IPS

  1. McAfee's platform approach to protecting corporate assets. Andrei Novikau, Pre-Sale Engineer. McAfee Confidential—Internal Use Only
  2. Intel and McAfee Security (diagram labels): vPro, Network Security, Active Management Technology, Cloud Security, Advanced Encryption Standard, Security Management, Virtualization, Endpoint Security, One Time Password, Technology Ecosystem, Secure BIOS
  3. New requirements. "The growing number of targeted attacks and the ubiquitous use of cloud services call for a new stage in the evolution of network security systems." Gartner, Defining Next Generation Network Intrusion Prevention, 2011. October 16, 2012
  4. A cup of excellent coffee. Mark@buildgroup.net, Lisa@buildgroup.net
  5. Planning for the future. To: julie@buildgroup.net (100%) Download Complete!
  6. The big day. To: julie@buildgroup.net SQL SERVER DOWN
  7. History matters: Aurora, Night Dragon, Shady RAT… Root of attack (contact theft), quiet infiltration (find the target), target of attack (information theft)
  8. Cybercrime affects everyone. Information on 77,000,000 users fell into hackers' hands!
  9. Applying a half-measure…
  10. Fundamental changes: full analysis and automation. Instead of simply detect, block, identify: detect, find the root cause, block.
  11. Unknown vulnerability: the unoptimized solution. Notification & analysis; status determination; reaction; monitoring. (Diagram: vulnerable systems and protection status, managed, unmanaged and exposed systems, priority, existing countermeasures (AV, IPS, FW, logs), manual scans and analysis by the ops team, patch/updates, policy config, contact vendor, monitor, next risk steps.)
  12. Unknown vulnerability: the McAfee solution. Situational awareness produces recommendations for the ops team: policy config, contact vendor, patch, monitor.
  13. Requirements for NG-IPS: traditional IPS; application identification (full visibility); support for external context; deep content inspection.
  14. McAfee introduces NG IPS (architecture diagram labels): Global Threat Intelligence (IP, protocol, file, application); Centralized Security and Risk Management (compliance, risk, global policy definition, reporting, management); Network Security Platform (policy definition, network reporting, visibility and alerts); McAfee Labs; Next Generation Intrusion Prevention (advanced control, granular visibility, analysis, up to 80 Gbps inline inspection); Visibility Extensions (application awareness, network behavior analysis, system and user behavior); Analysis Extensions (virtual environments, vulnerability scans, DLP, advanced forensics, malware).
  15. Best in the industry: leader in Gartner reports since 2003; best vulnerability database 2005-2011; heuristic botnet analysis; DoS/DDoS detection.
  16. Requirements for botnet protection: botnets have become very cheap ($8 for an army of 1,000 bots!); millions of bots worldwide; smart botnets (such as Storm, Conficker, etc.) keep expanding through a variety of techniques; APTs are on the rise (Shady RAT, Stuxnet, Aurora, Duqu): custom bots are part of the APT toolkit, so unknown bots must be detected.
  17. Botnet protection in McAfee IPS: attack signatures for known botnets; a heuristic module for detecting new botnets. Botnet attacks share fundamental behaviors: presence of C&C, download of a .bin file, internal scanning, and so on. Botnet detection combines heuristic analysis with McAfee Global Threat Intelligence (GTI).
  18. Application control: identification of 1100+ applications (e.g. Yahoo IM vs. Yahoo Chat); an overview of each application by bandwidth, connections, attacks and risk.
  19. The need for visualization. Organizations want a complete picture from any security device on the network. IT wants to know which applications are used on the network; how, and by which services, bandwidth is consumed in the different network segments; and the risks associated with the services and applications in use. Displaying traffic by protocol gives a skewed picture (for example, classifying everything that looks like HTTP tells the customer nothing).
  20. Visualization in McAfee IPS.
  21. GTI knowledge is invaluable: a reputation feed; based on billions of queries; file, IP, URL, protocol, geolocation; combining GTI context with signatures for better accuracy; DoS/DDoS. (Diagram: GTI feeds the network IPS, firewall, web gateway, mail gateway, host AV, host IPS and third-party feeds.)
  22. GTI responds in real time: it influences access control (DDoS protection based on geolocation and IP reputation); it alerts on and prevents dangerous connections; it influences existing signatures (intelligent blocking with GTI).
  23. Centralized management and audit: continuous vulnerability assessment; integration of alerts with Host IPS; centralized risk assessment; reporting and compliance.
  24. Protecting virtual environments: Network IPS in front of the virtual machines.
  25. Ideal performance for the data center. The McAfee solution, scalability: throughput up to 80 Gbps; 10 GigE interfaces; high port density; modular architecture; built-in HA. Benefits: elimination of security bottlenecks; simplified infrastructure; a worry-free future. Challenges: resource consolidation requires high-speed networks; legacy infrastructure cannot cope with 10 GigE/40 GigE; virtualization requires an individual approach.
  26. Event analysis: McAfee partners.
  27. GTI together with SIEM. Sorting events: Did I communicate with bad actors? (200M records) -> Which connections were blocked? (18,000 alerts) -> Which specific servers/PCs/devices were attacked? (dozens of machines) -> Which accounts were compromised? (a few users) -> What happened to these accounts? (exact violations) -> RESPOND: How should I respond? (exact response)
  28. Performance and scalability. Unmatched speed: the highest-performing SIEM on the market; hundreds (and often thousands) of times faster than comparable competitor solutions; queries, correlation and analysis in seconds (not minutes or hours). Unmatched scalability: collection of all relevant information; analysis of months and years of data, including high-level content and context information; working with billions of records in the database.
  29. SIEM number 1.
  30. The McAfee platform: integrating products into a solution (the same architecture diagram as on slide 14).
  31. Don't torture yourself, fly!
  32. Advantages of the McAfee platform: a sharp reduction in the costs of finding and identifying risks; shortening the time to resolve security problems from weeks to a few hours; eliminating the root of attacks prevents recurring incidents.

Editor's Notes

  • “Threats are focusing on installing targeted malicious executables which use advanced techniques to avoid detection and use botnet delivery mechanisms to perform multistage attacks. Simply stopping attacks that are looking for unpatched servers is no longer sufficient in this environment.” – Gartner Report – ‘Defining Next Generation Network IPS’
  • Two years before the outbreak, Mark, a manufacturing line manager, was in the café across the street from the office enjoying a flat white (Australian coffee) each morning. He usually checks email on the somewhat slow free wifi, but today he sees a new hotspot called CafeHiSpeed and is anxious to give it a go. The captive portal simply asks for his email address and that he refer a friend to the café via email. He decides to send it to Lisa, since she usually comes here anyway. He logs on and enjoys the high speed.
  • That day Lisa got into the office late due to traffic. She sees the promo email from the café that Mark mentioned in the elevator, but she is more interested in a different email from Mark regarding a retirement planning tool offered by their pension fund. She checks out the website, downloads the tool, and does some quick modeling. Disappointed! Who wants to work until they are 82? She forwards the link to Julie.
  • Fast forward 18 months: Lisa gets promoted to DBA for their ecommerce site. Julie had convinced her to take the class last year. She calls up Julie, but Julie indicates that she would not be able to set her up with a DBA account until the SQL server was brought back online. We can guess that these events are related, but given the span of time and no real context, it would be very hard to make some very important connections.
  • Mike's new high speed hotspot is the root of infection. It is a technique that is proven to work, and can be accomplished easily with a commercial wireless router placed near or at the café. Offering better service in exchange for contact information allowed the hackers to spoof Mike in the email to Lisa about the retirement planning tool. At that point the infection spreads within the company based on a "trusted source" and interest in the content. That tool was a customized agent that did some pretty simple things: it unpacked itself, then copied similar but different links to all attached shares; it checked which applications Lisa was using and posted the list to a form on another non-threatening site; finally it used the Firefox browser to download a simple web page and check a hidden comment field for additional instructions. Julie was the actual source of the attack, as she had decided to check out the link that was loaded into the directory used to share reports with her. The agent figured out that Julie was a DBA because she had SQL*Net open on her machine. It then notified the hackers that she was a target with access to resources. They would have developed a special exploit that would slowly and quietly mine her database tables. When their techniques ultimately tripped the network security tools into throwing an alert based on anomalous behavior, the attackers would have immediately cleaned up her machine while the victim started its investigation. The problem with this is that there are still unknown attack vectors in play: the other file shares, and let's not forget Mike's daily trips to the coffee shop. Sophisticated attackers are aware when a particular vector goes away, so the existing footprint will go quiet while they re-tool with different approaches. With APTs the challenge is to understand the full scope before the hackers can react.
  • Network security technologies have been designed to accelerate the time to mitigate the attack. The rest of the cycle is typically accelerated through best practices, emergency response programs and audit tools. In the age of APTs it is critically important to be able to develop a comprehensive understanding and strategy to eliminate the attacker. Interestingly, there are experts in the industry who recommend in some circumstances "no action" until the full scope of the attack is understood, for fear of the counter-intelligence implications. Today we need technologies that can support and automate this full analysis process. Let's look at the characteristics of a network security solution that addresses this need.
  • From the Gartner report:
    – Standard first-generation IPS capabilities — It should support vulnerability-facing signatures and threat-facing signatures. An IPS engine that can perform detection and blocking at wire speeds, and rapidly develop and deploy signatures, is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall, based on IPS inspection.
    – Application awareness and full-stack visibility — It should identify applications and enforce network security policy at the application layer, independent of the port and protocol, rather than only ports, protocols and services. Examples include the ability to block families of attacks, based on identifying hostile applications.
    – Context awareness — It should bring information from sources outside the IPS to make improved blocking decisions, or to modify the blocking rule base. Examples include using directory integration to tie decisions to user identities, and using vulnerability, patching state and geolocation information (such as where the source is from or where it should be from) to make more effective blocking decisions. It could also include integrating reputation feeds, such as blacklists and whitelists of addresses.
    – Content awareness — It should be able to inspect and classify inbound executables, and other similar file types, such as PDF and Microsoft Office files (which have already passed through antivirus screening), as well as outbound communications. It should also make pass, quarantine or drop decisions in near real time.
    – Agile engine — It should support upgrade paths for the integration of new information feeds and new techniques to address future threats.
  • A typical use case that is far outside the reach of the common SIEM is simply answering the question: has there been communication with a bad actor? Ideally, at some point in time, McAfee has had the opportunity to discuss our Global Threat Intelligence cloud with you. This is our collective understanding of all the bad and good in the world. When you want to do something as simple as saying, "McAfee, I recognize that you are stopping the attack that was found today, but how do I know if I was ever interacting with a bad actor? With all the other network interactions, before you caught them, was I ever interacting with them?", answering that is a challenge for about every SIEM on the planet, for a couple of reasons. One, they do not have access to the data, and secondly, crawling through months or years of data to look for that is beyond their capability. That is what led us to build our solution: a highly scalable infrastructure that can take this information, this live threat feed, and respond in seconds. Let's walk through the use case: have I communicated with a bad actor in this given period? Taking a sample company over a period of two weeks, they have two hundred million events. This could be a billion events for a larger company. With two hundred million interactions to review, they pull down the threat feed, looking for any interaction that was not blocked. By the way, this is one click, not a series. Right away, they reduce the events down to eighteen hundred. Most SIEMs would declare this a victory, but this is still an unmanageable number to investigate. Let's query it yet again to understand which endpoints were actually breached, throwing away the logs and the noise, specifically to know which endpoints communicated with these bad actors. Now we are down to a couple of endpoints that did interact, and this is where context starts to pay off, because the next question to ask is: what user accounts were interacting with this event?
    Knowing the users is important, and once that is in place, we can drill down further to see what actually occurred. What was downloaded? What was discussed? What systems were accessed? What data was moved? Was an executable pushed? Then you can go yet further, and respond. You can call ePO to run a quarantine script, have it shut down the device, and copy the executable off. At that point, much can be done to actually take action and move from the theoretical value of SIEM to practical day-to-day security improvements. This may not seem like a lot, but it is revolutionary in our world. In the security space today, all protection is a go-forward model. No one has the time, or energy, to tell you if you have been breached. A hacker, however, can get access to you and then morph their communication after that access point; they are set up nicely for an APT. This helps in APT defense tremendously. Next, we will look at the supporting architecture.
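The triage funnel described in this note (all events, then unblocked contacts with known-bad hosts, then the endpoints and user accounts behind them, then a timeline to act on) as an added example; this is illustrative code, not McAfee's SIEM or GTI, and both the reputation feed and the event records are constructed sample data.

```python
"""Triage funnel from the 'did I talk to a bad actor?' use case."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str        # timestamp of the connection record
    src_host: str  # internal endpoint that initiated the connection
    user: str      # account logged on at that endpoint
    dst_ip: str    # remote address contacted
    action: str    # "allow" or "block", as recorded by the sensor
    detail: str    # free-text summary of what the connection did


# Constructed stand-in for a reputation feed (documentation-range addresses).
BAD_ACTORS = {"203.0.113.7", "198.51.100.23"}

# Constructed sample records; a real run would iterate over hundreds of millions.
EVENTS = [
    Event("2012-10-01T09:02", "ws-mark", "mark", "192.0.2.10", "allow", "GET /news"),
    Event("2012-10-01T09:05", "ws-lisa", "lisa", "203.0.113.7", "allow", "GET /retire.bin"),
    Event("2012-10-01T09:06", "ws-lisa", "lisa", "203.0.113.7", "block", "GET /cmd"),
    Event("2012-10-02T11:40", "db-prod", "julie", "198.51.100.23", "allow", "POST /beacon"),
    Event("2012-10-02T11:41", "db-prod", "svc-sql", "198.51.100.23", "allow", "SQL export"),
    Event("2012-10-03T08:00", "ws-mark", "mark", "198.51.100.23", "block", "GET /cmd"),
]


def unblocked_bad_contacts(events, feed):
    """Step 1: interactions with feed hosts that the sensor did NOT block.
    Blocked ones are already handled; the unblocked ones are the exposure."""
    return [e for e in events if e.dst_ip in feed and e.action != "block"]


def endpoints_involved(hits):
    """Step 2: which endpoints reached a bad actor, and which actors each reached."""
    by_host = defaultdict(set)
    for e in hits:
        by_host[e.src_host].add(e.dst_ip)
    return dict(by_host)


def users_involved(hits):
    """Step 3: which accounts were active during those interactions."""
    by_user = defaultdict(list)
    for e in hits:
        by_user[e.user].append(e)
    return dict(by_user)


def triage(events, feed):
    """Run the whole funnel and return the material needed to respond."""
    hits = unblocked_bad_contacts(events, feed)
    return {
        "total_events": len(events),
        "unblocked_bad": len(hits),
        "endpoints": endpoints_involved(hits),
        "users": sorted(users_involved(hits)),
        "timeline": [(e.ts, e.src_host, e.user, e.detail) for e in hits],
    }


if __name__ == "__main__":
    r = triage(EVENTS, BAD_ACTORS)
    print(f"{r['total_events']} events -> {r['unblocked_bad']} unblocked bad-actor contacts")
    for host, actors in r["endpoints"].items():
        print(f"  endpoint {host} reached {sorted(actors)}")
    print("  accounts involved:", r["users"])
    for row in r["timeline"]:
        print("  ", *row)
```

The per-user timeline is what answers "what was downloaded, what data was moved" before any quarantine action is taken.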
  • This architecture is really quite flexible. We roll all the way from a virtualized architecture and an all-in-one architecture to a true distributed architecture, allowing receivers to be distributed across the environment. Additionally, we offer flexibility in how we do application and database monitoring. We have solutions that just monitor, but also some that protect and apply vulnerability management and patching to that. We provide detailed reporting without affecting our primary box, so that you can look for things like anomaly detection or detailed reporting without affecting your ability to receive and process data. The proof is in the pudding.
  • Through integration with vulnerability management and McAfee ePO, we are able to correlate with
  • The objective of the security engineering team, the organization's processes and its tools is to reduce the overall effort. If our tools can identify the root attack, then we have a chance of reducing the frequency of the waves. Reduction in frequency also improves predictability in delivering IT projects and infrastructure reliability. Speed in developing a mitigation strategy reduces the total scope, or height, of the wave. Finally, by reducing the time to comprehensive permanent protection we can reduce the width of the wave.
