NAPIER UNIVERSITY, EDINBURGH MAY 2016 BIG DATA IN CYBERSECURITY

Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh


NAPIER UNIVERSITY, EDINBURGH

MAY 2016

BIG DATA IN CYBERSECURITY

TODAY’S TOPICS

• Introduction

• Credentials

• Age of compromise

• Today’s InfoSec Challenges

• Inside Out Security: Detect, Assess, Respond & Recover

• Leverage existing infrastructure

• Summary: Can you afford to be one of the numbers?

2

MARKET LEADING DIGITAL FORENSICS, E-DISCOVERY, AND ENDPOINT DETECTION & RESPONSE

• Gartner #1 in Endpoint Detection & Response*
• Standard in Digital Forensics - cited in 100+ published court opinions
• 25+ million servlets deployed - 70% of Fortune 100 and 45% of Fortune 500
• Industry recognized training with 5000+ EnCE - “Best IT Security-Related Training Program”, SC Magazine
• Industry leading Professional Services

3

CREDENTIALS

ENDPOINT IS THE TARGET OF ATTACKERS

COMPANY DATA: THE EPICENTER OF RISK

• Business Intelligence
• Intellectual Property
• Customer Data
• Cardholder and Financial Data
• Authentication Credentials
• Human Resources
• Electronic Health Records

4

AGE OF COMPROMISE

• Anthem, Jan 2015: 2nd largest US health insurer; customer PII
• eBay, March 2015: used employee details to access user credentials
• Target, Summer 2013: $10B drop in market cap (30%); CEO terminated; CIO resigns

5

WHY IS IT LIKELY YOU ARE BREACHED?

Signature-based Detection is Not Sufficient

6

DETECTION AND RESPONSE TIMES ARE UNTENABLE

Initial attack to compromise: 60% in minutes
Compromise to discovery: 66% in months or years
Unknown threat: 70-90% of malware samples unique to an organization
Time to resolution: 32 days

• 60% of organizations breached in minutes or less [1]
• 66% of breaches take months or years to discover [2]
• 70-90% of malware samples are unique to an organization [1]
• 32 days to respond to an incident [2]

[1] Verizon 2015 Data Breach Investigation Report
[2] Verizon 2013 Data Breach Investigation Report

“It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.”

METHODOLOGY OF AN ATTACK

[Diagram: attack lifecycle crossing from their ecosystem (opportunity) into our enterprise: Research, Infiltration (Patient Zero), Discovery, Capture, Exfiltration; timescales shown: days to weeks, seconds to minutes, weeks to months]

11

SANS SURVEY: ENDPOINT SECURITY TAKEAWAYS

• Perimeter defenses are breached, almost at will
 - More than half of survey participants operate assuming compromise
 - Attackers don’t need stealth or APT-style funding to get the job done.
 - Proactive hunting is the only way to detect adversaries that have bypassed initial detection
 - The majority of respondents say they want to be able to obtain data from all queried endpoints in under 1 hour
 - Some critical endpoints (e.g. payment processing servers) cannot afford any downtime.

12


Five Styles of Advanced Threat Defense

Where to look | Real-Time / Near-Real-Time          | Postcompromise (Days/Weeks)
Network       | Style 1: Network Traffic Analysis   | Style 2: Network Forensics
Payload       | Style 3: Payload Analysis (spans both time frames)
Endpoint      | Style 4: Endpoint Behavior Analysis | Style 5: Endpoint Forensics

15


YOUR CHALLENGES

• Not sure if you have been breached!
• Prevention isn’t working but there is no next step
• Everything occurs on the endpoint, but perimeter, network, & logs ≠ endpoint
• Too many alerts! What volume do you see?
• No way to identify security gaps and verify policies are working
• Lack of visibility into sensitive data
• Analysts spend too much time collecting and correlating data

19

SO YOU CAN’T STOP THEM GETTING IN, BUT…

YOU CAN FIND THEM!

20

ENDPOINT VISIBILITY IS EVERYTHING

• Broad operating system support ensures all your assets are covered, not just servers
• Non-reliance on the operating system for trusted and verifiable information
• Correlation across disparate data types
• Visibility into restricted, hidden and encrypted areas
• Forensic-level access to disk, memory and attached devices
• True remediation (wiping) capabilities

21

HOW DEEP IS DEEP?

• Deep File System
• Dead Registry
• OS Exe/DLL Interaction
 − App Compat Cache
 − Windows SxS
• Windows Event Logs
• SQL/AD Event Logs
• Windows Management Instrumentation (WMI)
• Registry
• Processes
• ARP Tables
• Memory
• Lnk Files
• Anti-Forensic Detection
• PreFetch
• Hash/Entropy
• Open Ports
• DNS Cache
• Email
• Internet
• Open Files

[Diagram axes: artefacts range from “human readable, easy data access, no interpretation required” to “high barrier to entry, reverse engineering required for truth, individual forensic interpretation”]

22

ENDPOINT ACTIVITY CAN REVEAL PATIENT ZERO

[Diagram: correlating Machine Name, File Name, Process Hash and User Account]

23

INSIDE OUT SECURITY FRAMEWORK

• Vendor agnostic
• Process to implement a security framework that moves from a passive to an active defense
• Applicable for teams with new or mature security plans
• Increase ROI on security analysts and technology

24

DETECT & ASSESS

Detection of the known and unknown: eliminate your reliance on signatures, heuristics, policies or IOCs. The only way to detect what you haven’t already!

• Every tiny action leaves an artefact of either system or user activity
• Artefact correlation defines a baseline and tells a story of use, no limitations
• Proactively detect the aberrations – known, unknown, insider, and zero day threats
 - Anomalies indicate unseen threats
 - Review of security policies redefines direction

25
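As an added illustration of the “patient zero” slide (machine name, file name, process hash, user account) and of the baseline-and-aberration idea on this slide, the following Python sketch was written for this page; it is not Guidance Software’s product code or any code from the deck. It correlates constructed endpoint process records by process hash across a fleet, flags hashes seen on only a few machines (the aberrations against the fleet baseline), traces each back to the earliest-seen machine, and scores a byte string’s Shannon entropy as the Hash/Entropy artefact from the “How deep is deep?” list. All machine names, hashes, users and timestamps are constructed, and the two-machine rarity threshold is an assumption.

```python
import math
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# One record per process observed on a machine, carrying the four fields from the
# "patient zero" slide plus a first-seen timestamp. Every value is constructed.
Proc = namedtuple("Proc", "machine file hash user first_seen")

RAW = [
    # machine,  file name,      hash,     user,     first seen (ISO 8601)
    ("WS-101", "explorer.exe", "aaa111", "alice",  "2016-05-02T08:01:00"),
    ("WS-102", "explorer.exe", "aaa111", "bob",    "2016-05-02T08:03:00"),
    ("WS-103", "explorer.exe", "aaa111", "bob",    "2016-05-02T08:05:00"),
    ("WS-104", "explorer.exe", "aaa111", "carol",  "2016-05-02T08:07:00"),
    ("WS-105", "explorer.exe", "aaa111", "dave",   "2016-05-02T08:09:00"),
    ("WS-101", "svchost.exe",  "bbb222", "SYSTEM", "2016-05-02T08:00:00"),
    ("WS-102", "svchost.exe",  "bbb222", "SYSTEM", "2016-05-02T08:00:00"),
    ("WS-103", "svchost.exe",  "bbb222", "SYSTEM", "2016-05-02T08:00:00"),
    ("WS-104", "svchost.exe",  "bbb222", "SYSTEM", "2016-05-02T08:00:00"),
    ("WS-105", "svchost.exe",  "bbb222", "SYSTEM", "2016-05-02T08:00:00"),
    # Same binary under two names: correlating by hash rather than file name ties them together.
    ("WS-103", "update.exe",   "ccc333", "bob",    "2016-05-03T09:15:00"),
    ("WS-105", "svchost.exe",  "ccc333", "dave",   "2016-05-04T11:40:00"),
    ("WS-102", "helper.exe",   "ddd444", "bob",    "2016-05-04T16:20:00"),
]
RECORDS = [Proc(*r) for r in RAW]


def hash_prevalence(records):
    """Fleet baseline: how many distinct machines each process hash appears on."""
    machines = defaultdict(set)
    for p in records:
        machines[p.hash].add(p.machine)
    return {h: len(m) for h, m in machines.items()}


def rare_hashes(records, max_machines=2):
    """Hashes present on at most max_machines machines: the aberrations worth review.
    The threshold is an assumption; tune it to the fleet size."""
    return sorted(h for h, n in hash_prevalence(records).items() if n <= max_machines)


def patient_zero(records, hash_value):
    """Earliest observation of a hash across the fleet, or None if it was never seen."""
    hits = [p for p in records if p.hash == hash_value]
    if not hits:
        return None
    return min(hits, key=lambda p: datetime.fromisoformat(p.first_seen))


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes.
    Packed or encrypted sections approach 8.0, which is why Hash/Entropy is an artefact."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(records, max_machines=2):
    """One row per rare hash: where it started, who ran it, what it was called, how far it spread."""
    rows = []
    for h in rare_hashes(records, max_machines):
        first = patient_zero(records, h)
        rows.append({
            "hash": h,
            "patient_zero": first.machine,
            "user": first.user,
            "first_seen": first.first_seen,
            "file_names": sorted({p.file for p in records if p.hash == h}),
            "machines": sorted({p.machine for p in records if p.hash == h}),
        })
    return rows


if __name__ == "__main__":
    for row in triage(RECORDS):
        print(row)
    # Entropy on constructed byte strings: constant data versus every byte value once.
    print(shannon_entropy(b"\x00" * 64), shannon_entropy(bytes(range(256))))
```

On the constructed data, `explorer.exe` and `svchost.exe` are on all five machines and stay in the baseline, while hash `ccc333` surfaces on two machines under two different names, with `WS-103` as the earliest sighting; that is the kind of pivot (hash, not file name, across machines and users) the patient-zero slide describes.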

ASSESS & RESPOND

Exposed data is a major risk: limit risk and exposure from an internal or external threat!

• Proactively discover any sensitive data across the organization
 - Endpoints
 - Structured repositories (Office 365, shares, etc.)
• Enforce sensitive data policies
• Prioritize incident response around high-risk assets

26

RESPOND AUTOMATICALLY

Automated incident response: ensure valid perimeter, network and log events are being seen! Reduce compromise to discovery from months to days or hours.

• Automated forensic collection integrates with existing security technologies
 - No information decay; works 24/7
• Reduce false-positive events quickly and gain down-stream benefits
• Identify unknown binaries triggering behavioral or heuristic alerts

27

RESPOND ON DEMAND

On-demand incident response: reduce compromise to discovery and time to resolution from months to hours.

Response shouldn’t take forever
• Quickly identify suspect processes using localized white/black lists
• Root out all potential indicators
• Determine if suspect files are threats with ThreatGrid and other intelligence sources
• Determine scope and impact across the organization of any threat instance
• Integrate with existing workflow management, home grown and third party point solutions

28

RECOVER & REMEDIATE

Recovery and remediation: wipe and reimage costs weeks! Reduce time to resolution from weeks to hours.

• Kill running processes
• Surgically remove all iterations of malware and related artifacts
• Wipe sensitive data from unauthorized locations
• Produce reports demonstrating success/compliance

29

DEFENSE IN DEPTH: LEVERAGE EXISTING INFRASTRUCTURE

30

CAN YOU AFFORD TO BE ONE OF THE NUMBERS?

• #1 in Endpoint Detection and Response by Gartner
• There is no security without endpoint visibility
• Detect unknown threats that perimeter, network, and logs can’t see
• Detect attacks before you end up a headline
• Enable your team to discover and resolve valid threats immediately

31

THANK YOU

IAN RAINSBOROUGH

GUIDANCE SOFTWARE

EMAIL: [email protected]