Next Generation IPS and Reputation Services

Richard Stiennon, Chief Research Analyst, IT-Harvest
2011 IT-Harvest

IPS AND REPUTATION SERVICES

REPUTATION IS REQUIRED FOR EFFECTIVE IPS

Reputation has become an effective and required ingredient in many aspects of security. Using a large database of known suspicious or malicious source IP addresses, and even URLs, has dramatically improved spam filters and secure web gateways. Now reputation is beginning to be used to improve the effectiveness of Intrusion Prevention Systems (IPS). How an IPS employs reputation will be the determining factor in the success of the solution.

Anti-spam vendors have long used reputation. Through a series of honeypots (email accounts set up to capture spam samples) it is possible to quickly identify the sources of spam, usually infected hosts belonging to consumers with broadband access. The behavior of such a spam bot is easy to identify as it spews millions of spam messages. Once a source is identified it is simple to update anti-spam solutions with a list of spam sources that are blocked automatically. This saves processing: the individual messages do not need to be examined at all. Dropping connections from a list of known-bad sites is one of the fastest operations a network device performs, and thus one of the least taxing.

Secure web gateways also rely on reputation to quickly identify sources of malware and block access to URLs that are known to host it. Discovering malicious URLs, however, needs a different approach. Honeypots in the form of passive email accounts are not effective at discovering sources of malware, and neither is a link-following web crawler of the kind Google operates. Most reputation services for identifying malicious sites rely instead on a large installed base of deployed appliances that report new URLs and their associated behavior back to a central database for automated inspection, backed up by teams of researchers for the sites that defy automated analysis. Through this technique a real-time list of bad URLs is formed and pushed back out to the secure web gateways for blocking.
IPS products have traditionally depended on signatures. Signatures that are written to be general purpose, blocking a whole category of potential exploits against known vulnerabilities, can cause false positives and thus block legitimate connections. While IPS vendors strive to reduce these false positives and increase the effectiveness of their signature bases, they are also beginning to borrow from the success other solutions have had with reputation.

An example of how reputation services could protect an organization is provided by the recent attack against NASDAQ's Directors Desk service. Directors Desk is a service that NASDAQ offers to public companies whose stock is traded on the NASDAQ exchange: a third-party hosting solution for critical documents and communication generated by the boards of over 230 companies, with over 10,000 users. In February 2011 it was revealed that malware had been inserted into the Directors Desk portal. This is a common way for attackers to target high-value users. In this case the users were high value because they had access to valuable inside information and, from a cyber criminal's perspective, were likely to engage in high-value transactions on other platforms such as banking and stock trading sites. Infecting their machines to garner additional information on target organizations, or to steal access credentials, would justify the attack. Similar infections through ad-serving sites have been recorded. Once the NASDAQ site had been identified as compromised, whether through publication or through detection by continual IPS reputation evaluation, an IP reputation service would have given system administrators early warning of the attack.

Reputation, if properly executed, can improve both the performance and the accuracy of modern IPS solutions. Developing a reliable, scalable, and effective reputation service is the key to effective IPS and will quickly become a required function in next generation IPS. This paper examines the IPS solutions that have begun to use reputation services, looking specifically at flexibility, effectiveness and performance. Of note, a number of IPS vendors were not included in this study because they lack a reputation solution.

Cisco

Cisco acquired IronPort, an email gateway anti-spam and protection vendor, in 2007. IronPort's strongest feature was the use of reputation to enhance the speed and accuracy of spam blocking. Cisco has incorporated some of IronPort's technology into the IPS that is available for the Cisco ASA gateway device (note that the ASA is a firewall with a separate card that can be configured to provide either anti-virus delivered from Trend Micro or Cisco's own IPS service). Cisco's Global Correlation is a cloud-based store of attack sources and provides threat scores from 1 to 10.
Like all reputation services, Global Correlation can also incorporate feeds of known attack sources and command and control servers provided by open source and private research teams. Cisco derives reputation from its SensorBase: all the IPS devices, firewalls, web proxies, and IronPort gateways that have enrolled. The assignment of reputation scores from 1 to 10 is done automatically in Cisco Security Intelligence Operations (SIO), a cloud-hosted database of signatures and reputations. Cisco IPS is available in the stand-alone IPS 4200 series appliances and in the Advanced Inspection and Prevention (AIP) Security Services Modules or Security Services Cards (SSM or SSC) for the Cisco ASA 5500 series. Global Correlation reputation data is delivered as an update feed every 3 to 5 minutes for low reputation scores and immediately for any source scored from 8 to 10. Cisco IPS scores threats from 1 to 10, and in version 7.0 of the Cisco IPS appliance software and 8.2 for ASA appliances reputation is used to adjust those scores. However, direct visibility into the reputation score of a particular IP address is not available, and rules cannot be written that take advantage of reputation.

HP TippingPoint

HP TippingPoint is the IPS technology that HP acquired along with 3Com in 2010. The HP TippingPoint Reputation Digital Vaccine (RepDV) is a product of HP DVLabs. Globally deployed sensors in the ThreatLinQ network, as well as customer IPS appliances, provide a constant stream of known attacks and misbehavior attributed to IP addresses. A threat score of 1 to 100 is applied, and IPS devices receive a constantly updated feed of both IP addresses and domains with their associated threat scores. The database is aged and refreshed quickly (every two hours), which avoids unwarranted black-holing of innocent IPs.

The HP TippingPoint RepDV service is the most feature-rich reputation service we have investigated for IPS. In addition to IP and domain reputations, an administrator can choose to block entire ranges of IP addresses by country. Feeds are incorporated from numerous sources including open source lists, SANS, and the ThreatLinQ database. Customers can add their own blacklists or modify feeds by whitelisting sources. Customers also have access to the ThreatLinQ library of threat data to help understand why a particular IP address or domain has received its score. Reputation feeds are tagged with additional information that assists in setting policies. The source of the feed is one such tag, so, for instance, one could apply one policy to threats reported by SANS and another policy to an internally generated blacklist.

A critical capability that is rapidly becoming one of the most important functions of an IPS is the ability to detect and block communication from inside a network to known bad IP addresses. This anti-botnet feature, often called beaconing detection, is one of the most powerful tools for countering Advanced Persistent Threats that have managed to infiltrate a network and exfiltrate data to the command and control servers of cyber criminals or state-sponsored industrial spies.
Juniper Networks

Juniper Networks is another IPS vendor that has incorporated IP reputation into its IPS appliances. Each deployed appliance can report new suspicious attack sources back to the cloud; these are incorporated into the threat database and pushed to all appliances subscribed to the service. Juniper's management interface does not provide much visibility into how reputation is applied to arrive at risk scores, and there is no ability for the administrator to add or change reputation rules.

TopLayer

TopLayer is an IPS and DDoS mitigation vendor. It depends on the SANS DShield service, which collects log data from IDS sensors deployed around the world; TopLayer uses this data to create a list of IP addresses that are behaving poorly and provides it as a feed to its IPS 5500 appliances. Customers can choose to block traffic from those IP addresses. This improves performance by reducing the amount of traffic the IPS has to inspect. Threat scores are not created, so the service is binary in nature: either allow or deny, with no inherent ability to inform IPS decisions with finer judgement. It is therefore not a full implementation of IPS reputation services.

McAfee

McAfee's IPS product is the Network Security Platform, an in-line appliance based on the technology acquired with IntruVert. McAfee has incorporated reputation services derived from its Global Threat Intelligence network connection reputation service. Data is collected from a global network of participating devices, and each source is assigned a threat score based on its association with bad behavior such as participation in a botnet or a DDoS attack. IPS administrators can use these threat scores to determine what action to take based on policy. McAfee shares with TippingPoint the ability to block communication from Advanced Persistent Threats to their command and control servers.

IBM

The IBM ISS global filter database is one of the largest environments for cataloging and ranking the reputations of domains, URLs, and malicious content. It comprises over 1,000 clustered CPUs. It combines web crawling with open source lists, as well as custom lists created from input from the X-Force research team. Customers can elect to set their IBM security products to report unclassified URLs as well. The core technology of the global filter database was acquired by ISS in 2004 with the purchase of the German company Cobion, an early innovator in the automatic classification of web sites.
The reputation database sends updates to IBM Security's web and email filtering products. While the IBM Security IPS products, which are stand-alone IPS appliances, do not receive these updates, the IBM Proventia Multifunction Security Appliance does. There the reputation scores are used to block spam and to update the URL content filtering service of this UTM device.

CRITICAL FEATURES OF REPUTATION-ENHANCED IPS

As reputation becomes recognized as a game-changing way to enhance the efficiency, reliability, and effectiveness of IPS products, IT-Harvest has identified the following components of best-in-class use of reputation for IPS.

Reputation intelligence gathered from customer networks. IPS appliance vendors have the opportunity to collect reputation data from their deployed base. The size and distribution of that base is key to feeding the reputation database and refining negative reputation scores. Customer networks see real attacks coming from malicious source IP addresses, which makes this approach much more effective than web crawlers or honeypots.

Feeds from third parties. There are many open source lists of malicious hosts and command and control servers, such as Spamhaus, DNS-based real-time block lists (DNSBLs), and Shadowserver.org. A key feature is the ability to accept feeds from these organizations into the IPS reputation service.

Policy based on reputation score. Every IPS needs tuning based on the types of assets being protected within an organization, as well as the types of services and attacks that need to be allowed or denied. Setting policy based on the scoring provided by the reputation service enhances the administrator's ability to eliminate false positives and to block as much suspicious traffic as possible.

Knowledge base. It is valuable to understand the reputation scores of individual attack sources. Vendors should make their knowledge base easy to navigate so that the administrator can see exactly why a particular score was assigned.

Customer blacklists/whitelists. Every environment will encounter special use cases where either blocking particular IP addresses (blacklisting) or always allowing them (whitelisting) is required. This level of customization is required to make reputation services usable.
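The feature checklist above, together with the points made in the HP TippingPoint section (feeds tagged by source with a policy per source, a database that is aged every two hours, customer overrides, a stated reason for every score, and blocking of outbound beacons to known-bad hosts), is easier to see as a small policy engine. The following is an added example written for this edit; it is not code from the paper or from any of the vendors discussed. The feed line format, the 1 to 100 score range, the per-source thresholds, the TTL and every address in it are assumptions, and the feed lines and flow records are constructed sample data.

```python
"""Reputation-gated IPS policy engine (added illustration, not vendor code).

Several feeds tagged by source, a per-source block threshold on a 1-100
score, ageing of stale entries, a customer whitelist, an explanation with
every verdict, and direction-aware handling so that outbound connections
to a listed host are treated as beacons. All parameters are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network

# Constructed sample feed lines: "<ip-or-cidr> <score 1-100> <reason>"
FEEDS = {
    "vendor":   ["203.0.113.7 95 botnet C2", "198.51.100.0/24 60 scanning"],
    "sans":     ["192.0.2.10 80 ssh brute force"],
    "internal": ["192.0.2.200 100 analyst blacklist"],  # customer's own blacklist
}
# Customer whitelist (assumed): a partner host that sits inside a scored range
WHITELIST = [ip_network("198.51.100.5")]
# Per-source block thresholds (assumed policy). Below the threshold a flow is
# still handed to signature inspection rather than dropped outright.
THRESHOLD = {"vendor": 80, "sans": 70, "internal": 1}
TTL = 2 * 3600  # seconds; an entry not refreshed within this window is aged out


@dataclass(frozen=True)
class Entry:
    net: IPv4Network | IPv6Network
    score: int
    source: str
    reason: str
    loaded_at: int  # epoch seconds at ingest


class ReputationDB:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def ingest(self, source: str, lines: list[str], now: int) -> None:
        """Parse one feed and tag every entry with its source and load time."""
        for line in lines:
            net, score, reason = line.split(" ", 2)
            self.entries.append(Entry(ip_network(net), int(score), source, reason, now))

    def expire(self, now: int) -> None:
        """Age out entries older than TTL so a cleaned-up host is not black-holed forever."""
        self.entries = [e for e in self.entries if now - e.loaded_at < TTL]

    def lookup(self, ip: str) -> Entry | None:
        """Return the highest-scored entry covering the address, or None."""
        addr = ip_address(ip)
        hits = [e for e in self.entries if addr in e.net]
        return max(hits, key=lambda e: e.score) if hits else None


def build_db(now: int) -> ReputationDB:
    db = ReputationDB()
    for source, lines in FEEDS.items():
        db.ingest(source, lines, now)
    return db


def decide(db: ReputationDB, flow: dict, now: int) -> tuple[str, str]:
    """flow: {'direction': 'in'|'out', 'src': ip, 'dst': ip}.
    Returns (action, reason); action is 'block' or 'inspect'."""
    db.expire(now)
    outbound = flow["direction"] == "out"
    peer = flow["dst"] if outbound else flow["src"]  # the external party to score
    addr = ip_address(peer)
    if any(addr in w for w in WHITELIST):
        return ("inspect", f"{peer} whitelisted: signature inspection only")
    e = db.lookup(peer)
    if e is None:
        return ("inspect", f"{peer} has no reputation: signature inspection")
    if e.score >= THRESHOLD[e.source]:
        kind = "beacon to" if outbound else "attack from"
        return ("block", f"{kind} {peer} score={e.score} source={e.source} ({e.reason})")
    return ("inspect", f"{peer} score={e.score} below {e.source} threshold {THRESHOLD[e.source]}")


if __name__ == "__main__":
    db = build_db(now=1000)
    flows = [  # constructed flow records
        {"direction": "in",  "src": "192.0.2.10",   "dst": "10.0.0.20"},    # SANS-listed scanner
        {"direction": "in",  "src": "198.51.100.5", "dst": "10.0.0.20"},    # whitelisted partner
        {"direction": "in",  "src": "198.51.100.9", "dst": "10.0.0.20"},    # scored 60, inspect
        {"direction": "out", "src": "10.0.0.5",     "dst": "203.0.113.7"},  # beacon to C2
        {"direction": "out", "src": "10.0.0.5",     "dst": "192.0.2.200"},  # internal blacklist
    ]
    for f in flows:
        print(decide(db, f, now=1100))
```

Running the block prints one verdict per constructed flow. The inbound connection from the SANS-scored scanner and both outbound connections to listed hosts are blocked before any signature inspection is spent on them, which is the performance argument the paper makes; the whitelisted partner and the source scored below its feed's threshold fall through to normal inspection. The same address can carry different verdicts depending on direction, which is what makes the outbound case a beacon rather than an attack, and the `expire` step is what keeps a host that was cleaned up two hours ago from being black-holed indefinitely.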

FEATURE                               CISCO   JUNIPER   McAFEE   IBM   TopLayer   HP
Intel from own devices
Feeds from 3rd parties
Policy based on reputation score
Knowledge base
Customer black listing/white listing
(The per-vendor marks in this table did not survive transcription; the vendor sections above describe which of these features each product offers.)

CONCLUSION

An effective reputation service must have three primary qualities to enhance IPS catch rates and throughput. First is the quality and number of deployed sensors that capture and report attack sites. Second is the research and automation that turns those reports into a constantly updated stream of sources. Third is the management interface that allows flexibility in applying reputation. From our investigation of the available data, HP Networking's TippingPoint IPS solution makes the best use of reputation for IPS.

REFERENCES

IBM ISS global filter database content analysis technology: http://www.ibm.com/common/ssi/fcgi-bin/ssialias?infotype=sa&subtype=wh&appname=gtse_gt_gt_usen&htmlfid=gtw03026usen&attachment=gtw03026usen.pdf

IBM Security Network Intrusion Prevention System data sheet: http://www.ibm.com/common/ssi/cgi-bin/ssialias?infotype=pm&subtype=sp&appname=swge_wg_wg_usen&htmlfid=wgd03002usen&attachment=wgd03002usen_hr.pdf

Spam real-time black lists: http://netwinsite.com/surgemail/help/rbl.htm

Shadowserver.org mission: http://www.shadowserver.org/wiki/pmwiki.php/shadowserver/mission

NASDAQ Directors Desk exploit: http://nakedsecurity.sophos.com/2011/02/06/nasdaq-reports-hackers-broke-into-servers/