Intelligent incident response: protecting your organization
DESCRIPTION
This presentation provides an overview of an Economist Intelligence Unit survey, sponsored by Arbor Networks, that delves into incident response. In this presentation, you will learn how prepared (or not) other organizations are for an incident, alongside best practices for intelligent incident response to best protect your organization in the future.
TRANSCRIPT
Intelligent incident response: Protecting your organisation
EUROPE
Darren Anstee, 29/04/14
Company logo
EUROPE, 29 April - 01 May 2014, Earls Court, London, UK
§ An Economist Intelligence Unit (EIU) report, sponsored by Arbor Networks.
- Intended to gauge the level of corporate preparedness for data-related incidents
§ Data Sources:
- 360 survey respondents, 73% C-Level.
- In-depth interviews with key individuals
Incident Frequency
[Chart: percentage of respondents reporting More, Less, Same or None incident frequency, for Overall, North America, Europe and APAC]
Incidents ARE Increasing in Frequency
http://www.arbornetworks.com/ciso/eiureport
How Prepared are You?
[Chart: percentage of respondents Not at all Prepared, Somewhat Unprepared, Somewhat Prepared or Fully Prepared, for Overall, With Incident Response Plan and Without Incident Response Plan]
Cost
• Business Disruption
• Loss of Customer Trust
Threats On Corporate Network
[Chart, axis 0-60: Advanced Persistent Threat, Botted or Compromised Hosts, Under-capacity for bandwidth, Industrial Espionage, Malicious Insider, Other]
How are threats getting through?
• Huge number of 'ways in'
– Drive By Download
– SPAM/Phishing
– Watering Hole
– USB
• Leveraging vulnerabilities in:
– JavaScript
– Java applets
– Compound Documents
– Anything Adobe
• Many Threat Vectors
- New AND Old
- IPS / AV Limited coverage
- Patching lag
What New Threats? Just New Techniques!
• Attackers will always choose to obfuscate vs. finding a new attack vector
What does JavaScript Obfuscation Look Like?
And in the Real World...
Bot Builder with Anti-Detection
Cyber Crime Service Industry
• Crypters bypass anti-malware and other security solutions
• DDoS bots, banking trojans, password stealers, ransomware ("blockers"), etc.
• Crypter service - $20 per bot, cyber-crime service industry
Lots of Methods and Mechanisms... and Guidance
Alert Fatigue
• At Boston Medical Center they were experiencing 12,000 alarms a day, on average. That kind of cacophony was producing a growing problem known as "alarm fatigue."
– "Alarm fatigue is when there are so many noises on the unit that it actually desensitizes the staff"
So, how do we get 'better' at this?
• Actionable Threat Intelligence – Use the expertise within vendors and integrators to maximise our own effectiveness
• Broad Visibility – Monitor within the network, not just at the perimeter
• Deep Visibility – Packet capture and threat detection at key network locations.
• Workflow – Solutions that fit into an IR workflow and enable personnel and processes.
Actionable Threat Intelligence - Reputation
• Can be VERY effective, if it is derived in the right way...
– Granular data to prevent false positives / negatives
• IP address and port, not just address
• Layer 7 Hostnames, URLs etc.
– Data based on in-depth research and monitoring
• Not just attack behavior
– Historical context for confidence
• Understanding of threat 'family' + confidence
[Diagram: threat families CnC, Phishing, DriveBy, with Variant 1 and Variant 2]
Active Campaigns: Gameover Zeus, ZeroAccess, Citadel, DarkComet, Simda, Gh0strat, Shylock, Ramnit, Xtreme RAT, Ponmocup, Cridex, NetTraveler, Carberp, Bifrost, Hangover, Pony, PoisonIvy, Taidoor, Specifix, Spyeye
Broad Visibility - Flow
• Leverage Flow technologies for:
– Cost-effective, scalable visibility
– Layer 3/4 picture of internal network
– Who talks to who, when and how much
• Develop a model of normal network / user behavior
• Build policy/visibility around user-identity
• Correlate
– With actionable threat intelligence
– Detect suspicious or malicious activities wherever they occur
Deep Visibility - Packet Capture
• Use high-speed packet capture for deeper visibility
• Monitor for specific threats at network / data-centre edge.
• Store forensic data for interactive, retrospective analysis
• Investigate scope of compromise / kill chain
• Correlate (repeatedly)
– With actionable threat intelligence
Deep Visibility - Packet Capture
• Correlate (repeatedly)
– With actionable threat intelligence
[Timeline diagram: Month 1 Traffic | Month 2 Traffic | Month 3 Traffic]
- Zero Day attack here
- Intelligence update without signature for the Zero Day attack: All Traffic Correlated - Zero Day not found
- Intelligence updates INCLUDING signature for the Zero Day attack: All Traffic Correlated - Zero Day FOUND
- Detection capability updates occur at different times. Stored traffic can be correlated with updated threat intelligence.
- Now that the Zero Day attack has been identified, the attack timeline can be established.
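The retrospective correlation the timeline describes, together with the IP-and-port granularity and confidence scoring from the reputation slide, as an added Python example that is not part of the presentation or any Arbor product; every indicator, address and flow record in it is constructed.

```python
# Added example (not from the presentation): correlate stored flow records
# against a reputation feed, then re-run when the feed is updated.
# All indicators, addresses and flow records below are constructed samples.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Indicator:
    ip: str
    port: Optional[int]  # None = any port; a port makes the match more granular
    family: str          # threat family, e.g. CnC, Phishing
    confidence: int      # 0-100, from the feed's historical context

@dataclass(frozen=True)
class Flow:
    ts: str    # ISO timestamp from the stored traffic
    src: str
    dst: str
    dport: int

def matches(ind: Indicator, flow: Flow) -> bool:
    """IP+port match; a port-less indicator matches any port (more false positives)."""
    return flow.dst == ind.ip and (ind.port is None or ind.port == flow.dport)

def correlate(flows, feed, min_confidence=70):
    """Return (flow, indicator) hits, skipping low-confidence indicators."""
    hits = []
    for ind in feed:
        if ind.confidence < min_confidence:
            continue
        hits.extend((f, ind) for f in flows if matches(ind, f))
    return hits

def first_seen(hits):
    """Earliest timestamp per family: where the attack timeline starts."""
    timeline = {}
    for f, ind in hits:
        if ind.family not in timeline or f.ts < timeline[ind.family]:
            timeline[ind.family] = f.ts
    return timeline

# Constructed stored traffic (three months) and two feed versions.
STORED = [
    Flow("2014-01-14T09:02:00", "10.0.5.23", "203.0.113.7", 8080),  # beacon in month 1
    Flow("2014-02-03T11:40:00", "10.0.5.23", "203.0.113.7", 8080),
    Flow("2014-02-20T08:00:00", "10.0.9.2", "203.0.113.7", 443),    # same IP, other port
    Flow("2014-03-01T13:15:00", "10.0.7.8", "198.51.100.4", 80),
]
FEED_MONTH1 = [Indicator("198.51.100.4", 80, "Phishing", 90)]
FEED_MONTH3 = FEED_MONTH1 + [Indicator("203.0.113.7", 8080, "CnC", 85)]  # signature added later
```

Running `correlate(STORED, FEED_MONTH1)` finds only the phishing flow; re-running with `FEED_MONTH3` against the same stored traffic surfaces the month 1 beacon, and `first_seen` dates the CnC activity back to its first occurrence.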
Workflow - Maximise Effectiveness
• Put the power back in the hands of the analysts
– Network & Threat Visibility, in context
– Incident Response Workflow
• Technology should enable personnel & process investment
– Regardless of how many you have
– Or skillset
[Diagram, cycle: IDENTIFY (Comprehensive monitoring and threat detection), Prioritise, ANALYZE (Situational Awareness. Augment detected events with relevant context), React, PROTECT (Provide surgical mitigation and forensic capabilities.)]
13+ Years of Innovation
• The Internet and security is our heritage
• Founded from a DARPA grant
• Over 40 networking and security patents
Serving The World's Most Demanding Networks
• Across 60 countries
• Service Providers, Hosters, Fortune 50 companies
• Largest financials and online giants
Trusted Experts Globally
• Over 400 employees around the globe
• >50% in Engineering, Service and Support
• Best in class support experts, global infrastructure
ATLAS / ASERT
• Unrivalled visibility, analyzing 80Tb/sec of data
• Well regarded security research expertise
• Threat Intelligence