Qualys Indication of Compromise

Similar documents
First Look Showcase. Expanding our prevention, detection and response solutions. Sumedh Thakar Chief Product Officer, Qualys, Inc.

First Look Showcase. Expanding our prevention, detection and response solutions. Marco Rottigni Chief Technical Security Officer, Qualys, Inc.

Symantec Ransomware Protection

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Carbon Black PCI Compliance Mapping Checklist

Qualys Cloud Platform

SOLUTION BRIEF. RiskSense Platform. RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk.

CyberArk Privileged Threat Analytics

Incident Response Agility: Leverage the Past and Present into the Future

Speed Up Incident Response with Actionable Forensic Analytics

NIST Special Publication

<Partner Name> <Partner Product> RSA Ready Implementation Guide for. Rapid 7 Nexpose Enterprise 6.1

100% Endpoint Protection dank Machine Learning, EDR & Deception?

Security. Made Smarter.

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017

Integrated, Intelligence driven Cyber Threat Hunting

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response

Real-Time Vulnerability Management Operationalizing the VM process from detection to remediation

Designing and Building a Cybersecurity Program

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Managed Endpoint Defense

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 05/24/2017

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Qualys Cloud Platform

THE ACCENTURE CYBER DEFENSE SOLUTION

Reducing the Cost of Incident Response

An All-Source Approach to Threat Intelligence Using Recorded Future

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

10 FOCUS AREAS FOR BREACH PREVENTION

Cyber Threat Intelligence Debbie Janeczek May 24, 2017

esendpoint Next-gen endpoint threat detection and response

Best Practices for Scoping Infections and Disrupting Breaches

From Managed Security Services to the next evolution of CyberSoc Services

Why Are We Still Being Breached?

RSA INCIDENT RESPONSE SERVICES

Automating Security Practices for the DevOps Revolution

Aligning with the Critical Security Controls to Achieve Quick Security Wins

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

RSA NetWitness Suite Respond in Minutes, Not Months

Regaining Our Lost Visibility

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

RSA Security Analytics

Threat Centric Vulnerability Management

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Moving Beyond Prevention: Proactive Security with Integrity Monitoring

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

Cognito Detect is the most powerful way to find and stop cyberattackers in real time

Privileged Account Security: A Balanced Approach to Securing Unix Environments

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

RSA INCIDENT RESPONSE SERVICES

Advanced Malware Protection: A Buyer s Guide

Everything visible. Everything secure.

Security Operations 2018: What is Working? What is Not.

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

SentinelOne Technical Brief

Building an Effective Threat Intelligence Capability. Haider Pasha, CISSP, C EH Director, Security Strategy Emerging Markets Office of the CTO

Symantec Security Monitoring Services

McAfee Advanced Threat Defense

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

BUILT TO STOP BREACHES. Cloud-Delivered Endpoint Protection

CyberSecurity Situational Awareness Monitoring & Reporting Platform Pharos. Cyber Security Showcase Wednesday, 29 February 2012 Brussels, Belgium

Datacenter Security: Protection Beyond OS LifeCycle

The Cognito automated threat detection and response platform

Think Like an Attacker

RSA IT Security Risk Management

Building a Threat-Based Cyber Team

Let s Talk About Threat Intelligence

Combating APTs with the Custom Defense Solution. Hans Liljedahl Peter Szendröi

Un SOC avanzato per una efficace risposta al cybercrime

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Behavioral Analytics A Closer Look

DOWNLOAD OR READ : THREAT AND VULNERABILITY MANAGEMENT COMPLETE SELF ASSESSMENT GUIDE PDF EBOOK EPUB MOBI

CloudSOC and Security.cloud for Microsoft Office 365

Qualys Cloud Suite 2.30

Vulnerability Management

Stopping Advanced Persistent Threats In Cloud and DataCenters

Qualys Cloud Platform

ForeScout Extended Module for Qualys VM

Qualys 8.7 Release Notes

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

The Rise of the Purple Team

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Securing the Modern Data Center with Trend Micro Deep Security

BUILDING AND MAINTAINING SOC

Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

WHITEPAPER. Hunt Like a Pro: A Threat Hunting Guide for Cb Response

Infrastructure Blind Spots Continue to Fuel Personal Data Breaches. Sanjay Raja Lumeta Corporation Lumeta Corporation

ForeScout Extended Module for Splunk

Cisco Advanced Malware Protection for Endpoints

ForeScout Extended Module for Carbon Black

Transcription:

18 QUALYS SECURITY CONFERENCE 2018 Qualys Indication of Compromise Bringing IOC to the Next Level Chris Carlson VP, Product Management, Qualys, Inc.

Adversary TTPs are Changing Early 2010s Zero-day Vulnerabilities (Nation State, Industrial Espionage, Black Market) Today Rapidly weaponizing newly-disclosed vulnerabilities (Good, Fast, Cheap Pick 3) 2

Known Critical Vulnerabilities are Increasing 6-7K vulnerabilities are disclosed each year* 30-40% are ranked as High or Critical severity Mean Time to Weaponize (MTTW) is rapidly decreasing y/y 3

Announcing: CVE-2018-12238 Multiple Symantec Products CVE-2018-12238 Local Security Bypass Vulnerability Bugtraq ID: 105917 CVE: CVE-2018-12238 Remote: No Local: Yes Published: Nov 28 2018 12:00AM Credit: Qualys Malware Research Lab Vulnerable: Symantec Norton AntiVirus 22.7 Symantec Norton AntiVirus 21.0 Symantec Norton AntiVirus 17.6.0.32 Symantec Endpoint Protection Cloud 12.1.6 Symantec Endpoint Protection Cloud 14 Symantec Endpoint Protection 12.1.6 MP4 Symantec Endpoint Protection 12.1.6 + 95 other products QID 371337 QID 371338 4

Vulnerability Management Lifecycle Asset Inventory Vulnerability Management Patch Management Threat Risk and Prioritization 5

Get Proactive Reduce the Attack Surface Immediately Identify Vulnerabilities in Production Notify IT Asset Owner to Patch/Stop the Instance Control Network Access / Cloud Security Groups Change Configuration to Limit Access (Compliance) Add Detection and Response Endpoint & Network 6

Proactively Hunt, Detect, and Respond Indication of Compromise Detect IOCs, IOAs, and verify Threat Intel Passive Network Sensor What new devices are on the network? Are there new/ different traffic patterns? 7

Organizations Struggle to Answer Basic Questions Are these hashes on/running in my network? Are these mutexes / processes / registry keys? Did any endpoints connect to these IPs / Domains? Are there any connections to TOR exit nodes? What system is the first impacted? Patient Zero Did this spread to others systems? When? 8

Qualys IOC Use Cases Visibility Beyond AV Threat Intel Verification Threat Intel Feeds / Mandated to Verify Is this hash, registry, process, mutex on my network? Look Back Investigation after a known breach Go back over months of stored events and find the first occurrence of a breach API Integration SIEM Hunting / Find Suspicious Activity Indicator of Activity hunting with pre-built and user-defined queries for Fileless attacks Detect Known/Unknown Malware Family Variants Using Qualys Malware Labs behavior models and Threat Feeds (OEM, customer)

Threat Intel Verification 2 Search for the file hash here 1 Threat Intelligence lists attack information 3 Find the object there.

Malware Hides with Stolen Code-Signing Certificates https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/

IOC 2.0 Release (Dec 2018) Responses - Alerting and Actions Send alerts via Email, Slack, PagerDuty for any Hunting (QQL) searches UI Updates Event Relationship Tree / Trending Widgets / Event Group By Asset Threat Feed (find malware that legacy AV may have missed) Known Bad 1B hashes CVE-to-Malware hashes (shared with Threat Protection) New Scoring Model Prioritization for Investigation and Response (confirmed vs. suspicious) Integration with Alerting / Actions IOC API Integrate with any 3 rd party SIEM / TIP Splunk TA + Dashboards Jan 2019

New IOC CVE - File Reputation Threat Feed VM IOC Find Vulnerabilities Verify that vulnerabilities have been remediated 13 TP Real-Time Indicators for which vulnerabilities have known / POC exploits Prioritize vulnerability remediation on likelihood of attack Threat Feed of malware hashes used in real-world vulnerability exploits Prioritize vulnerability remediation based on successful attacks in your network

DEMO IOC Indication of Compromise Threat Intel Verification Hunting Alerting Create Emergency Patch Job from CVE Exploitation 18fc1b9b29a2d281ec9310f9f226ad77e3cb9c558f696c37390bbac72baa8ba8 168.63.129.16

18 QUALYS SECURITY CONFERENCE 2018 Thank You Chris Carlson ccarlson@qualys.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback