This document outlines an agenda for a Security Road Show event taking place in Calgary. The event will include presentations from four cybersecurity vendors: Palo Alto Networks, F5, Splunk, and Infoblox. There will be a welcome at 9:00am followed by 30-minute presentations from each vendor throughout the morning, ending at 11:30am. The event will conclude with a Q&A, and boxed lunches will be provided.
55. Built for intelligence, speed and scale
Users / Resources (platform capacity figures):
– Concurrent user sessions: 100K
– Concurrent logins: 1,500/sec
– Throughput: 640 Gbps
– Concurrent connections: 288 M
– DNS query response: 10 M/sec
– SSL TPS (2K keys): 240K/sec
– Connections per second: 8M
64. The Accelerating Pace of Data
Volume | Velocity | Variety | Variability
Machine data is the fastest growing, most complex, most valuable area of big data.
Sources: GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops
65. The Splunk Security Intelligence Platform
(Slide diagram.) Security use cases: Forensic Investigation, Security Operations, Compliance, Fraud Detection.
Machine data sources: Online Services, Web Services, Security, GPS Location, Servers, Packaged Applications, Networks, Desktops, Storage, Messaging, Telecoms, Custom Applications, RFID, Energy Meters, Online Shopping Cart, Databases, Web Clickstreams, Call Detail Records, Smartphones and Devices.
Indexed on HA Indexes and Storage running on Commodity Servers.
66. Rapid Ascent in the Gartner SIEM Magic Quadrant
(Slide chart: Splunk's position in the 2011, 2012 and 2013 Magic Quadrants.)
69. Splunk Security Intelligence Platform
120+ security apps, including the Splunk App for Enterprise Security and apps for: Palo Alto Networks, Cisco Security Suite, OSSEC, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat ProxySG, Sourcefire
70. Partner Ecosystem
What is the Value Add to Existing Customers?
Visibility and Correlation of Rich Data
Improved Security Posture
Configurable Dashboard Views
71. All Data is Security Relevant = Big Data
(Slide diagram: a "Traditional SIEM" circle sitting inside a much larger set of data sources.)
Sources shown: Databases, Email, Web, Desktops, Servers, DHCP/DNS, Network Flows, Custom Apps, Hypervisor, Badges, Firewall, Authentication, Vulnerability Scans, Storage, Mobile, Data Loss Prevention, Intrusion Detection, AntiMalware, Service Desk, Call Records, Industrial Control
72. Making Sound Security Decisions
(Slide diagram.) Inputs to Security Decisions: Binary Data (flow and PCAP), Log Data, Threat Intelligence Feeds, Context Data. Dimensions of the data: Volume, Velocity, Variety, Variability.
73. Case #1 – Incident Investigation/Forensics
• May be a “cold case” investigation requiring machine data going back months
• Often initiated by an alert in another product
• Need all the original data in one place and a fast way to search it to answer:
  – What happened, and was it a false positive?
  – How did the threat get in, where have they gone, and did they steal any data?
  – Has this occurred elsewhere in the past?
• Take the results and turn them into a real-time search/alert if needed
(Slide background: a January–May timeline laid over raw log fragments from a mail server, syslog and DHCP.)
74. Case #2 – Real-time Monitoring of Known Threats
Example Correlation – Data Loss. Three sources, linked by the same Source IP, all three occurring within a 24-hour period (Time Range):
• Windows Authentication – Default Admin Account:
20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts (slide callout: IP: 10.11.36.20)
• Endpoint Security – Malware Found:
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
• Intrusion Detection – Data Loss:
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:
75. Case #3 – Real-time Monitoring of Unknown Threats
Example Correlation – Spearphishing. Three sources, linked by the same User Name, all three occurring within a 24-hour period (Time Range):
• Email Server – Rarely seen email domain:
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,, hacker@neverseenbefore.com , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z
• Web Proxy – Rarely visited web site:
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
• Endpoint Logs – Rarely seen service:
08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. " pid=1300 process_image="John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
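The two correlations in Cases #2 and #3 share one shape: several independent sources, one shared entity (source IP for data loss, user name for spearphishing), and a 24-hour window. The stand-alone Python model below is an added illustration, not Splunk search language or any code from the deck; the log lines are constructed and simplified, and the indicator names, field names and the rare_* flags (assumed to be computed upstream) are this example's own assumptions.

```python
"""Multi-source correlation modelled on Case #2 (data loss) and Case #3
(spearphishing): an alert fires only when every required indicator shows up
for the same entity (source IP, or user name) inside one 24-hour window.
Added illustration in plain Python, not Splunk SPL or Splunk's code; the log
lines are constructed and simplified, and the field names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
YEAR = 2013  # constructed syslog-style lines carry no year

# Constructed sample events: (source, raw line).
SAMPLE_LOGS = [
    # Case #2: three sources, all naming source IP 10.11.36.20 on the same day
    ("winauth", "Aug 08 04:12:21 acme-2975eb wmi UserAccounts Name=Administrator SID=S-1-5-21-1-2-3-500 src=10.11.36.20"),
    ("av", "Aug 08 06:09:13 acmesep01 SymantecServer: Virus found,Computer name: ACME-002,Risk name: Hackertool.rootkit,Source IP: 10.11.36.20"),
    ("ids", "Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 snort[18774]: Credit Card Number Detected in Clear Text"),
    # A host that only trips the IDS rule: one indicator alone must not alert
    ("ids", "Aug 08 09:01:00 snort.acmetech.com {TCP} 10.11.36.77:4410 -> 10.11.36.26:443 snort[18774]: Credit Card Number Detected in Clear Text"),
    # A host whose default-admin event is a week before the other two: outside the window
    ("winauth", "Aug 01 10:00:00 acme-2975eb wmi UserAccounts Name=Administrator SID=S-1-5-21-1-2-3-500 src=10.11.36.90"),
    ("av", "Aug 08 10:05:00 acmesep01 SymantecServer: Virus found,Computer name: ACME-009,Risk name: Hackertool.rootkit,Source IP: 10.11.36.90"),
    ("ids", "Aug 08 10:10:00 snort.acmetech.com {TCP} 10.11.36.90:5100 -> 10.11.36.26:443 snort[18774]: Credit Card Number Detected in Clear Text"),
    # Case #3: three sources naming user johndoe; the rare_* flags are assumed to be
    # computed upstream (first-seen domain/site/process), which this model does not do
    ("mail", "Aug 09 12:40:25 exch-hub-den-01 DELIVER to=johndoe@acme.com from=hacker@neverseenbefore.com rare_sender_domain=1"),
    ("proxy", "Aug 09 16:21:38 proxy01 10.11.36.29 TCP_HIT 200 GET www.neverbeenseenbefore.com user=johndoe rare_site=1"),
    ("endpoint", "Aug 09 16:23:51 johndoe-pc process_image=neverseenbefore.exe registry_type=CreateKey user=johndoe rare_process=1"),
]

TS = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "

# source -> (regex capturing the correlating entity as group 'ent', indicator name)
PARSERS = {
    "winauth": (TS + r".*Name=Administrator .*src=(?P<ent>[\d.]+)", "default_admin"),
    "av": (TS + r".*Virus found.*Source IP: (?P<ent>[\d.]+)", "malware_found"),
    "ids": (TS + r".*\{TCP\} (?P<ent>[\d.]+):\d+ -> .*Credit Card Number", "data_loss"),
    "mail": (TS + r".*to=(?P<ent>\w+)@.*rare_sender_domain=1", "rare_email_domain"),
    "proxy": (TS + r".*user=(?P<ent>\w+) rare_site=1", "rare_web_site"),
    "endpoint": (TS + r".*user=(?P<ent>\w+) rare_process=1", "rare_service"),
}


def parse(source, line):
    """Return (timestamp, entity, indicator) for a matching line, else None."""
    pattern, indicator = PARSERS[source]
    m = re.match(pattern, line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ent"), indicator


def correlate(events, required, window=WINDOW):
    """Map entity -> {indicator: first timestamp} for every entity that shows all
    `required` indicators within one window. Every event is tried as the window
    start, so the match does not depend on which source fires first."""
    by_entity = defaultdict(list)
    for ts, entity, indicator in events:
        by_entity[entity].append((ts, indicator))
    alerts = {}
    for entity, evs in by_entity.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {}
            for ts, indicator in evs[i:]:
                if ts - start > window:
                    break
                seen.setdefault(indicator, ts)
            if required.issubset(seen):
                alerts[entity] = {k: seen[k] for k in required}
                break
    return alerts


DATA_LOSS = frozenset({"default_admin", "malware_found", "data_loss"})
SPEARPHISHING = frozenset({"rare_email_domain", "rare_web_site", "rare_service"})


def run(logs=SAMPLE_LOGS):
    """Parse every line and evaluate both correlation rules over the result."""
    events = [ev for src, line in logs if (ev := parse(src, line))]
    return {"data_loss": correlate(events, DATA_LOSS),
            "spearphishing": correlate(events, SPEARPHISHING)}


if __name__ == "__main__":
    for rule, hits in run().items():
        for entity, seen in hits.items():
            print(f"ALERT {rule}: {entity} ->",
                  ", ".join(f"{k}@{v:%b %d %H:%M}" for k, v in sorted(seen.items())))
```

Only 10.11.36.20 and johndoe alert: the IDS-only host lacks two indicators, and the host whose default-admin event is a week old never has all three inside one window.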
76. $500k Security ROI @ Interac
• Challenges: Manual, costly processes
  – Significant people and days/weeks required for incident investigations. $10k+ per week.
  – No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
  – Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
• Enter Splunk: Fast investigations and stronger security
  – Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
  – Splunk reduced investigation time to hours. Reports can be created in minutes.
  – Real-time correlations and alerting enable fast response to known and unknown threats
  – ROI quantified at $500k a year. Splunk TCO is less than 10% of this.
“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.”
– Josh Diakun, Security Specialist, Information Security Operations
77. Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
  – Very difficult to index non-security or custom app log data
  – Serious scale and speed issues. 10GB/day and searches took > 6 minutes
  – Difficult to customize, with reliance on pre-built rules which generated false positives
• Enter Splunk: Flexible SIEM and empowered team
  – Easy to index any type of machine data from any source
  – Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
  – All the data + flexible searches and reporting = empowered team
  – 900 GB/day and searches take < a minute. 7 global data centers with 350TB stored data
  – Estimate Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.”
– Gavin Reid, Leader, Cisco Computer Security Incident Response Team
78. Security and Compliance @ Barclays
• Challenges: Unable to meet demands of auditors
  – Scale issues, hard to get data in, and impossible to get data out beyond summaries
  – Not optimized for unplanned questions or historical searches
  – Struggled to comply with global internal and external mandates, and to detect APTs
  – Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
• Enter Splunk: Stronger security and compliance posture
  – Fines avoided as searches easily turned into visualizations for compliance reporting
  – Faster investigations, threat alerting, better risk measurement, enrichment of old data
  – Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
  – Other teams using Splunk for non-security use cases improves ROI
“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.”
– Stephen Gailey, Head of Security Services
79. Splunk Key Differentiators
Splunk vs. Traditional SIEM:
• Single product, UI, data store
• Software-only; install on commodity hardware
• Quick deployment + ease-of-use = fast time-to-value
• Can easily index any data type
• All original/raw data indexed and searchable
• Big data architecture enables scale and speed
• Flexible search and reporting enable better/faster threat investigations and detection, incl. finding outliers/anomalies
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance
80. For your own AHA! Moment
Reach out to your Scalar and Splunk team for a demo. Thank you!
Key Message – Our Security Portfolio is focused on the question of how to secure core infrastructure. We deliver security by focusing on next-generation technologies & adaptive defensive techniques. Our experience in this space has shown us that threats are evolving very rapidly, and our approach emphasizes using leading next-gen technologies rather than large, monolithic architectures, allowing you to react quickly to changes as they evolve. We back that up with industry-leading expertise: we are the only authorized training centre in Canada for next-gen security technologies like Palo Alto Networks, F5 and Infoblox, leaders in their respective spaces. And we maintain technical & sales certifications with leading security companies including McAfee and Cisco.
Key Partners & Technologies – Palo Alto, Fortinet, FireEye, McAfee, Cisco, F5, Infoblox
Protection & Defence – The first line of defence is to stop unwanted intrusions & attacks so that they never penetrate your network. Scalar can design and deliver solutions to protect your network and applications, control your DNS & IP address properties, and control user activity while ensuring speed and performance are maintained.
Incident & Event Management – While protection is critical, it is equally important to deliver a rapid, effective & coordinated response to any intrusion or attack. That requires processes, discipline and tools, including a 24/7 Security Operations Centre with the staff & training to operate it. That is how Scalar helps customers secure hundreds of endpoints, devices and networks.
Threat Assessment & Penetration Testing – Improving your security posture means you need to understand where your vulnerabilities are. A vulnerability assessment can not only identify vulnerabilities in a system, but can help prioritize & rank the order in which they should be fixed, and educate internal stakeholders about the potential risks that exist.
And while online tools exist, interpreting the results and developing a plan can be overwhelming for IT departments that lack staff with the necessary skills. Scalar can conduct the assessments, and our analysts can work with you to develop a plan to close potential threats.
Growth – Recognized on the PROFIT list of the fastest-growing companies in Canada for the last four years (since we became eligible in year 5 of our business). In 2013 we were 94 on the overall list, but 15 within the IT industry, and one of the highest-revenue companies overall.
Canadian company with nationwide presence. Number 15 on the CDN list of Top 100 Solution Providers. Also named #46 on the Branham300 list of Canada’s leading ICT companies.
We have a deep technical bench; we are not a call centre shipping product. We position ourselves as an extension of your business, and have the team in place to back this up.
Though Scalar is in its 10th fiscal year, our founders have been doing this since 1990 when they were running Enterprise Technology Group (ETG). Since then that team has delivered over $1BN in mission-critical infrastructure.
Core infrastructure is our background, our experience, and the primary focus of what we do; it underpins our business. As infrastructure has changed with the industry to be spread across public, private, hybrid and other models, our customers’ needs have changed, and therefore so have our portfolio and focus. Today we focus on building core infrastructure and then assisting our clients in securing it, ensuring it is running well (performance), and managing it (control). Though core infrastructure is the delivery vehicle for all applications, we do not deal at the application layer: we deal with security, performance, and control only as they relate to core infrastructure. This focus allows us to be the very best at what we do.
We answer the questions:
– Core Infrastructure – How to build it?
– Security – How to secure it?
– Performance – How is it running?
– Control – How to manage it?
Also: dedicated PMO, finance, inside sales and operations teams. Every team in our organization is the best at what they do. It is difficult to prove experience on a PowerPoint slide. Take a meeting with us and we will show you how our technical team is world-class.
Unique infrastructure solutions designed to meet your needs – A great example is StudioCloud. When our media customers came to us with a problem, we developed an entirely new way for them to do business. We did not attempt to sell them more compute or optimize their individual environments; we helped them form a coalition and a community cloud that allows them to pay for servers on an as-needed basis, and sub-lease to other companies in our cloud when they have excess capacity. Whether it is a product-based solution, a professional service, or a managed service, we deliver the solution.
Testing Centre & Proving Grounds – We train our engineers to be constantly evaluating and testing emerging vendors in our in-house testing centre. We offer fresh, cutting-edge technologies to our customers, while at the same time ensuring we have vetted, tested, and trained in those technologies. We offer leading-edge technologies that we KNOW are up to the task of enterprise environments.
Vendor Breadth – We offer both current and future market leaders in our portfolio.
Execution is difficult to demonstrate on a slide, so instead we have decided to show you what some of our customers have said about us. Our tagline says it all – We Deliver. This is not “marketing speak” but the foundation of our business. Our commitment is first and foremost to our customers, and we strive to become a trusted advisor and an extension of your business. This does not happen overnight, but rather through proving ourselves again and again. We are dedicated to finding the right solution for your business needs and delivering it to you efficiently and effectively.
Context has many applications. Without context, a question from a colleague may sound like gibberish. With the appropriate context, the nonsensical begins to make sense.
(Animated slide.) 344 KB. Somewhat meaningless: sure, it is roughly 1/3 of a MB, but so what? Traditional security will give you info on the IP addresses and the port, so now you have a bit more context, but not much more. It is something going across port 443; it may or may not be using SSL. But what else do you know? What if you had who the user was and which group they are in? Would the actual protocol be helpful? And the application, and possibly the function in use? And the file type and file name? The context of the traffic being observed is more meaningful, allowing you to make more intelligent decisions, respond more rapidly to security incidents, and generate more complete reports. Think about what you can do, from a security perspective, with this data.
(Animated slide.) Or perhaps the 344 KB is more suspicious? What if the 344 KB was a file being downloaded to the CFO’s desktop from an unknown URL registered in China? The context of the 344 KB again becomes far more meaningful, and in this case the context may mean that more aggressive action needs to be taken.
Now let’s look at a more real-world example of the value of context. Today’s cyberattacks are considerably more sophisticated than the attacks one would expect to see even a few years ago. Most of these attacks leverage multiple steps, in which each step builds on the previous one toward a strategic goal. Multiple techniques are coordinated to work together, and the attackers attempt to hide their traffic and infrastructure whenever possible. This example walks through the very common steps of a modern data breach. First, the user is enticed to click to see the pretty cat video; enticement has become easy due to the unprecedented level of trust that social media has built. When the unsuspecting user clicks, the exploit kit is downloaded in the background. Once delivered, the exploit calls a new URL with no reputation, and from that new URL the complete piece of malware is pulled down. It is installed in the background, establishes a connection, and C2 traffic begins. A secondary payload may be pulled down, which then spreads laterally. Once the malware finds an attractive target, C2 is re-established and the exfiltration begins. The challenge of stopping this attack becomes more significant when you realize that it uses SSL, contacts new URLs that are spun up and taken down instantly, uses AV evasion techniques, communicates using UDP and non-standard ports, pulls down an added payload, spreads internally hiding in plain sight by mimicking traffic patterns on your network, and then begins exfiltration using applications commonly found on your network.
Our platform is unique in its ability to natively classify and inspect all traffic, inclusive of applications, threats and content, and then tie that traffic to the user, regardless of location or device type.
Box 1: We scan ALL applications (including SSL traffic) to secure all avenues in/out of a network, applying a positive control model in order to reduce the attack surface area and provide context for forensics.
Box 2: Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures.
Box 3 and feedback loop: Detects zero-day malware & exploits using public/private cloud and automatically creates signatures for the global customer base.
Our approach is applicable across the network: at the gateway, in the datacenter, for segmentation and for carriers.
Unique to our platform is a traffic classification that natively inspects all traffic, inclusive of applications, threats and content, then ties that traffic to the user, regardless of location or device type.
Box 1: Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics.
Box 2: Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures.
Box 3 and feedback loop: Detects zero-day malware & exploits using public/private cloud and automatically creates signatures for the global customer base.
Our approach is applicable across the network: at the gateway, in the datacenter, for segmentation and for carriers. Carriers will use a mix of the features across the listed use cases:
– protect customers from each other and carriers from customers
– robust availability
– scale to aggregate customer feeds
Let me start with the well-worn topic of the evolving threat landscape. I wanted to start here as we have all seen this and it is talked about everywhere. It is time to turn the page on this and discuss what it means to be secure in the cyber world, as opposed to what it means to be insecure. In other words, if we understand the problem, what is the solution, what do we have today, and what do we need to get there? Along the way I will do a few commercials for PANW but will make it obvious when I am doing it. I would appreciate this being interactive.
So, if you want to be secure in a cyber world, what must be true? Lots of things for sure, but let me start with four. First, you must change your mindset from responding to cyber incidents to one of a cyber campaign. In doing that, you see the need for intelligence, as no war is won without it. Intelligence gives you a sense of what is happening and why, and when you understand that, you are better prepared. But you cannot have intelligence without visibility, and the visibility must be broad and continuous. From the visibility and intelligence you see the indicators of compromise, and you can apply what you know of the IOCs to the kill chain. And then, ideally, everyone would share it all.
Starting with intelligence: in some verticals, this is well understood. It means going from a mindset of a discrete attack against which you are defending and then waiting for the next one, to one of an intelligence cycle where you look for the intelligence in what you are seeing, and think of events as related to the campaign, not as a discrete attack or point of attack.
But you do not have much intelligence if you do not start with visibility, and visibility must be across your whole network. The concept of network really should include endpoints, and the network and the endpoints should be talking to each other. Visibility-wise, at a minimum you should see and understand all applications, the content and the users, and then try to make sense of all you are seeing, which is the premise of big data. Maybe that sounds simple, but most organizations do not think in terms of intelligence, do not have this kind of visibility, cannot make sense of what they do see, and do not share or receive much of anything from anyone else.
That is bad enough, but even if you want to do all that and have the capability to do it, it is getting much harder, much faster. Just think of the idea of the network: that is changing rapidly itself, and this presents a whole new set of issues. These changes are driven by things like location, at the same time as there are major advances in threat sophistication.
Users off the network – not a big problem until all the apps moved off the network too. Now there is no visibility or network security. (SSL VPN / Always Connected)
Personal devices coming back on the network – but they can operate off the network at will to bypass controls. (SSL VPN / BYOD)
Servers being virtualized, giving rise to “east-west” traffic. (Firewall / Virtualization)
Virtualized apps moving to the cloud – not even on the corporate network anymore. (Firewall / Public Cloud)
Oh, and much of the traffic remaining within the corporate network is now encrypted. (Firewall / SWG)
Giving rise to the concept of the new network and the traffic reality, all of which is well understood by the modern hacker. (IPS – Modern Malware)
What does all this mean? To get intelligence and visibility, you have to have it across the network, but your technology to do this must be keeping up with, or better yet staying in front of, all these changes. PANW – you will hear all about this today: what we are doing in this regard.
And then of course, but not simple: let’s say you had all this great visibility and intelligence. What does it all mean? That is where big data comes in. Our commercial here is the work we have done with Splunk, NetWitness, ArcSight etc. Interesting, perhaps, is the usefulness of data that is based on apps, content and users; there has been great feedback from the joint PANW/Splunk customers.
So, if you have the intelligence, in addition to making sense of it with big data, what would be very helpful is to apply it to the kill chain. And what would be even better is if it were applied in a highly automated way.
We have some sense of this. PANW commercial – this is how our platform is architected and how it works: it natively incorporates lots of the kill chain functionality that used to be disparate. As a result, it can quickly and in an automated fashion bring the kill chain to bear, as opposed to hoping that each element stays ahead.
Okay, so now let’s say you have the right mindset, have technology that gets you visibility, use the visibility to gain intelligence, apply the intelligence to the kill chain in a highly automated manner, and are feeling pretty good. How does it get better than that? Leverage – always a good thing to have, and certainly in this case it helps a lot. You can get leverage by sharing what you know, and vice versa, with pretty much everyone, within the context of what you want or are allowed to do. There is lots of focus on this in the external cases of standards efforts and partnership efforts.
But wouldn’t it be great, right now, if your network was automatically getting and receiving all the intelligence we discussed? PANW commercial – that is how we think it should work, and it is working right now with WildFire. Over 2000 customers are getting the benefits of each other’s work here and the value of the network effect of sharing.
Want to touch on: you have heard about ISP. The purpose of this presentation is to provide more information on the security services. Before we do that, let’s talk about some technology trends: mobility and elasticity of data centers (consolidation, webification, private & public clouds; data centers have changed). Before IP we had SNA and IPX, and each app had its own port. Now we are consolidating all these apps down to HTTPS. Complexity resides over HTTP, impacting the overall infrastructure.
{NOTE TO SPEAKER: The key points to get across on this slide, which can be conveyed and leveraged in multiple different ways, are these. If you look at the attack types, the major attack types that exist here are application-type attacks and web attacks. In addition, the key thing is that every single one of these customers had a firewall, and it was most likely a next-generation firewall. The reality of the situation is that because they leveraged a piece of technology that was not designed to protect their data center, the resulting effect was that they were not protected and they were exploited. It is important that the individual conveying the slide, if talking to a partner, can articulate that you do not want your customers to be one of the next large bubbles on this eye chart. Or, if you happen to be a customer, the last thing that you want is the company that you are working for or protecting to be on this eye chart.}
– Loss of business/customer base
– Loss of intellectual property
– Regulatory fines/legal costs
– Cost of corrective action
– Cost of volumetric flood service
– Changing methods of doing business – drives new processes
– Partners’ loss of trust in working with your company
– Scrubbing service
– Reputation management
Leveraging its expertise in application delivery and its deep fluency with applications, F5 introduces the Application Delivery Firewall, a new solution that integrates multiple networking and security components onto a single platform. The F5 Application Delivery Firewall runs across the entire product platform line, from virtual editions to the BIG-IP hardware line to the VIPRION. The F5 Application Delivery Firewall includes an integrated native network firewall, which is ICSA lab certified, traffic management, industry leading application security, access control, DDoS mitigation, SSL inspection, and DNS security. It's also important to notice that the F5 ADF, besides the ICSA firewall certification, also is certified for IPsec, SSL VPN, and web application firewall. On top of that the F5 Application Delivery Firewall has EAL2+ common criteria certification and EAL4+ is currently in progress.
When you’re delivering an application, you also have to worry about security. Again you have a few options: you can try to modify the application, you can put in point solutions, or you can use your ADC as a strategic point of control to secure both your applications and your data. BIG-IP LTM has a number of features that provide security at the application level:
– Resource cloaking and content security – prevent error codes and sensitive content from being presented to hackers
– Customized application attack filtering – search for and apply rules to block known application-level attacks
– Packet filtering – L4-based filtering rules to protect at the network level
– Network attack prevention – protect against DoS, SYN floods, and other network attacks while delivering uninterrupted service for legitimate connections
– Message Security Module (add-on module)
– Protocol Security Module (add-on module)
– Application Security Manager (add-on module)
One of the key use cases of the application security solution is to provide defense and mitigation against HTTP and HTTPS based DoS attacks, and we achieve this in a couple of ways. Here we have a screenshot of the configuration. At the base level we detect a DoS condition based on certain conditions; what we're highlighting here are the configurable parameters for latency. If latency falls outside of the bounds, it looks like a potential denial of service condition. On top of that we identify potential attackers by layering on additional criteria, in this case the TPS metrics: if those fall outside the specified bounds, the traffic looks additionally suspicious. Finally, we drop only the attackers, distinguishing them based on a couple of parameters, namely source IP based and URL based parameters. The idea is to block the malicious attackers while allowing valid users through, because denial of service mitigation is more than just blocking all connections: we want to make sure that the availability of the application is maintained.
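As an added example (not F5 code) of the latency-then-TPS approach described above, the following Python sketch raises a DoS condition from application latency, then identifies and drops only the sources or URLs whose transaction rate is out of bounds; the thresholds, IP addresses and request trace are constructed.

```python
"""Layer-7 DoS detection modelled on the latency + TPS scheme described above.

Added example, not F5 code. Threshold values and the request trace are
constructed for illustration.
"""
from collections import deque


class L7DosMitigator:
    """Raise a DoS condition on latency, then drop only offending sources/URLs."""

    def __init__(self, latency_ms=500.0, window_s=10.0, src_tps=5.0, url_tps=10.0):
        self.latency_ms = latency_ms   # latency bound (assumed value)
        self.window_s = window_s       # sliding measurement window in seconds
        self.src_tps = src_tps         # per-source-IP TPS bound (assumed)
        self.url_tps = url_tps         # per-URL TPS bound (assumed)
        self.window = deque()          # (ts, src, url, latency_ms)

    def _prune(self, now):
        while self.window and self.window[0][0] < now - self.window_s:
            self.window.popleft()

    def dos_condition(self):
        """Step 1: average application latency in the window is above the bound."""
        if not self.window:
            return False
        return sum(r[3] for r in self.window) / len(self.window) > self.latency_ms

    def _rate(self, now, index, value):
        """Transactions per second for one source IP (index 1) or URL (index 2)."""
        hits = [r for r in self.window if r[index] == value]
        elapsed = max(1.0, now - hits[0][0])   # avoid dividing by a tiny interval
        return len(hits) / elapsed

    def handle(self, ts, src, url, latency_ms):
        """Return 'serve' or 'drop' for one request."""
        self._prune(ts)
        self.window.append((ts, src, url, latency_ms))
        if not self.dos_condition():
            return "serve"                     # no DoS condition: nobody is dropped
        # Step 2: under a DoS condition, identify attackers by TPS per source or URL.
        if self._rate(ts, 1, src) > self.src_tps or self._rate(ts, 2, url) > self.url_tps:
            return "drop"                      # Step 3: drop only the attackers
        return "serve"


def build_trace():
    """Constructed trace: three legitimate users at 1 req/s for 10 s, one flooding
    source sending 20 req/s to /login during t=3..8 s; app latency is 900 ms
    for everyone while the flood is running, 50 ms otherwise."""
    trace = []
    for t in range(11):
        lat = 900.0 if 3 <= t < 8 else 50.0
        trace += [(float(t), "10.1.0.11", "/home", lat),
                  (float(t), "10.1.0.12", "/home", lat),
                  (float(t), "10.1.0.13", "/login", lat)]
    for i in range(100):
        trace.append((3.0 + i * 0.05, "203.0.113.9", "/login", 900.0))
    trace.sort(key=lambda r: r[0])             # stable: legit first at equal timestamps
    return trace


def simulate():
    """Run the trace and count served/dropped requests per source IP."""
    mit = L7DosMitigator()
    stats = {}
    for ts, src, url, lat in build_trace():
        s = stats.setdefault(src, {"serve": 0, "drop": 0})
        s[mit.handle(ts, src, url, lat)] += 1
    return stats


if __name__ == "__main__":
    for src, s in simulate().items():
        print(f"{src:14s} served={s['serve']:3d} dropped={s['drop']:3d}")
```

Note that the legitimate user of /login loses some requests once the URL-level rate bound trips, which is the trade-off of URL-based (rather than source-based) mitigation.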
- Unable to secure dispersed web apps
- No virtual WAF option for private cloud apps
- Replication of production environment complicated and cost-prohibitive
- Need to block app requests from countries or regions due to compliance restrictions
- Limiting app access based on location is a good practice to quickly reduce the attack sources
- Scanner scans applications to identify vulnerabilities and directly configures BIG-IP ASM policies to implement a virtual patch that blocks web app attacks
- BIG-IP ASM is now importing vulnerabilities – not patches – (in v11); it effectively becomes a vulnerability management tool along with being a WAF. Obviously, the net effect is enabling very rapid response, particularly in the instance where you're waiting for the third-party vendor to patch the vulnerability.
{NOTE TO SPEAKER: At this point in time in the presentation we should have already built the premise that we have an intelligent service platform, that we are discussing the security services portion of that platform, and that a huge advantage of our security offering is our full proxy architecture, and that since we have custom-built hardware we are able to achieve speeds and feeds that are far superior to anyone else. The other thing that we really need to be able to convey in this slide is that our technology has been designed for customers of the data center, and our requirements have always been driven from service providers, you know, in very, very large customers with very, very significant demands. I don't normally mention Facebook specifically by name, but I talk about the fact that we have customers that have a billion unique users that are actually traversing our particular technology. And these advantages have really enabled us to be able to build a security technology that is far superior to what our competition has. And so I like to convey that I've worked with customers that have load balanced firewalls, that have load balanced logs coming from firewalls, and even just recently I talked to a customer that actually was load balancing Juniper SSL VPNs. And I asked him how many users they had, and they had 20,000 users. And what was interesting is our largest box can do 5x of what that box can do, and they were having to load balance I think six or seven other devices.
So we really need to be able to tie specific use cases in this slide, we really need to be able to tie this back to our custom-built technology, and then we really need to be able to also ensure that they understand other elements such as the fact that DDoS requires connections per second, it requires the ability to ramp connections, it requires the ability to sustain connections, but in addition to that, beyond just malicious DDoS, just a traditional increase in traffic for good purposes also requires a significant increase in connections per second. And all of our customers should have the capacity to be able to withstand it, whether it's malicious or non-malicious. So it's very critical that we're able to not just give these numbers as a bunch of blah but that we're actually able to articulate and correlate and tie these back to why it's so beneficial, so that each of these stats will provide them significant value. You know, one more element here, speaking on the access side of it, is that as more users and more things become mobile, and as more applications are moved out to the cloud, the demand on remote access devices is significantly increasing. So we've spent a lot of time talking about our data center firewall or the ADF, and we've spent a lot of time talking about the needs and speeds and feeds in other areas, but it's also very critical that the demand on our customers around remote access also has just as much of a need for these performance requirements.}
Here we have a view of the Application Delivery Firewall solution as it maps to the constituent software modules in the BIG-IP family. It's important to note that ADF is an umbrella solution with various software modules that can be licensed depending on the exact requirements and the deployment scenario for the customer. This means there is extensibility and investment protection in the BIG-IP system: at its core, the Application Delivery Firewall consists of the Advanced Firewall Manager as its base and is extendable, so customers can add modules as their network demands. BIG-IP AFM is the foundation of the ADF solution: the integrated, native, stateful full-proxy firewall around which the rest of the security modules are oriented. AFM has integrated UIs, so the configuration of security policy is oriented around applications. It has flexible, detailed logging and reporting, which enables security teams to analyse what's going on with their security posture in the network. It natively supports layer 4 through layer 7, with native TCP, SSL and HTTP full proxies, and the SSL support includes SSL visibility. It also includes network and session DDoS mitigation. Aside from AFM there's BIG-IP LTM, the traffic management or application delivery controller functionality that F5 excels at: the industry's leading application delivery controller, which brings with it application fluency and app-specific health monitoring. The remaining modules that are available start with BIG-IP ASM, our web application firewall product, which is a no-brainer for PCI compliance needs.
PCI compliance requires at a minimum a web application firewall; the alternative would be very expensive annual security audits. ASM also has virtual patching for newfound vulnerabilities, HTTP DDoS mitigation, and IP (intellectual property) protection, which is the ability to detect bots that do screen scraping (a later slide covers IP protection specifically). BIG-IP Access Policy Manager (APM) has not only identity access control but also includes the SSL VPN component; it is what does unified access management for applications. Additionally we have GTM and DNSSEC. GTM is the Global Traffic Manager, an extremely scalable DNS solution that can also offload DNS queries and even sign DNS responses. Beyond this, we have IP Intelligence and geolocation. These are licensable add-ons (not modules) which provide context-aware security. IP Intelligence provides reputation information based on the source IP address (an additional slide covers this). Geolocation is the ability to tie an IP address to a specific region of the world. With both IP Intelligence and geolocation we can make more intelligent decisions; this is the context-aware intelligence that we speak about. Supporting all of this we have iRules, the extensibility piece of the BIG-IP family: a scripting language that allows the BIG-IP system to take customizable actions in the data plane depending on characteristics within the traffic that is transiting the system.
Splunk now has more than 850 employees worldwide, with headquarters in San Francisco and 14 offices around the world. Since first shipping its software in 2006, Splunk has gained over 6,000 customers in 90+ countries. These organizations are using Splunk software to improve service levels, reduce operations costs, mitigate security risks, enable compliance, enhance DevOps collaboration and create new product and service offerings. Please always refer to the latest company data found here: http://www.splunk.com/company.
At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
Data is growing and embodies new characteristics not found in traditional structured data: Volume, Velocity, Variety, Variability/Veracity. Machine data is one of the fastest-growing, most complex and most valuable segments of big data. All the web servers, applications, network devices – all of the technology infrastructure running an enterprise or organization – generate massive streams of data, in an array of unpredictable formats that are difficult to process and analyze by traditional methods or in a timely manner. Why is this "machine data" valuable? Because it contains a trace – a categorical record – of user behavior, cyber-security risks, application behavior, service levels, fraudulent activity and customer experience.
Our rapid ascent reflects the customer traction we have and the value we deliver to customers: with over 2,800 security customers and 50% year-over-year growth, we are the fastest growing SIEM vendor in the market. In two short years we raced up to the top quadrant in the Gartner MQ.
The SC Magazine award was determined by the readers of SC Magazine, who are IT security professionals. We beat out:
- HP for ArcSight Express
- IBM Software Group for QRadar SIEM
- LogRhythm for LogRhythm
- NetIQ for NetIQ Sentinel 7
- SolarWinds for SolarWinds Log & Event Manager (LEM)
Over 2,800 security/compliance customers worldwide. Customers cover all sizes and verticals, and are all over the world. While not listed here, hundreds of SMBs and individuals also use Splunk for security/compliance.
- Over 2,800 customers use Splunk for security and/or compliance use cases
- Approx. 400 use the Splunk App for Enterprise Security
- First introduced in 2009 with v1.0
- Customers were using Splunk to build their own SIEM as early as 2007
- Leader in the Gartner MQ in 2013
- Splunk is used for adjacent use cases such as fraud, compliance and insider threats
- Widely used across many verticals for security
- Flexibility, scalability, speed (time-to-answer), search and analytics are why customers use Splunk for security
One solution for Splunk for Security, but 3 offerings. At the bottom is Splunk Enterprise, our core product. Every Splunk deployment includes this, as this is where the core indexing and searching resides. Many customers build their own searches/reports/dashboards on top of it. On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards, and searches purpose-built for a specific use case or product. They can be built by Splunk, customers or partners, and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content and do not want to have to build it themselves, and who want to extend point solutions. One key App is the Splunk-built Enterprise Security app, with the arrow pointing at it. It is basically an out-of-the-box SIEM with reports, dashboards, correlation rules, and workflow for security use cases. (It does have a cost though.) Besides this app there are over 80 security-centric free Apps on Splunkbase. These are offering 3. The majority of Splunk security customers use Splunk Enterprise and the free apps. Customers also leverage the API and SDKs that come with Splunk to further extend the platform.
A key part of IT security is protecting confidential data, which means detecting advanced threats, like cybercriminals or malicious insiders, before they can steal your data. To detect or investigate them, you need both non-security and security data, because advanced threats avoid detection by signature-based security products; the fingerprints of an advanced threat are often in the "non-security" data. Most traditional SIEMs just focus on gathering signature-based threats, which do *not* have the fingerprints of advanced threats. The above scenario is worse if there is no SIEM: instead point UIs and grep are used, and aggregating data is very manual and time consuming.
To make sound security decisions, 4 data types are required:
- Traditional structured and unstructured log data
- Binary data – flow data for machine-to-machine communications, and packet capture for analysis of packet payloads, looking for malicious code in PDFs, TIFFs or PNGs, or email, for example
- Context data – the data locked in business systems that provides clues to employee behaviors; examples: is Joe on vacation, has he not taken a vacation in the last 24 months, who's being laid off, etc.
- Threat intelligence data that can tell us in near real time about new IPs and domains that may be malicious
The sheer volume, velocity, variety and variability of the data make this a big data problem.
Use case 1. Alert from a point product UI or traditional SIEM. The pin board image on the right indicates the "cold case/CSI" sort of investigation that Splunk can enable. (FYI – the papers on the pin board image do not tell a "real" investigation story, so do not try to read all the images on the pin board.) From a forensics perspective, things like endpoint OS logs or packet captures can be put into Splunk at the time of the investigation to get deeper into the details. With existing SIEMs, customers struggle with incident investigations because the SIEMs cannot:
- Retain all the original unmodified data (because they normalize/reduce it)
- Easily pivot among the data, because it is in different data stores (logger/SIEM/Hadoop/etc.) with no common UI
- Quickly return search results (because their DB causes scale/speed issues)
- Offer much flexibility/ability to do external lookups
Use case 3. It is about taking thousands of security events that are low severity in isolation and connecting the dots in an automated, policy-driven manner, to see when a combination of seemingly low-severity events, when correlated, is actually a high-severity incident that needs immediate attention. There are hundreds of possible cross-product correlations. The one above tells the story of a data loss event being detected by signature-based security products:
- For a specific internal IP address running Windows, someone logs into it using the default administrative user name "Administrator", which is not good. All users should have a unique user name (not root or Administrator) so you know exactly who is doing what in the IT environment. The OS logs see this login.
- Endpoint-based anti-malware sees known bad malware running on that machine. Malware means "malicious software" and is a red flag because it may lead to data being stolen by a hacker.
- A data loss prevention tool (in this case the Snort intrusion detection/prevention product) sees unencrypted credit card numbers leaving the organization from the above machine. This data loss of credit cards is a major red flag.
Why these 3 events are bad: these 3 events happening on the same machine in a short time period indicate a hacker inappropriately logged into the machine, probably using stolen credentials, then put malware on the machine, perhaps a backdoor to remotely connect back to the machine later, then exfiltrated stolen credit cards from the machine. The credit cards may then have been used for illegal purposes, which ultimately may have resulted in the costs of re-issuing credit cards, bad publicity, unhappy customers taking their business elsewhere, customer lawsuits, fines for PCI non-compliance, etc. Splunk can correlate on all 3 of these events happening on the same machine within a short time period. It has connected the dots to find the proverbial needle in the haystack.
Splunk can detect and/or alert on these sorts of correlations in real time or on a scheduled basis. Two other sample correlations:
1. Internal reconnaissance
   - Firewall on an internal PC indicates the PC is being port scanned from an internal IP address
   - Network-based firewall indicates it is being port scanned from the same internal IP address
   - Important settings have been changed on the suspicious internal machine
   Why: the machine associated with the IP address may have been compromised by a threat that is doing internal reconnaissance
2. Exploit of a known-vulnerable server
   - Vulnerability scanner shows that an internal server has an unpatched OS
   - Intrusion Detection System sees an external attack on that specific server that exploits the vulnerability in the OS
   Why: the server is likely to be successfully compromised
Use case 4. Like the prior slide, so see the notes at the top. But in this case the events being correlated are all from "non-security" data sources. This is because the threats are "unknown" to traditional security products: no signature exists for them. Each of these events in isolation would raise no alarms. Only when combined can you see that they are risky, because they represent outliers/anomalies that could be advanced threats like a sophisticated cybercriminal or a nation-state. There are hundreds of possible cross-product correlations. The one above tells the story of a spearphishing attack done in order to obtain and steal confidential data. More sample correlations are on the next slide. In the scenario above, Splunk is keeping track of all the external email domains that are sending emails into the company, all external web sites being visited by internal employees, and all the services and executables running on internal machines. It can automatically count up things like the number of emails received from each external domain, the number of times employees visit external web domains, etc., to see the rarely seen items that are outliers. In the above scenario:
- Splunk sees an email reach an internal employee from an external email domain that has never/rarely been seen before
- That same employee then visits a web site that is never/rarely visited by internal employees
- A service starts up on the employee's machine that is never/rarely seen in the organization
Why these 3 events are bad: these 3 events happening on the same machine in a short time period indicate a hacker has performed a spearphishing attack. They sent a realistic-looking email to an internal employee that compelled the employee to click on a link or open an executable. This resulted in the web site dropping malware on the machine. Splunk can correlate on all 3 of these events happening on the same machine within a short time period. It has connected the dots to find the proverbial needle in the haystack.
Splunk can detect and/or alert on these sorts of correlations in real time or on a scheduled basis.
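As an added example for use cases 3 and 4 (plain Python, not Splunk's correlation-search engine or SPL), the block below correlates events from different sources on a shared host or user within a time window, once with signature-based alerts and once with rarity computed against a baseline; all sourcetypes, field names, thresholds and log events are constructed.

```python
"""Cross-source correlation for use cases 3 and 4 above.

Added example in plain Python, not Splunk's own correlation-search engine or
SPL. Field and sourcetype names, thresholds and all log events are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")


def correlate(events, conditions, key_of, window):
    """Find event chains matching `conditions` in order, all sharing one key
    (host or user) and all within `window` of the first event.
    Returns a list of (key, [matched events]) incidents."""
    by_key = defaultdict(list)
    for e in sorted(events, key=ts):
        k = key_of(e)
        if k is not None:
            by_key[k].append(e)
    incidents = []
    for k, evs in by_key.items():
        for i, first in enumerate(evs):
            if not conditions[0](first):
                continue
            chain, pos = [first], i + 1
            for cond in conditions[1:]:           # each later condition must follow the previous match
                nxt = next((j for j in range(pos, len(evs))
                            if cond(evs[j]) and ts(evs[j]) - ts(first) <= window), None)
                if nxt is None:
                    break
                chain.append(evs[nxt])
                pos = nxt + 1
            if len(chain) == len(conditions):
                incidents.append((k, chain))
    return incidents


# --- Use case 3: three signature-based alerts on one machine (constructed logs) ---
LOGS_UC3 = [
    {"ts": "2013-11-05T09:01:00", "sourcetype": "wineventlog", "host": "10.0.0.25",
     "user": "Administrator", "action": "logon_success"},
    {"ts": "2013-11-05T09:03:30", "sourcetype": "antimalware", "host": "10.0.0.25",
     "signature": "Trojan.Generic", "action": "detected"},
    {"ts": "2013-11-05T09:08:10", "sourcetype": "snort", "src": "10.0.0.25",
     "msg": "SENSITIVE-DATA credit card leaked unencrypted", "action": "alert"},
    # Noise: a lone Administrator logon elsewhere and an old malware hit on that box.
    {"ts": "2013-11-05T09:02:00", "sourcetype": "wineventlog", "host": "10.0.0.40",
     "user": "Administrator", "action": "logon_success"},
    {"ts": "2013-11-03T14:00:00", "sourcetype": "antimalware", "host": "10.0.0.40",
     "signature": "Adware.Foo", "action": "detected"},
]


def run_use_case_3(window=timedelta(minutes=15)):
    conds = [
        lambda e: e["sourcetype"] == "wineventlog" and e.get("user") == "Administrator",
        lambda e: e["sourcetype"] == "antimalware" and e.get("action") == "detected",
        lambda e: e["sourcetype"] == "snort" and "credit card" in e.get("msg", ""),
    ]
    # Snort reports the machine as "src", the other sources as "host".
    return correlate(LOGS_UC3, conds, lambda e: e.get("host") or e.get("src"), window)


# --- Use case 4: three "non-security" rarities for one user (constructed baseline) ---
# How often each value was seen across the organisation in the previous 30 days;
# a value absent from the baseline counts as 0, i.e. never seen before.
BASELINE = {
    "sender_domain": Counter({"example.com": 9800, "partner.example": 410, "secure-inv0ice.example": 1}),
    "dest_domain": Counter({"example.com": 52000, "news.example": 3100, "cdn-updt.example": 1}),
    "service": Counter({"spooler": 700, "wuauserv": 700, "svchosts_helper": 1}),
}
RARE_MAX = 2   # seen at most this many times counts as "never/rarely seen" (assumed)

LOGS_UC4 = [
    {"ts": "2013-11-05T10:00:00", "sourcetype": "mail", "user": "jdoe",
     "sender_domain": "secure-inv0ice.example"},
    {"ts": "2013-11-05T10:04:00", "sourcetype": "proxy", "user": "jdoe",
     "dest_domain": "cdn-updt.example"},
    {"ts": "2013-11-05T10:05:30", "sourcetype": "endpoint", "user": "jdoe",
     "host": "WS-0131", "service": "svchosts_helper"},
    # Noise: ordinary mail and browsing by another user.
    {"ts": "2013-11-05T10:01:00", "sourcetype": "mail", "user": "asmith",
     "sender_domain": "partner.example"},
    {"ts": "2013-11-05T10:02:00", "sourcetype": "proxy", "user": "asmith",
     "dest_domain": "news.example"},
]


def rare(field):
    """Condition: the event carries `field` and its value is an outlier in the baseline."""
    return lambda e: field in e and BASELINE[field][e[field]] <= RARE_MAX


def run_use_case_4(window=timedelta(minutes=30)):
    conds = [rare("sender_domain"), rare("dest_domain"), rare("service")]
    return correlate(LOGS_UC4, conds, lambda e: e.get("user"), window)


if __name__ == "__main__":
    for key, chain in run_use_case_3() + run_use_case_4():
        print(key, "->", [e["sourcetype"] for e in chain])
```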
Interac, a leader in debit & electronic payment services out of Canada. On Splunk.com we have an ROI story for them, and they have presented at Splunk events several times. Before Splunk, they used point UIs and grep to do security investigations and run daily security reports: very time consuming and inefficient. They would have many different personnel involved in security-related data collection, analysis and correlation. It was a very involved, manual process that consisted of reviewing a variety of different log formats from a mixture of devices and interfaces. No single tool or interface existed for incident and root cause analysis. This led to an increased amount of time researching issues and building reports for senior management. A security investigation could take days for a low-severity event to weeks if any events were deemed medium to high severity. They looked at traditional SIEMs and found them too bloated, requiring extensive resource and development time, and too expensive. They now have over 15 data sources going into Splunk and have created 3 custom Apps that have over 80 reports driven through 8 menus and 26 individual dashboards. It is very easy for IT Security and others to use Splunk for security use cases. They also do real-time alerting on things like user privileges being escalated, possible data loss, and anomalous database activity. The end result is the ROI listed here. Not listed here, but IT also uses Splunk for root cause analysis on key business applications and underlying storage systems. Developers can also access the log data to help them with troubleshooting. See the ROI study at: http://www.splunk.com/web_assets/pdfs/secure/Splunk_at_Interac.pdf
Cisco, the global networking company. Their internal security team uses us: 7 clusters around the globe, 900GB a day, 350TB stored data. (Note – while Cisco has presented this info at numerous public events, and also blogged about it, please limit this information just to the customer you are presenting to – do not make public.)
- Some logging and SIEM solutions we have used or evaluated required considerable effort to process custom formats (custom parsers, etc.)
- In our experience with SIEM 1 we found it to be rigid, inflexible, and difficult to customize
- Modifying how
- We like the ability to throw data of virtually any format/structure at our logging system
- No API/CLI
- Fat Java-based clients
- Only direct database access or worse, no alternative access
- Making scripting and automation more challenging
- In the past, it wasn't uncommon for regular reports and ad-hoc queries run against the SIEMs to take hours to complete
- CSIRT undertook a reevaluation of the logging/SIEM project in mid-2010, running a number of trials and proofs of concept, wrapping up in early 2011
- In CY12Q1 we retired the SIEM that had been in use since CY03 (NetIQ)
- Extensive migration project to replicate all existing playbook reports from SIEM in Splunk logging has been successful.
- Moved over 400 regularly scheduled reports from our SIEM into the new logging solution.
- Global logging solution deployed by end of CY11
Also see: http://blogs.cisco.com/security/security-logging-in-an-enterprise-part-2-of-2/
- Based on sheer cost of deployment, we estimate that investment for a global logging solution was roughly 25% of what deploying a full SIEM would have cost us
- Began mid-2010, completed early 2011
- Evaluated, trialed, ran PoCs: Splunk and three other loggers; SIEM 1 and six other SIEMs
- Strategy moving forward: retire current SIEM; undertake global logging; estimated: 25% of SIEM cost
- Over 90% of the team is using the tool (whereas before we primarily had analysts running reports)
- It is a great fit for the brand new analyst all the way up to the most seasoned investigators
- Much higher percentage than SIEM 1 (which required logging in via a fat client or using direct DB access)
- With our revamped event collection deployment we are: indexing over 35x the volume of data we were previously; querying on average 20x faster
- Long queries: with SIEM 1, 2% over 1 hour; with Splunk, <0.5% over 1 hour
Barclays, the large financial services firm out of Europe. They use us for incident investigations, security dashboards (top malware sites employees visit, potentially infected endpoints), and IT ops use cases as well. They needed a security logging and monitoring solution that could scale and was flexible for historical searches. (Note – while Barclays has presented this info at numerous public events, and also discussed it in the media, please limit this information just to the customer you are presenting to – do not make public.) Also see:
http://www.computing.co.uk/ctg/news/2262548/without-splunk-we-might-be-taken-out-of-the-market-says-barclays
http://www.computerweekly.com/news/2240183238/Barclays-indexes-machine-data-to-meet-complex-regulation
http://www.computerworlduk.com/in-depth/applications/3442941/barclays-tackles-complex-regulatory-environment-with-splunk/
- Infoblox is not a start-up. The company was started more than a dozen years ago – our technology is mature and field proven.
- The company HQ is in the heart of Silicon Valley with global operations in all major geographies – we do business in 3 regions (Americas, EMEA, APJ).
- We have sales, support and development operations in 25 countries, and we do business in over 70 countries around the world.
- Infoblox makes essential technology to control networks – we'll dig into that a bit later in the
- We are a market leader in the space that we serve – with Strong Positive ratings from Gartner (3 years in a row) and 40% market share. (Note: the Gartner Market Scope and market share stat are specific to DDI.)
- Infoblox has a massive customer base – our latest count is 6,900 different companies; we have shipped 64,000 systems.
- We are innovative, with a formal patent program for our employees. As of right now we own 32 patents, with 25 more pending.
- Last but not least – the company did a successful IPO in April 2012. We now share our financial results publicly, which can be seen on the right.
Infoblox can help organizations deal with the risks and expenses associated with key trends in the world of networks. Let's take a look at how:
Click: The modern network is made up of the infrastructure layer, which is all the devices you're very familiar with (switches, routers, firewalls, load balancers, web proxies, etc.).
Click: These devices exist to support this layer – your apps and endpoints, ranging from Voice over IP phones to tablets and smart phones, to all the VMs and private clouds, all servicing the applications that drive the business.
Click: Infoblox plays in the middle, in the control plane. We put our technology on a high-performance, highly available and secure platform (we call this the Grid). The Grid has a very powerful, distributed network database that keeps all the information in one place.
So what does Infoblox do?
Click: We deliver discovery, real-time configuration & change management, and compliance for this layer.
Click: And we deliver essential network control functions like DNS, DHCP and IPAM (known as DDI) for this layer.
Click: Since the new threat vectors are targeted at the network, especially the DNS architecture, we offer security solutions for risk mitigation.
And since we touch all these devices and capture real-time data in a single place…
Click: we can do some amazing real-time and historical reporting as well as advanced control.
Networks are constantly being exploited using DNS for a variety of criminal purposes today. DNS is the cornerstone of the internet, and attackers know that DNS is a high-value target. Without their DNS functioning properly, enterprises cannot conduct business online. The DNS protocol is stateless, which means attackers also cannot be traced easily. The DNS protocol can be exploited easily: it is easy to craft DNS queries that can cause the DNS server to crash or respond with a much amplified response that can congest the bandwidth. The queries can be spoofed, which means attackers can direct huge amounts of traffic to their victim with the help of unsuspecting accomplices (open resolvers on the internet). All these reasons make DNS an ideal attack target.
We are a critical component of the customer infrastructure and a target for many of these attacks. The big issue is using DNS as an open global communication mechanism that is not well secured: not a well protected channel. Customers can use our purpose-built hardware and best practices to ensure the infrastructure is safe. Malware communicates using DNS to resolve the name.
- Purpose-built secure hardware
- Common Criteria certified
- Rate limiting
- Best practices
Hacking of DNS servers is becoming more prevalent each day. For those bad actors with extensive hacking skills it's a quick path to inflicting damage and getting hold of massive amounts of traffic/users quickly. Just in the last 15 months there have been hacks of the DNS servers of LinkedIn, Google Malaysia, and MIT. Traffic to these sites, in the thousands of visitors per hour, provides a great source of unwilling participants for hackers.
Security – Purpose-Built Appliances
Infoblox has designed, built and delivered hardened appliances from which secured DNS, DHCP, and IP address management applications are delivered. For the appliances Infoblox has delivered:
- Minimal attack surface (task-specific hardware) – no extra or unused ports that could be used to access the OS or power external devices, e.g. a USB port for a Wi-Fi access port.
- Active/active HA & DR recovery
  - Simple VRRP-based HA setup – fail-over and fail-back to ensure availability.
  - Active/active DR recovery – ensure operations during a disaster.
- Tested & certified to the highest industry standards
  - Common Criteria EAL-2 cert. – hardware/software and manufacturing processes verified.
  - FIPS 140-2 certification
- Secure inter-appliance communication
  - 128-bit AES Grid VPN comm. – all cross-appliance communication is protected and cannot be intercepted.
- Centralized management with role-based control
  - Central view of all appliances/processes & management.
  - Role-based admin controls – segment access, control, and management of applications or networks.
- Secured access, communication & API
  - 6 authentication methods
  - Two-factor auth. (CAC/PKI)
  - HTTPS web access – secured access
  - SSL-based REST/Perl API
  - GSS-TSIG & TSIG
- Detailed audit logging – for tracking of changes and enabling undo of incorrect changes.
- Fast/easy upgrades – reduce downtime and risk of upgrades.
** NOT ON SLIDE **
- Restrictive/hardened Linux OS – non-essential processes not enabled.
- Root access disabled – control over operations cannot be compromised.
DNSSEC in 1 click
- No scripts / auto-resigning / 1 click
- Central configuration of all DNSSEC parameters
- Automatic maintenance of signed zones
Arbor survey: this year Arbor collected 220 responses to the Infrastructure Security Survey (November 2012 to October 2013).
The Advanced Appliance can sit on the Grid. Now let's see Advanced DNS Protection in action. Regular Grid appliances like the Grid Master and the reporting server sit on the Grid. Let's assume we have two Advanced Appliances, one external authoritative and the other functioning as an internal recursive server. DNS attacks come interspersed with legitimate DNS traffic at the external authoritative server.
- Advanced DNS Protection pre-processes the requests to filter out attacks
- It responds to legitimate DNS requests
- The attack types and patterns are sent to the Infoblox Reporting server
- When Infoblox detects new threats, it creates rules and updates the Advanced Appliance. The rule updates are propagated to other Advanced Appliances on the Grid.
Here’s a high-level categorization of the attacks that Advanced DNS Protection protects against. These are just high-level categories; several rules are created for each of these attack types. Some of the key attacks we have seen growing in number in the last year or so are the DrDoS attacks, which use a combination of reflection from multiple open recursive servers on the internet and amplification to flood the target victim’s server. Reflection, amplification and floods all cause huge amounts of traffic to be sent to the target victim, overwhelming the target server and eventually leading to a Denial of Service (DoS).

Detailed explanation of attacks (if more info is needed):

DNS reflection/DrDoS attacks: Reflection attacks use a third-party DNS server, mostly an open resolver, on the internet to propagate a DDoS attack on the victim’s server. A recursive server will process queries from any IP address and return responses. An attacker spoofs the DNS queries he sends to the recursive server by including the victim’s IP address as the source IP in the queries. So when the recursive name server receives the requests, it sends all the responses to the victim’s IP address. DrDoS, or Distributed Reflection Denial of Service, uses multiple such “host” machines or open resolvers on the internet, often thousands of servers, to launch an attack on the target victim. Amplification (described next) can also be used while generating these queries to increase the impact on the victim. A high volume of such “reflected” traffic could overwhelm the victim server and bring down the victim’s site, thereby creating a Denial of Service (DoS).

DNS amplification: DNS amplification is an attack where a large number of specially crafted DNS queries are sent to the victim server. These specially crafted queries result in a very large response that can reach up to 70 times the size of the request. Since DNS relies on the User Datagram Protocol (UDP), the attacker can use a small volume of outbound traffic to cause the DNS server to generate a much larger volume. When the victim tries to respond to these specially crafted queries, the amplification congests the DNS server’s outbound bandwidth. This results in a Denial of Service (DoS).

DNS-based exploits: These are attacks that exploit vulnerabilities in the DNS software. This causes the DNS software to terminate abnormally, causing the server to stop responding or crash.

TCP/UDP/ICMP floods: These are volumetric attacks with massive numbers of packets that consume a network’s bandwidth and resources. TCP SYN floods consist of large volumes of half-opened TCP connections. This attack takes advantage of the way TCP establishes connections. The attacking software generates spoofed packets that appear to the server to be valid new connections. These packets enter the queue, but the connection is never completed, leaving false connections in the queue until they time out. The system under attack quits responding to new connections until the attack stops. This means the server is not responding to legitimate requests from clients to open new connections, resulting in a Denial of Service (DoS). UDP floods send large numbers of UDP packets to random ports on a remote server, which checks for applications listening on the port but doesn’t find them. The remote server is then forced to return a large number of ICMP Destination Unreachable packets saying that the destination is unreachable. The attacker can also spoof the return IP address so that the replies don’t go to the attacker’s servers. Sending the replies exhausts the victim server’s resources and causes it to become unreachable. ICMP attacks use network devices like routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death and smurf attacks. This overwhelms the victim server or causes it to crash due to overflow of memory buffers.

DNS cache poisoning: Corruption of DNS cache data. It involves inserting a false address record for an Internet domain into the DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker’s address. New cache-poisoning attacks such as the “birthday paradox” use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache. Cache poisoning prevents access or redirects the clients to a rogue address, preventing legitimate users from accessing the company’s site. Inducing a name server to cache bogus resource records can redirect web browsers to bogus replicas of web sites, where logins, passwords and credit card numbers are captured, and email to hostile mail servers, where mail can be recorded or modified.

Protocol anomalies: Sending malformed DNS packets, including unexpected header and payload values, to the targeted server. They make use of software bugs in protocol parsing and processing implementations. The victim server stops responding by going into an infinite loop, or crashes.

Reconnaissance: This attack consists of attempts to get information on the network environment before launching a large DDoS or other type of attack. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warning. No direct effect on the server, but it indicates an impending attack.

DNS tunneling: This attack involves tunneling another protocol through DNS port 53, which is allowed if the firewall is configured to carry non-DNS traffic, for the purposes of data exfiltration. A free ISC-licensed tunneling application for forwarding IPv4 traffic through DNS servers is widely used in this kind of attack.
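As an added illustration (not part of the original deck and not Infoblox’s code), the following Python models the response rate limiting (RRL) that authoritative DNS servers apply against the reflection and amplification traffic described above. Responses are accounted per (client /24, qname, qtype, rcode) in a token bucket, so a flood of identical spoofed queries that would all be reflected at one victim network is throttled, while ordinary queries for different names pass untouched. The traffic, names, addresses and thresholds are constructed for the demo.

```python
"""Token-bucket Response Rate Limiting (RRL) for an authoritative DNS server.

Added example. Keys, thresholds and the sample traffic below are constructed;
real servers tune responses-per-second and slip to their own traffic."""
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2):
        self.rps = responses_per_second      # steady-state identical responses per key per second
        self.slip = slip                     # every Nth limited response is sent truncated
        self.buckets = {}                    # key -> (tokens, last_timestamp)
        self.limited = defaultdict(int)      # key -> number of limited responses so far

    @staticmethod
    def _key(client_ip, qname, qtype, rcode):
        # Aggregate on the /24 so cycling spoofed sources inside one victim
        # network does not dodge the limit (IPv4 only in this example).
        prefix = ip_network(f"{client_ip}/24", strict=False)
        return (str(prefix), qname.lower(), qtype, rcode)

    def decide(self, ts, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'answer', 'truncate' or 'drop' for one response that is about to be sent."""
        key = self._key(client_ip, qname, qtype, rcode)
        tokens, last = self.buckets.get(key, (float(self.rps), ts))
        tokens = min(float(self.rps), tokens + (ts - last) * self.rps)   # continuous refill
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, ts)
            return "answer"
        self.buckets[key] = (tokens, ts)
        self.limited[key] += 1
        # A truncated reply (TC=1) is tiny, so it cannot amplify, yet a genuine client
        # behind the address will retry over TCP; a spoofed victim simply ignores it.
        if self.slip and self.limited[key] % self.slip == 0:
            return "truncate"
        return "drop"


def run_demo():
    """Constructed traffic: 20 identical ANY queries spoofed from one victim address
    within 20 ms, then 10 ordinary A queries for distinct names. Returns verdict counts."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    counts = {"attack": defaultdict(int), "legit": defaultdict(int)}
    for i in range(20):
        verdict = rrl.decide(i * 0.001, "203.0.113.77", "zone.example", "ANY")
        counts["attack"][verdict] += 1
    for i in range(10):
        verdict = rrl.decide(0.5 + i * 0.001, f"198.51.100.{i + 1}", f"host{i}.example", "A")
        counts["legit"][verdict] += 1
    return {k: dict(v) for k, v in counts.items()}


if __name__ == "__main__":
    print(run_demo())
```

With these settings the first five identical responses go out, the remaining fifteen are alternately dropped and slipped as truncated replies, and all ten legitimate queries are answered; the limiter never looks at who "sent" the query, only at how many identical responses are about to leave for one network.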
Enterprises can deploy the Adv DNS Protection either as an external authoritative server or as a recursive/caching server inside their network. This diagram shows a typical deployment scenario in the external case and in the internal case. The first scenario helps to protect the network from external, internet-borne attacks that target the authoritative DNS. The second scenario is more common in the education vertical, where the university traffic can be as bad as the internet traffic. So universities’ IT departments can use the Adv DNS Protection for their internal DNS server to ensure that the internal network is protected from attacks launched from within their network.
Before we talk about disrupting malware, which may be random or targeted, we need to understand the problem first. The problem is that malware is used to drive security breaches around sensitive information or to steal money. Before you on the screen right now are just some of the breaches from CQ’ 2013 into CQ1’ 2014 that used malware extensively. Let me go through a couple of examples. In the 1st quarter, the NY Times was hacked and information was exfiltrated over a period of 4 months. An outside company was brought in at great expense to clean up the NY Times infrastructure. The outside vendor found 45 different malware instances, only 1 of which was caught by anti-virus. Another example in the 1st quarter is Facebook. Facebook was infected via Java-based malware that was accidentally downloaded by several Facebook employees outside of the Facebook network and brought back into the network. Facebook found the Java-based malware because a DNS administrator found a sudden burst of DNS requests for domains in Russia. In the 2nd quarter it was announced that malware was used to steal credit card numbers and other information from the likes of VISA, JC Penney, NASDAQ and Carrefour, which totaled $300 million. In the 3rd quarter of this year Adobe was hacked using malware, and an outside security researcher discovered the breach when he found source code for 4 of Adobe’s products on a known hacker website. Finally, retail was a big target in late CQ4’ 2013 and early CQ’ 2014. Neiman Marcus, Target and several others were breached and credit card information for tens of millions was stolen. Target, Neiman Marcus and URM Stores (Washington State) found that their credit card Point-of-Sale (Windows) computers were breached and customer credit card data stolen. Each vendor had to announce it publicly. The impact on their business was 3-fold: (1) Customers shopped elsewhere because they lost faith in the retailers. (2) They also had to hire a 3rd-party vendor to do forensics on their environment to find out what happened. (3) IT lost productivity because all servers and POS systems had to be checked, updated and cleaned.
Here is one more example of malware that DNS Firewall is effective against. CryptoLocker is a new name for a piece of malware (so-called ransomware) that has been updated and is now back in distribution. CryptoLocker is Windows-based malware that is spread via various “pay per infection” methods; that is, the crooks pay other crooks to infect you. Currently it is being spread in at least two different ways. One is email, where the attached malware is disguised as a PDF or voice-mail audio file. A second is via trojans already present on the machine, which are commanded to download CryptoLocker. Once CryptoLocker is on a Windows machine it encrypts the files on the local hard drive or shared drives after getting an encryption key from an internet-based server. The encryption key is a 2048-bit RSA key. As you can see on the screen, a pop-up window informs you that your files are encrypted and you have 72 or 100 hours to pay $300 dollars or euros to get access to your data. The only way to stop the encryption process is to block access to the encryption servers on the Internet. Infoblox DNS Firewall disrupts CryptoLocker by blocking DNS queries to the encryption servers.
Infoblox DNS Firewall – How does it work?
1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
2. The malware makes a DNS query for a “bad” domain to find “home.” The DNS Firewall has the “bad” domain in its table and blocks the connection.
3. The DNS server is continually updated by a reputational data feed service to reflect the rapidly changing list of malicious domains.
4. Infoblox Reporting provides a list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history (on/off network).
5. Reputation data comes from:
- Infoblox DNS Firewall Subscription Service: blocking data on domains and IP addresses from 35+ sources throughout the world. Geo-blocking is also part of the service.
- Infoblox DNS Firewall – FireEye Adapter: APT malware domains and IP addresses to be blocked are communicated to DNS Firewall from FireEye NX Series.
What protection does DNS Firewall provide?
- DGA (Domain Generating Algorithm): malware that randomly generates domains to connect to malicious networks or botnets. Initial infection seeking to connect and download more software.
- Fast Flux: rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location.
- APT / Malware: targeted attack. APT / malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack. Integration with FireEye enables DNS Firewall to protect against APT.
- DNS Hijacking: hijacking DNS registry(s) & re-directing users to malicious domain(s). An example of this is the Syrian Electronic Army hijacking of DNS servers in Australia and directing NY Times and Twitter users to their malicious domains.
- Geo-Blocking: blocking access to geographies that have high rates of malicious domains or are under economic sanctions by the US Government. Ideal for governments and small businesses that don’t do business overseas, whose users would therefore not have a legitimate reason to be going to a domain hosted in such a country. Examples of regions with a high ratio of malicious domains: Russia, Moldova, Lithuania, most countries in Africa, etc. A good example of how geo-blocking helps is Cryptolocker: DNS Firewall with the DNS Firewall Subscription Service and geo-blocks for Eastern Europe provides zero-day protection against Cryptolocker.
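To make the five steps and the protection categories above concrete, here is an added Python example (written for this page, not Infoblox’s implementation) of a DNS-firewall decision function: a reputation feed with exact and wildcard entries, a DGA heuristic on the registrable label, a geo-block on the resolved address, and a join against a DHCP lease table so a blocked attempt is reported with IP, MAC, hostname and device fingerprint. The feed, the geo table (RFC 5737 documentation prefixes mapped to placeholder country codes), the lease table and the DGA thresholds are all constructed sample data.

```python
"""DNS-firewall policy check: reputation feed, DGA heuristic, geo-block, lease enrichment.

Added example with constructed data. Policy order and thresholds are illustrative."""
import math
from ipaddress import ip_address, ip_network

# Constructed reputation feed. A wildcard entry covers every subdomain of the
# listed name but, as in response policy zones, not the name itself.
REPUTATION_FEED = {
    "malware-c2.example": "block",
    "*.fastflux.example": "block",
}

# Constructed geo table: documentation prefixes -> placeholder country codes.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "XX"),
    (ip_network("198.51.100.0/24"), "YY"),
]
BLOCKED_COUNTRIES = {"XX"}

# Constructed DHCP lease table used to enrich a blocked query for reporting.
DHCP_LEASES = {
    "10.1.2.3": {"mac": "00:11:22:33:44:55", "hostname": "laptop-17", "fingerprint": "Android"},
}


def feed_lookup(qname):
    """True if qname, or a wildcard covering one of its parents, is in the feed."""
    name = qname.rstrip(".").lower()
    if name in REPUTATION_FEED:
        return True
    labels = name.split(".")
    return any("*." + ".".join(labels[i:]) in REPUTATION_FEED for i in range(1, len(labels)))


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def looks_like_dga(qname):
    """Heuristic on the registrable label: long, high-entropy, vowel-poor.
    Thresholds are illustrative and would be tuned against real traffic."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < 10:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= 3.3 and vowel_ratio < 0.25


def country_of(ip):
    addr = ip_address(ip)
    return next((cc for net, cc in GEO_TABLE if addr in net), None)


def decide(qname, answer_ip, client_ip):
    """Policy verdict for one resolved query; a block carries the client report."""
    if feed_lookup(qname):
        reason = "reputation-feed"
    elif looks_like_dga(qname):
        reason = "dga-heuristic"
    elif country_of(answer_ip) in BLOCKED_COUNTRIES:
        reason = "geo-block"
    else:
        return {"qname": qname, "action": "allow", "reason": None, "client": None}
    lease = DHCP_LEASES.get(client_ip, {})
    report = {"ip": client_ip, "mac": lease.get("mac"),
              "hostname": lease.get("hostname"), "fingerprint": lease.get("fingerprint")}
    return {"qname": qname, "action": "block", "reason": reason, "client": report}


if __name__ == "__main__":
    for q, a in [("malware-c2.example", "192.0.2.10"), ("a.b.fastflux.example", "192.0.2.10"),
                 ("xk3v9qzp2lmw7r.example", "192.0.2.10"), ("shop.example", "203.0.113.5"),
                 ("www.example.com", "198.51.100.7")]:
        print(decide(q, a, "10.1.2.3"))
```

The geo check runs on the resolved address rather than the name, which is why it sits after resolution in `decide`; the DGA heuristic is deliberately conservative (a readable name such as `secure-login.example` has high entropy but a normal vowel share and is allowed), since a false positive here blocks a user rather than merely logging an alert.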
DNSSEC enablement with automated key maintenance simplifies implementation and reduces risk
This concludes the Infoblox Webinar - Protect DNS from Being an Accomplice to Malware. We hope it has been informative for you. If you’d like to find out more you can contact Infoblox Sales at sales@infoblox.com or go to the Infoblox website at www.infoblox.com.
Key Message – Our Security Portfolio is focused on the question of how to secure core infrastructure. We deliver Security by focusing on next generation technologies & adaptive defensive techniques. Our experience in this space has shown us that threats are evolving very rapidly, and our approach emphasizes using leading next gen technologies rather than large, monolithic architectures, allowing you to react quickly to changes as they evolve. We back that up with industry leading expertise – we are the only authorized training centre in Canada for next-gen security technologies like Palo Alto Networks, F5 and Infoblox, leaders in their respective spaces. And we maintain technical & sales certifications with leading security companies including McAfee, Cisco.

Key Partners & Technologies - Palo Alto, Fortinet, FireEye, McAfee, Cisco, F5, Infoblox

Protection & Defence
The first line of defence is to stop unwanted intrusions & attacks so that they never penetrate your network. Scalar can design and deliver solutions to protect your network and applications, control your DNS & IP address properties and control user activity while ensuring speed and performance are maintained.

Incident & Event Management
While protection is critical, it’s equally as important to deliver a rapid, effective & coordinated response to any intrusion or attack. That requires processes, discipline and tools, including a 24/7 Security Operations Centre with the staff & training to operate it. That’s how Scalar helps customers secure hundreds of endpoints, devices and networks.

Threat Assessment & Penetration Testing
Improving your security posture means you need to understand where your vulnerabilities are. A vulnerability assessment can not only identify vulnerabilities in a system, but can help prioritize & rank the order in which they should be fixed, and educate internal stakeholders of the potential risks that exist. And while online tools exist, interpreting the results and developing a plan can be overwhelming for IT departments that lack the staff with the necessary skills. Scalar can conduct the assessments, and our analysts can work with you to develop a plan to close potential threats.
SIEM is only as good as the people that deploy it and the processes that manage it.
- URL filtering data typically shows up late
- Different types: multiple vendors or similar technologies (firewalls from different vendors)
- Other data types: vulnerability data, physical security systems
InfoSec staff are expensive.
- They are smart and ambitious. As soon as they are trained they leave…
- They have, in some cases, very granular skills
- Facilities costs: labs, tools (IDA Pro, Responder Pro, Encase)
Vulnerability Management is a continuous process that must have measurable results. It is not solely about patching or fixing vulnerabilities. It is about managing part of your business. It is about auditable results.
- Needs to be a continuous process
- Requires an advanced knowledge of vulnerabilities and patching as well as server hardening. Not all vulnerabilities are patch related.
- Compliance and other types of issues
- Dealing with zero days
- Assessing risk
APT is a very overused term these days. It is THE problem but does not explain how to resolve it. It is resolved with state-of-the-art technology deployed in the right place and managed by the right people who understand how to interpret the results and action them in the correct priority.
- Infected devices, video cables, etc.
- Who
- Neiman Marcus: 60K events triggered, but these were probably just noise inside millions of events.
- NSA ANT / TAO (Tailored Access Operations)