1. THE STATE OF THREAT DETECTION 2018
It's time to lean forward
LIVE WEBINAR
2. © Fidelis Cybersecurity
Agenda
• Introductions
• 2018 in a Nutshell
• Temperature Check
• Pain Points
• Definitions
• Threat Hunting Plans

Speakers
• Bob Flores, former CIA CTO and current Advisor, Fidelis Cybersecurity
• Tom Clare, Product/Technical Marketing, Fidelis Cybersecurity
3. 2018 in a Nutshell
• Email is still delivering the vast majority of malware, with some reports claiming that as much as 92% of attacks are still delivered by email
• The use of sandboxes means attackers are getting better at using phishing, social engineering and drive-by downloads to gain initial footholds in private domains
• Over 50% of attacks are file-less, with macros and PowerShell scripts evading preventive defenses
• The number of ransomware attacks has fallen, while cryptocurrency mining is stepping up; reports suggest $1 billion in cryptocurrency has so far been stolen in 2018
• Cyber-attacks are the biggest concern for businesses in Europe, Asia and North America, according to a new survey of executives by the World Economic Forum (WEF)
4. Attackers are Breaching Defenses: How are organizations responding?
Fidelis conducted a study of 582 security professionals to evaluate the adoption of threat hunting practices and overall threat detection strengths and weaknesses.
REGION
› Europe: 25%
› USA: 29%
› Global: 36%
› Other: 10%
JOB TITLE
› CISO/CIO/CTO: 10%
› VP/Director/Manager: 36%
› Architect/Engineer: 27%
› Analyst: 16%
› Other: 12%
COMPANY SIZE
› Large Enterprise (5000+ employees): 39%
› Medium Enterprise (1000-4999 employees): 18%
› Medium Business (250-999 employees): 19%
› Small Business (1-249 employees): 24%
5. Temperature Check - Preventive Defenses
How effective do you believe your preventive defenses to be against targeted attacks?
• Highly effective: 28%
• Effective: 50%
• Not very effective: 10%
• Do not know: 11%
Only 28% of respondents said that they felt their solutions were highly effective. AV-Test industry averages for real-time prevention are 97.4% for Android, 99.7% for macOS and a resounding 100% for Windows.
33% of financial organizations said they believed their solutions to be highly effective; insurance (28%) and technology (25%) organizations followed closely behind. Just 4% of manufacturing organizations deemed their preventive solutions to be highly effective.
6. Temperature Check - Detection Capabilities
How effective do you believe your post-breach detection to be?
• Highly effective: 21%
• Effective: 53%
• Not very effective: 13%
• Do not know: 14%
Just 21% of respondents said they perceive their post-breach detection measures to be highly effective. 68% do not have an Endpoint Detection and Response solution, and 25% of all participants stated that they do not have a detection and response strategy in place at all.
Healthcare organizations were the least confident, with just 5% saying they trusted their detection and response capabilities to be highly effective.
7. Pain Points
What are the main issues facing your organization?
• Insufficient security resources: 33%
• Lack of automation for IR and investigations: 30%
• Alert overload: 29%
• None of the above: 24%
• Too many disparate tools for IR and investigations: 21%
• Mean time to detect is too long: 18%
• Mean time to respond is too long: 16%
The three most-cited concerns were insufficient security resources (33%), lack of automation for IR and investigation (30%) and alert overload (29%).
8. Pain Points by Job Title
• CISO/CIO/CTO: alert overload 41%; lack of automation 41%; insufficient security resources 34%
• Architect: lack of automation 51%; insufficient security resources 36%; too many disparate tools for IR and investigations 36%
• Analyst/Researcher: insufficient resources 33%; alert overload 28%; lack of automation 24%
9. Priorities
How important to you is detecting post-breach attacks in the first few minutes and hours?
• Very important: 62.61%
• Important: 24.87%
• Not very important: 4.52%
• Do not know / this isn't my area of expertise: 8.00%
Industry call-outs shown against each response:
• Very important: Oil/Gas/Utilities 81%; Finance/Banking 72%; Manufacturing 43%; State and Local Gov 56%
• Important: Manufacturing 47%; State and Local Gov 30%; balance among other industries
• Not very important / Do not know: Education 21%; State and Local Gov 12%
10. The Knowledge Gap
• The mission brief provided key intel on the first challenge
• Participants who read the brief averaged ~100 commands
• Those who did not read it used spray-and-pray efforts
• Knowledge gained before and during the phases reduces the knowledge gap and the number of commands needed
• Over time, hackers become quieter and harder to detect
• Early detection is critical
• Deception layers need to be automatically kept current and dynamic
11. How are Organizations Detecting Attacks?
• SIEM or log/event monitoring (SIM/SEM): 63%
• Endpoint Detection and Response (EDR): 55%
• Data Loss Prevention (DLP): 38%
• User/Entity Behavior Analytics (UEBA): 28%
• Do not know / this isn't my area of expertise: 20%
• Deception defense platforms: 15%
12. What About Threat Hunting?
First, let's define it.
Threat Detection
• Multiple detection techniques: signatures, patterns, rules, statistics, sandboxing, emulation, anomaly detection, machine learning, behavior analysis, etc.
• Matching IoCs and IoAs, both in real time and retrospectively
• Query, search, pivot: logs, events, SIEM, data lakes, metadata, etc.
Threat Modeling
• A proactive process to improve application, system and network security
• Assessing potential risks, threats and vulnerabilities, often from an attacker's perspective
• Enumerating and prioritizing countermeasures to address the effects
• Increasingly important for cloud, IoT and autonomous converged IT/OT solutions
Threat Hunting
• A proactive, analyst-centric, iterative and interactive ad hoc process
• Driven by expert, intuitive hypotheses that assume a breach
• Combines security expertise, data analyst skills and creative thinking, applied to a knowledge base spanning applications, systems and networks
13. What is NOT Threat Hunting…
• Threat hunting is triggered by SIEM or AV alerts…
• Investigating the most frequent AV alert for root cause and hunting on it…
• Constantly monitoring and investigating any suspicious activity or anomalies…
• Non-baseline behavior or triggered events drive analyst investigations…
• Reviewing many logs within a SIEM and developing custom queries…
• Using Endpoint Detection & Response (EDR) to match TI and IOCs…
• Better alert triage or improved investigation capabilities…
• Searching through a data lake…
14. Who is doing it?
Does your security team currently engage in threat hunting?
• No, and we do not have plans to: 42%
• No, but we have plans to within the next year: 21%
• Yes, we currently have threat hunters: 37%
15. Threat Hunting by Industry
Organizations who are threat hunting:
• Finance/Banking: 46%
• Insurance: 44%
• Federal public sector: 38%
• Services: 36%
• Education: 36%
• Health care: 36%
• Oil/Gas/Utilities: 36%
• Technology: 30%
• State & local government: 28%
• Other: 26%
• Manufacturing: 25%
16. What's Stopping us from Threat Hunting?
• We don't have the time: 48%
• Team doesn't have the skills: 35%
• We don't have the visibility: 4.4%
• We don't think it's necessary: 12.4%
86% of those who do not threat hunt want to but can't, due to lack of time, skills and visibility.
17. Threat Hunting Evolution
Progression shown on the slide, from reactive detection to proactive hunting:
• Tooling: AV → IDS → events/logs → SIEMs → data lakes → ML/analytics → NTA/sensors → EDR
• Inputs: reactionary indicators → internal skills & resources → 3rd party threat intelligence → internal threat intelligence, skills, training, services and platforms
• Outcome: detection → detection → proactive hunting
Metadata: indexed and ready to query; 90% of the content for 20% of the storage fees
18. Types of Metadata
• Investigation and response: alert pivots and hunting by switching between the content and the context of sessions
• Automatic retrospective application of threat intelligence
• Cross-session correlation, plus security analytics
• Network visibility & profiles: see patterns not seen in firewall logs or SIEM dashboards
• Anomaly detection: frequent and rare instances of attributes, plus cross-session, multi-faceted and behavioral analysis
Plus custom tags!
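Slides 12, 13 and 18 draw a line between detection (matching IoCs in real time and retrospectively) and hunting (a hypothesis that assumes a breach, tested against stored metadata), and list retrospective threat-intelligence application and rare-attribute anomaly detection as the things indexed session metadata makes practical. The Python below is an added example written for this page, not Fidelis code or product output. It runs a newly published indicator over sessions that were stored before the indicator existed (retrospective detection), then, with no indicator at all, tests the hypothesis that an implant is beaconing from a host whose TLS client fingerprint no other host shares (hunting). The session records, the field names, the documentation-range IP addresses and the JA3 placeholder values are all constructed for the example.

```python
"""Retrospective IOC matching and a hypothesis-driven beacon hunt over indexed
session metadata. Added example for this page, not Fidelis code; every record
and field name below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from typing import Dict, List, Set, Tuple

Session = Dict[str, str]

# Constructed sample metadata: one record per network session, in the shape a
# sensor that indexes metadata rather than full packets might store (assumed
# field names). JA3 values are placeholders, not real fingerprint hashes.
SESSIONS: List[Session] = [
    # 10.0.1.15 connects to 198.51.100.23 every 300 s with a client fingerprint
    # and User-Agent that no other host on the network uses.
    {"ts": "2018-11-02T08:00:00+00:00", "src": "10.0.1.15", "dst": "198.51.100.23", "ja3": "ja3-implant", "ua": "Updater/1.0"},
    {"ts": "2018-11-02T08:05:00+00:00", "src": "10.0.1.15", "dst": "198.51.100.23", "ja3": "ja3-implant", "ua": "Updater/1.0"},
    {"ts": "2018-11-02T08:10:00+00:00", "src": "10.0.1.15", "dst": "198.51.100.23", "ja3": "ja3-implant", "ua": "Updater/1.0"},
    {"ts": "2018-11-02T08:15:00+00:00", "src": "10.0.1.15", "dst": "198.51.100.23", "ja3": "ja3-implant", "ua": "Updater/1.0"},
    {"ts": "2018-11-02T08:20:00+00:00", "src": "10.0.1.15", "dst": "198.51.100.23", "ja3": "ja3-implant", "ua": "Updater/1.0"},
    # Ordinary browsing from three other hosts that share one browser fingerprint.
    {"ts": "2018-11-02T08:01:00+00:00", "src": "10.0.1.20", "dst": "203.0.113.10", "ja3": "ja3-browser", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2018-11-02T08:07:00+00:00", "src": "10.0.1.20", "dst": "203.0.113.11", "ja3": "ja3-browser", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2018-11-02T08:30:00+00:00", "src": "10.0.1.21", "dst": "203.0.113.10", "ja3": "ja3-browser", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2018-11-02T08:32:00+00:00", "src": "10.0.1.22", "dst": "203.0.113.12", "ja3": "ja3-browser", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
]

# Metadata field each indicator type is matched against (assumed mapping).
IOC_FIELDS = {"ip": "dst", "ja3": "ja3", "ua": "ua"}


def retro_match(sessions: List[Session], indicators: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Detection applied retrospectively: run a set of indicators (e.g. a feed
    published today) over sessions stored before those indicators existed.
    Returns (session index, indicator type, matched value) for every hit;
    indicator types with no known field are skipped rather than matched on nothing."""
    hits = []
    for i, s in enumerate(sessions):
        for ioc_type, values in indicators.items():
            field = IOC_FIELDS.get(ioc_type)
            if field is not None and s.get(field) in values:
                hits.append((i, ioc_type, s[field]))
    return hits


def rare_attribute_values(sessions: List[Session], field: str, max_hosts: int = 1) -> Dict[str, Set[str]]:
    """Rare-instance hunt: values of `field` seen from at most `max_hosts` distinct
    source hosts. Rarity is counted per host, not per session, so a chatty implant
    cannot make its own fingerprint look common by talking a lot."""
    hosts_by_value: Dict[str, Set[str]] = defaultdict(set)
    for s in sessions:
        hosts_by_value[s[field]].add(s["src"])
    return {v: hosts for v, hosts in hosts_by_value.items() if len(hosts) <= max_hosts}


def pivot(sessions: List[Session], field: str, value: str) -> List[Session]:
    """Cross-session pivot: every stored session sharing one attribute value."""
    return [s for s in sessions if s.get(field) == value]


def beacon_candidates(sessions: List[Session], min_sessions: int = 4, max_jitter: float = 0.1) -> List[Tuple[str, str, float]]:
    """(src, dst, mean period in seconds) for source/destination pairs whose
    inter-session gaps are nearly constant (coefficient of variation <= max_jitter)."""
    times_by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for s in sessions:
        times_by_pair[(s["src"], s["dst"])].append(datetime.fromisoformat(s["ts"]).timestamp())
    out = []
    for (src, dst), times in sorted(times_by_pair.items()):
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            out.append((src, dst, mean))
    return out


def hunt_covert_beacons(sessions: List[Session]) -> List[Tuple[str, str, float]]:
    """Hypothesis: an implant we hold no indicator for is beaconing over TLS from a
    host whose JA3 fingerprint no other host shares. Periodicity and rarity are
    combined because either test alone is noisy (NTP and monitoring agents beacon;
    one-off fingerprints come from odd but benign clients)."""
    rare_hosts: Set[str] = set().union(*rare_attribute_values(sessions, "ja3").values())
    return [c for c in beacon_candidates(sessions) if c[0] in rare_hosts]


if __name__ == "__main__":
    # A feed that names the C2 address after the fact: retrospective match finds all five sessions.
    print(retro_match(SESSIONS, {"ip": {"198.51.100.23"}}))
    # With no indicator at all, the rarity + periodicity hypothesis surfaces the same host.
    print(hunt_covert_beacons(SESSIONS))
```

The two calls make the slides' distinction concrete: `retro_match` can only confirm what an indicator already states, and finds nothing until a feed names the server; `hunt_covert_beacons` starts from an assumption about attacker behaviour and would have surfaced the same host on the day the implant first checked in. The thresholds (at least four sessions, 10% jitter, a fingerprint unique to one host) are starting points for an analyst to tune per hypothesis, not detection rules; implants that add random sleep need a wider jitter window and a longer look-back, which is exactly why the hunt wants retained metadata rather than live alerts.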
19. Improving Threat Detection and Hunting in 2019
We suggest 3 areas of focus to improve threat detection capabilities in the coming year:
1. Collect metadata
2. Incorporate internal and 3rd party threat intelligence
3. Develop the skill sets for threat hunting and threat detection