
MANAGING EVOLVED THREATS

Threats have evolved radically in just a few years.


The combination of vulnerable software, sophisticated social engineering tactics, device diversity, and readily available hacker-developed criminal tools has resulted in a dramatically expanded threat landscape. Additionally, threats have evolved to evade the traditional security appliances that organizations rely on to prevent device infections, network breaches and data loss incidents.

PHISHING

THEN
SOCIAL: Emails or Web posts from trusted friend or friend-of-friend accounts.
COMPELLING: Used general, timely content that broad audiences could relate to.
INDISCRIMINATE: Sent email with a malicious link or a file exploiting an unpatched vulnerability. Posted comments with malicious links.

NOW
BUSINESS: Emails or Web posts from trusted employer or education accounts.
URGENT: Uses deep, personal knowledge to compel a specific target to take action.
PERSISTENT: Attaches a target-specific-named file exploiting a zero-day vulnerability. Includes a link to regularly visited, recently compromised Websites.

MALWARE

THEN
SIMPLE: Polymorphic kits created variants that appeared different per victim.
OPPORTUNISTIC: Exploited the most popular software, e.g. Windows, old IE versions, Flash.
GENERAL: Used for small-scale ID theft, financial fraud and bandwidth for spam/DDoS.

NOW
ADVANCED: Modular kits create unique exploits that appear and behave differently for each target. They're never reused.
TARGETED: Uses zero-day vulnerabilities to exploit the target's known software, or compromises the target's known, regularly visited Websites.
BUSINESS-CRITICAL: Gains access to corporate networks with high-value assets.

BOTNET

THEN
NOISY: Used IRC or HTTP protocols & ports for centralized command & control. Was easier for authorities to shut down.
MASSIVE: 10s of millions of infected devices, e.g. Conficker, Mariposa, Bredolab.
PROFITABLE: Used for knockoff pharma sales, click fraud, large-scale DDoS & cracking captchas/passwords.

NOW
STEALTH: Uses P2P or protocol (e.g. DNS) tunnels for distributed command and control. Very difficult to detect and block.
DISCRETE: Hackers rent or sell access to smaller numbers of infected devices.
LUCRATIVE: Steals high-value corporate data, and launches unique spear phishing or DDoS attacks.

Meanwhile, technology has transformed how people work.


Employees work wherever they need to in order to get work done. They bring their own devices to work, take corporate-owned devices home and on the road, access cloud applications without using a VPN to connect back to the corporate network, and frequently access unsecured Wi-Fi. Moreover, with the rise of social and streaming networks and the shift of business-critical applications to the cloud, Web traffic is skyrocketing.

DEVICE DIVERSITY
Employee BYOD and corporate-owned devices roam free on and off-network. New OS platforms.

UBIQUITOUS CONNECTIVITY
Unsecured Wi-Fi and carrier wireless are available everywhere.

CLOUD SERVICES (DISRUPTIVE TO IT)
Access cloud-hosted apps and data without VPN. Web traffic will increase 23x over the next few years.

VIRTUALIZATION
Easy for good and bad guys to spin up infrastructures in minutes, not weeks.

Yet despite the changes, security vendors still search for threats using the same methods. And those methods are failing.
Hardware- and software-based security products remain fixated on the appearances and behaviors of threats. However, criminals have infinite opportunities to adapt how threats appear and behave. The one finite attribute that all threats share is an Internet host. While appliance-based solutions lack the key elements necessary to evolve toward a strategy of blocking threat origins, vendors that deliver Internet-wide security via the cloud are optimized to successfully transform.

BLOCK BY APPEARANCE
SOLUTION CATEGORIES: Antivirus, intrusion prevention, secure web gateway, next-generation firewall or UTM.
SECURITY RESEARCH: Collect samples, and then react by creating new signatures. Crawl known malicious Internet hosts.
BIG DATA ANALYTICS: Infinite possible threat appearances prevent data scientists from predicting how the next unknown threat will appear.
ENFORCEMENT TECHNIQUES: Inspect content, and match against a signature database.
SOLUTION LIMITATIONS: Research can't keep up. Big data cannot be used to predict how the next sample will appear. Enforcement is too delayed, and cannot block botnets.

BLOCK BY ORIGIN
SOLUTION CATEGORIES: Web filter, secure web gateway, next-generation firewall, UTM, sandbox or DNS resolution service.
SECURITY RESEARCH: Crawl or honeypot hosts, and match against signatures or heuristics. Reverse engineer or observe samples to discover Internet hosts.
BIG DATA ANALYTICS: Internet hosts that will be used by criminals can be predicted by correlating spatial & temporal patterns for all hosts & networks.
ENFORCEMENT TECHNIQUES: Intercept the connection or content request, and match against a host attribute database or rules.
SOLUTION LIMITATIONS: Most vendors rely on appliances, so enforcement is too delayed, and cannot protect off-network devices. Most vendors only research Web sites and enforce Web traffic.

BLOCK BY BEHAVIOR
SOLUTION CATEGORIES: Real-time malware analysis or sandbox (aka virtualized machine environments).
SECURITY RESEARCH: Collect and observe samples, then react by creating new heuristics. Honeypot known malicious Internet hosts.
BIG DATA ANALYTICS: Infinite possible threat behaviors prevent data scientists from predicting how the next unknown threat will behave.
ENFORCEMENT TECHNIQUES: Emulate content, and match against heuristic rules.
SOLUTION LIMITATIONS: Research still limited; no phishing. Big data cannot be used to predict how the next sample will behave. Enforcement is too expensive, and cannot protect off-network devices.
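The "block by origin" enforcement technique above (intercept the request and match it against a host-attribute database) and the DNS-tunnel command and control the botnet section calls hard to detect, as an added example that is not OpenDNS or Umbrella code: a toy DNS-layer policy check whose host database, thresholds and resolver log are all constructed for illustration.

```python
# Toy DNS-layer "block by origin" check; added example (not OpenDNS code), all data constructed.
import math
from collections import Counter

# Constructed host-attribute database: domain -> attribute. A verdict covers
# every subdomain, so enforcement walks from the full name up towards the TLD.
HOST_DB = {
    "malicious-cdn.example": "malware",
    "login-update.example": "phishing",
    "c2-relay.example": "botnet",
}

def lookup_origin(fqdn):
    """Return the attribute of fqdn or its closest listed parent, else None."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):           # never match the bare TLD
        verdict = HOST_DB.get(".".join(labels[i:]))
        if verdict:
            return verdict
    return None

def label_entropy(label):
    """Shannon entropy (bits/char) of one label; encoded C2 data scores high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_like_tunnel(fqdn, max_label=40, min_entropy=3.5):
    """Heuristic for DNS-tunnel C2: a very long, high-entropy leftmost label
    under an unlisted domain. Thresholds are constructed; baseline them locally."""
    first = fqdn.split(".")[0]
    return len(first) > max_label and label_entropy(first) > min_entropy

def decide(fqdn):
    """BLOCK known origins, FLAG tunnel-like names for review, else ALLOW."""
    verdict = lookup_origin(fqdn)
    if verdict:
        return "BLOCK", verdict
    if looks_like_tunnel(fqdn):
        return "FLAG", "possible-dns-tunnel"
    return "ALLOW", None

# Constructed resolver log, one "client qname" pair per line.
LOG = """10.0.0.5 www.example.com
10.0.0.5 cdn.assets.malicious-cdn.example
10.0.0.7 login-update.example
10.0.0.9 4f8a1c9e2b7d6a3f0c5e8b1d9a2f7c4e6b3d8a1f5c9e2b7d6a4f3c0e.tunnel.example"""

def triage(log=LOG):
    """Run decide() over each log line -> [(client, qname, action, reason)]."""
    return [(c, q, *decide(q)) for c, q in (ln.split() for ln in log.splitlines())]
```

Because the match happens at name resolution, the same verdict applies whatever port, protocol or application later uses the answer.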

OPENDNS CONFIDENTIAL. NOT FOR DISTRIBUTION TO CUSTOMERS OR THIRD PARTIES.

To effectively fight evolved threats, the delivery model for Web security needs to shift to the cloud. That's where we come in.
In order for Internet security to evolve at a pace ahead of today's threats, it should actually work the way the Internet does. Umbrella by OpenDNS is cloud-delivered Web security that protects all ports, protocols and apps, ensures always-on protection for users who leave your secure network environment, and leverages Big Data analytics to predict future threat origins. Plus, Umbrella delivers all the benefits of the cloud: scalability, centralized management, low cost of ownership and no new latency or performance impact.

ALWAYS-ON: FOR USERS THAT GO ON AND OFF YOUR NETWORK
INTERNET-WIDE: FOR TRAFFIC ON ALL PORTS, PROTOCOLS & APPS
PREDICTIVE: FOR FUTURE THREAT ORIGINS VIA BIG DATA ANALYTICS

Join the more than 7,000 businesses that trust Umbrella today.
"I needed an easy-to-deploy solution that would block the intrusion before it ever got to my doorstep, not when it was already in the kitchen making a sandwich." Ryan Pierce, Network Engineer, Crestwood Behavioral Health

"Umbrella allows our people to leave the security of our company networks and stay protected in today's world of rapidly evolving threats, without impacting performance. Umbrella enables us to effectively extend our secure computing environment out into the field." Gabe DiSarro, IT Director, Coldwell Banker Prime Properties

Learn how Umbrella by OpenDNS will enable your business to effectively block evolved malware, botnets and phishing threats.

VISIT: http://www.umbrella.com
EMAIL: [email protected]
CALL: 877-811-2367

Copyright 2013 OpenDNS, Inc. All rights reserved worldwide. Information contained in this document is believed to be accurate and reliable, however, OpenDNS, Inc. assumes no responsibility for its use. DS-Managing-Evolved-Threats.pdf
