
Page 1

Malware vs web protection (original title: Malware vs ochrona www)

Warsaw, 21 June 2017

Sebastian Nowicki

Page 2

Secure Web Gateway

LIST (WEB)

Page 3

Copyright © 2016 Symantec Corporation

Proxy-based Secure Web Gateway

NEED: "I need a point of control over web and cloud access while satisfying the policy and governance requirements from SecOps and Info Risk / Compliance."

CHALLENGES: We need to connect to the web, but we need a fairly advanced set of policy controls and intelligence to do that safely.

PRODUCT: SWG (ProxySG, SWG, ASG, Web Security Service)

CAPABILITIES: Terminate, emulate, decrypt, enforce policy, inspect content, orchestrate files

Page 4

Blue Coat Proxy-based Secure Web Gateway (SWG): Critical Network Control Point for Security and Compliance

• Appliance (ProxySG)

• Virtual Appliance (vSWG)

• Web Security Service (WSS)

Powerful, open policy platform: in cloud, on premises, virtual, AWS

Web access governance & threat protection, with Blue Coat Intelligence Services (BCIS) or Blue Coat Web Filter (BCWF) subscriptions

File extraction & orchestration services (ATP, DLP)

(Figure: on-premises proxy with BCIS alongside the cloud-delivered Web Security Service proxy.)

Page 5

Proxy All Endpoints: Architecture for Content Extraction and Device Emulation

1. Authenticate Users: integrate identity management. Authentication realms shown: Windows SSO, RADIUS, IWA, SAML, LDAP, Kerberos, AD, Novell SSO, Oracle CoreID, CA SiteMinder, certificate realm, local realm.

2. Terminate & Emulate: secure all endpoint types.

3. Decrypt Selectively: privacy compliance. Policy selects what to decrypt: high-risk, suspicious and unsanctioned destinations are decrypted; low-risk, healthcare and sanctioned destinations bypass decryption.

4. Extract Content: enable ATP, DLP and forensics. Files (e.g. .EXE) are handed off over ICAP / secure ICAP; streams pass through the stream proxy.

Page 6

Secure web gateway: data & workflow

(Figure: a user request enters the ProxySG / SWG core (SSL interception, authentication, DB, Reporter), which consults the Global Intelligence Network, hands content over ICAP to the Content Analysis System, Malware Analysis and DLP, feeds the Security Analytics Platform over E-Tap, and forwards allowed traffic to the Internet.)

Last Updated: 20.12.2013

Page 7

Secure web gateway: functions

Connectivity: proxy forwarding, either transparent (inline, WCCP, load-balanced) or explicit proxy (PAC / WPAD)

Platform: cloud, virtual appliance, appliance, hybrid

Policy / enablement: SSL inspection, authentication, authorization, logging, categorization, anti-malware, app & operation controls, DLP, IDS, white & blacklisting, sandboxing, geo location; local or central

Services: Global Intelligence Network, object caching, Security Analytics Platform, ICAP & E-Tap integration

Management: reporting (on-premise, cloud or unified), unified policy, monitoring

Page 8

Secure web gateway: topology

(Figure: users behind a switch reach the Internet through a ProxySG forward proxy placed between two firewalls; the proxy talks to the user directory, Content Analysis, Malware Analysis and the Global Intelligence Network and is run by an admin through central management. A ProxySG reverse proxy fronts published servers. A remote office goes direct to the Net through the cloud security service, an MPLS-connected office has its own ProxySG, and remote users also go through the cloud security service.)

Page 9

Prevent Threats & Orchestrate Content: Proxy Architecture Compared to Next Gen Firewall

Next Gen Firewall with sandbox: malicious payload delivered to end user.

Proxy with sandbox: malicious payload detected by content analysis, blocked from delivery.

Page 10

Use Proxy to Build a Better Sandbox: Improve detection, reduce sandbox capacity requirements

Leverage the proxy to feed the sandbox

• Decrypt SSL, send documents to CAS over ICAP

• Block web-based threats and C&C traffic

• High availability, inline, active blocking

• Enables centralized sandboxing

Pre-filter the sandbox with content analysis

• Analyzes content before delivery to the sandbox via SSL tunnel (ICAP also available)

• Applies multiple AV engines and a white list

• File code analysis with machine learning finds 0-day threats

(Figure: ProxySG forwards files such as .JAR and .EXE to Content Analysis, which brokers them to the sandbox.)

Page 11

Content Analysis (CAS)

Multiple Engines Identify & Prevent Entry of Basic & Advanced Malware

Hash Reputation: passes acceptable files to the user (custom user white/black list, file reputation)

Dual AV: signatures evaluated for known bad

Predictive File Analysis: analyzes code for malicious character

Broker to Sandbox: over ICAP or API

(Figure: .JAR and .EXE files arrive from the proxy and pass through the engines in that order.)
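The ICAP hand-off that slides 5, 10 and 11 describe (the proxy extracts a file, content analysis returns a verdict before anything reaches the user) as an added example, not code from this deck or from any Symantec/Blue Coat product: a minimal RFC 3507 RESPMOD exchange in Python with both the proxy side and a stand-in scanner side. The service URL cas.example.internal, the ISTag, the hash allow-list, the sample headers and the rule "PE header means hold for the sandbox" are assumptions chosen to walk through the engine chain (hash reputation, signature, file analysis); the stand-in blocks what a real CAS would broker to the sandbox.

```python
"""ICAP (RFC 3507) RESPMOD exchange between a web proxy and a content analysis
server. The proxy wraps the origin server's response; the scanner answers
204 (deliver unchanged) or 200 with a replacement response (block page)."""
import hashlib

CRLF = b"\r\n"
# Service URL, ISTag and allow-list are illustrative assumptions, not product values.
CAS_SERVICE = "icap://cas.example.internal:1344/respmod"
ISTAG = b'ISTag: "cas-example-1"'
# EICAR anti-virus test string: inert by design, detected by every AV engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_GOOD = {hashlib.sha256(b"%PDF-1.7 quarterly report").hexdigest()}  # constructed allow-list
# Constructed sample headers for a file download passing through the proxy.
SAMPLE_REQ_HDR = b"GET /downloads/setup.exe HTTP/1.1\r\nHost: files.example.com\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"


def chunked(body: bytes) -> bytes:
    """HTTP chunked encoding, which ICAP mandates for encapsulated bodies."""
    data = b"%x" % len(body) + CRLF + body + CRLF if body else b""
    return data + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    """Decode chunked data up to the zero-length chunk (no trailers expected)."""
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def build_respmod(req_hdr: bytes, res_hdr: bytes, body: bytes, service: str = CAS_SERVICE) -> bytes:
    """Proxy side. Encapsulated offsets count bytes from the start of the
    encapsulated section, so each header block must keep its blank line."""
    host = service.split("//", 1)[1].split("/", 1)[0].split(":")[0]
    offsets = b"req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    head = (b"RESPMOD " + service.encode() + b" ICAP/1.0" + CRLF
            + b"Host: " + host.encode() + CRLF
            + b"Allow: 204" + CRLF          # we accept "unmodified" without a body echo
            + b"Encapsulated: " + offsets + CRLF + CRLF)
    return head + req_hdr + res_hdr + chunked(body)


def parse_icap(message: bytes):
    """Split an ICAP message into (start line, headers, encapsulated sections).
    Header sections come back verbatim; a body section is de-chunked."""
    head, _, payload = message.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    entries = []
    for item in headers.get(b"encapsulated", b"").split(b","):
        name, _, offset = item.strip().partition(b"=")
        if name:
            entries.append((name.decode(), int(offset)))
    sections = {}
    for i, (name, offset) in enumerate(entries):
        if name.endswith("-hdr"):
            sections[name] = payload[offset:entries[i + 1][1]]
        elif name in ("req-body", "res-body"):
            sections[name] = dechunk(payload[offset:])
    return lines[0], headers, sections


def cas_respond(request: bytes) -> bytes:
    """Scanner side: hash allow-list first, then signature match, then a stand-in
    for file analysis (PE header => would be brokered to the sandbox; held here)."""
    _, _, sections = parse_icap(request)
    body = sections.get("res-body", b"")
    if hashlib.sha256(body).hexdigest() in KNOWN_GOOD:
        verdict = None                  # known good: skip the remaining engines
    elif EICAR in body:
        verdict = "signature"
    elif body[:2] == b"MZ":
        verdict = "sandbox"             # assumption: executables are held for detonation
    else:
        verdict = None
    if verdict is None:
        return (b"ICAP/1.0 204 No Content" + CRLF + ISTAG + CRLF
                + b"Encapsulated: null-body=0" + CRLF + CRLF)
    page = b"Download blocked by content analysis: " + verdict.encode() + CRLF
    res_hdr = (b"HTTP/1.1 403 Forbidden" + CRLF + b"Content-Type: text/plain" + CRLF
               + b"Content-Length: %d" % len(page) + CRLF + CRLF)
    head = (b"ICAP/1.0 200 OK" + CRLF + ISTAG + CRLF
            + b"X-Virus-ID: " + verdict.encode() + CRLF    # widely used extension header
            + b"Encapsulated: res-hdr=0, res-body=%d" % len(res_hdr) + CRLF + CRLF)
    return head + res_hdr + chunked(page)


def proxy_deliver(req_hdr: bytes, res_hdr: bytes, body: bytes):
    """Run the full exchange; return (ICAP status, body the user actually receives)."""
    reply = cas_respond(build_respmod(req_hdr, res_hdr, body))
    status, _, sections = parse_icap(reply)
    code = int(status.split()[1])
    return code, (body if code == 204 else sections["res-body"])


if __name__ == "__main__":
    for sample in (b"%PDF-1.7 quarterly report", EICAR, b"MZ\x90\x00\x03"):
        print(proxy_deliver(SAMPLE_REQ_HDR, SAMPLE_RES_HDR, sample))
```

The point a practitioner should take from the exchange is that the verdict is applied before delivery: on a 204 the proxy releases the bytes it already holds, on a 200 it releases only the replacement response, so the user never sees the original file. Real deployments add a preview (Preview header) so the scanner can answer 204 after the first few kilobytes, and an OPTIONS exchange to learn the scanner's ISTag; both are omitted here.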

Page 12

Content Inspection & Orchestration: Drastically Reduced Incident Response Queue (Customer Results)

Web threats: 63M web requests, filtered by URL category & risk score

Files: 12M files scanned by white list (hash reputation), dual AV (malware signatures) and file analysis (malicious character)

Behavioral analysis: 18K files "detonated" (emulation) in the sandbox

Incident response: 3 alerts needing response

Page 13

CAS Enables Better Sandbox Architecture: Increases Protection, Decreases Alarms

Sandbox alone: 24.22% detected, 1099 alarms

Content Analysis + sandbox: 96.96% detected, 4599 files blocked (logged, not alarmed)

• 4x better detection

• Prevent delivery, dramatically reduce IR queues

• Reduce sandbox capacity requirements by 75%

Page 14

Dramatically Reduce Costs (Content Analysis)

50% reduced sandbox cost

• Reduce sandbox capacity by 75%

• Dramatically fewer samples to process

• Centralized architecture "pools" the sandbox

• Lower capital acquisition costs

90% savings on incident response costs

• 90%+ reduction in alerts

• More efficient use of staff time

Page 15

Take Branches "Direct to Net"

NEED: We need to rearchitect our backhauled WAN so that remote sites have safe, direct internet access.

CHALLENGES: Backhauled WAN architectures increase costs and decrease performance for cloud apps.

PRODUCT: Web Security Service (WSS)

CAPABILITIES: Cloud-delivered proxy protection for any device, including authentication, access control and logging, and threat protection.

Page 16

Backhaul Network Architecture: Branch Connects to Internet Via Main Data Center

(Figure: branch office traffic to the consumer internet and to shadow cloud IT is backhauled through the main data center.)

• Congested: recreational traffic mixes with critical enterprise apps

• Expensive: MPLS links, pay for bandwidth multiple times

• Poor cloud app performance: multiple hops, congested

Page 17

Take Remote Sites Safely "Direct to Net": Symantec Web Security Service

(Figure: the branch reaches the consumer internet and shadow cloud IT through the cloud-delivered proxy.)

Better performance for cloud apps: fewer hops for app access, less congested links

Lower network service costs: lower-cost internet services, unburden MPLS links

Cloud-delivered threat protection & governance: same advanced technology, universal policy and reporting

Page 18

Web Security Service with Malware Analysis Service Add-On

Web Security Service (WSS)

• ProxySG Secure Web Gateway

• Dual Anti-Virus Scanning

• Global Intelligence Network

• URL Filtering and Categorization

• Comprehensive Reporting

• SSL Interception / Policy-Based Decryption

• CASB Audit Integration

Malware Analysis Service (MAS)

• Static Code Analysis

• YARA Rules Analysis

• Behavioral Analysis

• Emulation of Windows Processes

• Inline, Real-Time Blocking

• File and URL Reputation

MAS prevents first-client infection from unknown malware


Page 19

Copyright © Clearswift 2017 www.clearswift.com

Adaptive Web Security

SECURE Web Gateway / SECURE ICAP Gateway

Gateway 4.6.1

Page 20

Delivery Methods and Evasiveness

• Delivery methods are constantly evolving

• Ransomware is designed to bypass traditional anti-virus and sandboxing technologies

(Figure: weaponized emails, spoofed websites & drive-by downloads, and malicious cloud files deliver the ransomware payload (malicious scripts, macros, PowerShell) with evasion techniques.)

Page 21

Clearswift Adaptive Web Security Family

• SECURE Web Gateway

– Full proxy solution

– HTTPS inspection

– Adaptive Redaction

– Mobile / remote users

• SECURE ICAP Gateway

– Integrates with third parties through ICAP

– Adaptive Redaction and antivirus options

Page 22

Clearswift SECURE ICAP Gateway

• The SECURE ICAP Gateway complements third-party proxy solutions: it controls web traffic to enforce the corporate security policy without impacting business processes.

• Provides protection for corporate browsing traffic as well as for corporate web servers.

(Figure: internal users browsing external web servers and external users reaching corporate web servers both pass over ICAP through the SECURE ICAP Gateway.)

Page 23

Clearswift SECURE Web Gateway

Content-aware policy controls: file signature, filename, lexical analysis, pattern match, encrypted data, granular policies

Deep content inspection: Adaptive Redaction, document sanitization, HTTPS inspection, file type controls, keyword search, PCI/PII templates, headers, footers and properties

Advanced threat prevention: dual anti-virus engine, APT & zero-day protection, structural sanitisation, active content stripping, accurate malware and phishing URL database, over 100 URL categories using machine-learning categorization

Compliance regulations: GDPR, IBAN, HIPAA, credit card, National Insurance number, Social Security number, custom regulations

Page 24

Modifying Content to Reduce Disruption to Business: Adaptive Data Loss Prevention

Data Redaction: overwrites critical information (e.g. "CONFIDENTIAL" becomes "*********") to prevent a breach; the communication is not blocked.

Document Sanitization: strips out hidden information (e.g. change tracking, properties, comments and other metadata).

Structural Sanitization: removes active content (e.g. scripts, code); the information is left intact in the original file format.

Encryption: secures data in transit.

Automated to avoid delays and mistakes.
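Data Redaction as described above (overwrite the sensitive value, let the communication through) as an added example, not Clearswift's code: a Python redactor for two of the compliance templates listed on the next slide, payment card numbers and IBANs. A regex hit is redacted only when its checksum verifies (Luhn for cards, ISO 13616 mod-97 for IBANs), which is what keeps order numbers and phone numbers out of the findings. The input text, the masking policy (keep the last four characters) and the two regexes are assumptions.

```python
"""Adaptive redaction: pattern-match PCI/PII values in web content, confirm each
hit with its checksum, and overwrite the sensitive part so the communication
goes through instead of being blocked."""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digit PANs, spaced or dashed
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7} ?[A-Z0-9]{1,4}\b")
# Constructed input: one valid card, one that fails Luhn, one valid IBAN, one order number.
SAMPLE = ("Card 4111 1111 1111 1111 exp 12/27, ref 4111-1111-1111-1112, "
          "IBAN GB82 WEST 1234 5698 7654 32, order 1234567890123.")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move country code and check digits to the end,
    map letters to 10..35, and the resulting integer must leave remainder 1."""
    compact = iban.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34:
        return False
    numeric = "".join(str(int(c, 36)) for c in compact[4:] + compact[:4])
    return int(numeric) % 97 == 1


def mask(value: str, keep: int = 4) -> str:
    """Overwrite everything but the last `keep` characters (assumed policy)."""
    compact = re.sub(r"[ -]", "", value)
    return "*" * (len(compact) - keep) + compact[-keep:]


def redact(text: str):
    """Return (redacted text, findings). A regex hit that fails its checksum is
    left untouched, so the business message is not disrupted by false positives."""
    findings = []

    def card_sub(match):
        value = match.group()
        if not luhn_ok(re.sub(r"[ -]", "", value)):
            return value
        findings.append(("card", mask(value)))
        return mask(value)

    def iban_sub(match):
        value = match.group()
        if not iban_ok(value):
            return value
        findings.append(("iban", mask(value)))
        return mask(value)

    text = IBAN_RE.sub(iban_sub, text)   # IBANs first, so their digit runs are not re-tested as cards
    text = CARD_RE.sub(card_sub, text)
    return text, findings


if __name__ == "__main__":
    redacted, found = redact(SAMPLE)
    print(redacted)
    print(found)
```

The order of the two passes matters: an IBAN contains a run of digits long enough to match the card pattern, and roughly one such run in ten would pass Luhn by chance, so IBANs are masked before the card pass sees the text. The findings list is what a gateway would log or surface to the compliance team while the redacted request is forwarded.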

Page 25

Structural Sanitization: formats and exploitable items

(y = the format can embed this type of active content; n/a = not applicable to the format)

Format              VBA Macro   Javascript   Vbscript   ActiveX   OO Basic   Python   Beanshell
DocX                y           n/a          y          y         n/a        n/a      n/a
PptX                y           n/a          y          y         n/a        n/a      n/a
XlsX                y           n/a          y          y         n/a        n/a      n/a
HTML                n/a         y            n/a        y         n/a        n/a      n/a
RTF-encoded HTML    n/a         y            n/a        y         n/a        n/a      n/a
PDF                 n/a         y            n/a        n/a       n/a        n/a      n/a
RTF                 n/a         n/a          n/a        y         n/a        n/a      n/a
Calc                n/a         y            n/a        n/a       y          y        y
Draw                n/a         y            n/a        n/a       y          y        y
Impress             n/a         y            n/a        n/a       y          y        y
Writer              n/a         y            n/a        n/a       y          y        y
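How the first three rows of the table (VBA macros in DocX / PptX / XlsX) can be sanitised structurally, as an added example and not Clearswift's implementation: a Python routine that treats the file as the zip package it is, drops the VBA parts, removes the relationships and content-type entries that referenced them, and downgrades the main part from the macro-enabled to the macro-free content type, so the document text is left intact in its original format. The sample package is constructed inline and is not a real Office file; the part names, relationship type and content types follow the OOXML conventions. A real gateway would also descend into embedded objects (OLE packages, nested documents), which this routine does not.

```python
"""Structural sanitisation of an OOXML package (DocX/XlsX/PptX): remove the VBA
project and every reference to it, leaving the document content intact."""
import io
import re
import zipfile

# Macro-enabled main-part content types and their macro-free equivalents.
MACRO_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}
ACTIVE_PART_SUFFIXES = ("vbaproject.bin", "vbadata.xml")   # parts that carry VBA
# Relationship elements pointing at VBA parts (self-closing form, as Office writes them).
VBA_REL_RE = re.compile(r'<Relationship\b[^>]*Type="[^"]*(?:vbaProject|VbaData)"[^>]*/>')


def package_parts(data: bytes) -> dict:
    """Return {part name: bytes} for an OOXML package, in archive order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def has_active_content(data: bytes) -> bool:
    return any(n.lower().endswith(ACTIVE_PART_SUFFIXES) for n in package_parts(data))


def sanitize_ooxml(data: bytes):
    """Rebuild the package without VBA parts, drop their relationships and
    content-type overrides, and downgrade the main part to the macro-free type.
    Returns (sanitised package, list of removed part names)."""
    parts = package_parts(data)
    removed = [n for n in parts if n.lower().endswith(ACTIVE_PART_SUFFIXES)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, content in parts.items():
            if name in removed:
                continue
            if name == "[Content_Types].xml":
                text = content.decode("utf-8")
                for part in removed:
                    text = re.sub(r'<Override\b[^>]*PartName="/%s"[^>]*/>' % re.escape(part), "", text)
                for macro_type, plain_type in MACRO_MAIN_TYPES.items():
                    text = text.replace(macro_type, plain_type)
                content = text.encode("utf-8")
            elif name.endswith(".rels"):
                content = VBA_REL_RE.sub("", content.decode("utf-8")).encode("utf-8")
            dst.writestr(name, content)
    return out.getvalue(), removed


def build_sample_docm() -> bytes:
    """Constructed stand-in for a macro-enabled Word file: the minimal package
    layout that carries a VBA project. Not a real Office document or malware."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '</Types>')
    root_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    doc_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '</Relationships>')
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/document.xml", document)
        # Placeholder bytes in place of a real OLE2 VBA container (constructed, inert).
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1Sub AutoOpen()\x00")
    return buf.getvalue()


if __name__ == "__main__":
    clean, removed = sanitize_ooxml(build_sample_docm())
    print("removed:", removed, "still active:", has_active_content(clean))
```

Deleting the part alone is not enough: a dangling relationship or content-type override makes Office report the file as corrupt, and leaving the main part typed as macroEnabled keeps the file looking like a .docm to downstream filters. Removing all three, as the routine does, is what lets the sanitised document open normally while the macro is gone.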

Page 26

Thank you (Dziękuję)