elets 2nd ejharkhand summit 2016 - ajay dubey, channel head-india, forcepoint

Copyright © 2016 Forcepoint. All rights reserved. Advance cyber security strategy for Insider threat and Ransomware

Upload: elets-technomedia

Post on 16-Apr-2017


Page 1

Advance cyber security strategy for Insider threat and Ransomware

Page 2

• Ransomware
• Insider Threat
• Data Theft
• NGFW

Page 3

• Ransomware
• Insider Threat
• Data Theft
• NGFW

Page 5

Ransomware – New Way of Damage


Page 8

WHAT IS RANSOMWARE?

Ransomware is malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key.

EXPERTS HAVE ESTIMATED THAT THE TOTAL AMOUNT PAID TO RANSOMWARE AUTHORS COULD BE AS MUCH AS $325 MILLION (USD) FOR SOME VARIANTS OF RANSOMWARE.

Page 9

RANSOMWARE – HOW DOES IT WORK?

Ransomware spreads through e-mail attachments, infected programs and compromised websites. A ransomware malware program may also be called a cryptovirus, cryptotrojan or cryptoworm.

Page 10

A CLOSER LOOK AT CERBER

When a machine is infected, the victim's data files are encrypted with AES and the victim is told to pay a ransom of 1.24 bitcoins (~500 USD) to get the files back.

Page 12

THE CORE TECHNOLOGY

ACE

Page 13

RANSOMWARE – HOW DO I PREVENT IT?

1. Internal security program
2. Continuous security awareness
3. Enforce backup program
4. Remove admin rights where possible
5. Institute privilege management program
6. Implement controls at network egress points
   • Rules to block CnC
   • Email security gateway to block spam, phishing and malicious attachments
   • Web security gateways to block unknown/uncategorized destinations
7. Implement endpoint controls
   • Keep antivirus current
   • Deploy endpoint tool to block bad applications

Page 14

• Ransomware
• Insider Threat
• Data Theft
• NGFW

Page 15

How to Address Insider Threat?

Visibility + Context

Photo: Jeramey Jannene

Page 16

INSIDER CYBER THREAT INDICATORS

• Abnormal after-hours access by a contractor in Hawaii
• Unusual lateral movement on the network
• Huge transfers of data to USB
• Abnormal administrator account activity
• Abnormal account usage across 20-25 peer accounts, all linked to the attacker's IP address

AH – MR. SNOWDEN.
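The five indicators on this slide map directly onto detection rules, and the slide's "visibility + context" point is that one subject tripping several of them is what deserves an analyst's attention. The following is an added example, not code from the slide deck or from Forcepoint: the log format, the field names, the thresholds (business hours, distinct-host count, USB byte count, accounts per source IP), the baseline of hosts an admin account normally logs on to, and every sample event are constructed assumptions.

```python
"""Added example (not from the slide deck): the five insider-threat indicators
on the slide expressed as detection logic over constructed logon/endpoint events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp | user | role | action | source IP | target | bytes
SAMPLE_LOG = """\
2016-03-14T02:10:00 | contractor.k | contractor | logon | 10.8.1.50 | HI-FS01 | 0
2016-03-14T02:12:00 | contractor.k | contractor | logon | 10.8.1.50 | HI-FS02 | 0
2016-03-14T02:15:00 | contractor.k | contractor | logon | 10.8.1.50 | HI-DB01 | 0
2016-03-14T02:20:00 | contractor.k | contractor | logon | 10.8.1.50 | HI-AD01 | 0
2016-03-14T02:30:00 | contractor.k | contractor | usb_copy | 10.8.1.50 | E: | 6442450944
2016-03-14T09:00:00 | user.a | employee | logon | 10.8.2.21 | WS-221 | 0
2016-03-14T09:05:00 | user.a | employee | usb_copy | 10.8.2.21 | E: | 2048000
2016-03-14T10:00:00 | svc_backup | admin | logon | 10.8.1.50 | HI-FS01 | 0
2016-03-14T11:00:00 | user.r | employee | logon | 10.8.1.50 | WS-105 | 0
2016-03-14T11:02:00 | user.m | employee | logon | 10.8.1.50 | WS-106 | 0
2016-03-14T11:04:00 | user.j | employee | logon | 10.8.1.50 | WS-107 | 0
"""

# Thresholds and baselines (constructed placeholders; derive real ones from your own data).
BUSINESS_HOURS = range(8, 18)         # 08:00-17:59 counts as working hours
LATERAL_HOST_THRESHOLD = 3            # distinct hosts one account logs on to per day
USB_BYTES_THRESHOLD = 1 << 30         # 1 GiB written to removable media per user
PEER_ACCOUNT_THRESHOLD = 4            # distinct accounts seen from one source IP
ADMIN_BASELINE_HOSTS = {"svc_backup": {"BK-SRV01"}}   # hosts each admin account normally uses


def parse(line):
    """Split one pipe-delimited event line into a dict with typed fields."""
    ts, user, role, action, src_ip, target, nbytes = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "src_ip": src_ip, "target": target, "bytes": int(nbytes)}


def find_indicators(log_text):
    """Return a sorted list of (indicator, subject) pairs raised by the five rules."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    hosts_by_user = defaultdict(set)
    usb_bytes = defaultdict(int)
    users_by_ip = defaultdict(set)
    hits = set()
    for e in events:
        if e["action"] == "logon":
            hosts_by_user[e["user"]].add(e["target"])
            users_by_ip[e["src_ip"]].add(e["user"])
            # 1. after-hours access by a contractor
            if e["role"] == "contractor" and e["ts"].hour not in BUSINESS_HOURS:
                hits.add(("after_hours_contractor_access", e["user"]))
            # 4. admin account used somewhere outside its baseline
            if e["role"] == "admin" and e["target"] not in ADMIN_BASELINE_HOSTS.get(e["user"], set()):
                hits.add(("abnormal_admin_activity", e["user"]))
        elif e["action"] == "usb_copy":
            usb_bytes[e["user"]] += e["bytes"]
    # 2. one account reaching many distinct hosts
    for user, hosts in hosts_by_user.items():
        if len(hosts) >= LATERAL_HOST_THRESHOLD:
            hits.add(("lateral_movement", user))
    # 3. large volume written to removable media
    for user, total in usb_bytes.items():
        if total >= USB_BYTES_THRESHOLD:
            hits.add(("huge_usb_transfer", user))
    # 5. many peer accounts all used from one source IP
    for ip, users in users_by_ip.items():
        if len(users) >= PEER_ACCOUNT_THRESHOLD:
            hits.add(("many_accounts_one_ip", ip))
    return sorted(hits)


def subjects_with_multiple_indicators(hits, minimum=2):
    """Context step: subjects (users or IPs) that raised at least `minimum` indicators."""
    counts = defaultdict(int)
    for _indicator, subject in hits:
        counts[subject] += 1
    return sorted(s for s, n in counts.items() if n >= minimum)


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for indicator, subject in found:
        print(f"{indicator:30s} {subject}")
    print("escalate:", subjects_with_multiple_indicators(found))
```

Each rule on its own is noisy (a backup service account legitimately logs on to many hosts, which is why the admin rule compares against a per-account baseline rather than a raw count); `subjects_with_multiple_indicators` is the "context" layer that turns separate signals into one escalation.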

Page 17

INSIDER THREAT ARCHITECTURE

(Diagram: collection from on-network users and, via the Internet, off-network users covers these channels – Application General; Application (AIM, ICQ, Yahoo, Sametime); Clipboard; Email; File; Keyboard; Logon; Printer; Process; System Info; Video; Web; Web URL; Webmail (Gmail, Yahoo, Outlook). Events & collected data flow to the Insider Threat Analyst Dashboard, which applies Policies.)

Page 18

INSIDER THREAT – INCIDENT CAPTURE

Page 19

• Ransomware
• Insider Threat
• Data Theft
• NGFW

Page 20

DATA LEAKS – REALITY

Page 21

CHANNEL DETECTION AND RESPONSE

Network DLP
  Channel               Response options
  Web                   Audit*, Block, Alert, Notify
  Email                 Audit, Block, Quarantine, Encrypt**, Alert, Notify
  FTP                   Audit*, Block, Alert, Notify
  Network Printer       Audit, Block, Alert, Notify
  Active Sync           Audit, Block, Alert, Notify
  IM & Custom Channels  Audit, Block, Alert, Notify

Endpoint DLP
  Channel               Response options
  Removable Media       Permit, Confirm, Block, Encrypt to USB, Alert, Notify
  Applications          Permit, Confirm, Block, Email Quarantine, Alert, Notify
  Storage               Alert/Log, Scripts (Encrypt, Tombstone, Quarantine, EDRM)

Page 22

• Ransomware
• Insider Threat
• Data Theft
• NGFW

Page 23

NETWORK OPERATIONS - AVAILABILITY & SCALABILITY

Native active-active clustering

A single cluster can support:
• Different firmware versions
• Different appliance models and software on COTS hardware
• Up to 16 active-active nodes per cluster, only with Stonesoft

Operational benefits:
• Seamless updates with no scheduled downtime
• Fully transparent failover practically eliminates unscheduled downtime
• 99.999% uptime

(Diagram: a Stonesoft Next Generation Firewall cluster receiving updates, with Node 1: NGF-3206, Node 2: NGF-1402, Node 3: Software, Node 4: NGF-325 and Node 5: Software running firmware versions v5.6, v5.7 and v5.8 side by side.)

Page 24

NETWORK OPERATIONS - AVAILABILITY & SCALABILITY

Network resiliency and cost savings

Multi-Link – Business Continuity
• Transparent failover
• Load-balancing or back-up links
• Security

Augmented VPN – Flexibility
• Supports multiple access technologies
• QoS support
• Optimize bandwidth usage

Alternative to MPLS – Cost Savings
• Provider and technology independent
• Add bandwidth easily
• Up to 90% savings on MPLS costs

(Diagram: two sites joined by a Multi-Link IPsec VPN across ISP 1, ISP 2 … ISP N over Cable, 3/4G, DSL 1, DSL 2 and MPLS links, with critical traffic and regular traffic & back-up links spread across them.)

Page 25

CENTRALIZED MANAGEMENT

Page 26

NETWORK OPERATIONS - CENTRALIZED MANAGEMENT

Stonesoft Management Center: manages, updates & upgrades the Stonesoft Next Generation Firewalls at remote sites (New York, Paris, London, Tokyo, San Francisco, Sao Paulo).

Plug-and-play deployment for fast and easy remote site rollouts:
• Initial configuration uploaded to the Stonesoft Installation Cloud
• Initial configuration pushed from the cloud
• New firewall calls home and downloads policies
• Cut deployment time from days or weeks to minutes

Page 27

SECURITY OPERATIONS - ADVANCED EVASION PREVENTION

Discover and block advanced evasion techniques (AETs)

What is an AET? AETs deliver threats piecemeal across different or unexpected network layers or protocols for future reassembly.

Why are AETs successful? Other vendors use narrow or vertical traffic inspection windows to improve performance, allowing threats to remain hidden.

How to block AETs? Only full-stack normalization enables accurate continuous traffic inspection.

(Diagram: partial inspection + hidden threats, contrasted with the Stonesoft Next Generation Firewall's complete visibility for accurate continuous inspection of the packet flow across OSI layers L1–L7.)
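To make the "full-stack normalization" point concrete, here is an added example (not Forcepoint or Stonesoft code; the signature, the HTTP request and the TCP segments are all constructed) comparing three inspection strategies over the same out-of-order stream: scanning each segment in isolation, scanning the reassembled byte stream without decoding, and scanning after layer-4 reassembly plus layer-7 percent-decoding. Only the last one sees the pattern, which is exactly the "narrow inspection window" failure the slide describes.

```python
"""Added example (not from the slide deck): why an inspection engine needs
layer-4 reassembly *and* layer-7 normalization before matching a signature.
The signature, the request and the segments are constructed sample data."""
from dataclasses import dataclass
from urllib.parse import unquote

# Hypothetical signature the inspection engine looks for in HTTP request paths.
SIGNATURE = b"/admin/backup.zip"


@dataclass
class Segment:
    seq: int        # TCP sequence number relative to the start of the stream
    payload: bytes


def scan_per_segment(segments, signature=SIGNATURE):
    """Narrow inspection window: examine each segment's bytes in isolation."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Layer-4 normalization: order by sequence number and join into one byte stream.
    Overlapping retransmissions are resolved 'first copy wins' (a simplification;
    real TCP stacks differ, which is itself a classic evasion surface)."""
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        already_held = len(stream) - seg.seq      # bytes of this segment we already have
        if already_held < 0:
            raise ValueError(f"gap in stream before seq {seg.seq}")
        stream.extend(seg.payload[already_held:])  # empty slice if fully overlapped
    return bytes(stream)


def http_request_path(stream):
    """Layer-7 normalization: extract the request-target from the request line and
    percent-decode it so encoded spellings match the same signature."""
    request_line = stream.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return b""
    return unquote(parts[1].decode("ascii", "replace")).encode()


def scan_reassembled_raw(segments, signature=SIGNATURE):
    """Stream reassembled, but no application-layer decoding."""
    return signature in reassemble(segments)


def scan_full_stack(segments, signature=SIGNATURE):
    """Full-stack normalization: L4 reassembly + L7 decoding, then match."""
    return signature in http_request_path(reassemble(segments))


# Constructed sample: one HTTP request delivered out of order in small pieces,
# with the path percent-encoded so no single segment carries the signature.
REQUEST = b"GET /%61dmin/back%75p.zip HTTP/1.1\r\nHost: files.example\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment(20, REQUEST[20:]),
    Segment(0, REQUEST[:8]),
    Segment(8, REQUEST[8:20]),
    Segment(8, REQUEST[8:14]),   # retransmitted overlap of an earlier piece
]


def compare_inspectors(segments=SAMPLE_SEGMENTS):
    """Run all three strategies over the same segments and report who detected it."""
    return {
        "per_segment": scan_per_segment(segments),
        "reassembled_raw": scan_reassembled_raw(segments),
        "full_stack": scan_full_stack(segments),
    }


if __name__ == "__main__":
    for name, detected in compare_inspectors().items():
        print(f"{name:16s} detected={detected}")
```

The percent-decoding step stands in for the whole family of application-layer normalizations (chunked encoding, compression, case folding) a real engine has to apply before its signatures mean anything; the overlap handling in `reassemble` is where a production engine must additionally mirror the reassembly policy of the protected host, since inspecting a stream differently from the endpoint reintroduces the gap.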

Page 28

WHAT'S IN OUR DNA?

(Diagram of the product portfolio and the heritage brand behind each part: Threat Intelligence – Raytheon / Websense; Mobile Security – Raytheon / Websense; Cloud & On-Premise Services – TRITON; Network Security – Stonesoft; Insider Threat Analysis – Raytheon (SureView); Advanced Threat Protection – Raytheon; Email Security – Websense; Web Security – Websense; Data Loss Prevention – Websense.)

Page 29

THANK-YOU!

Ajay [email protected]