Transcript Document

Real-time Security Analytics (RtSA):
Automating the Discovery, Understanding, and
Action Against Advanced Security Threats
Neal Hartsell
Vice President Marketing
Typical Enterprise Network Today
[Diagram labels: Cloud Services, Contractor, Mobility, WAN F/W & IPS, EP, Web Proxy, Server, DMZ F/W & IPS, EP, Malicious Insider, BYOD, Consumerization of IT]
2
Click Security Confidential
Are We Secure?
• IP theft to US Co’s is $250B / year
• Global cybercrime is $114 billion…
• $388 billion when you factor in downtime…
(Symantec*)
• We spent $25B on IT Security in 2012**
• $1 trillion spent globally on remediation (McAfee*)
* http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-amount-greatest-transfer-wealth-history-070912
** http://www.slideshare.net/Pack22/it-security-market-overview-sept-12
What Happened?
Massive Network Attack Surface
• Social Media
• Consumerization of IT
• IP Device Explosion
• Mobility
• Cloud Computing
Your Defense
• Signature-based Defenses: IPS, Anti-X, Firewall
• Complex
• Constant Flux
• Between 50% and 5% effective
• Staff: $1B Revenue x 5% on IT x 10% on Security x 30% on Staff / $200K/Yr loaded = 7.5 Heads
The Enemy
• Intelligent, Stealthy, Relentless, Motivated
• Numerous
– “Based on some research by the U.S. intelligence, the total number of registered hackers in China is approaching 400,000.” Infosecisland.com
Current Answer…
Event Management + Forensics
2012 Verizon Data Breach Investigations Report
Minutes – hours to execute a breach.
Days – months to discover.
Better Answer…
Real-time Security Analytics
Catch This…
Before This…
So Why Don’t We Catch Things in Real Time?
[Bar chart with values 39%, 35%, 29%, 29%, 28%, 28%, 28%, 23%; bar labels not recoverable]
A Recent Financial Services Attack
• Actor accesses network and begins operating from an internal system with a reserved IP address
• Actor attacks an internal web server with a variety of HTTP-based attacks, including buffer overflows and SQL injection
• Victim of the HTTP attacks initiates HTTPS connections with four more external systems
• Actor is sending malicious Java to an internal web server
• Attacker is logged in, anonymously, to an FTP server – and is actively transferring data
• Actor’s IP address is dynamically assigned from China’s hinet.net, a broadband ISP – and a well-known haven for hackers and phishing activity
[Diagram labels: Hacker, Entry, Attack – Reserved IP Address, Attack – Internal Web Server, Attack – Internal Web Server, ExFil $]
If This Happened to Your Company…
• Would you notice these alarms?
– Remember, one F/W @ 15K EPS = 1 Billion EPD
• Would you recognize their importance?
– High, Medium, Low severity?
• Would you know they were connected?
– e.g., how many IP addresses are involved here?
• Would you see them in time to be proactive?
– Or do you study them forensically?
• Do you even have staff to spend time on this?
– Are they skilled, experienced & with time on their hands?
Why are Traditional Security Products Failing?
[Diagram labels: Social Networking, BYODevice, Cloud, Virtualization, IT Consumerization, Relentless Jiggling of Doors, Internal Beachheads, Mobility, Spear Phishing, Compromised Credentials, Covert Control and / or Exfiltration]
• Too many holes to defend against a motivated attacker
• Not solvable with signature-based point-product solutions
• 286 million unique variations of malware – Symantec 2010
Click Security’s Real-time Security Analytics
• Get actionable intelligence around the logs and alerts that point products produce…
– But it takes you hours to days to determine if it is a false positive or false negative
• Find anomalies in logs/alerts that point products miss
– One product’s log or alert can be (on its own) seemingly innocuous
– But, pieced together with other actor information, it can be a strong indicator of compromise
• Get situational awareness of your network and its actors
– Automatically and in real-time
RtSA automates the analysis, which cost-effectively reduces business risk from advanced malware and attackers by reducing “time-to-detect”, “time-to-understand” & “time-to-act”
Real-time Security Analytics Defined…
Event – “two nouns and a verb”
• John logged in through the VPN
• John's PC attacked server X (IDS)
• John's machine was blocked by firewall on port X or app Y (Firewall)
Analytic – “two nouns, a verb and some attribution (one or more adjectives)”
• A piece of extra intelligence the system provides to an event or a group of events that enhances the context of an event
• VPN user logged in from far location (simple context augmentation analytic)
• Total # bytes from John's PC to server X exceeded Y bytes (statistical analytic)
• John's PC is sending more traffic than in past 30 days (behavior learning analytic)
Security Analytic – “multiple analytics strung together (+ assessment + guidance)”
• An alert generated by a higher-level analytic that triggers when one or more analytics or events fire in a given time period or in a given sequence
• EXAMPLE: Drive-by Download analytic fired, followed by a connection from the client to a blacklisted host within 1 minute of the download of the executable to the client
Real-time Security Analytics Solution
• Perform large numbers of Security Analytics – FAST and with high ACCURACY
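The three levels on this slide map directly onto code. The block below is an added illustration written for this transcript, not Click Security's product code: events are "two nouns and a verb" records, analytics attach attributes to them, and a security analytic fires only when tagged events occur in sequence inside a time window, using the slide's drive-by download example. The blacklist, the IP-to-country table and the event stream are constructed sample data (RFC 5737 documentation addresses), and the analytic names and thresholds are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Event:
    """An event is 'two nouns and a verb': subject, verb, object, plus when it happened (epoch seconds)."""
    ts: int
    subject: str
    verb: str
    obj: str
    context: dict = field(default_factory=dict)   # attributes that analytics attach


# Constructed reference data (assumption: a deployment would feed these from threat intel and asset data).
BLACKLISTED_HOSTS = {"203.0.113.9"}                              # RFC 5737 documentation address
USER_HOME_COUNTRY = {"john": "US", "alice": "US"}
IP_COUNTRY = {"192.0.2.44": "US", "198.51.100.7": "UG", "203.0.113.9": "CN"}


def far_location_analytic(ev):
    """Simple context augmentation: is this VPN login from a country other than the user's usual one?"""
    if ev.verb == "vpn_login":
        ev.context["far_location"] = IP_COUNTRY.get(ev.obj) != USER_HOME_COUNTRY.get(ev.subject)


def blacklist_analytic(ev):
    """Attribution: does this connection go to a host on the blacklist?"""
    if ev.verb == "connected_to":
        ev.context["blacklisted"] = ev.obj in BLACKLISTED_HOSTS


def drive_by_download_analytic(ev):
    """Stand-in for the slide's 'Drive-by Download' analytic: an executable fetched by a browser session."""
    if ev.verb == "downloaded":
        ev.context["drive_by"] = ev.obj.lower().endswith(".exe")


class SequenceAnalytic:
    """Security analytic: fire when `second` follows `first` for the same subject within `window` seconds."""

    def __init__(self, name, first, second, window):
        self.name, self.first, self.second, self.window = name, first, second, window
        self.pending = {}   # subject -> timestamps of unexpired `first` matches

    def feed(self, ev):
        if self.first(ev):
            self.pending.setdefault(ev.subject, deque()).append(ev.ts)
        if self.second(ev):
            q = self.pending.get(ev.subject, deque())
            while q and ev.ts - q[0] > self.window:   # expire matches that fell outside the window
                q.popleft()
            if q:
                return {"alert": self.name, "subject": ev.subject, "ts": ev.ts,
                        "lag_seconds": ev.ts - q[0],
                        "guidance": "isolate the host and submit the downloaded file for sandboxing"}
        return None


ANALYTICS = [far_location_analytic, blacklist_analytic, drive_by_download_analytic]


def build_security_analytics():
    """Fresh analytic state per run; the 60 s window is the slide's 'within 1 minute'."""
    return [SequenceAnalytic("drive-by download followed by blacklisted host contact",
                             first=lambda e: e.context.get("drive_by", False),
                             second=lambda e: e.context.get("blacklisted", False),
                             window=60)]


def run_pipeline(events):
    """Stream events through the analytics (which add context) and then the security analytics."""
    security = build_security_analytics()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        for analytic in ANALYTICS:
            analytic(ev)
        for sec in security:
            alert = sec.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed event stream (not real telemetry).
SAMPLE_EVENTS = [
    Event(1000, "john", "vpn_login", "192.0.2.44"),
    Event(1010, "john", "downloaded", "http://cdn.example/update.exe"),
    Event(1040, "john", "connected_to", "203.0.113.9"),     # 30 s after the download: alert
    Event(1200, "alice", "vpn_login", "198.51.100.7"),      # far location: context only, no alert by itself
    Event(1300, "alice", "downloaded", "http://cdn.example/tool.exe"),
    Event(1500, "alice", "connected_to", "203.0.113.9"),    # 200 s later: outside the window, no alert
    Event(1600, "bob", "connected_to", "203.0.113.9"),      # blacklisted, but no preceding download
]

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_EVENTS):
        print(alert)
```

Each analytic only annotates; the decision lives in the sequence analytic, so adding a new indicator means adding a tagger rather than rewriting the correlation. Note that the same blacklisted connection produces an alert for john and nothing for bob: the event is identical, the context is not.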
Example Real-time Security Analytic
Real-time Security Analytic:
“I see a user coming into a critical server from an Android device in Uganda that also has a connection to a blacklisted IP address in China, and this same user logged in from Dallas 30 minutes ago…”
Normal alerts…if you actually notice them at all…let alone soon enough…
• “I see a user tied to an unusual device”
• “I see a flow to a blacklisted IP address”
• “I see an access from a strange location”
Collect, Cross-Contextualize and Examine for Anomalies in real-time…
[Diagram inputs: Internet Threats, Enterprise Security Events, Security Policy, Authentication Activity, Flow Activity, Vulnerability Assessment, User Activity, Access Activity, Application Activity]
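The three "normal alerts" on this slide are each weak on their own; the value is in joining them on the user. The block below is an added example written for this transcript (not the vendor's code) that keeps per-user state, tags logins with an unusual-device check and a great-circle impossible-travel check, tags flows against a blacklist, and raises one high-severity alert only when all three signals land on the same user within an hour and a critical server was reached. The coordinates, the blacklist, the critical-server list, the 1000 km/h travel threshold and the sample events are constructed assumptions.

```python
import math
from dataclasses import dataclass, field

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0      # faster than this between two logins is treated as impossible travel
CORRELATION_WINDOW_S = 3600     # how long one user's weak signals stay combinable

# Constructed reference data; addresses are RFC 5737 documentation ranges (real feeds in production).
BLACKLISTED_IPS = {"203.0.113.9": "CN"}
CRITICAL_SERVERS = {"crm-db-01"}
GEO = {   # src_ip -> (city, country, lat, lon)
    "192.0.2.10": ("Dallas", "US", 32.78, -96.80),
    "198.51.100.7": ("Kampala", "UG", 0.35, 32.58),
}


@dataclass
class Event:
    ts: int           # epoch seconds
    user: str
    kind: str         # "login" (user -> server) or "flow" (user's host -> remote IP)
    src_ip: str
    dst: str
    device: str = ""
    tags: dict = field(default_factory=dict)   # attributes attached by the analytics


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


class UserState:
    def __init__(self):
        self.last_login = None      # (ts, city, lat, lon)
        self.last_target = None     # server reached by the most recent login
        self.last_distance_km = 0.0
        self.devices = set()
        self.signals = []           # (ts, tag, detail) produced for this user


class CrossContextualizer:
    """Tags each event with context, keeps per-user state, and fires when enough weak signals line up."""

    def __init__(self):
        self.users = {}

    def process(self, ev):
        st = self.users.setdefault(ev.user, UserState())
        if ev.kind == "login":
            if st.devices and ev.device not in st.devices:            # "user tied to an unusual device"
                ev.tags["unusual_device"] = ev.device
            geo = GEO.get(ev.src_ip)
            if geo and st.last_login:                                   # "access from a strange location"
                prev_ts, prev_city, plat, plon = st.last_login
                dist = haversine_km(plat, plon, geo[2], geo[3])
                hours = (ev.ts - prev_ts) / 3600
                if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
                    ev.tags["strange_location"] = f"{geo[0]}, {dist:.0f} km from {prev_city} in {hours:.1f} h"
                    st.last_distance_km = dist
            if geo:
                st.last_login = (ev.ts, geo[0], geo[2], geo[3])
            st.last_target = ev.dst
            st.devices.add(ev.device)
        elif ev.kind == "flow" and ev.dst in BLACKLISTED_IPS:          # "flow to a blacklisted IP address"
            ev.tags["blacklisted_flow"] = f"{ev.dst} ({BLACKLISTED_IPS[ev.dst]})"
        for tag in ("unusual_device", "strange_location", "blacklisted_flow"):
            if tag in ev.tags:
                st.signals.append((ev.ts, tag, ev.tags[tag]))
        return self._security_analytic(ev, st)

    def _security_analytic(self, ev, st):
        """Fire only when all three signals exist for this user inside the window and a critical server was touched."""
        st.signals = [s for s in st.signals if ev.ts - s[0] <= CORRELATION_WINDOW_S]
        present = {tag: detail for _, tag, detail in st.signals}
        if {"unusual_device", "strange_location", "blacklisted_flow"} <= present.keys() \
                and st.last_target in CRITICAL_SERVERS:
            return {"severity": "HIGH", "user": ev.user, "ts": ev.ts, "server": st.last_target,
                    "distance_km": st.last_distance_km,
                    "narrative": (f"{ev.user} reached {st.last_target} from {present['unusual_device']} "
                                  f"({present['strange_location']}) and has a flow to {present['blacklisted_flow']}")}
        return None


def run(events):
    engine, alerts = CrossContextualizer(), []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = engine.process(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample stream reproducing the slide's scenario.
SAMPLE_EVENTS = [
    Event(1000, "john", "login", "192.0.2.10", "crm-db-01", device="Windows laptop"),
    Event(2800, "john", "login", "198.51.100.7", "crm-db-01", device="Android"),   # 30 minutes later
    Event(2830, "john", "flow", "198.51.100.7", "203.0.113.9"),
    Event(3000, "alice", "flow", "192.0.2.10", "203.0.113.9"),                      # one weak signal alone
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["narrative"])
```

Alice's blacklisted flow is tagged but never alerted, which is the point of the slide: the single-source alert still exists for investigation, but the analyst's attention is spent on the user for whom device, location and destination all disagree with history.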
More Examples ...
• User connected to IP address with bad reputation
• Located in foreign countries or enemy networks
• Machine facilitating lateral movement
• Using many different IPs or usernames
• Extreme numbers of consecutive failed logins
• Using remote access protocols, such as SSH and RDP
• Communicating via non-standard protocols or ports
• Generating high event count or anomaly count
• Active at odd hours
• Participating in large data transfers or certain types of transfers
• Using suspicious HTTP user-agents, methods or URIs
• Generating large numbers of HTTP client or server errors
• Generating certain sequences / collections of IDS alerts
• Multiple systems acting in a coordinated fashion
Real-Time Security Analytics (RtSA)
Click Analytics
• Programmable Real-time Analytics
• Captured Intelligence
• “Lego” building blocks
Click Platform
• Stream Processing Engine
• Dynamic Visualizations
• Interactive Workbooks
• Highly Scalable
Click Labs
• Security Threat Expertise
• Protocol / Application Savvy
• Module Development
• Customer Environment Assessment
RtSA in Use
[Diagram labels: ALERT, INVESTIGATE, Lockdown; Click Labs Analytics Service; Dashboard; Dynamic Workbooks; Module Authoring; Click Analytics Stream Processing Engine – Real-time Stream Processing, Real-time Investigation, Batch Process Investigation]
• System Health Monitoring
• Analytic Alert Monitoring
• Alert Investigation
• Ad-Hoc Anomaly Investigation
• Incident & Status Reporting
Real World Customer Example
Major Retailer, Monday May 13, 2013
[Diagram labels: Live Network & Security Telemetry; Click Analytics Stream Processing Engine; CLAS; Incident Report]
General Findings
• Systems from all over the world are logging into, or attempting to log in to, a specific SSH server at the customer
• Server at xx.xx.xx.xx is under heavy attack, and a heavy majority of the attackers are sourcing from the area in and around Beijing, China
• One Attacker: xx.xx.xx.xx
– IP is located in China
– Per the SANS Internet Storm Center, this IP has been reported as an attacker since 2010, with almost 50,000 targets and a commensurate number of incident reports
Specific Findings
• Beachhead appears to have been compromised. Patterns are consistent with successful logins from multiple remote hosts using a minimal number of attempts.
• Beachhead has accessed 4 internal systems. These internal systems have unpatched vulnerabilities.
• Next layer of fanout suggests as many as 70 systems involved.
Conclusion
• Appears to be a compromised server that is being used to move laterally inside customer network
• Significant potential for compromise and data leakage
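The findings on this slide (and the "extreme numbers of consecutive failed logins" and "remote access protocols, such as SSH" items on the More Examples slide) can be reproduced from ordinary sshd logs plus flow records. The block below is an added example written for this transcript, not the CLAS report or any Click Security code: it parses constructed OpenSSH-style auth lines, attributes each source to a city from a constructed geo table, applies the slide's "successful logins from multiple remote hosts using a minimal number of attempts" heuristic as a beachhead indicator, and walks constructed flow records from the beachhead to count the fanout at each hop. The log lines, addresses (RFC 5737 ranges), geo table, hostnames and thresholds are all constructed assumptions.

```python
import re
from collections import Counter, deque

# Constructed OpenSSH-style auth log for the customer's SSH server (not real data).
AUTH_LOG = """\
May 13 03:12:01 bastion sshd[1021]: Failed password for root from 203.0.113.5 port 51022 ssh2
May 13 03:12:04 bastion sshd[1021]: Accepted password for deploy from 203.0.113.5 port 51030 ssh2
May 13 03:12:09 bastion sshd[1030]: Failed password for invalid user admin from 203.0.113.6 port 40010 ssh2
May 13 03:12:11 bastion sshd[1030]: Failed password for invalid user admin from 203.0.113.6 port 40011 ssh2
May 13 03:12:15 bastion sshd[1031]: Accepted password for deploy from 203.0.113.6 port 40012 ssh2
May 13 03:13:02 bastion sshd[1040]: Failed password for root from 203.0.113.7 port 33001 ssh2
May 13 03:13:05 bastion sshd[1040]: Failed password for root from 203.0.113.7 port 33002 ssh2
May 13 03:13:09 bastion sshd[1040]: Failed password for root from 203.0.113.7 port 33003 ssh2
May 13 03:14:30 bastion sshd[1052]: Failed password for invalid user test from 198.51.100.20 port 22010 ssh2
May 13 03:15:00 bastion sshd[1060]: Accepted publickey for ops from 192.0.2.99 port 60000 ssh2
"""

# Constructed geolocation (assumption: production would use a GeoIP database and reputation feeds).
GEO = {
    "203.0.113.5": ("Beijing", "CN"), "203.0.113.6": ("Beijing", "CN"), "203.0.113.7": ("Beijing", "CN"),
    "198.51.100.20": ("Sao Paulo", "BR"), "192.0.2.99": ("Frankfurt", "DE"),
}

# Constructed flow records (source host, destination host) observed after the suspicious logins.
FLOWS = [("bastion", "app-01"), ("bastion", "app-02"), ("bastion", "db-01"), ("bastion", "file-01"),
         ("app-01", "app-03"), ("app-01", "db-02"), ("app-02", "db-02"), ("file-01", "backup-01")]

LINE_RE = re.compile(r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")


def parse_auth_log(text):
    """Extract outcome, user and source IP from each sshd authentication line; other lines are ignored."""
    return [m.groupdict() for m in (LINE_RE.search(line) for line in text.splitlines()) if m]


def per_source(records):
    """Per source IP: failed and accepted counts plus the city, the basis for the 'General Findings'."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["src"], {"failed": 0, "accepted": 0,
                                          "city": GEO.get(r["src"], ("unknown", "??"))[0]})
        s["failed" if r["outcome"] == "Failed" else "accepted"] += 1
    return summary


def dominant_region(summary):
    """The city most sources come from, and its share of all sources ('heavy majority' check)."""
    city, n = Counter(s["city"] for s in summary.values()).most_common(1)[0]
    return city, n / len(summary)


def beachhead_indicators(summary, max_failures=2, min_hosts=2):
    """'Successful logins from multiple remote hosts using a minimal number of attempts' (an indicator, not proof)."""
    hosts = sorted(ip for ip, s in summary.items() if s["accepted"] > 0 and s["failed"] <= max_failures)
    return len(hosts) >= min_hosts, hosts


def fanout(flows, root, max_depth=2):
    """Breadth-first walk of the flow graph from the beachhead: the set of hosts first reached at each hop."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, set()).add(dst)
    seen, levels, frontier = {root}, {}, deque([(root, 0)])
    while frontier:
        host, depth = frontier.popleft()
        if depth == max_depth:
            continue
        for nxt in adj.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                levels.setdefault(depth + 1, set()).add(nxt)
                frontier.append((nxt, depth + 1))
    return levels


def incident_report(auth_text, flows, beachhead):
    """Assemble what the analyst reads: how many sources, from where, low-effort successes, and fanout per hop."""
    summary = per_source(parse_auth_log(auth_text))
    city, share = dominant_region(summary)
    suspected, hosts = beachhead_indicators(summary)
    return {"sources": len(summary), "dominant_city": city, "dominant_share": round(share, 2),
            "beachhead_suspected": suspected, "low_effort_successes": hosts,
            "fanout": {depth: len(h) for depth, h in fanout(flows, beachhead).items()}}


if __name__ == "__main__":
    print(incident_report(AUTH_LOG, FLOWS, "bastion"))
```

The low-effort-success list deliberately includes the Frankfurt key-based login: the heuristic surfaces candidates, and it is the region share, the reputation data and the fanout that turn candidates into the slide's conclusion. The per-hop counts are what make "4 internal systems, then as many as 70" a number an analyst can verify rather than an impression.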
How We Are Different
Forensics
• Designed for “Network DVR” post analysis
• Deep “after the fact” analysis
• Some real-time alerting
Malware Protection
• NGFW
– Good for application anomalies
• Sandbox Investigation
– Good for identified malicious or anomalous ‘fileware’ or communication channels
SIEM
• Designed for log management
• Simple alerting
• Short window of persistence
• Requires PSO to tune
• Simple analytics in nature
Map Reduced Fast Log Search
• Designed to speed ad hoc queries of logs through distributed data store and indexing
• Facilitates full historical query of log information
• Good for compliance
Real-time Security Analytics
• Designed to automate the analyst
• Real-time contextualization and automated, interactive analysis
• Long windows of persistence
• Large # concurrent, multi-factor analytics
• Integrates visibility, anomaly, and incident investigation across:
– Users / Devices
– Servers / Apps / Flows
– Files
REAL-TIME SECURITY ANALYTICS
AUTOMATE THE ANALYSIS