Visibility: The Foundation of your Cybersecurity Infrastructure
Marlin McFate, Federal CTO, Riverbed
Detection is Only One Part of the Story
Planning and remediation are just as critical.
[Bar chart: "Hackers Went Undetected for Months"; y-axis in months (0 to 20); companies shown: Target, JPMorgan, Neiman Marcus, Home Depot, Michaels, Goodwill; bar values: 18, 8, 5, 5, 2 and 0.5 months (the extraction does not preserve which bar belongs to which company)]
146 days: average duration it takes to discover attackers are present on a network
2018 Riverbed Technology, Inc. All rights reserved.
59% of organizations are notified about their breach by an external entity.
In just one industry/vertical:
- 72 total breaches reported (2016), over 56 million records exposed
- 205 days on average that threats were present before detection
- Estimated loss for those 72 breaches was over $8.85 billion
What could you do with $8,850,000,000.00?
In 2017:
- It grew to 191 days on average that threats were present before detection
- 1339 identity theft breaches, over 174 million records exposed
- Estimated 2017 loss for identity record breaches cost ~$24.6 billion
$33,440,756,448.00
"...network security forensics is an important technology. Without a proper post-breach forensic investigation, the ability to remediate damages from the current threat, as well as the ability to properly mitigate future threats, remains very much in doubt."
Russia's 5th-Dimension Cyber Army, Hezbollah, China
This is Cyber Warfare!
10 2017 Riverbed Technology. All rights reserved. @Riverbed
Riverbed provides visibility on the cyber battlefield like a drone or satellite provides generals with real-time physical battlefield info.
Attack Continuum
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Understand the Surface Area
Total Enterprise Visibility Is Critical
Attacks can come from anywhere, anytime, anyone.
Visibility is the glue that empowers both the business and the IT teams with the insight they need to make effective resourcing decisions and to resolve problems faster.
If you can't see it, you can't protect it!
Servers, Services, Ports, Applications, Protocols, End-Users, Network Behavior, Operating Systems
Visibility Driving Security Value
Once you know what you have, you can properly secure it.
Identify Everything:
- All the moving parts of an application (what is in scope)
- All hosts/paths/ports/protocols that need to be monitored
- Paths of attack that may have gone overlooked
- Clear-text protocols that may be a means of eavesdropping
- Unrelated systems that need to be treated at the same trust level due to proximity
Visibility Driving Security Value
Identify Lateral Movement & Network Behavior Anomaly Detection
- Track lateral movement, governance violations and other challenges such as P2P, tunneling, and SPAM activity
- Analysis of network behavior can identify suspect activity including: scans, suspicious connections, new hosts, worms, and more
Assess Application Usage and Combat Shadow IT
1. Discover every local, cloud, and mobile application, to combat Shadow IT
2. Immediately assess the breadth and surface area of Shadow IT
3. Consider mainstreaming popular Shadow IT apps
Configuration, Network, and Service Hardening
Hackers are Always Looking for the Weak Link to Gain Entry
What are your weak links? Where are they?
Before: Harden
Infrastructure patching and configuration
NPCM Security Workflow: Potential Exposures, Validations, Metrics
- Checks all collected network devices for known OS vulnerabilities
- Check for any instance of an OS vulnerability (e.g. Advisory ID: cisco-sa-20140924-nat)
- Metrics: 440 OS vulnerabilities; 30% of devices with vulnerabilities; 25 vulnerabilities remediated
Rules Engine:
- Edge routers block incoming ICMP, telnet, FTP sessions
- No redundant ACL statements
- No overlapping NAT translation addresses
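The three Rules Engine statements above are the kind of check a configuration-audit tool evaluates mechanically. The following is an added example, not NPCM's own code or rule syntax: it parses a constructed, simplified Cisco-like ACL (CIDR networks instead of wildcard masks, `eq <port>` for destination ports) and three NAT pools, then reports unblocked inbound ICMP/telnet/FTP, ACL entries shadowed by an earlier entry, and NAT pools whose address ranges overlap. The config grammar, addresses and pool names are assumptions made for the example.

```python
"""Added example (not NPCM's code): hardening checks for the three Rules
Engine statements on the slide, over a constructed simplified config."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" (any protocol), "tcp", "udp", "icmp"
    src: str             # "any" or a CIDR network (assumed grammar)
    dst: str
    port: Optional[int]  # destination port; None means all ports


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'access-list 100 deny tcp any any eq 23'."""
    t = line.split()
    port = int(t[7]) if len(t) > 7 and t[6] == "eq" else None
    return Ace(t[2], t[3], t[4], t[5], port)


def _covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def _overlap(x: str, y: str) -> bool:
    return "any" in (x, y) or ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet matching b is already matched by a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.port is None or a.port == b.port)
            and _covers(a.src, b.src) and _covers(a.dst, b.dst))


def overlaps(a: Ace, b: Ace) -> bool:
    """True if some packet could match both a and b."""
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto)
            and (a.port is None or b.port is None or a.port == b.port)
            and _overlap(a.src, b.src) and _overlap(a.dst, b.dst))


def redundant_aces(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs fully shadowed by an earlier ACE (never reachable)."""
    return [i for i, b in enumerate(acl) if any(covers(a, b) for a in acl[:i])]


def blocks_inbound(acl: List[Ace], proto: str, port: Optional[int]) -> bool:
    """True if no permit ACE can pass inbound proto/port traffic before a
    blanket deny does (Cisco ACLs end with an implicit deny)."""
    probe = Ace("deny", proto, "any", "any", port)
    for ace in acl:
        if ace.action == "deny" and covers(ace, probe):
            return True
        if ace.action == "permit" and overlaps(ace, probe):
            return False
    return True


def overlapping_nat_pools(pools: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of NAT pools whose (start, end) address ranges intersect."""
    rng = {n: (int(ipaddress.ip_address(s)), int(ipaddress.ip_address(e)))
           for n, (s, e) in pools.items()}
    names = sorted(rng)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if rng[x][0] <= rng[y][1] and rng[y][0] <= rng[x][1]]


# Constructed edge-router config: one inbound ACL and three NAT pools.
EDGE_ACL = [parse_ace(l) for l in """
access-list 100 deny icmp any any
access-list 100 permit tcp any 203.0.113.0/24 eq 443
access-list 100 permit tcp any 203.0.113.10/32 eq 23
access-list 100 permit tcp any 203.0.113.0/24 eq 443
access-list 100 deny ip any any
""".split("\n") if l.strip()]
NAT_POOLS = {"pool-a": ("198.51.100.10", "198.51.100.50"),
             "pool-b": ("198.51.100.40", "198.51.100.60"),
             "pool-c": ("198.51.100.100", "198.51.100.120")}
REQUIRED_BLOCKS = {"icmp": ("icmp", None), "telnet": ("tcp", 23), "ftp": ("tcp", 21)}


def hardening_report(acl: List[Ace] = EDGE_ACL, pools=NAT_POOLS) -> dict:
    """One pass over the three rules; an empty value means the rule holds."""
    return {"unblocked": [n for n, (p, port) in REQUIRED_BLOCKS.items()
                          if not blocks_inbound(acl, p, port)],
            "redundant_aces": redundant_aces(acl),
            "nat_overlaps": overlapping_nat_pools(pools)}
```

On the constructed config the report flags telnet (a narrow permit for one host precedes the blanket deny), the fourth ACE (an exact duplicate of the second), and the pool-a/pool-b overlap; ICMP and FTP are blocked, the former by an explicit deny and the latter by the trailing deny.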
Automated Compliance Reporting: Manage Security Audits Effectively
- Out-of-the-box templates for regulatory & industry standards: STIG, CCRI, NIST 800-53
- Validate against a golden configuration
- Automatic & periodic security advisory updates
- Analyze ACLs, firewall policies, and other security controls
- Analyze device administrative control
- Leverage best practices from Cisco, AAA, NSA security guidelines, and more
- Trend audit results over time
Automated Topology Diagramming: Automate generation of audit-quality diagrams
- Automatically generate high-definition network diagrams using configuration and operational data
- Provide detailed insight into physical, logical and virtual components
- Generate professional-quality HTML or Visio diagrams
- Customizable diagram layout and annotations
Change Control
See changes, route propagations, survivability/redundancy testing
Visualize BGP route propagation
Understand Movement NSEW: Go Threat Hunting
"We can take a proactive approach to searching for those intruders rather than a reactive approach that focuses on known incidents ... government has to start searching for the unknown."
Jeff Wagner (OPM Director of Security Operations)
Find Every Sensitive Device & Who It Talks With in 30 Seconds
Leverage Reporting To Track Activity
Discover and remediate; run on-demand or scheduled:
- Progressive SSH/RDP burrowing across the network
- SMTP requests not on TCP/25
- DNS requests not on UDP/53
- CIFS to/from the Internet
- Weekly foreign country business reports
- Tunneled traffic
- Access to production network not during change windows
- Servers not within the data center subnets
- East/West traffic where none is expected
- North/South traffic where none is expected
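Three of the reports listed above, implemented as an added example over constructed flow records (this is not NetProfiler's report logic): progressive SSH/RDP burrowing is found by chaining hops where each new session starts from the previous destination within a time window, CIFS to/from the Internet is any CIFS flow with a non-internal endpoint, and "servers not within the data center subnets" are internal hosts answering server-class applications outside an assumed data-center range. The flow line format, the internal and data-center prefixes, and the application labels are assumptions.

```python
"""Added example (not a NetProfiler report): hunting checks over
constructed flow records for three of the reports on the slide."""
import ipaddress
from collections import namedtuple
from typing import Dict, List

Flow = namedtuple("Flow", "ts src dst proto dport app")

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
DATA_CENTER = ipaddress.ip_network("10.10.0.0/16")   # assumed DC range
SERVER_APPS = {"mssql", "http", "smtp"}              # assumed server-class apps


def parse_flows(text: str) -> List[Flow]:
    """One flow per line: <epoch> <src> <dst> <proto> <dport> <app>."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport, app = line.split()
        flows.append(Flow(int(ts), src, dst, proto, int(dport), app))
    return flows


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in INTERNAL)


def cifs_to_internet(flows: List[Flow]) -> List[Flow]:
    """CIFS/SMB should never cross the perimeter in either direction."""
    return [f for f in flows if f.app == "cifs"
            and not (is_internal(f.src) and is_internal(f.dst))]


def servers_outside_datacenter(flows: List[Flow]) -> List[str]:
    """Internal hosts serving server-class apps from outside the DC subnets."""
    return sorted({f.dst for f in flows if f.app in SERVER_APPS
                   and is_internal(f.dst)
                   and ipaddress.ip_address(f.dst) not in DATA_CENTER})


def burrowing_chains(flows: List[Flow], window: int = 3600,
                     min_hops: int = 2) -> List[List[str]]:
    """Progressive SSH/RDP burrowing: A->B, then B->C, then C->D ... where
    each hop starts after the previous one and within `window` seconds of
    it. Only maximal chains with at least `min_hops` hops are returned."""
    hops = sorted((f for f in flows if f.app in ("ssh", "rdp")), key=lambda f: f.ts)

    def follows(prev: Flow, nxt: Flow) -> bool:
        return nxt.src == prev.dst and prev.ts < nxt.ts <= prev.ts + window

    chains: List[List[str]] = []

    def extend(chain: List[Flow]) -> None:
        visited = {chain[0].src} | {h.dst for h in chain}   # no cycles
        grew = False
        for nxt in hops:
            if follows(chain[-1], nxt) and nxt.dst not in visited:
                grew = True
                extend(chain + [nxt])
        if not grew and len(chain) >= min_hops:
            chains.append([chain[0].src] + [h.dst for h in chain])

    for start in hops:
        if not any(follows(p, start) for p in hops):   # chain heads only
            extend([start])
    return chains


# Constructed flows: an SSH -> RDP -> SSH chain, an Internet-bound CIFS
# session, a SQL server outside the DC range, and a lone SSH session.
SAMPLE = parse_flows("""
1000 10.1.1.5 10.1.2.9 tcp 22 ssh
1600 10.1.2.9 10.10.5.3 tcp 3389 rdp
2500 10.10.5.3 10.10.7.7 tcp 22 ssh
1200 10.1.1.5 10.1.1.6 tcp 445 cifs
1300 10.1.1.20 198.51.100.4 tcp 445 cifs
1400 10.2.3.4 10.1.1.50 tcp 1433 mssql
1500 10.2.3.4 10.10.1.50 tcp 1433 mssql
9000 10.1.9.9 10.1.9.10 tcp 22 ssh
""")


def hunting_report(flows: List[Flow] = SAMPLE) -> Dict[str, list]:
    return {"burrowing": burrowing_chains(flows),
            "cifs_internet": [f"{f.src}->{f.dst}" for f in cifs_to_internet(flows)],
            "servers_outside_dc": servers_outside_datacenter(flows)}
```

The chain detector reports only maximal chains (a hop whose source was itself reached by an earlier in-window hop is never a chain head), so one burrow through four hosts is one finding rather than three overlapping ones; the single SSH session at the end is ignored because it never continues.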
Assess Impact of Code/SQL Injection Using your Phone!
[Chart: transactions from injection attack vs. genuine transactions]
Identify Scope of Intrusion
Extend Visibility into Attack Surface: Go Beyond Attack Points of Entry
URL: http://www.xxxx.com/yyy/zzz.aspx?cm_re=${@print(md5(acunetix_wvs_security_test))}
Using typical security tools, injection detection occurs ONLY at points of entry.
Discover the entire surface area of attack, for every SINGLE transaction; no transaction sampling.
Would it be acceptable to have visibility into just 1 of 10,000 intrusions?
Alarm On Violations
New Host Analytic
Alert on new hosts in secured areas of the network
New Host Policy workflow:
- New host appears on VLAN supporting PCI-compliant ERP servers
- Alert via SNMP trap or email with context-sensitive drill-down to details
- Complete visibility into offending host, with conversational details, packets for deep-dive analysis, and MAC address/switch port info
- Optional vulnerability scanning
Detect changes in sensitive parts of the network to improve security posture and help with regulatory compliance
Malware Analytics
Details of worm propagation:
- Drill-down for event details, including start/end time, duration, list of scanned traffic, etc.
- Graphical view of the threat propagation including patient zero
- Multiple host infections are recognized as a single event
Improve your security posture; detect worms and malware that don't rely on signatures
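What "signature-free" worm detection, patient zero and "multiple infections as a single event" amount to in practice, as an added example that is not Riverbed's analytic: a host is treated as a scanner once it touches many distinct destinations on one port within a short window, scanners are linked into a propagation tree by asking which earlier scanner contacted them before they began scanning themselves, and the root of that tree is patient zero. The fan-out threshold, window, addresses and flow fields are assumptions.

```python
"""Added example (not Riverbed's code): fan-out based worm detection and
patient-zero reconstruction over constructed flow records."""
from collections import defaultdict, namedtuple
from typing import Dict, List

Flow = namedtuple("Flow", "ts src dst dport")


def find_scanners(flows: List[Flow], fanout: int = 5, window: int = 600) -> Dict[str, int]:
    """Map src -> time it began scanning: the first instant at which it had
    contacted >= `fanout` distinct destinations on one port within `window`."""
    by_src_port = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src_port[(f.src, f.dport)].append(f)
    started: Dict[str, int] = {}
    for (src, _port), fs in by_src_port.items():
        for i, first in enumerate(fs):
            targets = {g.dst for g in fs[i:] if g.ts <= first.ts + window}
            if len(targets) >= fanout:
                started[src] = min(started.get(src, first.ts), first.ts)
                break
    return started


def propagation_event(flows: List[Flow], fanout: int = 5, window: int = 600) -> dict:
    """Fold every scanner into one event. B's infector is the earliest
    scanner A that contacted B after A started and before B started."""
    started = find_scanners(flows, fanout, window)
    if not started:
        return {"patient_zero": None, "infected": [], "tree": {}, "start": None, "end": None}
    parent: Dict[str, str] = {}   # child -> infector
    for f in sorted(flows, key=lambda f: f.ts):
        if (f.src in started and f.dst in started and f.dst not in parent
                and started[f.src] <= f.ts < started[f.dst]):
            parent[f.dst] = f.src
    roots = [h for h in started if h not in parent]
    return {"patient_zero": min(roots, key=started.get),
            "infected": sorted(started, key=started.get),
            "tree": parent,
            "start": min(started.values()),
            "end": max(f.ts for f in flows if f.src in started)}


def _scan(src: str, ts0: int, first_target: int, port: int = 445) -> List[Flow]:
    """Constructed burst: `src` touches five consecutive hosts on `port`."""
    return [Flow(ts0 + i, src, f"10.0.0.{first_target + i}", port) for i in range(5)]


# Constructed traffic: .5 infects .10, which infects .20; plus one unrelated
# flow that must not be mistaken for scanning.
SAMPLE = (_scan("10.0.0.5", 100, 10) + _scan("10.0.0.10", 300, 20)
          + _scan("10.0.0.20", 500, 30) + [Flow(50, "10.0.0.99", "10.0.0.10", 80)])
```

Because the tree is built from timing rather than payload, the same logic works for a worm whose exploit is unknown; the trade-off is that the fan-out threshold must sit above legitimate scanners (monitoring systems, vulnerability scanners), which is where an allow-list belongs in a real deployment.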
Alarm on Anything/Any Place
Your creativity is the limit here:
- Anyone trying or succeeding in accessing routers: log or alert on anyone who tries to connect to an IP x.x.x.1
- Non-encrypted connections to/from regulated servers: log or alert on anyone NOT using SSH or SSL
- Connections to/from restricted network segments
- Find tunneling: Port 80 != HTTP; Port 443 != HTTPS; Port 53 != DNS
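The alarm ideas on this slide and the New Host Analytic two slides earlier are all decisions made per flow against a small amount of policy state, so one rule pass covers them. The following is an added example, not NetProfiler's policy engine: it flags connections to x.x.x.1 gateway addresses, non-SSH/SSL sessions to regulated servers, flows whose identified application does not match the well-known port they use (the "Port 80 != HTTP" tunneling case), and hosts appearing on the PCI VLAN that are absent from a learned baseline. The address ranges, regulated-server list, baseline, flow fields and application labels are assumptions.

```python
"""Added example (not NetProfiler's code): per-flow alarm rules from the
'Alarm on Anything' slide plus the New Host Analytic, over constructed flows."""
import ipaddress
from collections import Counter, namedtuple
from typing import Dict, List, Set, Tuple

Flow = namedtuple("Flow", "ts src dst proto dport app")

REGULATED_SERVERS = {"10.20.0.10", "10.20.0.11"}              # assumed
PCI_VLAN = ipaddress.ip_network("10.20.0.0/24")                # assumed
KNOWN_PCI_HOSTS = {"10.20.0.10", "10.20.0.11", "10.20.0.12"}   # learned baseline
EXPECTED_APP = {80: "http", 443: "ssl", 53: "dns"}             # port != app => tunneling
ENCRYPTED_APPS = {"ssh", "ssl"}


def alarms(flows: List[Flow], known_hosts: Set[str] = KNOWN_PCI_HOSTS) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs in time order; a new PCI host alerts once."""
    seen = set(known_hosts)
    out: List[Tuple[str, str]] = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst.endswith(".1"):   # gateway convention x.x.x.1 from the slide
            out.append(("router-access", f"{f.src} -> {f.dst} port {f.dport}"))
        if f.dst in REGULATED_SERVERS and f.app not in ENCRYPTED_APPS:
            out.append(("cleartext-to-regulated", f"{f.src} -> {f.dst} via {f.app}"))
        if f.dport in EXPECTED_APP and f.app != EXPECTED_APP[f.dport]:
            out.append(("tunneling", f"{f.src} -> {f.dst}: port {f.dport} carries {f.app}"))
        for host in (f.src, f.dst):
            if ipaddress.ip_address(host) in PCI_VLAN and host not in seen:
                seen.add(host)   # extend the baseline so each host alerts once
                out.append(("new-host", f"{host} first seen on PCI VLAN at t={f.ts}"))
    return out


def alarm_counts(flows: List[Flow]) -> Dict[str, int]:
    return dict(Counter(rule for rule, _ in alarms(flows)))


# Constructed flows: one clean SSH session, then one trigger per rule,
# a repeated flow from the new host, and one clean DNS query.
SAMPLE = [
    Flow(1000, "10.1.1.5", "10.20.0.10", "tcp", 22, "ssh"),
    Flow(1010, "10.1.1.5", "10.20.0.10", "tcp", 1433, "mssql"),
    Flow(1020, "10.1.1.6", "198.51.100.9", "tcp", 80, "ssh"),
    Flow(1030, "10.1.1.7", "10.1.1.1", "tcp", 22, "ssh"),
    Flow(1040, "10.20.0.77", "10.20.0.11", "tcp", 443, "ssl"),
    Flow(1041, "10.20.0.77", "10.20.0.11", "tcp", 443, "ssl"),
    Flow(1050, "10.1.1.8", "10.1.1.9", "udp", 53, "dns"),
]
```

The tunneling rule depends on the application label coming from payload inspection rather than from the port; without that independent identification, "port 80 != HTTP" cannot be evaluated at all, which is why the slide ties these alarms to full-packet visibility.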
Address Real Problems
SIEM Integration: Instantly Add Context (Scope & Triage)
1. Report events to your SIEM, or enable your SIEM to extract contextual information from NetProfiler
   A. SIEM identifies a problem
   B. Right-click the node IP
2. Get context information: all of the detailed information that NetProfiler collects is delivered through the SIEM console
Packet Level Integration: Instantly Drill Down (Scope & Triage)
REST call to NetShark
Programmability / 3rd-party Integration: REST API
Automate expert workflows:
- Script common or tedious tasks
- React to IT events faster
- Benefit from custom features created by the community
Scripting Library, Custom Apps, Threat Visualization, Server Fail Over
DECISION SUPPORT
Maneuver CYBER to affect our adversaries
- Discrete event simulation to support decisions
- Understand where and who
- Mitigate an immediate attack (opportunity to insert mis-information)
- Monitor: trace the path (attack vectors) the adversary used
- Packets: see the data the adversary took
Thank You