Real-time Security Analytics (RtSA): Automating the Discovery, Understanding, and Action Against Advanced Security Threats
Neal Hartsell, Vice President Marketing
Typical Enterprise Network Today
Diagram labels: Cloud Services, Contractor, Web Proxy Server, Mobility, WAN F/W & IPS, DMZ F/W & IPS, EP, EP, Malicious Insider, BYOD, Consumerization of IT
Click Security Confidential
Are We Secure?
• IP theft to US Co's is $250B / year
• Global cybercrime is $114 billion…
• $388 billion when you factor in downtime… (Symantec*)
• $1 trillion spent globally on remediation (McAfee*)
Product categories shown: NAC, IAM, MDM, DLP, Secure Web Proxy, SIEM, UTM, Secure Email G/W, Endpoint Protection, MSSP, Firewall
We spent $25B on IT Security in 2012**
* http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-amount-greatest-transfer-wealth-history-070912
** http://www.slideshare.net/Pack22/it-security-market-overview-sept-12
What Happened?
Massive Network Attack Surface • Complex • Constant Flux • Social Media • Consumerization of IT • IP Device Explosion • Mobility • Cloud Computing
Your Defense: Signature-based Defenses (IPS, Anti-X, Firewall), between 50% and 5% effective
The Enemy: Intelligent, Stealthy, Relentless, Motivated, Numerous. "Based on some research by the U.S. intelligence, the total number of registered hackers in China is approaching 400,000." (Infosecisland.com)
Staff: $1B Revenue x 5% on IT x 10% on Security x 30% on Staff / $200K/Yr loaded = 7.5 Heads
Current Answer… Event Management + Forensics
2012 Verizon Data Breach Investigations Report: minutes – hours to execute a breach; days – months to discover.
Better Answer… Real-time Security Analytics
Catch This… Before This…
So Why Don't We Catch Things in Real Time?
Bar chart of survey responses: 39%, 35%, 29%, 29%, 28%, 28%, 28%, 23% (category labels not preserved in the extraction)
A Recent Financial Services Attack
• Actor accesses the network and begins operating from an internal system with a reserved IP address
• Actor attacks an internal web server with a variety of HTTP-based attacks, including buffer overflows and SQL injection
• Victim of the HTTP attacks initiates HTTPS connections with four more external systems
• Actor is sending malicious Java to an internal web server
• Attacker is logged in, anonymously, to an FTP server – and is actively transferring data (exfiltration)
• Actor's IP address is dynamically assigned from China's hinet.net, a broadband ISP – and a well-known haven for hackers and phishing activity
If This Happened to Your Company…
• Would you notice these alarms?
  • Remember, one F/W @ 15K EPS (events per second) = 1 Billion EPD (events per day)
• Would you recognize their importance?
  • High, Medium, Low severity?
• Would you know they were connected?
  • e.g., how many IP addresses are involved here?
• Would you see them in time to be proactive?
  • Or do you study them forensically?
• Do you even have staff to spend time on this?
  • Are they skilled, experienced & with time on their hands?
Why are Traditional Security Products Failing?
Attack-surface drivers: Social Networking, Cloud, Virtualization, BYODevice, IT Consumerization, Mobility
Attack progression: Relentless Jiggling of Doors, Spear Phishing, Compromised Credentials, Internal Beachheads, Covert Control and / or Exfiltration
• Too many holes to defend against a motivated attacker
• Not solvable with signature-based point-product solutions
• 286 million unique variations of malware – Symantec 2010
Click Security's Real-time Security Analytics
• Find anomalies in logs/alerts that point products miss
  • One product's log or alert can be (on its own) seemingly innocuous
  • But, pieced together with other actor information, it can be a strong indicator of compromise
• Get actionable intelligence around the logs and alerts that point products produce…
  • But, it takes you hours to days to determine if it is a false positive or false negative
• Get situational awareness of your network and its actors
  • Automatically and in real-time
RtSA automates the analysis, which cost-effectively reduces business risk from advanced malware and attackers by reducing "time-to-detect", "time-to-understand" & "time-to-act"
Real-time Security Analytics Defined…
• Event – "two nouns and a verb"
  • John logged in through the VPN
  • John's PC attacked server X (IDS)
  • John's machine was blocked by firewall on port X or app Y (Firewall)
• Analytic – "two nouns, a verb and some attribution (one or more adjectives)"
  • A piece of extra intelligence the system provides to an event or a group of events that enhances the context of an event
  • VPN user logged in from far location (simple context augmentation analytic)
  • Total # bytes from John's PC to server X exceeded Y bytes (statistical analytic)
  • John's PC is sending more traffic than in the past 30 days (behavior learning analytic)
• Security Analytic – "multiple analytics strung together (+ assessment + guidance)"
  • An alert generated by a higher-level analytic trigger when one or more analytics or events fire in a given time period or in a given sequence
  • EXAMPLE: Drive-by Download analytic fired, followed by a connection from the client to a blacklisted host within 1 minute of the download of the executable to the client
• Real-time Security Analytics Solution
  • Perform large numbers of Security Analytics – FAST and with high ACCURACY
Example Real-time Security Analytic
Normal alerts… if you actually notice them at all… let alone soon enough…
• "I see a user tied to an unusual device"
• "I see a flow to a blacklisted IP address"
• "I see an access from a strange location"
Real-time Security Analytic:
"I see a user coming into a critical server from an Android device in Uganda that also has a connection to a blacklisted IP address in China, and this same user logged in from Dallas 30 minutes ago…"
Collect, Cross-Contextualize and Examine for Anomalies in real-time across: Access Activity, Internet Threats, Vulnerability Assessment, Security Policy, Authentication Activity, Flow Activity, Application Activity, Enterprise Security Events, User Activity
More Examples…
• User connected to IP address with bad reputation
• Located in foreign countries or enemy networks
• Machine facilitating lateral movement
• Using many different IPs or usernames
• Extreme numbers of consecutive failed logins
• Using remote access protocols, such as SSH and RDP
• Communicating via non-standard protocols or ports
• Generating high event count or anomaly count
• Active at odd hours
• Participating in large data transfers or certain types of transfers
• Using suspicious HTTP user-agents, methods or URIs
• Generating large numbers of HTTP client or server errors
• Generating certain sequences / collections of IDS alerts
• Multiple systems acting in a coordinated fashion
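The event / analytic / security analytic layering from the "Defined" slide and the impossible-travel, blacklisted-flow and drive-by-download examples on the last three slides can be shown as a small stream-processing loop. The code below is an added illustration written for this page; it is not Click Security's engine or any of its module code. The location table, the blacklist, the thresholds (30-minute travel window, 60-second drive-by window, 1 MB volume threshold) and the event stream are all constructed for the example, and the addresses come from RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed context tables for this example (not real threat-intelligence data).
# Addresses use RFC 5737 documentation ranges; the prefix-to-location map is invented.
GEO_BY_PREFIX = {"10.": "Dallas", "192.0.2.": "Uganda", "198.51.100.": "China"}
BLACKLIST = {"198.51.100.7"}


@dataclass
class Event:
    """An event: 'two nouns and a verb' plus a timestamp (epoch seconds) and a byte count."""
    ts: int
    user: str
    src: str
    dst: str
    verb: str      # "login", "download_exe" or "connect"
    nbytes: int = 0


def geo(ip):
    """Context-augmentation analytic: attach a location to an IP via the constructed prefix table."""
    for prefix, location in GEO_BY_PREFIX.items():
        if ip.startswith(prefix):
            return location
    return "unknown"


class SecurityAnalytics:
    """Keeps short per-actor state and strings single-event analytics into security analytics."""

    def __init__(self, travel_window=1800, driveby_window=60, volume_threshold=1_000_000):
        self.travel_window = travel_window        # seconds: two logins from different places
        self.driveby_window = driveby_window      # seconds: download -> blacklisted connection
        self.volume_threshold = volume_threshold  # bytes: statistical analytic threshold
        self.logins = defaultdict(deque)          # user -> recent (ts, location)
        self.downloads = {}                       # client src -> ts of last executable download
        self.volume = defaultdict(int)            # client src -> running byte total
        self.alerts = []

    def ingest(self, ev):
        fired = []
        # Analytic 1: flow to an address with bad reputation (single event + context).
        if ev.dst in BLACKLIST:
            fired.append(("blacklisted_flow", ev.user, ev.src, ev.dst))
        # Analytic 2 (statistical): total bytes from a client crossed the threshold.
        before = self.volume[ev.src]
        self.volume[ev.src] = before + ev.nbytes
        if before < self.volume_threshold <= self.volume[ev.src]:
            fired.append(("volume_exceeded", ev.user, ev.src, self.volume[ev.src]))
        # Analytic 3 (across events): same user from two locations inside the travel window.
        if ev.verb == "login":
            location = geo(ev.src)
            recent = self.logins[ev.user]
            while recent and ev.ts - recent[0][0] > self.travel_window:
                recent.popleft()           # expire logins that fell out of the window
            for ts, prev in recent:
                if prev != location:
                    fired.append(("impossible_travel", ev.user, prev, location, ev.ts - ts))
                    break
            recent.append((ev.ts, location))
        # Analytic 4 (sequence): executable download, then a blacklisted connection within 60 s.
        if ev.verb == "download_exe":
            self.downloads[ev.src] = ev.ts
        elif ev.verb == "connect" and ev.dst in BLACKLIST:
            t0 = self.downloads.get(ev.src)
            if t0 is not None and 0 <= ev.ts - t0 <= self.driveby_window:
                fired.append(("drive_by_download", ev.user, ev.src, ev.dst, ev.ts - t0))
        self.alerts.extend(fired)
        return fired


def run_demo():
    """Replay a constructed event stream and return every alert that fired, in order."""
    engine = SecurityAnalytics()
    stream = [
        Event(0, "alice", "10.1.1.5", "10.9.9.1", "login"),                       # Dallas
        Event(600, "bob", "10.2.2.9", "203.0.113.4", "download_exe", nbytes=1_200_000),
        Event(630, "bob", "10.2.2.9", "198.51.100.7", "connect"),                 # 30 s later
        Event(1500, "alice", "192.0.2.10", "10.9.9.1", "login"),                  # Uganda, 25 min later
        Event(4000, "alice", "192.0.2.10", "10.9.9.1", "login"),                  # same place: no alert
    ]
    for ev in stream:
        engine.ingest(ev)
    return engine.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Each single-event analytic on its own is the "normal alert" the slide says nobody notices; the value is in the state carried between events (the login deque, the last-download timestamp, the running byte total), which is what lets the engine emit the stitched-together alert within seconds of the triggering event rather than after a forensic search.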
Real-Time Security Analytics (RtSA)
Three components are shown: Click Labs, Click Analytics, Click Platform. Capabilities listed across them:
• Programmable Real-time Analytics • Captured Intelligence • "Lego" building blocks
• Stream Processing Engine • Dynamic Visualizations • Interactive Workbooks • Highly Scalable
• Security Threat Expertise • Protocol / Application Savvy • Module Development • Customer Environment Assessment
RtSA in Use
Diagram labels: INVESTIGATE, ALERT, Click Labs Analytics Service, Dynamic Workbooks, Module Authoring, Dashboard, Click Analytics Stream Processing Engine, Real-time Stream Processing, Real-time Investigation, Lockdown, Batch Process Investigation
• System Health Monitoring
• Analytic Alert Monitoring
• Alert Investigation
• Ad-Hoc Anomaly Investigation
• Incident & Status Reporting
Real World Customer Example: Major Retailer, Monday May 13, 2013
Live Network & Security Telemetry → CLAS Click Analytics Stream Processing Engine → CLAS Incident Report
• General Findings
  • Systems from all over the world are logging into, or attempting to log in to, a specific SSH server at the customer
  • Server at xx.xx.xx.xx is under heavy attack, and a heavy majority of the attackers are sourcing from the area in and around Beijing, China
  • One Attacker: xx.xx.xx.xx
    • IP is located in China
    • Per the SANS Internet Storm Center, this IP has been reported as an attacker since 2010, with almost 50,000 targets and a commensurate number of incident reports
• Specific Findings
  • Beachhead appears to have been compromised. Patterns are consistent with successful logins from multiple remote hosts using a minimal number of attempts.
  • Beachhead has accessed 4 internal systems. These internal systems have unpatched vulnerabilities.
  • Next layer of fanout suggests as many as 70 systems involved.
• Conclusion
  • Appears to be a compromised server that is being used to move laterally inside the customer network
  • Significant potential for compromise and data leakage
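The three findings above (a heavily brute-forced SSH server, external hosts that get in with almost no failed attempts, and a beachhead fanning out to internal systems) map onto three checks over ordinary sshd authentication logs; the "extreme numbers of consecutive failed logins" and "machine facilitating lateral movement" items from the More Examples slide are the same signals. The code below is an added example for this page, not Click Security's analytics or the customer's data: the log lines are constructed, the hostnames (sshgw, app1, db1, app2) and the assumption that 10.0.0.50 is the gateway's internal address are invented, and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt (sample data for this example; addresses are RFC 5737 test ranges).
# "sshgw" plays the attacked SSH server; 10.0.0.50 is assumed to be its internal address.
AUTH_LOG = """\
May 13 03:14:01 sshgw sshd[2211]: Failed password for root from 198.51.100.23 port 40122 ssh2
May 13 03:14:03 sshgw sshd[2211]: Failed password for root from 198.51.100.23 port 40122 ssh2
May 13 03:14:05 sshgw sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 40124 ssh2
May 13 03:14:07 sshgw sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 40124 ssh2
May 13 03:14:09 sshgw sshd[2215]: Failed password for deploy from 198.51.100.23 port 40130 ssh2
May 13 03:14:11 sshgw sshd[2215]: Failed password for deploy from 198.51.100.23 port 40130 ssh2
May 13 03:14:13 sshgw sshd[2215]: Accepted password for deploy from 198.51.100.23 port 40130 ssh2
May 13 03:20:40 sshgw sshd[2290]: Accepted password for deploy from 203.0.113.9 port 51002 ssh2
May 13 03:31:15 sshgw sshd[2301]: Failed password for deploy from 192.0.2.77 port 33011 ssh2
May 13 03:31:18 sshgw sshd[2301]: Accepted password for deploy from 192.0.2.77 port 33011 ssh2
May 13 03:40:02 app1 sshd[811]: Accepted publickey for svc from 10.0.0.50 port 45001 ssh2
May 13 03:41:17 db1 sshd[922]: Accepted publickey for svc from 10.0.0.50 port 45010 ssh2
May 13 03:42:30 app2 sshd[640]: Accepted password for svc from 10.0.0.50 port 45020 ssh2
May 13 08:00:00 sshgw sshd[3100]: Accepted publickey for alice from 10.0.0.12 port 50010 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_auth_log(text):
    """Turn raw sshd lines into event dicts (ts, host, result, user, src); other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def brute_force_sources(records, threshold=5):
    """(server, source) pairs with at least `threshold` failed logins: the 'heavy attack' finding."""
    failures = defaultdict(int)
    for r in records:
        if r["result"] == "Failed":
            failures[(r["host"], r["src"])] += 1
    return {key: n for key, n in failures.items() if n >= threshold}


def low_effort_successes(records, internal_prefix="10.", max_prior_failures=1):
    """External sources accepted after at most `max_prior_failures` failures on that server.
    A login that succeeds almost immediately from a new remote host is the 'minimal number of
    attempts' pattern: the credential was already known, not guessed."""
    prior = defaultdict(int)
    hits = []
    for r in records:
        key = (r["host"], r["src"])
        if r["result"] == "Failed":
            prior[key] += 1
        elif not r["src"].startswith(internal_prefix) and prior[key] <= max_prior_failures:
            hits.append((r["host"], r["user"], r["src"], prior[key]))
    return hits


def fan_out(records, pivot_src):
    """Distinct servers that accepted a login from the suspected beachhead: the lateral-movement layer."""
    return sorted({r["host"] for r in records
                   if r["result"] == "Accepted" and r["src"] == pivot_src})


if __name__ == "__main__":
    recs = parse_auth_log(AUTH_LOG)
    print("brute force:", brute_force_sources(recs))
    print("low-effort external logins:", low_effort_successes(recs))
    print("beachhead fan-out:", fan_out(recs, "10.0.0.50"))
```

On its own, each check is one of the "normal alerts" the deck describes: a failed-login counter, a geolocated login, an internal SSH session. The incident reads as an incident only when the three are joined on the same server and the same source address, which is what the customer report above does by hand and what a streaming analytic is meant to do continuously.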
How We Are Different
• Real-time Security Analytics
  • Designed to automate the analyst
  • Real-time contextualization and automated, interactive analysis
  • Long windows of persistence
  • Large # of concurrent, multi-factor analytics
  • Integrates visibility, anomaly, and incident investigation across: Users / Devices; Servers / Apps / Flows; Files
• Map Reduced Fast Log Search
  • Designed to speed ad hoc queries of logs through distributed data store and indexing
  • Facilitates full historical query of log information
• Forensics
  • Designed for "Network DVR" post analysis
  • Deep "after the fact" analysis
  • Some real-time alerting
  • Simple analytics in nature
• Malware Protection
  • NGFW: good for application anomalies
  • Sandbox Investigation: good for identified malicious or anomalous 'file-ware' or communication channels
• SIEM
  • Designed for log management
  • Simple alerting
  • Short window of persistence
  • Requires PSO to tune
  • Good for compliance
REAL-TIME SECURITY ANALYTICS: AUTOMATE THE ANALYSIS