Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA


Arbor Networks Spectrum. Wim De Niel, Consulting Engineer EMEA, wdeniel@arbor.net

Arbor Spectrum for Advanced Threats
Spectrum finds advanced threats with network traffic and unlocks efficiency to detect, investigate, and confirm threats.
2016 ARBOR CONFIDENTIAL & PROPRIETARY

Arbor: Protecting the World's Networks for 16 Years
Unrivalled network traffic expertise for security
o Deployed everywhere on the planet
o See more Internet traffic than any other provider
o Access to Netscout technology
World's most powerful traffic intelligence platform
o ATLAS monitors one-third of the world's Internet traffic
o World-class security research team analysing traffic patterns and reverse engineering malware and its infrastructure
Proven scale across blue-chip installed base
o 3 of the top 5 global banks
o 9 of the 10 largest online brands and hosting providers
o 100% of Tier 1 service providers
Live Digital Attack Map, powered by Arbor Networks

Global Crime Statistics
Chart: market sizes for the stolen credit card, stolen vehicle, cocaine, stolen smartphone and global cybercrime markets; values shown are $30B, $56B, $85B, $114B and $288B (the chart's number-to-market assignment did not survive extraction). Source: World Economic Forum.

$10B+ Spent on Fences in 2015
Fences: firewall, IDS/IPS, SIEM, endpoint
o Current state failing as IT and attackers evolve
o Security teams overwhelmed
o Responses ineffective

The Hidden Threats
Diagram: threats detected with perimeter and alert-based security solutions at the defence and infrastructure level, versus the hidden threats: lateral movement and insider misuse.

Attack Campaigns: The Real Advanced Threat
o Not a single threat such as advanced malware
o Specific targets
o Well-resourced human attackers orchestrating ongoing, persistent campaigns
o Sneak past current defences
o Teams are built to defend, not to find and contain
o New processes and solutions are needed
Did you know?
o 7+ toolkits: advanced attacks in 2015 used 7 or more toolkits, and less than half exploited a critical vulnerability
o 40% of advanced attacks in 2015 did not involve malware
o 20% of all advanced threat attacks in 2014-2015 involved DDoS
o 60% of enterprises take longer than 3 days to investigate a critical security event
o 200+ days: average dwell time of breaches is greater than 200 days

$2B Spent on Advanced Threat in 2015
Fences: firewalls and IDS/IPS, endpoint security, SIEM. Detectives: internal network analysis, boundary advanced threat, endpoint advanced threat.
Advanced threat markets have emerged to meet the gap in current security protections.

Time is the Currency That Matters
Chart: dwell time, measured as mean time to identify (MTTI), of 198 days and 98 days, and containment, measured as mean time to contain (MTTC), of 39 days and 21 days, for financial services (1) and retail companies (2). Source: Ponemon Institute LLC 2015, sponsored by Arbor Networks.

The Security Incident Process Today
Analyst team(s): Identify, Triage, Verify, Contain, fed by IPS, firewall and sandbox alerts.
o No context: each threat is seen in isolation
o Time wasted on false positives
o Multiple systems interrogated; human skill and expertise needed to pull the data together
o Tier 1 underused, Tier 2 frustrated, Tier 3 hard to find and keep
o Long dwell times, high risk
Metrics: MTTI, mean time to identify (that there is a problem); MTTV, mean time to verify; MTTC, mean time to contain.

Why Internal Network Analysis for Advanced Threats?
Diagram: a seven-stage attack path across the organisation's network, passing through a remote subsidiary, an unsupervised consultant and the desktop of the CFO (credential capture) to reach the sensitive assets at headquarters.
o Network traffic gives unique clues to suspicious or malicious activity
o Answers the who, where, why and what of an attack
o Superior location to see all nodes and users fast, everywhere

Spectrum: Turning Traffic into a Security Superpower
Inputs: network traffic (flow and packets), Active Directory, custom intel.
With Arbor Spectrum:
o Identify and visualise: visualise network, threat and user activity; reduce MTTI (mean time to identify that there is a problem)
o Analyse and correlate: link disparate events together over time
o Investigate and prove: reduce MTTV (mean time to verify)
o Contain: get to containment faster; reduced dwell time and risk
Analyst team(s): more effective use of resources, with more of them focused on finding and containing the threats that matter.

Arbor Spectrum Product Principles
o A complete view of your network traffic provides the most effective means to identify and stop advanced threats. Arbor provides unique automated threat identification, accelerated threat validation and response for security teams.
o Focus on what matters: organisations have too many generic alerts. ATLAS threat indicators and Arbor-generated behaviour indicators represent threats that matter to security teams.
o Empower security teams to make decisions faster: easy access to the preserved artifacts of an incident, and workflows to link disparate artifacts into a single investigation.

How Arbor Spectrum Works
Detect: models Internet attack traffic (botnet, darknet, trojan) into high-fidelity campaign indicators; automatic correlation of IOCs to internal network activity; custom intelligence.
Investigate: real-time visualisation and workflows; investigation workbench; dossier that ties attacks to users; conversation search.
Prove: full network archive in real time; automatic PCAP based on indicators; high-performance traffic archive.
Respond.

ATLAS Approach: The World's Most Powerful Traffic Intelligence Platform
Unique traffic-based security intelligence platform:
o Collect: telemetry for one-third of Internet traffic per hour
o Correlate: botnet and darknet activity
o Analyse: campaign indicators
o Act: confirmed traffic and threat profile, delivered as ATLAS indicators (hourly)

ATLAS Intelligence: Campaign Focused
o ATLAS and ASERT track the use (and re-use) of bad-actor infrastructure
o Attacks, even from nation-state actors, often re-use traffic infrastructure: for ease, and to make attribution more difficult
o ASERT focus on: DDoS, APT, financial, retail, geo-political
o ASERT deliver high-fidelity network artifacts, tagged with regularly updated severity and confidence data
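The two slides above describe the core mechanic in the abstract: an indicator feed tagged with severity and confidence, matched automatically against internal flow and packet activity, with the hits tied back to a user so an analyst gets a per-host dossier rather than an isolated alert. The script below is an added illustration of that mechanic and is not Arbor code, nor does it use the ATLAS feed or the Spectrum API; the indicator list, the NetFlow-style records and the IP-to-user map standing in for Active Directory logon data are all constructed inline. It also measures dwell time from the first matching flow, which is the MTTI number the deck keeps returning to.

```python
"""Correlate a confidence-tagged indicator feed with flow records and user identity.

Constructed example: indicators, flows and the IP-to-user map are made up for
illustration and are not real threat intelligence or customer data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed indicator feed. Each entry carries severity and confidence tags;
# confidence gates whether the indicator is allowed to raise a hit at all.
INDICATORS = [
    {"value": "203.0.113.7",     "kind": "ip",   "tag": "botnet_c2",       "severity": 9, "confidence": 90},
    {"value": "198.51.100.0/24", "kind": "cidr", "tag": "darknet_scanner", "severity": 4, "confidence": 70},
    {"value": "192.0.2.50",      "kind": "ip",   "tag": "trojan_dropper",  "severity": 8, "confidence": 35},
]

# Constructed flow records: timestamp, source IP, destination IP, dst port, bytes out.
FLOW_LINES = """\
2016-03-01T09:12:00 10.1.5.23 203.0.113.7 443 18234
2016-03-01T09:13:30 10.1.5.23 93.184.216.34 443 2200
2016-03-02T22:41:10 10.1.7.9 198.51.100.77 22 910
2016-03-03T01:05:00 10.1.5.23 203.0.113.7 443 250112
2016-03-03T01:07:45 10.1.9.4 192.0.2.50 80 4096
"""

# Constructed stand-in for Active Directory logon-to-IP data.
USER_BY_IP = {"10.1.5.23": "cfo-desktop\\j.doe", "10.1.7.9": "consultant\\ext.user"}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class Dossier:
    """Everything matched for one internal host, tied to the logged-on user."""
    host: str
    user: str
    first_seen: datetime
    last_seen: datetime
    max_severity: int = 0
    bytes_out: int = 0
    hits: dict = field(default_factory=dict)  # indicator tag -> number of matching flows


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def compile_indicators(indicators, min_confidence):
    """Drop low-confidence entries and turn the rest into ip_network objects."""
    compiled = []
    for ioc in indicators:
        if ioc["confidence"] < min_confidence:
            continue
        net = ip_network(ioc["value"] + ("/32" if ioc["kind"] == "ip" else ""))
        compiled.append((net, ioc))
    return compiled


def match_indicators(flow, compiled):
    dst = ip_address(flow.dst)
    return [ioc for net, ioc in compiled if dst in net]


def build_dossiers(flows, indicators, user_by_ip, min_confidence=50):
    """Correlate every flow against the feed and aggregate hits per source host."""
    compiled = compile_indicators(indicators, min_confidence)
    dossiers = {}
    for f in sorted(flows, key=lambda f: f.ts):
        hits = match_indicators(f, compiled)
        if not hits:
            continue
        d = dossiers.get(f.src)
        if d is None:
            d = Dossier(f.src, user_by_ip.get(f.src, "unknown"), f.ts, f.ts)
            dossiers[f.src] = d
        d.last_seen = f.ts
        d.bytes_out += f.nbytes
        for ioc in hits:
            d.max_severity = max(d.max_severity, ioc["severity"])
            d.hits[ioc["tag"]] = d.hits.get(ioc["tag"], 0) + 1
    return dossiers


def dwell_days(dossier, identified_at):
    """Time to identify, measured from the first matching flow, in days."""
    return (identified_at - dossier.first_seen) / timedelta(days=1)


def triage_order(dossiers):
    """Highest severity first, then most data out, so analysts start with what matters."""
    return sorted(dossiers.values(), key=lambda d: (-d.max_severity, -d.bytes_out))


if __name__ == "__main__":
    ds = build_dossiers(parse_flows(FLOW_LINES), INDICATORS, USER_BY_IP)
    now = datetime(2016, 3, 10, 8, 0)
    for d in triage_order(ds):
        print(f"{d.host:12} {d.user:22} sev={d.max_severity} hits={d.hits} "
              f"first={d.first_seen:%Y-%m-%d %H:%M} dwell={dwell_days(d, now):.1f}d bytes_out={d.bytes_out}")
```

With the default threshold of 50, the trojan-dropper indicator (confidence 35) never fires, so host 10.1.9.4 produces no dossier; lowering min_confidence brings it in. That is the trade-off the "high fidelity" language on the slide is about: a feed with severity and confidence attached lets the operator pick the point on that curve instead of drowning Tier 1 in generic alerts.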

Spectrum: Using the Network to Detect & Confirm Hidden Threats
Smarter and faster
o High-confidence campaign indicators with ATLAS Intelligence
o Unique investigation workflows that make every team member more effective
Unprecedented visibility
o Intuitive workflows that connect host, conversation and threat data together
Unprecedented scale
o Access to forensics data at your fingertips
o Search and pivot months of network data in seconds
Easy install and operation
"Within an hour of deploying Arbor Spectrum, it became a go-to console each day to quickly confirm a threat inside our network. The detail from the hosts & connections pages became a view into our network we have never seen before." - Security Analyst

Spectrum Customers Reduce MTTV by 10x
Investigations per day, before and with Spectrum:
  Role                        Before Spectrum   With Spectrum
  Senior incident responder   3                 10-15
  Mid-level analyst           0                 5-10
  Junior analyst              0                 3-5
Customer verticals shown on the slide: financial, retail, regional government.

What to Take Away About Arbor Spectrum
1. Scale your security team: customers can scale their teams to detect and confirm security incidents 10x faster.
2. Arbor Spectrum is a new internal traffic analysis platform engineered from the ground up for unmatched network visibility combined with scale and speed of analysis of security threats.
3. Spectrum is easy to PoC; deployment takes hours.

Q & A