RSA ECAT DETECT, ANALYZE, RESPOND!
Cyber Threat Landscape
- The attack surface (and the attacker population) keeps expanding: web apps, laptops, EHR systems, firewalls, DNS and IP infrastructure are all in scope.
- Existing strategies and controls are failing.
- Attack sophistication is on the rise, visible in attackers' tactics, techniques and procedures (TTPs).
- 49% of enterprises know they were compromised by a malware-based attack in the last 2 years (ESG, September 2014).
- 70-90% of malware samples are unique to a single organization (Verizon 2015 DBIR).
- In 83% of incidents, discovery took weeks or more (Verizon 2014 DBIR).
(Source graphic: http://www.informationisbeautiful.net/)
How Attackers Work: TTP your way in
Stage 1, Establish foothold:
- Probe servers and applications for vulnerabilities, develop exploits, install webshells or remote access tooling.
- Spear-phish users, obtain credentials, deliver malware, gain remote access.
Stage 2, Entrench, expand, explore:
- Dump local credentials, install malware, download cracking tools.
- Move laterally; identify privileged accounts (IT admins), domain controllers and Exchange servers.
- Expand access methods (VPN, RDP, proxy); map the network.
Stage 3, Exfiltrate and maintain:
- Aggregate and stage data; obfuscate to avoid detection.
- Exfiltrate over HTTP, SSH, FTP or email; leverage dynamic DNS to rotate drop zones.
Damage and cost grow with time: seconds, minutes, hours, days, weeks, months.
Why endpoints matter
- Where evil starts: the endpoint is the weakest link in the kill chain.
- Organizations lack deep endpoint visibility and visibility into lateral movement across the organization, which increases attacker dwell time.
- Access paths to consider: partner access, employee access, end-user access.
- Network alone is not enough and gives siloed, partial views. Example on the slide: reallybadfile.exe, detection 0/48 engines.
- Goal: enable analysts to instantly determine full attack scope and gather critical forensic data.
Old vs. New A/V
- Old-generation tools (good, but not enough): the wrong data overflows analysts while the right data is missing. A signature such as the hash 64ef07ce3e4b420c334227eecb3b3f4c only catches the exact sample it was written for.
- Next-generation attacks call for contextual visibility, behavioral analytics and threat intel at the module, machine and malware/RAT level.
- Behaviors flagged instead of signatures matched: lssas.exe (a system-process name lookalike), suspicious svchost running, autorun unsigned hidden module, invalid kernel object type, floating module in an OS process, unsigned module writing an executable to a UNC path.
What is RSA ECAT? Leader of the unknown
- A continuous endpoint monitoring solution providing contextual visibility, seeing beyond a single alert across endpoints deployed on- and off-premises.
- Provides incident responders and security analysts a full attack investigation platform.
- ECAT reveals targeted threats by:
  - automatic abnormal-behavior (whitebox) analysis patterns, beyond known signatures;
  - machine-learning risk scoring;
  - STIX and RSA Live threat intelligence.
Enterprise-Ready ECAT: from Silicium Security to RSA ECAT Endpoint Security
- Sep 2007: Silicium Security is quietly built in a basement in Montreal.
- 2009: first production customer, a large Canadian government agency.
- Stuxnet (and Flamer) detected: ECAT detected these targeted attacks out-of-the-box.
- 2011: from government-only to commercial.
- Sep 2012: a tip from the EMC CIRC leads to RSA acquiring Silicium Security.
- v3.x: inventory and anomaly detection, Windows only.
- ECAT 4.0 (at RSA): Instant IOC (IIOC), Windows and Mac OS, re-skinned UI, integration with Security Analytics and RSA Live.
- ECAT v4.1 (third major release post acquisition): blocking, STIX CTI, remote relay, machine-learning risk score.
- Customer count growth shown for 2007-2015.
How does it work?
- Agent (endpoint): in user space it collects the process inventory, network data, physical data and status; in kernel space it handles security configuration and process tracking; it can apply response actions (blocking, quarantine). Behavioral profiling covers module behavior, machine behavior and malware/RAT behavior, with automatic information listing.
- Server: combines agent data with threat intel from RSA Research and RSA Live, a Yara engine, the OPSWAT A/V engine and optional 3rd-party sandbox solutions to produce a risk score, priority, root cause and full attack scope across the organization.
- Outputs: RSA Security Analytics (and other 3rd-party applications) via syslog, JSON and SMTP (ticketing systems).
ECAT Endpoint Client
- The agent collects process inventory, network data, physical data and status (user space) plus security config and process tracking (kernel space).
- Footprint figures on the slide: 100%, 20m, 5%, 500k, 2m for agent uptime, per-endpoint CPU, network bandwidth consumption, client disk footprint (configurable) and memory usage.
- Tested and verified with major AV, DLP and disk encryption products.
- Servers, laptops, desktops, VMs, VDIs; Windows (XP to Windows 10) and Mac OS X (10.6-10.11).
- On- and off-premises endpoint monitoring; automatic and on-demand scanning.
- Automatically downloads unknown files for additional analysis.
- Disconnected or formatted machine? The risk is still there, and the collected data remains available for investigation.
ECAT Endpoint Client (cont.): always and everywhere visibility
- Full system inventory: executables, DLLs, drivers, etc.
- Disk inspection: find files on disk and inspect them.
- Live memory analysis: identify hidden processes, modifications and tampering.
- Network traffic analysis: detect and analyze suspicious traffic.
- Compare and flag anomalies; validate the integrity of the system and its files.
ECAT Console: primary and secondary
- The console server analyzes scan data and flags anomalies using behavioral profiling (module, machine and malware/RAT behavior), the Yara engine, the OPSWAT A/V engine and threat intel from RSA Live and RSA Research; it outputs a risk score, priority, root cause and full attack scope across the organization.
- SQL Server maintains the repository for global correlation and both on- and off-line investigation, so the exact location and persistence of a malicious file are known for removal.
- Scales up to 50k agents per console server: one primary console server plus secondary console servers (x1, x2, ... xn).
Behavior Analytics Detection: RSA Pedia > Instant IOC (IIOC)
- ECAT IIOCs (Instant Indicators of Compromise) determine the threat attack vector(s) and identify abnormal behavior indicative of malware.
- ECAT provides ~300 IIOCs out-of-the-box. They are executed server side as scan data is processed, so they add zero performance load on the client.
- IIOCs enhance detection and prioritization, so analysts can instantly pinpoint full attack scope, root cause and attacker TTPs.
- They are NOT known signature-based IOCs (MD5, IP, domain, etc.). They work alongside threat intelligence (RSA Live IP information, geolocation) and the Yara and OPSWAT A/V engines, and cover module, machine and malware/RAT behavior.
- Customers can create their own customized IIOCs.
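To make the "behavior, not signature" point of the last two slides concrete, here is an added example (not ECAT code, and not its rule engine or data model) that evaluates a handful of IIOC-style rules server side over constructed inventory records. Field names, weights, the expected-parent table and the sample data are all assumptions; the rules mirror the behaviors the slides name (suspicious svchost, a system-process name lookalike such as lssas.exe, unsigned hidden autorun, a floating module, and the abnormal sent/received byte ratio used in the SA pivot use case later in the deck) and sum into a per-machine risk score for prioritization.

```python
"""Behaviour-based 'instant IOC' evaluation over constructed endpoint scan records.

Added example, not ECAT's rule engine or data model. Each record is one module
observation as an agent inventory might report it (field names are assumptions).
Rules look at where a module lives, who started it, whether it is signed or
autostarts, and its traffic ratio, never at a hash, IP or domain. Weights are
illustrative.
"""
from collections import defaultdict

# Conventional location of these Windows system processes and the parent that
# should have started them (assumption, good enough for the example).
SYSTEM32 = "c:\\windows\\system32\\"
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}

# Constructed sample scan data (not real telemetry).
SAMPLE_SCAN = [
    {"machine": "LT-US-HWashington", "name": "svchost.exe",
     "path": "C:\\Windows\\System32\\svchost.exe", "parent": "services.exe",
     "signed": True, "autorun": False, "hidden": False, "floating": False,
     "bytes_sent": 1200, "bytes_recv": 90000},
    {"machine": "LT-US-HWashington", "name": "svchost.exe",
     "path": "C:\\Users\\hwashington\\AppData\\Local\\Temp\\svchost.exe",
     "parent": "explorer.exe", "signed": False, "autorun": True, "hidden": True,
     "floating": False, "bytes_sent": 48_000_000, "bytes_recv": 2000},
    {"machine": "SRV-FILE01", "name": "lssas.exe",
     "path": "C:\\Windows\\lssas.exe", "parent": "cmd.exe",
     "signed": False, "autorun": True, "hidden": False, "floating": True,
     "bytes_sent": 0, "bytes_recv": 0},
    {"machine": "SRV-FILE01", "name": "lsass.exe",
     "path": "C:\\Windows\\System32\\lsass.exe", "parent": "wininit.exe",
     "signed": True, "autorun": False, "hidden": False, "floating": False,
     "bytes_sent": 0, "bytes_recv": 0},
]


def is_lookalike(name, target):
    """One substitution or one adjacent transposition away from `target`, not equal."""
    if name == target or len(name) != len(target):
        return False
    diffs = [i for i, (a, b) in enumerate(zip(name, target)) if a != b]
    if len(diffs) == 1:
        return True
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and name[diffs[0]] == target[diffs[1]]
            and name[diffs[1]] == target[diffs[0]])


def rule_suspicious_svchost(r):
    """svchost.exe outside System32 or not started by services.exe."""
    n = r["name"].lower()
    return n == "svchost.exe" and (
        not r["path"].lower().startswith(SYSTEM32)
        or r["parent"].lower() != EXPECTED_PARENT[n])


def rule_system_name_lookalike(r):
    return any(is_lookalike(r["name"].lower(), t) for t in EXPECTED_PARENT)


def rule_autorun_unsigned_hidden(r):
    return r["autorun"] and not r["signed"] and r["hidden"]


def rule_floating_module(r):
    return r["floating"]


def rule_exfil_ratio(r, min_sent=10_000_000, ratio=20):
    """Far more bytes leaving than arriving: a client normally downloads, not uploads."""
    return r["bytes_sent"] >= min_sent and r["bytes_sent"] >= ratio * max(r["bytes_recv"], 1)


RULES = [
    ("suspicious_svchost", 40, rule_suspicious_svchost),
    ("system_name_lookalike", 50, rule_system_name_lookalike),
    ("autorun_unsigned_hidden", 30, rule_autorun_unsigned_hidden),
    ("floating_module", 40, rule_floating_module),
    ("exfil_byte_ratio", 25, rule_exfil_ratio),
]


def evaluate(records, rules=RULES):
    """Run every rule over every record. Returns {machine: {"score", "hits"}},
    highest risk first; machines with no hits are omitted."""
    result = defaultdict(lambda: {"score": 0, "hits": []})
    for r in records:
        for rule_id, weight, pred in rules:
            if pred(r):
                entry = result[r["machine"]]
                entry["score"] += weight
                entry["hits"].append((r["path"], rule_id))
    return dict(sorted(result.items(), key=lambda kv: kv[1]["score"], reverse=True))


if __name__ == "__main__":
    for machine, info in evaluate(SAMPLE_SCAN).items():
        print(machine, info["score"])
        for path, rule_id in info["hits"]:
            print("   ", rule_id, "<-", path)
```

Note that the legitimate svchost.exe and lsass.exe records produce no hits at all, while the two rogue modules score on several independent rules each; that stacking is what lets a score-based queue separate a real compromise from a single noisy indicator.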
Real-Time Response Action
- Find commodity malware and prioritize accordingly.
- Enables the SOC analyst to take real-time action against modules being written to disk or loaded in memory.
- Block: the file is blocked but remains at its location.
- Quarantine: the file is blocked and moved to a separate directory (a subdirectory of the deleted-files folder) accessible only to system administrators.
- Blacklist and block based on hash value for these module types: .EXE, .COM, .SYS, .DLL, .SCR, .OCX, .JAR, .BAT, .PS1, .VBS, .SF, .VBE, .PYC, .WSF, .WAR, .VB, .PY, .CLASS.
Timeline on the slide:
- t=0: malware drops or already exists on a machine. The ECAT agent identifies a new module, suspiciousfiledonotopen.exe, MD5 bd33f0f22b8038489e4542b8a08d75c4, SHA-1 49de968090ad7fe0bf22b6f9f60b65c05c077cfa, SHA-2 2e94fee2094ff92c807b067ad86c17ce903db0f72ad767b (truncated as printed).
- t=0+: STIX threat intel delivers a hash list (ed0f027320c419f71730546f7b2fa171, bd33f0f22b8038489e4542b8a08d75c4, 406dff23418df9083979dfbff12488d8, 18ada35e0e9137f1177ab4d32a24a971, ..., 0df525e5c0d6f6fa17c58b102390171f); the new module's MD5 is on it, so it is blocked.
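The hash-blacklist path on this slide, as an added example that is not ECAT code: a module seen landing on disk is fingerprinted with MD5, SHA-1 and SHA-256, checked against a blacklist of the kind a STIX package would deliver, and then either blocked in place or moved to an admin-only quarantine directory. The blacklist contents, the sample file body (the byte string b"abc", whose standard test-vector hashes are used), the quarantine layout and the chmod-based "administrators only" approximation are all constructed for the example; a real agent would enforce the block through its kernel component and Windows ACLs.

```python
"""Hash-based block/quarantine decision for a module written to disk.

Added example, not ECAT's blocking implementation. Blacklist entries, the
sample file and the quarantine layout are constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile

# Module types eligible for block/quarantine, as listed on the slide.
BLOCKABLE_EXTENSIONS = {
    ".exe", ".com", ".sys", ".dll", ".scr", ".ocx", ".jar", ".bat", ".ps1", ".vbs",
    ".sf", ".vbe", ".pyc", ".wsf", ".war", ".vb", ".py", ".class",
}

# Constructed blacklist: the MD5 shown on the slide plus the well-known test
# vectors for b"abc", which this example uses as its stand-in 'malware' body.
BLACKLIST = {
    "md5": {"bd33f0f22b8038489e4542b8a08d75c4", "900150983cd24fb0d6963f7d28e17f72"},
    "sha1": {"a9993e364706816aba3e25717850c26c9cd0d89d"},
    "sha256": {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
}


def fingerprint(path, chunk=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file, streamed so large modules are not read whole."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {k: h.hexdigest() for k, h in hashes.items()}


def blacklist_matches(hashes, blacklist=BLACKLIST):
    """Set of hash types that matched. Checking all three means a feed that only
    carries SHA-256 (or only MD5) still fires."""
    return {k for k, v in hashes.items() if v in blacklist.get(k, set())}


def enforce(path, action="quarantine", quarantine_root=None, blacklist=BLACKLIST):
    """Decide and apply the response for one module. Returns (decision, detail)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in BLOCKABLE_EXTENSIONS:
        return ("ignored", "extension not in blockable set")
    hashes = fingerprint(path)
    matched = blacklist_matches(hashes, blacklist)
    if not matched:
        return ("allowed", hashes["sha256"])
    if action == "block":
        # Block: the file stays where it is. A hypothetical execution filter would
        # deny loads of any module whose hash is returned here.
        return ("blocked", hashes["sha256"])
    # Quarantine: move the file into a subdirectory of the deleted-files folder that
    # only administrators can read. chmod 0o700 is the POSIX approximation of that.
    qdir = os.path.join(quarantine_root or os.path.dirname(path), "deleted_files", "quarantine")
    os.makedirs(qdir, exist_ok=True)
    os.chmod(qdir, 0o700)
    dest = os.path.join(qdir, hashes["sha256"] + ".quarantined")
    shutil.move(path, dest)
    return ("quarantined", dest)


def demo(action="quarantine"):
    """Constructed scenario: suspiciousfiledonotopen.exe appears on disk.
    Returns (decision, file_still_at_original_location)."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "suspiciousfiledonotopen.exe")
        with open(path, "wb") as f:
            f.write(b"abc")  # constructed stand-in for the malware body
        decision, _detail = enforce(path, action=action, quarantine_root=workdir)
        return decision, os.path.exists(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo("block"))       # blocked, file left in place
    print(demo("quarantine"))  # quarantined, file moved away
```

The extension gate is deliberately applied before hashing: it keeps the agent from hashing every document a user touches, which is where the "zero client load" claim on the previous slide is won or lost. The trade-off is that a payload renamed to an extension outside the list is never hashed at all, so a deployment that relies on this list should pair it with the behavioral rules rather than treat it as a complete control.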
ECAT Threat Intelligence Data Enrichment: where content and context meet
- Sources: RSA Live, RSA Research and external threat intel.
- Gathers advanced, high-quality threat intelligence content; aggregates and consolidates the data; operationalizes known-unknown community intelligence.
- STIX package support (<stix:STIX_Package>).
- Feeds include malware IP/domain lists, RSA Research APT IP/domains, RSA Research C2/exploit IP/domains, suspicious proxies, malicious networks and 0-day identifiers.
ECAT Threat Intelligence Data Enrichment (cont.): results from a previous incident response engagement, live data
- During a recent incident response engagement at a global financial institution, using RSA Live data alone, the RSA IR team was able to immediately identify infected machines communicating with a suspicious targeted-attack (APT) domain, and to identify which machines were exfiltrating which data.
- Used together with ECAT's behavioral analytics and contextual visibility, the customer was able to instantly pinpoint infected machines across the environment and initiate a cross-organization block.
RSA Advanced SOC Platform
- Visibility: packets, logs, endpoint, NetFlow; capture-time data enrichment.
- Analysis: investigation, session reconstruction, advanced analytics, endpoint analysis.
- Action: incident management; compliance reporting.
- RSA Live intelligence: threat intelligence, rules, parsers, feeds, reports, RSA Research.
Integrate your ECAT: layering endpoint data on top of packets and logs
Use case 1: pivot from Security Analytics to ECAT
- TCP network traffic to a suspicious location was recorded (SourceIP 10.100.161.2, DestinationIP 127.0.0.1 in the slide's example).
- Before: the analyst explores DHCP logs to identify and match the username and its assigned IP for a specific timeframe.
- After: right-click from SA to ECAT and instantly identify ALL machines that communicated with the suspicious IP; the infected endpoint (a server) is identified.
Use case 2: pivot from ECAT to Security Analytics
- Recorded network traffic to a suspicious location with an abnormal bytes-received vs. bytes-sent ratio triggers an IIOC (MachineID LT-US-HWashington, DestinationIP 8.8.8.8 in the slide's example).
- Before: pivoting to a SIEM provides some more context about the process and action.
- After: (1) right-click from ECAT to SA lands on the exact SA investigation filter; (2) reconstructing the session identifies the exact content exfiltrated.
Integrate your ECAT (cont.)
Use case 3: ingest the endpoint data feed into Security Analytics
- Network forensics (packets): destinationip, sourceip, useragentstring, HTTP Referer.
- Log management: AV_Login_attempt_Time, AV_Login_success/failure, FW_entry_src_ip.
- Endpoint data (ECAT): machine name LT-US-FWashington, machine score 1007, username FWashington, machine OS Win8.1 (VMware VDI), MAC address 01-23-45-67-89-ab.
- Combined for investigation, reporting and alerting.
Use case 4: REST API and protocol integration options: RESTful API, syslog, SMTP, RabbitMQ.
Proven and Widely Deployed Solution: 1,600+ customers worldwide; top 20 U.S. financials; 90+ countries worldwide; 70+ U.S. federal/government agencies.
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.