User Behavior Intelligence Fundamentals: Behaviors, Characteristics, and Facts
Ken Paiboon, Exabeam (ken@exabeam.com, 214.274.3436)


The Anthem Data Breach
Quotes from the breach notification letters:
  "…Attackers gained unauthorized access…"
  "…Information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data…"
  "…Believe it happened over the course of several weeks beginning in early December 2014…"
  "…contacted the FBI / retained Mandiant…"
  "I personally apologize to each of you."

What do these letters really tell us?
- We are not completely sure WHEN, HOW, or for HOW LONG we have been breached.
- We were not able to detect the data breach until well after the fact.
- A DBA witnessed his own credentials being used to execute the queries.
- An attacker obtained credentials that allowed for unauthorized access.
- Due to either technology or personnel limitations we were not able to figure out what happened ourselves, so we asked Mandiant in to manually piece together the story.

The Pervasive Data Breach Problem
- 224: average number of days the attacker was resident before detection (Mandiant report, 2014)
- 100% of breaches involved stolen credentials (Mandiant report, 2013)
- 100% of the time, evidence of the attack was in log data
- 59,746: alerts tied to the 8-month attack at Neiman Marcus, roughly 1% of all suspicious alerts generated in that period (news accounts)

What do these numbers tell us?
1. We have to know what to look for.
2. We get too many alerts.
3. We don't get the full picture.

We are focused on the attack chain phases…
(Figure: the attack chain with two annotations, "Where most of our detection effort and money goes" and "Some detection effort and money goes here (DLP)". Source: FireEye Mandiant APT1 report, Feb 2013.)

…instead of what enables each phase
Attack chain (source: FireEye Mandiant APT1 report, Feb 2013):
  Initial Recon -> Initial Compromise -> Establish Foothold -> Escalate Privileges -> Internal Recon -> Move Laterally -> Maintain Presence -> Complete Mission
Timing: hours for the opening phases, weeks or months for the middle phases, hours for the final phase.
"POSSIBLE CREDENTIAL USE" is annotated across the chain: credentials are the enabler the phases have in common.

User Behavior Intelligence is the missing layer of detection after perimeter defenses
- Employees use credentials to access IT systems to create business value.
- Attackers use credentials to access the same systems to steal the business value employees create.
- Attackers and employees have divergent goals, which result in different behaviors and access characteristics.

Defining a UBI Solution
A User Behavior Intelligence solution:
- Learns and remembers normal credential access behaviors and characteristics, and scores what is anomalous
- Provides information about what normal user behavior looks like, as context
- Assembles the data into user sessions (log-on to log-off)
- Keeps "state" on the user across identity (account) and internet address switches
- Attributes security alerts to the credential (user) that was in use on the system when the alert occurred
- Creates efficiencies in security operations
- Fits into the CDM (DHS Continuous Diagnostics and Mitigation) Phase 2 capability area "Manage Accounts for People and Services", specifically "Security Related Behavior"
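The three session bullets above (assemble log-on to log-off sessions, keep state across identity and address switches, attribute alerts to the credential in use) as an added example; this is illustration code, not Exabeam's session-tracking logic. It stitches constructed log lines into sessions: a VPN login assigns an address, later host logons arrive with that address rather than the user name, an su/runas-style switch moves the same human onto a service account, and each alert is then attributed to the session owner rather than to whatever account the host reported. The log format, hosts, accounts and IP addresses are all constructed.

```python
"""Session tracking for UBI: stitch raw log lines into log-on to log-off user
sessions, keep identity across account and IP switches, and attribute alerts
to the credential (human) behind them.

Added illustration, not Exabeam's own session-tracking code. The log format,
hosts, accounts and IP addresses below are constructed for the example."""
import re
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(r"^(\S+) (vpn login|vpn logoff|host logon|priv switch|alert) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Session:
    owner: str                      # credential that started the session
    start: str
    end: Optional[str] = None
    accounts: set = field(default_factory=set)   # every account used, incl. switches
    hosts: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    alerts: list = field(default_factory=list)   # (time, signature, account seen on host)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line}")
    ts, kind, rest = m.groups()
    return ts, kind, dict(KV_RE.findall(rest))


def stitch(lines):
    """Return (sessions, orphan_alerts). Alerts whose host/account pair cannot be
    tied to any session are reported rather than silently dropped."""
    sessions, orphans = [], []
    by_ip = {}             # source or VPN-assigned IP -> Session
    by_host_account = {}   # (host, account) -> Session
    for line in lines:
        ts, kind, kv = parse(line)
        if kind == "vpn login":
            s = Session(owner=kv["user"], start=ts)
            s.accounts.add(kv["user"])
            s.ips.update({kv["src"], kv["assigned"]})
            sessions.append(s)
            by_ip[kv["assigned"]] = s          # later host logs show the VPN IP, not the user
        elif kind == "host logon":
            s = by_ip.get(kv["src"])
            if s is None:                      # no prior session (e.g. LAN logon): start one
                s = Session(owner=kv["user"], start=ts)
                sessions.append(s)
                by_ip[kv["src"]] = s
            s.hosts.add(kv["host"])
            s.accounts.add(kv["user"])         # may differ from owner after a switch
            s.ips.add(kv["src"])
            by_host_account[(kv["host"], kv["user"])] = s
        elif kind == "priv switch":            # su / runas: new account, same human
            s = by_host_account.get((kv["host"], kv["from"]))
            if s is not None:
                s.accounts.add(kv["to"])
                by_host_account[(kv["host"], kv["to"])] = s
        elif kind == "alert":
            s = by_host_account.get((kv["host"], kv["account"]))
            if s is None:
                orphans.append((ts, kv["host"], kv["account"], kv["sig"]))
            else:
                s.alerts.append((ts, kv["sig"], kv["account"]))
        elif kind == "vpn logoff":
            for s in sessions:
                if s.owner == kv["user"] and s.end is None:
                    s.end = ts
    return sessions, orphans


def attribution(session):
    """Alerts as the analyst should see them: (time, signature, account on the host, owning credential)."""
    return [(ts, sig, acct, session.owner) for ts, sig, acct in session.alerts]


LOGS = [  # constructed sample log lines
    "2015-08-27T02:14:05Z vpn login user=jerry src=203.0.113.45 assigned=10.8.0.23",
    "2015-08-27T02:16:40Z host logon host=fs-payroll-01 user=jerry src=10.8.0.23",
    "2015-08-27T02:31:12Z priv switch host=fs-payroll-01 from=jerry to=svc_backup",
    "2015-08-27T02:33:50Z alert host=fs-payroll-01 account=svc_backup sig=mass-file-read",
    "2015-08-27T03:02:00Z host logon host=db-bkp-03 user=svc_backup src=10.8.0.23",
    "2015-08-27T03:05:19Z alert host=db-bkp-03 account=svc_backup sig=large-archive-created",
    "2015-08-27T03:10:00Z alert host=db-bkp-03 account=root sig=shadow-file-read",
    "2015-08-27T03:40:00Z vpn logoff user=jerry",
    "2015-08-27T08:00:00Z host logon host=wks-114 user=alice src=10.1.4.114",
    "2015-08-27T08:02:00Z alert host=wks-114 account=alice sig=av-quarantine",
]

if __name__ == "__main__":
    sessions, orphans = stitch(LOGS)
    for s in sessions:
        print(s.owner, s.start, s.end, sorted(s.accounts), sorted(s.hosts))
        for row in attribution(s):
            print("   ", row)
    print("unattributed:", orphans)
```

Both alerts that fire under the svc_backup account land on jerry's session, which is the credential an analyst needs to see; the root alert stays in the orphan list because no logon or switch ever tied root on that host to a session, and reporting that gap is better than guessing.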

Undetected Attack: South Carolina IRS
Timeline:
- 13 August: spear phishing
- 27 August: VPN in with stolen credentials
- 29 August to 11 September: server and application recon
- 12 September: file data theft
- 13-14 September: exfiltration
At various stages of this attack, important anomalies went unnoticed:
- VPN access off hours
- VPN access from a new device
- VPN access from outside the US
- Unusual access to servers
- Crawling of sensitive servers
- Copy of large DB backups

Using behavior modeling to determine: is it anomalous?
The system automatically asks access-context questions at three levels: the user, the user's peer group, and the organization, with custom algorithms applied at each level.
(Figure, VPN access example: the attributes ISP, IP, GEO, VPN login time, target realm, source device and target server, each compared against what has been seen before for the user, the peer group and the organization.)

Understanding Normal as Context is Critical
- SIEMs are not engineered to surface abnormal from normal.
- Important for a learning engine: to learn or not to learn, that is the question. Account for divergent behavior, but only to a point; a session that scores as anomalous should not be folded into the model of "normal".
- Know when to say, "I can't make a determination."
- Data distribution and amounts matter.

Example of a Proven UBI Approach
(Architecture figure.) Inputs: IT, security and machine data from log management; context from ERP, CMDB, HRMS, ITMS and Active Directory; research and community insights. User Behavior Intelligence pipeline: Extract & Enrich -> Session Tracking -> Behavior Analysis -> Risk Engine. Outputs: risk scoring, incident ranking and attack detection (example session SCORE 75).

Solving the IRS Example Using UBI

Activity timeline   Question                                                        Answer   Risk
8:29 AM             Has Jerry connected during the weekend?                         NO       +10
                    Has Jerry used this device to connect to the VPN in the past?   NO       +10
                    Has Jerry previously entered the network from abroad?           YES      -5
                    Has Jerry previously entered the network from Romania?          NO       +20
                    Risk score = 35
9:15 AM             Has Jerry connected to this server in the past? (x4)            NO       +40
                    Has Jerry's file share contained sensitive information? (x2)    YES      +10
                    Has Jerry's peer group accessed this server in the past?        NO       +5
                    Risk score = 90
10:30 AM            Has Jerry crawled file shares?                                  NO       +5
                    Risk score = 95

Session SCORE: 95
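The behavior-modeling questions (user, peer group, organization) and the Jerry scoring walk-through above, as one added example; this is illustration code, not Exabeam's risk engine. It learns baselines from constructed benign history, answers each "has this been seen before?" question against the user or the peer group, accumulates points through the session and reproduces the 35 / 90 / 95 checkpoints from the table. It also makes the "to learn or not to learn" decision: only sessions that score as normal are folded back into the baseline. The point values come from the slide; the history, host names, the +15 for a user with no prior foreign access and the learn threshold of 50 are assumptions.

```python
"""Session risk scoring on learned user and peer-group baselines.

Added illustration, not Exabeam's risk engine. Point values follow the Jerry
walk-through; the history, host names, the +15 rule for a never-travelled user
and the LEARN_BELOW threshold are constructed assumptions."""
from collections import defaultdict
from itertools import groupby

# Each rule: (scope, points if the value is new for that scope, points if already known).
# 'user' keys on the user, 'peer' on the user's peer group; 'flag' adds the first
# value whenever the event value is truthy (a context fact, no baseline lookup).
RULES = {
    "day_type":        [("user", 10, 0)],               # first weekend logon for this user
    "device":          [("user", 10, 0)],               # VPN from a device never used before
    "abroad":          [("user", 15, -5)],              # slide: prior foreign access -5; +15 is an assumption
    "country":         [("user", 20, 0)],               # never seen from this country
    "server":          [("user", 10, 0), ("peer", 5, 0)],  # new for user (+10) and for peers (+5)
    "sensitive_share": [("flag", 5, 0)],                # slide: two sensitive shares, +10 total
    "crawl":           [("user", 5, 0)],                # first time this user enumerates file shares
}
LEARN_BELOW = 50   # assumption: sessions at or above this score are not learned as normal


class Baseline:
    """Remembers every (scope, key, attribute) -> value seen in benign history."""
    def __init__(self):
        self._seen = defaultdict(set)

    def learn(self, scope, key, attribute, value):
        self._seen[(scope, key, attribute)].add(value)

    def known(self, scope, key, attribute, value):
        return value in self._seen[(scope, key, attribute)]


def score_event(baseline, user, peer, attribute, value):
    """Risk points for one event: answer each rule's 'has this been seen?' question."""
    points = 0
    for scope, if_new, if_known in RULES.get(attribute, []):
        if scope == "flag":
            points += if_new if value else if_known
            continue
        key = user if scope == "user" else peer
        points += if_known if baseline.known(scope, key, attribute, value) else if_new
    return points


def score_session(baseline, user, peer, events):
    """events: [(time, attribute, value)] in time order. Returns [(time, running score)]."""
    total, checkpoints = 0, []
    for time, group in groupby(events, key=lambda e: e[0]):
        for _, attribute, value in group:
            total += score_event(baseline, user, peer, attribute, value)
        checkpoints.append((time, total))
    return checkpoints


def learn_session(baseline, user, peer, events):
    """Fold a session into the baseline only if it looked normal: a high-risk
    session must not teach the model that attacker behavior is normal.
    Returns True if the session was learned."""
    total = score_session(baseline, user, peer, events)[-1][1] if events else 0
    if total >= LEARN_BELOW:
        return False
    for _, attribute, value in events:
        for scope, _, _ in RULES.get(attribute, []):
            if scope != "flag":
                baseline.learn(scope, user if scope == "user" else peer, attribute, value)
    return True


def build_demo_baseline():
    """Constructed benign history for user 'jerry' in peer group 'finance'."""
    b = Baseline()
    for attribute, value in [("day_type", "weekday"), ("device", "jerry-laptop"),
                             ("abroad", True), ("country", "US"), ("country", "DE"),
                             ("server", "fs-hr-02")]:
        b.learn("user", "jerry", attribute, value)
    for server in ["fs-payroll-01", "fs-payroll-02", "app-tax-09"]:
        b.learn("peer", "finance", "server", server)   # db-bkp-03: never touched by peers
    return b


DEMO_SESSION = [   # constructed VPN session mirroring the slide's timeline
    ("08:29", "day_type", "weekend"),
    ("08:29", "device", "unknown-win10-7f3a"),
    ("08:29", "abroad", True),
    ("08:29", "country", "RO"),
    ("09:15", "server", "fs-payroll-01"),
    ("09:15", "server", "fs-payroll-02"),
    ("09:15", "server", "db-bkp-03"),
    ("09:15", "server", "app-tax-09"),
    ("09:15", "sensitive_share", True),
    ("09:15", "sensitive_share", True),
    ("10:30", "crawl", "share_enumeration"),
]


def demo():
    baseline = build_demo_baseline()
    checkpoints = score_session(baseline, "jerry", "finance", DEMO_SESSION)
    learned = learn_session(baseline, "jerry", "finance", DEMO_SESSION)
    return checkpoints, learned


if __name__ == "__main__":
    checkpoints, learned = demo()
    for time, score in checkpoints:
        print(f"{time}  risk score = {score}")
    print("session learned as normal:", learned)
```

The peer-group rule is what separates "new for Jerry" from "new for anyone in finance": three of the four servers are ordinary for his peers and only the backup host adds peer points, which is why the 9:15 block totals +55 and not +60. Because the session ends at 95, learn_session refuses to add the Romanian source, the unknown device and the backup host to Jerry's baseline; a benign session that scores under the threshold is learned.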

UBI Summary
- Focuses the security team on what attackers want and use: credentials
- Extracts additional value from existing SIEM and log management data repositories
- Learns and remembers 'normal' user behaviors for individuals and peer groups
- Prioritizes security risks based on transparent scoring of user activity outliers and business role context
- Shows security events in context, which reduces false positives
- Scales to hundreds of thousands of users
- Detects cyber attacks and insider threats in real time

Q&A Thank You! www.exabeam.com