© Vectra Networks | www.vectranetworks.com
Weapons in Your Security Assessment Arsenal
Jared Hufferd, Security Evangelist, Vectra Networks
Professional Techniques – T13
11/9/2015
CRISC · CGEIT · CISM · CISA 2013 Fall Conference – “Sail to Success”
ADDING TO THE STACK
Security Assessment Stack – What Could Happen
Penetration Testing
Vulnerability Assessment
Network Assessment
Add Real-time Breach Assessment – What IS Happening
Breach Assessment
Penetration Testing
Vulnerability Assessment
Network Assessment
Real-time Breach Assessment Components – What IS Happening
(stack, read from the bottom up, in processing order)
• Baseline Common Behaviors
• Algorithmic Behavior Analysis
• Correlate Behaviors to Host
• Score & Report
WHY THIS NEW ADDITION TO THE ASSESSMENT STACK?
Cyber Attacks Follow the Same Blueprint
2000
• Breaches are relatively simple (SQL Injection)
• Security: focus on preventing exploits
2007
• TJX Breach – systemic, massive financial impact
• Security: more prevention, cleanup and forensics
2013
• Breaches become a regular occurrence
• Security: evolving to a proactive daily effort to find active breaches
They all had the latest prevention
Security investment has traditionally been in two areas
[Chart: Security Investment & Effort (Low to High) across the Prevention Phase and the Clean-up Phase]
Prevention Phase – Perimeter security looks for exploits and malware
• Firewalls
• IPS
• Malware Sandboxes
Clean-up Phase – SIEM analysis and incident response reconstructs the active phase after the breach
The active phase is the gaping hole in enterprise security
[Chart: Security Investment & Effort (Low to High) across the Prevention Phase, the Active Phase and the Clean-up Phase, with the Active Phase as the gap between the two funded phases]
Prevention Phase – Perimeter security looks for exploits and malware
• Firewalls
• IPS
• Malware Sandboxes
Active Phase – 205 days average; assets found in the wild
Clean-up Phase – SIEM analysis and incident response reconstructs the active phase after the breach
“Enterprises are overly dependent on blocking and prevention mechanisms that are decreasingly effective against advanced attacks.”1
1 Designing an Adaptive Security Architecture for Protection from Advanced Attacks, 12 February 2014, ID G00259490
A closer look at the phases of modern cyber attacks
[Diagram: phases of a modern cyber attack]
• Initial Infection
• Command & Control – Standard C&C, Custom C&C, Custom C&C & RAT
• Internal Recon
• Lateral Movement
• Acquire Data
• Exfiltrate Data
• Botnet Monetization
Detects all phases of a cyber attack in progress
[Diagram: the same attack phases as on the previous slide, each marked as detected]
Alignment to existing security solutions
[Diagram: the attack phases above overlaid with existing security solutions – Payload Analysis, Forensics, and Security Information Event Management (Event & Log Management)]
Automatically detect breaches in real time
[Diagram: five pillars – Automation, Continuous Monitoring, Real-time Detection, Immunize the Herd, Prioritized Contextual Results]
• All packets; N-S, E-W traffic; any OS, app, device
• Meta data to cloud; centralized learning
• No required rules; behavioral; machine learning
• Correlated over time; prioritized by risk; correlated by host; insight into attack
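The four components of the breach-assessment stack (baseline common behaviors, algorithmic behavior analysis, correlate behaviors to host, score & report) and the properties listed on this slide (behavioral, no required rules, correlated by host, prioritized by risk) in working code. This is an added example written for this page in Python, not Vectra's code: the flow records, the 10.0.0.0/8 internal range, the three-sigma-with-floor threshold and the severity weights are all assumptions made for the illustration.

```python
"""Added example (not Vectra's code): a toy real-time breach-assessment
pipeline following the four components on the slide: baseline common
behaviors, algorithmic behavior analysis, correlate behaviors to host,
score & report. Flow records, address ranges, thresholds and severity
weights are all constructed/assumed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed enterprise address space


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def make_flows():
    """Constructed flow log: (day, src, dst, dst_port, bytes_out).
    Three internal hosts observed for four days; 10.0.1.20 is compromised on
    day 4 and performs internal recon (E-W) followed by exfiltration (N-S)."""
    flows = []
    for day in range(1, 5):
        # 10.0.1.10: workstation, two file shares plus modest web traffic
        for dst in ("10.0.9.5", "10.0.9.6"):
            flows.append((day, "10.0.1.10", dst, 445, 50_000))
        flows.append((day, "10.0.1.10", "198.51.100.10", 443, 800_000))
        # 10.0.9.5: file server that talks to 40 clients every day (high but normal)
        for i in range(1, 41):
            flows.append((day, "10.0.9.5", f"10.0.1.{i}", 445, 20_000))
        # 10.0.1.20: workstation with a quiet three-day baseline
        flows.append((day, "10.0.1.20", "10.0.9.5", 445, 40_000))
        flows.append((day, "10.0.1.20", "198.51.100.10", 443, 500_000))
    # day 4: SMB sweep of 40 new internal hosts, then 250 MB to an external server
    for i in range(2, 42):
        flows.append((4, "10.0.1.20", f"10.0.2.{i}", 445, 500))
    flows.append((4, "10.0.1.20", "203.0.113.7", 443, 250_000_000))
    return flows


def daily_features(flows):
    """Per (host, day): distinct internal destinations and bytes sent externally."""
    raw = defaultdict(lambda: {"internal_dsts": set(), "ext_bytes": 0})
    for day, src, dst, _port, nbytes in flows:
        if is_internal(dst):
            raw[(src, day)]["internal_dsts"].add(dst)
        else:
            raw[(src, day)]["ext_bytes"] += nbytes
    return {key: {"internal_dsts": len(v["internal_dsts"]), "ext_bytes": v["ext_bytes"]}
            for key, v in raw.items()}


def baseline_threshold(feats, host, feature, day):
    """Baseline common behavior: learn from this host's own history before `day`.
    Threshold is 3 sigma above the mean with an assumed floor, so a zero-variance
    baseline still requires a real jump before alerting."""
    history = [v[feature] for (h, d), v in feats.items() if h == host and d < day]
    if len(history) < 2:
        return None  # not enough history to judge
    mu, sigma = mean(history), pstdev(history)
    return max(mu + 3 * sigma, 2 * mu + 5)


# detector name -> (feature it watches, assumed severity weight)
DETECTORS = {
    "internal_recon": ("internal_dsts", 3),
    "data_exfiltration": ("ext_bytes", 5),
}


def detect(flows, day):
    """Algorithmic behavior analysis: flag hosts whose behavior on `day`
    departs from their own baseline; no static rules or signatures."""
    feats = daily_features(flows)
    detections = []
    for host in sorted({h for (h, d) in feats if d == day}):
        for name, (feature, severity) in DETECTORS.items():
            threshold = baseline_threshold(feats, host, feature, day)
            observed = feats[(host, day)][feature]
            if threshold is not None and observed > threshold:
                detections.append({"host": host, "detection": name, "severity": severity,
                                   "observed": observed, "threshold": round(threshold, 1)})
    return detections


def score_hosts(detections):
    """Correlate behaviors to host and score: a host showing several distinct
    attack phases ranks above a host with a single anomaly."""
    by_host = defaultdict(list)
    for det in detections:
        by_host[det["host"]].append(det)
    report = []
    for host, dets in by_host.items():
        phases = sorted({d["detection"] for d in dets})
        score = sum(d["severity"] for d in dets) * len(phases)
        report.append({"host": host, "score": score, "phases": phases})
    return sorted(report, key=lambda r: -r["score"])


if __name__ == "__main__":
    for entry in score_hosts(detect(make_flows(), day=4)):
        print(entry)
```

Run for day 4 the report contains only 10.0.1.20, with both internal_recon and data_exfiltration; the file server that contacts 40 clients every day is not flagged because the baseline is per host, and day 3 produces no detections at all. The threshold floor matters: a host whose history is constant has zero variance, and without the floor any change at all would alert.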
Full cyber security visibility – Watch all critical traffic
Sensor
• Deployed at access switch/router
• Sees N-S traffic
• Sees E-W traffic within the switch
• Malware spreading, privilege escalation, data theft
Brain
• Deployed at core switch
• Sees N-S traffic
• Sees E-W traffic that crosses a switch
• Malware spreading, privilege escalation, data theft
Perimeter devices have N-S visibility only
[Diagram: Internet – Core Switch – Access Switch, with Data Center and Remote Site]
BEHAVIOR DETECTION TYPES
The Good, The Bad, The Ugly & The Ugliest Behaviors
The Good – Legitimate applications run by an authorized user/host; behavior that acts like an infected host
• C&C – WebEx, GoToMyPC
• Scans/Scanners – Nessus, Qualys, VOIP PBX
• Exfiltration – Box.com, AWS
The Bad – Legitimate applications with misconfigurations
• Brute force – Print server changed settings
• Scans/Scanners – Asynchronous traffic
The Ugly – Legitimate applications run by an unauthorized user/host; behavior that acts like an infected host
• C&C – WebEx, GoToMyPC, Canvas, CoreImpact
• Scans/Scanners – Nessus, NMAP
• Exfiltration – Box.com, AWS
The Ugliest
• Botnets
  • Pirate cloud – uses resources
  • Spam – hurts reputation
  • Password capture – See Fazio/Target
• Targeted Attacks
  • Stealing IP/CC/PII
  • Damage – Corruption
  • See SONY
[Diagram labels, one per category in that order: Whitelist; Noise – Help Desk; What Could Happen; What is Happening]
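The point of this slide is that the detection alone does not decide the bucket: who runs the tool, from which host, and whether the sensor actually sees both directions of the traffic do. The following added example (written for this page in Python, not Vectra's code) triages detections against an allowlist keyed on behavior, application, source network and user, so the same Nessus scan is Good from the scanner subnet and Ugly from a user workstation. The allowlist entries, hosts, users and the replies_seen check used to spot asynchronous traffic are assumptions made for the illustration.

```python
"""Added example (not Vectra's code): allowlist-aware triage that sorts a
detection into the slide's Good / Bad / Ugly / Ugliest buckets. The same
behavior (a scan, a C&C-like session, a bulk upload) is benign or hostile
depending on who runs it and from where, so the allowlist is keyed on
behavior + application + source network + user. Allowlist entries, hosts
and users are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Detection:
    host: str
    user: str
    behavior: str              # "c2", "scan", "exfil", ...
    app: str                   # recognized legitimate tool ("nessus", "webex", "box.com") or "" if none
    replies_seen: bool = True  # did the sensor see both directions of the flows?


# Assumed allowlist: (behavior, app, authorized source networks, authorized users)
ALLOWLIST = [
    ("scan", "nessus", ["10.0.5.0/24"], {"svc-vulnscan"}),   # the vulnerability-assessment scanner
    ("c2", "webex", ["10.0.0.0/8"], {"*"}),                  # any internal user may run WebEx
    ("exfil", "box.com", ["10.0.3.0/24"], {"svc-backup"}),   # sanctioned backup job
]


def is_authorized(det: Detection) -> bool:
    """True only when behavior, app, source network AND user all match an entry."""
    for behavior, app, nets, users in ALLOWLIST:
        if det.behavior != behavior or det.app != app:
            continue
        in_net = any(ip_address(det.host) in ip_network(net) for net in nets)
        if in_net and ("*" in users or det.user in users):
            return True
    return False


def triage(det: Detection) -> str:
    """Map one detection to a bucket from the slide."""
    if det.behavior == "scan" and not det.replies_seen:
        # one-sided traffic: the sensor may be missing a direction (asymmetric
        # routing / SPAN misconfiguration); fix visibility before tuning detectors
        return "bad"
    if det.app and is_authorized(det):
        return "good"      # legitimate app, authorized user/host: whitelist it
    if det.app:
        return "ugly"      # legitimate app, unauthorized user/host
    return "ugliest"       # no recognized legitimate tool: treat as an active attack


RANK = {"ugliest": 0, "ugly": 1, "bad": 2, "good": 3}


def analyst_queue(detections):
    """Prioritized queue, worst first; 'good' detections are suppressed from the queue."""
    queue = [(triage(d), d) for d in detections]
    queue = [(bucket, d) for bucket, d in queue if bucket != "good"]
    queue.sort(key=lambda item: RANK[item[0]])
    return queue


# Constructed detections for a demonstration run
SAMPLE = [
    Detection("10.0.5.10", "svc-vulnscan", "scan", "nessus"),
    Detection("10.0.1.20", "jsmith", "scan", "nessus"),
    Detection("10.0.1.20", "jsmith", "c2", "webex"),
    Detection("10.0.1.20", "jsmith", "c2", ""),
    Detection("10.0.2.50", "svc-print", "scan", "", replies_seen=False),
    Detection("10.0.3.3", "svc-backup", "exfil", "box.com"),
]

if __name__ == "__main__":
    for bucket, det in analyst_queue(SAMPLE):
        print(f"{bucket:8s} {det.behavior:6s} {det.app or '-':8s} {det.host} {det.user}")
```

On the sample, the scanner's own Nessus run and the backup job's Box.com upload are whitelisted, the Nessus scan from jsmith's workstation lands in Ugly, the unrecognized C&C session from the same host goes to the top of the queue as Ugliest, and the one-sided scan from the print-server subnet is filed as Bad so someone checks the tap or SPAN session rather than tuning the detector.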
VECTRA
Sample Vectra customers and vertical industries
[Pie chart: customers by vertical – Education 8%, Energy 4%, Entertainment 6%, Finance 16%, Legal 6%, Health 12%, S&L Gov't 6%, Media 6%, Technology 19%, Other 17%]
The team
Mission: Automatically detect ongoing cyber attacks in real time
Leadership
• Hitesh Sheth – President & CEO (Aruba, Juniper, Cisco)
• Oliver Tavakoli – CTO (Juniper, Funk)
• Alain Mayer – VP Product Mgmt (Cyphort, Redseal)
• Jason Kehl – VP Engineering (Juniper, Cisco, Ironport)
• Mike Banic – VP Marketing (HP, Juniper, Peribit)
• Rick Geehan – VP Americas Sales (Riverbed)
• Gerard Bauer – VP EMEA Sales (Riverbed)
[Logos: Customers, Investors, Industry Recognition]
LIVE DETECTION REVIEW