NAPIER UNIVERSITY, EDINBURGH
MAY 2016

BIG DATA IN CYBERSECURITY

TODAY’S TOPICS
• Introduction
• Credentials
• Age of compromise
• Today’s InfoSec Challenges
• Inside Out Security: Detect, Assess, Respond & Recover
• Leverage existing infrastructure
• Summary: Can you afford to be one of the numbers?
MARKET LEADING DIGITAL FORENSICS, E-DISCOVERY, AND ENDPOINT DETECTION & RESPONSE
• Gartner #1 in Endpoint Detection & Response*
• Standard in Digital Forensics
  - Cited in 100+ published court opinions
• 25+ million servlets deployed
  - 70% of Fortune 100 and 45% of Fortune 500
• Industry recognized training with 5000+ EnCE
  - “Best IT Security-Related Training Program” SC Magazine
• Industry leading Professional Services
CREDENTIALS

ENDPOINT IS THE TARGET OF ATTACKERS
COMPANY DATA: THE EPICENTER OF RISK
• BUSINESS INTELLIGENCE
• INTELLECTUAL PROPERTY
• CUSTOMER DATA
• CARDHOLDER AND FINANCIAL DATA
• AUTHENTICATION CREDENTIALS
• HUMAN RESOURCES
• ELECTRONIC HEALTH RECORDS
AGE OF COMPROMISE
• Anthem: Jan 2015
  - 2nd largest US health insurer
  - Customer PII
• Ebay: March 2015
  - Used employee details to access user credentials
• Target: Summer 2013
  - $10B drop in market cap (30%)
  - CEO terminated
  - CIO resigns
WHY IS IT LIKELY YOU ARE BREACHED?
Signature-based detection is not sufficient
DETECTION AND RESPONSE TIMES ARE UNTENABLE
• Initial attack to compromise: 60% in minutes
  - 60% of organizations breached in minutes or less [1]
• Compromise to discovery: 66% in months or years
  - 66% of breaches take months or years to discover [2]
• Unknown threat
  - 70-90% of malware samples are unique to an organization [1]
• Time to resolution
  - 32 days to respond to an incident [2]

[1] Verizon 2015 Data Breach Investigation Report
[2] Verizon 2013 Data Breach Investigation Report
“It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.”
METHODOLOGY OF AN ATTACK
Phases and durations as laid out on the slide, running from their ecosystem into our enterprise:
• Opportunity / Research: days to weeks
• Infiltration (Patient Zero): seconds to minutes
• Discovery, capture and exfiltration: weeks to months
SANS SURVEY: ENDPOINT SECURITY TAKEAWAYS
• Perimeter defenses are breached, almost at will
  - More than half of survey participants operate assuming compromise
  - Attackers don’t need stealth or APT-style funding to get the job done
  - Proactive hunting is the only way to detect adversaries that have bypassed initial detection
  - The majority of respondents say they want to be able to obtain data from all queried endpoints in under 1 hour
  - Some critical endpoints (e.g. payment processing servers) cannot afford any downtime
FIVE STYLES OF ADVANCED THREAT DEFENSE

Where to look | Real-Time / Near-Real-Time          | Postcompromise (Days/Weeks)
--------------|-------------------------------------|----------------------------
Network       | Style 1: Network Traffic Analysis   | Style 2: Network Forensics
Payload       | Style 3: Payload Analysis (spans both time frames)
Endpoint      | Style 4: Endpoint Behavior Analysis | Style 5: Endpoint Forensics
YOUR CHALLENGES
• Not sure if you have been breached!
• Prevention isn’t working but there is no next step
• Everything occurs on the endpoint, but perimeter, network & logs ≠ endpoint
• Too many alerts! What volume do you see?
• No way to identify security gaps and verify policies are working
• Lack of visibility into sensitive data
• Analysts spend too much time collecting and correlating data
SO YOU CAN’T STOP THEM GETTING IN, BUT… YOU CAN FIND THEM!
ENDPOINT VISIBILITY IS EVERYTHING
• Broad operating system support ensures all your assets are covered, not just servers
• Non-reliance on the operating system for trusted and verifiable information
• Correlation across disparate data types
• Visibility into restricted, hidden and encrypted areas
• Forensic-level access to disk, memory and attached devices
• True remediation (wiping) capabilities
HOW DEEP IS DEEP?
• Deep File System
• Dead Registry
• OS Exe/DLL Interaction
  − App Compat Cache
  − Windows SxS
• Windows Event Logs
• SQL/AD Event Logs
• Windows Management Instrumentation (WMI)
• Registry
• Processes
• ARP Tables
• Memory
• Lnk Files
• Anti-Forensic Detection
• PreFetch
• Hash/Entropy
• Open Ports
• DNS Cache
• Email
• Internet
• Open Files
(Chart axes on the slide: Easy Data Access ↔ High Barrier to Entry; Human Readable / No Interpretation Required ↔ Reverse Engineering Required for Truth / Individual Forensic Interpretation)
ENDPOINT ACTIVITY CAN REVEAL PATIENT ZERO
• Machine Name
• File Name
• Process Hash
• User Account
INSIDE OUT SECURITY FRAMEWORK
• Vendor agnostic
• Process to implement a security framework that moves from a passive to an active defense
• Applicable for teams with new or mature security plans
• Increase ROI on security analysts and technology
• Every tiny action leaves an artefact of either system or user activity
• Artefact correlation defines a baseline and tells a story of use, without limitations
• Proactively detect the aberrations – known, unknown, insider, and zero-day threats
  - Anomalies indicate unseen threats
  - Review of security policies redefines direction
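The artefact correlation described on this slide, together with the Patient Zero fields (machine name, file name, process hash, user account) on the slide before it, as an added Python example that is not part of the deck or of Guidance Software's product. It stacks process hashes across a fleet to form a baseline, flags a hash that deviates from the majority hash for its file name and hashes present on only a few endpoints, then traces a flagged hash to the endpoint and account where it was first observed. The inventory records, host names, user names and hash strings are constructed placeholders, not real indicators.

```python
"""Baseline-and-outlier analysis over an endpoint process inventory.

Added example (not from the slide deck or Guidance Software). The sample
records below are constructed; host names and hash strings are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProcessRecord:
    machine: str        # endpoint the process was observed on
    file_name: str      # image name as reported by the endpoint
    process_hash: str   # hash of the on-disk image (placeholder values below)
    user: str           # account the process ran under
    first_seen: datetime


# Constructed sample inventory: a fleet where each known image name normally
# maps to one hash, plus two endpoints running a look-alike with another hash.
SAMPLE_RECORDS: List[ProcessRecord] = [
    ProcessRecord("WS-001", "svchost.exe", "hash-A", "SYSTEM", datetime(2016, 5, 1, 8, 0)),
    ProcessRecord("WS-002", "svchost.exe", "hash-A", "SYSTEM", datetime(2016, 5, 1, 8, 5)),
    ProcessRecord("WS-003", "svchost.exe", "hash-A", "SYSTEM", datetime(2016, 5, 1, 8, 7)),
    ProcessRecord("WS-004", "svchost.exe", "hash-A", "SYSTEM", datetime(2016, 5, 1, 8, 9)),
    ProcessRecord("WS-003", "svchost.exe", "hash-Z", "jdoe", datetime(2016, 5, 2, 14, 30)),
    ProcessRecord("WS-007", "svchost.exe", "hash-Z", "SYSTEM", datetime(2016, 5, 3, 9, 12)),
    ProcessRecord("WS-001", "outlook.exe", "hash-B", "asmith", datetime(2016, 5, 1, 8, 1)),
    ProcessRecord("WS-002", "outlook.exe", "hash-B", "jdoe", datetime(2016, 5, 1, 8, 6)),
    ProcessRecord("WS-004", "outlook.exe", "hash-B", "asmith", datetime(2016, 5, 1, 8, 10)),
]


def machines_per_hash(records: Iterable[ProcessRecord]) -> Dict[str, Set[str]]:
    """Stack records by hash: the distinct endpoints on which each image ran."""
    by_hash: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        by_hash[r.process_hash].add(r.machine)
    return by_hash


def rare_hashes(records: Iterable[ProcessRecord], max_machines: int = 2) -> List[str]:
    """Least-frequency-of-occurrence: hashes seen on at most `max_machines` endpoints."""
    by_hash = machines_per_hash(records)
    return sorted(h for h, machines in by_hash.items() if len(machines) <= max_machines)


def name_hash_deviations(records: Iterable[ProcessRecord]) -> Dict[str, List[str]]:
    """File names that are backed by more than one hash across the fleet.

    The hash present on the most endpoints under a given name is the baseline;
    any other hash carrying the same name is an aberration worth a look.
    """
    by_name: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for r in records:
        by_name[r.file_name][r.process_hash].add(r.machine)
    deviations: Dict[str, List[str]] = {}
    for name, hashes in by_name.items():
        if len(hashes) < 2:
            continue
        baseline = max(hashes, key=lambda h: len(hashes[h]))
        deviations[name] = sorted(h for h in hashes if h != baseline)
    return deviations


def patient_zero(records: Iterable[ProcessRecord], process_hash: str) -> Optional[ProcessRecord]:
    """Earliest observation of a hash: the endpoint and account where it first appeared."""
    hits = [r for r in records if r.process_hash == process_hash]
    return min(hits, key=lambda r: r.first_seen) if hits else None


if __name__ == "__main__":
    for name, odd_hashes in name_hash_deviations(SAMPLE_RECORDS).items():
        for h in odd_hashes:
            pz = patient_zero(SAMPLE_RECORDS, h)
            print(f"{name}: non-baseline hash {h} first seen on {pz.machine} "
                  f"as {pz.user} at {pz.first_seen:%Y-%m-%d %H:%M}")
    print("hashes on two or fewer endpoints:", rare_hashes(SAMPLE_RECORDS))
```

Both checks work without any signature or IOC: the fleet itself is the baseline, so a hash that is rare, or that hides under a common name, stands out regardless of whether anyone has seen it before. The `max_machines` threshold is the tuning knob; on a real fleet it is set against the estate size so that legitimate low-prevalence software does not swamp the list.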
DETECT & ASSESS

DETECTION OF THE KNOWN AND UNKNOWN
Eliminate your reliance on signatures, heuristics, policies or IOCs.
The only way to detect what you haven’t already!

EXPOSED DATA IS MAJOR RISK
• Proactively discover any sensitive data across the organization
  - Endpoints
  - Structured repositories (Office 365, Shares, etc.)
• Enforce sensitive data policies
• Prioritize incident response around high-risk assets
Limit risk and exposure to an internal or external threat!
ASSESS & RESPOND: RESPOND AUTOMATICALLY

AUTOMATED INCIDENT RESPONSE
• Automated forensic collection integrates with existing security technologies
  - No information decay; works 24/7
• Reduce false-positive events quickly and gain down-stream benefits
• Identify unknown binaries triggering behavioral or heuristic alerts
Ensure valid perimeter, network and log events are being seen!
Reduce compromise to discovery from months to days or hours
RESPOND ON DEMAND
Response shouldn’t take forever

ON-DEMAND INCIDENT RESPONSE
• Quickly identify suspect processes using localized white/black lists
• Root out all potential indicators
• Determine if suspect files are threats with ThreatGrid and other intelligence sources
• Determine scope and impact across the organization of any threat instance
• Integrate with existing workflow management, home grown and third party point solutions
Reduce compromise to discovery and time to resolution from months to hours
RECOVER & REMEDIATE

RECOVERY AND REMEDIATION
• Kill running processes
• Surgically remove all iterations of malware and related artifacts
• Wipe sensitive data from unauthorized locations
• Produce reports demonstrating success/compliance
Wipe and reimage costs weeks!
Reduce time to resolution from weeks to hours
DEFENSE IN DEPTH: LEVERAGE EXISTING INFRASTRUCTURE
CAN YOU AFFORD TO BE ONE OF THE NUMBERS?
• #1 in Endpoint Detection and Response by Gartner
• There is no security without endpoint visibility
• Detect unknown threats that perimeter, network, and logs can’t see
• Detect attacks before you end up a headline
• Enable your team to discover and resolve valid threats immediately
THANK YOU
IAN RAINSBOROUGH, GUIDANCE SOFTWARE
EMAIL: IAN.RAINSBOROUGH@GUID.COM

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh

1. NAPIER UNIVERSITY, EDINBURGH, MAY 2016
BIG DATA IN CYBERSECURITY

2. TODAY’S TOPICS
• Introduction
• Credentials
• Age of compromise
• Today’s InfoSec Challenges
• Inside Out Security: Detect, Assess, Respond & Recover
• Leverage existing infrastructure
• Summary: Can you afford to be one of the numbers?

3. CREDENTIALS: MARKET LEADING DIGITAL FORENSICS, E-DISCOVERY, AND ENDPOINT DETECTION & RESPONSE
• Gartner #1 in Endpoint Detection & Response*
• Standard in Digital Forensics
- Cited in 100+ published court opinions
• 25+ million servlets deployed
- 70% of Fortune 100 and 45% of Fortune 500
• Industry recognized Training with 5000+ EnCE
- “Best IT Security-Related Training Program”, SC Magazine
• Industry leading Professional Services

4. ENDPOINT IS THE TARGET OF ATTACKERS
Company data: the epicenter of risk
• Business intelligence
• Intellectual property
• Customer data
• Cardholder and financial data
• Authentication credentials
• Human resources
• Electronic health records

5. AGE OF COMPROMISE
• Anthem: Jan 2015
- 2nd largest US health insurer
- Customer PII
• Ebay: March 2015
- Used employee details to access user credentials
• Target: Summer 2013
- $10B drop in market cap (30%)
- CEO terminated
- CIO resigns

6. WHY IS IT LIKELY YOU ARE BREACHED?
Signature-based detection is not sufficient

7. DETECTION AND RESPONSE TIMES ARE UNTENABLE
Initial attack to compromise: 60% in minutes
• 60% of organizations breached in minutes or less (1)
(1) Verizon 2015 Data Breach Investigation Report

8. DETECTION AND RESPONSE TIMES ARE UNTENABLE
Compromise to discovery: 66% in months or years
• 60% of organizations breached in minutes or less (1)
• 66% of breaches take months or years to discover (2)
(1) Verizon 2015 Data Breach Investigation Report
(2) Verizon 2013 Data Breach Investigation Report

9. DETECTION AND RESPONSE TIMES ARE UNTENABLE
Unknown threat: 66% in months or years
• 60% of organizations breached in minutes or less (1)
• 66% of breaches take months or years to discover (2)
• 70-90% of malware samples are unique to an organization (1)
(1) Verizon 2015 Data Breach Investigation Report
(2) Verizon 2013 Data Breach Investigation Report

10. DETECTION AND RESPONSE TIMES ARE UNTENABLE
Time to resolution: 66% in months or years
• 60% of organizations breached in minutes or less (1)
• 66% of breaches take months or years to discover (2)
• 70-90% of malware samples are unique to an organization (1)
• 32 days to respond to an incident (2)
(1) Verizon 2015 Data Breach Investigation Report
(2) Verizon 2013 Data Breach Investigation Report
“It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.”
11. METHODOLOGY OF AN ATTACK
(Diagram: the attack runs from their ecosystem into our enterprise through the phases below, with the timescale shown for each.)
• Opportunity and Research: days to weeks
• Infiltration (Patient Zero): seconds to minutes
• Discovery, Capture and Exfiltration: weeks to months

12. SANS SURVEY ENDPOINT SECURITY TAKEAWAYS
• Perimeter defenses are breached, almost at will
- More than half of survey participants operate assuming compromise
- Attackers don’t need stealth or APT-style funding to get the job done
- Proactive hunting is the only way to detect adversaries that have bypassed initial detection
- The majority of respondents say they want to be able to obtain data from all queried endpoints in under 1 hour
- Some critical endpoints (e.g. payment processing servers) cannot afford any downtime

13-18. YOUR CHALLENGES (built up one bullet per slide)
• Not sure if you have been breached!
• Prevention isn’t working but there is no next step
• Everything occurs on the endpoint, but perimeter, network, & logs ≠ endpoint
• Too many alerts! What volume do you see?
• No way to identify security gaps and verify policies are working
• Lack of visibility into sensitive data
• Analysts spend too much time collecting and correlating data
(Slide 14 figure: Five Styles of Advanced Threat Defense, a grid of where to look against time.)
• Network: Network Traffic Analysis (real-time / near-real-time); Network Forensics (post-compromise, days/weeks)
• Payload: Payload Analysis
• Endpoint: Endpoint Behavior Analysis (real-time / near-real-time); Endpoint Forensics (post-compromise, days/weeks)
Styles 1 to 5 label these five cells.

19. SO YOU CAN’T STOP THEM GETTING IN, BUT…
YOU CAN FIND THEM!
20. ENDPOINT VISIBILITY IS EVERYTHING
• Broad operating system support ensures all your assets are covered, not just servers
• Non-reliance on the operating system for trusted and verifiable information
• Correlation across disparate data types
• Visibility into restricted, hidden and encrypted areas
• Forensic-level access to disk, memory and attached devices
• True remediation (wiping) capabilities

21. HOW DEEP IS DEEP?
• Deep File System
• Dead Registry
• OS Exe/DLL Interaction
- App Compat Cache
- Windows SxS
• Windows Event Logs
• SQL/AD Event Logs
• Windows Management Instrumentation (WMI)
• Registry
• Processes
• ARP Tables
• Memory
• Lnk Files
• Anti-Forensic Detection
• PreFetch
• Hash/Entropy
• Open Ports
• DNS Cache
• Email
• Internet
• Open Files
(Figure axis: from human readable, easy data access, no interpretation required, to high barrier to entry, reverse engineering required for truth, individual forensic interpretation.)

22. ENDPOINT ACTIVITY CAN REVEAL PATIENT ZERO
Correlation keys: Machine Name, File Name, Process Hash, User Account
23. INSIDE OUT SECURITY FRAMEWORK
• Vendor agnostic
• Process to implement a Security Framework that moves from a Passive to Active Defense
• Applicable for teams with new or mature security plans
• Increase ROI on security analysts and technology

24. DETECT & ASSESS: DETECTION OF THE KNOWN AND UNKNOWN
• Every tiny action leaves an artefact of either system or user activity
• Artefact correlation defines a baseline and tells a story of use, no limitations
• Proactively detect the aberrations: known, unknown, insider, and zero day threats
- Anomalies indicate unseen threats
- Review of security policies redefines direction
Eliminate your reliance on signatures, heuristics, policies or IOCs
The only way to detect what you haven’t already!
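Slides 22 and 24 describe the same idea from two angles: correlate endpoint artefacts across the fleet to build a baseline, then treat what sits outside it as the lead, and use the four keys (machine, file name, process hash, user) to find patient zero and the spread. The block below is an added illustration, not code from the deck or from any product it names. It builds a prevalence baseline over a constructed set of process-execution records, flags hashes that run on almost no machines and are not on a local allowlist (a binary unique to the organisation has no signature but also has almost no prevalence), and for each flagged hash reports the earliest observation and the full set of machines, users and file names to remediate. All hashes, host names, paths and the allowlist are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the deck): one record per process
# execution reported by an endpoint agent. The fields are the four correlation
# keys named on the "patient zero" slide plus an observation time.
# (timestamp, machine name, file name, process hash, user account)
# The "sha256-..." strings stand in for real digests.
SAMPLE_EVENTS = [
    ("2016-05-02T08:01:00", "WS-001", r"C:\Windows\explorer.exe", "sha256-explorer", "alice"),
    ("2016-05-02T08:03:00", "WS-002", r"C:\Windows\explorer.exe", "sha256-explorer", "bob"),
    ("2016-05-02T08:05:00", "WS-003", r"C:\Windows\explorer.exe", "sha256-explorer", "carol"),
    ("2016-05-02T08:06:00", "WS-004", r"C:\Windows\explorer.exe", "sha256-explorer", "dana"),
    ("2016-05-02T08:07:00", "WS-005", r"C:\Windows\explorer.exe", "sha256-explorer", "erin"),
    ("2016-05-02T08:09:00", "SRV-PAY-01", r"C:\Windows\explorer.exe", "sha256-explorer", "admin"),
    ("2016-05-02T08:10:00", "WS-001", r"C:\Program Files\Outlook\outlook.exe", "sha256-outlook", "alice"),
    ("2016-05-02T08:11:00", "WS-002", r"C:\Program Files\Outlook\outlook.exe", "sha256-outlook", "bob"),
    ("2016-05-02T08:12:00", "WS-003", r"C:\Program Files\Outlook\outlook.exe", "sha256-outlook", "carol"),
    ("2016-05-02T08:13:00", "WS-004", r"C:\Program Files\Outlook\outlook.exe", "sha256-outlook", "dana"),
    ("2016-05-02T08:14:00", "WS-005", r"C:\Program Files\Outlook\outlook.exe", "sha256-outlook", "erin"),
    # A legitimate admin tool on one workstation: rare, but on the local allowlist.
    ("2016-05-02T14:30:00", "WS-003", r"C:\Tools\procexp.exe", "sha256-procexp", "carol"),
    # One unknown binary on three machines, under two different file names.
    ("2016-05-03T09:14:00", "WS-002", r"C:\Users\bob\AppData\Local\Temp\invoice_2016.exe", "sha256-unknown-1", "bob"),
    ("2016-05-04T22:40:00", "SRV-PAY-01", r"C:\Windows\Temp\svchost.exe", "sha256-unknown-1", "svc_pay"),
    ("2016-05-05T10:05:00", "WS-004", r"C:\Users\dana\AppData\Local\Temp\invoice_2016.exe", "sha256-unknown-1", "dana"),
]

# Constructed local allowlist: hashes an analyst has already vetted.
KNOWN_GOOD = {"sha256-procexp"}


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime for ordering."""
    return [
        {"ts": datetime.fromisoformat(ts), "machine": m, "path": p, "sha": h, "user": u}
        for ts, m, p, h, u in rows
    ]


def hash_prevalence(events):
    """Baseline: on how many distinct machines has each process hash run?"""
    seen = defaultdict(set)
    for e in events:
        seen[e["sha"]].add(e["machine"])
    return {sha: len(machines) for sha, machines in seen.items()}


def rare_hashes(events, max_machines=3, known_good=KNOWN_GOOD):
    """Hashes seen on at most `max_machines` endpoints and not on the allowlist.

    The threshold is relative to the fleet; 3 fits this six-machine sample.
    """
    prev = hash_prevalence(events)
    return sorted(sha for sha, n in prev.items()
                  if n <= max_machines and sha not in known_good)


def patient_zero(events, sha):
    """Earliest observation of a hash: where it first ran, as whom, under what name."""
    hits = [e for e in events if e["sha"] == sha]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["ts"])
    return {"machine": first["machine"], "user": first["user"],
            "path": first["path"], "ts": first["ts"].isoformat()}


def scope(events, sha):
    """Every machine, user and file name tied to the hash, so remediation
    covers all iterations rather than only the instance that raised an alert."""
    hits = [e for e in events if e["sha"] == sha]
    return {
        "machines": sorted({e["machine"] for e in hits}),
        "users": sorted({e["user"] for e in hits}),
        "names": sorted({e["path"] for e in hits}),
    }


def triage(rows=SAMPLE_EVENTS, max_machines=3):
    """Full pass: baseline, flag rare hashes, attach patient zero and scope."""
    events = parse_events(rows)
    return {sha: {"patient_zero": patient_zero(events, sha), "scope": scope(events, sha)}
            for sha in rare_hashes(events, max_machines)}


if __name__ == "__main__":
    for sha, report in triage().items():
        print(sha, "first seen:", report["patient_zero"])
        print("  machines:", report["scope"]["machines"], "names:", report["scope"]["names"])
```

On the sample data only the unknown binary is reported: the admin tool is just as rare but drops out through the allowlist, which is where the deck's "reduce false positives" step lives. Patient zero is the workstation where the binary first ran from a user's Temp directory; the scope shows it later running on the payment server under a system-looking file name, which a per-alert view would miss.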
25. ASSESS & RESPOND: EXPOSED DATA IS MAJOR RISK
• Proactively discover any sensitive data across the organization
- Endpoints
- Structured repositories (Office 365, shares, etc.)
• Enforce sensitive data policies
• Prioritize incident response around high-risk assets
Limit risk and exposure to an internal or external threat!

26. RESPOND AUTOMATICALLY: AUTOMATED INCIDENT RESPONSE
• Automated forensic collection integrates with existing security technologies
- No information decay; works 24/7
• Reduce false-positive events quickly and gain down-stream benefits
• Identify unknown binaries triggering behavioral or heuristic alerts
Ensure valid perimeter, network and log events are being seen!
Reduce compromise to discovery from months to days or hours

27. RESPOND ON DEMAND: ON-DEMAND INCIDENT RESPONSE
Response shouldn’t take forever
• Quickly identify suspect processes using localized white/black lists
• Root out all potential indicators
• Determine if suspect files are threats with ThreatGrid and other intelligence sources
• Determine scope and impact across the organization of any threat instance
• Integrate with existing workflow management, home grown and third party point solutions
Reduce compromise to discovery and time to resolution from months to hours

28. RECOVER & REMEDIATE: RECOVERY AND REMEDIATION
• Kill running processes
• Surgically remove all iterations of malware and related artifacts
• Wipe sensitive data from unauthorized locations
• Produce reports demonstrating success/compliance
Wipe and reimage costs weeks!
Reduce time to resolution from weeks to hours

29. DEFENSE IN DEPTH: LEVERAGE EXISTING INFRASTRUCTURE

30. CAN YOU AFFORD TO BE ONE OF THE NUMBERS?
• #1 in Endpoint Detection and Response by Gartner
• There is no security without endpoint visibility
• Detect unknown threats that perimeter, network, and logs can’t see
• Detect attacks before you end up a headline
• Enable your team to discover and resolve valid threats immediately