Exposing APT


Jason Brevnik, Vice President, Security Strategy


Exposing APT level threats requires

● Intelligent and diligent people
● Cloud to Core coverage
● Constant visibility and awareness
● Healthy distrust in operational state and compensating controls
● Personalized protections that are tested and audited
● Visibility at all levels

Then.


The Virus!

● In 1949 John von Neumann began lecturing about “Theory and Organization of Complicated Automata” - Theory of self-reproducing automata published in 1966

● The Creeper virus was unleashed on ARPANET in 1971

● Elk Cloner appeared in the wild in 1981 affecting Apple DOS 3.3

● 1986 brought the Brain virus to your PC
● ... and we installed AV


The worm!

● Morris
  ► And we installed the firewall
● Melissa
● ExploreWorm
● I Love You
● CodeRed
● Slammer
● Blaster
● Sobig
● Stuxnet
● ...


Classic firewall and AV are not enough

Now


It is not just in Software!


Threat actors: Script Kiddie, Hacker, Cybercriminal, Advanced Persistent Threat


The reality


Stop APT Now!


Easy Picking


Two factor auth won’t keep them out


Today’s Reality

Dynamic Threats
● Organized attackers
● Sophisticated threats
● Multiple attack vectors

Static Defenses
● Ineffective defenses
● Black box limits flexibility
● Set-and-forget doesn’t work

“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.”

Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010

Neil MacDonald, VP & Gartner Fellow

What then?


Awareness

● Behavior: detect anomalies in configuration, connections and data flow
● Network: know what’s there, what’s vulnerable, and what’s under attack
● Application: identify change and enforce policy on hundreds of applications
● Identity: know who is doing what, with what, and where


Intelligence

● Threat Intelligence (security event)
● Endpoint Intelligence (context) → endpoint relevance
● User Intelligence (context) → end-user relevance

Forensic Analysis: who accessed what, when, and where?


Knowledge


Tuning

NSS – Q4 Independent Test Results

Key Findings: Protection varied widely between 31% and 98%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous “catchable” attacks.

Chart: Default Detection vs. Tuned Detection. Graphic by Sourcefire, Inc.; source data from NSS Labs “Network IPS 2010 Comparative Test Results plus 3D8260 NSS test”.
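The tuning finding above and the Network-awareness point (know what’s there, what’s vulnerable) can be made concrete with a small model of an IPS policy. The following is an added example written for this page, not code from the presentation, from Sourcefire or from NSS Labs: the rule set, the platform tags, the asset inventory and the sample payloads are all constructed. A default profile enables only the vendor defaults; a tuned profile also enables every rule whose platform is actually present in the discovered inventory, and leaves rules for absent platforms off so they add no noise.

```python
"""Constructed model of default vs. asset-aware IPS rule tuning.

Added example for this page; not the presentation's, Sourcefire's or NSS Labs'
code. Rules, platform tags, inventory and payloads are invented for illustration.
"""

# Each rule: signature id, the server platform it protects, and a plain substring
# that stands in for real content/pcre matching. 'enabled_by_default' mimics a
# vendor policy that ships many server-side rules turned off.
RULES = [
    {"sid": 1001, "platform": "any",    "pattern": "../../etc/passwd",     "enabled_by_default": True},
    {"sid": 2001, "platform": "iis",    "pattern": "scripts/..%c0%af../",  "enabled_by_default": False},
    {"sid": 3001, "platform": "mssql",  "pattern": "xp_cmdshell",          "enabled_by_default": False},
    {"sid": 4001, "platform": "oracle", "pattern": "UTL_HTTP.REQUEST",     "enabled_by_default": False},
]

# What asset discovery says is on the protected network (constructed).
INVENTORY = {"web-1": "iis", "db-1": "mssql"}

# Constructed traffic toward those hosts; e4 is benign.
TRAFFIC = [
    {"id": "e1", "dst": "web-1", "payload": "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"},
    {"id": "e2", "dst": "db-1",  "payload": "EXEC master..xp_cmdshell 'whoami'"},
    {"id": "e3", "dst": "web-1", "payload": "GET /cgi-bin/../../etc/passwd"},
    {"id": "e4", "dst": "web-1", "payload": "GET /index.html"},
]
MALICIOUS = {"e1", "e2", "e3"}


def select_rules(rules, inventory=None):
    """Default profile (inventory=None): vendor defaults only.
    Tuned profile: defaults plus every rule whose platform is present in the
    inventory. Rules for platforms not deployed (oracle here) stay disabled."""
    present = set(inventory.values()) if inventory else set()
    return [r for r in rules if r["enabled_by_default"] or r["platform"] in present]


def evaluate(rules, events):
    """Return (sid, event_id) for every enabled rule that matches a payload."""
    hits = []
    for ev in events:
        for r in rules:
            if r["pattern"] in ev["payload"]:
                hits.append((r["sid"], ev["id"]))
    return hits


def detection_rate(rules, events, malicious_ids):
    """Fraction of known-malicious events caught by at least one enabled rule."""
    caught = {ev_id for _, ev_id in evaluate(rules, events)} & malicious_ids
    return len(caught) / len(malicious_ids)


if __name__ == "__main__":
    default = select_rules(RULES)
    tuned = select_rules(RULES, INVENTORY)
    print("default profile sids:", sorted(r["sid"] for r in default))
    print("tuned profile sids:  ", sorted(r["sid"] for r in tuned))
    print("default detection rate: %.2f" % detection_rate(default, TRAFFIC, MALICIOUS))
    print("tuned detection rate:   %.2f" % detection_rate(tuned, TRAFFIC, MALICIOUS))
```

The gap between the two rates is the same effect the NSS finding describes: the missed attacks were catchable, but the rules that would have caught them were never enabled for the servers that were actually exposed.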


Personalization

Privilege, Content, Purpose

● Your applications
● Your users
● Your network

Should it travel? Is access normal?

Forensic Analysis: who accessed what, when, and where?
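The Awareness, Intelligence and Personalization slides all come back to the same two questions: is this access normal for this user, and, after the fact, who accessed what, when, and where. The following is an added example written for this page, not code from the presentation or from Sourcefire, showing both over constructed access-log lines. The log format, the field names and the baseline rule (a user’s source hosts and resource/action pairs learned from a training window) are assumptions made for the example.

```python
"""Constructed example: per-user access baseline plus forensic lookup.

Added illustration for the Awareness / Intelligence / Personalization slides;
not the presentation's or Sourcefire's code. Log format and baseline rule are
assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: timestamp, user, source host, resource, action.
LOG_LINES = [
    "2011-03-01T08:02:11 alice ws-alice fileshare:finance read",
    "2011-03-01T08:05:40 alice ws-alice fileshare:finance write",
    "2011-03-01T09:12:03 bob ws-bob wiki read",
    "2011-03-01T09:30:00 alice ws-alice fileshare:finance read",
    "2011-03-01T22:41:17 alice kiosk-lobby fileshare:finance read",   # unfamiliar source host
    "2011-03-01T22:43:55 alice kiosk-lobby db:customer export",        # unfamiliar host and action
    "2011-03-02T10:00:00 bob ws-bob wiki read",
]

# Everything before this point is treated as the learning window (assumption).
CUTOFF = datetime.fromisoformat("2011-03-01T12:00:00")


def parse(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, host, resource, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "resource": resource, "action": action}


ACCESS_EVENTS = [parse(line) for line in LOG_LINES]


def detect_anomalies(events, cutoff):
    """Learn each user's normal source hosts and (resource, action) pairs from
    events before `cutoff`, then flag later events that deviate. Each flagged
    event carries its reasons so an analyst can triage rather than guess."""
    baseline = defaultdict(lambda: {"hosts": set(), "access": set()})
    for e in events:
        if e["ts"] < cutoff:
            baseline[e["user"]]["hosts"].add(e["host"])
            baseline[e["user"]]["access"].add((e["resource"], e["action"]))

    flagged = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        norms = baseline.get(e["user"])
        reasons = []
        if norms is None:
            reasons.append("user has no baseline")  # never seen before: always review
        else:
            if e["host"] not in norms["hosts"]:
                reasons.append(f"new source host {e['host']}")
            if (e["resource"], e["action"]) not in norms["access"]:
                reasons.append(f"new access {e['action']} on {e['resource']}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def who_accessed(events, resource, since=None):
    """Forensic answer to 'who accessed what, when, and where?' for one resource:
    (timestamp, user, source host, action), optionally restricted to a window."""
    return [(e["ts"].isoformat(), e["user"], e["host"], e["action"])
            for e in events
            if e["resource"] == resource and (since is None or e["ts"] >= since)]


if __name__ == "__main__":
    for event, reasons in detect_anomalies(ACCESS_EVENTS, CUTOFF):
        print(event["ts"].isoformat(), event["user"], "->", "; ".join(reasons))
    print(who_accessed(ACCESS_EVENTS, "db:customer"))
```

Note what the baseline does and does not say: alice reading the finance share is normal, and reading it from a lobby kiosk late at night is flagged only because the host is new to her. A rule that looked at the resource alone would have missed it, which is the point the slides make about combining user, endpoint and threat context rather than any one of them.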


Is that enough?


We have to learn and share


Intelligent Protection: Cloud to Core


Cloud to Core protection requires

● Comprehensive Audit (Logs/IDS/Test)
● Comprehensive Control (AAA/IPS/FW/NG*)
● Pervasive Awareness Platform
● Coordinated Endpoint Control
● Look-back forensics capability
● Physical, virtual and cloud deployment
● Mobile and Consumer integration
● Visibility and Openness
● Depth and Personalization


Questions
