Proactive Defense with Automated First Responder (AFR) Anuj Soni Jason Losco

Similar documents
RSA INCIDENT RESPONSE SERVICES

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

RSA INCIDENT RESPONSE SERVICES

RSA NetWitness Suite Respond in Minutes, Not Months

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

PALANTIR CYBERMESH INTRODUCTION

Managed Endpoint Defense

Unlocking the Power of the Cloud

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Novetta Cyber Analytics

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Continuous protection to reduce risk and maintain production availability

TRUE SECURITY-AS-A-SERVICE

McAfee Public Cloud Server Security Suite

CYBER RESILIENCE & INCIDENT RESPONSE

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

BUILT TO STOP BREACHES. Cloud-Delivered Endpoint Protection

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Fidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SentinelOne Technical Brief

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Enterprise Situational Intelligence

McAfee Endpoint Threat Defense and Response Family

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Fast Incident Investigation and Response with CylanceOPTICS

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

BUILDING AND MAINTAINING SOC

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

SIEM: Five Requirements that Solve the Bigger Business Issues

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

Put an end to cyberthreats

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Reducing the Cost of Incident Response

Combatting advanced threats with endpoint security intelligence

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

MANAGED DETECTION AND RESPONSE

SentryWire Next generation packet capture and network security.

SentryWire Next generation packet capture and network security.

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Trend Micro Deep Discovery for Education. Identify and mitigate APTs and other security issues before they corrupt databases or steal sensitive data

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

भ रत य ररज़र व ब क. Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

Transforming Security from Defense in Depth to Comprehensive Security Assurance

NIST Special Publication

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

Advanced Threat Hunting:

Advanced Threat Protection Buyer s Guide GUIDANCE TO ADVANCE YOUR ORGANIZATION S SECURITY POSTURE

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Deep Instinct v2.1 Extension for QRadar

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

The New Era of Cognitive Security

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

THE ACCENTURE CYBER DEFENSE SOLUTION

Building a Threat-Based Cyber Team

CYBER ANALYTICS. An Advanced Network- Traffic Analytics Solution

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

Be effective in protecting against the cybercrime

Speed Up Incident Response with Actionable Forensic Analytics

Are we breached? Deloitte's Cyber Threat Hunting

align security instill confidence

THE CYBERX PLATFORM: PROTECT YOUR PEOPLE, PRODUCTION, AND PROFITS HIGHLIGHTS SOLUTION BRIEF

esendpoint Next-gen endpoint threat detection and response

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

ADVANCED THREAT HUNTING

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Endpoint Security for the Enterprise. Multilayered Defense for the Cloud Generation FAMILY BROCHURE

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

SIEMLESS THREAT MANAGEMENT

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

locuz.com SOC Services

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Sustainable Security Operations

RiskSense Attack Surface Validation for IoT Systems

100% Endpoint Protection dank Machine Learning, EDR & Deception?

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response

WHITEPAPER. Lookout Mobile Endpoint Security for App Risks

Best Practices in Healthcare Risk Management. Balancing Frameworks/Compliance and Practical Security

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

SIEMLESS THREAT DETECTION FOR AWS

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

Cyber Analyst Academy. Closing the Cyber Security Skills Gap.

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

Managing Microsoft 365 Identity and Access

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER

SIEM Solutions from McAfee

Power of the Threat Detection Trinity

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Empower stakeholders with single-pane visibility and insights Enrich firewall security data

Transcription:

Proactive Defense with Automated First Responder (AFR) Anuj Soni Jason Losco July 18, 2013

Combating increasingly sophisticated attackers requires a proactive cyber program incorporating diverse solution sets How serious is the problem? How does my posture compare to that of my industry peers? Is my sector/industry being targeted, and if so why and how? Are my existing detection and response capabilities sufficient? Are my networks and systems current compromised or under attack? How can we optimize our existing people, processes, and technologies? How do we attract, retain, and develop staff with the right skills? What tactical and strategic responses can I implement? Where do I begin? Identify Analyze Remediate Optimize Prevent 2

Comprehensive risk mitigation requires a cohesive strategy integrating both tactical and strategic solutions Cohesive Strategy Threat Risk Mitigation Approach Two-pronged Approach Tactical Solutions Strategic Solutions Proactive Threat Identification (PTI) Identify Compromises Identify Intrusion Risk Factors Remediation Coordinated Counterstrike Continuous Assessment 3 3

Our Proactive Threat Identification offering is based on Hunt methodologies refined through analysis of data from millions of hosts APT Discovery & Hunt Iterative phases of analysis and refinement to pinpoint specific APT indicators and behaviors: Host based indicator analysis Binary code analysis Digital forensics analysis Network analysis Refinement Development of site specific indicators Enhancements to Network Security Controls Data Collection Host based indicators Configuration files Registry settings Data Analysis Statistical analysis Comparison against known indicators of compromise Refinement enables the discovery of: Unauthorized system or network access Malware on other systems on the network Variants of the malware already discovered Attack vectors Network Analysis Log analysis Traffic analysis Targeted Threat Mitigation Forensic Analysis Code Analysis Static analysis Dynamic analysis Reverse engineering Results in Tactical and Strategic mitigation of targeted threats to the enterprise Behavioral analysis Timeline analysis Exfiltration analysis 4

Automated First Responder (AFR) helps us rapidly detect malware and triage hosts Utilizes statistical analysis to identify malware Focused on detecting anomalies rather than signatures Software Distribution Server Booz Allen Cloud Reference Architecture 1 3 Big Data Analytic Environment Analyst Analyst Enterprise Workstations/Servers 2 Collection Server

AFR is a flexible, scalable, lightweight toolset Collects data including activity, persistence, investigative info and risk factors Non-persistent agent, no installation required Scalable deployed to networks with >400k hosts Combines benefits of automated analysis and human intelligence Easily modifiable as attacker tactics change Execution occurs in background with no impact to user experience Lightweight AFR Type Average File Size Storage per 20,000 units Workstation 160 KB ~ 3GB Server 134 KB ~ 2.5 GB User 43 KB ~ 1GB

Executive Dashboard

Alerts Dashboard

Alerts Svchost Drill Down ftpsvc ftpsvc secsvcs bthsvcs WinDefend;svcz bthserv Observation Notes

Indicators Run Keys Drill Down SYS_RUNKEYS;FileViewer;C:\Users\cbrown\AppData\Local\diwox\wlduirowz.exe; wlduirowz.exe;nada;13/07/10_16:06;13/07/10_14:12; C:\Users\cbrown\AppData\diwox\wlduirowz.exe;a8d0c2f5e2b25610480c1e9f4c25ed

AFR Automated Ingest and Analytics Pipeline AFR Collections Hadoop Environment Accumulo Analytics Collection Server Storm Topologies Auto-generated Alerts

Kaizen: CTF event hosted by Booz Allen Hamilton Wednesday, July 31, 2013 2:15pm-6:00pm Milano Ballroom III, Caesars Palace

Kaizen: CTF event hosted by Booz Allen Hamilton Wednesday, July 31, 2013 2:15pm-6:00pm Milano Ballroom III, Caesars Palace

Contact Information Anuj Soni Lead Associate Booz Allen Hamilton Booz Allen Hamilton, Inc. soni_anuj@bah.com Jason Losco Associate Booz Allen Hamilton Booz Allen Hamilton, Inc. losco_jason@bah.com

Questions & Answers T O JOIN THE BLACK HAT MAILING LIST, EMAIL BH LIST TO: FEEDBACK@ BLACKHAT. COM T O JOIN OUR LINKEDI N GROUP: HTTP://WWW. LINKEDIN. COM/ GROUPS? GID=37658&TRK= HB_ SIDE_ G T O FOLLOW BLACK HAT ON TWITTER: HTTPS://TWITTER. COM/BLACKHATEVENTS B LACK HAT S F ACEBOOK FAN PAGE: HTTP://WWW. FACEBOOK. COM/ BLACKHAT F IND OUT MORE AT WWW. BLACKHAT. COM N EXT WEBCAST: AUGUST 15: BLACK HAT USA HIGHLIGHTS F OR MORE INFORMATION, VISIT WWW. BOOZALLEN. COM

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback