NAPIER UNIVERSITY, EDINBURGH
MAY 2016
BIG DATA IN CYBERSECURITY
TODAY’S TOPICS
• Introduction
• Credentials
• Age of compromise
• Today’s InfoSec Challenges
• Inside Out Security: Detect, Assess, Respond & Recover
• Leverage existing infrastructure
• Summary: Can you afford to be one of the numbers?
CREDENTIALS
MARKET LEADING DIGITAL FORENSICS, E-DISCOVERY, AND ENDPOINT DETECTION & RESPONSE
• Gartner #1 in Endpoint Detection & Response*
• Standard in Digital Forensics
- Cited in 100+ published court opinions
• 25+ million servlets deployed
- 70% of Fortune 100 and 45% of Fortune 500
• Industry recognized Training with 5000+ EnCE
- “Best IT Security-Related Training Program” SC Magazine
• Industry leading Professional Services
ENDPOINT IS THE TARGET OF ATTACKERS
COMPANY DATA: THE EPICENTER OF RISK
• Business intelligence
• Intellectual property
• Customer data
• Cardholder and financial data
• Authentication credentials
• Human resources
• Electronic health records
AGE OF COMPROMISE
• Anthem: Jan 2015
- 2nd largest US health insurer
- Customer PII
• eBay: March 2015
- Used employee details to access user credentials
• Target: Summer 2013
- $10B drop in market cap (30%)
- CEO terminated
- CIO resigns
WHY IS IT LIKELY YOU ARE BREACHED?
Signature-based Detection is Not Sufficient
DETECTION AND RESPONSE TIMES ARE UNTENABLE
• Initial attack to compromise: 60% in minutes
- 60% of organizations breached in minutes or less [1]
• Compromise to discovery: 66% in months or years
- 66% of breaches take months or years to discover [2]
• Unknown threat
- 70-90% of malware samples are unique to an organization [1]
• Time to resolution
- 32 days to respond to an incident [2]
[1] Verizon 2015 Data Breach Investigation Report
[2] Verizon 2013 Data Breach Investigation Report
“It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.”
METHODOLOGY OF AN ATTACK
(Diagram: attack phases and their typical timescales)
• Their ecosystem: Research, Opportunity (days to weeks)
• Infiltration: Patient Zero (seconds to minutes)
• Our enterprise: Discovery, Capture, Exfiltration (weeks to months)
SANS SURVEY: ENDPOINT SECURITY TAKEAWAYS
• Perimeter defenses are breached, almost at will
- More than half of survey participants operate assuming compromise
- Attackers don’t need stealth or APT-style funding to get the job done.
- Proactive hunting is the only way to detect adversaries that have bypassed initial detection
- The majority of respondents say they want to be able to obtain data from all queried endpoints in under 1 hour
- Some critical endpoints (e.g. payment processing servers) cannot afford any downtime.
YOUR CHALLENGES
• Not sure if you have been breached!
• Prevention isn’t working but there is no next step
• Everything occurs on the endpoint, but perimeter, network, & logs ≠ endpoint
• Too many alerts! What volume do you see?
• No way to identify security gaps and verify policies are working
• Lack of visibility into sensitive data
• Analysts spend too much time collecting and correlating data

Five Styles of Advanced Threat Defense (where to look vs. time)
Where to look | Real-Time / Near-Real-Time | Postcompromise (Days/Weeks)
Network | Style 1: Network Traffic Analysis | Style 2: Network Forensics
Payload | Style 3: Payload Analysis (spans both columns)
Endpoint | Style 4: Endpoint Behavior Analysis | Style 5: Endpoint Forensics
SO YOU CAN’T STOP THEM GETTING IN, BUT… YOU CAN FIND THEM!
ENDPOINT VISIBILITY IS EVERYTHING
• Broad operating system support ensures all your assets are covered, not just servers
• Non-reliance on the operating system for trusted and verifiable information
• Correlation across disparate data types
• Visibility into restricted, hidden and encrypted areas
• Forensic-level access to disk, memory and attached devices
• True remediation (wiping) capabilities
HOW DEEP IS DEEP?
• Deep File System
• Dead Registry
• OS Exe/DLL Interaction
− App Compat Cache
− Windows SxS
• Windows Event Logs
• SQL/AD Event Logs
• Windows Management Instrumentation (WMI)
• Registry
• Processes
• ARP Tables
• Memory
• Lnk Files
• Anti-Forensic Detection
• PreFetch
• Hash/Entropy
• Open Ports
• DNS Cache
• Email
• Internet
• Open Files
(Diagram axis: sources range from human readable, easy data access, no interpretation required, up to high barrier to entry, reverse engineering required for truth, individual forensic interpretation)
ENDPOINT ACTIVITY CAN REVEAL PATIENT ZERO
(Diagram: correlated fields are Machine Name, File Name, Process Hash and User Account)
INSIDE OUT SECURITY FRAMEWORK
• Vendor agnostic
• Process to implement a Security Framework that moves from a Passive to Active Defense
• Applicable for teams with new or mature security plans
• Increase ROI on security analysts and technology
DETECT & ASSESS
DETECTION OF THE KNOWN AND UNKNOWN
• Every tiny action leaves an artefact of either system or user activity
• Artefact correlation defines a baseline and tells a story of use, no limitations
• Proactively detect the aberrations – known, unknown, insider, and zero day threats
- Anomalies indicate unseen threats
- Review of security policies redefines direction
Eliminate your reliance on signatures, heuristics, policies or IOCs
The only way to detect what you haven’t already!
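As an added illustration of the artefact correlation these slides describe (example code written for this page, not the presenter's or Guidance Software's own), constructed process-execution records from a small fleet are baselined by process-hash prevalence, an unknown binary is flagged by its rarity within the organisation rather than by any signature or IOC, and its patient zero (machine, user, file name) and its scope across the fleet are read from the same records. All machine names, users, file names, timestamps and hashes are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed telemetry, not real data: one process-execution record per tuple
# (timestamp, machine, user, file name, process hash). Hashes are placeholders.
MACHINES = ["WS-0117", "WS-0203", "WS-0310", "WS-0422", "WS-0505", "SRV-PAY01"]
BASELINE = [(f"2016-05-02T08:{i:02d}:00", m, f"user{i}", name, sha)
            for i, m in enumerate(MACHINES)
            for name, sha in (("svchost.exe", "hash-svchost"), ("chrome.exe", "hash-chrome"))]
SUSPECT = [  # the same unknown binary, renamed to a familiar name on its second host
    ("2016-05-02T09:17:00", "WS-0117", "jdoe", "invoice_view.exe", "hash-rare01"),
    ("2016-05-03T02:12:00", "SRV-PAY01", "svc_pay", "svchost.exe", "hash-rare01"),
]
EVENTS = sorted(BASELINE + SUSPECT)  # ISO timestamps sort chronologically as strings

def machines_per_hash(events):
    """Baseline: the set of machines each process hash has executed on."""
    seen = defaultdict(set)
    for _, machine, _, _, sha in events:
        seen[sha].add(machine)
    return seen

def rare_hashes(events, fleet_size, max_fraction=0.5):
    """Hashes present on at most max_fraction of the fleet. No signature or IOC
    is consulted: rarity within the organisation is the only criterion."""
    return {sha for sha, ms in machines_per_hash(events).items()
            if len(ms) / fleet_size <= max_fraction}

def name_hash_conflicts(events):
    """File names that map to more than one hash: a familiar name carrying unfamiliar code."""
    by_name = defaultdict(set)
    for _, _, _, name, sha in events:
        by_name[name].add(sha)
    return {name for name, shas in by_name.items() if len(shas) > 1}

def patient_zero(events, sha):
    """Earliest (timestamp, machine, user, file name) at which the hash executed."""
    hits = [e for e in events if e[4] == sha]
    ts, machine, user, name, _ = min(hits)
    return datetime.fromisoformat(ts), machine, user, name

def scope(events, sha):
    """Every machine the hash reached, with first-seen time and the file name it
    used there, in order of appearance: the set to triage after patient zero."""
    first = {}
    for ts, machine, _, name, h in events:
        if h == sha and machine not in first:
            first[machine] = (ts, name)
    return sorted(first.items(), key=lambda kv: kv[1][0])

if __name__ == "__main__":
    for sha in rare_hashes(EVENTS, len(MACHINES)):
        print(sha, "patient zero:", patient_zero(EVENTS, sha))
        print(sha, "scope:", scope(EVENTS, sha))
    print("name/hash conflicts:", name_hash_conflicts(EVENTS))
```

Correlating on the hash rather than the file name is what catches the renamed copy on SRV-PAY01; a file-name whitelist would have passed it.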
ASSESS & RESPOND
EXPOSED DATA IS MAJOR RISK
• Proactively discover any sensitive data across the organization
- Endpoints
- Structured Repositories (Office 365, Shares, etc.)
• Enforce sensitive data policies
• Prioritize incident response around high-risk assets
Limit risk and exposure to an internal or external threat!
RESPOND AUTOMATICALLY
AUTOMATED INCIDENT RESPONSE
• Automated forensic collection integrates with existing security technologies
- No information decay; works 24/7
• Reduce false-positive events quickly and gain down-stream benefits
• Identify unknown binaries triggering behavioral or heuristic alerts
Ensure valid perimeter, network and log events are being seen!
Reduce compromise to discovery from months to days or hours
RESPOND ON DEMAND
ON-DEMAND INCIDENT RESPONSE
Response shouldn’t take forever
• Quickly identify suspect processes using localized white/black lists
• Root out all potential indicators
• Determine if suspect files are threats with ThreatGrid and other intelligence sources
• Determine scope and impact across the organization of any threat instance
• Integrate with existing workflow management, home grown and third party point solutions
Reduce compromise to discovery and time to resolution from months to hours
RECOVER & REMEDIATE
RECOVERY AND REMEDIATION
• Kill running processes
• Surgically remove all iterations of malware and related artifacts
• Wipe sensitive data from unauthorized locations
• Produce reports demonstrating success/compliance
Wipe and reimage costs weeks!
Reduce time to resolution from weeks to hours
DEFENSE IN DEPTH: LEVERAGE EXISTING INFRASTRUCTURE
CAN YOU AFFORD TO BE ONE OF THE NUMBERS?
• #1 in Endpoint Detection and Response by Gartner
• There is no Security without endpoint visibility
• Detect unknown threats that perimeter, network, and logs can’t see
• Detect attacks before you end up a headline
• Enable your team to discover and resolve valid threats immediately
THANK YOU
IAN RAINSBOROUGH
GUIDANCE SOFTWARE
EMAIL: IAN.RAINSBOROUGH@GUID.COM

Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
