© 2013 Imperva, Inc. All rights reserved.
Securing your Data
Scenario: Targeted Attacks and Malware
Thien-Trung Nguyen
Agenda
Imperva - Data Center Security
Securing your Data - Protecting the cheese, not chasing the mice
Scenario: Targeted Attacks and Malware
A closer Look at the Threat
• How does it work?
• But Antivirus, Firewall, NGFW, IPS will stop it!
• What will mitigate Compromised Insiders?
• Solution Architecture – Integration with FireEye
Imperva: A Leader in Data Center Security
[Chart: Revenue ($M/Yr), with year-to-date figures in $M/YTD]
2007: 17.7
2008: 32.1
2009: 39.3
2010: 55.4
2011: 78.3
2012: 104.2
YTD 2012: 46.1
YTD 2013: 59.9
Our Mission: We protect high-value applications and data assets in physical and virtual data centers
Our Global Business: Founded in 2002; global operations, HQ in Redwood Shores, CA; 640+ employees (180+ in R&D); customers in 75+ countries
Our Customers: 2,600+ direct; thousands Cloud-Based
8 of the top 10 global telecommunications providers
5 of the top 10 US commercial banks
3 of the top 5 global financial services firms
4 of the top 5 global computer hardware companies
250+ government agencies and departments
337 of the Global 2000
“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.”
Shawn Henry, Former FBI Executive Assistant Director
NY Times, April 2012
Enterprise Security Is Evolving
1st pillar: Endpoint Security
Blocks threats targeting devices
2nd pillar: Network Security
Blocks threats trying to access the network
3rd pillar: Data Center Security
Protects high-value targets, keeping them both secure and accessible
Imperva provides the third pillar of enterprise security
Meet the Characters - Cheese
“Cheese”
Critical applications and high value data
Meet the Characters - Mice
“Mice”
Possible threats to the cheese
Compromised Insider: An innocent user’s identity has been taken over and is used for malicious behavior
Malicious Insider: A user that has the intent to cause harm
Privileged Insider: A user that works close to the cheese
Meet the Characters - Cats
“Cats”
Existing network and endpoint security solutions are easily circumvented by advanced attacks and cannot address insider abuse
Data Loss Prevention (DLP)
Intrusion Protection System (IPS) / Next Generation Firewall (NG FW)
Antivirus (AV)
Imperva Mice and Cheese
Imperva protects the cheese while others are busy chasing the mice!
Scenario: Targeted Attacks and Malware
Insider Threat Defined
Risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property.
Possible causes:
Accident
Malicious intent
Compromised device
Compromised Insider Defined
Compromised Insider: A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.
Few Users Are Malicious… All Can Be Compromised
“Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”
Source: http://edocumentsciences.com/defend-against-compromised-insiders
What Attackers Are After
Source: Verizon Data Breach Report, 2013
Two Paths, One Goal
[Diagram: two attack paths converging on Data & IP]
Path via the user: User with access rights (or his/her device)
Path via the application: Online Application
Threat actions: Hacking (various) used in 52% of breaches; Malware (40%); Social Engineering (29%)
Compromised assets: Servers 54%; Users (devices) 71%; People 29%
Source: Verizon Data Breach Report, 2013
A Targeted Database Attack
Targeted, efficient, undetected
13-Aug-12: Attacker steals login credentials via phishing email & malware
27-Aug-12: Attacker logs in remotely and accesses the database
29-Aug-12 - 11-Sept-12: Additional reconnaissance, more credentials stolen
12-Sept-12 - 14-Sept-12: Attacker steals the entire database
PII: 4 M people; Pop: 5 M people; That’s… 80%
Malware
40% of breaches incorporated malware (Source: Verizon, 2013 Data Breach Investigations Report)
2012 by the numbers: Kaspersky Lab now detects 200,000 new malicious programs every day (Source: www.kaspersky.com)
Who’s Doing It and Why
Governments
- Stealing Intellectual Property (IP) and raw data, and spying
- Motivated by: Policy, Politics and Nationalism
Industrialized hackers
- Stealing IP and data
- Motivated by: Profit
Hacktivists
- Exposing IP and data, and compromising the infrastructure
- Motivated by: Political causes, ideology, personal agendas
A closer look at the threat
#1 – How does it work?
Searching on Social Networks…
…The Results
Next: Phishing and Malware
How easy is it?
A three-month BlackHole license, with Support included, is US$700.
Specialized Frameworks and Hacking tools, such as BlackHole 2.0, allow easy setup for Host Hijacking and Phishing.
The Human Behavior Factor
Source: Google Research Paper “Alice in Warningland”, July 2013
Drive-by Downloads Are Another Route
September 2012 “iPhone 5 Images Leak” was caused by a Trojan Download Drive-By
Cross Site Scripting Is Yet Another Path
Persistent XSS Vulnerable Sites provide the Infection Platform
GMAIL, June 2012
TUMBLR, July 2012
General Attack Pattern
[Diagram: attack stages from left to right]
Reconnaissance → Compromise → Foothold → Privilege Escalation → Internal Recon. → Objective Completed
Reconnaissance: Social Network Surfing, Etc.
Compromise: Gain access credentials via… Social engineering, Phishing emails, Malware, Drive-by-download, XSS, Pirated software, Infected USB, CD, DVD, etc., Malicious insider, Etc.
Foothold: Via stolen credentials
Privilege Escalation: Steal/crack additional credentials, Install backdoors, Etc.
Internal Recon.: Scanners + Credentials
Objective Completed: Eliminate traces, Return via backdoors
A closer look at the threat
#2 – But Antivirus, Firewall, NGFW, IPS will stop it!
Security Threats Have Evolved… …Security spending hasn’t
Sources: Gartner, Imperva analysis
[Chart: threats and security spend, 2001 versus 2012]
2001 threats: Script Kiddies & “Digital Graffiti” artists, Backdoors in open source; Code Red, Nimda, Klez, Anna Kournikova
2001 security spend: Anti-virus, Firewall/VPN, Content Filtering, IDS/IPS
2012 threats: Cyberespionage, Organized Criminals, Industrialized hackers; APT, Mobile phone attacks, Targeted attacks, 232 million identities stolen
2012 security spend: Anti-virus, Firewall/VPN, Secure Email/Web, IPS
Protect and Monitor the “Cheese”
“Firewalls and intrusion prevention systems don’t provide sufficient protections for most public-facing websites or internal business-critical and custom Web applications.”
“Less than 20% of organizations with a firewall, an IPS or a unified threat management (UTM) appliance can decrypt inbound or outbound SSL traffic. However, more than 90% of organizations with a public website and a WAF can decrypt inbound Web traffic [Statistics based on the results of a 2013 Gartner industry survey]”.
Source: Gartner – February 2014
Protect and Monitor the “Cheese”
Most of the security budget is spent on:
• Firewalls
• Virus prevention
• IPS
Front-line/end-user defenses must be 100% accurate, since if only 1 mouse gets past them the cheese is gone.
Problem: Most organizations chase the “mice” and don’t focus enough on protecting the “cheese”
A closer look at the threat
#3 – What will mitigate Compromised Insiders?
Understand Data and What Users Do With It
Discover and classify sensitive information
Build security policies
Review and rationalize access rights
Audit, analyze, and alert on access activity
Look for unusual behavior
Identify and remediate compromised devices
Look for Unusual Behavior
How?
• Profile normal, acceptable usage and access to sensitive items by volume, access speed and privilege level
• Put in place monitoring or “cameras in the vault”
Why? Anomalous probably means trouble
Incident Response Phases for Targeted Attacks
[Diagram: defender phases set against attacker phases]
Defender: Reduce Risk → Prevent Compromise → Detection → Containment → Insulate sensitive data → Password Remediation → Device Remediation → Post-incident Analysis
Attacker: Size Up the Target → Compromise A User → Initial Exploration → Solidify Presence → Impersonate Privileged User → Steal Confidential Data → Cover Tracks
A closer look at the threat
#4 – Solution Architecture
The Solution: Data Center Security
[Diagram: Imperva Data Center Security platform, controls grouped by who they face]
Internal Employees, Malicious Insiders, Compromised Insiders: Usage Audit; User Rights Management; Access Control
External Customers, Staff, Partners, Hackers: Tech. Attack Protection; Logic Attack Protection; Fraud Prevention
Data Center Systems and Admins: Discovery & Classification; Privileged User Monitoring; Vulnerability Scanning; Virtual Patching; Attack Protection; Auditing and Reporting
Assessment & Risk Management
Enterprise Deployment
Imperva-FireEye Joint Solution
Identify Compromised Insiders and Limit Risk
Automatically restrict data access of compromised hosts
• Immediate Mitigation: Prevent (block) or alert when compromised users attempt to access business critical applications, access sensitive data (databases, intellectual property, deal data, etc.) or conduct administrative actions or privileged operations
• Non-disruptive: Mitigation lets the business continue while device remediation takes place
• Full Forensics: Logs all activities originating from suspected hosts
Imperva-FireEye Joint Architecture
FireEye Malware Protection System identifies compromised assets
Imperva SecureSphere dynamically responds to FireEye’s threat intelligence to prevent critical data compromise and loss
[Diagram components: Management Server (MX); Web Application Firewall; Database Activity Monitoring; File Activity Monitoring; SecureSphere for SharePoint; Imperva Agent (two instances); Network Monitoring (two instances); Native Audit; Internal Users; INTERNET]
Integration and Data Flow
[Diagram: data flow from FireEye to the SecureSphere MX and on to the SecureSphere Gateways]
Data set: Data Description
IP: Compromised device IP address
Hostname: Compromised device hostname
Severity: FireEye severity ranking
FireEye ID: Unique FireEye ID for mapping
Source: FireEye MPS source device
Information Flow From FireEye MPS to SecureSphere
Configuration on the FireEye side is very straightforward:
• SecureSphere Server URL
• User/Password
• What to send
• Format of data
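The block-or-alert policy from the “Imperva-FireEye Joint Solution” slide and the five-field data set from the “Integration and Data Flow” slide, as an added example rather than Imperva or FireEye code: it validates a constructed feed of compromised-host records (rejecting malformed ones instead of silently trusting them), then decides per access event whether to allow, alert or block, and logs everything that originates from a flagged host for later forensics. The JSON field names, the severity values, the severity-to-action mapping, the protected-resource inventory and all sample data are assumptions.

```python
"""Ingest compromised-host records (IP, Hostname, Severity, FireEye ID, Source)
and apply a block-or-alert policy to data-access events from flagged hosts.
Added example, not Imperva or FireEye code; field names, severity values,
the action mapping and the protected-resource list are assumptions."""
import json
from ipaddress import ip_address

REQUIRED_FIELDS = ("ip", "hostname", "severity", "fireeye_id", "source")
# Assumed mapping from the feed's severity ranking to the action on protected resources
ACTION_FOR_SEVERITY = {"high": "block", "medium": "alert", "low": "alert"}

# Assumed inventory of critical applications, sensitive data and privileged operations
PROTECTED = {
    "app:payroll": "business critical application",
    "db:customers": "sensitive data",
    "admin:create_user": "privileged operation",
}

# Constructed feed as the integration would receive it; two records are deliberately malformed
SAMPLE_FEED = json.dumps([
    {"ip": "10.1.2.3", "hostname": "ws-alice", "severity": "high", "fireeye_id": "FE-0001", "source": "mps-dc1"},
    {"ip": "10.1.2.9", "hostname": "ws-bob", "severity": "medium", "fireeye_id": "FE-0002", "source": "mps-dc1"},
    {"ip": "not-an-ip", "hostname": "ws-bad", "severity": "high", "fireeye_id": "FE-0003", "source": "mps-dc1"},
    {"ip": "10.1.2.4", "hostname": "ws-short", "severity": "high"},
])

# Constructed access events as seen by the data-center gateway
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "user": "alice", "resource": "db:customers"},
    {"src_ip": "10.1.2.3", "user": "alice", "resource": "app:wiki"},
    {"src_ip": "10.1.2.9", "user": "bob", "resource": "admin:create_user"},
    {"src_ip": "10.1.2.50", "user": "carol", "resource": "db:customers"},
]


def parse_feed(text):
    """Validate each record and index the good ones by normalized IP.
    Returns (index, rejected) where rejected holds (record, reason) pairs."""
    index, rejected = {}, []
    for rec in json.loads(text):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            rejected.append((rec, "missing fields: " + ", ".join(missing)))
            continue
        try:
            ip = str(ip_address(rec["ip"]))
        except ValueError:
            rejected.append((rec, "invalid ip"))
            continue
        if rec["severity"] not in ACTION_FOR_SEVERITY:
            rejected.append((rec, "unknown severity"))
            continue
        index[ip] = rec
    return index, rejected


def evaluate(event, compromised, forensic_log):
    """Decide allow/alert/block for one event; every event from a flagged host is logged."""
    rec = compromised.get(str(ip_address(event["src_ip"])))
    if rec is None:
        return {"decision": "allow", "reason": "host not flagged"}
    forensic_log.append({**event, "fireeye_id": rec["fireeye_id"], "hostname": rec["hostname"]})
    kind = PROTECTED.get(event["resource"])
    if kind is None:
        return {"decision": "allow", "reason": "flagged host, non-protected resource (logged only)"}
    return {"decision": ACTION_FOR_SEVERITY[rec["severity"]],
            "reason": f"flagged host {rec['fireeye_id']} ({rec['severity']}) accessing {kind}"}


def run(feed=SAMPLE_FEED, events=SAMPLE_EVENTS):
    """Load the feed, evaluate all events and return decisions, forensic log and rejected records."""
    compromised, rejected = parse_feed(feed)
    forensic_log = []
    decisions = [evaluate(e, compromised, forensic_log) for e in events]
    return decisions, forensic_log, rejected


if __name__ == "__main__":
    decisions, forensic_log, rejected = run()
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(event["src_ip"], event["resource"], "->", decision["decision"], decision["reason"])
    print("forensic records:", len(forensic_log), "rejected feed records:", len(rejected))
```

The severity-dependent action is what keeps the mitigation non-disruptive: a medium-severity host is alerted on rather than cut off, and work that touches nothing in the protected inventory continues while remediation happens, but every one of its requests is still recorded against the FireEye ID so the forensics trail is complete.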
Comprehensive, Integrated Security Platform
[Diagram: the same Data Center Security platform diagram as on “The Solution: Data Center Security”]
Database Security: Audit database access and deliver real-time protection against database attacks
File Security: Auditing, protection and rights management for unstructured data
Web Application Security: Protection against large scale Web attacks with reputation controls, automated management and drop-in deployment
www.imperva.com