Page 1:

© 2013 Imperva, Inc. All rights reserved.

Securing your Data

Scenario: Targeted Attacks and Malware

Thien-Trung Nguyen


Page 2: Agenda

Imperva - Data Center Security

Securing your Data - Protecting the cheese, not chasing the mice

Scenario: Targeted Attacks and Malware

A Closer Look at the Threat

• How does it work?

• But Antivirus, Firewall, NGFW, IPS will stop it!

• What will mitigate Compromised Insiders?

• Solution Architecture – Integration with FireEye

Page 3: Imperva: A Leader in Data Center Security

Chart: Revenue ($M/Yr; YTD columns in $M/YTD)
2007: 17.7 | 2008: 32.1 | 2009: 39.3 | 2010: 55.4 | 2011: 78.3 | 2012: 104.2 | YTD 2012: 46.1 | YTD 2013: 59.9

Our Mission: We protect high-value applications and data assets in physical and virtual data centers

Our Global Business: Founded in 2002; global operations, HQ in Redwood Shores, CA; 640+ employees (180+ in R&D); customers in 75+ countries

Our Customers: 2,600+ direct, thousands cloud-based; 8 of the top 10 global telecommunications providers; 5 of the top 10 US commercial banks; 3 of the top 5 global financial services firms; 4 of the top 5 global computer hardware companies; 250+ government agencies and departments; 337 of the Global 2000

Page 4:

“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.”

Shawn Henry, Former FBI Executive Assistant Director, NY Times, April 2012

Page 5: Enterprise Security Is Evolving

1st pillar: Endpoint Security

Blocks threats targeting devices

2nd pillar: Network Security

Blocks threats trying to access the network

3rd pillar: Data Center Security

Protects high-value targets, keeping them both secure and accessible

Imperva provides the third pillar of enterprise security

Page 6: Meet the Characters - Cheese

“Cheese”

Critical applications and high value data

Page 7: Meet the Characters - Mice

“Mice”: possible threats to the cheese

Compromised Insider: an innocent user’s identity has been taken over and is used for malicious behavior

Malicious Insider: a user that has the intent to cause harm

Privileged Insider: a user that works close to the cheese

Page 8: Meet the Characters - Cats

“Cats”: existing network and endpoint security solutions are easily circumvented by advanced attacks and cannot address insider abuse

Data Loss Prevention (DLP)

Intrusion Prevention System (IPS) / Next Generation Firewall (NGFW)

Antivirus (AV)

Page 9: Imperva Mice and Cheese

Page 10: Imperva protects the cheese while others are busy chasing the mice!

Page 11: Scenario: Targeted Attacks and Malware

Page 12: Insider Threat Defined

Insider Threat: the risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property.

Possible causes:

Accident

Malicious intent

Compromised device

Page 13: Compromised Insider Defined

Compromised Insider: a person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.

Page 14: Few Users Are Malicious… All Can Be Compromised

“Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”

Source: http://edocumentsciences.com/defend-against-compromised-insiders

Page 15: What Attackers Are After

Source: Verizon Data Breach Report, 2013

Page 16: Two Paths, One Goal

Goal: Data & IP

Path 1: the user with access rights (or his/her device), reached through malware (40%) or social engineering (29%)

Path 2: the online application, reached through hacking (various), used in 52% of breaches

Assets affected: servers 54%, users (devices) 71%, people 29%

Source: Verizon Data Breach Report, 2013

Page 17: A Targeted Database Attack

Targeted, efficient, undetected

13-Aug-12: Attacker steals login credentials via phishing email & malware

27-Aug-12: Attacker logs in remotely and accesses the database

29-Aug-12 - 11-Sept-12: Additional reconnaissance, more credentials stolen

12-Sept-12 - 14-Sept-12: Attacker steals the entire database

PII: 4 M people. Pop: 5 M people. That’s… 80%

Page 18: Malware

40% of breaches incorporated malware (Source: Verizon, 2013 Data Breach Investigations Report)

2012 by the numbers: Kaspersky Lab now detects 200,000 new malicious programs every day (Source: www.kaspersky.com)

Page 19: Who’s Doing It and Why

Governments

- Stealing Intellectual Property (IP) and raw data, and spying

- Motivated by: Policy, Politics and Nationalism

Industrialized hackers

- Stealing IP and data

- Motivated by: Profit

Hacktivists

- Exposing IP and data, and compromising the infrastructure

- Motivated by: Political causes, ideology, personal agendas

Page 20: A Closer Look at the Threat, #1 – How does it work?

Page 21: Searching on Social Networks…

Page 22: …The Results

Page 23: Next: Phishing and Malware

How easy is it? A three-month BlackHole license, with support included, is US$700.

Specialized frameworks and hacking tools, such as BlackHole 2.0, allow easy setup for host hijacking and phishing.

Page 24: The Human Behavior Factor

Source: Google Research Paper “Alice in Warningland”, July 2013

Page 25: Drive-by Downloads Are Another Route

September 2012: the “iPhone 5 Images Leak” lure led to a drive-by Trojan download

Page 26: Cross Site Scripting Is Yet Another Path

Sites vulnerable to persistent XSS provide the infection platform: Gmail, June 2012; Tumblr, July 2012

Page 27: General Attack Pattern

Reconnaissance -> Compromise -> Foothold -> Privilege Escalation -> Internal Recon. -> Objective Completed

Reconnaissance: social network surfing, etc.

Compromise: gain access credentials via social engineering, phishing emails, malware, drive-by-download, XSS, pirated software, infected USB, CD, DVD, etc., a malicious insider, etc.

Foothold: via stolen credentials; install backdoors, etc.

Privilege Escalation: steal/crack additional credentials

Internal Recon.: scanners + credentials

Objective Completed: eliminate traces; return via backdoors

Page 28: A Closer Look at the Threat, #2 – But Antivirus, Firewall, NGFW, IPS will stop it!

Page 29: Security Threats Have Evolved… …Security Spending Hasn’t

2001 - Threats: Script Kiddies & “Digital Graffiti” artists, backdoors in open source; Code Red, Nimda, Klez, Anna Kournikova. Security spend: Anti-virus, Firewall/VPN, Content Filtering, IDS/IPS.

2012 - Threats: Cyberespionage, Organized Criminals, Industrialized hackers; APT, mobile phone attacks, targeted attacks, 232 million identities stolen. Security spend: Anti-virus, Firewall/VPN, Secure Email/Web, IPS.

Sources: Gartner, Imperva analysis

Page 30: Protect and Monitor the “Cheese”

“Firewalls and intrusion prevention systems don’t provide sufficient protections for most public-facing websites or internal business-critical and custom Web applications.”

“Less than 20% of organizations with a firewall, an IPS or a unified threat management (UTM) appliance can decrypt inbound or outbound SSL traffic. However, more than 90% of organizations with a public website and a WAF can decrypt inbound Web traffic [Statistics based on the results of a 2013 Gartner industry survey]”.

Source: Gartner – February 2014

Page 31: Protect and Monitor the “Cheese”

Most of the security budget is spent on:

• Firewalls

• Virus prevention

• IPS

Front-line/end-user defenses must be 100% accurate, since if only one mouse gets past them the cheese is gone.

Problem: Most organizations chase the “mice” and don’t focus enough on protecting the “cheese”

Page 32: A Closer Look at the Threat, #3 – What will mitigate Compromised Insiders?

Page 33: Understand Data and What Users Do With It

Discover and classify sensitive information

Build security policies

Review and rationalize access rights

Audit, analyze, and alert on access activity

Look for unusual behavior

Identify and remediate compromised devices

Page 34: Look for Unusual Behavior

How?

• Profile normal, acceptable usage and access to sensitive items by volume, access speed and privilege level

• Put in place monitoring, or “cameras in the vault”

Why? Anomalous probably means trouble
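How the profiling described on this slide can be put into practice, as an added example that is not Imperva's code: it builds a per-user baseline from database audit records (largest result set, busiest hour, roles used) and then flags later activity that exceeds that baseline by volume, access speed or privilege level, or comes from a user with no baseline at all. The record format, the sample records and the multipliers are assumptions constructed for this example; the review window mimics the September dump on the "Targeted Database Attack" slide.

```python
"""Added example (not Imperva's code): profile normal database access per
user from audit records, then flag activity that deviates by volume,
access speed or privilege level.  Records and thresholds are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline audit records: timestamp,user,role,table,rows_returned
BASELINE_AUDIT = """\
2012-08-01T09:00:00,alice,analyst,customers,120
2012-08-01T09:20:00,alice,analyst,orders,80
2012-08-02T10:05:00,alice,analyst,customers,150
2012-08-03T14:30:00,alice,analyst,orders,95
2012-08-01T22:00:00,bob,dba,customers,1
2012-08-02T22:00:00,bob,dba,sys_config,40
"""

# Constructed records from the window under review: the analyst account dumps
# a whole table at 02:10, switches to the dba role, and fires seven queries in
# one hour; a never-seen account also appears.
REVIEW_AUDIT = """\
2012-09-12T02:10:00,alice,analyst,customers,4000000
2012-09-12T02:11:00,alice,dba,sys_users,500
2012-09-12T02:12:00,alice,analyst,orders,100
2012-09-12T02:13:00,alice,analyst,orders,100
2012-09-12T02:14:00,alice,analyst,orders,100
2012-09-12T02:15:00,alice,analyst,orders,100
2012-09-12T02:16:00,alice,analyst,orders,100
2012-09-13T10:00:00,alice,analyst,orders,90
2012-09-13T22:00:00,mallory,dba,customers,1
"""

# Assumed multipliers over the observed baseline; tune per environment.
VOLUME_FACTOR = 5   # rows returned > 5x the user's largest observed result
SPEED_FACTOR = 3    # queries per hour > 3x the user's busiest observed hour


def parse_audit(text):
    """Parse CSV audit lines into dicts with a datetime and an int row count."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, table, rows = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "table": table, "rows": int(rows)})
    return records


def _queries_per_hour(records):
    """Count queries per (user, hour bucket)."""
    return Counter((r["user"], r["ts"].replace(minute=0, second=0))
                   for r in records)


def build_profile(records):
    """Per-user baseline: largest result set, busiest hour, roles used."""
    per_hour = _queries_per_hour(records)
    profile = defaultdict(lambda: {"max_rows": 0, "max_per_hour": 0, "roles": set()})
    for r in records:
        p = profile[r["user"]]
        p["max_rows"] = max(p["max_rows"], r["rows"])
        p["roles"].add(r["role"])
    for (user, _), n in per_hour.items():
        profile[user]["max_per_hour"] = max(profile[user]["max_per_hour"], n)
    return dict(profile)


def detect_anomalies(profile, records):
    """Return (record, reasons) for every record that breaks its user's baseline."""
    per_hour = _queries_per_hour(records)
    alerts = []
    for r in records:
        p = profile.get(r["user"])
        if p is None:
            alerts.append((r, ["unknown user"]))
            continue
        reasons = []
        if r["rows"] > VOLUME_FACTOR * p["max_rows"]:
            reasons.append("volume")
        hour_key = (r["user"], r["ts"].replace(minute=0, second=0))
        if per_hour[hour_key] > SPEED_FACTOR * p["max_per_hour"]:
            reasons.append("speed")
        if r["role"] not in p["roles"]:
            reasons.append("privilege")
        if reasons:
            alerts.append((r, reasons))
    return alerts


def summarize(alerts):
    """Collapse alerts to {user: sorted reasons} for a quick triage view."""
    out = defaultdict(set)
    for r, reasons in alerts:
        out[r["user"]].update(reasons)
    return {u: sorted(v) for u, v in out.items()}


if __name__ == "__main__":
    prof = build_profile(parse_audit(BASELINE_AUDIT))
    for rec, why in detect_anomalies(prof, parse_audit(REVIEW_AUDIT)):
        print(rec["ts"], rec["user"], rec["table"], rec["rows"], why)
```

The single 4,000,000-row result trips the volume rule on its own, which is the point of the "cameras in the vault": the stolen credentials are valid, so only the behaviour behind them gives the attacker away. A real deployment would baseline over weeks, keep per-table thresholds and treat the multipliers as policy, not constants.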

Page 35: Incident Response Phases for Targeted Attacks

Defender phases: Reduce Risk; Prevent Compromise; Detection; Containment; Insulate sensitive data; Password Remediation; Device Remediation; Post-incident Analysis

Attacker phases: Size Up the Target; Compromise a User; Initial Exploration; Solidify Presence; Impersonate Privileged User; Steal Confidential Data; Cover Tracks

Page 36: A Closer Look at the Threat, #4 – Solution Architecture

Page 37: The Solution: Data Center Security

Actors: Internal Employees (Malicious Insiders, Compromised Insiders); External Customers, Staff, Partners; Hackers; Data Center Systems and Admins

Controls: Usage Audit; User Rights Management; Access Control; Tech. Attack Protection; Logic Attack Protection; Fraud Prevention; Discovery & Classification; Privileged User Monitoring; Vulnerability Scanning; Virtual Patching; Attack Protection; Auditing and Reporting; Assessment & Risk Management

Page 38: Enterprise Deployment

Page 39: Imperva-FireEye Joint Solution

Automatically restrict data access of compromised hosts

• Immediate Mitigation: prevent (block) or alert when compromised users attempt to access business-critical applications; access sensitive data (databases, intellectual property, deal data, etc.); or conduct administrative actions or privileged operations

• Non-disruptive: mitigation lets the business continue while device remediation takes place

• Full Forensics: logs all activities originating from suspected hosts

Identify Compromised Insiders and Limit Risk

Page 40: Imperva-FireEye Joint Architecture

FireEye Malware Protection System identifies compromised assets

Imperva SecureSphere dynamically responds to FireEye’s threat intelligence to prevent critical data compromise and loss

Diagram components: Internet; Web Application Firewall; Internal Users; Management Server (MX); SecureSphere for SharePoint; File Activity Monitoring; Database Activity Monitoring; Imperva Agents; Network Monitoring; Native Audit

Page 41: Integration and Data Flow

Data set | Data Description
IP | Compromised device IP address
Hostname | Compromised device hostname
Severity | FireEye severity ranking
FireEye ID | Unique FireEye ID for mapping
Source | FireEye MPS source device

Diagram components: SecureSphere MX; SecureSphere Gateways

Page 42: Information Flow From FireEye MPS to SecureSphere

Configuration on FireEye side is very straightforward

• SecureSphere Server URL

• User/Password

• What to send

• Format of data
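What the receiving side of this flow has to do with the five fields listed on the "Integration and Data Flow" slide, as an added example that is neither Imperva's nor FireEye's code: it validates a batch of compromised-host notifications, indexes them by IP, and applies the mitigation policy from the "Joint Solution" slide (block or alert on sensitive or privileged access, let ordinary work continue, log everything the suspected host does). The JSON layout, the severity scale, the block threshold and the sample notifications are assumptions constructed for this example; the real product's wire format is not described on the page.

```python
"""Added example, not Imperva's or FireEye's code: receive compromised-host
notifications (IP, hostname, severity, FireEye ID, source) and enforce a
block/alert/allow policy on data access from those hosts.  The JSON layout,
severity scale and thresholds are assumptions made for this example."""
import json
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Constructed notification batch in the assumed JSON layout; the third entry
# is deliberately malformed to show that bad input is rejected, not trusted.
NOTIFICATIONS_JSON = json.dumps([
    {"ip": "10.1.2.3", "hostname": "WS-ALICE", "severity": "critical",
     "id": "FE-1001", "source": "mps-dmz-01"},
    {"ip": "10.1.2.9", "hostname": "WS-DAVE", "severity": "minor",
     "id": "FE-1002", "source": "mps-dmz-01"},
    {"ip": "not-an-ip", "hostname": "BOGUS", "severity": "critical",
     "id": "FE-1003", "source": "mps-dmz-01"},
])

SEVERITY_RANK = {"minor": 1, "major": 2, "critical": 3}  # assumed scale
BLOCK_AT = SEVERITY_RANK["major"]  # block sensitive access at this rank or above


@dataclass
class CompromisedHost:
    ip: str
    hostname: str
    severity: int
    fireeye_id: str
    source: str


def ingest(payload_json: str) -> Tuple[Dict[str, CompromisedHost], List[str]]:
    """Validate each notification and index it by IP.

    Returns (hosts_by_ip, rejected_ids).  The IP is parsed strictly because it
    becomes a policy key; the most severe notification per IP wins."""
    hosts: Dict[str, CompromisedHost] = {}
    rejected: List[str] = []
    for item in json.loads(payload_json):
        try:
            ip = str(ip_address(item["ip"]))
            sev = SEVERITY_RANK[str(item["severity"]).lower()]
            host = CompromisedHost(ip, item["hostname"], sev, item["id"], item["source"])
        except (KeyError, ValueError):
            rejected.append(str(item.get("id", "?")))
            continue
        if ip not in hosts or sev > hosts[ip].severity:
            hosts[ip] = host
    return hosts, rejected


class DataAccessPolicy:
    """Decide allow / alert / block for an access attempt and keep a forensic log."""

    def __init__(self, hosts: Dict[str, CompromisedHost]):
        self.hosts = dict(hosts)
        self.audit: List[dict] = []

    def evaluate(self, src_ip: str, user: str, resource: str,
                 sensitive: bool, privileged_op: bool) -> str:
        host: Optional[CompromisedHost] = self.hosts.get(src_ip)
        if host is None:
            return "allow"               # no intelligence on this host
        if sensitive or privileged_op:
            action = "block" if host.severity >= BLOCK_AT else "alert"
        else:
            action = "allow"             # non-disruptive: ordinary work continues
        # full forensics: every action from a suspected host is recorded
        self.audit.append({"fireeye_id": host.fireeye_id, "host": host.hostname,
                           "ip": src_ip, "user": user, "resource": resource,
                           "action": action})
        return action

    def remediated(self, ip: str) -> None:
        """Lift the restriction once the device has been cleaned."""
        self.hosts.pop(ip, None)


if __name__ == "__main__":
    hosts, rejected = ingest(NOTIFICATIONS_JSON)
    policy = DataAccessPolicy(hosts)
    print(policy.evaluate("10.1.2.3", "alice", "customers", True, False))   # block
    print(policy.evaluate("10.1.2.9", "dave", "customers", True, False))    # alert
    print("rejected:", rejected)
```

Two design points worth carrying into any real integration: the notification feed is itself an attack surface (a forged "critical" entry for the CEO's workstation is a denial of service), so the receiving endpoint should authenticate the sender and validate every field before it becomes policy; and the decision is keyed on the device, not the user, which is what makes it useful against a compromised insider whose credentials are otherwise perfectly valid.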

Page 43: Comprehensive, Integrated Security Platform

Database Security: audit database access and deliver real-time protection against database attacks

File Security: auditing, protection and rights management for unstructured data

Web Application Security: protection against large-scale Web attacks with reputation controls, automated management and drop-in deployment

Page 44:

www.imperva.com