Real-time Security Analytics: Visibility, Alerting or Forensic Digging - Which is it? Neal Hartsell Vice President Marketing.

Presentation transcript:

Real-time Security Analytics: Visibility, Alerting or Forensic Digging - Which is it? Neal Hartsell Vice President Marketing

What this prezo will address…
1. What is a security analytic anyway?
2. Who on my staff would actually use this product?
3. What problems does it actually solve?
4. Does it replace products like Log Management systems and SIEMs?
Click Security Confidential 2

Typical Enterprise Network Today
[Network diagram] Components shown: WAN; F/W & IPS; endpoints (EP); Cloud Services; BYOD / Consumerization of IT; Malicious Insider; DMZ with F/W & IPS; Contractor; Web Proxy Server; Mobility.

Are We Secure?
- We spent $25B on IT Security in 2012
- IP theft to US Co’s is $250B / year
- Global cybercrime is $114 billion… $388 billion when you factor in downtime (Symantec)
- $1 trillion was spent globally on remediation (McAfee)

What Happened?
Massive Network Attack Surface: Social Media; Consumerization of IT; IP Device Explosion; Mobility; Cloud Computing
“Based on some research by the U.S. intelligence, the total number of registered hackers in China is approaching 400,000.” (Infosecisland.com)
Your Defense:
- Signature-based Defenses (IPS, Anti-X, Firewall): between 50% and 5% effective
- Staff: $1B Revenue x 5% on IT x 10% on Security x 30% on Staff / $200K/Yr loaded = 7.5 Heads
The Enemy: Intelligent, Stealthy, Relentless, Motivated; Numerous; Complex; Constant Flux

[Attack diagram] Reserved IP Address → Attack Internal Web Server → Entry → ExFil ($) → Attribution

Autopsy Report
- Did you see these alarms? Remember a 15K EPS = 1 Billion EPD
- Did you recognize their relative importance? High, Medium, Low severity?
- Did you know they were connected? e.g., how many IP addresses are involved here?
- Did you see them in time to be proactive? Or do you study them forensically?
- Do you even have staff to spend time on this? Or are you chief, cook and bottle washer?

Current Answer… Forensics
Minutes – hours to execute a breach. Days – months to discover. (Verizon Data Breach Investigations Report)

Better Answer… Real-time Security Analytics
Catch This… Before This…

Incident Detection Challenges

Security Analytics Defined

What is a Security Analytic?
Visibility… Detect: Did this entity take this action on this entity?
Action: If this entity took this action on this entity… then take this action AUTOMATICALLY and in REAL TIME.
Examples of actions: Alert Human; Block IP; Quarantine Endpoint; Gather more data; Create trouble ticket; Execute script.
…and a Real-time Security Analytic.

Example Analytics
Example Interactive Reports
1. Authentication history for this entity (user, dept, zone, etc.)
2. What accts in this entity logged in during x timeframe
3. Show all service accounts; show all that are machine local / distributed
4. Authentication history by (user, dept, zone, geo…)
5. Root cause a user account lock out
Example Alerts
1. Anomalous log in by some attribute (to service, time, loc, etc.)
2. “Relative to user” failed log in attempts
3. Failed log ins to a specific app
4. Distributed failed log ins
5. Service acct failed log in
6. Acct log in from non-whitelisted geo area
7. Outlier detection
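The detect-then-act pattern behind three of the alerts listed above ("relative to user" failed log-ins, distributed failed log-ins, and log-in from a non-whitelisted geo area), written out as an added example that is not code from Click Security or this presentation. The event fields, the geo whitelist, the default per-user baseline, the action mapping and the sample stream are all constructed for illustration; the geo field is assumed to have been filled in by an earlier geo-location augmentation step.

```python
"""Authentication analytics over an event stream (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 600  # sliding window for counting failed log-ins


@dataclass(frozen=True)
class AuthEvent:
    ts: int       # seconds since epoch (constructed values below)
    client: str   # client entity, here the source IP
    server: str   # server entity, e.g. a domain controller
    user: str
    result: str   # "success" or "failure"
    geo: str      # country code from the (assumed) geo augmentation step


# Action module: which automatic response each alert type triggers (hypothetical mapping).
ACTIONS = {
    "distributed_failed_logins": "gather_more_data",
    "relative_failed_logins": "alert_human",
    "login_from_non_whitelisted_geo": "block_ip",
}


class AuthAnalytic:
    """Stateful analytic: keeps each user's failures inside the window, emits
    (alert_type, user, detail) tuples and records the automatic action taken."""

    def __init__(self, whitelisted_geos, baseline_failures=None, distributed_min_clients=5):
        self.whitelisted = set(whitelisted_geos)
        # Hypothetical learned baseline: expected failures per user per window.
        self.baseline: Dict[str, int] = dict(baseline_failures or {})
        self.distributed_min_clients = distributed_min_clients
        self.failures: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
        self.alerts: List[Tuple[str, str, object]] = []
        self.actions: List[Tuple[str, str]] = []

    def _expire(self, user: str, now: int) -> None:
        q = self.failures[user]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()

    def process(self, ev: AuthEvent) -> List[Tuple[str, str, object]]:
        fired: List[Tuple[str, str, object]] = []
        if ev.result == "failure":
            self._expire(ev.user, ev.ts)
            q = self.failures[ev.user]
            clients_before = {c for _, c in q}
            q.append((ev.ts, ev.client))
            # "Relative to user": alert once when failures exceed 3x the user's own
            # baseline (default baseline of 2 per window if none was learned).
            limit = 3 * self.baseline.get(ev.user, 2)
            if len(q) == limit + 1:
                fired.append(("relative_failed_logins", ev.user, len(q)))
            # Distributed: one account failing from many distinct client entities;
            # fire only when the distinct-client count crosses the threshold.
            clients_after = {c for _, c in q}
            if len(clients_before) < self.distributed_min_clients <= len(clients_after):
                fired.append(("distributed_failed_logins", ev.user, len(clients_after)))
        elif ev.result == "success" and ev.geo not in self.whitelisted:
            fired.append(("login_from_non_whitelisted_geo", ev.user, ev.geo))
        for alert in fired:
            self.alerts.append(alert)
            # The action targets the client entity that produced the event.
            self.actions.append((ACTIONS[alert[0]], ev.client))
        return fired


# Constructed sample stream: five distinct clients fail for alice, then two more
# failures from the last client, then a success from a non-whitelisted country.
SAMPLE_EVENTS = [
    AuthEvent(1000, "10.0.0.1", "dc01", "alice", "failure", "US"),
    AuthEvent(1010, "10.0.0.2", "dc01", "alice", "failure", "US"),
    AuthEvent(1020, "10.0.0.3", "dc01", "alice", "failure", "US"),
    AuthEvent(1030, "10.0.0.4", "dc01", "alice", "failure", "US"),
    AuthEvent(1040, "10.0.0.5", "dc01", "alice", "failure", "US"),
    AuthEvent(1050, "10.0.0.5", "dc01", "alice", "failure", "US"),
    AuthEvent(1060, "10.0.0.5", "dc01", "alice", "failure", "US"),
    AuthEvent(1200, "203.0.113.9", "vpn01", "bob", "success", "RU"),
    AuthEvent(1210, "10.0.0.7", "dc01", "carol", "success", "US"),
]


def run_sample():
    analytic = AuthAnalytic(whitelisted_geos={"US", "DE"})
    for ev in SAMPLE_EVENTS:
        analytic.process(ev)
    return analytic.alerts, analytic.actions


if __name__ == "__main__":
    for alert, action in zip(*run_sample()):
        print(alert, "->", action)
```

The threshold checks fire on the crossing event only, so a stream that keeps failing from the same client does not re-alert every second; a production version would also want the baseline learned per user from historical data rather than defaulted.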

Real-Time Security Analytics
Click Labs: Security Threat Expertise; Protocol / Application Savvy; Module Development; Customer Environment Assessment
Click Modules: Programmable Real-time Analytics; Captured Intelligence; “Lego” building blocks
Click Platform: Stream Processing Engine; Dynamic Visualizations; Interactive Workbooks; Highly Scalable

Solution Requirements…
- …’s to 1000’s of complex statistical, heuristic, and behavioral correlation analytics running persistently
- Lots of data sources …in their full glory
- Parallel processing real-time data crunching and visualization engine
Coverage. Speed. Accuracy.

Automated, Real-time Contextualization
Event types ingested:
- Flow Events: Client Entity; Server Entity; Time First / Last Active; Flow Type; Transport Protocol; Application Protocol; Prior / Current State; Byte / Packet Count; Session ID; Other Entities
- Security Events: Client Entity; Server Entity; Detection Time; Rule; Result; Message; Other Entities
- Authentication Events: Client Entity; Server Entity; Authentication Time; Protocol Type; Result; Message; Other Entities
- Access Events: Client Entity; Server Entity; Access Time; Resource Type; Result; Message; Other Entities
Actor / Entity record (contextualized from the events above): Username; Hostname; Entity Type; Time First / Last Active; IP Address; MAC Address; Recent Network Flows; Recent Authentications; Recent Accesses; Recent Security Events; DHCP Lease; NAT Lease; VPN Lease; Other Entities
Augmentation Modules / Utility Modules: Directory Lookup; HRIS Information; DHCP Information; WHOIS Information; O/S Fingerprint Data; NMAP Assessments; Anti-Virus Information; Asset Information Data; Vulnerability Scan Data; Geo-Location Information; Entity Severity Information; Password Cracking Information; Network Monitoring Information; Firewall Configuration and Logs; IDS/IPS Configuration and Logs; Forward & Reverse DNS Resolution; Blacklist/Whitelist Reputational Data
Analysis Modules: Routing Anomalies; Malicious Callbacks; SPAM Relay Detector; Proxy Bypass Detector; Information Ex-filtration; Suspicious Web Traffic; Covert Channel Detector; Suspicious Data Access; Anomalous User Behavior; Anomalous Detector; Suspicious Account Lockouts; Firewall Rule Analysis Module; Anomalous Endpoint Behavior; Data Storage/Access Anomalies; Compromised Account Detection; Inappropriate Resource Utilization; Anomalous Network Transmission
Action Modules → External System
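How the contextualization on this slide fits together in code: an added example, not Click Security's code, that folds a mixed stream of flow, authentication and security events into Actor/Entity records, enriches each new actor from two augmentation lookups (DHCP lease to hostname, asset owner to username) plus a blacklist reputation set, runs two of the named analysis modules (Malicious Callbacks, Compromised Account Detection) and prioritizes actors by an entity severity score. The lookup tables, the event dictionaries, the severity weights and the sample stream are all constructed for illustration.

```python
"""Actor contextualization over flow, auth and security events (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set

# Constructed augmentation data (stand-ins for DHCP, asset and reputation feeds).
DHCP_LEASES = {"10.0.0.12": "ws-finance-03", "10.0.0.40": "ws-hr-07"}
ASSET_OWNER = {"ws-finance-03": "alice", "ws-hr-07": "dave"}
BLACKLIST = {"198.51.100.7"}


@dataclass
class Actor:
    ip: str
    hostname: Optional[str] = None
    username: Optional[str] = None
    first_active: Optional[int] = None
    last_active: Optional[int] = None
    recent_flows: Deque[dict] = field(default_factory=lambda: deque(maxlen=100))
    recent_auths: Deque[dict] = field(default_factory=lambda: deque(maxlen=100))
    recent_security_events: Deque[dict] = field(default_factory=lambda: deque(maxlen=100))
    tags: Set[str] = field(default_factory=set)

    def severity(self) -> int:
        # Entity severity (constructed weights): each IDS/IPS hit counts 2, each analysis tag 5.
        return 2 * len(self.recent_security_events) + 5 * len(self.tags)


class Contextualizer:
    def __init__(self) -> None:
        self.actors: Dict[str, Actor] = {}

    def actor(self, entity_id: str, ts: int) -> Actor:
        """Return the Actor for an entity id, creating and augmenting it on first sight."""
        a = self.actors.get(entity_id)
        if a is None:
            a = Actor(ip=entity_id, hostname=DHCP_LEASES.get(entity_id), first_active=ts)
            if a.hostname:
                a.username = ASSET_OWNER.get(a.hostname)  # asset owner as initial guess
            self.actors[entity_id] = a
        a.last_active = ts if a.last_active is None else max(a.last_active, ts)
        return a

    def ingest(self, ev: dict) -> Actor:
        """Attach one event to both entities it names, then re-run analysis on the client."""
        client = self.actor(ev["client"], ev["ts"])
        server = self.actor(ev["server"], ev["ts"])
        if ev["kind"] == "flow":
            client.recent_flows.append(ev)
            server.recent_flows.append(ev)
        elif ev["kind"] == "auth":
            client.recent_auths.append(ev)
            if ev["result"] == "success":
                client.username = ev["user"]  # an observed log-in beats the asset-owner guess
        elif ev["kind"] == "security":
            client.recent_security_events.append(ev)
        self.analyze(client)
        return client

    @staticmethod
    def analyze(actor: Actor) -> None:
        # Analysis module "Malicious Callbacks": outbound flow to a blacklisted server.
        if any(f["server"] in BLACKLIST for f in actor.recent_flows if f["client"] == actor.ip):
            actor.tags.add("malicious_callback")
        # Analysis module "Compromised Account Detection": repeated failures, then a success.
        results = [a["result"] for a in actor.recent_auths]
        if results.count("failure") >= 3 and results[-1:] == ["success"]:
            actor.tags.add("compromised_account_candidate")

    def top_actors(self, n: int) -> List[Actor]:
        """Actor prioritization: highest severity first, ties broken by entity id."""
        return sorted(self.actors.values(), key=lambda a: (-a.severity(), a.ip))[:n]


# Constructed sample stream.
SAMPLE_EVENTS = [
    {"kind": "flow", "ts": 100, "client": "10.0.0.12", "server": "198.51.100.7",
     "transport": "tcp", "app": "https", "bytes": 4200},
    {"kind": "auth", "ts": 110, "client": "10.0.0.40", "server": "dc01", "user": "dave", "result": "failure"},
    {"kind": "auth", "ts": 120, "client": "10.0.0.40", "server": "dc01", "user": "dave", "result": "failure"},
    {"kind": "auth", "ts": 130, "client": "10.0.0.40", "server": "dc01", "user": "dave", "result": "failure"},
    {"kind": "security", "ts": 140, "client": "10.0.0.40", "server": "10.0.0.5",
     "rule": "http-sqli-attempt", "result": "alert", "message": "SQL injection pattern in URI"},
    {"kind": "auth", "ts": 150, "client": "10.0.0.40", "server": "dc01", "user": "dave", "result": "success"},
]


def run_sample() -> Contextualizer:
    ctx = Contextualizer()
    for ev in SAMPLE_EVENTS:
        ctx.ingest(ev)
    return ctx


if __name__ == "__main__":
    for a in run_sample().top_actors(3):
        print(a.ip, a.hostname, a.username, a.severity(), sorted(a.tags))
```

Every event touches both the client and the server entity, which is what lets a later workbook pivot from a victim web server to the actors that talked to it; the analysis modules only re-run for the client entity of each event, so a server that merely appears in a blacklisted flow is not itself tagged.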

Different Strokes…
- SIEM (RDBMS): data storage → processor memory; SERIAL query analytic; crunch time hours to days. Good for: Compliance Mgmt (limited data volume processing, simple alerting)
- Batch Query Analytics (Distributed Map Reduce): data storage → processor memory; SERIAL query analytic; crunch time minutes. Good for: Forensic Analysis (large data volume processing, but not large # analytics)
- RtSA (Stream Processing Engine): data in memory on the processor; PARALLEL query analytic; crunch time seconds. Good for: Real-time Analytics (large data volume processing AND large # concurrent analytics)

Example Analytics Application: RtSA Tracker
Actor Prioritization: Automated Histogram of High Anomaly Actors
Actor Fanout: Automated Fan-out of Actor Connectivity

RtSA Tracker Workbook: Blacklisted Actors by Country
- Miners ingest 100,000+ events into “human usable” tables
- Interpreters apply Click Lab’s application and protocol knowledge to the data
- Analyzers automatically contextualize event, flow, authentication, access and augmentation data to 12,000+ actors
- RtSA Tracker’s Blacklist Workbook brings visual acuity to 43 blacklisted Actors
Actor Location: 43 blacklisted actors by country of origin
Actor Relationships: Selected actors (Germany, Bahamas, and US) relationships by status and communications
Actor Activity: Blacklisted actors: servers receiving transmissions from a handful of systems on a protected network

RtSA Tracker Workbook: Total Critical: Top 25 Actors by Critical Event Count
- Actor is an internal system with a reserved IP address (blue)
- Actor is attacking an internal (blue) web server with a variety of HTTP-based attacks, including buffer overflows and SQL injection
- Actor is sending malicious java to an internal web server
- Victim of the HTTP attacks has initiated HTTPS connections with four external systems (the rightmost fan-out pattern); three in the US (gray), one in Europe (pink)
- Attacker is logged in, anonymously, to an FTP server – and is actively transferring data. The blue (internal) node top left also anonymously logged into the same FTP server.
- The gold-colored node is from Asia – the actor’s IP address is dynamically assigned from China’s hinet.net, a broadband ISP – and a well-known haven for hackers and phishing activity

RtSA Workflow
[Workflow diagram] Looking for Something… → Real-time Stream Processing (Click Modules) → Found Something!
- Confident → Lockdown Action
- Needs Investigation → Real-time Investigation (Dynamic Workbooks, External Triggers) and Batch Process Investigation (Interactive Reporting)
- Understood & Actionable → New Module Authoring

Market Evolution
Log Management → SIEM → Real-time Security Analytics; Batch Query Analytics
Forensic Archive; Compliance Reporting; Big Data Search; Big Data Analytics

RtSA Solution Benefits
- Find and Stop Attack Activity – Early in the Kill Chain: Actor-tracking contextualizes big data into prioritized, in-depth security visibility, automatically
- Speed & Simplify Analysis / Incident Response Process: Dynamic Workbooks provide real-time visualization, interactive data analysis, and immediate results encoding
- Modular Analytics Evolve with Changing Threat Landscape: Click Labs continually adds new Workbooks and Click Modules; analysts can quickly and easily create their own
- Leverage Existing Information and Enforcement Infrastructure: No rip and replace. Utilize existing data sources and enforcement points.

Real-Time Security Analytics: Automated Investigation | Automated Lockdown