200 likes | 319 Views
Addressing the Unknown Known The Case For Cyberforensics. Anthony Di Bello Product Manager, Compliance & Cybersecurity Solutions. Data is an Organizations Lifeblood. Intellectual Property. Business Intelligence. Company Data. Business Unit Data. Epicenter of Risk. Customer Data.
E N D
Addressing the Unknown Known The Case For Cyberforensics Anthony Di BelloProduct Manager, Compliance & Cybersecurity Solutions
Data is an Organizations Lifeblood Intellectual Property BusinessIntelligence Company Data Business Unit Data Epicenter of Risk Customer Data Human Resources Financial Sales
Recent High Profile Threats Highlight Ongoing Vulnerability of Our Data • Zeus3 Trojan (Financial Gain) • Targets financial institutions via web based attack • Uses polymorphic java script for distribution • Stuxnet (Industrial Espionage) • Highly targeted single purpose malware • Designed to have a real-world effect • Rootkit designed for PLCs
Recent High Profile Threats Highlight Ongoing Vulnerability of Our Data • Operation Aurora (IP Theft) • Affected Google, Adobe, Intel, and others • Multi-phase (persistent and long-term) to penetrate deep into enterprise • Conficker Worm (Botnet) • Polymorphic, covert and used self-defense mechanisms • Multiple infection vectors and propagation methods • Accounts for 6% of total infections in theworld as of q3’2010
Layered Security and Defense-in-depth are Effective — But Not 100% Firewalls rated most effective…at 86% DLP near the bottom, rated 38% effective Multiple technologies must be layered for effective security Security Gap Effectiveness (somewhat+) *Source: 2010 Cybersecurity Watch Survey
On a Normal Day, Fortune 1000 Companies Get Hit by up to 1M Events How effective is your security? 80%? 200,000 successful breaches 90%? 100,000 successful breaches each day 99%? 10,000 successful breaches
You Must Be Ready for Anything… “The CISO's job has mostly been about governance, risk, compliance, and some operational aspects. It was sometimes associated with incident response. Now it's becoming more [associated] with incident response and will be into the future.” — Gary Terrell, CISO, Adobe, and Bay Area CSO council, as quoted in CIO.com after Operation Aurora “As western companies take a hard look at their security postures, forensics may become key to survival.” — Robert McMillan, CIO Magazine, 3/17/2010, “Forensics Tools Help Companies Investigate Intrusions Remotely”
Why Risk Compromising Your Data? New Capabilities are Required to Deal with New Threats System integrity assessments • Expose system integrity issues caused by anomalous or unknown threats Network-enabled incident response • Cyberforensic triage, analysis, and remediation of static and volatile data Data policy enforcement • Identify and wipe sensitive data (PII/IP/PCI) from unauthorized endpoints
How do you address the unknown known? Integrity assessments capture running processes Even hidden, zero-day or otherwise obfuscated processes Multiple OS in same environment All networked endpoints in hours instead of days! Regularly compare against trusted baseline Analyze resulting set of unknown processes Expose unknown malware without a signature Identify unapproved process or malware Update baseline(s) System Integrity Assessment
System Integrity AssessmentHow It Works System Integrity AssessmentRegularly scheduled, rapid scans for anomalies across a range of endpoints Running processes are gathered from network endpoints at lightning speed …And are then compared to the appropriate customer defined profiles …culled down further if need be by comparison to a whitelist Good processes can be added to the trusted profile(s). Unapproved processes can be remediated. Leaving a small set of highpriority binaries for forensic analysis 1001 0101
System Integrity AssessmentHow do You Expose the Unknown? Assess: Scan endpoints against baselines to expose unknowns Detect: Unknowns become events Secure: Restore systems to baseline through remediation, update baseline(s) Respond: Analyze unknowns, identify malware or unapproved processes
Network-enabled Incident Response • You’ve been compromised — now what? Your data is leaving the building… • Is the threat internal or external? • Inadvertent or malicious? • Was there malware involved? • Where was it? • Where is it now? • What’s it look like? • Find it, where it went, what it morphed to, and remediate it.
Network-enabled Incident Response How it Works You’ve Been Compromised!An alert can be received from a SEIM or other altering source and data is collected from potentially affected machines for analysis… …Which are then compared to the appropriate customer defined system profiles …culled down further if need be by comparison to a whitelist The resulting set is analyzed against potentially relevant running processes The resulting confirmed malware is used as a basis for exact and near match scans in order to locate and remove the threat network-wide. This is where Entropy takes charge… Leaving a small set of highpriority binaries for forensic analysis 1001 0101
Network-enabled Incident ResponseUsing Entropy to Detect Advanced Threats • Which binaries are most similar to the suspected malware?
Network-enabled Incident ResponseYou’ve Been Compromised — Now What? Expose: Cyber forensics quickly reveal suspicious activity or mutating software on any system on the network Triage: Understand the extent of the compromise or capabilities of malware;zero in on biggest threats Recover: Remediate systems by deleting all malicious or inappropriate code and by remediating associated registry entries, files, and processes Contain: Remotely collect malware and relevant data, capturing the crucial malware and artifacts to determine remediation steps
Data Risk and Compliance Assessment Do you have complete visibility into sensitive data at the endpoint? Unallocated, file slack, deleted etc. Can you immediately determine if potentially compromised machines contain sensitive data? Do you plan to implement endpoint DLP? Cyberforensic technology provides an alternative that will not necessitate burdensome new agent deployments How do you remediate risk & enforce policies?
Policies are only as good as enforcement methods Ongoing risk assessments for sensitive data stored on endpoints Configurable for specific data formats (e.g., account numbers) Light passive service as opposed to a heavy and active agent Forensic-grade disk level visibility and validation Risk mitigation and policy enforcement through remediation Data Risk and Compliance AssessmentData Remediation & Policy Enforcement
Data Risk and Compliance AssessmentHow do You Ensure Sensitive Data is Kept in Check? Define: Create search criteria for relevant sensitive data Identify: Automatically search systems for sensitive data Enforce: Collect and/or wipe sensitive data from unauthorized locations Assess: Map data found to data policies
ResultsCost, Time and Resource Reduction scope BEFORE 1st Instance of threat Saturation Detection Remediation Time/cost Uncompromised endpoints Scope of compromise Resources • Early exposure of known unknown • Rapid response • Fewer required resources • Rapid remediation scope AFTER Detection 1st Instanceof threat Remediation Time/cost
Anthony Di BelloProduct Manager, Compliance & Cybersecurity Solutionsanthony.dibello@guidancesoftware.com