Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Download as PPTX, PDF1 like228 views
The document provides an overview of cloud proxy technology and cyber security. It discusses how proxies work by terminating connections between users and servers and inspecting transmitted objects. The document then shares several "real world" examples of how proxies can detect and prevent phishing attempts, malware infections, and other cyber threats by analyzing URLs, file downloads, and network traffic patterns. It emphasizes the importance of threat intelligence and how proxies use global intelligence networks to identify and block malicious activity in real-time.
![SESSION AGENDA
• Proxy Fundamentals [Quick overview as a foundation]
• Cyber Security ‘Real’ Forensics Stories
• Proxy Architecture in the Modern Business Environment
• Q & A](https://image.slidesharecdn.com/hackerhaltedoct2019-191031172637/85/Cloud-Proxy-Technology-Hacker-Halted-2019-Jeff-Silver-2-320.jpg)
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
- 1. Cloud Proxy Technology Cyber Security in a Web Browsing AgeJeff Silver; CISSP Symantec Senior Security Engineer
- 2. SESSION AGENDA • Proxy Fundamentals [Quick overview as a foundation] • Cyber Security ‘Real’ Forensics Stories • Proxy Architecture in the Modern Business Environment • Q & A
- 3. What Is a Proxy? What makes it unique and valuable in the security space PROXY 3 When you put a proxy between a user and a server on the internet, you are terminating the connection at the proxy, between the proxy and the user. The request from Alice ends at the proxy. A completely new session is started by the proxy to ask Bob for the current time. This is what makes a proxy so secure. It terminates connections and waits for entire objects to be assembled at the proxy for inspection.
- 4. Proxy and Downloaded Objects 4
- 5. NETWORK CONNECTIONS AND OBJECTS Proxy Architecture Compared to a Firewall SANDBOX Proxy Firewall Malicious payload delivered to end user Malicious payload detected by content analysis, blocked from delivery 5
- 6. CYBER INTELLIGENCE IS THE KEY https://sitereview.bluecoat.com www.tekdefense.com/downloads/malware-samples/ www.westfallave.com/insight/cloudcar.exe virustotal.com https://www.talosintelligence.com/reputation_center eicar.org
- 8. User Is Prevented From Going To The Site
- 10. URL Threat Risk Levels Risk Level10: Solid evidence of malicious (rated in database) Risk Level 9: Almost certainly malicious Risk Level 8: Stronger evidence of maliciousness Risk Level 7: Shady behavior (including Spam and Scams) Risk Level 6: Exercise caution; very new sites, or some evidence of shady behavior Risk Level 5: No established history of normal behavior Risk Level 4: Still probably safe (may be starting to establish a history of normal behavior) Risk Level 3: Probably safe Risk Level 2: Other top sites; consistently well-behaved Risk Level 1: Big names; long history of good behavior; huge traffic Risk Level 0: Customer Whitelist
- 11. Real World Incident 1 Please don’t feed the Phish!
- 15. Real World Incident 2 Malware LOVES its Mommy!
- 16. LETS GET A LITTLE GEEKY Jeff…Really, How do you know these PCs are infected with Malware? Because they ALWAYS ALWAYS speak back to to the Mother Ship!
- 17. WHAT A SECURITY ADMIN SEES
- 18. PROPER MALWARE REMOVAL TECHNIQUE
- 19. Real World Incident 3 An All Expense Paid Trip to Portugal!
- 21. Side Loaded Browser May Send You Places
- 24. Real World Incident 4 What Happens When it gets Messy?!!
- 25. SECURITY BLEEDS INTO HR What is the company policy on reporting this? Is there one? Make sure you know! Don’t confront the person if you know them. No emotion in reporting. Stick to the facts as you have the data to back it up.
- 26. SECURITY BLEEDS INTO LEGAL What is the law in your state? Who takes this from you…and have you gone through that drill before it actually happens? You cannot just turn a blind eye to this for moral and legal reasons.
- 27. PROXY WHITEBOARD CLOUD PROXY Site A Headquarters Work & Personal Devices Roaming Users PROX Y PROX Y PROX Y Site B Global Intelligence Network Content Analysis Sandboxing Web Isolation SSL Cert.
Editor's Notes
- #4: Real quickly let’s get a reminder on what a proxy is and what makes it so special in the security space. Here’s the very basic level definition of a proxy, It handles all the communication between two parties. When you put a proxy between two users (or a user and a server on the internet), you are terminating the connection at the proxy, between the proxy and the user. So in this example, Alice is the user, and asks Bob (who could be a server) for the current time. The request from Alice ends at the proxy. A completely new session is started by the proxy to ask Bob for the current time. This is what makes a proxy so secure. It doesn’t allow a connection to tunnel or make it through the proxy. It terminates the connections, and waits for entire objects to be assembled at the proxy for inspection. These features allow the proxy to guarantee all objects are inspected, and no evasive techniques can be used to bypass the proxy.
- #5: A proxy, on the other hand, reconstructs the full file before it attempts to make a decision on the content. Not only this makes scanning the content more effective, but it also eliminate one of the major attack vectors against streaming solutions, namely out-of-order TCP packet attack. Most people can recognize this picture now that it is fully constructed.
- #6: Let’s look at this in more detail. Here’s an example, where fragmenting a piece of malware and introducing a delay in some of the packets has no effect on the proxy detecting a piece of malware, but in the NGFW, the slight delay in some packets means that NGFW has already passed on parts of the malware and by the time the remaining packets show up, they also get delivered, and the end user gets the entire piece of malware.
- #7: How do you test out your vehicle’s air bags? Your family drives in that car…and they are important to you, so have you tested the airbags to make sure they work Trick question….of course you cannot do that. You also cannot go to malicious sites to check to make sure they are in fact…malicious. There is a better way.
- #10: Add a GIN graphic and remove the data feed one.