NetForts aims to allow networks to react in real-time to evolving threats by creating products and services that can detect and contain zero-day worms. Their solution monitors network traffic to detect worms within seconds, even stealthy or passive ones, and dynamically extracts signatures without false positives. This allows automatic and manual containment actions including blocking ports and isolating infected systems, protecting enterprises from costly data loss and downtime from worms.
2. NetForts, Inc. Proprietary and Confidential 2
NetForts Mission Statement
Create Products and Services to Allow Networks to React in Real-Time to Rapidly Evolving Threats
3. Biggest Cyber-threat: Enterprise-Scale Worm in Minutes
1. Zero-day worm outbreak
2. No patches
3. No worm signatures
4. Rapid worm proliferation
5. Complete compromise of vulnerable systems
6. Manual repair & recovery
7. Possible loss of data
8. Downtime for critical systems
[Diagram: enterprise network with access-layer switches, a Layer 3 cloud and the NOC; steps 1 to 8 above are annotated on it]
4. Worms are World's Biggest Cyber-threat
A single worst-case worm can cause direct damages in excess of $120B for the US alone (DARPA study)
Next-Gen Worms will:
Target flaws on patch release day (first-day attacks)
Target unknown flaws (zero-day attacks)
Spread very fast: Internet scale in minutes
Have malicious payloads: delete, modify, expose data
Be able to launch a massive DDoS attack on the Internet
Any human-mediated response is inadequate
5. Stopping Worms: The Challenges
Zero-day attack, no signatures
Active propagation techniques
  Scanning
  Topologically directed (targets harvested from the infected host)
  Hit-list directed: flash worms
  Extremely fast spread rates
  Conversely: slow and stealthy motion
Passive propagation techniques
  Piggyback on existing traffic
  Infect via contagion
  Cause no unusual traffic pattern
  Easily cross firewall defenses
Worms may use multiple vectors
6. Existing Approaches
Signature Based NIDS/NIDP
  Inadequate against worms with no previously known signature
Protocol Anomaly Based NIDP
  Primarily designed for intrusion detection, not worms
  False positives and false negatives for unknown protocols/bugs
  Needs protocol anomaly detection updates
  May not detect/block all kinds of worms
Statistical Anomaly Based NIDS
  Long training period; false positives/negatives when training is improper
  Will not detect worms that don't trigger statistical anomalies
Worm-Oriented Traffic Analysis
  Typically fast horizontal-scan detection
  Difficult to use against stealthy worms
  False positives when sensitivity is increased, false negatives otherwise
Host Based IDP
  Requires every host to be correctly configured
  Performance penalty for normal operations
  Needs behavior-blocking template updates
  May not detect/block all kinds of network worms
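The horizontal-scan detector and its sensitivity trade-off from slide 6, as an added worked example; this is not NetForts code (the deck does not describe their detector) and the flow records, host addresses, window and thresholds are all constructed for the illustration. One run with a strict threshold misses the slow worm; one with a loose threshold catches the same fast worm, still misses the slow one, and flags a legitimate backup server.

```python
"""Threshold-based horizontal-scan detection over constructed flow records.

Added illustration (not NetForts code): count the distinct destination hosts
each source contacts on one port inside a sliding window and flag sources
that reach a threshold. The constructed traffic holds a fast scanning worm,
a slow "stealthy" worm and a legitimate backup server, so one run shows the
false-negative / false-positive trade-off of tuning the threshold.
"""
from collections import defaultdict, deque
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    ts: float     # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int


WINDOW = 10.0     # seconds of history kept per (source, destination port)
# Ground truth for the constructed traffic below (used only for scoring).
WORM_HOSTS = {"10.0.0.5", "10.0.0.9"}


def constructed_traffic() -> list[Flow]:
    """Constructed flows; no real traffic was captured for this example."""
    flows = []
    # Fast worm: 50 distinct hosts on TCP/445 within two seconds.
    for i in range(50):
        flows.append(Flow(100.0 + i * 0.04, "10.0.0.5", f"10.0.1.{i + 1}", 445))
    # Slow worm: one new target every six seconds, so at most two distinct
    # destinations ever fall inside a ten-second window.
    for i in range(20):
        flows.append(Flow(100.0 + i * 6.0, "10.0.0.9", f"10.0.2.{i + 1}", 445))
    # Legitimate backup server: polls the same eight file servers every 30 s.
    for rnd in range(4):
        for i in range(8):
            flows.append(Flow(100.0 + rnd * 30.0 + i * 0.1, "10.0.0.2",
                              f"10.0.3.{i + 1}", 445))
    # Ordinary workstation touching two file servers.
    flows.append(Flow(101.0, "10.0.0.3", "10.0.3.1", 445))
    flows.append(Flow(105.0, "10.0.0.3", "10.0.3.2", 445))
    return flows


def detect_scanners(flows: Iterable[Flow], threshold: int,
                    window: float = WINDOW) -> dict[str, float]:
    """Return {source: time first flagged} for sources that reach `threshold`
    distinct destinations on a single port within `window` seconds."""
    history: dict[tuple[str, int], deque] = defaultdict(deque)
    flagged: dict[str, float] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        q = history[(f.src, f.dport)]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:       # expire entries outside the window
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and f.src not in flagged:
            flagged[f.src] = f.ts
    return flagged


def evaluate(flagged: Iterable[str], worms: set[str] = WORM_HOSTS) -> dict[str, set[str]]:
    """Split flagged sources into true positives, false positives and misses."""
    f = set(flagged)
    return {"tp": f & worms, "fp": f - worms, "fn": worms - f}


if __name__ == "__main__":
    traffic = constructed_traffic()
    for threshold in (20, 5):
        print(threshold, evaluate(detect_scanners(traffic, threshold)))
```

With threshold 20 only the fast worm (10.0.0.5) is flagged and the slow worm (10.0.0.9) is missed; with threshold 5 the backup server (10.0.0.2) is flagged as well, and the slow worm is still missed because it never has more than two distinct destinations inside any window. No threshold on this counter separates the slow worm from the backup server, which is the point the slide makes about stealthy worms.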
7. NetForts Solution: Network-Level Worm Containment
Zero-day worm detection & containment at the network level
Detects and contains ALL kinds of worms: fast, stealthy, passive etc.
Dynamic signature extraction
Zero false positive rate
No manual signature updates required
No performance or availability penalty