Recommandé
Contenu connexe
Similaire à LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
Similaire à LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx (20)
Plus de CNSHacking
Dernier
Dernier (20)
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
- 1. 1 | Company Confidential The Modern Cyber Threat Pandemic Nate Traiser Mtn Region Ent Sales Engineer Nate.Traiser@LogRhythm.com
- 2. 2 | Company Confidential When Times Were Simpler
- 3. 3 | Company Confidential Fast forward to
- 4. 4 | Company Confidential The Economist, November 2015 “Attackerswillstillgetin(toomuchbadlydesignedhardwareand softwareisoutthere,andseeminglyinnocentwebsitescanbe doctoredtoinfectcomputersthatvisitthem).Theonlysafe assumptionisthatyournetworkisbreached,andtomakesure thatyoudealwithintruderspromptly—notafterthe200-odd dayswhichittypicallytakes.“ -EdwardLucas
- 5. 5 | Company Confidential The Economist, November 2015 “Manynetworkshavenomeansofdetectingabreachatall.And old-stylecyber-securitygeneratestoomanyalerts:“false positives”,inthejargon.Whenaburglaralarmringsconstantly, peopleignoreit.Nowthecombinationofclevereralgorithms, betterdatacollection,cheaperstorageandgreaterprocessing powermakesiteasiertoautomatethedetectionofanomalous behaviour,andtoworkoutwhoisuptowhat.“ -EdwardLucas
- 6. 6 | Company Confidential The Expanding Cyber Threat Motive Political Ideological Criminal
- 7. 7 | Company Confidential Damaging Data Breaches
- 8. 8 | Company Confidential Common Security Challenges • Connections Moving to Encrypted Channels • Increased Load = poor performance • Difficult to Deploy • Potential lost visibility • "Social Attack" – Employees will mix Personal with Professional • social tactics being used in around 20% of confirmed data breaches • 30% over larger time frame • the top three, phishing (72%), pretexting (16%), and bribery/solicitation (10%), represent the vast majority of social actions in the real world. • 80% of data breaches involve exploitation of stolen, weak, default or easily guessable passwords "Many data breach victims believe they are in isolation, dealing with sophisticated tactics and zero-day malware never seen before—we see otherwise. To us, few breaches are unique. In fact, our VERIS research indicates that at any given point in time, a small number of breach scenarios comprise the vast majority of incidents we investigate. There is tremendous commonality in real-world cyber-attacks. In fact, according to our RISK Team incident data set over the previous three years, just 12 scenarios represent over 60% of our investigations." http://media.scmagazine.com/documents/214/verizon_data_breach_ digest_53373.pdf
- 9. 9 | Company Confidential Common Attack Scenario Weaponization Delivery Reconnaissance Command & Control Actions on Objective Exploitation Installation
- 10. 11 | Company Confidential Prevention-Centric is Obsolete “Advanced targeted attacks make prevention-centric strategies obsolete. Securing enterprises in 2020 will require a shift to information and people-centric security strategies, combined with pervasive internal monitoring and sharing of security intelligence.” “By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches up from less than 10% in 2013.” - Neil MacDonald,
- 11. 12 | Company Confidential Prevention-Centric is Obsolete “For many enterprises there is a disconnect between the products they are buying and their effectiveness. "Many people are putting firewall, IPS, and antivirus in place thinking that intelligence is actually going to help them," Chenette said...” “"Hope is not a strategy," said Chenette, so in order for companies to improve their security strategy, they need to realize that technology can fail. "Controls fail over time, and the worst outcome is that there is a breach because they had a control in place that should’ve detected," Chenette said.” - Stephan Chenette, CEO, AttackIQ
- 12. 13 | Company Confidential “Traditional Security” Creates Silos Security Firewall IPS Malware WAF End Point Network Routers Switches Wireless Directory Services Active Directory Users Groups Data Management Data Loss Data in Motion Data at Rest Email Spam Malware Phishing Physical Alarms Surveillance Access Control Partners Have Engaged Their Customers With These Solutions For Years….. LogRhythm Makes These Pieces Work As A Single Security Eco System…
- 13. 14 | Company Confidential Bringing it all into one place
- 14. 15 | Company Confidential Big Data Analytics can best detect these threats An Excellent Security Intelligence Platform Delivers: • Big Data analytics to identify advanced threats • Qualified and prioritized detection, reducing noise • Incident response workflow orchestration and automation • Capabilities to prevent high- impact breaches & damaging cyber incidents However, advanced threats: • Require a broader view to recognize • Only emerge over time • Get lost in the noise Prevention-centric approaches can stop common threats A New Security Approach is Required
- 15. 16 | Company Confidential Data Exfiltration Can Be Avoided Advanced threats take their time and leverage the holistic attack surface Early neutralization = no damaging cyber incident or data breach Initial Compromise Command & Control Lateral Movement Target Attainment • Exfiltration • Corruption • Disruption Reconnaissance
- 16. 17 | Company Confidential Security Intelligence Platform TIME TO DETECT TIME TO RESPOND Recover Cleanup Report Review Adapt Neutralize Implement countermeasures to mitigate threat and associated risk Investigate Analyze threat to determine nature and extent of the incident Threat Lifecycle Management: End-to-End Detection & Response Workflow Qualify Assess threat to determine risk and whether full investigation is necessary Detect & Prioritize User Analytics Machine Analytics Collect & Generate Forensic Sensor Data Security Event Data Example Sources Log & Machine Data Example Sources
- 17. 18 | Company Confidential Faster Detection & Response Reduces Risk High Vulnerability Low Vulnerability Months Days Hours Minutes Weeks MTTD & MTTR MEAN-TIME-TO-DETECT (MTTD) The average time it takes to recognize a threat requiring further analysis and response efforts MEAN-TIME-TO-RESPOND (MTTR) The average time it takes to respond and ultimately resolve the incident As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced Exposed to Threats Resilient to Threats
- 18. 20 | Company Confidential Market Leadership Certifications & Validations Industry Awards Company Awards Company of the Year Industry Analysts
- 19. 21 | Company Confidential Nate.Traiser@logrhythm.com Twitter @1832PRO THANK YOU
Notes de l'éditeur
- Jim Wineberg Regional Account Manager – Mtn States & NW Mobile: 970.214.5394 Email: jim.wineberg@logrhythm.com Nate Traiser Enterprise Sales Engineer – Mtn States & NW Mobile: 720.935.7767 Email: nate.traiser@logrhythm.com
- http://gizmodo.com/what-do-you-miss-most-about-the-early-days-of-the-inter-1653696250
- PWNED test: https://haveibeenpwned.com/ DDOS image taken from: https://nakedsecurity.sophos.com/2016/03/15/attacker-leaves-security-tips-after-invading-anti-ddos-firm-staminus/
- http://www.theworldin.com/article/10644/counter-hack
- http://www.theworldin.com/article/10644/counter-hack Show of hands: ? Who feels confident they can find a potential breach in their network? If YES, how confident are you? If NO, what are you doing about shining light to the dark areas of our network?
- Key Talking Points: Nation states are operating in a cyber cold war. There is a lucrative growing cybercrime economy. The growing cybercrime economy creates an ecosystem that lowers the bar for all threat actors to do bad things. Notes: There are increasing motivations for bad people to bad things. Politically motivated groups may be well-funded, well-educated, and looking for Intellectual Property to advance their own country’s GDP Ideological groups may be small pockets of individuals or crowd-sourced, used the Internet to connect like-minded to create disruption, damage, or create embarrassment for organization Primarily criminally motivated groups are seeking financial reward and can be incredibly well-funded and organized. Regardless of motivation, each three resort to criminal actions to achieve their goals There are different motivations for hackers, but given social media and dark sites different hackers/groups can collaborate or purchase intel from each other to achieve their own ends – force multiplier for all bad actors Examples: Political: Allegedly, North Korea is responsible for the mass data theft of Sony Entertainment as a pay back for releasing the movie, “The Interview” Ideological: The Syrian Electronic Army is responsible for a number of website defacements, including in Jan 2015 SEA hackers managed to infiltrate LeMonde’s publishing tool before launching a denial of service Criminal: A cyber attack exposed 11 million Premera Blue Cross members data to sell the IDs on the black market and enable identity thefts
- Key Talking Points: 1) Victims of damaging cyber breaches make the news every week – don’t become one of them! 2) These are just the high-profile breaches in the past 6mo – countless more happen all of the time and they don’t make headlines ----- Notes: Bad actors have executed a series of high-profile, damaging data breaches. It seems like there’s someone new on the cover of the WSJ every week. This slide illustrates how much damage is being done. Make sure to understand the difference between a data breach vs. just a compromise. https://thehackernews.com/2015/12/hyatt-hotel-hack.html https://thehackernews.com/2016/03/ddos-protection.html https://cyber.ciab.com/2015/08/10/social-engineering-hack-costs-ubiquiti-networks-46-7-million/ https://linux.slashdot.org/story/16/02/24/1924229/linux-mint-hack-is-an-indicator-of-a-larger-problem http://hackinstagram.net/ https://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitcoin/ http://www.cnbc.com/2015/12/02/vtech-hack-data-of-64m-kids-exposed.html http://www.usatoday.com/story/tech/2015/06/12/office-of-personnel-management-hack-china/71146452/ http://www.hackbusters.com/news/stories/474978-landesk-hacked http://arstechnica.com/security/2016/03/seagate-employees-w-2-forms-exposed-in-another-payroll-phish/
- Perimeter applications and appliances are focused on what they do best – the perimeter. They provide a number of tools to effectively combat a large percentage of known threats, leveraging signature based technologies, some dpi for protocol analysis, some user behavior (outbound requests only) and some sandboxing techniques Your employees and your business partners can be potential threat actors or targeted victims. It is important to not lose sight of the role humans play in data breaches.
- >They are not leveraging new techniques – this is the same old story. After performing some initial recon (ie: ping tools, nmap, metasploit) against external facing assets, they move their recon phase over to target acquisition. During the target acquisition phase, they identify and isolate their targets using the same platforms we all do business and pleasure on (linkedin, facebook, amazon, twitter…). Some simple google query hacking and they have the content they need to craft a very compelling email with an attachment. >Once the target is primed, a zero day payload is sent out to the target via a spear phishing email, and they sit back and wait for a call back to whatever command and control infrastructure the have in place. Could be a dyndns server, could be a twitter feed, could be a fast flux network or ftp server. >Once they’ve exploited your internal asset, they then use that account to gather other hashes or move laterally in the network to other high value assets. Obviously the end goal here is to take your IP, or customer data in the long term and build some redundancy so they can re-infiltrate your network in the future.
- Key Talking Points: A new approach is needed and Gartner agrees. Detection and response growing from 10% of budget to 60% of budget Notes: The punchline is the Gartner quote saying that a prevention-centric approach is obsolete and that budgets are changing to reflect that reality. The industry is shifting from a focus on prevention to a more rounded approach including ability to detect and respond.
- http://www.csoonline.com/article/3042601/security/defense-in-depth-stop-spending-start-consolidating.html
- There has to be a better way of detecting these compromised accounts and assets internally right?, There is – its starts with breaking down the security and infrastructure silos in the environment. You have 50+ applications and devices running on your networks. Some organizations it can be thousands. Some of these devices can communicate with each other but it’s not contextually around security. Even your IT staff can be segmented – your Exchange admin can be a different group or person from your firewall admin, and your desktop group can be completely separate from your security group. Not only are there technical silos, but also hierarchical silos that have been created over the years.
- When we talk about breaking the silos, we’re specifically talking about finding a home for all of the contextual data all your devices and users are creating within the network. The LogRhythm platform is uniquely designed to act as your log management layer for compliance, your SIEM for correlated and high corroborated activities, with another layer and level of UBA (user behavior analytics), network threat analytics and endpoint analytics so you can gain visibility into who is in your network, what they are doing, what risk they pose and mitigate the risk before it becomes loss. Combine this technology stack with people and process, and you have a readily defendable network.
- Key Talking Points: With traditional methods, threats get lost in the noise. “Big Data” analytics can help solve this problem. “Prioritized threats” Notes: Some things can be blocked and stopped, but only known threats in real-time, or otherwise you get in the way of the business. Analytics is needed to address the threats that get through. We use big data analytics to separate the signal from the noise. This slide also sets up our incident response message.
- Key Talking Points: “Holistic attack surface” Mission realization Kill the threat easily Previous breaches would’ve been avoided if detected early. ----- Notes: Goes further on our solution to show that damaging breaches can be avoided because the threat lifecycle takes time. The lifecycle of a threat begins with reconnaissance. Find their way in by manipulating users, dropping USB keys in parking lot, compromising physical environment, etc. At some point, they will begin to engage with the environment and eventually compromise the system. If that compromise isn’t detected, they will take increasing control over the environment and move laterally toward their target, taking over accounts and systems until they attain their target, where the biggest damage is done: exfiltration, corruption, disruption, etc. This is how threats work. If we can stop the attacker after the initial compromise, we can prevent the damaging breach.
- Key Talking Points: “Threats always evidenced in forensic data” “Machine analytics is the future” Unified Security Intelligence Platform best protects Notes: How do we actually measure detection and response and enable organizations to accelerate these processes? MTTD: When a threat engages, there are tracks left behind. The first challenge is discovering this threat. User Analytics is done by people and works well, but it doesn’t scale well. Good place to take digs at Splunk. Machine Analytics is where we excel. Analytics performed continuously by software. Prioritize threats. This is the future of threat discovery. This is where we lead the market and invest the most heavily. Qualification is about determining whether this is a threat that can bring us hard that requires more investigation. MTTR: The next step is to investigate and determine if there is a real risk. If so, need to mitigate the threat. These comprise time to respond. LR has an embedded case and security incident management facility that manages and streamlines the response process. An alarm comes in and can be moved to a case as part of an evidence locker, it can be annotated, add PCAPs and files, add collaborators, centralize management, determine if it’s an incident, provide visibility to CISO. Can organize response, including automated SmartResponses. The last step is Recover. We don’t really measure this because this can be done at your own pace. We do accelerate recovery because of our incident response facility. What’s unique about LR is that our platform delivers this workflow end-to-end. This increases effectiveness and efficiency. Makes security teams their absolute best. We’ve seen lots of companies that have built something similar from a collection of different providers, with something like ArcSight, Splunk, maybe a custom built system and a bunch of spreadsheets, probably no machine analytics. This gives them an expensive and ineffective Frankenstein system. LR has spent 10 years building a purpose built workflow. ----- Alternate: LogRhythm’s Security Intelligence Platform is unique in the industry to unify all steps of the work flow within a single platform, creating greater efficiencies and effectiveness as a result. Workflow step details: Forensic Data; evidence of the threat will by captured in log and audit data, or captured via sensors on the endpoint or in the network. Discover: This evidence must be discovered. Discovery can be through user analytics, viewing dashboards, reports, running daily searches, etc But more likely via Machine Analytics given the volume and variety of activities on a daily basis. Machine analytics must leverage multiple analytical techniques and corroborate activities to surface those sets of activities requiring an analysts’ attention Qualify: A concerning activity has been discovered, but now must be qualified. The solution provides tools to quickly understand the activities surrounding a concerning event to qualify as a threat, activities that appear to represent true harm intended to the organization Once the threat is qualified, the threat has been discovered. This can be measured as the time to detect. This now starts the clock on the response effort. Investigate: Now that the threat is qualified, a fuller understanding of scope is required. How many hosts were impacted, other user accounts, etc? This requires collecting all of the evidence into a single repository and coordination across multiple analysis as necessary. Mitigation: With full scope understood, the threat can be mitigated. Some countermeasures can be automated, such as disabling user accounts, quarantining hosts, or changing ACLs while other mitigations will require the details of the investigation to be understood. Once the threat is mitigated, it has been responded to. The organization can understand the time it took to respond. Recover: While not as critically time-bound but important, is a recovery step to fully understand how the threat was discovered, qualified, and mitigated to understand how to decrease MTTD and MTTR, as well as other changes to the IT environment or User Training.
- Key Talking Points: “Mean-time-to-detect” and “Mean-time-to-response” Reduce risk of damaging cyber incident or data breach Notes: What’s the solution? Faster detection and faster response. We’ve developed a model to assess your current maturity and ability to detect and respond to threats. Help customers measure their overall security posture. Many studies show that MTTD and MTTR are measured in weeks and months, and companies that want to improve need the types of solutions we provide.