Advanced Security and Risk Management for Cloud and Premise environments

Transcription

1 Advanced Security and Risk Management for Cloud and Premise environments Owen Cheng Practice Lead SIEM/SOC/MSS 2014 NTT Com Security

2 NTT Com Security Global Information Security & Risk Management Provider 2014 NTT Com Security 2

3 NTT Group Security global footprint SOCs and R&D Centres 2014 NTT Com Security

4 NTT Com Security Services Pillars: Consulting & Managed Services Technology Services Security Architecture Design Product Selection Global Procurement Global Deployment Global Staging Deployment Project Management Consulting Services Vulnerability Assessment Penetration Testing Code Review Secure Coding Data Loss Prevention SIEM Advisory Regulatory Standards Advisory Compliance Risk Assessment & Audits Security Strategy & Policy Development Security Awareness Managed Security Services Technicalsecurity phone support Remote Monitoring Service Remote Management Service (MSaaS) 2014 NTT Com Security 4

5 NTT s Global Threat Intelligence Report During 2013 * NTT researched the threats and published the Global Threat Information Report 2014 (GTIR) * We analyzed more than 3 Billion attacks on our customers, over the course of 2013 (that s 97 separate attacks per second) Findings * 95% of losses could be reduced by focused investment * 43% of incident response engagements were the result of malware * 34% of events were the result of botnet activity * The report also details specific case studies, Malware, Zero node, SQL injection RESULTS: On average a typical organization is targeted once every minute of every day including weekends, evenings, and holidays. During this presentation, your internet connected device will be attacked probably a half a dozen times and your organization will be attacked between times NTT Com Security 5

6 Managed Security Services Trend 2014 NTT Com Security

7 Market Trends: MSS Worldwide Market Drivers Security Risks to Information Systems Are Expanding at a Rapid Rate, Often Overcoming Organization Resources and Talent Compliance Mandates Continue to Provide Support for MSS Growth Buyers Trends Enterprise Buyers Prefer MSSPs With Strong Security Controls and Audit Transparency MSS Buyers Shift Away From the Stand-Alone IT Security Buyer and Expand to the Network Infrastructure Teams and the Busines Technology Trends MSSs Add Reputation Feeds and Blacklists to Enhance Customer Event Data With External Security Context Advanced Threat Protection Appliances Enter the MSSP Market Source: Gartner 2014 NTT Com Security 7

8 WideAngle Managed Security Services Architecture 2014 NTT Com Security

9 POD Concept Modular and easy to deploy infrastructure and the foundation for the GROC to deliver MSSP Services. PODs are interconnected over the GIN effectively making up a global platform embedded into multiple layers of the NTT Com Infrastructure NTT Com Security

10 WideAngle Advantages 2014 NTT Com Security

11 NTT WideAngle Managed Security Services 2014 NTT Com Security 11

12 Unique NTT threat feeds 30,000+ Websites scanned across the world each day to identify global threat trends Malware files identified & downloaded by our honeypots every day + =Ability to create uniquerules to combat threats Uniquehoney pot & sandbox environments to capture malicious activity 2014 NTT Com Security

13 Turns Data into Knowledge Data Information Knowledge Log/event data Proprietary signatures Security expert analysis 3 rd Party signatures Business context Global threat feeds Signature creation Custom threat trends Refined, actionable info Automated security analysis Security enrichment (human validation) 2014 NTT Com Security

14 Thank you Owen Cheng 2014 NTT Com Security

15 Next Generation Enterprise Security Platform Enhancing your Security Framework Charles Woo 18 June 2014

16 A Long Time Ago Securing the Data Center was Simple On Premise Data Center wired Apps in one place Users in one place Data in one place Employee , Palo Alto Networks. Confidential and Proprietary.

17 Now.Network Security Pressures in the Data Center Private Cloud SAAS Modern threats targeted, multi-vector, persistent Wired Wireless VPN VDI Employees, Guests, Partners, Contractors, and Temporary Workers , Palo Alto Networks. Confidential and Proprietary.

18 Applications Have Grown More Complex , , 443, 135, 137, , 3300, 8000, 3600, 8100, 50013, 50014, , 3478, 5223, 50,000-59, , 53, 42, 8, 13, 15, 17, 137, 138, 139, 445, 1025, 123, 507, 750, , 389, 636, 3268, 445, 161, 162, 42424, 691,

19 The Emergence of the User Kingdom , Palo Alto Networks. Confidential and Proprietary.

20 Exploits Using Business Critical Applications 10 out of 1,395 applications = 97% of the exploit logs; 9 of them are business critical 2,016 unique exploits, ~60M exploit logs Palo Alto Networks. Confidential and Proprietary. Source: Palo Alto Networks, Application Usage and Threat Report. Jan

21 Internet changes the Network Boundary Need to restore visibility and control in the firewall Ports Applica ons IP Addresses Users Packets Content Page Palo Alto Networks. Proprietary and Confidential.

22 Does it help? Questions: 1. Can you find out who is using what app in 30mins? 2. Full visibility of traffic and threat? 3. How long do you take to react on an incidence? 4. How can you enforce per user app control? 5. More devices = higher management effort and more error prone? 6. Can you really safely enable who can use what? Page Palo Alto Networks. Proprietary and Confidential

23 What about UTM? Questions: 1. How many features do you think you can turn on? 2. Is it a well integrated enterprise solution? Or just a all-in-one SMB solution? 3. Can it really integrate app control for app safe enablement? Or is just an app blocking solution by IPS engine? 4. Reports? Page Palo Alto Networks. Proprietary and Confidential

24 The Answer? Make the Firewall Do Its Job 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify and control users regardless of IP address, location, or device 3. Protect against known and unknown application-borne threats 4. Fine-grained visibility and policy control over application access / functionality 5. Multi-gigabit, low latency, in-line deployment , Palo Alto Networks. Confidential and Proprietary.

25 Palo Alto Networks Next-Generation Firewalls Enabling Applications, Users and Content Applications: Safe enablement begins with application classification by App-ID. Custom applications and unknowns in the data center can be classified Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect Differentiate data center access based on user, device and endpoint profile Content: Scanning content and protecting against all threats both known and unknown; with Content-ID and WildFire Protect against all threats including targeted attacks , Palo Alto Networks. Confidential and Proprietary.

26 Single-Pass Parallel Processing (SP3) Architecture Up to 20Gbps, Low Latency Single Pass Operations once per packet - Traffic classification (app identification) - User/group mapping - Content scanning threats, URLs, confidential data One policy Parallel Processing Function-specific parallel processing hardware engines Separate data/control planes Page Palo Alto Networks. Proprietary and Confidential.

27 Palo Alto Networks approach Single Pass Architecture Policy Engine Content-ID Data Filtering URL Filtering Real-Time Threat Prevention Application Protocol Decoding App-ID Application Protocol Detection and Decryption Application Signatures Heuristics User-ID L2/L3 Networking, HA, Config Management, Reporting Page Palo Alto Networks. Proprietary and Confidential.

28 Incumbents Bolt-on approach with Traditional Stateful inspection IPS Policy AV Policy URL Filtering Policy IPS Signatures AV Signatures Firewall Policy HTTP Decoder IPS Decoder AV Decoder & Proxy Port/Protocol-based ID Port/Protocol-based ID Port/Protocol-based ID Port/Protocol-based ID L2/L3 Networking, HA, Config Management, Reporting L2/L3 Networking, HA, Config Management, Reporting L2/L3 Networking, HA, Config Management, Reporting L2/L3 Networking, HA, Config Management, Reporting Page Palo Alto Networks. Proprietary and Confidential.

29 Our Research Team Discover Threat Our Research Team is active - Many of the IPS vendors have big research team for writing signatures - Our research team also discover vulnerabilities for zero day protection Palo Alto Networks McAfee Tipping Point Check Point Sourcefire Juniper Cisco Palo Alto Networks Discovering Microsoft Vulnerabilities in the past 4 years McAfee Tipping Point Check Point Source: OSVDB; as of June 15th 2011 Discovering Adobe Vulnerabilities in the past 4 years Sourcefire Juniper Cisco Source: OSVDB; as of August 15th 2011 Page Palo Alto Networks. Proprietary and Confidential.

30 Palo Alto Networks as an IPS Palo Alto Networks Tipping Point Mcafee Sourcefire Cisco [ref: osvdb.org] , Palo Alto Networks. Confidential and Proprietary.

31 Is your heart still bleeding? We provide unique protection from exploitation of the Heartbleed vulnerability, including: Innovative approach to identifying threats Unlike other security products, the next-generation design of our enterprise security platform, and the automated protections we released, prevented exploitation of Heartbleed. Automated vulnerability protection Starting April 9 th, 2014, multiple content updates were automatically sent that protected, detected, and immediately blocked attempted exploitation of the vulnerability (content updates 429 and 430, which include IPS vulnerability signature IDs 36416, 36417, 36418, and 40039). Inherent PAN-OS features Our core operating system (PAN-OS), is not impacted by CVE because it does not use a vulnerable version of the OpenSSL library. Page Palo Alto Networks. Proprietary and Confidential.

32 Reducing the Scope of Attack Only allow the apps you need Clean the allowed traffic of all threats in a single pass»the ever-expanding universe of applications, services and threats»traffic limited to approved business use cases based on App and User»Attack surface reduced by orders of magnitude»port, Protocol Agnostic»Complete threat library with no blind spots Bi-directional inspection Scans inside of SSL Scans inside compressed files Scans inside proxies and tunnels Scans unknown files , Palo Alto Networks. Confidential and Proprietary.

33 BUT when Everyone is talking about NGFW

34 Application Control Belongs in the Firewall Application Control as an Add-on Traffic Firewall Port Policy Decision Port IPS Applications App Ctrl Policy Decision Port-based decision first, apps second Applications treated as threats; only block what you expressly look for Key Points Two policies/log databases, no reconciliation Unable to effectively manage unknowns Application Control in the Firewall Firewall determines application identity; across all ports, for all traffic, all the time Traffic Application All policy decisions made based on application Key Points Firewall Applications IPS Single policy/log database all context is shared Policy decisions made based on shared context App Ctrl Policy Decision Scan Application for Threats Unknowns systematically managed

35 What NGFW should do: Safely enable application! User Safely enable Prohibited use Financial advisor Post info to a prospect s wall Chatting Clicking on infected links Sales rep Sharing opportunities with channel partner Sharing customer lists externally Marketing specialist Exchange of Photoshop files with agencies Downloading malware HR recruiter Communication with candidates Exposing lists of employees and their salaries

36 Vendor1 Do all policy turn on application control? How many policy you need to maintain? How to allow application effectively? Page 36

37 Vendor2 Two Separate Policy, No relationship between Two Separate Log Database Page 37

38 How we do: Unified Policy on Application basis Specify user Select application Single Policy, Single Log Database Do all policy turn on application? How many policy you need maintain? Page Palo Alto Networks. Proprietary and Confidential.

39 What we do: consolidated log details Every log is integrated with application Traffic Log Log Details URL Log Page Palo Alto Networks. Proprietary and Confidential.

40 What we do: consolidated log details React to incident quickly! Page Palo Alto Networks. Proprietary and Confidential.

41 Page Palo Alto Networks. Proprietary and Confidential. Performance

42 Traditionally, More Security = Poor Performance Best Case Performance Traditional Security Each security box or blade robs the network of performance Threat prevention technologies are often the worst offenders Firewall Leads to the classic friction between network and security IPS Anti-Malware , Palo Alto Networks. Confidential and Proprietary.

43 Vendor 1 Captured from official web site 13.64% 7.73% How about: -Firewall + IPS + AV throughput? -Firewall + IPS + AV + Application Control throughput? Page Palo Alto Networks. Proprietary and Confidential.

44 Vendor 2 Captured from official web site 3.6% 5.0% How about: -Firewall + IPS + AV throughput? -Firewall + IPS + AV + Application Control throughput? * Sophos AV is an in-the-cloudanti-virus solution, which requires less system resources and provides better scaling and performance, as compared to other anti-virus engines Page Palo Alto Networks. Proprietary and Confidential.

45 Guaranteed throughput with everything turn on! Layer 7 throughput, all policies turn on application with logging Threat throughput: ALL (AV, Antispyware, IDP, URL AND Wildfire) turn-on ALL Signature (not default, not recommended) turn-on ALL with logging Page Palo Alto Networks. Proprietary and Confidential.

46 Validated in 3 rd Party Testing Threat Preven on Performance (Mbps) Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost -NetworkWorld, Firewall + IPS Firewall + IPS +AV Firewall + IPS + AV + Spyware , Palo Alto Networks. Confidential and Proprietary.

47 And for Datacenter

48 Traditional Datacenter Segmentation Data Center A Port 1521 > 100 ports Port 80/443 Confidential Server Webex SSH SSL RDP / / /24 Partners and Contractors Page Palo Alto Networks. Proprietary and Confidential.

49 With Palo Alto Networks Solution: Data Center A Oracle Microsoft Servers Web Servers Confidential Server DB Zone App Zone Web Zone Mgmt Zone App-ID User-ID Webex- no file sharing SSH- no tunneling SSL- with decryption RDP-not port 3389 Content-ID CFO Finance VP of Sales Sales IT Partners and Contractors Page Palo Alto Networks. Proprietary and Confidential.

50 Our systematic approach for better security Provide global visibility & intelligence correlation 1 Apply positive controls 2 3 Prevent known threats Discover unknown threats Inspect all traffic across ports, protocols & encryption Copyright 2014, Palo Alto Networks, Inc. All Rights Reserved

51 Positive security controls Reduced attack surface with granular control High-risk applications & protocols Files from suspicious Domains and URLs Encryption and custom traffic 368 Applications can deliver files 34% Applications use SSL 17% Applications port-hop , Palo Alto Networks. Confidential and Proprietary.

52 Known threats Block known-bad content with evolving signatures Vulnerability exploits Known Malware & variants Malicious Domains, URL & DNS Command & Control (C2) 6,200 Signatures delivered per day 1,800 Variants of the threat blocked by 1 signature , Palo Alto Networks. Confidential and Proprietary.

53 Unknown threats WildFire Automated Visibility into threat unknown Visibility into unknown prevention traffic Purpose-built sandbox traffic In-line environment See unknown enforcement Running from applications next-generation full versions & of common firewall protocols applications & WildFire Near OSs Suspicious real-time domains & Full signature URLs Internet updates access for Disrupts C2, New domains, malicious threat URLs content delivery & Automated threat additional & (malware callbacks & payload (Anti- exploits) prevention Elastic malware, scale DNS, in the URL, cloud C2) or local appliance Global intelligence sharing & threat research Copyright 2014, Palo Alto Networks, Inc. All Rights Reserved. Palo Alto Networks Proprietary and/or Confidential. For Palo Alto Networks internal use only and as permitted by Palo Alto Networks for its authorized partners.

54 Building a complete platform for advanced threats Non-standard Attack surface ports Port-hopping SSL & SSH Vulnerability exploits (IPS) Malware Bad web sites Bad domains C&C Sandbox Unknown applications Suspicious file types / web sites MSS Malware intelligence Forensics Apply positive controls Prevent known threats Detect unknown threats Validate attack Remediate Copyright 2014, Palo Alto Networks, Inc. All Rights Reserved. Palo Alto Networks Proprietary and/or Confidential. For Palo Alto Networks internal use only and as permitted by Palo Alto Networks for its authorized partners.

55 A Three Time Gartner Magic Quadrant Leader Palo Alto Networks is assessed as a Leader, mostly because of its NGFW focus, because it set the direction of the market along the NGFW path, and because of its consistent visibility in shortlists, increasing revenue and market share, and its proven ability to disrupt the market. Gartner clients consistently rate the Palo Alto Networks App-ID and IPS higher than competitors offerings for ease of use and quality. The firewall and IPS are closely integrated, with App-ID implemented within the firewall and throughout the inspection stream. This "single pass" is a design advantage, as opposed to the unnecessary inspection that can occur in competing products that process traffic in serial order. --Gartner Magic Quadrant for Enterprise Network Firewalls

56 Get to know more about your network now! , Palo Alto Networks. Confidential and Proprietary.

57 Talk to us about the AVR report , Palo Alto Networks. Confidential and Proprietary.

58 Thank You!

59 Managed Security Service: From Device Management to Security Enrichment Owen Cheng 26 June NTT Com Security

60 Enriched Security Intelligences Next-Gen Challenges 2014 NTT Com Security Nick Williams -Public -Draft-v02 15 May

61 Firewall & perimeter challenges Do The Basics #1Counter measure to the changing THREATS 71% of new malware goes undetected when analysed in a sandbox 43% of incident response engagements were the result of Malware costing one business $109,000 Performing regular vulnerability scans significantly reduces your risk 77% of the organisations involved had no incident response team, policies or procedures in place Over 50%of vulnerabilities were already known some dating back to 2004 Risk is shaped dynamically. Security threats are increasingly complex Applications are the new internet. They are the bearer of corporate risk. We work and live in an agile global world 2014 NTT Com Security Nick Williams -Public -Draft -v02 15 May

62 Management & visibility Organisational challenges Effective security management Organisations require an effective solution to manage firewalls & perimeter assets Secure, consistent & scalable solution suitable for Next Generation security These assets need to be secured to minimise organisational risk and for compliance Security must change as business evolves Analysis of data needed for Risk & Security decision making Flexibility with expert deployment to meet compliance & organisational requirements Security controls tightly aligned to risks Enriched data analysis for rapid, accurate decision making 2014 NTT Com Security Nick Williams -Public -Draft-v02 15 May

63 WideAngleMSS Analysis Engine addresses the challenges 2014 NTT Com Security Nick Williams -Public -Draft-v02 15 May

64 Management & visibility making sense of the information Analyse and correlate huge amounts of data All event flows need to be analysed in order to identify potentially malicious behaviour. Often requires complex correlation rules to produce alerts of interest Filter and enrich Apply context, asset information, previous knowledge to reduce the number of false positives 00 s Millions of raw events Thousands of alerts Hundreds of alerts Enriched alerts 000 s 000,000 s Granular, enriched reports. Additional human validation for further business context 2014 NTT Com Security Nick Williams -Public -Draft-v02 15 May

65 Analysis Platform - Architecture Analysis Platform Components Inspector META Support Modules BDAE (Batch Engine) RTCE (CEP Engine) Drilldown and verification Alert enrichment Medium- to longterm detection focus Short- to mediumterm detection focus Alert grouping, filtering and drilldown UI Provides instant access to verification data (PCAP, sandbox details) Module based verdict system Able to perform crosscustomer correlation of alerts Splunk based engine Query based processing approach Able to identify weekly/ monthly patterns CEP based engine Correlates and processes all logs as event feeds Near-realtime response capabilities ALERT PROCESSING RAW LOG PROCESSING Example: PCAP shows that the exploit is target specific Example: This alert has been seen in confirmed incidents for two other customers Example: Regular network transfer peaks every Sunday evening by single user account Example: Executable download (proxy) followed by outbound firewall session within 10 minutes Internal - Confidential 2014 NTT Com Security

66 WideAngleMSS Services 2014 NTT Com Security Nick Williams -Public -Draft-v02 15 May

67 What WideAngle MSS provides 1Device Management 2Automatic Log Analysis 3Human enriched Analysis Customer can choose one of three function or combine them 1, 1+2,etc 2014 NTT Com Security

68 Package A Network Basic Firewall Network Basic Firewall only 1Device Management 2014 NTT Com Security

69 Package B Network Security Firewall + IPS/IDS Network Security Firewall + IPS/IDS 1Device Management 2Automatic Log Analysis 2014 NTT Com Security

70 Package C -Content Security Next Gen + Firewall + IPS/IDS + Web and Antivirus + URL Filtering + Application Filter Firewall IPS/IDS Web and Antivirus URL Filtering Application Filter 1Device Management 2Automatic Log Analysis Content Security Next Gen + 3Human enriched Analysis 2014 NTT Com Security

71 Portal Main navigation Status of services and devices, can be expanded to show service level and service type Bulletin board, holding important service messages from the Global Risk Operations Centers Tickets for changes, inquiries and problems, can be sorted per column for fast access as well as filtered on ticket types Health and availability incidents listing open incident, can be sorted by column and filtered using the dropdown Security incidents, defaults to open incidents and can be sorted based on columns or filtered by using the dropdown Event processing status showing the total of logs, events, incidents and validated incidents since service start Status on monitored VPN-tunnels 2014 NTT Com Security WideAngle Customer Portal Presentation-Public-Approved_V1 00

72 Human enriched Incident Report - Example 2014 NTT Com Security

73 Human enriched Incident Report - Example 2014 NTT Com Security

74 Human enriched Incident Report - Example 2014 NTT Com Security

75 Human enriched Incident Report - Example 2014 NTT Com Security

76 Human enriched Incident Report - Example 2014 NTT Com Security

77 Human enriched Incident Report - Example 2014 NTT Com Security

78 Human enriched Incident Report - Example 2014 NTT Com Security

79 Human enriched Incident Report - Example 2014 NTT Com Security

80 Thank you 2014 NTT Com Security