
Network Security Missing Gap

Tony Teo
Regional SE Director – APAC
tteo@arbor.net
Existing Solutions Have Critical Gaps

[Diagram: an enterprise perimeter connected to mobile carriers, CDNs, internal apps, remote offices, service providers, corporate servers, employees, SaaS, mobile, WiFi and cloud providers. The gaps called out are:]

• DDoS: existing solutions never see the external threat traffic.
• DDoS: existing solutions can’t withstand a direct attack.
• Advanced threat: existing solutions never see the threat already inside the enterprise.

DDoS Challenges
Not Optimized for DDoS Protection

Weak in DDoS countermeasure:
• Add-on DDoS features are not effective against complex application-layer DDoS attacks.
• Signature-based detection is effective against flood attacks.
• Cannot protect against DDoS of the upstream ISP link.

Can be DDoSed:
• Firewall, IPS, WAF and load balancer are stateful architectures.
• Small-packet traffic can spike the CPU resources.
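To make the stateful-architecture point concrete, here is a small simulation added for this write-up; it is not code from the presentation or from Arbor. A device with a fixed-size connection table receives constructed sample traffic, a steady stream of legitimate connections plus a burst of tiny one-packet flows from many sources, and we count how many legitimate connections it turns away and how much per-packet work it does. The device model, the table size, the idle timeouts and the traffic mix are all assumptions chosen for the illustration.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds
    src: str      # source address (constructed)
    flow: int     # flow identifier; one id per connection attempt
    legit: bool   # ground-truth label, used only to score the run


class StatefulDevice:
    """Model of a firewall / IPS / WAF / load balancer that must keep one
    entry per flow in a fixed-size connection table.  Every packet costs a
    lookup and every new flow an insert, so work grows with packet count,
    not with bytes.  (Assumed model, not any vendor's implementation.)"""

    def __init__(self, table_size: int, idle_timeout: float) -> None:
        self.table_size = table_size
        self.idle_timeout = idle_timeout
        self.table: "OrderedDict[int, float]" = OrderedDict()  # flow -> last seen
        self.scored: set = set()
        self.admitted_legit = 0
        self.dropped_legit = 0
        self.cpu_ops = 0

    def _expire(self, now: float) -> None:
        # Entries are kept in last-seen order, so age out from the front.
        while self.table:
            _, last_seen = next(iter(self.table.items()))
            if now - last_seen <= self.idle_timeout:
                break
            self.table.popitem(last=False)
            self.cpu_ops += 1

    def handle(self, pkt: Packet) -> bool:
        """Returns True if the packet is passed, False if refused."""
        self._expire(pkt.t)
        self.cpu_ops += 1                            # table lookup
        if pkt.flow in self.table:                   # known flow: refresh
            self.table[pkt.flow] = pkt.t
            self.table.move_to_end(pkt.flow)
            return True
        accepted = len(self.table) < self.table_size
        if accepted:
            self.table[pkt.flow] = pkt.t             # new entry
            self.cpu_ops += 1
        if pkt.legit and pkt.flow not in self.scored:
            # Score each legitimate connection once, on its first packet.
            self.scored.add(pkt.flow)
            if accepted:
                self.admitted_legit += 1
            else:
                self.dropped_legit += 1
        return accepted


def build_sample_traffic() -> List[Packet]:
    """Constructed traffic: 10 legitimate connections per second for 120 s,
    each sending six packets five seconds apart, plus a 10 s burst of 5,000
    single-packet flows per second from many different source addresses."""
    pkts: List[Packet] = []
    flow = 0
    for sec in range(120):
        for i in range(10):
            flow += 1
            start = sec + i / 10
            for k in range(6):
                pkts.append(Packet(start + 5 * k, f"10.0.{sec}.{i}", flow, True))
    for sec in range(40, 50):
        for i in range(5000):
            flow += 1
            pkts.append(Packet(sec + i / 5000, f"198.51.100.{i % 256}", flow, False))
    pkts.sort(key=lambda p: p.t)
    return pkts


def run_simulation(table_size: int, idle_timeout: float) -> Dict[str, int]:
    """Run the sample traffic through one device configuration."""
    device = StatefulDevice(table_size, idle_timeout)
    for pkt in build_sample_traffic():
        device.handle(pkt)
    return {"admitted_legit": device.admitted_legit,
            "dropped_legit": device.dropped_legit,
            "cpu_ops": device.cpu_ops}


if __name__ == "__main__":
    for timeout in (60.0, 5.0):
        print(f"idle timeout {timeout:>4}s:", run_simulation(10_000, timeout))
```

Comparing run_simulation(10_000, 60.0) with run_simulation(10_000, 5.0) shows the two knobs a defender actually has on such a device, table capacity and idle timeout: aggressive aging reduces, but does not eliminate, the legitimate connections refused while the table is full, and the work counter grows with packet count rather than bytes, which is why the slide says small-packet traffic can spike the CPU.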
Modern DDoS Attacks Are Complex & Diverse

The Broad Impact of DDoS Attacks

[Diagram: attack traffic and good traffic entering a data center through an IPS and a load balancer.]

Today’s DDoS attacks can cause (1) saturation upstream, (2) state exhaustion, or (3) service outages – many times a single attack can result in all three – and all with the same end result: critical services are no longer available!
Total DDoS Protection

[Diagram: the same enterprise environment, now covered by Peakflow SP/TMS at the service provider (see and stop the threat anywhere), the Pravail Availability Protection System at the enterprise perimeter (stop the threat), Arbor Cloud (ATLAS) with Cloud Signaling between them, and a Threat Dashboard. The remaining gap: never see the threat already inside the enterprise.]
MAINTAINS LEAD IN OVERALL MARKET AND HIGH-GROWTH SEGMENTS

In 1Q14 total DDoS prevention appliance revenue, Arbor ranks first with 48.8%; they maintain a strong leadership position despite having a wide range of challengers.

[Chart: DDoS Prevention Worldwide Quarterly Revenue Market Share, 3Q13.]

Source: DDoS Prevention Appliances Biannual Worldwide and Regional Market Share, Size, and Forecasts: 1st Edition, Report Excerpts, June 2014, by analyst Jeff Wilson.
Competitive Landscape

Key takeaway: Changing technologies and customer requirements leave significant potential for advancement in the competitive landscape.

[Chart: Total DDoS Mitigation Market: Global, 2013, plotting vendors by "Meets Market Demands" against "Market Penetration". Vendors shown: Arbor Networks, Radware, Akamai, Prolexic, Verisign, Neustar, Fortinet, Corero Network Security, Juniper Networks, Huawei, NSFOCUS, Imperva (Incapsula), Black Lotus, Rio Rey. Legend: Market Leader, Market Challenger, Market Contender, Emerging Competitor.]

Source: A custom excerpt from Frost & Sullivan’s Global DDoS Mitigation Market Research Report (NDD2-72), July 2014.
ASERT Datasets: ATLAS Sensors

1. ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity.
2. This information is sent to an ATLAS central repository where it is combined with Arbor Peakflow, third-party, and vulnerability data.
3. ASERT analyzes the combined data and converts it into actionable intelligence, which is posted on the ATLAS public portal.
The Arbor ATLAS Initiative

• 290+ ISPs sharing real-time data
– Automated hourly export of an XML file to the Arbor server (HTTPS)
– File is anonymous, only tagged with:
– User specified region, e.g. Europe
– Provider type (self categorized), e.g. Tier 1

• Arbor has an extensive sharing network
– Over a hundred national CERT teams (~50% coverage)
– Large cross-section of the security industry, through various sharing groups
– ATLAS portal has 711 unique users, registering 6,006 ASNs for reporting
[Callout: 120+ TB, approx. 1/3 of daily world Internet traffic]

• ATLAS factoids
– ASERT has data for 44,570 ASNs of 45,369 ASNs total (~98%)
– ASERT has seen 2.63B unique IPv4 addresses (~71% of the theoretical (2^32 – 588,514,304) public addresses)
– ASERT monitors 1.76M “dark” IPv4 addresses
– The 6,006 ASNs providing ASERT intelligence map to 1.25B IPv4 hosts (48%)
Did you know?

Arbor Networks collaborated with Google Ideas to create the Digital Attack Map (www.digitalattackmap.com), a data visualization that maps global distributed denial of service (DDoS) attacks.

This Attack Map leverages Arbor’s ATLAS data, allowing users to explore historical trends in DDoS attacks and make the connections to related news on any given day.
We see things others can’t. Global Intelligence. Local Protection.
DDoS Campaigns & Advanced Threats

[Diagram: ASERT publishes the AIF reputation feed to a data center; attack traffic and good traffic arrive from ISP 1, ISP 2 … ISP n and pass through an IPS and a load balancer toward the target applications & services.]

• IP reputation feed for active DDoS campaigns
• IP & DNS reputation for advanced threats
DDoS & Malware Detection: ATLAS Intelligence Feeds

AIF Standard Feed support capabilities:
– DDoS threats
– IP geo-location
– Web crawler identification
– Command and control
• Incorporates domain & IP reputation data to expand breadth of coverage
• Improves accuracy of attack detection

AIF Advanced Feed support capabilities:
– Location-based threats
– Email threats
– Targeted attacks
– Mobile malware
• Establishes confidence levels based on real-time Internet activities
• Provides continuous research on known threats
Multi-Tier DDoS: The Cloud Signaling Coalition

Unite the enterprise and service & cloud providers via Arbor’s Cloud Signaling.

[Diagram: the Internet service provider runs an Arbor Peakflow SP / TMS-based cloud DDoS service; the subscriber network runs Arbor Pravail APS in front of the firewall / IPS / WAF and the public-facing servers of the data center network, with a Cloud Signaling status display.]

1. Service operating normally.
2. Attack begins and is blocked by Pravail.
3. Attack grows, exceeding the bandwidth.
4. Cloud Signal launched.
5. Customer fully protected!
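The five steps above can be read as a small protocol between the on-premises device and the provider. The following Python model was added for this write-up; it is not Arbor's code and does not reproduce the real Cloud Signaling protocol. The message fields, state names, shared-key HMAC authentication, sequence numbers and the 1 Gbps link are assumptions chosen to show the escalation and, going slightly beyond the slide, why such a signal has to be authenticated: a provider that accepted unauthenticated or replayed requests could be made to start or stop scrubbing for a subscriber by anyone.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Cloud Signaling status values for the on-premises device (assumed names).
NORMAL = "normal"                      # 1. service operating normally
LOCAL_MITIGATION = "local_mitigation"  # 2. attack blocked on premises
CLOUD_SIGNALED = "cloud_signaled"      # 4. signal sent, no confirmation yet
CLOUD_MITIGATED = "cloud_mitigated"    # 5. provider scrubbing upstream


def sign(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the message body."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class ProviderTMS:
    """Upstream scrubbing side (stands in for the provider's Peakflow
    SP/TMS).  It acts only on correctly signed, strictly increasing
    requests from a device it knows, so a forged or replayed signal
    cannot start or stop scrubbing for a subscriber."""

    def __init__(self, subscriber_keys: Dict[str, bytes]) -> None:
        self.keys = subscriber_keys          # device id -> shared key (assumed)
        self.last_seq: Dict[str, int] = {}
        self.active: Dict[str, dict] = {}    # prefix -> request being scrubbed
        self.received: List[dict] = []

    def receive(self, raw: str) -> str:
        msg = json.loads(raw)
        body, sig = msg["body"], msg["sig"]
        key = self.keys.get(body.get("device", ""))
        if key is None or not hmac.compare_digest(sign(key, body), sig):
            return json.dumps({"type": "reject", "reason": "bad signature"})
        if body["seq"] <= self.last_seq.get(body["device"], 0):
            return json.dumps({"type": "reject", "reason": "replayed sequence"})
        self.last_seq[body["device"]] = body["seq"]
        self.received.append(body)
        if body["type"] == "mitigation_request":
            self.active[body["prefix"]] = body
            return json.dumps({"type": "mitigation_started", "prefix": body["prefix"]})
        if body["type"] == "mitigation_release":
            self.active.pop(body["prefix"], None)
            return json.dumps({"type": "mitigation_stopped", "prefix": body["prefix"]})
        return json.dumps({"type": "reject", "reason": "unknown type"})


class OnPremAPS:
    """On-premises device (stands in for Pravail APS).  It blocks attack
    traffic locally while the attack still fits inside the upstream link,
    and signals the provider once the link itself is being saturated."""

    def __init__(self, device: str, key: bytes, prefix: str,
                 link_bps: int, provider: ProviderTMS) -> None:
        self.device, self.key, self.prefix = device, key, prefix
        self.link_bps, self.provider = link_bps, provider
        self.seq = 0
        self.state = NORMAL
        self.history: List[str] = []   # what the "Cloud Signaling status" shows

    def _send(self, mtype: str, attack_bps: int) -> dict:
        self.seq += 1
        body = {"device": self.device, "type": mtype, "prefix": self.prefix,
                "attack_bps": attack_bps, "seq": self.seq}
        raw = json.dumps({"body": body, "sig": sign(self.key, body)})
        return json.loads(self.provider.receive(raw))

    def observe(self, attack_bps: int) -> str:
        """Feed one measurement of inbound attack volume; returns the state."""
        if attack_bps == 0:
            if self.state == CLOUD_MITIGATED:
                self._send("mitigation_release", 0)
            self.state = NORMAL
        elif attack_bps < self.link_bps:
            if self.state in (NORMAL, LOCAL_MITIGATION):
                self.state = LOCAL_MITIGATION
        elif self.state != CLOUD_MITIGATED:
            reply = self._send("mitigation_request", attack_bps)
            self.state = (CLOUD_MITIGATED if reply["type"] == "mitigation_started"
                          else CLOUD_SIGNALED)
        self.history.append(self.state)
        return self.state


def run_scenario() -> dict:
    """Constructed scenario on a 1 Gbps link: the attack starts small, grows
    past the link capacity, then ends once scrubbing is in place."""
    key = b"constructed-shared-key"     # placeholder, not a real credential
    tms = ProviderTMS({"aps-dc1": key})
    aps = OnPremAPS("aps-dc1", key, "203.0.113.0/24", 1_000_000_000, tms)
    for bps in (0, 200_000_000, 800_000_000, 1_500_000_000, 0):
        aps.observe(bps)
    # A request signed with the wrong key must be rejected by the provider.
    forged = {"device": "aps-dc1", "type": "mitigation_request",
              "prefix": "203.0.113.0/24", "attack_bps": 1, "seq": 99}
    forged_reply = json.loads(tms.receive(json.dumps(
        {"body": forged, "sig": sign(b"wrong-key", forged)})))
    return {"states": aps.history,
            "provider_messages": [m["type"] for m in tms.received],
            "forged_reply": forged_reply["type"]}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The state history returned by run_scenario() walks through the slide's steps: normal, locally mitigated while the attack is below link capacity, cloud-mitigated once it exceeds it, and back to normal with an explicit release so the provider does not keep scrubbing a prefix indefinitely.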
Advanced Threat Challenges
What is dwell time?

Dwell time refers to how much time attackers have spent inside your system before discovery and mitigation.

• Attacks in the later stages of the kill chain are taking up residence in your network.
• Once inside the network, attacks get more difficult to track and identify.
Time Lapsed Detecting An Advanced Threat

[Diagram: the attack cycle 1. Recon, 2. Gets in, 3. Spreads, 4. Command out, 5. Steals/acts, with the threat detected after 192 days.]
APT Operation – Long Term Objective
Why Pravail Security Analytics

Purpose-built “hunting” solution to empower your security teams:
1. Easy to deploy
2. Full context of an attack in minutes
3. See attacks as they happen
4. Loops data to reveal undetected attacks
5. ATLAS delivers high fidelity security intelligence based on global attack traffic.
Pravail Security Analytics Operation

[Diagram: intelligent security packet capture feeds a big data engine that produces the security report; data looping feeds retained captures back through the engine.]

Pravail Security Analytics Data Looping

[Diagram: the same pipeline, highlighting the data looping step.]
Pravail Security Analytics for 0 Day Exploit Hunting

[Diagram: a timeline across Month 1, Month 2 and Month 3 Traffic/PCAP; the zero day attack occurs in Month 1.]

– Total analytics data after 1 month: all traffic looped, zero day not found (detection capability update, but without a signature for the zero day attack).
– Total analytics data after 2 months: all traffic looped, zero day not found (detection capability update, again without a signature for the zero day attack).
– Total analytics data after 3 months: all traffic looped, zero day FOUND (detection capability update INCLUDING a signature for the zero day attack).

Now that the zero day attack has been identified, the attack timeline can be established.
Hunting 0-Day Attack
0 Day Vulnerabilities / Attack Challenges

[Timeline, built up over several slides:]
– t=0: 0 day vulnerability discovered by hacker.
– t=0: good guy UNAWARE of the new 0 day vulnerability.
– t=3: 0 day exploit launched.
– t=5: CnC.
– t=50: What do you do when you receive a vulnerability disclosure? Patch the affected system.
– Ticks t=0, t=3, t=50 and t=53, labelled NO PROTECTION over the earlier span and PROTECTED over the later span.
Traditional Security Solution for 0 Day Exploit Hunting

[Diagram: at the perimeter, AV, WAF, FW, IPS and sandbox each block and alert; on the internal network, a SIEM correlates logs, packet capture and hosts at t > 50. Timeline ticks: t=0, t=3, t=50.]

Mean time to detect 0 Day attack timeline = Never?
Pravail Security Analytics for 0 Day Exploit Hunting

Mean time to detect a 0 Day attack timeline = Minutes

[Diagram: the same Month 1 / Month 2 / Month 3 Traffic/PCAP timeline as before: all traffic looped after 1 and 2 months, zero day not found; after 3 months, zero day FOUND, and the attack timeline can be established. Attack dwell time is marked against the ticks t=0, t=3, t=50.]
0 Day Vulnerabilities / Attack Challenges

[Timeline revisited: at t=3 the 0 day exploit is launched, the attack infection point!! From t=3 to t=5, CnC.]
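The data-looping idea behind the two 0 Day Exploit Hunting slides, and the dwell time defined earlier, can be shown end to end in a few dozen lines. The following Python model was added for this write-up; it is not Pravail's code and its record format, signatures, monthly buckets and the day numbers are constructed for the example (the exploit at t=3 and the CnC traffic at t=5 follow the slide timeline; the detection-content updates are placed at days 30, 60 and 90 to match the three monthly loops). It keeps captured flow metadata per month, re-scans it every time detection content is updated, and once a signature for the zero day arrives uses the earliest hit as the infection point, computes the dwell time, and pivots on the infected host to rebuild the attack timeline.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    """One retained flow summary (constructed fields, not a real PCAP)."""
    day: int           # day offset from t=0 on the slide timeline
    src: str
    dst: str
    dport: int
    payload_tag: str   # stand-in for a payload fingerprint a signature matches


@dataclass(frozen=True)
class Signature:
    name: str
    payload_tag: str


class Archive:
    """Retained capture metadata, bucketed per month so it can be looped."""

    def __init__(self) -> None:
        self.months: Dict[int, List[Record]] = {}

    def store(self, rec: Record) -> None:
        self.months.setdefault(rec.day // 30 + 1, []).append(rec)

    def loop(self, sigs: List[Signature], up_to_day: int) -> List[Tuple[Record, Signature]]:
        """Re-scan everything captured up to a given day with the signature
        set current at that day (the "data looping" step)."""
        hits = [(rec, sig)
                for month in sorted(self.months)
                for rec in self.months[month] if rec.day <= up_to_day
                for sig in sigs if rec.payload_tag == sig.payload_tag]
        return sorted(hits, key=lambda h: h[0].day)

    def host_timeline(self, host: str, since: int) -> List[Record]:
        """Every retained record touching a host from a given day onward."""
        return sorted((r for recs in self.months.values() for r in recs
                       if r.day >= since and host in (r.src, r.dst)),
                      key=lambda r: r.day)


def hunt(archive: Archive, updates: List[Tuple[int, List[Signature]]],
         target: str) -> dict:
    """Apply each detection-content update in order, loop the archive with
    it, and on the first update that finds the target build the timeline."""
    report: dict = {"loops": [], "infection_day": None, "detection_day": None,
                    "dwell_days": None, "timeline": []}
    for day, sigs in updates:
        found = [rec for rec, sig in archive.loop(sigs, day) if sig.name == target]
        report["loops"].append((day, bool(found)))
        if found:
            first = found[0]                      # earliest hit = infection point
            report["infection_day"] = first.day
            report["detection_day"] = day
            report["dwell_days"] = day - first.day
            report["timeline"] = [(r.day, r.src, r.dst, r.dport, r.payload_tag)
                                  for r in archive.host_timeline(first.dst, first.day)]
            break
    return report


def build_sample_archive() -> Archive:
    """Constructed 90 days on the slide's timeline: exploit delivered at
    t=3, beaconing to a command-and-control host from t=5, benign noise."""
    arc = Archive()
    for day in range(90):
        arc.store(Record(day, "10.0.0.5", "10.0.0.53", 53, "dns-query"))
        arc.store(Record(day, "10.0.0.8", "10.0.0.53", 53, "dns-query"))
        arc.store(Record(day, "192.0.2.10", "10.0.0.5", 443, "tls-clienthello"))
    arc.store(Record(3, "198.51.100.7", "10.0.0.5", 443, "zday-exploit-pattern"))
    for day in range(5, 90, 7):
        arc.store(Record(day, "10.0.0.5", "198.51.100.7", 8443, "cnc-beacon"))
    return arc


# Constructed detection-content updates: the first two lack the zero-day
# signature, the third (month 3) includes it.
OLD = Signature("old-worm", "worm-pattern")
SAMPLE_UPDATES = [
    (30, [OLD]),
    (60, [OLD]),
    (90, [OLD, Signature("zero-day-exploit", "zday-exploit-pattern"),
          Signature("zero-day-cnc", "cnc-beacon")]),
]


def run_hunt() -> dict:
    return hunt(build_sample_archive(), SAMPLE_UPDATES, "zero-day-exploit")


if __name__ == "__main__":
    result = run_hunt()
    for day, hit in result["loops"]:
        print(f"update at day {day}: zero day {'FOUND' if hit else 'not found'}")
    print("infection day", result["infection_day"], "detection day",
          result["detection_day"], "dwell", result["dwell_days"], "days")
```

The point the slides make is visible in the report: the first two loops find nothing because the signature does not exist yet, the third finds the day-3 exploit in Month 1 data that would long since have been discarded by a perimeter device, and the dwell time (detection day minus infection day) and the CnC beaconing that followed drop out of the retained data rather than having to be reconstructed from memory.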
Arbor’s Solution Bridges the Gaps

[Diagram: the enterprise environment from the opening slide. The service-provider-side gaps (never see the external threat traffic; can’t withstand a direct attack) are shown alongside Pravail Security Analytics, which lets you detect, play, pause & rewind the threat / attack lurking inside the enterprise, with a Threat Dashboard.]
Arbor Overview

• DDoS
• Advanced Threats
• Arbor Cloud
• Cloud Signaling
• ~100 Tbps visibility
Arbor Networks-Wide Product Portfolio

[Diagram: good traffic and malicious traffic & malware flowing from a mobile user / attacker through the mobile carrier, the service provider, public and private clouds and corporate networks to the internal employee, with the products placed along the chain: Mobile SP, SP/TMS, ATLAS/ASERT, APS, NSI, SA.]

13+ years experience delivering innovative security technologies. 90% of Tier 1 and 70% of Tier 2 service providers. 40% of global internet traffic monitored by ATLAS.
Thank You
