WHITEPAPER
Speed Up Incident Response with
Actionable Forensic Analytics
Close the Gap between Threat Detection and
Effective Response with Continuous Monitoring
January 15, 2015
Table of Contents
Introduction
Current Threat Landscape
How Typical IT/Security Processes Inhibit Effective Incident Response
  Typical IT/Security Processes
  Common Challenges
  Challenges Specific to Forensic Analytics and Incident Response
Actionable Forensic Analytics
Flexible Incident Response
Tenable Continuous Monitoring Platform
Benefits of the Tenable Continuous Monitoring Platform
  Actionable Forensic Analytics
  Speeds-up Incident Response
Use-Cases
  Forensic Analysis of Suspicious Activity
  Incident Response Options
Conclusion
About Tenable Network Security
Introduction
Cyber criminals are using advanced targeted attacks and modern malware to bypass traditional security controls and easily steal credit card data,
sensitive corporate information, and national secrets. According to the 2014 Ponemon Report [1], the average total organizational cost of a data
breach for companies participating in the survey worldwide increased by 15% over the previous year to $3.5 million. The average cost paid for each
stolen record containing sensitive data increased more than 9%, from $136 in 2013 to $145 this year. In part, these costs are due to delays in breach
detection, which can often take weeks to months after the initial compromise. Delays occur because security teams do not have actionable forensic
data to pinpoint compromised hosts or identify sensitive data that has been stolen.
Tenable provides a comprehensive continuous network monitoring solution that enables you to rapidly respond to security incidents by providing
actionable forensic data that can help detect incidents more accurately. In this paper, we will explore the forensic analytics and incident response
capabilities of Tenable SecurityCenter Continuous View™ (SC CV), a network security platform that identifies vulnerabilities and threats, reduces risk,
and ensures compliance. Topics covered will include:
• Recognizing how organizational silos and inefficient processes inhibit the effectiveness of IT and Security Operations.
• Gathering the actionable forensic analytics data needed to identify advanced attacks at both the network and host levels.
• Responding to security incidents with flexible techniques that leverage both workflows and automation.
Current Threat Landscape
Fig. 1: Verizon 2014 DBIR Report - Top 10 types of security incidents that resulted in breaches
The Verizon 2014 Data Breach Investigations Report (DBIR) [2] covers breaches affecting organizations in 95 countries in 2013. The top 10 categories
of security incidents (as shown in Fig. 1) totaled approximately 63,000 incidents, out of which 1,367 (2%) resulted in breaches (data disclosure).
However, the same four categories of attacks - POS intrusions, web app attacks, cyber espionage, and card skimmers - have contributed to the top
breaches between 2011 and 2013.
Only 33% of victims discover breaches internally, according to Mandiant’s 2014 M Trends Threat Report [3]. Furthermore, in 67% of the cases, victims
were notified by external entities after it was already too late to save the reputation of the company. Security breaches can have a devastating impact
on any company. For example, in the Target breach alone, 40 million credit/debit card data records and 70 million total data records were stolen in the
month of November 2013. The attack vector used against Target was a known exploit that had impacted other retail chains. This scenario is all too common.
Therefore, to protect against advanced attacks and security breaches, a company’s IT security strategy should include:
• Continuous network monitoring for known vulnerabilities and threats.
• Correlating anomalous activity at the network and host levels to detect unknown threats.
[1] “2014 Cost of Data Breach Study: Global Analysis”, Ponemon Institute, May 2014.
[2] “2014 Data Breach Investigations Report”, Verizon, April 2014.
[3] “2014 Threat Report – M Trends Beyond the Breach,” Mandiant – a FireEye Company, April 2014.
How Typical IT/Security Processes Inhibit Effective Incident Response
Typical IT/Security Processes
Fig. 2: Typical IT/Security Operations Processes
Typical IT/Security processes (as illustrated in Fig. 2) encompass the following four phases:
1. Prevent: Identify all vulnerabilities in all known/managed assets in your enterprise. Automatically classify them into asset groups based on OS
and the applications/services running on them. Perform configuration audits and patch them to prevent bad configurations and known vulnerabilities.
This enables you to reduce the attack surface and prevent known attacks.
2. Detect: Discover unknown/unmanaged assets on your network, including mobile devices, virtual machines, and cloud services. Automatically
identify operating systems and application services that have exploitable vulnerabilities. Detect known threats based on threat intelligence from
intrusion detection/prevention devices on your network.
3. Analyze: Correlate anomalous activity with real-time threats (events) and monitor for changes to systems/endpoints to see if they match known
indicators of compromise. Collect accurate forensic data and present it in a consumable way. Sophisticated analytics are required to tie
together the asset and vulnerability data from assessment scans, sniffed network traffic, and log data, and to produce actionable reports.
4. Respond: Use forensic data to generate alert notifications and take prioritized manual (workflow-based) actions or automated (API-based) actions
to prevent threats from resulting in security breaches.
Forensic Analytics and Incident Response correspond to the Analyze and Respond phases (bottom half) of the IT/Security process.
Common Challenges
Common challenges encountered by organizations implementing this model include:
• Organizational Silos: Desktop administration, network, and security operations in medium to large companies are typically managed by three
different organizations – IT Helpdesk, Network Operations Center (NOC), and Security Operations Center (SOC) – which use different tools that do
not communicate well with each other.
• Unmanaged Assets: Not all assets on the network are discovered or known to IT, and hence they are not monitored or managed. This applies especially to
mobile phones, tablets, and virtual environments (e.g., VMware instances), which may have vulnerabilities that can be easily exploited.
• Unknown Applications/Services: Many unmanaged assets are not hardened or patched to eliminate known vulnerabilities, such as Heartbleed.
These assets could be used as launch pads for malware to penetrate the enterprise.
• Lack of Network Visibility: Anomalous network traffic to botnets and Command and Control (CnC) servers can go undetected if there are no
network monitoring tools with application-level (layer 7) visibility looking for traffic to known suspicious destinations.
• Un-prioritized Vulnerabilities: Vulnerabilities are not prioritized by Common Vulnerability Scoring System (CVSS) score, asset criticality, or users/
roles. IT will be unable to quantify business risk without such prioritization.
Challenges Specific to Forensic Analytics and Incident Response
• No Actionable Forensic Data: Security and network operations staff are inundated with security events for which they do not have the right
actionable data. This includes indicators of compromise for advanced attacks that go undetected by traditional defenses.
• Inflexible Incident Response: Security and network operations staff have limited ways of responding to incidents, e.g., generating notifications
and reports, initiating manual workflows, or spawning automated actions. Having the flexibility to associate different types of response actions
with alerts enables IT/Security Operations to speed up incident response and reduce business risk.
Actionable Forensic Analytics
The typical requirements for actionable forensic analytics include the following capabilities:
• Network Forensics: Logs of all network traffic, including packet captures or meta-data captures from network sensors, application flow data
from switches and routers, and application logs from network proxies. This data is useful for identifying suspicious traffic to or from bad sites that can be
attributed to botnets or CnCs, without deploying any agents on endpoints.
• Host Forensics: Monitoring hosts and endpoints for file integrity, system configurations, processes, DNS queries, and network connections.
This typically requires credential-based scanning of endpoints, or agents running on endpoints, to gather evidence in the form of tell-tale
indicators of compromise.
• Log Correlation: Encompasses behavioral and statistical analysis to determine anomalies in network and host forensic data. Adds contextual
information about asset location and user identity, and also filters logs using blacklists from external threat intelligence sources. These correlation
features are vital for zeroing in on security incidents that need immediate attention.
Actionable forensic data should include monitoring for:
• Network meta-data:
  – Source and target of attack: IP address, host name, port/protocol associated with botnets or CnC traffic
  – URL/domain name of server hosting malware
  – Sender/recipient email address of phishing attack
• Host Indicators of Compromise:
  – IP address or hostnames of compromised endpoints
  – Hashes of malware files/binaries
  – System configurations or auto-runs that should be checked for integrity
  – OS registry changes and processes associated with malware
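As an added example, not part of this whitepaper and not Tenable code, the following Python script matches the indicator kinds listed above against network meta-data records and host observations. Every indicator value and sample record is constructed for illustration (RFC 5737 documentation addresses, reserved example domains, the hash of a made-up byte string), the record layouts are assumptions rather than PVS or LCE output, and the "confirmed"/"watchlist" triage rule is a convention of the example, not SC CV behaviour.

```python
"""Indicator matching over network meta-data and host observations.

Added example, not Tenable code. All indicator values and sample records are
constructed: RFC 5737 documentation addresses, reserved example domains and a
hash of a made-up byte string stand in for real indicators.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

CONSTRUCTED_SAMPLE = b"constructed sample binary, not a real file"

# Indicator set grouped by the kinds listed in the text.
IOCS: Dict[str, Set[str]] = {
    "cnc_ip": {"203.0.113.45"},
    "malware_domain": {"update-check.example.net"},
    "phishing_sender": {"billing@invoice-portal.example.com"},
    "file_sha256": {hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest()},
    "autorun": {"WinUpdaterSvc"},
    "registry_key": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc"},
}


@dataclass(frozen=True)
class Match:
    host: str   # internal asset the evidence belongs to
    kind: str   # indicator kind that fired
    value: str  # observed value
    layer: str  # "network" or "host"


def domain_hits(domain: str, bad: Set[str]) -> bool:
    """True when domain equals a listed domain or is a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == b or d.endswith("." + b) for b in bad)


def match_network(records: Iterable[dict], iocs: Dict[str, Set[str]] = IOCS) -> List[Match]:
    """Records are dicts with 'src' plus any of 'dst_ip', 'domain', 'mail_from'
    (a constructed layout, not PVS or LCE output)."""
    out: List[Match] = []
    for r in records:
        src = r["src"]
        if r.get("dst_ip") in iocs["cnc_ip"]:
            out.append(Match(src, "cnc_ip", r["dst_ip"], "network"))
        if r.get("domain") and domain_hits(r["domain"], iocs["malware_domain"]):
            out.append(Match(src, "malware_domain", r["domain"], "network"))
        if r.get("mail_from", "").lower() in iocs["phishing_sender"]:
            out.append(Match(src, "phishing_sender", r["mail_from"], "network"))
    return out


def match_host(observations: Iterable[dict], iocs: Dict[str, Set[str]] = IOCS) -> List[Match]:
    """Observations are dicts with 'host', 'files' (SHA-256 hex digests),
    'autoruns' (entry names) and 'registry' (key paths)."""
    checks = (("files", "file_sha256"), ("autoruns", "autorun"), ("registry", "registry_key"))
    out: List[Match] = []
    for o in observations:
        for attr, kind in checks:
            out += [Match(o["host"], kind, v, "host") for v in o.get(attr, []) if v in iocs[kind]]
    return out


def triage(matches: Iterable[Match]) -> Dict[str, str]:
    """'confirmed' when a host has both network and host evidence,
    'watchlist' when only one layer fired (assumed rule of this example)."""
    layers: Dict[str, Set[str]] = {}
    for m in matches:
        layers.setdefault(m.host, set()).add(m.layer)
    return {h: "confirmed" if len(ls) == 2 else "watchlist" for h, ls in layers.items()}


# Constructed sample input: three internal hosts, one with evidence at both layers.
NETWORK = [
    {"src": "10.0.5.21", "dst_ip": "203.0.113.45"},
    {"src": "10.0.5.21", "domain": "cdn.update-check.example.net"},
    {"src": "10.0.7.9", "mail_from": "Billing@Invoice-Portal.example.com"},
    {"src": "10.0.9.3", "dst_ip": "198.51.100.7", "domain": "intranet.example.com"},
]
HOSTS = [
    {"host": "10.0.5.21", "files": [hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest()],
     "autoruns": ["WinUpdaterSvc", "OneDrive"], "registry": []},
    {"host": "10.0.7.9", "files": [hashlib.sha256(b"benign").hexdigest()],
     "autoruns": ["OneDrive"], "registry": []},
]


def run_example():
    matches = match_network(NETWORK) + match_host(HOSTS)
    return matches, triage(matches)


if __name__ == "__main__":
    found, verdicts = run_example()
    for m in found:
        print(f"{m.host:10} {m.layer:8} {m.kind:16} {m.value}")
    print(verdicts)
```

The subdomain-aware `domain_hits` check and the case-insensitive sender comparison are where simple string equality would miss evidence; the two-layer triage mirrors the idea that network evidence alone puts a host on a watchlist while host indicators confirm the compromise.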
Flexible Incident Response
Any solution that identifies security incidents should further enable you to respond to them with the following types of configurable response actions,
chosen according to the simplicity or complexity of the problem identified.
• Notifications/Email: Send notifications via the console or by email, and include the recommended action.
• Dashboards/Reports: Automatically update a dashboard or generate a report with the current state of incidents in progress, assigned to
appropriate personnel.
• Workflows: Trigger trouble tickets with workflows assigned to the person responsible for follow-through. Especially useful for the most complex
and the least understood incidents.
• Automated Actions: Automatically invoke scripts or application programming interfaces (APIs) that perform specific actions, such as adding a
URL to the blacklist of a web gateway or updating an ACL on a firewall to automatically block CnC servers. Automated actions are most applicable
to frequently occurring incidents that are well understood.
Tenable Continuous Monitoring Platform
Fig. 3: The Tenable Platform – Continuous Monitoring of Vulnerabilities, Threats, and Compliance
Tenable SecurityCenter Continuous View™ breaks down silos between IT, network, and security operations, and delivers actionable forensic data,
asset information, and vulnerability context to speed up incident response. The SecurityCenter Continuous View platform (depicted in Fig. 3) includes
the following Tenable products and components:
• Nessus®: the industry’s most widely deployed vulnerability, configuration, and compliance scanner. Nessus features high-speed discovery,
configuration auditing, asset profiling, malware detection, sensitive data discovery, patch management integration, and vulnerability analysis.
Nessus® Manager provides a scalable on-premise solution to manage multiple Nessus scanners. The SaaS version, Nessus Cloud, adds external
perimeter scanning and PCI ASV scan validation.
• Passive Vulnerability Scanner™ (PVS): a non-intrusive network monitoring tool that discovers all devices, applications, services, and their
relationships currently active on your network. It automatically pinpoints potential security risks posed by vulnerable assets and new or unknown
rogue systems, including SaaS and IaaS services being accessed by users.
• Log Correlation Engine™ (LCE): collects and correlates logs from Nessus, PVS, and external sources on the network, including firewalls, switches,
routers, endpoints, and servers. It can also generate alerts when malware matching indicators of compromise from external threat intelligence
sources (e.g., Reversing Labs and IID) is encountered. All log data is compressed and stored in an indexed file system and can be rapidly
searched using keywords.
• SecurityCenter Continuous View™ (SC CV): enables continuous monitoring of vulnerabilities, threats, and compliance violations discovered by
Nessus, PVS, and LCE. It provides one management console with configurable dashboards, reports, and notifications that give a comprehensive
visualization (as shown in Fig. 4 below) of a company’s vulnerabilities, threats, and compliance posture.
Fig. 4: SecurityCenter Executive Summary Dashboard
Benefits of the Tenable Continuous Monitoring Platform
Tenable’s SecurityCenter Continuous View breaks down silos between IT, network, and security operations and enables you to gather actionable
forensic data, information about assets, and vulnerability context to speed up incident response efforts.
Actionable Forensic Analytics
• Automatically discovers and tags 100% of assets – physical, virtual, mobile, and cloud
• Performs audits to discover known vulnerabilities based on security policies
• Discovers advanced threats by scanning for indicators of compromise
• Continuously monitors network traffic to detect hidden attack paths and suspicious activity
Speeds-up Incident Response
• Provides asset and vulnerability context for every incident detected
• Identifies residual risk with correlated vulnerability and threat data
• Automatically generates alerts with configurable response options – manual and automated
• Provides actionable information in customizable dashboards and reports
Use-Cases
The following use cases illustrate how Tenable SecurityCenter Continuous View (SC CV) gathers accurate forensic data to detect advanced attacks
and set up flexible responses to prevent security incidents and breaches.
Forensic Analysis of Suspicious Activity
SecurityCenter Continuous View, which includes SecurityCenter, Nessus, PVS, and LCE, can be used to track both inbound and outbound suspicious
network traffic to zero in on advanced attacks.
• Inbound: Detect downloads of malware from an external web server and validate whether an endpoint was truly compromised.
  – Tenable PVS™ can be used to capture all inbound network traffic, and LCE can be used to create a “watchlist” of internal assets that exhibit
suspicious file/exe downloads from known botnets and websites, as shown in Fig. 5 below:
Fig. 5: Indicators dashboard to track inbound/outbound suspicious activity
  – Tenable Nessus® can be used to scan the “watchlist” of assets to look for advanced malware using known Indicators of Compromise (IoC). If IoCs
are found on an endpoint (as shown in Fig. 6 below), then the endpoint is confirmed to be compromised.
Fig. 6: Indicators of Compromise (IoC) found on a compromised endpoint
• Outbound: Detect an already compromised internal host trying to beacon out to a botnet/CnC server.
  – PVS™ can be used to capture an anomalous set of failed DNS queries to a known CnC server, which indicates a compromised host that is trying
to beacon out, potentially to exfiltrate information. Fig. 7 below depicts how such anomalies can be identified in PVS.
Fig. 7: Anomalous outbound communication identified by PVS
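The following Python script is an added example, not PVS or LCE code, of the outbound pattern just described: it reads constructed DNS log lines, counts failed lookups per internal host for names under known CnC domains, and checks whether the failures arrive at regular intervals, the timing signature of a beacon. The log line layout, the CnC domain list, the failure threshold and the regularity cut-off are all assumptions of the example.

```python
"""Beacon detection from failed DNS queries to known CnC domains.

Added example, not PVS or LCE code. The log line layout, the CnC domain list
and the thresholds are assumptions; all sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Set

# Constructed line layout: "<ISO timestamp> src=<ip> q=<name> rcode=<code>"
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) q=(?P<q>\S+) rcode=(?P<rc>\S+)$")

# Known CnC domains (constructed, reserved example names).
CNC_DOMAINS: Set[str] = {"beacon-test.example.net"}


def is_cnc(name: str, cnc: Set[str]) -> bool:
    """True when the queried name is a listed CnC domain or a subdomain of one."""
    n = name.lower().rstrip(".")
    return any(n == c or n.endswith("." + c) for c in cnc)


def parse(lines: Iterable[str]):
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the run
            yield datetime.fromisoformat(m["ts"]), m["src"], m["q"], m["rc"]


def detect_beacons(lines: Iterable[str], cnc: Set[str] = CNC_DOMAINS,
                   min_failures: int = 5, max_cv: float = 0.25) -> List[dict]:
    """Flag internal hosts with at least min_failures failed lookups of CnC
    names; 'regular' marks evenly spaced attempts (coefficient of variation of
    the inter-query gap at or below max_cv), the timing signature of a beacon."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ts, src, q, rc in parse(lines):
        if rc != "NOERROR" and is_cnc(q, cnc):
            failures[src].append(ts)
    findings = []
    for src, stamps in failures.items():
        if len(stamps) < min_failures:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        findings.append({"src": src, "failures": len(stamps), "mean_gap_s": avg,
                         "cv": round(cv, 3), "regular": cv <= max_cv})
    return findings


# Constructed sample log: 10.0.5.21 retries a CnC name every 60 s, 10.0.7.9
# tries it only twice, 10.0.9.3 has an ordinary NXDOMAIN for an unrelated name.
SAMPLE_LOG = [
    "2015-01-15T10:00:00 src=10.0.5.21 q=c2.beacon-test.example.net rcode=NXDOMAIN",
    "2015-01-15T10:00:20 src=10.0.9.3 q=wrongname.example.com rcode=NXDOMAIN",
    "2015-01-15T10:01:00 src=10.0.5.21 q=c2.beacon-test.example.net rcode=NXDOMAIN",
    "2015-01-15T10:02:00 src=10.0.5.21 q=c2.beacon-test.example.net rcode=SERVFAIL",
    "2015-01-15T10:02:30 src=10.0.7.9 q=beacon-test.example.net rcode=NXDOMAIN",
    "2015-01-15T10:03:00 src=10.0.5.21 q=c2.beacon-test.example.net rcode=NXDOMAIN",
    "2015-01-15T10:04:00 src=10.0.5.21 q=c2.beacon-test.example.net rcode=NXDOMAIN",
    "2015-01-15T10:04:10 src=10.0.7.9 q=beacon-test.example.net rcode=NXDOMAIN",
    "2015-01-15T10:05:00 src=10.0.5.21 q=c2.beacon-test.example.net rcode=NXDOMAIN",
    "this line is malformed and is ignored",
]

if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG):
        print(finding)
```

Counting only failed responses keeps the rule aligned with the paragraph above (a CnC domain that has been taken down or never registered keeps failing), and the interval check separates a periodic beacon from a user who mistyped a name a few times.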
Incident Response Options
SC CV allows you to set up actions for every alert. The following types of actions can be configured for each alert:

Alert Sample                                              Configurable Action
Targeted IDS                                              Email NOC
New Host Discovered                                       Launch a compliance scan
Telnet Server Detected                                    Generate a report of services on host
Host has a compliance failure                             Notify compliance officer
Critical exploitable vulnerability on Windows endpoint    Notify appropriate systems administrator
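The following Python script is an added example, not SecurityCenter code, that ties the response types from the Flexible Incident Response section to the alert-to-action table above: a playbook maps each sample alert to notification, report, scan or ticket handlers, alert types with no configured action fall back to a workflow ticket (the "least understood" case), and repeats of the same alert for the same asset are suppressed for a configurable window so that automated actions for frequent incidents do not flood the NOC. The handler names, the suppression window and the audit-record format are assumptions; the handlers return audit records instead of calling mail, scanner, ticketing or firewall APIs, which are site-specific.

```python
"""Alert-to-action dispatch with a fallback workflow and repeat suppression.

Added example, not SecurityCenter code. Handler names, the suppression window
and the audit-record format are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Alert:
    kind: str                    # alert type as named in the console
    asset: str                   # IP or hostname the alert concerns
    details: dict = field(default_factory=dict)   # context such as asset owner


Action = Callable[[Alert], str]


# Response handlers. Each returns a one-line audit record instead of sending
# mail or calling a scanner, ticketing or firewall API; those integrations are
# site-specific and are represented by these placeholders.
def notify(recipient: str) -> Action:
    return lambda a: f"notify {recipient}: {a.kind} on {a.asset}"


def notify_owner(fallback: str = "systems administrator") -> Action:
    # Route to the asset owner recorded in the alert context, if known.
    return lambda a: f"notify {a.details.get('owner', fallback)}: {a.kind} on {a.asset}"


def open_ticket(queue: str) -> Action:
    return lambda a: f"ticket {queue}: {a.kind} on {a.asset}"


def launch_scan(policy: str) -> Action:
    return lambda a: f"scan {a.asset} with policy {policy}"


def generate_report(template: str) -> Action:
    return lambda a: f"report {template} for {a.asset}"


# Playbook: the alert samples from the table mapped to configured actions.
PLAYBOOK: Dict[str, List[Action]] = {
    "Targeted IDS": [notify("NOC")],
    "New Host Discovered": [launch_scan("compliance")],
    "Telnet Server Detected": [generate_report("services-on-host")],
    "Host has a compliance failure": [notify("compliance officer")],
    "Critical exploitable vulnerability on Windows endpoint": [notify_owner(), open_ticket("sysadmin")],
}


class AlertRouter:
    """Dispatches alerts to configured actions. Unknown alert types fall back
    to a workflow ticket; repeats of the same (kind, asset) inside the
    suppression window are not re-dispatched."""

    def __init__(self, playbook: Dict[str, List[Action]] = PLAYBOOK,
                 fallback: Action = open_ticket("security-triage"), suppress_s: int = 300):
        self.playbook = playbook
        self.fallback = fallback
        self.suppress_s = suppress_s
        self.last_seen: Dict[Tuple[str, str], float] = {}
        self.audit: List[str] = []   # every action taken, in order

    def handle(self, alert: Alert, now: float) -> List[str]:
        key = (alert.kind, alert.asset)
        prev = self.last_seen.get(key)
        if prev is not None and now - prev < self.suppress_s:
            return []                # duplicate inside the window: nothing new to do
        self.last_seen[key] = now
        actions = self.playbook.get(alert.kind, [self.fallback])
        results = [act(alert) for act in actions]
        self.audit.extend(results)
        return results


if __name__ == "__main__":
    router = AlertRouter()
    # Constructed alerts; times are seconds on an arbitrary clock.
    for t, alert in [
        (0, Alert("Targeted IDS", "10.0.5.21")),
        (30, Alert("Targeted IDS", "10.0.5.21")),
        (45, Alert("Critical exploitable vulnerability on Windows endpoint", "ws-42", {"owner": "jdoe"})),
        (60, Alert("Unclassified anomaly", "10.0.1.1")),
    ]:
        print(t, router.handle(alert, now=t))
```

The audit list gives the incident record the paragraph on dashboards and reports asks for, and putting the playbook in plain data keeps the manual/automated split a configuration choice rather than a code change.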
Fig. 8 below shows a screen shot of the Alerts window with configurable options in SC CV.
Fig. 8: Configurable response actions for an alert in SC CV
Conclusion
While enterprise IT and security teams deploy and manage an expanding array of defensive technologies, many remain challenged to detect
and assess the impact of threats until long after vulnerable systems are compromised. Tenable Network Security addresses this situation with its
industry-leading continuous monitoring platform - SecurityCenter Continuous View, a comprehensive solution for vulnerability, threat and compliance
management. SecurityCenter Continuous View transforms organizational silos and operational processes by providing meaningful and actionable
forensic analytics with which enterprises can dramatically accelerate incident response.
About Tenable Network Security
Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of
products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®,
the global standard in detecting and assessing network data. Tenable is relied upon by many of the world’s largest corporations, not-for-profit
organizations and public sector agencies, including the entire U.S. Department of Defense. For more information, please visit tenable.com.
For More Information: Please visit tenable.com
Contact Us: Please email us at [email protected] or visit tenable.com/contact
Copyright © 2015. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered
trademarks of Tenable Network Security, Inc. SecurityCenter and Passive Vulnerability Scanner are trademarks of Tenable Network
Security, Inc. All other products or services are trademarks of their respective owners. EN-JAN282015-V4