Defending against persistent threats in a time of skill shortage - A.N. Ananth | Secure Bermuda -...

Defending against persistent threats in a time of skill shortage


Defending against persistent threats in a time of skill shortage

Threatscape 2016

Big problem

Expensive

Detection Deficit

Insider?

Outsider?

Market feedback

Security Gap

Compliance ≠ Security

Stakeholders personally affected by breaches

Compliance is a must, but

Help reduce cost

Skill shortage

Impacting ROI on IT Security projects

Machine learning, less rule tweaking

Why are they attacking?

Existing defenses?

Anti Virus

Catches “some” malware based on signatures

Attackers are “hip to its jive”

IDS

Detects network borne attacks

Can’t see the endpoint or out “legitimate” traffic

DLP

Can catch data movement to/from removable media

SIEM

See all logs but is everything logged?

How are they attacking?

Malware based

Example: C-Suite doesn’t get paid

Threat: Establish Beachhead

Threat: Lateral Movement

Threat: Exfiltrate data

Example: Piracy in the back office

Compromised credentials based

Congrats from CIO

Threat: Valid programs for invalid purpose

Threat: Out of ordinary

Army out of SHAPE on Facebook

Threat: Establish beachhead

Malware lands on the endpoint

As e-mail attachment?

From infected USB?

Evades Anti Virus

Defense

Detect launch of every process

Compare hash against safe list (local and NSRL)

Alert if first-time-seen and not on safe list

Caveat: Requires framework & a watcher

Threat: Lateral movement

Move from less to more valuable systems

From desktop to server/firewall

Defense

User behavior, location affinity

Trace files from endpoint (pre-fetch, default.rdp etc.)

Valid but unusual EXE presence (e.g. route.exe)

Caveat: Requires framework + machine learning

Threat: Exfiltrate data

Hide as normal traffic

Avoid detection by proxy, network monitor

Defense

Monitor network activity (esp. north/south) for out-of-ordinary behavior

IDS is useful but can’t say which process was responsible

Combination of unknown process connecting to low-reputation outside address is a strong advantage
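The two defenses above (first-time-seen process not on a safe list, and an unknown process connecting to a low-reputation address) as one small detector, added here as an illustration and not EventTracker's own code. The event shapes, the hash values, the safe list and the low-reputation IP list are all constructed placeholders; a real deployment would feed it the collection framework's process and connection records and an NSRL-backed hash set.

```python
from collections import namedtuple

# Constructed event shapes (not EventTracker's schema), keyed by host and pid.
ProcessLaunch = namedtuple("ProcessLaunch", "host image sha256 pid")
NetConnect = namedtuple("NetConnect", "host pid dst_ip dst_port")

# Constructed safe list (local baseline plus NSRL-style reference hashes) and
# low-reputation address list (threat-feed style). Values are placeholders.
SAFE_HASHES = {"aaaa1111", "bbbb2222"}
LOW_REP_IPS = {"203.0.113.7"}


class EndpointDetector:
    def __init__(self, safe_hashes, low_rep_ips):
        self.safe = set(safe_hashes)
        self.low_rep = set(low_rep_ips)
        self.seen = set()     # hashes already observed anywhere on the site
        self.unknown = {}     # (host, pid) -> image of non-safelisted processes
        self.alerts = []

    def on_process(self, ev):
        # Beachhead defense: alert on a first-time-seen hash not on the safe list.
        first_seen = ev.sha256 not in self.seen
        self.seen.add(ev.sha256)
        if ev.sha256 in self.safe:
            return None
        self.unknown[(ev.host, ev.pid)] = ev.image   # remember for correlation
        if not first_seen:
            return None                              # known-unknown: no new alert
        alert = f"FIRST-SEEN unknown process {ev.image} ({ev.sha256}) on {ev.host}"
        self.alerts.append(alert)
        return alert

    def on_connect(self, ev):
        # Exfiltration defense: unknown process plus low-reputation destination.
        image = self.unknown.get((ev.host, ev.pid))
        if image is None or ev.dst_ip not in self.low_rep:
            return None
        alert = f"EXFIL? {image} on {ev.host} -> {ev.dst_ip}:{ev.dst_port}"
        self.alerts.append(alert)
        return alert


def run_sample():
    # Replay a constructed event stream; returns the alerts raised in order.
    det = EndpointDetector(SAFE_HASHES, LOW_REP_IPS)
    det.on_process(ProcessLaunch("PC-MKT-07", r"C:\Windows\System32\svchost.exe", "aaaa1111", 612))
    det.on_process(ProcessLaunch("PC-MKT-07", r"C:\Users\j\AppData\Local\Temp\invoice.exe", "cccc3333", 4120))
    det.on_connect(NetConnect("PC-MKT-07", 612, "198.51.100.20", 443))  # safe process: silent
    det.on_connect(NetConnect("PC-MKT-07", 4120, "203.0.113.7", 80))    # unknown process on port 80
    det.on_process(ProcessLaunch("PC-MKT-08", r"C:\Users\k\AppData\Local\Temp\invoice.exe", "cccc3333", 777))
    return det.alerts
```

The second launch of the same unknown hash on PC-MKT-08 is tracked but raises no new alert, which is the "first-time-seen" part of the rule; the port-80 connection to the listed address is what turns a quiet unknown process into an actionable alert.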

Attacks from Insiders

At Black Hat, Aug 2016, by Elie Bursztein of Google

297 USBs dropped at U of Illinois, Urbana

Parking lots, common rooms, lecture halls, hallways

No label, Confidential, Exam answers

45% plugged in; clicked on links; within 10 hours

Myth #1

Myth: Hackers carefully select targets, then hit them with a zero-day attack

Reality

Most attacks are indiscriminate, opportunistic and exploit known vulnerabilities

More than 85% of successful exploits leverage top 10 vulnerabilities.

Myth #2

Myth: Attackers are fast but good guys are catching up

Reality

Gap is widening – detection deficit disorder

4 of 5 victims don’t realize they’ve been attacked for weeks

Myth #3

Myth: No one falls for phishing anymore

Reality

More than 30% of phishing emails are opened

12% clicked on links

Endpoint Threat Detection & Response

What is required to defend today’s network?

A framework to collect endpoint data

Running processes, network connections, Windows services, users, registry entries, more

A central repository which can receive, store and index the data

An expandable ruleset to baseline and analyze the data

And (wait for it...) an analyst to triage/review/escalate for remediation

EventTracker Framework

Central Console

Data Collection

Indexing

Analysis

Storage

Sensor for Windows

MS Gold certified

Runs in user space

Tiny footprint

Options for IDS, Vuln. Assess, Packet inspection

Diligent SIEM Simplified Co-Managed Services for Success

RUN WATCH COMPLY TUNE

Security Center

Compliance Center

Advanced Endpoint Threat Detection & Response (ETDR/DFIR)

Correlation Alerts & Analysis

Attackers & Targets

Real Time Dashboards

Managed SNORT IDS

Managed Integrated Threat Feeds

User Behavior Affinity & Analysis

Incident Investigations

“SANS” Log Book

DATAMART

Hardened File Integrity Monitoring

Log Search & Forensics

PCI-DSS | HIPAA | FFIEC | FISMA | Gov. | Military

Streamlined Compliance Workflow & Reporting

Centralized Log Management

ISO 27001(2) GPG 13

Vulnerability Assessment

Configuration Assessment

We provide remote Managed Services:

1. RUN: Basic ET Admin – Threat Feeds

2. WATCH: Analytics/Remediation Recos

3. COMPLY: Compliance Services

4. TUNE: Advanced ET Tuning

5. ET VAS – Vulnerability Assessment Service

6. ET IDS – Managed SNORT – signature updates

SIEM Simplified Services to get expert help with EventTracker software installed on premise or in the cloud…

Your IT Assets

Auditing Changes

EventTracker Control Center

EventTracker

Remote Access to EventTracker (only)

Your Staff

Alerts, Reports

Dashboards, Search

Gartner View of Cyber Security

Market Maturity

Secure your Network

Your Challenge: Growing attack frequency and sophistication

Your Need: Cost-effective threat remediation. Scalable & Smart

Scenario

Win 7 desktop; user is in the marketing dept

Required to visit external websites regularly

Defenses

Up-to-date platform (Windows updates)

DHCP address

Next Gen firewall

Up-to-date, brand-name Anti Virus

IDS with updated signatures scanning north/south

What was seen

New Windows service created

Persists on logoff or reboot

Invisible to the normal user

Connects to an external site

Avoids proxy detection by using IP address

Avoids blocking by using port 80

Trace back showed phishing e-mail, apparently from HR

About 14 hours later, anti-malware signatures updated and a deep scan suggested it was “Blakamba”

Three days later, Anti Malware showed other files in temp folders with the same signature