Trends in Compliance Monitoring: Compliance Automation
How does it work and what are the benefits?
Presented by Marcus Clarke, Meridian Group
Light and Darkness on IT Street (slides 2-5)
If you lose your car keys at night, do you look only under the streetlights? Do you get down on your hands and knees and feel around for them?
Durable monitoring for Compliance and Risk Management requires that we look at everything that’s happening on our networks. But can we see everything? No. Not only do we have to look under the lights, but we also have to grope around in the dark.
© Meridian Group Inc. 2010
Pattern vs. Behavior (slides 6-7)
In the light, we can immediately recognize the visual pattern of a threat. This is similar to being able to immediately recognize the signature (pattern) of a known virus.
In the dark, immediate visual recognition is no longer possible. Using all our senses, we must observe behavior and assemble clues over time to deduce the presence of the threat we cannot see.
Clarke Threat Matrix (slide 8; diagram not reproduced in this text)
“Black Swans” (slide 9)
A highly improbable, unanticipated event that carries great impact. Often induces ‘expert’ rationalization in hindsight.
Frequently associated with ‘experts’ confusing the absence of evidence with evidence of absence. Unseen danger lurks…
While typically a risk management issue, Black Swan events can suddenly expose weaknesses in compliance strategy.
Our street lighting just isn’t the same as it once was (slide 10)
Chart: aggregate infection potential of network compromise, based on a network of 100 Windows PCs secured using ‘best practice’ malware defenses (chart not reproduced in this text).
Advanced Persistent Threats (APT) (slide 11)
Advanced – Opportunistic operation using the full spectrum of computer intrusion. Designed to actively resist detection and eradication attempts.
Persistent – Maximizes control of the target computer by elevating privilege to preserve or regain control and access.
Threat – Acts as a ‘launch platform’ for a wide variety of malicious activity such as attacks, data theft, extortion and destruction.
Anatomy of a Known APT operation… (slide 13)
The primary detectable evidence of APT infection is the traffic to the Command and Control (CnC) servers. This channel is also used to download new code.
Almost all APTs use HTTPS to encrypt CnC traffic to ensure egress and avoid inspection.
APTs use techniques such as Domain Fluxing to obfuscate CnC host identification and location.
Strategic Priorities (slides 14-16)
Currently known (detectable) APTs are the primary concern for all organizations. Relatively inexpensive to detect today.
Unknown APTs and Zero-day Exploits are a secondary focus. Not only because we believe they are less common, but because they are much more expensive to detect.
Black Swan exploits are specifically unknowable without prior knowledge, but consequences can’t be ignored. Business Continuity planning.
APT Defense is Possible (slide 19)
Requires prior knowledge of common APT behavior. Have to know what to look for – for example periodic CnC traffic.
Works very well for popular APT toolkits such as Zeus, so effective for the vast majority of current APTs.
Accept that defense today occurs after the fact. Sooner is better. Immediate is best.
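The periodic CnC check-in that the slide names as the thing to look for can be scored from ordinary outbound connection logs. The following is an added example, not Meridian Group code; the record layout, host names and thresholds are assumptions, and the log records are constructed:

```python
"""Score outbound connection pairs for the regular check-in timing
typical of CnC beacons. Added example; record layout is assumed."""
from collections import defaultdict
from statistics import median, pstdev

# Constructed sample log: (epoch_seconds, src_host, dst_ip, dst_port).
# "ws-17" contacts one external host every ~300 s with small jitter
# (a scheduled check-in); "ws-22" reaches a site at irregular times.
SAMPLE_LOG = (
    [(1_000_000 + 300 * i + (i % 3) - 1, "ws-17", "203.0.113.45", 443)
     for i in range(12)]
    + [(1_000_000 + t, "ws-22", "198.51.100.7", 443)
       for t in (5, 19, 640, 655, 660, 2100, 2111, 2900)]
)


def inter_arrival_gaps(times):
    """Gaps (seconds) between consecutive connections, in time order."""
    times = sorted(times)
    return [later - earlier for earlier, later in zip(times, times[1:])]


def periodicity_score(times):
    """Return (median_gap, jitter) where jitter = stdev(gaps) / median(gaps).

    A scheduled check-in yields a stable gap and near-zero jitter; human
    browsing and batch jobs yield widely varying gaps and large jitter.
    Returns None when there are too few connections to judge.
    """
    gaps = inter_arrival_gaps(times)
    if len(gaps) < 2:
        return None
    med = median(gaps)
    if med <= 0:
        return None
    return med, pstdev(gaps) / med


def find_beacons(records, min_connections=8, max_jitter=0.1):
    """Group connections by (src, dst, port) and flag pairs whose timing
    is regular enough to resemble CnC check-ins. The thresholds are
    assumptions to be tuned per environment."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        score = periodicity_score(times)
        if score is None:
            continue
        med, jitter = score
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "interval_s": med, "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed log, ws-17 is flagged with a 301 s interval and ws-22 is ignored. Agents that randomize their sleep defeat a single jitter threshold, so in practice this score is one input alongside destination rarity and the HTTPS metadata the deck mentions.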
1. Monitoring Unidentifiable Activity (slides 26-27)
While a particular threat may be unknown, its likely intent may be estimated with reasonable accuracy.
Understanding probable intent provides us with defensive knowledge. For example, a threat with the intent of ‘owning’ a machine will likely be indicated by new processes or registry changes.
2. Making sense of unidentifiable activity (slides 28-30)
Monitor all possible network activity by using technology that reports everything it does.
Use available technology to autonomously identify, and block or quarantine, suspect activity.
Use available technology to aggregate, normalize and intelligently correlate diverse data. ‘Short-list’ any remaining suspect activity for further investigation and forensic analysis.
3. Building Situational Awareness (slides 31-34)
Normalize and aggregate data from diverse sources into a single database.
Perform near real-time analysis on data streams to alert on suspect activity.
Provide fast, flexible ad-hoc reporting to examine data from multiple perspectives.
Provide forensic search capabilities on very large sets of raw data.
4. Compliance Automation (slide 36)
Monitor and map detailed real-time event, configuration, asset and vulnerability data to corresponding sections in the underlying compliance policy.
Provide standard and ad-hoc reporting of Compliance over any time frame.
Support manual attestation of process controls associated with compliance.
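How the three bullets fit together (mapping normalized data to policy sections, reporting over an arbitrary time frame, and manual attestation of process controls), as an added example rather than Meridian Group's product: the events are assumed to have already been normalized into one schema, and the policy section IDs, event fields and attestation rules are placeholders.

```python
"""Map normalized security events to compliance policy sections and
report their state over any time frame. Added example; the schema and
the policy section identifiers are placeholders."""
from datetime import datetime, timedelta

# Constructed events, already normalized into one schema regardless of
# the source that produced them (scanner, config management, AV).
EVENTS = [
    {"ts": "2010-03-01T08:00:00", "source": "vuln_scanner", "type": "vuln_found",
     "asset": "db-01", "severity": "high", "open": True},
    {"ts": "2010-03-02T09:15:00", "source": "config_mgmt", "type": "config_change",
     "asset": "fw-01", "approved": False},
    {"ts": "2010-03-02T11:30:00", "source": "vuln_scanner", "type": "vuln_found",
     "asset": "web-03", "severity": "low", "open": True},
    {"ts": "2010-03-04T10:00:00", "source": "av", "type": "av_signature_update",
     "asset": "ws-17"},
]

# Placeholder policy sections. Automated controls are judged from the
# events in the reporting window; manual process controls need a recent
# attestation record instead.
CONTROLS = {
    "POL-4.1 High-severity vulnerabilities are remediated": {
        "kind": "automated",
        "fail_on": lambda e: e["type"] == "vuln_found"
        and e["severity"] == "high" and e.get("open", False),
    },
    "POL-6.2 Firewall changes are approved": {
        "kind": "automated",
        "fail_on": lambda e: e["type"] == "config_change"
        and not e.get("approved", False),
    },
    "POL-9.3 Quarterly access review performed": {"kind": "manual"},
}

# Constructed manual attestation records.
ATTESTATIONS = [
    {"control": "POL-9.3 Quarterly access review performed",
     "ts": "2010-02-20T00:00:00", "by": "it-manager"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def events_in_window(events, start, end):
    """Events with start <= ts < end, so any time frame can be reported."""
    start_dt, end_dt = _parse(start), _parse(end)
    return [e for e in events if start_dt <= _parse(e["ts"]) < end_dt]


def compliance_report(start, end, events=EVENTS, controls=CONTROLS,
                      attestations=ATTESTATIONS, attestation_max_age_days=90):
    """Return {policy section: {"status": ..., "evidence": [...]}}.

    Automated controls fail when any event in the window matches the
    section's failure rule; the matching events are kept as evidence.
    Manual controls are 'attested' only if an attestation exists within
    attestation_max_age_days before the end of the window.
    """
    window = events_in_window(events, start, end)
    end_dt = _parse(end)
    report = {}
    for section, rule in controls.items():
        if rule["kind"] == "automated":
            failures = [e for e in window if rule["fail_on"](e)]
            report[section] = {"status": "fail" if failures else "pass",
                               "evidence": failures}
        else:
            recent = [a for a in attestations
                      if a["control"] == section
                      and timedelta(0) <= end_dt - _parse(a["ts"])
                      <= timedelta(days=attestation_max_age_days)]
            report[section] = {"status": "attested" if recent else "unattested",
                               "evidence": recent}
    return report


if __name__ == "__main__":
    for section, state in compliance_report("2010-03-01T00:00:00",
                                            "2010-04-01T00:00:00").items():
        print(f"{state['status']:<10} {section}")
```

For March 2010 the report fails POL-4.1 and POL-6.2 with the triggering events as evidence and shows POL-9.3 as attested; the same call over a window in June shows POL-9.3 unattested because the February attestation has aged out.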
Conclusion (slides 38-40)
In the era of APTs and unknown threats, a robust Risk Management protocol is vital to operational longevity.
Comprehensive monitoring, normalizing and aggregation of data for Risk Management is only a short step away from compliance automation with the right technology.
Business Continuity and Disaster Recovery planning are more important than ever. Don’t get ‘too big to fail.’ Look at New Orleans.
Thank you! (slide 41)
Marcus Clarke, mclarke@ipkey.com, 505-243-1010
Unknown APT Defense (slide 42)
“Build visibility in one’s organization to provide the situational awareness to have a chance to discover, and hopefully frustrate APT activities.”
“Without information from the network, hosts, logs and other sources, even the most skilled analyst is helpless. Most security shops should be pursuing such programs already.”
IT Security is undergoing a ‘Sea-Change’ (slide 43)
Huge investment in signature-based malware detection and prevention systems (AV, IDS).
This status quo is becoming marginalized as conventional malware is supplanted by botnet agents and other Advanced Persistent Threats (APTs).
Infection vectors are shifting from file-based to web-based, requiring rigorous Application Control mechanisms.
…and no-one wants to hear this (slide 44)
Executives don’t want to hear how much more time and money the changes in today’s IT Security take.
IT Professionals don’t want to hear that most of their defensive technology and skills are obsolete.

More Related Content

What's hot

Security Incident Response Readiness Survey
Security Incident Response Readiness Survey  Security Incident Response Readiness Survey
Security Incident Response Readiness Survey
Rahul Neel Mani
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_final
CMR WORLD TECH
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
FireEye, Inc.
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
Layered Approach - Information Security Recommendations
Layered Approach - Information Security RecommendationsLayered Approach - Information Security Recommendations
Layered Approach - Information Security Recommendations
Michael Kaishar, MSIA | CISSP
 
Dhishant -Latest Resume
Dhishant -Latest ResumeDhishant -Latest Resume
Dhishant -Latest Resume
Dhishant Abrol
 
Cylance Information Security: Compromise Assessment Datasheet
Cylance Information Security: Compromise Assessment DatasheetCylance Information Security: Compromise Assessment Datasheet
Cylance Information Security: Compromise Assessment Datasheet
Innovation Network Technologies: InNet
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
AlienVault
 
Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service
Netpluz Asia Pte Ltd
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control Systems
Muhammad FAHAD
 
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat ProtectionSymantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
infoLock Technologies
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
NetEnrich, Inc.
 
Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016
Amgad Magdy
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
FireEye, Inc.
 
Exploring the Capabilities and Economics of Cybercrime
Exploring the Capabilities and Economics of CybercrimeExploring the Capabilities and Economics of Cybercrime
Exploring the Capabilities and Economics of Cybercrime
Cylance
 
Webinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on UtilitiesWebinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on Utilities
WPICPE
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security Intelligence
Splunk
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
AlienVault
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA Presentation
Marc Crudgington, MBA
 

What's hot (20)

Security Incident Response Readiness Survey
Security Incident Response Readiness Survey  Security Incident Response Readiness Survey
Security Incident Response Readiness Survey
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_final
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
 
Layered Approach - Information Security Recommendations
Layered Approach - Information Security RecommendationsLayered Approach - Information Security Recommendations
Layered Approach - Information Security Recommendations
 
Dhishant -Latest Resume
Dhishant -Latest ResumeDhishant -Latest Resume
Dhishant -Latest Resume
 
Cylance Information Security: Compromise Assessment Datasheet
Cylance Information Security: Compromise Assessment DatasheetCylance Information Security: Compromise Assessment Datasheet
Cylance Information Security: Compromise Assessment Datasheet
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control Systems
 
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat ProtectionSymantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
 
Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
 
Exploring the Capabilities and Economics of Cybercrime
Exploring the Capabilities and Economics of CybercrimeExploring the Capabilities and Economics of Cybercrime
Exploring the Capabilities and Economics of Cybercrime
 
Webinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on UtilitiesWebinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on Utilities
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security Intelligence
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA Presentation
 

Similar to APT Monitoring and Compliance

ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
Cyber Security Alliance
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of Things
Frederic Roy-Gobeil, CPA, CGA, M.Tax.
 
Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017
Blueliv
 
Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017
Blueliv
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
CMR WORLD TECH
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
Panda Security
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
21CT Inc.
 
CWTSBWEB022416 (1)
CWTSBWEB022416 (1)CWTSBWEB022416 (1)
CWTSBWEB022416 (1)
Greg Posten
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting Breaches
Splunk
 
vip_day_2._1130_cloud
vip_day_2._1130_cloudvip_day_2._1130_cloud
vip_day_2._1130_cloud
Nicholas Chia
 
Crack the Code
Crack the CodeCrack the Code
Crack the Code
InnoTech
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
CNSHacking
 
Davitt Potter - CSA Arrow
Davitt Potter - CSA ArrowDavitt Potter - CSA Arrow
Davitt Potter - CSA Arrow
Trish McGinity, CCSK
 
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Inno Eroraha [NetSecurity]
 
Meletis Belsis -CSIRTs
Meletis Belsis -CSIRTsMeletis Belsis -CSIRTs
Meletis Belsis -CSIRTs
Meletis Belsis MPhil/MRes/BSc
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
Lancope, Inc.
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
Mighty Guides, Inc.
 
Cyber Defense Automation
Cyber Defense AutomationCyber Defense Automation
Cyber Defense Automation
♟Sergej Epp
 
10 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 201610 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 2016
Core Security
 
10 Things to Watch for in 2016
10 Things to Watch for in 201610 Things to Watch for in 2016
10 Things to Watch for in 2016
Courion Corporation
 

Similar to APT Monitoring and Compliance (20)

ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of Things
 
Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017
 
Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
 
CWTSBWEB022416 (1)
CWTSBWEB022416 (1)CWTSBWEB022416 (1)
CWTSBWEB022416 (1)
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting Breaches
 
vip_day_2._1130_cloud
vip_day_2._1130_cloudvip_day_2._1130_cloud
vip_day_2._1130_cloud
 
Crack the Code
Crack the CodeCrack the Code
Crack the Code
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
 
Davitt Potter - CSA Arrow
Davitt Potter - CSA ArrowDavitt Potter - CSA Arrow
Davitt Potter - CSA Arrow
 
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
 
Meletis Belsis -CSIRTs
Meletis Belsis -CSIRTsMeletis Belsis -CSIRTs
Meletis Belsis -CSIRTs
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 
Cyber Defense Automation
Cyber Defense AutomationCyber Defense Automation
Cyber Defense Automation
 
10 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 201610 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 2016
 
10 Things to Watch for in 2016
10 Things to Watch for in 201610 Things to Watch for in 2016
10 Things to Watch for in 2016
 

APT Monitoring and Compliance

  • 1. Trends in Compliance Monitoring Compliance Automation How does it work and what are the benefits? Presented by Marcus Clarke Meridian Group
  • 2. Light and Darkness on theStreet If you lose your car keys at night, do you look only under the streetlights? 2 © Meridian Group Inc. 2010
  • 3. Light and Darkness on theStreet If you lose your car keys at night, do you look only under the streetlights? Do you get down on your hands and knees and feel around for them? 3 © Meridian Group Inc. 2010
  • 4. Light and Darkness on IT Street If you lose your car keys at night, do you look only under the streetlights? Do you get down on your hands and knees and feel around for them? Durable monitoring for Compliance and Risk Management requires that we look at everything that’s happening on our networks. But can we see everything? 4 © Meridian Group Inc. 2010
  • 5. Light and Darkness on IT Street If you lose your car keys at night, do you look only under the streetlights? Do you get down on your hands and knees and feel around for them? Durable monitoring for Compliance and Risk Management requires that we look at everything that’s happening on our networks. But can we see everything? No. Not only do we have to look under the lights, but we also have to grope around in the dark. 5 © Meridian Group Inc. 2010
  • 6. Pattern vs. Behavior In the light, we can immediately recognize the visual pattern of a threat. This is similar to being able to immediately recognize the signature (pattern) of a known virus. 6 © Meridian Group Inc. 2010
  • 7. Pattern vs. Behavior In the light, we can immediately recognize the visual pattern of a threat. This is similar to being able to immediately recognize the signature (pattern) of a known virus. In the dark, immediate visual recognition is no longer possible. Using all our senses, we must observe behavior and assemble clues over time to deduce the presence of the threat we cannot see. 7 © Meridian Group Inc. 2010
  • 8. Clarke Threat Matrix 8 © Meridian Group Inc. 2010
  • 9. “Black Swans” A highly improbable, unanticipated event that carries great impact. Ofteninduces ‘expert’ rationalization in hindsight. Frequently associated with ‘experts’ confusing the absence of evidence as evidence of absence. Unseen danger lurks… While typically a risk management issue, Black Swan events can suddenly expose weaknesses in compliance strategy. 9 © Meridian Group Inc. 2010
  • 10. Our street lighting just isn’t the same as it once was. Aggregate infection potential of network compromise based on a network of 100 Windows PCs secure using ‘best practice’ malware defenses © Meridian Group Inc. 2010 10
  • 11. Advanced Persistent Threats (APT) Advanced – Opportunistic operation using the full spectrum of computer intrusion. Designed to actively resist detection and eradication attempts. Persistent – Maximizes control of the target computer by elevating privilege to preserve or regain control and access. Threat – Act as a ‘launch platform’ for a wide variety of malicious activity such as attacks, data theft, extortion and destruction. 11 © Meridian Group Inc. 2010
  • 12. © Meridian Group Inc. 2010 12
  • 13. Anatomy of a Known APT operation… The primary detectable evidence of APT infection is the traffic to the Command and Control (CnC) servers. This channel is also used to download new code. Almost all APTs use HTTPS to encrypt CnC traffic to ensure egress and avoid inspection. Use techniques such as Domain Fluxing to obfuscate CnC host identification and location 13 © Meridian Group Inc. 2010
  • 14. Strategic Priorities Currently known (detectable) APTs are the primary concern for all organizations. Relatively inexpensive to detect today. 14 © Meridian Group Inc. 2010
  • 15. Strategic Priorities Currently known (detectable) APTs are the primary concern for all organizations. Relatively inexpensive to detect today. Unknown APTs and Zero-day Exploits are a secondary focus. Not only because we believe they are less common, but because they are much more expensive to detect. 15 © Meridian Group Inc. 2010
  • 16. Strategic Priorities Currently known (detectable) APTs are the primary concern for all organizations. Relatively inexpensive to detect today. Unknown APTs and Zero-day Exploits are a secondary focus. Not only because we believe they are less common, but because they are much more expensive to detect. Black Swan exploits are specifically unknowable without prior knowledge, but consequences can’t be ignored. Business Continuity planning. 16 © Meridian Group Inc. 2010
  • 17. 17 © Meridian Group Inc. 2010
  • 18. 18 © Meridian Group Inc. 2010
  • 19. APT Defense is Possible Requires prior knowledge of common APT behavior. Have to know what to look for – for example periodic CnC traffic. Works very well for popular APT toolkits such as Zeus, so effective for vast majority of current APTs. Accept that defense today occurs after the fact. Sooner is better. Immediate is best. 19 © Meridian Group Inc. 2010
  • 20. 20 © Meridian Group Inc. 2010
  • 21. 21 © Meridian Group Inc. 2010
  • 22. 22 © Meridian Group Inc. 2010
  • 23. 23 © Meridian Group Inc. 2010
  • 24. 24 © Meridian Group Inc. 2010
  • 25. 25 © Meridian Group Inc. 2010
  • 27. 1. Monitoring Unidentifiable Activity While a particular threat may be unknown, its likely intent may be estimated with reasonable accuracy. Understanding probable intent provides us with defensive knowledge. For example, a threat with the intent of ‘owning’ a machine will likely be indicated by new processes or registry changes.
  • 30. 2. Making sense of unidentifiable activity Monitor all possible network activity by using technology that reports everything it does. Use available technology to autonomously identify, and block or quarantine, suspect activity. Use available technology to aggregate, normalize and intelligently correlate diverse data. ‘Short-list’ any remaining suspect activity for further investigation and forensic analysis.
  • 34. 3. Building Situational Awareness Normalize and aggregate data from diverse sources into a single database. Perform near real-time analysis on data streams to alert on suspect activity. Provide fast, flexible ad-hoc reporting to examine data from multiple perspectives. Provide forensic search capabilities on very large sets of raw data.
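The periodic CnC traffic of slide 19 and the normalize, aggregate and correlate pipeline of slides 28 to 34, as an added example that is not part of the deck: two constructed log formats are mapped onto one schema and then scanned for host pairs whose connections recur at near-constant intervals. The log formats, the addresses and the 0.1 coefficient-of-variation threshold are assumptions.

```python
# Added example, not from the deck: normalize two constructed log formats into
# one schema, then flag host pairs that connect at near-constant intervals.
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample lines, not real traffic: a proxy log and a flow log.
PROXY_LOG = """\
2010-05-01T10:00:00 src=10.0.0.5 dst=203.0.113.7 method=CONNECT port=443
2010-05-01T10:05:01 src=10.0.0.5 dst=203.0.113.7 method=CONNECT port=443
2010-05-01T10:10:00 src=10.0.0.5 dst=203.0.113.7 method=CONNECT port=443
2010-05-01T10:15:02 src=10.0.0.5 dst=203.0.113.7 method=CONNECT port=443
"""
FLOW_LOG = """\
1272708000 10.0.0.9 198.51.100.3 443 TCP
1272708090 10.0.0.9 198.51.100.3 443 TCP
1272709900 10.0.0.9 198.51.100.3 443 TCP
1272711000 10.0.0.9 198.51.100.3 443 TCP
"""
PROXY_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) method=\S+ port=(\d+)$")

def normalize(proxy_text, flow_text):
    """Map both formats onto one schema: (epoch seconds, src, dst, dport)."""
    events = []
    for line in proxy_text.splitlines():
        ts, src, dst, port = PROXY_RE.match(line).groups()
        epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        events.append((epoch, src, dst, int(port)))
    for line in flow_text.splitlines():
        ts, src, dst, port, _proto = line.split()
        events.append((float(ts), src, dst, int(port)))
    return sorted(events)

def find_beacons(events, min_events=4, max_cv=0.1):
    """Return {(src, dst, dport): mean period in s} for pairs whose gaps have a
    low coefficient of variation: timer-driven check-ins, unlike bursty browsing."""
    by_pair = defaultdict(list)
    for epoch, src, dst, dport in events:
        by_pair[(src, dst, dport)].append(epoch)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            beacons[pair] = round(period, 1)
    return beacons
```

The proxy pair checks in roughly every 300 s and is short-listed; the flow pair's gaps of 90, 1810 and 1100 s are too irregular to qualify.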
  • 36. 4. Compliance Automation Monitor and map detailed real-time event, configuration, asset and vulnerability data to the corresponding sections of the underlying compliance policy. Provide standard and ad-hoc reporting of compliance over any time frame. Support manual attestation of the process controls associated with compliance.
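Slide 36's mapping of event, asset and vulnerability data to policy sections, as an added example not taken from the deck: a small engine that evaluates each policy section over an arbitrary window, automating the two controls the event data can answer and falling back to recorded manual attestation for the process control. The policy section identifiers, assets, events and the 30-day and 90-day limits are all constructed assumptions.

```python
# Added example, not from the deck: a minimal compliance-automation engine that
# maps normalized events to hypothetical policy sections over any time window.
from datetime import datetime, timedelta

ASSETS = {"ws-01", "ws-02", "srv-01"}   # constructed asset inventory
DAY = timedelta(days=1)
def t(s):
    return datetime.strptime(s, "%Y-%m-%d")

# Constructed normalized events: (timestamp, source, event type, host, detail)
EVENTS = [
    (t("2010-05-02"), "av", "heartbeat", "ws-01", None),
    (t("2010-05-02"), "av", "heartbeat", "srv-01", None),
    (t("2010-04-01"), "vulnscan", "open", "srv-01", "critical"),
    (t("2010-05-03"), "vulnscan", "open", "ws-02", "critical"),
]
# Constructed manual attestations: (timestamp, policy section id, attester)
ATTESTATIONS = [(t("2010-04-10"), "SEC-8.4", "j.doe")]

def av_on_all_assets(events, start, end):
    """Every inventoried asset reported an AV heartbeat inside the window."""
    seen = {host for ts, src, kind, host, _ in events
            if src == "av" and kind == "heartbeat" and start <= ts <= end}
    return ASSETS <= seen

def no_stale_critical_vulns(events, start, end):
    """No critical finding known at window end is older than 30 days."""
    return not any(src == "vulnscan" and detail == "critical" and end - ts > 30 * DAY
                   for ts, src, _, _, detail in events if ts <= end)

# Policy section -> automated check, or None for a process control that needs
# a manual attestation no older than 90 days at the end of the window.
POLICY = {
    "SEC-3.1 Endpoint protection active on every asset": av_on_all_assets,
    "SEC-5.2 Critical vulnerabilities fixed within 30 days": no_stale_critical_vulns,
    "SEC-8.4 Quarterly access review performed": None,
}

def compliance_report(start, end, events=EVENTS, attestations=ATTESTATIONS):
    report = {}
    for section, check in POLICY.items():
        if check is not None:
            report[section] = "PASS" if check(events, start, end) else "FAIL"
            continue
        sid = section.split()[0]
        fresh = [a for ts, cid, a in attestations
                 if cid == sid and end - 90 * DAY <= ts <= end]
        report[section] = "ATTESTED" if fresh else "MISSING"
    return report
```

Running the report for the first week of May 2010 against the sample data fails both automated controls (ws-02 has no heartbeat, srv-01's critical finding is 36 days old) while the April attestation still satisfies the access-review control.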
  • 40. Conclusion In the era of APTs and unknown threats, a robust Risk Management protocol is vital to operational longevity. Comprehensive monitoring, normalizing and aggregation of data for Risk Management is only a short step away from compliance automation with the right technology. Business Continuity and Disaster Recovery planning are more important than ever. Don’t get ‘too big to fail.’ Look at New Orleans.
  • 41. Thank you! Marcus Clarke mclarke@ipkey.com 505-243-1010
  • 42. Unknown APT Defense “Build visibility in one’s organization to provide the situational awareness to have a chance to discover, and hopefully frustrate APT activities.” “Without information from the network, hosts, logs and other sources, even the most skilled analyst is helpless. Most security shops should be pursuing such programs already.”
  • 43. IT Security is undergoing a ‘Sea-Change’ Huge investment has gone into signature-based malware detection and prevention systems (AV, IDS). This status quo is becoming marginalized as conventional malware is supplanted by botnet agents and other Advanced Persistent Threats (APTs). Infection vectors are shifting from file based to web based, requiring rigorous Application Control mechanisms.
  • 44. …and no-one wants to hear this Executives don’t want to hear how much more time and money the changes in today’s IT Security take. IT Professionals don’t want to hear that most of their defensive technology and skills are obsolete.