19 September 2014
IDG Säkerhetsdagen, Göteborg 2014
What is needed before sandboxing, and why?
Nils von Greyerz, System Engineer
Fortinet Sweden
Problem #1: The number of threats is growing, Q3 2014 (Q3 2013)
[Chart: spam e-mails intercepted; malware programs neutralized; network intrusion attempts resisted; attempts to access malicious websites blocked; botnet command and control attempts thwarted; website categorization requests]
• 5,700 (2,500) application control rules
• 120 TB (70 TB) of threat samples
• 15.9k (12k) intrusion prevention rules
• 250 million rated websites in 78 categories
• 143 zero-days discovered
• 170 (70) intrusion prevention rules
• 8,000 hours of research in labs around the globe
• 800k (150k) new and updated antivirus definitions
• 66M (65M) new and updated antispam rules
• 2.7M (600k) URL ratings for web filtering
Problem #3: Many existing services for hiding activity
A staggering number of malicious websites and services
• June 2013: South Korea DDoS
» Hacked Korean website (Simdisk)
» TOR C&C Module (Deep Web)
» Nameserver takedown (DDoS)
Problem 4: APT and ATA
What are APTs? ATAs? Defining Advanced Persistent Threats – D.S.I.
DISGUISE
• Advanced threats focus on disguise to slip past security detection
SURVIVABILITY
• Persistent threats aim to survive on systems as long as possible
IMPACT
• Hard drive killers
• Stolen IP, customer data
• Blackmail & ransom
• Critical infrastructure
Detect Disguise, Kill the Chain; Reduce Survivability; Break Impact
2013 Threat Landscape Developments
Q1 2013 (IDC): 79M PC shipments, 216.2M smartphones shipped
Mobile:
• February: Claco Android cross-platform worm
• March: Android.Plankton hits malware top 10
• July: Android.FakeDefender, 1st mobile ransomware
Timeline:
• Jan 10: Java remote code execution, MBean exploit zero-day (CVE-2013-0422)
• Jan 29: 7 UPnP vulnerabilities, remote code execution (CVE-2013-5958:5965)
• Feb 28: NBC.com hacked, MBean exploit, Citadel botnet
• Mar 19: Spamhaus/CloudFlare DDoS, 300 Gbit, DNS amplification
• Mar 20: South Korea HD wiper, wiped Windows & Linux, 50,000+ systems destroyed
• Jun 25: South Korea DDoS, Simdisk hack, government nameservers
• Nov 07: Fokirtor, advanced Linux worm (SSH piggyback)
• Dec 15: Target …
2014 Threat Landscape Developments
Q2 2014 (IDC): 301.3M smartphones shipped, Android 84.7% market share
Mobile:
• February: Drive-by mobile (DriveGenie)
• June: Pletor mobile ransom (doc encryption)
• July: Dorkbot/Ngrbot Kamikaze
Timeline:
• Feb 13: IoT: The Moon worm, Linksys routers
• Apr 07: Heartbleed, vulnerable OpenSSL
• May 26: Apple iCloud ransomware, $100 EUR, Oleg Pliss
• Jun 10: Evernote hack, 164,644 forum members (earlier Evernote hack, 50M users, Mar 2013)
• Jun 23: Havex RAT, OPC server spy
• Aug 05: Cybervor, 1.2B usernames & passwords, 500M emails
• Aug 15: Supervalu data breach, 200 stores affected
Real World “Internet of Things” Vulnerabilities
• SCADA/ICS HMI (Human Machine Interface)
• OPC communication (Havex)
• PLC hardware
• “The Moon Worm”
• This is real: we observe it
• Shodan + vulnerabilities
» 2012: 10,000 public ICS exposed, vulnerable
» 2014: 28,000 NAS drives found
• UPnP, OPC, HNAP … more problems
(2012: Eireann Leverett, Mapped Vulnerabilities to Critical Systems)
Fortinet Advantage: Consolidation
• Simple & cost effective: Fortinet security model
• Complex & costly: typical ad-hoc model
Fortinet Advantage: Application Visibility, Manage Threats and Productivity
[Application control table; columns: Category, Technology, Popularity (★ rating), Risk]
• Categories: Update, IM, Proxy, Network Service, Game, P2P, Video/Audio, Collaboration, Remote Access, Botnet, Social Media, General Internet, Storage Backup, more categories
• Technology: Browser-based, Network Protocol, Client Server, Peer-to-Peer
• Risk: Malware or Botnet, Bandwidth Consuming, None
Consolidated Security: Fortinet Delivers Complete Protection
The Evolution of the Firewall
• Firewall
• VPN
• IPS
• Application Control
• AntiMalware
• Data Loss Prevention
• SSL Inspection
• Endpoint Protection/NAC
• Real-Time Threat Updates
• Wireless Controller/Wireless LAN
• Dynamic Routing
• IPv6 & v4
• ATP & Sandboxing
• VoIP
• Virtual Appliance/Virtual Domains
• BYOD
• Web Filtering
• WAN Optimization / Traffic Shaping
• High Availability (HA)
• Identity Policies
FortiGuard: Research, Updates, Services
FortiGuard Research:
• Rootkits: kernel hooks
• Botnets: dynamic monitoring, spambots, new malware protocols
• Malware: code techniques – PDF/Flash/Doc
• Security: exploits & vulnerabilities, zero-day detection
• Packer research: unpacking, generic detection
FortiGuard Services:
• AV signatures – 4x daily
• IPS signatures – 2x daily
• Antispam/web content filtering – real time
• Sample collection
• Signature creation
• Alerts & escalation
Global Distribution Network:
• Application Control
• Vulnerability Management
• Antispam
• Web Filtering
• Intrusion Prevention
• Antivirus
Fortinet Sandboxing Model – ATP (Advanced Threat Protection): Layered Security
• Firewall
• Application Control
• Webfilter
• Botnet & IP Reputation
• AntiMalware
• Intrusion Prevention
• Data Leak Prevention
• Sandboxing
Real-time updates through FortiGuard
Fortinet in Action: Securing the Clients & Network
Attack chain:
» “Innocent” video link: redirects to malicious website
» “Out of date” Flash player: downloads malware file
» Error message: installs on system and attempts to propagate
Protection at each step:
• Integrated web filtering: blocks access to malicious website
• Network antivirus: blocks download of virus
• Intrusion prevention: blocks the spread of the worm
• Authentication & encryption
FortiGate Differentiators
One-Stop Shop
• Everything developed in-house
Hardware Acceleration
• Real-time security features
• Custom-built ASICs
Per-Box Licensing
• No user restrictions
• No IP restrictions
• No additional costs for HA etc.
FortiGuard Services
• Developed, maintained and updated by Fortinet
Same Functions in All Sizes
• Same FortiOS
Worldwide Deployments
• EMEA and US are similar in revenue
• and then SEA
Third-Party Certifications