
Voice of the Customer: Piecing together AWS services to deliver monitoring and alerting of legacy security controls.


Our business still retains many legacy security controls, and we are looking to modernize the way we operate those controls to give us more freedom in terms of how we manage monitoring and alerting. In a relatively short amount of time I was able to build two solutions to meet some basic needs our team had. The first would check the health of systems in our controls suite and alert an on-call person of an issue, while the second was an automated config backup solution to ensure our controls could be restored to their current config.


2. QUOTE FROM OUR SAGES
  • “Every single thing that a person sees or hears, is an instruction …” - Ba’al Shemtov

3. WHO IS IDT?
  FOUNDED: 1990 | EMPLOYEES: 1400 | INDUSTRY: Telecom | OPERATIONS: 20 countries
  IDT Corporation (NYSE: IDT) is a multinational conglomerate headquartered in Newark, New Jersey with operations primarily in the following industries:
  • Telecommunications
  • Energy and Oil
  • Banking and Finance
  • Media and Entertainment
  • Pharmaceuticals
  • Education

4. THE SECURITY CHALLENGE
  • Security is becoming increasingly challenging as new threat actors emerge and increase in number. The number of successful attacks against organizations has increased, despite an increase in spending.
  • Customer data is being leaked, scripts and television series are being stolen, and intellectual property is walking out of open windows.
  • Recent attacks have caused immense damage and the challenges are great.
  • We are told: “Just keep us out of the New York Times …”

5. PRIMARY REASONS FOR WHERE WE ARE TODAY
  • Increase in sophistication of attacks, including the release of state-sponsored tools into the open market.
  • Costs of attack vs. defense
  • Lack of Security Subject Matter Experts
  • Poorly integrated components of the environment
  • Lack of Visibility and Poor Response Times

6. IS WHAT WE’VE BEEN TOLD TO DO REALLY WORKING?
  • Security Hygiene:
    • Keeping software up to date
    • Following best practices
    • Keeping users informed about safe browsing
  • “It must be User Error…”
    • People are the weakest link
    • Keeping users informed and properly trained
    • (Demand that we turn every employee into a Security Subject Matter Expert)

7. CHALLENGES IN SECURITY
  • In order to meet the demand for strong defenses, we met with and discussed the challenge with the N.S.A., who simply recommended “deploy three of everything…”
  • We spent years evaluating, deploying, and testing security technologies, summarizing findings, efficacy rates, and false positives between vendors.
  • In 2013, we realized that although we had addressed an important visibility gap, we had not yet addressed an important need around orchestration and automation.
  • On average, it was taking us between 30-45 minutes to address important alerts that were arriving in our Security Operations Center.
  • At the same time, the Verizon Breach Report began identifying that breaches of customer data were occurring in a moment’s time, with over 40% occurring in minutes.
  • The standard approach of human-action-oriented response was a bit like bringing a knife to a gunfight: attackers began utilizing automation themselves and we were too slow to respond.

8. THE ELUSIVE SILVER BULLET
  • With hundreds of new security startups appearing regularly, there still is no silver bullet in security.
  • Deploying a layered defense and following best practices is important to do, but sometimes you can do everything you believe is correct and still have a security breach.
  • Attackers will find the weakest link in your environment and enter there.
  • What is most important here is to be in a regular cycle of improvement and learning.

9. WALK THROUGH THE EVENTS OF APRIL 29TH, 2017
  • Attackers researched and cased the background of a contractor via social networks, determining who they were, what they did, and their working hours.
  • Reverse-engineered NSA exploit tools that had been released just a couple of weeks earlier.
  • The attack took place during the one day the contractor did not work (a Saturday).
  • For the attack to have been successful, several issues needed to have been present:
    • Firewall, including the local host firewall, was DISABLED.
    • Found a system that was missing MS17-010, a critical Microsoft patch that would have prevented the use of the NSA tools DOUBLE-PULSAR and ETERNAL BLUE.
    • In-memory process-level injection attack that leveraged FILELESS malware; standard AV did not detect this.

10. STAGES OF ATTACK
  • Disabling of the firewall, leveraging a previously unknown exploit of the user’s cable modem
  • Unauthenticated remote access to the local system, leveraging the NSA exploit tool ETERNAL BLUE
  • Process injection into LSASS.EXE (a protected Windows process responsible for user session and authentication)
  • The injected code communicated with C&C and downloaded a credential theft module, which stole credentials from the Windows environment and web browsers
  • Attempt to move laterally (since the VPN was down at the time, this was not possible)
  • Ransomware encryption (file-less variant based on CRY-128) in order to cover tracks

11. THE 4 STAGES OF THE ATTACK
  1. Exploitation and Injection using Eternal Blue / Double Pulsar
  2. Credential Theft (Browser History, Browser Credentials and Windows Credentials)
  3. Lateral Movement attempts (using Credentials: this can impact even patched systems, as it did in Petya / NotPetya)
  4. Ransomware (All else fails, cover tracks)

12. VISIBILITY
  • Here, visibility of the attack was critical. IDT leveraged an EDR tool, which we have deployed throughout our environment, both at Amazon and within the Enterprise.
  • EDR records all events on the endpoints, including file activity changes, network connections, registry modifications, process injection, and authentication activity.
  • It is critical to record events because we can never be certain that our defenses will be 100% effective.
  • We don’t know ahead of time what will become important for analysis and future defense, so we record all events.
  • History is streamed live into a hardened Amazon instance for analytics and secure offline storage.

13. MINIMIZING THE RISK
  • Record everything on the endpoints
  • Understand attack patterns and methods
  • Improve detection, prevention and response
  • Create alerts for exploits and behaviors (including NSA exploit tools)
  • Immediate isolation of impacted hosts (real-time)

14. UNDERSTANDING THE DATA
  • IDT worked with several dozen researchers before coming to a deep understanding of the activity that took place.
  • After speaking to dozens more, IDT understood that it was one of the first hit with this attack and that most of the IP addresses involved in the attack were not yet registered on any threat intelligence feed.
  • IDT shared the information about the attack directly with its security vendors and service providers in order to bring additional visibility to the issue.
  • IDT felt that this method of attack would become widespread, and in short order WannaCry, Petya and NotPetya variants leveraged similar tools and capabilities throughout the world.

15. CLOUD SECURITY; HOW IT IS DIFFERENT – BETTER
  • Software Defined Networking and Software Defined Security allow you to effect changes in the environment within seconds via API integrations, orchestration and automation.
  • Configuration auditing tools that examine configurations directly.
  • Cloud security vendors keep software updated for you, lowering requirements around management and software update lifecycles.

16. WHAT WAS LIFE LIKE PRIOR TO SECURITY AUTOMATION?
  • SIEM Correlation - Minutes
  • Initiate investigation - Minutes
  • Contain - Minutes
  • Search, Investigate, Pivot - Minutes / Hours
  • Building context - Minutes / Hours
  • Triage - Minutes / Hours / Days
  • Remediation - Minutes / Hours / Days
  • Reports and Auditing - Hours / Days
  • Learn from Events / Incidents and Improve Logic - Hours / Days

17. FOLLOWING TIGHT INTEGRATION USING AUTOMATION
  • Initiate automated investigation from alert received - Seconds (Splunk + WildFire)
  • Automatic Containment - Seconds (Hexadite + Palo Alto + AWS)
  • Automated Search, Investigate, Pivot - Seconds / Minutes (Splunk, Splunk and Splunk again)
  • Automated Building of context - Seconds / Minutes (Hexadite + Secdo + Splunk)
  • Automated Triage - Seconds / Minutes (Splunk + Hexadite)
  • Automated Remediation - Seconds (Hexadite + Splunk + Palo Alto + Secdo + AWS)
  • Automated Report generation and full audit trail - Seconds (Hexadite + Splunk)
  • Automated Iterative Improvement of Logic from prior Events / Incidents - Seconds (Hexadite)

18. TRADITIONAL VS. AUTOMATED IR
  Metric                  | Traditional IR | Automated IR
  Mean Time to Initiate   | Min.           | Sec.
  Mean Time to Validate   | Hr.            | Min.
  Mean Time to Contain    | Hr. or Days    | Sec.

19. TRADITIONAL (MANUAL) IR
  [Timeline diagram; total time 9 hours. Elapsed-time marks on the slide run from 10 min. through 14 min., 32 min., 1.2 hr., 2 hr., 2.3 hr., 3.5 hr., 7.0 hr., 8.0 hr., 8.5 hr. and 9.0 hr. to “+Days”; the marks cannot be matched to individual steps from the extracted text.]
  Steps shown: WildFire Alert Received in SIEM; Locate the Downloaded File; Manually Find Evidence for File Execution; Analyze Suspicious Host’s Processes; Analyze Persistency Methods; Analyze Splunk for Network Activity; Analyze Recently Created Files; Analyze Drivers and Services; Initiate Forensics Imaging; Generate Leads; Follow Leads; Isolate Suspicious Host.

20. AUTOMATED IR
  [Timeline diagram; total time 1.5 minutes. Elapsed-time marks on the slide run from 1 sec. through 7 sec., 18 sec., 24 sec., 49 sec., 1.3 min. and 1.5 min. to “+Min.”; the marks cannot be matched to individual steps from the extracted text.]
  Steps shown: Splunk Receives WildFire Alert; Analyze WildFire Behavioral Report via WF API; Search Behavioral Report within Suspicious Host; Search Host for Malicious Activity; Collect Running Processes, Open Connections, Recently Created Files, Persistency Methods, Authentication Logs and Network Logs; Analyze All Running Processes, Installed Services and Drivers, Recently Created Files, Persistency Methods, Network Logs and Authentication Logs; Generate Leads; Follow Leads; Isolate Suspicious Host with Palo Alto App; Terminate Process; Quarantine Files; Alert User about his Host being Investigated.
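The automated playbook on this slide (alert received, host artifacts collected, leads generated from the sandbox report, host isolated, process terminated, files quarantined, user notified) together with the alerting and immediate-isolation goals of slide 13, as an added Python example that is not from the deck and not code from Splunk, WildFire, Hexadite or Palo Alto. The Alert and HostArtifacts types, the sample data and the action names are constructed assumptions; the real integrations are replaced by plain Python structures so the decision logic runs offline.

```python
from dataclasses import dataclass

@dataclass
class Alert:  # constructed sandbox verdict for a file seen on a host (not a real WildFire report)
    host: str
    processes: list  # image names the sample spawned in the sandbox
    files: list      # paths it wrote
    domains: list    # remote hosts it contacted

@dataclass
class HostArtifacts:  # constructed EDR snapshot collected from the suspicious host
    processes: dict   # pid -> image name
    recent_files: list
    persistence: list # run-key / service command lines
    connections: list # remote hosts with open connections
    logons: list      # accounts that authenticated since the alert

def generate_leads(alert, host):
    """Search the collected artifacts for the behaviours the sandbox report describes."""
    leads = []
    want = {p.lower() for p in alert.processes}
    leads += [("process", pid) for pid, img in host.processes.items() if img.lower() in want]
    leads += [("file", p) for p in host.recent_files if p in alert.files]
    leads += [("persistence", e) for e in host.persistence if any(p in e for p in alert.files)]
    leads += [("connection", r) for r in host.connections if r in alert.domains]
    return leads

def plan_response(alert, host):
    """Order the playbook's containment steps; no leads means the verdict did not reproduce."""
    leads = generate_leads(alert, host)
    if not leads:
        return ["close_as_not_executed"]
    actions = ["isolate_host:" + alert.host]  # cut the host off before anything else
    actions += ["terminate_process:%d" % v for k, v in leads if k == "process"]
    actions += ["quarantine_file:" + v for k, v in leads if k == "file"]
    actions += ["remove_persistence:" + v for k, v in leads if k == "persistence"]
    actions += ["review_account:" + a for a in host.logons]  # lateral-movement follow-up
    actions.append("notify_user:" + alert.host)
    return actions

# Constructed sample: the sandbox saw the download spawn a lookalike process and set a run key
SAMPLE_ALERT = Alert("ws-042", ["svchost32.exe"], ["C:\\Users\\Public\\upd.exe"], ["198.51.100.7"])
SAMPLE_HOST = HostArtifacts(
    processes={4512: "SVCHOST32.EXE", 820: "explorer.exe"},
    recent_files=["C:\\Users\\Public\\upd.exe", "C:\\Temp\\notes.txt"],
    persistence=["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd = C:\\Users\\Public\\upd.exe"],
    connections=["198.51.100.7", "10.0.0.5"],
    logons=["CORP\\svc_backup"])
```

Calling plan_response(SAMPLE_ALERT, SAMPLE_HOST) returns the isolate, terminate, quarantine, remove-persistence, review-account and notify steps in that order; a host whose artifacts show none of the reported behaviours gets no containment action.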

21. TAKEAWAYS
  • Visibility and Speed to Resolution is Key
  • Security Automation is Achievable
  • Automation is the only way we can stay ahead of the emerging threat landscape