows.wordpress.com

5. NG-IPS Vs The Rest Of The World Firewall IPS NGF NG-IPSWorks At Layer 3-4 Layer 4-7 Layer 7 Layer 4-7Security Paradigm • IP Address • Protocol • User • User • Port • Vulnerability • Application • Application • Protocol • VulnerabilityScans All Traffic All Traffic Classified Applications All Traffic including classified ApplicationsDeployed as • Layer 3 Gateway • Transparent Mode • Layer 3 Gateway • Layer 3 Gateway • Transparent Mode • Connected to TAP • Transparent Mode • Transparent Mode • Connected to Span PortDefends Against • Intrusions by • Intrusions by everyone • Misuse of applications by Users; • Intrusions by everyone exploiting unauthorized users exploiting vulnerabilities at • Intrusions by unauthorized users application and server vulnerabilities, exploiting known ports; Layer 4-7; exploiting classified applications; • Misuse of applications by usersPerforms Access Yes No Yes YesControlAccess Control By • IP Address - • User • User • Port • Application • Application • Protocol • IP address • Port • ProtocolDetection Algorithms • Packet Filter • Deep Packet Inspection • Application Classification via • Stateful Inspection • Application Proxy • Signatures proprietary methods • Deep Packet Inspection • Stateful Inspection • Pattern Matching • Application Classification • Protocol-Based • Signatures • Anomaly Detection • Pattern Matching • Heuristics • Anomaly Detection (ApplAnd Protocol) • HeuristicsUse cloud based No Yes for updating signatures Yes for updating application Yes for updating signatures andservices from data received from other fingerprints and dynamically classify application fingerprints sensors unknown applicationsUse reputation and No Partially No YesGeo-locationDedicated Device Yes May exist as a dedicated device Once existed as a dedicated device, Yes, Will replace traditional Firewalls, NG or as a security feature on a now is a security feature on top of a Firewalls, IPSs UTM “traditional firewall”Deployed at Perimeter On perimeter firewall or behind Perimeter, focused to protect Perimeter it and in front of Key Asset s outbound trafficMay Scan SSL No Yes No Yes paulsparrows.wordpress.com

6. Web Application Firewalls The growing number of vulnerabilities targeting Web Applications and cyber attacks carried on against banks together with the need to be compliant with strict requirements and regulations are pushing the adoption of Web Application Firewalls. Although Technology tends to consolidate traditional security solutions, WAFs are destined to remain standalone dedicated devices in front of key web assets to protect. These devices are required by PCI-DSS and most of all by the growing attention by Cybercrookers for exploiting vulnerabilities in banking web applications. Only this year, famous victims included CitiGroup and Samsung Card. In particular attackers were able to subtract $2.7 million to Citigroup. http://spectrum.ieee.org/riskfactor/telecom/security/citigroup-admits-being-hacked-in- may-coy-about-extent-of-impact http://www.databreaches.net/?p=20522 paulsparrows.wordpress.com

7. WAFs Against The Rest Of The World paulsparrows.wordpress.com

8. So Which Is The Most Revolutionary Technology? Avoid to invest in new technologies without first patching the user! APT Holds only for 1%, (human) vulnerabilities for the remaining 99% paulsparrows.wordpress.com

9. ReferencesOct 5, 2011: Information, The Next Battlefield http://paulsparrows.wordpress.com/2011/10/05/information-the- next-battlefield/Oct 7, 2011: Next Generation Firewalls and Web Applications Firewall Q&A http://paulsparrows.wordpress.com/2011/10/07/next-generation- firewalls-and-web-applications-firewall-qa/Oct 13, 2011: Advanced Persistent Threats and Security Information Management http://paulsparrows.wordpress.com/2011/10/13/apts-and- security-information-management/Oct 27, 2011: Are You Ready For The Next Generation IPS? http://paulsparrows.wordpress.com/2011/10/27/are-you-ready- for-the-next-generation-ips/Nov 20, 2011: Advanced Persistent Threats and Human Errors http://paulsparrows.wordpress.com/2011/11/20/advanced- persistent-threats-and-human-errors/