Visibility: The Foundation of your Cybersecurity Infrastructure (2019. 12. 3.)
TRANSCRIPT
Marlin McFate, Federal CTO, Riverbed
© 2018 Riverbed Technology, Inc. All rights reserved. 2
Detection is Only One Part of the Story
Planning and Remediation are just as critical
146 days: average duration it takes to discover attackers are present on a network
[Chart: "Hackers Went Undetected for Months". Bars (months undetected, axis 0 to 20) for Target, JPMorgan, Neiman Marcus, Home Depot, Michaels, Goodwill; bar values shown: 0.5, 2, 5, 5, 8, 18.]
59% of organizations are notified about their breach by an external entity.
What could you do with $8,850,000,000.00?
• In just one industry/vertical, 72 total breaches were reported (2016), with over 56 million records exposed
• Threats were present for 205 days on average before detection
• Estimated loss for those 72 breaches was over $8.85 billion
$33,440,756,448.00
• 1339 identity theft breaches, over 174 million records exposed
• In 2017 it grew to 191 days on average that threats were present before detection
• Estimated 2017 loss for identity record breaches: ~$24.6 billion
“...network security forensics is an important technology. Without a proper post-breach forensic investigation, the ability to remediate damages from the current threat, as well as the ability to properly mitigate future threats, remains very much in doubt.”
Russia’s 5th-Dimension Cyber Army
Hezbollah
China
This is Cyber Warfare!
Riverbed provides visibility on the cyber battlefield like a drone or satellite provides generals with real-time physical battlefield info
Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Understand the Surface Area
Total Enterprise Visibility Is Critical
Attacks can come from anywhere, anytime, anyone
Visibility is the glue that empowers both the business and the IT teams with the insight they need to make effective resourcing decisions and to resolve problems faster. If you can’t see it, you can’t protect it!
Servers • Applications • Protocols • Ports • Network Behavior • End-Users • Operating Systems • Services
Visibility Driving Security Value
Once you know what you have, you can properly secure it
Identify Everything:
• All the moving parts of an application (what is in scope)
• All hosts/paths/ports/protocols that need to be monitored
• Paths of attack that may have gone overlooked
• Clear-text protocols that may be a means of eavesdropping
• Unrelated systems that need to be treated at the same trust level due to proximity
Visibility Driving Security Value
Identify Lateral Movement & Network Behavior Anomaly Detection
Track lateral movement, governance violations and other challenges such as P2P, tunneling, and SPAM activity.
Analysis of network behavior can identify suspect activity including scans, suspicious connections, new hosts, worms, and more.
Assess Application Usage and Combat Shadow IT
1. Discover every local, cloud, and mobile application, to combat “Shadow IT”
2. Immediately assess the breadth and surface area of Shadow IT
3. Consider mainstreaming popular Shadow IT apps
Configuration, Network, and Service Hardening
Hackers are Always Looking for the Weak Link to Gain Entry
What are your weak links? Where are they?
NPCM Security Workflow 3
Before / Harden – Infrastructure patching and configuration
Validations (Rules Engine):
• Edge routers block incoming ICMP, telnet, FTP sessions
• No redundant ACL statements
• No overlapping NAT translation addresses
• …
Potential Exposures:
• Checks all collected network devices for known OS vulnerabilities
• Check for any instance of OS vulnerability “Advisory ID: cisco-sa-20140924-nat”
Metrics:
• 440 OS vulnerabilities
• 30% of devices with vulnerabilities
• 25 vulnerabilities remediated
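The three rules-engine validations above (edge routers block inbound ICMP/telnet/FTP, no redundant ACL statements, no overlapping NAT pools) can be expressed as a small configuration audit. The following Python is an added example written for this transcript, not Riverbed NPCM code. It assumes a simplified IOS-style syntax (extended ACL entries and "ip nat pool" lines), and the config fragment, the ACL name EDGE_IN and the pool names are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IOS-style config fragment (not from a real device); the uneven
# whitespace on one "deny" line is deliberate, to show normalisation.
SAMPLE_CONFIG = """\
ip access-list extended EDGE_IN
 deny tcp any any eq 23
 deny tcp any any eq 21
 deny icmp any any
 deny  tcp any any eq 23
 permit ip any any
 deny udp any any eq 69
ip nat pool POOL_A 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat pool POOL_B 203.0.113.15 203.0.113.30 netmask 255.255.255.0
ip nat pool POOL_C 203.0.113.40 203.0.113.50 netmask 255.255.255.0
"""

# What the deck expects an edge ACL to block inbound: ICMP, telnet, FTP.
REQUIRED_DENIES = {
    "icmp": "deny icmp any any",
    "telnet": "deny tcp any any eq 23",
    "ftp": "deny tcp any any eq 21",
}
CATCH_ALL = re.compile(r"(permit|deny) ip any any")


def parse_config(text):
    """Return ({acl_name: [normalized entries]}, [(pool, first_ip_int, last_ip_int)])."""
    acls, pools, current = defaultdict(list), [], None
    for raw in text.splitlines():
        line = " ".join(raw.split())            # collapse whitespace so duplicates compare equal
        if line.startswith("ip access-list extended "):
            current = line.split()[-1]
        elif current and line and line.split()[0] in ("permit", "deny"):
            acls[current].append(line)
        else:
            current = None                      # any other top-level line ends the ACL
            if line.startswith("ip nat pool "):
                _, _, _, name, first, last, *_ = line.split()
                pools.append((name, int(ipaddress.ip_address(first)),
                              int(ipaddress.ip_address(last))))
    return dict(acls), pools


def acl_findings(entries):
    """Redundant statements: exact duplicates and entries shadowed by an earlier catch-all."""
    findings, seen, dead = [], set(), False
    for n, entry in enumerate(entries, 1):
        if dead:
            findings.append((n, entry, "unreachable: follows a catch-all entry"))
        elif entry in seen:
            findings.append((n, entry, "duplicate of an earlier entry"))
        seen.add(entry)
        dead = dead or bool(CATCH_ALL.fullmatch(entry))
    return findings


def missing_denies(entries):
    """Required blocks that are absent, or that only appear after the catch-all (so never match)."""
    effective = []
    for entry in entries:
        effective.append(entry)
        if CATCH_ALL.fullmatch(entry):
            break
    return [name for name, rule in REQUIRED_DENIES.items() if rule not in effective]


def overlapping_pools(pools):
    """Pairs of NAT pools whose address ranges intersect."""
    return [(a[0], b[0]) for i, a in enumerate(pools) for b in pools[i + 1:]
            if a[1] <= b[2] and b[1] <= a[2]]


def audit(text, edge_acl="EDGE_IN"):
    acls, pools = parse_config(text)
    return {
        "redundant": {name: acl_findings(ent) for name, ent in acls.items()},
        "missing_edge_denies": missing_denies(acls.get(edge_acl, [])),
        "overlapping_nat_pools": overlapping_pools(pools),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)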
Manage Security Audits Effectively
Automated Compliance Reporting
• Out-of-the-box templates for regulatory & industry standards: STIG, CCRI, NIST 800-53
• Validate against a “golden” configuration
• Automatic & periodic security advisory updates
• Analyze ACLs, firewall policies, and other security controls
• Analyze device administrative control
• Leverage best practices from Cisco, AAA, NSA security guidelines, and more
• Trend audit results over time
Automated Topology Diagramming
• Automate generation of audit-quality diagrams
• Automatically generate high-definition network diagrams using configuration and operational data
• Provide detailed insight into physical, logical and virtual components
• Generate professional-quality HTML or Visio diagrams
• Customizable diagram layout and annotations
Change Control
See changes, route propagations, survivability/redundancy testing
Visualize BGP Route Propagation…
Understand Movement (NSEW: north/south and east/west traffic)
Go Threat Hunting
“We can take a proactive approach to searching for those intruders rather than a reactive approach that focuses on known incidents – government has to start searching for the unknown.”
Jeff Wagner, OPM Director of Security Operations
Find Every Sensitive Device & Who It Talks With in 30 Seconds
Leverage Reporting To Track Activity
Run on-demand or scheduled; discover and remediate:
• Progressive SSH/RDP burrowing across the network
• SMTP requests not on TCP/25
• DNS requests not on UDP/53
• CIFS to/from the Internet
• Weekly foreign-country business reports
• Tunneled traffic
• Access to the production network outside change windows
• Servers not within the data center subnets
• East/West traffic where none is expected
• North/South traffic where none is expected
• …
Assess Impact of Code/SQL Injection… Using your Phone!
[Chart: GENUINE TRANSACTIONS vs. TRANSACTIONS FROM INJECTION ATTACK]
Identify Scope of Intrusion
Extend Visibility into the Attack Surface: Go Beyond Attack Points of Entry
URL http://www.xxxx.com/yyy/zzz.aspx?cm_re=${@print(md5(acunetix_wvs_security_test))}
Using typical security tools, injection detection occurs ONLY at points of entry
• Discover the entire surface area of attack
• For every SINGLE transaction – no transaction sampling
• Would it be acceptable to have visibility into just 1 of 10,000 intrusions?
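To make the "every single transaction, no sampling, beyond the point of entry" argument concrete, here is an added example that is not Riverbed code and not part of the original deck. It URL-decodes every query parameter of every recorded transaction, matches a few injection indicators (including the ${...} expression form seen in the scanner probe URL above), and reports, per transaction, which tier the payload reached. The transaction records, the tier names (edge, app, db) and the hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed transaction records: (transaction id, tier, URL as seen at that tier).
# The same transaction id appears once per tier it passed through. Not real traffic.
SAMPLE_TRANSACTIONS = [
    ("t1", "edge", "http://shop.example/cart.aspx?item=42&qty=1"),
    ("t1", "app", "http://app-01.internal/cart?item=42&qty=1"),
    ("t2", "edge", "http://shop.example/yyy/zzz.aspx?cm_re=%24%7B%40print%28md5%28acunetix_wvs_security_test%29%29%7D"),
    ("t2", "app", "http://app-01.internal/zzz?cm_re=${@print(md5(acunetix_wvs_security_test))}"),
    ("t3", "edge", "http://shop.example/search.aspx?q=shoes%27+OR+1%3D1--"),
    ("t3", "app", "http://app-02.internal/search?q=shoes' OR 1=1--"),
    ("t3", "db", "sql://db-01.internal/query?text=SELECT+*+FROM+items+WHERE+name%3D%27shoes%27+OR+1%3D1--%27"),
    ("t4", "edge", "http://shop.example/help.aspx?topic=returns"),
]

# Injection indicators, evaluated on decoded parameter values.
INDICATORS = {
    "template-expression": re.compile(r"\$\{[^}]*\}"),               # ${...} as in the probe URL
    "sql-tautology": re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),
    "sql-union": re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE),
}


def decoded_params(url):
    """Percent-decode every query parameter; parse_qsl decodes once, unquote_plus again
    so a double-encoded payload is seen in its final form."""
    query = urlsplit(url).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def classify(url):
    """Set of indicator names that match any parameter value of this URL."""
    hits = set()
    for _, value in decoded_params(url):
        hits.update(name for name, rx in INDICATORS.items() if rx.search(value))
    return hits


def scan_transactions(records):
    """Inspect every record (no sampling). Returns {txn_id: {"indicators": set, "tiers": [...]}}
    so a payload is tracked past the entry point to every tier it reached."""
    findings = {}
    for txn_id, tier, url in records:
        hits = classify(url)
        if hits:
            entry = findings.setdefault(txn_id, {"indicators": set(), "tiers": []})
            entry["indicators"] |= hits
            entry["tiers"].append(tier)
    return findings


def deepest_reach(findings):
    """Transactions whose payload reached the data tier: the ones to triage first."""
    return sorted(t for t, e in findings.items() if "db" in e["tiers"])


if __name__ == "__main__":
    result = scan_transactions(SAMPLE_TRANSACTIONS)
    for txn, entry in result.items():
        print(txn, sorted(entry["indicators"]), "->", " > ".join(entry["tiers"]))
    print("reached the database:", deepest_reach(result))
```

With sampling, a scan that looks at one transaction in ten thousand would have a near-zero chance of seeing t2 or t3 at all; inspecting every record and keying on the transaction id is what lets the report say that t3's payload made it to the database tier while t2 stopped at the application server.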
Alarm On Violations
New Host Analytic
Alert on new hosts in secured areas of the network
New Host Policy workflow:
1. A new host appears on the VLAN supporting PCI-compliant ERP servers
2. Alert via SNMP trap or email, with context-sensitive drill-down to details
3. Complete visibility into the offending host, with conversational details, packets for deep-dive analysis, and MAC address/switch port info
4. Optional vulnerability scanning
Detect changes in sensitive parts of the network to improve security posture and help with regulatory compliance.
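The workflow above as a stateful check, written as an added example for this transcript rather than taken from the product: a baseline of known MAC addresses per VLAN, an alert carrying the context the slide lists (IP, MAC, switch/port, first conversation peer, follow-up actions) the first time an unknown host appears on a sensitive VLAN, and no alert for non-sensitive VLANs or for repeat sightings of the same host. VLAN 110 as the PCI ERP VLAN, the switch names and all addresses are constructed; delivering the alert by SNMP trap or email is left out.

```python
from dataclasses import dataclass, field

# Constructed: VLAN 110 is assumed to carry the PCI-compliant ERP servers.
SENSITIVE_VLANS = {110: "PCI ERP servers"}


@dataclass(frozen=True)
class HostSeen:
    """One observation of a host, e.g. from ARP/flow data plus the switch's MAC table."""
    vlan: int
    mac: str
    ip: str
    switch: str
    port: str
    peer: str          # the other end of the first conversation observed


@dataclass
class NewHostPolicy:
    known: dict = field(default_factory=dict)    # vlan -> {mac: ip}
    alerts: list = field(default_factory=list)

    def learn(self, seen):
        """Baseline phase: record the hosts that are supposed to be on each VLAN."""
        self.known.setdefault(seen.vlan, {})[seen.mac] = seen.ip

    def observe(self, seen):
        """Monitoring phase: alert the first time an unknown MAC shows up on a sensitive VLAN."""
        hosts = self.known.setdefault(seen.vlan, {})
        if seen.mac in hosts:
            return None
        hosts[seen.mac] = seen.ip            # remember it so repeated traffic does not re-alert
        if seen.vlan not in SENSITIVE_VLANS:
            return None
        alert = {
            "vlan": seen.vlan,
            "zone": SENSITIVE_VLANS[seen.vlan],
            "ip": seen.ip,
            "mac": seen.mac,
            "location": f"{seen.switch}/{seen.port}",
            "first_peer": seen.peer,
            "follow_up": ["pull packets for this host", "optional vulnerability scan"],
        }
        self.alerts.append(alert)
        return alert


def run_demo():
    """Baseline two known ERP hosts, then replay constructed observations; returns the alerts."""
    policy = NewHostPolicy()
    for h in (HostSeen(110, "00:11:22:33:44:01", "10.110.0.11", "sw-dc1", "Gi1/0/1", "10.110.0.12"),
              HostSeen(110, "00:11:22:33:44:02", "10.110.0.12", "sw-dc1", "Gi1/0/2", "10.110.0.11")):
        policy.learn(h)
    events = [
        HostSeen(110, "00:11:22:33:44:01", "10.110.0.11", "sw-dc1", "Gi1/0/1", "10.110.0.12"),    # known
        HostSeen(110, "de:ad:be:ef:00:01", "10.110.0.77", "sw-dc1", "Gi1/0/23", "10.110.0.11"),   # new, sensitive
        HostSeen(20, "de:ad:be:ef:00:02", "10.20.0.5", "sw-floor2", "Gi2/0/4", "10.20.0.1"),       # new, not sensitive
        HostSeen(110, "de:ad:be:ef:00:01", "10.110.0.77", "sw-dc1", "Gi1/0/23", "10.110.0.12"),   # repeat sighting
    ]
    return [a for a in (policy.observe(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Keying the baseline on MAC address is a design choice: it keeps a DHCP renewal from looking like a new host. A known MAC that suddenly carries a different IP is a separate condition worth its own check.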
Malware Analytics
Improve your security posture; detect worms and malware that don’t rely on signatures
• Drill-down for event details, including start/end time, duration, list of scanned traffic, etc.
• Graphical view of the threat propagation, including patient zero
• Multiple host infections are recognized as a single event
[Figure: details of worm propagation]
Alarm on Anything/Any Place
Anyone trying or succeeding in accessing routers
• Log or alert on anyone who tries to connect to an IP x.x.x.1
Non-encrypted connections to/from regulated servers
• Log or alert on anyone NOT using SSH or SSL
Connections to/from restricted network segments
Find tunneling
• Port 80 != HTTP
• Port 443 != HTTPS
• Port 53 != DNS
• …
Your creativity is the limit here
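The report list under "Leverage Reporting To Track Activity" and the alarms on this slide are all conditions over flow records that carry a DPI-identified application. As an added example (not Riverbed NetProfiler code, and not from the deck), the following Python evaluates a constructed set of flow records against those conditions: an application not on its standard port (SMTP not on TCP/25, DNS not on UDP/53), a well-known port carrying a different application (port 443 != HTTPS, i.e. tunneling), CIFS crossing the Internet boundary, connections to x.x.x.1 router addresses, non-encrypted connections to regulated servers, and progressive SSH/RDP burrowing chains. The address ranges, the regulated-server list and the flow records are all constructed.

```python
import ipaddress
from collections import namedtuple

# A flow record as exported by a collector with DPI: app is the identified application.
Flow = namedtuple("Flow", "ts src dst proto dport app")
TCP, UDP = 6, 17

# Constructed flow records (not real traffic); ts is seconds.
SAMPLE_FLOWS = [
    Flow(100, "10.1.1.5", "10.20.5.10", TCP, 443, "https"),     # encrypted to a regulated host: fine
    Flow(110, "10.1.1.5", "10.20.5.10", TCP, 8080, "http"),     # cleartext to a regulated host
    Flow(120, "10.1.1.9", "203.0.113.7", TCP, 8025, "smtp"),    # SMTP not on TCP/25
    Flow(130, "10.1.1.9", "10.0.0.53", UDP, 5300, "dns"),       # DNS not on UDP/53
    Flow(140, "10.1.1.9", "198.51.100.4", TCP, 443, "ssh"),     # SSH inside port 443: tunneling
    Flow(150, "10.1.2.7", "198.51.100.9", TCP, 445, "cifs"),    # CIFS to the Internet
    Flow(160, "10.1.2.7", "10.1.2.1", TCP, 22, "ssh"),          # access to a router address
    Flow(200, "10.1.3.3", "10.1.4.4", TCP, 22, "ssh"),          # burrowing hop 1
    Flow(260, "10.1.4.4", "10.1.5.5", TCP, 3389, "rdp"),        # hop 2
    Flow(300, "10.1.5.5", "10.20.5.10", TCP, 22, "ssh"),        # hop 3 lands on the regulated host
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # constructed: the enterprise address space
REGULATED = {"10.20.5.10"}                         # constructed: servers in regulatory scope
ENCRYPTED_APPS = {"ssh", "https", "ssl", "tls"}
STANDARD_PORT = {"smtp": (TCP, 25), "dns": (UDP, 53)}
EXPECTED_APP = {(TCP, 80): "http", (TCP, 443): "https", (UDP, 53): "dns"}


def internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def app_off_standard_port(f):
    std = STANDARD_PORT.get(f.app)
    if std and (f.proto, f.dport) != std:
        return f"{f.app} not on {std[0]}/{std[1]}"


def port_carrying_other_app(f):
    expected = EXPECTED_APP.get((f.proto, f.dport))
    if expected and f.app != expected:
        return f"port {f.dport} != {expected} (carrying {f.app})"


def cifs_crossing_internet(f):
    if f.app == "cifs" and not (internal(f.src) and internal(f.dst)):
        return "CIFS to/from the Internet"


def router_access(f):
    if f.dst.rsplit(".", 1)[-1] == "1":
        return "connection to an x.x.x.1 address"


def cleartext_to_regulated(f):
    if f.dst in REGULATED and f.app not in ENCRYPTED_APPS:
        return "non-encrypted connection to a regulated server"


STATELESS_RULES = [app_off_standard_port, port_carrying_other_app, cifs_crossing_internet,
                   router_access, cleartext_to_regulated]


def evaluate(flows):
    """Apply every stateless rule to every flow; returns (ts, src, dst, message) tuples."""
    findings = []
    for f in flows:
        for rule in STATELESS_RULES:
            msg = rule(f)
            if msg:
                findings.append((f.ts, f.src, f.dst, msg))
    return findings


def burrowing_chains(flows, window=600, min_hops=2):
    """Progressive SSH/RDP burrowing: A -> B, then B -> C within `window` seconds, and so on.
    Returns each maximal chain as a list of hosts; suffixes of longer chains are not repeated."""
    hops = sorted((f for f in flows if f.app in {"ssh", "rdp"}), key=lambda f: f.ts)
    chains = []

    def follows(prev, nxt):
        return nxt.src == prev.dst and prev.ts < nxt.ts <= prev.ts + window

    def extend(chain):
        grew = False
        for nxt in hops:
            if follows(chain[-1], nxt) and nxt.dst not in {h.src for h in chain}:
                grew = True
                extend(chain + [nxt])
        if not grew and len(chain) >= min_hops:
            chains.append([chain[0].src] + [h.dst for h in chain])

    for start in hops:
        if not any(follows(prev, start) for prev in hops):   # only start at a chain's first hop
            extend([start])
    return chains


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_FLOWS):
        print(finding)
    print("burrowing chains:", burrowing_chains(SAMPLE_FLOWS))
```

Each stateless rule is a one-line predicate over a single flow, which is what makes "your creativity is the limit" practical: a new alarm is one more function in STATELESS_RULES. The burrowing check is the exception because it needs more than one flow; it follows destination-to-source links in time order and reports only the longest chain so the same hop sequence is not alerted three times.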
Address Real Problems
SIEM integration – Instantly Add Context (Scope & Triage)
1. Report events to your SIEM, or enable your SIEM to extract contextual information from NetProfiler
   A. The SIEM identifies a problem
   B. Right-click the node IP
2. Get context information: all of the detailed information that NetProfiler collects is delivered through the SIEM console
Packet-level integration – Instantly drill down (Scope & Triage)
REST call to NetShark
Programmability/3rd-party Integration
Automate Expert Workflows:
• Script common or tedious tasks
• React to IT events faster
• Benefit from custom features created by the community
Scripting Library • REST API • Custom Apps (Threat Visualization, Server Fail Over)
DECISION SUPPORT
Maneuver CYBER to affect our adversaries
• Discrete Event Simulation — to support decisions
• Understand where and who
• Mitigate an immediate attack (opportunity to insert mis-information)
• Monitor — trace the path (attack vectors) the adversary used
• Packets — see the data the adversary took
Thank You