Defining cybersecurity.
PREPARING FOR TOMORROW'S THREATS
28 September 2016
Andrew Facchini, Presales & Product Manager, +47 459 07 330, [email protected]
Certifications: Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV), Payment Application QSA (PA-QSA), Forensic Investigator (PFI), Level 1 Service Provider
WHO IS MNEMONIC?
• Founded in 2000
• 110+ security specialists
• Among Europe's largest incident response teams
• Over 14 years' R&D into Argus
• Advanced threat analytics, detection & response platform
• 3 billion events analysed daily in our global sensor network
• Advisory Group for Internet Security
• 24x7 Managed Security Services, Incident Response, Risk Services, Products & Support
CYBERSECURITY FACT
100% PREVENTION IS NOT POSSIBLE. DETERMINED ATTACKERS WILL ALWAYS GET THROUGH. ALWAYS.
STAGES OF DETECTING AND RESPONDING TO SECURITY INCIDENTS
Applies to all organisations, regardless of technology, industry, or the type & severity of the threat. The stages run from DETECTION to RESPONSE:

• Generate and collect alerts
  Received from: firewalls, web proxies, IDS/IPS, anti-virus, email gateway, SIEM + other security products
• Triage & validate alert
  Is it a duplicated alert? Eliminate obvious false positives. Does the alert warrant further investigation?
• Investigate & verify incident
  Analyse the alert. Is the source reputable? Are there any other indicators? Answer the question: does this pose a potential threat?
• Identify scope of incident
  Identify involved users, assets, services. Understand what you're dealing with. Put the incident in context of your organisation.
• Assess priority & response actions
  Evaluate how your business is affected. How should we handle it? Who needs to be contacted?
• Execute response actions
  Take corrective measures to recover, e.g. isolate devices from the network, revoke credentials, take the service offline.
DETECTION is technology driven; RESPONSE is human driven, technology assisted.
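The triage and investigation questions from the stages above, run over a handful of constructed alerts as an added example (this is not code from the deck or from mnemonic's Argus platform): a duplicate check, an obvious-false-positive filter, then a reputation and corroboration check to decide what warrants investigation. The alert field names, the benign-signature list and the blocklist are assumptions of the example.

```python
from collections import Counter

# Constructed sample alerts in the shape the sources on the slide might emit
# (IDS/IPS, web proxy, anti-virus, firewall). Field names and values are made up.
ALERTS = [
    {"id": 1, "source": "ids", "sig": "C2 beacon pattern", "host": "ws-17", "dst": "203.0.113.9"},
    {"id": 2, "source": "ids", "sig": "C2 beacon pattern", "host": "ws-17", "dst": "203.0.113.9"},
    {"id": 3, "source": "proxy", "sig": "Blocked category: gambling", "host": "ws-02", "dst": "198.51.100.4"},
    {"id": 4, "source": "av", "sig": "EICAR-Test-File", "host": "ws-05", "dst": ""},
    {"id": 5, "source": "firewall", "sig": "Outbound to blocklisted IP", "host": "ws-17", "dst": "203.0.113.9"},
    {"id": 6, "source": "ids", "sig": "Possible port scan", "host": "ws-09", "dst": "192.0.2.77"},
]

# Constructed tuning lists: signatures already judged benign by the team, and
# destinations flagged by threat intelligence (used for "is the source reputable?").
KNOWN_BENIGN = {"EICAR-Test-File", "Blocked category: gambling"}
BLOCKLISTED = {"203.0.113.9"}


def triage(alerts):
    """Return {alert id: decision} following the slide's triage and investigation questions."""
    seen, decisions, candidates = set(), {}, []
    for a in alerts:
        key = (a["source"], a["sig"], a["host"], a["dst"])
        if key in seen:                           # Is it a duplicated alert?
            decisions[a["id"]] = "drop: duplicate"
        elif a["sig"] in KNOWN_BENIGN:            # Eliminate obvious false positives
            decisions[a["id"]] = "drop: known benign"
        else:
            seen.add(key)
            candidates.append(a)
    # Are there any other indicators? Count surviving alerts per host/destination pair.
    corroboration = Counter((a["host"], a["dst"]) for a in candidates)
    for a in candidates:
        reasons = []
        if a["dst"] in BLOCKLISTED:               # Is the source reputable?
            reasons.append("destination on blocklist")
        if corroboration[(a["host"], a["dst"])] > 1:
            reasons.append("corroborated by another source")
        if reasons:                               # Does this pose a potential threat?
            decisions[a["id"]] = "investigate: " + ", ".join(reasons)
        else:
            decisions[a["id"]] = "close: single uncorroborated alert"
    return decisions


if __name__ == "__main__":
    for alert_id, decision in sorted(triage(ALERTS).items()):
        print(alert_id, decision)
```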
Alerts can be overwhelming
• 66% of security staff's time is wasted because of faulty intelligence
• 19% of alerts are considered reliable
• 4% of alerts are investigated
Sources [1] [2] [3]: The Cost of Malware Containment, Ponemon Institute, January 2015
A day in the life of Company X
An "ordinary" organisation with 2000 employees and standard security controls:
• 403 602 security alerts
• 82 manually assessed incidents
• 1.8 confirmed security incidents
Manual analysis of a new suspected incident every 5.5 working minutes.
Security incident examples: malware infection, suspicious user behaviour, detected intrusion, targeted attack, denial of service, data leakage, ++
EXPECT EACH USER IN YOUR COMPANY TO GENERATE 0.2 to 0.3 CONFIRMED SECURITY INCIDENTS PER YEAR
EXPECT TO MANUALLY ANALYSE 45 to 60 INCIDENTS FOR EVERY CONFIRMED INCIDENT

ON AN ANNUAL BASIS
USERS                  100     500    1000    3000    5000
CONFIRMED INCIDENTS     25     125     250     750   1 250
MANUALLY ANALYSED    1 312   6 562  13 125  39 375  65 625
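The per-user model behind the table, as an added example (not mnemonic's own calculation; only the rates come from the slides): it reproduces the table from the 0.2 to 0.3 and 45 to 60 ranges, gives the low and high bounds the midpoints hide, and checks whether the Company X daily figures (2000 users, 82 analysed, 1.8 confirmed per day) fit the same model. The 250 working days per year is an assumption of the example.

```python
# Per-user rates from the slides; the working-day count is an assumption of this example.
CONFIRMED_PER_USER_PER_YEAR = (0.2, 0.3)   # confirmed incidents each user generates per year
ANALYSED_PER_CONFIRMED = (45, 60)          # manually analysed incidents per confirmed incident
WORKING_DAYS_PER_YEAR = 250                # assumption, not stated on the slides


def annual_workload(users, confirmed_rate=0.25, analysed_ratio=52.5):
    """Confirmed and manually analysed incidents per year for a given user count.

    The midpoint defaults reproduce the slide's table. Results are truncated to
    whole incidents the way the table shows them (1 312 for 100 users).
    """
    confirmed = users * confirmed_rate
    analysed = confirmed * analysed_ratio
    # Round away float noise (e.g. 29.999999999999996) before truncating.
    return int(round(confirmed, 6)), int(round(analysed, 6))


def workload_range(users):
    """Low and high bounds for the same figures using the slide's full ranges."""
    lo = annual_workload(users, CONFIRMED_PER_USER_PER_YEAR[0], ANALYSED_PER_CONFIRMED[0])
    hi = annual_workload(users, CONFIRMED_PER_USER_PER_YEAR[1], ANALYSED_PER_CONFIRMED[1])
    return lo, hi


def implied_rates(users, analysed_per_day, confirmed_per_day, working_days=WORKING_DAYS_PER_YEAR):
    """Back out the per-user annual rate and the analysed:confirmed ratio from daily
    figures, so a "day in the life" slide can be compared with the annual model."""
    per_user_per_year = confirmed_per_day * working_days / users
    analysed_ratio = analysed_per_day / confirmed_per_day
    return per_user_per_year, analysed_ratio


def in_slide_ranges(users, analysed_per_day, confirmed_per_day):
    """True when the daily figures are consistent with the slide's per-user ranges."""
    rate, ratio = implied_rates(users, analysed_per_day, confirmed_per_day)
    return (CONFIRMED_PER_USER_PER_YEAR[0] <= rate <= CONFIRMED_PER_USER_PER_YEAR[1]
            and ANALYSED_PER_CONFIRMED[0] <= ratio <= ANALYSED_PER_CONFIRMED[1])


if __name__ == "__main__":
    for n in (100, 500, 1000, 3000, 5000):
        print(n, "users:", annual_workload(n), "range:", workload_range(n))
    print("Company X consistent with the model:", in_slide_ranges(2000, 82, 1.8))
```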
MNEMONIC MANAGED DETECTION AND RESPONSE, AVAILABLE ON DEMAND
• Receive reliable, accurate alerts
• Respond faster with actionable intelligence
• Concentrate your security resources on the real threats
• Gain insight and confidently report on security
CONTEXT IN ACTION
The importance of context: 97% alert accuracy from mnemonic, versus 19% of alerts considered reliable.
Market Guide for Managed Detection and Response Services
Download the report free at www.mnemonic.no/Gartner. mnemonic is the only European vendor featured in the report.
Predictions for 2020: 15% of midsize & enterprise organisations will be using MDR services, up from 1% today; 50% of MSSPs will offer MDR-type services.
Preparing for the future: collaboration between academia, government and enterprise is key

Research collaborations
• OSLO ANALYTICS: developing new analytical methods to gain a deep situational awareness of security incidents. Participants: University of Oslo (UiO), mnemonic, The US Army Research Labs, The Norwegian National Security Authority (NSM), The Norwegian Defence Intelligence College, Norwegian Computing Center (NR), Technische Universität Darmstadt
• ARS FORENSICA: global research effort to improve the investigation and prosecution of cybercrime. Participants: Center for Cyber and Information Security (CCIS), mnemonic, Europol Cybercrime Center (EC3), United Nations, The Netherlands Forensic Institute (NFI), The Norwegian National Police Directorate (POD), The Norwegian National Criminal Investigation Service (Kripos), The Norwegian Police University College, Økokrim, The Oslo Police District, The Norwegian Ministry of Justice and Public Security

• Dedicate 10% of our resources to research
• Contribute to the security community. Examples: FIRST, Europol Cybercrime Centre (EC3), Center for Cyber & Information Security (CCIS), open source contributions
• Share threat intelligence
• Academic involvement: 2 post doctorates, 1 PhD, 1.5 university professorships, 3 masters thesis mentors
semi-Automated Cyber Threat intelligence (ACT)
mnemonic-led, 3-year collaborative research project to solve the challenges in receiving, storing, and sharing threat data.
Goals include:
• Develop new algorithms for automated analysis to detect more attacks with more precise results
• Develop new algorithms to identify threat actors and attack campaigns
• Automated exchange of analysis results between private and public industry
Partners
The resulting platform will be open-sourced. Want to contribute? Contact us!
OPEN TOOLS & SERVICES
• PassiveDNS.mnemonic.no: investigate the historical relationship between domains and IP addresses
• URLQuery.net: automatically scan public webpages
• SecureDNS: intercept and block users from known malicious pages. Takes minutes to set up.
CONTACT ME
Andrew Facchini, [email protected], +47 459 07 330, @andrewfacchini
READ: Market Guide for Managed Detection and Response Services, www.mnemonic.no/Gartner
LEARN MORE: mnemonic Security Seminar in Stockholm, October 25th. Follow us for all the details: mnemonic-as, mnemonic.no
THANK YOU!