Real-time Security Analytics (RtSA): Automating the Discovery, Understanding, and Action Against Advanced Security Threats
Neal Hartsell, Vice President Marketing, Click Security
Click Security Confidential

Typical Enterprise Network Today
[Network diagram: Cloud Services, Contractor, Mobility, WAN, F/W & IPS, EP, Web Proxy, Server, DMZ, F/W & IPS, EP, Malicious Insider, BYOD, Consumerization of IT]

Are We Secure?
• IP theft from US companies is $250B / year*
• Global cybercrime is $114 billion… $388 billion when you factor in downtime (Symantec)*
• We spent $25B on IT security in 2012**
• $1 trillion spent globally on remediation (McAfee)*
* http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-amount-greatest-transfer-wealth-history-070912
** http://www.slideshare.net/Pack22/it-security-market-overview-sept-12

What Happened?
• Massive network attack surface: Social Media, Consumerization of IT, IP Device Explosion, Mobility, Cloud Computing
• Your defense: signature-based defenses (IPS, Anti-X, Firewall), numerous, complex, in constant flux, and between 50% and 5% effective
• Staff: $1B revenue × 5% on IT × 10% on security × 30% on staff / $200K per year loaded = 7.5 heads
• The enemy: intelligent, stealthy, relentless, motivated. "Based on some research by the U.S. intelligence, the total number of registered hackers in China is approaching 400,000." (Infosecisland.com)

Current Answer… Event Management + Forensics
• 2012 Verizon Data Breach Investigations Report: minutes – hours to execute a breach; days – months to discover it

Better Answer… Real-time Security Analytics
• Catch this… before this…

So Why Don't We Catch Things in Real Time?
[Chart residue: 39%, 35%, 29%, 29%, 28%, 28%, 28%, 23%; the category labels did not survive extraction]

A Recent Financial Services Attack
• Actor accesses the network and begins operating from an internal system with a reserved IP address
• Actor attacks an internal web server with a variety of HTTP-based attacks, including buffer overflows and SQL injection
• Victim of the HTTP attacks initiates HTTPS connections with four more external systems
• Actor sends malicious Java to an internal web server
• Attacker is logged in, anonymously, to an FTP server and is actively transferring data
• Actor's IP address is dynamically assigned from China's hinet.net, a broadband ISP and a well-known haven for hackers and phishing activity
[Attack diagram: Entry (Hacker) → Attack Reserved IP Address → Attack Internal Web Server → Attack Internal Web Server → ExFil $]

If This Happened to Your Company…
• Would you notice these alarms? Remember, one firewall at 15K events per second is over a billion events per day (15,000 × 86,400 ≈ 1.3 billion)
• Would you recognize their importance? High, medium or low severity?
• Would you know they were connected? e.g., how many IP addresses are involved here?
• Would you see them in time to be proactive? Or do you study them forensically?
• Do you even have staff to spend time on this? Are they skilled, experienced, and with time on their hands?

Why are Traditional Security Products Failing?
[Diagram: Social Networking, BYODevice, Cloud, Virtualization, IT Consumerization, Mobility; attack chain: Relentless Jiggling of Doors → Internal Beachheads → Spear Phishing / Compromised Credentials → Covert Control and/or Exfiltration]
• Too many holes to defend against a motivated attacker
• Not solvable with signature-based point-product solutions
• 286 million unique variations of malware (Symantec 2010)

Click Security's Real-time Security Analytics
• Get actionable intelligence around the logs and alerts that point products produce
  – Today it takes you hours to days to determine whether one is a false positive or a false negative
• Find anomalies in logs/alerts that point products miss
  – One product's log or alert can be (on its own) seemingly innocuous; pieced together with other actor information, it can be a strong indicator of compromise
• Get situational awareness of your network and its actors, automatically and in real time
RtSA automates the analysis, which cost-effectively reduces business risk from advanced malware and attackers by reducing "time-to-detect", "time-to-understand" and "time-to-act".

Real-time Security Analytics Defined…
Event – "two nouns and a verb"
• John logged in through the VPN
• John's PC attacked server X (IDS)
• John's machine was blocked by the firewall on port X or app Y (Firewall)
Analytic – "two nouns, a verb and some attribution (one or more adjectives)"
• A piece of extra intelligence the system adds to an event or a group of events that enhances the event's context
• VPN user logged in from a far location (simple context augmentation analytic)
• Total # of bytes from John's PC to server X exceeded Y bytes (statistical analytic)
• John's PC is sending more traffic than in the past 30 days (behavior learning analytic)
Security Analytic – "multiple analytics strung together (+ assessment + guidance)"
• An alert generated by a higher-level analytic that triggers when one or more analytics or events fire in a given time period or in a given sequence
• EXAMPLE: Drive-by Download analytic fired, followed by a connection from the client to a blacklisted host within 1 minute of the download of the executable to the client
Real-time Security Analytics Solution
• Perform large numbers of Security Analytics, FAST and with high ACCURACY

Example Real-time Security Analytic
Real-time Security Analytic: "I see a user coming into a critical server from an Android device in Uganda that also has a connection to a blacklisted IP address in China, and this same user logged in from Dallas 30 minutes ago…"
Normal alerts… if you actually notice them at all… let alone soon enough:
• "I see a user tied to an unusual device"
• "I see a flow to a blacklisted IP address"
• "I see an access from a strange location"
Collect, Cross-Contextualize and Examine for Anomalies in real time…
[Data sources diagram: Internet Threats, Enterprise Security Events, Security Policy, Authentication Activity, Flow Activity, Vulnerability Assessment, User Activity, Access Activity, Application Activity]
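The three tiers just defined (event, analytic, security analytic) and the cross-contextualized alert on the slide above, carried into running code. This is an added example, not Click Security code and not the RtSA engine. The threat-intel blacklist, geo lookup, device inventory, critical-server list, user names and timestamps are all constructed assumptions. The deck's two security-analytic examples become rules over a per-actor stream of analytic observations: the drive-by case as an ordered sequence inside a one-minute window, and the Uganda/Dallas/blacklist case as a conjunction inside an hour, each carrying its own guidance.

```python
"""Event -> analytic -> security analytic over an event stream. Added example (not Click Security code)."""
from collections import defaultdict
from datetime import datetime, timedelta

BLACKLIST = {"198.51.100.7"}                                            # assumed threat-intel entry
GEO = {"192.0.2.10": "US", "203.0.113.5": "UG", "198.51.100.7": "CN"}   # assumed geo lookup
KNOWN_DEVICES = {"john": {"win-laptop-john"}, "alice": {"mac-alice"}}   # assumed device inventory
CRITICAL_SERVERS = {"srv-fin-01"}                                       # assumed asset classification

def enrich(ev):
    """Context-augmentation analytic: attach attribution (the 'adjectives') to a bare event."""
    ev = dict(ev)
    ev["src_country"] = GEO.get(ev.get("src"), "??")
    ev["dst_blacklisted"] = ev.get("dst") in BLACKLIST
    ev["critical_target"] = ev.get("dst") in CRITICAL_SERVERS
    return ev

class SequenceRule:
    """Security analytic: the named analytics occur in this order, for one actor, inside `window`."""
    def __init__(self, name, steps, window, guidance):
        self.name, self.steps, self.window, self.guidance = name, steps, window, guidance
    def evaluate(self, obs, now):
        names = [n for t, n in obs if now - t <= self.window]
        if not names or names[-1] != self.steps[-1]:
            return None                       # fire only when the closing step has just arrived
        i = 0
        for n in names:
            i += n == self.steps[i]           # advance when the next expected step is seen
            if i == len(self.steps):
                return {"rule": self.name, "guidance": self.guidance}
        return None

class ConjunctionRule:
    """Security analytic: all named analytics seen for one actor inside `window`, in any order."""
    def __init__(self, name, required, window, guidance):
        self.name, self.required, self.window, self.guidance = name, set(required), window, guidance
    def evaluate(self, obs, now):
        seen = {n for t, n in obs if now - t <= self.window}
        return {"rule": self.name, "guidance": self.guidance} if self.required <= seen else None

RULES = [
    # The deck's drive-by example: executable download, then a blacklisted connection within 1 minute.
    SequenceRule("drive_by_then_c2", ["drive_by_download", "blacklist_flow"], timedelta(minutes=1),
                 "isolate the client and pull the downloaded file for sandboxing"),
    # The deck's slide example: unusual device + impossible travel + critical-server access + blacklisted flow.
    ConjunctionRule("account_takeover", ["unusual_device", "impossible_travel", "critical_access", "blacklist_flow"],
                    timedelta(hours=1), "disable the account and kill its sessions on the critical server"),
]

class Correlator:
    def __init__(self):
        self.last_login = {}                  # actor -> (ts, country), for the travel check
        self.observed = defaultdict(list)     # actor -> [(ts, analytic name)]
        self.fired = set()                    # (actor, rule) pairs already alerted on
        self.alerts = []
    def analytics(self, ev):
        """Statistical / behavioural analytics: one enriched event -> zero or more analytic names."""
        out, actor, ts = [], ev["actor"], ev["ts"]
        if ev["verb"] == "login":
            if ev.get("device") not in KNOWN_DEVICES.get(actor, set()):
                out.append("unusual_device")
            prev = self.last_login.get(actor)
            if prev and prev[1] != ev["src_country"] and ts - prev[0] < timedelta(hours=1):
                out.append("impossible_travel")
            if ev["critical_target"]:
                out.append("critical_access")
            self.last_login[actor] = (ts, ev["src_country"])
        elif ev["verb"] == "download" and ev.get("file", "").endswith(".exe"):
            out.append("drive_by_download")
        elif ev["verb"] == "flow" and ev["dst_blacklisted"]:
            out.append("blacklist_flow")
        return out
    def process(self, raw):
        ev = enrich(raw)
        actor, now = ev["actor"], ev["ts"]
        for name in self.analytics(ev):
            self.observed[actor].append((now, name))
        for rule in RULES:                    # every security analytic is re-checked per new observation
            hit = rule.evaluate(self.observed[actor], now)
            if hit and (actor, rule.name) not in self.fired:
                self.fired.add((actor, rule.name))
                self.alerts.append({"actor": actor, "ts": now, **hit})

def run(events):
    """Feed events in time order; return the security-analytic alerts that fired."""
    c = Correlator()
    for e in events:
        c.process(e)
    return c.alerts

T = datetime(2013, 5, 13, 9, 0)               # constructed timestamps
SAMPLE_EVENTS = [                              # constructed "two nouns and a verb" events
    {"ts": T, "actor": "john", "verb": "login", "src": "192.0.2.10", "dst": "vpn", "device": "win-laptop-john"},
    {"ts": T + timedelta(minutes=30), "actor": "john", "verb": "login", "src": "203.0.113.5", "dst": "srv-fin-01", "device": "android-unknown"},
    {"ts": T + timedelta(minutes=31), "actor": "john", "verb": "flow", "src": "203.0.113.5", "dst": "198.51.100.7"},
    {"ts": T + timedelta(hours=1), "actor": "alice", "verb": "download", "src": "192.0.2.10", "dst": "203.0.113.9", "file": "update.exe"},
    {"ts": T + timedelta(hours=1, seconds=30), "actor": "alice", "verb": "flow", "src": "192.0.2.10", "dst": "198.51.100.7"},
    {"ts": T + timedelta(hours=1, minutes=5), "actor": "bob", "verb": "flow", "src": "192.0.2.10", "dst": "198.51.100.7"},
]
```

Running `run(SAMPLE_EVENTS)` yields two alerts: `account_takeover` for john on the blacklisted flow at 09:31 (the fourth analytic completing the conjunction), and `drive_by_then_c2` for alice. Bob's lone blacklisted flow, the "normal alert" of the slide, produces an observation but no security analytic, which is the point: the single event is only meaningful once it is tied to the other analytics for the same actor.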
More Examples ...
• User connected to an IP address with bad reputation
• Located in foreign countries or enemy networks
• Machine facilitating lateral movement
• Using many different IPs or usernames
• Extreme numbers of consecutive failed logins
• Using remote access protocols, such as SSH and RDP
• Communicating via non-standard protocols or ports
• Generating high event count or anomaly count
• Active at odd hours
• Participating in large data transfers or certain types of transfers
• Using suspicious HTTP user-agents, methods or URIs
• Generating large numbers of HTTP client or server errors
• Generating certain sequences / collections of IDS alerts
• Multiple systems acting in a coordinated fashion

Real-Time Security Analytics (RtSA)
Click Analytics
• Programmable Real-time Analytics
• Captured Intelligence
• "Lego" building blocks
Click Platform
• Stream Processing Engine
• Dynamic Visualizations
• Interactive Workbooks
• Highly Scalable
Click Labs
• Security Threat Expertise
• Protocol / Application Savvy
• Module Development
• Customer Environment Assessment

RtSA in Use
[Architecture diagram: Click Labs Analytics Service; Dashboard; Dynamic Workbooks; Module Authoring; Click Analytics; Stream Processing Engine; Real-time Stream Processing; ALERT → INVESTIGATE → Lockdown; Real-time Investigation; Batch Process Investigation]
• System Health Monitoring
• Analytic Alert Monitoring
• Alert Investigation
• Ad-Hoc Anomaly Investigation
• Incident & Status Reporting

Real World Customer Example: Major Retailer, Monday May 13, 2013
[Diagram: Live Network & Security Telemetry → Click Analytics / Stream Processing Engine → CLAS Incident Report]
General Findings
• Systems from all over the world are logging into, or attempting to log into, a specific SSH server at the customer
• The server at xx.xx.xx.xx is under heavy attack, and a heavy majority of the attackers are sourcing from the area in and around Beijing, China
• One attacker: xx.xx.xx.xx
  – IP is located in China
  – Per the SANS Internet Storm Center, this IP has been reported as an attacker since 2010, with almost 50,000 targets and a commensurate number of incident reports
Specific Findings
• The beachhead appears to have been compromised. Patterns are consistent with successful logins from multiple remote hosts using a minimal number of attempts.
• The beachhead has accessed 4 internal systems. These internal systems have unpatched vulnerabilities.
• The next layer of fanout suggests as many as 70 systems involved.
Conclusion
• Appears to be a compromised server that is being used to move laterally inside the customer network
• Significant potential for compromise and data leakage

How We Are Different
SIEM
• Designed for log management
• Simple alerting
• Short window of persistence
• Requires PSO to tune
Forensics
• Designed for "Network DVR" post analysis
• Deep "after the fact" analysis
• Some real-time alerting
Malware Protection
• NGFW: good for application anomalies
• Sandbox investigation: good for identified malicious or anomalous 'fileware' or communication channels
• Simple analytics in nature
Map Reduced Fast Log Search
• Designed to speed ad hoc queries of logs through a distributed data store and indexing
• Facilitates full historical query of log information
• Good for compliance
Real-time Security Analytics
• Designed to automate the analyst
• Real-time contextualization and automated, interactive analysis
• Long windows of persistence
• Large # of concurrent, multi-factor analytics
• Integrates visibility, anomaly, and incident investigation across: Users / Devices; Servers / Apps / Flows; Files

REAL-TIME SECURITY ANALYTICS AUTOMATE THE ANALYSIS
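Returning to the retailer SSH incident above, and to the "extreme numbers of consecutive failed logins", "remote access protocols such as SSH" and "machine facilitating lateral movement" items in the More Examples list: each of the report's three findings (who is attacking the SSH server and from where; successful logins from remote hosts with a minimal number of attempts; fanout from the beachhead) can be computed from sshd auth logs plus SSH flow records. This is an added example, not Click Security's code and not the customer's data. The log lines, hostnames, IPs, the geo lookup table, the internal address prefix, the failure threshold and the flow records are all constructed for the example.

```python
"""Added example (not Click Security code): the three findings of the SSH beachhead incident
computed from constructed sshd logs and flow records."""
import re
from collections import Counter, defaultdict

# OpenSSH auth-log shape: "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>"
SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

# Constructed sshd log excerpt; hostname, users and IPs are assumptions for the example.
AUTH_LOG = """\
May 13 02:10:01 ssh-gw sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
May 13 02:10:02 ssh-gw sshd[1002]: Failed password for root from 203.0.113.10 port 40002 ssh2
May 13 02:10:03 ssh-gw sshd[1003]: Failed password for invalid user admin from 203.0.113.10 port 40003 ssh2
May 13 02:11:01 ssh-gw sshd[1004]: Failed password for root from 203.0.113.11 port 40010 ssh2
May 13 02:11:02 ssh-gw sshd[1005]: Failed password for root from 203.0.113.11 port 40011 ssh2
May 13 02:11:03 ssh-gw sshd[1006]: Failed password for invalid user oracle from 203.0.113.11 port 40012 ssh2
May 13 02:12:01 ssh-gw sshd[1007]: Failed password for root from 203.0.113.12 port 40020 ssh2
May 13 02:12:02 ssh-gw sshd[1008]: Failed password for root from 203.0.113.12 port 40021 ssh2
May 13 02:12:03 ssh-gw sshd[1009]: Failed password for root from 203.0.113.12 port 40022 ssh2
May 13 02:13:01 ssh-gw sshd[1010]: Failed password for root from 198.51.100.20 port 50001 ssh2
May 13 02:13:02 ssh-gw sshd[1011]: Failed password for root from 198.51.100.20 port 50002 ssh2
May 13 02:13:03 ssh-gw sshd[1012]: Failed password for root from 198.51.100.20 port 50003 ssh2
May 13 02:20:00 ssh-gw sshd[1013]: Failed password for backup from 203.0.113.50 port 41000 ssh2
May 13 02:20:05 ssh-gw sshd[1014]: Accepted password for backup from 203.0.113.50 port 41001 ssh2
May 13 03:00:00 ssh-gw sshd[1015]: Accepted publickey for ops from 10.0.0.5 port 52000 ssh2
"""
GEO = {"203.0.113.10": "CN", "203.0.113.11": "CN", "203.0.113.12": "CN",
       "203.0.113.50": "CN", "198.51.100.20": "DE"}          # assumed geo lookup
INTERNAL_PREFIX = "10."                                       # assumed internal address range

# Constructed SSH flow records (src, dst, dst_port) observed after the Accepted login.
FLOWS = [("ssh-gw", "10.0.1.11", 22), ("ssh-gw", "10.0.1.12", 22), ("ssh-gw", "10.0.1.13", 22),
         ("ssh-gw", "10.0.1.14", 22), ("ssh-gw", "10.0.9.9", 443),
         ("10.0.1.11", "10.0.2.1", 22), ("10.0.1.11", "10.0.2.2", 22),
         ("10.0.1.12", "10.0.2.3", 22), ("10.0.1.13", "10.0.2.1", 22)]

def parse_auth(log):
    """Return (status, user, src_ip) for every sshd auth line that matches, in log order."""
    return [m.groups() for m in map(SSH_RE.search, log.splitlines()) if m]

def attack_summary(records, geo, fail_threshold=3):
    """Finding 1: sources with >= fail_threshold failures, and the country most of them come from."""
    fails = Counter(ip for status, _, ip in records if status == "Failed")
    attackers = {ip for ip, n in fails.items() if n >= fail_threshold}
    countries = Counter(geo.get(ip, "??") for ip in attackers)
    top, count = countries.most_common(1)[0] if countries else ("??", 0)
    return {"attackers": len(attackers), "top_country": top,
            "top_share": count / len(attackers) if attackers else 0.0}

def low_attempt_successes(records, max_failures=2):
    """Finding 2: remote sources that logged in after few or no failures (credential already known)."""
    fails, hits = Counter(), {}
    for status, user, ip in records:          # walk in log order so only *prior* failures count
        if ip.startswith(INTERNAL_PREFIX):
            continue
        if status == "Failed":
            fails[ip] += 1
        elif fails[ip] <= max_failures:
            hits[ip] = user
    return hits

def fanout(flows, root, depth=2, port=22):
    """Finding 3: BFS over SSH flows from the beachhead; returns {layer: set of newly reached hosts}."""
    edges = defaultdict(set)
    for src, dst, p in flows:
        if p == port:
            edges[src].add(dst)
    layers, seen, frontier = {}, {root}, {root}
    for level in range(1, depth + 1):
        frontier = {d for s in frontier for d in edges[s]} - seen
        layers[level] = frontier
        seen |= frontier
    return layers

if __name__ == "__main__":
    recs = parse_auth(AUTH_LOG)
    print(attack_summary(recs, GEO))
    print(low_attempt_successes(recs))
    print({k: sorted(v) for k, v in fanout(FLOWS, "ssh-gw").items()})
```

On the constructed input this reports four brute-forcing sources, three of them (75%) from the same country; one remote host (`203.0.113.50`) that got in as `backup` after a single failure, which is the "minimal number of attempts" pattern the report calls out; and an SSH fanout of four first-layer hosts and three second-layer hosts from the beachhead. The same three queries scale to a real incident by swapping the embedded log and flow list for the live telemetry and raising `fail_threshold` to whatever the server's normal failure rate justifies.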