Enhanced Threat Intelligence for SPs v3
- 1. Guavus Confidential – Do Not Distribute © 2013 Guavus, Inc. All rights reserved.
ENHANCED THREAT INTELLIGENCE
May 14, 2014
Neil King, VP Security Analytics
- 2.
Threat Intelligence Landscape: Wild West
- 3.
Threat Intelligence Taxonomy
Threat Category: Botnet, Malware, Phishing, Mobile, Policy-based, Vulnerabilities
Threat Entity: IP Address, Domain, URL, File, Application
Providers: Anti-virus, Network Security, Threat Intelligence Specialists, Non-commercial
Delivery: Blocklists, Reports, News/Blogs
- 4.
URL Feed Comparison
Among the URL feeds available through VirusTotal there is little overlap across threat feeds…
- 5.
Number of Detections per Threat
A majority of threats are detected by 1-2 engines
[Bar chart: x-axis = number of engines detecting a threat (1 to 11+); y-axis = number of threats (0 to 450,000)]
- 6.
Detection Fragmentation – Full Feeds
Pairwise overlap between vendor feeds (percent); the diagonal is 100%.

            Vendor 1  Vendor 2  Vendor 3  Vendor 4  Vendor 5  Vendor 6  Vendor 7  Vendor 8  Vendor 9  Vendor 10
Vendor 1    100%      1.40%     0.30%     0.13%     16.33%    6.27%     10.83%    7.57%     0.03%     45.50%
Vendor 2    0.66%     100%      0%        51.33%    34.89%    40.87%    0.03%     3.50%     1.79%     40.27%
Vendor 3    0.00%     0%        100%      0%        0%        0.01%     0%        0.32%     0.03%     0.01%
Vendor 4    0.05%     9.89%     0%        100%      0.02%     11.90%    0%        0%        0.07%     0.57%
Vendor 5    21.40%    0.74%     0%        0.05%     100%      2.42%     9.35%     7.07%     0.09%     27.07%
Vendor 6    0.35%     0.89%     0.06%     1.62%     0.30%     100%      0.19%     1.34%     0.38%     2.31%
Vendor 7    4.97%     0.03%     0%        0%        4.97%     0.20%     100%      0.03%     0%        26.60%
Vendor 8    0.06%     0.07%     0.27%     0%        0.23%     0.35%     0.00%     100%      0.06%     0.64%
Vendor 9    0.26%     1.99%     0.17%     0.26%     0.26%     2.95%     0%        3.38%     100%      2.86%
Vendor 10   9.93%     0.99%     0.03%     0.25%     10.11%    4.55%     6.17%     5.40%     0.24%     100%
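The two slides above make a statistical point (little pairwise overlap, most indicators known to only one or two engines) that is easy to reproduce on any set of feeds. The Python below is an added example, not Guavus code and not the measurement behind the slides; it uses constructed toy feeds (FEEDS) and computes both the asymmetric overlap matrix and the detections-per-indicator histogram.

```python
from collections import Counter
from itertools import product

# Constructed sample URL feeds keyed by vendor (toy data, not the VirusTotal feeds
# measured on the slides). Vendor sizes differ so that overlap is asymmetric.
FEEDS = {
    "Vendor 1": {"a.example/1", "b.example/2", "c.example/3", "d.example/4", "e.example/5"},
    "Vendor 2": {"a.example/1", "f.example/6", "g.example/7"},
    "Vendor 3": {"h.example/8"},
    "Vendor 4": {"a.example/1", "b.example/2", "g.example/7", "i.example/9"},
}


def overlap_matrix(feeds):
    """Percentage of the row vendor's indicators that the column vendor also lists.
    The diagonal is 100% and overlap(A, B) != overlap(B, A) in general, which is
    why a fragmentation table like slide 6 is not symmetric."""
    names = list(feeds)
    matrix = {}
    for row, col in product(names, repeat=2):
        shared = len(feeds[row] & feeds[col])
        matrix[(row, col)] = round(100.0 * shared / len(feeds[row]), 2) if feeds[row] else 0.0
    return matrix


def detections_per_indicator(feeds):
    """Histogram {n_vendors: count}: how many indicators are listed by exactly n vendors."""
    seen_by = Counter()
    for indicators in feeds.values():
        seen_by.update(indicators)  # a set, so each vendor counts at most once per indicator
    return Counter(seen_by.values())


def fragmentation_summary(feeds):
    """Share of the combined indicator set that only one or two vendors know about."""
    hist = detections_per_indicator(feeds)
    total = sum(hist.values())
    low = hist[1] + hist[2]
    return {"indicators": total, "seen_by_1_or_2": low,
            "share_1_or_2": round(low / total, 3) if total else 0.0}


def render_matrix(feeds):
    """Plain-text table in the same layout as the slide."""
    names = list(feeds)
    m = overlap_matrix(feeds)
    lines = ["{:<10}".format("") + "".join("{:>10}".format(n) for n in names)]
    for row in names:
        lines.append("{:<10}".format(row) + "".join("{:>9}%".format(m[(row, col)]) for col in names))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(FEEDS))
    print(fragmentation_summary(FEEDS))
```

Run against real feeds, the share of indicators seen by one or two sources is the number to watch: a high share means that dropping any single provider loses coverage you cannot get elsewhere, while a low share means providers are largely duplicating each other.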
- 7.
Context Fragmentation
[Matrix of Vendor 1 to Vendor 10 (columns) against context fields (rows): Domain, URL, IP, Category, Risk Score, Last Seen, Malware Name, File Hash, Hash Type, ASN, Country]
Legend: Available / Derived / Not available
- 8.
IP Addresses and URLs are great, but what about Mobile Application Reputation?
- 9.
Some challenges & opportunities for addressing mobile application threats
Anti-virus Application
+ Sees all traffic
- Most subscribers don't have AV
App Store Protection
+ Centralized protection for a specific App Store
- Misses app downloads from alternative App Stores
Mobile Networks
+ Opportunity to protect downloads from all app stores
+ Can protect users that don't have AV
- 10.
Identify Mobile Application Downloads…
[Funnel: ~ billion events → ~15,000 APK downloads from ~600 unique URLs → Risky APKs]
- 11.
…and Associate APK Reputations with URLs
We tried downloading some APKs (~36) and scanning them with Norton Security & Antivirus for Android, with the following results.
Available Context
• Package Name
• Security Score
• Threat Category
• APK risks (Location, AdLibrary, device information)
• Destination of leaked information
• Battery impact
• Network impact
• First Seen (Application, Application Signer)
• More
[Pie chart of scan results: Malicious, Not Malicious, Greyware; segments of 5%, 42% and 53%]
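Slides 10 and 11 describe picking APK downloads out of network data and attaching scan verdicts to the URLs that served them. The Python below is an added example (not Guavus or Norton code) that does this over constructed DPI-style HTTP log lines; the log format, the verdict dictionary and the hash values are assumptions made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed DPI-style HTTP transaction records (hypothetical format):
# timestamp, subscriber id, method, URL, response content type, hash of the body.
LOG_LINES = [
    "2014-05-14T10:00:01Z sub=1001 GET http://apps.example-store.test/games/fun.apk type=application/vnd.android.package-archive sha256=aaa1",
    "2014-05-14T10:00:05Z sub=1002 GET http://cdn.example-news.test/index.html type=text/html sha256=bbb2",
    "2014-05-14T10:01:10Z sub=1003 GET http://mirror.example-alt.test/dl/fun.apk type=application/vnd.android.package-archive sha256=aaa1",
    "2014-05-14T10:02:00Z sub=1001 GET http://mirror.example-alt.test/dl/flash.apk type=application/octet-stream sha256=ccc3",
    "2014-05-14T10:03:00Z sub=1004 GET http://apps.example-store.test/games/fun.apk type=application/vnd.android.package-archive sha256=aaa1",
]

# Constructed scan verdicts keyed by file hash, standing in for the mobile AV
# results of slide 11 (placeholder hashes, not real indicators).
APK_VERDICTS = {
    "aaa1": {"package": "com.example.fun", "verdict": "not_malicious", "score": 10},
    "ccc3": {"package": "com.example.flash", "verdict": "malicious", "score": 95},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\d+) (?P<method>\S+) (?P<url>\S+) "
    r"type=(?P<ctype>\S+) sha256=(?P<sha>\S+)$")
APK_MIME = "application/vnd.android.package-archive"


def parse_line(line):
    """Return the record as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_apk_download(rec):
    """Recognize an APK by MIME type or by a .apk path; the second rule catches
    alternative stores that serve packages as generic octet-stream."""
    path = urlsplit(rec["url"]).path.lower()
    return rec["ctype"] == APK_MIME or path.endswith(".apk")


def apk_downloads(lines):
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and is_apk_download(r)]


def url_reputation(lines, verdicts):
    """Group APK downloads by URL and attach the worst verdict among the hashes
    served from that URL. Unknown hashes leave the URL at 'unknown'."""
    by_url = defaultdict(lambda: {"downloads": 0, "hashes": set(),
                                  "verdict": "unknown", "score": None})
    for r in apk_downloads(lines):
        entry = by_url[r["url"]]
        entry["downloads"] += 1
        entry["hashes"].add(r["sha"])
        v = verdicts.get(r["sha"])
        if v and (entry["score"] is None or v["score"] > entry["score"]):
            entry["verdict"], entry["score"] = v["verdict"], v["score"]
    return dict(by_url)


def funnel(lines, verdicts):
    """The slide-10 funnel: events -> APK downloads -> unique URLs -> risky URLs."""
    rep = url_reputation(lines, verdicts)
    return {
        "events": len(lines),
        "apk_downloads": len(apk_downloads(lines)),
        "unique_urls": len(rep),
        "risky_urls": sorted(u for u, e in rep.items() if e["verdict"] == "malicious"),
    }


if __name__ == "__main__":
    for url, entry in url_reputation(LOG_LINES, APK_VERDICTS).items():
        print(url, entry["downloads"], entry["verdict"])
    print(funnel(LOG_LINES, APK_VERDICTS))
```

Keying the verdict on the file hash rather than the URL is what lets the same package seen on an official store and on a mirror share one verdict, and it is also why the same URL can change reputation over time when the file behind it is replaced.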
- 12.
Symantec Mobile Insight Metrics
Norton Mobile Insight
747,109 Signers (Publishers)
Majority of Bad Actors: Russia, China
Stores Crawled Continuously: 200+
- 13.
Threat Intelligence Requirements: 7 Cs
Coverage: Broad coverage of threats increases the likelihood of identifying malicious events
Criticality: Identify the highest-impact threats
Confidence: Understanding the confidence level helps prioritize threats and reduce false positives
Context: Understanding context can help prioritize threats and accelerate investigations
Current: Threats change rapidly, so intelligence needs to be current
Customization: Ability for companies to add specific threats and adjust weightings to apply to their specific situation
Convenience: Simplifying the aggregation, enhancement and application of threat intelligence
- 14.
Our Approach to Enhanced Threat Intelligence
[Pipeline, left to right: Threat Intelligence (providers) → Guavus → Customer]
Threat Summary → Enhancement & Normalization → Enhanced Threat Feed
Enhanced Threat Feed:
• Domain
• URL
• IP Address
• Threat Name
• APK Enhancement
• Threat Category
• Risk Score
Research / Investigation:
• Full Description
• Trending
• Geography
• Associated IPs
• Associated URLs
• Associated Threat Names
- 15.
How can Service Providers Utilize ETI?
[Diagram: the Enhanced Threat Intelligence Feed (URL Rep, IP Rep, App Rep) and network data sources (DPI, Netflow, Other) feed the Network Data Analytics Platform, which supports the use cases below]
Use Cases:
• Threat Detection
• Threat Prioritization
• Threat Investigation
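Slides 13 to 15 describe normalizing provider feeds into one enhanced feed, weighting and aging the entries, and then applying that feed to DPI and Netflow events for detection and prioritization. The Python below is an added example, not Guavus platform code; the three provider record shapes, the provider weights, the 30-day freshness limit and the priority formula are all assumptions made up for the example, chosen to exercise the Confidence, Current and Customization requirements from the 7 Cs.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed reference time and operator settings (hypothetical values).
NOW = datetime(2014, 5, 14, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=30)                                           # "Current": drop stale entries
PROVIDER_WEIGHT = {"vendor_a": 1.0, "vendor_b": 0.8, "vendor_c": 0.5}  # "Customization": per-source weights
RISK_WORDS = {"low": 25, "medium": 50, "high": 75, "critical": 100}    # word scores onto a 0-100 scale

# Constructed raw records, one per provider-specific shape (not real feed formats).
RAW = [
    ("vendor_a", {"url": "http://evil.example.test/dl/bad.apk", "cat": "Malware",
                  "score": 80, "seen": "2014-05-13"}),
    ("vendor_b", {"indicator": "EVIL.EXAMPLE.TEST", "type": "domain",
                  "threat": "Trojan.Agent", "confidence": "high", "last": "2014-05-10"}),
    ("vendor_c", {"ip": "203.0.113.7", "category": "botnet", "risk": "medium",
                  "updated": "2014-03-01"}),
]


def normalize(provider, rec):
    """Map one provider record onto the common schema of the enhanced feed."""
    if provider == "vendor_a":
        n = {"type": "url", "value": rec["url"], "category": rec["cat"].lower(),
             "threat_name": None, "risk": float(rec["score"]), "seen": rec["seen"]}
    elif provider == "vendor_b":
        n = {"type": rec["type"], "value": rec["indicator"].lower(), "category": None,
             "threat_name": rec["threat"], "risk": float(RISK_WORDS[rec["confidence"]]),
             "seen": rec["last"]}
    elif provider == "vendor_c":
        n = {"type": "ip", "value": rec["ip"], "category": rec["category"].lower(),
             "threat_name": None, "risk": float(RISK_WORDS[rec["risk"]]), "seen": rec["updated"]}
    else:
        raise ValueError(f"unknown provider {provider}")
    n["last_seen"] = datetime.strptime(n.pop("seen"), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    n["source"] = provider
    return n


def build_feed(raw, now=NOW):
    """Merge normalized records into one feed keyed by (entity type, value).
    Risk is the provider-weighted mean of the reported scores; the number of
    distinct sources is kept as the confidence signal; stale records are skipped."""
    feed = {}
    for provider, rec in raw:
        n = normalize(provider, rec)
        if now - n["last_seen"] > MAX_AGE:
            continue
        e = feed.setdefault((n["type"], n["value"]), {
            "type": n["type"], "value": n["value"], "sources": [], "_num": 0.0, "_den": 0.0,
            "threat_names": set(), "categories": set(), "last_seen": n["last_seen"]})
        w = PROVIDER_WEIGHT[provider]
        e["sources"].append(provider)
        e["_num"] += w * n["risk"]
        e["_den"] += w
        if n["threat_name"]:
            e["threat_names"].add(n["threat_name"])
        if n["category"]:
            e["categories"].add(n["category"])
        e["last_seen"] = max(e["last_seen"], n["last_seen"])
    for e in feed.values():
        e["risk"] = round(e.pop("_num") / e.pop("_den"), 1)
        e["confidence"] = len(set(e["sources"]))
    return feed


def matches_for(event, feed):
    """Look an HTTP event up by full URL and by its domain, a flow record by destination IP."""
    keys = []
    if event["kind"] == "http":
        keys = [("url", event["url"]), ("domain", urlsplit(event["url"]).hostname)]
    elif event["kind"] == "netflow":
        keys = [("ip", event["dst_ip"])]
    return [feed[k] for k in keys if k in feed]


def prioritize(events, feed):
    """Threat prioritization: highest risk among the matches, boosted by how many
    independent sources agree; unmatched events are dropped."""
    out = []
    for ev in events:
        hits = matches_for(ev, feed)
        if not hits:
            continue
        sources = len({s for h in hits for s in h["sources"]})
        priority = round(max(h["risk"] for h in hits) * (1 + 0.25 * (sources - 1)), 1)
        out.append({"sub": ev["sub"], "priority": priority,
                    "matched": [h["value"] for h in hits],
                    "threat_names": sorted(set().union(*(h["threat_names"] for h in hits)))})
    return sorted(out, key=lambda r: r["priority"], reverse=True)


# Constructed subscriber events from DPI (http) and Netflow sources.
EVENTS = [
    {"kind": "http", "sub": "1001", "url": "http://evil.example.test/dl/bad.apk"},
    {"kind": "http", "sub": "1002", "url": "http://evil.example.test/other"},
    {"kind": "netflow", "sub": "1003", "dst_ip": "203.0.113.7"},  # only a stale entry exists
    {"kind": "http", "sub": "1004", "url": "http://benign.example.test/"},
]

if __name__ == "__main__":
    for row in prioritize(EVENTS, build_feed(RAW)):
        print(row)
```

The domain lookup is what gives the first event a higher priority than the second: the URL entry and the domain entry come from different providers, so two sources agree, while the second event only matches the domain. The Netflow event produces nothing because the only IP entry is older than the freshness limit, which is the intended effect of the Current requirement rather than a gap in coverage.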
- 16.
Contact:
Neil King
neil.king@guavus.com
www.linkedin.com/pub/neil-king/0/871/3a8/
Thanks for your time