
Page 1: Novetta Cyber Analytics

Novetta Cyber Analytics

[email protected] 512.284.4091 11.24.2014

Scott Van Valkenburgh

Manager, Product Marketing

Page 2: Novetta Cyber Analytics

novetta.com 2

Everyone is Being Breached

66% of network breaches go undiscovered for months.

70% of network breaches are discovered by people outside your network.

Page 3: Novetta Cyber Analytics

Why?

• IPSs, IDSs, Firewalls: too rigid and have serious blind spots.

• Network Capture Tools: too slow and/or don’t make the right data available to analysts.

• SIEMs: capture and analyze inherently untrustworthy data (logs).

Page 4: Novetta Cyber Analytics

A Complete Picture of the Ground Truth

[Architecture diagram] Traffic flows Internet -> Router -> Firewall -> Network. Sensors (Packet Capture) sit on the network, keep PCAP* locally and forward Metadata to the Cyber Analytics Hub. The Hub is made up of a Batch Ingest Module, an Ingestion and Pre-Processing Module, the Analytics Engine, the MetaData store and Custom Workflows, exposed to Analysts through a Web Interface and an API Interface. Other sources and consumers shown: Legacy Sensor, PCAP Archive, SIEM, IDS/IPS, DLP, ATP.

* PCAP is stored at sensors and is instantly retrievable when needed for deeper inspection

Page 5: Novetta Cyber Analytics

Why We’re Different

[Spectrum figure] Sampled NetFlow (NOT ENOUGH) | Intelligent & Selective Metadata Extraction (OPTIMAL FOR ANALYSIS) | Content Unraveling (TOO MUCH)

[Comparison chart, axes Team & Infrastructure vs. Effectiveness] Novetta Cyber Analytics; Leading Security Analytics Solution (Good for Forensics); Common Netflow Based Solutions

• See threats as they occur.

• Choose which ones to go after before the damage is done.

• Developed for agencies within the US government.

A Complete Picture in Near Real-time

Page 6: Novetta Cyber Analytics

How it Works – System Summary

[System diagram: Internet, Router, Firewall, Network, SIEM, IDS/IPS, DLP, ATP]

1. Sensors

2. PCAP Data: for preprocessing

3. Security-specific MetaData: for a clean and consolidated view of the network

4. Analytics Engine: 70+ pre-built analytical searches that look for suspicious behaviors, or build your own queries.

Page 7: Novetta Cyber Analytics

How it Works – At the Core

[System diagram: Internet, Router, Firewall, Network, SIEM, IDS/IPS, DLP, ATP]

1. Sensors

2. PCAP Data: for preprocessing

3. Security-specific MetaData: for a clean and consolidated view of the network

4. Analytics Engine

[Callout] 1% of total PCAP data

Page 8: Novetta Cyber Analytics

How it Works – Contextualization

Traffic Analysis: taps network traffic

[Session view as shown on the slide]

Client: ftp-prod2.largeco.com (1.2.3.4), Role: Client, Port: 4754, Geo: DC, USA

Server: RuVPS123.com / Private.RuVPS.com (5.6.7.8), Role: Server, Port: 21, Geo: Moscow, RU

Service: FTP, Protocol: TCP, Duration: 47 sec

Session Details: bytes to/from server, TCP flags, packet counts

Related Sessions and IPs: overlapping sessions, common IPs, associated IPs (hopfinder)

Searchable Content: extract content

Third Party Forensics: export selected PCAP

Page 9: Novetta Cyber Analytics

How it Works – Top 10 Analytics

Of 70+ and always growing:

• Beacon

• Distant Admin

• HTTP(s) Exfiltration

• Protocol Abuse

• RDP Keyboard Layout

• Relay Finder

• Suspicious Admin Toolkits

• 2 Degrees of Separation

• Unknown Service

• Port Scanners

Analysts get the whole picture

Page 10: Novetta Cyber Analytics

Results

[Same spectrum and comparison figure as page 5] Sampled NetFlow (NOT ENOUGH) | Intelligent & Selective Metadata Extraction (OPTIMAL FOR ANALYSIS) | Content Unraveling (TOO MUCH); Novetta Cyber Analytics vs. Leading Security Analytics Solution (Good for Forensics) vs. Common Netflow Based Solutions, on axes Team & Infrastructure vs. Effectiveness

• See threats as they occur.

• Choose which ones to go after before the damage is done.

• Developed for agencies within the US government.

Page 11: Novetta Cyber Analytics

Results

• Estimated 30x gain for incident response

• Near real-time ability to respond to attacks

• Drastically improved security team effectiveness

Page 12: Novetta Cyber Analytics


Demonstration

A Real World Scenario

Page 13: Novetta Cyber Analytics

Proven Effectiveness

DEVELOPED TO SECURE the largest and most attacked networks on earth

Page 14: Novetta Cyber Analytics

Case Study – US DOD Agency 1

Problem: Constant Ongoing Breaches

• Wanted to stop attacks.

• Leading security tools could not provide the visibility, speed, and flexibility they needed to respond quickly to incidents or discover malicious behavior.

Solution: Novetta Cyber Analytics

• Uncovered known malicious activity

• Discovered unknown attacks

• Queries that had taken hours were now taking seconds

• Estimated 30x the number of incidents responded to

Overview: Sensors: 4; Analytics Hub: 32 nodes; Users: 200+; PCAP Analyzed: 13 TB; Metadata Stored: 1.5 TB

[Deployment diagram: IPS, Analytics, SIEM]

Now the cornerstone tool for their threat response team

Page 15: Novetta Cyber Analytics

Case Study – US DOD Agency 2

Problem: Known Breaches

• Wanted to know WHO was attacking their network, WHY, and WHAT methods were used.

• Leading security tools could not provide the visibility, speed, and flexibility they needed to respond quickly to incidents or discover malicious behavior.

Solution: Novetta Cyber Analytics

• Uncovered known malicious activity

• Discovered unknown attacks

• Queries that had taken hours were now taking seconds

Now the cornerstone tool for their threat response team

Overview: Sensors: 4; Analytics Hub: 32 nodes; Users: 200+; PCAP Analyzed: 13 TB; Metadata Stored: 1.5 TB

Page 16: Novetta Cyber Analytics


Summary

Near real-time analysis: 30x incident response

Respond to attacks as they occur

Figure out what and why

Dramatically improve overall security team effectiveness

Novetta Cyber Analytics: the cornerstone tool for the largest and most attacked networks on earth

Page 17: Novetta Cyber Analytics


The Truth is in Your Network

Novetta Cyber Analytics

Thank you!!

Page 18: Novetta Cyber Analytics


Novetta Cyber Analytics

Backup

Page 19: Novetta Cyber Analytics

A Real World Breach Story

With enough time, an attacker will find a way in—and out

[Diagram] Attacker Infrastructure: Attacker, Local Machine, Compromised Internet Hosts, Anonymous Internet Sharing Sites, Attacker Drop Sites. Contractor Infrastructure: Email Server, Contractor Laptop, Contractor Maintenance Web Server. Enterprise Infrastructure: Windows File Server, Database Server, Internal FTP Server, Internal Server.

Attack steps (numbered as on the slide) and the defensive gap noted alongside each:

1. Performs active and passive reconnaissance. Slow randomized port scanning avoids real-time IDS port scanning alarms.

2. Spear phishes third party contractor to steal login credentials. Not covered by Contractor’s employee training or security technologies.

3. Uses stolen login credentials to access Maintenance Web Server. Perimeter defenses bypassed with username and password.

4. Executes SQL injection attack to gain admin-level access. SIEM alerts dismissed by overwhelmed security team.

5. Uses cracked passwords from Maintenance Server to gain access. Logs changed to bypass high priority SIEM alerts.

6. Moves laterally to increase privileges and search for valuable data. Low priority SIEM alerts again ignored.

7. Finds database server and dumps sensitive records. Further increase in privileges enabled bypass of DB perimeter.

8. Sends stolen data to a staging point inside the enterprise. NetFlow-focused tool triggers alerts, but analyst doesn’t have enough detail.

9. Sends stolen data to external drop sites. Contents encrypted by attacker and external sites not blacklisted.

10. Anonymously retrieves data from drop sites. Customer informs company about breach, and it becomes a viral news story.

Page 20: Novetta Cyber Analytics

Same Story with Novetta Cyber Analytics: anomalous behavior detected at almost every step

[Same diagram as page 19: Attacker Infrastructure, Contractor Infrastructure, Enterprise Infrastructure]

Attack steps (numbered as on the slide) and the analytic that flags each:

1. Performs active and passive reconnaissance. Port Scanner analytic identifies & tags suspicious IP addresses.

2. Spear phishes third party contractor to steal login credentials. Occurs on the Contractor’s network, outside the end-target enterprise.

3. Uses stolen login credentials to access Maintenance Server. Geolocation analytic detects foreign server access or interactions out of subnet.

4. Executes SQL injection attack to gain admin-level access. HTTP analysis can reveal attack attempts by volume.

5. Uses cracked passwords from Maintenance Server to gain access. Protocol Abuse analytic detects anomalous lateral movement and tags it.

6. Moves laterally to increase privileges and search for valuable data. Unknown Service analytic detects anomalous lateral movement.

7. Finds database server and dumps sensitive records. Traffic Summary analytic reveals connections between unrelated internal hosts.

8. Sends stolen data to a staging point inside the enterprise. Traffic Summary analytic again reveals uncommon connections.

9. Sends stolen data to external drop sites. HTTP Exfil analytic detects data moving to known anonymous drop sites.

10. Anonymously retrieves data from drop sites. Attack would never get this far.
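The slow randomized scan in step 1 is the case a per-minute IDS rule never sees. As an added example that is not part of this deck or of Novetta's product, the Python below runs a port-scanner analytic over constructed session metadata (timestamp, source, destination, port): it computes each source's distinct-port fan-out in a one-minute window (what a real-time rule sees) and in a 24-hour window (what stored metadata allows) and tags the source only the long window catches. All addresses, timings and the threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import random

def make_sessions():
    """Constructed session-metadata records, not real traffic: (timestamp, src_ip, dst_ip, dst_port)."""
    random.seed(7)
    base = datetime(2014, 11, 24)
    sessions = []
    # Slow randomized scan: one new port roughly every 10 minutes over 12 hours from one source.
    for i, port in enumerate(random.sample(range(1, 1024), 72)):
        t = base + timedelta(minutes=10 * i + random.randint(0, 4))
        sessions.append((t, "203.0.113.7", "198.51.100.20", port))
    # Benign workstation: repeated sessions to three services on the same server.
    for i in range(200):
        t = base + timedelta(minutes=3 * i)
        sessions.append((t, "192.0.2.15", "198.51.100.20", random.choice([22, 80, 443])))
    return sorted(sessions)

def max_port_fanout(sessions, window):
    """Per source IP: the largest number of distinct destination ports seen inside
    any time window of the given length (sliding over time-sorted sessions)."""
    by_src = defaultdict(list)
    for t, src, _dst, port in sessions:
        by_src[src].append((t, port))
    result = {}
    for src, events in by_src.items():
        events.sort()
        best, start, counts = 0, 0, defaultdict(int)
        for t, port in events:
            counts[port] += 1
            while t - events[start][0] > window:  # drop events that fell out of the window
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        result[src] = best
    return result

def tag_port_scanners(sessions, threshold=20):
    """Return {src_ip: tag}. The one-minute window is what a real-time IDS rule sees;
    the 24-hour window is what an analytic over stored session metadata can see."""
    fast = max_port_fanout(sessions, timedelta(minutes=1))
    slow = max_port_fanout(sessions, timedelta(hours=24))
    tags = {}
    for src, fanout in slow.items():
        if fanout >= threshold:
            tags[src] = "port-scan" if fast[src] >= threshold else "port-scan (slow, missed by real-time rule)"
    return tags
```

The scanner touches 72 distinct ports but never more than one per minute, so only the 24-hour window tags it; the workstation's three service ports stay well under the threshold in both windows.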

Page 21: Novetta Cyber Analytics

Network Security Landscape

[Matrix: WHERE (rows) vs. WHEN (columns: Post-Compromise Forensics; Real Time and Near Real Time Analysis)]

Network Traffic (e.g. websites and email)

• What: Forensics, DPI. Who: RSA, Blue Coat

• What: Netflow analysis. Who: Lancope, Arbor

• What: Security-specific metadata analysis. Who: Novetta

Traffic Payloads (e.g. attached files)

• What: Sandboxing. Who: FireEye, McAfee, Check Point

Endpoints (e.g. user machines and servers)

• What: Forensics, Host-level change monitoring. Who: Bit9, Carbon Black

• What: Application whitelisting, monitoring. Who: Bromium, Sandboxie

Page 22: Novetta Cyber Analytics

Current Solutions | Incident Response

[Phases: Reaction, Investigation, Analysis, Conclusion]

Tedious labor-intensive investigation

• Days of wrangling data for multiple people

Has enough been done? Attackers may have covered their tracks

• We don’t know because of the manual tools used for analysis and the incomplete data

Output

• Best-effort timeline of events

• Incomplete findings report with recommendations

• Partial list of external actors and impacted machines

CISO Confidence: Low

Analyst Job Satisfaction: Low

Page 23: Novetta Cyber Analytics

Novetta Cyber Analytics | Incident Response

[Phases: Reaction, Investigation, Analysis, Conclusion]

Thoughtful, interesting investigation

• Handful of hours for a single Tier 1 analyst

• Complete high-level visibility

• Detailed low-level information on activities

• High confidence in analysis

Output

• Complete timeline and full report

• Lists of all external actors

• Complete, exhaustive list of impacted machines

• Full packet capture

• New custom analytics, enhanced tribal knowledge

CISO Confidence: High

Analyst Job Satisfaction: High