Network Security: Protection, Detection, and Remediation. A Multi-Layer Approach to Security
Clay Ostlund, Business Development Manager
What do these companies/organizations have in common?
WHY is hacking on the rise?
- Crime syndicates: the "new Mafia" (hide in plain sight); a huge source of profits
- Nation states: China, Russia, Turkey, North Korea, Iran, India
- Hacktivists (activism hacking): groups like Anonymous; groups that want to demonstrate their dissatisfaction with powerful organizations, businesses or governments
- Easier than ever to create and distribute malware: malware toolkits let non-developers create and distribute malware
Malware Toolkits (Malware as a Service)
1. Sign up for the TOX ransomware service. The hosting service is free (you just have to register on the site).
2. For anonymity, TOX uses TOR (The Onion Router) and Bitcoin. Over 1 per week in 2015!
3. Once registered, you create your malware in three simple steps: (a) enter the desired ransom amount (note that the TOX service takes 20% of the ransom as commission); (b) enter your cause; (c) submit the captcha (to make sure you aren't a robot; comical) and download the executable malware.
4. This process creates an executable of about 2MB that is disguised as a .scr (script) file, which can be made to look like any document such as a PDF. The attacker distributes and installs the malware as they see fit.
5. The TOX site (on the TOR network) tracks the number of installs and the profit.
6. To withdraw funds, the attacker need only supply a receiving Bitcoin address for the transfer (Malware as a Service, MaaS).
Targeting Small Businesses
- Small/medium businesses often lack adequate security measures, making them easy targets
- Small/medium businesses don't have the resources to fight back, so ransoms are paid at higher rates than in larger enterprises
- Small/medium businesses offer entry to bigger businesses: the famous Target attack in 2013 was actually carried out through its HVAC vendor
- Small/medium businesses offer a much lower risk to attackers: the FBI/Secret Service can't investigate the sheer number of attacks that happen, so they focus on the largest ones, leaving small businesses to fend for themselves
Chart: Malware Ratio in Email by Industry (Source: Symantec Internet Security Threat Report, April 2016, Volume 21)
Common Attack Vectors
"Know your enemy and know yourself and you can fight a hundred battles without disaster." Sun Tzu
- Attackers try to trick internet surfers into downloading malware
- Attackers try to decode a password or PIN through trial and error
- An attacker overloads a server with more requests than the server can process
- Attackers intercept data before it can be encrypted by SSL
- Attackers scan for open ports, which they exploit to gain access to your systems
- Attackers redirect users to bogus websites when they are trying to access a legitimate one
- Attackers leverage software/hardware bugs/flaws to gain access to your systems
- Phishing, social engineering, compromised devices, advertisements, etc.
(Source: McAfee Labs, March 2016 Security Report)
Common Customer Scenario (diagram): Mobile Workforce, Cloud Applications, Internet / World Wide Web, Email, Office Workforce
What do these things have in common? Layers!
The best strategy against today's threats is to employ a Defense-in-Depth (layers) strategy: deploy multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method.
Defense-in-Depth Layers Strategy (columns: Solution | Purpose | Security Layer | Vector)
- Security Awareness Training -> Education
- Compromised Password Discovery Services -> Compromised Account Scanning
- Authentication Services (Strong Password Requirements); Authorization Services (Access Control) -> Authentication, Authorization -> Policy Enforcement
- Endpoint Malware & Virus Protection; Advanced Persistent Threat & Zero-Day Attack Prevention -> Malware Protection (Endpoint)
- Stateful L7 Firewall, Intrusion Prevention & Detection (IPS/IDS); Advanced Malware Protection (AMP); Client VPN Services; Application Visibility Controls -> Authentication; Malware Protection (edge); Content Filter
- Email: SPAM Prevention & Advanced Threat Detection; Email: Link Protection; Email: Compliance, Data Loss Prevention (DLP), Encrypted Email; Backup: Local and Cloud Backup -> SPAM, DLP, Encryption; Malware Protection (edge); Backup
- Endpoint Malware & Virus Protection; Advanced Persistent Threat & Zero-Day Attack Prevention -> Malware Protection (edge); Content Filter
- Cloud Services Security Policy Enforcement; Cloud Access Security Broker (CASB) -> Authentication, Authorization -> Policy Enforcement
- Endpoint Malware & Virus Protection; Advanced Persistent Threat & Zero-Day Attack Prevention -> Malware Protection (Endpoint)
Knowledge is the first line of defense, and when your people fail, we must rely on a multi-layered security approach to protect you!
NINJIO: Compromised Credentials
- 63% of cyber attacks leverage stolen credentials
- The average employee uses 27 apps at work: collaboration, social media, content sharing, file sharing, business intelligence, other
- Breach one, breach them all.
Security Policy Review & Remediation
Assessment & Review:
- Policy Review: document the current password policy; document the screen saver/screen lock policy
- Security Review: Asset Detail Report; Client Risk Report; Share Permission Report; External Vulnerability Report
Remediation:
- Policy Remediation: implement a strong password policy; implement a screen saver/screen lock policy; modify service accounts and other "never expire" accounts
- Security Remediation: minimize risk by limiting shares, full admin accounts, and resource account permissions; mandate a patching policy and procedure; assess existing open ports and close all unnecessary external vulnerabilities; migrate unsecure remote resources to client VPN services
Zero-day Malware and Advanced Persistent Threat (APT) Prevention
- Predictive behavior recognition technology detects APTs and malware
- Dwell time alerting and reporting instantly reveals any endpoint infection
- Full visibility of any infection by endpoint, with full reporting capabilities
Always protected and up to date:
- No definition or signature file updates to manage
- Every endpoint protected individually (on and offline)
- All users instantly and collectively protected against new threats
Fast and easy to deploy:
- Never slows system performance
- Takes an average of 5 seconds to install and be fully operational
- World's smallest endpoint security agent (<750KB)
- Idle CPU usage of 0.10%; 10.8% during scans
- Initial full system scan uses <15 MB of RAM
- Scheduled scans take an average of <30 seconds
- No-conflict design, so the agent can run alongside other security software
- No definition or signature updates to deploy or manage
Easy to manage, low operational costs:
- No on-premise hardware or software
- Full remote management of all endpoints
- Endpoint infection rollback and auto-remediation
- Highly automated management and customizable reporting
Webroot leverages the cloud to provide always up-to-date, continuous, real-time protection regardless of the user's location. Any time a file is modified, Webroot logs the change and validates whether it is a known threat, then takes action. Because all changes are logged, any change that the Webroot cloud later determines to be a threat (a zero-day attack) can be rolled back and mitigated.
Centralized Management: cloud managed for simplicity and ease of configuration; application visibility and control
Always Up to Date: automatic cloud updates
Security Features: Stateful L2-L7 identity-based firewall with AVC; Intrusion Prevention (IPS); Advanced Malware Protection (AMP); Content Filtering (category); Auto & Client VPN
Meraki MX uses the AMP Threat Grid to capture and analyze file and traffic activity continuously.
Traffic flow (diagram): the stateful firewall decides which ports are blocked vs allowed; for ports that are allowed, traffic is sent to the IPS engine for deeper inspection, then to malware protection, then out to the Internet.
Meraki Security Center
Comprehensive Email Security (Cloud Based)
Stop email threats before they get to your mail server:
- Email SPAM filtering
- Advanced threat detection
- Malware/virus filtering
- Link Protect
- Email encryption
- Data Loss Prevention (DLP)
Link Protect replaces all embedded links in emails with a link that hits the Barracuda Cloud to check for threats before the client is redirected to the destination.
Advanced Threat Protection scans all attachments in real time for ransomware, malware, viruses, and targeted zero-day attacks before the messages are delivered to your mail service.
Diagram: Internet -> Email -> [SPAM filtering, attachment execution & scanning, Link Protect] -> Mail Server; Internet -> Email -> [Message Encryption & Data Loss Prevention (DLP) technology] -> Mail Server
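The Link Protect mechanism described above, as an added illustration (not Barracuda's code): links in a message body are rewritten to a hypothetical checking gateway, and the gateway verifies an HMAC before consulting reputation at click time, so the redirect endpoint cannot be abused as an open redirect to arbitrary URLs. The gateway host, signing key and reputation lookup are constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed values for this example: a hypothetical checking gateway and a
# demo signing key. A real deployment would use its own host and a managed secret.
GATEWAY = "https://linkcheck.example.net/redirect"
SIGNING_KEY = b"constructed-demo-key"

# Matches http(s) links in a plain-text message body (stops at whitespace/quotes).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    """HMAC over the original URL so the gateway can reject links it never issued."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """Replace every embedded link with a gateway link carrying the original URL
    and its signature; the destination is only checked when the link is clicked."""
    def repl(match: re.Match) -> str:
        original = match.group(0)
        if urlparse(original).netloc == urlparse(GATEWAY).netloc:
            return original  # already rewritten; do not wrap twice
        return f"{GATEWAY}?u={quote(original, safe='')}&sig={_sign(original)}"
    return URL_RE.sub(repl, body)


def gateway_decide(clicked_url: str, reputation) -> tuple:
    """Gateway side: verify the signature, then consult a reputation lookup
    (caller-supplied callable returning 'good' or 'bad') at click time.
    Returns (action, destination): ('redirect', url), ('block', url), or
    ('block', None) when the link is unsigned or has been tampered with."""
    params = parse_qs(urlparse(clicked_url).query)
    original = params.get("u", [""])[0]   # parse_qs already URL-decodes the value
    sig = params.get("sig", [""])[0]
    if not original or not hmac.compare_digest(sig, _sign(original)):
        return ("block", None)
    if reputation(original) == "bad":
        return ("block", original)
    return ("redirect", original)
```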
Cloud-Integrated All-in-One Backup Solution
- Backup locally to an onsite appliance
- Inline deduplication for data storage savings
- Replication offsite to Barracuda secure datacenters
- Unlimited Barracuda Cloud storage
- SaaS cloud-to-cloud hosted application backup (optional add-on)
Diagram: servers & applications -> backup appliance -> replicate to Barracuda's secure cloud
DNS-Layer Security: block threats before they reach your perimeter network
- Category-based content filtering
- Coverage ON or OFF the enterprise network
- Protocol independent
Scale & capacity: #1 fastest and most reliable global DNS with 80M+ daily active users; 100B+ daily Internet requests/connections; 3M+ daily new domain names discovered
Predictive analysis: Similar to Amazon learning from shopping patterns to suggest the next purchase, or Pandora learning from music listening patterns to play the next song, Umbrella learns from internet activity patterns to automatically identify attacker infrastructure being staged for the next threat.
Device & protocol agnostic: Unlike agent-based technologies, DNS-layer protection extends to every device connected to the network, even IoT devices.
How DNS-layer resolution works (OpenDNS / Cisco Umbrella):
1. The user requests a website, e.g. www.google.com.
2. The computer asks its DNS server what IP address to go to for the requested web address.
3. Cisco Umbrella (OpenDNS) provides the DNS name resolution:
   a. If the domain and resulting IP are known good, the connection is allowed.
   b. If the domain and resulting IP are known bad, the connection is blocked.
   c. If the domain and resulting IP are unknown to Cisco Umbrella, the response to the client is an IP address for Cisco Umbrella instead of the actual web server hosting the domain. All client traffic is then sent through the Umbrella platform, which leverages anti-phishing, advanced malware protection, file/email attachment scanning and more.
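The three-way resolution rule above, as an added example (not Cisco Umbrella's code; the addresses and domain lists are constructed for it): a policy resolver that returns the real address for known-good domains, a sinkhole for known-bad ones and a proxy address for unknowns, with a helper that runs it over constructed query-log lines. It generalizes the slide slightly by matching subdomains against a listed apex.

```python
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed addresses for this example (documentation ranges, not Umbrella's real ones).
PROXY_IP = "198.51.100.10"   # answer for unknown domains: traffic goes through the inspection platform
SINKHOLE_IP = "0.0.0.0"      # answer for known-bad domains: the connection is blocked


def normalize(name: str) -> str:
    """Canonical form so 'WWW.Example.COM.' and 'www.example.com' compare equal."""
    return name.strip().rstrip(".").lower()


def classify(domain: str, known_good: Set[str], known_bad: Set[str]) -> str:
    """Walk from the full name up to the apex, so a listed apex (bad.example)
    also covers its subdomains (cdn.bad.example). The most specific label wins."""
    parts = normalize(domain).split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in known_bad:
            return "bad"
        if candidate in known_good:
            return "good"
    return "unknown"


def resolve_with_policy(domain: str, known_good: Set[str], known_bad: Set[str],
                        upstream: Callable[[str], str]) -> Tuple[str, str]:
    """Apply the three-way rule: known good -> real address from the upstream
    resolver; known bad -> sinkhole; unknown -> proxy address for inspection."""
    verdict = classify(domain, known_good, known_bad)
    if verdict == "good":
        return verdict, upstream(normalize(domain))
    if verdict == "bad":
        return verdict, SINKHOLE_IP
    return verdict, PROXY_IP


def summarize_queries(lines: Iterable[str], known_good: Set[str], known_bad: Set[str],
                      upstream: Callable[[str], str]) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Run the policy over constructed query-log lines of the form '<client-ip> <domain>'
    and return per-verdict counts plus the (client, domain) pairs that were blocked."""
    counts = {"good": 0, "bad": 0, "unknown": 0}
    blocked: List[Tuple[str, str]] = []
    for line in lines:
        client, domain = line.split()
        verdict, _ = resolve_with_policy(domain, known_good, known_bad, upstream)
        counts[verdict] += 1
        if verdict == "bad":
            blocked.append((client, normalize(domain)))
    return counts, blocked
```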
Anatomy of a Cyber Attack (diagram)
- Reconnaissance and infrastructure setup: domain registration, IP, ASN intel, public/private announcements
- Monitor: adaptation based on results
- Patient zero: hit target
- Expansion: wide-scale adoption
- Defense: signature built
Malware: Locky taddboxers.com (Flagged malicious: Sep 28, 2016)
Staying up to date on patches is critical (columns: Solution | Update Method)
- Automatic patching via Microsoft Update policy; forced update schedule
- 100% cloud based; always up to date; no user action required
- Automatic firmware & security updates via the cloud; no user action required
- Automatic backup schedule; Marco validated
- 100% cloud based (email protection); always up to date; no user action required
- 100% cloud based; always up to date; no user action required
- Video content is continually updated based on the threat landscape; 100% cloud based; always up to date; no user action required
- 100% cloud based; always up to date; no user action required
Physical Security
Car accidents can still happen (humans), but these tools keep injuries to a minimum.
If you KNEW you were going to be compromised, would you DO security differently?