53_200906-iss-prg-utimaco.pdf

7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf

1/16

What LI can learn from Anti-SPAM, Anti-Virus,IDS/IPS, and DPI technologiesDirk Schrader

4 June 2009, ISS Track 2, 13:30! 14:00

Utimaco Safeware AG


2/16

2

UtimacoSafewareAG2

008

Contents

! Introductions

! Anti-SPAM and LI

! Anti-Virus and LI

! IDS/IPS and LI

! DPI and LI

! Summary

! Q&A and Thank You


3/16

3

UtimacoSafewareAG2

008

Introductions ! About Dirk

Dirk Schrader

Sales Director @ Utimaco LIMS

CISSP Certified InformationSystem Security Professional


4/16

4

UtimacoSafewareAG2

008 Offices

Reseller/Distributors

Introductions ! About Utimaco

! Founded in 1983

! Listed on the German Stock

Exchange

! "59.2 million (fiscal year 07/08)

! 300+ employees

in offices worldwide

! Headquarters in Germany

! 12 subsidiaries and established

distributor and partner networkaround

! recently acquired by Sophos Plc


5/16

5

UtimacoSafewareAG2

008

Introductions ! About the topic

You have heard about this technologies protecting your Notebook from

the evil lurking out there in the Net.What do they do exactly? How to use their methods for LI?

This session shall give an overview about the methods and the way

they can help improving LI in a world communicating in packets.

! Anti-SPAM,

! Antivirus,

! Intrusion Detection/

Prevention Systems,

! Deep Packet Inspection.


6/16

6

UtimacoSafewareAG2

008

Anti-SPAM ! Overview

! Basics

aka Email-Filtering, used in

automated techniques.

Some of these depend uponrejecting email from Internet sites

known or likely to send spam.

Others rely on automatically

analyzing the content of email

messages and weeding out thosewhich resemble spam.

! Keywords

w Regular Expressions

w Blocking and Filtering

w Checksum-based

w C/R System

w Bayesian (Statistical)

Filtering

w Transparent Proxyw B/W-List (DNS-based)


7/16

7

UtimacoSafewareAG2

008

Anti-SPAM ! LI implications

! Filters can help, but can also be evaded, if not kept up-

to-date

! Mass data (in average 80% of email is SPAM) needs tobe (pre-)handled, but can never be 100% correct

! Different approaches targeting the same goal can

increase accuracy


8/168

UtimacoSafewareAG2

008

Anti-Virus! Overview

! Basics

identifies and removes SW viruses,

or any kind of malware. Several

methods exist to identify malware.Signature based detection islimited as it can only identify a

limited amount of emerging threats.

Suspicious behavior monitors thebehavior of all programs. If one tries

to write data to an executable

program, the antivirus alerts.

Sophisticated AV-SW uses

heuristic analysis to identify newmalware.

! Keywords

w Metamorphic viruses

w False positives

w False negatives

w Signature Updates

w Sandbox


9/169

UtimacoSafewareAG2

008

Anti-Virus! LI implications

! Signatures must be kept up-to-date, using them for LI

purposes requires a repository to keep track.

! False positives are likely, as well as false negatives

!A secured environment is necessary to find information

covered by something which poses a threat to the LI

system.


10/1610

UtimacoSafewareAG2

008

IDS/IPS! Overview

! Basics

is SW a/o HW designed to

detect/prevent unwanted attempts

to manipulate a PC.A statistical anomaly basedsystem establishes a performance

baseline based on normal network

traffic evaluations.

A signature based system

examines network traffic forpreconfigured and predetermined

attack patterns.

! Keywords

w False positives

w False negatives

w Signature Updates

w Network-based

w Protocol-based

w Host-based

w Content-based


11/1611

UtimacoSafewareAG2

008

IDS/IPS! LI implications

! The interception access point dominates the LI

approach.

!Again: False positives are likely, as well as falsenegatives

! T$e 'roblem of baselines2 3$a4 is 5normal


12/1612

UtimacoSafewareAG2

008

DPI ! Overview

! Basics

DPI is a form of computer network

packet filtering that examines the

data and/or header part of apacket as it passes an inspection

point.

It enables advanced security

functions as well as internet data

mining.

DPI combines the functionality ofIDS, IPS and Stateful Firewalls to

have the ability to look at Layer 2

through Layer 7 of the OSI model.

! Keywords

w Traffic access point

w Intercepting proxy

server

w Protocol-awareness


13/1613

UtimacoSafewareAG2

008

DPI ! LI implications

! Layer 7 interception needs understanding of the ever

changing world of protocols.

! TA8 a4 4$e 3rong 'lace2 an; youll never see yourtarget.

! Layer 2 technologies like MPLS can be cumbersome


14/1614

UtimacoSafewareAG2

008

Summary

! Keep track of your trigger criterias in a kind of repository

! Keep your trigger criterias up-to-date

!Automation never produces 100% results, but greatly

reduces the workload for human intelligence.! The key is tuning the sensitivity (balancing false pos.

against false neg.)

! Mind your point of access to the network

! Protocol-awareness is crucial


15/1615

UtimacoSafewareAG2

008

Q&A and Thank You

Feel free to start the Q&A part

Thank you for your kind attention!


16/1616

UtimacoSafewareAG2

008

Contact details

Dirk Schrader

Director Sales LIMS

Utimaco Safeware AGGermanusstrasse 4

DE-52080 Aachen

[email protected]

Fon +49(241) 1696-226 ? @a BCDEFCGH GIDI-199Mobile +49(172)7556617

53_200906-iss-prg-utimaco.pdf

Documents