Daniel Tucci – RSM DACH & Italy

Presenter notes
Cover page.

© 2016 / Confidential 2

About Securonix

Company Background
• Founded 2008 – Pioneers in UEBA and Big Data Security Analytics
• 300+ employees, worldwide offices
• 200+ customers, globally across industry verticals

Solutions
• Securonix User Entity Behavior Analytics (UEBA Bolt)
• SNYPR Security Analytics (Next Gen SIEM)
• SNYPR Security Enterprise Data Lake (Next Gen Log Mgmt.)

Recent Patents
• Behavior anomaly detection for identification of malicious activity
• Risk scoring for threat analytics
• Anomaly detection using adaptive behavioral profiles

Industry Recognition / Analyst Recognition
• #1 in UEBA Market Share and Market Inquiries
• SNYPR ranked as a strong performing SIEM in the Forrester Wave

Presenter notes
Securonix is a leader in the User Behavior Analytics space. We have been doing this since 2008, longer than any other competitor. We are growing rapidly and have a global presence, including offices worldwide. We have 200+ customers worldwide, including GE, Exxon, Citi and Morgan Stanley. Two products: UEBA and Big Data Security Analytics. We use patented technology with several issued patents. We have been recognized in the industry for innovation and products. UEBA – most mature UEBA solution; Security Analytics; Security Enterprise Data Lake – Log Management v2.0. Analyst recognition: add.


Sample Customers by Vertical Market
• Global FS
• Insurance
• Regional FS
• Systems Integrators
• Life Sciences
• Manufacturing
• Healthcare
• Retail
• Utilities, Oil & Gas
• Communications
• Government
• Other

Industry Recognition
• #1 Security Analytics Platform Solution
• #1 UEBA Solution
• SC Magazine Innovator of the Year Award 2016
• InfoSecurity Grand Trophy Winner 2016
• Golden Bridge Grand Trophy Winner 2016


UEBA Key Takeaways

• Gartner estimates the SIEM market is worth over $2 billion
• Gartner also states the SIEM market will eventually cross over with the UEBA market
• This year (2017) the UEBA market will be worth $200 million
• Securonix is the most mature UEBA vendor on the market with 75% market share (revenue)
• Most enterprises will look to add a UEBA product to enhance their SIEM in the next 2 years
• UEBA is a pure SECURITY play that focuses on 4 main things:
  • Insider Threat
  • Cyber Threat
  • Fraud (financial or data misuse)
  • Compliance
• Securonix is a platform rather than a point solution, so the customer can build their own use cases or leverage our existing threat models – very important for a lot of customers, especially around fraud
• Not to be confused with other products such as:
  • Network Analytics – Darktrace, Rapid7, Microsoft ATA
  • Endpoint Analytics – Nexthink, Sophos, Systrack (Lakeside)
• Securonix and UEBA can provide an ROI for all SIEM customers – making a UEBA business case easy

Presenter notes
Pain points of the existing approach:
• Data and information siloes
• Proprietary data store
• Expensive and limited data retention
• Signature-based threat detection
• Too many false positives
• Weak visualization and investigation capabilities


Introduction

UEBA – User and Entity Behaviour Analytics – is an innovative approach to security monitoring and operations that uses machine learning and advanced analytics to provide real-time detection of advanced threats to organisations, to simplify the investigation workflow while reducing false positives and irrelevant data, and to add valuable context such as threat intelligence, user identity and geolocation.

Overview of UEBA

• UEBA technology is maturing and UEBA use cases are becoming standardised. Most organisations are looking for better detection of account compromise, system compromise, data leak and insider threats, and they want to gain better insight into their environment.

• Today, large enterprises often buy UEBA to improve insider threat and/or data theft detection. Smaller organisations increasingly see it as a SIEM alternative, relying on vendor-provided algorithms instead of SIEM rules.


Old vs New School Security Analytics

Old School – Rule Based
• SIEM Broad-Scope Monitoring
• Intrusion Detection and Prevention
• Data Loss Prevention via Keywords
• Identity Access Management
• Endpoint Protection Platforms

New School – Analytics
• UEBA Broad-Scope Analytics
• Data Exfiltration Analytics
• Endpoint Detection and Response
• Network Traffic Analytics
• Identity Analytics


UEBA vs SIEM

Detection Logic
  SIEM today: Mostly expert-written rules, basic statistics and thresholds
  UEBA today: Machine learning and advanced analytics

Use Case Focus
  SIEM today: Broad set of use cases across security and compliance
  UEBA today: Mostly user-activity-related use cases

Types of Data Analyzed
  SIEM today: Mostly IT infrastructure data
  UEBA today: Non-IT data analysis common – application data, user role, and data from SIEM

Common Analysis Timeframe
  SIEM today: Real time, short term
  UEBA today: Long term, historical

Threats Detected
  SIEM today: Mostly known, even if "known unknowns"
  UEBA today: Mostly unknown, and sometimes "unknown unknowns"

Context Data
  SIEM today: Optionally collects limited context data
  UEBA today: Collects extensive user context data; can be used to create context data

Typical Licensing Model
  SIEM today: By log volume (EPS) or by log source count
  UEBA today: By user account or entity count


Securonix

Securonix UEBA – pioneer in the UEBA space (founded 2008) with an architecture based on two platforms and multiple solution modules covering business applications such as Insider Threat, Fraud and Cyber Security analytics. We leverage an advanced combination of statistical models, unsupervised and supervised machine learning, fuzzy logic and deep learning.

Our product set comprises:

• Securonix UEBA for enterprise deployment (Bolt)
• Securonix SNYPR: a Hadoop-based platform for security data collection and analysis with modular log management, SIEM and UEBA capabilities, offering long-term data retention as well as big data scalability
• Securonix SNYPR Enterprise Data Lake

• Over 150 successful deployments delivering results on use cases such as:
  • Insider Threat: finding malicious and accidental events
  • Performing deep custom application monitoring and analytics
  • Data theft detection
  • Identifying account compromise


Why Securonix

• Quick value through ease of deployment with Securonix UEBA Bolt. Over 1000 threat models available covering insider threat, cyber threat and fraud

• Ability to match users to accounts and emails, to dynamically associate IP addresses with users, and to pivot on findings, enhancing the investigation workflow and reducing time to analyse

• Ability to grow use cases and data sources beyond the existing SIEM, with over 400 out-of-the-box connectors for data ingestion and techniques such as API, Syslog, database, files, custom cloud API, unstructured data and Hadoop. Fully extensible platform.

• Technology leverages advanced analytics to apply super enrichment to events: geolocation, user and entity and threat context, with the added value of integration with major identity stores and HR systems, SAP and cloud

• A strong and experienced consulting practice for implementation and optimization of UEBA deployments, plus forums, a community and an extensive training offer

• Customers in production since 2011. Over 150 current deployments.
• Exponential scalability with a Hadoop backend extending capacity to 10+ TB of data per day


Customer/Project Profile

• CUSTOMER has 80,000 users who are being monitored for data exfiltration

• Has a moderately high attrition rate (18-20%)

• Securonix has been in use since March 2016

• Key business driver: the firm was losing data with no control or visibility

• A phased approach was taken to enable monitoring location-wide

• Environment is porous and relaxed

• Project sponsor is CUSTOMER's Chief Confidentiality Officer

• Securonix and CUSTOMER built a partnership which adds value and accelerates adoption


Implementation Overview

Technical/Virtual Indicators
• Ironport (email gateway logs)
• Palo Alto (proxy)
• Symantec DLP (email, USB, web upload, print)
• SharePoint

Non-Technical/Non-Virtual Indicators
• Employee performance data
• Lost/stolen devices
• Background investigation flags
• Finance violations watch list
• Fed projects / sensitive MO
• HR data

Target: users with intent exfiltrating data


Findings Summary

FACTS:
• 530 cases have been opened since March 1st 2016.
• 416 cases have been closed as true infractions.
• The analysts said they are tracking 85% accuracy – case escalated vs. true incident.

• Users are constantly taking files when they are about to leave the organisation.

• Data is exfiltrated on the day of departure or up to 60 days prior.

• Email seems to be the most popular egress vector, followed by HTTP uploads, mostly Google Drive and Dropbox.

• People take files that they worked on because they feel entitled.

• Proprietary info is co-mingled with personal data when exfiltrated.

• Non-technical indicators are providing additional context to the investigations team.

• Flight-risk user checks work. E.g. an employee talking to other employers has been detected.

• Amount-based checks work. E.g. users are being flagged for large volumes of USB writes.
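As an added illustration (not from the deck and not Securonix's product code), the amount-based and flight-risk checks above combined into a per-user risk score: each user's USB write volume is compared against their own adaptive baseline, and departure-window and flight-risk context from HR raise the score. The sample events, the 60-day window, the z-score threshold and the score weights are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample USB-write events from a DLP feed: (user, day, bytes written)
USB_EVENTS = [
    ("alice", date(2016, 5, 1), 2_000_000), ("alice", date(2016, 5, 2), 3_000_000),
    ("alice", date(2016, 5, 3), 2_500_000), ("alice", date(2016, 5, 4), 2_000_000),
    ("alice", date(2016, 5, 5), 95_000_000),   # sudden large copy, far above her norm
    ("bob", date(2016, 5, 1), 50_000_000), ("bob", date(2016, 5, 2), 48_000_000),
    ("bob", date(2016, 5, 3), 52_000_000), ("bob", date(2016, 5, 4), 51_000_000),
    ("bob", date(2016, 5, 5), 53_000_000),     # high in absolute terms, normal for him
]
# Constructed HR context: scheduled last working day and a flight-risk flag
HR_CONTEXT = {
    "alice": {"last_day": date(2016, 6, 20), "flight_risk": True},
    "bob": {"last_day": None, "flight_risk": False},
}

def daily_totals(events, user):
    """Sum bytes written per day for one user, oldest day first."""
    totals = defaultdict(int)
    for u, day, nbytes in events:
        if u == user:
            totals[day] += nbytes
    return dict(sorted(totals.items()))

def score_user(user, events, hr, today, z_limit=3.0):
    """Return (risk_score, reasons) for the user's most recent day of USB activity."""
    totals = daily_totals(events, user)
    days = list(totals)
    history, latest = [totals[d] for d in days[:-1]], totals[days[-1]]
    mu, sigma = mean(history), pstdev(history)
    score, reasons = 0, []
    # Adaptive profile: the threshold is relative to this user's own history,
    # so a heavy but steady user (bob) is not flagged while a spike (alice) is.
    if sigma > 0 and (latest - mu) / sigma > z_limit:
        score += 50
        reasons.append(f"usb volume {latest} vs baseline mean {mu:.0f}")
    ctx = hr.get(user, {})
    if ctx.get("last_day") and 0 <= (ctx["last_day"] - today).days <= 60:
        score += 30  # within the 60-day pre-departure window seen in the findings
        reasons.append("departure within 60 days")
    if ctx.get("flight_risk"):
        score += 20
        reasons.append("flight-risk flag")
    return score, reasons

def run_demo(today=date(2016, 5, 5)):
    """Score every user in the constructed dataset as of the given day."""
    return {u: score_user(u, USB_EVENTS, HR_CONTEXT, today) for u in ("alice", "bob")}

if __name__ == "__main__":
    for user, (score, reasons) in run_demo().items():
        print(user, score, reasons)
```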


Securonix Insider Threat Detection - ROI Indicators

Columns: # / Metrics quantification / Description / Example / ROI measure type

1. Business process improvements
Description: As a result of the monitoring and detection results seen, Securonix helps to identify gaps in existing data sources and monitoring controls, so organisations are able to address those gaps, resulting in better detection mechanisms overall.
Example:
• Writing additional rules in DLP to expand deep packet inspection.
• On-boarding a new email gateway solution because the existing one is limited in the data attributes it can provide or is not scaling.
ROI measure type: Intangible – soft ROI

2. Information technology use policy changes
Description: As a result of data exfiltration activity monitoring in Securonix, changes are made to how employees should use the firm's assets and systems.
Example:
• Introducing a plant-wide IT policy to stop USB usage because high exfiltration activity was noticed with USB transfers. As a result of this policy enactment, users were given USB access only with a proper business need and justification. Metrics and cases from Securonix are used as evidence with policy makers to drive changes.
• Blocking uncategorized URLs because users use uncategorized sites that have file upload capability to take data out.
ROI measure type: Intangible – soft ROI

3. Employee / contractor on-boarding and off-boarding policy changes
Description: Based on the behaviours of employees leaving the organisation observed in Securonix, HR makes changes to their on-boarding and off-boarding agreements/procedures to strengthen their language around how employees should handle firm property (documents) during their tenure and when they leave.
Example: Many times employees take those documents which they worked on during the company's time and dime, with a sense of entitlement that they own it because they created it. Evidence from Securonix is presented to HR/Ethics/Confidentiality organisations to drive this policy change.
ROI measure type: Intangible – soft ROI

4. Number of documents retrieved post exfiltration
Description: When data exfiltration is detected just before or after a person leaves an organisation, organisations reach out to them asking them to return the documents, hence preventing further distribution or usage of those documents.
Example: In some instances, at a large Big 4 company and at an investment company, HR and legal teams reached out to the employee after termination to have them return the sensitive documents or sometimes even delete the documents. They use evidence from Securonix to work with legal/HR to take legal action if the terminated employee does not comply.
ROI measure type: Tangible – measured by number of documents retrieved

5. Number of employees terminated post exfiltration activity
Description: Employees / contractors are terminated due to IP theft. The user here has malicious intent.
Example: Any user stealing highly sensitive data. Law enforcement referrals on this malicious act could also result in ROI to the organisation dealing with the situation.
ROI measure type: Tangible – measured by number of employees terminated

6. Number of employees warned post exfiltration activity
Description: The employee's motive is not malice but rather complacency or ignorance resulting in data exfiltration activity.
Example:
• A user copying sensitive data to an unencrypted USB device against company policy
• A user renaming file extensions to bypass existing DLP / email gateway controls
ROI measure type: Tangible – measured by number of employees warned

7. Decommissioning previous / outdated technologies or augmenting existing tools
Description: Securonix is used to replace an existing user activity monitoring tool due to its limitations. Also, Securonix enhances the DLP tool investments an organisation has made.
Example:
• Securonix replaces Splunk due to limited detection capabilities and features.
• Securonix drastically reduces the number of alerts generated by Vontu by applying behaviour analytics, threat models and prioritization of alerts.
ROI measure type: Tangible – reduction in cost/time of staff working on the previous technology compared with the time/cost reduced through efficiencies gained with Securonix