Download Document

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
Document related concepts
no text concepts found
Transcript 
Real-time Security Analytics (RtSA):
Automating the Discovery, Understanding, and
Action Against Advanced Security Threats
Neal Hartsell
Vice President Marketing
Typical Enterprise Network Today
Cloud Services
Contractor
Mobility
WAN F/W & IPS
EP
Web
Proxy
Server
DMZ F/W & IPS
EP
Malicious
Insider
BYOD
Consumerization of IT
2
Click Security Confidential
Are We Secure?
• IP theft to US Co’s is
$250B / year
• Global cybercrime is
$114 billion…
• $388 billion when you
factor in downtime…
Symantec*
We spent $25B
on IT Security in
2012**
• $1 trillion spent
globally on remediation
McAfee*
* http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-amount-greatest-transfer-wealth-history-070912
**http://www.slideshare.net/Pack22/it-security-market-overview-sept-12
3
Click Security Confidential
What Happened?
Massive
Network Attack Surface
Your
Defense
Signature-based
Defenses
The
Enemy
Intelligent, Stealthy,
Relentless, Motivated
IPS, Anti-X, Firewall
•
•
Complex
Constant Flux
Between 50% and 5%
effective
Staff
Numerous
“Based on some research
by the U.S. intelligence,
the total number of
•
•
•
•
•
4
Social Media
Consumerization of IT
IP Device Explosion
Mobility
Cloud Computing
$1B Revenue
x 5% on IT
x 10% on Security
x 30% on Staff
/ $200K/Yr loaded
7.5 Heads
Click Security Confidential
registered
hackers in China
is approaching
400,000.”
Infosecisland.com
Current Answer…
Event Management + Forensics
2012 Verizon Data Breach Investigations Report
Minutes – hours to execute a breach.
Days – months to discover.
5
Click Security Confidential
Better Answer…
Real-time Security Analytics
Catch This…
6
Click Security Confidential
Before This…
So Why Don’t We Catch Things in Real Time?
39%
35%
29%
29%
28%
28%
28%
23%
7
Click Security Confidential
A Recent Financial Services Attack
•
Actor accesses network and begins
operating from an internal system with a
reserved IP address
•
Actor attacks an internal web server with a
variety of HTTP-based attacks, including
buffer overflows and SQL injection
•
Victim of the HTTP attacks initiates HTTPS
connections with four more external
systems
•
Actor is sending malicious java to an
internal web server
•
Attacker is logged in, anonymously, to an
FTP server – and is actively transferring
data
•
Actor’s IP address is dynamically assigned
from China’s hinet.net, a broadband ISP –
and a well-known haven for hackers and
phishing activity
Attack
Reserved
IP
Address
Attack
Internal
Web
Server
Entry
Hacker
Attack
Internal
Web
Server
ExFil
$
8
Click Security Confidential
If This Happened to Your Company…
• Would you notice these alarms?
– Remember, one F/W @ 15K EPS = 1 Billion EPD
• Would you recognize their importance?
– High, Medium, Low severity?
• Would you know they were connected?
– e.g., how may IP addresses are involved here?
• Would you see them in time to be proactive?
– Or do you study them forensically?
• Do you even have staff to spend time on this?
– Are they skilled, experienced & with time on their hands?
9
Click Security Confidential
Why are Traditional Security Products Failing?
Social Networking
BYODevice
Cloud
Virtualization
IT Consumerization
Relentless Jiggling of Doors
Internal Beachheads
Mobility
Spear Phishing
Compromised Credentials
Covert Control and / or Exfiltration
• Too many holes to defend against a motivated attacker
• Not solvable with signature-based point-product solutions
• 286 million unique variations of malware- Symantec 2010
10
Click Security Confidential
Click Security’s Real-time Security Analytics
•
Get actionable intelligence
around the logs and alerts
that point products
produce…
–
But, takes you hours to days to
determine if it is a false positive
or false negative
•
Find anomalies in
logs/alerts that point
products miss
–
–
One product’s log or alert can
be (on its own) seemingly
innocuous
But, pieced together with
other actor information, it can
be a strong indicator of
compromise
Get situational awareness of your network and its actors
–
Automatically and in real-time
RtSA automates the analysis
which cost-effectively reduces business risk
from advanced malware and attackers
by reducing “time-to-detect”, “time-to-understand” & “time-to-act”
11
Click Security Confidential
Real-time Security Analytics Defined…
Event
•
•
•
– “two nouns and a verb”
John logged in through the VPN
John's PC attacked server X (IDS)
John's machine was blocked by firewall on port X or app Y (Firewall)
Analytic - “two nouns, a verb and some attribution (one or more adjectives)
• A piece of extra intelligence the system provides to an event or a group of events that
enhances the context of an event
• VPN user logged in from far location (simple context augmentation analytic)
• Total # bytes from John's PC to server X exceeded Y bytes (statistical analytic)
• John's PC is sending more traffic than in past 30 days (behavior learning analytic)
Security Analytic – “multiple analytics strung together (+ assessment + guidance)”
• An alert generated by a higher level analytic trigger when one or more analytics or
events fire in a given time period or in a given sequence
• EXAMPLE: Drive by Download analytic fired following by connection from client to
blacklisted host within 1 minute of download of the executable to client
Real-time Security Analytics Solution
• Perform large numbers of Security Analytics – FAST and with high ACCURACY
12
Click Security Confidential
Example Real-time Security Analytic
Real-time
Security Analytic
“I see a user coming into a critical server from an Android device in
Uganda that also has a connection to a blacklisted IP address in
China, and this same user logged in from Dallas 30 minute ago…”
Normal alerts…if you
actually notice them at
all…let alone soon
enough..
“I see a user tied
to an unusual
device”
“I see a flow to
a blacklisted IP
address”
“I see an access from
a strange location”
Collect, Cross-Contextualize and Examine for Anomalies in real-time…
Internet
Threats
13
Enterprise
Security
Events
Security
Policy
Authentication
Activity
Flow
Activity
Vulnerability
Assessment
User
Activity
Click Security Confidential
Access
Activity
Application
Activity
More Examples ...
14
•
•
•
User connected to IP address with bad reputation
Located in foreign countries or enemy networks
Machine facilitating lateral movement
•
•
•
Using many different IPs or usernames
Extreme numbers of consecutive failed logins
Using remote access protocols, such as SSH and RDP
•
•
•
Communicating via non-standard protocols or ports
Generating high event count or anomaly count
Active at odd hours
•
•
•
Participating in large data transfers or certain types of transfers
Using suspicious HTTP user-agents, methods or URIs
Generating large numbers of HTTP client or server errors
•
•
Generating certain sequences / collections of IDS alerts
Multiple systems acting in a coordinated fashion
Click Security Confidential
Real-Time Security Analytics (RtSA)
Click Analytics
Click Platform
Click Labs
15
•
Programmable Real-time Analytics
•
Captured Intelligence
•
“Lego” building blocks
•
Stream Processing Engine
•
Dynamic Visualizations
•
Interactive Workbooks
•
Highly Scalable
•
Security Threat Expertise
•
Protocol / Application Savvy
•
Module Development
•
Customer Environment Assessment
Click Security Confidential
RtSA in Use
ALERT
INVESTIGATE
Click Labs
Analytics Service
Dashboard
Dynamic
Workbooks
Module
Authoring
Click Analytics Stream Processing
Engine
Real-time
Stream Processing
Lockdown
16
Real-time
Investigation
Batch Process
Investigation
Click Security Confidential
•
System Health
Monitoring
•
Analytic Alert
Monitoring
•
Alert Investigation
•
Ad-Hoc Anomaly
Investigation
•
Incident & Status
Reporting
Real World Customer Example
Major Retailer, Monday May 13, 2013
Live
Network
& Security
Telemetry
Click Analytics
CLAS
CLAS
Incident Report
Stream Processing
Engine
General Findings
• Systems from all over the world are logging
into, or attempting to login to, a specific SSH
server at the customer
• Server at xx.xx.xx.xx is under heavy attack,
and a heavy majority of the attackers are
sourcing from the area in and around Beijing,
China
• One Attacker: xx.xx.xx.xx
• IP is located in China
• SANS Internet Storm Center, this IP has
been reported as an attacker since 2010,
with almost 50,000 targets and a
commensurate number of incident reports
17
Specific Findings
• Beach head appears to
have been compromised.
Patterns are consistent with
successful logins from
multiple remote hosts using a
minimal number of attempts.
• Beach head has accessed
4 internal systems. These
internal systems have
unpatched vulnerabilities
• Next layer of fanout
suggests as many as 70
systems involved.
Click Security Confidential
Conclusion
• Appears to be a
compromised
server that is being
used to move
laterally inside
customer network
• Significant
potential for
compromise and
data leakage
How We Are Different
Real-time Security
Analytics
Forensics
• Designed for
“Network DVR”
post analysis
Malware
Protection
SIEM
• Designed for log
management
• Simple alerting
• Short window of
persistence
• Requires PSO to
tune
• Deep “after the
fact” analysis
• Some real-time
alerting
• NGFW
• Good for
application • Simple analytics
anomalies
in nature
• Sandbox
Investigation
• Good for
identified
malicious or
anomalous ‘fileware’ or
communication
channels
Map
Reduced
Fast Log
Search
• Designed to
speed ad hoc
queries of logs
through
distributed data
store and
indexing
• Facilitates full
historical query
of log
information
• Good for
compliance
18
Click Security Confidential
• Designed to automate
the analyst
• Real-time
contextualization and
automated, interactive
analysis
• Long windows of
persistence
• Large # concurrent,
multi-factor analytics
• Integrates visibility,
anomaly, and incident
investigation across:
• Users / Devices
• Servers / Apps /
Flows
• Files
REAL-TIME SECURITY ANALYTICS
AUTOMATE THE ANALYSIS
19
Click Security Confidential
Related documents
BIG DATA ANALYTICS
BIG DATA ANALYTICS
Special Issue on Big Data in Education Internet users worldwide are
Special Issue on Big Data in Education Internet users worldwide are
Web Application Monitoring
Web Application Monitoring
Problem Solving - Must possess the ability and desire to “get their
Problem Solving - Must possess the ability and desire to “get their
Business Intelligence Lead (m|f)
Business Intelligence Lead (m|f)
Marketing Trends for Today: New Media to Reach Customers Better
Marketing Trends for Today: New Media to Reach Customers Better
Quality Planning Corporation, a unit of ISO, is an
Quality Planning Corporation, a unit of ISO, is an
Competitive Analysis - Green Technology Asia Pte Ltd
Competitive Analysis - Green Technology Asia Pte Ltd
New IBM Predictive Analytics Software
New IBM Predictive Analytics Software
BIG DATA AND THE FINANCIAL SECTOR April, 2015
BIG DATA AND THE FINANCIAL SECTOR April, 2015
Business Analytics 12 Hours Program Description
Business Analytics 12 Hours Program Description
DATA SCIENCE MIS0855 | Fall 2015 More on Predictive Analytics Laurel Miller
DATA SCIENCE MIS0855 | Fall 2015 More on Predictive Analytics Laurel Miller