
Real-time Security Analytics: Visibility, Alerting or Forensic Digging - Which is it? Steven Urban Click Security.




1 Real-time Security Analytics: Visibility, Alerting or Forensic Digging - Which is it? Steven Urban, Click Security

2 What this prezo will address…
1. What is a security analytic anyway?
2. Who on my staff would actually use this product?
3. What problems does it actually solve?
4. Does it replace products like Log Management systems and SIEMs?
Click Security Confidential 2

3 Typical Enterprise Network Today
(Network diagram; labels: WAN, F/W & IPS, EP, Cloud Services, BYOD, Consumerization of IT, Malicious Insider, DMZ F/W & IPS, Contractor, Web Proxy Server, Mobility)

4 Are We Secure?
We spent $25B on IT Security in 2012**
IP theft to US Co’s is $250B / year
Global cybercrime is $114 billion… $388 billion when you factor in downtime… (Symantec*)
$1 trillion spent globally on remediation (McAfee*)
** http://www.slideshare.net/Pack22/it-security-market-overview-sept-12
(Diagram of deployed controls; labels: NAC, IAM, MDM, DLP, Secure Web Proxy, SIEM, UTM, Secure G/W, Endpoint Protection, MSSP, Firewall)

5 What Happened?
Massive Network Attack Surface: Social Media, Consumerization of IT, IP Device Explosion, Mobility, Cloud Computing (Numerous, Complex, Constant Flux)
Your Defense: Signature-based Defenses (IPS, Anti-X, Firewall) between 50% and 5% effective; Staff: $1B Revenue x 5% on IT x 10% on Security x 30% on Staff / $200K/Yr loaded = 7.5 Heads
The Enemy: Intelligent, Stealthy, Relentless, Motivated
“Based on some research by the U.S. intelligence, the total number of registered hackers in China is approaching 400,000.” Infosecisland.com

6 A Recently Experienced Attack…
(Attack diagram; labels: Reserved IP Address, Attack Internal Web Server, Entry, ExFil, Attribution)

7 Autopsy Report
Did you see these alarms?
– Remember a 15K EPS = 1 Billion EPD
Did you recognize their relative importance?
– High, Medium, Low severity?
Did you know they were connected?
– e.g., how many IP addresses are involved here?
Did you see them in time to be proactive?
– Or do you study them forensically?
Do you even have staff to spend time on this?
– Or are you chief, cook and bottle washer?

8 Current Answer… Event Management + Forensics
Minutes – hours to execute a breach. Days – months to discover. (Verizon Data Breach Investigations Report)

9 Better Answer… Real-time Security Analytics
Catch This… Before This…

10 So Why Don’t We Catch Things in Real Time?
(Bar chart; values 39%, 35%, 29%, 28%, 23%; the category labels did not survive in the transcript)

11 The Security Analytics Spectrum
Real-time: Tuned for real-time contextualization of anomalies and quick investigative / incident response action
Asymmetric (batch, offline): Tuned for off-line deep, historical investigation

12 Example Real-time Security Analytic
Inputs: Internet Threats, Enterprise Security Events, Security Policy, Authentication Activity, Flow Activity, User Activity, Vulnerability Assessment, Application Activity, Access Activity
Collect, Cross-Contextualize and Examine for Anomalies in real-time…
Normal alerts… if you actually notice them…
“I see a flow to a blacklisted IP address”
“I see a user tied to an unusual device”
“I see an access from a strange location”
Real-time Security Analytic:
“I see a user coming into a critical server from an Android device in Uganda that also has a connection to a blacklisted IP address in China, and this same user logged in from Dallas 30 minutes ago…”

13 What If You Could Do This…?

14 Real-Time Security Analytics (RtSA)
Click Platform: Stream Processing Engine, Dynamic Visualizations, Interactive Workbooks, Highly Scalable
Click Modules: Programmable Real-time Analytics, Captured Intelligence, “Lego” building blocks
Click Labs: Security Threat Expertise, Protocol / Application Savvy, Module Development, Customer Environment Assessment

15 Automated, Real-time Contextualization
Flow Events: Client Entity, Server Entity, Time First / Last Active, Flow Type, Transport Protocol, Application Protocol, Prior / Current State, Byte / Packet Count, Session ID, Other Entities
Security Events: Client Entity, Server Entity, Detection Time, Rule, Result, Message, Other Entities
Authentication Events: Client Entity, Server Entity, Authentication Time, Protocol Type, Result, Message, Other Entities
Access Events: Client Entity, Server Entity, Access Time, Resource Type, Result, Message, Other Entities
Actor / Entity: Username, Hostname, Entity Type, Time First / Last Active, IP Address, MAC Address, Recent Network Flows, Recent Authentications, Recent Accesses, Recent Security Events, DHCP Lease, NAT Lease, VPN Lease, Other Entities
Augmentation Modules / Utility Modules: Directory Lookup, HRIS Information, DHCP Information, WHOIS Information, O/S Fingerprint Data, NMAP Assessments, Anti-Virus Information, Asset Information Data, Vulnerability Scan Data, Geo-Location Information, Entity Severity Information, Password Cracking Information, Network Monitoring Information, Firewall Configuration and Logs, IDS/IPS Configuration and Logs, Forward & Reverse DNS Resolution, Blacklist/Whitelist Reputational Data
Analysis Modules: Routing Anomalies, Malicious Callbacks, SPAM Relay Detector, Proxy Bypass Detector, Information Ex-filtration, Suspicious Web Traffic, Covert Channel Detector, Suspicious Data Access, Anomalous User Behavior, Anomalous Detector, Suspicious Account Lockouts, Firewall Rule Analysis Module, Anomalous Endpoint Behavior, Data Storage/Access Anomalies, Compromised Account Detection, Inappropriate Resource Utilization, Anomalous Network Transmission
Action Modules, External System (diagram boxes)
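The analytic on slide 12 and the entity model on slide 15 describe one mechanism: fold each flow, authentication and access event into a per-actor record, enrich it with augmentation data (geo-location, reputation, asset and device baselines), and let an analysis module score a critical-server access against that accumulated context rather than firing one alert per signal. The following Python sketch is an added illustration of that idea and is not Click Security's code; the geo table, the reputation list, the asset and device baselines, the field names and every event record are constructed (IP addresses are from documentation ranges), and the scoring rule (at least two corroborating factors on a critical server) is an assumption chosen for the example.

```python
"""Actor-centric cross-contextualization of security telemetry (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Augmentation data: constructed stand-ins for the geo-location, reputation and
# asset/HRIS lookups that the deck lists as augmentation modules.
GEO = {"10.0.5.20": ("Dallas", "US"), "192.0.2.45": ("Kampala", "UG"),
       "203.0.113.66": ("Shanghai", "CN")}
BLACKLIST = {"203.0.113.66"}          # reputation feed entry (constructed, TEST-NET address)
CRITICAL_SERVERS = {"erp-db-01"}      # asset information: servers rated critical
USUAL_DEVICE = {"jsmith": "windows"}  # per-user device baseline (constructed)
TRAVEL_WINDOW = timedelta(hours=2)    # logins from two countries inside this window are suspicious


@dataclass
class Actor:
    """Per-user entity holding the 'Recent Authentications / Accesses' lists of slide 15."""
    username: str
    recent_auths: list = field(default_factory=list)
    recent_accesses: list = field(default_factory=list)


def geo(ip):
    return GEO.get(ip, ("unknown", "??"))


class Contextualizer:
    def __init__(self):
        self.actors = {}
        self.flows_by_client = defaultdict(list)  # device IP -> flow events seen from it
        self.simple_alerts = []    # one-signal alerts ("normal alerts" on slide 12)
        self.analytic_alerts = []  # cross-contextualized composite alerts

    def actor(self, user):
        return self.actors.setdefault(user, Actor(user))

    def ingest(self, ev):
        """Stream entry point: fold one event into actor context and run the analytics."""
        if ev["type"] == "flow":
            self.flows_by_client[ev["client"]].append(ev)
            if ev["server"] in BLACKLIST:
                self.simple_alerts.append(f"flow from {ev['client']} to blacklisted IP {ev['server']}")
        elif ev["type"] == "auth" and ev["result"] == "success":
            self.actor(ev["user"]).recent_auths.append(ev)
            if ev["device"] != USUAL_DEVICE.get(ev["user"], ev["device"]):
                self.simple_alerts.append(f"user {ev['user']} tied to unusual device {ev['device']}")
        elif ev["type"] == "access":
            a = self.actor(ev["user"])
            a.recent_accesses.append(ev)
            home = geo(a.recent_auths[0]["client"])[1] if a.recent_auths else None
            if home and geo(ev["client"])[1] != home:
                self.simple_alerts.append(f"access by {ev['user']} from unusual location {geo(ev['client'])}")
            alert = self.analyze_access(a, ev)
            if alert:
                self.analytic_alerts.append(alert)

    def analyze_access(self, actor, ev):
        """Analysis module: score one critical-server access against the actor's context."""
        if ev["server"] not in CRITICAL_SERVERS:
            return None
        device, when = ev["client"], ev["time"]
        city, country = geo(device)
        factors = []
        # Which authentication tied this user to this device, and was the device type usual?
        auth = next((x for x in reversed(actor.recent_auths) if x["client"] == device), None)
        if auth and auth["device"] != USUAL_DEVICE.get(actor.username, auth["device"]):
            factors.append(f"via unusual device type {auth['device']}")
        # Does the same device have a flow to a blacklisted destination?
        callbacks = [f for f in self.flows_by_client[device] if f["server"] in BLACKLIST]
        if callbacks:
            dst = callbacks[-1]["server"]
            factors.append(f"device also connected to blacklisted IP {dst} in {geo(dst)[1]}")
        # Did this user authenticate from another country shortly before?
        prior = [x for x in actor.recent_auths
                 if x["client"] != device and geo(x["client"])[1] != country
                 and timedelta(0) <= when - x["time"] <= TRAVEL_WINDOW]
        if prior:
            mins = int((when - prior[-1]["time"]).total_seconds() // 60)
            factors.append(f"same user logged in from {geo(prior[-1]['client'])[0]} {mins} minutes ago")
        if len(factors) < 2:  # assumed threshold: a single factor stays a "normal alert"
            return None
        return {"user": actor.username, "server": ev["server"], "location": f"{city}, {country}",
                "score": len(factors), "factors": factors,
                "summary": f"user {actor.username} accessed critical server {ev['server']} "
                           f"from {city}, {country}; " + "; ".join(factors)}


def t(hm):
    return datetime(2013, 6, 3, *map(int, hm.split(":")))


SAMPLE_EVENTS = [  # constructed telemetry in arrival order, mirroring the slide-12 scenario
    {"type": "auth", "time": t("09:00"), "user": "jsmith", "client": "10.0.5.20",
     "server": "dc-01", "device": "windows", "result": "success"},
    {"type": "flow", "time": t("09:20"), "client": "192.0.2.45", "server": "203.0.113.66"},
    {"type": "auth", "time": t("09:29"), "user": "jsmith", "client": "192.0.2.45",
     "server": "vpn-01", "device": "android", "result": "success"},
    {"type": "access", "time": t("09:30"), "user": "jsmith", "client": "192.0.2.45",
     "server": "erp-db-01", "resource": "db"},
]


def run(events=SAMPLE_EVENTS):
    c = Contextualizer()
    for ev in events:
        c.ingest(ev)
    return c


if __name__ == "__main__":
    c = run()
    print("simple alerts:", *c.simple_alerts, sep="\n  ")
    print("analytic alerts:", *(a["summary"] for a in c.analytic_alerts), sep="\n  ")
```

Run as-is, the three single-signal alerts of slide 12 (blacklisted flow, unusual device, unusual location) are all raised separately, and only the access event pulls them together into one composite alert naming the device type, the blacklisted callback and the Dallas login 30 minutes earlier. The point a practitioner should take from the structure is that the composite judgement is only possible because flows were kept per device before any user was tied to that device; an analytic that starts collecting context at the moment of the critical access would miss the earlier callback.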

16 Different Strokes…
SIEM (RDBMS): Data Storage feeds Processor Memory; SERIAL Query Analytic; Crunch Time: Hours to Days; Good for: Compliance Mgmt (limited data volume processing, simple alerting)
Batch Query Analytics (Distributed Map Reduce): Data Storage feeds Processor Memory; SERIAL Query Analytic; Crunch Time: Minutes; Good for: Forensic Analysis (large data volume processing, but not large # analytics)
RtSA (Stream Processing Engine): Data in Memory at the Processor, with Data Storage alongside; PARALLEL Query Analytic; Crunch Time: Seconds; Good for: Real-time Analytics (large data volume processing, AND large # concurrent analytics)

17 Example Analytics Application: RtSA Tracker
Actor Prioritization: Automated Histogram of High Anomaly Actors
Actor Fanout: Automated Fan-out of Actor Connectivity

18 RtSA Tracker Workbook: Blacklisted Actors by Country
Miners ingest 100,000+ events into “human usable” tables
Interpreters apply Click Lab’s application and protocol knowledge to the data
Analyzers automatically contextualize event, flow, authentication, access and augmentation data to 12,000+ actors
RtSA Tracker’s Blacklist Workbook brings visual acuity to 43 blacklisted Actors
Actor Location: 43 blacklisted actors by country of origin
Actor Relationships: Selected actors (Germany, Bahamas, and US) relationships by status and communications
Actor Activity: Blacklisted actors: servers receiving transmissions from a handful of systems on a protected network

19 RtSA Tracker Workbook: Total Critical: Top 25 Actors by Critical Event Count
Actor is an internal system with a reserved IP address (blue)
Actor is attacking an internal (blue) web server with a variety of HTTP-based attacks, including buffer overflows and SQL injection
Actor is sending malicious java to an internal web server
Victim of the HTTP attacks has initiated HTTPS connections with four external systems (the rightmost fan-out pattern); three in the US (gray), one in Europe (pink)
Attacker is logged in, anonymously, to an FTP server – and is actively transferring data. The blue (internal) node top left also anonymously logged into the same FTP server.
The gold-colored node is from Asia – actor’s IP address is dynamically assigned from China’s hinet.net, a broadband ISP – and a well-known haven for hackers and phishing activity

20 RtSA Workflow
(Workflow diagram; labels: Looking for Something…, New Module Authoring, Lockdown Action, Real-time Stream Processing, Click Modules, Found Something!, Confident, Needs Investigation, Understood & Actionable, Dynamic Workbooks, External Triggers, Real-time Investigation, Interactive Reporting, Batch Process Investigation)

21 Market Evolution
(Diagram; labels: SIEM, Batch Query Analytics, Real-time Security Analytics, Log Management, Forensic Archive, Compliance Reporting, Big Data Search, Big Data Analytics)

22 RtSA Solution Benefits
Find and Stop Attack Activity – Early in the Kill Chain: Actor-tracking contextualizes big data into prioritized, in-depth security visibility – automatically
Speed & Simplify Analysis / Incident Response Process: Dynamic Workbooks provide real-time visualization, interactive data analysis, and immediate results encoding
Modular Analytics Evolve with Changing Threat Landscape: Click Labs continually adds new Workbooks and Click Modules; analysts can quickly and easily create their own
Leverage Existing Information and Enforcement Infrastructure: No rip and replace. Utilize existing data sources and enforcement points.

23 Real-Time Security Analytics: Automated Investigation | Automated Lockdown

