Advanced Threat Intelligence to Detect Advanced Malware
Jim Deerman, jdeerman@isc8.com
Safe Harbor Statement
All statements included or incorporated by reference in these slides, other than statements or characterizations of historical fact, are forward looking. These forward looking statements include guidance we will provide on our future operating results as well as the prospects for our various businesses and the development and status of new products and technologies. These forward looking statements and our assumptions about the factors that influence them, are based on the limited information available to us at this date. Such information is subject to change, and we may not inform you when changes occur. We do not undertake any obligation to revise or update publicly any forward looking statement, except as required by law. Forward-looking statements are not guarantees of future results and are subject to risks, uncertainties and assumptions that are difficult to predict. Therefore, our actual results could differ materially and adversely from those described in statements you hear today as a result of various factors. We refer you to our current Form 10-K, subsequent Form 10-Qs and other filings with the SEC, which discuss some of the important risk factors that could contribute to such differences or otherwise affect our business, results of operations and financial condition.
Emergence of Modern Malware
Advanced Persistent Threats - Smart Bombs of the Cyber World
Cyber Kill Chain of APT
State of Advanced Persistent Threats (APTs)
- 416 days: median number of days that the attackers were present on a victim network BEFORE detection (1)
- 75 million: unique examples of malware in 2012 (2), growing at 50,000 / day
- 69% of APT victims are NOTIFIED BY AN EXTERNAL ENTITY, not internal detection
- 59% of enterprises are certain or fairly certain that they've been the target of an APT (3)
The New Cyber Norm
- Stealth
- Well Funded
- Black Market
- Very Knowledgeable
- Very Shrewd
- Large Numbers (and Growing)
- Multiple Enemies in Multiple Geographies
You are outnumbered and outgunned every day.
Finding Advanced Threats Has Become a Big Data Analysis Problem
- What data can be used to detect the Attacker?
- The amount of data (logs, netflows, packet capture data, ...) can be massive
- Finding an APT is about finding the malicious activity hidden in the Network
Current State of Big Data Security
- 50% COLLECT LOGS TO DETECT AND TRACK SUSPICIOUS BEHAVIOR
- 50% DON'T COMMIT OR DON'T KNOW HOW MUCH TIME THEY'VE SPENT ANALYZING THESE LOGS
- By 2016, over 40% will use datasets of at least 10TB to spot security incidents
Source: TrustWave, Finding Big Benefits in Big Data
Advanced Persistent Threats Are More Than Just Malware
APTs Are About The Attacker - Not Just The Attack
Finding an Attack is about finding the Attacker
- The Attacker may look like a normal User doing suspicious activities:
  - Where are the activities coming from?
  - When are the activities carried out?
  - What behaviors are not normal to the usage of the network or network segment?
- Must look at the network as a whole, not just the perimeter
- What data can be used to detect the Attacker? Firewall logs, IDS/IPS logs, access logs, netflow data, packet capture data, etc.
- In a medium to large network this can be massive amounts of data
- Finding APTs has become a Big Data analysis problem
How does IT Security handle this Problem?
- Is there an attack occurring?
- How do you know that you have been or are currently under attack?
- Where do you start looking?
- When did the attack start?
- How has the attacker spread malware across the network?
This Big Data problem can overwhelm the IT Security of the corporation.
Incident Detection Challenges
Which of the following challenges does your organization face when it comes to incident detection? (Percent of respondents, N=257, multiple responses accepted)
- Lack of adequate staffing in security operations/incident response team(s): 39%
- Too many false positive responses: 35%
- Incident detection depends upon too many manual processes: 29%
- Incident detection depends upon too many independent tools that aren't integrated together: 29%
- Sophisticated security events have become too hard to detect for us: 28%
- My organization lacks the right level of security analysis skills needed: 28%
- Lack of adequate data collection/monitoring in one or more critical area: 28%
- Lack of proper level of tuning of our SIEM and other security tools: 23%
Source: Enterprise Security Group, 2013
The security organization is understaffed and underskilled. Of those organizations adding IT staff in 2013, 36% plan to increase security headcount. (2) Unfortunately, this isn't easy: ESG research indicates that 83% of enterprise organizations say it is extremely difficult or somewhat difficult to recruit/hire security
The Critical Need for Network-Based Security Automation
Automation is a Force Multiplier in the Fight Against APTs and the Massive Amounts of Data Required to Detect Them
Next Gen High Fidelity Cyber Sensor
[Figure: Effective Analytics & Correlation. Source: Pacific Northwest National Laboratory]
Situational Awareness From the Network Core to the Perimeter
Complete Cyber Security network protection (from the Core to the Perimeter) is the Holy Grail of Tomorrow's CISO.
Whose Definition of Secure are You Using?
Three main trends framing the security discussion moving forward
- Advanced targeted attacks: The latest attack strategies use custom or dynamically generated malware for the initial breach and data-gathering phase. Enterprises should employ a defense-in-depth, layered approach model.
- Big data: Delivering risk-prioritized actionable insight will require security analytics as well as changes in information security technologies, integration methods and processes.
- Mobile: As focus shifts from the device to the app/data, understanding the device types and how users are using them is just as important as the user identities.
ISC8 Cyber adapt Automates the Process of Detecting APT
- Provides detection of advanced malware techniques and behavior inside a network prior to harm occurring
- Multi-event detection over time reduces false positives
- Doesn't depend on patterns that require updating as new malware is detected
- Provides tracking of malicious activity back to infected host
- Malware propagation tracking
- High bandwidth (10Gbps+) sensors to allow monitoring internal to the network
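As an added illustration (not ISC8's code or anything from the deck), the following Python correlator applies the where/when/what-is-normal questions from the "Finding an Attack is about finding the Attacker" slide together with this slide's multi-event-over-time and trace-back-to-infected-host ideas to a handful of constructed netflow-style records; the addresses, the known-destination baseline and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not from the deck): (timestamp, src, dst, dst_port).
FLOWS = [
    ("2013-05-01T02:10:00", "10.0.1.15", "203.0.113.9", 443),  # off-hours beacon to unknown external host
    ("2013-05-01T02:11:00", "10.0.1.15", "10.0.1.16", 445),    # then SMB fan-out across the segment
    ("2013-05-01T02:11:05", "10.0.1.15", "10.0.1.17", 445),
    ("2013-05-01T02:11:10", "10.0.1.15", "10.0.1.18", 445),
    ("2013-05-01T03:00:00", "10.0.1.16", "203.0.113.9", 443),  # a host it touched now beacons too
    ("2013-05-01T03:01:00", "10.0.1.16", "10.0.1.19", 445),
    ("2013-05-01T03:01:05", "10.0.1.16", "10.0.1.20", 445),
    ("2013-05-01T03:01:10", "10.0.1.16", "10.0.1.21", 445),
    ("2013-05-01T23:30:00", "10.0.1.22", "203.0.113.9", 443),  # a single odd event: not enough to alert
]
KNOWN_EXTERNAL = {"198.51.100.4"}  # constructed baseline of external destinations seen before

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def is_internal(ip):
    return ip.startswith("10.")

def detect_events(flows, fanout=3, window_s=60):
    """Per-host behaviour events: WHERE (unknown external) + WHEN (off hours), and internal fan-out."""
    events, recent = defaultdict(set), defaultdict(list)  # host -> event types; host -> (time, dst)
    for ts, src, dst, port in flows:
        t = parse(ts)
        if not is_internal(dst) and dst not in KNOWN_EXTERNAL and not 7 <= t.hour < 19:
            events[src].add("off_hours_unknown_external")
        if is_internal(dst) and port == 445:
            recent[src] = [(rt, d) for rt, d in recent[src] if (t - rt).total_seconds() <= window_s]
            recent[src].append((t, dst))
            if len({d for _, d in recent[src]}) >= fanout:
                events[src].add("internal_fanout")
    return events

def alerts(events, min_types=2):
    """Alert only on hosts showing several independent behaviours: multi-event correlation over time."""
    return sorted(h for h, kinds in events.items() if len(kinds) >= min_types)

def propagation(flows, alerted):
    """Edges A->B: alerted host A contacted alerted host B before B's own first activity."""
    first_active = {}
    for ts, src, _, _ in flows:
        first_active.setdefault(src, parse(ts))
    return sorted({(s, d) for ts, s, d, _ in flows
                   if s in alerted and d in alerted and s != d and parse(ts) < first_active[d]})
```

Running `alerts(detect_events(FLOWS))` flags only the two hosts that show both behaviours, and `propagation(FLOWS, ...)` returns the single edge from the first infected host to the one it reached over SMB, while the lone off-hours connection from 10.0.1.22 never becomes an alert.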