fluency - next generation incident response utilizing big data analytics overview
TRANSCRIPT
1
Discover Fluency
www.fluencysecurity.com
Copyright 2003-2016
Fluency
2
Next Generation Incident Response – Real Time Network Visibility
Next Generation Incident Response utilizing Big Data Analytics. Fluency’s speed provides the capabilities of ingesting network flow data as well as multiple log feeds from disparate security solutions. Fluency analyzes, fuses, cross correlates flow & log data. Fluency then further validates the alerts against reputation & validation engines.
Three Things
3
Records all attributes & events performing real time analytics. No other product can do this at high bandwidth speeds.
Captures all files being transported via http & reviews with all known AV products.
Incorporates Flow Analytics to determine events that did not trigger detection.
Fluency does better than any security offering in the marketplace
Single View, Multiple Perspectives
4
Provide an integrated view organized by flow
Third Party analysis of artifacts
Blue Coat MAA and VirusTotal
Meta provides insight indirect to the event itself
Fluency Metadata sensor
Derived data provides insight from interaction
Deployed IPS, IDS, Firewalls and Web Filters
Validation Metadata Derived Data
Vision
5
Presenting Alerts by Flows is Natural
Same Approach Always
‣ High End-High Load Implementation Current Fluency deployment includes 1 of 13 root DNS servers. Requirements include 10Gbps access points. Fluency’s F-10 offering meets the requirements of over 30,000 EPS & 6,000,000,000 events per day.
‣ SMB/Remote Office Implementation Fluency’s F-250 provides a 250Mbps inline bypass network interface; no tap needed. ESET Antivirus is built into the system scanning transmitted files. Provides the full flow capability of the high-end offerings at a lower investment.
6
Fluency provides offerings from 100Mbps to 10GbpsF-250 F-1 F-5 F-10
250 Mbps 1 Gbps 5 Gbps 10 Gbps
Fluency
7
ArchitectureFluency is deployed in a combination of Sensors & Big Data Analytic Servers
The Sensors collect Metadata Network Flows (MetaFlows), Full Packet Capture plus events from other devices
• Monitors the Network
Big Data Analytic Servers find gaps & direct response to provide the means to remove issues
• Patent Pending Big Data Backend
Increase of detected security incidents in 2015 (PWC Study)
Organizations don’t have sufficient security resources to review dramatic > in number of alerts
8 Numbers from multiple studies
Invest in Response tools that incorporate Big Data analytics & cross correlation, radically reducing staffing requirements & the number of alerts needing review to a manageable number
Fluency Answers
$7,700,000 Avg. Financial Cost
per Breach
Issue SolutionImpact
Emphasis Today is Detection;Sound Security Posture Requires Focus On Response
137% Increase
WHY
9
Security is broken.
Today the focus is on detection. The real need is how to execute a responseconsistently, comprehensively & continuously.
HOWFluency Big Data
Provides the ability to handle vast amounts of data. To do this, data without relationships. Instead of joining data, Fluency performs recursive calls.
Alert Lifecycle in an Incident
10
Key events detect an aspect of an attack
Alert is a message with attributes (client address, server address, server host name, user name …)
Tag
Attributes of an attack can be marked malicious, such as server addressand server host name
Scope
Determine other addresses associated with the server host name
TrackWatch to see if these attributes appear on other communications regardless of the original alert message
Recover
Resolving Issues
11
Focusing on Detection, Hinders Response
Validate Scope Track
Provide Supporting Data Perspectives that Confirm Detection is Correct
Determine if Associated Attributes are Malicious. Pivot on new scope till no new malicious attributes
Determine assets to freeze &recover, while preventing flow from threats
Continually watch threats & their attributes to insure that there are no new related flows
Scope, Categorize & Pivot
12
Tasks an analyst does repeatedly
Scope: Determine all attributes & artifacts associated with a negative attribute
Categorize: Determine if associated attribute is negative
Pivot: Review the scope of any negative attribute
Search Speed limits the number of pivots
13
Key EventsFile Capture to Analysis Process Built In
!
!
!
Tags
Antivirus
Alerts
?Perspective
Vision
14
Provides the means to merge the alerts detected & not detected by deployed solutions to Fluency's perspective.
Fluency provides a holistic/comprehensive picture, not the snapshot organizations see today.
15
The Power of Search
If Google took 3 minutes to perform a search; would anyone use it? NO. One should expect the same from their Incident Response process. Fluency’s patent pending Big Data Analytics technology provides the ability to search billions of events in sub-seconds.
Data Volumes
16
Metadata Firewall Event D
ata
Alert D
ata
Metadata is 3X larger than Firewall logs
1 Gbps line
210M Separate Events 70M 1.2M 10K
SanKey
17
Seeing the Flow of Data
Alerts
Centralized View of Alerts
18
300
5
0 Gb Customer sees only the prevention alerts, resulting in false belief all secure
Fluency Results
19
622
130
10 Gb Fluency clearly sees:• Threats• Infected Machines• Malicious traffic
20
Fluency
21
Fluency RSA SA McAfee Nitro Lancope Blue Coat Fidelis FireEye ArcSight NGIR Components Full Packet Capture
Metaflow Capture Netflow Netflow
File Extraction
Big Database Arc Logger
Real-time Search
Full Field Indexing
Integrated Components Threat Feeds Internal Internal Internal
Reputation Feeds Internal Internal Internal
Validation Engines Sophos
Workflow
Automated Response Mar ‘16
Cloud Option
Multi-tenant
Next Generation Incident Response (NGIR)
Fluency is at the forefront of this developing market segment utilizing patent pending Big Data Analytics & incorporating Full Packet Capture
What Customers are Saying
22
Fluency’s integration into the Cisco ASA platform has enhanced American Fidelity Assurance Company’s investment in our deployed Cisco ASA environment and improved our security posture. Specifically, Fluency added additional value by being able to identify, track, and mitigate security issues in a timely and efficient manner.
“
”— David Maberry
Chief Risk Officer
Fluency
• Accomplishes the fusion of events of the server & the customer’s 10Gbps access point inan environment with requirements of over 30,000 EPS & 6,000,000,000 events a day.
• Reduced number of alerts needing analysis from 450,000,000 to 16 per day.
• Discovered 12 actionable incidents that affected 14 devices in 14 days that existingsecurity systems (IPS, Anti-Virus, Etc.) did not detect.
• Detected an internal host communicating with 696 IP’s located in 46 different countries,that triggered 6 alerts that other security solutions deployed in the environment trusted.
• Discovered > 620 infected machines & 130 C&C systems with more than 10GB of dataleaving per day. All deployed solutions showed the attack was prevented. Fluencyexposed there was a breach & provided timely resolution.
Next Generation Incident Response – Realized Value from Customers/POVs
23
Industry Buzz - Click on each to learn more
24
04/20/15
07/15/15 08/03/15
