NTXISSA.org
Social Media and SDSN
Luke Worrall
Sr. Security Specialist
Juniper Networks
October 5th, 2018
A defender has to be flawless every single time
…An attacker only needs to succeed once!
Diagram: a typical layered "best of breed" architecture: flow management, load balancers, perimeter firewalls, aggregation firewall, SSL, PAC file, client-side SSL tunnel, SSL sandbox, web filter, log files, email inspection, DLP (numbered callouts mark the individual products).
Luke Worrall Social Media and SDSN
Social media is a rich hunting ground
Anatomy of a Social Media attack
Phishing still just works
Why wouldn’t you click through?
Ransomware timeline
Crypto mining malware timeline
Drive-by Cryptocurrency Mining – One week snapshot
• 35,000+ unique URLs associated with coinhive.min.js
• 144 unique IP addresses
• 1,025 unique hostnames
• 6,000-10,000 new URLs per day leading to the coinhive script
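As an added example (not part of the original talk and not Juniper code), the Python below scans a constructed, squid-style proxy access log for loads of coinhive.min.js and produces the same kind of snapshot counts the slide reports: unique URLs, unique hostnames and unique server IPs, plus which internal clients fetched the script. The log format, the hostnames (under .example.test) and the addresses (10.0.0.0/8 clients, 203.0.113.0/24 servers) are constructed for the example; the match is anchored on the URL path so that a page merely mentioning the name, or the script's source map, does not count as a hit.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample of a squid-style proxy access log (not real traffic):
# <unix_ts> <client_ip> <method> <url> <status> <bytes> <server_ip>
SAMPLE_LOG = """\
1538700001.101 10.0.0.12 GET http://news.example.test/index.html 200 5120 203.0.113.10
1538700001.402 10.0.0.12 GET https://cdn.news.example.test/js/coinhive.min.js 200 30010 203.0.113.20
1538700002.220 10.0.0.31 GET https://forum.example.test/coinhive.min.js?v=2 200 30010 203.0.113.20
1538700003.050 10.0.0.31 GET https://forum.example.test/blog/about-coinhive.html 200 2210 203.0.113.21
1538700004.777 10.0.0.55 GET https://mirror.example.test/lib/coinhive.min.js 200 30010 203.0.113.22
1538700005.010 10.0.0.55 GET https://cdn.news.example.test/js/coinhive.min.js.map 404 120 203.0.113.20
1538700006.300 10.0.0.12 GET https://cdn.news.example.test/js/coinhive.min.js 304 0 203.0.113.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<server>\S+)$"
)
# The script name must end the URL path, optionally followed by a query string.
# This keeps pages that only mention the name (about-coinhive.html) and the
# source map (coinhive.min.js.map) out of the hit list.
MINER_RE = re.compile(r"/coinhive\.min\.js(?:$|\?)", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields; None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_miner_loads(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records whose URL path fetches coinhive.min.js."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        path_and_query = parts.path + ("?" + parts.query if parts.query else "")
        if MINER_RE.search(path_and_query):
            rec["host"] = parts.hostname or ""
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict:
    """Snapshot counts in the shape the slide uses: unique URLs, hostnames and
    server IPs, plus the internal clients that loaded the script (with counts)."""
    return {
        "unique_urls": len({h["url"] for h in hits}),
        "unique_hosts": len({h["host"] for h in hits}),
        "unique_server_ips": len({h["server"] for h in hits}),
        "clients": dict(Counter(h["client"] for h in hits)),
    }


if __name__ == "__main__":
    loads = find_miner_loads(SAMPLE_LOG)
    for h in loads:
        print(f"{h['client']} -> {h['url']} (status {h['status']}, server {h['server']})")
    print(summarize(loads))
```

The per-client counter is the part that matters operationally: the slide's URL, hostname and IP counts describe the campaign, but the internal addresses that repeatedly fetch the script are the hosts to pull for investigation.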
Breaches aren’t being discovered internally
Payloads are almost always unique
Rapid Response is critical
Time to compromise
Time to exfiltration
How fast can you respond?
Kill chain stages, grouped as pre-compromise, during attack and post-compromise:
Reconnaissance: research (scan, social info)
Weaponization: create malware
Delivery: push email or pull content
Exploit: execution of payload (vulnerability + exploit)
Installation: compromise host and/or lateral movement
Command & Control: remote control attained by adversary
Actions: data breach or damage
*Active engagements with partners
Diagram: the layered "best of breed" architecture shown earlier is repeated here (flow management, load balancers, perimeter firewalls, aggregation firewall, SSL, PAC file, client-side SSL tunnel, SSL sandbox, web filter, log files, email inspection, DLP).
Software Defined Secure Networks
Today: uncoordinated and perimeter focused. IPS, WAF, sandbox, AV, NGFW, SIEM, web and email security each run as separate tools.
SDSN: an orchestrated, holistic system encompassing security + infrastructure:
• Global policy orchestration (policy engine)
• Open and unified threat detection
• Dynamic, automated enforcement
How do we get there?
Day 0: human-driven automation
• Establish standards-based network interfaces and data models
• Automate network provisioning & management
• Simplify security and network operations
Day 1: event-driven automation
• Gather security & network information (telemetry)
• Intelligence drives automated response and policies
• Rule-based action on critical network events (closed-loop automation)
Day N: machine-driven automation
• Use machine-learning tools to train the system
• Machines make decisions and drive network change
• Humans make decisions where machines cannot
Significant Response Improvements With Automation
Malware investigation task | Manual effort | Juniper SDSN
Identify host and user | 10 min | Automated
Collect AV and EDR data for given host | 25 min | Automated
Collect network data (NGFW, SWG) | 25 min | Automated
Analyze & correlate | 35 min | Automated
Determine progression and scope | 15 min | Automated
Contain the threat | 10 min | Automated
TOTAL TIME | > 2 hrs | < 10 min
SDSN Architecture
The network fabric is now a single enforcement domain.
Detection
• Fast, effective protection from advanced threats
• Integrated threat intelligence
Policy
• Adaptive enforcement to firewalls, switches, 3rd party devices and routers
• Robust visibility and management
Enforcement
• Consistent protection across physical/virtual
• Open and programmable environment
Diagram: Security Director + Policy Enforcer (policy enforcement, visibility, automation) at the center; DETECTION from Sky ATP (advanced threat prevention, analysis, threat intelligence) and third-party threat intel; POLICY from Security Director; DETECTION and ENFORCEMENT on SRX physical firewalls, vSRX/cSRX virtual firewalls, routers, EX switches and third-party elements.
What if your Network could be a Firewall?
Diagram: a school district network with a user (Sally) as the example endpoint; detection, policy, and detection & enforcement points are spread across the network rather than sitting only at the perimeter.
• Instant threat intelligence and detection
• Dynamically adapting policy, deployed in real time
• Enforce security everywhere
• You need true end-to-end visibility to secure the entire network
How does SDSN completely isolate an infected host?
• Stateful filter on the firewall + access list on the switch port
Diagram: Sky ATP identifies the infected host (192.168.10.225). Each site has its own NGFW and access switch; the infected host sits behind one pair and a second host (192.168.20.2) behind the other, so containment has to be applied at both the firewall and the switch port the host is attached to.
Data Center Micro-segmentation
Diagram: Internet → perimeter firewall cluster → data center with an internal firewall cluster and vFWs in front of the DMZ VLAN (IT Web / IT App, Fin Web / Fin App) and DB_VLAN (IT DB, Fin DB). The SDSN policy engine consumes Sky ATP and third-party threat feeds and holds the security groups "IT Apps" and "Fin Apps"; it drives an SDN controller that provisions vSRX in the service chain, and pushes vSRX policy and switch ACLs. IT-to-Finance paths are marked blocked (🚫).
POLICY
• Policy defined in Policy Engine:
  1. "IT Applications cannot access Finance Applications even if they share the same VLAN"
  2. Traffic in and out of infected applications should be logged
DETECTION
• Sky detection applies to the infected-applications scenario (#2 above)
ENFORCEMENT
• VM-related traffic controls enforced in vSRX
• Physical-to-physical traffic controls in access/aggregation switches
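As an added example (not part of the talk and not Juniper's policy engine), the Python below shows the two policy statements above compiled from group-level intent into concrete entries for the two enforcement points. Workloads carry a security group taken from their metadata, so IT-to-Finance traffic is denied whether or not the two endpoints share a VLAN; any flow touching a workload flagged as infected is logged; and each resulting entry is routed to the vSRX when a VM is involved or to a switch ACL when both ends are physical. The workload names, addresses, VLAN names and the "infected" set are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    vlan: str
    group: str      # security group assigned from workload metadata, e.g. "IT Apps"
    virtual: bool   # True for a VM (enforced in vSRX), False for physical (switch ACL)


# Intent rules from the policy engine, first match wins; anything unmatched is
# permitted. Constructed from rule 1 on the slide: IT <-> Finance is blocked
# regardless of VLAN.
GROUP_RULES: List[Tuple[str, str, str]] = [
    ("IT Apps", "Fin Apps", "deny"),
    ("Fin Apps", "IT Apps", "deny"),
]
DEFAULT_ACTION = "permit"


def evaluate(src: Workload, dst: Workload, infected: Set[str]) -> Dict:
    """Decide one flow: action from the group rules (VLAN membership plays no
    part), logging when either side is a known-infected application (rule 2),
    and the enforcement point chosen by workload type."""
    action = DEFAULT_ACTION
    for src_group, dst_group, rule_action in GROUP_RULES:
        if src.group == src_group and dst.group == dst_group:
            action = rule_action
            break
    log = src.name in infected or dst.name in infected
    enforce_at = "vSRX" if (src.virtual or dst.virtual) else "switch-acl"
    return {"action": action, "log": log, "enforce_at": enforce_at,
            "same_vlan": src.vlan == dst.vlan}


def compile_enforcement(workloads: List[Workload],
                        infected: Set[str]) -> Dict[str, List[Tuple]]:
    """Expand the group-level intent into concrete (src_ip, dst_ip, action, log)
    entries, grouped by the enforcement point that has to carry them. Plain
    permits with no logging are left to the default policy and not emitted."""
    rules: Dict[str, List[Tuple]] = {"vSRX": [], "switch-acl": []}
    for src in workloads:
        for dst in workloads:
            if src is dst:
                continue
            verdict = evaluate(src, dst, infected)
            if verdict["action"] == "deny" or verdict["log"]:
                rules[verdict["enforce_at"]].append(
                    (src.ip, dst.ip, verdict["action"], verdict["log"]))
    return rules


# Constructed workloads matching the slide's diagram: web tier on the DMZ VLAN,
# database tier on DB_VLAN, IT and Finance sharing both VLANs.
WORKLOADS = [
    Workload("IT Web",  "10.1.0.10", "DMZ_VLAN", "IT Apps",  virtual=True),
    Workload("Fin Web", "10.1.0.20", "DMZ_VLAN", "Fin Apps", virtual=True),
    Workload("IT DB",   "10.2.0.10", "DB_VLAN",  "IT Apps",  virtual=False),
    Workload("Fin DB",  "10.2.0.20", "DB_VLAN",  "Fin Apps", virtual=False),
]
INFECTED = {"IT Web"}   # as if the detection layer had flagged this application


if __name__ == "__main__":
    for point, entries in compile_enforcement(WORKLOADS, INFECTED).items():
        print(point)
        for src_ip, dst_ip, action, log in entries:
            print(f"  {src_ip} -> {dst_ip}: {action}{' + log' if log else ''}")
```

Note that the same intent produces different numbers of entries on each device: every IT Web and Fin Web pairing lands on the vSRX because a VM is involved, while only the two physical database servers' traffic becomes a switch ACL. When an "infected" flag arrives, only the log bits change; the deny rules are unaffected.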
Security Director
• Threat condition visibility
• Dynamic enforcement adapts to changing threat conditions
• Pre-create security policy for agile workloads based on metadata
• Reduced effort by 20x
• Reduced user error
• Improved remediation time
Diagram labels: Enforcement Rules, Policy Automation, Application Behavior, Dashboard, SIEM.
Innovative visibility…
1. Interactive/graphical summary of applications
2. Data from different angles
3. Who is using what
4. Perform correcting actions: identify and block usage
5. Toggle to launch into details (grid view)
Policy Enforcer
Define Once – Detect, Enforce and Contain Everywhere
Diagram labels: Public Cloud, Private Cloud, Contrail Security, Cloud, User, Premise; Sky Advanced Threat Prevention (ATP) malware defense feeds Policy Enforcer.
Policy Enforcer
• Automated containment via Policy Enforcer in Security Director
• Extended containment to access switches
• Updates enforcement criteria automatically with new threat data
• Tracks infected host/endpoint movement from site to site via MAC address rather than IP address
• Block, quarantine, release and track
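As an added example (not Juniper's code and not part of the talk), the Python below models the containment behaviour these bullets and the earlier "isolate an infected host" slide describe: a quarantine table keyed by MAC address rather than IP, containment pushed as a switch-port filter plus a firewall deny-and-log policy (the "stateful filter on firewall + access list on switch port"), enforcement that follows the host when it reappears at another site with a new IP, and release. The Junos-style set/delete commands, the zone names (trust/untrust), the interface names and the addresses are assumptions for illustration and would need checking against the actual platform and topology.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Location:
    ip: str      # current IP address (changes between sites / DHCP leases)
    site: str
    port: str    # access-switch interface the host hangs off, e.g. "ge-0/0/5"


class PolicyEnforcer:
    """Toy containment tracker. The quarantine table is keyed by MAC address, so a
    host that moves to another site and picks up a new IP stays contained and the
    enforcement moves with it. Returned strings are illustrative Junos-style
    'set'/'delete' commands for an EX switch-port filter and an SRX deny+log
    policy (zone names and syntax are assumptions, not taken from the talk)."""

    def __init__(self) -> None:
        self.quarantined: Dict[str, Location] = {}

    @staticmethod
    def _name(mac: str) -> str:
        return "q-" + mac.replace(":", "")

    def _apply(self, mac: str, loc: Location) -> List[str]:
        n = self._name(mac)
        pol = f"set security policies from-zone trust to-zone untrust policy {n}"
        return [
            # access switch: discard frames from the infected MAC on its port
            f"set firewall family ethernet-switching filter {n} term block from source-mac-address {mac}/48",
            f"set firewall family ethernet-switching filter {n} term block then discard",
            f"set firewall family ethernet-switching filter {n} term allow then accept",
            f"set interfaces {loc.port} unit 0 family ethernet-switching filter input {n}",
            # firewall: deny and log anything from the host's current IP
            f"set security address-book global address {n} {loc.ip}/32",
            f"{pol} match source-address {n}",
            f"{pol} match destination-address any",
            f"{pol} match application any",
            f"{pol} then deny",
            f"{pol} then log session-init",
        ]

    def _remove(self, mac: str, loc: Location) -> List[str]:
        n = self._name(mac)
        return [
            f"delete interfaces {loc.port} unit 0 family ethernet-switching filter input {n}",
            f"delete firewall family ethernet-switching filter {n}",
            f"delete security policies from-zone trust to-zone untrust policy {n}",
            f"delete security address-book global address {n}",
        ]

    def contain(self, mac: str, loc: Location) -> List[str]:
        """A detector reports an infected host; push containment unless already done."""
        mac = mac.lower()
        if mac in self.quarantined:
            return []
        self.quarantined[mac] = loc
        return self._apply(mac, loc)

    def host_seen(self, mac: str, loc: Location) -> List[str]:
        """The endpoint showed up at a (possibly new) port/site, e.g. from DHCP or
        802.1X logs. For a quarantined MAC, move the enforcement to where it is now."""
        mac = mac.lower()
        old = self.quarantined.get(mac)
        if old is None or old == loc:
            return []
        self.quarantined[mac] = loc
        return self._remove(mac, old) + self._apply(mac, loc)

    def release(self, mac: str) -> List[str]:
        """Clean-up confirmed: drop the host from the table and tear down its rules."""
        mac = mac.lower()
        loc = self.quarantined.pop(mac, None)
        return self._remove(mac, loc) if loc else []

    def is_contained(self, mac: str) -> bool:
        return mac.lower() in self.quarantined


if __name__ == "__main__":
    # Constructed walk-through: infected at site A, moves to site B, then released.
    pe = PolicyEnforcer()
    mac = "00:11:22:33:44:55"
    for cmd in pe.contain(mac, Location("192.168.10.225", "site-A", "ge-0/0/5")):
        print(cmd)
    print("--- host moved ---")
    for cmd in pe.host_seen(mac, Location("192.168.20.2", "site-B", "ge-0/0/7")):
        print(cmd)
    print("--- released ---")
    for cmd in pe.release(mac):
        print(cmd)
```

Keying on the MAC is what makes the "track from site to site" bullet work: the IP-based firewall entry is rebuilt from the host's current address each time it is seen, while the switch filter keeps matching the hardware address wherever the host plugs in.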
Sky ATP
Juniper Advanced Threat Prevention (ATP) Appliance
Three pillars: advanced malware detection, one-touch mitigation, threat behavior analytics.
Detection
• On-premises solution that can detect advanced threats across web, email and lateral traffic
• Machine learning + behavior analysis + threat feeds
Analytics
• Improve productivity of SOC and IR teams by automating manual activities
• Timeline view of all security events that have occurred on a host or user
Mitigation
• Leverage existing security infrastructure to mitigate threats
• Automatically block malicious IPs, URLs and infected hosts
Thank you


Editor's Notes

  1. Cliched but absolutely true. Attackers don’t have to play by any rules…defenders are constrained by compliance, certification, business, etc. Are people more scared of their auditor or their attackers?
  2. This resonates with all customers because they have all basically built this “best of breed” architecture. However, all of these solutions are at best 99.9X% effective, so there will always be a small security gap. I very rarely meet a customer who confidently says they have an expert team that manages all of this
  3. The reality is that 99.35% effective means 248 malware payloads are executed in an environment
  4. This timeline really highlights the pace, innovation and sophistication in the ransomware space. It’s a great area to follow as the malware authors treat this as a business and are constantly evolving. Fileless malware is a great example.
  5. Why are breaches being discovered by Law enforcement or merchant providers? Or even someone like Brian Krebs - https://krebsonsecurity.com/
  6. The days of being able to detect malware based on signatures are long gone.
  7. Malware doesn’t wait! It compromises and exfiltrates at machine speed. It’s not waiting for a chain of events to occur, then a ticket to be raised, and someone to get back from a coffee break to begin its attacks. SDSN can respond at machine speed. Sec Ops staff can get back to chasing down sophisticated attacks, pen testing and running deception honeypots.
  8. As any chess player would know, the best defense is understanding your opponent’s strategy. When we start mapping our efforts to the attacker’s infiltration steps, we can determine where to plug the gaps. The “cyber kill chain” is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path. Designing your monitoring and response plan around the cyber kill chain model is an effective method because it focuses on how actual attacks happen. Considered in the context of network intrusions, the kill chain process is as follows. The kill chain is broadly categorized as pre-compromise, during attack, and post-compromise. Let’s quickly walk through the steps and see how Juniper can defend and remediate customers’ assets at every step of the way.
  9. This resonates with all customers because they have all basically built this “best of breed” architecture. However, all of these solutions are at best 99.9X% effective, so there will always be a small security gap. I very rarely meet a customer who confidently says they have an expert team that manages all of this
  10. It’s time to transform to a new security model. Today’s solutions in the market are uncoordinated and focused on the firewall. They can’t stop the spread of an attack laterally in the network. Trying to secure everything and in the end not being more secure (trying to use endpoint protection and a firewall for east-west traffic). SDSN is a complete transformation from deploying a myriad of network security tools, each with their own policy, detection and enforcement, to a holistic security system that unifies detection and enforcement and globalizes policy. This is a strategy. It is a vision. It is not separate from the products we are shipping. You can sell what is on the truck, and as we add services and capabilities to build out SDSN they will just add on.
  11. This illustrates the path that we are on to get to what I guess we could call “self-driving networks”, where networks react in a programmed fashion, very similar to what routing protocols do now, and have a learning side to them. We are a bit away from that, but there are things we can do today to start on this journey. Day 0 is pretty much where we are today: human-driven automation. What this means is that we are looking at an open-ended architecture where something comes out of the system and a human has to make a decision. This can be done with some common DevOps tools that perhaps some of you have heard of, like Puppet or Chef, or even Ansible. This is where we enter some type of templates and workflow and we push buttons to stamp out solutions. This in some way is how we solve some of the initial problems, like building deployments en masse as we discussed earlier. You can do tasks over and over again without the concern of the machine getting distracted by its favorite song. Day 1 is the move to more of a closed-loop automated system, where you begin to use telemetry to determine what actions to take based on workflows you design or that have been set up in the network. For instance, say you detect something on your system (note I didn’t say network), let’s say by some type of endpoint client. Perhaps someone has taken their machine out of your secure zone and received an unauthorized package. You detect this either at your perimeter due to unusual traffic, or perhaps you have some type of endpoint software on the client that notifies your central point of enforcement. Can you shut this user down at the port level? What if the user moves around?
  12. Numbers generated by user input calculator
  14. Customer benefit: block east-west traffic to limit the attack surface; support physical servers as well as virtualized applications; infected-status-based actions (monitor, block, quarantine).
  15. When it comes to security we cannot allow valuable security practitioners to waste their time with excess manual work. Our visibility and management solution, Security Director, automates and simplifies the management of SDSN components. The automation inherent in Security Director has reduced the amount of effort needed to administer policies by 20x as compared to manual processes. And with our latest advances in enforcement automation and orchestration, practitioners don’t have to struggle with manually updating static rules. Imagine the number of user errors that can be reduced and the time saved when managing multiple sites and thousands of devices in the network. All this is unified in a single pane of glass, further simplifying the workflow of your scarce security specialists.
  16. And our most innovative addition to SDSN is Policy Enforcer. This is a revolutionary concept, enabling policies to be defined once for detection, enforcement and containment everywhere – no matter the environment.
  17. We are taking visibility and management with Policy Enforcer to the next level. With Policy Enforcer you can: extend threat containment to access switches, including Cisco’s; update enforcement criteria automatically with new threat data; track infected host/endpoint movement from site to site via MAC address rather than IP address; block, quarantine, release and track, all seamlessly. Policy Enforcer is fueled by Sky ATP advanced malware defense and is being integrated with our ecosystem partners for extended defense.
  18. We all know what a menace ransomware has become. During the recent WannaCry outbreak Sky ATP was able to detect and block the exploit in 90 seconds NOTE: If a more current example of a breakout has occurred, use that vs WannaCry http://forums.juniper.net/t5/Security-Now/Rapid-Response-The-WannaCry-Ransomware-Outbreak/ba-p/307835 Demo video
  19. On-premises anti-malware appliance; threat analytics and correlation; lateral propagation detection; cloud email threat detection; macOS support.