The Modern Cyber Threat Pandemic
Richard Conley Sales Engineer
When Times Were Simpler
Fast forward to PWNED test: https://haveibeenpwned.com/
DDOS image taken from:
The Economist, November 2015
“Attackers will still get in (too much badly designed hardware and software is out there, and seemingly innocent websites can be doctored to infect computers that visit them). The only safe assumption is that your network is breached, and to make sure that you deal with intruders promptly—not after the 200-odd days which it typically takes.” - Edward Lucas
Too much badly designed..? Quoting; might want to find a different quote expressing a similar viewpoint.
The Economist, November 2015
“Many networks have no means of detecting a breach at all. And old-style cyber-security generates too many alerts: “false positives”, in the jargon. When a burglar alarm rings constantly, people ignore it. Now the combination of cleverer algorithms, better data collection, cheaper storage and greater processing power makes it easier to automate the detection of anomalous behaviour, and to work out who is up to what.” - Edward Lucas
Show of hands: Who feels confident they can find a potential breach in their network? If YES, how confident are you that you could find evidence in under a week? If NO, what are you doing about shining a light on the dark areas of your network? Log collection? Log normalization? Alarming? Correlating, both automatically and manually?
The Expanding Cyber Threat Motive
Political / Ideological / Criminal
Key Talking Points: Nation states are operating in a cyber cold war. There is a lucrative, growing cybercrime economy. That growing cybercrime economy creates an ecosystem that lowers the bar for all threat actors to do bad things.
Notes: There are increasing motivations for bad people to do bad things.
Politically motivated groups may be well-funded, well-educated, and looking for intellectual property to advance their own country’s GDP.
Ideological groups may be small pockets of individuals or crowd-sourced, using the Internet to connect like-minded people to create disruption, damage, or embarrassment for an organization.
Primarily criminally motivated groups are seeking financial reward and can be incredibly well-funded and organized.
Regardless of motivation, all three resort to criminal actions to achieve their goals. Hackers have different motivations, but given social media and dark sites, different hackers and groups can collaborate or purchase intel from each other to achieve their own ends – a force multiplier for all bad actors.
Examples:
Political: Allegedly, North Korea is responsible for the mass data theft at Sony Entertainment as payback for releasing the movie “The Interview”.
Ideological: The Syrian Electronic Army is responsible for a number of website defacements; in January 2015, SEA hackers managed to infiltrate Le Monde’s publishing tool before launching a denial of service.
Criminal: A cyber attack exposed the data of 11 million Premera Blue Cross members, in order to sell the IDs on the black market and enable identity theft.
Damaging Data Breaches
Key Talking Points:
1) Victims of damaging cyber breaches make the news every week – don’t become one of them!
2) These are just the high-profile breaches in the past 6 months – countless more happen all of the time and they don’t make headlines.
-----
Notes: Bad actors have executed a series of high-profile, damaging data breaches. It seems like there’s someone new on the cover of the WSJ every week. This slide illustrates how much damage is being done. Make sure to understand the difference between a data breach and just a compromise.
Common Security Challenges
Connections moving to encrypted channels: increased load = poor performance; difficult to deploy; potential lost visibility.
“Social attack” – employees will mix personal with professional. Social tactics are being used in around 20% of confirmed data breaches (30% over a larger time frame); the top three, phishing (72%), pretexting (16%), and bribery/solicitation (10%), represent the vast majority of social actions in the real world.
80% of data breaches involve exploitation of stolen, weak, default or easily guessable passwords.
“Many data breach victims believe they are in isolation, dealing with sophisticated tactics and zero-day malware never seen before—we see otherwise. To us, few breaches are unique. In fact, our VERIS research indicates that at any given point in time, a small number of breach scenarios comprise the vast majority of incidents we investigate. There is tremendous commonality in real-world cyber-attacks. In fact, according to our RISK Team incident data set over the previous three years, just 12 scenarios represent over 60% of our investigations.”
Perimeter applications and appliances are focused on what they do best – the perimeter. They provide a number of tools to effectively combat a large percentage of known threats, leveraging signature-based technologies, some DPI for protocol analysis, some user behavior analysis (outbound requests only) and some sandboxing techniques.
Your employees and your business partners can be potential threat actors or targeted victims. It is important not to lose sight of the role humans play in data breaches.
Common Attack Scenario
Reconnaissance > Weaponization > Delivery > Exploitation > Installation > Command & Control > Actions on Objective
> They are not leveraging new techniques – this is the same old story. After performing some initial recon (i.e. ping tools, nmap, metasploit) against external-facing assets, they move their recon phase over to target acquisition. During the target acquisition phase, they identify and isolate their targets using the same platforms we all do business and pleasure on (LinkedIn, Facebook, Amazon, Twitter…). Some simple Google query hacking and they have the content they need to craft a very compelling message with an attachment.
> Once the target is primed, a zero-day payload is sent out to the target via spear phishing, and they sit back and wait for a call back to whatever command and control infrastructure they have in place. It could be a DynDNS server, a Twitter feed, a fast-flux network or an FTP server.
> Once they’ve exploited your internal asset, they then use that account to gather other hashes or move laterally in the network to other high-value assets. Obviously the end goal here is to take your IP or customer data in the long term, and build some redundancy so they can re-infiltrate your network in the future.
Prevention-Centric is Obsolete
“For many enterprises there is a disconnect between the products they are buying and their effectiveness. ‘Many people are putting firewall, IPS, and antivirus in place thinking that intelligence is actually going to help them,’ Chenette said… ‘Hope is not a strategy,’ said Chenette.” - Stephan Chenette, CEO, AttackIQ
“Traditional Security” Creates Silos
Partners Have Engaged Their Customers With These Solutions For Years… LogRhythm Makes These Pieces Work As A Single Security Ecosystem…
Security: Firewall, IPS, Malware, WAF, End Point. Network: Routers, Switches, Wireless. Directory Services: Active Directory, Users, Groups. Data Management: Data Loss, Data in Motion, Data at Rest. Spam, Phishing. Physical: Alarms, Surveillance, Access Control.
There has to be a better way of detecting these compromised accounts and assets internally, right? There is – it starts with breaking down the security and infrastructure silos in the environment. You have 50+ applications and devices running on your networks; in some organizations it can be thousands. Some of these devices can communicate with each other, but not contextually around security. Even your IT staff can be segmented – your Exchange admin can be a different group or person from your firewall admin, and your desktop group can be completely separate from your security group. Not only are there technical silos, but also hierarchical silos that have been created over the years.
Bringing it all into one place
When we talk about breaking the silos, we’re specifically talking about finding a home for all of the contextual data that all your devices and users are creating within the network. The LogRhythm platform is uniquely designed to act as your log management layer for compliance, your SIEM for correlated and highly corroborated activities, with another layer of UBA (user behavior analytics), network threat analytics and endpoint analytics so you can gain visibility into who is in your network, what they are doing, what risk they pose, and mitigate the risk before it becomes loss. Combine this technology stack with people and process, and you have a readily defendable network.
A New Security Approach is Required
Prevention-centric approaches can stop common threats. However, advanced threats: require a broader view to recognize; only emerge over time; get lost in the noise. Big Data analytics can best detect these threats.
An Excellent Security Intelligence Platform Delivers: Big Data analytics to identify advanced threats; qualified and prioritized detection, reducing noise; incident response workflow orchestration and automation; capabilities to prevent high-impact breaches & damaging cyber incidents.
Key Talking Points: With traditional methods, threats get lost in the noise. “Big Data” analytics can help solve this problem. “Prioritized threats.”
Notes: Some things can be blocked and stopped, but only known threats in real time; otherwise you get in the way of the business. Analytics is needed to address the threats that get through. We use big data analytics to separate the signal from the noise. This slide also sets up our incident response message.
Insider Threats
Reconnaissance & Planning > Initial Compromise > Command & Control > Lateral Movement > Target Attainment (Exfiltration, Corruption, Disruption)
Problem / Solution:
Suspicious Movement: Detect abnormal behavior & access requests
Access to Sensitive Materials: Monitor sensitive directories & files
Data Exfiltration: Detect information movement
Insider Threat Detection: Most often, insider threats result in data exfiltration or damage to systems or information. Several key threat indicators are:
Suspicious Movement – User A traverses different file shares that she has normally not accessed. During this effort, she attempts access and surveys the directories, then quickly moves to another directory. Normally in her job, User A accesses marketing information; in this survey, she is accessing customer and financial information. LogRhythm detects her access and authentication attempts into the sensitive directories and will fire alarms.
Access to Sensitive Materials – User A starts copying files out of the customer and financial directories to her laptop. The file integrity monitor detects this movement, and it is correlated with her previous anomalous behavior. Additional alarms are fired based on her access. Smart Responses can be kicked off to terminate her access to outside networks.
Data Exfiltration – User A attempts to move the data from her laptop to a cloud file sharing service. Network monitor detects this activity and fires alarms. Her laptop can be removed from the network using Smart Response.
At each step in the insider threat kill chain, LogRhythm can detect the anomalous behavior and prevent movement to the next step in the threat. LogRhythm’s detection capabilities go beyond normal UBA products because those products don’t have information related to network activity and file information.
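The three insider-threat indicators above (share access outside a user's baseline, file copies out of sensitive directories, upload to a cloud file-sharing host), correlated per user so that severity rises as more stages are corroborated. This is an added illustration, not LogRhythm code; the event records, baseline, sensitive shares, cloud host list and response mapping are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample events (not real logs) standing in for normalized
# authentication, file-integrity-monitor (FIM) and network-monitor records.
# Each tuple: (timestamp, user, source, target).
EVENTS = [
    (100, "usera", "auth", r"\\fs01\marketing"),    # normal for her role
    (160, "usera", "auth", r"\\fs01\customers"),    # outside her baseline
    (170, "usera", "auth", r"\\fs01\finance"),      # outside baseline, fast traversal
    (300, "usera", "fim",  r"copy:\\fs01\finance\q3.xlsx->C:\Users\usera"),
    (420, "usera", "net",  "upload:cloudshare.example"),
    (110, "userb", "auth", r"\\fs01\finance"),      # finance is userb's normal share
]

# Constructed per-user baseline: shares each role normally touches.
BASELINE = {"usera": {r"\\fs01\marketing"}, "userb": {r"\\fs01\finance"}}
SENSITIVE_SHARES = {r"\\fs01\customers", r"\\fs01\finance"}
CLOUD_SHARE_HOSTS = {"cloudshare.example"}

# Severity = number of distinct kill-chain stages corroborated for one user;
# the response escalates with it (constructed mapping).
RESPONSE = {1: "notify analyst", 2: "terminate external access", 3: "quarantine host"}

def detect(events, baseline, sensitive, cloud_hosts):
    """Return {user: [(ts, stage, target, severity, response), ...]} in time order."""
    alarms = defaultdict(list)
    stages = defaultdict(set)  # distinct stages seen so far per user
    for ts, user, source, target in sorted(events):
        stage = None
        if source == "auth" and target not in baseline.get(user, set()):
            stage = "suspicious_movement"      # share outside this user's normal set
        elif source == "fim" and target.startswith("copy:"):
            src = target[len("copy:"):].split("->")[0]
            if any(src.startswith(share) for share in sensitive):
                stage = "sensitive_access"     # file left a sensitive directory
        elif source == "net" and target.startswith("upload:"):
            if target[len("upload:"):] in cloud_hosts:
                stage = "data_exfiltration"    # data pushed to cloud file sharing
        if stage is None:
            continue                           # normal activity, no alarm
        stages[user].add(stage)
        severity = len(stages[user])
        alarms[user].append((ts, stage, target, severity, RESPONSE[severity]))
    return dict(alarms)

def highest_stage(alarms_for_user):
    """Most severe alarm tuple for one user, for triage and prioritization."""
    return max(alarms_for_user, key=lambda a: a[3])

if __name__ == "__main__":
    for user, found in detect(EVENTS, BASELINE, SENSITIVE_SHARES, CLOUD_SHARE_HOSTS).items():
        for ts, stage, target, sev, action in found:
            print(f"t={ts} {user}: {stage} ({target}) severity={sev} -> {action}")
```

userb never leaves her baseline, so she produces no alarm; usera's fourth event reaches severity 3 only because the two earlier stages were already on record for her.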
Threat Lifecycle Management: End-to-End Detection & Response Workflow
Security Intelligence Platform
TIME TO DETECT: Collect & Generate (Security Event Data, Log & Machine Data, Forensic Sensor Data – example sources) > Detect & Prioritize (User Analytics, Machine Analytics) > Qualify: Assess threat to determine risk and whether full investigation is necessary.
TIME TO RESPOND: Investigate: Analyze threat to determine nature and extent of the incident > Neutralize: Implement countermeasures to mitigate threat and associated risk > Recover: Cleanup, Report, Review, Adapt.
Key Talking Points: “Threats always evidenced in forensic data.” “Machine analytics is the future.” A unified Security Intelligence Platform best protects.
Notes: How do we actually measure detection and response and enable organizations to accelerate these processes?
MTTD: When a threat engages, there are tracks left behind. The first challenge is discovering this threat. User Analytics is done by people and works well, but it doesn’t scale well. Good place to take digs at Splunk. Machine Analytics is where we excel: analytics performed continuously by software. Prioritize threats. This is the future of threat discovery. This is where we lead the market and invest the most heavily. Qualification is about determining whether this is a threat that can bring us harm and requires more investigation.
MTTR: The next step is to investigate and determine if there is a real risk. If so, we need to mitigate the threat. These comprise time to respond. LR has an embedded case and security incident management facility that manages and streamlines the response process. An alarm comes in and can be moved to a case as part of an evidence locker; it can be annotated; PCAPs and files can be added; collaborators can be added; management is centralized; it can be determined whether it’s an incident; and visibility is provided to the CISO. Response can be organized, including automated SmartResponses.
The last step is Recover. We don’t really measure this because it can be done at your own pace. We do accelerate recovery because of our incident response facility. What’s unique about LR is that our platform delivers this workflow end-to-end. This increases effectiveness and efficiency. It makes security teams their absolute best. We’ve seen lots of companies that have built something similar from a collection of different providers, with something like ArcSight, Splunk, maybe a custom-built system and a bunch of spreadsheets, probably no machine analytics. This gives them an expensive and ineffective Frankenstein system. LR has spent 10 years building a purpose-built workflow.
-----
Alternate: LogRhythm’s Security Intelligence Platform is unique in the industry in unifying all steps of the workflow within a single platform, creating greater efficiency and effectiveness as a result.
Workflow step details:
Forensic Data: evidence of the threat will be captured in log and audit data, or captured via sensors on the endpoint or in the network.
Discover: This evidence must be discovered. Discovery can be through user analytics (viewing dashboards, reports, running daily searches, etc.), but more likely via machine analytics given the volume and variety of activities on a daily basis. Machine analytics must leverage multiple analytical techniques and corroborate activities to surface those sets of activities requiring an analyst’s attention.
Qualify: A concerning activity has been discovered, but now must be qualified. The solution provides tools to quickly understand the activities surrounding a concerning event and qualify it as a threat: activities that appear to represent true harm intended to the organization. Once the threat is qualified, the threat has been discovered. This can be measured as the time to detect. This now starts the clock on the response effort.
Investigate: Now that the threat is qualified, a fuller understanding of scope is required. How many hosts were impacted, other user accounts, etc.? This requires collecting all of the evidence into a single repository and coordinating across multiple analysts as necessary.
Mitigation: With full scope understood, the threat can be mitigated. Some countermeasures can be automated, such as disabling user accounts, quarantining hosts, or changing ACLs, while other mitigations will require the details of the investigation to be understood. Once the threat is mitigated, it has been responded to. The organization can understand the time it took to respond.
Recover: While not as critically time-bound, the recovery step is still important: fully understand how the threat was discovered, qualified, and mitigated in order to decrease MTTD and MTTR, and identify other changes to the IT environment or user training.
Faster Detection & Response Reduces Risk
Exposed to Threats (High Vulnerability) … Resilient to Threats (Low Vulnerability): MTTD & MTTR measured in Months > Weeks > Days > Hours > Minutes.
MEAN-TIME-TO-DETECT (MTTD): The average time it takes to recognize a threat requiring further analysis and response efforts.
MEAN-TIME-TO-RESPOND (MTTR): The average time it takes to respond and ultimately resolve the incident.
As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced.
Key Talking Points: “Mean-time-to-detect” and “Mean-time-to-respond.” Reduce the risk of a damaging cyber incident or data breach.
Notes: What’s the solution? Faster detection and faster response. We’ve developed a model to assess your current maturity and ability to detect and respond to threats, and help customers measure their overall security posture. Many studies show that MTTD and MTTR are measured in weeks and months, and companies that want to improve need the types of solutions we provide.
Market Leadership Industry Analysts Company Awards
Company of the Year Certifications & Validations Industry Awards
THANK YOU