To Catch A Thief
Sam Curry, Chief Technology Officer
RSA, The Security Division of EMC
Security is about…

“Security isn’t about security. It is about managing risk at some cost. In the absence of metrics, we tend to overcompensate and focus on risks that are either familiar or recent.”

Hugh Thompson, Chief Security Strategist, People Security
Disruptors to IT (and the world)
Keep in mind today and in the coming days that there are three concurrent disruptors in IT…
1. Cloud (Private, Public, Hybrid et al)
2. User-driven IT / Consumer Computing
3. Proliferation and Maturation of Cybercrime
The Criminal Reality today…
Context: The Dark Cloud
There is an underground economy

Asset | Going-rate
Pay-out for each unique adware installation | 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version | $1,000 – $2,000
Malware package with add-on services | Varying prices starting at $20
Exploit kit rental – 1 hour | $0.99 to $1
Exploit kit rental – 2.5 hours | $1.60 to $2
Exploit kit rental – 5 hours | $4, may vary
Undetected copy of a certain information-stealing Trojan | $80, may vary
Distributed Denial of Service attack | $100 per day
10,000 compromised PCs | $1,000
Stolen bank account credentials | Varying prices starting at $50
1 million freshly-harvested emails (unverified) | From $8 up, depending on quality

Sample data from research on the underground digital economy in 2007
Commercial Motivations: you don’t have to be faster than the bear…

Probability is proportional to Total Reward and inversely proportional to Total Risk. Therefore:

Probability ∝ Total Reward / Total Risk

Or…

PV ∝ AV / (DV * RV)

• When you are dealing with an intelligent opponent and quantifiable gains (reward) and losses (risks), you can apply Game Theory
• You can determine to some level of accuracy the relative probability of a set of attack types with respect to one another
• You can use this information to implement stronger controls against a dynamic and increasingly hostile threat environment
• You can use this outlook to examine the effects of world events and small changes in “State of the Art” or even the introduction of disruptive technologies
Content Races, Decision Loops and Operational Efficiency

Products and systems always end up in a content race. Who wins in this picture?

It’s all about decision loops
• OODA
• Command-and-control

We have an intelligent opponent
• Adapt and change
• Improve / we improve

[Figure labels: GRC, APT]
What does the risk curve look like?

[Figure: risk curve over time. Vertical axis: Risk. Points along the curve: 1st infection, R&D/Beta, Zero-time, 1st Signature, Solution, Signature. Annotation: “The… Long… Wait…”]
How do we reduce the “risk window”?

[Figure: the same risk curve as above (1st infection, R&D/Beta, Zero-time, 1st Signature, Solution, Signature; “The… Long… Wait…”), repeated for this question.]
The APT Challenge: you do have to be faster than the bear

GREATER COMPLEXITY
• Architecture of the Virtual Data center and Cloud environments
• Consumerization of IT – the growing demand for more unmanaged machines, applications, and information sharing tools
• Increase in information to analyze and correlate

BIGGER THREATS
• Prevalence and sophistication of security threats will increase
• Advanced Persistent Threat (APT) will become more predominant
• Attack vectors continue to make use of infrastructure vulnerabilities and exploit human vulnerabilities

RESPONSE TIME
• Responding to an attack can potentially slow down due to the increase in data (and noise)
• It is important to be able to stay ahead of the attackers and continue to stay in front of them
Advanced Persistent Threats: The Ultimate Problem

• Multiple attack methodologies
• “Low and Slow”
• Specific objective
• Well organized and funded
• Human involvement
• Can leverage automated techniques
The Future Solution: Intelligent SOC, A Holistic Approach

1. Risk Planning
▪ First and foremost requirement for building a focused, effective security operations program
▪ Information centric approach to security risk planning
▪ Knowledge determines how fast and how well the SOC can react to a problem

2. Attack Modeling
▪ Determine which systems, people and processes have access to valuable, protected information
▪ Model the threat surface: normal traffic patterns and potential attack vectors for this information
▪ Determine potential attack vectors, examine all defensive steps, devise the optimal defense

3. Virtualized Environments
▪ Virtualization will be a core capability of the Intelligent SOC
▪ Sandboxing: a suspicious file can be launched in an isolated hypervisor and VM cut off from the rest of the system
▪ “Isolation in depth” for the most sensitive information and virtual nodes

4. Self Learning Predictive Analytics
▪ Continually monitor and learn typical states to identify problematic patterns early
▪ Configuration data, events, contextual information and risk profiles connect unrelated events to detect high-risk activities instantaneously
▪ Integrated feedback loops use confirmed alerts to help the system improve threat detection

5. Automated, Risk-based Decision Systems
▪ Assess risks almost instantly and vary responses accordingly
▪ Automated topography: remap the entire network infrastructure to disrupt an attacker’s reconnaissance efforts

6. Improvement with Forensic Analysis and Community Learning
▪ Virtualized environments provide snapshots of the IT environment at the time of the security event, which is useful information if detection of the attack was delayed
▪ Information is collected centrally and shared among partnering organizations to analyze and help defend against similar security threats
Modeling an Attack: RSA Labs in Collaboration with Ron Rivest

[Figure: attack model with two paths. Path 1: Exploit FTP Server → INFECT FTP SERVER VM; User opens PDF in time < t → COMPROMISE CLIENT MACHINE; User opens PDF in time > t → NO COMPROMISE; Log into Document Store → STEAL SENSITIVE INFORMATION. Path 2: Social Engineering Attack → DELIVERED; User opens email → INFECT CLIENT MACHINE WITH ZEUS; Access Document Store → STEAL SENSITIVE INFORMATION, otherwise NO COMPROMISE.]

Deployment Dynamics
• Within time t the FTP server is re-provisioned from a clean VM image
• The opportunity for attack is the time interval t

Adaptive Authentication
• The attacker uses stolen credentials from the compromised machine to log into the document store
• The probability that the attacker accesses the document store in the expected context is low
• The attack is blocked with high probability

Log Analysis: Time Correlation
• The attacker manages to get to the target, but the attack is revealed by an external triggering mechanism
• The time correlation between the FTP server exploit and the opening of the malformed PDF file can be detected
• Assumes tamper-resistant logs

Behavior Analytics
• Through a social engineering attack, a Zeus variant is installed on an internal machine
• By monitoring file and network access patterns at the hypervisor layer, behavior analytics can detect the compromise
• Log analysis can be used to backtrack the attack path and remove that attack vector
The APT Challenge…in simple terms

[Figure: The Game, showing the Attacker and the Target]

The Goals
• Attacker must gain access to the target
• Defender must defend access to the target
• Both must stay within their financial means
• Defender must know which controls cover the attack vectors
Modeling an Attack: RSA Labs in Collaboration with Ron Rivest

[Figure: the attack model from the previous slide (Exploit FTP Server, Infect FTP Server VM, User opens PDF in time < t / > t, Compromise Client Machine, Log into Document Store, Steal Sensitive Information; Social Engineering Attack, User opens Email, Delivered, Infect Client Machine with Zeus, Access Document Store, No Compromise) overlaid with the measures that cover each step: Deployment Dynamics, Behavior Analytics, Risk Analytics, Log Analysis.]
The Right Measures: Simulate an APT-like attack on an Intelligent SOC

[Figure: the same attack model (Exploit FTP Server, Infect FTP Server VM, User opens PDF, Compromise Client Machine, Log into Document Store, Steal Sensitive Information; Social Engineering Attack, User opens Email, Delivered, Infect Client Machine with Zeus, Access Document Store, No Compromise) with the techniques applied: Dynamics, Adaptive, Behavioral Assessment, Analytics, Risk Model.]
Deployment Dynamics: Defensive Approach

[Figure label: Attacker]

How it works
1. The Deployment Dynamics Server (DDS) instantiates a clean FTP server from the FTP VM image and moves it to the production area.
2. DDS instructs the Load Balancer to add the FTP Server to the pool of available servers providing FTP service.
3. After time t, DDS instructs the Load Balancer to remove the FTP server from the pool of servers providing FTP service.
4. DDS destroys the FTP Server and begins the process again.
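The DDS lifecycle above bounds the first attack path of the model (the implant on the FTP server lives at most until the next clean re-provision, so a user opening the malformed PDF in time > t finds nothing). The following added example, not code from the deck or from RSA, simulates that rule and compares a Monte Carlo estimate with a closed form; the exponential user delay, the uniform landing time of the exploit and the numeric values are assumptions made here.

```python
import math
import random


def attack_succeeds(exploit_time: float, pdf_open_time: float, t: float) -> bool:
    """Path 1 of the attack model: the attacker plants a malformed PDF on the
    FTP server at exploit_time and a user fetches and opens it at pdf_open_time.
    DDS destroys the server and boots a clean image at every multiple of t, so
    the implant only lives until the next re-provisioning boundary."""
    if pdf_open_time < exploit_time:
        return False                                  # nothing planted yet
    next_clean_boot = (math.floor(exploit_time / t) + 1) * t
    return pdf_open_time < next_clean_boot


def analytic_success(t: float, mean_delay: float) -> float:
    """Closed form under the assumptions below: the exploit lands uniformly
    inside a cycle (remaining lifetime R ~ Uniform(0, t)) and the user's delay
    D before opening the PDF is Exponential with mean m.
    P(D < R) = 1 - (m / t) * (1 - exp(-t / m))."""
    m = mean_delay
    return 1.0 - (m / t) * (1.0 - math.exp(-t / m))


def simulate_success(t: float, mean_delay: float, trials: int = 20000, seed: int = 7) -> float:
    """Monte Carlo estimate of the compromise probability for the same model,
    driven through the DDS rule in attack_succeeds()."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        exploit_time = rng.uniform(0.0, 10.0 * t)      # random landing time
        delay = rng.expovariate(1.0 / mean_delay)      # user's delay (assumed)
        if attack_succeeds(exploit_time, exploit_time + delay, t):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Shrinking the re-provisioning interval t shrinks the attack window.
    for t in (240, 60, 15):
        print(f"t={t:4d}s  P(compromise) ~ {simulate_success(t, 30):.3f} "
              f"(analytic {analytic_success(t, 30):.3f})")
```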
Adaptive Authentication: Preventive Approach

[Figure: login attempt with Username: wolfd, Password: 0ct0rulz, scored HIGH RISK: Require stronger authentication]

How it works
1. The Attacker tries to log into an internal restricted document store that leverages adaptive authentication functionality.
2. The Document Store passes the authentication credentials and the observed network data (IP, device fingerprint) to AMx.
3. AMx calculates a high risk score because the authentication credentials had not previously been used from the observed device.
4. The Document Store prompts the Attacker for secondary authentication: a one-time password (OTP) sent via SMS to the user.
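The risk decision in step 3 is the part worth seeing in code. The example below is added here and is not AMx or any RSA code: a hypothetical stand-in that keeps a per-user history of devices and source IPs, scores a login that presents valid credentials from an unseen device, and learns the device once the OTP step-up succeeds. The weights, the threshold and the sample history are assumptions; the password is assumed to have been verified by the document store before the risk check.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LoginAttempt:
    username: str
    src_ip: str
    device_fp: str      # device fingerprint observed by the document store


# Constructed per-user history a risk engine would keep (not real data).
HISTORY = {"wolfd": {"devices": {"fp-corp-laptop-01"}, "ips": {"10.0.5.23"}}}

REQUIRE_OTP_AT = 60     # assumed threshold; the deck names no numbers


def risk_score(attempt: LoginAttempt, history: Dict) -> Tuple[int, List[str]]:
    """Score rises when valid credentials are presented from a device or
    network this user has never used before (the stolen-credential case)."""
    seen = history.get(attempt.username, {"devices": set(), "ips": set()})
    score, reasons = 0, []
    if attempt.device_fp not in seen["devices"]:
        score += 60
        reasons.append("credentials never used from this device")
    if attempt.src_ip not in seen["ips"]:
        score += 25
        reasons.append("first login from this source IP")
    if not attempt.src_ip.startswith("10."):
        score += 15
        reasons.append("source outside the internal address range")
    return min(score, 100), reasons


def decide(attempt: LoginAttempt, history: Dict) -> Tuple[str, int, List[str]]:
    """ALLOW, or REQUIRE_OTP (one-time password sent by SMS to the real user)."""
    score, reasons = risk_score(attempt, history)
    action = "REQUIRE_OTP" if score >= REQUIRE_OTP_AT else "ALLOW"
    return action, score, reasons


def record_success(attempt: LoginAttempt, history: Dict) -> None:
    """After the OTP step-up succeeds, learn the device and IP so the
    legitimate user is not challenged again from them."""
    user = history.setdefault(attempt.username, {"devices": set(), "ips": set()})
    user["devices"].add(attempt.device_fp)
    user["ips"].add(attempt.src_ip)
```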
Analytics: Responsive Approach

[Figure: Data Center, Risk Profile, Logs, Watch Lists and Contextual Data feeding the Security Management Data Warehouse]

How it works
1. Logs from Endpoints and Servers, and VM snapshot data from the Deployment Dynamics services, are stored in Greenplum.
2. Given knowledge of a document leak from external sources, the system backtracks through the log data to identify the past network activity of all endpoints which accessed the leaked document.
3. Intermediate results are further correlated with the VM re-provisioning snapshot meta-data to narrow down suspicious points of server infection and sources of the document leak.
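The two log-analysis uses in the deck, time correlation between the FTP exploit and the PDF open (from the attack model) and the backtrack from a leaked document (steps 2 and 3 above), are shown together in this added example, which is not code from the deck or from RSA. The log records are constructed samples with an assumed field layout; a real pipeline would pull the same fields from the data warehouse.

```python
# Constructed sample of the tamper-resistant logs the model assumes
# (timestamps in seconds; hostnames and files are invented).
LOGS = [
    {"ts": 100, "src": "ftp-vm-7", "event": "ftp_exploit"},
    {"ts": 130, "src": "ws-12", "event": "net_fetch", "peer": "ftp-vm-7", "file": "invoice.pdf"},
    {"ts": 131, "src": "ws-12", "event": "pdf_open", "file": "invoice.pdf"},
    {"ts": 160, "src": "dds", "event": "vm_snapshot", "vm": "ftp-vm-7"},
    {"ts": 400, "src": "ws-12", "event": "doc_access", "doc": "roadmap.docx"},
    {"ts": 410, "src": "ws-33", "event": "doc_access", "doc": "handbook.pdf"},
    {"ts": 900, "src": "ws-33", "event": "pdf_open", "file": "handbook.pdf"},
]


def correlate_exploit_and_pdf(logs, window):
    """Time correlation: an FTP server exploit followed, within `window`
    seconds, by a client opening a PDF it fetched from that same server.
    Returns (server, client, seconds between the two events)."""
    exploits = [e for e in logs if e["event"] == "ftp_exploit"]
    fetched = {(e["src"], e["file"]): e["peer"] for e in logs if e["event"] == "net_fetch"}
    hits = []
    for ex in exploits:
        for e in logs:
            if e["event"] != "pdf_open":
                continue
            peer = fetched.get((e["src"], e["file"]))     # where the PDF came from
            if peer == ex["src"] and 0 <= e["ts"] - ex["ts"] <= window:
                hits.append((ex["src"], e["src"], e["ts"] - ex["ts"]))
    return hits


def backtrack_leak(logs, leaked_doc, snapshot_window):
    """Given an externally reported leak of `leaked_doc`: the endpoints that
    accessed it, their earlier network activity, and the DDS VM snapshots taken
    within `snapshot_window` seconds of that activity (candidate points of
    server infection)."""
    endpoints = {e["src"] for e in logs
                 if e["event"] == "doc_access" and e["doc"] == leaked_doc}
    activity = [e for e in logs if e["src"] in endpoints and e["event"] == "net_fetch"]
    snapshots = [s for s in logs if s["event"] == "vm_snapshot" and any(
        s["vm"] == a["peer"] and abs(s["ts"] - a["ts"]) <= snapshot_window for a in activity)]
    return endpoints, activity, snapshots
```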
Behavior Analytics: Learning Approach

[Figure: Analytics Engine fed by Folder Creation, File Creation, Read/Write Activity, Network Activity, Dynamic Reputation, Blacklist and Payload Analysis; scenario: User opens email, Zeus infects VMs]

How it works
1. Data flows from multiple VMs, mirrored by the hypervisor and sent to the analytics engine.
2. The engine analyzes the individual inputs and their relationships.
3. The engine ties multiple events together and, if they look suspicious, an alert is generated.
4. Every alert arrives with a severity score and the reason why the alert was generated.
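Steps 3 and 4 (tying events together, then emitting a severity and the reasons) are the core of the engine; the added example below is not code from the deck or from RSA. It chains hypervisor-mirrored events per VM by time proximity and alerts only when the chained weight crosses a threshold, so an isolated signal stays quiet while a Zeus-style sequence does not. The signal weights, the threshold, the window and the sample events are assumptions.

```python
from collections import defaultdict

# Hypothetical weights for the signal types named on the slide; the deck
# assigns no numbers to them.
WEIGHTS = {
    "folder_create_unusual": 15,   # folder creation in an unexpected location
    "file_create_executable": 20,  # new executable written to disk
    "rw_burst": 15,                # burst of read/write activity
    "net_low_reputation": 25,      # dynamic reputation of the peer is poor
    "net_blacklist": 40,           # peer on the blacklist
    "payload_match": 30,           # payload analysis flagged the content
}
ALERT_AT = 50      # assumed severity threshold


def score_events(events, window):
    """events: list of (ts, vm, signal) as mirrored by the hypervisor.
    Events on the same VM within `window` seconds of the previous one are tied
    into one chain; a chain whose summed weight reaches ALERT_AT becomes an
    alert carrying a severity score (capped at 100) and the reasons."""
    per_vm = defaultdict(list)
    for ts, vm, signal in sorted(events):
        per_vm[vm].append((ts, signal))
    alerts = []
    for vm, seq in per_vm.items():
        chain = []
        for ts, signal in seq + [(None, None)]:        # sentinel flushes last chain
            if chain and (ts is None or ts - chain[-1][0] > window):
                severity = min(100, sum(WEIGHTS[s] for _, s in chain))
                if severity >= ALERT_AT:
                    alerts.append({"vm": vm, "severity": severity,
                                   "start": chain[0][0], "end": chain[-1][0],
                                   "reasons": [s for _, s in chain]})
                chain = []
            if ts is not None:
                chain.append((ts, signal))
    return alerts


# Constructed sample: a Zeus-style chain on ws-12 after the user opens an
# email, a lone benign I/O burst on ws-33, and a lone blacklist hit much later.
SAMPLE = [
    (10, "ws-12", "folder_create_unusual"), (12, "ws-12", "file_create_executable"),
    (15, "ws-12", "rw_burst"), (20, "ws-12", "net_low_reputation"),
    (5, "ws-33", "rw_burst"), (1000, "ws-12", "net_blacklist"),
]
```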
Techniques used in an Intelligent SOC

• Risk Model
• Adaptive Authentication
• Analytics
• Behavioral Assessment
• Dynamics
The Future Solution: Intelligent SOC, A Holistic Approach

Protect what is important
• Efficiently, aggressively and thoroughly secure and comply according to best practices
• Make advanced exploits harder: dynamics, sandboxing, isolation in depth, stack integrity monitoring

Identify what is important
• Assets and asset relationships
• Services and service dependencies
• User credentials
• Sensitive data

Minimize damage
• Leverage comprehensive visibility
• Focus using analytics
• Respond quickly
• Adapt by improving response efficiency by addressing discovered weaknesses

Disrupt the objective
• Interrupt the transaction
• Discover the leaked information
• Share cyber intelligence (collaborate)
• Prosecute aggressively (increase the attacker’s cost)
Summary: CORE Elements of the Intelligent SOC model

• “Risk based” security strategy
• Predictive modeling and analysis
• Leverage techniques in virtualized environments
• Self-learning predictive analytics
• Automated, adaptive systems
• Continual improvement through forensic analysis and community learning
2011+ The Future

The bad guys will keep getting worse: we have an intelligent opponent!
• E.g. expect a bleed v. butcher approach in malware
• E.g. expect benefits built into malware
• E.g. expect APTs to converge vectors and get faster and more directed to IP

Expect Cybercrime to continue to flourish
Expect a resurgence in non-financially motivated, sophisticated APT
Move to a progressively more “intelligent” SOC

GRC gives “Security Management” a chance…
• To be about risk mitigation
• To become more transparent
• To get close to the business
• To be more efficient and reduce focus on tools

Thank you!