Detect Cyber Attacks in Real Time: Protect Your Network

Page 1: Detect Cyber Attacks in Real Time: Protect Your Network

Detect Active Cyber-Attacks in Real Time

Protect your Network

Page 2: Detect Cyber Attacks in Real Time: Protect Your Network

Verizon DBIR & Microsoft SIR, 2013-2015

Prevention Defenses Are Not Enough

Staff missed it

Detection Deficit

Insider?

Outsider?

Conclusions

• Prevention/perimeter defenses are necessary but not sufficient.

• Detection is the challenge; technology alone is not enough for long-term success. Expertise and a disciplined process are also needed.

100% had up-to-date AV and firewalls, properly configured

66% were notified by a third party

200+ average days between breach and detection

75% used stolen credentials to spread, morph and steal

Page 3: Detect Cyber Attacks in Real Time: Protect Your Network

DFIR in EventTracker v8

Addressing the Detection Deficit

Perform automated DFIR on Windows workstations and servers

Move endpoint digital forensics to daily SOP for early detection of:

Rogue Processes

Unknown Services Running

Unusual OS artifacts

Evidence of Persistence

Suspicious Network Activity

Page 4: Detect Cyber Attacks in Real Time: Protect Your Network

Existing defenses?

Anti Virus

Catches “some” malware based on signatures

Attackers are “hip to its jive”

IDS

Detects network borne attacks

Can’t see the endpoint or out “legitimate” traffic

DLP

Can catch data movement to/from removable media

SIEM

See all logs but is everything logged?

Page 5: Detect Cyber Attacks in Real Time: Protect Your Network

How are they attacking?

Malware based

Threat: Establish Beachhead

Threat: Lateral Movement

Threat: Exfiltrate data

Compromised credentials based

Threat: Valid programs for invalid purpose

Threat: Out of ordinary

Page 6: Detect Cyber Attacks in Real Time: Protect Your Network

Threat: Establish beachhead

Malware lands on the endpoint

As e-mail attachment?

From infected USB?

Evades Anti Virus

Defense

Detect launch of every process

Compare hash against safe list (local and NSRL)

Alert if first-time-seen and not on safe list

Caveat: Requires framework & a watcher

Page 7: Detect Cyber Attacks in Real Time: Protect Your Network

Threat: Lateral movement

Move from less to more valuable systems

From desktop to server/firewall

Defense

User behavior, location affinity

Trace files from endpoint (pre-fetch, default.rdp etc.)

Valid but unusual EXE presence (e.g. route.exe)

Caveat: Requires framework + machine learning
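The "user behavior, location affinity" defense on this slide can be shown as a small baseline-and-deviation rule. The following is an added example, not code from the slide deck or from EventTracker: it builds, from a constructed window of Windows-style logon events (user, host, LogonType as in event 4624), the set of hosts each account normally uses, then scores later logons that fall outside that set, raising severity for high-value hosts, RDP logons and service accounts used interactively. All user names, host names and the high-value host list are constructed assumptions.

```python
"""Location-affinity baseline for spotting desktop-to-server pivots.

Added example; not part of the slide deck or EventTracker's software.
Every user, host and event below is constructed sample data.
"""
from collections import defaultdict

# Constructed baseline logons: (user, host, logon_type)
# logon_type follows Windows 4624: 2 = Interactive, 3 = Network, 10 = RemoteInteractive (RDP)
BASELINE_EVENTS = [
    ("jdoe", "MKT-WS01", 2),
    ("jdoe", "MKT-WS01", 2),
    ("jdoe", "FILESRV01", 3),
    ("asmith", "ENG-WS07", 2),
    ("asmith", "BUILD01", 3),
    ("svc_backup", "FILESRV01", 3),
    ("svc_backup", "SQL01", 3),
]

# Constructed "recent" window to be scored against the baseline
RECENT_EVENTS = [
    ("jdoe", "MKT-WS01", 2),          # fits the baseline
    ("jdoe", "SQL01", 10),            # marketing user RDPs into a database server
    ("jdoe", "DC01", 3),              # network logon to a domain controller
    ("asmith", "BUILD01", 3),         # fits the baseline
    ("asmith", "ENG-WS08", 2),        # new workstation, otherwise unremarkable
    ("svc_backup", "ENG-WS07", 10),   # service account used for an interactive RDP session
]

# Constructed tier list: hosts where an unexpected logon is worth escalating
HIGH_VALUE_HOSTS = {"DC01", "SQL01", "FW01"}


def build_affinity(events):
    """Map each user to the set of hosts they logged on to during the baseline window."""
    affinity = defaultdict(set)
    for user, host, _ in events:
        affinity[user].add(host)
    return affinity


def score_logon(affinity, user, host, logon_type):
    """Return (severity, reason) for a logon outside the user's affinity set, else None."""
    if host in affinity.get(user, set()):
        return None
    severity = "low"
    reasons = [f"{user} never seen on {host} in baseline"]
    if host in HIGH_VALUE_HOSTS:
        severity = "high"
        reasons.append("target is a high-value host")
    if logon_type == 10:
        # interactive RDP to a host the user never touched is the classic pivot
        severity = "high" if severity == "high" else "medium"
        reasons.append("RemoteInteractive (RDP) logon")
    if user.startswith("svc_") and logon_type in (2, 10):
        # service accounts should only appear as network logons
        severity = "high"
        reasons.append("service account used interactively")
    return severity, "; ".join(reasons)


def detect(baseline_events, recent_events):
    """Score every recent logon; return (user, host, severity, reason) tuples."""
    affinity = build_affinity(baseline_events)
    findings = []
    for user, host, logon_type in recent_events:
        result = score_logon(affinity, user, host, logon_type)
        if result:
            findings.append((user, host, *result))
    return findings


if __name__ == "__main__":
    for finding in detect(BASELINE_EVENTS, RECENT_EVENTS):
        print(finding)
```

The baseline window has to be long enough to cover legitimate but infrequent access (month-end jobs, on-call rotations), or the rule floods the analyst with low-severity noise; that is the tuning work the slide's caveat refers to.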

Page 8: Detect Cyber Attacks in Real Time: Protect Your Network

Threat: Exfiltrate data

Hide as normal traffic

Avoid detection by proxy, network monitor

Defense

Monitor network activity (esp. north/south) for out-of-the-ordinary behavior

IDS is useful but can’t say which process was responsible

Correlating an unknown process with a connection to a low-reputation outside address gives the defender a strong advantage
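The beachhead defense on the earlier slide (hash every launched process, compare against a local safe list and NSRL, alert on first-time-seen hashes on neither) and the exfiltration defense here (an unknown process talking to a low-reputation outside address) share the same bookkeeping, so this one added example implements both. It is not code from the slide deck or from EventTracker. The sensor is assumed to deliver process-launch events already carrying the image hash and connection events keyed by (host, pid); the hash tokens, host names, PIDs, addresses and reputation scores are constructed sample data, not real indicators.

```python
"""Safe-list / first-seen process alerting, correlated with outbound
connections to low-reputation addresses.

Added example; not code from the slide deck or from EventTracker.
Every hash, host, PID, address and reputation score is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed hash sets, represented by readable tokens. In a deployment the
# local safe list comes from the organization's gold images and the NSRL set
# from the NIST Reference Data Set.
LOCAL_SAFE_LIST = {"h_explorer", "h_outlook", "h_svchost"}
NSRL_KNOWN_GOOD = {"h_notepad", "h_calc", "h_route"}

# Constructed reputation feed: destination -> score from 0 (bad) to 100 (good).
# Addresses are taken from the RFC 5737 documentation ranges.
REPUTATION = {"198.51.100.23": 5, "203.0.113.9": 95}
LOW_REPUTATION = 20

# Only RFC 1918 space is treated as internal, so the documentation addresses
# above count as outside (north/south) destinations.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


@dataclass
class Alert:
    severity: str
    host: str
    image: str
    detail: str


@dataclass
class Detector:
    safe_list: set
    nsrl: set
    reputation: dict
    seen_hashes: set = field(default_factory=set)
    unknown_procs: dict = field(default_factory=dict)  # (host, pid) -> (image, hash)
    alerts: list = field(default_factory=list)

    def on_process(self, host, pid, image, file_hash):
        """Process-launch event; the endpoint sensor is assumed to have hashed the image."""
        first_seen = file_hash not in self.seen_hashes
        self.seen_hashes.add(file_hash)
        if file_hash in self.safe_list or file_hash in self.nsrl:
            return None  # known-good even if new to this environment
        # Keep the unknown process so later network events can be tied back to it.
        self.unknown_procs[(host, pid)] = (image, file_hash)
        if not first_seen:
            return None  # already alerted when this hash first appeared
        alert = Alert("medium", host, image,
                      f"first-time-seen hash {file_hash} is on neither safe list")
        self.alerts.append(alert)
        return alert

    def on_connection(self, host, pid, dst_ip, dst_port):
        """Outbound connection event, attributed to a process by (host, pid)."""
        if is_internal(dst_ip):
            return None  # east/west traffic is outside this rule's scope
        proc = self.unknown_procs.get((host, pid))
        if proc is None:
            return None  # safe-listed or unseen process: nothing to correlate
        image, file_hash = proc
        score = self.reputation.get(dst_ip, 50)  # unrated destinations are neutral
        if score < LOW_REPUTATION:
            alert = Alert("high", host, image,
                          f"unknown process ({file_hash}) connecting to "
                          f"low-reputation {dst_ip}:{dst_port}")
        else:
            alert = Alert("low", host, image,
                          f"unknown process ({file_hash}) connecting outbound "
                          f"to {dst_ip}:{dst_port}")
        self.alerts.append(alert)
        return alert


# Constructed event stream:
#   ("process", host, pid, image, hash)  or  ("conn", host, pid, dst_ip, dst_port)
SAMPLE_EVENTS = [
    ("process", "MKT-WS01", 412, "explorer.exe", "h_explorer"),   # local safe list
    ("process", "MKT-WS01", 1180, "route.exe", "h_route"),        # NSRL known-good
    ("process", "MKT-WS01", 2044, "updater.exe", "h_unknown_1"),  # first seen, unknown -> medium
    ("conn", "MKT-WS01", 2044, "10.0.0.5", 445),                  # internal, ignored
    ("conn", "MKT-WS01", 2044, "198.51.100.23", 80),              # low reputation on port 80 -> high
    ("process", "ENG-WS07", 3001, "updater.exe", "h_unknown_1"),  # same hash again, no new alert
    ("conn", "ENG-WS07", 3001, "203.0.113.9", 443),               # good reputation -> low
    ("conn", "MKT-WS01", 412, "198.51.100.23", 80),               # safe-listed process, not correlated
]


def run(events):
    detector = Detector(LOCAL_SAFE_LIST, NSRL_KNOWN_GOOD, REPUTATION)
    for kind, *args in events:
        if kind == "process":
            detector.on_process(*args)
        else:
            detector.on_connection(*args)
    return detector.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert.severity, alert.host, alert.image, alert.detail)
```

Two design points the slides only hint at: first-seen is tracked per hash across the whole estate, so the second workstation running the same unknown binary does not re-alert but is still eligible for correlation; and a safe-listed process reaching a bad address is deliberately not flagged here, which is the gap an IDS rule on the destination alone would cover.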

Page 9: Detect Cyber Attacks in Real Time: Protect Your Network

Endpoint Threat Detection & Response

What is required to defend today’s network?

A framework to collect endpoint data: running processes, network connections, Windows services, users, registry entries, and more

A central repository which can receive, store and index the data

An expandable ruleset to baseline and analyze the data

And (wait for it...) an analyst to triage/review/escalate for remediation

Page 10: Detect Cyber Attacks in Real Time: Protect Your Network

Scenario

Win 7 desktop; user is with marketing dept

Required to visit external websites regularly

Defenses

Up to date platform (win updates)

DHCP address

Next Gen firewall

Up to date, brand name Anti Virus

IDS with updated signatures scanning north/south

Page 11: Detect Cyber Attacks in Real Time: Protect Your Network

What was seen

New Windows service created

Persists on logoff or reboot

Invisible to the normal user

Connects to an external site

Avoids proxy detection by using an IP address

Avoids blocking by using port 80

Trace back showed phishing e-mail, apparently from HR

About 14 hours later, anti-malware signatures were updated and a deep scan suggested it was “Blakamba”

Three days later, anti-malware showed other files in temp folders with the same signature

Page 12: Detect Cyber Attacks in Real Time: Protect Your Network

EventTracker Framework

Central Console

Data Collection

Indexing

Analysis

Storage

Sensor for Windows

MS Gold certified

Runs in user space

Tiny footprint

Options for IDS, Vuln. Assess, Packet inspection

Page 13: Detect Cyber Attacks in Real Time: Protect Your Network

Diligent SIEM Simplified Co-Managed Services for Success

RUN WATCH COMPLY TUNE

Security Center

Compliance Center

Advanced

Endpoint Threat Detection & Response (ETDR/DFIR)

Correlation Alerts & Analysis

Attackers & Targets

Real Time Dashboards

Managed SNORT IDS

Managed Integrated Threat Feeds

User Behavior Affinity & Analysis

Incident Investigations

“SANS” Log Book

DATAMART

Hardened

File Integrity Monitoring

Log Search & Forensics

PCI-DSS | HIPAA | FFIEC | FISMA | Gov. | Military

Streamlined Compliance Workflow & Reporting

Centralized Log Management

ISO 27001(2) GPG 13

Vulnerability Assessment

Configuration Assessment

Page 14: Detect Cyber Attacks in Real Time: Protect Your Network

We provide remote Managed Services:

1. RUN: Basic ET Admin – Threat Feeds
2. WATCH: Analytics/Remediation Recos
3. COMPLY: Compliance Services
4. TUNE: Advanced ET Tuning
5. ET VAS – Vulnerability Assessment Service
6. ET IDS – Managed SNORT – signature updates

SIEM Simplified Services to get expert help with EventTracker software installed on premise or in the cloud…

Your IT Assets

Auditing, Changes

EventTracker Control Center

EventTracker

Remote Access to EventTracker (only)

Your Staff

Alerts, Reports

Dashboards, Search

Page 15: Detect Cyber Attacks in Real Time: Protect Your Network

Gartner View of Cyber Security

Market Maturity

Page 16: Detect Cyber Attacks in Real Time: Protect Your Network

Secure your Network

Your Challenge: Growing attack frequency and sophistication

Your Need: Cost-effective threat remediation. Scalable & Smart

Page 17: Detect Cyber Attacks in Real Time: Protect Your Network