Belgacom Security Convention. Tuesday 15 October 2013, Aula Magna, Louvain-la-Neuve

Transcription

1 Belgacom Security Convention Tuesday 15 October 2013, Aula Magna, Louvain-la-Neuve

2 Belgacom Security Convention Cloud and Security Bart Callens Product Manager ICT Security 10/17/2013 Slide 2

3 Agenda 13:30 14:30 Protect your Business from External threats and Cyber criminality - Setting the Scene Bart Callens (Belgacom) - DDOS attack trends Dirk Aertgeerts (Arbor Networks) - Case Study : Prevent banking Fraud and phishing issues, what has been put in place? Danny Moerenhout (ING) 14:30 15:00 Break 15:30-16:30 Secure your move to the cloud - Secure Blueprint of a Private Cloud - Antonio Paci/Nicolas Rollier (Belgacom) - Next generation application delivery controller Philippe Bogaerts (F5 Networks) Slide 3 - Optimized security solutions for Hybrid Virtual Cloud Environments - Steven Heyde (Trendmicro)

4 Cyber war going on impacting every individual and organisation Every day, websites got hacked worldwide. (Source : Sophos) phishing websites are identified worldwide. (Source : APWG,March 2013) 6 out of 10 Belgians faced online safety issues during (Source : cert.be) 23,89% of Belgian computers are infected with malware (Source :APWG) Every month, 334 Cyberincidents are notified in Belgium (Source : cert.be) 10/17/2013 Slide 4

5 What is important to win the Cyber War 故 曰 : 知 彼 知 己, 百 戰 不 殆 ; 不 知 彼 而 知 己, 一 勝 一 負 ; 不 知 彼, 不 知 己, 每 戰 必 殆 So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself. Slide 5

6 Know yourself!

7 Know your enemy!

8

9 Today tactics in cyber-attacks and what are the solutions - Script-kiddies - Hacktivists NGFW, WAF Training, Awareness, DLP Infiltrate Research Reconaissance Social research Direct attack Social Engineering IPS,DAP,NAC Hop attack Update Exfiltrate NGFW, Content Gateway, DLP NGFW, WAF, DDOS, IPS, SSL-VPN, Strong Auth, Virtsec Anti-phraud, Content Gateway, Patch Management, encryption - Organised cyber-criminals - State-sponsored cybercriminals - Cyber industrial espionage criminals SIEM, Vulnerability Management, Forensics, Penetration testing Incident Response Team, Disaster Recovery Plan 10/17/2013 Slide 9

10 Protection against cyber-attacks Recommendations - Adhere to a Defense-in-depth strategy - Share security intelligence across different security controls - Context awareness - Unifying security processes - Staff appropriately - If necessary outsource - Liaise with other CERT/CSIRT s Source : Gartner Best Practices for Mitigating Advanced Persistent Threats

11 Protection against cyber-attacks Recommendation examples - Deploy latest (stable) versions of your security infrastructure - Context awareness - Behaviour/anomaly - Reputation services - DLP capabilities - Integrate with SIEM - SSL-VPN - Risk appropriate authentication method - Limit access - IPS also for SSL-VPN - Appropriate level of logging - SIEM integration - Reduce network-level VPN - MDM for mobile devices Source : Gartner Best Practices for Mitigating Advanced Persistent Threats

12 Protection against cyber-attacks Recommendation examples - Firewall - IDP - Consider GEO IP filtering - Application awareness - Include dynamic threat feeds - Proper zoning/segmentation - Adequate level of logging - Block instead of Detect-only - Botnet prevention - Traffic anomaly detection - Reputation based/real-time block lists - Protocol anomaly detection - All internal segments - Tap in virtualised environments Source : Gartner Best Practices for Mitigating Advanced Persistent Threats

13 Real life case cyber-attack Customer environment Company based in Belgium 1000 users, shared over 5 sites 150 virtual servers hosted on 30 physcial hosts, installed over 2 Datacenters Almost real-time production

14 Real life case cyber-attack Discovery Suspicious activity detected on some workstations Investigation by internal IT to control all the existing security footprint The problem persists & other end-points are infected Deeper investigation inside the machine and on the lan Detection of malware programs & traffic but impossible to clean Impossible to stop malware traffic to internet Verdict: Advanced Persistent Attack on going on more than 150 workstations & servers! Call for assistance

15 Real life case cyber-attack Belgacom intervention : Episode 1 Description of the problem with Belgacom security experts Debriefing at Belgacom for organize the answers Decision to visit the customer & collect some more information Installation of an Analyser in out of band mode for traffic analysis First analysis of the results after a few hours Understanding on the way the malware is communicating The malware has entered via Internet surfing The malware was downloaded in several undetectable parts Once complete, the malware stole the credentials asked in the browser & sent them to multiple botnet Command&Control servers Installation of the Analyser in-line mode to stop malware traffic to internet

16 Real life case cyber-attack Belgacom intervention : Episode 2 Further investigation on the end-point with alternative AV Detection of the malware (Trojan) on the end-points Test of the best tool to remove the Trojan Support from AV vendor for the patch Publication & deployment of the patch for cleaning the infected machines

17 Real life case cyber-attack (Almost) Happy Ending Internal debriefing for better design and policies Installation of a new full featured NGFW Smooth migration of the security rules Decision to introduce a second AV vendor for the servers Decommissioning of the Analyzer Regular meeting of a multidisciplinary work force BUT : Took almost 2 weeks and 16 FTEs for cleaning and restoring Switched fully to DRP mode for 1 week

18 Questions? 10/17/2013 Slide 18

19 Thank you Do not forget the evaluation form and the contest! The winners will be designated at on the Belgacom booth. Win tickets for Belgium-Wales or a free hacking training

20 DDOS, how to protect your organization? Dirk Aertgeerts Territory Sales Manager Benelux

21 Agenda What is DDOS, the threats. Main Drivers of DDOS Attacks. Steps to defend yourself. Why Arbor Atlas. Chances are it will happen to you. 2

22 The Evolving Threat Against Data Centers Attackers use a combination of techniques ISP 1 Layer 4-7, Smart DDoS Impact DATA CENTER ISP 2 ISP Exhaustion of Service SATURATION Firewall IPS Load Balancer ISP n EXHAUSTION Target Applications & Services Volumetric, Brute Force DDoS Impact

23 DDOS Drivers Financially Driven Deviation Bringing down security components in your infrastructure Blackmail -> reputation loss Activism Vandalism Specificly target market online gaming: extremely vulnerableto DDOS 4

24 Steps to defend yourself Create a Plan Think about it, if no anti-ddos solution is present pulling the wire might be a plan Above all, avoid having to be too creative under attack panic leads to disaster and extra damage Determine how important it is to avoid any downtime for your organization, maybe you can live with a sporadic couple of hours downtime, maybe not. Determine how important it is for you to avoid an absolute maximum in false positives. Determine how important it is to have as much visibility as possible when under attack. 5

25 Layered DDoS Defense Defense options: Start: ISP-based Needed: ISP-based + CPE-based 6

26 Stopping Volumetric Attacks SCRUBBING CENTER Cloud-based DDoS Protection ISP 1 Peakflow SP/TMS DATA CENTER ISP 2 Local ISP Firewall IPS ISP n Volumetric DDoS mitigation must be done up stream, before traffic gets to Data Center Activated on demand : only active when an attack is detected or reported.

27 Stopping Layer 4-7, Smart Attacks ISP 1 CPE-based DDoS Protection DATA CENTER ISP 2 ISP Firewall IPS Load Balancer ISP n CPE-based: L4-7 DDoS mitigation must be done at the Data Center Fine-tuned to the services behind it to minimize false positives Always ON: immediate mitigation 8 Target Applications & Services

28 Layered DDoS Defense Defense options: Start: ISP-based Needed: ISP-based + CPE-based 9

29 Overview CPE BASED: (Pravail) Continuous mitigation, no delay (inline) Layer 7 visibility and control Placed at the perimeter of your network -> controll Configure specifically on your infrastructure-applications Service Provider using Arbor peakflow TMS: Protection of the line, no full visibility and control over advanced mitigation Limited delay to reroute traffic (ibgp) Pure Cloud solutions in comparison to Service provider: Delay when rerouting + DNS or BGP /24 necessary to reroute Little visibility, control over advanced mitigation 10 Serious risk on massive false positives

30 Why Arbor Networks? A Trusted & Proven Vendor Securing the World s Largest and Most Demanding Networks 100% Percentage of world s Tier 1 service providers who are Arbor customers Tbps #1 11 $16B Number of countries with Arbor products deployed Amount of global traffic monitored by the ATLAS security intelligence initiative right now 25% of global Internet traffic! Arbor market position in Carrier, Enterprise and Mobile DDoS equipment market segments 61% of total market [Infonetics Research Dec 2011] Number of years Arbor has been delivering innovative security and network visibility technologies & products 2011 GAAP revenues [USD] of Danaher Arbor s parent company providing deep financial backing

31 ATLAS Intelligence Feed (AIF) Leverages the global intelligence in Arbor s ATLAS to stop emerging DDoS and Botnet attacks Unique to Arbor Networks Continuously updated feed of botnet DDoS threats to availability Layer 7 fingerprints focused on inbound botnet attack traffic ASERT threat level/confidence assessment ASERT tracking 100s of individual botnets in the wild 12

32 DDoS Attack? It Will Not Happen to Me The Ostrich Mentality When an ostrich is afraid, it buries its head in the ground, assuming if it can t see danger, danger cannot see it. The attitude to DDoS as an Availability Threat has been similar. But it is changing dramatically because of 13

33 DDoS Attack? It Will Happen to You 14

34 Questions? Thank You