Securing From the Inside Out
Geoffrey Van Beylen, Manager Systems Engineering
© Copyright Fortinet Inc. All rights reserved.
What We Used To Think
How We Think Today
The Anatomy Of An Attack
[Diagram: threat types (“generic threat”, bot, zero-day threat, trojan, virus, worm) and their entry vectors (devices, email, web sites, physical media)]
Advanced Targeted Attack Lifecycle
[Diagram: timeline from Day 1 to 2 years and beyond: “social engineering”, zero-day exploit, “bot net” activation, advanced targeted attack]
The Threat is Worse Than Ever
*Akylus July 2014
With A Consistent Motivation
*Hackmageddon July 2014
2014 Threat Landscape Developments
[Timeline slide]
- Heartbleed: vulnerable OpenSSL
- IoT: The Moon worm, Linksys routers
- Apple iCloud ransomware, $100 EUR, Oleg Pliss
- Havex RAT: OPC server spy
- Cybervor: 1.2B user & pass, 500M emails
- Supervalu data breach, 200 stores affected
- Evernote hack, 50M users
- Q2 2014 (IDC): 301.3M smart phones shipped, Android 84.7% market
- February: Drive-By Mobile (DriveGenie)
- Evernote hack, 164,644 forum members
- June: Pletor mobile ransom (doc encryption)
- July: Dorkbot/Ngrbot Kamikaze
Date markers shown on the timeline: Feb 13, Apr 07, May 26, Jun 10, Jun 23, Aug 05, Aug 15 (2014); Mar 2013
No One Is Immune
Did you change your password?
ebay – The Impact by the Numbers
145 M: user accounts compromised
525,600: minutes in a year
262,800: number of passwords changed in a year (average 2 minutes/password)
551: man/years wasted changing passwords
Follow The Acronym Trail
Is There A Silver Bullet For Defeating an ATA?
Advanced Targeted Attack
Focus on Three Key Actions
Step 1 - Prevent
• Prevent threats before they enter your network
Step 2 - Detect
• Discover threats that have entered, or tried to enter, the network
Step 3 - Mitigate
• Respond to any threats that have breached the network
• Proactive is key
Fortinet Advanced Threat Protection Framework
Step 1 - Prevent
§ Stateful Firewall
§ 2 Factor Authentication
§ Intrusion Prevention
§ Application Control
§ Web Filtering
§ Email Filtering
§ Anti-Virus
A Cornerstone of Efficient Mitigation
The reports of my death have been greatly exaggerated.
The Human Factor - Laziness
“Old Habits Die Hard”
Operating Systems Require Constant Updates
[Pie chart: Installed PC Operating Systems*: Windows 7 52%, Windows XP 24%, Windows 8/8.1 12%, Other 9%, Windows Vista 3%]
*Net Applications September 2014
Not All Anti-Virus Solutions are Equal
§ Detection Technology
§ Network Placement
§ Operational Efficacy
Step 2 - Detect
§ Stateful Firewall
§ Botnet detection
§ 2 Factor Authentication
§ Client reputation
§ Intrusion Prevention
§ Network behavior analysis
§ Application Control
§ Sandboxing
§ Web Filtering
§ Email Filtering
§ Antivirus
Payload Analysis (aka “sandboxing”)
§ What is it?
» Virtual container, reflecting an end user desktop, in which untrusted programs can be safely examined
§ What happens in it?
» Code is executed in a contained, virtual environment
» Activity is logged and is analyzed for suspect characteristics
» Rating is determined based on system, file, web and traffic activity
§ Why is it important?
» Traditional security looks at static attributes (signature, heuristic, pattern, reputation, etc.) rather than dynamic activity
» In many cases, a site or code is just the first, small stage
[Diagram: controlled inspection of the container's communication; an unsafe action or escape attempt is blocked]
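As an added illustration (not Fortinet's or FortiSandbox's code), here is the rating step described above: a behaviour-based score computed from the system, file, web and traffic events a sandbox logged during detonation. The behaviour names, weights and thresholds are assumptions of this example, and the activity log is constructed inline.

```python
# Added illustration, not FortiSandbox code: rate a detonated sample from the
# dynamic activity a sandbox logged rather than from static attributes.
# Event categories follow the slide: system, file, web and traffic activity.
from collections import Counter

# Hypothetical behaviour weights; a real sandbox tunes these against large
# sample sets. A check for a virtual environment is itself scored, because
# an evasion attempt is a suspect characteristic.
BEHAVIOUR_WEIGHTS = {
    ("system", "persistence_run_key"): 30,
    ("system", "inject_into_other_process"): 40,
    ("system", "vm_environment_check"): 20,
    ("file", "write_executable_to_temp"): 25,
    ("file", "mass_document_encrypt"): 60,
    ("web", "download_executable"): 25,
    ("traffic", "connect_known_c2"): 60,
    ("traffic", "dns_beacon_periodic"): 35,
}
# Score thresholds (hypothetical), checked from highest to lowest.
THRESHOLDS = [(80, "malicious"), (40, "suspicious"), (0, "clean")]


def rate_activity(events):
    """Return (score, verdict, breakdown) for a list of (category, behaviour)
    tuples logged during detonation; breakdown is the score per category.
    Each distinct behaviour counts once, so a sample that beacons a thousand
    times is not rated higher than one that beacons once."""
    score = 0
    breakdown = Counter()
    for category, behaviour in set(events):
        weight = BEHAVIOUR_WEIGHTS.get((category, behaviour), 0)
        score += weight
        if weight:
            breakdown[category] += weight
    for limit, verdict in THRESHOLDS:
        if score >= limit:
            return score, verdict, dict(breakdown)


# Constructed activity log for one sample: it probes for a VM, drops an
# executable fetched over HTTP, then beacons over DNS; benign reads score 0.
SAMPLE_EVENTS = [
    ("system", "vm_environment_check"),
    ("file", "read_config"),
    ("web", "download_executable"),
    ("file", "write_executable_to_temp"),
    ("traffic", "dns_beacon_periodic"),
    ("traffic", "dns_beacon_periodic"),
]
```

Calling `rate_activity(SAMPLE_EVENTS)` yields a score of 105 and the verdict "malicious", with the per-category breakdown showing which kinds of activity drove the rating.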
But a Word of Caution...
http://www.darkreading.com/attacks-breaches/the-increasing-failure-of-malware-sandbo/240159977
Step 3 - Mitigate
§ Stateful Firewall
§ Client reputation
§ 2 Factor Authentication
§ Network behavior analysis
§ Intrusion Prevention
§ Sandboxing
§ Application Control
§ Web Filtering
§ Consolidated logs and reports
§ Email Filtering
§ Professional Services
§ Antivirus
§ User or Device Quarantine
§ Botnet detection
§ Real-time Activity Views
§ Security Reporting
§ Threat Intelligence
§ Threat Prevention Updates
Coordinated Defense Strategy
In-Network Defenses
Continuous Updates
Threat Research and Discovery
The Fortinet ATP Solution
FortiGuard Lab FortiGuard Services
Fortinet Secure EcoSystem
Sandbox integration provides advanced FortiGuard analysis:
• FortiGate: verdict query and quarantine; log analysis
• FortiClient: verdict query, hold and file quarantine; local sandbox signature scan
• FortiMail: hold and await verdict response
[Diagram: FortiGate, FortiMail and FortiClient integrated with FortiSandbox]
Fortinet Secure EcoSystem: Securing From the Inside Out. FAST. SECURE. GLOBAL.
[Diagram: enterprise, branch office and retail location deployments, with FortiToken and Active Directory for identity]
FortiGate: secures against malicious websites, undesirable applications, client targeting attacks and malware
FortiDDoS: ensures protection against application level denial of service attacks
FortiADC: ensures WAN link redundancy and provides inbound GSLB load balancing; ensures your assets remain available
FortiPresence: analyses customer presence in your retail stores and leverages powerful data mining capabilities to provide business intelligence
FortiCloud: provides cloud-based logging and centralized access point management
FortiSandbox: detonates malware and detects zero-day and advanced attacks. Prevents your organization from making the news.
FortiExtender: provides reliable LTE coverage by ensuring adequate placement of your LTE backhaul link
FortiAuthenticator: identifies users wherever they are, and enforces strong authentication
FortiMail: secures against email threats and prevents SPAM and virus alike from reaching your users
FortiWeb: prevents web application attacks against your critical web assets
FortiManager / FortiAnalyzer: centralized policy management and offers a single pane of glass for your security configuration, logging and reporting
FortiAP: provides secure, scalable wireless access to your users leveraging native firewalling on FortiOS
FortiDB: inspects and monitors database transactions and ensures your database, and its data, do not fall in the wrong hands

Product List
FortiGate: NGFW
FortiAnalyzer: Log Analysis
FortiManager: Centralized Management
FortiWeb: Web App Firewall
FortiADC: App Delivery Controller
FortiDB: Database security
FortiMail: Email Security
FortiAuthenticator: 2FA and SSO
FortiToken: Token 2FA
FortiSandbox: ATP
FortiAP: Wifi AP
FortiExtender: 3G/LTE termination
FortiPresence: Presence Analytics
FortiCloud: Cloud Logging
FortiDDoS: DDoS Prevention
FortiGuard Minute
[Infographic: FortiGuard activity per minute, updates per week, and FortiGuard database totals, based on Q4 2014 data]
Metrics: malware programs neutralized; new & updated AV definitions; application control rules; malicious website accesses blocked; new URL ratings; rated websites in 78 categories; spam emails intercepted; network intrusion attempts resisted; botnet C&C attempts thwarted; new & updated spam rules; intrusion prevention rules; hours of threat research globally; terabytes of threat samples; zero-day threats discovered; website categorization requests
Values shown on the slide (in slide order, not paired with the metrics above): 72,000; 53 Million; 150; 210,000; 100; 17,000; 68,000; 920,000; 5,800; 310,000; 1 Million; 250 Million; 67,000; 8,000; 151; 34 Million
Protecting Today’s Network
§ Evolution, evolution, evolution
§ Wherever there is value, the cyber criminal will follow
§ Anticipate, React, Respond
Thank You!