Security trend-with-sec point

Security Evolution on the Edge (37 slides)

http://www.secpoint.com - Security Trend with SecPoint

Transcript of Security trend-with-sec point

Page 1: Security trend-with-sec point

Security Evolution on the Edge

Page 2: Security trend-with-sec point

The State of Insecurity

Page 3: Security trend-with-sec point

State of Security


• Network Attacks are on the rise - Viruses, Worms, and Trojans

• “9 Of 10 Companies Hit By Computer Crime” - FBI

• Their presence is global

*CERT stats for 2004 and 2005 are based on comments on the CERT site that the number of incidents is too large to track anymore (the figure here is a low estimate)

Source: Kaspersky Labs – May 2009

Page 4: Security trend-with-sec point

You’ve Seen It In The News


Page 5: Security trend-with-sec point

You’ve Seen It In The News


New York Police Department under Chinese cyber-attacks

US Air Traffic Control Vulnerable to Cyber-attack

Staged cyber attack reveals Vulnerability in power grid

And more breaking news every day....

Page 6: Security trend-with-sec point

The IT Security Paradox

100% of these organizations (the ones in the headlines on the previous slides) have purchased "IT security" solutions

Page 7: Security trend-with-sec point

Attack Sophistication vs. Intruder Technical Knowledge

[Chart: two curves plotted from 1980 to 2005 on a Low-to-High scale. Attack sophistication rises over the period while the technical knowledge an intruder needs falls. Techniques marked along the timeline, earliest first:]

password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, tools, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, staged, auto coordinated, cross site scripting

Page 8: Security trend-with-sec point

Vulnerability Exploit Cycle

[Chart: number of incidents over time through one cycle; exposure is highest while automated scanning/exploit tools are in widespread use.]

1. Advanced intruders discover a new vulnerability

2. Crude exploit tools are distributed

3. Novice intruders use the crude exploit tools

4. Automated scanning/exploit tools are developed

5. Widespread use of automated scanning/exploit tools (highest exposure time)

6. Intruders begin using new types of exploits, and the cycle repeats

Page 9: Security trend-with-sec point

Today's Reality

1. Organizations and people are dependent on technology

2. Attacks are now both obscured and actionable

3. Time from vulnerability to exploit is shorter

Perpetuated by: outdated technology, continual security changes, limited control, human factors

The new attackers: cybercrime organizations, Mafia organizations, professional hackers, company insiders

Page 10: Security trend-with-sec point

Past and Present Solutions

Page 11: Security trend-with-sec point

Legacy Firewall Solutions

• Legacy firewall technology is limited and cannot effectively prevent today's threats or network misuse

• For complete protection many have cobbled together security solutions from multiple vendors with little to no integration

• However, the net result is higher overall cost of ownership, increased resource demand and performance concerns

[Diagram: threats arrive from the Internet and pass through a chain of separately bought point products before reaching internal network users: Firewall, Router, Anti-Spyware, Gateway AV, Client AV, Wireless Security, VPN, Content Filter, Anti-Phishing, Intrusion Prevention. Caption: typical firewalls only inspect the "luggage tag" (the packet headers); complete protection means DEEP inspection of the network traffic itself.]

Page 12: Security trend-with-sec point

Advanced L-7 Classification: Foundation of Visibility

[Diagram: the same traffic as seen by three tiers of inspection. Each tier adds a layer of classification on top of the previous one.]

Typical router, probe, etc.: link layer (MAC 00D059B71F3E), IP (192.168.1.1), transport protocol (TCP/UDP, shown as protocol numbers 06/11 in hex, i.e. 6 = TCP and 0x11 = 17 = UDP) and static port (80)

Stateful inspection: adds dynamic ports (the slide prints 80722) and port-based application names: HTTP/SSL, SMTP/POP3, FTP

Complete application classification: identifies the actual application (Oracle, SAP, KaZaA) and the same applications tunneled over HTTP, using application sub-classifications, validation, behavioral characteristics, multi-packet flow analysis and profiling intelligence for encrypted, tunneled and evasive applications

Packeteer: over 450 application classifications
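The three tiers above in code, as an added example that is not SecPoint's or Packeteer's own classifier: a port lookup (all a router or stateful firewall knows) beside a payload-fingerprint classifier that identifies the application from the first bytes a client sends and then sub-classifies HTTP by its request headers. The fingerprint patterns, the User-Agent and Host markers for tunneled applications, and the sample flows are all constructed for this illustration; a production classifier carries hundreds of fingerprints and keeps state across the packets of a flow.

```python
"""Port-based vs payload-based (layer 7) application classification.

Added illustration; the fingerprints, tunnel markers and sample flows are
constructed and are not a vendor signature set.
"""
import re

# Tier 1: what a router or stateful firewall "knows" - the port number only.
PORT_TABLE = {21: "FTP", 22: "SSH", 25: "SMTP", 80: "HTTP", 110: "POP3", 443: "SSL"}


def classify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")


# Tier 2: fingerprints applied to the first bytes a client sends, whatever the port.
# (Constructed: real classifiers carry hundreds of these and track whole flows.)
FINGERPRINTS = [
    ("BitTorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("SSH", re.compile(rb"^SSH-2\.0-")),
    # TLS record: type 0x16 handshake, version 0x03 0x0n, 2-byte length, then
    # handshake type 0x01 = ClientHello. DOTALL so '.' also matches byte 0x0a.
    ("SSL", re.compile(rb"^\x16\x03[\x00-\x03].{2}\x01", re.DOTALL)),
    ("HTTP", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|CONNECT) \S+ HTTP/1\.[01]\r\n")),
]

# Tier 3: sub-classification of HTTP by request headers (both markers are assumptions).
HTTP_SUBCLASSES = [
    ("KaZaA over HTTP", re.compile(rb"^User-Agent:[ \t]*KazaaClient", re.M | re.I)),
    ("SAP over HTTP", re.compile(rb"^Host:[ \t]*sap-gateway\.", re.M | re.I)),
]


def classify_by_payload(payload: bytes) -> str:
    for label, pattern in FINGERPRINTS:
        if pattern.match(payload):
            return label
    return "unknown"


def subclassify_http(payload: bytes):
    for label, pattern in HTTP_SUBCLASSES:
        if pattern.search(payload):
            return label
    return None


def classify_flow(dst_port: int, payload: bytes) -> dict:
    """Run all three tiers and flag flows whose payload contradicts the port."""
    by_port = classify_by_port(dst_port)
    l7 = classify_by_payload(payload)
    sub = subclassify_http(payload) if l7 == "HTTP" else None
    return {
        "port_guess": by_port,
        "l7": l7,
        "sub": sub,
        # A port carrying something other than what the port table says is
        # exactly what the port tier cannot see.
        "port_mismatch": l7 != "unknown" and l7 != by_port,
    }


# Constructed sample flows: (destination port, first client bytes).
SAMPLE_FLOWS = {
    "bittorrent_on_80": (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 40),
    "http_on_8080": (8080, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "kazaa_over_http": (80, b"GET /.hash=ab12 HTTP/1.1\r\nHost: 10.0.0.5\r\n"
                            b"User-Agent: KazaaClient Jul 2 2003\r\n\r\n"),
    "ssh_on_443": (443, b"SSH-2.0-OpenSSH_5.1\r\n"),
    "tls_on_443": (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 32),
}


def classify_samples() -> dict:
    return {name: classify_flow(port, data) for name, (port, data) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, v in classify_samples().items():
        print(f"{name:18} port says {v['port_guess']:8} payload says {v['l7']:10} "
              f"sub={v['sub']} mismatch={v['port_mismatch']}")
```

The two evasions the slide is about show up as `port_mismatch`: BitTorrent on port 80 is "HTTP" to the port tier, and SSH on 443 is "SSL"; only the payload tier names them, and only the header sub-classification separates KaZaA over HTTP from ordinary web traffic.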

Page 13: Security trend-with-sec point

Threat Protection Differences

[Diagram: what each class of device can see and stop, from header-only devices to full deep inspection.]

Routers / NAT filters: link layer (00D059B71F3E), IP (192.168.1.1), TCP/UDP (06/11)

Stateful inspection: adds static port (80) and dynamic / multiple ports

Typical deep packet inspection: application-layer threats, with limited virus protection

SecPoint deep inspection (complete protection): viruses, worms, trojans, spyware, IM/P2P apps, with unlimited file sizes and unlimited users

Page 14: Security trend-with-sec point

Better Protection & Performance: Solutions Are Not Created Equal

[Chart: attack sophistication (vertical axis) against product class (horizontal axis: Routers, Firewalls, Cisco/Fortinet UTM, SecPoint UTM). Each protection tier below is listed with the threat tier it covers.]

Current firewalls (routers, firewalls): port blocking, TCP/IP rules, IP routing, link layer
Network threats: simple DoS attack, IP spoof, Smurf attack

Typical UTM protection (Cisco/Fortinet UTM): limited scanning for viruses/worms/trojans, inbound spyware protection, SMTP, HTTP, IMAP support, content filtering
Typical threats: downloaded or emailed viruses, easy-to-acquire spyware, misuse of network resources

Intelligent UTM protection (SecPoint Unified Threat Management): scan unlimited sized files and users, block applications such as MSN, outbound spyware control, content filtering/control and phishing, stream-based file support
"Highest risk" threats: hidden malware in large files, spyware communication outbound, viruses on network drives, P2P/instant messenger threats, phishing attacks, rootkits

Page 15: Security trend-with-sec point

Typical Firewall Traffic Path

[Diagram: the packet fields a legacy firewall inspects. IP header: Version | Service | Total Length; ID | Flags | Fragment; TTL | Protocol | IP Checksum; Source IP Address; Destination IP Address; IP Options. Transport header: Source Port, Destination Port, Length, Checksum (the slide draws the UDP layout). Example state-table entry from the slide: Source 212.56.32.49, Destination 65.26.42.17, Source Port 823747, Dest Port 80, Sequence 28474 / 2821, Syn state SYN, IP Option none. Note that 823747 is not a valid port: TCP and UDP ports are 16-bit, so the largest possible value is 65535.]

Stateful Packet Inspection

Legacy Firewalls

Stateful inspection is limited inspection: it tracks connection state (addresses, ports, TCP flags and sequence numbers) and can only permit or block on those header fields

No data inspection! The payload goes through unchecked!

Page 16: Security trend-with-sec point

Firewall Traffic Path

[Diagram: the UTM inspects the same IP and transport headers as a stateful firewall (Version | Service | Total Length; ID | Flags | Fragment; TTL | Protocol | IP Checksum; Source and Destination IP Address; IP Options; Source and Destination Port; Length; Checksum) and then inspects the payload against the SecPoint signature database.]

SecPoint Signatures (category: number of signatures)

ATTACK-RESPONSES 14, BACKDOOR 58, BAD-TRAFFIC 15, DDOS 33, DNS 19, DOS 18, EXPLOIT >35, FINGER 13, FTP 50, ICMP 115, Instant Messenger 25, IMAP 16, INFO 7, Miscellaneous 44, MS-SQL 24, MS-SQL/SMB 19, MULTIMEDIA 6, MYSQL 2, NETBIOS 25, NNTP 2, ORACLE 25, P2P 51, POLICY 21, POP2 4, POP3 18, RPC 124, RSERVICES 13, SCAN 25, SMTP 23, SNMP 17, TELNET 14, TFTP 9, VIRUS 3, WEB-ATTACKS 47, WEB-CGI 312, WEB-CLIENT

Stateful Packet Inspection, then payload INSPECT

Unified Threat Management Platform

UTM inspection covers all traffic moving through the device: 98% more inspection (vendor figure)

[Diagram labels: Security Prod., SecPoint UTM, Dynamic, Management / Reporting, Reliable]
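The difference between the two traffic paths (pages 15 and 16) as an added example, not SecPoint's engine: a minimal stateful filter that decides from the 5-tuple and TCP flags alone, and a payload signature pass, in the style of the WEB-CGI, WEB-ATTACKS and ATTACK-RESPONSES categories above, that inspects the data the stateful filter never looks at. The packets (reusing the slide's example addresses 212.56.32.49 and 65.26.42.17), the permitted-port policy and the three signatures are constructed for this illustration; the state machine is deliberately reduced (it admits any packet of a flow it has seen a SYN for, and checksums are left at zero) so the point stays visible.

```python
"""Stateful ("luggage tag") inspection beside payload signature inspection.

Added illustration, not SecPoint's engine. Packets, policy and the three
Snort-style signatures are constructed; checksums are left at zero.
"""
import re
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, flags, payload=b""):
    """Construct an IPv4/TCP packet (no options, zero checksums) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp + payload


def parse(pkt):
    """Split a packet into the header fields a firewall keys on and the payload."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, _, off, flags, *_ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    doff = (off >> 4) * 4
    hdr = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
           "sport": sport, "dport": dport, "seq": seq, "flags": flags}
    return hdr, pkt[ihl + doff:total]


class StatefulFirewall:
    """Permits new flows to allowed ports and then any packet of a known flow.
    Reduced on purpose: it never looks at the payload, which is the point."""

    def __init__(self, allowed_dst_ports):
        self.allowed = set(allowed_dst_ports)
        self.table = {}  # 5-tuple -> state

    def inspect(self, hdr):
        key = (hdr["src"], hdr["sport"], hdr["dst"], hdr["dport"], hdr["proto"])
        if hdr["flags"] & SYN and not hdr["flags"] & ACK:
            if hdr["dport"] in self.allowed:
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP: port not permitted"
        if key in self.table:
            self.table[key] = "ESTABLISHED"
            return "ALLOW"
        return "DROP: no state for this flow"


# Constructed signatures in the style of the category list on the slide.
SIGNATURES = [
    ("WEB-CGI", "directory traversal in cgi-bin request", re.compile(rb"/cgi-bin/[^\r\n]*\.\./")),
    ("WEB-ATTACKS", "cmd.exe execution attempt", re.compile(rb"cmd\.exe", re.I)),
    ("ATTACK-RESPONSES", "shell output as root", re.compile(rb"uid=0\(root\)")),
]


def ips_inspect(payload):
    """Match the payload against every signature; the first hit terminates the flow."""
    for category, name, pattern in SIGNATURES:
        if pattern.search(payload):
            return f"DROP: {category} {name}"
    return "ALLOW"


def run_demo():
    """Feed one constructed HTTP flow and one telnet attempt through both tiers."""
    fw = StatefulFirewall(allowed_dst_ports={80, 443})
    attack = b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\nHost: 65.26.42.17\r\n\r\n"
    flow = [
        build_ipv4_tcp("212.56.32.49", "65.26.42.17", 34567, 80, 28474, SYN),
        build_ipv4_tcp("212.56.32.49", "65.26.42.17", 34567, 80, 28475, PSH | ACK, attack),
        build_ipv4_tcp("212.56.32.49", "65.26.42.17", 34568, 23, 1000, SYN),
    ]
    verdicts = []
    for pkt in flow:
        hdr, payload = parse(pkt)
        stateful = fw.inspect(hdr)
        # Only a packet the stateful tier already passed reaches the payload tier.
        ips = ips_inspect(payload) if stateful == "ALLOW" else "not reached"
        verdicts.append((hdr["dport"], stateful, ips))
    return verdicts


if __name__ == "__main__":
    for dport, stateful, ips in run_demo():
        print(f"dport={dport:<3} stateful={stateful:<28} payload={ips}")
```

The traversal request is a perfectly well-formed packet of an established flow to a permitted port, so the stateful tier passes it; only the payload tier, which reads past the "luggage tag", drops it. The telnet SYN is the one case the stateful tier stops on its own.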

Page 17: Security trend-with-sec point

The New Firewall Standard – UTM: Enterprise security for all businesses

[Diagram: FROM separate boxes for AV, AS (anti-spam), FW, URL (filtering), IPS and VPN TO one UTM device]

Page 18: Security trend-with-sec point

« UTM security appliances will continue to be the more popular approach. This is because UTM appliances offer additional benefits over single function standalone solutions ».

Source: IDC – March 2009

A Large, Fast Growing Market

[Chart: 2005-2012 Western Europe Security Appliance Revenue ($M); values not reproduced in the transcript]

Page 19: Security trend-with-sec point

The New Firewall Standard – UTM: Enterprise security for all businesses

• Unified Threat Management – integration of all modules

• Intrusion Prevention for blocking network threats

• Award winning Anti SPAM

• Anti-Virus for blocking file based threats

• Anti-Spyware for blocking Spyware & Malware

• Content Filtering for productive Internet usage

– Updates to the threat environment

Page 20: Security trend-with-sec point

SecPoint Solutions

Page 21: Security trend-with-sec point

SecPoint Solution Suite

Models (by ascending model number) and the network size each targets:

P700: Small networks, 5-25 users, ADSL Internet access

P1100: Medium networks, 50-250 users, DSL Internet access

P1600/P2100: Enterprise networks, 500-2000 users, Fiber/DSL Internet access

Page 22: Security trend-with-sec point

SecPoint UTM Appliance

Page 23: Security trend-with-sec point

SecPoint Unified Threat Management Platform: Dynamically Updated Architecture

Security Integration: Anti-Virus, Anti-Spyware, IDS/IPS

Productivity Control: Application Control, Web Content Filtering

Network Intelligence: Dynamic Routing, High Availability

Client Identity and Integrity: Network Access

Management and Reporting

Page 24: Security trend-with-sec point

Proxy Solutions Are Limited

[Diagram: a store-and-forward proxy buffers each object (the slide shows IP packets piling up in memory) before it can scan it. As users and traffic rise from min to max, memory fills: "Memory Full - Scanning Stopped". Above that point traffic is marked "Not inspected" instead of "Inspection possible".]

Competitive solutions have memory imposed scalability limits

The more users and traffic added, the more threats come through without inspection

Page 25: Security trend-with-sec point

UTM Platform Approach: Real Time Scanning Engine

[Diagram: the same IP and transport headers, then real-time scanning of the payload as it streams through. Inspection stays "possible" across the whole range of users and traffic, from min to max; nothing falls into "Not inspected".]

Real-time scanning: protection for ALL traffic and ALL users

SecPoint UTM – Unique Scalability

SecPoint Unified Threat Management, Dynamically Updated: Management and Reporting, Security Integration, Productivity Control, Network Resiliency
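The failure mode on page 24 and the stream-based alternative on page 25, as an added example that is not SecPoint's scanning engine: a store-and-forward scan that must hold the whole object and gives up when the object outgrows its buffer, beside a streaming scan that works per chunk with a carried-over tail so a signature split across two chunks is still caught. It goes one step beyond the slides by also showing the naive per-chunk scan that has bounded memory but misses the split signature, which is why the tail is needed. The sample object, the chunk size, the buffer limit and the signature are all constructed.

```python
"""Store-and-forward proxy scanning beside stream-based scanning.

Added illustration, not SecPoint's engine. Object, chunk size, buffer limit
and signature are constructed for the demo.
"""

# Constructed signature set: name -> byte pattern (a harmless test pattern).
SIGNATURES = {"Test.Pattern.Constructed": b"}}CONSTRUCTED-TEST-SIGNATURE-DO-NOT-ALERT{{"}
MAX_SIG = max(len(sig) for sig in SIGNATURES.values())

CHUNK = 64 * 1024


def make_object(total_size: int, sig_offset: int) -> bytes:
    """Filler bytes with the test signature planted at sig_offset (constructed sample)."""
    sig = SIGNATURES["Test.Pattern.Constructed"]
    body = bytearray(b"A" * total_size)
    body[sig_offset:sig_offset + len(sig)] = sig
    return bytes(body)


def chunks(data: bytes, size: int = CHUNK):
    """Yield the object as a stream of chunks, as a gateway would receive it."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def find_signature(buf: bytes):
    for name, sig in SIGNATURES.items():
        if sig in buf:
            return name
    return None


def proxy_scan(stream, buffer_limit: int):
    """Store-and-forward: hold the whole object, then scan. When the object
    outgrows the buffer the proxy stops scanning and lets the rest through,
    which is the 'Memory Full - Scanning Stopped' failure on the slide.
    Returns (verdict, signature name, peak bytes held)."""
    buf = bytearray()
    for chunk in stream:
        if len(buf) + len(chunk) > buffer_limit:
            return ("UNSCANNED", None, len(buf))
        buf += chunk
    hit = find_signature(bytes(buf))
    return ("BLOCK" if hit else "CLEAN", hit, len(buf))


def naive_chunk_scan(stream):
    """Per-chunk scan with no carry-over: bounded memory, but a signature that
    straddles two chunks is never seen in one piece."""
    peak = 0
    for chunk in stream:
        peak = max(peak, len(chunk))
        hit = find_signature(chunk)
        if hit:
            return ("BLOCK", hit, peak)
    return ("CLEAN", None, peak)


def stream_scan(stream):
    """Per-chunk scan that carries the last MAX_SIG-1 bytes into the next
    window, so every signature position is seen once and memory is bounded
    by one chunk plus the carried tail, independent of object size."""
    tail = b""
    peak = 0
    for chunk in stream:
        window = tail + chunk
        peak = max(peak, len(window))
        hit = find_signature(window)
        if hit:
            return ("BLOCK", hit, peak)
        tail = window[-(MAX_SIG - 1):]
    return ("CLEAN", None, peak)


def run_demo():
    """256 KiB object with the signature planted 10 bytes before a 64 KiB chunk boundary."""
    obj = make_object(256 * 1024, CHUNK - 10)
    return {
        "proxy_128k_buffer": proxy_scan(chunks(obj), 128 * 1024),
        "proxy_1m_buffer": proxy_scan(chunks(obj), 1024 * 1024),
        "naive_chunks": naive_chunk_scan(chunks(obj)),
        "stream": stream_scan(chunks(obj)),
    }


if __name__ == "__main__":
    for name, (verdict, sig, peak) in run_demo().items():
        print(f"{name:18} {verdict:9} sig={sig} peak_memory={peak} bytes")
```

With a 128 KiB buffer the proxy hands the object on unscanned; with a 1 MiB buffer it catches the signature but had to hold all 256 KiB to do so. The streaming scan catches the same signature while holding one chunk plus 42 bytes, and that figure does not grow with the object or with the number of concurrent users.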

Page 26: Security trend-with-sec point

Adaptable Architecture

Adaptable Architecture

[Diagram: the platform's update feeds: Signature Database (the same signature categories and counts listed on page 16), AV Database, Phishing/Spyware/IPS Database, Spyware Database, all maintained by the SecPoint Response Team.]

The UTM platform is continually updated to prevent emerging threats, 24x7

Future-proofed investment for security

The platform continually evolves to block emerging threats

Updates to the security posture are completely automated - no user intervention

Page 27: Security trend-with-sec point

Intrusion Prevention Service

• Uses real-time packet inspection and signatures to scan for known vulnerabilities and exploits

• Scans data connections for prohibited applications

• Terminates connections that match signatures

• Signatures updated in real time from the cloud

Page 28: Security trend-with-sec point


Database of IPS ApplicationsInstant Messenger Apps

AOL Instant Messenger

Yahoo Instant Messenger

MSN Messenger

ICQ

IRC

Many more

Multimedia Apps

Windows Media Player

Real Player

iTunes

Musicmatch

Shoutcast

Audiogalaxy

Many more

Peer-to-Peer Apps

Napster

Gnutella

Kazaa

Morpheus

BitTorrent

eDonkey

eMule

Filetopia

MP2P

iMesh

Grokster

Many more

Page 29: Security trend-with-sec point

Anti Spyware Protection

• Blocks spyware delivered through auto-installed ActiveX components, the most common vehicle for distributing malicious spyware & Malware programs

• Scans and logs spyware threats that are transmitted through the network and alerts administrators when new spyware is detected and/or blocked

• Stops existing spyware programs from communicating in the background with hackers and servers on the Internet, preventing the transfer of confidential information

• Provides granular control over networked applications by enabling administrators to selectively permit or deny the installation of individual spyware or malware programs

• Prevents e-mailed spyware threats by scanning and then blocking infected e-mails transmitted either through SMTP, IMAP or Web-based e-mail


Page 30: Security trend-with-sec point

Better Protection & Performance: Solutions Are Not Created Equal

[This slide repeats the chart on page 14 with two changes: "Block Applications such as Skype" in place of MSN under Intelligent UTM Protection, and "Skype/Instant Messenger threats" in place of P2P/Instant Messenger threats under "Highest Risk" Threats.]

Page 31: Security trend-with-sec point

More Than External Security

Page 32: Security trend-with-sec point

The "Enemy" Within: the Human Factor

The average employee is the unwitting accomplice:

– 30% to 40% of employee Internet use is not work related*

– 80 Million Americans or 27% of the US population use IM*

– 55% of online users have been infected with spyware*

– Instant messaging security threats double every 6 months*

*Intl Data Corp * Consumer Affairs *Bigfoot Interactive *Gartner

[Chart: non-work related activities, share of employees (values paired with labels in the order both appear on the slide): None 21%, Hacking Tools 4%, Illegal Software 10%, DVDs 14%, P2P File Sharing 16%, MP3s 29%, Streaming Media 44%, Games 47%, Personal IM 54%]

Page 33: Security trend-with-sec point

Productivity Counts Too!

• On average an employee spends 1 hour per day on the Internet for non-work related activities. (Source: International Data Corp.)

• A typical 25 employee company can lose over $150K annually in lost productivity from Internet misuse.

[Chart: non-work related Internet use per week, 2005 vs 2004 (each series sums to 100%): Not sure 0% / 2%, Over 11 hours 2% / 3%, 6 to 10 hours 5% / 3%, 1 to 5 hours 51% / 51%, 0 hours 42% / 41%]

Source: Web@Work 2005, Harris Interactive

Page 34: Security trend-with-sec point

SecPoint All in One

The Protector is a dedicated appliance purpose-built for the unique needs of application layer security

Content Security Appliance

A Dynamic Threat Management solution for customers with installed firewalls from Cisco, Checkpoint, Juniper or other vendors

• Gateway Anti Spam

• Gateway Anti-Virus

• Gateway Anti-Spyware

• Web Content Filtering

• IM & P2P Filtering

• Works behind any firewall

Page 35: Security trend-with-sec point

UTM for non SP Networks


SecPoint Content Security Management:

• Appliance = Simple and cost-effective

• Multi-threat ready = Total security

• Modular licensing = Scalable

• Any firewall = Large market

SMBs need a cost-effective means of upgrading their security without necessarily upgrading their firewall

Page 36: Security trend-with-sec point

Questions?

Page 37: Security trend-with-sec point

Thank you

Martin de Gier

SecPoint Nederland

[email protected]