Security Focuses: The SSL Conundrum

Uploaded by dinhhanh, 27 June 2018


The SSL Threat Landscape & Encrypted Traffic Management
“What you can’t see can hurt you.”

Thomas J. Quinlan, CISSP, CCFP, GREM
EMEA Solutions Architect – Advanced Threat Protection


SSL Threat Landscape: SSL Malware Gains a Foothold

Copyright © 2015 Symantec Corporation

A Bad Year for Yahoo!

• September 2016 – Reports of 500 million accounts stolen
  – Not related to SSL (that we know)
  – Breach allegedly occurred in late 2014
• August 2015 – Malvertising campaign found on Yahoo! ad network
  – Definitely related to SSL
  – Exposed potentially hundreds of millions of people to malware
    • Angler Exploit Kit
    • Cryptowall, Teslacrypt, others

Presenter
Presentation Notes
[Note that we are not being conclusive here – w/r/t recent events I am merely mentioning things that are *reported*, or *alleged*. For the 2015 bits, that has been shown repeatedly in many instances online and in papers.] W/r/t Cryptowall – less than 0.3% of victims paid the ransom, but that still netted the authors over $1M.

A Bad Year for Everyone?

• SSL malware is on the rise....
  – Our own research shows:
    • Command and control (C&C) servers using SSL to disguise malware increased 200x last year
    • Encrypted C&C traffic (malware <-> server) increased 58x last year
• ....because SSL is on the rise
  – Approximately 65% of internet traffic is SSL now
  – Google search ranking penalises sites that aren’t using SSL
  – LetsEncrypt.org makes SSL free & easier to use
    • Private beta late Oct/early Nov 2015
    • Public beta December 2015

Presenter
Presentation Notes
Based on Blue Coat Norway research. LetsEncrypt.org certificates being available to the public corresponds to the time that SSL attacks increased significantly, which is not listed on the slide but will be mentioned.

A Timeline of the Increase....


Source: https://www.bluecoat.com/security-blog/2016-07-31/escalation-ssl-based-malware

Presenter
Presentation Notes
Note the hockey stick there on the right.

And an updated one....


Source: Blue Coat Labs Oslo

Presenter
Presentation Notes
Note the hockey stick there on the right.

SSL Does Help Us.... It Just Also Helps the Bad Guys
A Tale of Two PCAPs – one with encrypted traffic, the other not.

A Tale of Two PCAPs (Continued): Encrypted traffic is invisible to security tools.

A Tale of Two PCAPs (Continued): ETM gives much more information.

A Tale of Two PCAPs (Continued): The security tool sees the threat.

Example Attack

• Phishing
  – Spam email crafted
    • targeted: “receipt”, “invoice”, etc.
  – Spam email sent
  – Spam email received by potential victim
  – Attachment executed
  – Machine compromised
  – SSL traffic for C&C
• Sweden Example
  – email crafted with “kvitto_[date].exe” attachment
  – attachment is Retefe malware
  – malware installs a new root certificate on the machine
  – all traffic for particular financial institutions is intercepted (MITM) over HTTPS by the attacker’s server first
  – additional malware may be downloaded

Presenter
Presentation Notes
The targeted email in question may look quite convincing.

Example Attack

• Malvertising
  – Ads submitted to network
    • May or may not be checked
    • Good ads may be replaced with bad ones
  – Web page served
    • Victim may be “fingerprinted”
      – this may be done by the criminal
      – this may be done by the ad network!
  – Advert served
    • iFrames
    • (SSL) Redirects
  – Exploit served
    • drive-by download
    • exploit
      – browser
      – content plugins (Flash, etc.)
• United Kingdom Example
  – popular news website
  – DoubleClick ad website
  – tracking site
  – fake ad server
    • domain shadowed
  – exploit/malware (Angler/Neutrino)

Presenter
Presentation Notes
Ads may or may not be checked by the company receiving them, but today most companies will check them. However, that does not prevent the submitters from changing the ads later. Victims may be fingerprinted: tracking technology may check their browser type, OS, machine type, and a number of other criteria (including the presence of certain security software) to determine ad suitability for the advert network, and then (again) by the malware authors to decide whether to serve malware. Drive-by downloads do not require the users to do anything other than load the particular ad in question. This happened to Spotify, showing that it doesn’t even have to be on websites. Domain shadowing refers to the use of stolen registration credentials for a particular domain registration, which then allows the attacker to create a subdomain of the real site.

Security Tools Are Not Designed For This

Most security solutions are “blind” to SSL.
• DLP, IDS, Sandboxing, Forensics, Analytics.

“Tool by tool” SSL decryption doesn’t work.
• Costly upgrades: NGFW and IPS solutions suffer up to 80% performance degradation*.
• Numerous, evolving cryptographic suites.
• Additional complexity – arduous scripting.

[Figure: tool categories affected – DLP, Anti-Malware, Network Forensics, Web Proxy Vendors, NGFWs, LBs/ADCs]

*Sources: NSS Labs, Gartner

CISOs Are Aware: SSL/TLS Threats Are a Top Concern

[Chart: Types of Cyberthreats]
• Malware
• Phishing
• SSL-Encrypted Threats
• DoS / DDoS
• APTs

Source: CyberEdge CDR 2016 Report

Encrypted Traffic Management: Responsible SSL Decryption as a Solution

ENCRYPTED TRAFFIC MANAGEMENT: A Key Design Point

• Automated elimination of the SSL blind spot
• Ensure the highest level of encryption is maintained
• Enhance effectiveness and ROI of existing security tools
• Preserve privacy and compliance while enabling security

Presenter
Presentation Notes
Blue Coat looks at ETM as a design point in your architecture. We see a world moving to 100% ET (encrypted traffic); what does that look like?

ELIMINATE THE BLIND SPOT CAUSED BY SSL: Automatically

• Automatically discover all SSL/TLS traffic, regardless of port or application
  – Complex scripting not required
  – Faster ‘time-to-productivity’
  – Any port – any protocol – automatically*
• High-performance inspection
  – 9 Gbps SSL throughput
  – 800K connections / second (CPS)
  – Software and hardware acceleration
  – Support for multiple network segments simultaneously

* TCP ports used by the Dyre Trojan for hidden command & control – Blue Coat Labs

SUPPORT HIGHEST LEVELS OF CRYPTO: Do Not Downgrade Crypto

• Support for the latest cryptographic standards
  – Timely and complete coverage: 70+ cipher suites and key exchanges supported
    • e.g. AES-GCM, ChaCha, Camellia
• Maintain security posture
  – Do not modify the existing infrastructure security posture
  – No “downgrading” of cryptography – utilize what’s established
    • No “replay vulnerable” RSA forced for key exchange
  – Ensure compliance
    • No exposure or vulnerability of decrypted data

ENHANCE EXISTING SECURITY TOOLS: Decrypt Once, Feed Many

[Diagram: the SSL Visibility Appliance decrypts once and feeds certified partner tools – Sandbox / Anti-Malware, NGFW / IDS / IPS, Security Analytics, DLP, APM / NPB – with Certificate & Key Management and Global Intelligence Network policy data for host categorization]

PRESERVE PRIVACY AND COMPLIANCE: Responsible Decryption

Set white / black lists automatically by category
• Host Categorization Service
  – Leverages the combined Blue Coat/Symantec Global Intelligence Network
  – Utilizes 80+ categories, in 55 languages
  – Processes +1.2B NEW web and file requests per day
• Easily customizable per regional and organizational needs

Policy Examples
• Block or decrypt traffic from suspicious sites and known malnets
• Bypass / do not decrypt financial and banking-related traffic
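As an added illustration of the two points the deck makes (finding TLS by inspecting the payload rather than trusting the port, and then applying a category-driven decrypt / bypass / block policy), here is a small Python example; it is not Blue Coat/Symantec code, and the category names, the policy table and the lookup function are assumptions made for the demonstration.

```python
import struct

# Constructed policy table standing in for the host-categorization lookup;
# these category names are assumed for the example, not the real service's.
CATEGORY_POLICY = {"malnet": "block",        # known malware network: drop the flow
                   "suspicious": "decrypt",  # decrypt and inspect
                   "financial": "bypass"}    # banking traffic: do not decrypt
DEFAULT_ACTION = "decrypt"
TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000

def parse_client_hello(payload):
    """SNI host from a TLS ClientHello ('' if it has none), or None when the bytes
    are not a ClientHello. Only the payload is inspected, so TLS on any port is found."""
    try:
        if payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO:
            return None
        pos = 9 + 2 + 32                      # record + handshake headers, version, random
        pos += 1 + payload[pos]               # session id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]   # cipher suites
        pos += 1 + payload[pos]               # compression methods
        if pos + 2 > len(payload):
            return ""                         # no extensions block at all
        ext_end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == EXT_SERVER_NAME:   # list len (2), name type (1), name len (2), name
                name_len = struct.unpack_from("!H", payload, pos + 3)[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return ""
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def decide(payload, lookup):
    """Classify one flow: 'not-tls', or the policy action for the SNI's category."""
    sni = parse_client_hello(payload)
    if sni is None:
        return "not-tls"
    return CATEGORY_POLICY.get(lookup(sni), DEFAULT_ACTION)

def build_client_hello(host):
    """Build a minimal ClientHello carrying an SNI (constructed test input)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\xc0\x2f"                   # one suite: ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00"                           # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs
```

A plain-text HTTP request on port 443, or a ClientHello on an arbitrary port, is classified by its bytes alone; the same table can be driven by a real categorization feed instead of the constructed one.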


RESPONSIBLE SSL DECRYPTION: Two Approaches

Inbound SSL Decryption
Origin: from the Internet. Destination: your hosted services
– Web Servers
– Email Servers
– Customer Web Portals

Outbound SSL Decryption
Origin: inside your network. Destination: to the internet
– Outbound Encrypted Internet Traffic
– Encrypted Email
– Shadow IT (SaaS)

[Diagram: Clients / Hosted Services – Security Solution – Internet]
Providing visibility for the entire security stack… IPS – IDS – APT – DLP – APM – SIEM – Full Packet Capture

Eliminating the SSL/Encryption Blind Spot: SSL Reduces Security Tools’ Effectiveness
[Diagram: Internet – Firewall – Proxy – Tap feeding Sandbox, IPS, Analytics, APM, Network Tuning]

Eliminating the SSL/Encryption Blind Spot: Enabling SSL Decryption On Each Appliance
[Diagram: Internet – Firewall – Proxy – Tap feeding Sandbox, NGFW/NGIPS, Analytics, APM, Network Tuning]

Eliminating the SSL/Encryption Blind Spot: Compliant and Secure Approach to SSL Decryption
[Diagram: Internet – Firewall – Proxy – Tap feeding Sandbox, IPS, APM, Network Tuning, Analytics]

Visibility & Control of SSL/TLS Traffic at Scale: A Common Use Case

GigaSECURE® Features
– Load Balancing
– Bypass
– Security service chaining

SSL Visibility Appliance Offers
– Comprehensive policy enforcement
– High performance
– Various deployment modes (inline, out-of-line, active, passive)

Benefits
– Complete SSL visibility and control
– Cost-effective scaling with fault tolerance
– More effective security / faster time to detection

[Diagram: Production Network 1 and Production Network 2 (Side A) → GigaSECURE SMT-HC0-X16 / TAP-HC0-G100C0 → SSL Visibility Appliance SV3800 → SSL, Security Analytics, Anti-Malware; legend: Network Encrypted, Blue Coat Decrypted]

SSL VISIBILITY APPLIANCE FAMILY

Per model: total packet processing; SSL visibility throughput; concurrent SSL flow states (CPS); new full-handshake SSL sessions per second (i.e. setups / tear-downs) for 1024-bit keys / 2048-bit keys / ECDHE256; configuration

SV800-250M: 8 Gbps; 250 Mbps; 20,000; 1,000 / 1,000 / 500; fixed
SV800-500M: 8 Gbps; 500 Mbps; 20,000; 2,000 / 2,000 / 1,000; fixed
SV1800: 8 Gbps; 1.5 Gbps; 100,000; 8,000 / 3,000 / 3,500; fixed
SV2800: 20 Gbps; 2.5 Gbps; 200,000; 12,500 / 3,000 / 6,000; modular, 3 slots
SV3800: 40 Gbps; 4 Gbps; 400,000; 15,000 / 6,000 / 8,000; modular, 7 slots
SV3800B-20: 40 Gbps; 9 Gbps; 800,000; 30,000 / 6,000 / 11,000; modular, 7 slots

Input / Output: 8 x 10/100/1000 Copper (fixed); 8 x 10/100/1000 Copper or Fiber (fixed); 2x10G Fiber, 4x1G Copper, 4x1G Fiber network mods (modular models)
Resiliency: Fail-to-Wire (FTW) / Fail-to-Appliance (FTA)
Network Modules / Net Mods (USD): N/A for fixed models; for modular models:
• 4 port copper 1G: NTMD-SV-4x1G-C
• 4 port fiber 1G: NTMD-SV-4x1G-F
• 2 port fiber 10G SR: NTMD-SV-2x10G-SR
• 2 port fiber 10G LR: NTMD-SV-2x10G-LR

ETM AS DESIGN POINT FOR ATP: 47 SITES

Regardless of the vertical, the solution and the problem are constant.
• We have security tools
• SSL is 50% of traffic
• Single point to manage policy and gain visibility

[Chart: vertical deployment %]

GLOBAL TOP 10 BANK

• RFP for Threat Defense
  – Large $ project and board-level visibility
  – Increasing Advanced Persistent Threats (APTs) and malware attacks
  – Bake-off of 3 vendors (FireEye, Trend, Blue Coat)
• Solution
  – Pitched Blue Coat ATP (SA+MAA)
  – Pitched ETM solutions for all vendors (FireEye, Trend, Blue Coat)
• Results
  – Customer used ETM as best practice for all of the ATP vendors
  – Trend Micro was chosen as the ATP solution
  – Customer stated +/- 2% on malware effectiveness BUT
  – Without SSL Visibility all solutions were 50% less effective.

Presenter
Presentation Notes

Company Description
Company is a consumer credit reporting agency headquartered in the Southeast US and is one of the three largest American credit agencies. A kindred spirit to Blue Coat, the company describes itself as “empowering businesses and consumers with information they can trust.” Company has a strong heritage of innovation and leadership and leverages its unique data, advanced analytics and proprietary technology to enrich the performance of businesses and the lives of consumers.

Background: Business Drivers and Blue Coat Opportunity
Company had been using an IBM Intrusion Protection System (IPS), but that equipment was approaching end of life (EOL) and the company was preparing for an IPS refresh. Company needed new technology for its corporate headquarters and 20 locations throughout the U.S. and worldwide. After a bake-off, the company selected Sourcefire for the IPS refresh program. However, during the evaluation process, questions were raised around how they were handling, or not handling, SSL traffic. The company was aware of the increasing use of SSL to hide advanced attacks—in fact 80% of advanced persistent threats use encrypted traffic/SSL and go undetected—and the urgency of SSL visibility was rising due to recent breaches at Company as well as the broader financial sector. (Steve Terrell and Rob Crawson were engaged with the Sourcefire PoC prior to acquisition.)

How We Identified the Opportunity
The opportunity was brought to the attention of Blue Coat by Sayers, a Premier Partner. Sayers initially engaged us to be a cooperative partner with their Sourcefire IPS project. The Sayers account manager was instrumental in helping us to build the Blue Coat SSL Visibility Appliance (SSL VA) into this project, negotiate terms, and even bring the deal to closure on the final day and night of the quarter. Sayers also actively evangelized Blue Coat through user groups and forums and peer relationships.

How We Won
The Blue Coat SSL VA simply offered capabilities no competitive product could match. IBM’s promise of IPS with built-in SSL visibility fell short due to performance concerns and the fact that it couldn’t “decrypt once and feed many” like the SSL VA could (the SSL VA can send copies out to multiple devices over additional ports, which allows you to feed all traffic, decrypted and non-SSL, to additional passive devices on the network). Sourcefire was also evaluated and was deemed to have an uncertain future roadmap for SSL visibility. In addition, the added value of WebPulse as the heart of their existing ProxySG and ProxyAV environment, and the future capabilities of the SSL VA made Blue Coat the clear choice, even over OEM appliances through Sourcefire.

Value for the Customer
The SSL Visibility Appliance will provide the visibility that Company was missing to ensure compliance and help protect against threats through this encrypted channel. Future integration with existing FireEye.

Strategic Importance
The overwhelming advantages of the SSL VA, combined with the close teamwork between Sayers and Blue Coat, positively impressed senior management at Company and opened the door to future opportunities. Company is now looking more closely at the possibilities of the Security Analytics technologies and may be receptive to the lifecycle defense concept. The win also provides a rock-solid reference in the financial services industry, an example we can present to virtually every prospect in financial services.

Lessons Learned
Ask discovery questions regarding any/all security projects. SSL can and should be built into the budget in FW/IPS/APT initiatives. Take advantage of all the various communication channels to get the word out about Blue Coat’s advantages in SSL visibility: user groups, bulletin boards, blogs, informal tech talks, and so on. In this case our partner, Sayers, was extremely effective in evangelizing at multiple levels throughout the customer’s organization, gaining support among IT admins, security professionals, and senior executives. This was a key factor in getting the win.

BLIND SPOT: MULTIPLE TOOLS, HR/LEGAL

US-based Fortune 10 Company
• Pain Points
  – Realized they have massive blind spots with their IPS (HP), forensics (NetWitness) and malware analysis (FireEye) solutions
  – Faced confusion regarding SSL offload and “back-to-back” solutions
  – Spent 4 months with alternative solutions, unsuccessfully
• Solution
  – Blue Coat educated customer on ETM
  – Addressed Legal Dept. concerns with Host Categorization
  – Quickly shipped equipment – POC set up and showed the value in just 3.5 hours
• Results
  – 24 SV2800 appliances in < 60 days (DataCenter 1)

NEXT GENERATION FIREWALL: SOMETIMES ALL IN ONE ISN’T ALL IN ONE

• Large National Financial Customer
• +1000 server infrastructure supporting +8000 employees
• Using Venafi to distribute, validate and manage cryptographic certs & keys

Pain Points
– Rapid growth of SSL required a strengthened security posture
– NGFW was insufficient due to poor performance and no support for cert/key management and ciphers that the firm needed to utilize.
  • NGFW upgrades were significantly (4x) over budget
– 2 month deadline for current FY

Solution
– SSL Visibility Appliances feed NGFW+IDS and support Venafi Trust Protection Platform
– “Decrypt Once-Feed Many” architecture allows future growth
– Additional security projects in discussion

Results
– Solution procured / delivered / deployed within 3 weeks
– Satisfied customer with a newly enhanced secure network that complements their existing solutions within budget

ROI Calculator: What is your blind spot costing you?

In addition to enhancing your security by removing the SSL blind spot, use this calculator to see what having tools that cannot see this traffic is costing you over time. [ROI TOOL LINK]

Q&A


Thank you!

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Thomas J. Quinlan, [email protected], +447876556271