Gartner recently released a report on IT security priorities for the remainder of 2014. Amongst respondents, network security, application security, endpoint security, and security services all ranked highly. In this quick-fire, half-day roadshow, Scalar brings you solutions to these problems from three of our most strategic security vendors, as well as a full presentation on our managed security services portfolio.
48. pe·rim·e·ter
1. The continuous line forming the boundary of a closed geometric figure: "the perimeter of a rectangle". Synonyms: circumference, outside, outer edge. "the perimeter of a circle"
2. The outermost parts or boundary of an area or object: "the perimeter of the garden". Synonyms: boundary, border, limits, bounds, confines, edge, margin, fringe(s), periphery, borderline, verge
3. A defended boundary of a military position or base.
In Networking we call it…DMZ
50. Defense in depth
The principle of defense-in-depth is that layered security mechanisms increase security of the system as a whole. If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system. Implementing a defense-in-depth strategy can add to the complexity of an application, which runs counter to the “simplicity” principle often practiced in security. That is, one could argue that adding new protection functionality adds additional complexity that might bring new risks with it.
https://www.owasp.org/index.php/Defense_in_depth
52. Perimeter Security Technologies
A long time ago… and then… present day… and now with F5!
• Firewalls started out as proxies
• Stateless filters accelerated firewalls, but weakened security
• Stateful firewalls added security with deep inspection, but still fall short of proxies
• F5 brings full proxy back to firewalls: highest security matched by a high-scale and high-performance architecture
F5 Agility 2014 52
53. Protecting against Threats is challenging
Webification of apps / Device proliferation
• 71% of internet experts predict most people will do work via web or mobile by 2020.
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.
Evolving security threats / Shifting perimeter
• 58% of all e-theft tied to activist groups.
• 81% of breaches involved hacking.
• 80% of new apps will target the cloud.
• 72% of IT leaders have or will move applications to the cloud.
57. BIG-IP Application Security Manager
BIG-IP® ASM™ protects the applications your business relies on most and scales to meet changing demands.
Multiple deployment options
• Standalone or ADC add-on
• Appliance or Virtual edition
• Manual or automatic policy building
• 3rd party DAST integration
Visibility and analysis
• High speed customizable syslog
• Granular attack details
• Expert attack tracking and profiling
• Policy & compliance reporting
• Integrates with SIEM software
• Full HTTP/S request logging
Comprehensive protections
• Granular rules on every HTTP element
• Client side parameter manipulation protection
• Response checks for error & data leakage
• AV integrations
58. Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities:
• L7 DDoS
• Web scraping
• Web bot identification
• XML filtering, validation & mitigation
• XML firewall
• Geolocation blocking
• ICAP anti-virus integration
59. Network Threats vs. Application Threats
90% of security investment is focused on network threats, yet 75% of attacks are focused on application threats.
Network attack vectors: TCP SYN Flood, TCP Conn Flood, DNS Flood, HTTP GET Flood
Application attack vectors: HTTP Slow Loris, DNS Cache Poison, SQL Injection, Cross Site Scripting
62. Who’s Requesting Access?
Employees | Partner | Customer | Administrator
Manage access based on identity. IT is challenged to:
• Control access based on user-type and role
• Unify access to all applications (mobile, VDI, Web, client-server, SaaS)
• Provide fast authentication and SSO
• Audit and report access and application metrics
63. Security at the Critical Point in the Network
Diagram: clients reach Total Application Delivery Networking Services (physical, virtual, cloud, storage) through remote access, SSL VPN and the application firewall.
64. BIG-IP APM Use Cases
Use cases: Secure Web Gateway, Accelerated Remote Access, Federation, Single Sign-on, VDI, App Access Management, VPN
Resources: Internet apps; enterprise data & apps; cloud, SaaS and partner apps. Example applications: Exchange, SharePoint, Oracle, Web.
65. Which Threat mitigation to use?
Cloud/Hosted Service: Content Delivery Network, Carrier Service Provider, Cloud-based DDoS Service
On-Premise Defense: Network firewall with SSL inspection, Web Application Firewall, On-premise DDoS solution, Intrusion Detection/Prevention
67. Full Proxy Security
Two complete stacks, client side and server side (Physical, Network, Session, Application, Web application), with protection at each layer:
• Application health monitoring and performance anomaly detection
• HTTP proxy, HTTP DDoS and application security
• SSL inspection and SSL DDoS mitigation
• L4 Firewall: full stateful policy enforcement and TCP DDoS mitigation
68. F5 Provides Complete Visibility and Control Across Applications and Users
Intelligent Services Platform (TMOS): DNS, Web, Access
Users: securing access to applications from anywhere
Resources: protecting your applications regardless of where they live
Dynamic Threat Defense: DDoS Protection, Protocol Security, Network Firewall
69. Protecting the Data Center
Use case:
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols
Before F5: Load Balancer, Firewall/VPN
With F5: Network DDoS, DNS Security, Load Balancer & SSL, Application DDoS, Web Application Firewall, Web Access Management
70. F5: Bringing deep application fluency to perimeter security
One platform: SSL inspection, traffic management, DNS security, access control, application security, network firewall (EAL2+; EAL4+ in process), DDoS mitigation
71. DDoS Mitigation
Difficulty of attack detection increases as attacks move up the OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7).
OSI stack / attacks / F5 mitigation technologies:
• Network attacks (layers 1-4): SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks. Mitigation: BIG-IP AFM with SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
• Session attacks (layer 5): DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation. Mitigation: BIG-IP LTM and GTM with high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
• Application attacks (layers 6-7): OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods. Mitigation: BIG-IP ASM with positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.
72. How do I implement perimeter security with F5?
73. Reference Architectures
DDoS Protection, S/Gi Network Simplification, Security for Service Providers, Application Services, LTE Roaming, Migration to Cloud, DevOps, Secure Mobility, DNS, Cloud Federation, Cloud Bursting
INSTRUCTIONS – These first 8 slides are very short, and paint a picture of who Scalar is (size, reach, background). You can go through them at any speed but they were designed to be spoken to pretty quickly. Most slides have just one or two main points, so not much to say.
SPEAKER NOTES
From our 2 founders we’ve grown to 145 full time employees nationally (as of July 1 2014)
MORE THAN 80 ENGINEERS!!
All these employees share the focus on data centre & internet related infrastructure
NOTE – In keeping with the numbers theme, you can say “Another number – 145 – that’s the number of employees we have”
SPEAKER NOTES
“54% - our compound (or cumulative, whichever you prefer) annual growth rate since we started in 2004”
INSTRUCTIONS – None.
SPEAKER NOTES
We are recognized for our expertise by our partners. Our expertise translates into trust, confidence, and success.
TO ACHIEVE CONTINUOUS ADVANCED THREAT PROTECTION, YOU NEED THE BEST RESEARCH CAPABILITIES AND EXPERTISE TO DELIVER THE BEST DETECTION ON THE PLANET.
IT ALL STARTS WITH OUR VULNERABILITY RESEARCH TEAM (VRT)
THE VRT AT CISCO IS A TEAM OF HIGHLY EXPERIENCED SECURITY EXPERTS WHOSE CORE MISSION IS TO INFUSE THE MOST UP TO DATE DETECTION INTO OUR ADVANCED THREAT PROTECTION
WE POSSESS A DISTINCT ADVANTAGE OVER ALL OTHER COMPANIES IN THE INDUSTRY.
WE OWN AND CONTROL TWO OF THE MOST POPULAR OPEN SOURCE SECURITY PROJECTS IN THE WORLD: SNORT AND CLAM AV
THESE OPEN SOURCE PROJECTS ARE A GOLDMINE OF EXPLOIT INTELLIGENCE – MILLIONS OF USERS, ALL OVER THE WORLD, ARE CONTRIBUTING INTELLIGENCE TO THE VRT EVERY DAY
WE ALSO SUBSCRIBE TO MANY PRIVATE AND PUBLIC FEEDS OF INTELLIGENCE, AS WELL AS PARTICIPATE IN INFORMATION SHARING WITH GOVERNMENTS AND COMPANIES ACROSS THE GLOBE
AS A CONSEQUENCE WE RECEIVE OVER 100,000 SAMPLES OF ATTACKS AND MALWARE EVERY DAY! AND YOUR SECURITY IS ONLY AS GOOD AS WHAT IT CAN SEE, UNDERSTAND, TAKE ACTION ON – IN REAL-TIME BUT ALSO RETROSPECTIVELY.
With Cisco ASA, all the different layers of security you see at the bottom of this slide work together, so we’re able to pull intelligence from these layers. Unlike traditional solutions, we layer security intelligence, for greater visibility and to protect against threats coming from multiple vectors across the attack continuum.
With our unique approach, all the solution parts know about each other. For example, the firewall knows about the IPS and its policies, the IPS sees data coming through the firewall, and the malware engine correlates its events with the IPS events.
Cisco FireSIGHT’s comprehensive impact assessment relies on information from passive discovery, including OS, clients, and server applications. It allows analysts to focus on the smaller subset of events they could be vulnerable to.
File extraction and storage, for forensic, quarantine, and policy purposes. Example: “Store copies of all Neutral and Malicious EXE files downloaded from the internet by call center staff”
Sandbox execution of files to discover zero-day malware: capture the file in transfer, execute it in the sandbox, trigger retrospective events.
Speak about the definition as it pertains to keeping people out. Talk to how most apps are web based and you really want to get people IN. No longer is the DMZ for standalone systems; it's now an integral part of the network.
Attackers are moving up the stack to not only deny service, but compromise the application infrastructure in more damaging ways. As an infosec industry, we’ve gotten pretty good at securing the network and placing good sensors and signaling to let us know when we’re under attack. Attackers are forced to move onto DNS, SSL, and HTTP to attempt to compromise a targeted organization in one way or another.
Without all three of these layers functional, it becomes difficult or even impossible to make an application available to the intended end-user.
With ASM you gain the ability to deploy effective advanced firewall measures for all applications.
BIG-IP ASM can secure any parameter from manipulation and validate login parameters and application flow. Upon inspection of requests, ASM can identify HTTP parameter pollution and block attacks and illegal URL requests.
Volumetric and rate limiting enforce limits set for suspect traffic and invalid traffic conditions common to DDoS. Anomalies are detected when a large number of sessions or requests come from a specific IP address, or when there is a large increase in sessions or requests from a specific IP address. This is common to web scraping.
BIG-IP ASM differentiates between a human and a bot behind a browser, recognizing an increase in request volumes and, for web scraping, distinguishing known whitelisted IP addresses approved to web scrape from those that are unknown.
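As an added example (not F5's code or anything from the deck), the two anomaly conditions described above, absolute per-IP volume in a window and a sharp increase versus the previous window, implemented over constructed access-log lines, with approved scraper IPs whitelisted; the log format, thresholds and addresses are assumptions.

```python
"""Per-source request-volume anomaly detection of the kind a WAF applies to
web scraping / L7 DDoS: absolute volume per window, and growth between windows,
skipping IPs that are approved to scrape."""
from collections import Counter, defaultdict

# Constructed sample access-log lines: "<epoch-second> <client-ip> <method> <path>"
SAMPLE_LOG = "\n".join(
    [f"{1000 + i // 3} 203.0.113.10 GET /catalog?page={i}" for i in range(5)]  # approved scraper
    + [f"{1000 + i // 3} 192.0.2.44 GET /catalog?page={i}" for i in range(5)]   # unknown scraper
    + ["1003 198.51.100.7 GET /catalog?page=1"]                                # 1 request, then ...
    + [f"101{i} 198.51.100.7 GET /catalog?page={i}" for i in range(3)]         # ... 3 in the next window
    + ["1004 198.51.100.9 GET /", "1014 198.51.100.9 GET /about"]              # steady, benign
)

APPROVED_SCRAPERS = frozenset({"203.0.113.10"})  # constructed whitelist


def requests_per_window(log, window_seconds):
    """Return {window_index: Counter(ip -> request count)} from raw log text."""
    counts = defaultdict(Counter)
    for line in log.splitlines():
        ts, ip, _method, _path = line.split(maxsplit=3)
        counts[int(ts) // window_seconds][ip] += 1
    return counts


def detect_anomalies(log, window_seconds=10, max_per_window=4,
                     growth_factor=3.0, whitelist=APPROVED_SCRAPERS):
    """Flag IPs whose volume exceeds max_per_window ("volume") or whose count
    grew by growth_factor or more versus the preceding window ("spike").
    Returns a list of (ip, window_index, kind, request_count)."""
    counts = requests_per_window(log, window_seconds)
    windows = sorted(counts)
    findings = []
    for i, w in enumerate(windows):
        previous = counts[windows[i - 1]] if i else Counter()
        for ip, n in sorted(counts[w].items()):
            if ip in whitelist:
                continue  # approved to scrape: never flagged
            if n > max_per_window:
                findings.append((ip, w, "volume", n))
            elif previous[ip] and n >= growth_factor * previous[ip]:
                findings.append((ip, w, "spike", n))
    return findings


if __name__ == "__main__":
    for ip, w, kind, n in detect_anomalies(SAMPLE_LOG):
        print(f"window {w}: {ip} {kind} ({n} requests)")
```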
ASM includes an integrated XML firewall that detects and prevents XML-specific attacks such as extremely large messages, highly nested elements, coercive parsing, recursive parsing, schema and WSDL poisoning, and routing-based attacks, all of which can overwhelm servers and cause an outage. ASM reports violations against a defined schema and blocks them.
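As an added example (not F5's code or anything from the deck), a Python pre-parser applying the kind of structural checks described above before a message reaches the application's XML parser: message size, element nesting depth, DOCTYPE/entity declarations (the vehicle for coercive and recursive parsing), and a simplified positive schema of allowed element names standing in for full schema validation; the limits and element names are constructed assumptions.

```python
"""XML firewall style pre-checks, using only the standard library."""
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed policy values (assumptions, not product defaults)
MAX_BYTES = 4096
MAX_DEPTH = 8
ALLOWED_ELEMENTS = frozenset({"order", "item", "sku", "qty"})


def check_xml(payload: bytes):
    """Return a list of violation strings; an empty list means the message passes."""
    violations = []
    if len(payload) > MAX_BYTES:
        violations.append(f"size {len(payload)} > {MAX_BYTES}")
        return violations  # oversized: reject before parsing anything
    # Internal DTD subsets are how entity expansion and external-entity tricks
    # enter a document; a positive policy simply forbids any declaration.
    if b"<!DOCTYPE" in payload[:512] or b"<!ENTITY" in payload:
        violations.append("DOCTYPE/ENTITY declaration not allowed")
        return violations
    depth = 0
    try:
        # iterparse streams start/end events, so depth is tracked without
        # building the whole tree first.
        for event, elem in ET.iterparse(BytesIO(payload), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > MAX_DEPTH:
                    violations.append(f"nesting depth > {MAX_DEPTH}")
                    break
                if elem.tag not in ALLOWED_ELEMENTS:
                    violations.append(f"element <{elem.tag}> not in schema")
            else:
                depth -= 1
    except ET.ParseError as exc:
        violations.append(f"malformed XML: {exc}")
    return violations


# Constructed sample messages
GOOD = b"<order><item><sku>A-1</sku><qty>2</qty></item></order>"
DEEP = b"<order>" + b"<item>" * 20 + b"</item>" * 20 + b"</order>"
ENTITY = b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY a "aaaa">]><order>&a;</order>'
UNKNOWN = b"<order><admin>true</admin></order>"
OVERSIZE = b"<order>" + b"<item/>" * 1000 + b"</order>"

if __name__ == "__main__":
    for name, msg in [("good", GOOD), ("deep", DEEP), ("entity", ENTITY),
                      ("unknown", UNKNOWN), ("oversize", OVERSIZE)]:
        print(name, check_xml(msg) or "pass")
```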
BIG-IP ASM provides anti-virus support by stripping uploaded SOAP and SMTP files from the HTTP request and forwarding the files to an antivirus server over ICAP. If the file is clean, the antivirus server responds to accept the request. If the file is not clean, BIG-IP ASM blocks the request to protect the network from virus intrusion.
Want to touch on:
You’ve heard about ISP
The purpose of this preso is provide more info on the security services
Before we do that let’s talk about some technology trends
Mobility and elasticity of data centers (consolidation, webification, private & public clouds… data centers have changed)
Before IP we had SNA, IPX
Each app had its own port
Now consolidating all these apps down to HTTPS
Complexity resides over HTTP
Impacting overall infrastructure
You may have read just a few months ago that even Symantec came out and said that AV is dead and cannot stop today’s modern attacks. This is backed up by all of the Gartner and Forrester analysts, who all recommend augmenting your traditional defenses.
All legacy security technologies rely on detecting malware or “known good” files to protect the endpoint.
Network Firewalls only allow unknown information into a network for a few types of programs, like the web browser and e-mail which are now the biggest risks.
Intrusion Prevention Systems require signatures for “known” attacks to be effective. “Unknown” attacks get through without a problem.
Gateways rely on “reputation systems” that attempt to determine if a web site or e-mail is “risky”. If they guess wrong, the malware gets through.
PC Firewalls work just like network firewalls and have the same limitations; attacks targeted at e-mail or the web browser are allowed through.
Anti-virus systems use signatures or “heuristic algorithms” to detect known malware and have the same limitations as the network IPS.
Only hardware isolation is able to ensure that the endpoint remains immune to attacks, as ALL data targeting the most risky programs, the browser and e-mail, is prevented from actually getting to or running on the protected machine.
Bromium is redefining the model of security. Over the last 20 plus years, the industry built up around detection-based methodologies, pattern-matching. Bromium is transforming this legacy model with a new model based on isolation and micro-virtualization. We were founded by the leaders of XenSource, who created the Xen hypervisor, now the foundational technology for cloud computing. Amazon and Google use it to power their cloud services, for example. We have the leaders in virtually every industry, such as Aetna, ADP, Blackrock, NYSE, Box, to name a few. We also have 2 of the top 4 largest banks, 3 of the top 5 largest insurance companies, 2 of the top 5 largest private companies, etc….
There are many different advantages to the Bromium solution and every customer is different. Browsing is typically a major issue for every organization and the #1 source of breaches and Bromium delivers the most secure browsing experience available.
“We have to be compliant!”
Auditing, regulators and compliance
Maturity Models
Risk Assessments
Frameworks
The Result?
Minimal effort on detecting the hackers and monitoring the data
One customer's quote:
“We turned the IDS on last week. It was horrible. I haven’t looked at it since” “We only need to have it to be compliant anyway”
“We have a guy that manages the security for us” Really?
COBIT, ISO27001/2, ITIL
Large companies and FIs are doing their best. Even they are looking to partner. Cyber Intelligence is the new tool set
Infosec is hard
Many types of professionals needed
Analysts, Specialists, Incident responders, Anti-Malware Specialists, Forensics
Software and hardware tools, Labs
You cannot do this alone
- Find a partner who does this every day…all day
Get your teams up to speed
Plan/Budget to spend the money
You are going to have to fight for it
TRADITIONAL MODEL SPENDS MORE TIME AND MONEY ON PREVENTION
MITIGATES A MAJORITY OF PRIMITIVE THREATS
ALL IT TAKES IS ONE
REAL-TIME ACTIVITY: FROM IPS OR FIREWALL
LONG TERM PATTERNS: NETWORK TRAFFIC VOLUME, RECURRING VIRUSES
PATTERNS ACROSS PLATFORMS: FIREWALL > WEB SERVER > DATABASE
NOTES – THE NEXT SET OF SLIDES OUTLINE HOW WE CAN WORK WITH A CUSTOMER. THE SLIDES DESCRIBE BOTH A PROCESS (AUDIT, DESIGN, DEPLOY, MANAGE) AND OUR SERVICES (PS, MS, PRODUCT RESALE).
KEY MESSAGE – CONVEY TO THE CUSTOMER THAT WE CAN BE AS INVOLVED AS THEY WANT. WE CAN SET STRATEGY & WORK END TO END, OR WE CAN DEPLOY A TACTICAL SOLUTION AND LEAVE IT IN THEIR HANDS. UP TO THEM.
Two large Canadian banking institutions needed a technology partner to take them from a concept to a production environment in a few short months. They wanted to launch a new competitive mobile wallet platform, but had no resources to assign to the project, and nowhere to house the solution.
In 5 months, Scalar built and deployed a virtualized development environment in our elastic cloud, then designed and deployed multiple physical environments for testing and production. Working closely as a sales and services team, Scalar provides 100% of the ongoing 24x7 environment management and operations.
Scalar essentially helped two banks build a net new company before the ink was dry on their new business registration. Without Scalar, there is a good chance the project would not have gotten off the ground. From the seamless integration with the architecture team, through the deployment, and into the ongoing management, Scalar acted with speed and agility to break down traditional barriers of building new IT environments, while maintaining low risk and high security (they are BANKS of course, with VERY high security demands).
Today Scalar continues to manage the platform, and continues to design new solutions, such as DR and archive solutions, as well as enhancing the development environment for our client.