Today’s business world is online and as such is inherently chock full of cyber risks. Cybercriminals continue to take advantage of system vulnerabilities and social engineering to target personally identifiable information, credit card numbers, trade secrets and more. Although there are hundreds of security solutions, products and consultants that claim to solve and address data breaches, the traditional, tactical approach to security is not working. Evaluated cyber intelligence is trapped in your systems, applications and employees – and making that intelligence easily available and quickly understood can help your organization significantly reduce the cyber risks it faces and improve its business resilience. This presentation examines how to reduce your cyber risks by unlocking the door to evaluated intelligence. Learn: • Why the traditional threat intelligence approach is not addressing the problem • Why it’s not just about adding on more security layers, but shifting your cybersecurity approach • How to mine both your tactical and strategic cyber data for improved operational intelligence • How to derive immediate visual insights of relevant trending cyber problems through security analytics

1. How to Access and Make Use
of Your “Trapped” Cyber Data
to Reduce Your Risk

2. Today’s Speakers
2
Jason Polancich
Founder & Chief Architect
SurfWatch Labs
Mustafa Rassiwala
Director, Product Management
Platfora

3. Freeing Your Trapped
Security Data!
Case Study: “Chocolate and Peanut Butter”
Extending A Manufacturing Company SIEM
+
3

4. Bridge the Gap Between
Low-Level Tactics & Strategic Insights
4

5. 5
SIEM Can Be Even More Powerful…

6. … How?
• Add the Strategy Piece: Low-level
threat intel is only small part of the
full picture of risk
• Stop Navel-Gazing: An outside
and inside view is necessary!
• Start Meerkat-ing: Situational
awareness makes every defense
operation better
• Make it Mean Something for
Everyone: Connect security to
business operations
• Enable Sustained Diligence:
Both inside and outside of SECOPS
6

7. Customer Profile
Tech/Security Environment
•Geographically dispersed IT locations
•Lots of data sources, few source types
•Centralized SIEM analysis
•Historical SIEM data storage
•Focus on low-level, internal threat intel
•Static intel reporting and reactive alerting
•No strategic intelligence analysis function
7
Large Multi-National
Manufacturing and
Consumer Goods
with Deep and Wide
Supply Chain

8. It All Starts with Data …
8

9. 9
Intuitive, Simple & Standardized

10. SIEM + Threat Intel
10

11. Instant Insights
11

12. Deep-Dive Analysis
and Discovery
12
PETABYTE
S
OF DATA
HADOOP PLATFOR
A
HDFS ANALYTIC
S
Network Security
Data
Endpoint
Security
Data
Data Center
Security Data
SIEM
Log/event
Data
(30 days)
A complement to SIEM.
Security Analyst uses
Platfora for investigating
incidents:
– User Behavior Analytics
– Network Data Based
Analytics
– Device Communication
Analytics
– Information Flow
Analytics
More Data & Business
Context (Multi-Structured)
IT & Business
Data
Unlimited
Data

13. Using Analytics to
Understand the
Impact of Cyber
Over Time

14. 14
A Typical Data Breach
Lasts 243 Days
Recon
•Social
Engineering
•Network Layout
Weaponization
•Targeted Malware
Exploit / Install
•Lateral Movement
C2C / Exfil
•Command Communication
•Data Exfiltration
Delivery
•Spear Phishing
•Watering Hole Attacks
DAY 1 DAY 243
Multiple Attempts at
each stage of the
attack
Multiple Attempts at
each stage of the
attack
Fingerprint of attack in
Log files and security
events
Fingerprint of attack in
Log files and security
events

15. 15
Anunak Gang Targeting
Financial Institutions
C2C / Exfil
•Gain access to server and
banking system admin
workstations
•Install software for monitoring
key system operators
•Remote access to servers of
interest
Delivery
•Spear Phishing Email to Bank
Employee
•From Government Email Acct
•Deliver new payload to existing
malware
Recon
•Government and Banking Partners
•Partnership with Bot Operators
•Search for Existing malware already
installed in banking environment
Weaponization
•Mimikatz
•MBR Eraser
•SoftPerfect Network Scanner
•Cain and Abel
Exploit / Install
•Password of admin user on local machine
•Legitimate access to one server
•Compromise domain admin password from one
server
•Gaining access and compromise to domain
controller accounts
•Gain access to email servers
FINANCIAL INSTITUTION APT

16. 16
C2C / Exfil
•Pass the Hash Attack
•VPN Connection from external
source to maintain continuous
access
•Covert TCP Channel bounced
across servers
Delivery
•Targeted Phishing Email
•URL Link to Fake Game Site
•Download of Game – Install
backdoor on user machine
•Installing Password Scrapping
and network scanning tools
Recon
•Controlling “bounce” machines
across the globe
•Social
Media/LinkedIn/Usergroups/Su
pport Forums etc
•Corporate Website/Local
Events
Weaponization
•Password Scrapping Tools
•NetCat Backdoor
•Remote Access Tools
•Fake Game Download Site
•Other Techniques – Watering
Hole Attacks
Exploit / Install
•Backdoor Trojan Installation
•Network scans for open ports and
services
•Connect to multiple fileshares
•Overwrite notepad.exe with malicious
backdoor
TECHNOLOGY ORGANIZATION
APT – SOURCE CODE BREACH

17. 17
C2C / Exfil
•Buffer Overflow Attack on
Backup Program
•Installation of Sniffer to watch
internal traffic
•Port Scan of Server
•SQL Injection on Web Application
•Access to database records of
millions of Credit Card
Delivery
•Ping Sweep
•Reverse DNS lookup of Server IP
•Port Scan
•Password Guessing – connect to
FTP Server
Recon
•Store Expansion Information
•Physical scouting of the stores
•Network Scanning
•Detect Open Ports for TCP
and UDP. Discover webserver
and DNS server
Weaponization
•Wireless LAN Assessment Tool
•MAC Address Detection from SSID
•MAC Address Spoofing
Exploit / Install
•Network Exploration
•Connection over VPN to FTP servers
across network
•Access to Credit Card Data
RETAIL ORGANIZATION APT –
POINT OF SALE (POS) BREACH

18. 18
Major Challenges When
Detecting Breaches
Exploit / Install
Recon
Weaponization
C2C / ExfilDelivery
243 DAYS
Difficult to Recognize
Sequence of Attacks
in Petabytes of Data
Difficult to Recognize
Sequence of Attacks
in Petabytes of Data
Data Silos Make it
Hard to Understand
your Critical Business
Data
Data Silos Make it
Hard to Understand
your Critical Business
Data

19. 19
Suspicious File Downloaded by UserA–
Possible Spear Phishing Attack
Incident Detected
in SIEM
Security Analyst
Investigates
Analyze file download pattern
for the Joe over last 6 months –
Compare against Org and Dept
Statistics
Analyze device behavior
anomalies – Examine data over
last 6 months and compare
against various dimensionsAnalyze source of
download – analyze all
communication to source
domain across org and dept
over last 6 months
Analyze all communication
path of device and Joe to
uncover if attack has spread
1
24
3
!

20. 20
Malformed Image File Spread –
SQL Injection Based Attack
Incident Detected
in SIEM
Security Analyst
Investigates
Analyze all recent incidents
related to user and device and
compare over last 6 months
(Various Statistics)
Analyze communication
between endpoint and
internal web server
Analyze webserver
compromise - internal and
external communication
mapped and analyzed for
anomalies
Follow trail of SQL Injection
attack followed by compromise
of customer accounts and
malformed file upload
1
24
3
!

21. 21
User Account Compromise –
VPN Authentication Errors
Incident Detected
in SIEM
Security Analyst
Investigates
Analyze VPN Access pattern of
user over last 6 months –
compare against Org and Dept
Analyze all failed and
successful authentication for
user over last 6 months –
compare against Org and Dept
User Behavior Analytics –
file downloads, URL access,
application access etc
Device Behavior Analytics –
destinations, bytes, protocols,
ports etc
1
2
4
3
!

22. 22
Detecting Breaches Through
Security Investigations
Forest
through
the Trees
Understand
Business
Data
Iterate
and
Pivot
Petabytes
of Data

23. 23
Big Data Security Analytics
Forest
through
the Trees
Understand
Business
Data
Iterate
and
Pivot
Petabytes
of Data
Visualization End to End
Platform
Hadoop/HDFS
Analytics
Map
Reduce/Spark
Connect
Variety of
Data
Security
Analyst

24. 24
Security Incident Investigation

25. 25
Security Incident Investigation

26. 26
Security Incident Investigation

27. 27
User Behavior Analytics

28. 28
User Behavior Analytics

29. 29
User Behavior Analytics

30. 30
User Behavior Analytics

31. Q&A and Additional
SurfWatch Labs Resources
31
Get Additional Cyber Intel Resources:
•SurfWatch Cyber Risk Report:
http://info.surfwatchlabs.com/Sample-Cyber-Risk-Report
•Big Data, Big Mess Whitepaper:
http://info.surfwatchlabs.com/big-data-security-analytics
Learn About SurfWatch Solutions:
•SurfWatch Product Review:
www.scmagazine.com/surfwatch-c-suite/review/4324/
•Schedule a Personal SurfWatch Demo:
info.surfwatchlabs.com/request-demo

32. Thank You!
www.surfwatchlabs.com
Follow us at: