
Detect Active Cyber-Attacks in Real Time

Feb 13, 2017


EventTracker
Page 1: Detect Active Cyber-Attacks in Real Time

Detect Active Cyber-Attacks in Real Time: Protect your Network

Page 2: Detect Active Cyber-Attacks in Real Time

Threatscape 2015

Big problem. Expensive. Detection deficit.

Insider? Outsider?

Page 3: Detect Active Cyber-Attacks in Real Time

EventTracker Threatscape 2015: New cyber security reality for the under-staffed enterprise

Assume that a successful/damaging cyber attack on your infrastructure has already occurred.

- 200+ days on average before detection
- 100% of larger orgs are attacked every day; 1 in 5 SMEs are targeted each year
- 76% of all intrusions involve compromised credentials
- "Bad traffic" is now encrypted, which thwarts network packet inspection (IDS/IPS)
- Evidence of intrusions gets buried within millions of other artifacts

Prevention (firewalls, AV, AD/NAC, IDS/IPS) is not enough: 100% of breached orgs already had these in place.

Page 4: Detect Active Cyber-Attacks in Real Time

DFIR in EventTracker v8: Addressing the Detection Deficit

Perform automated DFIR on Windows workstations and servers.

Move endpoint digital forensics to daily SOP for early detection of:
- Rogue processes
- Unknown services running
- Unusual OS artifacts
- Evidence of persistence
- Suspicious network activity

Page 5: Detect Active Cyber-Attacks in Real Time

Solution to the problem: 90% automation / 10% investigation

Implement post-mortem forensics and analysis as real-time SOP for earlier detection of threats:
- Deploy advanced, purpose-built threat sensors
- Threat intelligence feeds integrated and correlated to actual enemy contact in real time
- Behavior analysis/anomaly detection based on heuristics
- Application whitelisting

And most importantly... skilled people paying attention to the basics, 365 days a year, especially server and workstation skills.

Page 6: Detect Active Cyber-Attacks in Real Time

Market feedback

- Security gap: Compliance ≠ Security; stakeholders personally affected by breaches
- Compliance is a requirement: help reduce cost
- Skill shortage: impacting ROI on SIEM projects; machine learning, less rules tweaking

Page 7: Detect Active Cyber-Attacks in Real Time

Existing defenses?

- Anti Virus: catches "some" malware based on signatures; attackers are "hip to its jive"
- IDS: detects network-borne attacks; can't see the endpoint or outbound "legitimate" traffic
- DLP: can catch data movement to/from removable media
- SIEM: sees all logs, but is everything logged?

Page 8: Detect Active Cyber-Attacks in Real Time

How are they attacking?

Malware-based:
- Threat: Establish beachhead
- Threat: Lateral movement
- Threat: Exfiltrate data

Compromised credentials-based:
- Threat: Valid programs for invalid purpose
- Threat: Out-of-ordinary

Page 9: Detect Active Cyber-Attacks in Real Time

Threat: Establish beachhead. Malware lands on the endpoint.

As e-mail attachment? From infected USB?

Evades Anti Virus.

Defense:
- Detect launch of every process
- Compare hash against safe list (local and NSRL)
- Alert if first-time-seen and not on safe list
- Caveat: requires framework & a watcher

Page 10: Detect Active Cyber-Attacks in Real Time

Threat: Lateral movement. Move from less to more valuable systems.

From desktop to server/firewall.

Defense:
- User behavior, location affinity
- Trace files from endpoint (prefetch, default.rdp, etc.)
- Valid but unusual EXE presence (e.g. route.exe)
- Caveat: requires framework + machine learning
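As an added example (not EventTracker's code), a minimal user/host location-affinity baseline plus the "valid but unusual EXE" check from the defense list above. The logon events, host names and the admin-tool entries other than route.exe are constructed for illustration.

```python
from collections import defaultdict

# Constructed baseline logons: (user, host, host role) as an endpoint sensor might report them
BASELINE_LOGONS = [
    ("alice", "WS-MKT-01", "workstation"),
    ("alice", "WS-MKT-01", "workstation"),
    ("bob", "WS-ENG-07", "workstation"),
    ("bob", "SRV-BUILD-02", "server"),
]
# Hypothetical list of valid admin tools that are unusual on a desktop (route.exe is the slide's example)
UNUSUAL_ON_WORKSTATION = {"route.exe", "net.exe", "wmic.exe"}

def build_affinity(logons):
    """Learn, per user, the hosts and host roles seen during the baseline window."""
    hosts, roles = defaultdict(set), defaultdict(set)
    for user, host, role in logons:
        hosts[user].add(host)
        roles[user].add(role)
    return {"hosts": hosts, "roles": roles}

def score_logon(affinity, user, host, role):
    """Findings for a new logon; an empty list means it matches the user's affinity."""
    findings = []
    if host not in affinity["hosts"].get(user, set()):
        findings.append(f"{user}: first logon to {host}")
    if role not in affinity["roles"].get(user, set()):
        findings.append(f"{user}: never seen on a {role} before")
    return findings

def score_process(host_role, image_name):
    """Flag a valid-but-unusual admin tool running on a workstation."""
    if host_role == "workstation" and image_name.lower() in UNUSUAL_ON_WORKSTATION:
        return f"unusual admin tool on workstation: {image_name}"
    return None
```

A desktop-only user appearing on a server for the first time yields two findings, which is the desktop-to-server move the slide describes.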

Page 11: Detect Active Cyber-Attacks in Real Time

Threat: Exfiltrate data. Hides as normal traffic.

Avoids detection by proxy, network monitor.

Defense:
- Monitor network activity (especially north/south) for out-of-ordinary behavior
- IDS is useful but can't say which process was responsible
- The combination of an unknown process connecting to a low-reputation outside address is a strong advantage
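As an added example serving this slide and the "Establish beachhead" defense on page 9 (not EventTracker's code): a first-seen hash check against a safe list, followed by correlation of an unknown process with its outbound connection to a low-reputation address, which is the process-level context an IDS alone cannot supply. The safe-list hashes, the reputation list, image paths and addresses are all constructed.

```python
import hashlib
import ipaddress
# Constructed stand-in for the local safe list plus NSRL-style known-good hashes
SAFE_HASHES = {hashlib.sha256(b"constructed: notepad.exe").hexdigest()}
# Constructed low-reputation list (in practice fed by a threat intelligence feed)
LOW_REPUTATION = {"203.0.113.45"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

class EndpointMonitor:
    def __init__(self, safe_hashes, low_reputation):
        self.safe = set(safe_hashes)
        self.bad_ips = set(low_reputation)
        self.seen = set()   # sha256 digests already seen on this endpoint
        self.unknown = {}   # pid -> image path of processes not on the safe list

    def on_process_start(self, pid, image, image_bytes):
        """Page 9 defense: alert once on a first-time-seen image not on the safe list."""
        digest = hashlib.sha256(image_bytes).hexdigest()
        first_time = digest not in self.seen
        self.seen.add(digest)
        if digest in self.safe:
            return None
        self.unknown[pid] = image
        return f"first-seen unknown process {image} sha256={digest[:12]}" if first_time else None

    def on_connection(self, pid, dst_ip, dst_port):
        """Page 11 defense: unknown process plus external, low-reputation destination."""
        image = self.unknown.get(pid)
        addr = ipaddress.ip_address(dst_ip)
        if image is None or any(addr in net for net in INTERNAL_NETS):
            return None   # safe process, or internal traffic: not this detector's job
        level = "HIGH" if dst_ip in self.bad_ips else "MEDIUM"
        return f"{level}: unknown process {image} -> {dst_ip}:{dst_port}"

def demo():
    """Replay a constructed event stream and return the alerts raised, in order."""
    mon = EndpointMonitor(SAFE_HASHES, LOW_REPUTATION)
    events = [
        ("start", 100, r"C:\Windows\notepad.exe", b"constructed: notepad.exe"),
        ("start", 101, r"C:\Users\m\AppData\Local\Temp\upd.exe", b"constructed: dropper"),
        ("conn", 100, "10.1.2.3", 445),      # safe process, internal address: ignored
        ("conn", 101, "203.0.113.45", 80),   # unknown process to low-reputation IP on port 80
    ]
    alerts = []
    for kind, pid, *rest in events:
        out = mon.on_process_start(pid, *rest) if kind == "start" else mon.on_connection(pid, *rest)
        if out:
            alerts.append(out)
    return alerts
```

A real deployment would hash the image file on disk and take the safe list from a maintained local allowlist plus the NSRL set; the example keeps both in memory so it runs offline.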

Page 12: Detect Active Cyber-Attacks in Real Time

Endpoint Threat Detection & Response

What is required to defend today's network?
- A framework to collect endpoint data: running processes, network connections, Windows services, users, registry entries, more
- A central repository which can receive, store and index the data
- An expandable ruleset to baseline and analyze the data

And (wait for it...) an analyst to triage/review/escalate for remediation.

Page 13: Detect Active Cyber-Attacks in Real Time

Scenario: Win 7 desktop; user is with the marketing dept.

Required to visit external websites regularly.

Defenses:
- Up-to-date platform (Windows updates)
- DHCP address
- Next-gen firewall
- Up-to-date, brand-name Anti Virus
- IDS with updated signatures scanning north/south

Page 14: Detect Active Cyber-Attacks in Real Time

What was seen: New Windows service created
- Persists on logoff or reboot
- Invisible to the normal user
- Connects to an external site
- Avoids proxy detection by using an IP address
- Avoids blocking by using port 80

Trace back showed a phishing e-mail, apparently from HR.
About 14 hours later, anti-malware signatures updated and a deep scan suggested it was "Blakamba".
Three days later, Anti-Malware showed other files in temp folders with the same signature.

Page 15: Detect Active Cyber-Attacks in Real Time

EventTracker Framework

Central Console: data collection, indexing, analysis, storage

Sensor for Windows: MS Gold certified; runs in user space; tiny footprint

Options for IDS, vulnerability assessment, packet inspection

Page 16: Detect Active Cyber-Attacks in Real Time

Diligent SIEM Simplified Co-Managed Services for Success: RUN, WATCH, COMPLY, TUNE

Security Center | Compliance Center | Advanced

- Endpoint Threat Detection & Response (ETDR/DFIR)
- Correlation Alerts & Analysis
- Attackers & Targets Real Time Dashboards
- Managed SNORT IDS
- Managed Integrated Threat Feeds
- User Behavior Affinity & Analysis
- Incident Investigations "SANS" Log Book
- DATAMART
- Hardened File Integrity Monitoring
- Log Search & Forensics
- PCI-DSS | HIPAA | FFIEC | FISMA | Gov. | Military
- Streamlined Compliance Workflow & Reporting
- Centralized Log Management
- ISO 27001(2) | GPG 13
- Vulnerability Assessment
- Configuration Assessment

Page 17: Detect Active Cyber-Attacks in Real Time

We provide remote Managed Services:
1. RUN: Basic ET Admin, Threat Feeds
2. WATCH: Analytics/Remediation Recos
3. COMPLY: Compliance Services
4. TUNE: Advanced ET Tuning
5. ET VAS: Vulnerability Assessment Service
6. ET IDS: Managed SNORT, signature updates

SIEM Simplified Services to get expert help with EventTracker software installed on premise or in the cloud...

Diagram labels: Your IT Assets; Auditing Changes; EventTracker Control Center; EventTracker; Remote Access to EventTracker (only); Your Staff; Alerts; Reports; Dashboards; Search

Page 18: Detect Active Cyber-Attacks in Real Time

Gartner View of Cyber Security Market Maturity

Page 19: Detect Active Cyber-Attacks in Real Time

Secure your Network

Your Challenge: Growing attack frequency and sophistication
Your Need: Cost-effective threat remediation. Scalable & Smart

Page 20: Detect Active Cyber-Attacks in Real Time