A Global Enterprise Confronts Targeted Attacks
Ginnwann Teo
Head of Pre-Sales
Cyberbit Solutions, APAC
About CYBERBIT
An Elbit Systems subsidiary (NASDAQ: ESLT; revenue: $3B)
Annual sales: a three-digit number (in M USD) and growing
450 employees, 350 in R&D
Mature technology: deployed since 2012
Global sales operation: North America, APAC, EMEA
4 product lines: EDR, SCADA, SIRP, Cyber Training
© 2016 CYBERBIT │ CYBERBIT Proprietary
Agenda
1. Threat Landscape
2. Behavioural Analysis and Machine Learning Detection
3. SOC 3.0
4. Summary
Threats Landscape – The Challenge
Time to compromise: 1 in 9 (11%) compromises happened in seconds. Almost all (93%) happened within minutes.
Time to discovery: just 3% of compromises were detected within minutes, and only 17% in days. 83% took weeks or more to discover.
(Chart: time to compromise vs. time to discovery, bucketed as seconds / minutes / hours / days / weeks+.)
Ponemon Institute's 2015 Global Cost of Data Breach Study
Mean time to identify: 206 days
Mean time to contain: 69 days
Average cost of a breach: $3.8M
23% increase in the cost of a breach from 2013 to 2015
Cyber attacks are no longer a matter of “if,” but a matter of “when.” With the understanding that attacks can never be fully prevented, companies should advance their detection capabilities so they can respond appropriately.
Signatures are obsolete
3.8 million unique hashes: 99% of malware hashes are seen for only 58 seconds or less. In fact, most malware is seen only once.
Antivirus products are “doomed to failure”; “Antivirus products are catching less than half of all cyberattacks”
– Senior VP, Information Security, Symantec, 5 May 2014
Sandboxes can be Fooled
1. Stalling code
2. Blind spots
3. Environmental checks: cores, Windows, virtualization, user interaction
Malware Persistency
(Screen shot: CYBERBIT EDR)
C2C Communications Pass Through
1. Encrypted communication or steganography
2. Compromised botnets
3. Multiple channels: HTTP / HTTPS, DNS tunnels, instant messaging, IPv6 and ICMP, compromised websites, social media sites
2 June, 2016
Cyber Crisis Management Plan
11. A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. …… CERT-IN also have come out with National Cyber Crisis Management Plan and Cyber Security Assessment Framework. …….
12. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. ……
Sharing of information on cyber-security incidents with RBI
14. …… Banks are also encouraged to actively participate in the activities of their CISOs’ Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Such collaborative efforts will help the banks in obtaining collective threat intelligence, timely alerts and adopting proactive cyber security measures.
Supervisory Reporting framework
15. It has been decided to collect both summary level information as well as details on information security incidents including cyber-incidents. Banks are required to report promptly the incidents, in the format given in Annex-3.
There Must Be Focus on Detection, Response and Mitigation
Behavioral Analysis is Key
• Collect information in the real environment
• Focus on what and not on how
• Generalize behaviors
• Use the anti-detection action as an additional indication
• Combine behaviors to reach a conclusion
• Use advanced visualizations to tell the story
Machine Learning
• Find the needle in the haystack
• Rich dataset: learning is useless without quality data
• Employ advanced techniques to baseline normal behaviors, in order to surface malicious ones
• Dynamic algorithm: continuous feedback to adjust the settings
Machine Learning Methods
• Time based statistical sensor
• Sliding windows features
• Decision mechanism for separating routine vs. malware behaviour
(Diagram: routine vs. malware activity over time t, sampled in windows of Δt.)
• Statistical system behavior description
• Cross correlation for malware and noise behavior
• Shannon decision tree for maximizing TP/FP ratio
Example: multi dimensional decision algorithm
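To make the sliding-window baseline and the multi-dimensional decision rule concrete, here is an added Python example (not Cyberbit's code). The per-interval telemetry, the window size and the thresholds are constructed assumptions; the point is that a routine baseline is learned from the trailing Δt buckets, that an interval is only called malicious when more than one feature deviates, and that flagged intervals are not fed back into the baseline.

```python
"""Sliding-window statistical baseline over time-bucketed endpoint telemetry.

Added example, not Cyberbit code. Assumes constructed per-interval counts of
two features for one host: outbound connections and new processes spawned.
"""
from collections import deque
from statistics import mean, pstdev

WINDOW = 8         # number of trailing Δt buckets kept as the routine baseline
Z_THRESHOLD = 3.0  # per-feature z-score considered anomalous (assumed)
MIN_FEATURES = 2   # features that must deviate before an interval is flagged

# Constructed telemetry: (outbound_connections, new_processes) per interval t.
# Intervals 0-11 are routine; intervals 12-13 are a constructed burst.
TELEMETRY = [
    (12, 3), (14, 2), (11, 4), (13, 3), (12, 2), (15, 3), (13, 4), (12, 3),
    (14, 2), (11, 3), (13, 3), (12, 4),
    (90, 25), (85, 30),  # burst
]


def z_scores(window, sample):
    """Per-feature z-score of `sample` against the trailing window."""
    scores = []
    for i, value in enumerate(sample):
        history = [w[i] for w in window]
        mu, sigma = mean(history), pstdev(history)
        sigma = sigma or 1.0  # flat baseline: avoid division by zero
        scores.append((value - mu) / sigma)
    return scores


def detect(telemetry, window=WINDOW, z=Z_THRESHOLD, min_features=MIN_FEATURES):
    """Return indices of intervals that cross the multi-dimensional rule.

    Only intervals that were NOT flagged enter the baseline, so a burst does
    not immediately poison the routine model (the "continuous feedback" step).
    """
    flagged = []
    baseline = deque(maxlen=window)
    for t, sample in enumerate(telemetry):
        if len(baseline) == window:
            deviating = sum(1 for s in z_scores(baseline, sample) if s > z)
            if deviating >= min_features:
                flagged.append(t)
                continue  # do not learn from the anomaly
        baseline.append(sample)
    return flagged


if __name__ == "__main__":
    print("flagged intervals:", detect(TELEMETRY))
```

A spike in a single feature (for example one noisy backup job opening many connections) stays below the decision rule; it takes correlated deviation across features to raise an alert.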
Hunting
• Have all the information at your finger tips
• Be proactive
• Use big-data of forensic information to actively look for anomalies
(Screen shot: CYBERBIT EDR)

SOC 3.0
SOC Evolution: Business Driven, Complete SOC Management
SOC 1.0 – SIEM: log based alerts consolidation
SOC 2.0 – SIRP: incident handling, events analysis, incident management
SOC 3.0 – SOC Management Platform:
• Complete incident management, workflow, tasking and SLA
• Response automation: automatic remedies based on best practices, IT systems interface
• Analysis automation: similar events identification, threat intelligence collaboration
• Inputs from organizational applications & other IT sources
SOC 3.0 Vision
(Diagram: attack stages flow from Indications of Compromise (IOCs) to Events to Breach Management. Inputs: SIEM; other alerts (EDR, cloud-based detection); other inputs (GRC, email, IT Helpdesk). SOA – Analysis & Correlation, Event to Incident: events correlation, similar events, data analysis, threat intelligence. SIR – Incident Management, Incident to Breach: actions, auto tools, escalation process, SLA, best practice. Side modules: communication module, business impact analysis, compliance management.)
Response and Mitigation Guidelines
• Obtain one management platform for all SOC activities
• Leverage threat intelligence and external interfaces
• Automate and semi-automate response workflows
• Execute post-incident analysis to improve your procedures and processes
• Leverage organizational knowledge for analysis and response
• Audit and document
• Collaborate with response tools
Summary
• Combine advanced detection, mitigation and response
• Consider business impact for triage, mitigation and response
• Use more than IOCs to detect unknown threats
• Reach maximum detection results by combining behavioral analysis and machine learning
• Use advanced visualizations to improve your team’s efficiency
• Audit, document, and post-investigate incidents to improve SOC processes
That’s Exactly What We Do
Cyberbit Security Suite:
• Cyberbit Trainer – Cyber Security Training and Simulation
• SOC 3D – SOC Management Platform
• Cyberbit EDR – Endpoint Detection and Response
• SCADAShield – SCADA Detection and Response
Built on big data analytics over sensors: CS-ICS (SCADA), CS-IT, and any future sensor.