
Identifying a Cyber Security Platform that will maximize your investment for years to come. - Seceon

Chandra is an expert in data center architecture and highly scalable network solutions and a proven business leader with more than twenty years of experience developing and marketing innovative technology solutions. Before founding Seceon in 2014, Chandra was General Manager and Vice President of Platform Solutions at BTI Systems.





Presentation Transcript


  1. Identifying a Cyber Security Platform that will maximize your investment for years to come.

  2. Breaking down a successful cyber-attack in its simplest form: threat actors use computers as they were designed, which is to perform hundreds of millions of operations per second based on dark but creative instructions. Ok, so somewhere on the internet there's gotta be a disgruntled Microsoft employee, right? Armed with an idea, like targeting disgruntled employees, hackers are able to use a combination of training videos, open source tools and high speed internet to harvest a username and an entry point into the target network, by scraping the internet looking for their desired human behavior in the form of text. Asking the average computer to scan through an entire website looking for a particular pattern can be done in minutes on any device, including a smartphone, with one line of code, like this one: cewl -e --email_file emaillist.txt https://yourcompanieswebsite.com/. A web forum where someone is using all caps or following sentences with more than one exclamation point? Disgruntled user identified! The username found on one forum might allow a threat actor to pivot to additional threat vectors such as email addresses, Facebook or LinkedIn accounts. We all use similar usernames across web services, right? Additional behaviors about the target can be profiled by the threat actor, inducing more dark but creative potential exploits which focus on harvesting more potential entry points. Next, befriend this user across multiple platforms and learn about them and how they communicate to peers. Ask them through a private message for the credentials needed in a way that doesn't raise suspicion. Access to target network achieved. Human vulnerabilities can be turned into real vulnerabilities, and we all know humans are an unpredictable species; therefore the attack surface of the human psyche is limitless. This is how cyber threat actors continue to demonstrate they can execute successful cyber-attacks seemingly everywhere, including attacks against large organizations, like Microsoft, who leverage the most advanced cyber security defense systems.

  3. Cyber Security Artifacts – Artifacts are tracks that get left behind. When looking from afar at the details of new cyber threats, the most important question to ask is: how did the analysts obtain this artifact? Action movie lovers, like myself, imagine a tactical situation where a "high speed" S.W.A.T. team enters the hacker's location from the roof using ropes and helicopters before smashing through windows and arresting the hacker. While under an intense interrogation the hacker eventually spills their secrets and shows agents the source code. All vulnerabilities are solved this way, right? Joking aside, the answer is far less action packed. The most basic networks, including home networks, are littered with millions of artifacts, or little digital footprints, found inside each device. Analysts obtain details about attacks by logging into devices, pulling artifacts and eventually solving the puzzle by recreating the story through correlating artifacts from different devices.

     Cyber Security Compliance – Based on my experience, artifact collection is driven by cyber security compliance. Cyber security compliance involves meeting various controls, usually enacted by a regulatory authority, law, or industry group, to protect the confidentiality, integrity, and availability of data. The number of controls that need to be met varies by industry, and the number of controls increases based on the sensitivity of the data they intend to protect. The enforcement of asset identification and the subsequent storage of asset artifacts in the form of system logs and events are common controls penetrating compliance standards across many industries. Both control requirements work together by getting organizations, through process, to identify and document all their assets and then ensuring asset artifacts are saved to a Security Information and Event Management system, or SIEM for short. Yes, even that dusty old networked printer no one uses needs to push its device logs to the SIEM. To summarize, the goal of the combined controls is to push

  4. organizations to collect and store as many artifacts from as many devices as possible, so when an incident occurs analysts have the best chance to identify the breach.

     Incident Response and Behavior Modeling – Incident Response (IR) is a set of information security policies and procedures that identify, contain and eliminate cyberattacks. A good IR plan typically includes notifying authorities when a novel incident is suspected. Organizations like the Federal Bureau of Investigation (F.B.I.) dispatch forensic analysts who immediately obtain access to an organization's SIEM dataset and begin identifying interesting artifacts. Interesting artifacts are buried next to billions of ordinary ones but include firewall connection logs, IPs connected to apps, Endpoint Detection and Response (EDR) events and user account activity. Combining interesting artifacts from each device eventually leads analysts to identifying Indicators of Compromise (IoC). Flash Number: CU-000163-MW, Ragnar Locker Ransomware Indicators of Compromise, is a recent example of the analysts' work in the field. Mined IoCs from the field are shared digitally with a multinational community of cyber warriors. Sharing includes documenting behavioral models of novel attacks in knowledge bases like MITRE ATT&CK and then building and uploading a STIX 2.0 statement to the community, which can be downloaded and used by cyber security defense platforms.

     Choosing a Cyber Security Platform that will maximize your investment for years to come – A platform that will perform the best and provide the most value for years to come will act like a virtual field analyst working at the speed of a computer, parsing streams of device artifacts. It will ingest artifacts from apps, network devices and cloud sources from any location into its own SIEM dataset, effectively centralizing intelligence inside an open architecture. It will work with existing and new

  5. security layers, not in place of them. Like an analyst, it will correlate artifacts from perimeter security infrastructure and other security telemetry. It will be aware of the most current threat intelligence data by regularly retrieving STIX 2.0 statements and will scan each artifact coming into the system looking for a detail that matches something bad. The platform should push its SIEM dataset through an embedded Machine Learning system so known behaviors about the technology environment can be understood. Artificial Intelligence (AI), a tool most threat actors cannot utilize, should be used to identify and report suspicious or anomalous behavior. AI should build stories referencing industry standards like the Mitre ATT&CK Framework, to be presented to human analysts when a string of malicious actions is identified in the network. As AI improves it will simply be pushed as a future system update. The end result should be a platform that can consistently identify any creative dark exploits launched by threat actors. A creative dark exploit like: finding disgruntled employee accounts that are logging into the network for the first time, outside of their normal business hours, from another continent and from an IP address that's currently flagged by an intelligence agency.

     Conclusion – The platform classification as described is typically referred to as Extended Detection & Response (xDR), not to be confused with Endpoint Detection and Response (EDR). Confusing naming convention aside, further diligence around the platform's log retention period is needed when an xDR platform is identified. Most xDR platforms have a non-compliant artifact retention period around their embedded SIEM datasets. The shortened period is because there are performance challenges with ML and AI when they are asked to look beyond 3 months' worth of data, so many platforms are parsing artifact data well short of the regulatory data retention periods. So, while these xDR platforms are affordable, a traditional SIEM solution would also need to be implemented to meet regulatory data retention periods. Thankfully some xDR vendors can extend log retention out to 7 years and therefore become truly comprehensive next gen.
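The two platform behaviors slides 4 and 5 describe, retrieving STIX 2.0 indicators and correlating user-account artifacts against them and against the account's own baseline, can be shown end to end in a few dozen lines. The Python below is an added example written for this page; it is not Seceon's code and does not represent how their platform works. It assumes a STIX 2.0 bundle whose indicator patterns use only the `[ipv4-addr:value = '...']` comparison (real feeds use a richer pattern language), a constructed stream of login events with a pre-resolved continent field, a constructed 13:00–21:59 UTC business-hours window, and a constructed home continent of "NA". The slide's scenario has all four conditions coincide; this version raises a finding whenever two or more coincide so weaker combinations also surface for an analyst, and tags each finding with the ATT&CK technique for valid-account abuse (T1078).

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.0 bundle (sample data, not a real intelligence feed). The
# addresses come from the RFC 5737 documentation ranges, so none is a real host.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.77']",
         "pattern_type": "stix", "valid_from": "2021-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[ipv4-addr:value = '198.51.100.9'] OR [ipv4-addr:value = '198.51.100.10']",
         "pattern_type": "stix", "valid_from": "2021-01-01T00:00:00Z"},
        # A non-indicator object, present to show that only indicators are consulted.
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "constructed-sample", "is_family": False},
    ],
})

# Only the simple ipv4-addr comparison is handled here (an assumption of this example).
IPV4_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([0-9.]+)'")


def flagged_ips_from_stix(bundle_json: str) -> set:
    """Collect every IPv4 address named in an indicator pattern of a STIX 2.0 bundle."""
    bundle = json.loads(bundle_json)
    ips = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        ips.update(IPV4_PATTERN.findall(obj.get("pattern", "")))
    return ips


# Constructed authentication events in time order (not real logs): the kind of
# user-account artifact the slides say an analyst would pull out of a SIEM.
AUTH_EVENTS = [
    {"ts": "2021-03-01T14:05:00Z", "user": "jdoe",   "src_ip": "192.0.2.10",   "continent": "NA", "result": "success"},
    {"ts": "2021-03-02T15:12:00Z", "user": "jdoe",   "src_ip": "192.0.2.11",   "continent": "NA", "result": "success"},
    {"ts": "2021-03-03T03:41:00Z", "user": "jdoe",   "src_ip": "203.0.113.77", "continent": "AS", "result": "success"},
    {"ts": "2021-03-03T03:50:00Z", "user": "asmith", "src_ip": "203.0.113.77", "continent": "AS", "result": "success"},
    {"ts": "2021-03-03T09:30:00Z", "user": "bkim",   "src_ip": "198.51.100.9", "continent": "NA", "result": "failure"},
]

BUSINESS_HOURS_UTC = range(13, 22)  # constructed: 13:00-21:59 UTC, roughly a US East Coast workday
HOME_CONTINENT = "NA"               # constructed: where this organisation's staff normally log in from


def score_login_events(events, flagged_ips):
    """Return one finding per successful login that trips at least two of the four
    conditions: first-ever login for the account, outside business hours, from a
    continent never seen for that account, and from a threat-intel-flagged IP."""
    seen_continents = {}  # user -> set of continents from earlier successful logins
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue  # failed attempts are kept out of the baseline and not scored here
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        history = seen_continents.get(ev["user"])
        reasons = []
        if history is None:
            reasons.append("first login for account")
        if ts.hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside business hours")
        if ev["continent"] != HOME_CONTINENT and (history is None or ev["continent"] not in history):
            reasons.append("new continent")
        if ev["src_ip"] in flagged_ips:
            reasons.append("source IP on threat-intel feed")
        if len(reasons) >= 2:
            findings.append({"user": ev["user"], "ts": ev["ts"], "src_ip": ev["src_ip"],
                             "reasons": reasons, "attack": "T1078 Valid Accounts"})
        # Update the baseline only after scoring, so a login is judged against prior history.
        seen_continents.setdefault(ev["user"], set()).add(ev["continent"])
    return findings


if __name__ == "__main__":
    intel = flagged_ips_from_stix(STIX_BUNDLE)
    for finding in score_login_events(AUTH_EVENTS, intel):
        print(json.dumps(finding))
```

Run as-is, the script reports two findings: jdoe's third login (outside hours, new continent, flagged IP) and asmith's first login (all four conditions). The baseline is built only from successful logins seen earlier in the stream, which is why the ordering step matters; a production rule would seed that baseline from the retained SIEM history the slides discuss rather than from the live stream alone.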

  6. Randy Blasik, VP Technology Solutions. Randy is a veteran of more than 20 years in the fields of technology development, technology support and cyber security. Prior to Seceon, Randy has spent the last 7 years working as the Chief Technology Officer where he played a key role in building the business into a nationally recognized Managed Services Provider. Randy has also held key technology focused roles in small, mid and large market firms dating back to the year 2000. At Seceon Randy provides seasoned leadership, oversees Technology Solutions and is using his wide range of experience to drive both internal and external successes. Contact Us: Address - 238 Littleton Road, Suite #206, Westford, MA 01886, USA. Phone Number - +1 (978)-923-0040. Email Id - sales@seceon.com, info@seceon.com. Website - https://www.seceon.com/
