(1)

© 2014 NTT Com Security

Advanced Security and Risk Management for Cloud and Premise environments

Owen Cheng

(2)

NTT Com Security – Global Information Security & Risk Management Provider

(3)


NTT Group Security global footprint

(4)

NTT Com Security Services Pillars: Consulting & Managed Services

Technology Services
• Security Architecture Design
• Product Selection
• Global Procurement
• Global Deployment
• Global Staging
• Deployment Project Management

Consulting Services
• Vulnerability Assessment
• Penetration Testing
• Code Review
• Secure Coding
• Data Loss Prevention
• SIEM Advisory
• Regulatory Standards Advisory
• Compliance Risk Assessment & Audits
• Security Strategy & Policy Development
• Security Awareness

Managed Security Services
• Technical security phone support
• Remote Monitoring Service
• Remote Management Service (MSaaS)

(5)

NTT’s Global Threat Intelligence Report

During 2013

* NTT researched the threats and published the Global Threat Information Report 2014 (GTIR)

* We analyzed more than 3 Billion attacks on our customers, over the course of 2013 (that’s 97 separate attacks per second)

* The report also details specific case studies, Malware, Zero node, SQL injection

Findings

* 95% of losses could be reduced by focused investment

* 43% of incident response engagements were the result of malware

* 34% of events were the result of botnet activity

RESULTS: On average a typical organization is targeted once every minute of every day, including weekends, evenings, and holidays. During this presentation, your internet-connected device will probably be attacked half a dozen times and your organization will be attacked between 20 and 30 times.

(6)

Managed Security Services Trend

(7)

Market Trends: MSS Worldwide

Source: Gartner

Market Drivers

• Security Risks to Information Systems Are Expanding at a Rapid Rate, Often Overcoming Organization Resources and Talent

• Compliance Mandates Continue to Provide Support for MSS Growth

Buyers Trends

• Enterprise Buyers Prefer MSSPs With Strong Security Controls and Audit Transparency

• MSS Buyers Shift Away From the Stand-Alone IT Security Buyer and Expand to the Network Infrastructure Teams and the Business

Technology Trends

• MSSs Add Reputation Feeds and Blacklists to Enhance Customer Event Data With External Security Context

• Advanced Threat Protection Appliances Enter the MSSP Market

(8)

WideAngle Managed Security

(9)

POD Concept

Modular and easy to deploy infrastructure and the foundation for the GROC to deliver MSSP Services. PODs are interconnected over the GIN effectively making up a global platform embedded into multiple layers of the NTT Com

(10)

WideAngle Advantages

(11)


NTT WideAngle Managed Security Services

(12)

Unique NTT threat feeds

30,000+

1000+

+

Malware files identified & downloaded by our honeypots every day

=

Ability to create unique rules to combat threats

Unique honey pot & sandbox environments to capture malicious activity

Websites scanned across the world

(13)

Turns Data into Knowledge

Automated security analysis

3rd Party signatures

Global threat feeds

Custom threat trends

Proprietary signatures

Security enrichment (human validation)

Signature creation

Refined, actionable info

Security expert analysis

Business context

Information

Knowledge

Log/event data

(14)


Thank you

Owen Cheng

(15)

Next Generation Enterprise Security Platform – Enhancing your Security Framework

Charles Woo

18 June 2014

(16)

A Long Time Ago…Securing the Data Center was Simple

wired

Employee

On Premise Data Center

Apps in one place

Users in one place

Data in one place

(17)

Now….Network Security Pressures in the Data Center

Wired Wireless VPN VDI

Employees, Guests, Partners, Contractors, and Temporary Workers

• Modern threats – targeted, multi-vector, persistent

SAAS

Private Cloud

(18)

Applications Have Grown More Complex

80, 443, 135, 137, 139 3200, 3300, 8000, 3600, 8100, 50013, 50014, 65000 443, 3478, 5223, 50,000-59,999 3389, 53, 42, 8, 13, 15, 17, 137, 138, 139, 445, 1025, 123, 507, 750, 88+464, 389, 636, 3268, 445, 161, 162, 42424, 691, 1024-65535


(19)

The Emergence of the User Kingdom

(20)

Exploits Using Business Critical Applications

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.

• 10 out of 1,395 applications = 97% of the exploit logs; 9 of them are business critical

• 2,016 unique exploits, ~60M exploit logs

(21)

“Internet” changes the Network Boundary

© 2012 Palo Alto Networks. Proprietary and Confidential. Page 21 |

Need to restore visibility and control in the firewall

• Ports ≠ Applications

• IP Addresses ≠ Users

• Packets ≠ Content

(22)

Does it help?

Questions:

1. Can you find out “who” is using “what app” in 30 minutes?

2. Full visibility of traffic and threat?

3. How long do you take to react to an incident?

4. How can you enforce per user app control?

5. More devices = higher management effort and more error prone?

6. Can you really safely enable who can use what?

(23)

What about UTM?

Questions:

1. How many features do you think you can turn on?

2. Is it a well integrated enterprise solution? Or just an “all-in-one” SMB solution?

3. Can it really integrate app control for app safe enablement? Or is it just an app blocking solution by IPS engine?

(24)

The Answer? Make the Firewall Do Its Job

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify and control users regardless of IP address, location, or device

3. Protect against known and unknown application-borne threats

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, low latency, in-line deployment

(25)



Palo Alto Networks Next-Generation Firewalls

Enabling Applications, Users and Content

• Applications: Safe enablement begins with application classification by App-ID.
  - Custom applications and unknowns in the data center can be classified

• Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect
  - Differentiate data center access based on user, device and endpoint profile

• Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID and WildFire
  - Protect against all threats including targeted attacks

(26)

Single-Pass Parallel Processing™ (SP3) Architecture

Single Pass

• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, confidential data

• One policy

Parallel Processing

• Function-specific parallel processing hardware engines

• Separate data/control planes

Up to 20Gbps, Low Latency

(27)

Palo Alto Networks approach – Single Pass Architecture

Diagram labels:

• L2/L3 Networking, HA, Config Management, Reporting
• App-ID
• User-ID
• Content-ID
• Policy Engine
• Application Protocol Detection and Decryption
• Application Protocol Decoding
• Heuristics
• Application Signatures
• URL Filtering
• Real-Time Threat Prevention
• Data Filtering

(28)

Incumbents “Bolt-on” approach with Traditional Stateful inspection

Diagram labels (each repeated once per bolted-on function):

• Port/Protocol-based ID
• L2/L3 Networking, HA, Config Management, Reporting
• Firewall Policy
• HTTP Decoder, URL Filtering Policy
• IPS Signatures, IPS Policy
• AV Signatures, AV Policy

(29)

Our Research Team “Discover” Threat

Our Research Team is “active”

- Many of the IPS vendors have big research teams for “writing signatures”

- Our research team also “discovers” vulnerabilities for zero day protection

Discovering Microsoft Vulnerabilities in the past 4 years

• Palo Alto Networks: 20
• McAfee: 7
• Tipping Point: 7
• Check Point: 3
• Sourcefire: 1
• Juniper: 0
• Cisco: 0

Discovering Adobe Vulnerabilities in the past 4 years

• Palo Alto Networks: 14
• McAfee: 1
• Tipping Point: 1
• Check Point: 0
• Sourcefire: 0
• Juniper: 0
• Cisco: 0

Source: OSVDB; as of June 15th 2011

(30)

Palo Alto Networks as an IPS

• Tipping Point: http://osvdb.org/affiliations/1094-tippingpoint-dvlabs
• Palo Alto Networks: http://osvdb.org/affiliations/1148-palo-alto-networks
• McAfee: http://osvdb.org/affiliations/1163-mcafee-avert-labs
• Sourcefire: http://osvdb.org/affiliations/1437-sourcefire-vrt
• Cisco: http://www.osvdb.org/affiliations/2654-cisco-systems-inc

(31)

Is your heart still bleeding?

We provide unique protection from exploitation of the Heartbleed vulnerability, including:

• Innovative approach to identifying threats – Unlike other security products, the next-generation design of our enterprise security platform, and the automated protections we released, prevented exploitation of Heartbleed.

• Automated vulnerability protection – Starting April 9th, 2014, multiple content updates were automatically sent that protected, detected, and immediately blocked attempted exploitation of the vulnerability (content updates 429 and 430, which include IPS vulnerability signature IDs 36416, 36417, 36418, and 40039).

• Inherent PAN-OS features – Our core operating system (PAN-OS) is not impacted by CVE-2014-0160 because it does not use a vulnerable version of the OpenSSL library.

(32)

Reducing the Scope of Attack

» The ever-expanding universe of applications, services and threats

» Traffic limited to approved business use cases based on App and User

» Attack surface reduced by orders of magnitude

» Port, Protocol Agnostic

» Complete threat library with no blind spots
  • Bi-directional inspection
  • Scans inside of SSL
  • Scans inside compressed files
  • Scans inside proxies and tunnels
  • Scans unknown files

Only allow the apps you need

Clean the allowed traffic of all threats in a single pass

(33)
(34)

Application Control Belongs in the Firewall

Application Control as an Add-on

Diagram labels: Port Traffic; Firewall (Port Policy Decision); IPS (App Ctrl Policy Decision); Applications

•Port-based decision first, apps second

•Applications treated as threats; only block what you expressly look for

Key Points

•Two policies/log databases, no reconciliation

•Unable to effectively manage unknowns

Application Control in the Firewall

Diagram labels: Application Traffic; Firewall (App Ctrl Policy Decision); IPS (Scan Application for Threats); Applications

•Firewall determines application identity; across all ports, for all traffic, all the time

•All policy decisions made based on application

Key Points

•Single policy/log database – all context is shared

•Policy decisions made based on shared context

(35)

What NGFW should do: Safely enable applications!

Safely enable | Prohibited use | User

Post info to a prospect’s wall | Chatting; clicking on infected links | Financial advisor

Exchange of Photoshop files with agencies | Downloading malware | Marketing specialist

Communication with candidates | Exposing lists of employees and their salaries | HR recruiter

Sharing opportunities with channel partner | Sharing customer lists externally | Sales rep

(36)

Vendor1

• Do all policies turn on application control?

• How many policies do you need to maintain?

• How to allow

(37)

Vendor2

Two Separate Policies, No relationship between

Two Separate Log Databases

(38)

How we do: Unified Policy on Application basis

Specify user

Select application

Single Policy, Single Log Database

Do all policies turn on application?

(39)

What we do: consolidated log details

Traffic Log

Every log is integrated with application

URL Log

Log Details

(40)

What we do: consolidated log details


(41)

Performance


(42)

Traditionally, More Security = Poor Performance

Traditional Security

• Each security box or blade robs the network of performance

• Threat prevention technologies are often the worst offenders

• Leads to the classic friction between network and security

Chart labels: Best Case Performance; Firewall; Anti-Malware; IPS

(43)

Vendor 1


How about:

-Firewall + IPS + AV throughput ?

-Firewall + IPS + AV + Application Control throughput ?

Captured from official web site

7.73%

13.64%

(44)

Vendor 2


Captured from official web site

5.0%

* Sophos AV is an in-the-cloud anti-virus solution, which requires less system resources and provides better scaling and performance, as compared to other anti-virus engines

How about:

-Firewall + IPS + AV throughput ?

-Firewall + IPS + AV + Application Control throughput ?

(45)

Guaranteed throughput with everything turned on!

Layer 7 throughput, all policies turn on application with logging

Threat throughput:

• ALL (AV, Antispyware, IDP, URL AND Wildfire) turn-on

• ALL Signature (not default, not recommended) turn-on

• ALL with logging

(46)

Validated in 3rd Party Testing

“Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost…”

-NetworkWorld, 2012

Threat Prevention Performance (Mbps)

• Firewall + IPS: 5372
• Firewall + IPS + AV: 5318
• Firewall + IPS + AV + Spyware: 5265

(47)
(48)

Traditional Datacenter Segmentation

Diagram labels: Port 80/443; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; Data Center A; Port 1521; > 100 ports; Partners and Contractors; Webex; SSH; SSL; RDP; Confidential Server

(49)

With Palo Alto Networks Solution:

Diagram labels: Finance; Sales; IT; Data Center A; Oracle; Microsoft Servers; Web Servers; Confidential Server; Partners and Contractors; CFO; VP of Sales; DB Zone; App Zone; Web Zone; Mgmt Zone; App-ID; User-ID; Content-ID

• Webex - no file sharing
• SSH - no tunneling
• SSL - with decryption
• RDP - not port 3389

(50)

Our systematic approach for better security

1. Apply positive controls

2. Prevent known threats

3. Discover unknown threats

Provide global visibility & intelligence correlation

Inspect all traffic across ports, protocols & encryption

Copyright © 2014, Palo Alto Networks, Inc. All Rights Reserved

(51)

Positive security controls

• 368: Applications can deliver files
• 34%: Applications use SSL
• 17%: Applications port-hop

High-risk applications & protocols

Files from suspicious Domains and URLs

Encryption and custom traffic

Reduced attack surface with granular control

(52)

Known threats

• 6,200: Signatures delivered per day
• 1,800: Variants of the threat blocked by 1 signature

Vulnerability exploits

Known Malware & variants

Malicious Domains, URL & DNS

Block known-bad content with evolving signatures

(53)

Unknown threats

Visibility into unknown traffic

• See unknown applications & protocols

• Suspicious domains & URLs

• New malicious content (malware & exploits)

WildFire

• Purpose-built sandbox environment

• Running full versions of common applications & OSs

• Full Internet access for C2, domains, URLs & additional payload

• Elastic scale in the cloud or local appliance

Automated threat prevention

• In-line enforcement from next-generation firewall

• Near real-time signature updates

• Disrupts threat delivery & callbacks (Anti-malware, DNS, URL, C2)

Global intelligence sharing & threat research

Copyright © 2014, Palo Alto Networks, Inc. All Rights Reserved. Palo Alto Networks Proprietary and/or Confidential. For Palo Alto Networks internal use only and as permitted by Palo Alto Networks for its authorized partners.

(54)

Building a complete platform for advanced threats

Diagram labels:

• Apply positive controls
• Prevent known threats
• Detect unknown threats
• Validate attack
• Remediate
• Attack surface
• Non-standard ports
• Port-hopping
• SSL & SSH
• Vulnerability exploits (IPS)
• Malware
• Bad web sites
• Bad domains
• C&C
• Sandbox
• Unknown applications
• Suspicious file types / web sites
• MSS
• Malware intelligence
• Forensics

(55)

A Three Time Gartner Magic Quadrant Leader

• Palo Alto Networks is assessed as a Leader, mostly because of its NGFW focus, because it set the direction of the market along the NGFW path, and because of its consistent visibility in shortlists, increasing revenue and market share, and its proven ability to disrupt the market.

• Gartner clients consistently rate the Palo Alto Networks App-ID and IPS higher than competitors’ offerings for ease of use and quality.

• The firewall and IPS are closely integrated, with App-ID implemented within the firewall and throughout the inspection stream. This "single pass" is a design advantage, as opposed to the unnecessary inspection that can occur in competing products that process traffic in serial order.

--Gartner Magic Quadrant for Enterprise Network Firewalls

(56)

Get to know more about your network now!

(57)

Talk to us about the AVR report

(58)
(59)

Managed Security Service: From Device Management to Security Enrichment

Owen Cheng

26 June 2014

(60)

Enriched Security Intelligences

Next-Gen Challenges

15 May 2014

(61)

Firewall & perimeter challenges

Nick Williams - Public - Draft - v02

Do The Basics #1

Counter measure to the changing THREATS

• 71% of new malware goes undetected when analysed in a sandbox

• 43% of incident response engagements were the result of Malware costing one business $109,000

• Performing regular vulnerability scans significantly reduces your risk

• 77% of the organisations involved had no incident response team, policies or procedures in place

• Over 50% of vulnerabilities were already known some dating back to 2004

Risk is shaped dynamically.

Security threats are increasingly complex

Applications are the new internet. They are the bearer of corporate risk. We work and live in an agile global world

(62)

Organisational challenges

Analysis of data needed for Risk & Security decision making

Security must change as business evolves

These assets need to be secured to minimise organisational risk and for compliance

Management & visibility

Organisations require an effective solution to manage firewalls & perimeter assets

Effective security management

• Enriched data analysis for rapid, accurate decision making

• Security controls tightly aligned to risks

• Flexibility with expert deployment to meet compliance & organisational requirements

Secure, consistent & scalable solution suitable for Next Generation security

(63)

WideAngle MSS Analysis Engine addresses the challenges

(64)

Management & visibility – making sense of the information

Millions of raw events (000,000’s)

Analyse and correlate huge amounts of data: All event flows need to be analysed in order to identify potentially malicious behaviour. Often requires complex correlation rules to produce alerts of interest

Thousands of alerts (000’s)

Filter and enrich: Apply context, asset information, previous knowledge to reduce the number of false positives

Hundreds of alerts (00’s)

Enriched alerts: Granular, enriched reports. Additional human validation for further business context

(65)

Analysis Platform - Architecture

Analysis Platform Components

RAW LOG PROCESSING

RTCE (CEP Engine)

• CEP based engine

• Correlates and processes all logs as event feeds

• Near-realtime response capabilities

• Short- to medium-term detection focus

Example: ”Executable download (proxy) followed by outbound firewall session within 10 minutes”

BDAE (Batch Engine)

• Splunk based engine

• Query based processing approach

• Able to identify weekly/monthly patterns

• Medium- to long-term detection focus

Example: ”Regular network transfer peaks every Sunday evening by single user account”

ALERT PROCESSING

Components: Inspector; META Modules; Support

Alert enrichment

• Module based verdict system

• Able to perform cross-customer correlation of alerts

Example: ”This alert has been seen in confirmed incidents for two other customers”

Drilldown and verification

• Alert grouping, filtering and drilldown UI

• Provides instant access to verification data (PCAP, sandbox details)

Example: ”PCAP shows that the exploit is target specific”
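
The CEP example rule quoted on this slide ("Executable download (proxy) followed by outbound firewall session within 10 minutes") can be written as a small sliding-window correlator over a time-ordered event feed. This is an added illustration, not NTT Com Security's code; the event field names, the sample events and the executable-detection heuristic are assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

WINDOW = timedelta(minutes=10)
# Assumed heuristic: flag by MIME type or by file extension in the URL path.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed sample feed (hypothetical field names), already sorted by time.
SAMPLE_EVENTS = [
    {"ts": "2014-05-15T09:00:00", "source": "proxy", "host": "10.0.0.5",
     "url": "http://files.example.test/setup.exe",
     "content_type": "application/x-msdownload"},
    {"ts": "2014-05-15T09:04:30", "source": "firewall", "host": "10.0.0.5",
     "direction": "outbound", "dst": "203.0.113.7", "dport": 8443},
    # Outbound session with no earlier download: must not alert.
    {"ts": "2014-05-15T09:05:00", "source": "firewall", "host": "10.0.0.9",
     "direction": "outbound", "dst": "198.51.100.4", "dport": 443},
    # Non-executable download followed by a session: must not alert.
    {"ts": "2014-05-15T09:20:00", "source": "proxy", "host": "10.0.0.8",
     "url": "http://docs.example.test/report.pdf",
     "content_type": "application/pdf"},
    {"ts": "2014-05-15T09:21:00", "source": "firewall", "host": "10.0.0.8",
     "direction": "outbound", "dst": "198.51.100.4", "dport": 443},
    # Executable download, but the session comes 15 minutes later.
    {"ts": "2014-05-15T09:30:00", "source": "proxy", "host": "10.0.0.7",
     "url": "http://cdn.example.test/tool.dll",
     "content_type": "application/octet-stream"},
    {"ts": "2014-05-15T09:45:00", "source": "firewall", "host": "10.0.0.7",
     "direction": "outbound", "dst": "203.0.113.9", "dport": 4444},
]


@dataclass(frozen=True)
class Alert:
    host: str
    download_url: str
    session_dst: str
    delay_seconds: int


def is_executable_download(event):
    """True for a proxy event whose MIME type or URL path looks executable."""
    if event["source"] != "proxy":
        return False
    path = urlparse(event.get("url", "")).path.lower()
    return (event.get("content_type") in EXECUTABLE_TYPES
            or path.endswith(EXECUTABLE_SUFFIXES))


def correlate(events, window=WINDOW):
    """Return one Alert per host for 'download then outbound session'."""
    pending = {}  # host -> deque of (timestamp, url) for recent downloads
    alerts = []
    for event in events:
        ts = datetime.fromisoformat(event["ts"])
        host = event["host"]
        queue = pending.setdefault(host, deque())
        # Expire this host's downloads that fell out of the window.
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        if is_executable_download(event):
            queue.append((ts, event["url"]))
        elif (event["source"] == "firewall"
              and event.get("direction") == "outbound" and queue):
            dl_ts, url = queue[-1]  # pair with the most recent download
            alerts.append(Alert(host, url, event["dst"],
                                int((ts - dl_ts).total_seconds())))
            queue.clear()  # one alert per burst of downloads
        if not queue:
            pending.pop(host, None)  # keep state bounded
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

State is only expired when the same host produces another event, so a production engine would also sweep idle hosts on a timer.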

(66)

WideAngle MSS Services

(67)

① Device Management

② Automatic Log Analysis

③ Human enriched Analysis

Customer can choose one of three functions or combine them: 1, 1+2, etc…

(68)

Package A – Network Basic

Firewall only

① Device Management

(69)

Package B – Network Security

Firewall + IPS/IDS

① Device Management

② Automatic Log Analysis

(70)

Package C - Content Security Next Gen +

Firewall + IPS/IDS + Web and Email Antivirus + URL Filtering + Application Filter

① Device Management

② Automatic Log Analysis

③ Human enriched Analysis

(71)

Portal

• Main navigation

• Status of services and devices, can be expanded to show service level and service type

• Tickets for changes, inquiries and problems, can be sorted per column for fast access as well as filtered on ticket types

• Security incidents, defaults to open incidents and can be sorted based on columns or filtered by using the dropdown

• Status on monitored VPN-tunnels

• Bulletin board, holding important service messages from the Global Risk Operations Centers

• Health and availability incidents listing open incident, can be sorted by column and filtered using the dropdown

• Event processing status showing the total of logs, events, incidents and validated incidents since service start

WideAngle Customer Portal Presentation-Public-Approved_V1 00

(80)

Thank you
