Investigating, Mitigating and Preventing Cyber Attacks with Security Analytics

Presentation material from Cyber Security Briefing held in Ottawa on June 12, 2013.
- Investigating, Mitigating, and Preventing Cyber Attacks with Security Analytics and Visualization - Presented by: Orion Suydam, Director of Product Management, 21CT

  1. Investigating and Preventing Cyber Attacks with Security Analytics and Visualization. Orion Suydam, Director of Product Management, 21CT. June 12, 2013. Unleash Your Data. Secure Your World.
  2. About 21CT. Timeline, 1999 to 2013: 21CT established as an innovation incubator for the Department of Defense and Intel community; 21CT applies Graph Pattern Matching technology to Department of Defense projects for detecting terrorist activity; commercialization of Graph Pattern Matching in cyber security; launch of LYNXeon for the intelligence community; launch of LYNXeon for cyber security within DoD; LYNXeon launches for enterprise cyber security; LYNXeon releases enhanced graph search for pattern detection. 8 patents awarded and 5 applied. 21CT surpasses 100 employees.
  3. Human Versus Human Battle. You know they are inside your network and you want to go on the offensive. Protecting the business is YOUR business, and perimeter defenses only stop what they recognize. Unleash Your Data.
  4. LYNXeon from 21CT: Security Data Visualization & Analytics
     • Provide unprecedented network visibility
     • Identify previously hidden malicious behavior
     • Determine incident impact with full activity history pre- and post-breach
     • Create active defense and go head-to-head against the adversaries
  5. LYNXeon Demo: Threat Feed Insights
  6. Threat Feed Demo (Step 1)
     • We’ve imported our favorite threat feed of known bad IP addresses
     • Question: Which internal hosts have connected to a known bad IP?
     • Answer: initiated 2 port 80 connections to a known bad IP
  7. Threat Feed Demo (Step 2)
     • We’ve “expanded” on the known bad host to learn more about it
     • The good news: no other internal hosts have connected to it
     • More good news: we have some detail on one of the port 80 connections
     • The bad news: the external website is called “”
     • Hovering over the HTTP node reveals that a binary was downloaded in the process
  8. Threat Feed Demo (Step 3)
     • Let’s find other cases of this binary being downloaded from other sites
     • We ask the question by clicking on the nodes that represent our pattern of interest: an external host, an internal host, and an HTTP file download
     • Note that we retain the MD5 hash of the downloaded file
     • With this pattern defined, LYNXeon finds all other instances
  9. Threat Feed Demo (Step 4)
     • The bad news is that we have identified yet another internal host that downloaded the same file (but from a different external site)
     • This new external site was NOT in our threat feed
     • So we now have two internal hosts to investigate & remediate and a new external IP to add to our list of known bad IP addresses
     • The good news is that no other internal hosts connected to this 2nd host
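The four demo steps above (feed match, expand, pivot on the file hash, triage) written out as an added example over constructed flow/HTTP records. This is not 21CT's or LYNXeon's code; the record shape, the feed contents and every IP and hash below are constructed sample values.

```python
from collections import defaultdict

# Constructed sample data, not a real capture. THREAT_FEED is the imported list of
# known-bad IPs; RECORDS are (internal_host, external_ip, dst_port, md5_of_download)
# tuples, with md5 None when no file was fetched over that connection.
THREAT_FEED = {"203.0.113.7"}
RECORDS = [
    ("10.0.0.5", "203.0.113.7", 80, "d41d8cd98f00b204e9800998ecf8427e"),   # bad IP, binary fetched
    ("10.0.0.5", "203.0.113.7", 80, None),                                 # second port-80 connection
    ("10.0.0.9", "198.51.100.4", 80, "d41d8cd98f00b204e9800998ecf8427e"),  # same binary, site not in feed
    ("10.0.0.12", "192.0.2.30", 443, None),                                # unrelated traffic
    ("10.0.0.12", "192.0.2.31", 80, "0cc175b9c0f1b6a831c399e269772661"),   # unrelated download
]


def hosts_talking_to_feed(records, feed):
    """Step 1: which internal hosts connected to a known-bad IP, and on which ports."""
    hits = defaultdict(list)
    for host, ext, port, _md5 in records:
        if ext in feed:
            hits[host].append((ext, port))
    return dict(hits)


def downloaded_hashes(records, bad_ips):
    """Step 2: hashes of files fetched from the known-bad hosts (the pivot key)."""
    return {md5 for _host, ext, _port, md5 in records if ext in bad_ips and md5}


def pivot_on_hashes(records, hashes):
    """Step 3: every (internal, external) pair that moved one of those files,
    regardless of whether the external side is in the feed."""
    return {(host, ext) for host, ext, _port, md5 in records if md5 in hashes}


def triage(records, feed):
    """Step 4: hosts to investigate/remediate and external IPs to add to the feed."""
    pairs = pivot_on_hashes(records, downloaded_hashes(records, feed))
    affected = {host for host, _ in pairs} | set(hosts_talking_to_feed(records, feed))
    new_bad = {ext for _, ext in pairs} - feed
    return sorted(affected), sorted(new_bad)


if __name__ == "__main__":
    print(hosts_talking_to_feed(RECORDS, THREAT_FEED))
    print(triage(RECORDS, THREAT_FEED))
```

The pivot in step 3 is what turns a single feed hit into a second infected host and a second bad IP that the feed did not know about.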
  10. LYNXeon Use Cases
  11. “Using LYNXeon is like setting fire to the haystack to find the needle.” Josh Sokol, National Instruments
  12. “Ultimate Malware Intelligence” | “Threat Feed Intelligence” | “Behavioral Analysis Intelligence”
     Malware Insight
     –  Confirmed gaps in malware detection
     –  Identified other undetected infected hosts
     –  Extended the value of their perimeter defense
     Threat Feed Insight
     –  Cross-check threat feeds against historical NetFlow and DPI logs
     –  Identify suspicious host activity
     –  Find similarly undetected patterns in the network
     Hunting Insight
     –  Reveal hosts not conforming to corporate policy
     –  Highlight and flag assets acting abnormally
     –  Find compromised hosts that no detection system will find
  13. Malware Insight: LYNXeon in use by National Instruments to extend malware threat defense
     Challenge:
     •  Perimeter defense systems (IPS/IDS, malware detection, etc.) miss attacks
     Need:
     •  Comprehensive malware coverage
     “By combining our malware analysis using FireEye and our NetFlow analysis using LYNXeon, we have created a hybrid system capable of far more than either of these tools by themselves. This is the magic of symbiotic security in action.” -- Josh Sokol, NI
  14. Malware Insight: Step 1
     •  Fuse data from existing systems: FireEye & NetFlow
     •  FireEye alert detected between malicious host and internal host
     (Diagram labels: FireEye Alert; Malicious host)
  15. Malware Insight: Step 2
     (Diagram labels: 1. Original host pair; 2. Other hosts; 3. LYNXeon analytic reveals potential command and control hosts)
     LYNXeon:
     –  Reveals other compromised hosts and potentially malicious external hosts
     –  Extends the value of perimeter defenses
  16. Threat Feed Insights
     Challenge:
     •  US Air Force receives a constant stream of intelligence feeds from various sources
     •  Analysts typically have limited experience to utilize and respond to threat feeds
     Need:
     •  Analysts must quickly answer:
        –  Have we seen these threats on our network?
        –  How did a threat propagate?
        –  Who was affected?
     “First term airmen with limited experience can easily operate LYNXeon, developing their own query patterns to uncover suspicious and potentially threatening network activity.” -- Air Force, Cyber Threat Analysis Lead
  17. Threat Feed Insights
     •  In seconds determine which hosts are talking to known bad sites
     •  Further investigation quickly reveals the depth of the problem
     (Diagram labels: These hosts have talked to known bad host; Were files downloaded?; From which other sites were these files downloaded?)
  18. Hunting Insight
     Challenge:
     •  Investigating anomalous network behavior to proactively remediate issues
     Need:
     •  Implement active defenses and stay ahead of the threat
     Rackspace also uses LYNXeon for “proactive hunting” to uncover abnormalities and is revealing surprising results.
  19. Hunting for Anomalies
     •  Rapidly visualize the network and observe the behavior of high value assets
     •  Find managed assets using external DNS
     •  LYNXeon uncovers a managed asset using more than 216 different external DNS servers in one day
     (Diagram labels: Domain Controllers; Internal system connecting to myriad external DNS)
  20. Hunting for Anomalies
     (Diagram label: Policy violation: web traffic leaving domain controllers)
     LYNXeon:
     –  Reveals hosts not conforming to corporate policy, helping IT resolve policy issues
     –  In the best case: a policy violation
     –  In the worst case: compromised asset
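The two hunting checks on slides 19 and 20 (a managed host fanning out to many external DNS servers, and web traffic leaving a domain controller) as an added example over constructed flow records. This is not 21CT's or LYNXeon's code; the internal range, the domain controller list, the threshold and all sample flows are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")               # assumed internal address range
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}   # constructed high-value asset list

# Constructed flow records: (src_ip, dst_ip, dst_port). One managed host queries
# many external resolvers, one domain controller browses the web, the rest is normal.
FLOWS = [("10.0.0.42", f"198.51.100.{i}", 53) for i in range(1, 9)]        # 8 external DNS servers
FLOWS += [("10.0.0.43", "10.0.0.53", 53), ("10.0.0.43", "10.0.0.54", 53)]  # internal resolvers only
FLOWS += [("10.0.0.43", "203.0.113.5", 53)]                                # a single external lookup
FLOWS += [("10.0.0.10", "192.0.2.80", 443), ("10.0.0.11", "10.0.0.53", 53)]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def external_dns_fanout(flows, threshold):
    """Count distinct external DNS servers each internal host talked to and return
    the hosts above threshold (the slide's real case was 216 servers in one day)."""
    servers = defaultdict(set)
    for src, dst, port in flows:
        if port == 53 and is_internal(src) and not is_internal(dst):
            servers[src].add(dst)
    return {host: len(s) for host, s in servers.items() if len(s) > threshold}


def dc_web_egress(flows, dcs):
    """Policy check: web traffic (80/443) from a domain controller to an external IP.
    Best case a policy violation, worst case a compromised asset."""
    return sorted((src, dst, port) for src, dst, port in flows
                  if src in dcs and port in (80, 443) and not is_internal(dst))


if __name__ == "__main__":
    print(external_dns_fanout(FLOWS, threshold=5))
    print(dc_web_egress(FLOWS, DOMAIN_CONTROLLERS))
```

Both checks are policy questions rather than signature matches, which is why they surface hosts that a perimeter device has no reason to flag.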
  21. 6011 W Courtyard Dr, Building 5, Suite 300, Austin, TX 78730. Phone: 512.682.4700. Fax: 512.682.4701. www.21CT.com