Live Demo: How to Detect a Cryptolocker Infection with AlienVault USM



DESCRIPTION

As an IT security pro, unless you've been hiding under a rock, you've heard about ransomware threats like Cryptolocker. These threats are typically delivered via an e-mail with a malicious attachment, or by directing a user to a malicious website. Once the Cryptolocker file executes and connects to the command and control server, it begins to encrypt files and demands payment to unlock them. As a result, detecting infection quickly is key to limiting the damage. AlienVault USM uses several built-in security controls working in unison to detect ransomware like Cryptolocker, usually as soon as it attempts to connect to the command and control server. Join us for a live demo showing how AlienVault USM detects these threats quickly, saving you valuable time in limiting the damage from the attack.

You'll learn:

• How AlienVault USM detects communications with the command and control server

• How the behavior is correlated with other signs of trouble to alert you of the threat

• Immediate steps you need to take to stop the threat and limit the damage


Page 1: How to Detect a Cryptolocker Infection with AlienVault USM


Page 2

About AlienVault

AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats.

Page 3

• More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.

• The number of organizations experiencing high profile breaches is unprecedented.

• The “security arms race” cannot continue indefinitely as the economics of securing your organization is stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.

Threat landscape: Our new reality

84% of organizations breached had evidence of the breach in their log files…

Page 4

“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.” - James Routh, 2007, CISO, Depository Trust Clearing Corporation

Prevention is elusive

Page 5

“How would you change your strategy if you knew for certain that you were going to be compromised?” - Martin Roesch, 2013, Founder & CTO, Sourcefire; author of Snort

Page 6

Prevent Detect & Respond

The basics are in place for most companies…but this alone is a ‘proven’ failed strategy.

New capabilities to develop

Get (Very) good at detection & response

Page 7

• Goal is to restrict access to a system or files until the ransom is paid

• Variations have been circulating since 1989

• Encrypting ransomware first seen in 2005

• In June 2013, McAfee reported that it had collected over 250,000 unique samples in Q1 2013 (2X the number collected in Q1 2012)

Ransomware / Extortionware

Page 8

1. Malware delivered via email or drive-by

2. File executes & compromises system

3. Trojan connects with C&C server

4. Encryption & notification of user begins

CryptoLocker in 4 Easy Steps
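The four steps above are also the detection opportunity the deck is built around: step 3 produces a network event (a connection to a known command and control address) and step 4 produces a burst of host file-change events, and only the combination is worth waking someone up for. The following Python sketch is an added example, not AlienVault code and not USM's correlation rule format. Every host, timestamp, path and address is constructed (the C&C list uses RFC 5737 documentation addresses as placeholders), and the ten-minute window and five-file threshold are assumptions.

```python
"""Correlating a C&C contact with follow-on file activity on the same host.

Added example, not AlienVault code and not USM's correlation rule format.
Two noisy signals become one high-confidence alarm when they line up:
  1. a network IDS event whose destination is on a C&C indicator list, and
  2. a burst of file-integrity (FIM) modifications to ransomware-targeted
     file types on that same host shortly afterwards.
Everything below is constructed: hosts, timestamps, paths and the C&C list
(RFC 5737 documentation addresses used as placeholders).
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

KNOWN_CC = {"203.0.113.7", "198.51.100.23"}        # placeholder indicator list
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf",
                       ".jpg", ".dwg", ".pst"}      # subset of the deck's list
WINDOW = timedelta(minutes=10)   # assumed: how soon after C&C contact to look
MIN_FILE_EVENTS = 5              # assumed: what counts as "mass modification"

# Constructed events in a normalized form: (timestamp, source, host, detail)
SAMPLE_EVENTS = [
    ("2014-01-15T09:02:11", "nids", "ws-042", "tcp 203.0.113.7:443"),
    ("2014-01-15T09:02:30", "fim", "ws-042", "modified C:\\Users\\a\\Docs\\q1.xlsx"),
    ("2014-01-15T09:02:31", "fim", "ws-042", "modified C:\\Users\\a\\Docs\\plan.docx"),
    ("2014-01-15T09:02:33", "fim", "ws-042", "modified C:\\Users\\a\\Docs\\site.dwg"),
    ("2014-01-15T09:02:35", "fim", "ws-042", "modified C:\\Users\\a\\Pictures\\1.jpg"),
    ("2014-01-15T09:02:36", "fim", "ws-042", "modified C:\\Users\\a\\Docs\\budget.pdf"),
    ("2014-01-15T09:02:40", "fim", "ws-042", "modified C:\\Users\\a\\Docs\\notes.txt"),
    ("2014-01-15T09:05:00", "nids", "ws-017", "tcp 198.51.100.23:80"),  # contact only
    ("2014-01-15T10:30:00", "fim", "ws-099", "modified C:\\Users\\b\\Docs\\a.docx"),
]


def parse(ev: Tuple[str, str, str, str]):
    """Turn the ISO timestamp string into a datetime; pass the rest through."""
    return datetime.fromisoformat(ev[0]), ev[1], ev[2], ev[3]


def cc_contacts(events) -> List[Tuple[datetime, str, str]]:
    """Network IDS events whose destination is on the C&C list: (time, host, ip)."""
    hits = []
    for ts, src, host, detail in map(parse, events):
        if src != "nids":
            continue
        ip = detail.split()[1].rsplit(":", 1)[0]   # "tcp 203.0.113.7:443" -> ip
        if ip in KNOWN_CC:
            hits.append((ts, host, ip))
    return hits


def targeted_file_events(events) -> Dict[str, List[datetime]]:
    """Per host, timestamps of FIM modifications to targeted file types."""
    by_host: Dict[str, List[datetime]] = defaultdict(list)
    for ts, src, host, detail in map(parse, events):
        if src != "fim" or not detail.startswith("modified "):
            continue
        ext = os.path.splitext(detail[len("modified "):])[1].lower()
        if ext in TARGETED_EXTENSIONS:
            by_host[host].append(ts)
    return by_host


def correlate(events) -> List[dict]:
    """Raise an alarm when a C&C contact is followed, within WINDOW, by at least
    MIN_FILE_EVENTS targeted-file modifications on the same host."""
    by_host = targeted_file_events(events)
    alarms = []
    for ts, host, ip in cc_contacts(events):
        n = sum(1 for t in by_host.get(host, []) if ts <= t <= ts + WINDOW)
        if n >= MIN_FILE_EVENTS:
            alarms.append({"host": host, "cc": ip,
                           "first_seen": ts.isoformat(), "files": n})
    return alarms


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALARM: {a['host']} contacted {a['cc']} at {a['first_seen']}, "
              f"then modified {a['files']} targeted files")
```

Running it on the constructed events raises one alarm for ws-042; ws-017 only contacted a listed address and ws-099 only changed a document, so neither reaches alarm level on its own, which is the point of correlating the two sources rather than alerting on either alone.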

Page 9

File extensions that Cryptolocker attacks include:

.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .jpg, .jpe, .jpg, .dng, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c, .3fr,…

Targeted Filetypes

Source: Softonic.com
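The targeted-extension list doubles as a triage aid once an alarm fires: a responder wants to know which of those files on a share or workstation have already been overwritten with ciphertext. The Python script below is an added example, not part of the deck and not an AlienVault tool. It walks a directory and, for files with one of the targeted extensions, flags those whose content no longer looks like that type, either because the format's well-known header (magic bytes) is missing or because the first 4 KiB has near-random Shannon entropy, which is what a freshly encrypted file looks like. The extension subset, the entropy threshold and the sample files it builds for the demo are assumptions/constructed; it is a heuristic for scoping damage, not a malware scanner.

```python
"""Triage helper: find targeted-type files that look encrypted.

Added example (not part of the AlienVault deck, not AlienVault code).
Two checks per file: (1) does the header still match the format's magic
bytes, and (2) is the sampled content near-random (high entropy)?
Thresholds and the extension subset are assumptions.
"""
import math
import os
import random
import shutil
import tempfile
from collections import Counter
from typing import Dict, Optional

# Subset of the deck's "Targeted Filetypes" slide.
TARGETED_EXTENSIONS = {
    ".odt", ".ods", ".odp", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
    ".ppt", ".pptx", ".pptm", ".mdb", ".accdb", ".pst", ".dwg", ".rtf", ".psd",
    ".pdf", ".eps", ".ai", ".jpg", ".jpe", ".dng", ".cr2", ".nef", ".raw",
    ".der", ".cer", ".crt", ".pem", ".pfx", ".p12", ".p7b", ".p7c",
}

# Well-known magic bytes for some of those formats (ZIP-based Office/ODF
# files start with a local file header; legacy Office uses OLE2).
ZIP, OLE2, JPEG = b"PK\x03\x04", b"\xd0\xcf\x11\xe0", b"\xff\xd8\xff"
MAGIC = {
    ".pdf": (b"%PDF",), ".rtf": (b"{\\rtf",), ".pem": (b"-----BEGIN",),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,),
    ".odt": (ZIP,), ".ods": (ZIP,), ".odp": (ZIP,),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".jpg": (JPEG,), ".jpe": (JPEG,),
}

ENTROPY_THRESHOLD = 7.2   # bits/byte (assumed); encrypted data approaches 8.0
SAMPLE_SIZE = 4096        # bytes read from the start of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> Optional[str]:
    """Reason string if a targeted-type file looks encrypted, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TARGETED_EXTENSIONS:
        return None
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    if not head:
        return None
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        return f"header mismatch for {ext}"
    ent = shannon_entropy(head)
    if ent >= ENTROPY_THRESHOLD:
        return f"high entropy ({ent:.2f} bits/byte)"
    return None


def scan_directory(root: str) -> Dict[str, str]:
    """Map path -> reason for every targeted-type file that looks encrypted."""
    suspects = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = classify_file(path)
            if reason:
                suspects[path] = reason
    return suspects


def build_sample_tree(root: str) -> None:
    """Write constructed samples: two intact files, two that look encrypted."""
    rng = random.Random(1234)                        # deterministic "ciphertext"
    junk = bytes(rng.getrandbits(8) for _ in range(SAMPLE_SIZE))
    samples = {
        "good.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 60,
        "good.dwg": b"AC1027" + b"drawing entity record " * 150,
        "bad.pdf": junk,          # known header type, header gone
        "bad.dwg": junk,          # no header rule, caught by entropy
        "readme.txt": b"not a targeted type\n",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo() -> Dict[str, str]:
    """Build the constructed tree in a temp dir, scan it, return {basename: reason}."""
    root = tempfile.mkdtemp(prefix="cryptotriage_")
    try:
        build_sample_tree(root)
        return {os.path.basename(p): r for p, r in scan_directory(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(f"{name}: {reason}")
```

Against real data, point `scan_directory` at the user profile or file share named in the alarm. The header check is the more reliable of the two signals for formats that have a fixed magic number; the entropy check covers the many targeted formats (CAD files, raw camera images, certificates in DER form) whose normal content is already compressed or binary, so expect some false positives there and treat the output as a list to verify, not a verdict.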

Page 10

CryptoLocker Even Takes Bitcoin

Page 11

So many security technologies to choose from

Given the 10 most recommended technologies and the pricing range, an organization could expect to spend anywhere from $225,000 to $1.46m in its first year, including technology and staff.

Source: The Real Cost of Security, 451 Research, April 2013

Factor into this:

• Initial licensing costs

• Implementation / optimization costs

• Ongoing management costs

• Renewal costs

• Integration of all the security technologies

• Training of personnel / incoming personnel

Page 12

Many point solutions…integration anyone?

“Security Intelligence through Integration that we do, NOT you”

USM Platform

• Bundled Products - 30 open-source security tools to plug the gaps in your existing controls

• USM Framework - Configure, manage, & run security tools. Visualize output and run reports

• USM Extension API - Support for inclusion of any other data source into the USM Framework

• Open Threat Exchange - Provides threat intelligence for collaborative defense

Page 13

USM, powered by AV Labs Threat Intelligence

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response

THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

USM Product Capabilities

Page 14

Unified Security Management

Complete. Simple. Affordable.

Delivery Options: Hardware, Virtual, or Cloud-based appliances

Open-Source version (OSSIM) also available

AlienVault USM provides the five essential security capabilities in one, pre-integrated platform

Unified Security Management (USM) Platform AlienVault Labs Threat Intelligence AlienVault Open Threat Exchange

Page 15

AlienVault Labs Threat Intelligence: Coordinated analysis, actionable guidance

• Updates every 30 minutes

• 200-350,000 IPs validated daily

• 8,000 collection points

• 140 countries

Page 16

AlienVault Labs Threat Intelligence: Coordinated analysis, actionable guidance

Weekly updates that cover all your coordinated rule sets:

• Network-based IDS signatures

• Host-based IDS signatures

• Asset discovery and inventory database updates

• Vulnerability database updates

• Event correlation rules

• Report modules and templates

• Incident response templates / “how to” guidance for each alarm

• Plug-ins to accommodate new data sources

Fueled by the collective power of AlienVault’s Open Threat Exchange (OTX)

Page 17

More Questions? Email [email protected]

NOW FOR SOME Q&A…

Test Drive AlienVault USM: Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Page 18