Detect Cyber Attacks in Real Time: Protect Your Network


  • date post

    18-Jan-2017

Transcript of Detect Cyber Attacks in Real Time: Protect Your Network

  • Detect Active Cyber-Attacks in Real Time

    Protect your Network

  • Verizon DBIR & Microsoft SIR, 2013-2015

    Prevention defenses are not enough

    (Chart: the "Detection Deficit"; breaches the staff missed; insider vs. outsider)

    Conclusions: Prevention/perimeter defenses are necessary but not sufficient.

    Detection is the challenge; technology alone is not enough for long-term success; expertise and a disciplined process are also required.

    100% had up-to-date AV and properly configured firewalls

    66% were notified of the breach by a third party

    200+ days on average between breach and detection

    75% used stolen credentials to spread, morph and steal

  • DFIR in EventTracker v8

    Addressing the Detection Deficit

    Perform automated DFIR on Windows workstations and servers

    Move endpoint digital forensics into the daily SOP for early detection of:

    Rogue Processes

    Unknown Services Running

    Unusual OS artifacts

    Evidence of Persistence

    Suspicious Network Activity

  • Existing defenses?

    Anti Virus

    Catches some malware based on signatures

    Attackers are hip to its jive

    IDS

    Detects network borne attacks

    Can't see the endpoint, nor tell attack traffic from legitimate traffic

    DLP

    Can catch data movement to/from removable media

    SIEM

    Sees all logs, but is everything logged?

  • How are they attacking?

    Malware based

    Threat: Establish Beachhead

    Threat: Lateral Movement

    Threat: Exfiltrate data

    Compromised credentials based

    Threat: Valid programs for invalid purpose

    Threat: Out of ordinary

  • Threat: Establish beachhead

    Malware lands on the endpoint

    As e-mail attachment?

    From infected USB?

    Evades Anti Virus

    Defense

    Detect launch of every process

    Compare hash against safe list (local and NSRL)

    Alert if first-time-seen and not on safe list

    Caveat: Requires framework & a watcher
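The beachhead defense above, as an added example (not EventTracker's code): every process launch is hashed, compared by hash (not by file name) against a local safe list and an NSRL-style known-good set, and the first sighting of any hash on neither list raises an alert while later sightings of the same hash are only counted. All hosts, paths, binaries and hashes are constructed for the example.

```python
"""
Added example, not EventTracker's code: first-time-seen process detection.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash the bytes of an image file (here: constructed stand-in contents)."""
    return hashlib.sha256(data).hexdigest()


# Local safe list, hash -> path, built from a clean golden image (constructed).
LOCAL_SAFE_LIST = {
    sha256_hex(b"constructed svchost.exe v1"): "C:\\Windows\\System32\\svchost.exe",
    sha256_hex(b"constructed explorer.exe v1"): "C:\\Windows\\explorer.exe",
}
# Stand-in for the NSRL hash set (the real set has millions of entries).
NSRL_HASHES = {sha256_hex(b"constructed notepad.exe v1")}


@dataclass
class ProcessLaunch:
    """One process-creation event as an endpoint sensor would report it."""
    host: str
    image: str
    sha256: str


@dataclass
class FirstSeenDetector:
    local_safe: dict
    nsrl: set
    sightings: dict = field(default_factory=dict)  # hash -> fleet-wide count

    def evaluate(self, ev: ProcessLaunch):
        """Return an alert dict for a first-time-seen unknown hash, else None."""
        h = ev.sha256.lower()
        self.sightings[h] = self.sightings.get(h, 0) + 1
        if h in self.local_safe or h in self.nsrl:
            return None                      # known good, by hash not by name
        if self.sightings[h] > 1:
            return None                      # already alerted on first sighting
        reason = "first-time-seen hash not on any safe list"
        # Same path as a safe-listed binary but a different hash: likely masquerade.
        if ev.image.lower() in {p.lower() for p in self.local_safe.values()}:
            reason = "masquerade: safe-listed image path with unknown hash"
        return {"host": ev.host, "image": ev.image, "sha256": h, "reason": reason}


# Constructed sample events: a dropper lands on WS-01, then turns up on WS-02;
# WS-03 runs something claiming to be svchost.exe with the wrong hash.
DROPPER_HASH = sha256_hex(b"constructed invoice.exe dropper")
SAMPLE_EVENTS = [
    ProcessLaunch("WS-01", "C:\\Windows\\System32\\svchost.exe",
                  sha256_hex(b"constructed svchost.exe v1")),
    ProcessLaunch("WS-01", "C:\\Windows\\System32\\notepad.exe",
                  sha256_hex(b"constructed notepad.exe v1")),
    ProcessLaunch("WS-01", "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe", DROPPER_HASH),
    ProcessLaunch("WS-02", "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", DROPPER_HASH),
    ProcessLaunch("WS-03", "C:\\Windows\\System32\\svchost.exe",
                  sha256_hex(b"constructed svchost.exe trojanised")),
]


def run(events):
    """Feed events through the detector; return (alerts, detector state)."""
    det = FirstSeenDetector(LOCAL_SAFE_LIST, NSRL_HASHES)
    alerts = [a for a in (det.evaluate(e) for e in events) if a]
    return alerts, det


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS)[0]:
        print(alert)
```

Two alerts come out of the five launches: the dropper on WS-01 (its WS-02 copy is only counted, so the analyst sees one ticket with a sighting count of 2) and the fake svchost.exe on WS-03, which a name-based safe list would have passed. The caveat on the slide still holds: the detector is useless without a sensor feeding it every launch and someone reading the alerts.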

  • Threat: Lateral movement

    Move from less valuable to more valuable systems (from desktop to server/firewall)

    Defense

    User behavior, location affinity

    Trace files on the endpoint (Prefetch, Default.rdp, etc.)

    Valid but unusual EXE presence (e.g. route.exe)

    Caveat: Requires framework + machine learning

  • Threat: Exfiltrate data

    Hide as normal traffic

    Avoid detection by proxy and network monitor

    Defense

    Monitor network activity (especially north/south) for out-of-the-ordinary behavior

    IDS is useful but can't say which process was responsible

    The combination of an unknown process connecting to a low-reputation outside address is a strong signal
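The exfiltration defense above, as an added example (not EventTracker's code): outbound connections are ranked by combining what the endpoint knows (is the originating process a vetted hash?) with what the network knows (is the destination on a low-reputation list?), which an IDS alone cannot do because it never sees the process. The internal address ranges, the known-process hashes, the reputation list and the connection events are all constructed for the example.

```python
"""
Added example, not EventTracker's code: process + destination reputation triage.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the org's own address space; anything else counts as "outside".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hashes already vetted by the process watcher (constructed values).
KNOWN_HASHES = {"0" * 64, "1" * 64}

# Stand-in for a threat feed of low-reputation addresses (constructed).
LOW_REP_IPS = {"198.51.100.77"}


@dataclass
class Connection:
    """One outbound connection as an endpoint sensor reports it, with the
    originating process included (this is what the IDS does not have)."""
    host: str
    image: str
    sha256: str
    dst_ip: str
    dst_port: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score(conn: Connection):
    """Return a finding dict with a severity, or None for traffic not worth triage."""
    if is_internal(conn.dst_ip):
        return None                         # east/west traffic: not exfil scope
    unknown_proc = conn.sha256.lower() not in KNOWN_HASHES
    low_rep = conn.dst_ip in LOW_REP_IPS
    if unknown_proc and low_rep:
        severity = "high"                   # the strong combination
    elif unknown_proc:
        severity = "medium"                 # new process talking outside
    elif low_rep:
        severity = "low"                    # vetted browser hitting a bad address
    else:
        return None
    return {"host": conn.host, "image": conn.image,
            "dst": f"{conn.dst_ip}:{conn.dst_port}",
            "unknown_process": unknown_proc, "low_reputation": low_rep,
            "severity": severity}


UNKNOWN_SVC = "f" * 64   # constructed hash of a binary the watcher has not vetted
SAMPLE_CONNECTIONS = [
    Connection("WS-07", "C:\\Program Files\\Google\\Chrome\\chrome.exe", "0" * 64,
               "203.0.113.10", 443),
    Connection("WS-07", "C:\\Users\\bob\\AppData\\Local\\Temp\\hrupdate.exe", UNKNOWN_SVC,
               "10.0.0.5", 445),
    Connection("WS-07", "C:\\Users\\bob\\AppData\\Local\\Temp\\hrupdate.exe", UNKNOWN_SVC,
               "198.51.100.77", 80),
    Connection("WS-07", "C:\\Users\\bob\\AppData\\Local\\Temp\\hrupdate.exe", UNKNOWN_SVC,
               "203.0.113.55", 443),
    Connection("WS-08", "C:\\Program Files\\Google\\Chrome\\chrome.exe", "0" * 64,
               "198.51.100.77", 80),
]


def triage(conns):
    """Score every connection and return the findings, most severe first."""
    findings = [f for f in (score(c) for c in conns) if f]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for finding in triage(SAMPLE_CONNECTIONS):
        print(finding)
```

The internal ranges are declared explicitly rather than derived from `ipaddress`'s `is_private`, because that flag also covers documentation and benchmark ranges and would hide exactly the kind of "outside" address the slide wants caught. Port 80 to a bare IP address, as in the scenario later in the deck, scores the same as any other external connection here; the severity comes from who is connecting and where to, not from the port.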

  • Endpoint Threat Detection & Response

    What is required to defend today's network?

    A framework to collect endpoint data: running processes, network connections, Windows services, users, registry entries and more

    A central repository which can receive, store and index the data

    An expandable ruleset to baseline and analyze the data

    And (wait for it...) an analyst to triage, review and escalate for remediation

  • Scenario

    Windows 7 desktop; the user is in the marketing department

    Required to visit external websites regularly

    Defenses

    Up-to-date platform (Windows updates)

    DHCP address

    Next-generation firewall

    Up-to-date, brand-name anti-virus

    IDS with updated signatures scanning north/south traffic

  • What was seen

    New Windows service created

    Persists across logoff and reboot

    Invisible to the normal user

    Connects to an external site

    Avoids proxy detection by connecting to a raw IP address rather than a host name

    Avoids blocking by using port 80

    Trace-back showed a phishing e-mail, apparently from HR

    About 14 hours later, anti-malware signatures were updated and a deep scan suggested it was Blakamba

    Three days later, anti-malware showed other files in temp folders with the same signature
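Triage of service-install records, as an added example (not EventTracker's code) of catching the scenario's new service on the day it appears rather than 14 hours later when a signature arrives. It works on the fields of the System log's "a service was installed in the system" record (Event ID 7045): the image path is normalized, then checked against trusted install locations and user-writable locations, and an auto-start type is noted as the persistence the scenario describes. The trusted directory list is an assumption, and the hosts, service names and paths are constructed.

```python
"""
Added example, not EventTracker's code: Event ID 7045 service-install triage.
"""
from dataclasses import dataclass

# Assumption: the image of a legitimate service lives under one of these.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                "c:\\program files (x86)\\")
# Locations a standard user (or a phished one) can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\", "\\programdata\\")


@dataclass
class ServiceInstall:
    """Fields of a 7045 record as a log collector would forward them."""
    host: str
    service_name: str
    image_path: str      # raw ImagePath: may be quoted and carry arguments
    start_type: str      # "auto start", "demand start", ...
    account: str


def executable_of(image_path: str) -> str:
    """Strip quotes and arguments: '"C:\\x\\y.exe" -k foo' -> 'c:\\x\\y.exe'."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:p.find('"', 1)]
    else:
        p = p.split(" ", 1)[0]
    return p.lower()


def triage(ev: ServiceInstall):
    """Return a finding for a suspicious service install, or None."""
    exe = executable_of(ev.image_path)
    outside_trusted = not exe.startswith(TRUSTED_DIRS)
    writable = any(m in exe for m in USER_WRITABLE_MARKERS)
    if not outside_trusted and not writable:
        return None                       # looks like an OS or vendor service
    reasons = []
    if writable:
        reasons.append("image in user-writable location")
    elif outside_trusted:
        reasons.append("image outside trusted directories")
    if ev.start_type.lower().startswith("auto"):
        reasons.append("auto start: persists across logoff and reboot")
    if ev.account.lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return {"host": ev.host, "service": ev.service_name, "image": exe,
            "severity": "high" if writable else "medium", "reasons": reasons}


# Constructed records: two ordinary installs, the scenario's service dropped
# into a temp folder, and a remote-admin service installed on demand.
SAMPLE_7045 = [
    ServiceInstall("WS-07", "Netman",
                   '"C:\\Windows\\System32\\svchost.exe" -k netsvcs',
                   "auto start", "LocalSystem"),
    ServiceInstall("WS-07", "VendorAgent",
                   '"C:\\Program Files\\Vendor\\agent.exe"',
                   "auto start", "LocalSystem"),
    ServiceInstall("WS-07", "HRUpdateSvc",
                   "C:\\Users\\bob\\AppData\\Local\\Temp\\hrupdate.exe",
                   "auto start", "LocalSystem"),
    ServiceInstall("SRV-02", "PSEXESVC", "C:\\Tools\\psexesvc.exe",
                   "demand start", "LocalSystem"),
]


def run(records):
    """Triage every record and return only the findings."""
    return [f for f in (triage(r) for r in records) if f]


if __name__ == "__main__":
    for finding in run(SAMPLE_7045):
        print(finding)
```

The temp-folder service is rated high with three reasons (writable location, auto start, LocalSystem); the on-demand tool outside the trusted directories is rated medium, which is the right queue for a service that may be an administrator's doing or a lateral-movement step. Auto start alone never raises a finding, otherwise every legitimate service install on a patch day would.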

  • EventTracker Framework

    Central Console

    Data Collection

    Indexing

    Analysis

    Storage

    Sensor for Windows

    MS Gold certified

    Runs in user space

    Tiny footprint

    Options for IDS, vulnerability assessment and packet inspection

  • SIEM Simplified: Co-Managed Services for Success

    RUN | WATCH | COMPLY | TUNE

    (Diagram: the EventTracker platform shown as three tiers, Diligent, Advanced and Hardened, with a Security Center and a Compliance Center)

    Security Center: Endpoint Threat Detection & Response (ETDR/DFIR); Correlation Alerts & Analysis; Attackers & Targets Real-Time Dashboards; Managed SNORT IDS; Managed Integrated Threat Feeds; User Behavior Affinity & Analysis; Incident Investigations, SANS Log Book

    Compliance Center: PCI-DSS | HIPAA | FFIEC | FISMA | Gov. | Military; Streamlined Compliance Workflow & Reporting; ISO 27001(2), GPG 13; Vulnerability Assessment; Configuration Assessment

    Platform: Datamart; File Integrity Monitoring; Log Search & Forensics; Centralized Log Management

  • We provide remote Managed Services:

    1. RUN: Basic EventTracker administration, threat feeds

    2. WATCH: Analytics, remediation recommendations

    3. COMPLY: Compliance services

    4. TUNE: Advanced EventTracker tuning

    5. ET VAS: Vulnerability Assessment Service

    6. ET IDS: Managed SNORT signature updates

    SIEM Simplified Services: expert help with EventTracker software installed on premise or in the cloud

    (Diagram: your IT assets feed the EventTracker Control Center; our staff get remote access to EventTracker only; your staff receive alerts, reports, dashboards and search; changes are audited)

  • Gartner View of Cyber Security

    Market Maturity

  • Secure your Network

    Your challenge: growing attack frequency and sophistication

    Your need: cost-effective threat remediation, scalable and smart