Investigating and Preventing Cyber Attacks with Security Analytics and Visualization
Orion Suydam, Director of Product Management, 21CT
June 12, 2013
Unleash Your Data. Secure Your World.
About 21CT
Timeline (1999 to 2013):
• 21CT established as an innovation incubator for the Department of Defense and intelligence community
• 21CT applies graph pattern matching technology to Department of Defense projects for detecting terrorist activity
• Commercialization of graph pattern matching in cyber security
• Launch of LYNXeon for the intelligence community
• Launch of LYNXeon for cyber security within DoD
• LYNXeon launches for enterprise cyber security
• LYNXeon releases enhanced graph search for pattern detection
• 8 patents awarded and 5 applied for
• 21CT surpasses 100 employees
Human Versus Human Battle
You know they are inside your network and you want to go on the offensive
Protecting the business is YOUR business and perimeter defenses only stop what they recognize
Unleash Your Data
• Provide unprecedented network visibility
• Identify previously hidden malicious behavior
• Determine incident impact with full activity history pre- and post-breach
• Create active defense and go head-to-head against the adversaries
LYNXeon from 21CT: Security Data Visualization & Analytics
LYNXeon Demo: Threat Feed Insights
Threat Feed Demo (Step 1)
• We’ve imported our favorite threat feed of known bad IP addresses
• Question: Which internal hosts have connected to a known bad IP?
• Answer: 10.0.10.139 initiated 2 port 80 connections to a known bad IP
Threat Feed Demo (Step 2)
• We’ve “expanded” on the known bad host to learn more about it
• The good news: no other internal hosts have connected to it
• More good news: we have some detail on one of the port 80 connections
• The bad news: the external website is called “virus-doctor.com”
• Hovering over the HTTP node reveals that a binary was downloaded in the process
Threat Feed Demo (Step 3)
• Let’s find other cases of this binary being downloaded from other sites
• We ask the question by clicking on the nodes that represent our pattern of interest: an external host, an internal host, and an HTTP file download
• Note that we retain the MD5 hash of the downloaded file
• With this pattern defined, LYNXeon finds all other instances
Threat Feed Demo (Step 4)
• The bad news is that we have identified yet another internal host that downloaded the same file (but from a different external site)
• This new external site was NOT in our threat feed
• So we now have two internal hosts to investigate & remediate and a new external IP to add to our list of known bad IP addresses
• The good news is that no other internal hosts connected to this 2nd host
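The four demo steps above, written out as an added example in Python (this is not 21CT or LYNXeon code, and it does not use their graph engine). It works from flow records enriched with DPI detail; the record layout, the addresses, the hostnames and the MD5 values are constructed for illustration. Step 1 joins the flows against the feed, step 2 expands the bad host to see what was downloaded from it, step 3 runs the "internal host, external host, HTTP download" pattern keyed on the file's MD5 across every other external host, and step 4 collects the hosts to remediate and the new IP for the feed.

```python
"""Threat-feed cross-check and file-hash pivot over flow/DPI records.

Added example, not 21CT or LYNXeon code. The record layout, the addresses,
the hostnames and the MD5 values are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the internal address space

# Constructed records: (src, dst, dst_port, http_host, file_md5).
# http_host/file_md5 are None when DPI saw no HTTP file download on the flow.
RECORDS = [
    ("10.0.10.139", "203.0.113.10", 80, "virus-doctor.com", "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    ("10.0.10.139", "203.0.113.10", 80, "virus-doctor.com", None),
    ("10.0.20.7", "198.51.100.23", 80, "free-codecs.example", "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    ("10.0.30.4", "93.184.216.34", 443, None, None),
    ("10.0.30.4", "198.51.100.77", 80, "cdn.example", "9e107d9d372bb6826bd81d3542a419d6"),
]
THREAT_FEED = {"203.0.113.10", "192.0.2.55"}  # constructed known-bad IPs


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def hosts_talking_to_feed(records, feed):
    """Step 1: internal hosts that initiated connections to a known-bad IP,
    with the (bad IP, port) of each connection."""
    hits = defaultdict(list)
    for src, dst, port, _host, _md5 in records:
        if is_internal(src) and dst in feed:
            hits[src].append((dst, port))
    return dict(hits)


def internal_contacts(records, external_ip):
    """Expand an external host: every internal host that connected to it."""
    return {src for src, dst, *_ in records if dst == external_ip and is_internal(src)}


def downloads_from(records, external_ip):
    """Step 2: HTTP file downloads seen on connections to the external host."""
    return [(src, host, md5) for src, dst, _port, host, md5 in records
            if dst == external_ip and md5 is not None]


def same_file_elsewhere(records, md5, exclude_ip):
    """Step 3: the pattern 'internal host -> external host -> HTTP download',
    keyed on the file's MD5, run over every other external host."""
    return [(src, dst, host) for src, dst, _port, host, file_md5 in records
            if file_md5 == md5 and dst != exclude_ip]


def investigate(records, feed):
    """Steps 1 to 4 end to end. Returns (hosts to remediate, IPs to add to the feed)."""
    to_remediate, new_bad = set(), set()
    for internal_host, contacts in hosts_talking_to_feed(records, feed).items():
        to_remediate.add(internal_host)
        for bad_ip in {ip for ip, _port in contacts}:
            for _src, _site, md5 in downloads_from(records, bad_ip):
                for other_src, other_dst, _site in same_file_elsewhere(records, md5, bad_ip):
                    to_remediate.add(other_src)
                    if other_dst not in feed:
                        new_bad.add(other_dst)
    return sorted(to_remediate), sorted(new_bad)


if __name__ == "__main__":
    hosts, new_ips = investigate(RECORDS, THREAT_FEED)
    print("hosts to remediate:", hosts)
    print("new IPs for the feed:", new_ips)
    for ip in new_ips:
        print(ip, "was also contacted by:", internal_contacts(RECORDS, ip))
```

One caveat a practitioner should keep in mind when pivoting on the hash: it only finds byte-identical copies of the binary, so a repacked or recompiled variant served from the second site would get a different MD5 and be missed. Pivoting on the other attributes of the download (URL path, user agent, file size) alongside the hash widens the pattern at the cost of more false matches.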
LYNXeon Use Cases
“Using LYNXeon is like setting fire to the haystack to find the needle.”
Josh Sokol, National Instruments
• “Ultimate Malware Intelligence” | “Threat Feed Intelligence” | “Behavioral Analysis Intelligence”
Malware Insight
– Confirmed gaps in malware detection
– Identified other undetected infected hosts
– Extended the value of their perimeter defense
Threat Feed Insight
– Cross-check threat feeds against historical NetFlow and DPI logs
– Identify suspicious host activity
– Find similarly undetected patterns in the network
Hunting Insight
– Reveal hosts not conforming to corporate policy
– Highlight and flag assets acting abnormally
– Find compromised hosts that signature-based detection systems miss
Malware Insight
LYNXeon in use by National Instruments to extend malware threat defense
Challenge:
• Perimeter defense systems (IPS/IDS, malware detection, etc.) miss attacks
Need:
• Comprehensive malware coverage
“By combining our malware analysis using FireEye and our NetFlow analysis using LYNXeon, we have created a hybrid system capable of far more than either of these tools by themselves. This is the magic of symbiotic security in action.”
--Josh Sokol, NI
• Fuse data from existing systems: FireEye & NetFlow
• FireEye alert detected between malicious host and internal host
Malware Insight: Step 1 (figure: FireEye alert between a malicious host and an internal host)
Malware Insight: Step 2
1. Original host pair
2. Other hosts
3. LYNXeon analytic reveals potential command and control hosts
LYNXeon:
– Reveals other compromised hosts and potentially malicious external hosts
– Extends the value of perimeter defenses
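The expansion from one alerted host pair to other hosts and candidate command-and-control servers, as an added example in Python (not 21CT, LYNXeon or FireEye code). The slide does not say what the LYNXeon analytic computes, so the candidate-C2 heuristic here is an assumption: an external host that two or more of the suspect hosts talk to, and that no other internal host talks to, ranked by flow volume. The alert and the NetFlow-style records are constructed for illustration.

```python
"""Expanding one FireEye-style alert host pair over NetFlow to find other
internal hosts and candidate command-and-control servers.

Added example, not 21CT, LYNXeon or FireEye code. The alert, the flow
records and the candidate-C2 heuristic are assumptions made for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the internal address space

# Constructed NetFlow-style records: (src, dst, dst_port, flow_count).
FLOWS = [
    ("10.0.5.21", "203.0.113.40", 443, 12),    # the alerted pair
    ("10.0.5.33", "203.0.113.40", 443, 9),     # a second host talking to the same bad IP
    ("10.0.5.21", "198.51.100.9", 8443, 144),  # both suspects beacon here ...
    ("10.0.5.33", "198.51.100.9", 8443, 140),
    ("10.0.5.21", "93.184.216.34", 443, 3),    # ... and to a site the rest of the network uses too
    ("10.0.5.33", "93.184.216.34", 443, 4),
    ("10.0.7.2", "93.184.216.34", 443, 7),
    ("10.0.7.2", "10.0.1.1", 53, 30),          # internal-only traffic is left out of the graph
]
# Constructed alert: the malicious external host and the internal host it was seen with.
ALERT = {"internal": "10.0.5.21", "external": "203.0.113.40"}


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def build_graph(flows):
    """Undirected internal<->external adjacency; edge weight is total flow count."""
    adj = defaultdict(dict)
    for src, dst, _port, count in flows:
        if is_internal(src) and not is_internal(dst):
            adj[src][dst] = adj[src].get(dst, 0) + count
            adj[dst][src] = adj[dst].get(src, 0) + count
    return adj


def other_hosts(adj, external_ip, seed_internal):
    """Step 2: every other internal host that talked to the alerted external IP."""
    return sorted(h for h in adj.get(external_ip, {}) if h != seed_internal)


def candidate_c2(adj, suspects, known, min_shared=2):
    """Step 3 (assumed heuristic): external hosts that at least `min_shared`
    suspect hosts talk to and that no non-suspect internal host talks to,
    ranked by flow count. Hosts already known bad are excluded."""
    suspects = set(suspects)
    scores = {}
    for node, peers in adj.items():
        if is_internal(node) or node in known:
            continue
        talkers = set(peers)
        shared = talkers & suspects
        if len(shared) >= min_shared and talkers <= suspects:
            scores[node] = sum(peers[h] for h in shared)
    return sorted(scores, key=scores.get, reverse=True)


def expand_alert(flows, alert):
    """Alert host pair -> other compromised hosts -> candidate C2."""
    adj = build_graph(flows)
    others = other_hosts(adj, alert["external"], alert["internal"])
    suspects = [alert["internal"], *others]
    return {"suspects": suspects,
            "candidate_c2": candidate_c2(adj, suspects, known={alert["external"]})}


if __name__ == "__main__":
    print(expand_alert(FLOWS, ALERT))
```

The "only suspects talk to it" filter is what keeps shared infrastructure (CDNs, update servers) from surfacing as C2; on a real network it should be combined with beaconing regularity or low global fan-in before anyone acts on the result, since two infected hosts can easily share a legitimate destination by chance.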
Threat Feed Insights
Challenge:
• US Air Force receives a constant stream of intelligence feeds from various sources
• Analysts typically have limited experience to utilize and respond to threat feeds
Need:
• Analysts must quickly answer:
– Have we seen these threats on our network?
– How did a threat propagate?
– Who was affected?
“First term airmen with limited experience can easily operate LYNXeon, developing their own query patterns to uncover suspicious and potentially threatening network activity.”
--Air Force, Cyber Threat Analysis Lead
• In seconds determine which hosts are talking to known bad sites
• Further investigation quickly reveals the depth of the problem
Threat Feed Insights (figure: graph view with the callouts “These hosts have talked to known bad host”, “Were files downloaded?” and “From which other sites were these files downloaded?”)
Hunting Insight
Challenge:
• Investigating anomalous network behavior to proactively remediate issues
Need:
• Implement active defenses and stay ahead of the threat
Rackspace also uses LYNXeon for “proactive hunting” to uncover abnormalities and is revealing surprising results.
• Rapidly visualize the network and observe the behavior of high value assets
• Find managed assets using external DNS
• LYNXeon uncovered a managed asset using more than 216 different external DNS servers in one day
Hunting for Anomalies (figure: domain controllers; an internal system connecting to myriad external DNS servers)
Policy violation: web traffic leaving domain controllers
LYNXeon:
– Reveals hosts not conforming to corporate policy, helping IT resolve policy issues
– In the best case: a policy violation
– In the worst case: a compromised asset
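The two hunts described on this and the previous slide, a host fanning out to many external DNS servers and web traffic leaving domain controllers, as an added example in Python over NetFlow-style records (not LYNXeon code). The flow layout, the list of domain controllers, the sanctioned external resolver and the fan-out threshold are assumptions; the records are constructed so that one workstation trips the DNS rule and one domain controller trips the web-egress rule.

```python
"""Two hunting checks over NetFlow records: internal hosts resolving through
many distinct external DNS servers, and web traffic leaving domain controllers.

Added example, not LYNXeon code. The flow layout, the domain controller list,
the approved resolvers and the fan-out threshold are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")                 # assumption
DOMAIN_CONTROLLERS = {"10.0.1.10", "10.0.1.11"}     # assumption
APPROVED_EXTERNAL_RESOLVERS = {"203.0.113.53"}      # assumption: the one sanctioned external resolver
DNS_FANOUT_THRESHOLD = 5   # assumption; the case in the text found 216 servers in one day
WEB_PORTS = {80, 443}

# Constructed records: (day, src, dst, dst_port).
FLOWS = [
    ("2013-06-10", "10.0.4.8", "198.51.100.1", 53),
    ("2013-06-10", "10.0.4.8", "198.51.100.2", 53),
    ("2013-06-10", "10.0.4.8", "198.51.100.3", 53),
    ("2013-06-10", "10.0.4.8", "198.51.100.4", 53),
    ("2013-06-10", "10.0.4.8", "198.51.100.5", 53),
    ("2013-06-10", "10.0.4.8", "203.0.113.9", 53),
    ("2013-06-10", "10.0.4.8", "203.0.113.53", 53),     # approved resolver, not counted
    ("2013-06-10", "10.0.4.8", "93.184.216.34", 443),   # workstation web traffic: fine
    ("2013-06-10", "10.0.4.9", "198.51.100.1", 53),
    ("2013-06-10", "10.0.4.9", "198.51.100.2", 53),
    ("2013-06-10", "10.0.1.10", "10.0.1.53", 53),       # DC to internal resolver: fine
    ("2013-06-10", "10.0.1.10", "203.0.113.53", 53),    # DC to approved external resolver: fine
    ("2013-06-10", "10.0.1.10", "93.184.216.34", 443),  # DC web egress: policy violation
    ("2013-06-11", "10.0.1.11", "10.0.4.8", 445),       # internal-only traffic: ignored
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def external_dns_fanout(flows):
    """(day, internal host) -> distinct unapproved external DNS servers it sent to."""
    fanout = defaultdict(set)
    for day, src, dst, port in flows:
        if (port == 53 and is_internal(src) and not is_internal(dst)
                and dst not in APPROVED_EXTERNAL_RESOLVERS):
            fanout[(day, src)].add(dst)
    return fanout


def dns_fanout_findings(flows, threshold=DNS_FANOUT_THRESHOLD):
    """Hosts whose distinct external DNS server count on a day reaches the threshold."""
    return sorted((day, host, len(servers))
                  for (day, host), servers in external_dns_fanout(flows).items()
                  if len(servers) >= threshold)


def dc_web_egress(flows):
    """Domain controllers initiating web traffic to external hosts."""
    return sorted({(day, src, dst, port) for day, src, dst, port in flows
                   if src in DOMAIN_CONTROLLERS and port in WEB_PORTS and not is_internal(dst)})


def hunt(flows):
    return {"dns_fanout": dns_fanout_findings(flows), "dc_web_egress": dc_web_egress(flows)}


if __name__ == "__main__":
    for rule, findings in hunt(FLOWS).items():
        print(rule)
        for finding in findings:
            print("  ", finding)
```

The threshold is the part to tune: count distinct external resolvers per host per day across a normal week first, then set the cut-off above the noise from roaming laptops and misconfigured clients. A hit on either rule is a policy violation at best; a domain controller reaching out to the web on its own, or a host walking through hundreds of resolvers, is also what DNS tunnelling and command-and-control look like in flow data, so the next step is the same expansion used in the malware and threat feed cases above.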
6011 W Courtyard Dr Building 5, Suite 300
Austin, TX 78730
Phone: 512.682.4700 Fax: 512.682.4701
www.21CT.com