Date posted: 25-Jul-2015
Category: Data & Analytics
Uploaded by: surfwatch-labs
How to Access and Make Use of Your “Trapped” Cyber Data to Reduce Your Risk
Today’s Speakers
Jason Polancich, Founder & Chief Architect, SurfWatch Labs
Mustafa Rassiwala, Director, Product Management, Platfora
Freeing Your Trapped Security Data!
Case Study: “Chocolate and Peanut Butter”
Extending a Manufacturing Company SIEM
Bridge the Gap Between Low-Level Tactics & Strategic Insights
SIEM Can Be Even More Powerful… How?
• Add the Strategy Piece: Low-level threat intel is only a small part of the full picture of risk
• Stop Navel-Gazing: An outside and inside view is necessary!
• Start Meerkat-ing: Situational awareness makes every defense operation better
• Make it Mean Something for Everyone: Connect security to business operations
• Enable Sustained Diligence: Both inside and outside of SECOPS
Customer Profile
Large Multi-National Manufacturing and Consumer Goods with Deep and Wide Supply Chain
Tech/Security Environment
•Geographically dispersed IT locations
•Lots of data sources, few source types
•Centralized SIEM analysis
•Historical SIEM data storage
•Focus on low-level, internal threat intel
•Static intel reporting and reactive alerting
•No strategic intelligence analysis function
It All Starts with Data …
Intuitive, Simple & Standardized
SIEM + Threat Intel
Instant Insights
Deep-Dive Analysis and Discovery
Petabytes of Data: Hadoop HDFS storage + Platfora analytics
Data sources feeding the platform:
•Network Security Data
•Endpoint Security Data
•Data Center Security Data
•SIEM Log/event Data (30 days)
•IT & Business Data: more data & business context (multi-structured), unlimited data
A complement to SIEM. Security Analyst uses Platfora for investigating incidents:
– User Behavior Analytics
– Network Data Based Analytics
– Device Communication Analytics
– Information Flow Analytics
Using Analytics to Understand the Impact of Cyber Over Time
A Typical Data Breach Lasts 243 Days
Recon
•Social Engineering
•Network Layout
Weaponization
•Targeted Malware
Delivery
•Spear Phishing
•Watering Hole Attacks
Exploit / Install
•Lateral Movement
C2C / Exfil
•Command Communication
•Data Exfiltration
Day 1 → Day 243: multiple attempts at each stage of the attack, each leaving a fingerprint of the attack in log files and security events
Anunak Gang Targeting Financial Institutions (FINANCIAL INSTITUTION APT)
Recon
•Government and Banking Partners
•Partnership with Bot Operators
•Search for existing malware already installed in banking environment
Weaponization
•Mimikatz
•MBR Eraser
•SoftPerfect Network Scanner
•Cain and Abel
Delivery
•Spear Phishing Email to Bank Employee
•From Government Email Acct
•Deliver new payload to existing malware
Exploit / Install
•Password of admin user on local machine
•Legitimate access to one server
•Compromise domain admin password from one server
•Gain access to and compromise domain controller accounts
•Gain access to email servers
C2C / Exfil
•Gain access to server and banking system admin workstations
•Install software for monitoring key system operators
•Remote access to servers of interest
TECHNOLOGY ORGANIZATION APT – SOURCE CODE BREACH
Recon
•Controlling “bounce” machines across the globe
•Social Media/LinkedIn/Usergroups/Support Forums etc.
•Corporate Website/Local Events
Weaponization
•Password Scraping Tools
•NetCat Backdoor
•Remote Access Tools
•Fake Game Download Site
•Other Techniques – Watering Hole Attacks
Delivery
•Targeted Phishing Email
•URL Link to Fake Game Site
•Download of Game – Install backdoor on user machine
•Installing Password Scraping and network scanning tools
Exploit / Install
•Backdoor Trojan Installation
•Network scans for open ports and services
•Connect to multiple fileshares
•Overwrite notepad.exe with malicious backdoor
C2C / Exfil
•Pass the Hash Attack
•VPN Connection from external source to maintain continuous access
•Covert TCP Channel bounced across servers
RETAIL ORGANIZATION APT – POINT OF SALE (POS) BREACH
Recon
•Store Expansion Information
•Physical scouting of the stores
•Network Scanning
•Detect Open Ports for TCP and UDP; discover webserver and DNS server
Weaponization
•Wireless LAN Assessment Tool
•MAC Address Detection from SSID
•MAC Address Spoofing
Delivery
•Ping Sweep
•Reverse DNS lookup of Server IP
•Port Scan
•Password Guessing – connect to FTP Server
Exploit / Install
•Network Exploration
•Connection over VPN to FTP servers across network
•Access to Credit Card Data
C2C / Exfil
•Buffer Overflow Attack on Backup Program
•Installation of Sniffer to watch internal traffic
•Port Scan of Server
•SQL Injection on Web Application
•Access to database records of millions of Credit Cards
Major Challenges When Detecting Breaches
Recon → Weaponization → Delivery → Exploit / Install → C2C / Exfil: 243 days
•Difficult to recognize the sequence of attacks in petabytes of data
•Data silos make it hard to understand your critical business data
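The challenge above is that each stage of a 243-day intrusion shows up as a single, individually unremarkable event in a different data source (proxy, EDR, firewall, DLP), so a day-by-day review never sees the sequence. The following is an added example (not SurfWatch or Platfora code) of the correlation that makes the sequence visible: events from several sources are mapped to kill chain stages and, per host, the longest in-order progression through the stages within a long window is reported. The source-to-stage mapping and the sample events are constructed for the illustration and are not taken from any real deployment.

```python
"""Correlate low-and-slow kill chain stages per host across data sources.
Added example; not SurfWatch/Platfora code. STAGE_MAP and SAMPLE_EVENTS
are hypothetical/constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill chain stages in the order the deck uses.
STAGES = ["recon", "weaponization", "delivery", "exploit_install", "c2_exfil"]

# Hypothetical mapping from (log source, event type) to a stage. A real
# deployment would derive this from its own SIEM rule names.
STAGE_MAP = {
    ("email", "phishing_link_click"): "delivery",
    ("proxy", "suspicious_download"): "delivery",
    ("edr", "new_service_installed"): "exploit_install",
    ("edr", "credential_dump_tool"): "exploit_install",
    ("ids", "internal_port_scan"): "exploit_install",  # lateral movement
    ("firewall", "periodic_beacon"): "c2_exfil",
    ("dlp", "large_outbound_transfer"): "c2_exfil",
}

BASE = datetime(2015, 1, 1)


def _day(n):
    return BASE + timedelta(days=n)


# Constructed sample events: each host produces at most one event per day,
# so a daily review of any single source sees nothing unusual.
SAMPLE_EVENTS = [
    {"ts": _day(1),   "host": "ws-042", "source": "proxy",    "type": "suspicious_download"},
    {"ts": _day(20),  "host": "ws-042", "source": "edr",      "type": "new_service_installed"},
    {"ts": _day(61),  "host": "ws-042", "source": "firewall", "type": "periodic_beacon"},
    {"ts": _day(200), "host": "ws-042", "source": "dlp",      "type": "large_outbound_transfer"},
    {"ts": _day(3),   "host": "ws-007", "source": "proxy",    "type": "suspicious_download"},
    {"ts": _day(260), "host": "ws-007", "source": "firewall", "type": "periodic_beacon"},  # outside window
    {"ts": _day(5),   "host": "ws-009", "source": "firewall", "type": "periodic_beacon"},
    {"ts": _day(30),  "host": "ws-009", "source": "email",    "type": "phishing_link_click"},  # wrong order
    {"ts": _day(70),  "host": "srv-db-01", "source": "ids",   "type": "internal_port_scan"},
    {"ts": _day(70),  "host": "srv-db-01", "source": "av",    "type": "signature_update"},  # unmapped noise
]


def find_chains(events, window_days=243, min_stages=3):
    """Return {host: [(stage, date, source), ...]} for hosts whose events form
    an in-order progression through at least min_stages distinct stages, all
    within window_days of the chain's first event."""
    window = timedelta(days=window_days)
    by_host = defaultdict(list)
    for e in events:
        stage = STAGE_MAP.get((e["source"], e["type"]))
        if stage is None:
            continue  # events with no kill chain meaning are dropped
        by_host[e["host"]].append((e["ts"], STAGES.index(stage), e))

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda x: x[0])
        best = []  # best[i]: longest valid chain (list of indices) ending at event i
        for i, (ts_i, st_i, _) in enumerate(evs):
            chain = [i]
            for j in range(i):
                cand = best[j]
                if (evs[j][1] < st_i                          # strictly later stage
                        and ts_i - evs[cand[0]][0] <= window  # within window of chain start
                        and len(cand) + 1 > len(chain)):
                    chain = cand + [i]
            best.append(chain)
        top = max(best, key=len)
        if len(top) >= min_stages:
            findings[host] = [
                (STAGES[evs[k][1]], evs[k][0].date().isoformat(), evs[k][2]["source"])
                for k in top
            ]
    return findings


if __name__ == "__main__":
    for host, chain in find_chains(SAMPLE_EVENTS).items():
        print(host, " -> ".join(f"{s}@{d} ({src})" for s, d, src in chain))
```

With the sample data only ws-042 is reported (delivery, exploit/install, C2/exfil over 60 days); ws-007 has the same two-stage shape but its beacon falls outside the 243-day window, and ws-009's events occur in the wrong order. Shrinking the window to 30 days, as a SIEM with 30 days of retention effectively does, loses the ws-042 chain entirely, which is the point of keeping long-horizon data.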
Suspicious File Downloaded by User A – Possible Spear Phishing Attack
Incident detected in SIEM; Security Analyst investigates:
1. Analyze file download pattern for the user (Joe) over the last 6 months – compare against Org and Dept statistics
2. Analyze device behavior anomalies – examine data over the last 6 months and compare against various dimensions
3. Analyze source of download – analyze all communication to the source domain across Org and Dept over the last 6 months
4. Analyze all communication paths of the device and Joe to uncover if the attack has spread
Malformed Image File Spread – SQL Injection Based Attack
Incident detected in SIEM; Security Analyst investigates:
1. Analyze all recent incidents related to the user and device and compare over the last 6 months (various statistics)
2. Analyze communication between endpoint and internal web server
3. Analyze webserver compromise – internal and external communication mapped and analyzed for anomalies
4. Follow trail of SQL Injection attack followed by compromise of customer accounts and malformed file upload
User Account Compromise – VPN Authentication Errors
Incident detected in SIEM; Security Analyst investigates:
1. Analyze VPN access pattern of user over the last 6 months – compare against Org and Dept
2. Analyze all failed and successful authentications for user over the last 6 months – compare against Org and Dept
3. User Behavior Analytics – file downloads, URL access, application access etc.
4. Device Behavior Analytics – destinations, bytes, protocols, ports etc.
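All three playbooks above (suspicious download, SQL-injection-driven file spread, VPN authentication errors) rest on the same step: take the subject's recent activity on some metric and compare it against six months of the subject's own history, the department, and the organisation. The block below is an added example of that baseline comparison (not SurfWatch or Platfora code). It uses constructed, deterministic daily counts for six hypothetical users in two departments with two injected anomalies, and it scores the recent week as a z-score against each of the three baselines; the floor on the standard deviation and the 3-sigma threshold are assumptions chosen for the illustration.

```python
"""Baseline a subject's recent activity against its own history, its
department and the whole organisation. Added example; not SurfWatch/Platfora
code. USERS and SAMPLE_RECORDS are constructed, deterministic test data."""
import statistics

USERS = [("joe", "sales"), ("sue", "sales"), ("bob", "sales"),
         ("ann", "eng"), ("raj", "eng"), ("lin", "eng")]
DAYS = 180  # roughly the "last 6 months" the playbooks refer to


def build_sample_records():
    """Synthetic per-user daily counts; no randomness so results are stable."""
    recs = []
    for i, (user, dept) in enumerate(USERS):
        for d in range(DAYS):
            base = 1 if dept == "sales" else 8          # eng pulls far more files
            downloads = base + (d + i) % 3
            vpn_fail = 1 if (d + i) % 15 == 0 else 0    # occasional typo
            if user == "joe" and d >= DAYS - 7:         # injected anomaly: 12-14/day
                downloads = 12 + d % 3
            if user == "sue" and d >= DAYS - 7:         # injected anomaly: 6-7 failures/day
                vpn_fail = 6 + d % 2
            recs.append({"day": d, "user": user, "dept": dept,
                         "downloads": downloads, "vpn_failures": vpn_fail})
    return recs


SAMPLE_RECORDS = build_sample_records()


def _zscore(recent, hist, min_sd):
    # Floor the spread so a near-constant history does not produce absurd scores.
    sd = max(statistics.pstdev(hist), min_sd)
    return (statistics.fmean(recent) - statistics.fmean(hist)) / sd


def baseline_compare(records, subject, metric, recent_days=7,
                     min_sigma=3.0, min_sd=0.5):
    """Score the subject's last recent_days of `metric` against three baselines.
    A finding requires deviation from BOTH the subject's own history and the
    department; the org-wide score is reported for context only."""
    last_day = max(r["day"] for r in records)
    cutoff = last_day - recent_days + 1
    dept = next(r["dept"] for r in records if r["user"] == subject)
    own_hist = [r[metric] for r in records if r["user"] == subject and r["day"] < cutoff]
    own_recent = [r[metric] for r in records if r["user"] == subject and r["day"] >= cutoff]
    dept_hist = [r[metric] for r in records
                 if r["user"] != subject and r["dept"] == dept and r["day"] < cutoff]
    org_hist = [r[metric] for r in records if r["user"] != subject and r["day"] < cutoff]
    result = {
        "subject": subject, "metric": metric,
        "recent_mean": statistics.fmean(own_recent),
        "own_z": _zscore(own_recent, own_hist, min_sd),
        "dept_z": _zscore(own_recent, dept_hist, min_sd),
        "org_z": _zscore(own_recent, org_hist, min_sd),
    }
    result["flag"] = result["own_z"] >= min_sigma and result["dept_z"] >= min_sigma
    return result


def investigate(records, subject, metrics=("downloads", "vpn_failures")):
    """Run the comparison for every metric an analyst would pivot on."""
    return {m: baseline_compare(records, subject, m) for m in metrics}


if __name__ == "__main__":
    for user in ("joe", "sue", "ann"):
        for m, r in investigate(SAMPLE_RECORDS, user).items():
            print(f"{user:4s} {m:13s} recent={r['recent_mean']:5.2f} "
                  f"own_z={r['own_z']:6.2f} dept_z={r['dept_z']:6.2f} "
                  f"org_z={r['org_z']:6.2f} flag={r['flag']}")
```

Joe's download spike and Sue's authentication failures are flagged against both their own history and their department. Ann, in the heavy-downloading engineering department, scores higher against the organisation than against her department but is not flagged; comparing only against org-wide statistics, as the playbooks caution, would rank her above genuinely anomalous users.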
Detecting Breaches Through Security Investigations
•Forest through the Trees
•Understand Business Data
•Iterate and Pivot
•Petabytes of Data
Big Data Security Analytics
•Forest through the Trees
•Understand Business Data
•Iterate and Pivot
•Petabytes of Data
End to End Platform: Visualization, Analytics, Hadoop/HDFS, Map Reduce/Spark, Connect Variety of Data, Security Analyst
Security Incident Investigation
User Behavior Analytics
Q&A and Additional SurfWatch Labs Resources
Get Additional Cyber Intel Resources:
•SurfWatch Cyber Risk Report: http://info.surfwatchlabs.com/Sample-Cyber-Risk-Report
•Big Data, Big Mess Whitepaper: http://info.surfwatchlabs.com/big-data-security-analytics
Learn About SurfWatch Solutions:
•SurfWatch Product Review: www.scmagazine.com/surfwatch-c-suite/review/4324/
•Schedule a Personal SurfWatch Demo: info.surfwatchlabs.com/request-demo
Thank You!
www.surfwatchlabs.com
Follow us at: