Rich Campagna, VP Products, Bitglass (@richcampagna)
Nat Kausik, CEO, Bitglass (@bnkausik)
Breach Stats
*California AG Breach Report 2014

The Reality - Breaches Happen
205: Average # of days before detection
69%: Victims notified by external sources
*Source: Mandiant/FireEye

“Two kinds of companies, those that were hacked and those that don’t yet know it”
- John Chambers, CEO, Cisco
Types of Breaches
Nuisance Breach - Opportunistic hack on vulnerable end-points
Untargeted Breach - Opportunistic hack on vulnerable enterprises
Targeted Breach - Custom hack on specific enterprise
Nuisance Breach
Target: Vulnerable end-point
Weapon: Malware
Gain: Ad inserts, host control, ...
Tools: Anti-X
Effectiveness of Defense: Good
Untargeted Breach
Target: Vulnerable enterprises
Weapon: Malware
Gain: Credit card numbers, etc.
Tools: Anti-X, NGFW, APT protection
Effectiveness of Defense: Limited
Untargeted Breach (JPMorgan example)
1. 3rd party website “Company Fun Run”
2. Employees register with company creds
3. Hack 3rd party site to steal creds
4. Log into JPM
5. Exfiltrate data over months
6. 3rd party website hires security guru, notifies JPMorgan
Targeted Breach
Target: Specific enterprises
Weapon: Many
Gain: Geo-political advantage?
Tools: ???
Effectiveness of Defense: ???
Targeted Breach (Premera/Anthem example)
1. May 2014: Spoofed sites prennera.com, we11point.com
2. Spear phishing emails
3. Employees login with corporate creds
4. Corporate creds
5. Log into Premera, Anthem
6. Query & steal 11M identities
Jan/Feb 2015: IT discovers breach
Think Like a Hacker

Anatomy of a Data Breach
1. Bait - Social Engineering, Phishing, Bribery, Etc.
2. Infect - Exploit vulnerability
3. Arm - Install additional malware (C&C)
4. Explore - Internal replication / lateral movement (C&C)
5. Exfiltrate - Acquire & exfiltrate sensitive data (C&C, Data)

Diagram labels: Traditional prevention technologies; Breach discovery solutions
Outflow indicators: Spoofed Domains, New Domains, ...; Malware Hosts, C&C, ...; ToR, Anonymous Proxies, File shares, ...
Bitglass Breach Discovery

Breach Discovery - How it Works
1. Upload Firewall or Proxy logs
2. Big Data Analysis of Outflows (Bitglass Breach Discovery)
3. Ranked alerts on high-risk outflows
- ShadowIT Risks
- Drill-down investigation
- No software
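As an added illustration of the outbound-flow analysis the three steps above describe (this is not Bitglass code), the script below parses constructed proxy log lines, aggregates bytes per source/destination pair, scores each destination against indicator categories (Tor nodes, malware hosts, anonymous proxies, file shares, never-seen domains, high volume) and returns ranked alerts. The log format, the indicator sets, the weights and the volume threshold are all assumptions.

```python
import re

# Constructed proxy log lines (format assumed: ts src bytes_out method dst); not real data.
PROXY_LOGS = """\
1425000001 10.0.0.5 512 GET www.example-corp.com
1425000002 10.0.0.5 2048000 POST 198.51.100.7
1425000003 10.0.0.9 900000 PUT files.example-share.net
1425000004 10.0.0.5 1024 GET bkrtx.example
1425000005 10.0.0.12 3072 GET we11point.example
1425000006 10.0.0.12 128000 POST 203.0.113.20
1425000007 10.0.0.5 2048000 POST 198.51.100.7
"""

# Assumed indicator sets and weights; a deployment would draw these from curated feeds.
INDICATORS = [
    ({"198.51.100.7"}, 50, "tor-node"),
    ({"bkrtx.example"}, 40, "malware-host"),
    ({"203.0.113.20"}, 30, "anonymous-proxy"),
    ({"files.example-share.net"}, 20, "file-share"),
]
KNOWN_DOMAINS = {"www.example-corp.com"}  # assumed baseline of previously seen destinations
HIGH_VOLUME = 1_000_000                   # assumed bytes-out threshold per (src, dst) pair
LINE_RE = re.compile(r"^(\d+) (\S+) (\d+) (\S+) (\S+)$")

def parse(logs):
    """Yield (src, dst, bytes_out) from each well-formed log line; skip anything else."""
    for line in logs.splitlines():
        if m := LINE_RE.match(line):
            yield m.group(2), m.group(5), int(m.group(3))

def score_outflow(dst, bytes_out):
    """Return (score, reasons): indicator hits, then unseen destination, then volume."""
    score, reasons = 0, []
    for hosts, weight, label in INDICATORS:
        if dst in hosts:
            score, reasons = score + weight, reasons + [label]
    if not reasons and dst not in KNOWN_DOMAINS:
        score, reasons = score + 10, ["new-domain"]
    if bytes_out >= HIGH_VOLUME:
        score, reasons = score + 25, reasons + ["high-volume"]
    return score, reasons

def rank_outflows(logs):
    """Aggregate bytes per (src, dst) pair and return alerts ordered by descending score."""
    totals = {}
    for src, dst, n in parse(logs):
        totals[(src, dst)] = totals.get((src, dst), 0) + n
    scored = [(src, dst, n, *score_outflow(dst, n)) for (src, dst), n in totals.items()]
    alerts = [{"src": s, "dst": d, "bytes": n, "score": sc, "reasons": r} for s, d, n, sc, r in scored if sc]
    return sorted(alerts, key=lambda a: (-a["score"], -a["bytes"]))
```

Aggregating before scoring is what surfaces the repeated 2 MB posts to the Tor node as one high-volume flow, while the baseline destination produces no alert at all.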
Bitglass Risk Intelligence

Customer Example: Transportation company
25,000 Employees
2M log lines per day
Findings:
- Data exfiltration to ~200 TOR nodes
- 4 high-risk, high-volume Shadow IT apps
Case study at bitglass.com/resources
© 2015 Bitglass – Confidential: Do Not Distribute
Customer Example: Big Pharma
20,000 Employees
2M log lines per day
Findings:
- Several nodes infected with malware
- New domain contact, phishing attack likely
Case study at bitglass.com/resources
Customer Example: Fed Agency
2,000 Employees
1GB logs per day
Findings:
- Contact with malware hosts
- Command & control traffic
- Contact with Dark Web
- Bkrtx browser hijack outflows
Discovery vs Prevention
Prevention-focused tools: Prevention tools increasingly ineffective against targeted and persistent attacks
Bitglass Breach Discovery: Outbound Data Flow Analysis catches breaches early
Prevention-focused tools: Existing and emerging anomaly detection technologies throw too many alerts to be useful
Bitglass Breach Discovery: Prioritized alerts via cloud-powered big data analytics with proprietary ranking
Prevention-focused tools: SIEM requires curation of risk intelligence feeds and ongoing manual interpretation by SMEs
Bitglass Breach Discovery: Rapid Deployment - Simply upload logs, nothing to install
“Determined attackers can get malware into organizations at will.”
- Neil MacDonald/Peter Firstbrook, Gartner

Bitglass Breach Discovery - Limit the Damage