Wednesday, May 23, 2012

CISSP CPE6: NSS Labs - Consistency in Security Effectiveness

length: 01:00:00

Webinar with Sourcefire regarding the NSS IPS group test 2012

Dave Stuart, Marketing, Sourcefire
Bob Walder, Chief Research Officer, NSS Labs
Jason Brvenik, VP Security Strategy, Sourcefire

NSS: security research & analysis company; a subscription gives unlimited access to in-depth tests.
Provides the information that businesses need to be secure.
Independent! NOT vendor funded!

Why perform tests?
NSS is the only one with in-house testing facilities.
Right size is not the same as throughput.
Effective protection?
The idea is to see how devices perform in the real world.
The bad guys are always one step ahead; the good guys are always playing catch-up.

% detection?
Does it protect better S2C or C2S?
Which applications are covered more?

6.2 IPS methodology
The methodology has been revised: the largest and most comprehensive test ever.
1500 live exploits & evasions (just a subset of the thousands of exploits), not traffic replay
300 new exploits, 75 new evasions
Connection dynamics & their real-world impact
All new management criteria & analysis (important point)
All new device stability testing (extensive fuzzing tests, leakage, ...)
3-year TCO & value calculation (not only the purchase price: sensor, management, support, signature updates, man hours)
Effective security of the device.
Performance of the device.

If a vendor performs consistently year after year, it means that vendor has kept on improving the product!!!
We talk to customers about which products they want to see.
The test is quite challenging; not all vendors are willing to participate.

Does this product meet my needs?
Does it protect assets? Performance? Scale?
What is the true TCO?
Do claims match reality?
What questions should I ask? Why is the catch rate so low? Will sessions ramp up?
Giving much more data to potential buyers.

Comparative analysis report:
Has the product improved / been maintained / degraded?
Should I upgrade to the latest version?
Should I consider another solution?
Are critical assets protected?
Which vendors are consistent? Which vendors shine brightly for a brief year and then fade?


Security value map:

Quadrant   Security   Value   Rating
Q1         +          +       recommended
Q2         -          +       neutral
Q3         -          -       caution
Q4         +          -       neutral


Sourcefire:
Buying a security product is not like buying a car: it requires consistently improving performance & effectiveness.
Security evolves: larger attack surface & new attack vectors.

4 key k

Protection
Real world IPS throughput
Concurrent connections
TCO


Sourcefire NSS 2012 results:
98.9% overall protection NSS result!
99% C2S
98% S2C
100% resistance to evasion
No attack leakage
The best overall protection of any vendor to date...

170% of rated performance.
Designed to perform: scalability, protection.

Sourcefire                  8260       8250       8120
------------------------------------------------------
Protection                  98.9%      98.9%      98.9%
Real world IPS throughput   34Gbps     17Gbps     3.4Gbps
Concurrent connections      60M        30M        15M
TCO/Mbps                    $15        $19        $34

These are pretty impressive, awesome results.
Performance well beyond what it was rated for.
We don't believe that you have to make a choice between security & performance.
We believe that if you make the investment you can achieve what you need.

Testing not completed in 2012...

8250: 15Gbps
8260: 34Gbps
8270: 51Gbps* - three stacked - does not require an external device
8290: 64Gbps* - four stacked - does not require an external device
- fail-safe mode: no need for an external tap / bypass kit.
Sourcefire: creator of Snort, ClamAV, Razorback

Omar's question:
Can vendors somehow cheat the tests (like making more aggressive signatures that might cause false positives)?
This happens... but NSS will detect cheaters.


Thursday, May 17, 2012

CISSP CPE6: Threat Review: Deconstructing Modern Trojans

Webinar by Palo Alto. Length: 01:00:00

Analyzing samples collected by WildFire

Prevalence of port/protocol evasion in malware compared to non-malicious traffic

Common tricks of evasive traffic:
1. Use an existing protocol in an unexpected way (example: IRC on port 80)
2. Use a standard protocol over non-standard ports to avoid signatures

Example: DNS tunneling tools:
tcp-over-dns
dns2tcp
Iodine
Heyoka
OzymanDNS
NSTX

These take advantage of recursive queries to pass encapsulated TCP messages to a remote DNS server and send responses back.
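Because every tunneled message has to ride inside query names, a defender can spot tunneling from the DNS log alone: many distinct names under one zone, with long, high-entropy leftmost labels. The following is an added example of that heuristic (my own code, not from the webinar or any of the tools listed); the query log, the client addresses and the thresholds are constructed, and the "last two labels" zone rule is a simplification that a public-suffix list would replace in practice.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log as (client, queried name); not real captures.
QUERY_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.9", "img1.cdn.example.org"),
    ("10.0.0.9", "img2.cdn.example.org"),
    ("10.0.0.9", "img3.cdn.example.org"),
    ("10.0.0.9", "img4.cdn.example.org"),
    ("10.0.0.9", "img5.cdn.example.org"),
    # Hypothetical tunnel: the encoded payload rides in a unique leftmost label per query.
    ("10.0.0.7", "q7m2xk9pz4wv1hd8.tun.example.net"),
    ("10.0.0.7", "b3n6rtc0e5ylf2ja.tun.example.net"),
    ("10.0.0.7", "u9gso4ix1kq8w7n3.tun.example.net"),
    ("10.0.0.7", "z5hd2pv6mt0rl4eb.tun.example.net"),
    ("10.0.0.7", "c1kaj8qy3wo5fx2g.tun.example.net"),
]

def shannon_entropy(label):
    """Bits per character; real hostnames score low, encoded payload scores high."""
    n = len(label) or 1
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())

def zone_of(name):
    """Registered-domain approximation: the last two labels (real use needs a public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def profile_zones(log):
    """Per zone: distinct names seen, mean length and mean entropy of the leftmost label."""
    names = defaultdict(set)
    for _client, name in log:
        names[zone_of(name)].add(name.lower())
    profile = {}
    for zone, uniq in names.items():
        labels = [n.split(".")[0] for n in uniq]
        profile[zone] = {
            "unique": len(uniq),
            "mean_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
        }
    return profile

def suspected_tunnels(log, min_unique=5, min_len=12, min_entropy=3.5):
    """Zones whose names look like encoded data rather than hostnames; all three thresholds must hold."""
    return sorted(zone for zone, p in profile_zones(log).items()
                  if p["unique"] >= min_unique and p["mean_len"] >= min_len
                  and p["mean_entropy"] >= min_entropy)
```

The CDN-style zone shows why the distinct-name count alone is not enough: it has as many unique names as the tunnel zone but short, low-entropy labels, so it is not flagged.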

App-ID addresses the evasion problem.
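The idea behind App-ID is to identify the application from the payload rather than trusting the port. As an added illustration (my own toy classifier, not Palo Alto's code), the block below runs that idea over constructed flows covering both tricks above, IRC on port 80 and IRC on a non-standard port, plus a malformed "HTTP" request and an unrecognized payload. The port-to-application table, the regexes and the flow records are all assumptions.

```python
import re
from collections import Counter

# Assumed port -> expected application table (a real engine has a far larger one).
EXPECTED_APP = {80: "http", 8080: "http", 6667: "irc"}

# Strict HTTP/1.x request line; anything looser is treated as non-standard HTTP.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
IRC_COMMAND = re.compile(rb"^(PASS|NICK|USER|JOIN|PRIVMSG|PING|PONG) ")

def identify_app(payload):
    """Classify the first client bytes of a TCP session by content only, never by port."""
    if HTTP_REQUEST.match(payload):
        return "http"
    if payload.startswith((b"GET ", b"POST ")):
        return "http-nonstandard"   # looks like HTTP but breaks the request-line grammar
    if IRC_COMMAND.match(payload):
        return "irc"
    return "unknown"

def verdict(dst_port, payload):
    """Pair the content-based application with the port it was seen on."""
    app = identify_app(payload)
    expected = EXPECTED_APP.get(dst_port)
    if app == "unknown":
        return app, "unknown-traffic"
    if app == "http-nonstandard":
        return app, "non-standard-http"
    if expected is None:
        return app, "standard-app-on-non-standard-port"
    if app != expected:
        return app, "app-does-not-match-port"
    return app, "ok"

# Constructed flows: (dst_port, first payload bytes). Not captured traffic.
FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"NICK bot42\r\nUSER bot42 0 * :bot42\r\n"),          # IRC on port 80
    (1337, b"PRIVMSG #lobby :hello\r\n"),                     # IRC on a non-standard port
    (80, b"GET /\n"),                                         # fake / non-standard HTTP
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),   # TLS record start: no rule here
]

def summarize(flows):
    """Count verdicts over the flows; the non-ok buckets are what a reviewer drills into."""
    return Counter(verdict(port, data)[1] for port, data in flows)
```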

WildFire analysis center: sandbox-based analysis looks over samples
- detects new and unknown malware samples
- uses App-ID to analyze traffic generated by malware
- focuses on evasive traffic behavior and unusual traffic that could not be identified by App-ID


16,497 newly discovered malware samples in April 2012:
66% of traffic was undetected by traditional AV vendors
80% of traffic was generated to the Internet
59% (7,918) generated evasive traffic


Common evasive behaviors:
sort HTTP headers
Unknown traffic
Dynamic DNS, fast-flux domains
Fake HTTP
Non-standard HTTP
IRC on the regular port
IRC on a non-standard port
(surprisingly little use of IRC; it's becoming obsolete for malware)


Unknown traffic occurs at a significantly higher rate in malware than in valid network traffic:
11% of malware sessions presented as unknown
0.6% of legitimate traffic presented as unknown

Enterprises can progressively reduce the amount of unknown traffic:
Custom App-IDs

I raised questions:
You mentioned that 66% of malware traffic is not detected by major AV software; how did you test it?
Did you involve AV companies to test it?
There is a common mistake in AV testing of simply using the AV CLI functionality, such as using VirusTotal, whereas AV has multiple layers of protection that might not detect via CLI functionality.
The common mistake of AV testing is simply using the CLI engine, whereas AV has many layers of protection that cannot be accessed via CLI.


CISSP CPE6: Deploying IPS Successfully

Webinar by Juniper. Length: 01:30:00

IPS strengths:
Data center protection
IPS is good for protecting the datacenter, especially servers.
Protecting the client-to-server direction.
But IPS is not so good at protecting clients.

It's good to add IPS capability on the FW, because there is no need to add another device, but this might not be the right reason.

Policy compliance with IPS

FW/IPS consolidation where IPS use is light

Out of band / sniffer:
1. Client to Server
2. Anomalous/Evasive Network Protocol Behavior
3. Network Layer Server to Client Attack
4. Brute Force Attacks
5. DoS Attack

Modes:
Sniffer
Integrated
Tap
Full


IPS weaknesses:
No one-box logging
IPS-only vs standalone: lack of network profiling
High performance price
Malware detection requires file format / application analysis (e.g. malicious PDF, Excel, Word, Flash objects, Java objects)

File-format-based detection
Specialized application security (WAF)
Reputation / profiling / data-import-based attack detection.


Questions before deploying IPS:
What assets to protect?
What throughput, sessions, CPS?
What type of IPS policy?


Friday, May 11, 2012

How many cell phone models do you need to dominate the world? 3


Have you ever thought that Apple only sells 3 phone models:
iPhone 4S
iPhone 4
iPhone 3GS
and they are dominating the world??

In total so far they have made only 5 different models:
(iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S)

It's incredible if you compare to Nokia, who used to dominate and have made something like 5000 different models..

I think Samsung is currently selling 88 different models and they have made hundreds of different ones.

I know a lot of people "hate" Steve Jobs, but clearly he did the right thing :)
