©2013 Lancope , Inc. All Rights Reserved
Internal Host Reputation
For Combating
Advanced Cyber Threats
Matthew McKinley
mmckinley@lancope.com
Agenda
• Background
– What is IP reputation?
– Why is it important?
– How is it used today?
• What is the Concern Index?
– Basic definition
– How it relates to reputation
• The two sides of IP reputation
– External
– Internal
• Combating Advanced Cyber Threats
– Internal Host Reputation as a function of the Concern Index
– The benefits of IHR
– How IHR can help with attacks that are not easily categorized
Background
• IP reputation is a measure of how trustworthy (or, more commonly, how untrustworthy) an IP address is
– Based on its association with spam, botnets, and other malicious activity
– Knowing the reputation of IP addresses tells administrators what to watch for, e.g. is someone on my network talking to a known botnet?
• Today, External Host Reputation is used for a variety of purposes, but mostly to identify when
– A known bad address has communicated with you, or
– Someone on your network has communicated with a known bad address
The Concern Index
• The Concern Index (CI) is a measure of, literally, how concerned one should be about a given host
– Concern Index points are accumulated based on:
Behavior, e.g. deviation from established norms, scanning activity, unusual communication patterns, etc.
Communication with particular outside hosts
Movement of unexpectedly large amounts of data
Communication with unexpected parts of the network, e.g. a desktop talking to a server in a PCI environment
– The CI is calculated network-wide, because NetFlow data provides visibility across the whole network rather than only at the perimeter
– The CI can be leveraged for actions such as alarming, trending, reporting and...
– You guessed it: Reputation!
The Concern Index
• Here is what the Concern Index looks like in use:
[screenshot of the Concern Index view; not reproduced here]
Reputation
• Now wait a minute, I already know what reputation is!
True. But there are two sides to the coin:
– External
– Internal
• External reputation is very useful, and many security pros make use of one of the many reputation services.
– This is good for knowing what to block, what to look out for, etc.
• The internal side is just as important, but harder to do.
– External services cannot see the interior of your network
– Even if they could, the understanding and visibility required would be complicated
• Hosts on the inside of the network misbehave, too:
– Data exfiltration
– Users hogging bandwidth
– Communication with command and control servers
– Attempted communication to forbidden parts of the network
Reputation
• Internal Host Reputation (IHR) is a more personal form of reputation service, one that is unique to your environment
– Issues can be spotted before they become problems
– Because of the integration with Cisco ISE (Identity Services Engine), users can be tied to IP addresses
– Reputation can extend to virtual hosts
– The events leading to a degraded reputation are easily accessible
Tying it all together
• What does the Concern Index have to do with Reputation?
– The CI is a measure of how "out-of-bounds" a host on the network has become
– As we've discussed, there can be many reasons for that
– The more CI points a host accumulates, the further its behavior has strayed from what is expected of it
• Dashboards are close friends of the Admin. The Reputation dashboard ranks hosts based on:
– Concern Index, with the worst offenders at the top
• Running a host snapshot for the top offender gives you an idea of:
– Its Reputation: how has this host been acting historically on my network?
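As an added illustration of the two preceding slides (this is not Lancope's code and not StealthWatch's actual scoring), the following Python script accumulates Concern-Index-style points over NetFlow-like records for the four kinds of signal the deck lists (scanning, talking to a known-bad outside host, unexpectedly large outbound data, and a desktop reaching into a PCI segment), then orders hosts the way the Reputation dashboard does, worst offender first. The address ranges, the blocklist entry, the point values and thresholds, and the sample flows are all constructed for this example.

```python
"""Concern-Index-style scoring over NetFlow-like records (illustrative).

Added example: this is NOT Lancope's algorithm. Point values, thresholds,
address ranges, the blocklist and the sample flows are all made up.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (not from the slides).
INTERNAL = ip_network("10.0.0.0/8")
DESKTOPS = ip_network("10.10.0.0/16")       # end-user segment
PCI_SEGMENT = ip_network("10.50.0.0/16")    # desktops should never talk here
KNOWN_BAD = {"203.0.113.7"}                 # toy external reputation list

# Arbitrary point values, one per event; events accumulate per host.
POINTS = {"scan": 5, "known_bad": 50, "large_transfer": 30, "pci_violation": 40}
SCAN_MIN_TARGETS = 20                 # distinct (dst, dport) pairs from one source
LARGE_TRANSFER_BYTES = 500 * 2**20    # outbound bytes from one source


def score_hosts(flows):
    """Return {internal_src: {"total": int, "events": [(kind, detail)]}}.

    Each flow is a dict with keys src, dst, dport, bytes (constructed format,
    roughly the fields a NetFlow v5/v9 record carries).
    """
    targets = defaultdict(set)     # src -> {(dst, dport)}  (scan detection)
    out_bytes = defaultdict(int)   # src -> bytes sent to non-internal hosts
    events = defaultdict(list)

    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src not in INTERNAL:
            continue               # only internal hosts get a Concern Index here
        host = f["src"]
        targets[host].add((f["dst"], f["dport"]))
        if dst not in INTERNAL:
            out_bytes[host] += f["bytes"]
            if f["dst"] in KNOWN_BAD:          # communication with a known-bad outside host
                events[host].append(("known_bad", f["dst"]))
        elif src in DESKTOPS and dst in PCI_SEGMENT:   # unexpected part of the network
            events[host].append(("pci_violation", f"{f['dst']}:{f['dport']}"))

    for host, pairs in targets.items():             # scanning behavior
        if len(pairs) >= SCAN_MIN_TARGETS:
            events[host].append(("scan", f"{len(pairs)} distinct targets"))
    for host, n in out_bytes.items():               # unexpectedly large data movement
        if n >= LARGE_TRANSFER_BYTES:
            events[host].append(("large_transfer", f"{n // 2**20} MiB outbound"))

    return {
        host: {"total": sum(POINTS[kind] for kind, _ in evs), "events": evs}
        for host, evs in events.items()
    }


def rank(scores):
    """Reputation-dashboard order: highest Concern Index first."""
    return sorted(scores.items(), key=lambda kv: kv[1]["total"], reverse=True)


# Constructed sample flows (RFC 5737 documentation addresses for the outside world).
SAMPLE_FLOWS = (
    # desktop 10.10.1.5 sweeps 25 peers on 445, then touches a PCI database server
    [{"src": "10.10.1.5", "dst": f"10.10.2.{i}", "dport": 445, "bytes": 120} for i in range(1, 26)]
    + [{"src": "10.10.1.5", "dst": "10.50.0.10", "dport": 1433, "bytes": 900}]
    # desktop 10.10.3.9 checks in twice with a known-bad address (C&C-like)
    + [{"src": "10.10.3.9", "dst": "203.0.113.7", "dport": 443, "bytes": 2048}] * 2
    # server 10.20.0.4 pushes 700 MiB to an outside host (possible exfiltration)
    + [{"src": "10.20.0.4", "dst": "198.51.100.20", "dport": 443, "bytes": 700 * 2**20}]
    # desktop 10.10.4.2 just browses; it should not appear on the dashboard
    + [{"src": "10.10.4.2", "dst": "198.51.100.5", "dport": 443, "bytes": 50_000}]
)

if __name__ == "__main__":
    for host, info in rank(score_hosts(SAMPLE_FLOWS)):
        print(f"{host:12} CI={info['total']:4}  " + "; ".join(f"{k}: {d}" for k, d in info["events"]))
```

Two design points worth noting: the known-bad check-ins score per event rather than once, which is what "accumulating" points means in practice, and the quiet desktop never appears in the output at all, so the dashboard only ever lists hosts that did something worth a look. A real implementation would also decay points over time (the deck mentions trending) and weight signals by host role, since a backup server moving 700 MiB outbound is not the same event as a desktop doing it.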
Combating Advanced Cyber Threats
• Perimeter defenses lack signatures for Advanced Cyber Threats such as:
– Phishing
– Social engineering
– Well-engineered email attachments
– Insiders
• Because the end result is similar, i.e. the endpoints behaving in ways they normally would not, these attacks accumulate CI points and put the affected hosts on the CI dashboard.
• Worm propagation can be tracked in this way, too.
• If a user brings in an infected laptop that attempts to call a C&C server, it will accumulate CI points.
• Hosts that are behaving the worst, particularly in the case of data exfiltration, are clearly visible.
Combating Advanced Cyber Threats
• If a host is infected, it is possible to see an internal pivot as it attacks or infects other machines
• Internal Host Reputation is a form of data analytics that can spot behaviors a signature-based system would miss entirely
• Attackers are well aware of the current countermeasures, but countering behavioral analytics is much harder to do
• Remember that StealthWatch provides IHR and links it to a user.
The battle against Advanced Cyber Threats is a battle against sophisticated behaviors, and it takes a behavioral solution to combat them.
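To make the "internal pivot" and the worm-propagation point concrete, here is an added Python example (again not Lancope's code) that walks time-ordered flow records outward from a seed host, the top offender on the dashboard, and reconstructs the propagation chain. A host the seed touched is treated as compromised only if it then starts fanning out to other internal hosts on the same port after it was touched; a host that was merely scanned and stayed quiet never enters the tree. The flow format, the port, the fan-out threshold, the timestamps and the sample flows are all constructed.

```python
"""Tracing an internal pivot (worm-style propagation) through flow records.

Added example, not Lancope's code. The flow format, the propagation port,
the fan-out threshold and the sample flows are constructed for illustration.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")
FANOUT_MIN = 3   # new internal peers a touched host must contact before we call it compromised


def first_contacts(flows, dport):
    """Map src -> {dst: earliest ts} for internal-to-internal flows on dport."""
    seen = defaultdict(dict)
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["dport"] != dport:
            continue
        if ip_address(f["src"]) not in INTERNAL or ip_address(f["dst"]) not in INTERNAL:
            continue
        seen[f["src"]].setdefault(f["dst"], f["ts"])   # keep the first contact only
    return seen


def trace_pivot(flows, seed, dport, fanout_min=FANOUT_MIN):
    """Return the propagation tree {parent: [(child, first_contact_ts)]} rooted at seed.

    A host contacted by a compromised parent at time t counts as compromised
    itself when it goes on to contact at least fanout_min other internal hosts
    on the same port after t. Traffic from before t is ignored, so a host that
    was only scanned (and stayed quiet) never enters the tree.
    """
    contacts = first_contacts(flows, dport)
    tree = defaultdict(list)
    compromised = {seed}
    queue = deque([(seed, 0)])                      # (host, time it became active)
    while queue:
        parent, active_since = queue.popleft()
        for child, t in sorted(contacts.get(parent, {}).items(), key=lambda kv: kv[1]):
            if child in compromised or t < active_since:
                continue
            spread = [u for u, tu in contacts.get(child, {}).items() if tu > t and u != parent]
            if len(spread) >= fanout_min:
                compromised.add(child)
                tree[parent].append((child, t))
                queue.append((child, t))
    return dict(tree)


def affected(tree, seed):
    """Hosts in the tree in breadth-first (infection) order, excluding the seed."""
    order, queue = [], deque([seed])
    while queue:
        for child, _ in tree.get(queue.popleft(), []):
            order.append(child)
            queue.append(child)
    return order


def flow(src, dst, ts, dport=445):
    return {"src": src, "dst": dst, "ts": ts, "dport": dport}


# Constructed sample: ts is seconds; everything is on SMB/445 unless noted.
SAMPLE_FLOWS = (
    [flow("10.10.1.5", f"10.10.2.{i}", 100 + i) for i in range(1, 11)]     # seed sweeps ten peers
    + [flow("10.10.2.3", "10.10.9.9", 90)]                                 # 2.3's traffic from BEFORE it was touched
    + [flow("10.10.2.3", f"10.10.2.{20 + i}", 200 + i) for i in range(4)]  # 2.3 starts spreading at t=200
    + [flow("10.10.2.21", f"10.10.2.{30 + i}", 300 + i) for i in range(3)] # 2.21 spreads next
    + [flow("10.10.2.22", "10.10.2.40", 250)]                              # one contact, not a fan-out
    + [flow("10.10.2.5", "203.0.113.7", 150, dport=443)]                   # external, out of scope here
)

if __name__ == "__main__":
    tree = trace_pivot(SAMPLE_FLOWS, "10.10.1.5", 445)
    for parent, children in tree.items():
        for child, t in children:
            print(f"{parent} -> {child} (first contact at t={t})")
    print("compromised, in order:", affected(tree, "10.10.1.5"))
```

On the sample data the seed sweeps ten hosts, but only 10.10.2.3 is flagged, because it alone starts its own sweep afterwards; its earlier contact with 10.10.9.9 is ignored as pre-infection traffic, and 10.10.2.22's single follow-up connection does not clear the fan-out bar. This is the kind of chain that a signature-based perimeter device never sees, since none of these flows cross the perimeter.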
Cyber Threats Dashboard
[screenshot of the Cyber Threats dashboard; not reproduced here]
Conclusions
• As internal networks grow, internal reputation will become as important as external reputation
• Perimeter devices cannot provide this level of information; only an internal visibility solution leveraging network telemetry such as NetFlow can
• Advanced Cyber Threats are not easily categorized and can only be identified with an analytical approach
– http://www.emc.com/collateral/industry-overview/h11240-advanced-threats-summit-2012-io.pdf
• The Concern Index (and IHR) is a valuable tool for tracking potential threats, both internal and external
Lancope at RSA 2013
Return of the famous Lancope Ninja Sword!
• Visit booth #1653
• Presentations by Tom Cross, Director of Security Research:
– Tuesday @ 4:30 pm
– Wednesday @ 2 pm
• Email sales@lancope.com to request a private demo at the event.
Get Engaged with Lancope!
• @Lancope
• @NetFlowNinjas
• @stealth_labs
• Access StealthLabs Intelligence Center (SLIC) Reports
• Security Research
Thank you!

Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 

Internal host-reputation-webinar

  • 5. The Concern Index
     Here is what the Concern Index looks like in use:
  • 6. Reputation
     Now wait a minute, I already know what reputation is! True. But there are 2 sides to the coin:
    – External
    – Internal
     External is very useful and many, many security pros make use of one of the many reputation services.
    – This is good for knowing what to block, what to look out for, etc.
     The internal side is just as important, but harder to do.
    – External services cannot see the interior of your network
    – Even if they could, the understanding and visibility required would be complicated
     Hosts on the inside of the network misbehave, too.
    – Data exfiltration
    – Users hogging bandwidth
    – Communication with command and control servers
    – Attempted communication to forbidden parts of the network
  • 7. Reputation
     Internal Host Reputation is a more personal form of reputation service that is unique to your environment
    – Issues can be spotted before they become problems
    – Because of ISE integration, users can be tied to IP addresses
    – Reputation can extend to virtual hosts
    – Events leading to degraded reputation are easily accessible
  • 8. Tying it all together
     What does the Concern Index have to do with Reputation?
    – The CI is a measure of how “out-of-bounds” a host on the network has become
    – As we’ve discussed, there can be many reasons for that
    – The more CI points a host accumulates, the more incorrectly it’s behaving
     Dashboards are close friends of the Admin. The Reputation dashboard ranks hosts based on:
    – Concern Index, with the worst offenders at the top
     Running a host snapshot for the top offender gives you an idea of:
    – Its Reputation! How has this host been acting historically on my network?
  • 9. Combating Advanced Cyber Threats
     Perimeter defenses lack signatures for Advanced Cyber Threats
    – Phishing
    – Social Engineering
    – Well-engineered email attachments
    – Insiders
     Because the end result is similar, i.e. the endpoints behaving in ways they normally would not, this accumulates CI points and puts those hosts on the CI dashboard.
     Worm propagation can be tracked in this way, too.
     If a user brings in an infected laptop that attempts to call a C&C server, it will accumulate CI points.
     Hosts that are behaving the worst, particularly in the case of data exfiltration, are clearly visible.
  • 10. Combating Advanced Cyber Threats
     If a host is infected, it is possible to see an internal pivot to attack or infect other machines
     Internal Host Reputation is a form of data analytics which can spot behaviors that signature-based systems would completely miss.
     Attackers are well aware of the current countermeasures, but countering analytics is much harder to do
     Remember that StealthWatch provides IHR and links it to a user. The battle against Advanced Cyber Threats is a battle against sophisticated behaviors, and it takes a behavioral solution to combat them.
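To make the point-accumulation idea concrete, here is an added example (written for this page; it is not Lancope's code and not how StealthWatch actually scores hosts) of a toy Concern Index scorer in Python. It runs over a handful of constructed NetFlow-style records and awards points for the behaviours the deck names: scanning, contact with a known-bad external address, an unexpectedly large outbound transfer, and a desktop reaching into a PCI segment. It then ranks hosts with the worst offenders first, the way the Reputation dashboard on slide 8 orders them. The segment definitions, the known-bad address, the point weights and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (constructed shape: unidirectional, no timestamps)."""
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


# Network layout is an assumption for this example.
INTERNAL = ip_network("10.0.0.0/8")
DESKTOPS = ip_network("10.10.0.0/16")     # user desktops
PCI_SEGMENT = ip_network("10.20.0.0/16")  # cardholder-data servers; desktops should not talk here
KNOWN_BAD = {"203.0.113.7"}               # stand-in for an external reputation feed (documentation range)

# Illustrative point weights and thresholds, not Lancope's values.
POINTS = {"scan": 50, "known_bad": 100, "large_transfer": 75, "pci_crossing": 60}
SCAN_PAIR_THRESHOLD = 20             # distinct (destination, port) pairs one host initiated
LARGE_TRANSFER_BYTES = 500_000_000   # outbound bytes to non-internal addresses in the window


def _add(entry, kind, detail):
    """Award points of one kind and record why, so an analyst can trace the score."""
    entry["ci"] += POINTS[kind]
    entry["reasons"].append(f"{kind}: {detail}")


def score_flows(flows):
    """Accumulate Concern Index points per internal source host.

    Returns {host: {"ci": int, "reasons": [str, ...]}} for every internal host
    that initiated a flow, including hosts that earned zero points.
    """
    results = {}
    targets = defaultdict(set)    # host -> (dst, port) pairs it initiated
    ext_bytes = defaultdict(int)  # host -> bytes it sent outside the network
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src not in INTERNAL:
            continue  # inbound flows are not scored by this toy
        entry = results.setdefault(f.src, {"ci": 0, "reasons": []})
        targets[f.src].add((f.dst, f.dport))
        if dst not in INTERNAL:
            ext_bytes[f.src] += f.bytes_out
        # Per-flow behaviours: each offending flow adds points, so repeats accumulate.
        if f.dst in KNOWN_BAD:
            _add(entry, "known_bad", f"contacted {f.dst}:{f.dport}")
        if src in DESKTOPS and dst in PCI_SEGMENT:
            _add(entry, "pci_crossing", f"desktop reached PCI host {f.dst}:{f.dport}")
    # Aggregate behaviours are judged once per host after the whole window is seen.
    for host, entry in results.items():
        if len(targets[host]) >= SCAN_PAIR_THRESHOLD:
            _add(entry, "scan", f"{len(targets[host])} distinct destination/port pairs")
        if ext_bytes[host] >= LARGE_TRANSFER_BYTES:
            _add(entry, "large_transfer", f"{ext_bytes[host]} bytes outbound")
    return results


def rank_hosts(results):
    """Reputation-dashboard order: highest Concern Index first, ties by address."""
    return sorted(results, key=lambda h: (-results[h]["ci"], h))


# Constructed sample traffic (documentation ranges only).
SAMPLE_FLOWS = [
    # 10.10.0.5: a desktop probing 25 ports on one peer, then touching a PCI server
    *[Flow("10.10.0.5", "10.10.0.20", p, 60) for p in range(1, 26)],
    Flow("10.10.0.5", "10.20.0.9", 445, 1_200),
    # 10.10.0.7: repeated contact with a known-bad address plus a 600 MB upload
    Flow("10.10.0.7", "203.0.113.7", 443, 2_000),
    Flow("10.10.0.7", "203.0.113.7", 443, 2_000),
    Flow("10.10.0.7", "198.51.100.4", 443, 600_000_000),
    # 10.30.0.2: ordinary outbound web traffic, earns nothing
    Flow("10.30.0.2", "198.51.100.10", 443, 4_000),
    # inbound flow from outside; ignored by the scorer
    Flow("203.0.113.7", "10.10.0.7", 51000, 500),
]

if __name__ == "__main__":
    scored = score_flows(SAMPLE_FLOWS)
    for host in rank_hosts(scored):
        print(f"{host:12} CI={scored[host]['ci']:4}  " + "; ".join(scored[host]["reasons"]))
```

Two design points carry over to a real deployment: per-flow behaviours (known-bad contact, PCI crossing) add points every time they recur, so a host that keeps beaconing climbs the board, while aggregate behaviours (scanning, bulk transfer) are judged once over the observation window so a single noisy minute is not double-counted; and every point is recorded with a reason, which is what makes the "host snapshot" on slide 8 explain a reputation rather than just state it.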
  • 11. Cyber Threats Dashboard
  • 12. Conclusions
     As the size of internal networks grows, internal reputation will become as important as external reputation
     Perimeter devices cannot provide this level of information; only an internal visibility solution leveraging network telemetry such as NetFlow can accomplish this
     Advanced Cyber Threats are not easily categorized and can only be identified with an analytical approach
    – http://www.emc.com/collateral/industry-overview/h11240-advanced-threats-summit-2012-io.pdf
     The Concern Index (and IHR) is a valuable tool for tracking potential threats, both internally and externally
  • 13. Lancope at RSA 2013
    Return of the famous Lancope Ninja Sword!
     Visit booth #1653
     Presentations by Tom Cross, Director of Security Research:
    - Tuesday @ 4:30 pm
    - Wednesday @ 2 pm
     Email sales@lancope.com to request a private demo at the event.
  • 14. Get Engaged with Lancope!
    @Lancope
    @NetFlowNinjas
    @stealth_labs
    Subscribe, Join Discussion, Download
    Access StealthLabs Intelligence Center (SLIC) Reports
    Security Research
  • 15. Thank you!