APT Monitoring and Compliance
How do we detect the newest threats? APTs challenge us to create innovative defenses to manage risk and stay compliant.

Presentation Transcript

  • Trends in Compliance Monitoring
    Compliance Automation
    How does it work and what are the benefits?
    Presented by
    Marcus Clarke
    Meridian Group
  • Light and Darkness on IT Street
    If you lose your car keys at night, do you look only under the streetlights?
    Do you get down on your hands and knees and feel around for them?
    Durable monitoring for Compliance and Risk Management requires that we look at everything that’s happening on our networks. But can we see everything?
    No. Not only do we have to look under the lights, but we also have to grope around in the dark.
    © Meridian Group Inc. 2010
  • Pattern vs. Behavior
    In the light, we can immediately recognize the visual pattern of a threat. This is similar to being able to immediately recognize the signature (pattern) of a known virus.
    In the dark, immediate visual recognition is no longer possible. Using all our senses, we must observe behavior and assemble clues over time to deduce the presence of the threat we cannot see.
  • Clarke Threat Matrix
  • “Black Swans”
    A highly improbable, unanticipated event that carries great impact. Often induces ‘expert’ rationalization in hindsight.
    Frequently associated with ‘experts’ confusing the absence of evidence with evidence of absence. Unseen danger lurks…
    While typically a risk management issue, Black Swan events can suddenly expose weaknesses in compliance strategy.
  • Our street lighting just isn’t the same as it once was.
    (Chart: aggregate infection potential of network compromise, based on a network of 100 Windows PCs secured using ‘best practice’ malware defenses.)
  • Advanced Persistent Threats (APT)
    Advanced – Uses the full spectrum of computer intrusion techniques, and is designed to actively resist detection and eradication attempts.
    Persistent – Maximizes control of the target computer by elevating privilege in order to preserve or regain control and access.
    Threat – Acts as a ‘launch platform’ for a wide variety of malicious activity such as further attacks, data theft, extortion and destruction.
  • Anatomy of a Known APT operation…
    The primary detectable evidence of APT infection is the traffic to the Command and Control (CnC) servers. The same channel is also used to download new code.
    Most APTs wrap CnC traffic in HTTPS so that it blends in with normal egress traffic and evades content inspection.
    Many use techniques such as Domain Fluxing (algorithmically generated, rapidly changing CnC domain names) to obfuscate the identity and location of the CnC host.
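Domain fluxing leaves a trace even when the CnC payload itself is encrypted: the infected host has to resolve a stream of generated names, most of which do not exist yet. The following is an added example, not code from the deck or from Meridian Group, that scores a resolver log for that behaviour. The log format ("epoch client qname rcode"), the sample lines, and the thresholds (label length, entropy, vowel ratio, minimum counts) are all assumptions; the whole log is treated as a single time window.

```python
"""Added example, not from the deck: flag clients whose resolver traffic looks like
domain fluxing (DGA). Heuristic: a client asking for several long, high-entropy,
vowel-poor names that mostly fail to resolve. The log format is hypothetical."""
import math
import re
from collections import defaultdict

# Constructed resolver log in a hypothetical "epoch client qname rcode" layout.
SAMPLE_LOG = """\
1289563200 10.0.0.12 www.example.com NOERROR
1289563201 10.0.0.12 mail.example.com NOERROR
1289563205 10.0.0.12 static.example.com NOERROR
1289563210 10.0.0.12 cdn.example.net NOERROR
1289563200 10.0.0.57 qzkxv7mbrtw.com NXDOMAIN
1289563202 10.0.0.57 plf93jdkqwzx.net NXDOMAIN
1289563204 10.0.0.57 xv9qlmbrtw2k.info NXDOMAIN
1289563206 10.0.0.57 bqwtrk93zxlv.com NXDOMAIN
1289563208 10.0.0.57 mrtzp0x2kqlv.biz NXDOMAIN
1289563210 10.0.0.57 kz3vqwlrbtmx.com NOERROR
1289563212 10.0.0.57 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_line(line):
    """Return (epoch, client, qname, rcode) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return int(ts), client, qname.lower().rstrip("."), rcode


def second_level_label(qname):
    """Label directly left of the TLD. Naive: treats the last label as the
    public suffix, so co.uk-style suffixes would need a public suffix list."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character; random strings over [a-z0-9] score well above 3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_algorithmic_label(label):
    """Lexical heuristic for DGA output: long, high entropy, few vowels.
    Thresholds are assumptions; tune them against your own resolver logs."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.3


def analyze(log_text, min_algorithmic=3, min_nxdomain=3):
    """Score every client over the whole log (treated as one time window) and
    return the clients that look like they are fluxing through generated names.
    The algorithmic names that *did* resolve are the live CnC candidates."""
    per_client = defaultdict(lambda: {"algorithmic": set(), "resolved": set(), "nxdomain": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname, rcode = rec
        stats = per_client[client]
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
        if is_algorithmic_label(second_level_label(qname)):
            stats["algorithmic"].add(qname)
            if rcode == "NOERROR":
                stats["resolved"].add(qname)
    flagged = {}
    for client, s in per_client.items():
        if len(s["algorithmic"]) >= min_algorithmic and s["nxdomain"] >= min_nxdomain:
            flagged[client] = {
                "algorithmic_domains": len(s["algorithmic"]),
                "nxdomain": s["nxdomain"],
                "likely_cnc": sorted(s["resolved"]),
            }
    return flagged


if __name__ == "__main__":
    for client, info in analyze(SAMPLE_LOG).items():
        print(client, info)
```

The per-client aggregation matters more than the per-name score: a single odd-looking hostname is common (CDNs, tracking pixels), but one workstation burning through several such names that all return NXDOMAIN is not. The one generated name that resolved is the first thing to pull a packet capture or proxy log for, since that is where the HTTPS CnC channel described above terminates.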
  • Strategic Priorities
    Currently known (detectable) APTs are the primary concern for all organizations. They are relatively inexpensive to detect today.
    Unknown APTs and Zero-day Exploits are a secondary focus, not only because we believe they are less common, but because they are much more expensive to detect.
    Black Swan events are by definition unknowable in advance, but their consequences can’t be ignored: this is where Business Continuity planning comes in.
  • APT Defense is Possible
    It requires prior knowledge of common APT behavior: you have to know what to look for, for example periodic CnC traffic.
    This works very well for popular toolkits such as Zeus, so it is effective against the vast majority of current APTs.
    Accept that defense today occurs after the fact, once the host is already infected. Sooner is better. Immediate is best.
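"Periodic CnC traffic" is a timing property, so it can be detected without decrypting anything. The following is an added example, not code from the deck or from Meridian Group, that looks for scheduled check-ins in a connection log using only who talked to whom, how often, and how regularly. The log format ("ts= src= dst= dport= bytes="), the sample lines, and the thresholds (minimum connections, maximum coefficient of variation) are assumptions.

```python
"""Added example, not from the deck: find periodic outbound connections
(CnC beaconing) in a constructed connection log. Because the payload is TLS,
the only features used are the (src, dst, port) tuple and the gaps between
successive connections. The log format is hypothetical."""
import re
import statistics
from collections import defaultdict

# Constructed connection log (hypothetical key=value layout). 10.0.0.57 calls the
# same host every ~300 s with a few seconds of jitter; 10.0.0.12 is a person browsing.
SAMPLE_LOG = """\
ts=1289563200 src=10.0.0.57 dst=203.0.113.10 dport=443 bytes=612
ts=1289563498 src=10.0.0.57 dst=203.0.113.10 dport=443 bytes=608
ts=1289563805 src=10.0.0.57 dst=203.0.113.10 dport=443 bytes=615
ts=1289564101 src=10.0.0.57 dst=203.0.113.10 dport=443 bytes=611
ts=1289564403 src=10.0.0.57 dst=203.0.113.10 dport=443 bytes=609
ts=1289564698 src=10.0.0.57 dst=203.0.113.10 dport=443 bytes=614
ts=1289565002 src=10.0.0.57 dst=203.0.113.10 dport=443 bytes=610
ts=1289565301 src=10.0.0.57 dst=203.0.113.10 dport=443 bytes=612
ts=1289565602 src=10.0.0.57 dst=203.0.113.10 dport=443 bytes=607
ts=1289563200 src=10.0.0.12 dst=198.51.100.7 dport=443 bytes=48211
ts=1289563203 src=10.0.0.12 dst=198.51.100.7 dport=443 bytes=1920
ts=1289563204 src=10.0.0.12 dst=198.51.100.7 dport=443 bytes=77012
ts=1289563320 src=10.0.0.12 dst=198.51.100.7 dport=443 bytes=5120
ts=1289563321 src=10.0.0.12 dst=198.51.100.7 dport=443 bytes=3300
ts=1289564100 src=10.0.0.12 dst=198.51.100.7 dport=443 bytes=90100
ts=1289564105 src=10.0.0.12 dst=198.51.100.7 dport=443 bytes=1200
ts=1289565600 src=10.0.0.12 dst=198.51.100.7 dport=443 bytes=61000
ts=1289565601 src=10.0.0.12 dst=198.51.100.7 dport=443 bytes=800
ts=1289563900 src=10.0.0.12 dst=192.0.2.5 dport=443 bytes=4100
"""

LINE_RE = re.compile(r"ts=(\d+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")


def parse_connections(log_text):
    """Group connection start times by (src, dst, dport); unparsable lines are skipped."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, _bytes = m.groups()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows


def interval_stats(timestamps):
    """Median period and coefficient of variation (stdev / mean) of the gaps
    between successive connections. A process on a timer has a small CV;
    a human clicking around does not."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, float("inf")
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return statistics.median(gaps), cv


def find_beacons(log_text, min_connections=6, max_cv=0.1):
    """Return {(src, dst, dport): {...}} for flows regular enough to look scheduled.
    min_connections and max_cv are assumed thresholds, not values from the deck."""
    beacons = {}
    for key, times in parse_connections(log_text).items():
        if len(times) < min_connections:
            continue
        period, cv = interval_stats(times)
        if cv <= max_cv:
            beacons[key] = {"count": len(times), "period_s": period, "cv": round(cv, 4)}
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} every ~{info['period_s']:.0f}s "
              f"({info['count']} hits, cv={info['cv']})")
```

This catches the fixed-sleep-plus-small-jitter pattern that commodity toolkits use. It is defeated by a large randomized sleep, so in practice the CV threshold is paired with other signals (a destination no other host talks to, near-constant request sizes, the DNS behaviour above) rather than used alone, and the counts are computed over a sliding window so a beacon that starts mid-day is not diluted by hours of silence.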
  • 1. Monitoring Unidentifiable Activity
    While a particular threat may be unknown, its likely intent can be estimated with reasonable accuracy.
    Understanding probable intent provides us with defensive knowledge. For example, a threat with the intent of ‘owning’ a machine will likely reveal itself through new processes or registry changes.
  • 2. Making sense of unidentifiable activity
    Monitor all possible network activity by using technology that reports everything it does.
    Use available technology to autonomously identify, and block or quarantine, suspect activity.
    Use available technology to aggregate, normalize and intelligently correlate diverse data. ‘Short-list’ any remaining suspect activity for further investigation and forensic analysis.
  • 3. Building Situational Awareness
    Normalize and aggregate data from diverse sources into a single database.
    Perform near real-time analysis on data streams to alert on suspect activity.
    Provide fast, flexible ad-hoc reporting to examine data from multiple perspectives.
    Provide forensic search capabilities on very large sets of raw data.
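Sections 1 to 3 describe one pipeline: estimate what an intruder who wants to ‘own’ a machine must do (new process, registry change), pull diverse sources into one normalized store, correlate, and keep the store queryable for ad-hoc and forensic work. The following is an added example, not code from the deck or from Meridian Group, that does exactly that in miniature with SQLite. The host-agent and proxy log formats, the asset inventory, the sample events and the ten-minute correlation window are all assumptions.

```python
"""Added example, not from the deck: normalize two constructed log sources (a
host agent and a web proxy) plus an asset inventory into one SQLite table, then
run a correlation query for the 'owning a machine' pattern the deck describes:
a new executable launched from a user-writable path, a Run-key persistence
change, and outbound TLS from the same host, all within a short window.
Both log formats are hypothetical."""
import re
import sqlite3
from datetime import datetime, timezone

# Constructed host-agent events (hypothetical "timestamp key=value ..." layout).
HOST_AGENT_LOG = r"""
2010-11-12T10:00:05Z host=WS-0057 user=jdoe type=process_create image=C:\Users\jdoe\AppData\Local\Temp\upd.exe
2010-11-12T10:00:09Z host=WS-0057 user=jdoe type=registry_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd
2010-11-12T10:02:11Z host=WS-0012 user=asmith type=process_create image=C:\Windows\System32\notepad.exe
2010-11-12T10:02:15Z host=WS-0012 user=asmith type=registry_set key=HKCU\Software\Microsoft\Office\14.0\Word\Options
"""

# Constructed proxy log (hypothetical "timestamp client-ip CONNECT host:port status").
PROXY_LOG = """
2010-11-12T10:00:40Z 10.0.0.57 CONNECT kz3vqwlrbtmx.com:443 200
2010-11-12T10:02:30Z 10.0.0.12 CONNECT www.example.com:443 200
2010-11-12T10:05:40Z 10.0.0.57 CONNECT kz3vqwlrbtmx.com:443 200
"""

# Constructed asset inventory used to join proxy client IPs to host names.
ASSETS = {"10.0.0.57": "WS-0057", "10.0.0.12": "WS-0012"}

KV_RE = re.compile(r"(\w+)=(\S+)")
PROXY_RE = re.compile(r"^(\S+) (\S+) CONNECT (\S+):(\d+) (\d+)$")


def to_epoch(stamp):
    """ISO-8601 UTC timestamp -> integer epoch seconds (the common time base)."""
    return int(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def normalize_host_agent(text):
    """Yield (ts, host, source, category, detail) rows in the common schema."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        kv = dict(KV_RE.findall(rest))
        if kv.get("type") == "process_create":
            yield to_epoch(stamp), kv["host"], "host_agent", "process_create", kv["image"]
        elif kv.get("type") == "registry_set" and "\\CurrentVersion\\Run\\" in kv["key"]:
            yield to_epoch(stamp), kv["host"], "host_agent", "registry_run_key", kv["key"]
        # other registry writes are deliberately not part of this example's schema


def normalize_proxy(text, assets):
    """Proxy lines carry an IP, so the asset inventory supplies the host name."""
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        stamp, ip, dest, port, _status = m.groups()
        host = assets.get(ip, ip)  # fall back to the raw IP if inventory is incomplete
        yield to_epoch(stamp), host, "proxy", "outbound_tls", f"{dest}:{port}"


def build_db(host_agent_text=HOST_AGENT_LOG, proxy_text=PROXY_LOG, assets=ASSETS):
    """Load every source into a single in-memory events table."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE events(ts INTEGER, host TEXT, source TEXT, category TEXT, detail TEXT)")
    rows = list(normalize_host_agent(host_agent_text)) + list(normalize_proxy(proxy_text, assets))
    con.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    con.execute("CREATE INDEX events_host_ts ON events(host, ts)")
    return con


# SQLite LIKE treats a backslash literally when no ESCAPE clause is given.
CORRELATION_SQL = r"""
SELECT p.host, p.ts AS first_seen, p.detail AS image, r.detail AS run_key, n.detail AS destination
FROM events p
JOIN events r ON r.host = p.host AND r.category = 'registry_run_key'
             AND r.ts BETWEEN p.ts AND p.ts + :window
JOIN events n ON n.host = p.host AND n.category = 'outbound_tls'
             AND n.ts BETWEEN p.ts AND p.ts + :window
WHERE p.category = 'process_create'
  AND (p.detail LIKE '%\AppData\%' OR p.detail LIKE '%\Temp\%')
GROUP BY p.host, p.detail, r.detail, n.detail
ORDER BY p.ts
"""


def correlate(con, window_seconds=600):
    """Hosts showing all three behaviours inside the window (600 s is an assumed value)."""
    return [dict(row) for row in con.execute(CORRELATION_SQL, {"window": window_seconds})]


def destinations_by_host(con, host):
    """Ad-hoc / forensic query over the same table: where has this host connected?"""
    rows = con.execute(
        "SELECT detail, COUNT(*) AS hits FROM events "
        "WHERE host = ? AND category = 'outbound_tls' GROUP BY detail ORDER BY hits DESC",
        (host,),
    )
    return [(row["detail"], row["hits"]) for row in rows]


if __name__ == "__main__":
    db = build_db()
    for hit in correlate(db):
        print(hit)
        print("  destinations:", destinations_by_host(db, hit["host"]))
```

The point of the single schema is that the correlation is one query rather than three tools and a spreadsheet: the same table answers the alerting question (which hosts show the full intent pattern) and the forensic question (what else did that host talk to). Only one host in the constructed data trips the rule; the other launched a system binary and wrote an Office key, which is the kind of activity the ‘short-list’ step is meant to keep out of the analyst's queue.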
  • 4. Compliance Automation
    Monitor and map detailed real-time event, configuration, asset and vulnerability data to corresponding sections in the underlying compliance policy.
    Provide standard and ad-hoc reporting of Compliance over any time frame.
    Support manual attestation of process controls associated with compliance.
  • Conclusion
    In the era of APTs and unknown threats, a robust Risk Management protocol is vital to operational longevity.
    Comprehensive monitoring, normalizing and aggregation of data for Risk Management is only a short step away from compliance automation with the right technology.
    Business Continuity and Disaster Recovery planning are more important than ever. Don’t get ‘too big to fail.’ Look at New Orleans.
  • Thank you!
    Marcus Clarke
    mclarke@ipkey.com
    505-243-1010
  • Unknown APT Defense
    “Build visibility in one’s organization to provide the situational awareness to have a chance to discover, and hopefully frustrate APT activities.”
    “Without information from the network, hosts, logs and other sources, even the most skilled analyst is helpless. Most security shops should be pursuing such programs already.”
  • IT Security is undergoing a ‘Sea-Change’
    Huge investment in signature-based malware detection and prevention systems (AV, IDS).
    This status quo is becoming marginalized as conventional malware is supplanted by botnet agents and other Advanced Persistent Threats (APTs).
    Infection vectors are shifting from file based to web based, requiring rigorous Application Control mechanisms.
  • …and no-one wants to hear this
    Executives don’t want to hear how much more time and money the changes in today’s IT Security take.
    IT Professionals don’t want to hear that most of their defensive technology and skills are obsolete.