So You Thought You Were Secure! What Has Changed?

About This Presentation
Title:

So You Thought You Were Secure ! What Has Changed ?

Description:

5,00 samples of malicious code are received each month. DOUBLE what they received 1 year ago ... image files to contain actual code - Trojan opens backdoor. ...

Slides: 27
Provided by: jimali

Transcript and Presenter's Notes



1
So You Thought You Were Secure! What Has Changed?
2
Agenda
  • Define the Problem
  • What has Changed
  • The Barrier Solution
  • Conclusion
    • Industry
    • Barrier
  • Contact Information

3
So You Thought You Were Secure?
  • Independent perimeter security consisting of
    Firewall, IDS/IDP, Anti-Spam/Virus, Web Content
    Filtering
  • 87% of survey respondents had either a virus or
    spyware incident in the past 12 months, over
    5,000 incidents in total
  • What security technology was in production?
    • 98.2% Anti-Virus
    • 90.7% Firewall
    • 76.2% Anti-Spam
    • 24.5% Web Content Filtering
    • 23% IDS/IDP
  • Source: FBI 2005 Survey with 2066 respondents
  • WMF virus discovered on 12-27-05, delivered via
    web sites and/or email. Within 3 days there were
    50 variants
  • Vulnerabilities in router code, OS, etc.

4
Are You Prepared to Protect New and Present
Applications?
  • Data
  • VOIP
  • IM (Instant Messenger)
  • P2P (Peer-to-Peer) Applications
  • IP Video
  • Barrier1 Appliance is Doing it TODAY

5
The Landscape Has Changed
  • Rules of the game have changed: security is no
    longer about protecting the wire but protecting
    mission-critical business data
  • The problems and the solutions available are at a
    point where NEW TECHNOLOGY will cause change
  • People
    - The thrill and excitement
    - Money
    - Organized, sophisticated, intelligent
  • 1998: 32 attack types
    - Denial of service, remote to local, user to root,
      probing/surveillance
    - Only 75% could be detected
  • 2005: 291 variants of the MyTob virus alone
  • 5,00 samples of malicious code are received each
    month, DOUBLE what they received 1 year ago
    - Source: Eugene Kaspersky, a Russian research lab
  • Blended attacks
  • Zero day
  • Monetary gain

6
Malicious Economy, e.g. Spyware
  • CoolWebSearch
    - 6 cents per install
    - 11,000 per week in commissions
    - 175,000 new installs per week
  • FlowBy botnet
    - 32,000 unique IPs installing adware
    - 584.99 per day
  • Recent Trojan infection
    - Arrived disguised as a business proposal
    - Customized for each target to evade scanners
    - Compromised machines were generating 17,000 per
      month
    - 150 companies in the UK and Israel have been
      attacked so far

7
What are Industry Experts Saying?
  • "New threats don't make anti-virus technology
    irrelevant, but they do change its role within
    enterprises."
    Source: Mr. Hogan, Symantec, eWeek, Oct. 17,
    2005
  • "Signature-based detection is still valuable for
    protecting email and detection of the network
    perimeter. It's a technology that's necessary but
    not sufficient."
    Source: John Pescatore, analyst at Gartner Group

8
Market Shift
  • Software
  • General purpose appliance: VPN / VPN firewall
    servers, web content servers
  • Specialty appliances: firewall, intrusion
    protection, anti-virus, anti-spam, web content
    filtering
  • Unified Threat Management (UTM), static environment
  • Unified Threat Management (UTM), intelligent
    environment: Listen, Learn, Predict and React
9
Point Solutions are Not Enough
  • VPN/Firewall
    - Only stops traffic to and from designated
      ports; they are either always open or always
      closed
    - Cannot determine the type of request or intent
    - Does not handle application layer protocols
  • IDS/IDP
    - Only generates log packets
    - Alerts: sends email, calls pager
    - Limited capturing features
  • Web Content Filtering
    - Only stops known, designated sites, based on a
      list
  • Anti-Spam/Virus
    - Only searches for the KNOWN: valid recipient,
      black list, email body/header test
  • Barrier 1
    - Listen, Learn, Predict, React
10
Latest Blended Attack: WMF
  • What is it? A vulnerability in Microsoft Windows
    ME, XP, 2000 and 2003
  • When did it appear? 12-27-05, originally on 10
    sites
  • Who issued the alert? CERT.org, along with
    several others
  • How do you get it?
    - Visit a web site carrying an image file (WMF
      file)
    - Open an email containing the WMF file
  • Why is it vulnerable?
    - The metafile format allows image files to
      contain actual code; the Trojan opens a
      backdoor. It unregisters a .dll, then calls
      GDI32.dll, which does the work.
    - Microsoft considers this a feature, needed to
      cancel print jobs in mid-stream.
    - Other vulnerabilities as well
  • Microsoft response?
    - Block access to all WMF files
    - Designed a patch in a few days
    - Released the patch on Jan. 10, 06
  • As of Jan. 3, 2006 most major anti-virus, anti-spam
    and web content companies do not have a
    solution

11
Why Point Solutions Would Not Work
  • Firewall: open port and not intelligent;
    could not limit web sites
  • Anti-Virus: dependent on a list, and signatures
    were not released; the WMF virus has a web content
    component
  • Web Content: helps, but WMF has an email
    component
  • IDS/IDP: can create signatures that look at
    email and network traffic and then block.
    Issue: the attachment has to be
    clear text, not encrypted, i.e. not inside zip
    files or SSL connections
  • UTM: not intelligent and doesn't learn from
    other technology
  • General: no single technology learned from the
    other technologies
  • Source: eWeek Magazine, 1-2-06 edition,
    Larry Seltzer, author
  • Summary: none of the major security vendors
    could respond to the problem at all. When
    they did, it took over 5 days.
  • The Barrier Group was the only vendor to protect
    against the WMF virus on Day 0 in all 4 quadrants.

12
How Barrier1 Solved The Problem
  • 12-27-05: appliance and human intervention
  • Appliance: due to profiling, unusual traffic was
    noted and an alert was sent to the
    administrator and the GTC
  • Human: the Global Threat Center received
    notification from 1 of 70
    monitored virus definition suppliers
    - Began blocking the source address
    - Created an IDS, anti-virus and web content rule
      to exclude WMF files
    - Verified virus definitions, then pushed them
      out to all of our customers
  • Elapsed time: 1.5 hrs
  • Long term: Barrier1 learns all attributes and
    behavior and will block mutations. A
    mutation could keep the file
    structure but rename the WMF file to a more
    conventional file extension
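An added illustration, not part of the original deck and not Barrier1 code: why the rename mutation described above defeats a rule keyed on the file extension, and how a content-based check identifies a WMF file from its header instead. Header field values come from the public WMF file format; the sample inputs are constructed and contain no exploit content.

```python
import struct

# Header field values from the public WMF file format (constants are not from the slide).
PLACEABLE_KEY = 0x9AC6CDD7        # 32-bit key at offset 0 of a "placeable" WMF
PLACEABLE_HEADER_LEN = 22         # placeable header precedes the standard header
STANDARD_HEADER_LEN = 18
WMF_TYPES = {1, 2}                # mtType: 1 = memory metafile, 2 = disk metafile
WMF_VERSIONS = {0x0100, 0x0300}   # mtVersion: Windows 1.x / 3.x metafile
HEADER_SIZE_WORDS = 9             # mtHeaderSize is always 9 (16-bit words)


def _standard_header_ok(buf: bytes) -> bool:
    """Check the 18-byte standard WMF header: mtType, mtHeaderSize, mtVersion."""
    if len(buf) < STANDARD_HEADER_LEN:
        return False
    mt_type, hdr_words, version = struct.unpack_from("<HHH", buf, 0)
    return mt_type in WMF_TYPES and hdr_words == HEADER_SIZE_WORDS and version in WMF_VERSIONS


def is_wmf(data: bytes) -> bool:
    """True if the bytes carry a WMF structure, whatever the file is called."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return _standard_header_ok(data[PLACEABLE_HEADER_LEN:])
    return _standard_header_ok(data)


def classify(name: str, data: bytes) -> str:
    """'wmf' = WMF content with a .wmf name, 'wmf-renamed' = WMF content hiding
    behind another extension (the mutation the slide describes), 'other' = not WMF."""
    if not is_wmf(data):
        return "other"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return "wmf" if ext == "wmf" else "wmf-renamed"


def flagged(attachments):
    """Names a content-based WMF rule would block; an extension-only rule
    would miss every 'wmf-renamed' entry."""
    return [n for n, d in attachments if classify(n, d) != "other"]


# Constructed sample inputs (not real malware): bare WMF headers and a JPEG marker.
SAMPLE_WMF = struct.pack("<HHHIHIH", 2, HEADER_SIZE_WORDS, 0x0300, 9, 0, 0, 0)
SAMPLE_PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + SAMPLE_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 14

if __name__ == "__main__":
    samples = [("chart.wmf", SAMPLE_PLACEABLE), ("invoice.jpg", SAMPLE_WMF), ("photo.jpg", SAMPLE_JPEG)]
    print(flagged(samples))   # ['chart.wmf', 'invoice.jpg']
```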

13
Security Needs Effective / Affordable Protection
  • What does it take to deliver secure, effective
    protection?
    - Intelligence, automation, speed,
      support, effectiveness
  • Barrier solution
    - Intelligence: math, lists, learning ability
    - Automation: ability to react to anomalies and
      block
    - Speed: analyze, predict, react within a
      microsecond
    - Support: monitoring public, private and
      remote sensors for learning

14
The Solution
  • The Barrier Group is the first to market with an
    effective, cost-efficient, single-source IT
    security solution: a solution that evolves.

15
Feature Set By Function
  • Firewall/VPN
    • Stateful Firewall
    • Multiple DMZ
    • VPN
    • Traffic Shaping
  • Anti-Virus / Anti-Spam
    • Anti-Virus
    • Anti-Spam
    • E-mail Filtering
    • E-mail Forwarding w/masking
  • Web Content
    • Web Content Filtering
    • Cache Server
    • Proxy Server
    • Web Forwarding w/masking
  • IDS/IDP
    • Intrusion Detection
    • Intrusion Prevention
    • Honey Pot
    • Anomaly Detection

16
Firewall Feature Set
  • Stateful Inspection
  • Multiple DMZ
  • VPN Gateway
  • Concurrent VPN Tunnel
  • IPSec, PPTP, L2TP, GRE, SSL-VPN
  • SNMP, SNMPv2c, SNMPv3, SSHv2 (secure Telnet /
    FTP)
  • SSL/TLS, Secure HTTP
  • Traffic Shaping
  • Network Monitoring

17
IDS/IDP Feature Set
  • Signature Updates 2 times per hour
  • Anomaly detection
  • Full IP defragmentation
  • Pattern matching
  • Protocol decoding
  • 802.1Q detection
  • Dynamic proactive protection

18
Anti-Virus/Anti Spam Feature Set
  • Header inspection and analysis
  • Full text inspection and analysis
  • Attachment inspection and analysis
  • 19 Different Test Criteria
  • Black List updates
  • Virus Definition updates 2 times per Hour
  • Spam definition by domain
  • Learns and adapts
  • LDAP Authentication
  • Malware and Adware Protection

19
Web Content Feature Set
  • List-based filtering
    • Domain
    • URL
    • Expression
  • Web Proxy Server
  • Web Cache Server
  • HTTP, HTTPS, FTP, VPN filtering
  • LDAP authentication
  • Time Space filtering

20
The Solution
W32.Sobig.F@mm
21
The Barrier Solution: AARE Engine
  • Components: Web Content Filter, IDS Rules,
    Firewall Rules, Anti-Virus System, AARE Engine
  • Approved packets pass through
  • Denied packet information is loaded into the AARE
    database. Analysis on packet information is shared
    with the other technologies.
  • If a packet is infected, the message is thrown out
    and the source IP address is loaded into the AARE
    engine.
22
What Does The AARE Engine Capture?
  • 19 data elements at 9 different inspection points
    - e.g. source IP address, packet structure, good
      host / bad host
  • Each inspection point could have 1000s of
    additional inspection elements
    - e.g. firewall rules, anti-virus definitions, etc.
  • Individual network profile
    - Normal volume
    - Time of day
    - Normal destination address

23
Global Threat Management Center
  • Good security solutions require good process
  • At The Barrier Group the Global Threat Management
    Center supports the process of security through:
    - 24/7 monitoring of the Barrier1 install base
    - 24/7 monitoring of global security events
    - Review of findings in AARE from all Barrier1
      appliances
    - Ensuring all Barrier1 appliances are current and
      are protecting our customers' environments
    - Notifying customers of any suspicious activities

24
Case Study
  • County
  • Presently using firewalls, anti-spam, anti-virus
  • Was infected by a rootkit
  • 637,185 Priority 1 events: VERY high probability that
    servers and PCs have been compromised
  • 1,375,116 Priority 2 events
  • 5,163,434 Priority 3 events
  • Priority 0: This indicates an attempt to
    compromise the Barrier1 appliance itself.
  • Priority 1 events (HIGH): This indicates a high
    risk external attack or possibly a compromised
    internal computer.
  • Priority 2 events (MEDIUM): These are attacks against
    known vulnerabilities that you may or may not
    be susceptible to.
  • Priority 3 events (LOW): These are reconnaissance
    type attacks and are used to gather
    information regarding your network and computers.

25
Industry and Barrier Conclusion
  • Industry conclusion
    - Flexibility and a nimble, proactive approach are
      required
    - Any organization can be compromised
  • Barrier conclusion
    - New technologies and methods for attacks are
      being developed
    - Correlation and anomaly detection are being
      improved
    - Human-driven protections are too slow today
    - Risk is growing
    - The Barrier1 Appliance has you protected

26
Contact Information
  • Doug Hermanson 612-390-9252
  • Jim Libersky 763-230-1041
  • Rob Demopoulos 763-422-3776
  • Kip Farrington 773-580-8630
  • hi3 Wendell Norton (Federal) 866-861-0808
  • Visit us at www.thebarriergroup.com