Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data
TRANSCRIPT
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
David Monahan, Enterprise Management Associates
Research Director, Security and Risk Management
Twitter: @SecurityMonahan
Achieving Hi-Fidelity Security
by Combining Packet and
Endpoint Data
Featured Speaker
David Monahan, Research Director, Risk and Security
David is a senior information security executive with several
years of experience. He has organized and managed both
physical and information security programs, including
security and network operations (SOCs and NOCs) for
organizations ranging from Fortune 100 companies to local
government and small public and private companies.
Slide 2 © 2016 Enterprise Management Associates, Inc.
Logistics for Today’s Webinar
• An archived version of the event recording will be
available at www.enterprisemanagement.com
• Log questions in the Q&A panel located on
the lower right corner of your screen
• Questions will be addressed during the Q&A
session of the event
Sponsors
Report Demographics
• 225 Respondents
• Industries: Education, Finance/Banking, Health care/Pharma, High Tech, Retail, Manufacturing
• Organization size:
  25%  SMB (<1K)
  30%  MidMarket (1K to <5K)
  45%  Enterprise (5K+)
Top Challenges Driving Combining Data
59%  Lack of analysis capabilities in the solutions
38%  Lack of dashboards
37%  Lack of reporting capabilities
34%  Lack of vendor-supplied integration
31%  Lack of open APIs
 4%  Other
Most Important Business Need for Data Integration
25%  Prevent breaches
20%  Respond to breaches
16%  Analyze attacks
14%  Confirm indicators of breach
13%  Predict attacks
 6%  Forensic analysis
 6%  Reporting/monitoring state of security
Least Confidence in Security Control
22%  Endpoint Prevention
17%  Endpoint Detection
16%  Concerned equally with more than one
15%  Confident in all four areas
10%  Perimeter Prevention
 7%  Perimeter Detection
 7%  Incident response (breach investigation capabilities)
 6%  Protection (configuration management,…
Which Type of Data is Best to Identify Attacks?
41%  It really depends upon the type of attack
39%  Network data
20%  Endpoint data
Endpoint Program Maturity Definitions
Very Strong
At least 99% of endpoints have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates very few, if any, false positives. The system prevents/detects (as applicable) 99% or greater of the endpoint attacks, including those
classified as APT, ATA, or zero-day.
Strong
At least 85% of endpoints have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates only a few false positives. The system prevents/detects (as applicable) 95% or greater of the endpoint attacks, some of which would
be those classified as APT, ATA, or zero-day.
Competent
At least 75% of endpoints have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates some but not excessive false positives. The system prevents/detects (as applicable) 90% or greater of the endpoint attacks, some of
which could be those classified as APT, ATA, or zero-day.
Network Program Maturity Definitions
Very Strong
At least 99% of the network segments have active prevention and are actively monitored and managed.
AND
The system generates very few, if any, false positives. The system prevents/detects (as applicable) 99% or greater of the network-based attacks.
Strong
At least 85% of the network segments have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates only a few false positives. The system prevents/detects (as applicable) 95% or greater of the network-based attacks.
Competent
At least 75% of network segments have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates some but not excessive false positives. The system prevents/detects (as applicable) 90% or greater of the network-based attacks.
Underdeveloped
Less than 75% of network segments have active prevention/detection (as applicable) and are not necessarily actively monitored and managed.
OR
The system generates an excessive number of false positives. The system prevents/detects (as applicable) no more than 90% of the network-based attacks.
Endpoint & Network Security Detection Program Maturity
                                                   Endpoint  Network
Very Strong                                          20%      25%
Strong                                               47%      46%
Competent                                            26%      24%
Underdeveloped                                        5%       4%
Detection is not a significant focus of our program   2%       1%
Endpoint & Network Security Prevention Program Maturity
                                                    Endpoint  Network
Very Strong                                           21%      19%
Strong                                                42%      47%
Competent                                             28%      27%
Underdeveloped                                         7%       6%
Prevention is not a significant focus of our program   2%       1%
Effectiveness of Endpoint and Network Protection Tools
               Endpoint  Network
Effective        67%      63%
Ineffective      21%      20%
I don't know     11%      17%
Importance of Automation for Prevention
                        Endpoint  Network
Very Important            41%      46%
Important                 44%      39%
Somewhat Important        12%      13%
Somewhat Unimportant       1%       1%
Not Important at All       2%       1%
Importance of Automation for Detection
                        Endpoint  Network
Very Important            50%      51%
Important                 35%      35%
Somewhat Important        12%      13%
Somewhat Unimportant       1%       0%
Not Important at All       2%       1%
Maintaining Historical Data for Behavioral Analysis and Anomaly Detection
                                                Endpoint  Network
We maintain historical data                       45%      58%
We do not, but we believe it is important         40%      35%
We do not and do not believe it is necessary       2%       7%
I don't know                                      13%       (not shown)
The slide lists only three values for the network series (58%, 35%, 7%); it does not show which of the last two responses the 7% belongs to.
Summary: Best Data for Early Detection
22%  Access logs
21%  Network security logs (firewall, IDS, DNS, etc.)
17%  System log monitoring (application, server, user changes, etc.)
16%  Network data (packets, flows, etc.)
13%  Endpoint change data
 7%  Performance logs
 4%  Other
Data Sources Used for Network Security
42%  Network flows (NetFlow, IPFIX, etc.)
36%  Deep packet inspection (DPI)
35%  Cloud-based API for reporting
29%  Transaction metrics
28%  Time series data/device metrics (SNMP, WMI, etc.)
 2%  Other
18%  I don't know
Endpoint Data Used for Security
79%  File system changes (new files, permission changes, movement, etc.)
52%  Successful or failed logins
49%  Newly installed applications
41%  Registry changes
38%  Unidentified/new processes
36%  Local application logs
33%  Process to network connection mapping
27%  New local users
26%  Disk usage changes
Tools Used to Correlate Network and Endpoint Data
46%  Log management with custom scripts
36%  Security information and event management (SIEM)
33%  Single-vendor solution with both endpoint and network prevention or detection capabilities
32%  Vendor-provided APIs to integrate other monitoring/management tools
32%  Security analytics (UBA, anomaly detection, or predictive analytics)
11%  We currently do not have the capability and evaluate these data silos separately
 4%  I don't know
Using Network Data for Security
37%  Yes, but only for critical investigations
30%  No, but we would like to/plan to
14%  Yes, for all investigations
 3%  No, and we have no particular need/interest
16%  I don't know
Data Integration Approaches Used in Security
48%  Vendor-driven technology partnerships/integrations
37%  Vendor-created open APIs
37%  Third-party integration tools
36%  In-house created custom integrations
23%  Third-party analysis of data
 2%  Other
Metadata: Creation and Value
79%  Collection systems create metadata
Value placed on that metadata:
15%  Invaluable
69%  Very valuable
15%  Moderately valuable
Full-Time Equivalents Working Security
30%  <5 FTE
32%  6 to 10 FTE
19%  11 to 20 FTE
19%  >20 FTE
FTE Applied to Event Investigation per Day (person-hours per day, with FTE equivalent)
34%  1-4 (<1 FTE)
24%  5-8 (approximately 1 FTE)
30%  9-24 (1-3 FTE)
 9%  25-40 (>3 to <=5 FTE)
 2%  41-80 (>5 to <=10 FTE)
 1%  81+ (more than 10 FTE)
Alert Volume per Day
60%  <100 alerts/day
40%  >=100 alerts/day
Severe/Critical Alert Volume per Day
50%  <=25
23%  26-99
15%  100-249
 7%  250-499
 5%  500-999
 0%  >=1,000
Severe/Critical Alerts Investigated per Day
67%  10 or fewer
21%  11-25
 6%  More than 25
 6%  We don't generally investigate security alerts
Network Strengths and Weaknesses:
• Strengths
• Early warning of a network-based attack
• Attack telemetry
• Payload dissection/determination
• Identification of lateral movement (only if sensors are placed where they can see the internal, east-west traffic)
• Weaknesses
• Deployment that is limited to the perimeter hampers internal visibility.
• No warning of attacks that start on the endpoint (e.g. via removable media).
• Cannot inspect payloads when packets are encrypted; only flow metadata (addresses, ports, volumes, timing) remains usable.
• Dormant or "triggered" attacks may not be detected by network sandboxes.
• May give an "indeterminate" verdict on whether an attack succeeded when used alone.
Endpoint Strengths and Weaknesses:
• Strengths
• Provides detailed data:
Application installation and process changes
Registry/configuration changes, file changes, and data moves
User additions, removals, and permission changes
Process association with network connections
• Weaknesses
• Data is compartmentalized per host, so cross-host trends may be missed.
• Missing or failing agents cause visibility gaps.
• Gaps in scanning or polling cause visibility gaps.
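The two slides above describe complementary blind spots: network sensors see the traffic but not which process or user produced it, and endpoint agents see the process but only on hosts where the agent is present and working. The script below is an added example written for this summary (it is not code from EMA or from any vendor in the deck). It joins flow records (standing in for NetFlow/IPFIX) to endpoint process-to-connection events (the kind an EDR agent or Sysmon's network-connection event produces) on the source/destination address and port key within a time window, attributes each flow to a process and user, flags a process that is not expected on that destination port, and lists hosts that appear on the wire but never report endpoint telemetry, which is the missing-agent gap made visible by the network data. The sample records, the 5-second join window, and the port-to-process policy are all constructed assumptions.

```python
"""Correlate network flow records with endpoint process-to-connection events.

Added example; all sample data is constructed and the port-to-process
expectations are an assumed policy, not a published list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime          # flow start as seen by the collector
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_out: int


@dataclass(frozen=True)
class EndpointConn:
    ts: datetime          # time the agent logged the connection
    ip: str               # host's local address (joins to Flow.src_ip)
    src_port: int
    dst_ip: str
    dst_port: int
    process: str
    user: str


# Assumed policy: processes expected to talk on these destination ports.
EXPECTED_PROCESSES = {
    443: {"chrome.exe", "outlook.exe", "svchost.exe"},
    53: {"svchost.exe"},
}


def correlate(flows, events, window=timedelta(seconds=5)):
    """Join each flow to the endpoint event with the same
    (src ip, src port, dst ip, dst port) key that is closest in time
    within `window`. Returns [(flow, event_or_None), ...] in flow order."""
    index = {}
    for ev in events:
        index.setdefault((ev.ip, ev.src_port, ev.dst_ip, ev.dst_port), []).append(ev)
    joined = []
    for f in flows:
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        near = [ev for ev in index.get(key, []) if abs(ev.ts - f.ts) <= window]
        best = min(near, key=lambda ev: abs(ev.ts - f.ts), default=None)
        joined.append((f, best))
    return joined


def agent_gaps(flows, events):
    """Hosts that appear as flow sources but never report any endpoint event:
    the 'missing or failing agent' weakness, surfaced by the network data."""
    reporting = {ev.ip for ev in events}
    return {f.src_ip for f in flows} - reporting


def findings(flows, events):
    """Return a list of (flow, verdict, detail) tuples, one per flow."""
    gaps = agent_gaps(flows, events)
    out = []
    for f, ev in correlate(flows, events):
        if ev is None:
            if f.src_ip in gaps:
                out.append((f, "NO_ENDPOINT_TELEMETRY",
                            f"{f.src_ip} seen on the wire but reports no endpoint events"))
            else:
                out.append((f, "UNATTRIBUTED",
                            f"{f.src_ip} has an agent but logged no process for this connection"))
            continue
        expected = EXPECTED_PROCESSES.get(f.dst_port)
        if expected is not None and ev.process.lower() not in expected:
            out.append((f, "UNEXPECTED_PROCESS",
                        f"{ev.process} ({ev.user}) sent {f.bytes_out} bytes to {f.dst_ip}:{f.dst_port}"))
        else:
            out.append((f, "ATTRIBUTED", f"{ev.process} ({ev.user})"))
    return out


# Constructed sample data; remote addresses are RFC 5737 documentation ranges.
T0 = datetime(2016, 3, 1, 9, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0, "10.0.0.5", 51000, "203.0.113.10", 443, 12_000),
    Flow(T0 + timedelta(seconds=60), "10.0.0.5", 51001, "198.51.100.7", 443, 900_000),
    Flow(T0 + timedelta(seconds=120), "10.0.0.9", 44000, "203.0.113.10", 443, 4_000),
    Flow(T0 + timedelta(seconds=180), "10.0.0.5", 51002, "203.0.113.20", 443, 2_500),
]
SAMPLE_EVENTS = [
    EndpointConn(T0 + timedelta(seconds=1), "10.0.0.5", 51000, "203.0.113.10", 443, "chrome.exe", "alice"),
    EndpointConn(T0 + timedelta(seconds=61), "10.0.0.5", 51001, "198.51.100.7", 443, "notepad.exe", "alice"),
]

if __name__ == "__main__":
    for f, verdict, detail in findings(SAMPLE_FLOWS, SAMPLE_EVENTS):
        print(f"{f.ts:%H:%M:%S} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}  {verdict}: {detail}")
```

The join deliberately uses only the address/port key and timing, so it still works when the payload is encrypted; the process and user come from the endpoint side. In production the clocks of the collector and the agents must be aligned (NTP) for the join window to be trustworthy, and an UNATTRIBUTED verdict on a host that does have an agent is itself worth alerting on, since it can indicate a process the agent did not see.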
Summary:
• Over Confidence in Prevention
• Over Confidence in the Security Programs
• Focusing on the Wrong Data
• Lack of Tools (and people)
• Task and Analysis Automation are Key for Success
• Too many alerts to manually investigate
• Both Sets of Data are Valuable but Have Gaps
• Need to get out of Data Silos
• Need better analysis capability using combined data
Questions?
Get the Full Report: http://bit.ly/1mKekfd