Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data

David Monahan, Research Director, Security and Risk Management, Enterprise Management Associates (IT & Data Management Research, Industry Analysis & Consulting)
Twitter: @SecurityMonahan

Uploaded by enterprise-management-associates, posted 22-Jan-2018 (35 slides)

TRANSCRIPT

Slide 1: Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data

David Monahan, Enterprise Management Associates
Research Director, Security and Risk Management
Twitter: @SecurityMonahan

Slide 2: Featured Speaker

David Monahan, Research Director, Risk and Security

David is a senior information security executive with several years of experience. He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies.

Slide 2 © 2016 Enterprise Management Associates, Inc.

Slide 3: Logistics for Today’s Webinar

• An archived version of the event recording will be available at www.enterprisemanagement.com
• Log questions in the Q&A panel located in the lower right corner of your screen
• Questions will be addressed during the Q&A session of the event

Slide 4: Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data

David Monahan, Enterprise Management Associates
Research Director, Security and Risk Management
Twitter: @SecurityMonahan

Slide 5: Sponsors

Slide 6: Report Demographics

• 225 respondents
• Industries: Education, Finance/Banking, Health care/Pharma, High Tech, Retail, Manufacturing
• Organization size: SMB (<1K) 25%, MidMarket (1K-<5K) 30%, Enterprise (5K+) 45%

Slide 7: Top Challenges Driving Combining Data

• 59% Lack of analysis capabilities in the solutions
• 38% Lack of dashboards
• 37% Lack of reporting capabilities
• 34% Lack of vendor-supplied integration
• 31% Lack of open APIs
• 4% Other

Slide 8: Most Important Business Need for Data Integration

• 25% Prevent breaches
• 20% Respond to breaches
• 16% Analyze attacks
• 14% Confirm indicators of breach
• 13% Predict attacks
• 6% Forensic analysis
• 6% Reporting/monitoring state of security

Slide 9: Least Confidence in Security Control

• 22% Endpoint Prevention
• 17% Endpoint Detection
• 16% Concerned equally with more than one
• 15% Confident in all four areas
• 10% Perimeter Prevention
• 7% Perimeter Detection
• 7% Incident response (breach investigation capabilities)
• 6% Protection (configuration management,…

Slide 10: Which Type of Data is Best to Identify Attacks?

• 41% It really depends upon the type of attack
• 39% Network data
• 20% Endpoint data

Slide 11: Endpoint Program Maturity Definitions

Very Strong
At least 99% of endpoints have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates very few, if any, false positives. The system prevents/detects (as applicable) 99% or greater of the endpoint attacks, including those classified as APT, ATA, or zero-day.

Strong
At least 85% of endpoints have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates only a few false positives. The system prevents/detects (as applicable) 95% or greater of the endpoint attacks, some of which would be those classified as APT, ATA, or zero-day.

Competent
At least 75% of endpoints have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates some but not excessive false positives. The system prevents/detects (as applicable) 90% or greater of the endpoint attacks, some of which could be those classified as APT, ATA, or zero-day.

Slide 12: Network Program Maturity Definitions

Very Strong
At least 99% of the network segments have active prevention and are actively monitored and managed.
AND
The system generates very few, if any, false positives. The system prevents/detects (as applicable) 99% or greater of the network-based attacks.

Strong
At least 85% of the network segments have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates only a few false positives. The system prevents/detects (as applicable) 95% or greater of the network-based attacks.

Competent
At least 75% of network segments have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates some but not excessive false positives. The system prevents/detects (as applicable) 90% or greater of the network-based attacks.

Underdeveloped
Less than 75% of network segments have active prevention/detection (as applicable) and are not necessarily actively monitored and managed.
OR
The system generates an excessive number of false positives. The system prevents/detects (as applicable) no more than 90% of the network-based attacks.

Slide 13: Endpoint & Network Security Detection Program Maturity

Maturity level                                                              Endpoint   Network
Very Strong                                                                   20%        25%
Strong                                                                        47%        46%
Competent                                                                     26%        24%
Underdeveloped                                                                 5%         4%
Endpoint security detection is not a significant focus of our security program  2%         1%

Slide 14: Endpoint & Network Security Prevention Program Maturity

Maturity level                                                               Endpoint   Network
Very Strong                                                                    21%        19%
Strong                                                                         42%        47%
Competent                                                                      28%        27%
Underdeveloped                                                                  7%         6%
Endpoint security prevention is not a significant focus of our security program  2%         1%


Slide 16: Effectiveness of Endpoint and Network Protection Tools

                 Endpoint   Network
Effective          67%        63%
Ineffective        21%        20%
I don't know       11%        17%

Slide 17: Importance of Automation for Prevention

                        Endpoint   Network
Very Important            41%        46%
Important                 44%        39%
Somewhat Important        12%        13%
Somewhat Unimportant       1%         1%
Not Important at All       2%         1%

Slide 18: Importance of Automation for Detection

                        Endpoint   Network
Very Important            50%        51%
Important                 35%        35%
Somewhat Important        12%        13%
Somewhat Unimportant       1%         0%
Not Important at All       2%         1%

Slide 19: Maintaining Historical Data for Behavioral Analysis and Anomaly Detection

Endpoint: We maintain historical data 45%; We do not, but we believe it is important 40%; We do not and do not believe it is necessary 2%; I don't know 13%

Network: 58%, 35%, 7% (only three network values survive on the slide; in the same answer order the first two are "We maintain historical data" and "We do not, but we believe it is important")

Slide 20: Summary: Best Data for Early Detection

• 22% Access logs
• 21% Network security logs (firewall, IDS, DNS, etc.)
• 17% Systems log monitoring (application, server, user changes, etc.)
• 16% Network data (packets, flows, etc.)
• 13% Endpoint change data
• 7% Performance logs
• 4% Other

Slide 21: Data Sources Used for Network Security

• 42% Network flows (NetFlow, IPFIX, etc.)
• 36% Deep packet inspection (DPI)
• 35% Cloud-based API for reporting
• 29% Transaction metrics
• 28% Time series data/device metrics (SNMP, WMI, etc.)
• 2% Other
• 18% I don't know

Slide 22: Endpoint Data Used for Security

• 79% File system changes (new files, permission changes, movement, etc.)
• 52% Successful or failed logins
• 49% Newly installed applications
• 41% Registry changes
• 38% Unidentified/new processes
• 36% Local application logs
• 33% Process to network connection mapping
• 27% New local users
• 26% Disk usage changes

Slide 23: Tools Used to Correlate Network and Endpoint Data

• 46% Log management with custom scripts
• 36% Security incident and event management (SIEM)
• 33% Single-vendor solution with both endpoint and network prevention or detection capabilities
• 32% Vendor-provided APIs to integrate other monitoring/management tools
• 32% Security analytics (UBA, anomaly detection, or predictive analytics)
• 11% We currently do not have the capability and evaluate these data silos separately
• 4% I don’t know

Slide 24: Using Network Data for Security

• 37% Yes, but only for critical investigations
• 30% No, but we would like to/plan to
• 14% Yes, for all investigations
• 3% No, and we have no particular need/interest
• 16% I don't know

Slide 25: Data Integration Approaches Used in Security

• 48% Vendor-driven technology partnerships/integrations
• 37% Vendor-created open APIs
• 37% Third-party integration tools
• 36% In-house created custom integrations
• 23% Third-party analysis of data
• 2% Other

Slide 26: Metadata: Creation and Value

• 79% Collection systems create metadata
• Value of that metadata: Invaluable 15%, Very valuable 69%, Moderately valuable 15%

Slide 27: Full-Time Equivalents Working Security

• 30% <5 FTE
• 32% 6 to 10 FTE
• 19% 11 to 20 FTE
• 19% >20 FTE

Slide 28: FTE Applied to Event Investigation per Day

• 34% 1-4 (> 1 FTE)
• 24% 5-8 (approximately 1 FTE)
• 30% 9-24 (1-3 FTE)
• 9% 25-40 (>3 to <=5 FTE)
• 2% 41-80 (>5 to <=10 FTE)
• 1% 81+ (more than 10 FTE)

Slide 29: Alert Volume per Day

• 60% <100 alerts/day
• 40% >=100 alerts/day

Slide 30: Severe/Critical Alert Volume per Day

• 50% <=25
• 23% 26-99
• 15% 100-499
• 7% 250-499
• 5% 500-999
• 0% >=1,000

Slide 31: Severe/Critical Alerts Investigated per Day

• 67% 10 or fewer
• 21% 11-25
• 6% More than 25
• 6% We don't generally investigate security alerts

Slide 32: Network Strengths and Weaknesses

• Strengths
  • Early warning of a network-based attack
  • Attack telemetry
  • Payload dissection/determination
  • Identification of lateral movement (if sensors are placed where they can monitor the traffic)
• Weaknesses
  • Limited deployment at the perimeter hampers internal visibility.
  • They provide no warning of attacks that start on the endpoint (e.g. removable media).
  • Cannot provide insight if packets are encrypted.
  • Dormant or “triggered” attacks may not be detected by network sandboxes.
  • May provide “indeterminate” attack success when used alone.

Slide 33: Endpoint Strengths and Weaknesses

• Strengths
  • Provides detailed data:
    • Application installation and process changes
    • Registry/configuration changes, file changes, and data moves
    • User additions, removals, and permission changes
    • Process association with network connections
• Weaknesses
  • Data can be very compartmentalized, so trends may be missed.
  • Missing or failing agents cause visibility gaps.
  • Gaps in scanning or polling cause visibility gaps.
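The two slides above argue that network data alone leaves attack success "indeterminate" while endpoint data supplies the process behind a connection but goes dark when an agent is missing. The following Python is an added example, not code from the EMA deck: it joins constructed NetFlow-style records to constructed endpoint process-to-connection events on the 5-tuple within a time window, so each flow becomes either a confirmed finding (process and user known) or an indeterminate one (the visibility gap). All hosts, ports, process names and timestamps are constructed.

```python
"""Join NetFlow-style flow records to endpoint process-to-connection events.
Added example with constructed data; nothing here comes from the EMA report."""
from typing import NamedTuple, Optional

class Flow(NamedTuple):          # NetFlow/IPFIX-style record from a collector
    ts: float; src: str; sport: int; dst: str; dport: int; proto: str

class EndpointConn(NamedTuple):  # agent event: local socket -> owning process
    ts: float; host_ip: str; lport: int; rip: str; rport: int; proto: str
    image: str; user: str

class Finding(NamedTuple):
    flow: Flow
    fidelity: str                # "confirmed" (process known) or "indeterminate"
    image: Optional[str] = None
    user: Optional[str] = None

def correlate(flows, conns, window_s=5.0):
    """One Finding per flow: join on the 5-tuple, nearest event within window_s.
    Flows with no endpoint event stay 'indeterminate': the network-only gap
    (agent missing or failing) the slides call out."""
    by_tuple = {}
    for c in conns:
        by_tuple.setdefault((c.host_ip, c.lport, c.rip, c.rport, c.proto), []).append(c)
    out = []
    for f in flows:
        cands = by_tuple.get((f.src, f.sport, f.dst, f.dport, f.proto), [])
        hit = min(cands, key=lambda c: abs(c.ts - f.ts), default=None)
        if hit is not None and abs(hit.ts - f.ts) <= window_s:
            out.append(Finding(f, "confirmed", hit.image, hit.user))
        else:
            out.append(Finding(f, "indeterminate"))
    return out

def summarize(findings):
    """Count findings by fidelity so the visibility gap is visible at a glance."""
    counts = {"confirmed": 0, "indeterminate": 0}
    for fnd in findings:
        counts[fnd.fidelity] += 1
    return counts

# Constructed sample: host .5 has an agent that reported its socket; host .7 has
# no agent event at all; the third flow's agent event is outside the window.
FLOWS = [
    Flow(1000.0, "10.0.0.5", 51000, "203.0.113.9", 443, "tcp"),
    Flow(1001.0, "10.0.0.7", 51001, "203.0.113.9", 443, "tcp"),
    Flow(1200.0, "10.0.0.5", 51002, "203.0.113.9", 443, "tcp"),
]
CONNS = [
    EndpointConn(999.5, "10.0.0.5", 51000, "203.0.113.9", 443, "tcp", "chrome.exe", "alice"),
    EndpointConn(1100.0, "10.0.0.5", 51002, "203.0.113.9", 443, "tcp", "chrome.exe", "alice"),
]
```

Widening `window_s` turns the late third event into a confirmation, which is the trade-off between clock skew tolerance and mis-attributing a reused ephemeral port.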

Slide 34: Summary

• Overconfidence in prevention
• Overconfidence in the security programs
• Focusing on the wrong data
• Lack of tools (and people)
• Task and analysis automation are key for success
• Too many alerts to manually investigate
• Both sets of data are valuable but have gaps
• Need to get out of data silos
• Need better analysis capability using combined data

Slide 35: Questions?

Get the Full Report: http://bit.ly/1mKekfd