Speed Up Incident Response with Actionable Forensic Analytics Close the Gap between Threat Detection and Effective Response with Continuous Monitoring July 28, 2014



Table of Contents

Introduction
Current Threat Landscape
How Typical IT/Security Processes Inhibit Effective Incident Response
    Typical IT/Security Processes
    Common Challenges
    Challenges Specific to Forensic Analytics and Incident Response
Actionable Forensic Analytics
Flexible Incident Response
Tenable Continuous Monitoring Platform
Benefits of the Tenable Continuous Monitoring Platform
    Actionable Forensic Analytics
    Speeds-up Incident Response
Use-Cases
    Forensic Analysis of Suspicious Activity
    Incident Response Options
Conclusion
About Tenable Network Security


Introduction

Cyber criminals are using advanced targeted attacks and modern malware to bypass traditional security controls and easily steal credit card data, company-sensitive information, and national secrets. According to the 2013 Ponemon Report [1], the average total organizational cost of a data breach in the US alone was $5.4 million, followed by Germany ($4.8M) and Australia ($4.1M). In part, these costs are due to delays in breach detection, which can often take weeks to months after the initial compromise. Delays occur because security teams do not have actionable forensic data to pinpoint compromised hosts or identify sensitive data that has been stolen.

Tenable provides a comprehensive continuous network monitoring solution that enables you to rapidly respond to security incidents, by providing actionable forensic data that can help detect incidents more accurately. In this paper, we will explore the forensic analytics and incident response capabilities of Tenable SecurityCenter™ Continuous View (SC CV), a network security platform that identifies vulnerabilities, reduces risk, and ensures compliance. Topics covered will include:

• Recognizing how organizational silos and inefficient processes inhibit the effectiveness of IT and Security Operations.

• Gathering the actionable forensic data needed to identify advanced attacks at both the network and host levels.

• Responding to security incidents with flexible techniques that leverage both workflows and automation.

Current Threat Landscape

Fig. 1: Verizon 2014 DBIR Report - Top 10 types of security incidents that resulted in breaches

The Verizon 2014 Data Breach Investigation Report (DBIR) [2] covers breaches affecting organizations in 95 countries in 2013. The top 10 categories of security incidents (as shown in Fig. 1) totaled approximately 63,000 incidents, out of which 1,367 (2%) resulted in breaches (data disclosure). However, the same four categories of attacks - POS intrusions, web app attacks, cyber espionage, and card skimmers - have contributed to the top breaches between 2011 and 2013.

Only 33% of victims discover breaches internally according to Mandiant's 2014 M-Trends Threat Report [3]. Furthermore, in 67% of the cases, victims were notified by external entities after it was already too late to save the reputation of the company. Security breaches can have a devastating impact on any company. For example, in the Target breach alone, 40 million credit/debit card data records and 70 million total data records were stolen in the month of November 2013. The attack vector used in Target was a known exploit that had impacted other retail chains. This scenario is all too common.

Notes:
[1] "2013 Cost of Data Breach Study: Global Analysis", Ponemon Institute, May 2013.
[2] "2014 Data Breach Investigations Report", Verizon, April 2014.
[3] "2014 Threat Report - M-Trends Beyond the Breach", Mandiant, a FireEye Company, April 2014.

Therefore, to protect against advanced attacks and security breaches, a company’s IT security strategy should include:

• Continuous network monitoring for known vulnerabilities and threats.

• Correlating anomalous activity at the network and host levels to detect unknown threats.

How Typical IT/Security Processes Inhibit Effective Incident Response

Typical IT/Security Processes

Fig. 2: Typical IT/Security Operations Processes

Typical IT/Security processes (as illustrated in Fig. 2) encompass the following four phases:

1. Discover: Discover all assets on your network including hosts, network devices, and software assets. Theoretically this discovery should include details like what OS versions, network services, and applications are running on those assets. Set up network and system access control policies to reduce the attack surface.

2. Assess: Perform vulnerability assessments on the discovered network, hardware, and software assets. Flag known vulnerabilities in those assets. Track any changes to OS platforms and applications and measure residual risk.

3. Report and Analyze: Correlate anomalous activity with real-time threats (events) and monitor for changes to systems/endpoints to see if they match known indicators of compromise. Collect accurate forensic data and present it in a consumable way. Sophisticated analytics are required to tie together the asset and vulnerability data from assessment scans, network sniffing, and log data, and to produce actionable reports.

4. Take Action: Use forensic data to generate alert notifications to take prioritized manual (workflow-based) actions or automated (API-based) actions to prevent threats from resulting in security breaches.

[Fig. 2 diagram labels: 1 Discover (Understand potential attack surface); 2 Assess (Detect known and unknown vulnerabilities); 3 Report & Analyze (Analyze data associated with real-time threats and report); 4 Take Action (Respond to vulnerabilities & threats)]


Forensic Analytics and Incident Response correspond to the Analyze and Respond phases (bottom half) of the IT/Security process.

Common Challenges

Common challenges encountered by organizations implementing this model include:

• Organizational Silos: Desktop administration, network, and security operations in medium to large companies are typically managed by three different organizations – IT Helpdesk, Network Operations Center (NOC), and Security Operations Center (SOC), who use different tools that do not communicate well with each other.

• Unmanaged Assets: All assets on the network are not discovered or known to IT, and hence they are not monitored or managed, especially mobile phones, tablets, and virtual environments (e.g., VMware instances), which may have vulnerabilities that can be easily exploited.

• Unknown Applications/Services: Many unmanaged assets are not hardened or patched to eliminate known vulnerabilities, such as Heartbleed. These assets could be used as launch pads for malware to penetrate the enterprise.

• Lack of Network Visibility: Any anomalous network traffic to botnets and Command and Control (CnC) servers can go undetected if there are no network monitoring tools with application level (layer 7) visibility looking for traffic to known suspicious destinations.

• Un-prioritized Vulnerabilities: Vulnerabilities are not prioritized by Common Vulnerability Scoring System (CVSS) scores, asset criticality, or users/roles. IT will be unable to quantify business risk without such prioritization.

Challenges Specific to Forensic Analytics and Incident Response

• No Actionable Forensic Data: Security and network operations staff are inundated with security events for which they do not have the right actionable data. This includes indicators of compromise for advanced attacks that go undetected by traditional defenses.

• Inflexible Incident Response: Security and network operations staff have limited ways of responding to incidents, e.g., generating notifications and reports, initiating manual workflows, or spawning automated actions. Having the flexibility to associate different types of response actions with alerts enables IT/Security Operations to speed up incident response and reduce business risk.

Actionable Forensic Analytics

The typical requirements for actionable forensic analytics include the following capabilities:

• Network Forensics: Logs of all network traffic, which includes packet capture or meta-data captures from network sensors, application flow data from switches and routers, and application logs from network proxies. This data is useful for identifying suspicious traffic that can be attributed to botnets or CnCs to or from bad sites without deploying any agents on endpoints.

• Host Forensics: Monitoring hosts and endpoints for file integrity, system configurations, processes, DNS queries, and network connections. This typically requires credential-based scanning of endpoints, or agents running on endpoints to gain evidence (using tell-tale signs of indicators of compromise).

• Log Correlation: Encompasses behavioral and statistical analysis to determine anomalies in network and host forensic data. Infuses contextual information about asset location and user identity, and also filters logs using blacklists from external threat intelligence sources. These correlation features are vital for zeroing in on security incidents that need immediate attention.


Actionable forensic data should include monitoring for:

• Network meta-data:

- Source and target of attack: IP address, host name, port/protocol associated with botnets or CnC traffic

- URL/domain name of server hosting malware

- Sender/recipient email address of phishing attack

• Host Indicators of Compromise:

- IP address or hostnames of compromised endpoints

- Hashes of malware files/binaries

- System configurations or auto-runs that should be checked for integrity

- OS registry changes and processes associated with malware
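The list above is the data an indicator match runs over. As an added example (not Tenable's code, and not a description of how LCE or Nessus implement matching), the following Python matcher takes network and host records in a hypothetical key=value line format, normalizes the fields that carry each indicator type (IP addresses, server domains extracted from URLs, sender addresses, file hashes), checks them against a constructed indicator set, and returns the internal endpoints that a host scan should then verify. Every indicator, host address and field name here is constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed indicator set (hypothetical values, not from any real threat feed).
WATCHLIST = {
    "ip": {"198.51.100.23"},                       # TEST-NET-2 address, constructed
    "domain": {"update-check.example"},            # reserved example TLD, constructed
    "email": {"billing@example.net"},
    "sha256": {hashlib.sha256(b"constructed-sample").hexdigest()},
}

# Which record fields are compared against which indicator type.
FIELD_TYPES = {
    "src": "ip", "dst": "ip", "host": "ip",
    "domain": "domain", "url": "domain",
    "from": "email", "to": "email",
    "sha256": "sha256",
}

# Constructed sample records (hypothetical key=value format, not real sensor output):
# a proxy/flow record, a download, a host file-hash observation, a mail header, benign traffic.
SAMPLE_RECORDS = [
    "ts=2014-07-28T10:01:02 src=10.0.0.5 dst=198.51.100.23 dport=443 proto=tcp",
    "ts=2014-07-28T10:01:09 src=10.0.0.7 dst=203.0.113.9 url=http://update-check.example/setup.exe",
    "ts=2014-07-28T10:02:15 host=10.0.0.5 file=C:\\Users\\a\\run.exe sha256=" + next(iter(WATCHLIST["sha256"])),
    "ts=2014-07-28T10:03:00 from=billing@example.net to=alice@corp.example subject=Invoice",
    "ts=2014-07-28T10:04:00 src=10.0.0.9 dst=192.0.2.44 dport=80 proto=tcp",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    indicator_type: str
    indicator: str
    internal_host: str   # endpoint (or mailbox) the hit is attributed to
    record: str


def parse_record(line):
    """Turn one key=value line into a dict; unknown keys are kept but ignored by matching."""
    return dict(KV_RE.findall(line))


def normalize(field, value):
    """Reduce a field value to the form stored in the watchlist."""
    if field == "url":
        return (urlparse(value).hostname or "").lower()
    if field in ("domain", "from", "to", "sha256"):
        return value.lower()
    return value


def internal_host_of(rec):
    """Attribute a hit to the monitored host; for mail records fall back to the recipient."""
    return rec.get("host") or rec.get("src") or rec.get("to", "unknown")


def match_record(line, watchlist=WATCHLIST):
    rec = parse_record(line)
    hits = []
    for field, value in rec.items():
        itype = FIELD_TYPES.get(field)
        if itype is None:
            continue
        norm = normalize(field, value)
        if norm in watchlist[itype]:
            hits.append(Finding(itype, norm, internal_host_of(rec), line))
    return hits


def match_records(lines, watchlist=WATCHLIST):
    findings = []
    for line in lines:
        findings.extend(match_record(line, watchlist))
    return findings


def endpoints_to_scan(findings):
    """Endpoints with at least one hit: the watchlist to hand to a credentialed host scan."""
    return sorted({f.internal_host for f in findings})


if __name__ == "__main__":
    found = match_records(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.indicator_type:7} {f.indicator:45} -> {f.internal_host}")
    print("scan:", endpoints_to_scan(found))
```

The point of the normalization step is that indicators arrive in different shapes than the raw fields: the domain in a URL has to be extracted before it can be compared, hashes and addresses are case-insensitive, and the host a hit is attributed to depends on the record type. Only the four crafted records produce findings; the benign flow record does not.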

Flexible Incident Response

Any solution that identifies security incidents should further enable you to respond to them with the following types of configurable response actions, based on the simplicity or complexity of the problem identified.

• Notifications/Email: Send notifications via the console or by email, and include the recommended action.

• Dashboards/Reports: Automatically update a dashboard or generate a report with the current state of incidents in progress, assigned to appropriate personnel.

• Work Flows: Trigger trouble tickets with workflows assigned to the person responsible for follow through. Especially useful for the most complex and the least understood incidents.

• Automated Actions: Automatically invoke scripts or application programming interfaces (APIs) that perform specific actions such as adding a URL to the blacklist of a web gateway or updating an ACL on a firewall to automatically block CnC servers. Automated actions are most applicable for frequently occurring incidents that are well understood.


Tenable Continuous Monitoring Platform

Fig. 3: The Tenable Platform – Continuous Monitoring of Vulnerabilities, Threats, and Compliance

Tenable SecurityCenter Continuous View breaks down silos between IT, network, and security operations, and delivers actionable forensic data, asset information, and vulnerability context, to speed up incident response. The SecurityCenter Continuous View platform (depicted in Fig. 3) includes the following Tenable products and components:

• Nessus®: the industry's most widely deployed vulnerability, configuration, and compliance scanner. Nessus features high-speed discovery, configuration auditing, asset profiling, malware detection, sensitive data discovery, patch management integration, and vulnerability analysis. Nessus® Enterprise provides a scalable on-premise solution to manage multiple Nessus scanners. The SaaS version, Nessus® Enterprise Cloud, adds external perimeter scanning and PCI ASV scan validation.

• Passive Vulnerability Scanner™ (PVS): is a non-intrusive network monitoring tool that discovers all devices, applications, services, and their relationships currently active on your network. It automatically pinpoints potential security risks posed by vulnerable assets and new or unknown rogue systems, including SaaS and IaaS services being accessed by users.

• Log Correlation Engine™ (LCE): collects and correlates logs from Nessus®, PVS™, and external sources on the network including firewalls, switches, routers, endpoints, and servers. It can also generate alerts when malware matching indicators of compromise from external threat intelligence sources (e.g., Reversing Labs and IID) is encountered. All log data is compressed and stored in an indexed file system and can be rapidly searched using keywords.

• SecurityCenter Continuous View™ (SC CV): enables continuous monitoring of vulnerabilities, threats, and compliance violations discovered by Nessus®, PVS™, and LCE™. It provides one management console with configurable dashboards, reports, and notifications to provide a comprehensive visualization (as shown in Fig. 4 below) of a company’s vulnerabilities, threats, and compliance posture.


Fig. 4: SecurityCenter Executive Summary Dashboard

Benefits of the Tenable Continuous Monitoring Platform

Tenable's SecurityCenter Continuous View breaks down silos between IT, network, and security operations and enables you to gather actionable forensic data, information about assets, and vulnerability context to speed up incident response efforts.

Actionable Forensic Analytics

• Automatically discovers and tags 100% of assets – physical, virtual, mobile, and cloud

• Performs audits to discover known vulnerabilities based on security policies

• Discovers advanced threats by scanning for indicators of compromise

• Continuously monitors network traffic to detect hidden attack paths and suspicious activity

Speeds-up Incident Response

• Provides asset and vulnerability context for every incident detected

• Identifies residual risk with correlated vulnerability and threat data

• Automatically generates alerts with configurable response options – manual and automated

• Provides actionable information in customizable dashboards and reports


Use-Cases

The following use cases illustrate how Tenable SecurityCenter Continuous View (SC CV) gathers accurate forensic data to detect advanced attacks and set up flexible responses to prevent security incidents and breaches.

Forensic Analysis of Suspicious Activity

SecurityCenter Continuous View, which includes SecurityCenter, Nessus, PVS, and LCE, can be used to track both inbound and outbound suspicious network traffic to zero in on advanced attacks.

• Inbound: Detect downloads of malware from an external web server and validate if an endpoint was truly compromised.

- Tenable PVS™ can be used to capture all inbound network traffic, and LCE can be used to create a "watchlist" of internal assets that exhibit suspicious file/exe downloads from known botnets and websites, as shown in Fig. 5 below:

Fig. 5: Indicators dashboard to track inbound/outbound suspicious activity

- Tenable Nessus® can be used to scan a “watchlist” of assets to look for advanced malware using known Indicators of Compromise (IoC). If IoCs are found on an endpoint (as shown in Fig. 6 below), then the endpoint is confirmed to be compromised.


Fig. 6: Indicators of Compromise (IoC) found on a compromised endpoint

• Outbound: Detect an internal host already compromised trying to beacon out to botnet/CnC server.

- PVS™ can be used to capture an anomalous set of failed DNS queries to a known CnC server, which indicates a compromised host that is trying to beacon out to potentially exfiltrate information. Fig. 7 below depicts how such anomalies can be identified in PVS.

Fig. 7: Anomalous outbound communication identified by PVS
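The outbound case relies on a pattern rather than a single event: one internal host repeatedly failing to resolve the same name at a steady interval. As an added example (not PVS code and not a description of PVS internals), the following Python detector reads DNS resolver log lines in a hypothetical whitespace-separated format (timestamp, client, query name, response code), groups failed lookups by client and name, flags any group that reaches a failure threshold inside a sliding time window, and reports the median interval between queries as a periodicity hint. The log lines, hosts and names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed DNS resolver log (hypothetical format: ts client qname rcode).
# 10.0.0.5 fails to resolve the same name about once a minute; 10.0.0.8 has one typo.
SAMPLE_DNS_LOG = """\
2014-07-28T10:00:00 10.0.0.5 cdn.example.net NOERROR
2014-07-28T10:00:03 10.0.0.5 c2-node.example NXDOMAIN
2014-07-28T10:01:03 10.0.0.5 c2-node.example NXDOMAIN
2014-07-28T10:02:03 10.0.0.5 c2-node.example NXDOMAIN
2014-07-28T10:03:04 10.0.0.5 c2-node.example NXDOMAIN
2014-07-28T10:04:03 10.0.0.5 c2-node.example NXDOMAIN
2014-07-28T10:00:10 10.0.0.8 typo.example NXDOMAIN
2014-07-28T10:00:11 10.0.0.8 mail.example.net NOERROR
"""

# Response codes treated as failed lookups.
FAILED_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


def parse_dns_log(text):
    """Parse log lines into (timestamp, client, qname, rcode) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client, qname.lower(), rcode.upper()))
    return events


def find_failed_query_bursts(events, min_failures=4, window=timedelta(minutes=10)):
    """Flag (client, qname) pairs with at least `min_failures` failed lookups inside
    any `window`-long span. Returns {(client, qname): {"failures": n, "median_interval_s": s}}."""
    failed = defaultdict(list)
    for ts, client, qname, rcode in events:
        if rcode in FAILED_RCODES:
            failed[(client, qname)].append(ts)

    alerts = {}
    for key, stamps in failed.items():
        stamps.sort()
        # Sliding window over sorted timestamps: the densest run decides whether to alert.
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            alerts[key] = {
                "failures": best,
                "median_interval_s": median(gaps) if gaps else None,
            }
    return alerts


def hosts_to_investigate(alerts):
    """Distinct internal clients behind the flagged bursts, for follow-up host forensics."""
    return sorted({client for client, _ in alerts})


if __name__ == "__main__":
    found = find_failed_query_bursts(parse_dns_log(SAMPLE_DNS_LOG))
    for (client, qname), info in found.items():
        print(f"{client} -> {qname}: {info['failures']} failures, "
              f"median interval {info['median_interval_s']}s")
    print("investigate:", hosts_to_investigate(found))
```

The threshold and window are deliberately parameters: a single NXDOMAIN is noise (a typo, a retired CDN name), while several failures for the same name from the same client at a near-constant interval is the beaconing signature the text describes. The one-off failure from 10.0.0.8 is not flagged.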


Incident Response Options

SC CV allows you to set up actions for every alert. The following types of actions can be configured for each alert:

Alert                                                    Sample Configurable Action
Targeted IDS                                             Email NOC
New Host Discovered                                      Launch a compliance scan
Telnet Server Detected                                   Generate a report of services on host
Host has a compliance failure                            Notify compliance officer
Critical exploitable vulnerability on Windows endpoint   Notify appropriate systems administrator

Fig. 8 below shows a screen shot of the Alerts window with configurable options in SC CV.

Fig. 8: Configurable response actions for an alert in SC CV
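The alert table above and the four response types described under Flexible Incident Response (notifications, reports, workflows, automated actions) amount to a mapping from alert type to a list of handlers. As an added example (not SC CV code and not a description of how its Alerts window works), the following Python dispatcher models that mapping: each handler factory returns an action bound to its configuration, the table rows become entries in a dictionary, and alert types with no configured action fall back to a ticket so nothing is silently dropped. The mailbox names, queue names and the extra "Beaconing to known CnC" row with its automated blocklist action are constructed; the in-memory Environment stands in for the mail, ticketing, scanning and gateway systems a real action would call.

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    name: str                     # alert type, as named in the alert table
    host: str                     # affected internal host
    details: dict = field(default_factory=dict)


class Environment:
    """In-memory stand-ins for the systems an action would touch (constructed, not real integrations)."""
    def __init__(self):
        self.emails = []      # (recipient, subject)
        self.tickets = []     # (queue, summary)
        self.scans = []       # (host, scan type)
        self.reports = []     # (host, report type)
        self.blocklist = set()


# Each factory returns a handler(alert, env) -> short string describing what was done.
def notify(recipient):
    def run(alert, env):
        env.emails.append((recipient, f"{alert.name} on {alert.host}"))
        return f"email:{recipient}"
    return run


def launch_scan(scan_type):
    def run(alert, env):
        env.scans.append((alert.host, scan_type))
        return f"scan:{scan_type}:{alert.host}"
    return run


def generate_report(report_type):
    def run(alert, env):
        env.reports.append((alert.host, report_type))
        return f"report:{report_type}:{alert.host}"
    return run


def open_ticket(queue):
    def run(alert, env):
        env.tickets.append((queue, f"{alert.name} on {alert.host}"))
        return f"ticket:{queue}"
    return run


def block_destination():
    """Automated action: add the external destination to the gateway blocklist.
    An alert without a destination is skipped rather than blocking something guessed."""
    def run(alert, env):
        dest = alert.details.get("destination")
        if not dest:
            return "block:skipped"
        env.blocklist.add(dest)
        return f"block:{dest}"
    return run


# Alert-to-action table. The first five rows follow the paper's sample table;
# recipients/queues and the last row are constructed for this example.
ACTIONS = {
    "Targeted IDS": [notify("noc@corp.example")],
    "New Host Discovered": [launch_scan("compliance")],
    "Telnet Server Detected": [generate_report("services")],
    "Host has a compliance failure": [notify("compliance-officer@corp.example")],
    "Critical exploitable vulnerability on Windows endpoint": [notify("winadmins@corp.example")],
    "Beaconing to known CnC": [block_destination(), open_ticket("soc")],
}


def dispatch(alert, env, actions=ACTIONS):
    """Run every action configured for the alert type; unmapped types get a SOC ticket."""
    handlers = actions.get(alert.name, [open_ticket("soc")])
    return [handler(alert, env) for handler in handlers]


if __name__ == "__main__":
    env = Environment()
    print(dispatch(Alert("New Host Discovered", "10.0.0.12"), env))
    print(dispatch(Alert("Beaconing to known CnC", "10.0.0.5", {"destination": "198.51.100.23"}), env))
    print(dispatch(Alert("Unmapped alert", "10.0.0.1"), env))
```

Keeping the handlers as data (a dictionary of lists) rather than branching code is what makes the response "configurable": changing which alert triggers which mix of manual and automated actions is an edit to the table, and the automated handler is the only one that changes enforcement state, so it is the one worth guarding (here, by refusing to act on an alert with no destination).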

Conclusion

Organizational, technical, and operational complexity all make effective and timely incident response a significant challenge. While enterprise IT and security teams deploy and manage an expanding array of defensive technologies, many remain challenged to detect and assess the impact of threats until long after vulnerable systems are compromised. Tenable Network Security addresses this situation with its industry-leading continuous monitoring platform, SecurityCenter Continuous View, a comprehensive solution for vulnerability, threat, and compliance management. SecurityCenter Continuous View transforms siloed organizational and operational processes by providing meaningful and actionable forensic analytics with which enterprises can dramatically accelerate incident response.


About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Our family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable is relied upon by more than 20,000 organizations, including the entire U.S. Department of Defense and many of the world's largest companies and governments. For more information, please visit www.tenable.com.

Copyright © 2014. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.

GLOBAL HEADQUARTERS

Tenable Network Security
7021 Columbia Gateway Drive, Suite 500
Columbia, MD 21046
410.872.0555
www.tenable.com