© 2012 Solera Networks. Contains confidential, proprietary, and trade secret information of Solera Networks. Any use of this work without express written consent is strictly prohibited.

Slide 1: Preparing for the Inevitable: How to Fight Advanced Targeted Attacks with Security Intelligence and Big-Data Analytics
See everything. Know everything.
Andrew Brandt, Director of Threat Research
Event hashtags: #AusCERT12 #bigdata

Slide 2: Big Data ... Little attacks

Slides 3-7: Who I am and what I do (one bullet added per slide)
- Former journalist
- Self-taught security enthusiast
- Malware analyst
- Network security researcher
- If you code, distribute, or use malware for gain, prepare for maximum mockery and

Slide 8: What I do
- A story behind every attack
- Sometimes, strange stuff just

Slide 9: Break computers for fun and profit
- I couldn't have said it better myself
- Yep, you nailed it
- Little-known mea culpa feature of Blackshades

Slide 10: Involved, enthusiastic blog

Slide 11: Why so touchy? A little too close to

Slide 12: Today's Persistent, Blended Threats (three phases)
Communication (social engineering): convince the victim to do something
- Visit web page
- Download file
- Execute binary
Exploitation
- Enumerate surface
- Exploit vulnerability
- Infiltrate system
- Maintain connectivity
Propagation
- Spread to other systems
- Expand attack footprint
- Adapt to countermeasures

Slide 13: The Challenge of Keeping
- 54% of breaches involved customized malware (no signature available at the time of exploit) (VzB/USSS)
- 87% of records stolen were stolen using Highly Sophisticated Attacks (VzB/USSS)
- $7.2M was the average cost of a data breach in 2011 (Ponemon)

Slide 14: Big Data Landscape: Security Intelligence & Analytics
"Context-aware and adaptive security will be the only way to securely support the dynamic business and IT infrastructures emerging during the next 10 years." Neil MacDonald, VP & Fellow, Gartner
Product categories shown: Big Data Analytics, Log Management, Security Information and Event Management, Content Filtering, Data Leakage Prevention, Intrusion Prevention Systems, Next-Gen Firewalls

Slide 15: What does this stuff look like when it's

Slide 16: Would this convince you to click?

Slide 17: Reply to the IRS using LinkedIn?

Slide 18: Are you guys new to this whole "trying to convince people" thing?

Slide 19: What about one of

Slide 20: Yeah, it's

Slide 21: Indistinguishable from normal

Slide 22: until it isn't,

Slide 23: Cyber Attacks Accelerate (timeline figure, Jan 2010 to Jul 2011, marking Operation Aurora and the Diplomatic Cables Leak)

Slide 24: The Malware Problem: Overwhelming Odds
"With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming." GTISC Emerging Cyber Threats Report 2011

Slide 25: Record everything, 24/7
- Timely analysis and insight into every packet entering or leaving your network
- Records, classifies and indexes all packets and flows from L2 to L7
- On the wire, file-level visibility of data exfiltration and malware infiltration
- Actionable intelligence, forensics and situational awareness
- Unmatched multi-dimensional flow enrichment and big data warehousing
- Flexible, open and easy-to-use platform

Slide 26: Multiple Levels of Indexing: Packet Capture and Repository (DSFS)
- Full fidelity, full payload streaming capture
- Capable of 10s of Gb/s data storage
- Support for simultaneous readers and writers
- Maximum throughput via smart streaming writes and reads

Slide 27: Multiple Levels of Indexing: Solera DB Index
- SoleraDB middle layer contains the data necessary to find and reconstruct packets, flows, and entire network sessions in perfect fidelity
- Handles millions of IOPS on a single appliance
- Used as a quick rejection for the Packet Capture and Repository

Slide 28: Multiple Levels of Indexing: Solera DB Bitmask & Hash
- Per-attribute quick lookup layer
- Takes milliseconds to accept/reject hundreds of MBs of capture data
- Search queries are processed using a proprietary algorithm that generates hash values used by the top layer of the search engine to quickly determine which 64MB chunks the data are in
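The bitmask-and-hash layer on slide 28 is, in effect, a per-chunk membership filter: a query term is hashed, and any 64MB chunk whose bitmask lacks those bits cannot contain the value, so it is rejected before any packet data is read. The following is an added illustration of that idea, not Solera's proprietary algorithm: it assumes a Bloom-filter style bitmask per attribute per chunk, with K SHA-256-derived bit positions per value, and constructed sample flows.

```python
import hashlib

CHUNK_BYTES = 64 * 1024 * 1024  # 64 MB chunks, as on the slide
BITS = 4096                     # bitmask width per attribute (assumption)
K = 3                           # hash positions per value (assumption)

def bit_positions(attr, value):
    # Mix the attribute name in so an "ip" value and a "domain" value never collide.
    out = []
    for i in range(K):
        h = hashlib.sha256(f"{i}:{attr}={value}".encode()).digest()
        out.append(int.from_bytes(h[:4], "big") % BITS)
    return out

def build_index(flows):
    """flows: iterable of (byte_offset, {attr: value}); the offset selects the chunk.
    Returns {chunk_id: {attr: bitmask}}, one bitmask per attribute per chunk."""
    chunks = {}
    for offset, attrs in flows:
        masks = chunks.setdefault(offset // CHUNK_BYTES, {})
        for attr, value in attrs.items():
            for p in bit_positions(attr, value):
                masks[attr] = masks.get(attr, 0) | (1 << p)
    return chunks

def may_contain(masks, attr, value):
    # All K bits must be set; one clear bit is a definite reject (no false negatives).
    m = masks.get(attr, 0)
    return all((m >> p) & 1 for p in bit_positions(attr, value))

def candidate_chunks(chunks, query):
    """Chunk ids that might hold a flow matching ALL query terms; every other
    chunk is rejected here without touching the packet repository."""
    return sorted(cid for cid, masks in chunks.items()
                  if all(may_contain(masks, a, v) for a, v in query.items()))

# Constructed sample: three flows whose offsets land in chunks 0, 0 and 2.
SAMPLE_FLOWS = [
    (10 * 1024 * 1024, {"server_ip": "203.0.113.7", "domain": "cdn.example.test"}),
    (40 * 1024 * 1024, {"server_ip": "198.51.100.9", "domain": "mail.example.test"}),
    (150 * 1024 * 1024, {"server_ip": "203.0.113.7", "domain": "update.example.test"}),
]

if __name__ == "__main__":
    index = build_index(SAMPLE_FLOWS)
    print(candidate_chunks(index, {"server_ip": "203.0.113.7"}))  # [0, 2]
    print(candidate_chunks(index, {"server_ip": "203.0.113.7",
                                   "domain": "update.example.test"}))  # [2]
```

A surviving chunk is only a candidate (the filter can false-positive); the deeper index and the capture itself still confirm the match, which is exactly the quick-rejection role the slide describes.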
Slide 29: Metadata Attribute Mappings (figure only)

Slide 30: What happens when someone clicks one of these links?

Slide 31: The victim sees

Slide 32: Meanwhile, CVE

Slide 33: Most Dreaded Questions from the CISO
- Who did this to us and how?
- How long has this been going on?
- What did we lose, and when?
- Is it over yet?
- Can we be sure it won't happen again?

Slide 34: Breaches Happen. Deal With It.

Slide 35: I see what you did there
Classic Blackhole Exploit Kit behavior, malware payload delivered at the

Slide 36: Danger, Will

Slide 37: Your reputation precedes you
Look up reputation on: domain, IP, any extracted artifact
Reputation services: VirusTotal, ClamAV, SORBS, Robtex, SANS ISC, Google SafeBrowse

Slide 38: Real-Time Extractor: Malware at the speed of light
- Delivering file-level alerting and malware analysis, at the network layer, to any enterprise
- Policy-based: protocol, country, MIME-type, file extension, etc.
- Continuous detection of all network traffic: analyze, index, alert
- Alert-triggered analysis: PDF, .js, PE, Flash, JAR, OLE, .apk, etc.
- Collapse the distributed network: leverage core security infrastructure

Slide 39: What's in your pingback? When malware phones
Exfiltrates sensitive data:
- Beacon packets
- Profiling info about infected PC
- Geolocation
- Stolen passwords
- Extracted addresses
- Other documents
Receives instructions:
- Links to payloads
- Poison pill self-deletion command

Slide 40: Zbot/Spyeye Target List
Partial target list, downloaded by the Trojan. Domains include those of banks that service business customers. Targets vary based on the victim's location in the world.
One mistaken click, by the wrong employee, can bankrupt a

Slide 41: When malware phones home
- Some RATs or phishing Trojans don't bother to hide their activity
- Others try to obfuscate the data with

Slide 42: Revealed, you are by your weird

Slide 43: Collecting Decrypted SSL Traffic
- 100% encrypted traffic decrypted, captured, classified and indexed
- Protects against SSL-encrypted bot traffic or confidential information leakage
Diagram: Web Browser (SSL Client) -> Transparent SSL Proxy (Session 1 on the client side, Session 2 on the server side) -> Internet/WAN -> Web Servers (SSL Servers); non-SSL traffic passes alongside the SSL traffic; decrypted and captured traffic is delivered to the Solera DS Appliance over a common control/management link. In partnership with

Slide 44: Decrypted SSL Zbot/Cridex Pingback
Every 5-60 seconds, the bot sends this SSL-encrypted packet to its CnC server. "I'm still here. Ready for

Slide 45: One last thing: We know where you are, malware
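Because the Zbot/Cridex pingback on slide 44 recurs every 5-60 seconds, its timing is a detection signal even where the payload cannot be decrypted. The script below is an added example, not material from the talk: it assumes flow records in a constructed "timestamp src dst dport bytes" format and flags (src, dst, dport) pairs whose inter-connection gaps have a median in the 5-60 s band with low jitter; the thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from statistics import median

MIN_FLOWS = 8            # connections needed before judging a pair (assumption)
PERIOD_RANGE = (5, 60)   # beacon interval band in seconds, from the slide
MAX_JITTER = 0.15        # median |gap - period| / period tolerated (assumption)

def parse_flow(line):
    """Constructed record format: 'timestamp src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}

def find_beacons(flows):
    """Group connections per (src, dst, dport) and report pairs whose
    inter-connection gaps are regular and fall inside PERIOD_RANGE."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < MIN_FLOWS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if not PERIOD_RANGE[0] <= period <= PERIOD_RANGE[1]:
            continue  # bursts of browsing have a median gap of a second or two
        jitter = median(abs(g - period) / period for g in gaps)
        if jitter <= MAX_JITTER:
            hits.append({"pair": pair, "period_s": period,
                         "jitter": round(jitter, 3), "n": len(times)})
    return hits

def constructed_log():
    # 12 beacons 10.0.0.5 -> 203.0.113.7:443, about 30 s apart with a small repeating jitter.
    beacon = [100.0 + 30 * i + (i % 3 - 1) for i in range(12)]
    # Ordinary browsing 10.0.0.9 -> 198.51.100.20:443: short bursts, then long idle gaps.
    browse = [200, 201, 203, 260, 262, 900, 901, 905, 1500, 1502, 1503, 2100]
    return ([f"{t} 10.0.0.5 203.0.113.7 443 512" for t in beacon]
            + [f"{t} 10.0.0.9 198.51.100.20 443 4096" for t in browse])

if __name__ == "__main__":
    for hit in find_beacons(parse_flow(l) for l in constructed_log()):
        print(hit)  # only the 10.0.0.5 -> 203.0.113.7:443 pair is reported
```

On real flow data the same pass should also exclude known-periodic legitimate traffic (update checks, NTP, monitoring agents) by allow-list, otherwise those dominate the hits.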
Slide 46: "Invest in preparedness, not in prediction." Nassim Taleb, The Black Swan

Slide 47: Thank You
Andrew Brandt
blog.soleranetworks.com
Facebook.com/soleranetworks