
Intrusion Prevention anno 2012: Widening the IPS concept




Presentation Transcript


  1. Intrusion Prevention anno 2012: Widening the IPS concept

  2. Traditional IDS/IPS doesn’t cut it anymore…
     • Blended attacks
     • Application-focused attacks
     • “Oldies but Goodies” still exist
     • Nothing goes away. Ever.
     • “Survival instinct” of applications much higher than before
     • Built-in evasion techniques
     • Must assume malicious activity occurs within trusted applications
     • Let’s take a closer look at some examples…

  3. Threat Landscape – Blended Threat & Botnet Examples: CIO Fears and Concerns
     • The Corporate Botnet – Phishing: Employee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the compromise of the integrity of the entire network.
     ZEUS/ZBOT
     • Email contains link to false domain
     • Credentials entered into fake site
     • BOT infection sent to user as a “Facebook Security Update” application
     • User installs BOT and is now infected, all data is compromised
     • Connection is then redirected to real Facebook site so user is not suspicious
     • Prevalent today and sold as a crime kit.

  4. Threat Landscape – Blended Threat & Botnet Examples: CIO Fears and Concerns
     • The Corporate Botnet – Legitimate Site Compromised: Employee accesses a legitimate site, but it or one of its content providers has been compromised and is now hosting malicious code.
     FakeAV Botnet
     • In 2009 the advertising network used by the New York Times was infected by a malicious Flash advertisement
     • Readers were accessing the NYT site but were provided with the infected advertisement
     • This directed users to a site hosting the exploit code to install fake antivirus software.

  5. Threat Landscape – Blended Threat & Botnet Examples: CIO Fears and Concerns
     • Targeted Attack – Spear Phishing: Using social engineering to distribute emails with links to malware, the emails are relevant to the corporation being targeted. Infected documents (PDF, DOC, XLS) can use software exploits to infect systems.
     Kneber (Zeus) Botnet
     • In 2010 a spear phishing attack on US .mil and .gov employees by a Zeus variant infected 50,000+ end systems
     • Data stolen included:
       • Corporate login credentials
       • Email and webmail access
       • Online banking sites
       • Social network credentials
       • SSL certificates

  6. Threat Landscape – Blended Threat & Botnet Examples: CIO Fears and Concerns
     • Ransomware: Once installed it is very difficult to reverse, because the files are already encrypted. This isn’t just based on the fear that something might happen: once you are reading the ransom note your data has already been encrypted.
     gpCode Ransomware
     • Once installed, searches the hard drive for document and media files
     • Files are encrypted with a 1024-bit key; only the attacker has the decryption key
     • Ransom note is displayed to the user; the system continues to operate but the data is inaccessible
     • Will encrypt xls, doc, pdf, txt, rar, zip, avi, jpg, mov, etc…

  7. Addressing the Threat Landscape: Fortinet’s Next Generation Enterprise Security!

  8. Beyond Application Identification
     • Today’s Network Security Requires Application Detection, Monitoring, and Control
     • Allowing access to Web 2.0 applications has made enforcing data security policies far more complex
     • User-created content embeds threats in content, pages, links, comments to blogs…
     • Protection against effects of social media applications
       • Data loss
       • Threat propagation
       • Bandwidth consumption
       • Inappropriate use
     • Endpoint to the Core
     • “Single pane of glass” management for visibility & control

  9. Fortinet Confidential **Internal view only** – Life of a Packet with IPS enhancements
     • DoS Policy Inspection addition
     • Inspected first, prior to firewall inspection
     Packet flow: IN → DoS Policy Inspection → PASS → Firewall Inspection → PASS → IPS / App. Control → PASS → AV / WF (Proxy) → OUT
     Block outcomes along the path: Block (deny); Block (attack); Block (attack / disallowed application); Block (Virus / Web Content Block)

  10. Fortinet Confidential **Internal view only** – Life of a Packet with IPS enhancements
     • IPS & Application Control processing
     • Then hand off to proxy engines
     Packet flow: IN → DoS Policy Inspection → PASS → Firewall Inspection → PASS → IPS / App. Control → PASS → AV / WF (Proxy) → OUT
     Block outcomes along the path: Block (deny); Block (attack); Block (attack / disallowed application); Block (Virus / Web Content Block)
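The inspection order on slides 9 and 10, worked through as an added example (constructed for this transcript, not Fortinet's code): a packet passes DoS policy, then firewall policy, then IPS / application control, then the AV / web-filter proxy stage, and a block at any stage ends processing so later, more expensive stages never see it. Every threshold, signature, domain and application name in the block is an invented toy value, and the `stage_calls` counter exists only to make the early-exit behaviour observable.

```python
"""Constructed example (not Fortinet's code) of the inspection order the slides
describe: DoS policy -> firewall policy -> IPS / application control ->
AV / web filter proxy. Each stage returns None to pass the packet on, or a
block reason, so a packet dropped early never reaches the later stages.
All policy data below is invented for illustration."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""
    url: str = ""         # assumed to be extracted by the proxy stage for HTTP flows


STAGES = ("dos_policy", "firewall", "ips_app_control", "av_webfilter")


@dataclass
class Pipeline:
    # Constructed policy data; thresholds and lists are toy values.
    dos_threshold: int = 5                                  # packets per source before deny
    allowed_services: set = field(default_factory=lambda: {("tcp", 80), ("tcp", 443)})
    ips_signatures: tuple = (b"<script>", b"../../")        # toy attack patterns
    app_handshakes: dict = field(default_factory=lambda: {b"\x13BitTorrent protocol": "bittorrent"})
    disallowed_apps: set = field(default_factory=lambda: {"bittorrent"})
    malicious_domains: set = field(default_factory=lambda: {"evil.example"})
    av_signatures: tuple = (b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",)
    per_source: Counter = field(default_factory=Counter)    # DoS policy state
    stage_calls: Counter = field(default_factory=Counter)   # how often each stage ran

    def dos_policy(self, p):
        """Cheapest check first: per-source packet budget, before any policy lookup."""
        self.per_source[p.src] += 1
        if self.per_source[p.src] > self.dos_threshold:
            return "block (deny: DoS policy)"

    def firewall(self, p):
        """Stateless service allow-list standing in for the firewall policy."""
        if (p.proto, p.dport) not in self.allowed_services:
            return "block (deny: firewall policy)"

    def ips_app_control(self, p):
        """Signature match for attacks, then handshake match for disallowed apps."""
        for sig in self.ips_signatures:
            if sig in p.payload:
                return "block (attack: IPS signature %r)" % sig
        for handshake, app in self.app_handshakes.items():
            if p.payload.startswith(handshake) and app in self.disallowed_apps:
                return "block (disallowed application: %s)" % app

    def av_webfilter(self, p):
        """Proxy stage: web-filter the destination host, then scan the content."""
        host = p.url.split("/")[2] if "://" in p.url else ""
        if host in self.malicious_domains:
            return "block (web content: malicious site %s)" % host
        for sig in self.av_signatures:
            if sig in p.payload:
                return "block (virus)"

    def inspect(self, p):
        """Run the stages in order; the first block verdict wins."""
        for name in STAGES:
            self.stage_calls[name] += 1
            verdict = getattr(self, name)(p)
            if verdict:
                return verdict
        return "pass"


if __name__ == "__main__":
    pipe = Pipeline()
    for pkt in (Packet("10.0.0.7", "tcp", 80, b"GET / HTTP/1.1", "http://intranet.example/"),
                Packet("10.0.0.7", "tcp", 22, b"SSH-2.0"),
                Packet("10.0.0.7", "tcp", 80, b"GET /x", "http://evil.example/x")):
        print(pkt.dport, pkt.url or "-", "=>", pipe.inspect(pkt))
```

The flood case is the point of slide 9: with `dos_threshold=3`, the fourth packet from one source is dropped by the DoS stage and `stage_calls["firewall"]` stays at 3, which is the behaviour "inspected first, prior to firewall inspection" buys.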

  11. Three Components
     • Complete Content Protection Requires
       • Identification
         • Customizable list of approximately 2,000 apps, growing weekly
         • Consolidated security: DLP, AV/AS, SSL Inspection, Endpoint protection
       • Monitoring
         • See what’s in your network
       • Control
         • Granular control of behavior
         • Apps & features within apps
         • Users
         • Traffic

  12. Identification
     • Over 2,000 applications
       • More added every week
     • Category
       • IM, P2P, Remote Access, Video, etc.
     • Ranked on popularity & risk
     • Independent of port, protocol, IP address
     • Decrypt encrypted traffic
       • Including HTTPS, POP3S, SMTPS and IMAPS protocols

  13. Identification - Application Botnet Category

  14. Monitoring
     • Understand what’s in your network
     • Summary & detailed reports
       • Application usage
       • Behavior of user
       • Bandwidth consumption
     • Visualization of trends, threats, and behaviors that put your network at risk

  15. Control
     • Granular control of behavior
     • Apps & features within apps
       • Categories of apps
       • Individual apps
       • Actions within apps
     • Users
       • Domain, groups, individual users
     • Traffic
       • Prioritize
       • Limit access by groups or users
       • Time of day
       • Day of week
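Slides 12 and 15 together describe identifying an application from its traffic regardless of the port it uses, and then controlling it by category, user group, time of day and day of week. The block below is an added example that demonstrates both, constructed for this transcript and not Fortinet's code: the payload signatures, the host-to-application map, the group names and the policy rules are all invented, and the `dport` field is carried only to show that the verdict never depends on it.

```python
"""Constructed example (not Fortinet's code): identify an application from the
first payload bytes, independent of port, then apply a first-match control
policy keyed by category, user group and time. All signatures, hosts, groups
and rules are invented for illustration."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Flow:
    dport: int                 # kept for logging only; identification never consults it
    payload: bytes
    user_groups: frozenset
    when: datetime


# Constructed payload signatures: (leading bytes, application, category).
PAYLOAD_SIGNATURES = [
    (b"SSH-", "ssh", "Remote Access"),
    (b"\x13BitTorrent protocol", "bittorrent", "P2P"),
    (b"\x16\x03", "tls", "Encrypted"),            # TLS record header, handshake
]
# Constructed map refining plain "http" into a named application by Host header.
HTTP_HOSTS = {
    "video.example": ("example-video", "Video"),
    "chat.example": ("example-chat", "IM"),
}


def identify(payload):
    """Return (application, category) from the payload bytes alone."""
    for prefix, app, category in PAYLOAD_SIGNATURES:
        if payload.startswith(prefix):
            return app, category
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode(errors="replace")
                host = host.lower().split(":")[0]        # drop any :port suffix
                return HTTP_HOSTS.get(host, ("http", "Web"))
        return "http", "Web"
    return "unknown", "Unknown"


# Constructed control policy, evaluated top-down, first match wins.
# "hours" is a [start, end) window in local time; "weekdays" uses Monday = 0.
POLICY = [
    {"category": "P2P", "action": "block"},
    {"category": "Remote Access", "groups": {"it-admins"}, "action": "allow"},
    {"category": "Remote Access", "action": "block"},
    {"category": "Video", "hours": (18, 24), "action": "allow"},
    {"category": "Video", "weekdays": {5, 6}, "action": "allow"},
    {"category": "Video", "action": "limit-1mbps"},
    {"category": "Unknown", "action": "monitor"},
    {"action": "allow"},
]


def rule_matches(rule, category, groups, when):
    if "category" in rule and rule["category"] != category:
        return False
    if "groups" in rule and not (rule["groups"] & groups):
        return False
    if "hours" in rule and not (rule["hours"][0] <= when.hour < rule["hours"][1]):
        return False
    if "weekdays" in rule and when.weekday() not in rule["weekdays"]:
        return False
    return True


def control(flow):
    """Identify the flow, then return (application, category, action)."""
    app, category = identify(flow.payload)
    for rule in POLICY:
        if rule_matches(rule, category, flow.user_groups, flow.when):
            return app, category, rule["action"]
    return app, category, "allow"      # not reached: the last rule matches everything


def build_samples():
    """Constructed flows; note SSH on 443 and HTTP on 9999 are still identified."""
    tuesday_morning = datetime(2012, 3, 6, 10, 0)    # 2012-03-06 is a Tuesday
    tuesday_evening = datetime(2012, 3, 6, 19, 30)
    staff = frozenset({"staff"})
    admins = frozenset({"staff", "it-admins"})
    video_req = b"GET /watch HTTP/1.1\r\nHost: video.example\r\n\r\n"
    return [
        Flow(443, b"SSH-2.0-OpenSSH_5.9\r\n", staff, tuesday_morning),
        Flow(443, b"SSH-2.0-OpenSSH_5.9\r\n", admins, tuesday_morning),
        Flow(8080, b"\x13BitTorrent protocol", staff, tuesday_morning),
        Flow(80, video_req, staff, tuesday_morning),
        Flow(80, video_req, staff, tuesday_evening),
        Flow(9999, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n", staff, tuesday_morning),
    ]


def run():
    """Verdicts for the sample flows, in order."""
    return [control(f) for f in build_samples()]


if __name__ == "__main__":
    for flow, verdict in zip(build_samples(), run()):
        print(flow.dport, verdict)
```

The first two flows are the slide's "independent of port" point in miniature: SSH wrapped on port 443 is still classed as Remote Access, blocked for ordinary staff and allowed for the it-admins group, while the same video site is rate-limited during working hours and allowed after 18:00.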

  16. Real Threat Protection in Action
     Problem:
     • “Innocent” video link: redirects to malicious Website
     • “Out of date” Flash player error: “Download” malware file
     • Error message: “Drops” copy of itself on system and attempts to propagate
     Solution:
     • Integrated Web Filtering: blocks access to malicious Website
     • Network Antivirus: blocks download of virus
     • Intrusion Protection: blocks the spread of the worm
     Fortinet Confidential

  17. Consolidated Security with Real Time Updates
     • Application Control: Unwanted Services and P2P Limiting – Botnet command channel, compromised Facebook applications, independent of port or protocol
     • Intrusion Prevention: Vulnerabilities and Exploits – Browser and website attack code crafted by hackers and criminal gangs.
     • Web Filtering: Multiple categories and Malicious sites – Botnet command, phishing, search poisoning, inappropriate content
     • Vulnerability Management: Real time exploit updates – Multiple scanning points: FortiGate, FortiAnalyzer, FortiWeb, FortiDB, and FortiScan
     • Antispam: Unsolicited messages – Phishing, Malware, Social Engineering and Junk
     • Antivirus: All malicious code – Documents, macros, scripts, executables; delivered via Web, Email, USB, Instant messaging, social networks, etc.

  18. Thank You!
