Preventing Data Breaches without Constraining Business Beograd 2016

Transcription

1 Contextual Security Intelligence Preventing Data Breaches without Constraining Business Beograd 2016

2 200+ employees > 50% y/y growth over year London Tower 42, 25 Old Broad Street, London EC2N 1HN Paris 105, rue Jules Guesde, Levallois Perret Munich 100+ resellers Stefan-George-Ring 29. D München Budapest Alíz street 2. H-1117 Budapest New York 40 Wall St. 28th Floor, NYC, NY Customers

3 Founded: 2000 Customers: Users: 1M+ Specializing: log management, advanced monitoring, user behavior analytics

4

5

6

7 Impossible to pre-define all rules Constant fear of breaches Activities without context

8 Impossible to pre-define all rules Constant fear of breaches Activities without context

9 Impossible to pre-define all rules Constant fear of breaches Activities without context

10 Professionals are target people. And any solutions will have to target the people problem, not the math problem

11 Immediate reaction Real-time knowledge of all actions CSI Recognition of the unusual Norm and pattern recognition and learning

12 Breach Prevention Intervention at the most relevant step of the kill chain Security Operations Real-time behavior intelligence Efficient forensic investigations CSI Compliance ROI Comprehensive overview of privileged activities Decreased cost of compliance Risk Assessment Policy breach & account risk detection

13 Identify malicious activity by detecting unusual behavior patterns Date, time, geo, commands, keystrokes, mouse, peer group outliers, etc. Insider threats and hijacked CSI accounts APT Kill Chain Intervention at the most relevant step of the kill chain

14 Efficient incident response & forensics capabilities Real time behavior intelligence through alerts Automated security reactions & CSI intervention

15 Account and global risk estimation Identifying account related policy violations Identify the gap between the privileges and actual behavior CSI

16 Comprehensive audit and review of application and system level access Compliance Plus integrating existing data recorded for compliance reasons into CSI to unveil security risks CSI Prioritize recorded audit trails based on risk

17 PREVENTION BY MONITORING LET S EXAMINE A HUMAN ATTACK! Time-frame for prevention Forensics

18 Privileged User Session Activity Log Activity User Profiles Login Time Login Location Host login Commands Keystrokes Mouse Applications Peer groups Privileged User Behavior Analytics

19 Privileged Imposter Session Activity Log Activity User Profiles Login Time Login Location Host login Commands Keystrokes Mouse Applications Peer groups Privileged User Behavior Analytics

20 Privileged Imposter Session Activity Log Activity Security Operations Center Login Time Login Location Host login Commands User Profiles Keystrokes Mouse Applications Peer groups Privileged User Behavior Analytics

21 Privileged Imposter Session Activity Log Activity Security Operations Center Login Time Login Location Host login Commands User Profiles Keystrokes Mouse Applications Peer groups Privileged User Behavior Analytics

22

23 Monitor user activity Baseline business-as-usual using machine learning Discover unknown threats based on deviation from the norm and risk in real-time Access Controls & Policies CSI Investigate and respond immediately

24 The Problem The Solution Vast amount of data Enriched Data Platform Instant access to activity data in forensic situations. Activity & log data collection across the entire enterprise Transparent session monitoring with agentless deployment Real-time data delivery for analytics and investigation Filtering, normalization and enrichment Understanding the situation The User Perspective Integrate contextual information into a single profile Drill down into CSI.DATA for deeper understanding Video replay & search in user recordings Visualize normal behaviour Not asked and not known CSI.DATA CSI.USER CSI.RISK Behavioural Analytics Machine learning of activities Anomaly Detection Real-time intervention Risk scoring and alerting 28

25

26

27 Syslog-NG & Syslog-ng STORE BOX

28 Information on all activities from the systems Reliable and secure collection, transport and storage Advanced processing & filtering

29 SYSLOG-NG DESCRIPTION Log Sources syslog-ng Destinations Servers Virtual Machines Filter Parse Flat Files Logstore TM Applications SQL Classify Normalize SIEM Log Analysis Network Devices Security Devices Store Rewrite SQL NoSQL syslog-ng Store Box

30 CHALLENGES OF LOG COLLECTION Log Sources Data in motion Data at rest Servers Virtual Machines Applications SQL Network Devices Security Devices

31 SYSLOG-NG ARCHITECTURE syslog-ng Relay syslog-ng syslog-ng Relay Server syslog-ng Clients

32 REAL TIME TRANSFORMATION Filter Classify Parse Rewrite Normalize Makes Log Data Easier to Analyze

33 SYSLOG-NG STORE BOX DESCRIPTION Turnkey solution Reports Physical / Virtual Appliance High performance indexing 100,000 logs/sec sustained Automated Archiving Raw storage: 1TB - 10 TB 35 GB/hr Web- Based Intuitive GUI Visualization Statistics Granular access control LDAP/Radius Integration Full text search RESTful API

34 Shell Control Box

35

36 Privileged Activity Monitoring = Immediate Benefits Implementation without changing workflows, clients/servers (no agents) Augmented log data Centralized authentication and authorization Credential management Audit trails for forensic investigations

37 IT Staff NO AGENTS Firewall, Network devices, Databases, Web/file servers, Citrix server Outsourcing partners Managers VDI users TRANSPARENT PROXY SOLUTION

38 IT Staff USE STANDARD TOOLS Firewall, Network devices, Databases, Web/file servers, Citrix server Outsourcing partners Managers VDI users TRANSPARENT PROXY SOLUTION

39 IT Staff TAMPER-PROOF EVIDENCE Firewall, Network devices, Databases, Web/file servers, Citrix server Outsourcing partners Managers VDI users TRANSPARENT PROXY SOLUTION

40 Outsourcee 4-eyes Control

41 Outsourcee 4-eyes Control

42 4-eyes Control Authorizer Outsourcee

43 4-eyes Control Authorizer Outsourcee

44 4-eyes Control Authorizer Auditor Real-Time follow Outsourcee

45 Real-time Prevention > scp financial.db Command detection > cat credit-cards > Screen-content detection Window-title detection

46 Real-time Prevention Never reaches other side SNMP

47 Review of the Audit Trails

48 Is reliable data enough? How do you know when privileged users do something bad? Are you sure that your people use their access in a responsible and compliant way? Can you hire enough skilled security analysts? Are you comfortable with your current method of reviewing logs and auditing records?

49

50

51 Time distributions Kernel density analysis

52 Time distributions Kernel density analysis Association rule learning Frequent itemset mining

53 Time distributions Kernel density analysis Association rule learning Frequent itemset mining Recommender systems & clustering

54 Time distributions Kernel density analysis Association rule learning Frequent itemset mining Recommender systems & clustering Analysis of commands and window titles Text analysis

55 Time distributions Kernel density analysis Association rule learning Frequent itemset mining Recommender systems & clustering Analysis of commands and window titles Text analysis Keystroke dynamics Stochastic outlier selection

56 Time distributions Kernel density analysis Association rule learning Frequent itemset mining Recommender systems & clustering Analysis of commands and window titles Text analysis Keystroke dynamics Stochastic outlier selection Pointing device detection Supervised machine learning on mouse gestures

57 Time distributions Kernel density analysis Association rule learning Frequent itemset mining Recommender systems & clustering Analysis of commands and window titles Text analysis Keystroke dynamics Stochastic outlier selection Pointing device detection Supervised machine learning on mouse gestures Scripted account detection Statistical hypothesis testing of periodicity

58

59 How to Review? Which part of the audit trails are the most interesting? How to choose which vendors should be reviewed? Which solution is significantly better than random sampling?

60

61

62 Cheating ONE algorithm requires: A valid user credential Perfect knowledge about the selected algorithm Time Cheating ALL algorithms requires: Several valid user credentials Perfect knowledge about ALL of the algorithms in Blindspotter Really lot of time even years and peer group analysis may be able to find this anomaly as well

63 What is Behavior? Behavior is the internally coordinated responses of whole living organisms to internal and/or external stimuli Daniel A. Levitis, PhD in Integrative Biology

64 0-knowledge Threats Things you do NOT know Questions you are NOT asking Questions you are asking Things you know

65 0-knowledge Threats Things you do NOT know Questions you are NOT asking Questions you are asking Things you know

66 0-knowledge Threats Things you do NOT know Questions you are NOT asking Questions you are asking Things you know

67 0-knowledge Threats PEN-TEST Things you do NOT know UBA VUL-SCAN NETWORK ANALYTICS SIEM Questions you are NOT asking Questions you are asking SPAM NAC AV DLP IDS/IPS FRAUD FW APP-WL Things you know

68 0-knowledge Threats PEN-TEST Things you do NOT know UBA VUL-SCAN NETWORK ANALYTICS SIEM Questions you are NOT asking Questions you are asking SPAM NAC AV DLP IDS/IPS FRAUD FW APP-WL Things you know

69 Traditional security approach Contextual security approach Manually defined Self learning Enforcing control Real-time knowledge & interaction Security damages continuity More Security with more freedom ROI only when accatcked Immediate visibility of ROI Partial vision Full knowledge of all actions

70 Traditional security approach Contextual security approach Manually defined Self learning Enforcing control Real-time knowledge & interaction Security damages continuity More Security with more freedom ROI only when accatcked Immediate visibility of ROI Partial vision Full knowledge of all actions

71 Traditional security approach Contextual security approach Manually defined Self learning Enforcing control Real-time knowledge & interaction Security damages continuity More Security with more freedom ROI only when accatcked Immediate visibility of ROI Partial vision Full knowledge of all actions

72 Traditional security approach Contextual security approach Manually defined Self learning Enforcing control Real-time knowledge & interaction Security damages continuity More Security with more freedom ROI only when accatcked Immediate visibility of ROI Partial vision Full knowledge of all actions

73 Traditional security approach Contextual security approach Manually defined Self learning Enforcing control Real-time knowledge & interaction Security damages continuity More Security with more freedom ROI only when attacked Immediate visibility of ROI Partial vision Full knowledge of all actions

74 Traditional security approach Contextual security approach Manually defined Self learning Enforcing control Real-time knowledge & interaction Security damages continuity More Security with more freedom ROI only when attacked Immediate visibility of ROI Partial vision Full knowledge of all actions

75

76