Scalar Security Roadshow - Toronto Stop
DESCRIPTION
Presentations from the Toronto Stop of the Scalar Security Roadshow on March 4, covering technologies from Palo Alto Networks, F5, Splunk, and Infoblox.
TRANSCRIPT
© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
Security Road Show - Toronto
} 9:00am – 9:15am Welcome
} 9:15am – 9:45am Palo Alto Networks – You can’t control what you can’t see!
} 9:45am – 10:15am F5 – Protect your web applications
} 10:15am – 10:30am Break
} 10:30am – 11:00am Splunk – Big data, next generation SIEM
} 11am – 11:30am Infoblox – Are you fully prepared to withstand DNS attacks?
} 11:30am - 12:00pm Closing remarks, Q&A
} 12:00pm – 12:30pm Boxed Lunches
} Today’s Speakers
– Gary Coldwell – Palo Alto Networks
– Peter Scheffler – F5
– Gilberto Castillo – Splunk
– Ben Shelston – Infoblox
Background in architecting mission-critical data centre infrastructure
} Founded in 2004
} $125M in CY13 revenues
} 120 employees nationwide
} 25% growth YoY
} Nationwide presence: Toronto | Vancouver | Ottawa | Calgary | London
} Greater than 1:1 technical:sales ratio
} The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools
} Delivering infrastructure services which support core applications
WHY SCALAR?
Experience Execution Innovation
} Top technical talent in Canada
– Engineers average 15 years’ experience
} We train the trainers
– Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox
} Our partners recognize we’re the best
– Brocade Partner of the Year – Innovation
– Cisco Partner of the Year – Data Centre & Virtualization
– VMware Global Emerging Products Partner of the Year
– F5 Canadian Partner of the Year
– Palo Alto Networks Rookie of the Year
– NetApp Partner of the Year – Central
} Unique infrastructure solutions designed to meet your needs
– StudioCloud
– HPC & Trading Systems
} Testing Centre & Proving Grounds
– Ensuring emerging technologies are hardened, up to the task of Enterprise workloads
} Vendor Breadth
– Our coverage spans Enterprise leaders and emerging technologies for niche workloads & developing markets
“Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”
“We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”
“Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multi-disciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”
PALO ALTO NETWORKS
Protecting Against Modern Malware and the Evolution of Cyber Security
Garry Coldwells, Systems Engineer
March 2014
Palo Alto Networks at a glance
Corporate highlights
Palo Alto Networks is the Network Security Company
Safely enabling applications and preventing cyber threats
Founded in 2005; first customer shipment in 2007
Exceptional ability to support global customers
Experienced team of 1,300+ employees
Q1FY14: $128.2M revenue; 16,000 customers
(Chart: Enterprise customers – Jul-11: 4,700; Jul-12: 9,000; Jul-13: 13,500)
(Chart: Revenues, $MM, FYE July – FY09: $13; FY10: $49; FY11: $119; FY12: $255; FY13: $396)
16 | ©2013, Palo Alto Networks. Confidential and Proprietary.
How Time Has Changed
(Timeline figure: 1995 vs. 2012)
Levelset
The basics
Threat | What it is | What it does
Exploit | Bad application input, usually in the form of network traffic. | Targets a vulnerability to hijack control of the target application or machine.
Malware | Malicious application or code. | Anything – downloads, hacks, explores, steals…
Command-and-control (C2) | Network traffic generated by malware. | Keeps the remote attacker in control and coordinates the attack.
Indicators of compromise (IoC) | Indications that your network has been compromised. | Allows security teams to find and confirm breaches.
Known vs. unknown threats
Known threats
• Malware or exploits that have been seen before
• Commonly available and recycled
• Easily stopped by traditional security
Unknown threats
• Malware or exploits that have never been seen before
• Unique, and often custom-crafted
• Easily bypass traditional security
New Threat Landscape – State of the Union
Interests and motivations have also changed
From bored “geeks”
To nation states and organized crime
The new threat landscape
Commodity threats (very common, easily identified)
§ Mostly addressed by traditional AV and IPS
§ Low sophistication, slowly changing
§ Machine vs. machine
Advanced threat:
Organized cybercrime (more customized exploits and malware)
§ Somewhat more sophisticated payloads
§ Evasion techniques often employed
§ Sandboxing and other smart detection often required
Nation state (very targeted, persistent, creative)
§ Intelligent and continuous monitoring of passive network-based and host-based sensors
§ Comprehensive investigation after an indicator is found
§ Highly coordinated response is required for effective prevention and remediation
By the Numbers
Days - Of malware data accumulation
Networks - Covering 1,000+ live enterprise networks
Antivirus Vendors - Tested against 6 fully-updated, industry-leading antivirus products
Unknown Malware (zero-day) - Resulted in finding 26,000+ malware that had NO coverage at the time they were detected in the live enterprise network
Malware Delivery Vectors
90% Delivery via web-browsing/http
2% Delivery via eMail
Malware Vectors and Traditional Detection Times
(Chart: top 5 sources of unknown malware highlighted. FTP was a leading source and rarely detected.)
Regaining Control
§ Bring the right anti-malware technologies into the network
– End-point antivirus is falling way short
– Need to look way beyond eMail and Web
– 82 applications that are designed explicitly to avoid security (circumventors)
– 260 applications designed to tunnel within allowed protocols (encryption, tunneling)
§ Expect unknowns
– Implement a mechanism to take a deeper look at the unknown
– Real-time detection and blocking when possible
– Automate the kill chain to prevent manual response
§ Enforce user and application controls
– Minimize the attack surface by controlling who can transfer files, using which apps, in which direction and when
WildFire™ – automated network effect of sharing
§ Automatic detection in real time in private or public cloud
§ 10Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.)
§ Automatic generation of several defensive measures
§ Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection
§ Automatic installation of defensive measures provides full prevention immediately
§ Malware, DNS, URL, and C2 signatures automatically created based on WildFire intelligence and delivered to customers globally
§ You benefit from the threat intelligence of 2,500+ organizations across the industry
(Diagram: WildFire users, an optional WildFire appliance, soak sites, sinkholes and 3rd-party sources feed WildFire, which returns anti-malware signatures, DNS intelligence, a malware URL database and anti-C2 signatures – global intelligence and protection delivered to all users, covering command-and-control, staged malware downloads, host ID and data exfil.)
Unique Identifiers
Samples - Of malware with unique SHA256
Unique Identifiers - Observed in multiple malware samples
Identifiable Samples - Contained unique identifiers
Potential - To be blocked by unique identifier rather than hash/URI
Most Commonly Observed Malware Behaviours
Regaining Control
§ Implement technology with stream-based analysis of headers and payloads
– Block polymorphic variants using identifiers rather than hash or URI
§ Establish a solid baseline of ‘normal’ behaviour
– Knowing what is normal allows the abnormal to become very apparent
§ Investigate and remediate unknowns
– Investigate unknowns and make it a goal to keep them below an acceptable threshold
§ Restrict access to unknown, newly registered and dynamic DNS domains
– The internet is dynamic, so restrict executables from these, implement SSL decryption and block HTTP-POST
§ Control eMail traffic flow
– Only allow email traffic in/out between mail gateway and destination and never allow email bypassing the corporate mail gateway
Malware Use of Non-Standard Ports by Application
Regaining Control
§ Restrict applications to their standard ports
– Especially limit FTP to its well-known ports
Regaining Control over Modern Threats
New Requirements for Threat Prevention
1. Visibility into all traffic regardless of port, protocol, evasive tactic or SSL
2. Stop all types of known network threats (IPS, Anti-malware, URL, etc.) while maintaining multi-gigabit performance
3. Find and stop new and unknown threats even without a pre-existing signature
A Next-Generation Cybersecurity Strategy
Everything must go in the funnel
Reduce the attack surface
Block everything you can
Test and adapt to unknowns
Investigate and cleanup
The Bigger Picture
Imperatives to be secure
§ Evolving from incident response mindset to intelligence mindset
§ No intelligence exists without visibility
§ Applying the intelligence and resulting IOCs to the kill chain
§ Sharing what you know
Can’t understand what you don’t know
§ You don’t have intelligence if you don’t have visibility
§ Visibility required across the whole network
§ Ideally, you can see and understand applications, content, and users
§ Then make sense of what you see
Share what you know
§ In the cyber security battle, sharing is key
§ Three ways this is happening
1. External – industry initiatives
2. External – technology partnerships
3. Internal – your security technology should leverage the network
(Diagram: virtualized deployment options – vSphere virtual firewall as a guest VM (VM-100, VM-200, VM-300 gateway editions); NSX virtual firewall as a hypervisor service (VM-1000-HV edition, modeled from VM-300); automated deployment via Panorama.)
Regaining Control
A Next-Generation Cybersecurity Strategy (1): Everything must go in the funnel
• Inspect all traffic
• 35% of all applications use SSL
• Non-standard ports and tunneled traffic
• Make NO assumptions
A Next-Generation Cybersecurity Strategy (2): Reduce the attack surface
• High risk applications and features
• Block files from unknown domains
• Find and control custom traffic
• Implement POSITIVE Security
A Next-Generation Cybersecurity Strategy (3): Block everything you can
• Exploits, malware, C2
• Variants and polymorphism
• DNS, URLs, malicious clusters
• Implement NEGATIVE Security
Strategy for Modern Threat Prevention: Test and adapt to unknowns
• Static, behavioral and anomaly analysis
• Automatically create and deliver protections
• Share globally
• Implement Zero-Day Security
A Next-Generation Cybersecurity Strategy (5): Investigate and cleanup
• Feed the SIEM
• Share indicators of compromise
• Integrate with end-point security
• Evolve from Incident Response to Security Intelligence
F5
F5 Security for an application driven world
© F5 Networks, Inc 59 CONFIDENTIAL
F5 Provides Complete Visibility and Control Across Applications and Users
(Diagram: Intelligent Services Platform on TMOS – Users: securing access to applications from anywhere; Resources: protecting your applications regardless of where they live. Services: Network Firewall, Protocol Security, DDoS Protection, Dynamic Threat Defense, DNS, Web Access.)
Security Trends and Challenges
(Figure: timeline of publicly reported security incidents from May 2012 to June 2013, plotted by attack type (spear phishing, physical access, XSS, unknown) and victim sector (banks, government, online services, telcos, education, news and media, DNS providers, software, utilities, automotive, retail and others). Size of circle estimates relative impact of incident in terms of cost to business.)
More sophisticated attacks are multi-layer: Application, SSL, DNS, Network
The business impact of DDoS
• Cost of corrective action
• Reputation management
OWASP Top 3 Application Security Risks
1 – Injection
Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.
2 – Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity.
3 – Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.
Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
The F5 Approach
Full Proxy Security
(Diagram: the full proxy terminates the client side and the server side separately at every layer – Physical, Network, Session, Application, Web application – with enforcement at each:)
• L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
• SSL inspection and SSL DDoS mitigation
• HTTP proxy, HTTP DDoS and application security
• Application health monitoring and performance anomaly detection
The F5 Application Delivery Firewall – Bringing deep application fluency to firewall security
One platform: SSL inspection, traffic management, DNS security, access control, application security, network firewall (EAL2+; EAL4+ in process), DDoS mitigation
Positive vs Negative
• Positive Security
– Known good traffic
– Permit only what is defined in the security policy (whitelisting)
– Block everything else
• Negative Security
– Known-bad traffic
– Pattern matching for malicious content using regular expressions
• Policy enforcement is based on a Positive security logic
• Negative security logic is used to complement Positive logic
How Does It Work? Security at application, protocol and network level
(Diagram: request made → security policy checked → enforcement, content scrubbing, application cloaking → server response → security policy applied → response delivered. Actions: log, block, allow.)
“BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”
1 Start by checking RFC compliance
2 Then check for various length limits in the HTTP
3 Then we can enforce valid types for the application
4 Then we can enforce a list of valid URLs
5 Then we can check for a list of valid parameters
6 Then for each parameter we will check for max value length
7 Then scan each parameter, the URI, the headers
Sample request:
GET /search.php?name=Acme's&admin=1 HTTP/1.1
Host: 172.29.44.44
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Accept:text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://172.29.44.44/search.php?q=data
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
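As an added example (not F5's code and not an ASM policy export), the following Python walks the seven checks above over the slide's sample request. The POLICY for /search.php, the SIGNATURES list and the helper names are assumptions; the request is the one shown on the slide, re-typed with its line endings.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request reproducing the one on the slide (not F5's code).
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Accept-Encoding: gzip,deflate,sdch\r\n"
    "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n"
    "\r\n"
)

# Hypothetical positive-security policy for the search application (assumed, not
# an ASM export): only what is listed is permitted, everything else is reported.
POLICY = {
    "methods": {"GET", "POST", "HEAD"},
    "max_request_line": 2048,
    "max_headers": 32,
    "max_header_value": 1024,
    "file_types": {"php", "html", ""},  # "" = no extension, e.g. "/"
    "urls": {"/", "/index.php", "/search.php"},
    "parameters": {"/search.php": {"q": 64, "name": 32}},  # name -> max length
}

# Negative-security complement (step 7): a few well-known patterns applied to
# every parameter value, the URI and every header value.
SIGNATURES = [
    ("sql-tautology", re.compile(r"'\s*(?:or|and)\s+[\w']+\s*=", re.I)),
    ("sql-union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("html-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/1\.[01])$")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (request_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0].rstrip("\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def check_request(raw, policy=POLICY):
    """Return (check, detail) violations, following the slide's order of checks."""
    try:
        request_line, headers = parse_request(raw)
    except ValueError as exc:
        return [("rfc", str(exc))]
    # 1. RFC compliance: method, target and version must parse.
    m = REQUEST_LINE.match(request_line)
    if not m:
        return [("rfc", request_line)]
    method, target, _version = m.groups()
    violations = []
    if method not in policy["methods"]:
        violations.append(("method", method))
    # 2. Length limits on the request line and the headers.
    if len(request_line) > policy["max_request_line"]:
        violations.append(("length", "request line"))
    if len(headers) > policy["max_headers"]:
        violations.append(("length", "header count"))
    violations += [("length", "header " + n) for n, v in headers
                   if len(v) > policy["max_header_value"]]
    # 3. Allowed file types, taken from the last path segment.
    url = urlsplit(target)
    last = url.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    if ext not in policy["file_types"]:
        violations.append(("file-type", ext))
    # 4. Allowed URLs.
    if url.path not in policy["urls"]:
        violations.append(("url", url.path))
    # 5./6. Allowed parameters for this URL, each with a maximum value length.
    allowed = policy["parameters"].get(url.path, {})
    params = parse_qsl(url.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:
            violations.append(("parameter", name))
        elif len(value) > allowed[name]:
            violations.append(("value-length", name))
    # 7. Signature scan of the URI, each parameter value and each header value.
    scopes = [("uri", target)] + [("param:" + n, v) for n, v in params]
    scopes += [("header:" + n, v) for n, v in headers]
    for scope, text in scopes:
        for sig, pattern in SIGNATURES:
            if pattern.search(text):
                violations.append(("signature", sig + " in " + scope))
    return violations
```

On the slide's request the only finding is the undeclared `admin` parameter: the positive policy catches it even though no signature matches, which is the point of enforcing a whitelist before pattern matching.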
Automatic HTTP/S DOS Attack Detection and Protection
• Accurate detection technique—based on latency
• Three different mitigation techniques escalated serially
• Focus on higher value productivity while automatic controls intervene
(Diagram: detect a DOS condition → identify potential attackers → drop only the attackers)
To Simplify: Application-Oriented Policies and Reports
IP INTELLIGENCE
(Diagram: the IP intelligence service, with IP address feed updates every 5 min and a geolocation database, protects custom and financial applications by classifying sources – botnets, attackers, anonymous requests and anonymous proxies, scanners, restricted regions or countries, and internally infected devices and servers.)
Built for intelligence, speed and scale
• Concurrent user sessions: 100K
• Concurrent logins: 1,500/sec.
• Throughput: 640 Gbps
• Concurrent connections: 288 M
• Connections per second: 8 M
• SSL TPS (2K keys): 240K/sec
• DNS query response: 10 M/sec
Application Delivery Firewall – iRules extensibility everywhere
Products
Advanced Firewall Manager
• Stateful full-proxy firewall
• Flexible logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and Session anti-DDoS
Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication infrastructure
• Endpoint security, secure remote access
Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring
Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection
Global Traffic Manager & DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto
(Platform capabilities: SSL inspection, traffic management, DNS security, access control, application security, network firewall, DDoS mitigation)
The F5 DDoS Protection Reference Architecture f5.com/architectures
Explore
Summary
• Customers invest in network security, but most significant threats are at the application layer
• Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data
• A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges
• F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access
BREAK
SPLUNK
Copyright © 2014 Splunk Inc.
Splunk for Security Intelligence
Splunk Overview
Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Regional HQ: London, Hong Kong
• Over 1000 employees, based in 12 countries
• 2012 Revenue: $199M (YoY +60%)
Business Model / Products
• Free download to massive scale
• Splunk Enterprise, Splunk Cloud
• Hunk: Splunk Analytics for Hadoop
6,400+ Customers
• Customers in over 90 countries
• 60 of the Fortune 100
• Largest license: Over 100 Terabytes per day
Make machine data accessible, usable and valuable to everyone.
The Accelerating Pace of Data
Volume | Velocity | Variety | Variability
(Diagram of machine data sources: GPS, RFID, hypervisor, web servers, email, messaging, clickstreams, mobile, telephony, IVR, databases, sensors, telematics, storage, servers, security devices, desktops)
Machine data is the fastest growing, most complex, most valuable area of big data
The Splunk Security Intelligence Platform
(Diagram: machine data sources – online services, web services, servers, security, GPS location, storage, desktops, networks, packaged and custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID – flow into HA indexes and storage on commodity servers, supporting the security use cases of forensic investigation, security operations, compliance and fraud detection.)
Rapid Ascent in the Gartner SIEM Magic Quadrant
(Figure: Magic Quadrant positions for 2011, 2012 and 2013)
Industry Accolades
• Best SIEM Solution
• Best Enterprise Security Solution
• Best Security Product
Over 2800 Global Security Customers
120+ security apps; Splunk App for Enterprise Security
Splunk Security Intelligence Platform – Partner Ecosystem
Palo Alto Networks, NetFlow Logic, FireEye, Blue Coat Proxy SG, OSSEC, Cisco Security Suite, Active Directory, F5 Security, Juniper, Sourcefire
What is the Value Add to Existing Customers?
Visibility and Correlation of Rich Data; Improved Security Posture; Configurable Dashboard Views
All Data is Security Relevant = Big Data
(Diagram: traditional SIEM sources – intrusion detection, firewall, data loss prevention, anti-malware, vulnerability scans, authentication – plus servers, service desk, storage, desktops, email, web, call records, network flows, DHCP/DNS, hypervisor, custom apps, industrial control, badges, databases, mobile)
Making Sound Security Decisions
Log data, binary data (flow and PCAP), context data and threat intelligence feeds – Volume, Velocity, Variety, Variability – feed security decisions
Case #1 - Incident Investigation/Forensics
• Often initiated by alert in another product
• May be a “cold case” investigation requiring machine data going back months
• Need all the original data in one place and a fast way to search it to answer:
– What happened and was it a false positive?
– How did the threat get in, where have they gone, and did they steal any data?
– Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed
Suspect A Suspect B
Suspect C
client=unknown[99.120.205.249]<160>Jan 2616:27 (cJFFNMS
DHCPACK=ASCII from host=85.196.82.110
truncating integer value > 32 bits <46>Jan ASCII from client=unknown
Accomplice A
Accomplice B
January February March April
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-‐002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Sexngs/smithe/Local Sexngs/Temp/evil.tmp,"""",Actual ac8on: Quaran8ned,Requested ac8on: Cleaned, 8me: 2009-‐01-‐23 03:19:12,Inserted: 2009-‐01-‐23 03:20:12,End: 2009-‐01-‐23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -‐> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classifica8on: Poten8al Corporate Privacy Viola8on] Credit Card Number Detected in Clear Text [Priority: 2]:
20130806041221.000000Cap8on=ACME-‐2975EB\Administrator Descrip8on=Built-‐in account for administering the computer/domainDomain=ACME-‐2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-‐1-‐5-‐21-‐1715567821-‐926492609-‐725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts
95
Case #2 – Real-‐8me Monitoring of Known Threats Sources
Time Range
Intrusion DetecQon
Endpoint Security
Windows AuthenQcaQon
All three occurring within a 24-‐hour period
Example CorrelaQon – Data Loss
Source IP
Source IP
Source IP Data Loss
Default Admin Account
Malware Found
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
08/09/2013 16:23:51.0128event_status="(0)The operation completed successfully. "pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type ="CreateKey"key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Printers Print\Providers\ John Doe-PC\Printers\{}\ NeverSeenbefore" data_type""
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected] , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z
Case #3 – Real-time Monitoring of Unknown Threats
Example Correlation – Spearphishing
Sources (all three occurring within a 24-hour period): Endpoint Logs, Web Proxy, Email Server
Joined on User Name: Rarely seen email domain (email server) + Rarely visited web site (web proxy) + Rarely seen service (endpoint logs)
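The two correlation cases above, as an added Python example that is neither Splunk's code nor the deck's own material: events from three sources are joined on Source IP (Case #2) or User Name (Case #3) and a hit is raised only when every source reports inside one 24-hour window; Case #3 first filters each source down to values that are rare against a historical baseline. The parsed events, their timestamps, the control cases and the baseline counts are all constructed here (values are borrowed from the sample logs on the slides); parsing of the raw syslog, W3C and Exchange lines is left out.

```python
"""Cross-source correlation in the spirit of the two Splunk case slides.

Added example; it is not Splunk code and not from the deck. Events from three
sources are joined on a shared key (Source IP for Case #2, User Name for
Case #3) and a hit is raised only when every required source reports within
one 24-hour window. Case #3 first filters each source down to values that are
rare against a historical baseline. All sample events and the baseline counts
are constructed; values are borrowed from the slides' sample logs.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)


def ev(ts, source, key, value, detail=""):
    """Build one already-parsed event (raw log parsing is out of scope here)."""
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": source, "key": key, "value": value, "detail": detail}


def correlate(events, required_sources, window=WINDOW):
    """Return {key: [events]} for every key where all required sources fire
    at least once inside some sliding window of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["key"]].append(e)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            seen = {}
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                seen.setdefault(e["source"], e)   # earliest event per source
            if set(required_sources) <= set(seen):
                hits[key] = sorted(seen.values(), key=lambda e: e["ts"])
                break
    return hits


def rare_only(events, baseline, threshold=2):
    """Keep events whose (source, value) pair was seen fewer than `threshold`
    times in the historical baseline: the 'rarely seen' test of Case #3."""
    return [e for e in events if baseline[(e["source"], e["value"])] < threshold]


# Case #2: known threats joined on Source IP. Timestamps for 10.11.36.20 are
# constructed to fall in one day; 10.11.36.99 is a control whose third source
# arrives two days later, so it must not fire.
CASE2_EVENTS = [
    ev("2013-08-08 04:12:21", "winauth", "10.11.36.20", "Administrator", "built-in admin account, SID ends in -500"),
    ev("2013-08-08 06:17:24", "endpoint", "10.11.36.20", "Hackertool.rootkit", "virus found, quarantined"),
    ev("2013-08-08 08:26:54", "ids", "10.11.36.20", "cc-cleartext", "Credit Card Number Detected in Clear Text"),
    ev("2013-08-08 09:00:00", "ids", "10.11.36.99", "cc-cleartext"),
    ev("2013-08-08 09:30:00", "endpoint", "10.11.36.99", "Hackertool.rootkit"),
    ev("2013-08-10 12:00:00", "winauth", "10.11.36.99", "Administrator"),
]

# Case #3: unknown threats joined on User Name after a rarity filter.
CASE3_EVENTS = [
    ev("2013-08-09 12:40:25", "email", "John Doe", "rare-sender.example", "Please open this attachment with payroll information"),
    ev("2013-08-09 16:21:38", "proxy", "John Doe", "www.neverbeenseenbefore.com"),
    ev("2013-08-09 16:23:51", "endpoint", "John Doe", "neverseenbefore.exe", "CreateKey under a Printers\\Providers key"),
    ev("2013-08-09 10:00:00", "email", "Jane Roe", "acmetech.com"),
    ev("2013-08-09 10:05:00", "proxy", "Jane Roe", "intranet.example"),
    ev("2013-08-09 10:06:00", "endpoint", "Jane Roe", "svchost.exe"),
]
# Constructed baseline: how often each value was seen over the previous 30 days.
BASELINE = Counter({("email", "acmetech.com"): 800,
                    ("proxy", "intranet.example"): 5000,
                    ("endpoint", "svchost.exe"): 20000})


def case2_hits():
    return correlate(CASE2_EVENTS, {"ids", "endpoint", "winauth"})


def case3_hits():
    return correlate(rare_only(CASE3_EVENTS, BASELINE), {"email", "proxy", "endpoint"})


if __name__ == "__main__":
    for name, hits in (("Case #2 (Source IP)", case2_hits()), ("Case #3 (User Name)", case3_hits())):
        for key, chain in hits.items():
            print(f"{name}: {key}")
            for e in chain:
                print(f"  {e['ts']}  {e['source']:8}  {e['value']}  {e['detail']}")
```

Only 10.11.36.20 and John Doe fire: the control host has all three sources but not within 24 hours, and Jane Roe's values are all common in the baseline, which is the difference between a raw three-way join and the "rarely seen" correlation the slide describes.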
$500k Security ROI @ Interac
• Challenges: Manual, costly processes
– Significant people and days/weeks required for incident investigations. $10k+ per week.
– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
• Enter Splunk: Fast investigations and stronger security
– Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
– Splunk reduced investigation time to hours. Reports can be created in minutes.
– Real-time correlations and alerting enable fast response to known and unknown threats
– ROI quantified at $500k a year. Splunk TCO is less than 10% of this.
“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.”
– Josh Diakun, Security Specialist, Information Security Operations
Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize with reliance on pre-built rules which generated false positives
• Enter Splunk: Flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered team
– 900 GB/day and searches take < a minute. 7 global data centers with 350TB stored data
– Estimate Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for ‘big data’ use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.”
– Gavin Reid, Leader, Cisco Computer Security Incident Response Team
Security and Compliance @ Barclays
• Challenges: Unable to meet demands of auditors
– Scale issues, hard to get data in, and impossible to get data out beyond summaries
– Not optimized for unplanned questions or historical searches
– Struggled to comply with global internal and external mandates, and to detect APTs
– Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
• Enter Splunk: Stronger security and compliance posture
– Fines avoided as searches easily turned into visualizations for compliance reporting
– Faster investigations, threat alerting, better risk measurement, enrichment of old data
– Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
– Other teams using Splunk for non-security use cases improves ROI
“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.”
– Stephen Gailey, Head of Security Services
Splunk Key Differentiators (vs. Traditional SIEM)
• Single product, UI, data store
• Software-only; install on commodity hardware
• Quick deployment + ease-of-use = fast time-to-value
• Can easily index any data type
• All original/raw data indexed and searchable
• Big data architecture enables scale and speed
• Flexible search and reporting enables better/faster threat investigations and detection, incl. finding outliers/anomalies
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance
For your own AHA! moment, reach out to your Scalar and Splunk team for a demo. Thank you!
INFOBLOX
103 | © 2013 Infoblox Inc. All Rights Reserved.
DNS as a Threat & Threats to DNS
Benoit Shelston, Senior Systems Engineer
Agenda
Why is DNS a target? What types of attacks?
DNS Threats
Infoblox Overview
Infoblox Advanced DNS Protection
Infoblox Overview
Founded in 1999
Headquartered in Santa Clara, CA with global operations in 25 countries
Market leadership • Gartner “Strong Positive” rating • 40%+ Market Share (DDI)
7,000+ customers, 64,000+ systems shipped
35 patents, 29 pending
IPO April 2012: NYSE BLOX
Leader in DNS, DHCP, and IP Address Management
Diverse Customer Base in All Key Verticals (logo chart): Technology, Manufacturing, Telecom, Government, Retail, Healthcare, Financial Services, Other; recent new customers; exposure to industry top-10 leaders
Why is DNS an Ideal Target?
• DNS is a bootstrap to networks and applications
• DNS is easy to exploit
• DNS can be both the threat, and the target
• No one is looking
DNS downtime means business downtime
DNS Attacks up 216%
Bar chart (Source: Arbor Networks), share of survey respondents reporting attacks by protocol: Other 9%, IRC 6%, SIP/VOIP 20%, HTTPS 54%, SMTP 25%, DNS 77%, HTTP 82%
Pie chart (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013), infrastructure attack vectors: UDP FRAGMENT 17.11%, SYN 14.56%, UDP FLOODS 13.15%, ICMP 9.71%, DNS 9.58%, CHARGEN 6.39%, ACK 2.81%, RESET 1.4%, FIN PUSH 1.28%, SYN PUSH 0.38%, RP 0.26%, TCP FRAGMENT 0.13%
~ 10% of infrastructure attacks targeted DNS
~ 80% of organizations experienced application layer attacks on DNS
DNS Threats Landscape
• Three types of DNS attacks
– Attack as Infrastructure: Attacks primarily focused on disruption of DNS services (and everything else with it)
– Protocol Exploitation: Attacks that use DNS as a vector for business exploitation
– Platform Hacks: Exploit the underlying DNS platform to take control of DNS (for defacement, or redirection)
DNS Infrastructure Attacks Example
• Traditional DOS
• Distributed DOS
• Amplification
• Reflection
• …and the dreaded combination: Distributed Reflection DOS (DrDOS)
(diagram: Command & Control, DNS Server)
Most DDoS Attacks Use Name Servers
• Why? Because name servers make surprisingly good amplifiers. This one goes to eleven…
DDoS Illustrated (diagram): an evil resolver sends a spoofed query to open recursive name servers; the response goes to the spoofed address, the target.
$ dig @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec ; <<>> DiG 9.9.1-P1 <<>> @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34036 ;; flags: qr aa; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 15 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;isc.org. IN ANY ;; ANSWER SECTION: isc.org. 7200 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013090300 7200 3600 24796800 3600 isc.org. 7200 IN RRSIG SOA 5 2 7200 20131002233248 20130902233248 50012 isc.org. hUfqnG5gKbygAeVRHjP5As31lsheMKNPD7g9MJlWZTrmD2de6Z/eCwUX kQxRT5TV0lFWjtGFuA0a4svbCZ1qHS9d/rhWc7IMziu2u+L9tbho+c4j szvGAJ9kYvalNbgpmkHdm+wmOHWmiY3cYKcl5Ps8gs5N0Q1JdkaCARPF HQs= isc.org. 7200 IN NS sfba.sns-pb.isc.org. isc.org. 7200 IN NS ns.isc.afilias-nst.info. isc.org. 7200 IN NS ams.sns-pb.isc.org. isc.org. 7200 IN NS ord.sns-pb.isc.org. isc.org. 7200 IN RRSIG NS 5 2 7200 20131002233248 20130902233248 50012 isc.org. Fdfb5ND2XUlnk/nPcPOaNBCK6307LdrhC/dqdS+TMtBjKMmXU2NJBl0h D8fOnOdKbzlwNk1JLPXq25znMNBw+ZdjMekctR2r2jTO2Xm9mT+su4ff 8r1pMcUGhpsq73V6NjIbgA3LT6zfv4gWyFdos60Ma/Bsq26SmpECQFNA RpI= isc.org. 60 IN A 149.20.64.69 isc.org. 60 IN RRSIG A 5 2 60 20131002233248 20130902233248 50012 isc.org. CkSV2VzLktJGH2PXEJl1QssxeyyUYM5pALjb06NMW0BC5vcFyuQYng2l NE/Z0J1XIHflWwGo9Gv1YZ0u/K6rGPXwgWmkl/6t0T8uNtk9u3XDhaMx QBg2P2ZAp1NEg6r3ccznGu9y+Q71g/IxcK+5Ok7gI8L18hBTi+vpCAKY q6A= isc.org. 7200 IN MX 10 mx.pao1.isc.org. isc.org. 7200 IN RRSIG MX 5 2 7200 20131002233248 20130902233248 50012 isc.org. fiALi/ebGauXvqfL4vHt5YzgIY/X0kh2WNE37wICVU6BYKkqDuWF2h5T 4ry2TmdcKj4pqVOJVSDF/A7zzRPkcpcwibTM8h5yDEMJzELAsSimj2mX BFsqTgFGtDXIGV9IU7qryFkVMrDlj9gcLkTlg1EZpyxwQH2y2XCT5BhA bQA= isc.org. 7200 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 7200 IN TXT "$Id: isc.org,v 1.1845 2013-08-16 16:16:50 dmahoney Exp $" isc.org. 
7200 IN RRSIG TXT 5 2 7200 20131002233248 20130902233248 50012 isc.org. J0UV7iIvQn7Pzu/itUN1JH4hLg8bjQo/73kBef/T/yzx/P8t6VX+MYDC ysyXNigSi1JPoWfYt7qu6eXcALQEwJ/Z156Rebefjls4R18wr+BttzWF ICb+zJ7K7o4meckc7ZQr12gIAXjij09dr9omYoObWo6/IH76S6N3Er4i xdg= isc.org. 60 IN AAAA 2001:4f8:0:2::69 isc.org. 60 IN RRSIG AAAA 5 2 60 20131002233248 20130902233248 50012 isc.org. OBWafw6hmgueTvaL06Q3zzpKODW3OIWKxHr3Z30mag1vJW5ECwlkK3xI lPr4A1Rg6SZiJp78yewBWkDB0436cY1uCJ0yzsk9YWlLW/5hScy1ueaH s2tfymZD7UdOh0FuLs05gunsxK2Of3DCG3Zh3cD4FMnu8ju1CuLD2+dU W1U= isc.org. 7200 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org. isc.org. 7200 IN RRSIG NAPTR 5 2 7200 20131002233248 20130902233248 50012 isc.org. s9cuc6O0e2kgBNffd6dyJyJH1Zm5Wd0pRO1q5aKMc7UsiKFUI7MI7Q8N VzTqwM/zWh2VzvtV/w1O3IHuSiXBN9k51Loy4WGHJSDcXs865PWjHJwJ jRqfz1bE+LsW/aZD2Ud/iGyhCoQPeZIOcqB6plB+keIf3mGR0bHkdjV+ Zw4= isc.org. 3600 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF isc.org. 3600 IN RRSIG NSEC 5 2 3600 20131002233248 20130902233248 50012 isc.org. K3/RL0nn54FkFvcPnaecG26JjQVCZL1g41zB02YssxZnE/3lX9X4O8uk DrONRdvKEeMq51YUy8NBljWAlPOIRYD0lWUMrXuSNHMyGIFwHFIZqNrN CuQUl+24oPQXi3/wWX0TGH5XW9XF2IB+Dc1zdP/5qRHiKCjAnYDNE384 PAQ= isc.org. 7200 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd isc.org. 7200 IN DNSKEY 256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU= isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 12892 isc.org. 
ioYDVytf4YoAHCVxdz6U/fuQCaH2f2XVUExEexo48e55vLVSre5GkBG1 Wyn/4FeWLOUVWm5HElbL/hK2QEResp0csAwTnllU7W8fM65aS7pIO9JZ QWMvkPxQjsTYzEP1P2GA8NVGRUhz17RMLLSFgAJS9aEI7xK0fMwsd9U4 Az+B9J8xVz5GGMb8FStEXMYauE9r8Z5G4ZzRZUv619lXYH+Uhha5QUfq IcVYvtOt+QLlwdWV4Kt3fp3m6KveBAnIiorPSjOd40PfWZD3CQ4GqVIc EyYai55bKN1hVgtFRhL8MqGexvbPvU49RKekeJihf7pzfM6nlo5+Xqvj WBe+EQ== isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 50012 isc.org. HFc6EpppK8DieQnYccCLEMuP3uhCFENhY9pwbqcwYh9fVOMMeEim/XSy QIk9FsVGZnXw2SgC946gSXnTkLdaogwibOZLq2oJ0UGbsF2+4SreLIx0 nv6EyJh1WSxfQrh7DCFtuMSBUMBleJjOfPC12zTzFetu2qgNM4hCov8p 3vA= isc.org. 7200 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 7200 IN RRSIG SPF 5 2 7200 20131002233248 20130902233248 50012 isc.org. enxTFXMYwtZW9rmS2eZ0svQwlaRJn3whFCblQ2mpqjtT3BxuqpGcvlbC jwjLxNhn89x2Y2//pkN1EPvgwr2yd7lIBoLV9X/VnGCH/sBlNaRtckk2 SE75cuH2L7jkR1D6JCHCwLnQHpiHbYeLWWzW18yifj33TOrRU7HwUrha aN0= ;; ADDITIONAL SECTION: ams.sns-pb.isc.org. 7200 IN A 199.6.1.30 ams.sns-pb.isc.org. 7200 IN AAAA 2001:500:60::30 ord.sns-pb.isc.org. 7200 IN A 199.6.0.30 ord.sns-pb.isc.org. 7200 IN AAAA 2001:500:71::30 sfba.sns-pb.isc.org. 7200 IN A 149.20.64.3 sfba.sns-pb.isc.org. 7200 IN AAAA 2001:4f8:0:2::19 mx.pao1.isc.org. 3600 IN A 149.20.64.53 mx.pao1.isc.org. 3600 IN AAAA 2001:4f8:0:2::2b asterisk.isc.org. 300 IN A 149.20.32.15 ams.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20131002233248 20130902233248 50012 isc.org. EyCDObCGhMVQeLsZEFsK6k72FT0Y0Ps3XhiZmusKDz/yl7K8eclF3+Zd y7u61A9nSEHbeLR7t3IbXuQgXOsBaYYEQBZ+YXwdpMQoSL02TbUsCa8t Qtap2EK9xJDajbfTR4kEYjCg6PtneOKGVCvQcC3Le2QEuM+aviEkWU6h Feo= ams.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20131002233248 20130902233248 50012 isc.org. RFpmtA/CAZOExrl8Pc6tDW38Eoc/xXxtuoS634xllKoM77zhGLx6vLRR wiH3Ny1gW++hyj6b6LMDVbBEm7vAMVxrOQVYM5fWtYCF/cN4IHVlti33 /Hgiuk2SSdsZEgeAu57FgxgZIMaO0TsB6YkpI3cgb1H6usISSEE3Cgng 6gU= ord.sns-pb.isc.org. 
7200 IN RRSIG A 5 4 7200 20131002233248 20130902233248 50012 isc.org. N/zYhIB9XSungjF+TaCdjtOnN5K8FCuRwMb3cjlr9DRU4hVJjFJOi8LP aNlBJQlWQKCirYsFqPw1/K0U9djvkEyU3W7JsdkE89Ep/4QX9M4Jt++w 9ZTFQO+e9SNPimQdjjEC5FbRYYfls7KX0V79gL9vG9dxqGMDNtGNJaFU NOE= ord.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20131002233248 20130902233248 50012 isc.org. H5eByfYUHm4c8V12auNIl1QhQL4UA9MV9w1wQPJiU/Rtxbfvvrl3rlVj ulUP6v4R5NVO3lad7bsNPb9xMou1qOC5FL9fn0MVFqU+qCwQ7GIRxyA6 fQaFKBNrOL6iiVbC6LbE+2uZPR6Z0HTD8L7pgAaNJ9YmrVZCU/F5pHy9 cso= sfba.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20131002233248 20130902233248 50012 isc.org. sr0nh5ZbxmbnGaduo4ri1tHpPR4+D0Mf4WpEjzu21+iEBkgc3M1XdYCT gCpd8JRCEcz+gIu8wXQI5+29mUrK3QwPCIWJNx/AKol7TbIPxrYoKCiv pZv7yTwO2bC1SGfcNXZAm5UuKU0jl7jeIe2oIkHMrlPVFd2E6XKG9iWL ngA= ;; Query time: 35 msec ;; SERVER: 2001:4f8:0:2::19#53(2001:4f8:0:2::19) ;; WHEN: Wed Sep 4 11:14:01 2013 ;; MSG SIZE rcvd: 4077!
Amplification: They Go Past Eleven…
• Query for isc.org/ANY: 36 bytes sent, 4077 bytes received, ~113x amplification!
A Little Math
• Say each bot has a measly 1 Mbps connection to the Internet
• It can send 1Mbps/36B =~ 28K qps
• That generates 28K * 4077B =~ 913 Mbps
• So 11 bots > 10 Gbps
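Where the 36 bytes and the ~113x on these slides come from, as an added Python example that is not from the deck or from Infoblox: the function below sizes a single-question DNS query on the wire (header, QNAME, QTYPE/QCLASS, and the EDNS0 OPT record that `+dnssec` adds) and turns a reply size into an amplification ratio, so an operator can audit their own authoritative zones for the query types worth limiting or minimising. Only the 4077-byte ANY reply is taken from the slide; the other per-type reply sizes and the 20x threshold are constructed.

```python
"""Wire size of a DNS query and the amplification ratio of its reply.

Added example, not from the deck or from Infoblox. It reproduces why the
`dig ... any isc.org +dnssec` query on the previous slides is 36 bytes and
turns the reply size into an amplification ratio, so an operator can audit
their own authoritative zones for the query types worth limiting (minimal
ANY answers, response rate limiting). The per-type reply sizes below are
constructed except for the ANY reply, whose 4077 bytes come from the slide.
"""

DNS_HEADER = 12     # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QTYPE_QCLASS = 4    # 2 bytes each
EDNS_OPT_RR = 11    # root name (1) + TYPE (2) + UDP size (2) + TTL/flags (4) + RDLEN (2)


def qname_wire_len(name: str) -> int:
    """Each label is a length byte plus its bytes; the root label is one zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def query_wire_size(name: str, edns: bool = True) -> int:
    """Size of a single-question DNS query (UDP payload, no transport headers)."""
    return DNS_HEADER + qname_wire_len(name) + QTYPE_QCLASS + (EDNS_OPT_RR if edns else 0)


def amplification(name: str, response_bytes: int, edns: bool = True) -> float:
    """Reply bytes per query byte: what a reflection attack would borrow."""
    return response_bytes / query_wire_size(name, edns)


def high_ratio_qtypes(name: str, reply_sizes: dict, threshold: float = 20.0) -> list:
    """Query types whose reply exceeds `threshold` times the query size."""
    return sorted(qt for qt, size in reply_sizes.items()
                  if amplification(name, size) >= threshold)


# Reply sizes per query type for isc.org; only ANY (4077) is taken from the slide,
# the rest are constructed for illustration.
ISC_REPLY_SIZES = {"A": 150, "MX": 220, "DNSKEY": 1200, "ANY": 4077}

if __name__ == "__main__":
    print("query size:", query_wire_size("isc.org"), "bytes")            # 36
    print("ANY amplification: %.1fx" % amplification("isc.org", 4077))   # 113.2x
    print("worth limiting:", high_ratio_qtypes("isc.org", ISC_REPLY_SIZES))
```

The ratio, not the absolute query count, is the invariant a defender should track: every byte a spoofing client can push at an open resolver or an unlimited authoritative server comes back at the victim multiplied by it, which is why ANY and DNSKEY answers are the first candidates for response rate limiting.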
Malware Enablement
• Malware infects clients when they visit malicious web sites, whose names are resolved using DNS
• Malware rendezvous with command-and-control channels using hardwired domain names and rapidly changing IP addresses
• Malware tunnels new malicious code through DNS
Anatomy of an Attack – Cryptolocker “Ransomware”
• Targets Windows-based computers
• Appears as an attachment to legitimate looking email
• Upon infection, encrypts files: local hard drive & mapped network drives
• Ransom: 72 hours to pay $300US
• Fail to pay and the encryption key is deleted and data is gone forever
• Only way to stop (after executable has started) is to block outbound connection to encryption server
Platform Hack
DNS Threats Spectrum Overview (threat category – description)
Disruption of DNS Services
• DNS Cache Poisoning Threats – Illegitimate corruption of DNS cached records
• DoS/DDoS Attacks – DNS flooding, amplification, reflection attacks; denial of service by exploiting vulnerabilities in OS / applications
• DNS Redirection – Response manipulation, Man-in-the-Middle (MITM) attacks
• Geographic based Threats – High percentage of threats originating from specific geographic locations
• DNS Protocol Attacks – Malformed packets, vulnerabilities, buffer overflows, shell code insertion
Use DNS as a Vector for Business Exploitation
• DNS Tunneling Frauds – DNS tunneling (use of port 53 as an open communication channel); attacker tunnels SSH traffic through DNS requests
• Data Leakage – Using DNS to transport encrypted payloads
• IP Fluxing – Fluxing of IPs at extremely high frequencies
• Domain Fluxing / Domain Generation Algorithms (DGA) – Domain generation / fluxing using dynamic algorithms that are hard to detect
• Domain Phishing – DNS response manipulation; malware using DNS to re-direct legitimate traffic to infected sites
• Malicious Domains – Detect and drop known malicious domains or exploits
• Advanced Persistent Threats (APTs) – Machine generated FQDNs that are stealthy and persistent
Introducing Infoblox Advanced DNS Protection – The First DNS Server that Protects Itself
Unique Detection and Mitigation
§ Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling
§ Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests.
Centralized Visibility
§ Centralized view of all attacks happening across the network through detailed reports
§ Intelligence needed to take action
Ongoing Protection Against Evolving Threats
§ Regular automatic threat-rule updates based on threat analysis and research
§ Helps mitigate attacks sooner vs. waiting for patch updates
Dedicated Compute
• Infoblox designed network accelerator card
• Performs deep packet inspection at wire-speed
• Purpose built for analyzing DNS traffic
• Blocks or rate limits threats before they are processed by the standard operating system (ingress and egress)
Threat detection – more than just DDOS
DNS reflection/DrDoS attacks Using third-party DNS servers (open resolvers) to propagate a DOS or DDOS attack
DNS amplification Using a specially crafted query to create an amplified response to flood the victim with traffic
DNS-based exploits Attacks that exploit vulnerabilities in the DNS software
TCP/UDP/ICMP floods Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
DNS cache poisoning Corruption of the DNS cache data with a rogue address
Protocol anomalies Causing the server to crash by sending malformed packets and queries
Reconnaissance Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
DNS tunneling Tunneling of another protocol through DNS for data exfiltration
DNS Content Based Filtering
Fast Flux Rapidly changing of domains & IP addresses by malicious domains to obfuscate identity and location
APT / Malware Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)
Hacked Domains Hacking DNS registry(s) & re-directing users to malicious domain(s)
Geo-Blocking Blocking access to geographies that have high rates of malicious domains or are under economic sanctions by the US Government
FireEye Block threats detected by your FireEye
Monitoring and Alerting
• Alert on threats: send over syslog to any SIEM
• Report and trend on threats
• Report and trend on ALL DNS traffic
• Capture and log all DNS queries, AND responses (optional)
• Analyze and report on top patterns: most frequently requested FQDN; top talkers; frequent queries ending in errors (NXDOMAIN, time out, SERVFAIL, etc.)
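The top-pattern reports the slide lists, run over a captured query-and-response log, as an added Python example that is not Infoblox's code or the deck's own material: most requested FQDN, top talkers, and clients whose lookups mostly end in errors, plus one check drawn from the threat table earlier in this section, the count of distinct subdomains under a single parent domain, which is the shape both DNS tunneling and DGA traffic leave behind. The log format (`timestamp client qname qtype rcode`, one query with its response per line), every line in it, and the thresholds are constructed.

```python
"""Top-pattern reporting over a DNS query/response log.

Added example, not from the deck or from Infoblox's product. It implements
the reports the slide lists (most requested FQDN, top talkers, clients whose
queries keep ending in errors) plus one content check from the threat table:
many distinct subdomains under a single parent domain, the shape of both DNS
tunneling and DGA traffic. The log format and every line below are
constructed: `timestamp client qname qtype rcode`, one query+response per line.
"""
from collections import Counter, defaultdict

LOG = """\
2013-08-09T16:21:38 10.11.36.29 www.neverbeenseenbefore.com A NOERROR
2013-08-09T16:21:39 10.11.36.29 www.neverbeenseenbefore.com A NOERROR
2013-08-09T16:22:01 10.11.36.29 intranet.example A NOERROR
2013-08-09T16:22:05 10.11.36.20 intranet.example A NOERROR
2013-08-09T16:22:07 10.11.36.20 mail.example A NOERROR
2013-08-09T16:25:00 10.11.36.77 kq3x9d1z.bad.example A NXDOMAIN
2013-08-09T16:25:01 10.11.36.77 ph0ca7tm.bad.example A NXDOMAIN
2013-08-09T16:25:02 10.11.36.77 w2ll8qe0.bad.example A NXDOMAIN
2013-08-09T16:25:03 10.11.36.77 z91mmc4t.bad.example A NXDOMAIN
2013-08-09T16:25:04 10.11.36.77 intranet.example A NOERROR
2013-08-09T16:30:00 10.11.36.42 aGVsbG8.t.tun.example TXT NOERROR
2013-08-09T16:30:01 10.11.36.42 d29ybGQ.t.tun.example TXT NOERROR
2013-08-09T16:30:02 10.11.36.42 Zm9vYmFy.t.tun.example TXT NOERROR
2013-08-09T16:30:03 10.11.36.42 YmF6cXV4.t.tun.example TXT NOERROR
"""
ERROR_RCODES = {"NXDOMAIN", "SERVFAIL", "TIMEOUT"}


def parse(log: str):
    """One dict per line; names are normalised to lower case without a trailing dot."""
    events = []
    for line in log.splitlines():
        ts, client, qname, qtype, rcode = line.split()
        events.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
                       "qtype": qtype, "rcode": rcode})
    return events


def top_fqdns(events, n=5):
    return Counter(e["qname"] for e in events).most_common(n)


def top_talkers(events, n=5):
    return Counter(e["client"] for e in events).most_common(n)


def error_ratio_by_client(events):
    total, errors = Counter(), Counter()
    for e in events:
        total[e["client"]] += 1
        if e["rcode"] in ERROR_RCODES:
            errors[e["client"]] += 1
    return {c: errors[c] / total[c] for c in total}


def noisy_error_clients(events, min_ratio=0.5, min_queries=4):
    """Clients with a high share of failed lookups (DGA-style probing leaves this trail)."""
    counts = Counter(e["client"] for e in events)
    return sorted(c for c, r in error_ratio_by_client(events).items()
                  if r >= min_ratio and counts[c] >= min_queries)


def subdomain_fanout(events):
    """Distinct subdomain prefixes seen under each parent (last two labels)."""
    seen = defaultdict(set)
    for e in events:
        labels = e["qname"].split(".")
        if len(labels) > 2:
            seen[".".join(labels[-2:])].add(".".join(labels[:-2]))
    return {parent: len(subs) for parent, subs in seen.items()}


def high_fanout_parents(events, min_unique=3):
    """Parents with many one-off subdomains: the footprint of tunneling or DGA traffic."""
    return sorted(p for p, n in subdomain_fanout(events).items() if n >= min_unique)


EVENTS = parse(LOG)

if __name__ == "__main__":
    print("top FQDNs:", top_fqdns(EVENTS, 3))
    print("top talkers:", top_talkers(EVENTS, 3))
    print("clients with mostly failing queries:", noisy_error_clients(EVENTS))
    print("high-fanout parent domains:", high_fanout_parents(EVENTS))
```

The parent-domain split on the last two labels is a simplification; a production version would use a public-suffix list so that names under multi-label TLDs are grouped correctly, and would set the rarity thresholds from a baseline rather than the constants used here.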
Custom Rules
• Block or Rate Limit by: Source IP, FQDN, UDP or TCP
• Whitelists
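The rule types on this slide modelled as a per-source token bucket with an allowlist and FQDN block rules, as an added Python example that is neither Infoblox's code nor the deck's own material. TCP queries pass through by default because a source that completes a TCP handshake is not spoofed, so reflection traffic cannot arrive that way; time is passed in explicitly so the behaviour is deterministic, and all addresses, names and rates are constructed.

```python
"""Per-source rate limiting with allowlist and FQDN block rules.

Added example; not Infoblox code and not the deck's own material. It models
the rule types on the slide (block or rate limit by source IP, by FQDN, by
transport, plus a whitelist) as a token bucket per source IP. TCP queries are
passed through by default: a source that completes a TCP handshake is not
spoofed, so reflection traffic cannot arrive that way. Time is passed in
explicitly so the behaviour is deterministic; all addresses and names are
constructed.
"""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last: float


class DnsRateLimiter:
    def __init__(self, rate_qps: float, burst: int, allow_sources=(), block_fqdns=(), limit_tcp=False):
        self.rate = rate_qps          # sustained queries per second per source
        self.burst = burst            # bucket capacity (largest tolerated burst)
        self.allow = set(allow_sources)
        self.block = {d.lower().strip(".") for d in block_fqdns}
        self.limit_tcp = limit_tcp
        self.buckets = {}

    def _blocked(self, fqdn: str) -> bool:
        """Suffix match: blocking bad.example also blocks x.bad.example."""
        name = fqdn.lower().strip(".")
        return any(name == d or name.endswith("." + d) for d in self.block)

    def decide(self, src: str, fqdn: str, proto: str = "udp", now: float = None) -> str:
        """Return 'block' (FQDN rule), 'allow', or 'drop' (per-source bucket empty)."""
        now = time.monotonic() if now is None else now
        if self._blocked(fqdn):
            return "block"
        if src in self.allow:
            return "allow"
        if proto == "tcp" and not self.limit_tcp:
            return "allow"
        b = self.buckets.get(src)
        if b is None:
            b = self.buckets[src] = Bucket(tokens=self.burst, last=now)
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return "allow"
        return "drop"


def simulate():
    """A burst of 12 UDP queries from one source, then the same source a second later."""
    rl = DnsRateLimiter(rate_qps=5, burst=10, allow_sources={"10.0.0.53"}, block_fqdns={"bad.example"})
    burst = [rl.decide("198.51.100.7", "isc.org", "udp", now=100.0) for _ in range(12)]
    later = rl.decide("198.51.100.7", "isc.org", "udp", now=101.0)
    blocked = rl.decide("198.51.100.7", "x.bad.example", "udp", now=101.0)
    return {"allowed_in_burst": burst.count("allow"), "dropped_in_burst": burst.count("drop"),
            "after_refill": later, "blocked_fqdn": blocked}


if __name__ == "__main__":
    print(simulate())
```

Keying the bucket on the source address alone is the simplest form; real response rate limiting also keys on the answer being returned and replies to over-limit UDP clients with a truncated response so that legitimate resolvers retry over TCP, which is the mechanism that makes exempting TCP safe.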
Threat Update Service
• Threats are analyzed by a security team at Infoblox
• Appliances check for new signatures every hour
ADP In Action (diagram): the Infoblox Threat-rule Server distributes rules to Infoblox Advanced DNS Protection (automatic updates); Advanced DNS Protection blocks or rate limits DNS threats and passes legitimate traffic; the Grid Master tracks and reports; the Reporting Server reports on attack types and severity, and sends to a SIEM.
Deployment Options
External Protection against Internet-borne Attacks
(diagram: INTERNET → DMZ with Advanced DNS Protection → Data Center with Grid Master and Candidate (HA) and Advanced DNS Protection → INTRANET: campus office, regional office(s), disaster recovery site(s))
Advanced DNS Protection, when deployed as an external authoritative DNS server, can protect against cyberattacks
Internal Protection against Internal Attacks, or misconfigured applications, on Recursive or Authoritative Servers
Advanced DNS Protection can secure internal DNS environments where internal user traffic is hostile
(diagram: INTRANET endpoints → Advanced DNS Protection (two appliances) → GRID Master and Candidate (HA))
Advanced Appliances Come in Three Physical Platforms
Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation.
The appliances offer both AC and DC power supply options.
Why QoS Matters – Settings
Summary
• DNS is a core strategic asset that is often left unprotected
• The bad guys are going after your DNS servers
• Internal DNS is as exposed to failure
• Infoblox can help: deep visibility, unique expertise in DNS, scales up to the largest networks
Thank You www.infoblox.com
WRAP/Q&A
The Issues
} Integration of Security Technologies
} Staffing
} Vulnerabilities
} Advanced threats
The Issues
} Integration of Security Technologies is Challenging
– Multiple formats of data
– Data timing issues
– Different types of security controls
– Other data types
The Issues
} InfoSecurity Staff
– Different skills requirements
- Architects
- Malware Handling
- Forensics
- Vulnerability
- Incident Management
- Risk and Compliance
– HR Costs
- Premium technical personnel
- Analysts, Specialists
- Training and certification
The Issues
} Vulnerabilities
– Regular scheduled disclosures
– Large volumes of ad-hoc patches
– Many undisclosed zero days
– Remediation is a continuous process
The Issues
} Advanced Threats
– Advanced Persistent Threats
– Embedded threats
} Who?
– State sponsored
– Hacktivism
– Hackers
– Organized crime
How to Secure It
} State-of-the-art Security Technologies
} Skills on Demand
– Continuous Tuning of Rules and Filters
– Cyber Intelligence, Advanced Analytics
– Cyber Incident Response
– Code Review, Vulnerability and Assessment Testing
QUESTIONS?
THANK YOU.