Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
•
1 like•513 views
Ian Rainsburgh from Guidance Software presenting at The Cyber Academy
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Similar to Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Similar to Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh (20)
More from Napier University
More from Napier University (20)
Recently uploaded
Recently uploaded (20)
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
- 1. NAPIER UNIVERSITY, EDINBURGH MAY 2016 BIG DATA IN CYBERSECURITY
- 2. TODAY’S TOPICS • Introduction • Credentials • Age of compromise • Today’s InfoSec Challenges • Inside Out Security: Detect, Assess, Respond & Recover • Leverage existing infrastructure • Summary: Can you afford to be one of the numbers? 2
- 3. MARKET LEADING DIGITAL FORENSICS, E-DISCOVERY, AND ENDPOINT DETECTION & RESPONSE • Gartner #1 in Endpoint Detection & Response* • Standard in Digital Forensics - Cited in 100+ published court opinions • 25+ million servlets deployed - 70% of Fortune 100 and 45% of Fortune 500 • Industry recognized Training with 5000+ EnCE - “Best IT Security-Related Training Program” SC Magazine • Industry leading Professional Services 3 CREDENTIALS
- 4. ENDPOINT IS THE TARGET OF ATTACKERS COMPANY DATA: THE EPICENTER OF RISK BUSINESS INTELLIGENCE INTELLECTUAL PROPERTY CUSTOMER DATA CARDHOLDER AND FINANCIAL DATA AUTHENTICATION CREDENTIALS HUMAN RESOURCES ELECTRONIC HEALTH RECORDS 4
- 5. AGE OF COMPROMISE Anthem: Jan 2015 2nd Largest US Health Insurer Customer PII Ebay: March 2015 Used employee details to access User Credentials Target: Summer 2013 $10B drop in market cap (30%) CEO Terminated CIO Resigns 5
- 6. WHY IS IT LIKELY YOU ARE BREACHED? Signature-based Detection is Not Sufficient 6
- 7. DETECTION AND RESPONSE TIMES ARE UNTENABLE 60% in minutes Initial attack to compromise 60% of organizations breached in minutes or less1 1Verizon 2015 Data Breach Investigation Report 7
- 8. Compromise to Discovery 66% in Months or Years DETECTION AND RESPONSE TIMES ARE UNTENABLE 60% of organizations breached in minutes or less1 66% of breaches take months or years to discover2 1Verizon 2015 Data Breach Investigation Report 2Verizon 2013 Data Breach Investigation Report 8
- 9. DETECTION AND RESPONSE TIMES ARE UNTENABLE 60% of organizations breached in minutes or less1 66% of breaches take months or years to discover2 70-90% of malware samples are unique to an organization1 1Verizon 2015 Data Breach Investigation Report 2Verizon 2013 Data Breach Investigation Report Unknown Threat 66% in Months or Years 9
- 10. DETECTION AND RESPONSE TIMES ARE UNTENABLE 60% of organizations breached in minutes or less1 66% of breaches take months or years to discover2 70-90% of malware samples are unique to an organization1 32 days to respond to an incident2 1Verizon 2015 Data Breach Investigation Report 2Verizon 2013 Data Breach Investigation Report Time to Resolution 66% in Months or Years 10 “It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get the theirs done in a month of Sundays.”
- 11. METHODOLOGY OF AN ATTACK 11 Our Enterprise Their Ecosystem Opportunity RESEARCH INFILTRATION Patient Zero DISCOVERY EXFILTRATION CAPTURE DAYS TO WEEKS SECONDS TO MINUTES WEEKS TO MONTHS
- 12. • Perimeter defenses are breached, almost at will - More than half of survey participants operate assuming compromise - Attackers don’t need stealth or APT-style funding to get the job done. - Proactive hunting is the only way to detect adversaries that have bypassed initial detection - The majority of respondents say they want to be able to obtain data from all queried endpoints in under 1 hour - Some critical endpoints (e.g. payment processing servers) cannot afford any downtime. SANS SURVEY ENDPOINT SECURITY TAKEAWAYS 12
- 13. • Not sure if you have been breached! • Prevention isn’t working but there is no next step YOUR CHALLENGES 14
- 14. • Not sure if you have been breached! • Prevention isn’t working but there is no next step • Everything occurs on the endpoint, but Perimeter, network, & log ≠ endpoint YOUR CHALLENGES Five Styles of Advanced Threat Defense Real-Time/ Near-Real-Time Postcompromise (Days/Weeks) Network Network Traffic Analysis Network Forensics Payload Payload Analysis Endpoint Endpoint Behavior Analysis Endpoint Forensics TIME WHERETOLOOK Style 1 Style 2 Style 3 Style 4 Style 5 15
- 15. • Not sure if you have been breached! • Prevention isn’t working but there is no next step • Everything occurs on the endpoint, but Perimeter, network, & log ≠ endpoint • Too may alerts! What volume do you see? YOUR CHALLENGES 16
- 16. • Not sure if you have been breached! • Prevention isn’t working but there is no next step • Everything occurs on the endpoint, but Perimeter, network, & log ≠ endpoint • Too may alerts! What volume do you see? • No way to identify security gaps and verify policies are working YOUR CHALLENGES 17
- 17. • Not sure if you have been breached! • Prevention isn’t working but there is no next step • Everything occurs on the endpoint, but Perimeter, network, & log ≠ endpoint • Too may alerts! What volume do you see? • No way to identify security gaps and verify policies are working • Lack of visibility into sensitive data YOUR CHALLENGES 18
- 18. • Not sure if you have been breached! • Prevention isn’t working but there is no next step • Everything occurs on the endpoint, but Perimeter, network, & logs ≠ endpoint • Too may alerts! What volume do you see? • No way to identify security gaps and verify policies are working • Lack of visibility into sensitive data • Analysts spend too much time collecting and correlating data YOUR CHALLENGES 19
- 19. YOU CAN FIND THEM ! SO YOU CAN’T STOP THEM GETTING IN, BUT… 20
- 20. • Broad operating system support ensures all your assets are covered, not just servers • Non-reliance on the operating system for trusted and verifiable information • Correlation across disparate data types • Visibility into restricted, hidden and encrypted areas • Forensic-level access to disk, memory and attached devices • True remediation (wiping) capabilities ENDPOINT VISIBILITY IS EVERYTHING 21
- 21. HOW DEEP IS DEEP? • Deep File System • Dead Registry • OS Exe/DLL Interaction − App Compat Cache − Windows SxS • Windows Event Logs • SQL/AD Event Logs • Windows Management Instrumentation (WMI) • Registry • Processes • ARP Tables • Memory • Lnk Files • Anti-Forensic Defection • PreFetch • Hash/Entropy • Open Ports • DNS Cache • Email • Internet • Open Files Human Readable Easy Data Access High Barrier to EntryReverse engineering required for truth No interpretation required Individual Forensic Interpretation 22
- 22. 23 ENDPOINT ACTIVITY CAN REVEAL PATIENT ZERO Machine Name File Name Process Hash User Account
- 23. • Vendor Agnostic • Process to implement a Security Framework that moves from a Passive to Active Defense • Applicable for teams with new or mature security plans • Increase ROI on security analysts and technology INSIDE OUT SECURITY FRAMEWORK 24
- 24. • Every tiny action leaves an artefact of either system or user activity • Artefact correlation defines a baseline and tells a story of use, no limitations • Proactively detect the aberrations – known, unknown, insider, and zero day threats - Anomalies indicate unseen threats - Review of security policies redefine direction 25 KNOWN AND UNKNOWN DETECTION OF THE Eliminate your reliance on signatures, heuristics, policies or IOCs The only way to detect what you haven’t already! DETECT & ASSESS
- 25. • Proactively discover any sensitive data across the organization - Endpoints - Structured Repositories (Office 365, Shares, etc.) • Enforce sensitive data policies • Prioritize incident response around high-risk assets MAJOR RISK EXPOSED DATA IS Limit risk and exposure an internal or external threat! 26 ASSESS & RESPOND
- 26. • Automated forensic collection integrates with existing security technologies - No information decay; works 24/7 • Reduce false-positive events quickly and gain down-stream benefits • Identify unknown binaries triggering behavioral or heuristic alerts INCIDENT RESPONSE AUTOMATED Ensure valid perimeter, network and log events are being seen! Reduce compromise to discovery from months to days or hours 27 RESPOND AUTOMATICALLY
- 27. Response shouldn’t take forever • Quickly identify suspect processes using localized white/black lists • Root out all potential indicators • Determine if suspect files are Threats with ThreatGrid and other intelligence sources • Determine scope and impact across the organization of any threat instance • Integrate with existing workflow management, home grown and third party point solutions INCIDENT RESPONSE ON-DEMAND Reduce compromise to discovery and time to resolution from months to hours 28 RESPOND ON DEMAND
- 28. • Kill running processes • Surgically remove all iterations of malware and related artifacts • Wipe sensitive data from unauthorized locations • Produce reports demonstrating success/compliance RECOVERY AND REMEDIATION Wipe and reimage costs weeks! Reduce time to resolution from weeks to hours 29 RECOVER & REMEDIATE
- 29. DEFENSE IN DEPTH: LEVERAGE EXISTING INFRASTRUCTURE 30
- 30. • #1 in Endpoint Detection and Response by Gartner • There is no Security without endpoint visibility • Detect unknown threats that perimeter, network, and logs can’t see • Detect attacks before you end up a headline • Enable your team to discover and resolve valid threats immediately CAN YOU AFFORD TO BE ONE OF THE NUMBERS? 31
- 31. THANK YOU IAN RAINSBOROUGH GUIDANCE SOFTWARE EMAIL: IAN.RAINSBOROUGH@GUID.COM