Moving Security Model From Content To Context
paulsparrows.wordpress.com
Quick Random Thoughts on Security Trends and Technologies for 2012
Paolo Passeri
Why Next Generation Technologies Are Needed
Malware is getting more and more sophisticated and is increasingly capable of circumventing traditional security technologies.
APTs Are Changing The Rules Of The Game
APTs threaten organizations on different levels (from users to applications) and on heterogeneous time scales, redefining the information security landscape. Firewalls, Next Generation Firewalls and Intrusion Prevention Systems are converging into a new breed of security devices that moves the security enforcement paradigm to context, replacing the old model based on "IP Address, Protocol and Access Control" with a new model focused on "user, application and anomaly".
The Next Level: From Content to Context
Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. Supplemental information includes: geolocation, reputation, and the interaction of the user with the environment (applications, directory, etc.). This class of devices is called Next Generation IPS:
http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/
NG-IPS Vs The Rest Of The World

Comparison of Firewall, IPS, Next Generation Firewall (NGF) and Next Generation IPS (NG-IPS):

Works At
• Firewall: Layer 3-4
• IPS: Layer 4-7
• NGF: Layer 7
• NG-IPS: Layer 4-7

Security Paradigm
• Firewall: IP Address; Port; Protocol
• IPS: Protocol; Vulnerability
• NGF: User; Application
• NG-IPS: User; Application; Vulnerability

Scans
• Firewall: All Traffic
• IPS: All Traffic
• NGF: Classified Applications
• NG-IPS: All Traffic, including classified Applications

Deployed As
• Firewall: Layer 3 Gateway; Transparent Mode
• IPS: Transparent Mode; Connected to TAP; Connected to Span Port
• NGF: Layer 3 Gateway; Transparent Mode
• NG-IPS: Layer 3 Gateway; Transparent Mode

Defends Against
• Firewall: Intrusions by unauthorized users exploiting known ports
• IPS: Intrusions by everyone exploiting vulnerabilities at Layer 4-7
• NGF: Misuse of applications by users; Intrusions by unauthorized users exploiting classified applications
• NG-IPS: Intrusions by everyone exploiting application and server vulnerabilities; Misuse of applications by users

Performs Access Control
• Firewall: Yes
• IPS: No
• NGF: Yes
• NG-IPS: Yes

Access Control By
• Firewall: IP Address; Port; Protocol
• IPS: -
• NGF: User; Application
• NG-IPS: User; Application; IP Address; Port; Protocol

Detection Algorithms
• Firewall: Packet Filter; Application Proxy; Stateful Inspection
• IPS: Deep Packet Inspection; Signatures; Pattern Matching; Protocol-Based; Anomaly Detection; Heuristics
• NGF: Application Classification via proprietary methods; Stateful Inspection; Deep Packet Inspection
• NG-IPS: Application Classification; Signatures; Pattern Matching; Anomaly Detection (Application and Protocol); Heuristics

Use Cloud Based Services
• Firewall: No
• IPS: Yes, for updating signatures from data received from other sensors
• NGF: Yes, for updating application fingerprints and dynamically classifying unknown applications
• NG-IPS: Yes, for updating signatures and application fingerprints

Use Reputation and Geo-location
• Firewall: No
• IPS: Partially
• NGF: No
• NG-IPS: Yes

Dedicated Device
• Firewall: Yes
• IPS: May exist as a dedicated device or as a security feature on a UTM
• NGF: Once existed as a dedicated device, now is a security feature on top of a "traditional firewall"
• NG-IPS: Yes; will replace traditional Firewalls, NG Firewalls and IPSs

Deployed At
• Firewall: Perimeter
• IPS: On the perimeter firewall or behind it, in front of key assets
• NGF: Perimeter, focused on protecting outbound traffic
• NG-IPS: Perimeter

May Scan SSL
• Firewall: No
• IPS: Yes
• NGF: No
• NG-IPS: Yes
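The shift from "IP address, port, protocol" to "user, application and anomaly" enforcement described in the context-aware definition and in the comparison above, as an added example that is not from the original deck or from any vendor's product: the same flow is evaluated first by a legacy Layer 3-4 rule and then by a context-aware policy that also consults user, application, geolocation, reputation and an anomaly score. Every rule set, reputation score, country code and sample flow is constructed for illustration.

```python
"""Added example: legacy 5-tuple decision versus context-aware decision.
All policies, reputation data and flows below are constructed, not real."""
from dataclasses import dataclass


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    protocol: str
    user: str = ""
    application: str = ""
    country: str = ""
    anomaly_score: float = 0.0  # 0.0 = normal behaviour, 1.0 = highly anomalous


# Legacy firewall policy (constructed): allowed (protocol, port) pairs only
LEGACY_ALLOW = {("tcp", 80), ("tcp", 443)}

# Context-aware policy (constructed): which applications each user may use
USER_APP_POLICY = {
    "alice": {"web-browsing", "crm"},
    "bob": {"web-browsing"},
}
# Constructed reputation feed: source IP -> score in [0, 1], lower is worse
IP_REPUTATION = {"203.0.113.10": 0.95, "198.51.100.7": 0.10}
BLOCKED_COUNTRIES = {"XX"}  # placeholder country code, not a real policy
REPUTATION_FLOOR = 0.5      # deny sources scored below this
ANOMALY_CEILING = 0.8       # deny sessions scored above this


def legacy_decision(flow: Flow) -> str:
    """Layer 3-4 firewall: only protocol and port count; user and app are invisible."""
    return "allow" if (flow.protocol, flow.dst_port) in LEGACY_ALLOW else "deny"


def context_decision(flow: Flow) -> tuple[str, str]:
    """NG-IPS style: geolocation and reputation enrich the decision, then the
    user/application policy and the anomaly score are enforced. Returns
    (verdict, reason) so the reason can be logged for the analyst."""
    if flow.country in BLOCKED_COUNTRIES:
        return "deny", "geolocation"
    if IP_REPUTATION.get(flow.src_ip, 0.5) < REPUTATION_FLOOR:  # unknown IP = neutral
        return "deny", "reputation"
    if flow.application not in USER_APP_POLICY.get(flow.user, set()):
        return "deny", "user/application policy"
    if flow.anomaly_score > ANOMALY_CEILING:
        return "deny", "anomaly"
    return "allow", "context ok"


# Constructed sample: bob reaches the CRM over HTTPS from a low-reputation source.
SAMPLE = Flow("198.51.100.7", 443, "tcp", user="bob", application="crm", country="US")
```

The legacy rule allows the sample flow because port 443/tcp is open, while the context-aware policy denies it on reputation before the user/application check is even reached.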
Web Application Firewalls
The growing number of vulnerabilities targeting web applications and the cyber attacks carried out against banks, together with the need to comply with strict requirements and regulations, are pushing the adoption of Web Application Firewalls. Although technology tends to consolidate traditional security solutions, WAFs are destined to remain standalone dedicated devices in front of the key web assets they protect.
These devices are required by PCI-DSS and, most of all, by the growing attention of cyber crooks to exploiting vulnerabilities in banking web applications. This year alone, famous victims included Citigroup and Samsung Card. In particular, attackers were able to steal $2.7 million from Citigroup.
http://spectrum.ieee.org/riskfactor/telecom/security/citigroup-admits-being-hacked-in-may-coy-about-extent-of-impact
http://www.databreaches.net/?p=20522
WAFs Against The Rest Of The World
So Which Is The Most Revolutionary Technology?
Avoid investing in new technologies without first patching the user!
APTs account for only 1%; (human) vulnerabilities account for the remaining 99%.