Security Focuses
The SSL Conundrum
The SSL Threat Landscape & Encrypted Traffic Management
“What you can’t see can hurt you.”
Thomas J. Quinlan, CISSP, CCFP, GREM
EMEA Solutions Architect – Advanced Threat Protection
A Bad Year for Yahoo!
• September 2016
  – Reports of 500 million accounts stolen
  – Not related to SSL (that we know)
  – Breach allegedly occurred in late 2014
• August 2015
  – Malvertising campaign found on Yahoo! ad network
  – Definitely related to SSL
  – Exposed potentially hundreds of millions of people to malware
    • Angler Exploit Kit
    • Cryptowall, Teslacrypt, others
Copyright © 2015 Symantec Corporation
A Bad Year for Everyone?
• SSL malware is on the rise....
  – Our own research shows:
    • Command and control (C&C) servers using SSL to disguise malware increased 200x last year
    • Encrypted C&C traffic (malware <-> server) increased 58x last year
• ....Because SSL is on the rise
  – Approximately 65% of internet traffic is SSL now
  – Google search ranking penalises sites that aren’t using SSL
  – LetsEncrypt.org makes SSL free & easier to use
    • Private beta late Oct/early Nov 2015
    • Public beta December 2015
A Timeline of the Increase....
Source: https://www.bluecoat.com/security-blog/2016-07-31/escalation-ssl-based-malware
And an updated one....
Source: Blue Coat Labs Oslo
SSL Does Help Us.... it Just Also Helps the Bad Guys
A Tale of Two PCAPs – one encrypted traffic, the other not.
A Tale of Two PCAPs (Continued)
Encrypted traffic invisible to security tools.
A Tale of Two PCAPs (Continued)
ETM gives much more information.
A Tale of Two PCAPs (Continued)
Security tool sees the threat.
Example Attack
• Phishing
  – Spam email crafted
    • targeted: “receipt”, “invoice”, etc.
  – Spam email sent
  – Spam email received by potential victim
  – Attachment executed
  – Machine compromised
  – SSL traffic for C&C
• Sweden example
  – email crafted with “kvitto_[date].exe” attachment
  – attachment is Retefe malware
  – malware installs a new root certificate on the machine
  – all traffic for particular financial institutions is intercepted (MITM) over HTTPS by the attacker’s server first
  – additional malware may be downloaded
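The Retefe step that makes the bank MITM work is the extra root certificate on the endpoint, so the check a defender wants is a trust-store baseline diff. The following is an added example, not code from the slides or from Blue Coat/Symantec: it fingerprints every certificate in a PEM bundle with SHA-256 and reports roots that are not in a recorded baseline. The bundles are constructed placeholders, not real certificates, and the /etc/ssl/certs/ca-certificates.crt path mentioned in the comment is an assumption about where a Linux host keeps its bundle.

```python
"""
Trust-store drift check: fingerprint every certificate in a PEM bundle and diff
against a recorded baseline, so a newly installed root CA is flagged.
Added example, not from the slides or from Blue Coat/Symantec.
The certificates below are constructed placeholders, not real DER data.
"""
import base64
import hashlib
import re
from typing import Dict, List, Set

# One PEM certificate block; the body is base64 of the DER encoding.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_ders(bundle: bytes) -> List[bytes]:
    """Extract the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode(b"".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most tools print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(bundle: bytes) -> Set[str]:
    """Set of fingerprints for all certificates in the bundle."""
    return {fingerprint(der) for der in pem_to_ders(bundle)}


def trust_store_drift(baseline: Set[str], current_bundle: bytes) -> Dict[str, List[str]]:
    """Compare the current bundle with the baseline. Anything under 'added' is a
    root the baseline never had and deserves investigation."""
    current = fingerprints(current_bundle)
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


def make_placeholder_pem(label: str) -> bytes:
    """Constructed stand-in for a certificate; the body is NOT a real DER cert."""
    body = base64.b64encode(b"placeholder DER for " + label.encode())
    lines = b"\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + lines + b"\n-----END CERTIFICATE-----\n"


# Constructed bundles: the golden image's roots, and the same store after an
# extra root was installed.
GOLDEN_BUNDLE = make_placeholder_pem("Vendor Root CA 1") + make_placeholder_pem("Vendor Root CA 2")
TAMPERED_BUNDLE = GOLDEN_BUNDLE + make_placeholder_pem("Unexpected Root")
BASELINE = fingerprints(GOLDEN_BUNDLE)   # record at build time, keep a copy off-host


if __name__ == "__main__":
    # On a real Linux host you would read the system bundle instead, e.g.
    # open("/etc/ssl/certs/ca-certificates.crt", "rb").read()  (path is an assumption)
    drift = trust_store_drift(BASELINE, TAMPERED_BUNDLE)
    for fp in drift["added"]:
        print("ALERT: root certificate not in baseline:", fp)
    for fp in drift["removed"]:
        print("WARN: baseline root missing:", fp)
```

Keeping the baseline off the host matters: malware that can install a root can also edit a local baseline file, so the comparison should run from a management system or an endpoint agent that fetches the expected set centrally.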
Example Attack
• Malvertising
  – Ads submitted to network
    • May or may not be checked
    • Good ads may be replaced with bad ones
  – Web page served
    • Victim may be “fingerprinted”
      – this may be done by the criminal
      – this may be done by the ad network!
  – Advert served
    • iFrames
    • (SSL) redirects
  – Exploit served
    • drive-by download
    • exploit
      – browser
      – content plugins (Flash, etc.)
• United Kingdom example
  – popular news website
  – DoubleClick ad website
  – tracking site
  – fake ad server
    • domain shadowed
  – exploit/malware (Angler/Neutrino)
Security Tools Are Not Designed For This
Most security solutions are “blind” to SSL.
• DLP, IDS, Sandboxing, Forensics, Analytics.
[Diagram: DLP, Anti-Malware, Network Forensics, Web Proxy Vendors, NGFWs, LBs/ADCs]
“Tool by tool” SSL decryption doesn’t work.
• Costly upgrades: NGFW and IPS solutions suffer up to 80% performance degradation*.
• Numerous, evolving cryptographic suites.
• Additional complexity – arduous scripting.
*Sources: NSS Labs, Gartner
CISOs Are Aware: SSL/TLS Threats Are a Top Concern
TYPES OF CYBERTHREATS
• Malware
• Phishing
• SSL-Encrypted Threats
• DoS / DDoS
• APTs
Source: CyberEdge CDR 2016 Report
Encrypted Traffic Management
Responsible SSL Decryption as a Solution
ENCRYPTED TRAFFIC MANAGEMENT – A Key Design Point
• Automated elimination of the SSL blind spot
• Ensure the highest level of encryption is maintained
• Enhance effectiveness and ROI of existing security tools
• Preserve privacy and compliance while enabling security
ELIMINATE THE BLIND SPOT CAUSED BY SSL – Automatically
• Automatically discover all SSL/TLS traffic, regardless of port or application
  – Complex scripting not required
  – Faster ‘time-to-productivity’
  – Any port – any protocol – automatically*
• High-performance inspection
  – 9 Gbps SSL throughput
  – 800K connections / second (CPS)
  – Software and hardware acceleration
  – Support for multiple network segments simultaneously
* TCP ports used by Dyre Trojan for hidden command & control – Blue Coat Labs
SUPPORT HIGHEST LEVELS OF CRYPTO – Do Not Downgrade Crypto
• Support for the latest cryptographic standards
  – Timely and complete coverage: 70+ cipher suites and key exchanges supported
    • e.g. AES-GCM, ChaCha, Camellia
• Maintain security posture
  – Do not modify the existing infrastructure security posture
  – No “downgrading” of cryptography – utilize what’s established
    • No “replay vulnerable” RSA forced for key exchange
  – Ensure compliance
    • No exposure or vulnerability of decrypted data
ENHANCE EXISTING SECURITY TOOLS – Decrypt Once, Feed Many
[Diagram: SSL Visibility Appliance at the centre feeding Sandbox / Anti-Malware, NGFW / IDS / IPS, Security Analytics, DLP, APM / NPB and Certified Partners; the Global Intelligence Network supplies policy data for host categorization; Certificate & Key Management attached]
PRESERVE PRIVACY AND COMPLIANCE – Responsible Decryption
Set white / black lists automatically by category
• Host Categorization Service
  – Leverages the combined Blue Coat/Symantec Global Intelligence Network
  – Utilizes 80+ categories, in 55 languages
  – Processes +1.2B new web and file requests per day
• Easily customizable per regional and organizational needs
Policy examples
• Block or decrypt traffic from suspicious sites and known malnets
• Bypass / do not decrypt financial and banking-related traffic
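Two of the claims on these slides are mechanical enough to show in code: finding TLS on any port rather than trusting the port number (the Dyre footnote), and turning a host category into a decrypt / bypass / block decision (the policy examples). The block below is an added example, not Blue Coat/Symantec code: it parses the TLS record and ClientHello headers far enough to pull out the SNI, then applies a category table. The category table, the policy, the host names and the sample flows are all constructed for the demo; a real deployment would take the category from a categorization service and the policy from the appliance configuration.

```python
"""
Port-agnostic TLS detection plus a category-based decrypt/bypass/block policy.
Added example, not Blue Coat/Symantec code. The category table, the policy
and the host names are constructed for the demo.
"""
import struct
from typing import Optional

# Constructed stand-in for a host categorization service lookup.
CATEGORIES = {
    "login.bank.example": "financial",
    "cdn.example": "content delivery",
    "update.badhost.example": "malnet",
}

# Constructed policy: the slide's two examples plus a default.
POLICY = {
    "financial": "bypass",   # privacy/compliance: leave banking traffic encrypted
    "malnet": "block",       # known-bad destination: drop the flow
}
DEFAULT_ACTION = "decrypt"   # everything else is decrypted once and fed to the tools


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.
    Used only to produce sample input for the parser below."""
    name = server_name.encode("idna")
    # ServerNameList: list length, then one entry (type 0 = host_name, length, name)
    name_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03"                # client_version TLS 1.2
        + bytes(32)                # client random (zeroed for the demo)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\xc0\x2f"      # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"              # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def is_client_hello(data: bytes) -> bool:
    """True if the first bytes of a TCP stream look like a TLS ClientHello record."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def parse_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello, or None if absent or not TLS.
    Works on the bytes alone, so it does not care which port the flow uses."""
    if not is_client_hello(data):
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    pos = 4 + 2 + 32                                     # handshake header, version, random
    try:
        sid_len = hs[pos]; pos += 1 + sid_len                                  # session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len    # cipher_suites
        cm_len = hs[pos]; pos += 1 + cm_len                                    # compression_methods
        if pos + 2 > len(hs):
            return None                                  # no extensions block at all
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = min(pos + ext_total, len(hs))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            if ext_type == 0x0000:                       # server_name extension
                lp = pos + 2                             # skip ServerNameList length
                while lp + 3 <= pos + ext_len:
                    name_type = hs[lp]
                    name_len = struct.unpack("!H", hs[lp + 1:lp + 3])[0]
                    if name_type == 0:                   # host_name
                        return hs[lp + 3:lp + 3 + name_len].decode("idna")
                    lp += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None                                      # truncated or malformed hello
    return None


def decide(sni: Optional[str]) -> str:
    """Map an SNI to an ETM action using the constructed category table."""
    if sni is None:
        return DEFAULT_ACTION                            # nothing to categorize: inspect it
    return POLICY.get(CATEGORIES.get(sni, "uncategorized"), DEFAULT_ACTION)


def classify_flow(dst_port: int, first_bytes: bytes) -> dict:
    """Classify one flow from its destination port and the first client bytes."""
    if not is_client_hello(first_bytes):
        return {"port": dst_port, "tls": False, "sni": None, "action": "pass"}
    sni = parse_sni(first_bytes)
    return {"port": dst_port, "tls": True, "sni": sni, "action": decide(sni)}


if __name__ == "__main__":
    # Constructed sample flows, including TLS on non-standard ports.
    samples = [
        (443, build_client_hello("login.bank.example")),
        (4443, build_client_hello("update.badhost.example")),
        (8080, build_client_hello("cdn.example")),
        (443, b"GET / HTTP/1.1\r\nHost: plain.example\r\n\r\n"),
    ]
    for port, payload in samples:
        print(classify_flow(port, payload))
```

Note the decision is driven entirely by the handshake bytes: the flow to 4443 is still recognised as TLS and blocked, and a plaintext HTTP request on 443 is not treated as something to decrypt. A flow with no SNI falls through to the default action, which is the conservative choice when there is nothing to categorize.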
RESPONSIBLE SSL DECRYPTION – Two Approaches
Inbound SSL Decryption
Origin: from the Internet
Destination: your hosted services
  – Web servers
  – Email servers
  – Customer web portals
Outbound SSL Decryption
Origin: inside your network
Destination: to the Internet
  – Outbound encrypted Internet traffic
  – Encrypted email
  – Shadow IT (SaaS)
[Diagram: Clients and Hosted Services on either side of the Security Solution, facing the Internet]
Providing Visibility for the Entire Security Stack…
IPS – IDS – APT – DLP – APM – SIEM – Full Packet Capture
Eliminating the SSL/Encryption Blind Spot – SSL Reduces Security Tools’ Effectiveness
[Diagram: Internet, Firewall, Proxy; Sandbox, IPS, Analytics and APM fed from a tap with network tuning]
Eliminating the SSL/Encryption Blind Spot – Enabling SSL Decryption On Each Appliance
[Diagram: Internet, Firewall, Proxy; Sandbox, NGFW/NGIPS, Analytics and APM fed from a tap with network tuning, each appliance decrypting on its own]
Eliminating the SSL/Encryption Blind Spot – Compliant and Secure Approach to SSL Decryption
[Diagram: Internet, Firewall, Proxy; a single decryption point feeding Sandbox, IPS, APM and Analytics from the tap]
Visibility & Control of SSL/TLS Traffic at Scale – A Common Use Case
GigaSECURE® features
• Load balancing
• Bypass
• Security service chaining
SSL Visibility Appliance offers
• Comprehensive policy enforcement
• High performance
• Various deployment modes (inline, out-of-line, active, passive)
Benefits
• Complete SSL visibility and control
• Cost-effective scaling with fault tolerance
• More effective security / faster time to detection
[Diagram: SMT-HC0-X16 and TAP-HC0-G100C0 modules connecting Production Network 1 and Production Network 2 (Side A) through an SSL Visibility Appliance SV3800 to SSL Security Analytics / Anti-Malware; legend: Network Encrypted, Blue Coat Decrypted]
SSL VISIBILITY APPLIANCE FAMILY
Function by model (SV800-250M / SV800-500M / SV1800 / SV2800 / SV3800 / SV3800B-20):
• Total packet processing: 8 Gbps / 8 Gbps / 8 Gbps / 20 Gbps / 40 Gbps / 40 Gbps
• SSL visibility throughput: 250 Mbps / 500 Mbps / 1.5 Gbps / 2.5 Gbps / 4 Gbps / 9 Gbps
• Concurrent SSL flow states: 20,000 / 20,000 / 100,000 / 200,000 / 400,000 / 800,000
• New full-handshake SSL sessions per second (CPS, i.e. setups / tear-downs):
  – 1024-bit keys: 1,000 / 2,000 / 8,000 / 12,500 / 15,000 / 30,000
  – 2048-bit keys: 1,000 / 2,000 / 3,000 / 3,000 / 6,000 / 6,000
  – ECDHE256: 500 / 1,000 / 3,500 / 6,000 / 8,000 / 11,000
• Configuration: Fixed / Fixed / Fixed / Modular, 3 slots / Modular, 7 slots / Modular, 7 slots
• Input / Output: SV800-250M and SV800-500M: 8 x 10/100/1000 copper (fixed); SV1800: 8 x 10/100/1000 copper or fiber (fixed); SV2800, SV3800 and SV3800B-20: 2x10G fiber, 4x1G copper, 4x1G fiber network modules
• Resiliency: Fail-to-Wire (FTW) / Fail-to-Appliance (FTA)
• Network modules / Net Mods: N/A on the fixed models; on the modular models:
  – 4 port copper 1G: NTMD-SV-4x1G-C
  – 4 port fiber 1G: NTMD-SV-4x1G-F
  – 2 port fiber 10G SR: NTMD-SV-2x10G-SR
  – 2 port fiber 10G LR: NTMD-SV-2x10G-LR
Regardless of the vertical, the solution and the problem are constant.
• We have security tools
• SSL is 50% of traffic
• Single point to manage policy and gain visibility
VERTICAL DEPLOYMENT % (47 sites)
ETM AS DESIGN POINT FOR ATP
GLOBAL TOP 10 BANK
• RFP for Threat Defense
  – Large $ project and board-level visibility
  – Increasing Advanced Persistent Threats (APTs) and malware attacks
  – Bake-off of 3 vendors (FireEye, Trend, Blue Coat)
• Solution
  – Pitched Blue Coat ATP (SA+MAA)
  – Pitched ETM solutions for all vendors (FireEye, Trend, Blue Coat)
• Results
  – Customer used ETM as best practice for all of the ATP vendors
  – Trend Micro was chosen as the ATP solution
  – Customer stated +/- 2% on malware effectiveness BUT
  – Without SSL visibility all solutions were 50% less effective.
BLIND SPOT: MULTIPLE TOOLS / HR/LEGAL
US-based Fortune 10 Company
• Pain points
  – Realized they have massive blind spots with their IPS (HP), forensics (NetWitness) and malware analysis (FireEye) solutions
  – Faced confusion regarding SSL offload and “back-to-back” solutions
  – Spent 4 months with alternative solutions, unsuccessfully
• Solution
  – Blue Coat educated customer on ETM
  – Addressed Legal Dept. concerns with Host Categorization
  – Quickly shipped equipment – POC set up and showed the value in just 3.5 hours
• Results
  – 24 SV2800 appliances in < 60 days (Data Center 1)
NEXT GENERATION FIREWALL – SOMETIMES ALL IN ONE ISN’T ALL IN ONE
• Large national financial customer
• +1000 server infrastructure supporting +8000 employees
• Using Venafi to distribute, validate and manage cryptographic certs & keys
Pain points
– Rapid growth of SSL required strengthened security posture
– NGFW was insufficient due to poor performance and no support for cert/key management and ciphers that the firm needed to utilize.
  • NGFW upgrades were significantly (4x) over budget
– 2 month deadline for current FY
Solution
– SSL Visibility Appliances feed NGFW+IDS and support Venafi Trust Protection Platform
– “Decrypt Once, Feed Many” architecture allows future growth
– Additional security projects in discussion
Results
– Solution procured / delivered / deployed within 3 weeks
– Satisfied customer with a newly enhanced secure network that complements their existing solutions within budget
ROI Calculator – What is your blind spot costing you?
In addition to enhancing your security by removing the SSL blind spot, use this calculator to see what having tools that cannot see this traffic is costing you over time.
ROI TOOL LINK
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Thomas J. [email protected]
+447876556271