Security Solutions for the New Threats
We see things others can't
Pablo Grande, Sales Director, SOLA
pgrande@arbor.net
What a CISO Is Looking For
- Show progress on response time: "Measurably improve our incident response time."
- Solutions to reduce detection time: "I'm looking for zero detection time with forensics."
- Show progress on containing risk: "We'll have a benchmark of our current risk and the metrics to prove that we're stopping the threats."
- Solutions that are easy to deploy and use: "My staff isn't skilled with these tools, and training or mistakes are costly."
The New Breed of Advanced Threats
[Chart: attack spectrum ranging from loud to quiet, with botnets placed on the spectrum]
Five Styles of Advanced Threat Defense
Matrix of where to look (network payload, network traffic, endpoint) against time (real time / near real time vs. post compromise, days/weeks):
- Network payload, real time: Payload Analysis
- Network traffic, real time: Network Traffic Analysis (Peakflow, Pravail APS + NSI)
- Network, post compromise: Network Forensics (Pravail SA)
- Endpoint, real time: Endpoint Behavior Analysis
- Endpoint, post compromise: Endpoint Forensics
Arbor's Roots Are In Understanding Traffic Patterns
[Diagram: view of internal and external traffic and attack risk, feeding Security Operations & Incident Response; attack traffic vs. legitimate traffic]
- Provider networks: fixed & mobile carriers
- Enterprise networks: perimeter defenses (firewall, IPS, secure web gateways)
- Enterprise assets: user devices, servers, databases
- Products shown: SP, TMS, APS, Network Security Intelligence, Security Analytics
- Threats shown: volumetric DDoS, multi-vector DDoS, botnets, cybercrime, insider theft, mobile / location-based; attackers include nations and groups
- External attacks: RATs, C&Cs, DDoS, botnets, data exfiltration
- Internal attacks: insider fraud, RATs, nation-state campaigns
Arbor: Securing the World's Largest Networks
- 100%: percentage of the world's Tier 1 service providers who are Arbor customers
- 130: number of countries with Arbor products deployed
- 140+ Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative right now (330+ ISPs sharing real-time data, a very significant portion of global Internet traffic!)
- 15: number of years Arbor has been delivering innovative security and network visibility technologies & products
- #1: Arbor market position in the Carrier, Enterprise and Mobile DDoS equipment market segments, with 67% of the total market [Infonetics Research]
ATLAS: Active Threat Level Analysis System
Monitoring of worldwide infrastructure for network-borne threats: Identify, Analyze, Protect.
1. Identify: ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity (malware, botnets, phishing, P2P, behavioral fingerprints).
2. Analyze: the information is sent to an ATLAS central repository (the ATLAS data center), where it is combined with Arbor, third-party, and vulnerability data.
3. Protect: ASERT analyzes the combined data and converts it into actionable intelligence, which is posted on the ATLAS public portal and pushed to customers' devices (Peakflow SP, Pravail NSI) in ISP networks.
Example of what we can see in real time: www.digitalattackmap.com
Anti-DDoS Solution Overview DDoS Defense for Datacenters
DDoS is an Exploding & Evolving Trend
More attack motivations:
- Geopolitical: Burma taken offline by DDoS attack
- Protests: Visa, PayPal, and MasterCard attacked
- Extortion: Techwatch weathers DDoS extortion attack
Greater availability of botnets:
- Better bots: more infected PCs with faster connections
- Easy access: using web 2.0 tools to control botnets
- Commoditized: cloud-based botnets, cheaper, more attacks
Increased volume: the largest volumetric DDoS has grown from 9 to 100 Gbps in 5 years [chart: largest single DDoS attack observed per year, in Gbps]
Increased complexity: over 25% of attacks are now application-based DDoS, mostly targeting HTTP, DNS and SMTP [chart: largest 7 DDoS attacks against IDC]
Increased frequency: >50% of data center operators experience >10 attacks per month [chart: average number of DDoS attacks per month]
DDoS Attack Categories
- Volumetric, brute-force attacks (traffic floods): exhaust resources by creating high bps or pps volumes; overwhelm the infrastructure (links, routers, switches, servers)
- Layer 4-7, smarter and slower attacks (TCP resource exhaustion): exhaust resources in servers, load balancers, firewalls or routers
- Application layer: take out specific services or applications
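The three categories above differ in what they exhaust, so a defender classifies them from different counters: raw bps/pps for volumetric floods, the fraction of SYNs that never complete a handshake for TCP state exhaustion, and request rate at layer 7 for application attacks. The Python below is an added illustration (not Arbor code, and not how Pravail APS classifies traffic); it applies fixed thresholds to constructed per-destination interval counters, and the thresholds, field names and sample values are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class IntervalStats:
    """Per-destination counters aggregated over one interval (constructed, NetFlow-like)."""
    dst: str
    seconds: int
    bytes: int
    packets: int
    syn_packets: int        # TCP SYN segments seen toward dst
    handshakes_done: int    # of those SYNs, how many completed the 3-way handshake
    http_requests: int      # HTTP requests toward dst, as counted by an L7 decoder


# Illustrative thresholds (assumed); real deployments baseline these per service.
BPS_FLOOD = 1_000_000_000   # 1 Gbps sustained toward one destination
PPS_FLOOD = 500_000         # 500 kpps
MIN_SYNS = 10_000           # ignore tiny SYN counts when computing ratios
INCOMPLETE_RATIO = 0.8      # share of SYNs that never complete -> state exhaustion
RPS_FLOOD = 5_000           # HTTP requests per second


def classify(s: IntervalStats) -> list[str]:
    """Return the slide's DDoS categories that this interval matches (possibly several)."""
    labels = []
    bps = s.bytes * 8 / s.seconds
    pps = s.packets / s.seconds
    # Volumetric: the link or packet budget itself is the target.
    if bps >= BPS_FLOOD or pps >= PPS_FLOOD:
        labels.append("volumetric")
    # Layer 4 state exhaustion: many SYNs, almost none become real connections.
    if s.syn_packets >= MIN_SYNS:
        incomplete = 1 - s.handshakes_done / s.syn_packets
        if incomplete >= INCOMPLETE_RATIO:
            labels.append("tcp-state-exhaustion")
    # Application layer: modest bandwidth, but a request rate the service cannot sustain.
    if s.http_requests / s.seconds >= RPS_FLOOD:
        labels.append("application-layer")
    return labels


# Constructed samples, one per category plus a quiet baseline (all values invented).
BASELINE = IntervalStats("198.51.100.10", 60, 600_000_000, 1_200_000, 20_000, 19_600, 60_000)
UDP_FLOOD = IntervalStats("198.51.100.10", 60, 120_000_000_000, 90_000_000, 1_000, 980, 600)
SYN_FLOOD = IntervalStats("198.51.100.10", 60, 720_000_000, 12_000_000, 11_000_000, 15_000, 1_200)
HTTP_FLOOD = IntervalStats("198.51.100.10", 60, 2_400_000_000, 6_000_000, 500_000, 498_000, 900_000)


def classify_all(samples: dict) -> dict:
    """Classify a batch of intervals, keyed by sample name."""
    return {name: classify(s) for name, s in samples.items()}


if __name__ == "__main__":
    for name, labels in classify_all({"baseline": BASELINE, "udp_flood": UDP_FLOOD,
                                      "syn_flood": SYN_FLOOD, "http_flood": HTTP_FLOOD}).items():
        print(f"{name:11s} -> {labels or ['normal']}")
```

The SYN flood sample deliberately stays under both volumetric thresholds (about 96 Mbps and 200 kpps) to show why a pure bandwidth view misses it, and the HTTP flood sample completes its handshakes normally, which is why it is only visible to the layer-7 counter.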
The Evolving Threat Against Data Centers
Attackers use a combination of techniques:
- Volumetric, brute-force DDoS: impact is ISP saturation on the upstream links (ISP 1, ISP 2 ... ISP n) in front of the data center
- Layer 4-7, smart DDoS: impact is exhaustion of service in the firewall, IPS and load balancers and in the target applications & services
[Diagram: ISPs feeding the data center through firewall, IPS and load balancers to the target applications & services]
DDoS Defense Offers in the Market
[Diagram: ISP 1, ISP 2 ... ISP n feeding a data center with firewall, IPS, load balancer and target applications & services]
- Cloud-based DDoS protection: an upstream scrubbing center, engaged through Cloud Signaling
- CPE-based DDoS protection: a device at the data center edge
Pravail APS + Arbor Cloud
[Diagram: same data center topology as the previous slide]
- Cloud-based DDoS protection: Arbor Cloud scrubbing center, engaged through Cloud Signaling
- On-premise DDoS protection: Pravail APS at the data center edge, in front of the firewall, IPS, load balancer and target applications & services
Visibility and Malware / Advanced Threat Protection for Networks
Advanced Threats Have Different Faces
The more complex the network, the more opportunities there are for advanced threats. Perimeter-based security devices can't protect the network from inside threats.
[Diagram: corporate network, data center, DMZ, private WAN and Internet, showing a rogue web server, a rogue access point, an unsupervised consultant, an inside attacker, a malware-infected host calling out to its botmaster, a stealth malware infection, a malware drop site and a new mobile device (BYOD)]
How NSI Works
[Diagram: the same threats (unsupervised consultant, inside attacker, rogue web server, stealth malware infection, malware-infected host calling out to botmaster, new mobile device (BYOD), malware drop site) placed across the corporate, data center and DMZ segments]
Step 1: Collect
Step 2: Analyze
Step 3: Get Visibility
Step 4: Take Action
How Pravail NSI Can Help (NSI 5100)
- Enterprise-wide visibility: know your network; see what needs to be protected
- Application intelligence: classify applications & traffic to discover new threats
- Identity tracking & forensics: see every BYOD device & user and determine if they are infected
- Easy compliance reporting: leverage built-in reports
- Advanced threat detection: profile critical systems and identify anomalous activity
Security Analytics & Forensics
Packet Capture or it didn't happen...
- Pravail SA uses the richest source of data: full packet captures
- Contains ALL of the network data, and can be taken from ANYWHERE in the network via TAP or SPAN
- Processed whenever you like, even years later
- Security analytics derived from each capture are cumulative
- Like CCTV for your network: play, pause and rewind your data
- Allows the analyst to explore and understand, delivering actionable intelligence
We see things others can't
We are 100% secure... are you sure?
- How can you look back in time to confirm what you didn't know then?
- Assume it has happened previously: how can you prove it?
- How do you confirm exact intent and impact?
- How do you learn from the past to improve your future security posture?
Looping for Zero-Day Attacks
Detection capability updates occur at different times. ALL stored traffic is replayed through the latest detection capability automatically.
- Month 1 traffic: the zero-day attack happens here. Total analytics data after 1 month.
- Month 2 traffic: detection capability update, but without a signature for the zero-day attack. All traffic looped: zero-day not found. Total analytics data after 2 months.
- Month 3 traffic: detection capability update INCLUDING a signature for the zero-day attack. All traffic looped: zero-day FOUND. Total analytics data after 3 months.
Now that the zero-day attack has been identified, the attack timeline can be established.
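The loop described above is a retrospective detection pass: stored traffic is immutable, the ruleset changes, and every update is re-run over everything already captured. The Python below is an added example, not Pravail SA's code, showing the idea on constructed captures: three months of stored packets, a first ruleset that lacks the zero-day signature, a second that includes it, and a timeline built from the hits once the signature fires. Packet contents, addresses, dates and the `ZD-PROBE-####` marker are invented placeholders standing in for a real pattern.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Packet:
    """A stored packet reduced to the fields the replay needs (constructed)."""
    ts: datetime
    src: str
    dst: str
    payload: bytes


# Constructed stored traffic: three months of captures, a few packets each.
CAPTURES = {
    "month1": [
        Packet(datetime(2014, 1, 3, 9, 12), "203.0.113.5", "10.0.0.20",
               b"GET / HTTP/1.1\r\nUser-Agent: SCANNER-UA/1.0\r\n"),
        Packet(datetime(2014, 1, 15, 22, 41), "203.0.113.77", "10.0.0.25",
               b"POST /api HTTP/1.1\r\nX-Probe: ZD-PROBE-0042\r\n"),
    ],
    "month2": [
        Packet(datetime(2014, 2, 3, 1, 5), "203.0.113.77", "10.0.0.31",
               b"POST /api HTTP/1.1\r\nX-Probe: ZD-PROBE-0043\r\n"),
        Packet(datetime(2014, 2, 20, 14, 0), "198.51.100.9", "10.0.0.20",
               b"GET /index.html HTTP/1.1\r\n"),
    ],
    "month3": [
        Packet(datetime(2014, 3, 8, 10, 30), "198.51.100.12", "10.0.0.20",
               b"GET /login HTTP/1.1\r\n"),
    ],
}

# Two successive detection capability updates (assumed): v1 has no zero-day
# signature, v2 adds one. The patterns are placeholders, not real signatures.
RULES_V1 = {"known-scanner": rb"SCANNER-UA/1\.0"}
RULES_V2 = {**RULES_V1, "zero-day-X": rb"ZD-PROBE-\d{4}"}


def compile_rules(rules: dict) -> list:
    return [(name, re.compile(pattern)) for name, pattern in rules.items()]


def replay(captures: dict, rules: dict) -> list:
    """Loop every stored packet through the given ruleset and return each hit."""
    ruleset = compile_rules(rules)
    hits = []
    for month, packets in captures.items():
        for pkt in packets:
            for name, pattern in ruleset:
                if pattern.search(pkt.payload):
                    hits.append({"month": month, "ts": pkt.ts, "sig": name,
                                 "src": pkt.src, "dst": pkt.dst})
    return hits


def attack_timeline(hits: list, sig_name: str):
    """Once a signature fires, reconstruct when and where it was seen across all stored traffic."""
    relevant = sorted((h for h in hits if h["sig"] == sig_name), key=lambda h: h["ts"])
    if not relevant:
        return None
    return {
        "first_seen": relevant[0]["ts"].isoformat(),
        "last_seen": relevant[-1]["ts"].isoformat(),
        "months": sorted({h["month"] for h in relevant}),
        "targets": sorted({h["dst"] for h in relevant}),
        "sources": sorted({h["src"] for h in relevant}),
    }


if __name__ == "__main__":
    # Update 1: replay finds only the already-known scanner.
    print("v1 timeline:", attack_timeline(replay(CAPTURES, RULES_V1), "zero-day-X"))
    # Update 2: the new signature reaches back into month 1 and 2 traffic.
    print("v2 timeline:", attack_timeline(replay(CAPTURES, RULES_V2), "zero-day-X"))
```

The point the slide makes is visible in the two runs: the same month 1 and month 2 packets are present both times, and only the second ruleset turns them into a dated, per-host timeline, which is what full packet retention buys over a stream that was inspected once and discarded.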
Thank You!