intrusion prevention anno 2012: widening the ips concept


Post on 29-Mar-2015


TRANSCRIPT

  • Slide 1

Intrusion Prevention anno 2012: Widening the IPS concept

  • Slide 2

Traditional IDS/IPS doesn't cut it anymore
- Blended attacks
- Application-focused attacks
- Oldies but Goodies still exist: nothing goes away. Ever.
- Survival instinct of applications much higher than before: built-in evasion techniques
- Must assume malicious activity occurs within trusted applications
Let's take a closer look at some examples.

  • Slide 3

Threat Landscape - Blended Threat & Botnet Examples
The Corporate Botnet - Phishing: an employee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the compromise of the integrity of the entire network.
CIO Fears and Concerns - The Corporate Botnet: an employee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised.
ZEUS/ZBOT:
- Email contains a link to a false domain
- Credentials entered into the fake site
- BOT infection sent to the user as a "Facebook Security Update" application
- User installs the BOT and is now infected; all data is compromised
- Connection is then redirected to the real Facebook site so the user is not suspicious
- Prevalent today and sold as a crime kit

  • Slide 4

Threat Landscape - Blended Threat & Botnet Examples
The Corporate Botnet - Legitimate Site Compromised: an employee accesses a legitimate site, but it or one of its content providers has been compromised and is now hosting malicious code.
FakeAV Botnet:
- In 2009 the advertising network used by the New York Times was infected by a malicious Flash advertisement
- Readers were accessing the NYT site but were served the infected advertisement
- This directed users to a site hosting the exploit code to install fake antivirus software

  • Slide 5

Threat Landscape - Blended Threat & Botnet Examples
Targeted Attack - Spear Phishing: using social engineering to distribute emails with links to malware; the emails are relevant to the corporation being targeted. Infected documents (PDF, DOC, XLS) can use software exploits to infect systems.
Kneber (Zeus) Botnet:
- In 2010 a spear phishing attack on US .mil and .gov employees by a Zeus variant infected 50,000+ end systems
- Data stolen included: corporate login credentials; email and webmail access; online banking sites; social network credentials; SSL certificates

  • Slide 6

Threat Landscape - Blended Threat & Botnet Examples
Ransomware: once installed it is very difficult to reverse; files are encrypted. This isn't just based on the fear that something might happen: once you are reading the ransom note your data has already been encrypted.
gpCode Ransomware:
- Once installed, searches the hard drive for document and media files
- Files are encrypted with a 1024-bit key; only the attacker has the decryption key
- A ransom note is displayed to the user; the system continues to operate but the data is inaccessible
- Will encrypt xls, doc, pdf, txt, rar, zip, avi, jpg, mov, etc.

  • Slide 7

Addressing the Threat Landscape: Fortinet's Next Generation Enterprise Security!

  • Slide 8

Beyond Application Identification
Today's Network Security Requires Application Detection, Monitoring, and Control
- Allowing access to Web 2.0 applications has made enforcing data security policies far more complex
- User-created content embeds threats in content, pages, links, comments to blogs
- Protection against effects of social media applications: data loss; threat propagation; bandwidth consumption; inappropriate use
- Endpoint to the Core: single pane of glass management for visibility & control

  • Slide 9

Life of a Packet with IPS enhancements
DoS Policy Inspection addition: inspected first, prior to firewall inspection.
Packet path (IN to OUT), with the block decision each stage can make:
1. DoS Policy Inspection - Block (attack)
2. Firewall Inspection - Block (deny)
3. IPS / App. Control - Block (attack / disallowed application)
4. AV / WF (Proxy) - Block (Virus / Web Content Block)
PASS - OUT
Fortinet Confidential **Internal view only**

  • Slide 10

Life of a Packet with IPS enhancements
IPS & Application Control processing, then hand off to the proxy engines. The packet path and block points are the same as on Slide 9: DoS Policy Inspection, Firewall Inspection, IPS / App. Control, AV / WF (Proxy).

  • Slide 11

Three Components - Complete Content Protection Requires:
- Identification: customizable list of approximately 2,000 apps, growing weekly; consolidated security: DLP, AV/AS, SSL Inspection, Endpoint protection
- Monitoring: see what's in your network
- Control: granular control of behavior: apps & features within apps; users; traffic

  • Slide 12

Identification
- Over 2,000 applications; more added every week
- Category: IM, P2P, Remote Access, Video, etc.
- Ranked on popularity & risk
- Independent of port, protocol, IP address
- Decrypt encrypted traffic, including HTTPS, POP3S, SMTPS and IMAPS protocols

  • Slide 13

Identification - Application Botnet Category

  • Slide 14

Monitoring - Understand what's in your network
- Summary & detailed reports: application usage; behavior of user; bandwidth consumption
- Visualization of trends, threats, and behaviors that put your network at risk

  • Slide 15

Control - Granular control of behavior
- Apps & features within apps: categories of apps; individual apps; actions within apps
- Users: domain, groups, individual users
- Traffic: prioritize; limit access by groups or users; time of day; day of week

  • Slide 16

Real Threat Protection in Action
Problem:
- Innocent video link: redirects to a malicious website
- Out of date Flash player error: downloads a malware file
- Error message: drops a copy of itself on the system and attempts to propagate
Solution:
- Integrated Web Filtering blocks access to the malicious website
- Network Antivirus blocks download of the virus
- Intrusion Protection blocks the spread of the worm

  • Slide 17

Consolidated Security with Real Time Updates
- Intrusion Prevention: vulnerabilities and exploits - browser and website attack code crafted by hackers and criminal gangs
- Application Control: unwanted services and P2P - limiting Botnet command channels, compromised Facebook applications, independent of port or protocol
- Web Filtering: multiple categories and malicious sites - Botnet command, phishing, search poisoning, inappropriate content
- Antispam: unsolicited messages - phishing, malware, social engineering and junk
- Antivirus: all malicious code - documents, macros, scripts, executables; delivered via Web, email, USB, instant messaging, social networks, etc.
- Vulnerability Management: real time exploit updates - multiple scanning points: FortiGate, FortiAnalyzer, FortiWeb, FortiDB, and FortiScan

  • Slide 18

Thank You!
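The inspection order on the Life of a Packet slides (Slides 9 and 10), DoS policy before firewall policy before IPS / application control before the AV / web-filter proxy, as an added Python model that is not FortiGate code: every threshold, packet field and signature string is a constructed assumption. It shows why the cheap DoS stage comes first: a flood from one source is dropped there and never reaches the stateful or proxy stages.

```python
# Added example (not FortiGate code): the inspection order on the Life of a Packet slides
from collections import defaultdict, deque

DOS_MAX_PKTS, DOS_WINDOW = 5, 1.0            # assumed per-source rate limit
ALLOWED_PORTS = {80, 443}                    # assumed firewall policy
DISALLOWED_APPS = {"p2p", "remote-access"}   # assumed app-control policy
IPS_SIGNATURES = (b"SIG:EXPLOIT",)           # constructed IPS pattern
AV_SIGNATURES = (b"SIG:VIRUS",)              # constructed AV pattern
WF_BLOCKLIST = {"malicious.example"}         # constructed web-filter entry
_seen = defaultdict(deque)                   # src -> packet times inside DoS window

def dos_policy(pkt, now):                    # cheap check, runs before any stateful work
    q = _seen[pkt["src"]]
    while q and now - q[0] > DOS_WINDOW:
        q.popleft()
    q.append(now)
    return "Block (attack)" if len(q) > DOS_MAX_PKTS else None

def firewall(pkt, now):
    return None if pkt["dport"] in ALLOWED_PORTS else "Block (deny)"

def ips_appctl(pkt, now):
    if any(s in pkt["payload"] for s in IPS_SIGNATURES):
        return "Block (attack)"
    return "Block (disallowed application)" if pkt["app"] in DISALLOWED_APPS else None

def proxy_av_wf(pkt, now):                   # costliest stage, so reached last
    if pkt.get("host") in WF_BLOCKLIST:
        return "Block (Web Content Block)"
    return "Block (Virus)" if any(s in pkt["payload"] for s in AV_SIGNATURES) else None

STAGES = (("dos", dos_policy), ("firewall", firewall),
          ("ips/appctl", ips_appctl), ("av/wf proxy", proxy_av_wf))

def process(pkt, now=0.0):
    """Return (verdict, stage): the first blocking stage ends inspection."""
    for name, stage in STAGES:
        verdict = stage(pkt, now)
        if verdict:
            return verdict, name
    return "PASS", "out"

def demo():   # constructed traffic: clean, exploit, filtered site, then a flood
    clean = {"src": "10.0.0.5", "dport": 443, "app": "web", "payload": b"GET /",
             "host": "intranet.example"}
    out = [process(clean, 0.1),
           process({**clean, "payload": b"GET /?q=SIG:EXPLOIT"}, 0.2),
           process({**clean, "host": "malicious.example"}, 0.3)]
    for i in range(7):   # 7 packets in 1 s from one source: 6th and 7th hit DoS policy
        out.append(process({**clean, "src": "10.0.0.9"}, 0.5 + i * 0.01))
    return out
```

The stage name returned alongside each verdict is what a defender would log to see where in the path traffic is being dropped.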
