Page 1

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY

Cyber Threat Intelligence Sharing and Blocking: First & Last Line of Smart Automated Defense

Tony Teo

Director Sales Engineering – APJ

Page 2

The Security Stack is Complex……

Infographic by Digital Guardian: Artificial Intelligence (AI), Machine Learning, Behaviour Analysis, Signature-less, Threat Hunting, etc… etc… etc.

Page 3

Back to Core Fundamentals

#1 – Stop Hackers from DISRUPTING your service

#2 – Stop Hackers from STEALING from your Network

Page 4

Security Stack of Yesterday

Diagram, components: Internet; DDoS (add-on); stateful blocking; NGFW; IPS; Sandbox, etc.; End Point; SIEM / Security Process.

Page 5

Traditional Defense Failed to Stop DDoS Attacks

Chart: Y2013 to Y2017 (43% shown for Y2016).

• 51% had firewalls or IPS devices fail or contribute to an outage during a DDoS attack

• 61% of enterprises experienced attacks against infrastructure devices

Source: Arbor Networks Annual Worldwide Infrastructure Security Report

Page 6

The Security Stack is Complex …and Not Working

All had an existing security stack in place… THAT FAILED

Page 7

….Industry is changing approach to protection

• Bad guys leave traces:

– C&C communication, network communications

– Forum posts

– Malware analysis, etc.

• These traces remain on the web. They cannot totally hide themselves from the Web and/or Darkweb. Retrieve these traces and track their moves – Attack Hunting

Page 8

….Industry is changing approach to protection

Page 9

Emergence of ISAC (Information Sharing and Analysis Center)

• Nonprofit organization that provides a central repository with information pertaining to cyber threats

• Ecosystem to automatically share cyber threat intelligence in real time to enable real-time defense

• Automation of machine-to-machine sharing of information to counter fast-moving threats (STIX/TAXII format)

• Split into verticals, countries and international:

– Government (G-ISAC)

– National (N-ISAC)

– Financial Services (FS-ISAC)

– Electricity (E-ISAC)

– Water (W-ISAC)

– Oil and Gas (ONG-ISAC)

– And many more …

Page 10

What’s in Cyber Threat Intelligence? – IOC

• High-scale, high-efficiency blocking of known threats at the perimeter

• Based on reputation:

– IP/Proto/Port

– Domain

– URL

– TLS cert

– MD5 Hash

• Millions of Indicators of Compromise (IOC) in memory with line-rate performance at 10Gbps+

Page 11

Security Stack of Today

Diagram, components: Internet; Arbor APS (DDoS, 1); IPS (2); NGFW; Sandbox, etc.; End Point; SIEM / Security Process; vendor-specific Cyber Threat Intelligence feeding IOC Blocking (3); inbound and outbound DDoS.

1. Stateless DDoS protection.

2. IPS being consumed by NGFW.

3. IoC (reputation) blocking in the NGFW is expensive, impacts performance and can be done better with stateless devices.

Page 12

Prove it! – NGFW Performance Degradation

Charts: TCP Connection Rate and Latency (milliseconds), each comparing Firewall (US Only IOC) against Firewall (No IOC).

Source: bandurasystems.com

Page 13

What’s a Threat Intelligence Gateway (TIG)?

“Because multifunction firewalls apply so many security inspection and prevention capabilities, they typically are limited from as low as 30,000 threat indicators to as high as 300,000 for larger (higher-end) appliances… A new solution is needed for this problem, and one now exists.”

Gartner Emerging Technologies: Threat Intelligence Gateways, November 2017

Page 14

Security Stack of Today

Diagram, components: Internet; Arbor APS (DDoS); IPS; NGFW; Sandbox, etc.; End Point; SIEM / Security Process; Cyber Threat Intelligence feeding a TIP (4) and a TIG (5) for IOC Blocking.

4. Threat Intelligence Platform (TIP) managing multiple forms of CTI.

5. Emergence of Threat Intelligence Gateway (TIG) trying to take pressure off NGFW – uses stateless technology.

Page 15

AED Augments Existing Security Stack (Future)

Diagram, components: Internet; Arbor Edge Defense (DDoS, embedded TIG); NGFW; IPS; Sandbox, etc.; End Point; TIP; SIEM / Security Process; Cyber Threat Intelligence.

Integration Points:

▪ Stop inbound & outbound DDoS and other cyber threats

▪ Intelligence to/from TIP

▪ Alerts to SIEM

▪ APIs enable further integration

Consolidation:

▪ Stateless DDoS protection and reputational blocking

▪ Embedded TIG

Page 16

The Foundation of Global Threat Visibility

ASNs: 44,570

Unique IPv4 Addresses: 2.63B

“Dark” IPv4 Addresses: 1.76M

Statistics:

• 400 Active SP Contributors

• ATLAS “sees” 1/3 of All Internet Traffic

• Ingests 140Tbps

• 200K Malware Samples per Day

• 250K High Fidelity IOCs (IP/DNS/URL) in AIF

• 2M+ IOCs supported

Page 17

Industry Threat Intelligence – STIX / TAXII

Page 18

Arbor Edge Defense: First & Last Line of Smart Automated Defense

Diagram: Unique Global Threat Intelligence; Inbound Threats; Outbound Threats.

Page 19

Arbor Edge Defense: First & Last Line of Smart Automated Defense

Inbound Threats:

1. Always-on advanced cyber threat protection

• Volumetric, Application and state-starvation DDoS + Cloud Signalling

• Stateless high performance & scale reputation blocking (Threat Intelligence Gateway function)

• Integrated perimeter enforcement point

Diagram: Unique Global Threat Intelligence; continuous AIF update; continuous update.

Page 20

Arbor Edge Defense: First & Last Line of Smart Automated Defense

Outbound Threats:

2. Stop compromise becoming breach

• Automatically BLOCK outbound connections using curated and user-defined IoCs (i.e. AIF)

• Augment existing perimeter security

3. Identify advanced threats that have evaded existing defenses

• Machine learning + Analyst oversight

• Contextual Threat Intelligence

Diagram: Unique Global Threat Intelligence; continuous update.
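How the stateless reputation blocking of slide 10 (IP/Proto/Port, Domain, URL, TLS cert and MD5 indicators) and the outbound blocking of curated plus user-defined IoCs on slide 20 fit together, as an added illustration that is not NETSCOUT or Arbor code: the "kind,value" feed format, the indicator values and the flow records are constructed, and the per-type canonicalisation and parent-domain matching are assumptions about how such a gateway would normalise indicators.

```python
import ipaddress
from urllib.parse import urlsplit
# Constructed sample feeds in a made-up "kind,value" line format (not the AIF format):
# documentation-range addresses and dummy hash values only.
CURATED_FEED = """\
ip,198.51.100.7/tcp/443
ip,203.0.113.9
domain,evil.example
url,http://update.bad.example/payload.bin
"""
USER_FEED = """\
tls,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
md5,0123456789abcdef0123456789abcdef
"""

def normalise(kind, value):
    """Canonical form per IOC type so a lookup is an exact, stateless set-membership test."""
    if kind == "ip":                      # "addr" or "addr/proto/port"
        addr, _, rest = value.partition("/")
        return str(ipaddress.ip_address(addr)) + ("/" + rest.lower() if rest else "")
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "url":
        u = urlsplit(value)
        return f"{u.scheme}://{u.netloc.lower()}{u.path or '/'}"
    return value.lower()                  # tls fingerprints and md5 hashes

def load_iocs(*feeds):
    """Merge curated and user-defined feeds into one set per IOC category."""
    iocs = {k: set() for k in ("ip", "domain", "url", "tls", "md5")}
    for line in "\n".join(feeds).splitlines():
        if line.strip():
            kind, value = (s.strip() for s in line.split(",", 1))
            iocs[kind].add(normalise(kind, value))
    return iocs

def check_flow(flow, iocs):
    """Per-connection verdict with no session state: ('block', indicator) or ('allow', None)."""
    ip = str(ipaddress.ip_address(flow["dst_ip"]))
    for key in (f"{ip}/{flow['proto'].lower()}/{flow['dport']}", ip):   # most specific first
        if key in iocs["ip"]:
            return "block", key
    labels = flow.get("host", "").lower().rstrip(".").split(".")
    for cand in (".".join(labels[i:]) for i in range(len(labels))):    # parent-domain match
        if cand in iocs["domain"]:
            return "block", cand
    for kind, fld in (("url", "url"), ("tls", "tls_fp"), ("md5", "file_md5")):
        if flow.get(fld) and (v := normalise(kind, flow[fld])) in iocs[kind]:
            return "block", v
    return "allow", None
```

Every check is a set lookup on a canonical string, which is what lets a gateway hold millions of indicators in memory without per-flow state; an IP/proto/port indicator only matches that tuple, while a bare IP indicator matches any port.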

Page 21

Benefits of Arbor Edge Defense (AED)

• First and Last Line of Smart Defense

• Protect availability of network, services and other security devices from DDoS

• Stop malware and other cyber threats that lead to data breach

• Helps to offload pressure on downstream security devices

• Integrate with existing security stack/processes (STIX/TAXII, RESTful API)

Page 22

Network Security with Arbor Edge Defense

#1 – Stop Hackers from DISRUPTING your service

#2 – Stop Hackers from STEALING from your Network

Page 23

Thank You

Tony Teo

Email: [email protected]