Behavioral Analytics A Closer Look

SESSION ID: GPS2-F03
Behavioral Analytics: A Closer Look
Mike Huckaby, VP, Global Systems Engineering, RSA

"The world is full of obvious things which nobody by any chance ever observes." (Sherlock Holmes)

Patterns: Signal and the Noise

Agenda
- UBA / UEBA defined
- Practical uses today
- What does the future hold?

Attackers are Outpacing Defenders
[Chart: percent of breaches where time to compromise (red) and time to discovery (blue) was "days or less", plotted per year from 2004 to 2013; the attacker-capability curve (time to compromise) runs well ahead of the defender curve (time to discovery). Source: Verizon 2014 Data Breach Investigations Report.]
Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required

Defender's Challenges
- The attack surface is expanding
- Attackers are becoming more sophisticated
- Existing strategies and controls are failing
- Security teams need comprehensive visibility from endpoint to cloud
- Teams need to increase experience and efficiency
- Tools and processes must adapt to today's threats

Evolution of Threat Actors & Detection Implications
[Three-stage build of one diagram: threat actors send malicious traffic through the firewall, IDS/IPS and antivirus toward corporate assets; what the preventative controls do not filter is the "whitespace" in which successful hacks, attacks and campaigns land.]
At first, there were HACKS. Preventative controls filter known attack paths; successful hacks pass through the whitespace to corporate assets.
Then, ATTACKS. Despite increased investment in controls, including SIEM (more logs, blocked sessions, alerts), successful attacks still reach corporate assets through the whitespace.
Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session (logs, endpoint visibility, network visibility, advanced analytics) is required to eradicate the attacker's opportunity: a unified platform for advanced threat detection and investigations.

Behavior what?
UBA: the general term, used in both fraud and security.
UEBA: analysis on users and entities.
Underpinned by algorithms and machine learning.

Visibility & Analytics
- User behavior: anomalous logins; suspect access patterns; suspicious tools (living off the land); anomalous usage
- Malware behavior: suspicious domains; mechanized activity
- Campaign detection: related entities; related indicators; related behaviors

A Typical Attack Utilizing C2
1. Spear-phishing email with a link to a malicious URL
2. User clicks the link
3. Dropper is downloaded
4. Dropper downloads Gh0st RAT
5. C2 beaconing (Gh0st protocol) to the attacker-owned control server (client): "Command? Command? COMMAND."
6. Attacker-issued command
Command examples: capture webcam, download file, upload file, keystroke logging, remove existing rootkits, remote shell, system inventory.

Spotting a C2 Exploit Early
- Real-time analytics: data-science algorithms score multiple C2 behavior indicators, using streaming HTTP activity
- Low false positives: learns from ongoing and historical activity; supervised whitelisting option
Leading indicators of a planned C2 exploit: beaconing behavior, rare domains, rare user agents, missing referrers, domain age (WHOIS), suspicious domains. The indicators are combined into an aggregate score.

Workflow for Investigating a C2 Exploit
1. High risk score indicating a C2 exploit
2. Activities indicating, and used to calculate, the risk score of the C2 exploit
3. Network session details: enable the analyst to pivot into the associated network sessions
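The two slides above describe the C2 scoring and the investigation workflow in outline only. The following is an added example, not RSA's code and not how RSA Security Analytics implements it, showing how the listed indicators (beaconing regularity, rare domain, rare user agent, missing referrer, domain age) can be turned into a per-(source, domain) aggregate score with the contributing sessions kept for the analyst's pivot. The proxy records, the weights, the `domain_age_days` field (standing in for a WHOIS enrichment the collector would perform) and the allowlist are all assumptions constructed for the example:

```python
# Added example (not RSA's code): aggregate a C2 risk score per (source host, domain)
# from HTTP proxy records, using the leading indicators named on the slide.
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy records (not real traffic). "domain_age_days" stands in for a
# WHOIS lookup that a real pipeline would do at enrichment time (assumption).
RECORDS = [
    # 10.0.0.5 beacons to a 12-day-old domain every ~60 s, old IE user agent, no referrer
    *[{"ts": ts, "src": "10.0.0.5", "host": "upd-cdn-x7.example",
       "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "referer": "",
       "domain_age_days": 12}
      for ts in ("2015-04-21T09:00:00", "2015-04-21T09:01:01", "2015-04-21T09:02:00",
                 "2015-04-21T09:03:01", "2015-04-21T09:04:00")],
    # Ordinary browsing from several hosts for contrast
    {"ts": "2015-04-21T09:00:30", "src": "10.0.0.5", "host": "www.example.org",
     "ua": "Mozilla/5.0 Chrome/41.0", "referer": "", "domain_age_days": 4000},
    {"ts": "2015-04-21T09:07:12", "src": "10.0.0.5", "host": "www.example.org",
     "ua": "Mozilla/5.0 Chrome/41.0", "referer": "https://www.example.org/", "domain_age_days": 4000},
    {"ts": "2015-04-21T09:03:00", "src": "10.0.0.6", "host": "www.example.org",
     "ua": "Mozilla/5.0 Chrome/41.0", "referer": "https://www.example.org/", "domain_age_days": 4000},
    {"ts": "2015-04-21T09:05:45", "src": "10.0.0.7", "host": "www.example.org",
     "ua": "Mozilla/5.0 Chrome/41.0", "referer": "https://www.example.org/", "domain_age_days": 4000},
    {"ts": "2015-04-21T09:02:10", "src": "10.0.0.6", "host": "mail.example.org",
     "ua": "Mozilla/5.0 Chrome/41.0", "referer": "", "domain_age_days": 4000},
    {"ts": "2015-04-21T09:20:33", "src": "10.0.0.6", "host": "mail.example.org",
     "ua": "Mozilla/5.0 Chrome/41.0", "referer": "", "domain_age_days": 4000},
]

# Assumed weights; a production system would tune these against a labelled baseline.
WEIGHTS = {"beaconing": 30, "rare_domain": 20, "rare_user_agent": 15,
           "missing_referrer": 15, "young_domain": 20}


def beaconing_score(timestamps, min_requests=4, regular_cv=0.15, loose_cv=0.5):
    """A low coefficient of variation of the inter-request gap means a timer, not a person."""
    if len(timestamps) < min_requests:
        return 0.0
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return 0.0
    cv = statistics.stdev(gaps) / mean
    return 1.0 if cv < regular_cv else 0.5 if cv < loose_cv else 0.0


def young_domain_score(age_days):
    """Freshly registered domains are a classic C2 tell; age comes from WHOIS enrichment."""
    if age_days is None:
        return 0.0
    return 1.0 if age_days < 30 else 0.5 if age_days < 90 else 0.0


def score_c2(records, allowlist=frozenset()):
    """Return [{src, host, score, indicators, sessions}], highest score first.

    'allowlist' is the supervised whitelisting hook: domains an analyst has vetted are skipped.
    """
    pairs = defaultdict(list)
    srcs_per_domain = defaultdict(set)   # how many hosts talk to each domain (rarity)
    srcs_per_ua = defaultdict(set)       # how many hosts present each user agent (rarity)
    for r in records:
        if r["host"] in allowlist:
            continue
        pairs[(r["src"], r["host"])].append(r)
        srcs_per_domain[r["host"]].add(r["src"])
        srcs_per_ua[r["ua"]].add(r["src"])

    results = []
    for (src, host), recs in pairs.items():
        recs.sort(key=lambda r: r["ts"])
        stamps = [datetime.fromisoformat(r["ts"]) for r in recs]
        indicators = {
            "beaconing": beaconing_score(stamps),
            "rare_domain": 1.0 if len(srcs_per_domain[host]) == 1 else 0.0,
            "rare_user_agent": 1.0 if any(len(srcs_per_ua[r["ua"]]) == 1 for r in recs) else 0.0,
            "missing_referrer": sum(1 for r in recs if not r["referer"]) / len(recs),
            "young_domain": young_domain_score(recs[0]["domain_age_days"]),
        }
        score = round(sum(WEIGHTS[k] * v for k, v in indicators.items()))
        # Keep the raw sessions so the analyst can pivot from the score to the evidence.
        results.append({"src": src, "host": host, "score": score,
                        "indicators": indicators, "sessions": recs})
    results.sort(key=lambda x: x["score"], reverse=True)
    return results


if __name__ == "__main__":
    for hit in score_c2(RECORDS):
        print(hit["score"], hit["src"], hit["host"], hit["indicators"])
```

The weights sum to 100 so the aggregate reads as a percentage; the beaconing test uses the coefficient of variation of inter-request gaps rather than a fixed interval, so it catches any timer-driven cadence. Rarity is measured against the population of sources in the same data, which is why the thresholds have to be re-baselined per environment.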

Lateral Movement Detection
Identifies suspicious Windows login activity to reveal lateral movement attempts:
- Windows credential harvesting
- Services
- Suspicious login activity
- Explicit logins
- File move + services

Resource Shift Needed: Budgets & People
[Two pie charts]
Today's priorities: Prevention 80%, Monitoring 15%, Response 5%
Future requirements: Prevention 33%, Monitoring 33%, Response 33%

Detection: A Layered Approach

Combining Analytics, Context & Content
Context sources: GRC / CMDB

Apply Slide
1. Evaluate your internal spending patterns: look for a balanced approach.
2. Start collecting data: context doesn't appear out of thin air.
3. Consult on your data science approach: you know your business; apply analytics to your unique view.