Corporate Presentation
Ashar Aziz (ashar@netforts.com)
NetForts, Inc. Proprietary and Confidential 2
NetForts Mission Statement
Create Products and Services to Allow Networks to React in Real-Time to Rapidly Evolving Threats
Biggest Cyber-threat: Enterprise-Scale Worm in Minutes
(Diagram: enterprise network with an L3 cloud, access layer switches and the NOC; the numbered steps below are annotated on it.)
1. Zero-day worm outbreak
2. No patches
3. No worm signatures
4. Rapid worm proliferation
5. Complete compromise of vulnerable systems
6. Manual repair & recovery
7. Possible loss of data
8. Downtime for critical systems
Worms are World’s Biggest Cyber-threat
• A single worst-case worm can cause direct damages in excess of $120B for US alone (DARPA study)
• Next-Gen Worms will:
  - Target flaws on patch release day (first-day attacks)
  - Target unknown flaws (zero-day attacks)
  - Spread very fast, Internet scale in minutes
  - Have malicious payloads: delete, modify, expose data
  - Be able to launch a massive DDOS attack on the Internet
• Any human-mediated response is inadequate
Stopping Worms: The Challenges
• Zero-day attack, no signatures
• Active propagation techniques
  - Scanning
  - Topological direction
  - Hit-List direction: flash worms
  - Extremely fast spread rates
  - Conversely: slow and stealthy motion
• Passive propagation techniques
  - Piggyback existing traffic
  - Infect via contagion
  - Cause no unusual traffic pattern
  - Easily cross firewall defenses
• Worms may use multiple vectors
Existing Approaches
• Signature-Based NIDS/NIDP
  - Inadequate against worms with no previously known signature
• Protocol-Anomaly-Based NIDP
  - Primarily designed for intrusion detection, not worms
  - False positives and false negatives for unknown protocols/bugs
  - Needs protocol anomaly detection updates
  - May not detect/block all kinds of worms
• Statistical-Anomaly-Based NIDS
  - Long training; false positives/negatives for improper training
  - Will not detect worms that don’t trigger statistical anomalies
• Worm-oriented Traffic Analysis
  - Typically fast horizontal scan detection
  - Difficult to use against stealthy worms
  - False positives when sensitivity is increased, false negatives otherwise
• Host-Based IDP
  - Requires every host to be correctly configured
  - Performance penalty for normal operations
  - Needs behavior-blocking template updates
  - May not detect/block all kinds of network worms
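The sensitivity trade-off in the "Worm-oriented Traffic Analysis" item above, shown as an added example that is not NetForts' code: a horizontal-scan detector counts the distinct destinations each source contacts on one port per second and compares the peak against a threshold. The flow records, addresses and the threshold values are constructed for the example; the alert field names are borrowed from the NOC notification slide later in this deck.

```python
"""Horizontal-scan detection over flow records (added example, not NetForts code).

A scanning worm touches many distinct destination hosts on one port within a
short window, so counting distinct destinations per (source, port) per second
and comparing the peak to a threshold is the "fast horizontal scan detection"
the slide refers to. The threshold is the sensitivity knob: lowering it catches
slower scanners but starts flagging benign fan-out such as a backup server.
All flows below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # timestamp in seconds
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination TCP port


# Constructed sample traffic (addresses reuse the subnets shown on the NOC slide):
#  - 192.34.5.78 probes 20 distinct hosts on 135/tcp inside one second (worm-like)
#  - 10.0.0.5 contacts 4 distinct hosts on 445/tcp in one second (backup server)
#  - 10.0.0.9 makes 5 connections to a single web server (ordinary client)
SAMPLE_FLOWS = (
    [Flow(100.0 + i * 0.05, "192.34.5.78", f"192.34.5.{10 + i}", 135) for i in range(20)]
    + [Flow(100.0 + i * 0.2, "10.0.0.5", f"10.0.0.{20 + i}", 445) for i in range(4)]
    + [Flow(100.0 + i * 0.3, "10.0.0.9", "10.0.0.1", 80) for i in range(5)]
)


def fanout_per_window(flows, window=1.0):
    """Map (src, dport, window index) -> set of distinct destinations seen."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(f.src, f.dport, int(f.ts // window))].add(f.dst)
    return buckets


def detect_scanners(flows, threshold, window=1.0):
    """Return {src: (dport, peak distinct destinations per window)} for every
    source whose peak fan-out on some port reaches `threshold`."""
    peak = {}
    for (src, dport, _), dsts in fanout_per_window(flows, window).items():
        if len(dsts) >= threshold and len(dsts) > peak.get(src, (None, 0))[1]:
            peak[src] = (dport, len(dsts))
    return peak


def build_alert(flows, threshold, window=1.0):
    """Shape the result like the NOC notification slide. Field names follow
    that slide; the values are computed from the flows, not fixed constants.
    Scan detection alone does not confirm an infection, so sources are
    reported as suspected rather than confirmed."""
    hits = detect_scanners(flows, threshold, window)
    if not hits:
        return None
    fastest = max(n for _, n in hits.values())
    return {
        "Detection Using": "Traffic Analysis",
        "Positive Confirmation": "No",
        "Suspected Infections": len(hits),
        "Spread rate": f"{int(fastest / window)} scans/sec",
        "Ports affected": [f"{p}/tcp" for p in sorted({p for p, _ in hits.values()})],
        "Recommended Actions": [f"Isolate {src}" for src in sorted(hits)],
    }


if __name__ == "__main__":
    # Threshold 10 flags only the worm-like source; threshold 3 also flags the
    # backup server, which is the false-positive side of the slide's trade-off.
    for threshold in (10, 3):
        print(f"threshold={threshold}:", build_alert(SAMPLE_FLOWS, threshold))
```

Running it with both thresholds makes the trade-off concrete: at 10 distinct destinations per second only the worm-like source is reported, while at 3 the backup server is reported as well, and the ordinary client (many connections, one destination) is never flagged because fan-out, not connection count, is what is measured.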
NetForts Solution: Network-Level Worm Containment
• Zero-day worm detection & containment at network level
• Detects and contains ALL kinds of worms: fast, stealthy, passive etc.
• Dynamic signature extraction
• Zero false positive rate
• No manual signature updates required
• No performance or availability penalty
Network Deployment Scenario A: Out-of-Data-Path
(Diagram: L3 cloud and access layer switches with traffic anomaly sensors on a tap, a virtual network/signature extractor, an inline content filtering device and the NOC; the numbered steps below are annotated on it.)
1. Monitor network
2. Detect worm
3. Confirm worm
4. Extract signature
5. Alert NOC, recommend actions
6. Isolate infected systems
7. Distribute signatures
8. Generate worm removal scripts
Network Deployment Scenario B: Inline-to-Data-Path
(Diagram: L3 cloud and access layer switches with worm sensor/filters placed inline in the data path and on a tap, a virtual network/signature extractor and the NOC; the numbered steps below are annotated on it.)
1. Monitor network
2. Detect worm
3. Confirm worm
4. Extract signature
5. Alert NOC, recommend actions
6. Isolate infected systems
7. Distribute signatures
8. Generate worm removal scripts
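Steps 4 and 7 of scenarios A and B (extract a signature, distribute it) and the inline filtering that scenario B places in the data path, as an added example that is not NetForts' code. The deck does not describe how its signature extraction works; the longest-common-substring approach here is one conventional way to do it and is an assumption of the example, as are the header `HDR`, the marker `MARKER` and every payload, all of which are constructed sample bytes rather than real worm or protocol data.

```python
"""Dynamic signature extraction and inline filtering (added example, not NetForts code).

Given payloads captured from flows already confirmed as worm traffic, this
finds the longest byte substring common to all of them, skips any candidate
that also appears in a corpus of benign traffic (the check behind a zero
false-positive claim), and turns the survivor into a port-scoped block rule of
the form the NOC slide recommends ("Block worm signature for Port 135/tcp").
Every payload below is constructed sample bytes, not real worm or protocol data.
"""

# Constructed: a header shared by all traffic on the port, benign and worm alike.
HDR = b"RPC-BIND:"
# Constructed marker that only the "worm" payloads carry; the hex digits reuse
# the signature value shown on the NOC slide purely as sample text.
MARKER = b"SAMPLE-WORM-MARKER-0x9678903897956729"

WORM_PAYLOADS = [
    HDR + b"\x01\x02AAAA" + MARKER + b"\x10\x11",
    HDR + b"\x03\x04BBBBBB" + MARKER + b"\x12",
    HDR + b"\x05\x06CC" + MARKER + b"\x13\x14\x15",
]
# Constructed "polymorphic" payloads: nothing in common beyond the header, so
# no signature can be extracted without also matching benign traffic.
POLYMORPHIC_PAYLOADS = [
    HDR + b"\xaa\xbb\xcc\xdd\xee\xff\x01\x02\x03\x04",
    HDR + b"\x10\x20\x30\x40\x50\x60\x70\x80\x90",
    HDR + b"zzzzzzzzzzzzzz",
]
BENIGN_PAYLOADS = [
    HDR + b"\x01\x02 normal bind request",
    HDR + b"\x03\x04 another ordinary request",
    b"GET /index.html HTTP/1.0\r\n\r\n",
]


def common_substrings(payloads, min_len):
    """Yield byte strings of length >= min_len shared by every payload, longest first."""
    shortest = min(payloads, key=len)
    seen = set()
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if cand in seen:
                continue
            seen.add(cand)
            if all(cand in p for p in payloads):
                yield cand


def extract_signature(worm_payloads, benign_payloads, min_len=8):
    """Longest common substring of the worm payloads that matches no benign
    payload; None when every candidate is too short or also hits benign data."""
    if not worm_payloads:
        return None
    for cand in common_substrings(worm_payloads, min_len):
        if not any(cand in b for b in benign_payloads):
            return cand
    return None


def build_block_rule(signature, port):
    """Port-scoped block rule; `display` is the hex form an operator would read."""
    return {
        "port": port,
        "signature": signature,
        "display": f"0x{signature.hex()}, port {port}/tcp",
    }


def is_blocked(rule, port, payload):
    """Inline filter decision: block only on the rule's port and only on a match."""
    return port == rule["port"] and rule["signature"] in payload


if __name__ == "__main__":
    sig = extract_signature(WORM_PAYLOADS, BENIGN_PAYLOADS)
    rule = build_block_rule(sig, 135)
    print("Worm signature:", rule["display"])
    print("worm payload blocked:", is_blocked(rule, 135, WORM_PAYLOADS[0]))
    print("benign payload blocked:", is_blocked(rule, 135, BENIGN_PAYLOADS[0]))
    print("polymorphic set:", extract_signature(POLYMORPHIC_PAYLOADS, BENIGN_PAYLOADS))
```

Two design points matter for the zero-false-positive claim: the candidate is checked against benign traffic before it is published, and the resulting rule is scoped to the port the worm was seen on, so the same bytes on another port are not blocked. The polymorphic set shows the failure mode the "Polymorphic worms" feature on the last slide has to address: when confirmed worm payloads share only the protocol header with benign traffic, a content signature cannot be extracted safely and the function returns None rather than a rule that would block legitimate requests.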
Network Deployment Scenario C: Signatures from Internet Sensors in Real-Time
(Diagram: Internet-based sensors feeding signatures to the intranet's worm sensor/filter behind the L3 cloud and access layer switches on a tap, and the NOC; the numbered steps below are annotated on it.)
1. Monitor Internet (Early Warning System)
2. Detect & Confirm Worm
3. Extract worm signatures
4. Alert NOC, recommend actions
5. Distribute Signatures
Real-time Worm Attack Notification
(Mock-up of the alert window shown at the NOC.)
Worm Attack Detected 4:35:30 pm
First Detected Infection: 4:35:27 pm (3 secs ago)
Detection Using: Traffic Analysis
Positive Confirmation: Yes
Subnets affected: 192.34.5.X, 195.33.7.X
Confirmed Infections: 3
Payload: None Detected
Spread rate: 15 scans/sec
Vulnerable Systems: Windows XP, Windows 2000
Ports affected: 135/tcp, 2233/tcp, 5556/tcp
Worm signature: 0x9678903897956729, port 135/tcp
Recommended Actions:
  - Block worm signature for Port 135/tcp
  - Block ports 2233/tcp, 5556/tcp
  - Isolate 192.34.5.78 (laptop1.xx.yy.com)
  - Isolate 192.34.5.9 (laptop2.xx.yy.com)
  - Isolate 195.33.7.4 (server2.xx.yy.com)
  - Isolate infections since report
[Approve All Checked Actions]
Unique Features
• Zero-day worm detection and containment
• Fast worm detection
• Stealth worm detection
  - Slow active
  - Passive
  - Polymorphic worms
• Worm containment for
  - Scanning worms
  - Topological worms
  - Passive worms
• Real-time payload analysis
• Time-delayed action and payload analysis
• Real-time worm signature determination
• Integration with existing infrastructure elements
• Operator in-the-loop & automated policy actions
• Zero False Positives
