
How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk

Date post: 25-Jul-2015
Upload: surfwatch-labs
Transcript
Page 1: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk

How to Access and Make Use of Your “Trapped” Cyber Data to Reduce Your Risk

Page 2

Today’s Speakers

Jason Polancich, Founder & Chief Architect, SurfWatch Labs

Mustafa Rassiwala, Director, Product Management, Platfora

Page 3

Freeing Your Trapped Security Data!

Case Study: “Chocolate and Peanut Butter”

Extending a Manufacturing Company SIEM

Page 4

Bridge the Gap Between Low-Level Tactics & Strategic Insights

Page 5

SIEM Can Be Even More Powerful…

Page 6

… How?

• Add the Strategy Piece: low-level threat intel is only a small part of the full picture of risk
• Stop Navel-Gazing: an outside and inside view is necessary!
• Start Meerkat-ing: situational awareness makes every defense operation better
• Make it Mean Something for Everyone: connect security to business operations
• Enable Sustained Diligence: both inside and outside of SECOPS

Page 7

Customer Profile

Large Multi-National Manufacturing and Consumer Goods with Deep and Wide Supply Chain

Tech/Security Environment
• Geographically dispersed IT locations
• Lots of data sources, few source types
• Centralized SIEM analysis
• Historical SIEM data storage
• Focus on low-level, internal threat intel
• Static intel reporting and reactive alerting
• No strategic intelligence analysis function

Page 8

It All Starts with Data …

Page 9

Intuitive, Simple & Standardized

Page 10

SIEM + Threat Intel

Page 11

Instant Insights

Page 12

Deep-Dive Analysis and Discovery

Architecture diagram: Network Security Data, Endpoint Security Data, Data Center Security Data, SIEM Log/event Data (30 days) and IT & Business Data (unlimited, multi-structured) flow as petabytes of data into Hadoop/HDFS, with Platfora analytics running on top.

A complement to SIEM. Security Analyst uses Platfora for investigating incidents:
– User Behavior Analytics
– Network Data Based Analytics
– Device Communication Analytics
– Information Flow Analytics

More Data & Business Context (Multi-Structured)

Page 13

Using Analytics to Understand the Impact of Cyber Over Time

Page 14

A Typical Data Breach Lasts 243 Days

Kill-chain stages, Day 1 to Day 243:
Recon • Social Engineering • Network Layout
Weaponization • Targeted Malware
Delivery • Spear Phishing • Watering Hole Attacks
Exploit / Install • Lateral Movement
C2 / Exfil • Command Communication • Data Exfiltration

Multiple attempts at each stage of the attack

Fingerprint of attack in log files and security events

Page 15

Anunak Gang Targeting Financial Institutions (Financial Institution APT)

Recon
• Government and Banking Partners
• Partnership with Bot Operators
• Search for existing malware already installed in banking environment

Weaponization
• Mimikatz
• MBR Eraser
• SoftPerfect Network Scanner
• Cain and Abel

Delivery
• Spear Phishing Email to Bank Employee, sent from a Government Email Account
• Deliver new payload to existing malware

Exploit / Install
• Password of admin user on local machine
• Legitimate access to one server
• Compromise domain admin password from one server
• Gain access to and compromise domain controller accounts
• Gain access to email servers

C2 / Exfil
• Gain access to server and banking system admin workstations
• Install software for monitoring key system operators
• Remote access to servers of interest

Page 16

Technology Organization APT – Source Code Breach

Recon
• Controlling “bounce” machines across the globe
• Social Media/LinkedIn/Usergroups/Support Forums etc.
• Corporate Website/Local Events

Weaponization
• Password Scraping Tools
• Netcat Backdoor
• Remote Access Tools
• Fake Game Download Site
• Other Techniques – Watering Hole Attacks

Delivery
• Targeted Phishing Email
• URL Link to Fake Game Site
• Download of Game – install backdoor on user machine
• Installing password scraping and network scanning tools

Exploit / Install
• Backdoor Trojan Installation
• Network scans for open ports and services
• Connect to multiple fileshares
• Overwrite notepad.exe with malicious backdoor

C2 / Exfil
• Pass the Hash Attack
• VPN Connection from external source to maintain continuous access
• Covert TCP Channel bounced across servers

Page 17

Retail Organization APT – Point of Sale (POS) Breach

Recon
• Store Expansion Information
• Physical scouting of the stores
• Network Scanning
• Detect open ports for TCP and UDP; discover webserver and DNS server

Weaponization
• Wireless LAN Assessment Tool
• MAC Address Detection from SSID
• MAC Address Spoofing

Delivery
• Ping Sweep
• Reverse DNS lookup of Server IP
• Port Scan
• Password Guessing – connect to FTP Server

Exploit / Install
• Network Exploration
• Connection over VPN to FTP servers across network
• Access to Credit Card Data

C2 / Exfil
• Buffer Overflow Attack on Backup Program
• Installation of Sniffer to watch internal traffic
• Port Scan of Server
• SQL Injection on Web Application
• Access to database records of millions of Credit Cards

Page 18

Major Challenges When Detecting Breaches

Recon, Weaponization, Delivery, Exploit / Install, C2 / Exfil: 243 days end to end

• Difficult to Recognize Sequence of Attacks in Petabytes of Data
• Data Silos Make it Hard to Understand your Critical Business Data

Page 19

Suspicious File Downloaded by User (Joe) – Possible Spear Phishing Attack

Incident detected in SIEM; Security Analyst investigates:
1. Analyze file download pattern for Joe over last 6 months – compare against Org and Dept statistics
2. Analyze device behavior anomalies – examine data over last 6 months and compare against various dimensions
3. Analyze source of download – analyze all communication to source domain across org and dept over last 6 months
4. Analyze all communication paths of device and Joe to uncover if attack has spread

Page 20

Malformed Image File Spread – SQL Injection Based Attack

Incident detected in SIEM; Security Analyst investigates:
1. Analyze all recent incidents related to user and device and compare over last 6 months (various statistics)
2. Analyze communication between endpoint and internal web server
3. Analyze webserver compromise – internal and external communication mapped and analyzed for anomalies
4. Follow trail of SQL Injection attack followed by compromise of customer accounts and malformed file upload
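Pages 14, 18 and 20 make one point between them: no single alert marks the breach, the signal is an ordered sequence of stages spread over months in logs the SIEM already holds, and on Page 20 the trail is SQL injection, then account compromise, then a malformed upload. The block below is an added example, not code from the deck or from SurfWatch Labs or Platfora, of that sequence check over a normalised SIEM extract. Everything in it is assumed: the `timestamp|host|stage|detail` line format, the stage labels, and the sample events (constructed, using RFC 5737 test addresses); the 243-day default window is the deck's dwell-time figure.

```python
"""Recognise an ordered sequence of attack stages in a flat event stream.

Added example; not code from the SurfWatch Labs / Platfora deck. It assumes
the SIEM has already normalised each log line to "timestamp|host|stage|detail"
(that normalisation is out of scope) and every event below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage vocabulary from Page 14, in kill-chain order.
KILL_CHAIN = ["recon", "weaponization", "delivery", "exploit_install", "c2_exfil"]
# A second, web-application ordering for the Page 20 trail (assumed labels).
WEB_TRAIL = ["sql_injection", "account_compromise", "malformed_upload"]

# Constructed SIEM extract. host-a accumulates stages in order over ten weeks;
# host-b only ever trips recon, which on its own is noise.
SAMPLE_EVENTS = """\
2015-01-05T09:12:00|host-a|recon|port sweep from 203.0.113.5
2015-01-05T09:40:00|host-b|recon|port sweep from 203.0.113.5
2015-02-11T14:03:00|host-a|delivery|spear-phish attachment invoice.doc opened
2015-02-11T14:05:00|host-a|exploit_install|new service installed: updater.exe
2015-03-20T02:17:00|host-a|c2_exfil|beacon to 198.51.100.7:443 every 60s
2015-04-02T11:00:00|host-b|recon|ping sweep from 203.0.113.9
"""

SAMPLE_WEB_EVENTS = """\
2015-05-01T10:00:00|www-1|sql_injection|GET /item?id=1' OR '1'='1 from 198.51.100.20
2015-05-01T10:09:00|www-1|account_compromise|logins to 14 customer accounts from 198.51.100.20
2015-05-01T10:30:00|www-1|malformed_upload|image upload with PHP in EXIF from 198.51.100.20
"""


def parse_events(text, stage_order):
    """Parse 'timestamp|host|stage|detail' lines into time-sorted tuples;
    an unknown stage label is a normalisation bug, so it raises."""
    events = []
    for line in text.strip().splitlines():
        ts, host, stage, detail = line.split("|", 3)
        if stage not in stage_order:
            raise ValueError(f"unknown stage {stage!r} in: {line}")
        events.append((datetime.fromisoformat(ts), host, stage, detail))
    return sorted(events)


def _longest_ordered_chain(stages, rank):
    """Longest subsequence whose stage rank strictly increases (O(n^2) LIS).
    A chain may skip stages: recon -> delivery -> c2_exfil still counts."""
    n = len(stages)
    best, prev = [1] * n, [-1] * n
    for j in range(n):
        for i in range(j):
            if rank[stages[i]] < rank[stages[j]] and best[i] + 1 > best[j]:
                best[j], prev[j] = best[i] + 1, i
    if n == 0:
        return []
    end = max(range(n), key=lambda k: best[k])
    chain = []
    while end != -1:
        chain.append(stages[end])
        end = prev[end]
    return chain[::-1]


def find_attack_chains(events, stage_order=KILL_CHAIN, window_days=243, min_stages=3):
    """Return {host: [stages]} for every host whose events contain at least
    min_stages stages in stage_order within a window_days dwell window.
    Single-stage alerts never qualify: it is the ordered accumulation across
    months, not any one alert, that marks the breach."""
    rank = {s: i for i, s in enumerate(stage_order)}
    by_host = defaultdict(list)
    for ts, host, stage, _ in events:
        by_host[host].append((ts, stage))
    chains = {}
    for host, items in by_host.items():
        longest = []
        for i, (start_ts, _) in enumerate(items):
            in_window = [s for ts, s in items[i:] if ts - start_ts <= timedelta(days=window_days)]
            chain = _longest_ordered_chain(in_window, rank)
            if len(chain) > len(longest):
                longest = chain
        if len(longest) >= min_stages:
            chains[host] = longest
    return chains


if __name__ == "__main__":
    print(find_attack_chains(parse_events(SAMPLE_EVENTS, KILL_CHAIN)))
    print(find_attack_chains(parse_events(SAMPLE_WEB_EVENTS, WEB_TRAIL), WEB_TRAIL, window_days=1))
```

Run as a script it reports host-a's four-stage chain and www-1's three-step web trail, and nothing for host-b. Two design choices matter. A chain may skip stages (the Page 16 case never shows a clean weaponization event on the victim), so the check is a longest-increasing-subsequence over stage rank rather than an exact pattern match. The window keeps a January port sweep from being tied to an unrelated beacon a year later; shrink it to 30 days and host-a drops below three stages, which is exactly why a 30-day SIEM retention (Page 12) loses these sequences.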

Page 21

User Account Compromise – VPN Authentication Errors

Incident detected in SIEM; Security Analyst investigates:
1. Analyze VPN access pattern of user over last 6 months – compare against Org and Dept
2. Analyze all failed and successful authentications for user over last 6 months – compare against Org and Dept
3. User Behavior Analytics – file downloads, URL access, application access, etc.
4. Device Behavior Analytics – destinations, bytes, protocols, ports, etc.
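Pages 19 and 21 describe the same investigative move: take one user's activity over the last six months (file downloads on Page 19, VPN authentication failures on Page 21) and compare it against the user's own history, the department and the org. The block below is an added example, not the deck's or Platfora's code, of that peer-group baseline. The directory, the per-department rates and the six-month history are all constructed (deterministically, so the numbers reproduce); the `kind` labels are assumed event types, and the z-score threshold is a starting point, not a calibrated value.

```python
"""Peer-group baselining of one user's activity against self, department and org.

Added example; not the deck's or Platfora's code. It assumes SIEM rows already
reduced to (day, user, dept, kind), where kind is an assumed label such as
"file_download" (Page 19) or "vpn_auth_failure" (Page 21). The directory and
the six-month history below are constructed, deterministically, for illustration.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

DIRECTORY = {  # constructed: user -> department
    "joe": "engineering", "ana": "engineering", "raj": "engineering",
    "kim": "finance", "lee": "finance",
}


def build_history(days=180, end=date(2015, 7, 24), kind="file_download"):
    """Constructed extract: a steady per-department daily volume with a small
    deterministic jitter; 'joe' jumps by 25 events/day in the final week."""
    base = {"engineering": 3, "finance": 1}
    rows = []
    for d in range(days):
        day = end - timedelta(days=days - 1 - d)
        for i, (user, dept) in enumerate(DIRECTORY.items()):
            n = base[dept] + (d + i) % 3            # jitter 0..2
            if user == "joe" and d >= days - 7:
                n += 25                             # the anomaly under investigation
            rows.extend((day, user, dept, kind) for _ in range(n))
    return rows


def daily_counts(rows, kind):
    """{user: {day: count}} for one event kind."""
    per_user = defaultdict(dict)
    for (day, user), n in Counter((r[0], r[1]) for r in rows if r[3] == kind).items():
        per_user[user][day] = n
    return per_user


def peer_profile(rows, user, kind, recent_days=7):
    """z-scores of the user's recent daily mean against three baselines: their
    own earlier history, their department peers, and the rest of the org.
    Every day is zero-filled so quiet days count against a spike."""
    per_user = daily_counts(rows, kind)
    days = sorted({r[0] for r in rows})

    def series(u):
        return [per_user[u].get(day, 0) for day in days]

    def z(value, baseline):
        sd = pstdev(baseline)
        return (value - mean(baseline)) / sd if sd else float("inf")

    own = series(user)
    recent = mean(own[-recent_days:])
    dept = DIRECTORY[user]
    peers = [u for u in DIRECTORY if u != user]
    dept_base = [v for u in peers if DIRECTORY[u] == dept for v in series(u)]
    org_base = [v for u in peers for v in series(u)]
    return {
        "recent_daily_mean": recent,
        "z_self": z(recent, own[:-recent_days]),
        "z_dept": z(recent, dept_base),
        "z_org": z(recent, org_base),
    }


def is_anomalous(profile, threshold=3.0):
    """Escalate only when the user is out of band on every baseline at once:
    a high z_self alone may be a new role, a high z_dept alone a busy team."""
    return all(profile[k] > threshold for k in ("z_self", "z_dept", "z_org"))


if __name__ == "__main__":
    history = build_history()
    for u in ("joe", "ana"):
        p = peer_profile(history, u, "file_download")
        print(u, {k: round(v, 2) for k, v in p.items()}, "anomalous" if is_anomalous(p) else "normal")
```

`peer_profile(history, "joe", "file_download")` puts joe's last-week daily mean at about 29 against a self baseline of about 4, so all three z-scores are far above threshold; `ana` stays inside her department's band. Calling the same function on an authentication extract with `kind="vpn_auth_failure"` is the Page 21 case, and the department baseline is what keeps it honest there: a travelling sales team on hotel Wi-Fi can legitimately fail far more often than engineering, and comparing only against the org would flag every one of them.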

Page 22

Detecting Breaches Through Security Investigations

• Forest through the Trees
• Understand Business Data
• Iterate and Pivot
• Petabytes of Data

Page 23

Big Data Security Analytics

Security Analyst needs (diagram): Forest through the Trees • Understand Business Data • Iterate and Pivot • Petabytes of Data

Platform (diagram): Visualization • End to End Platform • Hadoop/HDFS Analytics • Map Reduce/Spark • Connect Variety of Data

Pages 24–26

Security Incident Investigation (image-only slides)

Pages 27–30

User Behavior Analytics (image-only slides)

Page 31

Q&A and Additional SurfWatch Labs Resources

Get Additional Cyber Intel Resources:
• SurfWatch Cyber Risk Report: http://info.surfwatchlabs.com/Sample-Cyber-Risk-Report
• Big Data, Big Mess Whitepaper: http://info.surfwatchlabs.com/big-data-security-analytics

Learn About SurfWatch Solutions:
• SurfWatch Product Review: www.scmagazine.com/surfwatch-c-suite/review/4324/
• Schedule a Personal SurfWatch Demo: info.surfwatchlabs.com/request-demo

Page 32

Thank You!

www.surfwatchlabs.com
Follow us at: