Ahead of RSA – Threat Detection Algorithms: Make Big Data into Better Data
April 29, 2016
David Monahan, Research Director, Enterprise Management Associates (EMA)
Wade Williamson, Director of Product Marketing, Vectra Networks
Today’s Presenters
Slide 2 © 2016 Enterprise Management Associates, Inc.
David Monahan – Research Director, Risk and Security
David is a senior information security executive with several years of experience. He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs), for organizations ranging from Fortune 100 companies to local government and small public and private companies.
Wade Williamson – Director of Product Marketing, Vectra Networks
Wade has extensive industry experience in intrusion prevention, malware analysis, and secure mobility, and has spoken at a variety of industry conferences, including the keynote address at the EICAR malware conference, and led the Malware Researcher Peer Discussion at RSA. Prior to joining Vectra, he was Sr. Security Analyst at Palo Alto Networks, where he led the monthly Threat Review Series and authored the Modern Malware Review.
Logistics for Today’s Webinar
Slide 3
Event recording
• An archived version of the event recording will be available at www.enterprisemanagement.com
Questions
• Log questions in the Q&A panel located in the lower right corner of your screen
• Questions will be addressed during the Q&A session of the event
Event presentation
• A PDF of the PowerPoint presentation will be emailed to you as part of the follow-up email.
Security Challenges
Slide 4
• Lack of Visibility
• Attack Complexity
• Patient Attackers
• Persistent Attack
• Protecting Information
© Vectra Networks | www.vectranetworks.com
About Vectra Networks
Slide 5
Mission: Automatically detect ongoing cyber attacks in real time
Leadership
• Hitesh Sheth, President & CEO
• Oliver Tavakoli, CTO
• Alain Mayer, VP Product Mgmt
• Jason Kehl, VP Engineering
• Mike Banic, VP Marketing
• Rick Geehan, VP Sales, N. Amer.
• Gerard Bauer, VP EMEA
Investors (logos)
Industry Recognition (logos)
Customers by industry (chart values as extracted): Education 8%, Energy 4%, Entertainment 6%, Finance 18%, Legal 6%, Health 12%, S&L Govt 6%, Media 6%, Technology 19%, Other 17%
Detecting Threats Across the Kill Chain
Slide 6
The Cybersecurity Gap
Slide 7
Prevention Phase: Firewalls, IPS, Proxies, Sandboxes
Active Phase (the Cybersecurity Gap): Initial Infection → Internal Recon, Lateral Movement, External Remote Access, Exfiltrate Data, Command & Control, Botnet Fraud → Key assets found in the wild
Clean-up Phase: SIEM analysis, Forensic consultants
205 days: attackers had free rein in breached networks [1]
(Figure: relative cost of each phase shown as $ to $$$$.)
Addressing the Cybersecurity Gap
Slide 8
Prevention Phase: Firewalls, IPS, Proxies, Sandboxes
Active Phase: Vectra Networks – real-time, automated detection of all phases of active cyber attacks
• Analyzes all traffic and detects all phases of attack
• Applies data science to original traffic to find hidden threats
• Automates time-consuming, expensive analysis in real time
• Learns and shares fundamental attack behaviors across systems
Clean-up Phase: SIEM analysis, Forensic consultants
(Figure: relative cost of each phase shown as $ to $$$$.)
Approaches to Security
Slide 9
• Focuses
  • Network
  • Endpoint
  • Users
  • Data
• Methodologies
  • Signature/Pattern
  • Policy/Rule
  • Data Science: Behavioral, Anomaly, Prediction
(Figure examples: Sandboxing; DPI/Netflows; Antivirus, HIDS, DLP)
Program Maturity...
Slide 10
66%: Strong to Very Strong Network Prevention Maturity
65%: Strong to Very Strong Network IR Maturity
71%: Strong to Very Strong Network Detection Maturity
Very Strong: At least 99% of the network segments have active prevention and are actively monitored and managed, AND the system generates very few, if any, false positives. The system prevents/detects (as applicable) 99% or greater of the network-based attacks.
Strong: At least 85% of the network segments have active prevention/detection (as applicable) and are actively monitored and managed, AND the system generates only a few false positives. The system prevents/detects (as applicable) 95% or greater of the network-based attacks.
Underdeveloped: Less than 75% of network segments have active prevention/detection (as applicable) and are not necessarily actively monitored and managed, OR the system generates an excessive number of false positives. The system prevents/detects (as applicable) no more than 90% of the network-based attacks.
Is Overrated and Underdeveloped
Slide 11
59%: Lack Analysis Capabilities
40%: Have Network Analysis tools
58%: Maintain Historical Data for Analysis
Decline of Baselines and Asset Prioritization
Slide 12
Decline in Monitoring High Value Assets
Slide 13
Decline in Security Confidence
Slide 14
Focus on what threats do, not what they are called
Trying to name all bad things only ensures that you are always behind
• Near-infinite supply of repackaged malware, IP addresses, and URLs
Vectra uses behavioral traffic analysis to expose the true purpose and effect of traffic
Malicious behaviors are similar across platforms
• Does it really matter if that port scanner is on a laptop or an iPhone?
Traditional DPI vs Behavioral DPI
Signatures:
• How the threat looks
• Find threats that you’ve seen before
• Snapshot in time
• No local context
• Short-lived, reactive intelligence
Data Science:
• What the threat does
• Find what all threats have in common
• Learning over time
• Local learning and context
• Long-lived, predictive intelligence
Extending behavioral analysis where it matters most
Slide 17
Signatures: Finds unique identifiers of known threats
Sandboxes: Detects infecting behavior based on short-term analysis in a virtual environment
Vectra:
✓ Detects behavior of all phases of attack
✓ Short-term and long-term analysis
✓ Real network environment, real traffic
✓ See threats in context of key assets
✓ Device and OS agnostic (Windows 8, Windows 10, Vista, Android Lollipop, KitKat, Jellybean, Ubuntu, Debian, CentOS, iOS 8, iOS 9, OS X Mavericks, Yosemite)
External remote access case study: GlassRAT
Undetected for over 3 years
• Discovered by RSA Security
• Used a cert of a valid software company in China
• No AV coverage initially
• Rare overlaps with C&C servers used in nation-state attacks
Source: https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf
External remote access case study: GlassRAT
Highly successful at avoiding signatures
Behavior still looked exactly like a RAT
• Similar to Netcat connected to a command shell over TCP
Data Science: Bigger Data Is Not Necessarily Better Data
Slide 20
• Storage is cheap, so data is rampant!
• Analysis is key
Machine Learning Not Magic
Slide 21
• Supervised
  • Uses large datasets specific to an environment or community
  • Outliers are ignored
  • Algorithms attempt to determine expected behaviors
  • Faster but needs direction
• Unsupervised
  • Uses large datasets specific to an environment or community
  • Identifies what is normal/acceptable and what is anomalous/abnormal with respect to the group
  • Outliers are considered bad (or at least anomalous and worth investigating)
  • Slower but does not require direction
Data science requires the right data
First-hand data is required
• Summaries will often lack the details needed to catch a threat
• Dependent on systems that missed the attack
Must have context
• Attacks take place over multiple hosts and over time
Must be in real-time
• Prevention of loss, not post-mortem forensics
(Figure: data source options plotted by Network Coverage against Data Quality and Speed: Network traffic, Endpoint agents, SIEM & logs, NetFlow)
An example of supervised machine learning
Recently observed malware using Gmail as an automated C&C
Synced encoded Python scripts using the Drafts folder
Signatures, reputation, and approved use policies all fail
It’s what it does, not what it is
Command and control via Gmail
• Trusted application, trusted URL, trusted IP, allowed behavior
• No email ever sent
Communication behavior still looks like traditional botnet pulling behavior
• Unique pattern of call and response
• Bot completes a task and asks for next instructions
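The call-and-response rhythm described above can be surfaced from ordinary proxy logs without knowing anything about the destination. The following is an added example, not Vectra's or EMA's code: it groups connections per (source, destination) pair and flags pairs whose inter-connection gaps are nearly constant. The log lines, host names, and the thresholds (five connections, 10% jitter) are constructed assumptions.

```python
"""Added example (not Vectra's or EMA's code): flag hosts that contact one
destination at near-constant intervals, the call-and-response rhythm of a
bot polling for its next task, even when the destination is a trusted
service such as a webmail provider."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines: "<epoch> <src_host> <dst_domain> <bytes_out> <bytes_in>"
# ws-07 polls every ~60 s (bot-like); ws-03 is a person reading mail now and then.
PROXY_LOG = """\
1000 ws-07 mail.example.com 512 2048
1060 ws-07 mail.example.com 510 2050
1121 ws-07 mail.example.com 514 2047
1180 ws-07 mail.example.com 511 2049
1241 ws-07 mail.example.com 513 2051
1300 ws-07 mail.example.com 512 2048
1004 ws-03 mail.example.com 900 30000
1590 ws-03 mail.example.com 700 12000
1602 ws-03 mail.example.com 1200 4500
2400 ws-03 mail.example.com 650 8800
"""

def find_beacons(log, min_conns=5, max_jitter=0.1):
    """Group connections by (src, dst) and report pairs whose gaps between
    connections vary by no more than max_jitter (coefficient of variation).
    Returns {(src, dst): period_seconds} for the regular pollers."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _bytes_out, _bytes_in = line.split()
        series[(src, dst)].append(int(ts))
    beacons = {}
    for key, times in series.items():
        if len(times) < min_conns:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if mean(gaps) == 0:
            continue  # all connections in the same second; no period to measure
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons[key] = round(mean(gaps))
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(PROXY_LOG).items():
        print(f"{src} polls {dst} every ~{period}s: investigate")
```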
Example of unsupervised machine learning in action
Vectra observes Kerberos traffic to learn the user accounts and services normally used on each device
Vectra detected admin account being used on several devices and accessing new hosts and services
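The Kerberos detection on this slide, as an added example that is not Vectra's code: a learning window of TGS requests gives, per account, the set of devices it authenticates from and the services it requests; afterwards an account that appears on several devices outside its baseline is reported together with the services it had never used. The records, host names, service principal names and the two-device threshold are constructed assumptions.

```python
"""Added example (not Vectra's code): learn which accounts normally
authenticate from each device via Kerberos, then flag an account that
shows up on several new devices and reaches services it never used."""
from collections import defaultdict

# Constructed Kerberos TGS-request records: (client_host, account, service)
BASELINE = [
    ("ws-01", "alice", "cifs/files01"), ("ws-01", "alice", "http/intranet"),
    ("ws-02", "bob", "cifs/files01"), ("ws-02", "bob", "http/intranet"),
    ("srv-db", "svc_backup", "cifs/files01"),
    ("admin-jump", "dadmin", "ldap/dc01"),
]

NEW_EVENTS = [
    ("ws-01", "alice", "cifs/files01"),       # normal for alice
    ("ws-01", "dadmin", "cifs/files01"),      # admin account on a user workstation
    ("ws-02", "dadmin", "host/ws-03"),        # admin on another device, new service
    ("srv-db", "dadmin", "mssqlsvc/srv-db"),  # admin on a third device, new service
]

def learn_baseline(records):
    """Per-account sets of devices and services seen during the learning window."""
    hosts, services = defaultdict(set), defaultdict(set)
    for host, account, service in records:
        hosts[account].add(host)
        services[account].add(service)
    return hosts, services

def score_events(events, baseline, min_new_hosts=2):
    """Return accounts whose new activity spans at least min_new_hosts devices
    absent from their baseline, with the unfamiliar services they reached."""
    known_hosts, known_services = baseline
    new_hosts, new_services = defaultdict(set), defaultdict(set)
    for host, account, service in events:
        if host not in known_hosts[account]:
            new_hosts[account].add(host)
        if service not in known_services[account]:
            new_services[account].add(service)
    return {
        acct: {"new_hosts": sorted(new_hosts[acct]),
               "new_services": sorted(new_services[acct])}
        for acct in new_hosts if len(new_hosts[acct]) >= min_new_hosts
    }

def run():
    return score_events(NEW_EVENTS, learn_baseline(BASELINE))
```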
Perspectives on Technology
Slide 26
Staffing Impacts
Slide 27
Automation of tasks, actions and/or analysis in detection
Slide 28
Importance (Network): Very Important 51%, Important 35%, Somewhat Important 13%, Somewhat Unimportant 0%, Not Important at All 1%
Automation of tasks, actions and/or analysis in IR
Slide 29
Importance (Network): Very Important 48%, Important 35%, Somewhat Important 15%, Somewhat Unimportant 1%, Not Important at All 1%
Rank of Automation for security functions/actions in terms of importance
Slide 30
Chart values (paired with labels in extracted order): Threat Intelligence Integration 2.37, Scalability 2.72, Price 3.00, Ease of Use 3.37, Security Tasks 3.39
Automation to address the skills shortage
Slide 31
Delivering security analysts in software
• Automatically does the investigative work of a dedicated team of security analysts
• Hours and days of manual work performed in real-time
Empowers the security organization
• Enables IT and security generalists to address advanced threats
• Reveals hidden problems that can lead to future attacks
Turning complexity against the attackers
Slide 32
(Figure: attack progression from Initial Infection, Opportunistic or Targeted, through Standard C&C, Custom C&C, or Custom C&C & RAT, to Internal Recon, Lateral Movement, Acquire Data, Exfiltrate Data, and Botnet Monetization)
Slide 33
Slide 34
Log Your Questions in the Q&A Panel
• Learn more! Request a demo: http://bit.ly/1Qnbc0I
• Learn more about EMA IT Analyst Research:
http://www.enterprisemanagement.com/freeResearch