Unmask anonymous attackers with advanced threat intelligence webinar 6.29 final (1)
Unmask Anonymous Attackers with Advanced Threat Intelligence
June 29, 2016
Copyright SecureAuth Corporation 2016
Today’s Speakers
STEPHEN COX, Chief Security Architect, SecureAuth
ANDRAS CSER, VP, Principal Analyst, Forrester Research, Security & Risk
Webinar Housekeeping
+ All attendee audio lines are muted
+ Submit questions via Q&A panel at any time
+ Questions will be answered during Q&A at the end of the presentation
+ Slides and recording will be sent later this week
+ Contact us at [email protected]
June 29, 2016
Unmask Anonymous Attackers with Advanced Threat Intelligence
Andras Cser, VP & Principal Analyst
© 2016 Forrester Research, Inc. Reproduction Prohibited
[Slide graphic: a map of the identity and security landscape with the regions Identity Management, Data Protection, Fraud Management and Identity Intelligence, set around the Sea of Data Breaches, the Gulf of Security Fiascos and the Tropic of Compliance]
Cyber threat involves compromised identities and passwords
Data breaches are a huge problem
Forrester estimates that 80% of all data breaches involve misuse of administrative and shared account privileges
Mitigate outsider attacks
API management is a must
Requires behavioral analysis
Network forensics are inadequate and slow
Mobile Threats Are Difficult To Detect
› Business has a higher tolerance for mobile fraud
› IP addresses change frequently
› Old MITB detection techniques do not work
› 3DSecure was not designed for mobile devices
› Legacy tools can’t cope with real-time device and location data
Ensure Security using Layered Controls
› Encryption at Cloud Vendor/Cloud Service Provider
› Encryption in Transit
› DLP on Premise and in the Cloud
› Identity Context
› Encryption on Premise
› Risk Assessment
› Discovery and Tagging
Identity Centric Data Protection
How IAM can help
[Slide diagram: Machine learning, Advanced Threat Intel, and Identity and access management meet in Identity intelligence; callouts: understand normal data usage patterns; certify access to data assets; understand normalcy and anomalies in access using patterns]
How Web SSO supports ATI
› Account takeover threatens data (internal and external)
› Single Sign On reduces password vulnerability
› Single source for access policy management, enforcement and audit
How Risk Based Authentication Supports ATI
› We need to move away from passwords – without inconveniencing users (too much ☺)
› Adding new attributes to the authentication process (mobile device location, fingerprint, sensor data, etc.)
› B2C but also B2B and B2E
› This is where the convergence of ATI and Payment fraud primarily happens
Risk Based Authentication is a must
Need to support Risk Based Authentication to minimize user friction
[Slide diagram: the Authentication Context (IP address, User identity, Time of Day, Session speed, Device fingerprint) feeds a Risk score, which selects the Authenticator (Mobile token, Biometrics, Behavioral biometrics, SMS/Email token, Security Q&A)]
How Identity Management and Governance Supports ATI
› Avoid over-privileging users right from the start
› Understand who has access to what and why *before* breaches happen
› Enforce Separation of Duties for apps and data
› Provide visibility into attestation decision making for the reviewer *before* they approve (avoid rubber-stamping of attestation)
› B2E, B2B but increasingly B2C as well
Forrester’s Predictions
› Need for Analytics and Prediction in ATI
› IAM context for ATI is of paramount importance
› Bring in network activity, device data, IP geolocation
› Reduce rubber-stamping and fatigue with investigations
Forrester’s Predictions
› Use machine learning and analytics to identify outliers and high-risk users
› Risk Based and Continuous Authentication will take off
› Provide real-time visibility and drill-down to data
› Secure your critical data, infrastructure and application assets across Enterprise and Cloud
Source: http://www.flickr.com/photos/dgonzal111139/7105647869/sizes/l/in/photostream/
Unmasking Anonymous Attackers with Advanced Threat Intelligence
Stephen Cox, Chief Security Architect, SecureAuth
The Modern Attacker
+ Heavy use of stolen credentials
  – May not even need malware
  – Credentials are easy to acquire
+ Approach with anonymity
  – TOR, VPN, “home grown” anonymity services
  – May combine approaches
+ Very difficult to detect once in
The Attack Lifecycle
[Slide diagram: lifecycle stages Initial Penetration, Establish Foothold, Escalate Privileges, Complete Mission, Lateral Movement, each overlaid with the control layers that apply to it: Network Security, Endpoint Security, Identity Security]
Anonymity Explained
+ Attackers want to conceal their source (and true identity)
+ Achieved through the use of anonymity networks
+ Can be leveraged at many points in the attack lifecycle
The Onion Router (Tor)
+ Public anonymity network
+ Low barrier to entry
+ Has legitimate uses
+ Also a center of cybercrime
The Infrastructure of APT1
+ Threat group discovered and tracked by Mandiant
+ Mandiant released a report on them in 2013
+ Follow-on research pointed at heavy use of anonymity
+ Achieved by compromising a large number of machines and using software known as HTRAN
The Terra Cotta VPN Network
+ Discovered by the RSA FirstWatch threat research team
+ Large network of compromised machines
+ Used to achieve anonymity at a large scale
SecureAuth Threat Service
Combining Threat Intelligence and Threat Information for Best-in-Class Security
[Slide diagram: threat categories (Cyber Crime, Hacktivism, Anonymous Proxy, Advanced Persistent Threat (APT)) supplied as Threat Intelligence and Threat Information, including Black/White Lists; adaptive checks (Device Recognition, Threat Service, Identity Store Lookup, Geo-Location, Geo-Velocity, Behavioral Biometrics); resulting decisions (Allow Access, Require MFA, Redirect, Deny Access)]
• Identify & stop attackers, even with valid credentials
• No User Experience Impact - only present MFA when needed
• Easily integrate with existing infrastructure in hours
Identity as a Perimeter
The Value of Alerting on Identity
+ Why send more to the SIEM?
+ Adaptive authentication data and associated alerts are high fidelity
+ Risk based alerting identifies deliberate actions that may be suspicious and warrant investigation
+ Proactive alerting includes observing identities and systems
Identity Data is The Key
+ Detecting attackers operating with legitimate credentials is challenging
+ Security policies must shift focus to stolen credentials and lateral movement
+ Adaptive authentication data can fill this blind spot
+ Correlation pulls together events and pinpoints incidents
Source: 2016 Mandiant M-Trends® Report
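As an added example (not SecureAuth's or Forrester's code) tying together the Risk Based Authentication slide, the Threat Service slide and the alerting slides above: a small Python policy that scores a login from its authentication context (IP reputation lists, device recognition, time of day, geo-velocity), maps the score to Allow Access, Require MFA or Deny Access, and returns the record a SIEM alert would carry. All IP lists, weights, thresholds and login records are constructed for illustration.

```python
# Added example (not SecureAuth's or Forrester's code): a minimal adaptive
# authentication policy in the shape the slides describe, authentication context
# -> risk score -> Allow / Require MFA / Deny, plus the record such a decision
# would hand to a SIEM. IP lists, weights, thresholds and logins are constructed.
from collections import namedtuple
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

ANON_PROXY_IPS = {"203.0.113.7", "198.51.100.42"}  # constructed Tor/VPN exit list (RFC 5737 ranges)
BLACKLIST_IPS = {"192.0.2.99"}                      # constructed known-hostile sources
LoginAttempt = namedtuple("LoginAttempt", "user ip lat lon device_id when")

def make_attempt(user, ip, lat, lon, device_id, iso_time):
    """Build a login record from an ISO-8601 timestamp string."""
    return LoginAttempt(user, ip, lat, lon, device_id, datetime.fromisoformat(iso_time))

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine formula, Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def risk_score(attempt, previous, known_devices):
    """Score one login against its context; `previous` is the user's last accepted login."""
    impossible_travel = False
    if previous is not None:  # geo-velocity: faster than ~1000 km/h between two logins
        hours = (attempt.when - previous.when).total_seconds() / 3600
        km = km_between(attempt.lat, attempt.lon, previous.lat, previous.lon)
        impossible_travel = km > 50 and (hours <= 0 or km / hours > 1000)
    checks = [  # (condition, weight, reason); weights are constructed, not vendor values
        (attempt.ip in BLACKLIST_IPS, 100, "ip_blacklisted"),            # threat intelligence
        (attempt.ip in ANON_PROXY_IPS, 40, "anonymous_proxy"),           # threat information
        (attempt.device_id not in known_devices, 25, "unknown_device"),  # device recognition
        (not 6 <= attempt.when.hour < 22, 10, "off_hours"),              # time of day
        (impossible_travel, 50, "geo_velocity"),
    ]
    reasons = [reason for hit, _, reason in checks if hit]
    return sum(weight for hit, weight, _ in checks if hit), reasons

def decide(score):
    """Map the score to the slide's outcomes (Redirect is left out for brevity)."""
    return "Deny Access" if score >= 80 else "Require MFA" if score >= 25 else "Allow Access"

def evaluate(attempt, previous, known_devices):
    """Decision plus the high-fidelity alert record worth forwarding to a SIEM."""
    score, reasons = risk_score(attempt, previous, known_devices)
    return {"user": attempt.user, "ip": attempt.ip, "score": score,
            "reasons": reasons, "decision": decide(score)}
```

A login from an anonymous-proxy exit on an unseen device an hour after the same user authenticated from another continent collects all three signals and is denied, while a known device at the usual location during business hours passes with no MFA prompt.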
Thank You! secureauth.com/threat-service