On April 15, 2015, Scalar hosted our Security Roadshow in Toronto where we'll be focused on defence in three key areas - endpoint, application, and network. Led by our team of experts, these quick-fire, interactive sessions will arm you with the knowledge you need to improve your cyber security posture in some of the most common areas of vulnerability. Defend the Endpoint with Bromium Bromium is a new security protection tool for the host that relies on task-based virtualization. In this demo we'll look at how Bromium runs and protects the endpoint. We'll invite 0days from the audience and bring our own to show how the system really works. Much like how each virtual server is contained in a hypervisor, with Bromium each individual task on a host is contained in its own task-based virtual container. If you’ve ever looked at the Windows Task Manager, or the output of a Unix ‘ps’ process list, imagine if each group of processes, that makes up the task, was contained in its own hypervisor. That can be 40-50 tasks or more, each isolated in its own little hypervisor with no real access to the host. Why is task virtualization helpful? By keeping each task in its own hypervisor, Bromium gives you a bottoms-up view of each individual task’s behaviour – without impacting system performance. If each process is contained in its own hypervisor, it’s easy to see when a process begins spawning other activities or creating any unusual traffic. Basically, it can very easily identify anything shifty. This is the most granular level of inspection you can get at a host level – Bromium is there at the very beginning when the virus begins to execute. Defend the Application with WhiteHat In this session we will look at a newer approach to application security and penetration testing, which combines persistent and automated testing processes to continuously monitor applications for vulnerabilities, as well as deep inspection of the business logic by trained specialists. This approach exceeds newer PCI 3 requirements and provides ongoing assurance that web application vulnerabilities are quickly detected and tracked to remediation. We'll walk through the WhiteHat Security client management portal and discuss the WhiteHat methodology that can now be used, by you, to leverage the 150+ application specialists at WhiteHat to build a continuous application assessment process for your company's active web applications and software development teams. Defend the Network with LogRhythm As the security landscape changes, Security Information and Event Management (SIEM) tools that detect and investigate security breaches and threats have become increasingly complex to implement, integrate, and support. Inefficient solutions leave organizations slow to defend against and respond to complex attacks. LogRhythm’s Security Intelligence Platform has removed the complexity from SIEM, while leveraging real-time threat intelligence with behavioural an

1. Scalar Security Roadshow
April 15, 2015
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 1

2. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 2
Vancouver Calgary
Toronto
Ottawa
London
Montreal
100%

3. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 3
We studied the Canadian market
Believe they are winning the
CyberSecurity war
Suffered a breach leading to loss or
disclosure of sensitive data
Average annual number of attacks
Average cost to address a security
breach
41%
46%
34
$200,000

4. • Security is more complicated than ever;
hackers are funded and motivated
• Many organizations struggle to understand
and effectively control security risk
• Traditional security approaches have not
been effective
• Companies who invest in security are still
suffering catastrophic breaches
Traditional Approaches Have Failed
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.

5. “Good Enough” always fails
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.

6. • Are more aware of the threat landscape
• Have a higher percentage of their IT
budget dedicated to security
• Invest in cutting edge technologies
• Measure the ROI of those technologies
• And have a security strategy that is
aligned with their business objectives
and mission
High-performers – 25% less breaches
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.

7. Be more aware of threats and align your security
strategy with business objectives. Build effective
security programs to protect critical assets.
Design and build robust security solutions using
leading technologies that provide visibility
understanding and control.
Develop or acquire expertise to monitor and respond
to security events. Continuously validate the
effectiveness of security controls.
What do Top Performers do?
Prepare
Respond
Defend
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.

8. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 8
Winning The War
• Addressing business risk
• Effective reduction of attack surface
• Understandable and actionable security
intelligence
• Rapid incident containment and response
• Continuous validation and meaningful reporting

9. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 9
Today’s Agenda

10. Isolated. Protected.
Bromium.

11. Security Architecture 1.0…
Traditional Security Technologies
ANY CO. PLC
usDon’t stop next generation threats

12. Endpoint: The Path of Least Resistance
THREAT TARGETS
DESKTOPS
USERS
WINDOWS 7
WINDOWS 8.1
LAPTOPS
INTERNET EXPLORER
The key security threat channels are Web
and Email. The key threat vectors are
web-links and downloaded files.
Your security posture is significantly
improved by negating the key security
issues of users clicking malicious web-
links and opening infected attachments
Prioritize
Focus
THREAT VECTORS
VIDEOS
PICTURES
DOCUMENTS
WEBLINKS
MAIL
WEB
THREAT CHANNELS

13. The Business Problem: The Bromium Cure
SECURE
WEB BROWSING
SECURE
EMAIL
SECURITY
PATCHING

14. Endpoint Isolation Technology
How It Works – Bromium
ISOLATED. PROTECTED.DISRUPTIVE DAMAGING
HARDWARE
OS KERNEL
Untrusted user tasks and any malware
are isolated in a super-efficient micro-VM.
All micro-VMs destroyed, eliminating all
traces of malware with them.
Hardware-isolated
micro-VMs

15. Why Bromium?
Open Anything,
From Anyone,
Anywhere…

16. Isolated. Protected.

17. WhiteHat Security
Application Testing
Rob Stonehouse, CISSP
Chief Security Architect
© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience. 17

18. About WhiteHat Security
• Application security testing leader in Gartner Magic Quadrant
• HQ in Santa Clara, California
• Employees: 300
• Customers: 650+
• Sites under management: 30,000+
18

19. SAST - “Sentinel Source” Static Testing
• Integrates into your
development process
• Directly connects to source
code repository
• Designed for Agile
• Your code stays onsite
• Verified vulnerabilities avoid
false positives
• Assesses partial code, as
often as needed
19

20. Sentinel Mobile - Secure Mobile Devices
§ Assesses both iOS and Android
applications
§ Tests native mobile code and server-side
APIs
§ Identifies critical vulnerabilities including
OWASP Mobile Top 10
§ Verified findings:
Zero false positives reduce overhead for
developers
Results prioritized by risk
§ Covers traffic analysis between client and
server-side

21. DAST – Dynamic Application Testing
• Non-intrusive, non-disruptive, 24x7
coverage
• Meets and exceeds PCI 6.5/6.6
requirements
• Full service and support included in
all offerings
• Unlimited retests, integration
support, and remediation guidance
at no additional charge
• Persistent, consistent testing and
results
Cross-site scripting
Credential/Session
Prediction
Weak Password
Recovery Validation
Information Leakage
Brute Force
SQL Injection
Insufficient
Authentication

22. Application Security Lifecycle
Integrated Application
Security Lifecycle
Software
Development
Lifecycle
SAST
22

23. How to Remediate Vulnerabilities?
Continuous Testing
• Full SDLC coverage: training, development, QA, and
production
• Stop using Tiger teams!
Expert hands-on guidance from the Threat Research Center
• 100% verified vulnerabilities, 0 false positives
• 150+ security engineers available by phone/email/WebEx
Retest, Retest, Retest
• Trending of vulnerabilities across time and continuous
assessment of deployment

24. How Deep to Test?
§ Sentinel PE (Fully Targeted / High Risk)
• Ideal for high impact sites with sensitive
user and financial information
• Technical and business logic
vulnerabilities, complete WASC v2
§ Baseline Edition (Static Webpages)
• Unauthenticated, Verified Results
§ Standard Edition (Directed/Opportunistic)
• Custom configured logins and multi-step
sequences
• Comprehensive coverage for technical
vulnerabilities

26. Scan Scheduling

27. 27

28. © WhiteHat Security 2013 28

29. © WhiteHat Security 2013 29

30. Flexible Reporting
§ Web & PDF Based
§ Bi-Directional XML API
§ Integration with popular technologies like
Jira, Archer, F5 & Imperva

31. Command Execution
§ Buffer Overflow
§ Format String Attack
§ LDAP Injection
§ OS Commanding
§ SQL Injection
§ SSI Injection
§ XPath Injection
Information Disclosure
§ Directory Indexing
§ Information Leakage
§ Path Traversal
§ Predictable Resource Location
Business Logic: Hands-on Inspection
Authentication
§ Brute Force
§ Insufficient Authentication
§ Weak Password Recovery Validation
Authorization
§ Credential/Session Prediction
§ Insufficient Authorization
§ Insufficient Session Expiration
§ Session Fixation
Logical Attacks
§ Abuse of Functionality
§ Insufficient Anti-automation
§ Insufficient Process Validation
Premium Edition Baseline Edition Standard Edition
WhiteHat Sentinel Vulnerability Coverage
Client-Side
§ Content Spoofing
§ Cross-site Scripting
§ HTTP Response Splitting
§ Insecure Content

32. Protecting the Network with
LogRhythm
Nyron Samaroo, Security Architect
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 32

33. Introduction
Questions:
• What is SIEM?
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 33
Answers:
• Security Information and Event Management (SIEM) is a
tool used to gather and report on security information.
• Who is LogRhythm?
• LogRhythm is a global leader in security intelligence and
analytics empowering organizations to rapidly detect,
respond and neutralize cyber threats. Their Security
Intelligence platform unifies next-gen SIEM, log
management, network and endpoint forensics, and
advanced security analytics.
• How will LogRhythm
defend my network?
• Through the process of Intelligent and Behavioral
Analytics LogRhythm is capable of detecting and
protecting in near real-time security events not just on
the network but on critical assets residing on the
network.

34. LogRhythm in Motion
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 34
LogRhythm Agents
Workstations and Servers
Archiving
AI Engine
Log Manager
LogRhythm Personal
Dashboard / Web UI
Event Manager
Network Devices
Identification
Classification
Normalization
Prioritization
Aggregation
Events
Console
Reporting
Alarming
Configuration
Behavior Analytics /
Advanced Correlation

35. The Platform for Security Intelligence
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 35
Input Analytics Output

36. LogRhythm System Monitor
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 36
Host Activity Monitoring
• Independently collects forensic detail
• Ideal for hosts with sensitive data or critical applications
• Support for Microsoft, Linux, and Unix platforms
File Integrity and
Windows Registry
Monitoring
• Meet Compliance Requirements
• Recognize “who” performed unauthorized
file changes or moves
• Build whitelists for recognizing malware
or blacklists of undesired applications
• Identify new, non-whitelisted network
services
• Detect anomalous network activity
indicating data exfiltration or botnet C&C
• Monitor unauthorized data movement to
prevent data theft
Process Monitoring
Network
Connection
Monitoring
Data Loss Defender

37. LogRhythm Network Monitor
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 37
1. True Application Identification for over 2800
applications
2. SmartFlow™: Search and analyze packet data from
each network session up to Layer7
3. SmartCapture™: Full or selective packet capture
for deeper forensic analysis
Google Docs
PostGres
SMTP
Facebook Apps
TorSkype DropBox
XBoxLive
AWS
BitTorrent
GoToDevice
Gmail
Source IP: 192.168.12.59
Destination IP: 192.168.2.84
Command: smb2 change
Filename: SethMy Documents
todayspreso.ppt
Path: serverfileUsers
ApplicationPath: /tcp/netbios/smb
Login: seth.goldhammer
Bytes: 4.52 Mb
Time Start: 2013/10/10 19:30:38
Time Updated: 2013/10/10
………………
Samba
Source IP: 192.168.12.59
Destination IP: 192.168.18.2
Sender: seth@logrhythm.com
Receiver: kbroughton@recruiter.com
Attachment File Name: SethMy Docs
employeedata.txt
Mime Type: http/text
Bytes: 4.52 Mb
Time Start: 2013/10/10 19:30:38
Time Updated: 2013/10/10
………………

38. Real-time Forensic Monitoring
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 38
System Monitoring
• Capture host activities not
represented by log data
• Gain deep visibility on valuable
hosts, sensitive data
Network Monitoring
• Capture network activities not
captured by standard flow data
• Recognize applications and perform
Deep Packet Inspection (DPI) on all
network traffic
Independent collection of forensic detail is
CRITICAL for recognizing high risk activities

39. The Platform for Security Intelligence
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 39
Input Analytics Output

40. Data Classification
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 40
• LogRhythm not only structures incoming
data but adds contextual information
such as:
• Classification
• Common Event
• Risk Score
• Reduces time required for analysis and
ensures query results are complete
• Provides deep intelligence on more than
600 different systems, devices, apps,
databases, etc.
• 20-30 added each quarter
Confidential Information
0
100
200
300
400
500
600
700
Total
Customer Relations Management
Data Loss Prevention
File Integrity Monitor
Network Controllers
Unified Threat Managers
UPS
Anti-Spam
Physical Security
Encryption
Wireless Access Management
Vulnerability Assessment
Directory Services
Point-Of-Sale
VOIP
Storage
Virtualization
Wireless Access Point
Remote Access
VPN
E-Mail Security
Load Balancers
Content Inspection/Filters
Routers
Anti-Virus
Email Servers
Switch
Access Control
Other
Databases
Web Servers
Network Management
IDS/IPS
Firewalls
Applications
Operating Systems

41. Scenario Building Blocks
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 41
Log
Observed
Log
Not
Observed
Log
Not
Observed
Scheduled
Threshold
Observed
Threshold
Not
Observed
Threshold
Not
Observed
Scheduled
Unique
Value
Observed
Unique
Value
Not
Observed
Unique
Value
Not
Observed
Scheduled
Whitelist
Trend
Sta;s;cal

42. Scenario Examples
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 42
Log
Observed
Log
Observed
Account
Created
Account
Deleted
Account=Account
Short
;me
period
Log
Observed
Log
Not
Observed
Secure
Panel
Accessed
No
Badge
Swipe
Short
;me
period
before
Detec%ng
Temporary
Accounts
Detec%ng
Forced
Physical
Access

43. Complex Scenario
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 43
Trend
Abnormal
Access
and
Authen%ca%on
Failures
Log
count
comparison
of
auth
and
access
failures
per
user
Trend
Abnormal
Authen%ca%on
Behavior
Histogram
of
auth
success
and
failures
per
user
Trend
Abnormal
Authen%ca%on
Loca%ons
Histogram
of
auth
success
loca;ons
per
user
Unique
Value
Observed
Same
user
with
mul;ple
anomalies
Event
Loop
Back

44. The Platform for Security Intelligence
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 44
Input Analytics Output

45. Smart Response (closing the loop)
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 45
SmartResponse™ delivers immediate
action on real-world issues, such as when
suspicious behavior patterns are detected,
specific internal or compliance-driven
policies are violated, or critical
performance thresholds are crossed.
• Pull Attacking IP from Alarm and add to firewall
ACL. Terminating dangerous access to network
• Suspend or remove newly added or recently
modified privileged user account until activity is
verified as legitimate
• Remove suspicious users from network during
investigative period
• Restart operational processes from alarms

46. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 46
Analytics Driven Defense Modules

47. Privileged User Monitoring
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 47
Use Case: Detect a rogue
administrator account
Details: Identify when a privileged
user is abusing authority, indicating
either insider threat activity or
compromised credentials
AIE Rules look for:
• New Admin Activity
• Mass Object Deletion
• Users added to privileged group
• Recently disabled privileged account activity

48. Retail Cyber Crime Module
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 48
Use Case: Detect Compromised Back
Office Systems
Details: Identify suspicious changes on
back office systems and the network
activity they generate.
AIE Rules look for:
• New processes
• New authentications
• New FIM access events
• Any FIM modification event
• Any DLD Activity
• New Common Event
• New Network Activity

49. Analytics Modules
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 49
Rapid-Time
to-Value
Knowledge
• Industry
experts
• Machine
Data
Intelligence
• Security
• Compliance
• Advanced
Threat
Research
• Embedded
Exper;se
• Ready-­‐to-­‐use
content
• Frequent,
automa;c
updates
• Knowledge
aligned
to
organiza;onal
goals
• Quick
benefit
recogni;on
• Ongoing
addi;onal
value

50. We deliver IT.
50© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. April 18, 2015

51. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 51
Thank you

52. Download our 2015 Security Study: The Cyber
Security Readiness of Canadian Organizations
Download Here: http://blog.scalar.ca/security-
study-2015
What’s Next?
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.

53. Connect with us!
© 2014 Scalar Decisions Inc. 53
facebook.com/scalardecisions
@scalardecisions linkedin.com/company/scalar-decisions
slideshare.net/scalardecisions