Scalar Security Roadshow: Toronto Presentation - April 15, 2015

On April 15, 2015, Scalar hosted its Security Roadshow in Toronto, focused on defence in three key areas: endpoint, application, and network. Led by our team of experts, these quick-fire, interactive sessions arm you with the knowledge you need to improve your cyber security posture in some of the most common areas of vulnerability.

Defend the Endpoint with Bromium
Bromium is a new endpoint protection tool that relies on task-based virtualization. In this demo we'll look at how Bromium runs and protects the endpoint. We'll invite 0-days from the audience and bring our own to show how the system really works. Much like each virtual server being contained by a hypervisor, with Bromium each individual task on a host is contained in its own hardware-isolated micro-VM. If you've ever looked at the Windows Task Manager, or the output of a Unix 'ps' process list, imagine each group of processes that makes up a task being contained in its own micro-VM. That can be 40-50 tasks or more, each isolated in its own small virtual machine with no real access to the host.

Why is task virtualization helpful? By keeping each task in its own micro-VM, Bromium gives you a bottom-up view of each individual task's behaviour without impacting system performance. If each task is contained in its own micro-VM, it's easy to see when a process begins spawning other activity or creating unusual traffic, so anything suspicious stands out. This is the most granular level of inspection you can get at a host level: Bromium is watching from the moment the malware begins to execute, and when the micro-VM is discarded, everything the malware did inside it is discarded with it.

Defend the Application with WhiteHat
In this session we will look at a newer approach to application security and penetration testing, which combines persistent, automated testing that continuously monitors applications for vulnerabilities with deep inspection of the business logic by trained specialists. This approach exceeds the newer PCI DSS 3.0 requirements and provides ongoing assurance that web application vulnerabilities are quickly detected and tracked to remediation.
We'll walk through the WhiteHat Security client management portal and discuss the WhiteHat methodology you can now use to draw on the 150+ application specialists at WhiteHat and build a continuous application assessment process for your company's active web applications and software development teams.

Defend the Network with LogRhythm
As the security landscape changes, Security Information and Event Management (SIEM) tools that detect and investigate security breaches and threats have become increasingly complex to implement, integrate, and support. Inefficient solutions leave organizations slow to defend against and respond to complex attacks.

LogRhythm’s Security Intelligence Platform has removed the complexity from SIEM, while leveraging real-time threat intelligence with behavioural an


Scalar Security Roadshow: Toronto Presentation - April 15, 2015

  1. Scalar Security Roadshow, April 15, 2015. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
  2. Vancouver, Calgary, Toronto, Ottawa, London, Montreal. 100%
  3. We studied the Canadian market:
     • 41% believe they are winning the cyber security war
     • 46% suffered a breach leading to loss or disclosure of sensitive data
     • Average annual number of attacks: 34
     • Average cost to address a security breach: $200,000
  4. Traditional Approaches Have Failed
     • Security is more complicated than ever; hackers are funded and motivated
     • Many organizations struggle to understand and effectively control security risk
     • Traditional security approaches have not been effective
     • Companies who invest in security are still suffering catastrophic breaches
  5. "Good Enough" always fails.
  6. High performers (25% fewer breaches):
     • Are more aware of the threat landscape
     • Have a higher percentage of their IT budget dedicated to security
     • Invest in cutting-edge technologies
     • Measure the ROI of those technologies
     • Have a security strategy that is aligned with their business objectives and mission
  7. What do Top Performers do? Prepare, Defend, Respond:
     • Be more aware of threats and align your security strategy with business objectives
     • Build effective security programs to protect critical assets
     • Design and build robust security solutions using leading technologies that provide visibility, understanding and control
     • Develop or acquire expertise to monitor and respond to security events
     • Continuously validate the effectiveness of security controls
  8. Winning the War
     • Addressing business risk
     • Effective reduction of attack surface
     • Understandable and actionable security intelligence
     • Rapid incident containment and response
     • Continuous validation and meaningful reporting
  9. Today's Agenda
  10. Isolated. Protected. Bromium.
  11. Security Architecture 1.0: traditional security technologies don't stop next-generation threats.
  12. Endpoint: The Path of Least Resistance. Threat targets: desktops, laptops, users, Windows 7, Windows 8.1, Internet Explorer. Threat channels: web and email. Threat vectors: web links and downloaded files (documents, pictures, videos). Your security posture is significantly improved by negating the key security issues of users clicking malicious web links and opening infected attachments. Prioritize focus.
  13. The Business Problem, the Bromium Cure: secure web browsing, secure email, security patching.
  14. Endpoint Isolation Technology, How It Works: untrusted user tasks, and any malware they carry, are isolated in a super-efficient, hardware-isolated micro-VM. All micro-VMs are destroyed afterwards, eliminating all traces of malware with them.
  15. Why Bromium? Open anything, from anyone, anywhere.
  16. Isolated. Protected.
  17. WhiteHat Security Application Testing. Rob Stonehouse, CISSP, Chief Security Architect.
  18. About WhiteHat Security
     • Application security testing leader in the Gartner Magic Quadrant
     • HQ in Santa Clara, California
     • Employees: 300
     • Customers: 650+
     • Sites under management: 30,000+
  19. SAST, "Sentinel Source" Static Testing
     • Integrates into your development process
     • Connects directly to the source code repository
     • Designed for Agile
     • Your code stays on site
     • Verified vulnerabilities avoid false positives
     • Assesses partial code, as often as needed
  20. Sentinel Mobile, Secure Mobile Devices
     • Assesses both iOS and Android applications
     • Tests native mobile code and server-side APIs
     • Identifies critical vulnerabilities including the OWASP Mobile Top 10
     • Verified findings: zero false positives reduce overhead for developers; results prioritized by risk
     • Covers traffic analysis between client and server side
  21. DAST, Dynamic Application Testing
     • Non-intrusive, non-disruptive, 24x7 coverage
     • Meets and exceeds PCI DSS 6.5/6.6 requirements
     • Full service and support included in all offerings
     • Unlimited retests, integration support, and remediation guidance at no additional charge
     • Persistent, consistent testing and results
     Example vulnerability classes: Cross-site Scripting, Credential/Session Prediction, Weak Password Recovery Validation, Information Leakage, Brute Force, SQL Injection, Insufficient Authentication.
  22. Application Security Lifecycle: an integrated application security lifecycle, with SAST built into the software development lifecycle.
  23. How to Remediate Vulnerabilities?
     • Continuous testing: full SDLC coverage (training, development, QA, and production); stop using tiger teams!
     • Expert hands-on guidance from the Threat Research Center: 100% verified vulnerabilities, zero false positives; 150+ security engineers available by phone, email or WebEx
     • Retest, retest, retest: trending of vulnerabilities across time and continuous assessment of deployment
  24. How Deep to Test?
     • Sentinel PE (fully targeted / high risk): ideal for high-impact sites with sensitive user and financial information; technical and business-logic vulnerabilities, complete WASC v2 coverage
     • Baseline Edition (static web pages): unauthenticated, verified results
     • Standard Edition (directed / opportunistic): custom-configured logins and multi-step sequences; comprehensive coverage for technical vulnerabilities
  25. Scan Scheduling
  26.-28. (No text; © WhiteHat Security 2013.)
  29. Flexible Reporting
     • Web and PDF based
     • Bi-directional XML API
     • Integration with popular technologies like Jira, Archer, F5 and Imperva
  30. WhiteHat Sentinel Vulnerability Coverage (across the Baseline, Standard and Premium editions)
     • Command Execution: Buffer Overflow, Format String Attack, LDAP Injection, OS Commanding, SQL Injection, SSI Injection, XPath Injection
     • Information Disclosure: Directory Indexing, Information Leakage, Path Traversal, Predictable Resource Location
     • Authentication: Brute Force, Insufficient Authentication, Weak Password Recovery Validation
     • Authorization: Credential/Session Prediction, Insufficient Authorization, Insufficient Session Expiration, Session Fixation
     • Logical Attacks (business logic, hands-on inspection): Abuse of Functionality, Insufficient Anti-automation, Insufficient Process Validation
     • Client-Side: Content Spoofing, Cross-site Scripting, HTTP Response Splitting, Insecure Content
  31. Protecting the Network with LogRhythm. Nyron Samaroo, Security Architect.
  32. Introduction
     • What is SIEM? Security Information and Event Management (SIEM) is a tool used to gather and report on security information.
     • Who is LogRhythm? LogRhythm is a global leader in security intelligence and analytics, empowering organizations to rapidly detect, respond to and neutralize cyber threats. Their Security Intelligence platform unifies next-gen SIEM, log management, network and endpoint forensics, and advanced security analytics.
     • How will LogRhythm defend my network? Through intelligent and behavioural analytics, LogRhythm detects in near real time, and can respond to, security events not just on the network but on the critical assets residing on it.
  33. LogRhythm in Motion. Data flow through the platform:
     • Sources: LogRhythm Agents on workstations and servers; network devices
     • Log Manager: identification, classification, normalization, prioritization, aggregation
     • AI Engine: behaviour analytics / advanced correlation
     • Event Manager: events console, reporting, alarming, configuration
     • Archiving; LogRhythm Personal Dashboard / Web UI
  34. The Platform for Security Intelligence: Input, Analytics, Output.
  35. LogRhythm System Monitor
     • Host Activity Monitoring: independently collects forensic detail; ideal for hosts with sensitive data or critical applications; support for Microsoft, Linux, and Unix platforms
     • File Integrity and Windows Registry Monitoring: meet compliance requirements; recognize "who" performed unauthorized file changes or moves
     • Process Monitoring: build whitelists for recognizing malware or blacklists of undesired applications
     • Network Connection Monitoring: identify new, non-whitelisted network services; detect anomalous network activity indicating data exfiltration or botnet C&C
     • Data Loss Defender: monitor unauthorized data movement to prevent data theft
  36. LogRhythm Network Monitor
     1. True application identification for over 2,800 applications (for example Google Docs, PostgreSQL, SMTP, Facebook apps, Tor, Skype, Dropbox, Xbox Live, AWS, BitTorrent, GoToDevice, Gmail, Samba)
     2. SmartFlow: search and analyze packet data from each network session up to Layer 7
     3. SmartCapture: full or selective packet capture for deeper forensic analysis
     Example SmartFlow records on the slide (an SMB file access and an outbound email from the same host, with the same timestamp and byte count, carrying a file as an attachment):
     SMB session: Source IP 192.168.12.59; Destination IP 192.168.2.84; Command: smb2 change; Filename: SethMy Documents todayspreso.ppt; Path: serverfileUsers; Application path: /tcp/netbios/smb; Login: seth.goldhammer; Bytes: 4.52 Mb; Time Start: 2013/10/10 19:30:38; Time Updated: 2013/10/10 …
     SMTP session: Source IP 192.168.12.59; Destination IP 192.168.18.2; Sender: seth@logrhythm.com; Receiver: kbroughton@recruiter.com; Attachment File Name: SethMy Docs employeedata.txt; MIME Type: http/text; Bytes: 4.52 Mb; Time Start: 2013/10/10 19:30:38; Time Updated: 2013/10/10 …
  37. Real-time Forensic Monitoring
     • System Monitoring: capture host activities not represented by log data; gain deep visibility on valuable hosts and sensitive data
     • Network Monitoring: capture network activities not captured by standard flow data; recognize applications and perform Deep Packet Inspection (DPI) on all network traffic
     Independent collection of forensic detail is CRITICAL for recognizing high-risk activities.
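The two SmartFlow records on slide 36 tell an exfiltration story (a file read from a share, then the same-sized file mailed to an outside recruiter) without saying how an analyst would turn that into a detection. The following is an added example, not LogRhythm code, that parses session records laid out in the same key: value style and applies two rules over them: a sensitively named attachment leaving for an external mail domain, and the chain of an SMB read followed by an outbound email of a file with the same name and byte count from the same source host. The record text, the internal domain example.com, the sensitive-name pattern and the time window are constructed assumptions; the sessions are modelled on the slide but are not its data.

```python
"""Exfiltration-chain detection over SmartFlow-style session records.
Added example, not LogRhythm code. The record layout, the internal mail domain
and the sample sessions below are constructed for this demonstration."""
import re
from datetime import datetime

# Constructed sample sessions, modelled on the records shown on the slide.
SESSIONS_TEXT = r"""
Source IP: 192.168.12.59
Destination IP: 192.168.2.84
Application: smb
Command: smb2 read
Filename: \\fileserver\Users\sgold\My Documents\employeedata.txt
Login: sgold
Bytes: 4.52 Mb
Time Start: 2013/10/10 19:28:02

Source IP: 192.168.12.59
Destination IP: 192.168.18.2
Application: smtp
Sender: sgold@example.com
Receiver: hiring@recruiter.example
Attachment File Name: employeedata.txt
Bytes: 4.52 Mb
Time Start: 2013/10/10 19:30:38

Source IP: 192.168.12.60
Destination IP: 192.168.18.2
Application: smtp
Sender: pat@example.com
Receiver: lee@example.com
Attachment File Name: agenda.docx
Bytes: 0.03 Mb
Time Start: 2013/10/10 19:31:00
"""

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domains
SENSITIVE_NAME = re.compile(r"(employee|payroll|salary|customer|ssn)", re.I)
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_sessions(text):
    """Split the blank-line-separated key: value blocks into one dict per session."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        sessions.append(fields)
    return sessions


def basename(path):
    """Last component of a Windows (backslash) or POSIX (slash) path."""
    return re.split(r"[\\/]", path)[-1]


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def sensitive_external_attachments(sessions):
    """Rule 1: mail leaving the organisation with a sensitively named attachment."""
    hits = []
    for s in sessions:
        name = s.get("Attachment File Name")
        if (s.get("Application") == "smtp" and name and SENSITIVE_NAME.search(name)
                and is_external(s.get("Receiver", ""))):
            hits.append((s["Source IP"], s["Receiver"], name))
    return hits


def exfil_chains(sessions, window_s=600):
    """Rule 2: a file read over SMB, then mailed externally as an attachment with
    the same name and byte count, from the same source host, within window_s."""
    reads = [s for s in sessions if s.get("Application") == "smb" and "Filename" in s]
    chains = []
    for mail in sessions:
        name = mail.get("Attachment File Name")
        if mail.get("Application") != "smtp" or not name or not is_external(mail.get("Receiver", "")):
            continue
        t_mail = datetime.strptime(mail["Time Start"], TIME_FMT)
        for r in reads:
            t_read = datetime.strptime(r["Time Start"], TIME_FMT)
            same_host = r["Source IP"] == mail["Source IP"]
            same_file = basename(r["Filename"]) == name and r.get("Bytes") == mail.get("Bytes")
            if same_host and same_file and 0 <= (t_mail - t_read).total_seconds() <= window_s:
                chains.append((mail["Source IP"], r.get("Login"), name, mail["Receiver"]))
    return chains


if __name__ == "__main__":
    sessions = parse_sessions(SESSIONS_TEXT)
    print(sensitive_external_attachments(sessions))
    print(exfil_chains(sessions))
```

Matching on file name plus byte count rather than name alone keeps an innocent file that happens to share a name from firing the chain rule. The inverse case, a sensitive file renamed or zipped before it is mailed, is invisible to session metadata; that is the gap the slide's SmartCapture content capture is meant to close.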
  38. The Platform for Security Intelligence: Input, Analytics, Output.
  39. Data Classification
     • LogRhythm not only structures incoming data but adds contextual information such as classification, common event and risk score
     • Reduces the time required for analysis and ensures query results are complete
     • Provides deep intelligence on more than 600 different systems, devices, apps, databases, etc.; 20-30 added each quarter
     [Bar chart: number of supported log source types per category (axis 0-700), from small categories such as Customer Relations Management, Data Loss Prevention, File Integrity Monitor, UPS, Physical Security, Point-of-Sale, VoIP and Storage up to the largest: Web Servers, Network Management, IDS/IPS, Firewalls, Applications and Operating Systems, plus a Total bar.]
  40. Scenario Building Blocks (AI Engine rule block types)
     • Log Observed; Log Not Observed; Log Not Observed Scheduled
     • Threshold Observed; Threshold Not Observed; Threshold Not Observed Scheduled
     • Unique Value Observed; Unique Value Not Observed; Unique Value Not Observed Scheduled
     • Whitelist; Trend; Statistical
  41. Scenario Examples
     • Detecting Temporary Accounts: Log Observed (Account Created) followed by Log Observed (Account Deleted), with Account = Account, within a short time period
     • Detecting Forced Physical Access: Log Observed (Secure Panel Accessed) with Log Not Observed (no Badge Swipe) in a short time period before it
  42. Complex Scenario
     • Trend: Abnormal Access and Authentication Failures (log count comparison of authentication and access failures per user)
     • Trend: Abnormal Authentication Behaviour (histogram of authentication successes and failures per user)
     • Trend: Abnormal Authentication Locations (histogram of authentication success locations per user)
     • Unique Value Observed: same user with multiple anomalies, fed by the three trend blocks above ("event loop back": the alarms from one rule become the events of the next)
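Slides 40-42 name the building blocks and sketch how they combine, but not what each block actually computes over an event stream. Here is an added example, not LogRhythm code, that implements four of the block types as plain functions (Log Observed paired with Log Observed, Log Observed with Log Not Observed, Threshold Observed, Unique Value Observed) over a constructed set of normalised events, runs the two slide-41 scenarios and a per-user failure threshold plus new-location rule from slide 42, and then loops the resulting alarms back into a "same user with multiple anomalies" rule. The event fields, the learned location baseline, the windows (one hour, five minutes) and the threshold of ten failures are assumptions made for this demonstration.

```python
"""The AI Engine building blocks from the slides as plain functions run over a
constructed event stream. Added example, not LogRhythm code; the event fields,
windows and thresholds are assumptions made for this demonstration."""
from collections import defaultdict
from datetime import datetime


def _ts(e):
    return datetime.strptime(e["t"], "%Y-%m-%d %H:%M:%S")


def _gap(later, earlier):
    return (_ts(later) - _ts(earlier)).total_seconds()


def paired_within(events, first, second, key, window_s):
    """Log Observed + Log Observed: `second` follows `first` for the same `key`
    value within `window_s` seconds (slide 41: temporary account detection)."""
    pending, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["kind"] == first:
            pending[e[key]] = e
        elif e["kind"] == second and e[key] in pending:
            if _gap(e, pending.pop(e[key])) <= window_s:
                hits.append(e[key])
    return hits


def unpreceded(events, observed, expected, key, window_s):
    """Log Observed + Log Not Observed: `observed` with no `expected` event for the
    same `key` in the preceding `window_s` (slide 41: panel access, no badge swipe)."""
    last, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["kind"] == expected:
            last[e[key]] = e
        elif e["kind"] == observed:
            prior = last.get(e[key])
            if prior is None or _gap(e, prior) > window_s:
                hits.append((e[key], e["t"]))
    return hits


def threshold_observed(events, kind, key, minimum, window_s):
    """Threshold Observed: at least `minimum` `kind` events for one `key` value
    inside a sliding `window_s` (slide 42: abnormal authentication failures)."""
    per_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["kind"] == kind:
            per_key[e[key]].append(e)
    hits = []
    for k, evs in per_key.items():
        start = 0
        for end in range(len(evs)):
            while _gap(evs[end], evs[start]) > window_s:
                start += 1
            if end - start + 1 >= minimum:
                hits.append(k)
                break
    return hits


def unique_value_observed(events, kind, key, field, baseline):
    """Unique Value Observed: a `field` value never seen for this `key` in the
    learned `baseline` (slide 42: abnormal authentication locations)."""
    return [(e[key], e[field]) for e in sorted(events, key=_ts)
            if e["kind"] == kind and e[field] not in baseline.get(e[key], set())]


def run_scenarios(events, baseline):
    """Fire each scenario, then loop the per-rule alarms back into the
    'same user with multiple anomalies' rule (slide 42: event loop back)."""
    alarms = defaultdict(set)
    for u in paired_within(events, "account_created", "account_deleted", "user", 3600):
        alarms[u].add("temporary_account")
    for u, _ in unpreceded(events, "panel_access", "badge_swipe", "user", 300):
        alarms[u].add("forced_physical_access")
    for u in threshold_observed(events, "auth_failure", "user", 10, 300):
        alarms[u].add("abnormal_auth_failures")
    for u, _ in unique_value_observed(events, "auth_success", "user", "src", baseline):
        alarms[u].add("abnormal_auth_location")
    compound = {u for u, rules in alarms.items() if len(rules) >= 2}
    return dict(alarms), compound


# Constructed sample events (not real logs); 'kind' is the normalised common event.
EVENTS = [
    {"t": "2015-04-15 09:00:01", "kind": "account_created", "user": "svc_tmp"},
    {"t": "2015-04-15 09:20:14", "kind": "account_deleted", "user": "svc_tmp"},
    {"t": "2015-04-15 09:30:00", "kind": "account_created", "user": "newhire"},
    {"t": "2015-04-15 10:05:11", "kind": "badge_swipe", "user": "alice", "door": "dc-01"},
    {"t": "2015-04-15 10:05:40", "kind": "panel_access", "user": "alice", "door": "dc-01"},
    {"t": "2015-04-15 11:17:03", "kind": "panel_access", "user": "bob", "door": "dc-01"},
    {"t": "2015-04-15 11:30:00", "kind": "auth_success", "user": "alice", "src": "10.0.0.5"},
    {"t": "2015-04-15 12:01:00", "kind": "auth_success", "user": "mallory", "src": "198.51.100.7"},
] + [{"t": f"2015-04-15 12:00:{i:02d}", "kind": "auth_failure", "user": "mallory", "src": "10.0.0.9"}
     for i in range(12)]
# Assumed learned baseline: the source addresses each user normally logs in from.
BASELINE = {"alice": {"10.0.0.5"}, "mallory": {"10.0.0.9"}}

if __name__ == "__main__":
    print(run_scenarios(EVENTS, BASELINE))
```

The loop-back step is what makes the complex scenario more than four independent alarms: "mallory" trips both the failure threshold and the new-location rule and surfaces as a compound alarm, while "bob" (panel access with no badge) and "svc_tmp" (created and deleted within the hour) remain single-rule findings for an analyst to triage. Note that "newhire" never alarms: the created event stays pending until a matching deletion arrives, which is the state a real correlation engine has to bound in memory.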
  43. The Platform for Security Intelligence: Input, Analytics, Output.
  44. SmartResponse (closing the loop). SmartResponse delivers immediate action on real-world issues, such as when suspicious behaviour patterns are detected, specific internal or compliance-driven policies are violated, or critical performance thresholds are crossed. Examples:
     • Pull the attacking IP from the alarm and add it to a firewall ACL, terminating dangerous access to the network
     • Suspend or remove a newly added or recently modified privileged user account until the activity is verified as legitimate
     • Remove suspicious users from the network during the investigative period
     • Restart operational processes from alarms
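The first SmartResponse example, "pull the attacking IP from the alarm and add it to a firewall ACL", is the one most likely to hurt you if it runs without guard rails: a spoofed or internal origin address, an authorised scanner, or a low-confidence alarm can turn automated blocking into a self-inflicted outage. The following is an added example, not LogRhythm code, of the checks a practitioner would put in front of such an action. The alarm fields (origin_ip, risk, rule), the risk threshold, the never-block ranges, the RFC 1918 internal ranges and the Cisco-style ACL line are all assumptions for this demonstration, and the alarms are constructed.

```python
"""Guard rails for a SmartResponse-style 'add attacking IP to firewall ACL' action.
Added example, not LogRhythm code. Alarm fields, risk threshold, never-block list,
internal ranges and ACL syntax are assumptions made for this demonstration."""
import ipaddress

MIN_RISK = 80   # assumption: only auto-block on high-confidence alarms
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",     # hypothetical: authorised vulnerability-scanner range
    "198.51.100.10/32",   # hypothetical: partner VPN concentrator
)]


def plan_response(alarm, already_blocked=frozenset()):
    """Return (action, detail) for one alarm dict carrying 'origin_ip' and 'risk'."""
    try:
        ip = ipaddress.ip_address(alarm.get("origin_ip", ""))
    except ValueError:
        return ("skip", "no valid origin address in alarm")
    risk = alarm.get("risk", 0)
    if risk < MIN_RISK:
        return ("skip", f"risk {risk} below auto-block threshold {MIN_RISK}")
    if ip.is_loopback or ip.is_link_local or any(ip in n for n in INTERNAL_NETS):
        # An internal origin on the perimeter ACL is useless at best and self-DoS at
        # worst: route it to the 'remove suspicious hosts during investigation' path.
        return ("escalate", f"internal origin {ip}; quarantine the host, do not touch the perimeter ACL")
    if ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return ("skip", f"{ip} is not a routable unicast address")
    if any(ip in n for n in NEVER_BLOCK):
        return ("skip", f"{ip} is on the never-block list")
    if str(ip) in already_blocked:
        return ("skip", f"{ip} already blocked")
    return ("block", f"deny ip host {ip} any")   # assumed Cisco-style extended ACL syntax


def plan_responses(alarms):
    """Process a batch of alarms in order, de-duplicating ACL entries across it."""
    blocked, plans = set(), []
    for a in alarms:
        action, detail = plan_response(a, frozenset(blocked))
        if action == "block":
            blocked.add(a["origin_ip"])
        plans.append((a.get("rule"), action, detail))
    return plans


# Constructed alarms, not real data.
ALARMS = [
    {"rule": "Brute force from external host", "origin_ip": "198.51.100.77", "risk": 92},
    {"rule": "Brute force from external host", "origin_ip": "198.51.100.77", "risk": 95},
    {"rule": "Port scan", "origin_ip": "203.0.113.25", "risk": 90},
    {"rule": "Lateral movement", "origin_ip": "10.20.30.40", "risk": 88},
    {"rule": "Web scanner", "origin_ip": "198.51.100.5", "risk": 40},
    {"rule": "Malformed alarm", "origin_ip": "not-an-ip", "risk": 99},
]

if __name__ == "__main__":
    for plan in plan_responses(ALARMS):
        print(plan)
```

Two design points worth keeping when you wire this to a real firewall: the internal-origin case is escalated rather than silently dropped, because a lateral-movement alarm still needs a response, just not this one; and the ACL entries produced here should carry an expiry (a separate scheduled SmartResponse or cron job that removes them), since a blocklist that only ever grows eventually blocks a reassigned customer address.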
  45. Analytics Driven Defense Modules
  46. Privileged User Monitoring. Use case: detect a rogue administrator account. Details: identify when a privileged user is abusing authority, indicating either insider threat activity or compromised credentials. AIE rules look for:
     • New admin activity
     • Mass object deletion
     • Users added to a privileged group
     • Activity from a recently disabled privileged account
  47. Retail Cyber Crime Module. Use case: detect compromised back-office systems. Details: identify suspicious changes on back-office systems and the network activity they generate. AIE rules look for:
     • New processes
     • New authentications
     • New FIM access events
     • Any FIM modification event
     • Any DLD (Data Loss Defender) activity
     • New common event
     • New network activity
  48. Analytics Modules
     • Knowledge: industry experts; machine data intelligence; security; compliance; advanced threat research
     • Embedded Expertise: ready-to-use content; frequent, automatic updates; knowledge aligned to organizational goals
     • Rapid Time-to-Value: quick benefit recognition; ongoing additional value
  49. We deliver IT. April 18, 2015.
  50. Thank you.
  51. What's Next? Download our 2015 Security Study: The Cyber Security Readiness of Canadian Organizations. Download here: http://blog.scalar.ca/security-study-2015
  52. Connect with us! facebook.com/scalardecisions, @scalardecisions, linkedin.com/company/scalar-decisions, slideshare.net/scalardecisions
