1. McAfee's platform approach to protecting enterprise assets
Andrei Novikau, Pre-Sale Engineer
McAfee Confidential—Internal Use Only
2. Intel and McAfee
Intel technologies: vPro, Active Management Technology, Advanced Encryption Standard, Virtualization, One Time Password Technology, Secure BIOS
McAfee security: Network Security, Cloud Security, Security Management, Endpoint Security, Ecosystem
3. New requirements
“The increasing number of targeted attacks and the ubiquitous use of cloud services call for a new cycle of development in network security systems”
Gartner, Defining Next Generation Network Intrusion Prevention, 2011
October 16, 2012 McAfee Confidential—Internal Use Only
4. A cup of excellent coffee
Mark@buildgroup.net
Lisa@buildgroup.net
5. Planning for the future
To: julie@buildgroup.net
(100%) Download Complete!
6. The big day
To: julie@buildgroup.net
SQL SERVER DOWN
7. History matters
Aurora, Night Dragon, Shady RAT…
ROOT OF ATTACK: contact theft → QUIET INFILTRATION: find the target → TARGET OF ATTACK: information theft
10. Fundamental changes
(Diagram: FULL ANALYSIS, AUTOMATION; steps: detect, identify, root cause, block)
11. Unknown vulnerability: the unoptimized solution
• Notifications & analysis
• Status determination
• Reaction
• Monitoring
(Diagram labels: Vulnerable Systems, Protection Status, Managed Systems, Unmanaged Systems, Exposed Systems, Priority, Existing Counter-measures, Risk, Next Steps; tools and tasks: AV, IPS, FW, Log, Manual Scans, Analysis, Ops Team, Patch/Updates, Policy, Config, Contact Vendor, Monitor)
12. Unknown vulnerability: the McAfee solution
(Diagram labels: Situational Awareness, Recommendations, Ops Team, Policy, Patch, Config, Contact Vendor, Monitor)
13. NG-IPS requirements
• Traditional IPS
• Application identification (full visibility)
• Support for external context
• Deep content inspection
14. McAfee introduces NG IPS
(Platform diagram)
Global Threat Intelligence: IP, Protocol, File, Application
Centralized Security and Risk Management: Compliance Reporting, Risk Management, Global Policy Definition, Policy Definition, Network Reporting and Alerts, Visibility
Network Security Platform (McAfee Labs):
• Next Generation Intrusion Prevention: up to 80 Gbps, inline inspection, Application Awareness, Advanced Malware, Advanced Granular Control
• Visibility Extensions: Network Behavior Analysis, Virtual Environments, DLP
• Analysis Extensions: System and User Behavior, Vulnerability Scans, Forensics
15. Best in the industry
• Leader in Gartner reports since 2003
• Best vulnerability database, 2005-2011
• Heuristic botnet analysis
• DoS/DDoS detection
16. Requirements for botnet protection
• Botnets have become very cheap ($8 for an army of 1000 bots!)
• Millions of bots around the world
• Smart botnets (such as Storm, Conficker, etc.) continue to expand using a variety of techniques
• APTs are on the rise (Shady Rat, Stuxnet, Aurora, Duqu)
– Purpose-built bots are part of the APT toolkit
– Unknown bots need to be detected
17. Botnet protection in McAfee IPS
• Attack signatures for known botnets
• Heuristic engine for detecting new botnets
– Botnet attacks share fundamental behaviours: presence of C&C, download of a .bin file, internal scanning, etc.
– Botnet detection combines heuristic analysis with McAfee Global Threat Intelligence (GTI)
18. Application control
• Identification of 1100+ applications, e.g. Yahoo IM vs. Yahoo Chat
• Overview of each application by:
– Bandwidth
– Connections
– Attacks
– Risk
19. The need for visualization
• Organizations want to see the full picture on any security device in the network
• IT wants to know:
– Which applications are in use on the network
– How, and by which services, bandwidth is consumed in the different network segments
– The risks associated with the services and applications in use
• Displaying traffic by protocol gives a distorted picture
– (for example, labelling everything that can be identified as HTTP simply as HTTP means nothing to the customer)
21. GTI knowledge is invaluable
• Reputation feed
• Based on billions of queries
• File, IP, URL, protocol, geolocation
• Combination of GTI context and signatures for better accuracy
• DoS/DDoS
(Diagram: feed sources: Network IPS, Web Gateway, Mail Gateway, Host AV, Host IPS, 3rd Party Feed)
22. GTI reacts in real time
• Influences access control
– DDoS protection based on geolocation and IP reputation
• Alerts on and prevents dangerous connections
• Influences existing signatures
– Intelligent blocking with GTI
23. Centralized management and audit
• Continuous vulnerability assessment
• Integration of alerts with Host IPS
• Centralized risk assessment
• Reporting and compliance
24. Protecting virtual environments
(Diagram: Network IPS, virtual machines)
25. Ideal performance
Data center challenges
• Resource consolidation requires high-speed networks
• Legacy infrastructure cannot cope with 10 GigE/40 GigE
• Virtualization requires an individual approach
McAfee solution: scalability
• Performance up to 80 Gbps
• 10 GigE interfaces
• High port density
• Modular architecture
• Built-in HA
Benefits
• Elimination of security bottlenecks
• Simplified infrastructure
• A calm future
26. Event analysis – McAfee partners
27. GTI together with SIEM
Sorting through events…
Have I been talking to bad actors? → 200M records
Which connections were blocked? → 18,000 alerts
Which specific servers/PCs/devices were attacked? → dozens of workstations
Which accounts were compromised? → a few users
What happened to those accounts? → the exact violations
RESPOND: How should I respond? → the exact response
28. Performance and scalability
• Unmatched speed
– The highest-performing SIEM on the market
– Hundreds (and often thousands) of times faster than competing solutions
– Queries, correlation and analysis in seconds (not minutes or hours)
• Unmatched scalability
– Collection of all relevant information
– Analysis of information spanning months and years, including high-level information about content and context
– Working with billions of records in the database
29. The number 1 SIEM
30. The McAfee platform
Integrating products into a solution
(Platform diagram, as on slide 14)
Global Threat Intelligence: IP, Protocol, File, Application
Centralized Security and Risk Management: Compliance Reporting, Risk Management, Global Policy Definition, Policy Definition, Network Reporting and Alerts, Visibility
Network Security Platform (McAfee Labs):
• Next Generation Intrusion Prevention: up to 80 Gbps, inline inspection, Application Awareness, Advanced Malware, Advanced Granular Control
• Visibility Extensions: Network Behavior Analysis, Virtual Environments, DLP
• Analysis Extensions: System and User Behavior, Vulnerability Scans, Forensics
31. Don't torment yourself, fly!
32. Advantages of the McAfee platform
• A sharp reduction in the costs of finding and identifying risks
• Time to resolve security problems cut from weeks to a few hours
• Eliminating the root of the attack prevents recurring incidents
Editor's notes
“Threats are focusing on installing targeted malicious executables which use advanced techniques to avoid detection and use botnet delivery mechanisms to perform multistage attacks. Simply stopping attacks that are looking for unpatched servers is no longer sufficient in this environment.” – Gartner Report – ‘Defining Next Generation Network IPS’
Two years before the outbreak, Mark, a manufacturing line manager, was in the café across the street from the office, enjoying a flat white (Australian coffee) each morning. He usually checks email on the somewhat slow free wifi, but today he sees a new hotspot called CafeHiSpeed and is anxious to give it a go. The captive portal simply asks for his email address and that he refer a friend to the café via email. He decides to send it to Lisa, since she usually comes here anyway. He logs on and enjoys the high speed.
That day Lisa got into the office late due to traffic. She sees the promo email from the café that Mark mentioned in the elevator, but she is more interested in a different email from Mark regarding a retirement planning tool offered by their pension fund. She checks out the website, downloads the tool, and does some quick modeling. Disappointed! Who wants to work until they are 82? She forwards the link to Julie.
Fast forward 18 months: Lisa gets promoted to DBA for their ecommerce site. Julie had convinced her to take the class last year. She calls up Julie, but Julie indicates that she would not be able to set her up with a DBA account until the SQL server was brought back online. We can guess that these events are related, but given the span of time and no real context, it would be very hard to make some very important connections.
Mike’s new high speed hotspot is the root of the infection. It is a technique that is proven to work, and can be accomplished easily with a commercial wireless router placed near or at the café. Offering better service in exchange for contact information allowed the hackers to spoof Mike with the email to Lisa about the retirement planning tool. At that point the infection spreads within the company based on a “trusted source” and the interest in the content. That tool was a customized agent that did some pretty simple things. It unpacked, then copied similar but different links to all attached shares. It checked to see what applications Lisa was using, and then posted the list to a form on another non-threatening site. Finally it used the Firefox browser to download a simple web page and then check a hidden comment field for additional instructions. Julie was the actual source of the attack, as she had decided to check out the link that was loaded into the directory that used to share reports with Julie. The agent figured out that Julie was a DBA because she had SQL net open on her machine. It then notified the hackers that she was a target with access to resources. They would have developed a special exploit that would slowly and quietly mine her database tables. When their techniques ultimately tripped the network security tools into throwing an alert based on anomalous behavior, they would have immediately cleaned up her machine and started their investigation. The problem with this is that there are still unknown attack vectors in play: the other file shares and, let’s not forget, Mike’s daily trips to the coffee shop. And sophisticated attackers are aware when a particular vector goes away, so the existing footprint will go quiet while they re-tool with different approaches. With APTs the challenge is to understand the full scope before hackers can react.
Network security technologies have been designed to accelerate the time to mitigate the attack. The rest of the cycle is typically accelerated through best practices, Emergency Response Programs, and audit tools. In the age of APTs it is critically important to be able to develop a comprehensive understanding and strategy to eliminate the attacker. Interestingly, there are experts in the industry that recommend in some circumstances “no action” until the full scope of the attack is understood, for fear of the implications of the counter-intelligence. Today we need technologies that can support and automate this full analysis process. Let’s look at the characteristics of a network security solution that addresses this need.
From Gartner report:
Standard first-generation IPS capabilities — It should support vulnerability-facing signatures and threat-facing signatures. An IPS engine that can perform detection and blocking at wire speeds, and rapidly develop and deploy signatures, is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall, based on IPS inspection.
Application awareness and full-stack visibility — It should identify applications and enforce network security policy at the application layer, independent of the port and protocol, rather than only ports, protocols and services. Examples include the ability to block families of attacks, based on identifying hostile applications.
Context awareness — It should bring information from sources outside the IPS to make improved blocking decisions, or to modify the blocking rule base. Examples include using directory integration to tie decisions to user identities, and using vulnerability, patching state and geolocation information (such as where the source is from or where it should be from) to make more effective blocking decisions. It could also include integrating reputation feeds, such as blacklists and whitelists of addresses.
Content awareness — It should be able to inspect and classify inbound executables, and other similar file types, such as PDF and Microsoft Office files (which have already passed through antivirus screening), as well as outbound communications. It should also make pass, quarantine or drop decisions in near real time.
Agile engine — It should support upgrade paths for the integration of new information feeds and new techniques to address future threats.
A typical use case that is far outside the reach of the common SIEM is simply answering the question of whether there has been communication with a bad actor. Ideally, at some point in time, McAfee has had the opportunity to discuss with you our Global Threat Intelligence Cloud. This is our collective understanding of all the bad and good in the world. When you want to do something as simple as saying, McAfee, I recognize that you are stopping the attack that was found today, but how do I know if I was ever interacting with a bad actor? With all the other network interactions, before you caught them, was I ever interacting with them? Answering that is a challenge for about every SIEM on the planet, for a couple of reasons. One, they do not have access to the data, and secondly, crawling through months or years of data to look for that is beyond their capability. That is what led us to build our solution; we built a highly scalable infrastructure that can take this information, this live threat feed, and respond in seconds. Let’s walk through the use case: Have I communicated with a bad actor in this given period? Taking a sample company over a time of two weeks, they have two hundred million events. This could be a billion events for a larger company. With two hundred million interactions to review, they pull down that threat feed, looking for any interaction that was not blocked. By the way, this is one click, not a series. Right away, they reduce the events down to eighteen hundred. Most SIEMs would declare this a victory. This is still an unmanageable number to investigate. Let’s query it yet again to understand which endpoints were actually breached, throwing away the logs and the noise, specifically to know which endpoints communicated with these bad actors. Now we are down to a couple of endpoints that did interact, and this is where context starts to pay off, because the next question to ask is what user accounts were interacting with this event?
Knowing the users is important, and once that is in place, we can drill down further to see what actually occurred. What was downloaded? What was discussed? What systems were accessed? What data was moved? Was an executable pushed? Then you can go yet further, and respond. You can call ePO to run a quarantine script, have it shut down the device, and copy the executable off. At that point, much can be done to actually take action and move from the theoretical value of SIEM to practical day-to-day security improvements. This may not seem like a lot, but it is revolutionary in our world. In the security space today, all protection is a go-forward model. No one has the time, or energy, to tell you if you have been breached. For a hacker, however, they can get access to you and then morph their communication after that access point; they are set up nicely for an APT. This helps in the APT defense tremendously. Next, we will look at the supporting architecture.
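The triage funnel described in these notes (and on slide 27), as an added example that is not part of the original deck or of McAfee's products: a Python sketch that runs the "have I talked to a bad actor?" query over a handful of constructed connection events and a constructed reputation feed, then narrows the result to unblocked contacts, endpoints, accounts and the per-endpoint detail an analyst needs before responding. The flat event schema and the IP-keyed feed are assumptions; the ePO quarantine step is left out because its interface is not on the page.

```python
from collections import defaultdict

# Constructed reputation feed standing in for a GTI-style IP reputation list.
# Addresses are from documentation ranges; verdicts are invented for the example.
REPUTATION_FEED = {
    "203.0.113.10": "malicious",
    "203.0.113.77": "malicious",
    "198.51.100.5": "clean",
}

# Constructed connection events in an assumed flat SIEM schema.
# "action" is what the inline control (IPS/firewall) did at the time.
EVENTS = [
    {"host": "ws-lisa", "user": "lisa", "dst": "198.51.100.5",
     "action": "allowed", "detail": "GET /retirement-tool.exe"},
    {"host": "ws-lisa", "user": "lisa", "dst": "203.0.113.10",
     "action": "allowed", "detail": "POST /form (application list)"},
    {"host": "ws-julie", "user": "julie", "dst": "203.0.113.10",
     "action": "allowed", "detail": "GET /page.html (hidden comment field)"},
    {"host": "ws-mark", "user": "mark", "dst": "203.0.113.77",
     "action": "blocked", "detail": "GET /c2"},
    {"host": "db-01", "user": "svc_sql", "dst": "203.0.113.77",
     "action": "allowed", "detail": "TCP/443 outbound, 48 MB"},
    {"host": "ws-julie", "user": "julie", "dst": "198.51.100.5",
     "action": "allowed", "detail": "GET /news"},
]


def triage(events, feed):
    """Run the funnel from the slide: all events -> unblocked contacts with
    bad actors -> endpoints -> accounts -> what actually happened."""
    bad_actors = {ip for ip, verdict in feed.items() if verdict == "malicious"}
    # Stage 1: keep only contacts with a bad actor that no control blocked.
    # Blocked attempts were already handled; unblocked ones are breach candidates.
    contacts = [e for e in events
                if e["dst"] in bad_actors and e["action"] != "blocked"]
    # Stage 2: which endpoints actually talked to them.
    endpoints = sorted({e["host"] for e in contacts})
    # Stage 3: which accounts were active on those endpoints.
    users = defaultdict(set)
    # Stage 4: the per-endpoint detail an analyst needs before responding.
    activity = defaultdict(list)
    for e in contacts:
        users[e["host"]].add(e["user"])
        activity[e["host"]].append(f'{e["user"]} -> {e["dst"]}: {e["detail"]}')
    return {
        "total_events": len(events),
        "unblocked_bad_contacts": len(contacts),
        "endpoints": endpoints,
        "users": {h: sorted(u) for h, u in users.items()},
        "activity": dict(activity),
    }


if __name__ == "__main__":
    result = triage(EVENTS, REPUTATION_FEED)
    for stage in ("total_events", "unblocked_bad_contacts", "endpoints", "users"):
        print(f"{stage}: {result[stage]}")
    for host, lines in result["activity"].items():
        print(host, *lines, sep="\n  ")
```

Note that the blocked contact from ws-mark drops out at stage 1: the funnel is after the interactions the controls let through, not the ones they already stopped.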
This architecture is really quite flexible. We roll all the way from a virtualized architecture, to an all-in-one architecture, to a true distributed architecture, allowing receivers to be distributed across the environment. Additionally, we offer flexibility in how we do application and database monitoring. We have solutions that just monitor, but also some that protect and apply vulnerability management and patching to that. We provide the functionality that delivers detailed reporting without affecting our primary box, so that you can look for things like anomaly detection or detailed reporting without affecting your ability to receive and process data. The proof is in the pudding.
Through integration with vulnerability management and McAfee ePO, we are able to correlate with
The objective of the security engineering team, the organization processes and tools is to reduce the overall effort. If our tools can identify the root attack then we have a chance of reducing the frequency of the waves. A reduction in frequency also improves predictability in delivering IT projects and infrastructure reliability. Speed in developing a mitigation strategy reduces the total scope, or height, of the wave. Finally, by reducing the time to comprehensive permanent protection we can reduce the width of the wave.