Lancope, Inc., profile picture
Uploaded byLancope, Inc.
PPTX, PDF712 views

Detecting Threats: A Look at the Verizon DBIR and StealthWatch

The document discusses threat detection through Lancope's Stealthwatch in relation to insights from the Verizon Data Breach Investigations Report (DBIR). It highlights the common types of data breaches, emphasizing that the majority of incidents involve human factors and includes breaches due to point-of-sale intrusions, cyber-espionage, and insider misuse. Additionally, it advocates for continuous monitoring of network traffic to enhance threat detection and response capabilities.

Embed presentation

Downloaded 30 times
© 2014 Lancope, Inc. All rights reserved. Detecting Threats Lancope, Inc. A Look at the Verizon DBIR and StealthWatch
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. A Look into a case- study of case- studies 2
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Defenders are too slow, too often 3
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. So why do we have this problem? 4
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Once Upon a Time DMZ VPN Internal Network Internet
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Then Came Mobile Computing DMZ VPN Internal Network Internet
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Telemetry 7 Drilling into a single flow provides a plethora of information
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Let the Network be Your sensor Internal visibility from core to access to edge 8 010 101 001 011 010 101 001 011 010 101 001 011 010 101 001 011 Laptop Tablet Phone Desktop / VDI WLAN LAN On Premise Public Internet Public Cloud Router / Switch Achieve pervasive, scalable network visibility into all traffic to monitor all network activities 24/7/365 Turn the network into an active sensor grid to detect potentially malicious activities in real-time Transform network data into actionable, context-aware intelligence to analyze and make fast, effective decisions regarding threat activity Take advantage of in-depth situational awareness to continuously analyze and respond to threats before, during, and after a security incident StealthWatch and Your Network
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Two Halves of the Puzzle Real Time Detection & Incident Response 9
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Security Algorithms describe traffic or behavior in a way that allows StealthWatch to constantly be on the lookout 10
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Back to the Data Breach report… 11
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Incident Classification Patterns 12 “…the common denominator across the top four patterns— accounting for nearly 90% of all incidents is people”
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Incident Classification Patterns (cont.) Data looks slightly different when confirmed data breaches are involved 13
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Point-of-sale (POS) Intrusions • Represents 28.5% of all confirmed data breaches in the report • Most affected industries: • Accommodation • Entertainment • Retail industries • Larger breaches tend to involve multi-step attack with some secondary system being compromised before attacking the POS system • It’s a problem for big and small 14
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 15 Suspect Data Hoarding Suspect Data Loss Credit card data has to be exfiltrated to be any good to attackers
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 16 Multi-stage attacks have precursors Long Flow/Beaconing Address Scan/Stealth Scan ICMP Port Unreachable Talks to Phantoms (6.6) Brute Force Login (6.6)
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Crimeware • Malware infections that are not associated with more specialized classification patterns • Represents 18.8% of all confirmed data breaches in the report • Most commonly used to: • Establish command-and-control capability • Launch DoS attacks • Most frequent targets: • Bank records • User credentials 17
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 18 DDoS Source --- [tcp|udp|icmp] Flood Slow Connection Flood Packet Flood High Total Traffic TCP Resets Scanning / Brute Force --- Address Scan [tcp|udp] Stealth Scan [tcp|udp] ICMP Port Unreachable Talks to Phantoms (6.6) Brute Force Login (6.6) Mail --- Spam Source High Volume Email Mail Reject
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Cyber-espionage • Attribution is difficult; only one-third of cyber-espionage cases had any kind of attacker attribution • Represents 18% of all confirmed data breaches in the report • Most targeted industries: • Manufacturing • Government • Information Services • Often involved social engineering and advanced, versatile malware • Most targeted data: • Organization secrets • Credentials 19
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 20 Monitor outbound traffic for suspicious connections and signs of infiltration In order to know what is abnormal, you need to know what normal traffic looks like Traffic Totals Flow Counts Packet-type Counts Index Values
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 21 Detect and stop lateral movement inside the network Address Scan [tcp|udp] Stealth Scan [tcp|udp] ICMP Port Unreachable Talks to Phantoms (6.6) Brute Force Login (6.6)
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Insider Misuse • Trusted insiders who have already been given network access, but betray that trust maliciously or through negligence • Represents 10.6% of all confirmed data breaches in the report • 37.6% of insider misuse cases are perpetrated by end users • Primary motivators: • Financial gain • Convenience 22
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 23 Know your data and who has access to it Suspect Data Hoarding Target Data Hoarding
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 24 Detect data exfiltration Suspect Data Loss
© 2014 Lancope, Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Thanks for watching! Questions and Answers 25

More Related Content

PDF
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
byLancope, Inc.
 
PDF
Cisco, Sourcefire and Lancope - Better Together
byLancope, Inc.
 
PPTX
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
byLancope, Inc.
 
PPTX
Insider threats webinar 01.28.15
byLancope, Inc.
 
PPTX
Combating Insider Threats – Protecting Your Agency from the Inside Out
byLancope, Inc.
 
PPTX
Extending Network Visibility: Down to the Endpoint
byLancope, Inc.
 
PDF
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
byLancope, Inc.
 
PDF
Are you ready for the next attack? Reviewing the SP Security Checklist
byMyNOG
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
byLancope, Inc.
 
Cisco, Sourcefire and Lancope - Better Together
byLancope, Inc.
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
byLancope, Inc.
 
Insider threats webinar 01.28.15
byLancope, Inc.
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
byLancope, Inc.
 
Extending Network Visibility: Down to the Endpoint
byLancope, Inc.
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
byLancope, Inc.
 
Are you ready for the next attack? Reviewing the SP Security Checklist
byMyNOG
 

What's hot

PPTX
Infoblox - turning DNS from security target to security tool
byJisc
 
PPTX
Splunk Webinar: Splunk App for Palo Alto Networks
byGeorg Knon
 
PDF
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
PPTX
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
byShakacon
 
PDF
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
byAPNIC
 
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
PDF
The Post Covid-19 Cybersecurity World - Where Is It Headed?
byBangladesh Network Operators Group
 
PDF
Palo Alto Networks Sponsor Session
bySplunk
 
PPTX
What's New in StealthWatch v6.5
byLancope, Inc.
 
PDF
Breach and attack simulation tools
byBangladesh Network Operators Group
 
PDF
Using Your Network as a Sensor for Enhanced Visibility and Security
byLancope, Inc.
 
PPTX
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
byChrysostomos Christofi
 
PPTX
Protecting Financial Networks from Cyber Crime
byLancope, Inc.
 
PPTX
SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Da...
bySWITCHPOINT NV/SA
 
PDF
What Happens Before the Kill Chain
byOpenDNS
 
PPT
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
byPraetorian
 
PDF
Exploring Risk and Mapping the Internet of Things with Autonomous Drones
byPraetorian
 
PDF
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
byMITRE - ATT&CKcon
 
PDF
AWS Cloud Security From the Point of View of the Compliance
byYury Chemerkin
 
PDF
DNS Measurement Activity on ITB 2010
byAffan Basalamah
 
Infoblox - turning DNS from security target to security tool
byJisc
 
Splunk Webinar: Splunk App for Palo Alto Networks
byGeorg Knon
 
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
byShakacon
 
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
byAPNIC
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
The Post Covid-19 Cybersecurity World - Where Is It Headed?
byBangladesh Network Operators Group
 
Palo Alto Networks Sponsor Session
bySplunk
 
What's New in StealthWatch v6.5
byLancope, Inc.
 
Breach and attack simulation tools
byBangladesh Network Operators Group
 
Using Your Network as a Sensor for Enhanced Visibility and Security
byLancope, Inc.
 
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
byChrysostomos Christofi
 
Protecting Financial Networks from Cyber Crime
byLancope, Inc.
 
SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Da...
bySWITCHPOINT NV/SA
 
What Happens Before the Kill Chain
byOpenDNS
 
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
byPraetorian
 
Exploring Risk and Mapping the Internet of Things with Autonomous Drones
byPraetorian
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
byMITRE - ATT&CKcon
 
AWS Cloud Security From the Point of View of the Compliance
byYury Chemerkin
 
DNS Measurement Activity on ITB 2010
byAffan Basalamah
 

Viewers also liked

PDF
The Seven Deadly Sins of Incident Response
byLancope, Inc.
 
PDF
RSA: Security Analytics Architecture for APT
byLee Wei Yeong
 
PPTX
SCADA Security: The Five Stages of Cyber Grief
byLancope, Inc.
 
PDF
RSA NetWitness Log Decoder
bySusam Pal
 
PDF
Network Security and Visibility through NetFlow
byLancope, Inc.
 
PPTX
The Internet of Everything is Here
byLancope, Inc.
 
PPTX
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
byLancope, Inc.
 
PDF
Fire Eye Appliance Quick Start
byContent Rules, Inc.
 
PDF
Cisco Threat Defense (Cisco Stealthwatch)
byCisco Russia
 
PDF
StackOverflow
bySusam Pal
 
PDF
StealthWatch & Point-of-Sale (POS) Malware
byLancope, Inc.
 
PPTX
Combating Insider Threats – Protecting Your Agency from the Inside Out
byLancope, Inc.
 
PDF
5 Signs you have an Insider Threat
byLancope, Inc.
 
PPTX
DDos Attacks and Web Threats: How to Protect Your Site & Information
byjenkoon
 
PDF
Top 10 Security Vulnerabilities (2006)
bySusam Pal
 
The Seven Deadly Sins of Incident Response
byLancope, Inc.
 
RSA: Security Analytics Architecture for APT
byLee Wei Yeong
 
SCADA Security: The Five Stages of Cyber Grief
byLancope, Inc.
 
RSA NetWitness Log Decoder
bySusam Pal
 
Network Security and Visibility through NetFlow
byLancope, Inc.
 
The Internet of Everything is Here
byLancope, Inc.
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
byLancope, Inc.
 
Fire Eye Appliance Quick Start
byContent Rules, Inc.
 
Cisco Threat Defense (Cisco Stealthwatch)
byCisco Russia
 
StackOverflow
bySusam Pal
 
StealthWatch & Point-of-Sale (POS) Malware
byLancope, Inc.
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
byLancope, Inc.
 
5 Signs you have an Insider Threat
byLancope, Inc.
 
DDos Attacks and Web Threats: How to Protect Your Site & Information
byjenkoon
 
Top 10 Security Vulnerabilities (2006)
bySusam Pal
 

Similar to Detecting Threats: A Look at the Verizon DBIR and StealthWatch

PDF
Combating Advanced Persistent Threats with Flow-based Security Monitoring
byLancope, Inc.
 
PPTX
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
byEmulex Corporation
 
PDF
Pivotal Data Lake Architecture & its role in security analytics
byEMC
 
PPTX
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
byAndrew Gerber
 
PPTX
Intrusion detection system
bySweta Sharma
 
PPTX
Security and-visibility
byedwardstudyemai
 
PPTX
Attack Prevention Solution for RADWARE
byDeivid Toledo
 
PPTX
Insider threat v3
byLancope, Inc.
 
PDF
Finding the needle in the haystack: how Nestle is leveraging big data to defe...
byBig Data Spain
 
PPTX
Save Your Network – Protecting Healthcare Data from Deadly Breaches
byLancope, Inc.
 
PPTX
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
byForgeRock
 
PPTX
Cyber Attack Survival: Are You Ready?
byRadware
 
PDF
Solving the Visibility Gap for Effective Security
byLancope, Inc.
 
PPTX
Detect Threats Faster
byForce 3
 
PPTX
Challenges2013
byLancope, Inc.
 
PDF
Why_TG
byTOP GUN
 
PDF
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
byDell EMC World
 
PDF
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
byNapier University
 
ODP
Unlock Security Insight from Machine Data
byNarudom Roongsiriwong, CISSP
 
PDF
Continuous Monitoring and Real Time Risk Scoring
byQ1 Labs
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
byLancope, Inc.
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
byEmulex Corporation
 
Pivotal Data Lake Architecture & its role in security analytics
byEMC
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
byAndrew Gerber
 
Intrusion detection system
bySweta Sharma
 
Security and-visibility
byedwardstudyemai
 
Attack Prevention Solution for RADWARE
byDeivid Toledo
 
Insider threat v3
byLancope, Inc.
 
Finding the needle in the haystack: how Nestle is leveraging big data to defe...
byBig Data Spain
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
byLancope, Inc.
 
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
byForgeRock
 
Cyber Attack Survival: Are You Ready?
byRadware
 
Solving the Visibility Gap for Effective Security
byLancope, Inc.
 
Detect Threats Faster
byForce 3
 
Challenges2013
byLancope, Inc.
 
Why_TG
byTOP GUN
 
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
byDell EMC World
 
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
byNapier University
 
Unlock Security Insight from Machine Data
byNarudom Roongsiriwong, CISSP
 
Continuous Monitoring and Real Time Risk Scoring
byQ1 Labs
 

More from Lancope, Inc.

PPTX
Reverse Engineering Malware: A look inside Operation Tovar
byLancope, Inc.
 
PDF
The Critical Security Controls and the StealthWatch System
byLancope, Inc.
 
PDF
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
byLancope, Inc.
 
PDF
SCADA Security: The Five Stages of Cyber Grief
byLancope, Inc.
 
PDF
Needs of a Modern Incident Response Program
byLancope, Inc.
 
PPTX
Protecting the Crown Jewels from Devastating Data Breaches
byLancope, Inc.
 
PPTX
Looking for the weird webinar 09.24.14
byLancope, Inc.
 
PPTX
Data center webinar_v2_1
byLancope, Inc.
 
PDF
The Library of Sparta
byLancope, Inc.
 
Reverse Engineering Malware: A look inside Operation Tovar
byLancope, Inc.
 
The Critical Security Controls and the StealthWatch System
byLancope, Inc.
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
byLancope, Inc.
 
SCADA Security: The Five Stages of Cyber Grief
byLancope, Inc.
 
Needs of a Modern Incident Response Program
byLancope, Inc.
 
Protecting the Crown Jewels from Devastating Data Breaches
byLancope, Inc.
 
Looking for the weird webinar 09.24.14
byLancope, Inc.
 
Data center webinar_v2_1
byLancope, Inc.
 
The Library of Sparta
byLancope, Inc.
 

Recently uploaded

PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
December Patch Tuesday
byIvanti
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
The year in review - MarvelClient in 2025
bypanagenda
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 

Detecting Threats: A Look at the Verizon DBIR and StealthWatch

  • 1.
    © 2014 Lancope,Inc. All rights reserved. Detecting Threats Lancope, Inc. A Look at the Verizon DBIR and StealthWatch
  • 2.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. A Look into a case- study of case- studies 2
  • 3.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Defenders are too slow, too often 3
  • 4.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. So why do we have this problem? 4
  • 5.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Once Upon a Time DMZ VPN Internal Network Internet
  • 6.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Then Came Mobile Computing DMZ VPN Internal Network Internet
  • 7.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Telemetry 7 Drilling into a single flow provides a plethora of information
  • 8.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Let the Network be Your sensor Internal visibility from core to access to edge 8 010 101 001 011 010 101 001 011 010 101 001 011 010 101 001 011 Laptop Tablet Phone Desktop / VDI WLAN LAN On Premise Public Internet Public Cloud Router / Switch Achieve pervasive, scalable network visibility into all traffic to monitor all network activities 24/7/365 Turn the network into an active sensor grid to detect potentially malicious activities in real-time Transform network data into actionable, context-aware intelligence to analyze and make fast, effective decisions regarding threat activity Take advantage of in-depth situational awareness to continuously analyze and respond to threats before, during, and after a security incident StealthWatch and Your Network
  • 9.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Two Halves of the Puzzle Real Time Detection & Incident Response 9
  • 10.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Security Algorithms describe traffic or behavior in a way that allows StealthWatch to constantly be on the lookout 10
  • 11.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Back to the Data Breach report… 11
  • 12.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Incident Classification Patterns 12 “…the common denominator across the top four patterns— accounting for nearly 90% of all incidents is people”
  • 13.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Incident Classification Patterns (cont.) Data looks slightly different when confirmed data breaches are involved 13
  • 14.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Point-of-sale (POS) Intrusions • Represents 28.5% of all confirmed data breaches in the report • Most affected industries: • Accommodation • Entertainment • Retail industries • Larger breaches tend to involve multi-step attack with some secondary system being compromised before attacking the POS system • It’s a problem for big and small 14
  • 15.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 15 Suspect Data Hoarding Suspect Data Loss Credit card data has to be exfiltrated to be any good to attackers
  • 16.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 16 Multi-stage attacks have precursors Long Flow/Beaconing Address Scan/Stealth Scan ICMP Port Unreachable Talks to Phantoms (6.6) Brute Force Login (6.6)
  • 17.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Crimeware • Malware infections that are not associated with more specialized classification patterns • Represents 18.8% of all confirmed data breaches in the report • Most commonly used to: • Establish command-and-control capability • Launch DoS attacks • Most frequent targets: • Bank records • User credentials 17
  • 18.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 18 DDoS Source --- [tcp|udp|icmp] Flood Slow Connection Flood Packet Flood High Total Traffic TCP Resets Scanning / Brute Force --- Address Scan [tcp|udp] Stealth Scan [tcp|udp] ICMP Port Unreachable Talks to Phantoms (6.6) Brute Force Login (6.6) Mail --- Spam Source High Volume Email Mail Reject
  • 19.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Cyber-espionage • Attribution is difficult; only one-third of cyber-espionage cases had any kind of attacker attribution • Represents 18% of all confirmed data breaches in the report • Most targeted industries: • Manufacturing • Government • Information Services • Often involved social engineering and advanced, versatile malware • Most targeted data: • Organization secrets • Credentials 19
  • 20.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 20 Monitor outbound traffic for suspicious connections and signs of infiltration In order to know what is abnormal, you need to know what normal traffic looks like Traffic Totals Flow Counts Packet-type Counts Index Values
  • 21.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 21 Detect and stop lateral movement inside the network Address Scan [tcp|udp] Stealth Scan [tcp|udp] ICMP Port Unreachable Talks to Phantoms (6.6) Brute Force Login (6.6)
  • 22.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Insider Misuse • Trusted insiders who have already been given network access, but betray that trust maliciously or through negligence • Represents 10.6% of all confirmed data breaches in the report • 37.6% of insider misuse cases are perpetrated by end users • Primary motivators: • Financial gain • Convenience 22
  • 23.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 23 Know your data and who has access to it Suspect Data Hoarding Target Data Hoarding
  • 24.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. 24 Detect data exfiltration Suspect Data Loss
  • 25.
    © 2014 Lancope,Inc. All rights reserved.© 2014 Lancope, Inc. All rights reserved. Thanks for watching! Questions and Answers 25

Editor's Notes

  • #3 Demonstrate usefulness of algorithms as a whole, relevance of ours Not based on 6.6 alone, SE training on Friday Introduce DBIR Most well regarded annual report Incident data from FBI, other CERTs Break everything up by market vertical, definitely worth a read Look at big picture instead of one or two incidents Show what need drives our existing algorithms
  • #4 If you are not familiar with it, this graph illustrates the percentage of compromises and detections that were completed in “days or less.” Clearly, discovery is far below compromise, but we can help with that!
  • #11 Combine human strengths and computers
  • #12 Combine human strengths and computers
  • #15 Nearly 30 percent of confirmed data breaches. This responsible for some of the largest breaches in the news involving major retailers. Lots of money was lost because of POS intrusions.
  • #16 Suspect Data Loss good for POS, should be little other inside -> outside for noise SDH for scenarios where data was collected first
  • #17 Attackers generally have the advantage Luxury of being able to fail over and over again But defenders have ‘home field advantage.’ Defenders built environment, attackers have to navigate it Recon outside might not be a huge deal, inside it matters
  • #18 The first category we’ll go into is Crimeware. Non-APT, non-POST Malware About 20% of confirmed breaches Listed ‘key finding’ is DDoS, Spam, etc
  • #19 Not slow and low Outgoing DDoS is valuable Brute force SSH and RDP Spam Email Things an experienced security team would want to monitor Algorithm lets us watch every host all the time rather than require an analyst to do it
  • #20 Cyber espionage is the state actor, APT bucket. Proper attribution is really difficult. Different target industries than other attack patterns. Instead of Financial Services and Retail, Manufacturing and Government organizations are the most common targets. In addition, different types of data is stolen than other attack types. Organization secrets, credentials, and internal and system data is most commonly targeted. Often include social engineering and advanced malware.
  • #21 Find normal and watch it Super clued in might know averages for certain subnets, but this is hard for humans We’re tracking a bunch of types of stats for every individual host Some concrete, some not
  • #22 Attackers generally have the advantage Luxury of being able to fail over and over again But defenders have ‘home field advantage.’ Defenders built environment, attackers have to navigate it Recon outside might not be a huge deal, inside it matters
  • #23 Insider and privilege misuse, or insider threat About 10% of confirmed breaches Valuable for us, internal visibility a lot of tools don’t have
  • #24 First, know your data and who has access to it. Part of this is account and access audit, but also know where your data is and building control to detect misuse. I’m not going to tell you that we’re the best option to track the movement of one PDF, but when it’s a bit more volume we’re there.
  • #25 Watch for data exfiltration With insider, often don’t have ability to look for exploitation Using proper credentials Instead, watch for data leaving