Security is everyone's responsibility. That’s the lesson learned as enterprises seek to improve their detection and response for cyber incidents. This session introduces a new model where InfoSec sets the policies and delegates monitoring to application teams.
5. “You know the things you intend to have in your network. We know the things that are actually in your network.”
Rob Joyce
Chief of Tailored Access Operations
National Security Agency
8. Wire Data = Risk Visibility
CVE Detection
• Shellshock
• HTTP.sys
• Turla malware
• Heartbleed
• FREAK SSL/TLS
• POODLE
• Logjam
Compliance
• SSH tunneling
• Non-standard ICMP
• Non-standard DNS
• Non-standard HTTP
• Disallowed file types
• Invalid file extension writes
• Blacklisted traffic
Encryption Profile
• Certificate expiration
• Key length
• Outdated SSL sessions
• MD5/SHA-1 cert signing
• SSL traffic by port
• Email encryption
• Wildcard certificates
Protocol Activity
• Unencrypted FTP
• Telnet
• Gopher
• TACACS
• SNMP v1, v2, v2c
• Finger
• IRC
Application & User Behavior
• Privileged user logins
• Unauthorized connections
• Lateral network traversal
• Brute force attacks
• Storage/DB access
• Fraudulent transactions
• Large data transfers
Unstructured packets -> structured wire data
9. Scaling SecOps
Traditional Model: Enterprise Perimeter
• InfoSec is siloed
• Not enough skilled staff
• Security controls fail due to complexity
New Model: Micro-Perimeters
• InfoSec is a partner (enforcement and advisory)
• Equip everyone to make security part of their job
• Focus on InfoSec as a service
Diagram: micro-perimeters drawn around App A (assets, data), Corporate IT, Specialist IT, Remote Workers, IaaS (assets, data) and a SaaS App.
10. Enrich Your Security Infrastructure
Diagram labels: User behavior; Application behavior; System behavior; Network behavior; Open Data Stream; Big Data lake for security; Stream Analytics; Unstructured network packets.
• Programmable stream processor for custom metrics
• Open Data Stream (syslog, Kafka, HTTP) for any data
• Bi-directional REST API for ingest and orchestration
11. Everything Transacts on the Network
Diagram: Target Host, Evil, Mail Server, Database; 7 different L7 protocols (SMTP, HTTP, SSH, ICMP & TCP, LDAP, FTP, MySQL), various behaviors and data exchanged over a 30-day period.
Day 0 – Target compromised
Day 5 – Rootkit downloaded
Day 5 – Command and control set up
Day 6 through 14 – Slow port scan
Day 14 through 25 – Low-intensity brute-force login attempts
Day 26 through 29 – Data downloaded over a four-day period
Day 30 – Exfiltration of data over a throttled connection
12. Data Exfiltration
Observe and correlate every step of the intrusion lifecycle on the network:
malicious email -> malware download -> C&C -> scanning -> brute-force login -> data download -> exfiltration
Diagram callouts: ICMP Ping and TCP-SYN scanning; failed database logins; FTP to internal and external servers
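The correlation the slide describes, as an added example that is not code from the original deck or from any product it describes: it walks constructed per-transaction wire-data records that follow the 30-day timeline (slow port scan, failed database logins, FTP leaving the network) and reports, per host, the stages crossed in day order. The record layout, the internal address prefix and the thresholds are assumptions.

```python
"""Correlate the slide's intrusion stages (scan -> brute-force login -> exfiltration)
across per-transaction wire-data records. Added example, not code from the original
deck or from any product it describes; the record layout, the internal address
prefix and the thresholds are assumptions chosen to fit the 30-day timeline."""
from collections import defaultdict

INTERNAL_PREFIX = "10."                        # assumed internal address space
SCAN_TARGETS, LOGIN_FAILS, EXFIL_BYTES = 50, 20, 1_000_000_000   # assumed thresholds

def rec(day, proto, src, dst, dport, ok=True, nbytes=0):
    """One L7 transaction as a wire-data sensor might export it (assumed layout)."""
    return {"day": day, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "ok": ok, "bytes": nbytes}

# Constructed sample traffic: 10.0.0.5 follows the slide's timeline, 10.0.0.9 is
# ordinary background activity that must not be flagged.
RECORDS = (
    [rec(6 + i // 10, "TCP", "10.0.0.5", "10.0.1.20", 1000 + i, ok=False)      # slow port scan
     for i in range(60)]
    + [rec(14 + i // 10, "MySQL", "10.0.0.5", "10.0.1.30", 3306, ok=False)    # failed DB logins
       for i in range(40)]
    + [rec(26 + i, "FTP", "10.0.0.5", "198.51.100.9", 21, nbytes=500_000_000)  # 2 GB out, 4 days
       for i in range(4)]
    + [rec(d, "MySQL", "10.0.0.9", "10.0.1.30", 3306, nbytes=4096) for d in range(30)]
)

def stage_first_seen(records):
    """Return {src: {stage: day on which that stage's threshold was first crossed}}."""
    targets, fails, out_bytes = defaultdict(set), defaultdict(int), defaultdict(int)
    seen = defaultdict(dict)
    for r in sorted(records, key=lambda r: r["day"]):
        src, stages = r["src"], seen[r["src"]]
        if r["proto"] in ("ICMP", "TCP") and not r["ok"]:
            targets[src].add((r["dst"], r["dport"]))          # unanswered probes
            if len(targets[src]) >= SCAN_TARGETS:
                stages.setdefault("scan", r["day"])
        elif r["proto"] in ("MySQL", "LDAP", "SSH") and not r["ok"]:
            fails[src] += 1                                   # failed logins
            if fails[src] >= LOGIN_FAILS:
                stages.setdefault("brute-force", r["day"])
        elif r["proto"] == "FTP" and not r["dst"].startswith(INTERNAL_PREFIX):
            out_bytes[src] += r["bytes"]                      # bytes leaving the network
            if out_bytes[src] >= EXFIL_BYTES:
                stages.setdefault("exfiltration", r["day"])
    return seen

def intrusion_chains(records, min_stages=2):
    """Hosts that progressed through at least min_stages stages, ordered by first day."""
    return {src: sorted(st, key=st.get)
            for src, st in stage_first_seen(records).items() if len(st) >= min_stages}
```

Requiring two or more stages on the same host is what turns three noisy single-indicator alerts into one lifecycle finding.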
13. Realization of Threat Intelligence
• Detect attacks based on observed behavior, not signatures
• Reduce alert fatigue with intelligence based on precise activity
• Better than logs: network observation is always on and cannot be deleted or turned off
14. Business Process Anomaly Detection
Traditional security analytics/intelligence systems are too slow to catch fraud.
Example: An online travel management service needed to detect and cancel fraudulent activity before the criminals went to the airport and received cash refunds for the tickets.
Diagram callouts: 4 hours; Policy violation!
15. Simplify Compliance Audit
• Track every AD login, CIFS file access, and who connected to sensitive applications
• Store historical data to simplify audit reporting and enable investigation
• Verify whether existing security controls are actually working
• Monitor encryption use and cipher suite strength