Exposing APT
Jason Brevnik, Vice President, Security Strategy
Exposing APT level threats requires:
Intelligent and diligent people
Cloud to Core coverage
Constant visibility and awareness
Healthy distrust in operational state and compensating controls
Personalized protections that are tested and audited
Visibility at all levels

Then.

The Virus!
In 1949 John von Neumann began lecturing about Theory and Organization of Complicated Automata; Theory of Self-Reproducing Automata was published in 1966.
The Creeper virus was unleashed on ARPANET in 1971.
Elk Cloner appeared in the wild in 1981, affecting Apple DOS 3.3.
1986 brought the Brain virus to your PC...
And we installed AV.
The Worm!
Morris
And we installed the firewall.
Melissa, ExploreWorm, I Love You, CodeRed, Slammer, Blaster, Sobig, Stuxnet...
L0pht in 1994

HOPE - 1997

Classic firewall and AV is not enough.
Now

It is not just in software!

Hacker
Advanced Persistent Threat
Script Kiddie
Cybercriminal
Stop APT Now!

Two factor auth won't keep them out.
Today's Reality

Dynamic Threats:
Organized attackers
Sophisticated threats
Multiple attack vectors

Static Defenses:
Ineffective defenses
Black box limits flexibility
Set-and-forget doesn't work
Security needs to be context aware and adaptive

"Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure."
Source: Gartner, Inc., The Future of Information Security is Context Aware and Adaptive, May 14, 2010, Neil MacDonald, VP & Gartner Fellow
The network security model is broken!
The attackers are well financed, motivated, and sophisticated in their methods of breaking into networks.
How do you defend a network that is in a constant state of flux?
Your set-and-forget IPS is not going to stop the attackers.
We need to come up with a different solution to effectively protect our information.
What then?

Awareness
Behavior: detect anomalies in configuration, connections and data flow
Network: know what's there, what's vulnerable, and what's under attack
Application: identify change and enforce policy on hundreds of applications
Identity: know who is doing what, with what, and where
The Next-Generation IPS is contextually aware and adaptive.
In Sourcefire's system, we infuse the IPS with deep intelligence about the users, their usage, behavior, and data:
The system then automatically customizes the detection and makes prevention recommendations based on what's running on your network.
The system monitors the applications running on your system, so that you can flexibly enforce the appropriate detection and compliance.
The system enables you to detect compromise of your key systems and assets by constantly monitoring changes in behavior and configuration.
And finally, it gives you the ability to associate all detection with a specific user name and contact info.
Sourcefire brings you a super-intelligent IPS system that is fully integrated and always on 24/7.
Intelligence

Threat Intelligence (Security Event)
Endpoint Intelligence (Context)
User Intelligence (Context)
Endpoint Relevance
End-user Relevance
Forensic Analysis: Who accessed what, when, and where?

Knowledge
This is called tuning.

Tuning
NSS Q4 Independent Test Results. Key Findings: Protection varied widely between 31% and 98%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous catchable attacks.
Chart: Default Detection vs. Tuned Detection. Graphic by Sourcefire, Inc. Source data from NSS Labs Network IPS 2010 Comparative Test Results plus 3D8260 NSS test.
Your applications
Your users
Your network
Should it travel?
Is access normal?
Forensic Analysis: Who accessed what, when, and where?

Is that enough?
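As an added illustration of the endpoint relevance and tuned detection ideas in the slides above (example code written for this page, not Sourcefire's product code), the Python below correlates IDS alerts with a passively learned asset inventory and the user on each host; every host, user and alert in it is constructed.

```python
# Added example (not from the slides): correlate IDS alerts with host and user
# context to rank them by endpoint relevance, the idea behind "tuned detection".
# Every host, user and alert below is constructed for illustration.
from dataclasses import dataclass

@dataclass
class Host:
    os: str
    services: dict          # listening port -> application name
    user: str = "unknown"   # identity context, assumed to come from an identity source
@dataclass
class Alert:
    sig: str                # signature name
    dst_ip: str
    dst_port: int
    target_app: str         # application the signature's exploit targets
    target_os: str          # "any" or an OS family

# Constructed asset inventory, as a context-aware IPS would learn it passively.
INVENTORY = {
    "10.0.0.5": Host("linux", {80: "apache", 22: "openssh"}, user="alice"),
    "10.0.0.9": Host("windows", {80: "iis", 445: "smb"}, user="bob"),
}

def relevance(alert, inventory=INVENTORY):
    """Classify one alert as 'relevant', 'not_relevant' or 'unknown_host'."""
    host = inventory.get(alert.dst_ip)
    if host is None:
        return "unknown_host"   # no context to tune on: keep it for review
    os_match = alert.target_os in ("any", host.os)
    if os_match and host.services.get(alert.dst_port) == alert.target_app:
        return "relevant"       # the targeted app really runs on that host
    return "not_relevant"       # e.g. an IIS signature aimed at an Apache box

def triage(alerts, inventory=INVENTORY):
    """Default detection reports every alert; tuned detection keeps only the
    relevant or unknown ones and attaches the user for forensics."""
    tuned = []
    for a in alerts:
        r = relevance(a, inventory)
        if r != "not_relevant":
            user = inventory[a.dst_ip].user if a.dst_ip in inventory else "unknown"
            tuned.append((a.sig, a.dst_ip, r, user))
    return {"default": len(alerts), "tuned": tuned}

ALERTS = [  # constructed sample events
    Alert("IIS buffer overflow", "10.0.0.5", 80, "iis", "windows"),   # Apache host
    Alert("IIS buffer overflow", "10.0.0.9", 80, "iis", "windows"),   # IIS host
    Alert("SSH brute force", "10.0.0.5", 22, "openssh", "any"),
    Alert("SMB exploit attempt", "10.0.0.77", 445, "smb", "windows"),  # not inventoried
]
```

Of the four default alerts, tuning drops the one that cannot apply to its target and keeps the unknown host for review, with the user attached so "who accessed what, when, and where" can be answered.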
We have to learn and share.

Intelligent Protection: Cloud to Core
Cloud to Core protection requires:
Comprehensive Audit (Logs/IDS/Test)
Comprehensive Control (AAA/IPS/FW/NG*)
Pervasive Awareness Platform
Coordinated Endpoint Control
Look-back forensics capability
Physical, virtual and cloud deployment
Mobile and Consumer integration
Visibility and Openness
Depth and Personalization