The document provides an overview of cloud proxy technology and cyber security. It discusses how proxies work by terminating connections between users and servers and inspecting transmitted objects. The document then shares several "real world" examples of how proxies can detect and prevent phishing attempts, malware infections, and other cyber threats by analyzing URLs, file downloads, and network traffic patterns. It emphasizes the importance of threat intelligence and how proxies use global intelligence networks to identify and block malicious activity in real-time.
2. SESSION AGENDA
• Proxy Fundamentals [Quick overview as a foundation]
• Cyber Security ‘Real’ Forensics Stories
• Proxy Architecture in the Modern Business Environment
• Q & A
3. What Is a Proxy?
What makes it unique and valuable in the security space
When you put a proxy between a user and a server on the internet, you are terminating the connection at the proxy, between the proxy and the user. The request from Alice ends at the proxy. A completely new session is started by the proxy to ask Bob for the current time.
This is what makes a proxy so secure. It terminates connections and waits for entire objects to be assembled at the proxy for inspection.
5. NETWORK CONNECTIONS AND OBJECTS
Proxy Architecture Compared to a Firewall
[Diagram: proxy (with sandbox) compared to a firewall. Firewall path: malicious payload delivered to end user. Proxy path: malicious payload detected by content analysis, blocked from delivery.]
6. CYBER INTELLIGENCE IS THE KEY
• https://sitereview.bluecoat.com
• www.tekdefense.com/downloads/malware-samples/
• www.westfallave.com/insight/cloudcar.exe
• virustotal.com
• https://www.talosintelligence.com/reputation_center
• eicar.org
10. URL Threat Risk Levels
Risk Level 10: Solid evidence of malicious (rated in database)
Risk Level 9: Almost certainly malicious
Risk Level 8: Stronger evidence of maliciousness
Risk Level 7: Shady behavior (including Spam and Scams)
Risk Level 6: Exercise caution; very new sites, or some evidence of shady behavior
Risk Level 5: No established history of normal behavior
Risk Level 4: Still probably safe (may be starting to establish a history of normal behavior)
Risk Level 3: Probably safe
Risk Level 2: Other top sites; consistently well-behaved
Risk Level 1: Big names; long history of good behavior; huge traffic
Risk Level 0: Customer Whitelist
16. LET’S GET A LITTLE GEEKY
Jeff… Really, how do you know these PCs are infected with malware?
Because they ALWAYS, ALWAYS speak back to the Mother Ship!
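The “speaks back to the Mother Ship” observation is a detection rule: infected hosts check in with their controller on a tight, repeating schedule, which stands out in proxy access logs. The following is an added illustration, not code from the presentation; the log line format (timestamp, client IP, destination host, bytes) and the sample lines are constructed for the example.

```python
"""Beaconing detection over constructed proxy access-log lines.

The log layout used here (timestamp client_ip dest_host bytes) is an
assumption for this example, not any vendor's real log schema.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.1.1.5 polls one destination roughly every
# 60 seconds (with a little jitter); 10.1.1.7 browses like a person.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.1.1.5 update.example-cdn.test 512
2024-03-01T09:00:04 10.1.1.7 news.example.test 20480
2024-03-01T09:01:02 10.1.1.5 update.example-cdn.test 512
2024-03-01T09:01:37 10.1.1.7 mail.example.test 8192
2024-03-01T09:02:01 10.1.1.5 update.example-cdn.test 512
2024-03-01T09:03:00 10.1.1.5 update.example-cdn.test 512
2024-03-01T09:03:21 10.1.1.7 news.example.test 15360
2024-03-01T09:04:00 10.1.1.5 update.example-cdn.test 512
"""

def parse_log(text):
    """Yield (client, dest, timestamp) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _size = line.split()
        yield client, dest, datetime.fromisoformat(ts)

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(client, dest): mean_gap_seconds} for regular call-home patterns.

    A pair is flagged when it has at least min_hits requests and the spread
    of the gaps between them is small relative to the mean gap
    (coefficient of variation <= max_jitter). Tight, repeating intervals
    are the hallmark of an automated check-in, not of human browsing.
    """
    times = defaultdict(list)
    for client, dest, ts in parse_log(text):
        times[(client, dest)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons
```

Real logs need a larger `min_hits` and allowance for legitimate pollers (update services, mail clients), so the output is a triage list to confirm with content analysis, not a verdict by itself.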
25. SECURITY BLEEDS INTO HR
What is the company policy on reporting this? Is there one? Make sure you know!
Don’t confront the person if you know them.
No emotion in reporting. Stick to the facts as you have the data to back it up.
26. SECURITY BLEEDS INTO LEGAL
What is the law in your state?
Who takes this from you… and have you gone through that drill before it actually happens?
You cannot just turn a blind eye to this for moral and legal reasons.
27. PROXY WHITEBOARD
[Whiteboard diagram: a cloud proxy fronting Site A, Site B, headquarters, work and personal devices, and roaming users, each passing through a proxy instance. Cloud-side services: Global Intelligence Network, Content Analysis, Sandboxing, Web Isolation, SSL certificate.]
Real quickly, let’s get a reminder on what a proxy is and what makes it so special in the security space. Here’s the very basic definition of a proxy: it handles all the communication between two parties.
When you put a proxy between two users (or a user and a server on the internet), you are terminating the connection at the proxy, between the proxy and the user. So in this example, Alice is the user, and asks Bob (who could be a server) for the current time. The request from Alice ends at the proxy. A completely new session is started by the proxy to ask Bob for the current time.
This is what makes a proxy so secure. It doesn’t allow a connection to tunnel or make it through the proxy. It terminates the connections, and waits for entire objects to be assembled at the proxy for inspection. These features allow the proxy to guarantee all objects are inspected, and no evasive techniques can be used to bypass the proxy.
A proxy, on the other hand, reconstructs the full file before it attempts to make a decision on the content. Not only does this make scanning the content more effective, it also eliminates one of the major attack vectors against streaming solutions, namely the out-of-order TCP packet attack.
Most people can recognize this picture now that it is fully constructed.
Let’s look at this in more detail. Here’s an example where fragmenting a piece of malware and introducing a delay in some of the packets has no effect on the proxy detecting the malware. In the NGFW, the slight delay in some packets means the NGFW has already passed on parts of the malware; by the time the remaining packets show up, they also get delivered, and the end user gets the entire piece of malware.
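To make the fragmentation scenario concrete, here is an added simulation (not code from the presentation or from any vendor) of a streaming inspector that forwards each segment as it arrives versus a proxy that holds the whole object, reorders it, and scans it once. It uses the EICAR test string from eicar.org as the harmless “malware”; the fragment size, the arrival order and the inspector logic are constructed assumptions.

```python
"""Streaming inspection vs. full-object (proxy) inspection on fragmented data.

The EICAR test string is a benign anti-virus test file; the signature is
the fixed text inside it. Fragment size and arrival order are constructed.
"""
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

def fragment(payload, size):
    """Split payload into (sequence_number, chunk) TCP-segment-like pieces."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]

def streaming_inspector(segments):
    """Scan only the segment in hand, then forward it at once.

    Returns (forwarded_segments, blocked). A signature split across
    segments never appears in any single chunk, so nothing is blocked.
    """
    forwarded = []
    for seq, chunk in segments:
        if SIGNATURE in chunk:
            return forwarded, True
        forwarded.append((seq, chunk))
    return forwarded, False

def proxy_inspector(segments):
    """Hold every segment, rebuild the object in order, scan it whole.

    Returns (forwarded_segments, blocked); nothing leaves before the verdict.
    """
    ordered = b"".join(chunk for _seq, chunk in sorted(segments))
    if SIGNATURE in ordered:
        return [], True
    return list(segments), False

def reassemble(segments):
    """What the end user's TCP stack does with whatever reached it."""
    return b"".join(chunk for _seq, chunk in sorted(segments))

def run_demo(fragment_size=16):
    """Return, per inspector, (user_received_full_object, blocked)."""
    segments = fragment(EICAR, fragment_size)
    # Constructed arrival order: the middle segments (carrying the
    # signature) are delayed and arrive after the tail of the object.
    arrival = [segments[0], segments[3], segments[4], segments[1], segments[2]]
    stream_fw, stream_blocked = streaming_inspector(arrival)
    proxy_fw, proxy_blocked = proxy_inspector(arrival)
    return {"streaming": (reassemble(stream_fw) == EICAR, stream_blocked),
            "proxy": (reassemble(proxy_fw) == EICAR, proxy_blocked)}
```

With the object sent as a single segment both inspectors block it; only fragmentation plus delay separates them, which is the point the slide makes.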
How do you test out your vehicle’s air bags? Your family drives in that car… they are important to you, so have you tested the airbags to make sure they work? Trick question… of course you cannot do that. You also cannot go to malicious sites to check that they are in fact malicious. There is a better way.