Moving Security Model From Content to Context
Malware is getting more and more sophisticated and capable of circumventing traditional security technologies, redefining the information security landscape. Firewalls, Next Generation Firewalls and Intrusion Prevention Systems are converging to a new breed of security devices capable of moving the security enforcement paradigm to context, taking over from the old model based on IP address, protocol and access control to a new model focused on user, application and anomaly.
1. Moving Security Model From Content To Context
Quick Random Thoughts on Security Trends and Technologies for 2012
Paolo Passeri
paulsparrows.wordpress.com
2. Why Next Generation Technologies Are Needed

Malware is getting more and more sophisticated and capable of circumventing traditional security technologies.

3. APTs Are Changing The Rules Of The Game

APTs threaten organizations on different levels (from users to applications) and on heterogeneous time scales, redefining the information security landscape. Firewalls, Next Generation Firewalls and Intrusion Prevention Systems are converging to a new breed of security devices capable of moving the security enforcement paradigm to context, taking over from the old model based on IP address, protocol and access control to a new model focused on user, application and anomaly.

4. The Next Level: From Content to Context

Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. Supplemental information includes: geolocation, reputation, and the interaction of the user with the environment (applications, directory, etc.). This class of devices is called Next Generation IPS:
http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/

5. NG-IPS Vs The Rest Of The World

| | Firewall | IPS | NGF | NG-IPS |
|---|---|---|---|---|
| Works at | Layer 3-4 | Layer 4-7 | Layer 7 | Layer 4-7 |
| Security paradigm | IP address, port, protocol | Protocol, vulnerability | User, application | User, application, protocol, vulnerability |
| Scans | All traffic | All traffic | Classified applications | All traffic, including classified applications |
| Deployed as | Layer 3 gateway; transparent mode | Transparent mode; connected to TAP; connected to span port | Layer 3 gateway; transparent mode | Layer 3 gateway; transparent mode |
| Defends against | Intrusions by unauthorized users exploiting known ports | Intrusions by everyone exploiting vulnerabilities at Layer 4-7 | Misuse of applications by users; intrusions by unauthorized users exploiting classified applications | Intrusions by everyone exploiting application and server vulnerabilities; misuse of applications by users |
| Performs access control | Yes | No | Yes | Yes |
| Access control by | IP address, port, protocol | - | User, application | User, application, protocol, IP address, port |
| Detection algorithms | Packet filter; application proxy; stateful inspection | Deep packet inspection; signatures; pattern matching; anomaly detection; heuristics | Application classification via proprietary methods; deep packet inspection; protocol-based signatures; pattern matching | Stateful inspection; application classification; anomaly detection (application and protocol); heuristics |
| Uses cloud-based services fed by data from other sensors | No | Yes, for updating signatures | Yes, for updating application fingerprints and dynamically classifying unknown applications | Yes, for updating signatures and application fingerprints |
| Uses reputation and geolocation | No | Partially | No | Yes |
| Dedicated device | Yes | May exist as a dedicated device or as a security feature on a UTM | Once existed as a dedicated device; now a security feature on top of a traditional firewall | Yes; will replace traditional firewalls, NG firewalls and IPSs |
| Deployed at | Perimeter | On the perimeter firewall or behind it, in front of key assets | Perimeter, focused on protecting outbound traffic | Perimeter |
| May scan SSL | No | Yes | No | Yes |

6. Web Application Firewalls

The growing number of vulnerabilities targeting web applications and the cyber attacks carried out against banks, together with the need to comply with strict requirements and regulations, are pushing the adoption of Web Application Firewalls. Although technology tends to consolidate traditional security solutions, WAFs are destined to remain standalone dedicated devices in front of the key web assets they protect. These devices are required by PCI-DSS and, most of all, by the growing attention of cybercrooks to exploiting vulnerabilities in banking web applications. This year alone, famous victims included Citigroup and Samsung Card. In particular, attackers were able to steal $2.7 million from Citigroup.
http://spectrum.ieee.org/riskfactor/telecom/security/citigroup-admits-being-hacked-in-may-coy-about-extent-of-impact
http://www.databreaches.net/?p=20522

7. WAFs Against The Rest Of The World

8. So Which Is The Most Revolutionary Technology?

Avoid investing in new technologies without first patching the user! APTs account for only 1%; (human) vulnerabilities account for the remaining 99%.

9. References

Oct 5, 2011: Information, The Next Battlefield
http://paulsparrows.wordpress.com/2011/10/05/information-the-next-battlefield/
Oct 7, 2011: Next Generation Firewalls and Web Applications Firewall Q&A
http://paulsparrows.wordpress.com/2011/10/07/next-generation-firewalls-and-web-applications-firewall-qa/
Oct 13, 2011: Advanced Persistent Threats and Security Information Management
http://paulsparrows.wordpress.com/2011/10/13/apts-and-security-information-management/
Oct 27, 2011: Are You Ready For The Next Generation IPS?
http://paulsparrows.wordpress.com/2011/10/27/are-you-ready-for-the-next-generation-ips/
Nov 20, 2011: Advanced Persistent Threats and Human Errors
http://paulsparrows.wordpress.com/2011/11/20/advanced-persistent-threats-and-human-errors/
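The content-to-context shift described on slides 4 and 5, as an added example that is not part of the original deck: a small policy engine in Python that evaluates the same connection twice, once with a traditional firewall's IP/port/protocol rule and once with the supplemental context the slides list (user, classified application, geolocation, reputation, anomaly). The rule set, policy thresholds, user names and sample flows are constructed for the illustration and are not from any product.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    """One connection as seen by the sensor. Everything beyond src_ip, proto
    and dst_port is the supplemental context the deck lists."""
    src_ip: str
    proto: str
    dst_port: int
    user: Optional[str] = None
    app: Optional[str] = None      # classified by DPI, not guessed from the port
    geo: Optional[str] = None      # country code of the remote peer
    reputation: float = 1.0        # 0.0 = known bad, 1.0 = clean
    anomaly: float = 0.0           # deviation from this user's usual behaviour

LEGACY_RULES = {("tcp", 443), ("tcp", 80)}   # constructed: port/protocol allow list

CONTEXT_POLICY = {                            # constructed: context-aware policy
    "user_apps": {"alice": {"web-browsing", "webmail"}, "svc-backup": {"backup-sync"}},
    "allowed_geo": {"IT", "DE", "US"},
    "min_reputation": 0.5,
    "max_anomaly": 0.8,
}

def legacy_decision(flow: Flow) -> str:
    """Traditional firewall: only protocol and destination port are consulted."""
    return "allow" if (flow.proto, flow.dst_port) in LEGACY_RULES else "deny"

def context_decision(flow: Flow, policy=CONTEXT_POLICY):
    """Context-aware decision; every check records why it fired so the verdict
    can be audited, not just enforced."""
    reasons = []
    if flow.app not in policy["user_apps"].get(flow.user, set()):
        reasons.append(f"app {flow.app!r} not permitted for user {flow.user!r}")
    if flow.geo not in policy["allowed_geo"]:
        reasons.append(f"peer geolocation {flow.geo!r} not allowed")
    if flow.reputation < policy["min_reputation"]:
        reasons.append(f"peer reputation {flow.reputation} below floor")
    if flow.anomaly > policy["max_anomaly"]:
        reasons.append(f"anomaly score {flow.anomaly} above ceiling")
    return ("deny" if reasons else "allow", reasons)

SAMPLE_FLOWS = [  # constructed: same port and protocol, very different context
    Flow("10.0.0.5", "tcp", 443, user="alice", app="web-browsing", geo="DE"),
    Flow("10.0.0.5", "tcp", 443, user="alice", app="p2p-filesharing",
         geo="XX", reputation=0.1, anomaly=0.9),
]

def compare(flows=SAMPLE_FLOWS):
    """Return (legacy verdict, context verdict, reasons) for each flow."""
    return [(legacy_decision(f),) + context_decision(f) for f in flows]
```

The second sample flow is indistinguishable from the first to the port-based rule but fails all four context checks, which is the gap the deck's NG-IPS column is meant to close.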