Security Whack-a-Mole: SANS 2017 Threat Landscape Survey

As quickly as we learn to detect new threats, the threats change — like a game of Whack-a-Mole happening at an ever-increasing pace.

A new survey by the SANS Institute focuses on providing valuable intelligence into the types of threats most severely impacting organizations like yours, and how those threats are evolving.

In this webcast, Lee Neely, who teaches cyber security courses for SANS, Mark Butler, Chief Information Security Officer at Qualys, and other survey sponsors discuss what threat actors are currently up to and how they’re getting around existing defenses, so that you can anticipate attacks and get ahead of the attackers.

Key trends discussed include:
• Primary vectors attackers enter through
• Methods attackers use most effectively as part of their layered attacks
• Impacts of breaches and how to remediate
• Best places to apply defenses
• Lessons learned by those who have been breached

Watch the on-demand webcast: https://www.sans.org/webcasts/105430

Download the complete report: https://goo.gl/rP4KEs

Security Whack-a-Mole: SANS 2017 Threat Landscape Survey

  1. Security Whack-a-Mole: 2017 Threat Landscape Survey
  2. From the most trusted name in information security. Today’s Speakers:
     • Lee Neely, SANS Analyst and Instructor
     • Chad Skipper, VP of Industry Relations and Product Testing, Cylance
     • Robert Leong, Director of Product Management within McAfee Labs, McAfee
     • Sean Murphy, Senior Manager of Solutions Architecture, FireEye
     • Mark Butler, Chief Information Security Officer, Qualys
     © 2017 The SANS™ Institute – www.sans.org
  3. SANS 2017 Threat Landscape Survey. Security Whack-a-Mole: Users On the Front Line
  4. Threats Seen with Significant Impact. Most seen: phishing, spyware, ransomware, Trojans. Significant: phishing, ransomware, DDoS*, APT.
  5. Malware-less with Significant Impact. Most seen: scripting attacks, compromised credentials, process exploits. Significant: compromised credentials, scripting attacks, process exploits, malicious binaries.
     [Chart: “What type of malware-less threats have you just seen in your organization, or which have you seen and had the most significant impact? If you have not encountered malware-less threats, please skip this question.” Series: Just Seen; Seen and Significant Impact. Categories: credential compromise or privilege escalation; scripting attacks (PowerShell, …); process exploit (in a browser); malicious binaries; HTTPS downgrade of encrypted connection; lateral movement from other devices; hidden registries; process exploit of other services; memory-based (file-less) attacks; writing binary to disk; other.]
  6. What Defines Significant? Availability (DoS), cost to respond, loss of sensitive data, damage to brand/reputation, financial loss.
     [Chart: “What were the top three reasons you consider this incident to be the most significant?” Ranked First / Second / Third. Categories: impact on availability; cost to respond and recover; loss of sensitive data; damage to brand or reputation; financial loss to the organization; triggered investment in new tools or …; other.]
  7. Impact? What Impact? Nuisance 59%, DoS 27%, system damage 26%.
     [Chart: “What damages resulted from discovered threats? Select all that apply.” Categories: nuisance; denial of service; system damage; data destruction, including loss of data integrity; customer financial data loss; loss of personal identifying information (PII; Social Security …); other; corporate financial accounts breached or drained; payments made as result of ransomware; loss of intellectual property (IP) or other business-related sensitive ….]
  8. Zero-Day Threats. “How many of your significant threats were previously ‘unknown’ threats or zero days?” None 42.2%; 1–5% 24.0%; 6–10% 9.3%; 11–25% 8.9%; 26–50% 5.8%; 51–75% 3.5%; 76–99% 3.9%; 100% 2.3%.
  9. Surprising Threats: ransomware; phishing; targeted attacks; DNS poisoning; malware on air-gapped laptops; persistent malware; accidental DDoS; SSO exploitation; mobile inside attack.
  10. Threat Vectors Used. Email 74%, browser 48%, application 30%, web server 26%, USB media 26%.
     [Chart: “What vector(s) did these threats take to enter your organization? Select those that most apply.” Categories: email attachment or link; web-based drive-by or download; application vulnerability on user endpoints; web server or web application vulnerability; removable storage device (USB); user endpoint misconfiguration or configuration not up to date; server-side vulnerabilities; remote access service (VPN, RDP) compromise; third-party vendor or contractor connection; firewall/IDS/UTM misconfiguration or weakness; DNS vulnerability; cloud application or connection; IoT device; ICS system; other.]
  11. Discovery Versus Remediation. Within 24 hours: 72% detected, 63% remediated.
     [Chart: “On average, how much time do you estimate it took to discover the threats that actually became incidents? How long was it from discovery until you considered remediation complete? Please check both columns as they apply.” Series: Discovery; Remediation. Buckets: unknown; < 1 hour; 1–5 hours; 6–24 hours; 2–7 days; 8–30 days; 1–3 months; 4–6 months; 7–12 months.]
  12. How Are Threats Revealed? Detection/discovery sources: network monitoring 42%; UTM/IDS 37%; help desk calls 37%; SIEM 37%; log review 34%.
     [Chart, Help Desk Calls: “How many calls per week does your help desk field that are investigated as threats? How many calls actually represented actual incidents?” Series: Possible Threat; Actual Threat. Buckets: fewer than 10; 10 to 15; 16 to 20; 21 to 50; more than 50.]
  13. False Positives = Lost Resources. “How many threats that you followed up on could be considered ‘false positives’ that don’t apply to your organization?” None 15.8%; 1–5% 24.9%; 6–10% 19.4%; 11–25% 17.4%; 26–50% 11.5%; 51–75% 6.3%; 76–99% 3.6%; 100% 1.2%.
  14. Determine Scope.
     [Chart: “What tools or services do you find most helpful in accurately determining the scope of these events? Please select those that most apply.” Series: Tools; Both; Services. Categories: log management; forensics or incident response tools or platform; SIEM; threat intelligence; security analytics platform; third-party incident response service; threat hunting; other.]
  15. How Organizations Are Remediating (option and share of respondents using it):
     • Reimage/restore compromised machines from gold baseline image: 77.5%
     • Isolate infected machines from the network while remediation is performed: 78.4%
     • Shut down system and take it offline: 68.8%
     • Quarantine affected hosts: 68.8%
     • Block command and control to malicious IP addresses: 65.6%
     • Update policies and rules based on IOC findings and lessons learned: 57.8%
     • Remove rogue files: 58.7%
     • Identify similar systems that are affected: 57.8%
     • Kill rogue processes: 50.0%
     • Remove file and registry keys related to the compromise without rebuilding or reinstalling the entire machine: 43.1%
     • Reboot system to recovery media: 38.5%
     • Boot from removable media and repair system remotely: 36.2%
     • Remotely deploy custom content or signatures from security vendor: 44.5%
     • Other: 10.1%
     Frequency of remediation: 36% weekly, 19% monthly, 18% daily.
  16. Ability to Respond. Overall confidence in meeting challenges:
     • Respond to significant threats on the network and endpoints: 90%
     • Detect significant threats occurring on your network and endpoints: 82%
     • Intercept threats before they cause damage on your network and endpoints: 74%
     • Remove all artifacts of significant threats on network and endpoints: 73%
     • Detect zero days/unknown threats that could impact your organization: 48%
  17. Prevention & Challenges. Prevention: train users, improve OpSec, better network/endpoint visibility.
     [Chart: “What challenges do you face in protecting against threats in your enterprise? Select all that apply.” Categories: filtering out too much noise or false-positive activity; distinguishing real, high-impact threats; collecting the appropriate threat detection data; lack of skills and budget for protecting against threats; establishing an appropriate baseline that defines normal; finding new unknown threats our current security infrastructure doesn’t have …; visibility into threats across multiple systems and threat actions; inability to fully deploy new protections for known risks before a breach; inability to scope threat effects once we discover the threat; other.]
  18. Improvements: Investments. User training, OpSec, staff training, existing technology use.
     [Chart: “In the next 18 months, in what area do you intend to make a major investment to protect, detect and respond to threats in your environment?” Categories: train our users to be more aware; improve our operational security practices (e.g., timely …); invest in training our staff in existing or new skills, such …; improve our use of existing network security and …; invest in new endpoint security and detection …; invest in new network security and detection technology; improve our use of existing endpoint security and …; improve visibility into network and endpoint behavior for …; improve our approach to secure development; other; improve our application security processes.]
  19. Endpoints on the Front Line
     • 74% of respondents named clicking a link or opening an attachment in an email as the top way threats enter the organization, and 48% named web drive-by or download; both involve user intervention
     • 21% identified awareness training for users as the top mitigation effort they intend to invest in over the next 18 months
     • 81% see endpoint security tools as the most helpful for threat detection
     • 81% noted log management tools and services were helpful in determining threat scope
  20. Conclusions
     • Few new weaknesses: zero-day threats exploit the same old weaknesses
     • Endpoints are the primary target
     • User training: time to turn it on its head
     • Operational procedures need cleanup
     • Supporting technology needed
     • Operations, users and endpoints
  21. Chad Skipper, VP Industry Relations & Product Testing. SANS Threat Landscape Survey.
  22. Significance of Unknown Threats. 58% of respondents had some significant threats within their environment that were previously unknown. Traditional security approach is no match for today’s dynamic threat landscape.
     • It only takes one small change to an existing threat to make static signature-based detection useless
     • Relying on static detection techniques is highly ineffective, especially with unknown threats
     • Organizations need security products capable of detecting unknown threats prior to detonation
     Achieve a State of Prevention with Cylance
  23. Challenges Faced in Protecting Against Threats. 60% indicated a key challenge is finding the unknown threats where their current security infrastructure doesn’t have signatures. Big data means big problems for security products:
     • Vast amounts of security data generated daily, much of which is irrelevant
     • Redundant events from different security products drive down efficiency of security analysts
     • With the expertise shortage, organizations need security tools that reduce the noise, introduce automation, and make security analysts more efficient
  24. The Impact of Discovered Threats: impact on availability, cost to respond & recover, loss of sensitive data. The long tail of security incidents:
     • Recovering from successful breaches and compromises impacts employee effectiveness
     • Imaging of drives, overtime, or contracting outside help to recover makes incident response costs explode
     • Losing customer data will result in fines, added scrutiny from regulators, as well as impact on brand perception
  25. Are We Looking in the Wrong Direction? 51% not confident detecting unknown threats. Demand the following from vendors:
     • First and foremost, focus on preventing threats from impacting business, pre-execution
     • Provide capabilities to uncover and prevent unknown threats in real time
     • Deliver consistent visibility across endpoints to enable easy threat hunting and fast incident response
     • Security should be silent on the endpoint, with low system resource use, so as not to disrupt business
  26. Robert H. Leong | McAfee Labs / OCTO | June 2017. McAfee Company Confidential, Copyright 2017. Security Whack-a-Mole Threat Landscape Survey: How are attackers getting past defenses and what can we do about it? Robert H. Leong, Director, Product Management, McAfee Labs, Office of the CTO. Version 1.4RC2.
  27. Why Is Whack-a-Mole Occurring? Sources of attacks: recreational / vandals; cybercriminals / organized crime; hacktivism / reputation attacks; state-sponsored cyberespionage; cyberattacks. Source: McAfee Labs/OCTO 2017.
  28. What “Moles” Are Getting In, and How Do We Know That? Underlying methods used by these threats: malware will change disguises on every PC; malware can see the sandbox; malware “piggybacks” behind clean applications; malware will misuse clean applications; malware uses “file-less” methods.
     McAfee Labs Threat Research: 44.5 B queries/day to Labs’ GTI; detects 316 threats per minute, 5 per second; 250 threat researchers worldwide; 300+ million sensors globally; over 15 billion lines of telemetry per day; 1.2 million files analyzed per day; 750,000 URLs analyzed per day; 300,000 files analyzed in a sandbox per day.
     SANS 2017 Threat Landscape Survey (methods attackers use most effectively as part of their layered attacks): 40% of respondents said phishing was the top perceived threat (including spear-phishing and whaling); 20% identified ransomware; 11% chose DDoS; 11% chose APT.
  29. Layered Security: Attacks Must Pass Layers, and Layers Speak to Each Other (Layers 0 through 6). Each layer asks: what did you see, and should other layers know about it or do something about it?
     • “Have we or anyone else seen this before? How often? How long? Did it do anything bad worldwide?”
     • “Have we run this thing before? Do we know if this is clean or dirty based on what it did then? If we put it in a fake room and let it run right now, does it do anything bad?”
     • “Do the fingerprints match any dirty objects? Does the way it looks match any dirty objects? Do its relationships reveal anything bad?”
     • “If this thing is still suspicious, what should we prevent it from doing? Is it performing bad behaviors right now? When we unmask its blueprints, does it imply bad behavior?”
     • “If we put it in a fake room and let it run, does it do anything bad? Has anyone else put it in a fake room and let it run? Did they find anything out?”
     • “Looking at what happened as the object came into our house, did it do anything suspicious or bad? Did it follow a suspicious path or do something weird across our networks to get to us? Did a lot of suspicious activities occur?”
     • “If we look at the overall activity of suspicious stuff on the network, then do we see an attack pattern? Can we figure out what’s bad and then fix it?”
     Successful “Whack-a-Mole” defenses.
  30. Whack-a-Mole Success Statistics: where is the mole usually slowed or stopped? [Chart across the five methods above: change disguises on every PC; can see the sandbox; “piggybacks” behind clean applications; misuse clean applications; uses “file-less” methods.]
  31. Copyright © FireEye, Inc. All rights reserved. Identifying and Prioritizing Advanced Threats: SANS 2017 Threat Landscape Survey. Presented by Sean Murphy, Sr. Manager, Americas Solutions Architects, Global Services & Intelligence.
  32. Survey Says: Challenges Remain Constant. Security budgets are flat or falling; can’t find security expertise; lack of deep visibility into emerging threats; overwhelmed by data volumes.
  33. Adaptive Detection. Hunting is the process of applying our understanding of attackers and malware to raw data in order to find evil in the absence of alerts. Assume evil is happening. Assume we’re missing something. Hunting is hypothesis-driven analysis. Approaches:
     • Intelligence-based: based on things we have seen before
     • Frequency-based: based on numbers (includes global prevalence)
     • Anomaly-based: based on norms or non-standard characteristics
     • TTP-based: based on the methodology of attackers and signals
     (or some combination of the above)
     Fidelity, from higher to lower: signatures; indicators; TTPs/methodologies; discovery. Maturity, from minimal to significant experience:
     • Proven: codified into detection products; high confidence, low false positives; intelligence researchers integrate IOCs and malware samples
     • Refined (deliberate hunting): develop filters to detect attacker TTPs; proactive sweeps across the enterprise; scalable, repeatable and measurable
     • Advanced (broad hunting expertise): experienced analysts search through large data sets to find anomalies or evidence of compromise
  34. Hunting: Gathering the Evidence and Applying Knowledge.
     Endpoint visibility: registry key creation/modification; file writes; DNS lookups; network connections; process execution; user creation/privilege escalation.
     Network visibility: packet capture; NetFlow; network metadata.
     Log data: remote access; authentication; native OS or application event logs; security alerts (sandbox, AV, IDS/IPS, proxy, FW).
     KNOWLEDGE is the sum of INTELLIGENCE and EXPERIENCE.
     Intelligence: atomic indicators/telemetry; techniques, tactics, procedures; threat actor history and motivation; relationships.
     Experience: Do you know who is targeting you and what they want? Have you responded to an incident like this before? Have you encountered this threat actor before?
  35. FireEye-as-a-Service provides continuous compromise assessment and response, using FireEye products and intelligence to detect signs of intrusion early, rapidly investigate, and provide the answers you need to respond effectively. In most cases, detection through response occurs within hours, drastically minimizing the scope, impact, and cost of a breach. FireEye-as-a-Service offers answers, not alerts. Visibility: across the threatscape, across your environment. Speed: accelerate detection and response, reduce dwell time. Lower cost: lower dwell time = lower impact, IR cost avoidance. Integrated technology, unrivaled intelligence, proven expertise. Components: intelligence; detection; validation & triage; communication; investigation & response; threat hunting. Gain visibility into emerging attacks and campaigns; know when you are truly compromised and minimize impact; amplify your team with experts to accelerate response; deploy Fortune 50 security at a fraction of the cost.
  36. SANS Threat Landscape Survey. Mark Butler, CISO, Qualys, Inc.
  37. Threat Landscape
     Endpoint (prevent & detect): email & internet browsing risks = ransomware & file-less malware risks & exposures; existing account credential takeover; memory-based exploits will increase to avoid detection.
     Network (monitor & restore): traffic pattern analysis / geo filters / bandwidth tuning; threat intelligence gaps (lack of context); SSL / payload analysis / connection tracking; DDoS / DNS / circuit protection / resiliency.
     Identity (monitor & recover): account behaviors not tracked over time; existing account misuse; lack of clearly defined roles / functions / permissions; credential management / tokens / 2FA / one-time-use tokens.
  38. Observations of Qualys Threat Data. Inadequate patching timing: high-severity vulnerabilities are taking 100+ days to patch/configure/correct. Exploits and attack patterns are speeding up and taking < 30 days on average (WannaCry was distributed in 26 days).
  39. Observations of Qualys Threat Data. The core IT service areas must be improved:
     • Risk identification, monitoring critical in-scope assets
     • Alert speed, triage accuracy, enabling effective response
     • Asset & configuration management / build compliance
     • Effective vulnerability remediation over time for real risks targeting individual environments vs. commodity risks
     • Network architecture and segmentation gaps
  40. Recommendations
     • Take time to learn instead of wiping / re-imaging systems quickly
     • Track progress on solving root-cause issues: system build compliance, administrative access, unapproved software, poor email/internet filters, user security awareness competencies
     • Increase data analytics skills and capabilities
     • Figure out how to ask the harder questions (why / root cause): What vertical-specific attacks or malware families are seen? Why are the threat patterns occurring? Network attacks to capture health data (ePHI), DDoS attacks to cover up account fraud, POS attacks for capturing CHD, diversion attacks
  41. Q & A. Please use GoToWebinar’s Questions tool to submit questions to our panel. Send to “Organizers” and tell us if it’s for a specific panelist.
  42. Acknowledgements. Thanks to our sponsors: Cylance, FireEye, McAfee, and Qualys. To our special guests: Chad Skipper, Robert Leong, Sean Murphy, and Mark Butler. And to our attendees, thank you for joining us today!
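Slide 29 describes a layered defense in which every layer answers one question (have we seen this hash, how prevalent is it, do its blueprints look bad, what does it do when detonated) and passes what it learned to the other layers. The following Python sketch is an added illustration of that architecture and is not McAfee code: the `Sample` fields, the layer names, the suspicious import combination and the behavior labels are all constructed assumptions, and the point it demonstrates is the feedback path, where a conviction by the expensive sandbox layer is written back into the shared context so the next copy of the same object is stopped by the cheap fingerprint layer.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sample:
    """One object arriving at the front door (constructed fields)."""
    sha256: str            # fingerprint
    prevalence: int        # how many sensors worldwide have reported this hash
    imports: frozenset     # static "blueprint" features (API names)
    behaviors: frozenset   # what it did when detonated in the sandbox


@dataclass
class Shared:
    """What the layers tell each other. A verdict reached by a deep layer is
    recorded here so that the cheap front layers answer for the next copy."""
    known_bad: set = field(default_factory=set)
    known_good: set = field(default_factory=set)
    detonations: dict = field(default_factory=dict)   # sha256 -> observed behaviors


# Assumed (constructed) indicators used by the static and sandbox layers.
SUSPICIOUS_IMPORT_COMBOS = [
    frozenset({"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"}),
]
BAD_BEHAVIORS = {"encrypts_user_documents", "deletes_volume_shadow_copies",
                 "persists_via_run_key"}


def fingerprint_layer(sample, ctx):
    # "Do the fingerprints match any dirty objects?"
    if sample.sha256 in ctx.known_bad:
        return "malicious"
    if sample.sha256 in ctx.known_good:
        return "clean"
    return None


def reputation_layer(sample, ctx):
    # "Have we or anyone else seen this before? How often?"
    # Widely seen and never convicted (the fingerprint layer ran first).
    return "clean" if sample.prevalence >= 10_000 else None


def static_layer(sample, ctx):
    # "When we unmask its blueprints, does it imply bad behavior?"
    if any(combo <= sample.imports for combo in SUSPICIOUS_IMPORT_COMBOS):
        return "suspicious"
    return None


def sandbox_layer(sample, ctx):
    # "If we put it in a fake room and let it run, does it do anything bad?
    #  Has anyone else already done that?"  Reuse a prior detonation if cached.
    behaviors = ctx.detonations.setdefault(sample.sha256, sample.behaviors)
    return "malicious" if behaviors & BAD_BEHAVIORS else "clean"


LAYERS = [
    ("fingerprint", fingerprint_layer),
    ("reputation", reputation_layer),
    ("static", static_layer),
    ("sandbox", sandbox_layer),
]


def classify(sample, ctx):
    """Run the layers cheapest first. Stop at the first definitive verdict and
    write it back so the fingerprint layer answers next time. Returns
    (verdict, deciding layer, layers that only raised suspicion)."""
    flags = []
    for name, layer in LAYERS:
        verdict = layer(sample, ctx)
        if verdict == "suspicious":
            flags.append(name)          # passed along, not yet a decision
        elif verdict == "malicious":
            ctx.known_bad.add(sample.sha256)
            return verdict, name, flags
        elif verdict == "clean":
            ctx.known_good.add(sample.sha256)
            return verdict, name, flags
    return "unknown", None, flags


if __name__ == "__main__":
    ctx = Shared()
    rare = Sample("a" * 64, 3,
                  frozenset({"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"}),
                  frozenset({"encrypts_user_documents"}))
    common = Sample("b" * 64, 250_000, frozenset({"CreateFileW"}), frozenset())
    print(classify(rare, ctx))     # first copy: convicted by the sandbox
    print(classify(rare, ctx))     # second copy: stopped at the fingerprint layer
    print(classify(common, ctx))   # cleared by prevalence, never detonated
```

The order of `LAYERS` is the cost order: hash and prevalence lookups are cheap, detonation is expensive, so the write-back into `known_bad` is what keeps the second mole from ever reaching the sandbox.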
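Slides 33 and 34 define hunting as applying knowledge of attackers to raw telemetry in the absence of alerts, and list the endpoint sources that feed it (process execution, user creation/privilege escalation, DNS lookups). The Python below is an added example, not FireEye's tooling, that runs two of the named hunt styles over a constructed endpoint event set: a frequency-based hunt that stacks parent/child process pairs across hosts and reports the rare ones, and a TTP-based hunt that looks for a newly created local account being granted administrator rights within a short window on the same host. The event schema, host names and timestamps are all invented for the example.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(host, ts, **fields):
    return {"host": host, "ts": datetime.fromisoformat(ts), **fields}


# Constructed endpoint telemetry (sample data, not survey data): five
# workstations reporting process executions and local-account changes.
EVENTS = []
for i in range(1, 6):
    host = f"ws0{i}"
    EVENTS += [
        _ev(host, f"2017-06-01T08:{i:02d}:00", type="process",
            image="outlook.exe", parent="explorer.exe"),
        _ev(host, f"2017-06-01T08:{i + 10:02d}:00", type="process",
            image="chrome.exe", parent="explorer.exe"),
    ]
EVENTS += [
    # Seen on a single host: a document viewer launching a scripting host.
    _ev("ws03", "2017-06-01T09:12:00", type="process",
        image="powershell.exe", parent="winword.exe"),
    # A local account created and made an administrator 20 minutes later.
    _ev("ws03", "2017-06-01T09:30:00", type="user_created", user="svc_tmp"),
    _ev("ws03", "2017-06-01T09:50:00", type="added_to_admins", user="svc_tmp"),
    # The same two steps a day apart: outside the hunt window, not reported.
    _ev("ws05", "2017-06-01T10:00:00", type="user_created", user="helpdesk"),
    _ev("ws05", "2017-06-02T10:00:00", type="added_to_admins", user="helpdesk"),
]


def stack_process_lineage(events, max_hosts=1):
    """Frequency-based hunt: count distinct hosts per (image, parent) pair and
    return the pairs seen on at most `max_hosts` hosts, rarest first."""
    hosts_by_lineage = defaultdict(set)
    for e in events:
        if e["type"] == "process":
            hosts_by_lineage[(e["image"], e["parent"])].add(e["host"])
    rare = [(image, parent, sorted(hosts))
            for (image, parent), hosts in hosts_by_lineage.items()
            if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda r: (len(r[2]), r[0]))


def hunt_create_then_escalate(events, window=timedelta(hours=1)):
    """TTP-based hunt: a new local user granted admin rights within `window`
    on the same host. Returns one finding per (host, user)."""
    created = {}
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e.get("user"))
        if e["type"] == "user_created":
            created[key] = e["ts"]
        elif e["type"] == "added_to_admins" and key in created:
            delta = e["ts"] - created[key]
            if timedelta(0) <= delta <= window:
                findings.append({"host": e["host"], "user": e["user"],
                                 "minutes": int(delta.total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for image, parent, hosts in stack_process_lineage(EVENTS):
        print(f"rare lineage {parent} -> {image} on {hosts}")
    for f in hunt_create_then_escalate(EVENTS):
        print(f"{f['host']}: {f['user']} created and made admin after {f['minutes']} min")
```

Both hunts are hypotheses rather than signatures: the stacking hunt assumes that what is common across the fleet is probably benign and what is unique deserves a look, and the escalation hunt encodes one attacker method as a timing relationship between two events; each finding still needs an analyst to confirm it, which is the lower-fidelity end of the slide's scale.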
