Detect Active Cyber-Attacks in Real Time - PowerPoint PPT Presentation

Loading...

PPT – Detect Active Cyber-Attacks in Real Time PowerPoint presentation | free to download - id: 822bfb-Y2Q4O



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Detect Active Cyber-Attacks in Real Time

Description:

Bad guys are lurking in your network neighborhood, kicking doors and testing entry points, all the time. Threatscape 2015 is evolving rapidly, but your resources and staff may not be enough to meet these challenges. Most IT security heads and admins are so busy managing operations and ensuring the company’s ongoing security efforts that “detection deficit” sets in and they miss key indicators that their network has been compromised. Learn about: • Rogue process detection • Evidence of persistence • Suspicious traffic • Unknown processes • Unusual OS artifacts – PowerPoint PPT presentation

Number of Views:17

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Detect Active Cyber-Attacks in Real Time


1
Detect Active Cyber-Attacks in Real Time Protect
your Network
2
Threatscape 2015
Big problem
Expensive
Detection Deficit
Insider? Outsider?
3
EventTracker Threatscape 2015 New Cyber Security
reality for the under-staffed enterprise
  • Assume that a successful/damaging cyber attack on
    your infrastructure has already occurred.
  • 200 days on average before detection
  • 100 of larger orgs are attacked every day, 1 in
    5 SMEs are targeted each year
  • 76 of all intrusions involve compromised
    credentials
  • Bad traffic is now encrypted, which thwarts
    network packet inspection IDS/IPS
  • Evidence of intrusions gets buried within
    millions of other artifacts
  • Prevention - Firewalls, AV, AD/NAC, IDS/IPS is
    not enough.
  • 100 of breached orgs already had these in place.

4
DFIR in EventTracker v8 Addressing the Detection
Deficit
  • Perform automated DFIR on Windows workstations
    and servers
  • Move endpoint digital forensics to daily SOP for
    early detection of
  • Rogue Processes
  • Unknown Services Running
  • Unusual OS artifacts
  • Evidence of Persistence
  • Suspicious Network Activity

5
Solution to the problem 90 automation / 10
investigation
  • Implement the post-mortem forensics and analysis
    as real time SOP for earlier detection of
    threats.
  • deploy advanced, purpose-built threat sensors
  • threat intelligence feeds integrated and
    correlated to actual enemy contact in real time
  • behavior analysis/anomaly detection based on
    heuristics
  • application whitelisting
  • and most importantlyskilled people paying
    attention to the basics, 365 days a year
    especially server and workstation skills.

6
Market feedback
  • Security Gap
  • Compliance ? Security
  • Stakeholders personally affected by breaches
  • Compliance is a requirement
  • Help reduce cost
  • Skill shortage
  • Impacting ROI on SIEM projects
  • Machine learning, less rules tweaking

7
Existing defenses?
  • Anti Virus
  • Catches some malware based on signatures
  • Attackers are hip to its jive
  • IDS
  • Detects network borne attacks
  • Cant see the endpoint or out legitimate
    traffic
  • DLP
  • Can catch data movement to/from removable media
  • SIEM
  • See all logs but is everything logged?

8
How are they attacking?
  • Malware-based
  • Threat Establish Beachhead
  • Threat Lateral Movement
  • Threat Exfiltrate data
  • Compromised credentials-based
  • Threat Valid programs for invalid purpose
  • Threat Out-of-ordinary

9
Threat Establish beachhead
  • Malware lands on the endpoint
  • As e-mail attachment?
  • From infected USB?
  • Evades Anti Virus
  • Defense
  • Detect launch of every process
  • Compare hash against safe list (local and NSRL)
  • Alert if first-time-seen and not on safe list
  • Caveat Requires framework a watcher

10
Threat Lateral movement
  • Move from less to more valuable systems
  • From desktop to server/firewall
  • Defense
  • User behavior, location affinity
  • Trace files from endpoint (pre-fetch, default.rdp
    etc.)
  • Valid but unusual EXE presence (e.g. route.exe)
  • Caveat Requires framework machine learning

11
Threat Ex-filtrate data
  • Hides as normal traffic
  • Avoid detection by proxy, network monitor
  • Defense
  • Monitor network activity (esp north/south) for
    out of ordinary behavior
  • IDS is useful but cant say which process was
    responsible
  • Combination of unknown process connecting to low
    reputation outside address is a strong advantage

12
Endpoint Threat Detection Response
  • What is required to defend todays network?
  • A framework to collect endpoint data
  • Running processes, network connections, windows
    services, users, registry entries, more
  • A central repository which can receive, store and
    index the data
  • An expandable ruleset to baseline and analyze the
    data
  • And (wait for it...) an analyst to
    triage/review/escalate for remediation

13
Scenario
  • Win 7 desktop user is with marketing dept
  • Required to visit external websites regularly
  • Defenses
  • Up to date platform (win updates)
  • DHCP address
  • Next Gen firewall
  • Up to date, brand name Anti Virus
  • IDS with updated signatures scanning north/south

14
What was seen
  • New Windows service created
  • Persists on logoff or reboot
  • Invisible to the normal user
  • Connects to an external site
  • Avoids proxy detection by using IP address
  • Avoid blocking by using port 80
  • Trace back showed phishing e-mail, apparently
    from HR
  • About 14 hours later, anti-malware signatures
    updated and a deep scan suggested it was
    Blakamba
  • Three days later, Anti-Malware showed other files
    in temp folders with same signature

15
EventTracker Framework
  • Central Console
  • Data Collection
  • Indexing
  • Analysis
  • Storage
  • Sensor for Windows
  • MS Gold certified
  • Runs in user space
  • Tiny footprint
  • Options for IDS, Vulnerability Assess, Packet
    inspection

16
Diligent
17
SIEM Simplified Services to get expert help with
EventTracker software installed on premise or in
the cloud
Your IT Assets
  • We provide remote Managed Services
  • RUN Basic ET Admin Threat Feeds
  • WATCH Analytics/Remediation Recos
  • COMPLY Compliance Services
  • TUNE Advanced ET Tuning
  • ET VAS Vulnerability Assessment Service
  • ET IDS Managed SNORT signature updates

18
Gartner View of Cyber Security Market Maturity
19
Secure your Network
Your Challenge Growing attack frequency and
sophistication Your Need Cost effective threat
remediation. Scalable Smart
20
(No Transcript)
About PowerShow.com