Advanced Threat Protection Frameworks
Advanced Threat Protection - Sandboxing
David Leinberry, Don Murphy, Enhanced Technologies – Americas
Industry Information
• In the US, an estimated $300 Billion a year of Intellectual Property (IP) is stolen
• The average incursion went 200+ days without detection
• 300% uptick, $206 Mil, FBI - in Ransomware in the last 3 months
• Verizon 2016 Data Breach Report: "Phishing Tops The List Of Increasing Concerns"
Incident Response results:
o 100% of victims had up-to-date Antivirus signatures
o 100% of the breaches involved use of stolen credentials
o 67% of companies learned they were breached from an external entity
o 46% of the compromised systems had no Malware on them
o Breaches are not limited to any one industry; all verticals are vulnerable
  • Healthcare: 80 million records
  • Home Improvement Chain: 56 million records
  • Finance: 76 million records
A new defense strategy is needed
Audience Poll #1
What do you think the average cost of a data breach was in 2014?
A. $2m
B. $3.5m
C. $3.8m
D. $162m
E. Don't Know
Data Breach Cost Data Points: B.
Why a Sandbox?
• To provide a pristine and isolated environment that automatically tests potentially malicious software
o Needs a feature that acts like a mouse and executes the file just as a human would (double click)
o The sandbox steps through the file and opens other programs as needed to execute it (Office, Adobe, etc.)
o If a GUI is opened, the malware install is screenshotted
o Call back/C2 is tracked
o A forensics report needs to be created and emailed to the pre-defined alias list
• After testing, intelligence is applied in deciding whether to alert
• Multiple VMs in a single appliance allow multiple files and threats to be analyzed at once
• Integration with multiple security platforms is critical to being proactive – mail, endpoint, edge (FW)
• Integration with all major SIEMs should be part of the integration
Insider Threat: the Unintentional Participant (this can lead to APT)
Intentional participants are IMHO already APTs
Who are they?
o Any employee; it is not intentional (executives are usually a High Value Target)
Use Case 1: Why did I click it?
o A user clicks a link that they don't know is bad
• FortiGate coupled with FortiSandbox can detect, block, and alert on bad links
Use Case 2: phishing / spear phishing
o A user opens an attachment they shouldn't have
o Attacks are sophisticated now; it's no longer a smash and grab
• FortiMail and FortiSandbox will block, clean, and alert even if you have another spam solution
Use Case 3: insufficient best practices for passwords, user behavior (Audits)
o Default Admin/Application passwords or shared passwords
o Unusual behavior in DB access (that little healthcare breach)
• FortiDB, FortiAuthenticator: User Profiling and Strong Authentication, no default or shared PWs
Audience Poll #3
What are you most concerned about losing as a result of a cyber attack?
• Customer Data
• System Availability/Business Continuity
• Intellectual Property
• Employee Data
• Company Brand
Sandbox – Usually has 4 Steps to Enhance Security
Steps (as shown on the slide): Call Back Detection, Full Virtual Sandbox, Cloud File Query, AV Prefilter
• Apply top-rated anti-malware engine
• Examine real-time, full lifecycle activity in the sandbox to get the threat to expose itself
• Check community intelligence & file reputation
• Identify the ultimate aim, call back & exfiltration
• Mitigate w/ analytics
14 Types of Danger and some examples
• Adware – BitTorrent
• Riskware – smsreg
• Botnet – Fastflux
• Hijack – Trovi
• Trojan – CryptoLocker (40 variants in the Extreme DB)
• Worm, Backdoor, Rootkit, Dropper, Downloader, Injector, Attacker, Stealer, Infector
Flexible Deployment Modes
• Standalone Mode – Ideal for scalable requirements (Data Center)
• Integrated Mode – Ideal for centralized gateway with inline protection (Headquarters / Enterprise Core)
• Distributed Mode – Ideal for protection in a distributed environment (Branch Offices / Distributed Enterprise)
All Input Methods Supported Simultaneously
• Devices – Files submitted from an edge FW product
• Sniffer – Files extracted from monitored traffic
• File Share – Files are examined on a network share (NFS/CIFS)
• On-demand – Files or URLs manually submitted through the web-based manager of the Sandbox
Breaking the Kill Chain of Advanced Threats
(Diagram, shown twice in the deck: the attack chain and the controls that break it)
Attack chain: Spam → Malicious Email / Malicious Link → Malicious Web Site → Exploit → Malware → Bot Commands & Stolen Data → Command & Control Center
Controls along the chain: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
The second version of the diagram adds the Sandbox as an additional control alongside the existing ones.
FortiSandbox Detecting Targeted Attacks
• Prefilters objects, identifying known threats
• Uncovers full threat lifecycle and presents indicators of compromise
• Full deployment capabilities
o Sniffer: span port mode to capture all packets
o On-demand: manual submission & analysis
o Integrated: with FortiGate, FortiMail, FortiWeb & FortiClient to feed into and act on intelligence out of FortiSandbox
• Integrated File Share scan capability
• True dynamic URL analysis engine plus integration with other Forti-components
Analysis pipeline (as shown on the slide): Network Traffic and Products feed into Cloud File Query → AV Prefilter → Code Emulation → Full Sandbox → Callback Detection
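The staged triage described in "Sandbox – Usually has 4 Steps" and in the FortiSandbox pipeline above, as an added worked example in Python; this is not code from the deck or from Fortinet. Signature hashes, reputation entries, the C2 host list and the detonation record are all constructed, and running the AV prefilter before the cloud query is an assumption for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data for the example: not real signatures, reputations or C2 indicators.
SIGNATURE_HASHES = {hashlib.sha256(b"EICAR-LIKE-TEST-SAMPLE").hexdigest()}
CLOUD_REPUTATION = {hashlib.sha256(b"known good installer").hexdigest(): "clean"}
KNOWN_C2_HOSTS = {"c2.example.invalid"}

@dataclass
class Detonation:
    """What the full virtual sandbox observed while running the file (constructed record)."""
    dropped_files: list          # paths written to disk by the sample
    connections: list            # (seconds since start, host, port) per outbound connection

def av_prefilter(data: bytes) -> str:
    """Step 1: cheap signature (hash) lookup before any costly analysis."""
    return "malicious" if hashlib.sha256(data).hexdigest() in SIGNATURE_HASHES else "unknown"

def cloud_file_query(data: bytes) -> str:
    """Step 2: community intelligence / file reputation keyed by hash."""
    return CLOUD_REPUTATION.get(hashlib.sha256(data).hexdigest(), "unknown")

def callback_detection(connections, min_beacons=3, jitter=2):
    """Step 4: flag known C2 hosts and near-constant-interval beaconing to any one host."""
    iocs, by_host = [], {}
    for t, host, port in connections:
        if host in KNOWN_C2_HOSTS:
            iocs.append(f"known-c2:{host}:{port}")
        by_host.setdefault(host, []).append(t)
    for host, times in by_host.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_beacons and max(gaps) - min(gaps) <= jitter:
            iocs.append(f"beacon:{host}:every~{round(sum(gaps) / len(gaps))}s")
    return sorted(set(iocs))

def triage(data: bytes, detonation=None) -> dict:
    """Run the steps in order and stop at the first one that is conclusive."""
    if av_prefilter(data) == "malicious":
        return {"verdict": "malicious", "step": "av_prefilter", "iocs": []}
    reputation = cloud_file_query(data)
    if reputation != "unknown":
        return {"verdict": reputation, "step": "cloud_file_query", "iocs": []}
    if detonation is None:  # Step 3 needs a sandbox run; nothing conclusive without it
        return {"verdict": "unknown", "step": "needs_sandbox", "iocs": []}
    iocs = callback_detection(detonation.connections)
    iocs += [f"dropped:{path}" for path in detonation.dropped_files]
    verdict = "malicious" if any(i.startswith(("known-c2:", "beacon:")) for i in iocs) else ("suspicious" if iocs else "clean")
    return {"verdict": verdict, "step": "full_sandbox", "iocs": iocs}
```

The returned "iocs" list is what the forensics report and SIEM integration mentioned earlier would carry; a sample that reaches the full-sandbox step but shows no callback and drops nothing comes back "clean".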
How Should It All Work?
(Diagram: numbered flow between Client, Sandbox, Firewall/Mail/Web Server and the analytical Labs; the step numbering is not recoverable from the transcript)
• File Submission / Result between the submitting products and the Sandbox
• Quarantine Devices / Block Traffic and Block Objects on the Firewall/Mail/Web Server
• Device/File Quarantine on the Client
• Security, follow-the-sun analytical Labs: Intelligence Sharing, Security Updates, Forensics and Response
• Real-time intelligence updates (ongoing)
A Sandbox Should Sit at the Heart of Every Security System
(Diagram: the Sandbox at the centre, connected to Web Servers, Mail Servers and the Analytical Lab)
QUESTIONS?
Our Partners: ADNET proudly partners with leading technology and business solution providers to help our clients find the best possible fit for their needs. We encourage you to visit our partners' websites to learn more about their services.