Cyber Security, Big Data and Risk

Similar documents
Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

RSA INCIDENT RESPONSE SERVICES

10 FOCUS AREAS FOR BREACH PREVENTION

RSA INCIDENT RESPONSE SERVICES

RiskSense Attack Surface Validation for IoT Systems

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Business Context: Key for Successful Risk Management

Best Practices for Scoping Infections and Disrupting Breaches

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Automated Threat Management - in Real Time. Vectra Networks

THE EVOLUTION OF SIEM

SentinelOne Technical Brief

The McGill University Health Centre (MUHC)

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

SIEM FOR BEGINNERS Everything You Wanted to Know About

Machine-Powered Learning for People-Centered Security

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

with Advanced Protection

68 Insider Threat Red Flags

SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK.

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Securing Your Most Sensitive Data

empow s Security Platform The SIEM that Gives SIEM a Good Name

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

CyberArk Privileged Threat Analytics

Spotlight Report. Information Security. Presented by. Group Partner

Incident Response Agility: Leverage the Past and Present into the Future

Security+ SY0-501 Study Guide Table of Contents

ForeScout ControlFabric TM Architecture

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

Compare Security Analytics Solutions

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Agile Security Solutions

RSA Security Analytics

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

Seceon s Open Threat Management software

Combating Cyber Risk in the Supply Chain

RiskSense Attack Surface Validation for Web Applications

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Endpoint Protection : Last line of defense?

Security Solutions. Overview. Business Needs

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Transforming Security Part 2: From the Device to the Data Center

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

SentinelOne Technical Brief

KEY FINDINGS INTERACTIVE GUIDE. Uncovering Hidden Threats within Encrypted Traffic

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

SIEM Overview with OSSIM Case Study. Mohammad Husain, PhD Cal Poly Pomona

Imperva Incapsula Website Security

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

RSA. The security division of EMC. Visibilidad total en el entorno de seguridad. Javier Galvan Systems Engineer Mexico & NOLA

How Breaches Really Happen

SOLUTION BRIEF REMOTE ACCESS: WEBSHELLS SEE EVERYTHING, FEAR NOTHING

Advanced Threat Intelligence to Detect Advanced Malware Jim Deerman

Copyright 2011 Trend Micro Inc.

Cisco Firepower NGFW. Anticipate, block, and respond to threats

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Office 365 Buyers Guide: Best Practices for Securing Office 365

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

MEETING ISO STANDARDS

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

ANATOMY OF AN ATTACK!

Monthly Cyber Threat Briefing

Behavioral Analytics A Closer Look

SIEM: Five Requirements that Solve the Bigger Business Issues

From Managed Security Services to the next evolution of CyberSoc Services

Paloalto Networks PCNSA EXAM

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

PrecisionAccess Trusted Access Control

IT Security Mandatory Solutions. Andris Soroka 2nd of July, RIGA

CloudSOC and Security.cloud for Microsoft Office 365

A Comprehensive CyberSecurity Policy

Title: Planning AWS Platform Security Assessment?

Security Challenges and

2015 VORMETRIC INSIDER THREAT REPORT

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Evidence-based protection of web resources a must under the GDPR. How the Akamai Intelligent Platform helps customers to mitigate risks

Exam : Title : Security Solutions for Systems Engineers(SSSE) Version : Demo

Defensible and Beyond

COMPUTER NETWORK SECURITY

align security instill confidence

Chapter 9. Firewalls

Transcription:

Cyber Security, Big Data and Risk Mark Seward, Sr. Director, Security and Compliance, Splunk In-Depth Seminars D24 CRISC CGEIT CISM CISA

AGENDA Why are attacks successful? How does big data help Changing our thinking The advanced threat playbook Thinking security talking business risk Questions CRISC CGEIT CISM CISA 9/24/2013 2

Advanced threats are hard to detect 100% Valid credentials were used 243 Median # of days before detection 40 Average # of systems accessed 63% Of victims were notified by external entity Source: Mandiant M-Trends Report 2012 and 2013 3

Attacker think Attackers don t want to work too hard to get what they want. What s the easiest way to target the right people who have access to the stuff I can sell? 4

Why are attacks successful -- Silos Defenders are isolated focused on narrow defensive zones Opponents are organized, persistent and creative 5

Why are attacks successful People They are the weak point in our cyber defense. Only takes one time to be right Employee activities are credentialed Bypassing the perimeter Must gain an understanding of what is normal and what is not. Need a real-time big data approach to security and statistical analysis of the data 6

Why are attacks successful Your Partners Monitoring the partner and service provider access is about what s normal and what s not Understand your partner s cyber posture and policy 7

How much and what kinds of data do we need? CRISC CGEIT CISM CISA 8 9/24/2013 8

Telling your data security story The 5 Ws of Journalism The 5 Ws of Information Security 9

Unstructured industrial control data: A risk blind spot Security teams not focused on machine generated data Machines deliver goods or services Machines monitor product quality Machine health affects product/service quality Industrial Control Systems support JiT supply chains Environmental control data Machine Generated Data 10

An ever expanding universe of security data Security Relevant Data Security Relevant Data (IT infrastructure logs / Physical Security / Communication systems logs / Application data / non-traditional data sources) Expanded context (more data) required for who, what, when, where, and why SIEM An incomplete story will often tell you something happened Without enough context 11

An ever expanding universe of security data Email (How) Time (When) Location (Where) Proxy data Browsing History (What) IP Address DHCP / DNS (Who) Badge (Who) Supervisor (Why) Date (When) 12

The False Promise of SIEM and Data Reduction CRISC CGEIT CISM CISA 13 9/24/2013 13

Why are attacks successful Data reduction Typical SIEM Architecture Data Reduction Model Have to know what you need for investigation before you need it Useful data can come from anywhere not just what s supported by the vendor Lack of scalability restricts visibility Creates vendor dependency (people forget how to wade into their data) The cold case problem 14

Security posture homogenized Data reduction and normalization at collection time gives analysts a Skim Milk view of security posture The data fat can be relevant to an investigation All data is relevant for security 15

Moving to a data inclusion model Specific behavior based pattern modeling for humans and machines Based on combinations of: Location Role Data/Asset type Data/Asset criticality Time of day Action type Action length of time No up front normalization Time-indexed Data Analytics and Statistics Commands Correlation Pattern Analysis Data Inclusion Model 16

Meeting at the big data layer IT Operations Business Intelligence Compliance & Audit Security Web Analytics 17

What s the playbook for advanced persistent attackers? CRISC CGEIT CISM CISA 18 9/24/2013 18

What is the Kill Chain? Represents the typical phases of an advanced attack What are the characteristics of an advanced threat or attack Stealth Stay resident as long as possible Collection of high value data Can be nation state driven Malware acts as a proxy for the malicious insider Hacking the human trust The Kill-chain is a game film of typical attack activities a list of things that almost always happen but maybe not in order. 19

Kill-chain idea origin In military parlance, a Kill Chain is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. These stages are referred to as: Find Fix Track Target Engage Assess The further towards the beginning of the Kill Chain an attack can be stopped, the better. 20

Kill-chain for cyber security as outlined by Miter A successful strategy requires analysis of the game film called the advanced threat kill-chain 21

Kill-Chain activities defined 22

Monitoring the Kill-chain Web Analytics Get an understanding of clicks to the management or board member portion of your website from outside the country where your company is based. Google Analytics visitor flow report can help you understand where visitors come from how they troll and access the site. Social Media Monitor out-going data, especially file sharing that may help an attacker with social engineering Monitor company sentiment to understand whether a storm is gathering that may result in an attack Traffic Data originating from data center (know IP address spaces) 23

Monitoring the Kill-chain Identify Threat Characteristics Identify the domain the email came from as a legitimate business Use analytics to understand if the email is seen for the first time from the sender. Monitor the types of attachments and perform packet level inspection to understand file attachment content (what is the attachment? Javascript,.exe, or does it contain a launch action) 24

Monitoring the Kill-chain Malware Behavior Identification and Detection Use Virus Total or GTRI s Apiary to identify malware actions and characteristics Import Data from services into Splunk to monitor for infection characteristics not detected by AV engines o Collect malware Hash o Communication IPs, ports and protocols used o File or registry key changes o Domain the email came from as a legitimate business o Network connection(s) o DLL changes Correlate this data with host data collected Are changes made outside of change windows Monitor for unusual rare traffic between hosts for lateral movement Monitor changes to hosts processes 25

Monitoring the Kill-chain Malware Communication Analytics Monitor URL / and user agent strings for embedded command and control o Lengths above particular standard deviation Monitor web traffic to known bad IPs and domains Monitor web traffic to domains registered in the last 24-72 hours Monitor web traffic w/o referrer Use Virus Total or GTRI s Apiary to identify malware actions and characteristics Outbound encrypted traffic (from DMZ, webservers, DBs, other hosts that should not be initiating connections Identify self-signed certificates Falsified HTTP headers Beaconing hosts Non-standard encryption over allowed paths Use of Remote windows shell or remote desktop 26

Monitoring the Kill-chain DDoS from the inside CPU cycles eaten up Performance degradation Land and expand (what hosts are exhibiting same issues) Webserver content replaced Log files missing/erased New executable on host Host AV not updating Elevated privileges Movement of encrypted.rar or.zip files Use of sftp or ftp to a controlled host Use of pwdump tool 27

A tall order for the average security team? Take small measures/steps Pick one phase and focus then pick the next one Stopping the attacker at any one phase is good The earlier in the chain you are able to focus the better Know your environment you can bet the attacker will try to know it What information does your web presence tell an attacker? 28

Don t let vendors tell you what questions their solution can answer. Ask the questions your business cares about. CRISC CGEIT CISM CISA 29 9/24/2013 29

A Process for Using Big Data for Security: Identify the Business Issue What does the business care about? What could cause loss of service or financial harm? Performance Degradation Unplanned outages (security related) Intellectual property access Data theft 30

A Process for Using Big Data for Security: Construct a Hypothesis How could someone gain access to data that should be kept private? What could cause a mass system outage does the business care about? What could cause performance degradation resulting in an increase in customers dissatisfaction? 31

A Process for Using Big Data for Security: It s about the Data Where might our problem be in evidence? For data theft start with unauthorized access issues Facility access data, VPN, AD, Wireless, Applications, others Beg, Borrow, SME from system owners 32

A Process for Using Big Data for Security: Data Analysis For data theft start with what s normal and what s not (create a statistical model) How do we normally behave? What patterns would we see to identify outliers? Patterns based on ToD, Length of time, who, organizational role, IP geo-lookups, the order in which things happen, how often a thing normally happens, etc. 33

A Process for Using Big Data for Security: Interpret and Identify What are the mitigating factors? Does the end of the quarter cause increased access to financial data? Does our statistical model need to change due to network architecture changes, employee growth, etc? Can we gather vacation information to know when it is appropriate for HPA users to access data from foreign soil. What are the changes in attack patterns? 34

Big Data Platform: Insight for Business Risk App Monitoring Data Security Data IT Operations Data LDAP, AD Watch Lists Distributio n System Data Business Process Data Business Risk and Security Security & Compliance IT Operations Management Business Analytics Web Intelligence Application Monitoring 35

Thank You

Outside Live Threat Intelligence Live data sampling from 38 international data centers Presence in top 20 Internet Exchange (IX) points world wide Core Long haul fiber access from tier 1 operators with several 10 Gbps pipes 1500 factors for creating an IPQ risk score to asses potential attacks 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback