
Addressing the Unknown Known The Case For Cyberforensics






Presentation Transcript


  1. Addressing the Unknown Known: The Case For Cyberforensics
Anthony Di Bello, Product Manager, Compliance & Cybersecurity Solutions

  2. Data is an Organization's Lifeblood
Company data is the epicenter of risk:
• Intellectual Property
• Business Intelligence
• Customer Data
• Business Unit Data (Human Resources, Financial, Sales)

  3. Recent High Profile Threats Highlight Ongoing Vulnerability of Our Data
• Zeus3 Trojan (Financial Gain)
  • Targets financial institutions via web-based attack
  • Uses polymorphic JavaScript for distribution
• Stuxnet (Industrial Espionage)
  • Highly targeted, single-purpose malware
  • Designed to have a real-world effect
  • Rootkit designed for PLCs

  4. Recent High Profile Threats Highlight Ongoing Vulnerability of Our Data
• Operation Aurora (IP Theft)
  • Affected Google, Adobe, Intel, and others
  • Multi-phase (persistent and long-term) to penetrate deep into the enterprise
• Conficker Worm (Botnet)
  • Polymorphic, covert, and used self-defense mechanisms
  • Multiple infection vectors and propagation methods
  • Accounts for 6% of total infections in the world as of Q3 2010

  5. Layered Security and Defense-in-depth are Effective — But Not 100%
• Firewalls rated most effective… at 86%
• DLP near the bottom, rated 38% effective
• Multiple technologies must be layered for effective security
[Chart: Security Gap vs. Effectiveness (somewhat effective or better), by technology]
*Source: 2010 Cybersecurity Watch Survey

  6. On a Normal Day, Fortune 1000 Companies Get Hit by up to 1M Events
How effective is your security? Successful breaches each day:
• 80% effective? 200,000 successful breaches
• 90% effective? 100,000 successful breaches
• 99% effective? 10,000 successful breaches

  7. You Must Be Ready for Anything…
“The CISO's job has mostly been about governance, risk, compliance, and some operational aspects. It was sometimes associated with incident response. Now it's becoming more [associated] with incident response and will be into the future.”
— Gary Terrell, CISO, Adobe, and Bay Area CSO Council, as quoted in CIO.com after Operation Aurora
“As western companies take a hard look at their security postures, forensics may become key to survival.”
— Robert McMillan, CIO Magazine, 3/17/2010, “Forensics Tools Help Companies Investigate Intrusions Remotely”

  8. Why Risk Compromising Your Data? New Capabilities are Required to Deal with New Threats
• System integrity assessments: expose system integrity issues caused by anomalous or unknown threats
• Network-enabled incident response: cyberforensic triage, analysis, and remediation of static and volatile data
• Data policy enforcement: identify and wipe sensitive data (PII/IP/PCI) from unauthorized endpoints

  9. System Integrity Assessment: How do you address the unknown known?
• Integrity assessments capture running processes, even hidden, zero-day or otherwise obfuscated processes
• Multiple OS in the same environment
• All networked endpoints in hours instead of days!
• Regularly compare against a trusted baseline
• Analyze the resulting set of unknown processes
• Expose unknown malware without a signature
• Identify unapproved processes or malware
• Update baseline(s)

  10. System Integrity Assessment: How It Works
Regularly scheduled, rapid scans for anomalies across a range of endpoints:
• Running processes are gathered from network endpoints at lightning speed…
• …and are then compared to the appropriate customer-defined profiles…
• …culled down further if need be by comparison to a whitelist…
• …leaving a small set of high-priority binaries for forensic analysis.
Good processes can be added to the trusted profile(s). Unapproved processes can be remediated.

  11. System Integrity Assessment: How do You Expose the Unknown?
• Assess: Scan endpoints against baselines to expose unknowns
• Detect: Unknowns become events
• Secure: Restore systems to baseline through remediation, update baseline(s)
• Respond: Analyze unknowns, identify malware or unapproved processes
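The baseline comparison that slides 9 to 11 describe (gather running processes, compare to a customer profile, cull by whitelist, leave a short list for analysis) as an added example in Python; this is illustrative code written for this page, not the vendor's product, and the endpoint inventories, profile and hash labels are constructed sample data.

```python
from collections import Counter

# Constructed per-endpoint inventory of running processes: {path: hash of binary}.
# Short labels stand in for real SHA-256 digests.
ENDPOINTS = {
    "ws-001": {r"C:\Windows\System32\svchost.exe": "sha-svchost-ok",
               r"C:\Windows\explorer.exe": "sha-explorer-ok",
               r"C:\Program Files\7-Zip\7zFM.exe": "sha-7zip"},
    "ws-002": {r"C:\Windows\System32\svchost.exe": "sha-svchost-ok",
               r"C:\Windows\explorer.exe": "sha-explorer-ok",
               r"C:\Users\bob\AppData\Local\Temp\upd.exe": "sha-upd"},
    "ws-003": {r"C:\Windows\System32\svchost.exe": "sha-svchost-TAMPERED",
               r"C:\Windows\explorer.exe": "sha-explorer-ok",
               r"C:\Users\ann\AppData\Local\Temp\upd.exe": "sha-upd"},
}
# Trusted profile for this endpoint class: expected path -> expected hash.
PROFILE = {r"C:\Windows\System32\svchost.exe": "sha-svchost-ok",
           r"C:\Windows\explorer.exe": "sha-explorer-ok"}
# Whitelist of vetted binaries acceptable on any endpoint, keyed by hash.
WHITELIST = {"sha-7zip"}

def assess(endpoints, profile, whitelist):
    """Cull each inventory against the profile, then the whitelist.
    Returns {host: {path: (hash, reason)}} for what survives. reason is
    'modified-baseline' when a profiled path runs with an unexpected hash
    (a trojaned or replaced system binary) and 'unknown' otherwise."""
    findings = {}
    for host, procs in endpoints.items():
        left = {}
        for path, digest in procs.items():
            if profile.get(path) == digest or digest in whitelist:
                continue                      # explained by baseline or whitelist
            reason = "modified-baseline" if path in profile else "unknown"
            left[path] = (digest, reason)
        if left:
            findings[host] = left
    return findings

def prioritize(findings):
    """Order surviving hashes for analyst attention: modified baseline binaries
    first, then by rarity (a hash seen on few hosts outranks a widespread one)."""
    seen, modified = Counter(), set()
    for procs in findings.values():
        for digest, reason in set(procs.values()):
            seen[digest] += 1
            if reason == "modified-baseline":
                modified.add(digest)
    return sorted(seen, key=lambda d: (d not in modified, seen[d], d))

if __name__ == "__main__":
    found = assess(ENDPOINTS, PROFILE, WHITELIST)
    for digest in prioritize(found):
        print(digest, "on", [h for h, p in found.items() if digest in {d for d, _ in p.values()}])
```

Adding a vetted hash to WHITELIST or a new path to PROFILE is the "update baseline(s)" step; the next run then no longer reports it.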

  12. Network-enabled Incident Response
• You’ve been compromised — now what? Your data is leaving the building…
• Is the threat internal or external?
• Inadvertent or malicious?
• Was there malware involved?
• Where was it?
• Where is it now?
• What’s it look like?
• Find it, where it went, what it morphed to, and remediate it.

  13. Network-enabled Incident Response: How It Works
You’ve Been Compromised! An alert can be received from a SIEM or other alerting source, and data is collected from potentially affected machines for analysis…
• …which is then compared to the appropriate customer-defined system profiles…
• …culled down further if need be by comparison to a whitelist…
• …leaving a small set of high-priority binaries for forensic analysis.
• The resulting set is analyzed against potentially relevant running processes.
• The resulting confirmed malware is used as a basis for exact and near-match scans in order to locate and remove the threat network-wide. This is where Entropy takes charge…

  14. Network-enabled Incident Response: Using Entropy to Detect Advanced Threats
• Which binaries are most similar to the suspected malware?
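The exact and near-match scan of slides 13 and 14, as an added Python example that is not the deck's or the vendor's code: exact matches are found by SHA-256, and near matches by comparing per-block Shannon entropy profiles, which survive repacking or re-encryption of the payload because the layout of low- and high-entropy regions stays the same. The sample "binaries" are constructed from a text stub plus hash-derived blocks, and the 0.5 bits-per-byte threshold is an assumption for this data.

```python
import hashlib
import math

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(data: bytes, block: int = 256) -> list:
    """Per-block entropy: a coarse layout fingerprint (packed or encrypted
    regions score near 8, plain code and text markedly lower)."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def profile_distance(a: list, b: list) -> float:
    """Mean absolute difference of two profiles, zero-padded to equal length."""
    n = max(len(a), len(b))
    a, b = a + [0.0] * (n - len(a)), b + [0.0] * (n - len(b))
    return sum(abs(x - y) for x, y in zip(a, b)) / n

def scan(known_malware: bytes, candidates: dict, near: float = 0.5):
    """Exact matches by SHA-256, near matches by entropy-profile distance.
    Returns (exact_names, [(name, distance)] sorted closest first)."""
    ref_hash = hashlib.sha256(known_malware).hexdigest()
    ref_prof = entropy_profile(known_malware)
    exact, nearby = [], []
    for name, blob in candidates.items():
        if hashlib.sha256(blob).hexdigest() == ref_hash:
            exact.append(name)
            continue
        d = profile_distance(ref_prof, entropy_profile(blob))
        if d <= near:
            nearby.append((name, round(d, 3)))
    return exact, sorted(nearby, key=lambda t: t[1])

# Constructed samples (not real malware): a low-entropy text stub followed by
# high-entropy "packed" blocks built from SHA-256 output.
def _packed(seed: bytes) -> bytes:
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(8))

STUB = (b"MZ header stub with plain readable text " * 8)[:256]
SAMPLES = {
    "confirmed.exe": STUB + _packed(b"a") + _packed(b"b"),
    "copy.exe":      STUB + _packed(b"a") + _packed(b"b"),  # byte-identical: exact hit
    "variant.exe":   STUB + _packed(b"x") + _packed(b"y"),  # repacked: same layout
    "notepad.exe":   STUB * 3,                              # unrelated, all low entropy
}
```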

  15. Network-enabled Incident Response: You’ve Been Compromised — Now What?
• Expose: Cyberforensics quickly reveal suspicious activity or mutating software on any system on the network
• Triage: Understand the extent of the compromise or capabilities of malware; zero in on the biggest threats
• Recover: Remediate systems by deleting all malicious or inappropriate code and by remediating associated registry entries, files, and processes
• Contain: Remotely collect malware and relevant data, capturing the crucial malware and artifacts to determine remediation steps

  16. Data Risk and Compliance Assessment
• Do you have complete visibility into sensitive data at the endpoint? Unallocated space, file slack, deleted files, etc.
• Can you immediately determine if potentially compromised machines contain sensitive data?
• Do you plan to implement endpoint DLP? Cyberforensic technology provides an alternative that will not necessitate burdensome new agent deployments.
• How do you remediate risk and enforce policies?

  17. Data Risk and Compliance Assessment: Data Remediation & Policy Enforcement
Policies are only as good as enforcement methods:
• Ongoing risk assessments for sensitive data stored on endpoints
• Configurable for specific data formats (e.g., account numbers)
• Light passive service as opposed to a heavy and active agent
• Forensic-grade disk-level visibility and validation
• Risk mitigation and policy enforcement through remediation

  18. Data Risk and Compliance Assessment: How do You Ensure Sensitive Data is Kept in Check?
• Define: Create search criteria for relevant sensitive data
• Identify: Automatically search systems for sensitive data
• Enforce: Collect and/or wipe sensitive data from unauthorized locations
• Assess: Map data found to data policies
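The "Define" and "Identify" steps of slides 16 to 18 for one configurable format (account numbers), as an added Python example that is not the deck's or the vendor's code. Scanning the raw bytes of an image rather than the filesystem is what gives disk-level visibility into unallocated space, slack and deleted files; the Luhn check trims false positives from other 16-digit runs. The "disk image", its regions and the test numbers are constructed.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: discards 16-digit runs that are not card-shaped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 16 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){15}(?!\d)")

def find_card_numbers(image: bytes, regions: list) -> list:
    """Scan a raw image byte for byte (no filesystem parsing), so bytes in
    unallocated space, slack and deleted files are seen as well as live files.
    regions: [(start, end, label)]. Returns [(offset, label, masked_number)]."""
    hits = []
    for m in CARD_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if not luhn_ok(digits):
            continue                          # e.g. reference numbers, serials
        label = next((lab for s, e, lab in regions if s <= m.start() < e), "unknown")
        hits.append((m.start(), label, "*" * 12 + digits[-4:]))   # never log the full PAN
    return hits

# Constructed 768-byte "disk image": one allocated record, one deleted file whose
# bytes remain in unallocated space, then free space. Numbers are standard test values.
ALLOC = b"customer.txt: name=Ann; card=4111-1111-1111-1111; ref=1234567890123456\n"
DELETED = b"old_export.csv: 5500 0000 0000 0004, Bob\n"
IMAGE = ALLOC.ljust(256, b"\x00") + DELETED.ljust(256, b"\x00") + bytes(256)
REGIONS = [(0, 256, "allocated"), (256, 512, "unallocated"), (512, 768, "free")]

if __name__ == "__main__":
    for offset, label, masked in find_card_numbers(IMAGE, REGIONS):
        print(f"offset {offset:5d}  {label:12s} {masked}")
```

Mapping each hit's region label to a policy (allowed in the customer database, not allowed in a deleted export on a workstation) is the "Assess" step; the hit offsets are what a wipe of the unauthorized copy would target.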

  19. Results: Cost, Time and Resource Reduction
• Early exposure of known unknown
• Rapid response
• Fewer required resources
• Rapid remediation
[Chart: scope of compromise against time/cost, before vs. after. Before: 1st instance of threat, saturation, detection, remediation. After: detection, 1st instance of threat, remediation. Bands shown: uncompromised endpoints, scope of compromise, resources.]

  20. Anthony Di Bello, Product Manager, Compliance & Cybersecurity Solutions
anthony.dibello@guidancesoftware.com
