Page 1: Moving Security Model From Content to Context

Moving Security Model From Content To Context

paulsparrows.wordpress.com

Quick Random Thoughts on Security Trends and Technologies for 2012

Paolo Passeri

Page 2: Moving Security Model From Content to Context

Why Next Generation Technologies Are Needed


Malware is getting more and more sophisticated and capable of circumventing traditional security technologies.

Page 3: Moving Security Model From Content to Context

APTs Are Changing The Rules Of The Game

APTs threaten organizations on different levels (from users to applications) and on heterogeneous time scales, redefining the information security landscape. Firewalls, Next Generation Firewalls and Intrusion Prevention Systems are converging into a new breed of security devices that move the security enforcement paradigm to context, replacing the old model based on "IP Address, Protocol and Access Control" with a new model focused on "user, application and anomaly".


Page 4: Moving Security Model From Content to Context

The Next Level: From Content to Context

Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. Supplemental information includes: geo-location, reputation, and the interaction of the user with the environment (applications, directory, etc.). This class of devices is called Next Generation IPS:

http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/


Page 5: Moving Security Model From Content to Context

NG-IPS Vs The Rest Of The World

| | Firewall | IPS | NGF | NG-IPS |
|---|---|---|---|---|
| Works At | Layer 3-4 | Layer 4-7 | Layer 7 | Layer 4-7 |
| Security Paradigm | IP Address; Port; Protocol | Protocol; Vulnerability | User; Application | User; Application; Vulnerability |
| Scans | All Traffic | All Traffic | Classified Applications | All Traffic including classified Applications |
| Deployed as | Layer 3 Gateway; Transparent Mode | Transparent Mode; Connected to TAP; Connected to Span Port | Layer 3 Gateway; Transparent Mode | Layer 3 Gateway; Transparent Mode |
| Defends Against | Intrusions by unauthorized users exploiting known ports | Intrusions by everyone exploiting vulnerabilities at Layer 4-7 | Misuse of applications by users; Intrusions by unauthorized users exploiting classified applications | Intrusions by everyone exploiting application and server vulnerabilities; Misuse of applications by users |
| Performs Access Control | Yes | No | Yes | Yes |
| Access Control By | IP Address; Port; Protocol | - | User; Application | User; Application; IP address; Port; Protocol |
| Detection Algorithms | Packet Filter; Application Proxy; Stateful Inspection | Deep Packet Inspection; Signatures; Pattern Matching; Protocol-Based; Anomaly Detection; Heuristics | Application Classification via proprietary methods; Stateful Inspection; Deep Packet Inspection | Application Classification; Signatures; Pattern Matching; Anomaly Detection (Application and Protocol); Heuristics |
| Use cloud based services | No | Yes, for updating signatures from data received from other sensors | Yes, for updating application fingerprints and dynamically classifying unknown applications | Yes, for updating signatures and application fingerprints |
| Use reputation and Geo-location | No | Partially | No | Yes |
| Dedicated Device | Yes | May exist as a dedicated device or as a security feature on a UTM | Once existed as a dedicated device, now is a security feature on top of a "traditional firewall" | Yes; will replace traditional Firewalls, NG Firewalls, IPSs |
| Deployed at | Perimeter | On perimeter firewall or behind it and in front of Key Assets | Perimeter, focused to protect outbound traffic | Perimeter |
| May Scan SSL | No | Yes | No | Yes |
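The two decision models the deck contrasts (the firewall's "IP Address, Port, Protocol" column versus the NG-IPS "user, application, anomaly" model with reputation and geo-location as supplemental context) can be put side by side in a small policy evaluator. This is an added example, not code from the deck or from any product it mentions; the Flow fields, the two rule formats, the thresholds and the sample flows are all constructed for illustration.

```python
"""Legacy 5-tuple firewall decision next to a context-aware decision.

Added example for this deck; the rule formats, thresholds and sample flows
below are assumptions constructed for illustration, not any vendor's format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection as seen by the enforcement point."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    # Supplemental context: the "content to context" information
    user: str = "unknown"          # from the directory / identity source
    application: str = "unknown"   # as classified by application inspection
    src_country: str = "??"        # geo-location of the source address
    reputation: int = 50           # 0 = known bad, 100 = fully trusted
    anomaly_score: float = 0.0     # 0.0 .. 1.0 against a behavioural baseline


# Legacy rule: (source network, destination port or "*", protocol or "*", action)
LEGACY_RULES = [
    ("10.0.0.0/8", 443, "tcp", "allow"),
    ("10.0.0.0/8", 80, "tcp", "allow"),
]

# Context rule: every attribute present in the rule must match; first match wins.
CONTEXT_RULES = [
    {"name": "finance-to-banking-portal", "users": {"alice", "bob"},
     "applications": {"banking-portal"}, "countries": {"IT"}, "action": "allow"},
    {"name": "block-anonymizers", "applications": {"tor", "ultrasurf"}, "action": "deny"},
    {"name": "web-browsing", "applications": {"web-browsing"}, "action": "allow"},
]


def legacy_firewall_decision(flow, rules=LEGACY_RULES):
    """Classic firewall model: IP address, port and protocol only."""
    for network, port, proto, action in rules:
        if (ip_address(flow.src_ip) in ip_network(network)
                and port in ("*", flow.dst_port)
                and proto in ("*", flow.protocol)):
            return action
    return "deny"


def _rule_matches(rule, flow):
    checks = (("users", flow.user), ("applications", flow.application),
              ("countries", flow.src_country))
    return all(value in rule[key] for key, value in checks if key in rule)


def context_aware_decision(flow, rules=CONTEXT_RULES,
                           reputation_floor=20, anomaly_ceiling=0.8):
    """Context model: reputation and anomaly gates first, then user/application/geo rules.

    Returns (action, reason) so the reason can be logged next to the verdict.
    """
    if flow.reputation < reputation_floor:
        return "deny", "reputation"
    if flow.anomaly_score > anomaly_ceiling:
        return "deny", "anomaly"
    for rule in rules:
        if _rule_matches(rule, flow):
            return rule["action"], rule["name"]
    return "deny", "default"


# Constructed sample flows: all four share the same 5-tuple, so a legacy
# firewall cannot tell them apart; the context layer can.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 443, "tcp", user="alice",
         application="banking-portal", src_country="IT", reputation=90),
    Flow("10.1.2.3", "203.0.113.10", 443, "tcp", application="tor"),
    Flow("10.1.2.3", "203.0.113.10", 443, "tcp", user="alice",
         application="web-browsing", src_country="IT", reputation=5),
    Flow("10.1.2.3", "203.0.113.10", 443, "tcp", user="alice",
         application="web-browsing", src_country="IT", anomaly_score=0.95),
]


def compare(flows=SAMPLE_FLOWS):
    """Return [(legacy_action, (context_action, reason)), ...] for each flow."""
    return [(legacy_firewall_decision(f), context_aware_decision(f)) for f in flows]


if __name__ == "__main__":
    for flow, (legacy, ctx) in zip(SAMPLE_FLOWS, compare()):
        print(f"{flow.user:8} {flow.application:15} legacy={legacy:5} context={ctx}")
```

The legacy evaluator allows all four sample flows because they are identical at layers 3-4; the context evaluator separates them by user, classified application, reputation and anomaly score, and returns the matching rule name so that the reason for a verdict is available to the SIEM rather than only the verdict itself.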


Page 6: Moving Security Model From Content to Context

Web Application Firewalls

The growing number of vulnerabilities targeting web applications and of cyber attacks carried out against banks, together with the need to comply with strict requirements and regulations, are pushing the adoption of Web Application Firewalls. Although technology tends to consolidate traditional security solutions, WAFs are destined to remain standalone dedicated devices in front of the key web assets they protect.

These devices are required by PCI-DSS and, most of all, by the growing attention of cybercrooks to exploiting vulnerabilities in banking web applications. This year alone, famous victims included CitiGroup and Samsung Card. In particular, attackers were able to steal $2.7 million from Citigroup.

http://spectrum.ieee.org/riskfactor/telecom/security/citigroup-admits-being-hacked-in-may-coy-about-extent-of-impact

http://www.databreaches.net/?p=20522
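The WAF role described above, inspecting requests to a key web asset at the application layer, can be illustrated with a small request inspector that combines a negative model (signatures for well-known injection patterns) with a positive model (what each protected URL actually accepts per parameter), decoding input before matching so that encoded variants do not slip past. This is an added example, not code from the deck or from any WAF product; the signature patterns, the parameter schema, the paths and the sample requests are constructed for illustration and are far from a production rule set.

```python
"""Minimal WAF-style request inspection: negative (signature) plus positive
(schema) model, with percent-decoding done before matching.

Added example for this deck; the signatures, schema and sample requests are
constructed for illustration and are not any product's rule set.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Negative model: signatures for well-known injection patterns (illustrative only)
SIGNATURES = {
    "sqli": re.compile(r"('|\")\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|union\s+select|--\s*$|/\*", re.I),
    "path-traversal": re.compile(r"\.\./|\.\.\\"),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}

# Positive model: what each protected path accepts, per parameter (assumed application)
PARAM_SCHEMA = {
    "/account": {"id": re.compile(r"\d{1,10}")},
    "/transfer": {"amount": re.compile(r"\d+(\.\d{1,2})?"),
                  "to": re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{1,30}")},
}


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is inspected decoded."""
    previous = None
    for _ in range(max_rounds):
        if value == previous:
            break
        previous, value = value, unquote(value)
    return value


def inspect_request(method, target):
    """Return ("allow" | "block", findings) for one request-line target."""
    parts = urlsplit(target)
    path = normalize(parts.path)
    params = [(name, normalize(value))
              for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    findings = []

    if SIGNATURES["path-traversal"].search(path):
        findings.append(("path", "path-traversal"))

    schema = PARAM_SCHEMA.get(path)
    for name, value in params:
        if schema is not None:
            # Positive model: unknown parameters and malformed values are rejected
            if name not in schema:
                findings.append((name, "unexpected-parameter"))
            elif not schema[name].fullmatch(value):
                findings.append((name, "schema-violation"))
        # Negative model: signatures apply to every parameter, schema or not
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                findings.append((name, label))

    return ("block" if findings else "allow"), findings


# Constructed sample request targets
SAMPLE_REQUESTS = [
    ("GET", "/account?id=12345"),
    ("GET", "/account?id=1%27%20OR%20%271%27%3D%271"),
    ("GET", "/account?id=1%2527"),
    ("GET", "/static/..%2F..%2Fconfig"),
    ("GET", "/transfer?amount=100.00&to=IT00X0000000000000000000000&note=x"),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
]

if __name__ == "__main__":
    for method, target in SAMPLE_REQUESTS:
        verdict, findings = inspect_request(method, target)
        print(f"{verdict:5} {method} {target}  {findings}")
```

The third sample request is the reason for the positive model: after double decoding its value is no longer a plain number, so the schema rejects it even though no signature fires. Signatures alone would let it through, which is why a WAF in front of a banking application is usually tuned with a per-URL schema rather than relying only on a blocklist.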


Page 7: Moving Security Model From Content to Context

WAFs Against The Rest Of The World


Page 8: Moving Security Model From Content to Context

So Which Is The Most Revolutionary Technology?

Do not invest in new technologies without first patching the user!

APTs account for only 1%; (human) vulnerabilities account for the remaining 99%.


Page 9: Moving Security Model From Content to Context

References

Oct 5, 2011: Information, The Next Battlefield
http://paulsparrows.wordpress.com/2011/10/05/information-the-next-battlefield/

Oct 7, 2011: Next Generation Firewalls and Web Applications Firewall Q&A
http://paulsparrows.wordpress.com/2011/10/07/next-generation-firewalls-and-web-applications-firewall-qa/

Oct 13, 2011: Advanced Persistent Threats and Security Information Management
http://paulsparrows.wordpress.com/2011/10/13/apts-and-security-information-management/

Oct 27, 2011: Are You Ready For The Next Generation IPS?
http://paulsparrows.wordpress.com/2011/10/27/are-you-ready-for-the-next-generation-ips/

Nov 20, 2011: Advanced Persistent Threats and Human Errors
http://paulsparrows.wordpress.com/2011/11/20/advanced-persistent-threats-and-human-errors/
