COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1
Cyber Threat Intelligence Sharing and Blocking: First & Last Line of Smart Automated Defense
Tony Teo
Director Sales Engineering – APJ
The Security Stack is Complex……
Infographic by Digital Guardian: Artificial Intelligence (AI), Machine Learning, Behaviour Analysis, Signature-less, Threat Hunting, etc… etc… etc.
Back to Core Fundamentals
#1 – Stop Hackers from DISRUPTING your service
#2 – Stop Hackers from STEALING from your Network
Security Stack of Yesterday
Diagram: Internet, Stateful blocking, DDoS (Add-On), NGFW, IPS, Sandbox, etc., End Point, SIEM / Security Process
Traditional Defense Failed to Stop DDoS Attacks
Source: Arbor Networks Annual Worldwide Infrastructure Security Report
Chart: Y2013 to Y2017; the one legible value is 43% at Y2016
• 51% had firewalls or IPS devices fail or contribute to an outage during a DDoS attack
• 61% of enterprises experienced attacks against infrastructure devices
The Security Stack is Complex …and Not Working
All had an existing security stack in place… THAT FAILED
….Industry is changing approach to protection
• Bad guys leave traces
– C&C communication, network communications
– Forums, posts
– Malware analysis, etc.
• These traces remain on the web
– They cannot totally hide themselves from the web and/or dark web.
– Retrieve these traces and track their moves: attack hunting
Emergence of ISAC (Information Sharing and Analysis Center)
• Nonprofit organization that provides a central repository of information pertaining to cyber threats
• Ecosystem to automatically share cyber threat intelligence in real time, to enable real-time defense
• Automation of machine-to-machine sharing of information to counter fast-moving threats (STIX/TAXII format)
• Split into verticals, countries and international:
– Government (G-ISAC)
– National (N-ISAC)
– Financial Services (FS-ISAC)
– Electricity (E-ISAC)
– Water (W-ISAC)
– Oil and Gas (ONG-ISAC)
– And many more …
What’s in Cyber Threat Intelligence? - IOC
• High-scale, high-efficiency blocking of known threats at the perimeter
• Based on reputation of:
– IP/Proto/Port
– Domain
– URL
– TLS cert
– MD5 hash
• Millions of Indicators of Compromise (IOC) in memory with line-rate performance at 10Gbps+
Security Stack of Today
Diagram: Internet, Arbor APS DDoS (1, inbound and outbound DDoS), IOC Blocking (3), NGFW, IPS (2), Sandbox, etc., End Point, SIEM / Security Process; Cyber Threat Intelligence (vendor specific)
1. Stateless DDoS protection.
2. IPS being consumed by NGFW.
3. IoCs (reputation blocking) in NGFW are expensive, impact performance and can be done better with stateless devices.
Prove it! - NGFW Performance Degradation
Chart: TCP Connection Rate and Latency (milliseconds), Firewall (US-only IOC) vs Firewall (No IOC)
Source: bandurasystems.com
What’s a Threat Intelligence Gateway (TIG)?
“Because multifunction firewalls apply so many security inspection and prevention capabilities, they typically are limited from as low as 30,000 threat indicators to as high as 300,000 for larger (higher-end) appliances… A new solution is needed for this problem, and one now exists.”
Gartner Emerging Technologies: Threat Intelligence Gateways, November 2017
Security Stack of Today
Diagram: Internet, Arbor APS DDoS, IOC Blocking, TIG (5), NGFW, IPS, Sandbox, etc., End Point, SIEM / Security Process; Cyber Threat Intelligence feeding a TIP (4)
4. Threat Intelligence Platform (TIP) managing multiple forms of CTI.
5. Emergence of Threat Intelligence Gateway (TIG) trying to take pressure off NGFW; uses stateless technology.
AED Augments Existing Security Stack (Future)
Diagram: Internet, Arbor Edge Defense (DDoS, embedded TIG), NGFW, IPS, TIP, Sandbox, etc., End Point, SIEM / Security Process; Cyber Threat Intelligence
Integration Points:
▪ Stop inbound & outbound DDoS and other cyber threats
▪ Intelligence to/from TIP
▪ Alerts to SIEM
▪ APIs enable further integration
Consolidation:
▪ Stateless DDoS protection and reputational blocking
▪ Embedded TIG
The Foundation of Global Threat Visibility
ASNs: 44,570
Unique IPv4 Addresses: 2.63B
“Dark” IPv4 Addresses: 1.76M
Statistics:
• 400 Active SP Contributors
• ATLAS “sees” 1/3 of All Internet Traffic
• Ingests 140 Tbps
• 200K Malware Samples per Day
• 250K High Fidelity IOCs (IP/DNS/URL) in AIF
• 2M+ IOCs supported
Industry Threat Intelligence – STIX / TAXII
Arbor Edge Defense: First & Last Line of Smart Automated Defense
Diagram: Unique Global Threat Intelligence; Inbound Threats; Outbound Threats
Arbor Edge Defense: First & Last Line of Smart Automated Defense
Inbound Threats:
1. Always-on advanced cyber threat protection
• Volumetric, application and state-starvation DDoS + Cloud Signalling
• Stateless high performance & scale reputation blocking (Threat Intelligence Gateway function)
• Integrated perimeter enforcement point
Diagram: Unique Global Threat Intelligence, continuous AIF update
Arbor Edge Defense: First & Last Line of Smart Automated Defense
Outbound Threats:
2. Stop compromise becoming breach
• Automatically BLOCK outbound connections using curated and user-defined IoCs (i.e. AIF)
• Augment existing perimeter security
3. Identify advanced threats that have evaded existing defenses
• Machine learning + analyst oversight
• Contextual threat intelligence
Diagram: Unique Global Threat Intelligence, continuous update
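Added example, not NETSCOUT/Arbor code: the stateless reputation blocking described on the IOC slide (IP, domain, URL, hash indicators held in memory) and the outbound blocking with curated plus user-defined IoCs described above, written in Python. A constructed curated feed in STIX 2.1 bundle shape is parsed into exact-match tables, one analyst-defined indicator is added beside it, and each outbound connection event is judged on its own fields with no session state. The bundle, indicator ids, hosts and flow records are all constructed; the pattern parser is deliberately small, handles only single-comparison patterns and reports compound patterns as skipped, which is the first caveat a practitioner meets when wiring a feed into a gateway. Matching a sub-domain against a listed parent domain goes beyond what the slides state and is an assumption about gateway behaviour.

```python
"""Stateless reputation blocking fed from STIX 2.1 indicators (added illustration, not NETSCOUT/Arbor code)."""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed curated feed in STIX 2.1 bundle shape; ids, addresses and names are placeholders.
CURATED_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002", "pattern": "[domain-name:value = 'c2.example.net']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003", "pattern": "[url:value = 'http://cdn.example.org/gate.php']"},
        # The sample hash is the MD5 of an empty file, chosen only because it is well known.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004", "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
        # Compound pattern: a single-comparison matcher cannot honour it, so it is reported as skipped.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005", "pattern": "[ipv4-addr:value = '203.0.113.9' AND network-traffic:dst_port = 4444]"},
    ],
}

# Exactly one STIX comparison of the form [object:property = 'value'].
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]$")

def parse_pattern(pattern: str) -> Optional[Tuple[str, str]]:
    """Return (kind, value) for a supported single comparison, else None."""
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        return None
    obj, prop, value = m.groups()
    prop = prop.replace("'", "").lower()  # hashes.'MD5' and hashes.MD5 are both accepted
    if obj in ("ipv4-addr", "domain-name", "url") and prop == "value":
        return obj, value
    if obj == "file" and prop == "hashes.md5":
        return "md5", value
    return None

@dataclass
class IocTable:
    """Exact-match dictionaries (value -> source indicator id): one O(1) lookup per check."""
    ips: dict = field(default_factory=dict)
    domains: dict = field(default_factory=dict)
    urls: dict = field(default_factory=dict)
    md5s: dict = field(default_factory=dict)
    skipped: list = field(default_factory=list)  # feed entries this matcher cannot express

    def add(self, kind: str, value: str, source: str) -> None:
        # Lower-cased for the illustration; a real gateway would keep URL paths case-sensitive.
        tables = {"ipv4-addr": self.ips, "domain-name": self.domains, "url": self.urls, "md5": self.md5s}
        tables[kind][value.lower()] = source

    def load_bundle(self, bundle: dict) -> None:
        for obj in bundle.get("objects", []):
            if obj.get("type") != "indicator":
                continue
            parsed = parse_pattern(obj.get("pattern", ""))
            if parsed is None:
                self.skipped.append(obj["id"])  # surfaced to the analyst, not silently dropped
            else:
                self.add(parsed[0], parsed[1], obj["id"])

    def domain_hit(self, host: Optional[str]) -> Optional[str]:
        """Check the host and each parent domain, so sub.c2.example.net hits c2.example.net."""
        labels = (host or "").lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            source = self.domains.get(".".join(labels[i:]))
            if source:
                return source
        return None

    def evaluate(self, event: dict) -> dict:
        """Judge one outbound event on its own fields; no connection state is consulted."""
        url = event.get("url")
        host = event.get("host") or (urlsplit(url).hostname if url else None)
        checks = (("ip", self.ips.get(event.get("dst_ip", ""))),
                  ("domain", self.domain_hit(host)),
                  ("url", self.urls.get((url or "").lower())),
                  ("md5", self.md5s.get(event.get("file_md5", "").lower())))
        for kind, source in checks:
            if source:
                return {"action": "block", "on": kind, "indicator": source}
        return {"action": "allow", "on": None, "indicator": None}

def run_demo() -> list:
    """Load the curated feed plus one user-defined indicator and judge constructed flow records."""
    table = IocTable()
    table.load_bundle(CURATED_BUNDLE)
    table.add("ipv4-addr", "203.0.113.9", "local--analyst-0001")  # analyst pins the skipped entry's address
    events = [
        {"dst_ip": "198.51.100.23", "dst_port": 443, "proto": "tcp"},
        {"dst_ip": "203.0.113.50", "dst_port": 443, "proto": "tcp", "host": "updates.c2.example.net"},
        {"dst_ip": "203.0.113.51", "dst_port": 80, "proto": "tcp", "url": "http://cdn.example.org/gate.php"},
        {"dst_ip": "203.0.113.52", "dst_port": 443, "proto": "tcp", "host": "www.example.com"},
        {"dst_ip": "203.0.113.53", "dst_port": 443, "proto": "tcp", "file_md5": "D41D8CD98F00B204E9800998ECF8427E"},
        {"dst_ip": "203.0.113.9", "dst_port": 4444, "proto": "tcp"},
    ]
    return [table.evaluate(e) for e in events]

if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Every check is a dictionary lookup on the event's own fields, which is what lets this style of enforcement scale to millions of indicators without tracking connections; the `skipped` list is the operational detail to watch, since a feed entry the gateway cannot express is a gap the analyst has to cover by hand, as the local indicator in `run_demo` does.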
Benefits of Arbor Edge Defense (AED)
• First and Last Line of Smart Defense
• Protect availability of network, services and other security devices from DDoS
• Stop malware and other cyber threats that lead to data breach
• Helps to offload pressure on downstream security devices
• Integrate with existing security stack/processes (STIX/TAXII, RESTful API)
Network Security with Arbor Edge Defense
#1 – Stop Hackers from DISRUPTING your service
#2 – Stop Hackers from STEALING from your Network
Thank You
Tony Teo
Email: [email protected]