Unmask anonymous attackers with advanced threat intelligence webinar 6.29 final (1)

Unmask Anonymous Attackers with Advanced Threat Intelligence June 29, 2016

Transcript of Unmask anonymous attackers with advanced threat intelligence webinar 6.29 final (1)

Page 1: Unmask anonymous attackers with advanced threat intelligence webinar 6.29 final (1)

Unmask Anonymous Attackers with Advanced Threat Intelligence

June 29, 2016

Page 2

Copyright SecureAuth Corporation 2016

Today’s Speakers

STEPHEN COX, Chief Security Architect, SecureAuth

ANDRAS CSER, VP, Principal Analyst, Forrester Research, Security & Risk

Page 3

Webinar Housekeeping

+ All attendee audio lines are muted
+ Submit questions via Q&A panel at any time
+ Questions will be answered during Q&A at the end of the presentation
+ Slides and recording will be sent later this week
+ Contact us at [email protected]

Page 4

June 29, 2016

Unmask Anonymous Attackers with Advanced Threat Intelligence

Andras Cser, VP & Principal Analyst

Page 5

© 2016 Forrester Research, Inc. Reproduction Prohibited

Page 6

Identity Management

Data Protection

Fraud Management

Identity Intelligence

Sea of Data Breaches

Gulf of Security Fiascos

Tropic of Compliance

Page 7

Page 8

Page 9

Cyber threat involves compromised identities and passwords

Data breaches are a huge problem

Forrester estimates that 80% of all data breaches involve misuse of administrative and shared account privileges

Mitigate outsider attacks

API management is a must

Requires behavioral analysis

Network forensics are inadequate and slow

Page 10

Page 11

Mobile Threats Are Difficult To Detect

› Business has a higher tolerance for mobile fraud

› IP addresses change frequently

› Old MITB detection techniques do not work

› 3DSecure was not designed for mobile devices

› Legacy tools can’t cope with real-time device and location data

Page 12

Ensure Security using Layered Controls

Encryption at Cloud Vendor/Cloud Service Provider

Encryption in Transit

DLP on Premise and in the Cloud

Identity Context

Encryption on Premise

Risk Assessment

Discovery and Tagging

Page 13

Identity Centric Data Protection

Page 14

How IAM can help

Machine learning

Advanced Threat Intel

Identity and access management

Understand normal data usage patterns

Certify access to data assets

Understand normalcy and anomalies in access using patterns

Identity intelligence

Page 15

How Web SSO supports ATI

› Account takeover threatens data (internal and external)

› Single Sign On reduces password vulnerability

› Single source of access policy management, enforcement and audit

Page 16

How Risk Based Authentication Supports ATI

› We need to move away from passwords – without inconveniencing users (too much ☺)

› Adding new attributes to the authentication process (mobile device location, fingerprint, sensor data, etc.)

› B2C but also B2B and B2E

› This is where the convergence with ATI and Payment fraud primarily happens

Page 17

Risk Based Authentication is a must

Need to support Risk Based Authentication to minimize user friction

Authentication Context: IP address, User identity, Time of Day, Session speed, Device fingerprint

Risk score

Authenticator: Mobile token, Biometrics, Behavioral biometrics, SMS/Email token, Security Q&A

Page 18

How Identity Management and Governance Supports ATI

› Avoid over-privileging users right from the start

› Understand who has access to what and why *before* breaches happen

› Enforce Separation of Duties for apps and data

› Provide visibility into attestation decision making for the reviewer *before* they approve (avoid rubber-stamping of attestations)

› B2E, B2B but increasingly B2C as well

Page 19

Page 20

Forrester’s Predictions

› Need for Analytics and Prediction in ATI

› IAM context for ATI is of paramount importance

› Bring in network activity, device data, IP geolocation

› Reduce rubber-stamping and fatigue with investigations

Page 21

Forrester’s Predictions

› Use machine learning and analytics to identify outliers and high-risk users

› Risk Based and Continuous Authentication will take off

› Provide real-time visibility and drill-down to data

› Secure your critical data, infrastructure and application assets across Enterprise and Cloud

Page 22

Page 23

Source: http://www.flickr.com/photos/dgonzal111139/7105647869/sizes/l/in/photostream/

Page 24

Thank you

forrester.com

Andras Cser+1 [email protected]

Page 25

Unmasking Anonymous Attackers with Advanced Threat Intelligence

Stephen Cox, Chief Security Architect, SecureAuth

Page 26

The Modern Attacker

+ Heavy use of stolen credentials
  – May not even need malware
  – Credentials are easy to acquire
+ Approach with anonymity
  – TOR, VPN, “home grown” anonymity services
  – May combine approaches
+ Very difficult to detect once in

Page 27

The Attack Lifecycle

Initial Penetration

Establish Foothold

Escalate Privileges

Complete Mission

Lateral Movement

Controls mapped to the stages in the diagram: Network Security, Endpoint Security, Identity Security

Page 28

Anonymity Explained

+ Attackers want to conceal their source (and true identity)
+ Achieved through the use of anonymity networks
+ Can be leveraged at many points in the attack lifecycle

Page 29

The Onion Router (Tor)

+ Public anonymity network
+ Low barrier to entry
+ Has legitimate uses
+ Also a center of cybercrime

Page 30

The Infrastructure of APT1

+ Threat group discovered and tracked by Mandiant
+ Mandiant released a report on them in 2013
+ Follow-on research pointed at heavy use of anonymity
+ Achieved by compromising a large number of machines and using software known as HTRAN

Page 31

The Terra Cotta VPN Network

+ Discovered by RSA FirstWatch threat research team
+ Large network of compromised machines
+ Used to achieve anonymity at a large scale

Page 32

SecureAuth Threat Service: Combining Threat Intelligence and Threat Information for Best-in-Class Security

Threat Intelligence: Cyber Crime, Hacktivism, Anonymous Proxy, Advanced Persistent Threat (APT)

Threat Information: Black/White Lists

Device Recognition | Threat Service | Identity Store Lookup | Geo-Location | Geo-Velocity | Behavioral Biometrics

Outcomes: Allow Access | Require MFA | Redirect | Deny Access

• Identify & stop attackers, even with valid credentials

• No User Experience Impact - only present MFA when needed

• Easily integrate with existing infrastructure in hours
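As an added example (not SecureAuth's or Forrester's code), the Python below sketches the decision the slide describes: threat information (an anonymizer list plus block/allow lists), device recognition and geo-velocity are combined into a risk score that maps to the four outcomes Allow Access, Require MFA, Redirect and Deny Access. All addresses, fingerprints, weights and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Constructed threat information (documentation-range addresses, not real indicators);
# a deployment would feed these from a threat-intelligence service instead.
ANONYMIZER_IPS = {"198.51.100.7", "203.0.113.44"}   # Tor exits / anonymous proxies
BLOCK_LIST = {"192.0.2.99"}                          # the slide's "black list"
ALLOW_LIST = {"192.0.2.10"}                          # the slide's "white list", e.g. office egress
KNOWN_DEVICES = {"alice": {"fp-a1b2"}}               # device fingerprints seen before, per user

@dataclass
class Login:
    user: str
    ip: str
    device_fp: str
    lat: float
    lon: float
    ts: float  # seconds since epoch

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def geo_velocity_kmh(prev: Login, cur: Login) -> float:
    """Speed implied by moving from the previous login location to the current one."""
    hours = max((cur.ts - prev.ts) / 3600, 1 / 3600)  # floor at one second; guards clock skew
    return km_between((prev.lat, prev.lon), (cur.lat, cur.lon)) / hours

def decide(cur: Login, prev: "Login | None" = None):
    """Map login context to one of the slide's four outcomes; returns (decision, reasons)."""
    known = cur.device_fp in KNOWN_DEVICES.get(cur.user, set())
    if cur.ip in BLOCK_LIST:
        return "Deny Access", ["source on block list"]
    if cur.ip in ALLOW_LIST and known:
        return "Allow Access", []           # trusted network and recognised device: no friction
    score, reasons = 0, []
    if cur.ip in ANONYMIZER_IPS:
        score += 50; reasons.append("anonymous proxy / Tor exit")
    if not known:
        score += 20; reasons.append("unrecognised device")
    if prev is not None and geo_velocity_kmh(prev, cur) > 1000:  # faster than any airliner
        score += 40; reasons.append("impossible geo-velocity")
    # Constructed thresholds: Redirect e.g. to an identity-verification page; MFA only when warranted.
    for threshold, outcome in ((80, "Deny Access"), (50, "Redirect"), (20, "Require MFA")):
        if score >= threshold:
            return outcome, reasons
    return "Allow Access", reasons
```

The `reasons` list is what makes the resulting alert high fidelity when forwarded to a SIEM: it records which signals drove the step-up or denial rather than only the final verdict.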

Page 33

Identity as a Perimeter

Page 34

The Value of Alerting on Identity

+ Why send more to the SIEM?
+ Adaptive authentication data and associated alerts are high fidelity
+ Risk based alerting identifies deliberate actions that may be suspicious and warrant investigation
+ Proactive alerting includes observing identities and systems

Page 35

Identity Data is The Key

+ Detecting attackers operating with legitimate credentials is challenging
+ Security policies must shift focus to stolen credentials and lateral movement
+ Adaptive authentication data can fill this blind spot
+ Correlation pulls together events and pinpoints incidents

Source: 2016 Mandiant M-Trends® Report

Page 36

Thank You! secureauth.com/threat-service