Download networkworld - Sift Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
Document related concepts

Carrier IQ wikipedia , lookup

Wireless security wikipedia , lookup

Airport security wikipedia , lookup

Microsoft Security Essentials wikipedia , lookup

Data remanence wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Unix security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Computer security wikipedia , lookup

Malware wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Mobile security wikipedia , lookup

Transcript 
NETWORKWORLD
www.networkworld.com
July 22, 2016
The Leader In Network Knowledge
Sift Security helps SecOps teams analyze and visualize
patterns of threats and speed up investigations
By Linda Musthaler, Principal Analyst with Essential Solutions Corp.
There's a powerful new generation of security tools
coming to market designed to help security operations
(SecOps) teams find and react to threats much quicker
than before. The best of these tools also enable
security analysts to proactively hunt for threats that
might be present in their enterprise environment.
Symantec reports there will be a projected shortfall of
1.5 million cybersecurity professionals by the year
2019, meaning the people who currently do this job are
stretched thin.
These tools bring data together from disparate sources
and begin to connect the dots so analysts can dive
right into the investigation without having to search
for relevant data points. The products tend to
eliminate the manual work of sifting through logs,
finding all the relevant data, and trying to find
correlations among the events.
Sift Security is a new player that is out to make it
easier, faster and less frustrating for SecOps teams to
get their jobs done. Sift Security's Threat Hunting &
Investigation Platform has a visual user interface that
helps the security analyst see complex threat patterns
at a glance. The UI shows which anomalous activities
and entities are related and helps to prioritize the
alerts that deserve further investigation.
Why are these tools so desperately needed? Consider
some of the statistics that illustrate the pain points of
the enterprise security operations team:


According to Mandiant, the average number of
days it takes to detect a data breach is 205.
Verizon says the detection deficit is getting worse,
and approximately 80% of compromises are
detected by law enforcement or third parties.
Gartner says that detection is only a small part of
managing an incident, with the majority of the work
coming after the discovery and requiring more
resources.
Ponemon Institute reports that, on average,
organizations receive almost 17,000 alerts a week just
on malware alone. Of these, only 3,218 are deemed
reliable and 705 are actually investigated. What's more,
organizations waste an average of 395 hours per week
detecting and containing malware because of false
positives and/or false negatives, costing approximately
$1.27 million annually.
Clearly, SecOps teams need a better way to work.
The Sift Security platform has four elements: Graph
Mapper, Sifter, Investigator and Terminator. Here's
how they work together.
As soon as a customer installs the Sift Security
software (on premises or on AWS using commodity
hardware), the platform begins to ingest data from
whatever sources are pointed to it. These can be
existing logs or custom or proprietary logs. Since Sift
Security's software isn't priced according to data
volumes like some security products are, the customer
can feed the Sift Security platform as much data as
desired. Graph Mapper then creates a graph data
structure and index from the raw logs. This is where
meaningful relationships among entities such as
workstations, hosts, networks and applications start to
emerge.
In the next stage, Sifter identifies known threats,
clusters of risk and anomalous behavior. Sifter uses
third party and custom rules to identify known bad IP
addresses, malware and so on. Using unique
algorithms and novel data science techniques
Copyright 2016 by Network World, Inc., 118 Turnpike Road, Southborough, MA 01772.
This article originally appeared in the Network World IT Best Practices newsletter, July 22, 2016.
Reprinted with permission from Network World.
developed at MIT and Stanford universities, Sifter is
able to find previously unknown threats.
The next element, Investigator, is the UI that combines
graph, search and dashboards. The graph UI makes it
easy to see patterns and pivot across entities to trace
an incident across the environment. Customizable
dashboards allow a customer to build views of what
they prefer to see.
And finally, Terminator is a workflow and API
integration that is said to enable seamless
collaboration among team members and the actions to
address threats. The workflow enables the incident
response team to work easier and faster. For example,
say a junior analyst starts the investigation and takes it
as far as they can. Then they share it with a senior
analyst to continue with the investigation and take it to
its conclusion. Actions can include things like opening
a ticket or adding an IP address to a block list.
Now let's take a more detailed look at how an analyst
can conduct an investigation using the graph data
structure. The investigators would use a graph similar
to the one below to see what triggered an alert. Minus
the chart labels, the graph is part of the actual user
interface, which is interactive to allow for pivoting and
drill-downs.
In terms of how an attack that triggered an alert
happened, it goes in the numerical order seen in the
graphic below.
1.
A user receives a phishing email and clicks on the malicious attachment
2.
The exploit, embedded in a PDF file, is triggered.
3.
Malware (rat.sh) is dropped on the user's workstation (ws02.siftsec.com). The malware is also on a
second host (ws35.siftsec.com).
4.
The malware is executed and it performs reconnaissance activities.
5.
A user's account ([email protected]) is used to attempt logins to other hosts.
6.
An infected workstation reaches out to a blacklisted C2 server to receive further instructions.
Numerous activities in this graph could trigger an alert: failed logins, anomalous behaviors, communication with a
blacklisted IP, etc. This would escalate the priority of the investigation.
Using this same chart, the investigators work in reverse, as shown in the image below, to find the root cause of the
alerts.
A. Communication with a blacklisted IP address triggers an alert.
B. Investigators determine what workstation made the connection.
C. They look for anomalous activity associated with that workstation and find reconnaissance activity.
D. They discover malware on the workstation (ws02.siftsec.com) and pivot to find it on a second workstation (ws35.siftsec.com).
E. They discover the source of the malware, which was embedded in a PDF file.
F.
They trace the PDF file to a phishing email.
G. They see that Robert's account was used in several failed login attempts.
This graphical interface really simplifies the investigation and the search for details in order to mitigate threat
activity. Sift Security says that customers report being able to reduce investigation times down from weeks to hours,
or even minutes.
1259 El Camino Real, Suite B | Menlo Park, CA 94025
+1 (661) 418-7438
www.siftsecurity.com
Related documents
Marketing Research
Marketing Research
the Presentation
the Presentation
Emsisoft Internet Security
Emsisoft Internet Security
Structure Determination and Analysis of Terminal
Structure Determination and Analysis of Terminal
cdspsift vedsion 4.2 delease notes
cdspsift vedsion 4.2 delease notes
ForcesandMotionSummativeAssessment
ForcesandMotionSummativeAssessment
Chapter Lectures
Chapter Lectures
Title of the experiment/investigation
Title of the experiment/investigation
Computer Forensics
Computer Forensics
Actors behind advanced threats - Med-IT
Actors behind advanced threats - Med-IT
Towards a framework for Network-based Malware detection System
Towards a framework for Network-based Malware detection System
Malware Analysis Report - Alcatel
Malware Analysis Report - Alcatel
Name___________________________
Name___________________________
Science Physical Sciences Science Life Sciences Science Earth
Science Physical Sciences Science Life Sciences Science Earth
High-Dimensional Feature Descriptors to Characterize Volumetric
High-Dimensional Feature Descriptors to Characterize Volumetric
Business Intelligence Based Malware Log Data
Business Intelligence Based Malware Log Data
CIMDS: Adapting Postprocessing Techniques of Associative
CIMDS: Adapting Postprocessing Techniques of Associative