TODAY’S TOPICS
• Introduction
• Credentials
• Age of compromise
• Today’s InfoSec Challenges
• Inside Out Security: Detect, Assess, Respond & Recover
• Leverage existing infrastructure
• Summary: Can you afford to be one of the numbers?
CREDENTIALS
MARKET LEADING DIGITAL FORENSICS, E-DISCOVERY, AND ENDPOINT DETECTION & RESPONSE
• Gartner #1 in Endpoint Detection & Response*
• Standard in Digital Forensics: cited in 100+ published court opinions
• 25+ million servlets deployed: 70% of Fortune 100 and 45% of Fortune 500
• Industry recognized training with 5000+ EnCE: “Best IT Security-Related Training Program” (SC Magazine)
• Industry leading Professional Services
ENDPOINT IS THE TARGET OF ATTACKERS
COMPANY DATA: THE EPICENTER OF RISK
• Business intelligence
• Intellectual property
• Customer data
• Cardholder and financial data
• Authentication credentials
• Human resources
• Electronic health records
AGE OF COMPROMISE
• Anthem (Jan 2015): 2nd largest US health insurer; customer PII
• eBay (March 2015): used employee details to access user credentials
• Target (Summer 2013): $10B drop in market cap (30%); CEO terminated; CIO resigned
DETECTION AND RESPONSE TIMES ARE UNTENABLE
• Initial attack to compromise: 60% in minutes. 60% of organizations breached in minutes or less [1]
• Compromise to discovery: 66% in months or years. 66% of breaches take months or years to discover [2]
• Unknown threat: 70-90% of malware samples are unique to an organization [1]
• Time to resolution: 32 days to respond to an incident [2]
[1] Verizon 2015 Data Breach Investigation Report
[2] Verizon 2013 Data Breach Investigation Report
“It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.”
METHODOLOGY OF AN ATTACK
[Diagram: attack phases plotted from “Their Ecosystem” to “Our Enterprise”, with the time each phase takes]
• Research (opportunity, in their ecosystem): days to weeks
• Infiltration (patient zero): seconds to minutes
• Discovery, capture and exfiltration (inside our enterprise): weeks to months
SANS SURVEY: ENDPOINT SECURITY TAKEAWAYS
• Perimeter defenses are breached, almost at will
  - More than half of survey participants operate assuming compromise
  - Attackers don’t need stealth or APT-style funding to get the job done
  - Proactive hunting is the only way to detect adversaries that have bypassed initial detection
  - The majority of respondents say they want to be able to obtain data from all queried endpoints in under 1 hour
  - Some critical endpoints (e.g. payment processing servers) cannot afford any downtime
FIVE STYLES OF ADVANCED THREAT DEFENSE
[Diagram: where to look (rows) against time (columns)]

  Where to look   Real-Time / Near-Real-Time             Postcompromise (Days/Weeks)
  Network         Style 1: Network Traffic Analysis      Style 2: Network Forensics
  Payload         Style 3: Payload Analysis (spans both time frames)
  Endpoint        Style 4: Endpoint Behavior Analysis    Style 5: Endpoint Forensics
YOUR CHALLENGES
• Not sure if you have been breached!
• Prevention isn’t working but there is no next step
• Everything occurs on the endpoint, but perimeter, network, & logs ≠ endpoint
• Too many alerts! What volume do you see?
• No way to identify security gaps and verify policies are working
• Lack of visibility into sensitive data
• Analysts spend too much time collecting and correlating data
ENDPOINT VISIBILITY IS EVERYTHING
• Broad operating system support ensures all your assets are covered, not just servers
• Non-reliance on the operating system for trusted and verifiable information
• Correlation across disparate data types
• Visibility into restricted, hidden and encrypted areas
• Forensic-level access to disk, memory and attached devices
• True remediation (wiping) capabilities
HOW DEEP IS DEEP?
[Diagram: artefact sources plotted from “human readable, easy data access, no interpretation required” to “high barrier to entry, reverse engineering required for truth, individual forensic interpretation”]
• Deep file system
• Dead registry
• OS EXE/DLL interaction
  − App Compat Cache
  − Windows SxS
• Windows Event Logs
• SQL/AD event logs
• Windows Management Instrumentation (WMI)
• Registry
• Processes
• ARP tables
• Memory
• LNK files
• Anti-forensic detection
• Prefetch
• Hash/entropy
• Open ports
• DNS cache
• Internet
• Open files
INSIDE OUT SECURITY FRAMEWORK
• Vendor agnostic
• Process to implement a security framework that moves from a passive to an active defense
• Applicable for teams with new or mature security plans
• Increase ROI on security analysts and technology
• Every tiny action leaves an artefact of either system or user activity
• Artefact correlation defines a baseline and tells a story of use, no limitations
• Proactively detect the aberrations: known, unknown, insider, and zero day threats
  - Anomalies indicate unseen threats
  - Review of security policies redefines direction
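The baseline-then-aberration idea above, shown as an added example that is not code from these slides or from the vendor’s product: process artefacts (image path and file hash) collected from every endpoint are stacked fleet-wide, and a binary is flagged when its hash is not the majority hash for its path or when it is seen on almost no hosts (least-frequency-of-occurrence, no signatures or IOCs involved). The inventory, host names and hash values are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample inventory: (host, image path, file hash). Hashes are
# short placeholders standing in for real digests.
INVENTORY = [
    ("ws01", r"C:\Windows\System32\svchost.exe", "h-aaa1"),
    ("ws02", r"C:\Windows\System32\svchost.exe", "h-aaa1"),
    ("ws03", r"C:\Windows\System32\svchost.exe", "h-aaa1"),
    ("ws04", r"C:\Windows\System32\svchost.exe", "h-aaa1"),
    ("ws05", r"C:\Windows\System32\svchost.exe", "h-bbb2"),  # same path, unexpected hash
    ("ws01", r"C:\Program Files\Office\winword.exe", "h-ccc3"),
    ("ws02", r"C:\Program Files\Office\winword.exe", "h-ccc3"),
    ("ws03", r"C:\Program Files\Office\winword.exe", "h-ccc3"),
    ("ws04", r"C:\Program Files\Office\winword.exe", "h-ccc3"),
    ("ws05", r"C:\Program Files\Office\winword.exe", "h-ccc3"),
    ("ws03", r"C:\Users\Public\update.exe", "h-ddd4"),  # present on one host only
]


def build_baseline(inventory):
    """Correlate per-host artefacts into a fleet-wide baseline: which hosts
    carry each hash, and which hash is the majority for each image path."""
    hosts_per_hash = defaultdict(set)
    hosts_per_path_hash = defaultdict(set)
    for host, path, digest in inventory:
        hosts_per_hash[digest].add(host)
        hosts_per_path_hash[(path, digest)].add(host)
    majority_hash = {}
    for (path, digest), hosts in hosts_per_path_hash.items():
        current = majority_hash.get(path)
        if current is None or len(hosts) > len(hosts_per_path_hash[(path, current)]):
            majority_hash[path] = digest
    return hosts_per_hash, majority_hash


def find_aberrations(inventory, max_prevalence=0.2):
    """Return (host, path, reason) for artefacts that deviate from the baseline:
    a hash that is not the majority for its path, or a hash seen on at most
    max_prevalence of the fleet (least-frequency-of-occurrence)."""
    total_hosts = len({host for host, _, _ in inventory})
    hosts_per_hash, majority_hash = build_baseline(inventory)
    findings = []
    for host, path, digest in inventory:
        n_hosts = len(hosts_per_hash[digest])
        if digest != majority_hash[path]:
            findings.append((host, path, "hash differs from fleet baseline for this path"))
        elif n_hosts / total_hosts <= max_prevalence:
            findings.append((host, path, f"rare: seen on {n_hosts} of {total_hosts} hosts"))
    return findings
```

On the constructed inventory this yields two findings: the svchost.exe on ws05 with a non-baseline hash, and the update.exe present on a single host.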
DETECT & ASSESS
DETECTION OF THE KNOWN AND UNKNOWN
Eliminate your reliance on signatures, heuristics, policies or IOCs.
The only way to detect what you haven’t already!
ASSESS & RESPOND
EXPOSED DATA IS A MAJOR RISK
• Proactively discover any sensitive data across the organization
  - Endpoints
  - Structured repositories (Office 365, shares, etc.)
• Enforce sensitive data policies
• Prioritize incident response around high-risk assets
Limit risk and exposure to an internal or external threat!
RESPOND AUTOMATICALLY
AUTOMATED INCIDENT RESPONSE
• Automated forensic collection integrates with existing security technologies
  - No information decay; works 24/7
• Reduce false-positive events quickly and gain down-stream benefits
• Identify unknown binaries triggering behavioral or heuristic alerts
Ensure valid perimeter, network and log events are being seen!
Reduce compromise to discovery from months to days or hours
RESPOND ON DEMAND
ON-DEMAND INCIDENT RESPONSE
Response shouldn’t take forever
• Quickly identify suspect processes using localized white/black lists
• Root out all potential indicators
• Determine if suspect files are threats with ThreatGrid and other intelligence sources
• Determine scope and impact across the organization of any threat instance
• Integrate with existing workflow management, home-grown and third-party point solutions
Reduce compromise to discovery and time to resolution from months to hours
RECOVER & REMEDIATE
RECOVERY AND REMEDIATION
• Kill running processes
• Surgically remove all iterations of malware and related artifacts
• Wipe sensitive data from unauthorized locations
• Produce reports demonstrating success/compliance
Wipe and reimage costs weeks! Reduce time to resolution from weeks to hours
CAN YOU AFFORD TO BE ONE OF THE NUMBERS?
• #1 in Endpoint Detection and Response by Gartner
• There is no security without endpoint visibility
• Detect unknown threats that perimeter, network, and logs can’t see
• Detect attacks before you end up a headline
• Enable your team to discover and resolve valid threats immediately