• Home

  • Documents

  • SecOps Face Off · Forensic investigation and damage assessment begins. 1 TOOL REQUIRED 1 MANUAL...
1
Failed Login Aempts Analyst manually queries network flow logs, DB logs, and client logs, if available. Analyst is no longer able to obtain forensic evidence from DB logs about exactly which data, and how much, was taken. Several failed logins by a client on a sensive database. Potenal brute force login aempt. Successfully Logged In Client successfully logs into sensive DB. Client aempts to iniate download of data from DB. Database responds in affirmave and commences delivering data. Client instructs DB to delete audit table (logs). Client iniates FTP session with strange IP address outside corporate IP space. STOP Multi-Tool Workflow Reveal(x) Multi-Tool Workflow Analyst receives alert idenfying IP address of suspicious client and must query DHCP logs and CMDB for contextual informaon about the client. Analyst manually gathers database logs, if available. Analyst manually checks SIEM for logs of the suspicious IP address accessing the DB, if available. DHCP LOGS Analyst manually checks LDAP logs or other auth logs to understand the relaonship between the client and DB in queson. LDAP LOGS Automacally detected. Forensic evidence, including all transacon details and packets between client and DB automacally gathered and correlated. DATABASE LOGS DATABASE LOGS SIEM SIEM POTENTIAL BRUTE FORCE ALERT BRUTE FORCE DETECTED Analyst is provided evidence of suspicious DB access and can proacvely assess the situaon and respond. Analyst manually queries DB logs. Analyst manually queries logs from client via SIEM, if available. WIRE DATA LOGS/AGENTS 7 TOOLS REQUIRED 9 MANUAL STEPS DATA DOWNLOADED LOGS DELETED FTP CONNECTION WITH EXTERNAL IP ADDRESS FLOW LOG PROVIDER Analyst consults packet-capture soluon, and downloads mul-Gigabyte PCAP file to examine in Wireshark. The file takes several minutes to open, and much longer to manually comb through for evidence of malicious acon by the client on the database. PCAP & WIRESHARK If no transacon-level detail or DB logs available, analyst must conjecture whether or not data was delivered, and what it might have been. DATABASE LOGS Analyst manually queries logs for internal client, if available. SIEM Analyst manually queries flow data between client and External IP address, which indicates volume of data transferred, but doesn’t have filenames or other forensic details. FLOW Analyst downloads new PCAP of all transacons with the suspicious client and examines in Wireshark. WIRESHARK Reveal(x) sees exactly which data the client is aempng to download by decoding the contents of the client request and DB responses, so analysts can determine instantly whether or not the acon is malicious. Reveal(x) sees client iniate FTP session with external client, and sees exactly which files are being transferred, providing further conclusive evidence and forensic detail about the malicious acon. Reveal(x) sees the client issue a DROP command against the audit table, which should never be done, proving incontroverbly that this is a malicious acon. ALERT New alert is not correlated with earlier suspicious behavior from this client. Having spent several hours, or even days, manually invesgang separate alerts about the same aack, the security analyst discovers that sensive data has been exfiltrated, and iniates a painful forensic invesgaon and reporng process. Forensic invesgaon and damage assessment begins. 1 TOOL REQUIRED 1 MANUAL STEP Upon first receiving the alert about the potenal brute force aack, the analyst cut off access to the DB for the suspicious client, then drilled down to transacon details and packets using Reveal(x) to confirm that the DB access was malicious. Aack averted. GRAND TOTALS SecOps Face Off: CUSTOMER VALUE Reveal(x) 95% IMPROVEMENT IN TIME TO DETECT 77% IMPROVEMENT IN TIME TO RESOLVE 59% REDUCTION IN STAFF TO RESOLVE Automated Invesgaon vs. Manual Meltdown EXTRAHOP.COM/REVEALX UNPRECEDENTED VISIBILITY. DEFINITIVE INSIGHTS. IMMEDIATE ANSWERS. See how Reveal(x) automates security workflows for faster detecon, invesgaon, and remediaon. ALERT OVERLOAD. MANUAL INVESTIGATION. ENDLESS GUESSWORK. ATTACK AVERTED FURTHER INVESTIGATION OF THE INCIDENT CAN OCCUR WITHOUT FEAR OF DAMAGE.

SecOps Face Off · Forensic investigation and damage assessment begins. 1 TOOL REQUIRED 1 MANUAL STEP Upon first receiving the alert about the potential brute force attack, the

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

Page 1: SecOps Face Off · Forensic investigation and damage assessment begins. 1 TOOL REQUIRED 1 MANUAL STEP Upon first receiving the alert about the potential brute force attack, the

Failed Login Attempts

Analyst manually queries network flow logs, DB logs, and client logs, if available.

Analyst is no longer able to obtain forensic evidence

from DB logs about exactly which data, and how much,

was taken.

Several failed logins by a client on a sensitive database. Potential brute force login attempt.

Successfully Logged In

Client successfully logs into sensitive DB.

Client attempts to initiate download of data from DB. Database responds in affirmative and commences delivering data.

Client instructs DB to delete audit table (logs).

Client initiates FTP session with strange IP address outside corporate IP space.

STOP

Multi-Tool Workflow

Reveal(x) Multi-Tool Workflow

Analyst receives alert identifying IP address of suspicious client and must query DHCP logs and CMDB for contextual information about the client.

Analyst manually gathers database logs, if available.

Analyst manually checks SIEM for logs of the suspicious IP address accessing the DB, if available.

DHCP LOGS

Analyst manually checks LDAP logs or other auth logs to understand the relationship between the client and DB in question.

LDAP LOGS

Automatically detected. Forensic evidence, including

all transaction details and packets between client and DB automatically

gathered and correlated.

DATABASE LOGS

DATABASE LOGS

SIEM

SIEM

POTENTIAL BRUTE FORCE ALERT

BRUTE FORCEDETECTED

Analyst is provided

evidence of suspicious DB access and can

proactively assess the situation and

respond.

Analyst manually queries DB logs.

Analyst manually queries logs from client via SIEM, if available.

WIR

E DATA

LOG

S/AG

ENTS

7 TOOLS REQUIRED

9 MANUAL STEPS

DATA DOWNLOADED

LOGS DELETED

FTP CONNECTION WITH EXTERNAL IP ADDRESS

FLOW LOG PROVIDER

Analyst consults packet-capture solution, and downloads multi-Gigabyte PCAP file to examine in Wireshark. The file takes several minutes to open, and much longer to manually comb through for evidence of malicious action by the client on the database.

PCAP & WIRESHARK

If no transaction-level detail or DB logs available, analyst must conjecture whether or not data was delivered, and what it might have been.

DATABASE LOGS

Analyst manually queries logs for internal client, if available.

SIEM

Analyst manually queries flow data between client and External IP address, which indicates volume of data transferred, but doesn’t have filenames or other forensic details.

FLOW

Analyst downloads new PCAP of all transactions with the suspicious client and examines in Wireshark.

WIRESHARK

Reveal(x) sees exactly which data the client is attempting

to download by decoding the contents of the client

request and DB responses, so analysts can determine

instantly whether or not the action is malicious.

Reveal(x) sees client initiate FTP session with external

client, and sees exactly which files are being transferred,

providing further conclusive evidence and forensic detail about the malicious action.

Reveal(x) sees the client issue a DROP command against the audit table,

which should never be done, proving incontrovertibly that

this is a malicious action.

ALERTNew alert is not correlated with earlier suspicious behavior from this client.

Having spent several hours, or even days, manually investigating separate alerts about the same attack, the security analyst discovers that sensitive data has been exfiltrated, and initiates a painful forensic investigation and reporting process.

Forensic investigation and damage assessment begins.

1 TOOL REQUIRED

1 MANUAL STEP

Upon first receiving the alert about the potential brute force attack, the analyst cut off access to the DB for the suspicious client, then drilled down to transaction details and packets using Reveal(x) to confirm that the DB access was malicious.

Attack averted.

GRAND TOTALS

SecOps Face Off:

CUSTOMER VALUE

Reveal(x)

95%IMPROVEMENT IN TIME TO DETECT

77%IMPROVEMENT IN TIME TO RESOLVE

59%REDUCTIONIN STAFF TO RESOLVE

Automated Investigation vs. Manual Meltdown

EXTRAHOP.COM/REVEALX

UNPRECEDENTED VISIBILITY. DEFINITIVE INSIGHTS. IMMEDIATE ANSWERS.

See how Reveal(x) automates security workflows for faster detection, investigation, and remediation.

ALERT OVERLOAD. MANUAL INVESTIGATION.ENDLESS GUESSWORK.

ATTACK AVERTEDFURTHER INVESTIGATION OF THE INCIDENT CAN OCCUR WITHOUT

FEAR OF DAMAGE.

Dev secops opsec, devsec, devops ?

Dev secops opsec, devsec, devops ?

Technology
126 BRUTE Utility Containers UTILITY REFUSErldistributeur.ca/pdf/p09b_rubber.pdf · UTILITY REFUSE BRUTE ® Utility Containers 127 BRUTE ® Round Containers Durable, heavy-duty containers

126 BRUTE Utility Containers UTILITY REFUSErldistributeur.ca/pdf/p09b_rubber.pdf · UTILITY REFUSE BRUTE ® Utility Containers 127 BRUTE ® Round Containers Durable, heavy-duty containers

Documents
The SecOps Playbook · 2018-01-05 · THE SECOPS PLAYBOOK • 6 PrACTICAL STEPS TO SuCCEEd AT SECOPS 4 Here are the six steps that we consider necessary to succeeding with SecOps

The SecOps Playbook · 2018-01-05 · THE SECOPS PLAYBOOK • 6 PrACTICAL STEPS TO SuCCEEd AT SECOPS 4 Here are the six steps that we consider necessary to succeeding with SecOps

Documents
Theory of Algorithms: Brute Force - perisastry.com · Objectives To introduce the brute-force mind set To show a variety of brute-force solutions: Brute-Force String Matching Polynomial

Theory of Algorithms: Brute Force - perisastry.com · Objectives To introduce the brute-force mind set To show a variety of brute-force solutions: Brute-Force String Matching Polynomial

Documents
Crowdsourcing SecOps Through REN -ISAC - Internet2 · Crowdsourcing SecOps Through REN -ISAC . Kim Milford, REN-ISAC Executive Director. Chris O’Donnell, REN-ISAC Lead Security

Crowdsourcing SecOps Through REN -ISAC - Internet2 · Crowdsourcing SecOps Through REN -ISAC . Kim Milford, REN-ISAC Executive Director. Chris O’Donnell, REN-ISAC Lead Security

Documents
Security at a Crossroad - Qualys · Agile SecOps. SecOps focus on monitoring & response. Drastically reduce security solutions deployed after the fact. New generation of Security

Security at a Crossroad - Qualys · Agile SecOps. SecOps focus on monitoring & response. Drastically reduce security solutions deployed after the fact. New generation of Security

Documents
SecOps Teams Must Automate and Align...This infographic report contains highlights from the research. SecOps Teams Must Automate and Align More than ever, digital business is the new

SecOps Teams Must Automate and Align...This infographic report contains highlights from the research. SecOps Teams Must Automate and Align More than ever, digital business is the new

Documents
These materials are © 2018 John Wiley & Sons, Inc. Any ... · and key SecOps roles (Chapter 1) Important SecOps capabilities (Chapter 2) How to evaluate SecOps tools (Chapter 3)

These materials are © 2018 John Wiley & Sons, Inc. Any ... · and key SecOps roles (Chapter 1) Important SecOps capabilities (Chapter 2) How to evaluate SecOps tools (Chapter 3)

Documents
SecOps, SIEM, and Security Architecture Use Case Development · SecOps, SIEM, and Security Architecture Use Case Development Don Murdoch, GSE #99 Asst. Director, Institute for Cyber

SecOps, SIEM, and Security Architecture Use Case Development · SecOps, SIEM, and Security Architecture Use Case Development Don Murdoch, GSE #99 Asst. Director, Institute for Cyber

Documents
Brute Force Algorithms

Brute Force Algorithms

Documents
Brute Operator's Manual

Brute Operator's Manual

Documents
SecOps : Security Operations - eletsonline.com · ops digests report and plans work extra change documentation potentially many approvals apps secops workflow now automated. 12 compliance

SecOps : Security Operations - eletsonline.com · ops digests report and plans work extra change documentation potentially many approvals apps secops workflow now automated. 12 compliance

Documents
AWS Security and SecOps

AWS Security and SecOps

Internet
MOJO Brute Brunch

MOJO Brute Brunch

Documents
Cooking Log Data for a Real SecOps

Cooking Log Data for a Real SecOps

Documents
07 Brute Force

07 Brute Force

Documents
Team Brute

Team Brute

Documents
Team BRUTE

Team BRUTE

Documents
EMA Report Summary: Integrating SecOps With Operations ... · PDF fileReport Summary – Integrating SecOps With Operations, Development, and ITSM in the Age of Cloud and Agile PAGE

EMA Report Summary: Integrating SecOps With Operations ... · PDF fileReport Summary – Integrating SecOps With Operations, Development, and ITSM in the Age of Cloud and Agile PAGE

Documents
Powering the Practice of SecOps placeholder for cover

Powering the Practice of SecOps placeholder for cover

Documents
Quality assurance in dev ops and secops world

Quality assurance in dev ops and secops world

Engineering
BRUTE® containers

BRUTE® containers

Documents
Dev secops engineering-marketing-sheet

Dev secops engineering-marketing-sheet

Technology
On brute facts

On brute facts

Documents
Brute Force Attack

Brute Force Attack

Technology
SecOps Workshop (Gregory Pickett)

SecOps Workshop (Gregory Pickett)

Technology
Brute Compressor Manual

Brute Compressor Manual

Documents
Brute Force Algorithm

Brute Force Algorithm

Documents
Securing DevOps and Automating SecOps - Black Hat · Securing DevOps and Automating SecOps. Cybersecurity Skills Shortage 2 million global shortage of cybersecurity professionals

Securing DevOps and Automating SecOps - Black Hat · Securing DevOps and Automating SecOps. Cybersecurity Skills Shortage 2 million global shortage of cybersecurity professionals

Documents
Devops, Secops, Opsec, DevSec *ops *.* ?

Devops, Secops, Opsec, DevSec *ops *.* ?

Technology