Detect Active Cyber-Attacks in Real Time Protect your Network
Threatscape 2015
Big problem. Expensive. Detection Deficit.
Insider? Outsider?
EventTracker Threatscape 2015: New Cyber Security reality for the under-staffed enterprise
Assume that a successful/damaging cyber attack on your infrastructure has already occurred.
200+ days on average before detection
100% of larger orgs are attacked every day, 1 in 5 SMEs are targeted each year
76% of all intrusions involve compromised credentials
“Bad traffic” is now encrypted, which thwarts network packet inspection (IDS/IPS)
Evidence of intrusions gets buried within millions of other artifacts
Prevention - Firewalls, AV, AD/NAC, IDS/IPS – is not enough. 100% of breached orgs already had these in place.
DFIR in EventTracker v8 Addressing the Detection Deficit
Perform automated DFIR on Windows workstations and servers
Move endpoint digital forensics to daily SOP for early detection of:
Rogue Processes
Unknown Services Running
Unusual OS artifacts
Evidence of Persistence
Suspicious Network Activity
Solution to the problem: 90% automation / 10% investigation
Implement the post-mortem forensics and analysis as real time SOP for earlier detection of threats.
Deploy advanced, purpose-built threat sensors
Threat intelligence feeds integrated and correlated to actual enemy contact in real time
Behavior analysis/anomaly detection based on heuristics
Application whitelisting
and most importantly…skilled people paying attention to the basics, 365 days a year – especially server and workstation skills.
Market feedback: Security Gap
Compliance ≠ Security
Stakeholders personally affected by breaches
Compliance is a requirement
Help reduce cost
Skill shortage
Impacting ROI on SIEM projects
Machine learning, less rules tweaking
Existing defenses?
Anti Virus: Catches “some” malware based on signatures. Attackers are “hip to its jive”.
IDS: Detects network-borne attacks. Can’t see the endpoint or out “legitimate” traffic.
DLP: Can catch data movement to/from removable media.
SIEM: Sees all logs, but is everything logged?
How are they attacking?
Malware-based
Threat: Establish Beachhead
Threat: Lateral Movement
Threat: Exfiltrate data
Compromised credentials-based
Threat: Valid programs for invalid purpose
Threat: Out-of-ordinary
Threat: Establish beachhead. Malware lands on the endpoint
As e-mail attachment? From infected USB?
Evades Anti Virus
Defense
Detect launch of every process
Compare hash against safe list (local and NSRL)
Alert if first-time-seen and not on safe list
Caveat: Requires framework & a watcher
Threat: Lateral movement. Move from less to more valuable systems
From desktop to server/firewall
Defense
User behavior, location affinity
Trace files from endpoint (prefetch, default.rdp etc.)
Valid but unusual EXE presence (e.g. route.exe)
Caveat: Requires framework + machine learning
Threat: Exfiltrate data. Hides as normal traffic
Avoids detection by proxy, network monitor
Defense
Monitor network activity (esp. north/south) for out-of-ordinary behavior
IDS is useful but can’t say which process was responsible
The combination of an unknown process connecting to a low-reputation outside address is a strong advantage
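The two endpoint rules described above (alert on a first-time-seen process that is not on the safe list, and treat an unknown process connecting to a low-reputation address as a high-confidence signal) as an added example. This is illustrative code written for this page, not EventTracker's sensor or rule engine; the safe-list hashes, the low-reputation address (from the 203.0.113.0/24 documentation range), the host names and the event stream are all constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash file contents the way a launch sensor would hash the on-disk image."""
    return hashlib.sha256(data).hexdigest()


# Constructed safe list. A real deployment would fill this from the golden image
# and from the NIST NSRL hash sets; these "file contents" are placeholders.
SAFE_HASHES: Set[str] = {
    sha256_hex(b"placeholder bytes standing in for notepad.exe"),
    sha256_hex(b"placeholder bytes standing in for outlook.exe"),
}

# Constructed low-reputation destinations (stand-in for a threat-intel feed).
LOW_REPUTATION_IPS: Set[str] = {"203.0.113.45"}


@dataclass(frozen=True)
class ProcessLaunch:
    host: str
    pid: int
    image: str      # executable path as reported by the sensor
    sha256: str     # hash of the executable's bytes


@dataclass(frozen=True)
class NetConnection:
    host: str
    pid: int        # owning process: the detail a network IDS alone cannot supply
    dst_ip: str
    dst_port: int


class EndpointDetector:
    """First-seen/not-on-safe-list rule plus unknown-process-to-bad-address rule."""

    def __init__(self, safe_hashes: Set[str], low_rep_ips: Set[str]) -> None:
        self.safe = set(safe_hashes)
        self.low_rep = set(low_rep_ips)
        self.seen_hashes: Set[str] = set()                       # estate-wide history
        self.unknown: Dict[Tuple[str, int], ProcessLaunch] = {}  # live unknown processes

    def on_launch(self, ev: ProcessLaunch) -> List[dict]:
        first_seen = ev.sha256 not in self.seen_hashes
        self.seen_hashes.add(ev.sha256)
        if ev.sha256 in self.safe:
            return []                                   # known good: nothing to say
        # Remember it so a later connection by this pid can be correlated.
        self.unknown[(ev.host, ev.pid)] = ev
        if not first_seen:
            return []                                   # unknown but already triaged
        return [{"rule": "first_seen_unknown_process", "severity": "medium",
                 "host": ev.host, "pid": ev.pid, "image": ev.image, "sha256": ev.sha256}]

    def on_connect(self, ev: NetConnection) -> List[dict]:
        proc = self.unknown.get((ev.host, ev.pid))
        if proc is None or ev.dst_ip not in self.low_rep:
            return []
        # Both halves are known: which process connected, and that the peer is bad.
        return [{"rule": "unknown_process_to_low_reputation_dest", "severity": "high",
                 "host": ev.host, "pid": ev.pid, "image": proc.image,
                 "sha256": proc.sha256, "dst": f"{ev.dst_ip}:{ev.dst_port}"}]


def run_demo() -> List[dict]:
    """Replay a constructed event stream and return every alert raised, in order."""
    det = EndpointDetector(SAFE_HASHES, LOW_REPUTATION_IPS)
    known = sha256_hex(b"placeholder bytes standing in for outlook.exe")
    dropper = sha256_hex(b"placeholder bytes standing in for an unknown dropper")
    events = [
        ProcessLaunch("WKS-MKT-07", 1204, r"C:\Program Files\Office\outlook.exe", known),
        ProcessLaunch("WKS-MKT-07", 3392, r"C:\Users\mkt\AppData\Local\Temp\inv.exe", dropper),
        NetConnection("WKS-MKT-07", 1204, "198.51.100.10", 443),  # known process: ignored
        NetConnection("WKS-MKT-07", 3392, "203.0.113.45", 80),    # unknown -> low-rep
        ProcessLaunch("SRV-FILE-01", 880, r"C:\Windows\Temp\inv.exe", dropper),  # seen before
    ]
    alerts: List[dict] = []
    for ev in events:
        alerts += det.on_launch(ev) if isinstance(ev, ProcessLaunch) else det.on_connect(ev)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a["severity"].upper(), a["rule"], a["host"], a["image"])
```

The second launch of the same unknown hash on SRV-FILE-01 raises no new first-seen alert (the hash is already in the estate-wide history) but is still tracked, so a later connection from that pid would be correlated; that is the "watcher" half of the caveat, since someone has to decide whether the first alert was benign and add the hash to the safe list.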
Endpoint Threat Detection & Response
What is required to defend today’s network?
A framework to collect endpoint data: running processes, network connections, Windows services, users, registry entries, and more
A central repository which can receive, store and index the data
An expandable ruleset to baseline and analyze the data
And (wait for it...) an analyst to triage/review/escalate for remediation
Scenario: Win 7 desktop; user is with the marketing dept
Required to visit external websites regularly
Defenses
Up-to-date platform (Windows updates)
DHCP address, Next Gen firewall
Up-to-date, brand name Anti Virus
IDS with updated signatures scanning north/south
What was seen
New Windows service created
Persists on logoff or reboot
Invisible to the normal user
Connects to an external site
Avoids proxy detection by using an IP address
Avoids blocking by using port 80
Trace back showed a phishing e-mail, apparently from HR
About 14 hours later, anti-malware signatures updated and a deep scan suggested it was “Blakamba”
Three days later, Anti-Malware showed other files in temp folders with the same signature
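The scenario above is detectable from two records the endpoint framework already collects: the service-installation event and the outbound connection made by that service's binary. The following is an added example, not EventTracker's rules or log format: it parses constructed key=value log lines (Windows records a service installation as System-log event 7045 from the Service Control Manager; the layout used here is invented for the example), flags an auto-start service installed from outside the trusted program directories, and then raises a high-severity alert when that same binary connects to a literal IP address on port 80, the proxy-evasion pattern the scenario describes. Host names, paths and the 203.0.113.45 destination are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed log lines in a simple key=value layout (not EventTracker's format).
# Event 7045 is the Windows System-log record for "a service was installed".
SAMPLE_LOG = r"""
2015-03-02T08:14:03Z host=WKS-MKT-07 src=scm event_id=7045 service=WinUpdSvc image="C:\Users\mkt\AppData\Roaming\wupd.exe" start=auto account=LocalSystem
2015-03-02T08:14:09Z host=WKS-MKT-07 src=netmon image="C:\Users\mkt\AppData\Roaming\wupd.exe" dst=203.0.113.45 port=80
2015-03-02T08:20:41Z host=WKS-MKT-07 src=netmon image="C:\Program Files\Office\outlook.exe" dst=mail.example.net port=443
2015-03-02T09:02:17Z host=SRV-APP-02 src=scm event_id=7045 service=Backup image="C:\Program Files\Backup\agent.exe" start=auto account=LocalSystem
"""

# Directories where a legitimately installed service binary is expected to live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for key, quoted, bare in _KV.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def is_literal_ip(dst: str) -> bool:
    """True when the destination is a bare IP rather than a hostname."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def analyze(log_text: str) -> List[dict]:
    """Run the two scenario rules over the log and return alerts in log order."""
    installed: Dict[tuple, Dict[str, str]] = {}   # (host, image) -> 7045 record
    alerts: List[dict] = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        image = rec.get("image", "").lower()
        if rec.get("event_id") == "7045":
            installed[(rec["host"], image)] = rec
            # Rule 1: persistence via an auto-start service from a user-writable path.
            if rec.get("start") == "auto" and not image.startswith(TRUSTED_DIRS):
                alerts.append({"rule": "autostart_service_from_untrusted_path",
                               "severity": "medium", "host": rec["host"],
                               "service": rec["service"], "image": rec["image"]})
        elif rec.get("src") == "netmon":
            svc = installed.get((rec["host"], image))
            if svc is None:
                continue                                  # not a freshly installed service
            # Rule 2: the new service talks to a raw IP on port 80, i.e. it sidesteps
            # proxy hostname checks and blends in with ordinary web traffic.
            if is_literal_ip(rec["dst"]) and rec["port"] == "80":
                alerts.append({"rule": "new_service_direct_ip_port80",
                               "severity": "high", "host": rec["host"],
                               "service": svc["service"], "image": rec["image"],
                               "dst": f"{rec['dst']}:{rec['port']}"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["severity"].upper(), a["rule"], a["host"], a["service"], a.get("dst", ""))
```

The Backup service on SRV-APP-02 installs from Program Files and raises nothing, while WinUpdSvc produces the medium alert at install time and the high alert six seconds later, long before the 14-hour signature update in the scenario. Both rules need only the endpoint sensor's own records; the IDS on the north/south path would see the port-80 flow but could not attribute it to a just-installed service.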
EventTracker Framework: Central Console
Data Collection, Indexing, Analysis, Storage
Sensor for Windows: MS Gold certified, runs in user space, tiny footprint
Options for IDS, Vulnerability Assessment, Packet inspection
Diligent: SIEM Simplified Co-Managed Services for Success
RUN WATCH
COMPLY
TUNE
Security Center
Compliance Center
Advanced Endpoint Threat Detection & Response (ETDR/DFIR)
Correlation Alerts & Analysis
Attackers & Targets
Real Time Dashboards
Managed SNORT IDS
Managed Integrated Threat Feeds
User Behavior Affinity & Analysis
Incident Investigations, “SANS” Log Book
DATAMART
Hardened File Integrity Monitoring
Log Search & Forensics
PCI-DSS | HIPAA | FFIEC | FISMA | Gov. | Military
Streamlined Compliance Workflow & Reporting
Centralized Log Management
ISO 27001(2) GPG 13
Vulnerability Assessment
Configuration Assessment
We provide remote Managed Services:
1. RUN: Basic ET Admin – Threat Feeds
2. WATCH: Analytics/Remediation Recommendations
3. COMPLY: Compliance Services
4. TUNE: Advanced ET Tuning
5. ET VAS – Vulnerability Assessment Service
6. ET IDS – Managed SNORT – signature updates
SIEM Simplified Services to get expert help with EventTracker software installed on premise or in the cloud…
Your IT Assets
Auditing Changes
EventTracker Control Center
EventTracker
Remote Access to EventTracker (only)
Your Staff
Alerts, Reports
Dashboards
Search
Gartner View of Cyber Security Market Maturity
Secure your Network
Your Challenge: Growing attack frequency and sophistication
Your Need: Cost-effective threat remediation. Scalable & Smart