Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Transcription

1 Threat Containment and Operations Yong Kwang Kek, Director of Presales SE, APJ Infoblox Inc. All Rights 2013 Infoblox Inc. All Reserved. Rights Reserved.

2 Three Aspects of Security #1 Infrastructure Protection Better Application and Service Availability #2 Data Protection and Malware Mitigation Protect Users and Data #3 Threat Containment and Operations Efficiency & Optimization of Security Operations Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

3 Agenda The Big Disconnect in IT Infoblox solution for Threat Containment and Operations Why Infoblox Next Steps #1 Infrastructure Protection Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved. #2 Data Protection and Malware Mitigation #3 Threat Containment and Operations

4 Today s Security Landscape 400+ VENDORS Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

5 And Yet There is a Disconnect Security You Want Security You Often Get Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

6 Silos Exist Between Teams and Technologies Network and Security Separate Teams with Different Priorities Network Team High Availability Network Infrastructure: routers, APs, switches, etc. Security Team Risk Mitigation Security Infrastructure: firewalls, endpoints, sandboxing, etc. Silos between network, edge, endpoint and data security systems and processes can restrict an organization s ability to prevent, detect and respond to advanced attacks. Network Logging and Monitoring Security Logging and Monitoring (SIEM) Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update 29 March Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

7 Ineffective Threat Intelligence Poor incident response and manual processes 70% 46% 45% of survey respondents that felt Threat Intel is not timely 1 % of survey respondents unable to prioritize the threat by category 1 % of survey respondents lacked context for threat intel to make it actionable 1 Siloed Threat Intelligence impacts effectiveness & trust Lack of prioritization and context slows remediation 1. Source: Ponemon Institute, 2016 Second Annual Study on Exchange Cyber Threat Intelligence: There Has to Be a Better Way Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

8 No Knowledge of Threat Context Context environmental information required to take the right action WHO (identity) WHAT (what network device) WHERE (where and what part of the network) WHEN (time of day, how often) Today s security teams: Face too many alerts with no way to prioritize based on actual risk Lack easy access to network data for context Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

9 Lack of Automation Security tools can t take action automatically based on network activities When new network elements join the network When malicious activities are detected by DNS security tools Today s security teams use difficult, manual processes to assemble data from disparate sources Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

10 Solution: Threat Containment and Operations Ease Security Operations with Better Context, Automation and Consolidated Threat Intel Threat Intelligence Optimization Enforce policy using timely, consolidated & high quality threat intelligence Improve incident response with consolidate threat intelligence from multiple sources Eliminate silos and accelerate remediation by centralizing threat intelligence Security Orchestration Automatically share DNS IoCs with security ecosystem for more efficient incident response Share network context and actionable intelligence (IP address, DHCP fingerprint, lease history etc.) to help assess risk and prioritize alerts Rapid Triage/Resource Optimization Investigate threats faster to free up security personnel Timely access to context for threat indicators #1 Infrastructure Protection Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved. #2 Data Protection and Malware Mitigation #3 Threat Containment and Operations

11 1 1 2 Solution Components Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

12 Consolidated Threat Intelligence A single vendor relationship enables organizations to Leverage specialized feeds from different vendors (no one source knows it all) across entire infrastructure Eliminate conflicts between sources NGEP Get higher rate of accuracy as all systems use same source of truth Efficient use of resources NGEP NGFW SIEM Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

13 Timely, Consolidated & High Quality Threat Intelligence Out-of-the-box Integration of native threat intelligence with DDI for policy enforcement Verified and curated threat intelligence with <.01% historic rate of false positives Easily Acquire, Aggregate and Distribute Threat Intelligence Data Easily Deploy Threat Intelligence Data to Mitigate Threats Operationalize Threat Intelligence Data Distribution of threat intelligence to existing security infrastructure to prevent future attacks Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

14 Leveraging Threat Intel Across Entire Security Infrastructure Infoblox C&C IP List SURBL Marketplace Custom TI TIDE Define Data Policy, Governance & Translation Phishing & Malware URLs Spambot IPs C&C & Malware Host/Domain Various file formats Dossier Investigate Threats RESULT: Single-source of TI management Faster triage Threat Prioritization Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

15 Security Orchestration Accelerating Incident Handling and Response with Automation Context to Prioritize Remediation Device Audit Trail and Fingerprinting SIEM Vulnerability Management DHCP Device info, MAC, lease history Threat Intelligence Platform Network Access Control IPAM Application and Business Context Metadata via Extended Attributes: Owner, app, security level, location, ticket number Context for accurate risk assessment and event prioritization Malicious activity inside the security perimeter Advanced Threat Detection Next-gen Endpoint Security DNS Includes BYOD and IoT devices Profile device & user activity Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

16 Visualize Your Network Clearly and Automatically Inform Ecosystem See every network asset, every IP address and switch port, with unmatched clarity. Consolidate core network infrastructure into a single, comprehensive, authoritative database. Automatically notify ecosystem of changes in network Manage Diverse Devices Intelligently as You Grow Identify New or Unmanaged Network Elements Quickly to Enforce Security Notify Security Tools of Network Changes in Real Time Discovery and Visibility IPAM Sync Ecosystem Integrations with security vendors Reporting Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

17 Mine Valuable Historical DNS data for Security & Troubleshooting Forensic data mining for security operations Determine scope of a security incident by searching for systems that visited malware control site Automate correlation of network context and data with security events Unified reporting of security events for on-premises and cloud Help reduce Splunk Enterprise license costs by optimizing DNS data transfer through filtering Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

18 Rapid Threat Investigation and Triage Single view for multiple sources Provides timely access to contextual information on threat actor, threat campaign, associated breaches in other organizations Allows rapid threat investigation and automation to free up security personnel Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

19 Why 1 2 Easy to apply threat intelligence not just in DNS infrastructure but across the entire security infrastructure In-house advanced threat research team 3 4 Proven Integrations with leading security technologies using STIX/TAXII, REST APIs, pxgrid, syslog for automating response to threats track record: market leader in DNS, DHCP and IPAM 50% market share, over 8000 customers Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

20 Next Steps Path to Engagement Free Trials/software ActiveTrust (on-premises) eval Security(PCAP) assessment Engage with Infoblox to find out if we integrate with your security tools Follow up with sales teams for deep dive on products Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

21 Q&A Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

22 Technical Section Note to presenter: Include technical slides if needed based on audience Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

23 How does Infoblox Threat Intel Provide the Most Value? High accuracy and wide coverage Provides context enabling security to focus on most crucial indicators Deletion of outdated intelligence utilizing TTL (time to live) Single source of truth: streamlines policy enforcement, incident response, and threat analyst activities (blacklisted domains easy to find in Dossier) Wide set of Threat Intel partners integrated into platform, business model and common API Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

24 Leveraging Threat Intel Across Entire Security Infrastructure Infoblox C&C IP List SURBL Marketplace Custom TI TIDE Define Data Policy, Governance & Translation Phishing & Malware URLs Spambot IPs C&C & Malware Host/Domain CSV File JSON STIX RBL Zone File RPZ Dossier Investigate Threats RESULT: Single-source of TI management Faster triage Threat Prioritization Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

25 The DNS, DHCP and IPAM Data Gold Mine DHCP Device Audit Trail and Fingerprinting A DHCP assignment signals the insertion of a device on to the network Includes context: Device info, MAC, lease history DHCP is an audit trail of devices on the network IPAM Application and Business Context Fixed IP addresses are typically assigned to high value devices: Data center servers, network devices, etc. IPAM provides metadata via Extended Attributes: Owner, app, security level, location, ticket number Context for accurate risk assessment and event prioritization DNS Activity Audit Trail DNS query data provides a client-centric record of activity Includes internal activity inside the security perimeter Includes BYOD and IoT devices This provides an excellent basis to profile device & user activity Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

26 Ecosystem API Integration Options Automated Action and Remediation STIX/TAXII Mitigation/Course of Action: Enable 3 rd party to block IP and Domain Third-Party Propriety REST API Infoblox Third-Party System Interfaces Indicator of Compromise: DNSFW or Data Exfiltration event notification to trigger automated action or provide to the monitoring platform Data Enrichment: 3 rd party requests data (IP Address, DNS records, Location) Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

27 Quarantining Endpoints and Containment Infoblox and Carbon Black Infoblox sends alert to Carbon Black Infoblox identifies domain associated with data exfiltration and blocks connection Infected endpoint attempts data exfiltration Carbon Black correlates endpoint, network data and remediates infected endpoint automatically Kills endpoint process, preserves evidence Updates security policy [kill process] on all endpoints Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

28 Improving Operational Efficiency thru Information Exchange Cisco ISE pxgrid Integration CISCO ISE pxgrid ecosystem Subscribe INFOBLOX The Challenge Security and Network Operation Center tools are isolated leading to inefficiency INFOBLOX publish EVENT CISCO ISE pxgrid ecosystem Infoblox Solution Infoblox will publish critical data that will enrich the ISE database and 3 rd party partners Infoblox will subscribe for user identity data available via ISE to enhance IPAM. Infoblox will publish Secure DNS events (infected devices) for further analysis and remediation by ecosystem partners. MITIGATE CISCO NETWORK Customer Benefits Easier Troubleshooting: With additional identity and network data Security Operations Efficiency: By sharing data Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

29 Easing Compliance & Audit Infoblox & Vulnerability Scanners Opportunity Lack of complete and up-to-date information about network devices and non-compliant hosts limits effectiveness of vulnerability scanning Solution Infoblox acts as the Single Source of Truth for the network and devices. Network & device discovery with metadata Notifies Qualys/Rapid 7 on new networks, devices as they are identified Triggers on-demand vulnerability scan Vulnerability Scans Policy Enforcement Remediation Benefits Efficient vulnerability management & compliance processes Faster response to potential risks associated with new devices or virtual workloads on the network Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

30 SIEM Integration Infoblox and LogRhythm DNS Security Events IP Address Changes Infoblox DNS security and DHCP services Infoblox provides visibility into DNS security events and IP address changes, which can be used by SIEM for analysis Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

31 SIEM Integration - Infoblox and Splunk Splunk Universal Forwarder Helps reduce Splunk Infoblox Data Connector VM Infoblox Grid Members CSV Infoblox Grid Master Splunk Enterprise Enterprise license costs by optimizing DNS data transfer through filtering Saves time and human resources by automating the collection, transfer, and conversion of DNS data from Infoblox Grid members Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

32 Gain Insights with Reporting and Analytics Unlock the Value of Core Network Services Data Harness rich network data to gain actionable insights Visibility into infected endpoints with contextual info(can include DHCP fingerprinting info username, MAC address, device type, lease history etc.) Ensure Compliance with Historical Visibility Identify Security Risks and Impacted Devices at Present Time Plan Future Requirements with Predictive Reports Integrated Data Collection Engine Historical Tracking of DDI Unique Algorithm and Predictive Reports Pre-built Reports and Customization Cost Effective Deployment Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

33 Backup Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

34 Industry Recommendations: SANS Critical Security Controls 1) Inventory of Authorized and Unauthorized Devices 2) Inventory of Authorized and Unauthorized Software 1 2 3) Secure Configurations for Hardware and Software 3 Source: Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved. 13) Data Protection ) Boundary Defense 11) Secure Configurations for Network Devices 8 8) Malware Defenses

35 Additional Challenges Companies view their defense against cyber attacks as ineffective Companies view their processes to use internal and external actionable threat intelligence data and as ineffective. Information overload for users who are monitoring and responding to incidents Research and context gathering requires multiple tools leading to slow response Cannot share data internally in controlled manner Source: Second Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.

36 서울시구로구디지털로 31 길 38-21, 609 호 ( 구로동, E&C 벤처드림타워 3 차 ) Tel. 02) / Fax. 02) / Copyrightc Expernet Co.,Ltd.All rights reserved Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved.