Copyright © 2016 Forcepoint. All rights reserved.
Advanced cyber security strategy for insider threat and ransomware
Agenda: Ransomware, Insider Threat, Data Theft, NGFW
CYBER THREAT LANDSCAPE IS CHANGING
Are we secure from today's cyber attacks? Or can you move without fear?
• Ransomware
• Insider threat
• Data theft
Ransomware: a new way of doing damage
WHAT IS RANSOMWARE?
Ransomware is malware for data kidnapping: an attack in which the attacker encrypts the victim's data and demands payment for the decryption key.
Experts have estimated that the total amount paid to ransomware authors could be as much as $325 million (USD) for some variants of ransomware.
RANSOMWARE – HOW DOES IT WORK?
Ransomware spreads through e-mail attachments, infected programs and compromised websites. A ransomware program may also be called a cryptovirus, cryptotrojan or cryptoworm, depending on how it propagates.
A CLOSER LOOK AT CERBER
Once infected, the victim's data files are encrypted with AES and the victim is told to pay a ransom of 1.24 bitcoins (about 500 USD at the time) to get the files back.
UNDERSTANDING THE 7 STAGES IS A MUST
THE CORE TECHNOLOGY: ACE
RANSOMWARE – HOW DO I PREVENT IT?
1. Internal security program
2. Continuous security awareness
3. Enforce a backup program
4. Remove admin rights where possible
5. Institute a privilege management program
6. Implement controls at network egress points
   • Rules to block command-and-control (CnC) traffic
   • Email security gateway to block spam, phishing and malicious attachments
   • Web security gateways to block unknown/uncategorized destinations
7. Implement endpoint controls
   • Keep antivirus current
   • Deploy an endpoint tool to block bad applications
Worldwide Sales Conference 2016, Proprietary & Confidential
How to address insider threat?
Visibility + Context
(Photo: Jeramey Jannene)
INSIDER CYBER THREAT INDICATORS
• Abnormal after-hours access by a contractor in Hawaii
• Unusual lateral movement on the network
• Huge transfers of data to USB
• Abnormal administrator account activity
• Abnormal account usage across 20-25 peer accounts, all linked to the attacker's IP address
Ah, Mr. Snowden.
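The indicators above are only useful if something actually computes them from collected events. The script below is an added example, not Forcepoint product code, that runs each indicator over a constructed set of logon and file-transfer events. The event format, the business-hours window (08:00-17:59), the USB byte threshold, the lateral-movement host threshold and the admin source-IP baseline are all assumptions for the demo; the 20-account threshold for "many peer accounts from one IP" follows the 20-25 figure on the slide.

```python
"""Toy insider-threat indicator checks over constructed endpoint/logon events.

Added example, not Forcepoint product code. Event format, thresholds and the
business-hours window (08:00-17:59 local) are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)        # assumed: 08:00-17:59 counts as working hours
USB_BYTES_THRESHOLD = 1 * 1024**3    # assumed: >1 GiB to removable media per user
PEER_ACCOUNT_THRESHOLD = 20          # slide: 20-25 peer accounts from one IP
LATERAL_HOST_THRESHOLD = 5           # assumed: logons to >=5 distinct hosts


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample events (not real data). Each event: who, role, when,
# source IP, target host, action and bytes moved (0 when not a transfer).
EVENTS = [
    {"user": "j.contractor", "role": "contractor", "time": ts("2016-05-02 02:14"),
     "ip": "10.9.1.23", "host": "hr-share", "action": "logon", "bytes": 0},
    {"user": "a.analyst", "role": "employee", "time": ts("2016-05-02 10:05"),
     "ip": "10.9.1.40", "host": "wks-040", "action": "usb_write", "bytes": 3 * 1024**3},
    {"user": "svc_admin", "role": "admin", "time": ts("2016-05-02 11:30"),
     "ip": "10.9.1.40", "host": "dc01", "action": "logon", "bytes": 0},
]
# Lateral movement: one employee logging on to many different servers.
EVENTS += [{"user": "b.ops", "role": "employee", "time": ts("2016-05-02 12:%02d" % i),
            "ip": "10.9.1.55", "host": "srv-%02d" % i, "action": "logon", "bytes": 0}
           for i in range(6)]
# Many distinct accounts authenticating from the same source IP.
EVENTS += [{"user": "peer%02d" % i, "role": "employee", "time": ts("2016-05-02 13:%02d" % i),
            "ip": "10.9.1.40", "host": "mail01", "action": "logon", "bytes": 0}
           for i in range(22)]

# Assumed baseline: admin accounts are expected only from these source IPs.
ADMIN_ALLOWED_IPS = {"svc_admin": {"10.9.1.10"}}


def after_hours_contractor(events):
    """Indicator: contractor activity outside business hours."""
    return sorted({e["user"] for e in events
                   if e["role"] == "contractor" and e["time"].hour not in BUSINESS_HOURS})


def large_usb_transfers(events, threshold=USB_BYTES_THRESHOLD):
    """Indicator: total bytes written to removable media per user over threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "usb_write":
            totals[e["user"]] += e["bytes"]
    return {u: b for u, b in totals.items() if b > threshold}


def abnormal_admin_activity(events, allowed=ADMIN_ALLOWED_IPS):
    """Indicator: admin account used from a source IP outside its baseline."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["role"] == "admin" and e["ip"] not in allowed.get(e["user"], set())})


def lateral_movement(events, threshold=LATERAL_HOST_THRESHOLD):
    """Indicator: one account logging on to many distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["action"] == "logon":
            hosts[e["user"]].add(e["host"])
    return {u: len(h) for u, h in hosts.items() if len(h) >= threshold}


def shared_source_ip(events, threshold=PEER_ACCOUNT_THRESHOLD):
    """Indicator: many peer accounts authenticating from a single IP."""
    accounts = defaultdict(set)
    for e in events:
        if e["action"] == "logon":
            accounts[e["ip"]].add(e["user"])
    return {ip: len(a) for ip, a in accounts.items() if len(a) >= threshold}


def run_indicators(events=EVENTS):
    """Run every indicator and return the hits keyed by indicator name."""
    return {
        "after_hours_contractor": after_hours_contractor(events),
        "large_usb_transfers": large_usb_transfers(events),
        "abnormal_admin_activity": abnormal_admin_activity(events),
        "lateral_movement": lateral_movement(events),
        "shared_source_ip": shared_source_ip(events),
    }


if __name__ == "__main__":
    for name, hits in run_indicators().items():
        print(f"{name}: {hits}")
```

Each indicator on its own produces false positives (an on-call contractor, a backup to USB, a shared jump host); the "visibility + context" point on the previous slide is that you correlate them per user and per source IP before treating a hit as an incident. Note that the admin check needs a baseline that is maintained, otherwise every new admin workstation fires.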
INSIDER THREAT ARCHITECTURE
(Architecture diagram) On-network users and off-network users (connecting over the Internet) feed events and collected data to the Insider Threat analyst dashboard, governed by policies.
Collected channels: Application (general); Application (AIM, ICQ, Yahoo, Sametime); Clipboard; Email; File; Keyboard; Logon; Printer; Process; System Info; Video; Web; Web URL; Webmail (Gmail, Yahoo, Outlook).
INSIDER THREAT – INCIDENT CAPTURE
DATA LEAKS – REALITY
CHANNEL DETECTION AND RESPONSE
Available response actions per channel (the * and ** footnotes are not defined on the extracted slide):

Network DLP
  Web:                  Audit*, Block, Alert, Notify
  Email (channel label missing from the extracted slide; inferred from the Quarantine and Encrypt actions):
                        Audit, Block, Quarantine, Encrypt**, Alert, Notify
  FTP:                  Audit*, Block, Alert, Notify
  Network Printer:      Audit, Block, Alert, Notify
  ActiveSync:           Audit, Block, Alert, Notify
  IM & Custom Channels: Audit, Block, Alert, Notify

Endpoint DLP
  Removable Media:      Permit, Confirm, Block, Encrypt to USB, Alert, Notify
  Applications:         Permit, Confirm, Block, Email Quarantine, Alert, Notify
  Storage:              Alert/Log, Scripts (Encrypt, Tombstone, Quarantine, EDRM)
NETWORK OPERATIONS - AVAILABILITY & SCALABILITY
Native active-active clustering (Stonesoft Next Generation Firewall cluster)
(Diagram) A single cluster running mixed nodes during an update: Node 1: NGF-3206, Node 2: NGF-1402, Node 3: software, Node 4: NGF-325, Node 5: software, on firmware v5.6, v5.7 and v5.8.
A single cluster can support:
• Different firmware versions
• Different appliance models, and software on COTS hardware
• Up to 16 nodes in an active-active cluster (only with Stonesoft)
Operational benefits:
• Seamless updates with no scheduled downtime
• Fully transparent failover practically eliminates unscheduled downtime
• 99.999% uptime
NETWORK OPERATIONS - AVAILABILITY & SCALABILITY
Network resiliency and cost savings
Multi-Link (Business Continuity)
• Transparent failover
• Load-balancing or back-up links
• Security
Augmented VPN (Flexibility)
• Supports multiple access technologies
• QoS support
• Optimizes bandwidth usage
Alternative to MPLS (Cost Savings)
• Provider and technology independent
• Add bandwidth easily
• Up to 90% savings on MPLS costs
(Diagram) A Multi-Link IPsec VPN spans ISP 1, ISP 2 ... ISP N over cable, 3G/4G, DSL 1, DSL 2 and MPLS links; critical traffic rides the preferred links while regular traffic and back-up links use the rest.
NETWORK OPERATIONS - CENTRALIZED MANAGEMENT
Stonesoft Management Center: plug-and-play deployment for fast and easy remote site rollouts.
(Diagram) The initial configuration is uploaded from the Management Center to the Stonesoft Installation Cloud; the new firewall calls home, downloads its policies, and is then managed, updated and upgraded centrally. Cut deployment time from days or weeks to minutes.
Example sites: New York, Paris, London, Tokyo, San Francisco, Sao Paulo.
SECURITY OPERATIONS - ADVANCED EVASION PREVENTION
Discover and block advanced evasion techniques (AETs) with the Stonesoft Next Generation Firewall.
What is an AET? AETs deliver threats piecemeal across different or unexpected network layers or protocols (IP fragmentation, TCP segmentation and overlaps, application-layer encodings, or several of these combined) so that the pieces are only reassembled at the target.
Why are AETs successful? Products that use narrow or vertical traffic inspection windows to improve performance (looking at one packet or one layer at a time) never see the whole payload, so the threat remains hidden. Partial inspection means hidden threats.
How to block AETs? Only full-stack normalization of the packet flow across OSI layers 1 to 7 enables accurate continuous traffic inspection: the stream must be reassembled the way the protected host will reassemble it before any signature or content check runs.
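The claim that per-packet inspection misses a threat split across segments is easy to show in a toy model. The script below is an added example, not Stonesoft or Forcepoint code: it models one TCP connection as (sequence number, payload) tuples, delivers a constructed HTTP request out of order and in small pieces with one overlapping "retransmission", and compares a narrow per-segment signature check with a check run on the normalized (reassembled) stream. The signature string, the traffic and the two overlap policies ("first" received bytes win, or "last" received bytes win) are assumptions for the demo.

```python
"""Added example: why per-packet inspection misses a threat split across
TCP segments, and how stream normalization (reassembly) recovers it.

Toy model, not Stonesoft/Forcepoint code. Segments are (seq, payload) tuples
standing in for TCP segments of one connection; the signature string and
sample traffic are constructed for the demo.
"""

# Assumed "known bad" pattern an IPS would look for in an HTTP request.
SIGNATURE = b"/cgi-bin/evil.sh"

# Constructed attacker traffic: the request is sent as small segments,
# out of order, with one overlapping retransmission carrying junk bytes.
SEGMENTS = [
    (0,  b"GET /cgi-bin"),                         # bytes 0-11
    (20, b" HTTP/1.1\r\nHost: victim\r\n\r\n"),    # arrives before the middle
    (12, b"/evi"),                                 # bytes 12-15
    (16, b"l.sh"),                                 # bytes 16-19
    (12, b"/XXX"),   # overlaps bytes 12-15 with different data (retransmission trick)
]


def inspect_per_segment(segments, signature=SIGNATURE):
    """Narrow inspection window: each segment is checked in isolation."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments, policy="first"):
    """Reassemble a byte stream by sequence number.

    policy="first": bytes already received win on overlap.
    policy="last":  later bytes overwrite earlier ones.
    Real normalizers apply the policy of the protected host's TCP stack;
    here it is a parameter so both outcomes can be compared.
    """
    stream = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    end = max(stream) + 1
    # Fill holes with NUL so a gap never accidentally completes the signature.
    return bytes(stream.get(i, 0) for i in range(end))


def inspect_normalized(segments, signature=SIGNATURE, policy="first"):
    """Full-stream inspection: reassemble first, then look for the signature."""
    return signature in reassemble(segments, policy)


def demo():
    """Compare the three inspection outcomes on the constructed traffic."""
    return {
        "per_segment": inspect_per_segment(SEGMENTS),
        "normalized_first": inspect_normalized(SEGMENTS, policy="first"),
        "normalized_last": inspect_normalized(SEGMENTS, policy="last"),
    }


if __name__ == "__main__":
    print(reassemble(SEGMENTS, "first"))
    for name, hit in demo().items():
        print(f"{name}: {'DETECTED' if hit else 'missed'}")
```

No single segment contains the signature, so the per-segment check misses it. Reassembly with the "first" policy yields `GET /cgi-bin/evil.sh HTTP/1.1 ...` and detects it; with the "last" policy the junk retransmission wins and the stream reads `/cgi-bin/XXXl.sh`, which is harmless. That divergence is the real point of normalization: the inspector must resolve overlaps exactly as the target host does, or the attacker picks whichever interpretation the inspector does not use.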
WHAT'S IN OUR DNA?
(Portfolio diagram) Heritage products: Websense TRITON, Raytheon SureView, Stonesoft.
• Threat Intelligence (Websense; Raytheon/Websense)
• Mobile Security (Websense; Raytheon/Websense)
• Cloud & On-Premise Services (TRITON)
• Network Security (Stonesoft)
• Insider Threat Analysis (Raytheon)
• Advanced Threat Protection (Raytheon)
• Email Security (Websense)
• Web Security (Websense)
• Data Loss Prevention (Websense)
THANK YOU!
Ajay [email protected]