Catch an Active Cyber Attack in minutes

Transcription

1 Catch an Active Cyber Attack in minutes SIGS SOC FORUM, GENEVA FABIAN GENTINETTA Vectra Networks 1

2 It starts with your data source Data Quality and Speed Endpoint agents Data source options NetFlow Network Coverage Network traffic SIEM & logs Endpoint agents Incomplete coverage No context beyond the device NetFlow Volume-based traffic monitoring Optimised for performance Lacks details for threat detection SIEM and logs Relies on 2 nd hand summaries from devices that missed the attack Network traffic analysis Full real-time access to real traffic Context across time & all devices Vectra Networks 2 2

3 SIEM: reduces noise, doesn t find new threats Blind-Spot-free Coverage Security Analytics Cost, Complexity SIEM Manual Hunting Automation Automated Hunting Classic SIEM correlates alerts from other security products, but does not find any new threats Vectra discovers hidden threats by directly analyzing full-fidelity network traffic to expose attackers missed by prevention security solutions Vectra complements SIEM: adds new class of threat visibility into the SIEM Vectra Networks 3 3

4 Security analytics: drowning in the data lake Blind-Spot-free Coverage Security Analytics Cost, Complexity SIEM Manual Hunting Automation Automated Hunting Security Analytics products are manual hunting tools analysts need to figure out the right questions to ask Every data lake is different analytics are custom. Requires dedicated data science teams. E-W packet capture impractical massively expensive ($500K+/yr for Hadoop alone at 1K user org) More cost, more complexity for less coverage Vectra Networks 4 4

5 Endpoint detection and response: Limited device coverage Blind-Spot-free Coverage Endpoint detection & response Covers a subset of devices No IoT (7B business IoT by 2020!) No phone, printers, No BYOD / unmanaged devices Not trustworthy First thing attackers do is turn off endpoint agents Manual Hunting Automation Automated Hunting Vectra Networks 5 5

6 User behavior analytics: designed for a different problem Blind-Spot-free Coverage User Behavior Analytics UBA is designed to find rogue insiders, not attackers Attacker are good at looking just like normal users not going to find them looking at user behavior Vectra sees fundamental attacker behaviors across the kill chain, including the use of stolen credentials Manual Hunting Automation Automated Hunting Vectra Networks 6 6

7 The fastest, most efficient way to find and stop attacks Blind-Spot-free Coverage Security Analytics Cost, Complexity SIEM Endpoint detection & response User Behavior Analytics Vectra Automated vs Manual hunting Artificial intelligence base on machine learning and behavioral analytics Continuously learns and always on Reduces dwell time, increases analyst efficiency and lowers cost Blind-spot-free coverage All devices, including BYOD and IoT High-fidelity vs. logs or flow data Trustworthy endpoint agents are the first thing attackers disable Manual Hunting Automation Automated Hunting Vectra Networks 7

8 Automation makes security teams more efficient Analyzes all traffic all the time Without Vectra, most analysis is performed manually, and by exception Addresses the skills shortage Removes the time-consuming drudge work required of talented analysts Empowers IT generalists to take action Avoid the need for internal and external incident response Vectra Networks 8

9 Automated hunting reduces the data load on your analysts 100s to 1,000s of events and network traits condensed to a single Vectra detection Vectra provides analyst with pcaps, event details, and recommends next steps Detections automatically correlated to pinpoint physical hosts at the center of an attack SOC SIEM Incident Response Vectra integrates with enforcement and incident response platforms Firewall Endpoint NAC Vectra Networks 9

10 Phantom Integrations and Actions Category Vendors Enforcement Actions EndPoint Carbon Black Tanium Crowdstrike Cylance Microsoft Quarantine Host (CB) Terminate Process (CB & Tanium) Block IP (Microsoft) Logoff User (Microsoft) NAC Cisco ISE Quarantine Host FW Palo Alto Juniper Cisco ASA Ticketing Systems BMC Zendesk Jira ServiceNow Block IP Create Ticket LDAP Microsoft Reset Password Disable User Roadmap Vectra Networks

11 Demo Vectra Networks 11

12 Vectra Networks

13 Vectra Networks

14 Vectra Networks 14