Where did we go wrong?
Jan 22, 2018
1. Addressing information overload/alert fatigue
2. Blind spots
3. Control over environment
Where did we go wrong? Fatigued yet?
Hi, I’m the needle in this haystack
(The rest of this slide is a wall of repeated “BARK!” alerts.)
Three big (non-malware) problems in Security today
1. Addressing information overload/alert fatigue
2. Blind spots
3. Control over environment
Enterprise security spending vs blind spots
Most enterprise spending is tied up in the perimeter.
Blind Spot #1: The Endpoint
Blind Spot #2: Internal network communications (East-West traffic)
Blind Spot #3: The Cloud
Blind Spot #4: Data
Three big (non-malware) problems in Security today
1. Addressing information overload/alert fatigue
2. Blind spots
3. Control over environment
Where did we go wrong?
1. Not enough root cause analysis
2. Not enough process improvement (if any)
3. Even when we do succeed, we force the attacker to change tactics. Are we ready for that?
Where did we go wrong? Prevention and Evasion
Day 1: Zeus Trojan as a PE (.exe). Preventative controls block it. Endpoint protected.
Where did we go wrong? Prevention and Evasion
Day 2: Zeus Trojan as Java (.jar). Preventative controls fail; the JAR reassembles the EXE on the endpoint. Endpoint infected.
Why is the endpoint important?
1. This is where work happens
2. One of the easiest paths into a company
3. BYOD and Shadow IT are unsolved problems
How I see the market
• Prevention (pre-execution)
• Detection and Data Collection (post-execution)
• Platform Hardening
80+ vendors; a 50/50 split between complementary and primary.
Buzzword Bingo: NGAV and EDR definitions
NGAV: The ability to stop threats without prior knowledge of them
EDR: Endpoint Data Recorder (a slight acronym modification)
Endpoint categories: What’s driving them?
NGAV
NEED: a better malware mousetrap
WHAT: Automated detection of unknown threats
WHY: auto-generated malware gets through
EDR
NEED: endpoint visibility; serious blind spot otherwise
WHAT: Record detailed endpoint data
WHY: detect attacks that defeat 1st layers of defense
Hardening
NEED: More permanent, resilient solutions
WHAT: Wide variety of approaches
WHY: Passive defenses reduce pressure on frontline defenses
Remediation
NEED: Contain and clean up threats
WHAT: Containment and automated remediation
WHY: Reduce expense and labor of dealing with threats
EDR: Endpoint Detection and Response
Many use cases:
• detection
• forensics
• incident response
• source for automation event triggers
Ultimately, EDR is a sensor that provides rich, forensic data before you need it
Examples: Ransomware prevention
1. Kill any process attempting to stop the volume shadow service (VSS)
2. If a powershell or CMD process is created shortly after opening an office document, inspect and/or quarantine the office document.
3. Create a hidden folder sure to be the first in an alphabetical list (e.g. __aardvarks). Any file change triggers a containment action (e.g. isolate machine).
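The three ransomware rules above, written out as an added Python example (not code from the talk or any product it mentions) and run over a small set of constructed endpoint events. Everything not on the slide is an assumption: the canary folder path, a 60-second window for “shortly after”, the idea that the shell’s parent process is the Office application that opened the document, and the response actions being returned as strings instead of being executed.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumptions (not from the slides): canary folder location and what "shortly after" means.
CANARY_DIR = r"C:\Users\alice\Documents\__aardvarks"
SHELL_WINDOW_SEC = 60

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "cmd.exe"}
# A quoted Office document path anywhere on a command line.
DOC_RE = re.compile(r'"([^"]+\.(?:docx?|docm|xlsx?|xlsm|pptx?|pptm))"', re.I)
# "net stop vss" / "sc stop vss" in any casing, with optional .exe and quotes.
STOP_VSS_RE = re.compile(r'\b(?:net|sc)(?:\.exe)?\s+stop\s+"?vss"?\b', re.I)


@dataclass
class Event:
    t: float                 # seconds since boot (constructed timestamps)
    kind: str                # "process" = process creation, "file" = file write
    image: str = ""          # process image name
    pid: int = 0
    ppid: int = 0
    cmdline: str = ""
    path: str = ""           # written file, for "file" events


def stops_vss(cmdline: str) -> bool:
    """Rule 1: does this command line try to stop the Volume Shadow Copy service?"""
    return STOP_VSS_RE.search(cmdline) is not None


def evaluate(events: List[Event]) -> List[str]:
    """Apply the three rules in time order and return the response actions taken."""
    office = {}        # pid -> (start time, document path) for live Office processes
    actions: List[str] = []
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "process":
            if e.image.upper() in OFFICE_APPS:
                m = DOC_RE.search(e.cmdline)
                office[e.pid] = (e.t, m.group(1) if m else None)
            if stops_vss(e.cmdline):                                   # rule 1
                actions.append(f"KILL pid={e.pid} ({e.image} attempted to stop VSS)")
            if e.image.lower() in SHELLS and e.ppid in office:         # rule 2
                t0, doc = office[e.ppid]
                if doc and e.t - t0 <= SHELL_WINDOW_SEC:
                    actions.append(f"QUARANTINE {doc} ({e.image} spawned {e.t - t0:.0f}s after open)")
        elif e.kind == "file" and e.path.lower().startswith(CANARY_DIR.lower() + "\\"):
            actions.append(f"ISOLATE host (canary file changed: {e.path})")   # rule 3
    return actions


# Constructed telemetry for one workstation: a macro document spawns a shell, the shell
# stops VSS, then the canary folder is touched. Two later shells are benign or too late.
SAMPLE_EVENTS = [
    Event(t=0, kind="process", image="explorer.exe", pid=10, ppid=1),
    Event(t=100, kind="process", image="WINWORD.EXE", pid=100, ppid=10,
          cmdline=r'"C:\Program Files\Microsoft Office\WINWORD.EXE" "C:\Users\alice\Downloads\invoice.docm"'),
    Event(t=104, kind="process", image="powershell.exe", pid=101, ppid=100, cmdline="powershell.exe"),
    Event(t=105, kind="process", image="cmd.exe", pid=102, ppid=101, cmdline="cmd.exe /c net stop vss"),
    Event(t=106, kind="file", path=r"C:\Users\alice\Documents\__aardvarks\0001.txt"),
    Event(t=900, kind="process", image="cmd.exe", pid=200, ppid=10, cmdline="cmd.exe"),    # user prompt from Explorer
    Event(t=1000, kind="process", image="cmd.exe", pid=201, ppid=100, cmdline="cmd.exe"),  # outside the window
]


def demo() -> List[str]:
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Rule 2 is the one most likely to need tuning: tying the shell to its Office parent keeps the rule precise, but a document that launches a shell through an intermediate process will be missed, so the time-window variant on the slide (any shell shortly after any document open) trades precision for coverage.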
Strategies to get us back on track
1. Change Mindset
2. Better quality visibility (not quantity!)
3. Plan to mature detection capabilities
Changing mindset: things I have a problem with
1. Defeatist statements
2. That ‘dwell time’ has become a metric
3. The 1m unfilled jobs myth/rumor
Myth #1: Solving malware changes everything!
No, it just shifts the problem – attackers don’t give up, they just change tactics to things like:
1. Interpreted languages (JavaScript, Python, PowerShell)
2. Social engineering
3. Credential theft
4. Abuse of valid admin tools
5. Web attacks (SQL Injection, XSS, XSRF, etc.)
Myth #2: Once the bad guys get in… Game Over!
Common perspective of getting hacked (prevention only)
1. Attacker’s exploit succeeds.
2.
Reality
1. Attacker’s exploit succeeds
2. Attempts to escalate privileges
3. Begins exploring network
4. Sniffs network
5. Pivots to another host using an exploit
6. Dumps and cracks credentials
7. Pivots with credentials
8. Creates domain admin account
= detection opportunity
Lesson: Layer detection with prevention
Recon & early ops detection
Exfiltration detection
DatalossDetection
Threat detection and
responseThreat Hunting
When does incident become breach?
26
Initial Hacking
Attempts
Success!Attacker gets in, pivots,
searchesExfiltration
Days, Weeks Average of 146 99 days*
Sale & Profit of
stolen data
Discovery
DEF
END
ER
Prevention
Isolation
Forensics IR Automation
Security Analytics
DatalosspreventionDetection by
Deception
Fraud detection by a
3rd party
Breach Occurs
CustomerImpact
Timeline
* Average dwell time, according to Mandiant’s M-Trends Reports
Red flags are everywhere
Why aren’t we looking for them?
Basic Red Flag Examples
1. Local account creation
2. VSS disabled; snapshots deleted
3. AV turned off
4. SAM database dumped
5. ARP route poisoning
6. CMD.exe child of POWERPNT.EXE?
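The six red flags above, and the point of the “Reality” list on the Myth #2 slide (every post-exploit step is a detection opportunity), as one added Python example that is not from the talk. It runs the flags over constructed endpoint events in a simple dict format (not real Windows Event Log records), labels each hit with the attack stage it corresponds to, and escalates a host once several distinct stages show up. The event field names and stage labels are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"cmd.exe", "powershell.exe"}

Flag = Tuple[str, int, str, str]   # (host, time, red flag, attack stage)


def red_flags(events: List[dict]) -> List[Flag]:
    """Return one Flag per event that matches a basic red flag. Stateless rules
    look at a single event; the ARP rule keeps the last MAC seen per (host, ip)."""
    last_mac: Dict[Tuple[str, str], str] = {}
    out: List[Flag] = []
    for e in sorted(events, key=lambda x: x["t"]):
        h, t, ty = e["host"], e["t"], e["type"]
        if ty == "user_created" and e.get("local"):
            out.append((h, t, "local account creation", "persistence"))
        elif ty == "service" and e["name"].upper() == "VSS" and e["state"] == "stopped":
            out.append((h, t, "VSS disabled", "preparation for impact"))
        elif ty == "av_state" and not e["enabled"]:
            out.append((h, t, "AV turned off", "defense tampering"))
        elif ty == "registry_export" and e["key"].upper().endswith("\\SAM"):
            out.append((h, t, "SAM database dumped", "credential theft"))
        elif ty == "arp":
            key = (h, e["ip"])
            if key in last_mac and last_mac[key] != e["mac"]:
                out.append((h, t, "ARP route poisoning", "network sniffing"))
            last_mac[key] = e["mac"]
        elif ty == "process" and e["parent"].upper() in OFFICE_APPS and e["image"].lower() in SHELLS:
            out.append((h, t, f"{e['image']} child of {e['parent']}", "initial exploit"))
    return out


def triage(events: List[dict], min_stages: int = 2) -> Dict[str, dict]:
    """Group flags by host. A host showing several distinct stages is no longer an
    'incident' to tune away; it is the one to pull into incident response first."""
    by_host: Dict[str, List[Flag]] = defaultdict(list)
    for f in red_flags(events):
        by_host[f[0]].append(f)
    result = {}
    for host, flags in by_host.items():
        stages = sorted({s for _, _, _, s in flags})
        result[host] = {
            "flags": [name for _, _, name, _ in flags],
            "stages": stages,
            "escalate": len(stages) >= min_stages,
        }
    return result


# Constructed events: ws01 walks through most of the 'Reality' list, ws02 shows only a
# gateway MAC change, ws03 shows only normal activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "t": 1, "type": "process", "image": "cmd.exe", "parent": "POWERPNT.EXE"},
    {"host": "ws01", "t": 2, "type": "av_state", "enabled": False},
    {"host": "ws01", "t": 3, "type": "service", "name": "VSS", "state": "stopped"},
    {"host": "ws01", "t": 4, "type": "registry_export", "key": r"HKLM\SAM"},
    {"host": "ws01", "t": 5, "type": "user_created", "user": "svc_backup", "local": True},
    {"host": "ws02", "t": 6, "type": "arp", "ip": "10.0.0.1", "mac": "aa:bb:cc:00:00:01"},
    {"host": "ws02", "t": 7, "type": "arp", "ip": "10.0.0.1", "mac": "aa:bb:cc:99:99:99"},
    {"host": "ws03", "t": 8, "type": "process", "image": "cmd.exe", "parent": "explorer.exe"},
    {"host": "ws03", "t": 9, "type": "user_created", "user": "contractor", "local": False},
]


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS).items():
        print(host, summary)
```

None of these rules is clever on its own; the value is in keeping them cheap enough to run everywhere and then correlating by host, so that the second and third flags on the same machine turn a noisy single alert into an obvious incident.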
Strategies to get us back on track
1. Change Mindset
2. Better quality visibility (not quantity!)
3. Plan to mature detection capabilities
What are we talking about here, anyway?
The importance of visibility and awareness in security cannot be overstated!
Detection challenges: How do we improve quality?
We need a way to separate actionable data from anecdotal data.
The solution isn’t getting rid of the anecdotal data, it’s hiding it from view until it’s needed.
Detection challenges: fighting the noise
1. Have a baseline – otherwise everything will look suspicious!
2. Instead of tuning the default, consider starting from scratch
3. Explore other methods of alerting (ChatOps, sound, lighting)
4. Understand users/business and apply lessons to monitoring
5. Pick one very important scenario, and build it out...
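The “have a baseline” and “hide anecdotal data, don’t delete it” points as an added Python example (not code from the talk). A baseline of parent/child process pairs is learned from a quiet period; live events that match it are filed as anecdotal and kept retrievable, while unseen pairs are the only ones surfaced. The telemetry, the fleet-wide baseline key and the two-sightings threshold are all assumptions.

```python
from collections import Counter
from typing import List, Tuple

Record = Tuple[str, str, str]   # (host, parent image, child image), constructed records


class Baseline:
    """Parent/child process pairs seen often enough during a learning window count as normal."""

    def __init__(self, min_count: int = 2):
        self.min_count = min_count
        self.pairs: Counter = Counter()

    def learn(self, records: List[Record]) -> None:
        for _host, parent, child in records:
            self.pairs[(parent.lower(), child.lower())] += 1

    def is_known(self, parent: str, child: str) -> bool:
        return self.pairs[(parent.lower(), child.lower())] >= self.min_count


def split_by_baseline(baseline: Baseline, live: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Actionable = never seen in the baseline; anecdotal = matches normal behaviour.
    Anecdotal records are returned, not dropped, so they stay available for context."""
    actionable: List[Record] = []
    anecdotal: List[Record] = []
    for rec in live:
        _host, parent, child = rec
        (anecdotal if baseline.is_known(parent, child) else actionable).append(rec)
    return actionable, anecdotal


def context_for(anecdotal: List[Record], host: str) -> List[Record]:
    """Bring the hidden data back into view for one host when an analyst needs it."""
    return [r for r in anecdotal if r[0] == host]


# Constructed learning window: a week of ordinary activity, repeated so every pair clears min_count.
BASELINE_WEEK = [
    ("ws01", "explorer.exe", "outlook.exe"),
    ("ws01", "explorer.exe", "WINWORD.EXE"),
    ("ws01", "services.exe", "svchost.exe"),
    ("ws01", "svchost.exe", "taskhostw.exe"),
    ("ws02", "explorer.exe", "chrome.exe"),
    ("ws02", "services.exe", "svchost.exe"),
    ("ws02", "explorer.exe", "cmd.exe"),      # an admin's box: a prompt from Explorer is normal here
] * 3

# Constructed live day: mostly baseline traffic plus two pairs the baseline has never seen.
LIVE_DAY = [
    ("ws01", "explorer.exe", "outlook.exe"),
    ("ws01", "services.exe", "svchost.exe"),
    ("ws01", "WINWORD.EXE", "powershell.exe"),
    ("ws02", "explorer.exe", "cmd.exe"),
    ("ws03", "explorer.exe", "chrome.exe"),
    ("ws03", "chrome.exe", "wscript.exe"),
]


def demo() -> Tuple[List[Record], List[Record]]:
    baseline = Baseline()
    baseline.learn(BASELINE_WEEK)
    return split_by_baseline(baseline, LIVE_DAY)


if __name__ == "__main__":
    actionable, anecdotal = demo()
    print("surface:", actionable)
    print("hidden until needed:", len(anecdotal), "records")
    print("context for ws01:", context_for(anecdotal, "ws01"))
```

The baseline here is fleet-wide, which is the “starting from scratch” model: nothing is normal until you have seen it. Keying the baseline by host role instead (so a developer’s Explorer-spawned shell does not make the same pair normal on a finance workstation) is the usual next step, and the “understand users/business” item above is what tells you where to draw those role boundaries.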
Strategies to get us back on track
1. Change Mindset
2. Better quality visibility (not quantity!)
3. Plan to mature detection capabilities
Detection challenges: fighting the fires
1. Get better prevention
   1. Prevention is ‘free’
   2. IR is expensive
   3. Minimize need for IR
2. Get tools and processes in place to enable root cause analysis
3. Practice IR as much as possible (process improvement)
4. Automate IR workflows (process improvement)
5. Never, ever skip lessons learned
Detection challenges: Less is More
1. Disable, remove and shut down anything you don’t use. This reduces attack surface AND noise.
2. Take care of Low Hanging Fruit
3. Standardize systems. Less variation makes systems easier to defend & produces less noise
4. Simplify systems – monitor app use and remove unused software or features. Less software = Less attack surface.
Low Hanging Fruit
• enable click-to-run for Flash
• Office macro restrictions
• PowerShell restrictions
• disable Java plugin if not needed
• disable Windows EFS if not needed
• use free security tools
  • AppLocker
  • LAPS
  • EMET (maybe? maybe not?)
• Low or no-impact improvements from CIS benchmarks
What are your endpoint security pain points and goals?
Pain Points
1. Cleaning up infections 24/7
2. Catch attacks that bypass preventative controls
3. Catch/prevent non-malware threats
4. Catch insider threats
5. Did a breach actually occur?
Goals
1. Better prevention; hardening
2. Better detective controls, better endpoint visibility
3. Better endpoint visibility; hardening
4. Better endpoint visibility
5. Visibility into file movement, data exfiltration
Recommendations
1. Think through and act out worst-case scenarios. Test and fail repeatedly. Learn from failures.
2. Don’t turn security products to 11 immediately – deploy slowly.
3. Choose one important attack scenario, and get really good at defending against it.
4. Don’t break the user.
5. Consider time-to-value and labor-to-value ratios.
6. Cut down on attack surface and noise by stripping out everything you don’t need or use.