Removing Blind Spots in Network Visibility to Stop Data Theft
Stephen Newman, CTO, Damballa
Thursday, October 29, 11:20 AM - 11:50 AM
CONFIDENTIAL AND PROPRIETARY | ©2014 DAMBALLA
CLUES TO A CRIME
Photo Source: NBC
CYBERCRIMES IN 1H 2015
577 Breaches
155M+ Records
Source: Identity Theft Resource Center, 2015 Data Breach Category Summary
DETECTION TAKES TOO LONG
229 days to discover a breach
67% discovered by 3rd parties
Source: Mandiant’s 2014 M-Trends Report
Time to discover a breach (share of incidents):
Minutes: 11%
Hours: 13%
Days: 17%
Weeks: 25%
Months: 29%
Years: 5%
Tsunami of Noise
Layers of Security Prevention Products
BLINDED BY ALERTS
Uncertainty About Actual Threats
Overwhelming volume
High rate of false positives
Snapshot-in-time data
Information without context
Diagram: known and unknown indicators across the security stack
Endpoint Security: AV, HIPS
Network Security: FW, DNS FW, IDS/IPS, WSG/Proxy, VM Sandbox
Goal: Proof of Infection
LOTS OF EVIDENCE BUT NO PROOF
PREVENTION IS BLIND TO EVASIVE MALWARE
Initial Infection
Dropper
Update/Repurpose
Updater Site Downloader Site
Initial C&C and 2nd Repurpose
C&C Portals
C&C Proxies
Repository
Initial Infection
Files Downloaded
HOW CAN YOU REMOVE THE BLINDERS?
Initial C&C and 2nd Repurpose
C&C Portals
C&C Proxies
Automation
Emergent Threat
Domain Fluxing
Update/Repurpose
Queries
P2P Activity
HTTP Attempts
Communications with C&C
Executed files
WHAT IF YOU COULD ELIMINATE GUESSWORK?
Slog through alerts
Dig through logs
Chase false positives
Correlate data
Make assumptions
Act/Don’t Act?
Instrument the network for detection
Indicators of compromise are monitored
Pieces of evidence are corroborated
Proof of infection is verified
High-risk devices are prioritized
Data theft is averted
NETWORK SECURITY MONITORING BY DAMBALLA
YOUR NETWORK TRAFFIC
& DEVICES
RISK PROFILERS
Activity
Importance
Intent
DETECTION ENGINES
Behaviors
Content
Threats
CASE ANALYZER & MANAGER
TRUE POSITIVES CONFIRMED
CLOSED CASES
Threat Discovery Center
IR TEAM
TAKEAWAYS
Prevent what you can
Understand how malware evades detection
Instrument the network to discover hidden threats
A compromise doesn’t have to lead to a breach
Respond in a prioritized way based on risk factors