Title: So You Thought You Were Secure! What Has Changed?
1 So You Thought You Were Secure! What Has Changed?
2 Agenda
- Define the Problem
- What has Changed
- The Barrier Solution
- Conclusion
- Industry
- Barrier
- Contact Information
3 So You Thought You Were Secure?
- Independent perimeter security consisting of Firewall, IDS/IDP, Anti-Spam/Virus, Web Content Filtering
- 87% of survey respondents had either a virus or spyware incident in the past 12 months. Over 5,000 incidents
- What security technology was in production?
  - 98.2% Anti-Virus
  - 90.7% Firewall
  - 76.2% Anti-Spam
  - 24.5% Web Content Filtering
  - 23% IDS/IDP
  - Source: FBI 2005 Survey with 2066 respondents
- WMF virus discovered on 12-27-05, delivered via web sites and/or email. Within 3 days there were 50 variants
- Vulnerabilities in router code, OS, etc.
4 Are You Prepared to Protect New and Present Applications?
- Data
- VOIP
- IM (Instant Messenger)
- P2P (Peer-to-Peer) Applications
- IP Video
- Barrier1 Appliance is doing it TODAY
5 The Landscape Has Changed
- Rules of the game have changed: security is no longer about protecting the wire but about protecting mission-critical business data
- Problems and the solutions available are at a point where NEW TECHNOLOGY will cause change
- People
  - The thrill and excitement
  - Money
  - Organized, sophisticated, intelligent
- 1998: 32 attack types
  - Denial of service, remote to local, user to root, probing/surveillance
  - Only 75% could be detected
- 2005: 291 variants of the MyTob virus alone
- 5,00 samples of malicious code are received each month, DOUBLE what they received 1 year ago
  - Source: Eugene Kaspersky, a Russian research lab
- Blended attacks
- Zero day
- Monetary gain
6 Malicious Economy, e.g. Spyware
- CoolWebSearch
  - 6 cents per install
  - $11,000 per week in commissions
  - 175,000 new installs per week
- FlowBy botnet
  - 32,000 unique IPs installing adware
  - $584.99 per day
- Recent Trojan infection
  - Arrived disguised as a business proposal
  - Customized for each target to evade scanners
  - Compromised machines were generating $17,000 per month
  - 150 companies in the UK and Israel have been attacked so far
7 What Are Industry Experts Saying?
- "New threats don't make anti-virus technology irrelevant, but they do change its role within enterprises."
  - Source: Mr. Hogan, Symantec, eWeek, Oct. 17, 2005
- "Signature-based detection is still valuable for protecting email and detection of the network perimeter. It's a technology that's necessary but not sufficient."
  - Source: John Pescatore, analyst at Gartner Group
8 Market Shift
The progression shown on the slide, from left to right:
- Software
- General Purpose Appliance: VPN / VPN Firewall Servers, Web Content Servers
- Specialty Appliances: Firewall, Intrusion Protection, Anti-Virus, Anti-Spam, Web Content Filtering
- Unified Threat Management (UTM): Static Environment
- Unified Threat Management (UTM): Intelligent Environment (Listen, Learn, Predict and React)
9 Point Solutions Are Not Enough
- VPN/Firewall
  - Only stops traffic to and from designated ports; they are either always open or always closed
  - Cannot determine the type of request or intent
  - Does not handle application layer protocols
- IDS/IDP
  - Only generates log packets
  - Alerts: sends email, calls pager
  - Limited capturing features
- Web Content Filtering
  - Only stops KNOWN, designated sites, based on a list
- Anti-Spam/Virus
  - Only searches for KNOWN: valid recipient, black list, email body/header test
- Barrier1 (center of the diagram): Listen, Learn, Predict, React
10 Latest Blended Attack: WMF
- What is it? Vulnerability in Microsoft ME, XP, 2000, 2003
- When did it appear? 12-27-05, originally 10 sites
- Who issued the alert? CERT.org, along with several others
- How do you get it?
  - Visit a web site with an image file (WMF files)
  - Open an email containing the WMF files
- Why is it vulnerable?
  - Metafile allows image files to contain actual code
  - Trojan opens a backdoor; unregisters a .dll, then calls GDI32.dll, which does the work
  - Microsoft claims it is a feature, needed to stop print runs if cancelled in mid stream
  - Other vulnerabilities as well
- Microsoft response?
  - Block access to all WMF files
  - Designed a patch in a few days
  - Released the patch on Jan. 10, 06
- As of Jan. 3, 2006, most major anti-virus, anti-spam, and web content companies do not have a solution
11 Why Point Solutions Would Not Work
- Firewall: open port and not intelligent; could not limit web sites
- Anti-Virus: dependent on a list; signatures are not released; the WMF virus has a web content component
- Web Content: helps, but WMF has an email component
- IDS/IDP: can create signatures that look at email and network traffic and then block. Issue: the attachment has to be clear text, not encrypted, i.e. zip files and SSL connections
- UTM: not intelligent and doesn't learn from the other technology
- General: no single technology learned from the other technologies
  - Source: eWeek Magazine, 1-2-06 edition, Larry Seltzer, author
- Summary: none of the major security vendors could respond to the problem at all. When they did, it took over 5 days.
- The Barrier Group was the only vendor to protect against the WMF virus on Day 0 in all 4 quadrants.
12 How Barrier1 Solved the Problem
- 12-27-05: Appliance and Human Intervention
  - Appliance: due to profiling, unusual traffic was noted and an alert was sent to the administrator and GTC
  - Human: Global Threat Center received notification from 1 of 70 monitored virus definition suppliers
    - Began blocking the source address
    - Created an IDS, Anti-Virus, Web Content rule to exclude WMF files
    - Verified virus definitions
    - Pushed it out to all of our customers
  - Elapsed time: 1.5 hrs
- Long term: Barrier1 learns all attributes and behavior and will block mutations. The mutation could keep the file structure but rename WMF to a more traditional naming convention
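The point made on this slide and the previous one is that a rule keyed on the ".wmf" extension is defeated by renaming the file, so the rule has to recognise the file structure itself. The following is an added example, not Barrier1 code and not part of the original deck, of how a mail or web filter can identify a WMF payload from its header bytes regardless of the name it carries. The sample attachments are constructed header-only byte strings, and the policy labels returned by `classify_attachment` are assumptions.

```python
import struct

# Aldus "placeable" WMF files start with the 4-byte key D7 CD C6 9A (0x9AC6CDD7 read little-endian),
# followed by 18 more bytes of placement data before the standard header.
PLACEABLE_WMF_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
# The standard METAHEADER (18 bytes): mtType 1 = memory / 2 = disk, mtHeaderSize = 9 words,
# mtVersion 0x0100 or 0x0300, then mtSize, mtNoObjects, mtMaxRecord, mtNoParameters.
METAHEADER_LEN = 18


def has_wmf_metaheader(data: bytes, offset: int = 0) -> bool:
    """Check the three fixed fields of a standard METAHEADER at the given offset."""
    if len(data) < offset + METAHEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, offset)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes carry WMF structure, whatever the file name or declared type says."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_WMF_KEY:
        return True
    return has_wmf_metaheader(data, 0)


def classify_attachment(name: str, data: bytes) -> str:
    """Policy label (assumed names): 'wmf-by-name', 'wmf-by-content' for a renamed file, or 'pass'."""
    is_wmf_name = name.lower().endswith(".wmf")
    if looks_like_wmf(data):
        return "wmf-by-name" if is_wmf_name else "wmf-by-content"
    # A .wmf name with non-WMF content is still excluded by the name rule.
    return "wmf-by-name" if is_wmf_name else "pass"


def filter_mail(attachments):
    """Apply the rule to (name, bytes) pairs and return the names that would be excluded, with the reason."""
    excluded = []
    for name, data in attachments:
        label = classify_attachment(name, data)
        if label != "pass":
            excluded.append((name, label))
    return excluded


# Constructed samples: headers only, no metafile records, nothing renderable or executable.
SAMPLE_STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
SAMPLE_PLACEABLE_WMF = (struct.pack("<I", PLACEABLE_WMF_KEY)
                        + b"\x00" * (PLACEABLE_HEADER_LEN - 4)
                        + struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0))
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    demo = [("logo.png", SAMPLE_PNG), ("proposal.wmf", SAMPLE_STANDARD_WMF),
            ("photo.jpg", SAMPLE_PLACEABLE_WMF)]
    for name, label in filter_mail(demo):
        print(f"excluded {name}: {label}")
```

The structural check is what makes the renamed-file mutation the slide describes visible to the filter; the extension check is kept only so that a file that advertises itself as WMF is excluded even when its header is damaged.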
13 Security Needs Effective / Affordable Protection
- What does it take to deliver secure, effective protection?
  - Intelligence, Automation, Speed, Support, Effectiveness
- Barrier Solution
  - Intelligence: math, lists, learning ability
  - Automation: ability to react to anomalies and block
  - Speed: analyze, predict, react within microseconds
  - Support: monitoring public, private, and remote sensors for learning
14 The Solution
- The Barrier Group is the first to market with an effective, cost efficient, single source IT security solution. A solution that evolves.
15 Feature Set By Function
- Firewall/VPN
- Stateful Firewall
- Multiple DMZ
- VPN
- Traffic Shaping
- Anti-Virus Anti-Spam
- Anti-Virus
- Anti-Spam
- E-mail Filtering
- E-mail Forwarding w/masking
- Web Content
- Web Content Filtering
- Cache Server
- Proxy Server
- Web Forwarding w/masking
- IDS/IDP
- Intrusion Detection
- Intrusion Prevention
- Honey Pot
- Anomaly Detection
16 Firewall Feature Set
- Stateful Inspection
- Multiple DMZ
- VPN Gateway
- Concurrent VPN Tunnels
- IPSec, PPTP, L2TP, GRE, SSL-VPN
- SNMP, SNMPv2c, SNMPv3, SSHv2 (secure Telnet/FTP)
- SSH/TLS, Secure HTTP
- Traffic Shaping
- Network Monitoring
17 IDS/IDP Feature Set
- Signature Updates 2 times per hour
- Anomaly detection
- Full IP defragmentation
- Pattern matching
- Protocol decoding
- 802.1Q detection
- Dynamic proactive protection
18 Anti-Virus/Anti-Spam Feature Set
- Header inspection and analysis
- Full text inspection and analysis
- Attachment inspection and analysis
- 19 Different Test Criteria
- Black List updates
- Virus Definition updates 2 times per Hour
- Spam definition by domain
- Learns and adapts
- LDAP Authentication
- Malware and Adware Protection
19 Web Content Feature Set
- List based filtering
- Domain
- URL
- Expression
- Web Proxy Server
- Web Cache Server
- HTTP, HTTPS, FTP, VPN filtering
- LDAP authentication
- Time Space filtering
20 The Solution
- Diagram slide; the sample threat shown is W32/Sobig.F@mm
21 The Barrier Solution: AARE Engine
- Inputs feeding the AARE Engine: Web Content Filter, IDS Rules, Firewall Rules, Anti-Virus System
- Approved packets pass through. Denied packet information is loaded into the AARE database, and the analysis of that packet information is shared with the other technologies.
- If a packet is infected, the message is thrown out and the source IP address is loaded into the AARE engine.
22 What Does the AARE Engine Capture?
- 19 data elements at 9 different inspection points
  - I.e. source IP address, packet structure, good host / bad host
- Each inspection point could have 1000s of additional inspection elements
  - I.e. firewall rules, anti-virus definitions, etc.
- Individual network profile
  - Normal volume
  - Time of day
  - Normal destination address
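The three profile attributes listed above (normal volume, time of day, normal destination) are enough to show how a learned per-host baseline turns into an anomaly alert of the kind slide 12 credits for the first WMF detection. The following is an added example, not the AARE engine's code and not part of the original deck: it learns a profile from constructed flow records and then scores new flows against it. The record format, the host and destination addresses, and the thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline traffic for one internal host over business hours (made-up values).
# Each record: (source_host, hour_of_day, destination_ip, bytes_sent).
BASELINE_FLOWS = [
    ("10.0.0.5", 9, "192.0.2.10", 12_000),
    ("10.0.0.5", 9, "192.0.2.10", 13_500),
    ("10.0.0.5", 9, "192.0.2.20", 11_000),
    ("10.0.0.5", 10, "192.0.2.10", 30_000),
    ("10.0.0.5", 10, "192.0.2.20", 28_000),
    ("10.0.0.5", 10, "192.0.2.10", 31_000),
    ("10.0.0.5", 17, "192.0.2.20", 8_000),
    ("10.0.0.5", 17, "192.0.2.10", 9_500),
    ("10.0.0.5", 17, "192.0.2.20", 8_800),
]


def build_profile(flows):
    """Learn, per host, the byte volumes seen in each hour of day and the set of usual destinations."""
    profile = defaultdict(lambda: {"volume_by_hour": defaultdict(list), "destinations": set()})
    for host, hour, dest, nbytes in flows:
        profile[host]["volume_by_hour"][hour].append(nbytes)
        profile[host]["destinations"].add(dest)
    return profile


def score_flow(profile, flow, sigma=3.0, min_ratio=2.0):
    """Return the reasons a new flow deviates from its host's profile; an empty list means normal."""
    host, hour, dest, nbytes = flow
    if host not in profile:
        return ["unknown_host"]
    p = profile[host]
    reasons = []
    if dest not in p["destinations"]:
        reasons.append("new_destination")
    samples = p["volume_by_hour"].get(hour)
    if not samples:
        # The host has never been seen sending in this hour: time-of-day anomaly.
        reasons.append("unusual_hour")
    else:
        mu, sd = mean(samples), pstdev(samples)
        # With few samples the deviation can be near zero, so also require at least min_ratio x mean.
        threshold = max(mu + sigma * sd, min_ratio * mu)
        if nbytes > threshold:
            reasons.append("volume_spike")
    return reasons


def triage(profile, flows):
    """Split new flows into normal and anomalous; each anomalous entry carries its reasons."""
    normal, anomalous = [], []
    for flow in flows:
        reasons = score_flow(profile, flow)
        (anomalous if reasons else normal).append((flow, reasons))
    return normal, anomalous


if __name__ == "__main__":
    prof = build_profile(BASELINE_FLOWS)
    new_flows = [("10.0.0.5", 10, "192.0.2.10", 29_000),      # ordinary
                 ("10.0.0.5", 3, "198.51.100.7", 900_000)]    # off-hours, new peer, huge volume
    for flow, reasons in triage(prof, new_flows)[1]:
        print(f"alert {flow}: {', '.join(reasons)}")
```

Each reason maps to one of the three profile attributes on the slide; a real engine would add the other inspection points the slide mentions and tune the thresholds per host, but the learn-then-compare structure is the same.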
23 Global Threat Management Center
- Good security solutions require good process
- At The Barrier Group, the Global Threat Management Center supports the process of security through:
  - 24/7 monitoring of the Barrier1 install base
  - 24/7 monitoring of global security events
  - Reviewing findings in AARE from all Barrier1 appliances
  - Ensuring all Barrier1 appliances are current and are protecting our customers' environments
  - Notifying customers of any suspicious activities
24 Case Study
- County
  - Presently using firewalls, anti-spam, anti-virus
  - Was infected by a rootkit
  - 637,185 Priority 1 events: VERY high probability that servers and PCs have been compromised
  - 1,375,116 Priority 2 events
  - 5,163,434 Priority 3 events
- Priority 0: indicates an attempt to compromise the Barrier1 appliance itself.
- Priority 1 Events (HIGH): indicates a high risk external attack or possibly a compromised internal computer.
- Priority 2 Events (MEDIUM): attacks against known vulnerabilities that you may or may not be susceptible to.
- Priority 3 Events (LOW): reconnaissance type attacks, used to gather information regarding your network and computers.
25 Industry and Barrier Conclusion
- Industry Conclusion
  - Flexibility and a nimble, proactive approach are required
  - Any organization can be compromised
- Barrier Conclusion
  - New technologies and methods for attacks are being developed
  - Correlation and anomaly detection are being improved
  - Human driven protections are too slow today
  - Risk is growing
  - The Barrier1 Appliance has you protected
26 Contact Information
- Doug Hermanson 612-390-9252
- Jim Libersky 763-230-1041
- Rob Demopoulos 763-422-3776
- Kip Farrington 773-580-8630
- hi3 Wendell Norton (Federal) 866-861-0808
- Visit us at www.thebarriergroup.com