Bad guys are lurking in your network neighborhood, kicking doors and testing entry points, all the time. Threatscape 2015 is evolving rapidly, but your resources and staff may not be enough to meet these challenges. Most IT security heads and admins are so busy managing operations and ensuring the company's ongoing security efforts that "detection deficit" sets in and they miss key indicators that their network has been compromised.

Learn about:
• Rogue process detection
• Evidence of persistence
• Suspicious traffic
• Unknown processes
• Unusual OS artifacts
Detect Active Cyber-Attacks in Real Time. Protect your Network.
Threatscape 2015: Big problem • Expensive • Detection Deficit • Insider? Outsider?
EventTracker Threatscape 2015: New cyber security reality for the under-staffed enterprise • Assume that a successful, damaging cyber attack on your infrastructure has already occurred • 200+ days on average before detection • 100% of larger orgs are attacked every day; 1 in 5 SMEs are targeted each year • 76% of all intrusions involve compromised credentials • "Bad traffic" is now encrypted, which thwarts network packet inspection by IDS/IPS • Evidence of intrusions gets buried within millions of other artifacts • Prevention (firewalls, AV, AD/NAC, IDS/IPS) is not enough • 100% of breached orgs already had these in place
DFIR in EventTracker v8 Addressing the Detection Deficit • Perform automated DFIR on Windows workstations and servers • Move endpoint digital forensics to daily SOP for early detection of: • Rogue Processes • Unknown Services Running • Unusual OS artifacts • Evidence of Persistence • Suspicious Network Activity
Solution to the problem: 90% automation / 10% investigation • Implement post-mortem forensics and analysis as real-time SOP for earlier detection of threats • Deploy advanced, purpose-built threat sensors • Threat intelligence feeds integrated and correlated to actual enemy contact in real time • Behavior analysis / anomaly detection based on heuristics • Application whitelisting • And most importantly… skilled people paying attention to the basics, 365 days a year – especially server and workstation skills
Market feedback • Security Gap • Compliance ≠ Security • Stakeholders personally affected by breaches • Compliance is a requirement • Help reduce cost • Skill shortage • Impacting ROI on SIEM projects • Machine learning, less rules tweaking
Existing defenses? • Anti Virus • Catches "some" malware based on signatures • Attackers are "hip to its jive" • IDS • Detects network-borne attacks • Can't see the endpoint, or inside "legitimate"-looking or encrypted traffic • DLP • Can catch data movement to/from removable media • SIEM • Sees all logs, but is everything logged?
How are they attacking? • Malware-based • Threat: Establish Beachhead • Threat: Lateral Movement • Threat: Exfiltrate data • Compromised credentials-based • Threat: Valid programs for invalid purpose • Threat: Out-of-ordinary
Threat: Establish beachhead • Malware lands on the endpoint • As e-mail attachment? • From infected USB? • Evades Anti Virus • Defense • Detect launch of every process • Compare hash against safe list (local and NSRL) • Alert if first-time-seen and not on safe list • Caveat: Requires framework & a watcher
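The beachhead defense above is a procedure: hash every launched image, compare against a safe list, alert only on the first sighting of an unknown hash. The following is an added example of that logic written for this page; it is not EventTracker code, and the hashes, hosts, users and image paths it uses are constructed. It models the sensor output as process-creation records carrying the fields of Security event 4688 plus the image hash the sensor computes.

```python
"""Added example (not EventTracker's code): first-time-seen process detection.

Each process launch is reduced to the SHA-256 of its image. Hashes on the safe
list (a local allow-list plus an NSRL-style known-good set) are ignored. A hash
that is not on the safe list and has never been observed anywhere on the estate
raises exactly one alert; later launches of the same unknown image are counted
but not re-alerted, so the analyst gets one ticket per new binary.
Hashes, hosts, users and paths are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed 64-hex-character digests standing in for real SHA-256 values.
H_NOTEPAD = "a3" * 32   # would come from the NSRL known-good set
H_AGENT = "b4" * 32     # locally approved management agent
H_INVOICE = "c5" * 32   # never seen before: an e-mail "attachment"
H_PUTTY = "d6" * 32     # legitimate tool, but not approved on this estate

NSRL_KNOWN_GOOD = {H_NOTEPAD}
LOCAL_SAFE_LIST = {H_AGENT}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Alert:
    host: str
    user: str
    image: str
    sha256: str
    reason: str


@dataclass
class FirstSeenDetector:
    safe_hashes: set
    seen: dict = field(default_factory=dict)   # sha256 -> launch count so far

    def observe(self, ev):
        """Return an Alert for the first launch of an unknown image, else None."""
        h = ev["sha256"].lower()
        if h in self.safe_hashes:
            return None                        # known good, regardless of path
        self.seen[h] = self.seen.get(h, 0) + 1
        if self.seen[h] > 1:
            return None                        # already alerted; just counting
        reason = "first-time-seen image not on safe list"
        # An image executing from a user-writable location is the classic
        # e-mail-attachment / USB drop; note it so triage can prioritise.
        if any(p in ev["image"].lower() for p in USER_WRITABLE):
            reason += "; image under user-writable path"
        return Alert(ev["host"], ev["user"], ev["image"], h, reason)


def run(events, safe_hashes=NSRL_KNOWN_GOOD | LOCAL_SAFE_LIST):
    """Feed process-creation events through one detector; return alerts and counts."""
    det = FirstSeenDetector(set(safe_hashes))
    alerts = [a for a in (det.observe(e) for e in events) if a is not None]
    return alerts, det.seen


# Constructed process-creation records: the fields a sensor takes from
# Security event 4688 (host, user, image) plus the image hash it computes.
SAMPLE_EVENTS = [
    {"host": "WS-MKT-01", "user": "alice", "image": "C:\\Windows\\System32\\notepad.exe", "sha256": H_NOTEPAD},
    {"host": "WS-MKT-01", "user": "alice", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "sha256": H_INVOICE},
    {"host": "WS-MKT-01", "user": "alice", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "sha256": H_INVOICE},
    {"host": "WS-MKT-02", "user": "bob", "image": "C:\\Program Files\\Acme\\agent.exe", "sha256": H_AGENT},
    {"host": "WS-MKT-02", "user": "bob", "image": "C:\\Tools\\putty.exe", "sha256": H_PUTTY},
]

if __name__ == "__main__":
    found, counts = run(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.host}] {a.user} launched {a.image} ({a.sha256[:12]}...): {a.reason}")
    print("launch counts of unknown images:", counts)
```

Two alerts come out of the five events: invoice.exe (first sighting, user-writable path) and putty.exe (first sighting, approved nowhere); the second invoice.exe launch only increments the counter. The detector says "new", not "bad", which is the slide's caveat about needing a watcher: every patch cycle changes the hash of legitimate binaries, so the safe list has to be refreshed in step or the analyst drowns in first-seen alerts.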
Threat: Lateral movement • Move from less to more valuable systems • From desktop to server/firewall • Defense • User behavior, location affinity (which hosts does this user normally touch?) • Trace files left on the endpoint (Prefetch, Default.rdp, etc.) • Valid but unusual EXE presence (e.g. route.exe) • Caveat: Requires framework + machine learning
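The "user behavior, location affinity" defense is a baseline-and-compare check: learn which hosts each user normally logs on to, then score logons to hosts outside that set, more sharply when the logon is remote and when it hops from a desktop to a server. The block below is an added example written for this page, not EventTracker code; the hosts, tiers, users and logon records are constructed, with fields modelled on Security event 4624.

```python
"""Added example (not EventTracker's code): user-to-host location affinity.

A baseline of logons (fields modelled on Security event 4624: account, target
host, logon type, and the workstation the logon came from) is reduced to the
set of hosts each user normally touches. A logon to a host outside that set is
scored higher when it is a remote logon (type 3 network, type 10
RemoteInteractive/RDP) and higher still when it hops from a workstation to a
server, the desktop-to-server move the slide describes.
Hosts, users, tiers and events are constructed for the example.
"""
from collections import defaultdict

# Constructed asset tiers; in practice this comes from AD OUs or the CMDB.
HOST_TIER = {
    "WS-MKT-01": "workstation", "WS-MKT-02": "workstation",
    "FS-01": "server", "FW-MGMT": "server",
}
REMOTE_LOGON_TYPES = {3: "network", 10: "RemoteInteractive (RDP)"}


def build_affinity(baseline_logons):
    """user -> set of hosts seen during the (assumed clean) learning window."""
    affinity = defaultdict(set)
    for ev in baseline_logons:
        affinity[ev["user"]].add(ev["host"])
    return affinity


def score_logon(ev, affinity):
    """Return (severity, reason) for an off-baseline logon, or None if usual."""
    if ev["host"] in affinity.get(ev["user"], set()):
        return None
    reasons = [f"{ev['user']} has no history on {ev['host']}"]
    severity = "low"
    if ev["logon_type"] in REMOTE_LOGON_TYPES:
        reasons.append(f"remote logon type {ev['logon_type']} "
                       f"({REMOTE_LOGON_TYPES[ev['logon_type']]})")
        severity = "medium"
    if (HOST_TIER.get(ev.get("src_host", ""), "unknown") == "workstation"
            and HOST_TIER.get(ev["host"], "unknown") == "server"):
        reasons.append(f"workstation {ev['src_host']} to server {ev['host']}")
        severity = "high"
    return severity, "; ".join(reasons)


def evaluate(baseline_logons, new_logons):
    """Score a batch of new logons against the baseline; return the anomalies."""
    affinity = build_affinity(baseline_logons)
    out = []
    for ev in new_logons:
        hit = score_logon(ev, affinity)
        if hit:
            out.append((ev["user"], ev["host"], *hit))
    return out


# Constructed learning window: each user interactive on their own desktop,
# a backup service account on the file server (logon type 5 = service).
BASELINE = (
    [{"user": "alice", "host": "WS-MKT-01", "logon_type": 2, "src_host": "WS-MKT-01"}] * 20
    + [{"user": "bob", "host": "WS-MKT-02", "logon_type": 2, "src_host": "WS-MKT-02"}] * 20
    + [{"user": "svc_backup", "host": "FS-01", "logon_type": 5, "src_host": "FS-01"}] * 20
)
# Constructed new day: one usual logon per user plus two off-baseline hops.
NEW_LOGONS = [
    {"user": "alice", "host": "WS-MKT-01", "logon_type": 2, "src_host": "WS-MKT-01"},
    {"user": "alice", "host": "FS-01", "logon_type": 10, "src_host": "WS-MKT-01"},   # RDP desktop->server
    {"user": "bob", "host": "WS-MKT-01", "logon_type": 3, "src_host": "WS-MKT-02"},  # peer workstation
    {"user": "svc_backup", "host": "FS-01", "logon_type": 5, "src_host": "FS-01"},
]

if __name__ == "__main__":
    for user, host, sev, why in evaluate(BASELINE, NEW_LOGONS):
        print(f"{sev.upper():6} {user} -> {host}: {why}")
```

Alice's RDP session from her desktop to FS-01 scores high; Bob's network logon to a peer workstation scores medium; the two routine logons produce nothing. The caveat on the slide applies: this is a frequency baseline, not machine learning, so a new hire alerts on every host until learned, and credentials already compromised during the learning window poison the baseline.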
Threat: Exfiltrate data • Hides as normal traffic • Avoids detection by proxy and network monitor • Defense • Monitor network activity (esp. north/south) for out-of-the-ordinary behavior • IDS is useful but can't say which process was responsible • An unknown process connecting to a low-reputation outside address is a strong indicator
Endpoint Threat Detection & Response • What is required to defend today’s network? • A framework to collect endpoint data • Running processes, network connections, windows services, users, registry entries, more • A central repository which can receive, store and index the data • An expandable ruleset to baseline and analyze the data • And (wait for it...) an analyst to triage/review/escalate for remediation
Scenario • Win 7 desktop; user is with marketing dept • Required to visit external websites regularly • Defenses • Up to date platform (win updates) • DHCP address • Next Gen firewall • Up to date, brand name Anti Virus • IDS with updated signatures scanning north/south
What was seen • New Windows service created • Persists across logoff and reboot • Invisible to the normal user • Connects to an external site • Avoids proxy detection by connecting directly to an IP address • Avoids blocking by using port 80 • Trace-back showed a phishing e-mail, apparently from HR • About 14 hours later, anti-malware signatures updated and a deep scan suggested it was "Blakamba" • Three days later, anti-malware showed other files in temp folders with the same signature
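The exfiltration slide's point (an unknown process talking to a low-reputation outside address is a strong indicator, and IDS alone cannot name the process) and the scenario above (new service from a temp folder, direct-to-IP on port 80 to dodge the proxy) call for the same correlation: join persistence and network evidence per process. The block below is an added example of that join written for this page and covering both passages; it is not EventTracker code. The proxy address, reputation list, hosts, paths and IPs are constructed, with the service events modelled on System event 7045.

```python
"""Added example (not EventTracker's code): persistence + network correlation.

Two constructed endpoint event streams are correlated per (host, image):
  * service installs, with the fields of Windows System log event 7045
    (service name, image path, start type);
  * outbound connections attributed to a process (image, destination IP/port,
    and the hostname the process resolved, if any).
A service whose binary lives outside the trusted program directories is a
persistence indicator. A connection to a non-internal address made to a raw IP
on port 80/443 (no hostname, not via the corporate proxy) is the proxy-bypass
pattern from the scenario. Either alone is noise; together, plus a hit on a
low-reputation address list, they are escalated.
Proxy address, reputation list, hosts, paths and IPs are all constructed.
"""
import ipaddress
from collections import defaultdict

# Only RFC1918/loopback/link-local count as internal here. The 203.0.113.0/24
# and 198.51.100.0/24 documentation ranges stand in for Internet addresses,
# which is why ipaddress' is_global (False for those ranges) is not used.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
CORP_PROXY = ("10.0.0.5", 8080)            # constructed; kept explicit for DMZ proxies
LOW_REPUTATION_IPS = {"203.0.113.77"}      # constructed threat-feed entry


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def service_indicators(ev):
    """Indicators from a 7045-style 'new service installed' event."""
    if ev["image"].lower().startswith(TRUSTED_DIRS):
        return []
    how = "auto-start, survives reboot" if ev["start_type"] == "auto" else ev["start_type"]
    return [("persistence",
             f"service {ev['service']!r} installed from untrusted path {ev['image']} ({how})")]


def network_indicators(ev):
    """Indicators from one process-attributed outbound connection."""
    ip, port = ev["dest_ip"], ev["dest_port"]
    if is_internal(ip) or (ip, port) == CORP_PROXY:
        return []
    found = [("external", f"direct connection to {ip}:{port}, not via proxy")]
    if ev["dest_host"] is None and port in (80, 443):
        found.append(("proxy_bypass", f"raw IP on port {port}: no hostname for proxy/URL filtering"))
    if ip in LOW_REPUTATION_IPS:
        found.append(("low_reputation", f"{ip} is on the low-reputation list"))
    return found


def severity(tags):
    if {"persistence", "low_reputation"} <= tags or len(tags) >= 3:
        return "critical"
    return {2: "high", 1: "medium"}.get(len(tags), "info")


def correlate(service_events, net_events):
    """Group indicators per (host, image) and return scored findings."""
    per_image = defaultdict(list)
    for ev in service_events:
        per_image[(ev["host"], ev["image"].lower())].extend(service_indicators(ev))
    for ev in net_events:
        per_image[(ev["host"], ev["image"].lower())].extend(network_indicators(ev))
    findings = {}
    for key, inds in per_image.items():
        if inds:
            tags = {t for t, _ in inds}
            findings[key] = {"severity": severity(tags), "indicators": [txt for _, txt in inds]}
    return findings


def run_example():
    # Constructed events for the scenario: a marketing workstation where a
    # service was dropped in Temp, beside two legitimate programs.
    services = [
        {"host": "WS-MKT-03", "service": "WinUpdSvc",
         "image": "C:\\Users\\carol\\AppData\\Local\\Temp\\svchost32.exe", "start_type": "auto"},
        {"host": "WS-MKT-03", "service": "AcmeAgent",
         "image": "C:\\Program Files\\Acme\\agent.exe", "start_type": "auto"},
    ]
    connections = [
        {"host": "WS-MKT-03", "image": "C:\\Users\\carol\\AppData\\Local\\Temp\\svchost32.exe",
         "dest_ip": "203.0.113.77", "dest_port": 80, "dest_host": None},
        {"host": "WS-MKT-03", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
         "dest_ip": "10.0.0.5", "dest_port": 8080, "dest_host": "proxy.corp.example"},
        {"host": "WS-MKT-03", "image": "C:\\Program Files\\Acme\\agent.exe",
         "dest_ip": "10.0.0.20", "dest_port": 443, "dest_host": "agent-hub.corp.example"},
        {"host": "WS-MKT-03", "image": "C:\\Program Files\\Acme\\agent.exe",
         "dest_ip": "198.51.100.10", "dest_port": 443, "dest_host": "updates.acme.example"},
    ]
    return correlate(services, connections)


if __name__ == "__main__":
    for (host, image), f in run_example().items():
        print(f"{f['severity'].upper():8} {host} {image}")
        for line in f["indicators"]:
            print("   -", line)
```

The dropped svchost32.exe collects all four indicators and is rated critical; the agent's one direct connection to an update host outside the proxy is a single weak indicator rated medium (worth a look, not a page-out); the browser, going through the proxy, produces nothing. The per-process attribution is what the IDS in the slide cannot supply: the sensor on the endpoint, not the network tap, knows which image opened the socket.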
EventTracker Framework • Central Console • Data Collection • Indexing • Analysis • Storage • Sensor for Windows • MS Gold certified • Runs in user space • Tiny footprint • Options for IDS, Vulnerability Assess, Packet inspection
SIEM Simplified: Co-Managed Services for Success (text recovered from a product diagram) • Service tiers: RUN | WATCH | TUNE | COMPLY • Security Center: Correlation, Alerts & Analysis, Attackers & Targets, Real Time Dashboards, Endpoint Threat Detection & Response (ETDR/DFIR), Advanced Managed Integrated Threat Feeds, Managed SNORT IDS, Incident Investigations, "SANS" Log Book, User Behavior Affinity & Analysis, Log Search & Forensics, File Integrity Monitoring, Vulnerability Assessment • Compliance Center: Streamlined Compliance Workflow & Reporting, Configuration Assessment, Centralized Log Management; PCI-DSS | HIPAA | FFIEC | FISMA | Gov. | Military | ISO 27001(2) | GPG 13 • DATA MART • Hardened • Diligent
SIEM Simplified Services: expert help with EventTracker software installed on premise or in the cloud… • EventTracker provides Alerts, Reports, Dashboards, Search and Auditing of Changes across Your IT Assets, for Your Staff • We provide remote Managed Services from the EventTracker Control Center, with remote access to EventTracker only: • RUN: Basic ET Admin – Threat Feeds • WATCH: Analytics / Remediation Recommendations • COMPLY: Compliance Services • TUNE: Advanced ET Tuning • ET VAS – Vulnerability Assessment Service • ET IDS – Managed SNORT – signature updates
Secure your Network Your Challenge: Growing attack frequency and sophistication Your Need: Cost effective threat remediation. Scalable & Smart