2013 Secure360 Security Analytics - 20130513 v2


AGENDA

• Setting the stage
• Getting started
• Case study #1
• Maturing the program
• Case study #2
• Presentation & reporting
• Appendices

GREAT EXPECTATIONS

This is not a presentation focused on ‘Big Data’.

This is a presentation about The Gap (chart comparing 2006 and 2012; source: 2012 E&Y Global Information Security Survey).

This is a presentation about fighting a losing battle…but a winning war.

FOCUS ON EFFICIENCY

No company has the capability and capacity to prevent all attacks from being successful. The only way to operate securely is to assume a breach has occurred, is occurring and will occur. With this mindset, your company needs better Security Analytics:

(Technical Controls + Business Context + User Behavior) * Intelligence

REALIZING REAL INVESTMENT RESULTS

It can be challenging to make the financial business case (ROI) for security

Setting a priority order for investing in risk reduction (or ‘Return on Security Control’ (ROSCo)) is easier to accomplish.

For most companies, the biggest ROSCo comes from improved monitoring.

WHY MONITORING?

If we can agree that preventative controls aren’t sufficiently effective at preventing, then companies need to adopt a new strategy.

Respond only works if you can detect, and detection only comes from monitoring (or, more often, from 3rd parties).

3 FOUNDATIONS OF SECURITY MONITORING

1. What do I monitor? (Targets)
• System/operating system
• Identity/accounts
• Network traffic
• Application/database
• Data/file
• Transactions

2. Where do I monitor? (Environment)
• Host-based
• Network-based
• Internal
• External
• Infrastructure

3. How do I monitor? (Algorithms)
• Approach: action/behavior based (heuristics, anomaly) or attribute based (signature)
• Real-time/near real-time, post-event analytics, batch data processing

See Appendix A for cheat sheet.

WHAT CAN WE DO WITH WHAT WE ALREADY HAVE?

Determine the organization responsible for collecting and analyzing data. In most cases, the Security Operations Center makes sense due to their integration with logging/monitoring/SIEM/threat intel and their reporting relationship with both Information Security and IT Operations.

Any analytics requires data, preferably good data. Lay the foundation with business teams, so you can obtain the data you need.

Understand your goals:
• Improve identity analytics?
• Identify attacks-in-progress?
• Provide additional triggers for monitoring employees?

ANALYTICS SUPPORT EXISTING INFORMATION SECURITY PROCESSES

Utilize your Security Incident and Event Management (SIEM) data collection. Analytics will need to hand off information to both SIEM and Incident Response teams.

Without basic InfoSec maturity, analytics create confusion & information overload.

WHAT’S IMPORTANT?

Think about how you can establish rules: understand what data is valuable to you internally and externally.
• Why is it valuable? What is its external value?
• Where is this data? Is it consolidated in a high-value location? Structured (e.g., relational DB) vs unstructured (e.g., file shares, SharePoint)?
• If there is an Enterprise Data Warehouse, this would be a good starting point due to the high value of lots of information stored in one place. If not, use your top databases with mission-critical information.
• Who has access to the data (e.g., what roles/groups) and how do they access it (e.g., what credentials are needed)?
• What makes it unique / identifiable?

This information is valuable in all aspects of Complicate, Detect, Respond & Educate.

Examples: credit card #s, SSNs, PHI, intellectual property.

SECURITY ANALYTICS MODEL

(Diagram.) Inputs: external threat information (news feeds, government agencies, alert subscriptions, etc.); asset information (access logs, security alerts, vulnerability scans, etc.); third-party risk information (vendor risk assessments, third-party security audits, etc.). These feed security analytics, which drives inside risk analysis and third-party risk evaluation to enable fact-based security decisions.

GENERAL PROCESS FLOW

Even basic analytics use multiple data sources. Threat intelligence and identity information are critical. Use existing SIEM collectors.

Two analysis methods:
• Rules for defined events
• Anomaly-based analysis

Both are valuable, but anomalies utilize data history over time. The results of one method can be an input to the other.

EXAMPLES OF BASIC RULES

RULE: Web usage – correlate users to external IPs (data: firewall logs, IAM data)
• Add in threat intelligence to known “bad” IPs (data: threat intel). Why is this not being blocked? Is there a loophole?
• Add in their identity/role (data: IAM/HR data, policies). Are they in a role that would normally require them to be visiting these sites?

RULE: Remote access connections that begin from inside the firewall (data: firewall logs, IAM/HR data, policies, threat intel)
• Add in user’s identity/role. Are they administrators?
• Add in the destination IP addresses – are they domestic?
• Add in threat intel – are any of those IPs “bad?” What time of day did these occur?
• Are they “moonlighting?” Are their credentials compromised?
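The two rules above as an added example (not code from the original deck): firewall log lines are joined with IAM/HR data and a threat-intel list, and each alert carries the questions the slide asks (loophole? role expected? administrator? domestic? off hours?). All log lines, addresses, users, roles, the domestic-prefix table and the remote-access port map are constructed assumptions.

```python
# Added example: the two "basic rules" from the slide over constructed data.
from datetime import datetime

# Constructed firewall log lines: timestamp, src, dst, dst port, protocol, action.
FIREWALL_LOG = """\
2013-05-13T09:12:04 src=10.1.4.22 dst=203.0.113.9 dport=80 proto=tcp action=ALLOW
2013-05-13T02:41:19 src=10.1.7.8 dst=198.51.100.77 dport=3389 proto=tcp action=ALLOW
2013-05-13T11:03:55 src=10.1.4.22 dst=192.0.2.15 dport=443 proto=tcp action=ALLOW
2013-05-13T23:17:42 src=10.1.9.3 dst=198.51.100.40 dport=22 proto=tcp action=ALLOW
2013-05-13T10:30:00 src=10.1.5.5 dst=203.0.113.9 dport=80 proto=tcp action=DENY
"""
# Constructed IAM/HR data: who sits behind each internal address, and their role.
IAM = {
    "10.1.4.22": {"user": "jdoe", "role": "accounts_payable", "admin": False},
    "10.1.7.8": {"user": "asmith", "role": "sysadmin", "admin": True},
    "10.1.9.3": {"user": "bnguyen", "role": "marketing", "admin": False},
    "10.1.5.5": {"user": "clee", "role": "research", "admin": False},
}
# Constructed policy: roles whose job normally requires broad external browsing.
ROLES_ALLOWED_EXTERNAL = {"research"}
# Constructed threat intel: known "bad" IPs.
THREAT_INTEL_BAD_IPS = {"203.0.113.9", "198.51.100.40"}
# Constructed geo table: prefixes treated as domestic; anything else is foreign.
DOMESTIC_PREFIXES = ("198.51.100.",)
# Constructed port-to-service map for remote-access protocols.
REMOTE_ACCESS_PORTS = {3389: "rdp", 22: "ssh", 1194: "vpn"}
UNKNOWN = {"user": "unknown", "role": "unknown", "admin": False}


def parse_firewall(text):
    """Parse key=value firewall lines into dicts with a datetime and an int port."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def rule_web_usage(events):
    """RULE: web traffic to a known bad IP, enriched with threat intel and role."""
    alerts = []
    for ev in events:
        if ev["dport"] not in (80, 443) or ev["dst"] not in THREAT_INTEL_BAD_IPS:
            continue
        who = IAM.get(ev["src"], UNKNOWN)
        alerts.append({
            "rule": "web_to_bad_ip",
            "user": who["user"],
            "role": who["role"],
            "dst": ev["dst"],
            # "Why is this not being blocked? Is there a loophole?"
            "loophole": ev["action"] == "ALLOW",
            # "Are they in a role that would normally require visiting these sites?"
            "role_expected": who["role"] in ROLES_ALLOWED_EXTERNAL,
        })
    return alerts


def rule_remote_access(events):
    """RULE: remote-access sessions that begin inside the firewall, enriched."""
    alerts = []
    for ev in events:
        if ev["dport"] not in REMOTE_ACCESS_PORTS or not ev["src"].startswith("10."):
            continue
        who = IAM.get(ev["src"], UNKNOWN)
        hour = ev["ts"].hour
        alerts.append({
            "rule": "outbound_remote_access",
            "user": who["user"],
            "is_admin": who["admin"],                             # administrators?
            "service": REMOTE_ACCESS_PORTS[ev["dport"]],
            "domestic": ev["dst"].startswith(DOMESTIC_PREFIXES),  # domestic?
            "dst_is_bad": ev["dst"] in THREAT_INTEL_BAD_IPS,      # any IPs "bad"?
            "off_hours": hour < 6 or hour >= 20,                  # time of day?
        })
    return alerts


def run_rules(text=FIREWALL_LOG):
    """Run both rules over one firewall extract; the analyst triages the result."""
    events = parse_firewall(text)
    return rule_web_usage(events) + rule_remote_access(events)
```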

EXAMPLES OF ANOMALIES – UNDERSTAND BEHAVIORS

ANOMALY: Analyze external connection traffic for users (data: firewall log, IAM data)
• Add in analysis by user group. What types of connections are normally established (e.g., HTTP, FTP) and what users fall outside the “norm?”
• For a specific user group, what sites are normal and what users fall outside the “norm?”

ANOMALY: Mean time between use of application role (data: application transaction log, IAM data)
• Add in analysis by user group. What users fall outside the “norm” usage patterns?

ANOMALY: Users with the same job role/code (data: application transaction log, IAM data, HR data)
• Add in IAM data – do all users have the same access? What users fall outside the “norm” groups/accesses?

With anomaly-based analysis, you must always ask WHY?
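The three anomaly patterns above as an added example (not the deck's own code): each user's metric is compared with the peer group, and every finding carries a "why" string so the analyst's first question is already answered. Users, groups, role-use times, entitlements and the 1.5-standard-deviation threshold are constructed assumptions.

```python
# Added example: the three ANOMALY patterns from the slide, each judged against
# the user's peer group. All users, groups, roles, times and entitlements are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall-log/IAM join: (user, user group, protocol) per external connection.
CONNECTIONS = [
    ("alice", "finance", "HTTP"), ("alice", "finance", "HTTP"), ("alice", "finance", "HTTPS"),
    ("bob", "finance", "HTTP"), ("bob", "finance", "HTTPS"), ("bob", "finance", "HTTP"),
    ("carol", "finance", "HTTP"), ("carol", "finance", "HTTPS"),
    ("dave", "finance", "FTP"), ("dave", "finance", "FTP"), ("dave", "finance", "SSH"),
    ("dave", "finance", "HTTP"),
]
# Constructed application transaction log: (user, application role, hour the role was used).
ROLE_USES = [(user, "wire_approver", hour) for user, hours in {
    "erin": (0, 24, 48, 72), "frank": (0, 25, 50, 75),
    "grace": (0, 23, 46, 69), "heidi": (0, 2, 4, 6),
}.items() for hour in hours]
# Constructed IAM/HR data: job code -> user -> granted entitlements.
ENTITLEMENTS = {
    "AP_CLERK": {
        "ivan": {"inv_view", "inv_approve"},
        "judy": {"inv_view", "inv_approve"},
        "kate": {"inv_view", "inv_approve", "vendor_master_edit"},
    },
}


def peer_outliers(values, k=1.5):
    """Return {user: z} for users more than k population std devs from the peer mean."""
    if len(values) < 3:  # too few peers to define a "norm"
        return {}
    mu, sd = mean(values.values()), pstdev(values.values())
    if sd == 0:  # everyone identical: nothing deviates
        return {}
    return {u: round((v - mu) / sd, 2) for u, v in values.items() if abs(v - mu) / sd > k}


def connection_type_anomalies(conns=CONNECTIONS, k=1.5):
    """ANOMALY: whose protocol mix falls outside the user group's norm?"""
    by_group = defaultdict(lambda: defaultdict(list))
    for user, group, proto in conns:
        by_group[group][user].append(proto)
    findings = {}
    for group, users in by_group.items():
        proto_users = defaultdict(set)
        for user, protos in users.items():
            for proto in protos:
                proto_users[proto].add(user)
        # the group's "normal" protocols: used by at least half of its members
        norm = {p for p, us in proto_users.items() if 2 * len(us) >= len(users)}
        share = {u: sum(p not in norm for p in ps) / len(ps) for u, ps in users.items()}
        for user, z in peer_outliers(share, k).items():
            findings[user] = (f"why: {share[user]:.0%} of connections outside the "
                              f"{group} norm {sorted(norm)} (z={z})")
    return findings


def role_usage_anomalies(uses=ROLE_USES, k=1.5):
    """ANOMALY: mean time between uses of an application role, versus peers in it."""
    times = defaultdict(lambda: defaultdict(list))
    for user, role, hour in uses:
        times[role][user].append(hour)
    findings = {}
    for role, users in times.items():
        gaps = {}
        for user, hours in users.items():
            hours.sort()
            if len(hours) > 1:
                gaps[user] = mean(b - a for a, b in zip(hours, hours[1:]))
        for user, z in peer_outliers(gaps, k).items():
            findings[user] = f"why: mean {gaps[user]:.1f}h between uses of {role} (z={z})"
    return findings


def same_role_access_anomalies(ents=ENTITLEMENTS):
    """ANOMALY: users sharing a job code: do they all have the same access?"""
    findings = {}
    for code, users in ents.items():
        counts = defaultdict(int)
        for granted in users.values():
            for ent in granted:
                counts[ent] += 1
        # baseline = entitlements held by more than half of the users with this code
        baseline = {e for e, n in counts.items() if 2 * n > len(users)}
        for user, granted in users.items():
            extra, missing = granted - baseline, baseline - granted
            if extra or missing:
                findings[user] = f"why: {code} extra={sorted(extra)} missing={sorted(missing)}"
    return findings
```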

RESULTS OF RULE AND ANOMALY ANALYSIS

Provide inputs into business role restructuring.

Provide business decision information, for example:
• Can we limit some users to specific hours of the day?
• Can we minimize the number of VPN sessions?
• What is the impact of enforcing multi-factor authentication for specific transactions?

Provide input to filtering/blocking rules at egress points.

Remove unnecessary and/or unused access. Who are the “trouble users” that you may not already know?

CASE STUDY #1

Company was notified by a federal agency (twice) about suspicious behavior; the first time, they thought they had it covered; the second time, they knew they didn’t.

Quickly developed a monitoring strategy, leveraging:
• Router administration tools to monitor for beaconing C2 traffic and known bad IPs
• Windows/VPN logs for account activity (e.g., account creation, anomalous logins)
• Collective Intelligence Framework* (CIF) server for aggregation of public/private data feeds
• Advanced malware detection software for non-conforming Windows binaries

* https://code.google.com/p/collective-intelligence-framework/

CASE STUDY #1 (CONTINUED)

Based on results of the enhanced monitoring capability, created a remediation strategy that accomplished the following:
• Clearly defined forensic keys (or IOCs) for future identification/confirmation of related malware
• Implementation of privileged credential partitioning (‘Red Forest’) and a Privileged Identity Management (PIM) tool
• Developed and deployed information asset-driven hardening guidelines for key platforms

UNDERSTAND KNOWN THREATS AND THEIR APPLICABILITY TO YOU

Open source and commercial threat intelligence options are available (see Appendix B for examples).

Insider threats (building on what information is important to you).

Maltego or similar analysis tools identify potential analytic queries or confirm your results.

CONSOLIDATE, DEFINE, REPORT, ANALYZE

Use a standalone analytics platform or build an intermediary between other data sources.

Open source analytics tool examples:
• HUE (Hadoop User Experience) – can be deployed locally
• Drill (Dremel/BigQuery) – uses Google’s servers

Commercial analytics tool examples:
• Google MapReduce
• Solera Networks
• RSA enVision
• Click Security
• SecurOnix
• Greenplum
• LogRhythm
• Light Cyber

MATURING THE PROGRAM THROUGH ADDITIONAL FEEDS

• Integrate business information: critical transactions can be used to establish rules or run anomaly analysis
• Integrate asset inventory and classification
• Integrate vulnerability management: what systems are outliers in their actions, and are those up to date / patched?
• Run scenarios against historical data to determine potential threat applicability
• Develop performance metrics and report over time: determine effectiveness of defenses
• Identity analysis
• Whitelisting – application, network, events

See Appendix C for leading practices.

CASE STUDY #2

Company was able to use analytics to identify malware. Using analytics, they were able to gain more insight:
• Report on the number of alerts a given individual has across the enterprise (failed logons, data loss prevention (DLP) alerts, web gateway violations, antivirus logs, requests to blocked IPs)
• Correlate multiple logs back to a single asset using an inventory
• Identified connections between unconnected activities that warrant an asset being labeled as “high risk”
• Results led the company to suspect malware was trying to steal sensitive data from a server that has an antivirus alert

This was not activity that was identified as malware through endpoint security.

CASE STUDY #2 (CONTINUED)

Response: the IT security team drilled down to discover that the employee has an unusual level of security alerts and network activity compared with his peer group.
• Map various alerts to the employee
• Determine that the employee clicked on a link within a phishing email
• Realize the attack originated from a vendor

The IT and security teams can then take action:
• Quarantine the employee’s system
• Update the email filters to look for additional emails coming from this vendor
• Notify the vendor that it has probably been hacked and is launching phishing emails from its environment
• Feed information and new rules back to the SIEM. What we learn in analytics can help reduce the number of false positives we deal with elsewhere.
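The case-study-2 analytic as an added example (not code from the deck or from the company it describes): alerts keyed by hostname are tied back to an employee through the asset inventory, rolled up per person across sources, and compared with the peer group before an asset is labelled high risk. Hostnames, users, departments, alert lines and both thresholds are constructed assumptions.

```python
# Added example: the case-study-2 analytic over constructed data. Alerts keyed by
# hostname are tied to an employee via the asset inventory, rolled up per person
# across sources, and compared with the peer group before labelling "high risk".
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed asset inventory: hostname -> (assigned user, department).
INVENTORY = {
    "WS-0412": ("mroberts", "sales"), "WS-0418": ("pkumar", "sales"),
    "WS-0421": ("lchen", "sales"), "WS-0430": ("tobrien", "sales"),
    "SRV-FIN-01": ("svc_fin", "servers"),
}
# Alert sources that key on a hostname (need the inventory) rather than a username.
HOST_KEYED = {"dlp", "proxy", "av", "fw"}
# Constructed alert feed, "source|key|detail": failed logons, DLP alerts, web gateway
# violations, antivirus logs and requests to blocked IPs, as listed on the slide.
ALERTS = """\
ad|mroberts|failed logon
ad|mroberts|failed logon
ad|mroberts|failed logon
dlp|WS-0412|credit card pattern in outbound mail
proxy|WS-0412|category violation: uncategorized
av|WS-0412|trojan detected, cleaned
fw|WS-0412|request to blocked IP
fw|WS-0412|request to blocked IP
ad|pkumar|failed logon
proxy|WS-0418|category violation: streaming
av|WS-0421|pua detected
fw|SRV-FIN-01|request to blocked IP
av|SRV-FIN-01|trojan detected
"""


def alerts_per_user(text=ALERTS, inventory=INVENTORY):
    """Correlate every alert back to a user; host-keyed alerts go through the inventory."""
    per_user = defaultdict(Counter)
    unresolved = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, key, _detail = line.split("|", 2)
        if source in HOST_KEYED:
            if key not in inventory:
                unresolved.append(line)  # asset not in inventory: a finding of its own
                continue
            user = inventory[key][0]
        else:
            user = key
        per_user[user][source] += 1
    return per_user, unresolved


def high_risk_users(per_user, inventory=INVENTORY, k=1.5, min_sources=3):
    """High risk = several sources fire AND the total stands out from the peer group."""
    dept_of = {user: dept for user, dept in inventory.values()}
    by_dept = defaultdict(dict)
    for user, counts in per_user.items():
        by_dept[dept_of.get(user, "unknown")][user] = sum(counts.values())
    for user, dept in inventory.values():  # quiet peers still shape the norm
        by_dept[dept].setdefault(user, 0)
    risky = {}
    for dept, totals in by_dept.items():
        if len(totals) < 3:  # too few peers to compare against
            continue
        mu, sd = mean(totals.values()), pstdev(totals.values())
        for user, total in totals.items():
            sources = len(per_user.get(user, {}))
            if sd and (total - mu) / sd > k and sources >= min_sources:
                risky[user] = {"dept": dept, "alerts": total, "sources": sources,
                               "z": round((total - mu) / sd, 2)}
    return risky


if __name__ == "__main__":
    counts, missing = alerts_per_user()
    print(high_risk_users(counts), missing)
```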

PRESENTATION AND REPORTING

Provide drill-down capability. Include both analysis drill-downs and performance metrics drill-downs.

Visualization tools available (various cloud options, some require sensitive data upload):
• Tableau
• Many Eyes (IBM)
• Google Fusion
• PixlCloud
• Processing
• R-Project

QUESTIONS?

Thanks for your time & attention!

Steve Currie | [email protected] | (612) 371-8605
Matt Hynes | [email protected] | (612) 371-6344

APPENDIX A: DETECTION ‘CHEAT SHEET’

Typical attack lifecycle, phases left to right. Column headings: malware focused detection; attacker behavior focused detection.

Attacker TTPs (one row per alternative at each phase):
• OSINT • Spear Phishing • RATs • Web Shell • Port scans • RDP • Pwdump • WinRar • DNS exfil • Citrix
• HUMINT • SQL Inject • Droppers • Registry • Windows Enum • PSExec • ASP script • XOR • FTP • SSH / Telnet
• SIGINT • Strat. web compromise • User creds • Sticky Keys • Internal websites • Team Viewer • Gsecdump • X.509 certs • HTTP(S) • VPN

Security monitoring / attack detection countermeasures:
• OPSEC • Net based real time heuristic • DMZ sweeps • AD log analysis • DMZ to internal baselining • Service gen alerting • IDS non-compliant • DNS log analysis • ECAT / MIR
• Pastebin • Web log analysis • Authent. data • IOC sweeps • Flow analysis • Admin tool baselining • File integrity monitoring • Cert analysis • FTP log analysis • DMZ sweeps
• Social media • Proxy log reviews • Darknet activity • Proxy log analysis • VPN log analysis

Detecting earlier in the lifecycle reduces the risk of the attacker achieving objectives.

APPENDIX B: OPEN SOURCE THREAT INTELLIGENCE

• spamhaus.org
• zeustracker.abuse.ch
• threatexpert.com
• malwaredomainlist.com
• alienvault.com
• malwaredomains.com
• dragonresearchgroup.org
• malc0de.com
• pastebin rsa dump
• phishtank.com
• sshbl.org
• danger.rulez.sk
• shadowserver.org
• spyeyetracker.abuse.ch
• malware.com.br
• malwareblacklist.com
• infiltrated.net

APPENDIX C: SECURITY ANALYTICS LEADING/EMERGING PRACTICES

Common challenges, each paired with the leading/emerging practice (preferred state):

Challenge: No aggregated source of log data to enable efficient security monitoring including event correlation
Practice: Deployed SIEM solution with fully integrated, relevant log sources that provide context to determine event severity and next steps

Challenge: Lack of threat focused, proactive monitoring
Practice: Proactive research and partnerships used to craft general and targeted rules/procedures to avoid gaps

Challenge: Monitoring rules and/or procedures are not aligned with attacker techniques, tactics and procedures / not aligned to threat intelligence
Practice: Qualified threats identified, “indicators of compromise” or signatures created and integrated into enterprise monitoring solutions

Challenge: Monitoring rules inadequately tuned / too many false positives
Practice: After action reports, red teaming, and tabletop exercises used to tune monitoring solutions

Challenge: Lack of team focused on detection analysis
Practice: Well trained resources dedicated to security monitoring. Standard event triage workflow

Challenge: Monitoring teams overwhelmed with events
Practice: Analysis designed to detect commodity versus targeted or advanced attacks

Challenge: Incomplete coverage (e.g., some versus all egress points are monitored)
Practice: Asset, network, data, threat inventory guides enterprise wide sensor deployment

Challenge: Monitored threat vectors too narrowly focused (e.g., network monitoring only, no host-based IDS)
Practice: Company standard critical asset list developed to add context to monitoring to drive prioritized response

APPENDIX D: SECURE THE ANALYTICS DATA

With all this data in one place, don’t forget to secure it! Inappropriate access can result in disclosure. Business users will want to use this for other purposes.

Foundational Security
Key considerations – examples:
1. How has aggregate data been considered as a high value target?
   • How have security roles and access controls been modified to reflect the unique needs of data in aggregate?
2. How has security been adjusted to reflect the structured, unstructured, semi-structured data environments?
Future review activities – focus areas (how have the following been implemented?):
• Two-factor authentication
• Need-to-know security model
• Logging & monitoring systems and access
• Data Leakage Protection
• Encryption
• Big data training
• Patch & Vulnerability Management
• Secured Enclave

Migration Considerations
Key considerations – examples:
1. How have threat models, use cases and security requirements been modified for EDW considerations?
2. How have information protection, data privacy and aggregate data stores been modified to reflect data consolidation?
3. How has the data architecture and data taxonomy been developed to enable security?
Future review activities – focus areas (how have the following secure data processes been modified?):
• Security architecture
• Security threat and protection guidance
• Security gates and governance processes

Security as a Customer
Key considerations – examples:
1. What is the methodology for leveraging the EDW to develop security analytics?
2. How has security developed/enabled processes to support security analytics?
   • Threat profiling (internal/external)
   • Risk profiling (individual and in aggregate)
   • Risk aggregation
Future review activities – focus areas (what is the process for developing and providing requirements for EDW analytics?):
• Security use case development
• Security process and data development
• Integration with security architecture?
• Governance, risk and compliance enablement

APPENDIX E: ABOUT ERNST & YOUNG

Forrester considered Ernst & Young the top-ranked information security consulting provider for its “strong service offering and exceptional strategy”.
• EY had the highest score (4.90 out of 5.00) of all of the consulting providers in the evaluation for its strategy, which includes its value proposition and future direction.

“Companies looking for a long-term partner with a solid suite of services and a great strategy for the future should look to E&Y.” - Forrester 2013 Q1 Wave Report

Gartner has ranked Ernst & Young as having the second largest revenue and market share worldwide in security consulting services for calendar year 2012:
• Security consulting service revenue: $966m
• Revenue growth: 16.9%
• Market share: 8.9%

Source: Forrester Wave™: Information Security consulting services, Q1 2013. Forrester Research, Inc. The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Gartner Market Share: Security Consulting Services Worldwide, 2012. 26 April 2013, ID: G00245585. All statements in this report attributable to Gartner represent Ernst & Young's interpretation of data, research opinion or viewpoints published as part of a syndicated subscription service by Gartner, Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this proposal). The opinions expressed in Gartner publications are not representations of fact, and are subject to change without notice.

APPENDIX E: ABOUT ERNST & YOUNG (CONTINUED)

Service areas (Assess / Transform / Sustain), with client outcomes:

Security program management
• Services: Security strategy & roadmap • Security program assessment • InfoSec risk assessment • Benchmarking • Security reporting and metrics • Third-party risk management • Security function co-sourcing • Chief security executive
• Client outcomes: Transformed security program driving business performance; Integrated information security and IT risk approach across enterprise

Integrated security operations
• Services: Threat intelligence • Threat and vulnerability management • Infrastructure and application attack and penetration • Security operation center services • Proactive malware identification • Incident response and investigations
• Client outcomes: Identified and evaluated internal and external threats; Optimized measures to mitigate threats

Identity and access management
• Services: Strategy and governance • Request and approval • Provisioning and de-provisioning • Enforcement • Review and certification • Role and rules management • Reconciliation • Reporting and analytics
• Client outcomes: Understand who has or needs access to important data and applications; Sustainable, compliant and efficient access processes

Information protection and privacy
• Services: Data protection strategy • Privacy implementation design • Host security • Data loss prevention • Privacy assessment and remediation • Asset management
• Client outcomes: Protect information that matters and detect leakage; Regulatory and industry compliance

Accelerators
• Business and industry sector focus
• Technical research through Advanced Security Centers
• Diverse personnel who drive fact-based, creative business improvement
• Proprietary frameworks, tools and thought leadership
• Most globally aligned of the Big Four with an award-winning people culture