Page 1: Threat Detection Algorithms Make Big Data into Better Data

Ahead of RSA – Threat Detection Algorithms Make Big Data into Better Data
April 29, 2016

David Monahan, Research Director, Enterprise Management Associates (EMA)
Wade Williamson, Director of Product Marketing, Vectra Networks

Page 2

Today’s Presenters

Slide 2 © 2016 Enterprise Management Associates, Inc.

David Monahan – Research Director, Risk and Security
David is a senior information security executive with several years of experience. He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs), for organizations ranging from Fortune 100 companies to local government and small public and private companies.

Wade Williamson – Director of Product Marketing, Vectra Networks
Wade has extensive industry experience in intrusion prevention, malware analysis, and secure mobility, and has spoken at a variety of industry conferences, including the keynote address at the EICAR malware conference, and led the Malware Researcher Peer Discussion at RSA. Prior to joining Vectra, he was Sr. Security Analyst at Palo Alto Networks, where he led the monthly Threat Review Series and authored the Modern Malware Review.

Page 3

Logistics for Today’s Webinar

Questions
• Log questions in the Q&A panel located on the lower right corner of your screen
• Questions will be addressed during the Q&A session of the event

Event recording
• An archived version of the event recording will be available at www.enterprisemanagement.com

Event presentation
• A PDF of the PowerPoint presentation will be emailed to you as part of the follow-up email.

Page 4

Security Challenges

• Lack of Visibility
• Attack Complexity
• Patient Attackers
• Persistent Attack
• Protecting Information

Page 5

© Vectra Networks | www.vectranetworks.com

About Vectra Networks

Mission: Automatically detect ongoing cyber attacks in real time

Leadership
• Hitesh Sheth, President & CEO
• Oliver Tavakoli, CTO
• Alain Mayer, VP Product Mgmt
• Jason Kehl, VP Engineering
• Mike Banic, VP Marketing
• Rick Geehan, VP Sales, N. Amer.
• Gerard Bauer, VP EMEA

Investors and Industry Recognition (logos only; not recoverable from the extraction)

Customers by industry (pie chart labels and values, in extraction order): Education 8%, Energy 4%, Entertainment 6%, Finance 18%, Legal 6%, Health 12%, S&L Govt 6%, Media 6%, Technology 19%, Other 17%

Page 6

Detecting Threats Across the Kill Chain

Page 7

The Cybersecurity Gap

(Figure: a timeline split into three phases with the tooling applied in each; only the labels survive.)

Prevention Phase: Firewalls, IPS, Proxies, Sandboxes
Active Phase (the Cybersecurity Gap): Initial Infection, then Internal Recon, Lateral Movement, External Remote Access, Command & Control, Exfiltrate Data, Botnet Fraud; key assets found in the wild
Clean-up Phase: SIEM analysis, Forensic consultants

205 days: attackers had free rein in breached networks¹

Relative spend markers from the figure, in extraction order: $$$$, $, $$$, $$ (their mapping to phases and tools is not recoverable).

Page 8

Addressing the Cybersecurity Gap

(Figure: the same three-phase timeline as the previous slide, with Vectra placed in the Active Phase.)

Prevention Phase: Firewalls, IPS, Proxies, Sandboxes
Active Phase: Vectra Networks, real-time, automated detection of all phases of active cyber attacks
• Analyzes all traffic and detects all phases of attack
• Applies data science to original traffic to find hidden threats
• Automates time-consuming, expensive analysis in real time
• Learns and shares fundamental attack behaviors across systems
Clean-up Phase: SIEM analysis, Forensic consultants

Page 9

Approaches to Security

• Focuses
  • Network
  • Endpoint
  • Users
  • Data
• Methodologies
  • Signature/Pattern
  • Policy/Rule
  • Data Science: Behavioral, Anomaly, Prediction

Example tools shown on the slide: Sandboxing, DPI/NetFlow (network); Antivirus, HIDS, DLP (endpoint)

Page 10

Program Maturity...

• 66% rate their Network Prevention Maturity as Strong to Very Strong
• 65% rate their Network IR Maturity as Strong to Very Strong
• 71% rate their Network Detection Maturity as Strong to Very Strong

Maturity definitions used in the survey:

Very Strong: At least 99% of the network segments have active prevention and are actively monitored and managed, AND the system generates very few, if any, false positives. The system prevents/detects (as applicable) 99% or more of the network-based attacks.

Strong: At least 85% of the network segments have active prevention/detection (as applicable) and are actively monitored and managed, AND the system generates only a few false positives. The system prevents/detects (as applicable) 95% or more of the network-based attacks.

Underdeveloped: Less than 75% of network segments have active prevention/detection (as applicable), and they are not necessarily actively monitored and managed, OR the system generates an excessive number of false positives. The system prevents/detects (as applicable) no more than 90% of the network-based attacks.

Page 11

...Is Overrated and Underdeveloped

• 59% lack analysis capabilities
• 40% have network analysis tools
• 58% maintain historical data for analysis

Page 12

Decline of Baselines and Asset Prioritization

Page 13

Decline in Monitoring High Value Assets

Page 14

Decline in Security Confidence

Page 15

Focus on what threats do, not what they are called

Trying to name all bad things only ensures that you are always behind
• Near-infinite supply of repackaged malware, IP addresses, and URLs

Vectra uses behavioral traffic analysis to expose the true purpose and effect of traffic

Malicious behaviors are similar across platforms
• Does it really matter whether that port scanner is on a laptop or an iPhone?

Page 16

Traditional DPI vs Behavioral DPI

Signatures                           | Data Science
How the threat looks                 | What the threat does
Find threats that you’ve seen before | Find what all threats have in common
Snapshot in time                     | Learning over time
No local context                     | Local learning and context
Short-lived, reactive intelligence   | Long-lived, predictive intelligence

Page 17

Extending behavioral analysis where it matters most

Signatures: find unique identifiers of known threats
Sandboxes: detect infecting behavior based on short-term analysis in a virtual environment
Vectra:
✓ Detects behavior of all phases of attack
✓ Short-term and long-term analysis
✓ Real network environment, real traffic
✓ See threats in context of key assets
✓ Device and OS agnostic (platform logos shown: Windows 8, Windows 10, Vista, Android Lollipop, KitKat, Jellybean, Ubuntu, Debian, CentOS, iOS 9, iOS 8, OS X Mavericks, Yosemite)

Page 18

External remote access case study: GlassRAT

Undetected for over 3 years
• Discovered by RSA Security
• Signed with a certificate belonging to a legitimate software company in China
• No AV coverage initially
• Rare overlaps with C&C servers used in nation-state attacks

Source: https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf

Page 19

External remote access case study: GlassRAT

Highly successful at avoiding signatures

Behavior still looked exactly like a RAT
• Similar to Netcat connected to a command shell over TCP
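The point of the GlassRAT slides is that a remote shell can dodge every signature and still move data the way a remote shell does: short inbound commands, larger outbound replies, and human-paced gaps between rounds. The following is an added example (not Vectra's code and not from the RSA report) that scores one TCP session on exactly that shape using only per-packet payload sizes and timestamps, which is the kind of first-hand detail a NetFlow summary throws away. Both sessions, the shell and the ordinary HTTPS fetch it is compared with, are constructed by hand; the 200-byte command threshold, the 3-second reply window and the pacing bounds are assumed values, not Vectra's.

```python
"""Score a TCP session on whether it moves data like an interactive shell.

Added example, not Vectra's code. Directions are from the internal host's
point of view: "in" = external peer -> internal host (operator commands),
"out" = internal host -> external peer (command output). Both sessions below
are constructed by hand; the thresholds are assumed, not measured.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since the first packet of the session
    direction: str   # "in" or "out"
    size: int        # TCP payload bytes (pure ACKs carry 0 and are omitted)


SMALL_CMD_BYTES = 200   # assumed: a typed command line is short
REPLY_WINDOW_S = 3.0    # assumed: shell output follows the command quickly


def exchanges(pkts):
    """Pair each small inbound packet with the outbound bytes that follow it
    before the next inbound packet and within REPLY_WINDOW_S.
    Returns (command_ts, command_bytes, reply_bytes) tuples."""
    pairs = []
    for i, p in enumerate(pkts):
        if p.direction != "in" or p.size > SMALL_CMD_BYTES:
            continue
        reply = 0
        for q in pkts[i + 1:]:
            if q.direction == "in" or q.ts - p.ts > REPLY_WINDOW_S:
                break
            reply += q.size
        if reply:
            pairs.append((p.ts, p.size, reply))
    return pairs


def session_features(pkts):
    pkts = sorted(pkts, key=lambda p: p.ts)
    pairs = exchanges(pkts)
    gaps = [b[0] - a[0] for a, b in zip(pairs, pairs[1:])]
    return {
        "duration_s": pkts[-1].ts - pkts[0].ts,
        "in_bytes": sum(p.size for p in pkts if p.direction == "in"),
        "out_bytes": sum(p.size for p in pkts if p.direction == "out"),
        "exchanges": len(pairs),
        "median_gap_s": median(gaps) if gaps else 0.0,
    }


def looks_like_shell(pkts):
    """Three or more command/reply rounds, the internal host sending more than
    it receives (output dwarfs commands), and rounds paced like a person at a
    keyboard rather than a download or a keep-alive."""
    f = session_features(pkts)
    return (f["exchanges"] >= 3
            and f["out_bytes"] > f["in_bytes"]
            and 0.5 <= f["median_gap_s"] <= 120.0)


# Constructed: reverse shell; the peer sends four short commands, each answered.
SHELL_SESSION = [
    Pkt(0.0, "in", 12), Pkt(0.3, "out", 900),
    Pkt(4.1, "in", 20), Pkt(4.4, "out", 2400), Pkt(4.5, "out", 1300),
    Pkt(11.0, "in", 9), Pkt(11.2, "out", 640),
    Pkt(30.0, "in", 28), Pkt(30.4, "out", 4100),
]

# Constructed: TLS handshake, one HTTP request, a 56 KB response, close_notify.
HTTPS_SESSION = [
    Pkt(0.00, "out", 517), Pkt(0.04, "in", 1400), Pkt(0.04, "in", 1400),
    Pkt(0.05, "in", 820), Pkt(0.07, "out", 126), Pkt(0.09, "in", 51),
    Pkt(0.10, "out", 420),
] + [Pkt(0.12 + 0.01 * k, "in", 1400) for k in range(40)] + [
    Pkt(0.60, "in", 31), Pkt(0.61, "out", 31),
]
```

Nothing in the score depends on the destination port, the peer's reputation, or the bytes on the wire, so it applies unchanged to a TLS-wrapped shell; the cost is that a chatty legitimate protocol with the same shape (an interactive SSH session to an outside host, for instance) scores the same way and has to be explained by context rather than by the signature.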

Page 20

Data Science: Bigger Data is Not Necessarily Better Data

• Storage is cheap, so data is rampant!
• Analysis is key

Page 21

Machine Learning Is Not Magic

• Supervised
  • Uses large, labeled datasets specific to an environment or community
  • Outliers are ignored
  • Algorithms attempt to determine expected behaviors
  • Faster, but needs direction (someone has to supply the labels)
• Unsupervised
  • Uses large datasets specific to an environment or community
  • Identifies what is normal/acceptable and what is anomalous/abnormal with respect to the group
  • Outliers are considered bad (or at least anomalous and worth investigating)
  • Slower, but does not require direction

Page 22

Data science requires the right data

First-hand data is required
• Summaries will often lack the details needed to catch a threat
• Dependent on systems that missed the attack

Must have context
• Attacks take place over multiple hosts and over time

Must be in real time
• Prevention of loss, not post-mortem forensics

(Figure: data source options plotted on axes of Network Coverage versus Data Quality and Speed: Network traffic, Endpoint agents, SIEM & logs, NetFlow.)

Page 23

An example of supervised machine learning

Recently observed malware using Gmail as an automated C&C: it synced encoded Python scripts using the Drafts folder.

Signatures, reputation, and approved-use policies all fail.

Page 24

It’s what it does, not what it is

Command and control via Gmail
• Trusted application, trusted URL, trusted IP, allowed behavior
• No email ever sent

Communication behavior still looks like a traditional bot pulling instructions from its C&C
• Unique pattern of call and response
• Bot completes a task and asks for next instructions
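One way to turn the Gmail C&C case above, together with the supervised-learning bullet on slide 21, into code: an added example (not Vectra's) that learns a single cut-off from labeled sessions. The destination is trusted, so the feature has to be behavior; here it is the regularity of the request timing to the mail service, since an unattended bot polls on a timer while a person reads mail in bursts. The call-and-response half of the pattern is left out to keep the example short. All training and test sessions are constructed with a fixed seed; the period, jitter and gap choices are assumptions, not measurements of the real malware.

```python
"""Supervised detection of C&C-style polling against a trusted service.

Added example, not Vectra's code. It never asks "is this destination bad?"
(it is Gmail, so no); it asks "does this host talk to it the way a bot
polling for orders does?". The single feature is timing regularity.
Training data is constructed inline with a fixed seed; nothing is real traffic.
"""
import random
from statistics import mean, pstdev


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between successive requests.
    Near 0 = metronomic polling; around 1 or more = bursty human activity."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return float("inf")
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def bot_session(rng, n=40, period=300.0, jitter=10.0):
    """Constructed: a bot checking the Drafts folder every ~5 minutes."""
    t, out = 0.0, []
    for _ in range(n):
        t += period + rng.uniform(-jitter, jitter)
        out.append(t)
    return out


def human_session(rng, n=40):
    """Constructed: quick clicks inside a burst, long idle gaps between bursts."""
    t, out = 0.0, []
    for _ in range(n):
        t += rng.choice([2.0, 5.0, 15.0, 600.0, 1800.0]) * rng.uniform(0.5, 1.5)
        out.append(t)
    return out


def make_labelled(rng, per_class=30):
    """(feature, label) pairs; label 1 = C&C polling, 0 = ordinary webmail use."""
    data = [(interval_cv(bot_session(rng)), 1) for _ in range(per_class)]
    data += [(interval_cv(human_session(rng)), 0) for _ in range(per_class)]
    rng.shuffle(data)
    return data


def train_stump(data):
    """Pick the cv cut-off that best separates the labeled sessions
    (rule: cv below cut-off -> C&C polling). A one-feature decision stump:
    supervised learning in its most transparent form."""
    xs = sorted({x for x, _ in data})
    best_t, best_acc = None, -1.0
    for a, b in zip(xs, xs[1:]):
        t = (a + b) / 2
        acc = mean(1.0 if (x < t) == (y == 1) else 0.0 for x, y in data)
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t, best_acc


def classify(timestamps, threshold):
    return interval_cv(timestamps) < threshold


def demo(seed=7):
    rng = random.Random(seed)
    threshold, train_acc = train_stump(make_labelled(rng))
    test = make_labelled(rng, per_class=20)
    test_acc = mean(1.0 if (x < threshold) == (y == 1) else 0.0 for x, y in test)
    return {
        "threshold": threshold,
        "train_acc": train_acc,
        "test_acc": test_acc,
        "bot_flagged": classify(bot_session(rng), threshold),
        "human_flagged": classify(human_session(rng), threshold),
    }
```

The "needs direction" caveat from slide 21 is visible here: the cut-off is only as good as the labels, so a bot that randomizes its sleep interval widely, or a mail client with its own fixed auto-refresh, moves the decision boundary and has to be represented in the training set before the stump can learn it.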

Page 25

Example of unsupervised machine learning in action

Vectra observes Kerberos traffic to learn the user accounts and services normally used on each device.

Vectra detected an admin account being used on several devices and accessing new hosts and services.
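An added example (not Vectra's) of the Kerberos baseline described above; it also stands in for the unsupervised-learning bullet on slide 21. The records are constructed to resemble what a sensor could derive from Kerberos ticket requests (requesting device, account principal, service principal). The "model" is nothing more than the sets of (device, account) and (account, service) pairs observed during a learning window; anything outside those sets in a later window is anomalous with respect to this network, with no labels and no prior notion of what an attack looks like, and an account fanning out across devices it has never used is what lateral movement looks like at this layer. Host names, account names and the three-device threshold are assumptions.

```python
"""Unsupervised baseline of Kerberos usage per device.

Added example, not Vectra's code. Records are constructed; nothing here is
real traffic. The baseline is learned from the network itself, which is the
unsupervised half of slide 21: the only "direction" is a learning window.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class KrbReq:
    day: int
    client: str    # device that sent the request (IP or hostname)
    account: str   # principal in cname
    service: str   # SPN in sname, e.g. cifs/fs01


class KerberosBaseline:
    def __init__(self):
        self.accounts_on = defaultdict(set)   # device  -> {accounts seen on it}
        self.services_for = defaultdict(set)  # account -> {services it used}

    def learn(self, reqs):
        for r in reqs:
            self.accounts_on[r.client].add(r.account)
            self.services_for[r.account].add(r.service)

    def score(self, reqs, min_new_devices=3):
        """Collect (device, account) pairs never seen in learning, grouped by
        account, and alert on accounts that appear on >= min_new_devices new
        devices; report the never-seen services alongside."""
        new_devices, new_services = defaultdict(set), defaultdict(set)
        for r in reqs:
            if r.account not in self.accounts_on.get(r.client, set()):
                new_devices[r.account].add(r.client)
            if r.service not in self.services_for.get(r.account, set()):
                new_services[r.account].add(r.service)
        return [
            {"account": acct,
             "new_devices": sorted(devs),
             "new_services": sorted(new_services.get(acct, set()))}
            for acct, devs in new_devices.items()
            if len(devs) >= min_new_devices
        ]


def learning_window():
    """Constructed normal traffic: each workstation has one regular user who
    talks to the file server, the intranet site and the DC; the admin account
    is used only from the jump host."""
    reqs = []
    for day in range(1, 15):
        for n in range(1, 11):
            ws, user = f"ws-{n:02d}", f"u{n:02d}"
            reqs += [KrbReq(day, ws, user, "cifs/fs01"),
                     KrbReq(day, ws, user, "http/intranet"),
                     KrbReq(day, ws, user, "ldap/dc01")]
        reqs += [KrbReq(day, "jump-01", "svc-admin", "cifs/dc01"),
                 KrbReq(day, "jump-01", "svc-admin", "host/dc01")]
    return reqs


def detection_window():
    """Constructed day 15: normal usage, one user at a colleague's desk, and
    the admin account fanning out from four workstations to a new server."""
    reqs = [KrbReq(15, "ws-02", "u02", "http/intranet"),   # baseline use
            KrbReq(15, "ws-05", "u04", "ldap/dc01"),        # one new device: below threshold
            KrbReq(15, "jump-01", "svc-admin", "host/dc01")]
    for ws in ("ws-03", "ws-05", "ws-07", "ws-09"):
        reqs += [KrbReq(15, ws, "svc-admin", "host/dc01"),
                 KrbReq(15, ws, "svc-admin", "cifs/hr-db"),
                 KrbReq(15, ws, "svc-admin", "mssql/hr-db")]
    return reqs


def demo():
    model = KerberosBaseline()
    model.learn(learning_window())
    return model.score(detection_window())
```

The single-device case (u04 on ws-05) is deliberately left below the threshold: one new pairing is what a person sitting at another desk looks like, and flagging it would be the "excessive false positives" failure the EMA maturity definitions penalise. The learning window is also the model's weak point: if the attacker was already active while the baseline was being learned, their activity is "normal", so the window should be reviewed or anchored to a known-clean period.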

Page 26

Perspectives on Technology

Page 27

Staffing Impacts

Page 28

Automation of tasks, actions and/or analysis in detection (network respondents)

Very Important: 51%
Important: 35%
Somewhat Important: 13%
Somewhat Unimportant: 0%
Not Important at All: 1%

Page 29

Automation of tasks, actions and/or analysis in IR (network respondents)

Very Important: 48%
Important: 35%
Somewhat Important: 15%
Somewhat Unimportant: 1%
Not Important at All: 1%

Page 30

Rank of Automation for security functions/actions in terms of importance

(Bar chart; values as extracted, paired with labels in extraction order)
Threat Intelligence Integration: 2.37
Scalability: 2.72
Price: 3.00
Ease of Use: 3.37
Security Tasks: 3.39

Page 31

Automation to address the skills shortage

Delivering security analysts in software
• Automatically does the investigative work of a dedicated team of security analysts
• Hours and days of manual work performed in real time

Empowers the security organization
• Enables IT and security generalists to address advanced threats
• Reveals hidden problems that can lead to future attacks

Page 32

Turning complexity against the attackers

(Figure: attack-phase diagram; only the labels survive.)
Phases shown: Initial Infection; Internal Recon; Lateral Movement; Acquire Data; Exfiltrate Data
Opportunistic: Standard C&C; Botnet Monetization
Targeted: Custom C&C; Custom C&C & RAT


Page 34

Log Your Questions in the Q&A Panel

• Learn more! Request a demo: http://bit.ly/1Qnbc0I
• Learn more about EMA IT Analyst Research: http://www.enterprisemanagement.com/freeResearch