Real-time Security Analytics: Visibility, Alerting or Forensic Digging - Which is it? Steven Urban Click Security

Slide 1: Real-time Security Analytics: Visibility, Alerting or Forensic Digging - Which is it? (Steven Urban, Click Security)

Slide 2: What this prezo will address
1. What is a security analytic anyway?
2. Who on my staff would actually use this product?
3. What problems does it actually solve?
4. Does it replace products like Log Management systems and SIEMs?
Click Security Confidential 2

Slide 3: Typical Enterprise Network Today
[network diagram; labels: WAN, F/W & IPS, EP, Cloud Services, BYOD, Consumerization of IT, Malicious Insider, DMZ, F/W & IPS, Contractor, Web Proxy Server, Mobility]

Slide 4: Are We Secure?
- We spent $25B on IT Security in 2012**
- IP theft to US Cos is $250B / year
- Global cybercrime is $114 billion; $388 billion when you factor in downtime (Symantec*)
- $1 trillion spent globally on remediation (McAfee*)
* http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-amount-greatest-transfer-wealth-history-070912
** http://www.slideshare.net/Pack22/it-security-market-overview-sept-12
[diagram of deployed security products: NAC, IAM, MDM, DLP, Secure Web Proxy, SIEM, UTM, Secure Email G/W, Endpoint Protection, MSSP, Firewall]

Slide 5: What Happened?
Massive Network Attack Surface
"Based on some research by the U.S. intelligence, the total number of registered hackers in China is approaching 400,000." (Infosecisland.com)
Your Defense:
- Staff: $1B Revenue x 5% on IT x 10% on Security x 30% on Staff / $200K/Yr loaded = 7.5 Heads
- Signature-based Defenses (IPS, Anti-X, Firewall): between 50% and 5% effective
The Enemy:
- Intelligent, Stealthy, Relentless, Motivated
- Numerous, Complex, Constant Flux
Attack surface drivers: Social Media, Consumerization of IT, IP Device Explosion, Mobility, Cloud Computing

Slide 6: A Recently Experienced Attack
[attack diagram; labels: Reserved IP Address, Attack Internal Web Server, Entry, ExFil, Attribution, $]

Slide 7: Autopsy Report
- Did you see these alarms? Remember, a F/W @ 15K EPS = 1 Billion EPD.
- Did you recognize their relative importance? High, Medium, Low severity?
- Did you know they were connected? e.g., how many IP addresses are involved here?
- Did you see them in time to be proactive? Or do you study them forensically?
- Do you even have staff to spend time on this? Or are you chief, cook and bottle washer?

Slide 8: Current Answer: Event Management + Forensics
"Minutes to hours to execute a breach. Days to months to discover." (2012 Verizon Data Breach Investigations Report)

Slide 9: Better Answer: Real-time Security Analytics
[diagram: Catch This / Before This]

Slide 10: So Why Don't We Catch Things in Real Time?
[bar chart: 39%, 35%, 29%, 28%, 23%; bar labels not captured]

Slide 11: The Security Analytics Spectrum
- Real-time: tuned for real-time contextualization of anomalies and quick investigative / incident response action
- Asymmetric (batch, offline): tuned for off-line, deep, historical investigation

Slide 12: Example Real-time Security Analytic
Data sources: Internet Threats, Enterprise Security Events, Security Policy, Authentication Activity, Flow Activity, User Activity, Vulnerability Assessment, Application Activity, Access Activity
Collect, cross-contextualize and examine for anomalies in real time.
Normal alerts (if you actually notice them):
- I see a flow to a blacklisted IP address
- I see a user tied to an unusual device
- I see an access from a strange location
Real-time Security Analytic:
- I see a user coming into a critical server from an Android device in Uganda that also has a connection to a blacklisted IP address in China, and this same user logged in from Dallas 30 minutes ago

Slide 13: What If You Could Do This?
[screenshot; no text captured]

Slide 14: Real-Time Security Analytics (RtSA)
- Click Labs: Security Threat Expertise; Protocol / Application Savvy; Module Development; Customer Environment Assessment
- Click Modules: Programmable Real-time Analytics; Captured Intelligence; Lego building blocks
- Click Platform: Stream Processing Engine; Dynamic Visualizations; Interactive Workbooks; Highly Scalable

Slide 15: Automated, Real-time Contextualization
Actor / Entity: Username; Hostname; Entity Type; Time First / Last Active; IP Address; MAC Address; Recent Network Flows; Recent Authentications; Recent Accesses; Recent Security Events; DHCP Lease; NAT Lease; VPN Lease; Other Entities
Flow Events: Client Entity; Server Entity; Time First / Last Active; Flow Type; Transport Protocol; Application Protocol; Prior / Current State; Byte / Packet Count; Session ID; Other Entities
Security Events: Client Entity; Server Entity; Detection Time; Rule; Result; Message; Other Entities
Authentication Events: Client Entity; Server Entity; Authentication Time; Protocol Type; Result; Message; Other Entities
Access Events: Client Entity; Server Entity; Access Time; Resource Type; Result; Message; Other Entities
Augmentation / Utility Modules: Directory Lookup; HRIS Information; DHCP Information; WHOIS Information; O/S Fingerprint Data; NMAP Assessments; Anti-Virus Information; Asset Information Data; Vulnerability Scan Data; Geo-Location Information; Entity Severity Information; Password Cracking Information; Network Monitoring Information; Firewall Configuration and Logs; IDS/IPS Configuration and Logs; Forward & Reverse DNS Resolution; Blacklist/Whitelist Reputational Data
Analysis Modules: Routing Anomalies; Malicious Callbacks; SPAM Relay Detector; Proxy Bypass Detector; Information Ex-filtration; Suspicious Web Traffic; Covert Channel Detector; Suspicious Data Access; Anomalous User Behavior; Anomalous Email Detector; Suspicious Account Lockouts; Firewall Rule Analysis Module; Anomalous Endpoint Behavior; Data Storage/Access Anomalies; Compromised Account Detection; Inappropriate Resource Utilization; Anomalous Network Transmission
Action Modules -> External System

Slide 16: Different Strokes
- SIEM (RDBMS): data storage + processor memory; SERIAL query analytic; crunch time hours to days. Good for: Compliance Mgmt (limited data volume processing, simple alerting)
- Batch Query Analytics (Distributed Map Reduce): data storage + processor memory; SERIAL query analytic; crunch time minutes. Good for: Forensic Analysis (large data volume processing, but not large # analytics)
- RtSA (Stream Processing Engine): data in memory; PARALLEL query analytic; crunch time seconds. Good for: Real-time Analytics (large data volume processing AND large # concurrent analytics)
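The composite analytic of slide 12 only works if the events of slide 15 are attached to one actor: the authentications, the accesses and the flows from that actor's devices, enriched with geo-location, reputation and directory lookups, all held in memory as the stream arrives (the RtSA column of slide 16). The Python below is an added example written for this page, not Click Security code. Every event, IP address, the blacklist, the geo table and the device directory are constructed, and tying a device IP to the actor who last authenticated from it stands in for the DHCP/NAT/VPN lease lookups the slide lists.

```python
"""Actor-centric contextualization of authentication, flow and access events
(added example; not Click Security code). Events, addresses, the blacklist,
the geo table and the device directory are all constructed."""
from collections import defaultdict, deque
from math import asin, cos, radians, sin, sqrt

# Constructed augmentation data standing in for the reputation, geo-location
# and directory lookups listed on slide 15.
BLACKLIST = {"203.0.113.45": "CN"}            # ip -> country of the listed host
GEO = {                                       # ip -> (place, lat, lon)
    "198.51.100.7": ("Dallas", 32.78, -96.80),
    "192.0.2.200": ("Kampala", 0.35, 32.58),
}
CRITICAL_SERVERS = {"fin-db-01"}
KNOWN_DEVICES = {"alice": {"corp-laptop"}}    # directory: user -> enrolled devices

WINDOW = 3600          # seconds of history kept per actor
MAX_SPEED_KMH = 900    # two logins further apart than this is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


class ActorStore:
    """Per-actor context: recent authentications, accesses and flows. A flow is
    attached to whichever actor last authenticated from its client IP."""

    def __init__(self):
        self.actors = defaultdict(lambda: {"auths": deque(), "accesses": deque(), "flows": deque()})
        self.ip_to_user = {}

    def ingest(self, ev):
        """Attach an event to its actor and drop history older than WINDOW."""
        if ev["type"] == "flow":
            user = self.ip_to_user.get(ev["client"])
        else:
            user = ev["user"]
            self.ip_to_user[ev["client"]] = user
        if user is None:
            return None                      # unattributed flow: nobody to tie it to
        dq = self.actors[user][{"auth": "auths", "access": "accesses", "flow": "flows"}[ev["type"]]]
        dq.append(ev)
        while ev["time"] - dq[0]["time"] > WINDOW:
            dq.popleft()
        return user


def analyze_access(store, ev):
    """Analysis module run on each access event. Returns the individual findings
    (the 'normal alerts' of slide 12) and one composite alert when two or more
    of them line up on the same actor."""
    user = store.ingest(ev)
    findings = []
    if ev["server"] not in CRITICAL_SERVERS:
        return findings, None
    actor = store.actors[user]

    # 1. Access from a device not enrolled for this user.
    if ev["device"] not in KNOWN_DEVICES.get(user, set()):
        findings.append(f"{user} on unusual device {ev['device']}")

    # 2. Impossible travel: an earlier authentication from a place too far away
    #    to have been reached in the elapsed time.
    here = GEO.get(ev["client"])
    for prev in actor["auths"]:
        there = GEO.get(prev["client"])
        hours = (ev["time"] - prev["time"]) / 3600
        if here and there and hours > 0 and here[0] != there[0]:
            if haversine_km(here[1], here[2], there[1], there[2]) / hours > MAX_SPEED_KMH:
                findings.append(f"{user} logged in from {there[0]} {round(hours * 60)} minutes ago, now in {here[0]}")
                break

    # 3. A recent flow from one of the actor's devices to a blacklisted host.
    for fl in actor["flows"]:
        if fl["server"] in BLACKLIST:
            findings.append(f"device {fl['client']} has a flow to blacklisted {fl['server']} ({BLACKLIST[fl['server']]})")
            break

    composite = None
    if len(findings) >= 2:
        composite = {"actor": user, "server": ev["server"], "severity": "critical", "evidence": findings}
    return findings, composite


# Constructed event stream reproducing the slide-12 scenario (times in seconds).
EVENTS = [
    {"type": "auth", "time": 0, "user": "alice", "client": "198.51.100.7", "server": "vpn-gw", "device": "corp-laptop"},
    {"type": "auth", "time": 1800, "user": "alice", "client": "192.0.2.200", "server": "vpn-gw", "device": "android-phone"},
    {"type": "flow", "time": 1810, "client": "192.0.2.200", "server": "203.0.113.45", "proto": "tcp"},
    {"type": "access", "time": 1820, "user": "alice", "client": "192.0.2.200", "server": "fin-db-01", "device": "android-phone"},
]


def run_stream(events):
    """Feed events through the store; return the last composite alert, if any."""
    store, composite = ActorStore(), None
    for ev in events:
        if ev["type"] == "access":
            composite = analyze_access(store, ev)[1] or composite
        else:
            store.ingest(ev)
    return composite


if __name__ == "__main__":
    print(run_stream(EVENTS))
```

Each of the three checks on its own is one of the "normal alerts" the slide says nobody notices; the composite alert is only raised when at least two of them land on the same actor, which is what turns three medium-severity lines into one critical finding with its evidence attached. A flow that arrives before any authentication from its IP is dropped here; a production store would resolve it through lease data instead.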
Slide 17: Example Analytics Application: RtSA Tracker
- Actor Prioritization: automated histogram of high-anomaly actors
- Actor Fanout: automated fan-out of actor connectivity

Slide 18: RtSA Tracker Workbook: Blacklisted Actors by Country
- Miners ingest 100,000+ events into human-usable tables
- Interpreters apply Click Labs application and protocol knowledge to the data
- Analyzers automatically contextualize event, flow, authentication, access and augmentation data to 12,000+ actors
- RtSA Tracker's Blacklist Workbook brings visual acuity to 43 blacklisted actors
- Actor Location: 43 blacklisted actors by country of origin
- Actor Relationships: selected actors (Germany, Bahamas, and US) relationships by status and communications
- Actor Activity: blacklisted actors' email servers receiving transmissions from a handful of systems on a protected network

Slide 19: RtSA Tracker Workbook: Total Critical: Top 25 Actors by Critical Event Count
- Actor is an internal system with a reserved IP address (blue)
- Actor is attacking an internal (blue) web server with a variety of HTTP-based attacks, including buffer overflows and SQL injection
- Actor is sending malicious Java to an internal web server
- Victim of the HTTP attacks has initiated HTTPS connections with four external systems (the rightmost fan-out pattern); three in the US (gray), one in Europe (pink)
- Attacker is logged in, anonymously, to an FTP server and is actively transferring data. The blue (internal) node top left also anonymously logged into the same FTP server.
- The gold-colored node is from Asia; the actor's IP address is dynamically assigned from China's hinet.net, a broadband ISP and a well-known haven for hackers and phishing activity

Slide 20: RtSA Workflow
[workflow diagram; labels: Looking for Something New, Module Authoring, Lockdown Action, Real-time Stream Processing, Click Modules, Found Something!, Confident, Needs Investigation, Understood & Actionable, Dynamic Workbooks, External Triggers, Real-time Investigation, Interactive Reporting, Batch Process Investigation]
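The two views of slide 17, and the story slide 19 reads off them, come straight out of flow and security events: count critical events per actor, count distinct peers per actor, and look for an internal server that starts talking to external systems only after it has been hit. The block below is an added example, not RtSA Tracker code. Every address and event is constructed; 10.0.0.0/8 stands in for the internal (blue) address space and the TEST-NET ranges for external hosts.

```python
"""Actor ranking, fan-out and post-compromise outbound detection over flow and
security events (added example; not RtSA Tracker code). All events and
addresses below are constructed; 10.0.0.0/8 stands in for the internal space."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # "blue" nodes on the slide (constructed)


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def rank_actors(sec_events, top_n=25):
    """Top actors by critical event count, as in the 'Total Critical' workbook."""
    counts = Counter(ev["client"] for ev in sec_events if ev["severity"] == "critical")
    return counts.most_common(top_n)


def fanout(flows):
    """Number of distinct peers each actor has talked to, in either direction."""
    peers = defaultdict(set)
    for f in flows:
        peers[f["client"]].add(f["server"])
        peers[f["server"]].add(f["client"])
    return {ip: len(p) for ip, p in peers.items()}


def post_compromise_outbound(sec_events, flows):
    """For each internal server that received critical events, list the external
    systems it connected to after the first critical event and had never
    connected to before it. Returns {victim_ip: [external_ip, ...]}."""
    first_hit = {}
    for ev in sec_events:
        if ev["severity"] == "critical" and is_internal(ev["server"]):
            first_hit[ev["server"]] = min(first_hit.get(ev["server"], ev["time"]), ev["time"])
    findings = {}
    for victim, t0 in first_hit.items():
        before = {f["server"] for f in flows if f["client"] == victim and f["time"] < t0}
        new_external = sorted(
            {f["server"] for f in flows
             if f["client"] == victim and f["time"] >= t0
             and not is_internal(f["server"]) and f["server"] not in before},
            key=ip_address)
        if new_external:
            findings[victim] = new_external
    return findings


# Constructed sample: an internal reserved-address actor attacks an internal web
# server, which then fans out over HTTPS to four external systems it never used.
ATTACKER, VICTIM, DB, OTHER = "10.250.0.9", "10.1.1.20", "10.1.1.5", "10.1.1.30"
SEC_EVENTS = [
    {"time": 100, "client": ATTACKER, "server": VICTIM, "severity": "critical", "rule": "HTTP buffer overflow"},
    {"time": 110, "client": ATTACKER, "server": VICTIM, "severity": "critical", "rule": "SQL injection"},
    {"time": 130, "client": ATTACKER, "server": VICTIM, "severity": "critical", "rule": "Malicious Java upload"},
    {"time": 140, "client": OTHER, "server": DB, "severity": "low", "rule": "Port scan"},
]
FLOWS = [
    {"time": 10, "client": VICTIM, "server": DB, "app": "mysql"},
    {"time": 20, "client": OTHER, "server": "198.51.100.50", "app": "https"},
    {"time": 100, "client": ATTACKER, "server": VICTIM, "app": "http"},
    {"time": 200, "client": VICTIM, "server": "198.51.100.10", "app": "https"},
    {"time": 210, "client": VICTIM, "server": "198.51.100.11", "app": "https"},
    {"time": 220, "client": VICTIM, "server": "198.51.100.12", "app": "https"},
    {"time": 230, "client": VICTIM, "server": "203.0.113.77", "app": "https"},
    {"time": 240, "client": VICTIM, "server": DB, "app": "mysql"},
    {"time": 250, "client": OTHER, "server": "198.51.100.50", "app": "https"},
]

if __name__ == "__main__":
    print("top actors:", rank_actors(SEC_EVENTS))
    print("fan-out:", fanout(FLOWS))
    print("post-compromise outbound:", post_compromise_outbound(SEC_EVENTS, FLOWS))
```

The server 10.1.1.30 talks to an external host throughout and is never flagged, because it was never a victim; the web server is flagged only for the peers that appear after its first critical event. In a stream engine the "before" set is the actor's rolling flow history rather than a scan over all flows, but the decision is the same.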
Slide 21: Market Evolution
[diagram; labels: SIEM, Batch Query Analytics, Real-time Security Analytics, Log Management, Forensic Archive, Compliance Reporting, Big Data Search, Big Data Analytics]

Slide 22: RtSA Solution Benefits
- Find and Stop Attack Activity Early in the Kill Chain: actor-tracking contextualizes big data into prioritized, in-depth security visibility - automatically
- Speed & Simplify Analysis / Incident Response Process: Dynamic Workbooks provide real-time visualization, interactive data analysis, and immediate results encoding
- Modular Analytics Evolve with Changing Threat Landscape: Click Labs continually adds new Workbooks and Click Modules; analysts can quickly and easily create their own
- Leverage Existing Information and Enforcement Infrastructure: no rip and replace; utilize existing data sources and enforcement points

Slide 23: Real-Time Security Analytics: Automated Investigation | Automated Lockdown