Operationalizing your Security Data. Presenter: Lee Imrey Splunk, Security Market Specialist

Size: px
Start display at page:

Download "Operationalizing your Security Data. Presenter: Lee Imrey Splunk, Security Market Specialist"

Transcription

1 Operationalizing your Security Data Presenter: Lee Imrey Splunk, Security Market Specialist

2 Agenda Introduction Basics Using the right tools for the jobs Identifying (and Exploring) Data Sources Investigation and Deconstruction of an Attack Using Splunk Demos

3 > Lee Imrey $whoami < 1 year at Splunk Security Specialist Based in South Dakota / Texas 20+ years in security, every role from uber-geek to CISO Certifications from (ISC)2, SANS, ISACA, IAPP, CPP, etc. Experience from healthcare, finance, consulting, fed gov, etc. Blah blah blah 3

4 Security Data Comes In Many Forms IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring Tools: Firewalls, Proxies, Splunk Stream, Bro, IDS Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, active ports and services Tools: Splunk Stream, Bro IDS, FPC, Netflow DNS: queries and responses, zone transfers, other activities Tools: Splunk Stream, Bro IDS, OpenDNS Endpoints: users, processes, drivers, registry, hardware, memory, disk activity, file integrity, file creation or deletion Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory Vulnerability Management Data Tools: Qualys, Nessus, Rapid7, etc. User Behavior Analytics: TTPs, user monitoring, time of day, location, HR watchlist Tools: Splunk UBA (All of the above) 4

5 You Need The Right Tools For The Job or 5

6 But Even More, You Need The Right Data Threat Intelligence Web Desktops Traditional Servers DHCP/ DNS CMDB Hypervisor Badges Firewall Authentication Vulnerability Scans Custom Apps Network Flows Storage Mobile Intrusion Detection Data Loss Prevention Anti- Malware Physical Access Transaction Records 6

7 How Do You Use All Your Data? 7

8 You Have Your Data What Do You Do With It? SANS Threat Hunting Maturity Ad Hoc Search Statistical Analysis Visualization Techniques Aggregation Machine Learning/ Data Science 85% 55% 50% 48% 32% Source: SANS IR & Threat Hunting Summit

9 Choosing Data Sources to Expose the Kill Chain

10 Demo Story - Kill Chain Framework Brute force attack get sensitive pdf Phishing mail with weaponized pdf Dropper retrieves and installs malware payload Data Exfiltration Source: Lockheed Martin Weaponize pdf with Zeus Malware Dropper process created through exploitation of vulnerable pdf reader Persistence via regular outbound comm

11 APT Transaction Flow Across Data Sources Data Sources Threat Intelligence Network , Proxy, DNS, and Web Endpoint Transaction Attacker creates malware, embed in.pdf, s to the target Attacker hacks website Steals.pdf files MAIL Gain Access to system Create additional environment Our Investigation begins by detecting Web high risk communications Portal.pdf through the proxy, at the endpoint, and even a DNS call. Read , open attachment http (proxy) session to command & control server.pdf executes & unpacks malware overwriting and running allowed programs Conduct Business Remote control Steal data Persist in company Rent as botnet Proxy.pdf Calc.exe (dropper) Svchost.exe (malware) 11

12 To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources. In this demo environment, we have a variety of security relevant data including Web DNS Proxy Firewall Endpoint

13 Take a look at the Lets get our day started by looking endpoint data source. using threat intel to prioritize We our are using the efforts and focus on communication Microsoft SysmonTA. with known high risk entities. We have endpoint visibility into all network communication and can map each connection back to a process. } } We also have detailed info on each process and can map it back to the user and parent process.

14 We have multiple source IPs communicating to high risk entities identified by these 2 threat sources. We see multiple threat We are intel seeing related high risk events across multiple communication source types from associated with the multiple IP Address data of sources. Chris Gilbert. Let s take closer look at the IP Address. This dashboard is based on event data that contains a threat intel based indicator match( IP Address, domain, etc.). The data is further enriched with CMDB based We can Asset/identity now see the owner information. of the system (Chris Gilbert) and that it isn t a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe.

15 We are now looking at only threat intel related activity for the IP Address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources. These We then trend see lines threat tell a intel very related interesting endpoint and visual proxy story. events It appears that occurring the asset periodically makes a DNS and query likely Scroll involving communicating down the a threat dashboard with intela to related known Zeus examine domain botnet these or based threat IP Address. on intel the threat events intel associated source with (zeus_c2s). the IP Address. Scroll Down

16 It s worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk. The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation. Within the same Proxy dashboard, related threat we have intel matches are access to very important high fidelity for endpoint helping us to prioritize our data that allows efforts an analyst toward to initiating continue an the investigation investigation. in a very efficient Further investigation into manner. It is the important endpoint to is note often that very time near real-time consuming access to and this type often of involves multiple endpoint data internal is not not hand-offs common to within other teams or the traditional needing SOC. to access additional systems. This encrypted proxy traffic is concerning because of the large amount of data (~1.5MB) being transferred which is common when data is being exfiltrated.

17 We immediately see the outbound communication with via https Outbound is associated communication with the svchost.exe to a process known on high-risk the windows external endpoint. address, The Lets continue the investigation. process especially id is when There encrypted, is a great suggests deal more exfiltration information of data. from This the endpoint is a serious as you concern scroll down to any such organization. as the user ID that started the process and the associated CMDB enrichment information. We also see that svchost.exe should be located in a Windows system directory but this is being run in the user space. This suggests malicious intent.

18 We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).

19 This has brought us to the Process Explorer dashboard which lets We us also can see that the parent process that created this This process calls itself svchost.exe, view Windows Sysmon endpoint data. suspicious svchost.exe process is a common Windows process, but the called Lets continue calc.exe. the investigation by path is not the normal path for examining the parent process as this svchost.exe. is almost certainly a genuine threat Suspected Malware Suspected Downloader/Dropper and we are now working toward a root cause. which is a common trait of malware attempting to evade detection. We also see it making a This is very consistent with Zeus DNS query (port 53) then behavior. The initial exploitation communicating This via is a port standard 443. Windows app, but generally creates a downloader or not in its usual directory, telling us dropper that will then download the that the malware has again spoofed Zeus malware. It seems like calc.exe a common file name. may be that downloader/dropper.

20 Suspected Downloader/Dropper The Parent Process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack. We have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating. Suspected Vulnerable App

21 We can see that the PDF Reader process has no identified parent and is the root of the infection. Scroll down the dashboard to examine activity related to the PDF reader process. Scroll Down

22 We have our root cause! Chris opened a weaponized.pdf file which contained the Zeus malware. It appears to have been delivered via and we have access to our logs as one of our important data sources. Lets copy the filename 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise. Chris opened 2nd_qtr_2014_report.pdf which was an attachment to an !

23 Lets dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.

24 Lets search though multiple data sources to quickly get a sense for who else may have have been exposed to this file. We will come back to the web activity that contains reference to the pdf file but lets first look at the event to determine the scope of this apparent phishing attack.

25 Hold On! That s not our Domain Name! The spelling is close but it s missing a t. The attacker likely registered a This looks to be a very domain name that is very close targeted spear phishing to the company domain hoping attack as it was sent to Chris would not notice. only one We employee have access (Chris). to the body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results. There s our attachment.

26 Root Cause Recap Data Sources Threat Intelligence Gain Access to system Transaction We utilized threat intel to detect communication with known high risk indicators and kick off our investigation Attacker hacks website Web Steals.pdf then files worked backward Portal through the kill.pdf chain toward a root cause. Create additional environment Conduct Business Remote control Steal data Persist in company Rent as botnet Network , Proxy, DNS, and Web Endpoint Attacker creates malware, embed in.pdf, s to the target MAIL This investigation was significantly enhanced by our ability Read to , associate open attachment network comms with endpoint process data. The ability to quickly identify root cause in a http (proxy) session malware investigation to is very streamlined Proxy command & control compared to legacy server SIEMs. This translates into saved time, saved resources, and saved money..pdf executes & unpacks malware overwriting and running allowed programs.pdf Calc.exe (dropper) Svchost.exe (malware) 26

27 Let s revisit the search for additional information on the bad pdf file. Select the access_combined sourcetype to investigate further. We saw that the file arrived via and opened at the endpoint. Why do we see a reference to the file in our web server logs (called access_combined)? 27

28 The results show has accessed this file from the web portal of buttergames.com. There is also a known threat intel association with the source IP Address downloading (HTTP GET) the file. 28

29 29 Select the IP Address, left-click, then select New search. We would like to understand what else this IP Address has accessed in the environment.

30 That s an abnormally large number of requests sourced from a single IP Address in a ~90 minute window. This looks like a scripted action given the constant high rate of requests over the below window. Notice the Googlebot useragent string which is another attempt to avoid raising attention.. Scroll down the dashboard to examine other interesting fields to further investigate. Scroll Down 30

31 The requests from are dominated by requests to the login page (wp-login.php). It s clearly not possible to attempt a login this many times in a short period of time this is clearly a scripted brute force attack. The attacker is also accessing admin pages which may be an attempt to establish persistence via a backdoor into the web site. After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the zeus malware, then delivered it to Chris Gilbert as a phishing . 31

32 Kill Chain Analysis Across Data Sources Data Sources Threat Intelligence Network , Proxy, DNS, and Web Endpoint Transaction Attacker creates malware, embed in.pdf, s to the target Attacker hacks website Steals.pdf files MAIL Once We Gain began our root Access by reviewing cause analysis We to system We were was threat complete, continued able intel to the see related we investigation which shifted events out file by was focus for pivoting opened a into particular the into by web IP address the the logs to endpoint vulnerable determine Web data and source observed app and and that used DNS, the sensitive a Proxy, pdf We traced Portal.pdf determined file and the Endpoint svchost.exe events for a Zeus workflow malware A quick was that obtained action to determine user in back search the via a brute force attack Sales. against to into it s the mail malicious the parent which logs process process revealed We file was traced ID which on delivered the the calc.exe details was endpoint back to to company website. the calc.exe was the behind user responsible the via the vulnerable . phishing for the application attack downloader/dropper. outbound and revealed PDF communication. Reader. that the scope of the compromise was limited to just the one user. Read , open attachment Create additional environment http (proxy) session to command & control server.pdf executes & unpacks malware overwriting and running allowed programs Conduct Business Remote control Steal data Persist in company Rent as botnet Proxy Investigation complete!.pdf Calc.exe (dropper) Svchost.exe (malware) 32

33 To get your hands-on Splunk ES If you want to follow along during today s demo of Splunk Enterprise Security, go to: responsive=1&redirecturl=%2fgetsplunk%2fes_sandbox (If you don t like typing, go to: Either will give you your own ES Sandbox.

34 Attend a demo session to learn more about Enterprise Security & Splunk UBA. Or leave a card if you d like someone to contact you 34

Best Practices for Scoping Infections and Disrupting Breaches

Best Practices for Scoping Infections and Disrupting Breaches 2017 SPLUNK INC. Best Practices for Scoping Infections and Disrupting Breaches Analytics-Driven Security Alain Gutknecht Staff SE alain@splunk.com 2017 SPLUNK INC. The Ever-Changing Threat Landscape 100%

More information

Un SOC avanzato per una efficace risposta al cybercrime

Un SOC avanzato per una efficace risposta al cybercrime Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat

More information

Behavioral Analytics A Closer Look

Behavioral Analytics A Closer Look SESSION ID: GPS2-F03 Behavioral Analytics A Closer Look Mike Huckaby VP, Global Systems Engineering RSA The world is full of obvious things which nobody by any chance ever observes. Sherlock Holmes 2 Patterns

More information

Automated Threat Management - in Real Time. Vectra Networks

Automated Threat Management - in Real Time. Vectra Networks Automated Threat Management - in Real Time Security investment has traditionally been in two areas Prevention Phase Active Phase Clean-up Phase Initial Infection Key assets found in the wild $$$$ $$$ $$

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Analyze & prioritize alerts across various sources The cornerstone of security

More information

Reducing the Cost of Incident Response

Reducing the Cost of Incident Response Reducing the Cost of Incident Response Introduction Cb Response is the most complete endpoint detection and response solution available to security teams who want a single platform for hunting threats,

More information

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved. Key Technologies for Security Operations 2 Traditional Security Is Not Working 97% of breaches led to compromise within days or less with 72% leading to data exfiltration in the same time Source: Verizon

More information

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson THE RSA NETWITNESS SUITE REINVENT YOUR SIEM Presented by: Walter Abeson 1 Reality Goals GOALS VERSUS REALITY OF SIEM 1.0 Single compliance & security interface Analyze & prioritize alerts across various

More information

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Automated Response in Cyber Security SOC with Actionable Threat Intelligence Automated Response in Cyber Security SOC with Actionable Threat Intelligence while its biggest weakness is lack of visibility: SOCs still can t detect previously unknown threats, which is a consistent

More information

Compare Security Analytics Solutions

Compare Security Analytics Solutions Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch

More information

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data Sharing What Matters Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data Dan Gunter, Principal Threat Analyst Marc Seitz, Threat Analyst Dragos, Inc. August 2018 Today s Talk at

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting Microsoft Cloud Evangelist at Patriot Consulting Principal Systems Architect with 17 Years of experience Technical certifications: MCSE, MCITP Office

More information

Qualys Indication of Compromise

Qualys Indication of Compromise 18 QUALYS SECURITY CONFERENCE 2018 Qualys Indication of Compromise Bringing IOC to the Next Level Chris Carlson VP, Product Management, Qualys, Inc. Adversary TTPs are Changing Early 2010s Zero-day Vulnerabilities

More information

esendpoint Next-gen endpoint threat detection and response

esendpoint Next-gen endpoint threat detection and response DATA SHEET esendpoint Next-gen endpoint threat detection and response esendpoint powered by Carbon Black eliminates endpoint blind-spots that traditional technologies miss. Operating on a philosophy that

More information

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Cisco Cyber Range. Paul Qiu Senior Solutions Architect Cisco Cyber Range Paul Qiu Senior Solutions Architect Cyber Range Service A platform to experience the intelligent Cyber Security for the real world What I hear, I forget What I see, I remember What I

More information

Imperva Incapsula Website Security

Imperva Incapsula Website Security Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as

More information

CloudSOC and Security.cloud for Microsoft Office 365

CloudSOC and  Security.cloud for Microsoft Office 365 Solution Brief CloudSOC and Email Security.cloud for Microsoft Office 365 DID YOU KNOW? Email is the #1 delivery mechanism for malware. 1 Over 40% of compliance related data in Office 365 is overexposed

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

Sandboxing and the SOC

Sandboxing and the SOC Sandboxing and the SOC Place McAfee Advanced Threat Defense at the center of your investigation workflow As you strive to further enable your security operations center (SOC), you want your analysts and

More information

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture About this Course This course will best position your organization to analyse threats and detect anomalies that could indicate cybercriminal behaviour. The payoff for this new proactive approach would

More information

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

Detect Cyber Threats with Securonix Proxy Traffic Analyzer Detect Cyber Threats with Securonix Proxy Traffic Analyzer Introduction Many organizations encounter an extremely high volume of proxy data on a daily basis. The volume of proxy data can range from 100

More information

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X Demonstration / Feature Walk Through Deployment Options Q & A 2 Endpoint Security has reached a Tipping Point Attacks

More information

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018 Tanium Endpoint Detection and Response (ISC)² East Bay Chapter Training Day July 13, 2018 $> WhoamI 11 Years of Security Experience Multiple Verticals (Technology, Industrial, Healthcare, Biotech) 9 Years

More information

A YEAR OF PURPLE. By Ryan Shepherd

A YEAR OF PURPLE. By Ryan Shepherd A YEAR OF PURPLE By Ryan Shepherd WHOAMI DETECTION and RESPONSE Investigator for Countercept Threat Hunter PURPLE Team Consultant Offensive Security Certified Professional (OSCP) Crest Registered Intrusion

More information

RSA NetWitness Suite Respond in Minutes, Not Months

RSA NetWitness Suite Respond in Minutes, Not Months RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations

More information

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? WHAT IS FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? While firewalls started life simply protecting networks from outside hacks and attacks, the role of the firewall has greatly evolved to take

More information

THE ACCENTURE CYBER DEFENSE SOLUTION

THE ACCENTURE CYBER DEFENSE SOLUTION THE ACCENTURE CYBER DEFENSE SOLUTION A MANAGED SERVICE FOR CYBER DEFENSE FROM ACCENTURE AND SPLUNK. YOUR CURRENT APPROACHES TO CYBER DEFENSE COULD BE PUTTING YOU AT RISK Cyber-attacks are increasingly

More information

Seceon s Open Threat Management software

Seceon s Open Threat Management software Seceon s Open Threat Management software Seceon s Open Threat Management software (OTM), is a cyber-security advanced threat management platform that visualizes, detects, and eliminates threats in real

More information

Integrated, Intelligence driven Cyber Threat Hunting

Integrated, Intelligence driven Cyber Threat Hunting Integrated, Intelligence driven Cyber Threat Hunting THREAT INVESTIGATION AND RESPONSE PLATFORM Zsolt Kocsis IBM Security Technical Executive, CEE zsolt.kocsis@hu.ibm.com 6th Nov 2018 Build an integrated

More information

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response Advanced Threat Hunting with Carbon Black Enterprise Response TABLE OF CONTENTS Overview Threat Hunting Defined Existing Challenges and Solutions Prioritize Endpoint Data Collection Over Detection Leverage

More information

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive

More information

Not your Father s SIEM

Not your Father s SIEM Not your Father s SIEM Getting Better Insights & Results Bill Thorn Director, Security Operations Apollo Education Group Agenda Why use a SIEM? What is a SIEM? Benefits of Using a SIEM Considerations Before

More information

RULES VERSUS MODELS IN YOUR SIEM

RULES VERSUS MODELS IN YOUR SIEM WHITE PAPER RULES VERSUS MODELS IN YOUR SIEM INTRODUCTION There has been a rapid increase in malicious insider threats, compromised insiders, and sensitive data exfiltration targeting enterprises today.

More information

RSA ECAT DETECT, ANALYZE, RESPOND!

RSA ECAT DETECT, ANALYZE, RESPOND! RSA ECAT DETECT, ANALYZE, RESPOND! Cyber Threat Landscape Attack surface (& attackers) expanding Web app Existing strategies & controls are failing Laptop EHR Firewall Attacks sophistication on the rise

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.

More information

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1 Forescout Version 1.1 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.

More information

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

10x Increase Your Team s Effectiveness by Automating the Boring Stuff SESSION ID: TTA-R02 10x Increase Your Team s Effectiveness by Automating the Boring Stuff Jonathan Trull Chief Cybersecurity Advisor Microsoft @jonathantrull Vidhi Agarwal Senior Program Manager Microsoft

More information

Novetta Cyber Analytics

Novetta Cyber Analytics Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility

More information

Security Automation & Orchestration That Won t Get You Fired. Syra Arif Advisory Security Solutions Architect November 2017

Security Automation & Orchestration That Won t Get You Fired. Syra Arif Advisory Security Solutions Architect November 2017 Security Automation & Orchestration That Won t Get You Fired Syra Arif Advisory Security Solutions Architect ServiceNow @syraarif November 2017 1 Speaker Introduction NAME: Syra Arif TITLE: Advisory Security

More information

Trend Micro and IBM Security QRadar SIEM

Trend Micro and IBM Security QRadar SIEM Trend Micro and IBM Security QRadar SIEM Ellen Knickle, PM QRadar Integrations Robert Tavares, VP IBM Strategic Partnership February 19, 2014 1 Agenda 1. Nature of the IBM Relationship with Trend Micro

More information

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX 1 INTRODUCTION The MITRE Corporation Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) Matrix provides a model

More information

Synchronized Security

Synchronized Security Synchronized Security 2 Endpoint Firewall Synchronized Security Platform and Strategy Admin Manage All Sophos Products Self Service User Customizable Alerts Partner Management of Customer Installations

More information

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview Overview Product overview Aruba s User and Entity Behavior Analytics (UEBA) solution, Aruba IntroSpect, detects attacks by spotting small changes in behavior that are often indicative of attacks that have

More information

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ Threat Containment and Operations Yong Kwang Kek, Director of Presales SE, APJ 2018-07-19 1 1 2017 Infoblox Inc. All Rights 2013 Infoblox Inc. All Reserved. Rights Reserved. Three Aspects of Security #1

More information

User and Entity Behavior Analytics

User and Entity Behavior Analytics User and Entity Behavior Analytics Shankar Subramaniam Co-Founder, Niara Senior Director of Customer Solutions, HPE Aruba Introspect shasubra@hpe.com THE SECURITY GAP SECURITY SPEND DATA BREACHES 146 days

More information

Built-in functionality of CYBERQUEST

Built-in functionality of CYBERQUEST CYBERQUEST Knows everything Built-in functionality of CYBERQUEST Summary Demonstration of CyberQuest functionality E-mail: office@nextgensoftware.solutions Content Intro... 3 Built-in functionality of CYBERQUEST...

More information

Incident Scale

Incident Scale SESSION ID: SOP-T07 Incident Response @ Scale Salah Altokhais Incident Response Consultant National Cyber Security Center (NCSC),KSA @salah.altokhais Khalid Alsuwaiyel Incident Response Specialist National

More information

Office 365 Buyers Guide: Best Practices for Securing Office 365

Office 365 Buyers Guide: Best Practices for Securing Office 365 Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.

More information

Simplify, Streamline and Empower Security with ISecOps

Simplify, Streamline and Empower Security with ISecOps Simplify, Streamline and Empower Security with ISecOps Matthew O Brien Senior Global Product Manager Cybersecurity DXC.technology 1 What is Integrated Security Operations (ISecOps)? Intelligence Driven,

More information

SIEM: Five Requirements that Solve the Bigger Business Issues

SIEM: Five Requirements that Solve the Bigger Business Issues SIEM: Five Requirements that Solve the Bigger Business Issues After more than a decade functioning in production environments, security information and event management (SIEM) solutions are now considered

More information

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches

More information

Managing an Active Incident Response Case. Paul Underwood, COO

Managing an Active Incident Response Case. Paul Underwood, COO Managing an Active Incident Response Case Paul Underwood, COO 2 About Us Paul Underwood - COO Emagined Security is a leading professional services firm for Information Security, Privacy & Compliance solutions.

More information

10 FOCUS AREAS FOR BREACH PREVENTION

10 FOCUS AREAS FOR BREACH PREVENTION 10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual

More information

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE Vectra Cognito HIGHLIGHTS Finds active attackers inside your network Automates security investigations with conclusive

More information

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1 RSA Advanced Security Operations Richard Nichols, Director EMEA 1 What is the problem we need to solve? 2 Attackers Are Outpacing Defenders..and the Gap is Widening Attacker Capabilities The defender-detection

More information

CONTROLLING YOUR OWN BATTLESPACE. From Threat Response Teams To Threat Intelligence Teams

CONTROLLING YOUR OWN BATTLESPACE. From Threat Response Teams To Threat Intelligence Teams CONTROLLING YOUR OWN BATTLESPACE From Threat Response Teams To Threat Intelligence Teams Agenda Motivations The Intelligence Process The Cyber Kill Chain Approach Indicators of Compromise Information Sharing

More information

Operationalizing the Three Principles of Advanced Threat Detection

Operationalizing the Three Principles of Advanced Threat Detection SESSION ID: SDS2-R08 Operationalizing the Three Principles of Advanced Threat Detection ZULFIKAR RAMZAN, PH.D Chief Technology Officer RSA @zulfikar_ramzan Dealing with Traffic Congestion Singapore: Major

More information

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS Surprisingly Successful: What Really Works in Cyber Defense John Pescatore, SANS 1 Largest Breach Ever 2 The Business Impact Equation All CEOs know stuff happens in business and in security The goal is

More information

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES A Guide to Making Your Security Team Successful with Automation TABLE OF CONTENTS Introduction 3 What Is Security Automation? 3 Security Automation: A Tough Nut to Crack

More information

Optimizing Security for Situational Awareness

Optimizing Security for Situational Awareness Optimizing Security for Situational Awareness BRIAN KENYON McAfee Session ID: SPO1-106 Session Classification: Intermediate p gg able=network_objects, Operation=Update,Administrator=fwadmin, Machine=cp-mgmt-

More information

CTI Capability Maturity Model Marco Lourenco

CTI Capability Maturity Model Marco Lourenco 1 CTI Capability Maturity Model Cyber Threat Intelligence Course NIS Summer School 2018, Crete October 2018 MARCO LOURENCO - ENISA Cyber Security Analyst Lead European Union Agency for Network and Information

More information

with Advanced Protection

with Advanced  Protection with Advanced Email Protection OVERVIEW Today s sophisticated threats are changing. They re multiplying. They re morphing into new variants. And they re targeting people, not just technology. As organizations

More information

Agile Security Solutions

Agile Security Solutions Agile Security Solutions Piotr Linke Security Engineer CISSP CISA CRISC CISM Open Source SNORT 2 Consider these guys All were smart. All had security. All were seriously compromised. 3 The Industrialization

More information

ADVANCED THREAT HUNTING

ADVANCED THREAT HUNTING ERADICATE CONCEALED THREATS: ADVANCED THREAT HUNTING WITH CARBON BLACK OVERVIEW OVERVIEW In a SANS survey, 56% of incident responders claim they assume their enterprise is already compromised i. By preparing

More information

How Vectra Cognito enables the implementation of an adaptive security architecture

How Vectra Cognito enables the implementation of an adaptive security architecture Compliance brief How Vectra Cognito enables the implementation of an adaptive security architecture Historically, enterprises have relied on prevention and policy-based controls for security, deploying

More information

Phishing in the Age of SaaS

Phishing in the Age of SaaS Phishing in the Age of SaaS AN ESSENTIAL GUIDE FOR BUSINESSES AND USERS The Cloud Security Platform Q3 2017 intro Phishing attacks have become the primary hacking method used against organizations. In

More information

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse. Sobering statistics The frequency and sophistication of cybersecurity attacks are getting worse. 146 >63% $500B $3.8M The median # of days that attackers reside within a victim s network before detection

More information

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux EU GENERAL DATA PROTECTION: TIME TO ACT Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux Is this the WAY you handle GDPR today 2 3 area s to consider

More information

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN Perimeter Defenses Enterprises need to take their security strategy beyond stacking up layers of perimeter defenses to building up predictive

More information

Security Automation Best Practices

Security Automation Best Practices WHITEPAPER Security Automation Best Practices A guide to making your security team successful with automation TABLE OF CONTENTS Introduction 3 What Is Security Automation? 3 Security Automation: A Tough

More information

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar Response Automation SOCAutomation is an information security automation and orchestration platform that transforms incident response.

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

Securing the Modern Data Center with Trend Micro Deep Security

Securing the Modern Data Center with Trend Micro Deep Security Advania Fall Conference Securing the Modern Data Center with Trend Micro Deep Security Okan Kalak, Senior Sales Engineer okan@trendmicro.no Infrastructure change Containers 1011 0100 0010 Serverless Public

More information

Automated Security for the Real-time Enterprise with VMware NSX and Trend Micro Deep Security Chris Van Den Abbeele, Global Solution Architect, Trend

Automated Security for the Real-time Enterprise with VMware NSX and Trend Micro Deep Security Chris Van Den Abbeele, Global Solution Architect, Trend SAI3314BES Automated Security for the Real-time Enterprise with VMware NSX and Trend Micro Deep Security Chris Van Den Abbeele, Global Solution Architect, Trend Micro #VMworld #SAI3314BES Automated Security

More information

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE SESSION ID: SPO2-W12 A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE Frank Bunton VP, CISO MedImpact Healthcare Systems, Security @frankbunton Larry Biggs Security Engineer III - Threat

More information

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO INFORMATION SECURITY PAINS CISO RESPONSIBILITY WITHOUT AUTHORITY INVENTORY TO MANAGE ALERTS WITHOUT MEANING ASSETS SPREAD ACROSS

More information

Imperva CounterBreach

Imperva CounterBreach Imperva CounterBreach DATASHEET Protect Your Data from Insider Threats The greatest threat to enterprise security is the people already on the payroll. To do their jobs, employees, contractors, consultants

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1 CISCO BORDERLESS NETWORKS 2009 Cisco Systems, Inc. All rights reserved. 1 Creating New Business Models The Key Change: Putting the Interaction Where the Customer Is Customer Experience/ Innovation Productivity/

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information

More information

Symantec Advanced Threat Protection: Endpoint

Symantec Advanced Threat Protection: Endpoint Symantec Advanced Threat Protection: Endpoint Data Sheet: Advanced Threat Protection The Problem Virtually all of today's advanced persistent threats leverage endpoint systems in order to infiltrate their

More information

TestBraindump. Latest test braindump, braindump actual test

TestBraindump.   Latest test braindump, braindump actual test TestBraindump http://www.testbraindump.com Latest test braindump, braindump actual test Exam : CS0-001 Title : CompTIA Cybersecurity Analyst (CySA+) Exam Vendor : CompTIA Version : DEMO Get Latest & Valid

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

Continuous Data Analysis

Continuous Data Analysis Continuous Data Analysis Translating Data into Knowledge With AI 19.June 2018 meno@geminidata.com Market Outlook Big Data and Analytics are a huge priority for the enterprise but existing solutions don

More information

Copyright 2011 Trend Micro Inc.

Copyright 2011 Trend Micro Inc. Copyright 2011 Trend Micro Inc. 2008Q1 2008Q2 2008Q3 2008Q4 2009Q1 2009Q2 2009Q3 2009Q4 2010Q1 2010Q2 2010Q3 2010Q4 2011Q1 2011Q2 2011Q3 2011Q4 M'JPY Cloud Security revenue Q to Q Growth DeepSecurity/Hosted/CPVM/IDF

More information

Post-Exploitation Hunting with ATT&CK & Elastic

Post-Exploitation Hunting with ATT&CK & Elastic Post-Exploitation Hunting with ATT&CK & Elastic John Hubbard @SecHubb SOC Lead at GlaxoSmithKline SANS Author & Instructor SEC455: SIEM Design & Implementation SEC511: Continuous Monitoring & Security

More information

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM Modern threats demand analytics-driven security and continuous monitoring Legacy SIEMs are Stuck in the Past Finding a mechanism to collect, store

More information

Hunting Threats In your Enterprise

Hunting Threats In your Enterprise Hunting Threats In your Enterprise ü Who am I? ü Abdulrahman Al-Nimari ü 25 Years IT & Infosec Experience ü Lead Enterprise Security Architect ü Mantech International Corporation, Riyadh, KSA ü CISSP,

More information

The Cognito automated threat detection and response platform

The Cognito automated threat detection and response platform Overview The Cognito automated threat detection and response platform HIGHLIGHTS Finds active cyberattackers inside cloud, data center and enterprise environments Automates security investigations with

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

Maximum Security with Minimum Impact : Going Beyond Next Gen

Maximum Security with Minimum Impact : Going Beyond Next Gen SESSION ID: SP03-W10 Maximum Security with Minimum Impact : Going Beyond Next Gen Wendy Moore Director, User Protection Trend Micro @WMBOTT Hyper-competitive Cloud Rapid adoption Social Global Mobile IoT

More information

Symantec Ransomware Protection

Symantec Ransomware Protection Symantec Ransomware Protection Protection Against Ransomware Defense in depth across all control points is required to stop ransomware @ Email Symantec Email Security.cloud, Symantec Messaging Gateway

More information

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Pass4suresVCE.   Pass4sures exam vce dumps for guaranteed success with high scores Pass4suresVCE http://www.pass4suresvce.com Pass4sures exam vce dumps for guaranteed success with high scores Exam : CS0-001 Title : CompTIA Cybersecurity Analyst (CySA+) Exam Vendor : CompTIA Version :

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

DomainTools for Splunk

DomainTools for Splunk DomainTools for Splunk Installation Guide version 2.0 January 2018 Solution Overview The DomainTools Technology Add-On (TA) for Splunk populates a whois index with DomainTools Whois and Risk Score data

More information

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale WHITE PAPER Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale One key number that is generally

More information