Exposing APT
Jason Brevnik, Vice President, Security Strategy

Exposing APT level threats requires
• Intelligent and diligent people
• Cloud to Core coverage
• Constant visibility and awareness
• Healthy distrust in operational state and compensating controls
• Personalized protections that are tested and audited
• Visibility at all levels

The Virus!
• In 1949 John von Neumann began lecturing about “Theory and Organization of Complicated Automata”; Theory of Self-Reproducing Automata was published in 1966
• The Creeper virus was unleashed on ARPANET in 1971
• Elk Cloner appeared in the wild in 1981, affecting Apple DOS 3.3
• 1986 brought the Brain virus to your PC
• ... And we installed AV

The worm!
• Morris
• And we installed the firewall
• Melissa
• ExploreWorm
• I Love You
• CodeRed
• Slammer
• Blaster
• Sobig
• Stuxnet
• ...

Threat actors (slide graphic): Hacker, Script Kiddie, Advanced Persistent Threat, Cybercriminal

Today’s Reality
Dynamic Threats
• Organized attackers
• Sophisticated threats
• Multiple attack vectors
Static Defenses
• Ineffective defenses
• Black box limits flexibility
• Set-and-forget doesn’t work
“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.” Neil MacDonald, VP & Gartner Fellow. Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010

Awareness
• Network: Know what’s there, what’s vulnerable, and what’s under attack
• Application: Identify change and enforce policy on hundreds of applications
• Behavior: Detect anomalies in configuration, connections and data flow
• Identity: Know who is doing what, with what, and where

Intelligence (slide graphic): Threat Intelligence (Security Event), User Intelligence (Context), Endpoint Intelligence (Context); End-user Relevance, Endpoint Relevance. Forensic Analysis: Who accessed what, when, and where?

Tuning
NSS – Q4 Independent Test Results. Key Findings: Protection varied widely between 31% and 98%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous “catchable” attacks.
(Chart: Default Detection vs. Tuned Detection. Graphic by Sourcefire, Inc. Source data from NSS Labs, “Network IPS 2010 Comparative Test Results plus 3D8260 NSS test”)

Personalization (slide graphic): Your applications, Your Users, Your network; Should it travel, Is access normal; Content, Privilege, Purpose. Forensic Analysis: Who accessed what, when, and where?

Cloud to Core protection requires
• Comprehensive Audit (Logs/IDS/Test)
• Comprehensive Control (AAA/IPS/FW/NG*)
• Pervasive Awareness Platform
• Coordinated Endpoint Control
• Look-back forensics capability
• Physical, virtual and cloud deployment
• Mobile and Consumer integration
• Visibility and Openness
• Depth and Personalization