
Building a Threat Hunting Practice in the Cloud


Building a Threat Hunting Practice Using the Cloud
James Condon, Director of Threat Research and Analysis, ProtectWise, and Tom Hegel, Senior Threat Researcher, ProtectWise

Topics:
Threat Hunting 101
Requirements for Effective Threat Hunting
How the Cloud Can Help
Threat Hunting Best Practices
Questions
Next Steps


  1. BUILDING A THREAT HUNTING PRACTICE IN THE CLOUD (March 22, 2017)
  2. TODAY’S SPEAKERS: James Condon, Director of Threat Research and Analysis, ProtectWise; Tom Hegel, Senior Threat Researcher, ProtectWise
  3. TODAY’S AGENDA: Threat Hunting 101; Requirements for Effective Threat Hunting; How the Cloud Can Help; Threat Hunting Best Practices; Questions; Next Steps
  4. THREAT HUNTING 101: Following anomalous behavior when or where it occurs to confirm whether it was an actual, active attack. Detection (catch and respond to known threats) vs. Hunting (identify detection gaps and unknown threats; prevent future incidents).
  5. WHY HUNT FOR THREATS? Be more proactive; catch what is unknown and new; increased team skill, more fun.
  6. POLL QUESTION
  7. HOW MATURE IS YOUR TEAM? Capability grows with maturity, in four steps: (1) best-practice detection and blocking (AV, firewall, SIEMs, etc.); (2) advanced detection with limited response capability; (3) detection and response automation, correlation across tools; (4) hunting, long-term data collection, retrospective forensic capabilities.
  8. BEFORE YOU BEGIN: Master detection and response; correlate activity between tools; automate as much as possible; detect on quality over quantity.
  9. REQUIREMENTS FOR EFFECTIVE THREAT HUNTING: Collect the right data (data pipeline stages: Capture, Store, Extract, Index, Search); understand the landscape.
  10. POLL QUESTION
  11. HOW THE CLOUD CAN HELP. Scale & Power (what does it give you?): unlimited storage; advanced analytics capabilities; a unified haystack. Insight & Intelligence (what do you get?): comprehensive context; continuous analysis; pervasive visibility.
  12. DETECTION VS. HUNTING LOOPS. Hunting is proactive: 1. Hypothesize, 2. Test, 3. Identify, 4. Formalize. Detection is reactive: 1. Activity observed, 2. Engagement, 3. Learn, 4. Activity resolved, 5. Tune detection.
  13. THREAT HUNTING BEST PRACTICES: Foster an investigative mindset; develop and pursue leads; gather evidence; keep asking questions; avoid confirmation bias; avoid tunnel vision.
  14. THE REALITY OF HUNTING AT SCALE: Not always about an APT; embrace the analyst mindset; expand your knowledge; share and grow together; look beyond InfoSec rockstars.
  15. MALICIOUS HTTP REQUEST EXAMPLES. Differences between malicious and legitimate HTTP requests: a small number of headers; headers out of order; unusual or small User-Agents.
  16. QUICK RECAP. A great threat hunting practice... acts proactively (hunting), not reactively (detection); collects the right data and knows its landscape; relies on the cloud for the scalability and power you need; follows best practices, which make you more effective; is realistic about outcomes and results.
  17. Q&A
  18. NEXT STEPS: We’ll be sending you a copy of our whitepaper “A Comprehensive Start-Up Guide for Proactive Threat Hunting Across Time.” Questions? Email sales@protectwise.com
  19. THANK YOU. www.protectwise.com
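Slide 15 lists three traits that separate scripted or malware-generated HTTP requests from browser traffic (few headers, headers in an unusual order, short or odd User-Agents). The following Python script is an added example, not part of the ProtectWise deck, that turns those three traits into a hunting triage check over raw HTTP/1.x requests; the browser header order, the thresholds, and both sample requests are constructed assumptions for illustration.

```python
import re
from typing import List, Tuple

# Assumed typical header order for a mainstream browser (constructed baseline, tune to your own traffic).
BROWSER_ORDER = ["Host", "Connection", "User-Agent", "Accept", "Accept-Encoding", "Accept-Language"]
MIN_HEADERS = 4    # assumed threshold: browsers usually send far more than this
MIN_UA_LEN = 20    # assumed threshold: real browser User-Agents are long strings


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request into (request line, headers in the order they were sent)."""
    lines = raw.strip("\r\n").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block; anything after is body
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def out_of_order(names: List[str]) -> bool:
    """True if the headers we recognise appear in a different relative order than the browser baseline."""
    ranks = [BROWSER_ORDER.index(n) for n in names if n in BROWSER_ORDER]
    return ranks != sorted(ranks)


def hunt_indicators(raw: str) -> List[str]:
    """Return the slide-15 indicators triggered by one request; an empty list means nothing stood out."""
    _, headers = parse_request(raw)
    names = [n for n, _ in headers]
    ua = {n.lower(): v for n, v in headers}.get("user-agent", "")
    hits = []
    if len(headers) < MIN_HEADERS:
        hits.append("few-headers")
    if out_of_order(names):
        hits.append("header-order")
    if not ua or len(ua) < MIN_UA_LEN or not re.match(r"Mozilla/\d", ua):
        hits.append("unusual-user-agent")
    return hits


# Constructed samples: a typical browser request and a terse, scripted-looking request.
BROWSER_REQ = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n"
               "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
               "Accept: text/html,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US\r\n\r\n")
SCRIPT_REQ = ("POST /status HTTP/1.1\r\nUser-Agent: curl/7.1\r\nHost: www.example.com\r\n"
              "Content-Length: 12\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("browser", BROWSER_REQ), ("scripted", SCRIPT_REQ)):
        print(label, hunt_indicators(req) or "no indicators")
```

A hit on one indicator is a lead to pursue, not a verdict; the hunting loop on slide 12 (hypothesize, test, identify, formalize) is what turns a recurring hit into a tuned detection.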
