(S2.1) The importance of security intelligence in choosing a network protection system Johannesburg
Simon Leech CISSP-ISSAP CISM CRISC
Agenda: Framing the Problem; Working with Security Intelligence; HP Network Security Solutions
Framing the Problem: The Growing Cost of Cyber Crime! Cyber attacks continue to occur more frequently.
[Chart residue: Cost in m$ (values 11.6, 6.5, 8.4, 8.9) and Time in days (values 27, 24, 18, 14), both plotted over 2010, 2011, 2012, 2013]
Why? Data loss is the top spending priority for CIOs worldwide. [1] Data breaches have an average cost of $7.2M. [2] Every three seconds someone becomes a victim of identity theft. [3] Target hacked, 70M records and 40M credit card numbers stolen. [4]
Data from HP 2012/3 Cyber Security Risk Study.
Sources: 1 Gartner, June 15, 2011, Lawrence Pingree; 2 Ponemon Institute, October 2012; 3 USA Today; 4 Krebs on Security, 2/14
4
Challenges you are facing
1 Nature and motivation of attacks (fame to fortune, market adversary) - SECURITY INTELLIGENCE. Attack lifecycle: Research, Infiltration, Discovery, Capture, Exfiltration
2 Transformation of enterprise IT (delivery and consumption changes) - SECURITY TECHNOLOGY. Delivery: Traditional DC, Private cloud, Managed cloud, Public cloud. Consumption: Virtual desktops, Notebooks, Tablets, Smart phones
3 Regulatory pressures (increasing cost and complexity) - SECURITY GOVERNANCE. Example: Basel III
5
Defining the adversary: Cybercrime is a market with a distinct process. Actors organize and specialize; intelligence is bought and sold. The adversary ranges from Hacktivist to Nation state. 6
Redefine your ability to disrupt the enemy. Their ecosystem: Research, Infiltration. Our enterprise: Discovery, Capture, Exfiltration. This all happens on your network. It's your job to prevent this. 7
How does security intelligence help you? Know your enemy. Keep your game fresh. Even the score. [Scoreboard graphic: HOME AWAY 1-1] 8
Dealing with vulnerabilities: Understand the weaknesses that you have inherited. Understand the weaknesses that you have created. (Understand the weaknesses that you can use.) Make your security intelligence work. 9
Vulnerability Bounty Programs Good or Bad? 10
It's not just the bounty programs. Probably outside the realm of most information security policies, but definitely becoming a usable tactic in the art of cyber warfare. 11 Articles from Andy Greenberg, Forbes.com
Important to make security intelligence actionable
Ecosystem partners: ~3,000+ independent researchers; SANS, CERT, NIST, OSVDB, software and reputation vendors; 2,000+ customers sharing data; 7,000+ managed networks globally
DVLabs Research & QA and HP Security Research turn this input into actionable security intelligence, automatically integrated into HP products
HP finds more vulnerabilities than the rest of the market combined; top security vulnerability research organization for the past four years; information shared with the community via the HPSR blog
12
Every Second Matters for Security Effectiveness
Over 8,700 filters published to date; over 3,000 security researchers; focused on vulnerabilities rather than exploits
Frost & Sullivan Market Share Leadership Award for Vulnerability Research 4 years in a row!
[Chart: Microsoft Vulnerability Acknowledgements per year, 2006 to 2013, y-axis 0 to 300] 8x MSFT competitor over last 8 years
At any time, 200 to 300 zero day vulnerabilities only HP knows about; TP customers enjoy Zero Day peace of mind
Compiled from public data available at http://www.microsoft.com/technet/security/current.aspx and Adobe Advisories
13
Proactive Zero Day Coverage: CVE-2014-1761. Every second matters! 24/3/14 - Microsoft announced an RTF file format vulnerability in MS Word, with an exploit sample in the wild. No patch until 8/4/14; the workaround is to disable opening RTF content in Word. HP TippingPoint customers have enjoyed proactive protection since December 2012, 16 months before the patch. A comprehensive write-up is available on the HPSR blog. 14
Need for Security Technology: The Network Infrastructure Has Revolutionized Mainframe Client/Server Web Computing Mobile & Cloud Computing 15
The Network Security Industry Is Falling Short Mainframe Client/Server Web Computing Mobile & Cloud Computing 16
The Legitimate User is Now the Primary Point of Infiltration... [Icons: SFDC, Box, Google] 17
Blocking Adversary Access Directly to Apps & Data Used to be Enough... in your Data Center in your Campus Network in your Branch Office 18
...Today We Need to Protect Interactions to Apps, Data & Users [Icons: SFDC, Box, Google] 19
Brief History of the Network Security Market (timeline from 2001 to today): Stateful Firewalls, IDS, UTM, NGFW, HP TippingPoint NGIPS 20
HP Stateful Firewalls: high performance stateful firewall, deployed at the core of medium-large enterprise datacenters
- VPN Firewall 10500/11900/7500 Module
- VPN Firewall 12500 Module
- VPN Firewall F5000-A: 40 Gbps appliance
- VPN Firewall F5000-C/S: 12/20 Gbps appliance
- VPN Firewall F1000: 2/4/8 Gbps appliance
2-40 Gbps firewall throughput per device; up to 16 chassis-based modules per chassis. Scalable: aggregated in a single switch chassis, or as a stand-alone appliance. High availability and simplified management. Full featured virtual firewall supporting multi-tenant deployments. Data center oriented firewalling.
21
HP TippingPoint protects users, apps and data with market leading network security. Simple: easy to use, configure and install, with centralized management. Effective: industry leading security intelligence with weekly DVLabs updates. Reliable: NGIPS with a 99.99999% network uptime track record. 22
HP TippingPoint Network Defense System: automated, scalable threat protection. SMS (Security Management System) manages proactive NGIPS sensors: dirty traffic goes in, clean traffic comes out. The Network Defense System (NDS) platform is designed for future security demands and services.
Security: leading security research, fastest coverage, broadest coverage, filter accuracy. Costs: quick to deploy, automated threat blocking, easy to manage, in-line reliability, in-line performance (throughput/latency).
23
IPS Platform Solutions
IPS models, inspection throughput and segments:
- 10: 20 Mbps, 2 segments
- 110: 100 Mbps, 4 segments
- 330: 300 Mbps, 4 segments
- 660N: 750 Mbps, 10 segments
- 1400N: 1.5 Gbps, 10 segments
- 2600NX: 3 Gbps, up to 24 segments
- 5200NX: 5 Gbps, up to 24 segments
- 6200NX: 10 Gbps, up to 24 segments
- 7100NX: 15 Gbps, up to 24 segments
- 7500NX: 20 Gbps, up to 24 segments
Management: Security Management System (SMS), virtual or physical appliance; Virtual Security Management System, manages multiple units from a central dashboard; SSL Appliance S1500S, transparent SSL bridging and off-loading
Security intelligence: Digital Vaccine (broadest coverage, evergreen protection); Digital Vaccine Toolkit (custom signatures, Snort import); Web App DV and Scanning (web scan, custom filters, PCI report); Reputation DV (IP reputation, DNS reputation); ThreatLinQ (real-time threat intelligence)
24
Next Generation Security Platform, purpose-built for in-line performance
- Transparent (no MAC or IP address); performs like a switch
- NO forwarding tables (unlike a router/switch/firewall)
- Inspects ALL packets at the APPLICATION layer
- No noticeable latency (<40 us); special mode for bounded latency
- Performs cross-packet reassembly and stateful tracking of flows/sessions (2.6 million sessions)
- Does NOT drop traffic when the flow limit is reached
- Will NOT drop traffic if a packet enters mid-flow
- Provides PREDICTABLE and RELIABLE performance
- Can be installed anywhere in the network: core, edge, perimeter, service providers
- Completely effective in both asymmetric and symmetric networks out of the box
- Blocks attacks in REAL-TIME
- Will ADAPT to the ever changing attack landscape
25
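The slide above lists two behaviours that matter when an inspection device sits in-line: traffic is forwarded rather than dropped when the flow table is full, and a packet seen mid-flow is adopted instead of being discarded. The following is an added illustration of that flow-table policy, not HP's engine or code; the class and sample names (InlineEngine, Packet, Flow, run_demo) and the traffic are constructed. It also shows the defender's caveat a practitioner would want: fail-open pass-through means lost inspection coverage, so table saturation must be counted and alerted on.

```python
"""Flow-table behaviour of an in-line inspection engine (constructed example).

Not HP's engine: a bounded flow table, fail-open forwarding (counted) when
the table is full, and adoption of packets that arrive mid-flow.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    syn: bool = False          # True on the first packet of a TCP connection


@dataclass
class Flow:
    packets: int = 0
    octets: int = 0
    seen_syn: bool = False     # False means the flow was picked up mid-stream


class InlineEngine:
    def __init__(self, max_flows, filters):
        self.max_flows = max_flows
        self.filters = filters       # [(name, predicate(flow, packet) -> bool)]
        self.flows = OrderedDict()   # LRU order: oldest entry first
        self.stats = {"inspected": 0, "blocked": 0,
                      "uninspected_passthrough": 0, "midflow_adopted": 0}

    @staticmethod
    def flow_key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)   # same key for both directions

    def process(self, p):
        key = self.flow_key(p)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_flows:
                # Table saturated: forward without inspection rather than drop.
                self.stats["uninspected_passthrough"] += 1
                return "forward-uninspected"
            flow = Flow()
            if not p.syn:
                self.stats["midflow_adopted"] += 1   # no SYN seen, adopt anyway
            self.flows[key] = flow
        else:
            self.flows.move_to_end(key)
        flow.packets += 1
        flow.octets += len(p.payload)
        flow.seen_syn = flow.seen_syn or p.syn
        self.stats["inspected"] += 1
        for name, hit in self.filters:
            if hit(flow, p):
                self.stats["blocked"] += 1
                return "block:" + name
        return "forward"

    def saturation_alert(self):
        """Defender check: any uninspected pass-through means coverage was lost."""
        return self.stats["uninspected_passthrough"] > 0


def run_demo():
    """Constructed traffic against a two-entry table; returns (verdicts, stats, alert)."""
    # Constructed test filter: a literal marker standing in for a real signature.
    filters = [("test-signature", lambda f, p: b"TEST-SIGNATURE-1" in p.payload)]
    eng = InlineEngine(max_flows=2, filters=filters)
    traffic = [
        Packet("10.0.0.5", 40000, "192.0.2.10", 443, syn=True),            # flow A starts
        Packet("10.0.0.6", 40001, "192.0.2.11", 80, b"GET / HTTP/1.1"),     # flow B seen mid-stream
        Packet("10.0.0.7", 40002, "192.0.2.12", 22, syn=True),              # flow C: table full
        Packet("192.0.2.10", 443, "10.0.0.5", 40000, b"TEST-SIGNATURE-1"),  # reply on flow A
        Packet("10.0.0.6", 40001, "192.0.2.11", 80, b"Host: example"),      # more of flow B
    ]
    return [eng.process(p) for p in traffic], eng.stats, eng.saturation_alert()


if __name__ == "__main__":
    print(run_demo())
```

With a two-entry table, the third new flow is forwarded uninspected and the saturation alert fires; the reply on flow A is still matched because the flow stayed in the table. A real sensor sizes the table in the millions, but the monitoring point is the same: track the pass-through counter, because it is the measure of how much traffic the device did not see.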
Drivers to Next Generation Firewall
1 Changing threat landscape (sophistication and number of attacks)
2 Attack vector explosion (applications, locations, devices)
3 Loss of visibility/control (traffic, undesirable/evasive applications)
4 Reduce cost of management (disparate solutions, non-integrated policy)
Response: Next Gen IPS plus Enterprise Firewall with integrated policy, DVLabs research and feeds, user and app policy
26
What is a Next Generation Firewall?
1. It's a traditional stateful firewall: first-generation firewall capabilities such as network address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN)
2. It's an intrusion prevention system: an integrated signature-based IPS engine that performs in-line deep packet inspection and executes policy-based rules
3. Provides application awareness and control: full stack visibility and granular application control
4. Incorporates information from outside the firewall: directory-based (user-based) policy, blacklists (reputation) and white lists
5. Is upgradable to include future information feeds and security threats: provides new services to protect against future attack scenarios
27
TippingPoint Next Generation Firewall (NGFW) series: provides visibility and control, deployed at the edge of the network. Models: TippingPoint NGFW S1050F, S3010F/S3020F, S8010F/S8005F.
Simple to configure and install, with centralized management. Effective security based on industry leading security intelligence with weekly DVLabs updates (8,700 filters of network protection, over 3,000 security researchers). Reliable, with a 99.99999% (seven 9s) network uptime track record. Inline deployment, ideally at the edge of the network.
28
HP NGFW is
Simple: deploys in minutes; easy and powerful management; unified management of NGIPS and NGFW; set-and-forget security
Effective: Enterprise FW + NGIPS; proven accuracy; automatic updates; Zero Day threat protection; protect users and disrupt botnets with RepDV; optimize network performance with application and user policy
Reliable: inline deployment without affecting network performance; active-passive 2-node high availability; transparent bypass; built on HP's proven NGIPS engine and security filters; leverage the power of HP Enterprise Security with NGFW & ArcSight
29
Simple: Easy and Powerful Management
Best of breed central management with SMS: unified management of IPS and NGFW devices; keep security current with DV active update; advanced reporting & visualization; SMS 4.0 adds support for NGFW
Powerful when you need it: role based access control; forensic reporting; ArcSight Logger for universal log management; 3rd party integrations
Easy to use: on-box web interface; full command line interface
30
Effective: World Class Security Research (repeats the research figures and the Microsoft Vulnerability Acknowledgements chart of slide 13) 31
Effective: Firewall Policy
Powerful and succinct rules: action, traffic selectors, services; negation and exclude constructs; applications, users and schedules
Actions: block, rate limit, trust, trap, email, pcap
Bulk enable/disable; default block rule logging
Position rules most specific at top
Collapse multiple rules into one using multiple selectors (like an "or"), where the policy/action is the same
Applications/stateful elements optional; inspection profile can be set per rule
32
Effective: Applications and IPS
All web apps look the same to a stateful FW; HP NGFW detects apps regardless of port, and every bit of every packet is inspected
Sequence: match stateful FW rule (IPS with unknown profile) -> app detected -> change matching FW rule (FW rule specific profile). NGFW checks for a better rule match on app detect; IPS can be applied during the app detect phase
NGFW can block encrypted applications
App groups future-proof policy, auto-changing when new apps are added to a category; application updates delivered with the DV update
33
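The two slides above describe the rule model (action plus OR-ed traffic selectors, negation, most-specific-first ordering, a logged default block, a per-rule inspection profile) and the two-phase match: a stateful decision when the app is still unknown, then a re-evaluation once the app has been detected, which may switch the session to a better-matching rule. The following is an added worked example of that model, written here to make it concrete; it is not TippingPoint code and its names (Selector, NetSelector, Rule, Policy, session_decision), sample rules, addresses and app labels are constructed. It also adds the check an operator wants when "most specific at top" is the rule of thumb: a lint that reports rules shadowed by a broader rule above them.

```python
"""Firewall policy evaluation with selectors, negation, ordering and app re-match.

Constructed example, not HP TippingPoint code; all names and sample data are assumed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Selector:
    """Set of values with OR semantics; empty set means 'any'; negate = exclude."""
    values: frozenset = frozenset()
    negate: bool = False

    def matches(self, value):
        if not self.values:
            return True
        hit = value in self.values
        return not hit if self.negate else hit

    def covers(self, other):
        """True if every value 'other' can match is also matched by self."""
        if not self.values:
            return True
        if self.negate or other.negate or not other.values:
            return False
        return self.values >= other.values


@dataclass
class NetSelector:
    """Like Selector, but values are CIDR prefixes and the input is an IP string."""
    nets: tuple = ()
    negate: bool = False

    def matches(self, ip):
        if not self.nets:
            return True
        addr = ip_address(ip)
        hit = any(addr in ip_network(n) for n in self.nets)
        return not hit if self.negate else hit

    def covers(self, other):
        if not self.nets:
            return True
        if self.negate or other.negate or not other.nets:
            return False
        return all(any(ip_network(b).subnet_of(ip_network(a)) for a in self.nets)
                   for b in other.nets)


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" / "block" / "rate-limit"
    src: NetSelector = field(default_factory=NetSelector)
    dst: NetSelector = field(default_factory=NetSelector)
    service: Selector = field(default_factory=Selector)   # e.g. "tcp/443"
    user: Selector = field(default_factory=Selector)      # directory identity
    app: Selector = field(default_factory=Selector)       # known only after detection
    inspection_profile: str = "default"           # IPS profile applied per rule
    log: bool = False

    def matches(self, ctx):
        return (self.src.matches(ctx["src"]) and self.dst.matches(ctx["dst"])
                and self.service.matches(ctx["service"]) and self.user.matches(ctx["user"])
                and self.app.matches(ctx.get("app")))

    def covers(self, other):
        return all(getattr(self, d).covers(getattr(other, d))
                   for d in ("src", "dst", "service", "user", "app"))


class Policy:
    def __init__(self, rules):
        self.rules = list(rules)
        self.default = Rule("default-block", "block", log=True)  # default deny, logged

    def evaluate(self, ctx):
        for rule in self.rules:            # first match wins, so order matters
            if rule.matches(ctx):
                return rule
        return self.default

    def shadowed_rules(self):
        """Rules that can never fire because a broader rule sits above them."""
        return [(above.name, below.name)
                for i, above in enumerate(self.rules)
                for below in self.rules[i + 1:] if above.covers(below)]


def session_decision(policy, ctx, detected_app):
    """Stateful match first (app unknown), then re-evaluate once the app is detected."""
    first = policy.evaluate(dict(ctx, app=None))
    final = policy.evaluate(dict(ctx, app=detected_app))
    return first.name, final.name


# Constructed sample policy: most specific rules at the top.
SAMPLE_POLICY = Policy([
    Rule("block-guest-ssh", "block", src=NetSelector(("10.20.0.0/16",)),
         service=Selector(frozenset({"tcp/22"})), log=True),
    Rule("block-filesharing-apps", "block", app=Selector(frozenset({"filesharing"})), log=True),
    Rule("allow-web-inspected", "allow", service=Selector(frozenset({"tcp/80", "tcp/443"})),
         inspection_profile="web-strict"),
    Rule("allow-corp-non-guest", "allow", src=NetSelector(("10.10.0.0/16",)),
         user=Selector(frozenset({"guest"}), negate=True)),   # exclude construct
])
```

A session from 10.10.5.5 to tcp/443 first matches "allow-web-inspected" on the stateful 5-tuple; once detection labels it "filesharing", re-evaluation lands on "block-filesharing-apps" higher in the list, which is the rule switch the slide describes. Moving the app-specific rule below the broad web rule would not change the first match but would make the block unreachable for tcp/443 traffic, which is what shadowed_rules() reports; the same per-rule inspection_profile field is how the "unknown profile" versus "rule specific profile" distinction is carried.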
HP Network Protector SDN Application: perimeter protection is no longer enough; enables real-time threat detection across enterprise campus networks. Simple security for BYOD. Delivers real-time threat characterization with the HP TippingPoint DVLabs database. Protects from over 1 million botnet, malware & spyware malicious sites. Improves visibility and accuracy. Offers protection from over 1M botnet/malware threats. 34
HP Network security positioning
TippingPoint Next Generation Firewall (NGFW). Position: deployed at the perimeter of the network. Requirement: application visibility and control.
TippingPoint Next Generation IPS (NGIPS). Position: deployed at the (data center) perimeter. Requirement: intrusion prevention.
VPN Firewall Module / Appliance. Position: deployed at the core. Requirement: higher throughput due to intra-datacenter traffic.
HP Network Protector SDN Security App (integrated with TippingPoint DVLabs & ArcSight).
[Diagram residue: Data Center (access, core, routing): HP Switch, HP 12900/11900 with Firewall Module (or TippingPoint IPS), HSR, NGFW S80XXF, ProLiant Servers, F5000. Campus (core, routing): HP 10500/7500 Firewall Module, HP MSR, NGFW S30XXF, HP Switch, F5000/F1000, IP phone, Tablet, Laptop, EAD, UAM, IMC. Branch: HP MSR, NGFW S1050F, HP Switch, F1000, IP phone, Tablet, Desktops. WAN connects the sites.]
35
HP Security: disrupt the adversary, manage risk, and extend your capabilities (5000+). Disrupt the adversary: security technology. Manage risk: risk & compliance. Reduce cost & complexity: advisory & management. 36
Thank You
Send Question via twitter using #HPWorldZA Johannesburg