Defending Against Persistent Threats in a Time of Skill Shortage - A.N. Ananth | Secure Bermuda -...
TRANSCRIPT
Market feedback
Security Gap
Compliance ≠ Security
Stakeholders personally affected by breaches
Compliance is a must, but
Help reduce cost
Skill shortage
Impacting ROI on IT Security projects
Machine learning, less rules tweaking
Existing defenses?
Anti Virus
Catches “some” malware based on signatures
Attackers are “hip to its jive”
IDS
Detects network borne attacks
Can’t see the endpoint, or traffic that looks “legitimate”
DLP
Can catch data movement to/from removable media
SIEM
See all logs but is everything logged?
How are they attacking?
Malware based
Example: C-Suite doesn’t get paid
Threat: Establish Beachhead
Threat: Lateral Movement
Threat: Exfiltrate data
Example: Piracy in the back office
Compromised credentials based
Congrats from CIO
Threat: Valid programs for invalid purpose
Threat: Out of ordinary
Army out of SHAPE on Facebook
Threat: Establish beachhead
Malware lands on the endpoint
As e-mail attachment?
From infected USB?
Evades Anti Virus
Defense
Detect launch of every process
Compare hash against safe list (local and NSRL)
Alert if first-time-seen and not on safe list
Caveat: Requires framework & a watcher
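The three defense bullets above, worked as an added example (not code from the talk or from EventTracker): a stateful watcher that hashes each launched image, stays silent for anything on the NSRL-style or local safe list, and alerts once for a hash it has never seen. The safe lists, hostnames, paths and file bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the two safe lists named on the slide: an NSRL-style
# list of known-good software hashes and a local list built from the
# organisation's own golden images. NSRL publishes SHA-1 and MD5 digests, so
# SHA-1 is used here to match it. Real lists hold millions of entries, not two.
NSRL_SAFE = {hashlib.sha1(b"notepad build image").hexdigest()}
LOCAL_SAFE = {hashlib.sha1(b"corp-agent v3 image").hexdigest()}


@dataclass
class FirstSeenDetector:
    """The 'watcher' the caveat calls for: it keeps state across launch events."""
    safe: set = field(default_factory=lambda: NSRL_SAFE | LOCAL_SAFE)
    seen: set = field(default_factory=set)  # hashes already observed in this environment

    def on_process_start(self, host, image_path, image_bytes):
        """Handle one process-launch event; return an alert dict or None."""
        digest = hashlib.sha1(image_bytes).hexdigest()
        if digest in self.safe:
            return None  # known good on either list: no alert, no analyst time spent
        first_time = digest not in self.seen
        self.seen.add(digest)
        if not first_time:
            return None  # already surfaced once for triage; do not re-alert per host
        return {"host": host, "image": image_path, "sha1": digest,
                "reason": "first-time-seen executable not on any safe list"}


def demo():
    """Run constructed launch events through the detector and return the alerts raised."""
    detector = FirstSeenDetector()
    events = [  # (host, image path, image bytes) - constructed, not real binaries
        ("ws-mkt-01", r"C:\Windows\notepad.exe", b"notepad build image"),
        ("ws-mkt-01", r"C:\Users\amy\AppData\Local\Temp\invoice.exe", b"unknown dropper"),
        ("ws-fin-02", r"C:\Users\bob\AppData\Local\Temp\invoice.exe", b"unknown dropper"),
        ("ws-fin-02", r"C:\Program Files\CorpAgent\agent.exe", b"corp-agent v3 image"),
    ]
    return [a for a in (detector.on_process_start(*e) for e in events) if a]
```

Only the first launch of the unknown dropper produces an alert; the same hash on the second workstation is suppressed, which is why the watcher also needs to record how many hosts it has spread to.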
Threat: Lateral movement
Move from less to more valuable systems
From desktop to server/firewall
Defense
User behavior, location affinity
Trace files from endpoint (Prefetch, default.rdp etc.)
Valid but unusual EXE presence (e.g. route.exe)
Caveat: Requires framework + machine learning
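Added example of the lateral-movement defense (not code from the talk or from EventTracker): a user-to-host affinity baseline built from logon records, scored against new logons for never-seen hosts and moves toward more valuable systems, plus a check for valid-but-unusual executables appearing on a workstation. Hostnames, the tier-by-prefix naming convention and the baseline records are constructed assumptions; route.exe is the one example the slide gives.

```python
from collections import defaultdict

# Constructed baseline: interactive logons (user, host) observed during a learning
# window. In practice the endpoint sensor supplies weeks of these, not a literal.
BASELINE_LOGONS = [
    ("amy", "ws-mkt-01"), ("amy", "ws-mkt-01"), ("bob", "ws-fin-02"),
    ("svc_backup", "srv-file-01"), ("ops1", "srv-file-01"), ("ops1", "fw-mgmt"),
]
# Valid programs whose presence on a desktop is unusual. The slide names route.exe;
# the set is a placeholder for the organisation to extend from its own telemetry.
UNUSUAL_ON_WORKSTATION = {"route.exe"}


def build_affinity(logons):
    """Map each user to the set of hosts they logged on to during the baseline."""
    affinity = defaultdict(set)
    for user, host in logons:
        affinity[user].add(host)
    return affinity


def host_tier(host):
    """Crude asset value from the assumed naming convention: desktop < server < firewall."""
    if host.startswith("fw-"):
        return 3
    if host.startswith("srv-"):
        return 2
    return 1


def score_event(affinity, user, host, new_images=()):
    """Score one logon plus any executables that newly appeared on that host."""
    reasons = []
    known = affinity.get(user, set())
    if host not in known:
        reasons.append(f"{user} never seen on {host}")
        # the slide's 'less to more valuable' move: desktop user turning up on a server/firewall
        if known and host_tier(host) > max(host_tier(h) for h in known):
            reasons.append("move from less to more valuable system")
    odd = sorted({i.lower() for i in new_images} & UNUSUAL_ON_WORKSTATION)
    if odd and host_tier(host) == 1:
        reasons.append("valid but unusual EXE on workstation: " + ", ".join(odd))
    return len(reasons), reasons
```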
Threat: Exfiltrate data
Hide as normal traffic
Avoid detection by proxy, network monitor
Defense
Monitor network activity (esp. north/south) for out-of-ordinary behavior
IDS is useful but can’t say which process was responsible
Combination of unknown process connecting to low-reputation outside address is a strong indicator
Attacks from Insiders
At Black Hat, Aug 2016, by Elie Bursztein of Google
297 USBs dropped at U of Illinois, Urbana
Parking lots, common rooms, lecture halls, hallways
Labelled: none, “Confidential”, “Exam answers”
45% were plugged in and links clicked, within 10 hours
Myth #1
Myth: Hackers carefully select targets, then hit them with a zero-day attack
Reality
Most attacks are indiscriminate, opportunistic and exploit known vulnerabilities
More than 85% of successful exploits leverage the top 10 vulnerabilities.
Myth #2
Myth: Attackers are fast but good guys are catching up
Reality
Gap is widening – detection deficit disorder
4 of 5 victims don’t realize they’ve been attacked for weeks
Myth #3
Myth: No one falls for phishing anymore
Reality
More than 30% of phishing emails are opened
12% clicked on links
Endpoint Threat Detection & Response
What is required to defend today’s network?
A framework to collect endpoint data
Running processes, network connections, Windows services, users, registry entries, more
A central repository which can receive, store and index the data
An expandable ruleset to baseline and analyze the data
And (wait for it...) an analyst to triage/review/escalate for remediation
EventTracker Framework
Central Console
Data Collection
Indexing
Analysis
Storage
Sensor for Windows
MS Gold certified
Runs in user space
Tiny footprint
Options for IDS, vulnerability assessment, packet inspection
[Slide graphic] SIEM Simplified: Co-Managed Services for Success
RUN | WATCH | COMPLY | TUNE
Diligent, Advanced, Hardened
Security Center
Compliance Center
Endpoint Threat Detection & Response (ETDR/DFIR)
Correlation Alerts & Analysis
Attackers & Targets Real Time Dashboards
Managed SNORT IDS
Managed Integrated Threat Feeds
User Behavior Affinity & Analysis
Incident Investigations “SANS” Log Book
DATAMART
File Integrity Monitoring
Log Search & Forensics
PCI-DSS | HIPAA | FFIEC | FISMA | Gov. | Military
Streamlined Compliance Workflow & Reporting
Centralized Log Management
ISO 27001(2) | GPG 13
Vulnerability Assessment
Configuration Assessment
We provide remote Managed Services:
1. RUN: Basic ET Admin – Threat Feeds
2. WATCH: Analytics/Remediation Recos
3. COMPLY: Compliance Services
4. TUNE: Advanced ET Tuning
5. ET VAS – Vulnerability Assessment Service
6. ET IDS – Managed SNORT – signature updates
SIEM Simplified Services to get expert help with EventTracker software installed on premise or in the cloud…
Your IT Assets
Auditing Changes
EventTracker Control Center
EventTracker
Remote Access to EventTracker (only)
Your Staff
Alerts, Reports
Dashboards, Search
Secure your Network
Your Challenge: Growing attack frequency and sophistication
Your Need: Cost-effective threat remediation. Scalable & Smart
Scenario
Win 7 desktop; user is in the marketing dept
Required to visit external websites regularly
Defenses
Up to date platform (win updates)
DHCP address
Next Gen firewall
Up to date, brand name Anti Virus
IDS with updated signatures scanning north/south
What was seen
New Windows service created
Persists on logoff or reboot
Invisible to the normal user
Connects to an external site
Avoids proxy detection by connecting to a bare IP address
Avoids blocking by using port 80
Trace back showed phishing e-mail, apparently from HR
About 14 hours later, anti-malware signatures updated and a deep scan suggested it was “Blakamba”
Three days later, anti-malware showed other files in temp folders with the same signature
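Added example covering both the exfiltration defense (unknown process connecting to a low-reputation outside address) and the scenario just described (new service, bare IP, port 80); it is not code from the talk or from EventTracker. Service-install records model Windows System event 7045, connection records model the sensor's per-process network telemetry; the host, service name, paths, the 203.0.113.0/24 documentation addresses and the internal ranges are constructed placeholders.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed reference data. The threat feed holds one documentation-range address.
LOW_REPUTATION = {"203.0.113.45"}
KNOWN_IMAGES = {r"c:\windows\system32\svchost.exe", r"c:\program files\corpagent\agent.exe"}
BASELINE_SERVICES = {("CorpAgent", r"c:\program files\corpagent\agent.exe")}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: one event 7045 service install, then two connections from that host.
INSTALLS = [{"host": "ws-mkt-07", "service": "WinHlpSvc",
             "image": r"C:\Users\Public\wh.exe", "time": "2016-10-03 09:12"}]
CONNECTIONS = [
    {"host": "ws-mkt-07", "image": r"C:\Users\Public\wh.exe",
     "dst": "203.0.113.45", "port": 80, "time": "2016-10-03 09:15"},
    {"host": "ws-mkt-07", "image": r"C:\Windows\System32\svchost.exe",
     "dst": "update.example.com", "port": 443, "time": "2016-10-03 09:15"},
]


def is_external_ip_literal(dst):
    """True if dst is a bare IP outside the internal ranges: no hostname for the proxy to see."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # a hostname, which a proxy can log and filter
    return not any(addr in net for net in INTERNAL_NETS)


def recent_unknown_services(installs, at, window=timedelta(hours=24)):
    """Image paths of non-baseline services installed within `window` before `at`."""
    return {i["image"].lower() for i in installs
            if (i["service"], i["image"].lower()) not in BASELINE_SERVICES
            and timedelta(0) <= at - datetime.strptime(i["time"], "%Y-%m-%d %H:%M") <= window}


def score_connection(conn, installs):
    """Return (score, reasons) for one outbound connection; 2+ is the slide's strong combination."""
    image, reasons = conn["image"].lower(), []
    if image not in KNOWN_IMAGES:
        reasons.append("unknown process")
    if conn["dst"] in LOW_REPUTATION:
        reasons.append("low-reputation destination")
    if is_external_ip_literal(conn["dst"]) and conn["port"] in (80, 443):
        reasons.append("web port reached by bare IP (proxy bypass pattern)")
    when = datetime.strptime(conn["time"], "%Y-%m-%d %H:%M")
    if image in recent_unknown_services(installs, when):
        reasons.append("image belongs to a newly installed, non-baseline service")
    return len(reasons), reasons
```

Unlike the IDS in the scenario, the connection record carries the owning image path, so the alert names the service binary to remove rather than only the destination that was reached.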