Intelligent Incident Response: Protecting your Organization

  • Published on
    15-Jan-2015

DESCRIPTION

This presentation provides an overview of an Economist Intelligence Unit survey, sponsored by Arbor Networks, that looks at incident response. In this presentation you will learn how prepared (or not) other organizations are for an incident, alongside best practices for intelligent incident response that will best protect your organization in the future.

Transcript

1. Intelligent incident response: Protecting your organisation. EUROPE
2. Intelligent incident response: Protecting your organisation. Darren Anstee, 29/04/14. Company logo. EUROPE, 29 April - 01 May 2014, Earls Court, London, UK

3. Incident Frequency
An Economist Intelligence Unit (EIU) report, sponsored by Arbor Networks.
- Intended to gauge the level of corporate preparedness for data-related incidents.
Data Sources:
- 360 survey respondents, 73% C-Level.
- In-depth interviews with key individuals.
[Chart: Incident Frequency. Categories: Overall, North America, Europe, APAC. Legend: None, Same, Less, More. Axis 0%-100%. Data labels as extracted: 29% 30% 29% 28% / 17% 17% 17% 17% / 31% 33% 29% 31% / 23% 20% 25% 24%]
Incidents ARE Increasing in Frequency. http://www.arbornetworks.com/ciso/eiureport

4. How Prepared are You?
[Chart: How Prepared are You? Categories: Overall, With Incident Response Plan, Without Incident Response Plan. Legend: Not at all Prepared, Somewhat Unprepared, Somewhat Prepared, Fully Prepared. Axis 0%-100%. Data labels as extracted: 17% 27% 2% 55% 67% 36% 20% 67% 43% 7% 6% 20%]

5. Cost. Business Disruption. Loss of Customer Trust.

6. How are threats getting through?
[Chart: Threats On Corporate Network. Categories: Advanced Persistent Threat, Botted or Compromised Hosts, Under-capacity for bandwidth, Industrial Espionage, Malicious Insider, Other. Axis 0-60]
Huge number of ways in: Drive By Download, SPAM/Phishing, Watering Hole, USB.
Leveraging vulnerabilities in: JavaScript, Java applets, Compound Documents, Anything Adobe.
Many Threat Vectors:
- New AND Old
- IPS/AV Limited coverage
- Patching lag
7. What New Threats? Just New Techniques!
Attackers will always choose to obfuscate vs. finding a new attack vector.

8. What does Java Script Obfuscation Look Like?

9. And in the Real World..

10. Bot Builder with Anti-Detection

11. Cyber Crime Service Industry
- Crypters bypass anti-malware and other security solutions.
- DDoS bots, banking trojans, password stealers, ransomware (blockers), etc.
- Crypter service - $20 per bot, cyber-crime service industry.

12. Lots of Methods and Mechanisms... and Guidance

13. Alert Fatigue
At Boston Medical Center they were experiencing 12,000 alarms a day, on average. That kind of cacophony was producing a growing problem known as "alarm fatigue." "Alarm fatigue is when there are so many noises on the unit that it actually desensitizes the staff."

14. So, how do we get better at this?
- Actionable Threat Intelligence: Use the expertise within vendors, integrators to maximise our own effectiveness.
- Broad Visibility: Monitor within the network, not just at the perimeter.
- Deep Visibility: Packet capture and threat detection at key network locations.
- Workflow: Solutions that fit into an IR workflow and enable personnel and processes.

15. Actionable Threat Intelligence - Reputation
Can be VERY effective, if it is derived in the right way.
- Granular data to prevent false positives/negatives: IP address and port, not just address; Layer 7 Hostnames, URLs etc.
- Data based on in-depth research and monitoring: Not just attack behavior; Historical context for confidence; Understanding of threat family + confidence.
[Diagram: CnC, Phishing, DriveBy; Variant 1, Variant 2]

16. Actionable Threat Intelligence - Reputation
Can be VERY effective, if it is derived in the right way.
- Granular data to prevent false positives: IP address and port, not just address; Layer 7 Hostnames, URLs etc.
- Data based on in-depth research and monitoring: Not just attack behavior; Historical context for confidence; Understanding of threat family + confidence.
Active Campaigns: Gameover Zeus, ZeroAccess, Citadel, DarkComet, Simda, Gh0strat, Shylock, Ramnit, XtremeRAT, Ponmocup, Cridex, NetTraveler, Carberp, Bifrost, Hangover, Pony, PoisonIvy, Taidoor, Specix, Spyeye.
17. Broad Visibility - Flow
Leverage Flow technologies for:
- Cost-effective, scalable visibility.
- Layer 3/4 picture of internal network: Who talks to who, when and how much.
- Develop a model of normal network/user behavior; Build policy/visibility around user-identity.
- Correlate: With actionable threat intelligence; Detect suspicious or malicious activities wherever they occur.

18. Deep Visibility - Packet Capture
Use high-speed packet capture for deeper visibility:
- Monitor for specific threats at network/data-centre edge.
- Store forensic data for interactive, retrospective analysis: Investigate scope of compromise / kill chain.
- Correlate (repeatedly): With actionable threat intelligence.

19. Deep Visibility - Packet Capture
Correlate (repeatedly) with actionable threat intelligence.
[Timeline diagram: Month 1 Traffic, Month 2 Traffic, Month 3 Traffic. Zero Day attack here. Intelligence update without signature for the Zero Day attack. Intelligence updates INCLUDING signature for the Zero Day attack. Detection capability updates occur at different times. Stored traffic can be correlated with updated threat intelligence: All Traffic Correlated - Zero Day not found; All Traffic Correlated - Zero Day FOUND. Now that Zero Day attack has been identified, the attack timeline can be established.]
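The two ideas in slides 15-16 (indicator granularity: IP and port, not just address, plus Layer 7 hostnames) and slides 18-19 (keep stored traffic and re-correlate it every time the intelligence is updated, so a zero day that predates its indicator is still found and its timeline recovered) can be shown in one small program. The following is an added, constructed example and is not code from the presentation or from Arbor Networks; the `Flow`, `Indicator`, `correlate`, `attack_timeline` and `demo` names, the sample flow records (RFC 5737 test addresses) and the "Hypothetical-CnC-A" / "Hypothetical-Phish-B" family labels are all assumptions made for illustration.

```python
"""Retrospective correlation of stored network records against threat intelligence.

Constructed, self-contained example (not code from the presentation or from
Arbor Networks). Stored flow/packet summaries are kept for several months;
intelligence updates arrive at different times; each update is re-run over ALL
stored records, so an attack that predates its indicator is still found and its
timeline (first/last sighting per victim) can be reconstructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One stored flow record (constructed sample data, RFC 5737 test addresses)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    hostname: Optional[str] = None   # Layer-7 context such as HTTP Host / TLS SNI


@dataclass(frozen=True)
class Indicator:
    """A reputation entry; granularity is ip only, ip+port, or hostname."""
    family: str                       # threat family label (hypothetical names below)
    ip: Optional[str] = None
    port: Optional[int] = None
    hostname: Optional[str] = None
    confidence: int = 50              # 0-100, backed by historical context

    def matches(self, f: Flow) -> bool:
        if self.hostname is not None:            # Layer-7 indicator
            return f.hostname == self.hostname
        if self.ip is None or f.dst != self.ip:  # needs at least an address
            return False
        return self.port is None or f.dport == self.port


@dataclass(frozen=True)
class Match:
    flow: Flow
    indicator: Indicator


def correlate(flows: Iterable[Flow], intel: Iterable[Indicator],
              min_confidence: int = 0) -> List[Match]:
    """Run every indicator over every stored record; repeat on each intel update."""
    usable = [i for i in intel if i.confidence >= min_confidence]
    return [Match(f, i) for f in flows for i in usable if i.matches(f)]


def attack_timeline(matches: Iterable[Match]) -> Dict[Tuple[str, str], Tuple[str, str, int]]:
    """Per (family, internal host): first sighting, last sighting, hit count."""
    tl: Dict[Tuple[str, str], Tuple[datetime, datetime, int]] = {}
    for m in matches:
        key = (m.indicator.family, m.flow.src)
        first, last, n = tl.get(key, (m.flow.ts, m.flow.ts, 0))
        tl[key] = (min(first, m.flow.ts), max(last, m.flow.ts), n + 1)
    return {k: (a.isoformat(), b.isoformat(), n) for k, (a, b, n) in tl.items()}


# Constructed stored traffic: 10.0.0.5 beacons to 198.51.100.7:8443 from month 1;
# 10.0.0.9 legitimately reaches a site on the same shared address on port 443.
STORED_FLOWS = [
    Flow(datetime(2014, 1, 3, 9, 0), "10.0.0.5", "198.51.100.7", 8443),
    Flow(datetime(2014, 1, 17, 9, 5), "10.0.0.5", "198.51.100.7", 8443),
    Flow(datetime(2014, 2, 2, 10, 0), "10.0.0.9", "198.51.100.7", 443, "www.example.org"),
    Flow(datetime(2014, 2, 20, 9, 1), "10.0.0.5", "198.51.100.7", 8443),
    Flow(datetime(2014, 3, 1, 12, 0), "10.0.0.12", "203.0.113.4", 80, "update.example.net"),
]

# Month-2 intel update: knows nothing about the beaconing yet (hypothetical family names).
INTEL_MONTH2 = [Indicator("Hypothetical-Phish-B", hostname="login-example.test", confidence=80)]
# Month-3 update adds an ip+port indicator for the command-and-control endpoint.
INTEL_MONTH3 = INTEL_MONTH2 + [
    Indicator("Hypothetical-CnC-A", ip="198.51.100.7", port=8443, confidence=90)]
# A coarse, address-only version of the same indicator, for comparison.
COARSE_INTEL = [Indicator("Hypothetical-CnC-A", ip="198.51.100.7", confidence=40)]


def demo() -> dict:
    """Re-correlate all stored traffic after each update and compare granularities."""
    month2 = correlate(STORED_FLOWS, INTEL_MONTH2)
    month3 = correlate(STORED_FLOWS, INTEL_MONTH3)
    coarse = correlate(STORED_FLOWS, COARSE_INTEL)
    return {
        "hits_after_month2_update": len(month2),          # 0: indicator did not exist yet
        "hits_after_month3_update": len(month3),          # 3: all stored beacons found
        "timeline": attack_timeline(month3),              # first sighting is back in month 1
        "coarse_flagged_hosts": sorted({m.flow.src for m in coarse}),  # includes 10.0.0.9
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the two points side by side: the month-2 correlation finds nothing because no indicator for the endpoint existed yet, the month-3 re-run over the same stored records finds all three beacons and dates the first one to month 1, and the address-only indicator also flags the unrelated host that merely shares the destination address, which is the false positive the slides' "IP address and port, not just address" advice avoids.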
20. Workflow - Maximise Effectiveness
Put the power back in the hands of the analysts:
- Network & Threat Visibility, in context.
- Incident Response Workflow.
Technology should enable personnel & process investment, regardless of how many you have, or skill set.
[Cycle diagram: IDENTIFY - Comprehensive monitoring and threat detection; Prioritize; ANALYZE - Situational Awareness, augment detected events with relevant context; React; PROTECT - Provide surgical mitigation and forensic capabilities.]

21. 13+ Years of Innovation
- The Internet and security is our heritage: Founded from a DARPA grant; Over 40 networking and security patents.
- Serving The World's Most Demanding Networks: Across 60 countries; Service Providers, Hosters, Fortune 50 companies; Largest financials and online giants.
- Trusted Experts Globally: Over 400 employees around the globe; >50% in Engineering, Service and Support; Best in class support experts, global infrastructure.
- ATLAS/ASERT Threat Intelligence: Unrivalled visibility, analyzing 80 Tb/sec of data; Well regarded security research expertise.
