53_200906-iss-prg-utimaco.pdf
TRANSCRIPT
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
1/16
What LI can learn from Anti-SPAM, Anti-Virus,IDS/IPS, and DPI technologiesDirk Schrader
4 June 2009, ISS Track 2, 13:30! 14:00
Utimaco Safeware AG
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
2/16
2
UtimacoSafewareAG2
008
Contents
! Introductions
! Anti-SPAM and LI
! Anti-Virus and LI
! IDS/IPS and LI
! DPI and LI
! Summary
! Q&A and Thank You
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
3/16
3
UtimacoSafewareAG2
008
Introductions ! About Dirk
Dirk Schrader
Sales Director @ Utimaco LIMS
CISSP Certified InformationSystem Security Professional
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
4/16
4
UtimacoSafewareAG2
008 Offices
Reseller/Distributors
Introductions ! About Utimaco
! Founded in 1983
! Listed on the German Stock
Exchange
! "59.2 million (fiscal year 07/08)
! 300+ employees
in offices worldwide
! Headquarters in Germany
! 12 subsidiaries and established
distributor and partner networkaround
! recently acquired by Sophos Plc
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
5/16
5
UtimacoSafewareAG2
008
Introductions ! About the topic
You have heard about this technologies protecting your Notebook from
the evil lurking out there in the Net.What do they do exactly? How to use their methods for LI?
This session shall give an overview about the methods and the way
they can help improving LI in a world communicating in packets.
! Anti-SPAM,
! Antivirus,
! Intrusion Detection/
Prevention Systems,
! Deep Packet Inspection.
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
6/16
6
UtimacoSafewareAG2
008
Anti-SPAM ! Overview
! Basics
aka Email-Filtering, used in
automated techniques.
Some of these depend uponrejecting email from Internet sites
known or likely to send spam.
Others rely on automatically
analyzing the content of email
messages and weeding out thosewhich resemble spam.
! Keywords
w Regular Expressions
w Blocking and Filtering
w Checksum-based
w C/R System
w Bayesian (Statistical)
Filtering
w Transparent Proxyw B/W-List (DNS-based)
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
7/16
7
UtimacoSafewareAG2
008
Anti-SPAM ! LI implications
! Filters can help, but can also be evaded, if not kept up-
to-date
! Mass data (in average 80% of email is SPAM) needs tobe (pre-)handled, but can never be 100% correct
! Different approaches targeting the same goal can
increase accuracy
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
8/168
UtimacoSafewareAG2
008
Anti-Virus! Overview
! Basics
identifies and removes SW viruses,
or any kind of malware. Several
methods exist to identify malware.Signature based detection islimited as it can only identify a
limited amount of emerging threats.
Suspicious behavior monitors thebehavior of all programs. If one tries
to write data to an executable
program, the antivirus alerts.
Sophisticated AV-SW uses
heuristic analysis to identify newmalware.
! Keywords
w Metamorphic viruses
w False positives
w False negatives
w Signature Updates
w Sandbox
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
9/169
UtimacoSafewareAG2
008
Anti-Virus! LI implications
! Signatures must be kept up-to-date, using them for LI
purposes requires a repository to keep track.
! False positives are likely, as well as false negatives
!A secured environment is necessary to find information
covered by something which poses a threat to the LI
system.
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
10/1610
UtimacoSafewareAG2
008
IDS/IPS! Overview
! Basics
is SW a/o HW designed to
detect/prevent unwanted attempts
to manipulate a PC.A statistical anomaly basedsystem establishes a performance
baseline based on normal network
traffic evaluations.
A signature based system
examines network traffic forpreconfigured and predetermined
attack patterns.
! Keywords
w False positives
w False negatives
w Signature Updates
w Network-based
w Protocol-based
w Host-based
w Content-based
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
11/1611
UtimacoSafewareAG2
008
IDS/IPS! LI implications
! The interception access point dominates the LI
approach.
!Again: False positives are likely, as well as falsenegatives
! T$e 'roblem of baselines2 3$a4 is 5normal
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
12/1612
UtimacoSafewareAG2
008
DPI ! Overview
! Basics
DPI is a form of computer network
packet filtering that examines the
data and/or header part of apacket as it passes an inspection
point.
It enables advanced security
functions as well as internet data
mining.
DPI combines the functionality ofIDS, IPS and Stateful Firewalls to
have the ability to look at Layer 2
through Layer 7 of the OSI model.
! Keywords
w Traffic access point
w Intercepting proxy
server
w Protocol-awareness
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
13/1613
UtimacoSafewareAG2
008
DPI ! LI implications
! Layer 7 interception needs understanding of the ever
changing world of protocols.
! TA8 a4 4$e 3rong 'lace2 an; youll never see yourtarget.
! Layer 2 technologies like MPLS can be cumbersome
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
14/1614
UtimacoSafewareAG2
008
Summary
! Keep track of your trigger criterias in a kind of repository
! Keep your trigger criterias up-to-date
!Automation never produces 100% results, but greatly
reduces the workload for human intelligence.! The key is tuning the sensitivity (balancing false pos.
against false neg.)
! Mind your point of access to the network
! Protocol-awareness is crucial
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
15/1615
UtimacoSafewareAG2
008
Q&A and Thank You
Feel free to start the Q&A part
Thank you for your kind attention!
-
7/28/2019 53_200906-ISS-PRG-UTIMACO.pdf
16/1616
UtimacoSafewareAG2
008
Contact details
Dirk Schrader
Director Sales LIMS
Utimaco Safeware AGGermanusstrasse 4
DE-52080 Aachen
Fon +49(241) 1696-226 ? @a BCDEFCGH GIDI-199Mobile +49(172)7556617