"DAMBALLA CSP" là một bộ cảm biến được cài đặt trong môi trường kết nối nhiều mạng, theo dõi lưu lượng và phân tích DNS với công cụ phát hiện mối đe dọa để phát hiện sự liên lạc với máy chủ C & C và thiết bị đầu cuối bị nhiễm phần mềm độc hại. Tính năng lớn nhất của nó là có khả năng tự học dựa trên dữ liệu khổng lồ.
2. Tổng quan về Damballa CSP
Telcos & ISPs
The ONLY solution that can automatically detect subscribers
Devices that are dangerous when under the control of criminals
Protecting 500+ million devices globally
All of the largest ISPs and Telcos worldwide
Introduce yourself and state the purpose of the presentation.
Who?
Industry Innovator
Pioneering cyber threat research, analysis and detection since 2006
Born out of Georgia Tech security researchers
Research backed by the U.S. Department of Homeland Security, the Office of Naval Research, the Air Force Research Labs, the Army Research Office, and Google
Six patents pending
Discussion points – Damballa Research takes advantage of Big Data collected in the form of a massive Passive DNS database from ISPs/Telcos and Enterprise companies. We are able to study this data and build Query Profilers as well as DGA (Domain Generation Algorithm) Profilers.
Quick overview of the product in a nutshell.
This slide should be used when time is restricted and you want to show as much as possible up front from a technical and business perspective.
Currently we have focused exclusively on DNS query and DGA (Domain Generation Algorithm) detection around C&C traffic. – See backup slides for DGA and Query profiler details.
The road map is to move toward not only additional DNS data (MX, TXT records, etc.) but also to potentially consume flow samples, or even offer an egress sensor that takes a sample of the connection data to flesh out a conviction engine.
Why? What do we allow you to do?
Differentiate your subscriber offering
Address Regulatory Concerns:
The Australian High Tech Crime Centre (AHTCC)
Criminal Code 1995 – Botnets are illegal to operate
ACMA – Australian Internet Security Initiative (AISI)
In June 2010, the Internet Industry Association of Australia (IIA) launched a voluntary ISP code of practice, the icode (similar to the ABC, the Anti-Bot Code of Conduct of CSRIC, the Communications Security, Reliability and Interoperability Council).
Damballa CSP addresses the security concerns of ISPs and Telcos by offering a solution that:
PROVIDES A SECURE SERVICE OFFERING
PROVIDES A DIFFERENTIATED SERVICE OFFERING
DEPLOYS QUICKLY WITH AN OUTSTANDING ROI
Identifies potential threats to bandwidth consumption and thus subscriber experience
Creates goodwill with customers by providing an enhanced security offering
Offers protection without threats to privacy. No PII data is collected.
Is low risk to deploy
Cost is minimal with a focus only on DNS traffic. No need for devices at all egress and proxy points.
Technical – an out-of-band system that does not put the subscriber’s expected experience at risk.
Simple Deployment and Integration
Highly Scalable to see entire network
No PII (Personally Identifiable Information) traffic is collected, which avoids ‘opt-in’ requirements
Cost effective and integrates with existing systems / solutions
Perftech for in browser notification
HP ArcSight SIEM for off box reporting and correlation
Generic Syslog also an option
Blocking via DNS Spoofing – sensors can inject spoofed responses to queries regarding known C&C systems. Ideally the responses are injected both above and below the recursive resolver.
While Damballa’s threat detections are key to the Provider’s security ecosystem, we also partner with other vendors to drive up our value and help both the Provider and their Subscribers.
Notifications –
Perftech (partner) – a partnership of nearly 4 years now. Their focus is subscriber notifications. Initially focused on in-browser notifications, they also offer email notifications and walled garden solutions to help notify and educate the customer base.
FrontPorch (in discussions) – they offer a similar solution; we encourage you to obtain feedback on any other notification vendors a Service Provider might use.
Xerocole (reseller partner) – they focus on walled garden solutions, but they also have a DNS offering that you should be aware of when discussing potential customers or integrations.
SIEM/Reporting –
HP ArcSight SIEM integration
Syslog – Generic Syslog integration
Splunk – Splunk consumes syslog data, so while as of the 2.0 release we do not have an explicit Splunk integration in CSP, we are able to integrate via syslog.
Remediation –
Microsoft MSRT (Malicious Software Removal Tool) integration has been in the product for 4 years now
F-Secure – As of CSP 2.0, we have an integration with F-Secure which offers a “high/medium/low” confidence in the ability of F-Secure to remediate any specific threat.
MalwareBytes – Not in the product today, but an example of one of the other vendors we are talking with about integrations
At this point we will move into an overview of the standard Damballa CSP deployment.
This is a high level overview of how you would deploy the Damballa CSP MC and Sensors:
- Hub/spoke deployment model
- Monitoring DNS traffic exclusively, out of band via TAP or SPAN (just as in Failsafe)
Damballa CSP is the detection leg of the three-legged chair of detection, notification and remediation.
It enables the ecosystem and allows providers to meet the expectations of their customers and of regulators.
It also allows them to go above and beyond their competitors.
Damballa CSP detects threats and delivers that detection to partners in a variety of manners:
- .json (Compromised/Resolved/NXDomain)
- .csv (Threat Trending Report)
- .pdf (Executive/Trend/Health)
- .html (Executive/Trend/Health) – also remember the Dashboard widgets
Integrations:
Perftech (notifications)
HP ArcSight (SIEM)
Syslog
Sample of the CSV Trend report and the PDF/HTML report
You can see from the long tail that the majority of the threats are clustered near the left.
This means that a targeted approach with tools like F-Secure AntiBot can allow you to make a big difference in the security of your deployment.
The basic concept behind this slide is that while there may be thousands of threats, you can take a targeted approach at the most active and make a significant impact on the Security of the Subscriber Deployment.
Big impact from targeting a few threats.
A targeted attack on the threats in the network, using tools that can remediate the issue.
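To make the long-tail argument concrete, here is an added example (not Damballa's code) that reads a constructed Threat Trending CSV, as the product exports, and picks the smallest head of the curve that covers a chosen share of infected subscribers. The column names and threat counts are assumptions made up for this example.

```python
"""Added example (not Damballa's code): read a constructed Threat Trending
CSV and pick the few most active threats that cover most infected
subscribers, as the long-tail slide argues. Column names are assumed."""
import csv
import io

# Constructed sample of a trend report; the real column names may differ.
TREND_CSV = """threat,infected_subscribers
Threat-A,5200
Threat-B,2100
Threat-C,900
Threat-D,300
Threat-E,150
Threat-F,90
Threat-G,60
Threat-H,40
Threat-I,20
Threat-J,10
"""

def parse_trend_csv(text):
    """Return {threat: infected_subscribers}, summing duplicate rows."""
    counts = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["threat"]
        counts[name] = counts.get(name, 0) + int(row["infected_subscribers"])
    return counts

def coverage_curve(counts):
    """(threat, count, cumulative share) ordered by count, largest first."""
    total = sum(counts.values())
    if not total:
        return []
    curve, running = [], 0
    for name, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        running += n
        curve.append((name, n, running / total))
    return curve

def threats_to_target(counts, share=0.8):
    """Smallest head of the curve whose remediation covers `share` of infections."""
    curve = coverage_curve(counts)
    for i, (_, _, cum) in enumerate(curve, start=1):
        if cum >= share:
            return [name for name, _, _ in curve[:i]]
    return [name for name, _, _ in curve]
```

With the constructed data, two of ten threats account for over 80% of infected subscribers, which is the prioritisation the slide is making.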
Perftech integration overview
1 – Subscriber attempts to look up “badguy.com” and the Damballa Sensor detects the DNS query to “badguy.com”, a known Command and Control server
2 – Sensor delivers detection results to Damballa MC
3 – Damballa MC builds a custom string based on the Perftech API integration and sends this information over to Perftech
4 – Perftech correlates Damballa’s threat detection information with the subscriber identification system and delivers an in-browser notification to the infected Subscriber
5 – The Subscriber attempts to go online and the notification is delivered, alerting them to their infection. This information will likely include the Damballa Research Notes and potential remediation options
Specifics on how we might work with F-Secure as a remediation tool.
The concept on a basic level is Detection by Damballa and Remediation by F-Secure.
HP ArcSight and Syslog integration overview
1 – Subscriber attempts to look up “badguy.com” and the Damballa Sensor detects the DNS query to “badguy.com”, a known Command and Control server
2 – Sensor delivers detection results to Damballa MC
3 – Damballa MC delivers either syslog- or CEF-formatted data depending on the destination product (i.e. ArcSight or syslog)
4 – Admins can review the ArcSight / Syslog systems and generate rules / policies / alerts accordingly.
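The following is an added example (not Damballa's code) showing what step 3 amounts to: one detection record rendered as a CEF event for HP ArcSight and as a plain RFC 3164 syslog line. The detection record, the CEF signature ID and the extension field mapping are constructed assumptions, not Damballa's actual schema.

```python
"""Added example (not Damballa's code): emit a C&C DNS detection as CEF for
HP ArcSight and as a plain RFC 3164 syslog line. The detection record and
field mapping are constructed assumptions, not Damballa's actual schema."""
from datetime import datetime, timezone

# Constructed detection: what a sensor might report to the MC (step 2).
DETECTION = {
    "subscriber_ip": "10.20.30.40",   # internal address; no PII is carried
    "query": "badguy.com",
    "threat": "Example C&C Family",
    "sensor": "sensor-01",
    "severity": 8,                      # CEF scale 0-10
    "time": datetime(2014, 3, 1, 12, 0, 0, tzinfo=timezone.utc),
}

def _esc_header(s):
    # CEF header fields escape backslash and the '|' delimiter.
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(s):
    # CEF extension values escape backslash, '=' and newlines ('|' is legal).
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(d, vendor="Damballa", product="CSP", version="2.0"):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    header = [vendor, product, version, "cnc-dns-query",
              "DNS query to known C&C domain", str(d["severity"])]
    ext = {
        "rt": str(int(d["time"].timestamp() * 1000)),  # receipt time, ms
        "src": d["subscriber_ip"],
        "dhost": d["query"],
        "dvc": d["sensor"],
        "cs1Label": "threatName",
        "cs1": d["threat"],
    }
    return ("CEF:0|" + "|".join(_esc_header(h) for h in header) + "|"
            + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items()))

def to_syslog(d, facility=20):
    """RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag: msg (facility 20 = local4)."""
    sev = 2 if d["severity"] >= 8 else 4      # 2 = critical, 4 = warning
    t = d["time"]
    stamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"
    msg = (f"cnc_dns_query src={d['subscriber_ip']} domain={d['query']} "
           f"threat={d['threat']}")
    return f"<{facility * 8 + sev}>{stamp} {d['sensor']} damballa-csp: {msg}"
```

Call `to_cef(DETECTION)` or `to_syslog(DETECTION)` to see the two wire formats; the escaping helpers are what keeps a threat name containing `=` or `|` from corrupting the ArcSight parse.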
Damballa solves this problem by reducing the time it takes security teams to detect actual infections and respond before loss occurs.
Enterprises have invested heavily in prevention yet today’s advanced threats can easily evade prevention controls. The gap between failed prevention and the time it takes to detect and respond to infections creates a security gap.
Damballa automatically detects infections that have bypassed prevention controls and helps responders prioritize and shorten the time it takes to remediate the risk.