Intro to Niara. no compromise behavioral analytics. Tomas Muliuolis HPE Aruba Baltics Lead

Transcription

1 Intro to Niara no compromise behavioral analytics Tomas Muliuolis HPE Aruba Baltics Lead

2 THE SECURITY GAP SECURITY SPEND DATA BREACHES 146 days median time from compromise to discovery PREVENTION & DETECTION (US $B) # BREACHES % DISCOVERED INTERNALLY SOURCES Mandiant M-Trends 2016, Verizon Data Breach Investigations 2016, IDC

3 PROBLEM CAUSE OF THE GAP ATTACKERS ARE QUICKLY INNOVATING & ADAPTING BATTLEFIELD WITH IOT AND CLOUD, SECURITY IS BORDERLESS 3

4 PROBLEM ADDRESSING THE CAUSE ATTACKERS ARE QUICKLY INNOVATING & ADAPTING SECURITY ANALYTICS SOLUTIONS MUST BE RESPONSIVE TO CHANGES 4

5 Attacks utilizing Legitimate credentials COMPROMISED 40 million credit cards were stolen from Target s severs STOLEN CREDENTIALS MALICIOUS Edward Snowden stole more than 1.7 million classified documents INTENDED TO LEAK INFORMATION NEGLIGENT DDoS attack from 10M+ hacked home devices took down major websites ALL USED THE SAME PASSWORD 5

6 Why Niara? ClearPass Great Visibility and Context Wired and Wi-Fi Policies Real-time Network Enforcement Niara User and Entity Security Continuous Behavior Analytics Early Attack Detection 6

7 ClearPass as a Security Brand ClearPass Policy Manager ClearPass Universal Profiler Niara Pre-Authentication Post-Authentication 7

8 USER AND ENTITY BEHAVIOR ANALYTICS

9 NIARA OVERVIEW Founded 2013 Focused on solving two key problems Detecting attacks that have co-opted legitimate credentials Reducing the time and effort required to understand and respond to attacks Enabling technologies Big Data: Spark/Hadoop Artificial Intelligence: Machine Learning 9

10 AUTOMATED DETECTION OF THREATS INSIDE THE ORGANIZATION Compromised Users & Hosts Negligent Employees ATTACKS AND RISKY BEHAVIORS on the inside Malicious Insiders 10

11 THE START: USER VIEW OF EVENTS IP Address 11

12 CHARACTERIZING BEHAVIOR Time of Access Location Typical Activity Device Duration Frequency of Access 12

13 BASICS OF BEHAVIORAL ANALYTICS MACHINE LEARNING UNSUPERVISED Behavioral Analytics BASELINES HISTORICAL + PEER GROUP ABNORMAL INTERNAL RESOURCE ACCESS 13

14 BASICS OF BEHAVIORAL ANALYTICS MACHINE LEARNING UNSUPERVISED Behavioral Analytics BASELINES HISTORICAL + PEER GROUP ABNORMAL INTERNAL RESOURCE ACCESS 14

15 PEER BASELINES ACROSS MULTIPLE DIMENSIONS 15

16 MODEL CONFIDENCE AND BUSINESS IMPACT Business Impact Model Confidence 16

17 FINDING THE MALICIOUS IN THE ANOMALOUS Behavioral Analytics MACHINE LEARNING SUPERVISED THIRD PARTY ALERTS DLP Sandbox Firewalls STIX Rules Etc. 17

18 FORCE MULTIPLIER FOR SECURITY ANALYSTS Consolidated Data Access Rapid Decision-Making and Action Have I seen this before? BREAKTHROUGH ROI for Incident Investigation and Threat Hunting 18

19 ACCELERATED INVESTIGATION AND RESPONSE Behavioral Analytics 19

20 ENTITY 360 SECURITY DOSSIER 20

21 UNUSUAL INTERNAL ACTIVITY 21

22 LOG DETAILS 22

23 NETWORK CONVERSATIONS DRILL DOWN 23

24 SOLUTION AT A GLANCE IDENTITY NAC, AD, DHCP INFASTRUCTURE Logs DNS, Firewall, Proxy, VPN, , DLP Console / Workflow SaaS Box, Office360 ANALYZER ENTITY360 laas AWS, Azure ANALYTICS DATA FUSION FORENSICS BIG DATA ALERTS Endpoint, Network, STIX Spark/Hadoop 24

25 SOLUTION AT A GLANCE IDENTITY NAC, AD, DHCP INFASTRUCTURE Logs DNS, Firewall, Proxy, VPN, , DLP Console / Workflow SIEM/LOGGING SaaS Box, Office360 ANALYZER ENTITY360 laas AWS, Azure ANALYTICS DATA FUSION FORENSICS BIG DATA ALERTS Endpoint, Network, STIX Spark/Hadoop 25

26 SOLUTION AT A GLANCE IDENTITY NAC, AD, DHCP INFASTRUCTURE Logs DNS, Firewall, Proxy, VPN, , DLP Console / Workflow SIEM/LOGGING SaaS Box, Office360 laas ANALYZER ANALYTICS ENTITY360 FORENSICS PACKET BROKER NETWORK TRAFFIC PACKETS FLOWS AWS, Azure DATA FUSION BIG DATA ALERTS Endpoint, Network, STIX Spark/Hadoop 26

27 SOLUTION AT A GLANCE IDENTITY NAC, AD, DHCP INFASTRUCTURE Logs DNS, Firewall, Proxy, VPN, , DLP Console / Workflow SIEM/LOGGING SaaS Box, Office360 laas ANALYZER ANALYTICS ENTITY360 FORENSICS PACKET BROKER NETWORK TRAFFIC PACKETS FLOWS AWS, Azure DATA FUSION BIG DATA ALERTS Endpoint, Network, STIX Spark/Hadoop 27

28 Aruba ClearPass - Niara Integration Workflow Automated Network and Security Controls 1 Wired/Wireless Device Auth 3 User/Device Context Shared 2 Devices Profiled ClearPass Policy Manager

29 Aruba ClearPass - Niara Integration Workflow Automated Network and Security Controls 1 Wired/Wireless Device Auth 3 User/Device Context Shared Niara UEBA ANALYZER 4 Network and Log-based Machine Learning Packets ENTITY360 2 Devices Profiled ClearPass Policy Manager 5 Actionable Alerts Initiated ANALYTICS DATA FUSION FORENSICS BIG DATA Flows Logs Alerts Entity360 Profile with Risk Scoring

30 Aruba ClearPass - Niara Integration Workflow Automated Network and Security Controls 1 Wired/Wireless Device Auth 3 User/Device Context Shared Niara UEBA ANALYZER 4 Network and Log-based Machine Learning Packets ENTITY360 2 Devices Profiled ClearPass Policy Manager 5 Actionable Alerts Initiated ANALYTICS DATA FUSION FORENSICS BIG DATA Flows 6 ClearPass Performs Real-time Policy-based Actions Logs Real-time quarantine, re-authentication Bandwidth Control Blacklist Role-change Entity360 Profile with Risk Scoring Alerts

31 UEBA INCIDENT RESPONSE ROI 31

32 THANK YOU!