Infrastructure Blind Spots Continue to Fuel Personal Data Breaches
Sanjay Raja, Lumeta Corporation
Why Is Real-Time Network & Cloud Situational Awareness Critical?
Today's business drivers enable a greater attack surface:
- Data-center migration to cloud offers less visibility (Shadow IT)
- Risk from acquisitions, suppliers & partners
On average, over 40% of dynamic networks, endpoints and cloud infrastructure are unknown, unmanaged, rogue and/or Shadow IT, leading to significant infrastructure blind spots and a lack of real-time awareness.
- > 30% of network endpoints are IoT (no security agents)
- Vulnerable IP-enabled critical infrastructure
The Rise and Impact of Ransomware
(Figure: Impact of Ransomware / WannaCry. Panels: WannaCry; Consumers; Local and State Governments; Company Executives. Company executives met demands 70% of the time; 50% paid over $10K and 20% over $40K. Source: Symantec Internet Security Threat Report (ISTR), July 2017)
Leak-paths are Common to Most Attacks
The key consistent metric associated with all external attacks is the presence of a leak-path:
- Firewall/router misconfiguration
- Unmanaged network devices
- Shadow IT
- Malicious intent (route hijacking)
Leak-path impact on the enterprise:
- Ransomware attacks utilize leak-paths for payload download, encryption key exchange and tracking ransomware proliferation
- Nation-state attacks result in classified data theft and system disruptions
- IoT/ICS attacks disrupt critical infrastructure operations and cause manufacturing downtime
Next Wave of Concerns: Cloud & Container Security
- The public cloud provider (think AWS, Azure, Google, etc.) is responsible for security OF the cloud
- The enterprise (you) is responsible for security IN the cloud
And what is the impact of this on the rest of your enterprise?
Enterprise considerations of public cloud security should focus on:
- Misconfiguration
- Vulnerabilities
- Shadow IT
Unknown, Unmanaged, Rogue & Shadow IT Infrastructure Limit the Effectiveness of Cyber Security Tools/Processes
Lumeta Research Across Verticals:

                                   Gov't    Healthcare    Hi-Tech     Finance
Presumed Endpoints               150,000        60,000      8,000     600,000
Discovered Endpoints             170,000        89,860     14,000   1,200,000
Endpoint Visibility Gap              12%           33%        43%         50%
Unmanaged Networks                 3,278            24          5         771
Known but Unreachable Networks    33,256             4     16,828          45

Is your endpoint (EDR), NGAV and VA software protecting all of these? Are these all patched?
Does NAC, flow collection, or PCAP-based DPI know all of these? If Lumeta can't reach these, can VA, IPAM, DPI, patch or other cyber tools?

Abbreviations:
- DPI: Deep Packet Inspection
- EDR: Endpoint Detection and Response
- Flow: NetFlow, sFlow, IPFIX
- NAC: Network Admission Control
- PCAP: Packet Capture
- VA: Vulnerability Assessment
- NGAV: Next Generation Anti-Virus
- IPAM: IP Address Management
Early Indicators of Compromise Require Hunting for C2, TOR and Threat-Flows in Cloud
- Need to immediately inform the SOC of new and unexpected virtual machine hosts spun up, within minutes
- Combining a complete real-time view of the network and endpoints, the latest threat intelligence and flow data can unearth suspicious activity
- In addition, it is critical to identify:
  - Connections from cloud VMs to TOR
  - Connections from cloud VMs to botnets
(Diagram: Amazon Web Services, Flow Generator, Lumeta Host Discovery, Threat Intelligence)
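The hunt this slide describes, correlating cloud flow data with threat intelligence to surface VM-to-TOR and VM-to-botnet connections, as an added example that is not Lumeta's code. It assumes the default AWS VPC flow log field layout; the flow records, the intel list (TEST-NET addresses, not real indicators) and the VPC range are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the default AWS VPC flow log layout (assumption: default format):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 49152 443 6 20 4000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 49153 9001 6 12 1800 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c 10.0.2.40 192.0.2.99 50000 6667 6 30 6000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c 10.0.2.40 198.51.100.7 50001 9001 6 5 700 1600000000 1600000060 REJECT OK
"""
# Constructed threat-intelligence feed: documentation (TEST-NET) addresses, not real indicators
THREAT_INTEL = {
    "198.51.100.7": "tor-exit",
    "192.0.2.99": "botnet-c2",
}
# Address space of the monitored VPC (constructed)
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]


def is_internal(ip):
    """True when the address belongs to one of the monitored VPC ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPC_CIDRS)


def parse_flow_line(line):
    """Pick the fields the hunt needs out of one flow log record."""
    f = line.split()
    return {"eni": f[2], "src": f[3], "dst": f[4], "dstport": int(f[6]),
            "proto": int(f[7]), "bytes": int(f[9]), "action": f[12]}


def find_threat_flows(log_text, intel):
    """Flows from VPC hosts to intel-listed addresses, ACCEPT and REJECT alike:
    a blocked attempt to reach a C2 or TOR node still marks the source VM."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if is_internal(rec["src"]) and rec["dst"] in intel:
            rec["category"] = intel[rec["dst"]]
            hits.append(rec)
    return hits


def summarize_by_host(hits):
    """Map each flagged VPC host to the sorted threat categories it touched."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["src"]].add(h["category"])
    return {host: sorted(cats) for host, cats in per_host.items()}
```

The per-host summary is what would be handed to the SOC: a single VM touching both a TOR exit and a botnet C2 ranks above one with a lone TOR hit.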
Leak-path Vulnerabilities in Hybrid-Cloud Environments
- Policy may dictate no, or controlled, access to the Internet from within an enterprise-attached cloud
- Due to security group misconfiguration or malicious intent, an unexpected leak-path to the Internet can occur
- It is critical for customers to monitor in real time the possibility that any traffic is forwarded from VPC instances
- The leak-path needs to be reported directly to the enterprise SOC
(Diagram: Azure, Amazon Web Services, Lumeta Leak Path Discovery)
Lumeta Research Across Verticals (Gov't, Healthcare, Hi-Tech, Finance): Unauthorized or Unsecured Forwarding Devices; Leak-paths to Internet Identified on Deployment: 520 83 2026 420 3,000 120 9,400 220
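One concrete check for the forwarding-instance leak-path above, as an added example that is not Lumeta's code: an EC2 instance whose source/destination check is disabled can forward traffic for other hosts, and if its security group also allows unrestricted egress it is a candidate leak-path to the Internet. The data is constructed in the shape of the EC2 DescribeInstances and DescribeSecurityGroups responses (an assumption); route tables are not checked here, so the output is a candidate list to review, not a verified leak.

```python
# Constructed data in the shape of the EC2 DescribeInstances / DescribeSecurityGroups
# responses (an assumption; in practice feed it the real API output)
INSTANCES = [
    {"InstanceId": "i-0aaa", "PrivateIpAddress": "10.0.1.15", "SourceDestCheck": True,
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-0bbb", "PrivateIpAddress": "10.0.2.40", "SourceDestCheck": False,
     "SecurityGroups": [{"GroupId": "sg-open"}]},          # can forward, open egress
    {"InstanceId": "i-0ccc", "PrivateIpAddress": "10.0.3.5", "SourceDestCheck": False,
     "SecurityGroups": [{"GroupId": "sg-internal"}]},      # can forward, VPC-only egress
]
SECURITY_GROUPS = {
    "sg-web": {"IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-open": {"IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-internal": {"IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
}


def allows_unrestricted_egress(sg):
    """True when an egress rule permits every protocol and port to 0.0.0.0/0."""
    for rule in sg.get("IpPermissionsEgress", []):
        if rule.get("IpProtocol") != "-1":
            continue  # a single-port rule (e.g. HTTPS out) is not a general forwarding path
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
    return False


def find_leak_path_candidates(instances, sgs):
    """Instances that may both forward traffic and send anything to the Internet."""
    findings = []
    for inst in instances:
        forwarding = not inst.get("SourceDestCheck", True)   # False = can act as a router
        open_sgs = [g["GroupId"] for g in inst["SecurityGroups"]
                    if allows_unrestricted_egress(sgs[g["GroupId"]])]
        if forwarding and open_sgs:
            findings.append({"instance": inst["InstanceId"],
                             "ip": inst["PrivateIpAddress"], "open_groups": open_sgs})
    return findings
```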
In Summary, Where We Need to Go
Real-Time Network & Cloud Infrastructure Visibility and Monitoring - Together
- Eliminate Blind Spots in Network, Cloud & Endpoint
- Monitor and Analyze Network & Cloud Changes in Real-Time
- Understand Network Complexity With Richer Context
- Do I really know all my in-use address space?
- Do I know the edge of my network?
- Are there any rogue devices? Forwarders? VMs? Cloud?
- What endpoints are attached?
- Are there zombie devices I've lost control over?
- Are there any threat flows occurring to known bad-actor IPs on the Internet?
- Are communications being hidden from me via encryption, including TOR traffic?
- Are there any leak-paths between enclaves or to the Internet?
- Are there any cloud assets with unmanaged connectivity or split-tunneling to the Internet?
- Am I able to validate my segmentation policies?
Real-World Use Case: A Top US Multi-National Bank Assessing Corporate and Branch Security Risk
Key Challenges:
- Confident in known devices
- Completely blind to unknown, rogue or potential Shadow IT devices or undocumented assets handling sensitive user data
- Real-time monitoring for new connections to the Internet at branches and other remote locations
Requirements by Organization:
- Actively discover, index and interrogate ALL devices on the network, including rogue systems, unknown networks and unmanaged endpoints
- Work with existing endpoint security and vulnerability analysis tools to better protect against vulnerabilities and protect all endpoints
- Apply security intelligence to real-time network context to provide real-time detection of any malicious activity
- Within minutes, identify 100% of network segmentation leak paths in real time to prevent data theft
Results:
- Found networks and connected endpoints missing from inventory lists and traditional network management
- Discovered a Shadow IT network set up in a lab, with unpatched systems that had access to the corporate network
- Generated a report on Internet connection violations that could expose the organization to security risks like ransomware, and sent it to each remote branch for compliance
What Can Lumeta Do for You?
Lumeta Spectre is the only solution that offers 100% real-time infrastructure visibility, real-time change monitoring and threat detection for preventing successful breaches.
1. Eliminate 100% of your Infrastructure Blind Spots: find, on average, 40% more IPs and even whole networks beyond any other visibility or security solution
2. See 100% of your Dynamic Network Changes: monitor for every network and endpoint add/drop or path change, especially at the edge/perimeter
3. Identify and Lock Down 100% of your Leaks: within minutes uncover unauthorized movement, segmentation violations and leak paths
4. Detect Suspicious Network Behaviors: detect unauthorized flows, encryption, zombies, C2 activity and other attack vectors common to advanced attacks
The Gaps ONLY Lumeta Can Close
Gaps in Visibility and Real-Time Changes Lead to Compromised Systems
Typical security stack for threat detection:
- Network Access Control (NAC)
- Endpoint Security/NGAV
- SIEM / Logs
- NetFlow Collector / NBAD
- Vulnerability Scanners
- Security Analytics (PCAP)
- Gaps in Network Infrastructure Visibility
- Lack of Real-Time Network Visibility for Breach Detection
- Network Complexity Hides Leaks and Other Threats from Traditional Security
Lumeta Optimizes Your Existing Security Operations
Maximize Security Stack ROI and Breach Detection and Response
Lumeta works with your currently deployed security applications, sharing real-time discoveries, network changes and anomalies to enhance your existing security investments and operations.
Typical Security Applications:
- Network Visibility/Security Analytics Platforms
- Vulnerability Assessment
- Endpoint Threat Detection and Response
- Access Policy Management
- Threat Intelligence Platforms
- SIEM
- GRC + CMDB Platforms
Thank You!