Speed Up Incident Response with Actionable Forensic Analytics

Transcription

1 WHITEPAPER DATA SHEET Speed Up Incident Response with Actionable Forensic Analytics Close the Gap between Threat Detection and Effective Response with Continuous Monitoring January 15, 2015

2 Table of Contents Introduction 3 Current Threat Landscape 3 How Typical IT/Security Processes Inhibit Effective Incident Response 4 Typical IT/Security Processes 4 Common Challenges 4 Challenges Specific to Forensic Analytics and Incident Response 5 Actionable Forensic Analytics 5 Flexible Incident Response 5 Tenable Continuous Monitoring Platform 6 Benefits of the Tenable Continuous Monitoring Platform 7 Actionable Forensic Analytics 7 Speeds-up Incident Response 7 Use-Cases 7 Forensic Analysis of Suspicious Activity 7 Incident Response Options 8 Conclusion 9 About Tenable Network Security 9 2

3 Introduction Cyber criminals are using advanced targeted attacks and modern malware to bypass traditional security controls and easily steal credit card data, sensitive corporate information, and national secrets. According to the 2014 Ponemon Report 1, the average total organizational cost of a data breach for companies participating in the survey worldwide increased by 15% over the previous year to $3.5 Million. The average cost paid for each stolen record containing sensitive data increased more than 9% from $136 in 2013 to $145 this year. In part, these costs are due to delays in breach detection, which can often take weeks to months after the initial compromise. Delays occur because security teams do not have actionable forensic data to pinpoint compromised hosts or identify sensitive data that has been stolen. Tenable provides a comprehensive continuous network monitoring solution that enables you to rapidly respond to security incidents, by providing actionable forensic data that can help detect incidents more accurately. In this paper, we will explore the forensic analytics and incident response capabilities of Tenable SecurityCenter Continuous View (SC CV), a network security platform that identifies vulnerabilities and threats, reduces risk, and ensures compliance. Topics covered will include: Recognizing how organizational silos and inefficient process inhibit the effectiveness of IT and Security Operations. Gathering actionable forensic analytics data is needed to identify advanced attacks both at the network and host levels. Responding to security incidents requires flexible techniques that leverage both workflows and automation. Current Threat Landscape Fig. 1: Verizon 2014 DBIR Report -Top 10 types of security incidents that resulted in breaches The Verizon 2014 Data Breach Investigation Report (DBIR) 2 covers breaches affecting organizations in 95 countries in The top 10 categories of security incidents (as shown in Fig. 1) totaled up to approximately 63,000 incidents, out of which 1,367 (2%) resulted in breaches (data disclosure). However, the same four categories of attacks - POS intrusions, web app attacks, cyber espionage, and card skimmers - have contributed to the top breaches between 2011 and Only 33% of victims discover breaches internally according to Mandiant s 2014 M Trends Threat Report 3. Furthermore, in 67% of the cases, victims were notified by external entities after it was already too late to save the reputation of the company. Security breaches can have a devastating impact on any company. For example, in the Target breach alone, 40 million credit/debit card data records and 70 million total data records were stolen in the month of November The attack vector used in Target was a known exploit that had impacted other retail chains. This scenario is all too common. Therefore, to protect against advanced attacks and security breaches, a company s IT security strategy should include: Continuous network monitoring for known vulnerabilities and threats. Correlating anomalous activity at the network and host levels to detect the unknown threats Cost of Data Breach Study: Global Analysis, Ponemon Institute, May Data Breach Investigations Report, Verizon, April Threat Report M Trends Beyond the Breach, Mandiant a FireEye Company, April

4 How Typical IT/Security Processes Inhibit Effective Incident Response Typical IT/Security Processes Fig. 2: Typical IT/Security Operations Processes Typical IT/Security processes (as illustrated in Fig. 2) encompass the following four phases: 1. Prevent: Identify all vulnerabilities in all known/managed assets in your enterprise. Automatically classify them into asset groups based on OS and applications/services running on them. Perform configuration audits and patch them to prevent bad configurations and known vulnerabilities. This enables you to reduce attack surface and prevent known attacks. 2. Detect: Discover unknown/unmanaged assets on your network, including mobile devices, virtual machines and cloud services. Automatically identify operating system and application services that have exploitable vulnerabilities. Detect known threats based on threat intelligence from intrusion detection/prevention devices on your network. 3. Analyze: Correlate anomalous activity with real-time threats (events) and monitor for changes to systems/endpoints to see if they match known indicators of compromise. Collect accurate forensic data and present this in a consumable way. Sophisticated analytics are required to tie together the asset and vulnerability data from across assessment scan, networks sniffed, and log data and produce actionable reports. 4. Respond: Use forensic data to generate alert notifications to take prioritized manual (workflow-based) actions or automated (API-based) actions to prevent threats from resulting in security breaches. Forensic Analytics and Incident Response corresponds to the Analyze and Respond phases (bottom-half) of the IT/Security process. Common Challenges Common challenges encountered by organizations implementing this model include: Organizational Silos: Desktop administration, network, and security operations in medium to large companies are typically managed by three different organizations IT Helpdesk, Network Operations Center (NOC), and Security Operations Center (SOC), who use different tools that do not communicate well with each other. Unmanaged Assets: All assets on the network are not discovered or known to IT, and hence they are not monitored or managed, especially mobile phones, tablets, and virtual environments (e.g., VMware instances), which may have vulnerabilities that can be easily exploited. Unknown Applications/Services: Many unmanaged assets are not hardened or patched to eliminate known vulnerabilities, such as Heartbleed. These assets could be used as launch pads for malware to penetrate the enterprise. Lack of Network Visibility: Any anomalous network traffic to botnets and Command and Control (CnC) servers can go undetected if there are no network monitoring tools with application level (layer 7) visibility looking for traffic to known suspicious destinations. Un-prioritized Vulnerabilities: Vulnerabilities are not prioritized by Common Vulnerability Scoring System (CVSS) scores, asset criticality, or users/ roles. IT will be unable to quantify business risk without such prioritization. 4

5 Challenges Specific to Forensic Analytics and Incident Response No Actionable Forensic Data: Security and network operations staff are inundated with security events for which they do not have the right actionable data. This includes indicators of compromise for advanced attacks that go undetected by traditional defenses. Inflexible Incident Response: Security and network operations staff have limited ways in responding to incidents, e.g., generating notifications and reports, initiating manual work flows, or spawning automated actions. Having the flexibility to associate different types of response actions with alerts enables IT/Security Operations to speed up incident response and reduce business risk. Actionable Forensic Analytics The typical requirements for actionable forensic analytics include the following capabilities: Network Forensics: Logs of all network traffic, which includes packet capture or meta-data captures from network sensors, application flow data from switches and routers, and application logs from network proxies. This data is useful for identifying suspicious traffic that can be attributed to botnets or CnCs to or from bad sites without deploying any agents on endpoints. Host Forensics: Monitoring hosts and endpoints for file integrity, system configurations, processes, DNS queries, and network connections. This typically requires credential-based scanning of endpoints, or agents running on endpoints to gain evidence (using tell-tale signs of indicators of compromise). Log Correlation: Encompasses behavioral and statistical analysis to determine anomalies in network and host forensic data. Infuses contextual information about asset location and user identity, and also filters logs using blacklists from external threat intelligence sources. These correlation features are vital for zeroing-in on security incidents that need immediate attention. Actionable forensic data should include monitoring for: Network meta-data: Source and target of attack: IP address, host name, port/protocol associated with botnets or CnC traffic URL/domain name of server hosting malware Sender/recipient address of phishing attack Host Indicators of Compromise: IP address or hostnames of compromised endpoints Hashes of malware files/binaries System configurations or auto-runs that should be checked for integrity OS registry changes and processes associated with malware Flexible Incident Response Any solution that identifies security incidents should further enable you to respond to them with the following types of configurable response actions, based on the simplicity or complexity of the problem identified. Notifications/ Send notifications via the console or by , and include the recommended action. Dashboards/Reports: Automatically update a dashboard or generate a report with the current state of incidents in progress, assigned to appropriate personnel. Work Flows: Trigger trouble tickets with workflows assigned to the person responsible for follow through. Especially useful for the most complex and the least understood incidents. Automated Actions: Automatically invoke scripts or application programmatic interfaces (APIs), which perform specific actions such as adding a URL to the blacklist of a web gateway or update an ACL on a firewall to automatically block CnC servers. Automated actions are most applicable for frequently occurring incidents that are well understood. 5

6 Tenable Continuous Monitoring Platform Fig. 3: The Tenable Platform Continuous Monitoring of Vulnerabilities, Threats, and Compliance Tenable SecurityCenter Continuous View breaks down silos between IT, network, and security operations, and delivers actionable forensic data, asset information, and vulnerability context, to speed up incident response. The SecurityCenter Continuous View platform (depicted in Fig. 3) includes the following Tenable products and components: Nessus : is the industry s most widely-deployed vulnerability, configuration, and compliance scanner. Nessus features high-speed discovery, configuration auditing, asset profiling, malware detection, sensitive data discovery, patch management integration, and vulnerability analysis. Nessus Manager provides a scalable on premise solution to manage multiple Nessus scanners. The SaaS version, Nessus Cloud adds external perimeter scanning and PCI ASV scan validation. Passive Vulnerability Scanner (PVS): is a non-intrusive network monitoring tool that discovers all devices, applications, services, and their relationships currently active on your network. It automatically pinpoints potential security risks posed by vulnerable assets and new or unknown rogue systems, including SaaS and IaaS services being accessed by users. Log Correlation Engine (LCE): collects and correlates logs from Nessus, PVS, and external sources on the network including firewalls, switches, routers, endpoints, and servers. It can also generate alerts when malware matching indicators of compromise from external threat intelligence sources (e.g., Reversing Labs and IID) are encountered. All log data is compressed and stored in an indexed file system and can be rapidly searched using keywords. SecurityCenter Continuous View (SC CV): enables continuous monitoring of vulnerabilities, threats, and compliance violations discovered by Nessus, PVS, and LCE. It provides one management console with configurable dashboards, reports, and notifications to provide a comprehensive visualization (as shown in Fig. 4 below) of a company s vulnerabilities, threats, and compliance posture. Fig. 4: SecurityCenter Executive Summary Dashboard 6

7 Benefits of the Tenable Continuous Monitoring Platform Tenable s Security Center Continuous View breaks down silos between IT, network, and security Operations and enable you to gather actionable forensic data, information about assets, and vulnerability context to speed up incident response efforts. Actionable Forensic Analytics Automatically discovers and tags 100% of assets physical, virtual, mobile, and cloud Performs audits to discover known vulnerabilities based on security policies Discovers advanced threats by scanning for indicators of compromise Continuously monitors network traffic to detect hidden attack paths and suspicious activity Speeds-up Incident Response Provides asset and vulnerability context for every incident detected Identifies residual risk with correlated vulnerability and threat data Automatically generates alerts with configurable response options manual and automated Provides actionable information in customizable dashboards and reports Use-Cases The following use cases illustrate how Tenable SecurityCenter Continuous View (SC CV) gathers accurate forensic data to detect advanced attacks and set up flexible responses to prevent security incidents and breaches. Forensic Analysis of Suspicious Activity SecurityCenter Continuous View, which includes SecurityCenter, Nessus, PVS, and LCE, can be used to track both inbound and outbound suspicious network traffic to zero in on advanced attacks. Inbound: Detect downloads of malware from an external web server and validate if an endpoint was truly compromised. Tenable PVS can be used to capture all inbound network traffic, and LCE can be used create a watchlist of internal assets that exhibit suspicious file/exe downloads from known botnets and websites, as shown in Fig. 5 below: Fig. 5: Indicators dashboard to track inbound/outbound suspicious activity Tenable Nessus can be used to scan a watchlist of assets to look for advanced malware using known Indicators of Compromise (IoC). If IoCs are found on an endpoint (as shown in Fig. 6 below), then the endpoint is confirmed to be compromised. 7

8 Fig. 6: Indicators of Compromise (IoC) found on a compromised endpoint Outbound: Detect an internal host already compromised trying to beacon out to botnet/cnc server. PVS can be used to capture an anomalous set of failed DNS queries to a known CnC server, which indicates a compromised host that is trying to beacon out to potentially exfiltrate information. Fig. 7 below depicts how such anomalies can be identified in PVS. Fig. 7: Anomalous outbound communication identified by PVS Incident Response Options SC CV allows you to set up actions for every alert. The following types of actions can be configured for each alert: Alert Sample Targeted IDS New Host Discovered Telnet Server Detected Host has a compliance failure Critical exploitable vulnerability on Windows endpoint Configurable Action NOC Launch a compliance scan Generate a report of services on host Notify compliance officer Notify appropriate systems administrator 8

9 Fig. 8 below shows a screen shot of the Alerts window with configurable options in SC CV. Fig. 8: Configurable response actions for an alert in SC CV Conclusion While enterprise IT and security teams deploy and manage an expanding array of defensive technologies, many remain challenged to detect and assess the impact of threats until long after vulnerable systems are compromised. Tenable Network Security addresses this situation with its industry-leading continuous monitoring platform - SecurityCenter Continuous View, a comprehensive solution for vulnerability, threat and compliance management. SecurityCenter Continuous View transforms organizational silos and operational processes by providing meaningful and actionable forensic analytics with which enterprises can dramatically accelerate incident response. About Tenable Network Security Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes SecurityCenter Continuous View, which provides the most comprehensive and integrated view of network health, and Nessus, the global standard in detecting and assessing network data. Tenable is relied upon by many of the world s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense. For more information, please visit tenable.com. For More Information: Please visit tenable.com Contact Us: Please us at sales@tenable.com or visit tenable.com/contact Copyright Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. EN-JAN V4 9