Optimizing Security for Situational Awareness

Similar documents
Top 10 use cases of HP ArcSight Logger

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

RSA Security Analytics

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Network Security: Firewall, VPN, IDS/IPS, SIEM

RSA NetWitness Suite Respond in Minutes, Not Months

Un SOC avanzato per una efficace risposta al cybercrime

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Compare Security Analytics Solutions

McAfee Advanced Threat Defense

Behavioral Analytics A Closer Look

Not your Father s SIEM

Intelligent and Secure Network

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

Connection Logging. Introduction to Connection Logging

Sourcefire Network Security Analytics: Finding the Needle in the Haystack

Connection Logging. About Connection Logging

CloudSOC and Security.cloud for Microsoft Office 365

SIEM: Five Requirements that Solve the Bigger Business Issues

Cisco s Appliance-based Content Security: IronPort and Web Security

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis

Security Information Managers: State of the Art. Joel M Snyder Senior Partner Opus One

SIEM Solutions from McAfee

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cisco Cyber Threat Defense Solution 1.0

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

McAfee Cloud Workload Security Product Guide

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

CyberArk Privileged Threat Analytics

THE PIONEER IN REAL-TIME CYBER SITUATIONAL AWARENESS

IBM services and technology solutions for supporting GDPR program

Building Resilience in a Digital Enterprise

Imperva Incapsula Website Security

Datacenter Security: Protection Beyond OS LifeCycle

Seceon s Open Threat Management software

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Trend Micro Deep Discovery and Custom Defence

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Cisco Firepower NGFW. Anticipate, block, and respond to threats

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

IBM Next Generation Intrusion Prevention System

Agile Security Solutions

Security, Internet Access, and Communication Ports

Dynamic Datacenter Security Solidex, November 2009

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0

COMPUTER NETWORK SECURITY

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7

Integrated, Intelligence driven Cyber Threat Hunting

with Advanced Protection

THE EVOLUTION OF SIEM

ForeScout Agentless Visibility and Control

Combating APTs with the Custom Defense Solution. Hans Liljedahl Peter Szendröi

Incident Response Agility: Leverage the Past and Present into the Future

RSA IT Security Risk Management

PULLING OUR SOCS UP VODAFONE GROUP AT RSAC Emma Smith. Andy Talbot. Group Technology Security Director Vodafone Group Plc

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

Network Security. Thierry Sans

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Trend Micro and IBM Security QRadar SIEM

BUILDING AND MAINTAINING SOC

Cisco Firepower NGFW. Anticipate, block, and respond to threats

McAfee Total Protection for Data Loss Prevention

Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

McAfee Endpoint Threat Defense and Response Family

Security Information & Event Management (SIEM)

Security. Risk Management. Compliance.

Make Cloud the Most Secure Environment for Business. Seth Hammerman, Systems Engineer Mvision Cloud (formerly Skyhigh Networks)

Security, Internet Access, and Communication Ports

Integrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation

the SWIFT Customer Security

10 FOCUS AREAS FOR BREACH PREVENTION

WHITE PAPER HIGH-FIDELITY THREAT INTELLIGENCE: UNDERSTANDING FALSE POSITIVES IN A MULTI-LAYER SECURITY STRATEGY

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

AT&T Endpoint Security

locuz.com SOC Services

Security, Internet Access, and Communication Ports

The following topics describe how to configure correlation policies and rules.

Speed Up Incident Response with Actionable Forensic Analytics

Novetta Cyber Analytics

Cisco Threat Awareness Service - Quick Start Guide. Last Updated: 16/06/16

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

SentinelOne Technical Brief

ADVANCED, UNKNOWN MALWARE IN THE HEART OF EUROPE

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Mapping BeyondTrust Solutions to

Proactive Approach to Cyber Security

UNIFICATION OF TECHNOLOGIES

Transcription:

Optimizing Security for Situational Awareness BRIAN KENYON McAfee Session ID: SPO1-106 Session Classification: Intermediate

p gg able=network_objects, Operation=Update,Administrator=fwadmin, Machine=cp-mgmt- Machine=cp-mgmt-station, ClientType= ClientType=Policy Editor SessionId=Modification Info: ipaddr: changed from Viewer, Info=connected with user pas 5.3' on,clienttype=policy to '10.10.5.7' Editor SessionId=Modification Info: ipaddr: changed from '10.10.5.3' to '10.10.5.7' Info=connected %PIX-4-106023: with Deny user protocol password src [in %PIX-4-106023: interface]:[src_address/src_port] Deny protocol ds :54 gw.foobar.com %PIX-4-400027: IDS:3041 TCP 356.884.146.12 rule 1514:55:20 accept [inboundinterface]:[src_address/src_port] outbound-interface: dst_address/dst_ s from 10.121.146.23 to 356.512.10.2 on gw.foobar.com >eth1 product VPN-1 & {type}, code {code}] by access_group tside list-name 16 drop gw.foobar.com product VPN-1 & ll-1,kent,userk,,,,,,,16777216, re,,,,,,,,,,savprod,{ 026-356005616892 026-356005616892 },End },End,0:0:0:0:0:0,9.0.0.338,0:0:0:0:0:0,9.0.0.338 Oct 17 10:00:26, Src 66.55.23.4, s_port 4523, dst 192.168.46.15, service smtp, proto tcp, xlatesrc lassification: Attempted formation Leak] [Priority: 2] /06-8:14:09.082119 2.168.1.167:1052 -> 356.884.146.12 rule 1514:55:20 accept gw.foobar.com >eth1 product product VPN-1 VPN-1 & 689.432.146.12 s_port 235.001.10.2 service ms- Oct 17 10:00:27, Application=smtp, Event='Email Status', From=billf1223@gmail.com, size=25140, source=(66.55.23.4), reputation=49, tls=1 src 10.5.5.1 s_port 4523 dst 789.105.10.2 service http proto tcp xlatesrc r 5 07:12:50 10.87.62.40 %PIX-5-304001: 10.5.5.1 cessed URL 2.54.10.2:/aharrison@awod.com?on_url=http://785.131.1 2/scripts/..%%35c../winnt/system32/cmd.exe?/c+ e?/c+ 10/17/2011 10:00:27, TRAFFIC, end, 66.55.23.4, 192.168.46.15, Monitor SPAN Port, Tap Zone, ethernet1/12, 83752, 1, 59404, 25, tcp, allow, any OperationTime=Thu Dec 13 15:00:48 2002, ObjectName=Sanitized-Router,ObjectType=host_plain, Router,ObjectType=host_plain, ObjectTable=network_objects, ObjectTable=network_objects, Operation=Update,Administrator=fwadmin, Machine=cp-mgmt-station,ClientType=Policy Editor SessionId=Modification Info: ipaddr: changed from '10.10.5.3' to '10.10.5.7' 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & 14:53:16 drop gw.foobar.com >eth0 >eth0 product VPN-1 & "Block Windows File Sharing"" blocked (192.168.1.54,netbiosssn(139)). Inbound TCP connection 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Dec 19 04:40:54 gw.foobar.com %PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 10.121.146.23 to 356.512.10.2 on interface outside %PIX-4-106023: Deny protocol src [inbound- interface]:[src_address/src_port] dst outbound-interface: dst_address/dst_port [type {type}, code {code}] by access_group access-list-name src 10.5.5.1 s_port 4523 dst 789.105.10.2 service http proto tcp xlatesrc 356.884.146.12 rule 1514:55:20 accept gw.foobar.com >eth1 product VPN-1 & Firewa 10/17/2011 10:02:52 PM, (detection Deleted (detection isn't isn't cleanable), W7MANG\host35 C:\Program Files\VMware\Infrastructure \Virtual Infrastructure Client\4.1\vmware-vmrc.exe, C:\Users\brogers\Desktop\45 5_23_setup.exe Generic.dx!bbfq 3/6/2011 8:14:0 (192.168.1.54,n (192.168.1.54,n is(kent(172.30. is(192.168.1.54 [**] [1:1407:9] SNMP trap udp [**] [Classification: [Classification: Attempted Attempted Information Information Leak] Leak] [Priority: 2] 03/06-8:14:09.082119 192.168.1.167:1052 -> 172.30.128.27:162 UDP TTL:118 TOS:0x0 ID:29101 IpLen:20 DgmLen:8

What is SIEM? SIEM the Evolution & Integration of Two Distinct Technologies Security Event Management (SEM) Primarily focused on Collecting and Aggregating Security Events Security Information Management(SIM) Primarily focused on the Enrichment, Normalization, and Correlation of Security Events Security Information & Event Management is a Set of Technologies for: Log Data Collection Correlation Aggregation Normalization Retention Analysis and Workflow Three Major Factors Driving the Majority of SIEM Implementations Real Time Security 1 Threat 2 Operational 3 Visibility Efficiency Compliance and/or Log Management Requirements 3

The SIEM Catch 22 80% of threats come from insiders Source: Forrester, Verizon 39% of threats target software, applications, and services 66% of those involved did not know the data was on the system To address these concerns, there is a need to monitor and analyze more data However, there is already too much data for other SIEMs 4

SIEM is Still Evolving Beyond Logs What else happened at this time? Near this time? What is the time zone? What is this service? What other messages did it produce? What other systems does it run on? DNS name, Windows name, Other names? Whois info? Organization owner? Where does the IP originate from (geo location info)? What else happened on this host? Which other hosts did this IP communicate with? What is the hosts IP address? Other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits? Who is this user? What is the users access-level? What is the users real name, department, location? What other events from this user? What does this number mean? s this documented somewhere? What is this port? Is this a normal port for this service? What else is this service being used for?

SIEM is Still Evolving To SIEM Content Awareness (Next Generation SIEM) Content Awareness is Understanding the Payload at the Application Layer WebMail Email IM, Chat Web Access (HTTP) P2P File Sharing Protocol Anomalies

SIEM is Still Evolving To Log Sources HRMS Identity Management HR ID Access Rights SIEM Identity Matching Behavior Profiling Event & Risk Analysis

Broad Content and Context Correlation Application Contents Authenticati on & IAM Events from Security Devices Device & Application Log Files User Identity Malware Viruses Trojans Insider Threats Advanced Threats Exploits Database Transactions OS events VA Scan Data Location

Benefits of Content Awareness Visibility into the network Complement logs Data leak monitoring Advanced threat detection Malware, bots, client-side attacks, APTs Network Forensics Security Policy Violations Technology Highlights Protocol Classification Deep Packet Inspection Application Discovery Document Discovery Document Reconstruction Session Replay

The Requirements Threat Intelligence High Performance Database Next Generation SIEM 010011 100 1001 100110 11 100 1 110 10 010011 001 100 1101 10101 110 1 EVENT LOG CONTEXT CONTENT AUDIT COMP. Advanced Correlation 010011 100 1001 100110 11 100 1 110 10 010011 001 100 1101 10101 110 1 Real Time Command RULES / STATISTICS

The Requirements Threat Intelligence High Performance Database Next Generation SIEM 010011 100 1001 100110 11 100 1 110 10 010011 001 100 1101 10101 110 1 EVENT LOG CONTEXT CONTENT AUDIT COMP. Advanced Correlation 010011 100 1001 100110 11 100 1 110 10 010011 001 100 1101 10101 110 1 Real Time Command RULES / STATISTICS 1 SEEK 2 ANALYZE 3 PREVENT 4 ERADICATE

p gg able=network_objects, Operation=Update,Administrator=fwadmin, Machine=cp-mgmt- Machine=cp-mgmt-station, ClientType= ClientType=Policy Editor SessionId=Modification Info: ipaddr: changed from Viewer, Info=connected with user pas 5.3' on,clienttype=policy to '10.10.5.7' Editor SessionId=Modification Info: ipaddr: changed from '10.10.5.3' to '10.10.5.7' Info=connected %PIX-4-106023: with Deny user protocol password src [in %PIX-4-106023: interface]:[src_address/src_port] Deny protocol ds :54 gw.foobar.com %PIX-4-400027: IDS:3041 TCP 356.884.146.12 rule 1514:55:20 accept [inboundinterface]:[src_address/src_port] outbound-interface: dst_address/dst_ s from 10.121.146.23 to 356.512.10.2 on gw.foobar.com >eth1 product VPN-1 & {type}, code {code}] by access_group tside list-name 16 drop gw.foobar.com product VPN-1 & ll-1,kent,userk,,,,,,,16777216, re,,,,,,,,,,savprod,{ 026-356005616892 026-356005616892 },End },End,0:0:0:0:0:0,9.0.0.338,0:0:0:0:0:0,9.0.0.338 Oct 17 10:00:26, Src 66.55.23.4, s_port 4523, dst 192.168.46.15, service smtp, proto tcp, xlatesrc lassification: Attempted formation Leak] [Priority: 2] /06-8:14:09.082119 2.168.1.167:1052 -> 356.884.146.12 rule 1514:55:20 accept gw.foobar.com >eth1 product product VPN-1 VPN-1 & 689.432.146.12 s_port 235.001.10.2 service ms- Oct 17 10:00:27, Application=smtp, Event='Email Status', From=billf1223@gmail.com, size=25140, source=(66.55.23.4), reputation=49, tls=1 src 10.5.5.1 s_port 4523 dst 789.105.10.2 service http proto tcp xlatesrc r 5 07:12:50 10.87.62.40 %PIX-5-304001: 10.5.5.1 cessed URL 2.54.10.2:/aharrison@awod.com?on_url=http://785.131.1 2/scripts/..%%35c../winnt/system32/cmd.exe?/c+ e?/c+ 10/17/2011 10:00:27, TRAFFIC, end, 66.55.23.4, 192.168.46.15, Monitor SPAN Port, Tap Zone, ethernet1/12, 83752, 1, 59404, 25, tcp, allow, any OperationTime=Thu Dec 13 15:00:48 2002, ObjectName=Sanitized-Router,ObjectType=host_plain, Router,ObjectType=host_plain, ObjectTable=network_objects, ObjectTable=network_objects, Operation=Update,Administrator=fwadmin, Machine=cp-mgmt-station,ClientType=Policy Editor SessionId=Modification Info: ipaddr: changed from '10.10.5.3' to '10.10.5.7' 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & 14:53:16 drop gw.foobar.com >eth0 >eth0 product VPN-1 & "Block Windows File Sharing"" blocked (192.168.1.54,netbiosssn(139)). Inbound TCP connection 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Dec 19 04:40:54 gw.foobar.com %PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 10.121.146.23 to 356.512.10.2 on interface outside %PIX-4-106023: Deny protocol src [inbound- interface]:[src_address/src_port] dst outbound-interface: dst_address/dst_port [type {type}, code {code}] by access_group access-list-name src 10.5.5.1 s_port 4523 dst 789.105.10.2 service http proto tcp xlatesrc 356.884.146.12 rule 1514:55:20 accept gw.foobar.com >eth1 product VPN-1 & Firewa 10/17/2011 10:02:52 PM, (detection Deleted (detection isn't isn't cleanable), W7MANG\host35 C:\Program Files\VMware\Infrastructure \Virtual Infrastructure Client\4.1\vmware-vmrc.exe, C:\Users\brogers\Desktop\45 5_23_setup.exe Generic.dx!bbfq 3/6/2011 8:14:0 (192.168.1.54,n (192.168.1.54,n is(kent(172.30. is(192.168.1.54 [**] [1:1407:9] SNMP trap udp [**] [Classification: [Classification: Attempted Attempted Information Information Leak] Leak] [Priority: 2] 03/06-8:14:09.082119 192.168.1.167:1052 -> 172.30.128.27:162 UDP TTL:118 TOS:0x0 ID:29101 IpLen:20 DgmLen:8

Oct 17 10:00:27, Oct 17 10:00:27, Application=smtp, Application=smtp, Event='Email Status', Event='Email Status', From=billf1223@gmail.com, From=billf1223@gmail.com, size=25140, size=25140, source=(66.55.23.4), source=(66.55.23.4), reputation=49, tls=1 reputation=49, tls=1 10/17/2011 10:00:27, TRAFFIC, end, 10:00:27, 66.55.23.4, 10/17/2011 TRAFFIC, end, Monitor 66.55.23.4, 192.168.46.15, 192.168.46.15, Monitor SPAN SPAN Port, Port,TapTap Zone, Zone, ethernet1/12, 1, ethernet1/12,83752, 83752, 1, 59404, tcp,allow, allow, any 59404, 25, 25, tcp, any 10/17/2011 10:02:52 PM, PM, 10/17/2011 10:02:52 Deleted (detection isn't Deleted (detection isn't cleanable), W7MANG\host35 cleanable), W7MANG\host35 C:\Program Files\VMware\Infrastructure C:\Program \Virtual Infrastructure Files\VMware\Infrastructur Client\4.1\vmware-vmrc.exe, e\virtual Infrastructure C:\Users\brogers\Desktop\45 5_23_setup.exe Client\4.1\vmwareGeneric.dx!bbfq vmrc.exe, C:\Users\brogers\Desktop\4 55_23_setup.exe Generic.dx!bbfq OctOct 171710:00:26, Src 10:00:26, Src 66.55.23.4, s_port 4523, 66.55.23.4, s_port 4523, 192.168.46.15, service dstdst 192.168.46.15, service smtp, proto tcp, xlatesrc smtp, proto tcp, xlatesrc RESPOND

Content-Aware Forensics & Correlated Breach Discovery A user receives an email with an attachment from an external source identified in the GTI blacklist as a malicious host. The HIPS agent running on the local host generates an alert claiming to have identified an unwanted application however due to UAC, the threat failed to be quarantined or deleted. Potential Compromised Endpoint Suspected Malware Infection The compromised system is next seen having failed multiple authentication attempts to a trusted enterprise host. Further investigation reveals that over the past 6 months, several other endpoints have exhibited a similar behavior; Communicating with a known malicious host via email, failing a remediation attempt and launching a subsequent brute force attack against neighboring enterprise systems.. Long-Term Situational Awareness Attack Proliferation 14

Real Time Security Intelligence Enrichment Threat Scoring Enrich from Enterprise Sources Enrich from Threat Feeds (GTI, SANS, etc.) User/Identity Normalization Advanced Vulnerability Feeds Data Source Reputation Accurate Risk Scores Correlation Engines Accurate Threat Correlation Risk Correlation Historical Correlation

Apply These Key Takeaways SIEM functionality can now deliver true situational awareness Assess your specific needs (security, compliance, or both) Centralized or distributed needs Network, endpoints, and cloud feeds benefitting all points of risk with intelligent information Identify critical assets and prioritize Start with a small or incremental project Look for compliance budget to fund your security needs 16

Thank You For Your Time Questions 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback