
Presentation Transcript


  1. Real-time Security Analytics: Visibility, Alerting or Forensic Digging - Which is it?
  Steven Urban, Click Security

  2. What this prezo will address…
  • What is a security analytic anyway?
  • Who on my staff would actually use this product?
  • What problems does it actually solve?
  • Does it replace products like Log Management systems and SIEMs?
  Click Security Confidential

  3. Typical Enterprise Network Today
  (network diagram; labels: Cloud Services, Contractor, Web Proxy Server, Mobility, WAN F/W & IPS, DMZ F/W & IPS, EP, Malicious Insider, BYOD, Consumerization of IT)

  4. Are We Secure?
  • IP theft to US Co’s is $250B / year
  • Global cybercrime is $114 billion…
  • $388 billion when you factor in downtime… (Symantec*)
  • $1 trillion spent globally on remediation (McAfee*)
  (product-category diagram; labels: NAC, IAM, MDM, DLP, Secure Web Proxy, SIEM, UTM, Secure Email G/W, Endpoint Protection, MSSP, Firewall)
  We spent $25B on IT Security in 2012**
  * http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-amount-greatest-transfer-wealth-history-070912
  ** http://www.slideshare.net/Pack22/it-security-market-overview-sept-12

  5. What Happened?
  • Massive Network Attack Surface: Complex, Constant Flux (Social Media, Consumerization of IT, IP Device Explosion, Mobility, Cloud Computing)
  • The Enemy: Intelligent, Stealthy, Relentless, Motivated, Numerous. “Based on some research by the U.S. intelligence, the total number of registered hackers in China is approaching 400,000.” (Infosecisland.com)
  • Your Defense: Signature-based Defenses (IPS, Anti-X, Firewall), between 50% and 5% effective
  • Staff: $1B Revenue x 5% on IT x 10% on Security x 30% on Staff / $200K/Yr loaded = 7.5 Heads

  6. A Recently Experienced Attack…
  (attack diagram; labels: Attack, Reserved IP Address, Internal Web Server, Entry Attack, Internal Web Server, Attribution, ExFil $)

  7. Autopsy Report
  • Did you see these alarms?
    • Remember a F/W @ 15K EPS = 1 Billion EPD
  • Did you recognize their relative importance?
    • High, Medium, Low severity?
  • Did you know they were connected?
    • e.g., how many IP addresses are involved here?
  • Did you see them in time to be proactive?
    • Or do you study them forensically?
  • Do you even have staff to spend time on this?
    • Or are you chief, cook and bottle washer?

  8. Current Answer… Event Management + Forensics
  2012 Verizon Data Breach Investigations Report: Minutes – hours to execute a breach. Days – months to discover.

  9. Better Answer… Real-time Security Analytics
  Catch This… Before This…

  10. So Why Don’t We Catch Things in Real Time?
  (bar chart; values 39%, 35%, 29%, 29%, 28%, 28%, 28%, 23%; category labels not recoverable from the transcript)

  11. The Security Analytics Spectrum
  • Real-time: tuned for real-time contextualization of anomalies and quick investigative / incident response action
  • Asymmetric (batch, offline): tuned for off-line deep, historical investigation

  12. Example Real-time Security Analytic
  Normal alerts… if you actually notice them…
  • “I see a user tied to an unusual device”
  • “I see a flow to a blacklisted IP address”
  • “I see an access from a strange location”
  Collect, Cross-Contextualize and Examine for Anomalies in real-time…
  Real-time Security Analytic: “I see a user coming into a critical server from an Android device in Uganda that also has a connection to a blacklisted IP address in China, and this same user logged in from Dallas 30 minutes ago…”
  Data sources: Access Activity, Internet Threats, Vulnerability Assessment, Security Policy, Authentication Activity, Flow Activity, Application Activity, Enterprise Security Events, User Activity

  13. What If You Could Do This…?

  14. Real-Time Security Analytics (RtSA)
  Components: Click Platform, Click Labs, Click Modules
  • Programmable Real-time Analytics
  • Captured Intelligence
  • “Lego” building blocks
  • Stream Processing Engine
  • Dynamic Visualizations
  • Interactive Workbooks
  • Highly Scalable
  • Security Threat Expertise
  • Protocol / Application Savvy
  • Module Development
  • Customer Environment Assessment

  15. Automated, Real-time Contextualization
  • Security Events: Client Entity, Server Entity, Detection Time, Rule, Result, Message, Other Entities
  • Authentication Events: Client Entity, Server Entity, Authentication Time, Protocol Type, Result, Message, Other Entities
  • Access Events: Client Entity, Server Entity, Access Time, Resource Type, Result, Message, Other Entities
  • Flow Events: Client Entity, Server Entity, Time First / Last Active, Flow Type, Transport Protocol, Application Protocol, Prior / Current State, Byte / Packet Count, Session ID, Other Entities
  • Actor / Entity: Username, Hostname, Entity Type, Time First / Last Active, IP Address, MAC Address, Recent Network Flows, Recent Authentications, Recent Accesses, Recent Security Events, DHCP Lease, NAT Lease, VPN Lease, Other Entities
  Analysis Modules: Routing Anomalies, Malicious Callbacks, SPAM Relay Detector, Proxy Bypass Detector, Information Ex-filtration, Suspicious Web Traffic, Covert Channel Detector, Suspicious Data Access, Anomalous User Behavior, Anomalous Email Detector, Suspicious Account Lockouts, Firewall Rule Analysis Module, Anomalous Endpoint Behavior, Data Storage/Access Anomalies, Compromised Account Detection, Inappropriate Resource Utilization, Anomalous Network Transmission
  Augmentation Modules: Directory Lookup, HRIS Information, DHCP Information, WHOIS Information, O/S Fingerprint Data, NMAP Assessments, Anti-Virus Information, Asset Information Data, Vulnerability Scan Data, Geo-Location Information, Entity Severity Information, Password Cracking Information, Network Monitoring Information, Firewall Configuration and Logs, IDS/IPS Configuration and Logs, Forward & Reverse DNS Resolution, Blacklist/Whitelist Reputational Data
  Also shown: Utility Modules, Action Modules, External System
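The cross-contextualization of slide 12 and the in-memory actor record of slide 15, as an added example that is not Click Security's code: events are keyed on the actor (username), a short per-actor context of recent authentications, flows and accesses is kept in memory, and a high-severity alert is raised only when several individually weak signals (unusual device, impossible travel from the "Dallas 30 minutes ago" login, a flow to a blacklisted address, access to a critical server) coincide for one actor. The blacklist entry, server name, device baseline, city coordinates and the event stream are all constructed placeholders.

```python
from collections import deque
from math import asin, cos, radians, sin, sqrt
# Constructed stand-ins for the deck's blacklist, geo-location and asset sources.
BLACKLISTED_IPS = {"203.0.113.7"}                           # TEST-NET-3, placeholder
CRITICAL_SERVERS = {"fin-db01"}                             # placeholder asset name
USUAL_DEVICES = {"alice": {"windows"}}                      # per-user device baseline
GEO = {"Dallas": (32.78, -96.80), "Kampala": (0.35, 32.58)}  # city -> (lat, lon)
MAX_KMH = 900   # faster than an airliner between two logins = impossible travel

def new_actor():  # slide 15's actor record: recent auths, flows, accesses in memory
    return {kind: deque(maxlen=50) for kind in ("auths", "flows", "accesses")}

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, a + b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def anomalies(user, ctx):
    """Cross-contextualize one actor's recent events into a set of weak signals."""
    auths, found = list(ctx["auths"]), set()
    if auths and auths[-1]["device"] not in USUAL_DEVICES.get(user, set()):
        found.add("unusual_device")
    if len(auths) >= 2:                          # the "Dallas 30 minutes ago" check
        prev, cur = auths[-2], auths[-1]
        hours = max((cur["ts"] - prev["ts"]) / 3600, 1 / 3600)
        if km_between(GEO[prev["city"]], GEO[cur["city"]]) / hours > MAX_KMH:
            found.add("impossible_travel")
    if any(f["dst_ip"] in BLACKLISTED_IPS for f in ctx["flows"]):
        found.add("blacklisted_flow")
    if any(a["server"] in CRITICAL_SERVERS for a in ctx["accesses"]):
        found.add("critical_server_access")
    return found

def run_analytic(events, threshold=3):
    """Consume events in arrival order; alert once per actor per distinct signal set."""
    actors, alerts = {}, {}
    for ev in events:
        ctx = actors.setdefault(ev["user"], new_actor())
        ctx[ev["kind"]].append(ev)                # kind is auths, flows or accesses
        signals = frozenset(anomalies(ev["user"], ctx))
        if len(signals) >= threshold:             # several weak signals, one actor
            alerts.setdefault((ev["user"], signals), ev)  # first occurrence only
    return list(alerts)
SAMPLE = [  # constructed stream for the slide-12 scenario, one weak signal per event
    {"kind": "auths", "user": "alice", "ts": 0, "city": "Dallas", "device": "windows"},
    {"kind": "auths", "user": "alice", "ts": 1800, "city": "Kampala", "device": "android"},
    {"kind": "flows", "user": "alice", "dst_ip": "203.0.113.7"},
    {"kind": "accesses", "user": "alice", "server": "fin-db01"},
]
```

Run `run_analytic(SAMPLE)`: the first two events alone produce no alert, the blacklisted flow tips the actor over the threshold, and the critical-server access raises a second, larger composite.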

  16. Different Strokes…
  • SIEM (RDBMS): SERIAL query analytic, crunch time hours to days. Good for: Compliance Mgmt (limited data volume processing, simple alerting)
  • Batch Query Analytics (Distributed Map Reduce): SERIAL query analytic, crunch time minutes. Good for: Forensic Analysis (large data volume processing, but not large # analytics)
  • RtSA (Stream Processing Engine): PARALLEL query analytic, crunch time seconds. Good for: Real-time Analytics (large data volume processing, AND large # concurrent analytics)
  (architecture diagram; labels: Data Storage, Processor, Memory, Data in Memory)

  17. Example Analytics Application: RtSA Tracker
  • Actor Prioritization: automated histogram of high-anomaly actors
  • Actor Fanout: automated fan-out of actor connectivity

  18. RtSA Tracker Workbook: Blacklisted Actors by Country
  • Actor Location: 43 blacklisted actors by country of origin
  • Actor Activity: blacklisted actors are email servers receiving transmissions from a handful of systems on a protected network
  • Actor Relationships: selected actors (Germany, Bahamas, and US) relationships by status and communications
  • Miners ingest 100,000+ events into “human usable” tables
  • Interpreters apply Click Labs’ application and protocol knowledge to the data
  • Analyzers automatically contextualize event, flow, authentication, access and augmentation data to 12,000+ actors
  • RtSA Tracker’s Blacklist Workbook brings visual acuity to 43 blacklisted Actors

  19. RtSA Tracker Workbook: Total Critical: Top 25 Actors by Critical Event Count
  • Actor is an internal system with a reserved IP address (blue)
  • Actor is attacking an internal (blue) web server with a variety of HTTP-based attacks, including buffer overflows and SQL injection
  • Actor is sending malicious Java to an internal web server
  • Victim of the HTTP attacks has initiated HTTPS connections with four external systems (the rightmost fan-out pattern); three in the US (gray), one in Europe (pink)
  • Attacker is logged in, anonymously, to an FTP server – and is actively transferring data. The blue (internal) node top left also anonymously logged into the same FTP server.
  • The gold-colored node is from Asia – actor’s IP address is dynamically assigned from China’s hinet.net, a broadband ISP – and a well-known haven for hackers and phishing activity

  20. RtSA Workflow
  (workflow diagram; labels: External Triggers, Lockdown Action, Interactive Reporting, Confident, Looking for Something…, Needs Investigation, Found Something!, Dynamic Workbooks, Click Modules, Real-time Stream Processing, Real-time Investigation, Understood & Actionable, New Module Authoring, Batch Process Investigation)

  21. Market Evolution
  (evolution diagram; labels: Real-time Security Analytics, Big Data Analytics, Batch Query Analytics, Big Data Search, SIEM, Compliance Reporting, Log Management, Forensic Archive)

  22. RtSA Solution Benefits
  • Find and Stop Attack Activity – Early in the Kill Chain
    • Actor-tracking contextualizes big data into prioritized, in-depth security visibility - automatically
  • Speed & Simplify Analysis / Incident Response Process
    • Dynamic Workbooks provide real-time visualization, interactive data analysis, and immediate results encoding
  • Modular Analytics Evolve with Changing Threat Landscape
    • Click Labs continually adds new Workbooks and Click Modules
    • Analysts can quickly and easily create their own
  • Leverage Existing Information and Enforcement Infrastructure
    • No rip and replace. Utilize existing data sources and enforcement points.

  23. REAL-TIME SECURITY ANALYTICS: AUTOMATED INVESTIGATION | AUTOMATED LOCKDOWN
