Intro to Niara: no-compromise behavioral analytics. Tomas Muliuolis, HPE Aruba Baltics Lead
THE SECURITY GAP: 146 days median time from compromise to discovery. [Chart: security spend on prevention & detection (US $B) against number of data breaches and % of breaches discovered internally.] Sources: Mandiant M-Trends 2016, Verizon Data Breach Investigations Report 2016, IDC 2016. 2
PROBLEM: CAUSE OF THE GAP. Attackers are quickly innovating and adapting. The battlefield: with IoT and cloud, security is borderless. 3
PROBLEM: ADDRESSING THE CAUSE. Attackers are quickly innovating and adapting, so security analytics solutions must be responsive to changes. 4
ATTACKS UTILIZING LEGITIMATE CREDENTIALS. Compromised (stolen credentials): 40 million credit cards were stolen from Target's servers. Malicious (intended to leak information): Edward Snowden stole more than 1.7 million classified documents. Negligent (all used the same password): a DDoS attack from 10M+ hacked home devices took down major websites. 5
Why Niara? ClearPass: great visibility and context, wired and Wi-Fi policies, real-time network enforcement. Niara: user and entity security, continuous behavior analytics, early attack detection. 6
ClearPass as a Security Brand. Pre-authentication: ClearPass Policy Manager, ClearPass Universal Profiler. Post-authentication: Niara. 7
USER AND ENTITY BEHAVIOR ANALYTICS
NIARA OVERVIEW. Founded 2013. Focused on solving two key problems: detecting attacks that have co-opted legitimate credentials, and reducing the time and effort required to understand and respond to attacks. Enabling technologies: big data (Spark/Hadoop) and artificial intelligence (machine learning). 9
AUTOMATED DETECTION OF THREATS INSIDE THE ORGANIZATION: attacks and risky behaviors on the inside, whether from compromised users and hosts, negligent employees, or malicious insiders. 10
THE START: USER VIEW OF EVENTS. [Figure; label: IP Address] 11
CHARACTERIZING BEHAVIOR: time of access, location, typical activity, device, duration, frequency of access. 12
BASICS OF BEHAVIORAL ANALYTICS: unsupervised machine learning builds baselines (historical + peer group) and surfaces abnormal internal resource access. 13
PEER BASELINES ACROSS MULTIPLE DIMENSIONS 15
MODEL CONFIDENCE AND BUSINESS IMPACT. [Chart: alerts plotted by model confidence against business impact] 16
FINDING THE MALICIOUS IN THE ANOMALOUS: supervised machine learning on top of the behavioral analytics, corroborated by third-party alerts (DLP, sandbox, firewalls, STIX, rules, etc.). 17
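The sequence on the preceding slides (characterize behavior by time, device and resource; baseline each user against their own history and against their peer group; rank what is abnormal by model confidence times business impact; then corroborate with third-party alerts) is shown below as one runnable scorer. This is an added example written for this page, not Niara code: the access history, the asset-criticality table, the equal feature weights and the corroboration bonus are all constructed assumptions, and the only point is to make the baseline logic concrete.

```python
"""Toy UEBA scorer: historical + peer-group baselines, ranked by confidence x impact.
Added example, not Niara code. All data below is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed access history (the "historical baseline" input).
# Each row: user, department (peer group), timestamp, source device, resource.
HISTORY = [
    {"user": "alice", "dept": "finance", "ts": "2016-09-01T09:12:00", "device": "alice-lt", "resource": "erp"},
    {"user": "alice", "dept": "finance", "ts": "2016-09-02T10:05:00", "device": "alice-lt", "resource": "erp"},
    {"user": "alice", "dept": "finance", "ts": "2016-09-03T14:40:00", "device": "alice-lt", "resource": "fileshare-fin"},
    {"user": "bob",   "dept": "finance", "ts": "2016-09-01T08:50:00", "device": "bob-lt",   "resource": "erp"},
    {"user": "bob",   "dept": "finance", "ts": "2016-09-02T16:20:00", "device": "bob-lt",   "resource": "payroll-db"},
    {"user": "carol", "dept": "eng",     "ts": "2016-09-01T22:10:00", "device": "carol-lt", "resource": "git"},
    {"user": "carol", "dept": "eng",     "ts": "2016-09-02T23:30:00", "device": "carol-lt", "resource": "build-srv"},
]

# Assumed business impact per resource (asset criticality, 0..1); unknown -> 0.5.
IMPACT = {"erp": 0.6, "fileshare-fin": 0.5, "payroll-db": 0.9, "git": 0.7,
          "build-srv": 0.4, "hr-db": 0.9}

CORROBORATION_BONUS = 0.25  # assumed weight of a third-party alert on the same entity


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def _new_baseline():
    return {"hours": set(), "devices": set(), "resources": set()}


def build_baselines(events):
    """Per-user (historical) and per-department (peer-group) baselines."""
    user = defaultdict(_new_baseline)
    peer = defaultdict(_new_baseline)
    for e in events:
        for b in (user[e["user"]], peer[e["dept"]]):
            b["hours"].add(_hour(e["ts"]))
            b["devices"].add(e["device"])
            b["resources"].add(e["resource"])
    return user, peer


def _hour_is_typical(h, seen_hours):
    """True if h is within one hour (wrapping at midnight) of a previously seen hour."""
    return any(min(abs(h - s), 24 - abs(h - s)) <= 1 for s in seen_hours)


def score_event(e, user_bl, peer_bl, third_party_alerts=frozenset()):
    """Unsupervised anomaly score (model confidence) times business impact.
    A user or department with no history gets an empty baseline, so every
    feature of its first event scores as anomalous."""
    u, p = user_bl[e["user"]], peer_bl[e["dept"]]
    features = {
        "time": 0.0 if _hour_is_typical(_hour(e["ts"]), u["hours"]) else 1.0,
        "device": 0.0 if e["device"] in u["devices"] else 1.0,
    }
    if e["resource"] in u["resources"]:
        features["resource"] = 0.0
    elif e["resource"] in p["resources"]:
        features["resource"] = 0.5  # new for this user but normal for the peer group
    else:
        features["resource"] = 1.0  # new for the user and for every peer
    confidence = sum(features.values()) / len(features)
    if e["user"] in third_party_alerts:  # DLP/sandbox/firewall hit on the same entity
        confidence = min(1.0, confidence + CORROBORATION_BONUS)
    impact = IMPACT.get(e["resource"], 0.5)
    return {**e, "features": features, "confidence": confidence,
            "impact": impact, "priority": confidence * impact}


def rank_events(new_events, history=HISTORY, third_party_alerts=frozenset()):
    """Score new events against baselines built from history, highest priority first."""
    user_bl, peer_bl = build_baselines(history)
    scored = [score_event(e, user_bl, peer_bl, third_party_alerts) for e in new_events]
    return sorted(scored, key=lambda s: s["priority"], reverse=True)


if __name__ == "__main__":
    NEW = [  # constructed events to score
        {"user": "alice", "dept": "finance", "ts": "2016-09-10T09:30:00", "device": "alice-lt", "resource": "erp"},
        {"user": "alice", "dept": "finance", "ts": "2016-09-10T03:15:00", "device": "unknown-host", "resource": "payroll-db"},
        {"user": "carol", "dept": "eng",     "ts": "2016-09-10T02:00:00", "device": "carol-lt", "resource": "hr-db"},
    ]
    for s in rank_events(NEW, third_party_alerts={"carol"}):
        print(f'{s["user"]:6} {s["resource"]:12} confidence={s["confidence"]:.2f} '
              f'impact={s["impact"]:.1f} priority={s["priority"]:.3f} {s["features"]}')
```

Two things the sample output makes visible that the slides only state: the peer-group baseline halves the resource score for Alice's first touch of payroll-db because her finance peers already use it, and a DLP hit on Carol lifts a moderately anomalous event above a highly anomalous one only because the impact of hr-db is high; without the corroborating alert the ranking flips.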
FORCE MULTIPLIER FOR SECURITY ANALYSTS: consolidated data access; rapid decision-making and action ("Have I seen this before?"); breakthrough ROI for incident investigation and threat hunting. 18
ACCELERATED INVESTIGATION AND RESPONSE Behavioral Analytics 19
ENTITY 360 SECURITY DOSSIER 20
UNUSUAL INTERNAL ACTIVITY 21
LOG DETAILS 22
NETWORK CONVERSATIONS DRILL DOWN 23
SOLUTION AT A GLANCE. Data sources: IDENTITY (NAC, AD, DHCP); INFRASTRUCTURE LOGS (DNS, firewall, proxy, VPN, email, DLP), also via SIEM/LOGGING; SaaS (Box, Office 365); IaaS (AWS, Azure); NETWORK TRAFFIC through a PACKET BROKER (packets, flows); ALERTS (endpoint, network, STIX). ANALYZER: analytics, Entity360, data fusion and forensics on a Spark/Hadoop big data platform. Output: console / workflow. 24-27
Aruba ClearPass - Niara Integration Workflow: Automated Network and Security Controls. 1. Wired/wireless device authentication (ClearPass Policy Manager). 2. Devices profiled. 3. User/device context shared with Niara. 4. Niara UEBA Analyzer runs network- and log-based machine learning over packets, flows, logs and alerts (analytics, data fusion, forensics, big data) and maintains the Entity360 profile with risk scoring. 5. Actionable alerts initiated. 6. ClearPass performs real-time policy-based actions: real-time quarantine, re-authentication, bandwidth control, blacklist, role change. www.arubanetworks.com/clearpass www.niara.com 28-30
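Steps 5 and 6 of the workflow (a risk-scored alert turns into a network action) are the part a practitioner has to get right, so here is an added example of that hop. It is not ClearPass or Niara code and the slide does not say how ClearPass reaches the network device; the example assumes the standard mechanism for a NAC to act on a live session, RADIUS Disconnect and Change-of-Authorization messages per RFC 5176, and builds and verifies those packets by hand. The risk-score thresholds, the role name "restricted-role", the shared secret and the alert contents are constructed.

```python
"""Alert-to-enforcement step of the ClearPass/Niara loop, modelled as RADIUS
Disconnect-Request / CoA-Request (RFC 5176). Added example; thresholds,
role name, secret and alert data are assumptions, not product behaviour."""
import hashlib
import hmac
import ipaddress
import struct

# RFC 5176 packet codes.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
# RADIUS attribute types (RFC 2865) used below.
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8   # IPv4 only
ATTR_FILTER_ID = 11
ATTR_CALLING_STATION_ID = 31


def choose_action(risk_score):
    """Map an Entity360-style risk score (0..100) to a policy action.
    The slide lists the actions; the thresholds here are assumed."""
    if risk_score >= 90:
        return "quarantine"
    if risk_score >= 70:
        return "role-change"
    if risk_score >= 50:
        return "reauthenticate"
    return "monitor"


def _avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value(1..253 bytes)."""
    if isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, identifier, attributes, secret):
    """Build a Disconnect-Request or CoA-Request.
    Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets
                                + attributes + shared secret)      (RFC 5176 section 2.3)"""
    body = b"".join(_avp(t, v) for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """What the network device must do before acting on a request:
    check the length field and recompute the authenticator with its own secret."""
    if len(packet) < 20:
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def enforcement_packet(alert, secret, identifier=1):
    """Turn a constructed Niara-style alert into (action, RADIUS packet or None)."""
    action = choose_action(alert["risk_score"])
    if action == "monitor":
        return action, None
    # Session identification attributes the device uses to find the client.
    session = [
        (ATTR_USER_NAME, alert["user"]),
        (ATTR_CALLING_STATION_ID, alert["mac"]),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.ip_address(alert["ip"]).packed),
    ]
    if action == "role-change":
        # CoA-Request carrying the new role as Filter-Id (assumed role name).
        return action, build_request(COA_REQUEST, identifier,
                                     session + [(ATTR_FILTER_ID, "restricted-role")], secret)
    # Quarantine and re-authentication are both modelled as a Disconnect-Request:
    # the session is torn down and the policy applied at the next authentication
    # decides what the client gets back (assumption; the slide does not say how).
    return action, build_request(DISCONNECT_REQUEST, identifier, session, secret)


if __name__ == "__main__":
    SECRET = b"s3cret"  # constructed shared secret
    ALERT = {"user": "alice", "mac": "00-11-22-33-44-55", "ip": "10.1.2.3", "risk_score": 95}
    action, pkt = enforcement_packet(ALERT, SECRET)
    print(action, pkt.hex(), verify_request(pkt, SECRET))
```

The verifier is there for a reason: a Disconnect-Request is a denial-of-service primitive if the device accepts it without checking the authenticator, so the shared secret between the policy server and each network device is part of the enforcement loop's security, not just its configuration. In production the packet goes over UDP/3799 to the device that holds the session, and the device answers with a Disconnect-ACK/NAK or CoA-ACK/NAK that the sender must also authenticate.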
UEBA INCIDENT RESPONSE ROI 31
THANK YOU!