Combating Advanced Persistent Threats
with Flow-based Security Monitoring
Jeffrey M. Wells, CCIE, CISSP
Sr. Systems Engineer
Lancope
Know Your Network, Run Your Business
Poll Question
What is your organization’s top security concern?
A. Insider Threats
B. Advanced Persistent Threats (Directed Attacks)
C. Virtualization / Cloud Computing
D. IT Consumerization / User Mobility / BYOD
E. Compliance
2 ©2011 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
What is an Advanced Persistent Threat?
Examples: “Operation Aurora” against Google and at least 20 other large companies in 2009; the attack on HBGary Federal in February 2011; and the 2011 RSA breach, later linked to intrusions at over 700 other companies.
It’s Advanced…
• in that the attacker uses the full spectrum of available tools, including social engineering, to accomplish his or her goals. The toolset and methods mean these will likely evade traditional signature-based detection methods.
It’s Persistent…
• in that the attacker defines a target and then focuses resources on that target, rather than casting a net in the dark. This is what makes this type of attack so dangerous. Rather than playing the odds, one must actively defend oneself from it.
It’s a Threat…
• this should be self-explanatory.
Anatomy of an APT attack - HBGary
• HBGary Federal was attacked by Anonymous in February 2011 after its CEO, Aaron Barr, claimed to have identified the group’s leadership and planned to publicize it.
• HBGary Federal sought to “out” members of Anonymous and had separately proposed a campaign against WikiLeaks and its supporters; both came to light in the stolen e-mails.
• Anonymous found out and launched a full frontal assault on HBGary. The intrusion chained a SQL injection in HBGary Federal’s web CMS, cracked password hashes, reused passwords and a social-engineering e-mail that obtained root on rootkit.com.
• HBGary website defaced, e-mails stolen, backups deleted, Twitter and LinkedIn accounts hacked, etc.
• Massive damage to HBGary’s reputation.
• Cleanup could take weeks or months.
• HBGary vs. Anonymous: story by Ars Technica
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
Anatomy of an APT attack - RSA
• In early 2011 (disclosed in March) RSA was subjected to an attack by intruders widely attributed to China. Per RSA’s own write-up, it began with a spear-phishing e-mail carrying an Excel attachment that exploited a then-unpatched Flash vulnerability, installed a remote-access tool (Poison Ivy), and ended with SecurID-related data staged and exfiltrated over FTP.
• RSA suffered enormous brand damage and, after the stolen data was used in an attempt against Lockheed Martin, was forced to replace existing tokens in the field.
• Read more: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Footnote: the same intrusion campaign was repeated against hundreds of other companies, as revealed in fall 2011.
APTs in the news
APTs are here to stay
• Facts:
– APTs are an evolution of cybercrime: the beginnings of truly organized behavior designed to cost you money.
– APTs are proliferating. There are many examples, and they target pretty much every large company.
– APTs evade traditional, signature-based detection.
– Many companies do not discover that they’ve been targeted until long after it’s over.
APT characteristics for the investigator
• An APT will generally involve:
– Information gathering via social media and Google search; this is how the targets for the social-engineering phase are identified.
– Exploitation of common vulnerabilities in support of the above.
– Targeted social-engineering attacks against the identified users.
– Compromise of one or more internal machines and installation of remote-control software of some kind.
– Data mining from the inside.
– Exfiltration of data.
• Network-based APT detection boils down to discovering the command-and-control connections, the internal data mining, and the exfiltration activity. As with all attacks, success is measured by the time elapsed between attack and discovery.
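The deck says network-based detection comes down to finding the command-and-control, data-mining and exfiltration traffic, but does not show how a C2 channel looks in flow data. The following is an added example (not Lancope code) of the simplest flow-only C2 indicator: beaconing, where the same (source, destination, port) tuple recurs at nearly constant intervals. It scores regularity as the coefficient of variation of the gaps between consecutive flow starts. The flow records, the 5-minute interval, the jitter and the thresholds are all constructed assumptions.

```python
"""Beacon (command-and-control) detection over flow records.

Added example, not code from the Lancope deck.  It looks for the regular,
low-volume call-home pattern that implants produce: the same
(source, destination, port) tuple recurring at nearly constant intervals.
The flow records below are constructed, not captured.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# (start_time_s, src_ip, dst_ip, dst_port, octets): the fields a NetFlow
# record supplies; timestamps are seconds since an arbitrary epoch.
Flow = Tuple[int, str, str, int, int]


def find_beacons(flows: List[Flow], min_events: int = 8,
                 max_cv: float = 0.15) -> List[Dict]:
    """Return (src, dst, port) tuples whose start times are suspiciously regular.

    Regularity is the coefficient of variation (stddev / mean) of the gaps
    between consecutive flow starts.  A human browsing a site produces gaps
    that vary by hundreds of percent; a timer-driven implant with a little
    jitter stays within a few percent.  Thresholds are assumptions.
    """
    starts: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for t, src, dst, dport, _octets in flows:
        starts[(src, dst, dport)].append(t)

    beacons = []
    for key, times in starts.items():
        if len(times) < min_events:          # too few samples to judge
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons.append({"src": key[0], "dst": key[1], "dport": key[2],
                            "events": len(times),
                            "interval_s": round(mean_gap),
                            "cv": round(cv, 3)})
    return beacons


def sample_flows() -> List[Flow]:
    """Constructed traffic: one jittered 5-minute beacon plus ordinary browsing."""
    flows: List[Flow] = []
    # Implant on 10.1.1.5 calling 203.0.113.7:443 every ~300 s with +/-10 s jitter.
    jitter = [0, 7, -4, 9, -8, 3, -6, 1, 5, -9, 2, -3, 8, -1, 4, -7, 6, -2,
              0, 3, -5, 9, -4]
    t = 1000
    flows.append((t, "10.1.1.5", "203.0.113.7", 443, 1200))
    for j in jitter:
        t += 300 + j
        flows.append((t, "10.1.1.5", "203.0.113.7", 443, 1200))
    # The same workstation browsing a legitimate site at irregular intervals.
    t = 1500
    flows.append((t, "10.1.1.5", "198.51.100.30", 443, 50_000))
    for gap in [5, 340, 12, 900, 60, 1500, 3, 700, 250, 40]:
        t += gap
        flows.append((t, "10.1.1.5", "198.51.100.30", 443, 50_000))
    return flows


if __name__ == "__main__":
    for b in find_beacons(sample_flows()):
        print(f"beacon {b['src']} -> {b['dst']}:{b['dport']} "
              f"every {b['interval_s']}s ({b['events']} events, cv={b['cv']})")
```

Only the 300-second pattern to 203.0.113.7 comes out; the browsing to 198.51.100.30 has a coefficient of variation above 1 and is ignored. In production the output still needs an allowlist for legitimately periodic traffic (NTP, update checks, monitoring agents), and a long-lived single connection never shows up here at all, which is why the deck’s long-lived-connection check is a separate indicator.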
APT Survey by Ponemon Institute, June 2010
• “Prevention and detection of advanced threats is difficult. Organizations risk a costly data breach because detection of an advanced threat takes too long. 80 percent of respondents say it takes a day or longer to detect an advanced threat and 46 percent say it takes 30 days or longer. This leaves a huge window of opportunity to steal confidential or sensitive information. In addition, 79 percent believe that advanced threats are very difficult to prevent, detect and resolve.”
• “The most effective technologies have yet to be deployed. 92 percent of respondents believe network and traffic intelligence solutions are essential, very important or important. Yet, only 8 percent say these technologies are their first choice to detect or prevent an advanced threat. 69 percent of respondents say that AV and 61 percent of respondents say that IDS are typically used to detect or discover advanced threats. Yet, 90 percent report that exploits or malware have either evaded their IDS systems or they are unsure. 91 percent say that exploits and malware have evaded their AV systems or they are unsure. The same percentage (91 percent) believes exploits bypassing their IDS and AV systems to be advanced threats.”
User Behavior
[Diagram: one user’s daily traffic from the internal network through the DMZ to the Internet.]
This goes on, day after day…
And then… an FTP connection to a foreign destination. This is a behavioral anomaly.
Anomalous Behavior
• If you’re focused solely on a single actor, behavioral anomalies are relatively simple to spot.
• As the observed population increases, it becomes increasingly difficult to spot anomalies.
Where’s Waldo?
Brains and Computers
• Our brains happen to be good at focusing on detail or recognizing patterns in limited datasets but very bad at dealing with huge amounts of rapidly-evolving data at once.
• Computers, on the other hand, do not suffer from this limitation.
Email interconnection graph
[Graph: a network of devices speaking SMTP to one another.]
This is a network of devices speaking SMTP. If they spoke something else it would be trivial to detect – as long as we were focusing on this network as a group and not trying to watch all the other systems that live alongside these devices.
Typical Corporate Environment
[Diagram: DMZ, VPN and internal network with multiple Internet and 3G edges.]
Even though it seems difficult to enumerate the protocols and behaviors on such a network, a statistical system can do so with ease.
APT Detection Objectives and Requirements
• Objectives:
– Discover APT behavior as rapidly as possible
– Discover compromised machines in my environment
– Discover potential exfiltrations of data
– Some sort of scoring or prioritization of alarms to direct response
• Requirements:
– Data sources
– Collection infrastructure
– Analysis infrastructure
– Reporting and alerting engine
• Potential data sources:
– SYSLOG, IDS/IPS probes, distributed data capture, SNMP, RMON probes, host AV/AS agents, host IDS/IPS agents
– NetFlow
Data Source Caveats
• SYSLOG: Very painful to parse due to the vast number of different potential messages. May or may not contain what you need.
• IDS/IPS probes: Expensive to install and maintain; reliance on signature-based technologies makes them less useful for APT detection.
• Distributed data capture: Extremely expensive to install and maintain, large amount of hardware required, very inefficient: most of the useful information comes from a tiny percentage of the gathered data.
• SNMP: Not enough information on its own to be particularly useful; polled counters are coarse in time.
• RMON: Expensive to install and maintain, limited support.
• Host agents: Expensive to install and maintain; reliance on signature-based technologies not particularly useful; proprietary data output difficult to integrate and correlate; host context limits understanding of network behavior.
• Flow-based technology: May not be supported by all of your network hardware, and where only sampled export (sampled NetFlow, sFlow) is available, the low-volume conversations that matter most for C2 detection can be missed.
Flow-based monitoring basics
[Diagram: routers and switches at the DMZ, VPN, internal network and 3G/Internet edges export NetFlow packets to a FlowCollector.]
Each NetFlow record summarizes one conversation:
– src and dst IP
– src and dst port
– start time
– end time
– MAC address
– byte count
– and more (IP protocol, packet count, TCP flags seen, input/output interfaces)
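To make the record layout above concrete, here is an added example (not Lancope code) that builds a NetFlow v5 export datagram the way an exporter would and parses it back the way a collector does. It follows the published NetFlow v5 layout (24-byte header, 48-byte records, at most 30 records per datagram). The two flows inside, a DNS lookup and a 30-minute, 1 GB SSH session to an outside host, are constructed; the host addresses and timestamps are assumptions.

```python
"""NetFlow v5 export parsing: from exporter datagram to flow records.

Added example, not Lancope code.  It builds a constructed NetFlow v5
datagram the way a router would and parses it back with the layout a
collector uses (24-byte header, 48-byte records).
"""
import socket
import struct
from dataclasses import dataclass
from typing import List

HEADER_FMT = ">HHIIIIBBH"                 # version, count, sys_uptime, unix_secs,
                                          # unix_nsecs, flow_sequence, engine_type,
                                          # engine_id, sampling_interval
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"   # srcaddr, dstaddr, nexthop, input, output,
                                          # dPkts, dOctets, first, last, srcport,
                                          # dstport, pad1, tcp_flags, prot, tos,
                                          # src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30                          # v5 exporters send at most 30 per datagram


@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int        # IP protocol number: 6 = TCP, 17 = UDP
    packets: int
    octets: int
    first_ms: int        # exporter uptime (ms) when the flow was first seen
    last_ms: int         # exporter uptime (ms) when it was last seen
    tcp_flags: int       # OR of all TCP flags seen in the flow

    @property
    def duration_s(self) -> float:
        return (self.last_ms - self.first_ms) / 1000.0

    @property
    def mbps(self) -> float:
        """Average rate over the flow's lifetime (0 for sub-millisecond flows)."""
        return 0.0 if self.duration_s <= 0 else self.octets * 8 / self.duration_s / 1e6


def parse_netflow_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one exporter datagram.  The datagram is untrusted input, so every
    length is checked against the actual payload before any record is read."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_rest = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count inconsistent with datagram length")

    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack(
            RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, proto, pkts, octets, first, last, flags))
    return records


def _record(src, dst, sport, dport, proto, pkts, octets, first, last, flags) -> bytes:
    """Pack one v5 record (next hop, AS numbers and ToS left at zero)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0\0\0\0", 1, 2, pkts, octets, first, last, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)


def sample_datagram() -> bytes:
    """Constructed export: a DNS lookup and a 30-minute, 1 GB SSH session to an
    outside host, the kind of long-lived, high-volume conversation the deck
    points at."""
    uptime_ms = 3_600_000
    header = struct.pack(HEADER_FMT, 5, 2, uptime_ms, 1_300_000_000, 0, 1, 0, 0, 0)
    dns = _record("10.1.1.5", "10.1.1.2", 53211, 53, 17, 1, 74,
                  uptime_ms - 5, uptime_ms - 5, 0)
    ssh = _record("10.1.1.5", "203.0.113.7", 41234, 22, 6, 900_000, 1_000_000_000,
                  uptime_ms - 1_800_000, uptime_ms, 0x1A)   # SYN|PSH|ACK seen
    return header + dns + ssh


if __name__ == "__main__":
    for r in parse_netflow_v5(sample_datagram()):
        print(f"{r.src_ip}:{r.src_port} -> {r.dst_ip}:{r.dst_port} proto={r.protocol} "
              f"{r.octets} B over {r.duration_s:.0f}s ({r.mbps:.2f} Mbps)")
```

Two details matter for a collector that faces the Internet or a compromised exporter: the record count in the header is bounded by the real payload length before any record is unpacked, and `first`/`last` are exporter uptime, not wall-clock time, so converting them needs the header’s `sys_uptime` and `unix_secs` pair. Note also that a single v5 record caps at 4 GB of octets, and routers expire long flows on an active timeout (30 minutes by default on Cisco IOS), so the deck’s 5-hour SSH session would arrive as a series of records that the collector has to stitch together.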
Major advantages of flow-based telemetry
• Fixed and highly-standardized records: easy to create, transport, compress and parse.
• Generated by the network hardware you already own.
• Generation not specifically limited by topology or data rates.
• Simple record types lend themselves to rapid and near-real-time analysis on even the biggest, busiest networks.
• Most visibility objectives achievable with no need for probes or signatures.
• Flow export records every conversation that crosses an exporting device, whether or not the payload is encrypted or crafted to evade payload inspection; the remaining blind spots are paths that cross no exporter and sampled export.
• Can easily be correlated to other data sources to enrich the results.
Example: NetFlow Technology in a Cisco environment
[Diagram: sites in Atlanta, San Jose and New York with a DMZ, WAN and datacenter; NetFlow exported from ASR-1000, Cat6k, Cat4k, 3925 ISR, 3560-X, 3750-X stacks, ASA and UCS with Nexus 1000v to a Lancope NetFlow Collector.]
NetFlow at 10G+
[Diagram: high-speed links exporting NetFlow to a Lancope NetFlow Collector.]
NetFlow Collection in the WAN
[Diagram: NetFlow packets from WAN routers to a Lancope NetFlow Collector.]
NetFlow Technology simplified
[Diagram: a NetFlow record compared to a telephone bill: who talked to whom, when, and for how long, without the content of the call.]
The Science of Flow Analysis
• Lancope specializes in Behavior-based Network Flow Analysis
• Detects attacks by baselining and analyzing network traffic patterns
• Excellent defense in depth strategy to aid in defense of critical assets
• Over 600 customers world-wide
• Designed for the large enterprise
http://netflowninjas.lancope.com
Flow-based telemetry in action
Visibility into “normal” network behavior.
What is all this HTTP traffic?
Detection of anomalous behavior. Circa 2003!
Manual analysis
Deduplicated Host Groups provide the basis for many Reports, Baselines, Top N lists, etc.
Manual analysis, continued
A 5-hour, 6 Mbps SSH connection?
Flow Statistical Analysis
StealthWatch Threat Indexes – Attack Detection Without Sigs
StealthWatch tracks not only the statistical behavior of normal traffic, but also the behavior of well over a hundred specific network traffic patterns. Concern points are generated by anomalous changes in any – and all – of these.
Examples: the number of new connections to or from a device; connection attempts that go unanswered (common in scanning); new ports seen; the number of clients for a server or service; rejected traffic; long-lived connections.
StealthWatch also alerts when the concern index itself changes.
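The indicators listed above are simple to compute from flow records once the two directions of a conversation can be matched. The following added example (not StealthWatch code) turns four of them, unanswered connection attempts, new client ports against a per-host baseline, long-lived connections and connection fan-out, into concern points and alerts on hosts whose total crosses a threshold. The point weights, the threshold, the baseline port sets and the flows (a scanning host, a host with a 5-hour SSH session to an outside address, and a quiet host) are constructed assumptions.

```python
"""Signature-free concern scoring from flow records.

Added example, not StealthWatch code.  It implements a few of the behavioral
indicators the deck lists (unanswered connection attempts, new client ports,
long-lived connections, connection fan-out) as points against a per-host
baseline, then alerts on hosts whose total concern crosses a threshold.
Flows, baselines and weights are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str      # "tcp" or "udp"
    packets: int
    duration_s: float
    flags: str      # TCP flags seen, e.g. "S" (SYN only) or "SPA"


# Points per indicator (assumed weights for the example).
POINTS = {"unanswered": 5, "new_port": 20, "long_lived": 50, "fanout": 2}
LONG_LIVED_S = 3600       # a connection this long earns long-lived points
FANOUT_FREE = 20          # distinct peers a host may talk to before fan-out counts
ALERT_THRESHOLD = 50
INTERNAL_PREFIX = "10."   # hosts we score (inside hosts)

# Learned baseline (constructed): server ports each host normally connects to.
BASELINE_PORTS: Dict[str, Set[int]] = {
    "10.1.1.5": {53, 80, 443},
    "10.1.1.7": {53, 80, 443},
    "10.1.1.9": {53, 80, 443, 445},
}


def score_hosts(flows: List[Flow], baseline: Dict[str, Set[int]]) -> Dict[str, Dict]:
    """Concern index per inside host from one interval of unidirectional flows."""
    seen = {(f.src, f.dst, f.sport, f.dport) for f in flows}
    hosts = {f.src for f in flows if f.src.startswith(INTERNAL_PREFIX)}
    result: Dict[str, Dict] = {}
    for host in sorted(hosts):
        # Crude initiator heuristic: ephemeral source port.  A real collector
        # pairs the two directions into one bidirectional record instead.
        out = [f for f in flows if f.src == host and f.sport >= 1024]
        # A SYN-only TCP flow with no flow in the reverse direction is an
        # unanswered attempt, the signature of scanning without a signature.
        unanswered = sum(1 for f in out if f.proto == "tcp" and f.flags == "S"
                         and (f.dst, f.src, f.dport, f.sport) not in seen)
        new_ports = {f.dport for f in out} - baseline.get(host, set())
        long_lived = sum(1 for f in out if f.duration_s >= LONG_LIVED_S)
        peers = len({f.dst for f in out})
        ci = (POINTS["unanswered"] * unanswered
              + POINTS["new_port"] * len(new_ports)
              + POINTS["long_lived"] * long_lived
              + POINTS["fanout"] * max(0, peers - FANOUT_FREE))
        result[host] = {"ci": ci, "unanswered": unanswered, "new_ports": new_ports,
                        "long_lived": long_lived, "peers": peers}
    return result


def alerts(scores: Dict[str, Dict], threshold: int = ALERT_THRESHOLD) -> List[str]:
    return [h for h, s in scores.items() if s["ci"] >= threshold]


def _session(src, dst, sport, dport, proto="tcp", duration=2.0, flags="SPA"):
    """Both directions of an answered conversation."""
    return [Flow(src, dst, sport, dport, proto, 20, duration, flags),
            Flow(dst, src, dport, sport, proto, 18, duration, flags)]


def sample_flows() -> List[Flow]:
    flows: List[Flow] = []
    # 10.1.1.7: ordinary web use only.
    flows += _session("10.1.1.7", "198.51.100.30", 50100, 443)
    # 10.1.1.5: ordinary web use plus a 5-hour SSH session to an outside host.
    flows += _session("10.1.1.5", "198.51.100.30", 50200, 443)
    flows += _session("10.1.1.5", "10.1.1.2", 50201, 53, proto="udp", flags="")
    flows += _session("10.1.1.5", "203.0.113.7", 41234, 22, duration=5 * 3600)
    # 10.1.1.9: SYN sweep of 10.1.2.0/24 on port 445 with no replies.
    for i in range(1, 41):
        flows.append(Flow("10.1.1.9", f"10.1.2.{i}", 51000 + i, 445, "tcp", 1, 0.0, "S"))
    return flows


if __name__ == "__main__":
    scores = score_hosts(sample_flows(), BASELINE_PORTS)
    for host in alerts(scores):
        print(host, scores[host])
```

The scanner scores on unanswered attempts and fan-out alone, and 445 is not flagged as a new port because that host already talks SMB; the workstation with the SSH session scores on a port it has never used plus the connection’s lifetime. The deck’s last point, alerting on a change in the concern index itself, is the natural next step: keep yesterday’s `ci` per host and alert on the delta as well as the absolute value.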
Target and specialized protocol tracking
• StealthWatch pays particular attention to hosts “touched” by a host with high concern.
• StealthWatch creates “Target Index” reporting for these hosts, including “Touched Hosts” and “Touched Hosts with high CI.”
• StealthWatch has special handling for protocols commonly used for file sharing.
• StealthWatch has special logic to watch for and alert on “worm behavior”.
All of these are completely automatic, out-of-the-box capabilities of the system.
Host Group tracking
Creating host groups by function, type or location allows the system to easily spot and track anomalous behavior for hosts with high degrees of inherent predictability. The system will, for example, automatically tell you when your web servers have stopped behaving like web servers.
Relational Flow Maps
The powerful Relational Flow Mapping feature allows you to track the relationships between your host groups as well as their relationships to external groups, whether they are business partners, Internet hosts, countries, or suspicious hosts from threat feeds. Once the relationship is established, StealthWatch automatically creates a statistical baseline and applies its anomaly detection logic to the relationship.
Relational Anomaly Detection example: PCI hosts (Secure Zone)
[Screenshot: relational flow map for the PCI Secure Zone host group.]
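The host-group and relational-map slides above describe the same mechanism from two sides: classify hosts into groups, then baseline each group-to-group relationship and judge traffic against it. The following added example (not StealthWatch code) does both. Host groups are address ranges, the baseline records which relationships exist, on which server ports and at what daily volume, and the evaluation raises three kinds of alert: a relationship that has never existed (a PCI host to the Internet over FTP), a new server port on an existing relationship (a web server initiating SSH outbound, which is what "web servers stopped behaving like web servers" looks like in flow data), and a volume far above baseline. The groups, the baseline numbers, the 3x volume factor and the day of traffic are constructed assumptions.

```python
"""Host-group roles and relational baselines over flow records.

Added example, not StealthWatch code.  Hosts are classified into groups by
address range; a baseline (constructed here, learned over time in practice)
records which group-to-group relationships exist, on which server ports and
at what daily volume.  Traffic is judged against the relationship it belongs
to, so a PCI host opening FTP to the Internet or a web server initiating SSH
outbound stands out even though each flow looks ordinary on its own.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Host groups by function / location (constructed).  Anything unmatched is
# treated as an outside (Internet) host.
HOST_GROUPS: Dict[str, List[str]] = {
    "Web Servers": ["10.5.0.0/24"],
    "DB Servers": ["10.2.0.0/24"],
    "PCI Zone": ["10.9.0.0/24"],
    "Employees": ["10.1.0.0/16"],
}
_NETS = [(name, ipaddress.ip_network(n))
         for name, nets in HOST_GROUPS.items() for n in nets]


def group_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS:
        if addr in net:
            return name
    return "Internet"


@dataclass(frozen=True)
class Flow:
    src: str      # initiator
    dst: str      # responder
    dport: int    # server port
    octets: int


Relationship = Tuple[str, str]
# (src group, dst group) -> (server ports seen in baseline, typical daily octets)
BASELINE: Dict[Relationship, Tuple[Set[int], int]] = {
    ("Internet", "Web Servers"): ({80, 443}, 20_000_000_000),
    ("Web Servers", "DB Servers"): ({3306}, 5_000_000_000),
    ("Web Servers", "Internet"): ({80, 443}, 100_000_000),      # patch downloads
    ("Employees", "Web Servers"): ({80, 443}, 2_000_000_000),
    ("Employees", "Internet"): ({53, 80, 443}, 40_000_000_000),
    ("Employees", "PCI Zone"): ({443}, 100_000_000),
    ("PCI Zone", "DB Servers"): ({3306}, 500_000_000),
}
VOLUME_FACTOR = 3   # alert when a day's volume exceeds 3x the baseline


def evaluate(flows: List[Flow], baseline=BASELINE) -> List[Tuple]:
    """Roll flows up to group-to-group relationships and compare with baseline."""
    observed: Dict[Relationship, List] = defaultdict(lambda: [set(), 0])
    for f in flows:
        rel = (group_of(f.src), group_of(f.dst))
        observed[rel][0].add(f.dport)
        observed[rel][1] += f.octets

    found: List[Tuple] = []
    for rel, (ports, octets) in observed.items():
        if rel not in baseline:
            found.append(("new relationship", rel, sorted(ports)))
            continue
        allowed, typical = baseline[rel]
        new_ports = ports - allowed
        if new_ports:
            found.append(("new port", rel, sorted(new_ports)))
        if octets > VOLUME_FACTOR * typical:
            found.append(("volume", rel, octets))
    return sorted(found, key=lambda a: (a[0], a[1]))


SAMPLE_FLOWS = [  # constructed day of traffic
    Flow("198.51.100.20", "10.5.0.10", 443, 500_000_000),      # normal
    Flow("10.5.0.10", "10.2.0.5", 3306, 100_000_000),          # normal
    Flow("10.1.4.22", "10.9.0.4", 443, 5_000_000),             # normal
    Flow("10.9.0.4", "10.2.0.8", 3306, 50_000_000),            # normal
    Flow("10.9.0.4", "203.0.113.7", 21, 2_000_000_000),        # PCI host -> FTP on the Internet
    Flow("10.5.0.10", "203.0.113.9", 22, 300_000),             # web server opening SSH outbound
    Flow("10.1.4.22", "203.0.113.50", 443, 150_000_000_000),   # 150 GB out from one workstation
]

if __name__ == "__main__":
    for kind, rel, detail in evaluate(SAMPLE_FLOWS):
        print(f"{kind}: {rel[0]} -> {rel[1]} {detail}")
```

Group assignment is done per flow here; a real system resolves it once per host and also tags outside addresses by country or threat feed, which is what turns "Internet" into the richer external groups the slide mentions. The relational view is what makes the FTP upload visible: per host it is one more connection, per relationship it is a pair of groups that should never talk.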
Custom views match your particular area of interest
• Custom charts focusing on particular alerts related to APT events
• Relational flow map to track behavior between areas of high interest
• List of hosts currently creating high concern
• List of internal hosts exhibiting active scanning behavior
• All documents are active – current alerts shown over objects as callouts in real time
Drill down from anywhere to any level of detail
Every object is active and can be used as a starting point to drill in for investigation.
Enhanced Application Monitoring
• Accelerates troubleshooting and forensic investigations
• Quickly differentiate between applications
• Easily determine which applications are causing performance or security problems
• Displays URL information in flow records
• Identifies hostname of the server and error messages within the flow
Botnet visualization: 315,000 nodes, 3 billion connections
4/18/2012
Other resources for detection of anomalous behavior
Threat feed correlation and host locking
Putting it all together: Detection Examples
Knowing Will Help Decision Making
Internal Propagation: Is there malware spreading inside the network?
Bot Detection: Are there bot-infected hosts within the network?
Suspect Data Loss: Is any sensitive data being uploaded to the Internet?
Reconnaissance Detection: What hosts are trying to find resources to compromise?
Quick Recap
• NetFlow analysis gives us APT defense via
– A proven, time-honored, end-to-end rich view of every conversation
– Topology independence
– Deep statistical analysis and alerting
– Very high performance and scale
• Flow telemetry is available from all over the network:
– Routers
– Switches
– Load balancers
– Firewalls
– FlowSensors
– Even the virtual network!
• Once you’ve enabled flow collection you can:
– Gain deep traffic analysis and network visibility
– Detect attacks and network anomalies faster
– Investigate incidents and build up operational context
Next Steps
Contact Lancope:
Jeffrey M. Wells
jwells@lancope.com
Lancope
sales@lancope.com
Lancope Marketing
marketing@lancope.com
Visit Lancope for a live demonstration of the StealthWatch System at
• InfoSecurity Europe booth F61
• Cisco Live US booth 944
Thank You
• Web: http://www.lancope.com
• Blog: http://netflowninjas.lancope.com
• Twitter: @netflowninjas
• LinkedIn: NetFlow Ninjas
http://www.linkedin.com/groups?about=&gid=2261596&trk=anet_ug_grppro
• NetFlow Ninjas Challenge
http://www.lancope.com/netflow-ninja-quiz
Q&A

The Seven Deadly Sins of Incident Response
Lancope, Inc.
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Lancope, Inc.
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Lancope, Inc.
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data Breaches
Lancope, Inc.
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
Lancope, Inc.
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
Looking for the weird webinar 09.24.14
Looking for the weird   webinar 09.24.14Looking for the weird   webinar 09.24.14
Looking for the weird webinar 09.24.14
Lancope, Inc.
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Lancope, Inc.
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 

More from Lancope, Inc. (20)

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is Here
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider Threat
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident Response
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly Breaches
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data Breaches
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Looking for the weird webinar 09.24.14
Looking for the weird   webinar 09.24.14Looking for the weird   webinar 09.24.14
Looking for the weird webinar 09.24.14
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 

Recently uploaded

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 

Recently uploaded (20)

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 

Combating Advanced Persistent Threats with Flow-based Security Monitoring

  • 5. Anatomy of an APT attack - HBGary
   HBGary vs. Anonymous: story by Ars Technica, http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
  • 6. Anatomy of an APT attack - RSA
   In February 2011 RSA was subjected to an attack by Chinese hackers.
   RSA suffered enormous brand damage and was forced to replace existing tokens in the field.
   Read more: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
  Footnote: this attack was repeated against hundreds of other companies, as revealed last Fall by the FBI.
  • 7. APTs in the news
  • 8. APTs are here to stay
   Facts:
  • APTs are an evolution of cybercrime. They are the beginnings of truly organized behavior designed to cost you money.
  • APTs are proliferating. There are many examples, and they target pretty much every large company.
  • APTs evade traditional detection.
  • Many companies do not discover that they’ve been targeted until long after it’s over.
  • 9. APT characteristics for the investigator
   An APT will generally involve:
  – Information gathering via social media and Google search. This is how the targets for the social engineering phase are identified.
  – Exploitation of common vulnerabilities in support of the above.
  – Targeted social engineering attacks against the identified users.
  – Compromise of one or more internal machines and installation of remote control software of some kind.
  – Data mining from the inside.
  – Exfiltration of data.
   Network-based APT detection boils down to discovering the command-and-control connections, the data mining, and the exfiltration activity. As with all attacks, success is measured by the time elapsed between attack and discovery.
  • 10. APT Survey by Ponemon Institute, June 2010
   “Prevention and detection of advanced threats is difficult. Organizations risk a costly data breach because detection of an advanced threat takes too long. 80 percent of respondents say it takes a day or longer to detect an advanced threat and 46 percent say it takes 30 days or longer. This leaves a huge window of opportunity to steal confidential or sensitive information. In addition, 79 percent believe that advanced threats are very difficult to prevent, detect and resolve.”
   “The most effective technologies have yet to be deployed. 92 percent of respondents believe network and traffic intelligence solutions are essential, very important or important. Yet, only 8 percent say these technologies are their first choice to detect or prevent an advanced threat. 69 percent of respondents say that AV and 61 percent of respondents say that IDS are typically used to detect or discover advanced threats. Yet, 90 percent report that exploits or malware have either evaded their IDS systems or they are unsure. 91 percent say that exploits and malware have evaded their AV systems or they are unsure. The same percentage (91 percent) believes exploits bypassing their IDS and AV systems to be advanced threats.”
  • 11. User Behavior
  [Diagram: a user’s host on the Internal Network talking to the DMZ and the Internet.] This goes on, day after day… And then… FTP to a foreign destination. This is a behavioral anomaly.
  • 12. Anomalous Behavior
   If you’re focused solely on a single actor, behavioral anomalies are relatively simple to spot.
   As the observed population increases, it becomes increasingly difficult to spot anomalies. Where’s Waldo?
  • 13. Brains and Computers
   Our brains happen to be good at focusing on detail or recognizing patterns in limited datasets but very bad at dealing with huge amounts of rapidly-evolving data at once.
   Computers, on the other hand, do not suffer from this limitation.
  • 14. Email interconnection graph
  [Graph of devices exchanging SMTP with one another.] This is a network of devices speaking SMTP. If they spoke something else it would be trivial to detect – as long as we were focusing on this network as a group and not trying to watch all the other systems that live alongside these devices.
  • 15. Typical Corporate Environment
  [Diagram: Internal Network, DMZ, VPN, Internet and several 3G Internet links.] Even though it seems difficult to enumerate the protocols and behaviors on such a network, a statistical system can do so with ease.
  • 16. APT Detection Objectives and Requirements
   Objectives:
  – Discover APT behavior as rapidly as possible
  – Discover compromised machines in my environment
  – Discover potential exfiltrations of data
  – Some sort of scoring or prioritization of alarms to direct response
   Requirements:
  – Need data sources
  – Need collection infrastructure
  – Need analysis infrastructure
  – Need reporting and alerting engine
   Potential data sources:
  – SYSLOG, IDS/IPS probes, distributed data capture, SNMP, RMON probes, host AV/AS agents, host IDS/IPS agents
  – NetFlow
  • 17. Data Source Caveats
   SYSLOG: Very painful to parse due to the vast number of different potential messages. May or may not contain what you need.
   IDS/IPS probes: Expensive to install and maintain; reliance on signature-based technologies makes them less useful for APT detection.
   Distributed data capture: Extremely expensive to install and maintain, large amount of hardware required, very inefficient: most of the useful information comes from a tiny percentage of the gathered data.
   SNMP: Not enough information on its own to be particularly useful, very slow.
   RMON: Expensive to install and maintain, limited support.
   Host agents: Expensive to install and maintain; reliance on signature-based technologies not particularly useful; proprietary data output difficult to integrate and correlate; host context limits understanding of network behavior.
   Flow-based technology: May not be supported by all of your network hardware.
  • 18. Flow-based monitoring basics
  [Diagram: routers and switches on the Internal Network, DMZ, VPN and 3G Internet links export NetFlow to a FlowCollector.] Each flow record summarizes the packets of one conversation: src and dst IP, src and dst port, start time, end time, MAC address, byte count, and more.
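The fields listed above are what a collector decodes from each exporter datagram. The following is an added example, not code from this deck or from Lancope: a minimal NetFlow v5 decoder in Python with the version and length checks a collector must apply before trusting the record count, run against a two-record datagram that the script constructs itself (no captured traffic is involved). v5 is used because its record layout is fixed; the MAC address mentioned above only exists in template-based v9/IPFIX exports, which this decoder does not handle.

```python
"""Parse NetFlow v5 export datagrams into flow records.

Added example; not code from the Lancope deck. SAMPLE_PACKET is constructed
in-line so the script runs offline; a collector would receive the same bytes
over UDP from a router or switch.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

# NetFlow v5 wire layout, network byte order: a 24-byte header followed by
# 'count' fixed 48-byte records.
# header: version, count, sysUptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tcp_flags: int    # cumulative OR of the TCP flags seen in the flow
    packets: int
    octets: int
    first_ms: int     # exporter sysUptime (ms) at the flow's first packet
    last_ms: int      # exporter sysUptime (ms) at the flow's last packet

    @property
    def duration_s(self) -> float:
        return (self.last_ms - self.first_ms) / 1000.0


def parse_v5(packet: bytes) -> List[Flow]:
    """Decode one v5 datagram, rejecting anything that is not a complete v5 packet."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_rest = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(packet) < needed:
        raise ValueError(f"truncated: header announces {count} records, datagram is {len(packet)} bytes")
    flows = []
    for i in range(count):
        (srcaddr, dstaddr, _nexthop, _in_if, _out_if, dpkts, doctets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(str(IPv4Address(srcaddr)), str(IPv4Address(dstaddr)),
                          sport, dport, proto, flags, dpkts, doctets, first, last))
    return flows


def is_valid_v5(packet: bytes) -> bool:
    """True if parse_v5 accepts the datagram; exercises the version/length checks."""
    try:
        parse_v5(packet)
        return True
    except ValueError:
        return False


# ---- constructed sample input (not captured traffic) -------------------------
RecordSpec = Tuple[str, str, int, int, int, int, int, int, int, int]


def build_v5(records: List[RecordSpec], uptime_ms: int = 3_600_000) -> bytes:
    """Assemble a v5 datagram; used here only to fabricate test input."""
    header = V5_HEADER.pack(5, len(records), uptime_ms, 1_300_000_000, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
                       1, 2, pkts, octets, first, last, sport, dport, 0, flags, proto, 0,
                       0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, flags, pkts, octets, first, last in records)
    return header + body


SAMPLE_PACKET = build_v5([
    # DNS lookup from a user PC to the internal resolver
    ("10.1.20.15", "10.1.0.53", 51234, 53, 17, 0x00, 1, 76, 3_500_000, 3_500_000),
    # ~10 minute FTP session to an outside host, 5.8 MB sent
    ("10.1.20.15", "203.0.113.7", 49876, 21, 6, 0x1b, 4200, 5_800_000, 3_000_000, 3_590_000),
])

if __name__ == "__main__":
    for flow in parse_v5(SAMPLE_PACKET):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} proto={flow.proto} "
              f"bytes={flow.octets} duration={flow.duration_s:.0f}s")
```

The length check matters in practice: the header's record count comes from the network, and a collector that indexes records without checking it against the datagram size will read past the buffer (or, in Python, raise an unhandled struct error) on a malformed or hostile datagram.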
  • 19. Major advantages of flow-based telemetry
   Fixed and highly standardized records: easy to create, transport, compress and parse.
   Generated by the network hardware you already own.
   Generation not specifically limited by topology or data rates.
   Simple record types lend themselves to rapid and near-real-time analysis on even the biggest, busiest networks.
   Most visibility objectives achievable with no need for probes or signatures.
   Generation happens in the forwarding path, so traffic cannot avoid producing a record the way it can avoid matching a signature: everything that crosses an exporting device generates flow data for analysis. (Sampled export, such as 1:N sampled NetFlow or sFlow, trades some of that completeness for exporter CPU and can miss short flows.)
   Can easily be correlated to other data sources to enrich the results.
  • 20. Example: NetFlow Technology in a Cisco environment
  [Diagram: Atlanta, San Jose and New York sites, a Datacenter, a DMZ and the WAN/Internet edge, each exporting NetFlow to the Lancope NetFlow Collector. Exporters shown: ASR-1000, Cat6k, Cat4k, 3750-X stack(s), 3560-X, 3925 ISR, ASA, and UCS with Nexus 1000v.]
  • 22. NetFlow Collection in the WAN
  [Diagram: NetFlow packets from WAN routers sent to the Lancope NetFlow Collector.]
  • 24. The Science of Flow Analysis
  • Lancope specializes in behavior-based network flow analysis
  • Detects attacks by baselining and analyzing network traffic patterns
  • An excellent defense-in-depth strategy to aid in the defense of critical assets
  • Over 600 customers world-wide
  • Designed for the large enterprise
  http://netflowninjas.lancope.com
  • 26. Visibility into “normal” network behavior. [Screenshot] What is all this HTTP traffic?
  • 27. Detection of anomalous behavior. [Screenshot] Circa 2003!
  • 28. Manual analysis. [Screenshot] Deduplicated Host Groups provide the basis for many Reports, Baselines, Top N lists, etc.
  • 29. Manual analysis, continued. [Screenshot] A 5-hour, 6 Mbps SSH connection?
  • 31. StealthWatch Threat Indexes – Attack Detection Without Sigs
  StealthWatch tracks not only the statistical behavior of normal traffic, but also the behavior of well over a hundred specific network traffic patterns. Concern points are generated by anomalous changes in any – and all – of these. Examples:
  – number of new connections to or from a device
  – connection attempts that go unanswered (common in scanning)
  – new ports seen
  – number of clients for a server or service
  – rejected traffic
  – long-lived connections
  StealthWatch also alerts when the concern index itself changes.
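To make the concern-index idea concrete, and to cover the day-after-day scenario of slide 11, here is an added example (not StealthWatch code): a scorer that learns what each internal host normally does from several days of flow records and then awards concern points for a connection-count spike, unanswered TCP connection attempts, a first-seen destination port, a first-seen external peer, and a long-lived connection. All weights, thresholds, the internal address range and the flow sample are constructed assumptions, and a never-before-seen external peer stands in for slide 11's "foreign destination" because no geolocation data is on the page.

```python
"""Concern-index style scoring of internal hosts from flow records.

Added example, not StealthWatch code. Implements a few of the checks slides 11
and 31 describe: connection-count spikes, unanswered TCP connection attempts,
first use of a destination port, first contact with an external peer, and
long-lived connections. Weights, thresholds, the "inside" address range and
every flow below are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: what counts as "inside"
SYN, ACK = 0x02, 0x10                          # TCP flag bits as stored in NetFlow
LONG_LIVED_S = 3600                            # flows open >= 1h deserve a look
SPIKE_FACTOR = 3.0                             # today's flow count vs. baseline mean
WEIGHTS = {"conn_spike": 20, "unanswered": 5, "new_port": 10,
           "new_external_peer": 15, "long_lived": 25}


@dataclass(frozen=True)
class Flow:
    day: int
    src: str
    dst: str
    dport: int
    proto: int        # 6 = TCP, 17 = UDP
    tcp_flags: int    # cumulative OR of the flags src sent in this flow
    octets: int
    duration_s: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Baseline:
    peers: Dict[str, set]            # host -> external peers it has contacted
    ports: Dict[str, set]            # host -> destination ports it has used
    conns_per_day: Dict[str, float]  # host -> mean outbound flows per day


def learn_baseline(flows: List[Flow]) -> Baseline:
    """Summarize several quiet days of flows into what each internal host normally does."""
    peers, ports, counts = defaultdict(set), defaultdict(set), defaultdict(Counter)
    days = {f.day for f in flows}
    for f in flows:
        if not is_internal(f.src):
            continue
        ports[f.src].add(f.dport)
        counts[f.src][f.day] += 1
        if not is_internal(f.dst):
            peers[f.src].add(f.dst)
    return Baseline(peers, ports, {h: sum(c.values()) / len(days) for h, c in counts.items()})


def score_day(flows: List[Flow], base: Baseline) -> Dict[str, dict]:
    """{host: {"concern_index": int, "findings": [(kind, detail), ...]}} for one day of flows."""
    per_host: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if is_internal(f.src):
            per_host[f.src].append(f)
    result = {}
    for host, fl in per_host.items():
        findings = []
        mean = base.conns_per_day.get(host, 0.0)
        if len(fl) > SPIKE_FACTOR * max(mean, 1.0):
            findings.append(("conn_spike", f"{len(fl)} flows today vs. {mean:.1f}/day baseline"))
        for f in fl:
            # A TCP flow whose flags never include ACK never completed the handshake
            # from this side: the peer did not answer, which is what a scan looks like.
            if f.proto == 6 and f.tcp_flags & SYN and not f.tcp_flags & ACK:
                findings.append(("unanswered", f"SYN to {f.dst}:{f.dport} never answered"))
            if f.duration_s >= LONG_LIVED_S:
                findings.append(("long_lived", f"{f.duration_s}s, {f.octets} bytes to {f.dst}:{f.dport}"))
        for port in sorted({f.dport for f in fl} - base.ports.get(host, set())):
            findings.append(("new_port", f"first use of destination port {port}"))
        external = {f.dst for f in fl if not is_internal(f.dst)}
        for peer in sorted(external - base.peers.get(host, set())):
            findings.append(("new_external_peer", f"first contact with {peer}"))
        if findings:
            result[host] = {"concern_index": sum(WEIGHTS[k] for k, _ in findings),
                            "findings": findings}
    return result


# ---- constructed sample: five quiet days, then a sixth with two misbehaving hosts ----
def _day(day: int, host: str, specs) -> List[Flow]:
    return [Flow(day, host, dst, dport, proto, flags, octets, dur)
            for dst, dport, proto, flags, octets, dur in specs]


NORMAL_A = [("10.1.0.53", 53, 17, 0x00, 180, 0), ("198.51.100.10", 443, 6, 0x1b, 30_000, 12),
            ("198.51.100.20", 80, 6, 0x1b, 12_000, 5)]
NORMAL_B = [("10.1.0.53", 53, 17, 0x00, 180, 0), ("198.51.100.10", 443, 6, 0x1b, 20_000, 8)]
BASELINE_FLOWS = [f for d in range(1, 6)
                  for f in _day(d, "10.1.20.15", NORMAL_A) + _day(d, "10.1.30.8", NORMAL_B)]
TODAY_FLOWS = (
    _day(6, "10.1.20.15", NORMAL_A)
    # slide 11's case: a 4-hour FTP session pushing 900 MB to a host never contacted before
    + [Flow(6, "10.1.20.15", "203.0.113.7", 21, 6, 0x1b, 900_000_000, 14_400)]
    + _day(6, "10.1.30.8", NORMAL_B)
    # a host sweeping SMB across a neighbouring /24: 40 SYN-only flows of one packet each
    + [Flow(6, "10.1.30.8", f"10.1.40.{i}", 445, 6, SYN, 60, 0) for i in range(1, 41)]
)

if __name__ == "__main__":
    scores = score_day(TODAY_FLOWS, learn_baseline(BASELINE_FLOWS))
    for host, r in sorted(scores.items(), key=lambda kv: -kv[1]["concern_index"]):
        print(host, r["concern_index"], dict(Counter(k for k, _ in r["findings"])))
```

Run as a script, the scanner (10.1.30.8) ranks above the exfiltrating user PC (10.1.20.15) because forty unanswered SYNs plus a connection spike outscore one long FTP session; the point is that each check on its own is noisy, while a host that trips several of them at once is worth an analyst's time, which is what a concern index is for.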
  • 32. Target and specialized protocol tracking
   StealthWatch pays particular attention to hosts “touched” by a host with high concern.
   StealthWatch creates “Target Index” reporting for these hosts, including “Touched Hosts” and “Touched Hosts with high CI.”
   StealthWatch has special handling for protocols commonly used for file sharing.
   StealthWatch has special logic to watch for and alert on “worm behavior”.
  All of these are completely automatic, out-of-the-box capabilities of the system.
  • 33. Host Group tracking
  Creating host groups by function, type or location allows the system to easily spot and track anomalous behavior for hosts with high degrees of inherent predictability. The system will, for example, automatically tell you when your web servers have stopped behaving like web servers.
  • 34. Relational Flow Maps
  The Relational Flow Mapping feature allows you to track the relationships between your host groups as well as their relationships to external groups, whether they are business partners, Internet hosts, countries, or suspicious hosts from threat feeds. Once the relationship is established, StealthWatch automatically creates a statistical baseline and applies its anomaly detection logic to the relationship.
  • 35. Relational Anomaly Detection example: PCI hosts Secure Zone
  • 36. Custom views match your particular area of interest: custom charts focusing on particular alerts related to APT events; a relational flow map to track behavior between areas of high interest; a list of hosts currently creating high concern; a list of internal hosts exhibiting active scanning behavior. All documents are active: current alerts are shown over objects as callouts in real time.
  • 37. Drill down from anywhere to any level of detail. Every object is active and can be used as a starting point to drill in for investigation.
  • 38. Enhanced Application Monitoring: accelerates troubleshooting and forensic investigations; quickly differentiates between applications; easily determines which applications are causing performance or security problems; displays URL information in flow records; identifies the hostname of the server and error messages within the flow.
  • 39. Botnet - 315,000 nodes, 3 billion connections (4/18/2012). Other resources for detection of anomalous behavior.
  • 40. Threat feed correlation and host locking
  • 41. Putting it all together: Detection Examples
  • 42. Knowing Will Help Decision Making: Is there internally spreading malware?
  • 43. Knowing Will Help Decision Making – Bot Detection: Are there bot-infected hosts within the network?
  • 44. Knowing Will Help Decision Making – Suspect Data Loss: Is there any sensitive data being uploaded to the Internet?
  • 45. Knowing Will Help Decision Making – Reconnaissance Detection: What hosts are trying to find resources to compromise?
  • 46. Quick Recap. NetFlow analysis gives us APT defense via: a proven, time-honored, end-to-end rich view of every conversation; topology independence; deep statistical analysis and alerting; very high performance and scale. Flow telemetry is available from all over the network: routers, switches, load balancers, firewalls, FlowSensors, even the virtual network! Once you’ve enabled flow collection you can: gain deep traffic analysis and network visibility; detect attacks and network anomalies faster; investigate incidents and build up operational context.
  • 47. Next Steps. Contact Lancope: Jeffrey M. Wells jwells@lancope.com; Lancope sales@lancope.com; Lancope Marketing marketing@lancope.com. Visit Lancope for a live demonstration of the StealthWatch System at InfoSecurity Europe (booth F61) and Cisco Live US (booth 944).
  • 48. Thank You. Web http://www.lancope.com; Blog http://netflowninjas.lancope.com; Twitter @netflowninjas; LinkedIn: NetFlow Ninjas http://www.linkedin.com/groups?about=&gid=2261596&trk=anet_ug_grppro; NetFlow Ninjas Challenge http://www.lancope.com/netflow-ninja-quiz
  • 49. Q&A