A Global Enterprise Confronts Targeted Attacks Ginnwann Teo Head of Pre-Sales Cyberbit Solutions, APAC


Page 1: A Global Enterprise Confronts Targeted Attacks Ginnwann Teo. Ginnwann Teo Presentation.pdf

A Global Enterprise Confronts Targeted Attacks

Ginnwann Teo

Head of Pre-Sales

Cyberbit Solutions, APAC

Page 2

About CYBERBIT

An Elbit Systems Subsidiary (NASDAQ: ESLT; Revenue: $3B)

Annual sales: a three-digit number (in M USD) and growing

450 employees, 350 in R&D

Mature Technology: deployed since 2012

Global Sales Operation: North America, APAC, EMEA

4 Product Lines: EDR, SCADA, SIRP, Cyber Training

© 2016 CYBERBIT │ CYBERBIT Proprietary

Page 3

Agenda

1. Threat Landscape

2. Behavioural Analysis and Machine Learning Detection

3. SOC 3.0

4. Summary

Page 4

Threats Landscape – The Challenge

[Chart: time to compromise vs. time to discovery on a scale of seconds / minutes / hours / days / weeks+. Time to compromise: 11% in seconds, 82% in minutes. Time to discovery: 3% in minutes, 5% in hours, 9% in days, 83% in weeks or more.]

Time to compromise: 1 in 9 (11%) compromises happened in seconds. Almost all (93%) happened within minutes.

Time to discovery: Just 3% of compromises were detected within minutes, and only 17% in days. 83% took weeks or more to discover.

Page 5

Mean time to identify: 206 days

Mean time to contain: 69 days

Average cost of a breach: $3.8M

23% increase in the cost of a breach from 2013 to 2015

Source: Ponemon Institute's 2015 Global Cost of Data Breach Study

Page 6

Cyber attacks are no longer a matter of "if," but a matter of "when." With the understanding that attacks can never be fully prevented, companies should advance their detection capabilities so they can respond appropriately.

Signatures are obsolete

3.8 million unique hashes

99% of malware hashes are seen for only 58 seconds or less

In fact, most malware is seen only once

Antivirus products are "doomed to failure"; "Antivirus products are catching less than half of all cyberattacks"

Senior VP, Information Security, Symantec, 5 May 2014

Page 7

Sandboxes can be Fooled

1. Stalling code

2. Blind spots

3. Environmental checks: cores, Windows, virtualization, user interaction

Page 8

Malware Persistency

[Screen shot: CYBERBIT EDR]

Page 9

C2C Communications Pass Through

1. Encrypted communication or steganography

2. Compromised botnets

3. Multiple channels: HTTP / HTTPS, DNS tunnels, instant messaging, IPv6 and ICMP, compromised websites, social media sites

Page 10

Page 11

2 June, 2016

Cyber Crisis Management Plan

11. A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. …… CERT-IN also have come out with National Cyber Crisis Management Plan and Cyber Security Assessment Framework. …….

12. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. ……

Sharing of information on cyber-security incidents with RBI

14. …… Banks are also encouraged to actively participate in the activities of their CISOs' Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Such collaborative efforts will help the banks in obtaining collective threat intelligence, timely alerts and adopting proactive cyber security measures.

Supervisory Reporting framework

15. It has been decided to collect both summary level information as well as details on information security incidents including cyber-incidents. Banks are required to report promptly the incidents, in the format given in Annex-3.

Page 12

There Must Be Focus on Detection, Response and Mitigation

Page 13

Behavioral Analysis is Key

Collect information in the real environment

Focus on what and not on how

Generalize behaviors

Use the anti-detection action as additional indication

Combine behaviors to reach a conclusion

Use advanced visualizations to tell the story

Page 14

Machine Learning

Find the needle in the haystack

Rich dataset: learning is useless without quality data

Employ advanced techniques to baseline normal behaviors, in order to surface malicious ones

Dynamic algorithm: continuous feedback to adjust the settings

Page 15

Machine Learning Methods

• Time based statistical sensor

• Sliding windows features

• Decision mechanism for separating routine vs. malware behaviour

[Figure: activity over time t, split into windows of Δt, labelled Routine and Malware]

• Statistical system behavior description

• Cross correlation for malware and noise behavior

• Shannon decision tree for maximizing TP/FP ratio

Example: multi dimensional decision algorithm
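The following is an added illustration of the sliding-window statistical sensor and multi-dimensional decision described on the last two slides; it is example code written for this page, not Cyberbit's product logic. It baselines each feature over a sliding window of routine intervals, flags an interval only when several features deviate together (combining behaviours to keep the TP/FP ratio up), and feeds only routine intervals back into the baseline. The host counts are constructed.

```python
from collections import deque
from statistics import mean, pstdev


def multi_feature_sensor(samples, window=10, threshold=3.0, min_features=2):
    """Flag intervals where several features deviate from their sliding baseline.

    samples: one dict per time interval, feature name -> count.
    Each feature keeps the last `window` routine values; an interval is flagged
    when at least `min_features` features sit more than `threshold` standard
    deviations above their own baseline. Flagged intervals are not fed back
    into the baselines, so a sustained burst cannot teach the sensor that the
    burst is normal. Returns [(interval_index, {feature: z_score}), ...].
    """
    baselines = {}
    flagged = []
    for i, sample in enumerate(samples):
        deviations = {}
        for feature, value in sample.items():
            hist = baselines.setdefault(feature, deque(maxlen=window))
            if len(hist) < window:
                continue  # still learning the routine baseline for this feature
            sigma = max(pstdev(hist), 1.0)  # floor: a flat baseline must not blow up z
            z = (value - mean(hist)) / sigma
            if z > threshold:
                deviations[feature] = round(z, 1)
        if len(deviations) >= min_features:
            flagged.append((i, deviations))
            continue  # anomalous interval stays out of every baseline
        for feature, value in sample.items():
            baselines[feature].append(value)
    return flagged


# Constructed sample (not real telemetry): per-minute counts for one workstation.
# Intervals 0-19 are routine; interval 20 is a blip in one feature only;
# intervals 21-23 show both features jumping together.
ROUTINE = [{"new_connections": c, "distinct_dst_ports": p}
           for c, p in zip([12, 15, 11, 14, 13, 16, 12, 15, 14, 13] * 2,
                           [4, 5, 4, 6, 5, 4, 5, 6, 4, 5] * 2)]
SAMPLES = ROUTINE + [
    {"new_connections": 40, "distinct_dst_ports": 5},   # single-feature blip
    {"new_connections": 95, "distinct_dst_ports": 60},  # both features spike
    {"new_connections": 120, "distinct_dst_ports": 75},
    {"new_connections": 110, "distinct_dst_ports": 70},
]

if __name__ == "__main__":
    for idx, devs in multi_feature_sensor(SAMPLES):
        print(f"interval {idx}: anomalous features {devs}")
```

With `min_features=2` the single-feature blip at interval 20 is treated as noise and absorbed into the baseline, whereas `min_features=1` flags it as well; the trade-off is exactly the TP/FP balance the slide refers to.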

Page 16

Hunting

Have all the information at your fingertips

Be proactive

Use big data of forensic information to actively look for anomalies

[Screen shot: CYBERBIT EDR]

Page 17

SOC 3.0

Page 18

SOC Evolution – Business Driven, Complete SOC Management

SOC 1.0 – SIEM: log-based alerts consolidation

SOC 2.0 – SIRP: incident handling, events analysis, incident management

SOC 3.0 – SOC Management Platform:

Complete incident management, workflow, tasking and SLA

Response automation: automatic remedies based on best practices, IT systems interface

Analysis automation: similar events identification, threat intelligence collaboration

Inputs from organizational applications & other IT sources

Page 19

SOC 3.0 Vision

[Diagram; labels as extracted:]

Attack Stages: Events, Incident, Breach

Inputs: SIEM; Other Alerts (EDR, cloud-based detection); Other inputs (GRC, email, IT Helpdesk)

SOA – Analysis & Correlation (Event, Incident): Events Correlation, Similar Events, Data Analysis, Threat Intelligence, Indications of Compromise (IOCs)

SIR – Incident Management (Incident, Breach): Actions, Auto Tools, Escalation process, SLA, Best Practice

Breach Management: Business Impact analysis, Compliance Management

Communication Module

Page 20

Response and Mitigation Guidelines

Obtain one management platform for all SOC activities

Leverage threat intelligence and external interfaces

Automate and semi-automate response workflows

Execute post-incident analysis to improve your procedures and processes

Leverage organizational knowledge for analysis and response

Audit and document

Collaborate with response tools

Page 21

Summary

Combine advanced detection, mitigation and response

Consider business impact for triage, mitigation and response

Use more than IOCs to detect unknown threats

Reach maximum detection results by combining behavioral analysis and machine learning

Use advanced visualizations to improve your team's efficiency

Audit, document, and post-investigate incidents to improve SOC processes

Page 22

That's Exactly What We Do

Cyberbit Security Suite: Big Data Analytics over sensors (CS-IT, CS-ICS (SCADA), any future sensor?)

Cyberbit Trainer – Cyber Security Training and Simulation

SOC 3D – SOC Management Platform

Cyberbit EDR – Endpoint Detection and Response

SCADAShield – SCADA Detection and Response

Page 23

Thank You

[email protected]

www.cyberbit.net