Five Myths of Threat Management
Joel Snyder, jms@opus1.com, Opus One
Source: opus1.com/www/presentations/fivemyths2008.pdf

Myth 1: Intrusion Detection Systems Detect Intrusions
Reality: Intrusion Detection Systems Provide Visibility Into the Security Posture of Your Network

• If you’re hoping that the IDS will “catch them in the act,” you don’t really understand what IDS is good at
Here’s a month’s worth of events… (callouts on the event chart, one per slide:)

• Firewall hole improperly opened or internal SQL Slammer infected system (not an intrusion)
• Hyperactive protocol decoder… make sure systems being ‘touched’ are patched; probably many false positives
• Improperly configured VoIP system. Track down and fix. (not an intrusion)
• Policy issue. Is NFS allowed or isn’t it? Is SNMP allowed or isn’t it? (not an intrusion)
• Why is VNC happening across this IPS? Policy problem or firewall hole! (attempted intrusion)
IDSes Can Help You With the Problems You Might Have Tomorrow

(Chart: chance of your company being “intruded” at random from the Internet, versus chance of your IDS discovering the intrusion as it happens)
IDSes Do Help You With the Problems You Have Today

(Chart: chances your company has at least one network security problem, versus chances of your IDS discovering network security problems)
IPSes Also Have Their Area of Strength

(Diagram labels: External network, Internal Net, Internal Net, DMZ)

• But have the same structural concerns as IDS
Grain Of Truth: Use IDS and IPS Where They Make Sense

• Your goal with an IDS should be improved network security visibility
  • Which can help you dramatically increase total security!
• Your goal with an IPS should be improved visibility and “narrowing” of patch window
  • Which may or may not be redundant, but will add visibility in the same way IDS does
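As an added example, not part of the deck: a triage routine that sorts a month of IDS alerts into the finding types the slides above walk through (infected internal host, firewall hole, decoder noise, VoIP misconfiguration, policy question, attempted intrusion), so the IDS output becomes a to-do list rather than an alarm. The alert records, the 10.0.0.0/8 inside range and the signature keywords are constructed assumptions.

```python
"""Added example, not from the Opus One deck: triage a month of IDS alerts into the
finding types the slides walk through.  Alerts and the site's address range are constructed."""
import ipaddress
from collections import Counter, defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # this site's inside range (assumption)
WORMS = ("slammer",)                              # old worm families the site tracks
POLICY = ("nfs", "snmp")                          # presence alone is a policy question
FANOUT_NOISE = 2                                  # one source, N targets: decoder noise

# Constructed sample alerts: (signature, source IP, destination IP).
ALERTS = [
    ("MS-SQL Slammer worm propagation", "10.1.4.22", "10.1.7.9"),
    ("MS-SQL Slammer worm propagation", "10.1.4.22", "10.1.7.10"),
    ("MS-SQL Slammer worm propagation", "203.0.113.8", "10.1.7.9"),
    ("SIP malformed INVITE", "10.1.9.3", "10.1.9.4"),
    ("NFS mount request", "10.1.2.5", "10.1.2.8"),
    ("SNMP public community", "10.1.2.5", "10.1.2.9"),
    ("VNC server response", "198.51.100.7", "10.1.3.14"),
    ("HTTP chunked-encoding anomaly", "10.1.5.1", "10.1.5.20"),
    ("HTTP chunked-encoding anomaly", "10.1.5.1", "10.1.5.21"),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def classify(sig, src, fanout):
    """Map one alert to the finding type the deck describes for it."""
    s = sig.lower()
    if any(w in s for w in WORMS):            # worm traffic: where did it come from?
        return ("internal infected system (not an intrusion)" if is_internal(src)
                else "firewall hole improperly opened")
    if "sip" in s:
        return "misconfigured VoIP system (not an intrusion)"
    if any(p in s for p in POLICY):
        return "policy issue: is this protocol allowed? (not an intrusion)"
    if "vnc" in s and not is_internal(src):
        return "attempted intrusion: VNC across the perimeter"
    if "anomaly" in s and fanout >= FANOUT_NOISE:
        return "hyperactive protocol decoder: verify targets are patched"
    return "unclassified: review"

def triage(alerts):
    """Return (counts per finding type, internal hosts to track down and fix)."""
    fanout = defaultdict(set)                 # distinct destinations per (signature, source)
    for sig, src, dst in alerts:
        fanout[(sig, src)].add(dst)
    counts, fix = Counter(), set()
    for sig, src, _ in alerts:
        cat = classify(sig, src, len(fanout[(sig, src)]))
        counts[cat] += 1
        if "not an intrusion" in cat and is_internal(src):
            fix.add(src)                      # infected or misconfigured: ours to clean up
    return counts, fix
```

Calling `triage(ALERTS)` on the sample gives one attempted intrusion against eight findings that are really configuration, policy or hygiene work, which is the point of the slides.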
Myth 2: Unified Threat Management (UTM) Firewalls with Anti-Virus provide effective malware protection
Reality: UTM Firewalls Provide Secondary and Tertiary Protections

• Desktop protection is required!
• Application-specific protection is required!
  • Example: anti-spam/anti-virus email gateway
• “Layer 7 aware” protection is strongly recommended!
  • Example: web proxy for outbound
| Vendor | Product | Protocols Covered | Catch Score |
|---|---|---|---|
| Astaro | ASG 425a | FTP, HTTP, SMTP, POP3 | 67% |
| Check Point | UTM-1 2050 | FTP, HTTP, SMTP, POP3 | 70% |
| Crossbeam | C25 | FTP, HTTP, SMTP, POP3 | 70% |
| Fortinet | FortiGate 3600A | FTP, HTTP, SMTP, IMAP, POP3, IM, NNTP | 75% |
| IBM/ISS | Proventia MX5010 | FTP, HTTP, SMTP, POP3 | 60% |
| Juniper Networks | SSG-520M | FTP, HTTP, SMTP, IMAP, POP3 | 72% |
| Nokia | IP290 | FTP, HTTP, SMTP, POP3 | 75% |
| Secure Computing | Sidewinder 2150D with IPS accel. | FTP, HTTP, SMTP | 75% |
| SonicWALL | PRO 5060 | FTP, HTTP, SMTP, IMAP, POP3, CIFS, TCP | 85% |
| WatchGuard | Firebox Peak X8500e | SMTP, HTTP, TCP | 45% |

Real Testing Shows A/V Protection Only (Except for SonicWALL) on Standard Ports!
| Vendor | Product | Version | Scenario Notes | Client Score | Server Score |
|---|---|---|---|---|---|
| Astaro | ASG 425a | v7.009 | Recommended Settings | 19% | 36% |
| Check Point | UTM-1 2050 | NGX R65 | SecureDefense | 27% | 32% |
| Cisco | ASA5540 | 7.2.3 | Block at 85% confidence | 20% | 30% |
| Cisco | ASA5540 | 7.2.3 | Block at 55% confidence | 37% | 33% |
| Crossbeam | C25 | NGX R65 | SecureDefense | 27% | 32% |
| Fortinet | FortiGate 3600A | v3.00 MR4 | major/critical severity | 14% | 23% |
| Fortinet | FortiGate 3600A | v3.00 MR4 | all signatures | 41% | 24% |
| IBM | System x3650 | NGX R65 | SecureDefense | 27% | 32% |
| IBM/ISS | Proventia MX5010 | v3.12 | Recommended Settings | 75% | 44% |
| Juniper Networks | ISG-1000 | 6.0.0 | IDP, high severity | 42% | 46% |
| Juniper Networks | ISG-1000 | 6.0.0 | IDP all severities | 87% | 70% |
| Juniper Networks | ISG-1000 | 6.0.0 | No additional protections | 5% | 17% |
| Juniper Networks | SSG-520M | 6.0.0 | Deep Inspection, maj/crit | 19% | 24% |
| Juniper Networks | SSG-520M | 6.0.0 | Deep Inspection, all sigs | 21% | 25% |
| Nokia | IP290 | NGX R65 | SecureDefense | 27% | 32% |
| Secure Computing | Sidewinder 2150D | v7.0 | with IPS | 22% | 34% |
| Secure Computing | Sidewinder 2150D | v7.0 | only proxy | 7% | 14% |
| SonicWALL | PRO 5060 | v4.0.0.0 | major/critical severity | 22% | 19% |
| SonicWALL | PRO 5060 | v4.0.0.0 | all signatures | 45% | 46% |
| WatchGuard | Firebox Peak X8500e | v9.0.1 | major/critical severity | 39% | 30% |
| WatchGuard | Firebox Peak X8500e | v9.0.1 | all signatures | 40% | 31% |

Real Testing Shows IPS Protection by UTM Lower Than Standalone IPS
Don’t Get Me Wrong: UTMs are Great!

| Criteria | Notes |
|---|---|
| Flexibility | Ability to bring security services in and out of the equation quickly supports threat response requirements best |
| Management | A single management interface reduces the possibility of mistakes |
| Complexity | High Availability and Scalability are dramatically simplified in UTM |
| Performance | By intelligently routing traffic to different engines, performance of a single large box can exceed multiple small boxes |
| Cost | Long-term costs for UTM will likely be lower than individual point solutions |
Grain of Truth: Use UTMs to Provide Both Primary and Secondary Security Services

• As border firewalls, UTMs provide the same protection you’re used to
• Services such as content filtering and URL control are ideal at UTM firewalls
• Security services such as Anti-Malware help back-stop other technologies as a “defense in depth” strategy
Myth 3: Updating Anti-Virus Signatures Every 30 Seconds Is The Best Protection Against New Threats
Reality: New Threats Are Application Layer Threats

• Focusing on viruses makes you lose sight of the larger threat landscape
CVSS Says: 6500+ Vulnerabilities in 2007. That’s Not Viruses.
Attrition.ORG Says: Viruses the Least of Your Worries in 2007 for Breaches
Look Beyond Yesterday’s Threats And Focus on Tomorrow’s Threats

(Figure, built up over two slides: malware distributed via physical media … via email … via web pages (“drive by”) … via compromised systems)

(Further figure labels on the second slide: Spam, Phishing, Social Engineering, Data Leak Protection, Intellectual Property, Content Filtering, Appropriate Use, Application Firewalls, Application Controls)
Grain of Truth: Be Proactive In Responding To New Threats

• But focus on the threat vector rather than on the threat du jour

(Figure labels: Malware, Viruses)
Myth 4: Zero-Day Threats Are Your Biggest Problem
Reality: Old, Tired, Reliable Threats Are Your Biggest Problem

• You do have to worry about new threats.
• But the greatest likelihood of a problem is going to come from old threats.
Microsoft says: Oldies are Still Goodies

82% of detected malware by MSRT are more than 6 months old!
Rootkits are successful with old attacks

(Figure: the vulnerabilities each of three exploit kits uses; the three columns and their labels appear in slide order, reproduced below in that order)

IcePack (9/07): MS-DAC Vuln. (CVE-2006-0003); WebViewFolderIcon ActiveX Control Buffer Overflow Vuln. (CVE-2006-3730); MS Management Console Vuln. (CVE-2006-3643); Vector Markup Language Vuln. (CVE-2007-0024); MS DirectX Media 6.0 Live Picture Corp. DirectTransform FlashPix ActiveX (CVE-2007-4336); Yahoo! Messenger Webcam ActiveX Remote Buffer Overflow Vuln. (CVE-2007-3147/3148); Yahoo! Widgets YDP ActiveX Control Buffer Overflow Vuln. (CVE-2007-4034); WMP Plug-In with Non-Microsoft IE Vuln. (CVE-2006-0005); JavaScript Navigator Object Vuln. (CVE-2006-3677)

MPack V0.94: MS-DAC Vuln. (CVE-2006-0003); Apple QuickTime RTSP URI Remote Buffer Overflow Vuln. (CVE-2007-0015); WinZip FileView ActiveX Control Multiple Vulns (CVE-2006-6884); MS WebViewFolderIcon ActiveX Control Buffer Overflow Vuln. (CVE-2006-3730); MS Management Console Vuln. (CVE-2006-3643); Windows Media Player MP Plug-In with Non-MS IE Vuln. (CVE-2006-0005)

WebAttacker (9/06): MS-DAC Vuln. (CVE-2006-0003); Windows VML Vuln. (CVE-2006-4868); MS Virtual Machine Vuln. (CVE-2003-0111); Windows Media Player Plug-In with Non-MS Internet Explorer Vuln. (CVE-2006-0005); Exploitable crash in InstallVersion.compareTo Vuln. (CVE-2005-2265)
Old Attacks Outnumber New

SQL Slammer Attacks Per Hour at Opus One, May 2008: 810
Really Old Attacks are Still Around!

Code Red Attacks Per Hour at Opus One, May 2008: 4
Grain of Truth: There Will Be A New Attack Tomorrow

But Old Attacks Never Go Away!
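An added example, not from the presentation, that turns IDS log lines into the two figures this section relies on: attacks per hour by signature (the Slammer and Code Red counts) and the share of alerts coming from signatures more than six months old (the MSRT statistic). The log excerpt, the signature catalogue and its first-seen dates are constructed; a real catalogue would come from the IDS vendor's signature metadata.

```python
"""Added example, not from the Opus One deck: attacks per hour by signature from IDS log
lines, and the share of alerts from signatures older than six months.  All data constructed."""
import re
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed log excerpt: ISO timestamp, then key=value fields; the signature is quoted.
LOG = """\
2008-05-12T10:00:03 sig="SQL Slammer" src=10.1.4.22 dst=10.1.7.9 proto=udp dport=1434
2008-05-12T10:00:07 sig="SQL Slammer" src=10.1.4.22 dst=10.1.7.10 proto=udp dport=1434
2008-05-12T10:14:41 sig="Code Red" src=203.0.113.8 dst=10.1.3.2 proto=tcp dport=80
2008-05-12T10:31:09 sig="SQL Slammer" src=198.51.100.7 dst=10.1.7.9 proto=udp dport=1434
2008-05-12T11:02:55 sig="Fresh ActiveX exploit" src=203.0.113.9 dst=10.1.3.4 proto=tcp dport=80
2008-05-12T11:40:00 sig="SQL Slammer" src=10.1.4.22 dst=10.1.7.11 proto=udp dport=1434
garbage line the parser must skip
"""

# Approximate first-seen dates per signature family (constructed catalogue; a real
# one would come from the IDS vendor's signature metadata).
FIRST_SEEN = {
    "SQL Slammer": date(2003, 1, 25),
    "Code Red": date(2001, 7, 13),
    "Fresh ActiveX exploit": date(2008, 5, 1),
}
LINE = re.compile(r'^(\S+) sig="([^"]+)"')

def parse(log):
    """Yield (timestamp, signature) for each well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def attacks_per_hour(log):
    """Mean alerts per hour per signature over the log's span (floor of one hour)."""
    events = list(parse(log))
    if not events:
        return {}
    stamps = [t for t, _ in events]
    hours = max((max(stamps) - min(stamps)).total_seconds() / 3600, 1.0)
    return {sig: round(n / hours, 1) for sig, n in Counter(s for _, s in events).items()}

def old_threat_share(log, as_of, max_age=timedelta(days=182)):
    """Fraction of alerts whose signature predates as_of (ISO date) by more than max_age;
    signatures missing from the catalogue count as new."""
    cutoff = date.fromisoformat(as_of)
    events = list(parse(log))
    old = sum(1 for _, sig in events if cutoff - FIRST_SEEN.get(sig, cutoff) > max_age)
    return round(old / len(events), 2) if events else 0.0
```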
Myth 5: I Can’t Afford To Buy All The Products That Everyone Wants To Sell Me
Reality: You can’t afford to waste money

• Many networks have security 20 layers thick in some places, and 0 layers thick in others
Build Balance Into Your Threat Protection

(Figure: protection functions grouped under four goals)

• Bad Content: Anti-Spam, Anti-Virus, Anti-Spyware, Anti-Phishing
• Bad Activity: Intrusion Prevention, DoS/DDoS Mitigation
• Control Usage: Content Filtering, Application Blocking, Bandwidth Management
• Enforce Policy: Regulatory Logging/Blocking
Grain of Truth: Security Companies Are There To Make Money First

• … And To Protect You

You have to take responsibility for a balanced and rational strategy!