Detect Active Cyber-Attacks in Real Time
Protect your Network
Verizon DBIR & Microsoft SIR, 2013-2015
Prevention Defenses Are Not Enough
[Figure: the detection deficit. Staff missed it; was it an insider or an outsider?]
Conclusions
• Prevention/perimeter defenses are necessary but not sufficient.
• Detection is the challenge; technology alone is not enough for long-term success. Expertise and a disciplined process are also required.
• 100% of the breached organizations had up-to-date AV and properly configured firewalls
• 66% were notified of the breach by a third party
• 200+ days on average between breach and detection
• In 75% of cases stolen credentials were used to spread, morph and steal
DFIR in EventTracker v8
Addressing the Detection Deficit
Perform automated DFIR on Windows workstations and servers.
Make endpoint digital forensics a daily SOP for early detection of:
• Rogue processes
• Unknown services running
• Unusual OS artifacts
• Evidence of persistence
• Suspicious network activity
Existing defenses?
Anti Virus
• Catches "some" malware, based on signatures
• Attackers know how it works and test their malware against it before deploying
IDS
• Detects network-borne attacks
• Can't see the endpoint, or outbound traffic that looks "legitimate"
DLP
• Can catch data movement to/from removable media
SIEM
• Sees all logs, but is everything logged?
How are they attacking?
Malware based
• Threat: Establish beachhead
• Threat: Lateral movement
• Threat: Exfiltrate data
Compromised-credentials based
• Threat: Valid programs for invalid purposes
• Threat: Out-of-the-ordinary activity
Threat: Establish beachhead
• Malware lands on the endpoint, as an e-mail attachment or from an infected USB device
• Evades Anti Virus
Defense
• Detect the launch of every process
• Compare the image hash against a safe list (local golden image and NSRL)
• Alert if the hash is first-time-seen and not on the safe list
• Caveat: requires a collection framework and a watcher that keeps state across launches; a hash identifies the image on disk, so a safe-listed binary abused for an invalid purpose needs the behavioral checks that follow
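The first-time-seen check described above, as an added example (not EventTracker's code): a process-launch record modelled on a Sysmon process-creation event is compared against a local golden-image hash set and an NSRL subset, and a watcher object keeps the per-hash "seen" state. All hashes, paths, host and user names are constructed for illustration; a real deployment would load the real safe lists.

```python
"""Added example (not EventTracker's code): alert on the launch of any process
whose image hash is first-time-seen and not on a safe list.

A launch record is modelled on a Sysmon Event ID 1 / process-creation event
(host, user, image path, SHA-256 of the image). The safe-list hashes and the
event stream below are constructed for illustration.
"""
import hashlib
import ntpath
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed safe list: local golden image (path -> hash) plus an NSRL subset.
LOCAL_SAFE = {
    r"C:\Windows\explorer.exe": sha256_hex(b"explorer.exe image"),
    r"C:\Windows\System32\svchost.exe": sha256_hex(b"svchost.exe image"),
}
NSRL_SUBSET = {sha256_hex(b"notepad.exe image")}
SAFE_HASHES = set(LOCAL_SAFE.values()) | NSRL_SUBSET
SAFE_BASENAMES = {ntpath.basename(p).lower(): h for p, h in LOCAL_SAFE.items()}


@dataclass
class LaunchEvent:
    host: str
    user: str
    image: str
    sha256: str


@dataclass
class ProcessWatcher:
    """The 'watcher' the slide calls for: keeps per-hash state across launches."""
    seen_hashes: set = field(default_factory=set)

    def check(self, ev: LaunchEvent):
        """Return an alert dict, or None when the launch needs no attention."""
        if ev.sha256 in SAFE_HASHES:
            return None                      # known-good image, whatever its path
        first_time = ev.sha256 not in self.seen_hashes
        self.seen_hashes.add(ev.sha256)
        if not first_time:
            return None                      # already surfaced for triage
        name = ntpath.basename(ev.image).lower()
        reason = "first-time-seen hash, not on safe list"
        if name in SAFE_BASENAMES:
            # Same filename as a safe-listed binary but a different hash:
            # masquerading (e.g. a fake svchost.exe dropped in a temp folder).
            reason = f"masquerades as safe-listed {name} with unknown hash"
        return {"host": ev.host, "user": ev.user, "image": ev.image,
                "sha256": ev.sha256, "reason": reason}


def run_sample():
    """Feed a constructed launch stream through the watcher; return the alerts."""
    tmp = r"C:\Users\jdoe\AppData\Local\Temp"
    events = [
        LaunchEvent("WS-MKT-07", "jdoe", r"C:\Windows\explorer.exe",
                    LOCAL_SAFE[r"C:\Windows\explorer.exe"]),
        LaunchEvent("WS-MKT-07", "jdoe", r"C:\Windows\System32\notepad.exe",
                    sha256_hex(b"notepad.exe image")),
        # Dropper from a phishing attachment: double extension, unknown hash.
        LaunchEvent("WS-MKT-07", "jdoe", tmp + r"\invoice.pdf.exe", sha256_hex(b"dropper v1")),
        # Same binary launched again (persistence): not first-time-seen, no second alert.
        LaunchEvent("WS-MKT-07", "jdoe", tmp + r"\invoice.pdf.exe", sha256_hex(b"dropper v1")),
        # Payload named like a system binary but with an unknown hash.
        LaunchEvent("WS-MKT-07", "jdoe", tmp + r"\svchost.exe", sha256_hex(b"payload v1")),
    ]
    watcher = ProcessWatcher()
    return [a for a in (watcher.check(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["image"], "->", alert["reason"])
```

The stream of five launches yields two alerts: the dropper on its first launch only, and the masquerading svchost.exe. Keying the "seen" state on the hash rather than the path is what stops a persisting binary from re-alerting on every reboot while still catching a re-named copy.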
Threat: Lateral movement
• Move from less to more valuable systems: from a desktop to a server or firewall
Defense
• User behavior and location affinity (which users normally log on to which hosts)
• Trace files on the endpoint (Prefetch entries, Default.rdp, etc.)
• Presence of valid but unusual executables (e.g. route.exe on a desktop)
• Caveat: requires a collection framework plus machine learning to build and maintain the baseline
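The three lateral-movement signals above, scored together as an added example (not EventTracker's code): a user-to-host affinity baseline built from logon pairs, a check for trace files that point at a host the user has never visited, and a check for valid-but-unusual tools launched on a workstation. The host names, users, tiers, baseline logons and the "unusual on a workstation" tool list are constructed assumptions.

```python
"""Added example (not EventTracker's code): score lateral-movement indicators
from three endpoint signals: user/host affinity, trace files left by remote
access tools, and valid-but-unusual EXE launches on a workstation.

All hostnames, users, baseline logons and the tool list are constructed.
"""
from collections import Counter, defaultdict

# Value tier of each host (constructed). The target's value is what matters.
HOST_TIER = {"WS-MKT-07": "workstation", "WS-FIN-02": "workstation",
             "FS-FIN-01": "server", "DC-01": "server"}

# Valid administration tools that are rarely launched on a marketing desktop.
UNUSUAL_ON_WORKSTATION = {"route.exe", "net.exe", "wmic.exe", "at.exe", "psexec.exe"}

# Files whose appearance or modification shows a remote session was set up.
TRACE_FILES = {"default.rdp"}


def build_affinity(baseline_logons):
    """user -> Counter(host) from baseline (user, host) logon pairs."""
    affinity = defaultdict(Counter)
    for user, host in baseline_logons:
        affinity[user][host] += 1
    return affinity


def score_logon(affinity, user, host, min_seen=2):
    """Reasons a logon falls outside the user's normal host affinity."""
    reasons = []
    if affinity[user][host] < min_seen:
        reasons.append(f"{user} has no baseline affinity with {host}")
        if HOST_TIER.get(host) == "server":
            reasons.append("first-time logon to a server-tier host")
    return reasons


def score_launch(host, image_name):
    """Reasons a process launch is unusual for the host's tier."""
    reasons = []
    if HOST_TIER.get(host) == "workstation" and image_name.lower() in UNUSUAL_ON_WORKSTATION:
        reasons.append(f"valid but unusual tool on a workstation: {image_name}")
    return reasons


def score_trace(affinity, user, host, file_name, target_host):
    """Reasons a trace file (e.g. Default.rdp) points somewhere the user never goes."""
    reasons = []
    if file_name.lower() in TRACE_FILES and affinity[user][target_host] == 0:
        reasons.append(f"{file_name} on {host} targets {target_host}, never visited by {user}")
    return reasons


def run_sample():
    """Run one constructed day of events against a constructed baseline."""
    baseline = ([("jdoe", "WS-MKT-07")] * 40 + [("asmith", "WS-FIN-02")] * 30
                + [("asmith", "FS-FIN-01")] * 5)
    affinity = build_affinity(baseline)
    events = [
        ("logon", "jdoe", "WS-MKT-07"),                              # normal
        ("launch", "WS-MKT-07", "route.exe"),                         # recon from the desktop
        ("trace", "jdoe", "WS-MKT-07", "Default.rdp", "FS-FIN-01"),   # RDP client aimed at file server
        ("logon", "jdoe", "FS-FIN-01"),                               # desktop user lands on a server
        ("logon", "asmith", "FS-FIN-01"),                             # normal for the finance user
    ]
    alerts = []
    for ev in events:
        if ev[0] == "logon":
            reasons = score_logon(affinity, ev[1], ev[2])
        elif ev[0] == "launch":
            reasons = score_launch(ev[1], ev[2])
        else:
            reasons = score_trace(affinity, ev[1], ev[2], ev[3], ev[4])
        if reasons:
            alerts.append({"event": ev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["event"], alert["reasons"])
```

The sample produces three alerts in sequence (the unusual tool, the trace file, the server logon) while the finance user's routine server logon stays silent. In practice the baseline should only learn a new user/host pair after an analyst has triaged the first occurrence, otherwise an attacker's second logon becomes "normal".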
Threat: Exfiltrate data
• Hide as normal traffic
• Avoid detection by proxy or network monitor
Defense
• Monitor network activity, especially north/south (traffic leaving the site), for out-of-the-ordinary behavior
• IDS is useful but cannot say which process was responsible
• The combination of an unknown process connecting to a low-reputation outside address is a strong signal
Endpoint Threat Detection & Response
What is required to defend today's network?
• A framework to collect endpoint data: running processes, network connections, Windows services, users, registry entries and more
• A central repository which can receive, store and index the data
• An expandable ruleset to baseline and analyze the data
• And (wait for it...) an analyst to triage, review and escalate for remediation
Scenario
Windows 7 desktop; the user is in the marketing department and is required to visit external websites regularly
Defenses in place
• Up-to-date platform (Windows updates)
• DHCP address
• Next-generation firewall
• Up-to-date, brand-name Anti Virus
• IDS with updated signatures scanning north/south traffic
What was seen
• A new Windows service was created
• It persists across logoff and reboot
• It is invisible to the normal user
• It connects to an external site
• It avoids proxy detection by connecting to an IP address rather than a hostname
• It avoids blocking by using port 80
• Trace-back showed a phishing e-mail, apparently from HR
• About 14 hours later, anti-malware signatures were updated and a deep scan suggested it was "Blakamba"
• Three days later, anti-malware found other files in temp folders with the same signature
EventTracker Framework
Central Console: data collection, indexing, analysis, storage
Sensor for Windows
• Microsoft Gold certified
• Runs in user space
• Tiny footprint
• Options for IDS, vulnerability assessment, packet inspection
[Figure: SIEM Simplified co-managed services for success, RUN / WATCH / COMPLY / TUNE, with Security Center, Compliance Center and Advanced groupings]
Capabilities shown:
• Endpoint Threat Detection & Response (ETDR/DFIR)
• Correlation, alerts & analysis
• Attackers & targets, real-time dashboards
• Managed SNORT IDS
• Managed integrated threat feeds
• User behavior affinity & analysis
• Incident investigations, "SANS" log book
• Datamart
• Hardened file integrity monitoring
• Log search & forensics
• PCI-DSS | HIPAA | FFIEC | FISMA | Gov. | Military
• Streamlined compliance workflow & reporting
• Centralized log management
• ISO 27001(2), GPG 13
• Vulnerability assessment
• Configuration assessment
We provide remote managed services:
1. RUN: basic ET admin, threat feeds
2. WATCH: analytics, remediation recommendations
3. COMPLY: compliance services
4. TUNE: advanced ET tuning
5. ET VAS: vulnerability assessment service
6. ET IDS: managed SNORT, signature updates
SIEM Simplified services provide expert help with EventTracker software installed on premise or in the cloud.
[Figure: your IT assets feed auditing and change data into EventTracker; the EventTracker Control Center has remote access to EventTracker only; your staff consume alerts, reports, dashboards and search]
Gartner View of Cyber Security Market Maturity
Secure your Network
Your challenge: growing attack frequency and sophistication
Your need: cost-effective threat remediation that is scalable and smart