
We're going to get started; you're appreciated. All right, so I'm Jeff Silver, I'll be your next speaker. It has been a long day for all you guys, with some good sessions. Today, in this session, if you come away with one or two key things to help you in your day job, then this will be worth it. Students, it's a little different for you guys, right? How many practitioners? Right. All right, so look: if you're a practitioner, my hope is that you step away, look at your own security stack and say to yourself, what am I going to do next year to make my staff more effective? Could I use cloud proxy technology? Does that make sense, does it not make sense, and if it doesn't, do I understand why? If you're a student, what you want to walk away with is: is this technology interesting, is it interesting to me, and what can I do as a student to understand it, so that when I'm an operator, when I'm an administrator, I really understand the underlying technology and why it matters to the business? All right, so I work for Symantec; we have about a hundred different security products. I am NOT going to sit here and tell you about Symantec and all that good stuff; we want to talk about technology today.

All right, so we know who you guys are. Let me lay out the next 50 minutes. First, a very quick overview of proxy technologies, just a foundation. We're not going to take the whole world of proxy and cover it even in an hour, let alone 5-10 minutes, but I want to give you a foundation, because not everyone here even understands what that is. Next I want to go over some real stories. I administer a couple of environments, and there are things that happened in the last few weeks that I think are interesting, and I want to show them, because I think sometimes real stories hone in on why this stuff matters. And then we're going to end with network architecture, and architecture does matter, because you have to understand where this fits in the modern-day enterprise; otherwise it's just an academic experiment, and many of you are practitioners, so you've got to understand where and why it fits in the big picture.

Today no company has one item in their stack; they use a bunch of different products, and mainly they use the firewall and the proxy. So what's the difference? Fundamentally, you're terminating the connection, and that's the difference. A firewall does not do that. A firewall does not act as a good man in the middle. In our business, when we think of a man in the middle we think of a bad guy, because a lot of times that's exactly what's happening: Starbucks, someone goes and fires up their laptop and they don't realize they're in a man-in-the-middle attack. But modern-day enterprises today use proxy. This is a man in the middle, but it's a good guy doing this to keep Alice safe from Bob, where Bob is a threat actor. So the key thing is we are terminating the connection, and I'll show you a visual of how that works in a moment. The firewall does not wait for everything to terminate; it just simply passes packets along. We'll take a look at that here in a moment.

So there's another thing to factor in as you look at this in the larger threat landscape: email, right? There's an attachment, someone clicks on that, that's bad potentially, and then what? In some ways email leads to web by clicking on a link. Web, and clicking on links, is one of the biggest threat vectors that we have to deal with as security practitioners, and with that we've got to look at not just the connection, which proxy helps with, but also, as we'll see in a moment, what happens when they go to the content server and download. So let's talk about proxy and what that really means. Malware comes through a firewall; it's not that we see the whole thing and it's dumped in the firewall, no, not really. In a firewall what's going to happen is the malware, piece by piece, is going to go through and be inspected; maybe it will be caught, maybe not. When you look at a proxy, and this is important, it terminates the connection, it acts as a man in the middle, and so this object gets looked at in its entirety before it goes on to the user; there are two sides to it. Now the user thinks they're downloading, right, but the reality is there's the connection and there are objects, and when you're dealing with network vulnerabilities you're dealing with what can attack. Those are the two things you look at: it's not just the user going to the site, it's what that site is downloading, either willingly and knowingly by the end user or without them knowing it, because it's some sort of script running in the background or some web ad or some analytic they have no idea they're being redirected to. All those things are a threat if you're an administrator trying to protect the environment. So: connections, objects, but in the end it's intelligence; that's the key. This is really what matters, because unfortunately that far-end object, the content server, is too dynamic; it changes all the time. There is no way anything you can purchase in itself is going to stop dynamically the threats in the threat landscape, and so intel is huge. So here's a freebie for you: sitereview.bluecoat.com. It is free, I use it, and every one of you, I guarantee, regardless of what you do for a living,
you are your parents' and your friends' IT department; that's the way it is. "I clicked on this link." I love that. My favorite: "should I not have clicked on this link?" And the first thing you can do is go to sitereview.bluecoat.com, drop in the link your aunt or uncle just clicked on, and you will see, and I'll show you in a moment, what's going to happen. You'll get an idea, and you can confirm yes, you're completely owned, or you're not. But there is more, because people ask, what do you use to test? These are other sites you can use. EICAR is important. It is the known, it is the gold standard, it is the most boring piece of malware that you can possibly use. It's not really malware, it's a test file that fires off every vendor's engines for malware, but it's important because it's safe. Imagine you want to buy a car and you say to the car sales guy, can I go for a test drive? Sure. Hey, do you mind if I do a head-on collision? No? Well, I really need to understand: my family's going to be in this car and I need to make sure all the airbags are going to work, because I love my family. Usually he'll say, you need to pull over, get out, you can walk, we're done here, because he thinks you're crazy. When you're evaluating solutions for your environment, do this, but not in your production environment, because that's doing a head-on collision, which is bad; you don't want to get fired. You introduce real malware into your environment and the solution you're trying out doesn't stop it, now it's loose in your environment, and that's really bad. This is a conundrum. This right here is CloudCar; it's a benign file that you can use. And then TekDefense is one that I use, although this is a zoo, right? Tread carefully, tread carefully. But once again, when you say, where can I go to get malware where I'm probably not going to lose my job testing it: here. Oh, I warn you right now: when a customer says to me, hey, can you bring real malware into my environment, my answer is, I will give you real malware, but you will execute it in your environment; I will not execute it in your environment. In most states, Delaware probably included,
and in your corporate environment. This one was my favorite. At a church, just last Sunday, the children's care person says, "Jeff, I got blocked going to the site. I'm really upset about it, because I really want to get to the orphan care coalition." Right then I went and checked this out. What's interesting is that it is a charitable organization, but unfortunately it is a malware source, because it has been owned, and that brings in the next issue we have to deal with: your organization needs a process to deal with what happens when a user can't get to where they want to go, even when it's going to hurt them and the company. That's really, really important. If you walk away with nothing else, that website is very valuable; it is free and it's good, because not only does it categorize sites, it categorizes up to four categories. So there's a charitable organization that has been owned. This is what the end user is going to see in a proxy environment, right, and they don't like that. It doesn't matter what it says here; in the end they're going to call the help desk, and you need the SLA. Process matters, because in the end you don't want to be in a place in your organization where you set something up, the organization is more secure, but you didn't address the process, and now emotions get high and people call their bosses, who call their bosses, who call your boss's boss, and they say, turn that crap off. Your organization will get to where they want to go unless they're educated: hey, when you get this, you call the help desk, they will help you with your options. Right now maybe you go use your own laptop. That's an important element as you look at cloud proxy or any user-facing, impacting security software that could put a screen like this up in front of them. All right, I said intelligence really matters. Intelligence really matters. One of the previous speakers brought up that something like a million pieces of malware a day are
produced, right? Imagine: websites are turned up every day and turned down within 24 hours, while all the good sites are up regardless. One of the nice things about proxy technology and the site categorization is that not only can you stop the category phishing, stop the category malware, stop the category proxy avoidance and other badness, but if the business says... I had a pharmaceutical customer say to me, use the proxy to stop the contracted guards from streaming high-def TV in the middle of the day. Why? Because there's a category for that, and so we could say, Active Directory identifies them, and that group can no longer go to this category. Boom, done. Now, was that a function of the security team? It became that, it became that, but they were able to go back to the business and say, yeah, we can do this. They gave them guidance against it, saying you'll piss off the guys with guns, but that's a whole other story.

I'm going to go over threat risk levels next as well, which is another point of intelligence and solves a couple of problems. In one of the real-world stories I'm going to share with you, which happened very recently, I made a mistake as an administrator in my policy which actually ended up infecting one of the end users that I support, and it was because my policy had bothered me enough that I turned off suspicious as a category. I'll show you later why that came back to bite me in the butt, and how I solved that without over-blocking; I did it by using risk levels. So another item that you're going to see in pretty much any security solution that deals with web today is the threat risk level. You have categories, right: is this a controlled substance, is this pornography, is this an abortion site? There are like 100 different categories. But one of the things is, not every site is categorized; it cannot be. There are suspicious and there are uncategorized, and in that middle ground is where it gets tough as a security practitioner. It gets tough because you don't want to over-block. A theater came out this summer with an event; the site was uncategorized, a totally clean, legit site, and people couldn't get there because I was blocking uncategorized. Totally legit, and that was my fault, right? The way to overcome that is with threat risk levels: I'm going to block uncategorized, but only at risk level seven and above. That's how you overcome it, and that's a big deal to understand. Threat risk levels really matter; the difference between categories and threat risk levels is that every site gets a threat risk level. Every site: this site just came up five minutes ago and it has no history, so by default it's a five. As time moves on, if there's shadiness, it goes up to six, seven; by the end of the day it may be an eight if it's bad. But every site gets a threat risk level. That is an important key distinction when you're talking about web security.

All right, so let's cruise through. My students, what's the difference... give me: why spear phishing? What makes spear phishing different than regular phishing?
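The policy shape the speaker describes here (block known-bad categories outright, apply a per-group category rule like the contractors' streaming block, and treat suspicious and uncategorized sites by threat risk level rather than as a whole category) can be written out as a small decision routine. This is an added example written for this transcript, not code from the speaker or from any Symantec product; the category names, the risk threshold of 7, the group names and the sample sites are constructed to mirror the stories in the talk.

```python
from dataclasses import dataclass

# Constructed policy for this example; category names follow the talk's wording,
# not any vendor's real category list.
BLOCKED_CATEGORIES = {"phishing", "malware", "proxy avoidance", "outbound botnets"}
# Per-group rules keyed by directory group: the pharma customer's contractor guards.
GROUP_BLOCKED_CATEGORIES = {"contractors": {"streaming media"}}
# Grey-area sites (suspicious or uncategorized) are blocked only at this
# threat risk level and above, instead of blocking the whole category.
RISK_THRESHOLD = 7


@dataclass(frozen=True)
class SiteRating:
    url: str
    categories: frozenset = frozenset()  # empty set means "uncategorized"
    risk_level: int = 5                  # a brand-new site with no history starts at 5


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" or "block"
    reason: str


def decide(rating: SiteRating, user_groups=()) -> Decision:
    """Evaluate one request: category rules first, then the risk-level rule."""
    hit = rating.categories & BLOCKED_CATEGORIES
    if hit:
        return Decision("block", f"category '{sorted(hit)[0]}'")

    for group in user_groups:
        hit = rating.categories & GROUP_BLOCKED_CATEGORIES.get(group, set())
        if hit:
            return Decision("block", f"group '{group}' denied category '{sorted(hit)[0]}'")

    # The middle ground from the talk: blocking all of "uncategorized" broke the
    # legitimate new event site; blocking none of "suspicious" let the look-alike
    # through. The threat risk level separates the two cases.
    if not rating.categories:
        label = "uncategorized"
    elif "suspicious" in rating.categories:
        label = "suspicious"
    else:
        label = None
    if label and rating.risk_level >= RISK_THRESHOLD:
        return Decision("block", f"{label} site at threat risk level {rating.risk_level}")

    return Decision("allow", "no policy match")


# Constructed sample sites mirroring the stories in the talk.
NEW_EVENT_SITE = SiteRating("https://summer-event.example/", frozenset(), 5)
LOOKALIKE_SITE = SiteRating("https://smallbusiness-lookalike.example/", frozenset({"suspicious"}), 7)
PHISH_SITE = SiteRating("https://login-harvester.example/", frozenset({"phishing"}), 10)
STREAMING_SITE = SiteRating("https://hdtv.example/", frozenset({"streaming media"}), 2)


def walkthrough():
    """Return the decision for each sample site so the outcomes can be checked."""
    return {
        "new event site": decide(NEW_EVENT_SITE).action,
        "look-alike site": decide(LOOKALIKE_SITE).action,
        "phishing site": decide(PHISH_SITE).action,
        "contractor streaming": decide(STREAMING_SITE, ("contractors",)).action,
        "employee streaming": decide(STREAMING_SITE, ("employees",)).action,
    }


if __name__ == "__main__":
    for name, action in walkthrough().items():
        print(f"{name:22s} -> {action}")
```

The trade-off the speaker accepts is visible in the numbers: a suspicious site at the default risk level of 5 is still allowed, so the threshold is what you tune when the business complains about over-blocking or the cleanup queue gets long.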
That's it, that's right. Spear phishing takes a little bit more effort, but I'm targeting someone specific. At one of the sites I was administering over the last couple of months there was a spear phishing campaign, which, by the way, I found out is part of a larger campaign going on today, so it wasn't isolated. So let's go ahead: risk level 10, which reported this is known bad. I can click on the link and get a screenshot. Really, if you were to look at it, it's just a credential harvester, that's all it is, and I can see that. So if you were doing the math, like, that's a lot of bitcoins, bro. Yeah, but this is the dark web, right?

Number two, and number two is a little more interesting. Malware loves its mommy. One thing I can tell you from my experience: malware always speaks back. When you have a cloud proxy agent on the machine, I don't care if your antivirus picks up and finds the malware or not, I guarantee you, you will see the command and control going back, and that's how you can know. It is very, very difficult for the malware writers to overcome that, because if it doesn't speak back they don't get the value; it's harder for them to know that the machine has been fully infected, and if they don't know that, there's a risk in their sales efforts. Remember what matters to a malware author: trying to sell it. When they say 80% of my stuff is going to work, it's about reputation. If the people respond back, this guy is a scam artist, none of his stuff works, he doesn't have a business; there's no Better Business Bureau in the dark web. So malware loves its mommy; it's got to speak back so the author feels confident that in fact that machine is infected. It always speaks back to the mothership. That's how I know. When they say, how do you know it's infected? This is how I know.

Now I'm going to show a close-up of this in just a moment; I know it's hard to see, but this is what an administrator sees. What you can see here is this is the PC, this is the login, and then I'm going to show a close-up because I know it's hard to see. This machine: there are a couple of reasons right off the bat. I know there's no one there; it's 5:00 p.m. and no kid is in the school by 5:00 p.m., so they're not in the PC lab at 5:00 p.m. The other thing is, notice the timestamps: they're precise. That is automation, right at 5:00, or 3:23, 5:13, 23, 23 and so on. It's trying to get out, and because the malware can't get out, it's trying to figure out, how do I get back to the mothership? Yeah, you've just been owned, right; that's how I know you are owned. So now you know that machine has been owned, so when they say, how do you know, that's how I know.

Now what's the proper way to deal with a machine that has been owned? The only way to be sure: you just reimage. Malware is way too elegant these days to think you're going to go into the registry; you're not cleaning it up, and if you do go in and get some tools to clean it up, I guarantee you're also going to take out things that are known good. In preparation I just went ahead and took a machine that was owned, and I took a program that's designed as a heavy-duty cleaner; Symantec uses it, we don't sell it, it's a tool, and I ran through to see if I could get rid of the infection. I did. I also got rid of the backup program that was running on the machine and a few other reputable programs, and by the way, I rendered them useless because I removed the registry keys. So what I'm telling you is, don't try to spend a day trying to get rid of malware; reimage, it's quicker, unless you just want to do it for lab purposes, because you're like, I'm just so into this, which is fine, but it's time-consuming. Grandpa wants to know if he can use the restore points. That's a great question: if it's not corporate and there's no backup, then that's worth trying, right? There is little damage in trying that; it is very easy, and if everything works, fine, great, and if it doesn't, then you're back to this. Most malware, the first thing it does is kill the restore points, and then you really know you're owned. But that's a very good question, a good point. All right, real-world example number three. This is a little more detailed; this is the
one where I made a mistake as an administrator. I have since fixed that, but this is real, this just happened, as you can see, October 18th, not that long ago. We actually noticed this person: this is the domain, this is the office administrator, and one day I just saw this. No excuse, I wasn't sorted on the time column here, it's sorted on another column, so this is not in time order, but you'll see it: about 9:33, 9:44, 9:45 and 10:45, only four attempts to speak back. Not shabby: four times, four times blocked, because we said, hey, this category, I was blocking this category, malicious outbound and botnets, but this caught my attention: crap, her machine's infected. But you see the HTTP code 403, blocked, it didn't go out, I believe. I purposely haven't reimaged her machine yet because I want to wait a full month and see if I see this again in 30 days, because I think, well, four times, then it might go dormant for a little bit and try again. I don't know; we'll know on the 18th of November. So close up, here's the site, check this out: smallbusiness verizon dot com. Interesting, interesting, right? So now let me go a little deeper. What does a good admin do? Dump the logs. Dump the logs. Let's take a closer look.

So you see a web ad for Verizon at the top, then the real Verizon, an ad, and then you see a real hit to verizon.com, legit; underneath that, legit; smallbusiness verizon dot com, legit. And then down here everything went wrong. Notice this is what happens when the administrator allows it. Why? Because I wasn't blocking suspicious. This site was labeled as suspicious because it's not a Verizon site. It is not a Verizon site; it looks like it, it looks like this, but it is not that. Now you can see it helped that the spyware is here; on the next slide, there it is, 403, it is blocked, outbound spyware. So I was able to block that, but the machine's already infected. So now back to my threat explorer, and I could see the small-business look-alike site; you see the redirect, you guys see that? That was the site. Now the risk level: had I been blocking suspicious at threat risk level seven and above, this infection never would have happened. I am doing that now. Why is it we're starting to see bad behavior? This is what the good site looks like: she had hit this site, risk level 2, this is standard Verizon, good, good, right? I mean, basically, that is what happened, and now her machine is part of the botnet, so I will eventually reimage it, but I do want to watch its behavior, because she swears her machine is fine; she's like, there's no difference in my PC. Now I see the stuff trying to go out, but she can't; this malware is elegant.

All right, let's just stop for a second. I went through a few use cases. Any questions that you guys have on those use cases, what you saw? I went through them rapidly, but any questions? There are risk levels, things like how geolocation would work, I can definitely go deep into that, or categorization. Yes sir: what criteria do you use on where you do the blocking? That is a great question. So, when you block 5, 6, in my opinion now you're over-blocking in the
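The pattern the speaker reads out of these two stories (a machine checking in at precise, automated intervals, at a time nobody is at the keyboard, to a destination the proxy answers with a 403 in a blocked outbound category) is something you can pull out of dumped proxy logs with a short script instead of sorting columns by eye. This is an added example written for this transcript, not the speaker's tool or any vendor's log format; the log lines, their layout (date, time, client, user, method, URL, status, category), the host names and the school-lab business hours are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed proxy log excerpt (not any vendor's real schema):
# date time client user method url status category
LOG = """\
2019-10-18 09:12:04 LAB-PC-07 jdoe GET http://smallbusiness-lookalike.example/ 200 suspicious
2019-10-18 09:12:09 LAB-PC-07 jdoe GET http://smallbusiness-lookalike.example/ad.js 200 suspicious
2019-10-18 09:31:47 LAB-PC-07 jdoe GET http://news.example/ 200 news
2019-10-18 10:05:22 LAB-PC-07 jdoe GET http://news.example/story/4 200 news
2019-10-18 11:48:10 LAB-PC-07 jdoe GET http://news.example/ 200 news
2019-10-18 13:02:55 LAB-PC-07 jdoe GET http://news.example/story/9 200 news
2019-10-18 17:00:03 LAB-PC-07 jdoe POST http://c2-placeholder.example/gate 403 outbound_botnets
2019-10-18 17:10:03 LAB-PC-07 jdoe POST http://c2-placeholder.example/gate 403 outbound_botnets
2019-10-18 17:20:04 LAB-PC-07 jdoe POST http://c2-placeholder.example/gate 403 outbound_botnets
2019-10-18 17:30:02 LAB-PC-07 jdoe POST http://c2-placeholder.example/gate 403 outbound_botnets
2019-10-18 17:40:03 LAB-PC-07 jdoe POST http://c2-placeholder.example/gate 403 outbound_botnets
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, user, method, url, status, category = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "client": client,
            "user": user,
            "host": url.split("/")[2],   # scheme://host/... -> host
            "status": int(status),
            "category": category,
        })
    return events


def find_beacons(events, min_hits=4, max_jitter=0.1,
                 business_hours=(time(7, 0), time(16, 0))):
    """Flag (client, host) pairs whose requests recur at near-constant intervals.

    Jitter is the standard deviation of the gaps divided by their mean; a human
    browsing session has large jitter, an automated check-in has almost none.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e)

    start, end = business_hours
    findings = []
    for (client, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue   # identical timestamps: no interval to reason about
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        findings.append({
            "client": client,
            "host": host,
            "hits": len(hits),
            "interval_s": round(avg),
            "jitter": round(jitter, 3),
            # Corroborating signals from the talk: the proxy blocked it (403)
            # and it happened when nobody was at the keyboard.
            "blocked": sum(1 for e in hits if e["status"] == 403),
            "off_hours": sum(1 for e in hits if not (start <= e["ts"].time() < end)),
            "categories": sorted({e["category"] for e in hits}),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(LOG)):
        print(finding)
```

The four news-site visits are ignored because their gaps vary by the better part of an hour, and the two hits to the look-alike site fall under the minimum count. The one finding is the ten-minute check-in to the blocked host: five requests, all answered 403, all after the lab closed. The script only surfaces the pattern; the speaker's remediation (reimage rather than clean) is still the next step.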
enterprise, because too many sites are going to fall into that spot. Any new site that comes up, you block that; you might as well not. All the time? Okay, that's another great question. One of the things, when you guys in the enterprise are looking at any vendor, it doesn't matter which, every vendor has an intelligence group. By the way, every single vendor has one: Symantec, Palo Alto, every one has intel people. They wear flip-flops and cargo shorts, they drink Mountain Dew, they eat pizza, they're not allowed to speak to customers, they're in locked rooms, and you know, they're great guys; they live their whole lives off of insects, and they're not going to construct bombs. That's what they do. All companies have these guys, and they're really smart, they have IQs off the charts, like 135, 150. The reality is that this stuff moves so dynamically that it's literally fluid, it's literally fluid, and so they have automated programs that are always running and changing the threat risk levels as things move, and that's how they do it. There are times when they have to have an analyst actually do a human interaction with it, and that happens too. A typical case of that is using this site rating to reach out: hey, this site I think is miscategorized. By the way, that happens a lot, and they'll respond within an hour. It'll tell you whether a machine did it or an analyst, so when an analyst has reviewed it they'll change the category, and in a worst case they come back and argue with you: no, we're not changing it, we disagree with you. So whichever vendor you're working with, make sure they have a portal into that intel group, because we don't... I don't... so that's important. My customers, I make sure they get to log into this as well. We don't really sell this, but we guard this very carefully, because it's a portal into our intel group, but my customers, I can get them logged in. For those there are criteria: you have to be an American citizen, you've got to agree to play by the rules, there's a few things you have to agree to, but most security practitioners play by the rules, and if you don't, you're probably not in this business anyway.

Yes sir, that's a good question. Let's explore that for a moment. There's an origin content server serving up malware; it got turned up ten minutes ago. There's absolutely no history, it's reachable, but it's going to go through other devices to get there. Is that what we're saying, whether a proxy or some other device? Yeah, there's something somewhat obscuring that origin content server. That probably will automatically jump the threat risk level to a six or seven just right there, because now it doesn't look like something that's ordinary, right? But yeah, it could be done, but then the threat risk level goes up. The other thing is the certificates: the network guys saying, well, why are we not [inaudible] these guys? They're either going, wow, they're legitimate sites, you can't do that. So that's the current fight I've got with those guys. There are other indicators of compromise that would force those businesses to re-validate their certificates. It's crazy how many there are; I'd love to see that, where we start to really lock that down; that would be great. It's just the cost to people. It just seems like bad internet hygiene, especially if you're a legitimate company.

Yes sir: [audience] I find blocking uncategorized is one of my best tactics in the environment, under one through seven, [inaudible] which is a very [inaudible].
There is a known significant decrease, because what happens is workers say, hey, they're watching us. Cultures: if it's financial people, there's no better; they simply won't move forward, because they know they will be fired. Financials, pharma, hospitals, those environments, DoD: they know, I will not have a job today. The concern, right, is that you're still allowing the end user to click OK; you're putting the power in the end user. So I would say it is doable, and depending on the industry it makes sense. If you're using that today and it's been effective, good for you. As a security guy I hate that feature, because I'm always worried when they click it and go for it anyway, and I've still got to do the cleanup; and that's just one through six, you're going to let him go, and so on. Okay, here's the other thing: you've got to be cautious. A lot of companies have a limit: what is my threshold of how much I can bother the users? There's a communications company in Philadelphia; this company has a very strong culture of let people get their job done. Look, nothing wrong with that culture. I'm a security guy, I'm going to live within that, because you know what, I want to keep my job. But you've got to live with it; you have to know your own company. So now, whether you're a practitioner or a student, this is important: not just the technology. You have to understand the culture of your organization as you put this stuff in there. You put in proxy technology, anything that's going to have an end-user blocking experience, you'd better understand the culture, because you do not want to deal with the repercussions in a negative way. That's very, very important, and when I say understand your culture, understand also the process by which things get remediated, because if it's not strong, and you want to be a hero, help make that strong. That is important. I have seen a lot, because I work at Symantec and I get to work with a lot of different customers; I see all the different cultures out there, and they do vary drastically. You want to be the hero? Carefully help fix the processes and you'll really make a difference.

All right, we've got just a few more minutes. I want to go into architecture, because architecture really matters. You can be a technologist, you can really understand how technology works, you can understand the impact of it, but if you don't understand the bigger picture and how it sits in your environment, how your environment works, then you're really not solving business problems. In the 1990s, for the students back there, when electricity was first invented, right, people like me went to work and we got
behind a desktop computer in the headquarters or one of the remote sites, and we'd work, then we went home, and the computer stayed there. This is laptops, the phones, company-owned or bring your own device. One of the problems of traditional proxy is that traditional proxy was guarding this, but this is going away, so proxies diminished in the last 10 years. Now what you're seeing with cloud proxy is you put an agent, whether it's your antivirus program or a distinct agent, on the laptop, whether it's a MacBook, whether it's a PC, whether it's your phone, whatever, and it's going through the cloud proxy instance. So for you as an administrator it doesn't matter whether Susy is on her couch or in the corporate office: your policy is being applied, so she cannot go to phishing sites, she cannot go to sites based on your policy. This matters in a mobile workforce. You're going to see a resurgence of proxy now over the next ten years because of cloud proxy, because now I can control the corporate resources when they leave the brick and mortar. This is going to go away over time; I'll be retired when it's fully gone away, but this is sort of where we are, right? People are working from home now, and I don't see that diminishing; this continues to diminish, and this is going to be these users all over the world. This is the new place to defend, and cloud proxy solves that problem. So in your environment, ask yourself, how do I protect the laptop when it leaves my brick and mortar? How do I do that today? You've got to have an answer as a security guy. You've got to find out now how many of our people use mobile devices; you've got to understand that percentage, you really have to know that, so you can make a plan to the business to protect that. Don't wait until it's too late before you make this game plan.

The other item to understand is that most everything, as far as applications your business is using, your business is using applications in the cloud. How are you going to protect against that? That's fairly new; in the last five years this has emerged. You need to understand a strategy for that, and cloud proxy solves that service: CASB. I go to a very safe social media site, certainly not criminal, and I never just hit this site; I'm not just hitting this site, there are all these objects, this HTML, Java, objects that can be downloaded. Ultimately it should not matter whether I'm here in a hotel or here in a corporate site; you've got to have a game plan to protect that. This is still a massive vector of compromise.

We don't have time, unfortunately, but I want to mention one technology that is emerging now for you to consider in your enterprises, and that's web isolation. We've got a few more minutes, and web isolation, the concept is: I'm a user, I'm on my laptop, I go to a very safe social media site. Web isolation says everything's bad; I don't care what it is, it's bad, and what it's going to do in the cloud is open up a container, and all the objects, everything, get opened in that container. Only screenshots are rendered to the end user; they don't know, but that's all they get. Nothing actually opens or executes on their machine. They don't know any different, but it's in the container in the cloud, and when they're done with their web browsing, the container is imploded, it's done. That site doesn't matter. It's not just Symantec that has this technology; there are a lot of vendors out there that have it, it's common, it's emerging. Very few people are deploying it right now, but that's something to consider and explore, from an intellectual perspective and from a usability perspective, in your future security stack.

All right, that's a great question. The one in the box? No, I think that's been deprecated. Yeah, that's a very good question: how do we make that available for the retail market? I don't know the answer to that. At some point it's going to become available, it's just not right now; it's a great idea. I think it's because it's expensive; that would be the issue. A corporation will typically invest in their security stack, but there's no way that someone would spend a hundred bucks for a web isolation service, especially for home use. So that's probably the emerging-technology thing, right? When the big new TV comes out it's really expensive, right, and it takes a few years for it to come down in price, so I think that's where we are now, because it's emerging. But a good point; at some point I think there will be a retail market for that. Yes sir, yes. Yeah, thank you. One more, and I
promise we'll end after this question. Thank you. SSL decryption: proxies, I told you, are a man in the middle, and how they do it, well, everything, everything on the web, 70 percent or more, is SSL. We are the man in the middle: before we're looking at it, we're breaking the encryption and slapping it back on. So there are mechanisms to say, if it's the healthcare category, so here's what's categorized: categorized healthcare, finances, you say, I'm not going to, I won't break it open; we're not looking at healthcare stuff, and we're not looking at the finances or any other category you decide as a business to say, don't look at that. So SSL decryption is really important. If you're not decrypting, you're really not... as a security practitioner, you're not doing your job; you don't do it well. All these solutions factor that in, because you've got to have some exemptions, but you've got to be able to do it, you've got to be able to crack that open and take a look, you just have to be able to do that. If I'm a malware writer, I'm definitely going over SSL, I'm definitely doing that, no way am I [inaudible]. All right guys, thank you very much, appreciate it.