4. 4 | Company Confidential
The Economist, November 2015
“Attackers will still get in (too much badly designed hardware and software is out there, and seemingly innocent websites can be doctored to infect computers that visit them). The only safe assumption is that your network is breached, and to make sure that you deal with intruders promptly—not after the 200-odd days which it typically takes.” - Edward Lucas
5. 5
The Economist, November 2015
“Many networks have no means of detecting a breach at all. And old-style cyber-security generates too many alerts: “false positives”, in the jargon. When a burglar alarm rings constantly, people ignore it. Now the combination of cleverer algorithms, better data collection, cheaper storage and greater processing power makes it easier to automate the detection of anomalous behaviour, and to work out who is up to what.” - Edward Lucas
6. 6
The Expanding Cyber Threat: Motive (Political, Ideological, Criminal)
7. 7
Damaging Data Breaches
8. 8
Common Security Challenges
• Connections Moving to Encrypted Channels
• Increased Load = poor performance
• Difficult to Deploy
• Potential lost visibility
• "Social Attack" – Employees will mix Personal with Professional
  • social tactics being used in around 20% of confirmed data breaches
  • 30% over larger time frame
  • the top three, phishing (72%), pretexting (16%), and bribery/solicitation (10%), represent the vast majority of social actions in the real world.
• 80% of data breaches involve exploitation of stolen, weak, default or easily guessable passwords
"Many data breach victims believe they are in isolation, dealing with sophisticated tactics and zero-day malware never seen before—we see otherwise. To us, few breaches are unique. In fact, our VERIS research indicates that at any given point in time, a small number of breach scenarios comprise the vast majority of incidents we investigate. There is tremendous commonality in real-world cyber-attacks. In fact, according to our RISK Team incident data set over the previous three years, just 12 scenarios represent over 60% of our investigations."
http://media.scmagazine.com/documents/214/verizon_data_breach_digest_53373.pdf
9. 9
Common Attack Scenario
• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command & Control
• Actions on Objective
10. 11
Prevention-Centric is Obsolete
“Advanced targeted attacks make prevention-centric strategies obsolete. Securing enterprises in 2020 will require a shift to information and people-centric security strategies, combined with pervasive internal monitoring and sharing of security intelligence.”
“By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches up from less than 10% in 2013.”
- Neil MacDonald
11. 12
Prevention-Centric is Obsolete
“For many enterprises there is a disconnect between the products they are buying and their effectiveness. "Many people are putting firewall, IPS, and antivirus in place thinking that intelligence is actually going to help them," Chenette said...”
“"Hope is not a strategy," said Chenette, so in order for companies to improve their security strategy, they need to realize that technology can fail. "Controls fail over time, and the worst outcome is that there is a breach because they had a control in place that should’ve detected," Chenette said.”
- Stephan Chenette, CEO, AttackIQ
12. 13
“Traditional Security” Creates Silos
• Security: Firewall, IPS, Malware, WAF, End Point
• Network: Routers, Switches, Wireless
• Directory Services: Active Directory, Users, Groups
• Data Management: Data Loss, Data in Motion, Data at Rest
• Email: Spam, Malware, Phishing
• Physical: Alarms, Surveillance, Access Control
Partners Have Engaged Their Customers With These Solutions For Years…
LogRhythm Makes These Pieces Work As A Single Security Eco System…
13. 14
Bringing it all into one place
14. 15
Big Data Analytics can best detect these threats
Prevention-centric approaches can stop common threats. However, advanced threats:
• Require a broader view to recognize
• Only emerge over time
• Get lost in the noise
A New Security Approach is Required
An Excellent Security Intelligence Platform Delivers:
• Big Data analytics to identify advanced threats
• Qualified and prioritized detection, reducing noise
• Incident response workflow orchestration and automation
• Capabilities to prevent high-impact breaches & damaging cyber incidents
15. 16
Data Exfiltration Can Be Avoided
Advanced threats take their time and leverage the holistic attack surface
Early neutralization = no damaging cyber incident or data breach
• Reconnaissance
• Initial Compromise
• Command & Control
• Lateral Movement
• Target Attainment: Exfiltration, Corruption, Disruption
16. 17
Security Intelligence Platform
Threat Lifecycle Management: End-to-End Detection & Response Workflow
• Collect & Generate: Forensic Sensor Data, Security Event Data, Log & Machine Data (example sources)
• Detect & Prioritize: User Analytics, Machine Analytics
• Qualify: Assess threat to determine risk and whether full investigation is necessary
• Investigate: Analyze threat to determine nature and extent of the incident
• Neutralize: Implement countermeasures to mitigate threat and associated risk
• Recover: Cleanup, Report, Review, Adapt
TIME TO DETECT spans Collect & Generate through Qualify; TIME TO RESPOND spans Investigate and Neutralize.
17. 18
Faster Detection & Response Reduces Risk
MTTD & MTTR scale: Months, Weeks, Days, Hours, Minutes (High Vulnerability / Exposed to Threats at the long end; Low Vulnerability / Resilient to Threats at the short end)
MEAN-TIME-TO-DETECT (MTTD): The average time it takes to recognize a threat requiring further analysis and response efforts
MEAN-TIME-TO-RESPOND (MTTR): The average time it takes to respond and ultimately resolve the incident
As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced
18. 20
Market Leadership: Certifications & Validations, Industry Awards, Company Awards, Company of the Year, Industry Analysts
19. 21
Nate.Traiser@logrhythm.com
Twitter @1832PRO
THANK YOU
Editor's notes
Jim Wineberg
Regional Account Manager – Mtn States & NW
Mobile: 970.214.5394
Email: jim.wineberg@logrhythm.com
Nate Traiser
Enterprise Sales Engineer – Mtn States & NW
Mobile: 720.935.7767
Email: nate.traiser@logrhythm.com
http://www.theworldin.com/article/10644/counter-hack
Show of hands:
• Who feels confident they can find a potential breach in their network?
• If YES, how confident are you?
• If NO, what are you doing about shining light on the dark areas of your network?
Key Talking Points:
Nation states are operating in a cyber cold war.
There is a lucrative growing cybercrime economy.
The growing cybercrime economy creates an ecosystem that lowers the bar for all threat actors to do bad things.
Notes:
There are increasing motivations for bad people to do bad things.
Politically motivated groups may be well-funded, well-educated, and looking for intellectual property to advance their own country’s GDP.
Ideological groups may be small pockets of individuals or crowd-sourced, using the Internet to connect like-minded people to create disruption, damage, or embarrassment for an organization.
Primarily criminally motivated groups are seeking financial reward and can be incredibly well-funded and organized. Regardless of motivation, all three resort to criminal actions to achieve their goals.
There are different motivations for hackers, but given social media and dark sites, different hackers/groups can collaborate or purchase intel from each other to achieve their own ends – a force multiplier for all bad actors.
Examples:
Political: Allegedly, North Korea is responsible for the mass data theft from Sony Entertainment as payback for releasing the movie “The Interview”.
Ideological: The Syrian Electronic Army is responsible for a number of website defacements; in Jan 2015 SEA hackers managed to infiltrate Le Monde’s publishing tool before launching a denial of service.
Criminal: A cyber attack exposed 11 million Premera Blue Cross members’ data, to sell the IDs on the black market and enable identity theft.
Key Talking Points:
1) Victims of damaging cyber breaches make the news every week – don’t become one of them!
2) These are just the high-profile breaches in the past 6 months – countless more happen all the time and don’t make headlines.
-----
Notes:
Bad actors have executed a series of high-profile, damaging data breaches. It seems like there’s someone new on the cover of the WSJ every week. This slide illustrates how much damage is being done.
Make sure to understand the difference between a data breach vs. just a compromise.
https://thehackernews.com/2015/12/hyatt-hotel-hack.html
https://thehackernews.com/2016/03/ddos-protection.html
https://cyber.ciab.com/2015/08/10/social-engineering-hack-costs-ubiquiti-networks-46-7-million/
https://linux.slashdot.org/story/16/02/24/1924229/linux-mint-hack-is-an-indicator-of-a-larger-problem
http://hackinstagram.net/
https://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitcoin/
http://www.cnbc.com/2015/12/02/vtech-hack-data-of-64m-kids-exposed.html
http://www.usatoday.com/story/tech/2015/06/12/office-of-personnel-management-hack-china/71146452/
http://www.hackbusters.com/news/stories/474978-landesk-hacked
http://arstechnica.com/security/2016/03/seagate-employees-w-2-forms-exposed-in-another-payroll-phish/
Perimeter applications and appliances are focused on what they do best – the perimeter. They provide a number of tools to effectively combat a large percentage of known threats, leveraging signature-based technologies, some DPI for protocol analysis, some user behavior (outbound requests only) and some sandboxing techniques.
Your employees and your business partners can be potential threat actors or targeted victims. It is important to not lose sight of the role humans play in data breaches.
• They are not leveraging new techniques – this is the same old story. After performing some initial recon (i.e. ping tools, nmap, Metasploit) against external-facing assets, they move their recon phase over to target acquisition. During the target acquisition phase, they identify and isolate their targets using the same platforms we all do business and pleasure on (LinkedIn, Facebook, Amazon, Twitter…). Some simple Google query hacking and they have the content they need to craft a very compelling email with an attachment.
• Once the target is primed, a zero-day payload is sent to the target via a spear-phishing email, and they sit back and wait for a call back to whatever command and control infrastructure they have in place. Could be a DynDNS server, could be a Twitter feed, could be a fast-flux network or FTP server.
• Once they’ve exploited your internal asset, they then use that account to gather other hashes or move laterally in the network to other high-value assets. Obviously the end goal here is to take your IP or customer data in the long term, and to build some redundancy so they can re-infiltrate your network in the future.
Key Talking Points:
A new approach is needed and Gartner agrees.
Detection and response growing from 10% of budget to 60% of budget
Notes:
The punchline is the Gartner quote saying that a prevention-centric approach is obsolete and that budgets are changing to reflect that reality. The industry is shifting from a focus on prevention to a more rounded approach including ability to detect and respond.
There has to be a better way of detecting these compromised accounts and assets internally, right?
There is – it starts with breaking down the security and infrastructure silos in the environment. You have 50+ applications and devices running on your networks; in some organizations it can be thousands. Some of these devices can communicate with each other, but not with any security context.
Even your IT staff can be segmented – your Exchange admin can be a different group or person from your firewall admin, and your desktop group can be completely separate from your security group. Not only are there technical silos, but also hierarchical silos that have been created over the years.
When we talk about breaking the silos, we’re specifically talking about finding a home for all of the contextual data your devices and users are creating within the network. The LogRhythm platform is uniquely designed to act as your log management layer for compliance, your SIEM for correlated and highly corroborated activities, with another layer and level of UBA (user behavior analytics), network threat analytics and endpoint analytics, so you can gain visibility into who is in your network, what they are doing, what risk they pose, and mitigate the risk before it becomes loss.
Combine this technology stack with people and process, and you have a readily defendable network.
Key Talking Points:
With traditional methods, threats get lost in the noise.
“Big Data” analytics can help solve this problem.
“Prioritized threats”
Notes:
Some things can be blocked and stopped, but only known threats in real-time, or otherwise you get in the way of the business. Analytics is needed to address the threats that get through. We use big data analytics to separate the signal from the noise. This slide also sets up our incident response message.
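The "separate the signal from the noise" step above, as an added Python example that is not LogRhythm code: weak signals from several independent log sources are clustered per host inside a time window, scored, and surfaced as one prioritized alarm only when at least two sources corroborate each other. The event shape, signal weights, ten-minute window, two-source rule and all sample events are constructed for illustration.

```python
"""Surface corroborated activity from noisy log sources.

Added example (not LogRhythm code). Event records, signal weights, the
ten-minute window and the two-source rule are all constructed choices for
illustration of qualified, prioritized detection.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, log source, signal type).
SAMPLE_EVENTS = [
    ("2016-03-01T09:00:00", "ws-17", "ad", "auth_failure"),
    ("2016-03-01T09:00:05", "ws-17", "ad", "auth_failure"),
    ("2016-03-01T09:00:09", "ws-17", "ad", "auth_failure"),
    ("2016-03-01T09:01:30", "ws-17", "ad", "auth_success"),
    ("2016-03-01T09:03:00", "ws-17", "endpoint", "new_scheduled_task"),
    ("2016-03-01T09:04:10", "ws-17", "firewall", "outbound_new_destination"),
    # A lone failed logon: everyday noise, never surfaces on its own.
    ("2016-03-01T10:15:00", "ws-42", "ad", "auth_failure"),
    # Repeated firewall hits from one source only: scores high but is not corroborated.
    ("2016-03-01T11:00:00", "srv-db1", "firewall", "outbound_new_destination"),
    ("2016-03-01T11:05:00", "srv-db1", "firewall", "outbound_new_destination"),
]

# Illustrative risk weight per signal type (constructed values).
SIGNAL_WEIGHTS = {
    "auth_failure": 1,
    "auth_success": 0,  # harmless alone; only matters after a failure burst
    "new_scheduled_task": 4,
    "outbound_new_destination": 3,
}

WINDOW = timedelta(minutes=10)   # events must cluster within this span
MIN_SOURCES = 2                  # corroboration: at least two independent sources
ALARM_THRESHOLD = 6              # minimum score before an analyst is paged


def parse_events(raw):
    """Turn the raw tuples into (datetime, host, source, signal) records."""
    return [(datetime.fromisoformat(ts), host, src, sig) for ts, host, src, sig in raw]


def corroborate(events, window=WINDOW, min_sources=MIN_SOURCES, threshold=ALARM_THRESHOLD):
    """Return one prioritized alarm per host whose activity clusters in
    `window`, spans `min_sources` log sources and scores at least `threshold`.
    Hosts with evidence from a single source never alarm, however noisy."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)

    alarms = []
    for host, evs in by_host.items():
        for i, (start, _, _, _) in enumerate(evs):
            cluster = [e for e in evs[i:] if e[0] - start <= window]
            sources = {e[2] for e in cluster}
            signals = [e[3] for e in cluster]
            score = sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals)
            # Pattern rule: a burst of failures followed by a success in the same window.
            if signals.count("auth_failure") >= 3 and "auth_success" in signals:
                score += 5
            if len(sources) >= min_sources and score >= threshold:
                alarms.append({
                    "host": host,
                    "score": score,
                    "sources": sorted(sources),
                    "first_seen": start.isoformat(),
                    "events": len(cluster),
                })
                break  # one alarm per host; qualification takes it from here
    # Highest risk first, so the analyst's queue is already prioritized.
    return sorted(alarms, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alarm in corroborate(parse_events(SAMPLE_EVENTS)):
        print(alarm)
```

On the constructed input only ws-17 alarms: its failed-then-successful logons, a new scheduled task and a first-seen outbound destination come from three sources inside ten minutes. The single failed logon on ws-42 and the repeated firewall hits on srv-db1 stay below the line, the latter despite a score at the threshold, because nothing from a second source corroborates it.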
Key Talking Points:
“Holistic attack surface”
Mission realization
Kill the threat easily
Previous breaches would’ve been avoided if detected early.
-----
Notes:
Goes further on our solution to show that damaging breaches can be avoided because the threat lifecycle takes time.
The lifecycle of a threat begins with reconnaissance. Find their way in by manipulating users, dropping USB keys in parking lot, compromising physical environment, etc. At some point, they will begin to engage with the environment and eventually compromise the system. If that compromise isn’t detected, they will take increasing control over the environment and move laterally toward their target, taking over accounts and systems until they attain their target, where the biggest damage is done: exfiltration, corruption, disruption, etc.
This is how threats work. If we can stop the attacker after the initial compromise, we can prevent the damaging breach.
Key Talking Points:
“Threats always evidenced in forensic data”
“Machine analytics is the future”
Unified Security Intelligence Platform best protects
Notes:
How do we actually measure detection and response and enable organizations to accelerate these processes?
MTTD: When a threat engages, there are tracks left behind. The first challenge is discovering this threat. User Analytics is done by people and works well, but it doesn’t scale well. Good place to take digs at Splunk. Machine Analytics is where we excel: analytics performed continuously by software, prioritizing threats. This is the future of threat discovery. This is where we lead the market and invest the most heavily. Qualification is about determining whether this is a threat that can bring us harm and requires more investigation.
MTTR: The next step is to investigate and determine if there is a real risk. If so, we need to mitigate the threat. These comprise time to respond. LR has an embedded case and security incident management facility that manages and streamlines the response process. An alarm comes in and can be moved to a case as part of an evidence locker; it can be annotated, PCAPs and files can be added, collaborators added, management centralized, a decision made on whether it’s an incident, and visibility provided to the CISO. Response can be organized, including automated SmartResponses.
The last step is Recover. We don’t really measure this because this can be done at your own pace. We do accelerate recovery because of our incident response facility.
What’s unique about LR is that our platform delivers this workflow end-to-end. This increases effectiveness and efficiency. Makes security teams their absolute best. We’ve seen lots of companies that have built something similar from a collection of different providers, with something like ArcSight, Splunk, maybe a custom built system and a bunch of spreadsheets, probably no machine analytics. This gives them an expensive and ineffective Frankenstein system. LR has spent 10 years building a purpose built workflow.
-----
Alternate:
LogRhythm’s Security Intelligence Platform is unique in the industry to unify all steps of the work flow within a single platform, creating greater efficiencies and effectiveness as a result.
Workflow step details:
Forensic Data: evidence of the threat will be captured in log and audit data, or captured via sensors on the endpoint or in the network.
Discover: This evidence must be discovered.
Discovery can be through user analytics, viewing dashboards, reports, running daily searches, etc.
But more likely via Machine Analytics given the volume and variety of activities on a daily basis. Machine analytics must leverage multiple analytical techniques and corroborate activities to surface those sets of activities requiring an analyst’s attention.
Qualify: A concerning activity has been discovered, but now must be qualified. The solution provides tools to quickly understand the activities surrounding a concerning event and qualify it as a threat: activities that appear to represent true harm intended to the organization.
Once the threat is qualified, the threat has been discovered. This can be measured as the time to detect. This now starts the clock on the response effort.
Investigate: Now that the threat is qualified, a fuller understanding of scope is required. How many hosts were impacted, which other user accounts, etc.? This requires collecting all of the evidence into a single repository and coordination across multiple analysts as necessary.
Mitigation: With full scope understood, the threat can be mitigated. Some countermeasures can be automated, such as disabling user accounts, quarantining hosts, or changing ACLs, while other mitigations will require the details of the investigation to be understood.
Once the threat is mitigated, it has been responded to. The organization can understand the time it took to respond.
Recover: While not as time-critical, the recovery step is important: fully understand how the threat was discovered, qualified, and mitigated in order to decrease MTTD and MTTR, and to identify other changes needed to the IT environment or user training.
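The measurement model in the workflow steps above (the detect clock runs from the first forensic evidence to qualification, the respond clock from qualification to mitigation, and recovery is tracked but not timed), together with the MTTD/MTTR time bands from slide 18, as an added Python example that is not LogRhythm's code. The Case record, its field names and every timestamp are constructed for illustration.

```python
"""Compute MTTD and MTTR from threat lifecycle timestamps.

Added example, not LogRhythm's code. It follows the measurement model in the
workflow notes: the detect clock runs from the first forensic evidence until
the threat is qualified; the respond clock runs from qualification until
mitigation; recovery is tracked but not timed. The Case record, its field
names and all timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Case:
    case_id: str
    first_evidence: datetime              # earliest log/sensor record tied to the threat
    qualified: datetime                   # analyst confirmed a real threat; detect clock stops
    mitigated: Optional[datetime] = None  # countermeasures applied; respond clock stops
    recovered: Optional[datetime] = None  # cleanup/review done; not part of MTTR


def _dt(text: str) -> datetime:
    return datetime.fromisoformat(text)


# Constructed cases: one long-undetected intrusion, one caught quickly, one still open.
SAMPLE_CASES = [
    Case("C-1", _dt("2015-08-01T08:00"), _dt("2015-11-20T08:00"),
         _dt("2015-11-22T08:00"), _dt("2015-12-01T08:00")),
    Case("C-2", _dt("2016-01-10T09:00"), _dt("2016-01-10T11:00"),
         _dt("2016-01-10T15:00")),
    Case("C-3", _dt("2016-02-03T22:00"), _dt("2016-02-04T02:00")),  # not yet mitigated
]


def time_to_detect(case: Case) -> timedelta:
    """Detect clock: first evidence in the data until the threat was qualified."""
    return case.qualified - case.first_evidence


def time_to_respond(case: Case) -> Optional[timedelta]:
    """Respond clock: qualification until mitigation; None while the case is open."""
    if case.mitigated is None:
        return None
    return case.mitigated - case.qualified


def _mean_timedelta(durations) -> timedelta:
    return timedelta(seconds=mean(d.total_seconds() for d in durations))


def mttd(cases) -> timedelta:
    """Mean time to detect across all cases (every case has a qualified time)."""
    return _mean_timedelta(time_to_detect(c) for c in cases)


def mttr(cases) -> timedelta:
    """Mean time to respond across mitigated cases; open cases are excluded
    rather than counted as zero, which would flatter the metric."""
    closed = [d for d in (time_to_respond(c) for c in cases) if d is not None]
    return _mean_timedelta(closed)


def exposure_band(duration: timedelta) -> str:
    """Bucket a mean time into the scale used on the MTTD/MTTR slide."""
    if duration < timedelta(hours=1):
        return "minutes"
    if duration < timedelta(days=1):
        return "hours"
    if duration < timedelta(weeks=1):
        return "days"
    if duration < timedelta(days=30):
        return "weeks"
    return "months"


if __name__ == "__main__":
    d, r = mttd(SAMPLE_CASES), mttr(SAMPLE_CASES)
    print(f"MTTD {d} ({exposure_band(d)}), MTTR {r} ({exposure_band(r)})")
```

With the constructed cases the single intrusion that sat unnoticed for 111 days drags MTTD into the "months" band even though the other two were qualified within hours, which is the point of the slide: the mean is dominated by the breaches nobody saw. The open case is left out of MTTR rather than counted as zero, so an unfinished response cannot make the metric look better.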
Key Talking Points:
“Mean-time-to-detect” and “Mean-time-to-respond”
Reduce risk of damaging cyber incident or data breach
Notes:
What’s the solution? Faster detection and faster response.
We’ve developed a model to assess your current maturity and ability to detect and respond to threats, which helps customers measure their overall security posture. Many studies show that MTTD and MTTR are measured in weeks and months, and companies that want to improve need the types of solutions we provide.