IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
Where There Is Smoke, There Is Fire: Extracting Actionable Intelligence
From Network Traffic with Real-time Analysis
David Monahan, Research Director
Security & Risk Management
Enterprise Management Associates (EMA)
@SecurityMonahan
© 2017 Enterprise Management Associates, Inc.
Today’s Speaker
David Monahan
Research Director, Risk & Security Management,
EMA
David has over 20 years of IT security experience
and has organized and managed both physical and
information security programs, including Security
and Network Operations (SOCs and NOCs) for
organizations ranging from Fortune 100 companies
to local government and small public and private
companies.
Visibility Challenges
• Security personnel are overwhelmed
• Security personnel are inexperienced
• Attacks are varied and multifaceted
• Attacks are stealthy
• Attacks exploit user identity
• New zero-day attacks appearing regularly
• Getting the right data in a timely manner!
Top 3 Security Challenges…
58%  Lack of analysis capabilities in the solutions
38%  Lack of dashboards
37%  Lack of reporting capabilities
34%  Lack of vendor-supplied integration
31%  Lack of open APIs
 4%  Other
Need to combine network capabilities or data with endpoint security capabilities or data
More Context
• 92% of organizations receive as many as 500 overall alerts per day
• 88% of organizations receive as many as 500 severe/critical alerts per day
MEANING: Most incidents are being classified as severe/critical
CAUSE: A lack of context [data] to properly prioritize the events
RESULT: Attacks cannot be properly prioritized
• 67% of organizations can only investigate <=10 severe/critical events per day
• 88% of organizations can only investigate <=25 severe/critical events per day
MEANING: Most incidents are not being investigated
CAUSE: A lack of context [data] to properly prioritize the events
RESULT: Attacks are going unidentified/uninvestigated
Inexperience and a Lack of Skills
What type of data is best for early breach detection?
72%  I don't know
15%  Endpoint logs
 7%  Packet capture
 5%  Performance logs

Security teams affected by staffing shortage
2016: Affected by staffing shortage 76%, not affected by staffing shortage 24%
2015: Affected by staffing shortage 68%, not affected by staffing shortage 32%
Security Team Bravado – Detecting breaches
25%  Very strong
47%  Strong
24%  Competent
 4%  Underdeveloped
 1%  Network security detection is not a significant focus of our security program
Security Team Bravado – Incident response
25%  Very strong
41%  Strong
25%  Competent
 8%  Underdeveloped
 2%  Network security incident response is not a significant focus of our security program
Security Team Bravado – Maintaining Environmental Baseline
58%  Yes
35%  No, but I believe it is important
 7%  No, and I don't feel that it is necessary
Data Used for Investigation
54%  Full packet data
50%  Log data
46%  Flow data
38%  Packet headers only
Packet Data Use In Investigations
14%  Yes, for all investigations
38%  Yes, but only for critical investigations
30%  No, but we would like to/plan to
 3%  No, and we have no particular need/interest
16%  I don't know
Security Teams Need Automation to be Effective
Automation for Detection
51%  Very important
35%  Important
13%  Somewhat important
 0%  Somewhat unimportant
 1%  Not important at all

Automation for Incident Response
49%  Very important
35%  Important
15%  Somewhat important
 1%  Somewhat unimportant
 1%  Not important at all
Centralized Operations Interface is Key
38%  Very important
43%  Important
15%  Somewhat important
 3%  Somewhat unimportant
 2%  Not important at all
Metadata is Key to Success
15%  Invaluable
69%  Very valuable
15%  Moderately invaluable
Why Packets
It’s How the Attacks Arrive
• >99% of cyber attacks traverse the network in some way
– Email/Web
– Reconnaissance
– Command and control
– Data collection…
• Only insider attacks collecting local system data and posting it to removable media do not
Accelerating Detection and Response
• Address Increased Advanced and Stealthy Threats
– Threats hiding in normal application traffic, web, email, file transfers
– Constantly morphing to avoid signatures, low and slow exfiltration methods
– Abuse of DNS and HTTP traffic to coordinate and avoid detection
• Reduce Attacker Dwell Time: Still too Long
– Need More Telemetry faster
– Increase Analyst Context
– Lateral Movement not Detected Soon Enough
– Endpoints don’t have all the info
– Better Data to “Connect the Dots” From Events
– Quickly relate data correlations
– Accelerate Investigations with Comprehensive Forensics Data
– Connect the Who, When, and How of a Breach
– Look deep inside files and content to distinguish between normal and suspect activity
QNI – Proactive Breach Detection versus Reactive Forensics
• QNI Value:
– On-the-fly data stream analysis
– Real-time correlation with other logged data
– Vast metadata creation for case data enrichment
– Better breach prevention
– Earlier detection, especially against low and slow or complex attacks
– Reduced false positives (Alert/no-Alert)
– Better alert classification (Critical, High, Med, Low, Info)
– Accelerated incident response
– Reduced loss/damage of breach
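The "real-time correlation with other logged data" and "better alert classification" points above are easiest to see in code. The following is an added example written for this page; it is not EMA's or the QNI product's code. It takes indicators produced by traffic analysis, joins them with a host inventory and an authentication log, and assigns each one of the five levels named on the slide. The indicator names, the scoring scheme, the ten-minute correlation window and all sample records are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed scoring scheme for the added example (not from the deck): each indicator has
# a base score on a 0-4 scale, raised by asset criticality and by a different indicator
# from the same source inside the correlation window.
BASE_SCORE = {"dns_long_label": 2, "http_post_large": 2, "new_external_dst": 1}
LEVELS = ["Info", "Low", "Med", "High", "Critical"]


def latest_login(auth_log, host, before):
    """Most recent successful login on `host` at or before `before` (the 'who' of an event)."""
    user, best = "unknown", None
    for entry in auth_log:
        ts = datetime.fromisoformat(entry["ts"])
        if entry["host"] == host and entry["result"] == "success" and ts <= before:
            if best is None or ts > best:
                user, best = entry["user"], ts
    return user


def classify(events, assets, auth_log, window=timedelta(minutes=10)):
    """Turn raw network indicators into prioritized alerts with who/where/what context."""
    recent = defaultdict(list)  # source IP -> [(timestamp, indicator)] seen so far
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(event["ts"])
        asset = assets.get(event["src"], {"host": event["src"], "criticality": "unknown"})
        score = BASE_SCORE.get(event["indicator"], 1)
        if asset["criticality"] == "high":
            score += 1
        # A different indicator from the same source inside the window is the
        # "connect the dots" step: the pair is escalated, not judged in isolation.
        related = sorted({ind for t, ind in recent[event["src"]]
                          if ts - t <= window and ind != event["indicator"]})
        if related:
            score += 1
        recent[event["src"]].append((ts, event["indicator"]))
        alerts.append({
            "ts": event["ts"],
            "who": latest_login(auth_log, asset["host"], ts),
            "where": asset["host"],
            "what": event["indicator"],
            "related": related,
            "level": LEVELS[min(score, len(LEVELS) - 1)],
        })
    return alerts


# Constructed sample data (not survey or customer data): indicators produced by
# traffic analysis, a host inventory, and an authentication log.
NETWORK_EVENTS = [
    {"ts": "2017-03-01T10:00:05", "src": "10.0.0.5", "dst": "203.0.113.9", "indicator": "dns_long_label"},
    {"ts": "2017-03-01T10:00:40", "src": "10.0.0.5", "dst": "203.0.113.9", "indicator": "http_post_large"},
    {"ts": "2017-03-01T11:30:00", "src": "10.0.0.77", "dst": "198.51.100.2", "indicator": "new_external_dst"},
]
ASSETS = {
    "10.0.0.5": {"host": "hr-fileserver", "criticality": "high"},
    "10.0.0.77": {"host": "lobby-kiosk", "criticality": "low"},
}
AUTH_LOG = [
    {"ts": "2017-03-01T08:15:00", "host": "hr-fileserver", "user": "svc_backup", "result": "success"},
    {"ts": "2017-03-01T09:59:50", "host": "hr-fileserver", "user": "j.doe", "result": "success"},
    {"ts": "2017-03-01T10:00:01", "host": "hr-fileserver", "user": "admin", "result": "failure"},
]

if __name__ == "__main__":
    for alert in classify(NETWORK_EVENTS, ASSETS, AUTH_LOG):
        print(alert)
```

On the sample data the lone DNS indicator from the high-criticality file server lands at High, the large upload that follows it 35 seconds later is escalated to Critical with the DNS event attached as related context and the last successful login as the "who", and the kiosk's new destination stays at Low. Without the asset and login context every one of these would arrive at the analyst as an undifferentiated alert, which is the prioritization gap the survey numbers describe.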
Where to Use QNI
• Leverage at any SOC Function!
• Tier 1 (Incident receipt and processing)
– Reduce incident volume = Reduced alert fatigue
– Faster access to critical data = Faster Response
– Better incident prioritization = Better incident handling
– Force multiplier = Reduced hand-offs to Tier 2 and Tier 3
• Tier 2 and Tier 3 (SecOps Troubleshooting/Investigations)
– Better context = Faster resolution
• Tier 4 (Hunters)
– Better visibility = Reduced attacker dwell time
– Better analysis = Faster detection of related incidents
– Reduced dwell time = Reduced incident impact/cost
Not All SIEM Packet Analysis Created Equal
• Some only through 3rd-party partnerships
• Processing overhead causes delays for data access
– Several minutes to hours based on volume and collection method
• Most integrated packet capture is only started on demand
• Accessing data often not intuitive
• Little/No advanced data analysis up front
– Most return data is limited by queries or correlation rules
– Analysis of data returns left to operator
QNI Benefits
• Enriching data with:
– DNS and other host detail
– URLs, redirects
– File data, file hashes, file entropy (image and audio files especially)
– Application Awareness: Detected PII and confidential data
– Usernames and Email addresses
– Embedded scripts detection
• Customizable suspect content feeds
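The enrichment list above is abstract until you see what "metadata" means at the byte level. The following is an added example written for this page, not EMA's or the QNI product's code: it parses the question name out of a DNS query, pulls the URL, e-mail addresses, a SHA-256 file hash, byte entropy and any embedded script tag out of an HTTP request, and raises a suspect flag when a DNS label is abnormally long or a payload's entropy is near the 8 bits/byte of encrypted or compressed content. The two thresholds and all of the sample packets are constructed assumptions for the example; the parsers follow the DNS wire format (RFC 1035 labels) and HTTP/1.1 framing.

```python
import hashlib
import math
import re
import struct

# Assumed thresholds for the added example (not from the deck): a DNS label longer than
# this, or a payload whose entropy is above this, is marked for analyst attention.
MAX_NORMAL_LABEL_LEN = 32
HIGH_ENTROPY_BITS = 7.5

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, close to 8.0 for compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def dns_query_name(message: bytes) -> str:
    """Return the QNAME of the first question in a DNS message (wire format, length-prefixed labels)."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    (qdcount,) = struct.unpack("!H", message[4:6])
    if qdcount == 0:
        raise ValueError("DNS message carries no question")
    labels, pos = [], 12
    while True:
        length = message[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not appear in a query's question name
            raise ValueError("compression pointer in question name")
        labels.append(message[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def enrich_dns(message: bytes) -> dict:
    """Metadata for a DNS query: the name, its longest label, name entropy and a suspect flag."""
    qname = dns_query_name(message)
    longest = max(len(label) for label in qname.split("."))
    return {
        "qname": qname,
        "longest_label": longest,
        "name_entropy": round(shannon_entropy(qname.encode()), 2),
        "suspect": longest > MAX_NORMAL_LABEL_LEN,
    }


def enrich_http(request: bytes) -> dict:
    """Metadata for an HTTP request: URL, identities in the body, body hash, entropy, embedded script."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    entropy = shannon_entropy(body)
    return {
        "method": method,
        "url": f"http://{host}{target}",
        "emails": sorted({m.decode() for m in EMAIL_RE.findall(body)}),
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "body_entropy": round(entropy, 2),
        "high_entropy": entropy > HIGH_ENTROPY_BITS,
        "embedded_script": SCRIPT_RE.search(body) is not None,
    }


# Constructed sample traffic (not captured data): a benign lookup, a query carrying a
# 48-character hex label, an HTML upload naming a user and embedding a script, and an
# opaque blob whose bytes are uniformly distributed.
DNS_BENIGN = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x07example\x03com\x00\x00\x01\x00\x01")
DNS_LONG_LABEL = (b"\x56\x78\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x30" + b"0123456789abcdef" * 3 + b"\x06tunnel\x04test\x00\x00\x10\x00\x01")
HTTP_UPLOAD = (b"POST /upload?id=7 HTTP/1.1\r\nHost: files.example.test\r\n"
               b"Content-Type: text/html\r\n\r\n"
               b"<html><body>contact alice@example.test"
               b"<script>fetch('/beacon')</script></body></html>")
HTTP_BLOB = (b"PUT /store HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
             + bytes(range(256)) * 16)

if __name__ == "__main__":
    for sample in (DNS_BENIGN, DNS_LONG_LABEL):
        print(enrich_dns(sample))
    for sample in (HTTP_UPLOAD, HTTP_BLOB):
        print(enrich_http(sample))
```

Each record this produces (query name, URL, e-mail address, hash, entropy, script flag) is a small, indexable fact that a SIEM can correlate immediately, which is the difference the deck draws between enriching the stream as it passes and replaying full captures later. The entropy figure is what lets an analyst tell an ordinary image or document apart from an opaque payload without opening it.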
Get Free Research from EMA analysts
• http://www.enterprisemanagement.com/freeResearch