Introduction, Overview and Capabilities. Revision Date: 01/11/13 Copyright MicroSolved, Inc., 2013 All Rights Reserved.

Transcription

1 Introduction, Overview and Capabilities Revision Date: 01/11/13 Copyright MicroSolved, Inc., 2013 All Rights Reserved 1

2 Executive Summary HoneyPoint Security Server (HPSS) is the most powerful tool you can use to lock in on and lock out attackers. HPSS is a powerful tool for organizations seeking to add effective threat management to their security efforts. Like a Swiss Army knife, HoneyPoint has many uses. It can assist with identifying internal malicious activity, help defend your perimeter against scans and probes, and reduce your risk levels by breaking attacker tools used against you. It can help you find and block malware and bots in your environment and even bring realistic threat metrics into your SDLC and other architecture changes before a single line of code is written or a single change is made. Platform Overview Launched in 2006, initially as a distributed honey pot product, HoneyPoint Security Server (HPSS) has grown well beyond the initial concept. Today HPSS is a patented platform of components woven into a tightly integrated, fully capable, extremely flexible threat detection product. Organizations around the world are using it as a means of early detection of internal and external attackers, malware outbreaks and signs of users poking around where they shouldn t be. Mature organizations have leveraged the product as a means of deterring attacks through automated black holing of scanning hosts on their perimeter, embedded detective controls inside their web applications to cut off users violating their terms of service and gather real world threat metrics to feed back into their mature risk management initiatives. Today, the HoneyPoint platform has grown into a centrally monitored set of components, each with a deeply focused detection ability. You can think of the components as a set of security building blocks which you can use to build a custom detection strategy for your environment. The blocks you can use from the HoneyPoint family look like this: 2

3 HPSS Overview Diagram 3

4 Here is a high level overview of each of the components pictured above: HPSS Console This is the central brain of the product. Designed as an easy to use GUI application, it receives the alerts detected by the sensor components and presents them to the user for analysis. It includes the plugin capability which allows for additional reporting and security automation based on the event data detected. The Console provides for point and click easy integration with SIEM products for clients who have deeper back-end data aggregation systems in place. HoneyPoint Agent This is the original HoneyPoint detection capability. Agent creates fake services on the network that have no real use other than detection. Since the services aren t real, any interaction with them is suspicious at best and malicious at worst. Agent is capable of emulating a great variety of services and is completely user configurable. Agent runs on Windows, Linux and OS X. Wasp Wasp is HoneyPoint s hybrid client for Windows systems. It offers many of the port dilation features of Agent, but layers on top of that a whitelisting detection mechanism, file change detection for key files and some simple heuristics to identify the most common signs of intrusion. Tiny footprint, immense flexibility, self tuning whitelisting and no interference with operations make it an excellent choice for critical infrastructure use. HoneyPoint Web This is a completely emulated web environment with a mock up of applications that the organization uses. The entire environment is fake and studded with detection mechanisms that capture and measure attacker behavior, intent and capability. It might seem to be a new version of a banking application accidentally exposed to the Internet, or a replica of an HMI or maybe a login portal for Sharepoint/ VPN or some other mechanism. What it really is is a detection mechanism for the good guys. Completely customized, able to detect the difference between a human attacker and most malware, it offers organizations a deeper, sneakier way to detect illicit behavior and measure the attacker attention various attack surfaces receive. HoneyElements Embeddable HTML and Javascript objects that can be added to new or existing real web applications, these HoneyPoints extend detection into the layers of the application itself. Integrates well with automated response and attacker black holing defenses to stop attackers and those engaging in undesired behaviors in real time. HoneyBees These work with Agent to simulate users authenticating to emulated services with plain text credentials. Organizations use this combination of tools to detect sniffing attacks and other attempts to harvest credentials off the wire or from network monitoring systems. HoneyPoint Trojans Trojans are fake documents, applications or archives that appear to be real, but are actually detection mechanisms. For example, they might appear to be a PDF of some acquisition plans, while in reality they are armed with code to alert the security team when they have been opened or tampered with. Trojans use many of the same tactics as attackers, but instead of infection as a goal, they provide for detection and alerting. HoneyPoint Decoy Appliances This is a set of hardened Linux powered devices that serve as an appliance for other components, usually Agent and Web. The appliances are available in three physical form factors (a rack mountable server, a 4

5 mini-desktop, and a field deployable power substation solid state system) and/or a set of virtual appliances for most common virtualization platforms. To learn more about these components and how they can be leveraged to give your organization new, flexible and deep detection capabilities, give us a call. Our engineers would be glad to discuss the technical capabilities and an account executive would be happy to work with you to create a HoneyPoint deployment that meets your needs AND your budget. At MicroSolved, we are passionate about information security and HoneyPoint Security Server is just another that way it shows! Use Cases HoneyPoint has been deployed in a variety of network architectures across a wide range of verticals. Below are a few quick summaries of how HPSS has been leveraged to create new visibility and detective capability in some client environments: In the world of ICS/SCADA, HoneyPoint has found a quickly growing set of fans. HPSS can be deployed in a completely passive way that has no chance of interfering with critical operations, yet still brings incredible detection capability and vision into even the most sensitive of networks. ICS/SCADA environments have traditionally embraced the honeypot ideal, coining the term canary for these tools, but never before have they had such an easy to use, distributable, centrally monitored honeypot capability like HoneyPoint brings to the table. This quick diagram shows a couple of ways that many organizations use HoneyPoint as a nuance detection platform inside ICS/SCADA deployments today. 5

6 Basically, they use HoneyPoint Agent/Decoy to pick up scans and probes, configuring it to emulate an endpoint or PLC. This is particularly useful for picking up wider area scans, probes and malware propagations. Additionally, many organizations are finding value in HoneyPoint Wasp, using its white list detection capabilities to identify new code running on HMIs, Historian or other Windows telemetry data systems. In many cases, Wasp can quickly and easily identify malware, worms or even unauthorized updates to the ICS/SCADA components. Another way that Wasp is used is to monitor key systems for malware. These systems could be the Windows workstations of likely phishing targets, critical workstations involved in sensitive business processes or frequent offenders, as detailed below: 6

7 Several organizations have begun to deploy HoneyPoint Wasp as a support tool for malware cleanup and as a component of monitoring specific workstations and servers for suspicious activity. In many cases, where the help desk prefers cleanup to turn and burn/re-image approaches, this may help reduce risk and overall threat exposures by reducing the impact of compromised machines flowing back into normal use. The diagram demonstrates one approach used by a customer to leverage Wasp for this purpose. A variety of other use cases are in play today around the world. Areas of focus have included retail point of sale, general network detections, acquired company network monitoring, specific sting operations to identify bad actors and a wide range of other applications. If you would like to discuss other specific scenarios, please contact an account executive. Licensing HoneyPoint Security Server is licensed by the number of sensors hosting the HoneyPoint applications. These can be a mixture of HoneyPoint Agents, Wasps, HoneyPoint Trojans, etc. Each license includes one Console on the platform of your choice. Additional Consoles are also available at a nominal fee. A HoneyPoint proxy is available to facilitate crossing network boundaries without exposing the Console system. HoneyPoint Security Server is licensed on a deployed host, per annum basis. The Console component controls licensing for most components. Each year of licensing includes support and all updates to the licensed components. Licenses may be purchased directly from MicroSolved, through a registered reseller or from a distributor such as SHI. Discounts are available for volume purchases and multiple year licenses. How to Purchase To obtain HoneyPoint Security Server, please contact your account executive or reseller. If you would like to discuss purchasing a license and need an account executive, please call (614) for assistance. Managed Service Offerings HoneyPoint Security Server is also available as a managed service option. Both internal and external networks are supported. Services are available from several Managed Services Partners, and in some specific cases, directly from MicroSolved, Inc. (for sensitive networks). Please contact your account executive or (614) for more information about managed services. 7

8 Sources for More Information More information about HoneyPoint Security Server can be found online at the following locations: HoneyPoint Deployment Maturity Model: Detection in Depth Maturity Model: Additionally, an online demonstration can be scheduled to walk your team through the product. Contact your account executive for more information. About MicroSolved, Inc. Founded in 1992, MicroSolved, Inc. was started by Brent Huston, whose vision of providing deeper security analysis to organizations continues to define the company. Over the past two decades, MicroSolved, Inc. has grown from a local information security company to an organization with international presence. Brent Huston has also become a popular information security conference speaker, author and senior editor for security books and magazines. 8