Security Road Show - Toronto

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
} 9:00am – 9:15am Welcome
} 9:15am – 9:45am Palo Alto Networks – You can’t control what you can’t see!
} 9:45am – 10:15am F5 – Protect your web applications
} 10:15am – 10:30am Break
} 10:30am – 11:00am Splunk – Big data, next generation SIEM
} 11:00am – 11:30am Infoblox – Are you fully prepared to withstand DNS attacks?
} 11:30am – 12:00pm Closing remarks, Q&A
} 12:00pm – 12:30pm Boxed Lunches

} Today’s Speakers
– Gary Coldwell – Palo Alto Networks
– Peter Scheffler – F5
– Gilberto Castillo – Splunk
– Ben Shelston – Infoblox

Founded in 2004
$125M in CY13 revenues
Nationwide presence: Toronto | Vancouver | Ottawa | Calgary | London
120 employees nationwide
25% growth YoY
Greater than 1:1 technical:sales ratio
Background in architecting mission-critical data centre infrastructure

} The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools
} Delivering infrastructure services which support core applications

WHY SCALAR?

Experience | Innovation | Execution

} Top technical talent in Canada
– Engineers average 15 years’ experience
} We train the trainers
– Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox
} Our partners recognize we’re the best
– Brocade Partner of the Year – Innovation
– Cisco Partner of the Year – Data Centre & Virtualization
– VMware Global Emerging Products Partner of the Year
– F5 Canadian Partner of the Year
– Palo Alto Networks Rookie of the Year
– NetApp Partner of the Year – Central

} Unique infrastructure solutions designed to meet your needs
– StudioCloud
– HPC & Trading Systems
} Testing Centre & Proving Grounds
– Ensuring emerging technologies are hardened, up to the task of Enterprise workloads
} Vendor Breadth
– Our coverage spans Enterprise leaders and Emerging technologies for niche workloads & developing markets

“Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”

“We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”

“Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multidisciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”
PALO ALTO NETWORKS

Protecting Against Modern Malware and the Evolution of Cyber Security
Garry Coldwells
Systems Engineer
March 2014
Palo Alto Networks at a glance
Corporate highlights
§ Palo Alto Networks is the Network Security Company
§ Safely enabling applications and preventing cyber threats
§ Founded in 2005; first customer shipment in 2007
§ Exceptional ability to support global customers
§ Experienced team of 1,300+ employees
§ Q1FY14: $128.2M revenue; 16,000 customers
[Chart: Revenues ($MM, FYE July) – FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396]
[Chart: Enterprise customers – Jul-11 4,700, Jul-12 9,000, Jul-13 13,500]

16 | ©2013, Palo Alto Networks. Confidential and Proprietary.

How Time Has Changed
[Slide image: 1995 vs. 2012]

Levelset
The basics
Threat | What it is | What it does
Exploit | Bad application input, usually in the form of network traffic. | Targets a vulnerability to hijack control of the target application or machine.
Malware | Malicious application or code. | Anything – downloads, hacks, explores, steals…
Command-and-control (C2) | Network traffic generated by malware. | Keeps the remote attacker in control and coordinates the attack.
Indicators of compromise (IoC) | Indications that your network has been compromised. | Allows security teams to find and confirm breaches.
Known vs. unknown threats
Known threats
• Malware or exploits that have been seen before
• Commonly available and recycled
• Easily stopped by traditional security
Unknown threats
• Malware or exploits that have never been seen before
• Unique, and often custom-crafted
• Easily bypass traditional security

New Threat Landscape
State of the Union

Interests and motivations have also changed
From bored “geeks” to nation states and organized crime
The new threat landscape
Commodity threats (very common, easily identified)
§ Mostly addressed by traditional AV and IPS
§ Low sophistication, slowly changing
Organized cybercrime (more customized exploits and malware)
§ Somewhat more sophisticated payloads
§ Evasion techniques often employed
§ Sandboxing and other smart detection often required
Machine vs. machine
Nation state – advanced threat (very targeted, persistent, creative)
§ Intelligent and continuous monitoring of passive network-based and host-based sensors
§ Comprehensive investigation after an indicator is found
§ Highly coordinated response is required for effective prevention and remediation
By the Numbers
Days – of malware data accumulation
Networks – covering 1,000+ live enterprise networks
Antivirus Vendors – tested against 6 fully-updated, industry-leading antivirus products
Unknown Malware (zero-day) – resulted in finding 26,000+ malware that had NO coverage at the time they were detected in the live enterprise network

Malware Delivery Vectors
90% – delivery via web-browsing/http
2% – delivery via eMail

Malware Vectors and Traditional Detection Times
[Chart: top 5 sources of unknown malware highlighted. FTP was a leading source and rarely detected.]
Regaining Control
§ Bring the right anti-malware technologies into the network
  § End-point antivirus is falling way short
  § Need to look way beyond eMail and Web
  § 82 applications that are designed explicitly to avoid security (circumventors)
  § 260 applications designed to tunnel within allowed protocols (encryption, tunneling)
§ Expect unknowns
  § Implement a mechanism to take a deeper look at the unknown
§ Real-time detection and blocking when possible
  § Automate the kill chain to prevent manual response
§ Enforce user and application controls
  § Minimize the attack surface by controlling who can transfer files, using which apps, in which direction and when
Automated network effect of sharing
§ Automatic detection in real time in private or public cloud
§ 10Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.)
§ Automatic generation of several defensive measures
§ Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection
§ Automatic installation of defensive measures provides full prevention immediately
§ Global intelligence and protection delivered to all users
§ You benefit from the threat intelligence of 2,500+ organizations across the industry
[Diagram: WildFire™ cloud and optional WildFire Appliance, fed by WildFire users, soak sites, sinkholes and 3rd party sources. Behaviours observed: command-and-control, staged malware downloads, host ID and data exfil. Outputs: anti-malware signatures, DNS intelligence, malware URL database, anti-C2 signatures – malware, DNS, URL, and C2 signatures automatically created based on WildFire intelligence and delivered to customers globally.]

Unique Identifiers
Samples – of malware with unique SHA256
Unique Identifiers – observed in multiple malware samples
Identifiable Samples – contained unique identifiers
Potential – to be blocked by unique identifier rather than hash/URI

Most Commonly Observed Malware Behaviours
Regaining Control
§ Implement technology with stream-based analysis of headers and payloads
  § Block polymorphic variants using identifiers rather than hash or URI
§ Establish a solid baseline of ‘normal’ behaviour
  § Knowing what is normal allows the abnormal to become very apparent
§ Investigate and remediate unknowns
  § Investigate unknowns and make it a goal to keep them below an acceptable threshold
§ Restrict access to unknown, newly registered and dynamic DNS domains
  § The internet is dynamic, so restrict executables from these, implement SSL decryption and block HTTP-POST
§ Control eMail traffic flow
  § Only allow email traffic in/out between mail gateway and destination and never allow email bypassing the corporate mail gateway

Malware Use of Non-Standard Ports by Application

Regaining Control
§ Restrict applications to their standard ports
  § Especially limit FTP to its well-known ports
Regaining Control over Modern Threats
New Requirements for Threat Prevention
1. Visibility into all traffic regardless of port, protocol, evasive tactic or SSL
2. Stop all types of known network threats (IPS, Anti-malware, URL, etc.) while maintaining multi-gigabit performance
3. Find and stop new and unknown threats even without a pre-existing signature

A Next-Generation Cybersecurity Strategy
Everything must go in the funnel → Reduce the attack surface → Block everything you can → Test and adapt to unknowns → Investigate and cleanup

The Bigger Picture

Imperatives to be secure
§ Evolving from incident response mindset to intelligence mindset
§ No intelligence exists without visibility
§ Applying the intelligence and resulting IOCs to the kill chain
§ Sharing what you know

Can’t understand what you don’t know
§ You don’t have intelligence if you don’t have visibility
§ Visibility required across the whole network
§ Ideally, you can see and understand applications, content, and users
§ Then make sense of what you see

Share what you know
§ In the cyber security battle, sharing is key
§ Three ways this is happening
1. External – industry initiatives
2. External – technology partnerships
3. Internal – your security technology should leverage the network

[Diagram: virtual firewall options – vSphere: virtual firewall as a guest VM (Gateway Edition; VM-100, VM-200, VM-300); NSX: virtual firewall as a hypervisor service (VM-1000-HV Edition, modeled from VM-300; automated deployment via Panorama)]
Regaining Control

A Next-Generation Cybersecurity Strategy (1) – Everything must go in the funnel
• Inspect all traffic
• 35% of all applications use SSL
• Non-standard ports and tunneled traffic
• Make NO assumptions

A Next-Generation Cybersecurity Strategy (2) – Reduce the attack surface
• High risk applications and features
• Block files from unknown domains
• Find and control custom traffic
• Implement POSITIVE Security

A Next-Generation Cybersecurity Strategy (3) – Block everything you can
• Exploits, malware, C2
• Variants and polymorphism
• DNS, URLs, malicious clusters
• Implement NEGATIVE Security

Strategy for Modern Threat Prevention – Test and adapt to unknowns
• Static and behavioral and anomaly analysis
• Automatically create and deliver protections
• Share globally
• Implement Zero-Day Security

A Next-Generation Cybersecurity Strategy (5) – Investigate and cleanup
• Feed the SIEM
• Share indicators of compromise
• Integrate with end-point security
• Evolve from Incident Response to Security Intelligence
F5

F5 Security for an application driven world

F5 Provides Complete Visibility and Control Across Applications and Users
[Diagram: Users ↔ Resources through DNS, Web and Access services on the Intelligent Services Platform (TMOS), with Dynamic Threat Defense: DDoS Protection, Protocol Security, Network Firewall]
Securing access to applications from anywhere
Protecting your applications regardless of where they live

© F5 Networks, Inc – CONFIDENTIAL
Security Trends and Challenges
[Chart: security incidents by month, May 2012 – Jun 2013, plotted by attack type (spear phishing, physical access, XSS) and by victim industry (bank, government, online services, news & media, telco, software, education, DNS provider, retail, utility, auto, consumer electronics, non-profit, industrial, gaming, airport, entertainment, health, food service, global delivery, unknown). Size of circle estimates relative impact of incident in terms of cost to business.]

More sophisticated attacks are multi-layer
Application
SSL
DNS
Network

The business impact of DDoS
Cost of corrective action
Reputation management
OWASP Top 3 Application Security Risks
1 – Injection
Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.

2 – Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity.

3 – Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.

Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
The F5 Approach
Full Proxy Security
[Diagram: full-proxy stack, client side and server side – Physical, Network, Session, Application, Web application]
L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
SSL inspection and SSL DDoS mitigation
HTTP proxy, HTTP DDoS and application security
Application health monitoring and performance anomaly detection

The F5 Application Delivery Firewall
Bringing deep application fluency to firewall security
One platform: Network firewall | Traffic management | Application security | Access control | DDoS mitigation | SSL inspection | DNS security
EAL2+
EAL4+ (in process)

Positive vs Negative
• Positive Security
  • Known good traffic
  • Permit only what is defined in the security policy (whitelisting)
  • Block everything else
• Negative
  • Known-bad traffic
  • Pattern matching for malicious content using regular expressions
• Policy enforcement is based on a Positive security logic
• Negative security logic is used to complement Positive logic
How Does It Work?
Security at application, protocol and network level
Request side: request made → security policy checked → enforcement
Response side: server response → security policy applied → content scrubbing, application cloaking → response delivered
Actions: Log, block, allow

“BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI, the headers

    GET /search.php?name=Acme’s&admin=1 HTTP/1.1
    Host: 172.29.44.44
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1)
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9
    Referer: http://172.29.44.44/search.php?q=data
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
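The seven-step check sequence above, run against the slide’s sample request, as an added Python example (not F5 code). The policy (allowed methods, file types, URLs, parameters and length limits) and the negative-security patterns are constructed assumptions; a real WAF policy is learned from the application’s traffic.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed positive-security policy for the slide's /search.php application
# (assumption; chosen so that the sample request exercises the checks).
POLICY = {
    "methods": {"GET", "POST"},
    "max_request_line": 2048,
    "max_header_value": 1024,
    "file_types": {"php", "html", "css", "js", ""},    # "" = no extension
    "urls": {"/search.php", "/index.php"},
    "params": {"/search.php": {"name": 32, "q": 64}},  # param -> max length
}

# Negative-security patterns layered on top of the positive policy (step 7).
SIGNATURES = [
    ("quote character", re.compile("['\"\u2019]")),
    ("SQL keyword", re.compile(r"\b(union|select|insert|drop)\b", re.I)),
    ("script tag", re.compile(r"<\s*script", re.I)),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Split a raw request into (request line, headers, malformed header lines)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln]
    if not lines:
        return "", {}, []
    headers, malformed = {}, []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip()] = value.strip()
        else:
            malformed.append(line)  # not "Name: value" -> RFC violation
    return lines[0], headers, malformed


def check_request(raw, policy=POLICY):
    """Run the seven checks in slide order; return sorted (step, detail) pairs."""
    request_line, headers, malformed = parse_request(raw)
    violations = []
    # 1. RFC compliance: request-line shape, allowed method, Host header.
    match = REQUEST_LINE.match(request_line)
    if not match:
        return [(1, "malformed request line")]  # nothing else is trustworthy
    method, target = match.groups()
    if method not in policy["methods"]:
        violations.append((1, "method not allowed: " + method))
    if "Host" not in headers:
        violations.append((1, "missing Host header"))
    violations += [(1, "malformed header: " + h) for h in malformed]
    # 2. Length limits on the request line and each header value.
    if len(request_line) > policy["max_request_line"]:
        violations.append((2, "request line too long"))
    for name, value in headers.items():
        if len(value) > policy["max_header_value"]:
            violations.append((2, "header too long: " + name))
    # 3. File type: the extension of the last path segment must be allowed.
    parts = urlsplit(target)
    last = parts.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    if ext not in policy["file_types"]:
        violations.append((3, "file type not allowed: " + ext))
    # 4. URL allowlist.
    if parts.path not in policy["urls"]:
        violations.append((4, "URL not in policy: " + parts.path))
    # 5. Parameter allowlist and 6. per-parameter maximum value length.
    allowed = policy["params"].get(parts.path, {})
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:
            violations.append((5, "parameter not in policy: " + name))
        elif len(value) > allowed[name]:
            violations.append((6, "value too long for parameter: " + name))
    # 7. Signature scan of every parameter value, the URI and header values.
    scan = [("param " + n, v) for n, v in params] + [("uri", parts.path)]
    scan += [("header " + n, v) for n, v in headers.items()]
    for where, text in scan:
        for label, pattern in SIGNATURES:
            if pattern.search(text):
                violations.append((7, f"{label} in {where}"))
    return sorted(violations)


# The request shown on the slide (CRLFs restored), used as test input.
SLIDE_REQUEST = (
    "GET /search.php?name=Acme\u2019s&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for step, detail in check_request(SLIDE_REQUEST):
        print(f"step {step}: {detail}")
```

For the slide’s request the positive policy flags the undefined `admin` parameter at step 5 and the negative scan flags the quote in `name` at step 7; a request that matches the policy returns no violations.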
Automatic HTTP/S DOS Attack Detection and Protection
• Accurate detection technique—based on latency
• Three different mitigation techniques escalated serially
• Focus on higher value productivity while automatic controls intervene
Detect a DOS condition → Identify potential attackers → Drop only the attackers

To Simplify: Application-Oriented Policies and Reports

IP INTELLIGENCE
[Diagram: IP intelligence service (IP address feed updates every 5 min, geolocation database) in front of a custom application and a financial application, classifying sources as botnet, restricted region or country, attacker, anonymous requests, anonymous proxies, scanner, internally infected devices and servers]
Built for intelligence, speed and scale
Users ↔ Resources
Concurrent user sessions: 100K
Concurrent logins: 1,500/sec.
Throughput: 640 Gbps
Concurrent connections: 288 M
DNS query response: 10 M/sec
SSL TPS (2K keys): 240K/sec
Connections per second: 8M
Application Delivery Firewall
Network firewall | Traffic management | Application security | Access control | DDoS mitigation | SSL inspection | DNS security

Products
Advanced Firewall Manager
• Stateful full-proxy firewall
• Flexible logging and reporting
• Network and Session anti-DDoS
• IP protection
Local Traffic Manager
• #1 application delivery controller
• Application fluency
• Native TCP, SSL and HTTP proxies
• App-specific health monitoring
Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication infrastructure
• Endpoint security, secure remote access
Global Traffic Manager & DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto
iRules extensibility everywhere

Explore
The F5 DDoS Protection Reference Architecture
f5.com/architectures
Summary
• Customers invest in network security, but most significant threats are at the application layer
• Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data
• A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges
• F5 Application Delivery Firewall brings together the traditional network firewall with application-centric security, and can understand the context of users, devices and access

BREAK

SPLUNK
Copyright © 2014 Splunk Inc.
Splunk for Security Intelligence

Splunk Overview
Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Regional HQ: London, Hong Kong
• Over 1000 employees, based in 12 countries
• 2012 Revenue: $199M (YoY +60%)
Business Model / Products
• Free download to massive scale
• Splunk Enterprise, Splunk Cloud
• Hunk: Splunk Analytics for Hadoop
• 6,400+ Customers
• Customers in over 90 countries
• 60 of the Fortune 100
• Largest license: Over 100 Terabytes per day

Make machine data accessible, usable and valuable to everyone.
The Accelerating Pace of Data
Volume | Velocity | Variety | Variability
Machine data is the fastest growing, most complex, most valuable area of big data
Sources: GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops
The Splunk Security Intelligence Platform
Security Use Cases: Forensic Investigation | Security Operations | Compliance | Fraud Detection
Machine Data: Online Services, Web Services, Security, Servers, GPS Location, Networks, Packaged Applications, Desktops, Storage, Messaging, Telecoms, Custom Applications, RFID, Energy Meters, Online Shopping Cart, Databases, Web Clickstreams, Call Detail Records, Smartphones and Devices
HA Indexes and Storage on Commodity Servers

Rapid Ascent in the Gartner SIEM Magic Quadrant
2011 → 2012 → 2013
Industry Accolades
Best SIEM Solution
Best Enterprise Security Solution
Best Security Product

Over 2800 Global Security Customers
Splunk Security Intelligence Platform
120+ security apps
Splunk App for Enterprise Security
Partner Ecosystem: Palo Alto Networks, Cisco Security Suite, OSSEC, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat ProxySG, Sourcefire

What is the Value Add to Existing Customers?
Visibility and Correlation of Rich Data
Improved Security Posture
Configurable Dashboard Views

All Data is Security Relevant = Big Data
Traditional SIEM: Firewall, Authentication, Vulnerability Scans, Anti-Malware, Intrusion Detection, Data Loss Prevention
Also security relevant: Databases, Email, Web, Desktops, Servers, DHCP/DNS, Network Flows, Custom Apps, Hypervisor, Badges, Storage, Mobile, Service Desk, Industrial Control, Call Records
Making Sound Security Decisions
Binary Data (flow and PCAP) + Log Data + Threat Intelligence Feeds + Context Data → Security Decisions
Volume | Velocity | Variety | Variability
Case #1 – Incident Investigation/Forensics
• May be a “cold case” investigation requiring machine data going back months
• Often initiated by alert in another product
• Need all the original data in one place and a fast way to search it to answer:
– What happened and was it a false positive?
– How did the threat get in, where have they gone, and did they steal any data?
– Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed
[Diagram: January–April timeline linking Suspect A, Suspect B, Suspect C, Accomplice A and Accomplice B through raw log fragments (syslog, DHCPACK, database warnings)]
Case #2 – Real-time Monitoring of Known Threats
Example Correlation – Data Loss
Sources:

Windows Authentication (Default Admin Account; Source IP):
    20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts

Endpoint Security (Malware Found; Source IP):
    Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20

Intrusion Detection (Data Loss; Source IP):
    Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:

Time Range: all three occurring within a 24-hour period
Case #3 – Real-time Monitoring of Unknown Threats – Spearphishing
Example Correlation
Sources:

Email Server (User Name; rarely seen email domain):
    2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z

Web Proxy (User Name; rarely visited web site):
    2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

Endpoint Logs (User Name; rarely seen service):
    08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. "pid=1300 process_image="John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""

Time Range: all three occurring within a 24-hour period

96
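The two correlations above (Case #2 keyed on source IP, Case #3 keyed on user name) implemented once, as an added Python example that is not Splunk code. The events are constructed to mirror the three sources of each case and carry the already-extracted entity value; the "rarely seen" judgment of Case #3 is assumed to have been made upstream, and the sample deliberately includes entities that must not correlate (two of three sources, or three sources spread over more than 24 hours).

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)

# Required source types per correlation. The entity each case keys on differs
# (source IP for Case #2, user name for Case #3), so events carry the value.
CASES = {
    "data_loss": {"windows_auth", "endpoint_av", "ids"},
    "spearphishing": {"email", "web_proxy", "endpoint"},
}

# Constructed events (source, timestamp, entity, summary) modelled on the
# slides' three sources per case; rarity is assumed to be flagged upstream.
EVENTS = [
    # Case #2: all three sources from 10.11.36.20 within 24h -> fires
    ("windows_auth", "2013-08-08 04:12:21", "10.11.36.20", "Administrator account used"),
    ("endpoint_av", "2013-08-08 06:17:24", "10.11.36.20", "Hackertool.rootkit quarantined"),
    ("ids", "2013-08-08 08:26:54", "10.11.36.20", "credit card number in clear text"),
    # Only two of the three sources for 10.11.36.77 -> must not fire
    ("windows_auth", "2013-08-08 05:00:00", "10.11.36.77", "Administrator account used"),
    ("ids", "2013-08-08 07:00:00", "10.11.36.77", "credit card number in clear text"),
    # Case #3: johndoe's mail, proxy hit and new service within 4h -> fires
    ("email", "2013-08-09 12:40:25", "johndoe", "mail from rarely seen domain"),
    ("web_proxy", "2013-08-09 16:21:38", "johndoe", "GET to rarely visited site"),
    ("endpoint", "2013-08-09 16:23:51", "johndoe", "rarely seen service created"),
    # janedoe has all three sources but spread over 30h -> must not fire
    ("email", "2013-08-08 10:00:00", "janedoe", "mail from rarely seen domain"),
    ("web_proxy", "2013-08-09 12:00:00", "janedoe", "GET to rarely visited site"),
    ("endpoint", "2013-08-09 16:30:00", "janedoe", "rarely seen service created"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(events, required, window=WINDOW):
    """Return {entity: (first, last, sources)} for every entity whose events
    cover all required source types inside one rolling window."""
    by_entity = defaultdict(list)
    for source, ts, entity, _summary in events:
        if source in required:
            by_entity[entity].append((parse_ts(ts), source))
    hits = {}
    for entity, evs in by_entity.items():
        evs.sort()
        # Slide the window start across the entity's events in time order.
        for i, (start, _) in enumerate(evs):
            seen = {}
            for ts, source in evs[i:]:
                if ts - start > window:
                    break
                seen.setdefault(source, ts)  # first time each source appears
            if required.issubset(seen):
                last = max(seen.values())
                hits[entity] = (start.isoformat(sep=" "),
                                last.isoformat(sep=" "),
                                tuple(sorted(seen)))
                break  # report the earliest window that closes the correlation
    return hits


def run_all_cases(events=EVENTS):
    """Evaluate every correlation in CASES over the same event stream."""
    return {case: correlate(events, required) for case, required in CASES.items()}


if __name__ == "__main__":
    for case, hits in run_all_cases().items():
        for entity, (first, last, sources) in hits.items():
            print(f"{case}: {entity} {first} .. {last} via {', '.join(sources)}")
```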
  
$500k	
  Security	
  ROI	
  @	
  Interac	
  
• 

Challenges:	
  Manual,	
  costly	
  processes	
  

–  Significant	
  	
  people	
  and	
  days/weeks	
  required	
  for	
  incident	
  inves8ga8ons.	
  $10k+	
  per	
  week.	
  
–  No	
  single	
  repository	
  or	
  UI.	
  Used	
  mul8ple	
  UIs,	
  grep’d	
  log	
  files,	
  reported	
  in	
  Excel	
  
–  Tradi8onal	
  SIEMs	
  evaluated	
  were	
  too	
  bloated,	
  too	
  much	
  dev	
  8me,	
  too	
  expensive	
  

Enter	
  Splunk:	
  Fast	
  inves8ga8ons	
  and	
  stronger	
  security	
  

– 
– 
– 
– 

Feed	
  15+	
  data	
  sources	
  into	
  Splunk	
  for	
  incident	
  inves8ga8ons,	
  reports,	
  real-­‐8me	
  alerts	
  
Splunk	
  reduced	
  inves8ga8on	
  8me	
  to	
  hours.	
  Reports	
  can	
  be	
  created	
  in	
  minutes.	
  
Real-­‐8me	
  correla8ons	
  and	
  aler8ng	
  enables	
  fast	
  response	
  to	
  known	
  and	
  unknown	
  threats	
  
ROI	
  quan8fied	
  at	
  $500k	
  a	
  year.	
  Splunk	
  TCO	
  is	
  less	
  than	
  10%	
  of	
  this.	
  

“	
  

“	
  

• 

Splunk	
  is	
  a	
  product	
  that	
  provides	
  a	
  looking	
  glass	
  into	
  our	
  environment	
  for	
  things	
  
we	
  previously	
  couldn’t	
  see	
  or	
  would	
  otherwise	
  have	
  taken	
  days	
  to	
  see.	
  	
  
	
  
Josh	
  Diakun,	
  Security	
  Specialist,	
  Informa8on	
  Security	
  Opera8ons	
  

97
Replacing a SIEM @ Cisco

•  Challenges: SIEM could not meet security needs
–  Very difficult to index non-security or custom app log data
–  Serious scale and speed issues. 10GB/day and searches took > 6 minutes
–  Difficult to customize with reliance on pre-built rules which generated false positives

•  Enter Splunk: Flexible SIEM and empowered team
–  Easy to index any type of machine data from any source
–  Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
–  All the data + flexible searches and reporting = empowered team
–  900 GB/day and searches take < a minute. 7 global data centers with 350TB stored data
–  Estimate Splunk is 25% the cost of a traditional SIEM

“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.”
Gavin Reid, Leader, Cisco Computer Security Incident Response Team

98
Security and Compliance @ Barclays

•  Challenges: Unable to meet demands of auditors
–  Scale issues, hard to get data in, and impossible to get data out beyond summaries
–  Not optimized for unplanned questions or historical searches
–  Struggled to comply with global internal and external mandates, and to detect APTs
–  Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting

•  Enter Splunk: Stronger security and compliance posture
–  Fines avoided as searches easily turned into visualizations for compliance reporting
–  Faster investigations, threat alerting, better risk measurement, enrichment of old data
–  Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
–  Other teams using Splunk for non-security use cases improves ROI

“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.”
Stephen Gailey, Head of Security Services

99
Splunk Key Differentiators
(comparison graphic: Splunk vs. Traditional SIEM)

•  Single product, UI, data store
•  Software-only; install on commodity hardware
•  Quick deployment + ease-of-use = fast time-to-value
•  Can easily index any data type
•  All original/raw data indexed and searchable
•  Big data architecture enables scale and speed
•  Flexible search and reporting enables better/faster threat investigations and detection, incl finding outliers/anomalies
•  Open platform with API, SDKs, Apps
•  Use cases beyond security/compliance

100
For your own AHA! Moment

Reach out to your Scalar and Splunk team for a demo

Thank you!
INFOBLOX

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
DNS as a Threat & Threats to DNS
Benoit Shelston, Senior Systems Engineer
103 | © 2013 Infoblox Inc. All Rights Reserved.
Agenda

Infoblox Overview
DNS Threats
Why is DNS a target?
What types of attacks?

Infoblox Advanced DNS Protection

104
Infoblox Overview
Founded in 1999
Headquartered in Santa Clara, CA
with global operations in 25 countries
Leader in DNS, DHCP, and IP
Address Management
Market leadership
•  Gartner “Strong Positive” rating
•  40%+ Market Share (DDI)

7,000+ customers, 64,000+
systems shipped
35 patents, 29 pending
IPO April 2012: NYSE BLOX
105
Diverse Customer Base in All Key Verticals
(chart: exposure to the industry top 10 leaders by vertical: Healthcare, Retail, Financial Services, Manufacturing, Telecom, Technology, Government, Other; plus recent new customers)
106
Why is DNS an Ideal Target?
•  DNS is a bootstrap to networks and applications
•  DNS is easy to exploit
•  DNS can be both the threat, and the target
•  No one is looking

DNS downtime means business downtime
107
DNS Attacks up 216%
~ 10% of infrastructure attacks targeted DNS
(chart: infrastructure-layer DDoS attacks by type: ACK 2.81%, ICMP 9.71%, RESET 1.4%, CHARGEN 6.39%, RP 0.26%, FIN PUSH 1.28%, DNS 9.58%, SYN 14.56%, SYN PUSH 0.38%, TCP FRAGMENT 0.13%, UDP FRAGMENT 17.11%, UDP FLOODS 13.15%)
Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013

~ 80% of organizations experienced application layer attacks on DNS
(chart: percentage of survey respondents seeing application-layer attacks, by service: HTTP 82%, DNS 77%, HTTPS 54%, SMTP 25%, SIP/VOIP 20%, IRC 6%, Other 9%)
Source: Arbor Networks
108
DNS Threats Landscape
•  Three types of DNS attacks
̶  Attack as Infrastructure: Attacks primarily focused on
disruption of DNS services (and everything else with it)
̶  Protocol Exploitation: Attacks that use DNS as a
vector for business exploitation
̶  Platform Hacks: Exploit the underlying DNS platform to
take control of DNS (for defacement, or redirection)

109
DNS Infrastructure Attacks Example
•  Traditional DOS
•  Distributed DOS
•  Amplification
•  Reflection
•  …and the dreaded combination: Distributed Reflection DOS (DrDOS)
(diagram: Command & Control, DNS Server)

110
Most DDoS Attacks Use Name Servers
•  Why?
̶  Because name servers make surprisingly good amplifiers

This one goes to eleven…

111
DDoS Illustrated
(diagram: an evil resolver sends a spoofed query to open recursive name servers; the response goes to the spoofed address, which is the target)
112
Amplification: They Go Past Eleven…

$ dig @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec
; <<>> DiG 9.9.1-P1 <<>> @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34036
;; flags: qr aa; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 15

Query for isc.org/ANY	

36 bytes sent, 4077 bytes
received	

~113x amplification!	


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.

IN

ANY

;; ANSWER SECTION:
isc.org.
7200
IN
SOA
ns-int.isc.org. hostmaster.isc.org. 2013090300 7200 3600 24796800 3600
isc.org.
7200
IN
RRSIG
SOA 5 2 7200 20131002233248 20130902233248 50012 isc.org.
hUfqnG5gKbygAeVRHjP5As31lsheMKNPD7g9MJlWZTrmD2de6Z/eCwUX kQxRT5TV0lFWjtGFuA0a4svbCZ1qHS9d/rhWc7IMziu2u+L9tbho+c4j szvGAJ9kYvalNbgpmkHdm+wmOHWmiY3cYKcl5Ps8gs5N0Q1JdkaCARPF
HQs=
isc.org.
7200
IN
NS
sfba.sns-pb.isc.org.
isc.org.
7200
IN
NS
ns.isc.afilias-nst.info.
isc.org.
7200
IN
NS
ams.sns-pb.isc.org.
isc.org.
7200
IN
NS
ord.sns-pb.isc.org.
isc.org.
7200
IN
RRSIG
NS 5 2 7200 20131002233248 20130902233248 50012 isc.org. Fdfb5ND2XUlnk/nPcPOaNBCK6307LdrhC/
dqdS+TMtBjKMmXU2NJBl0h D8fOnOdKbzlwNk1JLPXq25znMNBw+ZdjMekctR2r2jTO2Xm9mT+su4ff 8r1pMcUGhpsq73V6NjIbgA3LT6zfv4gWyFdos60Ma/Bsq26SmpECQFNA RpI=
isc.org.
60
IN
A
149.20.64.69
isc.org.
60
IN
RRSIG
A 5 2 60 20131002233248 20130902233248 50012 isc.org.
CkSV2VzLktJGH2PXEJl1QssxeyyUYM5pALjb06NMW0BC5vcFyuQYng2l NE/Z0J1XIHflWwGo9Gv1YZ0u/K6rGPXwgWmkl/6t0T8uNtk9u3XDhaMx QBg2P2ZAp1NEg6r3ccznGu9y+Q71g/IxcK+5Ok7gI8L18hBTi+vpCAKY q6A=
isc.org.
7200
IN
MX
10 mx.pao1.isc.org.
isc.org.
7200
IN
RRSIG
MX 5 2 7200 20131002233248 20130902233248 50012 isc.org. fiALi/ebGauXvqfL4vHt5YzgIY/
X0kh2WNE37wICVU6BYKkqDuWF2h5T 4ry2TmdcKj4pqVOJVSDF/A7zzRPkcpcwibTM8h5yDEMJzELAsSimj2mX BFsqTgFGtDXIGV9IU7qryFkVMrDlj9gcLkTlg1EZpyxwQH2y2XCT5BhA bQA=
isc.org.
7200
IN
TXT
"v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org.
7200
IN
TXT
"$Id: isc.org,v 1.1845 2013-08-16 16:16:50 dmahoney Exp $"
isc.org.
7200
IN
RRSIG
TXT 5 2 7200 20131002233248 20130902233248 50012 isc.org. J0UV7iIvQn7Pzu/itUN1JH4hLg8bjQo/73kBef/
T/yzx/P8t6VX+MYDC ysyXNigSi1JPoWfYt7qu6eXcALQEwJ/Z156Rebefjls4R18wr+BttzWF ICb+zJ7K7o4meckc7ZQr12gIAXjij09dr9omYoObWo6/IH76S6N3Er4i xdg=
isc.org.
60
IN
AAAA
2001:4f8:0:2::69
isc.org.
60
IN
RRSIG
AAAA 5 2 60 20131002233248 20130902233248 50012 isc.org.
OBWafw6hmgueTvaL06Q3zzpKODW3OIWKxHr3Z30mag1vJW5ECwlkK3xI lPr4A1Rg6SZiJp78yewBWkDB0436cY1uCJ0yzsk9YWlLW/5hScy1ueaH s2tfymZD7UdOh0FuLs05gunsxK2Of3DCG3Zh3cD4FMnu8ju1CuLD2+dU
W1U=
isc.org.
7200
IN
NAPTR
20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
isc.org.
7200
IN
RRSIG
NAPTR 5 2 7200 20131002233248 20130902233248 50012 isc.org.
s9cuc6O0e2kgBNffd6dyJyJH1Zm5Wd0pRO1q5aKMc7UsiKFUI7MI7Q8N VzTqwM/zWh2VzvtV/w1O3IHuSiXBN9k51Loy4WGHJSDcXs865PWjHJwJ jRqfz1bE+LsW/aZD2Ud/iGyhCoQPeZIOcqB6plB+keIf3mGR0bHkdjV+ Zw4=
isc.org.
3600
IN
NSEC
_adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
isc.org.
3600
IN
RRSIG
NSEC 5 2 3600 20131002233248 20130902233248 50012 isc.org. K3/
RL0nn54FkFvcPnaecG26JjQVCZL1g41zB02YssxZnE/3lX9X4O8uk DrONRdvKEeMq51YUy8NBljWAlPOIRYD0lWUMrXuSNHMyGIFwHFIZqNrN CuQUl+24oPQXi3/wWX0TGH5XW9XF2IB+Dc1zdP/5qRHiKCjAnYDNE384 PAQ=
isc.org.
7200
IN
DNSKEY
257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr
hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/
9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org.
7200
IN
DNSKEY
256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/
x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=
isc.org.
7200
IN
RRSIG
DNSKEY 5 2 7200 20131002230127 20130902230127 12892 isc.org. ioYDVytf4YoAHCVxdz6U/
113 | © 2013 Infoblox Inc. All Rights Reserved.
fuQCaH2f2XVUExEexo48e55vLVSre5GkBG1 Wyn/4FeWLOUVWm5HElbL/hK2QEResp0csAwTnllU7W8fM65aS7pIO9JZ QWMvkPxQjsTYzEP1P2GA8NVGRUhz17RMLLSFgAJS9aEI7xK0fMwsd9U4 Az
A Little Math
•  Say each bot has a measly 1 Mbps connection to the
Internet
̶  It can send 1Mbps/36B =~ 28K qps
̶  That generates 28K * 4077B =~ 913 Mbps

•  So 11 bots > 10 Gbps

114
Malware Enablement
•  Malware infects clients when
they visit malicious web sites,
whose names are resolved
using DNS
•  Malware rendezvous with
command-and-control channels
using hardwired domain names
and rapidly changing IP
addresses
•  Malware tunnels new malicious
code through DNS

115
Anatomy of an Attack
Cryptolocker “Ransomware”
•  Targets Windows-based computers
•  Appears as an attachment to legitimate
looking email
•  Upon infection, encrypts files: local hard
drive & mapped network drives
•  Ransom: 72 hours to pay $300US
•  Fail to pay and the encryption key is
deleted and data is gone forever
•  Only way to stop (after executable has
started) is to block outbound connection to
encryption server

116
Platform Hack

117
DNS Threats Spectrum Overview

Threat Category: Disruption of DNS Services
DNS Cache Poisoning: Illegitimate corruption of DNS cached records
DoS/DDoS Attacks: DNS Flooding, Amplification, Reflection attacks; Denial of service by exploiting vulnerabilities in OS / Applications
DNS Redirection: Response manipulation, Man-in-the-Middle (MITM) Attacks
Geographic based Threats: High percentage of threats originating from specific geographic locations
DNS Protocol Attacks: Malformed Packets, Vulnerabilities, Buffer overflows, shell code insertion

Threat Category: Use DNS as a vector for business exploitation
DNS Tunneling Frauds: DNS tunneling (use of port 53 as an open communication channel); Attacker tunnels SSH traffic through DNS requests
Data Leakage: Using DNS to transport encrypted payloads
IP Fluxing: Fluxing of IPs at extremely high frequencies
Domain Fluxing / Domain Generation Algorithms (DGA): Domain Generation / Fluxing using dynamic algorithms that are hard to detect
Domain Phishing: DNS response manipulation
Malicious Domains: Malware using DNS to re-direct legitimate traffic to infected sites; Detect and drop known malicious domains or exploits
Advanced Persistent Threats (APTs): Machine generated FQDNs that are stealthy and persistent

118
Introducing Infoblox Advanced DNS Protection
The First DNS Server that Protects Itself
Unique Detection and Mitigation
§  Intelligently distinguishes legitimate DNS traffic from
attack traffic like DDoS, DNS exploits, tunneling
§  Mitigates attacks by dropping malicious traffic and
responding to legitimate DNS requests.
Centralized Visibility
§  Centralized view of all attacks happening across the
network through detailed reports
§  Intelligence needed to take action
Ongoing Protection Against Evolving Threats
§  Regular automatic threat-rule updates based on
threat analysis and research
§  Helps mitigate attacks sooner vs. waiting for patch
updates
119
Dedicated Compute
•  Infoblox designed network accelerator card
•  Performs deep packet inspection at wire-speed
•  Purpose built for analyzing DNS traffic
•  Blocks or Rate Limits threats before being processed by standard operating system
̶  Ingress and Egress

120
Threat detection – more than just DDOS
DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DOS or DDOS attack
DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
DNS cache poisoning: Corruption of the DNS cache data with a rogue address
Protocol anomalies: Causing the server to crash by sending malformed packets and queries
Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
DNS tunneling: Tunneling of another protocol through DNS for data exfiltration

121
DNS Content Based Filtering
Fast Flux: Rapidly changing of domains & IP addresses by malicious domains to obfuscate identity and location
APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)
Hacked Domains: Hacking DNS registry(s) & re-directing users to malicious domain(s)
Geo-Blocking: Blocking access to geographies that have rates of malicious domains or Economic Sanctions by US Government
FireEye: Block threats detected by your FireEye

122
Monitoring and Alerting
•  Alert on threats
̶  Send over syslog to any SIEM
•  Report and trend on threats
•  Report and trend on ALL DNS traffic
•  Capture and log all DNS queries, AND responses (optional)
•  Analyze and report on top patterns:
̶  Most frequently requested FQDN
̶  Top talkers
̶  Frequent queries ending in errors (NXDOMAIN, time out, SERVFAIL, etc)

123
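The "top patterns" reporting listed above, as an added example (not Infoblox's code) run over a constructed query log: it goes a little beyond the slide by turning the error-rate pattern into a per-client NXDOMAIN ratio, which is how DGA beacons stand out, and by flagging domains that receive many long, high-entropy labels, which is how tunneling shows up in query logs. The key=value log layout, the `.test` domains and the thresholds are assumptions.

```python
"""Summarise a DNS query log the way the slide's 'top patterns' reporting does."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample in a simple key=value layout (an assumption, not Infoblox's log format).
SAMPLE_LOG = """\
2014-03-11T10:00:01 client=10.0.0.5 query=www.acme.com type=A rcode=NOERROR
2014-03-11T10:00:02 client=10.0.0.5 query=mail.acme.com type=A rcode=NOERROR
2014-03-11T10:00:03 client=10.0.0.6 query=www.acme.com type=A rcode=NOERROR
2014-03-11T10:00:04 client=10.0.0.6 query=www.acme.com type=AAAA rcode=NOERROR
2014-03-11T10:00:05 client=10.0.0.7 query=x7q2kd9vb.info type=A rcode=NXDOMAIN
2014-03-11T10:00:06 client=10.0.0.7 query=p0zj4wq1l.biz type=A rcode=NXDOMAIN
2014-03-11T10:00:07 client=10.0.0.7 query=m3n8tyu2c.org type=A rcode=NXDOMAIN
2014-03-11T10:00:08 client=10.0.0.7 query=www.acme.com type=A rcode=NOERROR
2014-03-11T10:00:09 client=10.0.0.8 query=9f3a1c7e2b4d6a8c0e1f.t.exfil.test type=TXT rcode=NOERROR
2014-03-11T10:00:10 client=10.0.0.8 query=4b8d2e6f0a1c3e5d7f9a.t.exfil.test type=TXT rcode=NOERROR
2014-03-11T10:00:11 client=10.0.0.8 query=c1e3a5d7f9b0d2f4a6c8.t.exfil.test type=TXT rcode=NOERROR
2014-03-11T10:00:12 client=10.0.0.9 query=typo.acme.com type=A rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+) type=(\S+) rcode=(\S+)$")
FIELDS = ("ts", "client", "qname", "qtype", "rcode")


def parse(log):
    """Parse key=value lines; malformed lines are skipped rather than aborting the report."""
    return [dict(zip(FIELDS, m.groups())) for m in map(LINE_RE.match, log.splitlines()) if m]


def top_fqdns(rows, n=3):
    """Most frequently requested FQDNs."""
    return Counter(r["qname"] for r in rows).most_common(n)


def top_talkers(rows, n=3):
    """Clients sending the most queries."""
    return Counter(r["client"] for r in rows).most_common(n)


def error_heavy_clients(rows, min_queries=3, ratio=0.5):
    """Clients whose answers are mostly NXDOMAIN/SERVFAIL: typical of DGA malware
    probing names that do not exist (or of a badly misconfigured application)."""
    total, errors = Counter(), Counter()
    for r in rows:
        total[r["client"]] += 1
        if r["rcode"] in ("NXDOMAIN", "SERVFAIL"):
            errors[r["client"]] += 1
    return {c: round(errors[c] / total[c], 2) for c in total
            if total[c] >= min_queries and errors[c] / total[c] >= ratio}


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; encoded data scores high."""
    n = len(label)
    return -sum(k / n * math.log2(k / n) for k in Counter(label).values())


def tunnel_suspects(rows, min_label_len=16, min_entropy=3.0, min_unique=3):
    """Registered domains receiving many distinct, long, high-entropy leftmost labels:
    the shape tunneling leaves in query logs, since every data chunk needs a new name."""
    per_domain = defaultdict(set)
    for r in rows:
        labels = r["qname"].split(".")
        first = labels[0]
        if len(labels) >= 3 and len(first) >= min_label_len and label_entropy(first) >= min_entropy:
            per_domain[".".join(labels[-2:])].add(first)
    return {d: len(s) for d, s in per_domain.items() if len(s) >= min_unique}


def report(log):
    rows = parse(log)
    return {"top_fqdns": top_fqdns(rows), "top_talkers": top_talkers(rows),
            "error_heavy_clients": error_heavy_clients(rows),
            "tunnel_suspects": tunnel_suspects(rows)}


if __name__ == "__main__":
    for name, value in report(SAMPLE_LOG).items():
        print(name, value)
```

The single NXDOMAIN from 10.0.0.9 stays below `min_queries`, so one user typo does not page anyone; 10.0.0.7 and the `exfil.test` labels do.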
Custom Rules
•  Block or Rate Limit by:
̶  Source IP
̶  FQDN
̶  UDP or TCP
•  Whitelists

Threat Update Service
•  Threats are analyzed by a security team at Infoblox
•  Appliances check for new signatures every hour

124
ADP In Action
(diagram: the Infoblox Threat-rule Server pushes automatic updates and rule distribution to Infoblox Advanced DNS Protection appliances, which block or rate limit DNS threats and pass legitimate traffic; the Grid Master tracks and reports to a Reporting Server)
Reports on attack types, severity, and sends to a SIEM

125
Deployment
Options

126
External
Protection against Internet-borne Attacks
(diagram: Advanced DNS Protection appliances between the INTERNET and the DMZ; the INTRANET holds the Grid Master and Candidate (HA) in the Data Center, with campus office, regional office(s) and disaster recovery site(s))

Advanced DNS Protection when deployed as an external authoritative DNS server can protect against cyberattacks
127
Internal
Protection against Internal Attacks, or misconfigured applications, on Recursive or Authoritative Servers
(diagram: INTRANET with Grid Master and Candidate (HA), Advanced DNS Protection appliances in front of the endpoints)

Advanced DNS Protection can secure internal DNS environments where internal user traffic is hostile
128
Advanced Appliances Come in Three
Physical Platforms

Advanced Appliances have next-generation programmable processors
that provide dedicated compute for threat mitigation.
The appliances offer both AC and DC power supply options.
129
Why QoS Matters
(screenshot: Settings)

130
Summary
•  DNS is a core strategic asset that is often left unprotected
•  The bad guys are going after your DNS servers
•  Internal DNS is just as exposed to failure
•  Infoblox can help
̶  Deep visibility
̶  Unique expertise in DNS
̶  Scales up to the largest networks

131
Thank You
www.infoblox.com

132
WRAP/Q&A

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
The Issues
}  Integration of Security
Technologies
}  Staffing
}  Vulnerabilities
}  Advanced threats

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
The Issues
}  Integration of Security
Technologies is Challenging
–  Multiple formats of data
–  Data timing issues
–  Different types of security
controls
–  Other data types

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
The Issues
}  InfoSecurity Staff
–  Different skills requirements
﹘  Architects
﹘  Malware Handling
﹘  Forensics
﹘  Vulnerability
﹘  Incident Management
﹘  Risk and Compliance

–  HR Costs
﹘  Premium technical personnel
﹘  Analysts, Specialists
﹘  Training and certification
© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
The Issues
}  Vulnerabilities
–  Regular scheduled
disclosures
–  Large volumes of ad-hoc
patches
–  Many undisclosed zero days
–  Remediation is a continuous
process

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
The Issues
}  Advanced Threats
–  Advanced Persistent Threats
–  Embedded threats
}  Who?
–  State sponsored
–  Hacktivism
–  Hackers
–  Organized crime

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
How to Secure It
}  State-of-the-art Security
Technologies
}  Skills on Demand
–  Continuous Tuning of Rules
and Filters
–  Cyber Intelligence,
Advanced Analytics
–  Cyber Incident Response
–  Code Review, Vulnerability
and Assessment Testing
© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
QUESTIONS?

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
THANK YOU.

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience

 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
 
Netpluz corp presentation 2020
Netpluz corp presentation 2020Netpluz corp presentation 2020
Netpluz corp presentation 2020
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin Nystrom
 
Integra presentation
Integra presentationIntegra presentation
Integra presentation
 

Mais de Scalar Decisions

Mais de Scalar Decisions (20)

La transformation numérique de Scalar
La transformation numérique de ScalarLa transformation numérique de Scalar
La transformation numérique de Scalar
 
Digital Transformation
Digital TransformationDigital Transformation
Digital Transformation
 
2017 Scalar Security Study Summary
2017 Scalar Security Study Summary2017 Scalar Security Study Summary
2017 Scalar Security Study Summary
 
Scalar cloud study2016_slideshare
Scalar cloud study2016_slideshareScalar cloud study2016_slideshare
Scalar cloud study2016_slideshare
 
Résumé de l’étude sur la sécurité de Scalar 2016
Résumé de l’étude sur la sécurité de Scalar 2016Résumé de l’étude sur la sécurité de Scalar 2016
Résumé de l’étude sur la sécurité de Scalar 2016
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
Web scale with-nutanix_rev
Web scale with-nutanix_revWeb scale with-nutanix_rev
Web scale with-nutanix_rev
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015
 
Cloudforms Workshop
Cloudforms WorkshopCloudforms Workshop
Cloudforms Workshop
 
Scalar - a brief introduction
Scalar - a brief introductionScalar - a brief introduction
Scalar - a brief introduction
 
Scalar Case Study: Strong Project Management Helps McMaster University Succes...
Scalar Case Study: Strong Project Management Helps McMaster University Succes...Scalar Case Study: Strong Project Management Helps McMaster University Succes...
Scalar Case Study: Strong Project Management Helps McMaster University Succes...
 
XtremIO
XtremIOXtremIO
XtremIO
 
Hyperconverged Infrastructure: The Leading Edge of Virtualization
Hyperconverged Infrastructure: The Leading Edge of VirtualizationHyperconverged Infrastructure: The Leading Edge of Virtualization
Hyperconverged Infrastructure: The Leading Edge of Virtualization
 
The road to clustered data ontap.
The road to clustered data ontap.The road to clustered data ontap.
The road to clustered data ontap.
 
The Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian OrganizationsThe Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian Organizations
 
Where Technology Meets Medicine: SickKids High Performance Computing Data Centre
Where Technology Meets Medicine: SickKids High Performance Computing Data CentreWhere Technology Meets Medicine: SickKids High Performance Computing Data Centre
Where Technology Meets Medicine: SickKids High Performance Computing Data Centre
 
Cyber Security trends and tactics for 2015
Cyber Security trends and tactics for 2015Cyber Security trends and tactics for 2015
Cyber Security trends and tactics for 2015
 
Scalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am Games
Scalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am GamesScalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am Games
Scalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am Games
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Scalar Security Roadshow - Toronto Stop

  • 8.
  - Top technical talent in Canada: engineers average 15 years' experience
  - We train the trainers: only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox
  - Our partners recognize we're the best: Brocade Partner of the Year (Innovation); Cisco Partner of the Year (Data Centre & Virtualization); VMware Global Emerging Products Partner of the Year; F5 Canadian Partner of the Year; Palo Alto Networks Rookie of the Year; NetApp Partner of the Year (Central)
  • 9.
  - Unique infrastructure solutions designed to meet your needs: StudioCloud; HPC & Trading Systems
  - Testing Centre & Proving Grounds: ensuring emerging technologies are hardened and up to the task of enterprise workloads
  - Vendor breadth: our coverage spans enterprise leaders and emerging technologies for niche workloads and developing markets
  • 10. “Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”
  • 11. “We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”
  • 12. “Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multidisciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”
  • 14. PALO ALTO NETWORKS
  • 15. Protecting Against Modern Malware and the Evolution of Cyber Security. Garry Coldwells, Systems Engineer, March 2014
  • 16. Palo Alto Networks at a glance
  Corporate highlights:
  - Palo Alto Networks is the Network Security Company: safely enabling applications and preventing cyber threats
  - Founded in 2005; first customer shipment in 2007
  - Exceptional ability to support global customers
  - Experienced team of 1,300+ employees
  - Q1FY14: $128.2M revenue; 16,000 customers
  Revenues ($MM, FYE July): FY09 $13; FY10 $49; FY11 $119; FY12 $255; FY13 $396
  Enterprise customers: Jul-11 4,700; Jul-12 9,000; Jul-13 13,500
  ©2013, Palo Alto Networks. Confidential and Proprietary.
  • 17. How Time Has Changed
  • 26. Levelset
  • 27. The basics
  - Exploit. What it is: bad application input, usually in the form of network traffic. What it does: targets a vulnerability to hijack control of the target application or machine.
  - Malware. What it is: malicious application or code. What it does: anything (downloads, hacks, explores, steals...).
  - Command-and-control (C2). What it is: network traffic generated by malware. What it does: keeps the remote attacker in control and coordinates the attack.
  - Indicators of compromise (IoC). What it is: indications that your network has been compromised. What it does: allows security teams to find and confirm breaches.
  • 28. Known vs. unknown threats
  Known threats:
  - Malware or exploits that have been seen before
  - Commonly available and recycled
  - Easily stopped by traditional security
  Unknown threats:
  - Malware or exploits that have never been seen before
  - Unique, and often custom-crafted
  - Easily bypass traditional security
  • 29. New Threat Landscape: State of the Union
  • 30. Interests and motivations have also changed: from bored “geeks” to nation states and organized crime
  • 31. The new threat landscape
  - Commodity threats (very common, easily identified): low sophistication, slowly changing; mostly addressed by traditional AV and IPS
  - Organized cybercrime (more customized exploits and malware): somewhat more sophisticated payloads; evasion techniques often employed; sandboxing and other smart detection often required
  - Nation state / advanced threat (very targeted, persistent, creative): machine vs. machine; intelligent and continuous monitoring of passive network-based and host-based sensors; comprehensive investigation after an indicator is found; highly coordinated response is required for effective prevention and remediation
  • 32. By the Numbers
  - Days of malware data accumulation
  - Networks: covering 1,000+ live enterprise networks
  - Antivirus vendors: tested against 6 fully-updated, industry-leading antivirus products
  - Unknown malware (zero-day): resulted in finding 26,000+ malware that had NO coverage at the time they were detected in the live enterprise network
  • 33. Malware Delivery Vectors: 90% delivered via web-browsing/HTTP; 2% delivered via e-mail
  • 34. Malware Vectors and Traditional Detection Times (chart; top 5 sources of unknown malware highlighted). FTP was a leading source and rarely detected.
  • 35. Regaining Control
  - Bring the right anti-malware technologies into the network: end-point antivirus is falling way short
  - Need to look way beyond e-mail and web: 82 applications are designed explicitly to avoid security (circumventors); 260 applications are designed to tunnel within allowed protocols (encryption, tunneling)
  - Expect unknowns: implement a mechanism to take a deeper look at the unknown; real-time detection and blocking when possible; automate the kill chain to prevent manual response
  - Enforce user and application controls: minimize the attack surface by controlling who can transfer files, using which apps, in which direction and when
  • 36. Automated network effect of sharing (WildFire)
  - Automatic detection in real time in private or public cloud
  - 10Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.)
  - Automatic generation of several defensive measures: anti-malware signatures, DNS intelligence, malware URL database, anti-C2 signatures
  - Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection
  - Automatic installation of defensive measures provides full prevention immediately
  - Global intelligence and protection delivered to all users: you benefit from the threat intelligence of 2,500+ organizations across the industry, plus soak sites, sinkholes and 3rd-party sources
  - Malware, DNS, URL and C2 signatures automatically created based on WildFire intelligence and delivered to customers globally
  - Behaviours covered: command-and-control, staged malware downloads, host ID and data exfil
  - WildFire Appliance (optional)
  • 37. Unique Identifiers
  - Samples: of malware with unique SHA256
  - Unique identifiers: observed in multiple malware samples
  - Identifiable samples: contained unique identifiers
  - Potential: to be blocked by unique identifier rather than hash/URI
  • 38. Most Commonly Observed Malware Behaviours
  • 39. Regaining Control
  - Implement technology with stream-based analysis of headers and payloads: block polymorphic variants using identifiers rather than hash or URI
  - Establish a solid baseline of ‘normal’ behaviour: knowing what is normal allows the abnormal to become very apparent
  - Investigate and remediate unknowns: investigate unknowns and make it a goal to keep them below an acceptable threshold
  - Restrict access to unknown, newly registered and dynamic DNS domains: the internet is dynamic, so restrict executables from these, implement SSL decryption and block HTTP POST
  - Control e-mail traffic flow: only allow e-mail traffic in/out between the mail gateway and its destination, and never allow e-mail to bypass the corporate mail gateway
  • 40. Malware Use of Non-Standard Ports by Application
  • 41. Regaining Control
  - Restrict applications to their standard ports
  - Especially limit FTP to its well-known ports
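The controls on slides 39 and 41 (applications held to their standard ports, e-mail only via the corporate gateway, no executables or HTTP POST to newly registered or dynamic-DNS domains), written out as detection logic over constructed flow-log lines. This is an added example, not Palo Alto Networks code or configuration: the key=value log format, the app-to-port table, the gateway address 10.0.0.25, the 30-day "newly registered" cut-off and the sample lines are all assumptions made for the demo.

```python
"""Detection logic for the 'Regaining Control' checks, run over constructed
flow-log lines. Added example, not Palo Alto Networks code: the key=value log
format, the app-to-port table, the mail-gateway address and the 30-day
'newly registered' threshold are assumptions for the demo."""

from typing import Dict, List

STANDARD_PORTS = {            # assumption: a small app-to-port allow list
    "ftp": {21}, "ssh": {22}, "smtp": {25, 587},
    "dns": {53}, "web-browsing": {80, 443},
}
MAIL_GATEWAYS = {"10.0.0.25"}  # assumption: the corporate mail relay
NEW_DOMAIN_DAYS = 30           # assumption: 'newly registered' cut-off
EXECUTABLE_TYPES = {"pe", "elf", "msi"}


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'key=value key=value ...' into a dict (values contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def evaluate(rec: Dict[str, str]) -> List[str]:
    """Return the policy violations one flow record triggers ([] = allowed)."""
    hits: List[str] = []
    app, dport = rec.get("app"), int(rec.get("dport", 0))

    # Slide 41: hold applications to their standard ports, FTP especially.
    std = STANDARD_PORTS.get(app)
    if std is not None and dport not in std:
        hits.append(f"{app} on non-standard port {dport}")

    # Slide 39: e-mail may only flow between the mail gateway and its peer.
    if app == "smtp" and not ({rec.get("src"), rec.get("dst")} & MAIL_GATEWAYS):
        hits.append("smtp bypassing corporate mail gateway")

    # Slide 39: no executables and no HTTP POST to new or dynamic-DNS domains.
    age = rec.get("domain_age_days")
    risky_domain = rec.get("dyndns") == "1" or (
        age is not None and int(age) < NEW_DOMAIN_DAYS)
    if risky_domain:
        if rec.get("file_type") in EXECUTABLE_TYPES:
            hits.append("executable download from new or dynamic-DNS domain")
        if rec.get("method") == "POST":
            hits.append("HTTP POST to new or dynamic-DNS domain")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Run evaluate() over log lines; return {line_no: violations} for hits only."""
    report: Dict[int, List[str]] = {}
    for n, line in enumerate(lines, 1):
        hits = evaluate(parse_line(line))
        if hits:
            report[n] = hits
    return report


# Constructed sample log; not real traffic.
SAMPLE_LOG = [
    "src=10.0.1.7 dst=203.0.113.10 app=web-browsing dport=443 method=GET domain_age_days=4000",
    "src=10.0.1.7 dst=198.51.100.4 app=ftp dport=8080",
    "src=10.0.1.9 dst=198.51.100.25 app=smtp dport=25",
    "src=10.0.0.25 dst=198.51.100.25 app=smtp dport=25",
    "src=10.0.1.7 dst=198.51.100.77 app=web-browsing dport=80 method=POST file_type=pe domain_age_days=3",
    "src=10.0.1.8 dst=198.51.100.78 app=web-browsing dport=80 method=GET file_type=elf dyndns=1",
]

if __name__ == "__main__":
    for n, violations in scan(SAMPLE_LOG).items():
        print(f"line {n}: {'; '.join(violations)}")
```

Lines 2, 3, 5 and 6 of the sample are flagged; line 4 passes because the gateway itself is the SMTP source, and line 1 passes because the destination domain is old and the method is GET. On a real firewall the same decisions are expressed as App-ID, zone and URL-category policy rather than as a script.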
  • 42. Regaining Control over Modern Threats: New Requirements for Threat Prevention
  1. Visibility into all traffic regardless of port, protocol, evasive tactic or SSL
  2. Stop all types of known network threats (IPS, anti-malware, URL, etc.) while maintaining multi-gigabit performance
  3. Find and stop new and unknown threats even without a pre-existing signature
  • 43. A Next-Generation Cybersecurity Strategy (the funnel): everything must go in the funnel; reduce the attack surface; block everything you can; test and adapt to unknowns; investigate and cleanup
  • 44. The Bigger Picture
  • 45. Imperatives to be secure
  - Evolving from an incident response mindset to an intelligence mindset
  - No intelligence exists without visibility
  - Applying the intelligence and resulting IOCs to the kill chain
  - Sharing what you know
  • 46. Can’t understand what you don’t know
  - You don’t have intelligence if you don’t have visibility
  - Visibility required across the whole network
  - Ideally, you can see and understand applications, content, and users
  - Then make sense of what you see
  • 47. Share what you know
  - In the cyber security battle, sharing is key
  - Three ways this is happening: 1. External: industry initiatives; 2. External: technology partnerships; 3. Internal: your security technology should leverage the network
  • 48. Virtual firewall editions
  - vSphere: virtual firewall as a guest VM (VM-100, VM-200, VM-300)
  - NSX: virtual firewall as a hypervisor service (VM-1000-HV, modeled from VM-300)
  • 51. Regaining Control
  • 52. A Next-Generation Cybersecurity Strategy (1): Everything must go in the funnel
  - Inspect all traffic
  - 35% of all applications use SSL
  - Non-standard ports and tunneled traffic
  - Make NO assumptions
  • 53. A Next-Generation Cybersecurity Strategy (2): Reduce the attack surface
  - High risk applications and features
  - Block files from unknown domains
  - Find and control custom traffic
  - Implement POSITIVE security
  • 54. A Next-Generation Cybersecurity Strategy (3): Block everything you can
  - Exploits, malware, C2
  - Variants and polymorphism
  - DNS, URLs, malicious clusters
  - Implement NEGATIVE security
  • 55. Strategy for Modern Threat Prevention: Test and adapt to unknowns
  - Static, behavioural and anomaly analysis
  - Automatically create and deliver protections
  - Share globally
  - Implement zero-day security
  • 56. A Next-Generation Cybersecurity Strategy (5): Investigate and cleanup
  - Feed the SIEM
  - Share indicators of compromise
  - Integrate with end-point security
  - Evolve from incident response to security intelligence
  • 57. F5
  • 58. F5: Security for an application driven world
  • 59. F5 Provides Complete Visibility and Control Across Applications and Users
  - Intelligent services: DNS, web access, dynamic threat defense, DDoS protection, protocol security, network firewall
  - Platform: TMOS
  - Users: securing access to applications from anywhere
  - Resources: protecting your applications regardless of where they live
  © F5 Networks, Inc CONFIDENTIAL
  • 61. Attack timeline, May to December 2012 (chart): attack types shown include spear phishing, physical access and XSS; the size of each circle estimates the relative impact of the incident in terms of cost to business
  • 62. Attack timeline, January to June 2013 (chart): incidents across banking, government, education, online services, news and media, telco, software, DNS providers, retail, utilities, automotive, health, gaming and other sectors; attack types shown include spear phishing and physical access; the size of each circle estimates the relative impact of the incident in terms of cost to business
  • 63. More sophisticated attacks are multi-layer: application, SSL, DNS, network
  • 64. The business impact of DDoS: cost of corrective action; reputation management
  • 65. OWASP Top 3 Application Security Risks
  1. Injection: injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.
  2. Broken Authentication and Session Management: application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity.
  3. Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.
  Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  • 67. Full Proxy Security
  Client side and server side are terminated separately at every layer (physical, network, session, application, web application), so the proxy can apply:
  - L4 firewall: full stateful policy enforcement and TCP DDoS mitigation
  - SSL inspection and SSL DDoS mitigation
  - HTTP proxy, HTTP DDoS and application security
  - Application health monitoring and performance anomaly detection
  • 68. The F5 Application Delivery Firewall: bringing deep application fluency to firewall security. One platform: network firewall, traffic management, application security, access control, DDoS mitigation, SSL inspection, DNS security. Certified EAL2+; EAL4+ in process.
  • 69. Positive vs Negative
  - Positive security: known good traffic; permit only what is defined in the security policy (whitelisting); block everything else
  - Negative security: known-bad traffic; pattern matching for malicious content using regular expressions
  - Policy enforcement is based on positive security logic; negative security logic is used to complement positive logic
  • 70. How Does It Work? Security at application, protocol and network level
  Request made; security policy checked; enforcement (actions: log, block, allow); server response; security policy applied (content scrubbing, application cloaking); response delivered.
  “BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”
  • 71. Policy checks, in order
  1. Start by checking RFC compliance
  2. Then check for various length limits in the HTTP
  3. Then we can enforce valid types for the application
  4. Then we can enforce a list of valid URLs
  5. Then we can check for a list of valid parameters
  6. Then for each parameter we will check for max value length
  7. Then scan each parameter, the URI, the headers
  Sample request (the slide shows the CRLF line endings as literal rn):
  GET /search.php?name=Acme’s&admin=1 HTTP/1.1
  Host: 172.29.44.44
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 6.1)
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9
  Referer: http://172.29.44.44/search.php?q=data
  Accept-Encoding: gzip,deflate,sdch
  Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
  Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
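The positive-security model of slide 69 and the ordered checks of slide 71, applied to the slide's own sample request. This is an added example, not F5 or BIG-IP ASM code: the policy contents (the allowed URLs /search.php and /index.php, the parameters q and name with their maximum lengths, the accepted content types, the length limits and the three negative-security signatures) are assumptions, and the sample request is the slide's with the curly apostrophe replaced by an ASCII one so it survives as bytes.

```python
"""Positive-security checks in the order of the slide (RFC shape, length
limits, allowed content types, URL allow list, parameter allow list,
per-parameter length, then a negative-security signature scan).
Added example, not F5/BIG-IP ASM code; all policy values are assumptions."""

import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Assumed policy for the demo application.
POLICY = {
    "max_request_line": 2048,
    "max_header_value": 1024,
    "allowed_types": {"text/html", "application/xhtml+xml", "application/xml"},
    "urls": {"/search.php": {"q": 64, "name": 32},   # URL -> {parameter: max length}
             "/index.php": {}},
}
# Negative-security signatures that complement the positive policy (assumed, deliberately small).
SIGNATURES = [
    ("sql-injection", re.compile(r"'|--|\bor\b\s+\d+=\d+", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]
METHODS = {"GET", "POST", "HEAD"}


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0].rstrip("\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" not in line:
            raise ValueError(f"malformed header {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def check_request(raw: str) -> List[str]:
    """Return policy violations in slide order; an empty list means the request passes."""
    v: List[str] = []
    try:                                                   # 1. RFC compliance
        method, target, version, headers = parse_request(raw)
    except ValueError as e:
        return [f"rfc: {e}"]
    if method not in METHODS or not version.startswith("HTTP/1."):
        v.append(f"rfc: unsupported {method} {version}")
    if "host" not in headers:
        v.append("rfc: missing Host header")
    if len(raw.split("\r\n", 1)[0]) > POLICY["max_request_line"]:   # 2. length limits
        v.append("length: request line too long")
    v += [f"length: header {n} too long" for n, val in headers.items()
          if len(val) > POLICY["max_header_value"]]
    accept = headers.get("accept")                         # 3. valid types for the application
    if accept:
        accepted = {t.split(";")[0].strip() for t in accept.split(",")}
        if "*/*" not in accepted and not accepted & POLICY["allowed_types"]:
            v.append("type: no allowed content type in Accept")
    url = urlsplit(target)                                 # 4. list of valid URLs
    params = POLICY["urls"].get(url.path)
    if params is None:
        return v + [f"url: {url.path} not in allow list"]
    query = parse_qsl(url.query, keep_blank_values=True)
    for name, value in query:                              # 5. valid parameters, 6. max length
        if name not in params:
            v.append(f"param: {name} not allowed on {url.path}")
        elif len(value) > params[name]:
            v.append(f"param: {name} longer than {params[name]}")
    fields = [("uri", target)] + [(f"param {n}", val) for n, val in query] + list(headers.items())
    for where, text in fields:                             # 7. scan parameters, URI, headers
        v += [f"signature: {sig} in {where}" for sig, pat in SIGNATURES if pat.search(text)]
    return v


# The slide's request, CRLF-terminated, apostrophe made ASCII (constructed input).
SLIDE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Accept-Encoding: gzip,deflate,sdch\r\n"
    "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n\r\n"
)
CLEAN_REQUEST = "GET /search.php?q=data HTTP/1.1\r\nHost: 172.29.44.44\r\nAccept: text/html\r\n\r\n"

if __name__ == "__main__":
    for req in (SLIDE_REQUEST, CLEAN_REQUEST):
        print(req.split("\r\n")[0], "->", check_request(req) or "allowed")
```

The slide's request fails twice on positive logic and once on negative logic: admin is not a declared parameter of /search.php, and the apostrophe in name trips the injection signature both in the URI and in the parameter value. Note that the parameter allow list catches admin=1 even though no signature would ever match the value 1, which is the point of running positive checks first.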
  • 72. Automatic HTTP/S DOS Attack Detection and Protection • Accurate detection technique, based on latency • Three different mitigation techniques escalated serially • Focus on higher value productivity while automatic controls intervene. Sequence: Detect a DOS condition → Identify potential attackers → Drop only the attackers. © F5 Networks, Inc CONFIDENTIAL 72
  • 73. To Simplify: Application-Oriented Policies and Reports © F5 Networks, Inc CONFIDENTIAL 73
  • 74. IP INTELLIGENCE (diagram: an IP intelligence service, with IP address feed updates every 5 min and a geolocation database, in front of a custom application and a financial application; sources it identifies: Botnet, Restricted region or country, Attacker, Anonymous requests, Anonymous proxies, Scanner, Internally infected devices and servers). © F5 Networks, Inc CONFIDENTIAL 74
  • 75. Built for intelligence, speed and scale. Users: Concurrent user sessions 100K; Concurrent logins 1,500/sec. Resources: Throughput 640 Gbps; Concurrent connections 288 M; DNS query response 10 M/sec; SSL TPS (2K keys) 240K/sec; Connections per second 8M.
  • 76. Application Delivery Firewall: Network firewall, Traffic management, Application security, Access control, DDoS mitigation, SSL inspection, DNS security. Products: Advanced Firewall Manager (Stateful full-proxy firewall; Flexible logging and reporting; Native TCP, SSL and HTTP proxies; Network and Session anti-DDoS); Local Traffic Manager (#1 application delivery controller; Application fluency; App-specific health monitoring); Application Security Manager (Leading web application firewall; PCI compliance; Virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection); Access Policy Manager (Dynamic, identity-based access control; Simplified authentication infrastructure; Endpoint security, secure remote access); Global Traffic Manager & DNSSEC (Huge scale DNS solution; Global server load balancing; Signed DNS responses; Offload DNS crypto). iRules extensibility everywhere. © F5 Networks, Inc CONFIDENTIAL 76
  • 77. Explore The F5 DDoS Protection Reference Architecture f5.com/architectures © F5 Networks, Inc CONFIDENTIAL 77
  • 78. Summary •  Customers invest in network security, but most significant threats are at the application layer •  Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data •  A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges •  F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access © F5 Networks, Inc CONFIDENTIAL 78
  • 80. BREAK © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 81. SPLUNK © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 82. Copyright © 2014 Splunk Inc. Splunk for Security Intelligence
  • 83. Splunk Overview. Company (NASDAQ: SPLK): • Founded 2004, first software release in 2006 • HQ: San Francisco / Regional HQ: London, Hong Kong • Over 1000 employees, based in 12 countries • 2012 Revenue: $199M (YoY +60%). Business Model / Products: • Free download to massive scale • Splunk Enterprise, Splunk Cloud, Hunk: Splunk Analytics for Hadoop • 6,400+ Customers • Customers in over 90 countries, 60 of the Fortune 100 • Largest license: Over 100 Terabytes per day. 83
  • 84. Make machine data accessible, usable and valuable to everyone. 84
  • 85. The Accelerating Pace of Data: Volume | Velocity | Variety | Variability. Machine data is the fastest growing, most complex, most valuable area of big data (sources shown: GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops). 85
  • 86. The Splunk Security Intelligence Platform. Security Use Cases: Forensic Investigation, Security Operations, Compliance, Fraud Detection. Machine Data sources: Online Services, Web Services, Security Servers, GPS Location, Networks, Packaged Applications, Desktops, Storage, Messaging, Telecoms, Custom Applications, RFID, Energy Meters, Online Shopping Cart, Databases, Web Clickstreams, Call Detail Records, Smartphones and Devices. HA Indexes and Storage on Commodity Servers.
  • 87. Rapid Ascent in the Gartner SIEM Magic Quadrant (2011, 2012, 2013). 87
  • 88. Industry Accolades: Best SIEM Solution, Best Enterprise Security Solution, Best Security Product. 88
  • 89. Over 2800 Global Security Customers. 89
  • 90. Splunk Security Intelligence Platform: 120+ security apps, including the Splunk App for Enterprise Security and apps for Palo Alto Networks, Cisco Security Suite, OSSEC, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat Proxy SG and Sourcefire. 90
  • 91. Partner Ecosystem. What is the Value Add to Existing Customers? Visibility and Correlation of Rich Data; Improved Security Posture; Configurable Dashboard Views.
  • 92. All Data is Security Relevant = Big Data. Traditional SIEM sources: Firewall, Authentication, Vulnerability Scans, Anti-Malware, Intrusion Detection, Data Loss Prevention. Beyond the traditional SIEM: Databases, Email, Web, Desktops, Servers, DHCP/DNS, Network Flows, Custom Apps, Hypervisor, Badges, Storage, Mobile, Service Desk, Industrial Control, Call Records.
  • 93. Making Sound Security Decisions: Log Data, Binary Data (flow and PCAP), Threat Intelligence Feeds and Context Data all feed Security Decisions. Volume, Velocity, Variety, Variability. 93
  • 94. Case #1 - Incident Investigation/Forensics • Often initiated by alert in another product • May be a "cold case" investigation requiring machine data going back months • Need all the original data in one place and a fast way to search it to answer: – What happened and was it a false positive? – How did the threat get in, where have they gone, and did they steal any data? – Has this occurred elsewhere in the past? • Take results and turn them into a real-time search/alert if needed. (Timeline graphic, January to April: Suspect A, Suspect B, Suspect C, Accomplice A and Accomplice B linked by log fragments such as "client=unknown[99.120.205.249]", "truncating integer value > 32 bits", "DHCPACK" and "host=85.196.82.110".) 94
  • 95. Case #2 – Real-time Monitoring of Known Threats. Example Correlation – Data Loss. Sources, each keyed on Source IP:
Windows Authentication (Default Admin Account): 20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts (Source IP: 10.11.36.20)
Endpoint Security (Malware Found): Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Intrusion Detection (Data Loss): Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:
Time Range: All three occurring within a 24-hour period. 95
  • 96. Case #3 – Real-time Monitoring of Unknown Threats - Spearphishing. Example Correlation. Sources, each keyed on User Name:
Email Server (Rarely seen email domain): 2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
Web Proxy (Rarely visited web site): 2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; )" User John Doe,
Endpoint Logs (Rarely seen service): 08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
Time Range: All three occurring within a 24-hour period. 96
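Both correlation slides (Case #2 and Case #3) apply the same rule shape: one entity (a source IP, or a user name) appears in each of three different log sources inside a 24-hour window, and for Case #3 each individual event is itself unusual ("rarely seen"). The following added Python example implements that rule over constructed events; it is not Splunk's correlation engine or search language, and the timestamps, the decoy entity 10.11.36.77 and the sender baseline are invented for the demo (the field values only echo what is visible on the two slides):

```python
"""Sliding-window correlation across log sources, keyed by a shared entity.

Added example, not Splunk code. EVENTS and SENDER_BASELINE are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed events: (timestamp, source, entity, detail)
EVENTS = [
    # Case #2 shape: three sources agree on source IP 10.11.36.20 within 24h.
    ("2013-08-08 06:09:13", "windows_auth", "10.11.36.20", "Built-in Administrator (RID 500) used"),
    ("2013-08-08 06:17:24", "endpoint_av",  "10.11.36.20", "Virus found: Hackertool.rootkit, evil.tmp"),
    ("2013-08-08 08:26:54", "ids",          "10.11.36.20", "Credit Card Number Detected in Clear Text -> 10.11.36.26:443"),
    # Decoy: same three sources, but the third fires three days later.
    ("2013-08-05 09:00:00", "ids",          "10.11.36.77", "Potential Corporate Privacy Violation"),
    ("2013-08-05 09:30:00", "windows_auth", "10.11.36.77", "Built-in Administrator used"),
    ("2013-08-08 11:00:00", "endpoint_av",  "10.11.36.77", "Virus found"),
    # Case #3 shape: three sources agree on user johndoe within 24h.
    ("2013-08-09 12:40:25", "email",        "johndoe", "mail from hacker@neverseenbefore.com"),
    ("2013-08-09 16:21:38", "web_proxy",    "johndoe", "GET www.neverbeenseenbefore.com"),
    ("2013-08-09 16:23:51", "endpoint_log", "johndoe", "CreateKey by neverseenbefore.exe"),
]

KNOWN_THREAT_RULE = {"windows_auth", "endpoint_av", "ids"}      # Case #2
UNKNOWN_THREAT_RULE = {"email", "web_proxy", "endpoint_log"}    # Case #3
WINDOW = timedelta(hours=24)


def correlate(events, required_sources, window=WINDOW):
    """Return {entity: [events]} for every entity that has at least one event
    from each required source inside a single window of the given length."""
    by_entity = defaultdict(list)
    for ts, source, entity, detail in events:
        if source in required_sources:
            by_entity[entity].append((parse_ts(ts), source, detail))
    hits = {}
    for entity, evs in by_entity.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        # Anchor the window at each event in turn and collect what follows.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            if {e[1] for e in in_window} >= required_sources:
                hits[entity] = in_window
                break
    return hits


def rare_values(observations, max_seen=1):
    """'Rarely seen' prefilter for Case #3: values that appear at most
    `max_seen` times in a baseline window are considered rare."""
    counts = Counter(observations)
    return {v for v, n in counts.items() if n <= max_seen}


# Constructed baseline of sender domains seen over the previous month.
SENDER_BASELINE = ["acme.com"] * 40 + ["partner.example"] * 6 + ["neverseenbefore.com"]

if __name__ == "__main__":
    print("rare sender domains:", rare_values(SENDER_BASELINE))
    for name, rule in (("known threat", KNOWN_THREAT_RULE), ("unknown threat", UNKNOWN_THREAT_RULE)):
        for entity, evs in correlate(EVENTS, rule).items():
            print(name, "->", entity, [e[1] for e in evs])
```

The decoy IP shows why the window is anchored at every event rather than at the first one only: its events from two sources fall inside one day, but the third source never joins them within 24 hours, so it does not alert. In production the rarity baseline would be computed from a long lookback (the slides say "rarely seen" without giving a threshold), so `max_seen` is an assumption here.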
  • 97. $500k Security ROI @ Interac • Challenges: Manual, costly processes – Significant people and days/weeks required for incident investigations. $10k+ per week. – No single repository or UI. Used multiple UIs, grep'd log files, reported in Excel – Traditional SIEMs evaluated were too bloated, too much dev time, too expensive • Enter Splunk: Fast investigations and stronger security – Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts – Splunk reduced investigation time to hours. Reports can be created in minutes. – Real-time correlations and alerting enables fast response to known and unknown threats – ROI quantified at $500k a year. Splunk TCO is less than 10% of this. "Splunk is a product that provides a looking glass into our environment for things we previously couldn't see or would otherwise have taken days to see." Josh Diakun, Security Specialist, Information Security Operations. 97
  • 98. Replacing a SIEM @ Cisco • Challenges: SIEM could not meet security needs – Very difficult to index non-security or custom app log data – Serious scale and speed issues. 10GB/day and searches took > 6 minutes – Difficult to customize with reliance on pre-built rules which generated false positives • Enter Splunk: Flexible SIEM and empowered team – Easy to index any type of machine data from any source – Over 60 users doing investigations, RT correlations, reporting, advanced threat detection – All the data + flexible searches and reporting = empowered team – 900 GB/day and searches take < minute. 7 global data centers with 350TB stored data – Estimate Splunk is 25% the cost of a traditional SIEM. "We moved to Splunk from traditional SIEM as Splunk is designed and engineered for "big data" use cases. Our previous SIEM was not and simply could not scale to the data volumes we have." Gavin Reid, Leader, Cisco Computer Security Incident Response Team. 98
  • 99. Security and Compliance @ Barclays • Challenges: Unable to meet demands of auditors – Scale issues, hard to get data in, and impossible to get data out beyond summaries – Not optimized for unplanned questions or historical searches – Struggled to comply with global internal and external mandates, and to detect APTs – Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting • Enter Splunk: Stronger security and compliance posture – Fines avoided as searches easily turned into visualizations for compliance reporting – Faster investigations, threat alerting, better risk measurement, enrichment of old data – Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers – Other teams using Splunk for non-security use cases improves ROI. "We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk." Stephen Gailey, Head of Security Services. 99
  • 100. Splunk Key Differentiators (Splunk vs Traditional SIEM) • Single product, UI, data store • Software-only; install on commodity hardware • Quick deployment + ease-of-use = fast time-to-value • Can easily index any data type • All original/raw data indexed and searchable • Big data architecture enables scale and speed • Flexible search and reporting enables better/faster threat investigations and detection, incl finding outliers/anomalies • Open platform with API, SDKs, Apps • Use cases beyond security/compliance. 100
  • 101. For your own AHA! Moment, reach out to your Scalar and Splunk team for a demo. Thank you!
  • 102. INFOBLOX © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 103. DNS as a Threat & Threats to DNS Benoit Shelston, Senior Systems Engineer 103 | © 2013 Infoblox Inc. All Rights Reserved.
  • 104. Agenda Infoblox Overview DNS Threats Why is DNS a target? What types of attacks? Infoblox Advanced DNS Protection 104 | © 2013 Infoblox Inc. All Rights Reserved.
  • 105. Infoblox Overview Founded in 1999 Headquartered in Santa Clara, CA with global operations in 25 countries Leader in DNS, DHCP, and IP Address Management Market leadership •  Gartner “Strong Positive” rating •  40%+ Market Share (DDI) 7,000+ customers, 64,000+ systems shipped 35 patents, 29 pending IPO April 2012: NYSE BLOX 105 | © 2013 Infoblox Inc. All Rights Reserved.
  • 106. Diverse Customer Base in All Key Verticals (chart: exposure to industry top 10 leaders in Healthcare, Retail, Financial Services, Manufacturing, Telecom, Technology, Government and Other, with between 7 and 9 of the top 10 per vertical; recent new customers shown as logos). 106 | © 2013 Infoblox Inc. All Rights Reserved.
  • 107. Why is DNS an Ideal Target? • DNS is a bootstrap to networks and applications • DNS is easy to exploit • DNS can be both the threat, and the target • No one is looking • DNS downtime means business downtime. 107 | © 2013 Infoblox Inc. All Rights Reserved.
  • 108. DNS Attacks up 216%. ~10% of infrastructure attacks targeted DNS (share of infrastructure attacks by type: ACK 2.81%, ICMP 9.71%, RESET 1.4%, CHARGEN 6.39%, RP 0.26%, FIN PUSH 1.28%, DNS 9.58%, SYN 14.56%, SYN PUSH 0.38%, TCP FRAGMENT 0.13%, UDP FRAGMENT 17.11%, UDP FLOODS 13.15%. Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013). ~80% of organizations experienced application layer attacks on DNS (share of survey respondents reporting application-layer attacks by service: HTTP 82%, DNS 77%, HTTPS 54%, SMTP 25%, SIP/VoIP 20%, IRC 6%, Other 9%. Source: Arbor Networks). 108 | © 2013 Infoblox Inc. All Rights Reserved.
  • 109. DNS Threats Landscape • Three types of DNS attacks – Attack as Infrastructure: Attacks primarily focused on disruption of DNS services (and everything else with it) – Protocol Exploitation: Attacks that use DNS as a vector for business exploitation – Platform Hacks: Exploit the underlying DNS platform to take control of DNS (for defacement, or redirection). 109 | © 2013 Infoblox Inc. All Rights Reserved.
  • 110. DNS Infrastructure Attacks Example • Traditional DOS • Distributed DOS • Amplification • Reflection • …and the dreaded combination: Distributed Reflection DOS (DrDOS) (diagram: Command & Control, bots, DNS Server, target). 110 | © 2013 Infoblox Inc. All Rights Reserved.
  • 111. Most DDoS Attacks Use Name Servers • Why? – Because name servers make surprisingly good amplifiers. This one goes to eleven… 111 | © 2013 Infoblox Inc. All Rights Reserved.
  • 112. DDoS Illustrated (diagram: an evil resolver sends a spoofed query to open recursive name servers; the response goes to the spoofed address, the target). 112 | © 2013 Infoblox Inc. All Rights Reserved.
  • 113. Amplification: They Go Past Eleven… Query for isc.org/ANY: 36 bytes sent, 4077 bytes received, ~113x amplification!
$ dig @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec
; <<>> DiG 9.9.1-P1 <<>> @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34036
;; flags: qr aa; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 15
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN ANY
;; ANSWER SECTION:
isc.org. 7200 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013090300 7200 3600 24796800 3600
isc.org. 7200 IN RRSIG SOA 5 2 7200 20131002233248 20130902233248 50012 isc.org. hUfqnG5gKbygAeVRHjP5As31lsheMKNPD7g9MJlWZTrmD2de6Z/eCwUX kQxRT5TV0lFWjtGFuA0a4svbCZ1qHS9d/rhWc7IMziu2u+L9tbho+c4j szvGAJ9kYvalNbgpmkHdm+wmOHWmiY3cYKcl5Ps8gs5N0Q1JdkaCARPF HQs=
isc.org. 7200 IN NS sfba.sns-pb.isc.org.
isc.org. 7200 IN NS ns.isc.afilias-nst.info.
isc.org. 7200 IN NS ams.sns-pb.isc.org.
isc.org. 7200 IN NS ord.sns-pb.isc.org.
isc.org. 7200 IN RRSIG NS 5 2 7200 20131002233248 20130902233248 50012 isc.org. Fdfb5ND2XUlnk/nPcPOaNBCK6307LdrhC/ dqdS+TMtBjKMmXU2NJBl0h D8fOnOdKbzlwNk1JLPXq25znMNBw+ZdjMekctR2r2jTO2Xm9mT+su4ff 8r1pMcUGhpsq73V6NjIbgA3LT6zfv4gWyFdos60Ma/Bsq26SmpECQFNA RpI=
isc.org. 60 IN A 149.20.64.69
isc.org. 60 IN RRSIG A 5 2 60 20131002233248 20130902233248 50012 isc.org. CkSV2VzLktJGH2PXEJl1QssxeyyUYM5pALjb06NMW0BC5vcFyuQYng2l NE/Z0J1XIHflWwGo9Gv1YZ0u/K6rGPXwgWmkl/6t0T8uNtk9u3XDhaMx QBg2P2ZAp1NEg6r3ccznGu9y+Q71g/IxcK+5Ok7gI8L18hBTi+vpCAKY q6A=
isc.org. 7200 IN MX 10 mx.pao1.isc.org.
isc.org. 7200 IN RRSIG MX 5 2 7200 20131002233248 20130902233248 50012 isc.org. fiALi/ebGauXvqfL4vHt5YzgIY/ X0kh2WNE37wICVU6BYKkqDuWF2h5T 4ry2TmdcKj4pqVOJVSDF/A7zzRPkcpcwibTM8h5yDEMJzELAsSimj2mX BFsqTgFGtDXIGV9IU7qryFkVMrDlj9gcLkTlg1EZpyxwQH2y2XCT5BhA bQA=
isc.org. 7200 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 7200 IN TXT "$Id: isc.org,v 1.1845 2013-08-16 16:16:50 dmahoney Exp $"
isc.org. 7200 IN RRSIG TXT 5 2 7200 20131002233248 20130902233248 50012 isc.org. J0UV7iIvQn7Pzu/itUN1JH4hLg8bjQo/73kBef/ T/yzx/P8t6VX+MYDC ysyXNigSi1JPoWfYt7qu6eXcALQEwJ/Z156Rebefjls4R18wr+BttzWF ICb+zJ7K7o4meckc7ZQr12gIAXjij09dr9omYoObWo6/IH76S6N3Er4i xdg=
isc.org. 60 IN AAAA 2001:4f8:0:2::69
isc.org. 60 IN RRSIG AAAA 5 2 60 20131002233248 20130902233248 50012 isc.org. OBWafw6hmgueTvaL06Q3zzpKODW3OIWKxHr3Z30mag1vJW5ECwlkK3xI lPr4A1Rg6SZiJp78yewBWkDB0436cY1uCJ0yzsk9YWlLW/5hScy1ueaH s2tfymZD7UdOh0FuLs05gunsxK2Of3DCG3Zh3cD4FMnu8ju1CuLD2+dU W1U=
isc.org. 7200 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
isc.org. 7200 IN RRSIG NAPTR 5 2 7200 20131002233248 20130902233248 50012 isc.org. s9cuc6O0e2kgBNffd6dyJyJH1Zm5Wd0pRO1q5aKMc7UsiKFUI7MI7Q8N VzTqwM/zWh2VzvtV/w1O3IHuSiXBN9k51Loy4WGHJSDcXs865PWjHJwJ jRqfz1bE+LsW/aZD2Ud/iGyhCoQPeZIOcqB6plB+keIf3mGR0bHkdjV+ Zw4=
isc.org. 3600 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
isc.org. 3600 IN RRSIG NSEC 5 2 3600 20131002233248 20130902233248 50012 isc.org. K3/ RL0nn54FkFvcPnaecG26JjQVCZL1g41zB02YssxZnE/3lX9X4O8uk DrONRdvKEeMq51YUy8NBljWAlPOIRYD0lWUMrXuSNHMyGIFwHFIZqNrN CuQUl+24oPQXi3/wWX0TGH5XW9XF2IB+Dc1zdP/5qRHiKCjAnYDNE384 PAQ=
isc.org. 7200 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/ 9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org. 7200 IN DNSKEY 256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/ x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=
isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 12892 isc.org. ioYDVytf4YoAHCVxdz6U/ fuQCaH2f2XVUExEexo48e55vLVSre5GkBG1 Wyn/4FeWLOUVWm5HElbL/hK2QEResp0csAwTnllU7W8fM65aS7pIO9JZ QWMvkPxQjsTYzEP1P2GA8NVGRUhz17RMLLSFgAJS9aEI7xK0fMwsd9U4 Az
113 | © 2013 Infoblox Inc. All Rights Reserved.
  • 114. A Little Math • Say each bot has a measly 1 Mbps connection to the Internet – It can send 1Mbps/36B =~ 28K qps – That generates 28K * 4077B =~ 913 Mbps • So 11 bots > 10 Gbps. 114 | © 2013 Infoblox Inc. All Rights Reserved.
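The arithmetic of slides 113 and 114 with the units carried explicitly, as an added Python example (not from the Infoblox deck). Inputs are the slide's 36-byte query, 4077-byte response and 1 Mbit/s per-bot uplink. Converting the uplink from bits to bytes at every step gives a per-bot query rate of about 3.5K qps rather than the slide's 28K, so the eleven-bot aggregate comes out at roughly 1.25 Gbit/s; the slide's 913 Mbps figure does apply the conversion on the response side. The block also models the per-source response rate limit that slides 120 and 124 mention as a mitigation; the limit value itself is an assumption:

```python
"""Reflection/amplification sizing with explicit bit/byte handling.

Added example, not Infoblox code. The rate-limit value in the demo run
is an assumption; the other inputs are the slide's figures.
"""
import math
from typing import Optional

BITS_PER_BYTE = 8


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes returned per byte sent (UDP payload only, headers ignored)."""
    return response_bytes / query_bytes


def queries_per_second(uplink_bps: float, query_bytes: int) -> float:
    """Queries a single sender can emit per second on a given uplink."""
    return uplink_bps / (query_bytes * BITS_PER_BYTE)


def reflected_bps(qps: float, response_bytes: int,
                  rate_limit_qps: Optional[float] = None) -> float:
    """Bit rate arriving at the spoofed (victim) address from one reflector.

    A responder-side per-source rate limit caps how many of the queries
    receive a full answer; the rest are dropped (or truncated) and so do
    not contribute amplified bytes.
    """
    answered = qps if rate_limit_qps is None else min(qps, rate_limit_qps)
    return answered * response_bytes * BITS_PER_BYTE


def aggregate_bps(senders: int, per_sender_bps: float) -> float:
    """Total reflected bandwidth for a number of identical senders."""
    return senders * per_sender_bps


def senders_to_saturate(link_bps: float, per_sender_bps: float) -> int:
    """Defender's sizing question: how many such senders fill a given link?"""
    return math.ceil(link_bps / per_sender_bps)


if __name__ == "__main__":
    QUERY, RESPONSE, UPLINK = 36, 4077, 1_000_000          # slide values
    amp = amplification_factor(QUERY, RESPONSE)
    qps = queries_per_second(UPLINK, QUERY)
    per_bot = reflected_bps(qps, RESPONSE)
    print(f"amplification: {amp:.1f}x, per-bot rate: {qps:,.0f} qps")
    print(f"per-bot reflected: {per_bot/1e6:.1f} Mbit/s, 11 bots: {aggregate_bps(11, per_bot)/1e9:.2f} Gbit/s")
    print(f"senders to fill 10 Gbit/s: {senders_to_saturate(10e9, per_bot)}")
    # Assumed mitigation: reflector answers at most 5 queries/s per source address.
    limited = reflected_bps(qps, RESPONSE, rate_limit_qps=5)
    print(f"with a 5 qps per-source limit: {limited/1e6:.3f} Mbit/s per bot")
```

Because the reflected rate is the product of query rate and response size, the per-source limit at the reflector and a smaller response (for example, refusing or truncating ANY queries over UDP) reduce it multiplicatively; the function takes both as parameters so either lever can be evaluated in isolation.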
  • 115. Malware Enablement •  Malware infects clients when they visit malicious web sites, whose names are resolved using DNS •  Malware rendezvous with command-and-control channels using hardwired domain names and rapidly changing IP addresses •  Malware tunnels new malicious code through DNS 115 | © 2013 Infoblox Inc. All Rights Reserved.
  • 116. Anatomy of an Attack Cryptolocker “Ransomware” •  Targets Windows-based computers •  Appears as an attachment to legitimate looking email •  Upon infection, encrypts files: local hard drive & mapped network drives •  Ransom: 72 hours to pay $300US •  Fail to pay and the encryption key is deleted and data is gone forever •  Only way to stop (after executable has started) is to block outbound connection to encryption server 116 | © 2013 Infoblox Inc. All Rights Reserved.
  • 117. Platform Hack 117 | © 2013 Infoblox Inc. All Rights Reserved.
  • 118. DNS Threats Spectrum Overview (table: Threat Categories / Threats / Description).
Disruption of DNS Services:
DNS Cache Poisoning: Illegitimate corruption of DNS cached records
DoS/DDoS Attacks: DNS Flooding, Amplification, Reflection attacks; Denial of service by exploiting vulnerabilities in OS / Applications
DNS Redirection: Response manipulation, Man-in-the-Middle (MITM) Attacks
Geographic based Threats: High percentage of threats originating from specific geographic locations
DNS Protocol Attacks: Malformed Packets, Vulnerabilities, Buffer overflows, shell code insertion
Frauds:
DNS Tunneling: DNS tunneling (use of port 53 as an open communication channel); Attacker tunnels SSH traffic through DNS requests
Data Leakage: Use DNS as a vector for business exploitation; Using DNS to transport encrypted payloads
IP Fluxing: Fluxing of IPs at extremely high frequencies
Domain Fluxing / Domain Generation Algorithms (DGA): Domain Generation / Fluxing using dynamic algorithms that are hard to detect
Domain Phishing: DNS response manipulation; Malware using DNS to re-direct legitimate traffic to infected sites
Malicious Domains: Detect and drop known malicious domains or exploits
Advanced Persistent Threats (APTs): Machine generated FQDNs that are stealthy and persistent
118 | © 2013 Infoblox Inc. All Rights Reserved.
  • 119. Introducing Infoblox Advanced DNS Protection: The First DNS Server that Protects Itself. Unique Detection and Mitigation • Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling • Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests. Centralized Visibility • Centralized view of all attacks happening across the network through detailed reports • Intelligence needed to take action. Ongoing Protection Against Evolving Threats • Regular automatic threat-rule updates based on threat analysis and research • Helps mitigate attacks sooner vs. waiting for patch updates. 119 | © 2013 Infoblox Inc. All Rights Reserved.
  • 120. Dedicated Compute • Infoblox designed network accelerator card • Performs deep packet inspection at wire-speed • Purpose built for analyzing DNS traffic • Blocks or Rate Limits threats before being processed by standard operating system – Ingress and Egress. 120 | © 2013 Infoblox Inc. All Rights Reserved.
  • 121. Threat detection – more than just DDOS.
DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DOS or DDOS attack
DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
DNS cache poisoning: Corruption of the DNS cache data with a rogue address
Protocol anomalies: Causing the server to crash by sending malformed packets and queries
Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
121 | © 2013 Infoblox Inc. All Rights Reserved.
  • 122. DNS Content Based Filtering.
Fast Flux: Rapidly changing of domains & IP addresses by malicious domains to obfuscate identity and location
APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)
Hacked Domains: Hacking DNS registry(s) & re-directing users to malicious domain(s)
Geo-Blocking: Blocking access to geographies that have rates of malicious domains or Economic Sanctions by US Government
FireEye: Block threats detected by your FireEye
122 | © 2013 Infoblox Inc. All Rights Reserved.
  • 123. Monitoring and Alerting • Alert on threats – Send over syslog to any SIEM • Report and trend on threats • Report and trend on ALL DNS traffic • Capture and log all DNS queries, AND responses (optional) • Analyze and report on top patterns: – Most frequently requested FQDN – Top talkers – Frequent queries ending in errors (NXDOMAIN, time out, SERVFAIL, etc). 123 | © 2013 Infoblox Inc. All Rights Reserved.
  • 124. Custom Rules • Block or Rate Limit by: – Source IP – FQDN – UDP or TCP • Whitelists. Threat Update Service • Threats are analyzed by a security team at Infoblox • Appliances check for new signatures every hour. 124 | © 2013 Infoblox Inc. All Rights Reserved.
  • 125. ADP In Action (diagram: the Infoblox Threat-rule Server sends automatic updates; the Grid Master handles rule distribution to Infoblox Advanced DNS Protection appliances, which block or rate limit DNS threats and pass legitimate traffic; the Reporting Server tracks and reports on attack types and severity, and sends to a SIEM). 125 | © 2013 Infoblox Inc. All Rights Reserved.
  • 126. Deployment Options 126 | © 2013 Infoblox Inc. All Rights Reserved.
  • 127. External Protection against Internet-borne Attacks (diagram: Advanced DNS Protection appliances in the DMZ between the INTERNET and the INTRANET; Grid Master and Candidate (HA) in the Data Center; Campus office, Regional office(s), Disaster recovery site(s)). Advanced DNS Protection, when deployed as an external authoritative DNS server, can protect against cyberattacks. 127 | © 2013 Infoblox Inc. All Rights Reserved.
  • 128. Internal Protection against Internal Attacks, or misconfigured applications, on Recursive or Authoritative Servers (diagram: INTRANET with GRID Master and Candidate (HA), Advanced DNS Protection appliances and Endpoints). Advanced DNS Protection can secure internal DNS environments where internal user traffic is hostile. 128 | © 2013 Infoblox Inc. All Rights Reserved.
  • 129. Advanced Appliances Come in Three Physical Platforms Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation. The appliances offer both AC and DC power supply options. 129 | © 2013 Infoblox Inc. All Rights Reserved.
  • 130. Why QoS Matters Settings 130 | © 2013 Infoblox Inc. All Rights Reserved. 130
  • 131. Summary • DNS is a core strategic asset that is often left unprotected • The bad guys are going after your DNS servers • Internal DNS is as exposed to failure • Infoblox can help – Deep visibility – Unique expertise in DNS – Scales up to the largest networks. 131 | © 2013 Infoblox Inc. All Rights Reserved.
  • 132. Thank You www.infoblox.com 132 | © 2013 Infoblox Inc. All Rights Reserved.
  • 133. WRAP/Q&A © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 134. The Issues }  Integration of Security Technologies }  Staffing }  Vulnerabilities }  Advanced threats © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 135. The Issues }  Integration of Security Technologies is Challenging –  Multiple formats of data –  Data timing issues –  Different types of security controls –  Other data types © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 136. The Issues }  InfoSecurity Staff –  Different skills requirements: Architects; Malware Handling; Forensics; Vulnerability; Incident Management; Risk and Compliance –  HR Costs: Premium technical personnel; Analysts, Specialists; Training and certification © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 137. The Issues }  Vulnerabilities –  Regular scheduled disclosures –  Large volumes of ad-hoc patches –  Many undisclosed zero days –  Remediation is a continuous process © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 138. The Issues }  Advanced Threats –  Advanced Persistent Threats –  Embedded threats }  Who? –  State sponsored –  Hacktivism –  Hackers –  Organized crime © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 139. How to Secure It }  State-of-the-art Security Technologies }  Skills on Demand –  Continuous Tuning of Rules and Filters –  Cyber Intelligence, Advanced Analytics –  Cyber Incident Response –  Code Review, Vulnerability and Assessment Testing © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 140. QUESTIONS? © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 141. THANK YOU. © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience